List of All Resolved Issues and New Features in R81 Jumbo Hotfix Accumulator
|
Review the Important Notes section before installing a new Take. |
Take | Available Since | Recommended Since |
---|---|---|
04 Jan 2024 |
15 Jan 2024 |
|
23 Nov 2023 |
- |
|
27 Jun 2023 |
02 Aug 2023 |
|
22 Mar 2023 |
08 May 2023 |
|
19 Jan 2023 |
08 Feb 2023 |
|
09 Jan 2023 |
- | |
06 Nov 2022 |
01 Jan 2023 |
|
13 Oct 2022 |
24 Oct 2022 |
|
01 Sep 2022 |
- |
|
23 Jun 2022 |
22 Aug 2022 |
|
27 Apr 2022 |
12 Jun 2022 |
|
11 Apr 2022 |
24 Apr 2022 |
|
15 Mar 2022 |
- |
|
22 Feb 2022 |
02 Mar 2022 |
|
17 Jan 2022 |
- |
|
29 Dec 2021 |
- |
|
29 Sep 2021 |
12 Oct 2021 |
|
01 Sep 2021 |
- |
|
19 July 2021 |
26 Jul 2021 |
|
27 Jun 2021 |
- |
|
24 May 2021 |
29 Jun 2021 |
|
26 Apr 2021 |
- |
|
08 Apr 2021 |
- |
|
25 Mar 2021 |
05 Apr 2021 |
|
01 Mar 2021 |
- |
|
08 Feb 2021 |
- |
|
26 Jan 2021 |
- |
|
14 Dec 2020 |
- |
ID |
Product |
Description |
---|---|---|
Take 92 Published on 4 January 2024 and declared as Recommended on 15 January 2024 |
||
PRJ-51599, SMB-16203 |
Security Management |
In rare scenarios, a boot may fail on a Security Gateway with IPS, Anti-Bot, or Application Control blade enabled. Refer to sk181803. |
Take 89 Published on 23 November 2023 |
||
PRJ-47120, |
Anti-Spam |
NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-49979 |
Security Management |
UPDATE: Removed a redundant rule-assistant.war package. |
PRJ-49890, PMTR-95687 |
Security Management |
UPDATE: Removed a redundant guava package. |
PRJ-49823, PMTR-95347 |
Security Management |
UPDATE: Upgraded the commons-compress-jar package from version 1.8 to version 1.22. |
PRJ-49785, PMTR-95614 |
Security Management |
UPDATE: properJavaRDP - an SNX-embedded application for Mobile Access is now blocked and is no longer supported because of deprecated Java library dependencies. |
PRJ-49982, PMTR-74309 |
Security Management |
UPDATE: Upgraded the Jackson Java library from version 2.5.0 to version 2.11.3. |
PRJ-48316, PRJ-49010, PRJ-50263, PRJ-49964, ODU-1256, ODU-1304, ODU-1121, ODU-1137 |
Web SmartConsole |
UPDATE: New features and improvements are released in Take 81, Take 85, Take 88, and Take 90 via a self-updatable package. Refer to sk170314. |
PRJ-49107, PMTR-94517 |
SmartConsole |
UPDATE: Applied security related improvements to the Jetty open source library. |
PRJ-50323, |
CPView |
UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-50041, |
CPView |
UPDATE: Added Take 14 of CPquid (QUID) Release Updates. Refer to sk181458. |
PRJ-50091, |
Security Gateway |
UPDATE: Improved traffic classification of GTP traffic on the Security Gateway to enhance the stability. |
PRJ-46556, |
Security Gateway |
UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632. |
PRJ-48141, |
Threat Prevention |
UPDATE: Re-enabled the deprecated feature of exporting/importing custom intelligence feeds. |
PRJ-44319, |
Threat Prevention |
UPDATE: The DCE-RPC kernel tables will now be global instead of local. This adjustment helps avoid issues with syncing between firewall instances and keeps data connections stable. |
PRJ-49492, |
Threat Prevention |
UPDATE: Added Update 21 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-46942, |
Threat Prevention |
UPDATE: IPS bypass triggers will now be activated based on the average CPU load exceeding the high threshold, as opposed to the previous implementation, where a single CPU load triggered the bypass. The change will result in more effective security measures without unnecessary bypasses. |
PRJ-49231, |
SSL Network Extender |
UPDATE: SSL Network Extender was updated to version 80008407. |
PRJ-49744, PMTR-95099 |
Mobile Access |
UPDATE: SNX used to connect back to Mobile Access Blade's portal FQDN by resolving its IP address locally. This method makes it sensitive to DNS poisoning attacks such as those specified by TunnelCrack. Therefore, it was modified to connect back to the Security Gateway / Cluster member IP address by default. |
PRJ-44242, |
Mobile Access |
UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):
|
PRJ-44435, |
ClusterXL |
UPDATE: Improved the fullsync time after reboot in large scale environments. Refer to sk180742. |
PRJ-46314, |
ClusterXL |
UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members will now be configured automatically. |
PRJ-46915, |
VPN |
UPDATE: Added a global parameter "sim_no_local_ip_check" which allows packets not destined to a local IP address to proceed to Security Association lookup in SecureXL. |
PRJ-48107, |
VSX |
UPDATE: Changed the vsx push configuration log:
|
PRJ-47449, |
Gaia OS |
UPDATE: Added driver and firmware update support for Dual-Wide 10/25/40/100G cards as a replacement option for:
|
PRJ-45235, |
Gaia OS |
UPDATE: SNMP traps for interfaces going up and going down will now contain the interface name and description. |
PRJ-46439, |
Gaia OS |
UPDATE: Added support for the Sandblast TE250XN Appliances. |
PRJ-44760, |
Gaia OS |
UPDATE: Increased the size of the scheduled snapshot database binding, allowing longer paths and passwords to be defined. |
PRJ-47225, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1t to 1.1.1u to include the latest security improvements. Refer to sk181427. |
PRJ-45726, |
Harmony Endpoint |
UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade. |
PRJ-49977, PRJ-49936 |
Harmony Endpoint |
UPDATE: Upgraded symmetricDS to the 3.14.9 version. |
PRJ-48799, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region. |
PRJ-48338, |
CloudGuard Network |
UPDATE: Added Take 20 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-45770, |
Scalable Platforms |
UPDATE: Added ability to stop configuration mismatch repeated reboots for debugging purposes. The new command is " cpha_blade_config auto_reboot <on/off>". |
PRJ-48195, |
Scalable Platforms |
UPDATE: Added ability to use Generic Data Centers and Dynamic Objects with Maestro cluster, not just for a separate Security Gateway. |
PRJ-32166, |
Scalable Platforms |
UPDATE: Added support for 40G SFP transceiver for SSM160 (BTI40GSRDDQSFP). |
PRJ-45979, |
Scalable Platforms |
UPDATE: Added Take 29 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-48403, |
HCP |
UPDATE: Added Update 13 and Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-49203, |
Security Management |
Refer to sk181471. |
PRJ-48877, |
Security Management |
|
PRJ-50028, PMTR-95988 |
Security Management |
The Gaia Clish command "show configuration user" fails with "Segmentation fault" on a Management Server. Refer to sk181626. |
PRJ-47168, |
Security Management |
In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign". |
PRJ-46698, |
Security Management |
Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted. |
PRJ-44895, |
Security Management |
Policy installation gets stuck if the known proxy group contains the policy target. |
PRJ-46827, |
Security Management |
In some scenarios, the "Object is no longer available" validation warning appears for updatable objects. |
PRJ-49194, |
Security Management |
In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated. |
PRJ-47965, |
Security Management |
In High Availability Security Management Server environments, outdated IPS packages are retained, which leads to a substantial increase of the database on Standby Security Management Server. |
PRJ-46130, |
Security Management |
A policy installation task may become stuck when an error occurs in the early installation stage, for example, when trying to install a policy on an unsupported version of Security Gateway. |
PRJ-46397, |
Security Management |
In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448. |
PRJ-46015, |
Security Management |
The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ". |
PRJ-44430, |
Security Management |
In some scenarios, SmartConsole may get closed when opening the Policy Installation dialog. |
PRJ-46409, |
Security Management |
The Security Gateway may listen to the ports used by NAT. |
PRJ-49369, |
Security Management |
In environments with tens of thousands of network objects, opening and closing Security Gateway objects in SmartConsole takes a long time. Refer to sk181460. |
PRJ-33004, |
Security Management |
In SmartConsole, an attempt to view administrators may fail with "Error retrieving results". |
PRJ-35764, |
Security Management |
In some scenarios, the "show-packages" Management API command may return empty results when using the "domains-to-process" flag. |
PRJ-39774, |
Security Management |
Disabling or enabling rules may not affect the "last-modify-time" field in the output of the "show-access-rule" Management API command. |
PRJ-40127, |
Security Management |
When the Access Rule Base contains several hundred rules, the "set-access-rule" Management API command with the "new-position" parameter may take longer than expected or time out after 5 minutes. |
PRJ-48199, |
Security Management |
Login via API fails if the Security Management Server has multiple IP addresses and they are not defined on the Security Management Server object in SmartConsole. |
PRJ-48036, |
Security Management |
An audit log may not be created after running Revert to Revision. |
PRJ-48380, |
Security Management |
In SmartConsole, export of policies with the "Hit count" column may get stuck. |
PRJ-43288, |
Security Management |
In rare scenarios:
|
PRJ-45897, |
Security Management |
In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920. |
PRJ-45987, |
Security Management |
Deleting a Domain that is connected to an AD Group fails. |
PRJ-47257, PRJ-47234, |
Security Management |
If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097. |
PRJ-46002, |
Security Management |
Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "ospec-ha" returns success but has no effect on the cluster object. |
PRJ-48896, |
Security Management |
In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file. |
PRJ-45033, |
Security Management |
Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.
|
PRJ-44986, |
Security Management |
A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases. |
PRJ-45798, |
Security Management |
Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report. |
PRJ-41459, |
Security Management |
In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails. |
PRJ-41243, |
Security Management |
When closing an application from SmartConsole without changes, a redundant revision is created. |
PRJ-47041, |
Security Management |
When using the RADIUS username for authentication, login to SmartConsole may fail. |
PRJ-47045, |
Security Management |
In rare scenarios, after an upgrade, the Security Management Server may fail to start. |
PRJ-46795, |
Security Management |
The "show-vpn-communities-star" Management API command fails for VPN communities using Diffie-Hellman groups 15-18. Refer to sk27054. |
PRJ-46730, |
Security Management |
In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397. |
PRJ-45781, |
Security Management |
In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes. |
PRJ-45439, |
Security Management |
In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787. |
PRJ-48690, |
Security Management |
Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user. |
PRJ-47618, |
Security Management |
In rare scenarios, the /var/log/message file is filled with Clish login messages for the Admin user. |
PRJ-48863, |
Security Management |
In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted. |
PRJ-48369, |
Security Management |
The "crldp_initialized"and "crldp_name" keys may be missing in the registry after running promote_util. |
PRJ-47037, |
Security Management |
In multi-site Multi-Domain Security Management environments, login to SmartConsole fails while an Install Policy Preset relays the Security Gateway installation statuses. |
PRJ-34859, |
Security Management |
In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report. |
PRJ-46103, |
Multi-Domain Security Management |
In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983. |
PRJ-43690, |
Multi-Domain Management |
Deleting the entire Domain including all its Domain Servers fails, if any of the Domain Servers is used in the Domain policy. |
PRJ-47049, |
Multi-Domain Security Management |
In rare scenarios. in a Multi-Domain Security Management environment:
|
PRJ-40588, |
SmartConsole |
SmartConsole may crash while checking for updates. |
PRJ-45074, |
Web SmartConsole |
After an upgrade, "Every cluster network should define unique subnet" messages may be displayed in the Validation Pane.
|
PRJ-46434, |
SmartProvisioning |
After importing or deleting SNORT protections in the IPS Protections view, the view may not show the change. |
PRJ-47341, |
SmartView |
In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message. |
PRJ-47468, |
CPUSE |
Tasks in SmartConsole may end unexpectedly during the Jumbo/ major version upgrade operation. |
PRJ-46185, |
Logging |
When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management shows the Security Gateway is disconnected, the Log Server cannot be reached, although logs are sent. |
PRJ-45039, |
Logging |
The "Low disk space" warning may be incorrectly displayed in SmartConsole. |
PRJ-47218, |
Logging |
The "fwm logexport" may return "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs. |
PRJ-48341, |
Logging |
In some scenarios, the "show logs" Management API returns incorrect values for the "Match table" field. |
PRJ-41166, |
Logging |
The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error". |
PRJ-47213, |
Logging |
In SmartView, filtering logs by Media Encryption & Port Protection Blade may fail. |
PRJ-45323, |
Logging |
Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied. |
PRJ-39449, |
Logging |
The Logs view may show a "Failed to read record number" message. |
PRJ-45416, |
Logging |
Source and destination IP addresses in SmartLog may not be shown correctly for duplicate packets of fragmented traffic. |
PRJ-44206, |
Logging |
Windows Syslog messages information may be displayed in the "Description" field of the log and not parsed into the suitable fields. |
PRJ-47267, |
Security Gateway |
Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673. |
PRJ-50897, PRHF-31187 |
Security Gateway |
A double-free flaw that leads to a possible Security Gateway crash was identified. This release includes the fix to enhance system stability and security. |
PRJ-44700, |
Security Gateway |
In rare scenarios, the WSDNSD process may restart because of an internal error. |
PRJ-48152, |
Security Gateway |
Topology and Anti-Spoofing ranges are not calculated on an external interface when adding a route to an internal interface that shares the same subnet. |
PRJ-47369, |
Security Gateway |
The ICAP Server may stop sending files to the Threat Emulation and Anti-Virus Blades if the TED daemon was restarted. |
PRJ-47330, |
Security Gateway |
When using the "cpstop" command on the Security Gateway, the fw_full core may be generated. |
PRJ-48246, |
Security Gateway |
The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages with no impact of the connectivity. Refer to sk181281. |
PRJ-47519, |
Security Gateway |
After installing a policy, because of high latency, the Security Gateway may delete connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped. |
PRJ-44188, |
Security Gateway |
The Security Gateway may crash due to a memory issue. |
PRJ-46137, |
Security Gateway |
The "g_tcpdump -mcap" command may not merge traffic capture outputs. Refer to sk181032. |
PRJ-46052, |
Security Gateway |
The Security Gateway may crash while inspecting non-HTTP traffic. |
PRJ-43855, |
Security Gateway |
The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX. |
PRJ-45482, |
Security Gateway |
Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command. |
PRJ-46333, |
Security Gateway |
The Security Gateway may crash after a failure in policy installation. |
PRJ-45802, |
Security Gateway |
Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588. |
PRJ-47124, |
Security Gateway |
In some scenarios, after an upgrade, the FWD process may unexpectedly exit. |
PRJ-44617, |
Security Gateway |
In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505. |
PRJ-45343, |
Security Gateway |
When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route. |
PRJ-47557, |
Security Gateway |
FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165. |
PRJ-47324, |
Security Gateway |
Benign files scanned by the ICAP Server may not be logged by Anti-Virus Blade. |
PRJ-46376, |
Security Gateway |
Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature. |
PRJ-47601, |
Internal CA |
In rare scenarios, ICA certificate creation and enrollment fail. |
PRJ-44150, |
Threat Prevention |
In a rare scenario, policy installation may fail because of IoC observables overrides. |
PRJ-46836, |
Threat Prevention |
When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake. |
PRJ-43726, |
Threat Prevention |
In some scenarios, CIFS parser is triggered when it is not needed, this leads to the Security Gateway not accelerating fully the SMB traffic. |
PRJ-44765, |
Threat Prevention |
Fetching of Custom Intelligence Feeds fails when no proxy is configured on the Security Gateway. |
PRJ-44690, |
Threat Prevention |
In some scenarios, the Security Gateway fails to export or import IoC feeds. |
PRJ-48190, |
Threat Prevention |
Anti-Virus Blade fails to parse external IoC feeds that contain specific delimiters. |
PRJ-42146, |
Threat Prevention |
Fetching custom intelligence feeds via CLI may fail because of SSL certificate issues. |
PRJ-46883, |
Threat Prevention |
Uploading an IoC file containing invalid characters (for example, quotation marks) may cause Threat Prevention policy installation failure. |
PRJ-48924, |
Threat Prevention |
Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented. |
PRJ-47636, |
Threat Prevention |
The output of the "fw amw unload" command shows the policy gets unloaded, however CPView still shows that the blades are enabled. Refer to sk181148. |
PRJ-46116, |
Threat Emulation |
Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus Blade performance. |
PRJ-48273, |
Identity Awareness |
There may be no access to resources for identities received from the Remote Access identity source by splitting Domain (sk147417). |
PRJ-47063, |
Application Control |
When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur. |
PRJ-47748, PRJ-47646 |
IPS |
In rare scenarios, there may be a memory leak in ips_cmi_handler_match_cb_ex. |
PRJ-50189, PMTR-96205 |
IPS |
Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6. |
PRJ-47238, |
Anti-Virus |
Some websites may be unreachable when one of Threat Prevention Blades is in Hold mode. |
PRJ-47934, |
Anti-Virus |
When transferring many files, SMB traffic may freeze while scanned by Anti-Virus Blade. |
PRJ-48971, |
Anti-Virus |
When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked. |
PRJ-48126, |
Anti-Virus |
A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol. |
PRJ-45835, |
Anti-Virus |
DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy. |
PRJ-47783, |
Anti-Virus |
A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection. |
PRJ-46604, |
Anti-Virus |
The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026. |
PRJ-47202, |
Mobile Access |
When copying special German characters to and from the Guacamole Server, they are replaced with unreadable symbols. |
PRJ-47106, |
Mobile Access |
It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155. |
PRJ-45656, |
SSL Inspection |
In a VSX environment, the WSTLSD process run by Virtual Systems may ignore proxy configuration on VS0. |
PRJ-48701, |
SSL Inspection |
A FWK process memory leak may occur when canceling the download of a large file in the middle of the process. |
PRJ-47263, |
SSL Inspection |
The fwk.elg file may be flooded with the "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak. |
PRJ-41306, |
ClusterXL |
When interfaces disconnect/connect on both members at the same time, it may cause a failover. |
PRJ-46504, |
ClusterXL |
Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969. |
PRJ-45348, |
ClusterXL |
After an upgrade, cluster members may frequently crash, causing instability in the environment. |
PRJ-45197, |
ClusterXL |
In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection". |
PRJ-44274, |
ClusterXL |
A Standby member may initiate FTP data connection, although it should be sent from the Active member. As a result, the connection is teminated. Refer to sk180531. |
PRJ-43930, |
ClusterXL |
Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055. |
PRJ-45179, |
ClusterXL |
The VLAN configured bonded interface monitored state disappear after modifying the bonded interface properties. Refer to sk180724. |
PRJ-43638, |
SecureXL |
In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability. |
PRJ-44772, |
SecureXL |
The "IOCTL command CPHWD_IOCTL_DOS_DENY_LIST_CLEAR was not successful" error may be printed during cpstart. Refer to sk180646. |
PRJ-41793, |
Routing |
Adding or deleting a multicast group from a configured static RP environment can lead to outages in traffic. |
PRJ-47486, |
Routing |
When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted. |
PRJ-43247, |
Routing |
Traffic may be dropped when there are many OSPF routes of type 5. |
PRJ-47800, |
Routing |
When a BFD session is added or removed, disabled sessions may incorrectly come up. |
PRJ-47939, |
Routing |
An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354. |
PRJ-48116, |
Routing |
The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA. |
PRJ-44955, |
VPN |
A potential leak in VPN tunnels in a Multi-Version Cluster. |
PRJ-46293, |
VPN |
Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429. |
PRJ-42938, |
VPN |
Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##". |
PRJ-44164, |
VPN |
When working with ClusterXL in Load Sharing mode, a VPN tunnel may fail to be established. |
PRJ-47876, |
Multi-Portal |
The Security Gateway may send a wrong certificate to the MAB Portal during certificate authentication. |
PRJ-44267, |
VSX |
Virtual System context may not be handled correctly by CPView, for example, the same interfaces may be listed on all virtual systems. |
PRJ-47795, |
VSX |
A memory leak may occur in the CPD process. |
PRJ-47397, |
VSX |
When changing Virtual Systems (VS's) using the VS name, the "failed to find an ID for a VS named XXX" error is shown. |
PRJ-43877, |
VSX |
When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names." |
PRJ-47836, |
VSX |
In a rare scenario, affinity configuration on VSX may fail. |
PRJ-44299, |
VSX |
When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed.
|
PRJ-49349, |
VSX |
In some scenarios, in a Maestro Security Group configured in the VSX mode, a Virtual System that connects to a Virtual Switch may drop traffic as "Out of State" or wrongly drop it on the clean up rule. Refer to sk181823. |
PRJ-46970, |
Gaia OS |
Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249. |
PRJ-46274, |
Gaia OS |
When changing bond settings, the bond may be missing the global IPv6 Address. |
PRJ-47772, |
Gaia OS |
Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485. |
PRJ-28433, |
Gaia OS |
Backup on Gaia machine with Threat Emulation Blade enabled fails with "Cannot complete the backup process: not enough space". But the solution of sk166833 does not resolve the issue in a VSX environment. |
PRJ-44369, |
Gaia OS |
SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes the status. |
PRJ-43570, |
Harmony Endpoint |
After the Deploy New Endpoint push operation is successfully done, the list of target devices may change to "None". And it is not possible to delete this push operation manually, a "Sorry, we had an API issue during request" message is printed. |
PRJ-41336, |
Harmony Endpoint |
When downloading a dynamic package from the Endpoint Security Server and using the "/createmsi" command, the operation results with a "CRITICAL ERROR: Unable to create MSI! Missing file: System32\FirewallMonitor.dll" error. |
PRJ-46948, |
Harmony Endpoint |
KAV updater on the Server may fail to receive updates when proxy is used. |
PRJ-48255, |
Harmony Endpoint |
The default policy configured in the Infinity Portal may not be exported with the new Endpoint Security client package. |
PRJ-46801, |
Harmony Endpoint |
In rare scenarios, when making changes in SmartConsole, it gets disconnected. |
PRJ-43043, |
Harmony Endpoint |
E2 engine may send an incorrect value of datDate in sync request. |
PRJ-47898, |
CloudGuard Network |
Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed. |
PRJ-47733, |
CloudGuard Network |
After an upgrade, Azure Gov mapping may fail. |
PRJ-43608, |
VoIP |
SIP agent implements a keep-alive mechanism against the RFC, making each message arrive with a different tag in the "From" header, which may increase the memory of the Security Gateway, and these messages may be dropped once they hit the limit defined (the "sim_max_reinvite" parameter). |
PRJ-45232, |
Scalable Platforms |
The "asg_dr_verifier" command shows "Status: Inconsistency found on some of the SGMs", even if the OSPF neighbors are in Full state. Refer to sk179921. |
PRJ-47639, |
Scalable Platforms |
In a Scalable Platform environment, when opening an IPS Packet Capture originated on a local member, the "Fetching in progress" error is displayed, and a "Capture file was not found on remote SGM" entry is printed in the log. |
Take 87 Published on 27 June 2023 and declared as Recommended on 2 August 2023 |
||
PRJ-44424, |
Security Management |
NEW: Added a new field to the output of "mgmt_cli show updatable-objects-repository-content" command. This field displays the object's unique name as it is saved in the updatable objects repository. |
PRJ-43520, |
Security Management |
NEW: It is now possible to add tags to Access rules and sections. A new field "tags" is added to the existing "add/set rule & section" Management APIs . For example:
|
PRJ-45294, |
Security Management |
UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792. |
PRJ-45489, |
Security Management |
UPDATE: Significant performance improvement for policy installation when using many layers (up to four times faster). |
PRJ-45202, ODU-843 |
Web SmartConsole |
UPDATE: New features and improvements are released in Take 76 via self-updatable package. Refer to sk170314. |
PRJ-45471, |
CPView |
UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521. |
PRJ-45464, |
CPView |
UPDATE: First release of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522. |
PRJ-46339, |
Security Gateway |
In rare scenarios, memory corruption occurs during packet correction requiring fragmentation, this may cause the Security Gateway crash or freeze. |
PRJ-45461, |
Threat Prevention |
UPDATE: Added Update 18 and Update 19 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-44951, |
IPS |
UPDATE: Mapping of IPs to country/flag in the Logs & Monitor view > Logs is now automatically updated every day. |
PRJ-43604, PRHF-22566 |
SecureXL |
UPDATE: Added a new kernel parameter allowing to control the size of fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" with the new value and install policy. This can prevent fragment drops when having multiple instances in the Firewall. |
PRJ-47511, |
GaiaOS |
UPDATE: Added notifications about the Expert mode login on Gaia Servers. Refer to sk181230: 1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor). 2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login). These Gaia Clish commands are available to work with this feature:
|
PRJ-45906, |
Scalable Platforms |
UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-44960, |
Scalable Platforms |
UPDATE: Added a new log file to indicate the reason of member reboots if they are triggered by configuration mismatch - /var/log/configuration_reboot_info.log. |
PRJ-44961, |
Scalable Platforms |
UPDATE: Added a new log file - /var/log/pull_config_report.log. It includes the summary of the "pull_config" action when it is performed on a member to indicate the reason for pull_config pnote/failures. |
PRJ-45387, |
HCP |
UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-44450, |
Security Management |
In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow, and operations take longer than usual. Refer to sk180681. |
PRJ-43185, |
Security Management |
If a Security Gateway is added to a group after configuring an installation policy preset, the policy may not be installed on that Security Gateway. Refer to sk181461. |
PRJ-45872, |
Security Management |
In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified. |
PRJ-35493, |
Security Management |
The Data Center object may change the status to "inaccessible/deleted", although the Virtual Machine in Azure was not deleted. |
PRJ-42421, |
Security Management |
An upgrade may fail when a Network object Group contains more than 32000 members. |
PRJ-45059, |
Security Management |
In large Multi-Domain Security Management environments, login to SmartConsole may fail while High Availability synchronization is running. Refer to sk180858. |
PRJ-43558, |
Security Management |
In rare scenarios, in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897. |
PRJ-47101, |
Security Management |
Policy installation may fail with "Target is not defined in the database" error when the target name has many underscore or dash characters. See the Important Notes section. |
PRJ-45157, |
Security Management |
APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites. |
PRJ-45486, |
Security Management |
In rare scenarios, updating or deleting a cluster fails with "Failed to save object xxxx . Server error is: Data required for operation". |
PRJ-42038, |
Security Management |
Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)". |
PRJ-43567, |
Security Management |
After Full synchronization, SmartConsole login from a Domain Management Server to the Security Management Server that is configured as High Availability may fail. |
PRJ-43810, |
Security Management |
Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584. |
PRJ-42619, |
Security Management |
When using the "Deployment from Local Paths and URLs" option, and inserting a correct path, the client is being deployed through the Management Server and not Locally as it should be deployed. |
PRJ-45653, |
Security Management |
Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service. |
PRJ-44994, |
Security Management |
In rare scenarios, login to SmartConsole fails, and opening Security Gateway objects times out. |
PRJ-41327, |
Security Management |
If the Security Management Server is behind NAT, remote Management API login fails. |
PRJ-44084, |
Security Management |
Login with SmartConsole to a Security Management Server may fail if using a DNS name instead of an IP address. Refer to sk180514. |
PRJ-42551, |
Multi-Domain Security Management |
After restoring a Multi-Domain Security Management Server, High Availability synchronization may fail with "The Security Management Servers contain different Hotfixes". |
PRJ-45053, |
Multi-Domain Security Management |
In rare scenarios, in Multi-Domain multi-site environments, an IPS update on the Multi-Domain Security Management Server remains locked. |
PRJ-40737, |
Multi-Domain Security Management |
Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers. |
PRJ-44968, |
Multi-Domain Security Management |
In rare scenarios, in Multi-Domain Security Management environments with over 500K network objects, login to SmartConsole fails with "Connection timed out" or "Unable to connect to server" messages. |
PRJ-46086, |
Multi-Domain Security Management |
A scheduled Install Policy Preset may not have its next run time updated when:
|
PRJ-45067, |
Multi-Domain Security Management |
In rare scenarios, in a Multi-Domain Security Management environment:
|
PRJ-46508, |
SmartConsole |
Data Center objects may not appear as unused objects in the Object Explorer view, although they should. |
PRJ-43597, |
SmartConsole |
Typo in the Compliance report - "OSFP" instead of "OSPF". |
PRJ-39254, |
Logging |
In rare scenarios, many open connections on port 18196 are observed on the Multi-Domain Security Management Server or Multi-Domain Log Security Management Server. |
PRJ-41593, |
Logging |
SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information. |
PRJ-20171, |
Logging |
In large environments, after policy installation or when loading Real Time Monitor, RTMD CPU consumption may be high for several minutes and the process may exit when 4 GB of memory is reached. |
PRJ-38479, |
Logging |
In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured. |
PRJ-41665, |
Logging |
In some scenarios, in the Logs & Monitor view, no results are shown when filtering updatable object names by the "dst_uo_name" field. |
PRJ-36111, |
Security Gateway |
When on Microsoft Active Directory the "mobile" attribute value in DynamicID authentication preferred method is changed to an email address and then back to a phone number, OTP may still be sent to the email. |
PRJ-44094, |
Security Gateway |
In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to the BGP failure. |
PRJ-44231, |
Security Gateway |
After policy installation, a VSX High Availability Cluster member may have a failover and generate a vmcore. |
PRJ-44919, |
Security Gateway |
After an upgrade, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in logs. |
PRJ-45495, |
Security Gateway |
On the Security Gateway with Management Data Plane Separation (MDPS) enabled:
|
PRJ-42357, |
Security Gateway |
Latency in connection caused by a packet flow change from F2V to F2F. |
PRJ-45396, |
Security Gateway |
Login to Mobile Access Portal when authenticating with SAML may fail with an "Error while processing the request" message. Refer to sk180801. |
PRJ-44999, |
Security Gateway |
In a Maestro environment, an encrypted over SSH or RDP connection may get closed when handled by the wrong member. |
PRJ-44310, |
Security Gateway |
In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash. |
PRJ-42529, |
Security Gateway |
In some scenarios, while processing H323 traffic, the Security Gateway may unexpectedly restart. |
PRJ-45477, |
Security Gateway |
Security Gateway may crash when running kernel debugs of the "UP" module. |
PRJ-44250, |
Security Gateway |
When setting "cphwd_enable_ecmp = 1" (to route by the source and destination IP address), the Security Gateway may route the traffic to the wrong MAC. |
PRJ-44953, |
Security Gateway |
When Check Point Active Streaming (CPAS) is used, and the Server's MSS is bigger than the client's MSS, packet fragmentation may occur. |
PRJ-44976, |
Security Gateway |
Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673. |
PRJ-45185, |
Security Gateway |
Traffic stops working after a Security Gateway Member recovers from a failure. Refer to sk180705. |
PRJ-45448, |
Security Gateway |
When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure. |
PRJ-46686, |
Security Gateway |
When adding a new connection, the "Smart Connection Reuse" feature may cause errors in fwk.elg and connection drops. |
PRJ-45954, |
Security Gateway |
When HTTPS Inspection is enabled, website loading in Firefox fails or is slow, after a few seconds, the "NS_ERROR_ABORT" error appears in the network tab of Firefox. Refer to sk180873. |
PRJ-38110, |
Security Gateway |
In some scenarios, the Security Gateway may crash. |
PRJ-44603, |
Security Gateway |
Stack buffer overflow may occur in the FWGTP process. |
PRJ-46536, |
Security Gateway |
The FWK process may unexpectedly exit while processing the mail flow and generate a core dump. |
PRJ-41966, |
Security Gateway |
When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected. |
PRJ-46644, |
Security Gateway |
Incorrect parsing of GTP-U traffic may cause anti-spoofing drops. |
PRJ-44854, |
Security Gateway |
Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter. |
PRJ-44751, |
Security Gateway |
Policy installation may fail with "Error 2000240" because of an IPv6 flow issue. |
PRJ-44550, |
Threat Prevention |
In some scenarios, the FWD process unexpectedly exits, and the Security Group Members state flaps between Active and Down during an Anti-Bot Blade update. |
PRJ-42584, |
Threat Prevention |
When using a host with automatic static NAT in a Threat Prevention policy object, the rule may not be enforced. |
PRJ-44199, |
Threat Prevention |
When IPS Blade is enabled, the Security Gateway may crash. |
PRJ-44569, |
Threat Prevention |
After an upgrade, adding an IoC feed with IP range indicator type may fail with "Feed format problem. Bad or Empty feed". |
PRJ-45561, |
Threat Prevention |
In some scenarios, Anti-Virus and Anti-Bot updates on Maestro Security Group Members may fail. |
PRJ-39346, |
Identity Awareness |
There may be connectivity issues and high CPU spikes on PDP when installing policy. |
PRJ-44315, |
Content Awareness |
When Content Awareness Blade is enabled, there is a limitation of the file size (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied on this connection. |
PRJ-45427, |
Application Control |
Some TLS1.3 applications without SNI do not match the rules. |
PRJ-41654, |
IPS |
Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps. |
PRJ-45754, |
Anti-Virus |
The RAD process CPU utilization may be high when Anti-Virus engine processes many reverse DNS queries. |
PRJ-46278, |
Anti-Virus |
Importing a custom intelligence feed containing IP ranges may fail. |
PRJ-45098 |
Mobile Access |
SSL Network Extender (SNX) may randomly disconnect after a version upgrade. Refer to sk173765. |
PRJ-46401, |
Mobile Access |
Sending emails with attachments via Capsule Workspace may fail on iOS. |
PRJ-45193, |
Mobile Access |
In rare scenarios, IOS users are unable to send emails using Capsule Workspace business mail. |
PRJ-45162, |
ClusterXL |
A VRRP cluster member may be stuck in boot after a cluster upgrade. |
PRJ-44873, |
SecureXL |
Traffic may be dropped and the FWACCEL core file is generated. |
PRJ-44454, |
ClusterXL |
After several failovers in a cluster, connections may fail to synchronize. This can cause a timeout and the "first packet isn't syn" drops. |
PRJ-44676, |
SecureXL |
After an upgrade, packets passing through a Remote Access VPN tunnel in a VSX environment may be silently dropped. |
PRJ-45378, |
Routing |
A VRRP/VRRP6 interface may go into Master/Master state. |
PRJ-41964, |
Routing |
Routing log messages generated when Standby cluster members reconnect to members in Master state are not clear. |
PRJ-44708, |
Routing |
An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface. |
PRJ-44939, |
Routing |
After an update, multicast traffic may be dropped. |
PRJ-44923, |
Routing |
When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode. |
PRJ-41799, |
Routing |
Configuring OSPFv2 Graceful Restart and passive OSPF interfaces at the same time can cause graceful restart failures. |
PRJ-45183 |
Routing |
Cluster member may stop sending multicast PIM traffic after failover or a reboot. Refer to sk180669. |
PRJ-41116, |
Routing |
There may be high CPU utilization and slow recovery of the ROUTED process after a failover. |
PRJ-41961, |
Routing |
In some scenarios, a Security Group Member failover can trigger routes to be lost on other members in the Security Group. |
PRJ-45832, |
Routing |
The ROUTED daemon may unexpectedly exit because of multi-threading issues. |
PRJ-46127, |
Routing |
The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths. |
PRJ-44704, |
Routing |
Multicast receivers send IGMP membership reports, but the outbound interfaces are missing from the routing table. |
PRJ-46357, |
Routing |
Routes marked as "stale" may be redistributed via BGP during graceful restart. |
PRJ-45467, |
VPN |
StrongSWAN Remote Access authentication fails when the LDAP lookup type is not the default method. |
PRJ-44828, PRJ-44990, PRJ-46301, |
VPN |
|
PRJ-45918, |
VPN |
The FWM process may unexpectedly exit at startup because of an incorrect VPN key initiation. |
PRJ-43826, |
VPN |
In a Site to Site VPN, when one of the sites is a cluster in Load Sharing mode, it can cause incorrect destination member calculation for asymmetric connection and the traffic might be dropped. Refer to sk180855. |
PRJ-41969, |
VSX |
Increasing the MTU value of a bonded tagged interface may not be possible. |
PRJ-44088, |
VSX |
Values provided by the VSX OID tree: 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect. |
PRJ-45144, |
VSX |
Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster. |
PRJ-45400, |
VSX |
Warp interfaces may appear in VS0 and disrupt connectivity when editing a Virtual Switch with a bond and VLANs. |
PRJ-44744, |
VSX |
Virtual System's interfaces may be missing when running the Clish command "show/save configuration". |
PRJ-45004, |
VSX |
A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command. |
PRJ-29905, |
Gaia OS |
It may not be possible to enter a snapshot description with more than one word. |
PRJ-45862, |
Gaia OS |
Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error. |
PRJ-41908, |
Gaia OS |
Gaia WebUI logs are printed with "info" severity. |
PRJ-42778, |
Gaia OS |
Scheduled SCP snapshots to a Windows Server may fail with the "Failed to connect to remote server. Please validate connection". |
PRJ-45564, ACCHA-2110 |
Gaia OS |
The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728. |
PRJ-45791, |
CloudGuard Network |
Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries. |
PRJ-45539, |
CloudGuard Network |
AWS Data Center mapping fails when an interface subnet is missing from the list of subnets. |
PRJ-46474, |
VoIP |
SIP traffic may be dropped and "kiss_htab_bl_infra_slink: failed "earlynat_sport_ghtab_bl":3 reason: KISS_HTAB_BL_SLINK_LIMIT_REACHED" is printed in the fwk.elg file. |
PRJ-44613, |
VoIP |
In rare cases, SIP UDP traffic may cause Security Gateway to crash because of a memory allocation issue. |
PRJ-43516, PRJ-32398, |
VoIP |
After an upgrade, VoIP, and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651. |
PRJ-42616, |
Scalable Platforms |
The FW process may unexpectedly exit, producing a core dump file. |
PRJ-45884, |
Scalable Platforms |
In VSLS mode, SNMP traffic may incorrectly be forwarded to SMO instead of DR manager of the corresponding Virtual System. |
PRJ-44926, |
Scalable Platforms |
After an upgrade, local IPv6 traffic from Active members may fail. |
PRJ-41940, |
Scalable Platforms |
When adding a new Virtual System and installing a policy, member state may change to Down. |
PRJ-42513, |
Scalable Platforms |
Upon failover/failback, multicast packets are sent to Active members only. The member that changed state from Down to Active starts receiving the multicast packets before the route is resolved. This may impact traffic. |
PRJ-42263, |
Scalable Platforms |
Excessive "cphwd_get_device_accelerated_ifs: too many interfaces (32,XXX)" messages may log to $FWDIR/log/fwk.elg. Refer to sk180439. |
PRJ-32729, |
Scalable Platforms |
When there is a connectivity issue in the cluster, OSPF packets may be sent with delays and cause an outage. |
PRJ-44527, |
Scalable Platforms |
License is not copied from SMO to all other members if other members are in Down state. |
PRJ-43219, |
Carrier Security |
Security Gateway drops GTP traffic with the reason "Static IP not allowed". See sk181506. |
PRJ-43223, |
Carrier Security |
Security Gateway drops GTP Echo Response traffic with the reason "Wrong Destination Port". See sk181507. |
PRJ-46672, |
Carrier Security |
Packet corruption, leading to traffic and performance issues. |
PRJ-46675, PRJ-46678, |
Carrier Security |
After an upgrade, GTP traffic and memory issues may occur. |
Take 82 Published on 22 March 2023 and declared as Recommended on 8 May 2023 |
||
PRJ-43894, |
Security Gateway |
NEW: We have extended the grace period of Compliance Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-44254, |
Threat Extraction |
NEW: We have extended the grace period of Threat Extraction Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-43806, |
Application Control, URL Filtering |
NEW: We have extended the grace period of Application Control and URL Filtering Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-44575, |
Internal CA |
NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date. |
PRJ-43909, |
SmartView |
NEW: We have extended the grace period of SmartEvent Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process. |
PRJ-42182, |
IPS |
NEW: Added ability to block "HTTP 206 partial content" responses from resources with malicious content. |
PRJ-42657, |
IPS |
UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections. |
PRJ-42305, |
Security Management |
UPDATE: Improved the "Purge revisions" operation to reduce the size of the database. |
PRJ-36634, |
Security Management |
UPDATE: Added an option to configure the maximum number of IPS SNORT rules. These lines should be added at the end (or their value should be changed if they already exist) in the file $FWDIR/conf/malware_config (for MDS - additionally in the $MDS_FWDIR/conf/malware_config file): "[IPS] snort_convertor_max_rules_per_update=<value> snort_convertor_total_rules_num_limit=<value>". Refer to sk136515. |
PRJ-41618, |
Security Management |
UPDATE: To reduce policy installation time in large environments (that have many instances), policy can be installed in batches.
|
PRJ-34963, |
CPView |
UPDATE: Added logging information. The Logging tab can be found in the Advanced tab on both the Security Management Server and Security Gateway. Refer to sk101878. |
PRJ-41200, |
Security Gateway |
UPDATE: Added ability to force GNAT Port randomization. It is controlled by kernel parameter (off by default).
|
PRJ-44558, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.53 to 2.4.55 to fix CVE-2022-37436. |
PRJ-43722, |
SSL Inspection |
UPDATE: The secp256r1 curve is now the preferred choice for signing ECDSA (Elliptic Curve Digital Signature Algorithm) certificates. |
PRJ-44611, |
Threat Emulation |
UPDATE: FakeServer will now listen for packets coming from the Virtual Machine during Threat Emulation to port 18443 instead of port 8443. |
PRJ-43968, |
VPN |
UPDATE: When the VTI MTU is different from the physical MTU, the physical MTU is used for sending packets by default.
Refer to sk98074. |
PRJ-42403, |
VSX |
UPDATE: Added more logs related to Pushing VSX Configuration.
. |
PRJ-45267, |
GaiaOS |
UPDATE: Added a defense mechanism against the hostname command injection in the Gaia Portal (CVE-2023-28130). Refer to sk181311. |
PRJ-44638, |
Gaia OS |
UPDATE: Upgraded OpenSSL from 1.1.1n to 1.1.1t to include the latest security improvements. |
PRJ-43612, |
Gaia OS |
UPDATE: Gaia Cloning Groups will now use the highest TLS version available. |
PRJ-44356, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS ap-southeast-4 Melbourne region. |
PRJ-43050, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS eu-south-2 (Spain) and eu-central-2 (Zurich) and ap-south-2 (Hyderabad) regions. |
PRJ-43026, |
CloudGuard Network |
UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher. |
PRJ-43403, |
Diagnostics |
Skyline may not show any information. Refer to sk180748. |
PRJ-41927, |
Security Management |
After an upgrade, while installing a policy, SmartConsole may unexpectedly close with a "The connection with the server was lost. Any unsaved changes will be preserved" message. Refer to sk180294. |
PRJ-40225, |
Security Management |
The FWM process may frequently exit. This causes SmartConsole authentication to fail and dashboards that were opened before to get closed. |
PRJ-44024, |
Security Management |
When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message. |
PRJ-41891, |
Security Management |
High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server. |
PRJ-42409, |
Security Management |
Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error. |
PRJ-43093, |
Security Management |
After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails. |
PRJ-41761, |
Security Management |
In some scenarios, the CME process fails to start. |
PRJ-42041, |
Security Management |
In a rare scenario, the Show Package tool and some Management API commands with details-level "full" fail. |
PRJ-39745, |
Security Management |
Adding a rule with the Management API and setting the action "to ask" does not set a default UserCheck if UserCheck was not specified. This may cause policy verification failure. |
PRJ-43362, |
Security Management |
Editing a Global Assignment object using Ansible may fail. |
PRJ-43316, |
Security Management |
In SmartConsole, when editing a tagged Security Gateway object, the tags may get removed. |
PRJ-44628, PMTR-90519 |
Security Management |
There may be many duplicates of OCSP response in the $CPDIR/tmp/curl_crl_ocsp folder. |
PRJ-43253, |
Security Management |
In some scenarios, the "api status" command shows that the Management API service is stopped. |
PRJ-42109, |
Security Management |
The date of a policy configured with "accelerated installation" may not be updated in logs. |
PRJ-43311, |
Security Management |
The API command "show-nat-rulebase" may not show the name of each rule in the Rule Base. |
PRJ-43961, |
Security Management |
In rare scenarios, the Security Gateway accepts all IP addresses as approved "gui_clients", although it was provided with a list of specific trusted IP addresses. |
PRJ-44459, |
Security Management |
In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions. |
PRJ-42048, |
Multi-Domain Security Management |
In rare scenarios in a Multi-Domain Security Management environment:
|
PRJ-42848, |
Multi-Domain Security Management |
In a Multi-Domain Security Management environment, traffic may not match rules with custom applications. |
PRJ-44336, |
CPView |
The Network-per-CPU tab under CPVIEW > Advanced > SecureXL does not show traffic distribution for all CPUs. Refer to sk180540. |
PRJ-42083, |
CPView |
A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops. |
PRJ-43588, |
CPView |
In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart. |
PRJ-42283, |
CPView |
CPView may not show some interfaces. |
PRJ-43392, |
Logging |
When working with Multi-Domain Security Management, Virtual Systems (VS's) may be unable to send logs to the management because the Log Server constantly disconnects. |
PRJ-41017, |
Logging |
After an upgrade and change of the Security Management Server name, logs created before the upgrade are unavailable. |
PRJ-33051, |
Logging |
The "Daily logs retention" configuration on the Security Management Server / Log Server object is not applied if the "When disk space is below <number> Mbytes, start deleting old files" option is not enabled in the Disk Space Management. Refer to sk176803. |
PRJ-41017, |
Security Gateway |
When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead. |
PRJ-39800, |
Security Gateway |
After making changes in Policy-Based Routing (PBR) and GRE configuration, the Security Gateway may repeatedly crash. |
PRJ-43126, |
Security Gateway |
Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption. |
PRJ-42087, |
Security Gateway |
The "fw monitor" command output may contain "no packets left to merge" messages. |
PRJ-42706, |
Security Gateway |
DNS parser incorrectly handles additional records, which results in appearing additional DNS IP addresses in the FQDn objects list. |
PRJ-41540, |
Security Management |
The FWK process may unexpectedly exit during Threat Prevention policy installation. |
PRJ-41579, |
Security Gateway |
In some scenarios, the CPD process may unexpectedly exit. |
PRJ-41563, |
Security Gateway |
SAML authentication fails with the "HTTP 500" error when MDPS is enabled on the Security Gateways. Refer to sk179625. |
PRJ-42756, |
Security Gateway |
The Security Gateway may crash because of an issue in the FILEAPP (File Application) module. |
PRJ-44080, |
Security Gateway |
In an Active/Standby cluster, when downloading a file using FTP protocol, the FWK process may unexpectedly exit, and a core dump file is generated. |
PRJ-39601, |
Scalable Platforms |
The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages. |
PRJ-37150, |
ClusterXL |
In an Active/Active cluster, a member may reboot because of a memory corruption issue. |
PRJ-41877, |
Security Gateway |
On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and reboot, the Security Gateway continues to boot in the Kernel Space mode. |
PRJ-40877, |
Security Gateway |
In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages. |
PRJ-42803, |
Security Gateway |
Stability issues when ICAP client is active. |
PRJ-39607, |
Security Gateway |
The Security Group Member (SGM) frequently goes into a Lost-> Down-> Active state because of fullsync pnote. This causes outages. |
PRJ-43553, |
Security Gateway |
Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled. |
PRJ-42943, |
Security Gateway |
When Anti-Spoofing is enabled, the Security Gateway may crash. |
PRJ-38808, |
Security Gateway |
In a rare scenario, when QoS is enabled, the Security Gateway may crash. |
PRJ-41633, |
Security Gateway |
Dynamic Dispatcher may send fragments of the same packet to different Firewall instances during a high load of fragmented traffic. This may cause some packets to drop. |
PRJ-36009, |
Security Gateway |
The Security Gateway may frequently crash with vmcore files, recording invalid context. |
PRJ-43704, |
Security Gateway |
The Security Gateway may crash during policy installation if the Rule Base has multiple layers and many interfaces on the Security Gateway (VLANs). |
PRJ-42101, |
Security Gateway |
When adding an Access Role object in the NAT Rule Base, connectivity issues on the Security Gateway may occur if the Identity Awareness Blade on it is disabled. |
PRJ-43532, |
Security Gateway |
The Security Gateway may crash because of a race condition that occurs during interface change while interface statistic is calculated. |
PRJ-43838, |
Security Gateway |
The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in failures to connect over SSH or policy installation. |
PRJ-43885, |
Security Gateway |
In some scenarios, the FWD process is stuck during policy installation. |
PRJ-43010, |
Security Gateway |
When adding a new RADIUS Server in Gaia Portal, its IP address is automatically added to MDPS tasks, but when deleting this Server, the MDPS task is not deleted. |
PRJ-42295, |
Security Gateway |
When MDPS is configured, mdps_tun interface is shown when running the "cpstat ha -f all" command. |
PRJ-40319, |
Security Gateway |
In rare scenarios, the FWK process can unexpectedly exit and cause an outage. |
PRJ-41494, |
Security Gateway |
Stability issues when ICAP client is active. |
PRJ-40108, |
Security Gateway |
In a rare scenario, the Security Gateway may crash when offloading packets to SecureXL. |
PRJ-43346, |
Security Gateway |
A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file, when HTTP parser does not receive requested data. |
PRJ-42902, |
Internal CA |
The certificate in SmartConsole is shown as valid, although it is expired. |
PRJ-41435, |
Internal CA |
When managing cloud Gateways, the FWM process memory usage may increase. |
PRJ-42285, |
Threat Prevention |
The "ioc_feeds set interval -r" command may fail. |
PRJ-42223, |
Threat Prevention |
In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file. |
PRJ-41597, |
Threat Prevention |
Anti-Virus Blade fails to parse external IoC feeds that contain commas in the CSV column field value. |
PRJ-43994, |
Threat Prevention |
IoC feed may not load because of a parsing issue with the IP address range indicator. |
PRJ-38664, |
Threat Prevention |
The DLPU process may unexpectedly exit with a core dump file. |
PRJ-43997, |
Threat Prevention |
IoC feed may not load, and the "Feed status cybercrime-tracker_hash_list :: engine memory allocation error. Feed log External IoC - External Indicators processing failed" error is displayed in CLI. |
PRJ-32737, |
Threat Prevention |
After an upgrade, the FWD process may frequently exit while creating an AMW_report.xml. |
PRJ-37566, |
Threat Prevention |
When Anti-Virus Blade is enabled, the Security Gateway may crash because of a memory allocation issue. |
PRJ-40471, |
Threat Prevention |
If SSH Deep Packet Inspection (DPI) is enabled and NAT is configured on the Security Gateway, SSH connectivity from the Internet may not be possible. |
PRJ-42437, |
Threat Prevention |
Automatic IPS, Anti-Virus or Anti-Bot updates may fail because of a corrupted next_update file. |
PRJ-41322, |
Identity Awareness |
Connectivity issue may occur during Azure AD Group fetch, and the "get_http_error_msg - http code is 401" error response is shown in Identity Awareness logs. |
PRJ-42343, |
Identity Awareness |
During subsequent policy installations (with an interval of at least 11 minutes between them), the Identity Awareness Gateway configured as an Identity Broker Subscriber revoked all Identities it learned from the Identity Awareness Gateway configured as its Identity Broker Publisher. Refer to sk180659. |
PRJ-33064, |
Identity Awareness |
In a rare scenario, a wrong access role may be assigned to a user. |
PRJ-42338 |
Identity Awareness |
In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing. |
PRJ-42998, |
Identity Awareness |
In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side. |
PRJ-42932, |
Identity Awareness |
The PDPD process may cause CPU spikes during cluster failover. |
PRJ-43746, |
Identity Awareness |
The output of the "pdp monitor cv_le <agent-version>" command may be incorrect. |
PRJ-44382, |
Application Control |
A buffer overflow may occur and cause the FWD process to exit. This leads to the Security Group Members in a Maestro environment change from Active to Down state and creates instability. |
PRJ-42505, |
Application Control |
In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher. |
PRJ-41220, |
Application Control |
The RAD process may freeze when an error occurs, and an error event is initialized. |
PRJ-43502, |
Application Control |
Policy installation may fail with an "Error 0-200184" message because of memory allocation issues. |
PRJ-43974, |
URL Filtering |
When applying the "appi_urlf_ssl_cn_use_sni_without_validation" kernel parameter, only the first notified application may be considered for Rule Base matching, and the rest of the apps are not detected. |
PRJ-41377, |
IPS |
When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation. |
PRJ-29955, |
Anti-Bot |
The "asg perf --delay" command does not change the "refresh time" on the screen. |
PRJ-43681, |
SSL Inspection |
In some scenarios, Inbound HTTPS Inspection may fail when working in USFW (User-Space Firewall) mode. |
PRJ-41412, |
Mobile Access |
Access to a web application that uses WebSocket protocol may not be possible. |
PRJ-42590, |
IPS |
The Security Gateway may crash during policy installation because of a memory allocation problem. |
PRJ-44179, |
IPS |
In some scenarios, the FWK process may unexpectedly exit, while Threat Prevention Blades inspect HTTP traffic. |
PRJ-42713, |
IPS |
In a rare scenario, the Security Gateway may crash during an IPS package update. |
PRJ-43582, |
DLP |
A memory leak may occur in the DLPU process. |
PRJ-35485, |
DLP |
DLP logs for files uploaded to Microsoft OneDrive do not show the initial file names and extensions. Refer to sk178290. |
PRJ-44010, |
Anti-Virus |
The fwk.elg file may be flooded with the "match_cb for CMI APP 11 - CI AV failed on context 144, executing context 366 and adding the app to apps in exception" messages because of improper parsing of HTTP headers by Anti-Virus Blade. |
PRJ-43180, |
SSL Inspection |
The WSTLSD process may unexpectedly exit and create core dump files. |
PRJ-43890, |
SSL Inspection |
In rare scenarios, the FWK and/or WSTLSD processes may unexpectedly exit and create a core dump during certificate validation. Refer to sk180473. |
PRJ-44290, |
Mobile Access |
Some web applications which use PT or UT link translation methods may have issues after a browser upgrade. |
PRJ-43153, |
Mobile Access |
The CVPND process may unexpectedly exit and create a core dump file. |
PRJ-41258, |
Mobile Access |
Web applications may not work correctly when Mobile Access Blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled. |
PRJ-42467, |
Mobile Access |
When Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails while the HTTPD log incorrectly indicates a compliance issue. |
PRJ-43115, |
ClusterXL |
The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces. |
PRJ-42463, |
ClusterXL |
Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled. |
PRJ-43004, |
ClusterXL |
Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292. |
PRJ-44167, |
ClusterXL |
When handling HTTP/2 traffic, cluster members may crash, generating vmcores. |
PRJ-42895, |
SecureXL |
SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router. |
PRJ-29667, |
SecureXL |
When the "fw_tcp_out_of_state_monitor" mode is enabled with the "fw_allow_out_of_state_tcp" flag, some connections may be dropped, although they should go through and be monitored. |
PRJ-42574, |
SecureXL |
Multicast traffic may get dropped, and no logs are generated. |
PRJ-44130, |
SecureXL |
IPv6 template is not created when the connection is NATed. |
PRJ-43982, |
SecureXL |
In a rare scenario, a CPAQ message sent during policy push does not have critical priority, and can be dropped when the Security Gateway is busy. |
PRJ-43409, |
Routing |
The ROUTED process may repeatedly exit when using PIM in Sparse mode (SM). |
PRJ-43921, |
Routing |
Failover may take longer than expected and traffic does not pass for several seconds because dynamic routes are lost. |
PRJ-43055, |
Routing |
The "show ospf neighbors" command shows incorrect values for OSPF "Hello" and "Dead" intervals. Refer to sk180486. |
PRJ-44258, |
Routing |
The ROUTED daemon may unexpectedly exit when using PIM and source IP address is set "0.0.0.0". |
PRJ-41112, |
Routing |
It may take up to three hours for the second member to become Standby after a failover. An outage may occur during this time. |
PRJ-41330, |
Routing |
The ROUTED daemon may unexpectedly exit and generate core dumps after OSPF neighborship was established but did not advertise routes. Lost routing causes the network to be down. |
PRJ-42309, |
VPN |
Improved VPN tunnel synchronization in a Multi-Version Cluster environment (MVC). |
PRJ-43194, |
VPN |
TCP traffic on port 34500 may be encrypted by VPN, although it should not. |
PRJ-24874, |
VPN |
VPN endpoint users fail to login with ECDSA certificate. |
PRJ-44666, |
VPN |
When running the "vpn tu tlist" on cluster Standby members, old IKEv2 SAs may be printed in the output. |
PRJ-40912, |
VPN |
The "failed to terminate session" error is displayed when using RAsession_util to terminate Endpoint client. |
PRJ-44947, |
VPN |
When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664. |
PRJ-40727, |
VPN |
In some scenarios, when NAT is configured, VoIP traffic is dropped. |
PRJ-42878, |
VPN |
When initiating IKEv2 tunnel from Check Point to a third party, creating Child SA fails. Refer to sk180281. |
PRJ-42560, |
VPN |
When the user connects with RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty. |
PRJ-42761, |
VPN |
Despite the Secure Configuration Verification (SCV) exceptions being configured to not apply for connections, the strongSWAN client's traffic is dropped with the "Client's configuration is not verified" error. |
PRJ-41374, |
VPN |
StrongSWAN Remote Access client can connect but fails to access internal resources. |
PRJ-43549, |
VPN |
VPN stability issues. |
PRJ-43298, PRJ-43594, PRHF-27185 |
VPN |
Stability issues for Data connections (RDP / RTP / FTP/ETC). Refer to sk179651. |
PRJ-41049, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-40283, PRJ-43712, PRJ-42652, |
VPN |
Refer to sk180530. |
PRJ-43385, |
VPN |
After an upgrade, an incorrect IPSec users counter may be displayed in SmartView Monitor or when running the "cpstat vpn -f ipsec" command for a cluster. The issue is cosmetic only. |
PRJ-44121, |
VSX |
Changing the main IP address of a Virtual Router may cause the FWM process to exit. |
PRJ-42882, |
VSX |
In VSX, if Dynamic Balancing was manually disabled on R81, after an upgrade from R81 to R81.20, it automatically gets enabled. |
PRJ-41696, |
VSX |
The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database. |
PRJ-42253, |
Gaia OS |
Running the "save configuration" command the second time in the same Clish session may fail with the "free(): invalid pointer" error. |
PRJ-42961, |
Gaia OS |
IPv6 address may be removed from bond VLAN interface when changing bond xmit-hash-policy configuration. Refer to sk180309. |
PRJ-43650, |
Gaia OS |
When setting password hash on cloning group members, some members may not get updated. |
PRJ-42525, |
Gaia OS |
Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181. |
PRJ-43429, |
Gaia OS |
In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit. |
PRJ-42623, |
Gaia OS |
SNMP trap may not be sent after a cluster failover if it occurred by running the "clusterXL_admin down" command. |
PRJ-42219, |
Gaia OS |
Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI. |
PRJ-44237, |
Gaia OS |
The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added. |
PRJ-40033, |
Gaia OS |
When running the "ifconfig -a" command on a Virtual System (VS) with more than 250 interfaces, the "/bin/cp-ifconfig.sh: line 179: /bin/echo: Argument list too long" error is printed. |
PRJ-43562, |
Gaia OS |
When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server. |
PRJ-43024, |
Gaia OS |
The /usr/local/apache2/logs/access_log file is now rotated when its size reaches 1GB. This log file was added to the /etc/cpshell/log_rotation.conf configuration file. Refer to sk166198. |
PRJ-43985, |
Gaia OS |
The "lldpneighbors" Clish command may have a corrupted output. Refer to sk182065. |
PRJ-40692, |
Harmony Endpoint |
When connecting to the Security Management Server with SmartEndpoint but Endpoint component is not activated on the Server, the FWM process may unexpectedly exit. |
PRJ-44477, |
CloudGuard Network |
Azure scan fails if a Virtual Machine Scale Set (VMSS) is deleted after the scan started. |
PRJ-44346, |
CloudGuard Network |
The "Logical Volume duplicate fail" error is displayed in CLI when increasing the lv_current partition with lvm_manager on Azure. Refer to sk180381. |
PRJ-43258, |
CloudGuard Network |
Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object. |
PRJ-43395, |
CloudGuard Network |
VPN Cluster stability issue when the peer is an Azure Security Gateway. |
PRJ-43576, |
CloudGuard Network |
When enabling debug mode with the "$MDS_FWDIR/scripts/cpm_debug.sh -c ObjectCrudSvcImpl" command, it may impact the work of CloudGuard Central License utility. And adding license fails. |
PRJ-42854, |
CloudGuard Network |
A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings. |
PRJ-43067, |
CloudGuard Network |
Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between CloudGuard Network Security controller and VMware vCenter Data. |
PRJ-43076, |
VoIP |
While handling a multi-INVITE scenario (where a user registers with multiple devices), and the VoIP SIP MultiCore feature is enabled, each SIP INVITE maybe be handled simultaneously on different FW instances and cause memory corruption. |
PRJ-39601, |
Scalable Platforms |
The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages. |
PRJ-42753, |
Scalable Platforms |
When using asg alert, the domain name is changed to "BladedCenter.com" instead of the configured name. |
PRJ-42927, |
ClusterXL |
A Hide NAT port may be allocated twice causing the "out of state" drops. |
PRJ-29152, |
Scalable Platforms |
The BMAC address is not updated after moving an SGM from one slot to a different slot. (The issue applies to Security Gateway only, not to VSX.) |
PRJ-43382, |
Scalable Platforms |
The clock verifier test (clock_verifier -v) fails. |
PRJ-43245, |
Scalable Platforms |
In a Maestro Security Group, VPN tunnel is established correctly, but the local connection from Virtual Systems (VSs) fails. The issue occurs when packets are not forwarded to the right VS from the Virtual Switch (VSW). |
PRJ-32201, |
Scalable Platforms |
In VSX mode, when configuring affinity settings on Security Group members, a new added member may stay in Down state. |
PRJ-23110, |
Scalable Platforms |
When creating a Virtual Switch in a Scalable Platform environment, virtual interfaces with names that start with "wrp<Number>" and "wrpj<Number>" have the same MAC address. This causes traffic from the External Switch to the Virtual System (through the Virtual Switch) to be handled by the Virtual Switch. It may lead to high CPU utilization on the Virtual Switch and traffic outage. |
PRJ-44160, |
Gaia OS |
When uninstalling a Jumbo Hotfix, some of the REST APIs may not work. The "gaia_api status" command returns an error and requests may fail. |
PRJ-43803, |
Scalable Platforms |
The "asg perf" command fails when running it with the "-vv" flag. |
PRJ-40399, |
Carrier Security |
GTP traffic may be dropped, and tunnels are not registered in gtp_tunnels. |
PRJ-31657, |
Scalable Platforms |
The output of the "asg perf -6" command shows "IPV6 is Disabled". |
PRJ-40568, |
Scalable Platforms |
The output of the "asg perf" command may not show active software Blades. |
Take 81 Published on 19 January 2023 and declared as Recommended on 8 February 2023 |
||
- |
General |
Alignment to new self-updatable packages. |
PRJ-44013, PMTR-89893 |
VSX |
In VSX, after adding instances to a Virtual System (VS), their state may be inactive. See the Important Notes section. |
Take 79 Published on 9 January 2023 |
||
PRJ-39424 |
Security Management |
NEW:
|
PRJ-38115, |
Security Management |
UPDATE: Install Policy Presets will now run also in multi-site environments, even if the local domain does not have a Server on the Multi-Domain Server with the Active Global Domain, where the operation is triggered from. |
PRJ-22560, |
Security Management |
UPDATE: Improved the "Assign Global Policy" action time by approximately 50%. |
PRJ-42980, |
Web SmartConsole |
UPDATE: New features and improvements are released in Take 73 via self-updatable package. Refer to sk170314. |
PRJ-38055, |
Logging |
UPDATE: When there is no full license for SmartEvent, which includes the Correlation Unit component, Analyzer Client in Legacy SmartEvent Console will now show a relevant message. |
PRJ-41230 |
Logging |
UPDATE: Port 8211 no longer accepts connections with the cipher TLS_RSA_WITH_AES_128_CBC_SHA. |
PRJ-42701, |
Threat Prevention |
UPDATE: Added Update 16 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-42259, |
Threat Prevention |
UPDATE: Reduced loading time of big external Custom Intelligence Feeds. |
PRJ-38721, |
Threat Prevention |
UPDATE: File Download using SSH with MobaXterm Client fails when SSH Deep Packet Inspection (SSH DPI) is enabled. |
PRJ-40772, |
Scalable Platforms |
UPDATE: The "Obtain IPv4 Address Automatically" option in the IPv4 and IPv6 tabs of the Gaia Portal's Interface editor is now disabled (as it is on gClish). |
PRJ-40627, |
Scalable Platforms |
UPDATE: Blocked the ability to install Jumbo Hotfix Accumulator or to run an upgrade to a major version on Quantum Maestro Security Gateways using the Central Deployment tool in SmartConsole or the Management REST API. |
PRJ-38612, |
Harmony Endpoint |
UPDATE: Added the "-ignoreDA" flag for "epmcommands" to clean objects from the deleted users and computers, ignoring the "da_installed" flag. |
PRJ-41934, |
VoIP |
UPDATE: Added a new CLI command "fw ctl voip [-p {sip| mgcp| sccp| h323}] [-na]". It allows printing the description of defined VoIP protections, the required action, and the logging option configured for each protection. |
PRJ-41712, ODU-603 |
Smart-1 Cloud |
UPDATE: Added Update 6 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-41998, |
HCP |
UPDATE: Added Update 11 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-40539, |
Diagnostics |
The cpview -s export operations may fail on VS0 when cpview_services are running. |
PRJ-33895, |
Security Management |
Global Domain Assignment may fail if a rule in the global policy was recently enabled or disabled. |
PRJ-34736, |
Security Management |
When running the "show access-rule" API command with the "show-as-ranges" parameter on rules with negated cells, the returned result may be missing the values of the negated cells. |
PRJ-40237, |
Security Management |
Policy installation may fail with "Segmentation fault" or with "INTERNAL ERROR in PutBlock: dangling block at PutBlock". Refer to sk179700. |
PRJ-42858, |
Security Management |
After performing the "Revert to Revision" operation, new Audit logs cannot be seen in the Logging&Monitoring View in SmartConsole. |
PRJ-34153, |
Security Management |
Packet mode search in HTTPS Inspection policy may not work. |
PRJ-41070, |
Security Management |
Global Policy reassignment fails with "An internal error has occurred" if a Global rule, Rule Base, or section is created, moved, and then deleted without running a reassignment in between. |
PRJ-41975, |
Security Management |
The /var/log/dump/usermode/ directory on the Management Server may contain core dump files for the FWM process. Refer to sk180119. |
PRJ-41291, |
Security Management |
Access Policy installation may fail with the "Internal error occurred during the verification process" error. |
PRJ-40425, |
Security Management |
In rare scenarios, deleting a cluster member may fail with the "Could not delete object. Failed to remove/detach objects licenses" error. |
PRJ-40222, |
Security Management |
In a large environment, High Availability synchronization for the Global domain may fail with the "Global domain is busy syncing, please check sync status" error. |
PRJ-37831, |
Security Management |
"Automatic purge" fails on a Domain with active Global Domain Assignment and "automatic purge" configured on the Global Domain. |
PRJ-39391, |
Security Management |
In some scenarios, the "Assign Global Policy" action fails with the error message: "An internal error has occurred". |
PRJ-39717, |
Security Management |
It may not be possible to discard a work session with a newly created admin, a "Failed to discard revoke certificate" message is shown. |
PRJ-40733, |
Security Management |
In rare scenarios, Global Policy reassignment may fail with a "Failed to find object ID UUID of class com.checkpoint.objects.ips.ThreatIpsProtectionOverride" message. |
PRJ-42535, |
Security Management |
Access policy verification may fail when dynamic objects exist in the NAT policy. |
PRJ-41670, |
Security Management |
When using CME (Cloud Management Extension), the FWM process may unexpectedly exit because of a memory issue. |
PRJ-42251, |
Security Management |
Installing a large Access Control policy on Quantum Spark Security Gateways may fail due to high memory consumption on the Security Management Server caused by FW_LOADER. |
PRJ-41555, |
Security Management |
After an Application Control update, policy installation may fail. |
PRJ-38357, |
Security Management |
After creating a new administrator in SmartConsole, the Administrators view may fail to load with "Error retrieving results". |
PRJ-40822, |
Security Management |
Warning about multiple objects with the same IP address is displayed when there are duplicated auto-generated networks. |
PRJ-41913, |
Security Management |
Installing Database from Security Management on an R80.x Log Server may fail |
PRJ-42104, |
Multi-Domain Security Management |
In a Multi-Domain environment, the HitCount retention mechanism may prematurely remove the HitCount data. |
PRJ-37310, |
Multi-Domain Security Management |
SmartEvent may unexpectedly close when clicking Global Exclusion options or creating a new event. This issue occurs after migrating a Domain from the Multi-Domain Management Server to the Security Management Server. |
PRJ-42359, |
Multi-Domain Security Management |
An upgrade of the secondary Multi-Domain Server or Multi-Domain Log Server may fail when simultaneously upgrading several Servers. |
PRJ-41919, |
Multi-Domain Management |
In rare scenarios, in a Multi-Domain Management Server environment, a memory leak may occur in the FWM process. This may cause the process to exit. |
PRJ-31864, |
Logging |
When exporting logs in CEF format using Log Exporter and the value of the "time-in-milli" parameter is set as "true" (sk173167), the logs are not displayed in ArcSight SIEM Solution. |
PRJ-42413, |
Logging |
When LEA spawning is turned off (sk91343), the FWD process may run out of memory. |
PRJ-40491, |
Logging |
In a rare scenario, when using SmartEvent Automatic Reaction (Mail), the source IP address can be shown as a number and not in the dotted decimal notation format. |
PRJ-37297, |
Logging |
When exporting logs with the fwm logexport script and there is an empty or corrupted log file, the script runs in a loop with the "Failed to read record at position 0" error printed. |
PRJ-40143, |
Logging |
Emails sent as an automatic reaction may show only the first IP address for "Source"/"Destination" fields out of all the detected IP addresses. |
PRJ-21482, |
Logging |
The LOG_INDEXER process on the SmartEvent Server may unexpectedly exit, generating a core dump file, if the Log Server used by the correlation unit is deleted. |
PRJ-35879, |
Logging |
Although the Security Gateway is configured to send Syslog messages to the Domain Log Server (CLM), after several initial logs, they may stop coming to the Log Server. |
PRJ-37705, |
Logging |
It may not be possible to filter the "Subscriber" field in SmartLog. |
PRJ-37499, |
Logging |
The "epoll is enabled" warning is incorrectly displayed during policy installation. |
PRJ-38051, |
Logging |
Syslog messages with the "ErtFeed" type of attack are not indexed correctly in SmartLog. |
PRJ-41916, |
Logging |
Export to CSV in SmartView may be stuck in the "running" status. |
PRJ-39106, |
Logging |
In some scenarios, in the Logs view, the "Description" field may be missing. The issue is only cosmetic. |
PRJ-40916, |
Security Gateway |
The Security Gateway may crash because of memory corruption, and the following error appears in the/var/log/message file: "[xxxx] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: <xxxx>". |
PRJ-41623, |
Security Gateway |
When using Routing Separation and installing a Jumbo Hotfix Accumulator, MDPS configuration may be overridden. Refer to sk138672. |
PRJ-35109, |
Security Gateway |
There may be connectivity failure when browsing to Office 365, and ICAP Client is active on the Security Gateway with enabled "Data Trickling". |
PRJ-39574, |
Security Gateway |
The "sd_exception_chain_with_global_stateless: fwx_get_original_conn_key() failed" messages may flood /var/log/messages if IPS Blade is active. |
PRJ-40234, |
Security Gateway |
There may be stability issues when ICAP client is active. |
PRJ-41863, |
Security Gateway |
After an upgrade, it is not possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). |
PRJ-43342, |
Security Gateway |
The Security Gateway with enabled Anti-Virus may experience a memory allocation issue. |
PRJ-39967, |
Security Gateway |
The Security Gateway may crash with the "xxx kernel: [fw4_27];fwatomload_unregister: module RTM not registered xxx kernel: [fw4_27];e2eDisable: fwatomload_unregister failed" errors printed in logs. |
PRJ-37211, |
Security Gateway |
During a failover, BGP session may be re-established due to equal connection timers between two Security Gateways. |
PRJ-38489, |
Threat Prevention |
In a rare scenario, the mal_conns table may consume a large amount of memory. |
PRJ-41488, |
Threat Prevention |
Loading of Custom Intelligence Feeds with authentication may fail. |
PRJ-43513 |
Threat Prevention |
After an upgrade to Take 51 or higher, Access Control policy fails, if it is configured with an IoC local feed and hash indicators are added. See the Important Notes section. |
PRJ-41315, |
Threat Prevention |
Threat prevention policy installation fails if a Custom Intelligence Feeds name includes unsupported characters. |
PRJ-43368, PRJ-43360 |
Threat Extraction |
In some scenarios, Mail Transfer Agent (MTA) does not scan files with an unsupported extension if they were renamed to ".exe". |
PRJ-38542, |
Identity Awareness |
The PDPD daemon may frequently exit during the user authentication flow. |
PRJ-31974, |
Identity Awareness |
Changing the state of the "Automatic LDAP Group Update" feature for Identity Collector from CLI on the PDP Gateway does not survive a reboot. |
PRJ-34570, |
Identity Awareness |
SNMP/cpstat queries for Identity Awareness OIDs return wrong values if the PDP daemon is not running at the time of the query. |
PRJ-36508, |
Identity Awareness |
The CPU utilization of the PDP daemon may be high during a specific authentication flow. |
PRJ-41819, |
Identity Awareness |
In a rare scenario, the PDPD process may unexpectedly exit during peer certificate verification. |
PRJ-32991, |
IPS |
In some scenarios, IPS logs do not show the correct memory and CPU utilization when IPS is bypassed. |
PRJ-41215, |
Anti-Virus |
In a rare scenario, when Anti-Virus is enabled, there may be frequent VSX cluster failovers, and the Security Gateway may crash. |
PRJ-32971, |
Mobile Access |
Push notification may not be working with the legacy Mobile Access (MAB) Portal. Refer to sk176243. |
PRJ-40744, |
ClusterXL |
The cphaprob show_bond command does not show newly added subordinates from Virtual Systems (VSs). |
PRJ-42444, |
SecureXL |
The Security Gateway may prematurely expire half-closed TCP connections and drop VoIP and HTTPS packets with "First packet isn't SYN". Refer to sk180364. |
PRJ-41692, |
SecureXL |
The Security Gateway may crash and cause an outage when resolving the destination host MAC address through an interface with disabled ARP. |
PRJ-41204, |
SecureXL |
SNDs may reach 100% CPU utilization and are not released in some Site to Site VPN scenarios. |
PRJ-40265, |
CoreXL |
Connections matching the Access Control rules may get timed out, although they should be rejected according to the configuration. |
PRJ-41707, |
Routing |
The ROUTED process may unexpectedly exit when the route does not have a next hop. |
PRJ-41723, |
Routing |
The "asg diag verify" command reports inconsistent OSPFv3 routes for Security Gateway Modules in Quantum Maestro. Refer to sk179931. |
PRJ-42728, |
VPN |
In a rare scenario, when IPv6 is configured, and VPN is enabled, policy installation may cause a stability issue. |
PRJ-40859, |
VPN |
The VPND process may unexpectedly exit. |
PRJ-41808, |
VPN |
When connecting with "Mixed" SSL Network Extender Authentication method, the SNX Client freezes with no output, and the results of the "vpn tu tlist" command show no tunnels. |
PRJ-41641, |
VPN |
In some scenarios, StrongSwan Client may get disconnected during re-authentication. |
PRJ-38166, |
VPN |
Trying to perform the "Reset Tunnel" action for an LDAP user from SmartView Monitor fails. Refer to sk178592. |
PRJ-39170, |
VPN |
Remote Access Client may fail to connect when using machine certificate authentication. |
PRJ-43355, |
VSX |
The SNMPD process may consume a high CPU in a VSX environment and there may be slowness when using the "fw vsx stat" command. Refer to sk180324. See the Important Notes section. |
PRJ-43269, |
Gaia OS |
After an upgrade, the RADIUS Server is unavailable and authentication fails. See the Important Notes section. |
PRJ-41612, |
Gaia OS |
Information about scheduled backup failure is now displayed in Clish, WebUI and in the error message inside the log file. |
PRJ-41685, |
Gaia OS |
In a cloning group cluster, when allowed hosts are changed from "Any" host to a specific host, communication between members is blocked, and the group cannot function. |
PRJ-41408, |
Gaia OS |
When configuring Gaia Cloning Group mode on the cluster, members with "off" state appear without an IP address and the "adding notification Member mvc is down" error is displayed. |
PRJ-34371, |
Gaia OS |
After an upgrade, the backup operation on VSX fails because there is not enough space in /var/log/CPbackup/backups. |
PRJ-42719, |
Harmony Endpoint |
Refer to sk180230. See the Important Notes section. |
PRJ-42149, |
CloudGuard Network |
Improved performance of pushing Data Center Objects changes to Security Gateways. |
PRJ-41845, |
CloudGuard Network |
Improved handling of NSX-T API responses. |
PRJ-42009, |
CloudGuard Network |
When mapping of some Azure Subscriptions fails, assets of these Subscriptions are revoked from the Security Gateway. |
PRJ-42114, |
CloudGuard Network |
AWS Data Center mapping fails when a Subnet with only IPv6 addresses is added to Virtual Private Cloud (VPC). |
PRJ-42256, |
CloudGuard Network |
After an upgrade in a Huawei Cloud environment, a network card may be renamed after a reboot. |
PRJ-19384, |
VoIP |
In some scenarios, when using early media with NAT, the first data connections specified in the SDP get closed, although they should not. And the new data connection does not open, resulting in one-way audio. Refer to sk179651. |
PRJ-42699, |
VoIP |
In some scenarios, when using static NAT, VoIP traffic may be affected. |
PRJ-41211, |
Scalable Platforms |
Performance data may not be collected on VSX Security Gateways. |
PRJ-40179, |
Scalable Platforms |
In a rare scenario, the FWK process may unexpectedly exit and bring down the Security Gateway Module (SGM). |
PRJ-41834, |
Scalable Platforms |
SNMP threshold events traps may be missing "Chassis ID" and "Blade ID" fields. Refer to sk179926. |
PRJ-40836, |
Scalable Platforms |
In a rare scenario, a non-SMO member may send GARP request over the Management interface, causing traffic impact. |
PRJ-41141, |
Scalable Platforms |
In some scenarios, the SNMPD process may unexpectedly exit. |
PRJ-40354, |
Scalable Platforms |
When running the "set kernel-routes on/off" and "set domainname <VALUE>" commands through gCLish, the configuration is applied only locally. |
PRJ-37828, |
Scalable Platforms |
Improved VPN on Quantum Maestro with Security Gateways hidden behind NAT. |
PRJ-42833, |
Scalable Platforms |
When trying to perform the downgrade procedure, a Site may be stuck in Backup state. The issue occurs if, before the downgrade, this Security Group was first upgraded and then its topology was changed. |
PRJ-39189, |
Scalable Platforms |
When a policy is configured with "SNMP trap alert script", the SNMP trap is sent with an undefined OID. |
PRJ-42946, |
Scalable Platforms |
Optimized the SNMP communication between Security Gateway Module (SGM) and Security Switch Module (SSM) to prevent timeouts. |
PRJ-41506, |
Scalable Platforms |
After an upgrade to Jumbo Hotfix Accumulator R81.10 Take 75 or higher, a member may be in Down state with a "pull_config" pnote. |
PRJ-42819, |
Scalable Platforms |
In a Quantum Maestro environment, the sp_upgrade command may fail when working in VSX mode. |
Take 77 Published on 6 November 2022 and declared as Recommended on 1 January 2023 |
||
PRJ-38347, |
Diagnostics |
The CPVIEWD process may cause CPU spikes. |
PRJ-41082, |
Security Management |
UPDATE: If ISP Redundancy is configured for a target Security Gateway, backup interfaces are now used for pushing policy if the primary interface is down. |
PRJ-40720, |
Security Management |
Access Control policy installation may fail with the "Internal error" message when the encryption domain contains a Data Center object. |
PRJ-40850, |
Security Management |
The LOG_EXPORTER process may cause high CPU because of frequent invocation of the "fw ver" command. |
PRJ-39537, |
Security Management |
An Application Control and URL Filtering update may get stuck at 70 percent with the "Running post update actions" status. Refer to sk174587. |
PRJ-40057, |
Security Management |
An Application Control and URL Filtering update may still occur even if the latest version is already installed. |
PRJ-40546, |
Security Management |
After an upgrade, when the local domain Virtual System (VS) is updated, its objects may not be updated. The mirror VS object and local domain VS object may have different versions and colors. |
PRJ-40809, |
Security Management |
SmartConsole may unexpectedly disconnect. |
PRJ-39222, |
Security Management |
An Application Control and URL Filtering Database update may fail. The CPM log file states: "Update APPI Update Task Notification. progress: 100, status: FAILED, statusText: Failed to assign domain". |
PRJ-39333, |
Security Management |
Install Policy Presets may fail with the "Install Policy Failed: Could not commit JPA transaction" error. |
PRJ-41552, |
Security Management |
Policy installation may get stuck on 99% when resuming queued policy installation tasks. |
PRJ-40445, |
Security Management |
Deleting a Threat Emulation Gateway object in SmartConsole may fail. Refer to sk170577. |
PRJ-40407, |
Security Management |
Editing a Threat Profile object using Ansible automation tool may fail. |
PRJ-36206, |
Security Management |
Migration from the Management Server to the Domain Server may get stuck for 6-7 hours and then fail. |
PRJ-40586, |
Security Management |
The "Domain" and "Type" fields may be missing in the "show-groups" command output of a Management API request. Refer to sk179645. |
PRJ-39209, |
Security Management |
The output of the "show opsec-application" API command may not show the host object name or UID. |
PRJ-38455, |
Security Management |
High Availability synchronization may fail with the "Failed to update shared licenses" error. |
PRJ-33921, |
Security Management |
Some unused sessions may remain open in the system, consuming memory and CPU. |
PRJ-38788, |
Security Management |
Install Policy Preset may fail with "The server did not provide a meaningful reply.". Refer to sk179524. |
PRJ-38180, |
Security Management |
Deleting a Domain operation may fail with an "internal error" when more than one of the Security Gateways in the Domain points to the same cluster object in the NAT configuration. |
PRJ-40169, |
Multi-Domain Management |
A Multi-Domain Management Server upgrade may fail if upgrading one of the domains takes longer than four hours. |
PRJ-39488, |
Multi-Domain Management |
In some scenarios, in a Multi-Domain Management Server environment, SmartConsole may unexpectedly disconnect. |
PRJ-38124, PRHF-23066 |
Multi-Domain Management |
Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message. |
PRJ-41126, |
SmartConsole |
Centrally managed Quantum Spark Gateway version may be missing or incorrect after performing the "Get Gateway Data" action from SmartUpdate. |
PRJ-41285, |
Web SmartConsole |
UPDATE: Released Take 67 with new features and improvements. Refer to sk170314. |
PRJ-40612, |
Compliance |
In the Compliance Blade view, regulations with disabled best practices may display a result that does not correspond with the best practices listed below it. |
PRJ-41021, |
CPView |
NEW: Integrated Skyline, a solution that provides an OpenTelemetry CPView Agent service to monitor your Check Point Servers and export health metrics from the CPView tool to an external location. Refer to sk178566. |
PRJ-36191, |
Logging |
UPDATE: Amended the override_server_setting.sh script to support changes in the values of RFL_SOLR_MAX_MERGE_COUNT and RFL_SOLR_MAX_MERGE_THREAD_COUNT. |
PRJ-29737, |
Logging |
In SmartView, exporting views or reports that do not have tables may indefinitely continue processing. |
PRJ-40357, |
Logging |
In some scenarios, the FWD process may unexpectedly exit in a Log Server environment. Refer to sk179596. |
PRJ-28111, |
Logging |
Logs may not be indexed on the Domain Log Server in a Multi-Domain Log Module (MLM) or on the Secondary Multi-Domain Management Server. |
PRJ-41193, |
Logging |
It may not be possible to filter Anti-Virus logs for malicious CIFS traffic in SmartConsole. The issue is cosmetic only. |
PRJ-41359, |
Logging |
Running the "cpstat ls -f logging" command on the Security Gateway may show the "disconnected" status after a reboot, although a new connection is established successfully. |
PRJ-30964, EPS-562 |
Logging |
In some scenarios, the Forensics report fails to open from Harmony Endpoint logs. |
PRJ-36476, |
Logging |
In SmartConsole, when Endpoint Policy Management Blade is enabled, the "SmartView server certificate is invalid" error may be shown when opening a new tab in the Logs & Monitor view. Refer to sk177713. |
PRJ-41102, |
Logging |
When an object name begins with a digit, SmartView Monitor displays a name consisting of the letter "v" and UID instead of the actual object name. |
PRJ-32206, |
Logging |
The "show-logs" Management API command fails when iterating over many pages of queries, and the total fetched records number exceeds 219,900 records. |
PRJ-38143, |
Security Gateway |
UPDATE: Added support for RADIUS UPN authentication with MS-CHAPv2. To use it, enable the registry configuration in ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1. |
PRJ-32780, |
Security Gateway |
UPDATE: The reset expired connections feature (fw_rst_expired_conn) is now supported on connections accelerated by SecureXL. |
PRJ-40097, |
Security Gateway |
UPDATE:
|
PRJ-35147, |
Security Gateway |
Bond subordinates may be visible in the wrong plane. |
PRJ-40792, |
Security Gateway |
Enhanced connectivity during HTTP2 Inspection. |
PRJ-34171, |
Security Gateway |
After an upgrade, in a setup with a single VSX, the Security Gateway may crash. |
PRJ-40862, |
Security Gateway |
Improved the recovery mechanism for Dynamic Balancing. |
PRJ-40458, |
Security Gateway |
In a rare scenario, the FWK process may unexpectedly exit because of a memory allocation issue on the Security Gateway. |
PRJ-40015, |
Security Gateway |
The Security Gateway with VPN may drop the traffic after enabling BGP and Equal Cost Multipath (ECMP). |
PRJ-39519, |
Security Gateway |
Output of the "dynamic_objects -uo_show" command on the Security Gateway may not show any updatable objects. Refer to sk178886. |
PRJ-39926, |
Security Gateway |
When Anti-Virus Blade is enabled, the Security Gateway may crash multiple times with core dump files. |
PRJ-41097, |
Security Gateway |
The "CPLogGetMyIp: fwobj_get_myown failed" error may be printed in CLI when starting cpboot. |
PRJ-24591, |
Security Gateway |
It may not be possible to load specific sites. The Security Gateways drops the traffic from those web servers with "Reason: PSL Drop: MUX_PASSIVE". |
PRJ-39639, |
Security Gateway |
When running the "g_fw monitor" command (Global Firewall Monitor), the traffic capture outputs can be created successfully but cannot be merged. Refer to sk179431. |
PRJ-41029, |
Security Gateway |
Topology auto update may fail because of a too long interface name. |
PRJ-41090, |
Security Gateway |
A kernel crash may occur during system shutdown when PIM is enabled. |
PRJ-41032, |
Security Gateway |
The Security Gateway may run out of memory when retrieving topology. |
PRJ-38590, |
Security Gateway |
In a cluster environment, an ICAP implied rule may not be enforced after policy installation. |
PRJ-38552, |
Security Gateway |
After an upgrade, Anti-Virus Blade may cause increased memory consumption. |
PRJ-40023, |
Security Gateway |
Access Control policy installation may fail with a "Load on Module failed - problem with the Commit Function" message. |
PRJ-36866, |
Security Gateway |
After an upgrade, VSX cluster may have frequent failovers. |
PRJ-39579, |
Security Gateway |
In a rare scenario, when IPS or Application Control is enabled, the Security Gateway may crash. |
PRJ-41415, |
Security Gateway |
The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs. |
PRJ-39331, |
Security Gateway |
After an upgrade, Access Control policy installation may fail with an "Update process is already running" message. |
PRJ-41450, |
Security Gateway |
Policy verification fails when a generic Data Center contains an object with an empty range. |
PRJ-40935, |
Security Gateway |
In a rare scenario, the Security Gateway may have a memory allocation issue. |
PRJ-41345, |
Internal CA |
UPDATE: Internal CA on Check Point Management Servers can now create certificates with 3072-bit RSA keys - the root ICA certificate and SIC certificates. Refer to sk96591. |
PRJ-39988, |
Threat Prevention |
UPDATE: In the Custom Intelligence Feeds feature, decreased the hash indicators loading time. |
PRJ-40973, |
Threat Prevention |
Threat Prevention policy installation may fail with a "Connection aborted by Peer" message. |
PRJ-40592, |
Threat Prevention |
There may be Security Gateway memory allocation issues related to creating a new Anti-Malware policy. |
PRJ-41276, |
Threat Prevention |
Adding hash indicators may cause policy installation to fail with a warning message. |
PRJ-40855, |
Threat Prevention |
IoC feed may not load because of a parsing issue with the IP range indicator. |
PRJ-40437, |
Threat Prevention |
A kernel memory leak may occur during deep file inspection. |
PRJ-29735, |
Threat Prevention |
SCP connections may get terminated. |
PRJ-34888, |
Threat Prevention |
When the Security Gateway is in "Detect Only" mode, Threat Prevention Blade exceptions may not be accelerated. |
PRJ-39829, |
Identity Awareness |
Removed unnecessary debug messages in the Identity revocation flow. |
PRJ-35835, |
Identity Awareness |
Memory consumption may increase after policy installation when Secure ID is configured. |
PRJ-39161, |
Identity Awareness |
The Nested Groups Depth value changed in CLI may not survive a reboot. |
PRJ-37280, |
URL Filtering |
When the Security Gateway works in proxy mode, the Application Control and URL Filtering rules may not match correctly. |
PRJ-38815, |
URL Filtering |
When an URL Filtering rule has "Fail-Close" configuration, the Security Gateway may drop connections, and "URLF internal system error (0)" is recorded as the reason. |
PRJ-31435, |
IPS |
Logs generated by IPS Bypass may not show the correct CPU/Memory Utilization. |
PRJ-37726, |
DLP |
DLP logs for files uploaded to Microsoft OneDrive may not show the initial file names and extensions. Refer to sk178290. |
PRJ-33294, |
Anti-Virus |
Removed a redundant message flooding logs in /var/log/messages: "ws_write_connection: end of body reached - clearing delay write flag". |
PRJ-40260, |
SSL Inspection |
The WSTLSD process may unexpectedly exit and produce a core dump file during certificate chain verification. |
PRJ-39752, |
Anti-Virus |
The Anti-Virus Blade interprets certain types of URLs as forbidden and blocks access to those URLs, although the content behind them is not of the type supposed to be blocked. |
PRJ-36733, |
ClusterXL |
In a VRRP cluster, when an identity session is revoked from a non-master member, the Identity Database may become corrupted and cause an outage. |
PRJ-40832, |
Mobile Access |
After disabling the ActiveSync service on the Security Gateway, login to Capsule Workspace (CWS) may fail. |
PRJ-32968, |
Mobile Access |
Capsule Workspace push notifications do not work when the Single Sign-On (SSO) is configured to "prompt for credentials". Refer to sk176244. |
PRJ-38459, |
Mobile Access |
In some scenarios, it is not possible to connect to SSL Network Extender(SNX), and the VPND log shows: "failed to add to table connectra_sessions_to_instance". |
PRJ-35510, |
ClusterXL |
UPDATE: Added support for the "fw vsx fetch_all_cluster_policies" command, which can fetch policy for all Virtual Systems and Virtual Routers from cluster peers. |
PRJ-39183, |
ClusterXL |
In a VRRP cluster environment with a large number of interfaces, the Security Gateway may consume a lot of memory. |
PRJ-39073, |
SecureXL |
UPDATE: Added a new kernel parameter "fw_allow_reverse_syn" for Smart Connection Reuse. This parameter allows or drops SYN packets coming from the reverse direction. The parameter is set to 0 by default, the Security Gateway drops such packets. Refer to sk24960. |
PRJ-36858, |
SecureXL |
Policy installation may cause cluster failover and impact the traffic flowing through the cluster. |
PRJ-40219, |
SecureXL |
In a rare scenario, ipsctl kernel module does not load at startup. |
PRJ-41481, |
SecureXL |
After an upgrade, SecureXL may drop multicast traffic with "reason:Fragment drops". |
PRJ-39738, |
SecureXL |
There may be high CPU or/and latency in CIFS/SMB connections. |
PRJ-41207, |
Routing |
When changing PIM configuration, the ROUTED process may unexpectedly exit and generate a core dump due to a race condition. |
PRJ-40747, |
Routing |
The ROUTED process may unexpectedly exit when querying BGP data. |
PRJ-36890, |
VPN |
UPDATE: After FIPS mode is enabled, Jitter is now automatically turned on. |
PRJ-41240, |
VPN, Multi-Portal |
UPDATE: Added a new Registry parameter "use_crl_for_revocation_method" that enables the CRL revocation method when the Security Gateway does not get a response from an OCSP Server. Refer to sk179434. |
PRJ-40844, |
VPN |
UPDATE: Added a configurable protection for blocking brute-force attacks on VPN SNX portal. Refer to sk180271. |
PRJ-40753, |
VPN |
Resolved the "HTTP Response splitting" vulnerability in Security Gateway portals. Refer to sk179705. |
PRJ-39235, |
VPN |
When connecting to Capsule VPN on iOS in a Multi-Domain Server or Scalable Platforms environment, loading a website may take up to one minute. |
PRJ-39807, |
VPN |
Adding a Security Gateway Module (SGM) to a Security Group may cause the Security Gateway crash when Link Selection is enabled in Load Sharing mode. |
PRJ-40869, |
VPN |
Site-to-Site NAT-T traffic may be routed incorrectly, which can cause an outage. |
PRJ-40554, |
VPN |
When working in Hybrid mode, it is possible to connect using Remote Access, but it may not be possible to access internal resources. |
PRJ-36710, |
VPN |
Improved Site-to-Site VPN stability. |
PRJ-40385, |
VPN |
The "Unable to open '/dev/fw0': No such file or directory" error may be printed during cpstart. |
PRJ-40582, |
VPN |
Connection over NAT-T tunnels may not be distributed well between instances of the Security Gateway with CoreXL enabled. |
PRJ-37784, |
VPN |
In SmartView Monitor (SVM), the status of tunnels with third-party peers may be inaccurate. Refer to sk169121. |
PRJ-40829, |
VPN |
The Security Gateway does not initiate or accept the VPN negotiation when working in Traditional Mode. Refer to sk179710. |
PRJ-39893, |
VSX |
UPDATE: The "vsx_util view_vs_conf" command output now shows interfaces configured on Virtual Systems in Bridge mode. |
PRJ-38515, |
VSX |
SecureXL may not let HTTPS traffic pass through a Virtual Router (VR). |
PRJ-41362, |
VSX |
A VSX Gateway upgrade may fail with an error related to VSX Filesystem creation. |
PRJ-40703, |
VSX |
A member in a VSX cluster may get stuck in DOWN state with "Event Code CLUS-113200" and a FULLSYNC PNOTE "Could not start a connection to remote member". |
PRJ-34322, |
VSX |
The MTU value configured in SmartConsole may differ from the Virtual Switch (VSW) MTU value in the output of the "ifconfig" command. |
PRJ-39981, |
VSX |
The vsx_util upgrade or downgrade operation may silently fail to update the database for one or more Virtual Systems (VSs). Refer to sk179591. |
PRJ-39887, |
VSX |
Removing a warp interface may fail on one member, which creates a mismatch between the cluster members database because the warp interface remains on other members. Refer to sk180481. |
PRJ-39711, |
VSX |
When running the "reset_gw" command on a VSX cluster member, the sync interface IP address is not deleted as part of the VSX configuration that should be deleted from the Security Gateway. |
PRJ-39767, |
VSX |
Lines indicating uninstalling policies from virtual switches (VSWs) may be printed when running the "fw vsx unloadall" command. |
PRJ-40798, |
VSX |
Extending SNMP with shell script (Article IV-6 in sk90860) fails for non-VS0 Virtual Systems (VSs) when queried via SNMP V3 and a "No more variables left in this MIB View (It is past the end of the MIB tree)" message is shown in the output. |
PRJ-40648, |
VSX |
The VSX Provisioning Tool may unexpectedly exit when adding a new virtual device. |
PRJ-40665, |
VSX |
When changing VSLS configuration with vsx_util, setting a new weight for each VS in Automatic mode fails with the "Operation failed. Can't write to database" error. Refer to sk179655. |
PRJ-38093, |
VSX |
The "Primary Slave" configuration in a Bond (MAGG) interface may not be applied to a Security Group. Refer to sk178765. |
PRJ-42179, |
VSX |
Pushing a VSX configuration fails after changing the CoreXL configuration in a Virtual System object. Refer to sk180107. See the Important Notes section. |
PRJ-40410, PRJ-42485, ODU-611 |
Gaia OS |
UPDATE: Gaia API updates will now be automatically installed through AutoUpdater. Refer to sk165653. |
PRJ-40992, |
Gaia OS |
When MDPS is configured, the SNMPD process may stop responding on some Security Gateways and must be restarted. |
PRJ-40477, |
Gaia OS |
The SNMPD process may unexpectedly exit on the Security Gateway with enabled Management Data Plane Separation (MDPS). |
PRJ-40768, |
Gaia OS |
IPv6 connections with Manual NAT rules may not be stable after enabling Neighbor Discovery Protocol (NDP) on a VLAN in the $FWDIR/conf/local.ndp file. |
PRJ-40027, |
Gaia OS |
A user locked by the deny-on-nonuse mechanism cannot get unlocked. |
PRJ-41370, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS ap-southeast-2 (Jakarta) region. |
PRJ-41734, |
CloudGuard Network |
UPDATE: Added support for Data Centers in AWS me-central-1 Middle East (UAE) region. |
PRJ-41100, |
CloudGuard Network |
Azure Data Center mapping may fail because of a corrupt response from Azure for a specific Virtual Machine Scale Set (VMSS). |
PRJ-40839, |
CloudGuard Network |
Failure to update IP addresses on a single AWS Gateway may cause delays in updating other Gateways. |
PRJ-41462, |
CloudGuard Network |
Import of OpenStack Data Center CloudGuard Network objects may fail. |
PRJ-38023, |
Public Cloud CA Bundle |
Added Take 19 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-41143, |
Smart-1 Cloud |
Added Update 5 of Quantum Smart-1 Cloud. Refer to sk166056. |
PRJ-32195, |
Scalable Platforms |
In a VSX setup that includes members only in Site 2, asg monitoring commands (such as asg stat vs all) may incorrectly present Chassis 2 state as "N/A". |
PRJ-39025, |
Scalable Platforms |
When the "cphaprob list" command fails, CoreXL configuration pnote is not shown when expected. The issue is cosmetic only. |
PRJ-41296, |
Scalable Platforms |
When NAT is configured on both Source and Destination, with delayed sync enabled, connection drops may occur. |
Take 74 Published on 13 October 2022 and declared as Recommended on 24 October 2022 |
||
PRJ-42064, |
Threat Prevention |
Threat Prevention policy cannot be installed on R80.40 and lower Security Gateways when using a Security Zone object in the "Source" column. Refer to sk177605. See the Important Notes section. |
PRJ-42215, |
VSX |
In some scenarios, the vsx_provisioning_tool fails to delete an interface and claims that it has already been freed. |
Take 72 Published on 1 September 2022 |
||
PRJ-39461, |
Security Management |
UPDATE: Management API performance improvements:
|
PRJ-34853, |
Security Management |
UPDATE: Added validation of Custom Application/Site objects to prevent configuring invalid URLs, which causes Access policy installation failure. Refer to sk175187. |
PRJ-36920, |
Security Management |
When a Security Gateway is removed from a VPN community, it may still be seen under the permanent tunnel configuration. The issue is scoped to the Management side and does not impact the Gateway. |
PRJ-35655, |
Security Management |
The Security Cluster Wizard is not shown again after a Management restart in a Full High Availability cluster environment. |
PRJ-35600, |
Security Management |
An IPS update may fail if the user that performs the update is connected to the Multi-Domain Server on which the Global Domain is in Standby mode. |
PRJ-37763, |
Security Management |
The FWM process on the Management Server may unexpectedly exit, creating a core dump file. |
PRJ-35605, |
Security Management |
In SmartConsole, the "error retrieving results" message may be displayed when opening a new tab. |
PRJ-39471, |
Security Management |
Management HA synchronization may fail with the "NGM failed to import data" error. |
PRJ-38064, |
Security Management |
When uninstalling a Threat Prevention policy, there may be a verification warning "There are Threat Prevention uninstall candidates in policy targets", although the operation on the Gateway was completed successfully. |
PRJ-37886, |
Security Management |
Editing an object may fail with the "Could not access file for write operation" error. |
PRJ-38400, |
Security Management |
An Application Control and URL Filtering update may get stuck because of a lock object duplicate issue. |
PRJ-37509, |
Security Management |
Deleting a domain may fail when using the createDomainRecovery.sh script with the "UID" flag. |
PRJ-35060, |
Security Management |
Renaming the Security Management Server may fail with the "Failed to save object" error. Refer to sk177224. |
PRJ-37199, |
Security Management |
The Management API command "show-vpn-communities-star" for Diffie-Hellman groups 15-18 and group 24 fails with the "Invalid DH-Group in VPN Reply" error. Refer to sk27054. |
PRJ-38741, PRHF-23467 |
Security Management |
In a rare scenario, the FWM process may unexpectedly exit and create a core dump. |
PRJ-38799, |
Security Management |
In some scenarios, the "show-gateways-and-servers" Management API command fails with "generic_err_object_not_found" when running it with "details-level full". |
PRJ-39229, |
Security Management |
In some scenarios, the Hit Count column on the NAT policy shows zero hits on all rules, even though there are hits. |
PRJ-38120, |
Security Management |
Policy installation may fail with "an internal error" because of an orphan policy issue. Refer to sk122954. |
PRJ-40202, |
Security Management |
Upon policy installation, Security Gateways may not receive changes made in the Service Based Link Selection configuration file $FWDIR/conf/vpn_service_based_routing.conf as per instructions of sk56384. Refer to sk179699. |
PRJ-37340, |
Security Management |
Objects that do not belong to groups may be shown in the Group Membership view in SmartConsole. |
PRJ-38708, |
Security Management |
Login to Domain via Management API using FQDN as the Domain parameter may fail with the "Domain not found" error. |
PRJ-38217, |
Security Management |
If Log Domain reassignment fails, an Application Control and URL Filtering update may get stuck at 70 percent showing the "Running post update actions" status. |
PRJ-37911, |
Security Management |
The flag "--method" for a CME command is not supported in SmartConsole Command Line. |
PRJ-40110, |
Security Management |
After a policy installation failure, fetching policy on the Security Gateway side by running the "fw fetch local" command may also fail. |
PRJ-40204, |
Security Management |
In some scenarios, certificate based login to a Log Server may fail with "Authentication Error". Refer to sk179144. |
PRJ-39020, PRHF-23435 |
Licensing |
|
PRJ-37988, PRHF-22589 |
SmartConsole |
After an Application Control update, some application control objects may disappear from SmartConsole, although they are not deprecated. |
PRJ-39118, ODU-377 |
Web SmartConsole |
UPDATE: Released Take 59 with new features and improvements. Refer to sk170314. |
PRJ-23758, |
Logging |
UPDATE: The local logging test will no longer run on the "asg_perf_hogs" utility, as it has its HCP (HealthCheck Point) test. Refer to sk171436. |
PRJ-37102, |
Logging |
UPDATE: Scheduled email reports will now use TLS1.2 instead of TLS1.0. Refer to sk178125. |
PRJ-36462, |
Logging |
When running the "cp_log_export filter-Blade-in" command with the value "Endpoint" and restarting the LOG_EXPORTER process, LOG_EXPORTER may fail to start. |
PRJ-38415, |
Logging |
When there are several Log Servers, a log distribution issue may occur. |
PRJ-39296, |
Logging |
An error may occur when changing Default Time Frame while the SmartView language is not English. |
PRJ-39589, |
Logging |
The FWD process may unexpectedly exit and create core dump files. |
PRJ-36020, |
Logging |
In SmartView, the "Top Users that Downloaded Malicious Files" widget in the "Hosts that Encountered Malicious files" view may show no results, although there are matches. |
PRJ-35996, |
Logging |
Logs with actions "Expired" and "Hold" may be missing from the Logging view. |
PRJ-39679, |
Logging |
When exporting the logs table with "All Columns" to a CSV file, the first cell of the first log (time column) displays a non-ASCII character ("ן»¿"), and the time is split into two cells. |
PRJ-39676, |
Logging |
A CSV file exported from SmartView may contain duplicated lines of headers. |
PRJ-40510, |
Security Gateway |
UPDATE: Added a defense mechanism against partial header attacks known as "Slowloris DoS" (CVE-2007-6750). |
PRJ-34679, |
Security Gateway |
UPDATE: Decreased the threshold for connections suspected as heavy from 5 to 3 seconds. Refer to sk164215. |
PRJ-39667, PRHF-23392 |
Security Gateway |
It may not be possible to monitor Security Gateways with enabled Management Data Plane Separation (MDPS). Refer to sk138672. |
PRJ-27916, |
Security Gateway |
When Strict Hold is enabled, traffic is logged with the log "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings". Refer to sk169995. |
PRJ-37518, |
Security Gateway |
The FW Monitor tool may fail when it is used on VSX with the "-v" and "-p all" options. |
PRJ-40999, PRJ-40954 |
Security Gateway |
In a VSX environment, SNMP queries to OSPF OIDs may fail. |
PRJ-40254, |
Security Gateway |
There may be a delay in the Logging view when more than 1000 Security Gateways are connected to the same Log Server. |
PRJ-34403, |
Security Gateway |
Deleting IP addresses in the SAM Database may fail. |
PRJ-37952, |
Security Gateway |
There is a Content Awareness alert for multiple connections and the processing error "Failed to extract text" is printed in logs. |
PRJ-40441, PRJ-38912 |
Security Gateway |
When Anti-Virus Blade is enabled, there may be a continuous high memory consumption which can lead to latency. |
PRJ-39215, |
Security Gateway |
The Security Gateway may crash during PM Stats collection. |
PRJ-39860, PRHF-23952 |
Security Gateway |
After renewing an Internal Certificate Authority (ICA) certificate, policy installation on Virtual Systems may fail with "Internal SSL authentication SSL error (Unknown)". |
PRJ-39685, |
Security Gateway |
An ICAP client crash may cause the Security Gateway also to crash and generate an FWK core dump. |
PRJ-38076, |
Security Gateway |
The Security Gateway may crash with a vmcore. |
PRJ-41455, |
Security Gateway |
During a DDoS attack, the CPD and CPRID processes may unexpectedly exit with core dump files and cause latency. |
PRJ-27778, PMTR-70632 |
Security Gateway |
The RAD daemon may fail and create core dump files on VSX Gateways. |
PRJ-36568, |
Internal CA |
UPDATE: In SmartConsole, added an alert to inform that the ICA certificate will be expired in less than one year. Refer sk158096. |
PRJ-40432, |
Threat Prevention |
UPDATE: The Global Detect value will now be updated in the "ips stat" command output. |
PRJ-39323, |
Threat Prevention |
Improved memory consumption by decreasing the size of the mal_conns table. |
PRJ-40396, ODU-385 |
Threat Prevention |
Added Update 15 of Autonomous Threat Prevention Management integration Release Updates. Refer to sk167109. |
PRJ-41445, |
Threat Prevention |
In a specific HTTP connection scenario, the Security Gateway may become unresponsive. And the /var/log/messages file contains these messages during the time of the issue: " FW-1: fw_kfree: wrong magic number at tail end of XXX (XXX) caller is 'cmik_loader_fw_pm_match_cb' sz=80. FW-1 panic: cmik_loader_fw_pm_match_cb: fw_kfree: wrong magic number at tail (kiss_memory.c:XXX)". See the Important Notes section. |
PRJ-36293, |
Threat Prevention |
A "sft_rule_str_match_init: allocates 0 bytes" message may be printed many times in the /var/log/messages file. |
PRJ-36384, |
Application Control |
Refer to sk178406. |
PRJ-29435, |
URL Filtering |
When the Security Gateway works in proxy mode, the Application Control and URL Filtering rules may not match correctly. |
PRJ-39058, |
IPS |
In a VSX setup, the IP address used as the origin SIC name in the IPS address log may differ from the IP in other reports. |
PRJ-36434, |
IPS |
When ClusterXL is configured, a file may pass without inspection during a failover. |
PRJ-39151, |
Anti-Bot |
|
PRJ-34073, |
Mobile Access |
Manual Web Form Single Sign-On (SSO) may fail when passwords contain special characters. |
PRJ-39153, |
Mobile Access |
Login to Mobile Access Citrix application may fail. |
PRJ-34724, |
Mobile Access |
In some scenarios, The Mobile Access applications fail to login because the Security Gateway may not forward HTTP request cookies of some browser-initiated requests to an internal Server. |
PRJ-35292, |
Mobile Access |
In some scenarios, when Mobile Access Blade is enabled, the Security Gateway may crash. |
PRJ-38435, PMTR-82133 |
Mobile Access |
When installing a specific hotfix, the CVPND process may unexpectedly exit. |
PRJ-34870, |
ClusterXL |
UPDATE: Added support for the "Same VMAC" feature. |
PRJ-37489, |
ClusterXL |
In a VSLS cluster with a few members and Virtual Systems, when shutting down a bond connected to one of the Virtual Systems, all Virtual Systems on this member may go to Down state. |
PRJ-40200, |
ClusterXL |
In a cluster configured in the Active-Active mode, there may be connectivity issues when one of the cluster interfaces is down on one of the cluster members. |
PRJ-39958, |
ClusterXL |
During a Multi-Version Cluster (MVC) upgrade, there may be state flapping when using the sync interface MAC address bit "02". |
PRJ-39839, |
ClusterXL |
When reconnecting the OSPF interface on both members in a cluster, a failover may occur when receiving a ROUTED PNOTE on the Active member. |
PRJ-37943, |
ClusterXL |
In a VSX cluster with three or more members, sudden failover and recovery of the Standby VS may occur, causing termination of connections from the Active member. Refer to sk179446. |
PRJ-38594, |
SecureXL |
UPDATE: Added a new parameter cphwd_mcast_routing_interval_ms (default value is 0), which allows the multicast routing interval to be expressed in milliseconds. |
PRJ-37631, PRHF-22691 |
SecureXL |
UPDATE: The MSS value in the SYN Cookie response can now be configured. |
PRJ-40294, |
SecureXL |
A kernel memory leak may occur in an environment with a cluster in Active/Standby bridge mode. |
PRJ-38559, |
Routing |
UPDATE: Source Pruning will now be disabled by default when VRRP is enabled. This will prevent an interface from keeping the Standby member in Master state after port flapping. The issue is relevant only for Intel X710 network cards using the I40E driver. Refer to sk178484. |
PRJ-40091, PMTR-84418 |
Routing |
When running CPView and working in Source-Specific Multicast Mode (PIM-SSM) simultaneously, the ROUTED process may unexpectedly exit and create a core dump file. |
PRJ-37940, |
VPN |
NEW: KAT tests for IKE and TLS are now validated for FIPS certification. |
PRJ-37548, |
VPN |
In some scenarios, when StrongSwan client is connecting to a site or Security Gateway, the connection is established successfully, and the tunnel is created, but there is no traffic. Refer to sk118536. |
PRJ-37555, |
VPN |
An outage may occur when using IKEv2. |
PRJ-40663, |
VPN |
There may be a low throughput in a Site-to-Site VPN tunnel between two VSX Gateways with enabled. |
PRJ-38633, |
VPN |
Connection to Endpoint Security Client from the Remote Access VPN may be lost when the VPN tunnel timeout is reached. Refer to sk178891. |
PRJ-39064, |
VPN |
Capsule Connect may fail to connect to the Security Gateway because of an Office Mode IP allocation failure. |
PRJ-32680, |
VPN |
An IKEv1 tunnel may be deleted after the Dead Peer Detection (DPD) exchange and can cause an outage. |
PRJ-16239, |
VSX |
UPDATE: Added verification to prevent adding a bridge to a Virtual Router (VR) via the vsx_provisioning tool. |
PRJ-29583, |
VSX |
UPDATE: Decreased the time to edit routes in topologies where multiple Virtual Systems are connected to a Virtual Switch (VSW). |
PRJ-19530, |
VSX |
Policy installation may fail after resetting a Security Geteway and restoring a VSX cluster member backup. |
PRJ-32706, |
VSX |
After restoring the VSX Gateway backup, the SNMP agent stops responding when the context is set for a specific VS. |
PRJ-38726, |
VSX |
When running the "vsx_util downgrade" command, R80.20SP may not be listed as an available version. |
PRJ-38010, |
VSX |
"Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN..." may be printed in dmesg. |
PRJ-39113, |
VSX |
CoreXL instances of SND type may appear in CPView as "OTHER" and not as "CoreXL_SND". |
PRJ-39353, |
VSX |
Running the "brctl_show" command in a non-VS0 context may give VS0 results. |
PRJ-33315, |
VSX |
The FWM process may unexpectedly exit after using the VSX Provisioning tool. |
PRJ-32407, |
VSX |
The OID "Syslocation" can now be configured in the context of a virtual system as described in the article (IV-1) Advanced SNMP configuration in sk90860. |
PRJ-34766, PRHF-21568 |
VSX |
When using Link Selection probing, the VPND process may unexpectedly exit and create a core dump file. |
PRJ-38828, PMTR-82551 |
VSX |
The FWK process of Virtual Switch (VSW) may consume a high CPU. |
PRJ-33041, PMTR-69098 |
VSX |
In a VSX cluster, after pushing Bridge configuration, the state may change from Active/Active to Active/Standby. |
PRJ-32477, |
VSX |
When using the VSX Provisioning Tool, it may not be possible to create a new warp interface and then change the main IP address of the VS in the same transaction. |
PRJ-38408, PMTR-73704 |
VSX |
When creating a virtual system, the "Failed to create Virtual System directories" error is displayed. |
PRJ-38793, PMTR-82492 |
VSX |
In some scenarios, it is not possible to start a vsx_util upgrade/downgrade after a failed attempt. |
PRJ-40250, |
VSX |
In VSX, when deleting a warp interface (either by deleting the warp itself or by performing the "reset_gw" command, which deletes all Virtual Devices), the VSX Gateway may crash. |
PRJ-34095, |
VSX |
When running the "vsx showncs" command, the "cannot retrieve vsid for VSW_gw" error may be shown. |
PRJ-40360, |
VSX |
Improved packet rate performance on warp interfaces. |
PRJ-40072, |
VSX |
A "SIC Error for EntitlementManager: Peer sent wrong DN: CN=xxx,O=xxx" message may be displayed during boot or after running the "cpstart" command. Refer to sk179586. |
PRJ-35585, |
Gaia OS |
UPDATE: It is now possible to use Gaia proxy addresses with more than 16 characters. |
PRJ-24566, PRHF-16407 |
Gaia OS |
UPDATE: Added support for the Excluded Files feature (sk116679) for XFS file system on Kernel 3.10. |
PRJ-27471, |
Gaia OS |
UPDATE: A description was added to the output of the "show backup logs" command with information about each column. Refer to sk173970. |
PRJ-24454, |
Gaia OS |
UPDATE: Changed the Syslog message severity from "error" to "info" and removed the exclamation mark in a specific message which is displayed during the normal backup operation flow. |
PRJ-39378, |
Gaia OS |
The CONFD process may unexpectedly exit and generate a core dump file. |
PRJ-40365, |
Gaia OS |
Gaia Snapshot fails in Gaia Portal ("Maintenance" section > "Snapshot Management" page) - after clicking the "New" button, the progress gets to 100%, but the snapshot file is never created. Refer to sk180579. |
PRJ-37348, |
Gaia OS |
When adding and deleting a neighbor-entry ipv6-address, an error message is displayed, although the operation is successful. |
PRJ-39479, |
Gaia OS |
For TACACS users the ">" character is missing to separate the hostname from the commands. The fix is only cosmetic. |
PRJ-36697, |
Gaia OS |
The /var/log/messages file may be flooded with "failed to update arp table file" messages. |
PRJ-30118, |
CloudGuard Network |
UPDATE: After a failed Data Center mapping, the next scan retry will be initiated with a delay to provide sufficient recovery time. |
PRJ-33577, |
CloudGuard Network |
When trying to add a comment to a Data Center object with API, the name of the object may get the value of the "comments". |
PRJ-38070, |
CloudGuard Network |
Policy install or publish may fail because of the CPM process operations overload. |
PRJ-38643, |
VoIP |
NEW: Added a new tab for VoIP monitoring in CPView. |
PRJ-40929, PRJ-40928 |
VoIP |
After an upgrade, the MGCP traffic may be dropped. The output of the "fw ctl zdebug + drop" command shows: "dropped by fw_early_sip_nat reason: failed to get MGCP ports". |
PRJ-39816, |
VoIP |
The Security Gateway may crash when running UDP and TCP SIP traffic. |
PRJ-32417, |
Harmony Endpoint |
Web Remote Help returns to the sign-in page after generating the response code. Refer to sk172666. |
PRJ-39109, |
Scalable Platforms |
UPDATE: Added ability to change CIN interface IP ranges. Refer to sk179028. |
PRJ-37868, |
Scalable Platforms |
UPDATE: The asg_info command is no longer supported on Scalable Platforms. The "cpinfo -Q" command should be used instead. |
PRJ-39721, |
Scalable Platforms |
Changed the message informing that CPUSE upgrade packages are not available on Scalable Platforms appliances with VPN enabled. The fix is only cosmetic. |
PRJ-39116, |
Scalable Platforms |
The "asg_excp_conf get" command may fail. Existing exceptions cannot be printed due to unaligned exception max size between kernel and userspace (cphaprob). |
PRJ-39637, |
Scalable Platforms |
The Hit Count feature may not provide data for non-SMO members on VSX with Kernel 3.10. |
PRJ-31427, |
Scalable Platforms |
Running the "cphaconf debug_data" command before the member finished the boot phase may cause a crash. |
PRJ-38700, |
Scalable Platforms |
The ROUTED process may unexpectedly exit when OSPF is configured as P2P. |
PRJ-37970, PMTR-76980 |
Scalable Platforms |
In some scenarios, CPWD and HCP report the CPUS_USGS process as terminated. |
PRJ-35284, |
Scalable Platforms |
A cluster member may fail to perform Full Sync and remain in Down state with FULLSYNC PNOTE. |
PRJ-37650, |
Scalable Platforms |
The "asg_copy_capture" logs repeatedly appear in the var/log/messages file. The reason given in the logs is "capture file was not found on remote SGMs". |
PRJ-40308, ODU-454 |
HCP |
Added Update 9 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-40670, ODU-478 |
HCP |
Added Update 10 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 69 Released on 23 June 2022 and declared as Recommended on 22 August 2022 |
||
PRJ-38151, |
Security Management |
UPDATE: Additional improvements to Access Policy installation time. |
PRJ-32817, |
Security Management |
In rare scenarios, when installing a policy after performing "revert to revision", some changes made to a policy may not be installed on the Security Gateway. Refer to sk176768. |
PRJ-37396, |
Security Management |
After performing the Solr Cure procedure, objects may appear as duplicated in SmartConsole. Refer to sk178084. |
PRJ-37495, |
Security Management |
In some scenarios, the "show-hosts" Management API command fails with "generic_error" when running it with "details-level full". Refer to sk178249. |
PRJ-36746, |
Security Management |
Accelerated Install Policy may fail with the verification error: "Rule-name has security zone objects that are not attached to any interface used in Cluster-name ", when the rule contains Security Zone and the install-on target is a cluster. |
PRJ-33076, |
Security Management |
Updating objects with Management API may fail when editing the "groups" field and object UID is specified. |
PRJ-35298, |
Security Management |
When cloning an IPS profile, the advanced settings of cloud protection may not be copied to the new profile. |
PRJ-37327, |
Security Management |
In some scenarios, the policy installation may fail after editing the trac_client_1.ttm configuration file. Refer to sk174646 |
PRJ-37862, |
Security Management |
Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy from the Security Management Server to the Security Gateway. |
PRJ-38148, |
Security Management |
Cloud Shadow Objects verification may take several minutes. |
PRJ-35311, |
Security Management |
The web_api_show_package.sh script and some Management API commands with the "details-level full" option may fail when VPN settings are not defined for Interoperable objects. Refer to sk178410. |
PRJ-36849, |
Security Management |
In rare scenarios, the Management Server may fail to start because of incorrect session handling. |
PRJ-37025, |
Security Management |
Viewing sessions in SmartConsole may fail with an "Error retrieving results" message while importing a Domain. |
PRJ-37259, |
Security Management |
In a large scale environment, the "show-access-rulebase" Management API command may take a significant amount of time to complete or time out after 5 minutes. |
PRJ-37709, |
Security Management |
Install Policy preset fails if the Threat Prevention policy was uninstalled. |
PRJ-37504, |
Security Management |
In rare scenarios, Global Domain Assignment may fail with a "class name not found for object" error message. |
PRJ-37635, |
Security Management |
After changing the IP address of the Secondary Management Server, the old IP address is still shown in the High Availability window until the services are restarted. |
PRJ-37523, |
Security Management |
Reassign Global Policy tasks may be stuck for Domains active on a different Multi-Domain Server even though the task is completed on the destination Multi-Domain Server. |
PRJ-37027, |
Security Management |
Policy Installation may fail with the "Unable to start policy installation" error when the Import Domain task is running in the background. |
PRJ-39177, PRHF-23750 |
Security Management |
In some scenarios, the Management API command "show-packages" with "details-level full" may fail with the "Could not commit JPA transaction" error. |
PRJ-38393, PMTR-72637 |
SmartConsole |
UPDATE: It is now possible to execute the "run-script" Management API command on the Multi-Domain Server (MDS) and Multi-Domain Log Module (MLM) from the System Domain. |
PRJ-33517, |
Logging |
In SmartView Widgets, improved samples visibility. |
PRJ-36027, |
Logging |
In IPS Core Protections logs, the link to the Threat Prevention profile is written incorrectly. |
PRJ-33816, PMTR-72206 |
Logging |
The "log_exporter_reexport" command may export the logs from the beginning of the log file and not from the provided start position. |
PRJ-34250, |
Logging |
There may be an incorrect error message related to MakeConnection method. |
PRJ-37896, |
Logging |
Logs may be missing from SmartConsole after upgrading the Log Server if a VS object is configured without an IP. |
PRJ-34142, PRHF-21218 |
Logging |
On the Domain level, in the Logs view, available services may not appear in the drop-down filter list. Refer to sk178904. |
PRJ-35976, PRHF-21400 |
Logging |
"Failed to open /opt/CPsuite-R81.10/fw1/log/" messages may appear in the log_indexer.elg file because of files ending with the ".log" suffix although they are not actual log files. |
PRJ-36655, |
Security Gateway |
NEW: Added a new kernel parameter "fw_ignore_before_drop_rules". It allows to skip the "before drop" implied rules and enforce policy according to the explicit rule in the Access Rule Base. By default, this capability is disabled. Refer to sk105740. |
PRJ-38689, |
Security Gateway |
UPDATE: When using Routing Separation, hosts and servers configured in Clish will be automatically added to Management Plane (MPLANE). |
PRJ-19036, |
Security Gateway |
UPDATE: In CPView overview, the "FW" field will now show physical memory used instead of virtual memory used. The change is only cosmetic. |
PRJ-33859, |
Security Gateway |
In ISP Redundancy settings, when using the "dead on all host" feature and defining one link without any host (which is a misconfiguration) the ISP link is down. |
PRJ-37609, |
Security Gateway |
When using the DAIP Gateway object in the Access Rulebase, debug error "fwdnd_log_info_lookup failed" may appear in the fwk.elglog, if the relevant rule has log track. Refer to sk178670. |
PRJ-37012, |
Security Gateway |
Multiqueue Clish "show" commands may fail in a Management Data Plane Separation (MDPS) environment. |
PRJ-27894, |
Security Gateway |
In rare scenarios, connectivity issues to specific websites may occur during web traffic inspection. |
PRJ-33930, |
Security Gateway |
Cluster failover may trigger the FWK process to exit, with no traffic impact. |
PRJ-33699, |
Security Gateway |
In some scenarios, file download may fail with the "Connection queue exceeded max size" error. |
PRJ-36120, |
Security Gateway |
In CPView, under Network, Bytes Per Sec value in Traffic Rate may be incorrect. |
PRJ-36515, PRHF-22273 |
Security Gateway |
In a rare scenario, a memory leak in the FWD process may occur during installing Threat Prevention policy. |
PRJ-38044, |
Threat Prevention |
Added Update 14 of Autonomous Threat Prevention Management integration Release Updates. Refer to sk167109. |
PRJ-38684, PRHF-23324 |
Threat Prevention |
In a rare scenario, an IPS, Anti-Virus, or Anti-Bot update package may fail to load because of a timeout. |
PRJ-35852, |
Identity Awareness |
The PEP process may unexpectedly exit. |
PRJ-37979, |
IPS |
In very rare scenarios, a traffic outage may occur. |
PRJ-36521, PMTR-77922 |
IPS |
Improved detection in some IPS protections. |
PRJ-37714, |
IPS |
In some scenarios, an "[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULL" message may be printed in the /var/log/messages file. |
PRJ-36160, |
ClusterXL |
UPDATE: It is now possible to edit minimal number of required subordinate interfaces for Bond Load Sharing via Clish. The new Clish command is "set interface <interface_name> links <value>". |
PRJ-37435, |
ClusterXL |
There may be connectivity issues for multicast traffic in PIM Sparse Mode. |
PRJ-35168, |
ClusterXL |
A single cluster member with Dynamic Routing configuration may stay permanently in DOWN state producing routed pnote during a boot. |
PRJ-36603, |
ClusterXL |
Data connection may be interrupted during a Multi-Version Cluster (MVC) upgrade. |
PRJ-36615, |
ClusterXL |
During a Multi-Version Cluster (MVC) upgrade from R80.30 or lower, Active-Active split brain may happen. Refer to sk174510. |
PRJ-36177, |
ClusterXL |
In Virtual Device Status table, in vs0 context, the output shows the Active-Active status on two members instead of Active-Standby. |
PRJ-35228, |
ClusterXL |
In an Active/Active cluster, potential FTP data connection interruption may occur during failover. |
PRJ-26972, |
ClusterXL |
Local connection from the Management interface on a non-standard port (e.g. 8000) may fail. |
PRJ-37882, |
ClusterXL |
Local connection from a Standby member may fail when packets are not fragmented even if the interface MTU is smaller than the packet size. |
PRJ-38803, PMTR-82026 |
ClusterXL |
When moving a cluster from Unicast to Multicast LS, Gratuitous ARP Request (GARP) may not be sent. The cluster cannot update multicast MAC entries on peers, which can cause traffic lost. |
PRJ-37001 |
SecureXL |
NEW: In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Added a global parameter "cphwd_refresh_nh", disabled by default. It determines whether or not the Security Gateway will invoke its own refresh ARP mechanism after a successful route lookup. Refer to sk175603. |
PRJ-32709, |
SecureXL |
UPDATE: Virtual Extensible LAN (VXLAN) interfaces can now be configured over interfaces with an alias IP address. VXLAN interfaces will not use the alias IP address as the local IP address of the tunnel. |
PRJ-39009, PRHF-22881 |
SecureXL |
SYN Defender may not properly handle the S2C traffic related to Allow List. As a result, this traffic may be dropped. |
PRJ-39003, PRHF-23644 |
SecureXL |
SYN Defender may change MSS in an SYN packet to a larger value, potentially causing traffic drop. |
PRJ-38502, PRHF-23143 |
CoreXL |
An Active member in a cluster may make a full reboot during policy installation. |
PRJ-36939, |
Routing |
In a rare scenario, the ROUTED daemon may unexpectedly exit during a Multi-Version Cluster (MVC) upgrade when using OSPF. |
PRJ-37463, |
VPN |
The VPND process may unexpectedly exit. |
PRJ-37282, |
VPN |
VPN tunnel may not be stable in cluster load-sharing multicast and unicast environments. |
PRJ-36437, |
VPN |
Machine Authentication stability improvements for Remote Access Endpoint Clients. |
PRJ-35421, |
VPN |
When using Remote Access SAML authentication, the "Remote access client IP address and port were changed" log may contain incorrect data in the "Old IP" field. |
PRJ-37774, |
VPN |
Capsule Connect (IPSec VPN) may fail to re-authenticate. |
PRJ-36450, |
VSX |
UPDATE: When resetting SIC for a specific Virtual System (sk34098), the new certificate on the Security Gateway will now be automatically pulled from SmartConsole. |
PRJ-38203, |
VSX |
In some scenarios, the VSX Security Gateway may not decrease the packet's TTL. |
PRJ-36768, |
VSX |
VSX Cluster Internal Communication Network IP address is shown in ifconfig after changing the name or VLAN of a VR physical interface. |
PRJ-33471, |
VSX |
In some scenarios, the "vsx_util reconfigure" command cannot fetch the policy installed previously. |
PRJ-35504, |
VSX |
There may be a mismatch of policy name on virtual switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic. |
PRJ-37617, |
VSX |
After an upgrade from R80.20SP/R80.30SP to R81, pushing accelerated policy may cause all non-SMO SG Members to go down. |
PRJ-35278, |
VSX |
In some scenarios, if VSX Gateway creation fails and rollback is done, the default route of the Security Gateway that was configured via clish is deleted without validation. |
PRJ-37806, |
VSX |
Running the "vsx_util vsls" command may end with the "Segmentation fault" error. |
PRJ-28546, |
VSX |
Latency and packet loss issues may occur when traffic goes through external VS connected to Virtual switch (VSW). Refer to sk177344. |
PRJ-36787, |
VSX |
The "snmpwalk" command may time out after reaching SNMPv2-SMI::mib-2.68.1.2.0. |
PRJ-36524, PMTR-72069 |
Gaia OS |
NEW: Added a Gaia Clish command "show configuration vxlan" to show all VXLAN info (interface creation, IP, MTU, comments, state). |
PRJ-36087, |
Gaia OS |
WebUI session may end when creating a Role with full permissions. |
PRJ-38961, |
Gaia OS |
When loading a configuration file to the new Security Gateway, VLAN interfaces may not be added to the bridge as expected. |
PRJ-38230, |
Gaia OS |
When running the "save configuration" command on a VSX device, other interfaces besides the Management interface are still presented. This is a cosmetic issue. |
PRJ-33556, PMTR-75925 |
Gaia OS |
In some scenarios, in 7000 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443. |
PRJ-37119, |
VoIP |
When static NAT is configured, VoIP calls may not work. |
PRJ-38568, PRHF-23328 |
CloudGuard Network |
UPDATE: Previously, because of connectivity issues with Azure, CloudGuard Controller was deleting IP addresses of Data Center objects from the Security Gateway. CloudGuard Controller will now show an error message instead of revoking identities from the Security Gateway. |
PRJ-37603, |
CloudGuard Network |
In Amazon Web Services (AWS), some Gateways may be crashing frequently with vmcores. |
PRJ-37949, |
CloudGuard Network |
In some scenarios, mapping of AWS Data Centers may take a long time to complete. |
PRJ-37776, |
CloudGuard Network |
During boot on KVM with 10 or more interfaces, the interface order may change. |
PRJ-38870, |
CloudGuard Network |
After changing the default behavior in Identity session conciliation, the "delete-identity" request may trigger Cloud Controller to delete IP addresses from other Identity sources. |
PRJ-38023, |
Public Cloud CA Bundle |
Added Take 18 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-38036, |
Scalable Platforms |
Added Take 21 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-34396, |
Scalable Platforms |
Non-SMO members may go to Down state after Anti-Malware policy installation failed. |
PRJ-36915, |
Scalable Platforms |
During policy installation, the state of the Single Management Object (SMO) may not be stable. |
PRJ-32450, |
Scalable Platforms |
In rare scenarios, changing the number of CoreXL instances in SP environments with many Virtual Systems may fail. |
PRJ-33923, |
Scalable Platforms |
On Scalable platform Chassis in VSX mode, when adding a new member to Security Gateway, the "dxl stat" command may fail with the "Failed to retrieve dxl status" error. |
PRJ-38298, |
Scalable Platforms |
During Jumbo Hotfix Accumulator installation, the sgm_lsp core dump may be created. |
PRJ-38482, |
Scalable Platforms |
When running the CPUSE "installer" command in Gaia gClish of a Security Group, the output may show: "Error Failed to invoke action." Refer to sk178647. |
PRJ-38224, |
HCP |
Added Update 8 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 68 Released on 27 April 2022 and declared as Recommended on 12 June 2022 |
||
PRJ-29848, |
Diagnostics |
In some scenarios, CPView shows the SNMP data partially. |
PRJ-30407, |
Security Management |
UPDATE:
|
PRJ-34228, |
Security Management |
Deleting a Domain may fail when there is an administrator with API key authentication associated with this Domain. |
PRJ-35479, |
Security Management |
Multi-Domain High Availability synchronization in the Global Domain may fail with the "There are invalid assignments on peer" error. |
PRJ-32562, |
Security Management |
Login to SmartEvent with Certificate Authentication may fail. Refer to sk179144. |
PRJ-34182, |
Security Management |
In rare scenarios, the Management Server becomes inaccessible if there are more than 5000 objects in the Gateways and Servers view. |
PRJ-33804, |
Security Management |
The Management API command "set-multicast-address-range" does not remove IPs when the IPv4 or IPv6 address field is empty. |
PRJ-34657, |
Security Management |
In a Multi-Domain Management environment, when fetching a Ldap branch using the "fetch" button from the Global Domain tab, the operation may fail. |
PRJ-30113, |
Security Management |
In rare scenarios, the "show-changes" and "show-sessions" Management API commands may fail. |
PRJ-36802, |
Security Management |
In some scenarios, the last modifier name is missing in unpublished sessions and SmartConsole unexpectedly closes. |
PRJ-33401, |
Security Management |
When automatic purge is configured in a local Domain and there is an assignment between the Global Domain to that Domain, the "show-automatic purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443. |
PRJ-35950, |
Security Management |
In the Compliance view, after changing "Policy Range" to a value smaller than 100%, best practices results become not available. Refer to sk177544. |
PRJ-33565, |
Security Management |
In rare scenarios, a "Create Domain", "Delete Domain" or "Delete Domain Server" task can be stuck at 5% with the "Task in queue" status. |
PRJ-32848, |
Security Management |
In rare scenarios, taking over a session may fail with "SmartConsole has experienced an unexpected error. Session operation failure". |
PRJ-34178, |
Security Management |
In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server". |
PRJ-35225, |
Security Management |
When exporting rules with "hit counts" and the timeframe is set to a different value than "all", the "hit counts" are missing from the export file. Refer to sk177265. |
PRJ-32718, |
Security Management |
If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491. |
PRJ-35017, |
Security Management |
Install Policy Verification may fail with the "Rule has security zone objects that are not attached to any interface used" error when configuring cluster's interfaces on only one member. Refer to sk177129. |
PRJ-32132, |
Security Management |
When working with End Point Cloud, the License tab under "Gateways and Servers" in SmartConsole may show "Certificate error: CertAuthorityInvalid". |
PRJ-33242, |
Security Management |
In rare scenarios, after an update, the Management Server fails to start. |
PRJ-34772, |
Security Management |
Policy installation on R81 (and below) Gateways may fail when there are multiple login options configured with SAML which uses Identity Provider as an authentication method. Refer to sk176725. |
PRJ-35339, |
Security Management |
In rare scenarios, the Management Server may fail to start after an upgrade. |
PRJ-33365, |
Security Management |
Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464. |
PRJ-32746, |
Security Management |
In a rare scenario, the FWM process unexpectedly exits. |
PRJ-32802, |
Security Management |
The mgmt_cli tool (API) with certificate login may not work. |
PRJ-37578, |
Security Management |
In some scenarios, after editing Blades in simple-gateway/cluster Ansible modules, the Blades are not changed, and Ansible shows that no changes occurred. |
PRJ-36622, |
Logging |
UPDATE: SmartView reports will now show the new Check Point logo. |
PRJ-30550, |
Logging |
In rare scenarios, when QoS Blade is enabled, the FWD process may unexpectedly exit. Refer to sk177783. |
PRJ-29174, |
Logging |
Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found" and "fwbintabreplace: table svm_range_gateways_valid not found" from the fwd debug log. |
PRJ-32018, |
Logging |
When running the "show_logs" API command with "query-id argument" and the session is expired, the command ends with a timeout instead of presenting an error. |
PRJ-32373, |
Logging |
When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck. |
PRJ-30145, |
Logging |
Recurring "Unable to open '/dev/fw0': No such file or directory" may be printed in the fwd.elg file. |
PRJ-35201, |
Logging |
In a rare scenario, the Security Management Server does not automatically delete older log files.Refer to sk177627. |
PRJ-34142, |
Logging |
On the Domain level, in the Logs view, available services may not appear in the drop-down filter list. Refer to sk178904. |
PRJ-32580, |
Logging |
In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application. |
PRJ-31495, |
Security Gateway |
UPDATE: A shadow rule can be added if the new rule and the existing rule have different timeouts. |
PRJ-29963, |
Security Gateway |
UPDATE: Added two minutes grace period before dropping the non-TCP server-to-client packets upon policy installation and rematch flow. Refer to sk173287. |
PRJ-35098, |
Security Gateway |
UPDATE: Added a new global parameter: "fw_daf_module_mac_mode". It allows mirroring traffic to a Linux-based device. It is set to "0" by default. Refer to sk178127. |
PRJ-35098, |
Security Gateway |
UPDATE: Added a new global parameter: "fw_daf_module_mac_mode". It allows mirroring traffic to a Linux-based device. It is set to "0" by default. Refer to sk178127. |
PRJ-31666, |
Security Gateway |
UPDATE: Adding Connection and Packet Distribution statistics in CPView. |
PRJ-38236, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53. |
PRJ-31495, |
Security Gateway |
UPDATE: Following sk110157, adding a shadow SAM V1 rule is now possible only if the new rule and the existing rule have different timeouts. If a shadow rule exists, the new shadow rule will override the existing shadow rule. |
PRJ-32792, |
Security Gateway |
Matched rules on Inline layer may appear as the "Accept'"/ "Drop" action instead of "Inline". |
PRJ-35007, |
Security Gateway |
The dynamic NAT allocation port warning is continuously printed in /var/log/messages. Refer to sk177228. |
PRJ-32926, |
Security Gateway |
When running the "cpstop" and "cpstart" commands, NAT statistics may fail with "fwx_alloc_global_find_free_port_atomic: failed to update NAT statistics". |
PRJ-28821, |
Security Gateway |
In rare scenarios, policy installation fails when adding a Cloudguard object to the NAT rulebase. |
PRJ-36048, |
Security Gateway |
In a rare scenario, DNS connection may be dropped with a "up_manager_cmi_handler_match_cb: connection not found" message. |
PRJ-34727, |
Security Gateway |
In rare scenarios, if temporary files were not deleted successfully, downloading certain file types may fail with one of these errors:
|
PRJ-36994, |
Security Gateway |
|
PRJ-33612, |
Security Gateway |
In a rare scenario, the FWD process may unexpectedly exit. |
PRJ-34256, |
Security Gateway |
It may not be possible to use the Office 365 Tenant Restrictions feature when ICAP client is enabled. |
PRJ-33998, |
Security Gateway |
In rare scenarios, slow path connections that should be terminated/aborted may remain open until the timeout. |
PRJ-23480, |
Security Gateway |
Policy installation may fail when there is a heavy load on memory on the Security Gateway. |
PRJ-33274, |
Security Gateway |
The control connection may not be refreshed together with the data connection if the data connection is accelerated. Refer to sk168952. |
PRJ-31208, |
Security Gateway |
The Security Gateway may crash during policy installation due to memory allocation problems. |
PRJ-34268, |
Security Gateway |
The log_exporter process may consume a high CPU. |
PRJ-37529, |
Security Gateway |
Improved Gateway internal memory allocation logic. |
PRJ-35154 |
Threat Prevention |
While using the Security Zone object in the "Source" column in the Threat Prevention policy, Security Gateways R80.40 and lower do not drop traffic. Refer to sk177605. |
PRJ-34218, |
Threat Prevention |
IPS and other Threat Prevention logs may not contain packet capture. And dmesg may be flooded with related errors. |
PRJ-34705, |
Threat Prevention |
In a rare scenario, after excessive memory usage, kernel may crash. |
PRJ-30445, |
Threat Prevention |
In a rare scenario, the DLP process leaves open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space. |
PRJ-36165, |
Identity Awareness |
In a rare scenario, the PDP process may unexpectedly exit with a core dump file. |
PRJ-28219, |
Identity Awareness |
There may be connectivity issues and high CPU spikes on the PDPD, VPND processes, and on the Gateway when installing policy. Refer to sk174144. |
PRJ-35821, |
Identity Awareness |
On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member. |
PRJ-32699, |
Identity Awareness |
Memory usage may be high for the pdpd process in a scenario, related to Identity Awareness nested groups in state 2 and 4. |
PRJ-33148, |
URL Filtering |
In some scenarios, websites encrypted with SSL are not matched correctly when categorization mode is on Hold and IDA is enabled. Refer to sk176283. |
PRJ-34515, |
URL Filtering |
In a rare scenario, when URL Filtering Blade is active, in Website categorization background mode, the FWK process crashes and creates a core dump. |
PRJ-37544, |
IPS |
In a rare scenario, when the Security Gateway is configured as a proxy, file download may fail. |
PRJ-29428, |
IPS |
When Website categorization mode is set to "Hold" and Gateway is Proxy, some connections may be incorrectly terminated. |
PRJ-32610, |
IPS |
When Anti-Virus and/or gzip inspection are enabled on the Gateway, during CloudFlare inspection of specific websites, the Gateway may drop traffic. |
PRJ-34645, |
DLP |
In a rare scenario, the DLP process may not delete temporary files used for scanning. |
PRJ-33210, |
DLP |
The dlpu process may unexpectedly exit, producing a core dump file. |
PRJ-33002, |
SSL Inspection |
UPDATE: Upgraded the default Infrastructure for local communication between some processes to TLS 1.2. |
PRJ-38257, |
SSL Inspection |
In some scenarios, the FWK process may unexpectedly exit during the TLS handshake. |
PRJ-33669, |
SSL Inspection |
In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing. |
PRJ-36355, |
SSL Inspection |
A connectivity issue may occur with certain TLS clients. |
PRJ-30125, |
SSL Inspection |
When HTTPS Inspection is enabled, and traffic is inspected, detect logs for HTTPS traffic may show the "Invalid CRL Retrieved" and "No Valid CRL" error messages. Refer to sk172345. |
PRJ-36299, |
SSL Inspection |
A memory leak related to TLS probe may occur in the WSTLSD process. |
PRJ-36496, |
SSL Inspection |
In a rare scenario, the WSTLSD process may unexpectedly exit while validating signatures of sites with improper certificate chains. |
PRJ-35782, |
SSL Inspection |
When running cipher_util in any VS other than VS0, the "Cannot access features configuration directory" error is shown. |
PRJ-34701, |
SSL Inspection |
Connections may hang and reach a timeout during browsing if the number of WSTLSD instances is reduced through configuration settings. |
PRJ-33955, |
SSL Inspection |
A connectivity issue may occur after changing the Security Gateway's name and installing policy. |
PRJ-34974, |
SSL Inspection |
In rare scenarios, the WSTLSD daemon may unexpectedly restart. |
PRJ-35935, PRJ-35934 |
SSL Network Extender |
UPDATE: SSL Network Extender was updated to version 800008304. It provides TLS 1.2 cipher suites support on macOS. |
PRJ-35245, |
Mobile Access |
MAB Guacamole-based clientless RDP/SSH connections, when closed prematurely, may cause the GuacProxy process to consume 100% CPU. |
PRJ-36059, |
Mobile Access |
Capsule Workspace cannot connect to a Mobile Access Gateway when Citrix application is configured and allowed to the end-user's group. |
PRJ-35979, |
ClusterXL |
A cluster failover may take longer than it should. |
PRJ-36915, |
ClusterXL |
During policy installation, the state of SMO may not be stable. |
PRJ-38370, |
ClusterXL |
Multicast packets may be dropped after policy installation. |
PRJ-33582, |
SecureXL |
In some scenarios, fragmented Cluster LS packets are dropped by SecureXL. |
PRJ-36471, |
SecureXL |
The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW). |
PRJ-36073, |
SecureXL |
In some scenarios, related to sending multicast packets, the ICMP errors may be shown. |
PRJ-34340, |
SecureXL |
The "fwaccel dos rate add" command may fail with the "Another fwaccel command is already in progress" error. |
PRJ-30714, |
Routing |
Connectivity issues may occur after configuration of route based VPN (VTI interface). Refer to sk176368. |
PRJ-34711, |
Routing |
In rare scenarios, the ROUTED daemon may unexpectedly exit or write logs in the incorrect order. |
PRJ-35769, |
Routing |
UPDATE: Routed debug log will now show IP addresses. |
PRJ-35341 |
Routing |
The ROUTED daemon may unexpectedly exit with core dump when some interfaces lose connection with the PIM router. |
PRJ-37590, |
VPN |
During policy installation when using DAIP behind hide NAT, CPU usage for the VPND process may be high. |
PRJ-29881, |
VPN |
Improved VPN interoperability. |
PRJ-34374, |
VPN |
In rare scenarios, Remote Access users cannot connect to the Gateway because of certificate authentication failure. |
PRJ-35430, |
VPN |
In some scenarios, L2TP users cannot connect to the Gateway in a cluster environment. |
PRJ-34493 |
VPN |
Remote Access users may not be able to connect when authenticating using a certificate issued by a subordinate CA. |
PRJ-38810, |
VPN |
In some scenarios, it is not possible to connect with Remote Access using DHCP for Office Mode. Refer to sk178767. See the Important Notes section. |
PRJ-33656, |
VPN |
The VPND process may unexpectedly exit with a core dump file. |
PRJ-35766, |
VPN |
Enhanced stability of Site-to-Site VPN with interoperable devices. |
PRJ-35391, |
VPN |
Improvements for IKEv2 when working with DAIPs. |
PRJ-35474, |
VPN |
Added VPN improvements for IKEv2 SA re-key. |
PRJ-35047, |
VPN |
In some scenarios, NAT-T tunnel establishment may fail. |
PRJ-29544, |
VPN |
Newly defined ROBO Gateways cannot connect until policy installation. |
PRJ-35559, |
VPN |
A memory leak may occur in the VPND process when using Remote Access Secondary Connect. |
PRJ-35343, |
VPN |
Policy installation and establishing a connection from a Gateway with Static IP may fail, if the IP address was previously used by a peer Gateway with DAIP IP which was configured before and had a connection from the DAIP Encryption Domain. |
PRJ-35231, |
VPN |
SSL entries may not be deleted from the "vpn tu tlist" command output, although there was a graceful exit. |
PRJ-35398, |
VPN |
IKEv2 Improvements for DAIP Gateway behind Hide NAT. |
PRJ-36180, |
VPN |
The FWK process may unexpectedly exit on a VS with an S2S VPN tunnel. |
PRJ-35535, |
VPN |
A memory leak may occur in the VPND process when using remote Access Back Connection. |
PRJ-35387, |
VPN |
In some scenarios, the RIM script is not activated in DPD Tunnel monitoring. |
PRJ-35556, |
VPN |
A memory leak may occur in the VPND process when using Remote Access with Multiple Entry Points configured. |
PRJ-34211, |
VPN |
IKEv2 ID configuration may not be applied when an IPv6 address is written as a certificate's alternative name. |
PRJ-35488, |
VPN |
In ike_sa_table there may be an entry with an IP address and not with a DAIP ID. |
PRJ-36238, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-34672, |
VSX |
UPDATE: The "vsx_util reconfigure" operation is not supported on a VSX cluster member or VSX Gateway which has no virtual systems configured. The operation will now alert about the absence of virtual systems. |
PRJ-36688, |
VSX |
In a Multi-Domain environment, the "vsx_util vsls" command may take a few minutes to run. |
PRJ-32079, |
VSX |
When creating a static route on a virtual system, some network objects may be created with the same name inside the network group which causes failure in writing the object to the database. |
PRJ-35000, |
VSX |
The "vsx_util reconfigure" command may fail without printing the cause of the error. |
PRJ-34603, |
VSX |
In some scenarios, the VSX Gateway may incorrectly handle broadcast packets received from a Virtual Switch. |
PRJ-35070, |
VSX |
When creating a new virtual system, some VSLS parameters like the Virtual System's weight value may be displayed wrong. |
PRJ-36770, |
Gaia OS |
NEW: Gaia API (version 1.6 with Python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612. |
PRJ-35003, |
Gaia OS |
Fixed the CVE-2020-14145 vulnerability. |
PRJ-31696, |
Gaia OS |
The "cpopenssl" command may fail with "No such file or directory". |
PRJ-36543, |
Gaia OS |
When adding an SSH host key, it won't be displayed because the total length of the command line cannot contain more than 512 characters. |
PRJ-37224, |
Gaia OS |
Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253. |
PRJ-27909, |
Harmony Endpoint |
In some scenarios, logs related to Harmony Endpoint may be missing. |
PRJ-29972, |
Harmony Endpoint |
In some scenarios, a query which counts host_ckp objects may return more results than expected. It leads to a memory leak with the "Out Of Memory" error. |
PRJ-36364, |
CloudGuard Network |
When booting up, the NSX-T CloudGuard Gateway may crash. |
PRJ-36274, |
CloudGuard Network |
In some scenarios, incorrect data center updates are pushed to the Gateway. |
PRJ-34527, |
CloudGuard Network |
When a Gateway's object name was changed, CloudGuard Central License Tool may fail to distribute licenses to the Gateway. |
PRJ-32917, |
CloudGuard Network |
NEW:
|
PRJ-35548, |
CloudGuard Network |
When there are VS's with same name prefix, the CloudGuard Controller fails to update the VS with Data Center Objects. |
PRJ-37053, |
CloudGuard Network |
In some scenarios, Data Center objects are not enforced on an AWS GEO cluster (Active/Active) Gateway. Refer to sk175904. See the Important Notes section. |
PRJ-36704, |
Public Cloud CA Bundle |
Added Take 14 of Public Cloud CA Bundle. Refer to sk172188. |
PRJ-35612, |
Scalable Platforms |
Setting time on Quantum Scalable Chassis may fail with the "Failed to update the date WARNING: CliError( ) called without module or error code" error. |
PRJ-29821, |
Scalable Platforms |
On a Scalable Platform configured in VSX mode, a new member added to a Security Group may stay in Down state because of a false-positive license issue. |
PRJ-36593, |
Scalable Platforms |
NEW: A new module parameter "ccl_correct_dr_between_chassis" is added.
Refer to sk177943. |
PRJ-36650, |
Scalable Platforms |
Running "cphaconf debug_data" in VSX context may cause the Gateway to crash. |
PRJ-35090, |
Scalable Platforms |
Security Group may drop traffic during an internal failover between Security Group members when Dynamic Anti-Spoofing is enabled. Refer to sk177946. |
PRJ-34216, |
Scalable Platforms |
In some scenarios, when accelerated policy installation is performed on a Security Gateway that doesn't have a valid policy, an obscure failure message is shown. |
PRJ-36360, |
Scalable Platforms |
OSPF may install a route to the incorrect IP when configured as P2P. Refer to sk177686. |
PRJ-37216, |
Scalable Platforms |
Local connection from a Standby site may be dropped if there is a switch between the sites. Refer to sk178045. |
PRJ-26825 |
Scalable Platforms |
Restoring a backup on the security group may get stuck upon reboot. |
PRJ-34048, |
Scalable Platforms |
After changing Multi-Queue configurations, members may remain in Down state. |
PRJ-36830, |
HCP |
Added Update 7 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 65 Released on 11 April 2022 and declared as Recommended on 24 April 2022 |
||
PRJ-38293, |
SmartConsole |
In some scenarios when R81 Jumbo Hotfix Accumulator Take 60 is installed:
Refer to sk178590. |
PRJ-37958, |
Gaia OS |
UPDATE: Upgraded OpenSSL to 1.1.1n to fix CVE-2022-0778. Refer sk178411. |
PRJ-37416, |
Gaia OS |
In a rare scenario, while idle, the Security Gateway may crash producing a vmcore file. |
PRJ-37849, |
VoIP |
A cluster member may crash generating a vmcore because of a mismatch in SIP tables. See the Important Notes section. |
PRJ-37606, |
VoIP |
In a cluster environment, the Gateway may crash with a vmcore. |
Take 60 Released on 15 Mar 2022 |
||
PRJ-29395, |
Security Management |
NEW: Added support for Management API commands: "add-rules-batch" and "delete-rules-batch". |
PRJ-32892, |
Security Management |
UPDATE: It is now possible to increase the timeout value for Management High Availability synchronization. Refer to sk176165. |
PRJ-32765, |
Security Management |
UPDATE: Meta-info and comments fields are now displayed in the output of the "show-tasks" API command with "details-level standard". |
PRJ-24931, |
Security Management |
UPDATE: Added a warning message in SmartConsole, alerting if during policy installation memory utilization of the FWM process exceeded 3.5GB. |
PRJ-32959, |
Security Management |
Added Update 13 of Autonomous Threat Prevention Management integration Release. Refer to sk167109. |
PRJ-31672, |
Security Management |
In rare scenarios, the API commands "show-automatic-purge" and "set-automatic-purge" may fail if there were two earlier attempts to update the Automatic Purge at the same time. |
PRJ-30475, |
Security Management |
Desktop policy installation may fail with the "Service ReferenceObject of type is not supported!" error. |
PRJ-30898, |
Security Management |
In rare scenarios, installing policy on an OSE device may fail with "Policy installation had failed due to an internal error". |
PRJ-32650, |
Security Management |
In rare scenarios, deleting a Domain fails, leaving some remnants in the Management database. |
PRJ-33979, |
Security Management |
Policy installation from the Multi-Domain Server level may trigger installation of two policies for the same VS. |
PRJ-28169, |
Security Management |
In rare scenarios, the Management Server may fail to start due to incorrect sessions handling. |
PRJ-34200, |
Security Management |
High Availability synchronization fails when one Management Server is installed on an appliance of 6000 series and the other one is an Open Server, a Virtual Machine, or installed on an appliance of different series. |
PRJ-30385, |
Security Management |
In rare scenarios, editing a cluster object fails with the "Code: 0x8003001D, Could not access file for write operation" error. Refer to sk176930. |
PRJ-32360, |
Security Management |
In some cases, when changing only the "color" and "comment" object fields, policy installation may not be accelerated. |
PRJ-32669, |
Security Management |
When searching for tags usage, the "where-used" Management API command may fail with "Requested object not found". |
PRJ-29240, |
Security Management |
In some scenarios, the Management API command "show-packages" with "details-level full" may fail with an error. Refer to sk176805. |
PRJ-32857, |
Security Management |
After the Management Server restart, the API command "show_tasks" may show some suppressed tasks as "in progress", if before the restart they were cleared in SmartConsole while they were still running. |
PRJ-33464, |
Security Management |
While editing a Small Office LSM Profile object, SmartConsole may unexpectedly close when enabling Threat Emulation and navigating to the Configuration tab. |
PRJ-30068, |
Security Management |
|
PRJ-31892, |
Security Management |
In some scenarios, the API command "show-changes" fails with "Diff operation failed: Unable to build the diff reply." |
PRJ-32092, |
Security Management |
When searching an IP in Object Explorer, network objects with both IPv6 and IPv4 configured, may not appear in the results, although they match the IP. |
PRJ-34080, |
Security Management |
In some scenarios, after running an Ansible Playbook, objects are locked even though they were not changed. |
PRJ-34226, |
Security Management |
When performing IPS Update or Global Domain Assignment, creating a Domain at the same time may fail with "Internal Error". |
PRJ-33864, |
Security Management |
When creating or updating a service object via Management API, it is not possible to specify a custom aggressive-aging timeout. |
PRJ-32109, |
Security Management |
Policy installation may fail if more than 20,000 objects are created and added to rules. |
PRJ-20592, |
Security Management |
In rare scenarios, if one of the Multi-Domain Servers is down, reconfiguring VSX may fail. |
PRJ-31260, |
Security Management |
In some scenarios, the API command "login-to-domain" fails, and the cpm.elg log shows "Null Pointer Exception". |
PRJ-26781, |
Security Management |
In some scenarios, in Override Categorization, it may not be possible to sort or to find objects by name using Object Explorer. Refer to sk175245. |
PRJ-32360, |
Security Management |
In some cases, when changing only the "color" and "comment" object fields, policy installation may not be accelerated. |
PRJ-30100, |
Security Management |
In rare scenarios, a Multi-Domain administrator's profile may be changed after deleting a Domain if the administrator had custom permissions for it. |
PRJ-30531, |
Security Management |
Creating an administrator in a Multi-Domain environment may cause SmartConsole to freeze and time out. |
PRJ-33287, |
Security Management |
When reassigning Global policy after an IPS update on the Global Domain, the updated IPS version in the Audit Logs view may appear with "-1" value instead of the actual IPS version number. |
PRJ-29910, |
Security Management |
In some scenarios, it is possible to disable a shared layer, although it is used in more than one rule. |
PRJ-32448, |
Security Management |
In rare scenarios, in a Multi-Domain environment, after performing an IPS Update, High Availability synchronization in the Global Domain fails with "NGM failed to import data". |
PRJ-30035, |
Security Management |
|
PRJ-25710, |
Security Management |
Deleting a network group may fail because it is used, although "Where Used" shows no usage. |
PRJ-33521, |
Security Management |
In rare scenarios, the Management Server may fail to start. |
PRJ-32429, |
Security Management |
In rare scenarios, adding a service to a rule in Access Policy:
Refer to sk176004. |
PRJ-30681, |
Security Management |
Policy installation with Directional VPN rules may fail with a verification error. |
PRJ-30884, |
Security Management |
In rare scenarios, during an upgrade, the FWM process may unexpectedly exit with a core dump file. |
PRJ-22266, |
Security Management |
In some scenarios, the user may fail to connect to VPN Remote Access if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale. Refer to sk173967. |
PRJ-33553, |
Security Management |
When using the API to create an OPSEC CPMI application with a custom permissions profile, the default Super User profile is chosen instead. |
PRJ-33056, |
Security Management |
In some scenarios, when editing Exceptions in Inspection Settings, Gateways without IPS Blade may be missing from the "Install On" list. |
PRJ-30282, |
Security Management |
SmartConsole may unexpectedly close when the user opens the Global Assignment view after doing the "Solr Cure" procedure. Refer to sk175443. |
PRJ-34035, |
Security Management |
When many sessions are opened:
|
PRJ-30416, |
Security Management |
Scheduled IPS updates data may not be shown in the IPS update report. |
PRJ-32041, |
Security Management |
In some scenarios, the $MDS_FWDIR/log/cpm.elg file contains many lines about "UnmarshalException". |
PRJ-33951, |
Security Management |
The "fwm logexport" command may fail with the "Failed to dump tables from NGM" error when running it from the Global Domain on the Multi-Domain Server or from the Log Server. |
PRJ-31742, |
Security Management |
In some scenarios, deleting a Domain fails when there is an administrator with API key authentication associated with this Domain. |
PRJ-30059, |
Security Management |
In rare scenarios, after Management Server upgrade, importing the database may fail with "Tried to persist object". |
PRJ-30337, |
Security Management |
When one Server in a logical Server group is down, the second Server keeps trying to access it, no matter how long the Server is down. |
PRJ-31082, |
Security Management |
In rare scenarios, the FWM process on the Security Management Server unexpectedly exits. |
PRJ-30351, |
Multi-Domain Management |
During a CPUSE upgrade of a Multi-Domain Server, if there are multiple external interfaces defined, the Domain Servers may be assigned to an incorrect interface. |
PRJ-30526, |
Multi-Domain Management |
In rare scenarios, running the "fwm sic_reset" command on Multi-Domain Server may fail. |
PRJ-33168, |
Multi-Domain Management |
The mds_backup script may not collect Multi-Domain Server log files from $MDSDIR/log/. |
PRJ-29311, |
SmartConsole |
The Compliance "Security Best Practices" report for the Anti-Bot practice contains unrelated objects starting with "AB_". Refer to sk174911. |
PRJ-29133, |
Compliance |
In some scenarios, auto-update flow fails during updatable object registration. |
PRJ-36042 |
Web SmartConsole |
UPDATE: Released Take 55 with new features and improvements. Refer to sk170314. |
PRJ-34293, |
Compliance |
After disabling Best Practices, the user receives security alerts.
|
PRJ-30092, |
Logging |
In rare scenarios, the LOG_INDEXER process stops working and logs are missing. Refer to sk176403. |
PRJ-19839, |
Logging |
On Gateways with many interfaces, after policy installation or after reboot, Real-Time Monitor (RTM) may consume a high CPU on the Gateway. Refer to sk170928. |
PRJ-30664, |
Logging |
Refer to sk176644. |
PRJ-31617, |
Logging |
Non-English letters in SmartView reports exported as CSV may be displayed incorrectly. Refer to sk175543. |
PRJ-29124, |
Logging |
SmartEvent may not show some of the Anti-Virus logs. |
PRJ-25654, |
Logging |
When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message. |
PRJ-32588, |
Logging |
There may be empty values in the "Office Mode IP" field in the Logs view. |
PRJ-32303, |
Logging |
When configuring an Email alert as an Automatic Reaction in SmartEvent, and the alert contains data from the event, some fields may be missing in the generated email. |
PRJ-32029, |
Logging |
In some scenarios, the "vpn_user" field is empty in the Logs view and SmartEvent Reports, even though it contains values in the raw log. |
PRJ-23314, |
Logging |
Daily Log/Indexes Maintenance does not delete old index files from $RTDIR/log_indexes if they contain files or subdirectories with a format different than %Y-%m-%d. |
PRJ-28317, |
Logging |
The "Last Update Time" field of a Session Log may show incorrect values. |
PRJ-26682, |
Logging |
Logs that are sent by Log Exporter in CEF format, cannot be displayed if they include non-digit characters in the "dst_phone_number" field. |
PRJ-28324, |
Logging |
In some scenarios, in SmartLog, free-text search does not work for some inspection settings logs and their description is missing. |
PRJ-26031, |
Logging |
In a rare scenario, after an NSX Gateway upgrade, enforcement details/identities are not pushed by the controller to the Gateway automatically, it can be done only by manual update. Refer to sk173323. |
PRJ-26308, |
Logging |
In rare scenarios, in SmartConsole, some logs are not shown. |
PRJ-20768, |
Logging |
In SmartConsole:
|
PRJ-32086, |
Logging |
A duplicate entry appears in /etc/cpshell/log_rotation.conf. This issue is only cosmetic. |
PRJ-31808, |
Security Gateway |
NEW: Added a new kernel parameter "cphwd_medium_path_qid_by_cpu_id". The parameter is disabled by default. Refer to sk175890. |
PRJ-32073, |
Security Gateway |
UPDATE: Check Point Active Streaming (CPAS) TCP Window scale factor is now increased up to 6. |
PRJ-34450, |
Security Gateway |
UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode. |
PRJ-33748, |
Security Gateway |
UPDATE: Added a new flag to the "dynamic_objects" command: "-uo <name of object>". The user can now see all content of a specific updatable object. |
PRJ-31273, |
Security Gateway |
UPDATE: The "-c" and "-i" flags in Top Connections Tool are now supported on VSX Gateways. Refer to sk172229. |
PRJ-30012, |
Security Gateway |
In a rare scenario, when QoS is enabled, Security Gateway may crash while interfaces go down and up. |
PRJ-30296, |
Security Gateway |
Enhanced Check Point Active Streaming (CPAS). Refer to sk177025. |
PRJ-30693 |
Security Gateway |
The "Matched rule is not found" error appear when using Suspicious Activity Monitoring (SAM) rules with source and destination networks, or with a NATed IP. |
PRJ-30783, |
Security Gateway |
Access Policy installation may fail with "Error code 1-2000078". |
PRJ-33606, |
Security Gateway |
When there are security zones configured in the NAT rulebase and the connection has NAT on the destination, the Security Gateway IP address may still be shown as the source IP, although it should not. |
PRJ-20628, |
Security Gateway |
Running the "threshold_config" command may cause the CPD process to consume a high CPU. |
PRJ-33082, |
Security Gateway |
Extended logging may show a wrong status of Content Awareness Blade. The issue is only cosmetic. |
PRJ-25150, |
Security Gateway |
In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections. |
PRJ-33360, |
Security Gateway |
First policy installation after an upgrade may be followed by a warning message: "Updatable Objects are used in the policy but Gateway package is missing (see sk121877)". |
PRJ-29541, |
Security Gateway |
After reboot and policy installation, the "No interface configured in SmartCenter server with name mdps_tun. Matching by IP address to interface Mgmt" error may be printed in fwk.elg. |
PRJ-33513, |
Security Gateway |
CPView may show corrupted numbers in "F2V-Reasons". This issue is only cosmetic. |
PRJ-26965, |
Security Gateway |
Improved CPS rate on Autoscale deployments of Amazon Web Services (AWS). |
PRJ-30670, |
Security Gateway |
In rare scenarios, when a Security Gateway is configured as Proxy, a wrong NAT port reuse may happen for 5 minutes long proxied connections. |
PRJ-25029, |
Security Gateway |
When deleting all Suspicious Activity Monitoring (SAM) rules, adding a large number of new rules, and installing policy, the system may hang. |
PRJ-27610, |
Security Gateway |
A debug message may be printed as an error. |
PRJ-31968, |
Security Gateway |
In a rare scenario, "Connection/sec" data for accelerated traffic in CPView may differ from the statistics in SNMP. |
PRJ-31218, |
Security Gateway |
When a large number of VPN tunnels is configured and each one is used by a static route with ping, the ROUTED process may get incorrect cluster IPs for those tunnels. Refer to sk175887. |
PRJ-32337, |
Security Gateway |
Defining an IPv6 NAT rule with address range (hide) on the translated column may fail with an incorrect error message. |
PRJ-30614, |
Security Gateway |
In rare scenarios, when SACK is enabled, there may be connectivity issues. |
PRJ-30180, |
Security Gateway |
In a rare scenario, policy push to multiple Security Gateways may fail. Refer to sk177963. |
PRJ-18400, |
Security Gateway |
The FWD process may unexpectedly exit due to a rare race condition. Refer to sk173424. |
PRJ-29698, |
Security Gateway |
In rare a scenario, a memory leak may occur with a "cpas_streamh_init_from_cookie failed" message printed in /var/log/messages. |
PRJ-32658, |
Security Gateway |
The Security Gateway may unexpectedly reboot and create a vmcore file. |
PRJ-32050, |
Security Gateway |
In a rare scenario, the Security Gateway may crash during policy installation. |
PRJ-32575, |
Security Gateway |
When deleting connection table entries with "fw ctl conntab -x", and using "rule", "service", "type", "flags" or "state" filters, entries that do not match these filters may still be deleted. |
PRJ-33125, |
Security Gateway |
In some scenarios, memory consumption and CPU usage may increase consistently. Refer to sk176370. |
PRJ-33493 |
Security Gateway |
The "Policy installation failed on gateway" error message is shown when the policy is pushed to multiple R80.20 Quantum Spark appliances. Refer to sk176713. |
PRJ-28448, |
Security Gateway |
DNS Server is getting overloaded with DNS requests from the Security Gateway when Domains or updatable objects are used in policy. The "Domain doesn't exist" error is shown. |
PRJ-35902 |
Security Gateway |
Uninstalling Jumbo Hotfix may cause interfaces to disappear. |
PRJ-31017, |
Internal CA |
In a rare scenario, when CRL files are created, some of them may be generated with a large number in the filename. When deleting CRL files, CPCA repeatedly fails to start. |
PRJ-33250, |
Internal CA, VPN |
Creating a certificate for a third party Gateway with Check Point Internal CA may fail on the third party side. Refer to sk176468. |
PRJ-31462, |
Threat Prevention |
When the "Automatically download Blade Contracts, new software, and other important data" checkbox is unchecked, Security Gateway may fail to update Threat Prevention packages. |
PRJ-33544, |
Threat Prevention |
When IPS Automatic update is enabled, a memory leak may occur in the FWD process. Refer to sk176947. |
PRJ-37475, |
Identity Awareness, Identity Logging |
UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148. |
PRJ-30493, |
Identity Awareness |
UPDATE: Enhanced Identity Sharing SmartPull mechanism for large scale environments. |
PRJ-32872, |
Identity Awareness |
When Identity Awareness Blade is enabled on the Security Gateway, rebooting of a member may trigger additional reboots. This may cause |
PRJ-30948, |
Identity Awareness |
In some scenarios, persistent high CPU is caused by ADQuery due to a large number of authentication requests. |
PRJ-30994, |
Identity Awareness |
In a rare scenario, the priorities defined in User Directory (Gateway level) override the default Domain Controller (DC) priorities defined in the LDAP Account unit. Servers with priority above 1000 are not ignored, although they should be. |
PRJ-27736, |
Identity Awareness |
The PDPD process may fail with "daemon did not respond or not running!" or cause a high CPU. |
PRJ-32127, |
Identity Awareness |
An Identity Broker subscriber may be shown as the session owner for Remote Access VPN sessions received from another publisher. |
PRJ-28055, |
Application Control |
In a rare scenario, the SSM may encounter an issue and stop working. |
PRJ-29769, |
URL Filtering |
In a very rare scenario, when the Application Control (APPI) and URL filtering Blades are active, in hold mode, some applications cannot be identified and the traffic is dropped. |
PRJ-28739, |
IPS |
In some scenarios, the destination IP is missing from the IPS logs. Refer to sk174588. |
PRJ-30803, |
IPS |
After installing a Threat Prevention policy with many rules and/or exceptions, on multiple Security Gateways together, Security Gateways may consume more CPU during rule-match of new connections. |
PRJ-23348, |
IPS |
The track logging configuration of Network Quota protection is not applied. |
PRJ-28491, |
IPS |
In Autonomous Threat Prevention mode, "Profile Name" and "SmartDefense" fields may be missing in the IPS log. |
PRJ-30606, |
DLP |
UPDATE: Added temporary files cleaner for file converting operation. |
PRJ-30426, |
DLP |
The dlpu process may unexpectedly exit with core dump file. |
PRJ-31167, |
SSL Inspection |
In some scenarios, the WSTLSD process may unexpectedly close, or a memory leak may occur. |
PRJ-34446, |
SSL Inspection |
The fwk process may unexpectedly exit during the TLS handshake. |
PRJ-34272, |
SSL Inspection |
A memory leak may occur in the WSTLSD process during session resumption for TLS 1.2. |
PRJ-31202, |
SSL Inspection |
If TLS 1.3 is enabled, using imported ECDSA certificates for HTTPS Inspection may cause the Security Gateway to crash. |
PRJ-31497, |
SSL Inspection |
When HTTPS Inspection is disabled and the "Categorize HTTPS websites" option is enabled, the "failed attaching RSA stub certificate to server" errors may appear in the fwk.elg and wstlsd.elg files during policy installation. |
PRJ-32884, |
SSL Inspection |
When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation. |
PRJ-31173, |
SSL Inspection |
A memory leak, related to TLS probing, may occur in the WSTLSD process. |
PRJ-33407, |
SSL Inspection |
In rare scenarios, TLS probing connections may remain open for extended periods. |
PRJ-32901, |
SSL Inspection |
In a rare scenario, the WSTLSD process may unexpectedly exit and produce a core dump file. |
PRJ-31232, |
SSL Network Extender |
SSL Network Extender (SNX) may fail during large file transfers. Refer to sk87760. |
PRJ-31177, |
Mobile Access |
UPDATE: Upgraded JQuery library version (from 1.1 to 3.6). |
PRJ-33876, |
Mobile Access |
Policy installation may fail due to table creation issues. |
PRJ-32471, |
ClusterXL |
Added Syslog support for Cluster events messages. |
PRJ-30382, |
ClusterXL |
In a rare scenario, after an upgrade and reboot, a Standby member is set to down with a FULLSYNC PNOTE and cannot synchronize. |
PRJ-30819, |
SecureXL |
In a rare scenario, after an upgrade, HTTPS traffic may be dropped. |
PRJ-28645, |
SecureXL |
A redundant message "ACC: Accelerator started. " is printed in dmesg logs. |
PRJ-31487, |
Routing |
In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Refer to sk175603. |
PRJ-24057, |
Routing |
In some scenarios, when using DHCP, the Security Gateway may not correctly route traffic to hosts. |
PRJ-33356, |
Routing |
|
PRJ-30027, |
Routing |
After a failover, OSPF may restart immediately after the ROUTED daemon starts which causes the Active member to go into Down state instead of Standby state. |
PRJ-32424, |
VPN, Multi-Portal |
UPDATE: Certificate validation flow will use OCSP as the default revocation validation method. If OCSP URL does not exist, CRL will be used as a revocation validation method. |
PRJ-31473, |
VPN |
UPDATE: In policy installation, the type of messages, related to VPN certificate expiration, is changed from "info" to "warning". This issue is only cosmetic. |
PRJ-33738, |
VPN |
When applying Secure Configuration Verification (SCV) VPN client is not able to distinguish between Windows 10 and Windows 11. |
PRJ-31108, |
VPN |
In some scenarios, a memory leak may occur in the VPND process. |
PRJ-31290, |
VPN |
Hardened the ability to use narrowed IKEv2 tunnels. Refer to sk166417. See the Important Notes section. |
PRJ-32550, |
VPN |
A memory leak may occur during Office Mode IP allocation. |
PRJ-32519, |
VPN |
Improved establishing IKEv2 tunnel with DAIP peer. |
PRJ-30330, |
VPN |
In some scenarios, IKEv2 tunnel may not work due to SA expiration. |
PRJ-30957, |
VPN |
Improvements for DAIP Gateway behind Hide NAT. |
PRJ-32760, |
VPN |
The output of the "vpn tu tlist" command may show an incorrect type of S2S tunnels protocol. |
PRJ-31132, |
VPN |
In some scenarios, a memory leak may occur in the VPND process. |
PRJ-29782, |
VPN |
Although the Simultaneous Login Prevention (SLP) feature is on, the user can connect with two clients and receive the same statically assigned Office-Mode IP. |
PRJ-32366, |
VPN |
Improved IKEv2 narrowing. |
PRJ-32130, |
VPN |
The output of the "vpn tu tlist" command may show a wrong date and time in "Authenticated at" line, although machine date and time settings are correct. |
PRJ-33834, |
VPN |
In rare scenarios, when SSL Network Extender (SNX) is in Application Mode, the VPND process may unexpectedly exit. |
PRJ-31700, |
VPN |
When the IKE daemon is enabled, VPN counters in CPView may show incorrect value. |
PRJ-30765, |
VPN |
In a very rare scenario, a cluster member may unexpectedly crash and restart, creating a core dump file. |
PRJ-32596, |
VPN |
In some scenarios, Remote Access VPN users cannot connect to the Gateway due to a kernel table issue. |
PRJ-24188, |
VPN |
VPN connectivity issues may occur when there are too many SAs. Refer to sk173828. |
PRJ-32612, |
VPN |
In some scenarios, Remote Client connections in Visitor Mode may cause the fwk process to exit. |
PRJ-31588, |
VPN |
In some scenarios, VPN tunnels statuses in SmartView Monitor are displayed incorrectly. |
PRJ-30649, |
VPN |
A machine-only tunnel cannot be established when VPN default realm is disabled. |
PRJ-36420, |
VPN |
In some scenarios, when VPN logs are enabled and DAIP (Dynamically Assigned IP) peer is configured, the VPND daemon may unexpectedly exit. |
PRJ-32533, |
VSX |
UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool. |
PRJ-33836, |
VSX |
UPDATE: Shadow bridges will now be automatically disabled on VSX Gateways if the bridges are not in Active/Active mode. |
PRJ-22483, |
VSX |
In some scenarios, running the "snmpwalk" command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064. |
PRJ-33946, |
VSX |
Policy installation on a VS may fail after a cluster conversion between High Availability and Virtual System Load Sharing with the "vsx_util" command. |
PRJ-26975, |
VSX |
Multi-Queue configuration does not survive reboot on VSX. Refer to sk173950. |
PRJ-37422, |
VSX |
After deleting a warp interface in SmartConsole, the active VSX cluster member may crash. |
PRJ-30315, |
Gaia OS |
NEW: Gaia API (version 1.6) will now be deployed via Jumbo Hotfix. Refer to sk143612. |
PRJ-31560, |
Gaia OS |
NEW: Added support for TE2000XN appliances. |
PRJ-30202, |
Gaia OS |
UPDATE: Added a Clish command "add/show/delete ntp interface" to choose to which interfaces the NTP daemon shall bind. |
PRJ-33688, |
Gaia OS |
Potential vulnerability related to specific Gaia API command on VSX systems. |
PRJ-28685, |
Gaia OS |
In some scenarios, in appliances: 6600,6700,6900, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443. |
PRJ-31754, |
Gaia OS |
In some scenarios, after adding an SNMP USM user, the confd process may unexpectedly exit. |
PRJ-34589, |
Gaia OS |
Enhanced SNMP module stability. |
PRJ-30212, |
Gaia OS |
Refer to sk174969. |
PRJ-29065, |
Gaia OS |
Wrong output of the "set/delete ip-conflicts-monitor interface" command. The word "value" is printed multiple times. The issue is only cosmetic. |
PRJ-33508, |
Gaia OS |
Fixed CVE-2021-30361 - Gaia Portal Authenticated Command Injection. Refer to sk179128. |
PRJ-32248, |
Harmony Endpoint |
NEW: Added new push operations to Endpoint Web Management:
|
PRJ-33389, |
Harmony Endpoint |
NEW: It is now possible to configure Super Node in Harmony Endpoint. Refer to sk171703. |
PRJ-32886 |
Harmony Endpoint |
NEW:
|
PRJ-32645, |
Harmony Endpoint |
Refer to sk176186. |
PRJ-27848, |
Harmony Endpoint |
SmartEndpoint may show deleted certificates as expired. |
PRJ-32390, |
VoIP |
When using SIP, memory usage may increase over time on Active and Standby members. |
PRJ-34519, |
Smart-1 Cloud |
After a cluster failover CloudGuard Controller may not be able to find cloud objects. Refer to sk166056. |
PRJ-31769, |
CloudGuard Network |
Improved the handling of NSX-T Data Center throttling issues. |
PRJ-31772, |
CloudGuard Network |
In a rare scenario, there is a high CPU0 utilization on Azure Security Gateway. |
PRJ-32231, |
CloudGuard Network |
The "vsec_lic_cli update" command now supports IP change in the license string. |
PRJ-27035, |
QoS |
In a rare scenario, when QoS is enabled, in SmartView Monitor, some traffic may be shown as "No Match". |
PRJ-30235, |
QoS |
In a rare scenario, the FWD process may unexpectedly exit due to invalid QoS logs. |
PRJ-35158, |
Scalable Platforms |
NEW: Added a self-updatable package of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414. |
PRJ-26373, |
Scalable Platforms |
NEW: Added ability to create and manage VSX objects of R80.30SP version via vsx_util and vsx_provisioning_tool. |
PRJ-25360, |
Scalable Platforms |
UPDATE:
|
PRJ-28902, |
Scalable Platforms |
UPDATE: Added ability to run the "hw_utilization" command on Quantum Maestro members. |
PRJ-25339, |
Scalable Platforms |
UPDATE: Added support for 40G SFP Transceiver for SSM440 (BTI40GSRQSFPP). |
PRJ-29023, |
Scalable Platforms |
In a Dual Site Quantum Maestro environment, traffic may be interrupted intermittently when a Domain object is used in the Rule Base. |
PRJ-33380, |
Scalable Platforms |
VPN traffic may be dropped due to certificate issues. |
PRJ-32952, |
Scalable Platforms |
Identity Sharing in VSLS Mode may not work as expected. |
PRJ-31405, |
Scalable Platforms |
The "config_verify" command may fail in a Scalable Platforms environment. |
PRJ-34102, |
Scalable Platforms |
Changing VLAN of an existing interface may cause arp reply not to be processed by the Gateway. Refer to sk176929. |
PRJ-31310, |
Scalable Platforms |
When IGMP snooping is disabled, using OSPF Multicast may lead to Anti Spoofing drops in SmartConsole. |
PRJ-33203, |
Scalable Platforms |
RADIUS user that has gclish set as default shell cannot login into the Security Group on Scalable Platforms R81.10: "Unable to get user permissions". Refer to sk176364. |
PRJ-30111, |
Scalable Platforms |
VPN tunnel may fail to establish with "dropped by vpn_inbound_pilicy_chain Reason: VPN inbound nat after vm failed". Refer to sk176404. |
PRJ-31838, |
Scalable Platforms |
The CMM is not updated with the time from a configured NTP Server. As a result, SGMs stay in the Down state for a long time. |
PRJ-26428, |
Scalable Platforms |
In rare scenarios, the command "hw_utilization -d" fails when more than 9 Virtual Systems are configured. |
PRJ-31138, |
Scalable Platforms |
Connectivity issues may occur on Identity Server (PDP) in large VSX setups. |
PRJ-25355, |
Scalable Platforms |
The "Software Versions" asg diag test may show false failure because of a CMM version mismatch. |
PRJ-28660, |
Scalable Platforms |
SNMP OID .1.3.6.1.4.1.2620.1.48.16 (asgSecureXLStatusBitmask) returns the status of SecureXL as enabled, even when it is not. |
PRJ-31590, |
Scalable Platforms |
When running the "asg_dr_verifier" command in the context of a Virtual System other than VS0, the output in the "BGP peers" section incorrectly shows: "Status: Inconsistency found on some of the SGMs". |
PRJ-34619, |
Scalable Platforms |
In some scenarios, a physical link issue on a Maestro Gateway may cause an unexpected site failover, a cluster state change on other Gateways, or packet drops. |
PRJ-31506, |
Scalable Platforms |
During policy installation, AD Query may stop working in the Scalable Platforms environment. |
PRJ-30616, |
Scalable Platforms |
Multiple traffic drops may occur on Scalable Platforms. Refer to sk173545. |
PRJ-25665, |
Scalable Platforms |
In some scenarios, if SSM goes down in a Chassis setup, the failure report cannot be collected fully. |
PRJ-33326 |
Scalable Platforms |
Added support for a new VMAC design. Refer to sk165674. |
PRJ-34442, |
HCP |
Added Update 6 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-22354, |
Infrastructure |
UPDATE: Updated Python 2.7.17 to 2.7.18, Python 3.7.7 to 3.7.12, added Python 3.9.7 and a Python3 alias. |
PRJ-29411, |
Infrastructure |
Policy installation fails with "Operation failed, install/uninstall has been improperly terminated" when a CMA name is more than 36 characters long. Refer to sk175452. |
PRJ-29951, |
Infrastructure |
In a rare scenario, the user cannot connect to the Mobile Access Portal. |
Take 58 Released on 22 February 2022 and declared as Recommended on 2 March 2022 |
||
PRJ-36959, |
Security Management |
Policy installation and "where used" operation may take a long time if there are many inline layers and the "Install On" targets in the Rule Base are not defined as "Any". Refer to sk177928. |
PRJ-34691, |
Logging |
In some scenarios, in an environment that includes the SmartEvent Server, the log_indexer process restarts at midnight, producing a core dump file. Refer to sk177805. |
PRJ-36735, |
Threat Extraction |
In some scenarios, when Threat Extraction and Threat Emulation are both enabled, it may take a long time to scan the file before downloading, although there is no active content. |
Take 56 Released on 17 January 2022 |
||
PRJ-34733, |
Security Management, |
UPDATE: The Apache Log4j Java library is updated in order to harden the system. Check Point products are not vulnerable to Log4j. This change is motivated by cyber hygiene best practices. Refer to sk176865. |
PRJ-34505, |
Security Management |
The "Accept" button is missing when modifying "Actions" for rules. Refer to sk177204. |
PRJ-32979, |
CPView |
In "Overview", some data about disk space may be missing. |
Take 51 Released on 29 December 2021 |
||
PRJ-27433, |
Security Management |
NEW: Added support for CloudGuard Edge appliances in LSM and SmartConsole.
|
PRJ-31537, |
Security Management |
UPDATE: The Management API "show-logs" command timeout increased from 2.5 minutes to 5 minutes. |
PRJ-29237, |
Security Management |
UPDATE: Added a new flag to the Threat Prevention "show-protections" API command ("show-capture-packets-and-track") that allows not to return capture-packets and track information. |
PRJ-30365, |
Security Management |
UPDATE: Added new flags for Management API commands "add/set simple-gateway" and "add/set simple-cluster":
|
PRJ-27424, |
Security Management |
UPDATE: The "show application-sites" Management API command now returns additional fields for UIDs of primary category and additional categories. |
PRJ-31057, |
Security Management |
In rare scenarios, Security Management upgrade or migration may fail due to missing temporary files. |
PRJ-29188, |
Security Management |
In a rare scenario, High Availability full synchronization may fail due to a large number of records. |
PRJ-29305, |
Security Management |
In environments with a large number of objects, licenses for cluster members in the Licenses tab may not be displayed. |
PRJ-28901, |
Security Management |
When searching IP addresses using logical operators (AND / OR), the results may be incorrect:
Some matched objects may be missing, while some unmatched objects may be present. |
PRJ-28649, |
Security Management |
In some scenarios, when using a VPN community, the status of the Global Domain Assignment may change to "not up to date", although no changes were made in the Global Domain. |
PRJ-28536, |
Security Management |
In rare scenarios, Global Policy Assignment may fail with the "class name not found for object" error. |
PRJ-27921, |
Security Management |
In rare scenarios, more than one IP address may be shown in SmartConsole's Sessions view under the "Connected From" column. |
PRJ-28896, |
Security Management |
If there are no explicit rules in one or more policy layers, policy verification may fail with the "No active rules found in the Security Policy" error. |
PRJ-28001, |
Security Management |
If Brute Force Password Guessing Protection is set to the value of more than 25 seconds, login to SmartConsole fails.
|
PRJ-20287, |
Security Management |
In rare scenarios, the second attempt of a Secondary Management Server upgrade may fail with "Task was interrupted because server restart". |
PRJ-26522, |
Security Management |
In a rare scenario, policy installation may fail with a "Policy installation had failed due to an internal error" message. |
PRJ-24634, |
Security Management |
In rare scenarios, policy installation may fail with an internal error due to missing permissions. Refer to sk17384. |
PRJ-26522, |
Security Management |
In a rare scenario, policy installation may fail with a message: "Policy installation had failed due to an internal error". |
PRJ-25629, |
Security Management |
In rare scenarios, a Management Server upgrade may fail with an "Object not found - [UID]" error message in the cpm.elg log file. |
PRJ-25566, |
Security Management |
In rare scenarios, an upgrade may fail when there is an OPSEC Server object configured. |
PRJ-23433, |
Security Management |
Upgrade to R81 may fail if one of the objects does not have a creator. |
PRJ-28785, |
Security Management |
In some scenarios, "show-mdss" and "show-domains" Management API commands take a significant amount of time to complete or time out after 5 minutes. |
PRJ-28570, |
Security Management |
In some scenarios, the Purge Revisions operation fails with the "An error has occurred while performing revisions purge operation, Incident ID - xxxxx-xxxxxxx-xxxxx-xxxxx" error message. Refer to sk174645. |
PRJ-28423, |
Security Management |
Virtual session timeout for a TCP service cannot exceed 86400 seconds. Refer to sk168872. |
PRJ-28293, |
Security Management |
In rare scenarios, High Availability incremental synchronization may fail with a wrong status message. |
PRJ-28299, |
Security Management |
In rare scenarios, High Availability on the Global Domain may fail to synchronize the Multi-Domain Log Server if IPS protection was added or removed in the Threat Prevention rulebase. |
PRJ-28064, |
Security Management |
In rare scenarios:
|
PRJ-28088, |
Security Management |
In some scenarios, the Administrators view may not filter Domain names according to the permission profile of the connected administrator. |
PRJ-13161, |
Security Management |
The "show-global-assignment" command returns the default limit when the limit request is greater than the default limit. |
PRJ-26736, |
Security Management |
In a rare scenario, the "show hosts" Management API command with "details-level full" fails with a "Java.util.InputMismatchException: got at least one duplicate UID in requested list, duplicates UIDs:" message. |
PRJ-26677, |
Security Management |
The "show gateways and servers" Management API command does not show policy information for cluster members. |
PRJ-27486, |
Security Management |
Global Policy reassignment may fail with "An internal error has occurred" due to duplicated Access Policy Assignment object. Refer to sk174183. |
PRJ-27480, |
Security Management |
If there is an Administrator is named "Endpoint", an upgrade of Endpoint Security Server from R77.30 fails. |
PRJ-21788, |
Security Management |
In some scenarios, the output of the "cpmistat" command may contain partial information. |
PRJ-29898, |
Security Management |
In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server". |
PRJ-28157, |
Security Management |
In rare scenarios, if Domain migration fails, the operation may not revert fully and leave some remnants in the database of the Management Server. |
PRJ-29517, |
Security Management |
In rare scenarios, when installing a policy immediately after publishing a session, the installation is not accelerated. |
PRJ-29158, |
Security Management |
Scheduled IPS updates data may not be shown in the IPS update report. |
PRJ-30048, |
Security Management |
The Management API command "show-sessions" may return sessions that were purged and no longer exist in the Management database. |
PRJ-29968, |
Security Management |
In some scenarios, simultaneous policy installation on multiple Gateways may fail if there is at least one Gateway on R77.X and one Gateway on R80.X. |
PRJ-25197, |
Security Management |
The "Packet capture is not supported on this platform" warning appears after policy installation on SMB Gateways, although no packet capture is used. |
PRJ-30622, |
Security Management |
In rare scenarios, after the Security Management Server starts up, when connecting to SmartConsole, some objects appear more than once. |
PRJ-30054, |
Security Management |
In rare scenarios, the FWM process unexpectedly exits and fails to start, creating core dumps in the /var/log/dump/usermode directory. Refer to sk175007. |
PRJ-29469, |
Security Management |
In some scenarios, an API query to VRRP cluster for "show simple-cluster name <name>" returns an incorrect cluster type. Refer to sk174866. |
PRJ-21877, |
Security Management |
In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer. |
PRJ-21831, |
Multi-Domain Management |
In rare scenarios, after an upgrade, the CPD process in a Multi-Domain environment may unexpectedly exit, creating a core dump file. |
PRJ-23852, |
Security Management |
Management Server upgrade may fail, if there is a large amount of customized column profiles in the Logs view. |
PRJ-30019, |
Security Management |
In rare scenarios, the "set-group" API command may return the "generic_err_invalid_parameter" error. |
PRJ-27764, |
Security Management |
The Management API commands "import-smart-task" and "export-smart-task" are enabled at the System Domain level, although Smart Tasks are only supported at the Local Domain level. |
PRJ-29199, |
Security Management |
After an upgrade from R77.x. in a multi-site environment, High Availability full synchronization may fail with an "NGM failed to load data" message. |
PRJ-25280, |
Security Management |
In rare scenarios, login to Multi-Domain Management fails with the "No Valid Domains were found for [username]" error. Refer to sk175005. |
PRJ-28816, |
Security Management |
In some scenarios, the "show gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full". |
PRJ-21778, |
Licensing |
In some scenarios, the total number of "sr" licenses may be counted incorrectly. |
PRJ-27346, |
Licensing |
In a rare scenario, the licensing status in SmartConsole is displayed incorrectly. |
PRJ-29804 |
Web SmartConsole |
Added enhancements for Task Manager and policy installation. Refer to Take 48 in sk170314. |
PRJ-30384, |
CPInfo |
UPDATE: Added CPInfo build 914000219. Refer to sk92739. |
PRJ-20498, |
CPUSE |
The "Recommended" Package value is not changed from true to false in SmartConsole while installing Jumbo Hotfix. Refer to sk174508. |
PRJ-22893, |
CPView |
In some scenarios, SNMP statistics per VS may not be displayed in CPView. |
PRJ-29825, |
SmartView |
UPDATE: In SmartView, new MITRE ATT&CK techniques were added to the heatmap view. |
PRJ-22159, |
Logging |
NEW:
|
PRJ-26809, |
Logging |
NEW: In SmartEvent GUI, added the "referrer" field for filtering correlation unit events. |
PRJ-25888, |
Logging |
UPDATE: During Management and Log Servers upgrade from R80.X to R81, indexes, stored in external storage (sk66003), can now be upgraded as part of the flow. |
PRJ-25897, |
Logging |
UPDATE: Improved the time of search that require scanning logs for several days. |
PRJ-29117, |
Logging |
In some scenarios, emails of DLP Blade may be sent with obfuscated information, with no option to present the full data. Refer to sk106430. |
PRJ-29221, |
Logging |
In a rare scenario, Application Control events may not be displayed in SmartEvent. |
PRJ-24979, |
Logging |
When AES authentication is configured, the "thresold_config" command does not send traps for SNMP v.3. Refer to sk173045. |
PRJ-23868, |
Logging |
In SmartView reports, the "Show only icon" option for table widgets does not work as expected. |
PRJ-26695, |
Logging |
When adding the "UC Block" action, log queries may not show UserCheck logs. Refer to sk174543. |
PRJ-25833, |
Logging |
The LOG_INDEXER process on the SmartEvent Server may consume a high CPU when the Mobile Access Blade is enabled on the Security Gateway. |
PRJ-25974, |
Logging |
In a rare scenario, logs that are created exactly at midnight, are shown in the SmartConsole Logs view tab but not shown in SmartView web. |
PRJ-24524, |
Logging |
In a low log rate, there may be a delay in exporting logs using the Log Exporter. |
PRJ-26116, |
Logging |
In a multi-site MDM environment, Log queries may fail to retrieve results from a CMA or CLM, if there is another CMA or CLM with the same sic_name. |
PRJ-22346, |
Logging |
In SmartView, the "Duration" field is missing from Reports and Views. |
PRJ-28301, |
Logging |
When using the LEEF format in the Log Exporter tool, product names miss the last letter. |
PRJ-26726, |
Logging |
In some scenarios, the FWD process on Security Gateway may cause high memory consumption when Log Forwarding is configured or when running the "fw fetchlogs" command. |
PRJ-27619, |
Logging |
The CPSEMD process on SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event. |
PRJ-27050, |
Logging |
In rare scenarios, Management object changes may not be reflected in the Logs view. When the issue occurs, the CPM process may also consume a high CPU. |
PRJ-21313, |
Logging |
|
PRJ-28341, |
Logging |
In some scenarios, Log Exporter configured to export in TLS, cannot authenticate a certificate from an external certificate authority. |
PRJ-25442, |
Logging |
On a Management Server, with SmartEvent enabled and many Networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message, and the FWM process is running with a high CPU. Refer to sk167239. |
PRJ-29030, |
Logging |
In rare scenarios, SmartEvent may show no results or partial results in the Audit Log report. |
PRJ-25623, |
Logging |
In environments with more than 500K network objects, the LOG_INDEXER process on SmartEvent and Correlation Unit Server may unexpectedly close with the "Out of memory" error and a dump core file, although limited resolving is enabled (according to sk164452). |
PRJ-23681, |
Logging |
In rare scenarios, in environments with many network objects, when typing a query in the Logs tab Search bar, SmartConsole may close unexpectedly. |
PRJ-30228 |
Logging |
When traffic is dropped due to a Threat Prevention rule, fetching a packet capture from a security Blade violation log may not work. |
PRJ-31210, |
Logging |
In a rare scenario, logs export from SmartView web view to CSV may fail. Refer to sk175545. |
PRJ-29576, |
Security Gateway |
NEW: Added a new kernel parameter "up_disable_early_drop_optimization_for_reject" to disable "Early Drop Optimization" for reject rules. The parameter is enabled by default. |
PRJ-28853, |
Security Gateway |
UPDATE: Added DNS Passive Learning support for DNS responses containing the Domain name in uppercase letters. |
PRJ-29443, |
Security Gateway |
UPDATE: The default value for the kiss_kthread_allow_resched kernel parameter is changed to 1. Refer to sk170560. |
PRJ-32157, |
Security Gateway |
UPDATE: Apache HTTPD version was updated from 2.4.41 to 2.4.51. |
PRJ-30982, |
Security Gateway |
UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set _fw_bridge_with_ip_routing=1_ in the _$FWDIR/fwkern.conf_ file. Refer to sk165560. |
PRJ-29505, |
Security Gateway |
In some scenarios, using automatic Network Static NAT/Address range objects may cause connectivity issues. |
PRJ-29088, |
Security Gateway |
In some scenarios, the CPD process may consume high CPU because of the memory leak in File Download Tool (FDT). |
PRJ-28830, |
Security Gateway |
Improved the ICAP Server internal memory allocation logic. |
PRJ-26036, |
Security Gateway |
A "fw_xlate_rule_count_dec: refcount is negative" message may be displayed in dmesg when IP pool NAT is used on a cluster environment. |
PRJ-19771, |
Security Gateway |
Security Gateway may crash after policy installation. |
PRJ-24692, |
Security Gateway |
In rare scenarios, creating a new SAM rule on a Management machine may fail. |
PRJ-25294, |
Security Gateway |
In rare scenarios, a re-matched connection has 2 logs in SmartConsole. |
PRJ-26077, |
Security Gateway |
After policy installation, Security Gateway may stop responding due to memory leaks. |
PRJ-26393, |
Security Gateway |
In some scenarios, the WSDNSD process may unexpectedly exit and create a core file. Refer to sk173627. |
PRJ-28810, |
Security Gateway |
Added cosmetic fixes of the "cpwd_admin list" command output. |
PRJ-27560, |
Security Gateway |
In some scenarios, configuring an un-numbered virtual interface may cause ARP requests to stay not answered by the interface. Refer to sk174188. |
PRJ-28104, |
Security Gateway |
In a rare scenario, a memory leak may occur on the Security Gateway. |
PRJ-27872, |
Security Gateway |
After a reboot or policy installation, the Cluster Under Load(CUL) messages in the fwk.ekg show CPU usage higher than 100%. |
PRJ-26824, |
Security Gateway |
In rare scenarios, a duplicate entry may appear in the /etc/cpshell/log_rotation.conf file. This issue is only cosmetic. |
PRJ-27077, |
Security Gateway |
In rare scenarios, using IP Pool NAT with only IPv4/IPv6 addresses configured may cause Security Gateway to crash. |
PRJ-27127, |
Security Gateway |
In some scenarios, the ROUTED process may unexpectedly exit. |
PRJ-28873, |
Security Gateway |
In a rare scenario, when using ICAP client, Security Gateway may crash. |
PRJ-26931, |
Security Gateway |
SNMP lowDiskSpace trap with MDPS does not work with SNMP versions v1/v2 . Refer to sk173811. |
PRJ-26584, |
Security Gateway |
In a rare scenario, CPView may show incorrect SecureXL statistics per VS. |
PRJ-27651, |
Security Gateway |
Negative values may appear in the output of the "fw tab -t connections -s" command and under the NAT section. |
PRJ-29130, |
Security Gateway |
In rare scenarios, policy installation may fail with an "Operation failed, install/uninstall has been improperly terminated" message. |
PRJ-30215, |
Security Gateway |
In some scenarios, policy installation may take longer or fail when GEO Updatable Objects are used in the policy. |
PRJ-30204, |
Security Gateway |
In some scenarios, NATed VPN traffic may be routed out through the wrong interface. Refer to sk176785. |
PRJ-29743, |
Security Gateway |
In a rare scenario, due to TCP connection reuse, a TCP connection may not be initiated Refer to sk11088. |
PRJ-29543, |
Security Gateway |
There is no option to enable hyperthreading via cpconfig. |
PRJ-29527, |
Security Gateway |
In a very rare scenario, the ICAP Server may crash with a core dump file generated. |
PRJ-29420, |
Security Gateway |
In a rare scenario, policy installation on the Security Gateway may fail with an "Error code: 0-2000108" message. Refer to sk170673. |
PRJ-29139, |
Security Gateway |
The cpsicdemux process may unexpectedly exit, causing the Secure Internal Communication (SIC) connection to fail. |
PRJ-28554, |
Security Gateway |
Capsule Workspace end users may fail to authenticate to their Exchange Mail Server via Mobile Access SSO when authenticated with Kerberos, and the end users belong to many user groups or user groups with very long names. |
PRJ-29588, |
Security Gateway |
In a rare scenario, Security Gateway may crash. |
PRJ-26671, |
Security Gateway |
In a rare scenario, traffic outage may occur. It is caused by a memory leak related to delayed logs. |
PRJ-30251, |
Security Gateway |
Added a translation of the error exit code of cprid_util in $CPDIR/log/cprid_util.elg debug log. |
PRJ-31370, |
Security Gateway |
Improved the handling of a large number of sessions per single HTTP/S connection. |
PRJ-31031, |
Security Gateway |
In a rare scenario, the Security Gateway may crash when disabling or enabling Threat Prevention Blade. |
PRJ-28680, |
Threat Prevention |
UPDATE: Added the option to remove proxy usage in ioc_feeds tool. |
PRJ-28520, |
Threat Prevention |
In rare scenarios, the Security Gateway may crash when the TCP connection is unexpectedly closed. |
PRJ-26543, |
Threat Prevention |
In some scenarios, the IPS update status in SmartConsole is incorrect after the automatic update fails with the "Update failed. Failed to load database" error. |
PRJ-26007, |
Threat Prevention |
SSH Deep Packet Inspection (SSH DPI) may fail after upgrade to R81. |
PRJ-25778, |
Threat Prevention |
In a rare scenario, the FWD process may unexpectedly exit after an upgrade. |
PRJ-28607, |
Threat Prevention |
Large file transfer in connections inspected by SSH Deep Packet Inspection (SSH DPI) may fail if SSH renegotiation is performed during the transfer. |
PRJ-28764, |
Threat Prevention |
In some scenarios, when using OpenSSH 8.2 Server, file download fails after starting the transfer. |
PRJ-28939, |
Threat Prevention |
Improved telemetry for Infinity Vision SOC. |
PRJ-29616, |
Threat Prevention |
After an upgrade from R80.30, if Custom Intelligence Feeds (IoC) feature is enabled, Threat Prevention policy on VSX cluster may fail with "failed to handle indicators". |
PRJ-29926, |
Threat Prevention |
Threat Prevention policy installation may fail when loading 2 IoC feeds that contain the same signature name for one of the observables. |
PRJ-28135, |
Threat Extraction |
In some scenarios, the "fw_send_kmsg: No buffer for tsid 44" error is printed in dmesg. |
PRJ-29488, |
Identity Awareness |
UPDATE:
|
PRJ-32355, |
Identity Awareness |
UPDATE: The default threshold value for Identity Collector Service Accounts exclusion was changed from 10 to 100. Refer to sk174266. |
PRJ-29397, |
Identity Awareness |
Improved the Identity Server (PDP) performance for publishing new network on Identity Sharing with SmartPull. |
PRJ-27476, |
Identity Awareness |
When using sk167118, the user may fail to authenticate if the "Ask user for password" checkbox is enabled. |
PRJ-26804, |
Identity Awareness |
In a rare scenario, the Security Gateway may crash. |
PRJ-27943, |
Identity Awareness |
In some scenarios, users may not be able to reach Identity Gateway (PEP). Refer to sk174105. |
PRJ-29614, |
Identity Awareness |
In a rare scenario, some IPv6 sessions may get deleted due to an incorrect update of Identity Gateway (PEP) kernel tables. |
PRJ-27193, |
Application Control |
UPDATE: Improved matching of URLs for custom applications. |
PRJ-27260, |
IPS |
Proxy source IP address is not printed in the IPS logs. |
PRJ-27959, |
IPS |
In some scenarios for HTTP, Gateway closes a connection from the Server side, but the user side may remain open. |
PRJ-26463, |
IPS |
An HTTP download of a large file may unexpectedly stop with an error message. |
PRJ-28245, |
IPS |
In some scenarios, HTTP Parser in the CPView statistics may show incorrect values for connections with more than 50 sessions. |
PRJ-29941, |
IPS |
In rare scenarios, if IPS Geolocation is enabled, the Security Gateway may crash. |
PRJ-32499, |
IPS |
In some scenarios, when IPS Automatic update is enabled, a memory leak may occur in the FWD process. |
PRJ-31694, |
IPS |
Improved the handling of decoded HTTP/S traffic. |
PRJ-29192, |
Anti-Bot |
UPDATE: Improved performance of Anti-Bot URL Reputation. |
PRJ-29476, |
SSL Inspection |
In some scenarios, a memory leak may occur when creating ECDHE keys. |
PRJ-30460, |
SSL Inspection |
In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing timeout. |
PRJ-30701, |
SSL Inspection, |
A memory leak in HTTPS Inspection and HTTPS portals may occur when using ECDHE ciphers. |
PRJ-29269, |
Mobile Access |
In a rare scenario, a memory leak may occur in the CVPND process. |
PRJ-28258, |
Mobile Access |
In a rare scenario, the VPND process may unexpectedly exit causing user disconnections from Checkpoint Mobile client. |
PRJ-27297, |
Mobile Access |
In rare scenarios, when SNX client is used with Application mode on the Mobile Access Blade, the VPND process may unexpectedly exit. |
PRJ-27453, |
ClusterXL |
In a very rare scenario, after adding a member to a cluster, the FWK process may unexpectedly exit, creating core dumps. |
PRJ-28283, |
SecureXL |
In a rare scenario, DoS/Rate Limiting when using rules with country codes (CC) or autonomous system numbers (ASN) may not update Geo IP files correctly. |
PRJ-26953, |
SecureXL |
TCP packets may be dropped as "TCP out of state" although following sk11088. |
PRJ-32940, |
SecureXL |
In some scenarios, when configuring internal/external enforcement for DOS/Rate limiting, a syslog error message may be displayed. |
PRJ-30030, |
Routing |
In some scenarios, when BootP is configured, during policy installation, the Security Gateway may become unresponsive and the ROUTED process may crash. |
PRJ-27820, |
Routing |
If the interface cable is unplugged, after a failover, Border Gateway Protocol (BGP) stops receiving routes from Primary member to Secondary and back to Primary. |
PRJ-23816, |
Routing |
During the boot process "pbrroute-conf" messages may appear. Refer to sk173514. |
PRJ-26754, |
Routing |
In some scenarios, the NetFlow Packet may report a wrong source IP Address. |
PRJ-29497, |
Routing |
BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer. |
PRJ-28958, |
Routing |
The ROUTED process may unexpectedly exit. |
PRJ-29320, |
Routing |
AS path loops may occur, although BGP multihop is configured. |
PRJ-28840, |
Routing |
In some scenarios, an outage may occur because of premature graceful-restart exit. |
PRJ-31127, |
Routing |
In rare cases, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the Graceful Restart ending. |
PRJ-28172, |
VPN |
NEW: Added StrongSwan clients counter to the VPN TU Tool. |
PRJ-29533, |
VPN |
RIM script is not invoked for DAIP peer with Dead Peer Detection (DPD) permanent tunnels in passive mode. |
PRJ-31115, |
VPN |
In some scenarios, when connecting with both Endpoint and SSL Network Extender (SNX) clients to a single Gateway, a memory leak may occur. |
PRJ-31148, |
VPN |
In some scenarios, a memory leak may occur when using the SSL Network Extender (SNX) client to create a site. |
PRJ-27856, |
VPN |
When deleting an entry from m_ht hash table, a memory leak may occur. |
PRJ-27687, |
VPN |
In a rare scenario, a memory leak may occur. |
PRJ-27683, |
VPN |
When saving the login info of the client, a memory leak may occur. |
PRJ-27679, |
VPN |
Reauthentication of the client may lead to a memory leak. |
PRJ-28772, |
VPN |
In some scenarios, in High Availability clusters with enabled CoreXL, SSL clients cannot connect to the Security Gateway because of incorrect license calculation. |
PRJ-28027, |
VPN |
When StrongSwan client connecting with a RADIUS user, it may not receive an Office Mode IP address. |
PRJ-25884, |
VPN |
In some scenarios, when DAIP peer initiates IKEv2 negotiation with certificate authentication, the VPND process may unexpectedly exit. Refer to sk174665. |
PRJ-28378, |
VPN |
Improved VPN Site to Site tunnel establishment scenario with IKEv2. Refer to sk175092. |
PRJ-28075, |
VPN |
A Remote Access client fails to login when a DN record length is bigger than 256. Refer to sk174249. |
PRJ-21639, |
VPN |
The VPN Logs view show IP address octets in an unexpected (reversed) order. Refer to sk172807. |
PRJ-27814, |
VPN |
In some scenarios, the VPN tunnel between GCP cluster and GCP peer fails to establish. |
PRJ-27314, |
VPN |
IPSec VPN uses the wrong source IP address when initiating NAT-T encrypted traffic. Refer to sk172805. |
PRJ-22119, |
VPN |
In rare scenarios, after policy installation, the VPND process may unexpectedly exit with core dump. |
PRJ-27675, |
VPN |
In some scenarios, the user may not be able to connect because the CVPND process unexpectedly exits. |
PRJ-25236, |
VPN |
Added improvements for DAIP Gateway behind Hide NAT and ROBO peer Gateways. |
PRJ-28558, |
VPN |
In some scenarios, when sending the SCV drop log, a memory leak may occur. |
PRJ-28265, |
VPN |
A memory leak may occur when clearing the CRL cache file. |
PRJ-28513, |
VPN |
In some scenarios, a memory leak may occur on the Security Gateway. |
PRJ-29283, |
VPN |
In rare scenarios, re-configuring a trusted CA bundle may cause a memory leak in the VPND process. |
PRJ-28506, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-28575, |
VPN |
In some scenarios, Server connections to Remote Access L2TP clients may be unstable. |
PRJ-29483, |
VPN |
A memory leak may occur in the VPND process in IKEv2 Site to Site VPN. |
PRJ-30869, |
VPN |
A memory leak may occur in the VPND process. |
PRJ-30756, |
VPN |
In some scenarios, when NAT is enabled, Route Based VPN traffic may be dropped. |
PRJ-29277, |
VPN |
A memory leak may occur in the CVPND process. |
PRJ-17830, |
VSX |
Recreation of a virtual system may fail due to an internal error. |
PRJ-27970, |
VSX |
When querying a VS for "sysObjectID" via SNMP, a generic net-SNMP value ("NET-SNMP-MIB::netSnmpAgentOIDs.10") returns instead of a Checkpoint value ("SNMPv2-SMI::enterprises.2620.1.6.123.1.62"). |
PRJ-29553, |
VSX |
After reboot, the VS's clish static arps configurations exist, but the static arps may be missing. |
PRJ-27543, |
VSX |
The weight of VSB in "cphaprob stat" is 0. This impacts load balancing between cluster members in a VSX cluster in VSLS mode. |
PRJ-22691, |
VSX |
This fix allows create/change a VSX cluster/Gateway to have up to 32 CoreXL instances with VSX Provisioning Tool. Currently, it is possible to do this only in SmartConsole. |
PRJ-30276, |
Gaia OS |
UPDATE: Upgraded OpenSSL to 1.1.1L. Merged the CVE-2021-3711 and CVE-2021-3712 fixes. |
PRJ-25766, |
Gaia OS |
After 248 days of up time, the VMSS Gateway sends a Cold restart alert reboot, but the VMSS does not reboot. Refer to sk173413. |
PRJ-27001, |
Gaia OS |
Setting hashed SHA256/SHA512 expert password may fail with an error message: "set password-controls password-hash-type <password_hased> GAIA9999 Invalid Salted Hash". Refer to sk176703. |
PRJ-27613, |
Gaia OS |
If NTPD service is configured in Management Data Plane Separation (MDPS) settings, NTPD error logs appear in var/log/messages after a reboot. |
PRJ-27696, |
Gaia OS |
When a non-TACACS user logs out from WebUI, "Cannot get pid" is printed as an error to the /var/log/messages file. |
PRJ-27978, |
Gaia OS |
A memory leak may occur on a Security Gateway while configuring Secure Internal Communication (SIC). |
PRJ-26024, |
Gaia OS |
In some scenarios, after an upgrade, Multi-Queue commands may fail without producing any output due to licensing issue. Refer to sk168178. |
PRJ-26430, |
Gaia OS |
The Link Layer Discovery Protocol (LLDP) sends the hostname with a dot when the Domain name is empty. |
PRJ-28797, |
Gaia OS |
In a rare scenario, a memory leak may occur in the monitord process. |
PRJ-29858, |
Harmony Endpoint |
UPDATE: In SmartEndpoint, besides FDE Remote Help, Bitlocker Management Recovery is now available for administrators with limited rights. |
PRJ-29178, |
Harmony Endpoint |
Remote installation push operation "Deployed new Endpoints" does not work on on-prem Servers because of self-signed certificates. |
PRJ-27751, |
Harmony Endpoint |
Endpoint Firewall may start dropping all network traffic after a Management Server upgrade from R80.10 or older versions. |
PRJ-31100, |
Harmony Endpoint |
Restoring a UEPM Server backup via the Web Gaia Portal may not work on a new Server where the UEPM Blade is not activated. |
PRJ-30519, |
Harmony Endpoint |
In the Smart Endpoint tabs, the Server may generate reports where users have long names starting with "ntdomain://". |
PRJ-22501, |
VoIP |
Holding last source port table lock while searching for next free port may cause performance issues. |
PRJ-29515, |
CloudGuard Network |
NEW: In Amazon Web Services (AWS):
To enable the feature:
Note: This feature requires adding DescribeTags and DescribeLoadBalancers permissions to the AWS Data Centers accounts. NEW: In Azure:
To enable the feature:
Note: This feature requires adding permissions to list Application Security Groups and Private Endpoints.
NEW: In AWS, Azure and Google Cloud Platform (GCP): Added support for API calls with HTTP response with reason-code only (without reason-phrase). |
PRJ-21216, |
CloudGuard Network |
The mq_mng tool does not show RX/TX packets counter statistics for the virtio_net driver. |
PRJ-29651, |
CloudGuard Network |
Amazon Web Services (AWS) Data Center scan may fail and no updates are sent to the Security Gateway. |
PRJ-22534, |
CloudGuard Network |
In some scenarios, when there are Data Center objects in Access Policy Rule Base, policy verification may fail although policy installation succeeds. |
PRJ-30042, |
Smart-1 Cloud |
If wstunnel loses connectivity, after several attempts it may unexpectedly exit and not restart. Refer to sk166056. |
PRJ-23019, |
QoS |
Added QoS support for source port matching, allowing DSCP to mark different streams packets correctly. |
PRJ-29526, |
Scalable Platforms |
The "Hits" counter value in the SmartConsole rulebase does not update when traffic reaches a non-SMO Security Group member (for Security Gateway only). |
PRJ-21219, |
Scalable Platforms |
The SSM Allow Management Loss feature (sk145792) sends alerts even if a failure event's duration is short. |
PRJ-27511, |
Scalable Platforms |
In a rare scenario, a memory leak that requires constant reboots may occur. |
PRJ-25358, |
Scalable Platforms |
When restarting the active CMM (for example, with the "ccutil restart_cmm active" command), a chassis may fail over, even if there is a Standby CMM. |
PRJ-25347, |
Scalable Platforms |
In a rare scenario, the Chassis Monitor daemon (cmd) fails to retrieve the CPU temperatures due to an SNMP timeout. |
PRJ-21104, |
Scalable Platforms |
In some scenarios, UIPC feature does not work if a non-VS0 Virtual System is configured with an IP on the same subnet as VS0 management network. |
PRJ-25340, |
Scalable Platforms |
Allow Management Loss feature (sk145792) may not enter into Management Loss mode when backplane interface total packets amount exceeds 2 Billion. |
PRJ-28286, |
Scalable Platforms |
Using Static NAT for the destination in asymmetric connections may lead to Out of State traffic drops. Refer to sk174234. |
PRJ-27319, |
Scalable Platforms |
Added a cosmetic fix in asgPeaksTable. |
PRJ-27264, |
Scalable Platforms |
The "asg perf" command may fail when it calculates the average load of CPU cores when CoreXL uses all CPU cores available in the Security Group. |
PRJ-25368, |
Scalable Platforms |
If a Bond interface that is assigned to a Security Group is configured in the 802.3AD (LACP) mode, packet loss may occur on a Security Appliance when the Security Appliance becomes active after a reboot. |
PRJ-28427, |
Scalable Platforms |
In some scenarios, running the "asg perf" command with -vv flag fails. |
PRJ-29760, |
Scalable Platforms |
In a rare scenario, the "asg perf" command may take up to 90 seconds to update the data. The information may differ from CPView results. |
PRJ-30024, |
Scalable Platforms |
When rebooting a member from the standby site, it may send GARP when booting and cause a connectivity issue. Refer to sk176523. |
PRJ-29982, |
Scalable Platforms |
The outage may occur when configuring OSPF over VPN/VTI interface because of a missing cluster IP address for VPN/VTI interface. |
PRJ-25648 |
Scalable Platforms |
Collect data and statistics report in a scenario where SSM state has changed to down or entered into management loss mode |
PRJ-25781, |
Scalable Platforms |
In some scenarios, boot on SP VSX setup may fail with an "Unable to open '/vs1/dev/fw0': Connection refused" message. |
PRJ-27828, |
Scalable Platforms |
In a rare scenario, the "asg diag" command for verifying Interfaces may have an incorrect raw output. |
PRJ-27739, |
Scalable Platforms |
In rare scenarios, after accelerated policy installation, security members may go to down states. |
PRJ-28252, |
Scalable Platforms |
Added support for the command "snapshot-onetime" (import/export, from/to a remote Server) on Scalable Platforms. |
PRJ-29520, |
Scalable Platforms |
After setting a specific range of Blades in gclish, some commands may fail. |
PRJ-29390, |
Scalable Platforms |
During an upgrade of a Security Group, the "Fetching the policy from the Management Server and installing it" action fails on the upgraded Security Group Members. |
PRJ-25648, |
Scalable Platforms |
Scalable Platform automatically collects statistics and data in the /var/log/ssm_failure_reports/ directory, when:
|
PRJ-24519, |
Scalable Platforms |
After adding a new user via WebUI, the "asg diag" command may fail on configuration test (config_verify -v) due to inconsistent value in the database. The issue is only cosmetic. |
PRJ-22891, |
Scalable Platforms |
In some scenarios, the "asg diag" and "asg_license_verifier" commands fail with an incorrect message: "ERROR: No license for 'IPS-1' [mandatory feature 'ips']". |
PRJ-29002, |
Scalable Platforms |
In some scenarios, after an upgrade of Scalable Platform, reboot of a member may trigger additional reboots. |
PRJ-23306, |
Carrier Security |
UPDATE: The "FireWall-1 GX" module is renamed to "Carrier Security". |
PRJ-22323, |
Infrastructure |
In some scenarios, the cpmiquerybin and dbedit processes may unexpectedly exit causing a buffer overflow. |
Take 44 Released on 29 September 2021 and declared as Recommended on 12 October 2021 |
||
PRJ-30926, |
VPN |
In some scenarios, when ipassignment.conf file is used, Remote Access users cannot connect due to Office mode allocation failures. Refer to sk175448. |
Take 42 Released on 1 September 2021 |
||
PRJ-26240, |
Diagnostics |
NEW: Added the Check Point Performance Sizing Utility (CPSizeMe) v5.2. |
PRJ-24235, |
Licensing |
UPDATE: If there is no license installed, the error message will be printed when running the "cpstart" command. |
PRJ-24201, |
Security Management |
NEW: Trusted CAs updates for HTTPS Inspection can be configured to be installed automatically upon update. Refer to sk173629. |
PRJ-27200 |
Security Management |
NEW: Added the Hitcount column to the "Export to CSV" functionality in Access Policy.
|
PRJ-24985, |
Security Management |
NEW: Added ability for R81 Security Management or Multi-Domain Server to manage R81.10 Security Gateway.
|
PRJ-26026, |
Security Management |
NEW: Added the "get-interfaces" Management API for Security Gateway and Cluster objects.
|
PRJ-26414, |
Security Management |
NEW: Added the Management API command "show-layer-structure". |
PRJ-27122, |
Security Management |
UPDATE: The "Purge revisions" operation has been improved to further reduce the database's size. |
PRJ-27163, |
Security Management |
UPDATE: Performance improvement in an upgrade of Security Management and Multi-Domain Servers with large rulebases. |
PRJ-26194, |
Security Management |
In a rare scenario, the FWM process may unexpectedly exit. |
PRJ-26184, |
Security Management |
When running the "fwm logexport" command multiple times, the FWM process may unexpectedly exit, producing a core file. |
PRJ-26124, |
Security Management |
In some scenarios, HA synchronization fails in the Global Domain after the IPS update. |
PRJ-29004, |
Security Management |
In some scenarios, Publish operation fails with the "Object with uid=<RandomCharacters> was updated in the database but its dleConvertedObject wasn't found" error. Refer to sk174703. See the Important Notes section. |
PRJ-25039, |
Security Management |
In rare scenarios, a task in progress may get stuck until the Management Server is restarted. |
PRJ-24011, |
Security Management |
In some scenarios, the NAT rule is not enforced when the rule name is identical to an object name placed on the rule. |
PRJ-25862, |
Security Management |
When running the "show-tasks" command with Management API and using the "order" parameter, the results are not ordered. |
PRJ-26455, |
Security Management |
In rare scenarios, the web_api_show_package.sh script fails, and the log shows "Null Pointer Exception". |
PRJ-22135, |
Security Management |
In some scenarios, a high load on the Management Server may cause SmartConsole slowness. |
PRJ-26630, |
Security Management |
In rare scenarios during system startup, a cleanup operation may cause high CPU on multiple Postgres processes and prevent login to SmartConsole. Refer to sk175189. |
PRJ-25010, |
Security Management |
After configuring VPN Blade on a Security Gateway with support-visitor-mode using Management API, VPN clients may fail to create sites. |
PRJ-21968, |
Security Management |
Packet Mode search in rule base ignores matching of inline layer parent rules. In some scenarios, this may retrieve inline layer rules that should not be matched. |
PRJ-22385, |
Security Management |
User may fail to connect to SmartConsole after the administrator changed the RADIUS Server host IP address. Refer to sk172065. |
PRJ-24331, |
Security Management |
In some scenarios, the "Recent Tasks" view shows the initiator as a System administrator when the Global Manager user initiates reassign and install policy. |
PRJ-27621, |
Security Management |
In a rare scenario, the "Install Database" task may continue to run indefinitely. |
PRJ-26093, |
Security Management |
In rare scenarios, the Access Control policy installation fails with the "Security Management Server aborted connection" error. |
PRJ-25305, |
Security Management |
Policy verification may incorrectly fail with the verification error "Rule contains both Access Roles and network objects" when the installation is accelerated. |
PRJ-26343, |
Security Management |
When installing policy on a gateway for the first time, Threat Prevention policy installation may fail if installed with Access policy. |
PRJ-25687, |
Security Management |
In some scenarios, a policy installation failure message may show "ReferenceObject" instead of the actual object's name. |
PRJ-24052, |
Security Management |
If the Management Server is up for many days, the CPM process memory consumption and CPU usage may increase consistently. |
PRJ-26299, |
Security Management |
In rare scenarios, tasks may run indefinitely until the Security Management Server is restarted. |
PRJ-26911, |
Security Management |
Policy installation to multiple gateways from Install Policy Presets may fail if each policy has its own HTTPS Inspection policy. |
PRJ-25838, |
Security Management |
In some scenarios, deleting a Security Gateway object fails with the "Object <name> is used by a policy or by other objects" error even though the Security Gateway is not in use. Refer to sk173467. |
PRJ-25800, |
Security Management |
In rare scenarios, if the CPM process is up for many days, CPU, and memory consumption may continue to grow until a reboot is performed. |
PRJ-25254, |
Security Management |
Login with Management API fails when using the api-key and setting enter-last-published-session to "true". |
PRJ-26507, |
Security Management |
Policy verification may incorrectly fail with a NAT verification error "The range size of Original and Translated columns must be the same". |
PRJ-25447, |
Security Management |
SmartConsole may unexpectedly close when renaming an Application Control rule name or changing an Application Control policy action. |
PRJ-25892, |
Multi-Domain Management |
NEW: Allow creating Domain Management Servers with a netmask different than the one of the Multi-Domain Server. Refer to sk173934. |
PRJ-26690, |
Multi-Domain Management |
After migrating the Global Domain and making global changes, when assigning/reassigning the Global Domain, the assignment may be shown as "Up to date" even though the latest global changes are not applied on the Domain. |
PRJ-25518, |
Multi-Domain Management |
In rare scenarios, in a Multi-Domain environment with active Domains on multiple Multi-Domain Servers, when performing manual HA sync in one Domain, objects from another Domain are not shown in SmartConsole. |
PRJ-25406, |
Multi-Domain Management |
In some scenarios, HA synchronization may fail on the MDS level with the "Failed to synchronize this peer due to purged revisions in the database." message. |
PRJ-27154, |
Multi-Domain Management |
OS information for Domain Servers may not be shown correctly at the MDS level. |
PRJ-22639, |
Multi-Domain Management |
In rare scenarios, the Multi-Domain Management Server may fail to start if Domains were previously deleted. |
PRJ-26302, |
Multi-Domain Management |
In rare scenarios, Global Domain Assignment and Domain Creation tasks may continue to run indefinitely. |
PRJ-20647, |
SmartConsole |
NEW: Added the option to print or save (as a file) the Changes Report. |
PRJ-23439, |
SmartConsole |
UPDATE: Changes report supports up to 50 revisions (instead of 10). |
PRJ-22813, |
SmartConsole |
Improved adjustment of the scrollbar in the Changes Report window. |
PRJ-26906, |
SmartConsole |
In some scenarios, loading the Access Control policy causes SmartConsole to close unexpectedly. Refer to sk175405.
|
PRJ-26873, |
SmartConsole |
In some scenarios, the gateway hardware change in SmartConsole fails with "Changing the hardware to <New_Selected_Check_Point_Appliance> Appliances is blocked." warning. |
PRJ-27576 |
Web SmartConsole |
NEW: Web SmartConsole now includes read/write capability for the most common activities. Refer to Take 44 in sk170314. |
PRJ-25931, |
SmartView |
NEW:
Note: The default time frames on the SmartView web application and SmartConsole are not synchronized.
|
PRJ-27301, |
SmartView |
After upgrade, SmartView scheduled export to Excel of Reports and Views stop running and users are unable to edit the scheduled tasks. Refer to sk174047. |
PRJ-24351, |
CPView |
In some scenarios, a memory leak may occur in a cpview_services module. Refer to sk173952. |
PRJ-19795, |
Logging |
NEW: Added support for Endpoint Forensics reports to get-attachment API. |
PRJ-20258, |
Logging |
NEW: Log exporter allows the re-export of logs based on starting and end positions provided by the user, to close possible gaps. Refer to sk122323. |
PRJ-21423, |
Logging |
NEW: The Log exporter now supports formatting for RSA SIEM application. |
PRJ-25596, |
Logging |
UPDATE: The Log Server now supports up to 2700 Gateways (previously was 1024). Refer to sk163413. |
PRJ-20136, |
Logging |
UPDATE: When reverting a Management or Log Server from the R81 version 30 days after the upgrade, logs are no longer fetched or indexed. |
PRJ-25454, |
Logging |
In rare scenarios, logs generated in the same second, with the same ID, may not show up in SmartConsole's Logs tab. |
PRJ-22650, |
Logging |
Threat Emulation log description for HTTP emulation is incorrect. |
PRJ-23114, |
Logging |
In some scenarios in SmartView, exporting a report or view to PDF duplicates the item and displays it twice in the Catalog until the export is done. |
PRJ-23821, |
Logging |
In rare scenarios, when querying logs with a timeframe larger than 1 day, only 50 logs from each day will be shown. |
PRJ-23581, |
Logging |
In some scenarios following a Multi-Domain Management Server upgrade, logs queries may not retrieve results from some CMAs\CLMs. |
PRJ-25646, |
Logging |
In SmartView (Reports and Web Logs view), the value of the file size is displayed differently from the Logs view in SmartConsole (GB instead of GiB). |
PRJ-24488, |
Logging |
When a Management Server manages more than 1024 Gateways, the connectivity status may show "N/A" for several Gateways. |
PRJ-24216, |
Logging |
In a Multi-Domain environment, the same Domain may appear twice in the Domains view of the SmartEvent application. |
PRJ-24706, |
Logging |
In the SmartConsole Logs&Monitor tab, when the query time-frame is "Last Hour" and auto-refresh is on, if the query time is between 12:00 and 13:00, logs from that time will not be shown. |
PRJ-25657, |
Logging |
In some scenarios, the LOG_INDEXER process consumes 100% CPU and log indexing fails causing log queries to miss the recent logs. The issue occurs when rules have Accounting enabled and there is a lot of traffic matching these rules. |
PRJ-27072, |
Compliance |
In some scenarios on Multi-Domain environments, Compliance data is not synchronized between primary and secondary Domains. |
PRJ-24580, |
SNMP |
NEW: Added CPview network statistics and network profile data to SNMP - throughput, packets rate, concurrent connections, drop reasons, top connections, and more. |
PRJ-24537, |
Security Gateway |
UPDATE: Added new Dynamic Balancing Clish command to enable default number of instances. To use it, run "set dynamic-balancing state enable set_default_fw_instances". Refer to sk164155. |
PRJ-26331, |
Security Gateway |
UPDATE: The prompt indication will show on which plane (management or data) the context is. For example:
|
PRJ-25102, |
Security Gateway |
UPDATE: The Connection Tracker (CPView >Advanced > CONN-TRACKER) will be activated by default. |
PRJ-25844, |
Security Gateway |
Added the Access Control rulebase matching visibility enhancement. |
PRJ-29753, |
Security Gateway |
In rare scenarios, the Security Gateway may failover while handling the HTTP/2 stream. |
PRJ-27036, |
Security Gateway |
VSX provisioning may fail to commit changes to the VSX database. Refer to sk173683. |
PRJ-26479, |
Security Gateway |
In some rare scenarios, when IPv6 is configured and Office Mode Anti-Spoofing is enabled, running "cpstop;cpstart" may cause a Security gateway to crash. |
PRJ-26811, |
Security Gateway |
In rare scenarios, policy installation may fail with the "Problem with the Commit Function" message. |
PRJ-26409, |
Security Gateway |
In some scenarios, policy installation on the MDPS Gateway fails with "ERROR: Duplicate keys in table 'cluster_members_ids_by_ips'" errors in SmartConsole. Refer to sk173485. |
PRJ-24127, |
Security Gateway |
RADIUS authentication failure messages are written to SmartConsole logs but not presented to a user. Refer to sk173927. |
PRJ-21271, |
Security Gateway |
In some scenarios, emails may be stuck in the MTA queue. |
PRJ-26016, |
Security Gateway |
In a rare scenario, a memory leak may occur in thein.emaild.mta process. |
PRJ-18127, |
Security Gateway |
In some scenarios, an incorrect interface name is displayed in CPView. |
PRJ-25393, |
Security Gateway |
In some scenarios, there is no match on URL Filtering rules. |
PRJ-26269, |
Security Gateway |
In a rare scenario, incorrect error messages regarding the ICAP client flow appear in dmesg. Refer to sk173546. |
PRJ-26345, |
Security Gateway |
When using Routing separation and ClusterXL, the "cphaprob -a if" command displays "mdps_tun" as "DOWN". |
PRJ-26152, |
Security Gateway |
In a rare scenario, a memory leak may occur when IPS / Anti-Bot / Anti-Virus Blade is enabled. |
PRJ-25817, |
Security Gateway |
Added Dynamic Anti-Spoofing stability enhancements. |
PRJ-27624, |
Security Gateway |
In some rare scenarios, only after a fast policy installation with a Non-FQDN object or an updatable object, wild card domains may not be enforced. |
PRJ-27124, |
Security Gateway |
Improved Generic Data Center object download to Security Gateway. |
PRJ-25738, |
Security Gateway |
In some scenarios, Security Gateway may crash when ICAP client is enabled. |
PRJ-26619, |
Security Gateway |
In some scenarios, "[INFO] encode resource in base64 failed" messages generated by the RAD process are shown in /var/log/messages file. |
PRJ-26596, |
Security Gateway |
Configuring the "Virtual Activation Timeout" option above 65535 may lead to an incorrect timeout definition. |
PRJ-23066, |
Security Gateway |
Improved displayed drop log messages on the Security Gateway:
Refer to sk172232. |
PRJ-22625, |
Security Gateway |
In some scenarios, the VSX Cluster switch may cause a core dump. |
PRJ-24010, |
Security Gateway |
In rare scenarios, when the sd_global_monitor_only property is set to true, there is no HTTP inspection. |
PRJ-24903, |
Security Gateway |
In rare scenarios, the name of the application that drops a packet was not shown in the drop debug. Instead, the "PSL Drop: internal - drop enabled" message was displayed. |
PRJ-24838, |
Security Gateway |
In some scenarios, when moving Mobile Access from Legacy to Unified Policy, previously configured native application may stop working. Refer to sk172935. |
PRJ-23539, |
Security Gateway |
In some scenarios, values set in fwkern.conf may not be applied correctly. |
PRJ-25553, |
Security Gateway |
In some scenarios, connections are dropped with the "Virtual defragmentation error: fragment table is full" message. Refer to sk180404. |
PRJ-25483, |
Security Gateway |
In a rare scenario, the PDPD or VPND process on the Security Gateway consumes a high CPU. Refer to sk173706. |
PRJ-25472, |
Security Gateway |
In rare scenarios, SmartView Monitor shows the "Error code: 2147483647" message when viewing data from a VSX Gateway. Refer to sk174206. |
PRJ-25157, |
Security Gateway |
When running the "fwaccel stats -r" command to reset the SXL statistics, the statistics may become corrupted. |
PRJ-24530, |
Security Gateway |
In a rare scenario, the FWK process unexpectedly exits on the Security Gateway. |
PRJ-29346, |
Security Gateway |
In a rare scenario, the Security Gateway may sporadically crash. |
PRJ-18868, |
Security Gateway |
In rare scenarios, DynamicID authentication fails with a "Server_code 403 log_msg General HTTP error" message in vpnd.elg. Refer to sk170303. |
PRJ-23273, |
Security Gateway |
In some scenarios, the "fw ctl affinity" command on MPDS Dplane does not show the Mplane Multi-Queue interfaces. |
PRJ-29094, |
Security Gateway |
In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages. |
PRJ-26140, |
Internal CA |
UPDATE: Added automatic extension for Internal CA database to support more than 100,000 certificates. |
PRJ-25273, |
Internal CA, VPN, Multi-Portal |
UPDATE: The IKE certificate's validity period is set to 1 year by default. Refer to sk176527. |
PRJ-26649, |
Internal CA |
UPDATE: Expired certificates are now cleaned from the Internal CA database every three weeks and after reboot. Refer to sk42424. |
PRJ-24831, |
Internal CA |
sk172610 was added to "Failed creating certificate. Certificate with a different letters' case exists" error message. |
PRJ-25544, |
Anti-Virus |
In a rare scenario, the Security Gateway may crash when working with Anti-Virus. |
PRJ-25245, |
Threat Extraction |
UPDATE: In Autonomous Threat Prevention (ATP) configured gateway, Threat profile field in sanitization (Threat Extraction) logs will refer to the current ATP profile installed. |
PRJ-26524, |
Threat Extraction |
Added Update 4 of Threat Extraction Engine. Refer to sk165832. |
PRJ-22272, |
Threat Prevention |
Improved the Threat Prevention policy installation time when installing on more than two Security gateways. |
PRJ-25845, |
Threat Prevention |
In rare scenarios, the Threat Prevention Blade Exception used for performance optimization does not work as expected. |
PRJ-25056, |
Identity Awareness |
NEW: Added Identity Collector Service Accounts exclusion. The default threshold value is 10. Refer to sk174266. |
PRJ-24690, |
Identity Awareness |
NEW: Added support for SAML authentication method for Remote Access VPN. Refer to sk172909 for configuration instructions.
|
PRJ-24500, |
Identity Awareness |
NEW: Added a new Auto-Tune feature for Nested Groups to select the optimal nested state for maximum performance. |
PRJ-25383, |
Identity Awareness |
UPDATE: Changed the Web-API conciliation score from 10 to 15. |
PRJ-25926, |
Identity Awareness |
Optimized the PDP expired timers mechanism performance. |
PRJ-25582, |
Identity Awareness |
In some scenarios, Identity Awareness with enabled Remote Access identity source constantly prints "A secondary session request was received from the same IP" message in the log and overrides the existing session. |
PRJ-17567, |
Identity Awareness |
IDA database may become corrupted on Scalable Platforms configured with multiple Identity Collectors in redundancy mode or Identity Sharing. |
PRJ-26232, |
Identity Awareness |
When the PDP gateway is connected to multiple pre-R81 PEP gateways, the CPU consumption may be high. Refer to sk173709. |
PRJ-29307, |
URL Filtering |
In some scenarios, HTTPS connections to Servers with untrusted certificates are held and not resumed (page cannot load). |
PRJ-24629, |
UserCheck |
In rare scenarios, when clicking the "Send Original Mail to me" button (sk140214) in the UserCheck portal for Threat Extraction, action fails with "An unexpected error has occured." error message. |
PRJ-26166, |
IPS |
In rare scenarios, the FWK process may unexpectedly exit when installing the policy. |
PRJ-23674, |
IPS |
A redundant debug message may be displayed in dmesg logs. |
PRJ-22232, |
IPS |
Packet capture may not be generated for certain IPS protections. |
PRJ-27971, |
IPS |
Added IPS Core Protections scan improvements for HTTP traffic. |
PRJ-26107, |
IPS |
Security Gateway may crash when the IPS profile name is very long. Refer to sk174025. |
PRJ-18857, |
DLP |
DynamicID via SMTP does not work when an HTTP proxy Server is defined. |
PRJ-26008, |
SSL Inspection |
When TLS 1.3 is enabled, a connectivity issue may occur for non-TLS traffic over inspected ports. |
PRJ-26740, |
SSL Inspection |
Added an option to bypass Name Constraints extension on certificates using a registry flag. Refer to sk159692. |
PRJ-20681, |
SSL Inspection |
A table hash size may be too small for some environments and cause an increased CPU usage. |
PRJ-25222, |
Mobile Access |
Improved the Portal Rendering performance in Unified Policy mode. |
PRJ-21798, |
Mobile Access |
The "Favorites" button does not work if URL does not start with "https://" |
PRJ-24688, |
Mobile Access |
In some scenarios, the HTTPD process consumes a high CPU causing slowness in access to web applications. |
PRJ-23732, |
Mobile Access |
In some scenarios, when configuring the "X-Forwarded-For" header to MAB reverse proxy, the header is passed in reverse order. |
PRJ-25105, |
ClusterXL |
Data connections from the Standby member of an Active-Standby cluster may be dropped on the stealth rule when "fwha_cluster_hide_active_only" is set to 1. |
PRJ-26575, |
ClusterXL |
The "set cluster member ccpenc" command description falsely shows that the default setting is off. |
PRJ-26981, |
ClusterXL |
In some scenarios, in Load Sharing mode, the cphaprob show_bond command on the Security Management Server shows the back-up subordinate status as "Not Available". Refer to sk175469. |
PRJ-25954, |
ClusterXL |
Hundreds of VLANs in VSX cluster may cause VLAN to get Internal Communication Network IP (funny IP) address when adding/editing VLAN. |
PRJ-26410, |
ClusterXL |
Log shows that CCP encryption fails on each policy installation. |
PRJ-23849, |
SecureXL |
In some non-VPN scenarios, MSS Adjustment (Clamping) does not work. |
PRJ-22786, |
SecureXL |
In a rare scenario, Security Gateway may crash after running the "fwaccel tab -t connections" command. |
PRJ-27226, |
SecureXL |
Invalid VLAN traffic may cause repeated "deliver_list is empty!!!" error messages in the /var/log/messages file. |
PRJ-24542, |
SecureXL |
In a VSX environment, the SYN Defender configuration may not be applied correctly. |
PRJ-25107, |
SecureXL |
SecureXL keeps forwarding packets in VSX bridge mode when the member is down. Refer to sk169495. |
PRJ-25511, |
SecureXL |
In a rare scenario, Security Gateway may crash when generating CPInfo in VSX mode. |
PRJ-26925, |
Gaia OS |
NEW: Added support for new card 4 ports 1/10GbE SFP+ Rev 4.1. |
PRJ-26757, |
Gaia OS |
In some scenarios, the first packet of any protocol is dropped if there is no ARP cache entry in the ARP table for that destination. Refer to sk173933. |
PRJ-26334, |
Gaia OS |
In some scenarios on VSX, the "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-eth instead" message appears in /var/log file. |
PRJ-26329, |
Gaia OS |
When using routing separation, Clish configuration for the management plane may be missing. |
PRJ-24494, |
Gaia OS |
In a rare scenario, the Security Gateway may become unresponsive. Refer to sk172827. |
PRJ-24944, |
Gaia OS |
In some scenarios, Syslog debug messages are incorrectly printed as errors (ERR). |
PRJ-25667, |
Gaia OS |
In some scenarios, the driver's (i40e) response time for MQ settings takes too long time. |
PRJ-24597, |
Gaia OS |
When the RADIUS Server uses a multi-pool "Access Challenge", the system sends many authentication requests without waiting. |
PRJ-25375, |
Gaia OS |
SNMP sysOID 1.3.6.1.2.1.1.2.0 does not return Check Point system information when queried from Maestro Orchestrator. |
PRJ-26576, |
Routing |
In some scenarios, BFM fails to create pseudo interfaces (ethX-XX). |
PRJ-26792, |
Routing |
When working from gclish and Audit Log is enabled, every command is logged twice - once with the real user and once with the admin. |
PRJ-26526, |
Routing |
When using proxy arp on IP address within the same subnet as the cluster IP, no GARP is sent upon failover. |
PRJ-25996, |
Routing |
In some scenarios, the monitored IP option "force-if-symmetry" does not detect the asymmetric ping properly. |
PRJ-25915, |
Routing |
Netflow packets are sent from the individual VS IP address instead of VS0. |
PRJ-26970, |
Routing |
In some scenarios, the ROUTED process may produce a core dump when it receives IGMPv3 Membership Reports over a long period of time. |
PRJ-26962, |
Routing |
The ROUTED process may unexpectedly exit when candidate RP is enabled, and a rapid failover occurs or when the candidate RP interface is disconnected. |
PRJ-25319, |
Routing |
In some scenarios, CPView displays incorrect values of RIP statistics. |
PRJ-27060, |
Routing |
In some scenarios, the ROUTED process may unexpectedly exit when there is a static route and a kernel route to the same destination. |
PRJ-24389, |
Routing |
In rare scenarios, a Load Sharing cluster can experience DHCP relay drops with the "dropped by fw_post_vm_chain_handler Reason: Handler 'dhcp_reply_code' drop" message. |
PRJ-23484, |
VoIP |
In some scenarios, the "sip_increase_opq_rnum: Error - number of reinvites exceeded the limit" message that indicates the malfunction SIP flow is printed in SIP debug. |
PRJ-23968, |
VSX |
UPDATE: Added ability to change the Management and Sync interfaces via vsx_util change_interfaces. |
PRJ-19978, |
VSX |
In some scenarios, the "cpstat vsx" command does not show the correct output. Refer to sk170793. |
PRJ-26355, |
VSX |
In some scenarios, the priority list cannot be manually set via the "vsx_util vsls" command. |
PRJ-26633, |
VSX |
A bridge on a regular VS (not VS in bridge mode) is not supported on a VSX cluster in Active/Active mode. This fix blocks:
|
PRJ-26451, |
VSX |
In some scenarios, toggling between "Active up" mode and "Primary up" mode of a VSLS cluster with "vsx_util" is not reflected on the Gateway when using the "cphaprob stat" command. |
PRJ-26443, |
VPN |
In rare scenarios, a memory leak related to gateway authentication may occur. |
PRJ-26246, |
VPN |
In some scenarios, the VPND process may unexpectedly exit when connecting with strongSwan client. |
PRJ-26435, |
VPN |
In a rare scenario, a memory leak may occur when RASession_util is active. |
PRJ-25986, |
VPN |
In rare scenarios, IKE negotiation fails when using IPv6 addresses. |
PRJ-26434, |
VPN |
In a rare scenario, the IKED process unexpectedly exits with core dump when using Office Mode IP allocation for clients and users cannot connect. |
PRJ-26205, |
VPN |
MEP failover with 3rd party vendors may not work correctly. |
PRJ-26268, |
VPN |
In some scenarios in MEP configuration, failover to available MEP members may fail. |
PRJ-26400, |
VPN |
Policy installation may fail when VPN community is not configured on the Security Gateway. Refer to sk174235. |
PRJ-24808, |
VPN |
Site to Site VPN connectivity issue when NAT is enabled. |
PRJ-26789, |
VPN |
In some scenarios, an incorrect Host IP address is shown in SmartConsole log when a client is not authorized to log in. |
PRJ-26624, |
VPN |
Added VPN stability improvement in IKEv2. |
PRJ-22529, |
VPN |
When Multiple Factor Authentication is configured with DynamicID , VPN clients may receive four password prompts. Refer to sk144932. |
PRJ-28152 |
VPN |
In some scenarios, this policy warning is displayed on CMAs: "gen_implied_rule: fail to get rule template ('iked_ports_block_in/out' rule will not be generated)". |
PRJ-25335, |
VPN |
In some scenarios, the "Illegal sequence number" error may be printed in Dead Peer Detection (DPD) debug. |
PRJ-25054, |
VPN |
In some scenarios, a user may not be able to connect because the VPND process unexpectedly exits. |
PRJ-26342, |
VPN |
In some scenarios, Phase 2 NULL encryption in IKEv2 fails with "Received notification from peer: No proposal chosen" message in the log. |
PRJ-26928, |
VPN |
In some scenarios, the VPND process unexpectedly exits after installing the policy. |
PRJ-25134, |
VPN |
In some scenarios, the VPN Remote Access client cannot reconnect after changing the authentication method. |
PRJ-26176 |
Harmony Endpoint |
Harmony Endpoint Web Management Update - Compliance, Application Control, Firewall, and export package were added. |
PRJ-26281, |
Harmony Endpoint |
In some scenarios, the "Pre-boot screen saver" in SmartEndpoint Common Client Settings Policy is not visible. |
PRJ-27583, |
Harmony Endpoint |
In some scenarios, the "Uninstall Client" push operation in SmartEndpoint cannot be initiated and fails with exception. |
PRJ-27321, |
Harmony Endpoint |
In some scenarios, the EP URL Filtering policy may block websites under category 32 (political/legal) instead of category 31 (phishing). |
PRJ-28655 |
Harmony Endpoint |
In some scenarios, only partial info is shown in Anti-Malware updates dialog window in SmartEndpoint. |
PRJ-25729, |
QoS |
A memory leak may occur when using Domain names in QoS policy rules. Refer to sk174904. |
PRJ-26795, |
CloudGuard Network |
In some scenarios, CloudGuard Controller fails to fetch data from the standby ACI Server when the main ACI Server is unreachable. |
PRJ-25373, |
CloudGuard Network |
CloudGuard Controller with Cisco ACI Data Center sends updates without IP addresses to Security Gateways. |
PRJ-26798, |
CloudGuard Network |
In some scenarios, CloudGuard Network Standby member cannot access the Internet. Refer to sk175108. |
PRJ-21257, |
Scalable Platforms |
NEW: Added support for the new SNMP OIDs to get performance statistics from VSX Virtual Systems. Configuration in Gaia gClish:
SNMP OIDs - Statistics from the specified Virtual System, statistics from each cluster member:
SNMP OIDs - Statistics from the specified Virtual System, total statistics from all cluster members:
|
PRJ-26563, |
Scalable Platforms |
NEW: Added new parameters for SNMP traps sent from Security Group Members:
|
PRJ-23649, |
Scalable Platforms |
UPDATE: Removed unsupported OIDs 1.3.6.1.4.1.2620.1.48.20.5 and 1.3.6.1.4.1.2620.1.48.21.5 from the chckpnt.mib file. |
PRJ-25357, |
Scalable Platforms |
UPDATE: Limited the /var/log/dist_mode.log file rotation size to 20MB to prevent exhaustion of disk space. |
PRJ-22208, |
Scalable Platforms |
UPDATE: Added Member ID to connection and session log. |
PRJ-21245, |
Scalable Platforms |
UPDATE: Added the new column "asgResourceTitle" to the SNMP Table "asgResourceTable". The new column contains the Security Group Member ID and the resource name. Format of the output: " Example output: " The SNMP OID of the new column is: |
PRJ-22986, |
Scalable Platforms |
UPDATE: New OIDs are assigned for these appliances:
|
PRJ-25785, |
Scalable Platforms |
"Failed to send event 8 SNMP request to chassis module" errors may appear in the messages log. |
PRJ-25526, |
Scalable Platforms |
"set user <username> password-hash" and "set user <username> force-password-change" Gaia gClish commands do not take effect on Security Group Members. |
PRJ-25858, |
Scalable Platforms |
In some scenarios, the fw_full core dump is randomly created on Quantum Scalable Chassis and Quantum Maestro appliances. |
PRJ-25495, |
Scalable Platforms |
In some scenarios, the asg diag test "IGMP consistency" (asg diag print 26) fails on Quantum Scalable Chassis and Quantum Maestro. |
PRJ-25506, |
Scalable Platforms |
fwaccel_dos_rate_on_install is not synced between SGM members. |
PRJ-25377, |
Scalable Platforms |
If the "Chassis HA mode" is configured as "VSLS", the SNMP query for the OID "asgChassisParamsMaxGrade" (.1.3.6.1.4.1.2620.1.48.28.4.1.4 and .1.3.6.1.4.1.2620.1.48.28.4.1.5) returns a wrong value.
|
PRJ-25376, |
Scalable Platforms |
The "asg_provision" command fails on hotfix inconsistency if ran outside of the global context (VS instead of VS0). |
PRJ-25374, |
Scalable Platforms |
The "asg_license_verifier -v" command that validates the licenses on SP cluster, may incorrectly fail with "Different licenses are installed across Blades" message. |
PRJ-27324, |
Scalable Platforms |
The VSX gateway creation on Scalable Platforms via SmartConsole or VSX Provisioning tool fails with the "Failed to determine appliance type" error. |
PRJ-27173, |
Scalable Platforms |
The MIB file $CPDIR/lib/snmp/chkpnt.mib fails MIB validation tests in the SNMP tree OID .1.3.6.1.4.1.2620.1.48.0 (asg). |
PRJ-26066, |
Scalable Platforms |
Improved the memory usage calculation by the "asg perf" command. |
PRJ-25671, |
Scalable Platforms |
|
MBS-13627 |
Scalable Platforms |
In some scenarios, SNMP Query for OID .1.3.6.1.4.1.2620.1.48.20.1.0 (asgThroughput) returns a value lower than expected (the F2F traffic is missing). |
PRJ-25542, |
Scalable Platforms |
The FWD process may unexpectedly exit when adding/deleting the "fw samp" rules. |
PRJ-26038, |
Scalable Platforms |
The "asg perf" command may display wrong values for "Throughput" and "Packet rate". |
PRJ-25741, |
Scalable Platforms |
Improved the memory / partitions size validity tests in the "asg resource" command. |
PRJ-25777, |
Scalable Platforms |
When interrupting the "asg_perf_hogs -v" command with the CTRL+C keys, the message on the screen shows "Operation was canceled/terminated by user" instead of "No issues were found". |
PRJ-21329, |
Scalable Platforms |
In rare scenarios, Switch distribution update in an early stage may trigger the FWK process to unexpectedly exit. |
PRJ-21328, |
Scalable Platforms |
In some scenarios, the output of the "asg_policy verify -a" command in the "Summary" section for the Security Group Member shows "Policy date is lower than max policy date". |
PRJ-21323, |
Scalable Platforms |
In some scenarios, SH zombies processes are created after a reboot or policy installation. |
PRJ-22146, |
Scalable Platforms |
The "delete backup" gClish command deletes backups only on the local member and not on all Security Group members. |
PRJ-21073, |
Scalable Platforms |
With this fix, sam_policy (samp) rules will be applied to new members added to the Security Group automatically. |
PRJ-22982, |
Scalable Platforms |
After adding a subordinate interface to a Bond interface, the output of the "asg diag" command shows that the "Distribution Mode" test failed because of an issue with the subordinate interface. |
PRJ-21832, |
Scalable Platforms |
SNMP query for OID 1.3.6.1.4.1.2620.1.48.20.5 and 1.3.6.1.4.1.2620.1.48.21.5 gives empty result. Refer to sk173423. |
PRJ-21580, |
Scalable Platforms |
Improved the Distribution Mode configuration for Bridge interfaces - each subordinate interface has a different Distribution Mode. |
PRJ-20750, |
Scalable Platforms |
In some scenarios, the "mq_mng -o -v" command fails with the "Error executing command" error message. |
PRJ-25801, |
Scalable Platforms |
The asymmetric traffic may fail if the "Synchronize connections if Synchronization is enabled on the cluster" checkbox in the "Cluster and synchronization" section of the corresponding service's properties is not selected. |
PRJ-25745, |
Scalable Platforms |
The command help (-h) misses the description of the -b parameter of the "asg_hard_start" command. |
PRJ-25719, |
Scalable Platforms |
Removed the "-amw" flag from the syntax of the "asg stat" command. Run the "asg stat -v" command to get the required information. |
PRJ-22554, |
Scalable Platforms |
Setting multi-queue on backplane interfaces via "mq_mng -s manual" command fails with the "Error executing command" error. |
PRJ-25344, |
Scalable Platforms |
In some scenarios, the unclear message "Management loss failure" is displayed in the command line. |
PRJ-25572, |
Scalable Platforms |
Removed the "ccutil reset_parity_counter" command from the code. |
PRJ-25576, |
Scalable Platforms |
The output of the "asg stat vs" command in the "Virtual System Status" section shows "active chassis" in lowercase when a Virtual System is in freeze. Now the output shows "Active chassis" with a capital letter. |
PRJ-25589, |
Scalable Platforms |
Gaia users other than the 'admin' cannot use SCP to connect to a Security Group Member, even if the default shell /bin/bash and the 'admin' role are configured. |
PRJ-25463, |
Scalable Platforms |
Gaia gClish command that take more than 60 seconds to execute fail with "CLINFR0739 error in command execution; see "/var/log/messages"". Refer to sk170301. |
PRJ-23285, |
Scalable Platforms |
In some scenarios, the "RTNL: assertion failed" errors appear in /var/log/messages on Quantum Maestro/Quantum Scalable Chassis. |
PRJ-23217, |
Scalable Platforms |
In VSLS scenarios when the SMO is the ARP master, in ACTIVE-ACTIVE state the wrong VS may answer ARPs, causing "out-of-state" in TCP connections. |
PRJ-28053, |
Scalable Platforms |
In some scenarios, the Maestro Gateway leaves the Security Group. |
PRJ-22976, |
Scalable Platforms |
Setting MTU on Management Aggregation (MAGG) interface may fail. |
PRJ-28016, |
Scalable Platforms |
In some scenarios, bond interface subordinate fails to properly initialize and shows a partner system MAC address of 00:00:00:00:00:00. |
PRJ-26992, |
HCP |
Added Update 3 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-24089, |
HCP |
Added Update #2 of HealthCheck Point (HCP) Release. Refer to sk171436. |
PRJ-26326, |
Carrier Security |
The FWK process may unexpectedly exit producing a core dump when the GTP tunnel expires. |
Take 36 Released on 19 July 2021 and declared as Recommended on 26 July 2021 |
||
PRJ-28539, |
ClusterXL |
During Multi-Version Cluster (MVC) upgrade with R81 Jumbo Hotfix Take 34, the "MVC WARNING uninitialized VPN table" message frequently appears in log. Refer to sk174445. |
PRJ-28195 |
ClusterXL |
In public cloud environments, CloudGuard Network High Availability/Cluster solutions may incorrectly detect Cluster status. See the Important Notes section. |
Take 34 Released on 27 June 2021 |
||
PRJ-25809 |
Security Management |
NEW: Performance improvements for security policy and database installation when R81 Security Management manages R80.40 Gateways. |
PRJ-20295, |
Security Management |
NEW: Added new API version (1.7.1). For more information, refer to the Management API Reference. |
PRJ-23312, |
Security Management |
UPDATE: Added Update 9 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109. |
PRJ-23923, |
Security Management |
SmartConsole Extensions fail to load with "Error: unable to retrieve read-only session" if login with SmartConsole is performed with an IP address that is not defined as the primary IP of the Management Server. |
PRJ-23774, |
Security Management |
"Query failed" error is displayed in Security Gateway Device & License Information view in SmartConsole when canceling the "Export to PDF/CSV" operation. |
PRJ-23885, |
Security Management |
In some scenarios, when updating Check Point Host object to be a Network Policy Management and in addition configuring it as a Secondary Server, "Publish" fails with "Action Failed due to an internal error". |
PRJ-23544, |
Security Management |
In some scenarios, HA sync in a Multi-Domain environment may fail with the "Failed to import data" error message after the user creates new Permission Roles. |
PRJ-22442, |
Security Management |
Upgrade or migration from R80.10 and lower to R80.20 and higher may fail with "Scheme adjustment had failed" error in logs. Refer to sk172003. |
PRJ-24487, |
Security Management |
In very large Management environments, Policy verification and installation may fail with FWM process core dump. Refer to sk173722. |
PRJ-24021, |
Security Management |
In some scenarios, after upgrade of Multi-Domain environment that has active Domains on multiple Multi-Domain Servers, some objects may not be visible in the System Domain. |
PRJ-24617, |
Security Management |
In Domain High Availability, policy installation may fail if a Global Dynamic Network object defined and the active peer is the Security Management Server. |
PRJ-23438, |
Security Management |
When configuring SNMP traps with thresholds_config utility on the Management Server, the settings may not be applied on the Security gateway upon policy installation. |
PRJ-22076, |
Security Management |
In rare scenarios, the Management Server may fail to start because Solr fails to initialize. |
PRJ-24520, |
Security Management |
When adding or updating star/meshed VPN community using the Management API and setting default values for ike-p2-use-pfs or ike-p2-pfs-dh-grp fields, the operation mail fail with the validation error. |
PRJ-21400, |
Security Management |
In rare scenarios, deleting an object fails with "Can't reach source object, maybe it already deleted" error. Refer to sk172828. |
PRJ-23899, |
Security Management |
In some scenarios, the policy installation may fail after following sk55502. Refer to sk174646. |
PRJ-22202, |
Security Management |
In some scenarios in Management High Availability environment, after restoring a Domain from backup, the Security Management Server appears as 'Unavailable' in SmartConsole. |
PRJ-24612, |
Security Management |
Incorrect Mobile Access license status upon a license change. |
PRJ-25032, |
Security Management |
The "add access-role" Management API may fail when it is configured with base-dn. |
PRJ-25057, |
Security Management |
In some scenarios, the "set-simple-gateway name ..." and "set simple-cluster name ..." Management APIs may not reach the "SIC Communicating" state. |
PRJ-22132, |
Security Management |
In a rare scenario, Management HA synchronization fails after the Purge Revisions operation. |
PRJ-20811, |
Security Management |
On Security Management with connected Endpoint Security Server, the SICTUNNEL process may unexpectedly exit and start again every few minutes with core file ~4gb in size. Refer to sk173704. |
PRJ-22124, |
Security Management |
Running override_server_setting.sh may not update settings correctly when updating a setting multiple times. |
PRJ-21705, |
Security Management |
In some scenarios, Apache does not start and shows a "No space left on device" message if the user runs "cprestart" frequently. |
PRJ-22212, |
Security Management |
In rare scenarios, concurrent update operations performed by several administrators on the Management Server may fail. |
PRJ-23931, |
Multi-Domain Management |
NEW: Once a day, Multi-Domain Management Servers will check for peers that are not synchronized. If such are identified, HA full sync will be automatically initiated at the MDS level. |
PRJ-23698, |
Multi-Domain Management |
Global Policy Reassignment may take a long time to complete after an IPS Update in the Global Domain. |
PRJ-22924, |
Multi-Domain Management |
When secondary Domain Management Server is in active state, sicRenew utility may fail with "Certificate cannot be renewed by the Internal CA. (Error no. -179)". Refer to sk172183. |
PRJ-22633, |
Multi-Domain Management |
UPDATE: Improved the Domain Management Server and Domain Log Server creation and deletion operations. |
PRJ-23160, |
Multi-Domain Management |
UPDATE: Added stabilization improvement for Assign and Reassign Global Policy operations. |
PRJ-22523, |
Multi-Domain Management |
In some scenarios, Reassign Global Domain for a Domain that is active on another Multi-Domain Server may fail with "An internal error has occurred" message. Refer to sk172704. |
PRJ-24760, |
Multi-Domain Management |
Global Policy Assignments may be missing in Multi-Domain environment after upgrade from R77.x. |
PRJ-22139, |
Multi-Domain Management |
A Multi-Domain Server with dozens of Domains may take a long time to start. |
PRJ-22784, |
SmartConsole |
UPDATE:
Note:
|
PRJ-22127, |
SmartConsole |
SmartConsole configures a default value for the IPv4 mask length of VIP interface each time a user opens the interface editor for cluster object configured in the Active-Active mode. As a result, the value configured by a user is overwritten with the default value each time the user opens the cluster object and clicks OK.
|
PRJ-21908, |
SmartConsole |
Generating a Changes Report may fail when the changes include new LSM Profiles or Small Office Gateway objects. |
PRJ-23605, |
SmartConsole |
In some scenarios, a SmartTask may fail to execute its action when it is triggered for a policy installation. |
PRJ-22524, |
SmartConsole |
"The object specified in 'Always send alerts to' field, has no active 'Logging & Status' Blade" error may be displayed after running the "add-simple-gateway" command in Management HA environments where one of the Security Management Servers has the "Logging & Status" Blade disabled. Refer to sk172226. |
PRJ-18888, |
CPView |
CPView shows "N/A" for speed values of some network cards. |
PRJ-22974, |
Compliance |
Deactivated Compliance Best Practices appear in the Compliance report. |
PRJ-21180, |
Logging |
NEW: Resource pools for log queries and report generation have been separated to ensure query responsiveness while multiple reports are generated. |
PRJ-18560, |
Logging |
In the "Logs" view in SmartConsole, when the query filter contains "time:yesterday" as a literal, the query fails with a "Query resolution failed" error. The pre-defined time filter "Yesterday" shows results from today. Refer to sk170999. |
PRJ-23205, |
Logging |
In rare scenarios, when creating a Log Server object and establishing SIC, log queries from the newly created Log Server object may fail. |
PRJ-23068, |
Logging |
When viewing an Access log card that was matched on both a Network layer (firewall) rule and an Application layer rule, and both actions are "Accept", the application layer rule will be presented in the card instead of the network layer rule. Refer to sk172763. |
PRJ-22967, |
Logging |
In some scenarios, when exporting logs using the Log exporter tool and filtering on all Threat Prevention Blades, logs of "Anti Spam" Blade are not exported. |
PRJ-23416, |
Logging |
In SmartView's "Cyber Attack View - Endpoint", the widgets Active/Dormant Attacks and Cleaned/Blocked Attacks show clean hosts as infected (false positive results). |
PRJ-20621, |
Logging |
In SmartView, when filtering with specific time filters, the result may include more logs than was requested. |
PRJ-22186, |
Logging |
In SmartView, when the user exports multiple PDF/CSV/Templates of the same view/report at the exact same time, the second export to complete may overwrite the first one. |
PRJ-22250, |
Logging |
In some scenarios, in the "Views and Reports" of SmartView, it is not possible to use the field "Roles". |
PRJ-23010, |
Logging |
In rare scenarios, when the user exports logs to Excel using SmartView web, the action fails when the exported logs contain special characters, like emojis. |
PRJ-23283, |
Security Gateway |
NEW: Added the "Top Connections" tool. For more information, refer to sk172229. |
PRJ-21903, |
Security Gateway |
NEW: Added new troubleshooting tool to cplic command for Entitlement manager. |
PRJ-19592, |
Security Gateway |
NEW: Added support for authentication with a RADIUS Server that expects to receive an empty password on the first message. VPN client will receive 2 dialogs instead of 3. |
PRJ-20961, |
Security Gateway |
NEW: In a Management Data Plane Separation (MDPS) environment, each plane has its own configuration. Run these commands in each plane:
|
PRJ-19989, |
Security Gateway |
NEW: Added support for Drop templates optimization on accelerated policy installation. |
PRJ-23382, |
Security Gateway |
NEW: Implemented new Fast-Accel producer. The following Fast-Accel statistics are added to CPView:
|
PRJ-17932, |
Security Gateway |
UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560. |
PRJ-22261, |
Security Gateway |
UPDATE: Added $CPDIR/log/sic_info.elg log file to show detailed SIC errors. |
PRJ-22988 |
Security Gateway |
UPDATE: Added support for DPL for non-FQDN Objects on Cluster Load Sharing environments. |
PRJ-22654, |
Security Gateway |
UPDATE: Security Gateway performance optimizations for specific scenarios. Refer to sk174607. |
PRJ-23079, |
Security Gateway |
Enhancement: Early drop optimization will work even if the UserCheck is not relevant for this connection. |
PRJ-20570, |
Security Gateway |
In some scenarios, the "fwauthd_init: got known service port XXX ... choosing another one" message appears repeatedly in the $FWDIR/log/fwd.elg file. |
PRJ-25905, |
Security Gateway |
In a rare scenario, machine hangs and user is unable to run any command. Refer to sk173405. |
PRJ-24731, |
Security Gateway |
On rare scenarios, running "fw1 + misp" debug on cluster may cause Security Gateway to crash. |
PRJ-24378, |
Security Gateway |
A memory leak in a DNS resolving infrastructure may occur. |
PRJ-20983, |
Security Gateway |
In rare scenarios, the CPD process unexpectedly exits when the VPN is enabled, and statuses are not sent to the Management Server. |
PRJ-19359, |
Security Gateway |
In a rare scenario, the FWK process may unexpectedly exit while passing TLS traffic, resulting in a cluster failover. |
PRJ-21473, |
Security Gateway |
When the Security Gateway is configured as a proxy, some network objects may not be matched correctly. |
PRJ-21056, |
Security Gateway |
In a rare scenario, Fast Accel logs are sent although they are disabled on the matched rule. Refer to sk171336. |
PRJ-21012, |
Security Gateway |
In a rare scenario, Security gateway may crash when using non-FQDN domains in Access policy. |
PRJ-23393, |
Security Gateway |
Added support for "Other" services configured with IP protocol, but without advanced "Match" expression. |
PRJ-23342, |
Security Gateway |
Boot may take a long time on machines with many VLANs or secondary IP addresses. |
PRJ-21837, |
Security Gateway |
The "up_fw_module_load_commit: failed to load" error may be displayed in dmesg during cpstart or policy installation. |
PRJ-24300, |
Security Gateway |
In a rare scenario, the FWK process unexpectedly exits on the Security Gateway. |
PRJ-24275, |
Security Gateway |
Allow automatic configuration of Identity Awareness nested group state 4 for Security Gateways with a previously installed fix for IDA-754. |
PRJ-22874, |
Security Gateway |
In some scenarios, policy installation fails with "Error code 0-2000077" message. |
PRJ-22839, |
Security Gateway |
In a rare scenario, policy installation may fail with the "problem with the Commit Function" message. |
PRJ-22943, |
Security Gateway |
In rare scenarios, policy installation fails with "gen_other_service_inspect_func: failed to find corresponding service object for <service name>" error message. |
PRJ-22931, |
Security Gateway |
When using "User Alert 3" in the code alert, cosmetic error "FW-1: fwdrv_get_string_id_from_code: illegal parameters for code 8" appears in the /var/log/messages file. |
PRJ-22456, |
Security Gateway |
In a rare scenario, the Security gateway may crash with fwk and fwk_wd core dump files. |
PRJ-23102, |
Security Gateway |
The connection may not exist in the SecureXL connection table when configuring Smart Connection Reuse kernel parameters and allow out of state TCP packets. |
PRJ-22374, |
Security Gateway |
In some scenarios, the Security Gateway attempts to access the Management Server through the server's NAT IP address (defined in the "NAT" section of the server object), while the server is reachable only through the main IP address (defined in the "General Properties" section of the server object). Refer to sk171665 to configure the required parameter SKIP_NATTED_IP. |
PRJ-23042, |
Security Gateway |
In a rare scenario, Security Gateway may crash during the Application Control / IPS / Anti-Bot package update. |
PRJ-23949, |
Security Gateway |
In a rare scenario, Security Gateway may crash when running in USFW (User-Space Firewall) mode. |
PRJ-24294, |
Security Gateway |
In a rare scenario, Security Gateway may crash during policy installation. |
PRJ-24414, |
Security Gateway |
In a rare scenario, Security Gateway may crash under heavy load during cluster failover. |
PRJ-23900, |
Security Gateway |
In a rare scenario, the Security Gateway may crash when GRE or VXLAN interfaces are configured. |
PRJ-21451, |
Security Gateway |
RSA integration using SAML (Security Assertion Markup Language) protocol may not work as expected. Refer to sk171501. |
PRJ-25304, |
Security Gateway |
When the Security Gateway is configured as a proxy, some network objects may not be matched correctly. |
PRJ-22740, |
Security Gateway |
When Strict Hold is enabled in the fail-open configuration, some HTTPS connections may stuck. |
PRJ-25594, |
Security Gateway |
In some scenarios, packets are dropped due to incorrect SACK translation when SACK and sequence translation are being used together. |
PRJ-23428, |
Security Gateway |
The VPND process may consume high CPU because of ECDHE use, which affects multi-portal functionality. Refer to sk173145. |
PRJ-24466, |
Security Gateway |
In a rare scenario, Security Gateway may crash when handling some DNS packets. |
PRJ-19413, |
Security Gateway |
The "new-conn-rate" DOS/Rate limiting rules may not be enforced in usermode when enforcement for internal interfaces is disabled. |
PRJ-23518, |
Application Control |
In some scenarios, the fw_full (fwd daemon) unexpectedly exits producing a core dump file and causing a cluster failover. |
PRJ-21772, |
Application Control |
A failure log may be generated when inspecting connections to servers with certificates without a common name (CN) field. |
PRJ-24479, |
Threat Extraction, |
In some scenarios, License errors for Threat Emulation and Threat Extraction Blades are displayed for NGTP customers that use Autonomous Threat Prevention. |
PRJ-24924, |
Threat Prevention |
UPDATE: Added support for more than 20 CIFS objects in rulebase. Refer to sk170300. |
PRJ-21883, |
Threat Prevention |
Policy installation fails if it contains objects with "://" text. |
PRJ-23571, |
Threat Prevention |
Security Gateway may crash when transferring the HTTP multipart traffic if the Anti-Virus Deep Scanning, Threat Extraction, or Threat Emulation is enabled. |
PRJ-19558, |
Threat Prevention |
In some scenarios, "cpssh_trans_endpoint_handle_session_travers_timeout: INTERNAL ERROR" errors are displayed in the fwk.elg file when inspecting SSH traffic. |
PRJ-20485, |
Threat Prevention |
In rare scenarios, Security Gateway may crash when working with SSH. |
PRJ-20814, |
Threat Prevention |
Large file download with SFTP may fail when the connection is inspected. |
PRJ-21279, |
Threat Prevention |
Removed the "beta" label from SSH DPI's SSH server identification string. |
PRJ-23037, |
Threat Prevention |
In rare scenarios, Security Gateway may crash if event app debug flag is enabled. |
PRJ-24193, |
Threat Prevention |
In rare scenarios, the Threat Prevention policy is not enforced after a reboot of the Security Gateway. |
PRJ-21656, |
SSL Inspection |
UPDATE: Avoid sending the TLS probe during the inbound inspection when a rule is matched according to the IP address. |
PRJ-20486, |
SSL Inspection |
Memory leak may occur during policy installation. |
PRJ-19857, |
SSL Inspection |
TLS probing failures generate logs with a general description in SmartLog: "Internal system error in HTTPS Inspection (Error Code: 2)". With this fix, more descriptive logs will be generated. |
PRJ-24421, |
SSL Inspection |
Improved performance of the TLS handshake when TLS 1.3 support is enabled. |
PRJ-19765, |
SSL Inspection |
In rare scenarios in mixed IPv4/IPv6 environments, some connections may fail. |
PRJ-22428, |
SSL Inspection |
In some scenarios, the "Parallel TLS Sessions" and "Cache entries" CPView statistics for SSL Inspection are incorrect. |
PRJ-23398, |
SSL Inspection |
In rare scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing. |
PRJ-23442, |
SSL Inspection |
In some scenarios, memory leaks may occur after policy installation. |
PRJ-20237, |
SSL Inspection |
In a rare scenario, some errors in requests to the Security Gateway are ignored and can cause the connections to remain open instead of being closed. |
PRJ-25055, |
SSL Inspection |
In some scenarios, when HTTPS Inspection is enabled, overall memory consumption may gradually increase. Refer to sk171280. |
PRJ-21028, |
Anti-Malware |
Improved the way Threat Prevention distinguishes between .docx, .pptx, .xlsx and .zip files. |
PRJ-24782, |
Anti-Malware |
In a rare scenario, the Security gateway may crash with the "Problem with the Commit Function" error during policy installation. Refer to sk173248. |
PRJ-23037, |
Anti-Malware |
In rare scenarios, Security Gateway may crash if event app debug is enabled. |
PRJ-21458, |
Identity Awareness |
In some scenarios, the VPN Remote Access client fails to connect if a certificate contains a DN with an asterisk (*). |
PRJ-22360, |
Identity Awareness |
In some scenarios, output of "pdp conn pep" command may show incorrect PEP names. |
PRJ-20460, |
IPS |
UPDATE: Exceptions are now enforced for these IPS protections:
Refer to sk166222. |
PRJ-23191, |
IPS |
In rare scenarios, the Security gateway may crash. |
PRJ-22514, |
IPS |
Proxy source IP address is not printed in the IPS logs. |
PRJ-22405, |
IPS |
In some scenarios, the DNS response message with record type 0 may be dropped by "Non compliant DNS" protection. |
PRJ-20714, |
IPS |
In rare scenarios, policy installation fails due to duplicate id in IPS Snort protections. |
PRJ-22398, |
IPS |
The "ciu_lic_open_lic_db_file: crc check failed" error message may be printed in fwd.elg log file during the policy installation if the IPS Blade is disabled. Refer to sk172903. |
PRJ-24254, |
Anti-Virus |
UPDATE: Reduce performance when Anti-Virus is configured with deep inspection on all file types. |
PRJ-23929, |
Anti-Bot |
UPDATE: Anti-Bot URL cache was enhanced to support further requests. |
PRJ-23982, |
UserCheck |
Sensitive file push.js may be visible on the Security gateway. |
PRJ-21297, |
URL Filtering |
UPDATE: Improved RAD event output to provide additional information on events, such as detailed timing. This update also activates the retry mechanism by default. |
PRJ-22333, |
Mobile Access |
In some scenarios, the VPND process unexpectedly exits in SNX Application Mode. |
PRJ-23093, |
Mobile Access |
In some scenarios, the FWK process unexpectedly exits due to SNX authorization timeout in MAB's Unified Policy mode. Refer to sk173125. |
PRJ-23654, |
Mobile Access |
Remote Access session may not be synced on the standby member VS. |
PRJ-21644, |
Mobile Access |
Mobile Access may overwrite the /etc/hosts file on Security Gateway. |
PRJ-21700, |
ClusterXL |
UPDATE: Added the fwha_disable_ccp_on_monitor global kernel parameter. The parameter turns on/off the sending of CCP packets on link monitor interfaces. |
PRJ-26458, |
ClusterXL |
UPDATE: Added clusterXLFailover to the database to have the ability to set SNMP traps to monitor cluster failovers. Refer to sk173810. |
PRJ-19515, |
ClusterXL |
In some scenarios, the required interface value is higher than it should be when adding a VLAN interface. |
PRJ-22151, |
ClusterXL |
During active-active-bridge mode, the "show routed cluster-state" command may display some members as subordinate instead of master. |
PRJ-21350, |
ClusterXL |
In some scenarios, a large quantity of logs is generated on cluster VIP API. |
PRJ-21974, |
ClusterXL |
In some scenarios, when using IPv6 link-local VIP and dynamic routing protocols, failovers can cause a temporary outage. |
PRJ-25943, |
ClusterXL |
In some scenarios, the user cannot run any dynamic routing or install any static routes, including the default route. |
PRJ-24146, |
SecureXL |
UPDATE: Firewall debug drop template message now indicates the rule ID the template was created from. |
PRJ-18063, |
SecureXL |
UPDATE: Changed the "accept out of state" global parameter usage and added support to change it for specific VS. Refer to sk147093. |
PRJ-24653, |
SecureXL |
In some scenarios, the "reached the limit of maximum enqueued packets!" log is printed in the /var/log/messages file. |
PRJ-23461, |
SecureXL |
A race condition in the DOS/Rate limiting policy's install logic may cause incorrect counter values for "concurrent-conns". |
PRJ-19373, |
SecureXL |
Security Gateway may crash when the user runs "fwaccel tab -t" to view certain rate limiting tables that have a large number of entries. |
PRJ-20434, |
SecureXL |
In some scenarios, DOS/Rate Limiting rules that do not work as expected may be created. |
PRJ-22169, |
SecureXL |
Rate limiting rules using concurrent-connection counters may cause connections to be blocked. |
PRJ-22917, |
SecureXL |
Improved the Smart Connection Reuse feature to be consistent with the user configuration. Refer to sk24960. |
PRJ-22437, |
SecureXL |
In some scenarios, the concurrent-conns rate limiting count may be inaccurate for FTP data connections. |
PRJ-22290, |
SecureXL |
TCP reset packets may be dropped with an invalid sequence. |
PRJ-24478, |
Routing |
UPDATE: Allow "set bgp internal peer <value> send-route-refresh" commands. |
PRJ-23146, |
Routing |
UPDATE: Added "$" to the list of allowed characters for BGP MD5 authentication passwords in in WebUI and CLI. |
PRJ-23501, |
Routing |
UPDATE: Added support for PBR with VTI/VPN interfaces. |
PRJ-24499, |
Routing |
In some scenarios, after member failover, some traffic may be lost. |
PRJ-23742, |
Routing |
After restarting OSPF with the "restart ospf instance default" command, OSPF may not redistribute routes until making a configuration change. |
PRJ-24404 |
Routing |
VRRP member freezes when deleting a VLAN interface. Refer to sk106226. |
PRJ-24717, |
Routing |
In OSPF environment, the routed process may unexpectedly exit when a VPN tunnel is flapped leading to a temporary connectivity loss. |
PRJ-25042, |
Routing |
In a rare scenario, the ROUTED process unexpectedly exits when creating an MFC (S,G) entry. Refer to sk176685. |
PRJ-22386, |
Routing |
In some scenarios, Fragmented traffic is dropped when using L4 Distribution. Refer to sk167198. |
- |
VPN |
Hardened the ability to use narrowed IKEv2 tunnels. For more information, refer to sk166417. |
PRJ-23843, |
VPN |
UPDATE: Option 3 of the "vpn tu" command shows now the realm name and if the authentication was performed with the server certificate. |
PRJ-24813, |
VPN |
UPDATE: Added VPN improvements in IKEv2:
|
PRJ-24915, |
VPN |
UPDATE:
|
PRJ-21904, |
VPN |
Added major VPN enhancements for Scalable Platforms. Refer to sk174228. |
PMTR-63196 |
VPN |
Added Improvements for VPND resiliency (disabled by default in this release). |
VPNS2S-2313 |
VPN |
"Invalid ID information" message may be displayed when peer is 3rd party and Link selection is overridden. |
VPNS2S-2313 |
VPN |
IKEv2 may cause the VPND process to exit unexpectedly when IKEv2 rekey uses certificates. |
VPNS2S-2313 |
VPN |
|
PRJ-24255, |
VPN |
In some scenarios, the TTM (Transform Template) file is not loaded when there are no TTM groups for the user. |
PRJ-26350, |
VPN |
If SSL Inspection or other Blades that use the CPAS infrastructure is enabled, a call trace warning is displayed in dmesg when the cpstop command is issued. |
PRJ-22416, |
VPN |
Remote Access users may randomly disconnect because the Tunnel test packets are mapped to the incorrect interface. Refer to sk172328. |
PRJ-25490, |
VPN |
In VSX environments, Anti-Spoofing in SecureXL may cause Remote Access VPN drops. Refer to sk173266. |
PRJ-24889, |
VPN |
In some scenarios, the "Global param: operation failed: Unknown parameter (param name vpn_cluster_on_aws)" cosmetic error may appear in dmesg. |
PRJ-23304, |
VPN |
In rare scenarios, the VPND process may unexpectedly exit in an L2TP-related flow. |
PRJ-23975, |
VPN |
In some scenarios, the IKED process unexpectedly exits producing a core dump. |
PRJ-23986, |
VPN |
In some scenarios, the he VPND process may unexpectedly exit producing a core dump. |
PRJ-21944, |
VPN |
In some scenarios, VPN Remote Access users are disconnected after policy installation. Refer to sk171966. |
PRJ-24573, |
VPN |
Added IKE improvement for DAIP peer with ID_DER_ASN1_DN ID type. |
PRJ-22414, |
VPN |
In some scenarios, L2TP tunnel is not deleted completely upon disconnection. |
PRJ-22544, |
VPN |
Added stability fix in validation checks for ECDSA certificates. |
PRJ-22285, |
VPN |
When the Remote Access is configured to use DHCP for the Office Mode allocation, disconnection of SNX/L2TP clients may cause the IP address not be removed from the table. |
PRJ-23826 |
Gaia OS |
NEW: Adding support for Smart-1 600-S/M appliances. Refer to sk171903. |
PRJ-21432, |
Gaia OS |
NEW: Added support for hardware (sensors/NICs) data auto-update. |
PRJ-22843, |
Gaia OS |
UPDATE: Added the option to bind IP addresses to sockets using the udp_connect API. Refer to sk171019. |
PRJ-26746, |
Gaia OS |
The raid_diagnostic command fails on Smart-1 3050/3150/5050/5150 appliances. Refer to sk173788. |
PRJ-24606, |
Gaia OS |
Updated the OpenSSL version in the RPM database. |
PRJ-24134, |
Gaia OS |
Added timestamp, hostname and syslog version control to syslog messages. Refer to sk100727. |
PRJ-22877, |
Gaia OS |
In rare scenarios, Clish unexpectedly exits when configuring the ip-conflicts-monitor on more than 4 interfaces simultaneously. |
PRJ-21920, |
Gaia OS |
Unable to set MTU on Igb cards. |
PRJ-23615, |
Gaia OS |
In rare scenarios, there is a difference between the value of "Packets" in the output of "ifconfig <interface name>" and "show interface <interface name> statistics" commands. |
PRJ-23586, |
Gaia OS |
In some scenarios, Bond interface's subordinates stop sending LACP Traffic after reboot. Refer to sk169977. |
PRJ-22794, |
Gaia OS |
In rare scenarios, "show asset network" command may lead to memory leak. Refer to sk174823. |
PRJ-22923, |
Gaia OS |
The "kernel: [SIM4];resume_from_error: failed to get ci_or_corr" error message may be printed numerous times in /var/log/messages file while running UDP Traffic Load. Refer to sk172543. |
PRJ-23330, |
Gaia OS |
The "snmptable" command may fail to fetch data via SNMP producing core dump. Refer to sk172824. |
PRJ-23422, |
Gaia OS |
The administrator cannot force a password change to users with UID 0. |
PRJ-23491, |
Gaia OS |
When bond/bridge interfaces configured with IP conflicts monitoring are deleted, they still appear under the configuration of ip-conflicts-monitor. |
PRJ-24174, |
Gaia OS |
In rare scenarios, the Security Gateway may crash during tcpdump. Refer to sk141412. |
PRJ-22216, |
Gaia OS |
"show configuration on" may not expose bond' members. |
PRJ-23829, |
VSX |
In rare scenarios, the Wrp interface may not come up. Refer to sk171753. |
PRJ-24383, |
VSX |
In rare scenarios, when the VSX cluster experiences an outage, the FWK process generates a core dump file. |
PRJ-27489 |
VSX |
In rare scenarios after Jumbo Hotfix installation, the Security Gateway may crash and a file system becomes corrupted. Refer to sk174191. See the Important Notes section. |
PRJ-21717, |
CloudGuard Azure |
Improved performance consistency (with Multi-Queue) after the Microsoft Azure Maintenance event. |
PRJ-20396, |
CloudGuard Network |
In some scenarios, failover to another APIC server fails. |
PRJ-23380, |
CloudGuard Network |
The SNMP response may show incomplete values. |
PRJ-23122, |
Endpoint Security |
NEW: Added an option to configure email alert for Endpoint High Availability synchronization issues.
|
PRJ-22511, |
Endpoint Security |
In rare scenarios, the Endpoint server fails to start after uninstalling Jumbo Hotfix. |
PRJ-24340, |
Endpoint Security |
In some scenarios, device duplications appear in SmartEndpoint. |
PRJ-24279, |
Endpoint Security |
In some scenarios, the "Included Blades" tab in the SmartEndpoint Package repository for Dynamic Package is empty. |
PRJ-23055, |
Endpoint Security |
In some scenarios, Compliance status shows "Status information is missing" in SmartEndpoint for all computers although the Blade is installed and running. |
PRJ-25251, |
Endpoint Security |
In some scenarios, the Policy server fails to synchronize with Endpoint primary Management after installing a hotfix for local E1 signature updates. |
PRJ-23133 |
IoT |
NEW: Added new features:
|
PRJ-25721 |
IoT |
UPDATE: If the recommended-policy includes some illegal rules, an IoT layer will be created with the legal rules only and the user will be notified with a warning about the illegal ones. |
PRJ-20922, |
QoS |
Security gateway may crash in QoS flow when interface goes down and up during packet processing. |
PRJ-22800, |
HCP |
Added Update 1 of HealthCheck Point (HCP) Release. Refer to sk171436. |
Take 29 Released on 24 May 2021 and declared as Recommended on 29 Jun 2021 |
||
PRJ-26320, |
Logging |
After installing R81 Jumbo Hotfix Take 25 or higher, when running a Logs Query after 12:00 pm, all logs of the first half of the day are not shown in the Logs View. This issue occurs only on the same day of Jumbo Hotfix installation and is cosmetic only (all logs are indexed correctly). |
PRJ-25524 |
Security Gateway |
In some scenarios, "dst_release: dst:ffff88052d4c68c0 refcnt:-480" messages may be printed in dmesg regarding HTTPS traffic when SSL Inspection Blade is enabled. |
Take 27 Released on 26 April 2021 |
||
PRJ-24974, |
Security Management |
In environments that use Data Type Group objects, the Management server may fail to start after installing Jumbo Hotfix Take 23. See the Important Notes section. |
PRJ-24913, |
Security Management |
"Unauthorized client" error on login failure from an IP address that is not explicitly defined in the Trusted Clients list. Refer to sk173026. |
Take 25 Released on 08 April 2021 |
||
PRJ-21007, |
Security Management |
NEW: Improved FWM process performance during Security policy or database installation. |
PRJ-22314, |
Security Management |
NEW: Performance improvement of Management High Availability Full Sync. |
PRJ-18428, |
Security Management |
UPDATE: In High Availability environment, Assign and Reassign Global Policy actions are not supported for a Domain if the active Domain Server for this Domain is a Security Management device. The assignment will be performed after change-over to the primary Domain Server. |
PRJ-21873, |
Security Management |
UPDATE: Added Update 8 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109. |
PRJ-21239, |
Security Management |
In some scenarios, the log file of PostgreSQL (postgres.elg) may become very large. |
PRJ-23500, |
Security Management |
In some scenarios, verification errors regarding conflict of rules may be missing if the policy installation is accelerated and the target is a cluster. |
PRJ-20805, |
Security Management |
In some scenarios, delete partial domain with createDomainRecovery.sh script fails when there are several RadiusGroup objects with the same name in different domains. |
PRJ-21704, |
Security Management |
In large environments with High Availability, synchronization and upgrade may fail due to very large database size. |
PRJ-22519, |
Security Management |
Policy Installation may fail with "Error code: 0-2-2000245" message when using IPv6. |
PRJ-20128, |
Security Management |
Data Center objects defined in NAT and HTTPS Inspection rulebases may not be enforced correctly after policy installation that was accelerated. |
PRJ-21417, |
Security Management |
In rare scenarios, the initiation of the Management server may take a long time. |
PRJ-20305, |
Security Management |
In some scenarios, deleting a Domain Server may fail with "Got at least one duplicate UID in requested list" error. |
PRJ-21360, |
Security Management |
In some scenarios, the Purge Revisions task may stop and show 0% for hours or fail with the "An error has occurred while performing revision purge operation" message in SmartConsole. |
PRJ-17790, |
Security Management |
In some scenarios, policy verification for static NAT rules succeeds even though the source subnet NAT is bigger than the destination subnet NAT. |
PRJ-20888, |
Security Management |
In some scenarios, when connecting to an existing session in SmartConsole from a different IP address, a wrong "Client IP" is shown in Audit Logs view. |
PRJ-21587, |
Security Management |
In rare cases, the CPM Solr process may not be stopped when running cpstop or mdsstop. |
PRJ-20766, |
Security Management |
High load may occur on the Management Server when searching for a prefix of IP address that has more than 10 thousand matches. |
PRJ-21185, |
Security Management |
In rare scenarios, logout from a session fails with "An internal error has occurred" message. |
PRJ-19720, |
Multi-Domain Management |
The Multi-Domain session APIs "view sessions" and "show last-published-session" results may include sessions that were not filtered according to the administrator's permissions profile.
|
PRJ-21913, |
Multi-Domain Management |
In some scenarios, installation of Jumbo Hotfix on Multi-Domain Server may fail after running restore from backup. |
PRJ-21081, |
Multi-Domain Management |
In some scenarios, HA Full Sync on the System Domain fails after upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059. |
PRJ-21344, |
Multi-Domain Management |
When running many Reassign Global Domain operations for Domains that are not active on the current Multi-Domain Server, the load on the Server may increase and result in slowness of user and automation work. |
PRJ-20952, |
SmartConsole |
After a network interface is removed by cluster API, a network group assigned to that interface remains as used by cluster members and cannot be deleted. |
PRJ-21627, |
SmartConsole |
In Multi-Domain environment with High Availability using Security Management Server, if the Security Management is the active peer for a Domain assigned to the Global Domain, the Policy Package creation may fail. |
PRJ-20241, |
SmartConsole |
When there are no search results, search in Access Control Policy displays "An error occurred while searching" instead of "No Items Found". |
PRJ-19932, |
SmartConsole |
In rare scenarios, the "Show Policy Package" tool and some Management API commands with "details-level full" may fail when UTM cluster is part of the policy targets. |
PRJ-20316, |
SmartConsole |
In some scenarios, the "show gateways-and-servers" Management API command fails when running it with "details-level full" and when connected to the Global Domain. Refer to sk170895. |
PRJ-19142, |
SmartConsole |
In some scenarios, the "add-user" API command with authentication method TACACS+ or Radius server fails with "object not found" message. Refer to sk170325. |
PRJ-18923, |
SmartConsole |
In some scenarios, the "show-access-rulebase" Management API command fails when running it with details-level "full" and there is a network group with more than 50000 objects on one of the rules. Refer to sk170435. |
PRJ-21160, |
SmartConsole |
If there is an HTTPS Inspection layer that is not used in the policy, policy installation may fail with the "Internal error" message. |
PRJ-21624, |
SmartConsole |
In some scenarios, FWM process logs show Provisioning/LSM activity even though LSM is not in use. Refer to sk171905. |
PRJ-21390, |
SmartConsole |
Slowness may be observed in some SmartProvisioning operations (like open SmartProvisioning GUI, create a new LSM object, open an LSM object editor, etc.). |
PRJ-22223, |
SmartConsole |
In some scenarios, a validation warning may appear on an updatable object with the following message: "Object is no longer supported. Enforcing security for this object is not possible." However, the object is still available in the updatable objects picker. |
PRJ-22050, |
SmartConsole |
In some scenarios, the Hit count information in the Access Policy rulebase is not shown correctly. |
PRJ-20776, |
Compliance |
In some scenarios, an incorrect Compliance status for Gaia OS Best Practices is displayed. |
PRJ-19303, |
Compliance |
Compliance Blade may not scan inline layers for Application Control and URL Filtering best practices. |
PRJ-22825, |
Logging |
NEW: Log Server now supports up to 4 billion logs per day in Index mode (previously it stopped indexing with a limit of 2 billion logs). |
PRJ-21380, |
Logging |
In some scenarios, in Multi-Domain servers with many domains, the Solr process for logs may unexpectedly exit. |
PRJ-19011, |
Logging |
In a rare scenario, CPD process may use a random port for AMON communication instead of port 18196. |
PRJ-24068, |
Logging |
In Smart-1 6000-L and 6000-XL, drill down to a log card from the Logs view does not bring results. |
PRJ-20587, |
Mobile Access |
Removed potential XSS vulnerability in the MAB Login page. |
PRJ-21112, |
Security Gateway |
Authentication may fail when LDAP branch name contains "\". |
PRJ-18980, |
Security Gateway |
In some scenarios, PPTP or GRE traffic may be dropped. Refer to sk170293. |
PRJ-19801, |
Security Gateway |
Improved the policy enforcement of the ZIP archive inner files. |
PRJ-21613, |
Security Gateway |
Security Gateway may crash when "Categorize HTTPS Websites" feature is enabled and categorization mode is set to "Hold". |
PRJ-20341, |
Security Gateway |
In rare scenarios, passive FTP packets may be dropped. |
PRJ-21200, |
Security Gateway |
The VMCore file may be created during reboot after the upgrade procedure. |
PRJ-22082, |
Internal CA |
In a rare scenario, "This operation is not supported on STANDBY members" message is displayed and the cpca_client process unexpectedly exits when trying to renew a certificate on a standby Domain. |
PRJ-21727, |
Content Awareness |
In a rare scenario, Security Gateway may crash when CPcode is running within Content Awareness or parser flow. |
PRJ-20848, |
Identity Awareness |
In some scenarios, running pdpd commands results in "daemon did not respond or not running!" error. Refer to sk171136. |
PRJ-22016, |
Identity Awareness |
Added optimization for PDP when handling Terminal servers Multi-User Host Agent (MUH). |
PRJ-20349, |
IPS |
In rare scenario, the SmartConsole shows the "IPS is not responding" message even though IPS is functioning normally. |
PRJ-17883, |
Anti-Virus |
UPDATE: Improved Anti-Virus buffer allocation to reduce stack size. |
PRJ-20839, |
DLP |
Improved DLP scanning for POST request to some Web sites. |
PRJ-21711, |
SSL Inspection |
In rare scenarios, a memory leak may occur in a crypto module. |
PRJ-20977, |
Anti-Malware |
In rare scenarios, the Threat Prevention policy installation fails due to IoC parsing errors. Refer to sk171316. |
PRJ-18958, |
ClusterXL |
When MDPS is configured, the output of "cphaprob syncstat" may show unreadable characters for the speed of the sync interface. |
PRJ-19665, |
SecureXL |
In some scenarios, connections are dropped when SYN Defender and ISN Defender are both enabled on the same interface. |
PRJ-20547, |
SecureXL |
Security Gateway may crash when there are interfaces that do not need the ARP resolution (VTI). |
PRJ-18663 |
Routing |
UPDATE: Added support for Check Point Active Streaming (CPAS), Policy-Based Routing (PBR), and Application-Based Routing (ABR) on the Security Gateway. Refer to sk167135. |
PRJ-22489 |
Gaia OS |
NEW: Added support for Smart-1 6000-L/XL appliances. Refer to sk171903. |
PRJ-23358, |
Gaia OS |
UPDATE: Upgraded OpenSSL to 1.1.1k to fix CVE-2021-3449 and add the latest security improvements. Refer to sk172983. |
PRJ-20733, |
Gaia OS |
CVE-2020-25705: ICMP reply rate. |
PRJ-21721 |
Gaia OS |
The "show configuration" command cannot print Gaia user with spaces in name. |
PRJ-21827, |
Gaia OS |
In some scenarios, the "rhost" value may be missing from logs when the user tries to access the WebUI. |
PRJ-18852, |
Gaia OS |
In some scenarios, the "show arp dynamic all" command displays values of VS0 instead of VS. |
PRJ-20286, |
Gaia OS |
Messages log level in /var/log/messages file for ERR level was changed to INFO level when fetching proxy configuration from Clish/WebUI/Gaia API. |
PRJ-19975, |
Gaia OS |
In some scenarios, bond interface bandwidth monitored via SNMP is missing. |
PRJ-17684, |
Gaia OS |
When upgrading with enabled Management Data Plane Separation (MDPS), an additional reboot may be required. |
PRJ-18941, |
Gaia OS |
In some scenarios, the "... fwldbcast_handle_retrans_request: Updated bchosts_mask to 1" message may be printed in /var/log/messages file. |
PRJ-21667, |
Gaia OS |
In some scenarios, policy installation on a Check Point Gateway in Azure causes the Gateway to crash and load a default policy. Refer to sk171553. |
PRJ-21261, |
VSX |
Allow the addition of routes with specific group of type "Group with Exclusion" when using VSX Provisioning tool. |
PRJ-20965, |
VSX |
After running "vsx_util vsls" and selecting option #6, the operation may fail with the "Internal Error: got empty reply set" error. Refer to sk171352. |
PRJ-13302, |
VPN |
NEW: Added 3 new views to SmartView for Remote Access, providing visibility for Remote Access users, users login summary, failed login attempts, used clients, top login options, number of users, operating systems, authentication methods and login activity. |
PRJ-17616, |
VPN |
UPDATE: Added:
|
PRJ-19217, |
VPN |
Site to Site VPN fails to establish with IKEv2 on GCP when NAT-t is enabled. |
PRJ-21544, |
VPN |
Added VPN Remote Access stability improvement. |
PRJ-22219, |
VPN |
When static NAT is configured on a destination, the SCV may fail to access the internal resources and "No scv status from client..." drops appear in SmartConsole. Refer to sk171550. |
PRJ-19905, |
VPN |
Mobile Access SNX may fail to connect to the Security gateway when the realm used by the client is different for the SSL VPN realm. |
PRJ-21235, |
Endpoint Security |
NEW: Added Application Control and Developer Protection support in Endpoint Web Management. |
PRJ-21750, |
Endpoint Security |
On the SmartEndpoint Reporting page, the "Endpoint Connectivity" report that is filtered by a virtual group returns an empty list. |
PRJ-21915, |
Endpoint Security |
In some scenarios, the "Endpoint Security Client Version" report shows "N/A" in DAT Date column for all devices on the SmartEndpoint Reporting page. |
PRJ-21106, |
Endpoint Security |
Adding devices to virtual group using the epmcommands tool may fail. |
PRJ-19313, |
CloudGuard Network |
When creating a GCP Data Center, Test Connection may fail on large GCP accounts. |
PRJ-23944, |
Maestro VSX |
"dxl stat" and "dxl calc" commands may fail on non-VS0 context with the "failed to retrieve dxl information" error. |
Take 23 Released on 25 March 2021 and declared as Recommended on 5 Apr 2021 |
||
PRJ-23912, |
Security Management |
Accelerated Policy installation may fail with the "Error Code: 2000232" message if this policy contains changed services. Refer to sk172484. |
PRJ-23583, |
Endpoint Security |
Endpoint Security Clients may disconnect after installing R81 Jumbo Hotfix on a Management that was upgraded from the previous versions. Refer to sk172485. |
Take 17 Released on 01 March 2021 |
||
PRJ-22324, |
Security Management |
Accelerated Policy installation may fail when a Custom Application is used in Access Control policy, URL Filtering Blade is enabled and Application Control Blade is disabled on the selected gateway. |
PRJ-22277, |
Multi-Domain Management |
In some scenarios, updating a Domain Server may fail with the "<IP> already in use" message. Refer to sk171916. |
PRJ-20150, |
VSX |
In rare scenarios, some interfaces remain in "Down" state after reboot. |
Take 13 Released on 08 February 2021 |
||
PRJ-19946, |
Security Management |
NEW: Added new Management HA utility to schedule automatic full syncs to peers that failed to be synchronized incrementally. |
PRJ-18434, |
Security Management |
NEW: The upgrade process is being monitored dynamically and will be stopped if it cannot be completed, not basing on a timeout. |
PRJ-19545, |
Security Management |
UPDATE: Added Update 6 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109. |
PRJ-20165, |
Security Management |
UPDATE: Added Update 7 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109. |
PRJ-19972, |
Security Management |
UPDATE: If a Management HA synchronization stalls (displaying "Peer is busy"), it will be released within 2 hours instead of 24 hours. |
PRJ-20032, |
Security Management |
UPDATE: When purging revisions, task notifications will also be purged if created before the last revision to purge was published. |
PRJ-20001, |
Security Management |
UPDATE: Added improvements in policy load process, to reduce the policy installation time when having large amount of objects. |
PRJ-22105, |
Security Management |
In some scenarios, the installation time of Jumbo Hotfix Take 11 on the Management Server may take up to several hours. |
PRJ-18253, |
Security Management |
When logging into SmartConsole directly to a Domain using RADIUS or TACACS, the Authentication method in the audit log may show as "Internal Password". Refer to sk168716. |
PRJ-17693, |
Security Management |
In some scenarios, HA temporary sub-directories in $FWDIR/tmp are not deleted if sync fails. Refer to sk170972. |
PRJ-18289, |
Security Management |
In rare scenarios, the CPU and memory usage of CPM process may be abnormally high. Refer to sk170672. |
PRJ-18266, |
Security Management |
'Revert to Revision' tasks cannot be cleared from tasks pane in SmartConsole. |
PRJ-19105, |
Security Management |
In some scenarios, Management HA change-over to Security Management Server Backup fails with the "Failed to communicate with the peer" message. |
PRJ-20564, |
Security Management |
In some scenarios, policy installation on LSM Gaia cluster profile fails with "Policy installation had failed due to an internal error" message. |
PRJ-17563, |
Security Management |
In some scenarios, reassigning a Global Policy may fail if the Global and local domains are not active on the same Multi-Domain Server. |
PRJ-17729, |
Security Management |
Upgrade may fail if a Data Center object was last modified by an Administrator with a single quote in the name. |
PRJ-19274, |
Security Management |
Policy installation duration may increase due to large $FWDIR/conf/invalid_object_names.C file on the Management server. Refer to sk170427. |
PRJ-18476, |
Security Management |
In some scenarios, the first environment variable configured using sk165938 is not loaded and not used by the CPM process. |
PRJ-19571, |
Security Management |
In rare scenarios, on a Multi-Domain Server where Domains are using a Security Management Server configured for High Availability, initial configuration of the Security Management Server may fail with "Failed to reach peer after restart" error. |
PRJ-20135, |
Security Management |
In a rare scenario, the FWM process unexpectedly exits. |
PRJ-19950, |
Security Management |
The Management HA window in SmartConsole may mistakenly show the "Peer is busy" warning message for a few seconds. |
PRJ-19589, |
Multi-Domain Management |
UPDATE: With this fix, mds_backup will backup the Upgrade Tools package(s) and mds_restore will restore them on a Multi-Domain Server. |
PRJ-19648, |
Multi-Domain Management |
In rare scenarios, a Domain is shown in the Domains view without any Domain Server or a Domain is shown with Domain Server that was deleted and does not exist anymore. Refer to sk170556. |
PRJ-19278, |
Multi-Domain Management |
In rare scenarios, Management server becomes inaccessible after Global Policy reassign operation. |
PRJ-18994, |
Multi-Domain Management |
The "cplic db_print -all -x" command fails when running on the MDS level. |
PRJ-19321, |
SmartConsole |
NEW: Added support for Python 3 in Management API scripts. |
PRJ-20248, |
SmartConsole |
UPDATE: A pop-up warning will be displayed every time a "Custom Application" object with a performance impacting URL is edited (instead of being displayed only once). |
PRJ-18466, |
SmartConsole |
In some scenarios, Staging mode IPS protections activation in the Local Domain does not match the activation in the Global Domain after a Global Threat Prevention policy assignment. Refer to sk170322. |
PRJ-18338, |
SmartConsole |
When using the "set simple-cluster" Management API command to update a user defined security zone, the "Specify security zone" checkbox in SmartConsole is not selected. |
PRJ-19323, |
SmartConsole |
In some scenarios, the api.csv file may show extra empty columns. |
PRJ-19203, |
SmartConsole |
In some scenarios, when using the "set simple-gateway" API command with "logs-settings.forward-logs-to-log-server", it fails with "Generic server error". Refer to sk170352. |
PRJ-19535, |
SmartConsole |
In some scenarios, when adding a new user certificate of type .p12 via API command, the returned certificate may be incorrect. |
PRJ-18960, |
SmartConsole |
In a VPN Community with MEP configuration, the OK operation may fail with the "Update operation failed" message. |
PRJ-20787, |
SmartConsole |
When the user creates an Access Role, the AD organization tree may show duplicate branches, and some branches may be missing. |
PRJ-20381, |
SmartConsole |
Adding Global dynamic objects to source or destination columns of access rules on the Global Domain via Management API may fail when using the Global dynamic object names. |
PRJ-20911, |
SmartConsole |
In some scenarios, deleting a policy fails. |
PRJ-18550, |
SmartConsole |
In a community with Cluster VSX member, the Granular encryption window may not open and show "Unable to load page". |
PRJ-18309, |
SmartProvisioning |
NEW: Added support for Threat Emulation Blade on LSM profile of R81 SMB gateways and clusters.
|
PRJ-18000, |
Logging |
NEW:
|
PRJ-19451 |
Logging |
UPDATE: Log Exporter read mode default was changed to Semi-unified instead of Raw mode. |
PRJ-18099, |
Logging |
In rare scenarios, a log may display incorrect values in the Action and Rule field. Refer to sk170676. |
PRJ-21078 |
Logging |
In rare scenarios, the FWD process on the Security gateway may be blocked for several seconds due to processing of log attachments. |
PRJ-18405, |
Logging |
The FWM and\or LOG_INDEXER processes may repeatedly stop when there are more than ~500K network objects declared. Refer to sk164452. |
PRJ-19819, |
Logging |
In rare scenarios, the LOG_INDEXER process may unexpectedly exit when reading a specific log format. Refer to sk116117. |
PRJ-19846, |
SmartView |
UPDATE: Improved the time resolutions usability (formally known as samples) of the Timeline widgets. |
PRJ-20875, |
SmartView |
UPDATE: To improve performance, SmartView now exports data in CSV format instead of Excel. |
PRJ-20795, |
Security Gateway |
UPDATE: Service with source port in the Access Rulebase will no longer disable accept templates for all connections. |
PRJ-19066, |
Security Gateway |
In rare scenarios, Security Gateway memory consumption may increase. |
PRJ-18982, |
Security Gateway |
In rare scenarios, Security Gateway may crash with USFW fwk core file. |
PRJ-19802, |
Security Gateway |
Connectivity issues may appear due to missing proxy ARP entries on the Security Gateway. |
PRJ-19813, |
Security Gateway |
In some scenarios, duplicate verification message is displayed when installing NAT policy on Security Gateways R80.40 and lower. |
PRJ-20362, |
Security Gateway |
In some scenarios, DHCP traffic may be dropped after installing an accelerated policy. |
PRJ-19705, |
Security Gateway |
In rare scenarios, a memory leak may occur in TOPOD process. |
PRJ-20386, |
Security Gateway |
In a rare scenario, Access Control policy installation may fail after upgrade of Security Gateway from R80.10 or below to R80.20 or higher. |
PRJ-20633, |
Security Gateway |
In rare scenarios, high memory consumption in CPD may occur due to a memory leak in authentication flow with an LDAP server. |
PRJ-19586, |
Security Gateway |
In some scenarios, "email_unified_cmi_get_attribs: not valid caller: up_log_get_user_hash" error appears in dmesg for SMTP traffic. |
PRJ-20516, |
Security Gateway |
In some scenarios, when using routing separation, connection to Management Plane via Data Plane is dropped. |
PRJ-19852, |
Security Gateway |
In some scenarios, a memory leak may occur after sending a packet from the kernel. |
PRJ-20937, |
Security Gateway |
In a rare scenario, policy installation may fail on timeout and "fw amw fetch" process is still running on the Security gateway. |
PRJ-18488, |
Security Gateway |
In some scenarios, repeating "fwx_alloc_global_find_free_port_atomic: rtsp pending port doesn't match the same pool" errors are displayed in dmesg when using Hide NAT with VoIP. |
PRJ-20656, |
Security Gateway |
Accept logs with reason "Connection terminated before detection: Insufficient data passed. To learn more see sk113479." may be wrongly generated when the matched action is user authentication and wrong username/password provided by user. |
PRJ-20901, |
Security Gateway |
In some scenarios, the DNS requests from the Security gateway may fail. |
PRJ-18631, |
Security Gateway |
Wrong memory (hmem) values may be reported by specific SNMP OID. Refer to sk168992. |
PRJ-19958, |
Security Gateway |
Half-closed accelerated TCP connections may take too long time to expire. |
PRJ-19942, |
Security Gateway |
In some scenarios, policy installation fails with "Error code 1-2000245". |
PRJ-18316, |
Security Gateway |
In rare scenarios, a memory leak may occur on Security Gateway in gconn table. |
PRJ-19162, |
Threat Extraction |
UPDATE: Threat Extraction will no longer attempt to perform "Convert to PDF" if the file is corrupted, because the resulting files in these cases are usually unreadable. |
PRJ-19194, |
Threat Extraction |
UPDATE: Threat Extraction ( Sanitization) will be automatically disabled when Infinity Threat Prevention mode is installed while the machine does not have enough resources (RAM). |
PRJ-18248, |
Identity Awareness |
NEW: Added Identity Sharing's performance and functionality improvements. Refer to sk170516. |
PRJ-19640, |
Identity Awareness |
In some scenarios, when a standby cluster member receives RADIUS accounting updates, there may be high CPU on the PDP process. |
PRJ-20863, |
Identity Awareness |
In some scenarios, there may be enforcement issues for MUHv2 users due to table mismatch. |
PRJ-18181, |
URL Filtering |
In some scenarios, the WSTLSD process may unexpectedly exit and produce a core dump. |
PRJ-19042, |
UserCheck |
In some scenarios, users cannot restore original attachment via UserCheck portal and receive the "An unexpected error has occurred" error message. |
PRJ-20927, |
IPS |
NEW: Added ability to send connection log per application match for ATM transactions identification. The functionality is disabled by default and can be enabled by using the "up_duplicate_connection_log_on_packet_matched_app_enabled" kernel parameter. |
PRJ-19198, |
IPS |
In some scenarios, a non-compliant IMAP traffic is dropped. |
PRJ-19301, |
IPS |
In some scenarios, log output shows the Origin/Source as "0.0.0.0" in VSX 3rd party IPS logs. |
PRJ-19601, |
DLP |
UPDATE: Improved the DLP scans queue for a better scan rate. |
PRJ-19923, |
DLP |
UPDATE: Expanded DLP postfix authentication to include NTLM to allow the Security gateway to connect to a mail servers that use the NTLM authentication protocol. |
PRJ-20097, |
DLP |
UPDATE: Added support for multi-part data to DLP. |
PRJ-20935, |
SSL Inspection |
The AES-NI (Intel Advanced Encryption Standard New Instructions) status is not displayed and "dmesg | grep AES-NI" returns no output. Refer to sk170779. |
PRJ-19435, |
SSL Inspection |
In rare scenarios, the DynamicID Certificate validation may fail. |
PRJ-18843, |
SSL Inspection |
In rare scenarios, a memory leak may occur during policy installation. |
PRJ-21629, |
SSL Inspection |
When IPv6 is enabled, the wstlsd process may consume CPU at a high level after booting in kernel mode causing HTTPS connections to fail for a few minutes until the CPU returns to normal. |
PRJ-17875, |
HTTPS Inspection |
UPDATE: "Categorize HTTPS websites" feature enhancements when "Categorize HTTPS Sites" feature is enabled:
For configuration, refer to sk173633. |
PRJ-19196 |
Threat Prevention |
NEW: Improved the way Threat Prevention distinguishes between .docx, .pptx, .xlsx and .zip files. |
PRJ-18119, |
Anti-Malware |
Exported with ioc_feeds export command indicator feeds may contain user credentials. Refer to sk169035. |
PRJ-19591, |
Anti-Malware |
In rare scenarios, after downloading files, Anti-Virus prevent logs appear with "Strict hold is not possible failure - Write to other side occurred" error message. |
PRJ-17439, |
Anti-Malware |
In some scenarios, users may fail to access a web site with many malicious URLs. |
PRJ-20924, |
Anti-Malware |
In a rare scenario, Security gateway may crash when the Threat Prevention Forensics feature is enabled. |
PRJ-18198, |
Anti-Malware |
In some scenarios, multiple files called "ckp_mutex" are created on the Security Gateway. |
PRJ-19745, |
Anti-Bot |
Dynamic Global Network Object usage inside a Network Group object may cause an Access Policy installation failure. |
PRJ-19205, |
ClusterXL |
UPDATE: Added the option to display only monitored interfaces to "show cluster members <option>" command:
|
PRJ-19926, |
ClusterXL |
In rare scenarios, running cphastop;cphastart may cause a cluster member to stay in "Down" state. |
PRJ-19393, |
ClusterXL |
"set router active-active-mode" settings do not survive a reboot. |
PRJ-20536, |
ClusterXL |
In some scenarios, data connections are dropped with "First packet isn't SYN" message on ClusterXL Load Sharing. |
PRJ-16568, |
SecureXL |
NEW: Added the ability to enable monitor-only mode for penalty box independently of other DOS/Rate limiting features. |
PRJ-18324, |
SecureXL |
UPDATE: Drop templates can be generated for connections with matched action Reject. For additional information and configuration, refer to sk171146. |
PRJ-20056, |
SecureXL |
In rare scenarios, SecureXL may crash due to NULL handling. |
PRJ-18088, |
SecureXL |
SNMP may show wrong values for the number of bytes and packets accepted by Security gateway. Refer to sk170132. |
PRJ-20028, |
SecureXL |
Server may not reuse the TCP connection when the user allows out of state TCP packets. |
PRJ-20051, |
SecureXL |
Memory leak may occur in VPN or Active Streaming configuration. |
PRJ-19407, |
SecureXL |
In some scenarios, Rate Limiting rules for DoS do not work after reboot. Refer to sk170148. |
PRJ-20105, |
Routing |
NEW: Added support for ISP Redundancy on Scalable Platforms Appliances. |
PRJ-19536, |
Routing |
On Scalable Platforms, SSH via MAB may disconnect. |
PRJ-19630, |
Routing |
ip-reachability-detection ping marks a target IP address as "unreachable" if the path goes via a VPN tunnel, although pinging this IP address directly works. |
PRJ-20445, |
Routing |
The old route may be not removed when an BGP ECMP route was changed. |
PRJ-20243, |
Routing |
In rare scenarios, confd or routed process may restart. |
PRJ-19464, |
Routing |
Routed logs may incorrectly state that routemaps that export to OSPF cannot set the OSPF manual tag, even though the functionality works. |
PRJ-18281, |
Routing |
Certain types of multicast traffic may not be handled correctly in Bridge mode. |
PRJ-18665, |
Routing |
PBR does not work with VTI/VPN. |
- |
Gaia OS |
NEW: Added support for 1570R and 1600 / 1800 SMB appliances. |
PRJ-19532, |
Gaia OS |
NEW: Gaia API (version 1.5) will now be deployed via Jumbo Hotfix. |
PRJ-20501, |
Gaia OS |
UPDATE: OpenSSL was updated to version 1.1.1i to include the latest code fixes and security improvements. |
PRJ-20472, |
Gaia OS |
In some scenarios, the Security Gateway attempts to fetch the policy from / send logs to the real IP address of the Management Server (defined in the "General Properties" section of the server object) instead of the server's NAT IP address (defined in the "NAT" section of the server object). Refer to sk171055 to configure the required parameter FORCE_NATTED_IP. |
PRJ-19518, |
Gaia OS |
The syslog messages may be spammed when the "show asset all" command is running. |
PRJ-17720, |
Gaia OS |
In some scenarios, one session disconnection of RADIUS users can cause another session to loose permission when one of the session terminates. |
PRJ-20944, |
Gaia OS |
Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253. |
PRJ-18721, |
Gaia OS |
Bond interface in XOR mode or 802.3AD (LACP) mode may experience suboptimal performance, if on the Bond interface the Transmit Hash Policy is configured to "Layer 3+4" and Multi-Queue is enabled. |
PRJ-18773, |
VPN |
NEW: Added Remote Access VPN performance improvement. |
PRJ-19717, |
VPN |
NEW: Added VPN command line mechanism stability enhancement and VPN improvements in IKEv2. |
VPNS2S-1482 |
VPN |
NEW: Added new display of vpn tu tlist command for DAIP gateway. |
PRJ-19248, |
VPN |
NEW: Added CPDIAG (on/off) for IKE negotiations per community feature. |
PRJ-21123, |
VPN |
Access roles do not recognize Remote Access SNX CLI clients. |
PRJ-19672, |
VPN |
In some scenarios, Remote Access Endpoint client disconnects after roaming from Visitor Mode to NAT-T. |
PRJ-20869, |
VPN |
In some scenarios, the VPND process keeps re-downloading the same CRL, which can cause performance issues. |
PRJ-20523, |
VPN |
In a rare scenario, the FWM process unexpectedly exits when enrolling a certificate using the SCEP protocol. |
PRJ-20276, |
VPN |
In a rare scenario, a memory leak may occur when RASession_util is active. |
PRJ-20949, |
VPN |
In some scenarios, L2TP clients disconnect from the Security gateway after 10 minutes of the connection. |
PRJ-20640, |
VPN |
In some scenarios, the VPND process may unexpectedly exit. |
PRJ-19425, |
VPN |
In some scenarios, the VPND process unexpectedly exits with Segmentation fault. |
PRJ-20334, |
VPN |
Security gateway may crash when you install policy on a MAB gateway and a policy file is corrupted. |
PRJ-20082, |
VPN |
Connectivity issue may appear between Check Point Gateway and 3rd party device in MEP DPD configuration when 3rd party device is defined as Central Gateway in MEP. Relevant error message: "Failed to resolve VPN MEP gateway". |
PRJ-18504, |
VSX |
UPDATE: Added support for VSX SecureXL tabs on CPView. Refer to sk167903. |
PRJ-20567 |
VSX |
IPv6 traffic and multicast IPv4 may not work with Virtual Switch (VSW). |
PRJ-20123, |
VSX |
In VSX environment, Generic Data Center objects are not enforced on the VSX members. |
PRJ-20284, |
VSX |
In some scenarios, SNMP v3 users are not recognized on VSX when SNMP is in VS mode. The "Unknown user name" error message is displayed. Refer to sk170993. |
PRJ-20597, |
VoIP |
VoIP RTP can cause overload on global instance (CoreXL instance 0). |
PRJ-18979, |
VoIP |
SIP parser may cause the wrong RTP dynamic connection to be opened. Refer to sk169373. |
PRJ-18971, |
IoT |
NEW: Added IoT support to Multi-Domain Security Management.
|
PRJ-20905, |
Endpoint Security |
NEW: Added support for new Push Operations - Host Isolation and Host Release from isolation. |
PRJ-20990, |
Endpoint Security |
NEW: Added support for new Push Operation - Remote Uninstall for Endpoint Client. |
PRJ-20394 |
Endpoint Security |
UPDATE: Updated Endpoint Web Docker Image. |
PRJ-19400, |
Endpoint Security |
Attempt to move members from one group to another using Endpoint Server command line operations fails. |
PRJ-20778, |
Endpoint Security |
The "Sent to Client On" column is empty in SmartEndpoint >Reporting > Push Operations even if push operation was completed successfully. |
PRJ-19772 |
Endpoint Security |
Database size may increase exponentially because dynamic packages are packed into exported .tgz using migrate_export. |
PRJ-20639, |
Scalable Platforms |
NEW: Added full support for Gaia Backup. |
PRJ-20895, |
Scalable Platforms |
On Maestro / Scalable Platforms, users may disconnect after several attempts due to bad forwarding in TCPT flow. |
PRJ-20749, |
Maestro |
Gaia scheduled backup fails to run and the /var/log/messages file contains the error "scheduled_backup: SGM isn't SMO, skipping scheduled backup". Refer to sk170925. |
PRJ-20140, |
Maestro |
"Packet Capture was not found" error when clicking the "View Packet Capture" link in the IPS log. |
Take 11 Released on 26 January 2021 |
||
PRJ-21382, |
Security Management |
Accelerated Policy installation may fail when a Custom Application is used in Access Control policy, URL Filtering Blade is enabled and Application Control Blade is disabled on the selected gateway. |
PRJ-18511, |
SmartConsole |
In a rare scenario, automatic NAT rules are not visible in SmartConsole. This may cause policy installation failure. Refer to sk171395. |
Take 10 Released on 14 December 2020 |
||
PRJ-18770, |
Security Management |
NEW: Improved FWM process performance during policy or database installation. |
PRJ-19096, |
Security Management |
Fetch policy on Security gateway may fail after installing Accelerated policy on it. |
PRJ-19137, |
Security Management |
In some scenarios, policy installation may fail with verification errors when the installation is accelerated. |
PRJ-18392, |
Security Management |
In a rare scenario, the FWM process unexpectedly exits. |
PRJ-19085, |
Security Management |
In some scenarios, HA synchronization may fill up the disk space of a standby Management Server. Refer to sk168492. |
PRJ-18493, |
Security Management |
In rare scenarios, a policy installation task may never complete. |
PRJ-18955, |
Security Management |
Policy verification may fail with error "For security gateways R80.40 and higher, rules that use Access Roles can only have "Any Traffic" or "RemoteAccess" in the VPN column" |
PRJ-18818, |
Security Management |
Management HA synchronization between Multi-Domain Management Servers may fail with "Failed to import data" error due to manual or automatic updates of contracts. |
PRJ-18945, |
Security Management |
In rare scenarios, FWM process may unexpectedly exit after a login attempt to the Management server. |
PRJ-18908, |
Multi-Domain Management |
In some scenarios, size of MDS backup file increases after each policy installation. |
PRJ-19072 |
SmartConsole |
NEW: Added ability to view policies, objects and logs from the new Web SmartConsole. Refer to Take 24 sk170314. |
PRJ-16059, |
SmartConsole |
In some scenarios, certain Gateways do not appear in the IPS Core protections list. Refer to sk168474. |
PRJ-18350, |
SmartConsole |
When removing an object from a group using the "groups" field of the object's module in the Ansible collection, the group will not be changed and Ansible will show that no changes are needed. |
PRJ-20142, |
SmartConsole |
Duplicate central licenses may be added to the management database. In some rare scenarios, this may lead to heavy load on the FWM process and prevent login. |
PRJ-18554, |
SmartConsole |
After enabling the Endpoint Policy Management Blade on the Security Management Server, some views on SmartConsole may not load properly and SmartClient may disconnect. |
PRJ-16978, |
SmartConsole |
In some scenarios, some Web APIs fail with "Script stopped running due to severe error!" message when SMB gateway is defined as a policy target. Refer to sk169557. |
PRJ-17644, |
SmartConsole |
When creating a user with Check Point password authentication through the Management API, log in to Mobile Access portal may fail. Refer to sk170412. |
PRJ-15815, |
SmartConsole |
In some scenarios, Management API does not start automatically after restart, although automatic start is enabled. Refer to sk168332. |
PRJ-18383, |
SmartConsole |
In some scenarios, running an action on a ROBO Gateway behind NAT does not work during sync on SMB appliances. |
PRJ-18366, |
SmartConsole |
Enabling Threat Prevention policy may fail with validation errors when the policy's targets include cluster members running a version lower than R80.10. |
PRJ-17483, |
SmartProvisioning |
In some scenarios, when recreating a ROBO object with the same name, the new object receives the previous status. |
PRJ-18953, |
Security Gateway |
In rare scenarios, Security Gateway memory consumption may increase. |
PRJ-18931, |
Security Gateway |
NAT may not work properly when Domain objects are used in the Translated Destination column. |
PRJ-19177, |
Security Gateway |
Connections may be wrongly matched on Domain or Updatable objects used in Security policy. |
PRJ-19004, |
Security Gateway |
In some scenarios, when using routing separation, connection from data plane to management plane is dropped. |
PRJ-18685, |
Security Gateway |
In some scenarios, compilation errors during policy installation are ignored instead of immediately failing the policy. This may cause drops on the Security Gateway. |
PRJ-17806, |
Anti-Malware |
In a rare scenario, Security gateway may crash after a match of the Anti-Bot Blade. |
PRJ-19107, |
Identity Awareness |
NEW: Performance optimization for Identity broker. |
PRJ-18443, |
DLP |
In a rare scenario, "SEC Filings - Draft or Recent" Data Type in DLP is not properly enforced. |
PRJ-18826, |
HTTPS Inspection |
The user may not be able to browse with Chrome when using mixed chain with ECDSA subordinate CA in HTTPS Inspection. Refer to sk170332. |
PRJ-17828, |
SecureXL |
In some scenarios, CPView may show incorrect statistics for VPN encrypted/decrypted packets. |
PRJ-18027, |
Routing |
SNMP queries for bgpPeerFsmEstablishedTime return an incorrect constant value. Refer to sk170074. |
PRJ-18530 |
Gaia OS |
NEW: Added Jumbo Hotfix for Scalable Platforms support. Refer to sk169954. |
PRJ-19156, |
Gaia OS |
NEW: Allow Amazon Web Services (AWS) to modify partitioning via lvm_manager. |
PRJ-18242, |
Gaia OS |
"cphaprob -h" shows wrong explanation for "cphaprob show_bond [<bond_name>]" command. |
PRJ-19331, |
Gaia OS |
In some scenarios, login from data plane context fails (no connectivity to server). |
PRJ-19150, |
Gaia OS |
"Docker0" bridge interface with assigned IP address from class B private pool may appear in the system, causing routing issues. |
PRJ-19051, |
Gaia OS |
In some scenarios, when using routing separation, modifying interface IP address fails. |
PRJ-18068, |
VPN |
NEW: Added Remote Access VPN performance improvements. |
PRJ-19165 |
VPN |
UPDATE: Added support for fetching CRL through proxy in Site to Site VPN configuration. |
PRJ-18535, |
VPN |
In rare scenarios, when a Wire-Mode is configured on a community, it may cause a Security gateway from another community not to accelerate connections in SecureXL. |
PRJ-18167, |
VPN |
In some scenarios, Security Gateway Portals and Remote Access VPN clients show wrong certificate after certificate renewal. Refer to sk131212. |
PRJ-18733, |
VPN |
In some scenarios, userspace cores may appear on Security gateways with enabled AES-GCM-256 and AES-256 VPN encryption. Refer to sk169417. |
PRJ-18313, |
VPN |
"Decryption failed" drop logs may appear under heavy VPN load for accelerated tunnels using SHA 384 or SHA 512 Ciphers. |