List of All Resolved Issues and New Features in R81 Jumbo Hotfix Accumulator

 

Review the Important Notes section before installing a new Take.

 

This version will reach its End of Support on October 31, 2024.

ID

Product

Description

Take 99

Published on 05 June 2024 and declared as Recommended on 16 June 2024

Take 99 - New Functionality

 

PRJ-50102,
PRHF-30325

Diagnostics

NEW: Added SecureXL SYN Defender metrics to Skyline. Refer to the Skyline Metrics Repository.

PRJ-51032

Security Management

NEW: Added ability for R81 Security Management or Multi-Domain Server to manage 19000 and 29000 Check Point appliances.

  • Requires R81 SmartConsole Build 568 (or higher).

PRJ-51434,
PMTR-98141

SSL Inspection

NEW: Added ability to import PKCS#12 files using AES-256-CBC encryption with PBKDF2-HMAC-SHA-256. This enhancement is designed for use in multi-portal environments and HTTPS Inspection scenarios.

PRJ-49831,
ACCESS-799

Application Control

NEW: Added ability to drop the traffic of specific UDP applications per packet. For example, the Security Gateway can now drop the specific commands and allow the other commands of the BACNet Protocol.

This ability is enabled by default.

  • To disable this ability, run: "fw ctl set int appi_drop_packet_enabled 0".

  • To enable this ability, run: "fw ctl set int appi_drop_packet_enabled 1".

PRJ-47017,
CRYPTOIS-2878

VPN

NEW: Added support for a new tool (shell script) on a Management Server that can show and renew IKE certificates for VPN, Multi-Portal, and Identity Broker on all managed Security Gateways and VSX Virtual Systems. Refer to sk182070.

PRJ-48080,
PRHF-29774

CloudGuard Network

NEW: Added support for Azure Scale sets with Flexible orchestration mode.

Take 99 - Improvements and Resolved Issues

 

PRJ-55494,
PRHF-34269

VPN

CVE-2024-24919 - Quantum Security Gateway Information Disclosure. Refer to sk182336.

PRJ-55469,
PRHF-34219

VPN

UPDATE: Remote Access VPN for local accounts authenticated only with Check Point password created in R80.20 or lower, and not updated after the upgrade to R80.30, is blocked until the password is reset. Refer to sk182336.

PRJ-48778,
SL-8207

Security Management

UPDATE: Added validation for new permissions for configuring a script to run on the Security Gateway from Gateway object > Logs Alerts/Storage > Run the following script before deleting old files.

PRJ-52446,
PRHF-31852

Security Management

UPDATE: Added an ability to configure the schedule for Compliance blade scans. This should prevent login issues during the scans. Refer to sk182033.

PRJ-49172,
PRHF-30294

Security Management

UPDATE: Added verification for policy deletion. If the policy is installed on the Security Gateway, the "delete-package" Management API command now fails with "Policy X is installed on 1 or more gateways.". Refer to sk181877.

PRJ-48094,

PMTR-77299

CPView

UPDATE: CPView now shows statistical data also for servers with 256/512 CPU cores.

PRJ-51123,
PRHF-31302

Security Gateway

UPDATE: Added ability to increase the instance processing queue size, by modifying the kernel parameter "fwmultik_pending_queue_len_limit" (the default value is "2000"). Refer to sk181921.

PRJ-50427,

PMTR-96484

Security Gateway

UPDATE: During certificate validation, the Security Gateway now retrieves the Certificate Revocation List (CRL) from all CRL distribution points (CDP) listed in certificate extensions.

PRJ-46319,
PMTR-92164

Security Gateway

UPDATE: When changes are made to updatable objects within a policy and a missing or corrupted package is detected, the policy installation will fail, resulting in the generation of a log.

PRJ-50739,

PRHF-30794

Security Gateway

UPDATE: Added an ability to configure objects for the HTTPS Inspection CA using labels.

  • There are now handle-based and label-based configurations.

  • Hardware Security Module in High Availability mode (HSM HA) now supports only the label-based configuration.

PRJ-50498,
IDA-5167

Identity Awareness

UPDATE: The identity synchronization from Policy Decision Point (PDP) to Smart-Pull Policy Enforcement Point (PEP) client now takes several seconds instead of a few minutes, especially beneficial in environments with a single PDP Security Gateway sharing to multiple PEP Security Gateways.

PRJ-48175,
PMTR-95781

Mobile Access

UPDATE: jQuery UI is upgraded to version 1.13.2. Resolved CVE-2021-41184.

PRJ-43432,
PRHF-26673

SecureXL

UPDATE: It is now possible to add exceptions to external IoC feeds.

PRJ-46624,
PMTR-87439

VPN

UPDATE: The "Server Authentication" attribute within the "Extended Key Usage" field is now included by default in IKE certificates generated by the Security Management Server.

PRJ-43881,
PMTR-86708

VSX

UPDATE: The "IPv6 autoconfig" parameter is now disabled by default on VSX.

PRJ-50872,
PMTR-97129

Gaia OS

UPDATE: Upgraded OpenSSL from 1.1.1u to 1.1.1w to include the latest security improvements.

PRJ-48009,
PRHF-29711

Gaia OS

UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0" which was previously limited to +-4450 entries, now increases dynamically.

PRJ-50788,
PMTR-97169

Harmony Endpoint

UPDATE: Posture Management (Vulnerability & Patch Management) is now supported.

PRJ-50319,
PMTR-95965

CloudGuard Network

UPDATE: Updated the Jetty open source library from the 9.3.6.v20151106 version to 9.4.52.v20230823.

PRJ-52861,
PMTR-100872

CloudGuard Network

UPDATE: Added support for Data Centers in AWS ca-west-1 Calgary region.

PRJ-52626,

PRJ-53584,

PRJ-54097,

PRJ-54457,

ODU-1731,

ODU-1667,

ODU-1571,

ODU-1392

Automatic Updates - Web SmartConsole

UPDATE: New features and improvements are released in Take 94, Take 97, Take 100 and Take 102 via self-updatable package. Refer to sk170314.

PRJ-52818,
ODU-1491

Automatic Updates - CPView

UPDATE: Added Take 34 of CPviewExporter Release Updates. Refer to sk180521.

PRJ-52594,

PRJ-54686,

ODU-1707,
ODU-1499

Automatic Updates - CPView

UPDATE: Added Take 77 and Take 93 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-52040,
ODU-1201

Automatic Updates - Threat Extraction

UPDATE: Added Update 5 of Threat Extraction Engine. Refer to sk165832.

PRJ-51509,

PRJ-52585,

PRJ-53539,

ODU-1476,

ODU-1460,

ODU-1248

Automatic Updates - Threat Prevention

UPDATE: Added Update 22, Update 23 and Update 24 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-52694,
ODU-1408

Automatic Updates - Smart-1 Cloud

UPDATE: Added Update 7 of Quantum Smart-1 Cloud. Refer to sk166056.

PRJ-52865,

PRJ-53686,

PRJ-54175,

ODU-1595,

ODU-1531,

ODU-1659

Automatic Updates - HCP

UPDATE: Added Update 15, Update 16 and Update 17 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-53395,

PRJ-53680,

PRJ-54171,

ODU-1611,

ODU-1563,

ODU-1683

Automatic Updates - CPSDC

UPDATE: Added Take 31, Take 33 and Take 34 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-50750,

PMTR-96420

Infrastructure

UPDATE: Added Python 3.11.4.

PRJ-49360,
PRHF-30301

Security Management

There may be synchronization failure and, as a result, corrupted Domain policies on the Multi-Domain Security Server when a newly created local administrator on the backup Security Management Server makes changes to rules or objects, after the Active role is switched to that Security Management Server.

PRJ-41779,
PRHF-25318

Security Management

In some scenarios, SmartConsole may close unexpectedly when clicking the "View Changes" option in the Install Policy view.

PRJ-52344,
PRHF-31814

Security Management

In some scenarios, the PostgreSQL database fully utilizes disk space on the Standby Security Management Server.

PRJ-50371,
PMTR-96089

Security Management

When attempting to load a SNORT Rules file that contains one or more spaces, the import process fails with an ambiguous error message.

PRJ-50017,
PMTR-86613

Security Management

It may not be possible to add/set a Threat Prevention Exception with a protection-or-site UID.

PRJ-53347,
PRHF-32714

Security Management

In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit or not start, creating a core dump file.

PRJ-51203,
PRHF-31334

Security Management

If all revisions were purged on the Security Management Server, the "show packages details-level full" Management API call may fail.

PRJ-51512,
PRHF-31523

Security Management

The revisions purge process may get stuck due to an incomplete purge operation from a previous attempt.

PRJ-52779,
PRHF-32286

Security Management

When using the "set simple-gateway" Management API command to edit interfaces, the operation is only performed on fifty interfaces at a time.

PRJ-52848,
PRHF-32222

Security Management

Login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

PRJ-52017,
PRHF-31622

Security Management

Exporting a policy that contains thousands of rules may fail when the "Hit Count" column is enabled.

PRJ-52913,
PRHF-32334

Security Management

Deleting a Security Gateway object fails if there is a license attached to the Security Gateway and the Security Gateway is physically disconnected.

PRJ-52043,
PRHF-31789

Security Management

In some scenarios, the Security Management Server upgrade to R81.20 fails with "java.lang.String incompatible with com.checkpoint.infrastructure.types.CPUUID" in the upgrade report. The issue occurs during the import of the User Data Domain.

  • The fix requires the upgrade to be done using a Blink image or via the Advanced Upgrade method.

PRJ-51541,
PMTR-98526

Security Management

Enabling automatic updates of Trusted CAs as described in sk173629 may fail.

PRJ-50357,
PRHF-30763

Security Management

In multi-site environments, when using LDAP administrators configured on an external LDAP Server, logging into Domains on different Multi-Domain Security Management Servers in parallel, synchronization may fail with the "failed to import data" status.

PRJ-51072,
PRHF-31280

Security Management

Running a Gaia API command on the Security Gateway through the Management API from the Security Management Server fails when configuring the "target" parameter with either the Security Gateway name or UID.

PRJ-49882,
PRHF-30289

Security Management

Export of the Security Management Server may fail with "Could not find workSession WORKSESSION_UID in worksession's List" message in the upgrade report.

PRJ-49942,
PRHF-30561

Security Management

In environments with many network objects, SmartConsole may freeze while it loads the VPN tab of a Security Gateway object.

PRJ-50591,
PRHF-30931

Security Management

High Availability synchronization runs after every scheduled Application Control update, even if the Application Control is up to date.

PRJ-51594,
PRHF-31532

Security Management

In rare scenarios, Global Policy assignment fails when there are many open Remote CPM Server sessions. Refer to sk181822.

PRJ-51617,
PRHF-31710

Security Management

Deleting a Domain may fail when using the createDomainRecovery.sh script.

PRJ-49665,
PMTR-92847

Security Management

The "set-smart-task" API command fails when enabling the "Send mail to/from" option in SmartTasks.

PRJ-52010,
PRHF-31738

Security Management

In some scenarios, policy installation may fail and the displayed message erroneously refers to sk178886: "One of the updatable objects was downloaded incorrectly (see SK178886". But sk178886 describes a different scenario and does not resolve the issue.

PRJ-52815,
PMTR-100795

Security Management

If there are changes in the HTTPS Policy and Certificates in the session, a "Something went wrong" message appears when opening the Change Report.

PRJ-50765,
PRHF-31101

Security Management

In rare scenarios, during an upgrade or Domain migration, the API readiness test fails if the upgrade failed.

PRJ-48440,
PRHF-30005

Security Management

The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined.

PRJ-52877,

PRJ-52516,

PRHF-32065,

PRHF-32383

Security Management

In rare scenarios, Access policy installation may fail with the "Installation failed. Reason: Failed to load Policy on Security Gateway" or "Operation failed, install/uninstall has been improperly terminated" messages.

PRJ-50997,
PRHF-31180

Security Management

Install Policy Presets may fail after purging all revisions. Refer to sk181652.

PRJ-51675,
PRHF-31606

Security Management

Global Assignment fails with "Locked for editing by another administrator and need to be published or discarded before the operation can take place". Refer to sk181807.

PRJ-52789,
PRHF-32309

Security Management

In rare scenarios, High Availability synchronization fails with "Peer is busy".

PRJ-45021,
PRHF-28126

Security Management

The "show users" Management API command fails if a user is configured to be able to connect on specific days, but the days are not selected.

PRJ-50353,
PRHF-30825

Security Management

SmartConsole may unexpectedly close after policy installation when SmartTasks return invalid characters from a user-defined script.

PRJ-50045,
PRHF-30714

Security Management

In High Availability environments, task progress notifications may get updated only every 5 minutes, even when the task is complete.

PRJ-49951,
PRHF-30373

Security Management

Login to SmartConsole may fail while the Compliance Blade is running a full scan.

PRJ-50185,
PRHF-30766

Security Management

In some scenarios, Access Policy installation fails with "Policy load / verification failed because it required more than the maximum allowed memory of 4GB. Follow sk161874 to improve the performance and prevent excessive memory consumption".

PRJ-50212,
PRHF-30688

Security Management

Packet mode search in SmartConsole may show rules that do not match the query if the query contains four or more filters.

PRJ-49343,
PMTR-95009

Security Management

SmartConsole may unexpectedly close after deleting an object in the Object Explorer view.

PRJ-48914,
PRHF-29502

Security Management

In some scenarios the "show access rulebase" Management API command with "details-level full" can take a significant amount of time to complete or time out after five minutes. Refer to sk181397.

PRJ-51066,
PRHF-31283

Security Management

In a rare scenario, the FWK and CPD processes may exit with core dumps at approximately the same time.

PRJ-49988,
PRHF-30686

Security Management

The "fwm sic_reset" command may fail and generate a core dump.

PRJ-49224,
PRHF-30300

Security Management

In some scenarios, an upgrade of the Security Management Server may fail if the import is running at 12 AM.

  • The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or via the Advanced Upgrade method.

PRJ-50406,

PRHF-30754

Security Management

The Change Report generated before publishing a session, may contain internal system changes that were made by the user.

PRJ-53726,
PMTR-102450

Security Management

Changes Report may allow to list certain directory contents.

PRJ-54093,
PRHF-28962

Security Management

In rare scenarios, policy installation on R77.30 Security Gateway fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

PRJ-41752,
PRHF-25570

Security Management

Some debug messages may appear in the /var/log/messages file, although the debug mode is not activated. The issue is cosmetic only.

PRJ-55500,

PRHF-34248

Security Management

A memory leak may occur in the FWM process which leads to SmartConsole connection failures.

PRJ-52968,

PRHF-29693

Multi-Domain Security Management

The "cprlic get" command output may not provide correct information about vSEC licenses.

PRJ-51270,
PRHF-30806

Multi-Domain Security Management

In Multi-Domain Security Management environments, if there are more than three hundred forty Domains, login to SmartConsole fails.

PRJ-48394,
PRHF-29737

Multi-Domain Security Management

In Multi-Domain Security Management environments, the "show simple-gateway" and "show simple-cluster" Management API commands may fail with "Runtime error: An internal error has occurred"

PRJ-49713,

PRHF-30513,

PRJ-50578,
PRHF-30902

Multi-Domain Security Management

In rare scenarios, in a Multi-Domain Security Management environment:

  • Login to the Management Server may timeout and fail.

  • Publish operation may take a long time.

PRJ-49478,
PRHF-29987

Multi-Domain Management

When viewing Subordinate CA objects in SmartConsole:

  • Users with read-only permissions may receive a "Trusted CA" field as "not initialized" message.

  • The information under "Retrieve CRLs from" in the OPSEC PKI tab is inaccurate.

    • The fix requires installing SmartConsole R81 Build 568 (or higher).

PRJ-46933,
PRHF-28412

SmartConsole

Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status.

PRJ-51425,
PMTR-98332

Web SmartConsole

Login with Web SmartConsole to the Security Management Server may fail if using a trusted client with IPv6.

PRJ-51663,
PMTR-98552

Web SmartConsole

An "Error logging into domain" message is displayed in Web SmartConsole when connecting to a Domain on a peer Multi-Domain Security Management Server. Refer to sk181801.

PRJ-49972,
PMTR-94928

CPView

CPU statistics may be incorrect or missing in CPView. Refer to sk182286.

PRJ-44496,
PMTR-90355

CPView

In rare scenarios, CPView does not handle VS context correctly.

PRJ-48001,
PRHF-29744

CPView

Offload may fail in CPView with "ERROR! Reason not initialized".

PRJ-52602,

PMTR-94461

CPView

In the "cpview -m" command output on the Security Gateway which is an Active Cluster member, "metrics system.network.nat.ports" and "system.network.nat.ports.limit" may not be displayed in the list of available metrics.

PRJ-48804,
SL-8218

Logging

Some attributes in SNMP MIB file may not be accessible.

PRJ-52719,
PRHF-30795

Logging

Administrators without the "run script" permissions can enable or disable the option to run a script on a Security Gateway, using advanced configuration options.

PRJ-46286,
PRHF-27161

Logging

In SmartConsole, in the "Device License Information" view, the "New connection rate" field may indicate "please wait 10 seconds".

PRJ-47314,
PRHF-29126

Logging

When the active log file, for example, the fw.log for the Security Gateway is older than two days, the CPLogFilePrint utility does not print the log records correctly.

PRJ-49388,
PRHF-30398

Logging

In SmartView, incorrect results may be displayed when filtering logs using the "src_machine_name" field.

PRJ-47283,
PRHF-27417

Logging

When using Log Exporter to export logs to Splunk, a log entry in Splunk is split to separate lines if it contains the CRLF characters.

PRJ-48240,
PRHF-29837

Logging

The "source", "destination", "user" and "action" fields are not exported when exporting logs with the "visible columns" option to CSV in the SmartView Web application. Refer to sk181706.

PRJ-47982,
PRHF-29667

Logging

Some Access Rule Base logs may be generated with a wrong interface direction. The issue is cosmetic only.

PRJ-53335,
PMTR-101195

Logging

When the "IP Options drop" tracking Global Properties setting is configured to "Log" and the policy is installed, the Security Gateway drops traffic with disallowed IPv4 options or IPv6 extension headers, but no log is shown in SmartConsole.

PRJ-44589,

PRHF-26975

Logging

In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331.

PRJ-46205,
PRHF-27710

Logging

Security Gateway forwards logs to the real IP address of the Management Server instead of the public (NATed) IP address. Refer to sk181609.

PRJ-52469,
PMTR-98658

Security Gateway

CIFS traffic may cause CPU spikes in the FWK process.

PRJ-51146,
PRHF-31357

Logging

When Identity Awareness blade is enabled, the "Src User Dn" and "Dst User Dn" fields in ICMP Logs are not masked for users without "Identities" permissions. Refer to sk181677.

PRJ-51526,
PRHF-31572

Security Gateway

Sporadic latency while uploading a file when HTTPS Inspection and ICAP client are enabled. Refer to sk181793.

PRJ-51075,
PMTR-94275

Security Gateway

In rare scenarios, a file downloaded via HTTP may be corrupted.

PRJ-52672,

PRHF-32203

Security Gateway

CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944.

PRJ-48320,
PRHF-29953

Security Gateway

The system may not automatically end or interrupt the RAD process if it takes longer than a specified timeout duration.

PRJ-46201,
PRHF-25771

Security Gateway

In rare scenarios, updating the NTP Server may cause a temporary outage.

PRJ-50138,
PRHF-30588

Security Gateway

Accounting info may not be displayed in logs for IPv6 Cluster VRRP environments.

PRJ-47955,
PMTR-93503

Security Gateway

The CPVIEW_API_SERVICE process may exit with a timeout.

PRJ-50601,
PRHF-28340

Security Gateway

In some scenarios, the PDPD process may consume high CPU in the Identity Acquisition flow.

PRJ-51458,
PRHF-31473

Security Gateway

When using three or more ISP DNS proxies in High Availability mode and Load Sharing mode:

  • A DNS query to any ISP returns IP addresses of all three, although it should return only the active ISP.

  • When one ISP is down, the faulty ISP is also returned instead of the newly active.

PRJ-48261,
PMTR-93809

Security Gateway

Notifications of SecureXL connection deletion appear unfiltered in the debug output, also when using a debug filter.

PRJ-52519,

PRHF-31425

Security Gateway

The ICAP Server does not send data for the Threat Prevention blades inspection, after the restart of the TEMAIN process.

PRJ-47670,

PRJ-47666,

PRHF-29516,

PRHF-29535

Security Gateway

When there is fragmented traffic, the /var/log/messages file may be flooded with the "dst_release" entries.

PRJ-51037,

PRHF-31146

Security Gateway

The Security Gateway may crash during policy installation.

PRJ-51944,
PRHF-31780

Security Gateway

In some scenarios, if a rule with a security zone is installed using accelerated install policy, the traffic may stop matching the NAT Rule Base.

PRJ-52794,
PRHF-31617

Security Gateway

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic back to Gaia OS directly out of an interface on a Virtual Router.

PRJ-47208,
PRHF-29194

Security Gateway

When running the tp_collector tool, the FW_FULL process may unexpectedly exit.

PRJ-52362,
ACCHA-2386

Security Gateway

In a VSX environment, the FW_FULL process may exit when running "fw monitor -p all" with the "-v" flag on a specific list of Virtual Systems (VS's) where not all VS's have identical blade configurations enabled.

PRJ-47662,
PRHF-29452

Security Gateway

Incorrect local traffic routing by the Security Gateway causes message flooding in /var/log/messages.

PRJ-51607,
PRHF-31672

Security Gateway

The ICAP Server may fail to initialize.

PRJ-49115,
PRJ-45207

Security Gateway

In rare scenarios, the FWK process may unexpectedly exit when running an outgoing (a local connection) from the Security Gateway.

PRJ-52419,
PMTR-99316

Security Gateway

Incorrect static NAT destination is applied when the original destination in the NAT rule is the Security Gateway object, but the actual destination does not match the main IP address of the Security Gateway object.

PRJ-50658,
PRHF-30938

Security Gateway

The proxy IP address of users surfing HTTP sites may be displayed instead of the real source IP address.

PRJ-52112,
PMTR-98129

Security Gateway

Incorrect CPU statics may be shown in CPView when using Dynamic Split.

PRJ-45692,
PRHF-28403

Security Gateway

The VPND, CVPND, and PDPD processes on the Security Gateway may become non-responsive and cause SAML authentication for Remote Access VPN users to fail.

PRJ-48821,
PRHF-29853

Security Gateway

In some scenarios, a misconfiguration on a DNS Server may lead to exhaustion of ephemeral ports on the Security Gateway.

PRJ-48021,
PMTR-91868

Security Gateway

In some scenarios, when IPS is enabled, CPU spikes may occur.

PRJ-47445,
PRHF-29413

Threat Prevention

When configuring ioc feeds from the management:

  • The "no_ssl_validation" variable may be deleted after the policy installation.

  • Fetching feed fails with the "Peer certificate cannot be authenticated with given CA certificates" reason.

PRJ-50656,
PRHF-30793

Threat Prevention

In rare scenarios, CPU utilization can reach high levels because the Multi-Queue affinity of interfaces that use the "mlx5_core" driver is not configured correctly during the boot process.

PRJ-47458,
PRHF-29514

Threat Prevention

In a rare scenario, there may be an unexpected reboot and a vmcore file generated in /var/log/crash.

PRJ-46903,
PRHF-29115

Threat Prevention

Ioc_feeds changes the username to lowercase, which causes the "401" error. Refer to sk181039.

PRJ-48085,
PMTR-93601

Threat Prevention

An outage may occur when an unsupported SSH cipher is selected.

PRJ-49876,
PRHF-30512

Threat Prevention

Traffic directed towards a host situated behind the Security Gateway is not blocked. For instance, if an IP address listed in the feed sends an ICMP request, it will reach a host behind the Gateway without being blocked. Refer to sk132193.

PRJ-43971,
PRHF-21246

Threat Prevention

When URLF and APPI are disabled in VS0 in VSX setup, automatic updates fail on other Virtual Systems.

PRJ-50050,
PRHF-30177

Threat Prevention

Security Gateway with a large number of CPU cores allocated to CoreXL SND may experience performance issues when an IoC Feed and the "fwaccel dos deny" feature are configured. Refer to sk182223.

PRJ-46442,
PRHF-28775

Threat Prevention

Files that undergo emulation while operating from a corporate location are transformed into PDF format. However, when the same files are accessed through a VPN remote client, they do not get the pdf file extension.

PRJ-49511,
PMTR-94919

Threat Prevention

In a rare scenario, changes in Threat Prevention Custom Intelligence feeds settings may not be applied after policy installation.

PRJ-49007,

PMTR-92233

Threat Prevention

In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update.

PRJ-48428,
PMTR-93558

Threat Prevention

Some connections may be dropped because of an issue in IPS inspection, which can be resolved by installing/fetching a local policy.

PRJ-42869,
PRHF-26332

Threat Prevention

After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot. Refer to sk180225.

PRJ-46595,
PRHF-29036

Threat Extraction

The "scrub send_orig_email <email_id> <recipient>" command fails. Refer to sk180974.

PRJ-55346,

PMTR-104752

Threat Prevention

The "Categorized HTTPS Sites" option does not classify specific websites when "TLS 1.3 hybridized Kyber support" is enabled in the browser. Refer to sk182318.

PRJ-49317

Identity Awareness

There may be high memory consumption by Identity Broker in the synchronization flow.

PRJ-51333,
PRHF-31398

Identity Awareness

When a Multi-User Host is used with Identity Broker, the user session may expire on the PEP side, while still connected on the PDP, causing failure of user-based access.

PRJ-49434,
PMTR-92848

Identity Awareness

In a rare scenario, revoked identity on Broker Publisher is not synchronized with its Broker subscribers.

PRJ-52369,
PRHF-31314

Identity Awareness

After an upgrade, the Security Identifier (SID) for LDAP Users or LDAP Groups that were configured prior to the upgrade may be empty. Refer to sk181946.

PRJ-50512,
PMTR-92204

Identity Awareness

In a Cluster Load Sharing environment or when a single Policy Decision Point (PDP) is shared among multiple Policy Enforcement Points (PEPs), the PDP registers the PEP, but the PEP may not be aware of this registration.

PRJ-52871,
PRHF-32296

Identity Awareness

User/Security Gateway identities may be revoked unexpectedly if an additional update from the AD Query identity source is rejected due to Identity session conciliation.

PRJ-50582,
PRHF-30933

Identity Awareness

During policy installation, users authenticated using the Captive Portal may get disconnected.

PRJ-43455,
PRHF-26010

Application Control

When a policy contains a white list, some packets may not match the listed applications.

PRJ-45134,
PRHF-27966

Identity Awareness

In Multi-User Host setups, some accounts may be identified as service accounts, although they should not be flagged.

PRJ-51421,
PRHF-31468

Identity Awareness

In a rare scenario, an Identity Gateway (PEP) becomes unresponsive while unregistering a network.

PRJ-46757,
PRHF-28441

Identity Awareness

The ida_tables_util tool may fail with the "bad adress" error.

PRJ-47440,
PMTR-92960

Identity Awareness

In a rare scenario, when Identity Broker is configured, a memory leak in the PDPD process may occur during policy installation.

PRJ-45719,
PRHF-27843

Application Control

Policy installation fails when a custom application and user category have the same name.

PRJ-46197,
PMTR-85660

Application Control

CPView and the 'cpstat' command show different Application Control database versions. Refer to sk181186.

PRJ-50803,
PRHF-28437

IPS

There may be excessive "fwconn_chain_is_data_conn failed" messages in the /var/log/messages files when activating the IPS Blade.

PRJ-42479,
PRHF-26320

IPS

Core IPS Protection "Unknown Resource Record" drops valid requests of specific DNS types.

PRJ-49043,
PRHF-30082

DLP

The DLP process may unexpectedly exit during policy installation.

PRJ-53123,
PRHF-32092

Anti-Virus

The DLPU process may frequently exit with a core dump file.

PRJ-49519,
TPP-3592

Anti-Virus

The Anti-Virus Blade may inspect files on an SMB appliance although the "SMB" checkbox is disabled on the matched profile.

PRJ-51181,
PRHF-31305

Anti-Virus

Some file downloads fail with a logged "failure-reject" error because of the Anti-Virus Blade improperly classifying documents, causing inspection failures.

PRJ-52661,
PRJ-52660

Anti-Virus

Some URLs may be blocked by the Anti-Virus blade as malicious, even though the Threat Prevention Rule Base contains an exception rule with a Site/Application object that includes this URL.

PRJ-50527,
PMTR-96396

Anti-Virus

In a rare scenario, the Security Gateway may crash during inspection of file downloads.

PRJ-49296,

PRHF-23253

Anti-Virus

Anti-Virus fails to release held connections after the inspection.

PRJ-49569,
PRHF-29935

Anti-Virus

The Anti-Virus Blade fails to show the UserCheck page for the URLs blocked by Custom Intelligence feeds.

PRJ-49791,
PRHF-30328

SSL Inspection

Policy installation fails on the Security Gateway when using HTTPS Inspection with Hardware Security Module (HSM).

PRJ-45149,
PMTR-83342

SSL Inspection

When HTTPS Inspection is enabled, the Security Gateway generates a log that includes the message "Certificate Chain is not signed by a Trusted CA" when an end-user connects to an HTTP site or a site with an untrusted SSL certificate. But, in some scenarios, the log does not include this text.

PRJ-52046,

PRHF-31811

Mobile Access

SSL Network Extender (SNX) cannot connect after installing Jumbo Hotfix Accumulator. Refer to sk181805.

See the Important Notes section.

PRJ-50115,
PRHF-30245

ClusterXL

In a cluster environment, the Security Gateway may become unresponsive on the Active member, and after a failover the issue occurs on the new Active member also.

PRJ-50868,
PRHF-31176

ClusterXL

The output of the "cphaprob -m -a if" command may show an incorrect high VLAN ID address. This is a cosmetic issue.

PRJ-48412,
PRHF-29594

ClusterXL

In a cluster connected to Smart-1 Cloud, local probing may start on the "maas_tunnel" interface, although it is not monitored by the cluster. Output of the Expert command "cphaprob -i list" or the Gaia Clish command "show cluster members pnotes problem" shows that the Critical Device "Local Probing" reports its state as "problem".

PRJ-52490,

PMTR-99615

ClusterXL

The CXLD process may consume the CPU at 70%-100% on VSX cluster members. Refer to sk181891.

See the Important Notes section.

PRJ-51586,
PRHF-31481

ClusterXL

The Security Gateway may crash during the conversion from VRRP Cluster to ClusterXL Cluster.

PRJ-52729,

PRHF-32237

ClusterXL

When working in ClusterXL mode with MDPS enabled on the cluster nodes, enabling a Cloning Group may get stuck in the "synchronizing" status.

PRJ-52894,
PMTR-100934

ClusterXL

In a rare scenario, after an upgrade, connections between networks may be dropped with the "First Packet isn't SYN" error.

PRJ-44518,
PRHF-23500

SecureXL

Multicast packets received on an interface with PIM disabled can cause multicast packet drops on other interfaces by filling up the kernel routing queue.

PRJ-52804,
PMTR-96017

SecureXL

In some scenarios when Route-based probing is configured, the VSX Security Gateway sends out encrypted traffic with a source IP address of all zeroes through a Virtual Switch interface. This traffic may be dropped by routers, the VPN peer Gateway or other Security Gateways due to the invalid source IP address.

PRJ-50835,
PMTR-96036

SecureXL

There may be a delay in enforcing DOS/Rate Limiting rules to drop packets when concurrent connection limits are exceeded.

PRJ-51620,
PMTR-97796

SecureXL

In some scenarios, fragmented ICMP packets may bypass the DOS/ Rate limiting deny list.

PRJ-49377,
PRHF-30056

SecureXL

Syn Defender may not correctly handle reused connections.

PRJ-52797,
PRHF-31629

SecureXL

The VSX Security Gateway can sometimes fail to add warp interfaces to the SecureXL accelerated interfaces list when including them in a Virtual Router or Virtual Switch.

PRJ-50925,
PMTR-97095

SecureXL

When attempting to route packets to unresponsive hosts, the CPU utilization may be high.

PRJ-52800,
PRHF-31631

SecureXL

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router or Virtual Switch.

PRJ-33122,
PMTR-75021

SecureXL

CPView shows SecureXL drops incorrectly as "0" (zero).

PRJ-51176,
PRHF-31303

SecureXL

The Security Gateway may crash with vmcore during boot while upgrading.

PRJ-48888,
PRHF-29906

SecureXL

The "fwaccel dos rate get -S IP" command fails to connect to the Security Gateway.

PRJ-50545,
PRJ-50419

SecureXL

High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load.

PRJ-50944,
ACCHA-3546,

PRJ-50949,
PMTR-74344,

PRJ-50952,
PRHF-30474,

PRJ-50938,
PMTR-90999

SecureXL

In some scenarios, the VSX Security Gateway may not be able to pass VPN encrypted traffic from one Virtual System to another Virtual System through a Virtual Router/Switch.

PRJ-50942,
ACCHA-3219,

PRJ-50940,
ACCHA-3355,

SecureXL

In some scenarios, the VSX Security Gateway may crash when sending VPN encrypted traffic through a Virtual Router/Switch.

PRJ-49756,
PMTR-95601

SecureXL

Multicast restrictions set in SmartConsole may be bypassed if varying restrictions are configured for different interfaces.

PRJ-51208,

PRHF-31259

SecureXL

In Kernel mode Firewall, traffic passing through the GRE tunnel may not reach the peer.

PRJ-50831,
PMTR-96490

Routing

The "force-if-symmetry" setting in IPv4 static routes fails to mark IP addresses as unreachable, leading to the static route inaccurately remaining active in asymmetric scenarios.

PRJ-49962,
PMTR-95764

Routing

During the processing of PIM Join-Prune messages, the absence of prior ({},G) state prevents the processing of (S,G) joins for the same group, even when present in the message.

PRJ-49235,
PMTR-94838

Routing

When one of the multiple PIM neighbors goes down on the LAN, there may be outages in multicast traffic.

PRJ-51981,
ROUT-2393

Routing

When running a Gaia API request that results in multiple configuration changes, only the first change may be applied initially. The subsequent changes are not enforced until another change triggers re-processing.

PRJ-52652,
PMTR-80016

Routing

A core dump for the ROUTED process is created while changing the Security Gateway PIM configuration from Bootstrap-Candidate to Candidate-RP using the "set pim" command.

PRJ-52650,

PRJ-52657,

PRJ-52654,
PRHF-31818,

PRHF-31977,

PMTR-78961

Routing

Cluster failover may occur when the ROUTED process due to a memory leak unexpectedly exits with a core dump file generated.

PRJ-53567,
PMTR-100631

Routing

In rare scenarios, when a PIM interface or PIM instance stops working, the Security Gateway may crash if trying to access a bogus reference to a PIM neighbor.

PRJ-53055,
PRHF-32078

Routing

In scenarios where numerous BGP peers are configured with the "multihop" option enabled, combined with short "keepalive" settings and a large number of routes being received from each peer, the ROUTED process may experience high CPU utilization.

PRJ-50024,
PRHF-29091

Routing

The traffic may be dropped, because the routes are sent but not installed to the routing table. The issue is related to IS-IS when running on P2P interfaces.

PRJ-52669,
PRHF-32205

Routing

Enabling rfc1583-compatibility via Clish fails with "CLINFR0329 Invalid command:'set ospf instance default rfc1583-compatibility on".

PRJ-51258,
PRHF-31307

Routing

It may not be possible to propagate a newly added static route through OSPF.

PRJ-53052,
ROUT-2968

Routing

BGP peers may experience timeouts when these conditions occur simultaneously:

  • The network has more than 100 BGP peers configured,

  • The routing table contains tens of thousands of routes,

  • BGP tracing is enabled,

  • The BGP timers (such as keepalive and hold timers) are reduced from their default values, making the peers more sensitive to delays or congestion.

PRJ-49216,
PRHF-30327

VPN

Redundant log prints in /var/log/messages may be generated, although they should be printed only when the debug flags are enabled.

PRJ-33775,
PRHF-20660

VPN

The FWK process crashes sporadically, causing impact on traffic due to an issue related to the decryption of fragmented traffic.

PRJ-46260,
PRHF-28718

VPN

The "Encryption Domain Per community" feature overrides the Encryption Domain for other communities. Refer to sk170857.

PRJ-49651,
PRJ-49485

VPN

VPN connectivity may be unstable when IPv6 and VPN star communities are configured.

PRJ-45126,
PMTR-89945

VPN

Back connection does not function on the Statically NATed Office Mode address as expected.

PRJ-49558,
PRHF-30457

VPN

When using the "fw tab" command to view the IKE_SA_table, the output shows a column containing the IP addresses that are not meant to be displayed while the correct IP addresses are not printed.

PRJ-47951,
PMTR-92800

VPN

Establishing an IKEv2 tunnel with Cross AZ Cluster may fail.

PRJ-47590,
PRHF-29596

VPN

In a Site to Site VPN, following an update, the Security Gateway may erroneously transmit an invalid IKE SPI to its peer. Consequently, during the rekey process, the tunnel fails due to the "invalid IKE SPI" error.

PRJ-53365,
PRHF-32706

VPN

VPN IKEv2 negotiation with a third-party peer may fail when the peer offers multiple combined encryption algorithms in one proposal. For example, AWS, by default, offers AES-GCM and AES-GCM-256. The issue triggers an IKE failure log.

PRJ-52947,
PRHF-32461

VPN

When the DAIP Gateway public IP address occasionally changes, the connected Security Gateway fails to update the new IP address and continues responding to the old IP address, causing communication issues.

PRJ-54239,

PMTR-103618

VPN

In a VPN Community with a configuration involving two Security Gateways (a Center Cluster and a Satellite Security Gateway) with IPv6 external and internal interfaces, when attempting to establish a Link Selection Star community between them, the VPN process may unexpectedly exit due to repetitive IKE core crashes on one of the Security Gateways while the other Security Gateway tries to establish a tunnel, resulting in connectivity issues.

PRJ-50311,
PMTR-96307

Multi-Portal

A low-severity security vulnerability may exist when establishing an HTTPS connection to the Security Gateway.

PRJ-48829,
PRHF-29729

VSX

In some scenarios, the VXLAN Driver Kernel may crash.

PRJ-50742,
PRHF-30006

VSX

VSX Gateway / VSX cluster member may crash during policy installation after deleting a virtual interface.

PRJ-50955,
PRHF-30747

VSX

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router.

PRJ-50174,
PRHF-30759

VSX

In some scenarios, installing policy via vsx_util may be stuck.

PRJ-49566,
PRJ-49192

VSX

Corrupted VS affinity configuration may cause excessive "cp_set_process_vs_affinity: Error corrupt affinity file" error messages.

PRJ-51979,
PMTR-97885

VSX

High CPU usage on SND cores when many interfaces are configured. Refer to sk181860.

PRJ-51295,

PMTR-97905

VSX

When adding a new Virtual System, a CPD core dump file may be generated.

PRJ-52722,
PRHF-32115

Gaia OS

The MONITORD daemon causes high CPU after 388 days of uptime. Refer to sk181922.

PRJ-33092,
PMTR-72381

Gaia OS

In some scenarios, the output of the "show configuration"/"snapshot-scheduled" command may contain corrupted text.

PRJ-46019,
PRHF-28611

Gaia OS

The SNMPD process memory consumption may be high, which causes the process to become unresponsive.

PRJ-50485,
PRHF-30667

Gaia OS

SNMP query does not bring the CPUSE package information for a single OID (not a table).

PRJ-46141,
PRHF-28669

Gaia OS

Taking a snapshot on the Security Management Server fails because of the error during copying the /boot/config/ content.

PRJ-51218,
PMTR-92877

Gaia OS

Clish may deny access of a non-local RADIUS user.

PRJ-50507,
PRHF-30939

Gaia OS

There may be some inconsistent syntax in the "comment" section for interface and static-route commands.

PRJ-48718,
PRHF-29974

Gaia OS

The "show configuration password-controls command output does not print the "set password-controls deny-on-fail block-admin on" option.

PRJ-45114,
PRHF-28172

Gaia OS

Lock database override may not work as expected when it is set via Ansible playbook, and another admin was connected to SSH before that.

PRJ-47175,
PRHF-29200

Gaia OS

When rebooting the Security Gateway, some VLANs may lose their IPv6 configuration.

PRJ-53488,
PMTR-95316

Gaia OS

Some valid interfaces may not be available with running the "set lldp interface" command.

PRJ-53193,
PRHF-32504

Gaia OS

In rare scenarios, the Gaia Portal daemon HTTPD may unexpectedly exit and create a core dump file in the /var/log/dump/usermode/ directory.

PRJ-52507,
PMTR-99867

Gaia OS

When a non-local user executes a Gaia API command, the action is incorrectly logged as performed by the "admin" user in the /var/log/messages file.

PRJ-50587,

PRHF-30890

CloudGuard Network

In an environment with Cloud Security Gateways, frequent High Availability synchronization sessions can cause high CPU utilization. As a result, change of the Activity status may fail.

PRJ-47146,
PRHF-29171

Harmony Endpoint

When selecting to filter machines by infection name in SmartEndpoint Reporting > Anti-Malware > Top infections, the listed computers do not match the displayed numbers.

PRJ-47719,
PRHF-29658

Harmony Endpoint

The Application Scan Push Operation fails to upload an .xml file. Refer to sk181280.

PRJ-52129,

PRHF-31662

Harmony Endpoint

When attempting a one-time login for a migrated client in the Infinity Portal, the request fails with "400 error" caused by duplicate logon_name and domain_name entries in the database, preventing password generation from the Web interface.

PRJ-46988,
PRHF-28944

VoIP

In some scenarios, SIP TCP connections are dropped after a cluster failover.

PRJ-47993,
PRHF-29577

VoIP

When the SIP Multi-core feature is enabled, and a SIP over UDP rule with one-way calls (only outgoing calls, for example) is defined, the returned traffic is dropped. Refer to sk181525.

PRJ-52885,
MBS-18033

Scalable Platforms

When running the "fwaccel stat" command on a VSX Security Gateway, the output may show physical interfaces as not accelerated, although they are.

PRJ-53620,
PMTR-99823

Scalable Platforms

The "reboot -b all" command in gClish may fail. The environment hangs or reboots partially (only some of the members).

PRJ-44138,
MBS-16756

Scalable Platforms

If a DR packet arrives fragmented, it may not get forwarded to the DR manager, potentially causing connectivity issues.

PRJ-46791,
PMTR-92392

Scalable Platforms

An additional reboot may be performed on Maestro Security Gateway because of the database entry (otlp) which should not be pulled from SMO. This entry is updated locally on each member via self-update functionality and, therefore, may differ between members.

PRJ-46062,
PRHF-28410

Scalable Platforms

Querying SP Interface Data via SNMP may intermittently fail.

PRJ-50736,
PRHF-29610

Scalable Platforms

The Gaia gClish command "installer verify CPUSE Package ID member_ids all" fails with "Quitting due to time-out" on a Scalable Platform Security Group. Refer to sk181674.

PRJ-50745,
PRHF-30416

Scalable Platforms

Performance data collected from all members including the Standby site, may cause the "Instance Load" and "Accelerate Load" values to be different from the asg perf tool data.

PRJ-49465,
PRHF-30344

Scalable Platforms

On a Security Group with MDPS enabled:

  • The "asg perf" command on a Security Group does not show any output - the Gaia OS prompt appears immediately after entering the command and pressing the Enter key.

  • When running the "mac_verifier" and other commands on a Security Group, the output may show the error message "mount of /sys failed: device or resource busy".

  • The "distutil verify -v" command on a Security Group returns "verification failed".

After installing this Take, when MDPS plane separation is enabled, in the context of the Management plane, the directory /sys/class/net/ now shows interfaces that belong to the Data plane, although it should show interfaces that belong to the Management plane.

Refer to sk182076.

PRJ-48722,
PMTR-67380

Scalable Platforms

When running the "asg if script" command, the "Bridge Master" output does not fit in one line in the "Info" column. The issue is cosmetic only.

PRJ-50679,

PRHF-30764

Scalable Platforms

Scalable Platform Interface data OIDs (1.3.6.1.4.1.2620.1.48.26) may not be refreshed.

PRJ-44499,
PRHF-27538

Scalable Platforms

Policy installation may cause traffic interruption on Maestro Security Group due to missing VLANs of a Virtual System in the configuration file.

PRJ-46221,
PMTR-88316

Scalable Platforms

During site failover, IPv6 traffic that goes through the Warp interface may be interrupted.

PRJ-44135,
MBS-16004

Scalable Platforms

Member state may flap between Active and Ready.

PRJ-52530,

PMTR-99841

Scalable Platforms

After dynamic routing manager failure and recovery, connections are dropped with a log message "TCP out of state: First packet isn't SYN". Refer to sk181874.

Take 92

Published on 4 January 2024 and declared as Recommended on 15 January 2024

PRJ-51599,

SMB-16203

Security Management

In rare scenarios, a boot may fail on a Security Gateway with IPS, Anti-Bot, or Application Control blade enabled. Refer to sk181803.

Take 89

Published on 23 November 2023

PRJ-47120,
PMTR-92660

Anti-Spam

NEW: We have extended the grace period of Anti-Spam Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-49979

Security Management

UPDATE: Removed a redundant rule-assistant.war package.

PRJ-49890,

PMTR-95687

Security Management

UPDATE: Removed a redundant guava package.

PRJ-49823,

PMTR-95347

Security Management

UPDATE: Upgraded the commons-compress-jar package from version 1.8 to version 1.22.

PRJ-49785,

PMTR-95614

Security Management

UPDATE: properJavaRDP - an SNX-embedded application for Mobile Access is now blocked and is no longer supported because of deprecated Java library dependencies.

PRJ-49982,

PMTR-74309

Security Management

UPDATE: Upgraded the Jackson Java library from version 2.5.0 to version 2.11.3.

PRJ-48316,

PRJ-49010,

PRJ-50263,

PRJ-49964,

ODU-1256,

ODU-1304,

ODU-1121,

ODU-1137

Web SmartConsole

UPDATE: New features and improvements are released in Take 81, Take 85, Take 88, and Take 90 via a self-updatable package. Refer to sk170314.

PRJ-49107,

PMTR-94517

SmartConsole

UPDATE: Applied security related improvements to the Jetty open source library.

PRJ-50323,
ODU-1328

CPView

UPDATE: Added Take 68 and Take 70 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-50041,
ODU-1264

CPView

UPDATE: Added Take 14 of CPquid (QUID) Release Updates. Refer to sk181458.

PRJ-50091,
PMTR-63855

Security Gateway

UPDATE: Improved traffic classification of GTP traffic on the Security Gateway to enhance the stability.

PRJ-46556,
PMTR-92206

Security Gateway

UPDATE: Added a new option in domains_tool, which allows to retrieve IP addresses of multiple Domains - "-md <list of domains>". Refer to sk161632.

PRJ-48141,
PMTR-93683

Threat Prevention

UPDATE: Re-enabled the deprecated feature of exporting/importing custom intelligence feeds.

PRJ-44319,
PMTR-90945

Threat Prevention

UPDATE: The DCE-RPC kernel tables will now be global instead of local. This adjustment helps avoid issues with syncing between firewall instances and keeps data connections stable.

PRJ-49492,
ODU-1170

Threat Prevention

UPDATE: Added Update 21 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-46942,
TPP-3290

Threat Prevention

UPDATE: IPS bypass triggers will now be activated based on the average CPU load exceeding the high threshold, as opposed to the previous implementation, where a single CPU load triggered the bypass. The change will result in more effective security measures without unnecessary bypasses.

PRJ-49231,
PMTR-92549

SSL Network Extender

UPDATE: SSL Network Extender was updated to version 80008407.

PRJ-49744,

PMTR-95099

Mobile Access

UPDATE: SNX used to connect back to Mobile Access Blade's portal FQDN by resolving its IP address locally. This method makes it sensitive to DNS poisoning attacks such as those specified by TunnelCrack. Therefore, it was modified to connect back to the Security Gateway / Cluster member IP address by default.

PRJ-44242,
PMTR-87141

Mobile Access

UPDATE: Enhanced PushReport (a troubleshooting tool for Mobile Access Blade):

  • changes in the cloud service configuration,

  • stability improvement.

PRJ-44435,
PMTR-89908

ClusterXL

UPDATE: Improved the fullsync time after reboot in large scale environments. Refer to sk180742.

PRJ-46314,
PMTR-90870

ClusterXL

UPDATE: When enabling the VMAC feature, link_monitoring on the cluster members will now be configured automatically.

PRJ-46915,
PMTR-80877

VPN

UPDATE: Added a global parameter "sim_no_local_ip_check" which allows packets not destined to a local IP address to proceed to Security Association lookup in SecureXL.

PRJ-48107,
PMTR-90795

VSX

UPDATE: Changed the vsx push configuration log:

  • The log file last_vsx_push_configuration.elg will now hold only the last vsx push configuration log.

  • The cyclic log file vsx_push_configuration.elg will now hold all previous push configuration logs, except the last one.

PRJ-47449,
ACCHA-3284

Gaia OS

UPDATE: Added driver and firmware update support for Dual-Wide 10/25/40/100G cards as a replacement option for:

  • CPAC-2-40F

  • CPAC-2-40F-B

  • CPAC-2-40F-C

  • CPAC-2-100/25F

  • CPAC-2-100/25F-B

PRJ-45235,
PRHF-28236

Gaia OS

UPDATE: SNMP traps for interfaces going up and going down will now contain the interface name and description.

PRJ-46439,
GAIA-10941

Gaia OS

UPDATE: Added support for the Sandblast TE250XN Appliances.

PRJ-44760,
PRHF-27893

Gaia OS

UPDATE: Increased the size of the scheduled snapshot database binding, allowing longer paths and passwords to be defined.

PRJ-47225,
PMTR-92606

Gaia OS

UPDATE: Upgraded OpenSSL from 1.1.1t to 1.1.1u to include the latest security improvements. Refer to sk181427.

PRJ-45726,
PMTR-91551

Harmony Endpoint

UPDATE: Added new file types supported by Harmony Endpoint Threat Emulation blade.

PRJ-49977,

PRJ-49936

Harmony Endpoint

UPDATE: Upgraded symmetricDS to the 3.14.9 version.

PRJ-48799,
PMTR-94130

CloudGuard Network

UPDATE: Added support for Data Centers in AWS il-central-1 Israel (Tel Aviv) region.

PRJ-48338,
ODU-1081

CloudGuard Network

UPDATE: Added Take 20 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-45770,
PMTR-90618

Scalable Platforms

UPDATE: Added ability to stop configuration mismatch repeated reboots for debugging purposes. The new command is " cpha_blade_config auto_reboot <on/off>".

PRJ-48195,
PMTR-91032

Scalable Platforms

UPDATE: Added ability to use Generic Data Centers and Dynamic Objects with Maestro cluster, not just for a separate Security Gateway.

PRJ-32166,
MBS-14572

Scalable Platforms

UPDATE: Added support for 40G SFP transceiver for SSM160 (BTI40GSRDDQSFP).

PRJ-45979,
ODU-1154

Scalable Platforms

UPDATE: Added Take 29 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-48403,
ODU-1113

HCP

UPDATE: Added Update 13 and Update 14 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-49203,
PRHF-30319

Security Management

  • When updating Inline Access Layers, Threat Exceptions, and HTTPS Inspection (TLS) rules, the "Policy Name" field in the Audit Log may be incorrect.

  • The "Where used" operation fails for users with read-only permissions.

Refer to sk181471.

PRJ-48877,
PRHF-29542

Security Management

  • Running a Gaia API command on a Security Gateway using Management API from the Multi-Domain Security Management Server fails.

  • Running a Gaia API command on a Security Gateway using Management API from the Security Management Server fails if the Security Gateway certificate was not recreated.

PRJ-50028,

PMTR-95988

Security Management

The Gaia Clish command "show configuration user" fails with "Segmentation fault" on a Management Server. Refer to sk181626.

PRJ-47168,
PRHF-29222

Security Management

In rare scenarios, Global Policy reassignment fails with "IPS Update Failed On Assign".

PRJ-46698,
PRHF-24917

Security Management

Global Policy assignment fails if it is configured to assign to specific Domain policies and one of these local Domain policies is deleted.

PRJ-44895,
PRHF-27875

Security Management

Policy installation gets stuck if the known proxy group contains the policy target.

PRJ-46827,
PRHF-28923

Security Management

In some scenarios, the "Object is no longer available" validation warning appears for updatable objects.

PRJ-49194,
PRHF-30329

Security Management

In some scenarios, the CPRLIC process may unexpectedly exit without affecting the connectivity, and a core dump is generated.

PRJ-47965,
PRHF-29565

Security Management

In High Availability Security Management Server environments, outdated IPS packages are retained, which leads to a substantial increase of the database on Standby Security Management Server. Refer to sk182178.

PRJ-46130,
PMTR-71041

Security Management

A policy installation task may become stuck when an error occurs in the early installation stage, for example, when trying to install a policy on an unsupported version of Security Gateway.

PRJ-46397,
PRHF-28962

Security Management

In rare scenarios, policy installation fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

PRJ-46015,
PRHF-28592

Security Management

The "show-nat-rulebase" Management API command fails when Packet mode is enabled and "match on any" is set to "false". For example, "show-nat-rulebase XXX package YYY filter-settings.search-mode packet filter-settings.packet-search-settings.match-on-any false filter ZZZ".

PRJ-44430,
PRHF-27612

Security Management

In some scenarios, SmartConsole may get closed when opening the Policy Installation dialog.

PRJ-46409,
PMTR-90123

Security Management

The Security Gateway may listen to the ports used by NAT.

PRJ-49369,
PRHF-30255

Security Management

In environments with tens of thousands of network objects, opening and closing Security Gateway objects in SmartConsole takes a long time. Refer to sk181460.

PRJ-33004,
PMTR-75194

Security Management

In SmartConsole, an attempt to view administrators may fail with "Error retrieving results".

PRJ-35764,
PRHF-22024

Security Management

In some scenarios, the "show-packages" Management API command may return empty results when using the "domains-to-process" flag.

PRJ-39774,
PRHF-24049

Security Management

Disabling or enabling rules may not affect the "last-modify-time" field in the output of the "show-access-rule" Management API command.

PRJ-40127,
PRHF-24236

Security Management

When the Access Rule Base contains several hundred rules, the "set-access-rule" Management API command with the "new-position" parameter may take longer than expected or time out after 5 minutes.

PRJ-48199,
PRHF-29851

Security Management

Login via API fails if the Security Management Server has multiple IP addresses and they are not defined on the Security Management Server object in SmartConsole.

PRJ-48036,
PRHF-29549

Security Management

An audit log may not be created after running Revert to Revision.

PRJ-48380,
PRHF-29957

Security Management

In SmartConsole, export of policies with the "Hit count" column may get stuck.

PRJ-43288,
PRHF-26909

Security Management

In rare scenarios:

  • Login to the Security Management Server may fail with timeout.

  • Publish operations may take a long time.

PRJ-45897,
PRHF-28666

Security Management

In rare scenarios, during an IPS update, a task notification reports that a database purge failed on the Standby Security Management Server. Refer to sk180920.

PRJ-45987,
PRHF-28558

Security Management

Deleting a Domain that is connected to an AD Group fails.

PRJ-47257,

PRJ-47234,
PRHF-29374,
PRHF-29423

Security Management

If the HTTPS policy contains an Identity Awareness Gateway object in the "Source"/"Destination" column, policy installation may fail when selecting more than one policy target. Refer to sk181097.

PRJ-46002,
PRHF-28590

Security Management

Changing the cluster mode via the "set simple-cluster" Management API command to "cluster-xl-ha" or "ospec-ha" returns success but has no effect on the cluster object.

PRJ-48896,
PRHF-30157

Security Management

In rare scenarios, upgrade of the Security Management Server to R81.20 fails with the "Task was interrupted because of server restart" and "DEADLOCK IN POSTGRES DETECTED!!!" messages in the cpm.elg log file.

PRJ-45033,
PRHF-27706

Security Management

Upgrade of a Security Management Server or a Multi-Domain Security Management Server with over 2000 NAT rules may take over 10 hours to complete.

  • The fix requires the upgrade to be done using a Blink image or via the Advanced Upgrade method.

PRJ-44986,
PRHF-28001

Security Management

A migrate export or CPUSE upgrade of a Security Management Server fails if a Rule Base contains more than 35,000 rules. Refer to sk178325 to check the recommended size of Rule Bases.

PRJ-45798,
PRHF-28187

Security Management

Security Management Server import fails with the "Tried to persist object XXX with domain YYY while active domain is ZZZ" error in the upgrade report.

PRJ-41459,
PRHF-24486

Security Management

In some scenarios, an automatic Trusted Certificate Authorities (CAs) update fails.

PRJ-41243,
PRHF-25050

Security Management

When closing an application from SmartConsole without changes, a redundant revision is created.

PRJ-47041,
PRHF-29223

Security Management

When using the RADIUS username for authentication, login to SmartConsole may fail.

PRJ-47045,
PRHF-29104

Security Management

In rare scenarios, after an upgrade, the Security Management Server may fail to start.

PRJ-46795,
PRHF-29116

Security Management

The "show-vpn-communities-star" Management API command fails for VPN communities using Diffie-Hellman groups 15-18. Refer to sk27054.

PRJ-46730,
PRHF-28910

Security Management

In rare scenarios, opening the Install Policy view gets timed out, and SmartConsole unexpectedly closes. Refer to sk181397.

PRJ-45781,
PRHF-27471

Security Management

In rare scenarios, the High Availability synchronization status shows "NGM failed to import data", and then is cleared automatically within 15 minutes.

PRJ-45439,
PRHF-28361

Security Management

In rare scenarios, Global Policy Reassignment takes a long time to complete after deleting a Global IPS profile. Refer to sk180787.

PRJ-48690,
SL-8197

Security Management

Users may be able to configure user-defined scripts to run on the Security Management Server, although they do not have the permissions of a super-user.

PRJ-47618,
PRHF-29494

Security Management

In rare scenarios, the /var/log/message file is filled with Clish login messages for the Admin user.

PRJ-48863,
PRHF-30091

Security Management

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

PRJ-48369,
PRHF-29850

Security Management

The "crldp_initialized"and "crldp_name" keys may be missing in the registry after running promote_util.

PRJ-47037,
PRHF-29235

Security Management

In multi-site Multi-Domain Security Management environments, login to SmartConsole fails while an Install Policy Preset relays the Security Gateway installation statuses.

PRJ-34859,
PRHF-20141

Security Management

In the Revisions view, when comparing the selected revision to its previous revision, an empty screen is shown instead of a report.

PRJ-46103,
PRHF-28809

Multi-Domain Security Management

In some scenarios, the "Uninstall Threat Prevention Policy" window may show "no candidates found for operation", even though there are Security Gateways that have Threat Prevention policy installed and Threat Prevention is disabled in the Security Gateway editor. Refer to sk180983.

PRJ-43690,
PRHF-27130

Multi-Domain Management

Deleting the entire Domain including all its Domain Servers fails, if any of the Domain Servers is used in the Domain policy.

PRJ-47049,
PRHF-29196

Multi-Domain Security Management

In rare scenarios. in a Multi-Domain Security Management environment:

  • Login to the Management Server may timeout and fail.

  • Publish operation may take a long time.

PRJ-40588,
PRHF-85028

SmartConsole

SmartConsole may crash while checking for updates.

PRJ-45074,
PRHF-28115

Web SmartConsole

After an upgrade, "Every cluster network should define unique subnet" messages may be displayed in the Validation Pane.

  • The fix applies only when Jumbo Hotfix Accumulator Take is installed via Advanced upgrade or with a Blink image containing this Take.

PRJ-46434,
PRHF-28762

SmartProvisioning

After importing or deleting SNORT protections in the IPS Protections view, the view may not show the change.

PRJ-47341,
PRHF-29472

SmartView

In some scenarios, when a language other than English is chosen in SmartView, login to SmartView fails with an "Initialization failed" message.

PRJ-47468,
PMTR-92958

CPUSE

Tasks in SmartConsole may end unexpectedly during the Jumbo/ major version upgrade operation.

PRJ-46185,
PRHF-28421

Logging

When the CPD process is automatically restarted on the Security Gateway, the output of the "cpstat ls -f logging" command on the Security Management shows the Security Gateway is disconnected, the Log Server cannot be reached, although logs are sent.

PRJ-45039,
PRHF-28139

Logging

The "Low disk space" warning may be incorrectly displayed in SmartConsole.

PRJ-47218,
PRHF-29347

Logging

The "fwm logexport" may return "Failed to print record at position" and "missing table field" error messages despite succeeding to export the logs.

PRJ-48341,
PMTR-93310

Logging

In some scenarios, the "show logs" Management API returns incorrect values for the "Match table" field.

PRJ-41166,
PRHF-25147

Logging

The "show-simple-gateway" and "set-simple-gateway" Management API commands with the "logs-settings.forward-logs-to-log-server-schedule-name" parameter fail with "generic_server_error".

PRJ-47213,
PRHF-29149

Logging

In SmartView, filtering logs by Media Encryption & Port Protection Blade may fail.

PRJ-45323,
PMTR-79944

Logging

Configuring log settings to delete logs if free disk space is lower than a certain percentage may not be applied.

PRJ-39449,
SL-6793

Logging

The Logs view may show a "Failed to read record number" message.

PRJ-45416,
PRHF-28191

Logging

Source and destination IP addresses in SmartLog may not be shown correctly for duplicate packets of fragmented traffic.

PRJ-44206,
PRHF-27544

Logging

Windows Syslog messages information may be displayed in the "Description" field of the log and not parsed into the suitable fields.

PRJ-47267,
PRHF-29384

Security Gateway

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

PRJ-50897,

PRHF-31187

Security Gateway

A double-free flaw that leads to a possible Security Gateway crash was identified. This release includes the fix to enhance system stability and security.

PRJ-44700,
PRHF-27451

Security Gateway

In rare scenarios, the WSDNSD process may restart because of an internal error.

PRJ-48152,
PRHF-29602

Security Gateway

Topology and Anti-Spoofing ranges are not calculated on an external interface when adding a route to an internal interface that shares the same subnet.

PRJ-47369,
PMTR-88610

Security Gateway

The ICAP Server may stop sending files to the Threat Emulation and Anti-Virus Blades if the TED daemon was restarted.

PRJ-47330,
PMTR-92600

Security Gateway

When using the "cpstop" command on the Security Gateway, the fw_full core may be generated.

PRJ-48246,
PMTR-86113

Security Gateway

The /var/log/messages file of a VSX gateway is flooded with the "fwmultik_predefined_dispatching: BAD_MULTIK_TAG" messages with no impact of the connectivity. Refer to sk181281.

PRJ-47519,
PRHF-29318

Security Gateway

After installing a policy, because of high latency, the Security Gateway may delete connection before SIM Affinity is able to send an update notification. This may cause some connections to be dropped.

PRJ-44188,
PRHF-25647

Security Gateway

The Security Gateway may crash due to a memory issue.

PRJ-46137,
PRHF-28806

Security Gateway

The "g_tcpdump -mcap" command may not merge traffic capture outputs. Refer to sk181032.

PRJ-46052,
PRHF-28455

Security Gateway

The Security Gateway may crash while inspecting non-HTTP traffic.

PRJ-43855,
PMTR-83014

Security Gateway

The FWK process may unexpectedly exit with a core dump file when removing an IPv6 interface on VSX.

PRJ-45482,
PRHF-27892

Security Gateway

Incorrect bonds may be shown in the Data Plane when using MDPS with the "show bonding groups" command.

PRJ-46333,
PRHF-28842

Security Gateway

The Security Gateway may crash after a failure in policy installation.

PRJ-45802,
PRHF-28559

Security Gateway

Resolved an issue where CPD would consume a large amount of CPU in VSX with a large number of interfaces configured (greater than 1024). Refer to sk181588.

PRJ-47124,
PRHF-29292

Security Gateway

In some scenarios, after an upgrade, the FWD process may unexpectedly exit.

PRJ-44617,
PRHF-27190

Security Gateway

In a rare scenario, the FWD process listens to high ports that are not blocked by the "auth_services_real_ports_block" implied rule. Refer to sk180505.

PRJ-45343,
PRHF-28058

Security Gateway

When two routes with similar attributes are added to different routing tables, and one is deleted, Anti-Spoofing may drop the traffic to that route.

PRJ-47557,
PRHF-29583

Security Gateway

FTP connection may fail in Port mode with NAT and specific FTP clients. Refer to sk181165.

PRJ-47324,
PMTR-75350

Security Gateway

Benign files scanned by the ICAP Server may not be logged by Anti-Virus Blade.

PRJ-46376,
PMTR-84794

Security Gateway

Re-mirrored traffic may be re-ordered in the Mirror & Decrypt feature.

PRJ-47601,
PRHF-29572

Internal CA

In rare scenarios, ICA certificate creation and enrollment fail.

PRJ-44150,
PMTR-89916

Threat Prevention

In a rare scenario, policy installation may fail because of IoC observables overrides.

PRJ-46836,
PMTR-92384

Threat Prevention

When SSH Deep Packet Inspection (SSH DPI) is enabled, the Security Gateway may have SSH connectivity issues because of an incorrect choice of Message Authentication Code (MAC) algorithm during the SSH handshake.

PRJ-43726,
PMTR-89275

Threat Prevention

In some scenarios, CIFS parser is triggered when it is not needed, this leads to the Security Gateway not accelerating fully the SMB traffic.

PRJ-44765,
PRHF-27722

Threat Prevention

Fetching of Custom Intelligence Feeds fails when no proxy is configured on the Security Gateway.

PRJ-44690,
PRHF-27890

Threat Prevention

In some scenarios, the Security Gateway fails to export or import IoC feeds.

PRJ-48190,
PRHF-29760

Threat Prevention

Anti-Virus Blade fails to parse external IoC feeds that contain specific delimiters.

PRJ-42146,
PRHF-26013

Threat Prevention

Fetching custom intelligence feeds via CLI may fail because of SSL certificate issues.

PRJ-46883,
PMTR-92083

Threat Prevention

Uploading an IoC file containing invalid characters (for example, quotation marks) may cause Threat Prevention policy installation failure.

PRJ-48924,
PMTR-88858

Threat Prevention

Anti-Virus Blade triggers the "Detect" logs for DNS traffic, although these malicious DNS requests were prevented.

PRJ-47636,
PRHF-29215

Threat Prevention

The output of the "fw amw unload" command shows the policy gets unloaded, however CPView still shows that the blades are enabled. Refer to sk181148.

PRJ-46116,
PMTR-91889

Threat Emulation

Multiple ifiPython3 processes may utilize the Security Gateway memory, affecting the Anti-Virus Blade performance.

PRJ-48273,
PRHF-29815

Identity Awareness

There may be no access to resources for identities received from the Remote Access identity source by splitting Domain (sk147417).

PRJ-47063,
PMTR-92599

Application Control

When the "Categorize HTTPS Websites" option is enabled and the global parameter "appi_urlf_ssl_cn_use_sni_without_validation" is set to true, a memory leak may occur.

PRJ-47748,

PRJ-47646

IPS

In rare scenarios, there may be a memory leak in ips_cmi_handler_match_cb_ex.

PRJ-50189,

PMTR-96205

IPS

Policy installation may fail on Security Gateways with enabled IPS and configured Strict profile and IPv6.

PRJ-47238,
PRHF-29289

Anti-Virus

Some websites may be unreachable when one of Threat Prevention Blades is in Hold mode.

PRJ-47934,
PRHF-29090

Anti-Virus

When transferring many files, SMB traffic may freeze while scanned by Anti-Virus Blade.

PRJ-48971,
PRHF-30090

Anti-Virus

When Anti-Virus DNS classification is set to Hold mode, the first DNS trap log of malicious Domains shows "Detect" in the Action field, although the connection was successfully blocked.

PRJ-48126,
PMTR-93685

Anti-Virus

A memory leak in the DLPU process may occur when Anti-Virus scans files over HTTP(s) or SMB (Server Message Block) protocol.

PRJ-45835,
TPP-3445

Anti-Virus

DLPU process memory consumption may be increased when SMB protocol is enabled in the Anti-Virus policy.

PRJ-47783,
PRHF-29581

Anti-Virus

A memory leak may occur in the Security Gateway when a connection is not correctly released after the inspection.

PRJ-46604,
PRHF-28851

Anti-Virus

The DLPU process may stop working, creating a User Space core dump file on the Security Gateway. Refer to sk181026.

PRJ-47202,
PRHF-29309

Mobile Access

When copying special German characters to and from the Guacamole Server, they are replaced with unreadable symbols.

PRJ-47106,
PRHF-29247

Mobile Access

It may not be possible to connect to the RDP application with SNX in Application mode. Refer to sk181155.

PRJ-45656,
PRHF-28404

SSL Inspection

In a VSX environment, the WSTLSD process run by Virtual Systems may ignore proxy configuration on VS0.

PRJ-48701,
PMTR-90439

SSL Inspection

A FWK process memory leak may occur when canceling the download of a large file in the middle of the process.

PRJ-47263,
PMTR-91800

SSL Inspection

The fwk.elg file may be flooded with the "mux_hold_opq_free: App has no hold params free function" messages for the TLS_PARSER app because of a memory leak.

PRJ-41306,
PRHF-25160

ClusterXL

When interfaces disconnect/connect on both members at the same time, it may cause a failover.

PRJ-46504,
PRHF-28936

ClusterXL

Some IPv6 connections randomly stop passing through ClusterXL in High Availability mode. Refer to sk180969.

PRJ-45348,
PRHF-28275

ClusterXL

After an upgrade, cluster members may frequently crash, causing instability in the environment.

PRJ-45197,
PRHF-28013

ClusterXL

In a cluster/Maestro in Load Sharing mode, the Security Gateway may drop NAT traversal traffic with "fwmultik_process_f2p_cookie_inner Reason: PSL Drop: No connection".

PRJ-44274,
PRHF-27346

ClusterXL

A Standby member may initiate FTP data connection, although it should be sent from the Active member. As a result, the connection is teminated. Refer to sk180531.

PRJ-43930,
PMTR-89813

ClusterXL

Site to Site VPN outage on ClusterXL Active member when running "cpstop" on the Standby cluster member. Refer to sk170055.

PRJ-45179,
PRHF-27989

ClusterXL

The VLAN configured bonded interface monitored state disappear after modifying the bonded interface properties. Refer to sk180724.

PRJ-43638,
PMTR-89506

SecureXL

In some scenarios, incorrect MSS value calculation may lead to traffic drops and performance instability.

PRJ-44772,
PMTR-70190

SecureXL

The "IOCTL command CPHWD_IOCTL_DOS_DENY_LIST_CLEAR was not successful" error may be printed during cpstart. Refer to sk180646.

PRJ-41793,
ROUT-2195

Routing

Adding or deleting a multicast group from a configured static RP environment can lead to outages in traffic.

PRJ-47486,
PMTR-93015

Routing

When multicast traffic for an existing (S,G) entry arrives at a non-IIF interface, the entry may be deleted and re-added when the next multicast packet is released, although the entry should not be deleted.

PRJ-43247,
ROUT-2018

Routing

Traffic may be dropped when there are many OSPF routes of type 5.

PRJ-47800,
PRHF-29662

Routing

When a BFD session is added or removed, disabled sessions may incorrectly come up.

PRJ-47939,
PMTR-93492

Routing

An OIF entry may be missing when multiple downstream neighbors are present on a LAN. Refer to sk181354.

PRJ-48116,
PRHF-29848

Routing

The ROUTED process may exit with a core dump when querying details of OSPF Type 5 LSA.

PRJ-44955,
PMTR-90731

VPN

A potential leak in VPN tunnels in a Multi-Version Cluster.

PRJ-46293,
PRHF-28702

VPN

Users that were moved from one AD group to another group still are shown in both access role groups when running the "pdp monitor" command. Refer to sk181429.

PRJ-42938,
PRHF-25665

VPN

Policy installation may take a long time and fail with "Operation failed, install/uninstall has been improperly terminated.&CURRENTVERCMP *##MSG_IDENTIFY##".

PRJ-44164,
PMTR-86796

VPN

When working with ClusterXL in Load Sharing mode, a VPN tunnel may fail to be established.

PRJ-47876,
PRHF-29650

Multi-Portal

The Security Gateway may send a wrong certificate to the MAB Portal during certificate authentication.

PRJ-44267,
PMTR-86105

VSX

Virtual System context may not be handled correctly by CPView, for example, the same interfaces may be listed on all virtual systems.

PRJ-47795,
PRHF-29709

VSX

A memory leak may occur in the CPD process.

PRJ-47397,
PRHF-29485

VSX

When changing Virtual Systems (VS's) using the VS name, the "failed to find an ID for a VS named XXX" error is shown.

PRJ-43877,
PMTR-87205

VSX

When running "vsx_fetch" from a context that is not VS0, this output is displayed: "Management rejected fetch for this module - sic name does not match. Couldn't fetch VSX configuration by IPs, trying to fetch by names."

PRJ-47836,
PRHF-29698

VSX

In a rare scenario, affinity configuration on VSX may fail.

PRJ-44299,
PMTR-90180

VSX

When adding a route using vsx_provisioning_tool and the "interface_name" option, this route cannot be removed.

  • Requires installing SmartConsole R81 Build 567 (or higher).

PRJ-49349,
PRHF-30364

VSX

In some scenarios, in a Maestro Security Group configured in the VSX mode, a Virtual System that connects to a Virtual Switch may drop traffic as "Out of State" or wrongly drop it on the clean up rule. Refer to sk181823.

PRJ-46970,
PRHF-29232

Gaia OS

Incorrect Multi-Queue configuration when MDPS, VSX, or both are enabled. Refer to sk181249.

PRJ-46274,
PRHF-28848

Gaia OS

When changing bond settings, the bond may be missing the global IPv6 Address.

PRJ-47772,
PRHF-28671

Gaia OS

Snapshot fails when the unpartitioned disk size is greater than 1TB. Refer to sk181485.

PRJ-28433,
PRHF-18469

Gaia OS

Backup on Gaia machine with Threat Emulation Blade enabled fails with "Cannot complete the backup process: not enough space". But the solution of sk166833 does not resolve the issue in a VSX environment.

PRJ-44369,
PRHF-27627

Gaia OS

SNMP OIDs for ISP Redundancy status are not refreshed when the ISP link changes the status.

PRJ-43570,
PRHF-27125

Harmony Endpoint

After the Deploy New Endpoint push operation is successfully done, the list of target devices may change to "None". And it is not possible to delete this push operation manually, a "Sorry, we had an API issue during request" message is printed.

PRJ-41336,
PRHF-25164

Harmony Endpoint

When downloading a dynamic package from the Endpoint Security Server and using the "/createmsi" command, the operation results with a "CRITICAL ERROR: Unable to create MSI! Missing file: System32\FirewallMonitor.dll" error.

PRJ-46948,
PRHF-29014

Harmony Endpoint

KAV updater on the Server may fail to receive updates when proxy is used.

PRJ-48255,
PRHF-25142

Harmony Endpoint

The default policy configured in the Infinity Portal may not be exported with the new Endpoint Security client package.

PRJ-46801,
PRHF-28984

Harmony Endpoint

In rare scenarios, when making changes in SmartConsole, it gets disconnected.

PRJ-43043,
PRHF-26539

Harmony Endpoint

E2 engine may send an incorrect value of datDate in sync request.

PRJ-47898,
PRHF-29630

CloudGuard Network

Azure mapping may fail on Private Endpoint without network interfaces. In the cloud proxy logs, the "ERROR datacenter.scanner.DcScanner [scanner-Azure-XXX]: Error during scan - attempting to reconnect for scanner of [Azure] in domainYYY" messages are printed.

PRJ-47733,
PRHF-29654

CloudGuard Network

After an upgrade, Azure Gov mapping may fail.

PRJ-43608,
PRHF-27033

VoIP

SIP agent implements a keep-alive mechanism against the RFC, making each message arrive with a different tag in the "From" header, which may increase the memory of the Security Gateway, and these messages may be dropped once they hit the limit defined (the "sim_max_reinvite" parameter).

PRJ-45232,
PRHF-24217

Scalable Platforms

The "asg_dr_verifier" command shows "Status: Inconsistency found on some of the SGMs", even if the OSPF neighbors are in Full state. Refer to sk179921.

PRJ-47639,
PRHF-29629

Scalable Platforms

In a Scalable Platform environment, when opening an IPS Packet Capture originated on a local member, the "Fetching in progress" error is displayed, and a "Capture file was not found on remote SGM" entry is printed in the log.

Take 87

Published on 27 June 2023 and declared as Recommended on 2 August 2023

PRJ-44424,
ACCESS-458

Security Management

NEW: Added a new field to the output of "mgmt_cli show updatable-objects-repository-content" command. This field displays the object's unique name as it is saved in the updatable objects repository.

PRJ-43520,
PMTR-89420

Security Management

NEW: It is now possible to add tags to Access rules and sections. A new field "tags" is added to the existing "add/set rule & section" Management APIs .

For example:

  • mgmt_cli add access-section layer "Network" position 1 name "New Section 1" tags mytag

  • mgmt_cli add access-rule layer "Network" position 1 name "Rule 1" tags mytag

PRJ-45294,
PMTR-86221

Security Management

UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792.

PRJ-45489,
PRHF-28303

Security Management

UPDATE: Significant performance improvement for policy installation when using many layers (up to four times faster).

PRJ-45202,

ODU-843

Web SmartConsole

UPDATE: New features and improvements are released in Take 76 via self-updatable package. Refer to sk170314.

PRJ-45471,
ODU-827

CPView

UPDATE: First release of CPviewExporter Release Updates. Refer to sk180521.

PRJ-45464,
ODU-835

CPView

UPDATE: First release of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

PRJ-46339,
PRHF-28674

Security Gateway

In rare scenarios, memory corruption occurs during packet correction requiring fragmentation, this may cause the Security Gateway crash or freeze.

PRJ-45461,
PRJ-46430,
ODU-890,
ODU-898

Threat Prevention

UPDATE: Added Update 18 and Update 19 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

PRJ-44951,
PRHF-28082

IPS

UPDATE: Mapping of IPs to country/flag in the Logs & Monitor view > Logs is now automatically updated every day.

PRJ-43604,

PRHF-22566

SecureXL

UPDATE: Added a new kernel parameter allowing to control the size of fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" with the new value and install policy. This can prevent fragment drops when having multiple instances in the Firewall.

PRJ-47511,
PMTR-93037

GaiaOS

UPDATE: Added notifications about the Expert mode login on Gaia Servers. Refer to sk181230:

1) Gaia sends an audit log to the Management Server / Log Server (SmartConsole > Logs & Monitor).

2) Gaia writes a log message to the /var/log/messages file (for a local login and an SSH login).

These Gaia Clish commands are available to work with this feature:

  • To see the current state of this feature: show audit login-notifier

  • To enable this feature (this is the default): set audit login-notifier on

  • To disable this feature: set audit login-notifier off

PRJ-45906,
ODU-946

Scalable Platforms

UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

PRJ-44960,
PMTR-85311

Scalable Platforms

UPDATE: Added a new log file to indicate the reason of member reboots if they are triggered by configuration mismatch - /var/log/configuration_reboot_info.log.

PRJ-44961,
PMTR-89393

Scalable Platforms

UPDATE: Added a new log file - /var/log/pull_config_report.log. It includes the summary of the "pull_config" action when it is performed on a member to indicate the reason for pull_config pnote/failures.

PRJ-45387,
ODU-914

HCP

UPDATE: Added Update 12 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-44450,
PRHF-27276

Security Management

In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow, and operations take longer than usual. Refer to sk180681.

PRJ-43185,
PRHF-26778

Security Management

If a Security Gateway is added to a group after configuring an installation policy preset, the policy may not be installed on that Security Gateway. Refer to sk181461.

PRJ-45872,
PRHF-28640

Security Management

In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified.

PRJ-35493,
PRHF-21009

Security Management

The Data Center object may change the status to "inaccessible/deleted", although the Virtual Machine in Azure was not deleted.

PRJ-42421,
PRHF-26275

Security Management

An upgrade may fail when a Network object Group contains more than 32000 members.

PRJ-45059,
PRHF-28094

Security Management

In large Multi-Domain Security Management environments, login to SmartConsole may fail while High Availability synchronization is running. Refer to sk180858.

PRJ-43558,
PRHF-26971,
PRJ-45049,
PRHF-27847,
PRJ-42547,
PRHF-26016

Security Management

In rare scenarios, in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897.

PRJ-47101,
PRHF-29329

Security Management

Policy installation may fail with "Target is not defined in the database" error when the target name has many underscore or dash characters.

See the Important Notes section.

PRJ-45157,
PRHF-28175

Security Management

APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites.

PRJ-45486,
PRHF-21566

Security Management

In rare scenarios, updating or deleting a cluster fails with "Failed to save object xxxx . Server error is: Data required for operation".

PRJ-42038,
PRHF-25898

Security Management

Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)".

PRJ-43567,
PRHF-27059

Security Management

After Full synchronization, SmartConsole login from a Domain Management Server to the Security Management Server that is configured as High Availability may fail.

PRJ-43810,
PRHF-27187

Security Management

Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584.

PRJ-42619,
PRHF-26287

Security Management

When using the "Deployment from Local Paths and URLs" option, and inserting a correct path, the client is being deployed through the Management Server and not Locally as it should be deployed.

PRJ-45653,
PRHF-28407

Security Management

Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service.

PRJ-44994,
PRHF-27895

Security Management

In rare scenarios, login to SmartConsole fails, and opening Security Gateway objects times out.

PRJ-41327,
PRHF-25274

Security Management

If the Security Management Server is behind NAT, remote Management API login fails.

PRJ-44084,
PRHF-27440

Security Management

Login with SmartConsole to a Security Management Server may fail if using a DNS name instead of an IP address. Refer to sk180514.

PRJ-42551,
PRHF-26118

Multi-Domain Security Management

After restoring a Multi-Domain Security Management Server, High Availability synchronization may fail with "The Security Management Servers contain different Hotfixes".

PRJ-45053,
PRHF-27948

Multi-Domain Security Management

In rare scenarios, in Multi-Domain multi-site environments, an IPS update on the Multi-Domain Security Management Server remains locked.

PRJ-40737,
PRHF-24558

Multi-Domain Security Management

Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers.

PRJ-44968,
PRHF-28002

Multi-Domain Security Management

In rare scenarios, in Multi-Domain Security Management environments with over 500K network objects, login to SmartConsole fails with "Connection timed out" or "Unable to connect to server" messages.

PRJ-46086,
PRHF-28685

Multi-Domain Security Management

A scheduled Install Policy Preset may not have its next run time updated when:

  • The Multi-Domain Security Management Server was down while the preset was scheduled to run

  • There are over 50 presets defined

PRJ-45067,
PRJ-46161,
PRHF-28192,
PRHF-28143

Multi-Domain Security Management

In rare scenarios, in a Multi-Domain Security Management environment:

  • Login to the Security Management Server may fail with timeout.

  • Publish operations may take a long time.

PRJ-46508,
PRHF-28930

SmartConsole

Data Center objects may not appear as unused objects in the Object Explorer view, although they should.

PRJ-43597,
PRHF-27209

SmartConsole

Typo in the Compliance report - "OSFP" instead of "OSPF".

PRJ-39254,
PRHF-23374

Logging

In rare scenarios, many open connections on port 18196 are observed on the Multi-Domain Security Management Server or Multi-Domain Log Security Management Server.

PRJ-41593,
PRHF-25533

Logging

SmartEvent may generate false Anti-Bot / Anti-Virus related logs which do not contain any information.

PRJ-20171,
PRHF-14263

Logging

In large environments, after policy installation or when loading Real Time Monitor, RTMD CPU consumption may be high for several minutes and the process may exit when 4 GB of memory is reached.

PRJ-38479,
SL-6728

Logging

In specific network configurations, after installing a policy, the target IP address of the Log Server may differ from what was configured.

PRJ-41665,
PRHF-25662

Logging

In some scenarios, in the Logs & Monitor view, no results are shown when filtering updatable object names by the "dst_uo_name" field.

PRJ-36111,
PRHF-21819

Security Gateway

When on Microsoft Active Directory the "mobile" attribute value in DynamicID authentication preferred method is changed to an email address and then back to a phone number, OTP may still be sent to the email.

PRJ-44094,
PRHF-27460

Security Gateway

In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to the BGP failure.

PRJ-44231,
PRHF-27318

Security Gateway

After policy installation, a VSX High Availability Cluster member may have a failover and generate a vmcore.

PRJ-44919,
PRHF-27936

Security Gateway

After an upgrade, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in logs.

PRJ-45495,
PRHF-28324

Security Gateway

On the Security Gateway with Management Data Plane Separation (MDPS) enabled:

  • when adding a RADIUS Server from WebUI, a new MDPS task with the IP address of the Server may not be added,

  • when deleting a RADIUS Server, the MDPS task may not be deleted.

PRJ-42357,
PMTR-88174

Security Gateway

Latency in connection caused by a packet flow change from F2V to F2F.

PRJ-45396,
PRHF-28037

Security Gateway

Login to Mobile Access Portal when authenticating with SAML may fail with an "Error while processing the request" message. Refer to sk180801.

PRJ-44999,
PRHF-27844

Security Gateway

In a Maestro environment, an encrypted over SSH or RDP connection may get closed when handled by the wrong member.

PRJ-44310,
PRHF-27439

Security Gateway

In rare scenarios, modifying the "fwmultik_temp_conns_enabled" parameter on-the-fly leads to the Security Gateway crash.

PRJ-42529,
PRHF-25233

Security Gateway

In some scenarios, while processing H323 traffic, the Security Gateway may unexpectedly restart.

PRJ-45477,
PRHF-28350

Security Gateway

Security Gateway may crash when running kernel debugs of the "UP" module.

PRJ-44250,
PRHF-27426

Security Gateway

When setting "cphwd_enable_ecmp = 1" (to route by the source and destination IP address), the Security Gateway may route the traffic to the wrong MAC.

PRJ-44953,
PMTR-86007

Security Gateway

When Check Point Active Streaming (CPAS) is used, and the Server's MSS is bigger than the client's MSS, packet fragmentation may occur.

PRJ-44976,
PRHF-27997

Security Gateway

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

PRJ-45185,
PMTR-90969

Security Gateway

Traffic stops working after a Security Gateway Member recovers from a failure. Refer to sk180705.

PRJ-45448,
PRHF-28277

Security Gateway

When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure.

PRJ-46686,
PMTR-91240

Security Gateway

When adding a new connection, the "Smart Connection Reuse" feature may cause errors in fwk.elg and connection drops.

PRJ-45954,
PMTR-83450

Security Gateway

When HTTPS Inspection is enabled, website loading in Firefox fails or is slow, after a few seconds, the "NS_ERROR_ABORT" error appears in the network tab of Firefox. Refer to sk180873.

PRJ-38110,
PRHF-22608

Security Gateway

In some scenarios, the Security Gateway may crash.

PRJ-44603,
PMTR-86732

Security Gateway

Stack buffer overflow may occur in the FWGTP process.

PRJ-46536,
PRHF-12636

Security Gateway

The FWK process may unexpectedly exit while processing the mail flow and generate a core dump.

PRJ-41966,
PRHF-25829

Security Gateway

When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected.

PRJ-46644,
PRHF-28694

Security Gateway

Incorrect parsing of GTP-U traffic may cause anti-spoofing drops.

PRJ-44854,
PRHF-27465

Security Gateway

Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter.

PRJ-44751,
PRHF-27707

Security Gateway

Policy installation may fail with "Error 2000240" because of an IPv6 flow issue.

PRJ-44550,
PRHF-27765

Threat Prevention

In some scenarios, the FWD process unexpectedly exits, and the Security Group Members state flaps between Active and Down during an Anti-Bot Blade update.

PRJ-42584,
PMTR-88424

Threat Prevention

When using a host with automatic static NAT in a Threat Prevention policy object, the rule may not be enforced.

PRJ-44199,
PMTR-89130

Threat Prevention

When IPS Blade is enabled, the Security Gateway may crash.

PRJ-44569,
PRHF-27749

Threat Prevention

After an upgrade, adding an IoC feed with IP range indicator type may fail with "Feed format problem. Bad or Empty feed".

PRJ-45561,
PRHF-21271

Threat Prevention

In some scenarios, Anti-Virus and Anti-Bot updates on Maestro Security Group Members may fail.

PRJ-39346,
PRHF-23473

Identity Awareness

There may be connectivity issues and high CPU spikes on PDP when installing policy.

PRJ-44315,
PRHF-27270

Content Awareness

When Content Awareness Blade is enabled, there is a limitation of the file size (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied on this connection.

PRJ-45427,
PRHF-28304

Application Control

Some TLS1.3 applications without SNI do not match the rules.

PRJ-41654,
PRHF-25585

IPS

Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps.

PRJ-45754,
PRHF-15953

Anti-Virus

The RAD process CPU utilization may be high when Anti-Virus engine processes many reverse DNS queries.

PRJ-46278,
PRHF-28749

Anti-Virus

Importing a custom intelligence feed containing IP ranges may fail.

PRJ-45098

Mobile Access

SSL Network Extender (SNX) may randomly disconnect after a version upgrade. Refer to sk173765.

PRJ-46401,
PRHF-28925

Mobile Access

Sending emails with attachments via Capsule Workspace may fail on iOS.

PRJ-45193,
PRHF-28182

Mobile Access

In rare scenarios, IOS users are unable to send emails using Capsule Workspace business mail.

PRJ-45162,
PMTR-91017

ClusterXL

A VRRP cluster member may be stuck in boot after a cluster upgrade.

PRJ-44873,
PRHF-27540

SecureXL

Traffic may be dropped and the FWACCEL core file is generated.

PRJ-44454,
PRHF-27561

ClusterXL

After several failovers in a cluster, connections may fail to synchronize. This can cause a timeout and the "first packet isn't syn" drops.

PRJ-44676,
PRHF-27803

SecureXL

After an upgrade, packets passing through a Remote Access VPN tunnel in a VSX environment may be silently dropped.

PRJ-45378,
PRHF-26701

Routing

A VRRP/VRRP6 interface may go into Master/Master state.

PRJ-41964,
MBS-16158

Routing

Routing log messages generated when Standby cluster members reconnect to members in Master state are not clear.

PRJ-44708,
PRHF-27240

Routing

An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface.

PRJ-44939,
PRHF-23766

Routing

After an update, multicast traffic may be dropped.

PRJ-44923,
PMTR-90799

Routing

When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode.

PRJ-41799,
PMTR-87520

Routing

Configuring OSPFv2 Graceful Restart and passive OSPF interfaces at the same time can cause graceful restart failures.

PRJ-45183
ROUT-2353

Routing

Cluster member may stop sending multicast PIM traffic after failover or a reboot. Refer to sk180669.

PRJ-41116,
PRHF-23620

Routing

There may be high CPU utilization and slow recovery of the ROUTED process after a failover.

PRJ-41961,
MBS-16159

Routing

In some scenarios, a Security Group Member failover can trigger routes to be lost on other members in the Security Group.

PRJ-45832,
PMTR-82733

Routing

The ROUTED daemon may unexpectedly exit because of multi-threading issues.

PRJ-46127,
ROUT-2801

Routing

The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths.

PRJ-44704,
PRHF-27225

Routing

Multicast receivers send IGMP membership reports, but the outbound interfaces are missing from the routing table.

PRJ-46357,
PMTR-73657

Routing

Routes marked as "stale" may be redistributed via BGP during graceful restart.

PRJ-45467,
PRHF-28353

VPN

StrongSWAN Remote Access authentication fails when the LDAP lookup type is not the default method.

PRJ-44828,
PRHF-27569,

PRJ-44990,
PRHF-28061,

PRJ-46301,
PRHF-28849

VPN

  • Remote Access clients are unable to connect using Machine Certificate Authentication when the certificate has OCSP and CRL but the gateway is unable to resolve properly the OCSP or to get a proper answer from the OCSP server. Refer to sk179434.

  • OCSP is disabled on the user's IIS Server, but the Security Gateway does not fall back to the CRL method. Refer to sk179434.

  • Security Gateway sends defaultCert to the third party instead of an OCSP certificate. An unexpected OCSP response may cause a VPN gateway to stop using its certificate until the next policy installation. Refer to sk180683.

PRJ-45918,
PRHF-28589

VPN

The FWM process may unexpectedly exit at startup because of an incorrect VPN key initiation.

PRJ-43826,
PRHF-27339

VPN

In a Site to Site VPN, when one of the sites is a cluster in Load Sharing mode, it can cause incorrect destination member calculation for asymmetric connection and the traffic might be dropped. Refer to sk180855.

PRJ-41969,
PRHF-25866

VSX

Increasing the MTU value of a bonded tagged interface may not be possible.

PRJ-44088,
PRHF-27224

VSX

Values provided by the VSX OID tree: 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect.

PRJ-45144,
PRHF-28154

VSX

Some packets may disappear when using the i40e driver, and VMAC is configured on the cluster.

PRJ-45400,
PRHF-28365

VSX

Warp interfaces may appear in VS0 and disrupt connectivity when editing a Virtual Switch with a bond and VLANs.

PRJ-44744,
PMTR-90616

VSX

Virtual System's interfaces may be missing when running the Clish command "show/save configuration".

PRJ-45004,
PRHF-28080

VSX

A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command.

PRJ-29905,
PMTR-72562

Gaia OS

It may not be possible to enter a snapshot description with more than one word.

PRJ-45862,
PMTR-91668

Gaia OS

Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error.

PRJ-41908,
PRHF-25737

Gaia OS

Gaia WebUI logs are printed with "info" severity.

PRJ-42778,
PRHF-26416

Gaia OS

Scheduled SCP snapshots to a Windows Server may fail with the "Failed to connect to remote server. Please validate connection".

PRJ-45564,

ACCHA-2110

Gaia OS

The $FWDIR/log/fwd.elg file may get corrupted during log rotation. Refer to sk180728.

PRJ-45791,
PRJ-42015

CloudGuard Network

Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries.

PRJ-45539,
PRHF-27987

CloudGuard Network

AWS Data Center mapping fails when an interface subnet is missing from the list of subnets.

PRJ-46474,
PMTR-90803

VoIP

SIP traffic may be dropped and "kiss_htab_bl_infra_slink: failed "earlynat_sport_ghtab_bl":3 reason: KISS_HTAB_BL_SLINK_LIMIT_REACHED" is printed in the fwk.elg file.

PRJ-44613,
PRHF-27502

VoIP

In rare cases, SIP UDP traffic may cause Security Gateway to crash because of a memory allocation issue.

PRJ-43516,
PRHF-26939,

PRJ-32398,
PRHF-19493

VoIP

After an upgrade, VoIP, and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651.

PRJ-42616,
PMTR-76837

Scalable Platforms

The FW process may unexpectedly exit, producing a core dump file.

PRJ-45884,
PMTR-90935

Scalable Platforms

In VSLS mode, SNMP traffic may incorrectly be forwarded to SMO instead of DR manager of the corresponding Virtual System.

PRJ-44926,
PMTR-86526

Scalable Platforms

After an upgrade, local IPv6 traffic from Active members may fail.

PRJ-41940,
PMTR-87577

Scalable Platforms

When adding a new Virtual System and installing a policy, member state may change to Down.

PRJ-42513,
PMTR-88150

Scalable Platforms

Upon failover/failback, multicast packets are sent to Active members only. The member that changed state from Down to Active starts receiving the multicast packets before the route is resolved. This may impact traffic.

PRJ-42263,
ACCHA-2021

Scalable Platforms

Excessive "cphwd_get_device_accelerated_ifs: too many interfaces (32,XXX)" messages may log to $FWDIR/log/fwk.elg. Refer to sk180439.

PRJ-32729,
PMTR-72467

Scalable Platforms

When there is a connectivity issue in the cluster, OSPF packets may be sent with delays and cause an outage.

PRJ-44527,
PMTR-78822

Scalable Platforms

License is not copied from SMO to all other members if other members are in Down state.

PRJ-43219,
CST-312

Carrier Security

Security Gateway drops GTP traffic with the reason "Static IP not allowed". See sk181506.

PRJ-43223,
CST-316

Carrier Security

Security Gateway drops GTP Echo Response traffic with the reason "Wrong Destination Port". See sk181507.

PRJ-46672,
PRHF-28770

Carrier Security

Packet corruption, leading to traffic and performance issues.

PRJ-46675,
PRJ-46681,
PRHF-29045,
PRHF-28963,

PRJ-46678,
PRHF-28973

Carrier Security

After an upgrade, GTP traffic and memory issues may occur.

Take 82

Published on 22 March 2023 and declared as Recommended on 8 May 2023

PRJ-43894,
PMTR-89750

Security Gateway

NEW: We have extended the grace period of Compliance Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-44254,
PMTR-90165

Threat Extraction

NEW: We have extended the grace period of Threat Extraction Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-43806,
PMTR-89699

Application Control,

URL Filtering

NEW: We have extended the grace period of Application Control and URL Filtering Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-44575,
PMTR-90463

Internal CA

NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.

PRJ-43909,
PMTR-89774

SmartView

NEW: We have extended the grace period of SmartEvent Blade to support you for 90 days following contract expiration to continue providing the best security value during the renewal process.

PRJ-42182,
PMTR-87948

IPS

NEW: Added ability to block "HTTP 206 partial content" responses from resources with malicious content.

PRJ-42657,
TPP-2280

IPS

UPDATE: In several IPS protections, improved performance for traffic that contains repeated sections.

PRJ-42305,
PRHF-25869

Security Management

UPDATE: Improved the "Purge revisions" operation to reduce the size of the database.

PRJ-36634,
PRHF-22345

Security Management

UPDATE: Added an option to configure the maximum number of IPS SNORT rules.

These lines should be added at the end (or their value should be changed if they already exist) in the file $FWDIR/conf/malware_config

(for MDS - additionally in the $MDS_FWDIR/conf/malware_config file):

"[IPS]

snort_convertor_max_rules_per_update=<value>

snort_convertor_total_rules_num_limit=<value>".

Refer to sk136515.

PRJ-41618,
PMTR-87160

Security Management

UPDATE: To reduce policy installation time in large environments (that have many instances), policy can be installed in batches.

  • Each batch contains several instances that install the policy at the current iteration. By default, the batch size is set to "0" (off).

  • To enable it, run a CLI command "cpprod_util FwSetParam CP_INSTALL_POLICY_MT_LIMIT val" and set the value >0.

PRJ-34963,
PRJ-34958

CPView

UPDATE: Added logging information. The Logging tab can be found in the Advanced tab on both the Security Management Server and Security Gateway. Refer to sk101878.

PRJ-41200,
PRHF-24563

Security Gateway

UPDATE: Added ability to force GNAT Port randomization. It is controlled by kernel parameter (off by default).

  • To activate it, GNAT should be enabled. Also, in the fwkern.conf file, run "set fwx_force_random_nat_port_alloc=1",

  • To disable, run "set fwx_force_random_nat_port_alloc=0".

PRJ-44558,
PMTR-90438

Security Gateway

UPDATE: Apache HTTPD version was updated from 2.4.53 to 2.4.55 to fix CVE-2022-37436.

PRJ-43722,
PMTR-82302

SSL Inspection

UPDATE: The secp256r1 curve is now the preferred choice for signing ECDSA (Elliptic Curve Digital Signature Algorithm) certificates.

PRJ-44611,
PMTR-90504

Threat Emulation

UPDATE: FakeServer will now listen for packets coming from the Virtual Machine during Threat Emulation to port 18443 instead of port 8443.

PRJ-43968,
PRHF-27306

VPN

UPDATE: When the VTI MTU is different from the physical MTU, the physical MTU is used for sending packets by default.

  • To modify the default behavior (the change does not survive reboot), run the CLI command "fw ctl set int sim_vpn_use_physical_mtu 0 -a". This allows using configured VTI MTU as the default.

  • To make the change permanently, open the $PPKDIR/conf/simkern.conf file for editing and add the entry "sim_vpn_use_physical_mtu=0".

Refer to sk98074.

PRJ-42403,
PMTR-87600

VSX

UPDATE: Added more logs related to Pushing VSX Configuration.

  • On the Security Gateway side: in the last_vsx_push_configuration.elg. The log file will now be circular.

  • On the Security Management side: in the vsx_util log. Also, commands are added to the name of log files (for example, vsx_util_reconfigure_xxxxx_xx_xx.elg).

  • VSX Provisioning tool is now logged in the vpt_history.elg.

.

PRJ-45267,
PMTR-91124

GaiaOS

UPDATE: Added a defense mechanism against the hostname command injection in the Gaia Portal (CVE-2023-28130). Refer to sk181311.

PRJ-44638,
PMTR-90527

Gaia OS

UPDATE: Upgraded OpenSSL from 1.1.1n to 1.1.1t to include the latest security improvements.

PRJ-43612,
PRHF-26959

Gaia OS

UPDATE: Gaia Cloning Groups will now use the highest TLS version available.

PRJ-44356,
PRJ-44354

CloudGuard Network

UPDATE: Added support for Data Centers in AWS ap-southeast-4 Melbourne region.

PRJ-43050,
PRJ-43048

CloudGuard Network

UPDATE: Added support for Data Centers in AWS eu-south-2 (Spain) and eu-central-2 (Zurich) and ap-south-2 (Hyderabad) regions.

PRJ-43026,
PRJ-43025

CloudGuard Network

UPDATE: Added support for connecting to VMware NSX-T 4.0.0.x and higher.

PRJ-43403,
PMTR-89295

Diagnostics

Skyline may not show any information. Refer to sk180748.

PRJ-41927,
PRHF-25575

Security Management

After an upgrade, while installing a policy, SmartConsole may unexpectedly close with a "The connection with the server was lost. Any unsaved changes will be preserved" message. Refer to sk180294.

PRJ-40225,
PRHF-24308

Security Management

The FWM process may frequently exit. This causes SmartConsole authentication to fail and dashboards that were opened before to get closed.

PRJ-44024,
PRHF-27405

Security Management

When using Custom Application/Site Group objects in an Access policy, policy installation may fail with an "Internal error" message.

PRJ-41891,
PRHF-25534

Security Management

High Availability synchronization fails if automatic purge is configured to run on the Standby Management Server.

PRJ-42409,
PRHF-26108

Security Management

Login to the Security Management Server or Multi-Domain Security Management Server may fail with the "Connection timeout" error.

PRJ-43093,
PRHF-25895

Security Management

After configuring an IoC feed on the Global Domain and assigning a Global Policy, Threat Prevention policy installation in the local Domain fails.

PRJ-41761,
PRHF-25381

Security Management

In some scenarios, the CME process fails to start.

PRJ-42041,
PRHF-25899

Security Management

In a rare scenario, the Show Package tool and some Management API commands with details-level "full" fail.

PRJ-39745,
PRHF-24043

Security Management

Adding a rule with the Management API and setting the action "to ask" does not set a default UserCheck if UserCheck was not specified. This may cause policy verification failure.

PRJ-43362,
PMTR-87860

Security Management

Editing a Global Assignment object using Ansible may fail.

PRJ-43316,
PMTR-87565

Security Management

In SmartConsole, when editing a tagged Security Gateway object, the tags may get removed.

PRJ-44628,

PMTR-90519

Security Management

There may be many duplicates of OCSP response in the $CPDIR/tmp/curl_crl_ocsp folder.

PRJ-43253,
PMTR-77168

Security Management

In some scenarios, the "api status" command shows that the Management API service is stopped.

PRJ-42109,
PRHF-25747

Security Management

The date of a policy configured with "accelerated installation" may not be updated in logs.

PRJ-43311,
PMTR-88097

Security Management

The API command "show-nat-rulebase" may not show the name of each rule in the Rule Base.

PRJ-43961,
PRHF-27308

Security Management

In rare scenarios, the Security Gateway accepts all IP addresses as approved "gui_clients", although it was provided with a list of specific trusted IP addresses.

PRJ-44459,
PRHF-27327

Security Management

In some scenarios, the "run-script" Management API command may fail with "Null Pointer Exception" when using root user permissions.

PRJ-42048,
PRHF-25759

Multi-Domain Security Management

In rare scenarios in a Multi-Domain Security Management environment:

  • Login to the Management Server may timeout and fail.

  • Publish operation may take a long time.

PRJ-42848,
PRHF-26378

Multi-Domain Security Management

In a Multi-Domain Security Management environment, traffic may not match rules with custom applications.

PRJ-44336,
PMTR-89535

CPView

The Network-per-CPU tab under CPVIEW > Advanced > SecureXL does not show traffic distribution for all CPUs. Refer to sk180540.

PRJ-42083,
PRHF-25916

CPView

A typo in "Dropped fragmentation violation" under CPView > Advanced > SecureXL > Drops.

PRJ-43588,
PMTR-89477

CPView

In a Multi-Domain Security Management environment, Skyline is down after mdsstop/mdsstart.

PRJ-42283,
PMTR-83780

CPView

CPView may not show some interfaces.

PRJ-43392,
PRHF-26905

Logging

When working with Multi-Domain Security Management, Virtual Systems (VS's) may be unable to send logs to the management because the Log Server constantly disconnects.

PRJ-41017,
PRHF-23629

Logging

After an upgrade and change of the Security Management Server name, logs created before the upgrade are unavailable.

PRJ-33051,
PRHF-20237

Logging

The "Daily logs retention" configuration on the Security Management Server / Log Server object is not applied if the "When disk space is below <number> Mbytes, start deleting old files" option is not enabled in the Disk Space Management. Refer to sk176803.

PRJ-41017,
PRHF-24896

Security Gateway

When using the SMTP service with resource objects in a rule and NAT is configured for the destination IP address, the traffic may match the Cleanup rule instead.

PRJ-39800,
PRHF-23890

Security Gateway

After making changes in Policy-Based Routing (PBR) and GRE configuration, the Security Gateway may repeatedly crash.

PRJ-43126,
PMTR-89008

Security Gateway

Some TCP connections may be stuck in "Both-Fin" state in the SecureXL connection table and cause high memory consumption.

PRJ-42087,
PRHF-25938

Security Gateway

The "fw monitor" command output may contain "no packets left to merge" messages.

PRJ-42706,
PRHF-26247

Security Gateway

DNS parser incorrectly handles additional records, which results in appearing additional DNS IP addresses in the FQDn objects list.

PRJ-41540,
PMTR-87066

Security Management

The FWK process may unexpectedly exit during Threat Prevention policy installation.

PRJ-41579,
PMTR-65731

Security Gateway

In some scenarios, the CPD process may unexpectedly exit.

PRJ-41563,
PRJ-41202

Security Gateway

SAML authentication fails with the "HTTP 500" error when MDPS is enabled on the Security Gateways. Refer to sk179625.

PRJ-42756,
PMTR-88555

Security Gateway

The Security Gateway may crash because of an issue in the FILEAPP (File Application) module.

PRJ-44080,
PRHF-26620

Security Gateway

In an Active/Standby cluster, when downloading a file using FTP protocol, the FWK process may unexpectedly exit, and a core dump file is generated.

PRJ-39601,
PRHF-22874

Scalable Platforms

The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages.

PRJ-37150,
PRHF-22237

ClusterXL

In an Active/Active cluster, a member may reboot because of a memory corruption issue.

PRJ-41877,
PMTR-87372

Security Gateway

On supported Open Servers (sk167052), after changing the Firewall mode from Kernel Space (KSFW) to User Space (USFW) and reboot, the Security Gateway continues to boot in the Kernel Space mode.

PRJ-40877,
PMTR-85619

Security Gateway

In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages.

PRJ-42803,
PRHF-23758

Security Gateway

Stability issues when ICAP client is active.

PRJ-39607,
PRHF-22919

Security Gateway

The Security Group Member (SGM) frequently goes into a Lost-> Down-> Active state because of fullsync pnote. This causes outages.

PRJ-43553,
PRHF-26844

Security Gateway

Security Gateway may drop traffic when Dynamic Anti-Spoofing is enabled.

PRJ-42943,
PRHF-26610

Security Gateway

When Anti-Spoofing is enabled, the Security Gateway may crash.

PRJ-38808,
PMTR-82347

Security Gateway

In a rare scenario, when QoS is enabled, the Security Gateway may crash.

PRJ-41633,
PRHF-25363

Security Gateway

Dynamic Dispatcher may send fragments of the same packet to different Firewall instances during a high load of fragmented traffic. This may cause some packets to drop.

PRJ-36009,
PRHF-21529

Security Gateway

The Security Gateway may frequently crash with vmcore files, recording invalid context.

PRJ-43704,
PRHF-27184

Security Gateway

The Security Gateway may crash during policy installation if the Rule Base has multiple layers and many interfaces on the Security Gateway (VLANs).

PRJ-42101,
PRHF-25657

Security Gateway

When adding an Access Role object in the NAT Rule Base, connectivity issues on the Security Gateway may occur if the Identity Awareness Blade on it is disabled.

PRJ-43532,
PRHF-26097

Security Gateway

The Security Gateway may crash because of a race condition that occurs during interface change while interface statistic is calculated.

PRJ-43838,
PRHF-27097

Security Gateway

The Security Gateway may receive duplicated traffic (such as non-IP protocol connections) for IPS inspection. This can trigger high CPU usage and result in failures to connect over SSH or policy installation.

PRJ-43885,
PRHF-26861

Security Gateway

In some scenarios, the FWD process is stuck during policy installation.

PRJ-43010,
PRHF-26600

Security Gateway

When adding a new RADIUS Server in Gaia Portal, its IP address is automatically added to MDPS tasks, but when deleting this Server, the MDPS task is not deleted.

PRJ-42295,
PRHF-26094

Security Gateway

When MDPS is configured, mdps_tun interface is shown when running the "cpstat ha -f all" command.

PRJ-40319,
PRHF-23658

Security Gateway

In rare scenarios, the FWK process can unexpectedly exit and cause an outage.

PRJ-41494,
PRHF-24787

Security Gateway

Stability issues when ICAP client is active.

PRJ-40108,
PRHF-20889

Security Gateway

In a rare scenario, the Security Gateway may crash when offloading packets to SecureXL.

PRJ-43346,
PMTR-88981

Security Gateway

A connection may be closed with the "ws_mux_handle_poll: ERROR: Poll flag still set after unsetting" error in the fwk.elg file, when HTTP parser does not receive requested data.

PRJ-42902,
PRHF-26659

Internal CA

The certificate in SmartConsole is shown as valid, although it is expired.

PRJ-41435,
PRHF-25382

Internal CA

When managing cloud Gateways, the FWM process memory usage may increase.

PRJ-42285,
PRHF-26079

Threat Prevention

The "ioc_feeds set interval -r" command may fail.

PRJ-42223,
PRJ-41688

Threat Prevention

In some scenarios, a "malware_res_rep_rad_query: rad_kernel_malware_request_prepare() failed" message may appear in the /var/log/messages file.

PRJ-41597,
PRHF-25439

Threat Prevention

Anti-Virus Blade fails to parse external IoC feeds that contain commas in the CSV column field value.

PRJ-43994,
PRHF-25811

Threat Prevention

IoC feed may not load because of a parsing issue with the IP address range indicator.

PRJ-38664,
PRHF-23320

Threat Prevention

The DLPU process may unexpectedly exit with a core dump file.

PRJ-43997,
PRHF-25573

Threat Prevention

IoC feed may not load, and the "Feed status cybercrime-tracker_hash_list :: engine memory allocation error. Feed log External IoC - External Indicators processing failed" error is displayed in CLI.

PRJ-32737,
PRHF-20234

Threat Prevention

After an upgrade, the FWD process may frequently exit while creating an AMW_report.xml.

PRJ-37566,
AVIR-1428

Threat Prevention

When Anti-Virus Blade is enabled, the Security Gateway may crash because of a memory allocation issue.

PRJ-40471,
PMTR-84923

Threat Prevention

If SSH Deep Packet Inspection (DPI) is enabled and NAT is configured on the Security Gateway, SSH connectivity from the Internet may not be possible.

PRJ-42437,
PMTR-87619

Threat Prevention

Automatic IPS, Anti-Virus or Anti-Bot updates may fail because of a corrupted next_update file.

PRJ-41322,
PRHF-25083

Identity Awareness

Connectivity issue may occur during Azure AD Group fetch, and the "get_http_error_msg - http code is 401" error response is shown in Identity Awareness logs.

PRJ-42343,
PRHF-26221

Identity Awareness

During subsequent policy installations (with an interval of at least 11 minutes between them), the Identity Awareness Gateway configured as an Identity Broker Subscriber revoked all Identities it learned from the Identity Awareness Gateway configured as its Identity Broker Publisher. Refer to sk180659.

PRJ-33064,
PRHF-20425

Identity Awareness

In a rare scenario, a wrong access role may be assigned to a user.

PRJ-42338

Identity Awareness

In a VSX High Availability cluster, a member in the Backup state should remain idle, but it opens connections for identity sharing.

PRJ-42998,
PRHF-24890

Identity Awareness

In a rare scenario, disconnection between the Identity Server (PDP) and Identity Gateway (PEP) leads to missing identities on the PEP side.

PRJ-42932,
PMTR-88806

Identity Awareness

The PDPD process may cause CPU spikes during cluster failover.

PRJ-43746,
PRHF-27158

Identity Awareness

The output of the "pdp monitor cv_le <agent-version>" command may be incorrect.

PRJ-44382,
PRHF-27645

Application Control

A buffer overflow may occur and cause the FWD process to exit. This leads to the Security Group Members in a Maestro environment change from Active to Down state and creates instability.

PRJ-42505,
PRHF-26186

Application Control

In a rare scenario, when Application Control is enabled, the Security Gateway in AWS Cloud may crash. The issue does not occur if Application Control database on the Security Gateway is updated with Release 141122_1 and higher.

PRJ-41220,
PMTR-86437

Application Control

The RAD process may freeze when an error occurs, and an error event is initialized.

PRJ-43502,
PRHF-26475

Application Control

Policy installation may fail with an "Error 0-200184" message because of memory allocation issues.

PRJ-43974,
PRHF-27284

URL Filtering

When applying the "appi_urlf_ssl_cn_use_sni_without_validation" kernel parameter, only the first notified application may be considered for Rule Base matching, and the rest of the apps are not detected.

PRJ-41377,
PRHF-25330

IPS

When Anti-Virus is enabled, the Mail Transfer Agent (MTA) log files may get blocked because of fail-close operation.

PRJ-29955,
MBS-14698

Anti-Bot

The "asg perf --delay" command does not change the "refresh time" on the screen.

PRJ-43681,
PRJ-43359

SSL Inspection

In some scenarios, Inbound HTTPS Inspection may fail when working in USFW (User-Space Firewall) mode.

PRJ-41412,
PRHF-25371

Mobile Access

Access to a web application that uses WebSocket protocol may not be possible.

PRJ-42590,
PMTR-88426

IPS

The Security Gateway may crash during policy installation because of a memory allocation problem.

PRJ-44179,
PMTR-89863

IPS

In some scenarios, the FWK process may unexpectedly exit, while Threat Prevention Blades inspect HTTP traffic.

PRJ-42713,
PRHF-26557

IPS

In a rare scenario, the Security Gateway may crash during an IPS package update.

PRJ-43582,
PRHF-27076

DLP

A memory leak may occur in the DLPU process.

PRJ-35485,
PRHF-21504

DLP

DLP logs for files uploaded to Microsoft OneDrive do not show the initial file names and extensions. Refer to sk178290.

PRJ-44010,
PMTR-89738

Anti-Virus

The fwk.elg file may be flooded with the "match_cb for CMI APP 11 - CI AV failed on context 144, executing context 366 and adding the app to apps in exception" messages because of improper parsing of HTTP headers by Anti-Virus Blade.

PRJ-43180,
PRHF-26878

SSL Inspection

The WSTLSD process may unexpectedly exit and create core dump files.

PRJ-43890,
PRHF-26317

SSL Inspection

In rare scenarios, the FWK and/or WSTLSD processes may unexpectedly exit and create a core dump during certificate validation. Refer to sk180473.

PRJ-44290,
PRHF-27598

Mobile Access

Some web applications which use PT or UT link translation methods may have issues after a browser upgrade.

PRJ-43153,
PRHF-26867

Mobile Access

The CVPND process may unexpectedly exit and create a core dump file.

PRJ-41258,
PRHF-25249

Mobile Access

Web applications may not work correctly when Mobile Access Blade is configured in Hostname Translation (HT) mode while the "obscure_destination_hostname" management attribute is disabled.

PRJ-42467,
PRHF-26292

Mobile Access

When Mobile Device Management (MDM) cooperative enforcement feature is enabled, establishing a VPN connection fails while the HTTPD log incorrectly indicates a compliance issue.

PRJ-43115,
PMTR-87809

ClusterXL

The "cphaprob tablestat" command may fail on the Security Gateway with many interfaces.

PRJ-42463,
PRHF-26264

ClusterXL

Stability issues may occur in a Multi-Version Cluster (MVC) when VPN is enabled.

PRJ-43004,
PRHF-26722

ClusterXL

Traffic does not pass through the GRE tunnel when Virtual MAC (VMAC) is enabled. Refer to sk180292.

PRJ-44167,
PRHF-27330

ClusterXL

When handling HTTP/2 traffic, cluster members may crash, generating vmcores.

PRJ-42895,
PRHF-26517

SecureXL

SecureXL may drop traffic when HTTPS Inspection is enabled on a VSX Security Gateway with a Virtual Router.

PRJ-29667,
PRHF-18663

SecureXL

When the "fw_tcp_out_of_state_monitor" mode is enabled with the "fw_allow_out_of_state_tcp" flag, some connections may be dropped, although they should go through and be monitored.

PRJ-42574,
PRHF-25865

SecureXL

Multicast traffic may get dropped, and no logs are generated.

PRJ-44130,
PMTR-89935

SecureXL

IPv6 template is not created when the connection is NATed.

PRJ-43982,
PMTR-89372

SecureXL

In a rare scenario, a CPAQ message sent during policy push does not have critical priority, and can be dropped when the Security Gateway is busy.

PRJ-43409,
PRHF-6347

Routing

The ROUTED process may repeatedly exit when using PIM in Sparse mode (SM).

PRJ-43921,
ROUT-2460

Routing

Failover may take longer than expected and traffic does not pass for several seconds because dynamic routes are lost.

PRJ-43055,
PMTR-74260

Routing

The "show ospf neighbors" command shows incorrect values for OSPF "Hello" and "Dead" intervals. Refer to sk180486.

PRJ-44258,
PRHF-27407

Routing

The ROUTED daemon may unexpectedly exit when using PIM and source IP address is set "0.0.0.0".

PRJ-41112,
PMTR-73346

Routing

It may take up to three hours for the second member to become Standby after a failover. An outage may occur during this time.

PRJ-41330,
PRHF-25024

Routing

The ROUTED daemon may unexpectedly exit and generate core dumps after OSPF neighborship was established but did not advertise routes. Lost routing causes the network to be down.

PRJ-42309,
PMTR-87519

VPN

Improved VPN tunnel synchronization in a Multi-Version Cluster environment (MVC).

PRJ-43194,
PRHF-26797

VPN

TCP traffic on port 34500 may be encrypted by VPN, although it should not.

PRJ-24874,
PRHF-16890

VPN

VPN endpoint users fail to login with ECDSA certificate.

PRJ-44666,
PMTR-86522

VPN

When running the "vpn tu tlist" on cluster Standby members, old IKEv2 SAs may be printed in the output.

PRJ-40912,
PRHF-24641

VPN

The "failed to terminate session" error is displayed when using RAsession_util to terminate Endpoint client.

PRJ-44947,
PRHF-28050

VPN

When many users in nested groups login using Remote Access Client \ connect to VPN, and the LDAP topology is large, there may be a spike of CPU usage and performance impact. Refer to sk180664.

PRJ-40727,
PMTR-76539

VPN

In some scenarios, when NAT is configured, VoIP traffic is dropped.

PRJ-42878,
PRHF-26241

VPN

When initiating IKEv2 tunnel from Check Point to a third party, creating Child SA fails. Refer to sk180281.

PRJ-42560,
PRHF-26325

VPN

When the user connects with RADIUS authentication method, the "Authentication method" value in Mobile Access logs is shown as empty.

PRJ-42761,
PRHF-26567

VPN

Despite the Secure Configuration Verification (SCV) exceptions being configured to not apply for connections, the strongSWAN client's traffic is dropped with the "Client's configuration is not verified" error.

PRJ-41374,
PRHF-25367

VPN

StrongSWAN Remote Access client can connect but fails to access internal resources.

PRJ-43549,
SDWANGW-1205

VPN

VPN stability issues.

PRJ-43298,
PRHF-26853,

PRJ-43594,

PRHF-27185

VPN

Stability issues for Data connections (RDP / RTP / FTP/ETC). Refer to sk179651.

PRJ-41049,
PRHF-21309

VPN

A memory leak may occur in the VPND process.

PRJ-40283,
PRHF-24166,

PRJ-43712,
PRHF-27256,

PRJ-42652,
PRHF-26482

VPN

  • NAT-T traffic may stop matching the implied rule after policy installation and is dropped with "IKE_NAT_TRAVERSAL Traffic Dropped from x.x.x.x to y.y.y.y" message in SmartLog.

  • VPND and IKED stability issues occur when loading newly created LDAP group objects.

Refer to sk180530.

PRJ-43385,
PRHF-27010

VPN

After an upgrade, an incorrect IPSec users counter may be displayed in SmartView Monitor or when running the "cpstat vpn -f ipsec" command for a cluster. The issue is cosmetic only.

PRJ-44121,
PMTR-88803

VSX

Changing the main IP address of a Virtual Router may cause the FWM process to exit.

PRJ-42882,
PMTR-88764

VSX

In VSX, if Dynamic Balancing was manually disabled on R81, after an upgrade from R81 to R81.20, it automatically gets enabled.

PRJ-41696,
VSX-2670

VSX

The "vsx_util change_mgmt_subnet" command may fail if a VSX object is not correctly saved in the database.

PRJ-42253,
PRHF-26113

Gaia OS

Running the "save configuration" command the second time in the same Clish session may fail with the "free(): invalid pointer" error.

PRJ-42961,
PRHF-26713

Gaia OS

IPv6 address may be removed from bond VLAN interface when changing bond xmit-hash-policy configuration. Refer to sk180309.

PRJ-43650,
PRHF-27195

Gaia OS

When setting password hash on cloning group members, some members may not get updated.

PRJ-42525,
PRHF-26323

Gaia OS

Gaia backup fails with "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups" although there is enough free disk space in the /var/log/ partition. Refer to sk180181.

PRJ-43429,
PRJ-42646

Gaia OS

In some scenarios, the "nslookup" command can cause the NSLOOKUP process to exit.

PRJ-42623,
PRHF-26432

Gaia OS

SNMP trap may not be sent after a cluster failover if it occurred by running the "clusterXL_admin down" command.

PRJ-42219,
PRHF-25947

Gaia OS

Incorrect logs are printed in the /var/log/httpd2_error_log file when logging into the WebUI.

PRJ-44237,
PRHF-27526

Gaia OS

The System Backup page in the Cloning Group view may be empty, although a scheduled backup was added.

PRJ-40033,
PRHF-24249

Gaia OS

When running the "ifconfig -a" command on a Virtual System (VS) with more than 250 interfaces, the "/bin/cp-ifconfig.sh: line 179: /bin/echo: Argument list too long" error is printed.

PRJ-43562,
PRHF-27096

Gaia OS

When restoring a backup with VSX objects, the objects database may not be restored on the newly installed Security Management Server.

PRJ-43024,
PMTR-62519

Gaia OS

The /usr/local/apache2/logs/access_log file is now rotated when its size reaches 1GB. This log file was added to the /etc/cpshell/log_rotation.conf configuration file. Refer to sk166198.

PRJ-43985,
PRHF-27222

Gaia OS

The "lldpneighbors" Clish command may have a corrupted output. Refer to sk182065.

PRJ-40692,
PMTR-71707

Harmony Endpoint

When connecting to the Security Management Server with SmartEndpoint but Endpoint component is not activated on the Server, the FWM process may unexpectedly exit.

PRJ-44477,
PMTR-90345

CloudGuard Network

Azure scan fails if a Virtual Machine Scale Set (VMSS) is deleted after the scan started.

PRJ-44346,
PRHF-26820

CloudGuard Network

The "Logical Volume duplicate fail" error is displayed in CLI when increasing the lv_current partition with lvm_manager on Azure. Refer to sk180381.

PRJ-43258,
PRHF-26750

CloudGuard Network

Disabling or removing all network interfaces from a vCenter object is not dynamically reflected on the CloudGuard Controller Data Center object.

PRJ-43395,
PMTR-80399

CloudGuard Network

VPN Cluster stability issue when the peer is an Azure Security Gateway.

PRJ-43576,
PMTR-89444

CloudGuard Network

When enabling debug mode with the "$MDS_FWDIR/scripts/cpm_debug.sh -c ObjectCrudSvcImpl" command, it may impact the work of CloudGuard Central License utility. And adding license fails.

PRJ-42854,
PRHF-26286

CloudGuard Network

A Kernel-based Virtual Machine (KVM) or a Virtual Machine using SRIOV with the i40evf/ixgbevf network driver, may boot with non-optimized performance settings.

PRJ-43067,
PRHF-26666

CloudGuard Network

Importing objects from VMware vCenter may fail with a "Failed to fetch objects from the Data Center." message because of a rare communication issue between CloudGuard Network Security controller and VMware vCenter Data.

PRJ-43076,
PRHF-26401

VoIP

While handling a multi-INVITE scenario (where a user registers with multiple devices), and the VoIP SIP MultiCore feature is enabled, each SIP INVITE maybe be handled simultaneously on different FW instances and cause memory corruption.

PRJ-39601,
PRHF-22874

Scalable Platforms

The SMO may frequently go into Lost-> Down-> Active state because of a memory leak in the FWK process. The issue causes failover and outages.

PRJ-42753,
PRHF-26604

Scalable Platforms

When using asg alert, the domain name is changed to "BladedCenter.com" instead of the configured name.

PRJ-42927,
PMTR-88804

ClusterXL

A Hide NAT port may be allocated twice causing the "out of state" drops.

PRJ-29152,
MBS-14167

Scalable Platforms

The BMAC address is not updated after moving an SGM from one slot to a different slot. (The issue applies to Security Gateway only, not to VSX.)

PRJ-43382,
PMTR-76352

Scalable Platforms

The clock verifier test (clock_verifier -v) fails.

PRJ-43245,
PMTR-74779

Scalable Platforms

In a Maestro Security Group, VPN tunnel is established correctly, but the local connection from Virtual Systems (VSs) fails. The issue occurs when packets are not forwarded to the right VS from the Virtual Switch (VSW).

PRJ-32201,
PRJ-31553

Scalable Platforms

In VSX mode, when configuring affinity settings on Security Group members, a new added member may stay in Down state.

PRJ-23110,
MBS-9806

Scalable Platforms

When creating a Virtual Switch in a Scalable Platform environment, virtual interfaces with names that start with "wrp<Number>" and "wrpj<Number>" have the same MAC address. This causes traffic from the External Switch to the Virtual System (through the Virtual Switch) to be handled by the Virtual Switch. It may lead to high CPU utilization on the Virtual Switch and traffic outage.

PRJ-44160,
PRJ-43959

Gaia OS

When uninstalling a Jumbo Hotfix, some of the REST APIs may not work. The "gaia_api status" command returns an error and requests may fail.

See the Important Notes section.

PRJ-43803,
PRJ-43802

Scalable Platforms

The "asg perf" command fails when running it with the "-vv" flag.

PRJ-40399,
PRHF-24044

Carrier Security

GTP traffic may be dropped, and tunnels are not registered in gtp_tunnels.

PRJ-31657,
MBS-14468

Scalable Platforms

The output of the "asg perf -6" command shows "IPV6 is Disabled".

PRJ-40568,
PRJ-40549

Scalable Platforms

The output of the "asg perf" command may not show active software Blades.

Take 81

Published on 19 January 2023 and declared as Recommended on 8 February 2023