R81 Jumbo Hotfix Take 13

NEW: The upgrade process is being monitored dynamically and will be stopped if it cannot be completed, not basing on a timeout.

UPDATE: Added Update 7 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109.

UPDATE: When purging revisions, task notifications will also be purged if created before the last revision to purge was published.

In some scenarios, the installation time of Jumbo Hotfix Take 11 on the Management Server may take up to several hours.

In some scenarios, HA temporary sub-directories in $FWDIR/tmp are not deleted if sync fails. Refer to sk170972.

'Revert to Revision' tasks cannot be cleared from tasks pane in SmartConsole.

In some scenarios, policy installation on LSM Gaia cluster profile fails with "Policy installation had failed due to an internal error" message.

Upgrade may fail if a Data Center object was last modified by an Administrator with a single quote in the name.

In some scenarios, the first environment variable configured using sk165938 is not loaded and not used by the CPM process.

In a rare scenario, the FWM process unexpectedly exits.

UPDATE: With this fix, mds_backup will backup the Upgrade Tools package(s) and mds_restore will restore them on a Multi-Domain Server.

In rare scenarios, Management server becomes inaccessible after Global Policy reassign operation.

NEW: Added support for Python 3 in Management API scripts.

In some scenarios, Staging mode IPS protections activation in the Local Domain does not match the activation in the Global Domain after a Global Threat Prevention policy assignment. Refer to sk170322.

In some scenarios, the api.csv file may show extra empty columns.

In some scenarios, when adding a new user certificate of type .p12 via API command, the returned certificate may be incorrect.

When the user creates an Access Role, the AD organization tree may show duplicate branches, and some branches may be missing.

In some scenarios, deleting a policy fails.

NEW: Added support for Threat Emulation Blade on LSM profile of R81 SMB gateways and clusters.

• Requires R81 SmartConsole Build 548 (or higher).

UPDATE: Log Exporter read mode default was changed to Semi-unified instead of Raw mode.

In rare scenarios, the FWD process on the Security gateway may be blocked for several seconds due to processing of log attachments.

In rare scenarios, the LOG_INDEXER process may unexpectedly exit when reading a specific log format. Refer to sk116117.

UPDATE: To improve performance, SmartView now exports data in CSV format instead of Excel.

In rare scenarios, Security Gateway memory consumption may increase.

Connectivity issues may appear due to missing proxy ARP entries on the Security Gateway.

In some scenarios, DHCP traffic may be dropped after installing an accelerated policy.

In a rare scenario, Access Control policy installation may fail after upgrade of Security Gateway from R80.10 or below to R80.20 or higher.

In some scenarios, "email_unified_cmi_get_attribs: not valid caller: up_log_get_user_hash" error appears in dmesg for SMTP traffic.

In some scenarios, a memory leak may occur after sending a packet from the kernel.

In some scenarios, repeating "fwx_alloc_global_find_free_port_atomic: rtsp pending port doesn't match the same pool" errors are displayed in dmesg when using Hide NAT with VoIP.

In some scenarios, the DNS requests from the Security gateway may fail.

Half-closed accelerated TCP connections may take too long time to expire.

In rare scenarios, a memory leak may occur on Security Gateway in gconn table.

UPDATE: Threat Extraction ( Sanitization) will be automatically disabled when Infinity Threat Prevention mode is installed while the machine does not have enough resources (RAM).

In some scenarios, when a standby cluster member receives RADIUS accounting updates, there may be high CPU on the PDP process.

In some scenarios, the WSTLSD process may unexpectedly exit and produce a core dump.

NEW: Added ability to send connection log per application match for ATM transactions identification. The functionality is disabled by default and can be enabled by using the "up_duplicate_connection_log_on_packet_matched_app_enabled" kernel parameter.

In some scenarios, log output shows the Origin/Source as "0.0.0.0" in VSX 3rd party IPS logs.

UPDATE: Expanded DLP postfix authentication to include NTLM to allow the Security gateway to connect to a mail servers that use the NTLM authentication protocol.

The AES-NI (Intel Advanced Encryption Standard New Instructions) status is not displayed and "dmesg | grep AES-NI" returns no output. Refer to sk170779.

In rare scenarios, a memory leak may occur during policy installation.

UPDATE: "Categorize HTTPS websites" feature enhancements when "Categorize HTTPS Sites" feature is enabled:

• Improved enforcement of first connection when URL Filtering setting is 'Hold' mode
• Added SNI information to connection logs when connection is matched on rule with "Extended Log"
• Hold mode granularity

For configuration, refer to sk173633.

Exported with ioc_feeds export command indicator feeds may contain user credentials. Refer to sk169035.

In some scenarios, users may fail to access a web site with many malicious URLs.

In some scenarios, multiple files called "ckp_mutex" are created on the Security Gateway.

UPDATE: Added the option to display only monitored interfaces to "show cluster members <option>" command:

• In Gaia Clish, run "show cluster members monitored"
• In Expert mode, run "cphaprob -m tablestat"

"set router active-active-mode" settings do not survive a reboot.

NEW: Added the ability to enable monitor-only mode for penalty box independently of other DOS/Rate limiting features.

In rare scenarios, SecureXL may crash due to NULL handling.

Server may not reuse the TCP connection when the user allows out of state TCP packets.

In some scenarios, Rate Limiting rules for DoS do not work after reboot. Refer to sk170148.

On Scalable Platforms, SSH via MAB may disconnect.

The old route may be not removed when an BGP ECMP route was changed.

Routed logs may incorrectly state that routemaps that export to OSPF cannot set the OSPF manual tag, even though the functionality works.

PBR does not work with VTI/VPN.

NEW: Gaia API (version 1.5) will now be deployed via Jumbo Hotfix.

In some scenarios, the Security Gateway attempts to fetch the policy from / send logs to the real IP address of the Management Server (defined in the "General Properties" section of the server object) instead of the server's NAT IP address (defined in the "NAT" section of the server object).

Refer to sk171055 to configure the required parameter FORCE_NATTED_IP.

In some scenarios, one session disconnection of RADIUS users can cause another session to loose permission when one of the session terminates.

Bond interface in XOR mode or 802.3AD (LACP) mode may experience suboptimal performance, if on the Bond interface the Transmit Hash Policy is configured to "Layer 3+4" and Multi-Queue is enabled.

NEW: Added VPN command line mechanism stability enhancement and VPN improvements in IKEv2.

NEW: Added CPDIAG (on/off) for IKE negotiations per community feature.

In some scenarios, Remote Access Endpoint client disconnects after roaming from Visitor Mode to NAT-T.

In a rare scenario, the FWM process unexpectedly exits when enrolling a certificate using the SCEP protocol.

In some scenarios, L2TP clients disconnect from the Security gateway after 10 minutes of the connection.

In some scenarios, the VPND process unexpectedly exits with Segmentation fault.

Connectivity issue may appear between Check Point Gateway and 3rd party device in MEP DPD configuration when 3rd party device is defined as Central Gateway in MEP. Relevant error message: "Failed to resolve VPN MEP gateway".

IPv6 traffic and multicast IPv4 may not work with Virtual Switch (VSW).

In some scenarios, SNMP v3 users are not recognized on VSX when SNMP is in VS mode. The "Unknown user name" error message is displayed. Refer to sk170993.

SIP parser may cause the wrong RTP dynamic connection to be opened. Refer to sk169373.

NEW: Added support for new Push Operations - Host Isolation and Host Release from isolation.

UPDATE: Updated Endpoint Web Docker Image.

The "Sent to Client On" column is empty in SmartEndpoint >Reporting > Push Operations even if push operation was completed successfully.

NEW: Added full support for Gaia Backup.

Gaia scheduled backup fails to run and the /var/log/messages file contains the error "scheduled_backup: SGM isn't SMO, skipping scheduled backup". Refer to sk170925.