R81 Jumbo Hotfix Take 25

 

List of Resolved Issues and New Features

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 25

Released on 08 April 2021

PRJ-21007,
PRHF-14969

Security Management

NEW: Improved FWM process performance during Security policy or database installation.

PRJ-22314,
PRJ-22315

Security Management

NEW: Performance improvement of Management High Availability Full Sync.

PRJ-18428,
PMTR-61041

Security Management

UPDATE: In a High Availability environment, Assign and Reassign Global Policy actions are not supported for a Domain if the active Domain Server for this Domain is a Security Management device. The assignment will be performed after change-over to the primary Domain Server.

PRJ-21873,
ODU-82

Security Management

UPDATE: Added Update 8 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109.

PRJ-21239,
PMTR-62918

Security Management

In some scenarios, the log file of PostgreSQL (postgres.elg) may become very large.

PRJ-23500,
PMTR-66213

Security Management

In some scenarios, verification errors regarding conflict of rules may be missing if the policy installation is accelerated and the target is a cluster.

PRJ-20805,
PRHF-14691

Security Management

In some scenarios, deleting a partial domain with the createDomainRecovery.sh script fails when there are several RadiusGroup objects with the same name in different domains.

PRJ-21704,
PMTR-64423

Security Management

In large environments with High Availability, synchronization and upgrade may fail due to very large database size.

PRJ-22519,
PMTR-64104

Security Management

Policy Installation may fail with "Error code: 0-2-2000245" message when using IPv6.

PRJ-20128,
PMTR-62503

Security Management

Data Center objects defined in NAT and HTTPS Inspection rulebases may not be enforced correctly after policy installation that was accelerated.

PRJ-21417,
PRJ-20995

Security Management

In rare scenarios, the initiation of the Management server may take a long time.

PRJ-20305,
PRHF-14634

Security Management

In some scenarios, deleting a Domain Server may fail with "Got at least one duplicate UID in requested list" error.

PRJ-21360,
PRHF-14606

Security Management

In some scenarios, the Purge Revisions task may stop and show 0% for hours or fail with the "An error has occurred while performing revision purge operation" message in SmartConsole.

PRJ-17790,
PRHF-13382

Security Management

In some scenarios, policy verification for static NAT rules succeeds even though the source subnet NAT is bigger than the destination subnet NAT.

PRJ-20888,
PRHF-14946

Security Management

In some scenarios, when connecting to an existing session in SmartConsole from a different IP address, a wrong "Client IP" is shown in Audit Logs view.

PRJ-21587,
PRHF-15222

Security Management

In rare cases, the CPM Solr process may not be stopped when running cpstop or mdsstop.

PRJ-20766,
PRHF-14399

Security Management

High load may occur on the Management Server when searching for an IP address prefix that has more than 10 thousand matches.

PRJ-21185,
PMTR-63358

Security Management

In rare scenarios, logout from a session fails with "An internal error has occurred" message.

PRJ-19720,
PMTR-62272

Multi-Domain Management

The Multi-Domain session APIs "view sessions" and "show last-published-session" results may include sessions that were not filtered according to the administrator's permissions profile.

  • A Domain manager running the API is notified when the results are filtered and is asked to run the command again with the "ignore-warnings" flag.

PRJ-21913,
PMTR-64572

Multi-Domain Management

In some scenarios, installation of Jumbo Hotfix on Multi-Domain Server may fail after running restore from backup.

PRJ-21081,
SMCUPG-1625

Multi-Domain Management

In some scenarios, HA Full Sync on the System Domain fails after upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059.

PRJ-21344,
PRJ-16910

Multi-Domain Management

When running many Reassign Global Domain operations for Domains that are not active on the current Multi-Domain Server, the load on the Server may increase and result in slowness of user and automation work.

PRJ-20952,
PMTR-62383

SmartConsole

After a network interface is removed by cluster API, a network group assigned to that interface remains as used by cluster members and cannot be deleted.

PRJ-21627,
PMTR-55104

SmartConsole

In a Multi-Domain environment with High Availability using Security Management Server, if the Security Management is the active peer for a Domain assigned to the Global Domain, the Policy Package creation may fail.

PRJ-20241,
PRHF-14533

SmartConsole

When there are no search results, search in Access Control Policy displays "An error occurred while searching" instead of "No Items Found".

PRJ-19932,
PRHF-14278

SmartConsole

In rare scenarios, the "Show Policy Package" tool and some Management API commands with "details-level full" may fail when a UTM cluster is part of the policy targets.

PRJ-20316,
PRHF-14637

SmartConsole

In some scenarios, the "show gateways-and-servers" Management API command fails when running it with "details-level full" and when connected to the Global Domain. Refer to sk170895.

PRJ-19142,
PRHF-14010

SmartConsole

In some scenarios, the "add-user" API command with authentication method TACACS+ or Radius server fails with "object not found" message. Refer to sk170325.

PRJ-18923,
PRHF-13879

SmartConsole

In some scenarios, the "show-access-rulebase" Management API command fails when running it with details-level "full" and there is a network group with more than 50000 objects on one of the rules. Refer to sk170435.

PRJ-21160,
PMTR-63555

SmartConsole

If there is an HTTPS Inspection layer that is not used in the policy, policy installation may fail with the "Internal error" message.

PRJ-21624,
PRHF-15156

SmartConsole

In some scenarios, FWM process logs show Provisioning/LSM activity even though LSM is not in use. Refer to sk171905.

PRJ-21390,
PMTR-63149

SmartConsole

Slowness may be observed in some SmartProvisioning operations (like open SmartProvisioning GUI, create a new LSM object, open an LSM object editor, etc.).

PRJ-22223,
PMTR-32568

SmartConsole

In some scenarios, a validation warning may appear on an updatable object with the following message: "Object is no longer supported. Enforcing security for this object is not possible." However, the object is still available in the updatable objects picker.

PRJ-22050,
PMTR-62337

SmartConsole

In some scenarios, the Hit count information in the Access Policy rulebase is not shown correctly.

PRJ-20776,
PRHF-13197

Compliance

In some scenarios, an incorrect Compliance status for Gaia OS Best Practices is displayed.

PRJ-19303,
PRHF-11595

Compliance

Compliance Blade may not scan inline layers for Application Control and URL Filtering best practices.

PRJ-22825,
PRHF-15936

Logging

NEW: Log Server now supports up to 4 billion logs per day in Index mode (previously it stopped indexing with a limit of 2 billion logs).

PRJ-21380,
PMTR-63927

Logging

In some scenarios, in Multi-Domain servers with many domains, the Solr process for logs may unexpectedly exit.

PRJ-19011,
PRHF-13936

Logging

In a rare scenario, CPD process may use a random port for AMON communication instead of port 18196.

PRJ-24068,
PMTR-66159

Logging

In Smart-1 6000-L and 6000-XL, drilling down to a log card from the Logs view does not return results.

PRJ-20587,
VPNRA-642

Mobile Access

Removed a potential XSS vulnerability in the MAB Login page.

PRJ-21112,
PRHF-14953

Security Gateway

Authentication may fail when LDAP branch name contains "\".

PRJ-18980,
PRHF-13153

Security Gateway

In some scenarios, PPTP or GRE traffic may be dropped. Refer to sk170293.

PRJ-19801,
PMTR-60336

Security Gateway

Improved the policy enforcement of the ZIP archive inner files.

PRJ-21613,
PRHF-14715

Security Gateway

Security Gateway may crash when "Categorize HTTPS Websites" feature is enabled and categorization mode is set to "Hold".

PRJ-20341,
PRHF-14616

Security Gateway

In rare scenarios, passive FTP packets may be dropped.

PRJ-21200,
PMTR-63550

Security Gateway

The VMCore file may be created during reboot after the upgrade procedure.

PRJ-22082,
PMTR-64650

Internal CA

In a rare scenario, "This operation is not supported on STANDBY members" message is displayed and the cpca_client process unexpectedly exits when trying to renew a certificate on a standby Domain.

PRJ-21727,
PMTR-64420

Content Awareness

In a rare scenario, Security Gateway may crash when CPcode is running within Content Awareness or parser flow.

PRJ-20848,
PRHF-14347

Identity Awareness

In some scenarios, running pdpd commands results in "daemon did not respond or not running!" error. Refer to sk171136.

PRJ-22016,
IDA-3194

Identity Awareness

Added optimization for PDP when handling Terminal servers Multi-User Host Agent (MUH).

PRJ-20349,
PRHF-14266

IPS

In a rare scenario, SmartConsole shows the "IPS is not responding" message even though IPS is functioning normally.

PRJ-17883,
PMTR-59113

Anti-Virus

UPDATE: Improved Anti-Virus buffer allocation to reduce stack size.

PRJ-20839,
PRHF-14744

DLP

Improved DLP scanning for POST requests to some websites.

PRJ-21711,
PMTR-64263,
PRJ-21991,
PMTR-64780

SSL Inspection

In rare scenarios, a memory leak may occur in a crypto module.

PRJ-20977,
PRHF-14820

Anti-Malware

In rare scenarios, the Threat Prevention policy installation fails due to IoC parsing errors. Refer to sk171316.

PRJ-18958,
PRHF-13881

ClusterXL

When MDPS is configured, the output of "cphaprob syncstat" may show unreadable characters for the speed of the sync interface.

PRJ-19665,
PRHF-13929

SecureXL

In some scenarios, connections are dropped when SYN Defender and ISN Defender are both enabled on the same interface.

PRJ-20547,
PRHF-14680

SecureXL

Security Gateway may crash when there are interfaces that do not need the ARP resolution (VTI).

PRJ-18663

Routing

UPDATE: Added support for Check Point Active Streaming (CPAS), Policy-Based Routing (PBR), and Application-Based Routing (ABR) on the Security Gateway. Refer to sk167135.

PRJ-22489

Gaia OS

NEW: Added support for Smart-1 6000-L/XL appliances. Refer to sk171903.

PRJ-23358,
PMTR-65962,
PRJ-24397,
PMTR-67460

Gaia OS

UPDATE: Upgraded OpenSSL to 1.1.1k to fix CVE-2021-3449 and add the latest security improvements. Refer to sk172983.

PRJ-20733,
PMTR-63201

Gaia OS

CVE-2020-25705: ICMP reply rate.

PRJ-21721

Gaia OS

The "show configuration" command cannot print a Gaia user with spaces in the name.

PRJ-21827,
PRHF-12751

Gaia OS

In some scenarios, the "rhost" value may be missing from logs when the user tries to access the WebUI.

PRJ-18852,
PRHF-13802

Gaia OS

In some scenarios, the "show arp dynamic all" command displays values of VS0 instead of VS.

PRJ-20286,
PRHF-13475

Gaia OS

The log level of messages written to the /var/log/messages file when fetching proxy configuration from Clish/WebUI/Gaia API was changed from ERR to INFO.
Example: [DATE TIME] <daemon.err> ... xpand[25958]: proxy_live_get_proc: Started...

PRJ-19975,
PMTR-62104

Gaia OS

In some scenarios, bond interface bandwidth monitored via SNMP is missing.

PRJ-17684,
PMTR-60173

Gaia OS

When upgrading with enabled Management Data Plane Separation (MDPS), an additional reboot may be required.

PRJ-18941,
PRHF-13812

Gaia OS

In some scenarios, the "... fwldbcast_handle_retrans_request: Updated bchosts_mask to 1" message may be printed in /var/log/messages file.

PRJ-21667,
PRHF-15328

Gaia OS

In some scenarios, policy installation on a Check Point Gateway in Azure causes the Gateway to crash and load a default policy. Refer to sk171553.

PRJ-21261,
VSX-2520

VSX

Allow the addition of routes with a specific group of type "Group with Exclusion" when using the VSX Provisioning tool.

PRJ-20965,
VSX-2519

VSX

After running "vsx_util vsls" and selecting option #6, the operation may fail with the "Internal Error: got empty reply set" error. Refer to sk171352.

PRJ-13302,
PMTR-63247

VPN

NEW: Added 3 new views to SmartView for Remote Access, providing visibility for Remote Access users, users login summary, failed login attempts, used clients, top login options, number of users, operating systems, authentication methods and login activity.

PRJ-17616,
PMTR-57245

VPN

UPDATE: Added:

  • VPN Remote Access StrongSwan IKEv2 client logs.
  • Key install logs with StrongSwan IKEv2 client improvement to show the correct authentication method.
  • RAsession_util with StrongSwan IKEv2 client improvement.

PRJ-19217,
PRHF-13685

VPN

Site to Site VPN fails to establish with IKEv2 on GCP when NAT-T is enabled.

PRJ-21544,
PMTR-64128

VPN

Added VPN Remote Access stability improvement.

PRJ-22219,
PRHF-15006

VPN

When static NAT is configured on a destination, the SCV may fail to access the internal resources and "No scv status from client..." drops appear in SmartConsole. Refer to sk171550.

PRJ-19905,
PRHF-14090

VPN

Mobile Access SNX may fail to connect to the Security Gateway when the realm used by the client is different from the SSL VPN realm.

PRJ-21235,
EPS-30018

Endpoint Security

NEW: Added Application Control and Developer Protection support in Endpoint Web Management.

PRJ-21750,
PMTR-60418

Endpoint Security

On the SmartEndpoint Reporting page, the "Endpoint Connectivity" report that is filtered by a virtual group returns an empty list.

PRJ-21915,
PMTR-50113

Endpoint Security

In some scenarios, the "Endpoint Security Client Version" report shows "N/A" in DAT Date column for all devices on the SmartEndpoint Reporting page.

PRJ-21106,
PMTR-62363

Endpoint Security

Adding devices to a virtual group using the epmcommands tool may fail.

PRJ-19313,
PRHF-13909

CloudGuard Network

When creating a GCP Data Center, Test Connection may fail on large GCP accounts.

PRJ-23944,
PMTR-66384

Maestro VSX

"dxl stat" and "dxl calc" commands may fail on non-VS0 context with the "failed to retrieve dxl information" error.