R81 Jumbo Hotfix Take 34

NEW: Added new API version (1.7.1). For more information, refer to the Management API Reference.

SmartConsole Extensions fail to load with "Error: unable to retrieve read-only session" if login with SmartConsole is performed with an IP address that is not defined as the primary IP of the Management Server.

In some scenarios, when updating Check Point Host object to be a Network Policy Management and in addition configuring it as a Secondary Server, "Publish" fails with "Action Failed due to an internal error".

Upgrade or migration from R80.10 and lower to R80.20 and higher may fail with "Scheme adjustment had failed" error in logs. Refer to sk172003.

In some scenarios, after upgrade of Multi-Domain environment that has active Domains on multiple Multi-Domain Servers, some objects may not be visible in the System Domain.

When configuring SNMP traps with thresholds_config utility on the Management Server, the settings may not be applied on the Security gateway upon policy installation.

When adding or updating star/meshed VPN community using the Management API and setting default values for ike-p2-use-pfs or ike-p2-pfs-dh-grp fields, the operation mail fail with the validation error.

In some scenarios, the policy installation may fail after following sk55502. Refer to sk174646.

Incorrect Mobile Access license status upon a license change.

In some scenarios, the "set-simple-gateway name ..." and "set simple-cluster name ..." Management APIs may not reach the "SIC Communicating" state.

On Security Management with connected Endpoint Security Server, the SICTUNNEL process may unexpectedly exit and start again every few minutes with core file ~4gb in size. Refer to sk173704.

In some scenarios, Apache does not start and shows a "No space left on device" message if the user runs "cprestart" frequently.

NEW: Once a day, Multi-Domain Management Servers will check for peers that are not synchronized. If such are identified, HA full sync will be automatically initiated at the MDS level.

When secondary Domain Management Server is in active state, sicRenew utility may fail with "Certificate cannot be renewed by the Internal CA. (Error no. -179)". Refer to sk172183.

UPDATE: Added stabilization improvement for Assign and Reassign Global Policy operations.

Global Policy Assignments may be missing in Multi-Domain environment after upgrade from R77.x.

UPDATE:

1. When using Updatable Objects, Source and Destination fields in logs will display the icon from the matched Updatable Object.
2. Improved the accuracy of flag icons when using Updatable Objects for Geo-IP restrictions.

Note:

• Requires R81 SmartConsole Build 552 (or higher).

Generating a Changes Report may fail when the changes include new LSM Profiles or Small Office Gateway objects.

"The object specified in 'Always send alerts to' field, has no active 'Logging & Status' Blade" error may be displayed after running the "add-simple-gateway" command in Management HA environments where one of the Security Management Servers has the "Logging & Status" Blade disabled. Refer to sk172226.

Deactivated Compliance Best Practices appear in the Compliance report.

In the "Logs" view in SmartConsole, when the query filter contains "time:yesterday" as a literal, the query fails with a "Query resolution failed" error. The pre-defined time filter "Yesterday" shows results from today. Refer to sk170999.

When viewing an Access log card that was matched on both a Network layer (firewall) rule and an Application layer rule, and both actions are "Accept", the application layer rule will be presented in the card instead of the network layer rule. Refer to sk172763.

In SmartView's "Cyber Attack View - Endpoint", the widgets Active/Dormant Attacks and Cleaned/Blocked Attacks show clean hosts as infected (false positive results).

In SmartView, when the user exports multiple PDF/CSV/Templates of the same view/report at the exact same time, the second export to complete may overwrite the first one.

In rare scenarios, when the user exports logs to Excel using SmartView web, the action fails when the exported logs contain special characters, like emojis.

NEW: Added new troubleshooting tool to cplic command for Entitlement manager.

NEW: In a Management Data Plane Separation (MDPS) environment, each plane has its own configuration.

Run these commands in each plane:

• save configuration <Name of Script>
• load configuration <Name of Script>

NEW: Implemented new Fast-Accel producer.

The following Fast-Accel statistics are added to CPView:

• Status: current status of Fast-Accel feature (enabled/disabled).
• Configured rules: number of rules were added by the user. These rules determines whether a connection should be accelerated or not.
• Accelerated connections amount: number of accelerated connections.
• Total connections amount: total connections opened in PPAK.
• Accelerated connections percentage: percentage of accelerated connections as part of the overall traffic.
• Services distribution: number of times each service was used by the accelerated connections.

UPDATE: Added $CPDIR/log/sic_info.elg log file to show detailed SIC errors.

UPDATE: Security Gateway performance optimizations for specific scenarios. Refer to sk174607.

In some scenarios, the "fwauthd_init: got known service port XXX ... choosing another one" message appears repeatedly in the $FWDIR/log/fwd.elg file.

On rare scenarios, running "fw1 + misp" debug on cluster may cause Security Gateway to crash.

In rare scenarios, the CPD process unexpectedly exits when the VPN is enabled, and statuses are not sent to the Management Server.

When the Security Gateway is configured as a proxy, some network objects may not be matched correctly.

In a rare scenario, Security gateway may crash when using non-FQDN domains in Access policy.

Boot may take a long time on machines with many VLANs or secondary IP addresses.

In a rare scenario, the FWK process unexpectedly exits on the Security Gateway.

In some scenarios, policy installation fails with "Error code 0-2000077" message.

In rare scenarios, policy installation fails with "gen_other_service_inspect_func: failed to find corresponding service object for <service name>" error message.

In a rare scenario, the Security gateway may crash with fwk and fwk_wd core dump files.

In some scenarios, the Security Gateway attempts to access the Management Server through the server's NAT IP address (defined in the "NAT" section of the server object), while the server is reachable only through the main IP address (defined in the "General Properties" section of the server object).

Refer to sk171665 to configure the required parameter SKIP_NATTED_IP.

In a rare scenario, Security Gateway may crash when running in USFW (User-Space Firewall) mode.

In a rare scenario, Security Gateway may crash under heavy load during cluster failover.

RSA integration using SAML (Security Assertion Markup Language) protocol may not work as expected. Refer to sk171501.

When Strict Hold is enabled in the fail-open configuration, some HTTPS connections may stuck.

The VPND process may consume high CPU because of ECDHE use, which affects multi-portal functionality. Refer to sk173145.

The "new-conn-rate" DOS/Rate limiting rules may not be enforced in usermode when enforcement for internal interfaces is disabled.

A failure log may be generated when inspecting connections to servers with certificates without a common name (CN) field.

UPDATE: Added support for more than 20 CIFS objects in rulebase. Refer to sk170300.

Security Gateway may crash when transferring the HTTP multipart traffic if the Anti-Virus Deep Scanning, Threat Extraction, or Threat Emulation is enabled.

In rare scenarios, Security Gateway may crash when working with SSH.

Removed the "beta" label from SSH DPI's SSH server identification string.

In rare scenarios, the Threat Prevention policy is not enforced after a reboot of the Security Gateway.

Memory leak may occur during policy installation.

Improved performance of the TLS handshake when TLS 1.3 support is enabled.

In some scenarios, the "Parallel TLS Sessions" and "Cache entries" CPView statistics for SSL Inspection are incorrect.

In some scenarios, memory leaks may occur after policy installation.

In some scenarios, when HTTPS Inspection is enabled, overall memory consumption may gradually increase. Refer to sk171280.

In a rare scenario, the Security gateway may crash with the "Problem with the Commit Function" error during policy installation. Refer to sk173248.

In some scenarios, the VPN Remote Access client fails to connect if a certificate contains a DN with an asterisk (*).

UPDATE: Exceptions are now enforced for these IPS protections:

• ASCII Request Response
• ASCII Response Response
• HTTP Header Patterns
• HTTP URL Patterns
• CIFS File Patterns

Refer to sk166222.

Proxy source IP address is not printed in the IPS logs.

In rare scenarios, policy installation fails due to duplicate id in IPS Snort protections.

UPDATE: Reduce performance when Anti-Virus is configured with deep inspection on all file types.

Sensitive file push.js may be visible on the Security gateway.

In some scenarios, the VPND process unexpectedly exits in SNX Application Mode.

Remote Access session may not be synced on the standby member VS.

UPDATE: Added the fwha_disable_ccp_on_monitor global kernel parameter. The parameter turns on/off the sending of CCP packets on link monitor interfaces.

In some scenarios, the required interface value is higher than it should be when adding a VLAN interface.

In some scenarios, a large quantity of logs is generated on cluster VIP API.

In some scenarios, the user cannot run any dynamic routing or install any static routes, including the default route.

UPDATE: Changed the "accept out of state" global parameter usage and added support to change it for specific VS. Refer to sk147093.

A race condition in the DOS/Rate limiting policy's install logic may cause incorrect counter values for "concurrent-conns".

In some scenarios, DOS/Rate Limiting rules that do not work as expected may be created.

Improved the Smart Connection Reuse feature to be consistent with the user configuration. Refer to sk24960.

TCP reset packets may be dropped with an invalid sequence.

UPDATE: Added "$" to the list of allowed characters for BGP MD5 authentication passwords in in WebUI and CLI.

In some scenarios, after member failover, some traffic may be lost.

VRRP member freezes when deleting a VLAN interface. Refer to sk106226.

In a rare scenario, the ROUTED process unexpectedly exits when creating an MFC (S,G) entry. Refer to sk176685.

Hardened the ability to use narrowed IKEv2 tunnels. For more information, refer to sk166417.

UPDATE: Added VPN improvements in IKEv2:

• Added support for IKEv2 authentication when using multiple certificates.
• Added support for "Matching info" authentication.

Added major VPN enhancements for Scalable Platforms. Refer to sk174228.

"Invalid ID information" message may be displayed when peer is 3rd party and Link selection is overridden.

• Stability improvement of IKEv2 rekey when using Pre-shared-key
• Stability improvement of cluster synchronization mechanism

If SSL Inspection or other Blades that use the CPAS infrastructure is enabled, a call trace warning is displayed in dmesg when the cpstop command is issued.

In VSX environments, Anti-Spoofing in SecureXL may cause Remote Access VPN drops. Refer to sk173266.

In rare scenarios, the VPND process may unexpectedly exit in an L2TP-related flow.

In some scenarios, the he VPND process may unexpectedly exit producing a core dump.

Added IKE improvement for DAIP peer with ID_DER_ASN1_DN ID type.

Added stability fix in validation checks for ECDSA certificates.

NEW: Adding support for Smart-1 600-S/M appliances. Refer to sk171903.

UPDATE: Added the option to bind IP addresses to sockets using the udp_connect API. Refer to sk171019.

Updated the OpenSSL version in the RPM database.

In rare scenarios, Clish unexpectedly exits when configuring the ip-conflicts-monitor on more than 4 interfaces simultaneously.

In rare scenarios, there is a difference between the value of "Packets" in the output of "ifconfig <interface name>" and "show interface <interface name> statistics" commands.

In rare scenarios, "show asset network" command may lead to memory leak. Refer to sk174823.

The "snmptable" command may fail to fetch data via SNMP producing core dump. Refer to sk172824.

When bond/bridge interfaces configured with IP conflicts monitoring are deleted, they still appear under the configuration of ip-conflicts-monitor.

"show configuration on" may not expose bond' members.

In rare scenarios, when the VSX cluster experiences an outage, the FWK process generates a core dump file.

Improved performance consistency (with Multi-Queue) after the Microsoft Azure Maintenance event.

The SNMP response may show incomplete values.

In rare scenarios, the Endpoint server fails to start after uninstalling Jumbo Hotfix.

In some scenarios, the "Included Blades" tab in the SmartEndpoint Package repository for Dynamic Package is empty.

In some scenarios, the Policy server fails to synchronize with Endpoint primary Management after installing a hotfix for local E1 signature updates.

UPDATE: If the recommended-policy includes some illegal rules, an IoT layer will be created with the legal rules only and the user will be notified with a warning about the illegal ones.