R81 Jumbo Hotfix Take 42

 

List of Resolved Issues and New Features

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 42

Released on 1 September 2021

PRJ-26240,
PRJ-26233

Diagnostics

NEW: Added the Check Point Performance Sizing Utility (CPSizeMe) v5.2.

PRJ-24235,
PMTR-64142

Licensing

UPDATE: If there is no license installed, the error message will be printed when running the "cpstart" command.

PRJ-24201,
PMTR-67200

Security Management

NEW: Trusted CAs updates for HTTPS Inspection can be configured to be installed automatically upon update. Refer to sk173629.

PRJ-27200

Security Management

NEW: Added the Hitcount column to the "Export to CSV" functionality in Access Policy.

  • Requires R81 SmartConsole Build 553 (or higher).

PRJ-24985,
PRJ-25474

Security Management

NEW: Added ability for R81 Security Management or Multi-Domain Server to manage R81.10 Security Gateway.

  • Requires R81 SmartConsole Build 553 (or higher).

PRJ-26026,
PMTR-69307

Security Management

NEW: Added the "get-interfaces" Management API for Security Gateway and Cluster objects.

  • The functionality is parallel to the "Get Interfaces" button in the SmartConsole Network Management page in the Security Gateway / Cluster editor.
  • The API is available starting from version 1.7.

PRJ-26414,
PMTR-69791

Security Management

NEW: Added the Management API command "show-layer-structure".

PRJ-27122,
PMTR-70628

Security Management

UPDATE: The "Purge revisions" operation has been improved to further reduce the database's size.

PRJ-27163,
PMTR-70138

Security Management

UPDATE: Performance improvement in an upgrade of Security Management and Multi-Domain Servers with large rulebases.

PRJ-26194,
PMTR-69529

Security Management

In a rare scenario, the FWM process may unexpectedly exit.

PRJ-26184,
PRHF-17487

Security Management

When running the "fwm logexport" command multiple times, the FWM process may unexpectedly exit, producing a core file.

PRJ-26124,
PRHF-17476

Security Management

In some scenarios, HA synchronization fails in the Global Domain after the IPS update.

PRJ-29004,
PRHF-18817

Security Management

In some scenarios, Publish operation fails with the "Object with uid=<RandomCharacters> was updated in the database but its dleConvertedObject wasn't found" error. Refer to sk174703.

See the Important Notes section.

PRJ-25039,
PRHF-16802

Security Management

In rare scenarios, a task in progress may get stuck until the Management Server is restarted.

PRJ-24011,
PMTR-62382

Security Management

In some scenarios, the NAT rule is not enforced when the rule name is identical to an object name placed on the rule.

PRJ-25862,
PMTR-67876

Security Management

When running the "show-tasks" command with Management API and using the "order" parameter, the results are not ordered.

PRJ-26455,
PRHF-17433

Security Management

In rare scenarios, the web_api_show_package.sh script fails, and the log shows "Null Pointer Exception".

PRJ-22135,
PMTR-63108

Security Management

In some scenarios, a high load on the Management Server may cause SmartConsole slowness.

PRJ-26630,
PRHF-17230

Security Management

In rare scenarios during system startup, a cleanup operation may cause high CPU on multiple Postgres processes and prevent login to SmartConsole. Refer to sk175189.

PRJ-25010,
PMTR-67525

Security Management

After configuring VPN Blade on a Security Gateway with support-visitor-mode using Management API, VPN clients may fail to create sites.

PRJ-21968,
PRHF-15471

Security Management

Packet Mode search in rule base ignores matching of inline layer parent rules. In some scenarios, this may retrieve inline layer rules that should not be matched.

PRJ-22385,
PRHF-15325

Security Management

User may fail to connect to SmartConsole after the administrator changed the RADIUS Server host IP address. Refer to sk172065.

PRJ-24331,
PRHF-16613

Security Management

In some scenarios, the "Recent Tasks" view shows the initiator as a System administrator when the Global Manager user initiates reassign and install policy.

PRJ-27621,
PMTR-69273

Security Management

In a rare scenario, the "Install Database" task may continue to run indefinitely.

PRJ-26093,
PMTR-69327

Security Management

In rare scenarios, the Access Control policy installation fails with the "Security Management Server aborted connection" error.

PRJ-25305,
PMTR-67893

Security Management

Policy verification may incorrectly fail with the verification error "Rule contains both Access Roles and network objects" when the installation is accelerated.

PRJ-26343,
PMTR-59909

Security Management

When installing policy on a gateway for the first time, Threat Prevention policy installation may fail if installed with Access policy.

PRJ-25687,
PRHF-17286

Security Management

In some scenarios, a policy installation failure message may show "ReferenceObject" instead of the actual object's name.

PRJ-24052,
PMTR-66980

Security Management

If the Management Server is up for many days, the CPM process memory consumption and CPU usage may increase consistently.

PRJ-26299,
PRHF-17531

Security Management

In rare scenarios, tasks may run indefinitely until the Security Management Server is restarted.

PRJ-26911,
PRHF-16657

Security Management

Policy installation to multiple gateways from Install Policy Presets may fail if each policy has its own HTTPS Inspection policy.

PRJ-25838,
PRHF-17362

Security Management

In some scenarios, deleting a Security Gateway object fails with the "Object <name> is used by a policy or by other objects" error even though the Security Gateway is not in use. Refer to sk173467.

PRJ-25800,
PRHF-17324

Security Management

In rare scenarios, if the CPM process is up for many days, CPU and memory consumption may continue to grow until a reboot is performed.

PRJ-25254,
PMTR-68425

Security Management

Login with Management API fails when using the api-key and setting enter-last-published-session to "true".

PRJ-26507,
PMTR-69683

Security Management

Policy verification may incorrectly fail with a NAT verification error "The range size of Original and Translated columns must be the same".

PRJ-25447,
PMTR-68607

Security Management

SmartConsole may unexpectedly close when renaming an Application Control rule name or changing an Application Control policy action.

PRJ-25892,
PMTR-69154

Multi-Domain Management

NEW: Allow creating Domain Management Servers with a netmask different than the one of the Multi-Domain Server. Refer to sk173934.

PRJ-26690,
PMTR-69747

Multi-Domain Management

After migrating the Global Domain and making global changes, when assigning/reassigning the Global Domain, the assignment may be shown as "Up to date" even though the latest global changes are not applied on the Domain.

PRJ-25518,
PRJ-25516

Multi-Domain Management

In rare scenarios, in a Multi-Domain environment with active Domains on multiple Multi-Domain Servers, when performing manual HA sync in one Domain, objects from another Domain are not shown in SmartConsole.

PRJ-25406,
CPM-2542

Multi-Domain Management

In some scenarios, HA synchronization may fail on the MDS level with the "Failed to synchronize this peer due to purged revisions in the database." message.

PRJ-27154,
PRHF-11539

Multi-Domain Management

OS information for Domain Servers may not be shown correctly at the MDS level.

PRJ-22639,
PRHF-15727

Multi-Domain Management

In rare scenarios, the Multi-Domain Management Server may fail to start if Domains were previously deleted.

PRJ-26302,
PRHF-17558

Multi-Domain Management

In rare scenarios, Global Domain Assignment and Domain Creation tasks may continue to run indefinitely.

PRJ-20647,
PMTR-63143

SmartConsole

NEW: Added the option to print or save (as a file) the Changes Report.

PRJ-23439,
PMTR-65297

SmartConsole

UPDATE: Changes report supports up to 50 revisions (instead of 10).

PRJ-22813,
PMTR-61013

SmartConsole

Improved adjustment of the scrollbar in the Changes Report window.

PRJ-26906,
PRHF-17725

SmartConsole

In some scenarios, loading the Access Control policy causes SmartConsole to close unexpectedly. Refer to sk175405.

  • Requires R81 SmartConsole Build 553 (or higher).

PRJ-26873,
PRHF-17640

SmartConsole

In some scenarios, the gateway hardware change in SmartConsole fails with the "Changing the hardware to <New_Selected_Check_Point_Appliance> Appliances is blocked." warning.

PRJ-27576

Web SmartConsole

NEW: Web SmartConsole now includes read/write capability for the most common activities. Refer to Take 44 in sk170314.

PRJ-25931,
PRJ-30691,
PMTR-69181,
PMTR-69007

SmartView

NEW:

  • It is now possible to set the default timeframe for all the SmartView web application functionalities.
  • The default value is "Last 24 hours".

Note: The default time frames on the SmartView web application and SmartConsole are not synchronized.

  • Requires R81.00 SmartConsole Build 553 (or higher).

PRJ-27301,
PMTR-70643

SmartView

After an upgrade, SmartView scheduled exports of Reports and Views to Excel stop running, and users are unable to edit the scheduled tasks. Refer to sk174047.

PRJ-24351,
PMTR-67284

CPView

In some scenarios, a memory leak may occur in a cpview_services module. Refer to sk173952.

PRJ-19795,
SL-4613

Logging

NEW: Added support for Endpoint Forensics reports to get-attachment API.

PRJ-20258,
PMTR-57895

Logging

NEW: Log exporter allows the re-export of logs based on starting and end positions provided by the user, to close possible gaps. Refer to sk122323.

PRJ-21423,
PMTR-61503

Logging

NEW: The Log exporter now supports formatting for RSA SIEM application.

PRJ-25596,
SL-5164

Logging

UPDATE: The Log Server now supports up to 2700 Gateways (previously 1024). Refer to sk163413.

PRJ-20136,
PMTR-62674

Logging

UPDATE: When reverting a Management or Log Server from the R81 version 30 days after the upgrade, logs are no longer fetched or indexed.

PRJ-25454,
PMTR-68670

Logging

In rare scenarios, logs generated in the same second, with the same ID, may not show up in SmartConsole's Logs tab.

PRJ-22650,
PRHF-15710

Logging

Threat Emulation log description for HTTP emulation is incorrect.

PRJ-23114,
PMTR-52927

Logging

In some scenarios in SmartView, exporting a report or view to PDF duplicates the item and displays it twice in the Catalog until the export is done.

PRJ-23821,
PRHF-12659

Logging

In rare scenarios, when querying logs with a timeframe larger than 1 day, only 50 logs from each day will be shown.

PRJ-23581,
PMTR-65203

Logging

In some scenarios following a Multi-Domain Management Server upgrade, log queries may not retrieve results from some CMAs/CLMs.

PRJ-25646,
PMTR-68886

Logging

In SmartView (Reports and Web Logs view), the value of the file size is displayed differently from the Logs view in SmartConsole (GB instead of GiB).

PRJ-24488,
SL-5577

Logging

When a Management Server manages more than 1024 Gateways, the connectivity status may show "N/A" for several Gateways.

PRJ-24216,
PMTR-65200

Logging

In a Multi-Domain environment, the same Domain may appear twice in the Domains view of the SmartEvent application.

PRJ-24706,
PMTR-67771

Logging

In the SmartConsole Logs&Monitor tab, when the query time-frame is "Last Hour" and auto-refresh is on, if the query time is between 12:00 and 13:00, logs from that time will not be shown.

PRJ-25657,
PRHF-7562

Logging

In some scenarios, the LOG_INDEXER process consumes 100% CPU and log indexing fails, causing log queries to miss the recent logs. The issue occurs when rules have Accounting enabled and there is a lot of traffic matching these rules.

PRJ-27072,
PMTR-70430

Compliance

In some scenarios on Multi-Domain environments, Compliance data is not synchronized between primary and secondary Domains.

PRJ-24580,
PMTR-66164

SNMP

NEW: Added CPview network statistics and network profile data to SNMP - throughput, packets rate, concurrent connections, drop reasons, top connections, and more.

PRJ-24537,
PMTR-66616

Security Gateway

UPDATE: Added new Dynamic Balancing Clish command to enable default number of instances. To use it, run "set dynamic-balancing state enable set_default_fw_instances". Refer to sk164155.

PRJ-26331,
PMTR-68117

Security Gateway

UPDATE: The prompt indication will show on which plane (management or data) the context is.

For example:

  • "[Expert@Host:0]" will be displayed as "[Expert@Host:dplane]" for the data plane.

  • "[Expert@Host:1]" will be displayed as "[Expert@Host:mplane]" for the management plane.

PRJ-25102,
PMTR-62328

Security Gateway

UPDATE: The Connection Tracker (CPView > Advanced > CONN-TRACKER) will be activated by default.

PRJ-25844,
PMTR-68979

Security Gateway

Added the Access Control rulebase matching visibility enhancement.

PRJ-29753,
PRHF-19043

Security Gateway

In rare scenarios, the Security Gateway may failover while handling the HTTP/2 stream.

PRJ-27036,
PMTR-67834

Security Gateway

VSX provisioning may fail to commit changes to the VSX database. Refer to sk173683.

PRJ-26479,
PMTR-66746

Security Gateway

In some rare scenarios, when IPv6 is configured and Office Mode Anti-Spoofing is enabled, running "cpstop;cpstart" may cause a Security Gateway to crash.

PRJ-26811,
PMTR-68115

Security Gateway

In rare scenarios, policy installation may fail with the "Problem with the Commit Function" message.

PRJ-26409,
PMTR-69461

Security Gateway

In some scenarios, policy installation on the MDPS Gateway fails with "ERROR: Duplicate keys in table 'cluster_members_ids_by_ips'" errors in SmartConsole. Refer to sk173485.

PRJ-24127,
PRHF-15896

Security Gateway

RADIUS authentication failure messages are written to SmartConsole logs but not presented to a user. Refer to sk173927.

PRJ-21271,
PMTR-56012

Security Gateway

In some scenarios, emails may be stuck in the MTA queue.

PRJ-26016,
PMTR-68942

Security Gateway

In a rare scenario, a memory leak may occur in the in.emaild.mta process.

PRJ-18127,
PMTR-60844

Security Gateway

In some scenarios, an incorrect interface name is displayed in CPView.

PRJ-25393,
PRHF-17173

Security Gateway

In some scenarios, there is no match on URL Filtering rules.

PRJ-26269,
PRJ-26257

Security Gateway

In a rare scenario, incorrect error messages regarding the ICAP client flow appear in dmesg. Refer to sk173546.

PRJ-26345,
PMTR-69467

Security Gateway

When using Routing separation and ClusterXL, the "cphaprob -a if" command displays "mdps_tun" as "DOWN".

PRJ-26152,
PMTR-69312

Security Gateway

In a rare scenario, a memory leak may occur when IPS / Anti-Bot / Anti-Virus Blade is enabled.

PRJ-25817,
PRHF-16364

Security Gateway

Added Dynamic Anti-Spoofing stability enhancements.

PRJ-27624,
PMTR-71034

Security Gateway

In some rare scenarios, only after a fast policy installation with a Non-FQDN object or an updatable object, wild card domains may not be enforced.

PRJ-27124,
PMTR-70644

Security Gateway

Improved Generic Data Center object download to Security Gateway.

PRJ-25738,
PRHF-16886

Security Gateway

In some scenarios, Security Gateway may crash when ICAP client is enabled.

PRJ-26619,
PRHF-17663

Security Gateway

In some scenarios, "[INFO] encode resource in base64 failed" messages generated by the RAD process are shown in /var/log/messages file.

PRJ-26596,
PMTR-70023

Security Gateway

Configuring the "Virtual Activation Timeout" option above 65535 may lead to an incorrect timeout definition.

PRJ-23066,
PMTR-63142

Security Gateway

Improved displayed drop log messages on the Security Gateway:

  1. To see drops since the last reboot, use the fw ctl drop command.
  2. To see drops in real time, use the CPView tool.

Refer to sk172232.

PRJ-22625,
PRHF-15835

Security Gateway

In some scenarios, the VSX Cluster switch may cause a core dump.

PRJ-24010,
PRHF-16196

Security Gateway

In rare scenarios, when the sd_global_monitor_only property is set to true, there is no HTTP inspection.

PRJ-24903,
PMTR-66910

Security Gateway

In rare scenarios, the name of the application that drops a packet was not shown in the drop debug. Instead, the "PSL Drop: internal - drop enabled" message was displayed.
With this fix, the reason for the drop will be displayed.

PRJ-24838,
PRHF-15080

Security Gateway

In some scenarios, when moving Mobile Access from Legacy to Unified Policy, a previously configured native application may stop working. Refer to sk172935.

PRJ-23539,
PMTR-66212

Security Gateway

In some scenarios, values set in fwkern.conf may not be applied correctly.

PRJ-25553,
PMTR-67991

Security Gateway

In some scenarios, connections are dropped with the "Virtual defragmentation error: fragment table is full" message. Refer to sk180404.

PRJ-25483,
PRHF-17175

Security Gateway

In a rare scenario, the PDPD or VPND process on the Security Gateway consumes high CPU. Refer to sk173706.

PRJ-25472,
PRHF-12897

Security Gateway

In rare scenarios, SmartView Monitor shows the "Error code: 2147483647" message when viewing data from a VSX Gateway. Refer to sk174206.

PRJ-25157,
PMTR-67534

Security Gateway

When running the "fwaccel stats -r" command to reset the SXL statistics, the statistics may become corrupted.

PRJ-24530,
PRHF-16667

Security Gateway

In a rare scenario, the FWK process unexpectedly exits on the Security Gateway.

PRJ-29346,
PRHF-17221

Security Gateway

In a rare scenario, the Security Gateway may sporadically crash.

PRJ-18868,
PRHF-13722

Security Gateway

In rare scenarios, DynamicID authentication fails with a "Server_code 403 log_msg General HTTP error" message in vpnd.elg. Refer to sk170303.

PRJ-23273,
PRHF-15932

Security Gateway

In some scenarios, the "fw ctl affinity" command on MDPS Dplane does not show the Mplane Multi-Queue interfaces.

PRJ-29094,
PRHF-18786

Security Gateway

In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages.

PRJ-26140,
PMTR-69466

Internal CA

UPDATE: Added automatic extension for Internal CA database to support more than 100,000 certificates.

PRJ-25273,
PMTR-68358

Internal CA, VPN, Multi-Portal

UPDATE: The IKE certificate's validity period is set to 1 year by default. Refer to sk176527.

PRJ-26649,
PMTR-70065

Internal CA

UPDATE: Expired certificates are now cleaned from the Internal CA database every three weeks and after reboot. Refer to sk42424.

PRJ-24831,
PMTR-67854

Internal CA

sk172610 was added to the "Failed creating certificate. Certificate with a different letters' case exists" error message.

PRJ-25544,
PRJ-26201

Anti-Virus

In a rare scenario, the Security Gateway may crash when working with Anti-Virus.

PRJ-25245,
PMTR-68421

Threat Extraction

UPDATE: On a gateway configured with Autonomous Threat Prevention (ATP), the Threat profile field in sanitization (Threat Extraction) logs will refer to the current ATP profile installed.

PRJ-26524,
ODU-78

Threat Extraction

Added Update 4 of Threat Extraction Engine. Refer to sk165832.

PRJ-22272,
PRHF-14664

Threat Prevention

Improved the Threat Prevention policy installation time when installing on more than two Security Gateways.

PRJ-25845,
PMTR-63963

Threat Prevention

In rare scenarios, the Threat Prevention Blade Exception used for performance optimization does not work as expected.

PRJ-25056,
PMTR-67604

Identity Awareness

NEW: Added Identity Collector Service Accounts exclusion. The default threshold value is 10. Refer to sk174266.

PRJ-24690,
PRJ-25444,
PRJ-21304

Identity Awareness

NEW: Added support for SAML authentication method for Remote Access VPN. Refer to sk172909 for configuration instructions.

  • Requires R81 SmartConsole Build 553 (or higher).

PRJ-24500,
PMTR-67597

Identity Awareness

NEW: Added a new Auto-Tune feature for Nested Groups to select the optimal nested state for maximum performance.
The feature is disabled by default. To enable it, refer to sk128212.

PRJ-25383,
PMTR-68590

Identity Awareness

UPDATE: Changed the Web-API conciliation score from 10 to 15.

PRJ-25926,
PMTR-68088

Identity Awareness

Optimized the PDP expired timers mechanism performance.

PRJ-25582,
IDA-3937

Identity Awareness

In some scenarios, Identity Awareness with enabled Remote Access identity source constantly prints "A secondary session request was received from the same IP" message in the log and overrides the existing session.

PRJ-17567,
MBS-11293

Identity Awareness

IDA database may become corrupted on Scalable Platforms configured with multiple Identity Collectors in redundancy mode or Identity Sharing.

PRJ-26232,
IDA-4019

Identity Awareness

When the PDP gateway is connected to multiple pre-R81 PEP gateways, the CPU consumption may be high. Refer to sk173709.

PRJ-29307,
PMTR-72312

URL Filtering

In some scenarios, HTTPS connections to Servers with untrusted certificates are held and not resumed (page cannot load).

PRJ-24629,
TEX-2201

UserCheck

In rare scenarios, when clicking the "Send Original Mail to me" button (sk140214) in the UserCheck portal for Threat Extraction, the action fails with the "An unexpected error has occured." error message.

PRJ-26166,
PMTR-69256

IPS

In rare scenarios, the FWK process may unexpectedly exit when installing the policy.

PRJ-23674,
PRHF-14886

IPS

A redundant debug message may be displayed in dmesg logs.

PRJ-22232,
PRHF-14501

IPS

Packet capture may not be generated for certain IPS protections.

PRJ-27971,
PRHF-15586

IPS

Added IPS Core Protections scan improvements for HTTP traffic.

PRJ-26107,
PRHF-17301

IPS

Security Gateway may crash when the IPS profile name is very long. Refer to sk174025.

PRJ-18857,
PRHF-858

DLP

DynamicID via SMTP does not work when an HTTP proxy Server is defined.

PRJ-26008,
PMTR-61844

SSL Inspection

When TLS 1.3 is enabled, a connectivity issue may occur for non-TLS traffic over inspected ports.

PRJ-26740,
PRHF-4657

SSL Inspection

Added an option to bypass Name Constraints extension on certificates using a registry flag. Refer to sk159692.

PRJ-20681,
PRHF-14540

SSL Inspection

A table hash size may be too small for some environments and cause increased CPU usage.

PRJ-25222,
PRHF-17088

Mobile Access

Improved the Portal Rendering performance in Unified Policy mode.

PRJ-21798,
PMTR-60183

Mobile Access

The "Favorites" button does not work if the URL does not start with "https://".

PRJ-24688,
PRHF-16135

Mobile Access

In some scenarios, the HTTPD process consumes high CPU, causing slowness in access to web applications.

PRJ-23732,
PRHF-16302

Mobile Access

In some scenarios, when configuring the "X-Forwarded-For" header to MAB reverse proxy, the header is passed in reverse order.

PRJ-25105,
PRHF-17025

ClusterXL

Data connections from the Standby member of an Active-Standby cluster may be dropped on the stealth rule when "fwha_cluster_hide_active_only" is set to 1.

PRJ-26575,
PMTR-69991

ClusterXL

The "set cluster member ccpenc" command description falsely shows that the default setting is off.

PRJ-26981,
PMTR-64228

ClusterXL

In some scenarios, in Load Sharing mode, the cphaprob show_bond command on the Security Management Server shows the back-up subordinate status as "Not Available". Refer to sk175469.

PRJ-25954,
PRHF-17427

ClusterXL

Hundreds of VLANs in a VSX cluster may cause a VLAN to get an Internal Communication Network IP (funny IP) address when adding/editing a VLAN.

PRJ-26410,
PMTR-64102

ClusterXL

Log shows that CCP encryption fails on each policy installation.

PRJ-23849,
PRHF-15781

SecureXL

In some non-VPN scenarios, MSS Adjustment (Clamping) does not work.

PRJ-22786,
PMTR-65162

SecureXL

In a rare scenario, Security Gateway may crash after running the "fwaccel tab -t connections" command.

PRJ-27226,
PRHF-17734

SecureXL

Invalid VLAN traffic may cause repeated "deliver_list is empty!!!" error messages in the /var/log/messages file.

PRJ-24542,
PMTR-67556

SecureXL

In a VSX environment, the SYN Defender configuration may not be applied correctly.

PRJ-25107,
PRHF-13183

SecureXL

SecureXL keeps forwarding packets in VSX bridge mode when the member is down. Refer to sk169495.

PRJ-25511,
PRHF-16656

SecureXL

In a rare scenario, Security Gateway may crash when generating CPInfo in VSX mode.

PRJ-26925,
PMTR-69753

Gaia OS

NEW: Added support for new card 4 ports 1/10GbE SFP+ Rev 4.1.

PRJ-26757,
PMTR-69435

Gaia OS

In some scenarios, the first packet of any protocol is dropped if there is no ARP cache entry in the ARP table for that destination. Refer to sk173933.

PRJ-26334,
PMTR-44510

Gaia OS

In some scenarios on VSX, the "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-eth instead" message appears in /var/log file.

PRJ-26329,
PMTR-69006

Gaia OS

When using routing separation, Clish configuration for the management plane may be missing.

PRJ-24494,
PRHF-16665

Gaia OS

In a rare scenario, the Security Gateway may become unresponsive. Refer to sk172827.

PRJ-24944,
PRHF-16967

Gaia OS

In some scenarios, Syslog debug messages are incorrectly printed as errors (ERR).

PRJ-25667,
PRHF-16999

Gaia OS

In some scenarios, the driver's (i40e) response time for MQ settings is too long.

PRJ-24597,
PRHF-16780

Gaia OS

When the RADIUS Server uses a multi-pool "Access Challenge", the system sends many authentication requests without waiting.

PRJ-25375,
PRHF-15535

Gaia OS

SNMP sysOID 1.3.6.1.2.1.1.2.0 does not return Check Point system information when queried from Maestro Orchestrator.

PRJ-26576,
SPC-2237

Routing

In some scenarios, BFM fails to create pseudo interfaces (ethX-XX).

PRJ-26792,
MBS-14077

Routing

When working from gclish and Audit Log is enabled, every command is logged twice - once with the real user and once with the admin.

PRJ-26526,
MBS-14049

Routing

When using proxy ARP on an IP address within the same subnet as the cluster IP, no GARP is sent upon failover.

PRJ-25996,
PMTR-69290

Routing

In some scenarios, the monitored IP option "force-if-symmetry" does not detect the asymmetric ping properly.

PRJ-25915,
ROUT-1502

Routing

Netflow packets are sent from the individual VS IP address instead of VS0.

PRJ-26970,
PMTR-66574

Routing

In some scenarios, the ROUTED process may produce a core dump when it receives IGMPv3 Membership Reports over a long period of time.

PRJ-26962,
PMTR-65589

Routing

The ROUTED process may unexpectedly exit when candidate RP is enabled, and a rapid failover occurs or when the candidate RP interface is disconnected.

PRJ-25319,
PMTR-68232

Routing

In some scenarios, CPView displays incorrect values of RIP statistics.

PRJ-27060,
PRHF-17925

Routing

In some scenarios, the ROUTED process may unexpectedly exit when there is a static route and a kernel route to the same destination.

PRJ-24389,
MBS-12759

Routing

In rare scenarios, a Load Sharing cluster can experience DHCP relay drops with the "dropped by fw_post_vm_chain_handler Reason: Handler 'dhcp_reply_code' drop" message.

PRJ-23484,
PMTR-65524

VoIP

In some scenarios, the "sip_increase_opq_rnum: Error - number of reinvites exceeded the limit" message, which indicates a malfunctioning SIP flow, is printed in SIP debug.

PRJ-23968,
PRHF-16338

VSX

UPDATE: Added ability to change the Management and Sync interfaces via vsx_util change_interfaces.

PRJ-19978,
PRHF-14371

VSX

In some scenarios, the "cpstat vsx" command does not show the correct output. Refer to sk170793.

PRJ-26355,
PMTR-69561

VSX

In some scenarios, the priority list cannot be manually set via the "vsx_util vsls" command.

PRJ-26633,
PMTR-69220

VSX

A bridge on a regular VS (not VS in bridge mode) is not supported on a VSX cluster in Active/Active mode.

This fix blocks:

  1. Adding a bridge to a regular VS when the VSX is a cluster in Active/Active mode.
  2. Converting a VSX cluster to Active/Active mode when a regular VS with a bridge exists.

PRJ-26451,
PMTR-67687

VSX

In some scenarios, toggling between "Active up" mode and "Primary up" mode of a VSLS cluster with "vsx_util" is not reflected on the Gateway when using the "cphaprob stat" command.
This fix ensures that the change will always be reflected on the Gateway.

PRJ-26443,
PMTR-69836

VPN

In rare scenarios, a memory leak related to gateway authentication may occur.

PRJ-26246,
PMTR-69455

VPN

In some scenarios, the VPND process may unexpectedly exit when connecting with strongSwan client.

PRJ-26435,
PRHF-2715

VPN

In a rare scenario, a memory leak may occur when RASession_util is active.

PRJ-25986,
PMTR-65599

VPN

In rare scenarios, IKE negotiation fails when using IPv6 addresses.

PRJ-26434,
PMTR-69479

VPN

In a rare scenario, the IKED process unexpectedly exits with a core dump when using Office Mode IP allocation for clients, and users cannot connect.

PRJ-26205,
PMTR-68557

VPN

MEP failover with 3rd party vendors may not work correctly.

PRJ-26268,
PMTR-68840

VPN

In some scenarios in MEP configuration, failover to available MEP members may fail.

PRJ-26400,
PRHF-17622

VPN

Policy installation may fail when VPN community is not configured on the Security Gateway. Refer to sk174235.

PRJ-24808,
PRHF-16698

VPN

Site to Site VPN connectivity issue when NAT is enabled.

PRJ-26789,
PMTR-69945

VPN

In some scenarios, an incorrect Host IP address is shown in SmartConsole log when a client is not authorized to log in.

PRJ-26624,
PRHF-17733

VPN

Added VPN stability improvement in IKEv2.

PRJ-22529,
PMTR-64500

VPN

When Multiple Factor Authentication is configured with DynamicID, VPN clients may receive four password prompts. Refer to sk144932.

PRJ-28152

VPN

In some scenarios, this policy warning is displayed on CMAs: "gen_implied_rule: fail to get rule template ('iked_ports_block_in/out' rule will not be generated)".

PRJ-25335,
VPNS2S-2335

VPN

In some scenarios, the "Illegal sequence number" error may be printed in Dead Peer Detection (DPD) debug.

PRJ-25054,
PRHF-16121

VPN

In some scenarios, a user may not be able to connect because the VPND process unexpectedly exits.

PRJ-26342,
PMTR-69135

VPN

In some scenarios, Phase 2 NULL encryption in IKEv2 fails with "Received notification from peer: No proposal chosen" message in the log.

PRJ-26928,
PMTR-70367

VPN

In some scenarios, the VPND process unexpectedly exits after installing the policy.

PRJ-25134,
PMTR-68208

VPN

In some scenarios, the VPN Remote Access client cannot reconnect after changing the authentication method.

PRJ-26176

Harmony Endpoint

Harmony Endpoint Web Management Update - Compliance, Application Control, Firewall, and export package were added.

PRJ-26281,
PMTR-69675

Harmony Endpoint

In some scenarios, the "Pre-boot screen saver" in SmartEndpoint Common Client Settings Policy is not visible.

PRJ-27583,
EPS-33262

Harmony Endpoint

In some scenarios, the "Uninstall Client" push operation in SmartEndpoint cannot be initiated and fails with an exception.

PRJ-27321,
PMTR-70852

Harmony Endpoint

In some scenarios, the EP URL Filtering policy may block websites under category 32 (political/legal) instead of category 31 (phishing).

PRJ-28655

Harmony Endpoint

In some scenarios, only partial info is shown in the Anti-Malware updates dialog window in SmartEndpoint.

PRJ-25729,
PMTR-68887

QoS

A memory leak may occur when using Domain names in QoS policy rules. Refer to sk174904.

PRJ-26795,
PRHF-17668

CloudGuard Network

In some scenarios, CloudGuard Controller fails to fetch data from the standby ACI Server when the main ACI Server is unreachable.

PRJ-25373,
PRHF-17170

CloudGuard Network

CloudGuard Controller with Cisco ACI Data Center sends updates without IP addresses to Security Gateways.

PRJ-26798,
PMTR-69072

CloudGuard Network

In some scenarios, CloudGuard Network Standby member cannot access the Internet. Refer to sk175108.

PRJ-21257,
MBS-10123

Scalable Platforms

NEW: Added support for the new SNMP OIDs to get performance statistics from VSX Virtual Systems.

Configuration in Gaia gClish:

  1. Run: g_all "vsx mstat enable"
  2. Run: g_all "reboot"
  3. Configure SNMP v3 in the VS mode as described in sk90860.

SNMP OIDs - Statistics from the specified Virtual System, statistics from each cluster member:

  • Number of concurrent connections - 1.3.6.1.4.1.2620.1.48.30.30.10.1.*

  • Physical memory - 1.3.6.1.4.1.2620.1.48.30.40.10.1.*

  • Packet rate - 1.3.6.1.4.1.2620.1.48.30.80.10.1.*

  • Throughput - 1.3.6.1.4.1.2620.1.48.30.90.10.1.*

  • Interface packet rate - 1.3.6.1.4.1.2620.1.48.30.100.10.1.*

  • Connection rate - 1.3.6.1.4.1.2620.1.48.30.120.10.1.*

  • Virtual memory - 1.3.6.1.4.1.2620.1.48.30.130.10.1.*

SNMP OIDs - Statistics from the specified Virtual System, total statistics from all cluster members:

  • Total number of concurrent connections - 1.3.6.1.4.1.2620.1.48.30.30.20

  • Total packet rate - 1.3.6.1.4.1.2620.1.48.30.80.20

  • Total throughput - 1.3.6.1.4.1.2620.1.48.30.90.20

  • Total connection rate - 1.3.6.1.4.1.2620.1.48.30.120.20

PRJ-26563,
PMTR-66250

Scalable Platforms

NEW: Added new parameters for SNMP traps sent from Security Group Members:

  • chkpnyTrapChassisId : shows the chassis ID of the sender SGM
  • chkpnyTrapBladeId : shows the Blade ID of the sender SGM

PRJ-23649,
MBS-13202

Scalable Platforms

UPDATE: Removed unsupported OIDs 1.3.6.1.4.1.2620.1.48.20.5 and 1.3.6.1.4.1.2620.1.48.21.5 from the chkpnt.mib file.

PRJ-25357,
MBS-13352

Scalable Platforms

UPDATE: Limited the /var/log/dist_mode.log file rotation size to 20MB to prevent exhaustion of disk space.

PRJ-22208,
PMTR-64637

Scalable Platforms

UPDATE: Added Member ID to connection and session log.

PRJ-21245,
MBS-10229

Scalable Platforms

UPDATE: Added the new column "asgResourceTitle" to the SNMP Table "asgResourceTable". The new column contains the Security Group Member ID and the resource name.

Format of the output: "Site <Site-ID> Member <Member-ID> <Resource-Name>"

Example output: "Site 2 Member 1 Memory Utilization"

The SNMP OID of the new column is: asgResourceTable.1.8 (.1.3.6.1.4.1.2620.1.48.23.1.8).

PRJ-22986,
PMTR-65813

Scalable Platforms

UPDATE: New OIDs are assigned for these appliances:

  • checkPoint61000 - .1.3.6.1.4.1.2620.1.6.123.1.3001
  • checkPoint64000 - .1.3.6.1.4.1.2620.1.6.123.1.3002
  • checkPoint41000 - .1.3.6.1.4.1.2620.1.6.123.1.3003
  • checkPoint44000 - .1.3.6.1.4.1.2620.1.6.123.1.3004

PRJ-25785,
MBS-13716

Scalable Platforms

"Failed to send event 8 SNMP request to chassis module" errors may appear in the messages log.

PRJ-25526,
MBS-11956

Scalable Platforms

"set user <username> password-hash" and "set user <username> force-password-change" Gaia gClish commands do not take effect on Security Group Members.

PRJ-25858,
MBS-8488

Scalable Platforms

In some scenarios, the fw_full core dump is randomly created on Quantum Scalable Chassis and Quantum Maestro appliances.

PRJ-25495,
MBS-11764

Scalable Platforms

In some scenarios, the asg diag test "IGMP consistency" (asg diag print 26) fails on Quantum Scalable Chassis and Quantum Maestro.

PRJ-25506,
MBS-11670

Scalable Platforms

fwaccel_dos_rate_on_install is not synced between SGM members.

PRJ-25377,
MBS-12356

Scalable Platforms

If the "Chassis HA mode" is configured as "VSLS", the SNMP query for the OID "asgChassisParamsMaxGrade" (.1.3.6.1.4.1.2620.1.48.28.4.1.4 and .1.3.6.1.4.1.2620.1.48.28.4.1.5) returns a wrong value.

  • With this fix: When the High Availability mode is configured as VSLS, the Chassis grade will return "N/A". Otherwise, the real Chassis grade will be displayed to the user.

PRJ-25376,
PMTR-65459

Scalable Platforms

The "asg_provision" command fails on hotfix inconsistency if run outside of the global context (VS instead of VS0).

PRJ-25374,
MBS-12834

Scalable Platforms

The "asg_license_verifier -v" command, which validates the licenses on an SP cluster, may incorrectly fail with the "Different licenses are installed across Blades" message.

PRJ-27324,
PMTR-70795

Scalable Platforms

The VSX gateway creation on Scalable Platforms via SmartConsole or VSX Provisioning tool fails with the "Failed to determine appliance type" error.

PRJ-27173,
MBS-14108

Scalable Platforms

The MIB file $CPDIR/lib/snmp/chkpnt.mib fails MIB validation tests in the SNMP tree OID .1.3.6.1.4.1.2620.1.48.0 (asg).

PRJ-26066,
MBS-13605

Scalable Platforms

Improved the memory usage calculation by the "asg perf" command.

PRJ-25671,
MBS-13627

Scalable Platforms

  • Output of the "asg perf -p" command shows that the "Throughput" is 0 in the "Firewall" column.
  • Output of the "asg perf -v" command shows the "Throughput" value is lower than expected (the F2F traffic is missing).

MBS-13627

Scalable Platforms

In some scenarios, SNMP Query for OID .1.3.6.1.4.1.2620.1.48.20.1.0 (asgThroughput) returns a value lower than expected (the F2F traffic is missing).

PRJ-25542,
MBS-11427

Scalable Platforms

The FWD process may unexpectedly exit when adding/deleting the "fw samp" rules.

PRJ-26038,
MBS-13989

Scalable Platforms

The "asg perf" command may display wrong values for "Throughput" and "Packet rate".

PRJ-25741,
MBS-11788

Scalable Platforms

Improved the memory / partitions size validity tests in the "asg resource" command.

PRJ-25777,
MBS-6708

Scalable Platforms

When interrupting the "asg_perf_hogs -v" command with the CTRL+C keys, the message on the screen shows "Operation was canceled/terminated by user" instead of "No issues were found".

PRJ-21329,
MBS-8558

Scalable Platforms

In rare scenarios, Switch distribution update in an early stage may trigger the FWK process to unexpectedly exit.

PRJ-21328,
MBS-9585

Scalable Platforms

In some scenarios, the output of the "asg_policy verify -a" command in the "Summary" section for the Security Group Member shows "Policy date is lower than max policy date".

PRJ-21323,
MBS-12525

Scalable Platforms

In some scenarios, SH zombie processes are created after a reboot or policy installation.

PRJ-22146,
PMTR-64499

Scalable Platforms

The "delete backup" gClish command deletes backups only on the local member and not on all Security Group members.

PRJ-21073,
PMTR-63442

Scalable Platforms

With this fix, sam_policy (samp) rules will be applied to new members added to the Security Group automatically.

PRJ-22982,
MBS-7805

Scalable Platforms

After adding a subordinate interface to a Bond interface, the output of the "asg diag" command shows that the "Distribution Mode" test failed because of an issue with the subordinate interface.

PRJ-21832,
MBS-13133

Scalable Platforms

SNMP queries for OIDs 1.3.6.1.4.1.2620.1.48.20.5 and 1.3.6.1.4.1.2620.1.48.21.5 return an empty result. Refer to sk173423.

PRJ-21580,
MBS-8858

Scalable Platforms

Improved the Distribution Mode configuration for Bridge interfaces - each subordinate interface has a different Distribution Mode.

PRJ-20750,
MBS-10656

Scalable Platforms

In some scenarios, the "mq_mng -o -v" command fails with the "Error executing command" error message.

PRJ-25801,
MBS-6493

Scalable Platforms

Asymmetric traffic may fail if the "Synchronize connections if Synchronization is enabled on the cluster" checkbox in the "Cluster and synchronization" section of the corresponding service's properties is not selected.

PRJ-25745,
MBS-5608

Scalable Platforms

The command help (-h) of the "asg_hard_start" command is missing the description of the -b parameter.

PRJ-25719,
MBS-6180

Scalable Platforms

Removed the "-amw" flag from the syntax of the "asg stat" command. Run the "asg stat -v" command to get the required information.

PRJ-22554,
PMTR-65496

Scalable Platforms

Setting multi-queue on backplane interfaces via "mq_mng -s manual" command fails with the "Error executing command" error.

PRJ-25344,
MBS-11411

Scalable Platforms

In some scenarios, the unclear message "Management loss failure" is displayed in the command line.

PRJ-25572,
MBS-8473

Scalable Platforms

Removed the "ccutil reset_parity_counter" command from the code.

PRJ-25576,
MBS-7630

Scalable Platforms

The output of the "asg stat vs" command in the "Virtual System Status" section shows "active chassis" in lowercase when a Virtual System is in freeze. Now the output shows "Active chassis" with a capital letter.

PRJ-25589,
MBS-11765

Scalable Platforms

Gaia users other than the 'admin' cannot use SCP to connect to a Security Group Member, even if the default shell /bin/bash and the 'admin' role are configured.

PRJ-25463,
MBS-12375

Scalable Platforms

Gaia gClish commands that take more than 60 seconds to execute fail with "CLINFR0739 error in command execution; see "/var/log/messages"". Refer to sk170301.

PRJ-23285,
PMTR-65791

Scalable Platforms

In some scenarios, the "RTNL: assertion failed" errors appear in /var/log/messages on Quantum Maestro/Quantum Scalable Chassis.

PRJ-23217,
MBS-9689

Scalable Platforms

In VSLS scenarios when the SMO is the ARP master, in ACTIVE-ACTIVE state the wrong VS may answer ARPs, causing "out-of-state" in TCP connections.

PRJ-28053,
PMTR-71372

Scalable Platforms

In some scenarios, the Maestro Gateway leaves the Security Group.

PRJ-22976,
MBS-9077

Scalable Platforms

Setting MTU on Management Aggregation (MAGG) interface may fail.

PRJ-28016,
PMTR-71262

Scalable Platforms

In some scenarios, a bond interface subordinate fails to initialize properly and shows a partner system MAC address of 00:00:00:00:00:00.

PRJ-26992,
ODU-123

HCP

Added Update 3 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-24089,
ODU-91

HCP

Added Update #2 of HealthCheck Point (HCP) Release. Refer to sk171436.

PRJ-26326,
CST-212

Carrier Security

The FWK process may unexpectedly exit producing a core dump when the GTP tunnel expires.