R81 Jumbo Hotfix Take 42

NEW: Added the Check Point Performance Sizing Utility (CPSizeMe) v5.2.

NEW: Trusted CAs updates for HTTPS Inspection can be configured to be installed automatically upon update. Refer to sk173629.

NEW: Added ability for R81 Security Management or Multi-Domain Server to manage R81.10 Security Gateway.

• Requires R81 SmartConsole Build 553 (or higher).

NEW: Added the Management API command "show-layer-structure".

UPDATE: Performance improvement in an upgrade of Security Management and Multi-Domain Servers with large rulebases.

When running the "fwm logexport" command multiple times, the FWM process may unexpectedly exit, producing a core file.

In some scenarios, Publish operation fails with the "Object with uid=<RandomCharacters> was updated in the database but its dleConvertedObject wasn't found" error. Refer to sk174703.

See the Important Notes section.

In some scenarios, the NAT rule is not enforced when the rule name is identical to an object name placed on the rule.

In rare scenarios, the web_api_show_package.sh script fails, and the log shows "Null Pointer Exception".

In rare scenarios during system startup, a cleanup operation may cause high CPU on multiple Postgres processes and prevent login to SmartConsole. Refer to sk175189.

Packet Mode search in rule base ignores matching of inline layer parent rules. In some scenarios, this may retrieve inline layer rules that should not be matched.

In some scenarios, the "Recent Tasks" view shows the initiator as a System administrator when the Global Manager user initiates reassign and install policy.

In rare scenarios, the Access Control policy installation fails with the "Security Management Server aborted connection" error.

When installing policy on a gateway for the first time, Threat Prevention policy installation may fail if installed with Access policy.

If the Management Server is up for many days, the CPM process memory consumption and CPU usage may increase consistently.

Policy installation to multiple gateways from Install Policy Presets may fail if each policy has its own HTTPS Inspection policy.

In rare scenarios, if the CPM process is up for many days, CPU, and memory consumption may continue to grow until a reboot is performed.

Policy verification may incorrectly fail with a NAT verification error "The range size of Original and Translated columns must be the same".

NEW: Allow creating Domain Management Servers with a netmask different than the one of the Multi-Domain Server. Refer to sk173934.

In rare scenarios, in a Multi-Domain environment with active Domains on multiple Multi-Domain Servers, when performing manual HA sync in one Domain, objects from another Domain are not shown in SmartConsole.

OS information for Domain Servers may not be shown correctly at the MDS level.

In rare scenarios, Global Domain Assignment and Domain Creation tasks may continue to run indefinitely.

UPDATE: Changes report supports up to 50 revisions (instead of 10).

In some scenarios, loading the Access Control policy causes SmartConsole to close unexpectedly. Refer to sk175405.

• Requires R81 SmartConsole Build 553 (or higher).

NEW: Web SmartConsole now includes read/write capability for the most common activities. Refer to Take 44 in sk170314.

After upgrade, SmartView scheduled export to Excel of Reports and Views stop running and users are unable to edit the scheduled tasks. Refer to sk174047.

NEW: Added support for Endpoint Forensics reports to get-attachment API.

NEW: The Log exporter now supports formatting for RSA SIEM application.

UPDATE: When reverting a Management or Log Server from the R81 version 30 days after the upgrade, logs are no longer fetched or indexed.

Threat Emulation log description for HTTP emulation is incorrect.

In rare scenarios, when querying logs with a timeframe larger than 1 day, only 50 logs from each day will be shown.

In SmartView (Reports and Web Logs view), the value of the file size is displayed differently from the Logs view in SmartConsole (GB instead of GiB).

In a Multi-Domain environment, the same Domain may appear twice in the Domains view of the SmartEvent application.

In some scenarios, the LOG_INDEXER process consumes 100% CPU and log indexing fails causing log queries to miss the recent logs. The issue occurs when rules have Accounting enabled and there is a lot of traffic matching these rules.

NEW: Added CPview network statistics and network profile data to SNMP - throughput, packets rate, concurrent connections, drop reasons, top connections, and more.

UPDATE: The prompt indication will show on which plane (management or data) the context is.

For example:

• "[Expert@Host:0]" will be displayed as "[Expert@Host:dplane]" for the data plane.

• "[Expert@Host:1]" will be displayed as "[Expert@Host:mplane]" for the management plane.

Added the Access Control rulebase matching visibility enhancement.

VSX provisioning may fail to commit changes to the VSX database. Refer to sk173683.

In rare scenarios, policy installation may fail with the "Problem with the Commit Function" message.

RADIUS authentication failure messages are written to SmartConsole logs but not presented to a user. Refer to sk173927.

In a rare scenario, a memory leak may occur in thein.emaild.mta process.

In some scenarios, there is no match on URL Filtering rules.

When using Routing separation and ClusterXL, the "cphaprob -a if" command displays "mdps_tun" as "DOWN".

Added Dynamic Anti-Spoofing stability enhancements.

Improved Generic Data Center object download to Security Gateway.

In some scenarios, "[INFO] encode resource in base64 failed" messages generated by the RAD process are shown in /var/log/messages file.

Improved displayed drop log messages on the Security Gateway:

1. To see drops since the last reboot, use the fw ctl drop command.
2. To see drops in real time, use the CPView tool.

Refer to sk172232.

In rare scenarios, when the sd_global_monitor_only property is set to true, there is no HTTP inspection.

In some scenarios, when moving Mobile Access from Legacy to Unified Policy, previously configured native application may stop working. Refer to sk172935.

In some scenarios, connections are dropped with the "Virtual defragmentation error: fragment table is full" message. Refer to sk180404.

In rare scenarios, SmartView Monitor shows the "Error code: 2147483647" message when viewing data from a VSX Gateway. Refer to sk174206.

In a rare scenario, the FWK process unexpectedly exits on the Security Gateway.

In rare scenarios, DynamicID authentication fails with a "Server_code 403 log_msg General HTTP error" message in vpnd.elg. Refer to sk170303.

In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages.

UPDATE: The IKE certificate's validity period is set to 1 year by default. Refer to sk176527.

sk172610 was added to "Failed creating certificate. Certificate with a different letters' case exists" error message.

UPDATE: In Autonomous Threat Prevention (ATP) configured gateway, Threat profile field in sanitization (Threat Extraction) logs will refer to the current ATP profile installed.

Improved the Threat Prevention policy installation time when installing on more than two Security gateways.

NEW: Added Identity Collector Service Accounts exclusion. The default threshold value is 10. Refer to sk174266.

NEW: Added a new Auto-Tune feature for Nested Groups to select the optimal nested state for maximum performance.
The feature is disabled by default. To enable it, refer to sk128212.

Optimized the PDP expired timers mechanism performance.

IDA database may become corrupted on Scalable Platforms configured with multiple Identity Collectors in redundancy mode or Identity Sharing.

In some scenarios, HTTPS connections to Servers with untrusted certificates are held and not resumed (page cannot load).

In rare scenarios, the FWK process may unexpectedly exit when installing the policy.

Packet capture may not be generated for certain IPS protections.

Security Gateway may crash when the IPS profile name is very long. Refer to sk174025.

When TLS 1.3 is enabled, a connectivity issue may occur for non-TLS traffic over inspected ports.

A table hash size may be too small for some environments and cause an increased CPU usage.

The "Favorites" button does not work if URL does not start with "https://"

In some scenarios, when configuring the "X-Forwarded-For" header to MAB reverse proxy, the header is passed in reverse order.

The "set cluster member ccpenc" command description falsely shows that the default setting is off.

Hundreds of VLANs in VSX cluster may cause VLAN to get Internal Communication Network IP (funny IP) address when adding/editing VLAN.

In some non-VPN scenarios, MSS Adjustment (Clamping) does not work.

Invalid VLAN traffic may cause repeated "deliver_list is empty!!!" error messages in the /var/log/messages file.

SecureXL keeps forwarding packets in VSX bridge mode when the member is down. Refer to sk169495.

NEW: Added support for new card 4 ports 1/10GbE SFP+ Rev 4.1.

In some scenarios on VSX, the "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-eth instead" message appears in /var/log file.

In a rare scenario, the Security Gateway may become unresponsive. Refer to sk172827.

In some scenarios, the driver's (i40e) response time for MQ settings takes too long time.

SNMP sysOID 1.3.6.1.2.1.1.2.0 does not return Check Point system information when queried from Maestro Orchestrator.

When working from gclish and Audit Log is enabled, every command is logged twice - once with the real user and once with the admin.

In some scenarios, the monitored IP option "force-if-symmetry" does not detect the asymmetric ping properly.

In some scenarios, the ROUTED process may produce a core dump when it receives IGMPv3 Membership Reports over a long period of time.

In some scenarios, CPView displays incorrect values of RIP statistics.

In rare scenarios, a Load Sharing cluster can experience DHCP relay drops with the "dropped by fw_post_vm_chain_handler Reason: Handler 'dhcp_reply_code' drop" message.

UPDATE: Added ability to change the Management and Sync interfaces via vsx_util change_interfaces.

In some scenarios, the priority list cannot be manually set via the "vsx_util vsls" command.

In some scenarios, toggling between "Active up" mode and "Primary up" mode of a VSLS cluster with "vsx_util" is not reflected on the Gateway when using the "cphaprob stat" command.
This fix ensures that the change will always be reflected on the Gateway.

In some scenarios, the VPND process may unexpectedly exit when connecting with strongSwan client.

In rare scenarios, IKE negotiation fails when using IPv6 addresses.

MEP failover with 3rd party vendors may not work correctly.

Policy installation may fail when VPN community is not configured on the Security Gateway. Refer to sk174235.

In some scenarios, an incorrect Host IP address is shown in SmartConsole log when a client is not authorized to log in.

When Multiple Factor Authentication is configured with DynamicID , VPN clients may receive four password prompts. Refer to sk144932.

In some scenarios, the "Illegal sequence number" error may be printed in Dead Peer Detection (DPD) debug.

In some scenarios, Phase 2 NULL encryption in IKEv2 fails with "Received notification from peer: No proposal chosen" message in the log.

In some scenarios, the VPN Remote Access client cannot reconnect after changing the authentication method.

In some scenarios, the "Pre-boot screen saver" in SmartEndpoint Common Client Settings Policy is not visible.

In some scenarios, the EP URL Filtering policy may block websites under category 32 (political/legal) instead of category 31 (phishing).

A memory leak may occur when using Domain names in QoS policy rules. Refer to sk174904.

CloudGuard Controller with Cisco ACI Data Center sends updates without IP addresses to Security Gateways.

NEW: Added support for the new SNMP OIDs to get performance statistics from VSX Virtual Systems.

Configuration in Gaia gClish:

1. Run: g_all "vsx mstat enable"
2. Run: g_all "reboot"
3. Configure SNMP v3 in the VS mode as described in sk90860.

SNMP OIDs - Statistics from the specified Virtual System, statistics from each cluster member:

• Number of concurrent connections - 1.3.6.1.4.1.2620.1.48.30.30.10.1.*

• Physical memory - 1.3.6.1.4.1.2620.1.48.30.40.10.1.*

• Packet rate - 1.3.6.1.4.1.2620.1.48.30.80.10.1.*

• Throughput - 1.3.6.1.4.1.2620.1.48.30.90.10.1.*

• Interface packet rate - 1.3.6.1.4.1.2620.1.48.30.100.10.1.*

• Connection rate - 1.3.6.1.4.1.2620.1.48.30.120.10.1.*

• Virtual memory - 1.3.6.1.4.1.2620.1.48.30.130.10.1.*

SNMP OIDs - Statistics from the specified Virtual System, total statistics from all cluster members:

• Total number of concurrent connections - 1.3.6.1.4.1.2620.1.48.30.30.20

• Total packet rate - 1.3.6.1.4.1.2620.1.48.30.80.20

• Total throughput - 1.3.6.1.4.1.2620.1.48.30.90.20

• Total connection rate - 1.3.6.1.4.1.2620.1.48.30.120.20

UPDATE: Removed unsupported OIDs 1.3.6.1.4.1.2620.1.48.20.5 and 1.3.6.1.4.1.2620.1.48.21.5 from the chckpnt.mib file.

UPDATE: Added Member ID to connection and session log.

UPDATE: New OIDs are assigned for these appliances:

• checkPoint61000 - .1.3.6.1.4.1.2620.1.6.123.1.3001
• checkPoint64000 - .1.3.6.1.4.1.2620.1.6.123.1.3002
• checkPoint41000 - .1.3.6.1.4.1.2620.1.6.123.1.3003
• checkPoint44000 - .1.3.6.1.4.1.2620.1.6.123.1.3004

"set user <username> password-hash" and "set user <username> force-password-change" Gaia gClish commands do not take effect on Security Group Members.

In some scenarios, the asg diag test "IGMP consistency" (asg diag print 26) fails on Quantum Scalable Chassis and Quantum Maestro.

If the "Chassis HA mode" is configured as "VSLS", the SNMP query for the OID "asgChassisParamsMaxGrade" (.1.3.6.1.4.1.2620.1.48.28.4.1.4 and .1.3.6.1.4.1.2620.1.48.28.4.1.5) returns a wrong value.

• With this fix: When the High Availability mode configured to VSLS, Chassis grade will return "N/A". Otherwise the real Chassis grade will be displayed to user.

The "asg_license_verifier -v" command that validates the licenses on SP cluster, may incorrectly fail with "Different licenses are installed across Blades" message.

The MIB file $CPDIR/lib/snmp/chkpnt.mib fails MIB validation tests in the SNMP tree OID .1.3.6.1.4.1.2620.1.48.0 (asg).

• Output of the "asg perf -p" command shows that the "Throughput" is 0 in the "Firewall" column.
• Output of the "asg perf -v" command shows the "Throughput" value is lower than expected (the F2F traffic is missing).

The FWD process may unexpectedly exit when adding/deleting the "fw samp" rules.

Improved the memory / partitions size validity tests in the "asg resource" command.

In rare scenarios, Switch distribution update in an early stage may trigger the FWK process to unexpectedly exit.

In some scenarios, SH zombies processes are created after a reboot or policy installation.

With this fix, sam_policy (samp) rules will be applied to new members added to the Security Group automatically.

SNMP query for OID 1.3.6.1.4.1.2620.1.48.20.5 and 1.3.6.1.4.1.2620.1.48.21.5 gives empty result. Refer to sk173423.

In some scenarios, the "mq_mng -o -v" command fails with the "Error executing command" error message.

The command help (-h) misses the description of the -b parameter of the "asg_hard_start" command.

Setting multi-queue on backplane interfaces via "mq_mng -s manual" command fails with the "Error executing command" error.

Removed the "ccutil reset_parity_counter" command from the code.

Gaia users other than the 'admin' cannot use SCP to connect to a Security Group Member, even if the default shell /bin/bash and the 'admin' role are configured.

In some scenarios, the "RTNL: assertion failed" errors appear in /var/log/messages on Quantum Maestro/Quantum Scalable Chassis.

In some scenarios, the Maestro Gateway leaves the Security Group.

In some scenarios, bond interface subordinate fails to properly initialize and shows a partner system MAC address of 00:00:00:00:00:00.

Added Update #2 of HealthCheck Point (HCP) Release. Refer to sk171436.