R81 Jumbo Hotfix Take 51

UPDATE: The Management API "show-logs" command timeout increased from 2.5 minutes to 5 minutes.

UPDATE: Added new flags for Management API commands "add/set simple-gateway" and "add/set simple-cluster":

• "nat-hide-internal-interfaces" and "nat-settings" for NAT configuration.
• "fetch-policy" for Fetch Policy configuration.
• "advanced-settings.sam" for SAM configuration.
• "advanced-settings.connection-persistence" for Connection Persistence configuration.

In rare scenarios, Security Management upgrade or migration may fail due to missing temporary files.

In environments with a large number of objects, licenses for cluster members in the Licenses tab may not be displayed.

In some scenarios, when using a VPN community, the status of the Global Domain Assignment may change to "not up to date", although no changes were made in the Global Domain.

In rare scenarios, more than one IP address may be shown in SmartConsole's Sessions view under the "Connected From" column.

If Brute Force Password Guessing Protection is set to the value of more than 25 seconds, login to SmartConsole fails.

• Requires R81.00 SmartConsole Build 556 (or higher).

In a rare scenario, policy installation may fail with a "Policy installation had failed due to an internal error" message.

In a rare scenario, policy installation may fail with a message: "Policy installation had failed due to an internal error".

In rare scenarios, an upgrade may fail when there is an OPSEC Server object configured.

In some scenarios, "show-mdss" and "show-domains" Management API commands take a significant amount of time to complete or time out after 5 minutes.

Virtual session timeout for a TCP service cannot exceed 86400 seconds. Refer to sk168872.

In rare scenarios, High Availability on the Global Domain may fail to synchronize the Multi-Domain Log Server if IPS protection was added or removed in the Threat Prevention rulebase.

In some scenarios, the Administrators view may not filter Domain names according to the permission profile of the connected administrator.

In a rare scenario, the "show hosts" Management API command with "details-level full" fails with a "Java.util.InputMismatchException: got at least one duplicate UID in requested list, duplicates UIDs:" message.

Global Policy reassignment may fail with "An internal error has occurred" due to duplicated Access Policy Assignment object. Refer to sk174183.

In some scenarios, the output of the "cpmistat" command may contain partial information.

In rare scenarios, if Domain migration fails, the operation may not revert fully and leave some remnants in the database of the Management Server.

Scheduled IPS updates data may not be shown in the IPS update report.

In some scenarios, simultaneous policy installation on multiple Gateways may fail if there is at least one Gateway on R77.X and one Gateway on R80.X.

In rare scenarios, after the Security Management Server starts up, when connecting to SmartConsole, some objects appear more than once.

In some scenarios, an API query to VRRP cluster for "show simple-cluster name <name>" returns an incorrect cluster type. Refer to sk174866.

In rare scenarios, after an upgrade, the CPD process in a Multi-Domain environment may unexpectedly exit, creating a core dump file.

In rare scenarios, the "set-group" API command may return the "generic_err_invalid_parameter" error.

After an upgrade from R77.x. in a multi-site environment, High Availability full synchronization may fail with an "NGM failed to load data" message.

In some scenarios, the "show gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full".

In a rare scenario, the licensing status in SmartConsole is displayed incorrectly.

UPDATE: Added CPInfo build 914000219. Refer to sk92739.

In some scenarios, SNMP statistics per VS may not be displayed in CPView.

NEW:

• In SmartEvent GUI added new products: "Behavioral Guard", "Anti-Exploit", "Anti-Bot" and "Anti-Ransomware"
• For Endpoint logs correlation, added a new pre-defined event: "Harmony Endpoint" under Legacy -> Endpoint Security.

UPDATE: During Management and Log Servers upgrade from R80.X to R81, indexes, stored in external storage (sk66003), can now be upgraded as part of the flow.

In some scenarios, emails of DLP Blade may be sent with obfuscated information, with no option to present the full data. Refer to sk106430.

When AES authentication is configured, the "thresold_config" command does not send traps for SNMP v.3. Refer to sk173045.

When adding the "UC Block" action, log queries may not show UserCheck logs. Refer to sk174543.

In a rare scenario, logs that are created exactly at midnight, are shown in the SmartConsole Logs view tab but not shown in SmartView web.

In a multi-site MDM environment, Log queries may fail to retrieve results from a CMA or CLM, if there is another CMA or CLM with the same sic_name.

When using the LEEF format in the Log Exporter tool, product names miss the last letter.

The CPSEMD process on SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event.

• In environments with more than 500K network objects, the LOG_INDEXER process may lead to a memory leak.
• In some scenarios, when there are offline logs to index, queries are slower than expected.

On a Management Server, with SmartEvent enabled and many Networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message, and the FWM process is running with a high CPU. Refer to sk167239.

In environments with more than 500K network objects, the LOG_INDEXER process on SmartEvent and Correlation Unit Server may unexpectedly close with the "Out of memory" error and a dump core file, although limited resolving is enabled (according to sk164452).

When traffic is dropped due to a Threat Prevention rule, fetching a packet capture from a security Blade violation log may not work.

NEW: Added a new kernel parameter "up_disable_early_drop_optimization_for_reject" to disable "Early Drop Optimization" for reject rules. The parameter is enabled by default.

UPDATE: The default value for the kiss_kthread_allow_resched kernel parameter is changed to 1. Refer to sk170560.

UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set _fw_bridge_with_ip_routing=1_ in the _$FWDIR/fwkern.conf_ file. Refer to sk165560.

In some scenarios, the CPD process may consume high CPU because of the memory leak in File Download Tool (FDT).

A "fw_xlate_rule_count_dec: refcount is negative" message may be displayed in dmesg when IP pool NAT is used on a cluster environment.

In rare scenarios, creating a new SAM rule on a Management machine may fail.

After policy installation, Security Gateway may stop responding due to memory leaks.

Added cosmetic fixes of the "cpwd_admin list" command output.

In a rare scenario, a memory leak may occur on the Security Gateway.

In rare scenarios, a duplicate entry may appear in the /etc/cpshell/log_rotation.conf file. This issue is only cosmetic.

In some scenarios, the ROUTED process may unexpectedly exit.

SNMP lowDiskSpace trap with MDPS does not work with SNMP versions v1/v2 . Refer to sk173811.

Negative values may appear in the output of the "fw tab -t connections -s" command and under the NAT section.

In some scenarios, policy installation may take longer or fail when GEO Updatable Objects are used in the policy.

In a rare scenario, due to TCP connection reuse, a TCP connection may not be initiated Refer to sk11088.

In a very rare scenario, the ICAP Server may crash with a core dump file generated.

The cpsicdemux process may unexpectedly exit, causing the Secure Internal Communication (SIC) connection to fail.

In a rare scenario, Security Gateway may crash.

Added a translation of the error exit code of cprid_util in $CPDIR/log/cprid_util.elg debug log.

In a rare scenario, the Security Gateway may crash when disabling or enabling Threat Prevention Blade.

In rare scenarios, the Security Gateway may crash when the TCP connection is unexpectedly closed.

SSH Deep Packet Inspection (SSH DPI) may fail after upgrade to R81.

Large file transfer in connections inspected by SSH Deep Packet Inspection (SSH DPI) may fail if SSH renegotiation is performed during the transfer.

Improved telemetry for Infinity Vision SOC.

Threat Prevention policy installation may fail when loading 2 IoC feeds that contain the same signature name for one of the observables.

UPDATE:

• Increased the default timeout values of entries: connected_pdp_refresh_interval is now set to 240 seconds and connected_pdp_grace_period is now set to 360 seconds.
• Added the "Identity information / Network information will be deleted" alert to SmartConsole.

Improved the Identity Server (PDP) performance for publishing new network on Identity Sharing with SmartPull.

In a rare scenario, the Security Gateway may crash.

In a rare scenario, some IPv6 sessions may get deleted due to an incorrect update of Identity Gateway (PEP) kernel tables.

Proxy source IP address is not printed in the IPS logs.

An HTTP download of a large file may unexpectedly stop with an error message.

In rare scenarios, if IPS Geolocation is enabled, the Security Gateway may crash.

Improved the handling of decoded HTTP/S traffic.

In some scenarios, a memory leak may occur when creating ECDHE keys.

A memory leak in HTTPS Inspection and HTTPS portals may occur when using ECDHE ciphers.

In a rare scenario, the VPND process may unexpectedly exit causing user disconnections from Checkpoint Mobile client.

In a very rare scenario, after adding a member to a cluster, the FWK process may unexpectedly exit, creating core dumps.

TCP packets may be dropped as "TCP out of state" although following sk11088.

In some scenarios, when BootP is configured, during policy installation, the Security Gateway may become unresponsive and the ROUTED process may crash.

During the boot process "pbrroute-conf" messages may appear. Refer to sk173514.

BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer.

AS path loops may occur, although BGP multihop is configured.

In rare cases, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the Graceful Restart ending.

RIM script is not invoked for DAIP peer with Dead Peer Detection (DPD) permanent tunnels in passive mode.

In some scenarios, a memory leak may occur when using the SSL Network Extender (SNX) client to create a site.

In a rare scenario, a memory leak may occur.

Reauthentication of the client may lead to a memory leak.

When StrongSwan client connecting with a RADIUS user, it may not receive an Office Mode IP address.

Improved VPN Site to Site tunnel establishment scenario with IKEv2. Refer to sk175092.

The VPN Logs view show IP address octets in an unexpected (reversed) order. Refer to sk172807.

IPSec VPN uses the wrong source IP address when initiating NAT-T encrypted traffic. Refer to sk172805.

In some scenarios, the user may not be able to connect because the CVPND process unexpectedly exits.

In some scenarios, when sending the SCV drop log, a memory leak may occur.

In some scenarios, a memory leak may occur on the Security Gateway.

A memory leak may occur in the VPND process.

A memory leak may occur in the VPND process in IKEv2 Site to Site VPN.

In some scenarios, when NAT is enabled, Route Based VPN traffic may be dropped.

Recreation of a virtual system may fail due to an internal error.

After reboot, the VS's clish static arps configurations exist, but the static arps may be missing.

This fix allows create/change a VSX cluster/Gateway to have up to 32 CoreXL instances with VSX Provisioning Tool. Currently, it is possible to do this only in SmartConsole.

After 248 days of up time, the VMSS Gateway sends a Cold restart alert reboot, but the VMSS does not reboot. Refer to sk173413.

If NTPD service is configured in Management Data Plane Separation (MDPS) settings, NTPD error logs appear in var/log/messages after a reboot.

A memory leak may occur on a Security Gateway while configuring Secure Internal Communication (SIC).

The Link Layer Discovery Protocol (LLDP) sends the hostname with a dot when the Domain name is empty.

UPDATE: In SmartEndpoint, besides FDE Remote Help, Bitlocker Management Recovery is now available for administrators with limited rights.

Endpoint Firewall may start dropping all network traffic after a Management Server upgrade from R80.10 or older versions.

In the Smart Endpoint tabs, the Server may generate reports where users have long names starting with "ntdomain://".

NEW: In Amazon Web Services (AWS):

• Added Load Balancers tags. The tags can now be viewed in SmartConsole and added to the rulebase.
• Added support for IMDSv2

To enable the feature:

1. Edit the $FWDIR/conf/vsec.conf on the Management Server and add the line: aws.enableLoadBalancersTags=true
2. From SSH run: vsec stop;vsec start

Note: This feature requires adding DescribeTags and DescribeLoadBalancers permissions to the AWS Data Centers accounts.

NEW: In Azure:

• Added Application Security Groups
• Added Private Endpoints

To enable the feature:

1. Edit the $FWDIR/conf/vsec.conf on the Management Server and add the line: azure.enableAsgAndPep=true
2. From SSH run: vsec stop;vsec start

Note: This feature requires adding permissions to list Application Security Groups and Private Endpoints.

NEW: In AWS, Azure and Google Cloud Platform (GCP):

Added support for API calls with HTTP response with reason-code only (without reason-phrase).

Amazon Web Services (AWS) Data Center scan may fail and no updates are sent to the Security Gateway.

If wstunnel loses connectivity, after several attempts it may unexpectedly exit and not restart. Refer to sk166056.

The "Hits" counter value in the SmartConsole rulebase does not update when traffic reaches a non-SMO Security Group member (for Security Gateway only).

In a rare scenario, a memory leak that requires constant reboots may occur.

In a rare scenario, the Chassis Monitor daemon (cmd) fails to retrieve the CPU temperatures due to an SNMP timeout.

Allow Management Loss feature (sk145792) may not enter into Management Loss mode when backplane interface total packets amount exceeds 2 Billion.

Added a cosmetic fix in asgPeaksTable.

If a Bond interface that is assigned to a Security Group is configured in the 802.3AD (LACP) mode, packet loss may occur on a Security Appliance when the Security Appliance becomes active after a reboot.

In a rare scenario, the "asg perf" command may take up to 90 seconds to update the data. The information may differ from CPView results.

The outage may occur when configuring OSPF over VPN/VTI interface because of a missing cluster IP address for VPN/VTI interface.

In some scenarios, boot on SP VSX setup may fail with an "Unable to open '/vs1/dev/fw0': Connection refused" message.

In rare scenarios, after accelerated policy installation, security members may go to down states.

After setting a specific range of Blades in gclish, some commands may fail.

Scalable Platform automatically collects statistics and data in the /var/log/ssm_failure_reports/ directory, when:

• An SSM enters the management loss state. Refer to sk145792.
• An SSM goes down.

In some scenarios, the "asg diag" and "asg_license_verifier" commands fail with an incorrect message: "ERROR: No license for 'IPS-1' [mandatory feature 'ips']".

UPDATE: The "FireWall-1 GX" module is renamed to "Carrier Security".