R81 Jumbo Hotfix Take 60

NEW: Added support for Management API commands: "add-rules-batch" and "delete-rules-batch".

UPDATE: Meta-info and comments fields are now displayed in the output of the "show-tasks" API command with "details-level standard".

Added Update 13 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

Desktop policy installation may fail with the "Service ReferenceObject of type is not supported!" error.

In rare scenarios, deleting a Domain fails, leaving some remnants in the Management database.

In rare scenarios, the Management Server may fail to start due to incorrect sessions handling.

In rare scenarios, editing a cluster object fails with the "Code: 0x8003001D, Could not access file for write operation" error. Refer to sk176930.

When searching for tags usage, the "where-used" Management API command may fail with "Requested object not found".

After the Management Server restart, the API command "show_tasks" may show some suppressed tasks as "in progress", if before the restart they were cleared in SmartConsole while they were still running.

• The High Availability status on Security Management Server may be incorrect and performing failover is not possible.
• On Multi-Domain Server, after performing failover in the Global Domain and restarting services, the former active Global Domain Server still appears as active (although it is standby).

When searching an IP in Object Explorer, network objects with both IPv6 and IPv4 configured, may not appear in the results, although they match the IP.

When performing IPS Update or Global Domain Assignment, creating a Domain at the same time may fail with "Internal Error".

Policy installation may fail if more than 20,000 objects are created and added to rules.

In some scenarios, the API command "login-to-domain" fails, and the cpm.elg log shows "Null Pointer Exception".

In some cases, when changing only the "color" and "comment" object fields, policy installation may not be accelerated.

Creating an administrator in a Multi-Domain environment may cause SmartConsole to freeze and time out.

In some scenarios, it is possible to disable a shared layer, although it is used in more than one rule.

• The API command "show_packages_details" does not support the "OneTimeProb" parameter, although it is supported in GUI.
• In some scenarios, the API command "show_packages" with "details-level full" fails with "generic_error".

In rare scenarios, the Management Server may fail to start.

Policy installation with Directional VPN rules may fail with a verification error.

In some scenarios, the user may fail to connect to VPN Remote Access if there are expiration dates saved in a non-English date format. The issue can occur when SmartConsole is installed on a Windows client that uses a non-English locale. Refer to sk173967.

In some scenarios, when editing Exceptions in Inspection Settings, Gateways without IPS Blade may be missing from the "Install On" list.

When many sessions are opened:

• Publish operation may be slow
• APPI Update may be stuck on 30% and eventually fail
• Domain Import task may be stuck after 50% and then fail

In some scenarios, the $MDS_FWDIR/log/cpm.elg file contains many lines about "UnmarshalException".

In some scenarios, deleting a Domain fails when there is an administrator with API key authentication associated with this Domain.

When one Server in a logical Server group is down, the second Server keeps trying to access it, no matter how long the Server is down.

During a CPUSE upgrade of a Multi-Domain Server, if there are multiple external interfaces defined, the Domain Servers may be assigned to an incorrect interface.

The mds_backup script may not collect Multi-Domain Server log files from $MDSDIR/log/.

In some scenarios, auto-update flow fails during updatable object registration.

• Requires R81 SmartConsole Build 559 (or higher).

On Gateways with many interfaces, after policy installation or after reboot, Real-Time Monitor (RTM) may consume a high CPU on the Gateway. Refer to sk170928.

Non-English letters in SmartView reports exported as CSV may be displayed incorrectly. Refer to sk175543.

When SmartView Web is configured to not return empty values, a query may fail with a "query failed" message.

When configuring an Email alert as an Automatic Reaction in SmartEvent, and the alert contains data from the event, some fields may be missing in the generated email.

Daily Log/Indexes Maintenance does not delete old index files from $RTDIR/log_indexes if they contain files or subdirectories with a format different than %Y-%m-%d.

Logs that are sent by Log Exporter in CEF format, cannot be displayed if they include non-digit characters in the "dst_phone_number" field.

In a rare scenario, after an NSX Gateway upgrade, enforcement details/identities are not pushed by the controller to the Gateway automatically, it can be done only by manual update. Refer to sk173323.

In SmartConsole:

• In Gateways and Servers view, IP statuses may not be accurate
• In the Threat Prevention Policy tab, under "Updates", Gateways IPS update status may not be up-to-date, although the new IPS package was received successfully.

NEW: Added a new kernel parameter "cphwd_medium_path_qid_by_cpu_id". The parameter is disabled by default. Refer to sk175890.

UPDATE: The "fw unloadlocal" command can now be used on a Virtual System only with the "-f" flag added. Otherwise, a warning message is displayed, indicating that unloading policy on a Virtual System will cause traffic issues with any Virtual System connected to a Virtual Switch or a Virtual System in Bridge mode.

UPDATE: The "-c" and "-i" flags in Top Connections Tool are now supported on VSX Gateways. Refer to sk172229.

Enhanced Check Point Active Streaming (CPAS). Refer to sk177025.

Access Policy installation may fail with "Error code 1-2000078".

Running the "threshold_config" command may cause the CPD process to consume a high CPU.

In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections.

After reboot and policy installation, the "No interface configured in SmartCenter server with name mdps_tun. Matching by IP address to interface Mgmt" error may be printed in fwk.elg.

Improved CPS rate on Autoscale deployments of Amazon Web Services (AWS).

When deleting all Suspicious Activity Monitoring (SAM) rules, adding a large number of new rules, and installing policy, the system may hang.

In a rare scenario, "Connection/sec" data for accelerated traffic in CPView may differ from the statistics in SNMP.

Defining an IPv6 NAT rule with address range (hide) on the translated column may fail with an incorrect error message.

In a rare scenario, policy push to multiple Security Gateways may fail. Refer to sk177963.

In rare a scenario, a memory leak may occur with a "cpas_streamh_init_from_cookie failed" message printed in /var/log/messages.

In a rare scenario, the Security Gateway may crash during policy installation.

In some scenarios, memory consumption and CPU usage may increase consistently. Refer to sk176370.

DNS Server is getting overloaded with DNS requests from the Security Gateway when Domains or updatable objects are used in policy. The "Domain doesn't exist" error is shown.

In a rare scenario, when CRL files are created, some of them may be generated with a large number in the filename. When deleting CRL files, CPCA repeatedly fails to start.

When the "Automatically download Blade Contracts, new software, and other important data" checkbox is unchecked, Security Gateway may fail to update Threat Prevention packages.

UPDATE: Adjusted AD-Query and Identity Logging solutions to work with Microsoft hardening changes in DCOM which were required for CVE-2021-26414. Refer to sk176148.

When Identity Awareness Blade is enabled on the Security Gateway, rebooting of a member may trigger additional reboots. This may cause
one of the members to go down with a configuration pnote.

In a rare scenario, the priorities defined in User Directory (Gateway level) override the default Domain Controller (DC) priorities defined in the LDAP Account unit. Servers with priority above 1000 are not ignored, although they should be.

An Identity Broker subscriber may be shown as the session owner for Remote Access VPN sessions received from another publisher.

In a very rare scenario, when the Application Control (APPI) and URL filtering Blades are active, in hold mode, some applications cannot be identified and the traffic is dropped.

After installing a Threat Prevention policy with many rules and/or exceptions, on multiple Security Gateways together, Security Gateways may consume more CPU during rule-match of new connections.

In Autonomous Threat Prevention mode, "Profile Name" and "SmartDefense" fields may be missing in the IPS log.

The dlpu process may unexpectedly exit with core dump file.

The fwk process may unexpectedly exit during the TLS handshake.

If TLS 1.3 is enabled, using imported ECDSA certificates for HTTPS Inspection may cause the Security Gateway to crash.

When TLS 1.3 support is disabled, a memory leak may occur in the WSTLSD process during TLS session renegotiation.

In rare scenarios, TLS probing connections may remain open for extended periods.

SSL Network Extender (SNX) may fail during large file transfers. Refer to sk87760.

Policy installation may fail due to table creation issues.

In a rare scenario, after an upgrade and reboot, a Standby member is set to down with a FULLSYNC PNOTE and cannot synchronize.

A redundant message "ACC: Accelerator started. " is printed in dmesg logs.

In some scenarios, when using DHCP, the Security Gateway may not correctly route traffic to hosts.

After a failover, OSPF may restart immediately after the ROUTED daemon starts which causes the Active member to go into Down state instead of Standby state.

UPDATE: In policy installation, the type of messages, related to VPN certificate expiration, is changed from "info" to "warning". This issue is only cosmetic.

In some scenarios, a memory leak may occur in the VPND process.

A memory leak may occur during Office Mode IP allocation.

In some scenarios, IKEv2 tunnel may not work due to SA expiration.

The output of the "vpn tu tlist" command may show an incorrect type of S2S tunnels protocol.

Although the Simultaneous Login Prevention (SLP) feature is on, the user can connect with two clients and receive the same statically assigned Office-Mode IP.

The output of the "vpn tu tlist" command may show a wrong date and time in "Authenticated at" line, although machine date and time settings are correct.

When the IKE daemon is enabled, VPN counters in CPView may show incorrect value.

In some scenarios, Remote Access VPN users cannot connect to the Gateway due to a kernel table issue.

In some scenarios, Remote Client connections in Visitor Mode may cause the fwk process to exit.

A machine-only tunnel cannot be established when VPN default realm is disabled.

UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool.

In some scenarios, running the "snmpwalk" command may fail with incorrect OSPF-MIB information for VSX. Refer to sk172064.

Multi-Queue configuration does not survive reboot on VSX. Refer to sk173950.

NEW: Gaia API (version 1.6) will now be deployed via Jumbo Hotfix. Refer to sk143612.

UPDATE: Added a Clish command "add/show/delete ntp interface" to choose to which interfaces the NTP daemon shall bind.

In some scenarios, in appliances: 6600,6700,6900, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

Enhanced SNMP module stability.

Wrong output of the "set/delete ip-conflicts-monitor interface" command. The word "value" is printed multiple times. The issue is only cosmetic.

NEW: Added new push operations to Endpoint Web Management:

• Kill Process
• Remote Command Execution
• Application Scan

NEW:

• Added ability to rename the Export Package
• Added persistent Notifications Center
• Improved performance of Asset Management
• Added extra fields to Asset Management table
• It is now possible to configure user session idle time on-premise
• Added support for macOS Port Protection
• Added Connection Awareness settings
• Added ability to manage IoCs

SmartEndpoint may show deleted certificates as expired.

After a cluster failover CloudGuard Controller may not be able to find cloud objects. Refer to sk166056.

In a rare scenario, there is a high CPU0 utilization on Azure Security Gateway.

In a rare scenario, when QoS is enabled, in SmartView Monitor, some traffic may be shown as "No Match".

NEW: Added a self-updatable package of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

UPDATE:

• The "asg_reboot" command was changed to perform a software reboot only.
• The "asg_hard_reboot" command was added to perform a hardware reboot.

UPDATE: Added support for 40G SFP Transceiver for SSM440 (BTI40GSRQSFPP).

VPN traffic may be dropped due to certificate issues.

The "config_verify" command may fail in a Scalable Platforms environment.

When IGMP snooping is disabled, using OSPF Multicast may lead to Anti Spoofing drops in SmartConsole.

VPN tunnel may fail to establish with "dropped by vpn_inbound_pilicy_chain Reason: VPN inbound nat after vm failed". Refer to sk176404.

In rare scenarios, the command "hw_utilization -d" fails when more than 9 Virtual Systems are configured.

The "Software Versions" asg diag test may show false failure because of a CMM version mismatch.

When running the "asg_dr_verifier" command in the context of a Virtual System other than VS0, the output in the "BGP peers" section incorrectly shows: "Status: Inconsistency found on some of the SGMs".

During policy installation, AD Query may stop working in the Scalable Platforms environment.

In some scenarios, if SSM goes down in a Chassis setup, the failure report cannot be collected fully.

Added Update 6 of HealthCheck Point (HCP) Release. Refer to sk171436.

Policy installation fails with "Operation failed, install/uninstall has been improperly terminated" when a CMA name is more than 36 characters long. Refer to sk175452.