R81 Jumbo Hotfix Take 68

In some scenarios, CPView shows the SNMP data partially.

Deleting a Domain may fail when there is an administrator with API key authentication associated with this Domain.

Login to SmartEvent with Certificate Authentication may fail. Refer to sk179144.

The Management API command "set-multicast-address-range" does not remove IPs when the IPv4 or IPv6 address field is empty.

In rare scenarios, the "show-changes" and "show-sessions" Management API commands may fail.

When automatic purge is configured in a local Domain and there is an assignment between the Global Domain to that Domain, the "show-automatic purge" API command may fail in the Global Domain with the "Can't build automatic purge reply" error. Refer to sk176443.

In rare scenarios, a "Create Domain", "Delete Domain" or "Delete Domain Server" task can be stuck at 5% with the "Task in queue" status.

In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server".

If there is a Global Domain Assignment, some results may be missing when searching in Packet Mode. Refer to sk178491.

When working with End Point Cloud, the License tab under "Gateways and Servers" in SmartConsole may show "Certificate error: CertAuthorityInvalid".

Policy installation on R81 (and below) Gateways may fail when there are multiple login options configured with SAML which uses Identity Provider as an authentication method. Refer to sk176725.

Global Domain Assignment fails with "An internal error has occurred" when there are more than 32K Threat Prevention Overrides in the local Domain. Refer to sk176464.

The mgmt_cli tool (API) with certificate login may not work.

UPDATE: SmartView reports will now show the new Check Point logo.

Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found" and "fwbintabreplace: table svm_range_gateways_valid not found" from the fwd debug log.

When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck.

In a rare scenario, the Security Management Server does not automatically delete older log files.Refer to sk177627.

In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application.

UPDATE: Added two minutes grace period before dropping the non-TCP server-to-client packets upon policy installation and rematch flow. Refer to sk173287.

UPDATE: Added a new global parameter: "fw_daf_module_mac_mode". It allows mirroring traffic to a Linux-based device. It is set to "0" by default. Refer to sk178127.

UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53.

Matched rules on Inline layer may appear as the "Accept'"/ "Drop" action instead of "Inline".

When running the "cpstop" and "cpstart" commands, NAT statistics may fail with "fwx_alloc_global_find_free_port_atomic: failed to update NAT statistics".

In a rare scenario, DNS connection may be dropped with a "up_manager_cmi_handler_match_cb: connection not found" message.

• On 2200 appliances, the CPD process may unexpectedly exit because of sensor read failure.
• Sensor table values for 3600, 3600T, 3800, 6200B, 6200P, 6200T, 6400, 6600, 6700, 6900, 7000, 600-S are incorrect.

It may not be possible to use the Office 365 Tenant Restrictions feature when ICAP client is enabled.

Policy installation may fail when there is a heavy load on memory on the Security Gateway.

The Security Gateway may crash during policy installation due to memory allocation problems.

Improved Gateway internal memory allocation logic.

IPS and other Threat Prevention logs may not contain packet capture. And dmesg may be flooded with related errors.

In a rare scenario, the DLP process leaves open unused file descriptors in the $FWDIR/tmp/dlp directory which may take up a large amount of disk space.

There may be connectivity issues and high CPU spikes on the PDPD, VPND processes, and on the Gateway when installing policy. Refer to sk174144.

Memory usage may be high for the pdpd process in a scenario, related to Identity Awareness nested groups in state 2 and 4.

In a rare scenario, when URL Filtering Blade is active, in Website categorization background mode, the FWK process crashes and creates a core dump.

When Website categorization mode is set to "Hold" and Gateway is Proxy, some connections may be incorrectly terminated.

In a rare scenario, the DLP process may not delete temporary files used for scanning.

UPDATE: Upgraded the default Infrastructure for local communication between some processes to TLS 1.2.

In some scenarios, the WSTLSD daemon may unexpectedly exit during TLS probing.

When HTTPS Inspection is enabled, and traffic is inspected, detect logs for HTTPS traffic may show the "Invalid CRL Retrieved" and "No Valid CRL" error messages. Refer to sk172345.

In a rare scenario, the WSTLSD process may unexpectedly exit while validating signatures of sites with improper certificate chains.

Connections may hang and reach a timeout during browsing if the number of WSTLSD instances is reduced through configuration settings.

In rare scenarios, the WSTLSD daemon may unexpectedly restart.

MAB Guacamole-based clientless RDP/SSH connections, when closed prematurely, may cause the GuacProxy process to consume 100% CPU.

A cluster failover may take longer than it should.

Multicast packets may be dropped after policy installation.

The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW).

The "fwaccel dos rate add" command may fail with the "Another fwaccel command is already in progress" error.

In rare scenarios, the ROUTED daemon may unexpectedly exit or write logs in the incorrect order.

The ROUTED daemon may unexpectedly exit with core dump when some interfaces lose connection with the PIM router.

Improved VPN interoperability.

In some scenarios, L2TP users cannot connect to the Gateway in a cluster environment.

In some scenarios, it is not possible to connect with Remote Access using DHCP for Office Mode. Refer to sk178767.

See the Important Notes section.

Enhanced stability of Site-to-Site VPN with interoperable devices.

Added VPN improvements for IKEv2 SA re-key.

Newly defined ROBO Gateways cannot connect until policy installation.

Policy installation and establishing a connection from a Gateway with Static IP may fail, if the IP address was previously used by a peer Gateway with DAIP IP which was configured before and had a connection from the DAIP Encryption Domain.

IKEv2 Improvements for DAIP Gateway behind Hide NAT.

A memory leak may occur in the VPND process when using remote Access Back Connection.

A memory leak may occur in the VPND process when using Remote Access with Multiple Entry Points configured.

In ike_sa_table there may be an entry with an IP address and not with a DAIP ID.

UPDATE: The "vsx_util reconfigure" operation is not supported on a VSX cluster member or VSX Gateway which has no virtual systems configured. The operation will now alert about the absence of virtual systems.

When creating a static route on a virtual system, some network objects may be created with the same name inside the network group which causes failure in writing the object to the database.

In some scenarios, the VSX Gateway may incorrectly handle broadcast packets received from a Virtual Switch.

NEW: Gaia API (version 1.6 with Python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612.

The "cpopenssl" command may fail with "No such file or directory".

Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253.

In some scenarios, a query which counts host_ckp objects may return more results than expected. It leads to a memory leak with the "Out Of Memory" error.

In some scenarios, incorrect data center updates are pushed to the Gateway.

NEW:

• Rule base search in SmartConsole now also matches rules with Data Center Objects.
• In SmartConsole, it is now possible to see IP addresses of all the objects included in: AWS VPC and Availability Zone, Azure Virtual Network, GCP Network
• In SmartConsole, improved searching objects using tags.

In some scenarios, Data Center objects are not enforced on an AWS GEO cluster (Active/Active) Gateway. Refer to sk175904.

See the Important Notes section.

Setting time on Quantum Scalable Chassis may fail with the "Failed to update the date WARNING: CliError( ) called without module or error code" error.

NEW: A new module parameter "ccl_correct_dr_between_chassis" is added.

• Setting it to 0 disables inter-chassis corrections.
• Setting it to 1 returns to the default behavior.

Refer to sk177943.

Security Group may drop traffic during an internal failover between Security Group members when Dynamic Anti-Spoofing is enabled. Refer to sk177946.

OSPF may install a route to the incorrect IP when configured as P2P. Refer to sk177686.

Restoring a backup on the security group may get stuck upon reboot.