R81 Jumbo Hotfix Take 69

UPDATE: Additional improvements to Access Policy installation time.

After performing the Solr Cure procedure, objects may appear as duplicated in SmartConsole. Refer to sk178084.

Accelerated Install Policy may fail with the verification error: "Rule-name has security zone objects that are not attached to any interface used in Cluster-name ", when the rule contains Security Zone and the install-on target is a cluster.

When cloning an IPS profile, the advanced settings of cloud protection may not be copied to the new profile.

Dynamic Objects defined on LSM Gateway in SmartProvisioning may be removed from the Security Gateway after fetching policy or pushing policy from the Security Management Server to the Security Gateway.

The web_api_show_package.sh script and some Management API commands with the "details-level full" option may fail when VPN settings are not defined for Interoperable objects. Refer to sk178410.

Viewing sessions in SmartConsole may fail with an "Error retrieving results" message while importing a Domain.

Install Policy preset fails if the Threat Prevention policy was uninstalled.

After changing the IP address of the Secondary Management Server, the old IP address is still shown in the High Availability window until the services are restarted.

Policy Installation may fail with the "Unable to start policy installation" error when the Import Domain task is running in the background.

UPDATE: It is now possible to execute the "run-script" Management API command on the Multi-Domain Server (MDS) and Multi-Domain Log Module (MLM) from the System Domain.

In IPS Core Protections logs, the link to the Threat Prevention profile is written incorrectly.

There may be an incorrect error message related to MakeConnection method.

On the Domain level, in the Logs view, available services may not appear in the drop-down filter list. Refer to sk178904.

NEW: Added a new kernel parameter "fw_ignore_before_drop_rules". It allows to skip the "before drop" implied rules and enforce policy according to the explicit rule in the Access Rule Base. By default, this capability is disabled.

Refer to sk105740.

UPDATE: In CPView overview, the "FW" field will now show physical memory used instead of virtual memory used. The change is only cosmetic.

When using the DAIP Gateway object in the Access Rulebase, debug error "fwdnd_log_info_lookup failed" may appear in the fwk.elglog, if the relevant rule has log track. Refer to sk178670.

In rare scenarios, connectivity issues to specific websites may occur during web traffic inspection.

In some scenarios, file download may fail with the "Connection queue exceeded max size" error.

In a rare scenario, a memory leak in the FWD process may occur during installing Threat Prevention policy.

In a rare scenario, an IPS, Anti-Virus, or Anti-Bot update package may fail to load because of a timeout.

In very rare scenarios, a traffic outage may occur.

In some scenarios, an "[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULL" message may be printed in the /var/log/messages file.

There may be connectivity issues for multicast traffic in PIM Sparse Mode.

Data connection may be interrupted during a Multi-Version Cluster (MVC) upgrade.

In Virtual Device Status table, in vs0 context, the output shows the Active-Active status on two members instead of Active-Standby.

Local connection from the Management interface on a non-standard port (e.g. 8000) may fail.

When moving a cluster from Unicast to Multicast LS, Gratuitous ARP Request (GARP) may not be sent. The cluster cannot update multicast MAC entries on peers, which can cause traffic lost.

UPDATE: Virtual Extensible LAN (VXLAN) interfaces can now be configured over interfaces with an alias IP address. VXLAN interfaces will not use the alias IP address as the local IP address of the tunnel.

SYN Defender may change MSS in an SYN packet to a larger value, potentially causing traffic drop.

In a rare scenario, the ROUTED daemon may unexpectedly exit during a Multi-Version Cluster (MVC) upgrade when using OSPF.

VPN tunnel may not be stable in cluster load-sharing multicast and unicast environments.

When using Remote Access SAML authentication, the "Remote access client IP address and port were changed" log may contain incorrect data in the "Old IP" field.

UPDATE: When resetting SIC for a specific Virtual System (sk34098), the new certificate on the Security Gateway will now be automatically pulled from SmartConsole.

VSX Cluster Internal Communication Network IP address is shown in ifconfig after changing the name or VLAN of a VR physical interface.

There may be a mismatch of policy name on virtual switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic.

In some scenarios, if VSX Gateway creation fails and rollback is done, the default route of the Security Gateway that was configured via clish is deleted without validation.

Latency and packet loss issues may occur when traffic goes through external VS connected to Virtual switch (VSW). Refer to sk177344.

NEW: Added a Gaia Clish command "show configuration vxlan" to show all VXLAN info (interface creation, IP, MTU, comments, state).

When loading a configuration file to the new Security Gateway, VLAN interfaces may not be added to the bridge as expected.

In some scenarios, in 7000 appliances, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.

UPDATE: Previously, because of connectivity issues with Azure, CloudGuard Controller was deleting IP addresses of Data Center objects from the Security Gateway. CloudGuard Controller will now show an error message instead of revoking identities from the Security Gateway.

In some scenarios, mapping of AWS Data Centers may take a long time to complete.

After changing the default behavior in Identity session conciliation, the "delete-identity" request may trigger Cloud Controller to delete IP addresses from other Identity sources.

Added Take 21 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

During policy installation, the state of the Single Management Object (SMO) may not be stable.

On Scalable platform Chassis in VSX mode, when adding a new member to Security Gateway, the "dxl stat" command may fail with the "Failed to retrieve dxl status" error.

When running the CPUSE "installer" command in Gaia gClish of a Security Group, the output may show: "Error Failed to invoke action." Refer to sk178647.