R81 Jumbo Hotfix Take 77

UPDATE: If ISP Redundancy is configured for a target Security Gateway, backup interfaces are now used for pushing policy if the primary interface is down.

The LOG_EXPORTER process may cause high CPU because of frequent invocation of the "fw ver" command.

An Application Control and URL Filtering update may still occur even if the latest version is already installed.

SmartConsole may unexpectedly disconnect.

Install Policy Presets may fail with the "Install Policy Failed: Could not commit JPA transaction" error.

Deleting a Threat Emulation Gateway object in SmartConsole may fail. Refer to sk170577.

Migration from the Management Server to the Domain Server may get stuck for 6-7 hours and then fail.

The output of the "show opsec-application" API command may not show the host object name or UID.

Some unused sessions may remain open in the system, consuming memory and CPU.

Deleting a Domain operation may fail with an "internal error" when more than one of the Security Gateways in the Domain points to the same cluster object in the NAT configuration.

In some scenarios, in a Multi-Domain Management Server environment, SmartConsole may unexpectedly disconnect.

Centrally managed Quantum Spark Gateway version may be missing or incorrect after performing the "Get Gateway Data" action from SmartUpdate.

In the Compliance Blade view, regulations with disabled best practices may display a result that does not correspond with the best practices listed below it.

UPDATE: Amended the override_server_setting.sh script to support changes in the values of RFL_SOLR_MAX_MERGE_COUNT and RFL_SOLR_MAX_MERGE_THREAD_COUNT.

In some scenarios, the FWD process may unexpectedly exit in a Log Server environment. Refer to sk179596.

It may not be possible to filter Anti-Virus logs for malicious CIFS traffic in SmartConsole. The issue is cosmetic only.

In some scenarios, the Forensics report fails to open from Harmony Endpoint logs.

When an object name begins with a digit, SmartView Monitor displays a name consisting of the letter "v" and UID instead of the actual object name.

UPDATE: Added support for RADIUS UPN authentication with MS-CHAPv2. To use it, enable the registry configuration in ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1.

UPDATE:

• Added a new global parameter "fw_conn_double_error_allow_print " to enable/disable printing double connection error message to the log. When disabled, the Security Gateway will still drop a new connection if it is already recorded in the connection table, but there will be no error logs.

• Added a new global parameter "fw_conn_double_error_count" to count how many times the error occurred.

Enhanced connectivity during HTTP2 Inspection.

Improved the recovery mechanism for Dynamic Balancing.

The Security Gateway with VPN may drop the traffic after enabling BGP and Equal Cost Multipath (ECMP).

When Anti-Virus Blade is enabled, the Security Gateway may crash multiple times with core dump files.

It may not be possible to load specific sites. The Security Gateways drops the traffic from those web servers with "Reason: PSL Drop: MUX_PASSIVE".

Topology auto update may fail because of a too long interface name.

The Security Gateway may run out of memory when retrieving topology.

After an upgrade, Anti-Virus Blade may cause increased memory consumption.

After an upgrade, VSX cluster may have frequent failovers.

The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs.

Policy verification fails when a generic Data Center contains an object with an empty range.

UPDATE: Internal CA on Check Point Management Servers can now create certificates with 3072-bit RSA keys - the root ICA certificate and SIC certificates. Refer to sk96591.

Threat Prevention policy installation may fail with a "Connection aborted by Peer" message.

Adding hash indicators may cause policy installation to fail with a warning message.

A kernel memory leak may occur during deep file inspection.

When the Security Gateway is in "Detect Only" mode, Threat Prevention Blade exceptions may not be accelerated.

Memory consumption may increase after policy installation when Secure ID is configured.

When the Security Gateway works in proxy mode, the Application Control and URL Filtering rules may not match correctly.

Logs generated by IPS Bypass may not show the correct CPU/Memory Utilization.

Removed a redundant message flooding logs in /var/log/messages: "ws_write_connection: end of body reached - clearing delay write flag".

The Anti-Virus Blade interprets certain types of URLs as forbidden and blocks access to those URLs, although the content behind them is not of the type supposed to be blocked.

After disabling the ActiveSync service on the Security Gateway, login to Capsule Workspace (CWS) may fail.

In some scenarios, it is not possible to connect to SSL Network Extender(SNX), and the VPND log shows: "failed to add to table connectra_sessions_to_instance".

In a VRRP cluster environment with a large number of interfaces, the Security Gateway may consume a lot of memory.

Policy installation may cause cluster failover and impact the traffic flowing through the cluster.

After an upgrade, SecureXL may drop multicast traffic with "reason:Fragment drops".

When changing PIM configuration, the ROUTED process may unexpectedly exit and generate a core dump due to a race condition.

UPDATE: After FIPS mode is enabled, Jitter is now automatically turned on.

UPDATE: Added a configurable protection for blocking brute-force attacks on VPN SNX portal. Refer to sk180271.

When connecting to Capsule VPN on iOS in a Multi-Domain Server or Scalable Platforms environment, loading a website may take up to one minute.

Site-to-Site NAT-T traffic may be routed incorrectly, which can cause an outage.

Improved Site-to-Site VPN stability.

Connection over NAT-T tunnels may not be distributed well between instances of the Security Gateway with CoreXL enabled.

The Security Gateway does not initiate or accept the VPN negotiation when working in Traditional Mode. Refer to sk179710.

SecureXL may not let HTTPS traffic pass through a Virtual Router (VR).

A member in a VSX cluster may get stuck in DOWN state with "Event Code CLUS-113200" and a FULLSYNC PNOTE "Could not start a connection to remote member".

The vsx_util upgrade or downgrade operation may silently fail to update the database for one or more Virtual Systems (VSs). Refer to sk179591.

When running the "reset_gw" command on a VSX cluster member, the sync interface IP address is not deleted as part of the VSX configuration that should be deleted from the Security Gateway.

Extending SNMP with shell script (Article IV-6 in sk90860) fails for non-VS0 Virtual Systems (VSs) when queried via SNMP V3 and a "No more variables left in this MIB View (It is past the end of the MIB tree)" message is shown in the output.

When changing VSLS configuration with vsx_util, setting a new weight for each VS in Automatic mode fails with the "Operation failed. Can't write to database" error. Refer to sk179655.

Pushing a VSX configuration fails after changing the CoreXL configuration in a Virtual System object. Refer to sk180107.

See the Important Notes section.

When MDPS is configured, the SNMPD process may stop responding on some Security Gateways and must be restarted.

IPv6 connections with Manual NAT rules may not be stable after enabling Neighbor Discovery Protocol (NDP) on a VLAN in the $FWDIR/conf/local.ndp file.

UPDATE: Added support for Data Centers in AWS ap-southeast-2 (Jakarta) region.

Azure Data Center mapping may fail because of a corrupt response from Azure for a specific Virtual Machine Scale Set (VMSS).

Import of OpenStack Data Center CloudGuard Network objects may fail.

Added Update 5 of Quantum Smart-1 Cloud. Refer to sk166056.

When the "cphaprob list" command fails, CoreXL configuration pnote is not shown when expected. The issue is cosmetic only.