R81 Jumbo Hotfix Take 77

 

List of Resolved Issues and New Features

Note - This Take contains all fixes from all earlier Takes.

ID

Product

Description

Take 77

Published on 6 November 2022 and declared as Recommended on 1 January 2023

PRJ-38347,
PMTR-81030

Diagnostics

The CPVIEWD process may cause CPU spikes.

PRJ-41082,
PMTR-86078

Security Management

UPDATE: If ISP Redundancy is configured for a target Security Gateway, backup interfaces are now used for pushing policy if the primary interface is down.

PRJ-40720,
PRHF-24546

Security Management

Access Control policy installation may fail with the "Internal error" message when the encryption domain contains a Data Center object.

PRJ-40850,
PMTR-84394

Security Management

The LOG_EXPORTER process may cause high CPU because of frequent invocation of the "fw ver" command.

PRJ-39537,
PRHF-23867

Security Management

An Application Control and URL Filtering update may get stuck at 70 percent with the "Running post update actions" status. Refer to sk174587.

PRJ-40057,
PRHF-24082

Security Management

An Application Control and URL Filtering update may still occur even if the latest version is already installed.

PRJ-40546,
PRHF-24405

Security Management

After an upgrade, when the local domain Virtual System (VS) is updated, its objects may not be updated. The mirror VS object and local domain VS object may have different versions and colors.

PRJ-40809,
PRHF-24809

Security Management

SmartConsole may unexpectedly disconnect.

PRJ-39222,
PRHF-23186

Security Management

An Application Control and URL Filtering Database update may fail. The CPM log file states: "Update APPI Update Task Notification. progress: 100, status: FAILED, statusText: Failed to assign domain".

PRJ-39333,
PRHF-23594

Security Management

Install Policy Presets may fail with the "Install Policy Failed: Could not commit JPA transaction" error.

PRJ-41552,
PMTR-83511

Security Management

Policy installation may get stuck on 99% when resuming queued policy installation tasks.

PRJ-40445,
PMTR-84860

Security Management

Deleting a Threat Emulation Gateway object in SmartConsole may fail. Refer to sk170577.

PRJ-40407,
PMTR-84933

Security Management

Editing a Threat Profile object using Ansible automation tool may fail.

PRJ-36206,
PRHF-22196

Security Management

Migration from the Management Server to the Domain Server may get stuck for 6-7 hours and then fail.

PRJ-40586,
PRHF-24553

Security Management

The "Domain" and "Type" fields may be missing in the "show-groups" command output of a Management API request. Refer to sk179645.

PRJ-39209,
PRHF-23632

Security Management

The output of the "show opsec-application" API command may not show the host object name or UID.

PRJ-38455,
PRHF-23314

Security Management

High Availability synchronization may fail with the "Failed to update shared licenses" error.

PRJ-33921,
PRHF-21160

Security Management

Some unused sessions may remain open in the system, consuming memory and CPU.

PRJ-38788,
PRHF-23476

Security Management

Install Policy Preset may fail with "The server did not provide a meaningful reply.". Refer to sk179524.

PRJ-38180,
PRHF-22647

Security Management

Deleting a Domain operation may fail with an "internal error" when more than one of the Security Gateways in the Domain points to the same cluster object in the NAT configuration.

PRJ-40169,
PRHF-24144

Multi-Domain Management

A Multi-Domain Management Server upgrade may fail if upgrading one of the domains takes longer than four hours.

PRJ-39488,
PRHF-23926

Multi-Domain Management

In some scenarios, in a Multi-Domain Management Server environment, SmartConsole may unexpectedly disconnect.

PRJ-38124,

PRHF-23066

Multi-Domain Management

Although all Virtual Devices are deleted, deleting a Domain may fail with an "At least one Virtual Device is defined on this Domain/Domain Management Server. You need to delete all Virtual Systems/Routers prior to deleting Domain/Domain Management Server" message.

PRJ-41126,
PMTR-85721

SmartConsole

Centrally managed Quantum Spark Gateway version may be missing or incorrect after performing the "Get Gateway Data" action from SmartUpdate.

PRJ-41285,
ODU-470

Web SmartConsole

UPDATE: Released Take 67 with new features and improvements. Refer to sk170314.

PRJ-40612,
PRHF-24080

Compliance

In the Compliance Blade view, regulations with disabled best practices may display a result that does not correspond with the best practices listed below it.

PRJ-41021,
PMTR-86000

CPView

NEW: Integrated Skyline, a solution that provides an OpenTelemetry CPView Agent service to monitor your Check Point Servers and export health metrics from the CPView tool to an external location. Refer to sk178566.

PRJ-36191,
PRHF-22004

Logging

UPDATE: Amended the override_server_setting.sh script to support changes in the values of RFL_SOLR_MAX_MERGE_COUNT and RFL_SOLR_MAX_MERGE_THREAD_COUNT.

PRJ-29737,
PMTR-72628

Logging

In SmartView, exporting views or reports that do not have tables may indefinitely continue processing.

PRJ-40357,
PRHF-24410

Logging

In some scenarios, the FWD process may unexpectedly exit in a Log Server environment. Refer to sk179596.

PRJ-28111,
PRHF-18175

Logging

Logs may not be indexed on the Domain Log Server in a Multi-Domain Log Module (MLM) or on the Secondary Multi-Domain Management Server.

PRJ-41193,
PMTR-68271

Logging

It may not be possible to filter Anti-Virus logs for malicious CIFS traffic in SmartConsole. The issue is cosmetic only.

PRJ-41359,
PMTR-85027

Logging

Running the "cpstat ls -f logging" command on the Security Gateway may show the "disconnected" status after a reboot, although a new connection is established successfully.

PRJ-30964,

EPS-562

Logging

In some scenarios, the Forensics report fails to open from Harmony Endpoint logs.

PRJ-36476,
PRHF-22241

Logging

In SmartConsole, when Endpoint Policy Management Blade is enabled, the "SmartView server certificate is invalid" error may be shown when opening a new tab in the Logs & Monitor view. Refer to sk177713.

PRJ-41102,
PRHF-25074

Logging

When an object name begins with a digit, SmartView Monitor displays a name consisting of the letter "v" and UID instead of the actual object name.

PRJ-32206,
PRHF-20107

Logging

The "show-logs" Management API command fails when iterating over many pages of queries, and the total fetched records number exceeds 219,900 records.

PRJ-38143,
PRHF-22814

Security Gateway

UPDATE: Added support for RADIUS UPN authentication with MS-CHAPv2. To use it, enable the registry configuration in ckp_regedit -a SOFTWARE/Checkpoint/VPN1 RADIUS_MSCHAPV2_UPN -n 1.

PRJ-32780,
PMTR-72977

Security Gateway

UPDATE: The reset expired connections feature (fw_rst_expired_conn) is now supported on connections accelerated by SecureXL.

PRJ-40097,
PMTR-84200

Security Gateway

UPDATE:

  • Added a new global parameter "fw_conn_double_error_allow_print " to enable/disable printing double connection error message to the log. When disabled, the Security Gateway will still drop a new connection if it is already recorded in the connection table, but there will be no error logs.

  • Added a new global parameter "fw_conn_double_error_count" to count how many times the error occurred.

PRJ-35147,
PRJ-34015

Security Gateway

Bond subordinates may be visible in the wrong plane.

PRJ-40792,
PMTR-85514

Security Gateway

Enhanced connectivity during HTTP2 Inspection.

PRJ-34171,
PRHF-20978

Security Gateway

After an upgrade, in a setup with a single VSX, the Security Gateway may crash.

PRJ-40862,
PMTR-74446

Security Gateway

Improved the recovery mechanism for Dynamic Balancing.

PRJ-40458,
PMTR-84535

Security Gateway

In a rare scenario, the FWK process may unexpectedly exit because of a memory allocation issue on the Security Gateway.

PRJ-40015,
PRHF-24223

Security Gateway

The Security Gateway with VPN may drop the traffic after enabling BGP and Equal Cost Multipath (ECMP).

PRJ-39519,
PMTR-83692

Security Gateway

Output of the "dynamic_objects -uo_show" command on the Security Gateway may not show any updatable objects. Refer to sk178886.

PRJ-39926,
PRHF-23895

Security Gateway

When Anti-Virus Blade is enabled, the Security Gateway may crash multiple times with core dump files.

PRJ-41097,
PMTR-81750

Security Gateway

The "CPLogGetMyIp: fwobj_get_myown failed" error may be printed in CLI when starting cpboot.

PRJ-24591,
PRHF-14804

Security Gateway

It may not be possible to load specific sites. The Security Gateways drops the traffic from those web servers with "Reason: PSL Drop: MUX_PASSIVE".

PRJ-39639,
PRHF-23835

Security Gateway

When running the "g_fw monitor" command (Global Firewall Monitor), the traffic capture outputs can be created successfully but cannot be merged. Refer to sk179431.

PRJ-41029,
PRHF-24958

Security Gateway

Topology auto update may fail because of a too long interface name.

PRJ-41090,
PRJ-34903

Security Gateway

A kernel crash may occur during system shutdown when PIM is enabled.

PRJ-41032,
PRHF-24959

Security Gateway

The Security Gateway may run out of memory when retrieving topology.

PRJ-38590,
PMTR-79658

Security Gateway

In a cluster environment, an ICAP implied rule may not be enforced after policy installation.

PRJ-38552,
PRHF-23113

Security Gateway

After an upgrade, Anti-Virus Blade may cause increased memory consumption.

PRJ-40023,
PMTR-83767

Security Gateway

Access Control policy installation may fail with a "Load on Module failed - problem with the Commit Function" message.

PRJ-36866,
PRHF-22233

Security Gateway

After an upgrade, VSX cluster may have frequent failovers.

PRJ-39579,
PMTR-71476

Security Gateway

In a rare scenario, when IPS or Application Control is enabled, the Security Gateway may crash.

PRJ-41415,
PRHF-24690

Security Gateway

The Security Gateway may send multiple "Failed to fetch Check Point resources. Timeout was reached" logs.

PRJ-39331,
PRHF-23528

Security Gateway

After an upgrade, Access Control policy installation may fail with an "Update process is already running" message.

PRJ-41450,
PMTR-85044

Security Gateway

Policy verification fails when a generic Data Center contains an object with an empty range.

PRJ-40935,
PMTR-85828

Security Gateway

In a rare scenario, the Security Gateway may have a memory allocation issue.

PRJ-41345,
PMTR-86409

Internal CA

UPDATE: Internal CA on Check Point Management Servers can now create certificates with 3072-bit RSA keys - the root ICA certificate and SIC certificates. Refer to sk96591.

PRJ-39988,
PRHF-20730

Threat Prevention

UPDATE: In the Custom Intelligence Feeds feature, decreased the hash indicators loading time.

PRJ-40973,
PRHF-24784

Threat Prevention

Threat Prevention policy installation may fail with a "Connection aborted by Peer" message.

PRJ-40592,
PMTR-75706

Threat Prevention

There may be Security Gateway memory allocation issues related to creating a new Anti-Malware policy.

PRJ-41276,
PMTR-74610

Threat Prevention

Adding hash indicators may cause policy installation to fail with a warning message.

PRJ-40855,
PMTR-85654

Threat Prevention

IoC feed may not load because of a parsing issue with the IP range indicator.

PRJ-40437,
PMTR-82127

Threat Prevention

A kernel memory leak may occur during deep file inspection.

PRJ-29735,
PMTR-71844

Threat Prevention

SCP connections may get terminated.

PRJ-34888,
PMTR-77524

Threat Prevention

When the Security Gateway is in "Detect Only" mode, Threat Prevention Blade exceptions may not be accelerated.

PRJ-39829,
IDA-4187

Identity Awareness

Removed unnecessary debug messages in the Identity revocation flow.

PRJ-35835,
PMTR-71684

Identity Awareness

Memory consumption may increase after policy installation when Secure ID is configured.

PRJ-39161,
PMTR-83274

Identity Awareness

The Nested Groups Depth value changed in CLI may not survive a reboot.

PRJ-37280,
PRHF-21170

URL Filtering

When the Security Gateway works in proxy mode, the Application Control and URL Filtering rules may not match correctly.

PRJ-38815,
PMTR-80962

URL Filtering

When an URL Filtering rule has "Fail-Close" configuration, the Security Gateway may drop connections, and "URLF internal system error (0)" is recorded as the reason.

PRJ-31435,
PRHF-19698

IPS

Logs generated by IPS Bypass may not show the correct CPU/Memory Utilization.

PRJ-37726,
PRHF-22465

DLP

DLP logs for files uploaded to Microsoft OneDrive may not show the initial file names and extensions. Refer to sk178290.

PRJ-33294,
PMTR-61676

Anti-Virus

Removed a redundant message flooding logs in /var/log/messages: "ws_write_connection: end of body reached - clearing delay write flag".

PRJ-40260,
PMTR-83847

SSL Inspection

The WSTLSD process may unexpectedly exit and produce a core dump file during certificate chain verification.

PRJ-39752,
PRHF-23882

Anti-Virus

The Anti-Virus Blade interprets certain types of URLs as forbidden and blocks access to those URLs, although the content behind them is not of the type supposed to be blocked.

PRJ-36733,
PRHF-21591

ClusterXL

In a VRRP cluster, when an identity session is revoked from a non-master member, the Identity Database may become corrupted and cause an outage.

PRJ-40832,
PRHF-24826

Mobile Access

After disabling the ActiveSync service on the Security Gateway, login to Capsule Workspace (CWS) may fail.

PRJ-32968,
PRHF-20588

Mobile Access

Capsule Workspace push notifications do not work when the Single Sign-On (SSO) is configured to "prompt for credentials". Refer to sk176244.

PRJ-38459,
PRHF-23267

Mobile Access

In some scenarios, it is not possible to connect to SSL Network Extender(SNX), and the VPND log shows: "failed to add to table connectra_sessions_to_instance".

PRJ-35510,
PMTR-65024

ClusterXL

UPDATE: Added support for the "fw vsx fetch_all_cluster_policies" command, which can fetch policy for all Virtual Systems and Virtual Routers from cluster peers.

PRJ-39183,
PRHF-23684

ClusterXL

In a VRRP cluster environment with a large number of interfaces, the Security Gateway may consume a lot of memory.

PRJ-39073,
PRHF-22676

SecureXL

UPDATE: Added a new kernel parameter "fw_allow_reverse_syn" for Smart Connection Reuse. This parameter allows or drops SYN packets coming from the reverse direction. The parameter is set to 0 by default, the Security Gateway drops such packets. Refer to sk24960.

PRJ-36858,
PRHF-21863

SecureXL

Policy installation may cause cluster failover and impact the traffic flowing through the cluster.

PRJ-40219,
PMTR-63465

SecureXL

In a rare scenario, ipsctl kernel module does not load at startup.

PRJ-41481,
PRHF-25453

SecureXL

After an upgrade, SecureXL may drop multicast traffic with "reason:Fragment drops".

PRJ-39738,
PMTR-86052

SecureXL

There may be high CPU or/and latency in CIFS/SMB connections.

PRJ-41207,
PMTR-81175

Routing

When changing PIM configuration, the ROUTED process may unexpectedly exit and generate a core dump due to a race condition.

PRJ-40747,
PRHF-24743

Routing

The ROUTED process may unexpectedly exit when querying BGP data.

PRJ-36890,
PMTR-79153

VPN

UPDATE: After FIPS mode is enabled, Jitter is now automatically turned on.

PRJ-41240,
PRHF-24483

VPN, Multi-Portal

UPDATE: Added a new Registry parameter "use_crl_for_revocation_method" that enables the CRL revocation method when the Security Gateway does not get a response from an OCSP Server. Refer to sk179434.

PRJ-40844,
PMTR-85427

VPN

UPDATE: Added a configurable protection for blocking brute-force attacks on VPN SNX portal. Refer to sk180271.

PRJ-40753,
PMTR-85206

VPN

Resolved the "HTTP Response splitting" vulnerability in Security Gateway portals. Refer to sk179705.

PRJ-39235,
PRHF-23381

VPN

When connecting to Capsule VPN on iOS in a Multi-Domain Server or Scalable Platforms environment, loading a website may take up to one minute.

PRJ-39807,
PRHF-24079

VPN

Adding a Security Gateway Module (SGM) to a Security Group may cause the Security Gateway crash when Link Selection is enabled in Load Sharing mode.

PRJ-40869,
PRHF-24283

VPN

Site-to-Site NAT-T traffic may be routed incorrectly, which can cause an outage.

PRJ-40554,
PRHF-24156

VPN

When working in Hybrid mode, it is possible to connect using Remote Access, but it may not be possible to access internal resources.

PRJ-36710,
PRHF-21689

VPN

Improved Site-to-Site VPN stability.

PRJ-40385,
PMTR-84477

VPN

The "Unable to open '/dev/fw0': No such file or directory" error may be printed during cpstart.

PRJ-40582,
PMTR-84124

VPN

Connection over NAT-T tunnels may not be distributed well between instances of the Security Gateway with CoreXL enabled.

PRJ-37784,
PMTR-82856

VPN

In SmartView Monitor (SVM), the status of tunnels with third-party peers may be inaccurate. Refer to sk169121.

PRJ-40829,
PRHF-24812

VPN

The Security Gateway does not initiate or accept the VPN negotiation when working in Traditional Mode. Refer to sk179710.

PRJ-39893,
PMTR-56771

VSX

UPDATE: The "vsx_util view_vs_conf" command output now shows interfaces configured on Virtual Systems in Bridge mode.

PRJ-38515,
PRHF-23107

VSX

SecureXL may not let HTTPS traffic pass through a Virtual Router (VR).

PRJ-41362,
PMTR-86445

VSX

A VSX Gateway upgrade may fail with an error related to VSX Filesystem creation.

PRJ-40703,
PMTR-81932

VSX

A member in a VSX cluster may get stuck in DOWN state with "Event Code CLUS-113200" and a FULLSYNC PNOTE "Could not start a connection to remote member".

PRJ-34322,
PMTR-60045

VSX

The MTU value configured in SmartConsole may differ from the Virtual Switch (VSW) MTU value in the output of the "ifconfig" command.

PRJ-39981,
PMTR-83520

VSX

The vsx_util upgrade or downgrade operation may silently fail to update the database for one or more Virtual Systems (VSs). Refer to sk179591.

PRJ-39887,
PMTR-84069

VSX

Removing a warp interface may fail on one member, which creates a mismatch between the cluster members database because the warp interface remains on other members. Refer to sk180481.

PRJ-39711,
PMTR-80596

VSX

When running the "reset_gw" command on a VSX cluster member, the sync interface IP address is not deleted as part of the VSX configuration that should be deleted from the Security Gateway.

PRJ-39767,
PMTR-83046

VSX

Lines indicating uninstalling policies from virtual switches (VSWs) may be printed when running the "fw vsx unloadall" command.

PRJ-40798,
PMTR-84189

VSX

Extending SNMP with shell script (Article IV-6 in sk90860) fails for non-VS0 Virtual Systems (VSs) when queried via SNMP V3 and a "No more variables left in this MIB View (It is past the end of the MIB tree)" message is shown in the output.

PRJ-40648,
PMTR-85324

VSX

The VSX Provisioning Tool may unexpectedly exit when adding a new virtual device.

PRJ-40665,
PRHF-24682

VSX

When changing VSLS configuration with vsx_util, setting a new weight for each VS in Automatic mode fails with the "Operation failed. Can't write to database" error. Refer to sk179655.

PRJ-38093,
PMTR-64828

VSX

The "Primary Slave" configuration in a Bond (MAGG) interface may not be applied to a Security Group. Refer to sk178765.

PRJ-42179,
PMTR-81701

VSX

Pushing a VSX configuration fails after changing the CoreXL configuration in a Virtual System object. Refer to sk180107.

See the Important Notes section.

PRJ-40410,

PRJ-42485,

ODU-611

Gaia OS

UPDATE: Gaia API updates will now be automatically installed through AutoUpdater. Refer to sk165653.

PRJ-40992,
PRHF-24495

Gaia OS

When MDPS is configured, the SNMPD process may stop responding on some Security Gateways and must be restarted.

PRJ-40477,
PRHF-24463

Gaia OS

The SNMPD process may unexpectedly exit on the Security Gateway with enabled Management Data Plane Separation (MDPS).

PRJ-40768,
PMTR-81861

Gaia OS

IPv6 connections with Manual NAT rules may not be stable after enabling Neighbor Discovery Protocol (NDP) on a VLAN in the $FWDIR/conf/local.ndp file.

PRJ-40027,
PRHF-24243

Gaia OS

A user locked by the deny-on-nonuse mechanism cannot get unlocked.

PRJ-41370,
PMTR-86767

CloudGuard Network

UPDATE: Added support for Data Centers in AWS ap-southeast-2 (Jakarta) region.

PRJ-41734,
PMTR-87362

CloudGuard Network

UPDATE: Added support for Data Centers in AWS me-central-1 Middle East (UAE) region.

PRJ-41100,
PRHF-24322

CloudGuard Network

Azure Data Center mapping may fail because of a corrupt response from Azure for a specific Virtual Machine Scale Set (VMSS).

PRJ-40839,
PRHF-24490

CloudGuard Network

Failure to update IP addresses on a single AWS Gateway may cause delays in updating other Gateways.

PRJ-41462,
PRHF-25422

CloudGuard Network

Import of OpenStack Data Center CloudGuard Network objects may fail.

PRJ-38023,
ODU-587

Public Cloud CA Bundle

Added Take 19 of Public Cloud CA Bundle. Refer to sk172188.

PRJ-41143,
ODU-518

Smart-1 Cloud

Added Update 5 of Quantum Smart-1 Cloud. Refer to sk166056.

PRJ-32195,
PMTR-74269

Scalable Platforms

In a VSX setup that includes members only in Site 2, asg monitoring commands (such as asg stat vs all) may incorrectly present Chassis 2 state as "N/A".

PRJ-39025,
PMTR-82153

Scalable Platforms

When the "cphaprob list" command fails, CoreXL configuration pnote is not shown when expected. The issue is cosmetic only.

PRJ-41296,
PMTR-86488

Scalable Platforms

When NAT is configured on both Source and Destination, with delayed sync enabled, connection drops may occur.