R81 Jumbo Hotfix Take 87

NEW: Added a new field to the output of "mgmt_cli show updatable-objects-repository-content" command. This field displays the object's unique name as it is saved in the updatable objects repository.

UPDATE: Added ability to block policy installation if this policy contradicts another policy installed on the Security Gateway. In this scenario, the "install-policy" Management API command will now fail with "Requested policy X does not match currently installed policy Y on gateway Z. To ignore this warning, set the 'ignore-warnings' flag to 'true'". Refer to sk180792.

UPDATE: New features and improvements are released in Take 76 via self-updatable package. Refer to sk170314.

UPDATE: First release of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Added Update 18 and Update 19 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: Added a new kernel parameter allowing to control the size of fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" with the new value and install policy. This can prevent fragment drops when having multiple instances in the Firewall.

UPDATE: Added Take 23 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

UPDATE: Added a new log file - /var/log/pull_config_report.log. It includes the summary of the "pull_config" action when it is performed on a member to indicate the reason for pull_config pnote/failures.

In rare scenarios, in Multi-Domain Security Management environments with many administrators that have custom permissions, SmartConsole is slow, and operations take longer than usual. Refer to sk180681.

In some scenarios, Access Policy Verification fails but the name of the failed rule is not specified.

An upgrade may fail when a Network object Group contains more than 32000 members.

In rare scenarios, in multi-site environments, Install Policy presets fail with "Timeout during task progress" or "You have reached the maximum number of active sessions". Refer to sk180897.

APP_ID may not be initialized when adding a new Check Point application via API, this may cause blocked access to several websites.

Editing an object in SmartConsole may fail with "Server error is: Object not found (Code: x08003001D, Could not access file for write operation)".

Login to SmartConsole with a RADIUS administrator from the SmartEvent Server may fail if this Server was upgraded. Refer to sk180584.

Packet mode search in SmartConsole may show rules that do not match the query if the query contains source, destination, and service.

If the Security Management Server is behind NAT, remote Management API login fails.

After restoring a Multi-Domain Security Management Server, High Availability synchronization may fail with "The Security Management Servers contain different Hotfixes".

Deleting a Domain from SmartConsole fails after a Domain Server was removed and the Domain has no Domain Servers.

A scheduled Install Policy Preset may not have its next run time updated when:

• The Multi-Domain Security Management Server was down while the preset was scheduled to run

• There are over 50 presets defined

Data Center objects may not appear as unused objects in the Object Explorer view, although they should.

In rare scenarios, many open connections on port 18196 are observed on the Multi-Domain Security Management Server or Multi-Domain Log Security Management Server.

In large environments, after policy installation or when loading Real Time Monitor, RTMD CPU consumption may be high for several minutes and the process may exit when 4 GB of memory is reached.

In some scenarios, in the Logs & Monitor view, no results are shown when filtering updatable object names by the "dst_uo_name" field.

In some scenarios, the FWD process may unexpectedly exit and cause a short outage related to the BGP failure.

After an upgrade, memory usage may increase on all Security Gateway Modules, and the "pkt_handle_f2v_if_needed: dropping packet (failed to send notification)" error is printed in logs.

Latency in connection caused by a packet flow change from F2V to F2F.

In a Maestro environment, an encrypted over SSH or RDP connection may get closed when handled by the wrong member.

In some scenarios, while processing H323 traffic, the Security Gateway may unexpectedly restart.

When setting "cphwd_enable_ecmp = 1" (to route by the source and destination IP address), the Security Gateway may route the traffic to the wrong MAC.

Latency in loading websites when using Security Gateway as a Proxy with HTTPS Inspection enabled. Refer to sk180673.

When the Security Gateway handles specific HTTP requests, memory failure may occur. CPView registers SMEM failure.

When HTTPS Inspection is enabled, website loading in Firefox fails or is slow, after a few seconds, the "NS_ERROR_ABORT" error appears in the network tab of Firefox. Refer to sk180873.

Stack buffer overflow may occur in the FWGTP process.

When adding another loopback interface in an MDPS environment, it is shown in MPLANE and not in DPLANE as expected.

Web Security parsing error "illegal header format detected: Missing quotation mark" of content-disposition header - that contains a filename* parameter or an unquoted parameter.

In some scenarios, the FWD process unexpectedly exits, and the Security Group Members state flaps between Active and Down during an Anti-Bot Blade update.

When IPS Blade is enabled, the Security Gateway may crash.

In some scenarios, Anti-Virus and Anti-Bot updates on Maestro Security Group Members may fail.

When Content Awareness Blade is enabled, there is a limitation of the file size (sk118516). However, when the source object of the Content Awareness rule does not match the current connection, the limitation is not applied on this connection.

Running the "ips stats" command in CLI may cause the IPS process to unexpectedly exit with core dumps.

Importing a custom intelligence feed containing IP ranges may fail.

Sending emails with attachments via Capsule Workspace may fail on iOS.

A VRRP cluster member may be stuck in boot after a cluster upgrade.

After several failovers in a cluster, connections may fail to synchronize. This can cause a timeout and the "first packet isn't syn" drops.

A VRRP/VRRP6 interface may go into Master/Master state.

An IGMP group with an expiration time of 7101 weeks should be deleted when it reaches 0 seconds, but instead, it may remain at 7101 weeks until a membership report is sent, then it resets to the interval of that interface.

When PIM and state refresh are enabled, the state refresh message may not be sent automatically after a failback in ClusterXL HA Primary Up mode.

Cluster member may stop sending multicast PIM traffic after failover or a reboot. Refer to sk180669.

In some scenarios, a Security Group Member failover can trigger routes to be lost on other members in the Security Group.

The ROUTED daemon may unexpectedly exit when aggregating routes with long AS paths.

Routes marked as "stale" may be redistributed via BGP during graceful restart.

• Remote Access clients are unable to connect using Machine Certificate Authentication when the certificate has OCSP and CRL but the gateway is unable to resolve properly the OCSP or to get a proper answer from the OCSP server. Refer to sk179434.

• OCSP is disabled on the user's IIS Server, but the Security Gateway does not fall back to the CRL method. Refer to sk179434.

• Security Gateway sends defaultCert to the third party instead of an OCSP certificate. An unexpected OCSP response may cause a VPN gateway to stop using its certificate until the next policy installation. Refer to sk180683.

In a Site to Site VPN, when one of the sites is a cluster in Load Sharing mode, it can cause incorrect destination member calculation for asymmetric connection and the traffic might be dropped. Refer to sk180855.

Values provided by the VSX OID tree: 1.3.6.1.4.1.2620.1.16.22.5.1 may be incorrect.

Warp interfaces may appear in VS0 and disrupt connectivity when editing a Virtual Switch with a bond and VLANs.

A VSX Security Gateway may crash while attempting to collect statistics after running the "cpstop" command.

Gaia backup may fail, leaving a temporary partition behind. Any new attempt to create a new backup returns an error.

Scheduled SCP snapshots to a Windows Server may fail with the "Failed to connect to remote server. Please validate connection".

Deleting one hundred IP addresses or more from the Security Gateway at once may fail, resulting in recurrent deletion retries.

SIP traffic may be dropped and "kiss_htab_bl_infra_slink: failed "earlynat_sport_ghtab_bl":3 reason: KISS_HTAB_BL_SLINK_LIMIT_REACHED" is printed in the fwk.elg file.

After an upgrade, VoIP, and SIP / H323 traffic may be dropped in the VPN tunnel. Refer to sk179651.

In VSLS mode, SNMP traffic may incorrectly be forwarded to SMO instead of DR manager of the corresponding Virtual System.

When adding a new Virtual System and installing a policy, member state may change to Down.

Excessive "cphwd_get_device_accelerated_ifs: too many interfaces (32,XXX)" messages may log to $FWDIR/log/fwk.elg. Refer to sk180439.

License is not copied from SMO to all other members if other members are in Down state.

Security Gateway drops GTP Echo Response traffic with the reason "Wrong Destination Port". See sk181507.