R81 Jumbo Hotfix Take 99

NEW: Added ability for R81 Security Management or Multi-Domain Server to manage 19000 and 29000 Check Point appliances.

• Requires R81 SmartConsole Build 568 (or higher).

NEW: Added ability to drop the traffic of specific UDP applications per packet. For example, the Security Gateway can now drop the specific commands and allow the other commands of the BACNet Protocol.

This ability is enabled by default.

• To disable this ability, run: "fw ctl set int appi_drop_packet_enabled 0".

• To enable this ability, run: "fw ctl set int appi_drop_packet_enabled 1".

NEW: Added support for Azure Scale sets with Flexible orchestration mode.

CVE-2024-24919 - Quantum Security Gateway Information Disclosure. Refer to sk182336.

UPDATE: Added validation for new permissions for configuring a script to run on the Security Gateway from Gateway object > Logs Alerts/Storage > Run the following script before deleting old files.

UPDATE: Added verification for policy deletion. If the policy is installed on the Security Gateway, the "delete-package" Management API command now fails with "Policy X is installed on 1 or more gateways.". Refer to sk181877.

UPDATE: Added ability to increase the instance processing queue size, by modifying the kernel parameter "fwmultik_pending_queue_len_limit" (the default value is "2000"). Refer to sk181921.

UPDATE: When changes are made to updatable objects within a policy and a missing or corrupted package is detected, the policy installation will fail, resulting in the generation of a log.

UPDATE: The identity synchronization from Policy Decision Point (PDP) to Smart-Pull Policy Enforcement Point (PEP) client now takes several seconds instead of a few minutes, especially beneficial in environments with a single PDP Security Gateway sharing to multiple PEP Security Gateways.

UPDATE: It is now possible to add exceptions to external IoC feeds.

UPDATE: The "IPv6 autoconfig" parameter is now disabled by default on VSX.

UPDATE: The output of "show arp dynamic all" and "dbget ip:arpdynamic:show:0" which was previously limited to +-4450 entries, now increases dynamically.

UPDATE: Updated the Jetty open source library from the 9.3.6.v20151106 version to 9.4.52.v20230823.

UPDATE: New features and improvements are released in Take 94, Take 97, Take 100 and Take 102 via self-updatable package. Refer to sk170314.

UPDATE: Added Take 77 and Take 93 of CPotelcol (OpenTelemetry Collector) Release Updates. Refer to sk180522.

UPDATE: Added Update 22, Update 23 and Update 24 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

UPDATE: Added Update 15, Update 16 and Update 17 of HealthCheck Point (HCP) Release. Refer to sk171436.

UPDATE: Added Python 3.11.4.

In some scenarios, SmartConsole may close unexpectedly when clicking the "View Changes" option in the Install Policy view.

When attempting to load a SNORT Rules file that contains one or more spaces, the import process fails with an ambiguous error message.

In rare scenarios, the FWM process on the Security Management Server may unexpectedly exit or not start, creating a core dump file.

The revisions purge process may get stuck due to an incomplete purge operation from a previous attempt.

Login to SmartConsole fails if the "Read_Write_All_Profile" permission profile is deleted.

Deleting a Security Gateway object fails if there is a license attached to the Security Gateway and the Security Gateway is physically disconnected.

Enabling automatic updates of Trusted CAs as described in sk173629 may fail.

Running a Gaia API command on the Security Gateway through the Management API from the Security Management Server fails when configuring the "target" parameter with either the Security Gateway name or UID.

In environments with many network objects, SmartConsole may freeze while it loads the VPN tab of a Security Gateway object.

In rare scenarios, Global Policy assignment fails when there are many open Remote CPM Server sessions. Refer to sk181822.

The "set-smart-task" API command fails when enabling the "Send mail to/from" option in SmartTasks.

If there are changes in the HTTPS Policy and Certificates in the session, a "Something went wrong" message appears when opening the Change Report.

The "set checkpoint-host" API command may fail if the host object has a VPN Tunnel interface (vpnt) defined.

Install Policy Presets may fail after purging all revisions. Refer to sk181652.

In rare scenarios, High Availability synchronization fails with "Peer is busy".

SmartConsole may unexpectedly close after policy installation when SmartTasks return invalid characters from a user-defined script.

Login to SmartConsole may fail while the Compliance Blade is running a full scan.

Packet mode search in SmartConsole may show rules that do not match the query if the query contains four or more filters.

In some scenarios the "show access rulebase" Management API command with "details-level full" can take a significant amount of time to complete or time out after five minutes. Refer to sk181397.

The "fwm sic_reset" command may fail and generate a core dump.

The Change Report generated before publishing a session, may contain internal system changes that were made by the user.

In rare scenarios, policy installation on R77.30 Security Gateway fails with "Operation failed, install/uninstall has been improperly terminated". Refer to sk180448.

A memory leak may occur in the FWM process which leads to SmartConsole connection failures.

In Multi-Domain Security Management environments, if there are more than three hundred forty Domains, login to SmartConsole fails.

In rare scenarios, in a Multi-Domain Security Management environment:

• Login to the Management Server may timeout and fail.

• Publish operation may take a long time.

Defining more than two hundred GUI clients causes the "Command Line" tab in SmartConsole to be greyed out and the "api status" command to show an error status.

An "Error logging into domain" message is displayed in Web SmartConsole when connecting to a Domain on a peer Multi-Domain Security Management Server. Refer to sk181801.

In rare scenarios, CPView does not handle VS context correctly.

In the "cpview -m" command output on the Security Gateway which is an Active Cluster member, "metrics system.network.nat.ports" and "system.network.nat.ports.limit" may not be displayed in the list of available metrics.

Administrators without the "run script" permissions can enable or disable the option to run a script on a Security Gateway, using advanced configuration options.

When the active log file, for example, the fw.log for the Security Gateway is older than two days, the CPLogFilePrint utility does not print the log records correctly.

When using Log Exporter to export logs to Splunk, a log entry in Splunk is split to separate lines if it contains the CRLF characters.

Some Access Rule Base logs may be generated with a wrong interface direction. The issue is cosmetic only.

In a rare scenario, a Security Gateway / Cluster Member may stop logging locally or to configured Log Servers. Refer to sk170331.

CIFS traffic may cause CPU spikes in the FWK process.

Sporadic latency while uploading a file when HTTPS Inspection and ICAP client are enabled. Refer to sk181793.

CVE-2023-51764 - Postfix SMTP Smuggling vulnerability. Refer to sk181944.

In rare scenarios, updating the NTP Server may cause a temporary outage.

The CPVIEW_API_SERVICE process may exit with a timeout.

When using three or more ISP DNS proxies in High Availability mode and Load Sharing mode:

• A DNS query to any ISP returns IP addresses of all three, although it should return only the active ISP.

• When one ISP is down, the faulty ISP is also returned instead of the newly active.

The ICAP Server does not send data for the Threat Prevention blades inspection, after the restart of the TEMAIN process.

The Security Gateway may crash during policy installation.

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic back to Gaia OS directly out of an interface on a Virtual Router.

In a VSX environment, the FW_FULL process may exit when running "fw monitor -p all" with the "-v" flag on a specific list of Virtual Systems (VS's) where not all VS's have identical blade configurations enabled.

The ICAP Server may fail to initialize.

Incorrect static NAT destination is applied when the original destination in the NAT rule is the Security Gateway object, but the actual destination does not match the main IP address of the Security Gateway object.

Incorrect CPU statics may be shown in CPView when using Dynamic Split.

In some scenarios, a misconfiguration on a DNS Server may lead to exhaustion of ephemeral ports on the Security Gateway.

When configuring ioc feeds from the management:

• The "no_ssl_validation" variable may be deleted after the policy installation.

• Fetching feed fails with the "Peer certificate cannot be authenticated with given CA certificates" reason.

In a rare scenario, there may be an unexpected reboot and a vmcore file generated in /var/log/crash.

An outage may occur when an unsupported SSH cipher is selected.

When URLF and APPI are disabled in VS0 in VSX setup, automatic updates fail on other Virtual Systems.

Files that undergo emulation while operating from a corporate location are transformed into PDF format. However, when the same files are accessed through a VPN remote client, they do not get the pdf file extension.

In a rare scenario, when cloning SGM in Maestro, the FWD process may exit during an IPS/Anti-Virus/Anti-Bot package update.

After installing a hotfix in a cluster setup with a Threat Prevention policy that includes Network Objects, a member may get stuck during initialization after a reboot. Refer to sk180225.

The "Categorized HTTPS Sites" option does not classify specific websites when "TLS 1.3 hybridized Kyber support" is enabled in the browser. Refer to sk182318.

When a Multi-User Host is used with Identity Broker, the user session may expire on the PEP side, while still connected on the PDP, causing failure of user-based access.

After an upgrade, the Security Identifier (SID) for LDAP Users or LDAP Groups that were configured prior to the upgrade may be empty. Refer to sk181946.

User/Security Gateway identities may be revoked unexpectedly if an additional update from the AD Query identity source is rejected due to Identity session conciliation.

When a policy contains a white list, some packets may not match the listed applications.

In a rare scenario, an Identity Gateway (PEP) becomes unresponsive while unregistering a network.

In a rare scenario, when Identity Broker is configured, a memory leak in the PDPD process may occur during policy installation.

CPView and the 'cpstat' command show different Application Control database versions. Refer to sk181186.

Core IPS Protection "Unknown Resource Record" drops valid requests of specific DNS types.

The DLPU process may frequently exit with a core dump file.

Some file downloads fail with a logged "failure-reject" error because of the Anti-Virus Blade improperly classifying documents, causing inspection failures.

In a rare scenario, the Security Gateway may crash during inspection of file downloads.

The Anti-Virus Blade fails to show the UserCheck page for the URLs blocked by Custom Intelligence feeds.

When HTTPS Inspection is enabled, the Security Gateway generates a log that includes the message "Certificate Chain is not signed by a Trusted CA" when an end-user connects to an HTTP site or a site with an untrusted SSL certificate. But, in some scenarios, the log does not include this text.

In a cluster environment, the Security Gateway may become unresponsive on the Active member, and after a failover the issue occurs on the new Active member also.

In a cluster connected to Smart-1 Cloud, local probing may start on the "maas_tunnel" interface, although it is not monitored by the cluster. Output of the Expert command "cphaprob -i list" or the Gaia Clish command "show cluster members pnotes problem" shows that the Critical Device "Local Probing" reports its state as "problem".

The Security Gateway may crash during the conversion from VRRP Cluster to ClusterXL Cluster.

In a rare scenario, after an upgrade, connections between networks may be dropped with the "First Packet isn't SYN" error.

In some scenarios when Route-based probing is configured, the VSX Security Gateway sends out encrypted traffic with a source IP address of all zeroes through a Virtual Switch interface. This traffic may be dropped by routers, the VPN peer Gateway or other Security Gateways due to the invalid source IP address.

In some scenarios, fragmented ICMP packets may bypass the DOS/ Rate limiting deny list.

The Security Gateway may fail to add interfaces to the SecureXL accelerated interfaces list.

In some scenarios, the VSX Security Gateway may not set the MAC header correctly when sending traffic directly out of an interface on a Virtual Router or Virtual Switch.

The Security Gateway may crash with vmcore during boot while upgrading.

High CPU utilization may be triggered when User Mode (UPPAK) and VPN are enabled under high load.

In some scenarios, the VSX Security Gateway may crash when sending VPN encrypted traffic through a Virtual Router/Switch.

In Kernel mode Firewall, traffic passing through the GRE tunnel may not reach the peer.

During the processing of PIM Join-Prune messages, the absence of prior ({},G) state prevents the processing of (S,G) joins for the same group, even when present in the message.

When running a Gaia API request that results in multiple configuration changes, only the first change may be applied initially. The subsequent changes are not enforced until another change triggers re-processing.

Cluster failover may occur when the ROUTED process due to a memory leak unexpectedly exits with a core dump file generated.

In scenarios where numerous BGP peers are configured with the "multihop" option enabled, combined with short "keepalive" settings and a large number of routes being received from each peer, the ROUTED process may experience high CPU utilization.

Enabling rfc1583-compatibility via Clish fails with "CLINFR0329 Invalid command:'set ospf instance default rfc1583-compatibility on".

BGP peers may experience timeouts when these conditions occur simultaneously:

• The network has more than 100 BGP peers configured,

• The routing table contains tens of thousands of routes,

• BGP tracing is enabled,

• The BGP timers (such as keepalive and hold timers) are reduced from their default values, making the peers more sensitive to delays or congestion.

The FWK process crashes sporadically, causing impact on traffic due to an issue related to the decryption of fragmented traffic.

VPN connectivity may be unstable when IPv6 and VPN star communities are configured.

When using the "fw tab" command to view the IKE_SA_table, the output shows a column containing the IP addresses that are not meant to be displayed while the correct IP addresses are not printed.

In a Site to Site VPN, following an update, the Security Gateway may erroneously transmit an invalid IKE SPI to its peer. Consequently, during the rekey process, the tunnel fails due to the "invalid IKE SPI" error.

When the DAIP Gateway public IP address occasionally changes, the connected Security Gateway fails to update the new IP address and continues responding to the old IP address, causing communication issues.

A low-severity security vulnerability may exist when establishing an HTTPS connection to the Security Gateway.

VSX Gateway / VSX cluster member may crash during policy installation after deleting a virtual interface.

In some scenarios, installing policy via vsx_util may be stuck.

High CPU usage on SND cores when many interfaces are configured. Refer to sk181860.

The MONITORD daemon causes high CPU after 388 days of uptime. Refer to sk181922.

The SNMPD process memory consumption may be high, which causes the process to become unresponsive.

Taking a snapshot on the Security Management Server fails because of the error during copying the /boot/config/ content.

There may be some inconsistent syntax in the "comment" section for interface and static-route commands.

Lock database override may not work as expected when it is set via Ansible playbook, and another admin was connected to SSH before that.

Some valid interfaces may not be available with running the "set lldp interface" command.

When a non-local user executes a Gaia API command, the action is incorrectly logged as performed by the "admin" user in the /var/log/messages file.

When selecting to filter machines by infection name in SmartEndpoint Reporting > Anti-Malware > Top infections, the listed computers do not match the displayed numbers.

When attempting a one-time login for a migrated client in the Infinity Portal, the request fails with "400 error" caused by duplicate logon_name and domain_name entries in the database, preventing password generation from the Web interface.

When the SIP Multi-core feature is enabled, and a SIP over UDP rule with one-way calls (only outgoing calls, for example) is defined, the returned traffic is dropped. Refer to sk181525.

The "reboot -b all" command in gClish may fail. The environment hangs or reboots partially (only some of the members).

An additional reboot may be performed on Maestro Security Gateway because of the database entry (otlp) which should not be pulled from SMO. This entry is updated locally on each member via self-update functionality and, therefore, may differ between members.

The Gaia gClish command "installer verify CPUSE Package ID member_ids all" fails with "Quitting due to time-out" on a Scalable Platform Security Group. Refer to sk181674.

On a Security Group with MDPS enabled:

• The "asg perf" command on a Security Group does not show any output - the Gaia OS prompt appears immediately after entering the command and pressing the Enter key.

• When running the "mac_verifier" and other commands on a Security Group, the output may show the error message "mount of /sys failed: device or resource busy".

• The "distutil verify -v" command on a Security Group returns "verification failed".

After installing this Take, when MDPS plane separation is enabled, in the context of the Management plane, the directory /sys/class/net/ now shows interfaces that belong to the Data plane, although it should show interfaces that belong to the Management plane.

Refer to sk182076.

Scalable Platform Interface data OIDs (1.3.6.1.4.1.2620.1.48.26) may not be refreshed.

During site failover, IPv6 traffic that goes through the Warp interface may be interrupted.