List of All Resolved Issues and New Features in R82 Jumbo Hotfix Accumulator

NEW: SD-WAN functionality now supports AWS Cross Availability Zone and traffic steering with configurable multi-target probing.

UPDATE: Added the "Type" and "Resource" columns to the HTTPS Inspection Logs table under Logs & Events.

UPDATE: Added support for using Network Groups in the "Install On" column of the NAT Policy.

UPDATE: Added a count of Session and Connection logs to the "cpstat" command output.

UPDATE: Support TLS 1.3 for the RAD process requests. To activate it, change the TLS version to "TLSv1_3". Refer to sk178505.

UPDATE: Added a kernel parameter "domo_reverse_lookup_disabled" to disable reverse DNS lookups to avoid rare incorrect matches in scenarios involving non-Fully Qualified Domain Name (non-FQDN) Domains.

• "domo_reverse_lookup_disabled 1" to disable reverse DNS lookups.

• "domo_reverse_lookup_disabled 0" to enable reverse DNS lookups (the default value).

UPDATE: HTTPS Inspection statistics are now available through SNMP requests.

UPDATE: Added support for the Mobile Access Portal "WebSocket" applications to work in environments with asymmetric network bandwidth (the download speed is faster than the upload speed) between external and internal networks. Refer to sk95311.

UPDATE: Added selection of specific Security Gateways to onboard to the Infinity Portal, and the ability to disable the feature completely. Refer to sk180557.

UPDATE: In the Clish API, added the comprehensive VSNext task monitoring capabilities, previously available only in the WebUI.

UPDATE: Rather than using the management switch, it is now possible to choose a different management interface for each virtual system (VS).

UPDATE: Traffic between an external network host and an internal network host is now accelerated when a static NAT is configured to translate a cluster member's IP address or specific high port to an internal host IP address or specific service port. This scenario is relevant in Check Point CloudGuard Network Security Azure High Availability deployments, where traffic passes through a Load Balancer.

• To enable acceleration, add this kernel parameter to the $FWDIR/boot/modules/fwkern.conf file - "accel_dnat_to_cluster=1".

• The change can also be applied immediately to the running FW1 process without requiring a reboot: "fw ctl set int accel_dnat_to_cluster 1".

In SmartConsole, in the Gateways & Servers view, under Device & License Information of a Security Gateway or Cluster object, or in CPView and SNMP traps, the value of "new connection rate" for OID .1.3.6.1.4.1.2620.1.1.26.11.6.0 is incorrect.

In rare scenarios, a core file of the CPRLIC process is generated.

Login using a TACACS Server created with the "add tacacs-server" Management API command, fails with "authentication to server failed".

Creating a Threat Prevention Exception from a log fails with the "Failed to add exception" error when the "File Name" field in the log contains a Windows directory separator ("\").

In some scenarios, Web SmartConsole session gets disconnected after several minutes.

In rare scenarios, when more than one Security Blade is enabled on the Security Gateway, Presets for policy installation may fail after purging all revisions.

When using SmartWorkflow on a Security Management Server with more than 200 administrators, requests may stall or cause SmartConsole crashes during submission.

Access Control Policy installation may take a long time when updatable objects are used in the policy.

In rare scenarios, login to SmartConsole using LDAP, TACACS or RADIUS authentication fails with a timeout.

Global Policy Reassignment fails with the "org.postgresql.util.PSQLException: ERROR: more than one row returned by a subquery used as an expression" error printed in the cpm.elg file.

In rare scenarios, policy installation fails with "Policy installation had failed due to an internal error".

When modifying the URL definition type in an Application Site object using the "set application-site" Management API command with the "urls-defined-as-regular-expression" parameter, the type of pre-existing URLs remains unchanged.

In some scenarios, policy state directories are synchronized between Active and Standby Security Management Servers, leading to high disk space usage.

Duplicated licenses on the Security Management Server may impact the vsec_lic_cli utility.

When enabling the Threat Emulation Blade on a Maestro Security Gateway Object in SmartConsole, a "Failed to check compatibility on gateway" message may be printed. Refer to sk183053.

In rare scenarios, Global Policy Assignment fails with an "IPS update is currently running in local domain" message, although IPS update is not running in that Domain.

In some scenarios, the Security Management Server with a proxy configured is unable to connect to Infinity Portal after changing the proxy settings.

Packet mode search or search within Object Explorer for IP address ranges may not work correctly on the Standby Security Management Server.

In some scenarios, Virtual Security Gateways lose their licenses. This causes Site to Site VPN and Remote Access VPN services to go down, while general internet access remains functional. SmartUpdate may not load.

In a Multi-Domain Security Management environment, an audit log is not created after changing the "Parent rule for Domain's policy" Domain layer.

In rare scenarios, the "mdsstat" command shows that the CPD process is down even though it is up and running.

In some scenarios, in the Multi-Domain Security Management Server, certain previously utilized global objects may remain hidden from both the SmartConsole's Object Explorer View and the "show unused-objects" Management API command.

In some scenarios, the "SIC Error for EntitlementManager: Peer sent wrong DN" error is printed in cpd.elg on a VSX Gateway.

In rare scenarios, the "Blades" widget in the Compliance Blade Overview page is blank.

In the cloud environments (Smart-1 Cloud and EPMaaS), logs query may fail because of the AWS certificate change.

When disconnecting the Security Management Server from the Infinity Portal and connecting to a different region, log sharing from Log Servers does not work until the Log Server restarts.

When a NAT-T tunnel is set up between VPN peers, packets having UDP encapsulation added to the headers are not transmitted out of the PPPoE interface as they should be. VPN connection appears to be established but does not actually pass traffic.

The DHCPv6 relay drops reply messages from the DHCPv6 server rather than forwarding them to the clients.

The FWK process exits with core dumps and error messages in $FWDIR/log/fwk.elg:"malware_res_rep_match_dns_response: check_dns_response_activate() failed".

The CPD or FWK process may unexpectedly restart when handling the interface statistics.

In rare scenarios, HTTPS inspection may block the downloading and uploading of PDF files to and from the Web Server.

In a specific scenario, file downloads intermittently stop until resumed manually because of HTTP parsing issues and Content Awareness parsing failures.

The DSD process (Dynamic Split Daemon) may exit when the "affinity" command input is large.

In a rare scenario, the FWK process may unexpectedly exit and bring down the Security Gateway.

In a rare scenario, an outage may occur in an Azure environment after one cluster member crashes and recovers.

In certain scenarios, the $SAMLPORTAL_HOME/logs/error_log file may continuously grow, potentially consuming a significant amount of disk space.

In rare scenarios, Security Gateway may crash when running the "ethtool -x" or the "ethtool -X" command for an interface that uses the AWS ENA network driver.

After enabling Security Zones in NAT Rule Base, wrong IP address is shown in logs and NAT is performed incorrectly. Refer to sk183088.

In a rare scenario, the FWK process may exit because of memory corruption.

In a rare scenario, Security Gateway may crash with vmcore when working in Kernel Mode Firewall (KMFW).

A stability issue where the ICAP Server may unexpectedly restart when processing traffic from a Security Gateway with Threat Emulation enabled.

In a rare scenario, VoIP Traffic fails after the initial call when SecureXL operates in User Mode (UPPAK). Refer to sk183218.

Incorrect memory handling may cause the FWK process to unexpectedly exit.

In some scenarios, a VPN outage may occur after an ICA renewal.

In rare scenarios, the Threat Emulation Blade may fail to correctly classify the file type.

A memory leak can occur in the Threat Extraction file inspection process for HTTP/S protocols. When memory consumption reaches the maximum allowed allocation, it causes the process to crash and automatically restart.

In a rare scenario, the PDPD process may unexpectedly exit during a cluster failover.

Web protections may not properly block HTTP requests without a Host header.

Some custom applications in the HTTPS Inspection policy are not matched if they are part of a Group object. Refer to sk183176.

In some scenarios, when URL Filtering Blade analyzes web requests, the RAD error may appear in /var/log/messages: "rad_kernel_urlf_request_serialize: string len =XXXX bigger than max 4096".

The FWK process may unexpectedly exit during HTTPS inspection flow which requires the RAD service categorization.

When Anti-Virus is enabled, files are not downloaded with the "Failed writing the file" error printed in logs, and the block page is not displayed.

In some scenarios, the Anti-Bot Blade fails to parse external IoC feeds with IP address observables.

In some scenarios, a SmartConsole log with the Anti-Bot Blade entries may appear when the Anti-Bot Blade is disabled in the profile.

When a TLS connection is rejected because of no shared key exchange between the client and the Security Gateway, no log is generated to inform the administrator.

The HTTPD process periodically exits when accessing the Mobile Access Blade Citrix application because of the memory leak in the Citrix proxy implementation.

In ClusterXL High Availability setup, a crash may occur on both the primary and secondary members, causing network outages.

The FWK process may exit after enabling or disabling the "Same VMAC" feature. Refer to sk165674.

ClusterXL drops traffic that is sent to its IPv6 Virtual IP Address that is configured with the Unicast Link-Local scope (/64). Refer to sk183104.

High volumes of RST packets may cause CPU spikes, resulting in incoming network packet drops on SND instances.

In a rare scenario, the Security Gateway may become unresponsive during extended high memory utilization.

The Hardware Acceleration offloaded connection may break when the route is updated, affecting the offload flow and slowing down operations.

When SecureXL works in User Mode (UPPAK), in a VSX environment with many virtual systems, the WebUI may not be accessible when it reaches its internal connection limit.

A warning message "adp_rt4_delete: rt entry .... does not exist for slot 1" may be printed in the /var/log/dmesg file while VPN connection remains active.

The Security Gateway with SecureXL in User Mode (UPPAK) may crash under load during bond interface state flapping.

Memory allocation issue when handling Jumbo Frames.

SecureXL in User Mode (UPPAK) may restart when adding or removing VLAN interfaces and the Security Gateway is under high load.

In rare cases, when an internal BGP (iBGP) peer disconnects during a graceful restart, BGP may fail to advertise all routes. However, the missing routes still appear under "adj-rib-out" with a next hop of "0.0.0.0."

When obtaining a new IP address using the "dhclient -r" command turning off and on the interface configured as Dynamic Address IP (DAIP), the interface loses its IP address and fails to acquire a new one from the DHCP Server.

The ROUTED daemon may exit with a core dump file during IBGP synchronization.

When a network connection is established simultaneously in both directions (server-to-client and client-to-server), the Security Gateway experiences connectivity issues because of incorrect packet dispatching, leading to dropped packets. Refer to sk183072.

After an upgrade, Site to Site VPN tunnels (IKEv2) fail to establish. Logs show the "Auth exchange: Sending notification to peer: Invalid syntax" and "INVALID_KE_PAYLOAD" errors for IKE traffic.

In VSNext environments, CPView VSX Data shows only VS0.

Virtual Switches with names larger than 128 characters cannot be deleted, the "Virtual System with ID2 does not exist" error is displayed.

Occasional failures during simultaneous creation of multiple Virtual Systems (VS's), where identical IDs are assigned to more than one VS.

VSNext Virtual Gateway drops traffic when it is connected to a Virtual Switch. This issue affects systems running NGTP software blades. Refer to sk183460.

A memory leak may occur in a VSX environment, related to the transmitting packets module.

In a VSX environment, the Security Gateway may crash when removing an interface from topology.

Output of the "dynamic_split -p" command shows "Dynamic Split is currently off (Stopped due to State Verification failure)" on a VSX Gateway. Refer to sk181231.

When attempting to create cloning groups on an R82 Security Gateway, the "Error - Home directory for 'cadmin' cannot be in /home/cadmin directory" error is printed. Refer to sk182989.

In a Maestro environment, an error message about short string length may be incorrectly displayed when setting an expert password string that includes the colon ":" character on the Security Gateway.

High volumes of VoIP/ SIP traffic may trigger a Security Gateway crash.

Dynamic IP address changes for DAIP Gateway objects are not propagated to all Security Gateways in the SD-WAN VPN community, causing VPN connectivity failures.

On ElasticXL platform, there may be unnecessary or unsuccessful attempts to update the distribution of traffic among the cluster members.

In the VSNext mode (on ElasticXL and Maestro Security Groups), the Gaia gClish / Gaia Clish command "show interface" in the context of Virtual Switches fails with "CLINFR0699 Invalid command".

Changing the bond mode on Scalable Platform Security Group members may cause a MAC address mismatch on the bond interface because of the bond slaves reordering that does not match the database. Refer to sk182488.

The "fw fetch local" command fails on a Virtual System without SIC established because the SIC name is missing.

IP broadcast helper cannot forward the packets if the IP address of the "relay to" is not directly connected to the Security Gateway.

In some scenarios, the perfanalyze scripts output shows duplicates in cores data, this can cause the CPD process to crash.

When the Maestro Fastforward feature is enabled, rebooting a member may cause the member to be down because of the policy installation failure and the "Site HA module not started" error may be displayed.

Configured proxy ARP may not work as expected, when the "Same VMAC" feature is enabled.

A reboot loop with a generated configuration pnote may be triggered when Security Group hostname contains strings with "mq" or "otlp".

NEW:

• Added ARP Next-Hop prober to enhance support for additional network topologies.

• Introduced HTTP prober to reflect real-time Web Access metrics.

• Implemented Link Aggregation mode proportional to Download and Upload bandwidth.

• Administrators are now able to override SD-WAN interface Circuit configuration.

• Integrated Forward Error Correction to ensure successful traffic delivery by adding error correction code packets to the Overlay packet stream.

• Introduced Dynamic Objects (SD-WAN Internet, My VPN Domain, and Peer VPN Domain) to better represent Overlay and Internet address spaces.

• Added administrator control for Symmetric Packet Return, forcing Ingress Traffic to be replied on the same ISP.

• Enabled SD-WAN Overlay establishment across different Domains using Global VPN Community (MDS).

• Allowed SD-WAN Overlay to operate on top of Route-based VPN.

• Increased maximum Overlay size to support up to 500 Security Gateways.

• Improved accuracy of SD-WAN decision-making during policy installation.

• Enabled setup of IPv4 SD-WAN overlay when non-SD-WAN IPv6 interfaces are configured.

UPDATE: Resolved CVE-2024-52888 - Mobile Access File Share applications are vulnerable to stored XSS attacks. Refer to sk183055.

UPDATE: The Global Domain automatic purge settings now automatically restore and reschedule after a Security Management Server restart.

UPDATE: Reduced memory usage of LDAP keepalives and improved connection error handling, resulting in improved system reliability and security performance.

UPDATE: Added a new Gaia Clish parameter to ignore the Autonomous System (AS) Path when aggregating routes: "set aggregate <IP Address>/<IP Mask> aspath-ignore {on | off}". Note, enabling "aspath-ignore" will disable "aspath-truncate" if configured.

UPDATE: Optimized memory management when processing Jumbo Frames.

UPDATE: In ElasticXL, restoring Gaia OS backup is now supported.

In VSNext ElasticXL Load Sharing environments, traffic latency and interface flapping may occur between two members in the Virtual Switch (VSW), when the switch is configured on non-management interfaces and both members are on the same site.

In SmartConsole, in the Quantum Spark Cluster object, editing the interfaces (manually or with the "Get Interfaces" action) fails with an unclear error message "Failed to save object".

In rare scenarios:

• Login to the Security Management Server may fail with timeout.

• Publish operations may take a long time.

Scheduled Snapshot Issues:

• Gaia may not recognize the Remote Server as a known host during scheduled backup creation, even after following sk164234 instructions.

• The "Remote server identity is not known by Gaia" error is displayed despite proper HBA configuration.

• The "set snapshot-scheduled recurrence monthly" command fails when using the "all" option.

Refer to sk182665.

In some scenarios, SmartTasks triggered by "after submit", "approve" and "reject" events fail to run.

In some scenarios, deleting a Security Gateway object fails if the Security Gateway is a participant in the Global VPN Community.

In the "Gateways and Servers" tab, when opening a shell on a specific Security Gateway, a "Connection failed" message pops up.

Performing changes to the Global Properties may not be possible if:

• Encryption algorithms in Remote Access > VPN-Authentication and encryption are SHA384 or SHA512.

• There is at least one Security Gateway configured with a version lower than R81.

In rare scenarios, an upgrade of Multi-Domain Security Management Server, handling Domain Log Server certificates, may get stuck.

• The fix will only be applied if the upgrade to R82 Jumbo Hotfix Accumulator Take 14 or higher is done using a Blink image or the Advanced Upgrade method.

In some scenarios, an HTTP format size protection exception is not applied to the HTTP/2 flow.

When the autodebug feature is enabled, the RAD service may consume high CPU and trigger "RAD service not available" alert logs.

Incorrect Rule Base parameters synchronization logic may lead to the FWK process exit.

High CPU usage on SND cores related to processing network traffic and distributing it to the appropriate firewall instances.

Large NAT Rule Base may lead to high CPU usage during packet processing.

The FWK process may exit with a core dump file when the Security Gateway passes SMB traffic and the Hyperflow feature is enabled.

PPPoE interface fails to restart when it is disconnected from the Server side. Refer to sk182154.

In a rare scenario, the PDPD process may unexpectedly exit during the PDP sharing flow.

HTTPS Site Categorization fails to properly handle unsupported QUIC protocol versions, causing classification errors instead of following the configured fail-mode (open/close) policy.

The DLP blade may not block the password-protected files of a specific type, although it should.

HTTPS inspection session logs lack detailed explanations in the "explanation" field, displaying generic messages that do not clarify action reasons. This is a cosmetic issue.

During cluster startup with routing separation enabled, a mismatch between routing and firewall process initialization can trigger premature full synchronization pnotes when the routing process is not fully synchronized.

SD-WAN may not work as expected when SecureXL User Space Mode (UPPAK) is enabled.

Routing related connectivity and stability issues may occur when SecureXL operates in User Mode (UPPAK). Refer to sk183181.

The "iphelper" (IP Broadcast Helper) service may trigger high CPU utilization because of a recursive packet broadcasting loop between network interfaces.

Network traffic to the Internet experiences slowdowns and file download interruptions due to packets being dropped with "OS routing failed" errors during route lookup failures.

Two or more Endpoint Security VPN (Remote Access VPN) Users may get the same Office Mode IP address. Refer to sk182537.

When using machine-restricted Access Roles, IKEv2 VPN connections fail at the cleanup rule due to missing machine information and user source IP, while IKEv1 connections are unaffected.

VPN connection may not be stable when transitioning from Legacy Link Selection to R82 Link Selection.

After traffic is stopped and tunnels are deleted, the tunnels may appear as "Disconnected" for about 30 seconds, and then again as "Connected" because of DPD probing.

In VSNext, multiple CPRID processes running on different ports per virtual system may cause instability in large scale environments.

Using the "#" character in the Message of the Day (MOTD) banner message causes SGMs to fail during boot.

When running the "enabled_blades" command multiple times simultaneously, the command output may be incorrect.

In rare scenarios, Security Group members may fail to receive their Gaia database from the Single Management Object (SMO). When this occurs, gClish commands related to these missing Security Group configurations may fail.

UPDATE: Deprecated RC2-CBC cipher for SIC in OpenSSL.

UPDATE:

• Improved debugging in the Security Gateway to identify problematic hosts when resolving their next-hop IP addresses.

• The custom ADP queue size configuration now persists after rebooting the Security Gateway. The relevant global parameters are located in the $PPKDIR/conf/adpkern.conf file:

  • "adp_nh_total_max_arp_qents"

  • "adp_nh_local_max_arp_qents"

In rare scenarios, when exporting policy hitcounts to CSV format, the "Hitcount" column may appear blank in the exported file.

The Database Installation progress bar may not update during task execution.

In some scenarios, in a Multi-Domain Security Management environment, the Hit Count retention mechanism may not remove the Hit Count data from all the Domains.

In rare scenarios, in Multi-Domain Security Management environments, login to SmartConsole fails.

When the Security Management has an additional NAT configuration in the SD-WAN policy (Infinity Portal), an indicating banner may not appear in SmartConsole NAT Rule Base. This is a cosmetic issue.

• Requires R82 SmartConsole Build 1051 or higher.

In a rare scenario, the FWK process may exit due to a race condition.

Anti-Spoofing may drop IPv6 traffic that arrives at an interface with an IPv6 address configured. Refer to sk182725.

Traffic through specific interfaces is dropped when the QoS blade is active and "ISP redundancy-LS" is configured. Refer to sk182807.

DoS protection and connection rate limiting configurations may fail to effectively enforce rules.

In a VSX environment, enabling Threat Prevention blades may cause continuous file accumulation on the Security Gateway's hard drive.

Identity Broker Subscriber configured with recalculation of Access Roles does not match all Access Roles after the User and Machine are identified.

In a rare scenario, the PDPD process may unexpectedly exit during policy installation.

A memory leak may occur in the SIM process when using DOS/Rate Limiting rules.

Policy installation failures can disrupt the expected behavior of "fwaccel dos" commands.

An ECDH object may be deleted before its associated event is completed processing.

There is no audio during the first 5 seconds of each VoIP call. Refer to sk182730.

In SmartConsole, in the Device and License Information view, the Compliance Blade license status may incorrectly display "Quota Exceeded" when Virtual Routers or Virtual Switches are present.

During patch deployment in Posture Management, attempting to patch multiple systems for a specific application using the "Group By Application" option fails with the "Failed to Start Patching Process" error.

When handling multiple shared uplinks across numerous interfaces, errors related to LACP bond uplink updates may be printed in logs.