R82 Jumbo Hotfix Take 73

NEW: It is now possible to add host/network/range objects for split tunnel on exclusion/inclusion modes. Refer to R82 Remote Access VPN Administration Guide > Dynamic Split Tunneling for SaaS Using Updatable Objects.

NEW: Now you can manage Harmony SASE Internet Access policy and HTTPS Inspection policy directly from SmartConsole. By centralizing policy management, the integration ensures consistent policy enforcement across products, streamlines governance for security policies, and consolidates operations into one trusted, management platform.

UPDATE: Check Point response to Apache Tomcat CVEs on Harmony Endpoint Security Management Server - CVE-2025-31651 and CVE-2025-31650. Refer to sk183615.

UPDATE: Policy verification error messages are now improved for scenarios when verification fails because of updatable objects, dynamic objects, and Domain objects in a Remote Access VPN community.

UPDATE:

• Directory scanner improvements for large environments.

• Emon JSON data payload management improvements.

UPDATE: Added the LogHub feature to the Insights tool.

UPDATE: New features and improvements are released in Take 157 via self-updatable package. Refer to sk170314.

The Security Gateway freezes or crashes without generating a core dump, and the message "Global htab id 100020 out of range!" appears in the $FWDIR/log/fwk.elgfile, when running CPDiag. Refer to sk183538.

In rare scenarios, login using Management API fails with a timeout and the "api status" command returns "API readiness test failed" message. Refer to sk184342.

When a user with read-only permissions for Global Domains (for example, a user with the Global Manager profile) connects to the System Domain in SmartConsole, the SmartConsole status bar incorrectly displays the user as having read-write permissions.

In rare scenarios, an IPS update fails because of duplicate objects.

In SmartConsole, if the Task pane has no tasks to show, the Task pane incorrectly shows an "Error retrieving results" message.

In rare scenarios, the Security Management Server fails to start after performing a "Revert to Revision" operation.

When using the "set-threat-protection" Management API command, overriding either the packet-capture or track values also overrides the action field and sets it to "inactive".

The "show-packages" Management API command executed with "async-response" parameter may fail with "generic_err_invalid_parameter_name".

In certain scenarios, an upgrade of the Multi-Domain Security Management Server may fail with a "During synchronization a new object was found through a relationship that was not marked cascade PERSIST" message.

• The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or with the Advanced Upgrade method.

In rare scenarios, the description of IPS Logs in the Logs view may be unclear. Refer to sk182386.

Improper memory handling within the CPD process may result in unexpected process restart.

Potential memory leak in the CPD process.

The Security Gateway may drop packets and potentially crash because of memory allocation issues.

Infinite routing loop may occur because of TTL handling in SecureXL Medium Path. Refer to sk183728.

In a Maestro VSX environment, Layer 2 MAC address table in Bridge Mode (Bridge Forwarding Database) entries may be incorrectly deleted, causing connectivity issues.

Running the "show cp-trusted-ca-certificate" Management API with invalid validFrom/validTo values in the database causes an error and blocks the Trusted Certificates view.

Mobile Access Software Blade may incorrectly terminate Guacamole-based clientless RDP/SSH sessions due to client idleness.

In rare scenarios, Mobile Access SmartConsole Logs may not match views/queries, including the "MAC address" or "Methods" field names.

Potential USIM process exit when using virtio devices and changing the MTU value.

In some scenarios, the VSX Security Gateway may not route traffic correctly for non-accelerated connections and accelerated connections that require Active or Passive Streaming when SecureXL User Mode (UPPAK) is enabled.

The USIM process may exit when viewing the fg_conn table using the "fwaccel tab -t" command.

Multiple "radix_get_value" messages may appear in fwk.elg log files.

When a VLAN interface is configured as the synchronization interface for the VSX cluster and SecureXL User Mode (UPPAK) is enabled, Virtual Systems on non-active members cannot forward traffic to Virtual Systems on the active member through a warp interface.

Interface cards are not displayed in the output of the "show asset network" command when SecureXL User Mode (UPPAK) and MDPS are enabled. Refer to sk184218.

In some scenarios, the Security Gateway may crash when IoC feed contains an IPv6 address.

Rate Limiting policy installation (when the Rate Limiting policy is updated or country code data is updated) may take a long time.

IPv6 Site-2-Site connectivity may not be stable in Enhanced Link Selection configuration on ClusterXL environments.

IPv6 traffic outage in Enhanced Link Selection configuration after tunnel deletion on one side during tunnel renegotiation.

In an ElasticXL Cluster in the VSNext Mode, when physical interfaces are configured as management interfaces on Virtual Systems, these interfaces are down after reboot.

Gaia Portal Session Cookie missing the SameSite attribute. Security scanners and penetration tests flag the missing SameSite attribute as a vulnerability. Refer to sk183645.

DHCP traffic peaks may cause high utilization, potentially impacting connectivity.

SNMP Power Supply trap reports false "Down" status. Refer to sk183702.

LACP bonds may continue passing traffic when running SecureXL User Space Mode and the value drops below the configured minimum number of links, although the bond interface should stop passing traffic.

Full Disk Encryption user update password fails with auth_type 3 (certificate and password).

After upgrading the Endpoint Security Client from a non-compliant version to E88.62 on Azure AD devices (protected by Full Disk Encryption), multiple clients may enter a disconnected state.

The CloudGuard Network Central License utility fails to distribute a single license using CLI.

Members added to a Security Group with the MDPS feature enabled may stay in the Down state because of a missing license (licenses are not distributed from the SMO member to the added Security Group members).

Maestro Orchestrator fails to add a new Security Appliance to a Security Group when the Maestro Fastforward feature is enabled in the Security Group. Refer to sk184233.

In an ElasticXL Cluster in the VSNext Mode, it is not possible to configure more than 32 CoreXL IPv4 / IPv6 Firewall instances in a Virtual Gateway in the CLI. The Gaia gClish command "set vsnext corexl-instances virtual-gateway ID ipv4-instances Value" fails with the "CLINFR0409 Invalid number: Value. Not in range 1..32." error.

In a VSNext environment with a Virtual Switch (VSW), SNMP data for ASG branches may not be collected.

In the Maestro and Chassis environment with multiple Virtual Systems (VSs) and updatable objects, the disk may reach full capacity. Refer to sk184576.

See the Critical Information section.

In a Maestro VSX VSLS Cluster, after setting the kernel parameters "fwha_monitor_all_vlan=1" and "fwha_enable_if_probing=1", memory consumption may immediately increase to 100% and cause an outage.

The "Invalid property name for chassis" error is displayed when changing the "alert_threshold packet_rate_total_threshold_low_ratio" value.

SAM rules fail to gracefully terminate PDP context when the timer expires.