R82 Jumbo Hotfix Take 103

NEW: Policy Auditor is a policy analytics and auditing tool that provides visibility into traffic behavior within the user's network. In SmartConsole > Security Policies > Access Control, Policy Auditor presents a matrix view of the network's logical segments and the access rules defined between them. The tool allows administrators to audit these security rules and verify that they align with organizational access policies and segmentation requirements.

• Requires R82 SmartConsole Build 1065 or higher.

NEW: Introduced the new Migration Tool for converting ClusterXL to ElasticXL. Refer to sk183894.

NEW: Added integration between the Security Management Server and Illumio to extend Check Point micro-segmentation capabilities. This integration enables importing Illumio Workloads and Labels into SmartConsole and using them directly in the Access Control Policy. It improves policy visibility and operational awareness, with enforcement performed on the Security Gateway without requiring an additional policy installation.

UPDATE: Resolved CVE-2026-48131 - VPND IKE Fragment Reassembly - Heap Out-of-Bounds Write via Sequence Number Zero. Refer to sk184981.

UPDATE: Resolved CVE-2026-48133 - Identity Awareness Captive Portal - Unauthenticated Local File Inclusion. Refer to sk184993.

UPDATE: Resolved CVE-2026-48135 - HTTP service can incorrectly process malformed HTTP requests. Refer to sk184991.

This Jumbo Hotfix Accumulator Take includes dozens of code and functionality hardening changes.

UPDATE: JRE is updated from version 8.0_8.50 to 8.0_8.60.

UPDATE: In environments with thousands of Domain objects or External User Groups, the policy installation duration is now significantly improved.

UPDATE: When connecting a Domain to the Check Point Portal, Dedicated Log Servers in the Domain are now connected automatically.

UPDATE: The Zero Phishing Software Blade improvements:

• Changed the default Portal Accessibility configuration from "Through all interfaces" to "Through internal interfaces", including the VPN-encrypted interfaces.

• Resolved an issue that prevented saving manual updates to internal accessibility settings. Refer to R82 Threat Prevention Administration Guide.

Requires installing R82 SmartConsole Build 1065.

UPDATE: Added a capping status indicator to CPView and SmartConsole showing whether log sharing is actively sending logs to the Cloud or it reached its daily limit. Refer to R82 Security Management Administration Guide.

UPDATE: When OCSP certificate validation fails, the Security Gateway now automatically falls back to CRL validation. Manual configuration via the Check Point Registry (described in Scenario 2 in sk179434) is no longer required.

UPDATE: Added the ability to automatically stop kernel debugging after a specified number of seconds. See the R82 Quantum Security Gateway Administration Guide. Refer to the command "fw ctl debug -T <Number of Seconds>".

UPDATE: Added an ability to automatically roll back CoreXL instance changes on a VS if the operation fails on one of the cluster members.

UPDATE: Added support for Microsoft Azure Network Adapter (MANA) driver. Refer to sk183754.

UPDATE: New features and improvements are released in Take 163, Take 165, Take 170 via self-updatable package. Refer to sk170314.

UPDATE: Added Take 53 to Log Exporter Auto Update Deployment. Refer to sk182866.

UPDATE: Added Take 43 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.

In rare scenarios, CME (Cloud Management Extension) fails to run because of the "show-simple-gateway" Management API command failure. The CME logs show such entries: "Product - CMESeverity - criticalDescription - Error during synchronization with Security Gateways. Error details: Failed to scan for gateway instances in the cloud account".

Policy installation may fail when an inline layer is used more than once in the same policy and this error is displayed "Policy installation had failed due to an internal error. If the problem persists please contact Check Point support".

In a Full High Availability (HA) ClusterXL deployment, the Check Point Portal does not display the Active Management Server as connected. As a result, Configuration Sharing is not working as expected in the Check Point Portal.

The delay may be observed during the "compiling policy" and "generating policy files" stages in SmartConsole.

When using the "add/set data-type-weighted-keywords" and "add/set data-type-file-attributes" Management API commands, the field "description" is missing from the response.

SMB packages may not appear in the Multi-Domain Security Management "package repository list", even though they uploaded successfully.

In SmartTask-generated emails, the Sender field displays the username instead of the user's email address.

In rare scenarios, the /var/tmp directory may be filled up with redundant tmpUserDefineCmd_OS0*.sh files, created during Compliance Software Blade scans.

In some scenarios, an upgrade of the Security Management Server may fail with a "There can only be one Automatic Purge Setting for this domain. Duplicates are invalid" message.

• The fix will only be applied if the upgrade to this Jumbo Hotfix Take is done using a Blink image or with the Advanced Upgrade method.

The "set-checkpoint-host" Management API command with the "interfaces" field may fail with the "generic_err_invalid_parameter" error.

Upon creation of a new Domain on a Multi-Domain Security Management Server, the Domain Server's virtual IP address is not added to the Gaia database, making it inaccessible via Clish commands. Refer to sk183941.

In some scenarios, the Management Server may generate excessive log messages, causing the cpm.elg log file to reach its size limit quickly.

In some scenarios, the Domain Log Management Server fails to connect to the Check Point Portal.

Apostrophes used in CPView strings cause CPDiag to fail. CPView History data is not shown. Refer to sk184873.

In SmartView Monitor, opened from Logs & Events > Tunnel & User Monitoring, the "SmartEvent Correlation Unit" status may be displayed as "Not running" although the CPSEMD process is running.

In the "HTTPS Inspection Statistics" in SmartView, filtering by the "bypass_reason" field returns no results.

In some scenarios, incorrect values are shown in the "Total Bytes" field in the logs. Refer to sk184237.

In the Connection logs, the Source Country and Destination Country fields may contain missing or incorrect values.

In some scenarios, non-ASCII characters may appear garbled in SmartEvent Automatic Reaction emails.

Changing instances on Virtual Systems may not trigger synchronization flows in some relevant directories and in the High Availability module.

In rare scenarios, after an upgrade, the Security Gateway may crash because of a missing route.

In a rare scenario, an incorrect zone assignment occurs when NAT Rule Base returns HOLD. Refer to sk184530.

In rare scenarios, the FWK process may unexpectedly exit when the Anti-Bot Software Blade inspects a specific malformed domain.

Running the "g_tcpdump mcap" with "-C" flag fails with the file matching or captured packets merging error.

During a ClusterXL High Availability failover, the FWK process may unexpectedly exit when processing Web Security traffic.

In some scenarios, SNMPv3 monitoring fails on Data Plane when MDPS is enabled. Refer to sk184379.

Enabling ForceAuth for Remote Access VPN fails because of a typo in the saml_force_authn_override.sh script (sk182042).

In scenarios where a network connection is closed before the Anti-Virus ThreatCloud emulation or scanning response is received, the affected session may experience connectivity instability.

In some scenarios, non-accelerated traffic from a Standby VSX Cluster member may not be routed to the correct virtual instance on the current Active member when SecureXL User Mode (UPPAK) is enabled.

In some scenarios, when processing HTTPS traffic in the accelerated pipelined path, the FWK process may unexpectedly exit.

In Smart-1 Cloud environments, the "Threat Prevention" view may display 0 in the "Logs" column under the "Top Protections" widget. Refer to sk184505.

In a rare scenario, the Threat Prevention rule base may fail to match traffic to any rule.

When the Packet Tagging feature is enabled on the Full Identity Agent, new user and machine identity sessions reported to the Identity Awareness Gateway may not be assigned the correct Access Roles. As a result, traffic from these sessions may not match Access Control Policy rules that use access roles with Packet Tagging enabled.

In a rare scenario, when the fetch_by_SID feature is enabled, the PDPD process repeatedly exits. Refer to sk182745.

In some scenarios, a memory leak may occur in the DLPU process. The /var/log directory on the Active Cluster member reaches critical disk usage levels.

In a rare scenario, when using Dynamic URL List, updating the version file may result in a FWK process restart.

In some scenarios, changes to the kernel parameter "dlpk_drv_default_queue_sz" may not take effect.

In some scenarios, the Security Gateway may drop DNS traffic with non-malicious Domains.

After an upgrade, the Mobile Access Software Blade's CVPND daemon fails to load and the Mobile Access Portal becomes inaccessible when adding new Virtual Systems or converting to a VSX Gateway, due to improper updates to the gateway-side configuration file cvpnd.C. Refer to sk183293.

Connections with fragmented packets drop on Scalable Platform/Maestro when there are multiple active Security Group Members (SGMs) on the site. Refer to sk182559.

After creating a High Availability ClusterXL and syncing to Smart-1 Cloud, running the "get interfaces with topology" in Smart-1 Cloud may cause the Sync interface to be removed from the Cluster object.

In rare scenarios, CPHASTART, CPHACONF, and CPHAMCSET processes may intermittently unexpectedly exit.

IPv4 addresses in the SYN Defender Allow List in SmartConsole may be loaded with the address octets reversed.

Changes to the SYN Defender Allow List made in SmartConsole may not override or replace local modifications made directly on the Security Gateway.

When using DoS Deny List and running "cpstop", an error message may be displayed, and a memory leak may occur.

A failed Access Control policy installation may block future installs until the Security Gateway is rebooted, even after the original issue is resolved.

In some scenarios, when installing a policy fails, the Sand Blast Security Gateway becomes unresponsive and reboots automatically. The "Installation failed. Reason: Due to a timeout value of 600000 (millisecond) (port) (IP), Security Management Server aborted the connection with the peer" error is displayed in SmartConsole.

In some scenarios, the USIM_X86 process may become unresponsive.

The USIM process may exit with core dumps when debug information is collected.

When the Security Gateway is working with SecureXL in User Mode (UPPAK) mode, in some scenarios, the USIM process may exit and not restart, although it should.

When configuring PIM in Sparse Mode across multiple Virtual Systems on a VSX Security Gateway, the Security Gateway may crash, resulting in loss of connectivity.

When SecureXL User Mode (UPPAK) mode may be disabled if some scripts are incorrectly edited.

When SecureXL works in User Mode (UPPAK) on Security Gateways with CPAC-4-10F-C interface modules, invalid Ethernet frames permanently shut down the port's transmit queue, causing complete connectivity loss.

A ROUTED daemon may exit with a dump file during an OSPF route lookup on a route being redistributed between BGP and OSPF.

A VSX Security Gateway may drop traffic with IPv4 options or IPv6 extension headers arriving from a Virtual Switch (VSW) interface.

When MDPS routing separation is enabled, Link Layer Discovery Protocol (LLDP) fails to be enabled from Gaia Portal.

LLDP data formatting issues when querying using SNMP. Refer to sk183733.

On a Scalable Platform Security Group, although an SHA hash type was configured for Gaia OS passwords with the Gaia Global Clish command "set password-controls password-hash-type", the Gaia Global Clish command "set expert-password" saves the password as an MD5 hash in the Gaia OS database. Refer to sk182339.

The SSHD process unexpectedly exits on the Multi-Domain Log Server (MLM) after an SSH session ends. Refer to sk183972.

Upon logging in to the Gaia Portal, the login page accepts the credentials, briefly displays the homepage, and then automatically redirects back to the login screen.

Custom log rotation configured using Gaia OS does not apply to SAML-related log files, so these logs are not rotated automatically. Refer to sk113241.

Cloning groups may fail during configuration updates. Refer to sk184701.

VPN traffic outage may occur in ClusterXL environments with SD-WAN Overlay or Enhanced Link Selection after a Cluster failover. The new Active cluster member fails to properly handle VPN traffic because of synchronization or MAC address handling problems.

SSL Network Extender Portal is accessible even when it is disabled in SmartConsole. Refer to sk184344.

The VPND daemon intermittently exits after a downgrade.

Remote Access Endpoint Security Client may fail to connect.

The VPND and IKED daemons keep restarting after upgrading to R82 in an environment with multiple VTI interfaces. Refer to sk184895.

In some scenarios, over time, prolonged VPN traffic may lead to gradual memory growth.

VPN traffic outage may occur in ClusterXL environments with IKEv2 after a Cluster failover.

After a Cluster failback, RDP (Routed Data Path) or DPD (Dead Peer Detection) probing may not be triggered, which can result in traffic continuing to use outdated Multiple Entry Point (MEP) Gateway selections.

In environments where all Security Gateways are configured with IPv6 addresses only, Site-to-Site VPN connectivity may be disrupted when Enhanced Link Selection is enabled.

The IKED process may exit when the traffic is passing through IKEv2 tunnels.

Enhanced Link Selection configured with Auto Next Hop uses invalid IP addresses, preventing tunnel initiation.

IKE daemons may fail to start on Cluster members without generating dump files.

A malformed or incorrect interface name in the "cphaprob -a if" command on VS0 triggers a fatal error in the cluster process, causing the member to go DOWN and generating a core dump.

After upgrading the firmware, the interface on one of the VSX cluster members may go down.

Deleting a Virtual Switch (VSW) may break connectivity for unrelated Virtual Systems (VSs).

The Netscout feature may not monitor network connectivity to remote known hosts on VSs other than VS0.

When adding or deleting static routes in the huge VSX environment (more than 50 Virtual Systems and hundreds of static routes), VS creation fails with "Unable to watch directory /etc/routed-mc-enable: init: Too many open files". Refer to sk181317.

In VSNext ElasticXL and VSNext Maestro, running the "cpconfig" command from Clish/gClish within a Virtual System context may trigger execution in the Global context.

When capturing packets on a warp interface in a Virtual System (VS) of a VSX Security Gateway with SecureXL User Mode (UPPAK) enabled, certain reply packets may not be captured, for example, ICMP Echo Replies to traffic directed at the Security Gateway.

When the Same VMAC Mode is enabled on ElasticXL, VS0 may lose connectivity (SSH).

The FWM may unexpectedly exit when attaching a license to a Security Gateway using vSEC license distribution (vsec_lic_cli).

Registration of Data Center assets with a numeric, non-UID unique identifier may fail, potentially causing performance impact on the Security Management Server.

VPN traffic outage may occur in ClusterXL environments after a Cluster failover.

In rare scenarios, SD-WAN objects (such as Peer VPN Domain, My VPN Domain, or SD-WAN Internet) may be incomplete, causing SD-WAN rules to match traffic incorrectly. Refer to sk184814.

Security Gateway may drop legitimate H323 traffic with "Illegal H.225(Q931) No Q.931 User-user IE found". Refer to sk184591.

In a Maestro environment with Multi-Domain Security Management and enabled MDPS, SNMP per member queries do not survive member failover. Additionally, SNMP queries to the SMO may be routed to the dplane instead of the mplane.

A Security Group Member may enter a continuous boot loop after the other members were upgraded. An incorrect image file (with an invalid or mismatched MD5 checksum) is presented on the Single Management Object (SMO). As a result, the problematic member fails to complete the autoclone and repeatedly reboots.

Using a unique IP address with the Same VMAC feature enabled may cause connections to the Standby unique IP address to fail.

In DNS per-Virtual System (per-VS) mode, the DNSMASQ process may allocate ports outside the defined local port pool, potentially resulting in dropped DNS traffic.

When an upgraded site holds the initial connection, subsequent site failovers may cause out-of-state packet drops.

When "g_ClusterXL admin up" is triggered from a non-VS0 member (for example, VS1), the command fails and the upgraded site remains down with a pnote.

After creating a light snapshot locally, the snapshot appears in the output of "show lightshots", but the /mnt/lightshot directory is empty. When attempting to export the snapshot using the "set snapshot-onetime export <Snapshot-Name> target local path <Local-Path>" command, the operation fails with the "General Rsync failure" error.

After creating a bridge interface using Gaia Portal and rebooting, the Security Gateway state is down.

These actions applied through the Web Portal are not applied to all Security Group members, but only to the SMO:

• create/delete/edit scheduled backup

• edit mail-address/notification-level for mailing

• delete backup

In a rare scenario, when a VPN-corrected packet is dropped, the packet truncation warning "14 bytes missing" may be seen in the "tcpdump" output.

OSPF adjacencies repeatedly disconnect in a VSNext Cluster. Refer to sk184396.

On a Maestro dual-site environment, the sgm_pmd core dump file may be generated after the Jumbo Hotfix Accumulator installation. There is no functional impact.

Bond interface deletion or IP address change may cause a site failover.

In ElasticXL setups, it may not be possible to add a second Sync interface to the bonding group.

After joining a VSNext ElasticXL member to a second site via automation, a pnote for the management (magg1) interface appears under vs0 in "cphaprob -a if", instead of under Virtual Switch (vswOID) as expected.

GTP-U intra-tunnel packets may be dropped with "Packet too short" and "Invalid IP packet" errors in Bridge Mode, preventing proper inspection of encapsulated traffic.