R82 Jumbo Hotfix Take 25

NEW: SD-WAN functionality now supports AWS Cross Availability Zone and traffic steering with configurable multi-target probing.

UPDATE: Added the "Type" and "Resource" columns to the HTTPS Inspection Logs table under Logs & Events.

UPDATE: Added support for using Network Groups in the "Install On" column of the NAT Policy.

UPDATE: Added a count of Session and Connection logs to the "cpstat" command output.

UPDATE: Support TLS 1.3 for the RAD process requests. To activate it, change the TLS version to "TLSv1_3". Refer to sk178505.

UPDATE: Added a kernel parameter "domo_reverse_lookup_disabled" to disable reverse DNS lookups to avoid rare incorrect matches in scenarios involving non-Fully Qualified Domain Name (non-FQDN) Domains.

• "domo_reverse_lookup_disabled 1" to disable reverse DNS lookups.

• "domo_reverse_lookup_disabled 0" to enable reverse DNS lookups (the default value).

UPDATE: HTTPS Inspection statistics are now available through SNMP requests.

UPDATE: Added support for the Mobile Access Portal "WebSocket" applications to work in environments with asymmetric network bandwidth (the download speed is faster than the upload speed) between external and internal networks. Refer to sk95311.

UPDATE: Added selection of specific Security Gateways to onboard to the Infinity Portal, and the ability to disable the feature completely. Refer to sk180557.

UPDATE: In the Clish API, added the comprehensive VSNext task monitoring capabilities, previously available only in the WebUI.

UPDATE: Rather than using the management switch, it is now possible to choose a different management interface for each virtual system (VS).

UPDATE: Traffic between an external network host and an internal network host is now accelerated when a static NAT is configured to translate a cluster member's IP address or specific high port to an internal host IP address or specific service port. This scenario is relevant in Check Point CloudGuard Network Security Azure High Availability deployments, where traffic passes through a Load Balancer.

• To enable acceleration, add this kernel parameter to the $FWDIR/boot/modules/fwkern.conf file - "accel_dnat_to_cluster=1".

• The change can also be applied immediately to the running FW1 process without requiring a reboot: "fw ctl set int accel_dnat_to_cluster 1".

In SmartConsole, in the Gateways & Servers view, under Device & License Information of a Security Gateway or Cluster object, or in CPView and SNMP traps, the value of "new connection rate" for OID .1.3.6.1.4.1.2620.1.1.26.11.6.0 is incorrect.

In rare scenarios, a core file of the CPRLIC process is generated.

Login using a TACACS Server created with the "add tacacs-server" Management API command, fails with "authentication to server failed".

Creating a Threat Prevention Exception from a log fails with the "Failed to add exception" error when the "File Name" field in the log contains a Windows directory separator ("\").

In some scenarios, Web SmartConsole session gets disconnected after several minutes.

In rare scenarios, when more than one Security Blade is enabled on the Security Gateway, Presets for policy installation may fail after purging all revisions.

When using SmartWorkflow on a Security Management Server with more than 200 administrators, requests may stall or cause SmartConsole crashes during submission.

Access Control Policy installation may take a long time when updatable objects are used in the policy.

In rare scenarios, login to SmartConsole using LDAP, TACACS or RADIUS authentication fails with a timeout.

Global Policy Reassignment fails with the "org.postgresql.util.PSQLException: ERROR: more than one row returned by a subquery used as an expression" error printed in the cpm.elg file.

In rare scenarios, policy installation fails with "Policy installation had failed due to an internal error".

When modifying the URL definition type in an Application Site object using the "set application-site" Management API command with the "urls-defined-as-regular-expression" parameter, the type of pre-existing URLs remains unchanged.

In some scenarios, policy state directories are synchronized between Active and Standby Security Management Servers, leading to high disk space usage.

Duplicated licenses on the Security Management Server may impact the vsec_lic_cli utility.

When enabling the Threat Emulation Blade on a Maestro Security Gateway Object in SmartConsole, a "Failed to check compatibility on gateway" message may be printed. Refer to sk183053.

In rare scenarios, Global Policy Assignment fails with an "IPS update is currently running in local domain" message, although IPS update is not running in that Domain.

In some scenarios, the Security Management Server with a proxy configured is unable to connect to Infinity Portal after changing the proxy settings.

Packet mode search or search within Object Explorer for IP address ranges may not work correctly on the Standby Security Management Server.

In some scenarios, Virtual Security Gateways lose their licenses. This causes Site to Site VPN and Remote Access VPN services to go down, while general internet access remains functional. SmartUpdate may not load.

In a Multi-Domain Security Management environment, an audit log is not created after changing the "Parent rule for Domain's policy" Domain layer.

In rare scenarios, the "mdsstat" command shows that the CPD process is down even though it is up and running.

In some scenarios, in the Multi-Domain Security Management Server, certain previously utilized global objects may remain hidden from both the SmartConsole's Object Explorer View and the "show unused-objects" Management API command.

In some scenarios, the "SIC Error for EntitlementManager: Peer sent wrong DN" error is printed in cpd.elg on a VSX Gateway.

In rare scenarios, the "Blades" widget in the Compliance Blade Overview page is blank.

In the cloud environments (Smart-1 Cloud and EPMaaS), logs query may fail because of the AWS certificate change.

When disconnecting the Security Management Server from the Infinity Portal and connecting to a different region, log sharing from Log Servers does not work until the Log Server restarts.

When a NAT-T tunnel is set up between VPN peers, packets having UDP encapsulation added to the headers are not transmitted out of the PPPoE interface as they should be. VPN connection appears to be established but does not actually pass traffic.

The DHCPv6 relay drops reply messages from the DHCPv6 server rather than forwarding them to the clients.

The FWK process exits with core dumps and error messages in $FWDIR/log/fwk.elg:"malware_res_rep_match_dns_response: check_dns_response_activate() failed".

The CPD or FWK process may unexpectedly restart when handling the interface statistics.

In rare scenarios, HTTPS inspection may block the downloading and uploading of PDF files to and from the Web Server.

In a specific scenario, file downloads intermittently stop until resumed manually because of HTTP parsing issues and Content Awareness parsing failures.

The DSD process (Dynamic Split Daemon) may exit when the "affinity" command input is large.

In a rare scenario, the FWK process may unexpectedly exit and bring down the Security Gateway.

In a rare scenario, an outage may occur in an Azure environment after one cluster member crashes and recovers.

In certain scenarios, the $SAMLPORTAL_HOME/logs/error_log file may continuously grow, potentially consuming a significant amount of disk space.

In rare scenarios, Security Gateway may crash when running the "ethtool -x" or the "ethtool -X" command for an interface that uses the AWS ENA network driver.

After enabling Security Zones in NAT Rule Base, wrong IP address is shown in logs and NAT is performed incorrectly. Refer to sk183088.

In a rare scenario, the FWK process may exit because of memory corruption.

In a rare scenario, Security Gateway may crash with vmcore when working in Kernel Mode Firewall (KMFW).

A stability issue where the ICAP Server may unexpectedly restart when processing traffic from a Security Gateway with Threat Emulation enabled.

In a rare scenario, VoIP Traffic fails after the initial call when SecureXL operates in User Mode (UPPAK). Refer to sk183218.

Incorrect memory handling may cause the FWK process to unexpectedly exit.

In some scenarios, a VPN outage may occur after an ICA renewal.

In rare scenarios, the Threat Emulation Blade may fail to correctly classify the file type.

A memory leak can occur in the Threat Extraction file inspection process for HTTP/S protocols. When memory consumption reaches the maximum allowed allocation, it causes the process to crash and automatically restart.

In a rare scenario, the PDPD process may unexpectedly exit during a cluster failover.

Web protections may not properly block HTTP requests without a Host header.

Some custom applications in the HTTPS Inspection policy are not matched if they are part of a Group object. Refer to sk183176.

In some scenarios, when URL Filtering Blade analyzes web requests, the RAD error may appear in /var/log/messages: "rad_kernel_urlf_request_serialize: string len =XXXX bigger than max 4096".

The FWK process may unexpectedly exit during HTTPS inspection flow which requires the RAD service categorization.

When Anti-Virus is enabled, files are not downloaded with the "Failed writing the file" error printed in logs, and the block page is not displayed.

In some scenarios, the Anti-Bot Blade fails to parse external IoC feeds with IP address observables.

In some scenarios, a SmartConsole log with the Anti-Bot Blade entries may appear when the Anti-Bot Blade is disabled in the profile.

When a TLS connection is rejected because of no shared key exchange between the client and the Security Gateway, no log is generated to inform the administrator.

The HTTPD process periodically exits when accessing the Mobile Access Blade Citrix application because of the memory leak in the Citrix proxy implementation.

In ClusterXL High Availability setup, a crash may occur on both the primary and secondary members, causing network outages.

The FWK process may exit after enabling or disabling the "Same VMAC" feature. Refer to sk165674.

ClusterXL drops traffic that is sent to its IPv6 Virtual IP Address that is configured with the Unicast Link-Local scope (/64). Refer to sk183104.

High volumes of RST packets may cause CPU spikes, resulting in incoming network packet drops on SND instances.

In a rare scenario, the Security Gateway may become unresponsive during extended high memory utilization.

The Hardware Acceleration offloaded connection may break when the route is updated, affecting the offload flow and slowing down operations.

When SecureXL works in User Mode (UPPAK), in a VSX environment with many virtual systems, the WebUI may not be accessible when it reaches its internal connection limit.

A warning message "adp_rt4_delete: rt entry .... does not exist for slot 1" may be printed in the /var/log/dmesg file while VPN connection remains active.

The Security Gateway with SecureXL in User Mode (UPPAK) may crash under load during bond interface state flapping.

Memory allocation issue when handling Jumbo Frames.

SecureXL in User Mode (UPPAK) may restart when adding or removing VLAN interfaces and the Security Gateway is under high load.

In rare cases, when an internal BGP (iBGP) peer disconnects during a graceful restart, BGP may fail to advertise all routes. However, the missing routes still appear under "adj-rib-out" with a next hop of "0.0.0.0."

When obtaining a new IP address using the "dhclient -r" command turning off and on the interface configured as Dynamic Address IP (DAIP), the interface loses its IP address and fails to acquire a new one from the DHCP Server.

The ROUTED daemon may exit with a core dump file during IBGP synchronization.

When a network connection is established simultaneously in both directions (server-to-client and client-to-server), the Security Gateway experiences connectivity issues because of incorrect packet dispatching, leading to dropped packets. Refer to sk183072.

After an upgrade, Site to Site VPN tunnels (IKEv2) fail to establish. Logs show the "Auth exchange: Sending notification to peer: Invalid syntax" and "INVALID_KE_PAYLOAD" errors for IKE traffic.

In VSNext environments, CPView VSX Data shows only VS0.

Virtual Switches with names larger than 128 characters cannot be deleted, the "Virtual System with ID2 does not exist" error is displayed.

Occasional failures during simultaneous creation of multiple Virtual Systems (VS's), where identical IDs are assigned to more than one VS.

VSNext Virtual Gateway drops traffic when it is connected to a Virtual Switch. This issue affects systems running NGTP software blades. Refer to sk183460.

A memory leak may occur in a VSX environment, related to the transmitting packets module.

In a VSX environment, the Security Gateway may crash when removing an interface from topology.

Output of the "dynamic_split -p" command shows "Dynamic Split is currently off (Stopped due to State Verification failure)" on a VSX Gateway. Refer to sk181231.

When attempting to create cloning groups on an R82 Security Gateway, the "Error - Home directory for 'cadmin' cannot be in /home/cadmin directory" error is printed. Refer to sk182989.

In a Maestro environment, an error message about short string length may be incorrectly displayed when setting an expert password string that includes the colon ":" character on the Security Gateway.

High volumes of VoIP/ SIP traffic may trigger a Security Gateway crash.

Dynamic IP address changes for DAIP Gateway objects are not propagated to all Security Gateways in the SD-WAN VPN community, causing VPN connectivity failures.

On ElasticXL platform, there may be unnecessary or unsuccessful attempts to update the distribution of traffic among the cluster members.

In the VSNext mode (on ElasticXL and Maestro Security Groups), the Gaia gClish / Gaia Clish command "show interface" in the context of Virtual Switches fails with "CLINFR0699 Invalid command".

Changing the bond mode on Scalable Platform Security Group members may cause a MAC address mismatch on the bond interface because of the bond slaves reordering that does not match the database. Refer to sk182488.

The "fw fetch local" command fails on a Virtual System without SIC established because the SIC name is missing.

IP broadcast helper cannot forward the packets if the IP address of the "relay to" is not directly connected to the Security Gateway.

In some scenarios, the perfanalyze scripts output shows duplicates in cores data, this can cause the CPD process to crash.

When the Maestro Fastforward feature is enabled, rebooting a member may cause the member to be down because of the policy installation failure and the "Site HA module not started" error may be displayed.

Configured proxy ARP may not work as expected, when the "Same VMAC" feature is enabled.

A reboot loop with a generated configuration pnote may be triggered when Security Group hostname contains strings with "mq" or "otlp".