R82 Jumbo Hotfix Take 60

UPDATE: Enhanced packet search in SmartConsole with three IP address modes:

• "Exact": Returns rules where the IP address/network in the rule is exactly the same as the IP address/network in the search.

• "Containing": Returns rules where the IP address/network you searched for contains the IP address/network of the rule.

• "Contained in": Returns rules where the IP address/network you searched for is contained within the IP address/network of the rule.

UPDATE: Added a new kernel parameter "up_rulebase_run_implied_rules" (enabled by default - "1"). Setting to "0" disables execution of implied rules in the Access Control Rule Base.

UPDATE: Deleting Virtual System 0 (VS0) from the WebUI causes loss of connection with the cluster. Virtual Systems 0 and 500 are now blocked from deletion in the WebUI to prevent this issue.

UPDATE: New features and improvements are released in Take 155 and Take 156 via self-updatable package. Refer to sk170314.

UPDATE: Added Take 52 and Take 53 of CPquid (QUID) Release Updates. Refer to sk181458.

UPDATE: Added Update 27 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.

Regenerating a token on a Security Gateway Smart-1 Cloud may fail with an unclear validation message "No error in result from fwm command: [gen-pki-cert-req]".

When the Dynamic URL List feature is enabled, Security Gateway may crash during policy installation.

See the Critical Information section.

In a rare scenario, the FWM process exits during a vsx_util upgrade.

Scheduled automatic purge revisions may result in duplicate purge revisions tasks after restart of a Multi-Domain Security Management Server.

The RAD daemon may unexpectedly exit.

Threat Emulation on ICAP Server fails with "There was an Unexpected Internal error, Please try again later". Refer to sk184228.

In some scenarios, when HyperFlow is enabled, websites that use HTTP2 protocol do not load properly.

In deployments with a large number of Security Gateways, memory usage may reach 98% and Security Gateways may become unresponsive.

In a rare scenario, SmartConsole does not display a notification when the IP reputation feed for the Anti-Bot Software Blade fails to load.

In a rare scenario, the PDPD daemon may unexpectedly exit while updating identity session timers.

In the Application Layer, an "any-any" rule (from any source to any destination, using any service) with long-lived connections may cause excessive memory usage. Refer to sk184196.

In some traffic flows, packets containing certain headers may be dropped regardless of how the non-compliant HTTP Inspection is configured.

When using DoS Deny List, CPU usage may increase.

When using DoS Deny List, a firewall kernel module memory leak may occur.

Significant latency on a VSX Security Gateway when transmitting non-accelerated or accelerated traffic with Active or Passive Streaming, through multiple Virtual Systems connected by Virtual Switches when SecureXL User Mode is enabled.

In some scenarios, the Security Gateway delays offloading a connection to the Quantum LightSpeed hardware accelerated card when SecureXL User Mode (UPPAK) is enabled.

In some scenarios, after an update of the OS route configuration, there may be a significant delay in traffic passing through the Security Gateway when SecureXL works in the User Mode (UPPAK). Refer to sk182740.

VPN cluster members may crash after a cluster failover with BGP enabled and the exit of the USIM process.

When taking snapshots of the Security Group Members, some of the Members may crash, the dmesg_dumps shows multiple messages occurred before the crash "the active connections feature is currently enabled in the SmartView Tracker and due to high load it is making sync too slow to function properly. Therefore, 319489 active connection updates were dropped and no sync updates were lost".

An unprintable character symbol may appear next to the username in the "Log In" logs when connecting with the configured "Fetch Username from Subject DN.CN" parsing.

When installing a new policy on Virtual Systems, the installation succeeds, although the error "VSX INSTALL ERROR: Failed to extract FW1 policy details! Skipping state directory overwrite" is displayed.

In rare scenarios, policy installation may fail after an upgrade in VSX environments.

When deploying a Check Point ElasticXL Cluster in VSNext mode, Virtual System Load Sharing may assign the same MAC address to multiple Virtual System WRP interfaces, causing network connectivity issues or MAC address conflicts.

Modifying the number of CoreXL Firewall instances on a Virtual System (VS) or VSX Gateway may result in Security Policy installation issues or loss of policy configuration.

In rare scenarios, policy installation causes traffic matched by the "prefer local breakout" rule to be incorrectly routed through the underlay private link instead of the overlay.

When running the "fw ctl iflist" command, there is a discrepancy between the expected network interfaces and what the kernel actually detects. This may lead to connectivity issues.

When multiple subordinate interfaces in the Sync bond are not dedicated Sync interfaces, MAC address duplicates may occur, causing communication failures between cluster members.

After enabling Maestro Fastforward on a Security Group, traffic matching relevant rules is routed to the default Security Gateway instead of the correct nexthop because the static route is missing from /etc/mlx_routing.json on the Maestro Orchestrator. The Orchestrator shows 200 routes and fails to pick up the interface's routes, despite the interface topology is configured as "according to routes" in SmartConsole.

Scalable Platforms in the VSNext mode do not support Cluster Load Sharing (two or more Security Group Members on the same Site).

When running the "show asset all" command on setups with ElasticXL enabled, Disk Model, Serial, and Capacity outputs are not displayed.

The gClish command "set cluster configuration image auto-clone state" may not be propagated to Security Group Members.