Released on 30 May 2022 and declared as Recommended on 13 July 2022
Deleting a Domain may fail when there is an administrator with API key authentication associated with this Domain.
In the Compliance view, after changing "Policy Range" to a value smaller than 100%, best practices results become unavailable. Refer to sk177544.
In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server".
In rare scenarios, the Management Server may fail to start after an upgrade.
In some scenarios, the "show-hosts" Management API command fails with "generic_error" when running it with "details-level full". Refer to sk178249.
In rare scenarios, the Management Server becomes inaccessible if there are more than 5000 objects in the Gateways and Servers view.
When exporting rules with "hit counts" and the timeframe is set to a different value than "all", the "hit counts" are missing from the export file. Refer to sk177265.
In some scenarios, after editing blades in simple-gateway/cluster Ansible modules, the blades are not changed and Ansible shows that no changes occurred.
Install Policy Verification may fail with the "Rule has security zone objects that are not attached to any interface used" error when configuring cluster's interfaces on only one member. Refer to sk177129.
After performing the Solr Cure procedure, objects may appear as duplicated in SmartConsole. Refer to sk178084.
When cloning an IPS profile, the advanced settings of cloud protection are not copied to the new profile.
In rare scenarios, when installing a policy after performing "revert to revision", some changes made to a policy may not be installed on the Security Gateway. Refer to sk176768.
In a rare scenario, the FWM process unexpectedly exits.
In some scenarios, the Management API command "show-packages" with "details-level full" may fail with the "Could not commit JPA transaction" error.
UPDATE: SmartView reports will now show the new Check Point logo.
UPDATE: Mapping of IP addresses to country/flag is now automatically updated every day. The mappings are visible in the Logs and Events views.
In rare scenarios, when QoS blade is enabled, the FWD process may unexpectedly exit. Refer to sk177783.
When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck.
There may be an incorrect error message related to the MakeConnection method.
In a rare scenario, the Security Management Server does not automatically delete older log files. Refer to sk177627.
In some scenarios, logs related to Content Awareness are missing.
Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found" and "fwbintabreplace: table svm_range_gateways_valid not found" from the fwd debug log.
Recurring "Unable to open '/dev/fw0': No such file or directory" may be printed in the fwd.elg file.
On the Domain level, in the Logs view, available services may not appear in the drop-down filter list. Refer to sk178904.
In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application.
Improved samples visibility in SmartView Widgets.
Logs may be missing from SmartConsole after upgrading the Log Server if a VS object is configured without an IP.
UPDATE: Added a new global parameter: "fw_daf_module_mac_mode". It allows mirroring traffic to a Linux-based device. It is set to "0" by default. Refer to sk178127.
UPDATE: In CPView overview, the "FW" field will now show physical memory used instead of virtual memory. The change is only cosmetic.
UPDATE: Added Connection and Packet Distribution statistics to CPView.
UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53.
UPDATE: Added two minutes grace period before dropping the non-TCP server-to-client packets upon policy installation and rematch flow. Refer to sk173287.
UPDATE: Following sk110157, adding a shadow SAM V1 rule is now possible only if the new rule and the existing rule have different timeouts. If a shadow rule exists, the new shadow rule will override the existing shadow rule.
Improved Security Gateway internal memory allocation logic.
In a rare scenario, DNS connection may be dropped with "up_manager_cmi_handler_match_cb: connection not found".
In rare scenarios, connectivity issues to specific websites may occur during web traffic inspection.
In rare scenarios, if temporary files were not deleted successfully, downloading certain file types may fail with an error.
The control connection may not be refreshed together with the data connection if the data connection is accelerated. Refer to sk168952.
Policy installation may fail when the Security Gateway runs out of memory.
Uninstalling Jumbo Hotfix may cause interfaces to disappear.
The dynamic NAT allocation port warning is continuously printed in /var/log/messages. Refer to sk177228.
In some scenarios, Security Gateway drops GRE traffic. Kernel debug shows "simi_reorder_enqueue_packet: reached the limit of maximum enqueued packets for conn".
Bond slaves may be visible in the wrong plane.
IPS and other Threat Prevention logs may not contain packet capture, and dmesg may be flooded with related errors.
The PDP process may unexpectedly exit with a core dump file.
On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member.
The PEP process may unexpectedly exit.
There may be connectivity issues and high CPU spikes on the PDPD, VPND processes, and on the Gateway when installing policy. Refer to sk174144.
In a rare scenario, when URL Filtering blade is active, in Website categorization background mode, the FWK process crashes and creates a core dump.
After installing a Threat Prevention policy with many rules and/or exceptions, on multiple Gateways together, Gateways may consume more CPU during rule-match of new connections.
In a rare scenario, when the Security Gateway is configured as a proxy, downloading files may fail.
When Anti-Virus and/or gzip inspection are enabled on the Gateway, during CloudFlare inspection of specific websites, the Security Gateway may drop the traffic.
When HTTPS Inspection is enabled and traffic is inspected, detect logs for HTTPS traffic may show the "Invalid CRL Retrieved" and "No Valid CRL" error messages. Refer to sk172345.
A memory leak related to TLS probe may occur in the WSTLSD process.
In a rare scenario, some options in a web application may be missing in Mobile Access Portal.
A single cluster member with Dynamic Routing configuration may stay permanently in DOWN state producing ROUTED pnote during a boot.
A cluster failover may take longer than it should.
Multicast packets may be dropped after policy installation.
The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW).
In some scenarios, fragmented Cluster LS packets are dropped by SecureXL.
In some scenarios related to sending multicast packets, ICMP errors may be shown.
Connectivity issues may occur after configuration of route-based VPN (VTI interface). Refer to sk176368.
IKEv2 Improvements for DAIP Gateway behind Hide NAT.
IKEv2 ID configuration may not be applied when an IPv6 address is written as a certificate's alternative name.
Remote Access users are unable to connect when authenticating using a certificate issued by a subordinate CA.
Improvements for DAIP Gateway behind Hide NAT.
A memory leak may occur in the VPND process when using Remote Access Back Connection.
The VPND process may unexpectedly exit causing VPN connections to restart.
In rare scenarios, Remote Access users cannot connect to the Gateway because of certificate authentication failure.
In some scenarios, L2TP users cannot connect to the Gateway in a cluster environment.
In some scenarios, the RIM script is not activated in DPD Tunnel monitoring.
A memory leak may occur in the VPND process when using Remote Access Secondary Connect.
A memory leak may occur in the VPND process when using Remote Access with Multiple Entry Points configured.
In some scenarios, NAT-T tunnel establishment may fail.
After initiating a tunnel between a regular Gateway and a DAIP Gateway, running the "vpn tu tlist" command on the peer may show the peer IP instead of the DAIP IP.
Improved VPN interoperability.
During policy installation when using DAIP behind hide NAT, CPU usage for the VPND process may be high.
A memory leak may occur in the VPND process.
In some scenarios, it is not possible to connect with Remote Access using DHCP for Office Mode. Refer to sk178767.
UPDATE: The "vsx_util reconfigure" operation is not supported on a VSX cluster member or VSX Gateway which has no virtual systems configured. The operation will now alert about the absence of virtual systems.
The "vsx_util reconfigure" command may fail without printing the cause of the error.
When creating a static route on a virtual system, some network objects may be created with the same name inside the network group which causes failure in writing the object to the database.
VSX Cluster Internal Communication Network IP address is shown in ifconfig after changing the name or VLAN of a VR physical interface.
There may be a mismatch of policy name on virtual switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic.
In some scenarios, the "vsx_util reconfigure" command cannot fetch the policy installed previously.
In some scenarios, the VSX Security Gateway may not decrease the packet's TTL.
In some scenarios, the VSX Gateway may incorrectly handle broadcast packets received from a Virtual Switch.
The "snmpwalk" command may time out after reaching SNMPv2-SMI::mib-188.8.131.52.0.
NEW: Gaia API (version 1.6 with python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612.
UPDATE: Changed the Syslog message severity from "error" to "info" and removed the exclamation mark in a specific message which is displayed during the normal backup operation flow.
In a rare scenario, while idle, the Security Gateway may crash producing a vmcore file.
Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253.
In some scenarios, logs related to Harmony Endpoint may be missing.
When static NAT is configured, VoIP calls may not work.
Public Cloud CA Bundle
Added Take 18 of Public Cloud CA Bundle. Refer to sk172188.
Added Take 14 of Public Cloud CA Bundle. Refer to sk172188.
Added update 4 of Quantum Smart-1 Cloud. Refer to sk166056.
In Amazon Web Services (AWS), some Gateways may frequently crash with vmcores.
When there are virtual systems with the same name prefix, the CloudGuard Controller fails to update the VS with Data Center Objects.
In some scenarios, incorrect data center updates are pushed to the Gateway.
In some scenarios, mapping of AWS Data Centers may take a long time to complete.
In some scenarios, Data Center objects are not enforced on an AWS GEO cluster (Active/Active) Gateway. Refer to sk175904.
Added Take 21 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.
Added Update 8 of HealthCheck Point (HCP) Release. Refer to sk171436.
Added Update 7 of HealthCheck Point (HCP) Release. Refer to sk171436.