Take 161
Released on 30 May 2022 and declared as Recommended on 13 July 2022
PRJ-34227,
PRHF-21357
Security Management
Deleting a Domain may fail when there is an administrator with API key authentication associated with this Domain.
PRJ-35949,
PRHF-21894
Security Management
In the Compliance view, after changing "Policy Range" to a value smaller than 100%, best practice results become unavailable. Refer to sk177544.
PRJ-34177,
PRHF-20991
Security Management
In rare scenarios, Install Policy Presets may fail with "Failed to run Install Policy on the active Domain Server".
PRJ-35338,
PRHF-21851
Security Management
In rare scenarios, the Management Server may fail to start after an upgrade.
PRJ-37494,
PRHF-22409
Security Management
In some scenarios, the "show-hosts" Management API command fails with "generic_error" when running it with "details-level full". Refer to sk178249.
PRJ-34181,
PRHF-21215
Security Management
In rare scenarios, the Management Server becomes inaccessible if there are more than 5000 objects in the Gateways and Servers view.
PRJ-35224,
PRHF-21778
Security Management
When exporting rules with "hit counts" and the timeframe is set to a different value than "all", the "hit counts" are missing from the export file. Refer to sk177265.
PRJ-37577,
PMTR-80846
Security Management
In some scenarios, after editing blades in simple-gateway/cluster Ansible modules, the blades are not changed and Ansible shows that no changes occurred.
PRJ-35016,
PRHF-21705
Security Management
Install Policy Verification may fail with the "Rule has security zone objects that are not attached to any interface used" error when configuring cluster's interfaces on only one member. Refer to sk177129.
PRJ-37395,
PRHF-22603
Security Management
After performing the Solr Cure procedure, objects may appear as duplicated in SmartConsole. Refer to sk178084.
PRJ-35297,
PMTR-75023
Security Management
When cloning an IPS profile, the advanced settings of cloud protection are not copied to the new profile.
PRJ-32816,
PRHF-20492
Security Management
In rare scenarios, when installing a policy after performing "revert to revision", some changes made to a policy may not be installed on the Security Gateway. Refer to sk176768.
PRJ-32745,
PRHF-20512
Security Management
In a rare scenario, the FWM process unexpectedly exits.
PRJ-39176,
PRHF-23750
Security Management
In some scenarios, the Management API command "show-packages" with "details-level full" may fail with the "Could not commit JPA transaction" error.
PRJ-36621,
PMTR-79023
Logging
UPDATE: SmartView reports will now show the new Check Point logo.
PRJ-36197
Logging
UPDATE: Mapping of IP addresses to country/flag is now automatically updated every day. They are visible in the Logs and Events views.
PRJ-30549,
PRHF-19084
Logging
In rare scenarios, when QoS blade is enabled, the FWD process may unexpectedly exit. Refer to sk177783.
PRJ-32372,
PRHF-18699
Logging
When running CPinfo in a large scale environment, the SmartEventCollectLogs process may get stuck.
PRJ-34249,
PRHF-21188
Logging
There may be an incorrect error message related to the MakeConnection method.
PRJ-35200,
PRHF-20349
Logging
In a rare scenario, the Security Management Server does not automatically delete older log files. Refer to sk177627.
PRJ-34805,
PRHF-21554
Logging
In some scenarios, logs related to Content Awareness are missing.
PRJ-29173,
PRHF-18866
Logging
Removed unnecessary debug messages: "fwbintabreplace: table svm_range_gateways not found" and "fwbintabreplace: table svm_range_gateways_valid not found" from the fwd debug log.
PRJ-30144,
PMTR-60786
Logging
Recurring "Unable to open '/dev/fw0': No such file or directory" may be printed in the fwd.elg file.
PRJ-34141,
PRHF-21218
Logging
On the Domain level, in the Logs view, available services may not appear in the drop-down filter list. Refer to sk178904.
PRJ-32579,
PRHF-20447
Logging
In some scenarios, it is not possible to add the "Policy Rule UID" column to the Logs view in the SmartView Web Application.
PRJ-33516,
PMTR-71704
Logging
Improved samples visibility in SmartView Widgets.
PRJ-37896,
PRHF-22858
Logging
Logs may be missing from SmartConsole after upgrading the Log Server if a VS object is configured without an IP.
PRJ-35097,
PMTR-76491
Security Gateway
UPDATE: Added a new global parameter: "fw_daf_module_mac_mode". It allows mirroring traffic to a Linux-based device. It is set to "0" by default. Refer to sk178127.
PRJ-19035,
PMTR-61532
Security Gateway
UPDATE: In CPView overview, the "FW" field will now show physical memory used instead of virtual memory. The change is only cosmetic.
PRJ-31665,
PMTR-68092
Security Gateway
UPDATE: Added Connection and Packet Distribution statistics to CPView.
PRJ-38235,
PMTR-81910
Security Gateway
UPDATE: Apache HTTPD version was updated from 2.4.51 to 2.4.53.
PRJ-29962,
UP-452
Security Gateway
UPDATE: Added a two-minute grace period before dropping the non-TCP server-to-client packets upon policy installation and rematch flow. Refer to sk173287.
PRJ-31494,
PRHF-7049
Security Gateway
UPDATE: Following sk110157, adding a shadow SAM V1 rule is now possible only if the new rule and the existing rule have different timeouts. If a shadow rule exists, the new shadow rule will override the existing shadow rule.
PRJ-37528,
PRHF-22491
Security Gateway
Improved Security Gateway internal memory allocation logic.
PRJ-36047,
PMTR-78861
Security Gateway
In a rare scenario, DNS connection may be dropped with "up_manager_cmi_handler_match_cb: connection not found".
PRJ-26984,
PRHF-17754
Security Gateway
In rare scenarios, connectivity issues to specific websites may occur during web traffic inspection.
PRJ-34726,
PRHF-21103
Security Gateway
In rare scenarios, if temporary files were not deleted successfully, downloading certain file types may fail with an error.
PRJ-33273,
PMTR-26836
Security Gateway
The control connection may not be refreshed together with the data connection if the data connection is accelerated. Refer to sk168952.
PRJ-23479,
PRHF-16013
Security Gateway
Policy installation may fail when the Security Gateway runs out of memory.
PRJ-37356,
PRJ-35902
Security Gateway
Uninstalling Jumbo Hotfix may cause interfaces to disappear.
PRJ-35006,
PRHF-21742
Security Gateway
The dynamic NAT allocation port warning is continuously printed in /var/log/messages. Refer to sk177228.
PRJ-34787,
PMTR-65164
Security Gateway
In some scenarios, Security Gateway drops GRE traffic. Kernel debug shows "simi_reorder_enqueue_packet: reached the limit of maximum enqueued packets for conn".
PRJ-34015
Security Gateway
Bond slaves may be visible in the wrong plane.
PRJ-34088,
PRJ-34218
Threat Prevention
IPS and other Threat Prevention logs may not contain packet capture, and dmesg may be flooded with related errors.
PRJ-36164,
PRHF-21680
Identity Awareness
The PDP process may unexpectedly exit with a core dump file.
PRJ-35820,
PRHF-21396
Identity Awareness
On Scalable Platforms\Cluster LS, the Identity Database may become corrupted when an identity session is revoked from a non-master member.
PRJ-35851,
PRHF-22037
Identity Awareness
The PEP process may unexpectedly exit.
PRJ-28218,
PRHF-15223
Identity Awareness
There may be connectivity issues and high CPU spikes on the PDPD and VPND processes and on the Gateway when installing policy. Refer to sk174144.
PRJ-34514,
PRHF-20998
URL Filtering
In a rare scenario, when URL Filtering blade is active, in Website categorization background mode, the FWK process crashes and creates a core dump.
PRJ-32742,
PMTR-70772
IPS
After installing a Threat Prevention policy with many rules and/or exceptions, on multiple Gateways together, Gateways may consume more CPU during rule-match of new connections.
PRJ-37543,
PRHF-22301
IPS
In a rare scenario, when the Security Gateway is configured as a proxy, downloading files may fail.
PRJ-32609,
PRHF-20132
IPS
When Anti-Virus and/or gzip inspection are enabled on the Gateway, during CloudFlare inspection of specific websites, the Security Gateway may drop the traffic.
PRJ-30124,
PMTR-66344
SSL Inspection
When HTTPS Inspection is enabled and traffic is inspected, detect logs for HTTPS traffic may show the "Invalid CRL Retrieved" and "No Valid CRL" error messages. Refer to sk172345.
PRJ-36298,
PMTR-76171
SSL Inspection
A memory leak related to TLS probe may occur in the WSTLSD process.
PRJ-32908,
PRHF-1527
Mobile Access
In a rare scenario, some options in a web application may be missing in Mobile Access Portal.
PRJ-35167,
PMTR-77780
ClusterXL
A single cluster member with Dynamic Routing configuration may stay permanently in the DOWN state, producing a ROUTED pnote during boot.
PRJ-35980,
PMTR-74818
ClusterXL
A cluster failover may take longer than it should.
PRJ-38369,
PRHF-23291
ClusterXL
Multicast packets may be dropped after policy installation.
PRJ-36470,
PRHF-21775
SecureXL
The VSX Gateway may crash when trying to route traffic from a VS to a Virtual Switch (VSW).
PRJ-33581,
PMTR-75970
SecureXL
In some scenarios, fragmented Cluster LS packets are dropped by SecureXL.
PRJ-34902,
PRJ-36073
SecureXL
In some scenarios related to sending multicast packets, ICMP errors may be shown.
PRJ-30713,
PRHF-18975
Routing
Connectivity issues may occur after configuration of route-based VPN (VTI interface). Refer to sk176368.
PRJ-35400,
PRJ-35403,
PRJ-35345,
VPNS2S-2848,
VPNS2S-2457,
VPNS2S-2770
VPN
IKEv2 Improvements for DAIP Gateway behind Hide NAT.
PRJ-34210,
PMTR-74824
VPN
IKEv2 ID configuration may not be applied when an IPv6 address is written as a certificate's alternative name.
PRJ-34492
VPN
Remote Access users are unable to connect when authenticating using a certificate issued by a subordinate CA.
PRJ-35397,
VPNS2S-2822
VPN
Improvements for DAIP Gateway behind Hide NAT.
PRJ-35534,
PMTR-78432
VPN
A memory leak may occur in the VPND process when using Remote Access Back Connection.
PRJ-37462,
PRHF-21891
VPN
The VPND process may unexpectedly exit causing VPN connections to restart.
PRJ-34373,
PMTR-75526
VPN
In rare scenarios, Remote Access users cannot connect to the Gateway because of certificate authentication failure.
PRJ-35429,
PMTR-78314
VPN
In some scenarios, L2TP users cannot connect to the Gateway in a cluster environment.
PRJ-35386,
VPNS2S-2726
VPN
In some scenarios, the RIM script is not activated in DPD Tunnel monitoring.
PRJ-35557,
PMTR-78462
VPN
A memory leak may occur in the VPND process when using Remote Access Secondary Connect.
PRJ-35555,
PMTR-78436
VPN
A memory leak may occur in the VPND process when using Remote Access with Multiple Entry Points configured.
PRJ-35046,
PMTR-77549
VPN
In some scenarios, NAT-T tunnel establishment may fail.
PRJ-33322,
VPNS2S-1482
VPN
After initiating a tunnel between a regular Gateway and a DAIP Gateway, running the "vpn tu tlist" command on the peer may show the peer IP instead of the DAIP IP.
PRJ-29880,
PRHF-19050
VPN
Improved VPN interoperability.
PRJ-37589,
PRHF-22751
VPN
During policy installation when using DAIP behind Hide NAT, CPU usage for the VPND process may be high.
PRJ-36237,
PRHF-22206
VPN
A memory leak may occur in the VPND process.
PRJ-38811,
PRJ-38729
VPN
In some scenarios, it is not possible to connect with Remote Access using DHCP for Office Mode. Refer to sk178767.
PRJ-34671,
PMTR-77130
VSX
UPDATE: The "vsx_util reconfigure" operation is not supported on a VSX cluster member or VSX Gateway which has no virtual systems configured. The operation will now alert about the absence of virtual systems.
PRJ-34999,
PMTR-77287
VSX
The "vsx_util reconfigure" command may fail without printing the cause of the error.
PRJ-32078,
PMTR-74295
VSX
When creating a static route on a virtual system, some network objects may be created with the same name inside the network group which causes failure in writing the object to the database.
PRJ-36767,
PMTR-52576
VSX
VSX Cluster Internal Communication Network IP address is shown in ifconfig after changing the name or VLAN of a VR physical interface.
PRJ-35503,
PMTR-62860
VSX
There may be a mismatch of policy name on virtual switch when using the "fw stat" and "vsx stat -v" commands. The issue is only cosmetic.
PRJ-33470,
PMTR-73998
VSX
In some scenarios, the "vsx_util reconfigure" command cannot fetch the policy installed previously.
PRJ-38202,
PRHF-23118
VSX
In some scenarios, the VSX Security Gateway may not decrease the packet's TTL.
PRJ-34602,
PMTR-74840
VSX
In some scenarios, the VSX Gateway may incorrectly handle broadcast packets received from a Virtual Switch.
PRJ-36786,
PMTR-79249
VSX
The "snmpwalk" command may time out after reaching SNMPv2-SMI::mib-2.68.1.2.0.
PRJ-36771,
PRJ-36756
Gaia OS
NEW: Gaia API (version 1.6 with python3 support) will now be deployed via Jumbo Hotfix. Refer to sk143612.
PRJ-24453,
PRHF-16628
Gaia OS
UPDATE: Changed the Syslog message severity from "error" to "info" and removed the exclamation mark in a specific message which is displayed during the normal backup operation flow.
PRJ-37415,
PMTR-74360
Gaia OS
In a rare scenario, while idle, the Security Gateway may crash producing a vmcore file.
PRJ-37225,
PMTR-63343
Gaia OS
Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253.
PRJ-27908,
PRHF-17814
Harmony Endpoint
In some scenarios, logs related to Harmony Endpoint may be missing.
PRJ-37118,
PRHF-18358
VoIP
When static NAT is configured, VoIP calls may not work.
PRJ-38022,
ODU-342
Public Cloud CA Bundle
Added Take 18 of Public Cloud CA Bundle. Refer to sk172188.
PRJ-36703,
ODU-244
Public Cloud CA Bundle
Added Take 14 of Public Cloud CA Bundle. Refer to sk172188.
PRJ-34518,
PRJ-37145,
ODU-200,
ODU-286
Smart-1 Cloud
Added update 4 of Quantum Smart-1 Cloud. Refer to sk166056.
PRJ-37602,
PRHF-22145
CloudGuard Network
In Amazon Web Services (AWS), some Gateways may frequently crash with vmcores.
PRJ-35547,
PRHF-21841
CloudGuard Network
When there are virtual systems with the same name prefix, the CloudGuard Controller fails to update the VS with Data Center Objects.
PRJ-36273,
PRHF-22059
CloudGuard Network
In some scenarios, incorrect data center updates are pushed to the Gateway.
PRJ-37950,
PRHF-22994
CloudGuard Network
In some scenarios, mapping of AWS Data Centers may take a long time to complete.
PRJ-37052,
PRHF-20096
CloudGuard Network
In some scenarios, Data Center objects are not enforced on an AWS GEO cluster (Active/Active) Gateway. Refer to sk175904.
PRJ-38035,
ODU-341
Scalable Platforms
Added Take 21 of Check Point Support Data Collector (CPSDC) for Scalable Platforms and Maestro Security Appliances. Refer to sk164414.
PRJ-38223,
ODU-349
HCP
Added Update 8 of HealthCheck Point (HCP) Release. Refer to sk171436.
PRJ-36829,
ODU-287
HCP
Added Update 7 of HealthCheck Point (HCP) Release. Refer to sk171436.