The information you are about to copy is INTERNAL!
DO NOT share it with anyone outside Check Point.
|
Using Domain Objects in the rulebase might cause wrong policy actions in R80.10 JHF Take_91-103
|
Technical Level
|
| Solution ID |
sk133176 |
| Technical Level |
|
| Severity |
High |
| Product |
Security Gateway |
| Version |
R80.10 |
| Date Created |
02-Aug-2018
|
| Last Modified |
22-Oct-2018
|
Symptoms
- Using Domain Objects in the rule base (directly or in a group) might cause wrong policy actions on Security Gateways running R80.10 Jumbo Hotfix Take_91-103.
- The rule that is enforced is not the one with the Domain objects (or group containing such objects) as it should, but rather a different irrelevant rule.
- In the accept log, the reason will appear as "Connection terminated before detection..." (see sk113479 for more details on this log reason).
- Sometimes no log will be created. Sometimes debug logs will show "Reason: Rulebase - ERROR;".
Solution
This problem was fixed. The fix is included in:
If you use Domain objects in Non-FQDN mode (see sk120633 for details) - you must install Take_112 or higher.
The Hotfix should be installed on the Security Gateway. Installing it on the Security Management is also recommended but it is not a must.
Check Point recommends to always upgrade to the most recent version (upgrade Security Gateway / upgrade Cluster / upgrade Security Management Server / upgrade Multi-Domain Security Management Server).
