Jumbo Hotfix Accumulator for R80.20 with Gaia 3.10 for CloudGuard and Open Server Security Gateways (R80_20_3_10_jumbo

Support Center > Search Results > SecureKnowledge Details

Jumbo Hotfix Accumulator for R80.20 with Gaia 3.10 for CloudGuard and Open Server Security Gateways (R80_20_3_10_jumbo_hf)

Technical Level

Solution ID	sk146212
Technical Level
Product	Quantum Security Gateways
Version	R80.20
Platform / Model	AWS, Azure, Google Cloud Platform, Open Server
Date Created	03-Feb-2019
Last Modified	13-Apr-2021

Solution

Important: The Check Point default version widely recommended for all deployments is R80.40 Take 294 with Jumbo Hotfix Accumulator latest GA Take. For more information on all Check Point releases, refer to the Release map and Release Terminology articles.

Table of Contents:

Introduction
Availability
Important Notes
List of Resolved Issues per Hotfix
Installation Instructions
Uninstall Instructions
List of Replaced Files
Revision History

Introduction

R80.20 3.10 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues in different products.

Every R80.20 3.10 Jumbo Hotfix Accumulator has a specific corresponding R80.20 Jumbo Hotfix Accumulator Take.

The Incremental Hotfix and this article are periodically updated with new fixes.

The list below describes each resolved issue and provides a Take number in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). The date on which the take was published is also listed.

Refer to sk98028 - Jumbo Hotfix Accumulator FAQ.

Availability

General Availability Take:

Product	Take	Date	CPUSE offline package	Corresponding R80.20 Jumbo Hotfix Accumulator
Security Gateway	Take_32	11 Feb 2020	(TGZ)	Take_33 (with additional fixes, see below)

Ongoing Take:

Product	Take	Date	CPUSE offline package	Corresponding R80.20 Jumbo Hotfix Accumulator
Security Gateway	Take_39	13 Apr 2021	(TGZ)	Take_33 (with additional fixes, see below)

For Standalone/Security Management, refer to sk137592: Jumbo Hotfix Accumulator for R80.20 (R80_20_jumbo_hf).

Important Notes

Each of the Jumbo Hotfix Accumulator Takes is based on Check Point R80.20.3.10 and a specific corresponding R80.20 Jumbo Hotfix Accumulator Take.
There are architectural differences between the 3.10 kernel and the 2.6.18 kernel (see Jumbo Hotfix Accumulator for R80.20). As a result, each kernel's Jumbo Hotfix level is different because not all fixes required for the 2.6.18 kernel are required for the 3.10 kernel. If you need a specific known limitation from the R80.20 Jumbo Hotfix to be ported for the 3.10 kernel, please Contact Support. Over time, Check Point aims to align both JHF trains.
For CPUSE installation, CPUSE Agent build 1573 and above (refer to sk92449) must be used.
It is recommended to install Jumbo Hotfix Accumulator on all the R80.20 3.10 machines running on Gaia OS.
This Jumbo Hotfix Accumulator is suitable for these products and configurations:
- Security Gateway
- Cluster
- CloudGuard IaaS
This Jumbo Hotfix Accumulator has to be installed only after the successful completion of Gaia First Time Configuration Wizard and a reboot.
To check the Take number of the currently installed R80.20 3.10 Jumbo Hotfix Accumulator (if it is installed), run: [Expert@HostName:0]# cpinfo -y all

List of Resolved Issues per Take

ID	Description
R80.20 3.10 Jumbo HotFix - Ongoing Take 39 (13 April 2021)
GAIA-8503	UPDATE: Added new certificates for Microsoft Azure. For details, refer to this Microsoft article.
GAIA-7351	When bridge rerouting is enabled, Management/local traffic may be allowed over a Gateway bridge.
GAIA-8497	In some scenarios, the mlx5_core driver incorrectly handles multiple traffic classes. This could result in a crash. Refer to sk171553.
GAIA-8501	In some scenarios, SNMP user details may be visible in /var/log/messages.
GAIA-8546	In a rare scenario involving multiple disconnections and reconnections between the Security Gateway and Log Server, the connection is not automatically restored, and logs may not be written locally. Refer to sk164852.
GAIA-7369	In some scenarios, there is general traffic latency on the Security Gateway. Refer to sk165652.
GAIA-8285	Improved the stability of the VPND process when a "CCCclientRequest" packet is sent.
GAIA-7634	Some Remote Access clients that do not support Multi-Factor Authentication (MFA) are able to connect to a Security Gateway even though the "Allow older clients" option is disabled. Refer to sk166912.
GAIA-8367	CVE-2020_25705: ICMP reply rate.
GAIA-7312	Vulnerability fix for CVE-2020-8597: Point-to-Point Protocol Daemon (pppd). Refer to sk165875.
R80.20 3.10 Jumbo HotFix - Ongoing Take 32 (11 Feb 2020)
GAIA-7035	Since R80.20, in some scenarios, predictable TCP sequences are generated by the Security Gateway. Refer to sk164775.
GAIA-7048	In some scenarios, a connectivity issue takes place in a ClusterXL environment after a fast "fail over"-"fail back" or a "fail over" on bridge configuration.
GAIA-6863	Cannot update the Geo Policy IPToCountry database on Security Gateways. Refer to sk163672.
GAIA-6925	16000 and 26000 Appliances with CPAC-4-1/10F-C NICs (using i40e driver) connected to some specific Cisco switches are flopping. Refer to sk163267. Fix is relevant for Gaia 3.10 only.
GAIA-6681	Improved Domain/CMA logs visibility.
GAIA-6962	UDP packets are dropped during policy installation, and the following error is displayed: "simi_reorder_enqueue_packet: reached the limit of maximum enqueued packets for conn". Refer to sk148432.
GAIA-6263	In some scenarios, IP-VLAN traffic traversing a bridge of two physical interfaces has the VLAN tag stripped. The fix is relevant for Gaia 3.10 only.
GAIA-5589	Security hardening for Identity Awareness Agent (IDA) enforcement according to XFF IP.
PMTR-38242	In some scenarios on Gaia OS, certain categories are not getting matched on ICMP traffic.
GAIA-6586	In some scenarios, several applications are not matched correctly when HTTPS Inspection is enabled and URL Filtering is in HOLD mode.
GAIA-6221	If the VPN tunnel is configured with GCM ciphers for Phase 2, encrypted traffic may be dropped when SecureXL is enabled. Refer to sk152832.
PMTR-39222 (GAIA-6732)	Added ixgbevf cpmq support.
GAIA-6114	Fix for R80.20 Jumbo Hotfix Take 91 that overrides cli.sh and blocks users from connecting via ssh after installing the Jumbo Hotfix on AWS CGI.
GAIA-6523	Non-FQDN domain objects may not be enforced correctly when used in the Access policy along with updatable objects.
GAIA-5648	In some scenarios, categorization of HTTPS sites over IPv6 does not work as expected.
GAIA-6276	Access rulebase might not be enforced properly when wildcard objects are used in source and destination columns. Refer to sk162692.
PMTR-40649	In some scenarios, there are connectivity issues between Capsule Workspace and Security Gateway.
R80.20 3.10 Jumbo HotFix - Ongoing Take 19 (07 July 2019)
PMTR-33209, PMTR-30582	The user cannot access ClusterXL Standby members over an IPSec tunnel, or when the connections are routed through the Active member. Refer to sk147493.
PRJ-2374	CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.
PRJ-1657, PRJ-5035, PMTR-30582	In some scenarios, in ClusterXL, unable to connect to the Standby Cluster member from a non-local subnet via SSH or WebUI. Refer to sk147493.
R80.20 3.10 Jumbo HotFix - Ongoing Take 17 (17 June 2019)
GAIA-5428	Bridge interfaces are not displayed in SmartConsole when fetching interfaces form a Security Gateway, causing issues with zones' related policy decisions. Refer to sk153932.
PRJ-1817	Removed unnecessary backup procedure suitable for older Linux kernel files.
GAIA-5479	Azure maintenance operations on the Azure Hosts can cause the NIC driver to be reloaded. Our SW did not correctly handle all the use cases and configurations in the event of a reload operation when the gateway VM is in "started" state in Azure. This fix (introduced in Take_17) fixes this issue and makes sure that even if the driver is reloaded during regular operation, the NIC and the Security Gateway will be configured correctly.
R80.20 3.10 Jumbo HotFix - Ongoing Take 13 (28 May 2019)
PMTR-30425	VPN tunnels with 3rd party peers fail because of mismatched IDs. Refer to sk144094.
PMTR-24021	Fix for cases in which MSS clamping was not applied.
GAIA-3976	Fix for MAC address blocking SecureXL bridge traffic.
GAIA-3975	Fix for SecureXL not correctly initializing tunnel driver interface.
PMTR-30657	When X-Forwarded-For (XFF) settings are enabled on one of the policy layers and/or on the Security Gateway object, the /var/log/messages file shows errors related to asynchronous identity fetch. Refer to sk145673.
PMTR-33559	Users are not matched to access roles with nested LDAP groups or LDAP groups with a filter. Refer to sk148092.
PMTR-35309	Important security update for IPSec Site-to-Site (S2S) VPN. Refer to sk149892.

Installation Instructions

Procedure:

Show / Hide instructions for installation in Gaia Portal - using CPUSE (Check Point Update Service Engine)
- Offline installation
  
  Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
  1. Install the latest build of CPUSE Agent from sk92449.
  2. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
  3. In the upper right corner, click on the Import Package button.
  4. In the Import Package window, click on Browse... - select the CPUSE package (either offline TGZ file, or exported TAR file) - click on Import.
  5. Above the list of all software packages, click on the Showing Recommended packages button - select All.
  6. Select the imported package Check_Point_R80.20_3.10_Jumbo_HF_T13_Security_Gateway_FULL - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
  7. Select this package and click on Install Update button on the toolbar.
Show / Hide instructions for installation in Gaia Clish - using CPUSE (Check Point Update Service Engine)
For detailed installation instructions, refer to CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".
- Offline installation
  
  Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
  1. Install the latest build of CPUSE Agent from sk92449.
  2. Connect to command line on target Gaia OS.
  3. Log in to Clish.
  4. Acquire the lock over Gaia configuration database:
    HostName:0> lock database override
  5. Import the package from the hard disk:
    Note: When import completes, this package is deleted from the original location.
    HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
  6. Show the imported packages:
    Note: Refer to the top section "Hotfixes" - refer to "Check_Point_R80.20_3.10_Jumbo_HF_T13_Security_Gateway_FULL"
    HostName:0> show installer packages imported
  7. Verify that this R80 Jumbo Hotfix Accumulator package can be installed without conflicts:
    HostName:0> installer verify <Package_Number>
  8. Install the imported package:
    HostName:0> installer install <Package_Number>

Uninstall Instructions

Important Note: This Jumbo Hotfix Accumulator removes all its packages during uninstall.

Procedure:

Show / Hide instructions for uninstall in Gaia Portal - using CPUSE (Check Point Update Service Engine)
1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
  Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
2. Connect to the Gaia Portal on your Gaia machine and navigate to the 'Upgrades (CPUSE)' section - click on 'Status and Actions'.
3. Above the list of all software packages, click on the 'Showing Recommended packages' button - select 'All'.
4. Right-click on the Jumbo Hotfix Accumulator package - click on 'Uninstall'.
5. A warning will be displayed that after this uninstall, the machine will be automatically rebooted.
  Click on 'OK' to start the uninstall.
Show / Hide instructions for uninstall in Gaia Clish - using CPUSE (Check Point Update Service Engine)
1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
  Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
2. Connect to command line on Gaia OS.
3. Log in to Clish.
4. Acquire the lock over Gaia configuration database:
  HostName:0> lock database override
5. Uninstall the package:
  HostName:0> installer uninstall <Package_Number>
  Note: The progress (in per cent) will be displayed in Clish.
6. Machine will be rebooted automatically.

List of Replaced Files

Contact Check Point Support for a list of files replaced by this Jumbo Hotfix Accumulator.

Revision History

Show / Hide revision history

Date	Description
13 Apr 2021	Release of Ongoing Take 39
11 Feb 2020	Release of Ongoing Take 32
07 July 2019	Release of Ongoing Take 19
17 June 2019	Release of Ongoing Take 17
28 May 2019	Release of Ongoing Take 13

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating