Take_237 is the latest R80.30 Jumbo Hotfix Accumulator General Availability release that can be directly downloaded from Check Point Cloud using CPUSE and from this article:
For older General Availability Takes, check out our Download Archive.
Ongoing Take
Product
Take
Release Date
CPUSE Offline package
SmartConsole package
Security Gateway / Standalone Gaia 2.6.18
Jumbo HF Take_241
2 Jan 2022
(TGZ)
(EXE) Build 103
Security Gateway Gaia 3.10
(TGZ)
Security Management
(TGZ)
Use these CPUSE Online Identifiers:
Check_Point_R80_30_JUMBO_HF_Bundle_T<Take number>_sk153152_Security_Gateway_and_Standalone_2_6_18_FULL.tgz Check_Point_R80_30_JUMBO_HF_Bundle_T<Take number>_sk153152_Security_Gateway_3_10_FULL.tgz and Check_Point_R80_30_JUMBO_HF_Bundle_T<Take number>_sk153152_Security_Management_3_10_FULL.tgz
Important Notes
Starting from Take 219, any manual change of $FWDIR/conf/rad_conf.C file may be overridden by the next Jumbo Hotfix installation. If you edited this file manually, refer to sk163793 and follow the instructions on how to keep your manual changes.
Take 236: Customers using Threat Prevention IOC on Gaia 3.10 may fail to add or remove feeds. The fix is included in Take 237.
Take 236: Hardened the ability to use narrowed IKEv2 tunnels. For more information, refer to sk166417.
Starting from Take 237, after performing the Solr Cure procedure, "Check Point defined objects” may not be visible in SmartConsole. A fix for this issue will be part of the upcoming Take. For more details, refer to sk177204.
Take 235: User may fail to run any dynamic routing or install any static routes, including the default route. The fix is included in Take 236.
Before you upgrade from Jumbo Hotfix Take 235 to Take 236, uninstall Take 235.
If you use a cluster with enabled Identity Awareness, refer to to sk170516 after the first installation of Jumbo Hotfix to avoid unexpected behavior with Identity Awareness.
List of Resolved issues and New Features per HotFix Take
Take 241 | Take 237 | Take 236 | Take 235 | Take 232
ID
Product
Description
R80.30 Jumbo HotFix - Ongoing Take 241 (2 January 2022)
PRJ-24929, PRHF-16947
Security Management
UPDATE: Added a warning message in SmartConsole, alerting if during policy installation memory utilization of the FWM process exceeded 3.5GB.
PRJ-29232
Security Management
UPDATE: Added a new flag to the Threat Prevention "show-protections" API command ("show-capture-packets-and-track") that allows not to return capture-packets and track information.
PRJ-30098, PRHF-19248
Security Management
In rare scenarios, a Multi-Domain administrator's profile may be changed after deleting a Domain if the administrator had custom permissions for it.
PRJ-28647, PRHF-18202
Security Management
In some scenarios, when using a VPN community, the status of the Global Domain Assignment may change to "not up to date", although no changes were made in the Global Domain.
PRJ-28421, PMTR-10273
Security Management
Virtual session timeout for a TCP service cannot exceed 86400 seconds. Refer to sk168872.
PRJ-27999, PRHF-18245
Security Management
If Brute Force Password Guessing Protection is set to the value of more than 25 seconds, login to SmartConsole fails.
In rare scenarios, a Management Server upgrade may fail with an error message "Object not found - [UID]" in the cpm.elg log file.
PRJ-28534, PRHF-18063
Security Management
In rare scenarios, Global Policy Assignment may fail with the "class name not found for object" error.
PRJ-28155, PRHF-17926
Security Management
In rare scenarios, if Domain migration fails, the operation may not revert fully and leave some remnants in the database of the Management Server.
PRJ-28086, PMTR-70942
Security Management
In some scenarios, the Administrators view may not filter domain names according to the permission profile of the connected administrator.
PRJ-24948, PRHF-16976
Security Management
If there is an Administrator named "Endpoint", an upgrade of Endpoint Security Server from R77.30 version fails.
PRJ-26909, PRHF-16657
Security Management
Policy installation to multiple gateways from Install Policy Presets may fail if each policy has its own HTTPS Inspection policy.
PRJ-26297, PRHF-17531
Security Management
In rare scenarios, tasks may run indefinitely until the Security Management Server is restarted.
PRJ-26300, PRHF-17558
Security Management
In rare scenarios, Global Domain Assignment and Domain Creation tasks may continue to run indefinitely.
PRJ-26734, PRHF-17606
Security Management
In a rare scenario, in the Management API, the "show hosts" command with "details-level full" fails with a message "java.util.InputMismatchException: got at least one duplicate UID in requested list, duplicates UIDs:".
PRJ-26675, PRHF-17744
Security Management
The Management API command "show gateways and servers" does not show policy information for cluster members.
PRJ-28782, PRHF-18557
Security Management
In some scenarios, "show-mdss" and "show-domains" Management API commands take a significant amount of time to complete or time out after 5 minutes.
PRJ-30624, PRJ-30622
Security Management
In rare scenarios, after the Security Management Server starts up, when connecting to SmartConsole, some objects appear more than once.
PRJ-25037, PRHF-16802
Security Management
In rare scenarios, a task in progress may get stuck until the Management Server is restarted.
PRJ-26977, SMCUPG-1675
Security Management
After migrating a Domain to Security Management Server, the FWM process may be shown as "down" in watchdog, although it is up and running. Refer to sk163814.
PRJ-26628, PRHF-17230
Security Management
In rare scenarios during system startup, a cleanup operation may cause high CPU on multiple Postgres processes and prevent login to SmartConsole. Refer to sk175189.
PRJ-13163, PRHF-11027
Security Management
The "show-global-assignment" command may ignore the limit request and return the default limit.
PRJ-26122, PRHF-17476
Security Management
In some scenarios, HA synchronization fails in the Global Domain after an IPS update.
PRJ-25798, PRHF-17324
Security Management
In rare scenarios, if the CPM process is up for many days, CPU and memory consumption mаy continue to grow until a reboot is performed.
PRJ-25564, PRHF-17182
Security Management
In rare scenarios, an upgrade may fail when there is an OPSEC Server object configured.
PRJ-22133, PMTR-63108
Security Management
In some scenarios, a high load on the Management Server may cause SmartConsole slowness.
PRJ-28568, PRHF-18422
Security Management
In some scenarios, the Purge Revisions operation fails with an error message: "An error has occurred while performing revisions purge operation, Incident ID - xxxxx-xxxxxxx-xxxxx-xxxxx". Refer to sk174645.
PRJ-29156, PRJ-30418, PRHF-18883
Security Management
Scheduled IPS updates data may not be shown in the IPS update report.
PRJ-29186, PRHF-18470
Security Management
In a rare scenario, High Availability full synchronization may fail due to a large number of records.
PRJ-28899, PRHF-18508
Security Management
When searching IP addresses using logical operators (and/or):
with SmartConsole in the Object Explorer view
with the Management API command "Show objects" and the "filter" field,
the results may be incorrect. Some matched objects may be missing, while some unmatched objects may be present.
PRJ-28291, PRHF-18210
Security Management
In rare scenarios, High Availability incremental synchronization may fail with a wrong status message.
PRJ-28297, PRHF-18362
Security Management
In rare scenarios, High Availability on the Global Domain may fail to synchronize the Multi-Domain Log Server if IPS protection was added or removed in the Threat Prevention rulebase.
PRJ-25000, PRHF-17007
Security Management
After migrating a Domain to a Multi-Domain Management and assigning a Global Policy, if there are objects with the same name in the Domain and Global Domain, the assignment succeeds, although it must fail due to name duplication.
PRJ-23452, PRHF-16065
Security Management
After upgrade from R77.x, "Cannot assign a Domain more than once" errors may appear in the validations pane.
PRJ-24329, PRHF-16613
Security Management
In some scenarios, the "Recent Tasks" view shows the initiator as a System administrator when the Global Manager user initiates reassign and install policy.
PRJ-23124, PRHF-15939
Security Management
Migration of Security Management Server to a Domain on a Multi-Domain Server may be blocked if there are multiple Certificate Authority objects. Refer to sk174270.
PRJ-21786, PRHF-15257
Security Management
In some scenarios, the output of the "cpmistat" command may contain partial information.
PRJ-30052, PRHF-18928
Security Management
In rare scenarios, the FWM process unexpectedly exits and fails to start, creating core dumps in the /var/log/dump/usermode directory. Refer to sk175007.
PRJ-28062, PRJ-28063
Security Management
In rare scenarios:
Login to the Management Server may timeout and fail
Publish operation may take a long time.
PRJ-29896, PRHF-18828
Security Management
In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server". Refer to sk174910.
PRJ-25195, PMTR-68090
Security Management
The "Packet capture is not supported on this platform" warning appears after policy installation for SMB Gateways, although no packet capture is used.
PRJ-29966, PRHF-19308
Security Management
In some scenarios, simultaneous policy installation on multiple Gateways may fail if there is at least one Gateway on R77.X and one Gateway on R80.X.
PRJ-21875, PRHF-15460
Security Management
In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer.
PRJ-22421, PRHF-15598
Security Management
Domain Server Migration between different Multi-Domain Management Servers may fail if a previous migration attempt of the same Domain already failed and another different Domain name is used for the second attempt.
PRJ-25278, PRHF-17037
Security Management
In rare scenarios, login to Multi-Domain Management fails with the "No Valid Domains were found for [username]" error. Refer to sk175005.
PRJ-29197, PRHF-18782
Security Management
After an upgrade from R77.x. in a multi-site environment, High Availability full synchronization may fail with an "NGM failed to load data" message.
PRJ-23850, PMTR-66674
Security Management
Management Server upgrade may fail if there is a large amount of customized column profiles in Logs View.
PRJ-27484, PRHF-18079
Security Management
Global Policy reassignment may fail with "An internal error has occurred" due to duplicated Access Policy Assignment object. Refer to sk174183.
PRJ-28814, PRHF-18712
Security Management
In some scenarios, the "show gateways-and-servers" Management API command fails with "generic_error" when running it with "details-level full".
PRJ-30387, PRHF-16024
Security Management
In rare scenarios, editing a cluster object fails with the "Code: 0x8003001D, Could not access file for write operation" error. Refer to sk176930.
PRJ-26779, PRHF-17767
Security Management
In some scenarios, in Override Categorization, it may not be possible to sort or to find objects by name using Object Explorer. Refer to sk175245.
PRJ-30881, PRJ-30882, PMTR-62059
Security Management
In rare scenarios, during an upgrade, the FWM process may unexpectedly exit with a core dump file.
PRJ-20708, PRHF-14327
Security Management
In rare scenarios, if one of the Multi-Domain Servers is down, reconfiguring VSX may fail.
PRJ-29908, PRHF-18974
Security Management
In some scenarios, it is possible to disable a shared layer, although it is used in more than one rule.
PRJ-31079, PRJ-31080, PRHF-19251
Security Management
In rare scenarios, the FWM process on the Security Management Server unexpectedly exits.
PRJ-30822, PRHF-19479
Security Management
In some scenarios, in SmartConsole, the IPS update status list does not reflect correctly all the Gateways having the IPS blade enabled. Refer to sk175449.
PRJ-30334, PRJ-30335, PRHF-18150
Security Management
When one Server in a logical Server group is down, the second Server keeps trying to access it, no matter how long the Server is down.
PRJ-32107, PMTR-63070
Security Management
Policy installation may fail if more than 20,000 objects are created and added to rules.
PRJ-31670, PRHF-19891
Security Management
In rare scenarios, the API commands "show-automatic-purge" and "set-automatic-purge" may fail if there were two earlier attempts to update the Automatic Purge at the same time.
PRJ-30066, PRHF-19326
Security Management
The High Availability status on Security Management Server may be incorrect, and performing failover is not possible.
On Multi-Domain Server, after performing failover in the Global Domain and restarting services, the former active Global Domain Server still appears as active (although it is standby).
PRJ-28167, PRHF-18380
Security Management
In rare scenarios, the Management Server may fail to start due to incorrect sessions handling.
PRJ-32545, CPM-2222
Security Management
Values updated in resourceProfiles files to handle high CPU utilization for the Java process (sk123417) are not resistant and are overridden after Jumbo Hotfix Accumulator installation or backup/restore or export/import procedures.
PRJ-21829, PRJ-29591, PRHF-15448
Multi-Domain Management
In rare scenarios, after an upgrade, the CPD process in a Multi-Domain environment may unexpectedly exit, creating a core dump file.
PRJ-21775, PRJ-21776, PMTR-63316
Licensing
In some scenarios, the total number of "sr" licenses may be counted incorrectly.
PRJ-28522
Licensing
In a very rare scenario, SmartConsole login attempts mail fail due to high CPU usage of the CPD process.
PRJ-27343, PRJ-27344
Licensing
In a rare scenario, the licensing status in SmartConsole is displayed incorrectly.
PRJ-29309, PRHF-18767
SmartConsole
The Compliance "Security Best Practices" report for the Anti-Bot practice contains unrelated objects starting with "AB_". Refer to sk174911.
PRJ-30370, PRJ-30376
CPInfo
UPDATE: Added CPInfo build 914000219. Refer to sk92739.
PRJ-25007, SL-5634
Logging
NEW: SmartEvent can now skip indexing of firewall session logs to reduce load on the Log Server device. The feature is disabled by default. To enable it, see Issue #4 in sk150452.
PRJ-25928, PRJ-30687, PMTR-69181, PMTR-69007
Logging
NEW:
It is now possible to set the default timeframe for all the SmartView web application functionalities.
The default value is "Last 24 hours".
Note: The default time frames on the SmartView web application and SmartConsole are not synchronized.
NEW: In SmartEvent GUI, added the "referrer" field for filtering correlation unit events.
PRJ-23488, SL-5368
Logging
NEW:
In SmartEvent GUI added new products: "Behavioral Guard", "Anti-Exploit", "Anti-Bot" and "Anti-Ransomware"
For Endpoint logs correlation, added a new pre-defined event: "Harmony Endpoint" under Legacy -> Endpoint Security.
PRJ-16280, PRHF-11939
Logging
In some scenarios, emails of DLP blade may be sent with obfuscated information, with no option to present the full data. Refer to sk106430.
PRJ-25831, PMTR-68506
Logging
The INDEXER process on the SmartEvent Server may consume a high CPU when the Mobile Access blade is enabled on the Gateway.
PRJ-24522, PMTR-67575
Logging
In a low log rate, there may be a delay in exporting logs using the Log Exporter.
PRJ-25644, PMTR-68886
Logging
In SmartView (Reports and Web Logs view), the value of the file size is displayed differently from the Logs view in SmartConsole (GB instead of GiB).
PRJ-13741, PRJ-13742, PRHF-11391
Logging
The "Could not connect to Monitoring Blade" error is displayed when trying to show the "Top Interfaces" view in SmartConsole or SmartView Monitor for a Gateway that has more than 100 interfaces.
PRJ-27048, PRHF-17285
Logging
In rare scenarios, Management object changes may not be reflected in the Logs view. When the issue occurs, the CPM process may also consume a high CPU.
PRJ-26724, PRHF-17205
Logging
In some scenarios, the FWD process on Security Gateway may cause high memory consumption when Log Forwarding is configured or when running the "fw fetchlogs" command.
PRJ-24282, PMTR-66677
Logging
In rare scenarios, when exporting logs to Check Point Infinity Portal, the Log Exporter may unexpectedly exit.
PRJ-26692, PMTR-70010
Logging
When adding the "UC Block" action, log queries may not show UserCheck logs. Refer to sk174543.
PRJ-22343, PRHF-15696
Logging
In SmartView, the "Duration" field is missing from Reports and Views.
PRJ-22647, PRHF-15710
Logging
Threat Emulation log description for HTTP emulation is incorrect.
PRJ-23866,
Logging
In SmartView reports, the "Show only icon" option for table widgets does not work as expected.
PRJ-23678, PMTR-62763
Logging
In rare scenarios, in environments with many network objects, when typing a query in the search bar in the Logs tab, SmartConsole may close unexpectedly.
PRJ-14237, PRHF-11770
Logging
In SmartView, grouping or filtering by the field "Total Bytes" causes the query to fail.
PRJ-21322, PRHF-15198
Logging
In the Method field, logs with the following values are not shown in the SmartConsole's Logs tab. They are only shown when opening a single log record. The values are: MOVE, TEXT, XGET, UNDEFINED, VTTEST, ABCD, SEARCH, RPC_CONNECT, PRONECT, TRACK, CFYZ, BADMETHOD, DEBUG, MGET, GET, MKCOL, QUALYS, RNDMMTD, PRI, NESSUS, BDMT, BADMTHD.
PRJ-26113, PMTR-69276
Logging
In a multi-site MDM environment, Log queries may fail to retrieve results from a CMA or CLM, if there is another CMA or CLM with the same sic_name.
PRJ-16983, PRHF-12847
Logging
In a rare scenario, Application Control events may not be displayed in SmartEvent.
PRJ-27617, PRHF-18157
Logging
The CPSEMD process on SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event.
PRJ-25439, PRHF-17184
Logging
On a Management Server, with SmartEvent enabled and many Networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message, and the FWM process is running with a high CPU. Refer to sk167239.
PRJ-25621, PMTR-68809
Logging
In environments with more than 500K network objects, the log_indexer process on SmartEvent and Correlation Unit Server may unexpectedly close with the "Out of memory" error and a dump core file, although limited resolving is enabled (according to sk164452).
PRJ-28339, PMTR-69859
Logging
In some scenarios, Log Exporter configured to export in TLS, cannot authenticate a certificate from an external certificate authority.
PRJ-29028, PRHF-17596
Logging
In rare scenarios, SmartEvent may show no results or partial results in the Audit Log report.
PRJ-31210, PRJ-30722
Logging
In a rare scenario, logs export from SmartView web view to CSV may fail. Refer to sk175545.
PRJ-17259, PRHF-12617
Logging
In SmartConsole:
In Gateways and Servers view, IP statuses may not be accurate
In the Threat Prevention Policy tab, under "Updates", Gateways IPS update status may not be up-to-date, although the new IPS package was received successfully.
PRJ-26306, PRHF-17314
Logging
In rare cases, in SmartConsole, some logs are not shown.
PRJ-28322, PRHF-17811
Logging
In some scenarios, in SmartLog, free-text search does not work for some inspection settings logs and their description is missing.
PRJ-26029, PRHF-17325
Logging
In a rare scenario, after an NSX Gateway upgrade, enforcement details/identities are not pushed by the controller to the Gateway automatically, it can be done only by manual update. Refer to sk173323.
PRJ-26679, PRHF-17724
Logging
Logs that are sent by Log Exporter in CEF format, cannot be displayed if they include non-digit characters in the "dst_phone_number" field.
PRJ-14118, PRHF-11778
Logging
Syslog messages are not shown in SmartConsole when syslog_free_text_parser.C contains references to ".ini" files which are located directly syslog folder $FWDIR/conf/syslog.
PRJ-19836, PRJ-19837, PRHF-14286
Logging
On Gateways with many interfaces, after policy installation or after reboot, Real-Time Monitor (RTM) may consume a high CPU on the Gateway. Refer to sk170928.
PRJ-30582, PMTR-63927
Logging
In some scenarios, in Multi-Domain Servers with many Domains, the Solr process for logs may unexpectedly exit.
PRJ-20496, PMTR-63033
CPUSE
The "Recommended" Package value is not changed from true to false in SmartConsole while installing Jumbo Hotfix. Refer to sk174508.
PRJ-29573, PRJ-29574, PRHF-15052
Security Gateway
NEW: Added a new kernel parameter "up_disable_early_drop_optimization_for_reject" to disable "Early Drop Optimization" for reject rules. The parameter is enabled by default.
PRJ-31910, PRJ-31911, PRHF-19710
Security Gateway
NEW: Added a new kernel parameter "cphwd_medium_path_qid_by_cpu_id". The parameter is disabled by default. Refer to sk175890.
PRJ-28850, PRJ-28851, PRHF-18624
Security Gateway
UPDATE: Added DNS Passive Learning support for DNS responses containing the Domain name in uppercase letters.
PRJ-29441, PMTR-72448
Security Gateway
UPDATE: The default value for kiss_kthread_allow_resched kernel parameter is changed to 1. Refer to sk170560.
Fix is relevant for Gaia 3.10 only.
PRJ-30980, PMTR-73404
Security Gateway
UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560.
Fix is relevant for Gaia 3.10 only.
PRJ-32070, PRJ-32071, STRM-737
Security Gateway
UPDATE: Check Point Active Streaming (CPAS) TCP Window scale factor is now increased up to 6.
PRJ-32154, PRJ-32155, PMTR-74372
Security Gateway
UPDATE: Apache HTTPD version was updated from 2.4.41 to 2.4.51.
PRJ-26821, PRJ-26822, PRHF-17872
Security Gateway
A duplicate entry appears in the /etc/cpshell/log_rotation.conf file. This issue is only cosmetic.
PRJ-26033, PRJ-26034, PMTR-67536
Security Gateway
The "fw_xlate_rule_count_dec: refcount is negative -1" message may be displayed in dmesg when IP pool NAT is used on a cluster environment.
PRJ-4172, PRJ-27993, PRHF-5036
Security Gateway
Large number of "fwpslglue_do_log: message [0] will be truncated in log" logs is printed in /var/log/messages, although debug is not enabled.
PRJ-25291, PRJ-25292, PRHF-16907
Security Gateway
In rare scenarios, a re-matched connection has 2 logs in SmartConsole.
PRJ-27074, PRJ-27075, PMTR-70300
Security Gateway
In rare scenarios, using IP Pool NAT with only IPv4/IPv6 addresses configured may cause Security Gateway to crash.
PRJ-24909, PRJ-24914, PMTR-66910
Security Gateway
In rare scenarios, the name of the application that drops a packet was not shown in the drop debug. Instead, the “PSL Drop: internal - drop enabled” message was displayed. With this fix, the reason for the drop will be displayed.
PRJ-26476, PRJ-26477, PMTR-66746
Security Gateway
In some rare scenarios, when IPv6 is configured and Office Mode Anti-Spoofing is enabled, running "cpstop;cpstart" may cause a Security Gateway to crash.
PRJ-27125, PRHF-17942
Security Gateway
In some scenarios, the routed process may unexpectedly exit.
Fix is relevant for Gaia 3.10 only.
PRJ-29417, PRJ-29418, PMTR-71855
Security Gateway
In some scenarios, policy installation fails with the "Error code: 0-2000108" message. Refer to sk170673.
PRJ-14623, PRJ-14624, PRHF-11760
Security Gateway
After policy installation, Security Gateway may stop responding due to memory leaks.
PRJ-27558, PRJ-27557, PRHF-17949
Security Gateway
In some scenarios, configuring an un-numbered virtual interface may cause ARP requests to stay not answered by the interface. Refer to sk174188.
PRJ-27918, PRJ-27944, PRHF-13493
Security Gateway
In some scenarios, the CPD process may consume high CPU because of the memory leak in FDT (File Download Tool).
PRJ-19769, PRJ-19768, PRHF-14017
Security Gateway
Security Gateway may crash after policy installation.
PRJ-28827, PRJ-28828, PRHF-18098
Security Gateway
Improved the ICAP Server internal memory allocation logic.
PRJ-26390, PRJ-26391, PRHF-17436
Security Gateway
The WSDNSD process unexpectedly exits and creates a core file. Refer to sk173627.
PRJ-27648, PRJ-27649, PMTR-70634
Security Gateway
Negative values may appear in the output of the "fw tab -t connections -s" command and under the NAT section.
PRJ-29136, PRJ-29137, PRHF-18403
Security Gateway
The cpsicdemux process may unexpectedly exit, causing Secure Internal Communication (SIC) connection to fail.
PRJ-29740, PRJ-29741, PMTR-72615
Security Gateway
In a rare scenario, due to TCP connection reuse, a TCP connection may not be initiated Refer to sk11088.
PRJ-29502, PRJ-29503, PRHF-18863
Security Gateway
In some scenarios, using automatic Network Static NAT/Address range objects may cause connectivity issues.
PRJ-29627, PRJ-29628, PRHF-19049
Security Gateway
In a rare scenario, Security Gateway may crash.
PRJ-26581, PRJ-26582, PMTR-68272
Security Gateway
In a rare scenario, CPView may show incorrect SecureXL statistics per VS.
PRJ-30248, PRJ-30249, PMTR-70219
Security Gateway
Added a translation of the error exit code of cprid_util in $CPDIR/log/cprid_util.elg debug log.
PRJ-26668, PRJ-26669, PRHF-17760
Security Gateway
In a rare scenario, traffic outage may occur. It is caused by a memory leak related to delayed logs.
PRJ-31215, PRJ-31216, PRHF-19896
Security Gateway
When a large number of VPN tunnels is configured, and each one is used by a static route with ping, the routed process may get incorrect cluster IPs for those tunnels. Refer to sk175887.
PRJ-30039, ODU-103
Security Gateway
If wstunnel loses connectivity, after several attempts, it may unexpectedly exit and not restart. Refer to sk166056.
PRJ-25147, PRJ-25148, PRHF-14366
Security Gateway
In a rare scenario, the TCP Half Closed timer (sk137672) may fail when configured for medium/fast connections.
PRJ-30086, PRJ-30010, PRHF-18938
Security Gateway
In a rare scenario, when QoS is enabled, Security Gateway may crash while interfaces go down and up.
PRJ-30611, PRJ-30612, PRHF-19614
Security Gateway
In rare scenarios, when SACK is enabled, there may be connectivity issues.
PRJ-20625, PRJ-20626, PRHF-14374
Security Gateway
Running the threshold_config command may cause the CPD process to consume a high CPU.
PRJ-32099, PMTR-32214
Security Gateway
In a rare scenario, policy installation may cause connections termination.
PRJ-31965, PRJ-31966, PMTR-74144
Security Gateway
In a rare scenario, "Connection/sec" data for accelerated traffic in CPView may differ from the statistics in SNMP.
PRJ-31367, PRJ-31368, PRHF-19693
Security Gateway
Improved the handling of a large number of sessions per single HTTP/S connection.
PRJ-26963, PMTR-70393
Security Gateway
Improved CPS rate on Autoscale deployments of Amazon Web Services (AWS).
Fix is relevant for Gaia 3.10 only.
PRJ-32334, PMTR-72682
Security Gateway
Defining an IPv6 NAT rule with address range (hide) on the translated column may fail with an incorrect error message.
PRJ-26647, PMTR-70065
Internal CA
This fix will clean up expired certificates from the Internal CA database every three weeks and after reboot.
PRJ-31014, PRHF-19772
Internal CA
In a rare scenario, when CRL files are created, some of them may be generated with a large number in the filename. When deleting CRL files, CPCA repeatedly fails to start.
PRJ-24987, PRJ-24988, PMTR-61787
Threat Prevention
UPDATE: Added support for more than 20 CIFS objects in rulebase. Refer to sk170300.
PRJ-28677, PRJ-28678, AVIR-1444
Threat Prevention
UPDATE: Added the option to remove proxy usage in ioc_feeds tool.
PRJ-23266, PMTR-49906
Threat Prevention
In rare scenarios, the "fw load_sigs" command fails to exit appropriately after completing.
Fix is relevant for Gaia 3.10 only.
PRJ-26540, PRJ-26541, PMTR-69186
Threat Prevention
In some scenarios, the IPS update status in SmartConsole is incorrect after the automatic update fails with the "Update failed. Failed to load database" error.
PRJ-22269, PRJ-22270, PRHF-14664
Threat Prevention
Improved the Threat Prevention policy installation time when installing on more than two Security gateways.
PRJ-26200, PRJ-25544
Threat Prevention
In a rare scenario, the Security Gateway may crash when working with Anti-Virus.
PRJ-28517, PRJ-28518, TPP-1291
Threat Prevention
In rare scenarios, the Security Gateway may crash when the TCP connection is unexpectedly closed.
PRJ-25226, PRJ-22396, PRHF-15404
Threat Prevention
The "ciu_lic_open_lic_db_file: crc check failed" error message may be printed in fwd.elg log file during the policy installation if the IPS blade is disabled. Refer to sk172903.
PRJ-29923, PRJ-29924, PRHF-19208
Threat Prevention
Threat Prevention policy installation may fail when loading 2 IOC feeds that contain the same signature name for one of the observables.
PRJ-30094, PRJ-30095, PRHF-18623
Threat Prevention
In some scenarios, loading Custom Intelligence Feeds that include an IP address with a subnet mask of 32 bits (x.x.x.x/32) may fail.
PRJ-28974, PRJ-28989, PRJ-28937
Threat Prevention
Improved telemetry for Infinity Vision SOC.
PRJ-29368, PRJ-29369, AVIR-936
Threat Prevention
In rare scenarios, IOC feed loading fails due to hash parsing errors.
PRJ-28137, PRJ-28138, PRJ-27437
Threat Extraction
In some scenarios, the "fw_send_kmsg: No buffer for tsid 44" error is printed in dmesg.
PRJ-33562, PRJ-33563, PRJ-33561
Threat Prevention
In a rare scenario, the Security Gateway may crash when working with Anti-Virus or Threat Emulation.
PRJ-29490, PRJ-29491, IDA-4049
Identity Awareness
UPDATE:
Increased the default timeout values of entries: connected_pdp_refresh_interval is now set to 240 seconds and connected_pdp_grace_period is now set to 360 seconds.
Added the "Identity information / Network information will be deleted" alert to SmartConsole.
PRJ-26801, PRJ-26802, MBS-13669
Identity Awareness
In a rare scenario, the Security Gateway may crash.
PRJ-29400, PRJ-29402, IDA-4087
Identity Awareness
Improved the Identity Server (PDP) performance for publishing new network on Identity Sharing with SmartPull.
PRJ-29611, PRJ-29612, PRHF-18943
Identity Awareness
In a rare scenario, some IPv6 sessions may get deleted due to an incorrect update of Identity Gateway (PEP) kernel tables.
PRJ-27190, PRJ-27191, PRHF-17768
Application Control
UPDATE: Improved matching of URLs for custom applications.
PRJ-29766, PRJ-29767, PRHF-18914
URL Filtering
In a very rare scenario, when the Application Control (APPI) and URL filtering blades are active, in hold mode, some applications cannot be identified and the traffic is dropped.
PRJ-26104, PRJ-26105, PRHF-17301
IPS
Security Gateway may crash when the IPS profile name is very long. Refer to sk174025.
PRJ-27257, PRJ-27258, PMTR-65461
IPS
Proxy source IP address is not printed in the IPS logs.
PRJ-28488, PRJ-28489, PRHF-16635
IPS
An HTTP download of a large file may unexpectedly stop with an error message.
PRJ-27956, PRJ-27957, PRHF-18158
IPS
In some scenarios for HTTP, Gateway closes a connection from the Server side, but the user side may remain open.
PRJ-29938, PRJ-29939, PRHF-18992
IPS
In rare scenarios, if IPS Geolocation is enabled, the Security Gateway may crash.
PRJ-28736, PRJ-28737, PRHF-17049
IPS
In some scenarios, the destination IP is missing from the IPS logs. Refer to sk174588.
PRJ-31691, PRJ-31692, PMTR-73790
IPS
Improved the handling of decoded HTTP/S traffic.
PRJ-32500, PRJ-32501, PRJ-32415
IPS
In some scenarios, when IPS Automatic update is enabled, a memory leak may occur in the FWD process.
PRJ-28499, PRJ-28500, PMTR-59113
Anti-Virus
UPDATE: Improved Anti-Virus buffer allocation to reduce stack size.
PRJ-24613, PRJ-24614, PMTR-66115
Anti-Virus
UPDATE: Reduce performance when Anti-Virus is configured with deep inspection on all file types.
PRJ-23568, PRJ-23569, PRHF-15500
Anti-Virus
Security Gateway may crash when transferring the HTTP multipart traffic if the Anti-Virus Deep Scanning, Threat Extraction, or Threat Emulation is enabled.
PRJ-29132, PRJ-29190, TPP-1157
Anti-Bot
UPDATE: Improved performance of Anti-Bot URL Reputation.
PRJ-29473, PRJ-29474, PMTR-72234
SSL Inspection
In some scenarios, a memory leak may occur when creating ECDHE keys.
PRJ-30457, PRJ-30458, PRHF-19516
SSL Inspection
In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing timeout.
PRJ-31170, PRJ-31171, PMTR-72409
SSL Inspection
A memory leak, related to TLS probing, may occur in the WSTLSD process.
PRJ-31164, PRJ-31165, PMTR-72136
SSL Inspection
In some scenarios, the WSTLSD process may unexpectedly close, or a memory leak may occur.
PRJ-30698, PRJ-30699, PMTR-72756
SSL Inspection, VPN
A memory leak in HTTPS Inspection and HTTPS portals may occur when using ECDHE ciphers.
PRJ-27294, PRJ-27295, VPNRA-761
Mobile Access
In rare scenarios, when SNX client is used with Application mode on the Mobile Access Blade, the VPND process may unexpectedly exit.
PRJ-28255, PRJ-28256, PRHF-16057
Mobile Access
In a rare scenario, the VPND process may unexpectedly exit causing user disconnections from Checkpoint Mobile client.
In some scenarios, a memory leak may occur in the CVPND process.
PRJ-27787, PMTR-64102
ClusterXL
Log shows that CCP encryption fails on each policy installation.
Fix is relevant for Gaia 3.10 only.
PRJ-29834, PRHF-18898
ClusterXL
In a VRRP cluster, changes to the CCP encryption channel do not remain after reboot on Kernel 3.10. Refer to sk174968.
Fix is relevant for Gaia 3.10 only.
PRJ-28601, PMTR-64228
ClusterXL
In some scenarios, in Load Sharing mode, the "cphaprob show_bond" command on the Security Management Server shows the back-up slave status as "Not Available". Refer to sk175469.
Fix is relevant for Gaia 3.10 only.
PRJ-28357, PRJ-28358, CORXL-251
ClusterXL
Clock jumps forward/backward may cause some operations to fail and the cluster to go down.
PRJ-30502, PRJ-30503, PRJ-30284
ClusterXL
In VSX Load Sharing (VSLS) environment, a disconnected bond LS interface impacts all VS's at the member regardless that the interface is connected to a specific VS.
PRJ-28222, PRJ-28225, PRJ-28054
SecureXL
In a rare scenario, DoS/Rate Limiting when using rules with country codes (CC) or autonomous system numbers (ASN) may not update Geo IP files correctly.
PRJ-26950, PRJ-26951, PMTR-70242
SecureXL
TCP packets may be dropped as "TCP out of state" although following sk11088.
PRJ-32937, PRJ-32938, PMTR-75157
SecureXL
In some scenarios, when configuring internal/external enforcement for DOS/Rate limiting, a syslog error message may be displayed.
PRJ-27817, PRJ-27818, PMTR-63965
Routing
If the interface cable is unplugged, after a failover, Border Gateway Protocol (BGP) stops receiving routes from Primary member to Secondary and back to Primary.
PRJ-31124, PRJ-31125, PMTR-73496
Routing
In rare cases, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the Graceful Restart ending.
PRJ-26959, PRJ-26960, PMTR-65589
Routing
The routed process may unexpectedly exit when candidate RP is enabled, and a rapid failover occurs or when the candidate RP interface is disconnected.
PRJ-28392, PRJ-28393
Routing
The checksum of PIM "register" packets may be calculated incorrectly, causing the RP router to discard a "register" packet.
PRJ-28837, PRJ-28838, PMTR-51501
Routing
In some scenarios, an outage may occur because of premature graceful-restart exit.
PRJ-29494, PRJ-29495, ROUT-1745
Routing
BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer.
PRJ-26751, PRJ-26752, PRJ-26750
Routing
In some scenarios, the NetFlow Packet may report a wrong source IP Address.
PRJ-29317, PRJ-29318, ROUT-1721
Routing
AS path loops may occur, although BGP multihop is configured.
PRJ-29494, PRJ-29495, ROUT-1745
Routing
BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer.
PRJ-28955, PRJ-28956, PRHF-17739
Routing
The routed process may unexpectedly exit when OSPF is configured with the "IsMaxAgeLSAEntry()" assert.
PRJ-31484, PRJ-31485, PRHF-19472
Routing
In some scenarios, the Security Gateway may not forward traffic to a client if its IP address is changed by DHCP. Refer to sk175603.
PRJ-24054, PRJ-24055, PRHF-10260
Routing
In some scenarios, when using DHCP, the Security Gateway may not correctly route traffic to hosts.
PRJ-31471, PMTR-68362
VPN
UPDATE: In policy installation, the type of messages related to VPN certificate expiration is changed from "info" to "warning". This issue is only cosmetic.
PRJ-28572, PRJ-28573, PRHF-17880
VPN
In some scenarios, Server connections to Remote Access L2TP clients may be unstable.
PRJ-28769, PRJ-28770, PMTR-71850
VPN
In some scenarios, in High Availability clusters with enabled CoreXL, SSL clients cannot connect to the Security Gateway because of incorrect license calculation.
PRJ-26528, PRJ-26529, PRHF-17627
VPN
In some scenarios, NAT-T traffic outages may occur after a cluster failover. Refer to sk175552.
PRJ-23978, PRHF-12576
VPN
Remote Access users may randomly disconnect because the Tunnel test packets are mapped to the incorrect interface. Refer to sk172328.
Fix is relevant for Gaia 3.10 only.
PRJ-22116, PRJ-22117, PMTR-31204
VPN
In rare scenarios, after policy installation, the VPND process may unexpectedly exit with core dump.
PRJ-21636, PRJ-21637, PRHF-15318
VPN
VPN Logs show IP address octets in an unexpected (reversed) order. Refer to sk172807.
PRJ-28375, PRJ-28376, PMTR-71772
VPN
Improved VPN Site to Site tunnel establishment scenario with IKEv2. Refer to sk175092.
PRJ-27311, PRJ-27312, PRHF-14851
VPN
IPSec VPN uses the wrong source IP address when initiating NAT-T encrypted traffic. Refer to sk172805.
PRJ-28072, PRJ-28073, PRHF-18369
VPN
A Remote Access client fails to login when a DN record length is bigger than 256. Refer to sk174249.
PRJ-27672, PRJ-27673, PMTR-70855
VPN
In some scenarios, the user may not be able to connect because the CVPND process unexpectedly exits.
PRJ-27684, PRJ-27685, PMTR-70957
VPN
In a rare scenario, a memory leak may occur.
PRJ-27680, PRJ-27681, PMTR-71025
VPN
When saving the login info of the client, a memory leak may occur.
PRJ-27676, PRJ-27677, PMTR-71013
VPN
Reauthentication of the client may lead to a memory leak.
PRJ-27853, PRJ-27854, PMTR-71136
VPN
When deleting an entry from m_ht hash table, a memory leak may occur.
PRJ-27811, PRJ-27812, PMTR-71098
VPN
In some scenarios, the VPN tunnel between GCP cluster and GCP peer fails to establish.
PRJ-25140, PRJ-25141, PRHF-16647
VPN
In some scenarios, outbound traffic with NAT-T outgoing packets is sent from an incorrect link. Refer to sk176711.
PRJ-26397, PRJ-26398, PRHF-17622
VPN
Policy installation may fail when VPN community is not configured on the Security Gateway. Refer to sk174235.
PRJ-25881, PRJ-25882, PRHF-16370
VPN
In some scenarios, when DAIP peer initiates IKEv2 negotiation with certificate authentication, the VPND process may unexpectedly exit. Refer to sk174665.
PRJ-28312, PRHF-12576
VPN
Remote Access users may randomly disconnect because the Tunnel test packets are mapped to the incorrect interface. Refer to sk172328.
PRJ-28510, PRJ-28511, PRHF-18408
VPN
In some scenarios, a memory leak may occur on the Security Gateway.
PRJ-28503, PRJ-28504, PRHF-18400
VPN
A memory leak may occur in the VPND process.
PRJ-29280, PRJ-29281 PRHF-18818
VPN
In rare scenarios, re-configuring a trusted CA bundle may cause a memory leak in the VPND process.
PRJ-29480, PRJ-29481, PMTR-72463
VPN
A memory leak may occur in the VPND process in IKEv2 Site to Site VPN.
PRJ-29530, PRJ-29531, PRHF-18564
VPN
RIM script is not invoked for DAIP peer with Dead Peer Detection (DPD) permanent tunnels in passive mode.
PRJ-28560, PRJ-28561, PMTR-20176
VPN
In some scenarios, when sending the SCV drop log, a memory leak may occur.
In some scenarios, a memory leak may occur in the VPND process.
PRJ-31145, PRJ-31146, PMTR-73511
VPN
In some scenarios, a memory leak may occur when using the SSL Network Extender (SNX) client to create a site.
PRJ-28262, PRJ-28263, PRHF-18295
VPN
A memory leak may occur when clearing the CRL cache file.
PRJ-31129, PRJ-31130, PMTR-73498
VPN
In some scenarios, a memory leak may occur in the VPND process.
PRJ-31287, PRJ-31288, PRHF-19707
VPN
Hardened the ability to use narrowed IKEv2 tunnels. Refer to sk166417.
PRJ-30762, PRJ-30763, PRHF-19548
VPN
In a very rare scenario, a cluster member may unexpectedly crash and restart, creating a core dump file.
PRJ-30327, PRJ-30328, PMTR-73629
VPN
In some scenarios, IKEv2 tunnel may not work due to SA expiration.
PRJ-30866, PRJ-30867, PRHF-19755
VPN
A memory leak may occur in the VPND process.
PRJ-29593, PRJ-29594, VPNS2S-2505
VPN
In a rare scenario, the IKEv2 negotiation appears successful, although it failed.
PRJ-31027, PRJ-31028, PRHF-19776
VPN
Many "remote access client IP address and port were changed" logs are printed after an upgrade.
PRJ-28604, PMTR-48561
VSX
In a rare scenario, a cluster member may crash when running the "cphaconf show bond" command.
Fix is relevant for Gaia 3.10 only.
PRJ-29550, PRJ-29551, PRHF-18753
VSX
After a reboot, the VS's clish static ARPs configuration exists, but the static ARPs may be missing.
PRJ-27967, PRJ-27968, PMTR-35890
VSX
When querying a VS for "sysObjectID" viaSNMP, a generic netSNMP value is returned ("NET-SNMP-MIB::netSnmpAgentOIDs.10") instead of Check point value ("SNMPv2-SMI::enterprises.2620.1.6.123.1.62").
PRJ-26128, PRJ-26131, PMTR-53985
VSX
After upgradе, the VS names may be displayed incorrectly in the output of the "vsx stat -v" command.
PRJ-22689, PMTR-65535
VSX
This fix allows create/change a VSX cluster/gateway to have up to 32 CoreXL instances with VSX Provisioning Tool. Currently, it is possible to do this only in SmartConsole.
PRJ-26559, PRHF-17590
VSX
Multi-Queue configuration on VSX does not remain after reboot. Refer to sk173950.
Fix is relevant for Gaia 3.10 only.
PRJ-30312, PRJ-30313, PMTR-72515
Gaia OS
NEW: Gaia API (version 1.6) will now be deployed via Jumbo Hotfix. Refer to sk143612.
PRJ-26927, PMTR-69753
Gaia OS
NEW: Added support for new card 4 ports 1/10GbE SFP+ Rev 4.1.
UPDATE: The command "show multiple-queue Affinity" deprecation message was changed. The new message is "This command is deprecated. Please use: show interface VALUE Multi-queue."
Fix is relevant for Gaia 3.10 only.
PRJ-26997, PRHF-17900
Gaia OS
Setting hashed SHA256/SHA512 expert password may fail with an error message: "set password-controls password-hash-type <password_hased> GAIA9999 Invalid Salted Hash". Refer to sk176703.
Fix is relevant for Gaia 3.10 only.
PRJ-27975, PRJ-27976, PMTR-69876
Gaia OS
A memory leak may occur on a Security Gateway while configuring Secure Internal Communication (SIC).
PRJ-28973, PRJ-28794, PRJ-28795, PRHF-18683
Gaia OS
In a rare scenario, a memory leak may occur in the monitord process.
PRJ-27671, PRHF-13802
Gaia OS
In some scenarios, the "show arp dynamic all" command displays values of VS0 instead of VS.
Fix is relevant for Gaia 3.10 only.
PRJ-25764, PRHF-17216
Gaia OS
After 248 days of up time, the VMSS gateway sends a Cold restart alert reboot, but the VMSS does not reboot. Refer to sk173413.
Fix is relevant for Gaia 3.10 only.
PRJ-28683, PMTR-71763
Gaia OS
In some scenarios, in appliances: 6600,6700,6900,7000, Power Supply Unit (PSU) status information may be incorrect. Refer to sk174443.
Fix is relevant for Gaia 3.10 only.
PRJ-25248, PMTR-68435
Endpoint Security
In some scenarios, the Policy Server fails to synchronize with Endpoint primary Management after installing a hotfix for local E1 signature updates.
PRJ-27331, PRJ-27325
CloudGuard
Added support for Amazon Web Services (AWS) IMDSv2 in CloudGuard Controller
Improved connecting to GCP Data Center
PRJ-27032, PRJ-27033, PRHF-16098
QoS
In a rare scenario, in SmartView Monitor, some QoS traffic may be shown as "No Match".
PRJ-30232, PRJ-30233, PRHF-18342
QoS
In a rare scenario, the FWD process may unexpectedly exit due to invalid QoS logs.
PRJ-28052, PMTR-71262
Scalable Plaforms
In some scenarios, bond interface slave fails to properly initialize and shows a partner system MAC address of 00:00:00:00:00:00.
Fix is relevant for Gaia 3.10 only.
PRJ-30016, ODU-181
HCP
Added Update 5 of HealthCheck Point (HCP) Release. Refer to sk171436.
PRJ-30253, PRJ-27245, ODU-123
HCP
Added Update 3 of HealthCheck Point (HCP) Release. Refer to sk171436.
PRJ-24086, PRJ-24087, ODU-91
HCP
Added Update 2 of HealthCheck Point (HCP) Release. Refer to sk171436.
PRJ-22797, PRJ-22798, ODU-81
HCP
Added Update 1 of HealthCheck Point (HCP) Release. Refer to sk171436.
PRJ-22320, PRJ-22321, PRHF-15689
Infrastructure
In some scenarios, the cpmiquerybin and dbedit processes may unexpectedly exit causing a buffer overflow.
PRJ-31766, PRJ-31767, PRHF-19016
Infrastructure
Policy installation fails with "Operation failed, install/uninstall has been improperly terminated" when a CMA name is more than 36 characters long. Refer to sk175452.
R80.30 Jumbo HotFix - General Availability Take 237 (11 July 2021, GA from 31 Aug 2021)
UPDATE: If there is no license installed, the error message will be printed when running the cpstart command.
PRJ-24203, PMTR-67200
Security Management
NEW: Trusted CAs updates for HTTPS Inspection can be configured to be installed automatically upon update. Refer to sk173629.
PRJ-25034, SMCUPG-1653
Security Management
UPDATE: If there is no license on the Security Management Server, a new verification blocks an attempt to migrate a Domain.
PRJ-31072, PRHF-19320
Security Management
UPDATE: Added an environmental variable to control the sduu command timeout in the FWM process: SDUU_UPDATE_TIMEOUT.
PRJ-24609, PRJ-24610, PMTR-63454
Security Management
Incorrect Mobile Access license status upon a license change.
PRJ-22383, PRJ-26134, PRHF-15325
Security Management
User may fail to connect to SmartConsole after the administrator changed the RADIUS server host IP address. Refer to sk172065.
PRJ-19633, PRHF-14000
Security Management
The Management API command "get-attachment" may fail with an error. Refer to sk170894.
PRJ-26505, PMTR-69683
Security Management
Policy verification may incorrectly fail with a NAT verification error "The range size of Original and Translated columns must be the same".
PRJ-26192, PMTR-69529
Security Management
In a rare scenario, the FWM process may unexpectedly unexpectedly exit.
PRJ-21917, PRHF-15491
Security Management
In some scenarios, the Desktop policy fails with "Policy installation had failed due to an internal error. If the problem persists please contact Check Point support". Refer to sk171970.
PRJ-21398, PRHF-15001
Security Management
In rare scenarios, deleting an object fails with "Can't reach source object, maybe it already deleted" error. Refer to sk172828.
PRJ-25685, PRHF-17286
Security Management
In some scenarios, a policy installation failure message may show "ReferenceObject" instead of the actual object's name.
PRJ-24050, PMTR-66980
Security Management
If the Management Server is up for many days, the CPM process's memory consumption and CPU usage may increase consistently.
PRJ-23883, PMTR-66708
Security Management
In some scenarios, when updating Check Point Host object to be a Network Policy Management and in addition configuring it as a Secondary Server, "Publish" fails with "Action Failed due to an internal error".
PRJ-22074, PRHF-15725
Security Management
In rare scenarios, the Management Server may fail to start because Solr fails to initialize.
PRJ-26182, PRHF-17487
Security Management
When running the "fwm logexport" command multiple times, the FWM process may unexpectedly exit, producing a core file.
PRJ-21966, PRHF-15471
Security Management
Packet Mode search in rule base ignores matching of inline layer parent rules. In some scenarios, this may retrieve inline layer rules that should not be matched.
PRJ-26192, PMTR-69529
Security Management
In a rare scenario, the FWM process may unexpectedly unexpectedly exit.
PRJ-24485, PRHF-16631
Security Management
In very large Management environments, Policy verification and installation may fail with core dump. Refer to sk173722.
PRJ-23937, CPM-3316
Multi-Domain Management
NEW: Once a day, Multi-Domain Management Servers will check for peers that are not synchronized. If such are identified, HA full sync will be automatically initiated at the MDS level.
PRJ-25890, PMTR-69154
Multi-Domain Management
NEW: Added ability to create Domain Management Servers with a netmask different than the one of the Multi-Domain Server. Refer to sk173934.
PRJ-25516, PRJ-25517
Multi-Domain Management
In rare scenarios, in a Multi-Domain environment with active Domains on multiple Multi-Domain Servers, when performing manual HA sync in one Domain, objects from another Domain are not shown in SmartConsole.
PRJ-22637, PRHF-15727
Multi-Domain Management
In rare scenarios, the Multi-Domain Management Server may fail to start if Domains were previously deleted.
PRJ-24758, PRHF-16660
Multi-Domain Management
Global Policy Assignments may be missing in Multi-Domain environment after upgrade from R77.x.
PRJ-23696, PRHF-16119
Multi-Domain Management
Global Policy Reassignment may take a long time to complete after an IPS Update in the Global Domain.
PRJ-25408, CPM-2542
Multi-Domain Management
In some scenarios, HA synchronization may fail on the MDS level with the "Failed to synchronize this peer due to purged revisions in the database." message.
PRJ-15876, PRHF-11539
Multi-Domain Management
OS information for Domain Servers may not be shown correctly at the MDS level.
PRJ-26870, PRHF-17640
SmartConsole
In some scenarios, the gateway hardware change in SmartConsole fails with "Changing the hardware to <New_Selected_Check_Point_Appliance> Appliances is blocked." warning.
PRJ-27299, PMTR-70643
SmartView
After upgrade, SmartView scheduled export to Excel of Reports and Views stop running and users are unable to edit the scheduled tasks. Refer to sk174047.
PRJ-27070, PMTR-70430
Compliance
In some scenarios on Multi-Domain environments, Compliance data is not synchronized between primary and secondary Domains.
PRJ-20256, PMTR-57895
Logging
NEW: Log exporter allows the re-export of logs based on starting and end positions provided by the user, to close possible gaps. Refer to sk122323.
PRJ-21420, PMTR-61503
Logging
NEW: The Log exporter now supports formatting for RSA SIEM application.
PRJ-25135, PRHF-17079
Logging
NEW: Added support for JSON format in Log Exporter.
PRJ-25593, SL-5164
Logging
UPDATE: The Log Server now supports up to 2700 Gateways (previously was 1024). Refer to sk163413.
PRJ-12425, PRJ-12426, PRHF-10612
Logging
In some scenarios, exported FireWall logs from a Security Gateway to an external syslog server (sk87560) contain a redundant new line character.
PRJ-16646, PMTR-58979
Logging
In the SmartConsole Logs tab, the "IKE IDs" field cannot be added to column profiles.
PRJ-23819, PRHF-12659
Logging
In rare scenarios, when querying logs with a timeframe larger than 1 day, only 50 logs from each day will be shown.
PRJ-24893, PRJ-24892
Logging
Starting from Jumbo Take 216, logs exported in LogRhythm format via the Log Exporter, appear in an incorrect format.
PRJ-23578, PMTR-65203
Logging
In some scenarios following a Multi-Domain Management Server upgrade, logs queries may not retrieve results from some CMAs\CLMs.
PRJ-24214, PMTR-65200
Logging
In Multi-Domain environment, the same Domain may appear twice in the Domains view of the SmartEvent application.
PRJ-23762, PRHF-16328
Logging
In rare scenarios, SmartConsole may unexpectedly close if the pre-defined VPN columns profile in the Logs view was modified and saved.
PRJ-22965, PMTR-64536
Logging
In some scenarios, when exporting logs using the Log exporter tool and filtering on all Threat Prevention blades, logs of the "Anti Spam" blade are not exported.
PRJ-15230, PRHF-12075
Logging
In SmartView, when creating a statistical table and grouping by Time, the query may fail.
PRJ-20618, PRHF-14608
Logging
In SmartView, when filtering with specific time filters, the result may include more logs than was requested.
PRJ-25452, PMTR-68670
Logging
In rare scenarios, logs generated at the same second, with the same ID, may not show up in SmartConsole's Logs tab.
PRJ-24481, SL-5577
Logging
When a Management Server manages more than 1024 Gateways, the connectivity status may show "N/A" for several Gateways.
PRJ-25270, PMTR-68358
Internal CA, VPN, Multi-Portal
UPDATE: The IKE certificate's validity period is set to 1 year by default. Refer to sk176527.
PRJ-26137, PMTR-69466
Internal CA
UPDATE: Added automatic extension for Internal CA database to support more than 100,000 certificates.
PRJ-26700
Internal CA
Expired certificates cannot be deleted via the ICA Management Tool.
PRJ-21126, PRJ-21127, PRHF-13973
Security Gateway
UPDATE: Service with source port in the Access rulebase will no longer disable accept templates for all connections.
PRJ-24375, PRJ-24376, SMB-10515
Security Gateway
A memory leak in a DNS resolving I/S may occur.
PRJ-20980, PRHF-14104
Security Gateway
In rare scenarios, the CPD process unexpectedly exits when the VPN is enabled, and statuses are not sent to the Management Server.
PRJ-23076, PRJ-23077, PMTR-65799
Security Gateway
Enhancement: Early drop optimization will work even if the UserCheck is not relevant for this connection.
PRJ-24007, PRJ-24008, PRHF-16196
Security Gateway
In rare scenarios, when the "sd_global_monitor_only" property is set to "true", there is no HTTP inspection.
PRJ-23271, PRHF-15932
Security Gateway
In some scenarios, the "fw ctl affinity" command on MPDS Dplane does not show the Mplane Multi-Queue interfaces.
Fix is relevant for Gaia 3.10 only.
PRJ-22622, PRJ-22623, PRHF-15835
Security Gateway
In some scenarios, the VSX Cluster switch may cause a core dump.
PRJ-23425, PRJ-23426, PMTR-65909
Security Gateway
The VPND process may consume high CPU because of ECDHE use, which affects multi-portal functionality. Refer to sk173145.
PRJ-26374, PRJ-26375, PRJ-26257
Security Gateway
In a rare scenario, incorrect error messages regarding the ICAP client flow appear in dmesg.
PRJ-16919, PRJ-16920, PRHF-12897
Security Gateway
In rare scenarios, SmartView Monitor shows the "Error code: 2147483647" message when viewing data from a VSX Gateway. Refer to sk174206.
PRJ-24527, PRJ-24528, PRHF-16667
Security Gateway
In a rare scenario, the FWK process unexpectedly exits on the Security Gateway.
When Strict Hold is enabled in the fail-open configuration, some HTTPS connections may stuck.
PRJ-23946, PRJ-23947, PMTR-66474
Security Gateway
In a rare scenario, Security Gateway may crash when running in USFW (User-Space Firewall) mode.
PRJ-23340, PRHF-16111
Security Gateway
Boot may take a long time on machines with many VLANs or secondary IP addresses.
Fix is relevant for Gaia 3.10 only.
PRJ-25735, PRJ-25736, PRHF-16886
Security Gateway
In some scenarios, Security Gateway may crash when ICAP client is enabled.
PRJ-25617, PRJ-25618, PRHF-15688
Security Gateway
In a rare scenario, Security Gateway may crash when handling some DNS packets.
PRJ-25907, PMTR-69241
Security Gateway
In a rare scenario, machine hangs and user is unable to run any command. Refer to sk173405.
PRJ-24124, PRJ-24125, PRHF-15896
Security Gateway
RADIUS authentication failure messages are written to SmartConsole logs but not presented to a user. Refer to sk173927.
PRJ-21268, PRJ-21269, PMTR-56012
Security Gateway
In some scenarios, emails may be stuck in the MTA queue.
PRJ-24518, PRJ-24556
Gaia OS
In some scenarios, when adding a "#" in the login banner, the banner becomes corrupted.
PRJ-25390, PRJ-25391, PRHF-17173
Security Gateway
In some scenarios, there is no match on URL Filtering rules.
PRJ-25599, PRJ-25600, PRHF-12228
Security Gateway
In some scenarios, packets are dropped due to incorrect SACK translation when SACK and sequence translation are being used together.
PRJ-24416, PRHF-16452
Security Gateway
In a rare scenario, Security Gateway may crash under heavy load during cluster failover.
Fix is relevant for Gaia 3.10 only.
PRJ-23846, PRJ-23847, PRHF-15781
Security Gateway
In some non-VPN scenarios, MSS Adjustment (Clamping) does not work.
PRJ-26149, PRJ-26150, PMTR-69312
Security Gateway
In a rare scenario, a memory leak may occur when IPS / Anti-Bot / Anti-Virus blade is enabled.
PRJ-25550, PRJ-25551, PMTR-67991
Security Gateway
In some scenarios, connections are dropped with the "Virtual defragmentation error: fragment table is full" message.
PRJ-25154, PRJ-25155, PMTR-67534
Security Gateway
When running the "fwaccel stats -r" command to reset the SXL statistics, the statistics may become corrupted.
PRJ-27039, PRJ-27038, PMTR-67834
Security Gateway
VSX provisioning may fail to commit changes to the VSX database. Refer to sk173683.
PRJ-22945, PRJ-22946, PMTR-55080
Security Gateway
In rare scenarios, policy installation fails with "gen_rpc_service_inspect_func: <service name> mismatch in service_arr" error message. Refer to sk174165.
PRJ-23456, PMTR-66212
Security Gateway
In some scenarios, values set in fwkern.conf file may not be applied correctly.
PRJ-14275, PRHF-7150
Security Gateway
In some scenarios, SCCP traffic may be dropped by the Security Gateway. Refer to sk108124.
Fix is relevant for Gaia 3.10 only.
PRJ-24835, PRJ-24836, PRHF-15080
Security Gateway
In some scenarios, when moving Mobile Access from Legacy to Unified Policy, previously configured native application may unexpectedly exit. Refer to sk172935.
PRJ-23063, PRJ-23064, PMTR-63142
Security Gateway
Improved displayed drop log messages on the Security Gateway:
To see drops since the last reboot, use the fw ctl drop command.
In rare scenarios, DynamicID authentication fails with "server_code 403 log_msg General HTTP error" message in vpnd.elg. Refer to sk170303.
PRJ-27160, PRJ-27161, PRHF-16851
Security Gateway
In rare scenarios, running "fw1 + misp" debug on cluster may cause Security Gateway to crash.
PRJ-26616, PRJ-26617, PRHF-17663
Security Gateway
In some scenarios, "[INFO] encode resource in base64 failed" messages generated by the RAD process are shown in /var/log/messages file.
PRJ-26593, PRJ-26594, PMTR-70023
Security Gateway
Configuring the "Virtual Activation Timeout" option above 65535 may lead to an incorrect timeout definition.
PRJ-23265, PMTR-49906
Threat Prevention
In rare scenarios, the "fw load_sigs" command fails to exit appropriately after completing.
PRJ-23775, PRJ-23927, PMTR-66261
Anti-Bot
UPDATE: Anti-Bot URL cache was enhanced to support further requests.
PRJ-25746, PRJ-25747, PMTR-67597
Identity Awareness
NEW: Added a new Auto-Tune feature for Nested Groups to select the optimal nested state for maximum performance. The feature is disabled by default. To enable it, refer to sk128212.
PRJ-25388, PRHF-10292
Identity Awareness
In Identity Awareness Captive portal, the default Check Point logo is displayed even if the user-defined logo is configured. Refer to sk133492.
Fix is relevant for Gaia 3.10 only.
PRJ-25923, PRJ-25924, PMTR-68088
Identity Awareness
Optimized the PDP expired timers mechanism performance.
PRJ-26229, PRJ-26231, IDA-4019
Identity Awareness
When the PDP gateway is connected to multiple pre-R81 PEP gateways, the CPU consumption may be high. Refer to sk173709.
PRJ-26201, PRJ-25544
Anti-Virus
In a rare scenario, the Security Gateway may crash when working with Anti-Virus.
Fix is relevant for Gaia 3.10 only.
PRJ-21769, PRJ-21770, PMTR-58795
Application Control
A failure log may be generated when inspecting connections to servers with certificates without a common name (CN) field.
PRJ-24630, PRJ-24631, TEX-2201
UserCheck
In rare scenarios, when clicking the "Send Original Mail to me" button (sk140214) in the UserCheck portal for Threat Extraction, action fails with "An unexpected error has occured..." error message.
PRJ-23979, PRJ-23981, PRHF-16392
UserCheck
Sensitive file push.js may be visible on the Security gateway.
PRJ-23034, PRJ-23035, PMTR-65728
Anti-Malware
In rare scenarios, Security Gateway may crash if event app debug is enabled.
PRJ-23039, PRJ-23040, PMTR-65729
Anti-Malware
In a rare scenario, Security Gateway may crash during the Application Control / IPS / Anti-Bot package update.
PRJ-24779, PRJ-24780, PRHF-16849
Anti-Malware
In a rare scenario, the Security gateway may crash with the "Problem with the Commit Function" error during policy installation. Refer to sk173248.
PRJ-23297, PRJ-23299, PRJ-23295
IPS
UPDATE: Added support for PM statistics when IPS is disabled.
PRJ-25198, PRJ-25199, IPS-352
IPS
In some scenarios, the DNS response message with record type 0 may be dropped by "Non compliant DNS" protection.
PRJ-24982, PRJ-24982, PRJ-24932
IPS
In a rare scenario, Security Gateway crashes when Threat Prevention Forensic Log feature is enabled.
PRJ-24344, PRJ-24381, PRHF-16288
IPS
Improved the HTTP protocol handling.
PRJ-20711, PRHF-13454
IPS
In rare scenarios, policy installation fails due to duplicate id in IPS Snort protections.
PRJ-19938, PRJ-19939, PMTR-58379
SSL Inspection
UPDATE: Avoid sending the TLS probe during inbound inspection when it is nоt necessary for the SNI-based categorization.
PRJ-21689, PRJ-21691, PMTR-63310
SSL Inspection
UPDATE: Avoid sending the TLS probe during the inbound inspection when a rule is matched according to the IP address.
PRJ-20678, PRJ-20679, PRHF-14540
SSL Inspection
A table hash size may be too small for some environments and cause an increased CPU usage.
PRJ-26742, PRJ-26743, PRHF-4657
SSL Inspection
Added an option to bypass Name Constraints extension on certificates using a registry flag. Refer to sk159692.
PRJ-19854, PRJ-19855, PMTR-61029
SSL Inspection
TLS probing failures generate logs with a general description in SmartLog: "Internal system error in HTTPS Inspection (Error Code: 2)". With this fix, more descriptive logs will be generated.
PRJ-24460, PRJ-24470, PMTR-65718
SSL Inspection
In some scenarios, memory leaks may occur after policy installation.
PRJ-24467, PRJ-24469, PMTR-66181
SSL Inspection
In rare scenarios, the wstlsd daemon may unexpectedly exit during TLS probing.
PRJ-25177, PRJ-25192, PRHF-14178
SSL Inspection
In some scenarios, when HTTPS Inspection is enabled, overall memory consumption may gradually increase. Refer to sk171280.
PRJ-24666, PRJ-24204
ClusterXL
The Gaia Clish command "set snmp traps trap clusterXLFailover enable" fails with "Bad Command Unknown Trap name." Refer to sk173810.
Fix is relevant for Gaia 3.10 only.
PRJ-24143, PRJ-24144, PMTR-67140
SecureXL
UPDATE: Firewall debug drop template message now indicates the rule ID the template was created from.
PRJ-24650, PRJ-24651, PMTR-67738
SecureXL
In some scenarios, the "reached the limit of maximum enqueued packets!" log is printed in the /var/log/messages file.
PRJ-17459, PRJ-17460, PRHF-13183
SecureXL
SecureXL keeps forwarding packets in VSX bridge mode when the member is down. Refer to sk169495.
PRJ-23458, PRJ-23459, PRHF-16084
SecureXL
A race condition in the DOS/Rate limiting policy's install logic may cause incorrect counter values for "concurrent-conns".
PRJ-22788, PRJ-22789, PMTR-65162
SecureXL
In a rare scenario, Security Gateway may crash after running the "fwaccel tab -t connections" command.
PRJ-25509, PRHF-16656
SecureXL
In a rare scenario, Security Gateway may crash when generating CPInfo in VSX mode.
Fix is relevant for Gaia 3.10 only.
PRJ-27222, PRJ-27223, PRHF-17921
SecureXL
In some scenarios, SYN Defender log messages in SmartConsole show "*** MISSING ***" instead of the real log.
PRJ-24539, PRJ-24540, PMTR-67556
SecureXL
In a VSX environment, the SYN Defender configuration may not be applied correctly.
PRJ-27224, PRHF-17734
SecureXL
Invalid VLAN traffic may cause repeated "deliver_list is empty!!!" error messages in the /var/log/messages file.
UPDATE: User does not have to enable logging/accounting in SmartConsole to generate the Netflow records. New ‘NetFlow Firewall rule’ option was added to configure NetFlow to report per Firewall rule by turning it on and enabling Log/Accounting per rule.
PRJ-23247
Routing
VRRP member freezes when deleting a VLAN interface. Refer to sk106226.
PRJ-24789, PMTR-48384
Routing
In some scenarios, OSPF configured with unnumbered VTI on cluster frequently moves between "Full" and "EXSTART" status.
PRJ-24714, PRJ-24715, PRHF-16801
Routing
In OSPF environment, the routed process may unexpectedly exit when a VPN tunnel is flapped leading to a temporary connectivity loss.
PRJ-24968, PRJ-24969, PMTR-48361
Routing
Graceful restart has been enhanced to tolerate a non-standard behavior by peers of closing BGP connection before getting established.
PRJ-25040, PRJ-25043, PRHF-16981
Routing
In a rare scenario, the routed process unexpectedly exits when creating an MFC (S,G) entry. Refer to sk176685.
PRJ-25993, PRJ-25994, PMTR-69290
Routing
In some scenarios, the monitored IP option "force-if-symmetry" does not detect the asymmetric ping properly.
PRJ-24386, PRJ-24387, MBS-12759
Routing
In rare scenarios, a Load Sharing cluster can experience DHCP relay drops with the "dropped by fw_post_vm_chain_handler Reason: Handler 'dhcp_reply_code' drop" message.
PRJ-25316, PRJ-25317, PMTR-68232
Routing
In some scenarios, CPView displays incorrect values of RIP statistics.
PRJ-27043, PRJ-27045, PMTR-57379
Routing
The routed process with Ping enabled always gets reset during Clish reconfiguration.
PRJ-26967, PRJ-26968, PMTR-66574
Routing
In some scenarios, the routed process may produce a core dump when it receives IGMPv3 Membership Reports over a long period of time.
PRJ-27057, PRJ-27058, PRHF-17925
Routing
In some scenarios, the routed process may unexpectedly exit when there is a static route and a kernel route to the same destination.
PRJ-25914, ROUT-1502
Routing
Netflow packets are sent from the individual VS IP address instead of VS0.
Fix is relevant for Gaia 3.10 only.
PRJ-23090, PRJ-23091, PRHF-12121
Mobile Access
In some scenarios, FWK process unexpectedly exits due to SNX authorization timeout in MAB's Unified Policy mode. Refer to sk173125.
PRJ-22330, PRJ-22331, PMTR-21454
Mobile Access
In some scenarios, the VPND process unexpectedly exits in SNX Application Mode.
PRJ-23722, PMTR-60065
Mobile Access
Remote Access session may not be synced on the standby member VS.
Fix is relevant for Gaia 3.10 only.
PRJ-23729, PRJ-23730, PRHF-16302
Mobile Access
In some scenarios, when configuring the "X-Forwarded-For" header to MAB reverse proxy, the header is passed in reverse order.
PRJ-22804, PRJ-22805, SNX-61
Mobile Access
When the administrator adds more than 30 native applications, users may fail to connect via SSL Network Extender Application mode.
PRJ-25219, PRJ-25220, PRHF-17088
Mobile Access
Improved the Portal Rendering performance in Unified Policy mode.
PRJ-24685, PRHF-16135
Mobile Access
In some scenarios, the HTTPD process consumes a high CPU causing slowness in access to web applications.
PRJ-24815, PRJ-24814, VPNS2S-2313
VPN
UPDATE: Added VPN improvements in IKEv2:
Added support for IKEv2 authentication when using multiple certificates.
Added support for “Matching info” authentication.
VPNS2S-2313
VPN
“Invalid ID information” message may be displayed when peer is 3rd party and Link selection is overridden.
VPNS2S-2313
VPN
IKEv2 may cause the VPND process to unexpectedly exit when IKEv2 rekey uses certificates.
VPNS2S-2313
VPN
Stability improvement of IKEv2 rekey when using Pre-shared-key
Stability improvement of cluster synchronization mechanism
PRJ-25051, PRJ-25052, PRHF-16121
VPN
In some scenarios, user may not be able to connect because the VPND process unexpectedly exits.
PRJ-25131, PRJ-25132, PMTR-68208
VPN
In some scenarios, the VPN Remote Access client cannot reconnect after changing the authentication method.
PRJ-21940, PRJ-21941, PRHF-15509
VPN
In some scenarios, VPN Remote Access users are disconnected after policy installation. Refer to sk171966.
PRJ-24250, PRJ-24251, PRHF-15984
VPN
In some scenarios, the TTM (Transform Template) file is not loaded when there are no TTM groups for the user.
PRJ-14270, PRJ-14271, PRHF-9691
VPN
Added IKE improvement for DAIP peer with ID_DER_ASN1_DN ID type.
PRJ-24400, PRJ-24401, PRHF-16421
VPN
In some scenarios, DAIP gateways may be identified as Remote Access, causing the connection to fail. Refer to sk173417.
PRJ-25487, PRJ-25488, PMTR-68687
VPN
In VSX environments, Anti-Spoofing in SecureXL may cause Remote Access VPN drops. Refer to sk173266.
PRJ-24858, PRJ-24859, PRHF-16883
VPN
The VPND process may unexpectedly exit when cipher priority configuration is invalid. Refer to sk173083.
PRJ-23972, PRJ-23973, PMTR-65986
VPN
In some scenarios, the IKED process unexpectedly exits producing a core dump.
PRJ-22526, PRJ-22527, PMTR-64500
VPN
When Multiple Factor Authentication is configured with DynamicID , VPN clients may receive four password prompts. Refer to sk144932.
PRJ-26202, PRJ-26203, PMTR-68557
VPN
MEP failover with 3rd party vendors may not work correctly.
PRJ-26339, PRJ-26340, PMTR-69135
VPN
In some scenarios, Phase 2 NULL encryption in IKEv2 fails with "Received notification from peer: No proposal chosen" message in the log.
PRJ-25334, PRJ-26237, VPNS2S-2335
VPN
In some scenarios, the "Illegal sequence number" error may be printed in Dead Peer Detection (DPD) debug.
PRJ-26265, PRJ-26266, PMTR-68840
VPN
In some scenarios in MEP configuration, failover to available MEP members may fail.
PRJ-26933, PRJ-26932, PMTR-70367
VPN
In some scenarios, the VPND process unexpectedly exits after installing the policy.
PRJ-27738
VPN
In some scenarios, NAT-T traffic is sent to the wrong next-hop MAC address.
Fix is relevant for Gaia 3.10 only.
PRJ-26621, PRJ-26622, PRHF-17733
VPN
Added VPN stability improvement in IKEv2.
PRJ-25983, PRJ-25984, PMTR-65599
VPN
In rare scenarios, IKE negotiation fails when using IPv6 addresses.
PRJ-25310, PRJ-25311, PRHF-17101
VPN
In rare scenarios, all traffic is dropped with "Rulebase Internal Error" in SmartLog.
PRJ-24804, PRJ-24806, PRHF-16698
VPN
Site to Site VPN connectivity issue when NAT is enabled.
PRJ-26440, PRJ-26441, PMTR-69836
VPN
In rare scenarios, a memory leak related to gateway authentication may occur.
PRJ-26438, PRJ-26437, PRHF-2715
VPN
In a rare scenario, a memory leak may occur when RASession_util is active.
PRJ-26431, PRJ-26432, PMTR-69479
VPN
In a rare scenario, the IKED process stops with core dump when using Office Mode IP allocation for clients and users cannot connect.
PRJ-21428, PRJ-21429, PRJ-21430, PRJ-21424
Gaia OS
NEW: Added support for hardware (sensors/NICs) data auto-update.
PRJ-25670, PRHF-16999
Gaia OS
In some scenarios, the driver's (i40e) response time for MQ settings takes a too long time.
Fix is relevant for Gaia 3.10 only.
PRJ-26111, PRJ-24594, PRJ-24595, PRHF-16780
Gaia OS
When the RADIUS server uses a multi-pool "Access Challenge", the system sends many authentication requests without waiting
PRJ-24492, PRHF-16665
Gaia OS
In a rare scenario, the Security Gateway may become unresponsive. Refer to sk172827.
Fix is relevant for Gaia 3.10 only.
PRJ-24508
Gaia OS
In some scenarios, when adding a "#" in the login banner, the banner becomes corrupted.
Fix is relevant for Gaia 3.10 only.
PRJ-24371, PRJ-25003, PRJ-24372, PMTR-49877
Gaia OS
In some scenarios, the force-password-change option does not work.
PRJ-23965, PRHF-16338
VSX
UPDATE: Added ability to change the Management and Sunc interfaces via vsx_util change_interfaces.
PRJ-25022, PRJ-25023, PRHF-14371
VSX
In some scenarios, the "cpstat vsx" command does not show the correct output. Refer to sk170793.
PRJ-5187, PMTR-32931
VSX
In some scenarios during shutdown, the FWK process may unexpectedly exit producing a core dump when VSX gateway is upgraded to R80.30.
PRJ-25726, PRJ-25727, PMTR-68887
QoS
A memory leak may occur when using domain names in QoS policy rules. Refer to sk174904.
PRJ-24289, ODU-83
Smart-1 Cloud
Added Update #1 of Quantum Smart-1 Cloud. Refer to sk166056.
PRJ-25384, PRHF-17170
CloudGuard IaaS
CloudGuard Controller with Cisco ACI Data Center sends updates without IP addresses to Security Gateways.
PRJ-23351, PRHF-13883
CloudGuard IaaS
The SNMP response may show incomplete values.
PRJ-21719, PMTR-64430
CloudGuard Azure
Improved performance consistency (with Multi-Queue) after the Microsoft Azure Maintenance event.
R80.30 Jumbo HotFix - General Availability Take 236 (11 May 2021, GA from 1 June 2021)
PRJ-25945, PRJ-25946, CLUS-1804
ClusterXL
In some scenarios, the user cannot run any dynamic routing or install any static routes, including the default route.
-
VPN
Hardened the ability to use narrowed IKEv2 tunnels. For more information, refer to sk166417.
R80.30 Jumbo HotFix - Ongoing Take 235 (26 Apr 2021)
PRJ-24911, PMTR-67937
Security Management
"Unauthorized client" error on login failure from an IP address that is not explicitly defined in the Trusted Clients list. Refer to sk173026.
PRJ-9515, PRHF-8550
Security Management
The Rule UID is hidden in Audit logs. Refer to sk165016.
PRJ-23921, PMTR-64482
Security Management
SmartConsole Extensions fail to load with "Error: unable to retrieve read-only session" if login with SmartConsole is performed with an IP address that is not defined as the primary IP of the Management Server.
PRJ-22609, SMCUPG-1375
Security Management
In some scenarios, a Domain migration may fail during the Access Policy import with the "Object not found" error in cpm.elg file.
PRJ-22440, PRHF-15754
Security Management
Upgrade or migration from R80.10 and lower to R80.20 and higher may fail with "Scheme adjustment had failed" error in logs. Refer to sk172003.
PRJ-22122, PMTR-61785
Security Management
Running override_server_setting.sh may not update settings correctly when updating a setting multiple times.
PRJ-15904, PRHF-12367
Security Management
Security policy compilation fails if the Domain network object name (FDQN name) contains space.
PRJ-17232, PRHF-12911
Security Management
In some scenarios, Apache does not start and shows a "No space left on device" message if the user runs "cprestart" frequently.
PRJ-23772, PMTR-66072
Security Management
"Query failed" error is displayed in Security Gateway Device & License Information view in SmartConsole when canceling the "Export to PDF/CSV" operation.
PRJ-22871, PRHF-15786
Security Management
In some scenarios, policy installation fails with "Error code 0-2000077" message.
PRJ-20808, PRJ-20809, PMTR-62949
Security Management
On Security Management with connected Endpoint Security Server, the SICTUNNEL process may unexpectedly exit and start again every few minutes with core file ~4gb in size. Refer to sk173704.
PRJ-22210, PMTR-61168
Security Management
In rare scenarios, concurrent update operations performed by several administrators on the Management Server may fail.
PRJ-22129, PMTR-61861
Security Management
In a rare scenario, Management HA synchronization fails after the Purge Revisions operation.
PRJ-13069, PRHF-11089
Security Management
In rare scenarios, during a Global Policy Reassignment, the Management Server may unexpectedly exit and fail to start again.
PRJ-22631, PMTR-62650
Multi-Domain Management
UPDATE: Improved the Domain Management Server and Domain Log Server creation and deletion operations.
PRJ-23158, PMTR-64136
Multi-Domain Management
UPDATE: Added stabilization improvement for Assign and Reassign Global Policy operations.
PRJ-22579, SMCUPG-1625
Multi-Domain Management
In some scenarios, HA Full Sync on the System Domain fails after upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059.
PRJ-22595, PRHF-15856
Multi-Domain Management
Create Domain action may fail with a "License violation detected" error even though CPSM-DOMAINS-1 license is applied on the Management Server.
PRJ-24019, PMTR-66953
Multi-Domain Management
In some scenarios, after upgrade of Multi-Domain environment that has active Domains on multiple Multi-Domain servers, some objects may not be visible in the System Domain.
PRJ-21911, PMTR-64572
Multi-Domain Management
In some scenarios, installation of Jumbo Hotfix on Multi-Domain Server may fail after running restore from backup.
PRJ-22521, PMTR-65290
Multi-Domain Management
In some scenarios, Reassign Global Domain for a Domain that is active on another Multi-Domain Server may fail with "An internal error has occurred" message. Refer to sk172704.
PRJ-22137, PMTR-64481
Multi-Domain Managemen
A Multi-Domain Server with dozens of Domains may take a long time to start.
PRJ-23542, PMTR-66182
Multi-Domain Managemen
In some scenarios, HA sync in a Multi-Domain environment may fail with the "Failed to import data" error message after the user creates new Permission Roles.
PRJ-13189, PRHF-11482
Multi-Domain Management
In a rare scenario, Advanced upgrade from R80.10 may fail.
PRJ-19498, PMTR-61526
SmartConsole
"The object specified in 'Always send alerts to' field, has no active 'Logging & Status' blade" error may be displayed after running the "add-simple-gateway" command in Management HA environments where one of the Security Management servers has the "Logging & Status" blade disabled. Refer to sk172226.
PRJ-21622, PRHF-15156
SmartConsole
In some scenarios, FWM process logs show Provisioning/LSM activity even though LSM is not in use. Refer to sk171905.
PRJ-22217, PMTR-32568
SmartConsole
In some scenarios, a validation warning may appear on an updatable object with the following message: "Object is no longer supported. Enforcing security for this object is not possible." However, the object is still available in the updatable objects picker.
PRJ-17275, PMTR-59746
SmartConsole
The "Recent Tasks" view allows only Super Users to view other administrators' tasks.
PRJ-21182, PMTR-61750
Logging
NEW: Resource pools for log queries and report generation have been separated to ensure query responsiveness while multiple reports are generated.
PRJ-18558, PRHF-13614
Logging
In the "Logs" view in SmartConsole, when the query filter contains "time:yesterday" as a literal, the query fails with a "Query resolution failed" error. The pre-defined time filter "Yesterday" shows results from today. Refer to sk170999.
PRJ-23154, PMTR-62454
Logging
When viewing an Access log card that was matched on both a Network layer (firewall) rule and an Application layer rule, and both actions are "Accept", the application layer rule will be presented in the card instead of the network layer rule. Refer to sk172763.
PRJ-23203, PMTR-65244
Logging
In rare scenarios, when creating a Log server object and establishing SIC, log queries from the newly created Log server object may fail.
PRJ-23007, PRHF-15886
Logging
In rare scenarios, when the user exports logs to Excel using SmartView web, the action fails when the exported logs contain special characters, like emojis.
PRJ-21113, PRJ-24227
Logging
In some scenarios, when declaring a filter in Log Exporter, logs may not be exported. Refer to sk173025.
PRJ-23414, PMTR-60082
Logging
In SmartView's "Cyber Attack View - Endpoint", the widgets Active/Dormant Attacks and Cleaned/Blocked Attacks show clean hosts as infected (false positive results).
PRJ-17118, PMTR-59484
Logging
In SmartView, chart and timeline widgets may show a "Query Failed" error.
PRJ-21305, PMTR-62117
Logging
In environments with more than 500K network objects, the log_indexer process may lead to a memory leak.
In some scenarios, when there are offline logs to index, queries are slower than expected.
PRJ-15783, PRHF-11889
Logging
In SmartView, when the user exports a container widget with charts to PDF, some data may be missing, and the charts may be shown in a distorted manner.
PRJ-22183, PMTR-58496
Logging
In SmartView, when the user exports multiple PDF/CSV/Templates of the same view/report at the exact same time, the second export to complete may overwrite the first one.
PRJ-22247, PMTR-65133
Logging
In some scenarios, in the "Views and Reports" of SmartView, it is not possible to use the field "Roles".
PRJ-21144, PMTR-51637
Logging
In SmartView, when opening a log card popup in lower resolutions, the text in the header may be cut off.
PRJ-21372, PMTR-63927
Logging
In some scenarios, in Multi-Domain servers with many domains, the Solr process for logs may unexpectedly unexpectedly exit.
PRJ-15325, PMTR-52927
Logging
In some scenarios in SmartView, exporting a report or view to PDF duplicates the item and displays it twice in the Catalog until the export is done.
PRJ-23139, PMTR-65727
Internal CA
The output of the "lscert" command has duplicate lines for all certificates that are not in "pending" status.
PRJ-16050, PRHF-11884
Compliance
Deactivated Compliance Best Practices appear in the Compliance report.
PRJ-21900, PRJ-21901, PMTR-64675
Security Gateway
NEW: Added new troubleshooting tool to cplic command for Entitlement manager.
PRJ-23384, PRJ-23385, PMTR-66195
Security Gateway
NEW: Implemented new Fast-Accel producer.
The following Fast-Accel statistics are added to CPView:
Status: current status of Fast-Accel feature (enabled/disabled).
Configured rules: number of rules were added by the user. These rules determines whether a connection should be accelerated or not.
Accelerated connections amount: number of accelerated connections.
Total connections amount: total connections opened in PPAK.
Accelerated connections percentage: percentage of accelerated connections as part of the overall traffic.
Services distribution: number of times each service was used by the accelerated connections.
PRJ-22678, PRJ-22679, PRHF-14534
Security Gateway
UPDATE: Security Gateway performance optimizations for specific scenarios. Refer to sk174607.
PRJ-10988, PRJ-15441, PRHF-8504
Security Gateway
UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560.
PRJ-19572, PRJ-22934, PRHF-13912
Security Gateway
When using "User Alert 3" in the code alert, cosmetic error "FW-1: fwdrv_get_string_id_from_code: illegal parameters for code 8" appears in the /var/log/messages file.
PRJ-20568, MBS-12769
Security Gateway
In some scenarios, the "fwauthd_init: got known service port XXX ... choosing another one" message appears repeatedly in the $FWDIR/log/fwd.elg file.
PRJ-22453, PRJ-22454, PMTR-64448
Security Gateway
In a rare scenario, Security gateway may crash with fwk and fwk_wd core dump files.
PRJ-19410, PRJ-19411, PMTR-60877
Security Gateway
The "new-conn-rate" DOS/Rate limiting rules may not be enforced in usermode when enforcement for internal interfaces is disabled.
PRJ-22371, PRJ-22372, PRHF-15705
Security Gateway
In some scenarios, the Security Gateway attempts to access the Management Server through the server's NAT IP address (defined in the "NAT" section of the server object), while the server is reachable only through the main IP address (defined in the "General Properties" section of the server object).
Refer to sk171665 to configure the required parameter SKIP_NATTED_IP.
PRJ-20902, PRHF-5313
Security Gateway
In a rare scenario, the FWK process unexpectedly exits during debug.
Fix is relevant for Gaia 3.10 only.
PRJ-21110, PRHF-14953
Security Gateway
Authentication may fail when LDAP branch name contains "\".
Fix is relevant for Gaia 3.10 only.
PRJ-21053, PRJ-21054, PRHF-15024
Security Gateway
In a rare scenario, Fast Accel logs are sent although they are disabled on the matched rule. Refer to sk171336.
PRJ-23519, PRJ-23520, PRJ-23502
Security Gateway
Security Gateway may freeze on boot when enable IPv6 and IPv4 with 40 instances in Kernel mode. Refer to sk172364.
PRJ-21470, PRJ-21471, PRHF-14963
Security Gateway
When the Security Gateway is configured as a proxy, some network objects may not be matched correctly.
PRJ-23396, PRJ-23395, PRHF-15802
Security Gateway
Added support for “Other” services configured with IP protocol, but without advanced “Match” expression.
PRJ-23099, PRJ-23100, PRHF-13417
Security Gateway
The connection may not exist in SecureXL connection table when configuring Smart Connection Reuse kernel parameters and allow out of state TCP packets.
PRJ-21310, PRJ-21311, PMTR-63867
Security Gateway
Allow automatic configuration of Identity Awareness nested group state 4 for Security Gateways with a previously installed fix for IDA-754.
PRJ-24297, PRJ-24298, PMTR-67184
Security Gateway
In a rare scenario, the FWK process unexpectedly exits on the Security Gateway.
PRJ-22079, PRJ-22080, PMTR-64650
Internal CA
In a rare scenario, "This operation is not supported on STANDBY members" message is displayed and the cpca_client process unexpectedly exits when trying to renew a certificate on a standby Domain.
PRJ-19450, PRJ-21495, IDA-3194
Identity Awareness
Added optimization for PDP when handling Terminal servers Multi-User Host Agent (MUH).
PRJ-24583, PRJ-24584, PMTR-56794
Identity Awareness
In some scenarios, a Security gateway may crash after Take 232 installation due to Identity Awareness specific flow.
PRJ-21455, PRJ-21456, PRHF-14980
Identity Awareness
In some scenarios, VPN Remote Access client fails to connect if a certificate contains a DN with an asterisk (*).
PRJ-22357, PRJ-22358, IDA-3759
Identity Awareness
In some scenarios, output of "pdp conn pep" command may show wrong PEP names.
PRJ-21237, PRJ-14541, PMTR-52079
IPS
UPDATE: Exceptions are now enforced for these IPS protections:
Proxy source IP address is not printed in the IPS logs.
PRJ-19491, PRJ-23516, PMTR-20344
Application Control
The fw_full (fwd daemon) unexpectedly exits producing a core dump fila and causing a cluster failover.
PRJ-21294, PRJ-21295, PMTR-63495
URL Filtering
UPDATE: Improved RAD event output to provide additional information on events, such as detailed timing. This update also activates the retry mechanism by default.
PRJ-21708, PRJ-21709, PMTR-64263
SSL Inspection
In rare scenarios, a memory leak may occur in a crypto module.
PRJ-19776, PRJ-19777, PMTR-57233
SSL Inspection
In some scenarios, the wstlsd process may unexpectedly exit when browsing to certain websites.
PRJ-19780, PRJ-19781, PMTR-58480
SSL Inspection
A memory leak may occur during policy installation.
PRJ-22532, PMTR-41488
Anti-Malware
UPDATE: Improved behavior of Intelligence Feed failure.
Fix is relevant for Gaia 3.10 only.
PRJ-22019, PRJ-22020, PMTR-63963
Anti-Malware
In rare scenarios, the Threat Prevention Blade Exception used for performance optimization does not work as expected.
PRJ-20267, PRJ-20268, PRHF-14501
Anti-Malware
Packet capture may not be generated for certain IPS protections.
PRJ-18701, PRHF-12299
UserCheck
When using the UserCheck agent, the original URL attribute variable $orig_url$ may appear on URL field of log details.
Fix is relevant for Gaia 3.10 only.
PRJ-14601, PRJ-14602, PMTR-56744
Mobile Access
In some scenarios, pinger (MAB process that handles the ActiveSync traffic) may unexpectedly exit.
PRJ-21641, PRJ-21642, PMTR-60226
Mobile Access
Mobile Access may overwrite the /etc/hosts file on Security Gateway.
PRJ-21697, PRJ-21698, PMTR-64360
ClusterXL
UPDATE: Added the fwha_disable_ccp_on_monitor global kernel parameter. The parameter turns on/off the sending of CCP packets on link monitor interfaces.
PRJ-21347, PRJ-21348, CLUS-1804
ClusterXL
In some scenarios, a large quantity of logs is generated on cluster VIP API.
PRJ-19516, PRHF-14206
ClusterXL
In some scenarios, the required interface value is higher than it should be when adding a VLAN interface.
Fix is relevant for Gaia 3.10 only.
PRJ-22149, PMTR-63571
ClusterXL
During active-active-bridge mode, the "show routed cluster-state" command may display some members as slave instead of master.
Fix is relevant for Gaia 3.10 only.
PRJ-18060, PRJ-18061, PMTR-60766
SecureXL
UPDATE: Changed the "accept out of state" global parameter usage and added support to change it for specific VS. Refer to sk147093.
PRJ-22287, PRJ-22288, PMTR-62849
SecureXL
TCP reset packets may be dropped with an invalid sequence.
PRJ-22166, PRJ-22167, PRHF-15607
SecureXL
Rate limiting rules using concurrent-connection counters may cause connections to be blocked.
PRJ-22434, PRJ-22435, PRHF-15755
SecureXL
In some scenarios, the concurrent-conns rate limiting count may be inaccurate for FTP data connections.
PRJ-19370, PRJ-19371, PRHF-14133
SecureXL
Security Gateway may crash when the user runs "fwaccel tab -t" to view certain rate limiting tables that have a large number of entries.
PRJ-20683, PRJ-20682
SecureXL
In some scenarios, not all IP addresses listed in Deny List file $FWDIR/conf/deny_lists are loaded.
PRJ-22914, PRJ-22915, PRHF-15478
SecureXL
Improved the Smart Connection Reuse feature to be consistent with the user configuration. Refer to sk24960.
PRJ-19663, PRHF-13929
SecureXL
In some scenarios, connections are dropped when SYN Defender and ISN Defender are both enabled on the same interface.
Fix is relevant for Gaia 3.10 only.
PRJ-22901, PMTR-48384
Routing
In some scenarios, OSPF configured with unnumbered VTI on cluster frequently moves between "Full" and "EXSTART" status.
Fix is relevant for Gaia 3.10 only.
PRJ-17586, PRJ-17587
Gaia OS
UPDATE: SNMP USM user names limitation was increased from 8 characters to 31.
PRJ-22920, PRJ-22921, PMTR-62465
Gaia OS
"kernel: [SIM4];resume_from_error: failed to get ci_or_corr" error message may be printed numerous times in /var/log/messages file while running UDP Traffic Load. Refer to sk172543.
PRJ-21997, PRJ-21998, PRJ-21999, PMTR-56379
Gaia OS
In rare scenarios, SNMP user details may be visible in /var/log/messages file.
PRJ-21925, PRJ-21924, PRJ-17304
Gaia OS
Unable to set MTU on Igb cards.
PRJ-443
Gaia OS
Non-English characters in Expert password may cause Clish to crash.
PRJ-24153, PRHF-15900
Gaia OS
In rare scenarios, "show asset network" command may lead to memory leak. Refer to sk174823.
PRJ-24049, PRJ-24062, DP-7201
Gaia OS
Captive Portal / SAML portal may not work after installation with Blink image.
PRJ-21664, PRHF-15328
Gaia OS
In some scenarios, policy installation on a Check Point Gateway in Azure causes the Gateway to crash and load a default policy. Refer to sk171553.
Fix is relevant for Gaia 3.10 only.
PRJ-20743, PMTR-63201
Gaia OS
CVE-2020_25705: ICMP reply rate.
Fix is relevant for Gaia 3.10 only.
PRJ-22214, PRHF-15159
Gaia OS
"show configuration on" may not expose bond members.
Fix is relevant for Gaia 3.10 only.
PRJ-13301, PMTR-63247
VPN
NEW: Added 3 new views to SmartView for Remote Access, providing visibility for Remote Access users, users login summary, failed login attempts, used clients, top login options, number of users, operating systems, authentication methods and login activity.
PRJ-15567
VPN
In some scenarios, NAT-T traffic is sent to the wrong next-hop MAC address.
PRJ-19902, PRJ-19903, PRHF-14090
VPN
Mobile Access SNX may fail to connect to the Security gateway when the realm used by the client is different for the SSL VPN realm.
PRJ-18413, PRJ-16099, PMTR-62229
VPN
Remote Access VPN policy installation optimization. Refer to sk173947.
PRJ-21762, PRJ-22178, PMTR-34300
VPN
In a rare scenario, there may be an incorrect IKE ID in an ID payload with 3rd party peers in IKEv1 and IKEv2.
PRJ-17493, PRHF-13007
VPN
In IKEv2 renegotiation scenario, IPSec SAs may be deleted on a standby cluster member during post sync causing a VPN traffic outage. Refer to sk172926.
Fix is relevant for Gaia 3.10 only.
PRJ-22424, PRJ-22608, PRHF-11938
VPN
Tunnel Test packets may be dropped by Secure Configuration Verification (SCV) check when implied rules are disabled. Refer to sk168033.
PRJ-21649, PRJ-22302, PRHF-15006
VPN
When static NAT is configured on a destination, the SCV may fail to access the internal resources and "No scv status from client..." drops appear in SmartConsole. Refer to sk171550.
PRJ-19215, PRHF-13685
VPN
Site to Site VPN fails to establish with IKEv2 on GCP when NAT-t is enabled.
Fix is relevant for Gaia 3.10 only.
PRJ-22411, PRJ-22412, PMTR-60014
VPN
In some scenarios, L2TP tunnel is not deleted completely upon disconnection.
PRJ-23940, PRJ-23939, PRHF-14819
VPN
When the Remote Access is configured to use DHCP for the Office Mode allocation, disconnection of SNX/L2TP clients may cause the IP address not be removed from the table.
PRJ-23301, PRJ-23302, PMTR-66146
VPN
In rare scenarios, the vpnd process may unexpectedly exit in an L2TP-related flow.
PRJ-22541, PRJ-22542, PRHF-14102
VPN
Added stability fix in validation checks for ECDSA certificates.
PRJ-21259, VSX-2520
VSX
Allow the addition of routes with specific group of type "Group with Exclusion" when using VSX Provisioning tool.
PRJ-15568
VPN
In some scenarios, NAT-T traffic is sent to the wrong next-hop MAC address.
Fix is relevant for Gaia 3.10 only.
PRJ-23827, PRHF-16241
VSX
In rare scenarios, the Wrp interface may not come up. Refer to sk171753.
Fix is relevant for Gaia 3.10 only.
PRJ-20919, PRJ-20920, PRHF-14900
QoS
Security gateway may crash in QoS flow when interface goes down and up during packet processing.
R80.30 Jumbo HotFix - Ongoing Take 232 (16 March 2021)
PRJ-20071, MCFG-229
Security Management
NEW: Optimized the Solr build time to improve performance in the following operations:
Restore of the entire MDS/MLM from backup
Upgrade from R80.10
Solr Cure
PRJ-21004, PRHF-14969
Security Management
NEW: Improved FWM process performance during Security policy or database installation.
PRJ-22316, PRJ-22314
Security Management
NEW: Performance improvement of Management High Availability Full Sync.
PRJ-20030, PMTR-61770
Security Management
UPDATE: When purging revisions, task notifications will also be purged if created before the last revision to purge was published.
PRJ-19999, PRHF-14293
Security Management
UPDATE: Added improvements in policy load process, to reduce the policy installation time when having large amount of objects.
PRJ-20854, SMCUPG-1316
Security Management
Management Server upgrade from R80.20 to R80.40 may fail if a Network Interface object refers to a Gateway object that does not exist.
PRJ-21254, PMTR-62918
Security Management
In some scenarios, the log file of PostgreSQL (postgres.elg) may become very large.
PRJ-21186, PMTR-63358
Security Management
In rare scenarios, logout from a session fails with "An internal error has occurred" message.
PRJ-17788, PRHF-13382
Security Management
In some scenarios, policy verification for static NAT rules succeeds even though the source subnet NAT is bigger than the destination subnet NAT.
PRJ-21590, PRHF-15244
Security Management
Although the Access Settings of the Management API is set to "All IP addresses", the API server does not accept requests from any IP address unless the IP is defined explicitly as a Trusted Client.
PRJ-20886, PRHF-14946
Security Management
In some scenarios, when connecting to an existing session in SmartConsole from a different IP address, a wrong "Client IP" is shown in Audit Logs view.
PRJ-21585, PRHF-15222
Security Management
In rare scenarios, the CPM Solr process may not be stopped when running cpstop or mdsstop.
PRJ-20803, PRHF-14691
Security Management
In some scenarios, deleting a partial domain with createDomainRecovery.sh script fails when there are several RadiusGroup objects with the same name in different domains.
PRJ-21416, PRJ-20995
Security Management
In rare scenarios, the initiation of the Management server may take a long time.
PRJ-21358, PRHF-14606
Security Management
In some scenarios, the Purge Revisions task may stop and show 0% for hours or fail with the "An error has occurred while performing revision purge operation" message in SmartConsole.
PRJ-20303, PRHF-14634
Security Management
In some scenarios, deleting a Domain Server may fail with "Got at least one duplicate UID in requested list" error.
PRJ-20764, PRHF-14399
Security Management
High load may occur on the Management Server when searching for a prefix of IP address that has more than 10 thousand matches.
PRJ-20841, SMCUPG-1454
Security Management
When migrating a Domain Management Server to a Security Management Server:
SmartEvent blade cannot be activated on the migrated domain.
If the Domain had standby Domain Servers, it may cause inconsistencies in the database, that may result in different failures. For example, policy installation may fail.
PRJ-16471, PMTR-58631
Multi-Domain Management
UPDATE: When reassigning Global Domain for a Domain that is active on another Multi-Domain Server, the task is immediately relayed to the remote Multi-Domain Server without waiting in queue of the local server due to other tasks that are running.
PRJ-22274, PMTR-65110
Multi-Domain Management
In some scenarios, updating a Domain Server may fail with the "<IP> already in use" message. Refer to sk171916.
PRJ-21276, SMCUPG-1625
Multi-Domain Management
In some scenarios, HA Full Sync on the System Domain fails after upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059.
PRJ-19993, PRHF-14349
Multi-Domain Management
After importing two (or more) Security Management servers into a Multi-Domain Server, the Gateway objects may not be functional:
The editor may not show configuration correctly
Security Gateway update may fail.
PRJ-19722, PMTR-62272
Multi-Domain Management
The Multi-Domain session APIs "view sessions" and "show last-published-session" results may include sessions that were not filtered according to the administrator's permissions profile.
A Domain manager running the API will be notified when the results will be filtered and will be asked to run the command again with the "ignore-warnings" flag.
PRJ-21343, PRJ-16910
Multi-Domain Management
When running many Reassign Global Domain operations for Domains that are not active on the current Multi-Domain Server, the load on the Server may increase and result in slowness of user and automation work.
PRJ-20239, PRHF-14533
SmartConsole
When there are no search results, search in Access Control Policy displays "An error occurred while searching" instead of "No Items Found".
PRJ-21387, PMTR-63149
SmartConsole
Slowness may be observed in some SmartProvisioning operations (like open SmartProvisioning GUI, create a new LSM object, open an LSM object editor, etc.).
PRJ-21524
SmartConsole
In a rare scenario, automatic NAT rules are not visible in SmartConsole.
PRJ-20314, PRHF-14637
SmartConsole
In some scenarios, the "show gateways-and-servers" Management API command fails when running it with details-level full and when connected to the Global Domain. Refer to sk170895.
PRJ-18921, PRHF-13879
SmartConsole
In some scenarios, the "show-access-rulebase" Management API command fails when running it with details-level "full" and there is a network group with more than 50000 objects on one of the rules. Refer to sk170435.
PRJ-19140, PRHF-14010
SmartConsole
In some scenarios, the "add-user" API command with authentication method TACACS+ or Radius server fails with "object not found" message. Refer to sk170325.
PRJ-18859, SL-4613
Logging
NEW: Added support for Endpoint Forensics reports to get-attachment API.
PRJ-7953, PRHF-7415
Logging
In rare scenarios, a log may display incorrect values in the Action and Rule field. Refer to sk170676.
PRJ-20562, PMTR-58714
Logging
In rare scenarios, the Log Exporter fails to connect to external destination when using the TLS protocol.
PRJ-17355, PMTR-59205
Logging
FWM and\or log_indexer processes may repeatedly stop when there are more than ~500K network objects declared. Refer to sk164452.
PRJ-19009, PRHF-13936
Logging
In a rare scenario, CPD process may use a random port for AMON communication instead of port 18196.
PRJ-21156, PRJ-21078
Logging
In rare scenarios, the FWD process on the Security gateway may be blocked for several seconds due to processing of log attachments.
PRJ-20873, PMTR-62957
SmartView
UPDATE: To improve performance, SmartView now exports data in CSV format instead of Excel.
PRJ-20774, PRHF-13197
Compliance
In some scenarios, an incorrect Compliance status for Gaia OS Best Practices is displayed.
PRJ-14101, PRHF-11595
Compliance
Compliance Blade may not scan inline layers for Application Control and URL Filtering best practices.
PRJ-21109, PRHF-14953
Security Gateway
Authentication may fail when LDAP branch name contains "\".
PRJ-20338, PRJ-20339, PRHF-14616
Security Gateway
In rare scenarios, passive FTP packets may be dropped.
PRJ-21670, PRJ-21671, PRJ-8275
Security Gateway
In some scenarios, a Security policy installation fails during high CPU utilization.
PRJ-20898, PRJ-20899, PRHF-14824
Security Gateway
In some scenarios, the DNS requests from the Security Gateway may fail.
PRJ-17204, PRJ-17205, PRHF-2895
Security Gateway
After upgrading to R80.20, it is not possible to configure an OSPF interface to have a priority of 0.
PRJ-21610, PRJ-21611, PRHF-14715
Security Gateway
Security Gateway may crash when "Categorize HTTPS Websites" feature is enabled and categorization mode is set to "Hold".
PRJ-20630, PRJ-20631, PRHF-14378
Security Gateway
In rare scenarios, high memory consumption in CPD may occur due to a memory leak in authentication flow with an LDAP server.
PRJ-20383, PRJ-20384, PRHF-13431
Security Gateway
In a rare scenario, Access Control policy installation may fail after upgrade of Security Gateway from R80.10 or below to R80.20 or higher.
PRJ-19849, PRJ-19850, PRHF-14268
Security Gateway
In some scenarios, a memory leak may appear after sending a packet from the kernel.
PRJ-19702, PRJ-19703, PMTR-62215
Security Gateway
In rare scenarios, a memory leak may occur in TOPOD process.
PRJ-19583, PRJ-19584, PMTR-61102
Security Gateway
In some scenarios, "email_unified_cmi_get_attribs: not valid caller: up_log_get_user_hash" error appears in dmesg for SMTP traffic.
PRJ-11204, PRJ-17829, PRHF-9029
Security Gateway
In some scenarios, traffic that is matched on implied rule is dropped while it should not.
PRJ-19798, PRJ-19799, PMTR-60336
Security Gateway
Improved the policy enforcement of the ZIP archive inner files
PRJ-22407, PRJ-22833
Security Gateway
In some scenarios, the "rad_kernel_service_container_add_service" error is printed to dmesg.
PRJ-21362, PMTR-52835
Security Gateway
Traffic may be dropped when the Hide NAT is configured on IPv6 host.
Fix is relevant for Gaia 3.10 only.
PRJ-21240, PRJ-21241, PRHF-12746
Security Gateway
In rare scenarios, proxy ARP entries may be deleted when installing a policy.
PRJ-20923, PRJ-18595, PRHF-13478
Anti-Malware
In a rare scenario, the Security Gateway may crash when the Threat Prevention Forensics feature is enabled.
PRJ-20974, PRJ-20975, PRHF-14820
Anti-Malware
In rare scenarios, the Threat Prevention policy installation fails due to IOC parsing errors. Refer to sk171316.
PRJ-21724, PRJ-21725, PMTR-64420
Content Awareness
In a rare scenario, Security Gateway may crash when CPcode is running within Content Awareness or parser flow.
PRJ-20751, PRJ-20752, PMTR-52421
Identity Awareness
NEW: Added the Identity Awareness performance and memory consumption improvements. Refer to sk170516.
PRJ-20845, PRJ-20846, PRHF-14347
Identity Awareness
In some scenarios, running pdpd commands results in "daemon did not respond or not running!" error. Refer to sk171136.
PRJ-20860, PRJ-20861, IDA-3642
Identity Awareness
In some scenarios, there may be enforcement issues for MUHv2 users due to table mismatch.
PRJ-23594, PRHF-10292
Identity Awareness
In Identity Awareness Captive portal, the default Check Point logo is displayed even if the user-defined logo is configured. Refer to sk133492.
Fix is relevant for Gaia 3.10 only.
PRJ-20346, PRJ-20347, PRHF-14266
IPS
In rare scenario, the SmartConsole shows the "IPS is not responding" message even though IPS is functioning normally.
PRJ-20094, PRJ-20095, PMTR-59101
DLP
UPDATE: Added support for multi-part data to DLP.
PRJ-20836, PRJ-20837, PRHF-14744
DLP
Improved DLP scanning for POST request to some Web sites.
PRJ-18840, PRJ-18841, PRHF-13322
SSL Inspection
In rare scenarios, a memory leak may occur during policy installation.
PRJ-19039, PRJ-19040, PRHF-13886
UserCheck
In some scenarios, users cannot restore original attachment via UserCheck portal and receive the "An unexpected error has occurred" error message.
PRJ-20517, PRJ-20489, PRHF-13935
ClusterXL
UPDATE: Added the option to display only monitored interfaces to "show cluster members <option>" command:
In Gaia Clish, run "show cluster members monitored"
In Expert mode, run "cphaprob -m tablestat"
PRJ-20533, PRJ-20534, PRHF-14728
ClusterXL
In some scenarios, data connections are dropped with "First packet isn't SYN" message on ClusterXL Load Sharing.
PRJ-19391, PRHF-14115
ClusterXL
"set router active-active-mode" settings do not survive а reboot.
Fix is relevant for Gaia 3.10 only.
PRJ-19924, PMTR-58748
ClusterXL
In rare scenarios, running cphastop;cphastart may cause a cluster member to stay in "Down" state.
Fix is relevant for Gaia 3.10 only.
PRJ-19662, PRHF-13929
SecureXL
In some scenarios, connections are dropped when SYN Defender and ISN Defender are both enabled on the same interface.
PRJ-19404, PRJ-19405, PMTR-60870
SecureXL
In some scenarios, Rate Limiting rules for DoS do not work after reboot. Refer to sk170148.
PRJ-17402, PRJ-17403, PRHF-13153
SecureXL
In some scenarios, PPTP or GRE traffic may be dropped. Refer to sk170293.
PRJ-20545, PRHF-14680
SecureXL
Security Gateway may crash when there are interfaces that do not need the ARP resolution (VTI).
Fix is relevant for Gaia 3.10 only.
PRJ-5075, PRHF-3929
Gaia OS
NEW: The ARP cache size limit on Clish was increased to 131072 hosts.
Fix is relevant for Gaia 3.10 only.
PRJ-19559, PRJ-19560, PRJ-19561, PRJ-19531
Gaia OS
NEW: Gaia API (version 1.5) will now be deployed via Jumbo Hotfix.
PRJ-22837, PMTR-55383
Gaia OS
UPDATE: Added the option to bind IP addresses to sockets using the "udp_connect" API. Refer to sk171019.
PRJ-21847, PRJ-21848, PMTR-50378
Gaia OS
UPDATE: Updated the arp table limit to 131072 in:
"set arp table" maximum entries through WebUI
Help description of "set arp table cache-size" in CLI
PRJ-20037, GAIA-6704
Gaia OS
UPDATE: Added support for multiple commands definition in Dynamic CLI feature.
Fix is relevant for Gaia 3.10 only.
PRJ-18938, PRJ-18939, PRHF-13812
Gaia OS
In some scenarios, the "... fwldbcast_handle_retrans_request: Updated bchosts_mask to 1" message may be printed in /var/log/messages file.
PRJ-20042, PMTR-55457
Gaia OS
Sensitive Information Disclosure may appear in the output of "show file *" CLI command.
Fix is relevant for Gaia 3.10 only.
PRJ-20744, PMTR-63201
Gaia OS
CVE-2020_25705: ICMP reply rate.
PRJ-16959, PRJ-16960, PRHF-12751
Gaia OS
In some scenarios, the "rhost"value may be missing from logs when the user tries to access the WebUI.
PRJ-21093, PMTR-48177
Gaia OS
WebUI may not load for Management devices.
PRJ-20038, PMTR-49489
Gaia OS
Several features are duplicated (both in WebUI and Clish) in RBA roles configuration/settings.
This is a cosmetic issue. Fix is relevant for Gaia 3.10 only.
PRJ-19623, PMTR-58288
Gaia OS
Extended commands are missing after adding Dynamic CLI.
Fix is relevant for Gaia 3.10 only.
PRJ-20040, PMTR-54647
Gaia OS
Read-Only users may run Dynamic CLI command with UUID other than 0.
Fix is relevant for Gaia 3.10 only.
PRJ-15660, PRJ-15661, PMTR-57216
Routing
UPDATE: Display of routing CPview results is limited to 30 lines.
PRJ-19627, PRJ-19628, PRHF-14280
Routing
ip-reachability-detection ping marks a target IP address as "unreachable" if the path goes via a VPN tunnel, although pinging this IP address directly works.
PRJ-15548, PRJ-15549, PRHF-11629
VPN
UPDATE: Added the TTM-per-group feature improvement that allows it to work with more client types (for example Nemo client).
PRJ-20946, PRJ-20947, PMTR-63287
VPN
In some scenarios, L2TP clients disconnect from the Security Gateway after 10 minutes of the connection.
PRJ-18751, PRJ-18752, PRHF-2209
VPN
In some scenarios, the Dynamic ID configuration in SmartConsole (SMS/Email) is ignored. Refer to sk144933. With this fix, an administrator will be able to choose for each login option separately which protocol (HTTP/SMTP) will be used to send the one-time code.
PRJ-17492, PRHF-13007
VPN
In IKEv2 renegotiation scenario, IPSec SAs may be deleted on a standby cluster member during post sync causing a VPN traffic outage.
PRJ-20825, PRJ-21087, PRJ-20824
VPN
In IKEv2, the renegotiation of IKE SA may fail.
PRJ-21541, PRJ-21542, PMTR-64128
VPN
Added VPN Remote Access stability improvement.
PRJ-19482, VPNS2S-1446
VPN
Added various VPN connection improvements on Gaia 3.10.
PRJ-21694, PRHF-15321
VPN
When IKEv2 and pre-shared-key is configured, VPN may fail on the second IKE SA re-key. Refer to sk171756.
Fix is relevant for Gaia 3.10 only.
PRJ-19214, PRHF-13685
VPN
Site to Site VPN fails to establish with IKEv2 on GCP when NAT-t is enabled.
PRJ-12241, PRJ-16987, PRHF-10370
VPN
When clicking "View..." in Trusted CA object's OPSEC PKI tab, this may show the "Failed to get a certificate of <object name> from keyset" error. Refer to sk166496.
PRJ-7480, PRJ-15245, GAIA-6504
VPN
Policy installation with VPN enabled may take a long time.
PRJ-7476, PRJ-15244, VPNRA-297
VPN
The vpnd daemon may unexpectedly exit during policy installation when the Mobile Access blade is used.
PRJ-19422, PRJ-19423, PRHF-13784
VPN
In some scenarios, the vpnd process unexpectedly exits with Segmentation fault.
PRJ-13820, PRJ-21084, PRHF-10420
VPN
Access roles do not recognize Remote Access SNX CLI clients.
PRJ-17185, PRHF-12828
VPN
Connectivity issue may appear between Check Point Gateway and 3rd party device in MEP DPD configuration when 3rd party device is defined as Central Gateway in MEP. Relevant error message: "Failed to resolve VPN MEP gateway".
PRJ-18269, PRJ-18270, PRHF-13543
VPN
The VPND process on a standby cluster member may unexpectedly exit when VPN peer has a probing link selection configured. Refer to sk170136.
PRJ-19971, PRJ-19969
VSX
UPDATE: Removed the .1.3.6.1.4.1.2620.1.16.22.2 (vsxStatusCPUUsageTable) and .1.3.6.1.4.1.2620.1.16.22.4 (vsxStatusCPUUsagePerCPUTable) OIDs as not supported on Gaia 3.10.
PRJ-20148, PRHF-14537
VSX
In rare scenarios, some interfaces remain in "Down" state after reboot.
Fix is relevant for Gaia 3.10 only.
PRJ-20963, VSX-2519
VSX
After running "vsx_util vsls" and selecting option #6, the operation may fail with the "Internal Error: got empty reply set" error. Refer to sk171352.
PRJ-15445, PRJ-15446, PMTR-55887
VSX
In some scenarios, there may be high CPU utilization in a VSX environment with several instances.
PRJ-20584, PRJ-20585, VPNRA-642
Mobile Access
Removed potential XSS vulnerability in the MAB Login page.
PRJ-19234, PRJ-19235, PRHF-14046
Mobile Access
There may be a delay when connecting to HTTPS based SMS portal over a non-standard proxy port. Refer to sk170497.
PRJ-21748, PMTR-60418
Endpoint Security
On the SmartEndpoint Reporting page, the "Endpoint Connectivity" report that is filtered by a virtual group returns an empty list.
PRJ-19311, PRHF-13909
CloudGuard IaaS
When creating a GCP Data Center, Test Connection may fail on large GCP accounts.
R80.30 Jumbo HotFix - General Availability Take 228 (02 February 2021, GA from 16 March 2021)
PRJ-19947, PMTR-62429
Security Management
NEW: Added new Management HA utility to schedule automatic full syncs to peers that failed to be synchronized incrementally.
PRJ-19697, PRJ-13465
Security Management
UPDATE: If a Management HA synchronization stalls (displaying "Peer is busy"), it will be released within 2 hours instead of 24 hours.
PRJ-17762, PMTR-58785
Security Management
When migrating a Security Management Server that was created as a standby and then set to active, into a Domain Management Server, the new Domain is created without an active Domain Server.
PRJ-19083, PRHF-13972
Security Management
In some scenarios, HA synchronization may fill up the disk space of a standby Management Server. Refer to sk168492.
PRJ-17691, PRHF-13332
Security Management
In some scenarios, HA temporary sub-directories under $FWDIR/tmp are not deleted if sync fails. Refer to sk170972.
PRJ-18287, PMTR-61010
Security Management
In rare scenarios, the CPU and memory usage of the CPM process may be abnormally high. Refer to sk170672.
PRJ-20114, PMTR-60541
Security Management
In a rare scenario, the FWM process unexpectedly exits.
PRJ-18378, PMTR-53043
Security Management
In some scenarios, SecurID configuration files on the Security Gateway are overridden upon policy installation.
PRJ-18474, PRHF-13644
Security Management
In some scenarios, the first environment variable configured using sk165938 is not loaded and not used by the CPM process.
PRJ-19952, PRHF-14394
Security Management
The Management HA window in SmartConsole may mistakenly show the "Peer is busy" warning message for a few seconds.
PRJ-17727, PRHF-13278
Security Management
Upgrade may fail if a Data Center object was last modified by an Administrator with a single quote in the name.
PRJ-18897, PRHF-13860
Security Management
Policy installation may fail after migration from Domain Management to Security Management Server.
PRJ-21077
Security Management
When installing an R80.30 Jumbo Hotfix Take higher than 83 on Security Management server, the /opt/CPSFWR80CMP-R80.30/conf/vpn_route.conf file is overwritten. Refer to sk170573.
PRJ-19272, PRHF-14074
Security Management
Policy installation duration may increase due to a large $FWDIR/conf/invalid_object_names.C file on the Management Server. Refer to sk170427.
PRJ-17212, PRHF-12851
Multi-Domain Management
UPDATE: With this fix, mds_backup will back up the Upgrade Tools package(s) and mds_restore will restore them on a Multi-Domain Server.
PRJ-19276, PRHF-13977
Multi-Domain Management
In rare scenarios, the Management Server becomes inaccessible after a Global Policy reassign operation.
PRJ-18250, PRHF-12413
Multi-Domain Management
Migration of Domain Server between different Multi-Domain Servers may fail due to incorrect internal values of default objects.
PRJ-17561, PRHF-12885
Multi-Domain Management
In some scenarios, reassigning a Global Policy may fail if the Global and local domains are not active on the same Multi-Domain Server.
PRJ-19646, PMTR-62201
Multi-Domain Management
In rare scenarios, a Domain is shown in the Domains view without any Domain Server or a Domain is shown with Domain Server that was deleted and does not exist anymore. Refer to sk170556.
PRJ-19318, PMTR-61346
SmartConsole
NEW: Added support for Python 3 in Management API scripts.
PRJ-20245, PMTR-62490
SmartConsole
UPDATE: A pop-up warning will be displayed every time a "Custom Application" object with a performance impacting URL is edited (instead of being displayed only once).
PRJ-13811, PRJ-13808
SmartConsole
In some scenarios, the Administrators view shows all administrators in all domains regardless of the specific permission profile of the connected administrator.
PRJ-18883, PRHF-13818
SmartConsole
Setting values for the environment variables of the Management API as per sk165938 does not work: the values are neither loaded nor used by the API process.
PRJ-20146, PRJ-20145
SmartConsole
SmartConsole may disconnect when searching in the Object Explorer for the text with an odd number of double quotes.
PRJ-13814, PMTR-19017
SmartConsole
In some scenarios, when the user attempts to delete a VSX Gateway / VSX Cluster, an error message may appear and the operation may not be completed successfully. Refer to sk167492.
Adding Global dynamic objects to source or destination columns of access rules on the Global Domain via Management API may fail when using the Global dynamic object names.
PRJ-13122, PRHF-11105
SmartConsole
In some scenarios, the "Update operation failed" error is displayed when attempting to delete a Gateway from the VPN community. Refer to sk167212.
PRJ-19832, PMTR-50205
SmartConsole
The "show objects" command returns all objects in Global domain with any filter when "ip-only" flag is set to "true".
PRJ-20785, PRHF-13556
SmartConsole
When the user creates an Access Role, the AD organization tree may show duplicate branches, and some branches may be missing.
PRJ-19533, PMTR-62078
SmartConsole
In some scenarios, when adding a new user certificate of type .p12 via API command, the returned certificate may be incorrect.
PRJ-19201, PRHF-13955
SmartConsole
In some scenarios, when using the "set simple-gateway" API command with "logs-settings.forward-logs-to-log-server", it fails with "Generic server error". Refer to sk170352.
PRJ-18381, PRHF-13609
SmartConsole
In some scenarios, running an action on a ROBO Gateway behind NAT does not work during sync on SMB appliances.
PRJ-14105, PRHF-11590
SmartConsole
Search in Threat Prevention Exceptions in Protection/Site/File/Blade column may not return all expected results.
PRJ-18464, PRHF-13551
SmartConsole
In some scenarios, Staging mode IPS protections activation in the Local domain does not match the activation in the Global domain after a Global Threat Prevention policy assignment. Refer to sk170322.
PRJ-18779, PMTR-56281
SmartView
In rare scenarios, "Critical attacks allowed by policy widgets" in the "General Overview" view may show no results while actual data exists. Refer to sk171001.
PRJ-19844, PMTR-62010
SmartView
UPDATE: Improved the time resolutions usability (formally known as samples) of the Timeline widgets.
PRJ-17996, SL-2106
Logging
NEW:
Log Exporter can now schedule a recurring reconnection to the target 3rd party server periodically. This allows usage of a Load Balancer component for target servers.
The target 3rd party server can be declared as a DNS name also when using UDP protocol.
PRJ-1655, SL-1901
Logging
UPDATE: Added ability to SOLR process running on the Log server to prevent TLS1.1 and below in port 8211. Refer to sk168472.
PRJ-7524, SL-2989
Logging
Connection between the Gateway and the Log Server may go down, with this error message in the fwd.elg file on the Gateway: "Log server xxx.xxx.xxx.xxx went down".
PRJ-19818, SL-4358
Logging
In rare scenarios, the log_indexer process may unexpectedly exit when reading a specific log format. Refer to sk116117.
PRJ-5873, PRHF-3460
Logging
In rare scenarios, when the user configures a custom event with a script based automatic reaction in SmartEvent, the SmartEvent client may show the "Server is not responding. Please try to reconnect later" error. Refer to sk155192.
PRJ-19715, PMTR-53967
Logging
When installing a newer Jumbo Hotfix, the Log Exporter filtering configuration may not persist and set to default.
PRJ-2522, SL-1755
Logging
In rare scenarios, the log_indexer process may unexpectedly exit.
PRJ-17163, PMTR-59241
Logging
The "show-log" API command may fail with the "GENERIC_SERVER_ERROR" error.
PRJ-11311, PMTR-51802
Logging
In Multi-Domain Management environments, some of the log_indexer processes may fail to start due to an occupied port.
PRJ-16175, PMTR-55550
Logging
In some scenarios, the cpsemd process on the log server may close unexpectedly during a restart, shutdown or upgrade.
PRJ-12200, PRJ-12201, PRHF-10306
Logging
In some scenarios, the "Failed to fetch the file" error is displayed when trying to open Threat Emulation summary reports generated by VSX Gateways.
PRJ-11342, PRJ-19227, PRHF-9582
Security Gateway
NEW: Added support for authentication with a RADIUS server that expects to receive an empty password on the first message. VPN client will receive 2 dialogs instead of 3.
PRJ-20336, PRJ-20337, PMTR-57101
Security Gateway
NEW: Added Performance improvement when IP Pool NAT is used.
PRJ-20676, PMTR-62328
Security Gateway
NEW: Added the Connection Tracker module - a background mechanism collecting connection flows’ key points vertically from all Security gateway components. The connection flows helps understanding connectivity and latency issue pointing on successful / problematic stages in a connection lifecycle.
In rare scenarios, Security Gateway memory consumption may increase.
PRJ-7737, PRJ-19485, AVIR-479
Security Gateway
False "alert" logs may be displayed in some Anti-Spam events.
PRJ-18628, PRJ-18629, PRHF-11912
Security Gateway
Wrong memory (hmem) values may be reported by specific SNMP OID. Refer to sk168992.
PRJ-13345, PRJ-19281, PRHF-8408
Security Gateway
In a rare scenario, the FWD process opens connections to port 111.
PRJ-20513, PRJ-20514, PRHF-14630
Security Gateway
In some scenarios, when using routing separation, connection to Management Plane via Data Plane is dropped.
PRJ-19955, PRJ-19956, PMTR-62477
Security Gateway
Half-closed accelerated TCP connections may take too long time to expire.
PRJ-13375, PRJ-13376 PMTR-54887
Security Gateway
The TCP State Logging feature may not work as expected. Refer to sk101221.
PRJ-20954, PRJ-20953
Security Gateway
In some scenarios, logs with incorrect action are generated by ICAP server.
PRJ-20653, PRJ-20654, PMTR-63092
Security Gateway
Accept logs with reason "Connection terminated before detection: Insufficient data passed. To learn more see sk113479." may be wrongly generated when the matched action is user authentication and wrong username/password provided by user.
PRJ-13969, PRJ-18236, PRHF-11634
IPS
UPDATE: The "ips stat" command now shows all active Threat Prevention profiles with IPS enabled on the Security gateway.
PRJ-19298, PRJ-19299, PRHF-13560
IPS
In some scenarios, log output shows the Origin/Source as "0.0.0.0" in VSX 3rd party IPS logs.
PRJ-16444, PRJ-16445, PRHF-12684
IPS
The get_ips_statistics.sh script on VSX may fail with "/bin/cat: /proc/self/vrf: No such file or directory" error.
PRJ-13498, PRJ-19199, PRHF-10943
IPS
In some scenarios, a non-compliant IMAP traffic is dropped.
PRJ-19743, PRHF-13998
Anti-Bot
Dynamic Global Network Object usage inside a Network Group object may cause an Access Policy installation failure.
PRJ-19590, PRJ-16924
Anti-Virus
In rare scenarios, after downloading files, Anti-Virus prevent logs appear with "Strict hold is not possible failure - Write to other side occured" error message.
Fix is relevant for Gaia 3.10 only.
PRJ-19597, PRJ-19600, PRHF-14259
DLP
UPDATE: Improved the DLP scans queue for a better scan rate.
PRJ-19920, PRJ-19921, PRHF-14156
DLP
UPDATE: Expanded DLP postfix authentication to include NTLM to allow the Security gateway to connect to a mail servers that use the NTLM authentication protocol.
PRJ-18988, PRJ-18989, PMTR-59795
DLP
In a rare scenario, "SEC Filings - Draft or Recent" Data Type in DLP is not properly enforced.
PRJ-17872, PRJ-17873, PRHF-10279
HTTPS Inspection
UPDATE: "Categorize HTTPS websites" feature enhancements when "Categorize HTTPS Sites" feature is enabled:
Improved enforcement of first connection when URL Filtering setting is 'Hold' mode
Added SNI information to connection logs when connection is matched on rule with "Extended Log"
In some scenarios, the HTTPS Inspection CA bundle is not created on the Security Gateway.
PRJ-16561, PRJ-16562, PMTR-58568
Anti-Malware
Security Gateway may crash when certain traffic is handled during policy installation and the Anti-Virus Deep Scanning is enabled.
PRJ-16621, PRJ-16622, PRHF-12737
Anti-Malware
Exported with "ioc_feeds export" command indicator feeds may contain user credentials. Refer to sk169035.
PRJ-15224, PRJ-18762, PMTR-54248
Anti-Malware
In a rare scenario, HTTP connections are timed-out.
PRJ-17842, PRJ-18561, PMTR-58416
Anti-Malware
In some scenarios, Threat Prevention logs appear half-full (not unified).
PRJ-18700, PRHF-12299
UserCheck
When using the UserCheck agent, the original URL attribute variable $orig_url$ may appear on URL field of log details.
PRJ-19159, PRJ-19160, TEX-1482
Threat Extraction
UPDATE: Threat Extraction will no longer attempt to perform "Convert to PDF" if the file is corrupted, because the resulting files in these cases are usually unreadable. To reactivate this behavior, set the "enable_alternative_scrub_method" variable in $FWDIR/conf/scrub_debug.conf file to 1 and install the Security policy.
PRJ-9944, PRJ-17021, PRHF-8315
Threat Extraction
In some scenarios, multiple files called "ckp_mutex" are created on the Security Gateway.
PRJ-17419, PMTR-45649
Threat Prevention
Improvements in HTTP chunked encoding inspection.
PRJ-18246, PRJ-18124
Identity Awareness
NEW: Added Identity Sharing's performance and functionality improvements. Refer to sk170516.
Fix is relevant for Gaia 3.10 only.
PRJ-13174, PRJ-17912, PMTR-53443
Identity Awareness
UPDATE: Optimized memory usage in the PDP process’s LDAP operations.
PRJ-19637, PRJ-19638, PMTR-61982
Identity Awareness
In some scenarios, when a standby cluster member receives RADIUS accounting updates, there may be high CPU on the PDP process.
PRJ-19747, PRJ-19746, PRHF-14338
Identity Awareness
In some scenarios, the Security Gateway may not recognize an IP address as a local address, resulting in wrong drops.
PRJ-18178, PRJ-18179, MBS-12220
URL Filtering
In some scenarios, the wstlsd process may unexpectedly exit and produce a core dump.
PRJ-17324, PRJ-17325, PRHF-13031
Mobile Access
Remote access connectivity failure when the user belongs to number of groups that exceeds the limited available space (200~ groups).
PRJ-14363, PRJ-14358
ClusterXL
Same MAC Magic configuration on different clusters in Unicast mode may cause flapping in switch. Refer to sk167206.
PRJ-16514, PRJ-16515, MBS-11708
SecureXL
NEW: Added the ability to enable monitor-only mode for penalty box independently of other DOS/Rate limiting features.
PRJ-18321, PRJ-18322, PRHF-13474
SecureXL
UPDATE: Drop templates can be generated for connections with matched action Reject. For additional information and configuration, refer to sk171146.
PRJ-20053, PRJ-20054, PRHF-14417
SecureXL
In rare scenarios, SecureXL may crash due to NULL handling.
PRJ-16581, PRJ-16582, PRHF-12716
SecureXL
In some scenarios, traffic with the destination IP address as the broadcast address configured according to sk98810 is dropped.
PRJ-18082, PRJ-18083, PRHF-13507
SecureXL
SNMP may show wrong values for the number of bytes and packets accepted by Security gateway. Refer to sk170132.
PRJ-20049, PRHF-14165
SecureXL
Memory leak may appear in VPN or Active Streaming configuration.
Fix is relevant for Gaia 3.10 only.
PRJ-20025, PRJ-20026, PRHF-14228
SecureXL
Server may not reuse the TCP connection when the user allows out of state TCP packets.
PRJ-19461, PRJ-19462, PMTR-60878
Routing
Routed logs may incorrectly state that routemaps that export to OSPF cannot set the OSPF manual tag, even though the functionality works.
PRJ-20046, PRJ-20047, PRHF-14304
Routing
In some scenarios, large number of unnecessary log messages may be sent to /var/log/messages file which makes it difficult to run debug. Refer to sk170796.
PRJ-20437, PRJ-20438, PMTR-45014
Routing
ECMP route nexthops learned from BGP peers may be not properly updated in the kernel, resulting in network connectivity loss.
PRJ-20442, PRJ-20443, ROUT-1325
Routing
The old route may be not removed when an BGP ECMP route was changed.
PRJ-18278, PMTR-58528
Routing
Certain types of multicast traffic may not be handled correctly in Bridge mode.
Fix is relevant to Gaia 3.10 only.
PRJ-20469, PRJ-20470, PRHF-14653
Gaia OS
In some scenarios, the Security Gateway attempts to fetch the policy from / send logs to the real IP address of the Management Server (defined in the "General Properties" section of the server object) instead of the server's NAT IP address (defined in the "NAT" section of the server object).
Refer to sk171055 to configure the required parameter FORCE_NATTED_IP.
PRJ-18239, PRJ-18241, PRHF-13451
Gaia OS
"cphaprob -h" shows incorrect explanation for "cphaprob show_bond [<bond_name>]" command.
PRJ-19328, PRJ-19329, PRHF-14073
Gaia OS
In some scenarios, login from data plane context fails (no connectivity to server).
PRJ-18609, PMTR-60804
Gaia OS
Bond interface in XOR mode or 802.3AD (LACP) mode may experience suboptimal performance, if on the Bond interface the Transmit Hash Policy is configured to "Layer 3+4" and Multi-Queue is enabled.
Fix is relevant for Gaia 3.10 only.
PRJ-18079, PRJ-18080, PRHF-13504, PRJ-18084
Gaia OS
On environments with large IP routing tables, the SNMPD process may consume 100% CPU when running a scan from an external tool. Refer to sk170150.
PRJ-20941, PRJ-20942, PMTR-63343
Gaia OS
Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253.
NEW: Added VPN command line mechanism stability enhancement and VPN improvements in IKEv2.
PRJ-17485, PRJ-17486, PMTR-40127
VPN
NEW: Added Anti-Spoofing functionality for Remote Access Office Mode IPs in SecureXL.
PRJ-16430, PRJ-16431
VPN
UPDATE: Added ability to fetch CRL with proxy in Site to Site VPN.
PRJ-19088, PRJ-19089, PMTR-61752
VPN
UPDATE: Remote Access VPN stability improvement.
PRJ-15740, PRJ-15741, PRHF-12010
VPN
In some scenarios, findSAByPeer does not validate the peer IP address for DAIP peer behind NAT.
PRJ-16339, PRJ-16340, PRHF-12447
VPN
The user may be unable to connect with Remote Access when the username or user field in the certificate is too long.
PRJ-14334, PRHF-9885
VPN
A connectivity issue may occur when a non-encrypted VPN tunnel is used with IKEv2. Refer to sk167902.
Fix is relevant for Gaia 3.10 only.
PRJ-21085, PMTR-60933
VPN
"Decryption failed" drop logs may appear under heavy VPN load for accelerated tunnels using SHA 384 or SHA 512 Ciphers.
Fix is relevant for Gaia 3.10 only.
PRJ-20520, PRJ-20521, PRHF-14766
VPN
In a rare scenario, the FWM process unexpectedly exits when enrolling a certificate using the SCEP protocol.
PRJ-20645, PRJ-20635, PMTR-63280
VPN
In some scenarios, the VPND process may unexpectedly exit.
PRJ-21681, PRHF-15321
VPN
When IKEv2 and pre-shared-key is configured, VPN may fail on the second IKE SA re-key.
PRJ-20331, PRJ-20332, PMTR-62776
VPN
Security gateway may crash when you install policy on a MAB gateway and a policy file is corrupted.
PRJ-20273, PRJ-20274, PRHF-14308
VPN
In a rare scenario, a memory leak may appear when RASession_util is active.
PRJ-20866, PRJ-20867, PMTR-56565
VPN
In some scenarios, the VPND process keeps re-downloading the same CRL, which can cause performance issues.
PRJ-18501, PRJ-18502, PMTR-60820
VSX
UPDATE: Added support for VSX SecureXL tabs on CPView. Refer to sk167903.
PRJ-18187, PRJ-18188, PMTR-53549
VSX
VSX VSLS Cluster with 3 Members may fail to connect to Identity Collector. Refer to sk170836.
PRJ-20044
Endpoint Security
Jumbo Hotfix installation may fail on top of the Jumbo Hotfix with Takes lower than 163.
PRJ-20599, PRJ-20600, PRHF-14400
VoIP
VoIP’s RTP can cause overload on global instance (CoreXL instance 0).
PRJ-16455, PRJ-16456, PRHF-12691
VoIP
SIP parser may cause the wrong RTP dynamic connection to be opened. Refer to sk169373.
R80.30 Jumbo HotFix - General Availability Take 227 (15 December 2020, GA from 28 January 2021)
PRJ-14510, PRHF-11981
CPView
In some scenarios, CPView may unexpectedly exit after upgrade from R80.20 GA.
PRJ-17661, PMTR-43792
CPView
CPView history may save data for a short period only. Refer to sk172264.
Fix is relevant for Gaia 3.10 only.
PRJ-18835, PRJ-18768, PRHF-13728
Security Management
NEW: Improved FWM process performance during policy or database installation.
PRJ-16368, PRHF-12594
Security Management
When logging into SmartConsole directly to a Domain using Radius or TACACS, the Authentication method in the audit log may show as "Internal Password". Refer to sk168716.
PRJ-17042, PMTR-59394
Security Management
In rare scenarios, some objects may be locked and not available for editing. Refer to sk169772.
PRJ-18816, PRHF-13819
Security Management
Management HA synchronization between Multi-Domain Management Servers may fail with "Failed to import data" error due to manual or automatic updates of contracts.
PRJ-19022, PMTR-61616
Security Management
In rare scenarios, FWM process may unexpectedly exit after a login attempt to the Management server.
PRJ-18491, PRHF-13681
Security Management
In rare scenarios, a policy installation task may never complete.
PRJ-16473, PMTR-58630
Security Management
Login with SmartConsole is blocked while purge revisions task is running.
PRJ-18689, PRHF-13744
Multi-Domain Management
Database installation to the newly created Domain Log Server may fail.
PRJ-18906, PMTR-61579
Multi-Domain Management
In some scenarios, size of MDS backup file increases after each policy installation.
PRJ-18682, PRJ-18683
Multi-Domain Management
In some scenarios, domain import to a Multi-Domain Management Server may fail.
PRJ-17237, PMTR-59666
Multi-Domain Management
On Multi-Domain environments with multiple Multi-Domain servers connected in HA, operations such as "Log in" and "Reassign Global Domain" may fail due to high load on FWM process.
PRJ-7432, PRHF-7241
Multi-Domain Management
In rare scenarios, reassigning the Global Policy on a specific domain fails with "An internal error has occurred". Refer to sk163938.
PRJ-13475, PRHF-11299
Multi-Domain Management
Domain Servers may disappear from Multi-Domain view after running the Solr Cure utility.
PRJ-17879, PMTR-60559
SmartConsole
In Global Properties under Stateful Inspection tab, the "TCP end timeout (R80.20 and higher gateways)" option does not support values higher than 60 seconds.
In some scenarios, Management API does not start automatically after restart, although automatic start is enabled. Refer to sk168332.
PRJ-18040, PMTR-60761
SmartConsole
In some scenarios, after a successful IPS update, the new IPS version does not appear under 'switch version' window.
PRJ-18329, PMTR-58703
SmartConsole
Exception group may be incorrectly deleted in the following scenarios:
"Apply On" in exception group is changed from "Automatically attached to each rule with profile" to "Automatically attached to all rules".
A profile that was attached to the exception group, is deleted.
The group is removed from the exception groups list, however it remains in the Threat Prevention rulebase.
PRJ-17642, PRHF-13379
SmartConsole
When creating a user with Check Point password authentication through the Management API, log in to Mobile Access portal may fail. Refer to sk170412.
PRJ-19058, PMTR-34323
SmartConsole
Upgrade may fail due to IPS protections comment that is exceeding the comment length limit.
PRJ-18774, PMTR-59827
SmartConsole
In some scenarios, FWM and CPD processes may consume high CPU due to large number of Security Management/Security gateway objects in the policy.
PRJ-16705, PRHF-12819
SmartConsole
Enabling Threat Prevention policy may fail with validation errors when the policy's targets include cluster members running a version lower than R80.10.
PRJ-17413, PRHF-13223
SmartConsole
When removing an object from a group using the “groups” field of the object’s module in the Ansible collection, the group will not be changed and Ansible will show that no changes are needed.
PRJ-18308, PRJ-18307
SmartProvisioning
NEW: Added support for Threat Emulation blade on LSM profile of R80.20 SMB gateways and clusters.
In some scenarios, when recreating a ROBO object with the same name, the new object receives the previous status.
PRJ-488, SL-1896
Logging
In SmartConsole logs tab, filtering logs by the field "Method" may return empty results when using the values PROPFIND, CCM_POST or PATCH.
PRJ-19001, PRJ-19002, PRHF-13892
Security Gateway
In some scenarios, when using routing separation, connection from data plane to management plane is dropped.
PRJ-19180, PRJ-19182, PMTR-61822
Security Gateway
Connections may be wrongly matched on Domain or Updatable objects used in Security policy.
PRJ-14447, PRJ-14448, PMTR-10041
Security Gateway
In some scenarios, large number of interfaces defined on Security gateway may cause high CPU utilization by CPD process. Refer to sk168674.
PRJ-17367, PRJ-17368, PRHF-858
Security Gateway
DynamicID via SMTP does not work when an HTTP proxy server is defined.
PRJ-13260, PRJ-14257, PRHF-9930
Security Gateway
In a rare scenario, traffic is dropped with the "[ERROR]: up_handle_get_matched_service_clob: no clob list on handle for type SERVICE;" error in dmesg.
PRJ-17958, PRJ-17959, PMTR-60574
Security Gateway
In some scenarios, policy installation fails with "Error code 0-2000077".
PRJ-17605, PRHF-1162
Internal CA
In some scenarios, manual edit of user's certificate expiration period does not take effect. Refer to sk143292.
PRJ-18421, PRJ-18422, MPTT-2224
Internal CA
In a rare scenario, some emails with links are cached due to timeout failure.
PRJ-18823, PRJ-18824, PRHF-13605
HTTPS Inspection
Cannot browse with Chrome when using mixed chain with ECDSA subordinate CA in HTTPS Inspection. Refer to sk170332.
PRJ-18245, PRJ-18124
Identity Awareness
NEW: Added Identity Sharing's performance and functionality improvements. Refer to sk170516.
PRJ-16170, PRJ-16171, IDA-754
Identity Awareness
When working with AD server without global catalog enabled and nesting query is set to 'pdp nested_groups __set_state 2', direct groups are fetched correctly, but nested groups are not fetched. Refer to sk166199.
PRJ-18343, PRJ-18344, PRHF-11733
IPS
NEW: Added ability to send connection log per application match for ATM transactions identification. The functionality is disabled by default and can be enabled by using the "up_duplicate_connection_log_on_packet_matched_app_enabled" kernel parameter.
PRJ-19153, PRJ-19167, PMTR-48913
Anti-Malware
In some scenarios, files stop passing when the Threat Emulation inspection takes a too long time.
PRJ-19737, PRJ-19738, PRJ-17439
Anti-Malware
In some scenarios, users may fail to access a web site with many malicious URLs.
PRJ-15942, PRJ-15943, PRHF-12119
Anti-Malware
In a rare scenario, Security gateway may crash after a match of the Anti-Bot blade.
PRJ-11729, PRJ-15700, PMTR-52415
Anti-Malware
In some scenarios, custom intelligence feeds with URL encoding characters may not be parsed correctly. Refer to sk168077.
PRJ-8614, PRJ-13385, NSS-2348
Anti-Malware
In some scenarios, dmesg may show many "rad_client id 6 is not register" errors.
PRJ-13731, PRJ-13601
Anti-Malware
In some scenarios, some emails may not be scanned by Anti-Bot's Suspicious Mail Protection when IPv6 is configured.
Fix is relevant for Gaia 3.10 only.
PRJ-16648, PRJ-16649, PRHF-13642
Anti-Malware
In some scenarios, if the configuration file size is more than 2GB, the "File exceeded size limit" message appears when Anti-Virus blade works in Hold mode.
PRJ-13579, PRHF-9289
Anti-Malware
In some scenarios, a "Feed Error" message appears when the user fetches a Custom Intelligence Feed. Refer to sk165932.
Fix is relevant for Gaia 3.10 only.
PRJ-13199, PRJ-14280, IPS-898
Anti-Malware
Security Gateway may crash when trying to access a site encoded with Base64.
-
Gaia OS
NEW: Added support for 1570R and 1600 / 1800 SMB appliances.
PRJ-16670, PRJ-16671, PMTR-53960
Gaia OS
UPDATE: CPView Network -> Top-Protocols and Network -> Top-Protocols tabs was added back. Refer to sk167903.
PRJ-16264, PMTR-55837
Gaia OS
Multi-Queue IRQ affinity is set incorrectly for i40e and MLNX interfaces.
Fix is relevant for Gaia 3.10 only.
PRJ-19049, PRHF-13949
Gaia OS
In some scenarios, when using routing separation, modifying interface IP address fails.
Fix is relevant for Gaia 3.10 only.
PRJ-18024, PRJ-18025, PRHF-13480
Routing
SNMP queries for bgpPeerFsmEstablishedTime return an incorrect constant value. Refer to sk170074.
PRJ-17854, PRJ-17855, PRHF-13388
Routing
In rare scenarios involving large AS paths, there may be a loss of BGP adjacency. Refer to sk170876.
PRJ-18968, PRJ-18797, PMTR-46178
Routing
In some scenarios, the routed process unexpectedly exits when removing an OSPF interface that had authentication configured. Refer to sk170272.
PRJ-14128, PMTR-42541
Mobile Access
Browser based applications cannot be opened in MAB portal.
RADIUS packet sent by Security gateway, may show the Framed-IP-Address field in the reverse order. Refer to sk167361.
PRJ-17026, PRJ-17027, PRHF-5394
VPN
The VPND process cannot stop listening on port 264.
PRJ-17084, PRHF-12828
VPN
Connectivity issue may appear between Check Point Gateway and 3rd party device in MEP DPD configuration when 3rd party device is defined as Central Gateway in MEP. Relevant error message: "Failed to resolve VPN MEP gateway".
Fix is relevant for Gaia 3.10 only.
PRJ-17341, PMTR-59783
VPN
In rare scenarios, VPN clients may disconnect during Security policy installation.
Fix is relevant for Gaia 3.10 only.
PRJ-17267, PRJ-17268, VPNRA-404
VPN
When Security gateway is behind NAT and its main IP address is configured to NAT IP, Client may disconnect when using Visitor Mode.
PRJ-10034, PRJ-16396, CRYPTOIS-661
VPN
In some scenarios, Security Gateway Portals and Remote Access VPN clients show wrong certificate after certificate renewal. Refer to sk131212.
PRJ-17166, VPNS2S-1446
VPN
Different VPN connection improvements.
PRJ-18105, PRJ-18106, PRHF-13218
VSX
In rare scenarios, dynamic objects database may be cloned between Virtual Systems. Refer to sk169514.
PRJ-17298, PRJ-17299, PMTR-59775
VSX
Connections distribution may get unbalanced on VSX environment. Refer to sk169352.
PRJ-17328, PMTR-53247
VSX
In some scenarios on a VSX machine, when SNMP is in VS mode, USM users are not recognized and SNMP queries such as SNMPWALK, get error message "unknown user".
Fix is relevant for Gaia 3.10 only.
PRJ-14260, PRJ-14261, PRHF-11784
VSX
In some scenarios, wrong (too big) SNMP values are displayed when running SNMP query.
PRJ-17207, PMTR-59637
Compliance
UPDATE: Added ability to select 'Any' in the Service column when creating a custom firewall Best practice.
In some scenarios, content of the "User Name" tab in SmartEndpoint is displayed in wrong format.
PRJ-15858, PRHF-7446
Endpoint Security
An exception may be displayed in SmartEndpoint when uploading an offline group software deployment package. Refer to sk165852.
PRJ-16286, PRJ-16287, PMTR-58322
VoIP
NEW: Added support for HopCount field in H323 protocol. Refer to sk169513.
PRJ-17751, PMTR-60322
CloudGuard IaaS
In some scenarios, userspace cores may appear on CloudGuard for Azure Gateways with VPN enabled and using AES-GCM-256 and AES-256. Refer to sk169417.
Fix is relevant for Gaia 3.10 only.
R80.30 Jumbo HotFix - General Availability Take 226 (29 November 2020, GA from 08 December 2020)
PRJ-19494, PRJ-19675
VPN
In a rare scenario, certain conditions under VPN utilization may cause the Security gateway to crash.
PRJ-18200, PMTR-60885
CloudGuard IaaS
UPDATE: Added new certificates for Microsoft Azure. For details, refer to this Microsoft article.
R80.30 Jumbo HotFix - Ongoing Take 221 (21 October 2020)
PRJ-17453, PRJ-17454, PMTR-58781
Diagnostics
In some scenarios, peak values for interfaces are not updated in CPView.
PRJ-15500, PMTR-56638
Security Management
NEW: The $MDS_FWDIR/scripts/cpm_status.sh script will show if the CPM process fails to start.
PRJ-15564, PRHF-12170
Security Management
NEW: In some scenarios, modifying or deleting objects in bulk may cause slowness in SmartConsole responses and long duration of operations. Ability to improve performance in such cases was added. Refer to sk135972.
PRJ-14525, PRJ-13319
Security Management
Upgrade from R80.10 may take many hours when there are hundreds or more Administrators and dozens or more Permission Profiles defined.
PRJ-15416, PMTR-48628
Security Management
In some scenarios, Read-Only sessions appear twice in the Sessions view.
PRJ-18046, PRHF-13462
Security Management
In rare scenarios, a Management server may become inaccessible and requires a reboot. Refer to sk170634.
PRJ-17072, PRJ-13851
Security Management
In some scenarios, the Security Management Server's startup takes a very long time after editing or deleting many Administrators.
PRJ-13726, PMTR-55574
Multi-Domain Management
NEW:
Global object deletion will be blocked if used in Domains on the Multi Domain Server.
The "Unused Objects" filter in the Global Domain will show objects only if not used by all of the Domains on the Multi-Domain Server.
PRJ-16437, PRHF-12236
Multi-Domain Management
After upgrading a Multi-Domain Management Server, the object version of the Domain Management Servers or Domain Log Servers in the MDS SmartConsole may not have changed.
PRJ-17022, PMTR-58167
Multi-Domain Management
On MDS environment with Global VPN Community usage, policy installation mail fail with "internal error" message after upgrade. Refer to sk169157.
PRJ-15719, PRHF-12271
Multi-Domain Management
When the user attempts to add/change the Leading Interface through mdsconfig, it may fail with the "no external interfaces found on this machine" error. Refer to sk168319.
PRJ-17306, PMTR-59799
Multi-Domain Management
In rare scenarios, the fwm process may unexpectedly exit and fail the Multi-Domain Management server upgrade.
PRJ-16642, PMTR-58309
Multi-Domain Management
In some scenarios, Domain Management Server is shown in System Domain under Domains View even though it was deleted.
PRJ-17069, PMTR-59232
Multi-Domain Management
In some scenarios, Domain appears in the System Domain without any Domain Servers.
PRJ-13795, PMTR-43231
Multi-Domain Management
In a Multi-Domain Server, domain-related processes may not start when the user runs "evstop" and then "evstart".
PRJ-12245, PRHF-10477
Multi-Domain Management
In some scenarios, a Global Administrator connected to the Logging and Monitoring view in MDS cannot see auto-complete suggestions when typing in the logs search box. Refer to sk166752.
PRJ-16426, PMTR-58559
Multi-Domain Management
Management HA incremental synchronization may break in the MDS level with "failed to import data" error message due to an operation related to the Compliance Blade.
PRJ-13455, PRHF-10952
SmartConsole
In some scenarios, Management API commands with "details-level":"full" Payload return a truncated output and fail to complete. Refer to sk170414.
PRJ-12854, PRHF-10453
SmartConsole
Hit count data may not be deleted automatically.
PRJ-7307, PMTR-45443
SmartConsole
When creating SecuRemote DNS object with more than 6 characters as Domain suffix, it fails with the "Domain suffix contains illegal characters" error.
PRJ-17006, PMTR-48331
SmartConsole
When using SmartConsole CLI, the application may unexpectedly terminate if the input has quotation marks that are not closed.
PRJ-16061, PRHF-12395
SmartConsole
In some scenarios, certain Gateways do not appear in the IPS Core protections list. Refer to sk168474.
PRJ-9660, PRHF-8304
SmartConsole
In rare scenarios, Access policy installation may be incorrectly blocked. A verification incorrectly states that HTTPS Inspection rules do not contain 'Any' or 'Application/Site' objects in the Site Category column, even though they do.
PRJ-16467, PRHF-11438
SmartConsole
Update corporate Gateway procedure takes a long time and may cause login issues and general slowness in the Provisioning GUI.
PRJ-14356, SL-4323
SmartView
In SmartView, when the user sends a generated report via email in a language with non-standard English letters (Accented, Cyrillic, Chinese, Japanese, etc), some of the text may appear as question marks (?).
PRJ-16434, PMTR-53663
SmartView
In SmartView's GDPR Report, some of the text appears in German although the selected language is not German.
PRJ-16889, PMTR-59093
SmartView
In SmartView, after adding a new page to a report, the preview page appears to have no data although it has (this data appears in the Edit Mode).
PRJ-17017, PMTR-59317
Logging
UPDATE: Added ability to filter Threat Prevention and Endpoint logs by file size on a Log server machine via Logs & Monitor view in SmartConsole.
PRJ-13349, PMTR-54708
Logging
In some scenarios, when the user configures the log exporter filter with the “cp_log_export” command (action, origin, product), the filter is not configured properly according to the used format.
PRJ-13622, PRHF-11057
Logging
Leef format is not certified with IBM causing the following issues:
In some scenarios, the "CGsoapSessions::AuthenticateSession failed, session is not authenticated" message may appear in mds.elg or fwm.elg file. Refer to sk152933.
PRJ-15598, PRJ-15607, PRJ-13567
Security Gateway
In some scenarios, policy installation fails with "Error code 0-2000121".
PRJ-13887, PRJ-14440, PRHF-9759
Security Gateway
An interface name with more than 15 characters may cause the policy installation to fail. Refer to sk167955.
PRJ-13694, PRJ-13695, PMTR-55510
Security Gateway
Proxy arp change is applied only after the second policy installation.
PRJ-16399, PRJ-16400, PRHF-12631
Security Gateway
When using Management Data Plane Separation (MDPS), schedule backup may fail.
PRJ-16087, PRJ-16088, PRHF-12224
Security Gateway
In rare scenarios, a memory leak may appear on Security Gateway in gconn table.
PRJ-17311, PRJ-17312, PMTR-59182
Security Gateway
In rare scenarios, Security Gateway memory consumption may increase.
PRJ-15839, PRJ-15840, PRHF-12221
Security Gateway
ICAP block page displays virus name as "Unknown" instead of the virus name as it appears in the logs.
PRJ-17086, PRJ-17087, PRHF-13025
Security Gateway
When using a routing separation, syslogd does not move to the management plane.
PRJ-16911, PMTR-59141
Security Gateway
In some scenarios, a timeout occurs when the user enables resource separation via Clish. Refer to sk170372.
Fix is relevant for Gaia 3.10 only.
PRJ-11292, PRJ-13902, PRHF-8491
Security Gateway
Unused OIDs may appear in SNMP MIB file.
PRJ-16664, PRJ-16665, PRHF-12727
Security Gateway
Security Gateway running in USFW mode (User-Mode Firewall) may crash with fwk core dump. Refer to sk169119.
PRJ-16316
Identity Awareness
NEW: Enable client based policy (e.g. authentication) for cloud-based environments for connections with NAT on the source.
Fix is relevant for Gaia 3.10 only.
PRJ-17650, PRJ-17651. PMTR-44711
Identity Awareness
In some scenarios, user cannot authenticate to Captive Portal as a Guest User.
PRJ-12544, PRJ-12545, PMTR-52404
Identity Awareness
In a rare scenario, a standby cluster member receives updates from identity sources and creates a mismatch in the PDP tables.
PRJ-15580, PRHF-9645
Application Control
In some scenarios, deprecated applications are not removed/replaced during an upgrade from R77.30 to R80.x. Refer to sk131372.
PRJ-17198, PRJ-17199, PMTR-59565
HTTPS Inspection
In a rare scenario, a connection remains open after it is closed by the server, and the web browser may load a page for a long time.
PRJ-14258, PRJ-16218, PMTR-39143
Threat Extraction
Watermark insertion may fail in spreadsheet files where the column range is not defined.
PRJ-16924
Anti-Virus
In rare scenarios, after downloading files, Anti-Virus prevent logs appear with "Strict hold is not possible failure - Write to other side occured" error message.
PRJ-13789, PRJ-15361, PRHF-10357
IPS
Support bypass SMBv3 multi-channel when SMB feature is enabled for Anti-Virus or Threat Extraction (see sk101606).
PRJ-15975, PRJ-15976, PMTR-57915
UserCheck
In some scenarios, the UserCheck daemon usrchkd may unexpectedly exit.
PRJ-17452, PRJ-17639, PRHF-12934
UserCheck
In some scenarios, UserCheck agent notifications may be blocked.
PRJ-14650, PRJ-14651, PMTR-56622
Mobile Access
The Mobile Access Blade's portal dialog for editing web application SSO credentials may not work correctly.
PRJ-13845, PMTR-42541
Mobile Access
Browser based applications cannot be opened in MAB portal.
PRJ-17447, PRJ-17446
Mobile Access
Mobile Access Blade may fail to install on VSX environments due to a missing configuration file.
PRJ-2923, PRJ-14462, PRHF-4457
SecureXL
In a rare scenario, the Security Gateway may crash when deleting certain non-TCP connections.
PRJ-18532, PRJ-18533, PMTR-61276
SecureXL
In rare scenarios, when a Wire-Mode is configured on a community, it may cause a Security gateway from another community not to accelerate connections in SecureXL.
PRJ-16682, PRJ-16683, PRHF-12714
SecureXL
In a rare scenario, Security gateway may crash when receiving packets from an MDPS management interface.
PRJ-9563, PRJ-14831, PRHF-9919
SecureXL
In a rare scenario, Security gateway may crash when the Drop Template feature is enabled.
PRJ-17449, PRJ-17450, PRHF-13029
SecureXL
In some scenarios, CPView may show incorrect statistics for VPN encrypted/decrypted packets.
PRJ-6002, PRJ-15712, PRHF-2914
SecureXL
In some scenarios, output of "fwaccel stat" command does not display the layer name that disables the templates (only "Layer ---" is displayed). Refer to sk145533.
PRJ-16578, PRJ-16579, SPC-3089
Routing
In some scenarios, the routed daemon may unexpectedly exit with BGP.
PRJ-17712, PRJ-17713, ROUT-954
Routing
Security Gateway may stop forwarding the Multicast stream when PIM is configured on it. Refer to sk169774.
PRJ-15819, PRHF-12144
VPN
NEW: Performance improvement of VPN tunnel when using SHA-384. Refer to sk168336.
Fix is relevant for Gaia 3.10 only.
PRJ-15715, PRJ-16031, PMTR-40124
VPN
UPDATE: Connection types summary was added for "vpn tu tlist" and "vpn show_tcpt" commands.
Incorrect number of connected users may be displayed in "vpn show_tcpt" summary line output.
PRJ-14343, PRHF-7359
VPN
Improved usability of VPN tunnel monitoring "vpn tu" command.
Fix is relevant for Gaia 3.10 only.
PRJ-15620, PRJ-15621, PMTR-57459
VPN
Access Roles with MAB SNX as the client type may not work.
PRJ-16209, PRJ-16210, VPNRA-469
VPN
In rare scenarios, the Security Gateway may crash after VPN users connect to the network.
PRJ-16411, PRJ-16412, PMTR-55514
VPN
In rare scenarios, Remote Access clients may not be able to re-connect after a failover.
PRJ-15836, PRJ-15837, PMTR-40895
VPN
When a Gateway does not recognize the SPI, it sometimes sends the "Invalid SPI" notification in clear. As a result, the peer may ignore it, resulting in an outage.
PRJ-16720, PRJ-16721, PMTR-57565
VPN
Remote Access potential connectivity issue when there are more than 1 external interfaces.
PRJ-17633, PRJ-17634, PMTR-42363
VPN
The vpnd process may unexpectedly exit when the user runs the "vpn tu" command.
PRJ-16864, PRJ-16865, PMTR-55844
VPN
Software Blade name inconsistency between login and logout logs of an SNX client.
PRJ-17314, PRJ-17331, PRHF-12973
VPN
Added VPN IKEv2 improvements.
PRJ-16726, PRJ-16727
VPN
Added VPN connection improvements.
PRJ-17773, PRJ-17706
VPN
The vpnd process may unexpectedly exit during IKEv2 negotiation.
PRJ-16595, PRJ-12770, PRHF-10314
VPN
In some scenarios, RADIUS authentication may take more than five minutes to be fulfilled with Endpoint Clients, reaching connection timeout on the Gateway side.
PRJ-16268, PRHF-12508
VSX
Latency and/or packet loss may occur for traffic which passes through a Virtual Switch in a VSX Gateway. Refer to sk168592.
PRJ-16305, PRHF-11856
Gaia OS
NEW: Added Multi-Queue (MQ) support for Sync interface.
Fix is relevant for Gaia 3.10 only.
PRJ-11045, PRJ-11046, ACCL-417
Gaia OS
UPDATE: CPView Network -> Top-Protocols and Network -> Top-Connections tabs were added back. Refer to sk167903.
PRJ-11993, PRJ-15408, PRHF-10312
Gaia OS
In rare scenarios, a snapshot creation may fail.
PRJ-16315, PMTR-55189
Gaia OS
In some scenarios, Cluster does not recognize bond slaves.
Fix is relevant for Gaia 3.10 only.
PRJ-15464, PRJ-15465, PMTR-56502
Gaia OS
"show asset" command shows the Network card model CPAC-4-1C instead of CPAC-4-1C-L.
PRJ-4869, PRJ-16255, PRJ-16256, PRHF-5016
Gaia OS
A Timestamp in Unix/Epoch time may not be updated when the user changes a password using hash.
PRJ-14313, PRJ-14314, PRHF-11752
Gaia OS
In rare scenarios, gateway uptime in SmartConsole may show an abnormally high number. Refer to sk167937.
PRJ-15615, PRJ-11969, PRHF-9336
Gaia OS
The confd process may unexpectedly exit when the user runs the "show/set/add interface" long command. Refer to sk167635.
PRJ-14263, PMTR-39601
Gaia OS
The "show security-gateway monitored-interfaces" command may return wrong output. Refer to sk166902.
Fix is relevant for Gaia 3.10 only.
PRJ-16566, PRHF-12526
Gaia OS
In the Management Data Plane Separation (MDPS) environment, the output for the "show asset network" command may not report some line cards if they have mixed management/data plane interfaces.
Fix is relevant for Gaia 3.10 only.
PRJ-14459, PRHF-9702
Gaia OS
It is not allowed to create usernames with reserved words, e.g., 'eval', 'apply' etc., in the middle of the username in the WebUI. Refer to sk170681.
PRJ-16078, PRJ-16079, PMTR-57581
Gaia OS
In some scenarios, when the user tries to return to the factory default, the machine reverts to a different snapshot.
PRJ-12739, PMTR-51157
Gaia OS
Restore backup may fail due to unmatched upgrade tools.
PRJ-12861, PMTR-51379
Gaia OS
Creating LOM users for Smart-1 525/625/5050/5150 appliances may fail if the username length is shorter then 4 characters.
PRJ-9118, PRJ-15227, PRHF-4435
Gaia OS
In some scenarios, SNMP fails to report disk utilization.
PRJ-13941, PRJ-16310, PRHF-11368
Gaia OS
In some scenarios, when the RADIUS user enables bash logging (as per sk99134) and moves to expert mode, the username in the log files appears as admin instead of RADIUS.
NEW: Added new AWS regions af-south-1, ap-northeast-3, and eu-south-1.
PRJ-16253, PRHF-12538
CloudGuard IaaS
Scanning of GCP Data Center may fail when instance does not have disks.
PRJ-16599, PRHF-12083
Endpoint Security
In some scenarios, Policy server stops syncing with the Endpoint Security Server. Refer to sk168912.
R80.30 Jumbo HotFix - General Availability Take 219 (13 September 2020, GA from 12 October 2020)
PRJ-7663, PMTR-46091
Diagnostics
CPview may show partial information, if there are more than 256 interfaces configured on the system.
PRJ-16146, PMTR-58152
Security Management
NEW:
The "cma_migrate" command will continue working if the SSH connection with the Multi-Domain Server was lost.
If the user presses "Ctrl+C" while cma_migrate is running, the user will be asked whether to stop cma_migrate or to continue.
PRJ-14644, PRHF-11983
Security Management
NEW: Solr server process is restarted automatically if it is not responsive for a long time.
PRJ-16875, PRHF-12879
Security Management
In some scenarios, sessions that were opened for the third parties or automatic scripts that use Management API, remain open. Refer to sk169072.
PRJ-11703, PRHF-9017
Security Management
The Purge Revisions operation may not clean deleted objects of previous revisions.
PRJ-15496, PMTR-57275
Security Management
$MDS_FWDIR/scripts/solr_start.sh script may fail to start Solr Cure if sk123417 is applied.
PRJ-12491, PRHF-10058
Security Management
When using packet mode in Rulebase Search, results from inline layer may be matched even though their parent layer is not.
PRJ-16343, PRHF-12861
Security Management
Rulebase search may fail with "An error occurred while searching" if one (or more) of the rules that matches the search criteria has a reference to a security zone. Refer to sk168935.
PRJ-16196, PRHF-9260
Security Management
When running the "show-access-rulebase" API command with filter, and the selected layer is an inline layer, rules of the inline layer are not returned even though they match the search criteria.
PRJ-14296, PRHF-11704
Security Management
In rare scenarios, High Availability sync fails with "Ngm failed to import data" error after the user deletes a Permission Role.
PRJ-13462, PMTR-54975
Security Management
In rare scenarios, Install Policy Presets are not triggered.
PRJ-13918, MCFG-242
Security Management
In some scenarios, exporting the Security Management Server in order to migrate it to Domain in Multi-Domain Environment fails.
PRJ-14491, SMCUPG-1384
Security Management
In some scenarios, migrating two different Security Management Servers to domains in the same Multi-Domain Management Server fails.
PRJ-15609, PMTR-57447
Multi-Domain Management
NEW: Added ability to run Management REST API on a Multi-Domain Log Server.
PRJ-15458, PRHF-6093
Multi-Domain Management
Policy Installation may fail due to an internal error in an MDS environment where there is a Global Dynamic object usage inside Networks Groups with a depth that is higher than 2-level (group inside a group).
PRJ-14760, PRHF-12085
Multi-Domain Management
In some scenarios, migrating a Domain between different Multi-Domain Management servers fails if a previous migration of the same Domain failed.
PRJ-15415, PRJ-13920
Multi-Domain Management
In Multi-Domain environments with High Availability, if the Management Server is stopped while there's a Purge Revisions operations in progress, the server may fail to start again. Refer to sk168175.
PRJ-14454, PRHF-11940
Multi-Domain Management
Policies may disappear from the Global Domain Assignments view after running the Solr Cure utility. Refer to sk168060.
PRJ-13905, PMTR-54935
SmartConsole
In some scenarios, when working with older applications like SmartView or SmartProvisioning, the admin count in SmartConsole presents an incorrect number of connected admins.
PRJ-15969, PRHF-10916
SmartConsole
Global Policy reassign in MDS may fail with "An internal error has occurred" message after adding overrides to Snort protections.
PRJ-15371, PMTR-57065
SmartConsole
The user may not be able to delete objects that are referenced by a previously deleted policy. Refer to sk122954.
PRJ-15832, PMTR-39061
SmartProvisioning
In some scenarios, when the user installs policy on R77.30 Central Office Security Gateway from Management version R80 and higher, VPN tunnels may be dropped for LSM Gateways.
PRJ-14550, PMTR-53415
SmartProvisioning
After creating Small Office Appliance via SmartProvisioning GUI with SIC and CA name parameters provided, the VPN tab fields are not updated.
PRJ-14531, PMTR-55130
SmartView
In some scenarios, when the user attempts to download a DLP attachment from the log card in SmartView, the download does not start.
PRJ-14361, PMTR-54723
SmartView
In SmartView, the icon is missing from the cover page of Compliance and Content Awareness PDF reports.
PRJ-13561, PMTR-53242
Logging
In rare scenarios, the evstop script does not stop all logging processes. As a result, upgrade procedures may hang and show no progress.
PRJ-14048, PRHF-11502
Logging
In some scenarios, the "cp_log_export status" command prints "last log read at: N/A" rather then a timestamp.
PRJ-13170, PRHF-9994
Compliance
Compliance Partial Scans in Multi-Domain environments using Global Policies may lead to SmartConsole freeze or long publish times. Refer to sk170562.
PRJ-14368, PRJ-15747, PRHF-10818
Security Gateway
UPDATE: Reduced CPU usage in some configurations by parsing TLS traffic only when required by the policy. See sk166700 for more information.
PRJ-10297, PRJ-14638, PRHF-8781
Security Gateway
In some scenarios, the license status of the Security Gateway is not updated properly in SmartConsole.
PRJ-12946, PRJ-15333, PRHF-10972
Security Gateway
After policy installation, the output of the "cphaprob stat" command may show "HA module not started" when a large number of non-monitored Cluster interfaces are configured in SmartConsole.
This fix adds support for multiple non-monitored interfaces in SmartConsole.
PRJ-9848, PRHF-7150
Security Gateway
In some scenarios, SCCP traffic may be dropped by the Security Gateway. Refer to sk108124.
PRJ-15769, PRJ-15770, PMTR-57606
Security Gateway
In some scenarios, some DNS protections may not be enforced.
PRJ-16157, PRJ-16158, PMTR-58124
Security Gateway
In a rare scenario, Security Gateway may crash after policy installation.
PRJ-15847, PRJ-15848, PMTR-57739
Security Gateway
SXL drop due to routing configuration when using security zone on bridge (layer2).
PRJ-14632, PRJ-14633, PRHF-12058
Security Gateway
In rare scenarios, Security Gateway memory consumption may increase.
PRJ-14068, PRJ-14069, AVIR-1090
Security Gateway
In rare scenarios, Security Gateway may crash due to memory allocation failure.
PRJ-9656, PRJ-8049
Security Gateway
When running 'fw6 ctl affinity -l' command, the IPv6 instances are not displayed.
Fix is relevant for Gaia 3.10 only.
PRJ-13588, PRJ-15805, PRHF-11311
Security Gateway
In a rare scenario, Security Gateway may crash during policy installation.
PRJ-11141. PRJ-13149, PMTR-39019
Security Gateway
In some scenarios, "fwxlate_dyn_port_global_to_local_get_port: port was not found in global, and not in local" error message may appear in dmesg.
PRJ-14125, PMTR-56181
Security Gateway
In some scenarios, compilation errors during policy installation are ignored instead of immediately failing the policy. This may cause drops on the Security Gateway.
Fix is relevant for Gaia 3.10 only.
PRJ-16405, PRHF-12305
Security Gateway
In some scenarios, when VPN blade or ISP Redundancy are used, traffic may be routed to the wrong interface. Refer to sk168881.
Fix is relevant for Gaia 3.10 only.
PRJ-15723, PMTR-39944
Application Control
In some scenarios, HTTP traffic is blocked with "HTTP parsing error occurred (2)" and "parameters are undecodable in request" errors. Refer to sk160092.
Fix is relevant for Gaia 3.10 only.
PRJ-15687, PRJ-15688, PRHF-12067
HTTPS Inspection
In some scenarios, web traffic may be blocked with "Content Awareness - Error: Internal system error (1000)" error log.
PRJ-12564, IDA-2983
Identity Awareness
PDP may consume high CPU during policy installation because of a large amount of Access Roles.
PRJ-7759, PRJ-11482, PMTR-40495
SSL Inspection
DynamicID authentication may fail due to server certificate validation failure. Refer to sk167177.
PRJ-11510, SMB-12153
SSL Inspection
In some scenarios, there may be SSL Inspection issues in cluster environments on 1500 Series Security Gateways. Refer to sk170218.
PRJ-16486, PRJ-16489, PMTR-57645
IPS
In some scenarios, invalid characters are sent to gw-stat report.
PRJ-14547, PRJ-12053
Threat Extraction
Cluster synchronization fails for Threat Extraction.
PRJ-16106, PRJ-16105, PRHF-12463
URL Filtering
In some scenarios, there may be sporadic connectivity issues in the Anti-Malware/URLF service (RAD).
PRJ-16990, PRJ-16965
Mobile Access
Mobile Access portal may become unresponsive after Jumbo Hotfix uninstallation. Refer to sk169152.
PRJ-14610, PRJ-14611, PRHF-7700
SecureXL
UPDATE: Added a global variable that enables log for packets that include unapproved IP option. This variable is off by default.
PRJ-10496, PRJ-10497, PMTR-50926
SecureXL
In some scenarios, SecureXL makes an offload decision to not accelerate multicast traffic for route-based VPN.
PRJ-14515, PRJ-14516, PRHF-10860
SecureXL
In a rare scenario, a VSX gateway with Virtual Switch may crash.
PRJ-13761, PRJ-13762, PMTR-55537
SecureXL
Security Gateway may crash when concurrent connection rules exist in the DOS/Rate limiting policy and the Application Control blade is enabled.
PRJ-13413, PRJ-14518, ACCHA-301
SecureXL
DECnet DIGITAL Network Architecture (Phase IV) traffic may be dropped. Refer to sk167202.
PRJ-15900, PRJ-15901, PRHF-12374
SecureXL
An asymmetric routing issue may occur between a Virtual System and a Virtual Switch/Router.
PRJ-16352, PRJ-16349
CoreXL
In a rare scenario, CPU consuming on some instances is high. Refer to sk168513.
PRJ-9402, PRJ-15354, STRM-152
QoS
In some scenarios, QoS Policy installation fails with the following massage: "Error - QoS Policy does not apply to any network interface. Please edit your Network Object and check the interfaces you wish to install on" when policy is defined properly on the interface.
PRJ-14433, PRJ-14434, PMTR-53221
Gaia OS
NEW: Added support for CPAC-4-10-AB cards.
PRJ-14595, PMTR-55036
Gaia OS
NEW: Added Multi-Queue (MQ) support for Management interface.
PRJ-15541,PRJ-15542, PRJ-9095
Gaia OS
NEW: Added a new feature for preventing MITM attacks when OS backup is stored on remote storage via SCP protocol. Refer to sk164234.
PRJ-14080, PMTR-54518
Gaia OS
NEW: The i40e driver version was upgraded to improve performance.
Fix is relevant for Gaia 3.10 only.
PRJ-10078, PRJ-14537, PMTR-50675
Gaia OS
When enlarging the partition via lvm_manager from a small partition to a larger partition, the user may reach an internal filesystem settings limit. As a result, some filesystem monitoring commands unexpectedly exit.
PRJ-13626, PRJ-14228, PRJ-15591, PRHF-11367
Gaia OS
The "show configuration" Clish command may show 'Exported by admin' instead of the correct user name.
PRJ-16272, PRJ-16273, PRHF-10941
Gaia OS
User fails to add ecsda hot keys via Clish to the hosts file. This prevents from setting up the scheduled backups before the system goes into production.
PRJ-5959, PRHF-6250
Gaia OS
In some scenarios, commands that were typed into Clish can be executed later on if the SSH session was uninterruptedly terminated.
PRJ-13271, GAIA-7496
Gaia OS
In some scenarios, the value for Voltage/Fan/Temperature sensor may appear as "NotValid" instead of a number.
PRJ-11129, PMTR-51775
Gaia OS
Setting LACP rate does not survive a reboot on Gaia 3.10.
PRJ-15860, PMTR-57779
Gaia OS
"... Error I40E_AQ_RC_EINVAL adding RX filters on PF..." error may appear during i40e driver operation and RSS key may be reset during certain driver operations.
Fix is relevant for Gaia 3.10 only.
PRJ-14512, PRJ-14513, PRHF-6216
Routing
BGP connection may fail to establish when there are multiple peer groups with the same AS number in iBGP configurations.
PRJ-15484, PMTR-54930
Routing
BGP fails to establish with high MTU setting on Gaia 3.10.
PRJ-16018, PRHF-12425
CloudGuard IaaS
In some scenarios, CloudGuard Controller may lose connection to GCP projects. Refer to sk168499.
PRJ-12184, VSECC-1293
CloudGuard IaaS
CloudGuard Controller may sometimes update the Standby cluster member in VSLS mode.
PRJ-14405, PRJ-14406, PMTR-54728
VPN
Connectivity improvements for Remote Access VPN with L2TP.
PRJ-14574, PRJ-14575, PMTR-54771
VPN
IP compression may not work in some scenarios when IKEv2 is configured.
PRJ-14242, PRJ-14243, PRHF-7995
VPN
VPN traffic may be dropped when working with peer behind NAT - Hide NAT with Port Translation.
PRJ-11051, PRJ-14391, PRHF-7972
VPN
Improved NAT Detection with 3rd party peers in IKEv1 and IKEv2. Refer to sk165003.
PRJ-10952, PRJ-14318, PRHF-8923
VPN
In some scenarios, VPN tunnel connection is dropped with "no MSA for MSPI" error. Refer to sk167393.
PRJ-15329, PRJ-15330, VPNRA-379
VPN
In some scenarios, Remote Access VPN traffic may be dropped when XFF is enabled.
PRJ-15321, PRJ-15320, PMTR-48973
VPN
In some scenarios, using LS/HA mode on a VPN tunnel may cause packets to be dropped. Refer to sk160612.
PRJ-12808
Endpoint Security
NEW: Added support for BitLocker Encryption Management in Full Disk Encryption.
R80.30 Jumbo HotFix - General Availability Take 217 (11 August 2020, GA from 13 Sep 2020)
PRJ-14369, PRJ-14370, PMTR-36116
Diagnostics
Missing information in total throughput/inbound/outbound packets in CPView history's Network view.
PRJ-13961, PMTR-55974
Security Management
NEW: Added the ability to purge revisions automatically based on user configuration. Refer to Automatic Purge Documentation.
PRJ-12307, PMTR-48736
Security Management
NEW: Added enhancements for CPM Monitor Tool:
Compatibility of file names between Linux and Windows.
Better and more readable resources consumption report.
All data is wrapped into a single tgz file, for better handling.
PRJ-13048, PRHF-11033
Security Management
After the user adds new Threat Indicators, Management HA may fail with "NGM failed to import data" error. Refer to sk167156.
PRJ-13612, PRHF-11300
Security Management
In rare scenarios, the "where-used" API command fails with "Management server failed to execute command" error.
PRJ-12143, CPM-2624
Security Management
Management HA synchronization between the active Domain server to a standby Domain server may fail with "Failed to import data" error.
PRJ-13166, PMTR-53758
Security Management
When an administrator enters a very long text into an object field (more than 32767 characters), the Security Management Server terminates and fails to start.
PRJ-12374, PRHF-10550
Security Management
Policy Presets may disappear from view after the user runs the Solr Cure utility. Refer to sk167455.
PRJ-9112, PRHF-4593
Security Management
"The Correlation Unit can't connect to one of its Log Servers. Please make sure connectivity between the Correlation Unit and Log Server isn't blocked. There is no need to stop the job." message after the putkey process. Refer to sk12882.
PRJ-14097, PMTR-56164
SmartConsole
NEW: The new and useful APIs of version 1.6.1 are now available also as part of API version 1.5. For more information, refer to the Management API Reference v1.6.1.
PRJ-13007, PRHF-10998
SmartConsole
In the Management API, the "show objects" command with details-level full may return the "ip-address" field even if it is empty.
PRJ-14291, PMTR-53220
SmartConsole
If there are thousands (or more) of unused objects, the "show unused-objects" API command and the Unused Objects view may load and work very slowly. Also, the load on the Management server will increase, causing general slowness when working with SmartConsole.
PRJ-14173, PMTR-32568
SmartConsole
In some scenarios, a validation warning may appear on an updatable object with the following message: "Object is no longer supported. Enforcing security for this object is not possible." However, the object is still available in the updatable objects picker.
PRJ-13899, PRHF-11537
SmartConsole
Audit log is not shown in SmartConsole's Logs & Monitor View for the login action through API when the "-r" flag is set to true (login as root).
PRJ-12704, PRHF-10295
SmartView
The SmartView Timeline may be distorted when logs contain an empty value for the field specified in the “Series” settings and when the Legend is enabled. Refer to sk167095.
PRJ-12098, PMTR-52324
Logging
NEW:
Added Management API command "show logs" to query logs.
Added Management API command "get attachment" to fetch attachments from logs by log ID and attachment ID.
PRJ-14215, PRJ-14216, PMTR-56300
Security Gateway
In a rare scenario, the Security gateway may crash if the rulebase contains a logical server object.
PRJ-11751, PMTR-52426
Security Gateway
Citrix file download may fail when the Mobile Access blade is enabled.
Fix is relevant for Gaia 3.10 only.
PRJ-14041, PRHF-11743
Security Gateway
When routing separation (MDPS) is enabled, interface statistics in CPView may not show information.
PRJ-11765, PRJ-13278, PMTR-41719
Security Gateway
"cpas_glue_psync_h: No synced opaque" error messages may appear in dmesg as a result of the synchronization of the members in the cluster. Refer to sk167033.
PRJ-13380, PRJ-13381, PMTR-54897
Security Gateway
In some scenarios, Security gateway generates an ICMP error with wrong IP address. Refer to sk167953.
PRJ-11742, PRJ-13464, SWG-2533
Security Gateway
Improved connectivity in a specific flow when ICAP Client is enabled with Trickling 3.
PRJ-11416, PRJ-13986, PRHF-9776
Security Gateway
In some scenarios, NAT log shows source port 0 even though a port was allocated.
PRJ-14481, PRJ-14482, PMTR-54946
Security Gateway
When moving context in MDPS with mplane or dplane and bash logging is enabled, the "grep" command is executed.
PRJ-12619, PRJ-12620, PMTR-45782
Identity Awareness
After the user disables and re-enables the Identity Collector in SmartConsole, the Identity Collector may fail to connect to the PDP Gateway again.
PRJ-13565, PRJ-14135, PRHF-561
Identity Awareness
In some scenarios, when the user changes the TACACS+ server to a different one, the configuration is applied only after an MDS reboot.
PRJ-8712, PRJ-14177, PRHF-7978
Identity Awareness
In some scenarios, Dynamic ID authentication fails when SMS server returns HTTP status code 2xx but not 200 or 202.
PRJ-12502, PRJ-13929, PRHF-10481
Identity Awareness
In some scenarios, Identity Awareness counters in cluster environments show zero.
PRJ-13514, PRJ-13515, PMTR-55246
Identity Awareness
In some scenarios, a XFF allowed proxy list is enforced only for instance 0 in VSLS environment after VS has transitioned from Backup to Active.
PRJ-13597, PMTR-55344
HTTPS Inspection
In some scenarios, web traffic is blocked with "HTTP parsing error occurred" and "parameters are undecodable in request" errors.
PRJ-7278, PRHF-7027
Application Control
In some scenarios, Application Control updates cannot be initiated on Gateways without Application Control enabled, even though URL Filtering is enabled.
PRJ-13601
Anti-Malware
In some scenarios, some emails may not be scanned by Anti-Bot's Suspicious Mail Protection when IPv6 is configured.
PRJ-8326
Anti-Malware
In some scenarios, the EICAR Anti-Virus test file may not be detected when transferred by SMB protocol.
PRJ-10662, PRHF-9289
Anti-Malware
In some scenarios, a "Feed Error" message appears when the user fetches a Custom Intelligence Feed. Refer to sk165932.
PRJ-10768, PRHF-8926
Internal CA
In some scenarios, no SIC between R80.x Security Management and R77 Security gateway after ICA certificate replacement procedure described in sk158096.
PRJ-11628, PRJ-11552
SecureXL
In some scenarios, MCAST packets may not be accelerated on a PIM-SM RP Gateway.
PRJ-14077, PRJ-14078, PMTR-56026
SecureXL
For some topologies, RIPV2 neighbors may be missing. Refer to sk167934.
PRJ-14218, PRJ-14248
ClusterXL
In some scenarios, SmartConsole shows ClusetXL status as "is not responding". Refer to sk168187.
PRJ-11195, PRHF-9801
ClusterXL
In some scenarios, "fw ctl affinity" and "sim affinity" commands show wrong IRQ numbers. Refer to sk166356.
PRJ-14010, PRJ-14011, PRHF-11326
CoreXL
ESP traffic is dropped on a Security Gateway that forwards the VPN traffic. Refer to sk167973.
PRJ-11450, PMTR-51868
Gaia OS
NEW: Added support for Smart-1 3150/3050 SAN and 'show asset' line cards for SAN.
PRJ-12833
Gaia OS
NEW: Added a Fail-open card support for new appliance line ( for Gaia 3.10 ):
CPAC-4-1C-BP-C
CPAC-2-10FSR-BP-C
PRJ-7271, PRHF-7124
Gaia OS
In some scenarios, adding a Gaia user may result in a high number of zombie sh processes. Refer to sk164259.
PRJ-13479, PMTR-55154
Gaia OS
Intake and outlet temperature sensors display incorrect values on 15400 appliance.
PRJ-10801, PRJ-14285, PMTR-56454
Gaia OS
In some scenarios, due to backup compression errors, restoring a backup does not restore all files.
PRJ-13269, PRJ-13270, GAIA-7496
Gaia OS
In some scenarios, the value for Voltage/Fan/Temperature sensor may appear as "NotValid".
PRJ-12761, PMTR-52834
Gaia OS
In some scenarios, the WebUI shows unknown HDDs that are not part of RAID.
PRJ-11497, PRJ-11498, PMTR-51462
Gaia OS
In some scenarios, the PSU status is reflected even if there is no PSU on the appliance.
PRJ-10351, PRJ-13644, PRJ-13646, PRHF-8760
Gaia OS
In rare scenarios, clish consumes 100% CPU when the user runs a Tenable scan. Refer to sk166195.
PRJ-11809, PRJ-11810, PRHF-9221
Gaia OS
Only 1024 characters of a cron jobs output are displayed when using show cron jobs from clish. Refer to sk167632.
PRJ-12421, GAIA-7499
Gaia OS
In some scenarios, concurrent CIFS mount/umount processes to the same Windows machine may crash the kernel.
PRJ-14419, PRJ-14413, PRHF-11683
Gaia OS
In some scenarios, the snapshot creation fails because of compression errors.
PRJ-10801
Gaia OS
In some scenarios, because of backup compression errors, restoring a backup does not restore all files.
PRJ-13650, PRJ-13744, PRJ-13745
Gaia OS
In some scenarios, SNMPD daemon unexpectedly exits with core dump, causing the SNMP service to become unavailable.
PRJ-13720, PRJ-13722
Gaia OS
In some scenarios, a snapshot creation may fail.
PRJ-11683, PRJ-11365
Routing
NEW: Performance improvement for multicast packets in SecureXL (fast path) when there are no multicast listeners.
PRJ-13977, PRJ-13978, PRHF-11680
Routing
UPDATE: The logging of "aspath-regex" and "community-regex" routemap fields is now disabled by default and can be enabled through the trace log.
PRJ-13925, PRJ-13980, PMTR-54829
Routing
UPDATE: Increased the configuration limits of the BFD timers for detect multiplier, minimum RX interval, and minimum TX interval to 255, 255000, and 255000, respectively.
PRJ-13352, PRJ-13353, PMTR-54833
Routing
In some scenarios, routed process generates an assert when the user runs the "dbget -rv iclid" command.
PRJ-7519, PMTR-23165
Mobile Access
In some scenarios, Mobile Access end-users become disconnected from their Citrix sessions after policy installation.
PRJ-7392, PRHF-1886
Mobile Access
Logs regarding protection level compliance for SNX applications may refer to the general authorization policy rather than to the protection levels.
PRJ-13728, PRJ-13729, PMTR-54159
Mobile Access
In some scenarios, Web application SSO credentials are not displayed correctly in the 'Credentials' dialog when the application's destination hostname is configured as an IP address.
PRJ-11804, PRJ-12125, VPNRA-357
VPN
In some scenarios, an incorrect IPSec counter may be displayed with cpstats / SmartView Monitor / SNMP in a ClusterXL environment. Refer to sk167297.
PRJ-14203, PMTR-49502
VPN
"vpn_trap_multik: - wrong header length 36 != 72" message may appear in the vpnd.elg when working with multiple users with the same credentials.
Fix is relevant for Gaia 3.10 only.
PRJ-2619, VPNS2S-445
VPN
VPN stability was improved for some scenarios.
Fix is relevant for Gaia 3.10 only.
PRJ-12890, PRJ-13332, PRHF-10685
VPN
IKEv2 rekey may fail when the resolved peer IP address is not the main IP address. Refer to sk166897.
PRJ-12464, PRJ-13470, PRHF-388
VPN
In a rare scenario, Security Gateway may crash when using Remote Access VPN with L2TP clients.
PRJ-15988, PRJ-15983, PRJ-15984
VPN
Starting from R80.30 Jumbo Hotfix Take 210, clients that do not support MFA (such as Mac OS and iOS) cannot connect as Remote Access clients if MFA is enabled. Refer to sk168493.
PRJ-13407, PMTR-54443
VPN
In rare scenarios, the Global Domain Assignment view shows that a Global Domain Assignment is in the 'up to date' state even though it is not.
PRJ-13341, PRHF-1164
VPN
In some scenarios, L2TP client fails to connect with "failed to write L2TP session params to kernel" error in vpnd.elg file. Refer to sk167636.
PRJ-13529, PRJ-13531, VPNRA-398
VPN
In some scenarios, Remote Access VPN users are not matched against the Access Control policy and traffic is dropped. Refer to sk167432.
PRJ-2020, VPNS2S-445
VPN
VPN stability was improved for some scenarios.
PRJ-15240, PRHF-12039
VSX
VSs load up in parallel from boot/after cpstart from VS0.
Fix is relevant for Gaia 3.10 only.
PRJ-14150, PRHF-11651
Endpoint Security
In some scenarios, no audit logs are shown regarding object changes in SmartEndpoint virtual groups and FDE pre-boot users. Refer to sk167907.
PRJ-14131, PRHF-7699
Endpoint Security
In some scenarios, the user cannot get an FDE Offline Management File (cpomf) for an offline group in SmartEndpoint if this group or a directory in its path has special characters \ _ %.
R80.30 Jumbo HotFix - General Availability Take 215 (06 July 2020, GA from 04 August 2020)
PRJ-11587, PRHF-9260
Security Management
In some scenarios, when using Rulebase Search, the 'number of rules' section is incorrect. Refer to sk166003.
PRJ-12025, PMTR-51885
Security Management
NEW: Tasks that fail to complete within 18 hours will be stopped automatically and appear as failed. Refer to sk166455.
PRJ-12274, PMTR-53007
Security Management
In Management HA configuration, a hotfix installation may incorrectly fail during the verification phase.
PRJ-10058, PRHF-8924
Security Management
In some scenarios, Security policy deletion or installation may fail when there are many Application Control objects used in this policy.
PRJ-12670, PMTR-52789
Security Management
If an administrator searches for a certain text in SmartConsole, it may cause the Management Server to become inaccessible until a restart.
PRJ-13152, CPM-2811
Security Management
In rare scenarios, a session becomes unusable, and one or more of the following may occur:
The user is not able to log in and make changes with this session.
NEW: Added ability to log in to the Management Server with SmartConsole while MDS Backup is running.
PRJ-12205, PRHF-10405
Multi-Domain Management
In some scenarios, changes to a .def file in $FWDIR/lib might be reverted when creating a secondary CMA.
PRJ-11508
Multi-Domain Management
A migration from the Security Management Server to a Domain on a Multi-Domain Management Server may fail with: “didn't find ObjectStoreSessionEntity for session <uuid> return null" error in the cpm.elg file.
PRJ-8497, PMTR-48272
Multi-Domain Management
The "Recent Tasks" and "Install Policy Preset" views in MDS Domain might include Domain names, policy packages, and Gateways names. This information is not filtered according to the administrator's permission profile.
PRJ-9602, PRHF-8502
Multi-Domain Management
In environments with more than five Multi Domain servers, changes to objects might not be reflected in the logs.
PRJ-12485, PRHF-10330
Multi-Domain Management
Multi-Domain Administrator configuration for RADIUS authentication might show local Domain Radius servers and groups.
PRJ-12965, PRHF-10944
Multi-Domain Management
In some scenarios, certain deleted domain level objects are visible in the SmartConsole at the MDS level.
PRJ-13033, PRHF-10917
Multi-Domain Management
Global Policy reassignment may fail after performing the IPS update in the Global domain.
PRJ-12555, PRHF-10523
Multi-Domain Management
In some scenarios, updating firewall_properties in GuiDBedit in the MDS context fails. Refer to sk42184.
PRJ-12776, PMTR-52320
SmartConsole
NEW: Added API commands for user, user-template, user-group and identity-tag.
PRJ-12900, PMTR-53694
SmartConsole
NEW: Added more information on each Management API call to api.csv.
PRJ-11258, PRHF-9106
SmartConsole
In some scenarios, Inspection Settings view under the General tab is blank.
PRJ-12454, PMTR-37222
SmartConsole
In some scenarios, a calculation of UIDs for irrelevant rules may result in the "Cannot insert a rule into its own sub rulebase" validation error.
PRJ-12810, PMTR-53855
SmartConsole
When using the Management API "show-objects" command to show OPSEC application objects, it may fail with "Requested object [OBJECT ID] not found".
PRJ-12973, PMTR-51691
SmartConsole
When a VSX Cluster object is edited, no changes are made and the "Topology has changed. Please reinstall Security Policy" message is always displayed after clicking OK, even if no changes are made.
PRJ-12445, PRHF-8488
SmartConsole
In some scenarios, IPS update tasks may stuck when multiple machines are attempting an update within the same time frame.
PRJ-12458, PRHF-8968
SmartConsole
In some scenarios, IPS update may be locked with the message "IPS management update is locked by Scheduled update" .
PRJ-12210, PMTR-52897
SmartConsole
When running the "show-domain" API command, the "active" field may be missing from the reply.
PRJ-10670, PMTR-49128
SmartView
In SmartView, when using a language other than English, an error may occur when drilling down on a widget.
PRJ-10200, PRHF-9019
SmartView
SmartView may show "query failed" error message when creating table widget with filter by source/destination host name. Refer to sk119056.
PRJ-11432, PRHF-8506
SmartProvisioning
The SmartProvisioning application may hang when the user adds/edits Dynamic Objects in the LSM Gateway object editor.
PRJ-11501, PRJ-11502, PMTR-52209
Security Gateway
NEW: Added "Hold" override for unsupported protocols (i.e. GRE). Refer to sk148432.
PRJ-11695, PRJ-12363, PRHF-9799
Security Gateway
In a rare scenario, access rules with service type of "other" may not be matched correctly. Refer to sk166365.
PRJ-13204, PRJ-13205
Security Gateway
In rare scenario, a traffic outage may occur when time objects are used in the access policy.
PRJ-8675, PRJ-10168, PMTR-38384
Security Gateway
In some scenarios, "simple_debug_filter_unset: unsetting debug filter when no filter is set" messages may appear in dmesg. Refer to sk165675.
PRJ-12732, PMTR-53779
Security Gateway
In a rare scenario, memory is not freed correctly in the routing mechanism.
Fix is relevant for Gaia 3.10 only.
PRJ-12101, PMTR-41300
Security Gateway
In some scenarios, when running "fw monitor" with the "-e" flag, SecureXL traffic is not filtered, and all traffic is displayed. Refer to sk166592.
PRJ-12236, PRJ-12379, PRHF-10039
Security Gateway
In a rare scenario, Security Gateway memory consumption may increase when the Anti-Virus blade is enabled.
PRJ-13075, PRJ-13076, PMTR-54306
Security Gateway
When HTTPS Inspection is enabled using layer-2/bridge, traffic may be dropped when deciding the outgoing interfaces.
PRJ-5540, PRJ-5541, PMTR-39046
Security Gateway
Added ability for fw monitor to support monitoring traffic on Acceleration Card.
PRJ-13089, PRJ-13090, PRHF-11016
Security Gateway
CPView Utility may not display speed and driver.
SNMP does not use custom OID, dplane OID mapping to mplane.
Some connections through mplane on Standby member may be dropped.
PRJ-9047, PRHF-8153
Threat Prevention
The number of overrides in Threat Prevention policy -> Profile -> Overrides may also show inactivated overrides, with mismatched information between "override" and "User Modified".
PRJ-12831, PRJ-12432, PRHF-11043
Threat Prevention
In a rare scenario, when Threat Prevention Forensics feature is enabled, memory usage may rise on the Security gateway due to failures in memory release flow.
PRJ-12394, PRJ-12383, PMTR-45311
Threat Prevention
In some scenarios, policy installation fails with "Error code 0-2000111".
PRJ-12766, PRJ-12790, TEX-1762
Threat Extraction
In rare scenarios, the watermark_cp_file_convertd daemon used by Threat Extraction may restart frequently, causing high CPU usage. Refer to sk168318.
PRJ-12339, PRJ-12340, PMTR-53146
URL Filtering
In a rare scenario, policy installation may fail with "Error code: 0-2000112" if the URL Filtering blade is active while no other feature or blade is enabled.
PRJ-13116, PRJ-13117, PMTR-52580
DLP
Improved DLP functionality when working with IDA MUH1 and MUH2 agents.
PRJ-12468, PRJ-13511, PMTR-38976
Anti-Malware
In rare scenarios, Security Gateway crashes during CIFS traffic when the Anti-Virus blade is in Hold mode and the CIFS feature is enabled for Anti-Virus or Threat Extraction (see sk101606).
PRJ-13109, PRJ-13238, PRHF-11112
HTTPS Inspection
In some scenarios, HTTPS websites may show corrupted text when HTTPS Inspection and Anti-Virus are enabled.
PRJ-11059, PRHF-9354
Application Control
In some scenarios, Application Control update task may get stuck indefinitely when it is executed as part of Global Policy assignment.
PRJ-12165, PMTR-52106
Application Control
In some scenarios, Application Control updates in Multi-Domain High Availability environments may get stuck when multiple updates from different Domains/Multi-Domains take place simultaneously.
PRJ-10157, PRHF-8586
Logging
"UserCheck Reference ID” field is missing from logs when the message of the UserCheck customized page is modified and does not contain the text "reference:". Refer to sk165355.
PRJ-11888, PRHF-10057
Logging
In some scenarios, searching for logs using "client_name" in the logging tab returns no values.
PRJ-4738, PRJ-4737
Logging
In environments that use certain mail servers, sending a report using SmartView may not work properly.
PRJ-4610, PRHF-5209
Logging
When trying to open a Forensic report in SmartLog, the "Error getting report." message may appear if there is a network object configured with the same IP address as that of the Endpoint Security Management Server
PRJ-12285, CLUS-1752
ClusterXL
ClusterXL in Load Sharing mode may drop traffic after a cluster member is rebooted, due to inconsistency of MAC addresses saved in the Firewall kernel and in SecureXL kernel.
PRJ-12709, PRHF-10849
ClusterXL
In some scenarios, a Cluster member forwards ICMP replies via its Sync interface after being rebooted.
PRJ-12550, PRJ-12549, PRHF-10647
SecureXL
NEW: Added tunable kernel parameter "adp_mc_rt_hold_queue_len" to adpkern.conf to eliminate multicast packet drops at the start of a connection (when large bursts of multicast traffic are expected).
PRJ-12174, PRJ-12641, PRHF-10228
SecureXL
In some scenarios, TCP traffic containing the TCP Fast Open option may be dropped by the Security Gateway.
PRJ-11365
Routing
NEW: Performance improvement for multicast packets in SecureXL (fast path) when there are no multicast listeners.
Fix is relevant for Gaia 3.10 only.
PRJ-12802, PRJ-12803, ROUT-541
Routing
In some scenarios, when processing BGP ECMP routes, routed may unexpectedly exit, resulting in loss of BGP adjacency.
PRJ-12798, PRJ-12799, ROUT-530
Routing
In some scenarios, there may be a loss of BGP adjacency when displaying BGP routes with very long AS paths or large numbers of BGP communities.
PRJ-12072, PRJ-6149
Gaia OS
NEW: Added support for Jumbo Hotfix installation on Check Point 3800, 6400, 6700, 7000, 16200, 16600HS, 28000 and 28600HS appliances. Refer to sk110052, sk139932 and sk152733.
In some scenarios, the xmlUpgradeExec process may unexpectedly exit during Jumbo Hotfix installation. As a result, the configuration file may not be created correctly. Upon login, the following error message may appear: "/etc/appliance_config.xml:1: parser error : Document is empty /etc/appliance_config.xml:1: parser error: Start tag expected, ^^^ not found".
PRJ-12812, GAIA-7625
Gaia OS
The activate_sw_raid utility may fail due to incorrect disk names.
Fix is relevant for Gaia 3.10 only.
PRJ-12248, PMTR-52663
Gaia OS
UPDATE: on Smart-1 410:
Line card 1 model PE2G2SFPi35*-CP* is changed to CPAC-2-1F-SM*-C*
Line card 2 model PE210G2SPI9A-XR*-CP* is changed to CPAC-2-10F-SM*-C*
PRJ-3026, PRJ-13311, PRHF-4557
Gaia OS
Backup on Gaia machine may fail with "Cannot complete the backup process: not enough space". Refer to sk98609.
PRJ-11620, PRHF-10009
Gaia OS
When a bond exceeds 60GB/s, ethtool may report an incorrect speed of the bond interface.
PRJ-8949, GAIA-7018
Gaia OS
In some scenarios, interface names may not correspond to the correct ports on 4-ports 10GbE SFP+ Rev 1.1 on 12200/4200/4400/4600/4800/TE250 appliances.
PRJ-12791, PRJ-12518, PRHF-10672
Gaia OS
In some scenarios, a backup on a Gaia device with Threat Emulation Blade enabled may fail with "Cannot complete the backup process: not enough space". Refer to sk166833.
PRJ-8621, PRJ-11119, PRHF-7485
VPN
Improved the VPN connectivity with DAIP peers when Tunnel Monitoring is enabled. Refer to sk164933.
PRJ-11723, PRHF-2844
VPN
Added L2TP Remote Access client connectivity improvements. Refer to Scenario 2 in sk145895.
Fix is relevant for Gaia 3.10 only.
PRJ-12178, PRJ-12309, VPNRA-364
VPN
Connectivity improvements for Remote Access VPN using Traditional mode.
PRJ-12194, PRHF-9885
VPN
A connectivity issue may occur when a non-encrypted VPN tunnel is used with IKEv2. Refer to sk167902.
PRJ-13105
VPN
In some scenarios, packets are dropped on proposal unmatched, although the VPN tunnel is established. Refer to sk122438.
PRJ-11244, PRJ-12418, PRHF-9628
VoIP
SIP calls with NAT (SIP packet with no SDP but content-type=sdp) may fail to open correctly.
PRJ-9104, PRJ-9929, PRHF-7758
VoIP
In a rare scenario, Security gateway crashes when passing SIP traffic. Refer to sk166474.
PRJ-12623, VSX-2219
VSX
In a rare scenario, creating new VSX and pushing configuration may cause the cluster members to crash.
Fix is relevant to Gaia 3.10 only.
PRJ-13077, PRHF-10978
VSX
When performing a provisioning operation in VSX, process may hang on "Pushing configuration to ...". Refer to sk167175.
PRJ-10416, MAGB-781
Mobile Access
Some Web applications published by Mobile Access Blade may not work in Host Translation mode.
PRJ-12601, PRJ-12602, PMTR-53442
Mobile Access
Mobile Access ActiveSync session timeout may not update properly, generating repeated error messages in the cvpnd.elg debug output.
PRJ-11836, PRHF-10015
Endpoint Security
An error in FDE preboot users calculation might cause Endpoint to be left in a disconnected state. Refer to sk142313.
PRJ-11690, PRHF-9169
Endpoint Security
The following may occur in installations with Media Encryption (refer to sk166074):
Unable to log in with SmartEndpoint
External devices do not appear in the "Discovered Devices" report
Errors in the server_messages.log related to PSQLException on MeSimilarDiscoveredDevicesSelect
PRJ-11822, PRHF-5833
Endpoint Security
In some scenarios, SmartEndpoint doe not update info in reports about devices when the user is logged out. Refer to sk164035.
PRJ-11143, PRHF-9706
Endpoint Security
Local users might not be displayed under the selected machine in the "Users and Computers tab" in SmartEndpoint. Refer to sk166316.
PRJ-11832, PRHF-8234
Endpoint Security
The Endpoint directory scanner may fail to reconnect to the AD if the connection was lost during the scan.
PRJ-11840, PRHF-9304
Endpoint Security
Cannot delete the client MSI package from SmartEndpoint because of previously deleted FDE offline group.
PRJ-11815, PRHF-9151
Endpoint Security
When a user name is updated in SmartEndpoint, the change may result in an unexpected expiration date. Refer to sk165872.
PRJ-11828, RHF-7087
Endpoint Security
SmartEndpoint might export a report to Excel in which incorrect distinguished names appear for deleted users/devices. Refer to sk163943.
PRJ-11824, PRHF-6365
Endpoint Security
Users/devices may not change their locations in the tree according to Active Directory changes when certain special characters appear in the names.
PRJ-11819, PRHF-9157
Endpoint Security
The default paths for offline folders in SmartEndpoint -> Offline group creation wizard may be incorrect.
PRJ-12691, MB-731
Compliance
Compliance blade may show incorrect Best Practice status if one or more relevant network objects for that Best Practice is in status "N/A".
R80.30 Jumbo HotFix - General Availability Take 214 (30 June 2020, GA from 14 July 2020)
PRJ-13803
Security Management
Upgrade to R80.30 Jumbo HotFix Ongoing Takes 210 and 213 from R80.20 Jumbo HotFix Take 161 fails.
R80.30 Jumbo HotFix - Ongoing Take 213 (23 June 2020)
PRJ-13688, PRJ-13686
Security Management
In some scenarios, when using many management API calls in parallel, the output is not consistent. Refer to sk167509.
PRJ-8256, PMTR-36367
Security Management
FWM and\or INDEXER processes may repeatedly stop when there are more than ~500K network objects declared. Refer to sk164452.
R80.30 Jumbo HotFix - Ongoing Take 210 (26 May 2020)
PRJ-11386, PMTR-52087
Security Management
NEW: Significant performance improvement for policy installation time when many groups are defined on the Management Server.
PRJ-10900, PMTR-49801
Security Management
NEW: Set values for environment variables on the Management Server that will remain there after a Management Server upgrade, as well as Backup/Restore and Export/Import of the Management Server. Refer to sk165938.
PRJ-11009, PMTR-46009
Security Management
NEW: Added ability for R80.30 Security Management or Multi-Domain Server to manage 7000 and 28000 Check Point appliances.
"Policy installation had failed due to an internal error. If the problem persists please contact Check Point support" message may be displayed on policy installation failure. Refer to sk149093.
PRJ-8793, PRJ-8831 VPNRA-316
Security Management
Improved the Access Control Policy installation time for environments with high amount of objects and enabled IPSEC VPN blade. Refer to sk166321.
PRJ-8416, PRHF-7865
Security Management
When the user runs the 'add-domain' Web API command on an existing Domain, the original Domain is deleted.
PRJ-9214, PRHF-8370
Security Management
Logging into SmartConsole to the Standby Management Server with a Radius or TACACS user may fail after changing the shared secret on the Radius or TACACS object.
PRJ-10472, PMTR-49832
Security Management
In a rare scenario, export from the previous version does not complete because the Postgres dump_all process gets stuck.
PRJ-11523, PRHF-9981
Multi-Domain Management
In rare scenarios, upgrading the Multi-Domain Server fails to upgrade some Domain Servers with "IllegalArgumentException" in the upgrade log.
PRJ-12065, PRHF-10327
Multi-Domain Management
The FWM process of domains may not stop after the user runs mdsstop or mdsstop_customer.
PRJ-11073, PMTR-51815
SmartConsole
NEW: Added ability to reset the following network object fields to be empty through the Management API: ipv4-address, ipv6-address, subnet4, subnet6, mask-length4, and mask-length6.
PRJ-11905, PRHF-10275
SmartConsole
In rare scenarios, certain domain level objects may not be visible in SmartConsole at the MDS level.
PRJ-5103, PMTR-40942
SmartConsole
"An internal error has occurred" message may pop up when the user tries to modify a Revision's description.
PRJ-11458, PRHF-9941
SmartConsole
Unable to delete Snort protections in Multi-Domain environment - they still exist after deletion.
PRJ-12955, PRHF-10916
SmartConsole
Global Policy reassign in MDS may fail with 'An internal error has occurred' message after adding overrides to Snort protections.
PRJ-11391, PRJ-9293
SmartConsole
When running Management API commands, the default values for 'dereference-group-members' and 'show-membership' flags may change from "True" to "False".
PRJ-7746
Smart Provisioning
The security profile may not be visible on the new 1500 LSM Gateway wizard.
PRJ-9741, PRJ-10976, PMTR-51721
QoS
Packets to the broadcast IP address (255.255.255.255) may cause dmesg to fill with “fg_classify_and_offload_all_ifdirs: fglogRulename Failed.” messages.
PRJ-11928, PRJ-11960 PRJ-11897
QoS
In some scenarios, SmartView Monitor shows "No Match" rule on QoS traffic.
PRJ-9381, PRJ-9388
Security Gateway
NEW: Added DNS Passive Learning feature for enhanced non-FQDN domain objects & updatable objects matching. Refer to sk161612.
PRJ-9017, PRJ-9512 PRHF-4623
Security Gateway
NEW: Added support for the bridge configuration when packet is passing via the Security gateway twice.
PRJ-8883, PRJ-9380, PRHF-7048
Security Gateway
In a rare scenario, Security gateway may crash when activating a web parsing debug.
PRJ-1214, PRJ-10896, PRHF-3652
Security Gateway
In a rare scenario, the Security Gateway may crash due to a NULL pointer reference.
PRJ-11530, MUX-319
Security Gateway
In a rare scenario, Security gateway may crash while connection is closed while being held.
PRJ-4092, PMTR-35130
Security Gateway
Using spaces in the $FWDIR/boot/modules/fwkern.conf file may cause long reboot time.
PRJ-2411, PRJ-10978 PRHF-4282
Security Gateway
DCE-RPC traffic may be dropped because of a drop template that is incorrectly created for the ALL_DCE_RPC service.
PRJ-5730, PRJ-10926, PRHF-6035
Security Gateway
In some scenarios, SIP traffic may be dropped by Anti-Spoofing with "fw_early_sip_nat Reason: spoofed packet on SIP traffic" error in dmseg although it is set to"detect".
PRJ-9838, PMTR-48719
Security Gateway
When ISP Redundancy is configured on a cluster, the backup ISP link status may show as down even though the link is up.
PRJ-9122, PRJ-8907
Security Gateway
Connections may be dropped when "keep all connections" is configured during policy installation. Refer to sk166212.
PRJ-7334, PMTR-45346
Security Gateway
In some scenarios, a standby cluster member may crash when it starts handling the IPv6 traffic. Refer to sk166655.
Fix is relevant for Gaia 3.10 only.
PRJ-8616, PRJ-9511, PMTR-46465
Security Gateway
In some scenarios, the uc_log_suppression_data table may reach its limit and "uc_log_suppression_set_entry: Failed storing log data in log suppression table" error appears in /var/log/messages file.
PRJ-8296, PRJ-8297, PRHF-5333
Security Gateway
In some scenarios, there may be connectivity problems with DHCP traffic.
PRJ-8687, PRJ-8628, PMTR-39579
Security Gateway
When bridge rerouting is enabled, Management/local traffic may be allowed over a Gateway bridge.
PRJ-11954, PRJ-11955, PMTR-52583
Security Gateway
In a rare scenario, Security Gateway may crash due to NULL pointer reference.
PRJ-10845, PRJ-10836 PRHF-1898
Application Control
NEW: Gateway status will reflect Application Control and URL Filtering updates.
PRJ-8238, PMTR-47855
IPS
In some scenarios, Threat Prevention policy installation may fail when the Threat Prevention profile performance impact is configured to "Very Low".
PRJ-6151, PMTR-32830
IPS
In rare scenario, a memory leak may occur if there is HTTP 206 partial content.
PRJ-9488, PMTR-46123
IPS
After an upgrade, policy installation may not update the IPS version on the gateway if the "IPS scheduled update" option was changed before the upgrade.
PRJ-10938, PRJ-10939, PMTR-51681
IPS
In a rare scenario, the fw_full process may unexpectedly exit.
PRJ-9449, PRJ-9546, PRHF-8530
IPS, VSX
In some scenarios, SmartConsole shows "No license" and "Contract is expired" for IPS blade in VSX. Refer to sk164917.
PRJ-10096, PRJ-10266, PMTR-40198
Identity Awareness
NEW: Added support for LDAP automatic group update feature in Identity Collector.
PRJ-11853, PRJ-11851
Identity Awareness
NEW: Added Terminal Server agent v2 (aka MUH2) support for R80.30 Security Gateway. For more information, see sk134312.
PRJ-5231, PRJ-10933, PRHF-4808
Identity Awareness
Failure in LDAP groups membership query for specific user that was reported by MUH agent, may cause all users under the same MUH agent to be removed from the PDP database.
PRJ-10224, PRJ-10257, PMTR-39175
Identity Awareness
In a rare scenario, there is a memory leak in the IDA daemon pepd.
PRJ-9393, PRJ-9394, PMTR-49565
Identity Awareness
NEW: Performance improvement in the automatic LDAP group update feature.
PRJ-10386, PRJ-10894 IDA-2719
Identity Awareness
In a rare scenario, identity session groups and access roles may disappear following a policy installation.
PRJ-11614, PRJ-11616, IDA-1828
Identity Awareness
In a rare scenario, a memory leak, related to the Identity Awareness flow, may occur in the kernel.
PRJ-10329, PRJ-12342, ACCL-547
Anti-Virus
In some scenarios, dmesg shows many "cmik_loader_fw_context_match_cb: match_cb for CMI APP 11 failed on context 249" messages.
PRJ-10129, PRJ-10367, TEX-1670
Threat Extraction
"An error has occurred while adding watermark to file" error may appear while adding watermark to a file. Refer to sk165594.
PRJ-9934, PRJ-10739, PMTR-49938
HTTPS Inspection
In some scenarios, when the minimum version of HTTPS Inspection is set to TLS 1.1, some websites may unexpectedly exit. Refer to sk165555.
PRJ-6957, PRJ-11154, PMTR-31108
Anti-Malware
In some scenarios, dmesg may show the following errors: "cmik_loader_fw_context_match_cb: m atch_cb for CMI APP 3 failed on context 56, executing context 366 and adding the app to apps in exception".
PRJ-10969, PRJ-10990, SWG-2484
DLP
NEW: Reading and sending files from the registry by DLP was optimized.
PRJ-9328, PRJ-10860, PRHF-8152
DLP
Improved the scanning time of files for some scenarios in SMTP and HTTP/S.
PRJ-9693, PRJ-10861, PRHF-8503
DLP
In some scenarios, DLP prints wrong error message in the log.
PRJ-5022, PRJ-10466, PRHF-5528
DLP
The DLP engine may incorrectly process the file if the file name is missing in the connection header.
PRJ-9774, PRJ-10863, PRHF-8847
DLP
In some scenarios for SMTP, when an internal user sends an email, the DLP logs may show the topology as "external to external" instead of as "internal to internal".
PRJ-10423, RJ-10811, PMTR-39431
DLP
In a rare scenario, when Security Gateway is configured as proxy, the HTTP traffic may be not scanned by DLP.
PRJ-10855, PRJ-10854
DLP
DLP stability for some scenarios was improved.
PRJ-9190
Logging
NEW: Added support for viewing MITRE ATT&CK fields.
PRJ-9316, PRHF-8166
Logging
Logging view may show results from the wrong day if the server Time Zone is configured to use half/quarter hour deviations from standard time.
PRJ-8922, PRHF-8148
Logging
When the user searches logs in the "Logs and Monitor" tab in SmartConsole and applies a filter using the "?" wildcard, incorrect logs may be returned.
PRJ-4136, PRHF-2711
Logging
In some scenarios, it may not be possible to filter logs by the field "IKE IDs:" when searching the log files directly.
PRJ-10358, PMTR-46596
Logging
Log_indexer may unexpectedly exit on a SmartEvent server with a large number of CPUs (32 and up), and\or when the total number of log servers declared in correlation units is above 30.
PRJ-8213, PRHF-7592
Logging
"Problem has occurred during search < External Log server > Disconnected" error may appear in "Logs & Monitor" tab after creating dummy object for NAT.
PRJ-11006, PRHF-9292
Logging
In some scenarios, changes made to Network Objects on the Security Management Server are not reflected in the logs view. Refer to sk166493.
PRJ-9193, PMTR-42449, SL-3104
Logging
After synchronization, MLM / Secondary MDM may have different log policy configuration. Refer to sk165692.
PRJ-1525, SL-2379
Logging
In some scenarios, Autosuggestion does not complete in SmartConsole's "Logs & Monitor" tab for users who do not have super user privileges. Refer to sk155252.
PRJ-11362, PMTR-51655
Logging
In a rare scenario, the CPD process on a Security Management Server that manages R77.30 Security Gateway may unexpectedly exit.
PRJ-9706, PRHF-7716
Logging
The FWD process may unexpectedly exit if one of the following changes were made using GuiDBEdit:
Change to log forwarding timing
Change to log switch timing
PRJ-9127, PRJ-9128, PMTR-46873
SecureXL
NEW: Added acceleration support for Ethernet Over IP Tunneling (EOIP). EOIP is RFC 3378 protocol # 97 used between Wireless AP and Wireless Cisco controller.
PRJ-9826, PRJ-9827, PMTR-50294
SecureXL
In some scenarios, SYN Defender cookie validation may fail.
PRJ-10234, PRJ-10274, PMTR-51942
SecureXL
Policy installation may fail with "Error code 0-2000240" when Drop templates option is enabled. Refer to sk165716.
PRJ-10816, PRJ-10946, PMTR-25593
SecureXL
Rule that contains dhcpv6 services, does not disable SecureXL Accept Templates. Refer to sk32578.
PRJ-8489, PRJ-8490, PMTR-48255
SecureXL
In some scenarios, held packets are incorrectly reported to the penalty box.
PRJ-4176, PRJ-11057, PRHF-5051
SecureXL
In some scenarios, there may be a length verification error with SCTP traffic.
PRJ-7418, PRJ-9669, PRHF-5522
SecureXL
In some scenarios, SecureXL drops the TCP traffic for the particular connection for invalid state reasons. This fix enables the new property per specific gateway. Refer to sk147093.
PRJ-5905, PRJ-5906, PMTR-43772
SecureXL
In some scenarios, the penalty box violation rate is calculated incorrectly.
PRJ-6124, PRJ-8690, PRHF-5797
SecureXL
In some scenarios, DOS/Rate Limiting drops too few (or too many) packets for "concurrent-conns" fw samp rules. Refer to sk112454.
PRJ-11679, PRJ-11680 PRJ-11551
SecureXL
MCAST packets may be handled incorrectly when promiscuous (tcpdump) mode is enabled for the interface.
PRJ-10001, PRJ-10002, PRHF-5120
SecureXL
Improved TCP state inspection for "Smart Connection Reuse" feature.
PRJ-12020, PRJ-12021, PRHF-10097
SecureXL
In some scenarios, ACK, FIN, and RST TCP packets are dropped, causing outages.
PRJ-12498, PRJ-12660, PMTR-52267
SecureXL
SCTP Stateful inspection and payload NAT (INIT Chunks) may not work correctly.
PRJ-11021, PRJ-11024, PRHF-3767
Routing
Active VRRP cluster member may not show full accounting information in logs. Refer to sk159432.
PRJ-5866, PMTR-43718
ClusterXL
SNMP Response for OID .1.3.6.1.4.1.2620.1.5.6 ("haState") is "Active" on all members of ClusterXL High Availability mode. Refer to sk106291.
PRJ-1502, PRJ-10922, PRHF-3839
ClusterXL
The output of the 'cphaprob routedifcs' command may be missing interfaces.
PRJ-7614, PRJ-7615, PRHF-7166
ConnectControl
Logical servers will have global table for lookups to prevent the race condition where two instances has different decisions because local sync is flushed every 0.1 sec.
Added 'fw balance' command for visibility.
PRJ-5333, PRJ-5334, PMTR-41386
VPN
NEW: Added functionality enhancements for the authentication realms that is used with Remote Access VPN.
PRJ-5702, PRJ-10024, PMTR-42483
VPN
NEW: Improved policy installation performance when the MAB blade is enabled with Legacy Policy and Native Application rules. Refer to sk175105.
PRJ-10271, PRJ-10272, PMTR-50151
VPN
NEW: 3DES is disabled by default for HTTPS Inspection, Mobile Access Portal, Identity Awareness Portal, ICA Portal, SmartManagement Portal, SecurePlatform WebUI abd Mobile Access curl. Note: Disabling 3DES will fail 3rd party OPSEC SDK 6.0 clients connectivity. To enable it, refer to sk113114.
PRJ-11643, PRJ-11750, VPNRA-353
VPN
Added Stability improvement for Remote Access VPN.
PRJ-12746, PRJ-12747, PRJ-12738
VPN
Some Remote Access clients that do not support Multi-Factor Authentication (MFA) are able to connect to a Security Gateway even though the "Allow older clients" option is disabled. Refer to sk166912.
PRJ-12992, VPNRA-384
VPN
In some scenarios, a connectivity issue appears when working with Capsule Connect.
Fix is relevant for Gaia 3.10 only.
PRJ-11920, PRJ-10869
VPN
Memory leak in VPN daemon may appear during the IP address assignment.
PRJ-8263, PRJ-9749, PRHF-7769
VPN
Server-to-Server and Client-to-Server VPN may fail when using Wire Mode while SecureXL is enabled.
PRJ-11282, PRHF-7681
VPN
In a rare scenario, vpnd process unexpectedly exits due to Segmentation fault.
Fix is relevant for Gaia 3.10 only.
PRJ-12523, PMTR-36437
VPN
In some scenarios, VPN traffic distribution change may cause high CPU consumption on one CPU core. Refer to sk165853.
Fix is relevant for Gaia 3.10 only.
PRJ-6139, PRJ-11183, PRHF-4292
VPN
In a rare scenario, the vpnd process unexpectedly exits due to memory access problem.
PRJ-4452, PRJ-11189, PMTR-40912
VPN
Improved IKEv2 negotiation flow.
PRJ-7693, PRHF-7359
VPN
Improved usability of VPN tunnel monitoring "vpn tu" command.
PRJ-10390, PRHF-1053
VPN
In a rare scenario, vpnd process unexpectedly exits due to issue in IKEv2 flow.
PRJ-8115, PMTR-49502
VPN
“vpn_trap_multik: - wrong header length 36 != 72” message may appear in the vpnd.elg when working with multiple users with the same credentials.
PRJ-8177, PRJ-11099, PRHF-7426
VPN
In a rare scenario, a memory leak in VPND may occur during the TLS key exchange in HTTPS portals.
PRJ-11483, PRJ-11485, PRJ-8726
VPN
In some scenarios, vpnd cores may be generated sporadically during boot time/cluster failovers on the Cluster Standby Member.
PRJ-11238, PRJ-11239, PMTR-42727
VPN
Added connectivity improvement for VPN over NAT traversal (UDP 4500). Refer to sk155953.
PRJ-6677, PRJ-6676 PRHF-6634
VPN
In some scenarios, NAT-T packets are going out with the wrong interface, when encrypted. Refer to sk165697.
PRJ-6719, PRHF-6672
VPN
In some scenarios, the vpnd process unexpectedly exits on cluster members.
PRJ-8889, PMTR-43850
VPN
Improved stability of VPN traffic on VSX Gateway. Refer to sk166655.
Fix is relevant for Gaia 3.10 only.
PRJ-9231, PRJ-9232, PMTR-39379
Routing
Although only OSPFv2 with Graceful Restart Helper is configured, the Critical Device OSPF3 Graceful Restart may show the "OSPF3 Graceful Restart PROBLEM Master -> Standby. Waiting for GR" message during the cluster failover.
PRJ-3618, PRJ-3615, PRHF-4829
Routing
In some scenarios, routed unexpectedly exits when receiving an LSA with a checksum value of zero.
PRJ-11543, PRJ-11544 ROUT-554
Routing
In some scenarios, routed unexpectedly exits and traffic is lost after a failover in ClusterXL when BGP and ECMP are enabled. Refer to sk166175.
PRJ-12224, PRJ-12225, ROUT-856
Routing
In some scenarios, routed process unexpectedly exits when adding an interface to OSPFv3 with a prefix length above 63 and having two or more areas.
PRJ-4236, PRJ-10925, PRHF-4250
VoIP
In some scenarios, H323 connections are dropped after "Virtual session timeout" is configured. Refer to sk156372.
PRJ-9956, PRHF-897
VoIP
In some scenarios, UA traffic is dropped when packet contains more then 9 UA's. Refer to sk135114.
PRJ-2462, PRJ-10927, PRHF-4097
VoIP
In some scenarios, MGCP traffic may be dropped by the Security Gateway with the following message in fw ctl zdebug drop: fw_mgcp_undo_earlynat: the needed early_nat request entry (with natted src) not found, dropping; fw_conn_post_inspect Reason: Handler 'mgcp_manager' drop;
PRJ-11687, PRHF-9774
VSX
The following error may appear in /var/log/messages: "Destroying alive neighbour *".
PRJ-10935, PRJ-11283, PMTR-12883
VSX
In a rare scenario, portals are not reachable after the fwk process unexpectedly exits.
PRJ-10902, PRJ-10911, PMTR-22709
VSX
In VSX cluster with VMAC mode, traffic may not pass through VSX Cluster members if SecureXL is enabled. Refer to sk138894.
PRJ-3801, PMTR-40396
Gaia OS
NEW: Added the ability to configure an IPv6 address for a LOM interface on Smart 1-525/5050/5150 appliances.
PRJ-9351, PRHF-8098
Gaia OS
Added optimization for 40GbE and 25/100GbE cards configured in multiqueue allowing better transmit performance when Hyper-Threading (SMT) is enabled.
PRJ-8007, PRJ-8008, PMTR-46037
Gaia OS
Apache API was updated.
PRJ-9221, PRJ-9222, PMTR-43418
Gaia OS
All VRRP cluster members are in Master state when using i40e driver.
PRJ-10166, PMTR-51849
Gaia OS
Smart-1 625 appliances may show RAID syncing on both RAID disks.
PRJ-11159, GAIA-6136
Gaia OS
Incorrect status may be displayed in clish for pulled PSU.
PRJ-8054, PRJ-11373, PRJ-11370, PRHF-7532
Gaia OS
In some scenarios, latency issues may occur in Clish and in the WebUI when using web scanning tools (Qualys). Refer to sk164153.
PRJ-9013, PRJ-12031, PMTR-45907
Gaia OS
In a rare scenario, machine hangs for ~10 minutes during boot. Refer to sk164268.
PRJ-7913, PRJ-7579, PRJ-7580, PMTR-42309
Gaia OS
'#', '=' and '+' characters cannot be used in "Banner" and "Message of the day" features.
PRJ-5175, PRJ-5271, PMTR-40400
Gaia OS
Any of the following may occur in vSphere on a Management appliance:
vSphere client/WebUI does not show the instance IP in the instance summary window.
vSphere client/WebUI reports that VMware tools are "not running" in the instance summary window.
Machine time/date is not synchronized with the ESX host.
PRJ-11368, PRJ-11749, PRHF-9804
Gaia OS
SNMP Trap may not be sent even though a failover occurred. Refer to sk166100.
PRJ-11535, PRHF-9858
Gaia OS
In some scenarios the snmpd process floods /var/log/messages with errors regarding parsing voltage sensor value.
PRJ-10398, PRJ-10396
Gaia OS
In some scenarios, transmit queues may stop, causing packet loss.
PRJ-11321, PRJ-11322, PRHF-6250
Gaia OS
In some scenarios, commands that were typed into Clish can be executed later on if the SSH session was uninterruptedly terminated.
PRJ-11692, PRHF-10028
Endpoint Security
In SmartEndpoint, Anti-Malware's "Top Infections" report has an empty infection name. Refer to sk166232.
PRJ-2924, PMTR-39317
Endpoint Security
Very frequently repeated "update register" requests may cause performance issues.
PRJ-5622, PMTR-43207
Endpoint Security
Endpoint Management may incorrectly show that no local Anti-Malware signatures updater is installed on the DHS-complaint engine.
PRJ-5805, PRJ-10932, VSECNSX-1211
CloudGuard IaaS
NEW: Added support for Identity Sharing with CloudGuard for NSX-V.
PRJ-7891, VSECC-1001
CloudGuard IaaS
NEW: Added support for Google Cloud Platform projects with Shared VPC. Refer to sk164139.
PRJ-10913, VSECC-1222
CloudGuard IaaS
When an Azure subnet is missing its prefix attribute, the Microsoft Azure Data Center may fail to poll data, resulting in a loss of updates to the Security Gateway.
PRJ-11025, VSECC-1231
CloudGuard IaaS
When an Azure Virtual Network Interface is missing its properties' primary attribute, the Microsoft Azure Data Center may fail to poll data, resulting in a loss of updates to the Security Gateway.
PRJ-10867, VSECC-1119
CloudGuard IaaS
In a rare scenario, the OpenStack Data Center becomes unresponsive, which results in a loss of updates to the Security Gateway.
R80.30 Jumbo HotFix - General Availability Take 196 (21 May 2020, GA from 26 May 2020)
PRJ-12850
Installation
In some scenarios, installation of a software update hotfixes on top of Jumbo Hotfix Accumulator Take 195 may fail with “Conflict found, version R80_30_JUMBO_HF_MAIN with hotfix :XXX - details: “cr:PRJ-11542 files: libfw_kern_64_us.so, libfw_kern_64_us_v6.so” message.
R80.30 Jumbo HotFix - Ongoing Take 195 (26 April 2020)
PRJ-8953, MCFG-246
Upgrade Tools
Upgrade from R80.20 to R80.30 may fail with messages related to cmsobfuscationkey.
PRJ-10629
Installation
Firmware upgrade for Small Office appliance using SmartProvisioning in Multi-Domain Management environment may fail.
PRJ-8644, CPM-2623
Security Management
NEW: Performance enhancements while the Management Server is under high load.
PRJ-8606, PRJ-8605
Security Management
NEW: Added ability to search in the Management Server by adding asterisk before any sequence of characters. For more information, refer to sk164873.
Security hardening: The Management Server will block connection requests with a TLS version below 1.2 on port 19009.
PRJ-8896, PMTR-48673
Security Management
When an administrator fails to publish another administrator’s session, the session of the other administrator disappears from the Sessions view in SmartConsole.
PRJ-7887, PMTR-46703
Security Management
In some scenarios, when the user modifies a policy rule and creates a section above it in the same session, the log tracker shows that the rule was created instead of modified.
PRJ-5794, PMTR-40790
Security Management
In some scenarios, after the user manually performs "Full Sync", a newly created secondary Domain Server or Domain Log Server is not shown in SmartConsole's Domains view.
PRJ-678, PMTR-36302
Security Management
In some scenarios, Check Point services fail to start and the CPM log shows that there are duplicate session aggregators.
PRJ-9265, PMTR-49516
Security Management
Policy verification may fail after the user does the following steps: Configures specific install targets for a policy, publishes them, changes the install targets back to "All Gateways", and tries to install them on a Gateway which is not in the original list of targets.
PRJ-6704, PMTR-44004
Security Management
In a rare scenario, when viewing the Layer History, some revisions not relevant to the selected Layer may be shown.
PRJ-8394, PMTR-45121
Security Management
In a rare scenario, tasks do not appear in the Tasks notifications bar even though they are running.
PRJ-9261, PMTR-49143
Security Management
Upgrade of Multi-Domain Server may fail when the source version is R80.10 and there is no license configured on the target machine.
PRJ-9668, PRJ-4734, PRHF-5341
Security Management
In a rare scenario, the FWD process on the Security Management may unexpectedly exit during peak hours.
PRJ-10088, PMTR-50276
Security Management
The cpm_solr process may unexpectedly exit and cause one of the following:
The upgrade of a Management machine may stuck on 58%
The Management HA synchronization may fail with "NGM failed to import data" error
Users may not be able to log in.
PRJ-9089, PRHF-8266
Security Management
In a rare scenario, when an environment has many Gateways (dozens), the FWM daemon may unexpectedly exit when 4 GB of memory is reached. Refer to sk165015.
PRJ-7819, PRHF-4644
Security Management
In some scenarios, SmartView Monitor unexpectedly terminates when the user selects the Specific QoS Rules option in Top QoS Rules.
PRJ-7768, PRHF-7425
Security Management
In rare scenarios, publishing a session fails with the following "Action Failed due to an Internal Error" error. Discarding the session in SmartConsole completes as "discarded", but the changes are still there.
The same behavior occurs in the Management API: mgmt_cli -r true discard uid <UID> number-of-discarded-changes: 4 message: "OK"
PRJ-5447, PMTR-40663
Security Management
In some scenarios, an unclear error appears when the user imports a global policy on a Multi-Domain Management Server. The error is caused by a mismatch between the leading interface defined on the machine and the one defined in the database.
PRJ-9299, PRHF-8336
Security Management
In a rare scenario, the "SmartDashboard component failed to connect to server <IP address>. Please contact technical support" error is displayed in SmartConsole when opening the Management object for editing.
PRJ-8230, PRHF-7728
Security Management
The "Unused Objects" filter in Object Explorer may display a failure message if there are more than 20000 unused objects.
A limit was added so that only the first 5000 objects will be displayed.
PRJ-9322, PRHF-8494
Security Management
In some scenarios, a disconnected SmartView Monitor session appears in SmartConsole with a grayed out 'Disconnect' option, which cannot be discarded. Refer to sk165037.
PRJ-9171, PMTR-48463
Multi-Domain Management
NEW: Performance improvement for Multi-Domain environments in which many administrators are connected.
PRJ-9236, PMTR-45644
Multi-Domain Management
NEW: Performance enhancements for the delete Domain operation.
PRJ-10746, PMTR-50936
Multi-Domain Management
In some scenarios, policy installation from the Domain Management Server fails after mds_backup procedure that was interrupted. Refer to sk165559.
PRJ-10530, PRHF-8581
Multi-Domain Management
The mds_import.sh script may fail if the IPS version for a Domain/CMA does not exist on the R80.x Multi-Domain Management Server.
PRJ-11176, PMTR-51890
Multi-Domain Management
In some scenarios, Full synchronization fails in the Global Domain with "Full sync with peer '[Peer Name]' NGM failed to import data" error. Refer to sk145972.
PRJ-10363, PMTR-51017
Multi-Domain Management
After performing Full synchronization or failover of the Global Domain, the following operations may fail (refer to sk145972):
Global Domain reassignment
IPS or Application Control updates in the Global Domain
PRJ-11166, PMTR-51180
Multi-Domain Management
In a rare scenario, synchronization between Multi-Domain Management Servers breaks after revisions purge operation.
PRJ-2630
Multi-Domain Management
In a Multi-Domain Management environment with more than 50 Domains, some Domains are not displayed in the SmartEvent GUI.
PRJ-9240, PRJ-9743, PRHF-8077
Multi-Domain Management
In some scenarios, secondary MDS or MLM fail to renew a management certificate. Refer to sk164732.
PRJ-6985, PMTR-44593
Multi-Domain Management
In some scenarios, there may be high Solr CPU on Multi-Domain Management Servers with dozens of Domains.
PRJ-9698. PRHF-8593
Multi-Domain Management
MLM may open a connection to the reversed IP address of the Multi-Domain Server.
PRJ-10526, PRHF-8686
Multi-Domain Management
Upgrade of Multi-Domain Server may fail if Sync With User Center is running.
PRJ-9281, PMTR-49566
SmartConsole
NEW: Enhancement: Two new flags were added for the performance improvement of Threat Protection API commands: 'show-profiles' and 'show-ips-additional-properties'. The default value for both flags is false.
PRJ-3771, PRHF-2388
SmartConsole
In "Top services" view of SmartView Monitor, "cp_tcp_A936..." service is displayed instead of "https" service. Refer to sk146052.
PRJ-9465, PMTR-49817
SmartConsole
In some scenarios, when the user attempts to delete a Gateway / Cluster member, an error message may appear and the operation may not complete successfully.
PRJ-4063, PRJ-71
SmartConsole
Objects of Unused Access Roles are not visible in the Object Explorer. Refer to sk151896.
PRJ-9079, API-864
SmartConsole
In some scenarios, the Management Server may unexpectedly exit following authenticated API commands to create or update objects with extremely long comments.
PRJ-9549, PRJ-9544
SmartConsole
When the user invokes the 'show-access-layer' API command, the parent layer may be missing from the output result.
PRJ-1449, PRHF-3822
SmartConsole
In some scenarios, the api.elg log is flooded with the the "Returning default standard reply class" message.
PRJ-10287, PRHF-3128
SmartConsole
"An internal error has occurred. (Code: 0x8003001D, Could not access file for write operation)" error is displayed when editing IKE PSK on “External User Profile” objects using Legacy SmartDashboard. Refer to Scenario 2 in sk119973.
PRJ-7054, PMTR-43349
SmartConsole
When performing Backup and Restore, user may get a misleading message that these operations are supported only for Gaia.
PRJ-10634, PRJ-10705, PRJ-10710, PMTR-45783
SmartProvisioning
In some scenarios, after creating a Small Office gateway using LSMCli, some fields in the Gateway object on the SmartProvsioning are not populated.
PRJ-10139, PMTR-43309
SmartProvisioning
Deletion of LSM Robo cluster may cause the FWM process to unexpectedly exit.
PRJ-8017, PMTR-46682
SmartView
SmartView may show wrong time in tables and graphs for clients located in Brazil.
PRJ-8134, PMTR-45751
SmartView
"The process <process-name> which is monitored by watchdog restarted more than once in the last half an hour" error may appear in the SmartEvent GUI status window even though the process has been up for more than 30 minutes.
PRJ-7922, PMTR-46737
SmartView
In the Logs page of the SmartView web application, the "File Name" filter may appear twice in the quick filters pane.
PRJ-7724, PRHF-7326
SmartView
In SmartView, when filtering a view using special characters in the search bar and exporting to Excel, the file may be generated empty.
PRJ-10373, PRHF-8973
SmartView
In some scenarios, after user imports view/report in SmartView, the imported view/report is not shown in the Catalog.
PRJ-4329, SE-331
SmartEvent
In some scenarios, automatic reactions in SmartEvent are sent with the "Destination address" field containing the resolved country name instead of the raw IP value. Refer to sk146992.
PRJ-7497, PRHF-7101
SmartEvent
When using SmartEvent automatic reactions, *.MHT files in $RTDIR/tmp directory are not cleaned up in case of email sending failure.
PRJ-10467, PMTR-49504
Security Gateway
In a rare scenario, after upgrading a Security Gateway to R80.30, the log_indexer process running on the Log server may consume 100% CPU and cause the indexing backlog.
PRJ-9443, PRJ-9444, PRJ-9416
Security Gateway
Added logs for packets that include invalid TCP options. This feature is disabled by default.
PRJ-9558, PRJ-9559, PMTR-48022
Security Gateway
In a rare scenario, fast accel configuration may be deleted after an upgrade from R80.20
PRJ-10028, PMTR-50431
Security Gateway
In a rare scenario, when the web server is defined, policy installation fails with "Error code 0-20000111".
PRJ-9688, PRJ-9689, PMTR-46451
Security Gateway
Traffic may be dropped on DAIP gateway after the gateway IP address is changed or the gateway is rebooted. Refer to sk165176.
PRJ-8751, PRJ-8752, PMTR-46471
Security Gateway
In some scenarios, incorrect number of outbound interfaces may be received when SecureXL is disabled.
PRJ-10202, PRJ-10203, PRHF-9508
Security Gateway
ICAP Client may not working properly when Threat Extraction blade is enabled.
To enable the fix, set the enable_icap_with_strict_hold parameter to 1
PRJ-10279, PRJ-10308, PMTR-50683
Anti-Malware
NEW: Added support to allow Threat Extraction to scan a file download in additional scenarios.
PRJ-10960, PRJ-10737, PRHF-9265
SSL Inspection
In a rare scenario, a memory leak may appear when SSL inspection is enabled.
PRJ-7996, PRJ-7997, PMTR-46960
HTTPS Inspection
WSDNSD memory leak may appear when updatable objects are configured in the policy. Refer to sk165616.
PRJ-9405, PRJ-10362, PMTR-51402
HTTPS Inspection
In some scenarios, wrong certificate is shown by HTTPS Inspection for some websites, including certificates issued by "CloudFlare Inc ECC CA-2". Refer to sk118392.
PRJ-11092, PRJ-4418
IPS
In some scenarios, a '+' (plus sign) in an HTTP URL may be replaced with ' ' (space) when the "Forensics" feature is turned on in Threat Prevention.
Fix is relevant for Gaia 3.10 only.
PRJ-9539, PRJ-9540, PRHF-4033
Identity Awareness
Policy installation process has been improved.
PRJ-10759, PRJ-10760, IDA-2866
Identity Awareness
In some scenarios, multiple "idapi_load_data_impl: session id <Session ID> not found in client_db, although ip <Session IP> was assigned to it" errors appear in /var/log/messages file. Refer to sk167174.
PRJ-7673, PMTR-45649
Threat Prevention
Improvements in HTTP chunked encoding inspection.
PRJ-7640, PMTR-45565
Threat Prevention
Improved enforcement of Threat Prevention blades in partial HTTP responses.
PRJ-5790, PRJ-10192, PMTR-43536
Threat Extraction
Link to the original file in Threat Extraction may not function properly (in cleaned files only).
PRJ-2281, PMTR-38493
Logging
NEW: Added CloudGuard SaaS Security Checkup that presents a summary of security activity and findings in your SaaS applications. This report allows reviewing phishing emails, malicious files and URLs, data loss incidents, Shadow IT detections and potentially compromised accounts.
PRJ-7925, PMTR-42913
Logging
Following changes in correlation unit settings, new logs may not be read by SmartEvent until the log_indexer process is restarted.
PRJ-5574, PRHF-6592
Logging
When a Log Server is configured to parse Syslog messages, the field "User" may be truncated in the parsed log in the Log Details view if the field contains underscore.
PRJ-6023, PRHF-4951
Logging
When restarting the FWD process on the Log server, the syslogd process (syslog daemon), may unexpectedly exit.
PRJ-4448, PMTR-39444
Logging
In SmartView, drilling down from the timeline widget to logs, may show less logs than expected.
PRJ-5650, PRHF-6080
Logging
In some scenarios, when the user creates a table widget in SmartView, there is no option to add the “hostname” field. Refer to sk162752.
PRJ-8682, PRHF-7856
Logging
In some scenarios, Threat Emulation Logs cannot be viewed in the logging or reporting views because of a certain format of the "file size" field sent from the Security Gateway.
PRJ-8496, PRHF-7875
Logging
In SmartView, when the user exports logs to CSV using the "visible columns" option, the following fields may be missing from the CSV file: Resource, Application Risk, Application Name, and Application Category.
PRJ-5900, PRHF-6120
Logging
It is not possible to query the "file_name" field on a Log server that does not have the SmartEvent activated.
PRJ-434, PRHF-2797
Logging
In SmartEvent, when the user customizes an event to accumulate logs by the field UUID, logs with UUID equal to 0 may not be correlated.
PRJ-4982, SL-2893
Logging
In SmartView, the percentage values in pie charts may add up to 99% or 101%.
PRJ-9971, SL-3551
Logging
In a Multi-Domain environment, one or more CMA's SMARTLOG_SERVER processes may fail to start after upgrade. Refer to sk165262.
PRJ-8761, PRJ-8762, PMTR-40390
SecureXL
NEW: Improved performance for multicast traffic after all listeners have been removed for an existing connection.
PRJ-10399, PRJ-4542, 02390699
SecureXL
In some scenarios, asymmetric traffic is dropped on Security gateway with several Bridge interfaces. Refer to sk114976.
This fix adds a feature to support certain types of asymmetric bridged configurations.
PRJ-8915, PRJ-8890
SecureXL
In some scenarios, multicast packets arrive to the Security gateway in order, but leave out-of-order.
PRJ-8979, PRJ-8980, PRJ-8977
SecureXL
When PIM-SM multicast routing transitions from RPT to SPT, packets may be dropped or become out-of-order.
PRJ-8982, PMTR-44150
SecureXL
When NAT-T packets pass through a Security gateway, this traffic may be dropped.
PRJ-10186, ACCHA-127
SecureXL
In some scenarios, a general traffic latency is observed on the Security Gateway. Refer to sk165652.
PRJ-9326, PRJ-10646, PRJ-2546
SecureXL
In some scenarios, SNMP queries for SecureXL OIDs return incorrect values.
PRJ-5029, PRJ-10179, PMTR-39590
SecureXL
In a rare scenario, Security gateway may crash under heavy load.
PRJ-2485
Routing
PBR may not work for port or protocol used separately in a PBR rule.
Fix is relevant for Gaia 3.10 only.
PRJ-9074, PRJ-9850, PRHF-8337
Routing
In some scenarios, a corrupted BGP AS4_PATH attribute value may result in an invalid, long BGP update that is rejected by the BGP peer. Refer to sk167157.
PRJ-7490, PRJ-8224, PMTR-39273
Routing
In some scenarios, the CLISH command for PBR results in an error.
PRJ-5002, PRHF-5471
VSX
Resource Monitor Control may cause segmentation fault when there are more than 64 CPUs. Refer to sk125112.
PRJ-9994, PMTR-47050
VSX
In some scenarios, traffic may be forwarded on bridge interface when member is down.
Fix is relevant for Gaia 3.10 only.
PRJ-10541, PMTR-51263
VSX
In the menu of 'vsx_util vsls' #1 (Display current VS Load sharing configuration), the table shows cut names of VSs (original names are longer).
PRJ-10556, PRJ-10557, VPNS2S-938
VPN
Improved the VPN Site-to-Site tunnel establishment scenario with IKEv2.
PRJ-7014, PRHF-2844
VPN
Added L2TP Remote Access client connectivity improvements. Refer to Scenario 2 in sk145895.
Fix is relevant for Gaia 2.6.18 only.
PRJ-6118, PMTR-44901
VPN
In some scenarios, NAT-D traffic goes out from the first external interface.
PRJ-11035, PMTR-36437
VPN
In some scenarios, VPN traffic distribution change may cause high CPU consumption on one CPU core. Refer to sk165853.
Fix is relevant for Gaia 2.6.18 only.
PRJ-5763, PRJ-6093, PMTR-43541
VPN
In some scenarios, accelerated VPN tunnels routed over PPPoE interface may cause drop of encrypted traffic of some connections. Refer to sk148872.
PRJ-30753, PRJ-30754, PRHF-19484
VPN
In some scenarios, when NAT is enabled, Route Based VPN traffic may be dropped.
PRJ-2216, PRJ-9931, PMTR-30347
VoIP
In some scenarios, VoIP calls are dropped with "SIP Re-Invites exceeded the limit" reject reason. Refer to sk145412.
PRJ-7822, PMTR-44869
Gaia OS
NEW: Added the /proc/sys/net/bridge/bpdu_forwarding flag to block BPDU packets per bridge setup on Gaia 3.10.
PRJ-10803, PRJ-10804, PRJ-10810, PMTR-50836
Gaia OS
CVE-2020-8597: pppd is vulnerable to buffer overflow. Refer to sk165875.
PRJ-5186, PRHF-5617
Endpoint Security
The log description of the "Media Encryption & Port Protection" blade may state that the "Media Storage" is encrypted even though it is not. The details in the log show the correct value. Refer to sk162812.
-
SMB
NEW: R80.30 Jumbo Hotfix Accumulator Take 195 supports the new SMB 1500 appliances LSM.
PRJ-10119, PRJ-9633
Compliance
In some scenarios, database import on a single Domain machines where the Compliance blade is activated fails, and as a result, the FWM process unexpectedly exits after the import.
R80.30 Jumbo HotFix - General Availability Take 191 (22 April 2020, GA from 30 April 2020)
PRJ-11782
Multi-Domain Management
Web API may be down after uninstalling Takes 163-180 of R80.30 Jumbo Hotfix. Refer to sk166393.
R80.30 Jumbo HotFix - Ongoing Take 180 (08 April 2020)
PRJ-11542, PRJ-11546
Gaia OS
In a rare scenario on a cluster environment, Security gateway may corrupt data or crash during an upgrade.
R80.30 Jumbo HotFix - Ongoing Take 168 (17 March 2020)
PRJ-10897, PRJ-10918
Gaia OS
In a rare scenario, Security gateway may crash on cluster fail-over when ISP redundancy is configured.
R80.30 Jumbo HotFix - Ongoing Take 166 (11 March 2020)
PRJ-9461
Security Management
NEW: Added ability for R80.30 Security Management or Multi-Domain Server to manage R80.40 Security gateway. Refer to sk164652.
On 3600 and 3600T appliances, alarm led turns on if one of the PSU is disconnected. Refer to sk166000.
Fix is relevant for Gaia 3.10 only.
R80.30 Jumbo HotFix - Ongoing Take 163 (05 March 2020)
PRJ-9397, PMTR-44668
Security Management
In a rare scenario, the FWM process will utilize 100% CPU, and connections to SmartConsole may fail.
PRJ-8492, PMTR-48267
Security Management
When reverting a security layer to a previous revision, if there are rules which are currently disabled, but were enabled in the selected previous revision (or vice versa), their status may not be reverted.
PRJ-5450, PMTR-42420
Security Management
In some scenarios, an upgrade from R7x secondary Multi-Domain Server with active Domains may fail.
PRJ-8376, PRHF-7874
Security Management
In some scenarios, the exported database may be very large and include redundant data.
PRJ-7468, CPM-1745
Security Management
Global policy reassignment may fail after a rulebase is deleted in the Global Domain.
PRJ-7918, PRHF-7614
Security Management
When installing policy to a Cisco router, an automatic ACL number change may cause networking issues.
PRJ-7413, CPM-2541
Security Management
In a rare scenario, all users connected to the Management Server get disconnected and new logins fail until the Management Server is restarted.
PRJ-3039, PMTR-39305
Security Management
In some scenarios, the Management Server takes a long time to start or even fails to start.
PRJ-8095, PRHF-7729
Security Management
In some scenarios, policy installation fails when the installation target is Check Point Host.
PRJ-8876, PMTR-23492
Security Management
Added support for Internal CA certificate replacement.
PRJ-7784, PMTR-46434
Security Management
In some scenarios, HA synchronization in the Global Domain fails with the "Failed to sync peer - Global Domain is incompatible with the Domains." error.
PRJ-8859, PMTR-48652
Security Management
If the database contains an internal user object with the same account name as an administrator object, then after the user publishes any change to the administrator object, the login in a VPN client with the internal user account may fail.
PRJ-8799, PMTR-48610
Security Management
If the database contains an internal user object with the same account name as an administrator object, then after the user publishes any change to the internal user object, the login in SmartConsole with the administrator account may fail.
PRJ-7457, PRHF-7167
Security Management
In some scenarios, upgrade fails with the "Satellite object of type GatewayAggregator not found for core object" message in cpm.elg file.
PRJ-8189, PMTR-47772
Multi-Domain Management
The Administrator and Trusted Clients pop-up editors at the Multi-Domain Server level show all domain names linked to these objects. Domain Managers with partial permissions, may see the names of domains that they are not permitted to see.
PRJ-7831, PMTR-43461
Multi-Domain Management
In some scenarios, upgrade of R7x secondary Multi-Domain Management Server or Multi-Domain Log Server fails.
PRJ-6786, PRJ-5742
SmartConsole
NEW: LDAP advanced query now supports ANR filtering.
PRJ-5100, PMTR-41234
SmartConsole
When editing the description of a revision, the "Changes" field is reset to 0.
PRJ-8650, PRJ-8753
SmartConsole
In some scenarios, on a Global domain, when the user sets a logging option of an IPS protection whose activation is Detect or Prevent, the activation of the protection is set to "Inactive" on the local domain after an Assign Global Policy operation.
PRJ-7943, PMTR-46715
SmartConsole
In some scenarios, when running the "show-mdss" command with the "details-level full" option, not all Domains are retrieved.
PRJ-6143, PMTR-41587
SmartConsole
After an upgrade of R80.10 Management, cloned Multi-Domain super user permission profiles (Read/Write permission profiles) may be missing the "Global VPN Management" permission.
PRJ-8701, PRHF-7991
SmartConsole
The shared secret's edit button may be grayed out.
PRJ-7771
SmartConsole
The API command 'show-api-versions' may return version 1.6 instead of 1.5. Refer to sk163942.
PRJ-9081, PMTR-47530
SmartConsole
In some scenarios, IPS update fails in the Global Domain after an upgrade from R80.10.
PRJ-8351, PRJ-8352
Security Gateway
Improved the ICAP client connectivity when using Trickling mode 3 in settings.
PRJ-7333, PRJ-7244
Security Gateway
Connectivity issues may appear when ISP Redundancy is configured.
PRJ-7801, PRJ-7802, PMTR-45962
Security Gateway
In a rare scenario, routed process unexpectedly exits under high load.
PRJ-7374, PRJ-7375, PMTR-45566
Security Gateway
Improved multicast routing under high load and/or during system initialization.
PRJ-9051, PRJ-9593, PRHF-8288
Security Gateway
Global connections may not be freed correctly when the Gateway acts as a Proxy.
PRJ-8906, PRJ-8919
Security Gateway
"fwk_build_cparams_hashes: failed to create str cparams hash" dmesg error may appear during policy installation.
PRJ-8723, PRJ-8724, PMTR-26082
Security Gateway
Improved scalability of DOS/Rate limiting rules.
PRJ-3477, PRJ-8442, PRHF-4624
Security Gateway
In a topology in which Client and Server are connected to the Security Gateway using two different interfaces each, for example:
Client -- eth1 <Gateway> eth2 -- Server Client -- eth3 <Gateway> eth4 -- Server
The response packets from Server to Client may be incorrectly routed back to the Server because of an incorrect route cache in the Security Gateway.
PRJ-7088, PRJ-7096, PMTR-42966
Security Gateway
In some scenarios, connectivity problems may appear due to proxy arp table that is not updated after policy installation.
PRJ-8646, PRJ-8647, PMTR-41512
Security Gateway
In a rare scenario, ICAP client requires manual steps to activate RESP mode after running cpstop ; cpstart.
PRJ-8152, PRHF-7736
Security Gateway
Policy installation on Cluster may fail if the Cluster member name is longer than 64 characters.
PRJ-7879, PRJ-7880
Security Gateway
In a rare scenario, there is no HTTPS Inspection when ICAP client is enabled.
PRJ-8877, PRHF-7389
Security Gateway
In some scenarios, there is no SIC after applying the ICA certificate replacement procedure.
PRJ-7870, PRJ-7867, SWG-2361
Security Gateway
Improved DNS caching and negative DNS response handling.
PRJ-7752, PRHF-7389
Security Gateway
In some scenarios, there is no SIC after applying the ICA certificate replacement procedure.
PRJ-2795, IPS-682
IPS
In some scenarios, the interface name is not displayed correctly in the IPS log.
PRJ-8880
IPS
In a rare scenario, Security gateway may crash due to NULL pointer reference.
Fix is relevant for Gaia 2.6.18 only
PRJ-9195, PMTR-36246
Anti-Malware
In a rare scenario, policy installation fails when the Security Management Server is handling a large number of Security Gateways.
PRJ-6114
Threat Extraction
In rare scenarios, files fail to download when the Threat Extraction blade is active.
PRJ-6075, PRJ-6076, PMTR-41138
Identity Awareness
Machine identity for Terminal Server agent is not identified unless Identity Agent is also enabled on the Security Gateway.
PRJ-8424, IDA-2022
Identity Awareness
Identity Awareness performance improvements in large scale environments.
PRJ-8279, PRJ-8280, MBS-9133
SSL Inspection
In some scenarios, some HTTPS sites are not categorized when both "Categorize HTTPS Sites" and "HTTPS Inspection" are enabled.
PRJ-8340, PRJ-8341, PMTR-47846
SSL Inspection
In a rare scenario, memory leak may appear in ICAP client when HTTPS Inspection is enabled.
PRJ-7653, PMTR-45863
SSL Inspection
HTTPS Inspection's default CA certificate was upgraded to use a signing algorithm based on SHA256 instead of SHA1. Refer to sk163932.
PRJ-7166, PMTR-23406
SSL Inspection
NEW: Added support for proxy configuration when downloading CRL from a VSX device. Refer to sk151115.
PRJ-8551, PRJ-8548
Logging
NEW: Log Exporter feature exports log attachment identifiers and adds the ability to fetch them through the Management API command.
PRJ-3654, PRHF-4654
Logging
SmartEvent may not correlate certain Anti-Virus logs.
PRJ-6190, PRHF-6325
Logging
Widgets inside SmartView's "Views and Reports" may result in "Query Failed" messages when filtered by the "Log Server Origin" field.
PRJ-6698, PMTR-44388
Logging
In some scenarios, exporting a large number of logs to Excel may fail and cause SmartView to restart.
PRJ-7709, PMTR-39944
Application Control
In some scenarios, HTTP traffic is blocked with "HTTP parsing error occurred (2)" and "parameters are undecodable in request" errors. Refer to sk160092.
PRJ-7553, PRJ-7554, PRHF-7071
ClusterXL
In a rare scenario in a ClusterXL environment, SYN Defender may incorrectly drop a valid traffic.
PRJ-7638, PRJ-7639, PMTR-46064
ClusterXL
The "set router-options auto-restore-iface-routes" command is now deprecated.
PRJ-7705, PRJ-7706, PRHF-6356
SecureXL
Some traffic may not pass when Policy Based Routing (PBR) and SecureXL are enabled. Refer to sk163252.
PRJ-7502, PRJ-7707, PMTR-34845
SecureXL
In some scenarios, new connection may fail to open if it is reopened with the same source port. Refer to sk164839.
PRJ-7561, PRJ-7562, PRHF-7247
SecureXL
In some scenarios, SecureXL drops the TCP traffic for the particular connection for invalid state reasons. Refer to sk147093.
PRJ-4341, PMTR-40757
SecureXL
In some scenarios, IP-VLAN traffic traversing a bridge of two physical interfaces has the VLAN tag stripped.
Fix is relevant for Gaia 3.10 only.
PRJ-8976, PMTR-44150
SecureXL
When NAT-T packets pass through a standalone gateway, this traffic may be dropped if SecureXL is enabled.
Fix is relevant for Gaia 3.10 only.
PRJ-600, PRJ-7319, PMTR-35261
SecureXL
SYN Defender status in CPView sometimes appears as invalid.
PRJ-6157, PRJ-6161, PRHF-6490
SecureXL
In some scenarios, SecureXL causes an issue in the routing of multicast traffic.
PRJ-8780, PRJ-8781, PRHF-6971
SecureXL
In a rare scenario, DOS/Rate Limiting Logs are not searchable.
PRJ-4383, PRJ-603, PMTR-36548
SecureXL
In some scenarios, DOS/Rate Limiting configuration is not applied after reboot if no fw samp policy is configured.
PRJ-7192
Gaia OS
NEW: Added support of Jumbo Hotfix Accumulator on Smart-1 625 appliances.
PRJ-7719, GAIA-6588
Gaia OS
16000 and 26000 Appliances with CPAC-4-1/10F-C NICs (using i40e driver) connected to some specific Cisco switches are flopping. Refer to sk163267.
PRJ-5983, GAIA-5634
Gaia OS
In a rare scenario, there is network interface flapping with Intel (igb) interfaces connected to Cisco switches. Refer to sk163852.
PRJ-7372, PMTR-44835
Gaia OS
In some scenarios, the iDRAC (LOM) interface is not pingable.
PRJ-8770, PRJ-7825, PMTR-46170,
Routing
PIM may be unable to resolve outbound interface of multicast route when unicast route lookup fails.
PRJ-7407, PRJ-7408, PMTR-45530
Routing
When MaaS tunnels are added, the routed process may unexpectedly exit.
PRJ-7303, PRHF-4371
Mobile Access
In a rare scenario, when Mobile Access blade is enabled, the Security Gateway may crash with vmcore.
PRJ-7066, PMTR-45006
CloudGuard
In some scenarios, subnet objects may not contain all the relevant IP addresses for VMSS VMs.
PRJ-5941, PRHF-5289
Endpoint Security
NEW: Added the feature to use epmCommands with object nids.
PRJ-5943, PRHF-5936
Endpoint Security
Some messages in the self-help portal are not properly localized in Japanese.
PRJ-7113, PRHF-6221
Endpoint Security
In a rare scenario, Endpoint Management Server on AWS crashes when the user sets the property "Gateways management" to "Over the internet" in the AWS template.
PRJ-7114, PRHF-6011
Endpoint Security
In some scenarios, Endpoint Management does not start after an upgrade to R80.30 in the environment that manages both Endpoints and Gateways. Refer to sk163537.
PRJ-5136, PRJ-8337, PMTR-34812
VSX
Performance optimization for the time object matching on VSX environment.
PRJ-8456, PMTR-42292
VSX
Adding a VD after deleting a VD fails, and then the 'netns add' command returns "RTNETLINK answers: No space left on device" error message.
Fix is relevant for Gaia 3.10 only.
R80.30 Jumbo HotFix - General Availability Take 155 (20 February 2020, GA from 01 March 2020)
PRJ-9968, PRJ-9973
Security Gateway
In a rare scenario, a non-HTTP traffic on port TCP/80 is dropped.
PRJ-10115, PRJ-10116, PMTR-43665
Application Control HTTPS Inspection
In some scenarios, when Application Control and HTTPS Inspection are enabled and detailed or extended log is used, applications may not be matched correctly.
R80.30 Jumbo HotFix - General Availability Take 140 (03 February 2020, GA from 10 February 2020)
PRJ-9410, PMTR-46906
Security Gateway
In some scenarios, Security gateway crashes when the Priority Queue feature is enabled.
PRJ-5530, PMTR-42941
CloudGuard
In some scenarios, centrally distributed license disappears from CloudGuard Gateways. Refer to sk151794.
R80.30 Jumbo HotFix - Ongoing Take 136 (22 January 2020)
PRJ-8217, PMTR-47601
Security Management
Management HA synchronization fails with error "Failed to export data" on Multi-Domain Management or Security Management server environment with at least 3 machines. Refer to sk164792.
R80.30 Jumbo HotFix - Ongoing Take 135 (13 January 2020)
PRJ-6822, PMTR-37053
Upgrade Tools
In some scenarios, cannot export a database using the migration tools of the current version while there are open sessions in the database.
PRJ-4930, PMTR-41602
Upgrade Tools
In some scenarios, the FWM process fails to start after a successful upgrade with the "Found an indication that the current domain was migrated, and the migration had failed. Cannot start after a migration failure" message in the fwm.elg file.
PRJ-7423, PRJ-7424, PMTR-44671
Infrastructure
In some scenarios, Anti-Bot\Anti-Virus\IPS\Threat Emulation blade update fails with "Curl error code 56".
PRJ-5918, PMTR-39797
Security Management
In a rare scenario, the $CPDIR/tmp/ directory is filled with "CKP_mutex::_opt_CPsuite-RXX_fw1_log__..." files. Refer to sk36754.
Fix is relevant for Gaia 3.10 only.
PRJ-2341, PMTR-38095
Security Management
In a rare scenario, the Security Management server does not start due to a missing object, or a duplication of objects.
PRJ-5717, PMTR-42089
Security Management
In some scenarios, upgrade from R7x is not aborted when there is not enough disk space to complete the import operation.
PRJ-5665, PRHF-6087
Security Management
In some scenarios, purge revisions fails and blank lines that cannot be deleted, appear in SmartConsole Revisions view. Refer to sk163116.
PRJ-5757, PMTR-43497
Security Management
High Availability synchronization between Management Servers may fail when there is no enough disk space in the root partition.
PRJ-5661, PRHF-5965
Security Management
Blank lines may appear in SmartConsole Purge Revisions view after purging a large database.
PRJ-4971, PRHF-5435
Security Management
In some scenarios, disconnected sessions with no changes or locks appear in SmartConsole session view.
PRJ-4835, PRHF-5419
Security Management
The FWM process may unexpectedly exit when an incorrect license SKU with a specific format is applied.
PRJ-5656, PRHF-5776
Security Management
In some scenarios, cpm_status.sh reports incorrect CPM status. Refer to sk162633.
PRJ-5097, PMTR-41712
Security Management
When an administrator edits the description of a revision, he becomes the publisher of the revision.
PRJ-7040, PRHF-6722
Security Management
The 'fwm sic_reset' command does not print which object still has an IKE certificate.
PRJ-5245, PRJ-5250
Multi-Domain Management
NEW: Added the Domain Management Migration, Backup and Upgrade feature:>
Backup and restore an individual Domain Management Server on a Multi-Domain Server.
Migrate a Multi-Domain Security Management from one Multi-Domain Server to a different Multi-Domain Server.
Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server.
Migrate a Domain Management Server to become a Security Management Server.
In some scenarios, the "Installed IPS Version" information is empty in the "Gateways and Servers" view.
PRJ-3549, PRJ-7071
SmartConsole
In a rare scenario, when editing a Star VPN community, SmartConsole terminates.
PRJ-6934, PRHF-6842
SmartConsole
Threat prevention policy installation may include wrong topology warning on VSX cluster interfaces.
PRJ-5525, PRHF-5527
SmartConsole
In some scenarios, applying "Where used" from the local Domain on an object that is used in global policies, may return results from the global policies that are not assigned to the local Domain. Refer to sk162753.
PRJ-6642, PRHF-6606
SmartConsole
In some scenarios, administrator cannot open the 'RemoteAccess' - VPN community object for editing.
PRJ-5374, PMTR-43427
SmartConsole
In Multi-Domain environment, IPS protections become staging on each domain after global policy assignment while the protection does have override/staging status in the global domain.
PRJ-2438, PRHF-4184
SmartConsole
When disabling NAT for a network object and searching for the NAT IP address, the network object is still shown as part of the search results even though it should not be.
PRJ-1678, SL-1890
SmartView
In some scenarios, Hit Count on specific rules does not increment after they were recently created or re-ordered. Refer to sk138033.
PRJ-5630, PRHF-5810
SmartView
In SmartView, when exporting logs to Excel after drill-down, the amount of logs is less than expected. Refer to sk162621.
PRJ-6047, PRJ-6048, PMTR-43654
Security Gateway
Improved misleading log for connections that terminate before detection.
PRJ-3350, PRJ-6729, SWG-2013
Security Gateway
In some scenarios, a designated interface may drop packets.
PRJ-8197, PRJ-8198, PMTR-47784
Security Gateway
Since R80.20, in some scenarios, predictable TCP sequences are generated by the Security Gateway. Refer to sk164775.
PRJ-7498, PRJ-7499, PMTR-45710
Security Gateway
In a rare scenario, running the "cpstop -fwflag -driver" command may cause a memory leak in IPv6 environment.
PRJ-8009, PRJ-8096, PMTR-46330
Security Gateway
Improved a Proxy connectivity while Anti-Virus blade works in Hold mode.
PRJ-1702, PRJ-6728, PRJ-4482
Security Gateway
In some scenarios, the /var/log/messages file is flooded with ICAP related errors.
PRJ-5890, PRHF-6029
Security Gateway
In some scenarios, enabling the Multi-Queue on a line card enables the Multi-Queue also on the on-board interfaces. Refer to sk162622.
PRJ-6640, SL-2819
Logging
In some scenarios, user cannot see his Check Point logs in LogRhythm platform using Log Exporter.
PRJ-5937, PRHF-5344
Logging
In some scenarios, when retrieving the UserCheck logs, FWD process on the Security gateway may unexpectedly exit.
PRJ-6855, PMTR-42177
Logging
In a rare scenario, the "Logs & Monitor" view in SmartConsole freezes while scrolling down the results.
PRJ-7815, PMTR-42519
Logging
In a rare scenario involving multiple disconnections and reconnections between Security gateway and Log Server, connection is not automatically restored and logs may not be written locally. Refer to sk164852.
PRJ-7055, PRJ-5881, QOS-67
QoS
QoS Time Objects are not enforced in R80.20. Refer to sk163074.
PRJ-3714, PRJ-6949, PRHF-2795
DLP
DLP activation was optimized to reduce the CPU consumption.
PRJ-7507, PRHF-5184
Identity Awareness
When the Identity Awareness blade is enabled, a memory leak may appear in LDAP sessions.
PRJ-8193, PRJ-8194, MBS-8939
URL Filtering
In some scenarios, HTTPS traffic is not categorized as expected.
PRJ-6863, PMTR-41488
Anti-Malware
UPDATE: Improved behavior of Intelligence Feed failure.
PRJ-7464, PRJ-7465, PMTR-45826
IPS
Cannot update the Geo Policy IPToCountry database on Security Gateways. Refer to sk163672.
PRJ-4418
IPS
In some scenarios, a '+' (plus sign) in an HTTP URL may be replaced with ' ' (space) when the "Forensics" feature is turned on in Threat Prevention.
In a rare scenario, FTP Data connections do not pass while SYN Defender is active and enforcing.
PRJ-635, PMTR-22503
SecureXL
In some scenarios, virtio_net is not able to run multiqueue.
PRJ-7712, PRJ-8244, PMTR-18338
SecureXL
"sume_from_fw_forward: dropping packet of for vsid=0 due to loop prevention" dmesg errors during policy installation failure.
PRJ-5620, PRJ-8021, PRHF-5809
ClusterXL
In some scenarios, a connectivity issue takes place in ClusterXL environment after a fast "fail over"-"fail back" or a "fail over" on bridge configuration.
PRJ-6160, PRJ-6787, PRJ-6788, PRHF-6143
Gaia OS
"Gaia Web-UI recognized a non-valid input data" error when creating a scheduled backup in WebUI via SCP or FTP with special characters used.
PRJ-5132, PRJ-1545, GAIA-4880
Gaia OS
In some scenarios, the VSX Management fails to be properly restored from backup.
PRJ-6038, PRJ-6129, GAIA-6587
Gaia OS
In some scenarios, the Smart-1 3150 appliance becomes unresponsive after enabling the optical interface.
To upgrade to R80.30 using the Jumbo Hotfix, make sure all the interfaces are in state OFF. Refer to sk146512.
PRJ-3727, PRHF-5205
Gaia OS
In a rare scenario, many "skb_warn_bad_offload" warnings appear in the /var/log/messages file.
Fix is relevant for Gaia 3.10 only.
PRJ-6588, GAIA-6588
Gaia OS
16000 and 26000 Appliances with CPAC-4-1/10F-C NICs (using i40e driver) connected to some specific Cisco switches are flopping. Refer to sk163267.
Fix is relevant for Gaia 3.10 only.
PRJ-1758, PRJ-6054, PRJ-6057, PRHF-3943
Gaia OS
A network interface may restart when changing its properties from WebUI if the interfaces configuration was performed via CLISH.
PRJ-1261, PRHF-3675
Gaia OS
CPD process may unexpectedly exit when attempting to query sensor values on Smart-1 525, Smart-1 5050 and Smart-1 5150 appliances.
PRJ-6000, PRJ-7128, ROUT-445
Routing
In a rare scenario, last two (or more) nexthops of a BGP ECMP route disappear simultaneously and are not removed from the forwarding database. Refer to sk153552.
PRJ-6110, PRJ-6111, PRHF-6139
Routing
In a rare scenario, the routed process may unexpectedly exit during ClusterXL failover when BGP is configured. Refer to sk165682.
PRJ-6578, PRJ-7405, PRHF-6603
Routing
For compliance and interoperability with BGP peers implementing older RFC, no BGP capability is advertised if peer does not advertise it first.
PRJ-5884, VSX-2190
VSX
The "vsx_util vsls" command does not display in full the long names of the VSX server name. Refer to sk163073.
PRJ-6174, PRHF-6145
Endpoint Security
Exported from SmartEndpoint .xlsx files may produce a warning when opened in Excel.
PRJ-5752, EPS-2262
Endpoint Security
Endpoint Management may fail on FileVault recovery for MacOS clients, when a computer re-joins domain.
PRJ-3404, PRJ-5954, VPNS2S-417
VPN
SmartView Monitor VPN tunnel status may show incorrect or missing tunnels status for a cluster object.
PRJ-7172, PRJ-7122, VPNRA-300
VPN
Packets from SSL Network Extender are dropped: "Reason: decrypted and user methods are not identical (VPN Error code 01)". Refer to sk163636.
PRJ-7181, PMTR-44859
CloudGuard
Public IP addresses for Virtual Machines and Virtual Machines Scale Sets may be missing.
PRJ-7382, PRHF-7119
CloudGuard
During a license pool creation, when a blade service is shared between different licenses, the vsec_lic_cli tool may create multiple pools instead of one.
R80.30 Jumbo HotFix - General Availability Take 111 (25 November 2019, GA from 03 December 2019)
PRJ-7380
CPUSE
The "The previous take wasn't fully restored. Please uninstall and install it." error is displayed when attempting to uninstall R80.30 Jumbo HotFix Take 76 or Take 107. Refer to sk163674.
R80.30 Jumbo HotFix - Ongoing Take 107 (20 November 2019)
PRJ-1336, PRHF-3455
Security Management
Inline layers are not verified when there are no selected targets in the 'install on' column.
PRJ-4875, PRHF-5274
Security Management
In some scenarios, when setting or modifying the Email/Phone fields of an administrator, the old values still appear at the bottom pane under "View Sessions" instead of the updated values.
PRJ-5557, PMTR-43278
Security Management
In some scenarios, policy installation fails with "Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 0-2000117)". Refer to sk162554.
PRJ-5413, PRHF-5815
Security Management
In some scenarios, policy Installation fails with "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk162855.
PRJ-2984, API-744
Security Management
In some scenarios, show generic-objects API command fails with "Management Server failed to execute command". Refer to sk157693.
PRJ-3379, PMTR-39797
Security Management
In a rare scenario, the $CPDIR/tmp/ directory is filled with "CKP_mutex::_opt_CPsuite-RXX_fw1_log__..." files. Refer to sk36754.
PRJ-5495, PRHF-5881
Security Management
NEW: Added the policy verifier memory enhancement and additional debugging options. Refer to sk162453.
PRJ-1248, PRHF-2012
Security Management
High CPU utilization by FWM process when SmartEvent is enabled on the Security Management Server. Refer to sk147563.
PRJ-5023, PRHF-4877
Security Management
In some scenarios, policy verification process fails for extremely large policies. Refer to sk161412.
PRJ-5424, PMTR-41518
Security Management
In some scenarios, policy fetch fails if name of the Security gateway that tries to fetch this policy is not defined in DNS. Refer to sk150472.
PRJ-6942, PRHF-6754
Security Management
In a rare scenario, policy installation fails with "Policy installation had failed due to an internal error". Refer to sk163482.
PRJ-4666, PMTR-41210
Multi-Domain Management
The FWM process may unexpectedly exit when there is no valid license on the Multi-Domain Server.
PRJ-7007, PRJ-6992
Multi-Domain Management
The Gaia restore of Multi-Domain Server fails when using Take 76 of R80.30 Jumbo Hotfix Accumulator. Refer to sk163473.
PRJ-3138, PRJ-1343
SmartConsole
In some scenarios, DNS Maximum Reply Length IPS protection is not enforced.
To fully resolve the issue, R80.30 SmartConsole Build 20 (or higher) should be installed.
PRJ-1511, PMTR-35845
SmartConsole
In some scenarios, Installation Targets do not show the correct gateways when cloning and editing the installation targets in the same session.
PRJ-1882, PRJ-783
SmartConsole
In some scenarios, user cannot delete a VS object since it is referenced by an automatically generated exception rule. Refer to sk167272.
PRJ-4202, PMTR-40076
SmartView
NEW: Added support for "SmartView for QRadar" extension.
PRJ-5784, PRHF-611
Compliance
In some scenarios, the Compliance blade checks the 'Parent rule for Domain's policy' placeholder as if it was a real rule and shows the rule index in the Firewall Best Practices relevant objects.
PRJ-5480, PRJ-5482, NAT-110
Security Gateway
NEW: Enhancement: NAT port exhaustion logs mechanism was updated. Refer to sk156852.
PRJ-4805, PMTR-41392
Security Gateway
NEW: Added ability to enable NAT over specific IP address avoiding a source port allocation.
PRJ-6036, PRJ-4165, PMTR-39641
Security Gateway
In some scenarios, when the ICAP server on the Security gateway is enabled, some web pages do not load.
PRJ-4749, PRHF-5313
Security Gateway
In a rare scenario, the FWK process unexpectedly exits during debug.
PRJ-946, GAIA-4638
Security Gateway
Connectivity issues on some HTTPS sites (as login pages) when Security gateway is configured as proxy. Refer to sk147878.
PRJ-2919, UP-293
Security Gateway
In a rare scenario, Security gateway may crash due to NULL pointer reference.
PRJ-5326, PRJ-5433, PMTR-42553
Security Gateway
Non-FQDN domain objects may not be enforced correctly when used in the Access policy along with updatable objects.
PRJ-5820, PRJ-5821, PMTR-37949
Security Gateway
In some scenarios, traffic is dropped with 'up_transaction_notify_clob failed' error in dmesg when Application Control is enabled.
PRJ-5312, PRJ-5314, NAT-137
Security Gateway
In a rare scenario, Security gateway freezes when IP pool NAT and VPN are used.
PRJ-4356, PRJ-4405, SWG-2208
Security Gateway
In a rare scenario, Security gateway crashes when proxy is enabled.
PRJ-1872, PRJ-5114, PRHF-3940
Security Gateway
In some scenarios, when using Hide NAT with GRE tunnel, packets going through this GRE tunnel may get dropped. Refer to sk154492.
PRJ-4398, PRJ-4400, PMTR-34813
Security Gateway
In some scenarios, traffic is dropped with "[ERROR]: network_classifier_handle_dag: failed to get uuid of DAG bogus_ip" error in dmesg.
PRJ-3426, PMTR-35854
Security Gateway
In a rare scenario, changing the xmit-hash-policy of the bonding group while machine handling traffic, causes it to crash. Refer to sk154573.
PRJ-4180, PRJ-4362, SWG-2174
Security Gateway
Some Web sites cannot be opened when Content Awareness or Anti-Virus/Anti-Bot is enabled, and Security gateway is configured as proxy.
PRJ-4403, PRJ-4650, PMTR-40858
Security Gateway
In a rare scenario, when X-Forwarded-For (XFF) settings are enabled on one of the policy layers and on the Security Gateway object, traffic may be accepted although it should be dropped according to Access policy.
PRJ-771, PRJ-6035, SWG-1922
Security Gateway
In a rare scenario, memory usage may rise on Security gateway, when using service with resource with "Optimize URL logging" feature enabled. Refer to sk153052.
PRJ-4351, PRJ-4352, PMTR-41407
Security Gateway
Access rulebase may not be enforced properly when wildcard objects are used in source and destination columns. Refer to sk162692.
PRJ-5141, PMTR-38249
Security Gateway
In some scenarios, traffic is dropped with "network_classifier_get_dynobjs_for_ip: failed to get UUIDs for IP 0.0.0.0" and "kfunc_ip_ranges_to_dynobj: network_classifier_get_dynobjs_for_ip failed" errors in dmesg when dynamic object is used in access policy.
Fix is relevant for Gaia 3.10 only.
PRJ-4114, PRHF-2796
Security Gateway
In some scenarios, logs cannot be seen because the log_indexer process stopped working.
PRJ-3276, PRJ-2310
Logging
Log Exporter filtering feature allows to decide which logs will be exported based on values from the various fields on the raw log.
PRJ-3210, PRHF-4497
Logging
In some Full HA environment scenarios, the "Logserver <Cluster virtual IP> is disconnected" error pops up in SmartConsole log view.
PRJ-1325, PRHF-3690
Logging
In some scenarios, when running mdsstart, the following error message is shown: "/opt/CPSmartLog-R80.20/bin/smartlogstop: line 65: /opt/CPmds-R80.20/customers//CPSmartLog-R80.20/log/smartlogRun.log: No such file or directory".
PRJ-1311, PRHF-3681
Logging
In the Logs & Monitor view, the "File size" field is missing from the logs generated by Media Encryption & Port Protection blade. Refer to sk157952.
PRJ-2019, PRHF-2607
Logging
In some scenarios, when SAM activity is defined and a Log server receives a high amount of packets, the FWD process on the Log server unexpectedly exits.
PRJ-5338, PRJ-5295
Logging
NEW: Added new Log Exporter feature to export links to the relevant log and log attachments (such as Forensics\TE report).
PRJ-4759, PMTR-40677
IPS
In some scenarios, IPS update fails as a result of error in management server installation.
PRJ-6658, PRJ-6659, PRJ-6655
HTTPS Inspection
NEW: HTTP traffic performance enhancement on VSX environment when Gzip enforcement is used.
PRJ-5877, PRJ-5609
HTTPS Inspection
In a rare scenario, Security Gateway may crash during non-compliant HTTP traffic.
PRJ-6078, PRJ-6086
ClusterXL
After installing Jumbo HotFix Take 76 only on a standby member, it's outgoing traffic does not pass.
PRJ-4591, PRJ-4592, PMTR-41002
ClusterXL
In some scenarios, arp table is not synchronized with master MAC address after fail-over.
PRJ-5080, PRJ-2152
ClusterXL
The message "fwlddist_debug_update_op: resetting to avoid overflow" should be printed only in debug mode since it's not an error.
PRJ-4584, PRJ-5258, PMTR-37812
ClusterXL
In some scenarios, installing policy in order to update the cluster topology during high load, causes the members to fail-over. Refer to sk154575.
PRJ-4409, PRJ-4583, PMTR-38208
ClusterXL
In some scenarios, when changing cluster topology and installing the policy, the cluster fails over. Refer to sk156335.
PRJ-5859, PRJ-1848
SecureXL
In a rare scenario, Host destination entries are memory leaking when neighbor entry is in incomplete state. Refer to sk157252.
Fix is relevant for Gaia 3.10 only.
PRJ-5153, PMTR-37736
SecureXL
In some scenarios, IGMP packets are not forwarded across bridge interfaces.
Fix is relevant for Gaia 3.10 only.
PRJ-5154, PMTR-37727
SecureXL
In some scenarios, packets with IP options are not forwarded across bridge interfaces. Refer to Issue #3 in sk154892.
Fix is relevant for Gaia 3.10 only.
PRJ-2815, PRHF-3608
SecureXL
On cluster, Drop templates are disabled on reboot. Refer to sk153412.
Fix is relevant for Gaia 3.10 only.
PRJ-5152, 02541089
SecureXL
In a rare scenario, Security gateway may freez / crash when a multicast routing is configured. Refer to sk119299.
Fix is relevant for Gaia 3.10 only.
PRJ-4783, PRJ-4784, PMTR-40553
SecureXL
NEW: "sim if" and "sim nonaccel" commands will be deprecated. Instead, "fwaccel if" and "fwaccel nonaccel" commands will be used to accommodate multiple SecureXL instances.
PRJ-6850, PRJ-6851, PMTR-25095
SecureXL
In some scenarios, the Security Gateway accepts the traffic, but no ARP request is sent. Refer to sk152093.
PRJ-6100, PRJ-6101, PRHF-5450
SecureXL
In some scenarios, SecureXL drops TCP packets with "Out of state" reason.
PRJ-5155, PRJ-5156, PMTR-23471
SecureXL
The "fwaccel conns" command has incorrect Help text.
The "fwaccel conns -n" command returns "invalid mask given" message.
PRJ-6779, PRJ-6108, PRHF-5706
SecureXL
In some scenarios, connection does not to expire correctly when NAT and some Software Blades are enabled.
PRJ-4360, PRJ-4361, PMTR-40826
SecureXL
In a rare scenario, Security gateway may crash if cpinfo reads from the /proc/ppk/cpls directory before SecureXL is initialized.
PRJ-6150, PRJ-4564
SecureXL
NEW: Added new SecureXL Fast Accelerator for Non-Scalable Platforms. Refer to sk156672.
PRJ-834, PMTR-36031
CoreXL
In a rare scenario, Security gateway may freeze when "Drop Templates" or "DOS rate" feature is enabled.
PRJ-5469, PRJ-5684, PMTR-38358
SSL Inspection
In some scenarios, several applications are not matched correctly when HTTPS Inspection enabled and URL Filtering is in HOLD mode.
PRJ-5288, PRJ-4758
URL Filtering
NEW: Improved scalability and resiliency of URL Filtering service.
PRJ-6857, PRJ-6828, SWG-2314
URL Filtering
In a rare scenario, RAD process fails to process new kernel requests.
PRJ-3614, PRJ-4854, ROUT-679
Routing
In some scenarios, OSPFv3 LS updates of the default route are not accepted by the Security gateway for Stub/TSA areas. Refer to sk161472.
PRJ-6063, PRJ-6062, PRHF-2798
Routing
In a rare scenario, the routed process may unexpectedly exit when a route with a local address as a nexthop is received.
PRJ-5551, PRJ-5596, PRHF-1739
Gaia OS
In some scenarios, Smart-1 405 and 410 appliances may show high voltage due to incorrect VBat thresholds.
PRJ-1030, GAIA-5047
Gaia OS
Changing the xmit-hash-policy of the bond may cause all static arp entries to disappear from the arp -a output. Refer to sk152892.
PRJ-2191, PRHF-5189
Gaia OS
Many "fwldbcast_new: too many hosts : 0" kernel messages appear in /var/log/messages file. Refer to sk153253.
PRJ-962, PRJ-2789, PRHF-2474
Gaia OS
In some scenarios, user cannot access terminal from WebUI in monitor role mode.
PRJ-6686, PRJ-6687, PRJ-6991, PMTR-44076
Gaia OS
In some scenarios, Gaia restore on Multi-Domain Server fails with error "failed to edit update registry". Refer to sk163312.
PRJ-2819, PMTR-39191
Gaia OS
While unplugging one of the Power supply cables on Smart-1 5150/5050/525 appliances a false 'No Read' message appears for ~5 seconds in both PSUs statuses (instead of Present/Input Lost/Absence).
PRJ-4156, PRJ-5075, PRHF-3929
Gaia OS
NEW: The ARP cache size limit on Clish was increased to 131072 hosts.
PRJ-4523, PRJ-4524, GAIA-5047
Gaia OS
Changing the xmit-hash-policy of the bond may cause all static arp entries to disappear from the arp -a output. Refer to sk152892.
PRJ-3122, PMTR-38890
Endpoint Security
In some scenarios, Endpoint Security Clients are in "Disconnected" state after Endpoint Security Server upgrade. Refer to sk161113.
PRJ-2321, EPS-21609
Endpoint Security
If there is a large amount of devices which are going to be removed from the Deleted Container, the server may fail to process the epmCommands, returning "FATAL: remaining connection slots are reserved for non-replication superuser connections" error.
PRJ-2014, EPS-20841
Endpoint Security
In some scenarios, SmartEndpoint shows "Unknown Error" when trying to open the "User and Computers" Tab "Top Bots" and software deployment by policy reports. Refer to sk151932.
PRJ-5352, PMTR-39950
Endpoint Security
In some scenarios, migrate_import fails with the "ERROR: Command completed with error code #2 and output: psql.bin: could not connect to server: No such file or directory" message in $UEPMDIR/logs/exportedFileManip*.log.
PRJ-2913, EPS-21658
Endpoint Security
In some scenarios, when searching for a machine in SmartEndpoint and selecting it, a "Server Error" message appears. Refer to sk158432.
PRJ-1810, PMTR-27831
VPN
NEW: Connectivity enhancements for Remote Access clients using internal Office mode allocation with a long timeout.
PRJ-4648, PRJ-6593, PRHF-4819
VPN
In some scenarios, traffic is not working over Site-to-Site VPN after an upgrade.
PRJ-2873, PRJ-4726, PMTR-38894
VPN
Connectivity improvement for Remote Access clients in environments with 3rd party VPN tunnels.
PRJ-3557, VSX-1866
VSX
NEW: Added the option to configure reject routes via vsx_provisioning_tool on Scalable Platforms Appliances. Refer to sk151473.
PRJ-5922, PRHF-6345
VSX
In some scenarios, IGMP traffic is dropped by "local interface address spoofing" in VSX HA. Refer to sk162953.
PRJ-4674, PMTR-41221
VSX
VSX configuration cannot not be applied after upgrade from R77.x to R80.x, due to duplicated VSX routes.
R80.30 Jumbo HotFix - Ongoing Take 76 (11 October 2019)
-
General
Added GUI support for Check Point 26000 and 16000 appliances. Refer to sk162832.
-
General
Added support for Check Point 26000T and 16000 model appliances and CloudGuard IaaS products AWS, Azure, GCP.
PRJ-2726, PMTR-38948
Upgrade
Added a pre-upgrade verification that Global network objects with NAT configuration are not supported.
PRJ-718, PMTR-36761
Security Management
Enhancement: added feature for tracking random CPM process crashes on Security Management server. Refer to sk150913.
PRJ-3604, PMTR-39644
Security Management
Added ability to automatically determine the API process memory allocation to avoid "Out of memory" errors. Refer to sk119553.
PRJ-4241, PMTR-38720
Security Management
When many users are connected to and actively working in the same domain in SmartConsole, they may experience:
Slowness in SmartConsole responses
Long duration of operations
High load on the Management Server
PRJ-4729, PMTR-41157
Security Management
After deleting a network object that is part of a network group, the audit log of the group modification does not show who is the removed member. Refer to sk164057.
PRHF-3242, PRJ-659
Security Management
In a rare scenario, the policy verifier ignores rules with object named "Internet" used with negate operator.
PRJ-4306, PMTR-40468
Security Management
Added a mechanism to prevent the Management Server from starting if an import process was interrupted.
PRJ-2339, PRHF-4046
Security Management
In some scenarios, user cannot discard or publish a work session, receiving the general message "Internal error".
PRJ-1762, PMTR-37924
Security Management
Due to a failed full sync, FWM was restarted unexpectedly and obsolete domain sessions were used in the global policy assignment.
PMTR-23492, PRJ-2847
Security Management
Added support for Internal CA certificate replacement.
PRJ-3874, PRHF-3463
Security Management
In some scenarios, size of the shadow_object.C file increases after each policy installation, eventually causing a failure in installing a policy.
PRJ-2341, PMTR-38095
Security Management
In a rare scenario, the Security Management server does not start due to a missing object, or a duplication of objects.
PRJ-1493, PMTR-38249
Security Management
In some scenarios, traffic is dropped with "network_classifier_get_dynobjs_for_ip: failed to get UUIDs for IP 0.0.0.0" and "kfunc_ip_ranges_to_dynobj: network_classifier_get_dynobjs_for_ip failed" errors in dmesg when dynamic object is used in access policy.
PRJ-1380, PRHF-3514
Security Management
In some scenarios, upgrade from R7x fails with core file of cpdb process due to an empty field in 'autoupdate_and_install_settings' object.
PRJ-1974, CPM-2300
Security Management
In some rare scenarios CPM server does not start after a failure in delete domain.
PRJ-1518, CPM-2264
Security Management
Performance and stability improvements in large High Availability setups.
PRJ-3879, PMTR-39361, PMTR-40489
Security Management
Cannot export a .pdf file from the License inventory view after Jumbo HotFix installation on the Management server.
PRJ-1375, CPM-2242
Security Management
In some scenarios, High Availability synchronization between Management Servers fails and HA menu is disabled.
PRJ-3689, PMTR-36555
Security Management
New policy creation may fail when there are no installation targets defined in this policy.
PRJ-1903, PRJ-1899
Security Management
After opening and searching in pickers for a few times, the "error retrieving results" message appears when opening a picker.
PRJ-2488, PMTR-38103
Security Management
In some scenarios, a validation incident about Invalid Email Address is presented in SmartConsole after upgrade from R77.
PRJ-2441, PMTR-38293
Security Management
In some scenarios, QoS policy installation fails when installing the blade without installing Access or Threat blades of the same policy first.
PRJ-2788, PMTR-37630
Multi-Domain Management
In some scenarios, Multi-Domain Server upgrade from R80 fails due to an internal error related to deprecated application objects. Refer to sk157752.
PRJ-5639
CPInfo
In some scenarios, the CPInfo tool does not show/collect the correct information after Jumbo Hotfix installation. Refer to sk162775.
PRJ-4415, PRHF-5177
Compliance
In some scenarios, some of the Best Practices show "N\A" status in the Compliance blade dashboard.
PRJ-1273, SL-1052
Logging
In a rare scenario, when an environment has many gateways (dozens), FWM on the log server may crash when reaching to 4 GB memory.
PRJ-4965 SL-2456
Logging
In a rare scenario, a specific log fails to be written and an alert informing on this is displayed in SmartConsole.
PRJ-2678, PRHF-3831
Logging
In a rare scenario, the accounting of bytes in a report is not accurate.
PRJ-871, PRHF-2806
Logging
In a rare scenario, SmartConsole does not show indexed logs because the log_indexer process stopped working. Refer to sk152934.
PRJ-1158, PRHF-3561
Logging
In SmartView, if a view contains 2 map widgets, one displaying source countries and the other displaying destination countries, drilling down on one of them may display incorrect data.
PRHF-4975, PRJ-4062
Logging
In some scenarios, when exporting logs with "Visible columns" option selected from SmartView, some columns return empty record. Refer to sk161712.
PRJ-2645, SL-2509
Logging
Running views and reports with a filter fails if the filter contains a "NOT" operator combined with parentheses.
PRJ-3529, PMTR-34580
Multi-Domain Management
In some scenarios, Administrator does not see that a revision was created in its Domain (on Domain level) after a Global policy was assigned to it.
PRJ-3048, PMTR-39455
Multi-Domain Management
If user deletes a CLM from a Domain (it's forbidden, the validation was added), the CLM remains as partially deleted and user cannot create a new one.
PRJ-3527, PMTR-40003
Multi-Domain Management
Objects on Domain level that should be shown on the Multi-Domain Server level, sometimes are not shown correctly.
PRJ-2385, PMTR-38670
Multi-Domain Management
In a rare scenario, CPM server fails to start after successful Domain deletion.
PMTR-38211, PRJ-2172
Multi-Domain Management
In some scenarios, logs are not saved under $MDS_FWDIR/log/failed_tasks directory.
PRJ-799, PMTR-36765
Multi-Domain Management
In some scenarios, the "Unable to connect to server. Please make sure the server is up and running." error appears when trying to log into single Domain from SmartConsole. Refer to sk153293.
PRJ-1567, SMCUPG-719
Multi-Domain Management
Deletion of Domain failed with "Could not send message" error when having large amount of gateways in the Domain. The Domain remain without Domain Servers.
PRJ-1303, PRJ-1305
Multi-Domain Management
When running the 'add-domain' Web API command on an existing Domain, the original Domain may be deleted.
PRJ-1444, PRHF-3783
Multi-Domain Management
In some scenarios, gateways are missing in the 'Gateways and Servers' view in SmartConsole on the MDS level.
PRJ-2245, PMTR-36614
Multi-Domain Management
The mds_backup command will generate an output file of format .tar instead of .tgz to improve the duration time of backup (mds_backup) and restore (mds_restore) of Multi-Domain Server. Refer to sk163300.
PRJ-1532
Multi-Domain Management
In a specific scenario, Global policy rules may change order after Multi-Domain Server upgrade. Refer to sk155432.
PRJ-374, PRHF-3285
Multi-Domain Management
In a rare scenario, FWM process unexpectedly exits on the Domain level during login.
PRJ-1970, PRJ-4545, PRHF-3268
SmartConsole
In setups with a large quantity of network object, users may experience slowness when editing the HTTPS Inspection policy. Refer to sk147134.
To fully resolve the issue, R80.30 SmartConsole Build 20 (or higher) should be installed.
PRJ-3870, PRHF-4655
SmartConsole
In a rare scenario, when user clicks on Mail Transfer Agent (MTA) options in the Security gateway settings or on 'Next hop' column inside MTA settings, SmartConsole shows "Not Responding" and freezes. Refer to sk161232.
To fully resolve the issue, R80.30 SmartConsole Build 20 (or higher) should be installed.
PRJ-619, PRHF-3415
SmartConsole
In some scenarios, upgrade fails with "com.checkpoint.management.classes.dle.triggers.internal.VersionInfo.VersionInfo" exception in cpm.elg file.
PRJ-1879, PRJ-1864
SmartConsole
In some scenarios, SmartConsole unexpectedly exits while adding or removing many objects via Web API.
PRJ-1210, PRHF-3465
SmartConsole
Pre-shared keys are missing after upgrade.
PRJ-832, PMTR-36527
SmartConsole
Redundant layers appear in the output of the 'show-package' command when Global policy holding more than one layer, is assigned to Domain.
PRJ-1144, API-549
SmartConsole
Management API command "put file" can be used for command execution with certain permissions.
PRJ-1434, PMTR-31155
SmartConsole
In some scenarios, SmartConsole terminates when installing policy on many targets at once.
PRHF-2194, PRJ-4434
SmartConsole
In some scenarios, Client certificate is removed when deleting Domain that is included in certificate's permissions.
PRJ-2142, PMTR-38301
SmartConsole
Added the protectionExternalInfo property in the overrides object that displays the CVEs in the output of 'show threat-profile' command.
PRJ-2419, PRJ-1407, PMTR-38710
SmartProvisioning
In VPN Community managed by SmartProvisioining:
When adding SMB gateway to the VPN community, VPN tunnel may not been established.
When changing security profile in VPN community, the VPN settings are not changed.
Policy installation fails for cluster member of CO Gateway.
PROV-2068, PRJ-4672
SmartProvisioning
In some scenarios in SmartProvisioning:
When executing Run Script on SmartProvisioning profile, the application disconnects from the server and is closed.
When executing Push Settings and Actions the "The action was not performed due to maintenance mode" error appears.
MCFG-199, PRJ-2384
SmartProvisioning
SmartUpdate generates audit log even when no action was taken.
PRHF-3392, PRJ-869
SmartProvisioning
In VPN star community managed by SmartProvisioning, VPN tunnels may not be established after installing policy to CO gateway (center). Refer to sk152612.
PRJ-4311, PRJ-4314, GAIA-6260, STRM-149
Security Gateway
In some scenarios, a remote client disconnects after one hour although the session is not idle. Refer to sk160213.
PRJ-3589, STRM-109, PRJ-3564
Security Gateway
Disabling connections timestamp does not work on active streaming connections. Refer to sk62700.
PRJ-4416, QOS-22, PRJ-698
Security Gateway
In a rare scenario, Security gateway crashes during QoS policy installation.
PRJ-4804, PMTR-41392
Security Gateway
Enabled avoiding source port allocation for specific predefined connections.
PRJ-4147, UP-293
Security Gateway
In a rare scenario, Security gateway may crash due to NULL pointer reference.
Fix is relevant for Gaia 3.10 only.
PRJ-4615, PMTR-40937, PRJ-4554
Security Gateway
In some scenarios, VoIP traffic is dropped with "allocate_port_impl: could not find a free port;" error in dmesg.
PRJ-4758
URL Filtering
Improved scalability and resiliency of URL Filtering service.
Fix is relevant for Gaia 3.10 only.
PRJ-4845, PRJ-4844, PMTR-4178
SSL Inspection
In a rare scenario, when SSL Inspection is enabled and there is big latency, Microsoft websites (for example Azure) may not respond. Refer to sk150175.
PRJ-1161
IPS
CMA migration may take a long time when there are many IPS protections local overrides.
PRJ-5173, PRJ-2168, PRJ-2108
IPS
In some scenarios, categorization of HTTPS sites over IPv6 does not work as expected.
PRJ-1666
Threat Emulation
Management Server upgrade may fail in these scenarios:
There are Threat Emulation settings, which remained from Security Gateway objects that were already removed.
There are Threat Emulation settings, which are configured in the cluster member objects and not in the cluster object.
Deleting a Threat Prevention profile may fail if the IPS profile has many overrides. Refer to sk136552.
PRJ-4148, PMTR-40174
Threat Prevention
Upgrade fails due to invalid Threat Emulation settings connected to gateways that no longer exist or to cluster members.
Fix will affect only Advanced upgrade
PRJ-5077, PMTR-41915
Threat Prevention
In a rare scenario, R80.30 Security gateway managed by R80.30 Management crashes when running a Threat Prevention Software Blade with the Forensics feature enabled. Refer to sk161812.
Fix is relevant for Gaia 3.10 only.
PRJ-1919, PRJ-2416, PRJ-2417, PRJ-3510
Identity Awareness
Security hardening for Identity Awareness Agent (IDA) enforcement according to XFF IP.
PRJ-3478, PRJ-1952
Identity Awareness
Performance improvement of Identity Awareness kernel tables for Cluster and multi-fw1 instances gateways.
PRJ-3478, IDA-1966
Identity Awareness
In a rare scenario, identities are missing from all connected Identity Gateways (PEPs).
IDA-1987, PRJ-1956
Identity Awareness
In a rare scenario, sessions longer than 24 hours disappear from the Identity Gateway (PEP) but exist on the Identity server (PDP)
IDA-1981
Identity Awareness
Users are not propagated from the PDP to the PEP on a specific network due to a rare race condition between register and unregister requests triggered by different instances or cluster members.
PRJ-1926
Identity Awareness
The output of pep show pdp all command on the Identity Gateway (PEP) contains "inx invalid type (0)" instead of an Identity server (PDP) IP address. Refer to Scenario #3 in sk156953.
PMTR-32539, PRHF-3443
Identity Awareness
Users are not authenticated when an identity source provides the login name in an 'User Principal Name' format "user@domain". Refer to sk147417.
PRJ-3137, PRJ-5259, PMTR-38645
ClusterXL
Added support for Cluster Load Sharing without IPSec VPN. To enable the support, refer to sk162637.
PRJ-1657, PRJ-5035, PMTR-30582
ClusterXL
In some scenarios, unable to connect to the Standby Cluster member from a non-local subnet via SSH or WebUI. Refer to sk147493.
PRJ-2147, PRJ-3439, PRHF-4105
ClusterXL
In a rare scenario, the fw_workers process consumes high CPU on the Standby member of a ClusterXL. Refer to sk156333.
PRJ-3295, PRHF-4301
CoreXL
In a rare scenario, Custom affinity configuration is overwritten when HT is enabled. Refer to sk158112.
PRJ-998, PMTR-35350
CoreXL
In some scenarios, VPN connection's records remain in the Global connections table even after the connection expires. Refer to sk155332.
PRJ-2397
CoreXL
"fwmutlik_do_sequence_accounting_on_entry: bad dir" errors are mistakenly printed in dmesg output. Refer to sk158312.
PRJ-1299
SecureXL
In a rare scenario, multicast routing lookup may lead to SIM crash.
PRJ-631, PRHF-5533
SecureXL
In some scenarios, latency is observed on the Security gateway. Refer to sk162914.
PRJ-1177, PRJ-1176
SecureXL
Added sim module parameter "sim_anti_spoofing_enabled" to allow disable of anti-spoofing in Performance Pack without installing new Firewall policy.
PRJ-1642, PRJ-3660, PRHF-4350
SecureXL
In some scenarios, SecureXL drops the TCP traffic for the particular connection for invalid state reasons. Refer to sk147093.
PRJ-4622, PMTR-40703, PRJ-4621
SecureXL
In some scenarios, sending IP fragmented traffic through a Virtual Switch or Virtual Router fails with "Virtual defragmentation error".
PRJ-4735, PRHF-3487, PRJ-1223, PRJ-1841
SecureXL
In some scenarios, Policy Based Routing (PBR) does not work properly when acceleration is enabled.
PRJ-2119, PRJ-1848
SecureXL
In a rare scenario, Host destination entries are memory leaking when neighbor entry is incomplete state. Refer to sk157252.
PRJ-1218, PMTR-37165
SecureXL
In some scenarios, multicast traffic is not forwarded across bridge interfaces.
PRJ-1252, PRHF-3608
SecureXL
On cluster, Drop templates are disabled on reboot. Refer to sk153412.
In a rare scenario, a Policy Based Routing (PBR) does not work although configured.
PRJ-2323, PRJ-5078, PMTR-38429
Gaia OS
The restore backup operation fails if the machine was installed via ISO during the backup, and via CPUSE during the restore.
PRJ-1477, PRJ-5115, PMTR-37425
Gaia OS
Backup task may fail if SmartConsole is open during backup.
PRJ-3136, GAIA-2861
Gaia OS
In some scenarios, the IGB driver interfaces are occasionally down after reboot of a Management machine. Refer to sk135532.
PRJ-3365, PRJ-3361, PRJ-3364
Gaia OS
'|' and '-' characters cannot be used in the message banner.
PRJ-3113, PMTR-39534
Gaia OS
Added support for LOM (iDRAC) interfaces.
PRJ-1677
Gaia OS
Clish command "show system init-services" and Expert command "service --status-all" run "mdsstart" on the server.
GAIA-4695, PRJ-615, PRJ-4527
Gaia OS
When running "service vmtoolsd restart" command on Gaia installation with VMware, the "Installing memory driver: FATAL: Module vmmemctl not found. [FAILED]" error is displayed although the vmw_balloon.ko driver is loaded. Note: this issue is only cosmetic.
PRJ-1771, GAIA-4793
Routing
The default OSPF instance binding is missing.
ROUT-484, PRJ-4849, PRJ-4850
Routing
In some scenarios, legitimate subnets of 0.0.0.0 (for example 0.0.0.0/1) cannot be configured for certain routing features, like static routes, PBR, routemaps, etc.
PRJ-4279, PRJ-4266, PRHF-5105
VSX
In a rare scenario, machine crashes when using VSX with Virtual Switch (VSW).
PRJ-4921, PMTR-32931
VSX
In some scenarios, the fwk process may crash when VSX gateway is upgraded to R80.30.
PRJ-4956, GAIA-6397, PRJ-4950
VSX
In some scenarios, traffic does not pass in VSX setup with VS-VSW-VS topology and some Threat Prevention blades enabled on VSs.
PRJ-1420, PRJ-4740, GAIA-5136
VPN
Improved the VPN connectivity for VSX and User-Space Firewall gateways.
PRJ-4740, PRJ-1420
VPN
In some scenarios, VPN Encryption Domain Routes are not added to kernel via RIM in VSX environment. Refer to sk154692.
PRJ-1385, GAIA-5338
VPN
In some scenarios with acceleration enabled, traffic through VR for a VPN setup does not pass.
PRJ-2348, PMTR-38631
VPN
Remote Access client randomly disconnect / unable to connect when DHCP multi-homed server is configured.
PMTR-38041, PRJ-4153, PRJ-4488
VPN
In some scenarios, the Phase-2 negotiation fails with "Reason: Wrong value for: Encapsulation Mode" after upgrade. Refer to sk157092.
R80.30 Jumbo HotFix - General Availability Take 50 (03 September 2019, GA from 24 September 2019)
-
General
Added support for Gaia kernel 3.10.
-
General
Added support for Check Point 26000 and 16000T model appliances and CloudGuard IaaS products AWS, Azure, GCP.
PRJ-2300
Security Management
Added Management support for 16000 and 26000 appliances.
GUI support was added in R80.30 Jumbo HotFix Take 71.
PRJ-5065, PRJ-3101
Multi-Domain Management
Import of Multi-Domain Management Server fails when Jumbo HotFix is installed on the target machine and the source machine is R77.x. Refer to sk162032.
PRHF-3248, PRJ-823, PRJ-2737
Security Gateway
In a rare scenario, Security gateway freezes when Priority Queue is enabled. Refer to sk149413.
PRJ-3736, PRJ-3737, PMTR-40259
Security Gateway
In some scenarios, when a connection is accelerated and ICMP packet is sent from a server to a client, it is being dropped by Security gateway.
PMTR-25703, PRJ-2694
Security Gateway
In a rare scenario, when configured as a proxy/ICAP client, a Security gateway may crash when using HTTPS Policy Categorization.
Fix is relevant for Gaia 3.10 only.
PRJ-5028
Threat Prevention
In a rare scenario, R80.30 Security gateway managed by R80.30 Management crashes when running a Threat Prevention Software Blade with the Forensics feature enabled. Refer to sk161812.
PRJ-2891, PMTR-31316
Logging
In some scenarios with low disk space and customized retention configuration, logs and indexes may be deleted contrary to the configuration.
In some cases, logs are not forwarded when log forwarding in enabled on a Log server machine.
PRJ-2896, PRJ-748
Logging
In a rare scenario, cannot open new tab in SmartView after exporting data using a relative time filter.
"fwmutlik_do_sequence_accounting_on_entry: bad dir" errors are mistakenly printed in dmesg output. Refer to sk158312.
Fix is relevant for Gaia 3.10 only.
PMTR-35350, PRJ-2735
CoreXL
In some scenarios, VPN connection's records remain in the Global connections table even after the connection expires. Refer to sk155332.
Fix is relevant for Gaia 3.10 only.
PRJ-2734, PMTR-36031
CoreXL
In a rare scenario, Security gateway may freeze when "Drop Templates" or "DOS rate" feature is enabled.
Fix is relevant for Gaia 3.10 only.
PRJ-2668, PRJ-2358
Gaia OS
CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.
PRJ-1981, GAIA-5576
Gaia OS
IPv6 address configured on VLAN interfaces is missing after reboot.
Fix is relevant for Gaia 3.10 only.
PRJ-2579, GAIA-5563
Gaia OS
Status of newly created VLAN interface is "off".
Fix is relevant for Gaia 3.10 only.
PRJ-2561, GAIA-5815
Gaia OS
When adding more than 256 bridge interfaces, CPD process unexpectedly exits, bringing down SIC.
Fix is relevant for Gaia 3.10 only.
PRJ-2782, GAIA-5512
CPView
The SMT Status is "Unknown" instead of "Enabled" in CPView.
Fix is relevant for Gaia 3.10 only. The SMT Status is removed from CPView on Gaia 3.10 kernel as there is no soft-disable of Hyper-Threading on this kernel version anymore.
PRJ-4055, GAIA-6172
VSX
In some scenarios, a new hotfix installation via CPUSE fails on VSX. Refer to sk159713.
Fix is relevant for Gaia 3.10 only.
PMTR-39868, PRJ-3528, PRJ-3671
VSX
In some scenarios, traffic is dropped on VSX. Refer to sk160352.
R80.30 Jumbo HotFix - General Availability Take 19 (02 July 2019, GA from 04 Aug 2019)
PRJ-634, PMTR-15461
SecureXL
Added support for i40evf driver.
PRJ-451, PRHF-3283
Security Management
In a rare scenario, a failure in policy installation causes a false "Policy installation is currently in progress" error message.
PRJ-1647, PMTR-36840
Multi-Domain Management
Improved duration of Multi-Domain Server upgrade from R80.10.
PRJ-593, PRHF-3300
Multi-Domain Management
Multi-Domain Server processes must be down when running cma_migrate.
PRJ-1787, PMTR-37945
SmartConsole
In a rare scenario, when using "add-threat-exception" API command to empty rulebase, it fails with the "Runtime error: Index: -1, Size: 0" error.
PRJ-1552, PMTR-31316
Logging
In some scenarios with low disk space and customized retention configuration, logs and indexes may be deleted contrary to the configuration.
In some cases, logs are not forwarded when log forwarding in enabled on a Log server machine.
PRJ-748
Logging
In a rare scenario, cannot open new tab in SmartView after exporting data using a relative time filter.
PRJ-633, PRJ-2897
SecureXL
Debug messages are not printed when running "fwaccel dbg -m adp all" and sending multicast packets through the Security gateway.
PRJ-898, GAIA-4855
VSX
When SecureXL and IPS are enabled on VS connected to VR, HTTP traffic does not pass the internal Host.
PRJ-2371, PRJ-2358
Gaia OS
CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.
Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
Install the latest build of CPUSE Agent from sk92449.
Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
In the upper right corner, click on the Import Package button.
In the Import Package window, click on Browse... - select the CPUSE package (either offline TGZ file, or exported TAR file) - click on Import.
Above the list of all software packages, click on the Showing Recommended packages button - selectAll.
Select the imported package Check Point R80.30 Jumbo hotfix T<number> for sk153152 - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
Select this package and click on Install Update button on the toolbar.
Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
Install the latest build of CPUSE Agent from sk92449.
Connect to command line on target Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database: HostName:0> lock database override
Import the package from the hard disk: HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
Show the imported packages: Note: Refer to the top section "Hotfixes" - refer to "Check Point R80.30 Jumbo hotfix T<number> for sk153152" HostName:0> show installer packages imported
Verify that this R80 Jumbo Hotfix Accumulator package can be installed without conflicts: HostName:0> installer verify <Package_Number>
Install the imported package: HostName:0> installer install <Package_Number>
Uninstall Instructions
Important Note: This Jumbo Hotfix Accumulator removes all its packages during uninstall.
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
Connect to the Gaia Portal on your Gaia machine and navigate to the 'Upgrades (CPUSE)' section - click on 'Status and Actions'.
Above the list of all software packages, click on the 'Showing Recommended packages' button - select 'All'.
Right-click on the Jumbo Hotfix Accumulator package - click on 'Uninstall'.
A warning will be displayed that after this uninstall, the machine will be automatically rebooted. Click on 'OK' to start the uninstall.
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
Connect to command line on Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database: HostName:0> lock database override
Uninstall the package: HostName:0> installer uninstall <Package_Number> Note: The progress (in per cent) will be displayed in Clish.
