Jumbo Hotfix Accumulator for R81 (R81_jumbo_hf)
Solution


 

Introduction

R81 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues in different products.

This Incremental Hotfix and this article are periodically updated with new fixes.

The list below describes each resolved issue and provides the Take number which includes the fix. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). In addition, the table includes the date the Take was published. A list of the files replaced by this Jumbo Hotfix Accumulator can be provided upon request by Check Point Support.

The Jumbo Hotfix Accumulator supports these products and configurations: Security Gateway, Security Management Server, Multi-Domain Management Server, Log Server, Multi-Domain Log Server, SmartEvent Server, Endpoint Security Server, VSX and Cluster.

  • Install this Jumbo Hotfix Accumulator only after you successfully complete the Gaia First Time Configuration Wizard and reboot.
  • For CPUSE installation, use the latest Deployment Agent build (refer to sk92449).
  • We recommend installing the Jumbo Hotfix Accumulator on all R81 devices. Refer to the R81 Release Notes for the list of supported environments.

Also refer to sk98028 - Jumbo Hotfix Accumulator FAQ.


Support for Scalable Platform and Open Servers

R81 Jumbo Hotfix Accumulator provides support for Security Gateways configurations running on Open Servers and Scalable Platform appliances.
  • For an existing Security Gateway running on Open Servers, a Blink image consisting of the R81 GA image (Take 392) and the R81 Jumbo Hotfix is available in the Download section below.

  • For freshly installed Open Servers, first use the R81 ISO image from the R81 Home page and then, before placing the machine into the production environment, install the R81 Jumbo Hotfix package from the table below (not the Blink image).

  • For freshly installed Scalable Platform appliances, first use the R81 ISO image from the R81 Scalable Platform Home page and then, before placing the machine into the production environment, install the R81 Jumbo Hotfix package from the table below.

The R81 ISO image (Take 392) and the R81 image included in the Blink image are identical.


Availability 

  • General Availability Take

    Take_23 is the latest R81 Jumbo Hotfix Accumulator General Availability release that can be directly downloaded from Check Point Cloud using CPUSE and from this article:

    Product | Take | Date | CPUSE Offline package | SmartConsole package
    Security Management and Security Gateway Jumbo HF | Take_23 | 25 Mar 2021 | (TAR) | (EXE) Build 550
    Blink Image for Security Gateway and Open Server - Clean Install / Upgrade | R81 GA Take 392 + Jumbo HF Take_23 | 05 Apr 2021 | (TGZ) |
    Blink Image for Security Management - Clean Install / Upgrade | | | (TGZ) |
    Blink Image for Multi-Domain Management - Clean Install | | | (TGZ) |

    • Effective April 08 2021, the SmartConsole package has been updated to Build 550.
    • For Gaia Fast Deployment mechanism "Blink", refer to sk120193.
    • A Blink image for the secondary Multi-Domain Management and Multi-Domain Log Module (MLM) will be added in one of the upcoming Jumbo Takes.


  • Ongoing Take

    Product | Take | Date | CPUSE Offline package | SmartConsole package
    Security Management and Security Gateway Jumbo HF | Take_27 | 26 Apr 2021 | (TAR) | (EXE) Build 550

    • Use Check_Point_R81_JUMBO_HF_MAIN_Bundle_T<Take number>_FULL.tgz for:
      • CPUSE Online Identifier
      • Starting from R81 Management servers, for Central Deployment with SmartConsole Online Identifier
    • Effective April 08 2021, the SmartConsole package has been updated to Build 550.







Important Notes

  • Before you perform an upgrade, refer to sk164258 to check the compatibility of Jumbo Hotfix Takes between different releases. 
  • In R81 Jumbo Hotfix Take 10, the file name displayed in CPUSE (the Online package) is different from the name of the file that was imported from the sk article (the Offline package):
    • The Offline package from the sk article is displayed as Check_Point_R81_JUMBO_HF_MAIN_Bundle_T10_FULL
    • The Online CPUSE package is displayed as Check_Point_R81_JUMBO_HF_Bundle_T10_sk170114_FULL

    Note: this is only a display issue and there is no impact on functionality. This issue will be fixed in the upcoming Jumbo Hotfix Take.
  • IDA customers who want to install R81 Jumbo Hotfix Take 13 or higher should follow sk170516.
  • For customers who upgraded their Management server to R81 GA and installed R81 Jumbo Hotfix Take 13 or 17, Endpoint Clients may disconnect. For more information, refer to sk172485. The fix is included in Take 23.
  • Web SmartConsole is not available for customers who install Take 23 without having installed a Jumbo Hotfix before. The fix is included in Take 25. For details, refer to sk170314.
  • If you install Jumbo Hotfix on a cluster with enabled Identity Awareness, refer to sk170516 to see the procedure Check Point recommends following the installation. 
  • In environments that use Data Type Group objects, the Management server may fail to start after installing Jumbo Hotfix Take 23. The fix is included in Take 27.
  • Starting from Take 25, many "dst_release: dst:ffff88052d4c68c0 refcnt:-480" messages may appear in dmesg and possibly impact system performance. This issue is limited to CPAS connections (when SSL Inspection, Proxy, TE or TEX is activated, or Anti-Virus deep scan is enabled). This issue will be fixed in the upcoming Jumbo Hotfix Take.

 

List of Resolved issues and New Features per HotFix Take


ID Product Description
R81 Jumbo HotFix - Ongoing Take 27 (26 April 2021)
PRJ-24974,
PRHF-16965
Security Management In environments that use Data Type Group objects, the Management server may fail to start after installing Jumbo Hotfix Take 23.
PRJ-24913,
PMTR-67937
Security Management "Unauthorized client" error on login failure from an IP address that is not explicitly defined in the Trusted Clients list. Refer to sk173026.
R81 Jumbo HotFix - Ongoing Take 25 (08 April 2021)
PRJ-21007,
PRHF-14969
Security Management NEW: Improved FWM process performance during Security policy or database installation. 
PRJ-22314,
PRJ-22315
Security Management NEW: Performance improvement of Management High Availability Full Sync.
PRJ-18428,
PMTR-61041
Security Management UPDATE: In High Availability environment, Assign and Reassign Global Policy actions are not supported for a Domain if the active Domain Server for this Domain is a Security Management device. The assignment will be performed after change-over to the primary Domain Server.
PRJ-21873,
ODU-82
Security Management UPDATE: Added Update 8 of Infinity Threat Prevention Management (ITPM). Refer to sk167109.
PRJ-21239,
PMTR-62918
Security Management In some scenarios, the log file of PostgreSQL (postgres.elg) may become very large.
PRJ-23500,
PMTR-66213
Security Management In some scenarios, verification errors regarding conflict of rules may be missing if the policy installation is accelerated and the target is a cluster.
PRJ-20805,
PRHF-14691
Security Management In some scenarios, deleting a partial domain with the createDomainRecovery.sh script fails when there are several RadiusGroup objects with the same name in different domains.
PRJ-21704,
PMTR-64423
Security Management In large environments with High Availability, synchronization and upgrade may fail due to very large database size.
PRJ-22519,
PMTR-64104
Security Management Policy Installation may fail with "Error code: 0-2-2000245" message when using IPv6.
PRJ-20128,
PMTR-62503
Security Management Data Center objects defined in NAT and HTTPS Inspection rulebases may not be enforced correctly after policy installation that was accelerated.
PRJ-21417,
PRJ-20995
Security Management In rare scenarios, the initiation of the Management server may take a long time.
PRJ-20305,
PRHF-14634
Security Management In some scenarios, deleting a Domain Server may fail with "Got at least one duplicate UID in requested list" error.
PRJ-21360,
PRHF-14606
Security Management In some scenarios, the Purge Revisions task may stop and show 0% for hours.
PRJ-17790,
PRHF-13382
Security Management In some scenarios, policy verification for static NAT rules succeeds even though the source subnet NAT is bigger than the destination subnet NAT.
PRJ-20888,
PRHF-14946
Security Management In some scenarios, when connecting to an existing session in SmartConsole from a different IP address, a wrong "Client IP" is shown in Audit Logs view.
PRJ-21587,
PRHF-15222
Security Management In rare cases, the CPM Solr process may not be stopped when running cpstop or mdsstop.
PRJ-20766,
PRHF-14399
Security Management High load may occur on the Management Server when searching for a prefix of IP address that has more than 10 thousand matches.
PRJ-21185,
PMTR-63358
Security Management In rare scenarios, logout from a session fails with "An internal error has occurred" message.
PRJ-19720,
PMTR-62272
Multi-Domain Management The Multi-Domain session APIs "view sessions" and "show last-published-session" results may include sessions that were not filtered according to the administrator's permissions profile.
  • A Domain manager running the API is notified when the results are filtered and is asked to run the command again with the "ignore-warnings" flag.
PRJ-21913,
PMTR-64572
Multi-Domain Management In some scenarios, installation of Jumbo Hotfix on Multi-Domain Server may fail after running restore from backup.
PRJ-21081,
SMCUPG-1625
Multi-Domain Management In some scenarios, HA Full Sync on the System Domain fails after upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059.
PRJ-21344,
PRJ-16910
Multi-Domain Management When running many Reassign Global Domain operations for Domains that are not active on the current Multi-Domain Server, the load on the Server may increase and result in slowness of user and automation work.
PRJ-20952,
PMTR-62383
SmartConsole After a network interface is removed by cluster API, a network group assigned to that interface remains as used by cluster members and cannot be deleted.
PRJ-21627,
PMTR-55104
SmartConsole In Multi-Domain environment with High Availability using Security Management Server, if the Security Management is the active peer for a Domain assigned to the Global Domain, the Policy Package creation may fail.
PRJ-20241,
PRHF-14533
SmartConsole When there are no search results, search in Access Control Policy displays "An error occurred while searching" instead of "No Items Found".
PRJ-19932,
PRHF-14278
SmartConsole In rare scenarios, the "Show Policy Package" tool and some Management API commands with details-level "full" may fail when UTM cluster is part of the policy targets.
PRJ-20316,
PRHF-14637
SmartConsole In some scenarios, the "show gateways-and-servers" Management API command fails when running it with details-level full and when connected to the Global Domain. Refer to sk170895.
PRJ-19142,
PRHF-14010
SmartConsole In some scenarios, the "add-user" API command with authentication method TACACS+ or Radius server fails with "object not found" message. Refer to sk170325.
PRJ-18923,
PRHF-13879
SmartConsole In some scenarios, the "show-access-rulebase" Management API command fails when running it with details-level "full" and there is a network group with more than 50000 objects on one of the rules. Refer to sk170435.
PRJ-21160,
PMTR-63555
SmartConsole If there is an HTTPS Inspection layer that is not used in the policy, policy installation may fail with the "Internal error" message.
PRJ-21624,
PRHF-15156
SmartConsole In some scenarios, FWM process logs show Provisioning/LSM activity even though LSM is not in use. Refer to sk171905.
PRJ-21390,
PMTR-63149
SmartConsole Slowness may be observed in some SmartProvisioning operations (like open SmartProvisioning GUI, create a new LSM object, open an LSM object editor, etc.).
PRJ-22223,
PMTR-32568
SmartConsole In some scenarios, a validation warning may appear on an updatable object with the following message: "Object is no longer supported. Enforcing security for this object is not possible." However, the object is still available in the updatable objects picker.
PRJ-22050,
PMTR-62337
SmartConsole In some scenarios, the Hit count information in the Access Policy rulebase is not shown correctly.
PRJ-20776,
PRHF-13197
Compliance In some scenarios, an incorrect Compliance status for Gaia OS Best Practices is displayed.
PRJ-19303,
PRHF-11595
Compliance Compliance Blade may not scan inline layers for Application Control and URL Filtering best practices.
PRJ-22825,
PRHF-15936
Logging NEW: When more than 2 billion logs are received per day, log indexing stops until midnight.
PRJ-21380,
PMTR-63927
Logging In some scenarios, in Multi-Domain servers with many domains, the Solr process for logs may unexpectedly stop working.
PRJ-19011,
PRHF-13936
Logging In a rare scenario, CPD process may use a random port for AMON communication instead of port 18196.
PRJ-24068,
PMTR-66159
Logging In Smart-1 6000-L and 6000-XL, drill down to a log card from the Logs view does not bring results.
PRJ-20587,
VPNRA-642
Mobile Access Removed potential XSS vulnerability in the MAB Login page.
PRJ-21112,
PRHF-14953
Security Gateway Authentication may fail when LDAP branch name contains "\".
PRJ-18980,
PRHF-13153
Security Gateway In some scenarios, PPTP or GRE traffic may be dropped. Refer to sk170293.
PRJ-19801,
PMTR-60336
Security Gateway Improved the policy enforcement of the ZIP archive inner files.
PRJ-21613,
PRHF-14715
Security Gateway Security Gateway may crash when "Categorize HTTPS Websites" feature is enabled and categorization mode is set to "Hold".
PRJ-20341,
PRHF-14616
Security Gateway In rare scenarios, passive FTP packets may be dropped.
PRJ-21200,
PMTR-63550
Security Gateway The VMCore file may be created during reboot after the upgrade procedure.
PRJ-22082,
PMTR-64650
Internal CA In a rare scenario, "This operation is not supported on STANDBY members" message is displayed and the cpca_client process stops working when trying to renew a certificate on a standby Domain.
PRJ-21727,
PMTR-64420
Content Awareness In a rare scenario, Security Gateway may crash when CPcode is running within Content Awareness or parser flow.
PRJ-20848,
PRHF-14347
Identity Awareness In some scenarios, running pdpd commands results in "daemon did not respond or not running!" error. Refer to sk171136.
PRJ-20349,
PRHF-14266
IPS In rare scenarios, SmartConsole shows the "IPS is not responding" message even though IPS is functioning normally.
PRJ-20839,
PRHF-14744
DLP Improved DLP scanning for POST request to some Web sites.
PRJ-21711,
PMTR-64263,
PRJ-21991,
PMTR-64780
SSL Inspection In rare scenarios, a memory leak may occur in a crypto module.
PRJ-20977,
PRHF-14820
Anti-Malware In rare scenarios, the Threat Prevention policy installation fails due to IOC parsing errors. Refer to sk171316.
PRJ-18958,
PRHF-13881
ClusterXL When MDPS is configured, the output of "cphaprob syncstat" may show unreadable characters for the speed of the sync interface.
PRJ-19665,
PRHF-13929
SecureXL In some scenarios, connections are dropped when SYN Defender and ISN Defender are both enabled on the same interface.
PRJ-20547,
PRHF-14680
SecureXL Security Gateway may crash when there are interfaces that do not need the ARP resolution (VTI).
PRJ-22489 Gaia OS NEW: Added support for Smart-1 6000-L/XL appliances. Refer to sk171903.
PRJ-23358,
PMTR-65962,
PRJ-24397,
PMTR-67460
Gaia OS UPDATE: Upgraded OpenSSL to 1.1.1k to fix CVE-2021-3449 and add the latest security improvements. Refer to sk172983.
PRJ-20733,
PMTR-63201
Gaia OS CVE-2020-25705: ICMP reply rate.
PRJ-21721 Gaia OS The "show configuration" command cannot print Gaia user with spaces in name.
PRJ-21827,
PRHF-12751
Gaia OS In some scenarios, the "rhost" value may be missing from logs when the user tries to access the WebUI.
PRJ-18852,
PRHF-13802
Gaia OS In some scenarios, the "show arp dynamic all" command displays values of VS0 instead of VS.
PRJ-20286,
PRHF-13475
Gaia OS The log level of messages written to the /var/log/messages file when fetching proxy configuration from Clish/WebUI/Gaia API was changed from ERR to INFO.
Example: [DATE TIME] <daemon.err> ... xpand[25958]: proxy_live_get_proc: Started...
PRJ-19975,
PMTR-62104
Gaia OS In some scenarios, bond interface bandwidth monitored via SNMP is missing.
PRJ-17684,
PMTR-60173
Gaia OS When upgrading with enabled Management Data Plane Separation (MDPS), an additional reboot may be required.
PRJ-18941,
PRHF-13812
Gaia OS In some scenarios, the "... fwldbcast_handle_retrans_request: Updated bchosts_mask to 1" message may be printed in /var/log/messages file.
PRJ-21667,
PRHF-15328
Gaia OS In some scenarios, policy installation on a Check Point Gateway in Azure causes the Gateway to crash and load a default policy. Refer to sk171553.
PRJ-21261,
VSX-2520
VSX Allow the addition of routes with specific group of type "Group with Exclusion" when using VSX Provisioning tool.
PRJ-20965,
VSX-2519
VSX After running "vsx_util vsls" and selecting option #6, the operation may fail with the "Internal Error: got empty reply set" error. Refer to sk171352.
PRJ-13302,
PMTR-63247
VPN NEW: Added 3 new views to SmartView for Remote Access, providing visibility for Remote Access users, users login summary, failed login attempts, used clients, top login options, number of users, operating systems, authentication methods and login activity.
PRJ-17616,
PMTR-57245
VPN UPDATE: Added:
  • VPN Remote Access StrongSwan IKEv2 client logs.
  • Key install logs with StrongSwan IKEv2 client improvement to show the correct authentication method.
  • RAsession_util with StrongSwan IKEv2 client improvement.
PRJ-19217,
PRHF-13685
VPN Site to Site VPN fails to establish with IKEv2 on GCP when NAT-t is enabled.
PRJ-21544,
PMTR-64128
VPN Added VPN Remote Access stability improvement.
PRJ-22219,
PRHF-15006
VPN When static NAT is configured on a destination, the SCV may fail to access the internal resources and "No scv status from client..." drops appear in SmartConsole. Refer to sk171550.
PRJ-19905,
PRHF-14090
VPN Mobile Access SNX may fail to connect to the Security Gateway when the realm used by the client is different from the SSL VPN realm.
PRJ-21235,
EPS-30018
Endpoint Security NEW: Added Application Control and Developer Protection support in Endpoint Web Management.
PRJ-21750,
PMTR-60418
Endpoint Security On the SmartEndpoint Reporting page, the "Endpoint Connectivity" report that is filtered by a virtual group returns an empty list. 
PRJ-21915,
PMTR-50113
Endpoint Security In some scenarios, the "Endpoint Security Client Version" report shows "N/A" in DAT Date column for all devices on the SmartEndpoint Reporting page.
PRJ-21106,
PMTR-62363
Endpoint Security Adding devices to virtual group using the epmcommands tool may fail.
PRJ-19313,
PRHF-13909
CloudGuard IaaS When creating a GCP Data Center, Test Connection may fail on large GCP accounts.
PRJ-23944,
PMTR-66384
Maestro VSX "dxl stat" and "dxl calc" commands may fail on non-VS0 context with the "failed to retrieve dxl information" error.
R81 Jumbo HotFix - General Availability Take 23 (25 March 2021, GA from 5 Apr 2021)
PRJ-23912,
PRHF-16377
Security Management Accelerated Policy installation may fail with the "Error Code: 2000232" message if this policy contains changed services. Refer to sk172484.
PRJ-23583,
PMTR-66363
Endpoint Security Endpoint Security Clients may disconnect after installing R81 Jumbo Hotfix on a Management that was upgraded from the previous versions. Refer to sk172485.
R81 Jumbo HotFix - Ongoing Take 17 (01 March 2021)
PRJ-22324,
PMTR-62199
Security Management Accelerated Policy installation may fail when a Custom Application is used in Access Control policy, URL Filtering blade is enabled and Application Control blade is disabled on the selected gateway.
PRJ-22277,
PMTR-65110
Multi-Domain Management In some scenarios, updating a Domain Server may fail with the "<IP> already in use" message. Refer to sk171916.
PRJ-20150,
PRHF-14537
VSX In rare scenarios, some interfaces remain in "Down" state after reboot. Refer to sk171753.
R81 Jumbo HotFix - Ongoing Take 13 (08 February 2021)
PRJ-19946,
PMTR-62429
Security Management NEW: Added new Management HA utility to schedule automatic full syncs to peers that failed to be synchronized incrementally.
PRJ-18434,
PMTR-60665
Security Management NEW: The upgrade process is monitored dynamically and will be stopped if it cannot be completed, rather than relying on a timeout.
PRJ-19545,
ODU-73
Security Management NEW: Added Update 6 of Infinity Threat Prevention Management (ITPM). Refer to sk167109.
PRJ-20165,
ODU-76
Security Management NEW: Added Update 7 of Infinity Threat Prevention Management (ITPM). Refer to sk167109.
PRJ-19972,
PRJ-13465
Security Management UPDATE: If a Management HA synchronization stalls (displaying "Peer is busy"), it will be released within 2 hours instead of 24 hours.
PRJ-20032,
PMTR-61770
Security Management UPDATE: When purging revisions, task notifications will also be purged if created before the last revision to purge was published.
PRJ-20001,
PRHF-14293
Security Management UPDATE: Added improvements in the policy load process to reduce the policy installation time when there is a large number of objects.
PRJ-22105,
PRJ-21382
Security Management In some scenarios, the installation of Jumbo Hotfix Take 11 on the Management Server may take up to several hours.
PRJ-18253,
PRHF-12594
Security Management When logging into SmartConsole directly to a Domain using Radius or TACACS, the Authentication method in the audit log may show as "Internal Password". Refer to sk168716.
PRJ-17693,
PRHF-13332
Security Management In some scenarios, HA temporary sub-directories under $FWDIR/tmp are not deleted if sync fails. Refer to sk170972.
PRJ-18289,
PMTR-61010
Security Management In rare scenarios, the CPU and memory usage of CPM process may be abnormally high. Refer to sk170672.
PRJ-18266,
PRHF-13607
Security Management 'Revert to Revision' tasks cannot be cleared from tasks pane in SmartConsole.
PRJ-19105,
PMTR-61908
Security Management In some scenarios, Management HA change-over to Security Management Server Backup fails with the "Failed to communicate with the peer" message.
PRJ-20564,
PMTR-62785
Security Management In some scenarios, policy installation on LSM Gaia cluster profile fails with "Policy installation had failed due to an internal error" message.
PRJ-17563,
PRHF-12885
Security Management In some scenarios, reassigning a Global Policy may fail if the Global and local domains are not active on the same Multi-Domain Server.
PRJ-17729,
PRHF-13278
Security Management Upgrade may fail if a Data Center object was last modified by an Administrator with a single quote in the name.
PRJ-19274,
PRHF-14074
Security Management Policy installation duration may increase due to a large $FWDIR/conf/invalid_object_names.C file on the Management server. Refer to sk170427.
PRJ-18476,
PRHF-13644
Security Management In some scenarios, the first environment variable configured using sk165938 is not loaded and not used by the CPM process.
PRJ-19571,
PMTR-60842
Security Management In rare scenarios, on a Multi-Domain Server where Domains are using a Security Management Server configured for High Availability, initial configuration of the Security Management Server may fail with "Failed to reach peer after restart" error.
PRJ-20135,
PMTR-60541
Security Management In a rare scenario, the FWM process stops working.
PRJ-19950,
PRHF-14394
Security Management The Management HA window in SmartConsole may mistakenly show the "Peer is busy" warning message for a few seconds.
PRJ-19589,
PRHF-12851
Multi-Domain Management UPDATE: With this fix, mds_backup will back up the Upgrade Tools package(s) and mds_restore will restore them on a Multi-Domain Server.
PRJ-19648,
PMTR-62201
Multi-Domain Management In rare scenarios, a Domain is shown in the Domains view without any Domain Server or a Domain is shown with Domain Server that was deleted and does not exist anymore. Refer to sk170556.
PRJ-19278,
PRHF-13977
Multi-Domain Management In rare scenarios, Management server becomes inaccessible after Global Policy reassign operation.
PRJ-18994,
PRHF-13874
Multi-Domain Management The "cplic db_print -all -x" command fails when running on the MDS level.
PRJ-20647,
PMTR-63143
SmartConsole NEW: Added the option to print or save (as a file) the Changes Report.
PRJ-19321,
PMTR-61346
SmartConsole NEW: Added support for Python 3 in Management API scripts.
PRJ-20248,
PMTR-62490
SmartConsole UPDATE: A pop-up warning will be displayed every time a "Custom Application" object with a performance impacting URL is edited (instead of being displayed only once).
PRJ-18466,
PRHF-13551
SmartConsole In some scenarios, Staging mode IPS protections activation in the Local domain does not match the activation in the Global domain after a Global Threat Prevention policy assignment. Refer to sk170322.
PRJ-18338,
PRHF-12226
SmartConsole When using the "set simple-cluster" Management API command to update a user defined security zone, the "Specify security zone" checkbox in SmartConsole is not selected.
PRJ-19323,
PMTR-60220
SmartConsole In some scenarios, the api.csv file may show extra empty columns.
PRJ-19203,
PRHF-13955
SmartConsole In some scenarios, when using the "set simple-gateway" API command with "logs-settings.forward-logs-to-log-server", it fails with "Generic server error". Refer to sk170352.
PRJ-19535,
PMTR-62078
SmartConsole In some scenarios, when adding a new user certificate of type .p12 via API command, the returned certificate may be incorrect.
PRJ-18960,
PMTR-61418
SmartConsole In a VPN Community with MEP configuration, the OK operation may fail with the "Update operation failed" message.
PRJ-20787,
PRHF-13556
SmartConsole When the user creates an Access Role, the AD organization tree may show duplicate branches, and some branches may be missing.
PRJ-20381,
PMTR-62935
SmartConsole Adding Global dynamic objects to source or destination columns of access rules on the Global Domain via Management API may fail when using the Global dynamic object names.
PRJ-20911,
PMTR-63302
SmartConsole In some scenarios, deleting a policy fails.
PRJ-18550,
PMTR-61235
SmartConsole In a community with Cluster VSX member, the Granular encryption window may not open and show "Unable to load page".
PRJ-18309,
PRJ-18307
SmartProvisioning NEW: Added support for Threat Emulation blade on LSM profile of R81 SMB gateways and clusters.
  • Requires R81 SmartConsole Build 548 (or higher).
PRJ-18000,
SL-2106
Logging NEW:
  1. Log Exporter can now schedule a recurring reconnection to the target 3rd party server periodically. This allows usage of a Load Balancer component for target servers.
  2. The target 3rd party server can be declared as a DNS name also when using UDP protocol.
PRJ-19451 Logging UPDATE: Log Exporter read mode default was changed to Semi-unified instead of Raw mode.
PRJ-18099,
PRHF-7415
Logging In rare scenarios, a log may display incorrect values in the Action and Rule field. Refer to sk170676.
PRJ-21078 Logging In rare scenarios, the FWD process on the Security gateway may be blocked for several seconds due to processing of log attachments.
PRJ-18405,
PMTR-59205
Logging FWM and/or INDEXER processes may repeatedly stop when there are more than ~500K network objects declared. Refer to sk164452.
PRJ-19819,
SL-4358
Logging In rare scenarios, the log_indexer process may stop working when reading a specific log format. Refer to sk116117.
PRJ-19846,
PMTR-62010
SmartView UPDATE: Improved the usability of the time resolutions (formerly known as samples) of the Timeline widgets.
PRJ-20875,
PMTR-62957
SmartView UPDATE: To improve performance, SmartView now exports data in CSV format instead of Excel.
PRJ-20795,
PRHF-13973
Security Gateway UPDATE: Service with source port in the Access rulebase will no longer disable accept templates for all connections.
PRJ-19066,
PRJ-18831,
PRJ-20716,
PRJ-20057,
PRJ-20738,
PRJ-20058
Security Gateway In rare scenarios, Security Gateway memory consumption may increase.
PRJ-18982,
PMTR-61179
Security Gateway In rare scenarios, Security Gateway may crash with USFW fwk core file.
PRJ-19802,
PMTR-62080
Security Gateway Connectivity issues may appear due to missing proxy ARP entries on the Security Gateway.
PRJ-19813,
PMTR-62012
Security Gateway In some scenarios, duplicate verification message is displayed when installing NAT policy on Security Gateways R80.40 and lower.
PRJ-20362,
PMTR-62876
Security Gateway In some scenarios, DHCP traffic may be dropped after installing an accelerated policy.
PRJ-19705,
PMTR-62215
Security Gateway In rare scenarios, a memory leak may occur in TOPOD process.
PRJ-20386,
PRHF-13431
Security Gateway In a rare scenario, Access Control policy installation may fail after upgrade of Security Gateway from R80.10 or below to R80.20 or higher.
PRJ-20633,
PRHF-14378
Security Gateway In rare scenarios, high memory consumption in CPD may occur due to a memory leak in authentication flow with an LDAP server.
PRJ-19586,
PMTR-61102
Security Gateway In some scenarios, "email_unified_cmi_get_attribs: not valid caller: up_log_get_user_hash" error appears in dmesg for SMTP traffic.
PRJ-20516,
PRHF-14630
Security Gateway In some scenarios, when using routing separation, connection to Management Plane via Data Plane is dropped.
PRJ-19852,
PRHF-14268
Security Gateway In some scenarios, a memory leak may occur after sending a packet from the kernel.
PRJ-20937,
PMTR-62420
Security Gateway In a rare scenario, policy installation may fail on timeout and "fw amw fetch" process is still running on the Security gateway.
PRJ-18488,
PMTR-61165
Security Gateway In some scenarios, repeating "fwx_alloc_global_find_free_port_atomic: rtsp pending port doesn't match the same pool" errors are displayed in dmesg when using Hide NAT with VoIP.
PRJ-20656,
PMTR-63092
Security Gateway Accept logs with reason "Connection terminated before detection: Insufficient data passed. To learn more see sk113479." may be wrongly generated when the matched action is user authentication and the user provides a wrong username/password.
PRJ-20901,
PRHF-14824
Security Gateway In some scenarios, the DNS requests from the Security gateway may fail.
PRJ-18631,
PRHF-11912
Security Gateway Wrong memory (hmem) values may be reported by specific SNMP OID. Refer to sk168992.
PRJ-19958,
PMTR-62477
Security Gateway Half-closed accelerated TCP connections may take too long to expire.
PRJ-19942,
PMTR-61708
Security Gateway In some scenarios, policy installation fails with "Error code 1-2000245".
PRJ-18316,
PRHF-12224
Security Gateway In rare scenarios, a memory leak may occur on Security Gateway in gconn table.
PRJ-19162,
TEX-1482
Threat Extraction UPDATE: Threat Extraction will no longer attempt to perform "Convert to PDF" if the file is corrupted, because the resulting files in these cases are usually unreadable.
To reactivate this behavior, set the "enable_alternative_scrub_method" variable in $FWDIR/conf/scrub_debug.conf file to 1 and install the Security policy.
PRJ-19194,
TEX-1906
Threat Extraction UPDATE: Threat Extraction (Sanitization) will be automatically disabled when Infinity Threat Prevention mode is installed while the machine does not have enough resources (RAM).
PRJ-18248,
PRJ-18124
Identity Awareness NEW: Added Identity Sharing's performance and functionality improvements. Refer to sk170516.
PRJ-19640,
PMTR-61982
Identity Awareness In some scenarios, when a standby cluster member receives RADIUS accounting updates, there may be high CPU on the PDP process.
PRJ-20863,
IDA-3642
Identity Awareness In some scenarios, there may be enforcement issues for MUHv2 users due to table mismatch.
PRJ-18181,
MBS-12220
URL Filtering In some scenarios, the wstlsd process may stop working and produce a core dump.
PRJ-19042,
PRHF-13886
UserCheck In some scenarios, users cannot restore original attachment via UserCheck portal and receive the "An unexpected error has occurred" error message.
PRJ-20927,
PRHF-11733
IPS NEW: Added ability to send connection log per application match for ATM transactions identification. The functionality is disabled by default and can be enabled by using the "up_duplicate_connection_log_on_packet_matched_app_enabled" kernel parameter.
PRJ-19198,
PRHF-10943
IPS In some scenarios, non-compliant IMAP traffic is dropped.
PRJ-19301,
PRHF-13560
IPS In some scenarios, log output shows the Origin/Source as "0.0.0.0" in VSX 3rd party IPS logs.
PRJ-19601,
PRHF-14259
DLP UPDATE: Improved the DLP scans queue for a better scan rate.
PRJ-19923,
PRHF-14156
DLP UPDATE: Expanded DLP postfix authentication to include NTLM to allow the Security Gateway to connect to mail servers that use the NTLM authentication protocol.
PRJ-20097,
PMTR-59101
DLP UPDATE: Added support for multi-part data to DLP.
PRJ-20935,
PRHF-14978
SSL Inspection The AES-NI (Intel® Advanced Encryption Standard New Instructions) status is not displayed and "dmesg | grep AES-NI" returns no output. Refer to sk170779.
PRJ-19435,
PRHF-13987
SSL Inspection In rare scenarios, the DynamicID Certificate validation may fail.
PRJ-18843,
PRHF-13322
SSL Inspection In rare scenarios, a memory leak may occur during policy installation.
PRJ-21629,
PMTR-64293
SSL Inspection When IPv6 is enabled, the wstlsd process may consume high CPU after booting in kernel mode, causing HTTPS connections to fail for a few minutes until the CPU returns to normal.
PRJ-17875,
PRHF-10279
HTTPS Inspection UPDATE: "Categorize HTTPS websites" feature enhancements when "Categorize HTTPS Sites" feature is enabled:
  • Improved enforcement of first connection when URL Filtering setting is 'Hold' mode
  • Added SNI information to connection logs when connection is matched on rule with "Extended Log"
  • Hold mode granularity
PRJ-19196 Threat Prevention NEW: Improved the way Threat Prevention distinguishes between .docx, .pptx, .xlsx and .zip files.
PRJ-18119,
PRHF-12737
Anti-Malware Indicator feeds exported with the ioc_feeds export command may contain user credentials. Refer to sk169035.
PRJ-19591,
PRJ-16924
Anti-Malware In rare scenarios, after downloading files, Anti-Virus prevent logs appear with "Strict hold is not possible failure - Write to other side occurred" error message.
PRJ-17439,
PMTR-62284
Anti-Malware In some scenarios, users may fail to access a web site with many malicious URLs.
PRJ-20924,
PRHF-13478
Anti-Malware In a rare scenario, Security gateway may crash when the Threat Prevention Forensics feature is enabled.
PRJ-18198,
PRHF-8315
Anti-Malware In some scenarios, multiple files called "ckp_mutex" are created on the Security Gateway.
PRJ-19745,
PRHF-13998
Anti-Bot Dynamic Global Network Object usage inside a Network Group object may cause an Access Policy installation failure.
PRJ-19205,
PRHF-13935
ClusterXL UPDATE: Added the option to display only monitored interfaces to "show cluster members <option>" command. The new command is "show cluster members monitored".
PRJ-19926,
PMTR-58748
ClusterXL In rare scenarios, running cphastop;cphastart may cause a cluster member to stay in "Down" state.
PRJ-19393,
PRHF-14115
ClusterXL "set router active-active-mode" settings do not survive a reboot.
PRJ-20536,
PRHF-14728
ClusterXL In some scenarios, data connections are dropped with "First packet isn't SYN" message on ClusterXL Load Sharing.
PRJ-16568,
MBS-11708
SecureXL NEW: Added the ability to enable monitor-only mode for penalty box independently of other DOS/Rate limiting features.
PRJ-18324,
PRHF-13474
SecureXL UPDATE: Drop templates can be generated for connections with matched action Reject. For additional information and configuration, refer to sk171146.
PRJ-20056,
PRHF-14417
SecureXL In rare scenarios, SecureXL may crash due to NULL handling.
PRJ-18088,
PRHF-13507
SecureXL SNMP may show wrong values for the number of bytes and packets accepted by Security gateway. Refer to sk170132.
PRJ-20028,
PRHF-14228
SecureXL Server may not reuse the TCP connection when the user allows out of state TCP packets.
PRJ-20051,
PRHF-14165
SecureXL Memory leak may occur in VPN or Active Streaming configuration.
PRJ-19407,
PMTR-60870
SecureXL In some scenarios, Rate Limiting rules for DoS do not work after reboot. Refer to sk170148.
PRJ-20105,
MBS-11960
Routing NEW: Added support for ISP Redundancy on Scalable Platforms Appliances.
PRJ-19536,
PMTR-62075
Routing On Scalable Platforms, SSH via MAB may disconnect.
PRJ-19630,
PRHF-14280
Routing ip-reachability-detection ping marks a target IP address as "unreachable" if the path goes via a VPN tunnel, although pinging this IP address directly works.
PRJ-20445,
ROUT-1325
Routing The old route may not be removed when a BGP ECMP route is changed.
PRJ-20243,
PRHF-14562
Routing In rare scenarios, confd or routed process may restart.
PRJ-19464,
PMTR-60878
Routing Routed logs may incorrectly state that routemaps that export to OSPF cannot set the OSPF manual tag, even though the functionality works.
PRJ-18281,
PMTR-58528
Routing Certain types of multicast traffic may not be handled correctly in Bridge mode.
PRJ-18665,
PRJ-18664
Routing PBR does not work with VTI/VPN.
- Gaia OS NEW: Added support for 1570R and 1600 / 1800 SMB appliances.
PRJ-19532,
PRJ-19531
Gaia OS NEW: Gaia API (version 1.5) will now be deployed via Jumbo Hotfix.
PRJ-20501,
PMTR-62883
Gaia OS UPDATE: OpenSSL was updated to version 1.1.1i to include the latest code fixes and security improvements.
PRJ-20472,
PRHF-14653
Gaia OS UPDATE: On Scalable Platforms, added ability to force a Security Gateway to access Management/Log-Server via the NATed IP address for fetching policy or sending logs, by running this command on the Security Gateway: ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 FORCE_NATTED_IP -n 1
PRJ-18303,
PRHF-13428
Gaia OS UPDATE: Added clusterXLFailover to the database to have the ability to set SNMP traps to monitor cluster failovers.
PRJ-19518,
PRA-1520
Gaia OS The syslog messages may be spammed when the "show asset all" command is running.
PRJ-17720,
PRHF-13075
Gaia OS In some scenarios, when one of the sessions of RADIUS users terminates, another session may lose permission.
PRJ-20944,
PMTR-63343
Gaia OS Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253.
PRJ-18721,
PMTR-60804
Gaia OS Bond interface in XOR mode or 802.3AD (LACP) mode may experience suboptimal performance, if on the Bond interface the Transmit Hash Policy is configured to "Layer 3+4" and Multi-Queue is enabled.
PRJ-18773,
PMTR-61381
VPN NEW: Added Remote Access VPN performance improvement.
PRJ-19717,
PMTR-60976,
VPNS2S-1335
VPN NEW: Added VPN command line mechanism stability enhancement and VPN improvements in IKEv2.
VPNS2S-1482 VPN NEW: Added new display of vpn tu tlist command for DAIP gateway.
PRJ-19248,
PMTR-62158
VPN NEW: Added CPDIAG (on/off) for IKE negotiations per community feature.
PRJ-21123,
PRHF-10420
VPN Access roles do not recognize Remote Access SNX CLI clients.
PRJ-19672,
PMTR-61913
VPN In some scenarios, Remote Access Endpoint client disconnects after roaming from Visitor Mode to NAT-T.
PRJ-20869,
PMTR-56565
VPN In some scenarios, the VPND process keeps re-downloading the same CRL, which can cause performance issues.
PRJ-20523,
PRHF-14766
VPN In a rare scenario, the FWM process stops working when enrolling a certificate using the SCEP protocol.
PRJ-20276,
PRHF-14308
VPN In a rare scenario, a memory leak may occur when RASession_util is active.
PRJ-20949,
PMTR-63287
VPN In some scenarios, L2TP clients disconnect from the Security gateway after 10 minutes of the connection.
PRJ-20640,
PMTR-63280
VPN In some scenarios, the VPND process may stop working.
PRJ-19425,
PRHF-13784
VPN In some scenarios, the vpnd process stops working with Segmentation fault.
PRJ-20334,
PMTR-62776
VPN Security gateway may crash when you install policy on a MAB gateway and a policy file is corrupted.
PRJ-20082,
PRHF-12828
VPN Connectivity issue may appear between Check Point Gateway and 3rd party device in MEP DPD configuration when 3rd party device is defined as Central Gateway in MEP. Relevant error message: "Failed to resolve VPN MEP gateway".
PRJ-18504,
PMTR-60820
VSX UPDATE: Added support for VSX SecureXL tabs on CPView. Refer to sk167903.
PRJ-20567 VSX IPv6 traffic and multicast IPv4 may not work with Virtual Switch (VSW).
PRJ-20123,
PMTR-62387
VSX In VSX environment, Generic Data Center objects are not enforced on the VSX members.
PRJ-20284,
PRHF-14543
VSX In some scenarios, SNMP v3 users are not recognized on VSX when SNMP is in VS mode. The "Unknown user name" error message is displayed. Refer to sk170993.
PRJ-20597,
PRHF-14400
VoIP VoIP’s RTP can cause overload on global instance (CoreXL instance 0).
PRJ-18979,
PRHF-12691
VoIP SIP parser may cause the wrong RTP dynamic connection to be opened. Refer to sk169373.
PRJ-18971,
PRJ-17805
IoT NEW: Added IoT support to Multi-Domain Security Management.
  • Requires R81 SmartConsole Build 549 (or higher).
PRJ-20905,
PMTR-59281
Endpoint Security NEW: Added support for new Push Operations - Host Isolation and Host Release from isolation.
PRJ-20990,
PMTR-61783
Endpoint Security NEW: Added support for new Push Operation - Remote Uninstall for Endpoint Client.
PRJ-20394 Endpoint Security UPDATE: Updated Endpoint Web Docker Image.
PRJ-19400,
PRHF-14139
Endpoint Security Attempt to move members from one group to another using Endpoint Server command line operations fails.
PRJ-20778,
PMTR-63041
Endpoint Security The "Sent to Client On" column is empty in SmartEndpoint > Reporting > Push Operations even if the push operation was completed successfully.
PRJ-19772 Endpoint Security Database size may increase exponentially because dynamic packages are packed into exported .tgz using migrate_export. 
PRJ-20639,
MBS-10278
Scalable Platforms NEW: Added full support for Gaia Backup.
PRJ-20895,
MBS-12714
Scalable Platforms On Maestro / Scalable Platforms, users may disconnect after several attempts due to bad forwarding in TCPT flow.
PRJ-20749,
MBS-12642
Maestro Gaia scheduled backup fails to run and the /var/log/messages file contains the error "scheduled_backup: SGM isn't SMO, skipping scheduled backup". Refer to sk170925.
PRJ-20140,
PMTR-62718
Maestro "Packet Capture was not found" error when clicking the "View Packet Capture" link in the IPS log.
R81 Jumbo HotFix - Ongoing Take 11 (26 January 2021)
PRJ-21382,
PMTR-62199
Security Management Accelerated Policy installation may fail when a Custom Application is used in Access Control policy, URL Filtering blade is enabled and Application Control blade is disabled on the selected gateway.
PRJ-18511,
PMTR-61232
SmartConsole In a rare scenario, automatic NAT rules are not visible in SmartConsole. This may cause policy installation failure. Refer to sk171395.
R81 Jumbo HotFix - Ongoing Take 10 (14 December 2020)
PRJ-18770,
PRHF-13728
Security Management NEW: Improved FWM process performance during policy or database installation.
PRJ-19096,
PMTR-61758
Security Management Fetch policy on Security gateway may fail after installing Accelerated policy on it.
PRJ-19137,
PMTR-61781
Security Management In some scenarios, policy installation may fail with verification errors when the installation is accelerated.
PRJ-18392,
PMTR-60541
Security Management In a rare scenario, the FWM process stops working. 
PRJ-19085,
PRHF-13972
Security Management In some scenarios, HA synchronization may fill up the disk space of a standby Management Server. Refer to sk168492.
PRJ-18493,
PRHF-13681
Security Management In rare scenarios, a policy installation task may never complete.
PRJ-18955,
PRHF-13948
Security Management Policy verification may fail with error "For security gateways R80.40 and higher, rules that use Access Roles can only have ‘Any Traffic’ or ‘RemoteAccess’ in the VPN column"
PRJ-18818,
PRHF-13819
Security Management Management HA synchronization between Multi-Domain Management Servers may fail with "Failed to import data" error due to manual or automatic updates of contracts.
PRJ-18945,
PMTR-61616
Security Management In rare scenarios, FWM process may stop working after a login attempt to the Management server.
PRJ-18908,
PMTR-61579
Multi-Domain Management In some scenarios, size of MDS backup file increases after each policy installation.
PRJ-19072 SmartConsole NEW: Added ability to view policies, objects and logs from the new Web SmartConsole. Refer to sk170314.
PRJ-16059,
PRHF-12395
SmartConsole In some scenarios, certain Gateways do not appear in the IPS Core protections list. Refer to sk168474.
PRJ-18350,
PRHF-13223
SmartConsole When removing an object from a group using the “groups” field of the object’s module in the Ansible collection, the group will not be changed and Ansible will show that no changes are needed.
PRJ-20142,
PMTR-60372
SmartConsole Duplicate central licenses may be added to the management database. In some rare scenarios, this may lead to heavy load on the FWM process and prevent login.
PRJ-18554,
PMTR-60476
SmartConsole After enabling the Endpoint Policy Management blade on the Security Management Server, some views on SmartConsole may not load properly and SmartClient may disconnect.
PRJ-16978,
PRHF-12928
SmartConsole In some scenarios, some Web APIs fail with "Script stopped running due to severe error!" message when SMB gateway is defined as a policy target. Refer to sk169557.
PRJ-17644,
PRHF-13379
SmartConsole When creating a user with Check Point password authentication through the Management API, log in to Mobile Access portal may fail. Refer to sk170412.
PRJ-15815,
PRHF-12352
SmartConsole In some scenarios, Management API does not start automatically after restart, although automatic start is enabled. Refer to sk168332.
PRJ-18383,
PRHF-13609
SmartConsole In some scenarios, running an action on a ROBO Gateway behind NAT does not work during sync on SMB appliances.
PRJ-18366,
PRHF-12819
SmartConsole Enabling Threat Prevention policy may fail with validation errors when the policy's targets include cluster members running a version lower than R80.10.
PRJ-17483,
PRHF-12997
SmartProvisioning In some scenarios, when recreating a ROBO object with the same name, the new object receives the previous status.
PRJ-18953,
PRJ-18833
Security Gateway In rare scenarios, Security Gateway memory consumption may increase.
PRJ-18931,
PMTR-61541
Security Gateway NAT may not work properly when domain objects are used in the Translated Destination column.
PRJ-19177,
PMTR-61822
Security Gateway Connections may be wrongly matched on Domain or Updatable objects used in Security policy.
PRJ-19004,
PRHF-13892
Security Gateway In some scenarios, when using routing separation, connection from data plane to management plane is dropped.
PRJ-18685,
PMTR-56181
Security Gateway In some scenarios, compilation errors during policy installation are ignored instead of immediately failing the policy. This may cause drops on the Security Gateway.
PRJ-17806,
PRHF-12119
Anti-Malware In a rare scenario, Security gateway may crash after a match of the Anti-Bot blade.
PRJ-19107,
IDA-3240
Identity Awareness NEW: Performance optimization for Identity broker.
PRJ-18443,
PMTR-59795
DLP In a rare scenario, "SEC Filings - Draft or Recent" Data Type in DLP is not properly enforced.
PRJ-18826,
PRHF-13605
HTTPS Inspection The user may not be able to browse with Chrome when using mixed chain with ECDSA subordinate CA in HTTPS Inspection. Refer to sk170332.
PRJ-17828,
PRHF-13029
SecureXL In some scenarios, CPView may show incorrect statistics for VPN encrypted/decrypted packets.
PRJ-18027,
PRHF-13480
Routing SNMP queries for bgpPeerFsmEstablishedTime return an incorrect constant value. Refer to sk170074.
PRJ-18530 Gaia OS NEW: Added Jumbo Hotfix for Scalable Platforms support. Refer to sk169954.
This Jumbo Hotfix Take is mandatory for Scalable Platform installation. 
PRJ-19156,
PMTR-61729
Gaia OS NEW: Allow Amazon Web Services (AWS) to modify partitioning via lvm_manager.
PRJ-18242,
PRHF-13451
Gaia OS "cphaprob -h" shows wrong explanation for "cphaprob show_bond [<bond_name>]" command.
PRJ-19331,
PRHF-14073
Gaia OS In some scenarios, login from data plane context fails (no connectivity to server).
PRJ-19150,
PMTR-57495
Gaia OS "Docker0" bridge interface with assigned IP address from class B private pool may appear in the system, causing routing issues.
PRJ-19051,
PRHF-13949
Gaia OS In some scenarios, when using routing separation, modifying interface IP address fails.
PRJ-18068,
PMTR-59437
VPN NEW: Added Remote Access VPN performance improvements.
PRJ-19165 VPN UPDATE: Added support for fetching CRL through proxy in Site to Site VPN configuration.
PRJ-18535,
PMTR-61276
VPN In rare scenarios, when a Wire-Mode is configured on a community, it may cause a Security gateway from another community not to accelerate connections in SecureXL.
PRJ-18167,
CRYPTOIS-661
VPN In some scenarios, Security Gateway Portals and Remote Access VPN clients show wrong certificate after certificate renewal. Refer to sk131212.
PRJ-18733,
PMTR-61360
VPN In some scenarios, userspace cores may appear on Security gateways with enabled AES-GCM-256 and AES-256 VPN encryption. Refer to sk169417.
PRJ-18313,
PMTR-60933
VPN "Decryption failed" drop logs may appear under heavy VPN load for accelerated tunnels using SHA 384 or SHA 512 Ciphers.

 

Installation instructions

Procedure:

  • Instructions for installation in Gaia Portal - using CPUSE (Check Point Update Service Engine)

    • Offline installation

      Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").

      1. Install the latest build of CPUSE Agent from sk92449.
      2. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
      3. In the upper right corner, click on the Import Package button.
      4. In the Import Package window, click on Browse... - select the CPUSE package (either offline TGZ file, or exported TAR file) - click on Import.
      5. Above the list of all software packages, click on the Showing Recommended packages button - select All.
      6. Select the imported package Check Point R81 Jumbo hotfix T<number> for sk170114 - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
      7. Select this package and click on Install Update button on the toolbar.


  • Instructions for installation in Gaia Clish - using CPUSE (Check Point Update Service Engine)

    For detailed installation instructions, refer to CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".

    • Offline installation

      Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").

      1. Install the latest build of CPUSE Agent from sk92449.
      2. Connect to command line on target Gaia OS.
      3. Log in to Clish.
      4. Acquire the lock over Gaia configuration database:
        HostName:0> lock database override
      5. Import the package from the hard disk:
        HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
      6. Show the imported packages:
        Note: Refer to the top section "Hotfixes" - refer to "Check Point R81 Jumbo hotfix T<number> for sk170114"
        HostName:0> show installer packages imported
      7. Verify that this R81 Jumbo Hotfix Accumulator package can be installed without conflicts:
        HostName:0> installer verify <Package_Number>
      8. Install the imported package:
        HostName:0> installer install <Package_Number>

 

Uninstall instructions

Important Note: This Jumbo Hotfix Accumulator removes all its packages during uninstall.

    Procedure:

     

     

    List of upcoming resolved issues

    The below issues are planned to be addressed in our future Jumbo Hotfix Takes. The list is not final and may be changed.

    ID Product Description
    PRJ-23923,
    PMTR-64482
    Security Management SmartConsole Extensions fail to load with "Error: unable to retrieve read-only session" if login with SmartConsole is performed with an IP address that is not defined as the primary IP of the Management Server.
    PRJ-23774,
    PMTR-66072
    Security Management "Query failed" error is displayed in Security Gateway Device & License Information view in SmartConsole when canceling the "Export to PDF/CSV" operation.  
    PRJ-23544,
    PMTR-66182
    Security Management In some scenarios, HA sync in a Multi-Domain environment may fail with the "Failed to import data" error message after the user creates new Permission Roles.
    PRJ-22442,
    PRHF-15754
    Security Management Upgrade or migration from R80.10 and lower to R80.20 and higher may fail with "Scheme adjustment had failed" error in logs. Refer to sk172003.
    PRJ-24021,
    PMTR-66953
    Security Management In some scenarios, after upgrade of Multi-Domain environment that has active Domains on multiple Multi-Domain servers, some objects may not be visible in the System Domain.
    PRJ-22132,
    PMTR-61861
    Security Management In a rare scenario, Management HA synchronization fails after the Purge Revisions operation.
    PRJ-20811,
    PMTR-62949
    Security Management On Security Management with connected Endpoint Security Server, the SICTUNNEL process may stop working and start again every few minutes with a core file ~4 GB in size.
    PRJ-22124,
    PMTR-61785
    Security Management Running override_server_setting.sh may not update settings correctly when updating a setting multiple times.
    PRJ-21705,
    PRHF-12911
    Security Management In some scenarios, Apache does not start and shows a "No space left on device" message if the user runs "cprestart" frequently.
    PRJ-22212,
    PMTR-61168
    Security Management In rare scenarios, concurrent update operations performed by several administrators on the Management Server may fail.
    PRJ-22633,
    PMTR-62650
    Multi-Domain Management UPDATE: Improved the Domain Management Server and Domain Log Server creation and deletion operations.
    PRJ-23160,
    PMTR-64136
    Multi-Domain Management UPDATE: Added stabilization improvement for Assign and Reassign Global Policy operations.
    PRJ-22523,
    PMTR-65290
    Multi-Domain Management In some scenarios, Reassign Global Domain for a Domain that is active on another Multi-Domain Server may fail with "An internal error has occurred" message. Refer to sk172704.
    PRJ-22139,
    PMTR-64481
    Multi-Domain Management A Multi-Domain Server with dozens of Domains may take a long time to start.
    PRJ-22524,
    PMTR-61526
    SmartConsole "The object specified in 'Always send alerts to' field, has no active 'Logging & Status' blade" error may be displayed after running the "add-simple-gateway" command in Management HA environments where one of the Security Management servers has the "Logging & Status" blade disabled. Refer to sk172226.
    PRJ-22974,
    PRHF-11884
    Compliance Deactivated Compliance Best Practices appear in the Compliance report.
    PRJ-21180,
    PMTR-61750
    Logging NEW: Resource pools for log queries and report generation have been separated to ensure query responsiveness while multiple reports are generated. 
    PRJ-18560,
    PRHF-13614
    Logging In the "Logs" view in SmartConsole, when the query filter contains "time:yesterday" as a literal, the query fails with a "Query resolution failed" error. The pre-defined time filter "Yesterday" shows results from today. Refer to sk170999.
    PRJ-23205,
    PMTR-65244
    Logging In rare scenarios, when creating a Log server object and establishing SIC, log queries from the newly created Log server object may fail.
    PRJ-23068,
    PMTR-62454
    Logging When viewing an Access log card that was matched on both a Network layer (firewall) rule and an Application layer rule, and both actions are "Accept", the application layer rule will be presented in the card instead of the network layer rule.
    PRJ-23416,
    PMTR-60082
    Logging In SmartView's "Cyber Attack View - Endpoint", the widgets Active/Dormant Attacks and Cleaned/Blocked Attacks show clean hosts as infected (false positive results).
    PRJ-20621,
    PRHF-14608
    Logging In SmartView, when filtering with specific time filters, the result may include more logs than was requested.
    PRJ-22186,
    PMTR-58496
    Logging In SmartView, when the user exports multiple PDF/CSV/Templates of the same view/report at the exact same time, the second export to complete may overwrite the first one.
    PRJ-22250,
    PMTR-65133
    Logging In some scenarios, in the "Views and Reports" of SmartView, it is not possible to use the field "Roles".
    PRJ-23010,
    PRHF-15886
    Logging In rare scenarios, when the user exports logs to Excel using SmartView web, the action fails when the exported logs contain special characters, like emojis.
    PRJ-21903,
    PMTR-64675
    Security Gateway NEW: Added new troubleshooting tool to cplic command for Entitlement manager.
    PRJ-19592,
    PRHF-9582
    Security Gateway NEW: Added support for authentication with a RADIUS server that expects to receive an empty password on the first message. VPN client will receive 2 dialogs instead of 3.
    PRJ-20961,
    PMTR-61684
    Security Gateway NEW: In a Management Data Plane Separation (MDPS) environment, each plane has its own configuration. Run these commands in each plane:
    • save configuration <Name of Script>
    • load configuration <Name of Script>
    PRJ-21473,
    PRHF-14963
    Security Gateway When the Security Gateway is configured as a proxy, some network objects may not be matched correctly.
    PRJ-21056,
    PRHF-15024
    Security Gateway In a rare scenario, Fast Accel logs are sent although they are disabled on the matched rule. Refer to sk171336.
    PRJ-21012,
    PRHF-15031
    Security Gateway In a rare scenario, Security gateway may crash when using non-FQDN domains in Access policy.
    PRJ-23393,
    PRHF-15802
    Security Gateway Added support for “Other” services configured with IP protocol, but without advanced “Match” expression.
    PRJ-21837,
    PMTR-63900
    Security Gateway "up_fw_module_load_commit: failed to load" error may be displayed in dmesg during cpstart or policy installation.
    PRJ-24300,
    PMTR-67184
    Security Gateway In a rare scenario, the FWK process stops working on the Security Gateway.
    PRJ-24275,
    PMTR-63867
    Security Gateway Allow automatic configuration of Identity Awareness nested group state 4 for Security Gateways with a previously installed fix for IDA-754.
    PRJ-22874,
    PRHF-15786
    Security Gateway In some scenarios, policy installation fails with "Error code 0-2000077" message.
    PRJ-22456,
    PMTR-64448
    Security Gateway In a rare scenario, the Security gateway may crash with fwk and fwk_wd core dump files.
    PRJ-23102,
    PRHF-13417
    Security Gateway The connection may not exist in the SecureXL connection table when configuring Smart Connection Reuse kernel parameters and allowing out of state TCP packets.
    PRJ-22374,
    PRHF-15705
    Security Gateway In some scenarios, the Security Gateway attempts to access the Management Server via the Management's NAT IP address (defined in the "NAT" section in SmartConsole), while it is reachable only via the main IP address (defined in the "General Properties" section).
    PRJ-19413,
    PMTR-60877
    Security Gateway The "new-conn-rate" DOS/Rate limiting rules may not be enforced in usermode when enforcement for internal interfaces is disabled.
    PRJ-23518,
    PMTR-20344
    Application Control In some scenarios, the fw_full (fwd daemon) stops working, producing a core dump file and causing a cluster failover.
    PRJ-21297,
    PMTR-63495
    URL Filtering UPDATE: Improved RAD event output to provide additional information on events, such as detailed timing. This update also activates the retry mechanism by default.
    PRJ-21644,
    PMTR-60226
    Mobile Access Mobile Access may overwrite the /etc/hosts file on Security Gateway.
    PRJ-21700,
    PMTR-64360
    ClusterXL UPDATE: Added the fwha_disable_ccp_on_monitor global kernel parameter. The parameter turns on/off the sending of CCP packets on link monitor interfaces.
    PRJ-19515,
    PRHF-14206
    ClusterXL In some scenarios, the required interface value is higher than it should be when adding a VLAN interface.
    PRJ-22151,
    PMTR-63571
    ClusterXL During active-active-bridge mode, the "show routed cluster-state" command may display some members as slave instead of master.
    PRJ-21350,
    CLUS-1804
    ClusterXL In some scenarios, a large quantity of logs is generated on cluster VIP API.
    PRJ-19373,
    PRHF-14133
    SecureXL Security Gateway may crash when the user runs "fwaccel tab -t" to view certain rate limiting tables that have a large number of entries.
    PRJ-20434,
    PMTR-58524
    SecureXL In some scenarios, DOS/Rate Limiting rules that do not work as expected may be created.
    PRJ-22169,
    PRHF-15607
    SecureXL Rate limiting rules using concurrent-connection counters may cause connections to be blocked. 
    PRJ-22917,
    PRHF-15478
    SecureXL Improved the Smart Connection Reuse feature to be consistent with the user configuration.
    PRJ-22437,
    PRHF-15755
    SecureXL In some scenarios, the concurrent-conns rate limiting count may be inaccurate for FTP data connections. 
    PRJ-22290,
    PMTR-62849
    SecureXL TCP reset packets may be dropped with an invalid sequence.
    PRJ-22414,
    PMTR-60014
    VPN In some scenarios, L2TP tunnel is not deleted completely upon disconnection. 
    PRJ-22544,
    PRHF-14102
    VPN Added stability fix in validation checks for ECDSA certificates.
    PRJ-22285,
    PRHF-14819
    VPN When Remote Access is configured to use DHCP for the Office Mode allocation, disconnection of SNX/L2TP clients may cause the IP address not to be removed from the table.
    PRJ-23826 Gaia OS NEW: Added support for Smart-1 600-S/M appliances. Refer to sk171903.
    PRJ-22843,
    PMTR-55383
    Gaia OS UPDATE: Added the option to bind IP addresses to sockets using the udp_connect API. Refer to sk171019.
    PRJ-21920,
    PRJ-17304
    Gaia OS Unable to set MTU on Igb cards.
    PRJ-22794,
    PRHF-15900
    Gaia OS In rare scenarios, the "show asset network" command may lead to a memory leak.
    PRJ-22216,
    PRHF-15159
    Gaia OS "show configuration on" may not expose bond members.
    PRJ-23829,
    PRHF-16241
    VSX In rare scenarios, the Wrp interface may not come up.
    PRJ-20922,
    PRHF-14900
    QoS Security Gateway may crash in QoS flow when an interface goes down and up during packet processing.

     

      

     

      

    Revision History

    Date Description
    09 May 2021 Updated the Important Notes section
    02 May 2021 Published List of upcoming resolved issues
    26 Apr 2021 Released Take 27 of R81 Jumbo Hotfix Accumulator
    18 Apr 2021 Updated the Important Notes section
    08 Apr 2021
    • Released Take 25 of R81 Jumbo Hotfix Accumulator
    • SmartConsole package has been updated to Build 550
    05 Apr 2021 Take 23 of R81 Jumbo Hotfix Accumulator moved to General Availability
    25 Mar 2021 Released Take 23 of R81 Jumbo Hotfix Accumulator
    17 Mar 2021
    • Updated the Important Notes section
    • Published List of upcoming resolved issues
    01 Mar 2021 Released Take 17 of R81 Jumbo Hotfix Accumulator
    08 Feb 2021
    • Released Take 13 of R81 Jumbo Hotfix Accumulator
    • SmartConsole package has been updated to Build 549
    26 Jan 2021 Released Take 11 of R81 Jumbo Hotfix Accumulator
    21 Dec 2020
    • Updated the Important Notes section
    • Published List of upcoming resolved issues
    14 Dec 2020 First release of R81 Jumbo Hotfix Accumulator - Take 10

     
