Jumbo Hotfix Accumulator for R81 (R81_jumbo_hf)
Solution


Introduction

R81 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues in different products.

   Supported products and configurations

The Jumbo Hotfix Accumulator supports these products and configurations: Security Gateway, Security Management Server, Multi-Domain Management Server, Log Server, Multi-Domain Log Server, SmartEvent Server, Harmony Endpoint, VSX and Cluster.

  • Install this Jumbo Hotfix Accumulator only after you successfully complete the Gaia First Time Configuration Wizard and reboot.
  • Check Point recommends installing Jumbo Hotfix Accumulator on all R81 devices. 
  • For CPUSE installation, use the latest Deployment Agent build (refer to sk92449).
  • If you install Jumbo Hotfix on a cluster with enabled Identity Awareness, refer to sk170516 to see the procedure Check Point recommends following the installation.


   Support for Scalable Platform and Open Servers

R81 Jumbo Hotfix Accumulator provides support for Security Gateways configurations running on Open Servers and Scalable Platform appliances.

  • For an Existing Security Gateway running on Open Servers, a Blink image consisting of R81 GA image (Take 392) and R81 Jumbo Hotfix is available in the Download section below. 
  • For Freshly installed Open Servers, first use the R81 ISO image from the R81 Home page and then, before placing the machine into the production environment, install the R81 Jumbo Hotfix package from the below table (not the Blink image). 
  • For Freshly installed  Scalable Platform appliances, first use the R81 ISO image from the R81 Scalable Platform Home page and then, before placing the machine into the production environment, install the R81 Jumbo Hotfix package from the below table.


The R81 ISO image (Take 392) and the R81 image included in the Blink image are identical.





Availability

  • General Availability Take


    Take_36 is the latest R81 Jumbo Hotfix Accumulator General Availability release that can be directly downloaded from Check Point Cloud using CPUSE and from this article:

    Product | Take | Date | CPUSE Offline package | SmartConsole package
    Security Management and Security Gateway | Jumbo HF Take_36 | 19 Jul 2021 | (TAR) | (EXE) Build 553
    Blink Image for Security Gateway and Open Server, Clean Install / Upgrade | R81 GA Take 392 + Jumbo HF Take_36 | 26 Jul 2021 | (TGZ) |
    Blink Image for Security Management - Clean Install / Upgrade | | | (TGZ) |
    Blink Image for Multi-Domain Management - Clean Install | | | (TGZ) |

 

  • Ongoing Take

    Product | Take | Date | CPUSE Offline package | SmartConsole package
    Security Management and Security Gateway | Jumbo HF Take_42 | 1 Sep 2021 | (TAR) | (EXE) Build 553

    • Use Check_Point_R81_JUMBO_HF_MAIN_Bundle_T<Take number>_FULL.tgz for:
      • CPUSE Online Identifier
      • Starting from R81 Management servers, for Central Deployment with SmartConsole Online Identifier





Important Notes

  • Starting from Take 27, publish and install policy may fail after purging database revisions. For details, refer to sk174703.
  • Starting from Take 34, Remote Access users with statically assigned Office mode IP in ipassignment.conf file may not connect to the Security Gateway. For more information and a hotfix, refer to sk175448. Fix will be added to the upcoming Jumbo Take. 
  • Take 34: Hardened the ability to use narrowed IKEv2 tunnels. For more information, refer to sk166417.
  • If you use a cluster with enabled Identity Awareness, refer to sk170516 after the first installation of Jumbo Hotfix to avoid unexpected behavior with Identity Awareness.
  • If you are using a Jumbo Take below the latest GA Take, these additional important notes apply:
    • Take 23: Web SmartConsole is not available for customers who install Take 23 without having installed a Jumbo Hotfix before. The fix is included in Take 25. For details, refer to sk170314.
    • Takes 23-25: In environments that use Data Type Group objects, the Management server may fail to start after installing Jumbo Hotfix. The fix is included in Take 27. 
    • Starting from Take 34, any manual change of $FWDIR/conf/rad_conf.C file may be overridden by the next Jumbo Hotfix installation. If you edited this file manually, refer to sk163793 and follow the instructions on how to keep your manual changes.
    • When upgrading from Jumbo Takes 17-27 on VSX environment (SP and non-SP), the VSX gateway may experience crash and corrupted file system. The fix is included in Take 34. For more information, refer to sk174191.
    • Take 34 is not compatible with the CloudGuard Network for Public Cloud due to incompatibility with cloud cluster fail-over flow. The fix is included in Take 36.


List of Resolved issues and New Features per HotFix Take



ID Product Description
R81 Jumbo HotFix - Ongoing Take 42 (1 September 2021)
PRJ-26240,
PRJ-26233
Diagnostics NEW: Added the Check Point Performance Sizing Utility (CPSizeMe) v5.2.
PRJ-24235,
PMTR-64142
Licensing UPDATE: If there is no license installed, the error message will be printed when running the cpstart command.
PRJ-24201,
PMTR-67200
Security Management NEW: Trusted CAs updates for HTTPS Inspection can be configured to be installed automatically upon update. Refer to sk173629.
PRJ-27200 Security Management NEW: Added the Hitcount column to the "Export to CSV" functionality in Access Policy.
  • Requires R81 SmartConsole Build 553 (or higher).
PRJ-24985,
PRJ-25474
Security Management NEW: Added ability for R81 Security Management or Multi-Domain Server to manage R81.10 Security gateway.
  • Requires R81 SmartConsole Build 553 (or higher).
PRJ-26026,
PMTR-69307
Security Management NEW: Added the "get-interfaces" Management API for Security Gateway and Cluster objects.
  • The functionality is parallel to the “Get Interfaces” button in the SmartConsole Network Management page in the Security Gateway / Cluster editor.
  • The API is available starting from version 1.7.
PRJ-26414,
PMTR-69791
Security Management NEW: Added the Management API command "show-layer-structure". 
PRJ-27122,
PMTR-70628
Security Management UPDATE: The "Purge revisions" operation has been improved to further reduce the database's size.
PRJ-27163,
PMTR-70138
Security Management UPDATE: Performance improvement in an upgrade of Security Management and Multi-Domain Servers with large rulebases. 
PRJ-26194,
PMTR-69529
Security Management In a rare scenario, the FWM process may unexpectedly exit.
PRJ-26184,
PRHF-17487
Security Management When running the "fwm logexport" command multiple times, the FWM process may unexpectedly exit, producing a core file.
PRJ-26124,
PRHF-17476
Security Management In some scenarios, HA synchronization fails in the Global Domain after the IPS update.
PRJ-29004,
PRHF-18817
Security Management In some scenarios, Publish operation fails with the  "Object with uid=<RandomCharacters> was updated in the database but its dleConvertedObject wasn't found" error. Refer to sk174703.
PRJ-25039,
PRHF-16802
Security Management In rare scenarios, a task in progress may get stuck until the Management server is restarted.
PRJ-24011,
PMTR-62382
Security Management In some scenarios, the NAT rule is not enforced when the rule’s name is identical to an object’s name placed on the rule.
PRJ-25862,
PMTR-67876
Security Management When running the "show-tasks" command with Management API and using the "order" parameter, the results are not ordered.
PRJ-26455,
PRHF-17433
Security Management In rare scenarios, the web_api_show_package.sh script fails, and the log shows "Null Pointer Exception".
PRJ-22135,
PMTR-63108
Security Management In some scenarios, a high load on the Management server may cause SmartConsole slowness.
PRJ-26630,
PRHF-17230
Security Management In rare scenarios during system startup, a cleanup operation may cause high CPU on multiple Postgres processes and prevent login to SmartConsole.
PRJ-25010,
PMTR-67525
Security Management After configuring VPN blade on a Security Gateway with support-visitor-mode using Management API, VPN clients may fail to create sites.
PRJ-21968,
PRHF-15471
Security Management Packet Mode search in rule base ignores matching of inline layer parent rules. In some scenarios, this may retrieve inline layer rules that should not be matched.
PRJ-22385,
PRHF-15325
Security Management User may fail to connect to SmartConsole after the administrator changed the RADIUS server host IP address. Refer to sk172065.
PRJ-24331,
PRHF-16613
Security Management In some scenarios, the "Recent Tasks" view shows the initiator as a System administrator when the Global Manager user initiates reassign and install policy. 
PRJ-27621,
PMTR-69273
Security Management In a rare scenario, the "Install Database" task may continue to run indefinitely.
PRJ-26093,
PMTR-69327
Security Management In rare scenarios, the Access Control policy installation fails with the "Security Management Server aborted connection" error.
PRJ-25305,
PMTR-67893
Security Management Policy verification may incorrectly fail with the verification error "Rule contains both Access Roles and network objects" when the installation is accelerated.
PRJ-26343,
PMTR-59909
Security Management When installing policy on a gateway for the first time, Threat Prevention policy installation may fail if installed with Access policy.
PRJ-25687,
PRHF-17286
Security Management In some scenarios, a policy installation failure message may show "ReferenceObject" instead of the actual object's name.
PRJ-24052,
PMTR-66980
Security Management If the Management Server is up for many days, the CPM process's memory consumption and CPU usage may increase consistently. 
PRJ-26299,
PRHF-17531
Security Management In rare scenarios, tasks may run indefinitely until the Security Management Server is restarted.
PRJ-26911,
PRHF-16657
Security Management Policy installation to multiple gateways from Install Policy Presets may fail if each policy has its own HTTPS Inspection policy.
PRJ-25838,
PRHF-17362
Security Management In some scenarios, deleting a Security Gateway object fails with the "Object <name> is used by a policy or by other objects" error even though the Security Gateway is not in use. Refer to sk173467.
PRJ-25800,
PRHF-17324
Security Management In rare scenarios, if the CPM process is up for many days, CPU and memory consumption may continue to grow until a reboot is performed.
PRJ-25254,
PMTR-68425
Security Management Login with Management API fails when using the api-key and setting enter-last-published-session to "true".
PRJ-26507,
PMTR-69683
Security Management Policy verification may incorrectly fail with a NAT verification error "The range size of Original and Translated columns must be the same".
PRJ-25892,
PMTR-69154
Multi-Domain Management NEW: Allow creating Domain Management Servers with a netmask different than the one of the Multi-Domain Server. Refer to sk173934.
PRJ-26690,
PMTR-69747
Multi-Domain Management After migrating the Global Domain and making global changes, when assigning/reassigning the Global Domain, the assignment may be shown as "Up to date" even though the latest global changes are not applied on the Domain.
PRJ-25518,
PRJ-25516
Multi-Domain Management In rare scenarios, in a Multi-Domain environment with active Domains on multiple Multi-Domain Servers, when performing manual HA sync in one Domain, objects from another Domain are not shown in SmartConsole.
PRJ-25406,
CPM-2542
Multi-Domain Management In some scenarios, HA synchronization may fail on the MDS level with the  "Failed to synchronize this peer due to purged revisions in the database." message.
PRJ-27154,
PRHF-11539
Multi-Domain Management OS information for Domain Servers may not be shown correctly at the MDS level.
PRJ-22639,
PRHF-15727
Multi-Domain Management In rare scenarios, the Multi-Domain Management Server may fail to start if Domains were previously deleted.
PRJ-26302,
PRHF-17558
Multi-Domain Management In rare scenarios, Global Domain Assignment and Domain Creation tasks may continue to run indefinitely.
PRJ-20647,
PMTR-63143
SmartConsole NEW: Added the option to print or save (as a file) the Changes Report.
PRJ-23439,
PMTR-65297
SmartConsole UPDATE: Changes report supports up to 50 revisions (instead of 10).
PRJ-22813,
PMTR-61013
SmartConsole Improved adjustment of the scrollbar in the Changes Report window.
PRJ-26906,
PRHF-17725
SmartConsole In some scenarios, loading the Access Control policy causes SmartConsole to close unexpectedly.
  • Requires R81 SmartConsole Build 553 (or higher).
PRJ-26873,
PRHF-17640
SmartConsole In some scenarios, the gateway hardware change in SmartConsole fails with "Changing the hardware to <New_Selected_Check_Point_Appliance> Appliances is blocked." warning.
PRJ-27576 Web SmartConsole NEW: Web SmartConsole now includes read/write capability for the most common activities. 
PRJ-25931,
PMTR-69007
SmartView NEW:
  • It is now possible to set the default timeframe for Logs view and Reports of SmartView as part of User Preferences.
  • The default timeframe value was changed from "Last 7 days" to "Last 24 hours". 
    Note: there is a similar setting for the default timeframe in the SmartConsole Logs view. The settings are separated for each application.
PRJ-27301,
PMTR-70643
SmartView After upgrade, SmartView scheduled export to Excel of Reports and Views stops running and users are unable to edit the scheduled tasks. Refer to sk174047.
PRJ-24351,
PMTR-67284
CPView In some scenarios, a memory leak may occur in a cpview_services module. Refer to sk173952.
PRJ-19795,
SL-4613
Logging NEW: Added support for Endpoint Forensics reports to get-attachment API.
PRJ-20258,
PMTR-57895
Logging NEW: Log exporter allows the re-export of logs based on starting and end positions provided by the user, to close possible gaps. Refer to sk122323.
PRJ-21423,
PMTR-61503
Logging NEW: The Log exporter now supports formatting for RSA SIEM application.
PRJ-25596,
SL-5164
Logging UPDATE: The Log server now supports up to 2700 Gateways (previously was 1024).
PRJ-20136,
PMTR-62674
Logging UPDATE: When reverting a Management or Log Server from the R81 version 30 days after the upgrade, logs are no longer fetched or indexed.
PRJ-25454,
PMTR-68670
Logging In rare scenarios, logs generated in the same second, with the same ID, may not show up in SmartConsole's Logs tab.
PRJ-22650,
PRHF-15710
Logging Threat Emulation log description for HTTP emulation is incorrect.
PRJ-23114,
PMTR-52927
Logging In some scenarios in SmartView, exporting a report or view to PDF duplicates the item and displays it twice in the Catalog until the export is done.
PRJ-23821,
PRHF-12659
Logging In rare scenarios, when querying logs with a timeframe larger than 1 day, only 50 logs from each day will be shown.
PRJ-23581,
PMTR-65203
Logging In some scenarios following a Multi-Domain Management Server upgrade, log queries may not retrieve results from some CMAs\CLMs.
PRJ-25646,
PMTR-68886
Logging In SmartView (Reports and Web Logs view), the value of the file size is displayed differently from the Logs view in SmartConsole (GB instead of GiB).
PRJ-24488,
SL-5577
Logging When a Management Server manages more than 1024 Gateways, the connectivity status may show "N/A" for several Gateways.
PRJ-24216,
PMTR-65200
Logging In a Multi-Domain environment, the same Domain may appear twice in the Domains view of the SmartEvent application.
PRJ-24706,
PMTR-67771
Logging In the SmartConsole Logs&Monitor tab, when the query time-frame is "Last Hour" and auto-refresh is on, if the query time is between 12:00 and 13:00, logs from that time will not be shown.
PRJ-25657,
PRHF-7562
Logging In some scenarios, the log_indexer process consumes 100% CPU and log indexing fails causing log queries to miss the recent logs. The issue occurs when rules have Accounting enabled and there is a lot of traffic matching these rules.
PRJ-27072,
PMTR-70430
Compliance In some scenarios on Multi-Domain environments, Compliance data is not synchronized between primary and secondary Domains. 
PRJ-24580,
PMTR-66164
SNMP NEW: Added CPview network statistics and network profile data to SNMP - throughput, packets rate, concurrent connections, drop reasons, top connections, and more.
PRJ-24537,
PMTR-66616
Security Gateway UPDATE: Added new Dynamic Balancing Clish command to enable default number of instances. To use it, run "set dynamic-balancing state enable ++set_default_fw_instances". Refer to sk164155.
PRJ-26331,
PMTR-68117
Security Gateway UPDATE: The prompt indication will show on which plane (management or data) the context is.
For example,
[Expert@Host:0] will be displayed as [Expert@Host:dplane] for data plane
[Expert@Host:1] will be displayed as [Expert@Host:mplane] for management plane
PRJ-25102,
PMTR-62328
Security Gateway UPDATE: The Connection Tracker (CPView >Advanced > CONN-TRACKER) will be activated by default.
PRJ-25844,
PMTR-68979
Security Gateway Added the Access Control rulebase matching visibility enhancement.
PRJ-29753,
PRHF-19043
Security Gateway In rare scenarios, the Security Gateway may failover while handling the HTTP/2 stream.
PRJ-27036,
PMTR-67834
Security Gateway VSX provisioning may fail to commit changes to the VSX database. Refer to sk173683.
PRJ-26479,
PMTR-66746
Security Gateway In some rare scenarios, when IPv6 is configured and Office Mode Anti-Spoofing is enabled, running "cpstop;cpstart" may cause a Security gateway to crash.
PRJ-26811,
PMTR-68115
Security Gateway In rare scenarios, policy installation may fail with the "Problem with the Commit Function" message.
PRJ-26409,
PMTR-69461
Security Gateway In some scenarios, policy installation on the MDPS Gateway fails with "ERROR: Duplicate keys  in table 'cluster_members_ids_by_ips'" errors in SmartConsole. Refer to sk173485.
PRJ-24127,
PRHF-15896
Security Gateway RADIUS authentication failure messages are written to SmartConsole logs but not presented to a user. Refer to sk173927.
PRJ-21271,
PMTR-56012
Security Gateway In some scenarios, emails may be stuck in the MTA queue.
PRJ-26016,
PMTR-68942
Security Gateway In a rare scenario, a memory leak may occur in in.emaild.mta process.
PRJ-18127,
PMTR-60844
Security Gateway In some scenarios, an incorrect interface name is displayed in CPView.
PRJ-25393,
PRHF-17173
Security Gateway In some scenarios, there is no match on URL Filtering rules.
PRJ-26269,
PRJ-26257
Security Gateway In a rare scenario, incorrect error messages regarding the ICAP client flow appear in dmesg. Refer to sk173546.
PRJ-26345,
PMTR-69467
Security Gateway When using Routing separation and ClusterXL, the "cphaprob -a if" command displays "mdps_tun" as "DOWN".
PRJ-26152,
PMTR-69312
Security Gateway In a rare scenario, a memory leak may occur when IPS / Anti-Bot / Anti-Virus blade is enabled.
PRJ-25817,
PRHF-16364
Security Gateway Added Dynamic Anti-Spoofing stability enhancements.
PRJ-27624,
PMTR-71034
Security Gateway In some rare scenarios, only after a fast policy installation with a Non-FQDN object or an updatable object, wild card domains may not be enforced.
PRJ-27124,
PMTR-70644
Security Gateway Improved Generic Data Center object download to Security Gateway.
PRJ-25738,
PRHF-16886
Security Gateway In some scenarios, Security Gateway may crash when ICAP client is enabled.
PRJ-26619,
PRHF-17663
Security Gateway In some scenarios, "[INFO] encode resource in base64 failed" messages generated by RAD process are shown in /var/log/messages file.
PRJ-26596,
PMTR-70023
Security Gateway Configuring the "Virtual Activation Timeout" option above 65535 may lead to an incorrect timeout definition.
PRJ-23066,
PMTR-63142
Security Gateway Improved displayed drop log messages on the Security Gateway:
  1. To see drops since the last reboot, use the "fw ctl drop" command.
  2. To see drops in real time, use the CPView tool.
Refer to sk172232.
PRJ-22625,
PRHF-15835
Security Gateway In some scenarios, the VSX Cluster switch may cause a core dump.
PRJ-24010,
PRHF-16196
Security Gateway In rare scenarios, when the "sd_global_monitor_only" property is set to "true", there is no HTTP inspection.
PRJ-24903,
PMTR-66910
Security Gateway In rare scenarios, the name of the application that drops a packet was not shown in the drop debug. Instead, the “PSL Drop: internal - drop enabled” message was displayed.
With this fix, the reason for the drop will be displayed.
PRJ-24838,
PRHF-15080
Security Gateway In some scenarios, when moving Mobile Access from Legacy to Unified Policy, previously configured native application may stop working. Refer to sk172935.
PRJ-23539,
PMTR-66212
Security Gateway In some scenarios, values set in fwkern.conf may not be applied correctly.
PRJ-25553,
PMTR-67991
Security Gateway In some scenarios, connections are dropped with the "Virtual defragmentation error: fragment table is full" message.
PRJ-25483,
PRHF-17175
Security Gateway In a rare scenario, the PDPD or VPND process on the Security Gateway consumes high CPU. Refer to sk173706.
PRJ-25472,
PRHF-12897
Security Gateway In rare scenarios, SmartView Monitor shows the "Error code: 2147483647" message when viewing data from a VSX Gateway.  Refer to sk174206.
PRJ-25157,
PMTR-67534
Security Gateway When running the "fwaccel stats -r" command to reset the SXL statistics, the statistics may become corrupted.
PRJ-24530,
PRHF-16667
Security Gateway In a rare scenario, the FWK process unexpectedly exits on the Security Gateway.
PRJ-29346,
PRHF-17221
Security Gateway In a rare scenario, the Security Gateway may sporadically crash.
PRJ-18868,
PRHF-13722
Security Gateway In rare scenarios, DynamicID authentication fails with a "Server_code 403 log_msg General HTTP error" message in vpnd.elg. Refer to sk170303.
PRJ-23273,
PRHF-15932
Security Gateway In some scenarios, the "fw ctl affinity" command on MDPS Dplane does not show the Mplane Multi-Queue interfaces.
PRJ-29094,
PRHF-18786
Security Gateway In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages.
PRJ-26140,
PMTR-69466
Internal CA UPDATE: Added automatic extension for Internal CA database to support more than 100,000 certificates.
PRJ-25273,
PMTR-68358
Internal CA UPDATE: The IKE certificate's validity period is set to 1 year by default.
PRJ-24831,
PMTR-67854
Internal CA sk172610 was added to "Failed creating certificate. Certificate with a different letters' case exists" error message.
PRJ-26649,
PMTR-70065
Internal CA This fix will clean up expired certificates from the Internal CA database every three weeks and after reboot.
PRJ-25544,
PRJ-26201
Anti-Virus In a rare scenario, the Security Gateway may crash when working with Anti-Virus.
PRJ-25245,
PMTR-68421
Threat Extraction UPDATE: In Autonomous Threat Prevention (ATP) configured gateway, Threat profile field in sanitization (Threat Extraction) logs will refer to the current ATP profile installed.
PRJ-26524,
ODU-78
Threat Extraction Added Update 4 of Threat Extraction Engine. Refer to sk165832.
PRJ-22272,
PRHF-14664
Threat Prevention Improved the Threat Prevention policy installation time when installing on more than two Security gateways.
PRJ-25845,
PMTR-63963
Threat Prevention In rare scenarios, the Threat Prevention Blade Exception used for performance optimization does not work as expected.
PRJ-25056,
PMTR-67604
Identity Awareness NEW: Added automatic mechanism to exclude service accounts on PDP gateway to improve both PDP performance and functionality.
PRJ-24690,
PRJ-25444,
PRJ-21304
Identity Awareness NEW: Added support for SAML authentication method for Remote Access VPN. Refer to sk172909 for configuration instructions.
  • Requires R81 SmartConsole Build 553 (or higher).
PRJ-24500,
PMTR-67597
Identity Awareness NEW: Added a new Auto-Tune feature for Nested Groups to select the optimal nested state for maximum performance.
The feature is disabled by default. To enable it, refer to sk128212.
PRJ-25383,
PMTR-68590
Identity Awareness UPDATE: Changed the Web-API conciliation score from 10 to 15.
PRJ-25926,
PMTR-68088
Identity Awareness Optimized the PDP expired timers mechanism performance.
PRJ-25582,
IDA-3937
Identity Awareness In some scenarios, Identity Awareness with enabled Remote Access identity source constantly prints "A secondary session request was received from the same IP" message in the log and overrides the existing session.
PRJ-17567,
MBS-11293
Identity Awareness IDA database may become corrupted on Scalable Platforms configured with multiple Identity Collectors in redundancy mode or Identity Sharing.
PRJ-26232,
IDA-4019
Identity Awareness When the PDP gateway is connected to multiple pre-R81 PEP gateways, the CPU consumption may be high. Refer to sk173709.
PRJ-29307,
PMTR-72312
URL Filtering In some scenarios, HTTPS connections to servers with untrusted certificates are held and not resumed (page cannot load).
PRJ-24629,
TEX-2201
UserCheck In rare scenarios, when clicking the "Send Original Mail to me" button (sk140214) in the UserCheck portal for Threat Extraction, action fails with "An unexpected error has occured ..." error message.
PRJ-26166,
PMTR-69256
IPS In rare scenarios, the FWK process may unexpectedly exit when installing the policy.
PRJ-23674,
PRHF-14886
IPS A redundant debug message may be displayed in dmesg logs.
PRJ-22232,
PRHF-14501
IPS Packet capture may not be generated for certain IPS protections.
PRJ-27971,
PRHF-15586
IPS Added IPS Core Protections scan improvements for HTTP traffic.
PRJ-26107,
PRHF-17301
IPS Security Gateway may crash when the IPS profile name is very long. Refer to sk174025.
PRJ-18857,
PRHF-858
DLP DynamicID via SMTP does not work when an HTTP proxy server is defined.
PRJ-26008,
PMTR-61844
SSL Inspection When TLS 1.3 is enabled, a connectivity issue may occur for non-TLS traffic over inspected ports. 
PRJ-26740,
PRHF-4657
SSL Inspection Added an option to bypass Name Constraints extension on certificates using a registry flag. Refer to sk159692.
PRJ-20681,
PRHF-14540
SSL Inspection A table hash size may be too small for some environments and cause an increased CPU usage.
PRJ-25222,
PRHF-17088
Mobile Access Improved the Portal Rendering performance in Unified Policy mode.
PRJ-21798,
PMTR-60183
Mobile Access The "Favorites" button does not work if URL does not start with "https://"
PRJ-24688,
PRHF-16135
Mobile Access In some scenarios, the HTTPD process consumes high CPU, causing slowness in access to web applications.
PRJ-23732,
PRHF-16302
Mobile Access In some scenarios, when configuring the "X-Forwarded-For" header to MAB reverse proxy, the header is passed in reverse order.
PRJ-25105,
PRHF-17025
ClusterXL Data connections from the Standby member of an Active-Standby cluster may be dropped on the stealth rule when "fwha_cluster_hide_active_only" is set to 1.
PRJ-26575,
PMTR-69991
ClusterXL The "set cluster member ccpenc" command description falsely shows that the default setting is off.
PRJ-25954,
PRHF-17427
ClusterXL Hundreds of VLANs in VSX cluster may cause VLAN to get Internal Communication Network IP (funny IP) address when adding/editing VLAN.
PRJ-26410,
PMTR-64102
ClusterXL Log shows that CCP encryption fails on each policy installation.
PRJ-23849,
PRHF-15781
SecureXL In some non-VPN scenarios, MSS Adjustment (Clamping) does not work.
PRJ-22786,
PMTR-65162
SecureXL In a rare scenario, Security Gateway may crash after running the "fwaccel tab -t connections" command.
PRJ-27226,
PRHF-17734
SecureXL Invalid VLAN traffic may cause repeated "deliver_list is empty!!!" error messages in the /var/log/messages file.
PRJ-24542,
PMTR-67556
SecureXL In a VSX environment, the SYN Defender configuration may not be applied correctly.
PRJ-25107,
PRHF-13183
SecureXL SecureXL keeps forwarding packets in VSX bridge mode when the member is down. Refer to sk169495.
PRJ-25511,
PRHF-16656
SecureXL In a rare scenario, Security Gateway may crash when generating CPInfo in VSX mode.
PRJ-26925,
PMTR-69753
Gaia OS NEW: Added support for new card 4 ports 1/10GbE SFP+ Rev 4.1.
PRJ-26757,
PMTR-69435
Gaia OS In some scenarios, the first packet of any protocol is dropped if there is no ARP cache entry in the ARP table for that destination. Refer to sk173933.
PRJ-26334,
PMTR-44510
Gaia OS In some scenarios on VSX, the "Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-eth instead" message appears in /var/log file.
PRJ-26329,
PMTR-69006
Gaia OS When using routing separation, Clish configuration for the management plane may be missing.
PRJ-24494,
PRHF-16665
Gaia OS In a rare scenario, the Security Gateway may become unresponsive. Refer to sk172827.
PRJ-24944,
PRHF-16967
Gaia OS In some scenarios, Syslog debug messages are incorrectly printed as errors (ERR).
PRJ-25667,
PRHF-16999
Gaia OS In some scenarios, the driver's (i40e) response time for MQ settings is too long.
PRJ-24597,
PRHF-16780
Gaia OS When the RADIUS server uses a multi-pool "Access Challenge", the system sends many authentication requests without waiting.
PRJ-25375,
PRHF-15535
Gaia OS SNMP sysOID 1.3.6.1.2.1.1.2.0 does not return Check Point system information when queried from Maestro Orchestrator.
PRJ-26576,
SPC-2237
Routing In some scenarios, BFM fails to create pseudo interfaces (ethX-XX).
PRJ-26792,
MBS-14077
Routing When working from gclish and Audit Log is enabled, every command is logged twice - once with the real user and once with the admin.
PRJ-26526,
MBS-14049
Routing When using proxy arp on IP address within the same subnet as the cluster IP, no GARP is sent upon failover.
PRJ-25996,
PMTR-69290
Routing In some scenarios, the monitored IP option "force-if-symmetry" does not detect the asymmetric ping properly.
PRJ-25915,
ROUT-1502
Routing Netflow packets are sent from the individual VS IP address instead of VS0.
PRJ-26970,
PMTR-66574
Routing In some scenarios, the routed process may produce a core dump when it receives IGMPv3 Membership Reports over a long period of time.
PRJ-26962,
PMTR-65589
Routing The routed process may unexpectedly exit when candidate RP is enabled, and a rapid failover occurs or when the candidate RP interface is disconnected.
PRJ-25319,
PMTR-68232
Routing In some scenarios, CPView displays incorrect values of RIP statistics.
PRJ-27060,
PRHF-17925
Routing In some scenarios, the routed process may unexpectedly exit when there is a static route and a kernel route to the same destination.
PRJ-24389,
MBS-12759
Routing In rare scenarios, a Load Sharing cluster can experience DHCP relay drops with the "dropped by fw_post_vm_chain_handler Reason: Handler 'dhcp_reply_code' drop" message.
PRJ-23484,
PMTR-65524
VoIP In some scenarios, the "sip_increase_opq_rnum: Error - number of reinvites exceeded the limit" message, which indicates a malfunctioning SIP flow, is printed in SIP debug.
PRJ-23968,
PRHF-16338
VSX UPDATE: Added ability to change the Management and Sync interfaces via vsx_util change_interfaces.
PRJ-19978,
PRHF-14371
VSX In some scenarios, the "cpstat vsx" command does not show the correct output. Refer to sk170793.
PRJ-26355,
PMTR-69561
VSX In some scenarios, the priority list cannot be manually set via the "vsx_util vsls" command.
PRJ-26633,
PMTR-69220
VSX A bridge on a regular VS (not VS in bridge mode) is not supported on a VSX cluster in Active/Active mode.
This fix blocks:
  1. Adding a bridge to a regular VS when the VSX is a cluster in Active/Active mode.
  2. Converting a VSX cluster to Active/Active mode when a regular VS with a bridge exists.
PRJ-26451,
PMTR-67687
VSX In some scenarios, toggling between "Active up" mode and "Primary up" mode of a VSLS cluster with "vsx_util" is not reflected on the Gateway when using the "cphaprob stat" command. 
This fix ensures that the change will always be reflected on the Gateway.
PRJ-26443,
PMTR-69836
VPN In rare scenarios, a memory leak related to gateway authentication may occur.
PRJ-26246,
PMTR-69455
VPN In some scenarios, the VPND process may unexpectedly exit when connecting with strongSwan client.
PRJ-26435,
PRHF-2715
VPN In a rare scenario, a memory leak may occur when RASession_util is active.
PRJ-25986,
PMTR-65599
VPN In rare scenarios, IKE negotiation fails when using IPv6 addresses. 
PRJ-26434,
PMTR-69479
VPN In a rare scenario, the IKED process unexpectedly exits with core dump when using Office Mode IP allocation for clients and users cannot connect.
PRJ-26205,
PMTR-68557
VPN MEP failover with 3rd party vendors may not work correctly.
PRJ-26268,
PMTR-68840
VPN In some scenarios in MEP configuration, failover to available MEP members may fail.
PRJ-26400,
PRHF-17622
VPN Policy installation may fail when VPN community is not configured on the Security Gateway. Refer to sk174235.
PRJ-24808,
PRHF-16698
VPN Site to Site VPN connectivity issue when NAT is enabled.
PRJ-26789,
PMTR-69945
VPN In some scenarios, an incorrect Host IP address is shown in SmartConsole log when a client is not authorized to log in.
PRJ-26624,
PRHF-17733
VPN Added VPN stability improvement in IKEv2.
PRJ-22529,
PMTR-64500
VPN When Multiple Factor Authentication is configured with DynamicID, VPN clients may receive four password prompts. Refer to sk144932.
PRJ-28152 VPN In some scenarios, this policy warning is displayed on CMAs: "gen_implied_rule: fail to get rule template ('iked_ports_block_in/out' rule will not be generated)".
PRJ-25335,
VPNS2S-2335
VPN In some scenarios, the "Illegal sequence number" error may be printed in Dead Peer Detection (DPD) debug.
PRJ-25054,
PRHF-16121
VPN In some scenarios, a user may not be able to connect because the VPND process unexpectedly exits.
PRJ-26342,
PMTR-69135
VPN In some scenarios, Phase 2 NULL encryption in IKEv2 fails with "Received notification from peer: No proposal chosen" message in the log.
PRJ-26928,
PMTR-70367
VPN In some scenarios, the VPND process unexpectedly exits after installing the policy.
PRJ-25134,
PMTR-68208
VPN In some scenarios, the VPN Remote Access client cannot reconnect after changing the authentication method.
PRJ-26176 Harmony Endpoint Harmony Endpoint Web Management Update - Compliance, Application Control, Firewall and export package were added.
PRJ-26281,
PMTR-69675
Harmony Endpoint In some scenarios, the "Pre-boot screen saver" in SmartEndpoint Common Client Settings Policy is not visible.
PRJ-27583,
EPS-33262
Harmony Endpoint In some scenarios, the "Uninstall Client" push operation in SmartEndpoint cannot be initiated and fails with exception.
PRJ-27321,
PMTR-70852
Harmony Endpoint In some scenarios, the EP URL Filtering policy may block websites under category 32 (political/legal) instead of category 31 (phishing). 
PRJ-28655 Harmony Endpoint In some scenarios, only partial info is shown in Anti-Malware updates dialog window in SmartEndpoint.
PRJ-25729,
PMTR-68887
QoS A memory leak may occur when using domain names in QoS policy rules. Refer to sk174904.
PRJ-26795,
PRHF-17668
CloudGuard IaaS In some scenarios, CloudGuard Controller fails to fetch data from the standby ACI server when the main ACI server is unreachable.
PRJ-25373,
PRHF-17170
CloudGuard IaaS CloudGuard Controller with Cisco ACI Data Center sends updates without IP addresses to Security Gateways.
PRJ-26798,
PMTR-69072
CloudGuard IaaS In some scenarios, CloudGuard IaaS Standby member cannot access the Internet. Refer to sk175108.
PRJ-21257,
MBS-10123
Scalable Platforms NEW: Added support for the new SNMP OIDs to get performance statistics from VSX Virtual Systems.

Configuration in Gaia gClish:
  1. Run: g_all "vsx mstat enable"
  2. Run: g_all "reboot"
  3. Configure SNMP v3 in the VS mode as described in sk90860.
SNMP OIDs - statistics from the specified Virtual System, statistics from each cluster member:
Number of concurrent connections - 1.3.6.1.4.1.2620.1.48.30.30.10.1.*
Physical memory - 1.3.6.1.4.1.2620.1.48.30.40.10.1.*
Packet rate - 1.3.6.1.4.1.2620.1.48.30.80.10.1.*
Throughput - 1.3.6.1.4.1.2620.1.48.30.90.10.1.*
Interface packet rate - 1.3.6.1.4.1.2620.1.48.30.100.10.1.*
Connection rate - 1.3.6.1.4.1.2620.1.48.30.120.10.1.*
Virtual memory - 1.3.6.1.4.1.2620.1.48.30.130.10.1.*

SNMP OIDs - statistics from the specified Virtual System, total statistics from all cluster members:
Total number of concurrent connections - 1.3.6.1.4.1.2620.1.48.30.30.20
Total packet rate - 1.3.6.1.4.1.2620.1.48.30.80.20
Total throughput - 1.3.6.1.4.1.2620.1.48.30.90.20
Total connection rate - 1.3.6.1.4.1.2620.1.48.30.120.20
PRJ-26563,
PMTR-66250
Scalable Platforms NEW: Added new parameters for SNMP traps sent from Security Group Members:
  • chkpnyTrapChassisId : shows the chassis ID of the sender SGM
  • chkpnyTrapBladeId : shows the blade ID of the sender SGM
PRJ-23649,
MBS-13202
Scalable Platforms UPDATE: Removed unsupported OIDs 1.3.6.1.4.1.2620.1.48.20.5 and 1.3.6.1.4.1.2620.1.48.21.5 from the chckpnt.mib file.
PRJ-25357,
MBS-13352
Scalable Platforms UPDATE: Limited the /var/log/dist_mode.log file rotation size to 20MB to prevent exhaustion of disk space.
PRJ-22208,
PMTR-64637
Scalable Platforms UPDATE: Added Member ID to connection and session log.
PRJ-21245,
MBS-10229
Scalable Platforms UPDATE: Added the new column "asgResourceTitle" to the SNMP Table "asgResourceTable". The new column contains the Security Group Member ID and the resource name.
Format of the output: "Site <Site-ID> Member <Member-ID> <Resource-Name>"
Example output: "Site 2 Member 1 Memory Utilization"

The SNMP OID of the new column is: asgResourceTable.1.8 (.1.3.6.1.4.1.2620.1.48.23.1.8).
PRJ-22986,
PMTR-65813
Scalable Platforms UPDATE: New OIDs are assigned for these appliances:
  • checkPoint61000 - .1.3.6.1.4.1.2620.1.6.123.1.3001
  • checkPoint64000 - .1.3.6.1.4.1.2620.1.6.123.1.3002
  • checkPoint41000 - .1.3.6.1.4.1.2620.1.6.123.1.3003
  • checkPoint44000 - .1.3.6.1.4.1.2620.1.6.123.1.3004
PRJ-25785,
MBS-13716
Scalable Platforms "Failed to send event 8 SNMP request to chassis module" errors may appear in the messages log.
PRJ-25526,
MBS-11956
Scalable Platforms "set user <username> password-hash" and "set user <username> force-password-change" Gaia gClish commands do not take effect on Security Group Members.
PRJ-25858,
MBS-8488
Scalable Platforms In some scenarios, the fw_full core dump is randomly created on Quantum Scalable Chassis and Quantum Maestro appliances.
PRJ-25495,
MBS-11764
Scalable Platforms In some scenarios, the asg diag test "IGMP consistency" (asg diag print 26) fails on Quantum Scalable Chassis and Quantum Maestro.
PRJ-25506,
MBS-11670
Scalable Platforms fwaccel_dos_rate_on_install is not synced between SGM members. 
PRJ-25377,
MBS-12356
Scalable Platforms If the "Chassis HA mode" is configured as "VSLS", the SNMP query for the OID "asgChassisParamsMaxGrade" (.1.3.6.1.4.1.2620.1.48.28.4.1.4 and .1.3.6.1.4.1.2620.1.48.28.4.1.5) returns a wrong value.
  • With this fix: When the High Availability mode is configured as VSLS, the Chassis grade returns "N/A". Otherwise, the real Chassis grade is displayed to the user.
PRJ-25376,
PMTR-65459
Scalable Platforms The "asg_provision" command fails on hotfix inconsistency if run outside of the global context (VS instead of VS0).
PRJ-25374,
MBS-12834
Scalable Platforms The "asg_license_verifier -v" command, which validates the licenses on an SP cluster, may incorrectly fail with the "Different licenses are installed across blades" message.
PRJ-27324,
PMTR-70795
Scalable Platforms The VSX gateway creation on Scalable Platforms via SmartConsole or VSX Provisioning tool fails with the "Failed to determine appliance type" error.
PRJ-27173,
MBS-14108
Scalable Platforms The MIB file $CPDIR/lib/snmp/chkpnt.mib fails MIB validation tests in the SNMP tree OID .1.3.6.1.4.1.2620.1.48.0 (asg).
PRJ-26066,
MBS-13605
Scalable Platforms Improved the memory usage calculation by the "asg perf" command.
PRJ-25671,
MBS-13627
Scalable Platforms
  • Output of the "asg perf -p" command shows that the "Throughput" is 0 in the "Firewall" column.
  • Output of the "asg perf -v" command shows the "Throughput" value is lower than expected (the F2F traffic is missing) 
MBS-13627 Scalable Platforms In some scenarios, SNMP Query for OID .1.3.6.1.4.1.2620.1.48.20.1.0 (asgThroughput) returns a value lower than expected (the F2F traffic is missing).
PRJ-25542,
MBS-11427
Scalable Platforms The FWD process may unexpectedly exit when adding/deleting the "fw samp" rules.
PRJ-26038,
MBS-13989
Scalable Platforms The "asg perf" command may display wrong values for "Throughput" and "Packet rate".
PRJ-25741,
MBS-11788
Scalable Platforms Improved the memory / partitions size validity tests in the "asg resource" command.
PRJ-25777,
MBS-6708
Scalable Platforms When interrupting the "asg_perf_hogs -v" command with the CTRL+C keys, the message on the screen shows "Operation was canceled/terminated by user" instead of "No issues were found".
PRJ-21329,
MBS-8558
Scalable Platforms In rare scenarios, Switch distribution update in an early stage may trigger the FWK process to unexpectedly exit.
PRJ-21328,
MBS-9585
Scalable Platforms In some scenarios, the output of the "asg_policy verify -a" command in the "Summary" section for the Security Group Member shows "Policy date is lower than max policy date".
PRJ-21323,
MBS-12525
Scalable Platforms In some scenarios, SH zombie processes are created after a reboot or policy installation.
PRJ-22146,
PMTR-64499
Scalable Platforms The "delete backup" gClish command deletes backups only on the local member and not on all Security Group members.
PRJ-21073,
PMTR-63442
Scalable Platforms With this fix, sam_policy (samp) rules will be applied to new members added to the Security Group automatically.
PRJ-22982,
MBS-7805
Scalable Platforms After adding a slave interface to a Bond interface, the output of the "asg diag" command shows that the "Distribution Mode" test failed because of an issue with the slave interface.
PRJ-21832,
MBS-13133
Scalable Platforms SNMP query for OID 1.3.6.1.4.1.2620.1.48.20.5 and 1.3.6.1.4.1.2620.1.48.21.5 gives empty result. Refer to sk173423.
PRJ-21580,
MBS-8858
Scalable Platforms Improved the Distribution Mode configuration for Bridge interfaces - each slave interface has a different Distribution Mode.
PRJ-20750,
MBS-10656
Scalable Platforms In some scenarios, the "mq_mng -o -v" command fails with the "Error executing command" error message.
PRJ-25801,
MBS-6493
Scalable Platforms The asymmetric traffic may fail if the "Synchronize connections if Synchronization is enabled on the cluster" checkbox in the "Cluster and synchronization" section of the corresponding service's properties is not selected.
PRJ-25745,
MBS-5608
Scalable Platforms The command help (-h) misses the description of the -b parameter of the "asg_hard_start" command.
PRJ-25719,
MBS-6180
Scalable Platforms Removed the "-amw" flag from the syntax of the "asg stat" command. Run the "asg stat -v" command to get the required information.
PRJ-22554,
PMTR-65496
Scalable Platforms Setting multi-queue on backplane interfaces via "mq_mng -s manual" command fails with the "Error executing command" error.
PRJ-25344,
MBS-11411
Scalable Platforms In some scenarios, the unclear message "Management loss failure" is displayed in the command line.
PRJ-25572,
MBS-8473
Scalable Platforms Removed the "ccutil reset_parity_counter" command from the code.
PRJ-25576,
MBS-7630
Scalable Platforms The output of the "asg stat vs" command in the "Virtual System Status" section shows "active chassis" in lowercase when a Virtual System is in freeze. Now the output shows "Active chassis" with a capital letter.
PRJ-25589,
MBS-11765
Scalable Platforms Gaia users other than the 'admin' cannot use SCP to connect to a Security Group Member, even if the default shell /bin/bash and the 'admin' role are configured.
PRJ-25463,
MBS-12375
Scalable Platforms Gaia gClish commands that take more than 60 seconds to execute fail with "CLINFR0739 error in command execution; see "/var/log/messages"." Refer to sk170301.
PRJ-23285,
PMTR-65791
Scalable Platforms In some scenarios, the "RTNL: assertion failed" errors appear in /var/log/messages on Quantum Maestro/Quantum Scalable Chassis.
PRJ-23217,
MBS-9689
Scalable Platforms In VSLS scenarios when the SMO is the ARP master, in ACTIVE-ACTIVE state the wrong VS may answer ARPs, causing "out-of-state" in TCP connections.
PRJ-28053,
PMTR-71372
Scalable Platforms In some scenarios, the Maestro Gateway leaves the Security Group.
PRJ-22976,
MBS-9077
Scalable Platforms Setting MTU on Management Aggregation (MAGG) interface may fail.
PRJ-28016,
PMTR-71262
Scalable Platforms In some scenarios, bond interface slave fails to properly initialize and shows a partner system MAC address of 00:00:00:00:00:00.
PRJ-26992,
ODU-123
HCP Added Update 3 of HealthCheck Point (HCP) Release. Refer to sk171436.
PRJ-26326,
CST-212
Carrier Security The FWK process may unexpectedly exit producing a core dump when the GTP tunnel expires.
R81 Jumbo HotFix - General Availability Take 36 (19 July 2021, GA from 26 July 2021)
PRJ-28539,
PMTR-71636
ClusterXL During Multi-Version Cluster (MVC) upgrade with R81 Jumbo Hotfix Take 34, the "MVC WARNING uninitialized VPN table" message frequently appears in log. Refer to sk174445.
PRJ-28195 ClusterXL In public cloud environments, CloudGuard Network High Availability/Cluster solutions may incorrectly detect Cluster status.
R81 Jumbo HotFix - Ongoing Take 34 (27 June 2021)
PRJ-25809 Security Management NEW: Performance improvements for security policy and database installation when R81 Security Management manages R80.40 Gateways.
PRJ-20295,
PMTR-62823
Security Management NEW: Added new API version (1.7.1). For more information, refer to the Management API Reference.
PRJ-23312,
ODU-89
Security Management UPDATE: Added Update 9 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109.
PRJ-23923,
PMTR-64482
Security Management SmartConsole Extensions fail to load with "Error: unable to retrieve read-only session" if login with SmartConsole is performed with an IP address that is not defined as the primary IP of the Management Server.
PRJ-23774,
PMTR-66072
Security Management "Query failed" error is displayed in Security Gateway Device & License Information view in SmartConsole when canceling the "Export to PDF/CSV" operation.
PRJ-23885,
PMTR-66708
Security Management In some scenarios, when updating Check Point Host object to be a Network Policy Management and in addition configuring it as a Secondary Server, "Publish" fails with "Action Failed due to an internal error".
PRJ-23544,
PMTR-66182
Security Management In some scenarios, HA sync in a Multi-Domain environment may fail with the "Failed to import data" error message after the user creates new Permission Roles.
PRJ-22442,
PRHF-15754
Security Management Upgrade or migration from R80.10 and lower to R80.20 and higher may fail with "Scheme adjustment had failed" error in logs. Refer to sk172003.
PRJ-24487,
PRHF-16631
Security Management In very large Management environments, Policy verification and installation may fail with FWM process core dump. Refer to sk173722.
PRJ-24021,
PMTR-66953
Security Management In some scenarios, after upgrade of Multi-Domain environment that has active Domains on multiple Multi-Domain servers, some objects may not be visible in the System Domain.
PRJ-24617,
PRHF-16791
Security Management In Domain High Availability, policy installation may fail if a Global Dynamic Network object is defined and the active peer is the Security Management server.
PRJ-23438,
PMTR-65646
Security Management When configuring SNMP traps with thresholds_config utility on the Management Server, the settings may not be applied on the Security gateway upon policy installation.
PRJ-22076,
PRHF-15725
Security Management In rare scenarios, the Management Server may fail to start because Solr fails to initialize.
PRJ-24520,
PMTR-67390
Security Management When adding or updating a star/meshed VPN community using the Management API and setting default values for the ike-p2-use-pfs or ike-p2-pfs-dh-grp fields, the operation may fail with a validation error.
PRJ-21400,
PRHF-15001
Security Management In rare scenarios, deleting an object fails with "Can't reach source object, maybe it already deleted" error. Refer to sk172828.
PRJ-23899,
PRHF-16297
Security Management In some scenarios, the policy installation may fail after following sk55502. Refer to sk174646.
PRJ-22202,
PRHF-15250
Security Management In some scenarios in Management High Availability environment, after restoring a Domain from backup, the Security Management Server appears as 'Unavailable' in SmartConsole.
PRJ-24612,
PMTR-63454
Security Management Incorrect Mobile Access license status upon a license change.
PRJ-25032,
PMTR-68166
Security Management The "add access-role" Management API may fail when it is configured with base-dn.
PRJ-25057,
PMTR-68197
Security Management In some scenarios, the "set-simple-gateway name ..." and "set simple-cluster name ..." Management APIs may not reach the "SIC Communicating" state.
PRJ-22132,
PMTR-61861
Security Management In a rare scenario, Management HA synchronization fails after the Purge Revisions operation.
PRJ-20811,
PMTR-62949
Security Management On Security Management with connected Endpoint Security Server, the SICTUNNEL process may unexpectedly exit and start again every few minutes with core file ~4gb in size. Refer to sk173704.
PRJ-22124,
PMTR-61785
Security Management Running override_server_setting.sh may not update settings correctly when updating a setting multiple times.
PRJ-21705,
PRHF-12911
Security Management In some scenarios, Apache does not start and shows a "No space left on device" message if the user runs "cprestart" frequently.
PRJ-22212,
PMTR-61168
Security Management In rare scenarios, concurrent update operations performed by several administrators on the Management Server may fail.
PRJ-23931,
CPM-3316
Multi-Domain Management NEW: Once a day, Multi-Domain Management servers will check for peers that are not synchronized. If such are identified, HA full sync will be automatically initiated at the MDS level.
PRJ-23698,
PRHF-16119
Multi-Domain Management Global Policy Reassignment may take a long time to complete after an IPS Update in the Global Domain.
PRJ-22924,
PMTR-65145
Multi-Domain Management When secondary Domain Management Server is in active state, sicRenew utility may fail with "Certificate cannot be renewed by the Internal CA. (Error no. -179)". Refer to sk172183.
PRJ-22633,
PMTR-62650
Multi-Domain Management UPDATE: Improved the Domain Management Server and Domain Log Server creation and deletion operations.
PRJ-23160,
PMTR-64136
Multi-Domain Management UPDATE: Added stabilization improvement for Assign and Reassign Global Policy operations.
PRJ-22523,
PMTR-65290
Multi-Domain Management In some scenarios, Reassign Global Domain for a Domain that is active on another Multi-Domain Server may fail with "An internal error has occurred" message. Refer to sk172704.
PRJ-24760,
PRHF-16660
Multi-Domain Management Global Policy Assignments may be missing in Multi-Domain environment after upgrade from R77.x.
PRJ-22139,
PMTR-64481
Multi-Domain Management A Multi-Domain Server with dozens of Domains may take a long time to start.
PRJ-22784,
SL-5370
SmartConsole UPDATE:
  1. When using Updatable Objects, Source and Destination fields in logs will display the icon from the matched Updatable Object.
  2. Improved the accuracy of flag icons when using Updatable Objects for Geo-IP restrictions.
  • Requires R81 SmartConsole Build 552 (or higher).
PRJ-22127,
PMTR-62338
SmartConsole SmartConsole configures a default value for the IPv4 mask length of VIP interface each time a user opens the interface editor for cluster object configured in the Active-Active mode. As a result, the value configured by a user is overwritten with the default value each time the user opens the cluster object and clicks OK.
  • Requires R81 SmartConsole Build 552 (or higher).
PRJ-21908,
PMTR-61429
SmartConsole Generating a Changes Report may fail when the changes include new LSM Profiles or Small Office Gateway objects.
PRJ-23605,
PMTR-66244
SmartConsole In some scenarios, a SmartTask may fail to execute its action when it is triggered for a policy installation.
PRJ-22524,
PMTR-61526
SmartConsole "The object specified in 'Always send alerts to' field, has no active 'Logging & Status' blade" error may be displayed after running the "add-simple-gateway" command in Management HA environments where one of the Security Management servers has the "Logging & Status" blade disabled. Refer to sk172226.
PRJ-18888,
PRJ-18886
CPView CPView shows "N/A" for speed values of some network cards.
PRJ-22974,
PRHF-11884
Compliance Deactivated Compliance Best Practices appear in the Compliance report.
PRJ-21180,
PMTR-61750
Logging NEW: Resource pools for log queries and report generation have been separated to ensure query responsiveness while multiple reports are generated. 
PRJ-18560,
PRHF-13614
Logging In the "Logs" view in SmartConsole, when the query filter contains "time:yesterday" as a literal, the query fails with a "Query resolution failed" error. The pre-defined time filter "Yesterday" shows results from today. Refer to sk170999.
PRJ-23205,
PMTR-65244
Logging In rare scenarios, when creating a Log server object and establishing SIC, log queries from the newly created Log server object may fail.
PRJ-23068,
PMTR-62454
Logging When viewing an Access log card that was matched on both a Network layer (firewall) rule and an Application layer rule, and both actions are "Accept", the application layer rule will be presented in the card instead of the network layer rule.
PRJ-22967,
PMTR-64536
Logging In some scenarios, when exporting logs using the Log exporter tool and filtering on all Threat Prevention blades, logs of "Anti Spam" blade are not exported.
PRJ-23416,
PMTR-60082
Logging In SmartView's "Cyber Attack View - Endpoint", the widgets Active/Dormant Attacks and Cleaned/Blocked Attacks show clean hosts as infected (false positive results).
PRJ-20621,
PRHF-14608
Logging In SmartView, when filtering with specific time filters, the result may include more logs than was requested.
PRJ-22186,
PMTR-58496
Logging In SmartView, when the user exports multiple PDF/CSV/Templates of the same view/report at the exact same time, the second export to complete may overwrite the first one.
PRJ-22250,
PMTR-65133
Logging In some scenarios, in the "Views and Reports" of SmartView, it is not possible to use the field "Roles".
PRJ-23010,
PRHF-15886
Logging In rare scenarios, when the user exports logs to Excel using SmartView web, the action fails when the exported logs contain special characters, like emojis.
PRJ-23283,
PMTR-65335
Security Gateway NEW: Added the "Top Connections" tool. For more information, refer to sk172229.
PRJ-21903,
PMTR-64675
Security Gateway NEW: Added new troubleshooting tool to cplic command for Entitlement manager.
PRJ-19592,
PRHF-9582
Security Gateway NEW: Added support for authentication with a RADIUS server that expects to receive an empty password on the first message. VPN client will receive 2 dialogs instead of 3.
PRJ-20961,
PMTR-61684
Security Gateway NEW: In a Management Data Plane Separation (MDPS) environment, each plane has its own configuration. Run these commands in each plane:
  • save configuration <Name of Script>
  • load configuration <Name of Script>
PRJ-19989,
PMTR-59944
Security Gateway NEW: Added support for Drop templates optimization on accelerated policy installation.
PRJ-23382,
PMTR-66195
Security Gateway NEW: Implemented new Fast-Accel producer.

The following Fast-Accel statistics are added to CPView:

  • Status: current status of Fast-Accel feature (enabled/disabled).
  • Configured rules: number of rules added by the user. These rules determine whether a connection should be accelerated or not.
  • Accelerated connections amount: number of accelerated connections.
  • Total connections amount: total connections opened in PPAK.
  • Accelerated connections percentage: percentage of accelerated connections as part of the overall traffic.
  • Services distribution: number of times each service was used by the accelerated connections.
PRJ-17932,
PRHF-8504
Security Gateway UPDATE: Added L3 routing support for bridge interface assigned with IP address. To enable it, set fw_bridge_with_ip_routing=1 in the $FWDIR/fwkern.conf file. Refer to sk165560.
PRJ-22261,
PMTR-64681
Security Gateway UPDATE: Added $CPDIR/log/sic_info.elg log file to show detailed SIC errors.
PRJ-22988 Security Gateway UPDATE: Added support for DPL for non-FQDN Objects on Cluster Load Sharing environments.
PRJ-22654,
PRHF-14534
Security Gateway UPDATE: Security Gateway performance optimizations for specific scenarios. Refer to sk174607.
PRJ-23079,
PMTR-65799
Security Gateway Enhancement: Early drop optimization will work even if the UserCheck is not relevant for this connection.
PRJ-20570,
MBS-12769
Security Gateway In some scenarios, the "fwauthd_init: got known service port XXX ... choosing another one" message appears repeatedly in the $FWDIR/log/fwd.elg file.
PRJ-25905,
PMTR-69241
Security Gateway In a rare scenario, the machine hangs and the user is unable to run any command. Refer to sk173405.
PRJ-24731,
PRHF-16851
Security Gateway In rare scenarios, running "fw1 + misp" debug on a cluster may cause the Security Gateway to crash.
PRJ-24378,
SMB-10515
Security Gateway A memory leak in a DNS resolving infrastructure may occur.
PRJ-20983,
PRHF-14104
Security Gateway In rare scenarios, the CPD process unexpectedly exits when the VPN is enabled, and statuses are not sent to the Management Server.
PRJ-19359,
PRHF-14127
Security Gateway In a rare scenario, FWK process may unexpectedly exit while passing TLS traffic, resulting in a cluster failover.
PRJ-21473,
PRHF-14963
Security Gateway When the Security Gateway is configured as a proxy, some network objects may not be matched correctly.
PRJ-21056,
PRHF-15024
Security Gateway In a rare scenario, Fast Accel logs are sent although they are disabled on the matched rule. Refer to sk171336.
PRJ-21012,
PRHF-15031
Security Gateway In a rare scenario, Security gateway may crash when using non-FQDN domains in Access policy.
PRJ-23393,
PRHF-15802
Security Gateway Added support for “Other” services configured with IP protocol, but without advanced “Match” expression.
PRJ-23342,
PRHF-16111
Security Gateway Boot may take a long time on machines with many VLANs or secondary IP addresses.
PRJ-21837,
PMTR-63900
Security Gateway "up_fw_module_load_commit: failed to load" error may be displayed in dmesg during cpstart or policy installation.
PRJ-24300,
PMTR-67184
Security Gateway In a rare scenario, the FWK process unexpectedly exits on the Security Gateway.
PRJ-24275,
PMTR-63867
Security Gateway Allow automatic configuration of Identity Awareness nested group state 4 for Security Gateways with a previously installed fix for IDA-754.
PRJ-22874,
PRHF-15786
Security Gateway In some scenarios, policy installation fails with "Error code 0-2000077" message.
PRJ-22839,
PMTR-64303
Security Gateway In a rare scenario, policy installation may fail with the "problem with the Commit Function" message.
PRJ-22943,
PMTR-65733
Security Gateway In rare scenarios, policy installation fails with "gen_other_service_inspect_func: failed to find corresponding service object for <service name>" error message.
PRJ-22931,
PRHF-13912
Security Gateway When using "User Alert 3" in the code alert, cosmetic error "FW-1: fwdrv_get_string_id_from_code: illegal parameters for code 8" appears in the /var/log/messages file.
PRJ-22456,
PMTR-64448
Security Gateway In a rare scenario, the Security gateway may crash with fwk and fwk_wd core dump files.
PRJ-23102,
PRHF-13417
Security Gateway The connection may not exist in the SecureXL connection table when Smart Connection Reuse kernel parameters are configured and out-of-state TCP packets are allowed.
PRJ-22374,
PRHF-15705
Security Gateway In some scenarios, the Security Gateway attempts to access the Management Server via the Management's NAT IP address (defined in the "NAT" section in SmartConsole), while it is reachable only via the main IP address (defined in the "General Properties" section).
PRJ-23042,
PMTR-65729
Security Gateway In a rare scenario, Security Gateway may crash during the Application Control / IPS / Anti-Bot package update.
PRJ-23949,
PMTR-66474
Security Gateway In a rare scenario, Security Gateway may crash when running in USFW (User-Space Firewall) mode.
PRJ-24294,
PMTR-67231
Security Gateway In a rare scenario, Security Gateway may crash during policy installation.
PRJ-24414,
PRHF-16452
Security Gateway In a rare scenario, Security Gateway may crash under heavy load during cluster failover.
PRJ-22750,
PRHF-15894
Security Gateway In a rare scenario, Security Gateway may crash due to log buffer corruption.
PRJ-23900,
PMTR-65612
Security Gateway In a rare scenario, the Security Gateway may crash when GRE or VXLAN interfaces are configured.
PRJ-21451,
PRHF-14785
Security Gateway RSA integration using SAML (Security Assertion Markup Language) protocol may not work as expected. Refer to sk171501.
PRJ-25304,
PMTR-68439
Security Gateway When the Security Gateway is configured as a proxy, some network objects may not be matched correctly.
PRJ-22740,
PRHF-15578
Security Gateway When Strict Hold is enabled in the fail-open configuration, some HTTPS connections may get stuck.
PRJ-25594,
PRHF-12228
Security Gateway In some scenarios, packets are dropped due to incorrect SACK translation when SACK and sequence translation are being used together.
PRJ-23428,
PMTR-65909
Security Gateway The VPND process may consume high CPU because of ECDHE use, which affects multi-portal functionality. Refer to sk173145.
PRJ-24466,
PRHF-15688
Security Gateway In a rare scenario, Security Gateway may crash when handling some DNS packets.
PRJ-19413,
PMTR-60877
Security Gateway The "new-conn-rate" DOS/Rate limiting rules may not be enforced in usermode when enforcement for internal interfaces is disabled.
PRJ-23518,
PMTR-20344
Application Control In some scenarios, the fw_full (fwd daemon) unexpectedly exits producing a core dump file and causing a cluster failover.
PRJ-21772,
PMTR-58795
Application Control A failure log may be generated when inspecting connections to servers with certificates without a common name (CN) field.
PRJ-24479,
PMTR-67931
Threat Extraction,
Threat Emulation
In some scenarios, License errors for Threat Emulation and Threat Extraction blades are displayed for NGTP customers that use Autonomous Threat Prevention.
PRJ-24924,
PMTR-61787
Threat Prevention UPDATE: Added support for more than 20 CIFS objects in rulebase. Refer to sk170300.
PRJ-21883,
PRHF-15174
Threat Prevention Policy installation fails if it contains objects with "://" text.
PRJ-23571,
PRHF-15500
Threat Prevention Security Gateway may crash when transferring the HTTP multipart traffic if the Anti-Virus Deep Scanning, Threat Extraction, or Threat Emulation is enabled.
PRJ-19558,
PMTR-61333
Threat Prevention In some scenarios, "cpssh_trans_endpoint_handle_session_travers_timeout: INTERNAL ERROR" errors are displayed in the fwk.elg file when inspecting SSH traffic.
PRJ-20485,
PMTR-61702
Threat Prevention In rare scenarios, Security Gateway may crash when working with SSH.
PRJ-20814,
PMTR-61640
Threat Prevention Large file download with SFTP may fail when the connection is inspected.
PRJ-21279,
PMTR-60297
Threat Prevention Removed the "beta" label from SSH DPI's SSH server identification string.
PRJ-23037,
PMTR-65728
Threat Prevention In rare scenarios, Security Gateway may crash if event app debug flag is enabled.
PRJ-24193,
TPE-453
Threat Prevention In rare scenarios, the Threat Prevention policy is not enforced after a reboot of the Security Gateway.
PRJ-21656,
PMTR-63310
SSL Inspection UPDATE: Avoid sending the TLS probe during the inbound inspection when a rule is matched according to the IP address.
PRJ-20486,
PMTR-62467
SSL Inspection Memory leak may occur during policy installation.
PRJ-19857,
PMTR-61029
SSL Inspection TLS probing failures generate logs with a general description in SmartLog: "Internal system error in HTTPS Inspection (Error Code: 2)". With this fix, more descriptive logs will be generated.
PRJ-24421,
PMTR-66343
SSL Inspection Improved performance of the TLS handshake when TLS 1.3 support is enabled.
PRJ-19765,
PMTR-62211
SSL Inspection In rare scenarios in mixed IPv4/IPv6 environments, some connections may fail.
PRJ-22428,
PMTR-64992
SSL Inspection In some scenarios, the "Parallel TLS Sessions" and "Cache entries" CPView statistics for SSL Inspection are incorrect.
PRJ-23398,
PMTR-66181
SSL Inspection In rare scenarios, the Security Gateway may crash during TLS probing.
PRJ-23442,
PMTR-65718
SSL Inspection In some scenarios, memory leaks may occur after policy installation.
PRJ-20237,
PMTR-59665
SSL Inspection In a rare scenario, some errors in requests to the Security Gateway are ignored and can cause the connections to remain open instead of being closed.
PRJ-25055,
PRHF-14178
SSL Inspection In some scenarios, when HTTPS Inspection is enabled, overall memory consumption may gradually increase. Refer to sk171280.
PRJ-21028,
PMTR-63319
Anti-Malware Improved the way Threat Prevention distinguishes between .docx, .pptx, .xlsx and .zip files.
PRJ-24782,
PRHF-16849
Anti-Malware In a rare scenario, the Security Gateway may crash with the "Problem with the Commit Function" error during policy installation. Refer to sk173248.
PRJ-23037,
PMTR-65728
Anti-Malware In rare scenarios, Security Gateway may crash if event app debug is enabled.
PRJ-21458,
PRHF-14980
Identity Awareness In some scenarios, the VPN Remote Access client fails to connect if a certificate contains a DN with an asterisk (*). 
PRJ-22360,
IDA-3759
Identity Awareness In some scenarios, output of "pdp conn pep" command may show incorrect PEP names.
PRJ-20460,
PMTR-52079
IPS UPDATE: Exceptions are now enforced for these IPS protections:
  • ASCII Request Response
  • ASCII Response Response
  • HTTP Header Patterns
  • HTTP URL Patterns
  • CIFS File Patterns
Refer to sk166222.
PRJ-23191,
PRHF-15832
IPS In rare scenarios, the Security Gateway may crash.
PRJ-22514,
PMTR-65461
IPS Proxy source IP address is not printed in the IPS logs.
PRJ-22405,
IPS-352
IPS In some scenarios, the DNS response message with record type 0 may be dropped by "Non compliant DNS" protection.
PRJ-20714,
PRHF-13454
IPS In rare scenarios, policy installation fails due to duplicate id in IPS Snort protections.
PRJ-22398,
PRHF-15404
IPS The "ciu_lic_open_lic_db_file: crc check failed" error message may be printed in fwd.elg log file during the policy installation if the IPS blade is disabled. Refer to sk172903.
PRJ-24254,
PMTR-66115
Anti-Virus UPDATE: Reduce performance when Anti-Virus is configured with deep inspection on all file types.
PRJ-23929,
PMTR-66261
Anti-Bot UPDATE: Anti-Bot URL cache was enhanced to support further requests.
PRJ-23982,
PRHF-16392
UserCheck Sensitive file push.js may be visible on the Security gateway.
PRJ-21297,
PMTR-63495
URL Filtering UPDATE: Improved RAD event output to provide additional information on events, such as detailed timing. This update also activates the retry mechanism by default.
PRJ-22333,
PMTR-21454
Mobile Access In some scenarios, the VPND process unexpectedly exits in SNX Application Mode.
PRJ-23093,
PRHF-12121
Mobile Access In some scenarios, FWK process unexpectedly exits due to SNX authorization timeout in MAB's Unified Policy mode. Refer to sk173125.
PRJ-23654,
PMTR-60065
Mobile Access Remote Access session may not be synced on the standby member VS.
PRJ-21644,
PMTR-60226
Mobile Access Mobile Access may overwrite the /etc/hosts file on Security Gateway.
PRJ-21700,
PMTR-64360
ClusterXL UPDATE: Added the fwha_disable_ccp_on_monitor global kernel parameter. The parameter turns on/off the sending of CCP packets on link monitor interfaces.
PRJ-26458,
PRHF-13428
ClusterXL UPDATE: Added clusterXLFailover to the database to have the ability to set SNMP traps to monitor cluster failovers. Refer to sk173810.
PRJ-19515,
PRHF-14206
ClusterXL In some scenarios, the required interface value is higher than it should be when adding a VLAN interface.
PRJ-22151,
PMTR-63571
ClusterXL During active-active-bridge mode, the "show routed cluster-state" command may display some members as slave instead of master.
PRJ-21350,
CLUS-1804
ClusterXL In some scenarios, a large quantity of logs is generated on cluster VIP API.
PRJ-21974,
PMTR-64480
ClusterXL In some scenarios, when using IPv6 link-local VIP and dynamic routing protocols, failovers can cause a temporary outage.
PRJ-25943,
CLUS-1804
ClusterXL In some scenarios, the user cannot run any dynamic routing or install any static routes, including the default route.
PRJ-24146,
PMTR-67140
SecureXL UPDATE: Firewall debug drop template message now indicates the rule ID the template was created from.
PRJ-18063,
PMTR-60766
SecureXL UPDATE: Changed the "accept out of state" global parameter usage and added support to change it for specific VS. Refer to sk147093.
PRJ-24653,
PMTR-67738
SecureXL In some scenarios, the "reached the limit of maximum enqueued packets!" log is printed in the /var/log/messages file.
PRJ-23461,
PRHF-16084
SecureXL A race condition in the DOS/Rate limiting policy's install logic may cause incorrect counter values for "concurrent-conns".
PRJ-19373,
PRHF-14133
SecureXL Security Gateway may crash when the user runs "fwaccel tab -t" to view certain rate limiting tables that have a large number of entries.
PRJ-20434,
PMTR-58524
SecureXL In some scenarios, DOS/Rate Limiting rules that do not work as expected may be created.
PRJ-22169,
PRHF-15607
SecureXL Rate limiting rules using concurrent-connection counters may cause connections to be blocked. 
PRJ-22917,
PRHF-15478
SecureXL Improved the Smart Connection Reuse feature to be consistent with the user configuration.
PRJ-22437,
PRHF-15755
SecureXL In some scenarios, the concurrent-conns rate limiting count may be inaccurate for FTP data connections.
PRJ-22290,
PMTR-62849
SecureXL TCP reset packets may be dropped with an invalid sequence.
PRJ-24478,
PRHF-16658
Routing UPDATE: Allow "set bgp internal peer <value> send-route-refresh" commands.
PRJ-23146,
PRHF-16038
Routing UPDATE: Added "$" to the list of allowed characters for BGP MD5 authentication passwords in WebUI and CLI.
PRJ-23501,
PRJ-23499
Routing UPDATE: Added support for PBR with VTI/VPN interfaces.
PRJ-24499,
PMTR-66844
Routing In some scenarios, after member failover, some traffic may be lost.
PRJ-23742,
PMTR-62549
Routing After restarting OSPF with the "restart ospf instance default" command, OSPF may not redistribute routes until making a configuration change.
PRJ-24404 Routing VRRP member freezes when deleting a VLAN interface. Refer to sk106226.
PRJ-24717,
PRHF-16801
Routing In OSPF environment, the routed process may unexpectedly exit when a VPN tunnel is flapped leading to a temporary connectivity loss.
PRJ-25042,
PRHF-16981
Routing In a rare scenario, the routed process unexpectedly exits when creating an MFC (S,G) entry.
PRJ-22386,
MBS-9798
Routing In some scenarios, fragmented traffic is dropped when using L4 Distribution. Refer to sk167198.
- VPN Hardened the ability to use narrowed IKEv2 tunnels. For more information, refer to sk166417.
PRJ-23843,
PMTR-66754
VPN UPDATE: Option 3 of the "vpn tu" command now shows the realm name and whether the authentication was performed with the server certificate.
PRJ-24813,
VPNS2S-2313
VPN UPDATE: Added VPN improvements in IKEv2:
  • Added support for IKEv2 authentication when using multiple certificates.
  • Added support for “Matching info” authentication.
PRJ-21904,
PMTR-63196
VPN Added major VPN enhancements for Scalable Platforms. Refer to sk174228.
PMTR-63196 VPN Added improvements for VPND resiliency (disabled by default in this release).
VPNS2S-2313 VPN “Invalid ID information” message may be displayed when peer is 3rd party and Link selection is overridden.
VPNS2S-2313 VPN IKEv2 may cause the VPND process to exit unexpectedly when IKEv2 rekey uses certificates.
VPNS2S-2313 VPN
  • Stability improvement of IKEv2 rekey when using Pre-shared-key
  • Stability improvement of cluster synchronization mechanism
PRJ-24255,
PRHF-15984
VPN In some scenarios, the TTM (Transform Template) file is not loaded when there are no TTM groups for the user.
PRJ-26350,
PMTR-69744
VPN If SSL Inspection or other blades that use the CPAS infrastructure are enabled, a call trace warning is displayed in dmesg when the cpstop command is issued.
PRJ-22416,
PRHF-12576
VPN Remote Access users may randomly disconnect because the Tunnel test packets are mapped to the incorrect interface. Refer to sk172328.
PRJ-25490,
PMTR-68687
VPN In VSX environments, Anti-Spoofing in SecureXL may cause Remote Access VPN drops. Refer to sk173266.
PRJ-24889,
PMTR-63753
VPN In some scenarios, the "Global param: operation failed: Unknown parameter (param name vpn_cluster_on_aws)" cosmetic error may appear in dmesg.
PRJ-23304,
PMTR-66146
VPN In rare scenarios, the VPND process may unexpectedly exit in an L2TP-related flow.
PRJ-23975,
PMTR-65986
VPN In some scenarios, the IKED process unexpectedly exits producing a core dump.
PRJ-23986,
PMTR-66902
VPN In some scenarios, the VPND process may unexpectedly exit producing a core dump.
PRJ-21944,
PRHF-15509
VPN In some scenarios, VPN Remote Access users are disconnected after policy installation. Refer to sk171966.
PRJ-24573,
PRHF-9691
VPN Added IKE improvement for DAIP peer with ID_DER_ASN1_DN ID type.
PRJ-22414,
PMTR-60014
VPN In some scenarios, L2TP tunnel is not deleted completely upon disconnection. 
PRJ-22544,
PRHF-14102
VPN Added stability fix in validation checks for ECDSA certificates.
PRJ-22285,
PRHF-14819
VPN When Remote Access is configured to use DHCP for the Office Mode allocation, disconnection of SNX/L2TP clients may cause the IP address not to be removed from the table.
PRJ-23826 Gaia OS NEW: Adding support for Smart-1 600-S/M appliances. Refer to sk171903.
PRJ-21432,
PRJ-21424
Gaia OS NEW: Added support for hardware (sensors/NICs) data auto-update.
PRJ-22843,
PMTR-55383
Gaia OS UPDATE: Added the option to bind IP addresses to sockets using the udp_connect API. Refer to sk171019.
PRJ-26746,
PMTR-70210
Gaia OS The raid_diagnostic command fails on Smart-1 3050/3150/5050/5150 appliances. Refer to sk173788.
PRJ-24606,
PMTR-67624
Gaia OS Updated the OpenSSL version in the RPM database.
PRJ-24134,
PRJ-23252
Gaia OS Added timestamp, hostname and syslog version control to syslog messages. Refer to sk100727.
PRJ-22877,
PRHF-15925
Gaia OS In rare scenarios, Clish unexpectedly exits when configuring the ip-conflicts-monitor on more than 4 interfaces simultaneously.
PRJ-21920,
PRJ-17304
Gaia OS Unable to set MTU on Igb cards.
PRJ-23615,
PRHF-16252
Gaia OS In rare scenarios, there is a difference between the value of "Packets" in the output of "ifconfig <interface name>" and "show interface <interface name> statistics" commands.
PRJ-23586,
MBS-9917
Gaia OS In some scenarios, Bond interface's slaves stop sending LACP Traffic after reboot. Refer to sk169977.
PRJ-22794,
PRHF-15900
Gaia OS In rare scenarios, "show asset network" command may lead to memory leak. Refer to sk174823.
PRJ-22923,
PMTR-62465
Gaia OS "kernel: [SIM4];resume_from_error: failed to get ci_or_corr" error message may be printed numerous times in /var/log/messages file while running UDP Traffic Load. Refer to sk172543.
PRJ-23330,
PRHF-16081
Gaia OS The "snmptable" command may fail to fetch data via SNMP producing core dump. Refer to sk172824.
PRJ-23422,
PMTR-65206
Gaia OS The administrator cannot force a password change to users with UID 0.
PRJ-23491,
PMTR-64696
Gaia OS When bond/bridge interfaces configured with IP conflicts monitoring are deleted, they still appear under the configuration of ip-conflicts-monitor.
PRJ-24174,
PRHF-16489
Gaia OS In rare scenarios, the Security Gateway may crash during tcpdump. Refer to sk141412.
PRJ-22216,
PRHF-15159
Gaia OS "show configuration on" may not expose bond members.
PRJ-23829,
PRHF-16241
VSX In rare scenarios, the Wrp interface may not come up. Refer to sk171753.
PRJ-24383,
PRHF-16604
VSX In rare scenarios, when the VSX cluster experiences an outage, the FWK process generates a core dump file.
PRJ-27489 VSX In rare scenarios after Jumbo Hotfix installation, the Security Gateway may crash and a file system becomes corrupted. Refer to sk174191.
PRJ-21717,
PMTR-64430
CloudGuard Azure Improved performance consistency (with Multi-Queue) after the Microsoft Azure Maintenance event.
PRJ-20396,
PMTR-60449
CloudGuard IaaS In some scenarios, failover to another APIC server fails.
PRJ-23380,
PRHF-13883
CloudGuard IaaS The SNMP response may show incomplete values.
PRJ-23122,
PMTR-60974
Endpoint Security NEW: Added an option to configure email alert for Endpoint High Availability synchronization issues.
  • Requires R81 SmartConsole Build 552 (or higher).
PRJ-22511,
PMTR-65440
Endpoint Security In rare scenarios, the Endpoint server fails to start after uninstalling Jumbo Hotfix.
PRJ-24340,
PMTR-65923
Endpoint Security In some scenarios, device duplications appear in SmartEndpoint.
PRJ-24279,
PMTR-66083
Endpoint Security In some scenarios, the "Included Blades" tab in the SmartEndpoint Package repository for Dynamic Package is empty. 
PRJ-23055,
PRHF-15942
Endpoint Security In some scenarios, Compliance status shows "Status information is missing" in SmartEndpoint for all computers although the blade is installed and running.
PRJ-25251,
PMTR-68435
Endpoint Security In some scenarios, the Policy server fails to synchronize with Endpoint primary Management after installing a hotfix for local E1 signature updates.
PRJ-23133 IoT NEW: Added new features:
  1. Custom tags support - Any custom tag can be now used within a policy.
    • Add it to the $VSECDIR/conf/IotTags.conf configuration file
    • Run vsec off; vsec on
  2. Zone tag - The ‘Zone’ tag is now considered as a built-in tag. 
PRJ-25721 IoT UPDATE: If the recommended-policy includes some illegal rules, an IoT layer will be created with the legal rules only and the user will be notified with a warning about the illegal ones.
PRJ-20922,
PRHF-14900
QoS Security gateway may crash in QoS flow when interface goes down and up during packet processing.
PRJ-22800,
ODU-81
HCP Added Update 1 of HealthCheck Point (HCP) Release. Refer to sk171436.
R81 Jumbo HotFix - General Availability Take 29 (24 May 2021, GA from 29 Jun 2021)
PRJ-26320,
PMTR-66768
Logging After installing R81 Jumbo Hotfix Take 25 or higher, when running a Logs Query after 12:00 pm, all logs of the first half of the day are not shown in the Logs View. This issue occurs only on the same day of Jumbo hotfix installation and is cosmetic only (all logs are indexed correctly).
PRJ-25524 Security Gateway In some scenarios, "dst_release: dst:ffff88052d4c68c0 refcnt:-480" messages may be printed in dmesg regarding HTTPS traffic when SSL Inspection blade is enabled.
R81 Jumbo HotFix - Ongoing Take 27 (26 April 2021)
PRJ-24974,
PRHF-16965
Security Management In environments that use Data Type Group objects, the Management server may fail to start after installing Jumbo Hotfix Take 23.
PRJ-24913,
PMTR-67937
Security Management "Unauthorized client" error on login failure from an IP address that is not explicitly defined in the Trusted Clients list. Refer to sk173026.
R81 Jumbo HotFix - Ongoing Take 25 (08 April 2021)
PRJ-21007,
PRHF-14969
Security Management NEW: Improved FWM process performance during Security policy or database installation. 
PRJ-22314,
PRJ-22315
Security Management NEW: Performance improvement of Management High Availability Full Sync.
PRJ-18428,
PMTR-61041
Security Management UPDATE: In High Availability environment, Assign and Reassign Global Policy actions are not supported for a Domain if the active Domain Server for this Domain is a Security Management device. The assignment will be performed after change-over to the primary Domain Server.
PRJ-21873,
ODU-82
Security Management UPDATE: Added Update 8 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109.
PRJ-21239,
PMTR-62918
Security Management In some scenarios, the log file of PostgreSQL (postgres.elg) may become very large.
PRJ-23500,
PMTR-66213
Security Management In some scenarios, verification errors regarding conflict of rules may be missing if the policy installation is accelerated and the target is a cluster.
PRJ-20805,
PRHF-14691
Security Management In some scenarios, delete partial domain with createDomainRecovery.sh script fails when there are several RadiusGroup objects with the same name in different domains.
PRJ-21704,
PMTR-64423
Security Management In large environments with High Availability, synchronization and upgrade may fail due to very large database size.
PRJ-22519,
PMTR-64104
Security Management Policy Installation may fail with "Error code: 0-2-2000245" message when using IPv6.
PRJ-20128,
PMTR-62503
Security Management Data Center objects defined in NAT and HTTPS Inspection rulebases may not be enforced correctly after policy installation that was accelerated.
PRJ-21417,
PRJ-20995
Security Management In rare scenarios, the initiation of the Management server may take a long time.
PRJ-20305,
PRHF-14634
Security Management In some scenarios, deleting a Domain Server may fail with "Got at least one duplicate UID in requested list" error.
PRJ-21360,
PRHF-14606
Security Management In some scenarios, the Purge Revisions task may stop and show 0% for hours or fail with the "An error has occurred while performing revision purge operation" message in SmartConsole.
PRJ-17790,
PRHF-13382
Security Management In some scenarios, policy verification for static NAT rules succeeds even though the source subnet NAT is bigger than the destination subnet NAT.
PRJ-20888,
PRHF-14946
Security Management In some scenarios, when connecting to an existing session in SmartConsole from a different IP address, a wrong "Client IP" is shown in Audit Logs view.
PRJ-21587,
PRHF-15222
Security Management In rare cases, the CPM Solr process may not be stopped when running cpstop or mdsstop.
PRJ-20766,
PRHF-14399
Security Management High load may occur on the Management Server when searching for a prefix of IP address that has more than 10 thousand matches.
PRJ-21185,
PMTR-63358
Security Management In rare scenarios, logout from a session fails with "An internal error has occurred" message.
PRJ-19720,
PMTR-62272
Multi-Domain Management The Multi-Domain session APIs "view sessions" and "show last-published-session" results may include sessions that were not filtered according to the administrator's permissions profile.
  • A Domain manager running the API will be notified when the results will be filtered and will be asked to run the command again with the "ignore-warnings" flag
PRJ-21913,
PMTR-64572
Multi-Domain Management In some scenarios, installation of Jumbo Hotfix on Multi-Domain Server may fail after running restore from backup.
PRJ-21081,
SMCUPG-1625
Multi-Domain Management In some scenarios, HA Full Sync on the System Domain fails after upgrade on a Multi-Site environment with multiple Multi-Domain Servers. Refer to sk171059.
PRJ-21344,
PRJ-16910
Multi-Domain Management When running many Reassign Global Domain operations for Domains that are not active on the current Multi-Domain Server, the load on the Server may increase and result in slowness of user and automation work.
PRJ-20952,
PMTR-62383
SmartConsole After a network interface is removed by cluster API, a network group assigned to that interface remains as used by cluster members and cannot be deleted.
PRJ-21627,
PMTR-55104
SmartConsole In Multi-Domain environment with High Availability using Security Management Server, if the Security Management is the active peer for a Domain assigned to the Global Domain, the Policy Package creation may fail.
PRJ-20241,
PRHF-14533
SmartConsole When there are no search results, search in Access Control Policy displays "An error occurred while searching" instead of "No Items Found".
PRJ-19932,
PRHF-14278
SmartConsole In rare scenarios, the "Show Policy Package" tool and some Management API commands with details-level "full" may fail when UTM cluster is part of the policy targets.
PRJ-20316,
PRHF-14637
SmartConsole In some scenarios, the "show gateways-and-servers" Management API command fails when running it with details-level full and when connected to the Global Domain. Refer to sk170895.
PRJ-19142,
PRHF-14010
SmartConsole In some scenarios, the "add-user" API command with authentication method TACACS+ or Radius server fails with "object not found" message. Refer to sk170325.
PRJ-18923,
PRHF-13879
SmartConsole In some scenarios, the "show-access-rulebase" Management API command fails when running it with details-level "full" and there is a network group with more than 50000 objects on one of the rules. Refer to sk170435.
PRJ-21160,
PMTR-63555
SmartConsole If there is an HTTPS Inspection layer that is not used in the policy, policy installation may fail with the "Internal error" message.
PRJ-21624,
PRHF-15156
SmartConsole In some scenarios, FWM process logs show Provisioning/LSM activity even though LSM is not in use. Refer to sk171905.
PRJ-21390,
PMTR-63149
SmartConsole Slowness may be observed in some SmartProvisioning operations (like open SmartProvisioning GUI, create a new LSM object, open an LSM object editor, etc.).
PRJ-22223,
PMTR-32568
SmartConsole In some scenarios, a validation warning may appear on an updatable object with the following message: "Object is no longer supported. Enforcing security for this object is not possible." However, the object is still available in the updatable objects picker.
PRJ-22050,
PMTR-62337
SmartConsole In some scenarios, the Hit count information in the Access Policy rulebase is not shown correctly.
PRJ-20776,
PRHF-13197
Compliance In some scenarios, an incorrect Compliance status for Gaia OS Best Practices is displayed.
PRJ-19303,
PRHF-11595
Compliance Compliance Blade may not scan inline layers for Application Control and URL Filtering best practices.
PRJ-22825,
PRHF-15936
Logging NEW: Log server now supports up to 4 billion logs per day in Index mode (previously it stopped indexing with a limit of 2 billion logs).
PRJ-21380,
PMTR-63927
Logging In some scenarios, in Multi-Domain servers with many domains, the Solr process for logs may unexpectedly exit.
PRJ-19011,
PRHF-13936
Logging In a rare scenario, CPD process may use a random port for AMON communication instead of port 18196.
PRJ-24068,
PMTR-66159
Logging In Smart-1 6000-L and 6000-XL, drill down to a log card from the Logs view does not bring results.
PRJ-20587,
VPNRA-642
Mobile Access Removed potential XSS vulnerability in the MAB Login page.
PRJ-21112,
PRHF-14953
Security Gateway Authentication may fail when LDAP branch name contains "\".
PRJ-18980,
PRHF-13153
Security Gateway In some scenarios, PPTP or GRE traffic may be dropped. Refer to sk170293.
PRJ-19801,
PMTR-60336
Security Gateway Improved the policy enforcement of the ZIP archive inner files.
PRJ-21613,
PRHF-14715
Security Gateway Security Gateway may crash when "Categorize HTTPS Websites" feature is enabled and categorization mode is set to "Hold".
PRJ-20341,
PRHF-14616
Security Gateway In rare scenarios, passive FTP packets may be dropped.
PRJ-21200,
PMTR-63550
Security Gateway The VMCore file may be created during reboot after the upgrade procedure.
PRJ-22082,
PMTR-64650
Internal CA In a rare scenario, "This operation is not supported on STANDBY members" message is displayed and the cpca_client process unexpectedly exits when trying to renew a certificate on a standby Domain.
PRJ-21727,
PMTR-64420
Content Awareness In a rare scenario, Security Gateway may crash when CPcode is running within Content Awareness or parser flow.
PRJ-20848,
PRHF-14347
Identity Awareness In some scenarios, running pdpd commands results in "daemon did not respond or not running!" error. Refer to sk171136.
PRJ-22016,
IDA-3194
Identity Awareness Added optimization for PDP when handling Terminal servers Multi-User Host Agent (MUH).
PRJ-20349,
PRHF-14266
IPS In a rare scenario, the SmartConsole shows the "IPS is not responding" message even though IPS is functioning normally.
PRJ-20839,
PRHF-14744
DLP Improved DLP scanning for POST request to some Web sites.
PRJ-21711,
PMTR-64263,
PRJ-21991,
PMTR-64780
SSL Inspection In rare scenarios, a memory leak may occur in a crypto module.
PRJ-20977,
PRHF-14820
Anti-Malware In rare scenarios, the Threat Prevention policy installation fails due to IOC parsing errors. Refer to sk171316.
PRJ-18958,
PRHF-13881
ClusterXL When MDPS is configured, the output of "cphaprob syncstat" may show unreadable characters for the speed of the sync interface.
PRJ-19665,
PRHF-13929
SecureXL In some scenarios, connections are dropped when SYN Defender and ISN Defender are both enabled on the same interface.
PRJ-20547,
PRHF-14680
SecureXL Security Gateway may crash when there are interfaces that do not need the ARP resolution (VTI).
PRJ-22489 Gaia OS NEW: Added support for Smart-1 6000-L/XL appliances. Refer to sk171903.
PRJ-23358,
PMTR-65962,
PRJ-24397,
PMTR-67460
Gaia OS UPDATE: Upgraded OpenSSL to 1.1.1k to fix CVE-2021-3449 and add the latest security improvements. Refer to sk172983.
PRJ-20733,
PMTR-63201
Gaia OS CVE-2020-25705: ICMP reply rate.
PRJ-21721 Gaia OS The "show configuration" command cannot print Gaia user with spaces in name.
PRJ-21827,
PRHF-12751
Gaia OS In some scenarios, the "rhost" value may be missing from logs when the user tries to access the WebUI.
PRJ-18852,
PRHF-13802
Gaia OS In some scenarios, the "show arp dynamic all" command displays values of VS0 instead of VS.
PRJ-20286,
PRHF-13475
Gaia OS Messages log level in /var/log/messages file for ERR level was changed to INFO level when fetching proxy configuration from Clish/WebUI/Gaia API.
Example: [DATE TIME] <daemon.err> ... xpand[25958]: proxy_live_get_proc: Started...
PRJ-19975,
PMTR-62104
Gaia OS In some scenarios, bond interface bandwidth monitored via SNMP is missing.
PRJ-17684,
PMTR-60173
Gaia OS When upgrading with enabled Management Data Plane Separation (MDPS), an additional reboot may be required.
PRJ-18941,
PRHF-13812
Gaia OS In some scenarios, the "... fwldbcast_handle_retrans_request: Updated bchosts_mask to 1" message may be printed in /var/log/messages file.
PRJ-21667,
PRHF-15328
Gaia OS In some scenarios, policy installation on a Check Point Gateway in Azure causes the Gateway to crash and load a default policy. Refer to sk171553.
PRJ-21261,
VSX-2520
VSX Allow the addition of routes with specific group of type "Group with Exclusion" when using VSX Provisioning tool.
PRJ-20965,
VSX-2519
VSX After running "vsx_util vsls" and selecting option #6, the operation may fail with the "Internal Error: got empty reply set" error. Refer to sk171352.
PRJ-13302,
PMTR-63247
VPN NEW: Added 3 new views to SmartView for Remote Access, providing visibility for Remote Access users, users login summary, failed login attempts, used clients, top login options, number of users, operating systems, authentication methods and login activity.
PRJ-17616,
PMTR-57245
VPN UPDATE: Added:
  • VPN Remote Access StrongSwan IKEv2 client logs.
  • Key install logs with StrongSwan IKEv2 client improvement to show the correct authentication method.
  • RAsession_util with StrongSwan IKEv2 client improvement.
PRJ-19217,
PRHF-13685
VPN Site to Site VPN fails to establish with IKEv2 on GCP when NAT-t is enabled.
PRJ-21544,
PMTR-64128
VPN Added VPN Remote Access stability improvement.
PRJ-22219,
PRHF-15006
VPN When static NAT is configured on a destination, the SCV may fail to access the internal resources and "No scv status from client..." drops appear in SmartConsole. Refer to sk171550.
PRJ-19905,
PRHF-14090
VPN Mobile Access SNX may fail to connect to the Security Gateway when the realm used by the client is different from the SSL VPN realm.
PRJ-21235,
EPS-30018
Endpoint Security NEW: Added Application Control and Developer Protection support in Endpoint Web Management.
PRJ-21750,
PMTR-60418
Endpoint Security On the SmartEndpoint Reporting page, the "Endpoint Connectivity" report that is filtered by a virtual group returns an empty list. 
PRJ-21915,
PMTR-50113
Endpoint Security In some scenarios, the "Endpoint Security Client Version" report shows "N/A" in DAT Date column for all devices on the SmartEndpoint Reporting page.
PRJ-21106,
PMTR-62363
Endpoint Security Adding devices to virtual group using the epmcommands tool may fail.
PRJ-19313,
PRHF-13909
CloudGuard IaaS When creating a GCP Data Center, Test Connection may fail on large GCP accounts.
PRJ-23944,
PMTR-66384
Maestro VSX "dxl stat" and "dxl calc" commands may fail on non-VS0 context with the "failed to retrieve dxl information" error.
R81 Jumbo HotFix - General Availability Take 23 (25 March 2021, GA from 5 Apr 2021)
PRJ-23912,
PRHF-16377
Security Management Accelerated Policy installation may fail with the "Error Code: 2000232" message if this policy contains changed services. Refer to sk172484.
PRJ-23583,
PMTR-66363
Endpoint Security Endpoint Security Clients may disconnect after installing R81 Jumbo Hotfix on a Management that was upgraded from the previous versions. Refer to sk172485.
R81 Jumbo HotFix - Ongoing Take 17 (01 March 2021)
PRJ-22324,
PMTR-62199
Security Management Accelerated Policy installation may fail when a Custom Application is used in Access Control policy, URL Filtering blade is enabled and Application Control blade is disabled on the selected gateway.
PRJ-22277,
PMTR-65110
Multi-Domain Management In some scenarios, updating a Domain Server may fail with the "<IP> already in use" message. Refer to sk171916.
PRJ-20150,
PRHF-14537
VSX In rare scenarios, some interfaces remain in "Down" state after reboot.
R81 Jumbo HotFix - Ongoing Take 13 (08 February 2021)
PRJ-19946,
PMTR-62429
Security Management NEW: Added new Management HA utility to schedule automatic full syncs to peers that failed to be synchronized incrementally.
PRJ-18434,
PMTR-60665
Security Management NEW: The upgrade process is now monitored dynamically and is stopped if it cannot be completed, rather than relying on a timeout.
PRJ-19545,
ODU-73
Security Management UPDATE: Added Update 6 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109.
PRJ-20165,
ODU-76
Security Management UPDATE: Added Update 7 of Autonomous Threat Prevention Management (ATPM). Refer to sk167109.
PRJ-19972,
PRJ-13465
Security Management UPDATE: If a Management HA synchronization stalls (displaying "Peer is busy"), it will be released within 2 hours instead of 24 hours.
PRJ-20032,
PMTR-61770
Security Management UPDATE: When purging revisions, task notifications will also be purged if created before the last revision to purge was published.
PRJ-20001,
PRHF-14293
Security Management UPDATE: Added improvements in the policy load process to reduce the policy installation time when there is a large number of objects.
PRJ-22105,
PRJ-21382
Security Management In some scenarios, the installation of Jumbo Hotfix Take 11 on the Management Server may take up to several hours.
PRJ-18253,
PRHF-12594
Security Management When logging into SmartConsole directly to a Domain using Radius or TACACS, the Authentication method in the audit log may show as "Internal Password". Refer to sk168716.
PRJ-17693,
PRHF-13332
Security Management In some scenarios, HA temporary sub-directories in $FWDIR/tmp are not deleted if sync fails. Refer to sk170972.
PRJ-18289,
PMTR-61010
Security Management In rare scenarios, the CPU and memory usage of CPM process may be abnormally high. Refer to sk170672.
PRJ-18266,
PRHF-13607
Security Management 'Revert to Revision' tasks cannot be cleared from tasks pane in SmartConsole.
PRJ-19105,
PMTR-61908
Security Management In some scenarios, Management HA change-over to Security Management Server Backup fails with the "Failed to communicate with the peer" message.
PRJ-20564,
PMTR-62785
Security Management In some scenarios, policy installation on LSM Gaia cluster profile fails with "Policy installation had failed due to an internal error" message.
PRJ-17563,
PRHF-12885
Security Management In some scenarios, reassigning a Global Policy may fail if the Global and local domains are not active on the same Multi-Domain Server.
PRJ-17729,
PRHF-13278
Security Management Upgrade may fail if a Data Center object was last modified by an Administrator with a single quote in the name.
PRJ-19274,
PRHF-14074
Security Management Policy installation duration may increase due to large $FWDIR/conf/invalid_object_names.C file on the Management server. Refer to sk170427.
PRJ-18476,
PRHF-13644
Security Management In some scenarios, the first environment variable configured using sk165938 is not loaded and not used by the CPM process.
PRJ-19571,
PMTR-60842
Security Management In rare scenarios, on a Multi-Domain Server where Domains are using a Security Management Server configured for High Availability, initial configuration of the Security Management Server may fail with "Failed to reach peer after restart" error.
PRJ-20135,
PMTR-60541
Security Management In a rare scenario, the FWM process unexpectedly exits.
PRJ-19950,
PRHF-14394
Security Management The Management HA window in SmartConsole may mistakenly show the "Peer is busy" warning message for a few seconds.
PRJ-19589,
PRHF-12851
Multi-Domain Management UPDATE: With this fix, mds_backup will back up the Upgrade Tools package(s) and mds_restore will restore them on a Multi-Domain Server.
PRJ-19648,
PMTR-62201
Multi-Domain Management In rare scenarios, a Domain is shown in the Domains view without any Domain Server or a Domain is shown with Domain Server that was deleted and does not exist anymore. Refer to sk170556.
PRJ-19278,
PRHF-13977
Multi-Domain Management In rare scenarios, Management server becomes inaccessible after Global Policy reassign operation.
PRJ-18994,
PRHF-13874
Multi-Domain Management The "cplic db_print -all -x" command fails when running on the MDS level.
PRJ-19321,
PMTR-61346
SmartConsole NEW: Added support for Python 3 in Management API scripts.
PRJ-20248,
PMTR-62490
SmartConsole UPDATE: A pop-up warning will be displayed every time a "Custom Application" object with a performance impacting URL is edited (instead of being displayed only once).
PRJ-18466,
PRHF-13551
SmartConsole In some scenarios, Staging mode IPS protections activation in the Local domain does not match the activation in the Global domain after a Global Threat Prevention policy assignment. Refer to sk170322.
PRJ-18338,
PRHF-12226
SmartConsole When using the "set simple-cluster" Management API command to update a user defined security zone, the "Specify security zone" checkbox in SmartConsole is not selected.
PRJ-19323,
PMTR-60220
SmartConsole In some scenarios, the api.csv file may show extra empty columns.
PRJ-19203,
PRHF-13955
SmartConsole In some scenarios, when using the "set simple-gateway" API command with "logs-settings.forward-logs-to-log-server", it fails with "Generic server error". Refer to sk170352.
PRJ-19535,
PMTR-62078
SmartConsole In some scenarios, when adding a new user certificate of type .p12 via API command, the returned certificate may be incorrect.
PRJ-18960,
PMTR-61418
SmartConsole In a VPN Community with MEP configuration, the OK operation may fail with the "Update operation failed" message.
PRJ-20787,
PRHF-13556
SmartConsole When the user creates an Access Role, the AD organization tree may show duplicate branches, and some branches may be missing.
PRJ-20381,
PMTR-62935
SmartConsole Adding Global dynamic objects to source or destination columns of access rules on the Global Domain via Management API may fail when using the Global dynamic object names.
PRJ-20911,
PMTR-63302
SmartConsole In some scenarios, deleting a policy fails.
PRJ-18550,
PMTR-61235
SmartConsole In a community with Cluster VSX member, the Granular encryption window may not open and show "Unable to load page".
PRJ-18309,
PRJ-18307
SmartProvisioning NEW: Added support for Threat Emulation blade on LSM profile of R81 SMB gateways and clusters.
  • Requires R81 SmartConsole Build 548 (or higher).
PRJ-18000,
SL-2106
Logging NEW:
  1. Log Exporter can now schedule a recurring reconnection to the target 3rd party server periodically. This allows usage of a Load Balancer component for target servers.
  2. The target 3rd party server can be declared as a DNS name also when using UDP protocol.
PRJ-19451 Logging UPDATE: Log Exporter read mode default was changed to Semi-unified instead of Raw mode.
PRJ-18099,
PRHF-7415
Logging In rare scenarios, a log may display incorrect values in the Action and Rule field. Refer to sk170676.
PRJ-21078 Logging In rare scenarios, the FWD process on the Security gateway may be blocked for several seconds due to processing of log attachments.
PRJ-18405,
PMTR-59205
Logging FWM and/or log_indexer processes may repeatedly stop when more than ~500K network objects are declared. Refer to sk164452.
PRJ-19819,
SL-4358
Logging In rare scenarios, the log_indexer process may unexpectedly exit when reading a specific log format. Refer to sk116117.
PRJ-19846,
PMTR-62010
SmartView UPDATE: Improved the usability of time resolutions (formerly known as samples) in the Timeline widgets.
PRJ-20875,
PMTR-62957
SmartView UPDATE: To improve performance, SmartView now exports data in CSV format instead of Excel.
PRJ-20795,
PRHF-13973
Security Gateway UPDATE: Service with source port in the Access rulebase will no longer disable accept templates for all connections.
PRJ-19066,
PRJ-18831,
PRJ-20716,
PRJ-20057,
PRJ-20738,
PRJ-20058
Security Gateway In rare scenarios, Security Gateway memory consumption may increase.
PRJ-18982,
PMTR-61179
Security Gateway In rare scenarios, Security Gateway may crash with USFW fwk core file.
PRJ-19802,
PMTR-62080
Security Gateway Connectivity issues may appear due to missing proxy ARP entries on the Security Gateway.
PRJ-19813,
PMTR-62012
Security Gateway In some scenarios, duplicate verification message is displayed when installing NAT policy on Security Gateways R80.40 and lower.
PRJ-20362,
PMTR-62876
Security Gateway In some scenarios, DHCP traffic may be dropped after installing an accelerated policy.
PRJ-19705,
PMTR-62215
Security Gateway In rare scenarios, a memory leak may occur in TOPOD process.
PRJ-20386,
PRHF-13431
Security Gateway In a rare scenario, Access Control policy installation may fail after upgrade of Security Gateway from R80.10 or below to R80.20 or higher.
PRJ-20633,
PRHF-14378
Security Gateway In rare scenarios, high memory consumption in CPD may occur due to a memory leak in authentication flow with an LDAP server.
PRJ-19586,
PMTR-61102
Security Gateway In some scenarios, "email_unified_cmi_get_attribs: not valid caller: up_log_get_user_hash" error appears in dmesg for SMTP traffic.
PRJ-20516,
PRHF-14630
Security Gateway In some scenarios, when using routing separation, connection to Management Plane via Data Plane is dropped.
PRJ-19852,
PRHF-14268
Security Gateway In some scenarios, a memory leak may occur after sending a packet from the kernel.
PRJ-20937,
PMTR-62420
Security Gateway In a rare scenario, policy installation may fail on timeout and "fw amw fetch" process is still running on the Security gateway.
PRJ-18488,
PMTR-61165
Security Gateway In some scenarios, repeating "fwx_alloc_global_find_free_port_atomic: rtsp pending port doesn't match the same pool" errors are displayed in dmesg when using Hide NAT with VoIP.
PRJ-20656,
PMTR-63092
Security Gateway Accept logs with reason "Connection terminated before detection: Insufficient data passed. To learn more see sk113479." may be wrongly generated when the matched action is user authentication and the user provides a wrong username/password.
PRJ-20901,
PRHF-14824
Security Gateway In some scenarios, the DNS requests from the Security gateway may fail.
PRJ-18631,
PRHF-11912
Security Gateway Wrong memory (hmem) values may be reported by specific SNMP OID. Refer to sk168992.
PRJ-19958,
PMTR-62477
Security Gateway Half-closed accelerated TCP connections may take too long to expire.
PRJ-19942,
PMTR-61708
Security Gateway In some scenarios, policy installation fails with "Error code 1-2000245".
PRJ-18316,
PRHF-12224
Security Gateway In rare scenarios, a memory leak may occur on Security Gateway in gconn table.
PRJ-19162,
TEX-1482
Threat Extraction UPDATE: Threat Extraction will no longer attempt to perform "Convert to PDF" if the file is corrupted, because the resulting files in these cases are usually unreadable.
To reactivate this behavior, set the "enable_alternative_scrub_method" variable in $FWDIR/conf/scrub_debug.conf file to 1 and install the Security policy.
PRJ-19194,
TEX-1906
Threat Extraction UPDATE: Threat Extraction (Sanitization) will be automatically disabled when Infinity Threat Prevention mode is installed while the machine does not have enough resources (RAM).
PRJ-18248,
PRJ-18124
Identity Awareness NEW: Added Identity Sharing's performance and functionality improvements. Refer to sk170516.
PRJ-19640,
PMTR-61982
Identity Awareness In some scenarios, when a standby cluster member receives RADIUS accounting updates, there may be high CPU on the PDP process.
PRJ-20863,
IDA-3642
Identity Awareness In some scenarios, there may be enforcement issues for MUHv2 users due to table mismatch.
PRJ-18181,
MBS-12220
URL Filtering In some scenarios, the wstlsd process may unexpectedly exit and produce a core dump.
PRJ-19042,
PRHF-13886
UserCheck In some scenarios, users cannot restore original attachment via UserCheck portal and receive the "An unexpected error has occurred" error message.
PRJ-20927,
PRHF-11733
IPS NEW: Added ability to send connection log per application match for ATM transactions identification. The functionality is disabled by default and can be enabled by using the "up_duplicate_connection_log_on_packet_matched_app_enabled" kernel parameter.
PRJ-19198,
PRHF-10943
IPS In some scenarios, non-compliant IMAP traffic is dropped.
PRJ-19301,
PRHF-13560
IPS In some scenarios, log output shows the Origin/Source as "0.0.0.0" in VSX 3rd party IPS logs.
PRJ-19601,
PRHF-14259
DLP UPDATE: Improved the DLP scans queue for a better scan rate.
PRJ-19923,
PRHF-14156
DLP UPDATE: Expanded DLP postfix authentication to include NTLM to allow the Security gateway to connect to mail servers that use the NTLM authentication protocol.
PRJ-20097,
PMTR-59101
DLP UPDATE: Added support for multi-part data to DLP.
PRJ-20935,
PRHF-14978
SSL Inspection The AES-NI (Intel® Advanced Encryption Standard New Instructions) status is not displayed and "dmesg | grep AES-NI" returns no output. Refer to sk170779.
PRJ-19435,
PRHF-13987
SSL Inspection In rare scenarios, the DynamicID Certificate validation may fail.
PRJ-18843,
PRHF-13322
SSL Inspection In rare scenarios, a memory leak may occur during policy installation.
PRJ-21629,
PMTR-64293
SSL Inspection When IPv6 is enabled, the wstlsd process may consume high CPU after booting in kernel mode, causing HTTPS connections to fail for a few minutes until the CPU returns to normal.
PRJ-17875,
PRHF-10279
HTTPS Inspection UPDATE: "Categorize HTTPS websites" feature enhancements when "Categorize HTTPS Sites" feature is enabled:
  • Improved enforcement of first connection when URL Filtering setting is 'Hold' mode
  • Added SNI information to connection logs when connection is matched on rule with "Extended Log"
  • Hold mode granularity
For configuration, refer to sk173633.
PRJ-19196 Threat Prevention NEW: Improved the way Threat Prevention distinguishes between .docx, .pptx, .xlsx and .zip files.
PRJ-18119,
PRHF-12737
Anti-Malware Indicator feeds exported with the ioc_feeds export command may contain user credentials. Refer to sk169035.
PRJ-19591,
PRJ-16924
Anti-Malware In rare scenarios, after downloading files, Anti-Virus prevent logs appear with "Strict hold is not possible failure - Write to other side occurred" error message.
PRJ-17439,
PMTR-62284
Anti-Malware In some scenarios, users may fail to access a web site with many malicious URLs.
PRJ-20924,
PRHF-13478
Anti-Malware In a rare scenario, Security gateway may crash when the Threat Prevention Forensics feature is enabled.
PRJ-18198,
PRHF-8315
Anti-Malware In some scenarios, multiple files called "ckp_mutex" are created on the Security Gateway.
PRJ-19745,
PRHF-13998
Anti-Bot Dynamic Global Network Object usage inside a Network Group object may cause an Access Policy installation failure.
PRJ-19205,
PRHF-13935
ClusterXL UPDATE: Added the option to display only monitored interfaces to "show cluster members <option>" command:
  • In Gaia Clish, run "show cluster members monitored"
  • In Expert mode, run "cphaprob -m tablestat"
PRJ-19926,
PMTR-58748
ClusterXL In rare scenarios, running cphastop;cphastart may cause a cluster member to stay in "Down" state.
PRJ-19393,
PRHF-14115
ClusterXL "set router active-active-mode" settings do not survive a reboot.
PRJ-20536,
PRHF-14728
ClusterXL In some scenarios, data connections are dropped with "First packet isn't SYN" message on ClusterXL Load Sharing.
PRJ-16568,
MBS-11708
SecureXL NEW: Added the ability to enable monitor-only mode for penalty box independently of other DOS/Rate limiting features.
PRJ-18324,
PRHF-13474
SecureXL UPDATE: Drop templates can be generated for connections with matched action Reject. For additional information and configuration, refer to sk171146.
PRJ-20056,
PRHF-14417
SecureXL In rare scenarios, SecureXL may crash due to NULL handling.
PRJ-18088,
PRHF-13507
SecureXL SNMP may show wrong values for the number of bytes and packets accepted by Security gateway. Refer to sk170132.
PRJ-20028,
PRHF-14228
SecureXL Server may not reuse the TCP connection when the user allows out of state TCP packets.
PRJ-20051,
PRHF-14165
SecureXL Memory leak may occur in VPN or Active Streaming configuration.
PRJ-19407,
PMTR-60870
SecureXL In some scenarios, Rate Limiting rules for DoS do not work after reboot. Refer to sk170148.
PRJ-20105,
MBS-11960
Routing NEW: Added support for ISP Redundancy on Scalable Platforms Appliances.
PRJ-19536,
PMTR-62075
Routing On Scalable Platforms, SSH via MAB may disconnect.
PRJ-19630,
PRHF-14280
Routing ip-reachability-detection ping marks a target IP address as "unreachable" if the path goes via a VPN tunnel, although pinging this IP address directly works.
PRJ-20445,
ROUT-1325
Routing The old route may not be removed when a BGP ECMP route is changed.
PRJ-20243,
PRHF-14562
Routing In rare scenarios, confd or routed process may restart.
PRJ-19464,
PMTR-60878
Routing Routed logs may incorrectly state that routemaps that export to OSPF cannot set the OSPF manual tag, even though the functionality works.
PRJ-18281,
PMTR-58528
Routing Certain types of multicast traffic may not be handled correctly in Bridge mode.
PRJ-18665,
PRJ-18664
Routing PBR does not work with VTI/VPN.
- Gaia OS NEW: Added support for 1570R and 1600 / 1800 SMB appliances.
PRJ-19532,
PRJ-19531
Gaia OS NEW: Gaia API (version 1.5) will now be deployed via Jumbo Hotfix.
PRJ-20501,
PMTR-62883
Gaia OS UPDATE: OpenSSL was updated to version 1.1.1i to include the latest code fixes and security improvements.
PRJ-20472,
PRHF-14653
Gaia OS UPDATE: On Scalable Platforms, added ability to force a Security Gateway to access Management/Log-Server via the NATed IP address for fetching policy or sending logs, by running this command on the Security Gateway: ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 FORCE_NATTED_IP -n 1
PRJ-19518,
PRA-1520
Gaia OS The syslog messages may be spammed when the "show asset all" command is running.
PRJ-17720,
PRHF-13075
Gaia OS In some scenarios, termination of one RADIUS user session can cause another session to lose permission.
PRJ-20944,
PMTR-63343
Gaia OS Upgrade process may fail due to corrupted sic_local_cert.p12 certificate. Refer to sk171253.
PRJ-18721,
PMTR-60804
Gaia OS Bond interface in XOR mode or 802.3AD (LACP) mode may experience suboptimal performance, if on the Bond interface the Transmit Hash Policy is configured to "Layer 3+4" and Multi-Queue is enabled.
PRJ-18773,
PMTR-61381
VPN NEW: Added Remote Access VPN performance improvement.
PRJ-19717,
PMTR-60976,
VPNS2S-1335
VPN NEW: Added VPN command line mechanism stability enhancement and VPN improvements in IKEv2.
VPNS2S-1482 VPN NEW: Added new display of vpn tu tlist command for DAIP gateway.
PRJ-19248,
PMTR-62158
VPN NEW: Added CPDIAG (on/off) for IKE negotiations per community feature.
PRJ-21123,
PRHF-10420
VPN Access roles do not recognize Remote Access SNX CLI clients.
PRJ-19672,
PMTR-61913
VPN In some scenarios, Remote Access Endpoint client disconnects after roaming from Visitor Mode to NAT-T.
PRJ-20869,
PMTR-56565
VPN In some scenarios, the VPND process keeps re-downloading the same CRL, which can cause performance issues.
PRJ-20523,
PRHF-14766
VPN In a rare scenario, the FWM process unexpectedly exits when enrolling a certificate using the SCEP protocol.
PRJ-20276,
PRHF-14308
VPN In a rare scenario, a memory leak may occur when RASession_util is active.
PRJ-20949,
PMTR-63287
VPN In some scenarios, L2TP clients disconnect from the Security gateway after 10 minutes of the connection.
PRJ-20640,
PMTR-63280
VPN In some scenarios, the VPND process may unexpectedly exit.
PRJ-19425,
PRHF-13784
VPN In some scenarios, the VPND process unexpectedly exits with Segmentation fault.
PRJ-20334,
PMTR-62776
VPN Security gateway may crash when you install policy on a MAB gateway and a policy file is corrupted.
PRJ-20082,
PRHF-12828
VPN Connectivity issue may appear between Check Point Gateway and 3rd party device in MEP DPD configuration when 3rd party device is defined as Central Gateway in MEP. Relevant error message: "Failed to resolve VPN MEP gateway".
PRJ-18504,
PMTR-60820
VSX UPDATE: Added support for VSX SecureXL tabs on CPView. Refer to sk167903.
PRJ-20567 VSX IPv6 traffic and multicast IPv4 may not work with Virtual Switch (VSW).
PRJ-20123,
PMTR-62387
VSX In VSX environment, Generic Data Center objects are not enforced on the VSX members.
PRJ-20284,
PRHF-14543
VSX In some scenarios, SNMP v3 users are not recognized on VSX when SNMP is in VS mode. The "Unknown user name" error message is displayed. Refer to sk170993.
PRJ-20597,
PRHF-14400
VoIP VoIP’s RTP can cause overload on global instance (CoreXL instance 0).
PRJ-18979,
PRHF-12691
VoIP SIP parser may cause the wrong RTP dynamic connection to be opened. Refer to sk169373.
PRJ-18971,
PRJ-17805
IoT NEW: Added IoT support to Multi-Domain Security Management.
  • Requires R81 SmartConsole Build 549 (or higher).
PRJ-20905,
PMTR-59281
Endpoint Security NEW: Added support for new Push Operations - Host Isolation and Host Release from isolation.
PRJ-20990,
PMTR-61783
Endpoint Security NEW: Added support for new Push Operation - Remote Uninstall for Endpoint Client.
PRJ-20394 Endpoint Security UPDATE: Updated Endpoint Web Docker Image.
PRJ-19400,
PRHF-14139
Endpoint Security Attempt to move members from one group to another using Endpoint Server command line operations fails.
PRJ-20778,
PMTR-63041
Endpoint Security The "Sent to Client On" column is empty in SmartEndpoint > Reporting > Push Operations even if the push operation was completed successfully.
PRJ-19772 Endpoint Security Database size may increase exponentially because dynamic packages are packed into exported .tgz using migrate_export. 
PRJ-20639,
MBS-10278
Scalable Platforms NEW: Added full support for Gaia Backup.
PRJ-20895,
MBS-12714
Scalable Platforms On Maestro / Scalable Platforms, users may disconnect after several attempts due to bad forwarding in TCPT flow.
PRJ-20749,
MBS-12642
Maestro Gaia scheduled backup fails to run and the /var/log/messages file contains the error "scheduled_backup: SGM isn't SMO, skipping scheduled backup". Refer to sk170925.
PRJ-20140,
PMTR-62718
Maestro "Packet Capture was not found" error when clicking the "View Packet Capture" link in the IPS log.
R81 Jumbo HotFix - Ongoing Take 11 (26 January 2021)
PRJ-21382,
PMTR-62199
Security Management Accelerated Policy installation may fail when a Custom Application is used in Access Control policy, URL Filtering blade is enabled and Application Control blade is disabled on the selected gateway.
PRJ-18511,
PMTR-61232
SmartConsole In a rare scenario, automatic NAT rules are not visible in SmartConsole. This may cause policy installation failure. Refer to sk171395.
R81 Jumbo HotFix - Ongoing Take 10 (14 December 2020)
PRJ-18770,
PRHF-13728
Security Management NEW: Improved FWM process performance during policy or database installation.
PRJ-19096,
PMTR-61758
Security Management Fetch policy on Security gateway may fail after installing Accelerated policy on it.
PRJ-19137,
PMTR-61781
Security Management In some scenarios, policy installation may fail with verification errors when the installation is accelerated.
PRJ-18392,
PMTR-60541
Security Management In a rare scenario, the FWM process unexpectedly exits. 
PRJ-19085,
PRHF-13972
Security Management In some scenarios, HA synchronization may fill up the disk space of a standby Management Server. Refer to sk168492.
PRJ-18493,
PRHF-13681
Security Management In rare scenarios, a policy installation task may never complete.
PRJ-18955,
PRHF-13948
Security Management Policy verification may fail with error "For security gateways R80.40 and higher, rules that use Access Roles can only have ‘Any Traffic’ or ‘RemoteAccess’ in the VPN column".
PRJ-18818,
PRHF-13819
Security Management Management HA synchronization between Multi-Domain Management Servers may fail with "Failed to import data" error due to manual or automatic updates of contracts.
PRJ-18945,
PMTR-61616
Security Management In rare scenarios, FWM process may unexpectedly exit after a login attempt to the Management server.
PRJ-18908,
PMTR-61579
Multi-Domain Management In some scenarios, size of MDS backup file increases after each policy installation.
PRJ-19072 SmartConsole NEW: Added ability to view policies, objects and logs from the new Web SmartConsole. Refer to sk170314.
PRJ-16059,
PRHF-12395
SmartConsole In some scenarios, certain Gateways do not appear in the IPS Core protections list. Refer to sk168474.
PRJ-18350,
PRHF-13223
SmartConsole When removing an object from a group using the “groups” field of the object’s module in the Ansible collection, the group will not be changed and Ansible will show that no changes are needed.
PRJ-20142,
PMTR-60372
SmartConsole Duplicate central licenses may be added to the management database. In some rare scenarios, this may lead to heavy load on the FWM process and prevent login.
PRJ-18554,
PMTR-60476
SmartConsole After enabling the Endpoint Policy Management blade on the Security Management Server, some views on SmartConsole may not load properly and SmartClient may disconnect.
PRJ-16978,
PRHF-12928
SmartConsole In some scenarios, some Web APIs fail with "Script stopped running due to severe error!" message when SMB gateway is defined as a policy target. Refer to sk169557.
PRJ-17644,
PRHF-13379
SmartConsole When creating a user with Check Point password authentication through the Management API, log in to Mobile Access portal may fail. Refer to sk170412.
PRJ-15815,
PRHF-12352
SmartConsole In some scenarios, Management API does not start automatically after restart, although automatic start is enabled. Refer to sk168332.
PRJ-18383,
PRHF-13609
SmartConsole In some scenarios, running an action on a ROBO Gateway behind NAT does not work during sync on SMB appliances.
PRJ-18366,
PRHF-12819
SmartConsole Enabling Threat Prevention policy may fail with validation errors when the policy's targets include cluster members running a version lower than R80.10.
PRJ-17483,
PRHF-12997
SmartProvisioning In some scenarios, when recreating a ROBO object with the same name, the new object receives the previous status.
PRJ-18953,
PRJ-18833
Security Gateway In rare scenarios, Security Gateway memory consumption may increase.
PRJ-18931,
PMTR-61541
Security Gateway NAT may not work properly when domain objects are used in the Translated Destination column.
PRJ-19177,
PMTR-61822
Security Gateway Connections may be wrongly matched on Domain or Updatable objects used in Security policy.
PRJ-19004,
PRHF-13892
Security Gateway In some scenarios, when using routing separation, connection from data plane to management plane is dropped.
PRJ-18685,
PMTR-56181
Security Gateway In some scenarios, compilation errors during policy installation are ignored instead of immediately failing the policy. This may cause drops on the Security Gateway.
PRJ-17806,
PRHF-12119
Anti-Malware In a rare scenario, Security gateway may crash after a match of the Anti-Bot blade.
PRJ-19107,
IDA-3240
Identity Awareness NEW: Performance optimization for Identity broker.
PRJ-18443,
PMTR-59795
DLP In a rare scenario, "SEC Filings - Draft or Recent" Data Type in DLP is not properly enforced.
PRJ-18826,
PRHF-13605
HTTPS Inspection The user may not be able to browse with Chrome when using mixed chain with ECDSA subordinate CA in HTTPS Inspection. Refer to sk170332.
PRJ-17828,
PRHF-13029
SecureXL In some scenarios, CPView may show incorrect statistics for VPN encrypted/decrypted packets.
PRJ-18027,
PRHF-13480
Routing SNMP queries for bgpPeerFsmEstablishedTime return an incorrect constant value. Refer to sk170074.
PRJ-18530 Gaia OS NEW: Added Jumbo Hotfix for Scalable Platforms support. Refer to sk169954.
This Jumbo Hotfix Take is mandatory for Scalable Platform installation. 
PRJ-19156,
PMTR-61729
Gaia OS NEW: Allow Amazon Web Services (AWS) to modify partitioning via lvm_manager.
PRJ-18242,
PRHF-13451
Gaia OS "cphaprob -h" shows wrong explanation for "cphaprob show_bond [<bond_name>]" command.
PRJ-19331,
PRHF-14073
Gaia OS In some scenarios, login from data plane context fails (no connectivity to server).
PRJ-19150,
PMTR-57495
Gaia OS "Docker0" bridge interface with assigned IP address from class B private pool may appear in the system, causing routing issues.
PRJ-19051,
PRHF-13949
Gaia OS In some scenarios, when using routing separation, modifying interface IP address fails.
PRJ-18068,
PMTR-59437
VPN NEW: Added Remote Access VPN performance improvements.
PRJ-19165 VPN UPDATE: Added support for fetching CRL through proxy in Site to Site VPN configuration.
PRJ-18535,
PMTR-61276
VPN In rare scenarios, when a Wire-Mode is configured on a community, it may cause a Security gateway from another community not to accelerate connections in SecureXL.
PRJ-18167,
CRYPTOIS-661
VPN In some scenarios, Security Gateway Portals and Remote Access VPN clients show wrong certificate after certificate renewal. Refer to sk131212.
PRJ-18733,
PMTR-61360
VPN In some scenarios, userspace cores may appear on Security gateways with enabled AES-GCM-256 and AES-256 VPN encryption. Refer to sk169417.
PRJ-18313,
PMTR-60933
VPN "Decryption failed" drop logs may appear under heavy VPN load for accelerated tunnels using SHA 384 or SHA 512 Ciphers.

 

Installation Instructions

Procedure:

  • Installation in Gaia Portal - using CPUSE (Check Point Update Service Engine)

    • Offline installation

      Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").

      1. Install the latest build of CPUSE Agent from sk92449.
      2. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
      3. In the upper right corner, click on the Import Package button.
      4. In the Import Package window, click on Browse... - select the CPUSE package (either offline TGZ file, or exported TAR file) - click on Import.
      5. Above the list of all software packages, click on the Showing Recommended packages button - select All.
      6. Select the imported package Check Point R81 Jumbo hotfix T<number> for sk170114 - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
      7. Select this package and click on Install Update button on the toolbar.


  • Installation in Gaia Clish - using CPUSE (Check Point Update Service Engine)

    For detailed installation instructions, refer to CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".

    • Offline installation

      Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").

      1. Install the latest build of CPUSE Agent from sk92449.
      2. Connect to command line on target Gaia OS.
      3. Log in to Clish.
      4. Acquire the lock over Gaia configuration database:
        HostName:0> lock database override
      5. Import the package from the hard disk:
        HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
      6. Show the imported packages:
        Note: Refer to the top section "Hotfixes" - refer to "Check Point R81 Jumbo hotfix T<number> for sk170114"
        HostName:0> show installer packages imported
      7. Verify that this R81 Jumbo Hotfix Accumulator package can be installed without conflicts:
        HostName:0> installer verify <Package_Number>
      8. Install the imported package:
        HostName:0> installer install <Package_Number>

 

Uninstall Instructions

Important Note: This Jumbo Hotfix Accumulator removes all its packages during uninstall.

    Procedure:

     


    Revision History



    Date Description
    19 Sep 2021 Updated the Important Notes section
    01 Sep 2021
    • Released Take 42 of R81 Jumbo Hotfix Accumulator
    • SmartConsole package has been updated to Build 553
    31 Aug 2021 Updated the Important Notes section
    16 Aug 2021 Added PRJ-22016 to Take 25
    28 Jul 2021 Added PRJ-20570 to Take 34
    26 Jul 2021
    • Take 36 of R81 Jumbo Hotfix Accumulator moved to General Availability
    • Updated the Important Notes section
    25 Jul 2021 Added link to General Availability Jumbo Takes Download Archive
    20 Jul 2021 Published List of upcoming resolved issues
    19 Jul 2021 Released Take 36 of R81 Jumbo Hotfix Accumulator
    29 Jun 2021 Take 29 of R81 Jumbo Hotfix Accumulator moved to General Availability
    27 Jun 2021
    • Released Take 34 of R81 Jumbo Hotfix Accumulator
    • SmartConsole package has been updated to Build 552
    24 May 2021 Released Take 29 of R81 Jumbo Hotfix Accumulator
    09 May 2021 Updated the Important Notes section
    02 May 2021 Published List of upcoming resolved issues
    26 Apr 2021 Released Take 27 of R81 Jumbo Hotfix Accumulator
    18 Apr 2021 Updated the Important Notes section
    08 Apr 2021
    • Released Take 25 of R81 Jumbo Hotfix Accumulator
    • SmartConsole package has been updated to Build 550
    05 Apr 2021 Take 23 of R81 Jumbo Hotfix Accumulator moved to General Availability
    25 Mar 2021 Released Take 23 of R81 Jumbo Hotfix Accumulator
    17 Mar 2021
    • Updated the Important Notes section
    • Published List of upcoming resolved issues
    01 Mar 2021 Released Take 17 of R81 Jumbo Hotfix Accumulator
    08 Feb 2021
    • Released Take 13 of R81 Jumbo Hotfix Accumulator
    • SmartConsole package has been updated to Build 549
    26 Jan 2021 Released Take 11 of R81 Jumbo Hotfix Accumulator
    21 Dec 2020
    • Updated the Important Notes section
    • Published List of upcoming resolved issues
    14 Dec 2020 First release of R81 Jumbo Hotfix Accumulator - Take 10
