Jumbo Hotfix Accumulator for R81.10 (R81_10_jumbo_hf)
Solution




 

Introduction


R81.10 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues in different products.

   Supported products and configurations

The Jumbo Hotfix Accumulator supports these products and configurations: Security Gateway, Security Management Server, Multi-Domain Management Server, Log Server, Multi-Domain Log Server, SmartEvent Server, Endpoint Security Server, VSX and Cluster.

  • Install this Jumbo Hotfix Accumulator only after you successfully complete the Gaia First Time Configuration Wizard and reboot.
  • Check Point recommends installing Jumbo Hotfix Accumulator on all R81.10 devices.
  • For CPUSE installation, use the latest Deployment Agent build (refer to sk92449).
     

   Support for Scalable Platforms

R81.10 Jumbo Hotfix Accumulator provides support for Security Gateways configurations running on Scalable Platform appliances (Quantum Maestro and Quantum Scalable Chassis).

  • For freshly installed Scalable Platform appliances, first use the R81.10 ISO image from the R81.10 Scalable Platform Home page and then, before placing the machine into the production environment, install the R81.10 Jumbo Hotfix package from the table below.
  • Effective November 23, 2021, R81.10 Scalable Platforms Clean Install and Upgrade images were updated. For more information, see sk176388.
    The new updated image (Take 338) supports only R81.10 Jumbo Hotfix Accumulator Take 14 and higher.






Availability

  • General Availability Take


    Take_9 is the latest R81.10 Jumbo Hotfix Accumulator General Availability release that can be directly downloaded from Check Point Cloud using CPUSE and from this article:

    Product | Take | Release Date | CPUSE Offline package | SmartConsole package
    Security Management / Security Gateway / Maestro Orchestrator Jumbo HF | Take_9 | 30 Aug 2021 | (TAR) | (EXE), Build 402
    Blink Image for Security Gateway and Open Server - Clean Install / Upgrade | R81.10 GA Take 335 + Jumbo HF Take_9 | 18 Oct 2021 | (TGZ) |
    Blink Image for Security Management - Clean Install / Upgrade | | | (TGZ) |
    Blink Image for Multi-Domain Management - Clean Install | | | (TGZ) |

  • Ongoing Take

    Product | Take | Release Date | CPUSE Offline package | SmartConsole package
    Security Management / Security Gateway / Maestro Orchestrator Jumbo HF | Take_14 | 22 Nov 2021 | (TAR) | (EXE), Build 402


  • Use Check_Point_R81_10_JUMBO_HF_MAIN_Bundle_T<Take number>_FULL.tgz for:
    • CPUSE Online Identifier
    • Central Deployment with SmartConsole Online Identifier




 

List of Resolved issues and New Features per HotFix Take



ID Product Description
R81.10 Jumbo HotFix - Ongoing Take 14 (22 November 2021) 
PRJ-29293,
PMTR-72367
Security Management NEW: Added Multi-Domain Server (MDS) level support for exporting data from the Gateways and Servers view into a CSV file.
PRJ-30364,
PMTR-63855
Security Management UPDATE: Added new flags for Management API commands "add/set simple-gateway" and "add/set simple-cluster":
  • "nat-hide-internal-interfaces" and "nat-settings" for NAT configuration
  • "fetch-policy" for Fetch Policy configuration
  • "advanced-settings.sam" for SAM configuration
  • "advanced-settings.connection-persistence" for Connection Persistence configuration.
PRJ-29235,
TPM-2843
Security Management UPDATE: Added a new flag to the Threat Prevention "show-protections" API command ("show-capture-packets-and-track") that allows omitting capture-packets and track information from the response.
PRJ-32347,
PMTR-74618
Security Management Network object groups with more than 101 members may not be enforced correctly on the Security Gateway. The Security Gateway will only match 101 members of the group. Refer to sk176065.
PRJ-30055,
PRHF-18928
Security Management In rare scenarios, the FWM process may unexpectedly exit and fail to start, creating core dumps in the /var/log/dump/usermode directory. Refer to sk175007.
PRJ-29189,
PRHF-18470
Security Management In a rare scenario, High Availability full synchronization may fail due to a large number of records.
PRJ-29100,
PRHF-18749
Security Management In some scenarios, it is possible to disable a parent rule for the Domain Policy.
PRJ-29005,
PRHF-18817
Security Management In some scenarios, Publish operation fails with the "Object with uid=<RandomCharacters> was updated in the database but its dleConvertedObject wasn't found" error. Refer to sk174703.
PRJ-29306,
PMTR-72376
Security Management In environments with a large number of objects, licenses for cluster members in the Licenses tab may not be displayed.
PRJ-28650,
PRHF-18202
Security Management In some scenarios, when using a VPN community, the status of the Global Domain Assignment may change to "not up to date", although no changes were made in the Global Domain.
PRJ-28479,
PRHF-18549
Security Management In a rare scenario, when Identity Awareness blade is enabled, policy verification on an LSM Profile may fail.
PRJ-28537,
PRHF-18063
Security Management In rare scenarios, Global Policy Assignment may fail with the "class name not found for object" error.
PRJ-28897,
PRHF-18677
Security Management If there are no explicit rules in one or more policy layers, policy verification may fail with the "No active rules found in the Security Policy" error.
PRJ-28786,
PRHF-18557
Security Management In some scenarios, "show-mdss" and "show-domains" Management API commands take a significant amount of time to complete or time out after 5 minutes.
PRJ-28778,
PRHF-11027
Security Management The "show-global-assignment" command returns the default limit when the limit request is greater than the default limit.
PRJ-28002,
PRHF-18245
Security Management If Brute Force Password Guessing Protection is set to the value of more than 25 seconds, login to SmartConsole fails.
  • Requires R81.10 SmartConsole Build 402 (or higher).
PRJ-27500,
PRHF-16657
Security Management Policy installation to multiple Gateways from Install Policy Presets may fail if each policy has its own HTTPS Inspection policy.
PRJ-27501,
PRHF-17230
Security Management In rare scenarios during system startup, a cleanup operation may cause high CPU on multiple Postgres processes and prevent login to SmartConsole. Refer to sk175189.
PRJ-27503,
PRHF-17558
Security Management In rare scenarios, Global Domain Assignment and Domain Creation tasks may continue to run indefinitely.
PRJ-28571,
PRHF-18422
Security Management In some scenarios, the Purge Revisions operation fails with the "An error has occurred while performing revisions purge operation, Incident ID - xxxxx-xxxxxxx-xxxxx-xxxxx" message. Refer to sk174645.
PRJ-28300,
PRHF-18362
Security Management In rare scenarios, High Availability on the Global Domain may fail to synchronize the Multi-Domain Log Server if IPS protection was added or removed in the Threat Prevention rulebase.
PRJ-28294,
PRHF-18210
Security Management In rare scenarios, High Availability incremental synchronization may fail with a wrong status message.
PRJ-28089,
PMTR-70942
Security Management In some scenarios, the Administrators view may not filter Domain names according to the permission profile of the connected administrator.
PRJ-28158,
PRHF-17926
Security Management In rare scenarios, if Domain migration fails, the operation may not revert fully and leave some remnants in the database of the Management Server.
PRJ-29159,
PRHF-18883
Security Management Scheduled IPS updates data may not be shown in the IPS update report.
PRJ-29899,
PRHF-18828
Security Management In some scenarios, login to a Domain from the System Domain dashboard may fail with "Failed to connect to server". Refer to sk174910.
PRJ-30047,
PMTR-72849
Security Management The Management API command "show-sessions" may return sessions that were purged and no longer exist in the Management database.
PRJ-29518,
PMTR-72306
Security Management In rare scenarios, when installing a policy immediately after publishing a session, the installation is not accelerated.  
PRJ-29790,
PRHF-17037
Security Management In rare scenarios, login to Multi-Domain Management fails with the "No Valid Domains were found for [username]" error. Refer to sk175005.
PRJ-30031,
PRHF-15460
Security Management In some scenarios, applying the "Where used" action may show incorrect data when an object exists more than once in an Inline Layer.
PRJ-29969,
PRHF-19308
Security Management In some scenarios, simultaneous policy installation on multiple Gateways may fail if there is at least one Gateway on R77.X and one Gateway on R80.X.
PRJ-29470,
PRHF-19006
Security Management In some scenarios, an API query to VRRP cluster for "show simple-cluster name <name>" returns an incorrect cluster type. Refer to sk174866.
PRJ-29791,
PMTR-73142
Security Management When initiating the Secure Internal Communication (SIC) for LSM objects using management API: 
  • When using the LSM API commands for a large batch of devices, failures with an "Establish SIC failed. Reset SIC on gateway and try again." message may occur.  When trying to re-initiate the SIC for a specific device, the SIC is successfully created. 
  • In Multi-Domain Server (MDS) environments, the SIC certificate is created at the Global level instead of the Domain level.
PRJ-30020,
PMTR-72786
Security Management In rare scenarios, the "set-group" API command may return the "generic_err_invalid_parameter" error.
PRJ-27765,
PRHF-17484
Security Management The Management API commands "import-smart-task" and "export-smart-task" are enabled at the System Domain level, although Smart Tasks are only supported at the Local Domain level. 
PRJ-29200,
PRHF-18782
Security Management After an upgrade from R77.x in a multi-site environment, High Availability full synchronization may fail with an "NGM failed to load data" message.
PRJ-30101,
PRHF-19248
Security Management In rare scenarios, a Multi-Domain administrator's profile may be changed after deleting a Domain if the administrator had custom permissions for it.
PRJ-31536,
PRHF-20007
Multi-Domain Management High Availability synchronization status in the Global Domain may show "Unknown" for some Multi-Domain Log Modules (MLM) in environments with more than 6 MDSs/MLMs.
PRJ-29312,
PRHF-18767
SmartConsole The Compliance "Security Best Practices" report for the Anti-Bot practice contains unrelated objects starting with "AB_". Refer to sk174911.
PRJ-29805
Web SmartConsole Added enhancements for Task Manager and policy installation. Refer to sk170314.
PRJ-30371,
PRJ-30370
CPInfo UPDATE: Added CPInfo Build 914000219. Refer to sk92739.
PRJ-29826,
PMTR-72671
SmartView UPDATE: In SmartView, new MITRE ATT&CK techniques were added to the heatmap view.
PRJ-31152,
SL-5634
Logging NEW: SmartEvent can now skip indexing of firewall session logs to reduce load on the Log Server device. The feature is disabled by default. To enable it, see Issue #4 in sk150452.
PRJ-28084,
PRHF-18157
Logging The CPSEMD process on SmartEvent Server may unexpectedly exit when trying to send two automatic reactions simultaneously for the same event.
PRJ-27883,
PRHF-17285
Logging In rare scenarios, Management object changes may not be reflected in the Logs view. When the issue occurs, the CPM process may also consume high CPU.
PRJ-28342,
PMTR-69859
Logging In some scenarios, Log Exporter configured to export over TLS cannot authenticate a certificate from an external certificate authority.
PRJ-29031,
PRHF-17596
Logging In rare scenarios, SmartEvent may show no results or partial results in the Audit Log report.
PRJ-25441,
PRHF-17184
Logging On a Management Server with SmartEvent enabled and many networks configured in the database, login to SmartConsole may fail with an "Error: the operation timeout" message, and the FWM process runs with high CPU. Refer to sk167239.
PRJ-29577,
PRHF-15052
Security Gateway NEW: Added a new kernel parameter "up_disable_early_drop_optimization_for_reject" to disable "Early Drop Optimization" for reject rules. The parameter is enabled by default.
PRJ-29444,
PMTR-72448
Security Gateway UPDATE: The default value for the kiss_kthread_allow_resched kernel parameter is changed to 1. Refer to sk170560.
PRJ-28854,
PRHF-18624
Security Gateway UPDATE: Added DNS Passive Learning support for DNS responses containing the Domain name in uppercase letters.
PRJ-31371,
PRHF-19693
Security Gateway Improved the handling of a large number of sessions per single HTTP/S connection.
PRJ-29131,
PRHF-18716
Security Gateway In rare scenarios, policy installation may fail with an "Operation failed, install/uninstall has been improperly terminated" message.
PRJ-30205,
PMTR-72814
Security Gateway In some scenarios, NATed VPN traffic may be routed out through the wrong interface.
PRJ-29528,
PRHF-18984
Security Gateway In a very rare scenario, the ICAP Server may crash with a core dump file generated.
PRJ-29506,
PRHF-18863
Security Gateway In some scenarios, using automatic Network Static NAT/Address range objects may cause connectivity issues. 
PRJ-29421,
PMTR-71855
Security Gateway In a rare scenario, policy installation on the Security Gateway may fail with an "Error code: 0-2000108" message. Refer to sk170673.
PRJ-29223,
PRHF-17436
Security Gateway In some scenarios, the WSDNSD process may unexpectedly exit and create a core file. Refer to sk173627.
PRJ-29080,
PRHF-17872
Security Gateway In rare scenarios, a duplicate entry may appear in the /etc/cpshell/log_rotation.conf file. This issue is only cosmetic.
PRJ-29089,
PRHF-13493
Security Gateway In some scenarios, the CPD process may consume high CPU because of a memory leak in FDT (File Download Tool).
PRJ-29095,
PRHF-18786
Security Gateway In rare scenarios, policy installation fails with "Segmentation fault" and "Error compiling IPv4 flavor" messages.
PRJ-27652,
PMTR-70634
Security Gateway Negative values may appear in the output of the "fw tab -t connections -s" command and under the NAT section.
PRJ-28811,
PRHF-18657
Security Gateway Added cosmetic fixes of the cpwd_admin list command output.
PRJ-28412,
PRHF-17942
Security Gateway In some scenarios, the routed process may unexpectedly exit.
PRJ-28105,
PRHF-18024
Security Gateway In a rare scenario, a memory leak may occur on the Security Gateway.
PRJ-27561,
PRHF-17949
Security Gateway In some scenarios, configuring an un-numbered virtual interface may cause ARP requests to remain unanswered by the interface. Refer to sk174188.
PRJ-29140,
PRHF-18403
Security Gateway The cpsicdemux process may unexpectedly exit, causing the Secure Internal Communication (SIC) connection to fail.
PRJ-30014,
PMTR-68272
Security Gateway In a rare scenario, CPView may show incorrect SecureXL statistics per VS.
PRJ-28874,
PRHF-18560
Security Gateway In a rare scenario, when using ICAP client, Security Gateway may crash. 
PRJ-28555,
PMTR-71632
Security Gateway Capsule Workspace end users may fail to authenticate to their Exchange mail Server via Mobile Access SSO when authenticated with Kerberos, and the end users belong to many user groups or user groups with very long names.
PRJ-29744,
PMTR-72615
Security Gateway In a rare scenario, due to TCP connection reuse, a TCP connection may not be initiated. Refer to sk11088.
PRJ-30216,
MPTT-4834
Security Gateway In some scenarios, policy installation may take longer or fail when GEO Updatable Objects are used in the policy.
PRJ-30149,
PRHF-17386
Security Gateway There is no option to enable hyperthreading via cpconfig.
PRJ-30252,
PMTR-70219
Security Gateway Added a translation of the error exit code of cprid_util in $CPDIR/log/cprid_util.elg debug log.
PRJ-29589,
PRHF-19049
Security Gateway In a rare scenario, Security Gateway may crash.
PRJ-27165,
PRHF-17760
Security Gateway In a rare scenario, traffic outage may occur. It is caused by a memory leak related to delayed logs.
PRJ-28681,
AVIR-1444
Threat Prevention UPDATE: Added the option to remove proxy usage in ioc_feeds tool.
PRJ-28521,
TPP-1291
Threat Prevention In rare scenarios, the Security Gateway may crash when the TCP connection is unexpectedly closed.
PRJ-28765,
PMTR-71415
Threat Prevention In some scenarios, when using OpenSSH 8.2 Server, file download fails after starting the transfer.
PRJ-28975,
PRJ-28939
Threat Prevention Improved telemetry for Infinity Vision SOC.
PRJ-27437,
PRJ-28137
Threat Extraction In some scenarios, the "fw_send_kmsg: No buffer for tsid 44" error is printed in dmesg.  
PRJ-27436,
PMTR-67604
Identity Awareness NEW: Added automatic mechanism to exclude service accounts on PDP gateway to improve both PDP performance and functionality.
PRJ-32354,
PRJ-32353
Identity Awareness UPDATE: The default threshold value for Identity Collector Service Accounts exclusion was changed from 10 to 100. Refer to sk174266.
PRJ-29404,
IDA-4087
Identity Awareness Improved the Identity Server (PDP) performance for publishing new network on Identity Sharing with SmartPull.
PRJ-27477,
PRHF-18015
Identity Awareness When using sk167118, the user may fail to authenticate if the "Ask user for password" checkbox is enabled.
PRJ-28129,
PMTR-69981
Identity Awareness In some scenarios, the "Browser Transparent Single Sign-On" portal may not use the certificate associated with the IP address resolved from the portal's main URL. Refer to sk174869.
PRJ-27942,
IDA-4112
Identity Awareness In some scenarios, users may not be able to reach Identity Gateway (PEP). Refer to sk174105.
PRJ-29615,
PRHF-18943
Identity Awareness In a rare scenario, some IPv6 sessions may get deleted due to incorrect update of Identity Gateway (PEP) kernel tables.
PRJ-28117,
PRHF-17768
Application Control UPDATE: Improved matching of URLs for custom applications.
PRJ-29308,
PMTR-72312
URL Filtering In some scenarios, HTTPS connections to servers with untrusted certificates are held and not resumed (page cannot load).
PRJ-28637,
PMTR-65461
IPS Proxy source IP address is not printed in the IPS logs.
PRJ-28246,
PRHF-18338
IPS In some scenarios, HTTP Parser in the CPView statistics may show incorrect values for connections with more than 50 sessions.
PRJ-27960,
PRHF-18158
IPS In some scenarios for HTTP, Gateway closes a connection from the Server side, but the user side may remain open.
PRJ-29942,
PRHF-18992
IPS In rare scenarios, if IPS Geolocation is enabled, the Security Gateway may crash.
PRJ-28740,
PRHF-17049
IPS In some scenarios, the destination IP is missing from the IPS logs. Refer to sk174588.
PRJ-32498,
PRJ-32415
IPS In some scenarios, when IPS Automatic update is enabled, a memory leak may occur in the FWD process.
PRJ-31761,
PMTR-73790
IPS Improved the handling of decoded HTTP/S traffic.
PRJ-29193,
TPP-1157
Anti-Bot UPDATE: Improved the performance of Anti-Bot URL Reputation.
PRJ-29477,
PMTR-72234
SSL Inspection In some scenarios, a memory leak may occur when creating ECDHE keys.
PRJ-31203,
PMTR-73538
SSL Inspection If TLS 1.3 is enabled, using imported ECDSA certificates for HTTPS Inspection may cause the Security Gateway to crash. 
PRJ-31150,
PMTR-72409
SSL Inspection A memory leak, related to TLS probing, may occur in the WSTLSD process.
PRJ-31151,
PMTR-72136
SSL Inspection In some scenarios, the WSTLSD process may unexpectedly close, or a memory leak may occur.
PRJ-30461,
PRHF-19516
SSL Inspection In rare scenarios, HTTPS connections may hang indefinitely during the TLS handshake, causing timeout.
PRJ-28259,
PRHF-16057
Mobile Access In a rare scenario, the VPND process may unexpectedly exit, causing user disconnections from the Check Point Mobile client.
PRJ-28069,
VPNRA-761
Mobile Access In rare scenarios, when SNX client is used with Application mode on the Mobile Access Blade, the VPND process may unexpectedly exit.
PRJ-29276,
PRJ-29270,
PRJ-29263,
PRHF-3700,
PRHF-3742,
PRHF-3784
Mobile Access In some scenarios, a memory leak may occur in the CVPND process.
PRJ-30383,
PRHF-19273
ClusterXL In a rare scenario, after an upgrade and reboot, a Standby member is set to down with a FULLSYNC PNOTE and cannot synchronize.
PRJ-28285,
PMTR-71419
ClusterXL Scalable Platform Gateway may drop traffic as "Out of State" when static NAT is configured for the destination IP Address. Refer to sk174234.
PRJ-31796,
MBS-14715
ClusterXL In some scenarios, during an upgrade to R81.10SP, a failover fails with a crash.
PRJ-27229,
PMTR-70242
SecureXL TCP packets may be dropped as "TCP out of state" even when sk11088 was followed.
PRJ-27227,
PRHF-17734
SecureXL Invalid VLAN traffic may cause repeated "deliver_list is empty!!!" error messages in the /var/log/messages file.
PRJ-28287,
PRJ-28054
SecureXL In a rare scenario, DoS/Rate Limiting when using rules with country codes (CC) or autonomous system numbers (ASN) may not update Geo IP files correctly.
PRJ-29498,
ROUT-1745
Routing BGP sessions may unexpectedly close because of unrecognized AFI/SAFI pairs in multiprotocol capability advertisements from a peer.
PRJ-28959,
PRHF-17739
Routing When OSPF is configured, the routed process may unexpectedly exit with the "IsMaxAgeLSAEntry()" assert.
PRJ-29321,
ROUT-1721
Routing AS path loops may occur, although BGP multihop is configured.
PRJ-29894,
PRHF-19268
Routing In some scenarios, when BootP is configured, during policy installation, the Security Gateway may become unresponsive and the routed process may crash.
PRJ-31128,
PMTR-73496
Routing In rare cases, if Graceful Restart is not configured on the BGP peer, BGP routes may be lost near the end of the Graceful Restart.
PRJ-28173,
PMTR-71425
VPN NEW: Added StrongSwan clients counter to the VPN TU Tool.
PRJ-27857,
PMTR-71136
VPN When deleting an entry from m_ht hash table, a memory leak may occur.
PRJ-28028,
PMTR-71319
VPN When a StrongSwan client connects with a RADIUS user, it may not receive an Office Mode IP address.
PRJ-28514,
PRHF-18408
VPN In some scenarios, a memory leak may occur on the Security Gateway.
PRJ-28507,
PRHF-18400
VPN A memory leak may occur in the VPND process.
PRJ-28076,
PRHF-18369
VPN A Remote Access client fails to log in when a DN record length is bigger than 256. Refer to sk174249.
PRJ-28576,
PRHF-17880
VPN In some scenarios, Server connections to Remote Access L2TP clients may be unstable.
PRJ-29298,
PMTR-72019
VPN Added VPN IKEv2 improvements.
PRJ-28754,
VPNS2S-2506
VPN Added IKEv2 improvement for DAIP peer.
PRJ-29284,
PRHF-18818
VPN In rare scenarios, re-configuring a trusted CA bundle may cause a memory leak in the VPND process.
PRJ-28773,
PMTR-71850
VPN In some scenarios, in High Availability clusters with enabled CoreXL, SSL clients cannot connect to the Security Gateway because of incorrect license calculation.
PRJ-28266,
PRHF-18295
VPN A memory leak may occur when clearing the CRL cache file. 
PRJ-29484,
PMTR-72463
VPN A memory leak may occur in the VPND process in IKEv2 Site to Site VPN.
PRJ-28557,
PMTR-20176
VPN In some scenarios, when sending the SCV drop log, a memory leak may occur.
PRJ-30971,
VPNS2S-2692
VPN In a rare scenario, a memory leak may occur in the IKED process.
PRJ-29533,
PRHF-18564
VPN RIM script is not invoked for DAIP peer with Dead Peer Detection (DPD) permanent tunnels in passive mode.
PRJ-31109,
PRJ-31116,
PMTR-73487,
PMTR-73488
VPN In some scenarios, a memory leak may occur in the VPND process.
PRJ-31149,
PMTR-73511
VPN In some scenarios, a memory leak may occur when using the SSL Network Extender (SNX) client to create a site.
PRJ-30870,
PRHF-19755
VPN A memory leak may occur in the VPND process.
PRJ-30702,
PMTR-72756
HTTPS Inspection, VPN A memory leak in HTTPS Inspection and HTTPS portals may occur when using ECDHE ciphers.
PRJ-29554,
PRHF-18753
VSX After reboot, the static ARP configuration of the VS exists in Clish, but the static ARP entries may be missing.
PRJ-28180,
PMTR-71418
VSX In a rare scenario, the "asg perf" command may take up to 90 seconds to update the data. The information may differ from CPView results.
PRJ-28143,
PMTR-71406
VSX In some scenarios, running the "asg perf" command with -vv flag fails.
PRJ-30277,
PMTR-72997
Gaia OS UPDATE: Upgraded OpenSSL to 1.1.1L. Merged the CVE-2021-3711 and CVE-2021-3712 fixes.
PRJ-27697,
PRHF-17721
Gaia OS When a non-TACACS user logs out from WebUI, there is a "Cannot get pid" error message in the /var/log/messages file.
PRJ-28414,
PRHF-17216
Gaia OS After 248 days of up time, the VMSS Gateway sends a Cold restart alert reboot, but the VMSS does not reboot. Refer to sk173413.
PRJ-27614,
PRJ-27612
Gaia OS If the NTPD service is configured in MDPS settings, NTPD error logs appear in /var/log/messages after a reboot.
PRJ-26999,
PRHF-17900
Gaia OS Setting hashed SHA256/SHA512 expert password may fail with an error message: "set password-controls password-hash-type <password_hased> GAIA9999 Invalid Salted Hash".
PRJ-28798,
PRHF-18683
Gaia OS In a rare scenario, a memory leak may occur in the monitord process.
PRJ-26456,
GAIA-8922
Gaia OS The Link Layer Discovery Protocol (LLDP) sends the hostname with a dot when the Domain name is empty.
PRJ-29179,
PRHF-17857
Harmony Endpoint Remote installation push operation "Deployed new Endpoints" does not work on on-prem Servers because of self-signed certificates.
PRJ-29974,
PRHF-16925
Harmony Endpoint In some scenarios, a query which counts host_ckp objects may return more results than expected. It leads to a memory leak with the "Out Of Memory" error.
PRJ-31101,
PRHF-16439
Harmony Endpoint Restoring a UEPM Server backup via the Web Gaia Portal may not work on a new Server where the UEPM blade is not activated.
PRJ-29860,
PRHF-17602
Harmony Endpoint UPDATE: In SmartEndpoint, besides FDE Remote Help, Bitlocker Management Recovery is now available for administrators with limited rights.
PRJ-30516,
PMTR-73094
Harmony Endpoint In the Smart Endpoint tabs, the Server may generate reports where users have long names starting with "ntdomain://".
PRJ-29514,
VSECC-1418
CloudGuard NEW:
In Amazon Web Services (AWS):
  • Added Load Balancers tags. The tags can now be viewed in SmartConsole and added to the rulebase.
  • Added support for IMDSv2.
To enable the feature:
  1. Edit $FWDIR/conf/vsec.conf on the Management Server and add the line: aws.enableLoadBalancersTags=true
  2. From SSH, run: vsec stop;vsec start
Note: This feature requires adding DescribeTags and DescribeLoadBalancers permissions to the AWS Data Centers accounts.
In Azure:
  • Added Application Security Groups.
  • Added Private Endpoints.
To enable the feature:
  1. Edit $FWDIR/conf/vsec.conf on the Management Server and add the line: azure.enableAsgAndPep=true
  2. From SSH, run: vsec stop;vsec start
Note: This feature requires adding permissions to list Application Security Groups and Private Endpoints.
PRJ-29652,
PRHF-17648
CloudGuard IaaS Amazon Web Services (AWS) Data Center scan may fail and no updates are sent to the Security Gateway.
PRJ-29623,
PRJ-28171,
PMTR-60092
CloudGuard IaaS In some scenarios, when there are Data Center objects in Access Policy Rule Base, policy verification may fail although policy installation succeeds.
PRJ-31238,
PRHF-19757
QoS QoS policy installation may fail with “Error - service out of range”. Refer to sk175467.
PRJ-32479 Scalable Platforms UPDATE: Added support for Bridge Mode in Maestro Security Group. 
PRJ-32689 Scalable Platforms UPDATE: Added support for Maestro Hyperscale Orchestrator MHO-175.
PRJ-27336,
PMTR-70850
Scalable Platforms Added a cosmetic fix in asgPeaksTable.
PRJ-29981,
MBS-12054
Scalable Platforms An outage may occur when configuring OSPF over a VPN/VTI interface because of a missing cluster IP address for the VPN/VTI interface.
PRJ-27625,
MBS-14079
Scalable Platforms In rare scenarios, when running the "snmpwalk" command, multiple irrelevant error logs may appear in /var/log/messages.
PRJ-27512,
PRHF-17895
Scalable Platforms In a rare scenario, a memory leak that requires constant reboots may occur.
PRJ-29153,
PMTR-71771
Scalable Platforms In some scenarios, Maestro Orchestrator SDK may stop responding until the Orchestrator service is restarted.
PRJ-30025,
MBS-13662
Scalable Platforms When rebooting a member from the standby site, it may send GARP when booting and cause a connectivity issue.
PRJ-30286 Scalable Platforms Packet drops may occur after Maestro Orchestrator reboot.
PRJ-27157,
PMTR-70678
Scalable Platforms After adding a new user via WebUI, asg_diag may fail on configuration test (config_verify -v) due to inconsistent value in the database. The issue is only cosmetic.
PRJ-29516,
PMTR-72141
Scalable Platforms After setting a specific range of blades in gclish, some commands may fail.
PRJ-29391,
PMTR-72185
Scalable Platforms During an upgrade of a Security Group to R81.10, the "Fetching the policy from the Management Server and installing it" action fails on the upgraded R81.10 Security Group Members. Refer to sk174844.
PRJ-30023,
ODU-181
HCP Added Update 5 of HealthCheck Point (HCP) Release. Refer to sk171436.
R81.10 Jumbo HotFix - General Availability Take 9 (30 August 2021, GA from 18 October 2021)
PRJ-25588,
PMTR-68823
Security Management NEW: Added new features to the Changes report:
  • Summary section to rule
  • Administrator and session info to rule
  • "Back to top" button
PRJ-28702,
ODU-112
Security Management Added Update 11 of Autonomous Threat Prevention Management integration Release. Refer to sk167109.
PRJ-27622,
PMTR-69273
Security Management In a rare scenario, the "Install Database" task may continue to run indefinitely.
PRJ-29485 Security Management When adding a new Multi-Domain Server to an existing environment and connecting to the System Domain of the newly added server, Domains are not shown in the Domains view.
PRJ-27717,
PRHF-17205
Logging In some scenarios, the FWD process on Security Gateway may cause high memory consumption when Log Forwarding is configured or when running the "fw fetchlogs" command.
PRJ-29754,
PRHF-19043
Security Gateway In rare scenarios, the Security Gateway may fail over while handling the HTTP/2 stream.
PRJ-28608,
PMTR-68865
Threat Prevention Large file transfer in connections inspected by SSH Deep Packet Inspection (SSH DPI) may fail if SSH renegotiation is performed during the transfer.
PRJ-27435,
PMTR-67597
Identity Awareness NEW: Added a new Auto-Tune feature for Nested Groups to select the optimal nested state for maximum performance.
The feature is disabled by default. To enable it, refer to sk128212.
PRJ-27434,
PRJ-28656,
PRJ-21304
Identity Awareness NEW: Added support for SAML authentication method for Remote Access VPN. Refer to sk172909 for configuration instructions.
  • Requires R81.10 SmartConsole Build 400 (or higher).
PRJ-28540,
PMTR-71636
ClusterXL During Multi-Version Cluster (MVC) upgrade with R81 Jumbo Hotfix Take 34, the "MVC WARNING uninitialized VPN table" message frequently appears in log. Refer to sk174445.
PRJ-27592,
PMTR-69876
Gaia OS A memory leak may occur on a Security Gateway while configuring Secure Internal Communication (SIC).
PRJ-27795,
PRHF-18108
Harmony Endpoint In some scenarios, Endpoint Firewall starts dropping all network traffic after the Management server upgrade from R80.10.
PRJ-29801,
PMTR-72677
Harmony Endpoint In some scenarios, the Endpoint server may stop responding to the Endpoint clients.
PRJ-28017,
PMTR-71262
Scalable Platforms In some scenarios, bond interface slave fails to properly initialize and shows a partner system MAC address of 00:00:00:00:00:00.
PRJ-28125,
PRJ-28053
Scalable Platforms In some scenarios, the Maestro Gateway leaves the Security Group.
PRJ-29239,
PRHF-18948
Scalable Platforms Configuring an HA bond in VSX may lead to a crash upon active slave change.
PRJ-27262,
MBS-14076
Scalable Platforms The "asg perf" command may fail when it calculates the average load of CPU cores when CoreXL uses all CPU cores available in the Security Group.

 

Installation Instructions

Procedure:

  • Instructions for installation in Gaia Portal - using CPUSE (Check Point Update Service Engine)

    • Offline installation

      Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").

      1. Install the latest build of CPUSE Agent from sk92449.
      2. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
      3. In the upper right corner, click on the Import Package button.
      4. In the Import Package window, click on Browse... - select the CPUSE package (either offline TGZ file, or exported TAR file) - click on Import.
      5. Above the list of all software packages, click on the Showing Recommended packages button - select All.
      6. Select the imported package Check Point R81 Jumbo hotfix T<number> for sk170114 - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
      7. Select this package and click on Install Update button on the toolbar.


  • Instructions for installation in Gaia Clish - using CPUSE (Check Point Update Service Engine)

    For detailed installation instructions, refer to CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".

    • Offline installation

      Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").

      1. Install the latest build of CPUSE Agent from sk92449.
      2. Connect to command line on target Gaia OS.
      3. Log in to Clish.
      4. Acquire the lock over Gaia configuration database:
        HostName:0> lock database override
      5. Import the package from the hard disk:
        HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
      6. Show the imported packages:
        Note: Refer to the top section "Hotfixes" - refer to "Check Point R81 Jumbo hotfix T<number> for sk170114"
        HostName:0> show installer packages imported
      7. Verify that this R81 Jumbo Hotfix Accumulator package can be installed without conflicts:
        HostName:0> installer verify <Package_Number>
      8. Install the imported package:
        HostName:0> installer install <Package_Number>

 

Uninstall Instructions

Important Note: This Jumbo Hotfix Accumulator removes all its packages during uninstall.

    Procedure:

    Revision History

    Date Description
    22 Nov 2021
    • Released Take 14 of R81.10 Jumbo Hotfix Accumulator
    • SmartConsole package has been updated to Build 402
    18 Oct 2021 Take 9 of R81.10 Jumbo Hotfix Accumulator moved to General Availability
    29 Sep 2021 Published List of upcoming resolved issues
    13 Sep 2021 Updated the CPUSE Online Identifier string
    30 Aug 2021
    • First release of R81.10 Jumbo Hotfix Accumulator - Take 9
    • SmartConsole package has been updated to Build 400
