R80.20: New Jumbo Hotfix (Take 43) On-Going Release

Yifat_Chen — Mon, 11 Feb 2019 19:46:31 GMT

Hi,

A new Ongoing Jumbo Hotfix Accumulator take for R80.20 (take 43) is available. Please refer to sk137592

Resolved Issues:

Product	Symptoms
Security Management	Values updated in resourceProfiles files to handle high CPU utilization for "Java" process (described in sk123417) are not resistant and get overridden after Jumbo Hotfix Accumulator installation or backup/restore or export/import procedures.
Security Management	Running the fwm sic_reset command from CMA fails with "reset_objects: updateMultiple failed". Refer to sk142512.
Security Management	Once user performs any change to his configuration, the Compliance blade performs a partial scan and calculates the relevant Best practices. During this scan, exceptions of relevant objects for these Best practices are deleted. Meaning, if previously obj1 was excluded from applying Best practice #1, during partial scan obj1 will be relinked to Best practice #1.
Multi-Domain Management	After new Domain creation, logs from this Domain are not seen in SmartConsole.
Multi-Domain Management	Upgrade of the Primary Multi-Domain Server from R80.10 fails when its Global Domain is in Standby mode. Refer to sk143892.
Multi-Domain Management	CPView is not supported on Multi-Domain Security Management environments.
SmartConsole	"Synchronization with Check Point UserCenter" feature displays "Synchronization with Check Point UserCenter requires a valid license." warning message even though all licenses are valid.
SmartConsole	If administrator updates his details (e.g. name, phone, email) and tries to publish the session, it fails with "Internal error" message. After Jumbo HFA installation, the session cannot be published or discarded and any further update will fail.
SmartConsole	When using Global VPN Community with permanent tunnel gateways list (matrix / permanent tunnel gateways), upgrade from R7x fails.
SmartConsole	"Error: SIC initialization failed because of failure in parsing the certificate file" error when user attempts to log in with certificate to API (mgmt_cli) with password including "!".
SmartConsole	Web API show-package fails if the package was installed on a cluster member which is already deleted. Refer to sk144132.
SmartConsole	Attempt to update Threat Emulation images fails with "Could not send Threat Emulation images update command, validate SIC connectivity and install policy with Threat Emulation enabled for [name]" message.
SmartConsole	The existing regulation is not updated and appears as "EU Data Privacy" instead of "GDPR".
Security Gateway	Traffic is dropped when using non-FQDN Domain object in Security policy.
Security Gateway	Added support for NAT on payload of H323 packets when different IP addresses are used for payload and control.
Threat Emulation	Added ability to update Threat Emulation file types in an offline environment.
HTTPS Inspection	When HTTPS Inspection is enabled and "Hide X-Forwarded-For in outgoing traffic" option is selected, the XFF header is not obfuscated on HTTPs traffic.
Identity Awareness	In some scenarios, Identity Agent fails to authenticate using Kerberos SSO due to very large Kerberos ticket and the agent fallback to User/Password authentication.
Anti-Malware	During upgrade, if Anti-Virus is enabled, all emails are stuck in MTA queue due to missing certificate.
IPS	The "A general error has occurred" message is displayed when trying to change the IPS protection configuration in "MySQL -> General settings".
Web Intelligence	In some scenarios, connectivity issues between Capsule Workspace and Security gateway.
Web Intelligence	Potential memory leak due to "Out of state" HTTP response.
SSL Inspection	Added support for custom extension used by Apple.
Logging	In rare scenarios, when the Log server miscalculates the available disk space, it may stop receiving logs from the connected gateways and cause the logs to accumulate locally on the Security gateway. Refer to sk146152.
Logging	After two or more upgrades of a Security gateway / Security Management server / Log server or SmartEvent server, log maintenance fails to delete logs from older version.
Logging	After Daylight saving time change, the logs from the time of change until the end of the day are not indexed and the "Illegal instant due to time zone offset transition (daylight savings time 'gap')" error is displayed in solr.elg file.
Logging	After upgrade from R80.x to R80.20 GA, the pre-upgrade logs data will not be deleted according to the logs retention policy.
Logging	In rare scenarios, due to a connection attempt failure to the Security Management, the Security gateway starts logging locally.
Logging	When Security gateway is configured to send alerts only to a specific Log server, logs may be written locally on the gateway instead to be sent to the Log server.
Logging	Added Threat Emulation forensic report in SmartView Log card.
SecureXL	Memory consumption on Security Gateway increases after enabling NetFlow v9 in Gaia OS. Refer to sk118719.
SecureXL	Concurrent connections monitoring can become inaccurate when "fw samp quota" rules are changed.
SecureXL	In rare scenarios, Security gateway crashes when penalty checkbox is selected.
SecureXL	In some scenarios, large number of incorrectly classified "simlinux_br_port: dev == NULL !!!" debug messages appear in kernel message logs.
ClusterXL	In some scenarios, standby cluster member sends PIM Hello packets.
VSX	In some scenarios, the cpd and fw_full processes stop working when the TDERROR debug flag is enabled.
VSX	Traffic from a Virtual System in VSX Cluster to Security Management Server is dropped with "Local interface address spoofing" log. Refer to sk110473.
Gaia OS	CVE-2018-15473: Username enumeration is possible due to a premature bail-out while dealing with a malformed packet. The issue exists in several authentication protocols.
Gaia OS	When using conv2db to recreate Gaia database from /config/active, comments are not skipped and the new database file may contain irrelevant information. Refer to sk139832. Note: the issue is cosmetic only.
Gaia OS	SNMPD process fails to send Coldstart on reboot. Coldstart is configured by threshold that can be too short comparing to the OS boot time.
Gaia OS	Connectivity problem for 10 Gigabit fiber network interfaces (be2net driver) after upgrade from R77.30.
Gaia OS	Added support for "/", "(", and "*" characters as part of the system message banner.
Gaia OS	syslog messages forwarded to external Syslog server, do not contain the host name. Refer to sk100727.
Gaia OS	In some scenarios, snmpwalk reports false values of bond interface.
Gaia OS	In some scenarios, sporadic timeouts occur during snmpwalk run.
Gaia OS	Different LOM versions are reported in WebUI and Clish.
VPN	After Cluster failover, VPN tunnel is down and "Unknown SPI for IPsec packet" log is shown. Refer to sk112339.

Thanks!

Release Management Group

Re: R80.20: New Jumbo Hotfix (Take 43) On-Going Release

Pedro_Silva — Mon, 25 Feb 2019 08:28:44 GMT

How do we find out more information about the symptoms fixed by "

SSL Inspection

Added support for custom extension used by Apple.

I tried logging a support ticket but didn't receive any additional information.

I am used to things like Cisco Bugtraq that gives usually good info to help you determine if a fix applies to the problems you are experiencing.

Thanks

Pedro

topic Re: R80.20: New Jumbo Hotfix (Take 43) On-Going Release in General Topics

R80.20: New Jumbo Hotfix (Take 43) On-Going Release

Re: R80.20: New Jumbo Hotfix (Take 43) On-Going Release