Danny Jung

R80.10: New Jumbo Hotfix (Take 154) GA-Release

Discussion created by Danny Jung Champion on Oct 23, 2018
Latest reply on Oct 24, 2018 by Benoit Verove

A new General Availability Jumbo Hotfix Accumulator take for R80.10 (Take 154) is available.

Also download and install the updated R80.10 SmartConsole.

 

Take_154 is the latest General Availability release that can be directly downloaded from Check Point Cloud using CPUSE and from sk116380.

 

Resolved issues since previous GA-Take:

Product | Symptoms
All | R80.10 Jumbo HotFix support for R80.10 image Take 479.
Security Management | Changes for LDAP Account Unit priority performed from SmartConsole per Security Gateway are not saved in the database.
Multi-Domain Management | Global Policy Assignment fails with "Task failed" error with no details. Refer to sk123578.
Multi-Domain Management | There is no clear error message in case of a license violation during Multi-Domain Management database import.
Multi-Domain Management | CMA/Domain upgrade failure indication was improved.
Multi-Domain Management | In a Multi-Domain environment, Compliance updates do not take effect although a success message is presented in Compliance Overview.
Multi-Domain Management | When trying to delete a Domain in a Multi-Domain Management server, the operation fails with "Delete Domain failed: Trying to update a detached object through ObjectStoreSession" error. Refer to sk124492.
Threat Emulation | Added new implied rule to allow communication from TED to SYMO.
Application Control | The fw_full (fwd daemon) stops working, producing a core dump file and causing a cluster failover.
HTTPS Inspection | The following errors may be seen in dmesg and /var/log/messages when enabling HTTPS Inspection:
  [ERROR]: rad_kernel_urlf_request_set_url: cp_lstring_search for path slash failed
  [ERROR]: nrb_https_inspection_column_category_fill_rad_request: rad_kernel_urlf_request_set_url() failed
  [ERROR]: nrb_rulebase_default_match: virtual match_func failed for column 'External Column' (11)
  [ERROR]: nrb_rb_https_inspection_match: virtual rb_match_func failed
Identity Awareness | MUH Agent sends unnecessary MUH updates causing high CPU on PEP, which leads to delays with getting identities and can cause connectivity issues.
Identity Awareness | PDPD daemon stops working periodically when the configured Account Unit contains Domain Controllers that are all defined as "Ignored".
Identity Awareness | In rare scenarios, PDPD daemon stops working repeatedly during groups update process.
Identity Awareness | Update with "-" machine name from the Domain Controller causes the Identity Collector to create un-authenticated sessions on the PDP.
Identity Awareness | In some cases, users are not associated with all LDAP groups to which they actually belong. Therefore, data from the LDAP server may be sent in different order.
SmartEvent | "No matches found for your search" message in the browser when searching for a user's name when it starts with 0 and contains only numbers. Refer to sk122294.
Logging | When setting 'log_delete_below_metrics' to MBytes, 'log_delete_below_value' cannot be set to more than a quarter of the disk size. When setting it with 'log_delete_below_metrics' to percent, 'log_delete_below_value' is unlimited. Refer to sk133473.
SmartConsole | SmartConsole exits at the "Initializing Services" stage of login.
SmartConsole | Running "Get Interfaces without Topology" automatically enables Anti-Spoofing. Refer to sk136372.
Gaia OS | tcpdump exits with "Buffer overflow" messages when running "tcpdump -i any -eP" command.
Gaia OS | New connections to the gateway are rejected due to too many "kernel: dst cache overflow" messages in /var/log/messages file.
VPN | Route based VPN stability was improved.
VPN | MSS clamping cooperation with SecureXL in certain scenarios was improved.
VPN | Improving IPSEC renegotiation stability in S2S with 3rd parties.
Security Gateway | R80.10 Security Gateway sends some wrong SNMP VRRP OIDs. Refer to sk130412.
Security Gateway | Client packets stay not NATed in the connection table if NAT fails.
Security Gateway | Link collisions in Security Gateway due to race condition in cluster environment.
ClusterXL | ClusterXL stability during policy installation was improved. Refer to sk133372.
ClusterXL | When there is a large number of BGP peers and interfaces and ClusterXL failover occurs, the resulting CPU utilization can be high for a few minutes on the old active member. During this time, routed did not respond to queries such as "show route" command in clish.
ClusterXL | With a large number of eBGP peers (>200), RouteD daemon repeatedly stops working.
Threat Prevention | Added new Threat Prevention capabilities. For more information, refer to sk122853.
  New feature in Mail Transfer Agent (MTA): MTA is now updatable (refer to sk123174).
  The first MTA engine update contains several enhancements and new features, including:
  • Setting a next-hop server by Domain name.
  • Removing/replacing malicious links & attachments from e-mails with a customizable text.
  • Adding a customized text to a malicious e-mail's body or subject.
  • Malicious e-mail tagging using an X-header.
  • Sending a copy of the malicious e-mail.
Security Management | Inplace upgrade from R77.30 to R80.10 fails with "Invalid white space character" message. Refer to sk122098.
Security Management | Security Management migration to R80.10 fails due to NumberFormatException. Refer to sk125272.
Security Management | Following an upgrade from R77 to R80.10, 'Inspection Settings' view will not correctly reflect overridden actions. This does not affect the Security Gateway that continues to receive the correct overridden actions.
Security Management | Performance issues in the Management HA incremental HA synchronization mechanism of the Global Domain.
Security Management | Performance optimization of Compliance Blade in large scale environment.
Security Management | Added infrastructure support for AWS Transit VPC.
Security Management, Multi-Domain Management | Upgrade to R80.10 fails with "Maximum Number of Child Elements limit (50000) Exceeded" message. Refer to sk123857.
Multi-Domain Management | Global Domain Assignment fails with "Missing protection 'Protection_Name' in profile 'Default Inspection' in the global domain" message. Refer to sk130492.
Multi-Domain Management | When attempting to import Multi-Domain Server or Multi-Domain Log Server database onto R80.10 machine, the import script fails with "The IP address of the source and target Secondary Multi-Domain Servers/Multi-Domain Log Servers must be the same." error. Refer to sk129092.
Multi-Domain Management | DBsync stops working during a CMA import from R77.x.
Multi-Domain Management | After changing the name of a Multi-Domain Management Server, the previous name is still shown in the Domain editor.
Multi-Domain Management | "No MD role specified" error when migration\upgrade of Multi-Domain Management Server from pre-R80 MDS to R80.10 fails. Refer to sk123862.
Multi-Domain Management | The mdsstat command was updated for Smart-1 525, 5050 and 5150 Appliances.
Multi-Domain Management | "dleserver.utils.UidManager" errors on cma_migrate failure on Multi-Domain Management upgraded from R80.
Multi-Domain Management | Upgrade from R77.X to R80.10 of Multi-Domain Management environments that use partial assignments and have more than 50 Domains and local policies (combined), has inconsistent assignment settings (loss of data).
Security Gateway | Check Point response to SegmentSmack (CVE-2018-5390) & FragmentSmack (CVE-2018-5391). Refer to sk134253.
Security Gateway | After upgrade to R80.10, BGP peer is stuck in Active state. Refer to sk131592.
Security Gateway | Dynamic ID does not correctly send a username using the $NAME tag.
Security Gateway | Dynamic ID fails with "Dynamic ID authentication failed" error after upgrade to R80.10. Refer to sk124953.
Security Gateway | Dynamic ID does not work with specific vendors that require user's phone number.
Security Gateway | BGP communities are not correctly matched by routemaps, resulting in BGP routes not being populated and not advertised.
Security Gateway | BGP connections from point-to-point clustered interfaces are rejected.
Security Gateway | Security Gateway stops working in some scenarios when Mobile Access blade is enabled in Unified Policy mode and Security Zones are used in the security policy.
Security Gateway | Traffic drops after adding rules with Domain objects and installing policy. Refer to sk133253.
Security Gateway | Emails remain in the spool when SMTP Resource Rule is defined. Refer to sk122010.
Security Gateway | "dynamic objects -c" command returns partial output when more than 20 Dynamic objects are defined on the Security Gateway.
Security Gateway | Traffic to span port interfaces is dropped when Security Zones are used in Access policy.
Security Gateway, Security Management | The CPView Utility was improved:
  • Added new capability to collect and present I/O data.
  • Enabled CPView History collection on Management machines.
Routing | NetFlow IPv6 daemon cannot be started after upgrade from R77.30 due to missing bindings in configuration file.
Routing | RouteD daemon stops working or OSPF Adjacency is stuck in "Loading" state when receiving OSPF LSA of Type 10 and Type 11. Refer to sk115314.
Routing | VRRP member freezes when deleting a VLAN interface. Refer to sk106226.
Routing | Enabling ping option for static routes causes the routes to disappear on the standby member.
SmartConsole | Validation incidents are not disappearing after an upgrade to R80.10 even when resolving them. Refer to sk123357.
SmartConsole | "Policy installation had failed due to an internal error" message on policy installation failure when using Native Mobile Access application that uses '*Any' services (with no other existing Native Mobile Access applications that use other services in the system).
SmartConsole | Cannot update the Security gateway object when using permission profile without write permissions for Threat Prevention policy.
SmartConsole | API is missing targets information in reply of "install-policy" command when installing on more than 50 targets. The reply holds the first 50 targets only.
SmartEvent | SmartEvent's Automatic Reaction emails are missing information in some fields. Refer to sk133032.
SmartEvent | In 'LOGS & MONITOR' tab, HTTPS Inspection queries show no results. Refer to sk133392.
Logging | When certain security rule definition includes the "Alert -> mail" log track option, email alerts have ".." at the end which means some fields were truncated. Refer to sk123240.
Logging | When running "SmartConsole -> Logs & Monitor -> Queries -> Threat Prevention -> IPS Blade -> Staging" query in non-index mode, the "There is a problem to read log file. Try again" error is displayed.
Logging | When generating a view of any report, the "Problem has occurred during search" error pops up with details: "Query resolution failed. Logs might not display properly".
Mobile Access | Multi-factor authentication with Dynamic ID using Email does not work when the email address ends with 't' or 'n'.
Identity Awareness | Identities are not synced to PEP if two PDPs report the same network. Refer to sk130373.
Identity Awareness | When using multiple PEP gateways with the same internal IP address, only one of the PEP gateways gets identities from PDP.
Identity Awareness | RADIUS accounting server does not understand accounting-response from Check Point gateway. Refer to sk130532.
Identity Awareness | "Group membership of the required account (user or machine) could not be retrieved from the AD. Make sure the account exists in the AD." log is received from Identity Awareness blade when format of RADIUS user is "user@domain". Refer to scenario 6 in sk106133.
Identity Awareness | AD users with special characters in their names cannot authenticate. Refer to sk131872.
DLP | The dlp_fingerprint and cp_file_convert processes consume CPU at high level although DLP blade is disabled. Refer to sk102213.
IPS | New logs of IPS update tool are created in $FWDIR/log directory on a daily basis. For more information refer to sk131652.
IPS | No packet capture is received with IPS protection log. Refer to sk121605.
IPS | Failures during batch update of IPS objects.
Anti-Malware | Threat Prevention policy installation fails with "malware_policy_get_ioc_override() failed" message when disabling the "Enable indicator scanning" option.
Application Control | Some non-SSL applications are identified as 'Unknown Traffic' when Application Control, URL Filtering and 'Categorize HTTPS Sites' are enabled.
Application Control | Non-SSL traffic is dropped with "appi_rad_uf_cmi_handler_server_response: no hello done, failed" error message in dmesg when "Categorize HTTPS sites" feature is enabled. Refer to sk64162.
Gaia OS | Output of "show message motd" clish command is corrupted if the "motd" message is too long. Refer to sk122199.
Smart-1 | Pressing <TAB> (autocomplete mechanism) from the Expert mode of Smart-1 525, 5050 and 5150 does not convert paths stored in variables (like $FWDIR) to full paths.
VSX | Trusted Source feature does not work in VSX environment. Refer to sk122533.
SecureXL | Multiple RX drops during policy installation under high load traffic. Refer to sk123312.
SecureXL | Connectivity issue during policy installation when NAT templates are enabled between CPUs.
SecureXL | EIGRP traffic going through Security Gateway in bridge mode with SecureXL enabled, is randomly dropped. Refer to sk125632.
SecureXL | When the Dynamic Dispatcher is enabled together with SecureXL NAT templates, traffic on port 80 and 443 is dropped with "Instance mismatch (inbound)" messages. Refer to sk113398.
VPN | "You cannot receive an office Mode IP address because the security gateway does not have a license for Office mode" error on SSL Remote Access VPN client (SNX client / Capsule VPN client / Capsule Connect client / Endpoint Connect client) that tries to connect to a Cluster in High Availability mode. Refer to sk120652.
Hardware | Improved forensics with host-side PCIe drivers during shutdown, during Security gateway crash triggered by a SAM-related problem.
CloudGuard | After installing policy, when adding a new Data Center object and running "Menu" -> "Verify Access Control Policy", the verification might fail with the "Rule 1 Hides rule 2 for Services & Applications: Any" error message. Refer to sk123572.
Security Management | Monitoring view does not show the ClusterXL status of VSX members.
Security Management | In some scenarios, API login requests fail with "errorCode [CP_ERR_COULD_NOT_CONNECT_FWM]" error in api.elg file.
SmartConsole | When changing the administrator profile by API in Multi-Domain Management, the following scenarios may occur:
  1. Modifying administrator's profile may not take effect, previous permissions are still configured and might be enforced.
  2. User can configure "Permission profile per domain" in addition to "Multi-Domain Super User" or "Domain Super User" not knowing it may not take effect.
SmartConsole | In some scenarios, the "show package" API command fails due to timeout.
SmartConsole | On environments with many revisions, "show-changes" API calls take a long time to finish and can cause the API server to terminate unexpectedly.
Security Gateway | Using two Domain objects for the same domain name, one with "www." prefix and the other without, in different rules in the rulebase might cause those rules not to be enforced correctly.
Security Gateway | Domain objects of domain names that are defined in local hosts file are not enforced.
Security Gateway | A rule with Security Zone object may not be correctly matched for broadcast traffic.
Security Gateway | Performance optimization of services and applications matching process. Refer to sk128452.
SmartEvent | After upgrade of a dedicated SmartEvent server, Object synchronization status appears as "Failed" in the status window of SmartEvent GUI.
SmartEvent | When setting up clear connection between the Security Management server and R80.10 SmartEvent server per sk101928, Log indexer clear connection could not be established. Refer to sk123580.
SmartEvent | Added ability to filter logs in queries and reports using the "Packets" field.
SmartEvent | Automatic reaction is not initiated when selecting the "Send automatic reactions but do not generate an event" option in SmartEvent policy.
Logging | In some scenarios, the "Logs & Monitor" view is stuck on searching and does not respond to any query.
Threat Emulation | The system cannot emulate files due to lack of disk space. Refer to sk124712.
Gaia OS | Security hardening for Gaia OS WebUI.
ClusterXL | In CloudGuard Azure clusters environments, some packets are incorrectly identified as Cluster Control Protocol packets, potentially causing error logs related to cluster state. In some cases, this can lead to a cluster failover.
SecureXL | In some scenarios, when SecureXL is enabled, Security gateway crashes under heavy load while opening a new connection from template mask.
