A new General Availability Jumbo Hotfix Accumulator take for R80.10 (Take 154) is available.
Also download and install the updated R80.10 SmartConsole.
Take_154 is the latest General Availability release that can be directly downloaded from Check Point Cloud using CPUSE and from sk116380.
Resolved issues since previous GA-Take:
|All||R80.10 Jumbo HotFix support for R80.10 image Take 479.|
|Security Management||Changes to LDAP Account Unit priority made from SmartConsole per Security Gateway are not saved in the database.|
|Multi-Domain Management||Global Policy Assignment fails with "Task failed" error with no details.|
Refer to sk123578.
|Multi-Domain Management||There is no clear error message in case of a license violation during Multi-Domain Management database import.|
|Multi-Domain Management||CMA/Domain upgrade failure indication was improved.|
|Multi-Domain Management||In Multi-Domain environment, Compliance updates do not take effect although a success message is presented in Compliance Overview.|
|Multi-Domain Management||When trying to delete a Domain in a Multi-Domain Management server, operation fails with "Delete Domain failed: Trying to update a detached object through ObjectStoreSession" error.|
Refer to sk124492.
|Threat Emulation||Added new implied rule to allow communication from TED to SYMO.|
|Application Control||The fw_full (fwd daemon) stops working, producing a core dump file and causing a cluster failover.|
|HTTPS Inspection||The following errors may be seen in dmesg and /var/log/messages when enabling HTTPS Inspection:|
[ERROR]: rad_kernel_urlf_request_set_url: cp_lstring_search for path slash failed
[ERROR]: nrb_https_inspection_column_category_fill_rad_request: rad_kernel_urlf_request_set_url() failed
[ERROR]: nrb_rulebase_default_match: virtual match_func failed for column 'External Column' (11)
[ERROR]: nrb_rb_https_inspection_match: virtual rb_match_func failed
|Identity Awareness||MUH Agent sends unnecessary MUH updates causing high CPU on PEP, which leads to delays with getting identities and can cause connectivity issues.|
|Identity Awareness||PDPD daemon stops working periodically when the configured Account Unit contains Domain Controllers that are all defined as "Ignored".|
|Identity Awareness||In rare scenarios, PDPD daemon stops working repeatedly during groups update process.|
|Identity Awareness||Update with "-" machine name from the Domain Controller causes the Identity Collector to create un-authenticated sessions on the PDP.|
|Identity Awareness||In some cases, users are not associated with all LDAP groups to which they actually belong. Therefore, data from the LDAP server may be sent in different order.|
|SmartEvent||"No matches found for your search" message in the browser when searching for a user's name when it starts with 0 and contains only numbers.|
Refer to sk122294.
|Logging||When setting 'log_delete_below_metrics' to MBytes, 'log_delete_below_value' cannot be set to more than a quarter of the disk size. When setting 'log_delete_below_metrics' to percent, 'log_delete_below_value' is unlimited.|
Refer to sk133473.
|SmartConsole||SmartConsole exits at the "Initializing Services" stage of login.|
|SmartConsole||Running "Get Interfaces without Topology" automatically enables Anti-Spoofing.|
Refer to sk136372.
|Gaia OS||tcpdump exits with "Buffer overflow" messages when running "tcpdump -i any -eP" command.|
|Gaia OS||New connections to the gateway are rejected due to too many "kernel: dst cache overflow" messages in /var/log/messages file.|
|VPN||Route based VPN stability was improved.|
|VPN||MSS clamping cooperation with SecureXL in certain scenarios was improved.|
|VPN||IPSEC renegotiation stability in S2S with 3rd parties was improved.|
|Security Gateway||R80.10 Security Gateway sends some wrong SNMP VRRP OIDs.|
Refer to sk130412.
|Security Gateway||Client packets remain un-NATed in the connection table if NAT fails.|
|Security Gateway||Link collisions in Security Gateway due to race condition in cluster environment.|
|ClusterXL||ClusterXL stability during policy installation was improved. |
Refer to sk133372.
|ClusterXL||When there is a large number of BGP peers and interfaces and ClusterXL failover occurs, resulting CPU utilization can be high for a few minutes on the old active member. During this time, routed did not respond to queries such as "show route" command in clish.|
|ClusterXL||With a large number of eBGP peers (>200), RouteD daemon repeatedly stops working.|
Added new Threat Prevention capabilities. For more information, refer to sk122853.
|Security Management||Inplace upgrade from R77.30 to R80.10 fails with "Invalid white space character" message. |
Refer to sk122098.
|Security Management||Security Management migration to R80.10 fails due to NumberFormatException. |
Refer to sk125272.
|Security Management||Following an upgrade from R77 to R80.10, 'Inspection Settings' view will not correctly reflect overridden actions. This does not affect the Security Gateway that continues to receive the correct overridden actions.|
|Security Management||Performance issues in the Management HA incremental HA synchronization mechanism of the Global Domain.|
|Security Management||Performance optimization of Compliance Blade in large scale environment.|
|Security Management||Added infrastructure support for AWS Transit VPC.|
|Upgrade to R80.10 fails with "Maximum Number of Child Elements limit (50000) Exceeded" message. |
Refer to sk123857.
|Multi-Domain Management||Global Domain Assignment fails with "Missing protection 'Protection_Name' in profile 'Default Inspection' in the global domain" message.|
Refer to sk130492.
|Multi-Domain Management||When attempting to import Multi-Domain Server or Multi-Domain Log Server database onto R80.10 machine, the import script fails with "The IP address of the source and target Secondary Multi-Domain Servers/Multi-Domain Log Servers must be the same." error.|
Refer to sk129092.
|Multi-Domain Management||DBsync stops working during a CMA import from R77.x.|
|Multi-Domain Management||After changing the name of a Multi-Domain Management Server, the previous name is still shown in the Domain editor.|
|Multi-Domain Management||"No MD role specified" error when migration/upgrade of Multi-Domain Management Server from pre-R80 MDS to R80.10 fails.|
Refer to sk123862.
|Multi-Domain Management||The mdsstat command was updated for Smart-1 525, 5050 and 5150 Appliances.|
|Multi-Domain Management||"dleserver.utils.UidManager" errors on cma_migrate failure on Multi-Domain Management upgraded from R80.|
|Multi-Domain Management||Upgrade from R77.X to R80.10 of Multi-Domain Management environments that use partial assignments and have more than 50 Domains and local policies (combined) results in inconsistent assignment settings (loss of data).|
|Security Gateway||Check Point response to SegmentSmack (CVE-2018-5390) & FragmentSmack (CVE-2018-5391).|
Refer to sk134253.
|Security Gateway||After upgrade to R80.10, BGP peer is stuck in Active state. |
Refer to sk131592.
|Security Gateway||Dynamic ID does not correctly send a username using the $NAME tag.|
|Security Gateway||Dynamic ID fails with "Dynamic ID authentication failed" error after upgrade to R80.10.|
Refer to sk124953.
|Security Gateway||Dynamic ID does not work with specific vendors that require user's phone number.|
|Security Gateway||BGP communities are not correctly matched by routemaps, resulting in BGP routes not being populated and not advertised.|
|Security Gateway||BGP connections from point-to-point clustered interfaces are rejected.|
|Security Gateway||Security Gateway stops working in some scenarios when Mobile Access blade is enabled in Unified Policy mode and Security Zones are used in the security policy.|
|Security Gateway||Traffic drops after adding rules with Domain objects and installing policy. |
Refer to sk133253.
|Security Gateway||Emails remain in the spool when SMTP Resource Rule is defined.|
Refer to sk122010.
|Security Gateway||"dynamic objects -c" command returns partial output when more than 20 Dynamic objects are defined on the Security Gateway.|
|Security Gateway||Traffic to span port interfaces is dropped when Security Zones are used in Access policy.|
The CPView Utility was improved:
|Routing||NetFlow IPv6 daemon cannot be started after upgrade from R77.30 due to missing bindings in configuration file.|
|Routing||RouteD daemon stops working or OSPF Adjacency is stuck in "Loading" state when receiving OSPF LSA of Type 10 and Type 11. |
Refer to sk115314.
|Routing||VRRP member freezes when deleting a VLAN interface. |
Refer to sk106226.
|Routing||Enabling ping option for static routes causes the routes to disappear on the standby member.|
|SmartConsole||Validation incidents are not disappearing after an upgrade to R80.10 even when resolving them. |
Refer to sk123357.
|SmartConsole||"Policy installation had failed due to an internal error" message on policy installation failure when using Native Mobile Access application that uses '*Any' services (with no other existing Native Mobile Access applications that use other services in the system).|
|SmartConsole||Cannot update the Security gateway object when using permission profile without write permissions for Threat Prevention policy.|
|SmartConsole||API is missing targets information in reply of "install-policy" command when installing on more than 50 targets. The reply holds the first 50 targets only.|
|SmartEvent||SmartEvent's Automatic Reaction emails are missing information in some fields.|
Refer to sk133032.
|SmartEvent||In 'LOGS & MONITOR' tab, HTTPS Inspection queries show no results. |
Refer to sk133392.
|Logging||When certain security rule definition includes the "Alert -> mail" log track option, email alerts have ".." at the end which means some fields were truncated.|
Refer to sk123240.
|Logging||When running "SmartConsole -> Logs & Monitor -> Queries -> Threat Prevention -> IPS Blade -> Staging" query in non-index mode, the "There is a problem to read log file. Try again" error is displayed.|
|Logging||When generating a view of any report, the "Problem has occurred during search" error pops up with details: "Query resolution failed. Logs might not display properly".|
|Mobile Access||Multi-factor authentication with Dynamic ID using Email does not work when the email address ends with 't' or 'n'.|
|Identity Awareness||Identities are not synced to PEP if two PDPs report the same network.|
Refer to sk130373.
|Identity Awareness||When using multiple PEP gateways with the same internal IP address, only one of the PEP gateways gets identities from PDP.|
|Identity Awareness||RADIUS accounting server does not understand accounting-response from Check Point gateway.|
Refer to sk130532.
|Identity Awareness||"Group membership of the required account (user or machine) could not be retrieved from the AD. Make sure the account exists in the AD." log is received from Identity Awareness blade when format of RADIUS user is "user@domain".|
Refer to scenario 6 in sk106133.
|Identity Awareness||AD users with special characters in their names cannot authenticate.|
Refer to sk131872.
|DLP||The dlp_fingerprint and cp_file_convert processes consume CPU at high level although DLP blade is disabled. |
Refer to sk102213.
|IPS||New logs of IPS update tool are created in $FWDIR/log directory on a daily basis. For more information refer to sk131652.|
|IPS||No packet capture is received with IPS protection log. |
Refer to sk121605.
|IPS||Failures during batch update of IPS objects.|
|Anti-Malware||Threat Prevention policy installation fails with "malware_policy_get_ioc_override() failed" message when disabling the "Enable indicator scanning" option.|
|Application Control||Some non-SSL applications are identified as 'Unknown Traffic' when Application Control, URL Filtering and 'Categorize HTTPS Sites' are enabled.|
|Application Control||Non-SSL traffic is dropped with "appi_rad_uf_cmi_handler_server_response: no hello done, failed" error message in dmesg when "Categorize HTTPS sites" feature is enabled. |
Refer to sk64162.
|Gaia OS||Output of "show message motd" clish command is corrupted if the "motd" message is too long.|
Refer to sk122199.
|Smart-1||Pressing <TAB> (autocomplete mechanism) from the Expert mode of Smart-1 525, 5050 and 5150 does not convert paths stored in variables (like $FWDIR) to full paths.|
|VSX||Trusted Source feature does not work in VSX environment. |
Refer to sk122533.
|SecureXL||Multiple RX drops during policy installation under high load traffic.|
Refer to sk123312.
|SecureXL||Connectivity issue during policy installation when NAT templates are enabled between CPUs.|
|SecureXL||EIGRP traffic going through Security Gateway in bridge mode with SecureXL enabled, is randomly dropped.|
Refer to sk125632.
|SecureXL||When the Dynamic Dispatcher is enabled together with SecureXL NAT templates, traffic on port 80 and 443 is dropped with "Instance mismatch (inbound)" messages.|
Refer to sk113398.
|VPN||"You cannot receive an office Mode IP address because the security gateway does not have a license for Office mode" error on SSL Remote Access VPN client (SNX client / Capsule VPN client / Capsule Connect client / Endpoint Connect client) that tries to connect to a Cluster in High Availability mode. |
Refer to sk120652.
|Hardware||Improved forensics with host-side PCIe drivers during shutdown, during Security Gateway crash triggered by a SAM-related problem.|
|CloudGuard||After installing policy, when adding a new Data Center object and running "Menu" -> "Verify Access Control Policy", the verification might fail with the "Rule 1 Hides rule 2 for Services & Applications: Any" error message. |
Refer to sk123572.
|Security Management||Monitoring view does not show the ClusterXL status of VSX members.|
|Security Management||In some scenarios, API login requests fail with "errorCode [CP_ERR_COULD_NOT_CONNECT_FWM]" error in api.elg file.|
When changing the administrator profile by API in Multi-Domain Management, the following scenarios may occur:
|SmartConsole||In some scenarios, the "show package" API command fails due to timeout.|
|SmartConsole||On environments with many revisions, "show-changes" API calls take a long time to finish and can cause the API server to terminate unexpectedly.|
|Security Gateway||Using two Domain objects for the same domain name, one with "www." prefix and the other without, in different rules in the rulebase might cause those rules not to be enforced correctly.|
|Security Gateway||Domain objects of domain names that are defined in local hosts file are not enforced.|
|Security Gateway||A rule with Security Zone object may not be correctly matched for broadcast traffic.|
|Security Gateway||Performance optimization of services and applications matching process.|
Refer to sk128452.
|SmartEvent||After upgrade of a dedicated SmartEvent server, Object synchronization status appears as "Failed" in the status window of SmartEvent GUI.|
|SmartEvent||When setting up clear connection between the Security Management server and R80.10 SmartEvent server per sk101928, Log indexer clear connection could not be established.|
Refer to sk123580.
|SmartEvent||Added ability to filter logs in queries and reports using the "Packets" field.|
|SmartEvent||Automatic reaction is not initiated when selecting the "Send automatic reactions but do not generate an event" option in SmartEvent policy.|
|Logging||In some scenarios, the "Logs & Monitor" view is stuck on searching and does not respond to any query.|
|Threat Emulation||The system cannot emulate files due to lack of disk space.|
Refer to sk124712.
|Gaia OS||Security hardening for Gaia OS WebUI.|
|ClusterXL||In CloudGuard Azure clusters environments, some packets are incorrectly identified as Cluster Control Protocol packets, potentially causing error logs related to cluster state. In some cases, this can lead to a cluster failover.|
|SecureXL||In some scenarios, when SecureXL is enabled, Security gateway crashes under heavy load while opening a new connection from template mask.|