Important security and stability enhancements for Security Gateway

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk100431
Technical Level
Severity	High
Product	IPS, IPSec VPN, Mobile Access / SSL VPN, SSL Network Extender, Identity Awareness, HTTPS Inspection, DLP
Version	R75.40VS, R75.45, R75.46, R75.47, R76, R77, R77.10
OS	Gaia, IPSO 6.2, Windows, SecurePlatform 2.6, Crossbeam XOS, Linux
Platform / Model	All
Date Created	19-May-2014
Last Modified	21-Jul-2018

Symptoms

A potential stability issue might be triggered by a certain traffic condition when one or more of the following is enabled on the Security Gateway:
- IPS blade
- IPsec Remote Access
- Mobile Access / SSL VPN blade
- SSL Network Extender
- Identify Awareness blade
- HTTPS Inspection
- UserCheck
- Data Leak Prevention blade
Relevant versions: R75.40VS / R75.45 / R75.46 / R75.47 / R76 / R77 / R77.10.
Relevant deployments: Security Gateway / Cluster / VSX.

Solution

This problem was fixed. The fix is included in:

Check Point R80.10
Check Point R77.30
Check Point R77.20
Security Gateway VE Hypervisor Mode R77.10
Check Point R76SP for 61000/41000
Jumbo Hotfix Accumulator for R77.10 - since Take_24
Jumbo Hotfix Accumulator for R77 - since Take_7
Jumbo Hotfix Accumulator for R76 - since Take_10
Jumbo Hotfix Accumulator for R75.47 - since Take_30

Check Point recommends to always upgrade to the most recent version (upgrade Security Gateway / upgrade VSX / upgrade Security Management Server / upgrade Multi-Domain Security Management Server).

For other supported versions, Check Point Support can supply a Hotfix.

Customers should install the following hotfix on their Security Gateways.

Procedure:

Note: In cluster environment, this procedure must be performed on all members of the cluster.

Show / Hide hotfix installation instructions - Gaia OS using CPUSE (Check Point Update Service Engine)
We recommend using CPUSE to install this hotfix.

Note: Hotfix has to be installed on Security Gateway / each cluster member.
- In Gaia Portal:
  1. Connect to the Gaia Portal on your machine.
  2. Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out').
  3. Navigate to the 'Software Updates' - 'Status and Actions' pane.
  4. Go to the 'Updates' tab to see the published hotfixes available for download.
  5. Select the Check_Point_Hotfix_VERSION_sk100431.tgz package - right-click on it - click on 'Download' (this will download the hotfix to your machine).
  6. Right-click on the Check_Point_Hotfix_VERSION_sk100431.tgz package - click on 'Install' (this will install the hotfix on the machine and display the installation status).
  7. When prompted for reboot (a pop up window appears), confirm to reboot the machine.
- In Clish:
  1. Connect to Gaia command line (over SSH, or console).
  2. Log in to Clish shell.
  3. See the list of available packages for download:
    HostName> show installer available_packages
  4. Download this hotfix:
    HostName> installer download Check_Point_Hotfix_VERSION_sk100431.tgz
  5. Check the download progress by repeatedly running this command:
    HostName> show installer package_status
    Outputs for example:
    Check_Point_Hotfix_R77.10_sk100431.tgz - Downloading (2.95 MB/s) - Progress: 6% Check_Point_Hotfix_R77.10_sk100431.tgz - Available for install
  6. See the list of available packages for install:
    HostName> show installer available_local_packages
  7. Install this hotfix:
    HostName> installer install Check_Point_Hotfix_VERSION_sk100431.tgz
  8. Check the installation progress by repeatedly running this command:
    HostName> show installer package_status
    Outputs for example:
    Check_Point_Hotfix_R77.10_sk100431.tgz - Installing - Progress: 3% Check_Point_Hotfix_R77.10_sk100431.tgz - installed
  9. Machine will be rebooted automatically.
Contact Check Point Support for any assistance.
Show / Hide hotfix installation instructions - Gaia / SecurePlatform / Linux OS (manual installation in Command Line)
Contact Check Point Support for any assistance.
1. Hotfix has to be installed on Security Gateway / each cluster member.
2. Download the relevant hotfix package:
  
  Note: In order to download these packages you will need to have a Software Subscription or Active Support plan.
  
  Platform R75.40VS R75.47 R76 R77 R77.10
  
  Gaia OS,
  SecurePlatform OS,
  Linux OS Contact
  Check
  Point
  Support
  to get this
  Hotfix (TGZ) (TGZ) (TGZ) (TGZ)
  
  For fixes on top of other affected versions, contact Check Point Support.
3. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
4. Unpack the hotfix package:
  
  [Expert@HostName]# cd /some_path_to_fix/
  [Expert@HostName]# tar zxvf Check_Point_Hotfix_VERSION_Linux_sk100431.tgz
5. Install the hotfix:
  
  [Expert@HostName]# ./fw1_wrapper_HOTFIX_NAME
  
  Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
6. Reboot the machine.
Show / Hide hotfix installation instructions - IPSO OS
Contact Check Point Support for any assistance.
1. Hotfix has to be installed on Security Gateway / each cluster member.
2. Download the relevant hotfix package:
  
  Note: In order to download these packages you will need to have a Software Subscription or Active Support plan.
  
  Platform R75.40VS R75.47 R76 R77 R77.10
  
  IPSO OS 6.2 Contact
  Check
  Point
  Support
  to get this
  Hotfix (TGZ) (TGZ) (TGZ) (TGZ)
  
  For fixes on top of other affected versions, contact Check Point Support.
3. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
4. Unpack the hotfix package:
  
  [Expert@HostName]# cd /some_path_to_fix/
  [Expert@HostName]# tar zxvf Check_Point_Hotfix_VERSION_IPSO6_sk100431.tgz
5. Install the hotfix:
  
  [Expert@HostName]# ./fw1_wrapper_HOTFIX_NAME
  
  Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
6. Reboot the machine.
Show / Hide hotfix installation instructions - Windows OS
Contact Check Point Support for any assistance.
1. Hotfix has to be installed on Security Gateway / each cluster member.
2. Download the relevant hotfix package:
  
  Note: In order to download these packages you will need to have a Software Subscription or Active Support plan.
  
  Platform R75.40VS R75.47 R76 R77 R77.10
  
  Windows OS Contact
  Check
  Point
  Support
  to get this
  Hotfix (TGZ) (TGZ) (TGZ) (TGZ)
  
  For fixes on top of other affected versions, contact Check Point Support.
3. Transfer the hotfix package to the machine (into some directory, e.g., C:\some_path_to_fix\).
4. Install the hotfix:
  1. Use any archive program (WinZIP, WinRAR, 7-Zip, TUGZip, IZArc) to unpack the Check_Point_Hotfix_VERSION_Win_sk100431.tgz file.
  2. Open the Disk_Images folder.
  3. Open the Disk1 folder.
  4. Right-click on the setup.exe file - click on 'Run as administrator'.
    Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
5. Reboot the machine.

Additional resolved issues:

Show / Hide the list of additional resolved issues

Additional issues resolved by this hotfix:

ID	Symptoms	Comments
01354607, 01359114, 01360313, 01360314, 01361087, 01368930, 01375852, 01384279, 01384850	Enabling URL Filtering blade and Application Control blade might cause Security Gateway to hang. Refer to sk99027.	-
01375859, 01376023, 01376384, 01402195, 01402203, 01402212, 01402215	MGCP traffic is randomly dropped with log "`Response to unknown Request. Bad Call-ID`" after upgrade to R76 / R77 / R77.10. Refer to sk99026.	Not relevant for R75.47
01362385, 01366990, 01377452, 01379645, 01396795, 01402500, 01404287	URL Filtering drops the traffic with an "`Internal Error`" log. Refer to sk98743.	Relevant only for R75.47
01396595, 01396692, 01397545, 01398410, 01404169, 01404182, 01404184, 01404197	A redirect to the UserCheck page can cause the fwk0 process to crash, which causes traffic outage. Refer to sk100505.	-
01341419, 01364227, 01368057, 01368058, 01369917, 01370962, 01375738, 01380193, 01391855, 01403937	When URL Filtering or Identity Awareness is enabled, trying to reach HTTPS sites can sometimes cause the Security Gateway to crash. Refer to sk98935.	-
01345138, 01371610, 01381090, 01384237, 01404282, 01404655, 01405997	Upgrade from R76 with enabled Mobile Access blade and Push Notifications to R77.10 can cause the operating system of the Security Gateway to freeze. Refer to sk101062.	-

Applies To:

01382860 , 01400226 , 01399995 , 01400636 , 01417154 , 01400003 , 01400439 , 01557626 , 01400042 , 01441228 , 01384130 , 01401879 , 01417966 , 01428389 , 01417401 , 01412347 , 01688765 , 01418494 , 01402060 , 01400443 , 01400606 , 01446616 , 01400044 , 01400624 , 01400018 , 01400441 , 01534442 , 01401303 , 01719587 , 01423125
01399865 , 01418505 , 01719593 , 01400945 , 01443879 , 01687858 , 01817919 , 01433377 , 01402373 , 01401989 , 01408860 , 01416578 , 01418895 , 01401587 , 01417404 , 01414436 , 01423435 , 01423128 , 01401878 , 01409199 , 01410284 , 01400476 , 01410193 , 01400947 , 01417206 , 01415901 , 01412573 , 01407275 , 01400920
This solution replaces sk100175.

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating