In-place upgrade of Multi-Domain Management / Multi-Domain Log Server from releases prior to R77 may fail due to missing disk space on root partition. In order to avoid this, refer to sk101589.

Note: The issue is solved on July 20, 2014 by replacement of Gaia Upgrade Package from R76 and R75.4x and SecurePlatform Upgrade Package for Multi-Domain from R76.

It is not possible to disable a Bond interface on Gaia OS:

• In Gaia Portal, the "enable" checkbox of a Bond interface is greyed out (so it is not possible to clear this box)
• "NMSETH0029 Interface Name_of_Bond state cannot be set to off, it can only be deleted" error in Clish when running the 'set interface Name_of_Bond state off' command.

00267458, 01526068, 01539200

• "Gaia Web-UI recognized a non-valid input data" error when adding SNMP Trap receiver in Gaia Portal
• "NMSSNM002 Community names cannot contain spaces or special characters" error when adding SNMP Trap receiver in Gaia Clish.

Gaia OS syslogd daemon and Check Point syslog daemon can not run simultaneously on Security Management Server / Domain Management Server / Log Server on Gaia OS in the following scenario:

• "Accept Syslog messages" is enabled in the properties of Management Server / Log Server object (SmartDashboard - object properties - "Logs" menu - "Additional Logging Configuration").
• Gaia OS on Management Server / Log Server is configured to forward the received syslog messages to another Syslog server (Gaia Portal - "System Management" pane - "System Logging" - click on "Add" - enter the IP address of another Syslog server).

• When TACACS+ non-local user runs clish -c "some_clish_syntax" command from Expert mode (e.g., clish -c "show interface eth0"), the following errors appear:

  [Expert@HostName]# clish -c "some_clish_syntax"
  CLINFR0829  Unable to get user permissions.
  CLINFR0599  Failed to build ACLs.
  

• When TACACS+ non-local user runs clish -c "some_clish_syntax" command from Expert mode (e.g., clish -c "show interface eth0") on VSX Gateway, the following error appears:

  [Expert@HostName:0]# clish -c "some_clish_syntax"
  CLINFR0220  User is not allowed to access any virtual-system.
  

Not possible to configure AES and SHA1 for SNMPv3 USM user on Gaia OS.

Refer to sk90860 - section "(IV-5) Advanced SNMP configuration - Configure SNMPv3 users to use SHA / AES authentication".

During policy installation, /var/log/messages file on Security Gateway shows the following Gaia Clish auditlog entries:

• Domain name (FQDN) that was configured in First Time Configuration Wizard does not appear in the /etc/hosts file on Gaia OS.
• Not possible to add Domain name (FQDN) of hosts to the /etc/hosts file on Gaia OS.

To get logs from a newly installed Security Gateway (Security mode or VSX mode):

1. Install a Security policy on the Security Gateway.
2. Install the database on the Security Management Server (Policy > Install Database).

On a Security Management Server running on Linux OS, an FTP command sometimes results in an error: "Auth type not supported".

Workaround: Navigate to the /usr/bin/ directory and then run FTP commands.

• During policy installation, SmartDashboard suddenly disconnects from Security Management Server / Domain Management Server. There are no error messages.
• After the failed policy installation, Edge devices are not able to connect to this Service Center.
  Only after manual restart of SMS process resolves this issue.
• FWM process and SMS process crash with core dump files during policy installation.

Installing policy on R77.X Security Gateway(s) and UTM-1 Edge device(s) at the same time might fail during Policy Compilation with the following error:
cpp: line N, Error: Inside #ifdef block at end of input, depth = X
1 error in preprocessor

SmartEvent dialog box is empty when going to 'Application & URL Filtering' tab - clicking on 'Overview' pane - in 'Top Users' widget hovering with a mouse cursor over a user - clicking on 'More info...'.
Refer to sk102629.

The following message appears in SmartDashboard when trying to delete a Satellite Gateway object from an IPsec VPN community:

When trying to rename an Interoperable Device object, the following warning appears in SmartDashboard:

"Installation failed. Reason: Load on module failed, failed to load security policy" error in SmartDashboard when installing policy from Security Management Server R77 (and above) onto Security Gateways R76 and lower.

Refer to sk33893.

Sometimes, the R77.20 Add-on column does not show in SmartDomain Manager after the Add-on package is installed on the Multi-Domain Management Server.

Workaround: Restart the MDS processes. Run: mdsstop -s and mdsstart -s.

Sometimes, a new Domain cannot be created after the installation of the R77.20 Add-on.

Workaround: Restart the MDS processes. Run: mdsstop -m and mdsstart -m.

"Unexpected error" pops up in the SmartDashboard when trying to connect to Primary Security Management Server after failover.
Refer to sk107176.

FW process crash on CLM when running the "fw fetchlog" command.

Refer to sk110733.

Uploading a large attachment with Outlook Web App 2010 sometimes fails.

To fix: Install the Microsoft patch on Windows Servers 2008 and lower.

If a Security Gateway is configured for NAT and belongs to a community with IKEv2, then the IKEv2 negotiation sometimes fails.

Workaround: Disable NAT for the IPsec VPN community.

IPv6 routing issue in Star community when VPN Routing is set to "To center, or through the center to other satellites, to internet and other VPN targets" (VPN Community properties - "Advanced Settings" - "VPN Routing"):

• If IPv6 is enabled on the Center Gateway, then all IPv6 traffic will be sent through the Center Gateway
• If IPv6 is disabled on the Center Gateway, then IPv6 traffic between internal networks will be dropped by the Center Gateway with "Clear text packet should be encrypted"

When traffic passes through a VSX in Bridge mode, a connection may fail after the failover to an upgraded member.

Workaround: Set the value of Forward Delay parameter for Bridge interface to 1 (one).
Refer to sk66531.

State of R77.10 / R77.20 ClusterXL member changes to "Down" due to Critical Device "Interface Active Check" in the following scenario:

1. Monitoring of the lowest and highest VLANs is enabled (default; fwha_monitor_low_high_vlans=1)
2. A new VLAN is added on the ClusterXL member with VLAN ID, which is lower/higher than any existing VLAN ID

SSL Network Extender in Application Mode does not support applications that use IPV6 or IPV4-mapped IPV6 addresses. The default action for such connections is to go directly to the destination and not through the SSL tunnel even if its destination is in the encryption domain. To enhance security, you can change the default behavior of such connections to drop.

To do this, change the DWORD 32 registry key decimal value to:
11, HKEY_CURRENT_USER\Software\Checkpoint\SSL Network Extender\parameters\DropIpv6

Refer to sk97444.

To query a VSX Gateway / VSX cluster member over SNMPv2 / SNMPv3, the query should be sent to the VSX machine itself (context of VS0):

• In DMI configuration:
  
  • In case of a single VSX Gateway, the SNMP query should be sent to the IP address of the DMI interface.
  • In case of a VSX cluster, the SNMP query should be sent to the physical IP address (of the DMI interface) of each cluster member.
• In non-DMI configuration:
  
  • The SNMP query should be sent to the physical IP address of the external interface on the VSX machine.

After a VSX cluster member is upgraded to R77.20 and rebooted, its cluster state changes to 'Ready' before all the Virtual Systems are up. This may lead to a failure during the failover.

Workaround: Make sure each Virtual System has restarted, before you continue with the rest of the VSX cluster upgrade and failover.
On each Virtual System run:

1. cphaprob state
   Make sure the Virtual System is in Ready state.
2. ps auxw | grep fwk
   Make sure that the fwk process started on the Virtual System.

In VSLS, when a MGMT interface is disconnected from a cluster member:

• Cannot install policy on Virtual Systems on the member with the disconnected Management interface
• Active Virtual Systems on that member do not failover

1. Open Virtual System / Virtual Router object.
2. Go to 'Topology' pane.
3. Click on 'Advanced Routing...' button.
4. Click on 'Add...' button.
5. When configuring a rule, VSX Gateway itself does not appear in the 'Next Hop Gateway' list (only other Virtual Systems / Virtual Routers appear).

Workaround: Add the DHCP ports (67 and 68) to management_specific_ports_hide table.

Conversion of a Security Gateway to VSX mode fails when the Threat Emulation blade is enabled. An error message incorrectly says that Threat Emulation is not supported for VSX.

Workaround: Disable Threat Emulation blade before you start the conversion and then enable it when the conversion completes.

State of Virtual System in VSX High Availability cluster changes to "Down" due to Critical Device "Interface Active Check" in the following scenario:

1. Monitoring of the lowest and highest VLANs is enabled (default; fwha_monitor_low_high_vlans=1)
2. VLAN with lowest VLAN ID was configured on one Virtual System "A" ("VS_A")
3. VLAN with highest VLAN ID was configured on another Virtual System ("VS_B")
4. VLAN was configured on Virtual System "A" ("VS_A") with VLAN ID, which is higher than any existing VLAN ID on Virtual System "B" ("VS_B")

Threat Prevention policy installation fails:

• In SmartDashboard with "Compilation failed" error.
  
  

• When manually loading the policy under debug, with these errors:

  amw_add_key: fread() failed
amw_load: amw_add_key() failed
amw_load_main: amw_load has failed
main: amw_load_main() failed

When name of file attached to e-mail is written in non-ASCII characters, it is displayed as "unsafe string" in received e-mail.
Refer to sk105164.

UserCheck block page is not shown when some sites are blocked and HTTPS Inspection is on.

Refer to sk110689

SecureXL drops DNS packets in the following scenario:

1. Drop Optimization is enabled in Security Gateway / Cluster object (per sk90861)
2. DNS fast expiry feature is enabled (value of "delete_on_reply" attribute in the "domain-udp" service is set to "true")

TCP traffic is dropped with "TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK" log in SmartView Tracker in the following scenario:

• Security Gateway is configured in Bridge mode
• SecureXL is enabled
• Application Control blade / URL Filtering blade is enabled

evs_backup command sometimes fails with the following messages:

Security Gateway fails to fetch new IntelliStore feeds.
Refer to sk102649.

IPS Exception with Protection ANY does not work.
Refer to sk117397.

• IPv6 traffic does not pass through Security Gateway with configured CoreXL IPv6 FW instances.
• Kernel debug ('fw ctl debug -m fw + drop') shows that IPv6 traffic is dropped by CoreXL SND:
  ;[cpu_X];[fw6_X];fw_log_drop_ex: Packet proto=58 ... dropped by fwmultik_dispatch_outbound Reason: No instance (outbound);