Support Center > Search Results > SecureKnowledge Details
Check Point R77.20 Resolved Issues
Solution

This article lists all of the issues that have been resolved in R77.20.

Important notes:

 

Table of Contents

  • General
  • Upgrade
  • Security Gateway
  • ClusterXL
  • Gaia / SecurePlatform
  • Dynamic Routing
  • Identity Awareness
  • Anti-Malware
  • UserCheck
  • Application Control
  • URL Filtering
  • IPS
  • DLP
  • Threat Prevention (Anti-Bot / Anti-Virus / Threat Emulation)
  • Internal CA
  • Mobile Access
  • SSL Network Extender
  • SecureXL
  • Security Management
  • Multi-Domain Security Management
  • SmartDashboard, SmartView Tracker and SmartView Monitor
  • SmartEvent / SmartReporter
  • SmartProvisioning
  • SNMP
  • QoS
  • VPN
  • VSX
  • Compliance Blade
  • VoIP
  • Endpoint Security Unified Management
  • CoreXL
  • Appliances
  • IPSO
  • HTTPS Inspection

 

ID Symptoms
General
01404337,
01408283
On SecurePlatform, some static routes configured on an interface are deleted when using the 'eth_set' command to set speed/duplex on that interface to 'autoneg'.
Refer to sk100988.
01369132, 01395955
Clean install from USB device fails on Check Point Appliance because the installation process (anaconda) includes the USB installation media as part of the installation target.
Refer to sk100566.
Upgrade
01375792 "Check Point SmartEvent Client experienced a serious problem and must close immediately..." when trying to connect with SmartEvent GUI to SmartEvent Server for the first time after upgrade to R77.10.
Refer to sk98878.
Security Gateway
01322955,
01323223,
01323225,
01339025,
01404871
Specific traffic is dropped by Security Gateway, although it should be accepted by the relevant security rule because in FireWall rulebase, the Service may be evaluated before evaluating the Source or the Destination.
Refer to sk97876.
01364112,
01366286,
01366291
RTSP 'SETUP' request packets are dropped by Security Gateway.
Refer to sk99114.
01354607,
01360314,
01359114,
01360313,
01361087,
01368930,
01375852,
01384279,
01384850,
01399125,
01399635,
01402104,
01402197,
01402236,
01402238,
01402247,
01404673,
01405817,
01413670
Enabling URL Filtering blade and Application Control blade might cause Security Gateway to hang.
Refer to sk99027.
01322060,
01345585,
01345586,
01345587,
01391617,
01442718,
01463778
Manual Client authentication unexpectedly fails when connecting to the Security Gateway on port 900.
01361721,
01363508
SMTP transparent proxy does not work with NAT when CoreXL is enabled.
Refer to sk98730.
01366133,
01373298,
01383099
Memory leak when using Client Authentication on port 259.
Refer to sk98966.
01371145,
01373299,
01383102;
01371146,
01373300,
01383104
SmartView Tracker shows logs about Client Authentication although 'Successful Authentication Tracking' is set to 'None'.
Refer to sk98966.
01322325,
01323049,
01340776,
01372400,
01376344,
01455920
VPN and/or NAT traffic between accelerated and non-accelerated interfaces, or between non-accelerated interfaces, is not allowed.
01336864,
01352515,
01353560,
01353561
ARP table on Security Gateway is cleared after policy installation (which causes traffic outage). As a result, policy installation progress shows "success" even if it failed when running the 'fw fetch local' command on Security Gateway.
01380461,
01382310
Syntax error in the output of fw ctl affinity -l.
01391750,
01392406.
01386379
Syntax error during policy installation after upgrade to R77.
Refer to sk100197.
01400226,
01399995,
01400636,
01417154,
01401303,
01400439,
01400003,
01400042,
01401879,
01384130,
01417966,
01417401,
01412347,
01418494,
01402060,
01400443,
01400606,
01400044,
01400624,
01382860,
01400018,
01400441,
01423125
Security Gateway might become unstable after an upgrade to R76 / R77 / R77.10.
Refer to sk100431.
01393071,
01383424
When running the fw pstat command, negative values are shown for fragments.
01401585,
01407075
The in.ahttpd process consumes CPU at high level when working with Websense.
Refer to sk100787.
00900938,
00465321,
00826456,
00756312,
00493578,
01233665,
01205224,
00556489,
00466319,
01380209,
00520464,
01298159,
00466318,
01293982,
01145500,
00744959,
00733322,
01267217
Manual Client Authentication with ACE server (RSA tokens) fails randomly because in.ahclientd daemon is stuck due to ACE services.
Refer to sk97473.
01399192,
01399049
"IPv6 is not compatible with Drop Templates. Please make sure that IPv6 is not enabled on Security Gateway" false warning is generated when installing Security policy.
Refer to sk100489.
01384154,
01407376,
01407752,
01408686
When malformed DHCP relay packet arrives, Security Gateway drops this packet and stops the connection. But then the next NOT malformed packet that arrives is also dropped on the same connection.
Refer to sk100233.
01347637,
01352509,
01355809,
01355861,
01357797,
01359052,
01359339,
01396359,
01407277
Every few weeks, the firewall suddenly loses all Proxy ARP entries. Output of fw ctl arp command returns "No proxy arps found".
Refer to sk98740.
01375562,
01376256
Executing 'fw sam' command refreshes timeouts of all entries in the Connections Table.
Refer to sk99066.
01320745,
01338315,
01344610,
01360229,
01360918,
01360919,
01372939,
01372940
When SCCP video conference is initiated, the VoIP phone hangs with "Connection to server lost, temporary error".
Refer to sk98836.
01402038,
01402476,
01432001,
01402472,
01402588
If the database is large and has many rules with domain objects, Domain Object rules are bypassed.
01388808,
01395285,
01413258,
01419870
In Load Sharing Unicast mode cluster with ISP Redundancy enabled, TCP connections to the cluster Virtual IP addresses fail.
01394743,
01423889,
01393444,
01433745,
01424374
SSH session to an IP address defined on a VLAN interface fails.
Refer to sk101120.
01426202,
01460773
Security Gateway under high traffic load might freeze after several days of uptime.
Refer to sk102190.
01426872,
01467589;
01427791,
01471887
Security Gateway might crash when available memory is low.
Refer to sk102719.
01292768,
01310693,
01310694,
01310695,
01310695;
01305054,
01310696,
01310697,
01310698,
01310698
'fw sam' command fails to process the SAM rule with "sam: Name_of_GW_Object (FW_Index/FW_Total) ... failed 'Syntax of SAM rule' processing" error.
Refer to sk97306.
ClusterXL
01373809 Connectivity Upgrade is not supported for 3rd Party clusters.
01354819,
01361433,
01361435,
01364125,
01407594,
01426889,
01430677
SmartView Monitor randomly shows the state of a 3rd party cluster member (e.g., VRRP) as "Active attention".
Refer to sk98698.
01346966,
01351988,
01351990,
01369718,
01372574,
01382138,
01421084
When ARP reply packets received by the Active member are forwarded to other members on non-Gaia gateways, connectivity issues may arise on some Layer 3 devices connected to the cluster, for example on Cisco ACE load balancer.
Refer to sk98417.
01101309,
01295443,
01323188,
01323304,
01347032,
01385102,
01400575,
01405365,
01431662,
01433263
Output of 'cphaprob syncstat' command does not show any peers: 'IDs of F&A Peers - None' .
Refer to sk98167.
01317978,
01339635,
01342581,
01344714,
01402655
Some IPv6 pings are lost in the following IPv6 topology (ICMPv6 "Neighbor Advertisement" Type 136 packets are dropped due link collision):

Host_1 on Net_1 --- ClusterXL High Availability with IPv6 --- Host_2 on Net_2

where:
  • IPv6 address of Host_1 is NATed to an IPv6 address on Net_2
  • IPv6 address of Host_2 is NATed to an IPv6 address on Net_1
Refer to sk98075.
00927546,
01392636,
01415314,
01417159,
01421988
After change of member state in R77.10 cluster on Gaia OS, Proxy ARP configuration from the $FWDIR/conf/local.arp file is lost.
Refer to sk98853.
01371278,
01381638,
01407798,
01429238,
01449315,
01455215
Pings sent by Standby cluster member consume a large number of NAT high ports.
Refer to sk99108.
01382069,
01312678,
01382133
Output of the cphaprob state command shows "none" instead of Sync IP address.
Refer to sk98701.
01343146,
01344075,
01344079
Cluster debug message "FW-1: fwha_check_confirm: X machines did not confirm my state (<STATE>) yet;" might be misleading.
Refer to sk98202.
01341828,
01342888,
01342890,
01375740,
01352765,
01376129
Traffic outages and routing table drops in ClusterXL High Availability in Primary Up configuration.
Refer to sk98168.
01402180,
01461361
ClusterXL member with enabled HTTP/HTTPS Proxy might crash while internal client downloads a big file through the HTTP proxy.
Refer to sk102714.
01111297,
01320815,
01322895,
01322900,
01382195,
01405958
Port flapping on the switch, to which the Synchronization interfaces are connected of three and more ClusterXL members.
Refer to sk95150.
01361034, 01361390, 01361391, 01453256 Maximum limits of concurrent connections do not match on members of Full HA cluster. Output of "fw tab -t connections" command on the Primary member of Full HA cluster shows the maximum limit of concurrent connections as "unlimited".
Refer to sk98697.
Gaia / SecurePlatform
01092980,
01094857,
01094858,
01322316,
01342118,
01380501,
01401142
Incorrect netmask displayed in Clish when running show interface command.
01323619,
00265675,
00265808
When an IPv6 routing command is entered twice, the IPv6 address is not formatted correctly.
01363876,
01371042,
00266018,
01396279
RouteD daemon crashes with core dump file during cluster failover when RouteD tries to delete the ClusterXL listen task that has not finished yet.
Refer to sk104222.
01292823, 00266184, 01381941, 01393900, 01457952 RouteD daemon crashes with core dump files when Dynamic Routing manager goes down and up.
Refer to sk100203.
01318867,
01369738,
01321216,
01374588
Zombie process 'cciss_vol_status' appears on HP Open Server running Gaia OS.
Refer to sk97857.
01321363,
01336243,
01360976,
01363927,
01364356,
01370330,
01373098,
01377079,
01401249,
01422203
/var/log/messages file on Gaia OS gateways repeatedly shows:
modprobe: FATAL: Could not open '/lib/modules/2.6.18-92cpx86_64/kernel/net/ipv6/ipv6.ko'.
Refer to sk95222.
01349373,
01349246,
01349371,
01360255,
01412845
Core dump files are not compressed on Gaia OS after upgrading from SecurePlatform OS.
Refer to sk98341.
01364855,
01365145,
01365146,
01372380,
01374186,
01375344,
01379853,
01393166,
01394331,
01412840,
01418719,
01450060,
01473986
After reboot of Gaia OS, some interfaces are named as 'ethX_rename'.
Refer to sk97446.
01351038,
01351124,
01351126,
01395397,
01412667
Gaia clishd daemon becomes unstable and might crash with core dump file.
Refer to sk98329.
01306241,
01320769
Update timezone data to tzdata2013g.
01204771,
01294031,
01294032,
01433846
Installation fails because of missing PCI table records.
01319366,
01321433,
01370011
Gaia Clish command 'show rba role monitorRole' shows that built-in 'monitorRole' can run extended command, which it is not allowed to.
Refer to sk98115.
01373478,
01373679,
01404998,
01418898,
01451667
SCP backup on Gaia OS fails when user password greater than 16 characters.
Refer to sk100215.
00981634,
00982105,
00982109,
01118403,
01180913,
01185614,
01187940,
01202762,
01206740,
01219314,
01219703,
01255374,
01261375,
01271946,
01273207,
01292302,
01301033,
01342212,
01345877,
01352316,
01358795,
01364807,
01372387,
01380304,
01386106,
01403739,
01430676,
01446912,
01456174

The following messages appear in /var/log/messages file:

  • "syslogd: sendto: Invalid argument"
  • "syslogd: sendto: Bad File Descriptor"
  • "syslogd: sendto: Connection refused"
  • "syslogd: write: Connection refused" on R77.10

Refer to sk83160.
01406839,
01407599,
01464194
'cpstat os -f sensors' command does not show the hardware sensors information on some Open Servers.
Refer to sk102193.
01377392,
01379912,
01418601,
01419376
RouteD daemon terminates on Gaia OS after enabling IPv6.
Refer to sk98863.
01321667,
01323048,
01361452,
01365127
"KERPHY0069 Static Arp IP instance does not belong to any existing subnet" error in Clish when running "add arp static" command on VSX gateway.
Refer to sk98852.
01373582,
01399427,
01378428,
01373903,
01463118
RADIUS users with UID=0 and /bin/bash as the default shell, receive UID=96 and do not get the permissions to execute Check Point commands
01395337,
01395366
Clish crashes when logging in to Expert mode from Clish.
Refer to sk113266.
01377096,
01377305
Gaia backup does not collect files from $CVPNDIR/conf/ directory.
Refer to sk99079.
01455461,
01455632
Gaia backup on VSX R77.10 machine does not collect the contents of $CVPNDIR directory.
Refer to sk102027.
01395540,
01395748
Unable to add VLAN in Gaia Portal when interface is not on the same page.
Refer to sk100538.
01319366,
01321433,
01370011
'show rba role monitorRole' command shows that built-in 'monitorRole' can run extended command that are not allowed for the role.

Example:
# show rba role monitorRole
You can find the following line: read-only-feature ext_cphastop.
Refer to sk98115.
00266007,
00266009,
00266071,
00266277
Redistributing interface routes in Gaia Portal from an interface with capital letters in its name (e.g., "Mgmt", "DMZ") fails - only the static routes are exported.
Refer to sk99067.
01382318,
01382397,
01423823,
01440537,
01475757
Clish or Gaia Portal might become unresponsive.
Refer to sk100174.
00265904,
00265905,
01323107
The IPv6 router discovery page in the Gaia Portal shows the 6-in-4 tunnel interface option. This is not a valid option.
01323103,
00265906,
00265907
In the Gaia Portal (Advanced Routing > IPv6 OSPF), if you select a 6-in-4 tunnel for OSPFv3 an incorrect syntax error message shows.
00265760,
00265682,
01319704
In Gaia Portal in VRRP6 section, it is possible to configure a virtual router without a valid link local address. This causes RouteD daemon to crash.
00265909,
01323097,
00265908
In Gaia Portal in VRRP configuration, selecting 6in4 or 4in6 tunnel interfaces causes many syntax error messages.
00265915,
01348919,
00265812
Enhancement: If Gaia Portal -> OSPF -> 'Election Priority' value is deleted, it is reset to default, which is displayed in the Gaia Portal.
01337071,
01360875,
01360833
After connecting to an ISP, the PPPoE Interface in the Gaia Portal is still shown as "Connecting".
01430768,
01428654,
01400536,
01243892,
01361459,
01430732
After upgrading the Gaia OS, querying the SNMP OID 'SysObjectID' returns a specific appliance model instead of "generic Linux system".
01349748 An interface Rx/Tx ring size parameter modified in the Gaia Portal does not survive reboot.
Refer to sk100626.
01381429,
01386313,
01381179
RADIUS user connects with UID 96 although UID 0 is configured, and not able to run any command.
Refer to sk98958.
01323125,
00265902,
00265683
When you define a 6-in-4 tunnel interface as an outgoing interface for an fe80 address, a syntax error appears.
01286240,
01289153,
01289155,
01289156,
01302544,
01320932,
01352385,
01363913,
01396455,
01409261,
01417079,
01426966,
01430143,
01438582,
01463990;
01319377,
01319795,
01319796,
01363914,
01364339,
01369651,
01396470,
01409247,
01417082,
01438584,
01463992
Intermittently, non-local TACACS user is not able to login:
  • CLINFR0829 Unable to get user permissions.
    CLINFR0599 Failed to build ACLs.
    
  • /var/log/messages file shows:
    User not logged in. He has no configured role.
    
Refer to sk97409.
01148068,
01149572,
01149573,
01149574,
01187282,
01407570
'Scheduled Backup' in SecurePlatform WebUI does not work.
Refer to sk92747.
01360794,
01377768,
01398924,
01418165,
01449155,
01471854
Security Gateway might crash when setting MTU of 9000 and above on a Bond interface.
Refer to sk99113.
01346327,
01346375,
01346679,
01346680,
01350141,
01372665,
01372988,
01378331,
01381375,
01381376,
01381377
Gaia OS configured as NTP client responds to NTP queries from hosts.
Refer to sk98287.
00935189, 00935303, 01075844, 01090386, 01160985, 01180805, 01186421, 01342226, 01456153;
00956291, 00956369, 01082333, 01105026, 01186598, 01342210, 01456165;
01399215, 01401007, 01452067, 01475275, 01595558, 01597357, 01599477

/var/log/messages file on Security Gateway running Gaia OS and SmartView Tracker logs from Security Gateway running Gaia OS repeatedly show the following messages about Hardware Sensors:

  • Several times per second in /var/log/messages file:
    xpand[PID]: Sending request to System Interface
    xpand[PID]: The max bit is 0 value is 0 max is 0.000000
    xpand[PID]: The min bit is 0 value 0 min is 0.000000


  • Every minute:
    xpand[PID]: Note: no Name_of_Sensor sensors

Refer to sk79140.
Dynamic Routing
01355732,
00265618,
00265619,
00267091
In a cluster configured for PIM SM, RouteD daemon crashes with core dump files on the Standby member.
00265664,
00265671,
00265953,
00265999,
00266288,
00266364,
00266656,
01367471
After a neighboring router restarts, a Security Gateway running OSPF with Graceful Restart Helper fails to re-establish adjacency status with the neighbor. The state shows as 'DOWN' instead of 'FULL'.
01322077,
01322763,
01322765,
01322766,
01440852
When using 'aspath-prepend-count' in routemap for BGP, the prepend count is not exported to the BGP peer.
Refer to sk101789.
00406474,
00264022,
00266212,
00266273,
01223750,
01140690,
01176722
OSPF routes are lost after a long period of time from a cluster member on SecurePlatform OS.
Refer to sk92997.
01375782,
01382255;
01374376,
01382252
RouteD daemon becomes unstable on Gaia ClusterXL when the 'ping' option is set on a static route.
Note: If the nexthop does not respond to the pings, RouteD daemon can still become unstable in certain scenarios.
Refer to sk99025.
00777831,
01401071,
01400572
RouteD becomes unstable, when OSPF and RIP are enabled, and RIP code handles non-RIP routes.
01350372,
01370331
When exporting Static/Direct/RIP routes into OSPF without a routemap, or when not configuring automatic or manual tag, tag value is set to an unexpected value in the uninitiated variable in that function.
Refer to sk98415.
00265919,
00265305,
00265745
Enhancement: Gaia Portal and Clish reject non-local addresses for the bootstrap-candidate field in PIM configuration.
01319770,
01360831,
01360867
Clish command "show route ospf" was modifed to include the tag field in the output.
01382407,
01382560,
01382407
Various PBR commands end with "Invalid gateway address" error.
Refer to sk99124.
00265918,
00265829,
00265306
The CLI command for PIM candidate-rp accepts any non-local IP address as a local address.
Identity Awareness
01323615,
01323845,
01323856,
01323859
Custom MSI package for Identity Awareness Multi-User Host Agent (Terminal Servers Identity Agent) requires to enter credentials during the installation, although it should contain pre-shared secret.
Refer to sk97879.
01336133,
01336588,
01371398
Identity Awareness Agent fails to connect after a reboot on Windows XP SP3.
01360356,
01362304,
01362305
PDP Advanced rulebase configuration is not saved when creating a custom Identity Agent.
01363794,
01363810,
01363812
If a permission script is run with the 'username' option, where the user belongs to more than one SID, the script throws an exception.
01322219,
01342540,
01346299,
01346300,
01346301,
01346386,
01350554,
01355824

In Check Point 'Identity Agent - Distributed Configuration' tool - go to 'Server Configuration' pane:

  1. Add default rule
  2. Add at least 2 additional rules
  3. Edit one of these rules
  4. Inside the rule, all the fields are empty, but when clicking on OK, the the Identity Server's IP address appears correctly in 'Identity Server' column
Refer to sk101894.
01322471,
01322911,
01322912,
01322913,
01336551,
01363705,
01376783
Mobile phone users are logged out from Captive Portal every several minutes during web surfing.
Refer to sk97868.
01338036,
01354354,
01354355,
01399652,
01399685
Identity Agent crashes randomly.
Refer to sk98426.
01342598,
01370423,
01370424,
01370427
In "Identity Agent - Distributed Configuration" window, when changing a regular rule from the middle of the rule base to be a 'default' rule, the list displays the rules incorrectly.
Refer to sk98206.
01350837,
01352695,
01353620,
01353766
When an LDAP group is nested in another LDAP group, and the parent group is used in an 'AccessRole', users in the nested group will not be identified as part of the parent group and will not be assigned to this 'AccessRole'. As a result, enforcement based on this 'AccessRole' (within Firewall, Application Control, etc. policies) will be incorrect.
Refer to sk98328.
01364961,
01373957,
01366849,
01372531
Identity Agent is disconnected from Security Gateway, and it takes a long time to reconnect.
Refer to sk99030.
01362283,
01363268,
01363270,
01432221,
01439398,
01456751,
01460002
HTTP connections for TCP services with non standard HTTP ports (e.g., port 5555, instead of port 80 or port 8080) are not redirected to Captive Portal.
Refer to sk99030.
01339379,
01354358,
01354359,
01399654,
01399710
Roaming does not reactivate after Identity Agent disconnects and then reconnects.
01342605,
01346287,
01346288,
01346298

In Check Point 'Identity Agent - Distributed Configuration' tool - go to 'Server Configuration' pane:

  • When editing a default rule, radio buttons for 'IPv4 Range' and 'AD Site' are available and can be selected. However, after clicking on OK, the changes are not applied.
  • 'Subnet Mask' for 'IPv4 Range' can be assigned an invalid value (e.g. 1.1.1.1).
  • 'AD Site' can be assigned empty.
Refer to sk99014.
01353767,
01355483,
01355484,
01398550
PDP daemon might crash when PEP daemon disconnects from it.
Refer to sk98526.
01341104,
01354356,
01354357,
01368947,
01399655,
01399725
Identity Agent roaming is not activated on hosts with Windows Vista or later versions.
01349619,
01351284,
01351285,
01357977,
01362696,
01457006
PDP daemon crashes with core dump files after upgrading to R77.
Refer to sk98342.
01349850,
01408224,
01408077
When configuring the Microsoft NPS (Windows RADIUS Server) with RADIUS accounting, this causing the "RADIUS packets are not parsed correctly" error message by parsing Vendor-Specific attribute, where data was changed from one value to multiple values.
01383383,
01382233,
01382918
Kerberos Authentication timeout for Browser-Based Authentication.
Refer to sk100168.
Anti-Malware
01369179,
01316402
Firewall drops DNS Queries when the AD Bit is set (1) - RFC allows it. RFC 6840 (DNSSEC) section 5.7 (Setting the AD Bit on Queries).
Refer to sk97730.
01371645,
01364092,
01365030,
01421751,
01369833,
01361489,
01367220,
01369323

Check Point Online Web Service failure. "Refer to sk74040 for more information" log appears repeatedly in SmartView Tracker when Anti-Virus or Anti-Bot or both are enabled.

Refer to sk98717, sk95827, sk98285 and sk96192.

UserCheck
01396595,
01396692,
01397545,
01398410,
01404169,
01404182,
01404184,
01404197
Random traffic outages when UserCheck is enabled on Security Gateway.
Refer to sk100505.
Application Control
01382637,
01383002,
01410612
Application Control Blade does not block some TCP over DNS applications.
Refer to sk99044.
01425390,
01456120
Security Gateway with enabled Application Control blade might crash after resetting SIC in 'cpconfig' menu and exiting from 'cpconfig' menu.
Refer to sk102121.
URL Filtering
01422411,
01377452,
01379645,
01405849,
01396795,
01404287,
01362385,
01414498,
01366990, 01402500
URL Filtering drops the traffic with an "Internal Error" log.
Refer to sk98743.
IPS
01370016,
01371192,
01381780
PPTP GRE connections are not deleted from Connections Table when IPS inspection for PPTP is enabled.
Refer to sk100201.
01404684,
01405875
The IPS Global exception is not enforced by the "Non Compliant DNS" protection. It is enforced by other protections.
01371106,
01371106,
01369029,
01373092,
01373146,
01373340 ,
01373341,
01374176,
01374992,
01375066,
01379576,
01380064,
01380537,
01380654,
01380694,
01380904,
0138129 ,
01407054
Some protections do not work for specific HTTP evasions.
Refer to sk98814.
01341601,
01345469,
01352653,
01356253,
01356256,
01377944,
01379164,
01379826,
01379870,
01381145,
01384008,
01392357,
01392855,
01399478,
01402849,
01415574,
01426888,
01470230
Traffic rate is decreased significantly when assigning any IPS profile other than 'Default_Protection'.
Refer to sk92527.
01367531, 01375276, 01375404, 01375414, 01375713, 01375715, 01375716, 01380512, 01511033 IPS protection "TCP Off-Path Sequence Inference" drops TCP "RST" packets with "ACK" value 0.
Refer to sk104640.
DLP
01407930,
01409377,
01410583,
01465357
Memory consumption on DLP Gateway constantly increases when SMTP / HTTP inspection is enabled.
Refer to sk102211.
Threat Prevention (Anti-Bot / Anti-Virus / Threat Emulation)
00522494,
00532012,
00668652,
00858519,
00861495,
00875802,
00899420,
01145587,
01383108,
01383190

FTP connection in Passive Mode does not work after configuring Anti-Virus Blade to scan FTP traffic.

To enable the fix, set the value of kernel parameter 'fw_ftp_allow_double_parenthesis_termination' to 1.

Refer to sk45085.
01377195,
01379692,
01468191
Security Gateway with enabled Anti-Virus blade might crash during Anti-Virus scan of a file transferred over File Share (Common Internet File System, CIFS).
Refer to sk102488.
01380688,
01467858
Security Gateway with enabled Anti-Virus blade / Anti-Bot blade and policy 'Action' set to 'Prevent' might crash under high load.
Refer to sk102489.
Internal CA
01323357,
01343905,
01346144,
01346145,
01362289,
01427578
ICA Tool does not show 'Expired' status for expired certificates (certificates still appear as 'Valid').
Refer to sk101049.
Mobile Access
01344463,
01356902,
01374713,
01400844
Mobile Enterprise clients get disconnected and must relogin after enabling Hostname Translation (HT) on Mobile Access gateway.
Refer to sk98199.
01346097,
01347184,
01353120,
01347202,
01381192
When accessing Outlook Web Access (OWA) through the Mobile Access Portal, this message shows: "Error: Access Denied. The format or content of your request has been detected as invalid or unsafe (400)."
Refer to sk98215.
01351290,
01353108,
01356928
When you upgrade a VSX Gateway from R77 to R77.10, before enabling the Mobile Access Software Blade, it is necessary to install an upgrade package on the VSX Gateway.
Refer to sk98352.
01054881,
01363324
Secure Network Extender fails to resolve DNS through proxy.
01322353,
01322920,
01322922,
01377737
When a browser sends a cookie that it got from another page on a different port, the Mobile Access gateway does not recognize the cookie.
01365409,
01365508
Multiple Authentication Schemes with certificate not enforced correctly on Check Point Mobile VPN clients.
Refer to sk98592.
01365190,
01392800
Enhancement: Improved /cvpn/Scripts/sendsms script.
01410021,
01410492,
01422633,
01433800
Link Translation fails to translate HTML pages with correct content type.
Refer to sk101076
01353168,
01353697,
01353705
Links with Unicode Hexadecimal encoding are not translated by Mobile Access Path Translation (PT).
Refer to sk98976.
01386027,
01391576
When using the SSL Network Extender inside a Secure Work Space, after 10 minutes it stops working.
01373378,
01374229,
01377765,
01420441,
01455351
Citrix StoreFront main page is not loaded through the Mobile Access.
Refer to sk100322.
01396169,
01398504
If Simultaneous Login Prevention (SLP) is enabled, the SharePoint session disconnects after you open a Microsoft Office document.
01206850,
01207032,
01207033,
01207466,
01367463,
01463847
SNX client is rejected with "Access denied - wrong user name or password" error in Mobile Access Portal when trying to change the password.
Refer to sk95026.
01426823,
01427362,
01427363,
01469797,
01470830
Mobile Access Portal might become unstable if an authenticated user sends a password that contains Extended ASCII characters (e.g., euro €).
Refer to sk102487.
SSL Network Extender
01363323,
00544011
SSL tunnel will sometimes terminate on failure to send data.
01207032 "Access denied - wrong user name or password" error when using password with special characters.
SecureXL
01005615,
00262552,
00262768,
00263066,
00263390,
00263494,
01025284
Endpoint client fails during policy installation when SecureXL is enabled.
01379842,
01383740,
01384330,
01405757,
01407753,
01412661,
01429733
Some pings are lost when passing through Security Gateway with enabled SecureXL.
Refer to sk99112.
01407414,
01409468
SecureXL sends ICMP Fragmentation packets even if the DF flag is off.
01383940,
00266263
SecureXL gets disabled automatically after upgrade to R77.10.
Refer to sk99041.
01405942,
01398592,
01398302,
01418762,
01421012
The output of fwaccel stat command shows:
Accelerator Status : off by Firewall (too many general errors (Number_Larger_than_10) (caller: cphwd_offload_drop_templates))
Refer to sk100467 (Scenario 1 - Number of elements in kernel table 'src_ranges_list' exceeds the limit).
01407353,
00266535,
00266599,
00266601,
00266763,
01414222,
01438463,
01438902
SecureXL drops UDP connections with "Dropped Traffic: dropped by handle_outbound_pac, Reason: connection not found".
Refer to sk101134.
01403403,
01407248,
01412797,
01429528,
01433211
SmartView Monitor shows incorrect traffic amounts when SecureXL is enabled.
Refer to sk101107.
01336995,
00265456,
00266019,
00266053,
01341519,
01364424,
01364425,
01365920,
01399776
IPS protection "Sequence Verifier" drops legitimate packets when SecureXL is enabled.
Refer to sk98830
01269753,
01289912,
00266020,
00266120,
00266148,
01289911,
01289913,
01504572,
01521559
Traffic sent over VPN tunnel does not reach its destination because SecureXL does not start fragmenting the packets. 
Refer to sk98070.
01337381,
00266060,
00266160,
00266427,
00266654,
00266716,
01551843
Security Gateway with enabled SecureXL might crash when available memory is low.
Refer to sk102719.
Security Management
01368104 In SmartView Tracker, DLP email log, if you select Send, this message shows: "This action is only supported on gateways that are version R75.20 and higher".
00949658,
01339246,
01339247,
01339252
Memory leak in FWM daemon.
01381866,
01386063,
01395376
FWD daemon might crash under debug.
01340456,
01340731,
01340734,
01346077,
01393797,
01413728,
01426136,
01448520,
01453279
Policy Verification takes very long time and eventually times out.
Refer to sk98106.
01361034,
01361390,
01361391,
01453256
When converting Standalone to Full HA there are 2 parameters that are not "transferred" to members from the cluster member.
Refer to sk98697.
01338842,
01340526,
01340527
Policy installation in SmartDashboard connected to Secondary HA Management Server fails with "No License to Manage QoS UTM-1 Sites" error.
Refer to sk98097.
01378687,
01380213
Login to SmartLog with a Global Manager username (from SmartDomain Manager) fails with: "The connection to Multi-Domain Server has been refused because the database could not be opened".
01047516,
01366704,
01368761
When policy is installed from Secondary Management server, Endpoint Connect fails with error 'OM: xxxx tried to connect, but you have reached the number of purchased licenses'.
01192796 If Enable drop optimization feature is enabled in an R76 Security Gateway object (SmartDashboard -> R76 Security Gateway Properties -> Optimizations pane), policy installation can fail on R76 Security Gateway.
01360844,
01362223,
01362224

The $CPDIR/tmp/ directory is filled with 'file...' files.

Example:

[Expert@HostName]# ls -l $CPDIR/tmp/file*

...

-rw-rw---- 1 admin root 771506 Jan 13 13:01 /opt/CPshrd-R77/tmp/fileR5LELI
-rw-rw---- 1 admin root 904722 Jan 13 13:25 /opt/CPshrd-R77/tmp/fileRcK0nz
-rw-rw---- 1 admin root 240090 Jan 13 13:25 /opt/CPshrd-R77/tmp/fileRfA9jP

Refer to sk98567.

01391939,
01392258
Policy installation becomes unstable when Application Control or URL Filtering blade is enabled.
01400327,
01419340,
01400566,
01400243
Management HA status changing from Synchronized to Lagging approximately every two hours.
Refer to sk100555.
01406724,
01407013
The fwm logexport command fails with 'Error: Failed to read field FollowUp' after enabling Anti-Virus / Anti-Bot blades.
Related to sk91620.
01402368,
01402165
"License allows only a single Virtual System" error message during policy installation.
Refer to sk100463.
01407810,
01410109,
01419951,
01433897,
01436598
In a Management HA configuration, when changing the rulebase and saving it, the audit log record for the automatic sync shows an incorrect client IP address.
01368631,
01371531,
01427548
Resource field shows "*** Confidential ***" in Application Control / DLP logs on 3rd party LEA OPSEC client when using Permissions Profile.
Refer to sk101570.
01415906,
01456935
FWD daemon crashes on Security Management Server / Domain Management Server with core dump file when creating new Security Gateway objects with Identity Awareness blade.
Refer to sk102120.
01349964,
01352693,
01352694,
01396070,
01404453,
01413833,
01421334,
01453206
SmartView Tracker does not display any logs when filtering in 'Origin' column by Security Gateway's object name.
Refer to sk98349.
01357827,
01360076,
01360258,
01360259,
01395307,
01426058,
01426251
ClusterXL with ISP Redundancy sends VPN traffic with wrong source IP address after VPN link failover.
Refer to sk98532.
Multi-Domain Security Management
01366715,
00499297,
00816100, 00525150, 00929341 
Administrator names cannot include the "@" and "\" characters.
To enable this fix, set this environment variable on the Multi-Domain Server and Security Management server: CP_P1_DISABLE_STRICT_ADMIN_NAME_VALIDATION

Refer to sk44759 
01392300,
01395213
If you add a second Domain Management Server (DMS) or a Domain Log Server (DLS) to an existing domain it will be created with the wrong software version (R77 instead of R77.10).
Refer to to sk98809.
01404568,
01404266
SmartUpdate does not support Linux50 packages.
Refer to sk100946.
01427929
Size of $MDSDIR/log/cpwd.log file grows rapidly (to several gigabytes) on Multi-Domain Server.
Refer to sk109675.
01322609,
01322803,
01322804
"The Global History file is not found" error in SmartDomain Manager. Related to sk97812.
01353886,
01365307,
01365309,
01378060
Session description information is not provided in Domain Management Server "change-to-active" audit log.
Refer to sk98695.
01364741,
01366005,
01366007,
01368102
SmartView Tracker is not able to fetch firewall log file from Security Gateway.
Refer to sk98647.
01380563, 01380792, 01815829 Output of 'top' command shows that threshold_config process consumes CPU at 100% on Multi-Domain Security Management Server.
Refer to sk99081.
SmartDashboard, SmartView Tracker and SmartView Monitor
01371627,
01372064,
01372714,
01372855,
01374089,
01375067
When using a trusted link with site-to-site VPN, the tunnel is down because the unencrypted tunnel test packets are dropped.
01362293,
01365748,
01365750
The View Rule option in SmartView Tracker does not show the rule.
Refer to sk98716.
01346262,
01343273,
01346260
When selecting SmartDashboard -> File menu -> Installed Policies -> select policy for a Virtual Router -> View Policy, the operation fails with "View Installed Policy operation failed" error.
Refer to sk98275.
01382864,
01382987
When a rule name contains non ASCII characters, policy installation fails with the error "Load on module failed - failed to load security policy".
Refer to sk33893.
01382845,
01382196,
01382427
Right-click on APN (Access Point Name) object causes SmartDashboard to become unstable.
Refer to sk99127
01402103,
01405328,
01405435
"Where Used..." dialog shows interface UID and not its name.
01370009,
01370366
SmartView Tracker - View menu -> Query Properties option is always selected (although clicking on this option toggles the Query Properties filter window correctly).
Refer to sk99077.
01351236,
01350069,
01381412,
01351234,
01401893,
cpstat os -f routing command and Smartview Monitor show nexthop as 0.0.0.0
Refer to sk98420.
01149900,
01295432,
01358114
Following a migrate, and prior to explicitly installing a policy, editing a VSX cluster object will result in overriding the existing policy with a default one.
01312882,
01313567,
01319015,
01406001
Search-Field in Mobile Access policy does not work when connected with SmartDashboard in Read-Only mode.
01373058,
01373864,
01410456
SmartDashboard does not accept usernames or passwords longer than 30 characters.
Refer to sk99020.
01352011,
01373827
If you configure a cluster with the same IP address as Cluster IP already configured on the interface of the cluster node, there is no error message.
Refer to sk100211.
01368608,
01405357,
01371697
When exiting SmartDashboard, if "Find in Rule Base" window (still) open, SmartDashboard crashes.
Refer to sk98952.
01352197,
01354317,
01354318
In SmartDashboard, when creating new object with space in its name, space is changed to underscore "_".
Refer to sk98455.
01342385,
01347611,
01347612,
01412607
When changing placeholder's state only (expanding / collapsing without any database changes), the changes are not saved.
Refer to sk98278.
SmartEvent / SmartReporter
01375792 "Check Point SmartEvent Client experienced a serious problem and must close immediately..." when trying to connect with SmartEvent GUI to SmartEvent Server for the first time after upgrade to R77.10.
Refer to sk98878.
01337798,
01338189,
01338190,
01400331
Using an external script in "automatic reactions" in SmartEvnet does not work.
Refer to sk97632.
01361419,
01363419,
01363421,
01368780,
01370804,
01395373,
01447069,
01449264,
01453125

R77.10 Log Server stops forwarding logs to LEA clients:

  • New events are not coming to SmartEvent.
  • Logs are not processed by SmartReporter consolidation session.
  • Logs are not forwarded to 3rd-party OPSEC clients.

Refer to sk98588.
01339672,
01339954,
01352471,
01374073
SmartEvent 'Top Users By Traffic' view does not show any events for Active Directory users.
Refer to sk98092.
01339272,
01379224,
01339952,
01339953
Country filter in SmartEvent returns empty for countries with apostrophe, such as Cot'e Divor.
01338561,
01338574,
01338575,
01383641
In Network Activity report, the total network traffic in the 'Summary' section is smaller than the total traffic in the 'Top Network Activity' section.
Refer to sk98073.
01339464,
01339214,
01340543
Value of 'days_to_keep' configured per sk69706 is not applied.
Refer to sk98095.
01346234,
01346578,
01375667,
01346579
SmartEvent reports fail with no data found, if AD name has a comma (,) in it.
Refer to sk98275.
01380916,
01381197
SmartReporter license for 25 Security Gateways allows only 20.
Refer to sk99111.
01382558,
01382557
Timeline View section is empty in SmartEvent GUI client.
Refer to sk98900.
01368648,
01371514,
01371650
SmartEvent keeps old events longer than configured.
Refer to sk99021.
01340644,
01340537,
01340359,
01383941
Network Activity by Date shows duplicate week entries.
01385997,
01384305
Cannot query event if UserName contains quotes comma apostrophe.
Refer to sk99043.
01377756,
01403467,
01377610,
01395497
When trying to restart an existing session / create a new consolidation session, it appears to start, then the status goes into 'Abort' almost immediately.
Refer to sk99080.
01400328,
01400316

When you generate a DLP report with a filter in SmartEvent, we get the following errors:

Unable to complete generation for: Section: 5. DLP User Actions by User Unit: 5.1 DLP User Actions by User
Additional information:
:ERROR: column "dlp_violation" does not exist
LINE 1: ..._VIEW ON (TEMP_VIEW.rowid=USERS_VIEW.eventid, dlp_violat...

Refer to sk100547.

01370563,
01371218
The SmartEvent GUI client becomes unstable when creating an event based on an existing event from the "Mobile Access" group.
Refer to sk99110.
01313659,
01336916,
01336955,
01319013
After an upgrade, SmartEvent does not show any events and shows an error "No connection to correlation unit".
Refer to sk97632.
00863374,
00866796,
00905558,
01079529,
01127897,
01140149,
01186407,
01226490,
01227438,
01227439,
01227440,
01265819,
01374971,
01375023
In E-mail alerts sent by SmartEvent, the user name field contains '*** Confidential ***' instead of real data.
Refer to sk68020.
01410542,
01410560,
01410563,
01465990
Memory leaks in cpsemd process on SmartEvent server when it fails to connect to log storage.
Refer to sk102266.
SmartProvisioning
01319138,
01317912,
01344395
Filtering by 'Firmware' does not work.
Refer to sk98092.
SNMP
01311922,
01320010,
01320011,
01365028,
01367709,
01412793
SNMPD daemon fails to start / crashes on Gaia OS.
Refer to sk98324.
01323376,
01324127,
01324128,
01351121,
01351585,
01366207,
01461578
SNMPD process crashes with "Segmentation fault" error.
Refer to sk98066.
01392172,
01392626,
01400511

Not able to load the Check Point MIB files from R76SP into MIB Browser (e.g., CA Spectrum OneClick) - MIB Browser shows multiple errors:

  • Could not parse the file CHECKPOINT-MIB.
  • Could not parse the file CHECKPOINT-GAIA-TRAP-MIB.
  • The MIB CHECKPOINT-MIB referenced by the selected file appears to contain more than one MIB definition.
  • The MIB RFC1155-SMI referenced by the selected file appears to contain more than one MIB definition.

Refer to sk100169.
01373662,
01375761
MIB tree in the $CPDIR/lib/snmp/chkpnt.mib file is missing OID branches, which appear in the output of snmpwalk command:
  • 1.3.6.1.4.1.2620.1.1.26.11.1.0
  • 1.3.6.1.4.1.2620.1.1.26.11.2.0
  • 1.3.6.1.4.1.2620.1.1.26.11.3.0
  • 1.3.6.1.4.1.2620.1.1.26.11.4.0
01376058,
01376770,
01379432,
01401320
CPD daemon crashes due to a file-descriptor leak, if SNMP traps are enabled with the threshold_config command.
01402619,
01402835
Description of SNMP OID 1.3.6.1.4.1.2620.1.38.24.1.5 (identityAwarenessDistributedEnvTableStatus) in the $CPDIR/lib/snmp/chkpnt.mib file is incorrect.
Refer to sk100990.
01373656,
01375758
MIB syntax causes a Java error in HP Network Node Manager (NNM) when working with Check Point MIB file$CPDIR/lib/snmp/chkpnt.mib file.
01378261,
01378643,
01394806
SMI syntax error in Check Point MIB file$CPDIR/lib/snmp/chkpnt.mib file:
  • extra comma after 'haClusterSyncNetMask' before closing bracket '}' in 'HaClusterSyncEntry'
  • extra comma after 'svnNetIfOperState' before closing bracket '}' in 'SvnNetIfTableEntry'
Refer to sk73440.
01386495,
01386346,
01401324
The snmpwalk command for Check Point OID 1.3.6.1.4.1.2620 stops in the middle of the query with "Timeout: No Response from" error, and core dump files are created for snmpd process in the /var/log/dump/usermode directory.
Refer to sk100193.
01398870,
01399409,
01418605,
01440524,
01453530,
01469745
SNMPD process crashes with core dump files.
Refer to sk100514.
01382326,
01386014,
01394013
The SNMP query for IP-FORWARD-MIB::ipCidrRouteMask shows output of mask in reversed-endian order.
01355690,
01363319,
01363321,
01381841,
01391819,
01407756,
01414243
SNMP query for any OID under 1.3.6.1.4.1.2620.1.6.7.5 (multiProcTable) returns 0 (zero).
Refer to sk98570.
01311467,
01311997,
01311998,
01311999,
01392708,
01428858,
01430113
SNMPD daemon crashes.
01323200,
01336334,
01336335,
01364361,
01364471,
01380312,
01407801,
01433095
The SNMP agent stops working correctly after a period of time.
QoS
01343078,
01355467,
01371032
VPN traffic might be dropped in some cases on Anti-Spoofing when SecureXL and QoS are enabled on R77.10 Security Gateway.
Refer to sk98172.
VPN
00833986,
00835824,
01101966,
01104905,
01379596,
01379730,
01461368
VPND daemon might crash during policy installation.
Refer to sk102716.
01352900,
01353061,
01353062,
01355363,
01372789,
01372862,
01374864
VPND memory usage rises steadily until the machine runs out of memory.
Refer to sk98388.
01361432,
01362498,
01362506,
01362507,
01379840,
01414249
When you open the VPN SSL Network Extender portal in Internet Explorer 11, SSL Network Extender will only start in Java, not ActiveX.
01371627,
01372064,
01372714,
01372855,
01374089,
01375067
SmartView Monitor shows that a tunnel is down when using link selection with a trusted link.
01360917 There is no way to set waiting time for smaller packets before fragmentation. Fix: new global variable 'ipsec_mtu_icmp_wait_timeout' was introduced. It can be set to values from 1 to 10
01382259,
01395861,
01395878,
01395881,
01395884,
01395885,
01395888
Remote access VPN clients (IPsec) connect with Visitor Mode (TCPT) during install policy instead of NAT-T.
01266307,
01361806,
01417081
VPN shell command option 'tunnels/' is not supported on Gaia.
01360983,
01361317,
01361503,
01361504
VPND stability issue with L2TP clients.
01398492,
01337987,
01403407
VPND becomes unstable when many applications, rules, or user groups are defined in Mobile Access Software Blade policy.
Refer to sk100488.
01381022,
01381542,
01412083,
01459083,
01468193
Traffic over remote access VPN tunnels is interrupted during policy installation onto VPN Gateway.
Refer to sk98914.
01217021,
01361797
IKE selectors are not chosen properly when ike_use_largest_possible_subnets is false.
Refer to sk101219.
01395232,
01396707
Users cannot use the real IP address of DAIP gateway when using the 'vpn tu' command.
Refer to sk100346.
01231095,
01231254,
01231255,
01231256,
01234787,
01262160,
01361863,
01383011,
01465966
"Failed to allocate an IP address" error when using 'ipassignment.conf' file to assign Office Mode IP address and Check Point Mobile VPN clients for Android/iOS.
Refer to sk95088.
VSX
- IP addresses that belong to VSX Internal Communication Network appear in routing tables and are published by dynamic routing protocols.
Refer to sk102177.
- SmartDashboard and 'ifconfig' command show different IP address for interfaces of VSX objects.
Refer to sk92596.
01258154,
01347285,
01356724
VPN configurations that use the IP-per-user and IP-Pool-per-group features may not work correctly on the Virtual Systems because $FWDIR/conf/ipassignment.conf file contains identical configuration on all Virtual Systems.
Refer to sk97992.
01394079,
01397060
After adding a new USM (User-based Security Model) user, query from vs0 on vs2 works with user credentials, but after setting the SNMP agent off and on again, same query with same user credentials responds with: "snmpwalk: Unknown user name".
Refer to sk100218
01351290,
01353108,
01356928
Mobile Access blade does not function as expected when enabled on Virtual Systems of a VSX gateway that was upgraded from R77 to R77.10.
Refer to sk98352 for upgrade package download and installation instructions.
01290516,
01295822,
01359798,
01338428,
01358508
Gaia Clish command "show virtual-system all" displays empty virtual system list when logging with TACACS+ / RADIUS user (non-local) to VSX Gateway.
Refer to sk105342.
01402165,
01402368
"License allows only a single Virtual System" error message during policy installation.
Refer to sk100463
01394915

When using vsx_util change_private_net to change an IPv6 address, you must supply an IPv4 address, even if the addresses were not changed.
Refer to sk117062

01375670,
01370177
The CoreXL tab in the Virtual Sysyem object is empty.
01415541

Enhancement: Rate limiting for each Virtual System in VSX is supported. Run: "vsenv VSID" in Expert mode, or "set virtual-system VSID" in Clish, and then run the "fw samp ..." commands.

Refer to sk112454 - How to configure Rate Limiting rules for DoS Mitigation.

01291155,
01347249,
01347240,
01347249,
01356757
Remote Wipe on a Check Point Mobile Enterprise, connected to a Virtual System, takes effect up to 24 hours after its user certificate has been revoked.
01321032,
01347407,
01356785
The vsx_util add_member command does not work with IPv6 address.
Refer to sk97995.
01262108,
01358857,
01359659,
01362993,
01373866
On VSX machine, output of Clish command 'show arp' shows the ARP table only for Virtual System 0, even if the command is run from a context of the different Virtual System.
Refer to sk98003.
01372432 Policy installation on VSX gateways (of version VSX NGX R65) fails when 140 or more VPN communities are in use.
Refer to sk25827.
01383273,
01384856,
01392830,
01394068,
01415010,
01424740,
01440515,
01444143,
01444357
SNMP query for OID 'vsxCounters' (.1.3.6.1.4.1.2620.1.16.23) returns incorrect values after deleting a Virtual System.
Refer to sk101477.
01279754,
01471922,
01471953
Traffic outage might occur through Virtual Systems with enabled Application Control blade.
Refer to sk102720.
01368553, 01368927, 01401772, 01475358, 01572817;
01392700

Traffic passing through the VSX cluster is lost (during more than several seconds) when cluster state of Standby member changes:

  • if a cable is disconnected from the Standby member and then reconnected
  • if a switch port, to which the Standby member connects, is shut down and then brought up
Refer to sk104567.
01386051, 01749692, 01769512 Output of "ifconfig <Name_of_Interface>" command in the context of VSX cluster member (VS0) shows wrong IP address.
Refer to sk108700.
00972349, 01368630, 01749694 Output of "ifconfig" command in the context of Virtual Systems shows Internal Communication (Funny) IP addresses instead of Real IP addresses.
Refer to sk108699.
01380189, 01381264, 01568713, 01380553
Multi-Queue configuration might be reset during reboot on VSX Gateway.
Refer to sk98945.
Compliance Blade
01345316,
01355290,
01371433
Compliance Blade does not recognize network objects after advanced upgrade from R77 to R77.10 / R77.20.
Refer to sk98204.
01395492,
01472683,
01470595
Stealth Rule compliance check does not work as expected. See sk102424.
VoIP
01386074,
01392936
SIP call fails - call receiver can hear voice, call initiator can not hear voice from call receiver.
Refer to sk100410.
01379712,
01383038,
01413378,
01379691,
01383036,
01413392
External VoIP phones are not able to connect to Internal VoIP phones (behind the Security Gateway) that use Gatekeeper because 'alternativeAddress' in H.225 Facility Message payload is not NATed.
Refer to sk98970.
01375859,
01376023,
01376384,
01402195,
01402203,
01402212,
01402215,
01404681,
01405846,
01410025
MGCP traffic is dropped with log "Response to unknown Request. Bad Call-ID" after upgrade to R76 / R77 / R77.10.
Refer to sk99026.
00362320,
00374502,
00413223,
01391913,
01392318,
01415004,
01419975,
01461248
SIP connections may be regularly dropped with "Number of reinvites exceeded the limit" error.
New "sip_expire" parameter added to enable users to customize how much time a registration request should take.
Endpoint Security Unified Management
01360520,
01386165
In Web Remote Help, user name auto-complete only works for login name, common name, and display name.
Resolution: run this script to configure name types for autocompletion: $UEPMDIR/system/install/wrhAutoCompletionConfig
00673732 Full Disk Encryption clients on Mac computers show dynamic token (challenge/response) in Preboot, but it is not supported.
CoreXL
01418503,
01366672,
01365459,
01400272,
01365150,
01284703,
01365149,
01380924,
01407041,
01365460,
01366671,
01403930
Kernel debug fw ctl debug command is not applied to all CoreXL FW instances:
  • Kernel debug is disabled only for CoreXL FW instance 0 (and not for all instances)
  • Kernel debug flag 'all' is enabled only for CoreXL FW instance 0 (and not for all instances)
  • Kernel debug specified flags are enabled only for CoreXL FW instance 0 (and not for all instances)
  • The CPU consumption may remain high after running the 'fw ctl debug 0' command
Refer to sk98625.
Appliances
01405092,
01405869,
01405909
Policy installation on 1100 appliance fails with 'Failed to generate the rulebase' error.
Refer to sk100613.
01401717,
01207926,
01407638,
01408221
Output of "show asset" command does not show the CPU model and CPU frequency properly.
Refer to sk100468.
IPSO
01397287 VPN traffic with IKEV1, B-GCM-256, or B-GCM-128 on IPSO gateways does not work with SecureXL.
Workaround: Disable SecureXL to use these encryption methods.
00209685,
01372378,
01378009,
1380848
CPSNMPD process consumes CPU at high level on IPSO OS.
Refer to sk40258.
HTTPS Inspection
01372343,
01398701,
01372648,
01402055,
01422259
Occasionally, certificate errors appear for some HTTPS sites, although HTTPS Inspection policy is configured to 'Bypass' these sites.
Refer to sk98972.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment