| ID |
Symptoms |
| General |
01404337,
01408283 |
On SecurePlatform, some static routes configured on an interface are deleted when using the 'eth_set' command to set speed/duplex on that interface to 'autoneg'.
Refer to sk100988. |
01369132, 01395955
|
Clean install from USB device fails on Check Point Appliance because the installation process (anaconda) includes the USB installation media as part of the installation target.
Refer to sk100566. |
| Upgrade |
| 01375792 |
"Check Point SmartEvent Client experienced a serious problem and must close immediately..." when trying to connect with SmartEvent GUI to SmartEvent Server for the first time after upgrade to R77.10.
Refer to sk98878. |
| Security Gateway |
01322955,
01323223,
01323225,
01339025,
01404871 |
Specific traffic is dropped by Security Gateway, although it should be accepted by the relevant security rule because in FireWall rulebase, the Service may be evaluated before evaluating the Source or the Destination.
Refer to sk97876. |
01364112,
01366286,
01366291 |
RTSP 'SETUP' request packets are dropped by Security Gateway.
Refer to sk99114. |
01354607,
01360314,
01359114,
01360313,
01361087,
01368930,
01375852,
01384279,
01384850,
01399125,
01399635,
01402104,
01402197,
01402236,
01402238,
01402247,
01404673,
01405817,
01413670 |
Enabling URL Filtering blade and Application Control blade might cause Security Gateway to hang.
Refer to sk99027. |
01322060,
01345585,
01345586,
01345587,
01391617,
01442718,
01463778 |
Manual Client authentication unexpectedly fails when connecting to the Security Gateway on port 900. |
01361721,
01363508 |
SMTP transparent proxy does not work with NAT when CoreXL is enabled.
Refer to sk98730. |
01366133,
01373298,
01383099 |
Memory leak when using Client Authentication on port 259.
Refer to sk98966. |
01371145,
01373299,
01383102;
01371146,
01373300,
01383104 |
SmartView Tracker shows logs about Client Authentication although 'Successful Authentication Tracking' is set to 'None'.
Refer to sk98966. |
01322325,
01323049,
01340776,
01372400,
01376344,
01455920 |
VPN and/or NAT traffic between accelerated and non-accelerated interfaces, or between non-accelerated interfaces, is not allowed. |
01336864,
01352515,
01353560,
01353561 |
ARP table on Security Gateway is cleared after policy installation (which causes traffic outage). As a result, policy installation progress shows "success" even if it failed when running the 'fw fetch local' command on Security Gateway. |
01380461,
01382310 |
Syntax error in the output of fw ctl affinity -l. |
01391750,
01392406.
01386379 |
Syntax error during policy installation after upgrade to R77.
Refer to sk100197. |
01400226,
01399995,
01400636,
01417154,
01401303,
01400439,
01400003,
01400042,
01401879,
01384130,
01417966,
01417401,
01412347,
01418494,
01402060,
01400443,
01400606,
01400044,
01400624,
01382860,
01400018,
01400441,
01423125 |
Security Gateway might become unstable after an upgrade to R76 / R77 / R77.10.
Refer to sk100431. |
01393071,
01383424 |
When running the fw pstat command, negative values are shown for fragments. |
01401585,
01407075 |
The in.ahttpd process consumes CPU at high level when working with Websense.
Refer to sk100787. |
00900938,
00465321,
00826456,
00756312,
00493578,
01233665,
01205224,
00556489,
00466319,
01380209,
00520464,
01298159,
00466318,
01293982,
01145500,
00744959,
00733322,
01267217 |
Manual Client Authentication with ACE server (RSA tokens) fails randomly because in.ahclientd daemon is stuck due to ACE services.
Refer to sk97473. |
01399192,
01399049 |
"IPv6 is not compatible with Drop Templates. Please make sure that IPv6 is not enabled on Security Gateway" false warning is generated when installing Security policy.
Refer to sk100489. |
01384154,
01407376,
01407752,
01408686 |
When malformed DHCP relay packet arrives, Security Gateway drops this packet and stops the connection. But then the next NOT malformed packet that arrives is also dropped on the same connection.
Refer to sk100233. |
01347637,
01352509,
01355809,
01355861,
01357797,
01359052,
01359339,
01396359,
01407277 |
Every few weeks, the firewall suddenly loses all Proxy ARP entries. Output of fw ctl arp command returns "No proxy arps found".
Refer to sk98740. |
01375562,
01376256 |
Executing 'fw sam' command refreshes timeouts of all entries in the Connections Table.
Refer to sk99066. |
01320745,
01338315,
01344610,
01360229,
01360918,
01360919,
01372939,
01372940 |
When SCCP video conference is initiated, the VoIP phone hangs with "Connection to server lost, temporary error".
Refer to sk98836. |
01402038,
01402476,
01432001,
01402472,
01402588 |
If the database is large and has many rules with domain objects, Domain Object rules are bypassed. |
01388808,
01395285,
01413258,
01419870 |
In Load Sharing Unicast mode cluster with ISP Redundancy enabled, TCP connections to the cluster Virtual IP addresses fail. |
01394743,
01423889,
01393444,
01433745,
01424374 |
SSH session to an IP address defined on a VLAN interface fails.
Refer to sk101120. |
01426202,
01460773 |
Security Gateway under high traffic load might freeze after several days of uptime.
Refer to sk102190. |
01426872,
01467589;
01427791,
01471887 |
Security Gateway might crash when available memory is low.
Refer to sk102719. |
01292768,
01310693,
01310694,
01310695,
01310695;
01305054,
01310696,
01310697,
01310698,
01310698 |
'fw sam' command fails to process the SAM rule with "sam: Name_of_GW_Object (FW_Index/FW_Total) ... failed 'Syntax of SAM rule' processing" error.
Refer to sk97306. |
| ClusterXL |
| 01373809 |
Connectivity Upgrade is not supported for 3rd Party clusters. |
01354819,
01361433,
01361435,
01364125,
01407594,
01426889,
01430677 |
SmartView Monitor randomly shows the state of a 3rd party cluster member (e.g., VRRP) as "Active attention".
Refer to sk98698. |
01346966,
01351988,
01351990,
01369718,
01372574,
01382138,
01421084 |
When ARP reply packets received by the Active member are forwarded to other members on non-Gaia gateways, connectivity issues may arise on some Layer 3 devices connected to the cluster, for example on Cisco ACE load balancer.
Refer to sk98417. |
01101309,
01295443,
01323188,
01323304,
01347032,
01385102,
01400575,
01405365,
01431662,
01433263 |
Output of 'cphaprob syncstat' command does not show any peers: 'IDs of F&A Peers - None' .
Refer to sk98167. |
01317978,
01339635,
01342581,
01344714,
01402655 |
Some IPv6 pings are lost in the following IPv6 topology (ICMPv6 "Neighbor Advertisement" Type 136 packets are dropped due link collision):
Host_1 on Net_1 --- ClusterXL High Availability with IPv6 --- Host_2 on Net_2
where:
- IPv6 address of Host_1 is NATed to an IPv6 address on Net_2
- IPv6 address of Host_2 is NATed to an IPv6 address on Net_1
Refer to sk98075. |
00927546,
01392636,
01415314,
01417159,
01421988 |
After change of member state in R77.10 cluster on Gaia OS, Proxy ARP configuration from the $FWDIR/conf/local.arp file is lost.
Refer to sk98853. |
01371278,
01381638,
01407798,
01429238,
01449315,
01455215 |
Pings sent by Standby cluster member consume a large number of NAT high ports.
Refer to sk99108. |
01382069,
01312678,
01382133 |
Output of the cphaprob state command shows "none" instead of Sync IP address.
Refer to sk98701. |
01343146,
01344075,
01344079 |
Cluster debug message "FW-1: fwha_check_confirm: X machines did not confirm my state (<STATE>) yet;" might be misleading.
Refer to sk98202. |
01341828,
01342888,
01342890,
01375740,
01352765,
01376129 |
Traffic outages and routing table drops in ClusterXL High Availability in Primary Up configuration.
Refer to sk98168. |
01402180,
01461361 |
ClusterXL member with enabled HTTP/HTTPS Proxy might crash while internal client downloads a big file through the HTTP proxy.
Refer to sk102714. |
01111297,
01320815,
01322895,
01322900,
01382195,
01405958 |
Port flapping on the switch, to which the Synchronization interfaces are connected of three and more ClusterXL members.
Refer to sk95150. |
| 01361034, 01361390, 01361391, 01453256 |
Maximum limits of concurrent connections do not match on members of Full HA cluster. Output of "fw tab -t connections" command on the Primary member of Full HA cluster shows the maximum limit of concurrent connections as "unlimited".
Refer to sk98697.
|
| Gaia / SecurePlatform |
01092980,
01094857,
01094858,
01322316,
01342118,
01380501,
01401142 |
Incorrect netmask displayed in Clish when running show interface command. |
01323619,
00265675,
00265808 |
When an IPv6 routing command is entered twice, the IPv6 address is not formatted correctly. |
01363876,
01371042,
00266018,
01396279
|
RouteD daemon crashes with core dump file during cluster failover when RouteD tries to delete the ClusterXL listen task that has not finished yet.
Refer to sk104222. |
| 01292823, 00266184, 01381941, 01393900, 01457952 |
RouteD daemon crashes with core dump files when Dynamic Routing manager goes down and up.
Refer to sk100203.
|
01318867,
01369738,
01321216,
01374588 |
Zombie process 'cciss_vol_status' appears on HP Open Server running Gaia OS.
Refer to sk97857. |
01321363,
01336243,
01360976,
01363927,
01364356,
01370330,
01373098,
01377079,
01401249,
01422203 |
/var/log/messages file on Gaia OS gateways repeatedly shows:
modprobe: FATAL: Could not open '/lib/modules/2.6.18-92cpx86_64/kernel/net/ipv6/ipv6.ko'.
Refer to sk95222. |
01349373,
01349246,
01349371,
01360255,
01412845 |
Core dump files are not compressed on Gaia OS after upgrading from SecurePlatform OS.
Refer to sk98341. |
01364855,
01365145,
01365146,
01372380,
01374186,
01375344,
01379853,
01393166,
01394331,
01412840,
01418719,
01450060,
01473986 |
After reboot of Gaia OS, some interfaces are named as 'ethX_rename'.
Refer to sk97446. |
01351038,
01351124,
01351126,
01395397,
01412667 |
Gaia clishd daemon becomes unstable and might crash with core dump file.
Refer to sk98329. |
01306241,
01320769 |
Update timezone data to tzdata2013g. |
01204771,
01294031,
01294032,
01433846 |
Installation fails because of missing PCI table records. |
01319366,
01321433,
01370011 |
Gaia Clish command 'show rba role monitorRole' shows that built-in 'monitorRole' can run extended command, which it is not allowed to.
Refer to sk98115. |
01373478,
01373679,
01404998,
01418898,
01451667 |
SCP backup on Gaia OS fails when user password greater than 16 characters.
Refer to sk100215. |
00981634,
00982105,
00982109,
01118403,
01180913,
01185614,
01187940,
01202762,
01206740,
01219314,
01219703,
01255374,
01261375,
01271946,
01273207,
01292302,
01301033,
01342212,
01345877,
01352316,
01358795,
01364807,
01372387,
01380304,
01386106,
01403739,
01430676,
01446912,
01456174 |
The following messages appear in /var/log/messages file:
- "
syslogd: sendto: Invalid argument"
- "
syslogd: sendto: Bad File Descriptor"
- "
syslogd: sendto: Connection refused"
- "
syslogd: write: Connection refused" on R77.10
Refer to sk83160. |
01406839,
01407599,
01464194 |
'cpstat os -f sensors' command does not show the hardware sensors information on some Open Servers.
Refer to sk102193. |
01377392,
01379912,
01418601,
01419376 |
RouteD daemon terminates on Gaia OS after enabling IPv6.
Refer to sk98863. |
01321667,
01323048,
01361452,
01365127 |
"KERPHY0069 Static Arp IP instance does not belong to any existing subnet" error in Clish when running "add arp static" command on VSX gateway.
Refer to sk98852. |
01373582,
01399427,
01378428,
01373903,
01463118 |
RADIUS users with UID=0 and /bin/bash as the default shell, receive UID=96 and do not get the permissions to execute Check Point commands |
01395337,
01395366 |
Clish crashes when logging in to Expert mode from Clish.
Refer to sk113266. |
01377096,
01377305 |
Gaia backup does not collect files from $CVPNDIR/conf/ directory.
Refer to sk99079. |
01455461,
01455632 |
Gaia backup on VSX R77.10 machine does not collect the contents of $CVPNDIR directory.
Refer to sk102027. |
01395540,
01395748 |
Unable to add VLAN in Gaia Portal when interface is not on the same page.
Refer to sk100538. |
01319366,
01321433,
01370011 |
'show rba role monitorRole' command shows that built-in 'monitorRole' can run extended command that are not allowed for the role.
Example:
# show rba role monitorRole
You can find the following line: read-only-feature ext_cphastop.
Refer to sk98115. |
00266007,
00266009,
00266071,
00266277 |
Redistributing interface routes in Gaia Portal from an interface with capital letters in its name (e.g., "Mgmt", "DMZ") fails - only the static routes are exported.
Refer to sk99067. |
01382318,
01382397,
01423823,
01440537,
01475757 |
Clish or Gaia Portal might become unresponsive.
Refer to sk100174. |
00265904,
00265905,
01323107 |
The IPv6 router discovery page in the Gaia Portal shows the 6-in-4 tunnel interface option. This is not a valid option. |
01323103,
00265906,
00265907 |
In the Gaia Portal (Advanced Routing > IPv6 OSPF), if you select a 6-in-4 tunnel for OSPFv3 an incorrect syntax error message shows. |
00265760,
00265682,
01319704 |
In Gaia Portal in VRRP6 section, it is possible to configure a virtual router without a valid link local address. This causes RouteD daemon to crash. |
00265909,
01323097,
00265908 |
In Gaia Portal in VRRP configuration, selecting 6in4 or 4in6 tunnel interfaces causes many syntax error messages. |
00265915,
01348919,
00265812 |
Enhancement: If Gaia Portal -> OSPF -> 'Election Priority' value is deleted, it is reset to default, which is displayed in the Gaia Portal. |
01337071,
01360875,
01360833 |
After connecting to an ISP, the PPPoE Interface in the Gaia Portal is still shown as "Connecting". |
01430768,
01428654,
01400536,
01243892,
01361459,
01430732 |
After upgrading the Gaia OS, querying the SNMP OID 'SysObjectID' returns a specific appliance model instead of "generic Linux system". |
| 01349748 |
An interface Rx/Tx ring size parameter modified in the Gaia Portal does not survive reboot.
Refer to sk100626. |
01381429,
01386313,
01381179 |
RADIUS user connects with UID 96 although UID 0 is configured, and not able to run any command.
Refer to sk98958. |
01323125,
00265902,
00265683 |
When you define a 6-in-4 tunnel interface as an outgoing interface for an fe80 address, a syntax error appears. |
01286240,
01289153,
01289155,
01289156,
01302544,
01320932,
01352385,
01363913,
01396455,
01409261,
01417079,
01426966,
01430143,
01438582,
01463990;
01319377,
01319795,
01319796,
01363914,
01364339,
01369651,
01396470,
01409247,
01417082,
01438584,
01463992
|
Intermittently, non-local TACACS user is not able to login:
Refer to sk97409. |
01148068,
01149572,
01149573,
01149574,
01187282,
01407570 |
'Scheduled Backup' in SecurePlatform WebUI does not work.
Refer to sk92747. |
01360794,
01377768,
01398924,
01418165,
01449155,
01471854
|
Security Gateway might crash when setting MTU of 9000 and above on a Bond interface.
Refer to sk99113. |
01346327,
01346375,
01346679,
01346680,
01350141,
01372665,
01372988,
01378331,
01381375,
01381376,
01381377
|
Gaia OS configured as NTP client responds to NTP queries from hosts.
Refer to sk98287. |
00935189, 00935303, 01075844, 01090386, 01160985, 01180805, 01186421, 01342226, 01456153;
00956291, 00956369, 01082333, 01105026, 01186598, 01342210, 01456165;
01399215, 01401007, 01452067, 01475275, 01595558, 01597357, 01599477 |
/var/log/messages file on Security Gateway running Gaia OS and SmartView Tracker logs from Security Gateway running Gaia OS repeatedly show the following messages about Hardware Sensors:
- Several times per second in /var/log/messages file:
xpand[PID]: Sending request to System Interface
xpand[PID]: The max bit is 0 value is 0 max is 0.000000
xpand[PID]: The min bit is 0 value 0 min is 0.000000
- Every minute:
xpand[PID]: Note: no Name_of_Sensor sensors
Refer to sk79140. |
| Dynamic Routing |
01355732,
00265618,
00265619,
00267091 |
In a cluster configured for PIM SM, RouteD daemon crashes with core dump files on the Standby member. |
00265664,
00265671,
00265953,
00265999,
00266288,
00266364,
00266656,
01367471 |
After a neighboring router restarts, a Security Gateway running OSPF with Graceful Restart Helper fails to re-establish adjacency status with the neighbor. The state shows as 'DOWN' instead of 'FULL'. |
01322077,
01322763,
01322765,
01322766,
01440852 |
When using 'aspath-prepend-count' in routemap for BGP, the prepend count is not exported to the BGP peer.
Refer to sk101789. |
00406474,
00264022,
00266212,
00266273,
01223750,
01140690,
01176722 |
OSPF routes are lost after a long period of time from a cluster member on SecurePlatform OS.
Refer to sk92997. |
01375782,
01382255;
01374376,
01382252 |
RouteD daemon becomes unstable on Gaia ClusterXL when the 'ping' option is set on a static route.
Note: If the nexthop does not respond to the pings, RouteD daemon can still become unstable in certain scenarios.
Refer to sk99025. |
00777831,
01401071,
01400572 |
RouteD becomes unstable, when OSPF and RIP are enabled, and RIP code handles non-RIP routes. |
01350372,
01370331 |
When exporting Static/Direct/RIP routes into OSPF without a routemap, or when not configuring automatic or manual tag, tag value is set to an unexpected value in the uninitiated variable in that function.
Refer to sk98415. |
00265919,
00265305,
00265745 |
Enhancement: Gaia Portal and Clish reject non-local addresses for the bootstrap-candidate field in PIM configuration. |
01319770,
01360831,
01360867 |
Clish command "show route ospf" was modifed to include the tag field in the output. |
01382407,
01382560,
01382407 |
Various PBR commands end with "Invalid gateway address" error.
Refer to sk99124. |
00265918,
00265829,
00265306 |
The CLI command for PIM candidate-rp accepts any non-local IP address as a local address. |
| Identity Awareness |
01323615,
01323845,
01323856,
01323859 |
Custom MSI package for Identity Awareness Multi-User Host Agent (Terminal Servers Identity Agent) requires to enter credentials during the installation, although it should contain pre-shared secret.
Refer to sk97879. |
01336133,
01336588,
01371398 |
Identity Awareness Agent fails to connect after a reboot on Windows XP SP3. |
01360356,
01362304,
01362305 |
PDP Advanced rulebase configuration is not saved when creating a custom Identity Agent. |
01363794,
01363810,
01363812 |
If a permission script is run with the 'username' option, where the user belongs to more than one SID, the script throws an exception. |
01322219,
01342540,
01346299,
01346300,
01346301,
01346386,
01350554,
01355824 |
In Check Point 'Identity Agent - Distributed Configuration' tool - go to 'Server Configuration' pane:
- Add default rule
- Add at least 2 additional rules
- Edit one of these rules
- Inside the rule, all the fields are empty, but when clicking on OK, the the Identity Server's IP address appears correctly in '
Identity Server' column
Refer to sk101894. |
01322471,
01322911,
01322912,
01322913,
01336551,
01363705,
01376783 |
Mobile phone users are logged out from Captive Portal every several minutes during web surfing.
Refer to sk97868. |
01338036,
01354354,
01354355,
01399652,
01399685 |
Identity Agent crashes randomly.
Refer to sk98426. |
01342598,
01370423,
01370424,
01370427 |
In "Identity Agent - Distributed Configuration" window, when changing a regular rule from the middle of the rule base to be a 'default' rule, the list displays the rules incorrectly.
Refer to sk98206. |
01350837,
01352695,
01353620,
01353766 |
When an LDAP group is nested in another LDAP group, and the parent group is used in an 'AccessRole', users in the nested group will not be identified as part of the parent group and will not be assigned to this 'AccessRole'. As a result, enforcement based on this 'AccessRole' (within Firewall, Application Control, etc. policies) will be incorrect.
Refer to sk98328. |
01364961,
01373957,
01366849,
01372531 |
Identity Agent is disconnected from Security Gateway, and it takes a long time to reconnect.
Refer to sk99030. |
01362283,
01363268,
01363270,
01432221,
01439398,
01456751,
01460002 |
HTTP connections for TCP services with non standard HTTP ports (e.g., port 5555, instead of port 80 or port 8080) are not redirected to Captive Portal.
Refer to sk99030. |
01339379,
01354358,
01354359,
01399654,
01399710 |
Roaming does not reactivate after Identity Agent disconnects and then reconnects. |
01342605,
01346287,
01346288,
01346298 |
In Check Point 'Identity Agent - Distributed Configuration' tool - go to 'Server Configuration' pane:
- When editing a default rule, radio buttons for '
IPv4 Range' and 'AD Site' are available and can be selected. However, after clicking on OK, the changes are not applied.
- '
Subnet Mask' for 'IPv4 Range' can be assigned an invalid value (e.g. 1.1.1.1).
- '
AD Site' can be assigned empty.
Refer to sk99014. |
01353767,
01355483,
01355484,
01398550 |
PDP daemon might crash when PEP daemon disconnects from it.
Refer to sk98526. |
01341104,
01354356,
01354357,
01368947,
01399655,
01399725 |
Identity Agent roaming is not activated on hosts with Windows Vista or later versions. |
01349619,
01351284,
01351285,
01357977,
01362696,
01457006 |
PDP daemon crashes with core dump files after upgrading to R77.
Refer to sk98342. |
01349850,
01408224,
01408077 |
When configuring the Microsoft NPS (Windows RADIUS Server) with RADIUS accounting, this causing the "RADIUS packets are not parsed correctly" error message by parsing Vendor-Specific attribute, where data was changed from one value to multiple values. |
01383383,
01382233,
01382918 |
Kerberos Authentication timeout for Browser-Based Authentication.
Refer to sk100168. |
| Anti-Malware |
01369179,
01316402 |
Firewall drops DNS Queries when the AD Bit is set (1) - RFC allows it. RFC 6840 (DNSSEC) section 5.7 (Setting the AD Bit on Queries).
Refer to sk97730. |
01371645,
01364092,
01365030,
01421751,
01369833,
01361489,
01367220,
01369323 |
Check Point Online Web Service failure. "Refer to sk74040 for more information" log appears repeatedly in SmartView Tracker when Anti-Virus or Anti-Bot or both are enabled.
Refer to sk98717, sk95827, sk98285 and sk96192.
|
| UserCheck |
01396595,
01396692,
01397545,
01398410,
01404169,
01404182,
01404184,
01404197 |
Random traffic outages when UserCheck is enabled on Security Gateway.
Refer to sk100505. |
| Application Control |
01382637,
01383002,
01410612 |
Application Control Blade does not block some TCP over DNS applications.
Refer to sk99044. |
01425390,
01456120 |
Security Gateway with enabled Application Control blade might crash after resetting SIC in 'cpconfig' menu and exiting from 'cpconfig' menu.
Refer to sk102121. |
| URL Filtering |
01422411,
01377452,
01379645,
01405849,
01396795,
01404287,
01362385,
01414498,
01366990, 01402500 |
URL Filtering drops the traffic with an "Internal Error" log.
Refer to sk98743. |
| IPS |
01370016,
01371192,
01381780 |
PPTP GRE connections are not deleted from Connections Table when IPS inspection for PPTP is enabled.
Refer to sk100201. |
01404684,
01405875 |
The IPS Global exception is not enforced by the "Non Compliant DNS" protection. It is enforced by other protections. |
01371106,
01371106,
01369029,
01373092,
01373146,
01373340 ,
01373341,
01374176,
01374992,
01375066,
01379576,
01380064,
01380537,
01380654,
01380694,
01380904,
0138129 ,
01407054 |
Some protections do not work for specific HTTP evasions.
Refer to sk98814. |
01341601,
01345469,
01352653,
01356253,
01356256,
01377944,
01379164,
01379826,
01379870,
01381145,
01384008,
01392357,
01392855,
01399478,
01402849,
01415574,
01426888,
01470230 |
Traffic rate is decreased significantly when assigning any IPS profile other than 'Default_Protection'.
Refer to sk92527. |
| 01367531, 01375276, 01375404, 01375414, 01375713, 01375715, 01375716, 01380512, 01511033 |
IPS protection "TCP Off-Path Sequence Inference" drops TCP "RST" packets with "ACK" value 0.
Refer to sk104640. |
| DLP |
01407930,
01409377,
01410583,
01465357 |
Memory consumption on DLP Gateway constantly increases when SMTP / HTTP inspection is enabled.
Refer to sk102211. |
| Threat Prevention (Anti-Bot / Anti-Virus / Threat Emulation) |
00522494,
00532012,
00668652,
00858519,
00861495,
00875802,
00899420,
01145587,
01383108,
01383190 |
FTP connection in Passive Mode does not work after configuring Anti-Virus Blade to scan FTP traffic.
To enable the fix, set the value of kernel parameter 'fw_ftp_allow_double_parenthesis_termination' to 1.
Refer to sk45085. |
01377195,
01379692,
01468191 |
Security Gateway with enabled Anti-Virus blade might crash during Anti-Virus scan of a file transferred over File Share (Common Internet File System, CIFS).
Refer to sk102488. |
01380688,
01467858 |
Security Gateway with enabled Anti-Virus blade / Anti-Bot blade and policy 'Action' set to 'Prevent' might crash under high load.
Refer to sk102489. |
| Internal CA |
01323357,
01343905,
01346144,
01346145,
01362289,
01427578 |
ICA Tool does not show 'Expired' status for expired certificates (certificates still appear as 'Valid').
Refer to sk101049. |
| Mobile Access |
01344463,
01356902,
01374713,
01400844 |
Mobile Enterprise clients get disconnected and must relogin after enabling Hostname Translation (HT) on Mobile Access gateway.
Refer to sk98199. |
01346097,
01347184,
01353120,
01347202,
01381192 |
When accessing Outlook Web Access (OWA) through the Mobile Access Portal, this message shows: "Error: Access Denied. The format or content of your request has been detected as invalid or unsafe (400)."
Refer to sk98215. |
01351290,
01353108,
01356928 |
When you upgrade a VSX Gateway from R77 to R77.10, before enabling the Mobile Access Software Blade, it is necessary to install an upgrade package on the VSX Gateway.
Refer to sk98352. |
01054881,
01363324 |
Secure Network Extender fails to resolve DNS through proxy. |
01322353,
01322920,
01322922,
01377737 |
When a browser sends a cookie that it got from another page on a different port, the Mobile Access gateway does not recognize the cookie. |
01365409,
01365508 |
Multiple Authentication Schemes with certificate not enforced correctly on Check Point Mobile VPN clients.
Refer to sk98592. |
01365190,
01392800 |
Enhancement: Improved /cvpn/Scripts/sendsms script. |
01410021,
01410492,
01422633,
01433800 |
Link Translation fails to translate HTML pages with correct content type.
Refer to sk101076 |
01353168,
01353697,
01353705 |
Links with Unicode Hexadecimal encoding are not translated by Mobile Access Path Translation (PT).
Refer to sk98976. |
01386027,
01391576 |
When using the SSL Network Extender inside a Secure Work Space, after 10 minutes it stops working. |
01373378,
01374229,
01377765,
01420441,
01455351 |
Citrix StoreFront main page is not loaded through the Mobile Access.
Refer to sk100322. |
01396169,
01398504 |
If Simultaneous Login Prevention (SLP) is enabled, the SharePoint session disconnects after you open a Microsoft Office document. |
01206850,
01207032,
01207033,
01207466,
01367463,
01463847 |
SNX client is rejected with "Access denied - wrong user name or password" error in Mobile Access Portal when trying to change the password.
Refer to sk95026. |
01426823,
01427362,
01427363,
01469797,
01470830 |
Mobile Access Portal might become unstable if an authenticated user sends a password that contains Extended ASCII characters (e.g., euro ).
Refer to sk102487. |
| SSL Network Extender |
01363323,
00544011 |
SSL tunnel will sometimes terminate on failure to send data. |
| 01207032 |
"Access denied - wrong user name or password" error when using password with special characters. |
| SecureXL |
01005615,
00262552,
00262768,
00263066,
00263390,
00263494,
01025284 |
Endpoint client fails during policy installation when SecureXL is enabled. |
01379842,
01383740,
01384330,
01405757,
01407753,
01412661,
01429733 |
Some pings are lost when passing through Security Gateway with enabled SecureXL.
Refer to sk99112. |
01407414,
01409468 |
SecureXL sends ICMP Fragmentation packets even if the DF flag is off. |
01383940,
00266263 |
SecureXL gets disabled automatically after upgrade to R77.10.
Refer to sk99041. |
01405942,
01398592,
01398302,
01418762,
01421012 |
The output of fwaccel stat command shows:
Accelerator Status : off by Firewall (too many general errors (Number_Larger_than_10) (caller: cphwd_offload_drop_templates))
Refer to sk100467 (Scenario 1 - Number of elements in kernel table 'src_ranges_list' exceeds the limit). |
01407353,
00266535,
00266599,
00266601,
00266763,
01414222,
01438463,
01438902 |
SecureXL drops UDP connections with "Dropped Traffic: dropped by handle_outbound_pac, Reason: connection not found".
Refer to sk101134. |
01403403,
01407248,
01412797,
01429528,
01433211 |
SmartView Monitor shows incorrect traffic amounts when SecureXL is enabled.
Refer to sk101107. |
01336995,
00265456,
00266019,
00266053,
01341519,
01364424,
01364425,
01365920,
01399776
|
IPS protection "Sequence Verifier" drops legitimate packets when SecureXL is enabled.
Refer to sk98830 |
01269753,
01289912,
00266020,
00266120,
00266148,
01289911,
01289913,
01504572,
01521559 |
Traffic sent over VPN tunnel does not reach its destination because SecureXL does not start fragmenting the packets.
Refer to sk98070. |
01337381,
00266060,
00266160,
00266427,
00266654,
00266716,
01551843 |
Security Gateway with enabled SecureXL might crash when available memory is low.
Refer to sk102719. |
| Security Management |
| 01368104 |
In SmartView Tracker, DLP email log, if you select Send, this message shows: "This action is only supported on gateways that are version R75.20 and higher". |
00949658,
01339246,
01339247,
01339252 |
Memory leak in FWM daemon. |
01381866,
01386063,
01395376 |
FWD daemon might crash under debug. |
01340456,
01340731,
01340734,
01346077,
01393797,
01413728,
01426136,
01448520,
01453279 |
Policy Verification takes very long time and eventually times out.
Refer to sk98106. |
01361034,
01361390,
01361391,
01453256 |
When converting Standalone to Full HA there are 2 parameters that are not "transferred" to members from the cluster member.
Refer to sk98697. |
01338842,
01340526,
01340527 |
Policy installation in SmartDashboard connected to Secondary HA Management Server fails with "No License to Manage QoS UTM-1 Sites" error.
Refer to sk98097. |
01378687,
01380213 |
Login to SmartLog with a Global Manager username (from SmartDomain Manager) fails with: "The connection to Multi-Domain Server has been refused because the database could not be opened". |
01047516,
01366704,
01368761 |
When policy is installed from Secondary Management server, Endpoint Connect fails with error 'OM: xxxx tried to connect, but you have reached the number of purchased licenses'. |
| 01192796 |
If Enable drop optimization feature is enabled in an R76 Security Gateway object (SmartDashboard -> R76 Security Gateway Properties -> Optimizations pane), policy installation can fail on R76 Security Gateway. |
01360844,
01362223,
01362224 |
The $CPDIR/tmp/ directory is filled with 'file...' files.
Example:
[Expert@HostName]# ls -l $CPDIR/tmp/file*
...
-rw-rw---- 1 admin root 771506 Jan 13 13:01 /opt/CPshrd-R77/tmp/fileR5LELI
-rw-rw---- 1 admin root 904722 Jan 13 13:25 /opt/CPshrd-R77/tmp/fileRcK0nz
-rw-rw---- 1 admin root 240090 Jan 13 13:25 /opt/CPshrd-R77/tmp/fileRfA9jP
Refer to sk98567.
|
01391939,
01392258 |
Policy installation becomes unstable when Application Control or URL Filtering blade is enabled. |
01400327,
01419340,
01400566,
01400243 |
Management HA status changing from Synchronized to Lagging approximately every two hours.
Refer to sk100555. |
01406724,
01407013 |
The fwm logexport command fails with 'Error: Failed to read field FollowUp' after enabling Anti-Virus / Anti-Bot blades.
Related to sk91620. |
01402368,
01402165 |
"License allows only a single Virtual System" error message during policy installation.
Refer to sk100463. |
01407810,
01410109,
01419951,
01433897,
01436598 |
In a Management HA configuration, when changing the rulebase and saving it, the audit log record for the automatic sync shows an incorrect client IP address. |
01368631,
01371531,
01427548 |
Resource field shows "*** Confidential ***" in Application Control / DLP logs on 3rd party LEA OPSEC client when using Permissions Profile.
Refer to sk101570. |
01415906,
01456935 |
FWD daemon crashes on Security Management Server / Domain Management Server with core dump file when creating new Security Gateway objects with Identity Awareness blade.
Refer to sk102120. |
01349964,
01352693,
01352694,
01396070,
01404453,
01413833,
01421334,
01453206 |
SmartView Tracker does not display any logs when filtering in 'Origin' column by Security Gateway's object name.
Refer to sk98349. |
01357827,
01360076,
01360258,
01360259,
01395307,
01426058,
01426251 |
ClusterXL with ISP Redundancy sends VPN traffic with wrong source IP address after VPN link failover.
Refer to sk98532. |
| Multi-Domain Security Management |
01366715,
00499297,
00816100, 00525150, 00929341 |
Administrator names cannot include the "@" and "\" characters.
To enable this fix, set this environment variable on the Multi-Domain Server and Security Management server: CP_P1_DISABLE_STRICT_ADMIN_NAME_VALIDATION
Refer to sk44759 |
01392300,
01395213 |
If you add a second Domain Management Server (DMS) or a Domain Log Server (DLS) to an existing domain it will be created with the wrong software version (R77 instead of R77.10).
Refer to to sk98809. |
01404568,
01404266 |
SmartUpdate does not support Linux50 packages.
Refer to sk100946. |
01427929
|
Size of $MDSDIR/log/cpwd.log file grows rapidly (to several gigabytes) on Multi-Domain Server.
Refer to sk109675. |
01322609,
01322803,
01322804 |
"The Global History file is not found" error in SmartDomain Manager. Related to sk97812. |
01353886,
01365307,
01365309,
01378060 |
Session description information is not provided in Domain Management Server "change-to-active" audit log.
Refer to sk98695. |
01364741,
01366005,
01366007,
01368102 |
SmartView Tracker is not able to fetch firewall log file from Security Gateway.
Refer to sk98647. |
| 01380563, 01380792, 01815829 |
Output of 'top' command shows that threshold_config process consumes CPU at 100% on Multi-Domain Security Management Server.
Refer to sk99081.
|
| SmartDashboard, SmartView Tracker and SmartView Monitor |
01371627,
01372064,
01372714,
01372855,
01374089,
01375067 |
When using a trusted link with site-to-site VPN, the tunnel is down because the unencrypted tunnel test packets are dropped. |
01362293,
01365748,
01365750 |
The View Rule option in SmartView Tracker does not show the rule.
Refer to sk98716. |
01346262,
01343273,
01346260 |
When selecting SmartDashboard -> File menu -> Installed Policies -> select policy for a Virtual Router -> View Policy, the operation fails with "View Installed Policy operation failed" error.
Refer to sk98275. |
01382864,
01382987 |
When a rule name contains non ASCII characters, policy installation fails with the error "Load on module failed - failed to load security policy".
Refer to sk33893. |
01382845,
01382196,
01382427 |
Right-click on APN (Access Point Name) object causes SmartDashboard to become unstable.
Refer to sk99127 |
01402103,
01405328,
01405435 |
"Where Used..." dialog shows interface UID and not its name. |
01370009,
01370366 |
SmartView Tracker - View menu -> Query Properties option is always selected (although clicking on this option toggles the Query Properties filter window correctly).
Refer to sk99077. |
01351236,
01350069,
01381412,
01351234,
01401893, |
cpstat os -f routing command and Smartview Monitor show nexthop as 0.0.0.0
Refer to sk98420. |
01149900,
01295432,
01358114 |
Following a migrate, and prior to explicitly installing a policy, editing a VSX cluster object will result in overriding the existing policy with a default one. |
01312882,
01313567,
01319015,
01406001 |
Search-Field in Mobile Access policy does not work when connected with SmartDashboard in Read-Only mode. |
01373058,
01373864,
01410456 |
SmartDashboard does not accept usernames or passwords longer than 30 characters.
Refer to sk99020. |
01352011,
01373827 |
If you configure a cluster with the same IP address as Cluster IP already configured on the interface of the cluster node, there is no error message.
Refer to sk100211. |
01368608,
01405357,
01371697 |
When exiting SmartDashboard, if "Find in Rule Base" window (still) open, SmartDashboard crashes.
Refer to sk98952. |
01352197,
01354317,
01354318 |
In SmartDashboard, when creating new object with space in its name, space is changed to underscore "_".
Refer to sk98455. |
01342385,
01347611,
01347612,
01412607 |
When changing placeholder's state only (expanding / collapsing without any database changes), the changes are not saved.
Refer to sk98278. |
| SmartEvent / SmartReporter |
| 01375792 |
"Check Point SmartEvent Client experienced a serious problem and must close immediately..." when trying to connect with SmartEvent GUI to SmartEvent Server for the first time after upgrade to R77.10.
Refer to sk98878. |
01337798,
01338189,
01338190,
01400331 |
Using an external script in "automatic reactions" in SmartEvnet does not work.
Refer to sk97632. |
01361419,
01363419,
01363421,
01368780,
01370804,
01395373,
01447069,
01449264,
01453125 |
R77.10 Log Server stops forwarding logs to LEA clients:
- New events are not coming to SmartEvent.
- Logs are not processed by SmartReporter consolidation session.
- Logs are not forwarded to 3rd-party OPSEC clients.
Refer to sk98588. |
01339672,
01339954,
01352471,
01374073 |
SmartEvent 'Top Users By Traffic' view does not show any events for Active Directory users.
Refer to sk98092. |
01339272,
01379224,
01339952,
01339953 |
Country filter in SmartEvent returns empty for countries with apostrophe, such as Cot'e Divor. |
01338561,
01338574,
01338575,
01383641 |
In Network Activity report, the total network traffic in the 'Summary' section is smaller than the total traffic in the 'Top Network Activity' section.
Refer to sk98073. |
01339464,
01339214,
01340543 |
Value of 'days_to_keep' configured per sk69706 is not applied.
Refer to sk98095. |
01346234,
01346578,
01375667,
01346579 |
SmartEvent reports fail with no data found, if AD name has a comma (,) in it.
Refer to sk98275. |
01380916,
01381197 |
SmartReporter license for 25 Security Gateways allows only 20.
Refer to sk99111. |
01382558,
01382557 |
Timeline View section is empty in SmartEvent GUI client.
Refer to sk98900. |
01368648,
01371514,
01371650 |
SmartEvent keeps old events longer than configured.
Refer to sk99021. |
01340644,
01340537,
01340359,
01383941 |
Network Activity by Date shows duplicate week entries. |
01385997,
01384305 |
Cannot query event if UserName contains quotes comma apostrophe.
Refer to sk99043. |
01377756,
01403467,
01377610,
01395497 |
When trying to restart an existing session / create a new consolidation session, it appears to start, then the status goes into 'Abort' almost immediately.
Refer to sk99080. |
01400328,
01400316 |
When you generate a DLP report with a filter in SmartEvent, we get the following errors:
Unable to complete generation for: Section: 5. DLP User Actions by User Unit: 5.1 DLP User Actions by User
Additional information:
:ERROR: column "dlp_violation" does not exist
LINE 1: ..._VIEW ON (TEMP_VIEW.rowid=USERS_VIEW.eventid, dlp_violat...
Refer to sk100547.
|
01370563,
01371218 |
The SmartEvent GUI client becomes unstable when creating an event based on an existing event from the "Mobile Access" group.
Refer to sk99110. |
01313659,
01336916,
01336955,
01319013 |
After an upgrade, SmartEvent does not show any events and shows an error "No connection to correlation unit".
Refer to sk97632. |
00863374,
00866796,
00905558,
01079529,
01127897,
01140149,
01186407,
01226490,
01227438,
01227439,
01227440,
01265819,
01374971,
01375023 |
In E-mail alerts sent by SmartEvent, the user name field contains '*** Confidential ***' instead of real data.
Refer to sk68020. |
01410542,
01410560,
01410563,
01465990 |
Memory leaks in cpsemd process on SmartEvent server when it fails to connect to log storage.
Refer to sk102266. |
| SmartProvisioning |
01319138,
01317912,
01344395 |
Filtering by 'Firmware' does not work.
Refer to sk98092. |
| SNMP |
01311922,
01320010,
01320011,
01365028,
01367709,
01412793 |
SNMPD daemon fails to start / crashes on Gaia OS.
Refer to sk98324. |
01323376,
01324127,
01324128,
01351121,
01351585,
01366207,
01461578 |
SNMPD process crashes with "Segmentation fault" error.
Refer to sk98066. |
01392172,
01392626,
01400511 |
Not able to load the Check Point MIB files from R76SP into MIB Browser (e.g., CA Spectrum OneClick) - MIB Browser shows multiple errors:
- Could not parse the file CHECKPOINT-MIB.
- Could not parse the file CHECKPOINT-GAIA-TRAP-MIB.
- The MIB CHECKPOINT-MIB referenced by the selected file appears to contain more than one MIB definition.
- The MIB RFC1155-SMI referenced by the selected file appears to contain more than one MIB definition.
Refer to sk100169. |
01373662,
01375761 |
MIB tree in the $CPDIR/lib/snmp/chkpnt.mib file is missing OID branches, which appear in the output of snmpwalk command:
- 1.3.6.1.4.1.2620.1.1.26.11.1.0
- 1.3.6.1.4.1.2620.1.1.26.11.2.0
- 1.3.6.1.4.1.2620.1.1.26.11.3.0
- 1.3.6.1.4.1.2620.1.1.26.11.4.0
|
01376058,
01376770,
01379432,
01401320 |
CPD daemon crashes due to a file-descriptor leak, if SNMP traps are enabled with the threshold_config command. |
01402619,
01402835 |
Description of SNMP OID 1.3.6.1.4.1.2620.1.38.24.1.5 (identityAwarenessDistributedEnvTableStatus) in the $CPDIR/lib/snmp/chkpnt.mib file is incorrect.
Refer to sk100990. |
01373656,
01375758 |
MIB syntax causes a Java error in HP Network Node Manager (NNM) when working with Check Point MIB file$CPDIR/lib/snmp/chkpnt.mib file. |
01378261,
01378643,
01394806 |
SMI syntax error in Check Point MIB file$CPDIR/lib/snmp/chkpnt.mib file:
- extra comma after 'haClusterSyncNetMask' before closing bracket '}' in 'HaClusterSyncEntry'
- extra comma after 'svnNetIfOperState' before closing bracket '}' in 'SvnNetIfTableEntry'
Refer to sk73440. |
01386495,
01386346,
01401324 |
The snmpwalk command for Check Point OID 1.3.6.1.4.1.2620 stops in the middle of the query with "Timeout: No Response from" error, and core dump files are created for snmpd process in the /var/log/dump/usermode directory.
Refer to sk100193. |
01398870,
01399409,
01418605,
01440524,
01453530,
01469745 |
SNMPD process crashes with core dump files.
Refer to sk100514. |
01382326,
01386014,
01394013 |
The SNMP query for IP-FORWARD-MIB::ipCidrRouteMask shows output of mask in reversed-endian order. |
01355690,
01363319,
01363321,
01381841,
01391819,
01407756,
01414243 |
SNMP query for any OID under 1.3.6.1.4.1.2620.1.6.7.5 (multiProcTable) returns 0 (zero).
Refer to sk98570. |
01311467,
01311997,
01311998,
01311999,
01392708,
01428858,
01430113 |
SNMPD daemon crashes. |
01323200,
01336334,
01336335,
01364361,
01364471,
01380312,
01407801,
01433095 |
The SNMP agent stops working correctly after a period of time. |
| QoS |
01343078,
01355467,
01371032 |
VPN traffic might be dropped in some cases on Anti-Spoofing when SecureXL and QoS are enabled on R77.10 Security Gateway.
Refer to sk98172. |
| VPN |
00833986,
00835824,
01101966,
01104905,
01379596,
01379730,
01461368 |
VPND daemon might crash during policy installation.
Refer to sk102716. |
01352900,
01353061,
01353062,
01355363,
01372789,
01372862,
01374864 |
VPND memory usage rises steadily until the machine runs out of memory.
Refer to sk98388. |
01361432,
01362498,
01362506,
01362507,
01379840,
01414249 |
When you open the VPN SSL Network Extender portal in Internet Explorer 11, SSL Network Extender will only start in Java, not ActiveX. |
01371627,
01372064,
01372714,
01372855,
01374089,
01375067 |
SmartView Monitor shows that a tunnel is down when using link selection with a trusted link. |
| 01360917 |
There is no way to set waiting time for smaller packets before fragmentation. Fix: new global variable 'ipsec_mtu_icmp_wait_timeout' was introduced. It can be set to values from 1 to 10 |
01382259,
01395861,
01395878,
01395881,
01395884,
01395885,
01395888 |
Remote access VPN clients (IPsec) connect with Visitor Mode (TCPT) during install policy instead of NAT-T. |
01266307,
01361806,
01417081 |
VPN shell command option 'tunnels/' is not supported on Gaia. |
01360983,
01361317,
01361503,
01361504 |
VPND stability issue with L2TP clients. |
01398492,
01337987,
01403407 |
VPND becomes unstable when many applications, rules, or user groups are defined in Mobile Access Software Blade policy.
Refer to sk100488. |
01381022,
01381542,
01412083,
01459083,
01468193 |
Traffic over remote access VPN tunnels is interrupted during policy installation onto VPN Gateway.
Refer to sk98914. |
01217021,
01361797 |
IKE selectors are not chosen properly when ike_use_largest_possible_subnets is false.
Refer to sk101219. |
01395232,
01396707 |
Users cannot use the real IP address of DAIP gateway when using the 'vpn tu' command.
Refer to sk100346. |
01231095,
01231254,
01231255,
01231256,
01234787,
01262160,
01361863,
01383011,
01465966 |
"Failed to allocate an IP address" error when using 'ipassignment.conf' file to assign Office Mode IP address and Check Point Mobile VPN clients for Android/iOS.
Refer to sk95088. |
| VSX |
| - |
IP addresses that belong to VSX Internal Communication Network appear in routing tables and are published by dynamic routing protocols.
Refer to sk102177. |
| - |
SmartDashboard and 'ifconfig' command show different IP address for interfaces of VSX objects.
Refer to sk92596. |
01258154,
01347285,
01356724 |
VPN configurations that use the IP-per-user and IP-Pool-per-group features may not work correctly on the Virtual Systems because $FWDIR/conf/ipassignment.conf file contains identical configuration on all Virtual Systems.
Refer to sk97992. |
01394079,
01397060 |
After adding a new USM (User-based Security Model) user, query from vs0 on vs2 works with user credentials, but after setting the SNMP agent off and on again, same query with same user credentials responds with: "snmpwalk: Unknown user name".
Refer to sk100218 |
01351290,
01353108,
01356928 |
Mobile Access blade does not function as expected when enabled on Virtual Systems of a VSX gateway that was upgraded from R77 to R77.10.
Refer to sk98352 for upgrade package download and installation instructions. |
01290516,
01295822,
01359798,
01338428,
01358508 |
Gaia Clish command "show virtual-system all" displays empty virtual system list when logging with TACACS+ / RADIUS user (non-local) to VSX Gateway.
Refer to sk105342.
|
01402165,
01402368 |
"License allows only a single Virtual System" error message during policy installation.
Refer to sk100463 |
| 01394915 |
When using vsx_util change_private_net to change an IPv6 address, you must supply an IPv4 address, even if the addresses were not changed.
Refer to sk117062.
|
01375670,
01370177 |
The CoreXL tab in the Virtual Sysyem object is empty. |
| 01415541 |
Enhancement: Rate limiting for each Virtual System in VSX is supported. Run: "vsenv VSID" in Expert mode, or "set virtual-system VSID" in Clish, and then run the "fw samp ..." commands.
Refer to sk112454 - How to configure Rate Limiting rules for DoS Mitigation.
|
01291155,
01347249,
01347240,
01347249,
01356757 |
Remote Wipe on a Check Point Mobile Enterprise, connected to a Virtual System, takes effect up to 24 hours after its user certificate has been revoked. |
01321032,
01347407,
01356785 |
The vsx_util add_member command does not work with IPv6 address.
Refer to sk97995. |
01262108,
01358857,
01359659,
01362993,
01373866 |
On VSX machine, output of Clish command 'show arp' shows the ARP table only for Virtual System 0, even if the command is run from a context of the different Virtual System.
Refer to sk98003. |
| 01372432 |
Policy installation on VSX gateways (of version VSX NGX R65) fails when 140 or more VPN communities are in use.
Refer to sk25827. |
01383273,
01384856,
01392830,
01394068,
01415010,
01424740,
01440515,
01444143,
01444357 |
SNMP query for OID 'vsxCounters' (.1.3.6.1.4.1.2620.1.16.23) returns incorrect values after deleting a Virtual System.
Refer to sk101477. |
01279754,
01471922,
01471953 |
Traffic outage might occur through Virtual Systems with enabled Application Control blade.
Refer to sk102720. |
01368553, 01368927, 01401772, 01475358, 01572817;
01392700 |
Traffic passing through the VSX cluster is lost (during more than several seconds) when cluster state of Standby member changes:
- if a cable is disconnected from the Standby member and then reconnected
- if a switch port, to which the Standby member connects, is shut down and then brought up
Refer to sk104567.
|
| 01386051, 01749692, 01769512 |
Output of "ifconfig <Name_of_Interface>" command in the context of VSX cluster member (VS0) shows wrong IP address.
Refer to sk108700.
|
| 00972349, 01368630, 01749694 |
Output of "ifconfig" command in the context of Virtual Systems shows Internal Communication (Funny) IP addresses instead of Real IP addresses.
Refer to sk108699.
|
01380189, 01381264, 01568713, 01380553
|
Multi-Queue configuration might be reset during reboot on VSX Gateway.
Refer to sk98945. |
| Compliance Blade |
01345316,
01355290,
01371433 |
Compliance Blade does not recognize network objects after advanced upgrade from R77 to R77.10 / R77.20.
Refer to sk98204. |
01395492,
01472683,
01470595 |
Stealth Rule compliance check does not work as expected. See sk102424. |
| VoIP |
01386074,
01392936 |
SIP call fails - call receiver can hear voice, call initiator can not hear voice from call receiver.
Refer to sk100410. |
01379712,
01383038,
01413378,
01379691,
01383036,
01413392 |
External VoIP phones are not able to connect to Internal VoIP phones (behind the Security Gateway) that use Gatekeeper because 'alternativeAddress' in H.225 Facility Message payload is not NATed.
Refer to sk98970. |
01375859,
01376023,
01376384,
01402195,
01402203,
01402212,
01402215,
01404681,
01405846,
01410025 |
MGCP traffic is dropped with log "Response to unknown Request. Bad Call-ID" after upgrade to R76 / R77 / R77.10.
Refer to sk99026. |
00362320,
00374502,
00413223,
01391913,
01392318,
01415004,
01419975,
01461248 |
SIP connections may be regularly dropped with "Number of reinvites exceeded the limit" error.
New "sip_expire" parameter added to enable users to customize how much time a registration request should take. |
| Endpoint Security Unified Management |
01360520,
01386165 |
In Web Remote Help, user name auto-complete only works for login name, common name, and display name.
Resolution: run this script to configure name types for autocompletion: $UEPMDIR/system/install/wrhAutoCompletionConfig |
| 00673732 |
Full Disk Encryption clients on Mac computers show dynamic token (challenge/response) in Preboot, but it is not supported. |
| CoreXL |
01418503,
01366672,
01365459,
01400272,
01365150,
01284703,
01365149,
01380924,
01407041,
01365460,
01366671,
01403930 |
Kernel debug fw ctl debug command is not applied to all CoreXL FW instances:
- Kernel debug is disabled only for CoreXL FW instance 0 (and not for all instances)
- Kernel debug flag 'all' is enabled only for CoreXL FW instance 0 (and not for all instances)
- Kernel debug specified flags are enabled only for CoreXL FW instance 0 (and not for all instances)
- The CPU consumption may remain high after running the 'fw ctl debug 0' command
Refer to sk98625. |
| Appliances |
01405092,
01405869,
01405909 |
Policy installation on 1100 appliance fails with 'Failed to generate the rulebase' error.
Refer to sk100613. |
01401717,
01207926,
01407638,
01408221 |
Output of "show asset" command does not show the CPU model and CPU frequency properly.
Refer to sk100468. |
| IPSO |
| 01397287 |
VPN traffic with IKEV1, B-GCM-256, or B-GCM-128 on IPSO gateways does not work with SecureXL.
Workaround: Disable SecureXL to use these encryption methods. |
00209685,
01372378,
01378009,
1380848 |
CPSNMPD process consumes CPU at high level on IPSO OS.
Refer to sk40258.
|
| HTTPS Inspection |
01372343,
01398701,
01372648,
01402055,
01422259 |
Occasionally, certificate errors appear for some HTTPS sites, although HTTPS Inspection policy is configured to 'Bypass' these sites.
Refer to sk98972. |
