This is a live document that may be updated without special notice. We recommend registering for our weekly updates in order to stay up to date. To register, go to UserCenter > ASSETS / INFO > My Subscriptions.
When upgrading from R77, R77.10 or R77.20 to R77.30, the following error might appear:
***********************************************************
Welcome to Check Point R77.30 installation
***********************************************************
There is insufficient disk space for the installation of this application.
In order to install this application <VOLUME-SIZE> MB is required under <PARTITION>
Distribution of a R77.30 package in SmartUpdate R77.20 to Security Gateways R77.20 fails when the option "Revert installation to image on failure" is enabled. Refer to sk101438.
-
Upgrade from R77.20 with hotfix "R77_20_HF9" ("Bar Mitzvah", sk106478) to R77.30 fails due to a fix conflict as this hotfix is not included in Check Point R77.30. Follow the instructions in sk107233.
01281332
Upgrade process to Gaia R77.30 on HP platforms that use CCISS driver might end with unresponsive system. Refer to sk106708.
01620955, 01623073
If you install the R77.30 Add-on on a Security Management Server / Multi-Domain Security Management Server running on Gaia OS using CPUSE in Gaia Portal, then you must reboot the server after R77.30 Add-on installation is complete. Otherwise, some Check Point processes might not start correctly.
01638230
The Check Point trial license is not retained during an upgrade to R77.30 using CPUSE in Gaia Portal. Install a standard Check Point license before the upgrade.
01658826
If R77.30 Add-on package (that was installed using CPUSE in Gaia Portal on another machine and then exported using CPUSE) is manually imported using CPUSE, it appears in the "Minor Versions (HFAs)" section instead of the "Hotfixes" section. In addition, the "Re-install" option is enabled, although it should be disabled.
01622674
The error message "FW1: Internal error - failed to determine operation mode" can be ignored in R77.30 Add-on installation log files (/opt/CPInstLog/install_scrub_plg_R77.elg and /opt/CPInstLog/install_indicators_plg_R77.elg).
01611022
If you have gateways of different R77 versions and GX is enabled on a R77.30 Security Gateway only, policy installation will fail. Solution: Use the "Install On" column for the GTP rules.
01362643, 01416065, 01614707
During in-place upgrade from VSX R77.x to VSX R77.30, the $FWDIR/conf/amon_vsx_refresh_interval file is overwritten. If the refresh interval of VSX SNMP counters should be a value other than default 30 (seconds), you will have to edit the file manually after upgrade as described in sk101713 (and in sk97947).
01666916
If Multi-Domain Security Management Server was upgraded from SecurePlatform OS to R77.30 Gaia, you must manually install the latest build of Deployment Agent to use CPUSE. Refer to sk92449.
01679305, 01680971
To upgrade from R77.20 Endpoint Security Manager on Gaia OS, which runs with Java 64-bit:
Gaia OS: Clean install from USB device fails on Open Server because the installation process (anaconda) includes the USB installation media as part of the installation target. Refer to sk100566.
01395379
Red Hat Linux OS: When installing Multi-Domain Security Management Server, the server's IP address must be manually defined in the /etc/hosts file before the Check Point products are installed.
01530062
Red Hat Linux OS: If you installed the R77.30 Add-on on top of Multi-Domain Security Management Server, then you must uninstall the R77.30 Add-on before you can configure the Multi-Domain Security Management Server.
Gaia
-
Hardware Sensors readings are incomplete on 15000 and 23000 appliances until the Gaia First Time Configuration Wizard is run. Refer to sk114595.
-
Timeout when trying to assign IP addresses to more than 200 VLANs on 23800 appliance running R77.30 Gaia OS Build 18. Refer to sk120553.
01816080, 01822237, 01822236
DHCP Relay and DHCP Server do not function when configured together on the same Gaia OS.
Between DHCP Relay (routed) process and DHCP Server (dhcpd) process, the last process to start up will receive all the UDP unicast traffic. The first process sees no unicast traffic.
Both DHCP Relay (routed) process and DHCP Server (dhcpd) process will see UDP broadcasts.
If DHCP Server (dhcpd) process starts first, then this joint configuration will work, because dhcpd process only cares about UDP broadcasts. If DHCP Relay (routed) process starts first, then this joint configuration would fail to work, because the replies from DHCP Server that should be relayed are UDP unicasts.
Timezone data of a few regions is missing from Gaia OS R77.30. Refer to sk105902.
01561217, 01561480, 01564882, 01566775
kipmi0 daemon consumes CPU at 100% on Open Servers running Gaia OS. Refer to sk104316.
01621547
In a Hyper-V environment, the Virtual Machine's clock (OS time) moves faster than the hardware (Host) time. As a result, the Virtual Machine's clock drift can accumulate rapidly and prevent NTP from working correctly. Refer to sk105862.
01691878, 01693135, 01692055
"This page is currently in read only mode, the requested action cannot be performed" message appears in Gaia Portal when logging in with the TACACS+ user and clicking on the "Enable TACACS+ authentication" button at the top. Refer to sk106324.
01695987, 01704522
Scheduled Gaia backup in R77.30 fails to transfer backup file to remote server. Refer to sk106647.
01702790
"libdb set: missing or invalid argument" error in Gaia Portal when creating snapshot. Refer to sk106646.
01687266
"IMAGE MANAGEMENT: going to restore system image .. Error: 'Couldn't connect to /tmp/xgets: No such file or directory" on the console when reverting to snapshot or to factory default image on Check Point appliance. This message can be ignored. Functionality is not affected.
01362834, 01363388, 01749317, 01769560
Gaia configuration commands are not saved sorted in a way that guarantees continuation when loading them. Refer to sk107286.
01696274, 01778888
/var/log/messages file on Gaia OS repeatedly shows:
xpand[PID]: image_mgmt_get_version: version was get from registry major=[X] minor=[.Y]
xpand[PID]: version is X.Y
"Gaia Web-UI recognized a non-valid input data" error when creating a Scheduled Job in Gaia Portal. Refer to sk107513.
01817116, 01820170, 01820171
/etc/snmp/userDefinedSettings.conf file on Gaia OS (see sk90860) is overwritten during a hotfix installation. Refer to sk107861.
01824819, 01826286
"CLINFR0479 You can't start interactive session from another interactive session" error when trying to log in / switch to Clish over SSH. Refer to sk108058.
01865733, 01868095
"SKU is invalid" error when pasting the License "cplic put" string in Gaia Portal and clicking on "OK". Refer to sk108895.
01879767, 01881081
Kernel panic during cpinfo creation due to ip command invoked by cpinfo.
01923939, 01924979
Output of "raid_diagnostic" command shows some garbage characters in "ProductID" field. Refer to sk109612.
01937716, 01937817
Backup restore includes the original MAC addresses of the machine. Refer to sk109934.
01940689, 01944407, 01944426
OSPF configuration cannot be updated/changed in Gaia Portal when working in Internet Explorer (IE) browser - after changing the settings and clicking on "Apply", the settings do not take effect and revert to default settings. Refer to sk109946.
01956738, 01957576
Output of Clish command "show sysEnv all" / Expert mode command "dbget sysEnv:all" is corrupted (text is not ordered). Refer to sk110220.
01956093, 01958751
Clish commands "show configuration" and "save configuration" do not show / save the configured user's "realname". Refer to sk110222.
01989855, 01990930
Security Gateway running on Gaia OS randomly becomes unresponsive when DLP blade is configured with Fingerprinting and external storage repository is used. Refer to sk110801.
01987789, 01996692
"WARNING The following features: NameOfFeature, , provide a privilege level equivalent to that of 'adminRole'" message in Clish when adding some read-only commands to RBA role. Refer to sk110772.
02051292, 02053059
Gaia OS might crash when removing a Bond interface in Gaia Portal. Refer to sk111673.
02045637, 02049302
Proxy ARP table is not loaded after reboot, causing entries to be out of date in the case of bond interfaces that use a different MAC address. Refer to sk111675.
02084298, 02089780
Syslog Protocol version is not sent in syslog packets as per RFC 5424. Refer to sk112159.
02167050, 02184450
Setting state of interface to "off" on Gaia OS does not turn off the link on that interface. Refer to sk112598.
01919246, 02088229, 02091344
eBGP peers connected over an OSPF adjacency are using wrong next hop for BGP routes. Refer to sk112112.
02085699, 02189660
Hardware Diagnostic Tool test fails on "Self-test" for 1GbE expansion cards when an SFP transceiver for RJ45 (Copper) is connected to the appliance. Refer to sk112857.
02332735, 02335959, 02335269
Output of lspci utility contains many "Unknown devices" messages. Refer to sk113214.
02355069, 02357493
Firewall-1 information is not restored from a backup when Threat Emulation is enabled. Refer to sk113594.
02359678, 02360935
/var/log/messages file is filled with Audit Logs for Gaia Clish commands:
clish[PID]: user logged from admin
clish[PID]: cmd by admin: Start executing : xxx (cmd md5: ...)
clish[PID]: cmd by admin: Processing : xxx (cmd md5: ...)
clish[PID]: cmd by admin: Start executing : exit (cmd md5: ...)
Refer to sk113897.
02356738, 02365245, 02357833
confd process crashes with core dump files when running the cpinfo command. Refer to sk113750.
01111060, 02356903, 01309032
Saving the configuration on Gaia OS times out with 'NMSCFD0026 Timeout waiting for response from database server' error. Refer to sk113746.
02415990, 02419964, 02416200, 02419960
In SmartUpdate, on Windows Servers, "Generate cpinfo" does not work. Refer to sk115193.
02423303, 02423845
Newly configured user (with UID that is not 0) is not able to log in from Gaia Clish to Expert mode on VSX Gateway. Refer to sk115221.
02441209, 02441899
"confd" process consumes the CPU at almost 100% on Check Point appliance with installed LOM card. Refer to sk115634.
02488772, 02489413
"confd" process crashes with core dump file when running the Gaia Clish command "show asset all" every several minutes.
02473276, 02479189
"Authentication failure" error in Gaia Portal when logging in with TACACS+ user, whose password contains special characters, such as "<", ">", "&", ";", "*", ":", "$", "|". Refer to sk101332.
02488513, 02491901
Snapshot creation on Gaia OS is stuck at 1-2%. Refer to sk116679.
02490383, 02491329, 02491797
Multicast PIM traffic register packets are sent with checksum 0xd63f that is non-compliant with the RFC (should be 0xdeff).
02536858, 02537075
/var/log/CPbackup.elg file shows the following errors:
Error:'get_xml_val': cannot find XML:nil
Error : 'xml_text_to_hash': Failed to read <nil> from content buffer
Refer to sk118718.
02559704, 02561586; 02561478, 02561588
After adding the RBA roles Gaia commands (add rba role TACP-0 virtual-system-access all), the lines are missing from "show configuration" command output, but the values can be seen in Expert mode (/config/active). Refer to sk119394.
02621916, 02644222
When unmounting an ext3 file system, Security Gateway crashes with vmcore.
02669317, 02670441
Routed process enters slave/slave state after fwd crash.
02694599
'show message motd' Clish command output is corrupted. Refer to sk122199.
02711037
Cannot run scheduled backup using a Windows SCP server. Refer to sk122792.
02711255, 02712191
RADIUS user with special characters in a class attribute field is stuck on the spinning icon when logging into the WebUI.
02717143
Security Gateway stops advertising default route into OSPF NSSA area. Refer to sk123074.
02722123
'show asset' command does not show network information. Refer to sk123342.
If the SecurePlatform WebUI "Snapshot" page looks corrupted, then use this workaround:
Connect to command line.
Log in to Expert mode.
Run this command: lvs
If you see 100% in the 'Snap%' column of image named 'lv_current_snap', then run this command: lvremove -f /dev/vg_splat/lv_current_snap
Connect to SecurePlatform WebUI.
02559795, 02560843
Snapshot creation reaches 93% and stops, although there is enough space. Refer to sk119675.
02518465, 02520009
SecurePlatform OS sets the timezone to "UTC" when the zone is entered with a space character in the "sysconfig" menu. Refer to sk117737.
Security Gateway
02431007, 02467491
NAT stops working completely at some point. Refer to sk116013.
01540833, 01542323
Security Gateway with PPPoE external interface installs "defaultfilter" policy instead of an expected policy when PPPoE interface is administratively shut down. Refer to sk43293.
01717808, 01718192, 01647153
"fw_getifs: filter interface <interface_name> - no IP" message appears for every interface when running "fw getifs" command under "TDERROR" debug, although those interfaces have an IP address assigned. Refer to sk106856.
01782528, 01783676
"Service Name" field in SmartView Tracker logs shows wrong service. Refer to sk107416.
01786162, 01789060; 01408308, 01424553, 01437963
Errors when modifying default filter / Initial Policy on Security Gateway running IPSO 6.2. Refer to sk103999.
01811945, 01816989
MGCP call fails to establish after upgrade from R75.45 to R77.30. Refer to sk107975.
01860616, 01863650, 02053111
Security Gateway on Gaia OS crashes with vmcore dump file while adding/removing an interface during policy installation, during 'cpstop;cpstart' commands, during policy unload. Refer to sk108816.
01873031, 01875134
"Via" field in HTTP Request sent to a web server by Security Gateway in Non Transparent proxy mode contains incomplete HTTP version - only major version (e.g., only "1" instead of "1.0" / "1.1"). Refer to sk108900.
01912515, 01912962
Connections are broken for short time after disabling SecureXL, or after installing a policy. Refer to sk109468.
01963489, 01965804
in.ahclientd process occasionally crashes with core dump files.
01825619, 01664184, 01962131
Security Gateway / Virtual System might crash due to double record of a connection in Connections Table. Refer to sk110476.
01928723, 01929760; 01928725, 01929762
Traffic is dropped without any logs
Policy installation fails with "Load on Module failed" and kernel debug shows "fwk_atomic_load_prepare: fwk_mtcounter_prepare failed"
HTTP/HTTPS traffic drop when Domain Object is configured. Refer to sk110687.
01710137, 01848363, 01707360, 01856715
Issues with traffic and with web pages when Security Gateway is configured in Proxy Non-Transparent mode. Refer to sk106663.
02052179, 02053086
"Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection without sending any data" in web browser when accessing a web server through Security Gateway in Non-Transparent Proxy mode without next proxy. Refer to sk111741.
02340784, 02341504
TCP traffic fails to return from static NAT host when using ISP Redundancy and SecureXL. Refer to sk113236.
02342651, 02345193, 02350210, 02363864, PRHF-122
/etc/hosts stops resolving URL on Security Gateway configured as Proxy. Refer to sk113453.
02359254, 02361607, 02362029
"fwd" process or "fw_full" process on Security Gateway consumes memory at high level and crashes with core dump file. Refer to sk113736.
02422575, 02425040, 02428176; 02446698, 02447665
Stability issue on Security Gateway.
02473855, 02479570
Once the Log server is down for a long period of time, the gateways do not try to reconnect to it and logs are being saved locally. Refer to sk116233.
02049251, 02057072
In SmartDashboard, the "Hits" counter in a specific rule does not increase even though traffic was matched to this rule. Refer to sk115098.
02516897, 02518182
Memory leak in FWD process, followed by "Segmentation fault" error in /var/log/messages file.
02537839, 02539556
Logging session does not switch to the backup logging server after connectivity loss. Refer to sk118697.
02563963, 02564330
Cannot create events based on "sys_message:" filter. Refer to sk119995.
02706593, 02706821
Security Gateway crashes during policy push. Refer to sk122755.
02761248
Logs with action "Hold" are seen in SmartView Tracker. Refer to sk125892.
02367178, 02367230, 02367241, 01831439, 02389976
Kernel memory usage keeps increasing, regardless of the connection amount. Refer to sk129052.
Security Management
01678185, 01678465
Policy installation might fail with "ERROR: stab identifier <lsv_profiles> for host redefined" in the following scenario:
R77.30 Security Management Server running on Gaia OS or IPSO OS.
There are two R77.x Security Gateways / Clusters (e.g., "GW_1" and "GW_2") managed by this server:
"GW_1" has IPSec VPN blade enabled
"GW_2" has DLP blade enabled, IPSec VPN blade disabled, and belongs to VPN Encryption Domain of "GW_1"
Workaround: Enable IPSec VPN blade on "GW_2" and install policy on "GW_2".
If the Security Management Server is installed on Linux OS, sometimes the IP address field in the Security Management Server's object is empty. Workaround: In SmartDashboard, manually enter the main IP address.
01993128, 01994944
Users are deleted after R77.30 Management Add-on installation. Refer to sk110887.
01551117
On a Security Management Server installed on Linux OS, an "ftp" command sometimes results in an error "ftp: relocation error". Workaround: Run FTP commands from the /usr/bin/ directory (# cd /usr/bin).
00419335, 01134550, 01648694
$CPDIR/tmp/ directory is filled with 'CKP_mutex::_opt_CPsuite-RXX_fw1_log__...' files. Refer to sk36754.
01718196, 01718386
Policy Verification fails to find overlapping rules. Refer to sk106854.
01732223, 01732576, 01732588
Policy verification fails abnormally on R77.30 Security Management Server (SmartDashboard might disconnect / close unexpectedly, or even crash) when rulebase contains Address Range objects with IPv6 addresses. Refer to sk107182.
01801629, 01802130, 01811077, 01805365
"Warning: Rule <N> contains a domain object. It will not be enforced by IPv6 policy." during policy verification refers to wrong rule number. Refer to sk107601.
01810182, 01810870
"Unable to contact Certificate Authority on the Security Management Server" error in SmartDashboard after running "cpstop ; cpstart" commands. Refer to sk107593.
01832860, 01834896
Manual policy verification does not catch manual NAT rules where the Source of the original packet is defined as 'Any'. Refer to sk108278.
01835229, 01836587
"fw logswitch" command on Log Server fails if its object in SmartDashboard is defined with a NAT IP Address. Refer to sk108291.
01846456, 01846721
Manual NAT policy verification passes while it should fail. Refer to sk108389.
01864424, 01864734
"Get Topology" action shows "fe80::" in results. Refer to sk108760.
01922184, 01922547
Policy installation fails with core dump when Security Gateway and Security Management Server run R77.30. Refer to sk109616.
01922555, 01922761
The "cprinstall install" command fails. Refer to sk109617.
01844466
Applying policy update to Security Gateway Virtual Edition from "veconfig" menu fails with "Failed - Connection to gateway failed". Refer to sk109739.
01940812
URL Filtering does not work on Edge device. Refer to sk110219.
01971837, 01974133
"Gaia OS Best Practices" on the Compliance tab of SmartDashboard shows status "N/A" for clusters. Refer to sk110474.
01982896, 01983661
In Management HA environment, FWM daemon might crash during an attempt to delete Security Gateway / Cluster object in SmartDashboard. Refer to sk110748.
02013718, 02015361
"Where used" does not show results while logged into Log server via SmartDashboard. Refer to sk111077.
02024427, 02027207
Imported data from fwm logexport is not properly aligned. Refer to sk111304.
02167186, 02169523
"URL" field shows "*** Confidential ***" in HTTPS Inspection logs on 3rd party LEA OPSEC client. Refer to sk101570.
02219579, 02252490
IPS Bypass under load thresholds are not tuneable in Full HA environment. Refer to sk112659.
01911675, 02103719, 02103172
Memory leak in CPD daemon (in cpmon) causes the daemon to crash (due to exhaustion of available memory).
01912502, 02103768, 02103182
Memory leak in CPD daemon (in licutil) causes the daemon to crash (due to exhaustion of available memory).
02456777, 02456968, 02457349
FWM process crashes while pushing configuration to VSX cluster with Identity Awareness blade enabled and AD server configured.
02485375, 02486836
FWM process crashes sporadically when deleting the Security Gateway object in SmartDashboard.
02491211, 02492143
FWM process crashes after installation of the R77.30 Add-on.
02503435, 02504502
FWM process crashes while debug is enabled.
02555706, 02556381, 02555760, 02556390
Memory leak in FWM CPM module.
02590945, 02592411
Security Management Server stops receiving logs from all gateways. Refer to sk120316.
02657790, 02659048
SmartDashboard crashes at 40% on "Loading objects list" stage.
02666158, 02668798
R77.20/R77.30 Add-on activation or deactivation fails due to timeout. Refer to sk121436.
02704776, 02705333
Creating secondary CMA overrides files in $FWDIR/lib/ directory on the primary CMA. Refer to sk122538.
BS-635
The Compliance blade status for Best Practices APP113 and URL148 show "Poor" instead of "Secure".
Multi-Domain Security Management
01530078
You must install the R77.30 Add-on on Multi-Domain Security Management Server R77.30 before importing the database that was exported from Multi-Domain Security Management Server R77.20 with installed R77.20 Add-on. Otherwise, database import fails.
01519804
To uninstall the R77.30 Add-on from a Multi-Domain Security Management Server, first you must de-activate it on all Domains:
In SmartDomain Manager, go to "Version & Blades Updates" tab
Double-click on the Domain - go to "Version & Blades Updates" tab
Select the "R77.30" - click on "Remove" button - click on OK
01515648
The Gaia alias feature is not supported on the Multi-Domain Security Management Server, and it overrides the aliases of Domain Management Servers.
01702895, 01703025
SmartLog GUI client connected to the Multi-Domain Server (global database) does not show logs from the remote Multi-Domain Server or Multi-Domain Log Server in the following environments:
At least two R77.30 Multi-Domain Servers (regardless whether they are configured in Management HA or not)
R77.30 Multi-Domain Server with R77.30 Multi-Domain Log Server
mds_backup procedure is stuck at "Releasing all databases" stage. Refer to sk107862.
01640559, 01802714, 01641851
"Error: Cannot assign the Global IPS policy - The version of IPS on the Domain Management Server and in the Global policy must be the same". Refer to sk108877.
01894840, 01909809, 01909714
Assigning of Global Policy fails on some Domain Management Servers after modifying a global object. Refer to sk109436.
01973414, 01973521
Global Policy assignment problem after failing IPS update. Refer to sk110498.
02022345, 02022609
Users ($FWDIR/conf/fwmusers file) and GUI clients ($FWDIR/conf/gui-clients file) are overwritten on Security Management Server during MDS synchronization when Domain Management Server and Security Management Server are configured in High Availability mode. Refer to sk111175.
02135303, 02135745
Global Policy assign fails with "There is already local object with the name: among the Domain Management Server's objects" error. Refer to sk112342.
02368249
"Global object modification is prohibited!" error in SmartDashboard connected to a Domain Management Server during policy installation. Refer to sk114154.
02394950, 02395997
SmartDomain Manager loads very slowly and might even crash. Refer to sk114618.
02699530, 02699530, 02699530
Top process is not killed after closing SSH session and keeps running at 100%.
SmartDashboard
01687346
SmartDashboard Help incorrectly shows "You can assign up to 8 instances on a Virtual System" (SmartDashboard - Virtual System object - "CoreXL" pane - click on "?" button in the upper right corner). The correct number is up to 10.
01689711
When editing protections in R77.30 SmartDashboard -> IPS blade -> Protections (for example, SIP Filtering), it is impossible to exit the protection editing. Refer to sk106444.
01693797, 01932180, 01694050
"Changing the hardware to <New_Selected_Check_Point_Appliance> Appliances is blocked" warning in R77.30 SmartDashboard when changing a hardware platform in a gateway object that is used in Identity Sharing of another gateway. Refer to sk106434.
01693797, 01694050
"Changing the hardware to <Hardware type> is blocked." warning when editing cluster object that shares Identity Awareness. Refer to sk106482.
01778329, 01778691
SmartDashboard overrides authentication scheme database field for mobile_realm. Refer to sk107278.
01785636, 01787259
When cloning an interoperable Device in SmartDashboard, the following error is displayed and the name cannot be changed: "Rename is not allowed because the object contains shared secrets. First, remove the shared secrets from the object and click OK." Refer to sk107455.
01824544, 01825189
When opening Account Unit tree, see "The parameter is incorrect" error. Refer to sk108137.
01834373, 01834983
SmartDashboard does not display one of cluster interfaces because of case sensitive name uniqueness. Refer to sk108264.
01848315, 01849360
SmartDashboard crashes when trying to delete Override category. Refer to sk108615.
01853376, 01856256
In Read Only mode, right-click on object in NAT policy does not bring up the context menu. Refer to sk108618.
01855908, 01861192
When Security Management manages many VPN gateways, the VPN Tab is stuck on loading and may crash the GUI. Refer to sk108628.
01856760, 01857716, 01858017
SmartDashboard displays "Internal error" message and crashes when clicking on Threat Prevention tab and going to Policy and then back to overview. Refer to sk108629.
01816574, 01817765
"Hide NAT" icon is displayed for "Static NAT" method in "Destination" column of "Translated Packet". Refer to sk109013.
01875766
"An unexpected error occurred - Sorry for the inconvenience, please restart the application" error in SmartEndpoint, when going to Deployment tab - expanding Advanced Package Settings - clicking on VPN Client Settings - selecting a VPN Site, which has "Authentication method" defined as "CAPI-certificate" - clicking on Edit... Refer to sk109126 - Scenario 2.
01851861, 01862102
There is no prompt message on exit attempt after making changes in Application & URL Filtering or DLP tab - the changes are saved automatically without asking. Refer to sk109813.
-
Deleting a network object (that is a part of a Group object) while filtering "By IP address" causes the order of objects to change back to default order "By Name". Refer to sk109704.
01796510, 01799558, 01907575, 01799727, 01933963
Wrong icon for Automatic NAT rules. On automatic NAT rules, the icon of hide NAT rules always shows the letter "S". This letter should indicate the adtr method, and should be "H" when the method is Hide. Refer to sk109836.
01964494, 01965659
SMTP property is not shown on VSX Cluster Object. Refer to sk110266.
02082122, 02083516
SmartDashboard Picker filtering does not show the correct result. Refer to sk112057.
02127822, 02127888, 02128542
Access roles objects are not synchronized with the Log server. Refer to sk112359.
02167023, 02170424
Users and user groups added to an Access Role are not saved in SmartDashboard when FIPS is enabled on Windows OS. Refer to sk112494.
02156746, 02157741
"Unhandled exception - Value does not fall within the expected range" error when saving user-defined regulation in Compliance blade of R77.30 SmartDashboard opened in Demo mode. Refer to sk112581.
02565748, 02566223
SmartDashboard does not get the topology of VTI interfaces from cluster members running on Gaia Embedded OS. Refer to sk119832.
MB-77
Administrators with Customized permission profile cannot manage VSX objects.
Workaround: Use Read/Write all permission.
PMTR-10186, PMTR-567
SmartConsole is not disconnected after time specified in 'SmartConsole > Manage & Settings > Permissions & Administrators > Administrators > Idle Timeout'.
01378314
HiDPI (High Dots Per Inch) is not supported in R77.30.
Endpoint Security Server
01652844; 01669080
If no licenses are applied on Security Management Server, then it automatically uses a Plug and Play license for the first 15 days. If during that time, Endpoint Policy Management blade is activated, then an Endpoint Policy trial license is shown in the output of "cplic print" command, although the Plug and Play license is still valid. The trial license is not used until the Plug and Play license expires.
01907703, 01909558
Garbled characters in Action name in SmartEndpoint. Refer to sk109575.
SmartEvent / SmartReporter
01450132, 01451865, 01477664, 01491056, 01599078
"No data available for [SmartReporter]" error in reports. Refer to sk102007.
01577697, 01577791
evs_backup command sometimes fails with the following messages:
Postgres service is down, starting postgres
Failed to start postgres service. Please check backup.err for detailed errors
eva_db_backup.csh fail
error has occurred. evs_backup will stop
SmartReporter PDF reports are shown incorrectly. Refer to sk104840.
01877490, 01877827
"Dev Mode: ON - Syntax error" in SmartEvent/SmartReporter reports. Refer to sk108979.
01928368, 01928572
Core dump files for CPSEMD process are generated in /var/log/dump/usermode/ directory after each reboot of SmartEvent server. Refer to sk109714.
01969321, 01969673
The CPSEMD process crashes with core dump due to signal 15 when SmartEvent machine is rebooted.
-
SmartEvent GUI client may crash when trying to apply Learning Mode recommendations.
02439787, 02440104
"No relevant data found" warning when running Login Failures report. Refer to sk115658.
02442888, 02443123
Scanned hosts value is incorrect in Threat Prevention report. Refer to sk115680.
02472200, 02473138, 02473784, 02475632
Report generation with custom Service field filter (for example SMTP), fails. Refer to sk116312.
02559461, 02562448
Mail alerts that contain IPv6 show 0.0.0.0 instead of the real IP address. Refer to sk119714.
SL-1849
CPSEAD crashes when using an Offline Job for a log file with a high rate of logs. The issue is resolved since R80.10.
PMTR-32803
IPS events in SmartEvent contain an invalid link for CVE.
SmartView Monitor
01692615, 01694011, 01697239
SmartView Monitor shows the status of cluster interfaces as "Partially up". Refer to sk106488.
01879709, 01885825, 01881984, 01937995
The rtmd process crashes due to memory corruption.
02537633, 02539688
SmartView Monitor "Top QoS Rules" view shows that almost all traffic matches the "No Match" rule when SecureXL is enabled on Security Gateway. Refer to sk118720.
SmartView Tracker
00764403; 00936644
SmartView Tracker displays ROBO gateways / Edge devices managed by SmartProvisioning in the "Origin" column as Device ID "0.0.0.X" instead of the Device real IP address. Refer to sk106966.
SmartProvisioning
01913532, 01914320
SmartProvisioning profile change generates duplicated IP ranges. Refer to sk109457.
02400017, 02401486
SmartProvisioning Configuration script does not work for 1180 SMB appliance. Refer to sk114735.
02417542, 02418996
SmartProvisioning GUI shows VLAN interfaces as "ethX.NNN:Resolve:DataStruct:Encode:..." in ROBO Gateway properties window. Refer to sk115135.
VPN
-
Online Certificate Status Protocol (OCSP) verification of certificates signed with SHA-256 is not supported. Refer to sk108752 - "Scenario 3".
01616679, 01626526; 01600927, 01626372
Dead Peer Detection (DPD) does not work in Aggressive Mode. Refer to sk105390.
01695819
upgrade-export overwrites files from Cross-Site Request Forgery (CSRF) fix (01491932) rendering the ICA portal non-functional. Refer to sk106697.
01727625, 01730966, 01729434
"vpn debug on TDERROR_ALL_ALL=5" command does not update the previously set debug flags. Refer to sk107172.
01820334, 01821023
Security Gateway might crash after running 'cpstop' command if MSS Adjustment (Clamping) for IPsec VPN traffic is enabled (fw_clamp_vpn_mss=1). Refer to sk101219.
01844057
After ISP failover on LSV peer, gateway keeps using the old MSPI. Refer to sk108388.
01841784, 01844569, 01844802
"According to the policy the traffic should not have been decrypted" drop log for traffic from VPN peers managed via SmartProvisioning (e.g., Edge devices) after upgrade of Security Gateway to R77.30. Refer to sk108427.
01691222, 01904577
Not possible to establish Site-to-Site VPN tunnel with Large Scale VPN (LSV) peer, which is a DAIP device. Refer to sk109473.
01857440, 01860064
When center gateway receives encrypted traffic to which it has no keys to decrypt AND peer is dynamically assigned (DAIP), VPN does not work properly. Refer to sk109853.
01949238, 01949716
Site-to-Site VPN using IKEv2 fails when SecureXL is enabled. Refer to Scenario 5 in sk114834.
01956286, 01986659, 01986240
Remote Access users are unable to connect when authenticating using a certificate issued by a subordinate CA. Refer to sk110747.
02021708, 02022230
Unable to store Intermediate CAs in CertCache. Refer to sk111272.
02023245, 02027402
Concurrent IKE SAs counter is too large on Standby member. Refer to sk111373.
02075249, 02088049
Site-to-Site VPN tunnel fails after some time and has to be renegotiated, if the IKEv2 SA was initiated by the peer. Refer to sk116157.
02058553, 02088047
IKEv2 negotiation for Site-to-Site VPN tunnel fails if IKEv2 SA payload contains more than 8 proposals. Refer to sk112139.
02074389, 02079149
Site-to-Site VPN fails between Check Point Security Gateway and Check Point Virtual Appliance for Amazon Web Services (AWS). Refer to sk112141.
02059238, 02060173, 02060616
Authentication with 3rd party peers fails when using Diffie-Hellman Group 19 or Diffie-Hellman Group 20. Refer to sk112156.
Randomly, new VPN tunnels are not being established with the peers. Randomly, traffic is not passing over multiple VPN tunnels. Refer to sk113837.
02381660, 02384651
Security Gateway is sending incorrect IDs in IKE Phase 2 if using IP Range object for encryption domain. Refer to sk114494.
02436237
VPN traffic fails when collecting kernel debug with a filter "fw ctl debug -e" and SecureXL is disabled. Refer to sk115580.
02436809, 02439762
Traditional Mode with User Authentication FTP traffic failing. Refer to sk115614
02476348, 02478082
When connected with L2TP client to the Security Gateway's alias IP address, the returned encrypted traffic is sent out with the source IP address of the physical interface. Refer to sk116655
02490101, 02490384
VPN Tunnel instability issues with Cisco Gateway using IKEv2. Refer to sk116776.
02509724
DAIP gateway takes a long time to establish a VPN permanent tunnel (DPD) after reboot. Refer to sk117513.
02514005; 02534915; 02529275
DAIP devices deployed as VPN Satellite gateways do not support VPN link fail-over from a static link (using permanent IP address) to the DAIP link, and vice-versa.
Trusted interfaces are not supported for DAIP devices.
02536801, 02537327, 02540697
IKEv1 using DH group 19/20 fails to encrypt / decrypt packets. Refer to sk118713
02540281, 02543370
Problems with supernetting during IKE negotiation with Large Scale VPN (LSV) peer. Refer to sk118855
02564507, 02570956
Client Setting "Calculate IP based on topology" breaks when using host. Refer to sk120121
02564111, 02565222, 02590209
MTU on VPN traffic is limited by MTU of 1500. Refer to sk120122
02447010, 02542849
"You cannot receive an office Mode IP address because the security gateway does not have a license for Office mode" error on SSL Remote Access VPN client (SNX client / Capsule VPN client / Capsule Connect client / Endpoint Connect client) that tries to connect to a Cluster in High Availability mode. Refer to sk120652.
02663779, 02666335
Unable to connect with SHA-512 user certificate on Windows Capsule. Refer to sk121418
02702969, 02706012
Security Gateway accepts a Diffie-Hellman group other than the one that is configured. Refer to sk122438.
02701519, 02701727
RADIUS authentication fails for LDAP users as the gateway uses sAMAccountName and not UPN when UPN is needed. Refer to sk122477
02700394, 02700552
3rd party VPN peer rejects IDs proposed in IKE phase 2 and tunnel not established (unless initiated from peer side). Refer to sk122478
02708339, 02710768
Site-to-site VPN traffic issue in vSEC for Azure deployment. Refer to sk122754
02766380, 02766590
When Endpoint Security VPN client connects without Office Mode, the ccc_sessions entry is not deleted upon disconnect. Refer to sk127452.
Host on network shows an error about duplication of its IP address when ClusterXL with VMAC is used. Refer to sk92364.
02344721, 02622869
Traffic interruption on VLAN interfaces during policy installation on ClusterXL Load Sharing Multicast. Refer to sk120593.
01646584, 01879544, 01657956
Various traffic issues on cluster due to FWD daemon taking all slots on cluster subscriber list. Refer to sk109596.
01709078
Some Remote Access VPN clients are not able to connect to ClusterXL in Load Sharing Unicast mode with enabled CoreXL. Refer to sk106745.
01709088, 01712864
Sometimes there is no VPN client connection from particular IP address to cluster. Refer to sk106816.
01715078
Output of "cpstat ha -f all" command shows status of some VLAN interfaces as "Partially up". Refer to sk106488.
01848272, 01855069, 01855384
Cluster "Interface table" is empty in SmartView Monitor and in output of "cpstat -f all ha" command. Refer to sk108546.
01808943
"First packet isn't SYN" drop logs in SmartView Tracker for TCP traffic from ClusterXL in Load Sharing Unicast mode with enabled SecureXL. Refer to sk107618.
01835404, 01836082
"find_device_thread: cannot find device cphad" messages in $FWDIR/log/cphamcset.elg file on IPSO OS. Refer to sk108273.
By forging CCP packets, it is possible to "confuse" cluster members about the state of peer members and cause denial of service (cluster members could be forced to incorrectly change their state to "Ready"). Refer to sk108360.
01883794, 01885801
"Interface table" in SmartView Monitor and in the output of "cpstat ha -f all" command shows only one configured cluster interface on IPSO-based cluster members running R77.20 / R77.30. Refer to sk109143.
02008783, 02010172
Cluster member with highest priority is not able to become new Active after changing the Members' Priorities. Refer to sk110999.
00443545, 01492996; 01888621, 02221764, 02221768
NAT rule on cluster does not hide the Source IP address behind the configured IP address if the packet is sent to Cluster VIP address
NAT rule on cluster does not hide the Source IP address behind the Cluster VIP address if the packet is sent to Cluster VIP address
UserCheck daemon (usrchkd) crashes every few days. Refer to sk122953
Mobile Access
01610643
The Mobile Access tab > Additional Settings > Link Translation page is not supported when working with SmartDashboard in Read-Only mode.
01620696
RAsession_util command (see sk104644) will show Capsule Connect and Check Point integrated VPN for Win 8.1 session, although the user disconnected the VPN tunnel from the mobile client side. No further data will pass between the client and the Security Gateway. The record, from RAsession_util, will expire according to the session's original expiration time, with a session expiration log in SmartLog.
01702733, 01703139
When used without specifying the full path, cvpnd_settings crashes. Refer to sk106673.
01704233, 01706873, 01706888
ActiveSync Capsule Workspace users get authentication pop-ups every few minutes after upgrading to R77.30. Refer to sk106607.
01736208, 01738947
Web Form SSO with configured login page does not work. Refer to sk107254.
01807600, 01807879
Accessing the MAB portal without providing certificate results in unclear log in SmartView Tracker. Refer to sk107812.
01841717, 01841906
Mobile Access Gateway does not send domain as part of Web Form SSO response. Refer to sk108498.
01853732, 01862399, 01854127
Mobile Access log on SmartView Tracker shows the browser version instead of the OS version. Refer to sk108711
01734925, 01854129, 01862401
"[CVPN_ERROR] statusToString: Unrecognized status: 5" error in the debug of CVPND daemon on Mobile Access Gateway. Refer to sk108876.
01908331, 01909424
Web application not displayed correctly in Mobile Access Blade when using Path Translation. Refer to sk109579.
01836233, 01863723
Client Certificates Tab is not showing in Read mode in Mobile Access. Refer to sk109837.
01939853, 01943615
External User groups are not matched correctly when connecting to SNX Portal - users get permissions to access resources, which they are not supposed to access. Refer to sk110014.
01932329, 01940409, 01953139
"Error: Page cannot be displayed. An error occurred while processing the request" in web browser after entering the credentials in Mobile Access Portal. Refer to sk110072.
01958625, 01959114
After one SNX user disconnects, all other connected users are disconnected. Mobile Access gateway becomes non responsive. Refer to sk110316.
02127881, 02136465
Mobile Access deleteUserSettings command does not work when user name contains spaces. Refer to sk112467
02156587, 02157190, 02172262
SSL Inspection: Site does not load for the first time after a renegotiation. Refer to sk112599
02371118, 02377407
Relativity web application accessed via MAB does not show open folders until web page is refreshed. Refer to sk114259.
02457976, 02460809
"failed to establish trust" error message when trying to enroll the certificate from Capsule Workspace. Refer to sk116095.
02467377
Failed to overwrite existing files using Mobile Access File Share Application. Refer to sk116238
02510647, 02511628
Pages not translated when header Content-Type: */* in HT Link Translation. Refer to sk117514
02520551, 02522305
Untranslated links in iNotes Web Application when using Hostname Translation. Refer to sk118037
02526048, 01838814
Endpoint Security on Demand Secure Workspace does not automatically support Windows 10 Creators Update or later versions.
The Mobile Access Portal does not support Web-Form SSO for Citrix StoreFront Web interface.
-
Mobile Access does not support viewing or editing files with 'Office Online apps', Microsoft's browser-based Office applications. Outlook Web Access is supported, however you cannot open or edit Office Online app files from emails.
02729238, 02730507
Rule mismatch on SSL inspection rulebase. Refer to sk123718
SSL Network Extender
01381144, 01439006, 01534244
If MultiCore support for SSL is enabled, then SSL Network Extender roaming is not supported. Refer to sk101223.
01432574, 01432727, 01461593
The SSL Network Extender connection from command line "snx -l <CA_Di>> -s <Server>" fails with "SNX: Authentication failed" when authenticating with a user certificate. Refer to sk101588.
01376618, 01371231
If MultiCore support for SSL is enabled, then connections between SSL Network Extender clients are not supported. Refer to sk101223.
02450974, 02454119
"Cannot establish connection to SSL Network Extender gateway. Try to reconnect." error from SNX client on Mac OS X / macOS after disabling both RC4 and 3DES cipher suites on the Mobile Access Gateway. Refer to sk116156.
SecureXL
01554849, 01576112, 01611699
TCP packets are not dropped as Out-of-State when SecureXL is enabled. Refer to sk104557.
01385943, 00266287; 01463835, 00267250
TCPdump shows wrong IP addresses for NATed traffic when SecureXL is enabled. Refer to sk100194.
01919249, 01915798, 01915162
Output of "fwaccel stat" command shows: Accelerator Status : off by Firewall (too many general errors (NUMBER) (caller: Name_of_Function)). Refer to sk100467 (Scenario 3 - "UDP traffic causes too many general errors").
01536546, 01596104, 01596291, 01598767, 01615398
SecureXL Accept Templates not created when ISP Redundancy is enabled in Primary/Backup mode. Refer to sk104679.
01719131
Security Gateway might crash when disabling and re-enabling SecureXL. Refer to sk106934.
01769402, 01777881, 01771790
Multiple "cphwd_pslglue_can_offload_template: error, psl_opaque is NULL" errors in /var/log/messages file after upgrade to R77.30. Refer to sk107258.
01846041, 01852946, 01846244
SecureXL on Standby cluster member drops traffic with "Address spoofing" log. Refer to sk108502.
01848202, 01850540
Check Point 21000 series appliance with SAM card might crash while handling fragmented TCP packets. Refer to sk108589.
01845461, 01853546; 01906167
Check Point 21000 series appliance with SAM card might crash during policy installation. Refer to sk108643.
01825599, 01847635
Check Point 21000 series appliance with SAM card might crash due to removal of Layer 2 header by SAM card. Refer to sk108652.
02372653, 02468724
Check Point 21000 series appliance with SAM card is not able to boot after installing Take 210, Take 213 or Take 216 of R77.30 Jumbo Hotfix Accumulator. Refer to sk116070.
Traffic disruption after policy installation on 21000 appliance with installed SAM card (with uptime of more than 250 days). Refer to sk119999.
01574329, 01844422, 01973806, 01973814
Gaia OS on Check Point 21000 series appliance with SAM card becomes unresponsive when trying to delete a VLAN interface after passing multicast traffic through that VLAN interface. Refer to sk115420.
01642962, 01648328, 01885055, 01897151
Packets are not routed correctly when PBR is configured and SecureXL is enabled. Refer to sk109741.
01934947, 01939363
"sim dropcfg -l" command incorrectly shows "Enforced on external interfaces only". Refer to sk109960.
02020740
Security Gateway with enabled SecureXL might crash during policy installation. Refer to sk111411.
02057286, 02058104
Cluster member might crash when processing a NAT connection, if SecureXL is not enabled on all cluster members. Refer to sk111888.
01827637, 02029717, 02009223
Low performance on Security Gateway configured in Monitor Mode (Mirror Port mode) per sk101670. Refer to sk112798.
02368502, 02369852, 02369778
Security Gateway with enabled SecureXL might crash during policy installation when SAM card is not installed. Refer to sk114153.
02383351, 02385918, 02383440
Security Gateway might crash when disabling the SecureXL SIM feature "NAC" and restarting the SecureXL. Refer to sk114424.
02390699, 02398953, 02396299
Asymmetric traffic is dropped on Security Gateway with enabled SecureXL and several Bridge interfaces. Refer to sk114976.
02459107, 02461409
Computers with dynamically assigned IP addresses are not able to access web sites by their URLs when SecureXL is enabled. Refer to sk116160.
02495600, 02497103
VSX Gateway crashes in rare event when VPN traffic passes over two or more Virtual Systems (which causes the traffic to warp-jump) with enabled SecureXL. Refer to sk116953.
02507051, 02507372
Cluster member with enabled SecureXL crashes during policy installation due to issues in SecureXL NAT Templates. Refer to sk117332.
02535956, 02536066
Memory consumption on Security Gateway increases after enabling NetFlow v9 in Gaia OS. Refer to sk118719.
02541089, 02551724, 02541431
Security Gateway freezes / crashes in rare scenario when SecureXL is enabled and multicast routing is configured. Refer to sk119299.
02054022, 02301812
VSX Gateway with enabled SecureXL crashes in rare scenario while collecting CPInfo file / running CPView Utility during high traffic load. Refer to sk119992.
02613465, 02615348
"First packet isn't SYN, TCP flags : FIN-ACK" drop log for RSH (remote shell) traffic sent from a Server. Refer to sk120462.
02661524
Kernel panic after fw_worker_1 reaches 100% of CPU usage.
CoreXL
01802551, 01802999
Creating a Virtual System with one CoreXL FW instance might end with an error and cause the VSX Gateway / VSX Cluster member to crash with kernel core dump.
01801032, 01829886
Issues with traffic passing through Security Gateway with enabled CoreXL Dynamic Dispatcher. Refer to sk108432.
01873994
Difficulties in connecting to untrusted sites when both HTTPS Inspection and CoreXL Dynamic Dispatcher are enabled. Refer to sk108894.
01884966, 01857938
R77.30 cluster member might go Down after disabling CoreXL Dynamic Dispatcher only on one member. Refer to sk108856.
01961260, 01966223
Traffic between ClusterXL members drops randomly. Refer to sk110312.
01991091, 01991801, 02007206, 02004437
Although CoreXL Affinity was configured to assign only a specific process to certain CPU cores, some interfaces are still being assigned to those CPU cores. Refer to sk110940.
02012536, 02013035
Traffic outage on ClusterXL after enabling both CoreXL Dynamic Dispatcher (sk105261) and SecureXL NAT Templates (sk71200). Refer to sk111015.
02109273, 02110128, 02109398, 02119936
The following syntax errors appear after running the cpstart command:
/opt/CPsuite-R77/fw1//scripts/fwaffinity_mq_apply.sh: line X: let: cpu_id = % 2: syntax error: operand expected (error token is "% 2")
/opt/CPsuite-R77/fw1//scripts/fwaffinity_mq_apply.sh: line Y: 1<<: syntax error: operand expected (error token is "<")
Session Authentication fails for all connections when CoreXL is enabled on Security Gateway. Refer to sk109838.
02378614, 02378995
Issue with SIM Affinity on two 40GB interfaces (expansion cards). Refer to sk114396.
01995709, 01996404, 01995254, 02389830
The "fw -i <id> ctl pstat" command shows "memory used: 0%". Refer to sk110881.
Dynamic Routing
01842491, 01844272
BGP routemaps stop working correctly after Gaia OS upgrade from R75.4X / R76 versions to R77.10 and later versions. Refer to sk108497.
01865692, 01870556
When receiving a packet of Bootstrap Router update in PIM protocol from non-multicast IP address, RouteD daemon crashes.
01888022, 01959704, 01968564
Not able to configure routemap for each BGP peer on Gaia OS. Refer to sk110477.
01976708, 01976875
RIP stops working on enabling dynamic routing. Refer to sk110616.
01980694, 01989783, 01989782
Routes redistributed by Gaia OS to BGP peer are sent without BGP community value. Refer to sk110563.
01569785, 01579695
Configuring PIM Sparse Mode with dynamic Rendezvous Point (RP) fails in cluster environment on Gaia OS. Refer to sk110939.
02060290, 02060715, 02066063, 02062736
RouteD daemon might crash when PIM packets are received in an un-supported IP format. Refer to sk111891.
02110490, 02110665
RouteD daemon might crash if PIM is configured and machine is rebooted when all cables are disconnected. Refer to sk112251.
02349239
BGP starts advertising all the routes with "as_prepend", even to AS where prepend is not configured. Refer to sk113504.
02068809, 02333746, 02333261
Security Gateway / Cluster Member on Gaia OS with configured BGP that uses MD5 Authentication might randomly crash (tcp_v4_calc_md5_hash(...) at tcp_ipv4.c). Refer to sk101976.
02358210, 02364750, 02364752
VRRP Backup member on Gaia OS sends BGP traffic to BGP peers. Refer to sk114265.
02423514
Unable to redistribute routes as OSPF LSA of Type 1 with manual tag. Refer to sk115298.
02426496, 02427038
RouteD daemon crashes upon receiving OSPF LSA of Type 10 and Type 11. Refer to sk115314.
02422231
Traffic outage might occur on VSX Gateway with configured OSPF when adding a new Virtual System (due to a crash of RouteD daemon). Refer to sk115333.
02454663, 02455061
RouteD daemon crashes with core dump file when a BGP route is configured with an invalid nexthop.
02477031, 02483011, 02477112
RouteD daemon crashes with core dump file when OSPF and more than 90 VTI interfaces are configured on Security Gateway / Cluster.
02660328, 02660955
BGP loses adjacency during failover and generates cores. Refer to sk121345.
02707988
'RTGRTG0019 tclproc: wrong # args: should be "bgp_lookup_ASNumberIPIn ASNumber peerAddr gtype"' error in Gaia Clish when trying to import routemaps for iBGP peer. Refer to sk115140.
02692890, 02458287
Some BGP routes are not being advertised after BGP peer reset. Refer to sk122272
SNMP
01610111
There is no response (no error, no timeout) when querying SNMP 64-bit (High-Capacity) counters in the following scenario:
VSX R77, VSX R77.10, VSX R77.20 that was upgraded to R77.30 using in-place upgrade
SNMP mode was configured to "vs" (Clish command 'set snmp mode vs') before the in-place upgrade to R77.30
Check Point VSX OID Branch 1.3.6.1.4.1.2620.1.16 can not be queried per Virtual System. The SNMP response contains the data from all configured Virtual Systems. Refer to sk90860.
01466618
To query a VSX Gateway / VSX cluster member over SNMPv2 / SNMPv3, the query should be sent to the VSX machine itself (context of VS0):
In DMI configuration:
In case of a single VSX Gateway, the SNMP query should be sent to the IP address of the DMI interface.
In case of a VSX cluster, the SNMP query should be sent to the physical IP address (of the DMI interface) of each cluster member.
In non-DMI configuration:
The SNMP query should be sent to the physical IP address of the external interface on the VSX machine.
If SNMP traps for hardware sensors are configured on Open Server running Gaia OS, then the traps for sensor values outside of the threshold can be sent, even when they are within the threshold limits.
01689724; 01668968
After enabling the SNMP Trap "coldStart" in Gaia OS, it is sent every time the SNMP Agent (SNMPD daemon) is started, regardless of the current system up-time. Refer to sk107616.
01852762, 01858277
Output of "snmptranslate" command returns different OIDs for objects in "chkpntTrap" branch. Refer to sk108697.
01899551, 01907792, 01900061
snmpd process might crash with core dump file (due to Segmentation fault) when it exits.
01912362, 01913555
"Wrong Type (should be INTEGER)" errors when querying SNMP OID 'vsxCountersTable' on VSX Gateway. Refer to sk109469.
02508239
"No Such Instance currently exists at this OID" error message after installing R77.30 Jumbo Hotfix Take_225. Refer to sk117353.
02696520, 02697170
Captive login portal page is shown in a baby frame of web site. Refer to sk122257
VSX
01657585
Traffic latency on VSX Gateway if MTU larger than 4096 (Jumbo Frames) is configured on an interface. Refer to sk110351.
01298013, 01347319, 01356763
The "vsx_util reconfigure" command fails with "Failed to fetch configuration information from <Name_of_VSX_object>". Refer to sk98001.
01465442, 01436496
An upgraded cluster member goes into Ready state after the reboot, even before the rest of the cluster members are upgraded. Workaround:
Run cphaprob state command to verify that all the Virtual Systems are in Ready state.
Run ps -elL | grep fwk command to verify that fwk process is running on every Virtual System.
01459867, 01472369
When you create a new bond in Gaia Clish with only two physical slaves, the output of cphaconf show_bond command shows the second added slave as "Not available", and the bond cannot fail over. Refer to sk105999.
01562612
If a Virtual System is the Hub of a Star VPN Community, it cannot support SmartLSM gateways as satellites.
01548786
The "vsx_util change_mgmt_subnet" command does not support IPv6.
01618097
"vsx_util reconfigure" command on Security Management Server / Domain Management Server fails to resume with "Error: Interface 'Interface_Name' exists in the management database, but not on the gateway". Refer to sk105441.
Pushing VSX configuration fails with "Internal Error - Failed to commit changes in the OS". Refer to sk103844.
01824410, 01824578
"Bridge uses two different VLAN tags for interfaces. This configuration cannot be used with Active-Active bridge mode" error in SmartDashboard when creating a Virtual System in Bridge mode between interfaces with different VLAN tags. Refer to sk107972.
01848953, 01853474, 01854369
Issues with FWD daemon on VSX Gateway with Bypass Card (FONIC) installed on the appliance. Refer to sk108588.
01750204, 01842632
Clients behind a Virtual System configured as Non Transparent HTTP/HTTPS Proxy are not able to connect to any site. Refer to sk107313.
01721813
New routes configured in Virtual System object are not shown as "Hidden" on Virtual System, which causes VSX internal IP addresses to be published to Dynamic Routing protocols. Refer to sk109738.
01931909, 01938036
"Illegal routing gateway or interface retrieved from the VSX GW" error in SmartDashboard when creating a new VSX Gateway / VSX Cluster object. Refer to sk109815.
01868018, 01892596, 01888862; 01959895
Virtual Systems are "Down" after reboot of VSX Cluster Member because FWD pnote and CPHAD pnote are reported as "NOT UP". Refer to sk110073.
Virtual Systems are in "Unknown" state after reboot of VSX Cluster Member. Refer to sk110074.
02084934, 02086287
"SmartView Monitor error has occurred (error code: 2147483647)" pop-up in SmartView Monitor GUI when viewing data from a VSX Gateway / VSX Cluster Member. Refer to sk112154.
00892773
VTI interfaces are not supported in VSX mode.
02338729; 02338820; 02338954; 02338696
During policy installation, Virtual Systems on VSX VSLS cluster shortly go to "Down" state due to "Interface Active Check" pnote. Refer to sk114234.
02032862, 02423243
"vsx_util reconfigure" fails with "Failed to commit changes in the OS.Management interface must have an IP address." error in non-DMI configuration. Refer to sk115131.
02537316; 02151898, 02103463
Virtual Switches in VSX cluster are shown in "PROBLEM" status in SmartView Monitor without any error message. Refer to sk112067.
02532554, 02532716
"CLINFR0699 Invalid command" error when a user with read-only Gaia OS role runs the "set virtual-system" command on VSX Gateway. Refer to sk118693.
02651720, 02656447, 02652003
Traffic outage when rebooting a VSX cluster member in case there is no connectivity to the Management Server. Refer to sk120842.
00186960
Per Virtual System High Availability or Virtual System Load Sharing (VSLS) requires a physical interface connected to Virtual Switch. Refer to sk36980
LTE
-
FireWall-1 GX is not supported on VSX Cluster.
-
FireWall-1 GX is not supported on VSX Virtual System in Bridge mode.
-
If the Security Management Server or Domain Management Server manages gateways of earlier versions, and at least one R77.30 Security Gateway with GTP rules, then the GTPMGT license is required. Without this license, policy installation fails.
-
SecureXL Templates are disabled starting from GTP rules in the Firewall Policy. To improve the performance of Security Gateway, the GTP rules have to be placed below the rules for traffic that should be accelerated by SecureXL Templates. For more details, refer to sk32578.
-
GTP PDU Integrity Tests (Verify Flow Labels and G-PDU sequence number checks) are not supported in accelerated mode. For more details, refer to the Firewall-1 GX 5.0 Administration Guide - "GTP PDU Integrity Tests".
-
If Carrier Grade NAT (CGN) and traditional Hide NAT are configured, there must not be overlap in the translated packet source address (public IP address). If there is an overlap, policy verification fails.
-
Carrier Grade NAT (CGN) is not compatible with R77.30 CoreXL Dynamic Dispatcher and Priority Queues features. If you want to use CGN in rules, you have to completely disable those features with "fw ctl multik set_mode 0" command (refer to sk105261).
-
Kernel Syslog supports only Firewall blade logs. Kernel Syslog is not supported for IPv6 logs or Software Blade logs.
01385956
Kernel Syslog is not supported when the R77.30 Security Gateway is managed by R76 Security Management Server with LTE Hotfix.
00754079
When Overbilling Attack Protection is enabled, you must define a rule that allows FW1_sam traffic from the GX object to the Check Point Security Gateway. For more details, refer to Firewall-1 GX 5.0 Administration Guide - "Enabling Overbilling Attack Protection".
00780056
GTP Bandwidth Management using QoS is not supported.
00752420
When establishing a SIC connection with a newly installed GX 5.0 cluster object in SmartDashboard, the platform version must be manually set to R70.
00773195
When using the IPS and the Full Intra-Tunnel features, GTP traffic may not be inspected.
The workaround is to change the IPS protection scope from "Protect internal hosts" only to "Perform IPS inspection on all traffic":
Double-click on the FireWall-1 GX object in SmartDashboard.
Go to IPS pane (if IPS pane is missing, verify the IPS blade was enabled).
In Protection Scope, select Perform IPS inspection on all traffic and click on OK.
Install the Policy.
When using the default "Protect internal hosts only" mode, the IPS blade inspects traffic from either the Internal to External interface, or vice versa, using the Security Gateway's topology (which is set in the GX object). Since the inner-GTP traffic does not have its own distinct topology settings and rule base, the IPS blade inspects the inner-GTP packet using the GX object's topology settings, which may cause it to skip the inspection. To override this, you must set the "Perform IPS inspection on all traffic" option.
00788268
Full Intra-Tunnel inspection is enforced only on encapsulated IPv4 traffic.
01011519
IPS "Aggressive Aging" protection is not supported by FireWall-1 GX gateway (if you enable IPS blade in FireWall-1 GX object, you must set this protection to "Inactive" in the IPS profile applied to FireWall-1 GX. Otherwise, unexpected behavior can occur).
00829371
SCTP or Diameter objects cannot be the service of a manual NAT rule. Static NAT will still be applied for rules that match SCTP if the service is set to "Any". All NAT methods can be applied for Diameter over TCP traffic if the service is set to "Any".
DLP
01692002, 01560455, 01692033, 01692705
Downloaded file might be bypassed instead of being blocked by DLP in the following scenario:
DLP blade is enabled.
Threat Emulation blade is enabled.
Threat Emulation Connection Handling Mode is set to "Background"
Threat Prevention Engine Fail Mode is set to "Allow all connections (Fail-open)"
Large file not being dropped by DLP, even though it is configured to drop such files due to extreme condition. Refer to sk108893.
01957541, 01878703
User receives the notification "Your emails are about to expire" from Data Leak Prevention. However, there are no e-mails in the DLP portal. Refer to sk110314.
02535086, 02536889
When Security gateway is enabled with proxy and DLP, HTTP connections to external sites are allowed on Implied rules. Refer to sk118698.
02693946, 02698363
DLPU sync issue with huge files. Refer to sk122258
SWG-1078, PRHF-130, PRHF-100
Memory leak when DLP works with HTTPS Inspection.
Anti-Virus
01688777, 01689576, 01690566
HTTP 206 "Partial Content" error in SmartView Tracker. Refer to sk106446.
01749088, 01782611, 01749108
High memory utilization on Security Gateway during Anti-Virus scan of large files transferred over HTTP. Refer to sk107384.
01856214, 01860237, 01904755
High CPU utilization on Security Gateway during Anti-Virus scan of large files transferred over CIFS/SMB2. Refer to sk109582.
01728021, 01778247, 01867575
Image Upload button is disabled on ok.ru site when Anti-Virus and IPS are enabled. Refer to sk109580.
01968370, 01969946
RAD is consuming high CPU with HTTP traffic. Refer to sk110501.
02488332, 02491746, 02496568
Connectivity to internal mail server fails when Anti-Virus with deep inspection scanning is enabled. Refer to sk116738.
02496107, 02502978, 02641393; 02653578, 02655762
In rare cases, Security Gateway does not send "SMTP 554" response when Anti-Virus blade detects an e-mail with malicious attached file. Refer to sk120841.
Threat Emulation
02070628, 02333285
Threat Emulation logs show "Detect" for e-mail attachments instead of "Prevent" when Threat Extraction blade is also enabled. Refer to sk115252.
02378836, 02380610
Mail Transfer Agent (MTA) protection bypass. Refer to sk114664.
01696858, 01697082, 01697348
SmartView Tracker displays e-mail subject as ISO string if it is not written in English. Refer to sk105164 (Scenario 4).
01714845, 01859125, 01896617
E-mail client receives timeout error, e-mails do not reach their destinations, and SmartView Tracker shows duplicated Threat Emulation logs from a cluster. Refer to sk109198.
01664717, 01661636, 01705031, 01891039
Files are emulated even though their MD5 is added as 'Exception' to Threat Prevention policy. Refer to sk109438.
01934518, 01934719
TED daemon affinity is not updated by the "tecli set affinity <num_of_instances> <num_of_ted_cpus>" command. Refer to sk109818.
01931837, 01935044
"Maximum delay time" setting for Mail Transfer Agent is not applied if the defined value is greater than 15 minutes. Refer to sk109893.
01983310, 01984463
"Used disk space percent" counter in the $FWDIR/log/emaild.mta.elg log file shows an unrealistically large value. Refer to sk110555.
02019281, 02020285
File download from some web sites over HTTP through Threat Emulation gateway times out. Refer to sk111136.
02048969, 02049960
Postfix process is not monitored by any WatchDog. Refer to sk111783.
02351736, 02352719
Threat Emulation / Threat Extraction removes some key characters at the end of each e-mail. Refer to sk113556
02518836, 02521095
CPD becomes unstable during contract / license entitlement.
Threat Extraction
02447126, 02452339
"An error has occurred while extracting file" log from Threat Extraction blade when it blocks files attached to e-mails. Refer to sk115892.
02452806, 02454286, 02454288
The "Message-ID:" header of the original email is capitalized differently when Threat Extraction is enabled. Refer to sk115954.
02541266, 02543053
User connected from mobile phone cannot send original e-mail to their mailbox through UserCheck portal. Refer to sk118856
02679957
Attachment file name is garbled when using Threat Extraction with Apple Mail. Refer to sk121800
02687319, 02691461, 02696459
Persistence of UserCheck incidents is not preserved when quarantine time is very high. Refer to sk122099
PRHF-19, PRHF-35, PRHF-45
Threat Extraction incidents are not stored for longer than 15 minutes. Refer to sk124792
02710284, 02711076, PRHF-207
Extracted (cleaned) PDF files in Threat Extraction are malformed Tiff images.
SmartLog
01710875, 01711097
After upgrade to R77.30, SmartLog becomes non-responsive. The "smartlog_server" process consumes CPU at 100%. Refer to sk106782.
01725423
SmartLog GUI freezes occasionally, and it is not possible to log in to SmartLog GUI again. Refer to sk107153.
01854131
SmartLog displays the wrong hostname for a DHCP re-assigned IP. SmartView Tracker shows the correct hostname (corresponding to the user). Refer to sk108710
01864909, 01865057
"User" column in Global SmartLog GUI shows asterisks "******" instead of "User@Domain". Refer to sk108771.
01872463, 01872717
Packet Capture hyperlink is missing in SmartLog GUI. Refer to sk108934.
01935060, 01936585
In some records, the Origin field in the SmartLog is displayed in the 0.0.0.0.x format. Refer to sk109820.
01984127; 02273694
SmartLog GUI of Global SmartLog does not sort the logs by time when running a query. Refer to sk112826.
02076718, 02078662
"Server is disconnected!" message appears in SmartLog GUI, and it closes when running a query, or scrolling in SmartLog GUI. Refer to sk112140.
02443147, 02443623
Some of the entries in fw.log are not displayed in SmartLog. Refer to sk115698
02515100, 02510942
Cannot select local Security Management in SmartLog's "Servers view" although it is displayed in the list. Refer to sk117573.
02655801, 02655956
"Xml Parse error" when trying to display Threat Emulation logs in SmartLog. Refer to sk120982.
IPS
02658128, 02658437
IPS blade is automatically enabled on R7X Security Gateway during policy installation from R80.X Management Server, although IPS blade is disabled in the Security Gateway object. Refer to sk121152.
01707734
When Geo Protection mechanism is activated, Geo logs are generated for connections from reserved IP addresses (RFC 1918) (which creates too many logs).
Upon Geo Protection match, the "Source Country" field is populated according to the matching country in the rule base and not according to the actual country source IP. Countries that are not included in the policy are logged as "OTR" in log's "Source Country" and "Destination Country" fields.
Security Gateway becomes unresponsive and memory consumption increases when HTTP traffic passes through. Refer to sk109801.
01835506, 01849370, 01884821, 01886146, 01844696
With Anti-Virus, Application Control and URL Filtering blades enabled and APPI rule base configured to block "Malware / Malicious sites" with UserCheck message, when downloading Eicar test file over HTTPS, the UserCheck page is not displayed. Refer to sk109802.
01947356, 01949890
Global IPS Exception for protection "Any" does not work for e-mail traffic. Refer to sk117397.
02123480, 02128208
DNS traffic is dropped by IPS with log "Attack Information: Bad Resource Record format, Illegal EDNS0 RR". Refer to sk112578.
02333892, 02336619, 02334787
Outage after IPS database upgrade and install policy. Refer to sk113251.
01988035, 02300946
Multiple queries in a single DNS Query packet might cause the FWK daemon to crash on VSX Gateway. Refer to sk115254.
IPS-171
When IPS is enabled, many "fwconn_chain_is_data_conn" error messages appear in the dmesg log. Refer to sk119952.
02669417, 02670305
FWK crashes when a malformed DNS packet arrives at the Security Gateway.
02725091, 02725301
SCTP traffic is dropped by 'SCTP Unknown Chunk Type'. Refer to sk123561.
HTTPS Inspection
01707909
HTTPS Inspection drops traffic to a web site that uses untrusted server certificate even when the "Untrusted server certificate" is disabled. Refer to sk107288.
01834487, 01834994
Probe Bypass is initiated on non-SSL connection. Refer to sk108294.
01827198, 01779781, 01732856, 01980269, 01815535
HTTPS traffic is not routed according to Policy Based Routing (PBR) when HTTPS Inspection is enabled. Refer to sk110690.
02439065, 02439802
Security Gateway crashes with vmcore while creating the report (fw ctl sdstat report\stop ).
02267698, 02465120, 02413999
Some HTTPS sites do not load when HTTPS Inspection is enabled, if TLS 1.2 with ECDHE cipher is used. Refer to sk112954.
02457781, 02498183
Applications, Dynamic objects and Domain objects are available for use in the HTTPS Inspection policy, but these objects are not enforced on the Security Gateway. Refer to sk119276.
02669935
Skype for Business does not work when HTTPS Inspection is enabled and Security Gateway is configured as a proxy. Refer to sk121473.
Compliance
-
Do not have the ability to create your own Best Practices (resolved by installing R77.30 Add-On).
-
Do not have the ability to manage your own internal policy (resolved by installing R77.30 Add-On).
-
Do not have the ability to view Compliance configuration from the SmartDomain Manager (resolved by installing R77.30 Add-On).
-
Security Alert notifications are not received by e-mail (resolved by installing R77.30 Add-On).
01749642
Status of Compliance Best Practice "AB105" is "Poor" although "Update Malware database on the Security Gateway" is enabled. Refer to sk107373.
01817842
Status of Compliance Best Practice "APP103" is "Poor" although "Supports file transfer" block rule is defined under 'Application & URL Filtering' rulebase. Refer to sk107165.
01957344, 01957675
Compliance Blade shows "N/A" status for various Firewall Best Practices. Refer to sk110318.
Application Control
01871981, 01875943
FTP traffic speed decreases when Application Control blade is enabled. Refer to sk109012.
When Security Gateway is configured as a proxy, Skype is blocked by Application Control. Refer to sk113124.
URL Filtering
01861543, 01878274, 01884021, 01885550
Ability to increase the speed of RAD daemon's connection creation/deletion by configuring the number of categorization queries sent by RAD daemon to Check Point cloud in one connection (via parameter RAD_QUERIES_NUMBER_PER_CONNECTION in Check Point Registry). Refer to sk109474.
01910074, 01972747, 01973174, 01912245
Some HTTPS web sites are not categorized correctly when "Categorize HTTPS sites" is enabled. Refer to sk110475.
QoS
01938571, 01938659, 01938796
QoS (Floodgate) policy install randomly causes Security Gateway to crash and reboot. Refer to sk109840.
02516674, 02517802
QoS rule with Time object is enforced one hour later/earlier than the configured time after daylight saving. Refer to sk117893.
02563501, 02567776, 02567790
No warning is displayed if an empty network group object appears in the source or destination column.
02667570, 02668912
Some QoS log fields contain gibberish. Refer to sk121476.
QOS-2, QOS-7
QoS policy installation on Security Gateway with more than 1024 interfaces is failing. Refer to sk134812.
Stateful NAT46
-
These features are not supported for NAT64:
VoIP
SSL inspection
SSL de-multiplexer
HTTP header spoofing
HTTP proxy
-
You cannot use stateless NAT46 for FTP, VoIP or other protocols that require state information between control and data connections
vSEC Gateway for NSX
00631234
Management High Availability and Log Server are not supported on a standalone vSEC Gateway for NSX.
00527267
Performance Pack (SecureXL) Heavy Load Quality of Service feature (HLQoS) is not supported.
00575640
Cloning and templates are supported for vSEC Gateway for NSX Virtual Machine, if:
The VM is a newly deployed vSEC Gateway for NSX (immediately following the first boot).
You have not yet configured any Check Point products.
You have not yet done any configuration steps, such as sysconfig or cpconfig.
00566886
CPU consumption for the vSEC Gateway for NSX might show inaccurate results. To resolve this issue, reserve CPU resources on the ESX:
In the vSphere client, right click the vSEC Gateway for NSX.
Select Edit Settings.
On the Resources tab, move the Reservation slider to allocate a guaranteed CPU share (in MHz).
00568259
You can configure up to 2 virtual CPUs for the vSEC Gateway for NSX. Starting from Take_84 of Jumbo Hotfix Accumulator for R77.30, it is possible to configure more than 2 CPUs on vSEC Gateway for NSX.
Check Point Appliances
02192187, 02361143, 02366385
Multi-Queue does not work on 3200 / 5000 / 15000 / 23000 appliances when it is enabled for on-board interfaces. Refer to sk114625.
02488450, 02490810
Gaia Clish command "show asset all" on 21400 appliance does not show the amount of RAM present and the Power Supply status. Refer to sk116677.
02758776
Power supply status is 'Dummy' in 'cpstat' output on 5100/5200/5400 appliances. Refer to sk125573
VoIP
02413299, 02414451
Security Gateway / Active cluster member freezes / locks up randomly when processing H.323 traffic. Refer to sk114977.
02356285, 02402646; 02057823; 01920648, 02337230
H.323 VoIP call drops after exactly one hour because Keep Alive "ACK" packets are not forwarded to the VoIP clients. Refer to sk113749.
02398266, 02398945, 02401774
VoIP calls over VPN with destination in Internet fail. Refer to sk114817.
01557130, 02017992, 01633237
VPN Central Gateway drops SIP RTP traffic between the SIP Call Manager and the VPN Satellite Gateway, where the SIP call was initiated. Refer to sk111839.
02305365, 02312153
SIP VoIP call is disconnected / stops working several minutes after establishing the connection when SecureXL is enabled. Refer to sk112913.
01704012
VoIP traffic, or traffic that uses reserved VoIP ports is dropped after enabling CoreXL Dynamic Dispatcher. Refer to sk106665.
02441588
Avaya VoIP calls with Avaya Call Manager fail through Check Point Security Gateway. Refer to sk104786.
02490592, 02491121, 02491840
SIP session progress packets are not being NATed. Refer to sk116739.
02507365, 02507766
Security gateway crashes while handling SIP traffic.
Tools
02475032, 02475513
CPView history shows large number of pps on the interfaces after running cpstop command. Refer to sk116368.
Anti-Spam
02660987, 02661360
Anti-Spam randomly drops e-mail. Refer to sk121344.
02709578, 02710785, 02711336
When Security Gateway is configured as MTA, the Anti-Spam blade does not stamp e-mail subjects as 'spam' or 'suspected spam'.
This solution is about products that are no longer supported and it will not be updated