Support Center > Search Results > SecureKnowledge Details
Check Point R77.30 Known Limitations
Solution

 

 

This is a live document that may be updated without special notice. We recommend registering to our weekly updates in order to stay up to date. To register go to UserCenter > ASSETS / INFO > My Subscriptions.

 

Important notes:

 

Table of Contents

  • Installation and Upgrade
  • Gaia
  • SecurePlatform
  • Security Gateway
  • Security Management
  • Multi-Domain Security Management
  • SmartDashboard
  • Endpoint Security Server
  • SmartEvent / SmartReporter
  • SmartView Monitor
  • SmartView Tracker
  • SmartProvisioning
  • VPN
  • Cluster
  • Identity Awareness
  • Mobile Access
  • SSL Network Extender
  • SecureXL
  • CoreXL
  • Dynamic Routing
  • SNMP
  • VSX
  • LTE
  • DLP
  • Anti-Virus
  • Threat Emulation
  • Threat Extraction
  • SmartLog
  • IPS
  • HTTPS Inspection
  • Compliance
  • Application Control
  • URL Filtering
  • QoS
  • Stateful NAT46
  • vSEC Gateway for NSX
  • Check Point Appliances
  • VoIP
  • Tools
  • Anti-Spam


Enter the string to filter the below table:

ID Symptoms
Installation and Upgrade
-

When upgrading from R77, R77.10 or R77.20 to R77.30, the following error might appear:

***********************************************************
Welcome to Check Point R77.30 installation 
***********************************************************
There is insufficient disk space for the installation of this application.
In order to install this application <VOLUME-SIZE> MB is required under <PARTITION>
Refer to sk105509.
- Distribution of a R77.30 package in SmartUpdate R77.20 to Security Gateways R77.20 fails when the option "Revert installation to image on failure" is enabled.
Refer to sk101438.
- Upgrade from R77.20 with hotfix "R77_20_HF9" ("Bar Mitzvah", sk106478) to R77.30 fails due to a fix conflict as this hotfix is not included in Check Point R77.30.
Follow the instructions in sk107233.
01281332 Upgrade process to Gaia R77.30 on HP platforms that use CCISS driver might end with unresponsive system.
Refer to sk106708.
01620955, 01623073 If you install the R77.30 Add-on on a Security Management Server / Multi-Domain Security Management Server running on Gaia OS using CPUSE in Gaia Portal, then you must reboot the server after R77.30 Add-on installation is complete. Otherwise, some Check Point processes might not start correctly.
01638230 The Check Point trial license is not retained during an upgrade to R77.30 using CPUSE in Gaia Portal. Install a standard Check Point license before the upgrade.
01658826 If R77.30 Add-on package (that was installed using CPUSE in Gaia Portal on another machine and then exported using CPUSE) is manually imported using CPUSE, it appears in the "Minor Versions (HFAs)" section instead of the "Hotfixes" section.
In addition, the "Re-install" option is enabled, although it should be disabled.
01622674 The error message "FW1: Internal error - failed to determine operation mode" can be ignored in R77.30 Add-on installation logs files (/opt/CPInstLog/install_scrub_plg_R77.elg and /opt/CPInstLog/install_indicators_plg_R77.elg).
01611022 If you have gateways of different R77 versions and GX is enabled on a R77.30 Security Gateway only, policy installation will fail.
Solution: Use the "Install On" column for the GTP rules.
01362643, 01416065, 01614707 During in-place upgrade from VSX R77.x to VSX R77.30, the $FWDIR/conf/amon_vsx_refresh_interval file is overwritten.
If the refresh interval of VSX SNMP counters should be a value other than default 30 (seconds), you will have to edit the file manually after upgrade as described in sk101713 (and in sk97947).
01666916 If Multi-Domain Security Management Server was upgraded from SecurePlatform OS to R77.30 Gaia, you must manually install the latest build of Deployment Agent to use CPUSE.
Refer to sk92449.
01679305, 01680971

To upgrade from R77.20 Endpoint Security Manager on Gaia OS, which runs with Java 64-bit:

  1. Follow the sk92853 to revert Java back to 32-bit
  2. Perform the upgrade to R77.30 and reboot
  3. Follow the sk92853 to upgrade Java to 64-bit
01549207, 01884161 Gaia OS: Clean install from USB device fails on Open Server because the installation process (anaconda) includes the USB installation media as part of the installation target.
Refer to sk100566.
01395379 Red Hat Linux OS: When installing Multi-Domain Security Management Server, the server's IP address must be manually defined in the /etc/hosts file before the Check Point products are installed.
01530062 Red Hat Linux OS: If you installed the R77.30 Add-on on top of Multi-Domain Security Management Server, then you must uninstall the R77.30 Add-on before you can configure the Multi-Domain Security Management Server.
Gaia
- Hardware Sensors reading are incomplete on 15000 and 23000 appliances until the Gaia First Time Configuration Wizard is run.
Refer to sk114595.
- Timeout when trying to assign IP addresses to more than 200 VLANs on 23800 appliance running R77.30 Gaia OS Build 18.
Refer to sk120553.
01816080, 01822237, 01822236 DHCP Relay and DHCP Server do not function when configured together on the same Gaia OS.
  • Between DHCP Relay (routed) process and DHCP Server (dhcpd) process, the last process to start up will receive all the UDP unicast traffic. The first process sees no unicast traffic.
  • Both DHCP Relay (routed) process and DHCP Server (dhcpd) process will see UDP broadcasts.
  • If DHCP Server (dhcpd) process starts first, then this joint configuration will work, because dhcpd process only cares about UDP broadcasts.
    If DHCP Relay (routed) process starts first, then this joint configuration would fail to work, because the replies from DHCP Server that should be relayed are UDP unicasts.
Refer to sk98839.
01651073 Timezone data of few regions is missing from Gaia OS R77.30.
Refer to sk105902.
01561217, 01561480, 01564882, 01566775 kipmi0 daemon consumes CPU at 100% on Open Servers running Gaia OS.
Refer to sk104316.
01621547 In a Hyper-V environment, the Virtual Machine's clock (OS time) moves faster than the hardware (Host) time. As a result, the Virtual Machine's clock drift can accumulate rapidly and prevent NTP from working correctly.
Refer to sk105862.
01691878, 01693135, 01692055 "This page is currently in read only mode, the requested action cannot be performed" message appears in Gaia Portal when logging in with the TACACS+ user and clicking on the "Enable TACACS+ authentication" button at the top.
Refer to sk106324.
01695987, 01704522 Scheduled Gaia backup in R77.30 fails to transfer backup file to remote server.
Refer to sk106647.
01702790 "libdb set: missing or invalid argument" error in Gaia Portal when creating snapshot.
Refer to sk106646.
01687266 "IMAGE MANAGEMENT: going to restore system image ..
Error: 'Couldn't connect to /tmp/xgets: No such file or directory
"
on the console when reverting to snapshot or to factory default image on Check Point appliance.
This message can be ignored. Functionality is not affected.
01362834, 01363388, 01749317, 01769560 Gaia configuration commands are not saved sorted in way that guarantees continuation when loading them.
Refer to sk107286.
01696274, 01778888

/var/log/messages file on Gaia OS repeatedly shows:
xpand[PID]: image_mgmt_get_version: version was get from registry major=[X] minor=[.Y]
xpand[PID]: version is X.Y

Refer to sk109038.
01786538, 01789262 "Gaia Web-UI recognized a non-valid input data" error when creating a Scheduled Job in Gaia Portal.
Refer to sk107513.
01817116, 01820170, 01820171 /etc/snmp/userDefinedSettings.conf file on Gaia OS (see sk90860) is overwritten during a hotfix installation.
Refer to sk107861.
01824819, 01826286 "CLINFR0479 You can't start interactive session from another interactive session" error when trying to log in / switch to Clish over SSH.
Refer to sk108058.
01865733, 01868095 "SKU is invalid" error when pasting the License "cplic put" string in Gaia Portal and clicking on "OK".
Refer to sk108895.
01879767,
01881081
Kernel panic during cpinfo creation due to ip command invoked by cpinfo.
01923939, 01924979 Output of "raid_diagnostic" command shows some garbage characters in "ProductID" field.
Refer to sk109612.
01937716, 01937817 Backup restore includes the original MAC addresses of the machine.
Refer to sk109934.
01940689, 01944407, 01944426 OSPF configuration cannot be updated/changed in Gaia Portal when working in Internet Explorer (IE) browser - after changing the settings and clicking on "Apply", the settings do not take affect and revert to default settings.
Refer to sk109946.
01956738, 01957576

Output of Clish command "show sysEnv all" / Expert mode command "dbget sysEnv:all" is corrupted (text is not ordered).
Refer to sk110220.

01956093, 01958751 Clish commands "show configuration" and "save configuration" do not show / save the configured user's "realname".
Refer to sk110222.
01989855, 01990930 Security Gateway running on Gaia OS randomly becomes unresponsive when DLP blade is configured with Fingerprinting and external storage repository is used.
Refer to sk110801.
01987789, 01996692 "WARNING The following features: NameOfFeature, , provide a privilege level equivalent to that of 'adminRole'" message in Clish when adding some read-only commands to RBA role.
Refer to sk110772.
02051292, 02053059 Gaia OS might crash when removing a Bond interface in Gaia Portal.
Refer to sk111673.
02045637, 02049302 Proxy ARP table is not loaded after reboot causing entry's to be out of date in case of bond interfaces that uses different MAC address.
Refer to sk111675.
02084298, 02089780 Syslog Protocol version is not sent in syslog packets as per RFC 5424.
Refer to sk112159.
02167050, 02184450 Setting state of interface to "off" on Gaia OS does not turn off the link on that interface.
Refer to sk112598.
01919246, 02088229, 02091344 eBGP peers connected over an OSPF adjacency are using wrong next hop for BGP routes.
Refer to sk112112.
02085699, 02189660 Hardware Diagnostic Tool test fails on "Self-test" for 1GbE expansion cards when an SFP transceiver for RJ45 (Copper) is connected to the appliance.
Refer to sk112857.
02332735, 02335959, 02335269 Output of lspci utility contains many "Unknown devices" messages.
Refer to sk113214.
02355069, 02357493 Firewall-1 information is not restored from a backup when Threat Emulation is enabled.
Refer to sk113594.
02359678, 02360935 /var/log/messages file is filled with Audit Logs for Gaia Clish commands:
clish[PID]: user logged from admin
clish[PID]: cmd by admin: Start executing : xxx (cmd md5: ...)
clish[PID]: cmd by admin: Processing : xxx (cmd md5: ...)
clish[PID]: cmd by admin: Start executing : exit (cmd md5: ...)

Refer to sk113897.
02356738,
02365245,
02357833
confd process crashes with core dump files when running the cpinfo command.
Refer to sk113750
01111060,
02356903,
01309032
Saving the configuration on Gaia OS times out with 'NMSCFD0026 Timeout waiting for response from database server' error.
Refer to sk113746
02415990,
02419964,
02416200,
02419960
In SmartUpdate, on Windows Servers, "Generate cpinfo" not working.
Refer to sk115193
02423303, 02423845 Newly configured user (with UID that is not 0) is not able to log in from Gaia Clish to Expert mode on VSX Gateway.
Refer to sk115221.
02441209, 02441899 "confd" process consumes the CPU at almost 100% on Check Point appliance with installed LOM card.
Refer to sk115634.
02488772, 02489413 "confd" process crashes with core dump file when running the Gaia Clish command "show asset all" every several minutes.
02473276, 02479189 "Authentication failure" error in Gaia Portal when logging in with TACACS+ user, whose password contains special characters, such as "<", ">", "&", ";", "*", ":", "$", "|".
Refer to sk101332.
02488513, 02491901 Snapshot creation on Gaia OS is stuck at 1-2%.
Refer to sk116679.
02490383,
02491329,
02491797
Multicast PIM traffic register packets are sent with checksum 0xd63f that non-compliant with RFC (should be 0xdeff).
02536858, 02537075
/var/log/CPbackup.elg file shows the following errors:
Error:'get_xml_val': cannot find XML:nil
Error : 'xml_text_to_hash': Failed to read <nil> from content buffer
Refer to sk118718.
02559704, 02561586;
02561478, 02561588
After adding the RBA roles Gaia commands (add rba role TACP-0 virtual-system-access all), the lines are missing from "show configuration" command output, but the values can be seen in Expert mode (/config/active).
Refer to sk119394.
02621916,
02644222
When umounting an ext3 file system, Security gateway crashes with vmcore.
02669317,
02670441
Routed process enters slave/slave state after fwd crash. 
02694599 'show message motd' clish command output is corrupted.
Refer to sk122199
02711037 Cannot run scheduled backup using a Windows SCP server.
Refer to sk122792
02711255,
02712191
RADIUS user with special characters in a class attribute field is stuck on the spinning icon when logging into the WebUI. 
02717143 Security Gateway stops advertising default route into OSPF NSSA area.
Refer to sk123074
02722123 'show asset' command do not show network information.
Refer to sk123342
02730903 Unable to create a snapshot.
Refer to sk123612
SecurePlatform
01673299

If the SecurePlatform WebUI "Snapshot" page looks corrupted, then use this workaround:

  1. Connect to command line.
  2. Log in to Expert mode.
  3. Run this command: lvs
  4. If you see 100% in the 'Snap%' column of image named 'lv_current_snap', then run this command: lvremove -f /dev/vg_splat/lv_current_snap
  5. Connect ot SecurePlatform WebUI.
02559795,
02560843
Snapshot creation reaches 93% and stops, although there is enough space.
Refer to sk119675.
02518465,
02520009
SecurePlatform OS sets the timezone to "UTC" when the zone is entered with a space character in the "sysconfig" menu.
Refer to sk117737.
Security Gateway
02431007,
02467491
NAT stops working completely at some point.
Refer to sk116013.
01540833,
01542323
Security Gateway with PPPoE external interface installs "defaultfilter" policy instead of an expected policy when PPPoE interface is administratively shut down.
Refer to sk43293.
01717808,
01718192,
01647153
"fw_getifs: filter interface <interface_name> - no IP" message appears for every interface when running "fw getifs" command under "TDERROR" debug, although those interfaces have an IP address assigned.
Refer to sk106856.
01782528, 01783676 "Service Name" field in SmartView Tracker logs shows wrong service.
Refer to sk107416.
01786162, 01789060;
01408308, 01424553, 01437963
Errors when modifying default filter / Initial Policy on Security Gateway running IPSO 6.2.
Refer to sk103999.
01811945,
01816989
MGCP call fails to establish after upgrade from R75.45 to R77.30.
Refer to sk107975.
01860616,
01863650, 02053111
Security Gateway on Gaia OS crashes with vmcore dump file while adding/removing an interface during policy installation, during 'cpstop;cpstart' commands, during policy unload.
Refer to sk108816.
01873031,
01875134
"Via" field in HTTP Request sent to a web server by Security Gateway in Non Transparent proxy mode contains incomplete HTTP version - only major version (e.g., only "1" instead of "1.0" / "1.1").
Refer to sk108900.
01912515,
01912962
Connections are broken for short time after disabling SecureXL, or after installing a policy.
Refer to sk109468.
01963489,
01965804
in.ahclientd process occasionally crashes with core dump files.
01825619,
01664184,
01962131
Security Gateway / Virtual System might crash due to double record of a connection in Connections Table.
Refer to sk110476.
01928723,
01929760;
01928725,
01929762
  • Traffic is dropped without any logs
  • Policy installation fails with "Load on Module failed" and kernel debug shows "fwk_atomic_load_prepare: fwk_mtcounter_prepare failed"
Refer to sk109797.
01827910,
01827946,
01827969
HTTP/HTTPS traffic drop when Domain Object is configured
Refer to sk110687.
01710137,
01848363,
01707360,
01856715

Issues with traffic and with web pages when Security Gateway is configured in Proxy Non-Transparent mode.
Refer to sk106663.

02052179,
02053086
"Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection without sending any data" in web browser when accessing a web server through Security Gateway in Non-Transparent Proxy mode without next proxy.
Refer to sk111741.
02340784,
02341504
TCP traffic fails to return from static NAT host when using ISP Redundancy and SecureXL.
Refer to sk113236.
02342651,
02345193,
02350210,
02363864,
PRHF-122
/etc/hosts stops resolving URL on Security Gateway configured as Proxy.
Refer to sk113453.
02359254,
02361607,
02362029
"fwd" process or "fw_full" process on Security Gateway consumes memory at high level and crashes with core dump file.
Refer to sk113736.
02422575,
02425040,
02428176;
02446698
02447665
Stability issue on Security gateway.
02473855,
02479570
Once the Log server is down for a long period of time, the gateways do not try to reconnect to it and logs are being saved locally.
Refer to sk116233.
02049251, 02057072 In SmartDashboard, the "Hits" counter in a specific rule does not increase even though traffic was matched to this rule.
Refer to sk115098.
02516897,
02518182
Memory leak in FWD process, followed by "Segmentation fault" error in /var/log/messages file.
02537839,
02539556
Logging session does not switch to the backup logging server after connectivity loss.
Refer to sk118697.
02563963,
02564330
Cannot create events based on "sys_message:" filter.
Refer to sk119995
02706593,
02706821
Security Gateway crashes during policy push.
Refer to sk122755
02713205, 02715396 Security Gateway is sending wrong format BSD Syslog logs.
Refer to sk122952
02761248 Logs with action "Hold" are seen in SmartView Tracker.
Refer to sk125892
02367178,
02367230,
02367241,
01831439,
02389976
Kernel memory usage keep increasing, regardless of the connection amount.
Refer to sk129052
Security Management
01678185, 01678465

Policy installation might fail with "ERROR: stab identifier <lsv_profiles> for host redefined" in the following scenario:

  1. R77.30 Security Management Server running on Gaia OS or IPSO OS.

  2. There are two R77.x Security Gateways / Clusters (e.g., "GW_1" and "GW_2") managed by this server:
    • "GW_1" has IPSec VPN blade enabled
    • "GW_2" has DLP blade enabled, IPSec VPN blade disabled, and belongs to VPN Encryption Domain of "GW_1"

Workaround: Enable IPSec VPN blade on "GW_2" and install policy on "GW_2".

Refer to sk106196.

01520237 If the Security Management Server is installed on Linux OS, sometimes the IP address field in the Security Management Server's object is empty.
Workaround: In SmartDashboard, manually enter the main IP address.
01993128, 01994944 Users are deleted after R77.30 Management Add-on installation.
Refer to sk110887.
01551117 On a Security Management Server installed on Linux OS, an "ftp" command sometimes results in an error "ftp: relocation error".
Workaround: Run FTP commands from the /usr/bin/ directory (# cd /usr/bin).
00419335, 01134550, 01648694 $CPDIR/tmp/ directory is filled with 'CKP_mutex::_opt_CPsuite-RXX_fw1_log__...' files..
Refer to sk36754.
01718196, 01718386 Policy Verification fails to find overlapping rules.
Refer to sk106854.
01732223, 01732576, 01732588 Policy verification fails abnormally on R77.30 Security Management Server (SmartDashboard might disconnect / close unexpectedly, or even crash) when rulebase contains Address Range objects with IPv6 addresses.
Refer to sk107182.
01801629,
01802130,
01811077,
01805365
"Warning: Rule <N> contains a domain object. It will not be enforced by IPv6 policy." during policy verification refers to wrong rule number.
Refer to sk107601.
01810182,
01810870
"Unable to contact Certificate Authority on the Security Management Server" error in SmartDashboard after running "cpstop ; cpstart" commands.
Refer to sk107593
01832860, 01834896 Manual policy verification does not catch manual NAT rules where the Source of the original packet is defined as 'Any'.
Refer to sk108278.
01835229, 01836587 "fw logswitch" command on Log Server fails if its object in SmartDashboard is defined with a NAT IP Address.
Refer to sk108291.
01846456, 01846721 Manual NAT policy verification passes while it should fail.
Refer to sk108389.
01864424, 01864734 "Get Topology" action shows "fe80::" in results.
Refer to sk108760.
01922184, 01922547 Policy installation fails with core dump when Security gateway and Security Management server run R77.30.
Refer to sk109616.
01922555, 01922761 The "cprinstall install" command fails.
Refer to sk109617.
01844466 Applying policy update to Security Gateway Virtual Edition from "veconfig" menu fails with "Failed - Connection to gateway failed".
Refer to sk109739.
01940812 URL Filtering does not work on Edge device.
Refer to sk110219.
01971837, 01974133 "Gaia OS Best Practices" on the Compliance tab of SmartDashboard shows status "N/A" for clusters.
Refer to sk110474.
01982896,
01983661
In Management HA environment, FWM daemon might crash during an attempt to delete Security Gateway / Cluster object in SmartDashboard.
Refer to sk110748.
02013718, 02015361 "Where used" does not show results while logged into Log server via SmartDashboard.
Refer to sk111077.
02024427, 02027207 Imported data from fwm logexport is not properly aligned.
Refer to sk111304.
02167186,
02169523
"URL" field shows "*** Confidential ***" in HTTPS Inspection logs on 3rd party LEA OPSEC client.
Refer to sk101570.
02219579, 02252490 IPS Bypass under load thresholds are not tuneable in Full HA environment.
Refer to sk112659.
01911675, 02103719, 02103172 Memory leak in CPD daemon (in cpmon) causes the daemon to crash (due to exhaustion of available memory).
01912502, 02103768, 02103182 Memory leak in CPD daemon (in licutil) causes the daemon to crash (due to exhaustion of available memory).
02456777,
02456968,
02457349
FWM process crashes while pushing configuration to VSX cluster with Identity Awareness blade enabled and AD server configured.
02485375,
02486836
FWM process crashes sporadically when deleting the Security gateway object in SmartDashboard.
02491211,
02492143
FWM process crashes after installation of Install R77.30 Add-On.
02503435,
02504502
FWM process crashes while debug is enabled.
02555706,
02556381,
02555760,
02556390 
Memory leak in FWM CPM module.
02590945,
02592411
Security Management server stops receiving logs from all gateways.
Refer to sk120316
02657790,
02659048
SmartDashboar crashes at 40% on "Loading objects list" stage.
02666158,
02668798
R77.20/R77.30 Add-on activation or deactivation fails due to timeout.
Refer to sk121436
02704776, 02705333  Creating secondary CMA overrides files in $FWDIR/lib/ directory оn the primary CMA.
Refer to sk122538.
BS-635  The Compliance blade status for Best Practices APP113 and URL148 show "Poor" instead of "Secure".
Multi-Domain Security Management
01530078 You must install the R77.30 Add-on on Multi-Domain Security Management Server R77.30 before importing the database that was exported from Multi-Domain Security Management Server R77.20 with installed R77.20 Add-on. Otherwise, database import fails.
01519804

To uninstall the R77.30 Add-on from a Multi-Domain Security Management Server, first you must de-activate it on all Domains:

  1. In SmartDomain Manager, go to "Version & Blades Updates" tab
  2. Double-click on the Domain - go to "Version & Blades Updates" tab
  3. Select the "R77.30" - click on "Remove" button - click on OK
01515648 The Gaia alias feature is not supported on the Multi-Domain Security Management Server, and it overrides the aliases Domain Management Servers.
01702895, 01703025

SmartLog GUI client connected to the Multi-Domain Server (global database) does not show logs from the remote Multi-Domain Server or Multi-Domain Log Server in the following environments:

  • At least two R77.30 Multi-Domain Servers (regardless whether they are configured in Management HA or not)
  • R77.30 Multi-Domain Server with R77.30 Multi-Domain Log Server
Refer to sk106600.
01820185, 01820311 mds_backup procedure is stuck at "Releasing all databases" stage.
Refer to sk107862.
01640559, 01802714, 01641851 "Error: Cannot assign the Global IPS policy - The version of IPS on the Domain Management Server and in the Global policy must be the same".
Refer to sk108877.
01894840, 01909809, 01909714 Assigning of Global Policy fails on some Domain Management Servers after modifying a global object.
Refer to sk109436.
01973414, 01973521 Global Policy assignment problem after failing IPS update.
Refer to sk110498.
02022345, 02022609 Users ($FWDIR/conf/fwmusers file) and GUI clients ($FWDIR/conf/gui-clients file) are overwritten on Security Management Server during MDS synchronization when Domain Management Server and Security Management Server are configured in High Availability mode
Refer to sk111175
02135303, 02135745 Global Policy assign fails with "There is already local object with the name: among the Domain Management Server's objects" error.
Refer to sk112342.
02368249 "Global object modification is prohibited!" error in SmartDashboard connected to a Domain Management Server during policy installation.
Refer to sk114154.
02394950, 02395997 SmartDomain Manager loads very slowly and might even crash.
Refer to sk114618.
02699530,
02699530,
02699530
Top process is not killed after closing ssh session and running at 100%.
SmartDashboard
01687346 SmartDashboard Help incorrectly shows "You can assign up to 8 instances on a Virtual System"
(SmartDashboard - Virtual System object - "CoreXL" pane - click on "?" button in the upper right corner).
The correct number is up to 10.
01689711 When editing protections in R77.30 SmartDashboard -> IPS blade -> Protections (for example, SIP Filtering), it is impossible to exit the protection editing.
Refer to sk106444.
01693797, 01932180, 01694050 "Changing the hardware to <New_Selected_Check_Point_Appliance> Appliances is blocked" warning in R77.30 SmartDashboard when changing a hardware platform in a gateway object that is used in Identity Sharing of another gateway.
Refer to sk106434.
01693797, 01694050 "Changing the hardware to <Hardware type> is blocked." warning when editing cluster object that shares Identity Awareness.
Refer to sk106482.
01778329,
01778691
SmartDashboard overrides authentication scheme database field for mobile_realm.
Refer to sk107278.
01785636, 01787259

When cloning an interoperable Device in SmartDashboard, the following error is displayed and the name cannot be changed:
"Rename is not allowed because the object contains shared secrets. First, remove the shared secrets from the object and click OK."
Refer to sk107455.

01824544,
01825189
When opening Account Unit tree, see "The parameter is incorrect" error.
Refer to sk108137.
01834373, 01834983 SmartDashboard does not display one of cluster interfaces because of case sensitive name uniqueness. Refer to sk108264.
01848315,
01849360
SmartDashboard crashes when trying to delete Override category.
Refer to sk108615.
01853376, 01856256 In Read Only mode, right-click on object in NAT policy does not bring up the context menu.
Refer to sk108618.
01855908, 01861192 When Security Management manages many VPN gateways, the VPN Tab is stuck on loading and may crash the GUI.
Refer to sk108628.
01856760, 01857716, 01858017 SmartDashboard displays "Internal error" message and crashes when clicking on Threat Prevention tab and going to Policy and than back to overview.
Refer to sk108629.
01816574, 01817765 "Hide NAT" icon is displayed for "Static NAT" method in "Destination" column of "Translated Packet".
Refer to sk109013.
01875766 "An unexpected error occurred - Sorry for the inconvenience, please restart the application" error in SmartEndpoint, when going to Deployment tab - expanding Advanced Package Settings - clicking on VPN Client Settings - selecting a VPN Site, which has "Authentication method" defined as "CAPI-certificate" - clicking on Edit...
Refer to sk109126 - Scenario 2.
01851861, 01862102 There is no prompt message on exit attempt after making changes in Application & URL Filtering or DLP tab - the changes are saved automatically without asking.
Refer to sk109813
- Deleting a network object (that is a part of a Group object) while filtering "By IP address" causes the order of objects to change back to default order "By Name".
Refer to sk109704.
01796510,
01799558,
01907575,
01799727,
01933963
Wrong icon for Automatic NAT rules. On automatic NAT rules, the icon of hide NAT rules always shows the letter "S". This letter should indicate the adtr method, and should be "H" when the method is Hide.
Refer to sk109836.
01964494, 01965659 SMTP property is not shown on VSX Cluster Object.
Refer to sk110266.
02082122, 02083516 SmartDashboard Picker filtering does not show the correct result.
Refer to sk112057.
02127822, 02127888, 02128542 Access roles objects are not synchronized with the Log server.
Refer to sk112359.
02167023, 02170424 Users and user groups added to an Access Role are not saved in SmartDashboard when FIPS is enabled on Windows OS.
Refer to sk112494.
02156746, 02157741 "Unhandled exception - Value does not fall within the expected range" error when saving user-defined regulation in Compliance blade of R77.30 SmartDashboard opened in Demo mode.
Refer to sk112581.
02565748, 02566223
SmartDashboard does not get the topology of VTI interfaces from cluster members running on Gaia Embedded OS.
Refer to sk119832.
MB-77

Administrators with Customized permission profile cannot manage VSX objects.

Workaround: Use Read/Write all permission.

PMTR-10186,
PMTR-567
SmartConsole is not disconnected after time specified in 'SmartConsole > Manage & Settings > Permissions & Administrators > Administrators > Idle Timeout'.
01378314 HiDPI (High Dots Per Inch) is not supported in R77.30 
Endpoint Security Server
01652844;
01669080
If no licenses are applied on Security Management Server, then it automatically uses a Plug and Play license for the first 15 days. If during that time, Endpoint Policy Management blade is activated, then an Endpoint Policy trial license is shown in the output of "cplic print" command, although the Plug and Play license is still valid. The trial license is not used until the Plug and Play license expires.
01907703,
01909558
Garbled characters in Action name in SmartEndpoint.
Refer to sk109575.
SmartEvent / SmartReporter
01450132, 01451865, 01477664, 01491056, 01599078 "No data available for [SmartReporter]" error in reports.
Refer to sk102007.
01577697, 01577791

evs_backup command sometimes fails with the following messages:

Postgres service is down, starting postgres
Failed to start postgres service. Please check backup.err for detailed errors
eva_db_backup.csh fail
error has occurred. evs_backup will stop

Refer to sk104839.
01877586, 01877829 SmartReporter PDF reports are shown incorrectly. Refer to sk104840
01877490, 01877827 "Dev Mode: ON - Syntax error" in SmartEvent/SmartReporter reports. Refer to sk108979.
01928368, 01928572 Core dump files for CPSEMD process are generated in /var/log/dump/usermode/ directory after each reboot of SmartEvent server.
Refer to sk109714.
01969321,
01969673
The CPSEMD process crashes with core dump due to signal 15 when SmartEvent machine is rebooted.
- SmartEvent GUI client may crash when trying to apply Learning Mode recommendations.
02439787, 02440104 "No relevant data found" warning when running Login Failures report.
Refer to sk115658.
02442888,
02443123
Scanned hosts value is incorrect in Threat Prevention report.
Refer to sk115680
02472200, 02473138, 02473784, 02475632 Report generation with custom Service field filter (for example SMTP), fails.
Refer to sk116312.
02559461,
02562448
Mail alerts that contain IPv6 show 0.0.0.0 instead of the real IP address.
Refer to sk119714
SmartView Monitor
01692615, 01694011, 01697239 SmartView Monitor shows the status of cluster interfaces as "Partially up".
Refer to sk106488.
01879709, 01885825, 01881984, 01937995 The rtmd process crashes due to memory corruption.
02537633, 02539688
SmartView Monitor "Top QoS Rules" view shows that almost all traffic matches the "No Match" rule when SecureXL is enabled on Security Gateway.
Refer to sk118720.
SmartView Tracker
00764403;
00936644
SmartView Tracker displays ROBO gateways / Edge devices managed by SmartProvisioning in the "Origin" column as Device ID "0.0.0.X" instead of the Device real IP address.
Refer to sk106966.
SmartProvisioning
01913532,
01914320
SmartProvisioning profile change generates duplicated IP ranges.
Refer to sk109457.
02400017, 02401486 SmartProvisioning Configuration script does not work for 1180 SMB appliance.
Refer to sk114735.
02417542, 02418996 SmartProvisioning GUI shows VLAN interfaces as "ethX.NNN:Resolve:DataStruct:Encode:..." in ROBO Gateway properties window.
Refer to sk115135.
VPN
- Online Certificate Status Protocol (OCSP) verification of certificates signed with SHA-256 is not supported.
Refer to sk108752 - "Scenario 3".
01616679, 01626526;
01600927, 01626372
Dead Peer Detection (DPD) does not work in Aggressive Mode.
Refer to sk105390.
01695819 upgrade-export overwrites files from Cross-Site Request Forgery (CSRF) fix (01491932) rendering the ICA portal non-functional.
Refer to sk106697.
01727625,
01730966,
01729434
"vpn debug on TDERROR_ALL_ALL=5" command does not update the previously set debug flags.
Refer to sk107172.
01820334, 01821023 Security Gateway might crash after running 'cpstop' command if MSS Adjustment (Clamping) for IPsec VPN traffic is enabled (fw_clamp_vpn_mss=1).
Refer to sk101219.
01844057 After ISP failover on LSV peer, gateway keeps using the old MSPI.
Refer to sk108388.
01841784, 01844569, 01844802 "According to the policy the traffic should not have been decrypted" drop log for traffic from VPN peers managed via SmartProvisioning (e.g., Edge devices) after upgrade of Security Gateway to R77.30.
Refer to sk108427.
01691222, 01904577 Not possible to establish Site-to-Site VPN tunnel with Large Scale VPN (LSV) peer, which is a DAIP device.
Refer to sk109473.
01857440,
01860064
When center gateway receives encrypted traffic to which it has no keys to decrypt AND peer is dynamically assigned (DAIP), VPN does not work properly.
Refer to sk109853.
01949238, 01949716 Site-to-Site VPN using IKEv2 fails when SecureXL is enabled.
Refer to Scenario 5 in sk114834.
01956286,
01986659,
01986240
Remote Access users are unable to connect when authenticating using a certificate issued by a subordinate CA.
Refer to sk110747.
02021708,
02022230
Unable to store Intermediate CAs in CertCache.
Refer to sk111272.
02023245,
02027402
Concurrent IKA SAs counter is too large on Standby member.
Refer to sk111373.
02075249, 02088049 Site-to-Site VPN tunnel fails after some time and has to be renegotiated, if the IKEv2 SA was initiated by the peer.
Refer to sk112137.
02058553, 02088047 IKEv2 negotiation for Site-to-Site VPN tunnel fails if IKEv2 SA payload contains more than 8 proposals.
Refer to sk112139.
02074389, 02079149 Site-to-Site VPN fails between Check Point Security Gateway and Check Point Virtual Appliance for Amazon Web Services (AWS).
Refer to sk112141.
02059238,
02060173,
02060616
Fail to authenticate with 3rd party peers when using Diffie-Hellman Group 19, or Diffie-Hellman Group 20.
Refer to sk112156.
02070666,
02071813,
02076410,
02097090
IPSec instability with IKEv2.
Refer to sk112160.
01818839, 02336244, 02336240 Randomly, new VPN tunnels are not being established with the peers.
Randomly, traffic is not passing over multiple VPN tunnels.
Refer to sk113837.
02381660,
02384651
Security Gateway is sending incorrect IDs in IKE Phase 2 if using IP Range object for encryption domain.
Refer to sk114494.
02436237 VPN traffic fails when collecting kernel debug with a filter "fw ctl debug -e" and SecureXL is disabled.
Refer to sk115580.
02436809,
02439762
Traditional Mode with User Authentication FTP traffic failing.
Refer to sk115614
02476348, 02478082 When connected with L2TP client to the Security Gateway's alias IP address, the returned encrypted traffic is sent out with the source IP address of the physical interface.
Refer to sk116655
02490101,
02490384
VPN Tunnel instability issues with Cisco Gateway using IKEv2.
Refer to sk116776.
02509724 DAIP gateway takes a long time to establish a VPN permanent tunnel (DPD) after reboot.
Refer to sk117513.
02514005;
02534915;
02529275
  • DAIP devices deployed as VPN Satellite gateways, do not support VPN link fail-over between a static link (using permanent IP address) to the DAIP link, and vice-versa.
  • Trusted interfaces are not supported for DAIP devices.
02536801,
02537327,
02540697
IKEv1 using DH group 19/20 fails to encrypt / decrypt packets.
Refer to sk118713
02540281,
02543370
Problems with supernetting during IKE negotiation with Large Scale VPN (LSV) peer.
Refer to sk118855
02564507,
02570956
Client Setting "Calculate IP based on topology" breaks when using host.
Refer to sk120121
02564111,
02565222,
02590209
MTU on VPN traffic is limited by MTU of 1500.
Refer to sk120122
02447010, 02542849
"You cannot receive an office Mode IP address because the security gateway does not have a license for Office mode" error on SSL Remote Access VPN client (SNX client / Capsule VPN client / Capsule Connect client / Endpoint Connect client) that tries to connect to a Cluster in High Availability mode.
Refer to sk120652.
02663779,
02666335
Unable to connect with SHA-512 user certificate on Windows Capsule.
Refer to sk121418
02702969, 02706012 Security Gateway accepts an other Diffie-Helman group then is configred.
Refer to sk122438
02701519,
02701727
RADIUS authentication fails for LDAP users as the gateway uses sAMAccountName and not UPN when UPN is needed.
Refer to sk122477
02700394.
02700552
3rd party VPN peer rejects IDs proposed in IKE phase 2 and tunnel not established (unless initiated from peer side).
Refer to sk122478
02708339,
02710768
Site-to-site VPN traffic issue in vSEC for Azure deployment.
Refer to sk122754
02766380
02766590
When Endpoint Security VPN client connects without Office Mode, upon disconnect, ccc_sessions entry not deleted.
sk127452
Cluster
00545387, 01104217, 01145895, 01153486, 01295463, 01345084, 01348870, 01531739 Host on network shows an error about duplication of its IP address when ClusterXL with VMAC is used.
Refer to sk92364.
02344721, 02622869
Traffic interruption on VLAN interfaces during policy installation on ClusterXL Load Sharing Multicast.
Refer to sk120593.
01646584, 01879544, 01657956 Various traffic issues on cluster due to FWD daemon taking all slots on cluster subscriber list.
Refer to sk109596.
01709078 Some Remote Access VPN clients are not able to connect to ClusterXL in Load Sharing Unicast mode with enabled CoreXL.
Refer to sk106745.
01709088, 01712864 Sometimes there is no VPN client connection from particular IP address to cluster.
Refer to sk106816.
01715078 Output of "cpstat ha -f all" command shows status of some VLAN interfaces as "Partially up".
Refer to sk106488.
01848272, 01855069, 01855384 Cluster "Interface table" is empty in SmartView Monitor and in output of "cpstat -f all ha" command.
sk108546.
01808943 "First packet isn't SYN" drop logs in SmartView Tracker for TCP traffic from ClusterXL in Load Sharing Unicast mode with enabled SecureXL.
Refer to sk107618.
01835404, 01836082 "find_device_thread: cannot find device cphad" messages in $FWDIR/log/cphamcset.elg file on IPSO OS.
Refer to sk108273.
01820037, 01820130, 01878926, 01881830, 01877156, 01877245, 01834660, 01828139, 01874732 By forging CCP packets, it is possible to "confuse" cluster members about the state of peer members and cause denial of service (cluster members could be forced to incorrectly change their state to "Ready").
Refer to sk108360.
01883794, 01885801 "Interface table" in SmartView Monitor and in the output of "cpstat ha -f all" command shows only one configured cluster interface on IPSO-based cluster members running R77.20 / R77.30.
Refer to sk109143.
02008783, 02010172 Cluster member with highest priority is not able to become new Active after changing the Members' Priorities.
Refer to sk110999.
00443545, 01492996;
01888621, 02221764, 02221768
  • NAT rule on cluster does not hide the Source IP address behind the configured IP address if the packet is sent to Cluster VIP address
  • NAT rule on cluster does not hide the Source IP address behind the Cluster VIP address if the packet is sent to Cluster VIP address
Refer to sk113163.
02409452, 02416469 Flapping of cluster members with Bond configured in Load Sharing mode when the neighboring switch is rebooted.
Refer to sk114993.
02498077, 02501519 Traffic from ClusterXL to third party devices is dropped.
Refer to sk116975.
02512799 Intermittent traffic issues and RouteD crash in ClusterXL on Gaia OS.
Refer to sk117576.
02554000, 02560538, 02556227 Traffic through ClusterXL High Availability mode is interrupted when Standby member is rebooted.
Refer to sk120073.
02622338, 02630620 SmartView Tracker in "Active" mode shows the same log for the same connection from each ClusterXL High Availability member.
Refer to sk120343.
02763780, 02763792 ClusterXL in Load Sharing mode is sending packets with Multicast MAC as the Source MAC.
Refer to sk126392
Identity Awareness
01474286, 01474449, 01474579, 01487885, 01597454 Automatic update of LDAP group membership does not work.
Refer to sk102656.
01459386, 01471410, 01481343, 01491580, 01495011, 01529144, 01554413 Some users randomly get a block page from Identity Awareness gateway.
Refer to sk102172.
01831743, 01842394, 01842525, 01835922 Policy installation on Identity Awareness Gateway fails randomly.
Refer to sk108290.
01897211, 01899289 Multiple drop logs "First packet isn't SYN" for TCP port 15105 or port 28581 on VSX cluster member with enabled Identity Sharing.
Refer to sk109255.
01893074, 01936094, 01894188 Identity Awareness Gateway might crash when running 'cpstop' command.
Refer to sk111315.
01559273,
01912184,
01936759,
01668821,
01570158,
01975585,
01566538
After memory utilization problem, PDP process crashes with core dump and Identity Awareness stops.
02329550,
02332115
PDPD process crashes when traffic does not match the access roles.
02291902 Identity Awareness Gateway may lose connection with Domain Controllers configured for the ADQuery.
Refer to sk113216.
02517753
Improved stability of PDPD daemon related to Captive Portal.
02696520,
02697170

Captive login portal page is shown in a baby frame of web site.
Refer to sk122257

02703712
02703689
02702724

AD testing generates core dumps.

Refer to sk122472

IDA-623

High CPU usage after policy installation when pdpd is running.

Refer to sk122352

02714694 UserCheck daemon (usrchkd) crashes every few days.
Refer to sk122953
Mobile Access
01610643 The Mobile Access tab > Additional Settings > Link Translation page is not supported when working with SmartDashboard in Read-Only mode.
01620696 RAsession_util command (see sk104644) will show Capsule Connect and Check Point integrated VPN for Win 8.1 session, although the user disconnected the VPN tunnel from the mobile client side.
No further data will pass between the client and the Security Gateway. The record, from RAsession_util, will expire according to the session's original expiration time, with a session expiration log in SmartLog.
01702733, 01703139 When used without specifying the full path, cvpnd_settings crashes.
Refer to sk106673.
01704233, 01706873, 01706888 ActiveSync Capsule Workspace users get authentication pop-ups using every few minutes after upgrading to R77.30.
Refer to sk106607.
01736208,
01738947
Web Form SSO with configured login page does not work.
Refer to sk107254.
01807600,
01807879
Accessing the MAB portal without providing certificate results in unclear log in SmartView Tracker.
Refer to sk107812.
01841717, 01841906 Mobile Access Gateway does not send domain as part of Web Form SSO response.
Refer to sk108498.
01853732,
01862399,
01854127
Mobile Access log on SmartView Tracker shows the browser version instead of the OS version.
Refer to sk108711
01734925, 01854129, 01862401 "[CVPN_ERROR] statusToString: Unrecognized status: 5" error in the debug of CVPND daemon on Mobile Access Gateway.
Refer to sk108876.
01908331,
01909424
Web application not displayed correctly in Mobile Access Blade when using Path Translation. Refer to sk109579.
01836233,
01863723
Client Certificates Tab is not showing in Read mode in Mobile Access.
Refer to sk109837.
01939853, 01943615 External User groups are not matched correctly when connecting to SNX Portal - users get permissions to access resources, which they are not supposed to access.
Refer to sk110014.
01932329, 01940409, 01953139 "Error: Page cannot be displayed. An error occurred while processing the request" in web browser after entering the credentials in Mobile Access Portal.
Refer to sk110072.
01958625,
01959114
After one SNX user disconnects, all other connected users are disconnected. Mobile Access gateway becomes non responsive.
Refer to sk110316.
02127881,
02136465
Mobile Access deleteUserSettings command does not work when user name contains spaces.
Refer to sk112467
02156587,
02157190,
02172262
SSL Inspection: Site does not load for the first time after a renegotiation.
Refer to sk112599
02371118,
02377407
Relativity web application accessed via MAB does not show open folders until web page is refreshed.
sk114259
02457976,
02460809
"failed to establish trust" error message when try to enroll the certificate from Capsule Workspace.
Refer to sk116095
02467377 Failed to overwrite existing files using Mobile Access File Share Application.
Refer to sk116238
02510647,
02511628
Pages not translated when header Content-Type: */* in HT Link Translation.
Refer to sk117514
02520551,
02522305
Untranslated links in iNotes Web Application when using Hostname Translation.
Refer to sk118037
02526048, 01838814  Endpoint Security on Demand Secure Workspace does not automatically support Windows 10 Creators Update or later versions.
01595256, 01586057 The Mobile Access Portal does not support Web-Form SSO for Citrix StoreFront Web interface. 
Mobile Access does not support viewing or editing files with 'Office Online apps', Microsoft's browser-based Office applications. Outlook Web Access is supported, however you cannot open or edit Office Online app files from emails.
02729238,
02730507
Rule mismatch on SSL inspection rulebase.
Refer to sk123718
SSL Network Extender
01381144, 01439006, 01534244 If MultiCore support for SSL is enabled, then SSL Network Extender roaming is not supported.
Refer to sk101223.
01432574, 01432727, 01461593 The SSL Network Extender connection from command line "snx -l <CA_Di>> -s <Server>" fails with "SNX: Authentication failed" when authenticating with a user certificate.
Refer to sk101588.
01376618, 01371231 If MultiCore support for SSL is enabled, then connections between SSL Network Extender clients are not supported.
Refer to sk101223.
02450974, 02454119 "Cannot establish connection to SSL Network Extender gateway. Try to reconnect." error from SNX client on Mac OS X / macOS after disabling both RC4 and 3DES cipher suites on the Mobile Access Gateway.
Refer to sk116156.
SecureXL
01554849, 01576112, 01611699 TCP packets are not dropped as Out-of-State when SecureXL is enabled.
Refer to sk104557.
01385943, 00266287;
01463835, 00267250
TCPdump shows wrong IP addresses for NATed traffic when SecureXL is enabled.
Refer to sk100194.
01919249, 01915798, 01915162 Output of "fwaccel stat" command shows:
Accelerator Status : off by Firewall (too many general errors (NUMBER) (caller: Name_of_Function)).
Refer to sk100467 (Scenario 3 - "UDP traffic causes too many general errors").
01536546, 01596104, 01596291, 01598767, 01615398 SecureXL Accept Templates not created when ISP Redundancy is enabled in Primary/Backup mode.
Refer to sk104679.
01719131 Security Gateway might crash when disabling and re-enabling SecureXL.
Refer to sk106934.
01769402, 01777881, 01771790 Multiple "cphwd_pslglue_can_offload_template: error, psl_opaque is NULL" errors in /var/log/messeges file after upgrade to R77.30.
Refer to sk107258
01846041, 01852946, 01846244 SecureXL on Standby cluster member drops traffic with "Address spoofing" log.
Refer to sk108502.
01848202, 01850540 Check Point 21000 series appliance with SAM card might crash while handling fragmented TCP packets.
Refer to sk108589.
01845461, 01853546; 01906167 Check Point 21000 series appliance with SAM card might crash during policy installation.
Refer to sk108643.
01825599, 01847635 Check Point 21000 series appliance with SAM card might crash due to removal of Layer 2 header by SAM card.
Refer to sk108652.
02372653, 02468724
Check Point 21000 series appliance with SAM card is not able to boot after installing Take 210, Take 213 or Take 216 of R77.30 Jumbo Hotfix Accumulator.
Refer to sk116070.
02063194, 02455007, 02366816;
02503790, 02528926, 02503796
Traffic disruption after policy installation on 21000 appliance with installed SAM card (with uptime of more than 250 days).
Refer to sk119999.
01574329, 01844422, 01973806, 01973814 Gaia OS on Check Point 21000 series appliance with SAM card becomes unresponsive when trying to delete a VLAN interface after passing multicast traffic through that VLAN interface.
Refer to sk115420.
01642962, 01648328, 01885055, 01897151 Packets are not routed correctly when PBR is configured and SecureXL is enabled.
Refer to sk109741.
01934947, 01939363 "sim dropcfg -l" command incorrectly shows "Enforced on external interfaces only".
Refer to sk109960.
02020740 Security Gateway with enabled SecureXL might crash during policy installation.
Refer to sk111411.
02057286, 02058104 Cluster member might crash when processing a NAT connection, if SecureXL is not enabled on all cluster members.
Refer to sk111888.
01827637, 02029717, 02009223 Low performance on Security Gateway configured in Monitor Mode (Mirror Port mode) per sk101670.
Refer to sk112798.
02368502, 02369852, 02369778 Security Gateway with enabled SecureXL might crash during policy installation when SAM card is not installed.
Refer to sk114153.
02383351, 02385918, 02383440 Security Gateway might crash when disabling the SecureXL SIM feature "NAC" and restarting the SecureXL.
Refer to sk114424.
02390699, 02398953, 02396299 Asymmetric traffic is dropped on Security Gateway with enabled SecureXL and several Bridge interfaces.
Refer to sk114976.
02459107, 02461409
Computers with dynamically assigned IP addresses are not able to access web sites by their URLs when SecureXL is enabled.
Refer to sk116160.
02495600, 02497103
VSX Gateway crashes in rare event when VPN traffic passes over two or more Virtual Systems (which causes the traffic to warp-jump) with enabled SecureXL.
Refer to sk116953.
02507051, 02507372 Cluster member with enabled SecureXL crashes during policy installation due to issues in SecureXL NAT Templates.
Refer to sk117332.
02535956, 02536066
Memory consumption on Security Gateway increases after enabling NetFlow v9 in Gaia OS.
Refer to sk118719.
02541089, 02551724, 02541431 Security Gateway freezes / crashes in rare scenario when SecureXL is enabled and multicast routing is configured.
Refer to sk119299
02054022, 02301812
VSX Gateway with enabled SecureXL crashes in rare scenario while collecting CPInfo file / running CPView Utility during high traffic load.
Refer to sk119992.
02613465, 02615348 "First packet isn't SYN, TCP flags : FIN-ACK" drop log for RSH (remote shell) traffic sent from a Server.
Refer to sk120462.
02661524 Kernel panic after fw_worker_1 reaches 100% of CPU usage. 
CoreXL
01802551,
01802999
Creating a Virtual System with one CoreXL FW instance might end with an error and cause the VSX Gateway / VSX Cluster member to crash with kernel core dump.
01801032, 01829886 Issues with traffic passing through Security Gateway with enabled CoreXL Dynamic Dispatcher.
Refer to sk108432.
01873994 Difficulties in connecting to untrusted sites when both HTTPS Inspection and CoreXL Dynamic Dispatcher are enabled.
Refer to sk108894.
01884966, 01857938 R77.30 cluster member might go Down after disabling CoreXL Dynamic Dispatcher only on one member.
Refer to sk108856.
01961260, 01966223 Traffic between ClusterXL members drops randomly.
Refer to sk110312.
01991091, 01991801, 02007206, 02004437 Although CoreXL Affinity was configured to assign only a specific process to certain CPU cores, some interfaces are still being assigned to those CPU cores.
Refer to sk110940.
02012536, 02013035 Traffic outage on ClusterXL after enabling both CoreXL Dynamic Dispatcher (sk105261) and SecureXL NAT Templates (sk71200).
Refer to sk111015.
02109273, 02110128, 02109398, 02119936

The following syntax errors appear after running the cpstart command:

/opt/CPsuite-R77/fw1//scripts/fwaffinity_mq_apply.sh: line X: let: cpu_id = % 2: syntax error: operand expected (error token is "% 2")
/opt/CPsuite-R77/fw1//scripts/fwaffinity_mq_apply.sh: line Y: 1<<: syntax error: operand expected (error token is "<")

Refer to sk112250.
01852502, 02296541;
01852497, 02327335
Session Authentication fails for all connections when CoreXL is enabled on Security Gateway.
Refer to sk109838.
02378614,
02378995
Issue with SIM Affinity on two 40GB interfaces (expansion cards).
Refer to sk114396.
01995709, 01996404, 01995254, 02389830 The "fw -i <id> ctl pstat" command shows "memory used: 0%".
Refer to sk110881.
Dynamic Routing
01842491, 01844272 BGP routemaps stop working correctly after Gaia OS upgrade from R75.4X / R76 versions to R77.10 and later versions.
Refer to sk108497.
01865692,
01870556
When receiving a packet of Bootstrap Router update in PIM protocol from non-multicast IP address, RouteD daemon crashes.
01888022, 01959704, 01968564 Not able to configure routemap for each BGP peer on Gaia OS.
Refer to sk110477.
01976708,
01976875
RIP stops working on enabling dynamic routing.
Refer to sk110616.
01980694, 01989783, 01989782 Routes redistributed by Gaia OS to BGP peer are sent without BGP community value.
Refer to sk110563.
01569785, 01579695 Configuring PIM Sparse Mode with dynamic Rendezvous Point (RP) fails in cluster environment on Gaia OS.
Refer to sk110939.
02060290, 02060715, 02066063, 02062736 RouteD daemon might crash when PIM packets are received in an un-supported IP format.
Refer to sk111891.
02110490, 02110665 RouteD daemon might crash if PIM is configured and machine is rebooted when all cables are disconnected.
Refer to sk112251.
02349239 BGP starts advertising all the routes with "as_prepend", even to AS where prepend is not configured.
Refer to sk113504.
02068809, 02333746, 02333261 Security Gateway / Cluster Member on Gaia OS with configured BGP that uses MD5 Authentication might randomly crash (tcp_v4_calc_md5_hash(...) at tcp_ipv4.c).
Refer to sk101976.
02358210, 02364750, 02364752 VRRP Backup member on Gaia OS sends BGP traffic to BGP peers.
Refer to sk114265.
02423514 Unable to redistribute routes as OSPF LSA of Type 1 with manual tag.
Refer to sk115298.
02426496, 02427038 RouteD daemon crashes upon receiving OSPF LSA of Type 10 and Type 11.
Refer to sk115314.
02422231 Traffic outage might occur on VSX Gateway with configured OSPF when adding a new Virtual System (due to a crash of RouteD daemon).
Refer to sk115333.
02454663, 02455061 RouteD daemon crashes with core dump file when a BGP route is configured with an invalid nexthop.
02477031, 02483011, 02477112 RouteD daemon crashes with core dump file when OSPF and more than 90 VTI interfaces are configured on Security Gateway / Cluster.
02660328,
02660955
BGP looses adjacency during failover and generates cores.
Refer to sk121345
02707988 'RTGRTG0019 tclproc: wrong # args: should be "bgp_lookup_ASNumberIPIn ASNumber peerAddr gtype"' error in Gaia Clish when trying to import routemaps for iBGP peer
Refer to sk115140
02692890,
02458287
Some BGP routes are not being advertised after BGP peer reset.
Refer to sk122272
SNMP
01610111

There is no response (no error, no timeout) when querying SNMP 64-bit (High-Capacity) counters in the following scenario:

  1. VSX R77, VSX R77.10, VSX R77.20 that was upgraded to R77.30 using in-place upgrade
  2. SNMP mode was configured to "vs" (Clish command 'set snmp mode vs') before the in-place upgrade to R77.30
Refer to sk105540.
01453316 Check Point VSX OID Branch 1.3.6.1.4.1.2620.1.16 can not be queried per Virtual System. The SNMP response contains the data from all configured Virtual Systems.
Refer to sk90860.
01466618

To query a VSX Gateway / VSX cluster member over SNMPv2 / SNMPv3, the query should be sent to the VSX machine itself (context of VS0):

  • In DMI configuration:
    • In case of a single VSX Gateway, the SNMP query should be sent to the IP address of the DMI interface.
    • In case of a VSX cluster, the SNMP query should be sent to the physical IP address (of the DMI interface) of each cluster member.
  • In non-DMI configuration:
    • The SNMP query should be sent to the physical IP address of the external interface on the VSX machine.
Refer to sk90860.
01398267, 01410549, 01477795, 01400095 If SNMP traps for hardware sensors are configured on Open Server running Gaia OS, then the traps for sensor values outside of the threshold can be sent, even when they are within the threshold limits.
01689724; 01668968 After enabling the SNMP Trap "coldStart" in Gaia OS, it is sent every time the SNMP Agent (SNMPD daemon) is started, regardless of the current system up-time.
Refer to sk107616.
01852762, 01858277 Output of "snmptranslate" command returns different OIDs for objects in "chkpntTrap" branch.
Refer to sk108697.
01899551, 01907792, 01900061 snmpd process might crash with core dump file (due to Segmentation fault) when it exits.
01912362, 01913555 "Wrong Type (should be INTEGER)" errors when querying SNMP OID 'vsxCountersTable' on VSX Gateway.
Refer to sk109469.
02508239 "No Such Instance currently exists at this OID" error message after installing R77.30 Jumbo Hotfix Take_225.
Refer to sk117353.
02696520,
02697170
Captive login portal page is shown in a baby frame of web site.
Refer to sk122257
VSX
01657585
Traffic latency on VSX Gateway if MTU larger than 4096 (Jumbo Frames) is configured on an interface.
Refer to sk110351.
01298013,
01347319,
01356763
The "vsx_util reconfigure" command fails with "Failed to fetch configuration information from <Name_of_VSX_object>".
Refer to sk98001.
01465442,
01436496
An upgraded cluster member goes into Ready state after the reboot, even before the rest of the cluster members are upgraded.
Workaround:
  1. Run cphaprob state command to verify that all the Virtual Systems are in Ready state.
  2. Run ps -elL | grep fwk command to verify that fwk process is running on every Virtual System.
01459867,
01472369
When you create a new bond in Gaia Clish with only two physical slaves, the output of cphaconf show_bond command shows the second added slave as "Not available", and the bond cannot fail over.
Refer to sk105999.
01562612 If a Virtual System is the Hub of a Star VPN Community, it cannot support SmartLSM gateways as satellites.
01548786 The "vsx_util change_mgmt_subnet" command does not support IPv6.
01618097 "vsx_util reconfigure" command on Security Management Server / Domain Management Server fails to resume with "Error: Interface 'Interface_Name' exists in the management database, but not on the gateway".
Refer to sk105441.
01510367,
01615464,
01516504, 01516749,
01519022,
01561476
Pushing VSX configuration fails with "Internal Error - Failed to commit changes in the OS".
Refer to sk103844.
01824410, 01824578 "Bridge uses two different VLAN tags for interfaces. This configuration cannot be used with Active-Active bridge mode" error in SmartDashboard when creating a Virtual System in Bridge mode between interfaces with different VLAN tags.
Refer to sk107972.
01848953, 01853474, 01854369 Issues with FWD daemon on VSX Gateway with Bypass Card (FONIC) installed on the appliance.
Refer to sk108588.
01750204, 01842632 Clients behind a Virtual System configured as Non Transparent HTTP/HTTPS Proxy are not able to connect to any site.
Refer to sk107313.
01721813 New routes configured in Virtual System object are not shown as "Hidden" on Virtual System, which causes VSX internal IP addresses to being published to Dynamic Routing protocols.
Refer to sk109738.
01931909, 01938036 "Illegal routing gateway or interface retrieved from the VSX GW" error in SmartDashboard when creating a new VSX Gateway / VSX Cluster object.
Refer to sk109815.
01868018, 01892596, 01888862;
01959895
Virtual Systems are "Down" after reboot of VSX Cluster Member because FWD pnote and CPHAD pnote are reported as "NOT UP".
Refer to sk110073.
01890990, 01892718, 01946973, 01891329, 01893558, 01908409 Virtual Systems are in "Unknown" state after reboot of VSX Cluster Member.
Refer to sk110074.
02084934, 02086287 "SmartView Monitor error has occurred (error code: 2147483647)" pop-up in SmartView Monitor GUI when viewing data from a VSX Gateway / VSX Cluster Member.
Refer to sk112154.
00892773 VTI interfaces are not supported in VSX mode.
02338729;
02338820;
02338954;
02338696
During policy installation, Virtual Systems on VSX VSLS cluster shortly go to "Down" state due to "Interface Active Check" pnote.
Refer to sk114234.
02032862, 02423243 "vsx_util reconfigure" fails with "Failed to commit changes in the OS.Management interface must have an IP address." error in non-DMI configuration.
Refer to sk115131.
02537316;
02151898, 02103463
Virtual Switches in VSX cluster are shown in "PROBLEM" status in SmartView Monitor without any error message.
Refer to sk112067.
02532554, 02532716
"CLINFR0699 Invalid command" error when a user with read-only Gaia OS role runs the "set virtual-system" command on VSX Gateway.
Refer to sk118693.
02651720, 02656447, 02652003
Traffic outage when rebooting a VSX cluster member in case there is no connectivity to the Management Server.
Refer to sk120842.
00186960 Per Virtual System High Availability or Virtual System Load Sharing (VSLS) requires a physical interface connected to Virtual Switch.
Refer to sk36980
 
LTE
-

FireWall-1 GX is not supported on VSX Cluster.

- FireWall-1 GX is not supported on VSX Virtual System in Bridge mode.
- If the Security Management Server or Domain Management Server manages gateways of earlier versions, and at least one R77.30 Security Gateway with GTP rules, then the GTPMGT license is required. Without this license, policy installation fails.
- SecureXL Templates are disabled starting from GTP rules in the Firewall Policy. To improve the performance of Security Gateway, the GTP rules have to be placed below the rules for traffic that should be accelerated by SecureXL Templates.
For more details, refer to sk32578.
- GTP PDU Integrity Tests (Verify Flow Labels and G-PDU sequence number checks) are not supported in accelerated mode.
For more details, refer to the Firewall-1 GX 5.0 Administration Guide - "GTP PDU Integrity Tests".
- If Carrier Grade NAT (CGN) and traditional Hide NAT are configured, there must not be overlap in the translated packet source address (public IP address). If there is an overlap, policy verification fails.
- Carrier Grade NAT (CGN) is not compatible with R77.30 CoreXL Dynamic Dispatcher and Priority Queues features. If you want to use CGN in rules, you have to completely disable those features with "fw ctl multik set_mode 0" command (refer to sk105261).
- Kernel Syslog supports only Firewall blade logs. Kernel Syslog is not supported for IPv6 logs or Software Blade logs.
01385956 Kernel Syslog is not supported when the R77.30 Security Gateway is managed by R76 Security Management Server with LTE Hotfix.
00754079 When Overbilling Attack Protection is enabled, you must define a rule that allows FW1_sam traffic from the GX object to the Check Point Security Gateway.
For more details, refer to Firewall-1 GX 5.0 Administration Guide - "Enabling Overbilling Attack Protection".
00780056 GTP Bandwidth Management using QoS is not supported.
00752420 When establishing a SIC connection with a newly installed GX 5.0 cluster object in SmartDashboard, the platform version must be manually set to R70.
00773195

When using the IPS and the Full Intra-Tunnel features, GTP traffic may not be inspected.

The workaround is to change the IPS protection scope from "Protect internal hosts" only to "Perform IPS inspection on all traffic":

  1. Double-click on the FireWall-1 GX object in SmartDashboard.
  2. Go to IPS pane (if IPS pane is missing, verify the IPS blade was enabled).
  3. In Protection Scope, select Perform IPS inspection on all traffic and click on OK.
  4. Install the Policy.
When using the default "Protect internal hosts only" mode, the IPS blade inspects traffic from either the Internal to External interface, or vice versa, using the Security Gateway's topology (which is set in the GX object). Since the inner-GTP traffic does not have its own distinct topology settings and rule base, the IPS blade inspects the inner-GTP packet using the GX object's topology settings, which may cause it to skip the inspection. To override this, you must set the "Perform IPS inspection on all traffic" option.
00788268 Full Intra-Tunnel inspection is enforced only on encapsulated IPv4 traffic.
01011519 IPS "Aggressive Aging" protection is not supported by FireWall-1 GX gateway (if you enable IPS blade in FireWall-1 GX object, you must set this protection to "Inactive" in the IPS profile applied to FireWall-1 GX. Otherwise, unexpected behavior can occur).
00829371 SCTP or Diameter objects cannot be the service of a manual NAT rule. Static NAT will still be applied for rules that match SCTP if the service is set to "Any". All NAT methods can be applied for Diameter over TCP traffic if the service is set to "Any".
DLP
01692002,
01560455,
01692033,
01692705

Downloaded file might be bypassed instead of being blocked by DLP in the following scenario:

  • DLP blade is enabled.
  • Threat Emulation blade is enabled.
  • Threat Emulation Connection Handling Mode is set to "Background"
  • Threat Prevention Engine Fail Mode is set to "Allow all connections (Fail-open)"
Refer to sk106421.
01865516,
01868162
Large file not being dropped by DLP, even though it is configured to drop such files due to extreme condition.
Refer to sk108893.
01957541,
01878703
User receive notification "Your emails are about to expire" from Data Leak Prevention. However, there are no e-mails in the DLP portal.
Refer to sk110314.
02535086,
02536889
When Security gateway is enabled with proxy and DLP, HTTP connections to external sites are allowed on Implied rules.
Refer to sk118698.
02693946,
02698363
DLPU sync issue with huge files.
Refer to sk122258
SWG-1078,
PRHF-130,
PRHF-100
Memory leak when DLP works with HTTPS Inspection.
Anti-Virus
01688777,
01689576,
01690566
HTTP 206 "Partial Content" error in SmartView Tracker.
Refer to sk106446.
01749088, 01782611, 01749108 High memory utilization on Security Gateway during Anti-Virus scan of large files transferred over HTTP.
Refer to sk107384.
01856214, 01860237, 01904755 High CPU utilization on Security Gateway during Anti-Virus scan of large files transferred over CIFS/SMB2.
Refer to sk109582.
01728021, 01778247, 01867575 Image Upload button is disabled on ok.ru site when Anti-Virus and IPS are enabled.
Refer to sk109580.
01968370,
01969946
RAD is consuming high CPU with HTTP traffic.
Refer to sk110501.
02488332, 02491746, 02496568 Connectivity to internal mail server fails when Anti-Virus with deep inspection scanning is enabled.
Refer to sk116738.
02496107, 02502978, 02641393;
02653578, 02655762
In rare cases, Security Gateway does not sent "SMTP 554" response when Anti-Virus blade detects an e-mail with malicious attached file.
Refer to sk120841.
Threat Emulation
02070628, 02333285 Threat Emulation logs show "Detect" for e-mail attachments instead of "Prevent" when Threat Extraction blade is also enabled.
Refer to sk115252.
02378836, 02380610 Mail Transfer Agent (MTA) protection bypass.
Refer to sk114664.
01696858, 01697082, 01697348 SmartView Tracker displays e-mail subject as ISO string if it is written not in English.
Refer to sk105164 (Scenario 4).
01714845, 01859125, 01896617 E-mail client receives timeout error, e-mails do not reach their destinations, and SmartView Tracker shows duplicated Threat Emulation logs from a cluster.
Refer to sk109198.
01664717, 01661636, 01705031, 01891039 Files are emulated even though their MD5 is added as 'Exception' to Threat Prevention policy.
Refer to sk109438.
01934518, 01934719 TED daemon affinity is not updated by the "tecli set affinity <num_of_instances> <num_of_ted_cpus>" command.
Refer to sk109818.
01931837, 01935044 "Maximum delay time" setting for Mail Transfer Agent is not applied if the defined value is greater than 15 minutes.
Refer to sk109893.
01983310, 01984463 "Used disk space percent" counter in the $FWDIR/log/emaild.mta.elg log file shows unrealistic large value.
Refer to sk110555.
02019281, 02020285 File download from some web sites over HTTP through Threat Emulation gateway times out.
Refer to sk111136.
02048969, 02049960 Postfix process is not monitored by any WatchDog.
Refer to sk111783.
02351736,
02352719
Threat Emulation / Threat Extraction removes some key characters at the end of each e-mail.
Refer to sk113556
02518836,
02521095
CPD becomes unstable during contract / license entitlement.
Threat Extraction
02447126, 02452339 "An error has occurred while extracting file" log from Threat Extraction blade when it blocks files attached to e-mails.
Refer to sk115892.
02452806, 02454286, 02454288 The "Message-ID:" header of the original email is capitalized differently when Threat Extraction is enabled.
Refer to sk115954.
02541266,
02543053
User connected from mobile phone cannot send original e-mail to their mailbox through UserCheck portal.
Refer to sk118856
02679957 Attachment file name is garbled when using Threat Extraction with Apple Mail.
Refer to sk121800
02687319,
02691461,
02696459
Persistence of UserCheck incidents is not preserved when quarantine time is very high.
Refer to sk122099
PRHF-19,
PRHF-35,
PRHF-45
Threat Extraction incidents are not stored for longer than 15 minutes.
Refer to sk124792
02710284,
02711076,
PRHF-207
Extracted (cleaned) PDF files in Threat Extraction are malformed Tiff images. 
SmartLog
01710875, 01711097 After upgrade to R77.30, SmartLog becomes non-responsive.
The "smartlog_server" process consumes CPU at 100%.
Refer to sk106782.
01725423 SmartLog GUI freezes occasionally, and it is not possible to log in to SmartLog GUI again.
Refer to sk107153.
01854131 SmartLog displays the wrong hostname for a DHCP re-assigned IP. SmartView Tracker shows the correct hostname (corresponding to the user).
Refer to sk108710
01864909, 01865057 "User" column in Global SmartLog GUI shows asterisks "******" instead of "User@Domain".
Refer to sk108771.
01872463, 01872717 Packet Capture hyperlink is missing in SmartLog GUI.
Refer to sk108934.
01935060, 01936585 In some records, the Origin field in the SmartLog is displayed in the 0.0.0.0.x format.
Refer to sk109820.
01984127;
02273694
SmartLog GUI of Global SmartLog does not sort the logs by time when running a query.
Refer to sk112826.
02076718, 02078662 "Server is disconnected!" message appears in SmartLog GUI, and it closes when running a query, or scrolling in SmartLog GUI.
Refer to sk112140.
02443147,
02443623
Some of the entries in fw.log are not displayed in SmartLog.
Refer to sk115698
02515100, 02510942 Cannot select local Security Management in SmartLog's "Servers view" although it is displayed in the list.
Refer to sk117573.
02655801,
02655956
"Xml Parse error" when trying to display Threat Emulation logs in SmartLog.
Refer to sk120982
IPS
02658128, 02658437
IPS blade is automatically enabled on R7X Security Gateway during policy installation from R80.X Management Server, although IPS blade is disabled in the Security Gateway object.
Refer to sk121152.
01707734
  • When Geo Protection mechanism is activated, Geo logs are generated for connections from reserved IP addresses (RFC 1918) (which creates too many logs).
  • Upon Geo Protection match, the "Source Country" field is populated according to the matching country in the rule base and not according to the actual country source IP.
    Countries that are not included in the policy are logged as "OTR" in log's "Source Country" and "Destination Country" fields.
Refer to sk106838.
01817004, 02158447;
01891486, 02158426;
01817044, 02279342
Security Gateway becomes unresponsive and memory consumption increases when HTTP traffic passes through.
Refer to sk109801.
01835506, 01849370, 01884821, 01886146, 01844696 Whith Anti-Virus, Application Control and URL Filtering blades enabled and APPI rule base configured to block "Malware / Malicious sites" with UserCheck message, when downloading Eicar test file over HTTPS, the UserCheck page is not displayed.
Refer to sk109802.
01947356, 01949890 Global IPS Exception for protection "Any" does not work for e-mail traffic.
Refer to sk117397.
02123480, 02128208 DNS traffic is dropped by IPS with log "Attack Information: Bad Resource Record format, Illegal EDNS0 RR".
Refer to sk112578.
02333892,
02336619,
02334787
Outage after IPS database upgrade and install policy.
Refer to sk113251.
01988035, 02300946 Multiple queries in a single DNS Query packet might cause the FWK daemon to crash on VSX Gateway.
Refer to sk115254.
IPS-171 when IPS is enabled, see many "fwconn_chain_is_data_conn" errors messages in dmesg log.
Refer to sk119952
02669417,
02670305 
FWK crashes when malformed DNS packet arrives to the Security gateway.
02725091,
02725301
SCTP traffic dropped by by 'SCTP Unknown Chunk Type'.
Refer to sk123561
HTTPS Inspection
01707909 HTTPS Inspection drops traffic to a web site that uses untrusted server certificate even when the "Untrusted server certificate" is disabled.
Refer to sk107288.
01834487, 01834994 Probe Bypass is initiated on non-SSL connection.
Refer to sk108294.
01827198, 01779781, 01732856, 01980269, 01815535 HTTPS traffic is not routed according to Policy Base Routing (PBR) when HTTPS inspection is enabled.
Refer to sk110690.
02439065,
02439802
Security Gateway crashes with vmcore while creating the report (fw ctl sdstat report\stop ).
02267698, 02465120, 02413999
Some HTTPS sites do not load when HTTPS Inspection is enabled, if TLS 1.2 with ECDHE cipher is used.
Refer to sk112954.
02457781, 02498183
Applications, Dynamic objects and Domain objects are available for use in the HTTPS Inspection policy, but these objects are not enforced on the Security Gateway.
Refer to sk119276.
02669935 Skype for Business not working when HTTPS inspection is enables and Security Gateway is configured as a proxy. Refer to sk121473.
Compliance
- Do not have the ability to create your own Best Practices (resolved by installing R77.30 Add-On).
- Do not have the ability to to manage your own internal policy (resolved by installing R77.30 Add-On).
- Do not have the ability to view Compliance configuration from the SmartDomain Manager (resolved by installing R77.30 Add-On).
- Security Alert notification are not received in the e-mail (resolved by installing R77.30 Add-On).
01749642 Status of Compliance Best Practice "AB105" is "Poor" although "Update Malware database on the Security Gateway" is enabled.
Refer to sk107373.
01817842 Status of Compliance Best Practice "APP103" is "Poor" although "Supports file transfer" block rule is defined under 'Application & URL Filtering' rulebase.
Refer to sk107165.
01957344,
01957675
Compliance Blade shows "N/A" status for various Firewall Best Practices.
Refer to sk110318.
Application Control
01871981, 01875943 FTP traffic speed decreases when Application Control blade is enabled.
Refer to sk109012.
01872944, 01894400;
01907475, 01919574, 01912368, 01919277
Users occasionally are not able to access HTTPS sites when "Categorize HTTPS sites" option is enabled.
Refer to sk109581.
02310196,
02323510,
02334185,
02323506,
02329183,
02330718
When Security Gateway configured as proxy, Skype blocked by Application Control.
Refer to sk113124.
URL Filtering
01861543, 01878274, 01884021, 01885550 Ability to increase the speed of RAD daemon's connection creation/deletion by configuring the number of categorization queries sent by RAD daemon to Check Point cloud in one connection (via parameter RAD_QUERIES_NUMBER_PER_CONNECTION in Check Point Registry).
Refer to sk109474.
01910074, 01972747, 01973174, 01912245 Some HTTPS web sites are not categorized correctly when "Categorize HTTPS sites" is enabled.
Refer to sk110475.
QoS
01938571, 01938659, 01938796 QoS (Floodgate) policy install randomly causes Security Gateway to crash and reboot.
Refer to sk109840.
02516674, 02517802 QoS rule with Time object is enforced one hour later\earlier than time configured after daylight saving.
Refer to sk117893.
02563501,
02567776,
02567790 
No warning is displayed if an empty network group object appears in the source or destination column.
02667570,
02668912

Some QoS log fields are with gibberish.
Refer to sk121476.

QOS-2, QOS-7

QoS policy installation on Security Gateway with more than 1024 interfaces is failing.
Refer to sk134812.

Stateful NAT46
-

These features are not supported for NAT64:

  • VoIP
  • SSL inspection
  • SSL de-multiplexer
  • HTTP header spoofing
  • HTTP proxy
- You cannot use stateless NAT46 for FTP, VoIP or other protocols that require state information between control and data connections
vSEC Gateway for NSX
00631234 Management High Availability and Log Server are not supported on a standalone vSEC Gateway for NSX.
00527267 Performance Pack (SecureXL) Heavy Load Quality of Service feature (HLQoS) is not supported.
00575640 Cloning and templates are supported for vSEC Gateway for NSX Virtual Machine, if:
  • The VM is a newly deployed vSEC Gateway for NSX (immediately following the first boot).
  • You have not yet configured any Check Point products.
  • You have not yet done any configuration steps, such as sysconfig or cpconfig.
00566886 CPU consumption for the vSEC Gateway for NSX might show inaccurate results.
To resolve this issue, reserve CPU resources on the ESX:
  1. In the vSphere client, right click the vSEC Gateway for NSX.
  2. Select Edit Settings.
  3. On the Resources tab, move the Reservation slider to allocate a guaranteed CPU share (in MHz).
00568259 You can configure up to 2 virtual CPUs for the vSEC Gateway for NSX.
Starting from Take_84 of Jumbo Hotfix Accumulator for R77.30, it is possible to configure more than 2 CPUs on vSEC Gateway for NSX.
Check Point Appliances
02192187,
02361143,
02366385
Multi-Queue does not work on 3200 / 5000 / 15000 / 23000 appliances when it is enabled for on-board interfaces.
Refer to sk114625.
02488450, 02490810 Gaia Clish command "show asset all" on 21400 appliance does not show the amount of RAM present and the Power Supply status.
Refer to sk116677.
02758776 Power supply status is 'Dummy' in 'cpstat' output on 5100/5200/5400 appliances.
Refer to sk125573
VoIP
02413299,
02414451
Security Gateway / Active cluster member freezes / locks up randomly when processing H.323 traffic.
Refer to sk114977.
02356285,
02402646;
02057823;
01920648, 02337230
H.323 VoIP call drops after exactly one hour because Keep Alive "ACK" packets are not forwarded to the VoIP clients.
Refer to sk113749.
02398266,
02398945,
02401774
VoIP calls over VPN with destination in Internet fail.
Refer to sk114817.
01557130,
02017992,
01633237
VPN Central Gateway drops SIP RTP traffic between the SIP Call Manager and the VPN Satellite Gateway, where the SIP call was initiated.
Refer to sk111839.
02305365,
02312153
SIP VoIP call is disconnected / stops working several minutes after establishing the connection when SecureXL is enabled.
Refer to sk112913.
01704012 VoIP traffic, or traffic that uses reserved VoIP ports is dropped after enabling CoreXL Dynamic Dispatcher.
Refer to sk106665.
02441588 Avaya VoIP calls with Avaya Call Manager fail through Check Point Security Gateway.
Refer to sk104786.
02490592, 02491121, 02491840 SIP session progress packets are not being NATed.
Refer to sk116739.
02507365,
02507766
Security gateway crashes while handling SIP traffic.
Tools
02475032,
02475513
CPView history shows large number of pps on the interfaces after running cpstop command.
Refer to sk116368.
Anti-Spam
02660987,
02661360
Randomly Anti-spam is dropping email.
Refer to sk121344.
02709578,
02710785,
02711336
When Security gateway is configured as MTA, Anti-Spam blade does not stamp email subjects as 'spam' or 'suspected spam

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment