Check Point R77.30 Resolved Issues

Support Center > Search Results > SecureKnowledge Details

Solution ID	sk104861
Product	All
Version	R77.30
Date Created	19-May-2015
Last Modified	20-Feb-2018

Solution

This article lists all of the issues that have been resolved in R77.30.

Important notes:

To see if an issue has been fixed in other releases, search for the issue ID in Support Center.
For more information on R77.30, see the R77.30 Release Notes, R77.30 Home Page and R77.30 Known Limitations. You can also visit our Firewall and VPN Blades forum or any other Check Point discussion forum to ask questions and get answers from technical peers and Support experts.

Table of Contents

General
Security Gateway
Security Management
Multi-Domain Security Management
SmartDashboard
SmartDomain Manager
SmartProvisioning
SmartEvent / SmartReporter
SmartLog
SmartUpdate
Cluster

DLP
IPS
Gaia and SecurePlatform
Gaia
VPN
HTTPS Inspection
Application Control
URL Filtering
Threat Prevention
Anti-Spam
Identity Awareness

Mobile Access
SNX
Dynamic Routing
SecureXL
CoreXL
SNMP
VSX
VoIP
Check Point appliances

Enter the string to filter the below table:

ID	Symptoms
General
01469332, 01476439, 01431248, 01540945	Check Point update and online services migration to SHA-256 based certificates. Refer to sk103839.
01568676; 01621187	Check Point response to Leap Second introduced in UTC on 30 June 2015. Refer to sk104560.
01569696, 01570266	Check Point response to CVE-2015-0235 (glibc - GHOST). Refer to sk104443.
01602689, 01602914	Check Point response to TLS FREAK Attack (CVE-2015-0204). Refer to sk105062.
01528449, 01531583	Check Point response to TLS 1.x padding vulnerability. Refer to sk103683.
01495114, 01517944; 01045465; 01187625; 01500668, 01510595; 01490480, 01505361; 01466725, 01511136; 01637431, 01517944	Check Point response to the POODLE Bites vulnerability (CVE-2014-3566). Refer to sk102989. Note: All the fixes mentioned in the sk102989 were integrated.
01481407, 01481626; 01487398	Check Point response to CVE-2014-6271 and CVE-2014-7169 Bash Code Injection vulnerability (Shellshock). Refer to sk102673.
01516988, 01552223, 01525773	Security Gateway / Active cluster member might crash rarely when one of the following blades is enabled: IPS, URL Filtering, Application Control, Anti-Bot. Refer to sk104250.
Security Gateway
01433753, 01439099	Security Gateway configured as Proxy occasionally stops processing all traffic. Refer to sk102134.
01430609, 01432668, 01438923, 01450221, 01555515, 01570507, 01585395	Security Gateway with enabled Non-Transparent Proxy causes some sites to no longer function properly because HTTP 'OPTIONS' method is not recognized by the Security Gateway in Proxy mode. Refer to sk102188.
01426380, 01428952, 01556352	Memory leak detection procedure (sk35496) reports a memory leak: `;FW-1: In fw_hmem_report_leaks ;fw_drv_fini: XXX bytes allocated by 'fw_spii_pset_create' leaked at ... ... ... ... ;FW-1: fw_hmem_stat_report: total unfreed hmem allocations: ..., bytes ... ;Starting SMEM alllocations report ... ... ... ;FW-1: Leak in: fw_spii_pset_create: hmem_bytes ... ;Ended SMEM alllocations report ... ... ... ;FW-1: In fw_hmem_report_leaks`
01425391, 01425206	Policy installation on R77 Security Gateways fails with the following errors: `"/opt/CPsuite-R77/fw1/conf/<POLICY_NAME>.pf , line N: ERROR: syntax error ... ... ... "/opt/CPsuite-R77/fw1/conf/<POLICY_NAME>.pf , line N: ERROR: table <auth_services> has no predefined format ... ... ... "/opt/CPsuite-R77/fw1/conf/<POLICY_NAME>.pf , line N: ERROR: table <client_was_auth> has no predefined format ... ... ... "/opt/CPsuite-R77/fw1/conf/<POLICY_NAME>.pf , line N: ERROR: syntax error Error compiling IPv6 flavor. Compilation failed. Operation ended with errors.` UFP IPv6 logs in SmartView Tracker show wrong hit rate statistics. Refer to sk101330.
01407754, 01413708, 01416985, 01425115, 01425120, 01456747	NFS-RPC traffic passes the Security Gateway when there is a rule that contains ALL_DCE_RPC service. Refer to sk101128.
00267452, 01526619, 01535357, 01529160	Security Gateway / VSX Gateway / Cluster member might crash while inspecting multicast traffic. SecureXL does not accelerate multicast traffic. Refer to sk103698.
01321419, 01380507, 01393458, 01412903, 01446442, 01457510, 01488685, 01535858, 01535870, 01570407, 01576250	"funcchain" process frequently crashes with core dump file on Security Gateway. Refer to sk98151.
01513354, 01513406, 01513829, 01513872, 01513875	Security Gateway might crash when IPv6-over-IPv4 security rule is configured, but IPv6 is disabled. Refer to sk103526.
01443734, 01445232, 01446201	IPv6 ICMP traffic is dropped by "0 - Implied Rules". Refer to sk102390.
01445232, 01443734, 01446201	ICMPv6 traffic is dropped by Security Gateway if there is a Firewall rule that contains the ssh2 service. Refer to sk102390.
01433313, 01433710, 01482416	Policy installation fails due timeout on Security Gateway with Broadcom NetXtreme interfaces that use bnx2x driver. Refer to sk101547.
00554859, 01203427	TCP traffic is dropped on "IP options" and problematic IP option could not be found in kernel debug. Refer to sk94085.
01438052, 01442503	Security Gateway might crash during policy installation in rare scenarios. Refer to sk102787.
01409490, 01492561	Memory consumption on Security Gateway constantly increases. Refer to sk103077.
01504351, 01513713	Security Gateway might crash when working with Multi-Portal. Refer to sk104698.
01414168, 01420268, 01414888, 01416219, 01440122	"Fetch Settings From Device: getStaticRoutes - no nextop type found for key X.X.X.X/Y" error in SmartDashboard after adding static routes on a Security Gateway in Gaia Portal. Refer to sk100611.
01530781, 01535296	Security Gateway logs locally and does not attempt to reconnect to Security Management Server / Domain Management Server / Log Server after restart of Security Management Server / Domain Management Server / Log Server. Refer to sk103760.
01246785, 01561569, 01355222	"Installation failed. Reason: Load on module failed, failed to load security policy" error in SmartDashboard when installing policy from Security Management Server R77 (and above) onto Security Gateways R76 and lower. Refer to sk33893.
01516302, 01516817, 01556237	Fetching policy on a DAIP gateway fails with "External interface is not properly defined. Please run cpconfig to define it." Refer to sk103819.
01495958, 01496338, 01496872, 01499687	FWD process on Security Gateway might crash when working with Proxy ARP. Refer to sk103214.
01525172, 01529706	Mounting a directory using NFSv3 over IPv6 through Security Gateway fails because traffic is not matched to the relevant rule. Refer to sk105843.
01502277, 01502277	Improved inspection of CIFS protocol.
01506203, 01506203, 01518764	Improved inspection of RPC protocol.
01433903, 01446782, 01526229	"fw tab -s" command might fail to print the output with "Failed to get table status for .." when there are multiple security rules with numerous Domain Objects. Refer to sk106132.
01407991, 01408863	Client Authentication logs for Single-Sign On are always generated even if "Successful Authentication Tracking" in Client Authentication properties is set to "None". Refer to sk106131.
01432321, 01480962	Memory leak in in.ahttpd daemon.
01462129, 01462555, 01481937, 01598761	Enhancement: Configure ISP Redundancy Link to fail over only when all configured hosts are not answering to pings. Refer to sk102848.
01469476, 01489869, 01523002, 01539690, 01466177	Security Gateway with enabled SecureXL might crash when processing a packet with Multicast Source IP address and Unicast Destination IP address. Refer to sk108818.
Security Management
01446920, 01447343, 01476881	Added debug prints in the FWD process for sending logs to OPSEC LEA clients.
01445077, 01445354, 01576280	Log actions are not filtered by the fw log -c command. Refer to sk101905.
01431881, 01432334	When defining an ICMP service with Type and Code and install it on Cisco router, the ICMP code value is ignored. Refer to sk101500.
01429626, 01431234, 01462250	"IPv6 addresses domain is not supported in Remote Access VPN community" error during policy installation, even though IPv6 is not enabled. Refer to sk101506.
01424794, 01425078; 01189860, 01168429, 01433749	Cannot connect OPSEC log service to Security Management Server running on Windows OS. Refer to sk101398.
01431881, 01432334	When defining an ICMP service with Type and Code and installing it on a Cisco router, the ICMP Code value is ignored. Refer to sk101500.
01507964	The cp_merge policy command overwrites the original policy. The policies should have merged.
01529753, 01531065; 01527202, 01531650, 01530121, 01530122, 01556090	R76 / R77 / R77.10 / R77.20 takes long time to reboot / start Check Point services. Refer to sk103822.
01523349, 01525113	Policy Verification error is not displayed when installing policy on Clusters R75.X and lower with configured IPv6 address. Refer to sk103734.
01575068, 01575106	Threat Prevention policy installation fails: In SmartDashboard with "`Compilation failed`" error. When manually loading the policy under debug, with these errors: `amw_add_key: fread() failed amw_load: amw_add_key() failed amw_load_main: amw_load has failed main: amw_load_main() failed` Refer to sk105783.
01425206, 01425391	Policy installation on R77 Security Gateways fails with errors: "syntax error" and "table has no predefined format". Refer to sk101330.
01395422, 01396110, 01624406	Policy installation fails with "Operation incomplete due to timeout" error. Refer to sk109236 - Scenario 5.
01408654, 01433847, 01501001	During policy installation, SmartDashboard suddenly disconnects; after that Edge devices are not able to connect to this Service Center. Refer to sk103118.
01525314, 01527814	"Failed to update administrator object (Reason: No write permission for object: XXX)" error in SmartDashboard when Administrator with Read-Only permissions tries to change his own password. Refer to sk103738.
01533783, 01535163, 01576237	User" field shows "`* Confidential *`" in logs when connection to OPSEC server is on non-authenticated port (clear port). Refer to sk101570.
01552113, 01554842, 01554870	Special sub-directories in $FWDIR/conf/ are not synchronized between Security Management Servers / Multi-Domain Security Management Servers in HA configuration: `$FWDIR/conf/lists` `$FWDIR/conf/XML` `$FWDIR/conf/vs_repository` `$FWDIR/conf/syslog` `$FWDIR/conf/snmpTrap` `$FWDIR/conf/recovery` Refer to sk104298.
01520619, 01521546	"The Converter failed to convert policy. Possibly wrong policy name." error in SmartDashboard during policy installation on Edge device: After creating rules with new R77.20 DHCP / DHCP Relay services per sk98839 (dhcp-request and dhcp-reply), policy installation on Edge device fails with: Firewall and Address Translation Policy Verification: Failed during authorization_domains_list convertion Verifier warnings: The Converter failed to convert policy. Possibly wrong policy name. "Name_of_Policy" Policy installation under debug per sk60745 (fwm -d load -S ...) shows: dhcp-reply Protocol type is not supported in Backward Compatibility mode Security Policy Verification Errors/Warnings: The Converter failed to convert policy. Possibly wrong policy name. "Name_of_Policy" Policy verification failed. ... ... ... dhcp-reply Protocol type is not supported in Backward Compatibility mode Objects conversion failed. Conversion failed. Refer to sk57840 - "Scenario 7".
01493176, 01493994	Changes in Administrator password and allowed GUI clients are not synchronized in Management HA deployment. Refer to sk103053.
01492692, 01492806, 01526283	"router_load -cisco" command wrongly shows "Download was successful" although it was not able to connect to Cisco OSE device (e.g., user does not have permissions to folder "/tftpboot"). Refer to sk102996.
01429626, 01431234, 01462250	"IPv6 addresses domain is not supported in Remote Access VPN community" error during policy installation, even though IPv6 is not enabled. Refer to sk101506.
00740016, 01459891, 01521269, 01433486	Policy verification does not warn about rules containing Address Ranges. Refer to sk102627.
01475712, 01477031	FWM process frequently crashes due to memory leak on the Security Management Server. Refer to sk106289.
01424274, 01424395	Policy installation on Identity Awareness gateway with defined IPv6 address fails with "ERROR: forward declaration of table was not completed". Refer to sk101396.
01416668, 01416792	"Failed to fetch the file" message when trying to open packet capture in SmartView Tracker log that was sent from VSX Gateway.. Refer to sk101210.
01457310, 01457392, 01474470; 01340727, 01392488	Sync with User Center in SmartDashboard (per sk94064) fails with "Internal Error: Failed to complete licensing information operation". Refer to sk102186.
01459576, 01459702	"User" field in SmartView Tracker logs is masked with stars ****** even though this field is empty. Refer to sk102251.
01459091, 01459410, 01657107, 01502815	"Warning: The IP address of the license does not match the IP address of the host" during policy installation or database installation. Refer to sk105358.
Multi-Domain Security Management
01548875; 01569400, 01571447	mds_backup fails with one of these errors: `Variable name too long` `-: No such file or directory` Refer to sk104107.
01530792, 01531872	When running the mds_backup using "mds_backup -g -L best -d /var/backup/files -b -l >> /var/backup/mds_backup.log" command, the procedure is stuck at "Releasing all databases". Refer to sk103741.
01421195, 01421714	Status of Multi-Domain Security Management is shown as "Disconnected" from the High Availability Multi-Domain Servers. Refer to sk101234.
01453094, 01453136	Global Policy fails to install due to a large number of target gateways.
01523435, 01523571	Pushing VSX configuration fails with "Domain Management Server <NAME_of_DOMAIN> is not responding". Refer to sk103616.
01471409, 01473195	"shell-init: could not get current directory: getcwd: cannot access parent directories" error during upgrade from SecurePlatform to Gaia. Refer to sk103843.
01446678, 01449567, 01450004	High memory and CPU usage of all Multi-Domain Management servers in multi-site environment. Refer to sk101830.
01452092, 01453486	After upgrading the MDS, Domain Manager user no longer can log into Global SmartLog GUI: "The connection to Multi-Domain Server 'x.x.x.x' has been refused because the database could not be opened". Refer to sk105401.
01447813, 01447873	When reassigning/assigning/installing Global Policy in SmartDomain Manager and checking the box 'Install last Advanced Security Policy on all Gateways of assigned Domains', the following errors are displayed about VSX Virtual Systems in Bridge Mode: `Name_of_Target_Domain : Starting Advanced Security Policy Installation Process Name_of_Target_Domain : Advanced Security Policy Installation aborted - no candidates to install on Name_of_Target_Domain : Target (Name_of_Virtual_System) - no policy is installed on this module. Can't select a policy to install` Refer to sk65321.
01476521, 01476560; 01435766; 01422537, 01423420	"Unspecified error" or "Failed to create a new version" error in SmartDashboard during policy installation and/or when creating a new Database Revision Control version. Refer to sk103407.
01488725, 01488755	After changing the administrator's Authentication Scheme from 'Check Point Password' to 'OS Password' with the 'mdscmd setadminauth <ADMIN_NAME> os' command, administrator is still able to authenticate in SmartDomain Manager with 'Check Point Password'. Refer to sk102946.
01473624, 01619573, 01622756, 01474743	FWM process in context of MDS consumes CPU at 100% on all Multi-Domain Management Servers / Multi-Domain Log Servers. Refer to sk105139.
01433686, 01433688, 00750155, 00747320, 00753738, 00782482, 00829978	"No license for FloodGate-1 Management" error when installing QoS policy from R75 Domain Management Server. Refer to sk69723.
01475120, 01475739	Gateway object Link Selection redundancy settings are not preserved when converted to Global object.
01606313, 01606356, 01672563, 01674054	"mdscmd" command with "-i" option fails to resolve the Domain Management Server Name by IP address. Refer to sk105172.
01538298, 01538331	The "mdscmd adddomain ..." command / "mdscmd addlogserver ..." command creates Domain Management Server / Domain Log Server with wrong build number - as a result, SmartDashboard shows "R77" version instead of the real version "R77.10" / "R77.20". Refer to sk103958.
01441367, 01441431, 01805702	Login to an external SmartLog server GUI with MDM accounts fails with "`Authentication failed`" error. Refer to sk101677.
SmartDashboard
01447215	Enhancement: The SmartDashboard shows a warning ""This is restricted environment, access is allowed for authorized administrators only"" prior to the Administrator session establishment. Refer to sk102665.
01426687, 01431408, 01466682	"`Failed to launch the application`" error when right-clicking on a Log Server in the SmartDomain Manager to launch the SmartView Tracker. Refer to sk101507.
01393866, 01398958	SmartDashboard allows spaces in the name of Cluster Virtual interface. Refer to sk100470.
01445522, 01448852, 01450594	Less results when using Objects list in SmartDashboard to search an object by typing all or a part of its name. Refer to sk101908.
01429170, 01444105, 01429397	Not possible to select a specific user when editing / creating an Identity Awareness Access Role in SmartDashboard: open Identity Awareness Gateway object - go to "Identity Awareness" pane - check the box "Identity Agents" - click on "Settings..." button - go to "Authentication Settings" section and click on "Settings..." button - in "Users Directories" section, check the box "LDAP users" - select "Specific" - click on the green [+] to add a user - a red [X] is displayed for for all AUs, and users are never shown.
01399656, 01400353	Changes are not saved in "Threat Prevention" tab - open "Traditional Anti-Virus" - open "Security Gateway" - open "Mail Protocols" - click on "Mail Anti-Virus".
01444480, 01445833	The "Comment" section in the Application Control policy does not show all lines. Refer to sk101906.
01522265, 01522660, 01523578	Anti-Spoofing setting changes to "Undefined" when a VSX cluster object is edited in SmartDashboard. Policy installation fails with error: "The Topology information must be configured for object <Object Name>, interface <Interface Name>, in order to use the Anti-Spoofing feature". Refer to sk92646.
01433872, 01434077	Cannot clear the options 'Timeframe' in 'Hits' column of rulebase. Refer to sk101586.
01425798, 01426437	Incorrect time in the administrator notification state in SmartDashboard. Refer to sk101426.
01415750	Query Syntax for the Firewall Policy to show rules that contain "Any". Refer to sk101061.
01110639, 01414949	SmartDashboard fails to get IPS updates when a proxy server is configured via Group Policy. Refer to sk98078.
01407037, 01408005, 01460140	Checking the box "Automatically authenticate users from machines in the domain" is not saved in Identity Awareness settings. Refer to sk100789.
01458255, 01458503	Checking the box "Turn on QoS Logging" is not saved in Centrally Managed 600 / 1100 / Security Gateway 80 object. Refer to sk102046.
01424705, 01426225	"Some URLs are invalid and therefore were not added" message in SmartDashboard when importing URLs from a CSV file. Refer to sk101338.
01456672, 01456938	GuiDBedit Tool crashes on every search or double-click on any object. Refer to sk116863.
01475618	SmartDashboard becomes unresponsive when navigating in the policy with SmartWorkflow blade enabled..
01456659, 01456848, 01570096	After renaming the Interoperable Device object, pre-shared secret disappears from the object. Refer to sk102170.
SmartDomain Manager
01475299, 01476322	SmartDomain Manager crashes when attempting to connect to Multi-Domain Security Management Server.
SmartProvisioning
01518762, 01520311	Edge devices managed by SmartProvisioning connect to wrong VPN community after policy installation. Refer to sk105683.
01439666, 01446485, 01449094, 01449266, 01461149, 01541541, 01556316	1100 Appliances managed by SmartProvisioning get wrong VPN certificate. Refer to sk102033.
01443735, 01444059	SmartProvisioning design flaw when editing Office Mode interface in Edge configuration. Refer to sk101868.
SmartEvent / SmartReporter
01412839, 01413746, 01441222, 01456781, 01553039, 01657422	"No relevant data found to generate report" message when generating one of the reports listed: "Endpoint Security VPN Users Activity" "Successful Logins" "Login Failures" "Login Activity" Refer to sk100966.
01448260	"Validation error in field "corr_unit_list" of element #1 at object "OnlineJob" @ "Eventia Jobs"" when trying to select an object as the SmartEvent Log Server. Refer to sk103533.
01431846, 01431972, 01491280, 01477751	DLP events are not created in SmartEvent even though there are DLP logs. Refer to sk101491.
01558556, 01559070	.NET error "System.ArgumentOutOfRangeException: Value of 'XXX' is not valid for 'Value'. 'Value' should be between 'Minimum' and 'Maximum'" in SmartEvent GUI when accessing 'Policy' menu - 'Database Maintenance' after increasing the size of the SmartEvent database to more than 1 TB per sk69706 and installing the Event policy. Refer to sk104241.
01408259, 01415653	SmartEvent reports for AD groups do not show all users. Refer to sk101509.
01450736, 01453019, 01473184, 01479259, 01502583	Configuring SmartEvent to work with LEA server on different ports with different authentication methods. Refer to sk101928.
01477749, 01477950, 01502255, 01546478	SmartEvent dialog box is empty when working with 'Top Users' widget on 'Application & URL Filtering' tab in SmartDashboard. Refer to sk102629.
01466229, 01466876, 01466862	Some reports are missing in SmartEvent GUI on 'Reports' tab when logging in from Domain Management Server. Refer to sk102272.
01474354, 01474971	postgres process on SmartEvent server consumes CPU at high level. Refer to sk102660.
01572885, 01573246	SmartReporter fails to generate report for selected hours with "ERROR: syntax error at or near ','LINE 1: SELECT MOD(((EXTRACT(HOUR FROM , SUM(...". Refer to sk105840.
01496232	Application Risk events in SmartEvent show lower levels of risk than what is defined for the application.
00639626; 01460348. 01460558	After creating a report, it is not possible to view the results in SmartReporter GUI and an error message is displayed. Refer to sk61180.
01473131, 01473192, 01503175, 01584670	Generation of user activity report while filtering on application fails. Refer to sk102655.
01490072, 01490633	"`Object name contains space`" warning when adding a Log Field to a Filter in SmartEvent GUI. Refer to sk112992.
SmartLog
01431950, 01432243	When using a special Permissions Profile, the username of an administrator that viewed the DLP 'Incident' logs in SmartLog GUI is not logged in the 'Management' ('Audit') logs in SmartView Tracker. Instead, the value 'localhost' is displayed in the 'Admin' column of the 'Management' ('Audit') logs. Refer to sk101528.
SmartUpdate
01458259, 01459317, 01463006	SmartUpdate does not allow to upload files to Check Point Service Requests that start with digit "5". Refer to sk102133.
01470728, 01471607	Contracts update from the User Center in SmartUpdate fails with "Could not fetch contracts from User Center" error on coomputers with SecureClient installed. Refer to sk102429.
01483090, 01489826	cpinfo generation via SmartUpdate with "add log files" option fails. Refer to sk102826.
Cluster
01564004	Cluster Global ID, configurable in First Time Wizard and persistent after upgrade, resolves issues when multiple clusters are connected to the same network segment. Refer to sk25977.
01444923, 01447368	Proxy ARP entries for Automatic NAT rules are not written to the ARP table on VRRP Cluster. Refer to sk101907.
01438669, 01447467	CCP transmission mode (multicast, broadcast) is not persistent across a CPUSE upgrade. Workaround: After the CPUSE upgrade is completed, set the desired CCP transmission mode per sk20576 (with "cphaconf set_ccp <multicast\|broadcast>" command).
01496890	Starting in Gaia R77.20 and Gaia R75.47, the $FWDIR/conf/discntd.if file is not needed anymore. An interface, which is not part of the cluster topology is treated as "disconnected". Refer to sk69180.
01462163, 01465843, 01577576	Simultaneous ping to IPv6 addresses of cluster members and to Cluster Virtual IPv6 address does not work. Refer to sk102235.
01434159, 01440652, 01554504, 01600743	ClusterXL administrators cannot suppress the messages printed by the Cluster Under Load (CUL) mechanism (see sk92723) in the /var/log/messages file and in the dmesg. Refer to sk101649.
01401092, 01404180, 01473298, 01501607, 01614412, 01621354, 01625365	RouteD daemon might consume CPU at very high level on ClusterXL member running Gaia OS, when there are issues with cluster sync interfaces. Refer to sk102737.
01312467, 01354117, 01472107, 01461376	Although CCP mode is set to Broadcast, Delta Sync packets are sent over Sync interface(s) as Multicast. Refer to sk101132.
01444902, 01445205, 01568063	ClusterXL interfaces are not displayed correctly in SmartView Monitor. Refer to sk101891.
01449608, 00267074, 01510489	Random failovers in VRRP cluster with configured BGP on Gaia OS. Refer to sk102006.
01434159, 01440652	Suppress the Cluster Under Load (CUL) messages in the /var/log/messages file and in the dmesg. Note: Must set the value of kernel parameter fwha_enable_cul_logging to 0. Refer to sk101649.
01394541, 01481322, 01394737; 01392662, 01495372, 00267059	Standby cluster member with enabled SecureXL drops packets on Anti-Spoofing when VMAC mode is enabled. Refer to sk100405.
01489439, 01509596, 01510332	VRRPv3 cluster on Gaia OS goes into Master / Master state after failover is initiated over IPv6 links. Refer to sk102850.
01443738, 01495302, 01560272, 00267123	RouteD process (routed -N) consumes CPU at 100% on a cluster member running Gaia OS. Refer to sk102436.
01516713, 01546299, 01546302, 01547500, 01582543	RouteD daemon might consume CPU at high level on Standby / VRRP Backup cluster member running Gaia OS. Refer to sk105863.
01544799, 01545225, 01644686	Some interfaces are missing in the output of "cpstat -f all ha" command on VRRP / OPSec cluster members running Gaia OS compared to the output of Clish command "show vrrp summary" and output of Expert command "cphaprob -a if". Refer to sk105868.
01532706, 01536326, 01651492, 01653126, 01655747, 01656044	RouteD daemon might crash on Gaia VRRP cluster member if a fail-over is triggered on an interface with VLANs. Refer to sk105957.
00264335, 00266279	Output of Gaia Clish command "show vrrp summary" might incorrectly show "VRRP: VRRP not enabled" during VRRP failover in Gaia VRRP cluster. Refer to sk112614.
01415023, 01432373	State of R77.10 / R77.20 ClusterXL member changes to "Down" due to Critical Device "Interface Active Check" in the following scenario: Monitoring of the lowest and highest VLANs is enabled (default; fwha_monitor_low_high_vlans=1) A new VLAN is added on the ClusterXL member with VLAN ID, which is lower/higher than any existing VLAN ID Refer to sk106776.
01476281, 01477456, 01515235, 01593791	After fail-over in VRRP cluster, the connection to VRRP VIP address is wrongly NATed (folded) to the physical IP address of previous Master member (now Backup member) instead of being NATed to the physical IP address of new Master.
DLP
01563293, 01570131, 01570138	DLP is not enforced on Korean language. Refer to sk102548.
01517177, 01280494, 01511668, 01530458; 01522782, 01530038	"DLP Recipients" field in DLP log contains truncated e-mail addresses. Refer to sk103635.
01384209, 01394596	DLP Gateway occasionally hangs/freezes due to crash of 'fwdlp' process. Refer to sk100407.
01495884, 01496456	DLP Gateway might crash during DLP session. Refer to sk103070.
IPS
01402677, 01502447, 01554541, 01409267, 01657016	DNS 'NOTIFY' (Zone Change Notification) packets are dropped by the IPS blade with SmartView Tracker log "Non Complaint DNS - Illegal number of Resource Records".
01424004, 01430984, 01432213, 01457549, 01467431, 01468837, 01481392, 01493902	RTSP over HTTP traffic might cause high CPU load on Security Gateway when HTTP inspection on non standard ports is enabled. Refer to sk103113.
00508495, 01087845, 01573511, 01573552, 01433163	Security Gateway with enabled IPS blade might crash in "cmi_context_get_status ()" function. Refer to sk104642.
01473260	Permanently setting the desired value of kernel parameter fwpslglue_log_ctrl in the $FWDIR/boot/modules/fwkern.conf file does not survive policy installation or reboot - the value is reset to default value. Refer to sk63160.
01481858, 01481996, 01498296	'Follow Up' flag disappears from IPS logs in SmartView Tracker. No logs are shown in SmartView Tracker - 'Network Security Blades' - 'IPS Blade' - 'Follow Up' view. Refer to sk102733.
01465073, 01472536, 01473776	Windows OS updates traffic is rejected by IPS blade with "Block HTTP Non Compliant - Failed to handle connection data". Refer to sk102671.
01412270, 01493901, 01451658	Kernel debug 'fw ctl debug -m WS + stream' (and 'fw ctl debug -m WS all') causes high load on CPU, which might cause the machine to freeze. Refer to sk103111.
01488103, 01560056, 01511647	IPS protection "TCP Off-Path Sequence Inference" drops TCP packets originated by Security Gateway. Important Note: The default value of kernel parameter psl_offpath_allow_local_packet is 1 (one). Refer to sk104637.
Gaia and SecurePlatform
01401927, 01610334, 01402267	Security Gateway on Open Server using the be2net NIC driver might crash.
Gaia
01434138, 01445642, 01492259, 01601885, 01614909	"syslogd: local sendto: Invalid argument" error in /var/log/messages file. Refer to sk83160.
01398138, 01400820	Usage of a relative FTP path in the backup wizard can cause errors. A comment was added to the Gaia Portal: "You should use full server side path to remote directory, e.g. /var/log/CPbackup/backups/".
01530077, 01531603, 01614907	Date stamp in R77.20 Gaia backup file was set to "DD_MMM_YYYY_HH_MM". Now it is derived from the Clish "set format date" setting. Refer to sk104106.
01527601, 01529778	In the Gaia Portal - Network Management pane - Network Interfaces configuration, when editing a slave interface, which is shown on a different page from its parent Bond interface, the "IPv4" tab and "IPv6" tab are not grayed out (although they should be). Refer to sk105839.
01502687, 01502803, 01505698; 01513530, 01513706; 01513535, 01513704	VMCORE dump file is not created correctly on a machine that has more than 4GB of RAM and runs Gaia OS with 32-bit / 64-bit kernel: In Gaia OS with 32-bit kernel: VMCORE dump file created during the crash is incomplete - its size is only 1.9 GB In Gaia OS with 64-bit kernel: VMCORE dump file is not created during the crash Refer to sk103328.
01574444, 01575917, 01581226, 01594203, 01595732; 01600184, 01603889, 01605966	confd process consumes CPU at high level on Gaia OS due to large size of Gaia Database (/config/db/initial_db). Refer to sk104761.
01149077, 01150321, 01150322, 01150323, 01288447; 01149080, 01150324, 01150325, 01150327, 01288450, 01540885, 01545648	Issues with default routes via PPPoE interfaces on Gaia OS: All default routes are deleted when running multiple PPPoE tunnels and one PPPoE tunnel disconnects. Multiple PPPoE tunnels with the same peer address cause RouteD daemon to exit (e.g., two PPPoE tunnels receive the same peer address from the ISP, who is not willing to change such configuration). The following message appears in /var/log/messages file: `routed[PID]: if_get_address: duplicate address detected: X.X.X.X/Y` Refer to sk92948.
01433011, 01661885, 01433334, 01516391	"sudo: sorry, you must have a tty to run sudo" error upon SCP connection to Gaia OS using RADIUS user with default shell /bin/bash and uid=0 on the involved Gaia OS. Refer to sk106044.
01482873, 01487355	Scroll stops working in Gaia Portal on "Network Interfaces" page inside the table with interfaces. Refer to sk102799.
01426068, 01426160, 01445202, 01452026, 01469580, 01473270, 01500557, 01507021, 01513212, 01515176, 01515237	After reboot, Gaia system loads without Clish and without static routes. Refer to sk101501.
01489986, 01490967, 01493295, 01495178, 01496126, 01496169, 01497490, 01499306, 01499337, 01499340, 01499343, 01502649, 01502699; 01493150	New law in Russia regarding Daylight Savings Time 2014. Refer to sk103054.
01488900, 01491395, 01505055	"tcpdump" / "arp" (and other) commands do not work when authenticating with RADIUS user, even if user is SuperUser on Gaia OS (UID 0). Refer to sk105175.
01467555, 01468600, 01614910	When running Clish command "show configuration", user is sometimes logged out from Clish / SSH / console. When running in Expert mode command clish -c "show configuration", user is not logged out, but the command does not produce any output. When running Clish command "save configuration <filename>", the command fails with "glibc detected" error, and only a part of the configuration is saved in the <filename>. Refer to sk113266.
01423170, 01423468, 01437168, 01569853	"Authentication failure" error when authenticating with TACACS user that has special characters in his password. Refer to sk101332.
01471255, 01475263, 01496788	Gaia Clish is very slow when making any changes in Gaia OS configuration. Refer to sk102994.
01381595, 01385234, 01513659	RADIUS secret can be seen in Gaia Database - /config/db/initial file. Refer to sk99039.
01430788, 01431074	Configuring an interface in Gaia Portal to obtain an IP address from DHCP causes all other interfaces with configured static addresses to lose their current IP addresses and also obtain an IP address from DHCP. Refer to sk101513.
01530022, 01531035	Clish command "show asset all" returns incorrect Chassis and Motherboard information on 21000 appliances. Refer to sk103711.
01502473, 01503130; 01502711, 01503132	IPv6 traffic from some hosts stops passing randomly through the Security Gateway / Active ClusterXL member running Gaia OS. Refer to sk103226.
01488429, 01489353	Intermittent outages of TCP traffic on 10GbE interfaces in IP Appliances running Gaia OS. Refer to sk102969.
01509559, 01510315	RouteD daemon might crash when running routing commands in Gaia Clish. Refer to sk103432.
01402294	syslog messages forwarded by Gaia OS to an external Syslog server do not contain timestamp. Refer to sk100727. Note: Additional fix for timestamp format is required (Issue 01711921).
01442598, 01443242	A user created in Gaia Portal with '/bin/bash' shell and 'monitorRole' role gets admin permissions upon login - this user is able to execute any command in Expert mode and in Clish. Refer to sk101650.
01383404, 01403777, 01408257, 01414106, 01419203	Intel X520-2 NICs (8086:10fb, 8086:0003) are not recognized by Gaia OS in 64-bit mode - output of Expert command 'ifconfig -a' or Clish command 'show interfaces' does not show these interfaces. Refer to sk101412.
00267458, 01526068, 01539200, 01563854	Gaia IP Broadcast Helper does not forward Directed Broadcast traffic. Refer to sk103963.
01414789, 01414851	User authenticated by TACACS, does not see the 'Blades' and 'Network Configuration' widgets on Gaia Portal's "System Overview" page. Refer to sk101088.
01354491, 01394076, 01394990	Output of Clish command "show configuration rba" shows that "readonly" roles have "readwrite" features. Output of Expert command "grep roles /config/active" shows that roles only have the defined "readonly" features. Refer to sk104009.
01577790, 01578357	syslog daemon crashes after enabling 'Send Syslog messages to management server' in Gaia Portal. Refer to sk113266.
01570045, 01570872, 01612421	Output of "raid_diagnostic" command shows "State:MISSING" for one of hard disks on Check Point Appliance with RAID / Open Server with RAID. Refer to sk104580.
01469180, 01494277, 01502550, 01578108	After adding scheduled backup (add backup-scheduled) and setting scheduled backup (set backup-scheduled) in Gaia Clish, the command show backup-scheduled NAME returns: `The scheduled backup is performed localy. The backup is not scheduled` Deleting the scheduled backup in Gaia Clish (with '`delete backup-scheduled NAME`') does not delete its cron job - output of Expert command 'crontab -l' still shows the deleted scheduled backup (as '`/bin/scheduled_backup NAME`'). Refer to sk104878.
01429934, 01431285	In Gaia Portal, Link Status of VLAN interface defined on Bond interface does not change when the Link Status of Bond's physical slave interfaces changes. Refer to sk101514.
01428735, 01432295, 01432973, 01518522, 01553076	Changes made in the value of 'vmalloc' in the /boot/grub/grub.conf file on Gaia OS do not survive reboot. Refer to sk103506.
01410324, 01410662, 01571828	User is not able to connect to Gaia Portal after enabling Federal Information Processing Standards (FIPS) compliance in Windows OS. Refer to sk100994.
01445836, 00267031, 01465986	/var/log/messages file on Gaia OS repeatedly shows: routed[PID]: ifa_unnumbered_find_proxy: no proxy interface found. Refer to sk101899.
01547769, 01550478	Gaia Portal crashes with error "Unable to connect to the server. Press OK to reconnect." when TACACS / RADIUS user with "adminRole" privileges changes "Roles" settings in Gaia Portal. Refer to sk91420.
01458064, 01519461, 01355465	"cp_ipaddrs:SIOCGIFCONF failed: Bad address" error when starting a user mode process under valgrind on Gaia OS 64-bit. Refer to sk103768.
01515984, 01516394	NTP synchronization does not work when using FQDN of the NTP server instead of IP address. Refer to sk104819.
01493236, 01510892, 01493666	Output of top command shows that monitord and confd processes consume CPU at 100%. Refer to sk102988.
01396067, 01397262	Login to Gaia Clish fails with "CLINFR0819 User: admin denied access via CLI" after clean installation. Refer to sk100418.
01517800, 01520211, 01520218, 01520221	"Gaia Web-UI recognized a non-valid input data" error when adding SNMP Trap receiver in Gaia Portal. "NMSSNM0025 Community names cannot contain spaces or special characters" error when adding SNMP Trap receiver in Gaia Clish. Refer to sk107513.
01400893, 01401536, 01406408, 01521366	Hosts connected to a Gaia machine with enabled DHCP Server do not receive IP addresses. Refer to sk100545.
01445570, 01445768, 01459433	Gaia command config_system (sk69701) does not complete the configuration: Configuration of Security Management Server product / Log Server product Configuration of Default Gateway on Gaia OS Configuration of SmartEvent Server product and Correlation Unit product Refer to sk101712.
01458160, 01461805, 01470402, 01510462, 01511898, 01512051	Output of "ps auxw" command after reboot shows multiple "clishd" processes in state "Z" (zombie) with "defunct" arguments. Refer to sk105953.
01521745, 01522591, 01647302	"Nothing needed to be done" is returned when running "set user <username> lock-out off" command in Clish to unlock a user that has been locked out per the "Deny Access to Unused Accounts" configuration. Refer to sk103596.
01474647, 01499686, 01496521	RouteD daemon crashes due to memory leak in a Cluster with exactly two members when RouteD sync connection is re-established by the Standby cluster member.
01558083, 01559220	The output of the "ss -a" command does not show all ports and their current state. Refer to sk104245.
01499739, 01500368, 01652671, 01658690	"syslogd" daemon crashes after reboot of Gaia OS. Refer to sk103254.
01576134, 01585104, 01585189, 01613901	"RTGRTG0019 tclproc: can't read "Part_Of_Password_After_$_Character": no such variable" error in Gaia Clish after entering OSPF secret that contains "$" character(s). Refer to sk106305.
01406917, 01407062	State of VLAN interface that was created on Bond interface and was administratively set to "Down", is changed to "Up" after adding a comment on the Bond interface. Refer to sk100788.
01537857, 01842664, 01547505	Gaia Portal - "Network Management" section - "Network Interfaces" page might get stuck (does not load entries) if multiple interfaces (several dozen) are configured. Refer to sk108435.
VPN
01540656	Enhancement: Policy Installation shows a warning if there is a VPN community with a weak encryption algorithm: "Community <COMMUNITY_NAME> is configured with the <ENCRYPTION_ALGORITHM> algorithm in IKE\|IPsec Security Association ("<PHASE>"), which provides weak confidentiality." Where the following encryption algorithms are considered weak: DES DES-40CP CAST CAST-40 NULL
01413687, 01419272	Enhancement: Print all Visitor Mode clients, their IP addresses and usernames. Refer to sk106139.
01368629, 01443028	To comply with new Federal Information Processing Standards (FIPS) standards, certificates are no longer signed using a hash algorithm weaker than SHA-256.
01450978	To comply with new Federal Information Processing Standards (FIPS) standards, only the following symmetric encryption algorithms are allowed on Security Gateway (if other algorithms are configured, then policy installation will fail): IKEv1, IKEv2: AES-GCM-128, AES-GCM-256, AES-CBC-128, and AES-CBC-256 ESP: AES-GCM-128, AES-GCM-256, AES-CBC-128, and AES-CBC-256
01404026, 01404567, 01556384, 01571967	The SSL Network Extender VPN portal is available on port 444 in clear. Refer to sk100646.
01503050, 01907907	Improved IKEv2 exchange.
01424048, 01424181, 01466269, 01520616, 01528345, 01554579, 01602916	Memory consumption on VPN Gateway constantly increases. Refer to sk102267.
01532401, 01539196, 01560781, 01621047, 01621087	Remote Access clients that authenticate with username and password, cannot connect to Security Gateway working in Hybrid Mode if it does not have an ICA and uses 3rd party certificate. Refer to sk105566.
01500432, 01519542, 01552227, 01552900; 01585429, 01600788, 01600951	VPN tunnel can not be established / no traffic passes when SHA-384 is configured for data integrity. Refer to sk104578.
01430907, 01432266	Policy install during link probing session sometimes causes VPN outage. Refer to sk101532.
01401345, 01401349, 01469398	A peer gateway in a Site-to-Site VPN that is the NAT-T responder cannot work with IKEv2.
01456238, 01595992	A Security Gateway with dual stack (IPv4 and IPv6) cannot work with a Cisco router in a Site-to-Site VPN.
01406280, 01571331, 01571340	L2TP authentication with a machine certificate sometimes fails on Windows client.
01078280, 01361857, 01377165, 01629560	Office Mode IP addresses are not correctly released from the DHCP Server.
00650516, 01287519	IKE Phase 1 with DAIP device fails after IP address of DAIP device was changed. Refer to sk101911.
01231095; 01478729, 01479380	"Failed to allocate an IP address" error when using ipassignment.conf file to assign Office Mode IP address. Refer to sk95088.
01466380, 01466599	No logs are shown in SmartView Tracker when selecting 'Link Selection' or 'Permanent Tunnels' in 'VPN Feature' filter. Refer to sk102332.
01269753	Traffic sent over VPN tunnel does not reach its destination because SecureXL does not start fragmenting the packets. Refer to sk98070.
01468444, 01469027	IKE fails with message "Traffic Selector Unacceptable" if there are more than 255 Traffic Selectors. Refer to sk102437.
01395684, 01402909	LDAP user fails to connect with Remote Access clients - error "Failed to download Topology". Refer to sk100466.
01511779, 01536687, 01556032	VPND daemon crashes every ~30 minutes on Security Gateway due to memory leak. Refer to sk105841.
01493720, 01513252, 01551056	VPND daemon might crash during SSL handshake. Refer to sk104474.
01469093, 01469743, 01556273	VPND daemon might crash during logging.
01455936, 01456884, 01571134	Authentication to SNX / CheckPoint Mobile VPN with 3rd party certificate fails. Refer to sk33319.
01340539, 01592300, 01369908	Some Remote Access users are not able to connect to large Remote Access VPN Communities. Refer to sk105181.
01464632, 01465318	Client configured with always_connect enabled tries to reconnect even though certificate revoked or expired. Refer to sk102408.
01395232, 01396707; 01532845, 01579042, 01535285	The vpn tu command shows the real IP address when using the command to show the tunnels, but when using one of the delete commands, it does not accept the real IP address to delete the tunnel. Refer to sk100346.
01474694, 01558870, 01559881, 01559938, 01580640, 01606476; 01463675, 01559835, 01559883, 01559932, 01580632, 01606626, 01654788	Remote Access VPN clients are not assigned their static IP addresses configured in $FWDIR/conf/ipassignment.conf file, but from a general Office Mode IP Pool. Refer to sk105162.
01434100, 01479667, 01437953	Check Point Security Gateway is not able to establish VPN tunnel correctly with Edge cluster after failover if Edge devices are managed by SmartProvisioning. Refer to sk101680.
01453022, 01602039, 01453615, 01556311	Kernel memory leak detection procedure sk35496 shows memory leak in fwmspi.c: `;Starting SMEM alllocations report ... ... ... fw_drv_fini: XXX bytes allocated by 'fwmspi.c:N' leaked at ... allocation time ... ... ... ... FW-1: SMEM Leak in: fwmspi.c:N: smem bytes XXX, smem num of allocations YYY ... ... ... ;Ended SMEM alllocations report`
01464684, 01469758, 01556271	Memory leak when there is an error saving data into kernel table "inbound_SPI".
01410361, 01439990	Certificate Signing Requests could only be encoded with UTF8 String, and not TeleTex string.
HTTPS Inspection
01418393, 01456436, 01467522, 01470952, 01471765, 01474667, 01479662, 01510285, 01516601, 01522323, 01546352, 01551219, 01556280, 01577129	Added ECDHE support to HTTPS Inspection and Multi Portals. Refer to sk104717.
01482072	Improved HTTPS Inspection Bypass mechanism. Refer to sk104717.
01439385, 01495016, 01493588, 01493594, 01481655, 01508906; 01433683, 01495015, 01493587, 01493590, 01481652, 01508914	Improvement in negotiation rate of HTTPS traffic through Security Gateway R76 and above. Refer to sk103081.
01467047, 01495926, 01614223, 01624869	RC4 cipher is allowed for Inbound HTTPS inspection. Refer to sk104095.
01521925, 01523439, 01539818, 01523437, 01523353	Security Gateway with enabled HTTPS Inspection crashes repeatedly. Refer to sk108653.
Application Control
01522437, 01528311, 01528847, 01530694, 01539945	Application Control policy with distributed Identity Awareness rules may cause Security Gateway to crash when processing a UDP domain connection.
01412965, 01413413, 01500608, 01502786, 01516725, 01525401, 01551242, 01553991, 01554511, 01558819, 01575200	TLSv1 Server Hello packets being dropped by Application Control of HTTPS in SmartView Tracker and debug. Refer to sk100971.
01518127, 01556228	Access to web sites fails with multiple "Internal System Error" logs from Application Control / URL Filtering. Refer to sk64162.
00267191, 01493069, 01495399	Amount of transmitted traffic in Application Control Accounting logs is much higher than the amount of transmitted traffic reported by the relevant outbound interface (e.g., 'TX' counter in the output of 'ifconfig -a' command).. Refer to sk103071.
01457139, 01556295, 01457569	Traffic fails after rebooting Security Gateway with enabled Application Control blade. Refer to sk102135.
01653873, 01655271, 01655835, 01662792	HTTP traffic is blocked by Application Control with "HTTP parsing error occurred, blocking request (as configured in engine settings)" log. Refer to sk106288.
URL Filtering
01430167, 01434385	URL Filtering blocks HTTPS web sites with "Internal System Error occured" log when "Categorize HTTPS sites" and "Fail-close" are enabled. Refer to sk64162.
01448602, 01449446, 01450281	R77.20 URL Filtering blocks HTTPS traffic with the following log in SmartView Tracker: User <UserName> was blocked access to ... from <IP Address> `Source = <IP Address> and <UserName> Protocol = tcp Service = https (443) Action = Block Reason = Internal System Error occurred, blocking request (as configured in engine settings). See sk64162 for more information.` Refer to sk64162.
01466938, 01474787, 01476226	URL Filtering intermittently blocks some HTTPS requests with the following SmartView Tracker logs: `Action = Block Reason = Internal System Error occurred, blocking request (as configured in engine settings). See SK64162 for more information.` Refer to sk64162.
01431893, 01480952, 01433702	URL Filtering R76 and above blocks non-HTTPS traffic (e.g., SFTP) with "Internal System Error occurred" log in SmartView Tracker: `Blade = URL Filtering Action = Block Reason = Internal System Error occurred, blocking request (as configured in engine settings). See SK64162 for more information.` Refer to sk64162.
Threat Prevention (Anti-Bot / Anti-Virus / Threat Emulation)
01434059, 01436435, 01445037, 01448961, 01450819, 01457322	Anti-Virus and Threat Emulation blades miss inspection. Refer to sk101708.
01536719	Threat Prevention policy is installed on all Security Gateways regardless of explicit Policy Targets. Refer to sk104559.
01477760, 01549918	Security Gateway R77.20 fails to fetch new IntelliStore feeds for Anti-Bot / Anti-Virus. Refer to sk102649.
01534587, 01550413, 01554630, 01562032	Security Gateway might crash when Threat Prevention "Fail Mode" is set to "Block all connections (Fail-close)". Refer to sk104866.
01602329, 01613027, 01611875, 01611607	Amount of consumed memory constantly increases on Security Gateway with enabled Anti-Virus blade. Refer to sk105572.
01571753, 01578807, 01600189, 01627049, 01629010, 01634746	Specific web sites are not reachable when Anti-Virus/Anti-Bot blade is enabled and the packet is generated by the Security Gateway. Refer to sk104638.
01428602, 01431817, 01441828, 01512656	SmartEvent shows "Severity = <4GB" in Anti-Virus / Anti-Bot event. Refer to sk106130.
Anti-Spam
01532558, 01619863	/var/log/messages file on Security Gateway repeatedly shows "ld_commit_ex: Attempting to commit unbound ld 7981" during policy installation. Refer to sk105545.
Identity Awareness
01427389, 01502416, 01427823, 01510189; 01427391, 01510361, 01427825; 01433720, 01502418, 01434036	It is not possible to exclude networks from Identity Awareness Captive Portal's keepalive feature. Refer to sk101449.
01424973, 01425440, 01426025, 01482791, 01542491	Identity Agent on Mac OS X asks to trust the Identity Server's certificate during each boot. Refer to sk101327.
01416765, 01410342, 01416767, 01424641, 01449848, 01410174, 01416765, 01424645, 01449845	Browser-based Authentication guests are timed out by Identity Awareness after 10 minutes. Refer to sk101503.
01474077, 01555626, 01494408, 01474405	PDP daemon crashes when logging a MUH authentication. Refer to sk105069.
01393374, 01420182, 01569611, 01569641, 01574012	When Identity Sharing configuration is used, it can take as long as 10 minutes for the components to sync after restart.
01470526, 01473354, 01608568, 01613406	User login events are logged by Identity Awareness as separate logins for different users if username is written in upper case letters, or in lower case letters - in all Check Point logs, the user is identified by the username with which the user has actually logged in - as if different user names were used ('`USERNAME`' / '`UserName`' / '`username`'). Refer to sk102398.
01574462, 01580691	In a VSX Gateway, Captive Portal's customized company logo is shared between all Virtual Systems. As a result, when the policy is installed on one of the Virtual Systems, customized company logos are overwritten on all the other Virtual Systems.
01505808, 01506056, 01556019	VPN clients authenticated by the RADIUS protocol are not in PDP listed groups. Therefore, they are not assigned to the correct Access roles.
01553174, 01553863, 01554012, 01569537	Identity Awareness RADIUS Accounting clients are not assigned their specific user-defined RADIUS Message Attributes. Refer to sk105786.
01157206, 01159941, 01159942, 01159943, 01209559, 01321563, 01351162, 01363762, 01395591; 01459004, 01459085, 01489476	The following messages appear repeatedly in $FWDIR/log/fwd.elg file on Identity Awareness gateway: CLogFormat::create failed - field already exists (xxx) of type (string) ! CFormatsDict::registerFormat - bad format string ! Refer to sk102171.
01505808, 01506056, 01556019	VPN clients authenticated by RADIUS protocol are not mapped to Access Role. Refer to sk105173.
01415512, 01418757	Output of "pdp monitor ip <IP_ADDRESS>" command on Security Gateway shows multiple users associated with the same Source IP address. Refer to sk101115.
01425676, 01431642; 01336257	Identities are not shared with all gateways. Refer to sk101369.
01552306, 01555558	Output of command "pep show user query cid <IP_Address_of_Terminal_Server>" does not show any identities when Identity Agent is installed on Terminal Server / Citrix Server. Refer to sk104115.
01494506, 01494654	Output of "fw tab -s \| grep -E "PEAK\|pep" command on Identity Awareness Gateway shows that the current (VALS) number of entries and the peak (PEAK) number of entries in the pep_identity_index table has reached 25000. Refer to sk103221.
01403516, 01487394	PEPD process consumes CPU at 100%. Refer to sk100641.
01507444, 01510887	Improved handling of URL in Captive Portal.
01432854, 01433432	After a failover in a VRRP cluster, the connection between the PDP and the PEP stays connected to the "old" MASTER PEP.
01438363, 01439077	"MADService.exe" process consumes CPU at high level on the Terminal Server. sk101611.
01376945, 01585397; 01383114, 01471725	Memory leak in PDPD daemon related to ADQuery. Refer to sk106422.
01410448, 01419319	"Table pdp_sessions entries limit (90000) reached" critical system alert messages repeatedly appear in SmartView Tracker. Refer to sk101288.
01459986, 01471398	"Group membership of the required account (user or machine) could not be retrieved from the AD" log from Identity Awareness blade in SmartView Tracker. Refer to sk106133.
01410233, 01525141, 01834591, 01862252	Improved generation of new session ID (to make sure this ID is not assigned to some other basic or super session).
Mobile Access
01361273, 01438252, 01437810	Enhancement: New apache directive CvpnTranslateResponseHeader that enables the translation of URLs in the headers. To add a new header: Edit the $CVPNDIR/conf/includes/Web_inside.location.conf file on Mobile Access gateway Search for CvpnTranslateResponseHeader Add your header using this format: CvpnTranslateResponseHeader <header_name> Save the file Reload the Mobile Access policy with cvpnd_admin policy command
01428128, 01431248; 01476439, 01476439	Mobile Access support for SHA-256 signed certificates. Refer to sk101541.
01467856, 01471445, 01613474, 01614665	Link Translation domain does not work - some links are not included/excluded from translation domain. Refer to sk105565.
00776003, 01323079, 01323080, 01346323, 01360113, 01376976, 01377147, 01393090, 01394078, 01397611, 01408848, 01476174, 01495176, 01513491	Traffic initiated from internal host towards SSL VPN client is dropped with "Unauthorized SSL VPN traffic" log. Refer to sk97811. Note: Must add a new variable in Check Point Registry on Management Server - 'SNX_ALLOW_GW_TO_GW' and set its value to 1.
01499536, 01501020, 01499541, 01501008, 01501161, 01501308, 01501438, 01501891, 01526621	Push Notifications are not received on the mobile phones due to IPS protection "Secure Socket Layer (SSL) v3.0". Refer to sk103080.
01459334, 01463070, 01569322	HTTP Based SSO authentication fails to internal Web / Application servers if Single Sign On (SSO) is disabled in the application properties. Refer to sk102308.
01432236, 01432548	The Mobile Access portal homepage does not show the time zone for the last logon.
01410021, 01410492; 01430262, 01430684	Disabling Mobile Access 'Content-Analyzer' feature for specific host. Refer to sk101076.
01367460, 01373577	"This content cannot be displayed in a Frame" error when accessing an application through Mobile Access using Hostname Translation (HT). Refer to sk99072.
01399802, 01402334, 01513710	When a user connects to two e-mail accounts using ActiveSync (e.g., a personal account and a group account) from a single mobile device, multiple Mobile Access sessions are created (instead of two expected sessions). Refer to sk100552.
01273495, 01368685, 01368687	Padding in the HTTP POST request body causes an internal server error.
01611014; 01527864	Accessing Mobile Access Portal applications takes very long time. Refer to sk105525.
01456061, 01463349, 01569353	Kerberos authentication fails on Mobile Access Gateway. Refer to sk102194.
01508210, 01508222	Mobile Access Blade option to change language in webmail does not work. Refer to sk104001.
01450216, 01452166, 01575638	Mobile Access blade translates all URLs with IP addresses. Refer to sk102032.
01454984, 01455527, 01463441	Windows Domain specified in Single Sign On (SSO) configuration of File Shares applications is not enforced by Mobile Access. Refer to sk102307.
01399854, 01400184, 01531213	When enabling ESOD, Mobile Access policy installation fails with "Failed to install policy on Mobile Access blade - previous configuration is used". Refer to sk100539.
01512514, 01512731	Mobile Access Blade connectivity issue to Citrix server.
01498075, 01498678	Disables SSLv3 (and forces TLSv1.0) in Mobile Access Blade when connecting to internal HTTPS servers.
01417659, 01418553	"This file is invalid for use as the following: Personal Information Exchange" error during certificate enrollment process in the Mobile Access Portal when using a language other than English in the Mobile Access Portal. Refer to sk101007.
01568636, 01550222	SSL sessions for outgoing connections are not resumed by Mobile Access gateway. Refer to sk106423.
01465740, 01469307, 01493223, 01844638	Some web sites can not be reached through Mobile Access Gateway with Hostname Translation. Refer to sk108593.
01679094, 01866036	Mobile Access users do not receive push notifications if their usernames contain domain name. Refer to sk108836.
SNX
01443252, 01502258	New: Maximal SNX session duration can be increased from 1 day (1440 minutes) to 1 week (10080 minutes). Refer to sk102288.
Dynamic Routing
00263386, 00266252, 01528113; 01566199	New feature on Gaia OS: OSPF Graceful Restart with VRRP. Refer to sk104441.
01539457, 01546505, 01567556, 01577303	Time stamps in RouteD traces on Gaia OS will be printed with milliseconds as well. Refer to sk105852.
01448634, 01448859, 01450278	Security Gateway / Cluster Member on Gaia OS with configured BGP that uses MD5 Authentication might randomly crash (`tcp_v4_calc_md5_hash(...) at crypto.h`). Refer to sk101976.
01524538, 01524594, 01526450, 01526769, 01594168	Missing BGP routes after failover in a cluster with BGP Graceful Restart configured on Gaia OS. Refer to sk103724.
01563234, 01564383, 01565007	RouteD daemon on Gaia OS might crash due to memory leak when PIM Sparse Mode multicast is configured. Refer to sk104518.
01565294, 01656917, 01573437	RouteD daemon in VRRP cluster might crash in the loop, if only one cluster member is active and it was rebooted or 'cpstop;cpstart' commands were executed. Refer to sk106045.
01523452, 01531276; 01355732, 00265619; 00265931, 01645351, 01557546	RouteD daemon on Gaia OS might crash on cluster member when PIM Sparse Mode multicast is configured and multicast traffic arrives from peer cluster member. Refer to sk104847.
00266170, 00266274, 00266193	PIM multicast traffic does not pass correctly through Security Gateway on SecurePlatform Pro. Refer to sk100219.
01544573, 01546503	Random flapping of OSPF neighbors in Gaia OS cluster under load. Refer to sk105865.
01468506, 01470238, 01509726, 01509815, 01509822	Output of Clish command "show ospf neighbors" does not show any OSPF neighbors over the Virtual Tunnel Interfaces (VTI) if "`Use Virtual Address`" is enabled for OSPF. Refer to sk105163.
01413420, 01414872	/var/log/messages file on VRRP cluster member running on Gaia OS and configured RIP repeatedly shows: `routed[PID]: cpcl_should_send() returns -1` Refer to sk106128.
01480023, 01496492	RouteD daemon might crash after state of an interface changes several times (flaps) when OSPF with Graceful Restart is configured.
01366638, 01879973, 01438233	OSPF with enabled MD5 authentication is not establishing adjacency due to MTU mismatch. Refer to sk109092.
01509785, 02083430, 01518596, 01518594, 01696761	RouteD daemon on Gaia OS / IPSRD daemon on IPSO OS might crash when processing PIM-DM traffic. Refer to sk113622.
SecureXL
00266698, 00267039, 01437178, 01604531	Some connections are dropped as out of state after failover in ClusterXL HA mode on 21000 appliances with SAM card. Refer to sk101287.
01557358, 01605468, 01557500	Security Gateway with enabled SecureXL and passing multicast traffic crashes every several days. Refer to sk105854.
01574333, 01575168, 01921759, 01810487, 01704611	Improved SAM card log collection when host appliance crashes with "`ADP slot N possibly hung`" message.
01401927, 01402267, 01515140, 01610334, 01612989, 01613022	Security Gateway using the be2net NIC driver crashes when SecureXL is enabled.
01024708, 01479524, 01499685, 01500107, 01513093	SecureXL is now able to copy DiffServ mark from the packet's IP header (inner header) to the IPSec header of the encrypted packet after encapsulation (outer header). Refer to sk105722.
01380466, 01529968, 01467341, 01467342; 01461944, 01559697, 01534647; 01465882, 01530180, 00267265, 00267264	Check Point 21000 series appliance with SAM card might crash when removing a slave interface from bonding group defined on SAM ports. Refer to sk104358.
01426122, 01550640, 01443313, 01444855; 01429933, 01531479, 01443315; 01510636, 01523681, 01513427, 01513825	Check Point 21000 series appliance with SAM card crashes when disabling SecureXL and during / after policy installation. Refer to sk101451.
01385280; 01673919, 01489973, 01467347	Check Point 21000 series appliance with SAM card might crash due to exhaustion of all memory when there is an inbound clear traffic that should have been encrypted (such traffic is correctly dropped, but sending notifications from SAM card to the FireWall about such clear text packets received on encrypted connections might consume valuable memory).
01565618, 01577958, 01674183, 01677466	Check Point 21000 series appliance with SAM card might drop traffic with "Virtual defragmentation error: Timeout" log when sent over a VPN tunnel. Refer to sk106292.
01458115, 00267136, 00267390, 01481039, 01513355, 01522999, 01526474, 01526491, 01528105, 01528107	When enabling SAM card with SecureXL and ClusterXL Unicast Mode, traffic is dropped. Refer to sk102246.
01397083, 01397729, 01638997	SAM card on Check Point 21000 appliances might crash during boot if the number of configured CoreXL FW instances is equal to the number of CPU cores on the appliance (e.g., there are 16 CPU cores, and 16 CoreXL FW instances were configured). Refer to sk100546.
01499723, 01500455, 01675110, 01676648	21000 series appliance with SAM card might crash in specific scenario when accessing the /dev/tilegxpci/boot* for reading or writing. Refer to sk103209.
00266155, 00267073, 01674942	Enhancement for Check Point 21000 series appliance with SAM card: Statistics for network memory buffers is now available via "ipsctl -a" command under: net:dev:adp:ipsctl:slot:<N>:kern:mbuf:stats Description: An "mbuf" is a basic unit of memory management in the kernel IPC subsystem. Network packets and socket buffers are stored in mbufs. A network packet may span multiple mbufs arranged into a mbuf chain (linked list), which allows adding or trimming network headers with little overhead.
01392081, 01476360, 01392620, 01523990	SecureXL does not accelerate IPv4 packets with VLAN tag on Security Gateway in Bridge mode when IPv6 is enabled. Refer to sk100170.
01323769, 01516673	Security Gateway might crash during boot if drop optimization is enabled in 'Firewall Policy Optimization'. Refer to sk105182.
01472346, 00267397	When SecureXL is enabled, traffic through the VPN trusted interface is sent encrypted instead of clear. Refer to sk102742.
01447865, 01448372	IPSO cluster member crashes when SecureXL is enabled and services are configured to start synchronization after a delay. Refer to sk101909.
01475197, 01475246, 01476946, 01555628	Intermittent traffic outage on Security Gateway with enabled NetFlow. Refer to sk102553.
01560458, 01560789, 01561579, 01566368, 01567351, 01573268, 01573318	Security Gateway configured in Monitor Mode (per sk101670) with enabled SecureXL might freeze intermittently. Refer to sk105842.
01501271, 01505007, 01506385, 01514600	Output of "fwaccel stat" command shows: `Accelerator Status : off by Firewall (too many general errors (NUMBER) (caller: Name_of_Function))`. Refer to sk100467 (Scenario 2 - "Collision of partial connections in SecureXL due to SecureXL Optimized Drops feature").
00266712, 00266721, 00266756, 00266890, 00267014, 01531274, 01625640, 01625653, 01625654, 01625656	Additional information will be added to the core dump file if SAM card crashes.
01446679, 01448860, 01554558	Security Gateway might crash in the following scenario: SecureXL is enabled Value of kernel parameter sim_ipsec_dont_fragment is set to 1 VPN tunnel needs to pass fragmented packets Refer to sk101219.
01475359, 01631637, 01479665	SecureXL in Virtual Router drops packets on Anti-Spoofing if SecureXL is disabled on the connected Virtual System (example topology: Host - VS with SXL off - VR with SXL on - Host).
00266889, 01516730	SecureXL instability when SecureXL NAT Templates are enabled and Hide NAT is configured on VSX. Refer to sk106709.
01778058, 01745305, 01545578, 01605342	SecureXL sends the traffic with Destination MAC Address 00:00:00:00:00:00. Refer to sk107436.
01585371, 01809152, 01585371	Security Gateway with enabled SecureXL and IPSec VPN blade might crash when traffic passes over VPN tunnel. Refer to sk107912.
CoreXL
01532511, 01532943	IPv6 traffic does not pass through Security Gateway with configured CoreXL IPv6 FW instances. Kernel debug ('`fw ctl debug -m fw + drop`') shows that IPv6 traffic is dropped by CoreXL SND: `;[cpu_X];[fw6_X];fw_log_drop_ex: Packet proto=58 ... dropped by fwmultik_dispatch_outbound Reason: No instance (outbound);` Refer to sk93000.
01441450, 01626569, 01447005	CoreXL can not be enabled on Security Gateway in the following scenario: IP Pool NAT is already enabled IPv6 is already enabled Refer to sk105886.
01061497, 01552423	Traffic that depends on Dynamic Objects stops passing after policy installation - it is actually dropped by the rule that should accept it. Refer to sk107079.
SNMP
01386525, 01391815; 01492740; 01495104	Gaia OS / SecurePlatform OS: Compliance errors in SMI syntax in Check Point MIB files show in MIB browsers or MIB validation websites. Refer to sk73440.
01427113, 01427355	Gaia OS: SNMP VRRP Traps do not appear in Gaia Clish / Gaia Portal after upgrading from R77. Refer to sk101407.
01289099, 01289976, 01289977, 01289978, 01312680, 01359227, 01380612, 01395468, 01428848, 01493327	Gaia OS: "Could not resolve 'Sensor' within the trap 'Trap'" errors in Spectrum CA when importing Check Point 'GaiaTrapsMIB.mib' file. Refer to sk97410.
01466901, 01473389, 01467051, 01493167, 01634466	Gaia OS: SNMP functionality breaks intermittently (stops answering SNMP Queries, stops sending SNMP Traps). Refer to sk102271.
01446615, 01447324	Gaia OS: "The value of sensor could not be read" error in /var/log/messages file and SNMP Traps about hardware sensors are sent repeatedly. Refer to sk101898.
01421392, 01422059; 01421419, 01422061	Gaia OS: Querying Check Point SNMP OID .1.3.6.1.4.1.2620.1.1.27.1.12 returns IPv4 addresses instead of IPv6 addresses. Refer to sk101231.
01428542, 01428702	Gaia OS: SNMP Trap for a monitored process that runs under different names generates SNMP Trap Alert although this process is not down. Refer to sk101446.
01481801, 01490663	Gaia OS: SNMPD daemon occasionally crashes with a segmentation fault. Refer to sk103817.
00431330, 01217380; 00560935, 01240901	SecurePlatform OS: Although multiple 'trap2sink' commands were added to /etc/snmp/snmpd.conf file, the 'snmpmonitor' sends traps only to the sink server specified in the last 'trap2sink' entry in /etc/snmp/snmpd.conf file. SecurePlatform OS sends SNMP Traps with 'public' community name, although different community was configured in /etc/snmp/snmpd.conf file. Refer to sk66581.
01523786, 01528656	Gaia OS / SecurePlatform OS: SNMP configuration per RFC2925 "DISMAN-PING-MIB" does not work. Refer to sk103817.
01530562, 01534523, 01579063	Gaia OS / SecurePlatform OS / X-Series XOS: SNMP v1 query on port 260 (via CPSNMPD daemon) for Check Point OIDs (.1.3.6.1.4.1.2620) returns "Wrong Type (should be INTEGER): Counter32". Refer to sk105178.
01455870, 01666037, 01456126, 01555587	Gaia OS / SecurePlatform OS: SNMP Response for OID .1.3.6.1.4.1.2620.1.5.6 (`.iso.org.dod.internet.private.enterprises.checkpoint.products.ha.haState`) is "Active" from all members of R77.20 ClusterXL High Availability mode. Refer to sk106291.
01507852, 01508950	Gaia OS / SecurePlatform OS: SNMP request for OID 'fwAcceptBytesIn' and OID 'fwAcceptBytesOut' returns '0' on all interfaces. Refer to sk105395.
VSX
01445626, 01512960, 01561558, 01585337; 01406101, 01433481, 01420495, 01515539; 01421738, 01520921, 01598784, 01614545; 01469339, 01474529, 01614538	Virtual System does not respond to SNMP query after in-place upgrade to R75.40VS / R76 / R77 / R77.10 / R77.20. Refer to sk102232.
01367090, 01436486, 01436558	In VSLS, when a Management interface is disconnected from a cluster member: Cannot install policy on Virtual Systems on the member with the disconnected Management interface Active Virtual Systems on that member do not failover
01520879, 01523332	The "vsx_util view_vs_conf" command shows "!NH" for IPv6 interface routes configured on VSX. Refer to sk105397.
01469254, 01470204	SNMP query for CPU usage by each Virtual System (OID 1.3.6.1.4.1.2620.1.16.22.2) returns 0 (zero) values. Refer to sk102434.
01321203	During reboot of Active member in VSX cluster, the state of Standby member is "HA not started" instead of "Active". Refer to sk98021.
01176854; 01196058; 01428068, 01430436	"NMINST0069 cannot access to the virtual-system" error when a user that is authenticated on RADIUS (rba role 'radius-group-any') connects to Security Gateway in VSX mode over SSH and tries to switch from context of VS0 to other contexts with "set virtual-system <VSID>" command (and output of "show virtual-system all" command is empty). Refer to sk93507.
01427690, 01476310	Virtual System in HTTP/HTTPS Proxy mode intermittently stops passing traffic. Refer to sk103122.
00890032, 01547534	"cphaprob syncstat" command on VSX cluster member fails with "get_fwha_debug_from_kernel: ioctl failed. size is 2048: Invalid argument". Refer to sk104059.
01455016, 01455601, 01636910, 01638700	VSX machine with enabled IPv6 might crash when running 'netstat' command. Refer to sk102028.
01459347, 01465758, 01465937, 01498468, 01547995	R77.10 / R77.20 VSX Gateway intermittently stops passing traffic during high traffic load. Refer to sk102310.
01537853, 01539535	SNMP request for Virtual System's SIC state "vsxStatusSicTrustState" (OID .1.3.6.1.4.1.2620.1.16.22.1.1.8) returns wrong data. Refer to sk104035.
01620408, 01629040, 01629043, 01629049, 01629050, 01629051, 01636953	FWK process might crash with core dump when collecting kernel debug.
01493208, 01477107, 01646244	Improved stability of FWK process to resolve traffic being dropped with "Internal system error" log due to RAD timing out.
01396472, 01396841, 01619725	After issuing 'cpstop;cpstart' commands on the Standby VSX cluster member, the output of 'cphaprob -a if' command shows the following state of the Sync interface configured on Bond interface: The state of Sync interface as 'UP' in the context of VSX itself (VS0). The state of Sync interface as 'DOWN' for each Virtual System. Refer to sk100450.
01404063, 01413547, 01409322	VSX does not generate syslog messages and SNMP traps about Connections Table capacity. Refer to sk106137.
01472068, 01499711, 01496518	Memory leak in RouteD daemon on VSX cluster.
01583403	After VSX Gateway reboot or start of RouteD daemon, static IPv6 routes between Virtual Routers are sometimes deleted.
01415749, 01481408, 01423985	VSX cluster member is in 'Down' state after reboot. If SecureXL is disabled on Virtual System(s) and enabled on Virtual Switch(es), then SecureXL on Virtual Switch(es) would drop CCP packets due to a tagging issue. This causes a pnote 'Interface Active Check' on Virtual System(s) to report its status as 'problem', which in turn causes the VSX cluster member to report its state as 'Down'. As an immediate workaround, disable SecureXL with fwaccel off command in the context of involved Virtual Switch(es).
VoIP
01432186, 01436581, 01556086	MGCP traffic is NATed to port range of 10000. Refer to sk101587.
01433546, 01439174, 01499676, 01526701	MGCP Call Agent and Media Gateway are not able to register in the following scenario: SIP services are used in the rulebase MGCP service "`mgcp_MG`" is not used in the rulebase Refer to sk102049.
00545410, 01431240, 01556349	VoIP SIP traffic without the '@' character in the 'FROM' or 'TO' part of the header (i.e., when there is no user) is dropped by IPS with the following log: `Attack: Malformed SIP datagram Attack information: "Illegall 'FROM' user in request packet"` Refer to sk68221.
Check Point appliances
01380239, 01381238, 01600716, 01600757, 01612423	"Error while reading mask" and "fw: Corrupt affinity value Unsupported" errors when running fw ctl affinity -l command on Check Point appliances 12000 / 13000 / 21000. Refer to sk99078.
01610292	Policy installation on 1100 appliance object fails with "Commit function failed" error when the IPS "Recommended_Protection" or a manually created IPS profile is assigned to 1100 appliance object. Refer to sk105217.
01463257, 01501391	Boot Menu is not seen during boot when connected via LOM card to Check Point Smart-1 25B, Smart-1 225 or 13500 / 13800 appliances. Refer to sk102178.
01529412, 01529627, 01560695, 01562794	Slow traffic / traffic latency through RuggedCom Appliance. Refer to sk103890.
01401670, 01402659	Gaia Clish command "show asset memory" returns wrong data on 12200 appliances. Refer to sk100786.
01427915, 00266881	On IP Series Appliances running R77.10/R77.20, output of fwaccel conns command shows interfaces as offloaded to the ADP, even if there is no ADP card installed.
00266983, 00267068, 01557560	On IP1280 / IP1285 and IP2450 / IP2455 appliances, the VTT minimal value has to be changed to 1.045V. Refer to sk92780.

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating