Check Point R77.30 Resolved Issues Technical Level

This article lists all of the issues that were resolved in R77.30.

Table of Contents

  • General
  • Security Gateway
  • Security Management
  • Multi-Domain Security Management
  • SmartDashboard
  • SmartDomain Manager
  • SmartProvisioning
  • SmartEvent / SmartReporter
  • SmartLog
  • SmartUpdate
  • Cluster
  • DLP
  • IPS
  • Gaia and SecurePlatform
  • Gaia
  • VPN
  • HTTPS Inspection
  • Application Control
  • URL Filtering
  • Threat Prevention
  • Anti-Spam
  • Identity Awareness
  • Mobile Access
  • SNX
  • Dynamic Routing
  • SecureXL
  • CoreXL
  • SNMP
  • VSX
  • VoIP
  • Check Point appliances

ID Symptoms
General
01469332, 01476439, 01431248, 01540945 Check Point update and online services migration to SHA-256 based certificates.
Refer to sk103839.
Check Point's response to Leap Second, introduced in UTC on 30 June 2015.
Refer to sk104560.
01569696, 01570266 Check Point's response to CVE-2015-0235 (glibc - GHOST).
Refer to sk104443.
01602689, 01602914 Check Point's response to TLS FREAK Attack (CVE-2015-0204).
Refer to sk105062.
01528449, 01531583 Check Point's response to TLS 1.x padding vulnerability.
Refer to sk103683.
01495114, 01517944;
01500668, 01510595;
01490480, 01505361;
01466725, 01511136;
01637431, 01517944
Check Point's response to the POODLE Bites vulnerability (CVE-2014-3566).
Refer to sk102989.
Note: All the fixes mentioned in sk102989 were integrated.
Check Point's response to CVE-2014-6271 and CVE-2014-7169 Bash Code Injection vulnerability (Shellshock).
Refer to sk102673.
01516988, 01552223, 01525773 Security Gateway / Active cluster member might crash rarely, when one of these blades is enabled: IPS, URL Filtering, Application Control, Anti-Bot.
Refer to sk104250.
Security Gateway
01433753, 01439099 Security Gateway configured as a Proxy occasionally stops processing all traffic.
Refer to sk102134.
01430609, 01432668, 01438923, 01450221, 01555515, 01570507, 01585395 Security Gateway with enabled Non-Transparent Proxy causes some sites to no longer function properly, because HTTP 'OPTIONS' method is not recognized by the Security Gateway in Proxy mode.
Refer to sk102188.
01426380, 01428952, 01556352

Memory leak detection procedure (sk35496) reports a memory leak:

;FW-1: In fw_hmem_report_leaks
;fw_drv_fini: XXX bytes allocated by 'fw_spii_pset_create' leaked at ...
... ... ...
;FW-1: fw_hmem_stat_report: total unfreed hmem allocations: ..., bytes ...
;Starting SMEM alllocations report
... ... ...
;FW-1: Leak in: fw_spii_pset_create: hmem_bytes ...
;Ended SMEM alllocations report
... ... ...
;FW-1: In fw_hmem_report_leaks
01425391, 01425206
  • Policy installation on R77 Security Gateways fails with these errors:

    "/opt/CPsuite-R77/fw1/conf/<POLICY_NAME>.pf , line N: ERROR: syntax error
    ... ... ...
    "/opt/CPsuite-R77/fw1/conf/<POLICY_NAME>.pf , line N: ERROR: table <auth_services> has no predefined format
    ... ... ...
    "/opt/CPsuite-R77/fw1/conf/<POLICY_NAME>.pf , line N: ERROR: table <client_was_auth> has no predefined format
    ... ... ...
    "/opt/CPsuite-R77/fw1/conf/<POLICY_NAME>.pf , line N: ERROR: syntax error
    Error compiling IPv6 flavor.
    Compilation failed.
    Operation ended with errors.

  • UFP IPv6 logs in SmartView Tracker show wrong hit rate statistics.
Refer to sk101330.
01407754, 01413708, 01416985, 01425115, 01425120, 01456747 NFS-RPC traffic passes the Security Gateway when there is a rule that contains ALL_DCE_RPC service.
Refer to sk101128.
00267452, 01526619, 01535357, 01529160
  • Security Gateway / VSX Gateway / Cluster member might crash while inspecting multicast traffic.
  • SecureXL does not accelerate multicast traffic.
Refer to sk103698.
01321419, 01380507, 01393458, 01412903, 01446442, 01457510, 01488685, 01535858, 01535870, 01570407, 01576250 "funcchain" process frequently crashes with core dump file on the Security Gateway.
Refer to sk98151.
01513354, 01513406, 01513829, 01513872, 01513875 The Security Gateway might crash when IPv6-over-IPv4 security rule is configured, but IPv6 is disabled.
Refer to sk103526.
01443734, 01445232, 01446201 IPv6 ICMP traffic is dropped by "0 - Implied Rules".
Refer to sk102390.
01445232, 01443734, 01446201 ICMPv6 traffic is dropped by the Security Gateway if there is a Firewall rule that contains the ssh2 service.
Refer to sk102390.
01433313, 01433710, 01482416 Policy installation fails due to a timeout on the Security Gateway with Broadcom NetXtreme interfaces that use bnx2x driver.
Refer to sk101547.
00554859, 01203427 TCP traffic is dropped on "IP options", and problematic IP option could not be found in kernel debug.
Refer to sk94085.
01438052, 01442503 The Security Gateway might crash during policy installation in rare scenarios.
Refer to sk102787.
01409490, 01492561 Memory consumption on the Security Gateway constantly increases.
Refer to sk103077.
01504351, 01513713 The Security Gateway might crash when working with Multi-Portal.
Refer to sk104698.
01414168, 01420268, 01414888, 01416219, 01440122 "Fetch Settings From Device: getStaticRoutes - no nextop type found for key X.X.X.X/Y" error in SmartDashboard after adding static routes on a Security Gateway in the Gaia Portal.
Refer to sk100611.
01530781, 01535296 The Security Gateway logs locally and does not attempt to reconnect to the Security Management Server / Domain Management Server / Log Server after restart of the Security Management Server / Domain Management Server / Log Server.
Refer to sk103760.
01246785, 01561569, 01355222 "Installation failed. Reason: Load on module failed, failed to load security policy" error in SmartDashboard when installing policy from the Security Management Server R77 (and above) onto Security Gateways R76 and lower.
Refer to sk33893.
01516302, 01516817, 01556237 Fetching policy on a DAIP gateway fails with "External interface is not properly defined. Please run cpconfig to define it."
Refer to sk103819.
01495958, 01496338, 01496872, 01499687 The FWD process on the Security Gateway might crash when working with Proxy ARP.
Refer to sk103214.
01525172, 01529706 Mounting a directory using NFSv3 over IPv6 through the Security Gateway fails because traffic is not matched to the relevant rule.
Refer to sk105843.
01502277, 01502277 Improved inspection of the CIFS protocol.
01506203, 01506203, 01518764 Improved inspection of the RPC protocol.
01433903, 01446782, 01526229 "fw tab -s" command might fail to print the output with "Failed to get table status for .." when there are multiple security rules with numerous Domain Objects.
Refer to sk106132.
01407991, 01408863 Client Authentication logs for Single-Sign On are always generated even if "Successful Authentication Tracking" in Client Authentication properties is set to "None".
Refer to sk106131.
01432321, 01480962 Memory leak in in.ahttpd daemon.
01462129, 01462555, 01481937, 01598761 Enhancement: Configure ISP Redundancy Link to fail over, only when all configured hosts are not answering to pings.
Refer to sk102848.
01469476, 01489869, 01523002, 01539690, 01466177 A Security Gateway with enabled SecureXL might crash when processing a packet with Multicast Source IP address and Unicast Destination IP address.
Refer to sk108818.
Security Management
01446920, 01447343, 01476881 Added debug prints in the FWD process for sending logs to OPSEC LEA clients.
01445077, 01445354, 01576280 Log actions are not filtered by the fw log -c command.
Refer to sk101905.
01431881, 01432334 When defining an ICMP service with Type and Code and installing it on Cisco router, the ICMP code value is ignored.
Refer to sk101500.
01424794, 01425078;
01189860, 01168429, 01433749
Cannot connect OPSEC log service to the Security Management Server running on Windows OS.
Refer to sk101398.
01507964 The cp_merge policy command overwrites the original policy. The policies should have merged.
01529753, 01531065;
01527202, 01531650, 01530121, 01530122, 01556090
R76 / R77 / R77.10 / R77.20 takes a long time to reboot / start Check Point services.
Refer to sk103822.
01523349, 01525113 Policy Verification error is not displayed when installing policy on Clusters R75.X and lower with configured IPv6 address.
Refer to sk103734.
01575068, 01575106

Threat Prevention policy installation fails:

  • In SmartDashboard with "Compilation failed" error.

  • When manually loading the policy under debug, with these errors:

    amw_add_key: fread() failed
    amw_load: amw_add_key() failed
    amw_load_main: amw_load has failed
    main: amw_load_main() failed
Refer to sk105783.
01425206, 01425391 Policy installation on R77 Security Gateways fails with errors: "syntax error" and "table has no predefined format".
Refer to sk101330.
01395422, 01396110, 01624406 Policy installation fails with "Operation incomplete due to timeout" error.
Refer to sk109236 - Scenario 5.
01408654, 01433847, 01501001 During policy installation, SmartDashboard suddenly disconnects. After that Edge devices are not able to connect to this Service Center.
Refer to sk103118.
01525314, 01527814 "Failed to update administrator object (Reason: No write permission for object: XXX)" error in SmartDashboard when an Administrator with Read-Only permissions tries to change their own password.
Refer to sk103738.
01533783, 01535163, 01576237 "User" field shows "*** Confidential ***" in logs when connection to OPSEC server is on non-authenticated port (clear port).
Refer to sk101570.
01552113, 01554842, 01554870

Special sub-directories in $FWDIR/conf/ are not synchronized between the Security Management Servers / Multi-Domain Security Management Servers in High Availability configuration:

  • $FWDIR/conf/lists
  • $FWDIR/conf/XML
  • $FWDIR/conf/vs_repository
  • $FWDIR/conf/syslog
  • $FWDIR/conf/snmpTrap
  • $FWDIR/conf/recovery
Refer to sk104298.
01520619, 01521546

"The Converter failed to convert policy. Possibly wrong policy name." error in SmartDashboard during policy installation on an Edge device:

  • After creating rules with new R77.20 DHCP / DHCP Relay services per sk98839 (dhcp-request and dhcp-reply), policy installation on the Edge device fails with:

    Firewall and Address Translation Policy Verification:
    Failed during authorization_domains_list convertion
    Verifier warnings: The Converter failed to convert policy. Possibly wrong policy name. "Name_of_Policy"
  • Policy installation under debug per sk60745 (fwm -d load -S ...) shows:

    dhcp-reply Protocol type is not supported in Backward Compatibility mode
    Security Policy Verification Errors/Warnings:
    The Converter failed to convert policy. Possibly wrong policy name. "Name_of_Policy"
    Policy verification failed.
    ... ... ...
    dhcp-reply Protocol type is not supported in Backward Compatibility mode
    Objects conversion failed. Conversion failed.
Refer to sk57840 - "Scenario 7".
01493176, 01493994 Changes in the Administrator password and allowed GUI clients are not synchronized in Management High Availability deployment.
Refer to sk103053.
01492692, 01492806, 01526283 "router_load -cisco" command wrongly shows "Download was successful" although it was not able to connect to a Cisco OSE device (e.g., user does not have permissions to folder "/tftpboot").
Refer to sk102996.
01429626, 01431234, 01462250 "IPv6 addresses domain is not supported in Remote Access VPN community" error during policy installation, even though IPv6 is not enabled.
Refer to sk101506.
00740016, 01459891, 01521269, 01433486 Policy verification does not warn about rules containing Address Ranges.
Refer to sk102627.
01475712, 01477031 FWM process frequently crashes due to a memory leak on the Security Management Server.
Refer to sk106289.
01424274, 01424395 Policy installation on an Identity Awareness gateway with defined IPv6 address fails with "ERROR: forward declaration of table was not completed".
Refer to sk101396.
01416668, 01416792 "Failed to fetch the file" message when trying to open a packet capture in a SmartView Tracker log that was sent from VSX Gateway.
Refer to sk101210.
01457310, 01457392, 01474470;
01340727, 01392488
Sync with User Center in SmartDashboard (per sk94064) fails with "Internal Error: Failed to complete licensing information operation".
Refer to sk102186.
01459576, 01459702 "User" field in SmartView Tracker logs is masked with stars ****** even though this field is empty.
Refer to sk102251.
01459091, 01459410, 01657107, 01502815 "Warning: The IP address of the license does not match the IP address of the host" during policy installation or database installation.
Refer to sk105358.
Multi-Domain Security Management
01569400, 01571447

mds_backup fails with one of these errors:

  • Variable name too long
  • -: No such file or directory
Refer to sk104107.
01530792, 01531872 When running the mds_backup using "mds_backup -g -L best -d /var/backup/files -b -l >> /var/backup/mds_backup.log" command, the procedure is stuck at "Releasing all databases".
Refer to sk103741.
01421195, 01421714 Status of the Multi-Domain Security Management is shown as "Disconnected" from the High Availability Multi-Domain Servers.
Refer to sk101234.
01453094, 01453136 Global Policy fails to install due to a large number of target gateways.
01523435, 01523571 Pushing VSX configuration fails with "Domain Management Server <NAME_of_DOMAIN> is not responding".
Refer to sk103616.
01471409, 01473195 "shell-init: could not get current directory: getcwd: cannot access parent directories" error during upgrade from SecurePlatform to Gaia.
Refer to sk103843.
01446678, 01449567, 01450004 High memory and CPU usage of all Multi-Domain Management servers in a multi-site environment.
Refer to sk101830.
01452092, 01453486 After upgrading the MDS, Domain Manager user can no longer log into the Global SmartLog GUI:
"The connection to Multi-Domain Server 'x.x.x.x' has been refused because the database could not be opened".
Refer to sk105401.
01447813, 01447873

When reassigning/assigning/installing Global Policy in SmartDomain Manager and checking the box 'Install last Advanced Security Policy on all Gateways of assigned Domains', these errors are displayed about VSX Virtual Systems in Bridge Mode:

Name_of_Target_Domain : Starting Advanced Security Policy Installation Process
Name_of_Target_Domain : Advanced Security Policy Installation aborted - no candidates to install on
Name_of_Target_Domain : Target (Name_of_Virtual_System) - no policy is installed on this module. Can't select a policy to install

Refer to sk65321.
01476521, 01476560;
01422537, 01423420
"Unspecified error" or "Failed to create a new version" error in SmartDashboard during policy installation and/or when creating a new Database Revision Control version.
Refer to sk103407.
01488725, 01488755 After changing the administrator's Authentication Scheme from 'Check Point Password' to 'OS Password' with the 'mdscmd setadminauth <ADMIN_NAME> os' command, administrator is still able to authenticate in the SmartDomain Manager with 'Check Point Password'.
Refer to sk102946.
01473624, 01619573, 01622756, 01474743 FWM process in the context of MDS consumes CPU at 100% on all Multi-Domain Management Servers / Multi-Domain Log Servers.
Refer to sk105139.
01433686, 01433688, 00750155, 00747320, 00753738, 00782482, 00829978 "No license for FloodGate-1 Management" error when installing QoS policy from an R75 Domain Management Server.
Refer to sk69723.
01475120, 01475739 Gateway object Link Selection redundancy settings are not preserved when converted to Global object.
01606313, 01606356, 01672563, 01674054 "mdscmd" command with "-i" option fails to resolve the Domain Management Server Name by IP address.
Refer to sk105172.
01538298, 01538331 The "mdscmd adddomain ..." command / "mdscmd addlogserver ..." command creates a Domain Management Server / Domain Log Server with wrong build number - as a result, SmartDashboard shows "R77" version instead of the real version "R77.10" / "R77.20".
Refer to sk103958.
01441367, 01441431, 01805702 Login to an external SmartLog server GUI with MDM accounts fails with "Authentication failed" error.
Refer to sk101677.
01447215 Enhancement: The SmartDashboard shows a warning "This is restricted environment, access is allowed for authorized administrators only" prior to the Administrator session establishment.
Refer to sk102665.
01426687, 01431408, 01466682 "Failed to launch the application" error when right-clicking on a Log Server in the SmartDomain Manager to launch the SmartView Tracker.
Refer to sk101507.
01393866, 01398958 SmartDashboard allows spaces in the name of Cluster Virtual interface.
Refer to sk100470.
01445522, 01448852, 01450594 Fewer results when using the Objects list in SmartDashboard to search for an object by typing all or a part of its name.
Refer to sk101908.
01429170, 01444105, 01429397 Not possible to select a specific user when editing / creating an Identity Awareness Access Role in SmartDashboard:
Open Identity Awareness Gateway object - go to "Identity Awareness" pane - check the box "Identity Agents" - click on "Settings..." button - go to "Authentication Settings" section and click on "Settings..." button - in "Users Directories" section, check the box "LDAP users" - select "Specific" - click on the green [+] to add a user - a red [X] is displayed for all AUs, and users are never shown.
01399656, 01400353 Changes are not saved in "Threat Prevention" tab - open "Traditional Anti-Virus" - open "Security Gateway" - open "Mail Protocols" - click on "Mail Anti-Virus".
01444480, 01445833 The "Comment" section in the Application Control policy does not show all lines.
Refer to sk101906.
01522265, 01522660, 01523578
  • Anti-Spoofing setting changes to "Undefined" when a VSX cluster object is edited in SmartDashboard.
  • Policy installation fails with error: "The Topology information must be configured for object <Object Name>, interface <Interface Name>, in order to use the Anti-Spoofing feature".
Refer to sk92646.
01433872, 01434077 Cannot clear the options 'Timeframe' in 'Hits' column of rulebase.
Refer to sk101586.
01425798, 01426437 Incorrect time in the administrator notification state in SmartDashboard.
Refer to sk101426.
01415750 Query Syntax for the Firewall Policy to show rules that contain "Any".
Refer to sk101061.
01110639, 01414949 SmartDashboard fails to get IPS updates when a proxy server is configured via a Group Policy.
Refer to sk98078.
01407037, 01408005, 01460140 Checking the box "Automatically authenticate users from machines in the domain" is not saved in the Identity Awareness settings.
Refer to sk100789.
01458255, 01458503 Checking the box "Turn on QoS Logging" is not saved in Centrally Managed 600 / 1100 / Security Gateway 80 object.
Refer to sk102046.
01424705, 01426225 "Some URLs are invalid and therefore were not added" message in SmartDashboard when importing URLs from a CSV file.
Refer to sk101338.
01456672, 01456938 GuiDBedit Tool crashes on every search or double-click on any object.
Refer to sk116863.
01475618 SmartDashboard becomes unresponsive when navigating in the policy with SmartWorkflow blade enabled.
01456659, 01456848, 01570096 After renaming the Interoperable Device object, pre-shared secret disappears from the object.
Refer to sk102170.
SmartDomain Manager
01475299, 01476322 SmartDomain Manager crashes when attempting to connect to the Multi-Domain Security Management Server.
SmartProvisioning
01518762, 01520311 Edge devices managed by SmartProvisioning connect to the wrong VPN community after policy installation.
Refer to sk105683.
01439666, 01446485, 01449094, 01449266, 01461149, 01541541, 01556316 1100 Appliances managed by SmartProvisioning get wrong VPN certificate.
Refer to sk102033.
01443735, 01444059 SmartProvisioning design flaw when editing Office Mode interface in Edge configuration.
Refer to sk101868.
SmartEvent / SmartReporter
01412839, 01413746, 01441222, 01456781, 01553039, 01657422

"No relevant data found to generate report" message when generating one of the reports listed:

  • "Endpoint Security VPN Users Activity"
  • "Successful Logins"
  • "Login Failures"
  • "Login Activity"
Refer to sk100966.
01448260 "Validation error in field "corr_unit_list" of element #1 at object "OnlineJob" @ "Eventia Jobs"" when trying to select an object as the SmartEvent Log Server.
Refer to sk103533.
01431846, 01431972, 01491280, 01477751 DLP events are not created in SmartEvent even though there are DLP logs.
Refer to sk101491.
01558556, 01559070 .NET error "System.ArgumentOutOfRangeException: Value of 'XXX' is not valid for 'Value'. 'Value' should be between 'Minimum' and 'Maximum'" in SmartEvent GUI when accessing 'Policy' menu - 'Database Maintenance' after increasing the size of the SmartEvent database to more than 1 TB per sk69706 and installing the Event policy.
Refer to sk104241.
01408259, 01415653 SmartEvent reports for AD groups do not show all users.
Refer to sk101509.
01450736, 01453019, 01473184, 01479259, 01502583 Configuring SmartEvent to work with an LEA server on different ports with different authentication methods.
Refer to sk101928.
01477749, 01477950, 01502255, 01546478 SmartEvent dialog box is empty when working with 'Top Users' widget on 'Application & URL Filtering' tab in SmartDashboard.
Refer to sk102629.
01466229, 01466876, 01466862 Some reports are missing in SmartEvent GUI on the 'Reports' tab when logging in from Domain Management Server.
Refer to sk102272.
01474354, 01474971 postgres process on SmartEvent server consumes CPU at high level.
Refer to sk102660.
01572885, 01573246 SmartReporter fails to generate a report for selected hours with "ERROR: syntax error at or near ','LINE 1: SELECT MOD(((EXTRACT(HOUR FROM , SUM(...".
Refer to sk105840.
01496232 Application Risk events in SmartEvent show lower levels of risk than what is defined for the application.
01460348, 01460558
After creating a report, it is not possible to view the results in SmartReporter GUI and an error message is displayed.
Refer to sk61180.
01473131, 01473192, 01503175, 01584670 Generation of a user activity report while filtering on application fails.
Refer to sk102655.
01490072, 01490633 "Object name contains space" warning when adding a Log Field to a Filter in SmartEvent GUI.
Refer to sk112992.
SmartLog
01431950, 01432243 When using a special Permissions Profile, the username of an administrator that viewed the DLP 'Incident' logs in SmartLog GUI is not logged in the 'Management' ('Audit') logs in SmartView Tracker. Instead, the value 'localhost' is displayed in the 'Admin' column of the 'Management' ('Audit') logs.
Refer to sk101528.
SmartUpdate
01458259, 01459317, 01463006 SmartUpdate does not allow uploading files to Check Point Service Requests that start with the digit "5".
Refer to sk102133.
01470728, 01471607 Contracts update from the User Center in SmartUpdate fails with "Could not fetch contracts from User Center" error on computers with SecureClient installed.
Refer to sk102429.
01483090, 01489826 cpinfo generation via SmartUpdate with "add log files" option fails.
Refer to sk102826.
Cluster
01564004 Cluster Global ID, configurable in First Time Wizard and persistent after upgrade, resolves issues when multiple clusters are connected to the same network segment.
Refer to sk25977.
01444923, 01447368 Proxy ARP entries for Automatic NAT rules are not written to the ARP table on VRRP Cluster.
Refer to sk101907.
01438669, 01447467 CCP transmission mode (multicast, broadcast) is not persistent across a CPUSE upgrade.
Workaround: After the CPUSE upgrade is completed, set the desired CCP transmission mode per sk20576 (with "cphaconf set_ccp <multicast|broadcast>" command).
01496890 Starting in Gaia R77.20 and Gaia R75.47, the $FWDIR/conf/discntd.if file is not needed anymore. An interface that is not part of the cluster topology is treated as "disconnected".
Refer to sk69180.
01462163, 01465843, 01577576 Simultaneous ping to IPv6 addresses of cluster members and to Cluster Virtual IPv6 address does not work.
Refer to sk102235.
01434159, 01440652, 01554504, 01600743 ClusterXL administrators cannot suppress the messages printed by the Cluster Under Load (CUL) mechanism (see sk92723) in the /var/log/messages file and in the dmesg.
Refer to sk101649.
01401092, 01404180, 01473298, 01501607, 01614412, 01621354, 01625365 RouteD daemon might consume CPU at a very high level on a ClusterXL member running Gaia OS, when there are issues with cluster sync interfaces.
Refer to sk102737.
01312467, 01354117, 01472107, 01461376 Although CCP mode is set to Broadcast, Delta Sync packets are sent over Sync interface(s) as Multicast.
Refer to sk101132.
01444902, 01445205, 01568063 ClusterXL interfaces are not displayed correctly in SmartView Monitor.
Refer to sk101891.
01449608, 00267074, 01510489 Random failovers in VRRP cluster with configured BGP on Gaia OS.
Refer to sk102006.
01434159, 01440652 Suppress the Cluster Under Load (CUL) messages in the /var/log/messages file and in the dmesg.
Note: Must set the value of kernel parameter fwha_enable_cul_logging to 0.
Refer to sk101649.
01394541, 01481322, 01394737;
01392662, 01495372, 00267059
Standby cluster member with enabled SecureXL drops packets on Anti-Spoofing when VMAC mode is enabled.
Refer to sk100405.
01489439, 01509596, 01510332 VRRPv3 cluster on Gaia OS goes into Master / Master state after failover is initiated over IPv6 links.
Refer to sk102850.
01443738, 01495302, 01560272, 00267123 RouteD process (routed -N) consumes CPU at 100% on a cluster member running Gaia OS.
Refer to sk102436.
01516713, 01546299, 01546302, 01547500, 01582543 RouteD daemon might consume CPU at high level on Standby / VRRP Backup cluster member running Gaia OS.
Refer to sk105863.
01544799, 01545225, 01644686 Some interfaces are missing in the output of "cpstat -f all ha" command on VRRP / OPSec cluster members running Gaia OS compared to the output of Clish command "show vrrp summary" and output of Expert command "cphaprob -a if".
Refer to sk105868.
01532706, 01536326, 01651492, 01653126, 01655747, 01656044 RouteD daemon might crash on a Gaia VRRP cluster member if a fail-over is triggered on an interface with VLANs.
Refer to sk105957.
00264335, 00266279 Output of Gaia Clish command "show vrrp summary" might incorrectly show "VRRP: VRRP not enabled" during VRRP failover in Gaia VRRP cluster.
Refer to sk112614.
01415023, 01432373

State of R77.10 / R77.20 ClusterXL member changes to "Down" due to Critical Device "Interface Active Check" in this scenario:

  1. Monitoring of the lowest and highest VLANs is enabled (default; fwha_monitor_low_high_vlans=1)
  2. A new VLAN is added on the ClusterXL member with VLAN ID, which is lower/higher than any existing VLAN ID
Refer to sk106776.
01476281, 01477456, 01515235, 01593791 After fail-over in VRRP cluster, the connection to VRRP VIP address is wrongly NATed (folded) to the physical IP address of previous Master member (now Backup member) instead of being NATed to the physical IP address of new Master.
DLP
01563293, 01570131, 01570138 DLP is not enforced on Korean language.
Refer to sk102548.
01517177, 01280494, 01511668, 01530458;
01522782, 01530038
"DLP Recipients" field in DLP log contains truncated e-mail addresses.
Refer to sk103635.
01384209, 01394596 DLP Gateway occasionally hangs/freezes due to crash of 'fwdlp' process.
Refer to sk100407.
01495884, 01496456 DLP Gateway might crash during DLP session.
Refer to sk103070.
IPS
01402677, 01502447, 01554541, 01409267, 01657016 DNS 'NOTIFY' (Zone Change Notification) packets are dropped by the IPS blade with SmartView Tracker log "Non Complaint DNS - Illegal number of Resource Records".
01424004, 01430984, 01432213, 01457549, 01467431, 01468837, 01481392, 01493902 RTSP over HTTP traffic might cause high CPU load on the Security Gateway when HTTP inspection on non-standard ports is enabled.
Refer to sk103113.
00508495, 01087845, 01573511, 01573552, 01433163 Security Gateway with enabled IPS blade might crash in "cmi_context_get_status ()" function.
Refer to sk104642.
01473260 Permanently setting the desired value of kernel parameter fwpslglue_log_ctrl in the $FWDIR/boot/modules/fwkern.conf file does not survive policy installation or reboot - the value is reset to the default value.
Refer to sk63160.
01481858, 01481996, 01498296 'Follow Up' flag disappears from IPS logs in SmartView Tracker. No logs are shown in SmartView Tracker - 'Network Security Blades' - 'IPS Blade' - 'Follow Up' view.
Refer to sk102733.
01465073, 01472536, 01473776 Windows OS updates traffic is rejected by the IPS blade with "Block HTTP Non Compliant - Failed to handle connection data".
Refer to sk102671.
01412270, 01493901, 01451658 Kernel debug 'fw ctl debug -m WS + stream' (and 'fw ctl debug -m WS all') causes high load on CPU, which might cause the machine to freeze.
Refer to sk103111.
01488103, 01560056, 01511647 IPS protection "TCP Off-Path Sequence Inference" drops TCP packets originated by Security Gateway.
Important Note: The default value of kernel parameter psl_offpath_allow_local_packet is 1 (one).
Refer to sk104637.
Gaia and SecurePlatform
01401927, 01610334, 01402267 Security Gateway on Open Server using the be2net NIC driver might crash.
01434138, 01445642, 01492259, 01601885, 01614909 "syslogd: local sendto: Invalid argument" error in /var/log/messages file.
Refer to sk83160.
01398138, 01400820 Usage of a relative FTP path in the backup wizard can cause errors.
A comment was added to the Gaia Portal: "You should use full server side path to remote directory, e.g. /var/log/CPbackup/backups/".
01530077, 01531603, 01614907 Date stamp in R77.20 Gaia backup file was set to "DD_MMM_YYYY_HH_MM". Now it is derived from the Clish "set format date" setting.
Refer to sk104106.
01527601, 01529778 In the Gaia Portal - Network Management pane - Network Interfaces configuration, when editing a slave interface, which is shown on a different page from its parent Bond interface, the "IPv4" tab and "IPv6" tab are not grayed out (although they should be).
Refer to sk105839.
01502687, 01502803, 01505698;
01513530, 01513706;
01513535, 01513704

VMCORE dump file is not created correctly on a machine that has more than 4GB of RAM and runs Gaia OS with 32-bit / 64-bit kernel:

  • In Gaia OS with 32-bit kernel:
    VMCORE dump file created during the crash is incomplete - its size is only 1.9 GB
  • In Gaia OS with 64-bit kernel:
    VMCORE dump file is not created during the crash
Refer to sk103328.
01574444, 01575917, 01581226, 01594203, 01595732;
01600184, 01603889, 01605966
confd process consumes CPU at high level on Gaia OS due to large size of Gaia Database (/config/db/initial_db).
Refer to sk104761.
01149077, 01150321, 01150322, 01150323, 01288447;
01149080, 01150324, 01150325, 01150327, 01288450, 01540885, 01545648

Issues with default routes via PPPoE interfaces on Gaia OS:

  • All default routes are deleted when running multiple PPPoE tunnels and one PPPoE tunnel disconnects.

  • Multiple PPPoE tunnels with the same peer address cause RouteD daemon to exit (for example, two PPPoE tunnels receive the same peer address from the ISP, who is not willing to change such configuration).
    This message appears in /var/log/messages file:
    routed[PID]: if_get_address: duplicate address detected: X.X.X.X/Y
Refer to sk92948.
01433011, 01661885, 01433334, 01516391 "sudo: sorry, you must have a tty to run sudo" error upon SCP connection to Gaia OS using RADIUS user with default shell /bin/bash and uid=0 on the involved Gaia OS.
Refer to sk106044.
01482873, 01487355 Scroll stops working in Gaia Portal on "Network Interfaces" page inside the table with interfaces.
Refer to sk102799.
01426068, 01426160, 01445202, 01452026, 01469580, 01473270, 01500557, 01507021, 01513212, 01515176, 01515237 After reboot, Gaia system loads without Clish and without static routes.
Refer to sk101501.
01489986, 01490967, 01493295, 01495178, 01496126, 01496169, 01497490, 01499306, 01499337, 01499340, 01499343, 01502649, 01502699
New law in Russia regarding Daylight Savings Time 2014.
Refer to sk103054.
01488900, 01491395, 01505055 "tcpdump" / "arp" (and other) commands do not work when authenticating with a RADIUS user, even if the user is a SuperUser on Gaia OS (UID 0).
Refer to sk105175.
01467555, 01468600, 01614910
  • When running Clish command "show configuration", the user is sometimes logged out from Clish / SSH / console.
  • When running the command clish -c "show configuration" in Expert mode, the user is not logged out, but the command does not produce any output.
  • When running Clish command "save configuration <filename>", the command fails with "glibc detected" error, and only a part of the configuration is saved in the <filename>.
Refer to sk113266.
01423170, 01423468, 01437168, 01569853 "Authentication failure" error when authenticating with a TACACS user that has special characters in their password.
Refer to sk101332.
01471255, 01475263, 01496788 Gaia Clish is very slow when making any changes in the Gaia OS configuration.
Refer to sk102994.
01381595, 01385234, 01513659 RADIUS secret can be seen in Gaia Database - /config/db/initial file.
Refer to sk99039.
01430788, 01431074 Configuring an interface in Gaia Portal to obtain an IP address from DHCP causes all other interfaces with configured static addresses to lose their current IP addresses and also obtain an IP address from DHCP.
Refer to sk101513.
01530022, 01531035 Clish command "show asset all" returns incorrect Chassis and Motherboard information on 21000 appliances.
Refer to sk103711.
01502473, 01503130;
01502711, 01503132
IPv6 traffic from some hosts stops passing randomly through the Security Gateway / Active ClusterXL member running Gaia OS.
Refer to sk103226.
01488429, 01489353 Intermittent outages of TCP traffic on 10GbE interfaces in IP Appliances running Gaia OS.
Refer to sk102969.
01509559, 01510315 RouteD daemon might crash when running routing commands in Gaia Clish.
Refer to sk103432.
01402294 syslog messages forwarded by Gaia OS to an external Syslog server do not contain timestamp.
Refer to sk100727.
Note: Additional fix for timestamp format is required (Issue 01711921).
01442598, 01443242 A user created in Gaia Portal with '/bin/bash' shell and 'monitorRole' role gets admin permissions upon login - this user is able to execute any command in Expert mode and in Clish.
Refer to sk101650.
01383404, 01403777, 01408257, 01414106, 01419203 Intel X520-2 NICs (8086:10fb, 8086:0003) are not recognized by Gaia OS in 64-bit mode - output of Expert command 'ifconfig -a' or Clish command 'show interfaces' does not show these interfaces.
Refer to sk101412.
00267458, 01526068, 01539200, 01563854 Gaia IP Broadcast Helper does not forward Directed Broadcast traffic.
Refer to sk103963.
01414789, 01414851 User authenticated by TACACS does not see the 'Blades' and 'Network Configuration' widgets on Gaia Portal's "System Overview" page.
Refer to sk101088.
01354491, 01394076, 01394990
  • Output of Clish command "show configuration rba" shows that "readonly" roles have "readwrite" features.
  • Output of Expert command "grep roles /config/active" shows that roles only have the defined "readonly" features.
Refer to sk104009.
01577790, 01578357 syslog daemon crashes after enabling 'Send Syslog messages to management server' in the Gaia Portal.
Refer to sk113266.
01570045, 01570872, 01612421 Output of "raid_diagnostic" command shows "State:MISSING" for one of the hard disks on a Check Point Appliance with RAID / Open Server with RAID.
Refer to sk104580.
01469180, 01494277, 01502550, 01578108
  • After adding scheduled backup (add backup-scheduled) and setting scheduled backup (set backup-scheduled) in Gaia Clish, the command show backup-scheduled NAME returns:
    The scheduled backup is performed localy.
    The backup is not scheduled
  • Deleting the scheduled backup in Gaia Clish (with 'delete backup-scheduled NAME') does not delete its cron job - output of Expert command 'crontab -l' still shows the deleted scheduled backup (as '/bin/scheduled_backup NAME').
Refer to sk104878.
01429934, 01431285 In Gaia Portal, Link Status of VLAN interface defined on a Bond interface does not change when the Link Status of the Bond's physical slave interfaces changes.
Refer to sk101514.
01428735, 01432295, 01432973, 01518522, 01553076 Changes made in the value of 'vmalloc' in the /boot/grub/grub.conf file on Gaia OS do not survive reboot.
Refer to sk103506.
01410324, 01410662, 01571828 User is not able to connect to Gaia Portal after enabling Federal Information Processing Standards (FIPS) compliance in Windows OS.
Refer to sk100994.
01445836, 00267031, 01465986 /var/log/messages file on Gaia OS repeatedly shows: routed[PID]: ifa_unnumbered_find_proxy: no proxy interface found.
Refer to sk101899.
01547769, 01550478 Gaia Portal crashes with error "Unable to connect to the server. Press OK to reconnect." when a TACACS / RADIUS user with "adminRole" privileges changes "Roles" settings in Gaia Portal.
Refer to sk91420.
01458064, 01519461, 01355465 "cp_ipaddrs:SIOCGIFCONF failed: Bad address" error when starting a user mode process under valgrind on Gaia OS 64-bit.
Refer to sk103768.
01515984, 01516394 NTP synchronization does not work when using the FQDN of the NTP server instead of the IP address.
Refer to sk104819.
01493236, 01510892, 01493666 Output of top command shows that monitord and confd processes consume CPU at 100%.
Refer to sk102988.
01396067, 01397262 Login to Gaia Clish fails with "CLINFR0819 User: admin denied access via CLI" after clean installation.
Refer to sk100418.
01517800, 01520211, 01520218, 01520221
  • "Gaia Web-UI recognized a non-valid input data" error when adding SNMP Trap receiver in Gaia Portal.
  • "NMSSNM0025 Community names cannot contain spaces or special characters" error when adding SNMP Trap receiver in Gaia Clish.
Refer to sk107513.
01400893, 01401536, 01406408, 01521366 Hosts connected to a Gaia machine with enabled DHCP Server do not receive IP addresses.
Refer to sk100545.
01445570, 01445768, 01459433

Gaia command config_system (sk69701) does not complete the configuration:

  • Configuration of the Security Management Server product / Log Server product
  • Configuration of the Default Gateway on Gaia OS
  • Configuration of the SmartEvent Server product and Correlation Unit product
Refer to sk101712.
01458160, 01461805, 01470402, 01510462, 01511898, 01512051 Output of "ps auxw" command after reboot shows multiple "clishd" processes in state "Z" (zombie) with "defunct" arguments.
Refer to sk105953.
01521745, 01522591, 01647302 "Nothing needed to be done" is returned when running "set user <username> lock-out off" command in Clish to unlock a user that was locked out per the "Deny Access to Unused Accounts" configuration.
Refer to sk103596.
01474647, 01499686, 01496521 RouteD daemon crashes due to a memory leak in a Cluster with exactly two members when RouteD sync connection is re-established by the Standby cluster member.
01558083, 01559220 The output of the "ss -a" command does not show all ports and their current state. Refer to sk104245.
01499739, 01500368, 01652671, 01658690 "syslogd" daemon crashes after a reboot of the Gaia OS. Refer to sk103254.
01576134, 01585104, 01585189, 01613901 "RTGRTG0019  tclproc: can't read "Part_Of_Password_After_$_Character": no such variable" error in Gaia Clish after entering OSPF secret that contains "$" character(s).
Refer to sk106305.
01406917, 01407062 State of VLAN interface that was created on Bond interface and was administratively set to "Down", is changed to "Up" after adding a comment on the Bond interface.
Refer to sk100788.
01537857, 01842664, 01547505 Gaia Portal - "Network Management" section - "Network Interfaces" page might get stuck (does not load entries) if multiple interfaces (several dozen) are configured.
Refer to sk108435.

VPN
Enhancement: Policy Installation shows a warning if there is a VPN community with a weak encryption algorithm:

"Community <COMMUNITY_NAME> is configured with the <ENCRYPTION_ALGORITHM> algorithm in IKE|IPsec Security Association ("<PHASE>"), which provides weak confidentiality."

These encryption algorithms are considered weak:

  • DES
  • DES-40CP
  • CAST
  • CAST-40
  • NULL
01413687, 01419272 Enhancement: Print all Visitor Mode clients, their IP addresses and usernames.
Refer to sk106139.
01368629, 01443028 To comply with new Federal Information Processing Standards (FIPS) standards, certificates are no longer signed using a hash algorithm weaker than SHA-256.
01450978 To comply with new Federal Information Processing Standards (FIPS) standards, only these symmetric encryption algorithms are allowed on the Security Gateway (if other algorithms are configured, then policy installation will fail):


  • IKEv1, IKEv2: AES-GCM-128, AES-GCM-256, AES-CBC-128, and AES-CBC-256
  • ESP: AES-GCM-128, AES-GCM-256, AES-CBC-128, and AES-CBC-256
01404026, 01404567, 01556384, 01571967 The SSL Network Extender VPN portal is available on port 444 in clear. Refer to sk100646.
01503050, 01907907 Improved IKEv2 exchange.
01424048, 01424181, 01466269, 01520616, 01528345, 01554579, 01602916 Memory consumption on VPN Gateway constantly increases. Refer to sk102267.
01532401, 01539196, 01560781, 01621047, 01621087 Remote Access clients that authenticate with username and password cannot connect to a Security Gateway working in Hybrid Mode if it does not have an ICA and uses a 3rd party certificate.
Refer to sk105566.
01500432, 01519542, 01552227, 01552900;
01585429, 01600788, 01600951
VPN tunnel cannot be established / no traffic passes when SHA-384 is configured for data integrity.
Refer to sk104578.
01430907, 01432266 Policy installation during link probing session sometimes causes VPN outage. Refer to sk101532.
01401345, 01401349, 01469398 A peer gateway in a Site-to-Site VPN that is the NAT-T responder cannot work with IKEv2.
01456238, 01595992 A Security Gateway with dual stack (IPv4 and IPv6) cannot work with a Cisco router in a Site-to-Site VPN.
01406280, 01571331, 01571340
L2TP authentication with a machine certificate sometimes fails on Windows client.
01078280, 01361857, 01377165, 01629560 Office Mode IP addresses are not correctly released from the DHCP Server.
00650516, 01287519 IKE Phase 1 with DAIP device fails after IP address of DAIP device was changed.
Refer to sk101911.
01478729, 01479380
"Failed to allocate an IP address" error when using ipassignment.conf file to assign Office Mode IP address.
Refer to sk95088.
01466380, 01466599 No logs are shown in SmartView Tracker when selecting 'Link Selection' or 'Permanent Tunnels' in 'VPN Feature' filter.
Refer to sk102332.
01269753 Traffic sent over VPN tunnel does not reach its destination because SecureXL does not start fragmenting the packets.
Refer to sk98070.
01468444, 01469027 IKE fails with message "Traffic Selector Unacceptable" if there are more than 255 Traffic Selectors.
Refer to sk102437.
01395684, 01402909 LDAP user fails to connect with Remote Access clients - error "Failed to download Topology".
Refer to sk100466.
01511779, 01536687, 01556032 VPND daemon crashes every ~30 minutes on Security Gateway due to memory leak. Refer to sk105841.
01493720, 01513252, 01551056 VPND daemon might crash during SSL handshake. Refer to sk104474.
01469093, 01469743, 01556273 VPND daemon might crash during logging.
01455936, 01456884, 01571134 Authentication to SNX / CheckPoint Mobile VPN with 3rd party certificate fails.
Refer to sk33319.
01340539, 01592300, 01369908 Some Remote Access users are not able to connect to large Remote Access VPN Communities.
Refer to sk105181.
01464632, 01465318 Client configured with always_connect enabled tries to reconnect even though the certificate is revoked or expired.
Refer to sk102408.
01395232, 01396707;
01532845, 01579042, 01535285
The vpn tu command shows the real IP address when using the command to show the tunnels, but when using one of the delete commands, it does not accept the real IP address to delete the tunnel.
Refer to sk100346.
01474694, 01558870, 01559881, 01559938, 01580640, 01606476;
01463675, 01559835, 01559883, 01559932, 01580632, 01606626, 01654788
Remote Access VPN clients are not assigned their static IP addresses configured in $FWDIR/conf/ipassignment.conf file, but from a general Office Mode IP Pool.
Refer to sk105162.
01434100, 01479667, 01437953 Check Point Security Gateway is not able to establish VPN tunnel correctly with Edge cluster after failover if Edge devices are managed by SmartProvisioning.
Refer to sk101680.
01453022, 01602039, 01453615, 01556311

Kernel memory leak detection procedure sk35496 shows memory leak in fwmspi.c:

;Starting SMEM alllocations report
... ... ...
fw_drv_fini: XXX bytes allocated by 'fwmspi.c:N' leaked at ... allocation time ...
... ... ...
FW-1: SMEM Leak in: fwmspi.c:N: smem bytes XXX, smem num of allocations YYY
... ... ...
;Ended SMEM alllocations report
01464684, 01469758, 01556271 Memory leak when there is an error saving data into kernel table "inbound_SPI".
01410361, 01439990 Certificate Signing Requests could only be encoded with UTF8 String, and not TeleTex string.
HTTPS Inspection
01418393, 01456436, 01467522, 01470952, 01471765, 01474667, 01479662, 01510285, 01516601, 01522323, 01546352, 01551219, 01556280, 01577129 Added ECDHE support to HTTPS Inspection and Multi Portals.
Refer to sk104717.
01482072 Improved HTTPS Inspection Bypass mechanism.
Refer to sk104717.
01439385, 01495016, 01493588, 01493594, 01481655, 01508906;
01433683, 01495015, 01493587, 01493590, 01481652, 01508914
Improvement in negotiation rate of HTTPS traffic through Security Gateway R76 and above.
Refer to sk103081.
01467047, 01495926, 01614223, 01624869 RC4 cipher is allowed for Inbound HTTPS inspection.
Refer to sk104095.
01521925, 01523439, 01539818, 01523437, 01523353 Security Gateway with enabled HTTPS Inspection crashes repeatedly.
Refer to sk108653.
Application Control
01522437, 01528311, 01528847, 01530694, 01539945 Application Control policy with distributed Identity Awareness rules may cause Security Gateway to crash when processing a UDP domain connection.
01412965, 01413413, 01500608, 01502786, 01516725, 01525401, 01551242, 01553991, 01554511, 01558819, 01575200 TLSv1 Server Hello packets being dropped by Application Control of HTTPS in SmartView Tracker and debug.
Refer to sk100971.
01518127, 01556228 Access to web sites fails with multiple "Internal System Error" logs from Application Control / URL Filtering.
Refer to sk64162.
00267191, 01493069, 01495399 Amount of transmitted traffic in Application Control Accounting logs is much higher than the amount of transmitted traffic reported by the relevant outbound interface (e.g., 'TX' counter in the output of 'ifconfig -a' command).
Refer to sk103071.
01457139, 01556295, 01457569 Traffic fails after rebooting the Security Gateway with enabled Application Control blade.
Refer to sk102135.
01653873, 01655271, 01655835, 01662792 HTTP traffic is blocked by Application Control with "HTTP parsing error occurred, blocking request (as configured in engine settings)" log.
Refer to sk106288.
URL Filtering
01430167, 01434385 URL Filtering blocks HTTPS web sites with "Internal System Error occured" log when "Categorize HTTPS sites" and "Fail-close" are enabled.
Refer to sk64162.
01448602, 01449446, 01450281

R77.20 URL Filtering blocks HTTPS traffic with this log in SmartView Tracker:

User <UserName> was blocked access to ... from <IP Address>

Source = <IP Address> and <UserName>
Protocol = tcp
Service = https (443)
Action = Block
Reason = Internal System Error occurred, blocking request (as configured in engine settings). See sk64162 for more information.

Refer to sk64162.
01466938, 01474787, 01476226

URL Filtering intermittently blocks some HTTPS requests with these SmartView Tracker logs:

Action = Block
Reason = Internal System Error occurred, blocking request (as configured in engine settings). See SK64162 for more information.

Refer to sk64162.
01431893, 01480952, 01433702

URL Filtering R76 and above blocks non-HTTPS traffic (e.g., SFTP) with "Internal System Error occurred" log in SmartView Tracker:

Blade = URL Filtering
Action = Block
Reason = Internal System Error occurred, blocking request (as configured in engine settings). See SK64162 for more information.

Refer to sk64162.
Threat Prevention (Anti-Bot / Anti-Virus / Threat Emulation)
01434059, 01436435, 01445037, 01448961, 01450819, 01457322 Anti-Virus and Threat Emulation blades miss inspection.
Refer to sk101708.
01536719 Threat Prevention policy is installed on all Security Gateways regardless of explicit Policy Targets.
Refer to sk104559.
01477760, 01549918 Security Gateway R77.20 fails to fetch new IntelliStore feeds for Anti-Bot / Anti-Virus.
Refer to sk102649.
01534587, 01550413, 01554630, 01562032 Security Gateway might crash when Threat Prevention "Fail Mode" is set to "Block all connections (Fail-close)".
Refer to sk104866.
01602329, 01613027, 01611875, 01611607 Amount of consumed memory constantly increases on a Security Gateway with enabled Anti-Virus blade.
Refer to sk105572.
01571753, 01578807, 01600189, 01627049, 01629010, 01634746 Specific web sites are not reachable when Anti-Virus/Anti-Bot blade is enabled and the packet is generated by the Security Gateway.
Refer to sk104638.
01428602, 01431817, 01441828, 01512656 SmartEvent shows "Severity = <4GB" in Anti-Virus / Anti-Bot event.
Refer to sk106130.
01532558, 01619863 /var/log/messages file on Security Gateway repeatedly shows "ld_commit_ex: Attempting to commit unbound ld 7981" during policy installation.
Refer to sk105545.
Identity Awareness
01427389, 01502416, 01427823, 01510189;
01427391, 01510361, 01427825;
01433720, 01502418, 01434036
It is not possible to exclude networks from Identity Awareness Captive Portal's keepalive feature.
Refer to sk101449.
01424973, 01425440, 01426025, 01482791, 01542491 Identity Agent on Mac OS X asks to trust the Identity Server's certificate during each boot.
Refer to sk101327.
01416765, 01410342, 01416767, 01424641, 01449848, 01410174, 01416765, 01424645, 01449845 Browser-based Authentication guests are timed out by Identity Awareness after 10 minutes.
Refer to sk101503.
01474077, 01555626, 01494408, 01474405 PDP daemon crashes when logging a MUH authentication.
Refer to sk105069.
01393374, 01420182, 01569611, 01569641, 01574012 When Identity Sharing configuration is used, it can take as long as 10 minutes for the components to sync after restart.
01470526, 01473354, 01608568, 01613406 User login events are logged by Identity Awareness as separate logins for different users if username is written in upper case letters, or in lower case letters - in all Check Point logs, the user is identified by the username with which the user has actually logged in - as if different user names were used ('USERNAME' / 'UserName' / 'username').
Refer to sk102398.
01574462, 01580691 In a VSX Gateway, Captive Portal's customized company logo is shared between all Virtual Systems. As a result, when the policy is installed on one of the Virtual Systems, customized company logos are overwritten on all the other Virtual Systems.
01505808, 01506056, 01556019 VPN clients authenticated by the RADIUS protocol are not in PDP listed groups. Therefore, they are not assigned to the correct Access roles.
01553174, 01553863, 01554012, 01569537 Identity Awareness RADIUS Accounting clients are not assigned their specific user-defined RADIUS Message Attributes.
Refer to sk105786.
01157206, 01159941, 01159942, 01159943, 01209559, 01321563, 01351162, 01363762, 01395591;
01459004, 01459085, 01489476

These messages appear repeatedly in $FWDIR/log/fwd.elg file on an Identity Awareness gateway:

  • CLogFormat::create failed - field already exists (xxx) of type (string) !
  • CFormatsDict::registerFormat - bad format string !
Refer to sk102171.
01505808, 01506056, 01556019 VPN clients authenticated by RADIUS protocol are not mapped to an Access Role.
Refer to sk105173.
01415512, 01418757 Output of "pdp monitor ip <IP_ADDRESS>" command on the Security Gateway shows multiple users associated with the same Source IP address.
Refer to sk101115.
01425676, 01431642
Identities are not shared with all gateways.
Refer to sk101369.
01552306, 01555558 Output of command "pep show user query cid <IP_Address_of_Terminal_Server>" does not show any identities when Identity Agent is installed on Terminal Server / Citrix Server.
Refer to sk104115.
01494506, 01494654 Output of 'fw tab -s | grep -E "PEAK|pep"' command on Identity Awareness Gateway shows that the current (VALS) number of entries and the peak (PEAK) number of entries in the pep_identity_index table has reached 25000.
Refer to sk103221.
01403516, 01487394 PEPD process consumes CPU at 100%.
Refer to sk100641.
01507444, 01510887 Improved handling of URL in Captive Portal.
01432854, 01433432 After a failover in a VRRP cluster, the connection between the PDP and the PEP stays connected to the "old" MASTER PEP.
01438363, 01439077 "MADService.exe" process consumes CPU at high level on the Terminal Server.
01376945, 01585397;
01383114, 01471725 
Memory leak in PDPD daemon related to ADQuery.
Refer to sk106422.
01410448, 01419319 "Table pdp_sessions entries limit (90000) reached" critical system alert messages repeatedly appear in SmartView Tracker.
Refer to sk101288.
01459986, 01471398 "Group membership of the required account (user or machine) could not be retrieved from the AD" log from Identity Awareness blade in SmartView Tracker.
Refer to sk106133.
01410233, 01525141, 01834591, 01862252 Improved generation of new session ID (to make sure this ID is not assigned to some other basic or super session).
Mobile Access
01361273, 01438252, 01437810

Enhancement: New Apache directive CvpnTranslateResponseHeader that enables the translation of URLs in the headers.

To add a new header:

  1. Edit the $CVPNDIR/conf/includes/Web_inside.location.conf file on Mobile Access gateway
  2. Search for CvpnTranslateResponseHeader
  3. Add your header using this format: CvpnTranslateResponseHeader <header_name>
  4. Save the file
  5. Reload the Mobile Access policy with cvpnd_admin policy command
01428128, 01431248;
01476439, 01476439
Mobile Access support for SHA-256 signed certificates.
Refer to sk101541.
01467856, 01471445, 01613474, 01614665 Link Translation domain does not work - some links are not included/excluded from translation domain.
Refer to sk105565.
00776003, 01323079, 01323080, 01346323, 01360113, 01376976, 01377147, 01393090, 01394078, 01397611, 01408848, 01476174, 01495176, 01513491 Traffic initiated from internal host towards SSL VPN client is dropped with "Unauthorized SSL VPN traffic" log.
Refer to sk97811.
Note: Must add a new variable in Check Point Registry on Management Server - 'SNX_ALLOW_GW_TO_GW' and set its value to 1.
01499536, 01501020, 01499541, 01501008, 01501161, 01501308, 01501438, 01501891, 01526621 Push Notifications are not received on the mobile phones due to IPS protection "Secure Socket Layer (SSL) v3.0".
Refer to sk103080.
01459334, 01463070, 01569322 HTTP Based SSO authentication fails to internal Web / Application servers if Single Sign On (SSO) is disabled in the application properties.
Refer to sk102308.
01432236, 01432548 The Mobile Access portal homepage does not show the time zone for the last logon.
01410021, 01410492;
01430262, 01430684
Disabling Mobile Access 'Content-Analyzer' feature for specific host.
Refer to sk101076.
01367460, 01373577 "This content cannot be displayed in a Frame" error when accessing an application through Mobile Access using Hostname Translation (HT).
Refer to sk99072.
01399802, 01402334, 01513710 When a user connects to two e-mail accounts using ActiveSync (for example, a personal account and a group account) from a single mobile device, multiple Mobile Access sessions are created (instead of two expected sessions).
Refer to sk100552.
01273495, 01368685, 01368687 Padding in the HTTP POST request body causes an internal server error.
Accessing Mobile Access Portal applications takes a very long time.
Refer to sk105525.
01456061, 01463349, 01569353 Kerberos authentication fails on Mobile Access Gateway.
Refer to sk102194.
01508210, 01508222 Mobile Access Blade option to change language in webmail does not work.
Refer to sk104001.
01450216, 01452166, 01575638 Mobile Access blade translates all URLs with IP addresses.
Refer to sk102032.
01454984, 01455527, 01463441 Windows Domain specified in Single Sign On (SSO) configuration of File Shares applications is not enforced by Mobile Access.
Refer to sk102307.
01399854, 01400184, 01531213 When enabling ESOD, Mobile Access policy installation fails with "Failed to install policy on Mobile Access blade - previous configuration is used".
Refer to sk100539.
01512514, 01512731 Mobile Access Blade connectivity issue to Citrix server.
01498075, 01498678 Disables SSLv3 (and forces TLSv1.0) in Mobile Access Blade when connecting to internal HTTPS servers.
01417659, 01418553 "This file is invalid for use as the following: Personal Information Exchange" error during certificate enrollment process in the Mobile Access Portal when using a language other than English in the Mobile Access Portal.
Refer to sk101007.
01568636, 01550222 SSL sessions for outgoing connections are not resumed by Mobile Access gateway.
Refer to sk106423.
01465740, 01469307, 01493223, 01844638 Some web sites cannot be reached through Mobile Access Gateway with Hostname Translation.
Refer to sk108593.
01679094, 01866036 Mobile Access users do not receive push notifications if their usernames contain a domain name.
Refer to sk108836.
SNX
01443252, 01502258 New: Maximal SNX session duration can be increased from 1 day (1440 minutes) to 1 week (10080 minutes).
Refer to sk102288.
Dynamic Routing
00263386, 00266252, 01528113
New feature on Gaia OS: OSPF Graceful Restart with VRRP.
Refer to sk104441.
01539457, 01546505, 01567556, 01577303 Time stamps in RouteD traces on Gaia OS will be printed with milliseconds as well.
Refer to sk105852.
01448634, 01448859, 01450278 Security Gateway / Cluster Member on Gaia OS with configured BGP that uses MD5 Authentication might randomly crash (tcp_v4_calc_md5_hash(...) at crypto.h).
Refer to sk101976.
01524538, 01524594, 01526450, 01526769, 01594168 Missing BGP routes after failover in a cluster with BGP Graceful Restart configured on Gaia OS.
Refer to sk103724.
01563234, 01564383, 01565007 RouteD daemon on Gaia OS might crash due to memory leak when PIM Sparse Mode multicast is configured.
Refer to sk104518.
01565294, 01656917, 01573437 RouteD daemon in VRRP cluster might crash in a loop, if only one cluster member is active and it was rebooted or 'cpstop;cpstart' commands were executed.
Refer to sk106045.
01523452, 01531276;
01355732, 00265619;
00265931, 01645351, 01557546
RouteD daemon on Gaia OS might crash on cluster member when PIM Sparse Mode multicast is configured and multicast traffic arrives from peer cluster member.
Refer to sk104847.
00266170, 00266274, 00266193 PIM multicast traffic does not pass correctly through the Security Gateway on SecurePlatform Pro.
Refer to sk100219.
01544573, 01546503 Random flapping of OSPF neighbors in Gaia OS cluster under load.
Refer to sk105865.
01468506, 01470238, 01509726, 01509815, 01509822 Output of Clish command "show ospf neighbors" does not show any OSPF neighbors over the Virtual Tunnel Interfaces (VTI) if "Use Virtual Address" is enabled for OSPF.
Refer to sk105163.
01413420, 01414872 /var/log/messages file on VRRP cluster member running on Gaia OS with configured RIP repeatedly shows:
routed[PID]: cpcl_should_send() returns -1
Refer to sk106128.
01480023, 01496492 RouteD daemon might crash after the state of an interface changes several times (flaps) when OSPF with Graceful Restart is configured.
01366638, 01879973, 01438233 OSPF with enabled MD5 authentication is not establishing adjacency due to MTU mismatch.
Refer to sk109092.
01509785, 02083430, 01518596, 01518594, 01696761 RouteD daemon on Gaia OS / IPSRD daemon on IPSO OS might crash when processing PIM-DM traffic.
Refer to sk113622.
SecureXL
00266698, 00267039, 01437178, 01604531 Some connections are dropped as out of state after failover in ClusterXL HA mode on 21000 appliances with SAM card.
Refer to sk101287.
01557358, 01605468, 01557500 Security Gateway with enabled SecureXL and passing multicast traffic crashes every several days.
Refer to sk105854.
01574333, 01575168, 01921759, 01810487, 01704611 Improved SAM card log collection when host appliance crashes with "ADP slot N possibly hung" message.
01401927, 01402267, 01515140, 01610334, 01612989, 01613022 Security Gateway using the be2net NIC driver crashes when SecureXL is enabled.
01024708, 01479524, 01499685, 01500107, 01513093 SecureXL is now able to copy DiffServ mark from the packet's IP header (inner header) to the IPSec header of the encrypted packet after encapsulation (outer header).
Refer to sk105722.
01380466, 01529968, 01467341, 01467342;
01461944, 01559697, 01534647;
01465882, 01530180, 00267265, 00267264
Check Point 21000 series appliance with SAM card might crash when removing a slave interface from bonding group defined on SAM ports.
Refer to sk104358.
01426122, 01550640, 01443313, 01444855;
01429933, 01531479, 01443315;
01510636, 01523681, 01513427, 01513825
Check Point 21000 series appliance with SAM card crashes when disabling SecureXL during / after policy installation.
Refer to sk101451.
01385280; 01673919, 01489973, 01467347 Check Point 21000 series appliance with SAM card might crash due to exhaustion of all memory when there is an inbound clear traffic that should have been encrypted (such traffic is correctly dropped, but sending notifications from SAM card to the FireWall about such clear text packets received on encrypted connections might consume valuable memory).
01565618, 01577958, 01674183, 01677466 Check Point 21000 series appliance with SAM card might drop traffic with "Virtual defragmentation error: Timeout" log when sent over a VPN tunnel.
Refer to sk106292.
01458115, 00267136, 00267390, 01481039, 01513355, 01522999, 01526474, 01526491, 01528105, 01528107 When enabling SAM card with SecureXL and ClusterXL Unicast Mode, traffic is dropped.
Refer to sk102246.
01397083, 01397729, 01638997 SAM card on Check Point 21000 appliances might crash during boot if the number of configured CoreXL FW instances is equal to the number of CPU cores on the appliance (for example, there are 16 CPU cores, and 16 CoreXL FW instances were configured).
Refer to sk100546.
01499723, 01500455, 01675110, 01676648 21000 series appliance with SAM card might crash in a specific scenario when accessing the /dev/tilegxpci*/boot for reading or writing.
Refer to sk103209.
00266155, 00267073, 01674942

Enhancement for Check Point 21000 series appliance with SAM card: Statistics for network memory buffers are now available via "ipsctl -a" command under:

Description: An "mbuf" is a basic unit of memory management in the kernel IPC subsystem. Network packets and socket buffers are stored in mbufs. A network packet may span multiple mbufs arranged into a mbuf chain (linked list), which allows adding or trimming network headers with little overhead.
01392081, 01476360, 01392620, 01523990 SecureXL does not accelerate IPv4 packets with VLAN tag on a Security Gateway in Bridge mode when IPv6 is enabled.
Refer to sk100170.
01323769, 01516673 The Security Gateway might crash during boot if drop optimization is enabled in 'Firewall Policy Optimization'.
Refer to sk105182.
01472346, 00267397 When SecureXL is enabled, traffic through the VPN trusted interface is sent encrypted instead of clear.
Refer to sk102742.
01447865, 01448372 IPSO cluster member crashes when SecureXL is enabled and services are configured to start synchronization after a delay.
Refer to sk101909.
01475197, 01475246, 01476946, 01555628 Intermittent traffic outage on a Security Gateway with enabled NetFlow.
Refer to sk102553.
01560458, 01560789, 01561579, 01566368, 01567351, 01573268, 01573318 A Security Gateway configured in Monitor Mode (per sk101670) with enabled SecureXL might freeze intermittently.
Refer to sk105842.
01501271, 01505007, 01506385, 01514600 Output of "fwaccel stat" command shows:
Accelerator Status : off by Firewall (too many general errors (NUMBER) (caller: Name_of_Function)).
Refer to sk100467 (Scenario 2 - "Collision of partial connections in SecureXL due to SecureXL Optimized Drops feature").
00266712, 00266721, 00266756, 00266890, 00267014, 01531274, 01625640, 01625653, 01625654, 01625656 Additional information will be added to the core dump file if SAM card crashes.
01446679, 01448860, 01554558

Security Gateway might crash in this scenario:

  1. SecureXL is enabled
  2. Value of kernel parameter sim_ipsec_dont_fragment is set to 1
  3. VPN tunnel needs to pass fragmented packets
Refer to sk101219.
01475359, 01631637, 01479665 SecureXL in Virtual Router drops packets on Anti-Spoofing if SecureXL is disabled on the connected Virtual System (example topology: Host - VS with SXL off - VR with SXL on - Host).
00266889, 01516730 SecureXL instability when SecureXL NAT Templates are enabled and Hide NAT is configured on VSX.
Refer to sk106709.
01778058, 01745305, 01545578, 01605342 SecureXL sends the traffic with Destination MAC Address 00:00:00:00:00:00.
Refer to sk107436.
01585371, 01809152, 01585371 Security Gateway with enabled SecureXL and IPSec VPN blade might crash when traffic passes over VPN tunnel.
Refer to sk107912.
01532511, 01532943
  • IPv6 traffic does not pass through Security Gateway with configured CoreXL IPv6 FW instances.
  • Kernel debug ('fw ctl debug -m fw + drop') shows that IPv6 traffic is dropped by CoreXL SND:
    ;[cpu_X];[fw6_X];fw_log_drop_ex: Packet proto=58 ... dropped by fwmultik_dispatch_outbound Reason: No instance (outbound);
Refer to sk93000.
01441450, 01626569, 01447005 CoreXL cannot be enabled on the Security Gateway in this scenario:
  • IP Pool NAT is already enabled
  • IPv6 is already enabled
Refer to sk105886.
01061497, 01552423 Traffic that depends on Dynamic Objects stops passing after policy installation - it is actually dropped by the rule that should accept it.
Refer to sk107079.
01386525, 01391815;
Gaia OS / SecurePlatform OS: Compliance errors in SMI syntax in Check Point MIB files show in MIB browsers or MIB validation websites.
Refer to sk73440.
01427113, 01427355 Gaia OS: SNMP VRRP Traps do not appear in Gaia Clish / Gaia Portal after upgrading from R77.
Refer to sk101407.
01289099, 01289976, 01289977, 01289978, 01312680, 01359227, 01380612, 01395468, 01428848, 01493327 Gaia OS: "Could not resolve 'Sensor' within the trap 'Trap'" errors in Spectrum CA when importing Check Point 'GaiaTrapsMIB.mib' file.
Refer to sk97410.
01466901, 01473389, 01467051, 01493167, 01634466 Gaia OS: SNMP functionality breaks intermittently (stops answering SNMP Queries, stops sending SNMP Traps).
Refer to sk102271.
01446615, 01447324 Gaia OS: "The value of sensor could not be read" error in /var/log/messages file and SNMP Traps about hardware sensors are sent repeatedly.
Refer to sk101898.
01421392, 01422059;
01421419, 01422061
Gaia OS: Querying Check Point SNMP OID . returns IPv4 addresses instead of IPv6 addresses.
Refer to sk101231.
01428542, 01428702 Gaia OS: SNMP Trap for a monitored process that runs under different names generates SNMP Trap Alert although this process is not down.
Refer to sk101446.
01481801, 01490663 Gaia OS: SNMPD daemon occasionally crashes with a segmentation fault.
Refer to sk103817.
00431330, 01217380;
00560935, 01240901

SecurePlatform OS:

  • Although multiple 'trap2sink' commands were added to /etc/snmp/snmpd.conf file, the 'snmpmonitor' sends traps only to the sink server specified in the last 'trap2sink' entry in /etc/snmp/snmpd.conf file.
  • SecurePlatform OS sends SNMP Traps with 'public' community name, although a different community was configured in /etc/snmp/snmpd.conf file.
Refer to sk66581.
01523786, 01528656 Gaia OS / SecurePlatform OS: SNMP configuration per RFC2925 "DISMAN-PING-MIB" does not work.
Refer to sk103817.
01530562, 01534523, 01579063 Gaia OS / SecurePlatform OS / X-Series XOS: SNMP v1 query on port 260 (via CPSNMPD daemon) for Check Point OIDs (. returns "Wrong Type (should be INTEGER): Counter32".
Refer to sk105178.
01455870, 01666037, 01456126, 01555587 Gaia OS / SecurePlatform OS: SNMP Response for OID . ( is "Active" from all members of R77.20 ClusterXL High Availability mode.
Refer to sk106291.
01507852, 01508950 Gaia OS / SecurePlatform OS: SNMP request for OID 'fwAcceptBytesIn' and OID 'fwAcceptBytesOut' returns '0' on all interfaces.
Refer to sk105395.
01445626, 01512960, 01561558, 01585337;
01406101, 01433481, 01420495, 01515539;
01421738, 01520921, 01598784, 01614545;
01469339, 01474529, 01614538
Virtual System does not respond to SNMP query after in-place upgrade to R75.40VS / R76 / R77 / R77.10 / R77.20.
Refer to sk102232.
01367090, 01436486, 01436558

In VSLS, when a Management interface is disconnected from a cluster member:

  • Cannot install policy on Virtual Systems on the member with the disconnected Management interface
  • Active Virtual Systems on that member do not failover
01520879, 01523332 The "vsx_util view_vs_conf" command shows "!NH" for IPv6 interface routes configured on VSX.
Refer to sk105397.
01469254, 01470204 SNMP query for CPU usage by each Virtual System (OID returns 0 (zero) values.
Refer to sk102434.
01321203 During reboot of Active member in VSX cluster, the state of Standby member is "HA not started" instead of "Active".
Refer to sk98021.
01428068, 01430436
"NMINST0069 cannot access to the virtual-system" error when a user that is authenticated on RADIUS (rba role 'radius-group-any') connects to Security Gateway in VSX mode over SSH and tries to switch from context of VS0 to other contexts with "set virtual-system <VSID>" command (and output of "show virtual-system all" command is empty).
Refer to sk93507.
01427690, 01476310 Virtual System in HTTP/HTTPS Proxy mode intermittently stops passing traffic.
Refer to sk103122.
00890032, 01547534 "cphaprob syncstat" command on VSX cluster member fails with "get_fwha_debug_from_kernel: ioctl failed. size is 2048: Invalid argument".
Refer to sk104059.
01455016, 01455601, 01636910, 01638700 VSX machine with enabled IPv6 might crash when running 'netstat' command.
Refer to sk102028.
01459347, 01465758, 01465937, 01498468, 01547995 R77.10 / R77.20 VSX Gateway intermittently stops passing traffic during high traffic load.
Refer to sk102310.
01537853, 01539535 SNMP request for Virtual System's SIC state "vsxStatusSicTrustState" (OID . returns wrong data.
Refer to sk104035.
01620408, 01629040, 01629043, 01629049, 01629050, 01629051, 01636953 FWK process might crash with core dump when collecting kernel debug.
01493208, 01477107, 01646244 Improved stability of FWK process to resolve traffic being dropped with "Internal system error" log due to RAD timing out.
01396472, 01396841, 01619725

After issuing 'cpstop;cpstart' commands on the Standby VSX cluster member, the output of 'cphaprob -a if' command shows this state of the Sync interface configured on Bond interface:

  • The state of Sync interface as 'UP' in the context of VSX itself (VS0).
  • The state of Sync interface as 'DOWN' for each Virtual System.
Refer to sk100450.
01404063, 01413547, 01409322 VSX does not generate syslog messages and SNMP traps about Connections Table capacity.
Refer to sk106137.
01472068, 01499711, 01496518 Memory leak in RouteD daemon on VSX cluster.
01583403 After VSX Gateway reboot or start of RouteD daemon, static IPv6 routes between Virtual Routers are sometimes deleted.
01415749, 01481408, 01423985 VSX cluster member is in 'Down' state after reboot.
If SecureXL is disabled on Virtual System(s) and enabled on Virtual Switch(es), then SecureXL on Virtual Switch(es) would drop CCP packets due to a tagging issue. This causes a pnote 'Interface Active Check' on Virtual System(s) to report its status as 'problem', which in turn causes the VSX cluster member to report its state as 'Down'.
As an immediate workaround, disable SecureXL with the fwaccel off command in the context of the involved Virtual Switch(es).
01432186, 01436581, 01556086 MGCP traffic is NATed to port range of 10000.
Refer to sk101587.
01433546, 01439174, 01499676, 01526701

MGCP Call Agent and Media Gateway are not able to register in this scenario:

  1. SIP services are used in the rulebase
  2. MGCP service "mgcp_MG" is not used in the rulebase
Refer to sk102049.
00545410, 01431240, 01556349

VoIP SIP traffic without the '@' character in the 'FROM' or 'TO' part of the header (i.e., when there is no user) is dropped by IPS with this log:

Attack: Malformed SIP datagram
Attack information: "Illegall 'FROM' user in request packet"

Refer to sk68221.
Check Point appliances
01380239, 01381238, 01600716, 01600757, 01612423 "Error while reading mask" and "fw: Corrupt affinity value Unsupported" errors when running fw ctl affinity -l command on Check Point appliances 12000 / 13000 / 21000.
Refer to sk99078.
01610292 Policy installation on 1100 appliance object fails with "Commit function failed" error when the IPS "Recommended_Protection" or a manually created IPS profile is assigned to 1100 appliance object.
Refer to sk105217.
01463257, 01501391 Boot Menu is not seen during boot when connected via LOM card to Check Point Smart-1 25B, Smart-1 225 or 13500 / 13800 appliances.
Refer to sk102178.
01529412, 01529627, 01560695, 01562794 Slow traffic / traffic latency through RuggedCom Appliance.
Refer to sk103890.
01401670, 01402659 Gaia Clish command "show asset memory" returns wrong data on 12200 appliances.
Refer to sk100786.
01427915, 00266881 On IP Series Appliances running R77.10/R77.20, output of fwaccel conns command shows interfaces as offloaded to the ADP, even if there is no ADP card installed.
00266983, 00267068, 01557560 On IP1280 / IP1285 and IP2450 / IP2455 appliances, the VTT minimal value has to be changed to 1.045V.
Refer to sk92780.
This solution is about products that are no longer supported and it will not be updated
