• General
• Security Gateway
• Security Management
• Multi-Domain Security Management
• SmartDashboard
• SmartDomain Manager
• SmartProvisioning
• SmartEvent / SmartReporter
• SmartLog
• SmartUpdate
• Cluster

• DLP
• IPS
• Gaia and SecurePlatform
• Gaia
• VPN
• HTTPS Inspection
• Application Control
• URL Filtering
• Threat Prevention
• Anti-Spam
• Identity Awareness

• Mobile Access
• SNX
• Dynamic Routing
• SecureXL
• CoreXL
• SNMP
• VSX
• VoIP
• Check Point appliances

Memory leak detection procedure (sk35496) reports a memory leak:

• Policy installation on R77 Security Gateways fails with the following errors:

  "/opt/CPsuite-R77/fw1/conf/<POLICY_NAME>.pf , line N: ERROR: syntax error
... ... ...
"/opt/CPsuite-R77/fw1/conf/<POLICY_NAME>.pf , line N: ERROR: table <auth_services> has no predefined format
... ... ...
"/opt/CPsuite-R77/fw1/conf/<POLICY_NAME>.pf , line N: ERROR: table <client_was_auth> has no predefined format
... ... ...
"/opt/CPsuite-R77/fw1/conf/<POLICY_NAME>.pf , line N: ERROR: syntax error
Error compiling IPv6 flavor.
Compilation failed.
Operation ended with errors.
  
  
• UFP IPv6 logs in SmartView Tracker show wrong hit rate statistics.

• Security Gateway / VSX Gateway / Cluster member might crash while inspecting multicast traffic.
• SecureXL does not accelerate multicast traffic.

Threat Prevention policy installation fails:

• In SmartDashboard with "Compilation failed" error.
  
  

• When manually loading the policy under debug, with these errors:

  amw_add_key: fread() failed
amw_load: amw_add_key() failed
amw_load_main: amw_load has failed
main: amw_load_main() failed

Special sub-directories in $FWDIR/conf/ are not synchronized between Security Management Servers / Multi-Domain Security Management Servers in HA configuration:

• $FWDIR/conf/lists
• $FWDIR/conf/XML
• $FWDIR/conf/vs_repository
• $FWDIR/conf/syslog
• $FWDIR/conf/snmpTrap
• $FWDIR/conf/recovery

"The Converter failed to convert policy. Possibly wrong policy name." error in SmartDashboard during policy installation on Edge device:

• After creating rules with new R77.20 DHCP / DHCP Relay services per sk98839 (dhcp-request and dhcp-reply), policy installation on Edge device fails with:

  Firewall and Address Translation Policy Verification:
  Failed during authorization_domains_list convertion
  Verifier warnings: The Converter failed to convert policy. Possibly wrong policy name. "Name_of_Policy"
  

• Policy installation under debug per sk60745 (fwm -d load -S ...) shows:

  dhcp-reply Protocol type is not supported in Backward Compatibility mode
  Security Policy Verification Errors/Warnings:
  The Converter failed to convert policy. Possibly wrong policy name. "Name_of_Policy"
  Policy verification failed.
  ... ... ...
  dhcp-reply Protocol type is not supported in Backward Compatibility mode
  Objects conversion failed. Conversion failed.
  

mds_backup fails with one of these errors:

• Variable name too long
• -: No such file or directory

When reassigning/assigning/installing Global Policy in SmartDomain Manager and checking the box 'Install last Advanced Security Policy on all Gateways of assigned Domains', the following errors are displayed about VSX Virtual Systems in Bridge Mode:

Name_of_Target_Domain : Starting Advanced Security Policy Installation Process
Name_of_Target_Domain : Advanced Security Policy Installation aborted - no candidates to install on
Name_of_Target_Domain : Target (Name_of_Virtual_System) - no policy is installed on this module. Can't select a policy to install

• Anti-Spoofing setting changes to "Undefined" when a VSX cluster object is edited in SmartDashboard.
• Policy installation fails with error: "The Topology information must be configured for object <Object Name>, interface <Interface Name>, in order to use the Anti-Spoofing feature".

"No relevant data found to generate report" message when generating one of the reports listed:

• "Endpoint Security VPN Users Activity"
• "Successful Logins"
• "Login Failures"
• "Login Activity"

State of R77.10 / R77.20 ClusterXL member changes to "Down" due to Critical Device "Interface Active Check" in the following scenario:

1. Monitoring of the lowest and highest VLANs is enabled (default; fwha_monitor_low_high_vlans=1)
2. A new VLAN is added on the ClusterXL member with VLAN ID, which is lower/higher than any existing VLAN ID

VMCORE dump file is not created correctly on a machine that has more than 4GB of RAM and runs Gaia OS with 32-bit / 64-bit kernel:

• In Gaia OS with 32-bit kernel:
  VMCORE dump file created during the crash is incomplete - its size is only 1.9 GB
• In Gaia OS with 64-bit kernel:
  VMCORE dump file is not created during the crash

Issues with default routes via PPPoE interfaces on Gaia OS:

• All default routes are deleted when running multiple PPPoE tunnels and one PPPoE tunnel disconnects.
  
  
• Multiple PPPoE tunnels with the same peer address cause RouteD daemon to exit (e.g., two PPPoE tunnels receive the same peer address from the ISP, who is not willing to change such configuration).
  The following message appears in /var/log/messages file:
  routed[PID]: if_get_address: duplicate address detected: X.X.X.X/Y

• When running Clish command "show configuration", user is sometimes logged out from Clish / SSH / console.
• When running in Expert mode command clish -c "show configuration", user is not logged out, but the command does not produce any output.
• When running Clish command "save configuration <filename>", the command fails with "glibc detected" error, and only a part of the configuration is saved in the <filename>.

• Output of Clish command "show configuration rba" shows that "readonly" roles have "readwrite" features.
• Output of Expert command "grep roles /config/active" shows that roles only have the defined "readonly" features.

• After adding scheduled backup (add backup-scheduled) and setting scheduled backup (set backup-scheduled) in Gaia Clish, the command show backup-scheduled NAME returns:
  The scheduled backup is performed localy.
The backup is not scheduled
• Deleting the scheduled backup in Gaia Clish (with 'delete backup-scheduled NAME') does not delete its cron job - output of Expert command 'crontab -l' still shows the deleted scheduled backup (as '/bin/scheduled_backup NAME').

• "Gaia Web-UI recognized a non-valid input data" error when adding SNMP Trap receiver in Gaia Portal.
• "NMSSNM0025 Community names cannot contain spaces or special characters" error when adding SNMP Trap receiver in Gaia Clish.

Gaia command config_system (sk69701) does not complete the configuration:

• Configuration of Security Management Server product / Log Server product
• Configuration of Default Gateway on Gaia OS
• Configuration of SmartEvent Server product and Correlation Unit product

Enhancement: Policy Installation shows a warning if there is a VPN community with a weak encryption algorithm:

"Community <COMMUNITY_NAME> is configured with the <ENCRYPTION_ALGORITHM> algorithm in IKE|IPsec Security Association ("<PHASE>"), which provides weak confidentiality."

Where the following encryption algorithms are considered weak:

• DES
• DES-40CP
• CAST
• CAST-40
• NULL

• IKEv1, IKEv2: AES-GCM-128, AES-GCM-256, AES-CBC-128, and AES-CBC-256
• ESP: AES-GCM-128, AES-GCM-256, AES-CBC-128, and AES-CBC-256

Kernel memory leak detection procedure sk35496 shows memory leak in fwmspi.c:

R77.20 URL Filtering blocks HTTPS traffic with the following log in SmartView Tracker:

User <UserName> was blocked access to ... from <IP Address>

URL Filtering intermittently blocks some HTTPS requests with the following SmartView Tracker logs:

URL Filtering R76 and above blocks non-HTTPS traffic (e.g., SFTP) with "Internal System Error occurred" log in SmartView Tracker:

The following messages appear repeatedly in $FWDIR/log/fwd.elg file on Identity Awareness gateway:

• CLogFormat::create failed - field already exists (xxx) of type (string) !
• CFormatsDict::registerFormat - bad format string !

Enhancement: New apache directive CvpnTranslateResponseHeader that enables the translation of URLs in the headers.

To add a new header:

1. Edit the $CVPNDIR/conf/includes/Web_inside.location.conf file on Mobile Access gateway
2. Search for CvpnTranslateResponseHeader
3. Add your header using this format: CvpnTranslateResponseHeader <header_name>
4. Save the file
5. Reload the Mobile Access policy with cvpnd_admin policy command

Enhancement for Check Point 21000 series appliance with SAM card: Statistics for network memory buffers is now available via "ipsctl -a" command under:
net:dev:adp:ipsctl:slot:<N>:kern:mbuf:stats

Security Gateway might crash in the following scenario:

1. SecureXL is enabled
2. Value of kernel parameter sim_ipsec_dont_fragment is set to 1
3. VPN tunnel needs to pass fragmented packets

• IPv6 traffic does not pass through Security Gateway with configured CoreXL IPv6 FW instances.
• Kernel debug ('fw ctl debug -m fw + drop') shows that IPv6 traffic is dropped by CoreXL SND:
  ;[cpu_X];[fw6_X];fw_log_drop_ex: Packet proto=58 ... dropped by fwmultik_dispatch_outbound Reason: No instance (outbound);

• IP Pool NAT is already enabled
• IPv6 is already enabled

SecurePlatform OS:

• Although multiple 'trap2sink' commands were added to /etc/snmp/snmpd.conf file, the 'snmpmonitor' sends traps only to the sink server specified in the last 'trap2sink' entry in /etc/snmp/snmpd.conf file.
• SecurePlatform OS sends SNMP Traps with 'public' community name, although different community was configured in /etc/snmp/snmpd.conf file.

In VSLS, when a Management interface is disconnected from a cluster member:

• Cannot install policy on Virtual Systems on the member with the disconnected Management interface
• Active Virtual Systems on that member do not failover

After issuing 'cpstop;cpstart' commands on the Standby VSX cluster member, the output of 'cphaprob -a if' command shows the following state of the Sync interface configured on Bond interface:

• The state of Sync interface as 'UP' in the context of VSX itself (VS0).
• The state of Sync interface as 'DOWN' for each Virtual System.

MGCP Call Agent and Media Gateway are not able to register in the following scenario:

1. SIP services are used in the rulebase
2. MGCP service "mgcp_MG" is not used in the rulebase

VoIP SIP traffic without the '@' character in the 'FROM' or 'TO' part of the header (i.e., when there is no user) is dropped by IPS with the following log:

Attack: Malformed SIP datagram
Attack information: "Illegall 'FROM' user in request packet"