|01469332, 01476439, 01431248, 01540945
||Check Point update and online services migration to SHA-256 based certificates.
Refer to sk103839.
|Check Point's response to Leap Second, introduced in UTC on 30 June 2015.
Refer to sk104560.
||Check Point's response to CVE-2015-0235 (glibc - GHOST).
Refer to sk104443.
||Check Point's response to TLS FREAK Attack (CVE-2015-0204).
Refer to sk105062.
||Check Point's response to TLS 1.x padding vulnerability.
Refer to sk103683.
|Check Point's response to the POODLE Bites vulnerability (CVE-2014-3566).
Refer to sk102989.
Note: All the fixes mentioned in sk102989 were integrated.
|Check Point's response to CVE-2014-6271 and CVE-2014-7169 Bash Code Injection vulnerability (Shellshock).
Refer to sk102673.
|01516988, 01552223, 01525773
||Security Gateway / Active cluster member might, in rare cases, crash when one of these blades is enabled: IPS, URL Filtering, Application Control, Anti-Bot.
Refer to sk104250.
||Security Gateway configured as a Proxy occasionally stops processing all traffic.
Refer to sk102134.
|01430609, 01432668, 01438923, 01450221, 01555515, 01570507, 01585395
||Security Gateway with enabled Non-Transparent Proxy causes some sites to no longer function properly, because HTTP 'OPTIONS' method is not recognized by the Security Gateway in Proxy mode.
Refer to sk102188.
|01426380, 01428952, 01556352
Memory leak detection procedure (sk35496) reports a memory leak:
;FW-1: In fw_hmem_report_leaks
;fw_drv_fini: XXX bytes allocated by 'fw_spii_pset_create' leaked at ...
... ... ...
;FW-1: fw_hmem_stat_report: total unfreed hmem allocations: ..., bytes ...
;Starting SMEM alllocations report
... ... ...
;FW-1: Leak in: fw_spii_pset_create: hmem_bytes ...
;Ended SMEM alllocations report
... ... ...
;FW-1: In fw_hmem_report_leaks
Refer to sk101330.
|01407754, 01413708, 01416985, 01425115, 01425120, 01456747
||NFS-RPC traffic passes the Security Gateway when there is a rule that contains ALL_DCE_RPC service.
Refer to sk101128.
|00267452, 01526619, 01535357, 01529160
- Security Gateway / VSX Gateway / Cluster member might crash while inspecting multicast traffic.
- SecureXL does not accelerate multicast traffic.
Refer to sk103698.
|01321419, 01380507, 01393458, 01412903, 01446442, 01457510, 01488685, 01535858, 01535870, 01570407, 01576250
||"funcchain" process frequently crashes with core dump file on the Security Gateway.
Refer to sk98151.
|01513354, 01513406, 01513829, 01513872, 01513875
||The Security Gateway might crash when IPv6-over-IPv4 security rule is configured, but IPv6 is disabled.
Refer to sk103526.
|01443734, 01445232, 01446201
||IPv6 ICMP traffic is dropped by "0 - Implied Rules".
Refer to sk102390.
|01445232, 01443734, 01446201
||ICMPv6 traffic is dropped by the Security Gateway if there is a Firewall rule that contains the ssh2 service.
Refer to sk102390.
|01433313, 01433710, 01482416
||Policy installation fails due to a timeout on the Security Gateway with Broadcom NetXtreme interfaces that use bnx2x driver.
Refer to sk101547.
||TCP traffic is dropped on "IP options", and problematic IP option could not be found in kernel debug.
Refer to sk94085.
||The Security Gateway might crash during policy installation in rare scenarios.
Refer to sk102787.
||Memory consumption on the Security Gateway constantly increases.
Refer to sk103077.
||The Security Gateway might crash when working with Multi-Portal.
Refer to sk104698.
|01414168, 01420268, 01414888, 01416219, 01440122
||"Fetch Settings From Device: getStaticRoutes - no nextop type found for key X.X.X.X/Y" error in SmartDashboard after adding static routes on a Security Gateway in the Gaia Portal.
Refer to sk100611.
||The Security Gateway logs locally and does not attempt to reconnect to the Security Management Server / Domain Management Server / Log Server after restart of the Security Management Server / Domain Management Server / Log Server.
Refer to sk103760.
|01246785, 01561569, 01355222
||"Installation failed. Reason: Load on module failed, failed to load security policy" error in SmartDashboard when installing policy from the Security Management Server R77 (and above) onto Security Gateways R76 and lower.
Refer to sk33893.
|01516302, 01516817, 01556237
||Fetching policy on a DAIP gateway fails with "External interface is not properly defined. Please run cpconfig to define it."
Refer to sk103819.
|01495958, 01496338, 01496872, 01499687
||The FWD process on the Security Gateway might crash when working with Proxy ARP.
Refer to sk103214.
||Mounting a directory using NFSv3 over IPv6 through the Security Gateway fails because traffic is not matched to the relevant rule.
Refer to sk105843.
||Improved inspection of the CIFS protocol.
|01506203, 01506203, 01518764
||Improved inspection of the RPC protocol.
|01433903, 01446782, 01526229
||"fw tab -s" command might fail to print the output with "Failed to get table status for .." when there are multiple security rules with numerous Domain Objects.
Refer to sk106132.
||Client Authentication logs for Single-Sign On are always generated even if "Successful Authentication Tracking" in Client Authentication properties is set to "None".
Refer to sk106131.
||Memory leak in in.ahttpd daemon.
|01462129, 01462555, 01481937, 01598761
||Enhancement: Configure ISP Redundancy Link to fail over, only when all configured hosts are not answering to pings.
Refer to sk102848.
|01469476, 01489869, 01523002, 01539690, 01466177
||A Security Gateway with enabled SecureXL might crash when processing a packet with Multicast Source IP address and Unicast Destination IP address.
Refer to sk108818.
|01446920, 01447343, 01476881
||Added debug prints in the FWD process for sending logs to OPSEC LEA clients.
|01445077, 01445354, 01576280
||Log actions are not filtered by the fw log -c command.
Refer to sk101905.
||When defining an ICMP service with Type and Code and installing it on a Cisco router, the ICMP code value is ignored.
Refer to sk101500.
01189860, 01168429, 01433749
|Cannot connect OPSEC log service to the Security Management Server running on Windows OS.
Refer to sk101398.
||The cp_merge policy command overwrites the original policy. The policies should have merged.
01527202, 01531650, 01530121, 01530122, 01556090
|R76 / R77 / R77.10 / R77.20 takes a long time to reboot / start Check Point services.
Refer to sk103822.
||Policy Verification error is not displayed when installing policy on Clusters R75.X and lower with configured IPv6 address.
Refer to sk103734.
Threat Prevention policy installation fails:
Refer to sk105783.
||Policy installation on R77 Security Gateways fails with errors: "syntax error" and "table has no predefined format".
Refer to sk101330.
|01395422, 01396110, 01624406
||Policy installation fails with "Operation incomplete due to timeout" error.
Refer to sk109236 - Scenario 5.
|01408654, 01433847, 01501001
||During policy installation, SmartDashboard suddenly disconnects. After that Edge devices are not able to connect to this Service Center.
Refer to sk103118.
||"Failed to update administrator object (Reason: No write permission for object: XXX)" error in SmartDashboard when an Administrator with Read-Only permissions tries to change their own password.
Refer to sk103738.
|01533783, 01535163, 01576237
||"User" field shows "*** Confidential ***" in logs when connection to OPSEC server is on non-authenticated port (clear port).
Refer to sk101570.
|01552113, 01554842, 01554870
Special sub-directories in $FWDIR/conf/ are not synchronized between the Security Management Servers / Multi-Domain Security Management Servers in High Availability configuration:
Refer to sk104298.
"The Converter failed to convert policy. Possibly wrong policy name." error in SmartDashboard during policy installation on an Edge device:
Refer to sk57840 - "Scenario 7".
After creating rules with new R77.20 DHCP / DHCP Relay services per sk98839 (dhcp-request and dhcp-reply), policy installation on the Edge device fails with:
Firewall and Address Translation Policy Verification:
Failed during authorization_domains_list convertion
Verifier warnings: The Converter failed to convert policy. Possibly wrong policy name. "Name_of_Policy"
Policy installation under debug per sk60745 (fwm -d load -S ...) shows:
dhcp-reply Protocol type is not supported in Backward Compatibility mode
Security Policy Verification Errors/Warnings:
The Converter failed to convert policy. Possibly wrong policy name. "Name_of_Policy"
Policy verification failed.
... ... ...
dhcp-reply Protocol type is not supported in Backward Compatibility mode
Objects conversion failed. Conversion failed.
||Changes in the Administrator password and allowed GUI clients are not synchronized in Management High Availability deployment.
Refer to sk103053.
|01492692, 01492806, 01526283
||"router_load -cisco" command wrongly shows "Download was successful" although it was not able to connect to a Cisco OSE device (e.g., user does not have permissions to folder "/tftpboot").
Refer to sk102996.
|01429626, 01431234, 01462250
||"IPv6 addresses domain is not supported in Remote Access VPN community" error during policy installation, even though IPv6 is not enabled.
Refer to sk101506.
|00740016, 01459891, 01521269, 01433486
||Policy verification does not warn about rules containing Address Ranges.
Refer to sk102627.
||FWM process frequently crashes due to a memory leak on the Security Management Server.
Refer to sk106289.
||Policy installation on an Identity Awareness gateway with defined IPv6 address fails with "ERROR: forward declaration of table was not completed".
Refer to sk101396.
||"Failed to fetch the file" message when trying to open a packet capture in a SmartView Tracker log that was sent from VSX Gateway.
Refer to sk101210.
|01457310, 01457392, 01474470;
|Sync with User Center in SmartDashboard (per sk94064) fails with "Internal Error: Failed to complete licensing information operation".
Refer to sk102186.
||"User" field in SmartView Tracker logs is masked with stars ****** even though this field is empty.
Refer to sk102251.
|01459091, 01459410, 01657107, 01502815
||"Warning: The IP address of the license does not match the IP address of the host" during policy installation or database installation.
Refer to sk105358.
|Multi-Domain Security Management
mds_backup fails with one of these errors:
Variable name too long
-: No such file or directory
Refer to sk104107.
||When running the mds_backup using "mds_backup -g -L best -d /var/backup/files -b -l >> /var/backup/mds_backup.log" command, the procedure is stuck at "Releasing all databases".
Refer to sk103741.
||Status of the Multi-Domain Security Management is shown as "Disconnected" from the High Availability Multi-Domain Servers.
Refer to sk101234.
||Global Policy fails to install due to a large number of target gateways.
||Pushing VSX configuration fails with "Domain Management Server <NAME_of_DOMAIN> is not responding".
Refer to sk103616.
||"shell-init: could not get current directory: getcwd: cannot access parent directories" error during upgrade from SecurePlatform to Gaia.
Refer to sk103843.
|01446678, 01449567, 01450004
||High memory and CPU usage of all Multi-Domain Management servers in a multi-site environment.
Refer to sk101830.
||After upgrading the MDS, Domain Manager user can no longer log into the Global SmartLog GUI:
"The connection to Multi-Domain Server 'x.x.x.x' has been refused because the database could not be opened".
Refer to sk105401.
When reassigning/assigning/installing Global Policy in SmartDomain Manager and checking the box 'Install last Advanced Security Policy on all Gateways of assigned Domains', these errors are displayed about VSX Virtual Systems in Bridge Mode:
Name_of_Target_Domain : Starting Advanced Security Policy Installation Process
Name_of_Target_Domain : Advanced Security Policy Installation aborted - no candidates to install on
Name_of_Target_Domain : Target (Name_of_Virtual_System) - no policy is installed on this module. Can't select a policy to install
Refer to sk65321.
|"Unspecified error" or "Failed to create a new version" error in SmartDashboard during policy installation and/or when creating a new Database Revision Control version.
Refer to sk103407.
||After changing the administrator's Authentication Scheme from 'Check Point Password' to 'OS Password' with the 'mdscmd setadminauth <ADMIN_NAME> os' command, administrator is still able to authenticate in the SmartDomain Manager with 'Check Point Password'.
Refer to sk102946.
|01473624, 01619573, 01622756, 01474743
||FWM process in the context of MDS consumes CPU at 100% on all Multi-Domain Management Servers / Multi-Domain Log Servers.
Refer to sk105139.
|01433686, 01433688, 00750155, 00747320, 00753738, 00782482, 00829978
||"No license for FloodGate-1 Management" error when installing QoS policy from an R75 Domain Management Server.
Refer to sk69723.
||Gateway object Link Selection redundancy settings are not preserved when converted to Global object.
|01606313, 01606356, 01672563, 01674054
||"mdscmd" command with "-i" option fails to resolve the Domain Management Server Name by IP address.
Refer to sk105172.
||The "mdscmd adddomain ..." command / "mdscmd addlogserver ..." command creates a Domain Management Server / Domain Log Server with wrong build number - as a result, SmartDashboard shows "R77" version instead of the real version "R77.10" / "R77.20".
Refer to sk103958.
|01441367, 01441431, 01805702
||Login to an external SmartLog server GUI with MDM accounts fails with "Authentication failed" error.
Refer to sk101677.
||Enhancement: The SmartDashboard shows a warning "This is restricted environment, access is allowed for authorized administrators only" prior to the Administrator session establishment.
Refer to sk102665.
|01426687, 01431408, 01466682
"Failed to launch the application" error when right-clicking on a Log Server in the SmartDomain Manager to launch the SmartView Tracker.
Refer to sk101507.
||SmartDashboard allows spaces in the name of Cluster Virtual interface.
Refer to sk100470.
|01445522, 01448852, 01450594
||Fewer results when using the Objects list in SmartDashboard to search for an object by typing all or a part of its name.
Refer to sk101908.
|01429170, 01444105, 01429397
||Not possible to select a specific user when editing / creating an Identity Awareness Access Role in SmartDashboard:
Open Identity Awareness Gateway object - go to "Identity Awareness" pane - check the box "Identity Agents" - click on "Settings..." button - go to "Authentication Settings" section and click on "Settings..." button - in "Users Directories" section, check the box "LDAP users" - select "Specific" - click on the green [+] to add a user - a red [X] is displayed for all AUs, and users are never shown.
||Changes are not saved in "Threat Prevention" tab - open "Traditional Anti-Virus" - open "Security Gateway" - open "Mail Protocols" - click on "Mail Anti-Virus".
||The "Comment" section in the Application Control policy does not show all lines.
Refer to sk101906.
|01522265, 01522660, 01523578
- Anti-Spoofing setting changes to "Undefined" when a VSX cluster object is edited in SmartDashboard.
- Policy installation fails with error: "The Topology information must be configured for object <Object Name>, interface <Interface Name>, in order to use the Anti-Spoofing feature".
Refer to sk92646.
||Cannot clear the options 'Timeframe' in 'Hits' column of rulebase.
Refer to sk101586.
||Incorrect time in the administrator notification state in SmartDashboard.
Refer to sk101426.
||Query Syntax for the Firewall Policy to show rules that contain "Any".
Refer to sk101061.
||SmartDashboard fails to get IPS updates when a proxy server is configured via a Group Policy.
Refer to sk98078.
|01407037, 01408005, 01460140
||Checking the box "Automatically authenticate users from machines in the domain" is not saved in the Identity Awareness settings.
Refer to sk100789.
||Checking the box "Turn on QoS Logging" is not saved in Centrally Managed 600 / 1100 / Security Gateway 80 object.
Refer to sk102046.
||"Some URLs are invalid and therefore were not added" message in SmartDashboard when importing URLs from a CSV file.
Refer to sk101338.
||GuiDBedit Tool crashes on every search or double-click on any object.
Refer to sk116863.
||SmartDashboard becomes unresponsive when navigating in the policy with SmartWorkflow blade enabled.
|01456659, 01456848, 01570096
||After renaming the Interoperable Device object, pre-shared secret disappears from the object.
Refer to sk102170.
||SmartDomain Manager crashes when attempting to connect to the Multi-Domain Security Management Server.
||Edge devices managed by SmartProvisioning connect to the wrong VPN community after policy installation.
Refer to sk105683.
|01439666, 01446485, 01449094, 01449266, 01461149, 01541541, 01556316
||1100 Appliances managed by SmartProvisioning get wrong VPN certificate.
Refer to sk102033.
||SmartProvisioning design flaw when editing Office Mode interface in Edge configuration.
Refer to sk101868.
|SmartEvent / SmartReporter
|01412839, 01413746, 01441222, 01456781, 01553039, 01657422
"No relevant data found to generate report" message when generating one of the reports listed:
- "Endpoint Security VPN Users Activity"
- "Successful Logins"
- "Login Failures"
- "Login Activity"
Refer to sk100966.
||"Validation error in field "corr_unit_list" of element #1 at object "OnlineJob" @ "Eventia Jobs"" when trying to select an object as the SmartEvent Log Server.
Refer to sk103533.
|01431846, 01431972, 01491280, 01477751
||DLP events are not created in SmartEvent even though there are DLP logs.
Refer to sk101491.
||.NET error "System.ArgumentOutOfRangeException: Value of 'XXX' is not valid for 'Value'. 'Value' should be between 'Minimum' and 'Maximum'" in SmartEvent GUI when accessing 'Policy' menu - 'Database Maintenance' after increasing the size of the SmartEvent database to more than 1 TB per sk69706 and installing the Event policy.
Refer to sk104241.
||SmartEvent reports for AD groups do not show all users.
Refer to sk101509.
|01450736, 01453019, 01473184, 01479259, 01502583
||Configuring SmartEvent to work with an LEA server on different ports with different authentication methods.
Refer to sk101928.
|01477749, 01477950, 01502255, 01546478
||SmartEvent dialog box is empty when working with 'Top Users' widget on 'Application & URL Filtering' tab in SmartDashboard.
Refer to sk102629.
|01466229, 01466876, 01466862
||Some reports are missing in SmartEvent GUI on the 'Reports' tab when logging in from Domain Management Server.
Refer to sk102272.
||postgres process on SmartEvent server consumes CPU at high level.
Refer to sk102660.
||SmartReporter fails to generate a report for selected hours with "ERROR: syntax error at or near ','LINE 1: SELECT MOD(((EXTRACT(HOUR FROM , SUM(...".
Refer to sk105840.
||Application Risk events in SmartEvent show lower levels of risk than what is defined for the application.
|After creating a report, it is not possible to view the results in SmartReporter GUI and an error message is displayed.
Refer to sk61180.
|01473131, 01473192, 01503175, 01584670
||Generation of a user activity report while filtering on application fails.
Refer to sk102655.
"Object name contains space" warning when adding a Log Field to a Filter in SmartEvent GUI.
Refer to sk112992.
||When using a special Permissions Profile, the username of an administrator that viewed the DLP 'Incident' logs in SmartLog GUI is not logged in the 'Management' ('Audit') logs in SmartView Tracker. Instead, the value 'localhost' is displayed in the 'Admin' column of the 'Management' ('Audit') logs.
Refer to sk101528.
|01458259, 01459317, 01463006
||SmartUpdate does not allow uploading files to Check Point Service Requests that start with digit "5".
Refer to sk102133.
||Contracts update from the User Center in SmartUpdate fails with "Could not fetch contracts from User Center" error on computers with SecureClient installed.
Refer to sk102429.
||cpinfo generation via SmartUpdate with "add log files" option fails.
Refer to sk102826.
||Cluster Global ID, configurable in First Time Wizard and persistent after upgrade, resolves issues when multiple clusters are connected to the same network segment.
Refer to sk25977.
||Proxy ARP entries for Automatic NAT rules are not written to the ARP table on VRRP Cluster.
Refer to sk101907.
||CCP transmission mode (multicast, broadcast) is not persistent across a CPUSE upgrade.
Workaround: After the CPUSE upgrade is completed, set the desired CCP transmission mode per sk20576 (with "cphaconf set_ccp <multicast|broadcast>" command).
||Starting in Gaia R77.20 and Gaia R75.47, the $FWDIR/conf/discntd.if file is no longer needed. An interface that is not part of the cluster topology is treated as "disconnected".
Refer to sk69180.
|01462163, 01465843, 01577576
||Simultaneous ping to IPv6 addresses of cluster members and to Cluster Virtual IPv6 address does not work.
Refer to sk102235.
|01434159, 01440652, 01554504, 01600743
||ClusterXL administrators cannot suppress the messages printed by the Cluster Under Load (CUL) mechanism (see sk92723) in the /var/log/messages file and in the dmesg.
Refer to sk101649.
|01401092, 01404180, 01473298, 01501607, 01614412, 01621354, 01625365
||RouteD daemon might consume CPU at a very high level on a ClusterXL member running Gaia OS, when there are issues with cluster sync interfaces.
Refer to sk102737.
|01312467, 01354117, 01472107, 01461376
||Although CCP mode is set to Broadcast, Delta Sync packets are sent over Sync interface(s) as Multicast.
Refer to sk101132.
|01444902, 01445205, 01568063
||ClusterXL interfaces are not displayed correctly in SmartView Monitor.
Refer to sk101891.
|01449608, 00267074, 01510489
||Random failovers in VRRP cluster with configured BGP on Gaia OS.
Refer to sk102006.
||Suppress the Cluster Under Load (CUL) messages in the /var/log/messages file and in the dmesg.
Note: Must set the value of kernel parameter fwha_enable_cul_logging to 0.
Refer to sk101649.
|01394541, 01481322, 01394737;
01392662, 01495372, 00267059
|Standby cluster member with enabled SecureXL drops packets on Anti-Spoofing when VMAC mode is enabled.
Refer to sk100405.
|01489439, 01509596, 01510332
||VRRPv3 cluster on Gaia OS goes into Master / Master state after failover is initiated over IPv6 links.
Refer to sk102850.
|01443738, 01495302, 01560272, 00267123
||RouteD process (routed -N) consumes CPU at 100% on a cluster member running Gaia OS.
Refer to sk102436.
|01516713, 01546299, 01546302, 01547500, 01582543
||RouteD daemon might consume CPU at high level on Standby / VRRP Backup cluster member running Gaia OS.
Refer to sk105863.
|01544799, 01545225, 01644686
||Some interfaces are missing in the output of "cpstat -f all ha" command on VRRP / OPSec cluster members running Gaia OS compared to the output of Clish command "show vrrp summary" and output of Expert command "cphaprob -a if".
Refer to sk105868.
|01532706, 01536326, 01651492, 01653126, 01655747, 01656044
||RouteD daemon might crash on a Gaia VRRP cluster member if a fail-over is triggered on an interface with VLANs.
Refer to sk105957.
||Output of Gaia Clish command "show vrrp summary" might incorrectly show "VRRP: VRRP not enabled" during VRRP failover in Gaia VRRP cluster.
Refer to sk112614.
State of R77.10 / R77.20 ClusterXL member changes to "Down" due to Critical Device "Interface Active Check" in this scenario:
- Monitoring of the lowest and highest VLANs is enabled (default; fwha_monitor_low_high_vlans=1)
- A new VLAN is added on the ClusterXL member with VLAN ID, which is lower/higher than any existing VLAN ID
Refer to sk106776.
|01476281, 01477456, 01515235, 01593791
||After fail-over in VRRP cluster, the connection to VRRP VIP address is wrongly NATed (folded) to the physical IP address of previous Master member (now Backup member) instead of being NATed to the physical IP address of new Master.
|01563293, 01570131, 01570138
||DLP is not enforced on Korean language.
Refer to sk102548.
|01517177, 01280494, 01511668, 01530458;
|"DLP Recipients" field in DLP log contains truncated e-mail addresses.
Refer to sk103635.
||DLP Gateway occasionally hangs/freezes due to crash of 'fwdlp' process.
Refer to sk100407.
||DLP Gateway might crash during DLP session.
Refer to sk103070.
|01402677, 01502447, 01554541, 01409267, 01657016
||DNS 'NOTIFY' (Zone Change Notification) packets are dropped by the IPS blade with SmartView Tracker log "Non Complaint DNS - Illegal number of Resource Records".
|01424004, 01430984, 01432213, 01457549, 01467431, 01468837, 01481392, 01493902
||RTSP over HTTP traffic might cause high CPU load on the Security Gateway when HTTP inspection on non-standard ports is enabled.
Refer to sk103113.
|00508495, 01087845, 01573511, 01573552, 01433163
||Security Gateway with enabled IPS blade might crash in "cmi_context_get_status ()" function.
Refer to sk104642.
||Permanently setting the desired value of kernel parameter fwpslglue_log_ctrl in the $FWDIR/boot/modules/fwkern.conf file does not survive policy installation or reboot - the value is reset to the default value.
Refer to sk63160.
|01481858, 01481996, 01498296
||'Follow Up' flag disappears from IPS logs in SmartView Tracker. No logs are shown in SmartView Tracker - 'Network Security Blades' - 'IPS Blade' - 'Follow Up' view.
Refer to sk102733.
|01465073, 01472536, 01473776
||Windows OS updates traffic is rejected by the IPS blade with "Block HTTP Non Compliant - Failed to handle connection data".
Refer to sk102671.
|01412270, 01493901, 01451658
||Kernel debug 'fw ctl debug -m WS + stream' (and 'fw ctl debug -m WS all') causes high load on CPU, which might cause the machine to freeze.
Refer to sk103111.
|01488103, 01560056, 01511647
||IPS protection "TCP Off-Path Sequence Inference" drops TCP packets originated by Security Gateway.
Important Note: The default value of kernel parameter psl_offpath_allow_local_packet is 1 (one).
Refer to sk104637.
|Gaia and SecurePlatform
|01401927, 01610334, 01402267
||Security Gateway on Open Server using the be2net NIC driver might crash.
|01434138, 01445642, 01492259, 01601885, 01614909
||"syslogd: local sendto: Invalid argument" error in /var/log/messages file.
Refer to sk83160.
||Usage of a relative FTP path in the backup wizard can cause errors.
A comment was added to the Gaia Portal: "You should use full server side path to remote directory, e.g. /var/log/CPbackup/backups/".
|01530077, 01531603, 01614907
||Date stamp in R77.20 Gaia backup file was set to "DD_MMM_YYYY_HH_MM". Now it is derived from the Clish "set format date" setting.
Refer to sk104106.
||In the Gaia Portal - Network Management pane - Network Interfaces configuration, when editing a slave interface, which is shown on a different page from its parent Bond interface, the "IPv4" tab and "IPv6" tab are not grayed out (although they should be).
Refer to sk105839.
|01502687, 01502803, 01505698;
VMCORE dump file is not created correctly on a machine that has more than 4GB of RAM and runs Gaia OS with 32-bit / 64-bit kernel:
- In Gaia OS with 32-bit kernel:
VMCORE dump file created during the crash is incomplete - its size is only 1.9 GB
- In Gaia OS with 64-bit kernel:
VMCORE dump file is not created during the crash
Refer to sk103328.
|01574444, 01575917, 01581226, 01594203, 01595732;
01600184, 01603889, 01605966
|confd process consumes CPU at high level on Gaia OS due to large size of Gaia Database (/config/db/initial_db).
Refer to sk104761.
|01149077, 01150321, 01150322, 01150323, 01288447;
01149080, 01150324, 01150325, 01150327, 01288450, 01540885, 01545648
Issues with default routes via PPPoE interfaces on Gaia OS:
- All default routes are deleted when running multiple PPPoE tunnels and one PPPoE tunnel disconnects.
- Multiple PPPoE tunnels with the same peer address cause RouteD daemon to exit (for example, two PPPoE tunnels receive the same peer address from the ISP, who is not willing to change such configuration).
This message appears in /var/log/messages file:
routed[PID]: if_get_address: duplicate address detected: X.X.X.X/Y
Refer to sk92948.
|01433011, 01661885, 01433334, 01516391
||"sudo: sorry, you must have a tty to run sudo" error upon SCP connection to Gaia OS using RADIUS user with default shell /bin/bash and uid=0 on the involved Gaia OS.
Refer to sk106044.
||Scroll stops working in Gaia Portal on "Network Interfaces" page inside the table with interfaces.
Refer to sk102799.
|01426068, 01426160, 01445202, 01452026, 01469580, 01473270, 01500557, 01507021, 01513212, 01515176, 01515237
||After reboot, Gaia system loads without Clish and without static routes.
Refer to sk101501.
|01489986, 01490967, 01493295, 01495178, 01496126, 01496169, 01497490, 01499306, 01499337, 01499340, 01499343, 01502649, 01502699;
|New law in Russia regarding Daylight Savings Time 2014.
Refer to sk103054.
|01488900, 01491395, 01505055
||"tcpdump" / "arp" (and other) commands do not work when authenticating with a RADIUS user, even if the user is a SuperUser on Gaia OS (UID 0).
Refer to sk105175.
|01467555, 01468600, 01614910
- When running Clish command "show configuration", the user is sometimes logged out from Clish / SSH / console.
- When running in Expert mode command clish -c "show configuration", the user is not logged out, but the command does not produce any output.
- When running Clish command "save configuration <filename>", the command fails with "glibc detected" error, and only a part of the configuration is saved in the <filename>.
Refer to sk113266.
|01423170, 01423468, 01437168, 01569853
||"Authentication failure" error when authenticating with a TACACS user that has special characters in their password.
Refer to sk101332.
|01471255, 01475263, 01496788
||Gaia Clish is very slow when making any changes in the Gaia OS configuration.
Refer to sk102994.
|01381595, 01385234, 01513659
||RADIUS secret can be seen in Gaia Database - /config/db/initial file.
Refer to sk99039.
||Configuring an interface in Gaia Portal to obtain an IP address from DHCP causes all other interfaces with configured static addresses to lose their current IP addresses and also obtain an IP address from DHCP.
Refer to sk101513.
||Clish command "show asset all" returns incorrect Chassis and Motherboard information on 21000 appliances.
Refer to sk103711.
|IPv6 traffic from some hosts stops passing randomly through the Security Gateway / Active ClusterXL member running Gaia OS.
Refer to sk103226.
||Intermittent outages of TCP traffic on 10GbE interfaces in IP Appliances running Gaia OS.
Refer to sk102969.
||RouteD daemon might crash when running routing commands in Gaia Clish.
Refer to sk103432.
||syslog messages forwarded by Gaia OS to an external Syslog server do not contain timestamp.
Refer to sk100727.
Note: Additional fix for timestamp format is required (Issue 01711921).
||A user created in Gaia Portal with '/bin/bash' shell and 'monitorRole' role gets admin permissions upon login - this user is able to execute any command in Expert mode and in Clish.
Refer to sk101650.
|01383404, 01403777, 01408257, 01414106, 01419203
||Intel X520-2 NICs (8086:10fb, 8086:0003) are not recognized by Gaia OS in 64-bit mode - output of Expert command 'ifconfig -a' or Clish command 'show interfaces' does not show these interfaces.
Refer to sk101412.
|00267458, 01526068, 01539200, 01563854
||Gaia IP Broadcast Helper does not forward Directed Broadcast traffic.
Refer to sk103963.
||A user authenticated by TACACS does not see the 'Blades' and 'Network Configuration' widgets on Gaia Portal's "System Overview" page.
Refer to sk101088.
|01354491, 01394076, 01394990
- Output of Clish command "show configuration rba" shows that "readonly" roles have "readwrite" features.
- Output of Expert command "grep roles /config/active" shows that roles only have the defined "readonly" features.
Refer to sk104009.
||syslog daemon crashes after enabling 'Send Syslog messages to management server' in the Gaia Portal.
Refer to sk113266.
|01570045, 01570872, 01612421
||Output of "raid_diagnostic" command shows "State:MISSING" for one of the hard disks on a Check Point Appliance with RAID / Open Server with RAID.
Refer to sk104580.
|01469180, 01494277, 01502550, 01578108
Refer to sk104878.
- After adding scheduled backup (add backup-scheduled) and setting scheduled backup (set backup-scheduled) in Gaia Clish, the command show backup-scheduled NAME returns:
The scheduled backup is performed localy.
The backup is not scheduled
- Deleting the scheduled backup in Gaia Clish (with 'delete backup-scheduled NAME') does not delete its cron job - output of Expert command 'crontab -l' still shows the deleted scheduled backup (as '
||In Gaia Portal, Link Status of VLAN interface defined on a Bond interface does not change when the Link Status of the Bond's physical slave interfaces changes.
Refer to sk101514.
|01428735, 01432295, 01432973, 01518522, 01553076
||Changes made in the value of 'vmalloc' in the /boot/grub/grub.conf file on Gaia OS do not survive reboot.
Refer to sk103506.
|01410324, 01410662, 01571828
||User is not able to connect to Gaia Portal after enabling Federal Information Processing Standards (FIPS) compliance in Windows OS.
Refer to sk100994.
|01445836, 00267031, 01465986
||/var/log/messages file on Gaia OS repeatedly shows: routed[PID]: ifa_unnumbered_find_proxy: no proxy interface found.
Refer to sk101899.
||Gaia Portal crashes with error "Unable to connect to the server. Press OK to reconnect." when a TACACS / RADIUS user with "adminRole" privileges changes "Roles" settings in Gaia Portal.
Refer to sk91420.
|01458064, 01519461, 01355465
||"cp_ipaddrs:SIOCGIFCONF failed: Bad address" error when starting a user mode process under valgrind on Gaia OS 64-bit.
Refer to sk103768.
||NTP synchronization does not work when using the FQDN of the NTP server instead of the IP address.
Refer to sk104819.
|01493236, 01510892, 01493666
||Output of top command shows that monitord and confd processes consume CPU at 100%.
Refer to sk102988.
||Login to Gaia Clish fails with "CLINFR0819 User: admin denied access via CLI" after clean installation.
Refer to sk100418.
|01517800, 01520211, 01520218, 01520221
Refer to sk107513.
- "Gaia Web-UI recognized a non-valid input data" error when adding SNMP Trap receiver in Gaia Portal.
- "NMSSNM0025 Community names cannot contain spaces or special characters" error when adding SNMP Trap receiver in Gaia Clish.
|01400893, 01401536, 01406408, 01521366
||Hosts connected to a Gaia machine with enabled DHCP Server do not receive IP addresses.
Refer to sk100545.
|01445570, 01445768, 01459433
Gaia command config_system (sk69701) does not complete the configuration:
Refer to sk101712.
- Configuration of the Security Management Server product / Log Server product
- Configuration of the Default Gateway on Gaia OS
- Configuration of the SmartEvent Server product and Correlation Unit product
|01458160, 01461805, 01470402, 01510462, 01511898, 01512051
||Output of "ps auxw" command after reboot shows multiple "clishd" processes in state "Z" (zombie) with "defunct" arguments.
Refer to sk105953.
|01521745, 01522591, 01647302
||"Nothing needed to be done" is returned when running "set user <username> lock-out off" command in Clish to unlock a user that was locked out per the "Deny Access to Unused Accounts" configuration.
Refer to sk103596.
|01474647, 01499686, 01496521
||RouteD daemon crashes due to a memory leak in a Cluster with exactly two members when RouteD sync connection is re-established by the Standby cluster member.
||The output of the "ss -a" command does not show all ports and their current state. Refer to sk104245.
|01499739, 01500368, 01652671, 01658690
||"syslogd" daemon crashes after a reboot of the Gaia OS. Refer to sk103254.
|01576134, 01585104, 01585189, 01613901
||"RTGRTG0019 tclproc: can't read "Part_Of_Password_After_$_Character": no such variable" error in Gaia Clish after entering OSPF secret that contains "$" character(s).
Refer to sk106305.
||State of VLAN interface that was created on Bond interface and was administratively set to "Down", is changed to "Up" after adding a comment on the Bond interface.
Refer to sk100788.
|01537857, 01842664, 01547505
||Gaia Portal - "Network Management" section - "Network Interfaces" page might get stuck (does not load entries) if multiple interfaces (several dozen) are configured.
Refer to sk108435.
Enhancement: Policy Installation shows a warning if there is a VPN community with a weak encryption algorithm:
"Community <COMMUNITY_NAME> is configured with the <ENCRYPTION_ALGORITHM> algorithm in IKE|IPsec Security Association ("<PHASE>"), which provides weak confidentiality."
These encryption algorithms are considered weak:
||Enhancement: Print all Visitor Mode clients, their IP addresses and usernames.
Refer to sk106139.
||To comply with new Federal Information Processing Standards (FIPS) standards, certificates are no longer signed using a hash algorithm weaker than SHA-256.
||To comply with new Federal Information Processing Standards (FIPS) standards, only these symmetric encryption algorithms are allowed on the Security Gateway (if other algorithms are configured, then policy installation will fail):
- IKEv1, IKEv2: AES-GCM-128, AES-GCM-256, AES-CBC-128, and AES-CBC-256
- ESP: AES-GCM-128, AES-GCM-256, AES-CBC-128, and AES-CBC-256
|01404026, 01404567, 01556384, 01571967
||The SSL Network Extender VPN portal is available on port 444 in clear. Refer to sk100646.
||Improved IKEv2 exchange.
|01424048, 01424181, 01466269, 01520616, 01528345, 01554579, 01602916
||Memory consumption on VPN Gateway constantly increases. Refer to sk102267.
|01532401, 01539196, 01560781, 01621047, 01621087
||Remote Access clients that authenticate with username and password, cannot connect to a Security Gateway working in Hybrid Mode if it does not have an ICA and uses 3rd party certificate.
Refer to sk105566.
|01500432, 01519542, 01552227, 01552900;
01585429, 01600788, 01600951
|VPN tunnel cannot be established / no traffic passes when SHA-384 is configured for data integrity.
Refer to sk104578.
||Policy installation during link probing session sometimes causes VPN outage. Refer to sk101532.
|01401345, 01401349, 01469398
||A peer gateway in a Site-to-Site VPN that is the NAT-T responder cannot work with IKEv2.
||A Security Gateway with dual stack (IPv4 and IPv6) cannot work with a Cisco router in a Site-to-Site VPN.
|01406280, 01571331, 01571340,
|L2TP authentication with a machine certificate sometimes fails on Windows client.
|01078280, 01361857, 01377165, 01629560
||Office Mode IP addresses are not correctly released from the DHCP Server.
||IKE Phase 1 with DAIP device fails after IP address of DAIP device was changed.
Refer to sk101911.
|"Failed to allocate an IP address" error when using ipassignment.conf file to assign Office Mode IP address.
Refer to sk95088.
||No logs are shown in SmartView Tracker when selecting 'Link Selection' or 'Permanent Tunnels' in 'VPN Feature' filter.
Refer to sk102332.
||Traffic sent over VPN tunnel does not reach its destination because SecureXL does not start fragmenting the packets.
Refer to sk98070.
||IKE fails with message "Traffic Selector Unacceptable" if there are more than 255 Traffic Selectors.
Refer to sk102437.
||LDAP user fails to connect with Remote Access clients - error "Failed to download Topology".
Refer to sk100466.
|01511779, 01536687, 01556032
||VPND daemon crashes every ~30 minutes on Security Gateway due to memory leak. Refer to sk105841.
|01493720, 01513252, 01551056
||VPND daemon might crash during SSL handshake. Refer to sk104474.
|01469093, 01469743, 01556273
||VPND daemon might crash during logging.
|01455936, 01456884, 01571134
||Authentication to SNX / Check Point Mobile VPN with 3rd party certificate fails.
Refer to sk33319.
|01340539, 01592300, 01369908
||Some Remote Access users are not able to connect to large Remote Access VPN Communities.
Refer to sk105181.
||Client configured with always_connect enabled tries to reconnect even though the certificate is revoked or expired.
Refer to sk102408.
01532845, 01579042, 01535285
|The vpn tu command shows the real IP address when using the command to show the tunnels, but when using one of the delete commands, it does not accept the real IP address to delete the tunnel.
Refer to sk100346.
|01474694, 01558870, 01559881, 01559938, 01580640, 01606476;
01463675, 01559835, 01559883, 01559932, 01580632, 01606626, 01654788
|Remote Access VPN clients are not assigned their static IP addresses configured in $FWDIR/conf/ipassignment.conf file, but from a general Office Mode IP Pool.
Refer to sk105162.
|01434100, 01479667, 01437953
||Check Point Security Gateway is not able to establish VPN tunnel correctly with Edge cluster after failover if Edge devices are managed by SmartProvisioning.
Refer to sk101680.
|01453022, 01602039, 01453615, 01556311
Kernel memory leak detection procedure sk35496 shows memory leak in fwmspi.c:
;Starting SMEM alllocations report
... ... ...
fw_drv_fini: XXX bytes allocated by 'fwmspi.c:N' leaked at ... allocation time ...
... ... ...
FW-1: SMEM Leak in: fwmspi.c:N: smem bytes XXX, smem num of allocations YYY
... ... ...
;Ended SMEM alllocations report
|01464684, 01469758, 01556271
||Memory leak when there is an error saving data into kernel table "inbound_SPI".
||Certificate Signing Requests could only be encoded with UTF8 String, and not TeleTex string.
|01418393, 01456436, 01467522, 01470952, 01471765, 01474667, 01479662, 01510285, 01516601, 01522323, 01546352, 01551219, 01556280, 01577129
||Added ECDHE support to HTTPS Inspection and Multi Portals.
Refer to sk104717.
||Improved HTTPS Inspection Bypass mechanism.
Refer to sk104717.
|01439385, 01495016, 01493588, 01493594, 01481655, 01508906;
01433683, 01495015, 01493587, 01493590, 01481652, 01508914
|Improvement in negotiation rate of HTTPS traffic through Security Gateway R76 and above.
Refer to sk103081.
|01467047, 01495926, 01614223, 01624869
||RC4 cipher is allowed for Inbound HTTPS inspection.
Refer to sk104095.
|01521925, 01523439, 01539818, 01523437, 01523353
||Security Gateway with enabled HTTPS Inspection crashes repeatedly.
Refer to sk108653.
|01522437, 01528311, 01528847, 01530694, 01539945
||Application Control policy with distributed Identity Awareness rules may cause Security Gateway to crash when processing a UDP domain connection.
|01412965, 01413413, 01500608, 01502786, 01516725, 01525401, 01551242, 01553991, 01554511, 01558819, 01575200
||TLSv1 Server Hello packets being dropped by Application Control of HTTPS in SmartView Tracker and debug.
Refer to sk100971.
||Access to web sites fails with multiple "Internal System Error" logs from Application Control / URL Filtering.
Refer to sk64162.
|00267191, 01493069, 01495399
||Amount of transmitted traffic in Application Control Accounting logs is much higher than the amount of transmitted traffic reported by the relevant outbound interface (e.g., 'TX' counter in the output of 'ifconfig -a' command).
Refer to sk103071.
|01457139, 01556295, 01457569
||Traffic fails after rebooting the Security Gateway with enabled Application Control blade.
Refer to sk102135.
|01653873, 01655271, 01655835, 01662792
||HTTP traffic is blocked by Application Control with "HTTP parsing error occurred, blocking request (as configured in engine settings)" log.
Refer to sk106288.
||URL Filtering blocks HTTPS web sites with "Internal System Error occured" log when "Categorize HTTPS sites" and "Fail-close" are enabled.
Refer to sk64162.
|01448602, 01449446, 01450281
R77.20 URL Filtering blocks HTTPS traffic with this log in SmartView Tracker:
User <UserName> was blocked access to ... from <IP Address>
Source = <IP Address> and <UserName>
Protocol = tcp
Service = https (443)
Action = Block
Reason = Internal System Error occurred, blocking request (as configured in engine settings). See sk64162 for more information.
Refer to sk64162.
|01466938, 01474787, 01476226
URL Filtering intermittently blocks some HTTPS requests with these SmartView Tracker logs:
Action = Block
Reason = Internal System Error occurred, blocking request (as configured in engine settings). See SK64162 for more information.
Refer to sk64162.
|01431893, 01480952, 01433702
URL Filtering R76 and above blocks non-HTTPS traffic (e.g., SFTP) with "Internal System Error occurred" log in SmartView Tracker:
Blade = URL Filtering
Action = Block
Reason = Internal System Error occurred, blocking request (as configured in engine settings). See SK64162 for more information.
Refer to sk64162.
|Threat Prevention (Anti-Bot / Anti-Virus / Threat Emulation)
|01434059, 01436435, 01445037, 01448961, 01450819, 01457322
||Anti-Virus and Threat Emulation blades miss inspection.
Refer to sk101708.
||Threat Prevention policy is installed on all Security Gateways regardless of explicit Policy Targets.
Refer to sk104559.
||Security Gateway R77.20 fails to fetch new IntelliStore feeds for Anti-Bot / Anti-Virus.
Refer to sk102649.
|01534587, 01550413, 01554630, 01562032
||Security Gateway might crash when Threat Prevention "Fail Mode" is set to "Block all connections (Fail-close)".
Refer to sk104866.
|01602329, 01613027, 01611875, 01611607
||Amount of consumed memory constantly increases on a Security Gateway with enabled Anti-Virus blade.
Refer to sk105572.
|01571753, 01578807, 01600189, 01627049, 01629010, 01634746
||Specific web sites are not reachable when Anti-Virus/Anti-Bot blade is enabled and the packet is generated by the Security Gateway.
Refer to sk104638.
|01428602, 01431817, 01441828, 01512656
||SmartEvent shows "Severity = <4GB" in Anti-Virus / Anti-Bot event.
Refer to sk106130.
||/var/log/messages file on Security Gateway repeatedly shows "ld_commit_ex: Attempting to commit unbound ld 7981" during policy installation.
Refer to sk105545.
|01427389, 01502416, 01427823, 01510189;
01427391, 01510361, 01427825;
01433720, 01502418, 01434036
|It is not possible to exclude networks from Identity Awareness Captive Portal's keepalive feature.
Refer to sk101449.
|01424973, 01425440, 01426025, 01482791, 01542491
||Identity Agent on Mac OS X asks to trust the Identity Server's certificate during each boot.
Refer to sk101327.
|01416765, 01410342, 01416767, 01424641, 01449848, 01410174, 01416765, 01424645, 01449845
||Browser-based Authentication guests are timed out by Identity Awareness after 10 minutes.
Refer to sk101503.
|01474077, 01555626, 01494408, 01474405
||PDP daemon crashes when logging a MUH authentication.
Refer to sk105069.
|01393374, 01420182, 01569611, 01569641, 01574012
||When Identity Sharing configuration is used, it can take as long as 10 minutes for the components to sync after restart.
|01470526, 01473354, 01608568, 01613406
||User login events are logged by Identity Awareness as separate logins for different users if username is written in upper case letters, or in lower case letters - in all Check Point logs, the user is identified by the username with which the user has actually logged in - as if different user names were used ('USERNAME' / 'UserName' / '
Refer to sk102398.
||In a VSX Gateway, Captive Portal's customized company logo is shared between all Virtual Systems. As a result, when the policy is installed on one of the Virtual Systems, customized company logos are overwritten on all the other Virtual Systems.
|01505808, 01506056, 01556019
||VPN clients authenticated by the RADIUS protocol are not in PDP listed groups. Therefore, they are not assigned to the correct Access roles.
|01553174, 01553863, 01554012, 01569537
||Identity Awareness RADIUS Accounting clients are not assigned their specific user-defined RADIUS Message Attributes.
Refer to sk105786.
|01157206, 01159941, 01159942, 01159943, 01209559, 01321563, 01351162, 01363762, 01395591;
01459004, 01459085, 01489476
These messages appear repeatedly in $FWDIR/log/fwd.elg file on an Identity Awareness gateway:
Refer to sk102171.
- CLogFormat::create failed - field already exists (xxx) of type (string) !
- CFormatsDict::registerFormat - bad format string !
|01505808, 01506056, 01556019
||VPN clients authenticated by RADIUS protocol are not mapped to an Access Role.
Refer to sk105173.
||Output of "pdp monitor ip <IP_ADDRESS>" command on the Security Gateway shows multiple users associated with the same Source IP address.
Refer to sk101115.
|Identities are not shared with all gateways.
Refer to sk101369.
||Output of command "pep show user query cid <IP_Address_of_Terminal_Server>" does not show any identities when Identity Agent is installed on Terminal Server / Citrix Server.
Refer to sk104115.
||Output of 'fw tab -s | grep -E "PEAK|pep"' command on Identity Awareness Gateway shows that the current (VALS) number of entries and the peak (PEAK) number of entries in the pep_identity_index table has reached 25000.
Refer to sk103221.
||PEPD process consumes CPU at 100%.
Refer to sk100641.
||Improved handling of URL in Captive Portal.
||After a failover in a VRRP cluster, the connection between the PDP and the PEP stays connected to the "old" MASTER PEP.
||"MADService.exe" process consumes CPU at high level on the Terminal Server.
|Memory leak in PDPD daemon related to ADQuery.
Refer to sk106422.
||"Table pdp_sessions entries limit (90000) reached" critical system alert messages repeatedly appear in SmartView Tracker.
Refer to sk101288.
||"Group membership of the required account (user or machine) could not be retrieved from the AD" log from Identity Awareness blade in SmartView Tracker.
Refer to sk106133.
|01410233, 01525141, 01834591, 01862252
||Improved generation of new session ID (to make sure this ID is not assigned to some other basic or super session).
|01361273, 01438252, 01437810
Enhancement: New Apache directive CvpnTranslateResponseHeader that enables the translation of URLs in the headers.
To add a new header:
- Edit the $CVPNDIR/conf/includes/Web_inside.location.conf file on Mobile Access gateway
- Search for CvpnTranslateResponseHeader
- Add your header using this format: CvpnTranslateResponseHeader <header_name>
- Save the file
- Reload the Mobile Access policy with the cvpnd_admin policy command
|Mobile Access support for SHA-256 signed certificates.
Refer to sk101541.
|01467856, 01471445, 01613474, 01614665
||Link Translation domain does not work - some links are not included/excluded from translation domain.
Refer to sk105565.
|00776003, 01323079, 01323080, 01346323, 01360113, 01376976, 01377147, 01393090, 01394078, 01397611, 01408848, 01476174, 01495176, 01513491
||Traffic initiated from internal host towards SSL VPN client is dropped with "Unauthorized SSL VPN traffic" log.
Refer to sk97811.
Note: Must add a new variable in Check Point Registry on Management Server - 'SNX_ALLOW_GW_TO_GW' and set its value to 1.
|01499536, 01501020, 01499541, 01501008, 01501161, 01501308, 01501438, 01501891, 01526621
||Push Notifications are not received on the mobile phones due to IPS protection "Secure Socket Layer (SSL) v3.0".
Refer to sk103080.
|01459334, 01463070, 01569322
||HTTP Based SSO authentication fails to internal Web / Application servers if Single Sign On (SSO) is disabled in the application properties.
Refer to sk102308.
||The Mobile Access portal homepage does not show the time zone for the last logon.
|Disabling Mobile Access 'Content-Analyzer' feature for specific host.
Refer to sk101076.
||"This content cannot be displayed in a Frame" error when accessing an application through Mobile Access using Hostname Translation (HT).
Refer to sk99072.
|01399802, 01402334, 01513710
||When a user connects to two e-mail accounts using ActiveSync (for example, a personal account and a group account) from a single mobile device, multiple Mobile Access sessions are created (instead of two expected sessions).
Refer to sk100552.
|01273495, 01368685, 01368687
||Padding in the HTTP POST request body causes an internal server error.
|Accessing Mobile Access Portal applications takes a very long time.
Refer to sk105525.
|01456061, 01463349, 01569353
||Kerberos authentication fails on Mobile Access Gateway.
Refer to sk102194.
||Mobile Access Blade option to change language in webmail does not work.
Refer to sk104001.
|01450216, 01452166, 01575638
||Mobile Access blade translates all URLs with IP addresses.
Refer to sk102032.
|01454984, 01455527, 01463441
||Windows Domain specified in Single Sign On (SSO) configuration of File Shares applications is not enforced by Mobile Access.
Refer to sk102307.
|01399854, 01400184, 01531213
||When enabling ESOD, Mobile Access policy installation fails with "Failed to install policy on Mobile Access blade - previous configuration is used".
Refer to sk100539.
||Mobile Access Blade connectivity issue to Citrix server.
||Disables SSLv3 (and forces TLSv1.0) in Mobile Access Blade when connecting to internal HTTPS servers.
||"This file is invalid for use as the following: Personal Information Exchange" error during certificate enrollment process in the Mobile Access Portal when using a language other than English in the Mobile Access Portal.
Refer to sk101007.
||SSL sessions for outgoing connections are not resumed by Mobile Access gateway.
Refer to sk106423.
|01465740, 01469307, 01493223, 01844638
||Some web sites cannot be reached through Mobile Access Gateway with Hostname Translation.
Refer to sk108593.
||Mobile Access users do not receive push notifications if their usernames contain domain name.
Refer to sk108836.
||New: Maximal SNX session duration can be increased from 1 day (1440 minutes) to 1 week (10080 minutes).
Refer to sk102288.
|00263386, 00266252, 01528113;
|New feature on Gaia OS: OSPF Graceful Restart with VRRP.
Refer to sk104441.
|01539457, 01546505, 01567556, 01577303
||Time stamps in RouteD traces on Gaia OS will be printed with milliseconds as well.
Refer to sk105852.
|01448634, 01448859, 01450278
||Security Gateway / Cluster Member on Gaia OS with configured BGP that uses MD5 Authentication might randomly crash (tcp_v4_calc_md5_hash(...) at crypto.h).
Refer to sk101976.
|01524538, 01524594, 01526450, 01526769, 01594168
||Missing BGP routes after failover in a cluster with BGP Graceful Restart configured on Gaia OS.
Refer to sk103724.
|01563234, 01564383, 01565007
||RouteD daemon on Gaia OS might crash due to memory leak when PIM Sparse Mode multicast is configured.
Refer to sk104518.
|01565294, 01656917, 01573437
||RouteD daemon in VRRP cluster might crash in a loop, if only one cluster member is active and it was rebooted or 'cpstop;cpstart' commands were executed.
Refer to sk106045.
00265931, 01645351, 01557546
|RouteD daemon on Gaia OS might crash on cluster member when PIM Sparse Mode multicast is configured and multicast traffic arrives from peer cluster member.
Refer to sk104847.
|00266170, 00266274, 00266193
||PIM multicast traffic does not pass correctly through the Security Gateway on SecurePlatform Pro.
Refer to sk100219.
||Random flapping of OSPF neighbors in Gaia OS cluster under load.
Refer to sk105865.
|01468506, 01470238, 01509726, 01509815, 01509822
||Output of Clish command "show ospf neighbors" does not show any OSPF neighbors over the Virtual Tunnel Interfaces (VTI) if "Use Virtual Address" is enabled for OSPF.
Refer to sk105163.
||/var/log/messages file on VRRP cluster member running on Gaia OS with RIP configured repeatedly shows:
routed[PID]: cpcl_should_send() returns -1
Refer to sk106128.
||RouteD daemon might crash after the state of an interface changes several times (flaps) when OSPF with Graceful Restart is configured.
|01366638, 01879973, 01438233
||OSPF with enabled MD5 authentication is not establishing adjacency due to MTU mismatch.
Refer to sk109092.
|01509785, 02083430, 01518596, 01518594, 01696761
||RouteD daemon on Gaia OS / IPSRD daemon on IPSO OS might crash when processing PIM-DM traffic.
Refer to sk113622.
|00266698, 00267039, 01437178, 01604531
||Some connections are dropped as out of state after failover in ClusterXL HA mode on 21000 appliances with SAM card.
Refer to sk101287.
|01557358, 01605468, 01557500
||Security Gateway with enabled SecureXL and passing multicast traffic crashes every several days.
Refer to sk105854.
|01574333, 01575168, 01921759, 01810487, 01704611
||Improved SAM card log collection when host appliance crashes with "ADP slot N possibly hung" message.
|01401927, 01402267, 01515140, 01610334, 01612989, 01613022
||Security Gateway using the be2net NIC driver crashes when SecureXL is enabled.
|01024708, 01479524, 01499685, 01500107, 01513093
||SecureXL is now able to copy DiffServ mark from the packet's IP header (inner header) to the IPSec header of the encrypted packet after encapsulation (outer header).
Refer to sk105722.
|01380466, 01529968, 01467341, 01467342;
01461944, 01559697, 01534647;
01465882, 01530180, 00267265, 00267264
|Check Point 21000 series appliance with SAM card might crash when removing a slave interface from bonding group defined on SAM ports.
Refer to sk104358.
|01426122, 01550640, 01443313, 01444855;
01429933, 01531479, 01443315;
01510636, 01523681, 01513427, 01513825
|Check Point 21000 series appliance with SAM card crashes when disabling SecureXL during / after policy installation.
Refer to sk101451.
|01385280; 01673919, 01489973, 01467347
||Check Point 21000 series appliance with SAM card might crash due to exhaustion of all memory when there is an inbound clear traffic that should have been encrypted (such traffic is correctly dropped, but sending notifications from SAM card to the FireWall about such clear text packets received on encrypted connections might consume valuable memory).
|01565618, 01577958, 01674183, 01677466
||Check Point 21000 series appliance with SAM card might drop traffic with "Virtual defragmentation error: Timeout" log when sent over a VPN tunnel.
Refer to sk106292.
|01458115, 00267136, 00267390, 01481039, 01513355, 01522999, 01526474, 01526491, 01528105, 01528107
||When enabling SAM card with SecureXL and ClusterXL Unicast Mode, traffic is dropped.
Refer to sk102246.
|01397083, 01397729, 01638997
||SAM card on Check Point 21000 appliances might crash during boot if the number of configured CoreXL FW instances is equal to the number of CPU cores on the appliance (for example, there are 16 CPU cores, and 16 CoreXL FW instances were configured).
Refer to sk100546.
|01499723, 01500455, 01675110, 01676648
||21000 series appliance with SAM card might crash in a specific scenario when accessing the /dev/tilegxpci*/boot for reading or writing.
Refer to sk103209.
|00266155, 00267073, 01674942
Enhancement for Check Point 21000 series appliance with SAM card: Statistics for network memory buffers are now available via the "ipsctl -a" command under:
Description: An "mbuf" is a basic unit of memory management in the kernel IPC subsystem. Network packets and socket buffers are stored in mbufs. A network packet may span multiple mbufs arranged into an mbuf chain (linked list), which allows adding or trimming network headers with little overhead.
|01392081, 01476360, 01392620, 01523990
||SecureXL does not accelerate IPv4 packets with VLAN tag on a Security Gateway in Bridge mode when IPv6 is enabled.
Refer to sk100170.
||The Security Gateway might crash during boot if drop optimization is enabled in 'Firewall Policy Optimization'.
Refer to sk105182.
||When SecureXL is enabled, traffic through the VPN trusted interface is sent encrypted instead of clear.
Refer to sk102742.
||IPSO cluster member crashes when SecureXL is enabled and services are configured to start synchronization after a delay.
Refer to sk101909.
|01475197, 01475246, 01476946, 01555628
||Intermittent traffic outage on a Security Gateway with enabled NetFlow.
Refer to sk102553.
|01560458, 01560789, 01561579, 01566368, 01567351, 01573268, 01573318
||A Security Gateway configured in Monitor Mode (per sk101670) with enabled SecureXL might freeze intermittently.
Refer to sk105842.
|01501271, 01505007, 01506385, 01514600
||Output of "fwaccel stat" command shows:
Accelerator Status : off by Firewall (too many general errors (NUMBER) (caller: Name_of_Function)).
Refer to sk100467 (Scenario 2 - "Collision of partial connections in SecureXL due to SecureXL Optimized Drops feature").
|00266712, 00266721, 00266756, 00266890, 00267014, 01531274, 01625640, 01625653, 01625654, 01625656
||Additional information will be added to the core dump file if SAM card crashes.
|01446679, 01448860, 01554558
Security Gateway might crash in this scenario:
Refer to sk101219.
- SecureXL is enabled
- Value of kernel parameter sim_ipsec_dont_fragment is set to 1
- VPN tunnel needs to pass fragmented packets
|01475359, 01631637, 01479665
||SecureXL in Virtual Router drops packets on Anti-Spoofing if SecureXL is disabled on the connected Virtual System (example topology: Host - VS with SXL off - VR with SXL on - Host).
||SecureXL instability when SecureXL NAT Templates are enabled and Hide NAT is configured on VSX.
Refer to sk106709.
|01778058, 01745305, 01545578, 01605342
||SecureXL sends the traffic with Destination MAC Address 00:00:00:00:00:00.
Refer to sk107436.
|01585371, 01809152, 01585371
||Security Gateway with enabled SecureXL and IPSec VPN blade might crash when traffic passes over VPN tunnel.
Refer to sk107912.
Refer to sk93000.
- IPv6 traffic does not pass through Security Gateway with configured CoreXL IPv6 FW instances.
- Kernel debug ('fw ctl debug -m fw + drop') shows that IPv6 traffic is dropped by CoreXL SND:
;[cpu_X];[fw6_X];fw_log_drop_ex: Packet proto=58 ... dropped by fwmultik_dispatch_outbound Reason: No instance (outbound);
|01441450, 01626569, 01447005
||CoreXL cannot be enabled on the Security Gateway in this scenario:
Refer to sk105886.
- IP Pool NAT is already enabled
- IPv6 is already enabled
||Traffic that depends on Dynamic Objects stops passing after policy installation - it is actually dropped by the rule that should accept it.
Refer to sk107079.
|Gaia OS / SecurePlatform OS: Compliance errors in SMI syntax in Check Point MIB files show in MIB browsers or MIB validation websites.
Refer to sk73440.
||Gaia OS: SNMP VRRP Traps do not appear in Gaia Clish / Gaia Portal after upgrading from R77.
Refer to sk101407.
|01289099, 01289976, 01289977, 01289978, 01312680, 01359227, 01380612, 01395468, 01428848, 01493327
||Gaia OS: "Could not resolve 'Sensor' within the trap 'Trap'" errors in Spectrum CA when importing Check Point 'GaiaTrapsMIB.mib' file.
Refer to sk97410.
|01466901, 01473389, 01467051, 01493167, 01634466
||Gaia OS: SNMP functionality breaks intermittently (stops answering SNMP Queries, stops sending SNMP Traps).
Refer to sk102271.
||Gaia OS: "The value of sensor could not be read" error in /var/log/messages file and SNMP Traps about hardware sensors are sent repeatedly.
Refer to sk101898.
|Gaia OS: Querying Check Point SNMP OID .22.214.171.124.4.1.26126.96.36.199.1.12 returns IPv4 addresses instead of IPv6 addresses.
Refer to sk101231.
||Gaia OS: SNMP Trap for a monitored process that runs under different names generates SNMP Trap Alert although this process is not down.
Refer to sk101446.
||Gaia OS: SNMPD daemon occasionally crashes with a segmentation fault.
Refer to sk103817.
Refer to sk66581.
- Although multiple 'trap2sink' commands were added to /etc/snmp/snmpd.conf file, the 'snmpmonitor' sends traps only to the sink server specified in the last 'trap2sink' entry in /etc/snmp/snmpd.conf file.
- SecurePlatform OS sends SNMP Traps with 'public' community name, although a different community was configured in /etc/snmp/snmpd.conf file.
||Gaia OS / SecurePlatform OS: SNMP configuration per RFC2925 "DISMAN-PING-MIB" does not work.
Refer to sk103817.
|01530562, 01534523, 01579063
||Gaia OS / SecurePlatform OS / X-Series XOS: SNMP v1 query on port 260 (via CPSNMPD daemon) for Check Point OIDs (.1.3.6.1.4.1.2620) returns "Wrong Type (should be INTEGER): Counter32".
Refer to sk105178.
|01455870, 01666037, 01456126, 01555587
||Gaia OS / SecurePlatform OS: SNMP Response for OID .1.3.6.1.4.1.2620.1.5.6 (.iso.org.dod.internet.private.enterprises.checkpoint.products.ha.haState) is "Active" from all members of R77.20 ClusterXL High Availability mode.
Refer to sk106291.
||Gaia OS / SecurePlatform OS: SNMP request for OID 'fwAcceptBytesIn' and OID 'fwAcceptBytesOut' returns '0' on all interfaces.
Refer to sk105395.
|01445626, 01512960, 01561558, 01585337;
01406101, 01433481, 01420495, 01515539;
01421738, 01520921, 01598784, 01614545;
01469339, 01474529, 01614538
|Virtual System does not respond to SNMP query after in-place upgrade to R75.40VS / R76 / R77 / R77.10 / R77.20.
Refer to sk102232.
|01367090, 01436486, 01436558
In VSLS, when a Management interface is disconnected from a cluster member:
- Cannot install policy on Virtual Systems on the member with the disconnected Management interface
- Active Virtual Systems on that member do not failover
||The "vsx_util view_vs_conf" command shows "!NH" for IPv6 interface routes configured on VSX.
Refer to sk105397.
||SNMP query for CPU usage by each Virtual System (OID 18.104.22.168.4.1.2622.214.171.124.2) returns 0 (zero) values.
Refer to sk102434.
||During reboot of Active member in VSX cluster, the state of Standby member is "HA not started" instead of "Active".
Refer to sk98021.
|"NMINST0069 cannot access to the virtual-system" error when a user that is authenticated on RADIUS (rba role 'radius-group-any') connects to Security Gateway in VSX mode over SSH and tries to switch from context of VS0 to other contexts with "set virtual-system <VSID>" command (and output of "show virtual-system all" command is empty).
Refer to sk93507.
||Virtual System in HTTP/HTTPS Proxy mode intermittently stops passing traffic.
Refer to sk103122.
||"cphaprob syncstat" command on VSX cluster member fails with "get_fwha_debug_from_kernel: ioctl failed. size is 2048: Invalid argument".
Refer to sk104059.
|01455016, 01455601, 01636910, 01638700
||VSX machine with enabled IPv6 might crash when running 'netstat' command.
Refer to sk102028.
|01459347, 01465758, 01465937, 01498468, 01547995
||R77.10 / R77.20 VSX Gateway intermittently stops passing traffic during high traffic load.
Refer to sk102310.
||SNMP request for Virtual System's SIC state "vsxStatusSicTrustState" (OID .126.96.36.199.4.1.26188.8.131.52.1.1.8) returns wrong data.
Refer to sk104035.
|01620408, 01629040, 01629043, 01629049, 01629050, 01629051, 01636953
||FWK process might crash with core dump when collecting kernel debug.
|01493208, 01477107, 01646244
||Improved stability of FWK process to resolve traffic being dropped with "Internal system error" log due to RAD timing out.
|01396472, 01396841, 01619725
After issuing 'cpstop;cpstart' commands on the Standby VSX cluster member, the output of 'cphaprob -a if' command shows this state of the Sync interface configured on Bond interface:
- The state of Sync interface as 'UP' in the context of VSX itself (VS0).
- The state of Sync interface as 'DOWN' for each Virtual System.
Refer to sk100450.
|01404063, 01413547, 01409322
||VSX does not generate syslog messages and SNMP traps about Connections Table capacity.
Refer to sk106137.
|01472068, 01499711, 01496518
||Memory leak in RouteD daemon on VSX cluster.
||After VSX Gateway reboot or start of RouteD daemon, static IPv6 routes between Virtual Routers are sometimes deleted.
|01415749, 01481408, 01423985
||VSX cluster member is in 'Down' state after reboot.
If SecureXL is disabled on Virtual System(s) and enabled on Virtual Switch(es), then SecureXL on Virtual Switch(es) would drop CCP packets due to a tagging issue. This causes a pnote 'Interface Active Check' on Virtual System(s) to report its status as 'problem', which in turn causes the VSX cluster member to report its state as 'Down'.
As an immediate workaround, disable SecureXL with the 'fwaccel off' command in the context of the involved Virtual Switch(es).
|01432186, 01436581, 01556086
||MGCP traffic is NATed to port range of 10000.
Refer to sk101587.
|01433546, 01439174, 01499676, 01526701
MGCP Call Agent and Media Gateway are not able to register in this scenario:
- SIP services are used in the rulebase
- MGCP service "mgcp_MG" is not used in the rulebase
Refer to sk102049.
|00545410, 01431240, 01556349
VoIP SIP traffic without the '@' character in the 'FROM' or 'TO' part of the header (i.e., when there is no user) is dropped by IPS with this log:
Attack: Malformed SIP datagram
Attack information: "Illegall 'FROM' user in request packet"
Refer to sk68221.
|Check Point appliances
|01380239, 01381238, 01600716, 01600757, 01612423
||"Error while reading mask" and "fw: Corrupt affinity value Unsupported" errors when running the 'fw ctl affinity -l' command on Check Point appliances 12000 / 13000 / 21000.
Refer to sk99078.
||Policy installation on 1100 appliance object fails with "Commit function failed" error when the IPS "Recommended_Protection" or a manually created IPS profile is assigned to 1100 appliance object.
Refer to sk105217.
||Boot Menu is not seen during boot when connected via LOM card to Check Point Smart-1 25B, Smart-1 225 or 13500 / 13800 appliances.
Refer to sk102178.
|01529412, 01529627, 01560695, 01562794
||Slow traffic / traffic latency through RuggedCom Appliance.
Refer to sk103890.
||Gaia Clish command "show asset memory" returns wrong data on 12200 appliances.
Refer to sk100786.
||On IP Series Appliances running R77.10/R77.20, output of the 'fwaccel conns' command shows interfaces as offloaded to the ADP, even if there is no ADP card installed.
|00266983, 00267068, 01557560
||On IP1280 / IP1285 and IP2450 / IP2455 appliances, the VTT minimal value has to be changed to 1.045V.
Refer to sk92780.