Jumbo Hotfix Accumulator for R77.30 (R77_30_jumbo_hf)
Solution ID: sk106162
Product: All
Version: R77.30 (EOL)
OS: Gaia
Platform / Model: All
Date Created: 17-Nov-2016
Last Modified: 18-Feb-2021
Solution
Table of Contents:
Introduction
Availability
General Availability Take
Important Notes
List of resolved issues in the General Availability Takes
Installation instructions
Uninstall instructions
List of replaced files
Revision History
Introduction
R77.30 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues in different products.
This Incremental Hotfix and this article are periodically updated with new fixes.
The list of resolved issues below describes each resolved issue and provides a Take number, in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). The date when this Take was made available is also listed in the table.
Availability
General Availability Take
Take_351 is the latest General Availability release that can be directly downloaded from Check Point Cloud using CPUSE and from this article:
Note: Effective Oct 6th 2019, General Availability Take_351 is available for CPUSE online installation in Gaia Portal and Gaia Clish (it replaces Take_345).
Notes:
For Smart-1 405 / 410 appliances, it is necessary to install Take_266 and higher (refer to sk117578).
Effective February 17th 2017, the GA Take_216 is available for CPUSE online installation in Gaia Portal and Gaia Clish (it replaces Take_205).
Effective December 15th 2016, the GA Take_205 is available for CPUSE online installation in Gaia Portal and Gaia Clish (it replaces Take_185).
Effective November 10th 2016, the GA Take_185 is available for CPUSE online installation in Gaia Portal and Gaia Clish (it replaces Take_159).
Effective June 20th 2016, the GA Take_159 is available for CPUSE online installation in Gaia Portal and Gaia Clish (first General Availability Take).
For 15000 / 23000 appliances with 40 GbE cards, it is necessary to install Take_162 and higher (refer to sk112517).
For 23900 appliances, it is necessary to install Take_327 or Take_331 and higher (refer to sk107516).
Online installation - use CPUSE identifier either in Gaia Portal, or in Gaia Clish.
Offline installation - use CPUSE offline / exported package either in Gaia Portal, or in Gaia Clish.
Important Notes
Users with extended support for R77.30, who are using Client Authentication, and who need to handle the POODLE Bites vulnerability (CVE-2014-3566) (sk102989), contact Check Point Support to get a Hotfix for this issue.
On Security Gateway running in Amazon Web Services (AWS), it is not supported to install Takes 189 and higher of this Jumbo Hotfix Accumulator when the user's shell is configured to /etc/cli.sh (the default shell).
Before installing Takes 189 and higher, the user's shell must be changed to any shell other than /etc/cli.sh - e.g., /bin/bash, /bin/csh, /bin/tcsh (refer to R77 versions Gaia Administration Guide - chapter "User Management" - section "Users").
After installing Takes 189 and higher, it is not supported to change the user's shell back to /etc/cli.sh.
Each "Take" of this Jumbo Hotfix Accumulator is always based on latest GA Take of Check Point R77.30.
It is not supported to install this Jumbo Hotfix Accumulator using the ISOmorphic Tool (do not add this Jumbo Hotfix Accumulator in the "Select hotfixes:" section of the ISOmorphic Tool).
It is recommended to install Jumbo Hotfix Accumulator on all the R77.30 machines in the environment - Security Gateways / Management Servers / etc. running on Gaia OS.
This Jumbo Hotfix Accumulator is suitable for these products and configurations:
Security Gateway
Cluster
VSX
Security Management Server
Multi-Domain Security Management Server
Standalone machine (Gateway + Management)
Endpoint Security Server
Log Server
SmartEvent Server
SmartReporter Server
There is no conflict between this Jumbo Hotfix Accumulator and the R77.30 Add-On. These two packages can be installed in parallel without any issues on R77.30 Security Management Server / Multi-Domain Security Management Server / Log Server / Endpoint Security Management Server / Endpoint Security Policy Server.
Starting in Take_266, this Jumbo Hotfix Accumulator supports TLS 1.2 in the following products / features:
To get an improved SmartConsole that supports TLS 1.2, refer to sk107166.
For Smart-1 405 / 410 appliances, it is necessary to install Take_266 and higher (refer to sk117578).
For 15000 / 23000 appliances with 40 GbE cards, it is necessary to install Take_162 and higher (refer to sk112517).
On 21000 appliances with SAM card, due to specific stability issues, Take 210, Take 213 and Take 216 should not be installed. Refer to sk116070.
This Jumbo Hotfix Accumulator has to be installed only after successful completion of Gaia First Time Configuration Wizard and reboot.
List of resolved issues in the General Availability Takes
ID
Product
Description
Take 351 (06 Oct 2019) - General Availability Take
PRJ-2376, PRJ-2358
Gaia OS
CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.
PRJ-1330, 02541089
SecureXL
Resolved issue in multicast routing lookup.
PMTR-27365, IDA-1609
Identity Awareness
In some scenarios, the Identity Agent fails to authenticate using Kerberos SSO due to a very large Kerberos ticket, and the agent falls back to User/Password authentication. Refer to sk145832.
PRJ-366, PMTR-33177
Identity Awareness
In some scenarios, when using Load Sharing and the same IP address is used by two different users, users may be able to access, or may be restricted from accessing, resources without proper roles.
Removed an unnecessary identity update during Identity Agent or Terminal Server Agent IP address change that results in corruption of the PEP database.
GAIA-3010, PMTR-23157
Gaia OS
CVE-2018-15473: Username enumeration is possible due to a premature bail-out while dealing with a malformed packet. The issue exists in several authentication protocols.
IDA-1225, PMTR-33364
Identity Awareness
Fixed possible session corruption on PDP side that could lead to unexpected behavior.
Certificate validation: In compliance with RFC 2560 - added support for empty 'nextUpdate' fields in OCSP response.
PMTR-23443, 02757621
Endpoint Security
"Cannot create certificate" error message when a user certificate cannot be enrolled on Endpoint Security VPN client after January 24th 2018. Refer to sk122874.
PMTR-23326, PRHF-1352
Gaia OS
"set fcd revert" command fails, between Take 309 and 343 of Jumbo Hotfix Accumulator for R77.30
PMTR-19536, CLUS-1073
ClusterXL
Improved Cluster stability during policy installation, reduced interface flapping events and high CPU load on the Cluster Gateways. Refer to sk133372
Take 342 (26 Dec 2018) - General Availability Take
PMTR-19062, 02305365
SecureXL
In rare cases, in SIP implementations, a call might disconnect after a few minutes. Refer to sk112913.
PMTR-17227, UP-225
Security Gateway
Fixed SAM rules corruption after reboot.
PMTR-19771, 02645755
Security Gateway, CoreXL
SecureXL forwards non-accelerated packets to the gateway causing it to crash.
PMTR-15680, 02508263
SecureXL
Connectivity issue during policy installation, when NAT templates are enabled between CPUs.
PMTR-15586, PMTR-10842
SecureXL
Reduce/eliminate drops on interface during policy installation under high traffic load.
PMTR-22572, PMTR-3899
HW Accelerator
Additional fixes to resolve crashes for certain conditions with logs indicating "ADP Slot hung."
PMTR-19551, 02694599
Gaia OS
Output of "show message motd" clish command is corrupted if the "motd" message is too long. Refer to sk122199.
PMTR-22724, 02059238
VPN
Improved VPN connectivity when using Diffie Hellman groups 19 or 20 with 3rd parties. Refer to sk112156
PMTR-17522, SWG-1078
DLP
Memory leaks when HTTPS Inspection and Probe Bypass are enabled.
PMTR-19863, 01619775
Security Gateway
Policy installation failure when number of SAM rules is higher than 25000. Refer to sk110560
02763128
Web Intelligence
Enhanced HTTP parser to distinguish between malformed HTTP traffic and valid HTTP traffic that is not RFC compliant, but exists in the real world.
Take 339 (31 Oct 2018)
02669997
Hardware
Improved forensic data collection for SAM stability.
02366690
Gaia OS
Improved stability of CPD process on Multi Domain Server, during hardware sensor reading. Refer to sk114936.
02413299
VoIP
CPU peaks may be experienced when using H323 (VoIP protocol).
IDA-648
Identity Awareness
Improved pdpd stability with AD Query in specific manual configuration overriding per gateway for Account Unit.
02708339
VPN
Improved IKEv2 compatibility in clustered CloudGuard Azure environments. Refer to sk123374.
02436860
Content Awareness
Improved DLP NCR encoding support.
Take 338 (20 Sep 2018) - General Availability Take
02481671
Threat Extraction
When Threat Extraction is configured to block access to original files and to block corrupted/encrypted files (both not default) - The email that indicates that the encrypted/corrupted file has been removed is not received by email recipient.
01850251
Anti-Malware
UDP performance with Threat Prevention was improved.
SA-31
Gaia OS
Fixing an issue which can lead to the loss of connectivity.
02421166, 02482081, 02468381
VPN
Added Azure VPN IKEv2 enhancement. Refer to sk116157.
02431088
VPN
Stability improvements for IKEv2 and Azure gateways.
02058553
VPN
IKEv2 support for more than 8 proposals.
02471564
SSL Inspection
Improved stability of WSTLSD daemon.
IDA-949
Identity Awareness
RADIUS accounting server does not understand accounting-response from Check Point gateway. Refer to sk130532.
01786753
Identity Awareness
AD users with special characters in their names cannot authenticate. Refer to sk131872.
01500409
Identity Awareness
"Group membership of the required account (user or machine) could not be retrieved from the AD. Make sure the account exists in the AD." log is received from Identity Awareness blade when format of RADIUS user is "user@domain". Refer to scenario 6 in sk106133.
IDA-1150
Identity Awareness
Fixed a MUH Agent issue of sending unnecessary MUH updates causing high CPU on PEP. This led to delays with getting identities and could cause connectivity issues.
IDA-735
Identity Awareness
Identities are not synced to PEP if two PDPs report the same network. Refer to sk130373.
Take 336 (21 Aug 2018)
PMTR-20184
Security Gateway
Check Point response to SegmentSmack (CVE-2018-5390) & FragmentSmack (CVE-2018-5391). Refer to sk134253.
PMTR-20189 & PMTR-20188
UserCheck, VSX
In VSX environment, portals are down after uninstalling R77.30 Jumbo Hotfix Take 266 or later, and there are multiple defunct instances of mpdaemon.
02729238
SSL Inspection
Improved accuracy of HTTPS Inspection rule-base matching.
01699431
Mobile Access
Improving stability of SNX roaming feature.
02408359
QoS
VPN Stability improvements in setups with NAT.
PMTR-19603
Gaia
Jumbo Hotfix uninstall causes issues in boot and communication in TEX product line.
01855951
VPN
Improved stability for VPN Remote Access when using tcpt.
Take 331 (26 Jul 2018)
GAIA-2269
Data Center Security Appliances
Added support for 23900 appliances. Refer to sk107516.
02396869
VPN
Improved tunnel stability in site to site setups.
02447010
VPN
"You cannot receive an office Mode IP address because the security gateway does not have a license for Office mode" error on SSL Remote Access VPN client (SNX client / Capsule VPN client / Capsule Connect client / Endpoint Connect client) that tries to connect to a Cluster in High Availability mode. Refer to sk120652
Take 329 (10 Jul 2018) – Not supported on 23900 appliances
02006858
VPN
Improving consistency and stability of supernet encryption domains of gateways with Mobile Access blade.
PMTR-14587
Gaia OS
Security hardening for Gaia WebUI
PMTR-14615
Gaia OS
Security hardening for Gaia WebUI
PMTR-14614
Gaia OS
Security hardening for Gaia WebUI
01944349
Gaia OS
When browsing to the Time page in the GAIA WebUI, two messages are spammed in /var/log/messages (flag is ... and data is...).
02049361
Gaia OS
Intel X520 DP 10Gb DA/SFP+ Server Adapter is not detected by GAIA OS.
01876093
Mobile Access
Adding configurable option to allow compressed https connections to internal servers. Refer to sk128513
PMTR-15763
Gaia OS
Gaia Portal shows blank page after login with Firefox 5x or Chrome 66. Refer to sk121373.
THREATEMUL-4272
Threat Emulation
If Threat Emulation disk space threshold is higher than Log disk space threshold, then Threat Emulation will stop emulation while the logs will continue to accumulate, resulting in the emulation entering fail open.
Take 327 (26 Jul 2018) – to be installed only on 23900 appliances
GAIA-2269
Data Center Security Appliances
Added support for 23900 appliances. Refer to sk107516.
Take 322 (18 Jun 2018)
02725585
Mobile Access
CVPN daemon stability.
Take 320 (11 Jun 2018)
02764970
Gaia OS
lspci utility showing unknown devices on HP G9 server with 4th gen Xeon CPUs.
02764972
Gaia OS
Fixed the output of raid_diagnostics command.
PMTR-9275
Security Gateway
In rare scenarios, CPD process stops working when running for a long time.
02757263
SSL Inspection
Improved resumption handshake behavior in SSL inspection.
02757276
SSL Inspection
Improved handshake handling in case of re-negotiation.
CPDIAG-936
Check Point Diagnostic tool
New cpview capability to collect and present IO data.
Enabled cpview history collection on Management machines
Take 317 (27 Jun 2018) - General Availability Take
02734847
Web Intelligence
Improved non-compliant HTTP handling.
02365162
Multi-Domain Security Management Server
When using the Compliance blade with Management HA, FWM might consume high CPU.
Take 315 (26 Apr 2018)
02329735
Check Point Appliances
Customers using 40 GbE cards with firmware version 12.12.3072 might experience unexpected behavior while using port beacon (ethtool -p) and RMA diagnostics tool. Contact Check Point Support for a new firmware version.
02718182
SSL Inspection
Improved handling of trusted CAs certificates when HTTPS inspection is enabled. Refer to sk122973.
02420344
vSEC VE Security Gateway
vSEC Virtual Edition (running on Azure, AWS, GCP, KVM, Hyper-V) 'too many internal hosts' error in /var/log/messages on Security Gateway. Fix for identifying only VMware platform as vSEC Virtual Edition.
Take 311 (4 Apr 2018)
IDA-650
UserCheck
When users try to access a non-existing page in the portal, they are redirected to the base home page instead of getting an HTTP 404 response.
01678514
DLP
Improved connectivity of DLP and FTPS.
Take 310 (14 Mar 2018)
02694299
Cluster
Deleting last backup IP address from VRRP Interface triggers a transition from master state to backup.
02722259, MCFG-101
Identity Awareness
Captive Portal Kerberos SSO redirection does not work in VSX in new installed VS.
Note: This fix is relevant for any Take of R77.30 Jumbo Hotfix Accumulator between Take 266 and Take 309 (inclusive).
02693681
Gaia OS
fwm logexport -f command does not properly export some fields from the log file to an ASCII file.
Take 309 (26 Feb 2018)
GAIA-1737
Gaia OS
Security hardening for Gaia Clish
Take 308 (19 Feb 2018)
THREATEMUL-1861
Threat Emulation
Integrated Threat Emulation forensics report update capability. For more details, refer to sk120357
02685256
Threat Emulation
Fixed an issue causing Gaia backup size to increase significantly when using Threat Emulation.
IDA-621 (Giraffe)
Identity Awareness
Identity Awareness Feature Pack (including Identity Collector support) scale and quality enhancements. For more details, refer to sk120979.
02449938
SecureXL
SAM enabled interfaces have a maximum MTU of 3950 bytes.
Take 302 (27 Mar 2018) - General Availability Take
02660171
SecureXL
In a very rare scenario, interface state could change midway through handling of fragmented packet causing SAM to crash.
02701723
IPS Blade
In rare conditions, following policy installation with an IPS update, some IPS inspected traffic is being dropped, and message logs include messages like: "FW-1 - ips_cmi_handler_match_cb_ex: signature (XXX) does not have a policy"
02703382
Gaia OS
In some cases, "missing state" is erroneously displayed when checking the disk's status via raid_diagnostic, cpstat and snmpwalk commands.
PMTR-4786
DLP
Stability improvement of dlpu process when DLP blade is enabled.
IDA-636
DLP, User Check
Stability improvement of fwucd process during process exit.
02669195
Multi-Domain Security Management Server
Upon MDS startup in large MDM environments, the fwm process may consume high CPU resources for some time.
Take 301 (16 Jan 2018)
02704101
Security Management Server
After installing R77.30 Jumbo HF take 297, CPD\SNMPD cores are found on the machine.
02685526
Security Gateway
In SmartDashboard, the "Hits" counter in a specific rule does not increase even though traffic was matched to this rule. Refer to sk115098.
02694079
VPN
Simplifying MSS clamping configuration.
02694314
VPN
Improved stability of vpnd daemon.
02528926
SecureXL
Improved stability while pushing policy after extended longevity of 8 months on SAM enabled gateways.
02693271
Gaia OS
PIM hello packets dropped in SmartView Tracker.
02445000
SecureXL
On rare occasions, multiple iterations of multicast join and leave may result in memory leak.
Take 297 (18 Dec 2017)
This Take is not supported with SNMP Monitoring.
01986657
VPN
cpd stability improvements.
02676734
VPN
Remote Access users cannot connect when using a certificate issued by subordinate CA.
02689074
VPN
Prevent defaulting Remote Access TTM Configuration files (such as trac_client_1.ttm) during jumbo installation after installing any Take higher than Take 266 up to Take 294 (inclusive) of R77.30 Jumbo Hotfix Accumulator.
02676736
VPN
IKE negotiation fails when using certificates from subordinate CAs.
02439945
VPN
RIM routes not removed when MEP node fails.
02439913
VPN
RIM routes are not added to the routing table after failover and immediate failback.
02440245
VPN
VPN stability improvements.
02678619
VPN, HTTPS Inspection
Improved stability of WSTLSD daemon during CRL validation.
02655364
Security Gateway
Improved stability when processing VoIP traffic
02661935
Security Management Server
If there are more than ten thousand Binary Large Objects (BLOBs) on the Log Server, there may be a delay before new logs show in SmartConsole after a policy installation.
Improved stability of CPD process in Multi-Domain server, Security Gateway and VSX Gateway.
Take 294 (23 Nov 2017)
02110663
VPN
Tunnel to Azure fails periodically.
02489908
SSL Inspection
Improved SSL handshake for HTTPS inspection.
02674931
Identity Awareness
httpd process repeatedly failing during startup.
Note: This fix is relevant for any Take of R77.30 Jumbo Hotfix Accumulator between Take 266 and Take 292 (inclusive).
For VSX configurations, refer to 02722259 (Take_310).
02575864
VPN
IKEv2 - response is not sent if decoding the request message failed.
02455007
Data Center Security Appliances
On rare occasions (with a very large uptime of more than 250 days), traffic can be dropped after policy installation because a SecureXL template is deleted prematurely from FireWall kernel. Refer to sk119999
02449938
Check Point Appliances
For SAM enabled interfaces, jumbo frames beyond 4k size may cause instability. Hence, for SAM enabled interfaces, the max MTU is limited to 3950.
02478098
UserCheck
UserCheck is not presented because the error page was already triggered by another blade in the same session.
02668257
VSX
When attempting to debug fwk process using the fw debug command, some debugs do not appear correctly.
02658404
ClusterXL
Traffic interruption on VLAN interfaces during policy installation on ClusterXL Load Sharing Multicast mode.
02489933
Gaia OS
Output of dmesg command shows "bonding: bond<N>: Error: bond_3ad_get_active_agg_info failed" when working with 802.3ad link aggregation
02564276
Identity Awareness
After IDA agent sends NACHello request, it receives response with empty portal names.
02582480
Security Management
Policy installation fails on DAIP gateways after changing Domain Server from Standby to Active.
Take 292 (19 Dec 2017) - General Availability Take
02563960
IPS
fwd process or fw_full process on Security Gateway consumes memory at high level after installing Take 206 of R77.30 Jumbo Hotfix Accumulator (sk117655)
02569432
Threat Emulation
When Threat Emulation was configured to send some of the files to the cloud and some locally, the files were sent only locally and not to the cloud. In this release, the configuration in the GUI will take effect and files will be sent to emulation according to the policy.
02659361
ClusterXL
SNMP query returns wrong outputs for haClusterIpTable
02665619
SNX
In rare cases, client running Windows 10 Anniversary update experiences disconnections within SNX tunnel.
02656968
Security Gateway
In rare scenarios, when working with Dynamic Objects, NAT rules are not applied anymore after policy installation or update of software blades signatures. This causes traffic outage for all connections that should undergo NAT.
02536207
VSX
Added:
Ability to query specific Virtual Device directly using the IP address of the Virtual System.
Ability to query SNMP daemons in the contexts of Virtual Devices sent to the IP Address of VSX Gateway itself using SNMPv1, SNMPv2 and SNMPv3.
New OIDs in the SNMP VSX tree:
Memory usage for each Virtual System.
CPU usage for each Virtual System for each core.
02659849
VoIP
Data connections of H323 protocol were not opened correctly in VSX cluster environments.
02660349
DLP, Threat Extraction
Security enhancements for Data Loss Prevention and Threat Extraction blades
02659678
Threat Emulation
Links inside email with Domain suffix (e.g. www.example.com) were emulated as com files.
02661043
SmartLog
Improved stability of "smartlog_server" process when running queries in SmartLog GUI to several Log Servers. Refer to sk112826. Note: This fix is relevant for any Take of R77.30 Jumbo Hotfix Accumulator between Take 198 and Take 286 (inclusive).
02655985
SmartLog
Improved stability of "smartlog_server" process when activating the "Auto Refresh" button in SmartLog GUI (upper right corner) for several hours.
02555984
Security Gateway, Security Management Server, Multi-Domain Security Management Server
Improved memory consumption by FW process and FWD process. Refer to sk117655. Note: This fix is relevant for any Take of R77.30 Jumbo Hotfix Accumulator between Take 206 and Take 286 (inclusive).
02590882
SmartEvent
New events are not created in SmartEvent GUI, and "ERROR: duplicate key value violates unique constraint "seam_event_XXX_pkey"" in $RTDIR/log/cpsemd.elg file. Refer to sk105185.
02532160
SecureXL
For 21000 appliances with SAM card, improved stability of SAM card when running the "cpstop -fwflag -driver" command as a part of kernel memory leak detection procedure. Refer to sk35496.
02401494
VoIP
Improved check for memory allocation failures under heavy load of VoIP traffic.
02573235
VSX
Improved support for Connectivity Upgrade (CU) in VSX VSLS. Note: This fix is relevant for any Take of R77.30 Jumbo Hotfix Accumulator between Take 198 and Take 286 (inclusive).
Take 286 (13 Sep 2017)
02646492
Gaia OS
In very rare cases, Gaia Portal is not accessible after installing any Take higher than Take 226 up to Take 282 (inclusive) of R77.30 Jumbo Hotfix Accumulator.
Take 282 (24 Aug 2017)
02562476
Threat Emulation
Mail Transfer Agent does not process e-mails queued prior to installation/upgrade/uninstall of Jumbo Hotfix Accumulator. Relevant only to Takes 221, 225, 226, 266, 272, and 280. Refer to sk119515.
02567302
HTTPS Inspection
HTTPS Inspection fails occasionally during CRL validation failure.
Take 280 (16 Aug 2017)
02498183
HTTPS Inspection, Security Management Server, Multi-Domain Security Management Server
Applications, Dynamic objects and Domain objects are available for use in the HTTPS Inspection policy, but these objects are not enforced on the Security Gateway. Refer to sk119276.
02498239
Threat Prevention, Security Management Server, Multi-Domain Security Management Server
Domain objects are available in the Threat Prevention policy in the following columns: Source, Destination and Scope, although they are not supported in the Threat Prevention policy.
02557325
Threat Extraction, DLP
Security enhancements for Threat Extraction and Data Loss Prevention blades.
02570146
HTTPS Inspection, Security Gateway
Improved stability of Security Gateway when HTTPS Inspection is enabled and/or Security Gateway is configured as Proxy (this issue is relevant only to Take 272 of R77.30 Jumbo Hotfix Accumulator).
02561565
Anti-Virus, Anti-Bot, URL Filtering
Improved URL recognition mechanism for Anti-Virus, Anti-Bot, and URL Filtering blades.
02548031
Client Authentication Portal
Security hardening for Client Authentication Portal.
02040869
VSX
"kernel: VRF ERROR: Illegal parameters during call to sock_setsockopt() @ net/core/sock.c:<N> : sk_family=<X> sk_type=<Y> sk_state=<Z>" error appears randomly in /var/log/messages file on Active member of VSX cluster. Refer to sk111101.
02552177
Gaia OS
SNMP Query for the following OID trees does not return the expected information (snmpwalk command returns "No Such Instance currently exists at this OID"):
A "malformed protocol name in request" log is seen in SmartView Tracker / SmartLog for HTTP traffic. HTTP traffic that contains "HEAD" request is mistakenly identified as non-compliant HTTP traffic by the HTTP parser. As a result, the connection is rejected/bypassed either according to the non-compliant HTTP settings, or according to the "Fail Open"/"Fail Close" settings.
01778991, 02443602; 02453169
HTTPS Inspection
Improved stability of HTTPS Inspection with enabled Probe Bypass. Refer to sk111600.
02538223
URL Filtering
Improved URL recognition mechanism for Anti-Virus, Anti-Bot, and URL Filtering blades.
02459918
Anti-Virus
Improved inspection of "Unknown" file types according to the Threat Prevention policy (when the option "Process specific file types families" is selected in the Threat Prevention profile - "Anti-Virus Settings").
02524486
Security Gateway
CIFS traffic is dropped on certain CIFS requests.
02519295, 02519439
VPN
Improved stability of VPND process in IKEv2 flows.
02537316
VSX, SmartView Monitor
Virtual Switches in VSX cluster are shown in "PROBLEM" status in SmartView Monitor without any error message. Refer to sk112067.
Take 266 (03 July 2017)
This Take is not supported on Cluster High Availability configured in Bridge mode.
Support for Online Certificate Status Protocol (OCSP): The Security Gateway now validates the certificate from the server (on the Internet) using the OCSP standard, which is faster and uses much less memory than CRL Validation.
-
Mobile Access
Support for Mobile Access Reverse Proxy. Refer to sk110348.
-
Mobile Access
Support for Capsule Workspace App Wrapping. Refer to sk111558.
02517569
Mobile Access
Improved stability of Mobile Access WebMail application.
02531747
Check Point Appliances
Added support for Smart-1 405 and 410 appliances. Refer to sk117578.
02514370; 02429601
Threat Emulation
Large files downloaded over HTTP are not inspected by Threat Emulation blade if they are encoded with "gzip".
02517497
DLP
DLP supports only Microsoft Office versions lower than 2016 (this issue is relevant only to R77.30 Jumbo Hotfix Accumulator).
02508656
SSL Network Extender, Endpoint Security On Demand, SecureWorkspace
Unable to connect with SNX, ESOD and SWS after updating the Java to version 8 update 131. The SNX connection remains at 'initializing' state.
02497785, 02510894
HTTPS Inspection
Improved stability of WSTLSD daemon by removing Issue ID 02439917 (sk109096) that was added in Take 210 (this issue is relevant only to R77.30 Jumbo Hotfix Accumulator - Takes 210, 213, 216, and 225).
02498309
HTTPS Inspection
Connection to an HTTPS web site can get stuck in the following scenario:
HTTPS Inspection is enabled on Security Gateway
"Website categorization mode" is set to "Hold" (in R77X SmartDashboard, go to the "Application & URL Filtering" tab - expand the "Advanced" - click on the "Engine Settings")
The HTTPS web site's category is not in RAD daemon's cache yet (i.e., categorization of this HTTPS web site will require a "Hold")
Fixed Mail Transfer Agent (MTA) enforcement issue.
02513169
Threat Emulation, Threat Extraction
Security Gateway configured as MTA does not forward, or forwards very slowly, e-mails that contain attachments in the TNEF format. Refer to sk117312.
Take 225 (22 Mar 2017)
02486948
Security Gateway, SmartView Monitor
SmartView Monitor incorrectly shows R77.30 Security Gateway as "Disconnected" and its software blades as "not responding". This cosmetic issue appears only after installing Take_221 of R77.30 Jumbo Hotfix Accumulator. Refer to sk116366.
02485155
MTA, DLP, UserCheck
E-mails are not passing through the DLP Gateway configured as Mail Transfer Agent (MTA). Refer to sk116469.
Improved processing of e-mails and attachments when Security Gateway is configured as Mail Transfer Agent (MTA) - improved an internal mechanism that generates random internal IDs for processed e-mails / attachments.
This prevents failures to clean attachments by Threat Extraction blade / strip attachments by Threat Emulation blade.
Take 221 (06 Mar 2017)
02468493
URL Filtering, HTTPS Inspection
Improved Security Gateway stability when URL Filtering and HTTPS Inspection are enabled after installing Takes 209, 210, 213, or 216 of R77.30 Jumbo Hotfix Accumulator.
02057763, 02059521
HTTPS Inspection
Added support of SHA384 and SHA512 hash algorithms that are used by some HTTPS sites to sign their certificates. This specific fix (ID 02325804) was reverted in Take 184 (ID 02366619) to resolve the issue of not being able to open some HTTPS web sites in Chrome browser when HTTPS Inspection is enabled after installing Take 172, Take 174, or Take 178 of R77.30 Jumbo Hotfix Accumulator. Refer to sk112672.
02267698, 02465120
HTTPS Inspection
Some HTTPS sites do not load when HTTPS Inspection is enabled, if TLS 1.2 with ECDHE cipher is used. Refer to sk112954.
02468724
SecureXL
21000 appliance with SAM card is not able to boot after installing Take 210, Take 213 or Take 216 of R77.30 Jumbo Hotfix Accumulator. Refer to sk116070.
02071893
Threat Emulation
New feature in Threat Emulation and Mail Transfer Agent (MTA): Detecting links to malicious files inside e-mails. Refer to sk115313.
02279050
Threat Emulation
New feature in Threat Emulation: Support for encrypted (password protected) archives - Threat Emulation blade tries to decrypt the protected archive and extract it based on a preconfigured passwords dictionary. Refer to sk112821.
02367623, 02369699
Threat Emulation
New feature in Mail Transfer Agent (MTA): File Classifier for MTA - MTA will use the same File Classifier that is used by the Threat Emulation blade, and will be able to detect the real type of a file.
02074197
Threat Emulation
New feature in Mail Transfer Agent (MTA): Ability to configure load balancing / high availability based on the DNS configuration for Mail Transfer Agent (MTA). Refer to sk110369.
02333089
Threat Emulation
New features in Mail Transfer Agent (MTA):
Improved debug messages for MTA flow. During the debug of in.emaild.mta daemon (per sk60387), postfix "Message-ID" will appear in the $FWDIR/log/emaild.mta.elg file on the Security Gateway to assist in the analysis of the e-mail flow.
Logs will be generated (will appear in SmartLog / SmartView Tracker) by the Security Gateway if e-mails are piling up in the queue, or if there has been a delay in e-mail processing. Refer to sk109699 - Section "Control intervals and thresholds for MTA logs".
02002951
Threat Emulation
New features in Mail Transfer Agent (MTA):
Postfix was upgraded to version 3.1. The new Postfix version includes full protection against the "Drown" attack, and serves as a vehicle for other future features, such as LDAP support.
New monitoring utility for Postfix queue - cpqshape. Refer to sk109699 - Section "Troubleshooting" - subsection "Analyze Postfix bottlenecks using the cpqshape utility".
02472626
Threat Emulation
Security Gateway configured as Mail Transfer Agent (MTA) does not forward e-mails that contain more levels of nested MIME content (attachment inside attachment inside attachment, etc.) than configured in the Threat Prevention Profile (Threat Emulation Settings - "Mail (SMTP)" - "Configure...") - such e-mails are discarded due to timeout.
02462393
Threat Emulation
Improved handling of e-mail attachments with long names.
02466877
Gaia OS
"Wrong Type (should be Gauge32 or Unsigned32): INTEGER" message in SNMP Response. Refer to sk115119.
01951357, 02388316
Gaia OS
/var/log/messages file shows the line "sshd[<PID>]: pam_radius_auth: Got response from RADIUS server" even when the RADIUS server is not accessible.
01961177, 02388317
Gaia OS
The "Network Interfaces" page in the Gaia Portal does not load if the text string "NAN" or "inf" is saved in the interface's "Comment" field.
02466343
Gaia OS, VSX
"Wrong Type (should be INTEGER)" errors when querying SNMP OID 'vsxCountersTable' (.1.3.6.1.4.1.2620.1.16.23.1) on VSX Gateway. Refer to sk109469.
02466231
VSX
Commands executed in Gaia OS on VSX Gateway are logged in /var/log/messages file without VSID of Virtual Systems. Refer to sk113128.
02465996
VPN
In certain cases, depending on encryption domain configuration, the "ike_enable_supernet" parameter (refer to sk101219) does not create the correct supernetting pattern - the subnet mask does not correlate to the original subnet mask that was defined by the user.
02450974, 02454119
SSL Network Extender
"Cannot establish connection to SSL Network Extender gateway. Try to reconnect." error from SNX client on Mac OS X / macOS after disabling both RC4 and 3DES cipher suites on the Mobile Access Gateway. Refer to sk116156.
02331736
Mobile Access
Occasionally, the Mobile Access Deployment Agent fails to invoke SNX, ESOD Compliance or SecureWorkspace in Firefox browser. "Java unavailable" error message is displayed to the user.
02440490
Security Management Server, Multi-Domain Security Management Server
"Bad Response format" error in SmartDashboard when enrolling a VPN certificate using SCEP from the external CA based on Windows Server 2008 and higher. Refer to sk106405.
Take 216 (17 Feb 2017) - General Availability Take
On 21000 appliances with SAM card, this Take should not be installed (refer to sk116070).
If Bond or Bridge interfaces are configured on the Security Gateway, then the following cosmetic message is displayed on the screen during boot, or when executing the "cpstart" / "sim affinity" commands:
basename: missing operand
Try basename -help for more information.
Take 213 (05 Feb 2017)
On 21000 appliances with SAM card, this Take should not be installed (refer to sk116070).
02442459; 02443332; 02442078; 02443892
DLP, Threat Extraction
R77.30 Security hotfix for DLP and Threat Extraction blades. Refer to sk115596.
02448398
Threat Extraction
Added ability to block corrupted files that could not be emulated
Added ability to block access to original corrupted files that could not be emulated
Take 210 (25 Jan 2017)
Note: This take replaces Take 209 released on 25 Jan 2017.
On 21000 appliances with SAM card, this Take should not be installed (refer to sk116070).
02419870
URL Filtering, HTTPS Inspection
Access to HTTPS sites is intermittent - web site opens only after the user refreshes the page several times when URL Filtering blade and HTTPS Inspection are enabled. Refer to sk115638.
02344419
Security Gateway
Intermittent access to some web sites because in.ahttpd process constantly consumes CPU at 100% in certain scenarios. Refer to sk106916.
02045637, 02389862
Security Gateway
Proxy ARP table is not loaded when Bond interface changes MAC address during reboot. Refer to sk111675.
01963489, 02388707
Security Gateway
The Client Authentication in.ahclientd process crashes with core dump files.
02356285, 02419742
Security Gateway
H.323 VoIP call drops after exactly one hour because Keep Alive "ACK" packets are not forwarded to the VoIP client. Refer to sk113749.
01873031, 02387645
Security Gateway
"Via" field in HTTP Request sent to a web server by Security Gateway in Non Transparent proxy mode contains incomplete HTTP version. Refer to sk108900.
01709059
Security Gateway, Cluster, SecureXL
"Error: bond_3ad_get_active_agg_info failed" in the output of "dmesg" command when using 802.3ad mode. Refer to sk110344.
02368502, 02419738
SecureXL
In rare cases, Security Gateway with enabled SecureXL crashes during policy installation when SAM card is not installed on 21000 appliance. Refer to sk114153.
02399631, 02441021
Cluster
"Try to update state to ACTIVE because member is down and state might should be changed" message in /var/log/messages file. Refer to sk115228.
02079428, 02394915
Cluster, SecureXL
ClusterXL in Load Sharing mode with SAM card installed may restart when an interface is administratively shut down (e.g., with 'ifconfig ethX down' command).
02434403
CoreXL
"BUG: soft lockup - CPU#X stuck for 10s! [fw_worker_Z:...]" appears repeatedly in /var/log/messages file
When VLAN interfaces are configured, the /var/log/messages file repeatedly shows:
;FW-1: _fwhamultik_set_mem: changing IF_UNIQUE(i) from X to Y(changed by [fwhaif.c:N]);
;FW-1: _fwhamultik_set_mem: changing IF_UNIQUE(ifn) from Y to X(changed by [fwhaif.c:M]);
"SmartView Monitor error has occurred (error code: 2147483647)" pop-up in SmartView Monitor GUI when viewing data from a VSX Gateway / VSX Cluster Member. Refer to sk112154.
01931909, 02420752
VSX
If there are interfaces on VSX Gateway / VSX Cluster Members, whose name is longer than 11 characters, then the following occurs:
"Illegal routing gateway or interface retrieved from the VSX GW" error when creating a new VSX Gateway / VSX Cluster object.
Result of SNMP Query for OID .1.3.6.1.4.1.2620.1.6.6 (iso.org.dod.internet.private.enterprises.checkpoint.products.svn.routingTable) does not show those interfaces.
Sign out from Mobile Access Portal does not run applications that were configured to run at SNX disconnection.
02421847; 02424129
Mobile Access
Login page of Apache Guacamole web application is blank when published via Mobile Access using Path Translation. Refer to sk134075.
02395361, 02414919
Mobile Access
"Error:Request Time-out" message when trying to upload files larger than 5 MB via Outlook Web App (OWA). Refer to sk114695.
02422452
Identity Awareness
Configuring ADQuery with a non-administrator user without membership in "Server Operators" group. Refer to sk104900. This option will be fully available in future Takes. A relevant note about it will be published.
02422440
Identity Awareness
Decreased the timeout for WMI query (ADQuery) from 30 min to 5 min.
01817285, 02422448
Identity Awareness
"Status: At least one DC is currently disconnected" when running "cpstat identityServer -f default" command on Identity Awareness Gateway. Refer to sk107838.
02367904
Gaia OS
Improved behavior of the routed daemon on cluster members: OSPF Hello packets are now forced to be sent out even when the routed daemon is busy processing the LS Updates, SPF calculation or synchronizing OSPF routes to other cluster member. Refer to sk95968 and sk115117.
02441209
Gaia OS
In rare cases, the confd process might trigger high CPU load on Check Point appliance (that has LOM card installed), if more than 512 "show asset lom-info" / "show asset all" commands were invoked. Refer to sk115634.
02413967
Gaia OS
In some configurations (where one of the Power Supply Units is not plugged to a power outlet), the following message might appear in /var/log/messages file: xpand[PID]: [ERR] i2c_smbus_read_byte_data STATUS_WORD 0x2848. Refer to sk112829.
02110490, 02110665
Gaia OS
The routed daemon crashes in rare scenario, if PIM is configured and machine is rebooted when all network cables are disconnected. Refer to sk112251.
02434509
VPN
When IKEv2 is used in Site-to-Site VPN tunnel, the "IKE current SAs" value in the output of the "cpstat -f IKE vpn" command is larger than the actual number of IKE SAs in the kernel as seen in the output of the "fw tab -t ikev2_sas -s" command.
02436837
VPN
VPN Central Gateway drops SIP RTP traffic between the SIP Call Manager and the phone behind VPN Satellite Gateway, where the SIP call was initiated. Refer to sk111839.
02439917
VPN
In certain scenarios, if the corresponding Certificate Revocation List (CRL) is very long, the vpnd daemon consumes the CPU at 90-100% for several minutes after policy installation. Refer to sk109096.
01877490, 02429368
SmartEvent, SmartReporter
"Dev Mode: ON - Syntax error" in SmartEvent / SmartReporter reports when creating reports from SmartEvent Intro GUI client.
SmartEvent / SmartReporter reports are missing full pages.
In rare scenario, Security Gateway with enabled SecureXL crashes during policy installation. Refer to sk111411.
01952431, 02420157
VPN
IKEv2 fails repeatedly with "Message::addPayload: Too many payloads" error in the debug of the vpnd daemon. Refer to sk110156.
01933566, 02420155
VPN
Improved stability of the vpnd daemon when handling Visitor Mode traffic.
01877586, 02420570
SmartReporter
SmartReporter PDF reports are displayed in landscape view, and the tables are not displayed in proportion to the page layout. Refer to sk104840.
02387947; 01835442
Security Gateway
Issues related to Suspicious Activity Module (SAM) rules:
SAM rules do not survive reboot, and therefore SAM policy is not enforced.
Policy installation after rebooting the Security Gateway fails in SmartDashboard with: Error Reason: Load on Module Failed - Failed to Load Security Policy
Fetching the policy on Security Gateway under debug shows: fw_sam_recover_state: failed to read XXX entries
Attempting to review the SAM kernel table fails:
# fw tab -t sam_requests -s
Cannot read the formats structure from localhost: No such file or directory
Check Point response to CVE-2016-2183 (Sweet32). Added the fix for Mobile Access curl - for SSL connections from Mobile Access Gateway to internal servers. Refer to sk113114.
02421829
Mobile Access
Issue when publishing a web application that uses WebSocket in Mobile Access.
01949612
Mobile Access
When using Mobile Access blade, error occurs in web application as a result of an incorrect HTTP code from destination web server. Refer to sk109040.
02418422
Check Point appliances
Updated the "sysObjectID" for 3200 / 5000 / 15000 / 23000 / Sandblast Threat Emulation TE100X, TE250X, TE1000X, TE2000X appliances in the chkpnt.mib file. Refer to sk90470.
Take 206 (26 Dec 2016)
02359254, 02412348
Security Gateway, Security Management Server, Multi-Domain Security Management Server
In rare scenarios, the fwd process or fw_full process on Security Gateway consumes memory at high level and crashes with core dump file. Refer to sk113736.
02329308, 02386581
Security Gateway
In rare scenarios, Security Gateway crashes with kernel panic when connecting to web sites that prefer AES GCM (Galois Counter Mode) cipher. Refer to sk113873.
Some web sites do not load completely when connecting through Check Point Security Gateway configured as Proxy in Non-Transparent Mode. Refer to sk114736.
02295419, 02397150
Mobile Access
SSO Kerberos Authentication is not triggered in Mobile Access Web Application when 'SPNegoTokenRequested' header is being sent by the internal Web Server. Refer to sk114555.
02334659
SecureXL
Improved stability of SAM card.
02420705
Security Gateway
"sip reason: Too many streams in SDP" drop log in SmartView Tracker when passing VoIP SIP SDP messages that exceed 4 streams. Refer to sk93752.
02400714
vSEC Virtual Edition
vSEC Virtual Edition (running on Linux KVM) might hang during its boot under heavy traffic load.
02390872
vSEC Virtual Edition
vSEC Virtual Edition (running on Linux KVM) exhibits low network performance when working with Virtio network configuration (issues with virtio_net driver).
02397378
vSEC Virtual Edition
vSEC Virtual Edition (running on Linux KVM) is not able to configure SecureXL SIM Affinity for Virtio interfaces.
02404454
vSEC Virtual Edition
vSEC Virtual Edition does not support SR-IOV for following Intel network adapters: 82599, x540, x550 (issues with ixgbevf driver).
02402663
SmartReporter, SmartEvent
The 'evs_backup' command sometimes fails with "Failed to start postgres service" due to long database startup duration. Refer to sk104839.
Take 205 (15 Dec 2016) - General Availability Take
02390116
Check Point Appliances
/var/log/messages file might show the following on 23500 appliance: xpand[PID]: [ERR] i2c_smbus_read_block_data failed <X>
SNMP Trap for Power Failure / PSU Failure might be sent at the same time.
02413912
HTTPS Inspection
The wstlsd daemon might crash.
02405257
Threat Extraction
"An error has occurred while extracting file" message in Threat Extraction log when processing an attached image file. Refer to sk115107.
02357493
Security Gateway, Threat Emulation
Firewall-1 information is not restored from a Gaia OS backup file when Threat Emulation is enabled. Refer to sk113594.
Take 198 (23 Nov 2016)
-
Check Point Appliances
Support for the new improved R77.30 Gaia image (released 16 Dec 2016) for 3200 / 5000 / 15000 / 23000 / TE100X / TE250X / TE1000X / TE2000X appliances.
-
Threat Extraction
Threat Extraction image cleaning and other enhancements hotfix. Stability and quality fixes resolving issues, as well as new features on Threat Extraction products. Refer to sk114613.
02005542
Threat Extraction
Ability to add support for new file types in Threat Extraction. Refer to sk112240.
02387864
All
Check Point response to CVE-2016-5195 (Dirty Cow). Refer to sk114161.
02297576
SmartLog
Issues with SmartLog GUI in Multi-Domain environment with multiple Domain Log Servers:
"Server is disconnected!" message for connected clients
SmartLog GUI fails to open; sometimes, it loads to 35%, and then displays a message that SmartLog is unreachable
Running the smartlogstop;smartlogstart commands resolves the issue only temporarily.
01984127, 01984392
SmartLog
SmartLog GUI of Global SmartLog does not sort the logs by time when running a query. Refer to sk112826.
01935060, 01936585
SmartLog
In some records, the Origin field in SmartLog is displayed with 0.0.0.x format. Refer to sk109820.
01910154, 02386501
SmartLog
The smartlog process crashes occasionally on R77.30 Log Server that runs SmartLog. Refer to sk114417.
01725423, 01725724
SmartLog
SmartLog GUI freezes occasionally, and it is not possible to log in to SmartLog GUI again. Refer to sk107153.
01710875, 01711097
SmartLog
After upgrade to R77.30, SmartLog becomes non-responsive. The "smartlog_server" process consumes CPU at 100%. Refer to sk106782.
01702895, 01703025
SmartLog, Multi-Domain Security Management Server
Global SmartLog R77.30 does not show logs from remote Multi-Domain Server. Refer to sk106600.
01864909, 01865057
SmartLog, Multi-Domain Security Management Server
"User" column in Global SmartLog GUI shows asterisks "******" instead of "User@Domain". Refer to sk108771.
02387363
Mobile Access
Mobile Access Web Form SSO login fails if the password contains special characters (e.g., exclamation sign "!", asterisk "*", plus "+", minus "-", etc.). Refer to sk114458.
01982715, 02385180
Mobile Access, VSX
SNX packages are not updated on VSX Gateway in the contexts of Virtual Systems during the installation of R77.30 Jumbo Hotfix Accumulator. Refer to sk114624.
01939363
SecureXL
"sim dropcfg -l" command incorrectly shows "Enforced on external interfaces only". Refer to sk109960.
02358210, 02364750
Cluster
VRRP Backup member on Gaia OS sends BGP traffic to BGP peers. Refer to sk114265.
02079535
Cluster
Dynamic Routing routes are not synchronized during Connectivity Upgrade (CU), which causes outage during the CU fail-over. Refer to sk107042 - section "(3) Upgrade paths with Dynamic Routing synchronization".
01961260, 02381185
Cluster, CoreXL
Traffic between ClusterXL members is dropped randomly. Refer to sk110312.
02367867, 02369381
Cluster, Gaia OS
Improved stability of the routed daemon on Standby cluster member.
02367871, 02369379
Cluster, Gaia OS
Improved behavior of the routed daemon on cluster members: Wait at least 15 seconds after the routes are synchronized between cluster members to bring the Critical Device "routed" back to the "up" state. This gives the routed daemon enough time to run the SPF calculation and push OSPF routes down to the kernel.
01995709, 01996404
CoreXL
The "fw -i <id> ctl pstat" command shows "memory used: 0%". Refer to sk110881.
01852502, 02388218
CoreXL
Session Authentication fails for all connections when CoreXL is enabled on Security Gateway. Refer to sk109838.
02361143
Appliances
Multi-Queue does not work on 3200 / 5000 / 15000 / 23000 appliances when it is enabled for on-board interfaces. Refer to sk114625.
02333130; 02382905
VPN
Traffic over VPN tunnel does not pass for several seconds during policy installation on Security Gateway (which causes traffic loss). Refer to sk55244.
Take 189 (07 Nov 2016)
01961629, 01965728
Gaia OS
All OSPF routes are lost after configuring "Add redistribution from Aggregate" in Gaia Portal. Refer to sk110337.
02355536
Gaia OS
mail daemon writes its logs to the /var/log/messages file although the "mail.none" directive was added to the /etc/syslog.conf file.
cron daemon writes its logs to the /var/log/messages file although the "cron.none" directive was added to the /etc/syslog.conf file.
02325549
VPN
When using AES-128 with SHA256, negotiation succeeds, but VPN tunnel fails. Refer to sk111132.
02364953
VPN
Site-to-Site VPN with 3rd party DAIP Gateway fails with "no proposal chosen" error. Refer to sk114834 (Scenario 1).
02008783, 02351118
Cluster
Cluster member with highest priority is not able to become new Active after changing the Members' Priorities. Refer to sk110999.
02351092
Cluster
Only lowest VLAN is monitored on Bond interface, instead of lowest and highest. Refer to sk106776.
02273695, 02366138
SecureXL
Improved stability of SAM card when processing the handled notification for a connection that was created from a template in SAM card.
02366189
SecureXL
DHCP Relay / DHCP Server stops working on ClusterXL with enabled VMAC mode after installing Takes 128, 138, 143, 145 of R77.30 Jumbo Hotfix Accumulator. Refer to sk111588.
02057286, 02366103
SecureXL, Cluster
Cluster member might crash when processing a NAT connection, if SecureXL is not enabled on all cluster members. Refer to sk111888.
01916191, 01932799
Identity Awareness
If an access role is set to have identified machines, it will sometimes disappear from sessions (refer to the output of "pdp m a" command) that have user and machine sessions. As a result, users can lose access to resources. Issue is most likely to occur when using access role with identified machines in policy and working with sessions with both user and machine.
02350625, 01941785
Threat Emulation
SmartView Tracker / SmartLog does not show all e-mail recipients when an e-mail is received through the Mail Transfer Agent (MTA). Refer to sk114416.
02380610
Threat Emulation
Fixed Mail Transfer Agent (MTA) protection bypass. Refer to sk114664.
02366239
Application Control
Memory leak on loaded Security Gateway with UserCheck rules in the policy. Refer to sk110362.
02370708
SmartEvent
"ERROR: duplicate key value violates unique constraint "seam_event_XXX_pkey"" in $RTDIR/log/cpsemd.elg file. Refer to sk105185.
02135303, 02364625
Multi-Domain Security Management Server
Global Policy assign fails with "There is already local object with the name: <Name> among the Domain Management Server's objects" error. Refer to sk112342.
Take 185 (20 Oct 2016) - General Availability Take
02332164, 02350096
Data Center Security Appliances
Hardware Sensors on 15000 and 23000 appliances show zero (0) values after completing the Gaia OS First Time Configuration Wizard. Refer to sk112829.
01960960, 02342230
Security Management Server, Multi-Domain Security Management Server
The fwm process crashes after the size of $FWDIR/tmp/fwmtrace.log file reaches 2GB limit. Refer to sk105579.
01820334, 02364974
Security Gateway
Security Gateway might crash after running 'cpstop' command if MSS Adjustment (Clamping) for IPsec VPN traffic is enabled (fw_clamp_vpn_mss=1). Refer to sk101219.
01912515, 02364959
SecureXL
Connections are broken for short time after disabling SecureXL, or after installing a policy. Refer to sk109468.
Take 184 (13 Oct 2016)
02366619
HTTPS Inspection
Removed support of SHA384 and SHA512 hash algorithms (that was integrated in Take 172 as ID 02325804) that are used by some HTTPS sites to sign their certificates. Refer to sk112672.
02352496
Check Point Appliances
Check Point Appliance might freeze and not reboot in the following scenario:
Threat Emulation blade is enabled
KVM is enabled
Kernel crash / panic occurs (kdump or kdb)
02359428
VoIP
VoIP data on non-encrypted connection is dropped with "Failed to initialize data connection paramters" log.
02339267
Gaia OS
Some eBGP routes are advertised with the source IP address of BGP peer as the next-hop, instead of the next-hop configured in routemap. Refer to sk112834.
02361295
Gaia OS
Routes get stuck in the OSPF database even though they were deleted from Linux kernel (issue might mostly occur for RIM routes not being removed when a VPN tunnel is dropped).
01996800, 02356078
Gaia OS
The routed daemon might crash when working with PIM Sparse Mode.
02070300
Gaia OS
"getaddrinfo: "::1" invalid host address" message appears repeatedly in the /var/log/messages file after enabling NTP while IPv6 is disabled.
01818839, 02336244
VPN
Randomly, new VPN tunnels are not being established with the peers. Randomly, traffic is not passing over multiple VPN tunnels. Refer to sk113837.
02325549
VPN
Security Gateway / Cluster member might crash / go into kernel panic during policy installation if using AES encryption and AES-NI is enabled.
02351733
VPN
IPsec SAs are deleted when value of configuration parameter ike_keep_child_sa_interop_devices is set to "true". Refer to sk105860 (Scenario 4).
02336379
Security Management Server, Multi-Domain Security Management Server
User is not able to re-connect with any SmartConsole application to Security Management Server. Refer to sk105860.
02340121
Security Management Server, Multi-Domain Security Management Server
"Bridge uses two different VLAN tags for interfaces. This configuration cannot be used with Active-Active bridge mode" error when creating a Virtual System in Bridge mode. Refer to sk107972.
01993128, 01994944
Security Management Server, Multi-Domain Security Management Server
Users are deleted after installation of R77.30 Management Add-on. Refer to sk110887.
02013718, 02015361
Security Management Server, Multi-Domain Security Management Server
"Where used" does not show results while logged into Log Server with SmartDashboard. Refer to sk111077.
02340062
Multi-Domain Security Management Server
Global Policy assignment problem after failing IPS update. Refer to sk110498.
02337143
Threat Emulation
Improved Mail Transfer Agent (MTA) ability to insert a text-only disclaimer into e-mails that have no body.
01825619, 01962131
Security Gateway, Cluster, VSX
Security Gateway / Virtual System might crash due to double record of a connection in Connections Table. Refer to sk110476.
Take 178 (29 Sep 2016)
This specific Take package was recalled for additional testing. Users who have already installed this specific Take should install either Take 184, or a hotfix from sk112672.
02349820
Threat Emulation
Added support for SHA-256 based certificates for Threat Emulation Engine self-update. Refer to sk113333 and sk103839.
Take 174 (22 Sep 2016)
This specific Take package was recalled for additional testing. Users who have already installed this specific Take should install either Take 184, or a hotfix from sk112672.
02346611
HTTPS Inspection, Mobile Access, Mobile Access Portal, Identity Awareness Portal, ICA Portal, SmartManagement Portal, SecurePlatform WebUI
Check Point response to CVE-2016-2183 (Sweet32). Refer to sk113114.
02348603
Security Gateway
Security Gateway might crash if a connection that was closed, but was not yet deleted from the Connections table is reused.
02331952, 02331960
Cluster
"Warning! No active machines were found" message in /var/log/messages file on ClusterXL Load Sharing Unicast members. Refer to sk105063.
01989782
Gaia OS
Routes redistributed by Gaia OS to BGP peer are sent without BGP community value. Refer to sk110563.
Take 172 (01 Sep 2016)
This specific Take package was recalled for additional testing. Users who have already installed this specific Take should install either Take 184, or a hotfix from sk112672.
02325804
HTTPS Inspection
Added support of SHA384 and SHA512 hash algorithms to resolve a failure accessing some HTTPS sites if the site's certificate is signed with SHA384 / SHA512 hash algorithm. Important Note: This specific fix was reverted in Take 184. Refer to sk112672.
Security Gateway becomes unresponsive and memory consumption increases when HTTP traffic passes through. Refer to sk109801.
02103280
Security Gateway
Check Point Response to Logjam Vulnerability CVE-2015-4000. Refer to sk106147.
02336294
Security Gateway
The cpd process crashes on Security Gateway during Anti-Virus update, when both Primary and Secondary Management Servers are not accessible from the Security Gateway. Refer to sk110684.
02049960
DLP, Threat Emulation
Added ability to monitor the Postfix process by WatchDog. Refer to sk111783.
02194784
Gaia OS
Improved handling of a scenario where VRRP cluster members are communicating with two OSPF neighbors advertising the same routes, where one OSPF neighbor has a lower metric than the other:
When the OSPF neighbor with lower metric goes down, OSPF routes are re-installed on the VRRP Master member with the new nexthop. However, when the OSPF routes with the new nexthop are synchronized to the VRRP Backup member, instead of deleting the old nexthop and installing the new one, the VRRP Backup member just adds the new nexthop. Output of Expert command "route -n" shows an OSPF route to a destination with two separate nexthops, which is incorrect. Output of Clish command "show route" shows the correct single nexthop.
02054453
Gaia OS
"Performance Optimization" page in Gaia Portal is either stuck at "Please wait a few moments while the data is loaded..." pop up, or freezes when applying changes to CoreXL or Multi-Queue configuration on 15000 / 23000 appliances. Refer to sk112897.
02209721
CoreXL
Although CoreXL Affinity was configured to assign only a specific process to certain CPU cores, some interfaces are still being assigned to those CPU cores. Refer to sk110940.
02296180
CoreXL
Session Authentication fails for all connections when CoreXL is enabled on Security Gateway. Refer to sk109838.
01863108; 02220278
CoreXL, SecureXL
After upgrading a Security Gateway with enabled CoreXL on machine with 2 CPU cores (i.e., each CPU runs a CoreXL FW instance and as SND) to R77.30, only CPU0 is handling IRQs, and CPU1 is not handling any IRQs - all interfaces are affined only to CPU0 (i.e., each CPU runs a CoreXL FW instance, but only one CPU runs as SND). Refer to sk110422.
02290247
IPS
When transferring a large file via FTP, fw_worker process consumes 100% CPU. Refer to sk105411.
02334185
Application Control
When Security Gateway configured as proxy, Skype is blocked by Application Control. Refer to sk113124.
01669385
Threat Emulation, Anti-Spam
Improved stability of in.emaild.mta process and mdq process.
02182146, 02327167
SecureXL
Improved stability of SAM card.
02113430, 02327965
SecureXL
Improved stability of SAM card when processing a mix of multicast and unicast traffic.
02162414, 02328150
SecureXL
Improved stability of SAM card when processing multicast traffic.
02164796, 02328938
SecureXL
Improved stability of SAM card when processing multicast traffic.
02171440, 02329106
SecureXL
Improved stability of SAM card when processing multicast traffic.
02114009, 02328096
SecureXL
Improved stability of SAM card when connections are deleted from the Connections Table.
02135463, 02329152
SecureXL
Improved stability of SAM card when running the tcpdump utility.
02164746, 02329227
SecureXL
Improved stability of SAM card under large amount of traffic.
02326054, 02326630
VPN
The vpnd daemon might crash when running under debug (per sk89940) and SNX user connects and authenticates on Security Gateway.
02337360
VPN
Improved Security Gateway stability.
01888621, 02221764
Cluster
NAT rule installed on cluster does not hide the Source IP address behind the Cluster VIP address if the packet is sent to Cluster VIP address. Refer to sk113163.
01971837, 02290543
Security Management Server, Multi-Domain Security Management Server
"Gaia OS Best Practices" on the Compliance tab of SmartDashboard shows status "N/A" for clusters. Refer to sk110474.
01940333, 02332728
VPN, Security Management Server, Multi-Domain Security Management Server
"Warning: on gw 'Name_of_Security_Gateway', for the range (127.0.0.1, 127.0.0.1), peers were found in communities 'Name_of_Community_1' and 'Name_of_Community_2', peers from the second community will be ignored" during policy installation. Refer to sk110562.
02257309
Multi-Domain Security Management Server
SmartUpdate in MDS level shows different licensing information than SmartUpdate in Domain level. Refer to sk98898.
Take 171 (25 Aug 2016)
-
Mobile Access
Stability enhancement for Windows 10 support.
Take 165 (08 Aug 2016)
-
Enterprise Appliances
Added support for 5000 appliances. Refer to sk110053.
-
Small and Medium Business Appliances
Added support for 3200 appliances. Refer to sk110052.
01951006, 02152601
Small and Medium Business Appliances, Enterprise Appliances
"Factory" button on the front panel is now functioning on 3200 and 5200/5400/5600 appliances.
02158983; 02159087; 02159457
HTTPS Inspection
Added support for ECDH p-384 elliptic curve (to resolve an issue with specific HTTPS sites that use ECDHE ciphers not being accessible when HTTPS Inspection is enabled). Refer to sk110883.
02009223
SecureXL
Improved performance on Security Gateway configured in Monitor Mode (Mirror Port mode) per sk101670. Refer to sk112798.
01957968
Cluster
Previously reachable BGP routes are still advertised to BGP peers on ClusterXL after switch that connects these members goes down.
Take 164 (01 Aug 2016)
02173793
Mobile Access, VSX
Mobile Access Portal on VSX Gateway is unresponsive with "HTTP 500" error after installing takes between Take_143 and Take_162 of R77.30 Jumbo Hotfix Accumulator because $CVPNDIR/template/phpincs/php-ews/ExchangeWebServices.php file is not copied to the contexts of Virtual Systems. Refer to sk111677 (Scenario 2).
01712179
Security Gateway
ISP Redundancy in Load Sharing mode is disabled when Non-Transparent Proxy is defined. Refer to sk111678.
02167277
Application Control
Improved stability.
Take 162 (20 July 2016)
02159332
Data Center Security Appliances
Added support for 40 GbE fiber cards on 15000 / 23000 appliances. Refer to sk112517.
02150866
Security Management Server, Multi-Domain Security Management Server
The cpd daemon might crash when working in SmartProvisioning GUI with ROBO Gateways (e.g., when clicking on "Get Actual Settings").
02151317
Security Management Server, Multi-Domain Security Management Server
"Communication has been aborted by the peer" error in SmartDashboard connected to Active Security Management Server / Domain Management Server in High Availability mode, after the state was changed from Active to Standby for the third time. Issue occurs when the state is changed while the fwm processes run under debug (per sk86186/sk33207) on both Primary and Secondary Security Management Server / Domain Management Server.
02082365
Security Management Server, Multi-Domain Security Management Server
Pushing VSX configuration fails with "Internal Error - Failed to commit changes in the OS". Refer to sk103844.
02103175
Security Management Server, Multi-Domain Security Management Server
Memory leak in the cpd daemon when thresholds are enabled with "threshold_config" command. Refer to sk111880.
02103182
Security Management Server, Multi-Domain Security Management Server
Memory leak in the cpd daemon (in licutil) causes the daemon to crash (due to exhaustion of available memory).
01911675, 02103172
Security Management Server, Multi-Domain Security Management Server
Memory leak in the cpd daemon (in cpmon) causes the daemon to crash (due to exhaustion of available memory).
02098132
Security Management Server, Multi-Domain Security Management Server
In Management HA environment, the fwm daemon might crash during an attempt to delete Security Gateway / Cluster object in SmartDashboard. Refer to sk110748.
02151722
Multi-Domain Security Management Server
The fwm daemon on MDS server might randomly crash during assignment of Global Policy.
02150810
Multi-Domain Security Management Server
Assignment of Global Policy might fail randomly with "Failed to open connection with Domain Management Server or connection with Domain Management Server ended unexpectedly" error message.
02150773
Multi-Domain Security Management Server
Removal of Global Policy with IPS might fail with:
error: Failed to (delete) object (<UID>) from table (asm) in Domain Management Server database. Error received: (Object References Deletion Failed - Failed to remove references of object <UID>) error: Disconnected from Domain Management Server. Check Domain Management Server status. Operation failed.
in the following scenario:
Domain Management Server is subscribed to Global Policy with IPS
Compliance blade is enabled on Domain Management Server
Alternatively, removal of Global Policy with IPS might end successfully, but the global IPS profile is not removed.
02150871
Multi-Domain Security Management Server
Assignment of Global Policy might freeze randomly because the fwm mds fwmconnect process hangs.
02150774
Multi-Domain Security Management Server
Assignment of Global Policy might fail randomly, and core dump files for the fwm process are generated (with size of 2 GB) after running mdsstop ; mdsstart commands.
Traffic over VPN tunnel does not pass for several seconds during policy installation on Security Gateway (which causes traffic loss). Refer to sk55244.
02151898; 01959895, 01987676
VSX
Virtual Systems are "Down" after reboot of VSX Cluster Member. Refer to sk110073.
02024874
Gaia OS
Apache HTTP server daemon (httpd) crashes with core dump file during shutdown of Gaia OS.
Take 161 (14 July 2016)
02043721
Anti-Virus
"cmi_execute_ex: cmik_loader_fw_context_match_cb(context_apps=1000 buf_len=14) failed;" message appears repeatedly in /var/log/messages file on Security Gateway.
02066100
Identity Awareness
Machine sessions that are used by various users receive an incorrectly large session timeout (TTL is set to one week from the discovery time).
02071227
Identity Awareness
Identity Awareness Gateway might crash when running 'cpstop' command. Refer to sk111315.
02077462
Mobile Access
Kerberos Single Sign On (SSO using Kerberos) for Web Applications might fail from time to time.
02058573
Mobile Access
Web Applications do not work as expected when accessing Mobile Access Portal with Web Form SSO enabled and the web page contains a form with encoded "+" sign (%2B).
02059445
Mobile Access
Manual SSO does not work when the password contains special characters such as "%".
02029758
Threat Emulation
"Maximum delay time" setting for Mail Transfer Agent is not applied if the defined value is greater than 15 minutes. Refer to sk109893.
02039586
Multi-Domain Security Management Server
Users and GUI clients are overwritten on Security Management Server during MDS synchronization when Domain Management Server and Security Management Server are configured in HA mode. Refer to sk111175.
01904538, 02052848
HTTPS Inspection
HTTPS Inspection Bypass rules that use Destination IP or Source IP stop working after enabling Probe Bypass. Refer to sk111617.
01819431
SecureXL
Improved handling of Bond Group IDs greater than 35 when creating bond interface of SAM card ports.
01959704; 02158515
Gaia OS
Not able to configure routemap for each BGP peer on Gaia OS. Refer to sk110477.
Take 159 (20 June 2016) - General Availability Take
-
General
Minor improvement in Jumbo Hotfix Accumulator package to support software updates to this Jumbo Hotfix Accumulator.
Take 158 (16 June 2016)
01621251; 02077494; 01621253
Cluster
Gratuitous ARP Request packets (GARP) are not sent during cluster fail-over for IP addresses configured in the $FWDIR/conf/local.arp file (per sk30197), if those IP addresses and Cluster VIP address are on different subnets. Refer to sk105645.
02042497; 01834487, 02006059
HTTPS Inspection
Probe Bypass is initiated on non-SSL connection. Refer to sk108294.
Important Note:
For this fix to work correctly, at least this Take_158 must be installed on both sides - on Security Management Server and Security Gateway. Otherwise, HTTPS Inspection Probe Bypass feature will not work at all.
Take 156 (30 May 2016)
02051292
Gaia OS
Gaia OS might crash when removing a Bond interface in Gaia Portal. Refer to sk111673.
02021344
Gaia OS
"CLINFR0412 Inconsistent ValFlag & MultiValue" message appears repeatedly in /var/log/messages file on Gaia OS. Refer to sk111632.
02027698; 02027733; 02027775
Security Gateway
HTTP/HTTPS connections that should be accepted on a rule with 'Domain Object', do not pass through the Security Gateway. Refer to sk110687.
02029554
Mobile Access
Version of ESOD Compliance Updates on Mobile Access Gateway does not change after successful update. Refer to sk111627.
02051629
Mobile Access, VSX
Mobile Access Portal on VSX Gateway is unresponsive with "HTTP 500" error after installing Takes 143, 145 of R77.30 Jumbo Hotfix Accumulator because $CVPNDIR/phpincs/php-ews/EWSType/*.php files are not copied to the contexts of Virtual Systems. Refer to sk111677 (Scenario 1).
"This notification page has expired" error in UserCheck page when a user tries to download the original file that was blocked by Threat Extraction. Refer to sk106249.
02015157
Cluster
Configuring PIM Sparse Mode with dynamic Rendezvous Point (RP) fails in cluster environment. Refer to sk110939.
02045987
Cluster
DHCP Relay stops working on ClusterXL with enabled VMAC mode after installing Takes 128, 138, 143, 145 of R77.30 Jumbo Hotfix Accumulator. Refer to sk111588.
01680839, 02006901
Security Management Server, Multi-Domain Security Management Server
Fixed Cross-Site Scripting (XSS) vulnerability in Management Portal.
Take 155 (26 May 2016)
This specific Take package was recalled for additional testing and was replaced by Take 156.
Take 145 (10 May 2016)
02010218
VPN, SecureXL
Site-to-Site VPN using IKEv2 fails when SecureXL is enabled. Refer to sk114834 (Scenario 5).
02022420
VPN
The vpnd daemon might crash when processing CRL cache.
02017992
VPN
VPN Central Gateway drops SIP RTP traffic between the SIP Call Manager and the VPN Satellite Gateway, where the SIP call was initiated. Refer to sk111839.
01998381, 02022414
HTTPS Inspection
The wstlsd daemon might crash.
02027270
Security Management Server, Multi-Domain Security Management Server
Policy installation fails, and the fwm process crashes with core dump file when Security Gateway and Security Management Server run R77.30. Refer to sk109616.
Connectivity between SmartDashboard / SmartDomain Manager and Security Management / Multi-Domain Management Server R77.30 and below fails on fresh installation after January 24th 2018. Refer to sk122612.
-
2012 Models Security Appliances, Data Center Security Appliances
R77.30 NGTP, NGTX and HTTPS Inspection performance and memory consumption optimization. Refer to sk109772.
02012973
Mobile Access, Endpoint Security On Demand Secure Workspace (SWS)
The "User must use Check Point Secure Workspace" setting on Mobile Access Gateway is not enforced when a user running on Windows 10 signs on to the Mobile Access Portal. Refer to sk111115.
01898695
Mobile Access, Cluster
Push Notifications are not shown on handheld devices after failover in Mobile Access cluster. Refer to sk109318.
01807600, 01807879
Mobile Access
Accessing SSLVPN portal without providing certificate, results in unclear log in SmartView Tracker. Refer to sk107812.
01989333
Mobile Access
Capsule Workspace Push Notifications do not work on iOS 9.3 (or higher). Refer to sk110623.
01982148, 01984883
Mobile Access
No Push Notifications in Capsule Messages. Refer to sk110215.
01832865, 01834664
Mobile Access
Mobile Access fails to perform SSL handshake with web servers that use SHA-512 certificates. Refer to sk108283.
02019281
Threat Emulation
File download from some web sites over HTTP through Threat Emulation gateway times out. Refer to sk111136.
02019094
Threat Emulation
Improved Threat Emulation performance in CoreXL by reducing the ratio of the dlpu processes per CoreXL FW instances:
from 1:2 = 1 dlpu process for each 2 CoreXL FW instances
to 1:4 = 1 dlpu process for each 4 CoreXL FW instances
02008306
Threat Emulation
"File is pending emulation. Threat scan failed" log in SmartView Tracker / SmartLog. Refer to sk106739 (Scenario 1 - "E-mail attachment is encoded in Base64 charset").
02013906
Application Control, URL Filtering
When the "Categorize HTTPS Sites" option is enabled, accessing HTTP URLs can cause "Internal System Error" logs in SmartView Tracker and failure to open the web page.
01953147
Gaia OS
In cluster with PIM Sparse Mode, multicast outgoing interfaces (refer to the output of "ip mroute" command) for some or all multicast groups are deleted and never restored by themselves after rebooting both cluster members at the same time.
01946518, 01953158
Gaia OS
Security Gateway randomly stops forwarding the IGMP / PIM Sparse Mode multicast traffic - in PIM Sparse Mode, low amount of arriving multicast traffic causes the local multicast members to be pruned early. Refer to sk106858.
01953146
Gaia OS
Improved stability of the routed daemon when working with PIM Sparse Mode.
01956738, 01957576
Gaia OS
Output of Clish command "show sysEnv all" / Expert mode command "dbget sysEnv:all" on Gaia OS is corrupted (text is not ordered). Refer to sk110220.
01990563
Gaia OS
RIM (Route Injection Module) routes are removed from Gaia OS routing table when running "ifdown <Name_of_Interface>" command in Expert mode. However, these RIM routes still appear when running "show route" command in Clish. Refer to sk105527.
02004564
Gaia OS, Cluster
The routed daemon on the active cluster with configured PIM might crash after a peer cluster member is rebooted.
02003221
Security Gateway
The "X-Forward-For" (XFF) header is not stripped from web traffic when Security Gateway is configured as HTTP/HTTPS Proxy in Non Transparent mode. Refer to sk111016.
02011289
Security Gateway, Security Management Server, Multi-Domain Security Management Server
SNMP counters for "packets rate" / "throughput" show incorrect values - .1.3.6.1.4.1.2620.1.1.25.9 and .1.3.6.1.4.1.2620.1.1.25.16 - "fwDroppedBytesTotalRate" counter and "fwDroppedTotalRate" counter always show "0" value. Refer to sk104882.
02002926
Security Management Server, Multi-Domain Security Management Server
"Unexpected error" message pops up in the SmartDashboard when trying to connect to Primary Security Management Server after two failovers - from Primary Security Management Server to Secondary Security Management Server and back. Refer to sk107176.
01972280
Security Management Server, Multi-Domain Security Management Server
Topology in SmartDashboard for interfaces named "Internal" and "External" (e.g., on UTM-1, Power-1, DLP-1 appliances) is always set based on their names. Refer to sk111017.
01834487, 02006059
HTTPS Inspection
Probe Bypass is initiated on non-SSL connection. Refer to sk108294.
02003519, 02019844
HTTPS Inspection, CoreXL
Improved SSL handshake performance in CoreXL by reducing the ratio of the wstlsd processes per CoreXL FW instances to be either:
1:4 = 1 wstlsd process for each 4 CoreXL FW instances
1:2 = 1 wstlsd process for each 2 CoreXL FW instances
any other ratio
Default is:
1:1 - if SMT (HyperThreading) is disabled (sk93000)
Integrated SandBlast Parallel Extraction Hotfix. Refer to sk108074.
01978917
Threat Extraction
Increased the size of files that can be scanned by Threat Extraction Extension to 15MB.
01915777, 01936336
Mobile Access
Kerberos is not supported as SSO method for registration to Exchange Server for Mobile Access Push Notifications. Refer to sk110629.
01892929
Mobile Access
Mobile Access Portal does not work after uninstalling Jumbo Hotfix Accumulator from Mobile Access gateway. Workaround: After uninstall, run: # $CVPNDIR/scripts/cvpn_post_utility.csh
01811956
Mobile Access, Endpoint Security On Demand (ESOD) Compliance Scanner
Added support for Windows 10 in:
Endpoint Security On Demand (ESOD) Compliance Scanner
HTTPS traffic is not routed according to Policy Base Routing (PBR) when HTTPS Inspection is enabled. Refer to sk110690.
01947356, 01976641
IPS
Global IPS Exception for protection "Any" does not work for e-mail traffic when using IPS with Anti-Virus or another blade. Refer to sk110023.
01964380
VSX
The fwk process might crash "with signal 7, Bus error" when H323 traffic passes through CPAS on Virtual System.
01974230
DLP
"Quarantined email is about to expire" notifications from Data Loss Prevention blade are not sent to some e-mail accounts. Refer to sk109015.
01979887
Gaia OS
The routed daemon crashes after receiving an OSPF LSA packet that contains invalid netmask. Refer to sk104519.
01915798
SecureXL
Output of "fwaccel stat" command shows: Accelerator Status : off by Firewall (too many general errors (NUMBER) (caller: Name_of_Function)). Refer to sk100467 (Scenario 3 - "UDP traffic causes too many general errors").
01916631
SecureXL, Cluster
Traffic sent to IP addresses X.X.X.255 (last octet is "255", but is not a broadcast address on this network) is dropped by ClusterXL in Load Sharing Unicast mode with "cluster error". Refer to sk107853.
Take 117 (10 Mar 2016)
01960407, 01961587
Mobile Access
Added "cvpnd_admin debug trunc" command that moves all existing content of the current $CVPNDIR/log/cvpnd.elg file into a new file and empties the current $CVPNDIR/log/cvpnd.elg file (to be used when the current $CVPNDIR/log/cvpnd.elg file becomes corrupted - filled with NULL characters).
01960012
Mobile Access, SSL Network Extender
When user connects to Mobile Access Portal with RADIUS challenge and starts SNX, re-authentication before end of session does not restart counter. Refer to sk110175.
01898695
Mobile Access, Cluster
Push Notifications are not shown on handheld devices after failover in Mobile Access cluster. Refer to sk109318.
01927612
Security Gateway
Security Gateway now drops and logs TCP SYN packets that contain data (even if CPAS / PSL is not used).
01955875
Security Gateway, Security Management Server, Multi-Domain Security Management Server
SNMP counters for "packets rate" / "throughput" show incorrect values - .1.3.6.1.4.1.2620.1.1.25.9 and .1.3.6.1.4.1.2620.1.1.25.16 - "fwDroppedBytesTotalRate" counter and "fwDroppedTotalRate" counter always show "0" value. Refer to sk104882.
01846456, 01960991
Security Management Server, Multi-Domain Security Management Server
Manual NAT policy verification passes while it should fail. Refer to sk108389.
01281728, 01866926
HTTPS Inspection
Unable to access some HTTPS sites after enabling HTTPS Inspection "Probe Bypass" mechanism. Refer to sk107744.
01959400
VPN
IPv6 routing issue in Star community when VPN Routing is set to "To center, or through the center to other satellites, to internet and other VPN targets" (VPN Community properties - "Advanced Settings" - "VPN Routing"):
If IPv6 is enabled on the Center Gateway, then all IPv6 traffic will be sent through the Center Gateway
If IPv6 is disabled on the Center Gateway, then IPv6 traffic between internal networks will be dropped by the Center Gateway with "Clear text packet should be encrypted"
01947521
IPS
"Countries DB download has failed" logs in SmartView Tracker even when Geo Protection is set to "Inactive". Refer to sk106294.
01973174
URL Filtering
Some HTTPS web sites are not categorized correctly when "Categorize HTTPS sites" is enabled. Refer to sk110475.
01959509
URL Filtering, Application Control
Random issues with HTTP web browsing - traffic latency increases, and at some point web browsing stops working. Refer to sk64162.
01948312
Anti-Virus
HTTP 206 "Partial Content" error in SmartView Tracker. Refer to sk106446.
QoS (Floodgate) policy install randomly causes Security Gateway to crash and reboot. Refer to sk109840.
01915918, 01961123
Threat Emulation
The download of files that are being emulated on "Hold" times out even though the Threat Emulation ends successfully. Refer to sk110479.
01963649
Cluster, CoreXL
Hide NAT port exhaustion on Standby cluster member in ClusterXL HA mode. Refer to sk98828.
01972270
Gaia OS
"admin" user's password expiry is affected when password-policy is enabled on Gaia OS. Refer to sk106160.
01972282
Gaia OS
The snmpd daemon crashes.
01962335
Gaia OS
Removed "[getTACProles(...)]: RBA role not found for admin!generated" message from /var/log/messages file that appeared (since Take_95) after each authentication to Clish with Local / RADIUS user.
01948282; 01948283
Gaia OS
'clish' and 'confd' processes consume CPU at high level after SSH session for non-local TACACS user has been expired/killed. Refer to sk104579.
01965115
Gaia OS
snmpd process might crash with core dump file (due to Segmentation fault) when it exits.
01936069
Gaia OS
"Wrong IP Please try again" error in LCD (go to "Network" - go to "Set MGMT interface") when changing the IP address of management interface on Check Point appliances that run takes from Take_95 to Take_111. Refer to sk106447.
01937716, 01937817
Gaia OS
Backup restore includes the original MAC addresses of the machine. Refer to sk109934.
01963688
Gaia OS
SNMP query for OID .1.3.6.1.4.1.2620.1.6.16.3 (.iso.org.dod.internet.private.enterprises.checkpoint.products.svn.svnApplianceInfo.svnApplianceSerialNumber.0) returns "umber: <Serial_Number>".
01719131, 01957088
SecureXL
Security Gateway might crash when disabling and re-enabling SecureXL. Refer to sk106934.
Take 111 (23 Feb 2016)
-
Gaia OS
Resolved error when installing Take_105 using CPUSE: Detected inconsistent files for installing this package. In order to successfully install the package, refer to sk97699.
-
Data Center Security Appliances
Added support for 15000 and 23000 appliances. Refer to sk107516.
Take 105 (11 Feb 2016) Important Note: Installation of this specific Take is supported only using Legacy CLI
01944440
Cluster
Occasionally, SCCP (Skinny) VoIP phones unregister from Call Manager during cluster failover. Refer to sk110025.
01932329, 01940409
Mobile Access
"Error: Page cannot be displayed. An error occurred while processing the request" in web browser after entering the credentials in Mobile Access Portal. Refer to sk110072.
01890990, 01946973
VSX
Virtual Systems are in "Unknown" state after reboot of VSX Cluster Member. Refer to sk110074.
01896617
Threat Emulation
E-mail client receives timeout error, e-mails do not reach their destinations, and SmartView Tracker shows duplicated Threat Emulation logs from a cluster. Refer to sk109198.
01879709, 01937995
SmartView Monitor
The rtmd process crashes due to memory corruption.
Take 102 (08 Feb 2016) Important Note: Installation of this specific Take is supported only using Legacy CLI
01872488, 01916408
Gaia OS
The routed daemon might crash on VSX Gateway when Traces (debug) are enabled.
01940689, 01944426
Gaia OS
Cannot change OSPF settings in Gaia Portal using Internet Explorer (IE) browser. Refer to sk109946.
01916400
Gaia OS
The routed daemon might crash when BGP is configured on Gaia OS. Refer to sk105698.
01702790, 01935921
Gaia OS
"libdb set: missing or invalid argument" error in Gaia Portal when creating snapshot. Refer to sk106646.
01928277
SecureXL
Check Point 21000 series appliance with SAM card incorrectly forwards connections to 21000 appliance. Note: This fix is an additional improvement of 01850540 integrated into Take_75. Refer to sk108589.
01900767
SecureXL
Improved detecting and reporting of hardware errors in SAM card.
01906737
SecureXL
SAM card statistics were unavailable for 3600 sec after reboot.
01818639
SecureXL
TCP packets are not dropped as Out-of-State when SecureXL is enabled. Refer to sk104557.
01886179, 01873994
HTTPS Inspection, CoreXL
Difficulties in connecting to untrusted sites when both HTTPS Inspection and CoreXL Dynamic Dispatcher are enabled. Refer to sk108894.
01939568
SmartView Monitor
"Use only external interfaces" option shows wrong traffic rate in SmartView Monitor. Refer to sk107353.
01938186
VPN
The vpnd daemon might crash if IKE packets arrive fragmented.
01821434
Mobile Access
User is able to access Mobile Access Portal even if Secure Workspace is forced, but fails to load. Refer to sk107603.
01939446
Anti-Virus, Anti-Bot
Security Gateway with enabled Anti-Virus blade / Anti-Bot blade and Log Suppression might crash during cpstop.
Take 101 (28 Jan 2016)
01921776
Security Gateway, VSX
Security Gateway / VSX FWK daemon might crash if Hide NAT is configured on Network object(s).
01697910
Gaia OS
The snmpd daemon consumes CPU at 90-100% when polling OID raIkeOverTCP (1.3.6.1.4.1.2620.500.9000.1.22) while Endpoint Security Client is connected. Workaround: Restart SNMP Agent either in Gaia Portal ('System Management' section - 'SNMP' page), or in Gaia Clish ('set snmp agent off' and 'set snmp agent on' commands).
01917104; 01917106; 01917110
Gaia OS
Improved support of allowed ASCII characters for passwords on Gaia OS. Refer to sk109148.
01931796
Gaia OS
Added support for charset ISO-8859-8-I (Hebrew, logical order).
01878129
Gaia OS
"Out of normal bound" error for PWRS_FAN and VTT seen in SmartView Monitor. Refer to sk107855.
01584565
Gaia OS
The snmpd daemon crashes due to SIGXFSZ signal.
01584749
Gaia OS, Cluster
Clish crashes with Segmentation fault after running any 'show cloning-group ...' Clish command on cluster members. Refer to sk104885.
01929775
Security Gateway, Security Management Server
Removing ECDHE from CURL cipher proposal list.
01932161
Application Control, URL Filtering
RAD daemon might incorrectly parse its configuration, which causes it to assume that proxy is configured. This leads to categorization failures.
01931123
Threat Emulation
SmartView Tracker displays e-mail subject as ISO string if it is not written in English. Refer to sk105164 (Scenario 4).
Packets are not routed correctly when PBR is configured and SecureXL is enabled. Refer to sk109741.
01892651
SecureXL
Traffic is dropped by IPS protection "TCP Segment Limit Enforcement" due to attack "TCP segment out of maximum allowed sequence" when SecureXL is enabled and traffic passes through Medium Path. Refer to sk66576.
Take 98 (17 Jan 2016)
01910745
Security Gateway
When running fw monitor command, it returns "cp: cannot stat '/opt/CPsuite-R77/fw1/conf/updates.def': No such file or directory" error.
01914959
Gaia OS
Monitoring of the routed daemon is now disabled completely:
In Gaia Portal - the following checkbox was removed: In the tree view, go to Advanced Routing section - click on Routing Options page - in the Advanced Routing Options area - the box PNOTE Reporting
In Gaia Clish - the following commands were removed: set router-options pnote-reporting ...
Gaia OS on Check Point 21000 series appliance with SAM card becomes unresponsive when trying to delete a VLAN interface after passing multicast traffic through that VLAN interface. Refer to sk115420.
01844424, 01880511
SecureXL
NAT is not applied by Security Gateway to multicast packets in the following scenario:
SecureXL is enabled on Security Gateway
NAT is configured for multicast sender as "Hide behind Gateway"
As a result, the multicast receiver host "sees" the original IP address of the multicast sender.
01844428, 01882993
SecureXL
SecureXL incorrectly drops multicast control packets (such as 224.0.0.252 - RFC 4795 LLMNR) when Security Gateway / VSX Virtual System runs in Bridge mode.
01907475, 01912368
Application Control, URL Filtering
Users occasionally are not able to access HTTPS sites when "Categorize HTTPS sites" option is enabled. Refer to sk109581.
01917498
URL Filtering
Connection fails with the following URL Filtering log in SmartView Tracker: "Internal System Error occurred, allowing / blocking request (as configured in engine settings). See sk64162 for more information". Refer to sk103859.
01896185, 01899771
Mobile Access
Disabling the Floating Navigation Bar (FNB) via GuiDBedit Tool does not disable the FNB in the Web Application. Refer to sk109254.
01907197
LTE
GTP-C traffic that is matched on IP/UDP part of a rule and mismatched on the GTP part of the rule (for example IMSI prefix filter on GTP service) is dropped. As a result, multiple GTP-C services that include GTP service filters can not be used for the same IP/UDP networks (e.g., mobile carrier core network provides roaming services for multiple MNO subscribers, each of which has different PLMN ID prefix in IMSI, and carrier wants to filter outbound roaming to its network to those multiple IMSI prefixes) - the relevant rule either accepts the packet, or drops the packet when first service is matched.
01907262
LTE
"Handover Group" field is not shown in SmartView Tracker logs for GTP-C traffic.
Take 95 (04 Jan 2016)
01883475
General
MiniWrapper installation is aborted with "This installation is not suitable for gateways only" error when there are more than 50 installed packages (of any type) on the machine.
01879869, 01822961, 01882245
Gaia OS
Security Gateway / Cluster randomly stops forwarding the IGMP traffic - multicast traffic times out and does not resume. Refer to sk106858.
01879870
Gaia OS
PIM neighbor refresh is slow on Check Point Security Gateway / Cluster after neighbor PIM router failover:
After failover of neighboring PIM router (after disconnecting a router link), multicast traffic is recovered after 6 seconds.
After failback of neighboring PIM router (after reconnecting a router link), multicast traffic is recovered after 10-15 seconds.
Deleting an IP address from the Management interface without adding a new IP address is now blocked. Refer to sk106447.
01576432
Gaia OS
Gaia Clish crashes when running show configuration ... commands if the /web/cgi-bin/validate.tcl file does not exist. Refer to sk104647.
01697615; 01614716
Gaia OS
When TACACS+ non-local user runs clish -c "some_clish_syntax" command from Expert mode (e.g., clish -c "show interface eth0"), the following errors appear:
[Expert@HostName:0]# clish -c "some_clish_syntax"
CLINFR0829 Unable to get user permissions.
CLINFR0599 Failed to build ACLs.
When TACACS+ non-local user runs clish -c "some_clish_syntax" command from Expert mode (e.g., clish -c "show interface eth0") on VSX Gateway, the following error appears:
[Expert@HostName:0]# clish -c "some_clish_syntax"
CLINFR0220 User is not allowed to access any virtual-system.
DHCP Relay and DHCP Server do not function when configured together on the same Gaia OS.
Between DHCP Relay (routed) process and DHCP Server (dhcpd) process, the last process to start up will receive all the UDP unicast traffic. The first process sees no unicast traffic.
Both DHCP Relay (routed) process and DHCP Server (dhcpd) process will see UDP broadcasts.
If DHCP Server (dhcpd) process starts first, then this joint configuration will work, because dhcpd process only cares about UDP broadcasts. If DHCP Relay (routed) process starts first, then this joint configuration would fail to work, because the replies from DHCP Server that should be relayed are UDP unicasts.
R77.30 cluster member might go Down after disabling CoreXL Dynamic Dispatcher only on one member. Refer to sk108856.
01869737
Cluster, SecureXL
"First packet isn't SYN" drop logs in SmartView Tracker for TCP traffic from ClusterXL in Load Sharing Unicast mode with enabled SecureXL. Refer to sk107618.
01878266, 01848272, 01880216, 01855069
Cluster
Cluster "Interface table" is empty in SmartView Monitor and in output of "cpstat -f all ha" command. Refer to sk108546.
01883357
Security Gateway
in.ahttpd process crashes repeatedly with core dump files on Security Gateway with HTTP/HTTPS User Authentication rules. Refer to sk103974.
01852286, 01852966
Mobile Access
Occasionally Mobile Access gateway becomes non-responsive after enabling Push Notifications. Refer to sk108532.
01898695
Mobile Access
Push Notifications are not shown on handheld devices after failover in Mobile Access cluster. Refer to sk109318.
01907717, 01909788
Mobile Access
Custom logo can no longer be applied / seen in SSL VPN portal after installing hotfix for issue ID 01732329 (since Take 49). Refer to sk107454.
01811956
Mobile Access, Endpoint Security On Demand Secure Workspace (SWS)
Added support for Windows 10 in:
Endpoint Security On Demand Secure Workspace (SWS)
SecureXL on Standby cluster member drops traffic with "Address spoofing" log. Refer to sk108502.
01893950, 01893952, 01908788
SecureXL
When NAT is configured on the network/host where SecureXL is enabled, not all entries in SecureXL Connections Table (run 'fwaccel conns' command) are deleted after the "UDP virtual session timeout" when traffic is stopped.
01906167
SecureXL
Check Point 21000 series appliance with SAM card might crash during frequent policy installations, or during failover and failback in cluster environment (due to disabling and enabling of watchdog monitoring in SAM card). Refer to sk108643.
01870140
VPN
"Accept all encrypted traffic" option does not work on VSX clusters. Refer to sk105344.
01879422
VPN
The vpnd daemon might crash when connecting more than ~1024 SNX Application Mode clients to Mobile Access gateway.
01691222, 01904577
VPN
Not possible to establish Site-to-Site VPN tunnel with Large Scale VPN (LSV) peer, which is a DAIP device. Refer to sk109473.
01894511
Threat Emulation
Ability to change the default size of the /var/log/maillog file when using Mail Transfer Agent (MTA). Refer to sk93505.
01664717, 01891039
Threat Emulation
Files are emulated even though their MD5 is added as 'Exception' to Threat Prevention policy. Refer to sk109438.
01909632, 01879389
Identity Awareness
Identity Awareness Agent disconnects with no apparent reason after some time of operation when Kerberos SSO is defined. Refer to sk107155.
01707734, 01909020
IPS
Geo Protection mechanism logs connections from internal IP addresses. Refer to sk106838.
Resource Advisor (RAD) does not reuse connections (opens new connection for each request). Refer to sk103422.
01861543, 01884021
URL Filtering, Application Control
Ability to increase the speed of RAD daemon's connection creation/deletion by configuring the number of categorization queries sent by RAD daemon to Check Point cloud in one connection (via parameter RAD_QUERIES_NUMBER_PER_CONNECTION in Check Point Registry). Refer to sk103422.
01856214, 01904755
Anti-Virus
High CPU utilization on Security Gateway during Anti-Virus scan of large files transferred over CIFS/SMB2 (Windows Sharing on port 445). Refer to sk109582.
01910660
Security Management Server, Multi-Domain Security Management Server
The fwm daemon might crash when running "fwm getcap" command (to fetch the packet capture from a log).
01896487
Multi-Domain Security Management Server
Authentication with MDS user or RADIUS user fails in SmartLog GUI, when SmartLog server is configured locally on one of the Domain Management Servers (it is possible to log in only with administrator that was locally defined on that Domain Management Server).
01894840, 01909714
Multi-Domain Security Management Server
Assigning of Global Policy fails on some Domain Management Servers after modifying a global object. Refer to sk109436.
Take 84 (06 Dec 2015)
-
Check Point Appliances
Support for the new improved R77.30 Gaia image (released 16 Dec 2016) for 2200 / 4000 / 12000 / 13000 / 21000 / TE250 / TE1000 / TE2000 appliances.
01867054
Gaia OS
User is not able to log in to Gaia OS after configuring a password that contains backslash "\". Refer to sk106368.
01786538, 01866514
Gaia OS
"Gaia Web-UI recognized a non-valid input data" error in Gaia Portal when adding a Scheduled Job. Refer to sk107513.
01842491, 01855837
Gaia OS
BGP routemaps stop working correctly after upgrade from R75.4X / R76 versions to R77.10 and later versions. Refer to sk108497.
01711169
Gaia OS
Specific VPN tunnel is not retrieved on first SNMP querying. Refer to sk106788.
01711135
Gaia OS
The routes are not sorted based on the IP address in Gaia Portal - "Network Management" section - "IPv4 Static Routes" page - "Gateways" column. Refer to sk106747.
01868833
Cluster, CoreXL
Hide NAT port exhaustion on Standby cluster member in ClusterXL HA mode. Refer to sk98828.
01877245, 01820037
Cluster
Improved handling of invalid ClusterXL Control Protocol (CCP) packets received on non-trusted (non-sync) interfaces. Refer to sk108360 and to sk108192.
01803716, 01816518
SecureXL
Check Point appliance with SAM card crashes during policy installation. Refer to sk107857.
01801507, 01754473
SecureXL
Memory leak in SecureXL acceleration. Refer to sk108192.
01870777, 01861396
SecureXL
Traffic does not pass through ClusterXL with enabled VMAC mode and SecureXL. Refer to sk105577.
01848712
Security Gateway
Policy installation fails with error "Reason: Load on Module failed - failed to load Security Policy" because internal mapping of IPS protections fails due to kernel table "spii_multi_pset2kbuf_map" getting full. Refer to sk33893 (Scenario 22).
01875713, 01821877
Security Gateway
Proprietary SSL tunnel protocols (e.g., Skype) are not enforced correctly when Security Gateway acts as Proxy (Non-transparent proxy, without the next proxy). Refer to sk108192.
01871427
Security Gateway
When Dynamic Object is not resolved on the Security Gateway, all traffic that should have been accepted by the rule with this Dynamic Object, is dropped.
01872347
Security Gateway VE
Security Gateway Virtual Edition (VE) Network Mode is now licensed using a new and improved licensing model. With the new licensing model, managed Security Gateway VE Network Mode is licensed by the total amount of its assigned virtual cores. Affected SKUs: CPSG-VEN-NGTP-GW, CPSG-VEN-NGTX-GW, CPSG-VEN-NGFW-GW. For further licensing details, go to User Center - at the top, go to QUOTING TOOLS menu - click on Product Catalog & Quoting - go to section More Appliances & Solutions - click on Virtual Security - in Virtual Edition row, select a model - click on Select button - click on Licensing instructions link at the top. Refer to sk109713.
01853689
HTTPS Inspection
Users do not receive UserCheck page for blocked HTTPS content. Refer to sk93184.
01875832
IPS
Improved handling of HTTP compressions. Refer to sk108192.
01880104, 01830381
VSX, IPS
Rare crash of the fwk process on VSX Gateway with enabled IPS blade and activated protection "Non-Compliant HTTP". Refer to sk108192.
01859145
VSX
SNMP OID vsxCountersConnTableLimit (.1.3.6.1.4.1.2620.1.16.23.1.1.4) returns wrong value on VSX if IPv6 is enabled. Refer to sk106736.
01854127
Mobile Access
Mobile Access log in SmartView Tracker shows Browser version instead of OS version. Refer to sk108711.
01734925, 01854129
Mobile Access
"[CVPN_ERROR] statusToString: Unrecognized status: 5" error in the debug of the cvpnd daemon on Mobile Access Gateway. Refer to sk108876.
01802714
Multi-Domain Security Management Server
"Error: Cannot assign the Global IPS policy - The version of IPS on the Domain Management Server and in the Global policy must be the same". Refer to sk108877.
01867540
Multi-Domain Security Management
Global Policy cannot be assigned after IPS reset due to duplicated objects or profiles. Refer to sk107817.
01867540
Multi-Domain Security Management
Licenses attached to Domain are shown as unattached in SmartUpdate. Refer to sk104884.
01626339, 01871531
Security Management Server, Multi-Domain Security Management Server
The fwm daemon cannot start due to the size of $FWDIR/tmp/fwmtrace.log file reaching 2GB limit. Refer to sk105579.
01732223, 01863656
Security Management Server
Policy verification fails abnormally on R77.30 Security Management Server. Refer to sk107182.
01858483
Security Management Server
"Multiple account units are using the same domain name" warning during security policy installation. Refer to sk104248.
01864379, 01850825
Security Management Server
IPS scheduled update fails with "Failed to create db revision". Refer to sk108382.
01875570, 01827950
VPN
Not possible to force a minimal allowed Endpoint Security Client version for Remote Access connection (Note: Does not apply to Endpoint Connect Clients). Refer to instructions in sk108192.
01749088, 01782611, 01875953
Anti-Virus
High memory utilization on Security Gateway during Anti-Virus scan of large files transferred over HTTP. Refer to sk107384 and sk108192.
Take 75 (12 Nov 2015)
01848714
SecureXL
Output of "fwaccel stat" command shows: Accelerator Status : off by Firewall (too many general errors (NUMBER) (caller: Name_of_Function)). Refer to sk100467 (Scenario 3 - "UDP traffic causes too many general errors").
01848202, 01850540
SecureXL
Check Point 21000 series appliance with SAM card might crash while handling fragmented TCP packets. Refer to sk108589.
01845461, 01853546
SecureXL
Check Point 21000 series appliance with SAM card might crash during policy installation. Refer to sk108643.
01847635
SecureXL
Check Point 21000 series appliance with SAM card might crash due to removal of Layer 2 header by SAM card. Refer to sk108652.
01820185, 01847696
Multi-Domain Security Management Server
mds_backup procedure is stuck at "Releasing all databases" stage. Refer to sk107862.
01857577
VPN
Some VPN clients are not able to connect to Security Gateway because kernel table "ccc_sessions" fills up very rapidly. Refer to sk105721.
01831743, 01842525
Identity Awareness
Policy installation on Identity Awareness Gateway fails randomly. Refer to sk108290.
01811956
Mobile Access, SSL Network Extender
Added support for Windows 10 in:
SSL Network Extender (SNX) - both Network Mode and Application Mode
Following cluster failover, the routed daemon sends OSPF "Hello" packets with no DR/BDR. Refer to sk105169.
01844830
Gaia OS
"Gaia Web-UI recognized a non-valid input data" error in Gaia Portal when adding SNMP Trap receiver
"NMSSNM0025 Community names cannot contain spaces or special characters" error in Gaia Clish when adding SNMP Trap receiver
Now, the dollar sign "$" is accepted as well in SNMP Community. Refer to sk107513 (Scenario 2 "Adding SNMP Trap receiver in Gaia Portal").
01787201; 01831464; 01827496; 01818312
Gaia OS
Enhancement in authentication for SNMPv3 USM user on Gaia OS:
"Authentication Protocol" for SNMPv3 USM user can be set to either MD5, or SHA1
Interactive configuration of "Privacy Protocol" and "Authentication Protocol" in Clish
When adding new SNMPv3 USM user:
If no "Privacy Protocol" is specified, then "DES" will be set by default
If no "Authentication Protocol" is specified, then "MD5" will be set by default
"Privacy Protocol" for Read-Write users will be displayed only if those users were defined with Security Level "AuthPriv" (just like for Read-Only users)
Configuration of "Privacy Protocol" and "Authentication Protocol" in Clish was improved to be case-insensitive
Refer to sk90860 - section "(IV-5) Advanced SNMP configuration - Configure SNMPv3 users to use SHA / AES authentication".
01843846
Gaia OS
"Could not resolve 'Sensor' within the trap 'Trap'" errors in Spectrum CA when importing Check Point 'GaiaTrapsMIB.mib' file. Refer to sk97410.
01702566
Gaia OS
OSPF might break upon fail-over in cluster on Gaia OS. Refer to sk108655.
01835145
Cluster
ClusterXL in High Availability mode fails over during policy installations due to missing CUL remote freeze notification. Refer to sk106576.
01834555
Appliances
Outputs of "show sysenv all" and "cpstat os -f power_supply" commands show different status for Power Supply units. Refer to sk107672.
01750204, 01842632
VSX
Clients behind a Virtual System configured as Non Transparent HTTP/HTTPS Proxy are not able to connect to any site. Refer to sk107313.
01730708, 01847073
HTTPS Inspection
Added ability to control support for SSLv2 handshake in HTTPS Inspection. Refer to sk108654.
Take 67 (29 Oct 2015)
01829460
SecureXL
ADP monitor hangs and crashes with "ADP slot N possibly hung" on Check Point appliance with SAM card.
01801032, 01829886
CoreXL
Issues with traffic passing through Security Gateway with enabled CoreXL Dynamic Dispatcher. Refer to sk108432.
01751483
Mobile Access
User is sometimes asked to re-authenticate when accessing web application in Mobile Access Portal. Refer to sk107314.
01815100
VSX, Mobile Access
Backup (scheduled or manual) on VSX Gateway fails while File Shares are open for Mobile Access users: "not enough space in /var/log/CPbackup/backups". Refer to sk106046.
Take 63 (20 Oct 2015)
01825587
VSX
The fwk daemon crashes during boot of VSX Cluster member with configured Bond interface(s), on which VLAN interfaces are defined.
01817941, 01812866
Security Management Server, Multi-Domain Security Management Server
False alerts in SmartEvent GUI / SmartView Monitor about low disk space on Security Gateway. Refer to sk106040.
01823793
Cluster
IPv6 static route in Gaia OS with "ping" option fails to send ping in a ClusterXL with IPv6 Virtual IP. Refer to sk106572.
01685521
Anti-Spam
in.emaild.mta process crashes when overloaded with Anti-Spam block. Refer to sk106240.
01826612
Gaia OS
Output of top command on an Open Server shows that kipmi0 daemon consumes CPU at 100%. Refer to sk104316.
01825932
Gaia OS
Custom changes made to the /etc/cpshell/log_rotation.conf file following sk36798, do not survive Jumbo hotfix installation - after installation it goes back to the default.
Take 61 (30 Sep 2015)
01752513, 01752529, 01752531
Security Gateway
Misconfiguration of "Management" interface on Check Point Security Gateway causes outage. Refer to sk106447.
01801629, 01811077
Security Management Server, Multi-Domain Security Management Server
"Warning: Rule <N> contains a domain object. It will not be enforced by IPv6 policy." during policy verification refers to wrong rule number. Refer to sk107601.
01813036
SmartEvent
When using send report by mail ('Reports' tab - Report name - Manage - Email Setting - Send By Mail), the SmartEvent sends 'HELO localhost' and gets blocked by the SMTP server. Refer to sk105279.
01769402, 01803573
SecureXL
"cphwd_pslglue_can_offload_template: error, psl_opaque is NULL" error appears repeatedly in /var/log/messages file after upgrade to R77.30. Refer to sk107258.
01814997
Gaia OS
"Loading..." message is stuck in Gaia Portal when trying to open the 'Snapshot Management', 'System Backup' or 'Status and Actions' page after installing a Hotfix / Jumbo Hotfix. Refer to sk111167 (Scenario 5 - "Maintenance - Snapshot Management" page and "Maintenance - System Backup" page is stuck at "Loading..." after installing a Hotfix).
01817116
Gaia OS
/etc/snmp/userDefinedSettings.conf file on Gaia OS (see sk90860) is overwritten during a hotfix installation. Refer to sk107861.
01820060
Gaia OS
A snapshot image cannot be deleted in Gaia Portal - after clicking on the 'Delete' button (on 'Maintenance' pane - 'Snapshot Management' page), the "Loading..." message is stuck. Refer to sk111167 (Scenario 8 - "Maintenance - Snapshot Management" page is stuck at "Loading..." when trying to delete a snapshot).
01693582
VPN, Mobile Access
Memory leak in the vpnd daemon when Mobile Access blade is enabled.
01736208, 01817908
Mobile Access
Web Form SSO with configured login page does not work. Refer to sk107254.
01808903
IPS
IPS related kernel tables are kept in memory even when disabled in a later policy, causing table duplication and a memory leak. Leak may lead to an error message "reached the maximum number of ghtabs" and install policy failure.
01802551, 01809183
CoreXL, VSX
Creating a Virtual System with one CoreXL FW instance might end with an error and cause the VSX Gateway / VSX Cluster member to crash with kernel core dump.
01704012, 01720219
CoreXL
VoIP traffic (or traffic that uses reserved VoIP ports) is interrupted / stops passing after enabling CoreXL Dynamic Dispatcher per sk105261. Refer to sk106665.
Take 54 (07 Sep 2015)
01787367
Security Gateway
Failure in QoS policy installation can cause Security Gateway to crash during the next network policy installation.
01747684
Gaia OS
PIM SM: multicast traffic received on an interface that is in non-DR but assert winner state is not processed by Security Gateway. Refer to sk107186.
01800253
Gaia OS
Output of Clish command "show asset memory" shows less RAM than is actually installed on Check Point appliance. Refer to sk107032.
01803002
Gaia OS
The following commands were added to Gaia Clish:
show lom - displays LOM card IP address and firmware version
show lom ip-address - displays LOM card IP address
show lom version - displays LOM card firmware version
01803039
Gaia OS
Not able to log in to Gaia OS with username authenticated by TACACS.
01803024
Gaia OS
Improved support for multiple roles defined on RADIUS server that are separated by space character (e.g., CP-Gaia-User-Role="rwRole, roRole")
01803483
Gaia OS
Added the ability to get the comment defined on an interface in Gaia OS via SNMP Request by querying the OID IF-MIB::ifAlias (in case ifXtable.ifAlias field is empty). Refer to sk107615.
01803493; 01803506
Gaia OS
After enabling the SNMP Trap "coldStart" in Gaia OS, it is sent every time the SNMP Agent (the snmpd daemon) is started, regardless of the current system up-time. Refer to sk107616.
01717878
Cluster
Output of "cpstat ha -f all" command shows status of some VLAN interfaces as "Partially up". Refer to sk106488.
01801408, 01699396
Cluster
Both the VRRP Master and VRRP Backup members in Gaia VRRP cluster respond to ARP Requests for Proxy ARP entries (configured per sk30197). Refer to sk107614.
Take 49 (24 Aug 2015)
01783813
VPN
Improved specific debug message.
01745911
Mobile Access
Kerberos does not work for Secure Mail (e.g., Exchange Web Services (EWS) mail app).
01710533, 01732329
Mobile Access
"Error while processing the request" occasional error in SSL Portal Web Application after clicking on the Back button / Home button / repeatedly pressing F5 key. During the issue, SSL Portal stops responding and mobile users are disconnected. Refer to sk107454.
01749317
Gaia OS
Gaia configuration commands are not saved sorted in a way that guarantees continuation when loading them. Refer to sk107286.
01779716
Gaia OS
Not able to log in to Gaia Portal anymore after running Clish command "show user <username> homedir". Refer to sk106427.
01778888
Gaia OS
/var/log/messages file on Gaia OS repeatedly shows:
xpand[PID]: image_mgmt_get_version: version was get from registry major=[X] minor=[.Y]
xpand[PID]: version is X.Y
"This page is currently in read only mode, the requested action cannot be performed" message appears in Gaia Portal when logging in with the TACACS+ user and clicking on the "Enable TACACS+ authentication" button at the top. Refer to sk106324.
01707909
HTTPS Inspection
HTTPS Inspection drops traffic to a web site that uses untrusted server certificate even when the "Untrusted server certificate" is disabled. Refer to sk107288.
01749545
VPN
IKE negotiation fails at Main Mode packet 5 between Security Gateway and DAIP non-Centrally Managed Gateway. Refer to sk104880.
01745741, 01746482, 01780378
Security Gateway
Security Gateway might crash in some scenarios when inspecting H.323 traffic. Refer to sk107184 and to sk106994.
01718196, 01721499, 01721502, 01782570
Security Management Server, Multi-Domain Security Management Server
Policy Verification fails to find overlapping rules. Refer to sk106854 and to sk106994.
01784203, 01784730, 01784728, 01787564
Security Management Server, Multi-Domain Security Management Server
Policy Verification fails with "Diameter rule service's check: Failed to flatten services list". Refer to sk107322 and to sk106994.
01749879
Security Management Server, Multi-Domain Security Management Server
After policy installation, traffic that was supposed to be matched on specific "accept" rule is dropped on the Clean Up rule (issue is caused by a corruption in one of the policy files).
Take 45 (06 Aug 2015)
01713997
Gaia OS
Gaia OS syslogd daemon and Check Point syslog daemon cannot run simultaneously on Security Management Server / Domain Management Server / Log Server on Gaia OS in the following scenario:
"Accept Syslog messages" is enabled in the properties of Management Server / Log Server object (SmartDashboard - object properties - "Logs" menu - "Additional Logging Configuration").
Gaia OS on Management Server / Log Server is configured to forward the received syslog messages to another Syslog server (Gaia Portal - "System Management" pane - "System Logging" - click on "Add" - enter the IP address of another Syslog server).
"show asset network" command does not display all installed cards on Check Point appliance. Refer to sk106785.
01727625, 01730966
VPN
"vpn debug on TDERROR_ALL_ALL=5" command does not update the previously set debug flags. Refer to sk107172.
01731020
VPN
Improved a print out of "GwSupportCrashRec" debug messages in debug of the vpnd daemon.
01619868, 01725472
Security Management Server, Multi-Domain Security Management Server
Installing policy on R77.X Security Gateway(s) and UTM-1 Edge device(s) at the same time might fail during Policy Compilation with the following error:
cpp: line N, Error: Inside #ifdef block at end of input, depth = X
1 error in preprocessor
Security Management Server, Multi-Domain Security Management Server
"install/uninstall has been improperly terminated" error when trying to Install Database. Refer to sk104998.
01595501
Mobile Access
A Mobile device, which is known to be non-compliant, is still able to connect with Mobile VPN / Capsule Connect app to Mobile Access Gateway, and SmartView Tracker log shows this device as compliant. This mobile device had to be checked for compliance by an MDM vendor based on the $FWDIR/conf/mdm.conf file on Mobile Access Gateway.
Important Note: You must manually edit the $FWDIR/conf/mdm.conf file on Mobile Access Gateway - add the following section at the bottom of the file to block the Dummy MAC address "02:00:00:00:00:00":
Windows 8.1 VPN plugin can connect, but user is unable to reach resources behind the VPN Gateway. Refer to sk104619.
01702733
Mobile Access
The "cvpnd_settings" command crashes when used without full path. Refer to sk106673.
01715981
Gaia OS
Clish on Gaia OS crashes with "Segmentation fault" when running "show configuration user" command. Refer to sk101974.
01722085
Anti-Bot, Anti-Virus
CPU load and traffic latency after activating Anti-Bot and/or Anti-Virus blade on Security Gateway (especially for complex traffic like CIFS, NFS). Refer to sk106062.
01717808, 01647153
Security Gateway, Cluster
"fw_getifs: filter interface <interface_name> - no IP" message appears for every interface when running "fw getifs" command under "TDERROR" debug, although those interfaces have an IP address assigned. Refer to sk106856.
01692246
Cluster
Cluster members crash simultaneously when running kernel debug of Delta Sync ('fw ctl debug -m fw + sync') and IPv6 traffic is passing through the cluster, which is inspected by IPS (PSL). Refer to sk106571.
SmartView Tracker displays ROBO gateways / Edge devices managed by SmartProvisioning in the "Origin" column as Device ID "0.0.0.X" instead of the Device real IP address. Refer to sk106966.
Take 33 (16 July 2015)
01703881; 01704019; 01704130; 01704076
All
Check Point response to CVE-2015-2808 (Bar Mitzvah) and OpenSSL CVE-2015-1789. Refer to sk106499.
01678465, 01709620
VPN, DLP, Security Management Server, Multi-Domain Security Management Server
Policy installation might fail with "ERROR: stab identifier <lsv_profiles> for host redefined" in the following scenario:
R77.30 Security Management Server running on Gaia OS or IPSO OS.
There are two R77.x Security Gateways / Clusters (e.g., "GW_1" and "GW_2") managed by this server:
"GW_1" has IPSec VPN blade enabled
"GW_2" has DLP blade enabled, IPSec VPN blade disabled, and belongs to VPN Encryption Domain of "GW_1"
21000 appliance with SAM card might reboot in a loop after configuring a Bond interface on 10Gb card ports.
01710137
Security Gateway
Issues with traffic and with web pages when Security Gateway is configured in Proxy Non-Transparent mode. Refer to sk106663.
01709135
Security Gateway
If Security Gateway is configured as HTTP/HTTPS Proxy, then unloading of the Check Point kernel modules might fail with the following errors when running kernel memory leak detection per sk35496:
[Expert@HostName:0]# cpstop
... ... ...
[Expert@HostName:0]# service cpboot stop
... ... ...
[Expert@HostName:0]# cpstop -fwflag -driver
... ... ...
ERROR: Module fw_0 is in use
FireWall-1: failed to remove IPv4 module
cpstop error: Failed to execute fwstop -f . Please check fwflag syntax -driver
01711501
Mobile Access
Connection to Citrix through Mobile Access fails if Citrix is configured to use HTML 5. Refer to sk106574.
01695987, 01704522
Gaia OS
Scheduled Gaia backup in R77.30 fails to transfer backup file to remote server. Refer to sk106647.
01522914, 01683799
Security Management Server, Multi-Domain Security Management Server
The fwm daemon frequently crashes due to memory leak on the Security Management Server (triggered when a Security Gateway with Dynamic IP address is monitored in SmartView Monitor and an IP address is changed on that DAIP Security Gateway).
01710257
IPS
IPS Exception with Protection "ANY" does not work. Refer to sk105074.
01697239
Cluster
SmartView Monitor shows the status of cluster interfaces as "Partially up" (in the upper pane, click on the cluster member object - in the lower pane, go to section "ClusterXL" - click on "More..." - refer to the "Interface table"). Refer to sk106488.
Take 18 (01 July 2015)
01594658
Gaia OS
Different number of IPv6 neighbors is shown in Expert mode and in Gaia Clish:
In Expert mode, output of command "ip -6 neighbour show" shows all expected IPv6 neighbors.
In Gaia Clish, output of command "show neighbor dynamic-table" shows up to 50 IPv6 neighbors.
Improved memory training logic for "SAM-108-V2" card (memory training is a task performed by the hypervisor to get a sense of the timing necessary for the pins out of the memory controller on the card's processor to achieve maximum throughput to the onboard DIMMs while maintaining reliability).
01690456
Mobile Access
Added ability to force Kerberos authentication (instead of NTLM) against Capsule Workspace Mail application and Web applications.
01690471
Mobile Access
The cvpnd daemon crashes when the user/application calls for two factor authentication in Mobile Access Portal using SMS, but the user has no phone number defined.
01690589
Mobile Access
Added support for Citrix Connection floating bar in Internet Explorer browser when connecting to Citrix Server through external interface on Mobile Access gateway.
Take 17 (18 June 2015)
01685651, 01693669; 01688883, 01694383
SecureXL, Security Management Server / Multi-Domain Security Management Server
Output of "fwaccel stat" command on R77.30 Security Gateway / Cluster members shows that Accept Templates are not disabled starting from the expected rule (per sk32578).
Problematic scenario (issue occurs only if all these conditions are met):
R77.30 Security Management Server / Multi-Domain Security Management Server with installed R77.30 Add-On (either cleanly installed R77.30 with R77.30 Add-on, or upgraded to R77.30 from R77.20 with R77.20 Add-on).
Involved rulebase is installed on R77.30 Security Gateway / Cluster members.
SecureXL is enabled on R77.30 Security Gateway / Cluster members.
Involved rulebase contains rules, starting from which SecureXL Accept Templates should not be created anymore (per sk32578) - e.g., rules for FTP/ICMP traffic, rules with Dynamic objects.
Involved rulebase contains a rule with service "dhcp-request" and/or service "dhcp-reply" (refer to sk98839) and this rule is located above all other rules, which disable SecureXL Accept Templates.
01692710
Security Gateway
Connectivity issues through Security Gateway in Proxy mode due to an extra space in DNS Query sent by the Security Gateway. Refer to sk106428.
01685214, 01693432
Anti-Virus
Memory consumption on Security Gateway with enabled Anti-Virus blade increases during inspection of CIFS traffic. Refer to sk106334.
01668422
Mobile Access, Security Management Server / Multi-Domain Security Management Server
Policy installation succeeds even if Mobile Access rules contain only services that are not supported by Native Applications - such as Compound TCP and Citrix TCP types. Refer to sk106502.
01647109
Security Management Server, Multi-Domain Security Management Server
SmartView Tracker does not show successful "Log In" or "Log Out" Audit logs for SmartLog GUI. Refer to sk105881.
01688838
Security Management Server, Multi-Domain Security Management Server
Obfuscated information in Application Control/URL Filtering mail alerts - printing ****** instead of real information. Refer to sk106430.
01568620
SmartView Monitor, VPN
SmartView Monitor shows "no data" in tunnel information under "Tunnels on gateway" for R77.20 / R77.30 gateways using Traditional Mode VPN. Refer to sk104103.
In the $CVPNDIR/conf/httpd.conf file, add the following lines:
# This directive overrides the hotfix sk102989 - POODLE Bites (CVE-2014-3566)
# and allows access from Mobile Access gateway to internal application servers over SSLv3
CvpnEnableSSLv3 On
Reload the Mobile Access policy:
[Expert@HostName:0]# cvpnd_admin policy
01681471
Mobile Access
"Authentication Failure" error when launching SNX via Mobile Access Portal using an LDAP user account with OU path that includes asterisk "*" (wildcard) character. Refer to sk106299.
01581791
SmartReporter
A new consolidation database table does not appear in SmartReporter GUI - 'Database Maintenance' tab - 'Tables' tab. Refer to sk104842.
01599078
SmartReporter
"No data available for [SmartReporter]" error in reports. Refer to sk102007.
01626310
SmartView Monitor
E-mail alerts from SmartView Monitor arrive with MIME boundary headers "_NextPart_..". Refer to sk105578.
01666230
SmartDashboard
Security Management Server that was configured to forward local log files to a Log Server without deleting them per sk106039, forwards all existing local log files instead of forwarding only the new log files that were created since the last scheduled forwarding event (i.e., also all those local log files that were already forwarded during the past scheduled forwarding events). Refer to sk106039.
01607383
Security Gateway
Kernel panic on Security Gateway due to memory access violation.
01594559
Security Gateway
HTTP traffic with non-common HTTP methods does not pass through Security Gateway configured as Proxy. Refer to sk104887.
01621272
Gaia OS
"syntax error" when adding an interface to the redistribution of routes in Gaia OS. Refer to sk105643.
01621251; 01621253
Cluster
Gratuitous ARP Request packets (GARP) are not sent during cluster fail-over for IP addresses configured in the $FWDIR/conf/local.arp file (per sk30197), if those IP addresses and Cluster VIP address are on different subnets. Refer to sk105645.
01614571
Cluster
TCP state logs are sent from all cluster members instead of only the active member. Refer to sk101221.
01596291
SecureXL
SecureXL Accept Templates not created when ISP Redundancy is enabled in Primary/Backup mode. Refer to sk104679.
01619159
VoIP
SIP Call Transfer stopped working after upgrade to R77.20 / R77.30. Refer to sk105564.
01607850
Identity Awareness, Application Control
Security Gateway might crash when Identity sharing and Application Control rules (with access roles) are configured. Refer to sk106420 and to sk106994.
01605254
DLP
DLP fingerprint scan failure on Full HA cluster. Refer to sk105157.
01692002
DLP, Threat Emulation
Downloaded file might be bypassed instead of being blocked by DLP in the following scenario:
DLP blade is enabled.
Threat Emulation blade is enabled.
Threat Emulation Connection Handling Mode is set to "Background"
Threat Prevention Engine Fail Mode is set to "Allow all connections (Fail-open)"
CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.
PRJ-1330, 02541089
SecureXL
Resolved issue in multicast routing lookup.
PMTR-27365, IDA-1609
Identity Awareness
In some scenarios, the Identity Agent fails to authenticate using Kerberos SSO due to a very large Kerberos ticket, and the agent falls back to User/Password authentication. Refer to sk145832.
PRJ-366, PMTR-33177
Identity Awareness
In some scenarios, when using Load Sharing and the same IP address is used by two different users, users may be able to access resources, or be restricted from accessing them, without the proper roles.
Removed unnecessary identity update, during Identity Agent or Terminal Server Agent IP address change, that results in corruption of PEP database.
GAIA-3010, PMTR-23157
Gaia OS
CVE-2018-15473: Username enumeration is possible due to a premature bail-out while dealing with a malformed packet. The issue exists in several authentication protocols.
IDA-1225, PMTR-33364
Identity Awareness
Fixed possible session corruption on PDP side that could lead to unexpected behavior.
Improved stability when Push Notifications are enabled on Mobile Access blade.
02657434
VPN
Improved connectivity with 3rd party VPN peers using IKEv2. Refer to sk120835.
02100804
VPN
After Cluster failover, VPN tunnel is down and "Unknown SPI for IPsec packet" log is shown. Refer to sk112339.
PRHF-608
SecureXL
Improved stability of VSX gateway under heavy load when SecureXL is enabled.
JPMC-284
SecureXL
Improved stability of SAM card when running multicast jumbo traffic packets.
JPMC-316
SecureXL
Improved stability of SAM card when PIM is configured in Sparse Mode on its interfaces.
Installation instructions
Important Notes:
This Jumbo Hotfix Accumulator has to be installed only after successful completion of Gaia First Time Configuration Wizard and reboot.
Before installing this Jumbo Hotfix Accumulator, back up any configuration file that was edited manually. List of the most important files (many others exist):
$FWDIR/boot/modules/fwkern.conf
$FWDIR/boot/modules/vpnkern.conf
$PPKDIR/boot/modules/simkern.conf
$PPKDIR/boot/modules/sim_aff.conf
$FWDIR/conf/fwaffinity.conf
$FWDIR/conf/local.arp
$FWDIR/conf/discntd.if
$FWDIR/conf/cphaprob.conf
$FWDIR/conf/cpha_bond_ls_config.conf
$FWDIR/conf/fwauthd.conf
$FWDIR/conf/resctrl
$FWDIR/conf/vsaffinity_exception.conf
$FWDIR/database/qos_policy.C
/var/ace/sdconf.rec
/var/ace/sdopts.rec
/etc/snmp/snmpd.conf
/etc/snmp/userDefinedSettings.conf
/etc/snmp/vsx-proxy/snmpd.vsx.proxy.conf
/etc/snmp/snmpmonitor.conf
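One way to carry out the backup described above and to see afterwards which files the installation reset (as in the Take 63 and Take 61 entries for log_rotation.conf and userDefinedSettings.conf), given as an added example that is not Check Point code. The function names and the JHF_ROOT variable (an optional prefix for the /var and /etc paths, for rehearsing away from the gateway) are assumptions of this example; $FWDIR and $PPKDIR come from the Check Point environment.

```bash
#!/bin/bash
# Added example (not Check Point code): save hand-edited files before a Jumbo
# Hotfix install, then list the ones the installation changed or removed.
# Assumptions: the function names, and JHF_ROOT, an optional prefix for the
# /var and /etc paths so the procedure can be rehearsed off the gateway.

# Paths from the article's list. FWDIR and PPKDIR are set by the Check Point
# environment in Expert mode.
jhf_file_list() {
    cat <<EOF
$FWDIR/boot/modules/fwkern.conf
$FWDIR/boot/modules/vpnkern.conf
$PPKDIR/boot/modules/simkern.conf
$PPKDIR/boot/modules/sim_aff.conf
$FWDIR/conf/fwaffinity.conf
$FWDIR/conf/local.arp
$FWDIR/conf/discntd.if
$FWDIR/conf/cphaprob.conf
$FWDIR/conf/cpha_bond_ls_config.conf
$FWDIR/conf/fwauthd.conf
$FWDIR/conf/resctrl
$FWDIR/conf/vsaffinity_exception.conf
$FWDIR/database/qos_policy.C
${JHF_ROOT:-}/var/ace/sdconf.rec
${JHF_ROOT:-}/var/ace/sdopts.rec
${JHF_ROOT:-}/etc/snmp/snmpd.conf
${JHF_ROOT:-}/etc/snmp/userDefinedSettings.conf
${JHF_ROOT:-}/etc/snmp/vsx-proxy/snmpd.vsx.proxy.conf
${JHF_ROOT:-}/etc/snmp/snmpmonitor.conf
${JHF_ROOT:-}/etc/cpshell/log_rotation.conf
EOF
}
# The last entry is not in the article's list; the Take 63 entry names it as a
# file whose custom changes did not survive installation.

# jhf_snapshot <backup_dir>
# Copies every listed file that exists into <backup_dir>, keeping its full
# path, records it in <backup_dir>/MANIFEST and prints the number saved.
jhf_snapshot() {
    jhf_dest=$1
    jhf_saved=0
    if [ -z "${FWDIR:-}" ] || [ -z "${PPKDIR:-}" ]; then
        echo "FWDIR/PPKDIR are not set; run this from Expert mode" >&2
        return 1
    fi
    # The copies can hold SNMP community strings and SecurID data: owner only.
    mkdir -p "$jhf_dest" && chmod 700 "$jhf_dest" || return 1
    : > "$jhf_dest/MANIFEST"
    while IFS= read -r jhf_f; do
        [ -f "$jhf_f" ] || continue      # file absent: nothing was customised
        mkdir -p "$jhf_dest$(dirname "$jhf_f")" || return 1
        cp -p "$jhf_f" "$jhf_dest$jhf_f" || return 1
        printf '%s\n' "$jhf_f" >> "$jhf_dest/MANIFEST"
        jhf_saved=$((jhf_saved + 1))
    done <<EOF
$(jhf_file_list)
EOF
    echo "$jhf_saved"
}

# jhf_compare <backup_dir>
# Run after the installation and reboot. Prints "CHANGED <path>" for a file
# whose content differs from the saved copy and "MISSING <path>" for a file
# that is gone; prints nothing when every saved file is byte-identical.
jhf_compare() {
    jhf_dest=$1
    if [ ! -f "$jhf_dest/MANIFEST" ]; then
        echo "no snapshot found in $jhf_dest" >&2
        return 2
    fi
    while IFS= read -r jhf_f; do
        if [ ! -f "$jhf_f" ]; then
            echo "MISSING $jhf_f"
        elif ! cmp -s "$jhf_dest$jhf_f" "$jhf_f"; then
            echo "CHANGED $jhf_f"
        fi
    done < "$jhf_dest/MANIFEST"
}

# Typical use on the gateway:
#   jhf_snapshot /var/log/jhf_backup    # before installing the Take
#   jhf_compare  /var/log/jhf_backup    # after installation and reboot
```

A file reported as CHANGED can be restored from, or merged with, the copy kept under the backup directory at the same path.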
It is not supported to install this Jumbo Hotfix Accumulator using the ISOmorphic Tool.
In cluster environment: Jumbo Hotfix Accumulator must be installed on all members of the cluster. To assure synchronization without losing connectivity, cluster administrator should use either Optimal Service Upgrade (OSU) method, or Connectivity Upgrade (CU) method. For additional information and limitations, refer to sk107042 - ClusterXL upgrade methods and paths.
In Management HA environment: Jumbo Hotfix Accumulator must be installed on both Management Servers.
On Multi-Domain Security Management Server: Note: To check the current Take number, run the "installed_jumbo_take" command.
When running Take 205 and higher of this Jumbo Hotfix Accumulator: Higher Take can be installed over the current Take.
When running Take 198 and lower of this Jumbo Hotfix Accumulator: Before installing a higher Take, the current Take must be uninstalled (refer to section "Uninstall instructions" - "Show / Hide instructions for uninstall of Jumbo Hotfix Accumulator Take 198 and lower on Multi-Domain Security Management Server").
On VSX Gateways: Jumbo Hotfix Accumulator should be installed only using CPUSE in Clish (requires the latest build of CPUSE Agent).
For Smart-1 405 / 410 appliances: It is necessary to install Take_266 and higher (refer to sk117578).
For 15000 / 23000 appliances with 40 GbE cards: It is necessary to install Take_162 and higher (refer to sk112517).
On 21000 appliances with SAM card: Due to specific stability issues, Take 210, Take 213 and Take 216 should not be installed (refer to sk116070).
It is recommended to install Jumbo Hotfix Accumulator on all the R77.30 machines in the environment - Security Gateways / Management Servers / etc. running on Gaia OS.
Installation of a newer Take of Jumbo Hotfix Accumulator on top of the current Take (refer to sk107320):
If the previous Take of Jumbo Hotfix Accumulator was installed using Legacy CLI, then the next Take can be installed using the CPUSE.
If the previous Take of Jumbo Hotfix Accumulator was installed using CPUSE, then all subsequent Takes must also be installed using CPUSE.
When running CPUSE Agent build 1005 and lower (users should upgrade to the latest build): All Takes of Jumbo Hotfix Accumulator must be installed in the same way:
If the Jumbo Hotfix Accumulator was installed for the first time using CPUSE, then all subsequent Takes must also be installed using CPUSE.
If the Jumbo Hotfix Accumulator was installed for the first time using Legacy CLI, then all subsequent Takes must also be installed using Legacy CLI.
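The backup step from the Important Notes above, as an added example (not Check Point code): a shell script for Expert mode that saves whichever of the listed files exist and, after the install and reboot, reports which of them changed or disappeared. It assumes $FWDIR and $PPKDIR are set by the Check Point environment; the function names and the JHF_ROOT prefix are hypothetical.

```shell
#!/bin/bash
# Added example, not Check Point code. Run in Expert mode, where $FWDIR and
# $PPKDIR are set. JHF_ROOT is a hypothetical prefix for the absolute paths
# (empty on a real machine) so the script can be tried in a scratch tree.

jhf_file_list() {   # the files named in this article, one per line
    cat <<EOF
$FWDIR/boot/modules/fwkern.conf
$FWDIR/boot/modules/vpnkern.conf
$PPKDIR/boot/modules/simkern.conf
$PPKDIR/boot/modules/sim_aff.conf
$FWDIR/conf/fwaffinity.conf
$FWDIR/conf/local.arp
$FWDIR/conf/discntd.if
$FWDIR/conf/cphaprob.conf
$FWDIR/conf/cpha_bond_ls_config.conf
$FWDIR/conf/fwauthd.conf
$FWDIR/conf/resctrl
$FWDIR/conf/vsaffinity_exception.conf
$FWDIR/database/qos_policy.C
${JHF_ROOT}/var/ace/sdconf.rec
${JHF_ROOT}/var/ace/sdopts.rec
${JHF_ROOT}/etc/snmp/snmpd.conf
${JHF_ROOT}/etc/snmp/userDefinedSettings.conf
${JHF_ROOT}/etc/snmp/vsx-proxy/snmpd.vsx.proxy.conf
${JHF_ROOT}/etc/snmp/snmpmonitor.conf
EOF
}

# Copy every listed file that exists into <dest>, keeping its full path,
# and print how many files were saved.
jhf_backup() {
    dest=$1
    [ -n "$FWDIR" ] && [ -n "$PPKDIR" ] || { echo "FWDIR/PPKDIR not set" >&2; return 2; }
    mkdir -p "$dest" && : > "$dest/MANIFEST" || return 1
    count=0
    while IFS= read -r f; do
        [ -f "$f" ] || continue    # not present on this machine, nothing to save
        mkdir -p "$dest$(dirname "$f")" && cp -p "$f" "$dest$f" || return 1
        echo "$f" >> "$dest/MANIFEST"
        count=$((count + 1))
    done <<EOF
$(jhf_file_list)
EOF
    echo "$count"
}

# After the install and reboot: list saved files that now differ or are gone.
jhf_changed() {
    dest=$1
    while IFS= read -r f; do
        if [ ! -f "$f" ]; then echo "MISSING $f"
        elif ! cmp -s "$dest$f" "$f"; then echo "CHANGED $f"
        fi
    done < "$dest/MANIFEST"
}

case "${1:-}" in
    backup)  jhf_backup "$2" ;;
    changed) jhf_changed "$2" ;;
esac
```

Saved under a hypothetical name such as jhf_backup.sh, it is called with "backup <directory>" before the install and "changed <directory>" afterwards; each reported file is then compared by hand against its saved copy.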
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
In the upper right corner, click on the Add hotfixes from the cloud button.
Paste the CPUSE Identifier and start the search. Note: Contact Check Point Support to get the CPUSE Identifier.
When the package is found, click on the link to add the package to the list of available packages.
Select the hotfix package - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
Select the package - click on Install Update button on the toolbar.
Machine will be rebooted automatically.
Online installation for General Availability Take
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
Click on the filter button near the help icon and select All.
Select the hotfix package - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
Select the package - click on Install Update button on the toolbar.
Machine will be rebooted automatically.
Offline installation
Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
Install the latest build of CPUSE Agent from sk92449.
Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
In the upper right corner, click on the Import Package button.
In the Import Package window, click on Browse... - select the CPUSE package (either offline TGZ file, or exported TAR file) - click on Import.
Select the imported package - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
Select the imported package - click on Install Update button on the toolbar.
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
Connect to command line on Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Import the package from Check Point cloud:
HostName:0> installer import cloud <CPUSE Identifier>
Note: Contact Check Point Support to get the CPUSE Identifier.
Show the packages that are available for download:
HostName:0> show installer packages available-for-download
Note: Refer to the top section "Hotfixes" - refer to "Jumbo Hotfix Accumulator for ..."
Verify that this package can be installed without conflicts:
HostName:0> installer verify <Package_Number>
Download the package from Check Point cloud:
HostName:0> installer download <Package_Number>
Install the downloaded package:
HostName:0> installer install <Package_Number>
Note: The progress (in per cent) will be displayed in Clish.
Machine will be rebooted automatically.
Online installation for General Availability Take
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
Connect to command line on Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Check the available packages:
HostName:0> show installer packages available-for-download
Note: Refer to the top section "Hotfixes" - refer to "Jumbo Hotfix Accumulator for ..."
Verify that this package can be installed without conflicts:
HostName:0> installer verify <Package_Number>
Download the hotfix package from the Check Point Cloud:
HostName:0> installer download <Package_Number>
Show the downloaded packages:
HostName:0> show installer packages downloaded
Install the downloaded package:
HostName:0> installer install <Package_Number>
Note: The progress (in per cent) will be displayed in Clish.
Machine will be rebooted automatically.
Offline installation
Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
Install the latest build of CPUSE Agent from sk92449.
Transfer the offline package (TGZ) / exported package (TAR) to the target Gaia machine (into some directory, e.g., /some_path_to_jumbo/).
Connect to command line on target Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Import the package from the hard disk:
HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
Note: When import completes, this package might be deleted from the original location.
Show the imported packages:
HostName:0> show installer packages imported
Note: Refer to the top section "Hotfixes" - refer to "<Package_File_Name>"
Verify that this package can be installed without conflicts:
HostName:0> installer verify <Package_Number>
Install the imported package:
HostName:0> installer install <Package_Number>
Machine will be rebooted automatically.
Uninstall instructions
Important Notes:
This Jumbo Hotfix Accumulator removes all its packages during uninstall.
Uninstall of Jumbo Hotfix Accumulator Take (refer to sk107320):
If a Take of Jumbo Hotfix Accumulator was installed using Legacy CLI, then it can be uninstalled using the CPUSE.
If a Take of Jumbo Hotfix Accumulator was installed using CPUSE, then it must be uninstalled using CPUSE.
When running CPUSE Agent build 1005 and lower (users should upgrade to the latest build): All Takes of Jumbo Hotfix Accumulator must be uninstalled in the same way as they were installed:
If a Take of Jumbo Hotfix Accumulator was installed using CPUSE, then it must be uninstalled using CPUSE.
If a Take of Jumbo Hotfix Accumulator was installed using Legacy CLI, then it must be uninstalled using Legacy CLI.
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
Connect to the Gaia Portal on your Gaia machine and navigate to the Upgrades (CPUSE) section - click on Status and Actions.
Above the list of all software packages, click on the Showing Recommended packages button - select All.
Right-click on the Jumbo Hotfix Accumulator package - click on Uninstall.
A warning will be displayed that after this uninstall, the machine will be automatically rebooted. Click on OK to start the uninstall.
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
Connect to command line on Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database:
HostName:0> lock database override
Uninstall the package:
HostName:0> installer uninstall <Package_Number>
Note: The progress (in per cent) will be displayed in Clish.
Important Note: When running Take 198 and lower of this Jumbo Hotfix Accumulator, before installing a higher Take, the current Take must be uninstalled.
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
Uninstall the current Take using CPUSE:
Connect to the Gaia Portal on your Gaia machine and navigate to the Upgrades (CPUSE) section - click on Status and Actions.
Above the list of all software packages, click on the Showing Recommended packages button - select All.
Right-click on the Jumbo Hotfix Accumulator package - click on Uninstall.
A warning will be displayed that after this uninstall, the machine will be automatically rebooted. Click on OK to start the uninstall.
Remove the references to the "SecurePlatform" package:
Connect to the command line.
Log in to Expert mode.
Remove the references from Check Point Registry:
[Expert@HostName:0]# mdsenv
[Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_BKP
[Expert@HostName:0]# $CPDIR/bin/ckp_regedit -d //SOFTWARE//CheckPoint//SecurePlatform//6.0//HOTFIX_R77_30_JUMBO_HF
[Expert@HostName:0]# $CPDIR/bin/ckp_regedit -d //SOFTWARE//CheckPoint//SecurePlatform//6.0//HotFixes HOTFIX_R77_30_JUMBO_HF
Remove the references from crs.xml file:
[Expert@HostName:0]# $CPDIR/bin/CRSValidator -l /opt/SecurePlatform/conf/crs.xml -remove R77_30_JUMBO_HF
List of replaced files
List of files replaced by this Jumbo Hotfix Accumulator can be provided upon request by Check Point Support.
Corrected the description of the Issue ID 02351092 in Take 189.
25 Sep 2017
General Availability Take 286 is now available in Gaia Portal and Gaia Clish for CPUSE online installation (it replaces General Availability Take_216).
18 Sep 2017
Added the CPUSE Identifier for Ongoing Take 286.
13 Sep 2017
Release of Ongoing Take 286.
24 Aug 2017
Release of Ongoing Take 282.
16 Aug 2017
Release of Ongoing Take 280.
Moved Issue ID 02040869 from Take 156 to Take 280.
27 July 2017
Improved installation instructions for CPUSE Offline package in Gaia Portal.
26 July 2017
Release of Ongoing Take 272.
Added a note that it is not supported to install this Jumbo Hotfix Accumulator using the ISOmorphic Tool.
Added "and reboot" at the end of the note that this Jumbo Hotfix Accumulator has to be installed only after successful completion of Gaia First Time Configuration Wizard.
16 July 2017
Added a note that Take 266 is not supported on Cluster High Availability configured in Bridge mode.
04 July 2017
Added a note that following the integration of support for TLS 1.2, for Threat Emulation customers that do not allow automatic updates from the Check Point Cloud, it is important to update the Threat Emulation Engine according to sk92509 - Offline updates for Threat Emulation images and engine.
03 July 2017
Release of Ongoing Take 266.
Added a note that support for TLS 1.2 was integrated starting in Take_266.
15 May 2017
Added the note to back up any configuration file that was edited manually (and added the list of the most important files).
Removed Issue ID 01562489 (that fix was not integrated yet) from Take 33.
09 Apr 2017
Added Issue ID 01916631 in Take 128.
30 Mar 2017
Updated the description of Issue ID 02002951.
29 Mar 2017
Updated the description of Issue ID 02333089.
22 Mar 2017
Release of Ongoing Take 225.
06 Mar 2017
Release of Ongoing Take 221.
23 Feb 2017
Added a note that on 21000 appliances with SAM card, due to specific stability issues, Take 210, Take 213 and Take 216 should not be installed (refer to sk116070).
Improved the description of Issue ID 02441209.
Improved the description of Issue ID 02413967.
Improved the description of Issue ID 02079428.
Improved the description of Issue ID 01931909.
Changed the description of Issue ID 02422452 to say: "This option will be fully available in future Takes".
22 Feb 2017
Added sk115575 in Take 216.
17 Feb 2017
General Availability Take 216 is now available in Gaia Portal and Gaia Clish for CPUSE online installation (it replaces General Availability Take_205).
Some changes in the design of this article, e.g., separated the "List of resolved issues per Take" section into these sections:
"List of resolved issues in the General Availability Takes".
"List of resolved issues in the Ongoing Take".
05 Feb 2017
Release of Ongoing Take 213.
Added sk114613 in Take 198.
Added sk112240 in Take 198.
29 Jan 2017
Added Issue ID 02364390 in Take 207.
25 Jan 2017
Release of Ongoing Take 210 (that replaced Take 209).
23 Jan 2017
Release of Ongoing Take 209.
08 Jan 2017
Release of Ongoing Take 207.
26 Dec 2016
Release of Ongoing Take 206.
22 Dec 2016
Added relevant notes about the CPUSE Agent.
16 Dec 2016
Added notes that R77.30 Jumbo Hotfix Accumulator supports the new improved R77.30 Gaia image (released 16 Dec 2016):
Since Take 198 - new R77.30 Gaia image for 3200 / 5000 / 15000 / 23000 / TE100X / TE250X / TE1000X / TE2000X appliances.
Since Take 84 - new R77.30 Gaia image for 2200 / 4000 / 12000 / 13000 / 21000 / TE250 / TE1000 / TE2000 appliances.
15 Dec 2016
General Availability Take 205 is now available in Gaia Portal and Gaia Clish for CPUSE online installation (it replaces General Availability Take_185).
23 Nov 2016
Release of Ongoing Take 198.
17 Nov 2016
Updated a note that R77.30 instances running in Microsoft Azure are supported starting in Take 189.
15 Nov 2016
Updated a note that R77.30 instances running in Amazon Web Services (AWS) are supported starting in Take 189 (instead of Take 184).
13 Nov 2016
General Availability Take 185 is now available in Gaia Portal and Gaia Clish for CPUSE online installation (it replaces General Availability Take_159).
07 Nov 2016
Release of Ongoing Take 189.
06 Nov 2016
Added a note that this Jumbo Hotfix Accumulator has to be installed only after successful completion of Gaia First Time Configuration Wizard.
20 Oct 2016
Release of Ongoing Take 185.
19 Oct 2016
Removed instructions for Legacy CLI package (deprecated) - CPUSE should be used instead.
18 Oct 2016
Removed a note that until further notice, R77.30 Jumbo Hotfix Accumulator should NOT be installed on Check Point Threat Emulation appliances (TE / TEX series) - no degradation / issue was found.
16 Oct 2016
Added a note that until further notice, R77.30 Jumbo Hotfix Accumulator should NOT be installed on Check Point Threat Emulation appliances (TE / TEX series).
13 Oct 2016
Release of Ongoing Take 184.
10 Oct 2016
Reverted to Ongoing Take 171.
The following Take packages were temporarily recalled for additional testing:
Ongoing Take 178.
Ongoing Take 174.
Ongoing Take 172.
29 Sep 2016
Release of Ongoing Take 178.
22 Sep 2016
Release of Ongoing Take 174.
01 Sep 2016
Release of Ongoing Take 172.
25 Aug 2016
Release of Ongoing Take 171.
08 Aug 2016
Release of Ongoing Take 165.
01 Aug 2016
Release of Ongoing Take 164.
27 July 2016
General Availability Take 159 is now available in Gaia Portal and Gaia Clish for CPUSE online installation.
20 July 2016
Release of Ongoing Take 162.
14 July 2016
Release of Ongoing Take 161.
30 June 2016
First release of General Availability Take (Take 159).
Moved all Legacy CLI instructions into a separate section.
This solution is about products that are no longer supported and it will not be updated.