Jumbo Hotfix Accumulator for R77.30 (R77_30_jumbo_hf)
Solution


Introduction

R77.30 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues in different products.

This Incremental Hotfix and this article are periodically updated with new fixes.

The list of resolved issues below describes each resolved issue and provides the Take number in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). The date when this Take was made available is also listed in the table.

 

Availability

  • General Availability Take

    • Take_351 is the latest General Availability release that can be directly downloaded from Check Point Cloud using CPUSE and from this article:

      Take: Take_351
      Date: 06 Oct 2019
      CPUSE Identifier: Check_Point_R77_30_JUMBO_HF_1_Bundle_T351_FULL.tgz
      CPUSE offline package: (TGZ)

      Note: Effective Oct 6th 2019, General Availability Take_351 is available for CPUSE online installation in Gaia Portal and Gaia Clish (it replaces Take_345).

      Notes:

      1. For Smart-1 405 / 410 appliances, it is necessary to install Take_266 and above (refer to sk117578).
      2. Effective February 17th 2017, the GA Take_216 is available for CPUSE online installation in Gaia Portal and Gaia Clish (it replaces Take_205).
      3. Effective December 15th 2016, the GA Take_205 is available for CPUSE online installation in Gaia Portal and Gaia Clish (it replaces Take_185).
      4. Effective November 10th 2016, the GA Take_185 is available for CPUSE online installation in Gaia Portal and Gaia Clish (it replaces Take_159).
      5. Effective June 20th 2016, the GA Take_159 is available for CPUSE online installation in Gaia Portal and Gaia Clish (first General Availability Take).
      6. For 15000 / 23000 appliances with 40 GbE cards, it is necessary to install Take_162 and above (refer to sk112517).
      7. For 23900 appliances, it is necessary to install Take_327 or Take_331 and above (refer to sk107516).
    • Online installation - use CPUSE identifier either in Gaia Portal, or in Gaia Clish.

    • Offline installation - use CPUSE offline / exported package either in Gaia Portal, or in Gaia Clish.

 

Important Notes

  • Refer to sk98028 - Jumbo Hotfix Accumulator FAQ.

  • This Jumbo Hotfix Accumulator is suitable only for Gaia OS (SecurePlatform / Linux / IPSO / XOS / Windows OS are not supported).

  • This Jumbo Hotfix Accumulator (starting in Take 189) can be applied to R77.30 instances running in Amazon Web Services (AWS), or in Microsoft Azure.
    Refer to sk109141 - Installing the Jumbo Hotfix Accumulator on Security Gateways in Amazon Web Services (AWS) and Microsoft Azure for additional information.

    On Security Gateway running in Amazon Web Services (AWS), it is not supported to install Takes 189 and above of this Jumbo Hotfix Accumulator when the user's shell is configured to /etc/cli.sh (the default shell).

    1. Before installing the Takes 189 and above, the user's shell must be changed to any shell other than /etc/cli.sh - e.g., /bin/bash, /bin/csh, /bin/tcsh (refer to R77 versions Gaia Administration Guide - chapter "User Management" - section "Users").
    2. After installing the Takes 189 and above, it is not supported to change the user's shell back to /etc/cli.sh.
  • This Jumbo Hotfix Accumulator (all its Takes) is not supported on vSEC for Google Cloud Platform.

  • Each "Take" of this Jumbo Hotfix Accumulator is always based on latest GA Take of Check Point R77.30.

  • It is not supported to install this Jumbo Hotfix Accumulator using the ISOmorphic Tool
    (do not add this Jumbo Hotfix Accumulator in the "Select hotfixes:" section of the ISOmorphic Tool).

  • It is recommended to install Jumbo Hotfix Accumulator on all the R77.30 machines in the environment - Security Gateways / Management Servers / etc. running on Gaia OS.

  • This Jumbo Hotfix Accumulator is suitable for these products and configurations:

    • Security Gateway
    • Cluster
    • VSX
    • Security Management Server
    • Multi-Domain Security Management Server
    • Standalone machine (Gateway + Management)
    • Endpoint Security Server
    • Log Server
    • SmartEvent Server
    • SmartReporter Server
  • There is no conflict between this Jumbo Hotfix Accumulator and the R77.30 Add-On. These two packages can be installed in parallel without any issues on R77.30 Security Management Server / Multi-Domain Security Management Server / Log Server / Endpoint Security Management Server / Endpoint Security Policy Server.

  • Starting in Take_266, this Jumbo Hotfix Accumulator supports TLS 1.2 in the following products / features:

    • ICA Management Portal / Management Portal
    • Secure Internal Communication (SIC)
    • Gaia Portal
    • Platform Portal
    • Software Updates
    • Mobile Access blade
    • Endpoint Security Management Server
    • SSL Network Extender (SNX)

    Notes:

  • For Smart-1 405 / 410 appliances, it is necessary to install Take_266 and above (refer to sk117578).

  • For 15000 / 23000 appliances with 40 GbE cards, it is necessary to install Take_162 and above (refer to sk112517).

  • On 21000 appliances with SAM card, due to specific stability issues, Take 210, Take 213 and Take 216 should not be installed. Refer to sk116070.

  • This Jumbo Hotfix Accumulator has to be installed only after successful completion of Gaia First Time Configuration Wizard and reboot.

 

List of resolved issues in the General Availability Takes

ID Product Description

Take 351 (06 Oct 2019) - General Availability Take

PRJ-2376, PRJ-2358 Gaia OS CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.
PRJ-1330, 02541089 SecureXL Resolved issue in multicast routing lookup.
PMTR-27365, IDA-1609 Identity Awareness In some scenarios, the Identity Agent fails to authenticate using Kerberos SSO due to a very large Kerberos ticket, and the agent falls back to User/Password authentication. Refer to sk145832.
PRJ-366, PMTR-33177 Identity Awareness In some scenarios, when using Load Sharing and the same IP address is used by two different users, users may be able to access, or be restricted from accessing, resources without the proper roles.

Take 348 (24 Apr 2019)

CPUSE Identifier: Check_Point_R77_30_JUMBO_HF_1_Bundle_T348_FULL.tgz

IDA-1689, PMTR-31034 Identity Awareness Removed unnecessary identity update, during Identity Agent or Terminal Server Agent IP address change, that results in corruption of PEP database.
GAIA-3010, PMTR-23157 Gaia OS CVE-2018-15473: Username enumeration is possible due to a premature bail-out while dealing with a malformed packet. The issue exists in several authentication protocols.
IDA-1225, PMTR-33364 Identity Awareness Fixed possible session corruption on PDP side that could lead to unexpected behavior.

Take 347 (27 Mar 2019)

CPUSE Identifier: Check_Point_R77_30_JUMBO_HF_1_Bundle_T347_FULL.tgz

PMTR-26171, PMTR-26174 SSL Inspection Changed SSL Network Extender on MacOS to 64-bit architecture to support the deprecation of 32-bit apps in OSX.
PMTR-35032, PRJ-99 VPN Important security update for IPSec Site-to-Site (S2S) VPN.

Take 346 (13 Feb 2019)

CPUSE Identifier: Check_Point_R77_30_JUMBO_HF_1_Bundle_T346_FULL.tgz

02468036 UserCheck Improved stability when Push Notifications are enabled on Mobile Access blade.
02657434 VPN Improved connectivity with 3rd party VPN peers using IKEv2. Refer to sk120835.
02100804 VPN After Cluster failover, VPN tunnel is down and "Unknown SPI for IPsec packet" log is shown. Refer to sk112339.
PRHF-608 SecureXL Improved stability of VSX gateway when under heavy load when SecureXL is enabled.
JPMC-284 SecureXL Improved stability of SAM card when running multicast jumbo traffic packets.
JPMC-316 SecureXL Improved stability of SAM card when PIM is configured in Sparse Mode on its interfaces.

Take 345 (25 Feb 2019) - General Availability Take

PMTR-19734 IPS Blade Legitimate EDNS queries are dropped with "Non Compliant DNS - Bad Resource Record format, Illegal EDNS0 RR" log. Refer to sk112578.
PMTR-26587 Identity Awareness On some occasions, Terminal Server users are not enforced by the correct access role.

Take 344 (10 Jan 2019)

CPUSE Identifier: Check_Point_R77_30_JUMBO_HF_1_Bundle_T344_FULL.tgz

PMTR-24897 VoIP H323 - Connection might fail when Gatekeeper initiates the call to endpoint.
PMTR-18093, PMTR-11941, PMTR-13827, 02482488 CoreXL CoreXL FW instance offloads a partial/anticipated connection that already exists. Refer to Scenario 5 in sk100467.
PMTR-27889 Threat Extraction When /tmp/scrub folder has a large number of files (over 5000), it is not cleaned.
PMTR-23309 Security Gateway In some MGCP clients - Source port changes even when MGCP protocol is disabled, which causes MGCP traffic to not reach its destination properly.
PMTR-20131 SecureXL Connectivity issues with following drops: 'handle_outbound_pac, Reason: connection not found' - Refer to sk101134, Scenario 2.
PMTR-24938 VoIP SIP packets that contain * in the 'contact' field are being dropped.
PMTR-26139 SSL Inspection HTTPS inspection added support for a custom extension used by Apple.
PMTR-22966 SSL Inspection HTTPS categorization: add support for certificates up to 16KB in size.
PMTR-26020 Web Intelligence In rare cases, XFF header obfuscation may not work when HTTPS Inspection is enabled.

Take 343 (17 Dec 2018)

CPUSE Identifier: Check_Point_R77_30_JUMBO_HF_1_Bundle_T343_FULL.tgz

PMTR-22951, 02490101 VPN IKEv2 stability improvement with 3rd party peers.
PMTR-18922, PMTR-24797 VPN Certificate validation: In compliance with RFC 2560 - added support for empty 'nextUpdate' fields in OCSP response.
PMTR-23443, 02757621 Endpoint Security "Cannot create certificate" error message when a user certificate cannot be enrolled on Endpoint Security VPN client after January 24th 2018. Refer to sk122874.
PMTR-23326, PRHF-1352 Gaia OS "set fcd revert" command fails, between Take 309 and 343 of Jumbo Hotfix Accumulator for R77.30.
PMTR-19536, CLUS-1073 ClusterXL Improved Cluster stability during policy installation, reduced interface flapping events and high CPU load on the Cluster Gateways. Refer to sk133372.

Take 342 (26 Dec 2018) - General Availability Take

PMTR-19062, 02305365 SecureXL In rare cases, in SIP implementations, call might disconnect after a few minutes. Refer to sk112913.
PMTR-17227, UP-225 Security Gateway Fixed SAM rules corruption after reboot.
PMTR-19771, 02645755 Security Gateway, CoreXL SecureXL forwards non-accelerated packets to the gateway causing it to crash.
PMTR-15680, 02508263 SecureXL Connectivity issue during policy installation, when NAT templates are enabled between CPUs.
PMTR-15586, PMTR-10842 SecureXL Reduce/eliminate drops on interface during install policy with high load traffic.
PMTR-22572, PMTR-3899 HW Accelerator Additional fixes to resolve crashes for certain conditions with logs indicating "ADP Slot hung."
PMTR-19551, 02694599 Gaia OS Output of "show message motd" clish command is corrupted if the "motd" message is too long. Refer to sk122199.
PMTR-22724, 02059238 VPN Improved VPN connectivity when using Diffie Hellman groups 19 or 20 with 3rd parties. Refer to sk112156.
PMTR-17522, SWG-1078 DLP Memory leaks when HTTPS Inspection and Probe Bypass are enabled.
PMTR-19863, 01619775 Security Gateway Policy installation failure when number of SAM rules is higher than 25000. Refer to sk110560.
02763128 Web Intelligence Enhanced HTTP parser to distinguish between malformed HTTP traffic and valid HTTP traffic that is not RFC compliant, but exists in the real world.

Take 339 (31 Oct 2018)

02669997 Hardware Improved forensic data collection for SAM stability.
02366690 Gaia OS Improved stability of CPD process on Multi Domain Server, during hardware sensor reading. Refer to sk114936.
02413299 VoIP CPU peaks may be experienced when using H323 (VoIP protocol).
IDA-648 Identity Awareness Improved pdpd stability with AD Query in specific manual configuration overriding per gateway for Account Unit.
02708339 VPN Improved IKEv2 compatibility in clustered CloudGuard Azure environments. Refer to sk123374.
02436860 Content Awareness Improved DLP NCR encoding support.

Take 338 (20 Sep 2018) - General Availability Take

02481671 Threat Extraction When Threat Extraction is configured to block access to original files and to block corrupted/encrypted files (both not default) - The email that indicates that the encrypted/corrupted file has been removed is not received by email recipient.
01850251 Anti-Malware UDP performance with Threat Prevention was improved.
SA-31 Gaia OS Fixing an issue which can lead to the loss of connectivity.
02421166, 02482081, 02468381 VPN Added Azure VPN IKEv2 enhancement. Refer to sk116157.
02431088 VPN Stability improvements for IKEv2 and Azure gateways.
02058553 VPN IKEv2 support for more than 8 proposals.
02471564 SSL Inspection Improved stability of WSTLSD daemon.
IDA-949 Identity Awareness RADIUS accounting server does not understand accounting-response from Check Point gateway. Refer to sk130532.
01786753 Identity Awareness AD users with special characters in their names cannot authenticate. Refer to sk131872.
01500409 Identity Awareness "Group membership of the required account (user or machine) could not be retrieved from the AD. Make sure the account exists in the AD." log is received from Identity Awareness blade when format of RADIUS user is "user@domain". Refer to scenario 6 in sk106133.
IDA-1150 Identity Awareness Fixed a MUH Agent issue of sending unnecessary MUH updates causing high CPU on PEP. This led to delays with getting identities and can cause connectivity issues.
IDA-735 Identity Awareness Identities are not synced to PEP if two PDPs report the same network. Refer to sk130373.

Take 336 (21 Aug 2018)

PMTR-20184 Security Gateway Check Point response to SegmentSmack (CVE-2018-5390) & FragmentSmack (CVE-2018-5391). Refer to sk134253.
PMTR-20189 & PMTR-20188 UserCheck, VSX In VSX environment, portals are down after uninstalling R77.30 Jumbo Hotfix take 266 or later and there are multiple defunct instances of mpdaemon.
02729238 SSL Inspection Improved accuracy of HTTPS Inspection rule-base matching.
01699431 Mobile Access Improving stability of SNX roaming feature.
02408359 QoS VPN Stability improvements in setups with NAT.
PMTR-19603 Gaia Jumbo Hotfix uninstall causes issues in boot and communication in TEX product line.
01855951 VPN Improved stability for VPN Remote Access when using tcpt.

Take 331 (26 Jul 2018)

GAIA-2269 Data Center Security Appliances Added support for 23900 appliances. Refer to sk107516.
02396869 VPN Improved tunnel stability in site to site setups.
02447010 VPN "You cannot receive an office Mode IP address because the security gateway does not have a license for Office mode" error on SSL Remote Access VPN client (SNX client / Capsule VPN client / Capsule Connect client / Endpoint Connect client) that tries to connect to a Cluster in High Availability mode. Refer to sk120652.

Take 329 (10 Jul 2018) – Not supported on 23900 appliances

02006858 VPN Improving consistency and stability of supernet encryption domains of gateways with Mobile Access blade.
PMTR-14587 Gaia OS Security hardening for Gaia WebUI
PMTR-14615 Gaia OS Security hardening for Gaia WebUI
PMTR-14614 Gaia OS Security hardening for Gaia WebUI
01944349 Gaia OS When browsing to the Time page in the GAIA WebUI, two messages are spammed in /var/log/messages (flag is ... and data is...).
02049361 Gaia OS Intel X520 DP 10Gb DA/SFP+ Server Adapter is not detected by GAIA OS.
01876093 Mobile Access Adding configurable option to allow compressed https connections to internal servers. Refer to sk128513.
PMTR-15763 Gaia OS Gaia Portal shows blank page after login with Firefox 5x or Chrome 66. Refer to sk121373.
THREATEMUL-4272 Threat Emulation If Threat Emulation disk space threshold is higher than Log disk space threshold, then Threat Emulation will stop emulation while the logs will continue to accumulate, resulting in the emulation entering fail open.

Take 327 (26 Jul 2018) – to be installed only on 23900 appliances

GAIA-2269 Data Center Security Appliances Added support for 23900 appliances. Refer to sk107516.

Take 322 (18 Jun 2018)

02725585 Mobile Access CVPN daemon stability.

Take 320 (11 Jun 2018)

02764970 Gaia OS lspci utility showing unknown devices on HP G9 server with 4th gen Xeon CPUs.
02764972 Gaia OS Fixed the output of raid_diagnostics command.
PMTR-9275 Security Gateway In rare scenarios, CPD process stops working when running for a long time.
02757263 SSL Inspection Improved resumption handshake behavior in SSL inspection.
02757276 SSL Inspection Improved handshake handling in case of re-negotiation.
CPDIAG-936 Check Point Diagnostic tool
  • New cpview capability to collect and present IO data.
  • Enabled cpview history collection on Management machines.

Take 317 (27 Jun 2018) - General Availability Take

02734847 Web Intelligence Improved non-compliant HTTP handling.
02365162 Multi-Domain Security Management Server When using the Compliance blade with Management HA, FWM might consume high CPU.

Take 315 (26 Apr 2018)

02329735 Check Point Appliances Customers using 40GbE Cards with firmware version 12.12.3072 might experience unexpected behavior while using port beacon (ethtool -p) and RMA diagnostics tool. Contact Check Point Support for a new firmware version.
02718182 SSL Inspection Improved handling of trusted CAs certificates when HTTPS inspection is enabled. Refer to sk122973.
02420344 vSEC VE Security Gateway vSEC Virtual Edition (running on Azure, AWS, GCP, KVM, Hyper-V) 'too many internal hosts' error in /var/log/messages on Security Gateway. Fix for identifying only VMware platform as vSEC Virtual Edition.

Take 311 (4 Apr 2018)

IDA-650 UserCheck When users try to access a non-existing page in the portal, they are redirected to the base home page instead of getting an HTTP 404 response.
01678514 DLP Improved connectivity of DLP and FTPS.

Take 310 (14 Mar 2018)

02694299 Cluster Deleting last backup IP address from VRRP Interface triggers a transition from master state to backup.
02722259, MCFG-101 Identity Awareness Captive Portal Kerberos SSO redirection does not work in VSX in new installed VS.
Note: This fix is relevant for any Take of R77.30 Jumbo Hotfix Accumulator between Take 266 and Take 309 (inclusive).
02693681 Gaia OS fwm logexport -f command does not properly export some fields from the log file to an ASCII file.

Take 309 (26 Feb 2018)

GAIA-1737 Gaia OS Security hardening for Gaia Clish

Take 308 (19 Feb 2018)

THREATEMUL-1861 Threat Emulation Integrated Threat Emulation forensics report update capability. For more details, refer to sk120357.
02685256 Threat Emulation Fixed an issue causing Gaia backup size to increase significantly when using Threat Emulation.
IDA-621 (Giraffe) Identity Awareness Identity Awareness Feature Pack (including Identity Collector support) scale and quality enhancements. For more details, refer to sk120979.
02449938 SecureXL SAM enabled interfaces have a maximum MTU of 3950 bytes.

Take 302 (27 Mar 2018) - General Availability Take

02660171 SecureXL In a very rare scenario, interface state could change midway through handling of fragmented packet causing SAM to crash.
02701723 IPS Blade In rare conditions, following policy installation with an IPS update, some IPS inspected traffic is being dropped, and message logs include messages like: "FW-1 - ips_cmi_handler_match_cb_ex: signature (XXX) does not have a policy"
02703382 Gaia OS In some cases, "missing state" is erroneously displayed when checking the disk's status via raid_diagnostic, cpstat and snmpwalk commands.
PMTR-4786 DLP Stability improvement of dlpu process when DLP blade is enabled.
IDA-636 DLP, User Check Stability improvement of fwucd process during process exit.
02669195 Multi-Domain Security Management Server Upon MDS startup in large MDM environments, the fwm process may consume high CPU resources for some time.

Take 301 (16 Jan 2018) 

02704101 Security Management Server After installing R77.30 Jumbo HF take 297, CPD\SNMPD cores are found on the machine.
02685526 Security Gateway In SmartDashBoard, the "Hits" counter in a specific rule does not increase even though traffic was matched to this rule. Refer to sk115098.
02694079 VPN Simplifying MSS clamping configuration.
02694314 VPN Improved stability of vpnd daemon.
02528926 SecureXL Improved stability while pushing policy after extended longevity of 8 months on SAM enabled gateways.
02693271 Gaia OS PIM hello packets dropped in SmartView Tracker.
02445000 SecureXL On rare occasions, multiple iterations of multicast join and leave may result in memory leak.

Take 297 (18 Dec 2017)

This Take is not supported with SNMP Monitoring.

01986657 VPN cpd stability improvements.
02676734 VPN Remote Access users cannot connect when using a certificate issued by subordinate CA.
02689074 VPN Prevent defaulting Remote Access TTM Configuration files (such as trac_client_1.ttm) during jumbo installation after installing any Take higher than Take 266 up to Take 294 (inclusive) of R77.30 Jumbo Hotfix Accumulator.
02676736 VPN IKE negotiation fails when using certificates from subordinate CAs.
02439945 VPN RIM routes not removed when MEP node fails.
02439913 VPN RIM routes are not added to the routing table after failover and immediate failback.
02440245 VPN VPN stability improvements.
02678619 VPN, HTTPS Inspection Improved stability of WSTLSD daemon during CRL validation.
02655364 Security Gateway Improved stability when processing VoIP traffic
02661935 Security Management Server If there are more than ten thousand Binary Large Objects (BLOBs) on the Log Server, there may be a delay before new logs show in SmartConsole after a policy installation.
02677133 Security Management Server, Multi-Domain Security Management Server, VSX Improved stability of CPD process in Multi-Domain server, Security Gateway and VSX Gateway.

Take 294 (23 Nov 2017)

02110663 VPN Tunnel to Azure fails periodically.
02489908 SSL Inspection Improved SSL handshake for HTTPS inspection.
02674931 Identity Awareness httpd process repeatedly failing during startup.
Note: This fix is relevant for any Take of R77.30 Jumbo Hotfix Accumulator between Take 266 and Take 292 (inclusive).
For VSX configurations, refer to 02722259 (Take_310).
02575864 VPN IKEv2 - response not sent if failed to decode request message.
02455007 Data Center Security Appliances On rare occasions (with a very large uptime of more than 250 days), traffic can be dropped after policy installation because a SecureXL template is deleted prematurely from FireWall kernel. Refer to sk119999.
02449938 Check Point Appliances For SAM enabled interfaces, jumbo frames beyond 4k size may cause instability. Hence, for SAM enabled interfaces, the max MTU is limited to 3950.
02478098 UserCheck UserCheck is not presented because the error page was already triggered by another blade in the same session.
02668257 VSX When attempting to debug fwk process using the fw debug command, some debugs do not appear correctly.
02658404 ClusterXL Traffic interruption on VLAN interfaces during policy installation on ClusterXL Load Sharing Multicast mode.
02489933 Gaia OS Output of dmesg command shows "bonding: bond<N>: Error: bond_3ad_get_active_agg_info failed" when working with 802.3ad link aggregation.
02564276 Identity Awareness After IDA agent sends NACHello request, it receives response with empty portal names.
02582480 Security Management Policy installation fails on DAIP gateways after changing Domain Server from Standby to Active.

Take 292 (19 Dec 2017) - General Availability Take

02563960 IPS fwd process or fw_full process on Security Gateway consumes memory at high level after installing Take 206 of R77.30 Jumbo Hotfix Accumulator (sk117655)
02569432 Threat Emulation When Threat Emulation was configured to send some of the files to the cloud and some locally, the files were sent only locally and not to the cloud. In this release, the configuration in the GUI will take effect and files will be sent to emulation according to the policy.
02659361 ClusterXL SNMP query returns wrong outputs for haClusterIpTable
02665619 SNX In rare cases, client running Windows 10 Anniversary update experiences disconnections within SNX tunnel.
02656968 Security Gateway In rare scenarios, when working with Dynamic Objects, NAT rules are not applied anymore after policy installation or update of software blades signatures. This causes traffic outage for all connections that should undergo NAT.
02536207 VSX Added:
  • Ability to query specific Virtual Device directly using the IP address of the Virtual System.
  • Ability to query SNMP daemons in the contexts of Virtual Devices sent to the IP Address of VSX Gateway itself using SNMPv1, SNMPv2 and SNMPv3.
  • New OIDs in the SNMP VSX tree:
    • Memory usage for each Virtual System.
    • CPU usage for each Virtual System for each core.
02659849 VoIP Data connections of H323 protocol were not opened correctly in VSX cluster environments.
02660349 DLP, Threat Extraction Security enhancements for Data Loss Prevention and Threat Extraction blades
02659678 Threat Emulation Links inside email with Domain suffix (e.g. www.example.com) were emulated as com files.
02661043 SmartLog Improved stability of "smartlog_server" process when running queries in SmartLog GUI to several Log Servers.
Refer to sk112826.
Note: This fix is relevant for any Take of R77.30 Jumbo Hotfix Accumulator between Take 198 and Take 286 (inclusive).
02655985 SmartLog Improved stability of "smartlog_server" process when activating the "Auto Refresh" button in SmartLog GUI (upper right corner) for several hours.
02555984 Security Gateway, Security Management Server, Multi-Domain Security Management Server Improved memory consumption by FW process and FWD process.
Refer to sk117655.
Note: This fix is relevant for any Take of R77.30 Jumbo Hotfix Accumulator between Take 206 and Take 286 (inclusive).
02590882 SmartEvent New events are not created in SmartEvent GUI, and "ERROR: duplicate key value violates unique constraint "seam_event_XXX_pkey"" in $RTDIR/log/cpsemd.elg file.
Refer to sk105185.
02532160 SecureXL For 21000 appliances with SAM card, improved stability of SAM card when running the "cpstop -fwflag -driver" command as a part of kernel memory leak detection procedure.
Refer to sk35496.
02401494 VoIP Improved check for memory allocation failures under heavy load of VoIP traffic.
02573235 VSX Improved support for Connectivity Upgrade (CU) in VSX VSLS.
Note: This fix is relevant for any Take of R77.30 Jumbo Hotfix Accumulator between Take 198 and Take 286 (inclusive).

Take 286 (13 Sep 2017)

02646492 Gaia OS In very rare cases, Gaia Portal is not accessible after installing any Take higher than Take 226 up to Take 282 (inclusive) of R77.30 Jumbo Hotfix Accumulator.

Take 282 (24 Aug 2017)

02562476 Threat Emulation Mail Transfer Agent does not process e-mails queued prior to installation/upgrade/uninstall of Jumbo Hotfix Accumulator.
Relevant only to Takes 221, 225, 226, 266, 272, and 280.
Refer to sk119515.
02567302 HTTPS Inspection HTTPS Inspection fails occasionally during CRL validation failure.

Take 280 (16 Aug 2017)

02498183 HTTPS Inspection, Security Management Server, Multi-Domain Security Management Server Applications, Dynamic objects and Domain objects are available for use in the HTTPS Inspection policy, but these objects are not enforced on the Security Gateway.
Refer to sk119276.
02498239 Threat Prevention, Security Management Server, Multi-Domain Security Management Server Domain objects are available in the Threat Prevention policy in the following columns: Source, Destination and Scope, although they are not supported in the Threat Prevention policy.
02557325 Threat Extraction, DLP Security enhancements for Threat Extraction and Data Loss Prevention blades.
02570146 HTTPS Inspection, Security Gateway Improved stability of Security Gateway when HTTPS Inspection is enabled and/or Security Gateway is configured as Proxy (this issue is relevant only to Take 272 of R77.30 Jumbo Hotfix Accumulator).
02561565 Anti-Virus, Anti-Bot, URL Filtering Improved URL recognition mechanism for Anti-Virus, Anti-Bot, and URL Filtering blades.
02548031 Client Authentication Portal Security hardening for Client Authentication Portal.
02040869 VSX "kernel: VRF ERROR: Illegal parameters during call to sock_setsockopt() @ net/core/sock.c:<N> : sk_family=<X> sk_type=<Y> sk_state=<Z>" error appears randomly in /var/log/messages file on Active member of VSX cluster.
Refer to sk111101.
02552177 Gaia OS SNMP Query for the following OID trees does not return the expected information (snmpwalk command returns "No Such Instance currently exists at this OID"):
  • 1.3.6.1.4.1.2620.1.24 (.iso.org.dod.internet.private.enterprises.checkpoint.products.avi)
  • 1.3.6.1.4.1.2620.1.29 (.iso.org.dod.internet.private.enterprises.checkpoint.products.uf)
  • 1.3.6.1.4.1.2620.1.30 (.iso.org.dod.internet.private.enterprises.checkpoint.products.ms)
Note: Issue occurs only in Take 221, 225, 226, 266, and 272.
- Endpoint Security Server Added support for Endpoint Security Server R77.30.03.
Refer to sk119893.

Take 272 (26 July 2017)

02552331 IPS, Application Control, URL Filtering, Anti-Virus, Anti-Bot, Threat Emulation, DLP A "malformed protocol name in request" log is seen in SmartView Tracker / SmartLog for HTTP traffic. HTTP traffic that contains "HEAD" request is mistakenly identified as non-compliant HTTP traffic by the HTTP parser. As a result, the connection is rejected/bypassed either according to the non-compliant HTTP settings, or according to the "Fail Open"/"Fail Close" settings.
01778991, 02443602, 02453169 HTTPS Inspection Improved stability of HTTPS Inspection with enabled Probe Bypass.
Refer to sk111600.
02538223 URL Filtering Improved URL recognition mechanism for Anti-Virus, Anti-Bot, and URL Filtering blades.
02459918 Anti-Virus Improved inspection of "Unknown" file types according to the Threat Prevention policy (when the option "Process specific file types families" is selected in the Threat Prevention profile - "Anti-Virus Settings").
02524486 Security Gateway CIFS traffic is dropped on certain CIFS requests.
02519295, 02519439 VPN Improved stability of VPND process in IKEv2 flows.
02537316 VSX, SmartView Monitor Virtual Switches in VSX cluster are shown in "PROBLEM" status in SmartView Monitor without any error message.
Refer to sk112067.

Take 266 (03 July 2017)

This Take is not supported on Cluster High Availability configured in Bridge mode.
- Gaia, Security Gateway, Management Server, etc. Support for TLS 1.2
Refer to sk107166.
Note: For Threat Emulation customers that do not allow automatic updates from the Check Point Cloud, it is important to update the Threat Emulation Engine according to sk92509 - Offline updates for Threat Emulation images and engine.
- VPN Support for Online Certificate Status Protocol (OCSP):
The Security Gateway now validates the certificate from the server (on the Internet) using the OCSP standard, which is faster and uses much less memory than CRL Validation.
- Mobile Access Support for Mobile Access Reverse Proxy.
Refer to sk110348.
- Mobile Access Support for Capsule Workspace App Wrapping.
Refer to sk111558.
02517569 Mobile Access Improved stability of Mobile Access WebMail application.
02531747 Check Point Appliances Added support for Smart-1 405 and 410 appliances.
Refer to sk117578.
02514370; 02429601 Threat Emulation Large files downloaded over HTTP are not inspected by Threat Emulation blade if they are encoded with "gzip".
02517497 DLP DLP supports only Microsoft Office versions lower than 2016
(this issue is relevant only to R77.30 Jumbo Hotfix Accumulator).
02508656 SSL Network Extender, Endpoint Security On Demand, SecureWorkspace Unable to connect with SNX, ESOD and SWS after updating the Java to version 8 update 131.
The SNX connection remains at 'initializing' state.
02497785, 02510894 HTTPS Inspection Improved stability of WSTLSD daemon by removing Issue ID 02439917 (sk109096) that was added in Take 210
(this issue is relevant only to R77.30 Jumbo Hotfix Accumulator - Takes 210, 213, 216, and 225).
02498309 HTTPS Inspection

Connection to an HTTPS web site can get stuck in the following scenario:

  1. HTTPS Inspection is enabled on Security Gateway
  2. "Website categorization mode" is set to "Hold"
    (in R77X SmartDashboard, go to the "Application & URL Filtering" tab - expand the "Advanced" - click on the "Engine Settings")
  3. The HTTPS web site's category is not in RAD daemon's cache yet
    (i.e., categorization of this HTTPS web site will require a "Hold")
Refer to sk119273.
Take 226 (14 June 2017)
02516659, 02521220 Threat Emulation, Threat Extraction Fixed Mail Transfer Agent (MTA) enforcement issue.
02513169 Threat Emulation, Threat Extraction Security Gateway configured as MTA does not forward, or forwards very slowly, e-mails that contain attachments in the TNEF format.
Refer to sk117312.
Take 225 (22 Mar 2017)
02486948 Security Gateway, SmartView Monitor SmartView Monitor incorrectly shows R77.30 Security Gateway as "Disconnected" and its software blades as "not responding".
This cosmetic issue appears only after installing Take_221 of R77.30 Jumbo Hotfix Accumulator.
Refer to sk116366.
02485155 MTA, DLP, UserCheck E-mails are not passing through the DLP Gateway configured as Mail Transfer Agent (MTA).
Refer to sk116469.
02487339 MTA, Threat Emulation, Threat Extraction, DLP, Anti-Spam

Improved processing of e-mails and attachments when Security Gateway is configured as Mail Transfer Agent (MTA) -
improved an internal mechanism that generates random internal IDs for processed e-mails / attachments.

This prevents failures to clean attachments by Threat Extraction blade / strip attachments by Threat Emulation blade.
Take 221 (06 Mar 2017)
02468493 URL Filtering, HTTPS Inspection Improved Security Gateway stability when URL Filtering and HTTPS Inspection are enabled after installing Takes 209, 210, 213, or 216 of R77.30 Jumbo Hotfix Accumulator.
02057763, 02059521 HTTPS Inspection Added support of SHA384 and SHA512 hash algorithms that are used by some HTTPS sites to sign their certificates.
This specific fix (ID 02325804) was reverted in Take 184 (ID 02366619) to resolve the issue of not being able to open some HTTPS web sites in Chrome browser when HTTPS Inspection is enabled after installing Take 172, Take 174, or Take 178 of R77.30 Jumbo Hotfix Accumulator.
Refer to sk112672.
02267698, 02465120 HTTPS Inspection Some HTTPS sites do not load when HTTPS Inspection is enabled, if TLS 1.2 with ECDHE cipher is used.
Refer to sk112954.
02468724 SecureXL 21000 appliance with SAM card is not able to boot after installing Take 210, Take 213 or Take 216 of R77.30 Jumbo Hotfix Accumulator.
Refer to sk116070.
02071893 Threat Emulation New feature in Threat Emulation and Mail Transfer Agent (MTA):
Detecting links to malicious files inside e-mails.
Refer to sk115313.
02279050 Threat Emulation New feature in Threat Emulation:
Support for encrypted (password protected) archives - Threat Emulation blade tries to decrypt the protected archive and extract it based on a preconfigured passwords dictionary.
Refer to sk112821.
02367623, 02369699 Threat Emulation New feature in Mail Transfer Agent (MTA):
File Classifier for MTA - MTA will use the same File Classifier that is used by the Threat Emulation blade, and will be able to detect the real type of a file.
02074197 Threat Emulation New feature in Mail Transfer Agent (MTA):
Ability to configure load balancing / high availability based on the DNS configuration for Mail Transfer Agent (MTA).
Refer to sk110369.
02333089 Threat Emulation

New features in Mail Transfer Agent (MTA):

  • Improved debug messages for MTA flow.
    During the debug of in.emaild.mta daemon (per sk60387), postfix "Message-ID" will appear in the $FWDIR/log/emaild.mta.elg file on the Security Gateway to assist in the analysis of the e-mail flow.

  • Logs will be generated (will appear in SmartLog / SmartView Tracker) by the Security Gateway if e-mails are piling up in the queue, or if there has been a delay in e-mail processing.
    Refer to sk109699 - Section "Control intervals and thresholds for MTA logs".

02002951 Threat Emulation

New features in Mail Transfer Agent (MTA):

  • Postfix was upgraded to version 3.1
    New Postfix version includes full protection against "Drown" attack, and serves as a vehicle for other future features, such as LDAP support.

  • New monitoring utility for Postfix queue - cpqshape.
    Refer to sk109699 - Section "Troubleshooting" - subsection "Analyze Postfix bottlenecks using the cpqshape utility".

02472626 Threat Emulation Security Gateway configured as Mail Transfer Agent (MTA) does not forward e-mails that contain more levels of nested MIME content (attachment inside attachment inside attachment etc.) than configured in the Threat Prevention Profile (Threat Emulation Settings - "Mail (SMTP)" - "Configure...") - such e-mails are discarded due to timeout.
02462393 Threat Emulation Improved handling of e-mail attachments with long names.
02466877 Gaia OS "Wrong Type (should be Gauge32 or Unsigned32): INTEGER" message in SNMP Response.
Refer to sk115119.
01951357, 02388316 Gaia OS /var/log/messages file shows the line "sshd[<PID>]: pam_radius_auth: Got response from RADIUS server" even when the RADIUS server is not accessible.
01961177, 02388317 Gaia OS The "Network Interfaces" page in the Gaia Portal does not load if the text string "NAN" or "inf" is saved in the interface's "Comment" field.
02466343 Gaia OS, VSX "Wrong Type (should be INTEGER)" errors when querying SNMP OID 'vsxCountersTable' (.1.3.6.1.4.1.2620.1.16.23.1) on VSX Gateway.
Refer to sk109469.
02466231 VSX Commands executed in Gaia OS on VSX Gateway are logged in /var/log/messages file without VSID of Virtual Systems.
Refer to sk113128.
02465996 VPN In certain cases, depending on encryption domain configuration, the "ike_enable_supernet" parameter (refer to sk101219) does not create the correct supernetting pattern - the subnet mask does not correlate to the original subnet mask that was defined by the user.
02450974, 02454119 SSL Network Extender "Cannot establish connection to SSL Network Extender gateway. Try to reconnect." error from SNX client on Mac OS X / macOS after disabling both RC4 and 3DES cipher suites on the Mobile Access Gateway.
Refer to sk116156.
02331736 Mobile Access Occasionally, the Mobile Access Deployment Agent fails to invoke SNX, ESOD Compliance or SecureWorkspace in Firefox browser.
"Java unavailable" error message is displayed to the user.
02440490 Security Management Server, Multi-Domain Security Management Server "Bad Response format" error in SmartDashboard when enrolling a VPN certificate using SCEP from the external CA based on Windows Server 2008 and above.
Refer to sk106405.
Take 216 (17 Feb 2017) - General Availability Take
On 21000 appliances with SAM card, this Take should not be installed (refer to sk116070).
02447851 Check Point Appliances Added support for 3100 and 5100 models.
02449825 Check Point Appliances Added support for 5900 model.
- Check Point Appliances
  • "VBAT3 Voltage" is shown as "Low" in Gaia Portal on the Hardware Health page on 3200 appliance.
  • Alert LED is red on 3200 appliance.
Refer to sk115575.
02463143 SecureXL If Bond or Bridge interfaces are configured on the Security Gateway, then the following cosmetic message is displayed on the screen during boot, or when executing the "cpstart" / "sim affinity" commands:
basename: missing operand
Try basename -help for more information.
Take 213 (05 Feb 2017)
On 21000 appliances with SAM card, this Take should not be installed (refer to sk116070).
02442459; 02443332; 02442078; 02443892 DLP, Threat Extraction R77.30 Security hotfix for DLP and Threat Extraction blades.
Refer to sk115596.
02448398 Threat Extraction
  • Added ability to block corrupted files that could not be emulated
  • Added ability to block access to original corrupted files that could not be emulated
Refer to sk115792.
Take 210 (25 Jan 2017)
Note: This take replaces Take 209 released on 25 Jan 2017
On 21000 appliances with SAM card, this Take should not be installed (refer to sk116070).
02419870 URL Filtering, HTTPS Inspection Access to HTTPS sites is intermittent - web site opens only after the user refreshes the page several times when URL Filtering blade and HTTPS Inspection are enabled.
Refer to sk115638.
02344419 Security Gateway Intermittent access to some web sites because in.ahttpd process constantly consumes CPU at 100% in certain scenarios.
Refer to sk106916.
02045637, 02389862 Security Gateway Proxy ARP table is not loaded when Bond interface changes MAC address during reboot.
Refer to sk111675.
01963489, 02388707 Security Gateway The Client Authentication in.ahclientd process crashes with core dump files.
02356285, 02419742 Security Gateway H.323 VoIP call drops after exactly one hour because Keep Alive "ACK" packets are not forwarded to the VoIP client.
Refer to sk113749.
01873031, 02387645 Security Gateway "Via" field in HTTP Request sent to a web server by Security Gateway in Non Transparent proxy mode contains incomplete HTTP version.
Refer to sk108900.
01709059 Security Gateway, Cluster, SecureXL "Error: bond_3ad_get_active_agg_info failed" in the output of "dmesg" command when using 802.3ad mode.
Refer to sk110344.
02368502, 02419738 SecureXL In rare cases, Security Gateway with enabled SecureXL crashes during policy installation when SAM card is not installed on 21000 appliance.
Refer to sk114153.
02399631, 02441021 Cluster "Try to update state to ACTIVE because member is down and state might should be changed" message in /var/log/messages file.
Refer to sk115228.
02079428, 02394915 Cluster, SecureXL ClusterXL in Load Sharing mode with SAM card installed may restart when an interface is administratively shut down (e.g., with 'ifconfig ethX down' command).
02434403 CoreXL
  • "BUG: soft lockup - CPU#X stuck for 10s! [fw_worker_Z:...]" appears repeatedly in /var/log/messages file

  • When VLAN interfaces are configured, the /var/log/messages file repeatedly shows:

    ;FW-1: _fwhamultik_set_mem: changing IF_UNIQUE(i) from X to Y(changed by [fwhaif.c:N]);
    ;FW-1: _fwhamultik_set_mem: changing IF_UNIQUE(ifn) from Y to X(changed by [fwhaif.c:M]);
Refer to sk116870.
02337475 Anti-Spam Fixed memory leak in the in.msd process.
02084934, 02344067 VSX "SmartView Monitor error has occurred (error code: 2147483647)" pop-up in SmartView Monitor GUI when viewing data from a VSX Gateway / VSX Cluster Member.
Refer to sk112154.
01931909, 02420752 VSX

If there are interfaces on VSX Gateway / VSX Cluster Members, whose name is longer than 11 characters, then the following occurs:

  • "Illegal routing gateway or interface retrieved from the VSX GW" error when creating a new VSX Gateway / VSX Cluster object.
  • Result of SNMP Query for OID .1.3.6.1.4.1.2620.1.6.6 (iso.org.dod.internet.private.enterprises.checkpoint.products.svn.routingTable) does not show those interfaces.
Refer to sk109815.
02341399, 02339540 Mobile Access Sign out from Mobile Access Portal does not run applications that were configured to run at SNX disconnection.
02421847; 02424129 Mobile Access Login page of Apache Guacamole web application is blank when published via Mobile Access using Path Translation.
Refer to sk134075.
02395361, 02414919 Mobile Access "Error:Request Time-out" message when trying to upload files larger than 5 MB via Outlook Web App (OWA).
Refer to sk114695.
02422452 Identity Awareness Configuring ADQuery with a non-administrator user without membership in "Server Operators" group.
Refer to sk104900.
This option will be fully available in future Takes.
Relevant note about it will be published.
02422440 Identity Awareness Decreased the timeout for WMI query (ADQuery) from 30 min to 5 min.
01817285, 02422448 Identity Awareness "Status: At least one DC is currently disconnected" when running "cpstat identityServer -f default" command on Identity Awareness Gateway.
Refer to sk107838.
02367904 Gaia OS Improved behavior of the routed daemon on cluster members:
OSPF Hello packets are now forced to be sent out even when the routed daemon is busy processing the LS Updates, SPF calculation or synchronizing OSPF routes to the other cluster member.
Refer to sk95968 and sk115117.
02441209 Gaia OS In rare cases, the confd process might trigger high CPU load on Check Point appliance (that has LOM card installed), if more than 512 "show asset lom-info" / "show asset all" commands were invoked.
Refer to sk115634.
02413967 Gaia OS In some configurations (where one of the Power Supply Units is not plugged to a power outlet), the following message might appear in /var/log/messages file:
xpand[PID]: [ERR] i2c_smbus_read_byte_data STATUS_WORD 0x2848.
Refer to sk112829.
02110490, 02110665 Gaia OS The routed daemon crashes in a rare scenario, if PIM is configured and the machine is rebooted when all network cables are disconnected.
Refer to sk112251.
02434509 VPN When IKEv2 is used in Site-to-Site VPN tunnel, the "IKE current SAs" value in the output of the "cpstat -f IKE vpn" command is larger than the actual number of IKE SAs in the kernel as seen in the output of the "fw tab -t ikev2_sas -s" command.
02436837 VPN VPN Central Gateway drops SIP RTP traffic between the SIP Call Manager and the phone behind VPN Satellite Gateway, where the SIP call was initiated.
Refer to sk111839.
02439917 VPN In certain scenarios, if the corresponding Certificate Revocation List (CRL) is very long, the vpnd daemon consumes the CPU at 90-100% for several minutes after policy installation.
Refer to sk109096.
01877490, 02429368 SmartEvent, SmartReporter
  • "Dev Mode: ON - Syntax error" in SmartEvent / SmartReporter reports when creating reports from SmartEvent Intro GUI client.
  • SmartEvent / SmartReporter reports are missing full pages.
Refer to sk108979.
Take 207 (08 Jan 2017)
02020740, 02023251 SecureXL In a rare scenario, Security Gateway with enabled SecureXL crashes during policy installation.
Refer to sk111411.
01952431, 02420157 VPN IKEv2 fails repeatedly with "Message::addPayload: Too many payloads" error in the debug of the vpnd daemon.
Refer to sk110156.
01933566, 02420155 VPN Improved stability of the vpnd daemon when handling Visitor Mode traffic.
01877586, 02420570 SmartReporter SmartReporter PDF reports are displayed in landscape view, and the tables are not displayed in proportion to the page layout.
Refer to sk104840.
02387947; 01835442 Security Gateway

Issues related to Suspicious Activity Module (SAM) rules:

  • SAM rules do not survive reboot, and therefore SAM policy is not enforced.
  • Policy installation after rebooting the Security Gateway fails in SmartDashboard with:
    Error Reason: Load on Module Failed - Failed to Load Security Policy
  • Fetching the policy on Security Gateway under debug shows:
    fw_sam_recover_state: failed to read XXX entries
  • Attempt to review the SAM kernel table fails:
    # fw tab -t sam_requests -s
    Cannot read the formats structure from localhost: No such file or directory
Refer to sk101368.
02364390 Mobile Access Check Point response to CVE-2016-2183 (Sweet32).
Added the fix for Mobile Access curl - for SSL connections from Mobile Access Gateway to internal servers.
Refer to sk113114.
02421829 Mobile Access Issue publishing a web application that uses WebSocket in Mobile Access.
01949612 Mobile Access When using Mobile Access blade, error occurs in web application as a result of an incorrect HTTP code from destination web server.
Refer to sk109040.
02418422 Check Point appliances Updated the "sysObjectID" for 3200 / 5000 / 15000 / 23000 / Sandblast Threat Emulation TE100X, TE250X, TE1000X, TE2000X appliances in the chkpnt.mib file.
Refer to sk90470.
Take 206 (26 Dec 2016)
02359254, 02412348 Security Gateway, Security Management Server, Multi-Domain Security Management Server In rare scenarios, the fwd process or fw_full process on Security Gateway consumes memory at high level and crashes with core dump file.
Refer to sk113736.
02329308, 02386581 Security Gateway In rare scenarios, Security Gateway crashes with kernel panic when connecting to web sites that prefer AES GCM (Galois Counter Mode) cipher.
Refer to sk113873.
02407215 URL Filtering, Application Control, HTTPS Inspection Some web sites do not load completely when connecting through Check Point Security Gateway configured as Proxy in Non-Transparent Mode.
Refer to sk114736.
02295419, 02397150 Mobile Access SSO Kerberos Authentication is not triggered in Mobile Access Web Application when 'SPNegoTokenRequested' header is being sent by the internal Web Server.
Refer to sk114555.
02334659 SecureXL Improved stability of SAM card.
02420705 Security Gateway "sip reason: Too many streams in SDP" drop log in SmartView Tracker when passing VoIP SIP SDP messages that exceed 4 streams.
Refer to sk93752.
02400714 vSEC Virtual Edition vSEC Virtual Edition (running on Linux KVM) might hang during its boot under heavy traffic load.
02390872 vSEC Virtual Edition vSEC Virtual Edition (running on Linux KVM) exhibits low network performance when working with Virtio network configuration (issues with virtio_net driver).
02397378 vSEC Virtual Edition vSEC Virtual Edition (running on Linux KVM) is not able to configure SecureXL SIM Affinity for Virtio interfaces.
02404454 vSEC Virtual Edition vSEC Virtual Edition does not support SR-IOV for following Intel network adapters: 82599, x540, x550 (issues with ixgbevf driver).
02402663 SmartReporter, SmartEvent The 'evs_backup' command sometimes fails with "Failed to start postgres service" due to long database startup duration.
Refer to sk104839.
Take 205 (15 Dec 2016) - General Availability Take
02390116 Check Point Appliances

/var/log/messages file might show the following on 23500 appliance:
xpand[PID]: [ERR] i2c_smbus_read_block_data failed <X>

SNMP Trap for Power Failure / PSU Failure might be sent at the same time.
02413912 HTTPS Inspection The wstlsd daemon might crash.
02405257 Threat Extraction "An error has occurred while extracting file" message in Threat Extraction log when processing an attached image file.
Refer to sk115107.
02357493 Security Gateway, Threat Emulation Firewall-1 information is not restored from a Gaia OS backup file when Threat Emulation is enabled.
Refer to sk113594.
Take 198 (23 Nov 2016)
- Check Point Appliances Support for the new improved R77.30 Gaia image (released 16 Dec 2016) for 3200 / 5000 / 15000 / 23000 / TE100X / TE250X / TE1000X / TE2000X appliances.
- Threat Extraction Threat Extraction image cleaning and other enhancements hotfix.
Stability and quality fixes resolving issues, as well as new features on Threat Extraction products.
Refer to sk114613.
02005542 Threat Extraction Ability to add support for new file types in Threat Extraction.
Refer to sk112240.
02387864 All Check Point response to CVE-2016-5195 (Dirty Cow).
Refer to sk114161.
02297576 SmartLog

Issues with SmartLog GUI in Multi-Domain environment with multiple Domain Log Servers:

  • "Server is disconnected!" message for connected clients
  • SmartLog GUI fails to open; sometimes, it loads to 35%, and then displays a message that SmartLog is unreachable

Running the smartlogstop;smartlogstart commands resolves the issue only temporarily.

01984127, 01984392 SmartLog SmartLog GUI of Global SmartLog does not sort the logs by time when running a query.
Refer to sk112826.
01935060, 01936585 SmartLog In some records, the Origin field in SmartLog is displayed with 0.0.0.x format.
Refer to sk109820.
01910154, 02386501 SmartLog The smartlog process crashes occasionally on R77.30 Log Server that runs SmartLog.
Refer to sk114417.
01725423, 01725724 SmartLog SmartLog GUI freezes occasionally, and it is not possible to log in to SmartLog GUI again.
Refer to sk107153.
01710875, 01711097 SmartLog After upgrade to R77.30, SmartLog becomes non-responsive.
The "smartlog_server" process consumes CPU at 100%.
Refer to sk106782.
01702895, 01703025 SmartLog, Multi-Domain Security Management Server Global SmartLog R77.30 does not show logs from remote Multi-Domain Server.
Refer to sk106600.
01864909, 01865057 SmartLog, Multi-Domain Security Management Server "User" column in Global SmartLog GUI shows asterisks "******" instead of "User@Domain".
Refer to sk108771.
02387363 Mobile Access Mobile Access Web Form SSO login fails if the password contains special characters (e.g., exclamation sign "!", asterisk "*", plus "+", minus "-", etc.).
Refer to sk114458.
01982715, 02385180 Mobile Access, VSX SNX packages are not updated on VSX Gateway in the contexts of Virtual Systems during the installation of R77.30 Jumbo Hotfix Accumulator.
Refer to sk114624.
01939363 SecureXL "sim dropcfg -l" command incorrectly shows "Enforced on external interfaces only".
Refer to sk109960.
02358210, 02364750 Cluster VRRP Backup member on Gaia OS sends BGP traffic to BGP peers.
Refer to sk114265.
02079535 Cluster Dynamic Routing routes are not synchronized during Connectivity Upgrade (CU), which causes outage during the CU fail-over.
Refer to sk107042 - section "(3) Upgrade paths with Dynamic Routing synchronization".
01961260, 02381185 Cluster, CoreXL Traffic between ClusterXL members is dropped randomly.
Refer to sk110312.
02367867, 02369381 Cluster, Gaia OS Improved stability of the routed daemon on Standby cluster member.
02367871, 02369379 Cluster, Gaia OS Improved behavior of the routed daemon on cluster members:
Wait at least 15 seconds after the routes are synchronized between cluster members to bring the Critical Device "routed" back to the "up" state.
This gives the routed daemon enough time to run the SPF calculation and push OSPF routes down to the kernel.
01995709, 01996404 CoreXL The "fw -i <id> ctl pstat" command shows "memory used: 0%".
Refer to sk110881.
01852502, 02388218 CoreXL Session Authentication fails for all connections when CoreXL is enabled on Security Gateway.
Refer to sk109838.
02361143 Appliances Multi-Queue does not work on 3200 / 5000 / 15000 / 23000 appliances when it is enabled for on-board interfaces.
Refer to sk114625.
02333130; 02382905 VPN Traffic over VPN tunnel does not pass for several seconds during policy installation on Security Gateway (which causes traffic loss).
Refer to sk55244.
Take 189 (07 Nov 2016)
01961629, 01965728 Gaia OS All OSPF routes are lost after configuring "Add redistribution from Aggregate" in Gaia Portal.
Refer to sk110337.
02355536 Gaia OS
  • mail daemon writes its logs to the /var/log/messages file although the "mail.none" directive was added to the /etc/syslog.conf file.
  • cron daemon writes its logs to the /var/log/messages file although the "cron.none" directive was added to the /etc/syslog.conf file.
02325549 VPN When using AES-128 with SHA256, negotiation succeeds, but VPN tunnel fails.
Refer to sk111132.
02364953 VPN Site-to-Site VPN with 3rd party DAIP Gateway fails with "no proposal chosen" error.
Refer to sk114834 (Scenario 1).
02008783, 02351118 Cluster Cluster member with highest priority is not able to become new Active after changing the Members' Priorities.
Refer to sk110999.
02351092 Cluster Only lowest VLAN is monitored on Bond interface, instead of lowest and highest.
Refer to sk106776.
02273695, 02366138 SecureXL Improved stability of SAM card when processing the handled notification for a connection that was created from a template in SAM card.
02366189 SecureXL DHCP Relay / DHCP Server stops working on ClusterXL with enabled VMAC mode after installing Takes 128, 138, 143, 145 of R77.30 Jumbo Hotfix Accumulator.
Refer to sk111588.
02057286, 02366103 SecureXL, Cluster Cluster member might crash when processing a NAT connection, if SecureXL is not enabled on all cluster members.
Refer to sk111888.
01916191, 01932799 Identity Awareness If an access role is set to have identified machines, it will sometimes disappear from sessions (refer to the output of "pdp m a" command) that have user and machine sessions. As a result, users can lose access to resources.
Issue is most likely to occur when using access role with identified machines in policy and working with sessions with both user and machine.
02350625, 01941785 Threat Emulation SmartView Tracker / SmartLog does not show all e-mail recipients when an e-mail is received through the Mail Transfer Agent (MTA).
Refer to sk114416.
02380610 Threat Emulation Fixed Mail Transfer Agent (MTA) protection bypass.
Refer to sk114664.
02366239 Application Control Memory leak on loaded Security Gateway with UserCheck rules in the policy.
Refer to sk110362.
02370708 SmartEvent "ERROR: duplicate key value violates unique constraint "seam_event_XXX_pkey"" in $RTDIR/log/cpsemd.elg file.
Refer to sk105185.
02135303, 02364625 Multi-Domain Security Management Server Global Policy assign fails with "There is already local object with the name: <Name> among the Domain Management Server's objects" error.
Refer to sk112342.
Take 185 (20 Oct 2016) - General Availability Take
02332164, 02350096 Data Center Security Appliances Hardware Sensors on 15000 and 23000 appliances show zero (0) values after completing the Gaia OS First Time Configuration Wizard.
Refer to sk112829.
01960960, 02342230 Security Management Server, Multi-Domain Security Management Server The fwm process crashes after the size of $FWDIR/tmp/fwmtrace.log file reaches 2GB limit.
Refer to sk105579.
01820334, 02364974 Security Gateway Security Gateway might crash after running 'cpstop' command if MSS Adjustment (Clamping) for IPsec VPN traffic is enabled (fw_clamp_vpn_mss=1).
Refer to sk101219.
01912515, 02364959 SecureXL Connections are broken for short time after disabling SecureXL, or after installing a policy.
Refer to sk109468.
Take 184 (13 Oct 2016)
02366619 HTTPS Inspection Removed support of SHA384 and SHA512 hash algorithms (that was integrated in Take 172 as ID 02325804) that are used by some HTTPS sites to sign their certificates.
Refer to sk112672.
02352496 Check Point Appliances

Check Point Appliance might freeze and not reboot in the following scenario:

  1. Threat Emulation blade is enabled
  2. KVM is enabled
  3. Kernel crash / panic occurs (kdump or kdb)
02359428 VoIP VoIP data on non-encrypted connection is dropped with "Failed to initialize data connection paramters" log.
02339267 Gaia OS Some eBGP routes are advertised with the source IP address of BGP peer as the next-hop, instead of the next-hop configured in routemap.
Refer to sk112834.
02361295 Gaia OS Routes get stuck in the OSPF database even though they were deleted from Linux kernel
(issue might mostly occur for RIM routes not being removed when a VPN tunnel is dropped).
01996800, 02356078 Gaia OS The routed daemon might crash when working with PIM Sparse Mode.
02070300 Gaia OS "getaddrinfo: "::1" invalid host address" message appears repeatedly in the /var/log/messages file after enabling NTP while IPv6 is disabled.
01818839, 02336244 VPN Randomly, new VPN tunnels are not being established with the peers.
Randomly, traffic is not passing over multiple VPN tunnels.
Refer to sk113837.
02325549 VPN Security Gateway / Cluster member might crash / go into kernel panic during policy installation if using AES encryption and AES-NI is enabled.
02351733 VPN IPsec SAs are deleted when value of configuration parameter ike_keep_child_sa_interop_devices is set to "true".
Refer to sk105860 (Scenario 4).
02336379 Security Management Server, Multi-Domain Security Management Server User is not able to re-connect with any SmartConsole application to Security Management Server.
Refer to sk105860.
02340121 Security Management Server, Multi-Domain Security Management Server "Bridge uses two different VLAN tags for interfaces. This configuration cannot be used with Active-Active bridge mode" error when creating a Virtual System in Bridge mode.
Refer to sk107972.
01993128, 01994944 Security Management Server, Multi-Domain Security Management Server Users are deleted after installation of R77.30 Management Add-on.
Refer to sk110887.
02013718, 02015361 Security Management Server, Multi-Domain Security Management Server "Where used" does not show results while logged into Log Server with SmartDashboard.
Refer to sk111077.
02340062 Multi-Domain Security Management Server Global Policy assignment problem after failing IPS update.
Refer to sk110498.
02337143 Threat Emulation Improved Mail Transfer Agent (MTA) ability to insert a text-only disclaimer into e-mails that have no body.
01825619, 01962131 Security Gateway, Cluster, VSX Security Gateway / Virtual System might crash due to double record of a connection in Connections Table.
Refer to sk110476.
Take 178 (29 Sep 2016)
This specific Take package was recalled for additional testing.
Users who have already installed this specific Take should install either Take 184 or a hotfix from sk112672.
02349820 Threat Emulation Added support for SHA-256 based certificates for Threat Emulation Engine self-update.
Refer to sk113333 and sk103839.
Take 174 (22 Sep 2016)
This specific Take package was recalled for additional testing.
Users who have already installed this specific Take should install either Take 184 or a hotfix from sk112672.
02346611 HTTPS Inspection, Mobile Access, Mobile Access Portal, Identity Awareness Portal, ICA Portal, SmartManagement Portal, SecurePlatform WebUI Check Point response to CVE-2016-2183 (Sweet32).
Refer to sk113114.
02348603 Security Gateway Security Gateway might crash if a connection that was closed, but was not yet deleted from the Connections table is reused.
02331952, 02331960 Cluster "Warning! No active machines were found" message in /var/log/messages file on ClusterXL Load Sharing Unicast members.
Refer to sk105063.
01989782 Gaia OS Routes redistributed by Gaia OS to BGP peer are sent without BGP community value.
Refer to sk110563.
Take 172 (01 Sep 2016)
This specific Take package was recalled for additional testing.
Users who have already installed this specific Take should install either Take 184 or a hotfix from sk112672.
02325804 HTTPS Inspection Added support of SHA384 and SHA512 hash algorithms to resolve a failure accessing some HTTPS sites if the site's certificate is signed with SHA384 / SHA512 hash algorithm.
Important Note: This specific fix was reverted in Take 184. Refer to sk112672.
01817004, 02158447; 01891486, 02158426; 01817044, 02279342 IPS, URL Filtering, Application Control Security Gateway becomes unresponsive and memory consumption increases when HTTP traffic passes through.
Refer to sk109801.
02103280 Security Gateway Check Point Response to Logjam Vulnerability CVE-2015-4000.
Refer to sk106147.
02336294 Security Gateway The cpd process crashes on Security Gateway during Anti-Virus update, when both Primary and Secondary Management Servers are not accessible from the Security Gateway.
Refer to sk110684.
02049960 DLP, Threat Emulation Added ability to monitor the Postfix process by WatchDog.
Refer to sk111783.
02194784 Gaia OS

Improved handling of a scenario where VRRP cluster members are communicating with two OSPF neighbors advertising the same routes, where one OSPF neighbor has a lower metric than the other:

When the OSPF neighbor with lower metric goes down, OSPF routes are re-installed on the VRRP Master member with the new nexthop.
However, when the OSPF routes with the new nexthop are synchronized to the VRRP Backup member, instead of deleting the old nexthop and installing the new one, the VRRP Backup member just adds the new nexthop.
Output of Expert command "route -n" shows an OSPF route to a destination with two separate nexthops, which is incorrect.
Output of Clish command "show route" shows the correct single nexthop.
02054453 Gaia OS "Performance Optimization" page in Gaia Portal is either stuck at "Please wait a few moments while the data is loaded..." pop up, or freezes when applying changes to CoreXL or Multi-Queue configuration on 15000 / 23000 appliances.
Refer to sk112897.
02209721 CoreXL Although CoreXL Affinity was configured to assign only a specific process to certain CPU cores, some interfaces are still being assigned to those CPU cores.
Refer to sk110940.
02296180 CoreXL Session Authentication fails for all connections when CoreXL is enabled on Security Gateway.
Refer to sk109838.
01863108; 02220278 CoreXL, SecureXL After upgrading a Security Gateway with enabled CoreXL on machine with 2 CPU cores (i.e., each CPU runs a CoreXL FW instance and as SND) to R77.30, only CPU0 is handling IRQs, and CPU1 is not handling any IRQs - all interfaces are affined only to CPU0 (i.e., each CPU runs a CoreXL FW instance, but only one CPU runs as SND).
Refer to sk110422.
02290247 IPS When transferring a large file via FTP, fw_worker process consumes 100% CPU.
Refer to sk105411.
02334185 Application Control When Security Gateway configured as proxy, Skype is blocked by Application Control.
Refer to sk113124.
01669385 Threat Emulation, Anti-Spam Improved stability of in.emaild.mta process and mdq process.
02182146, 02327167 SecureXL Improved stability of SAM card.
02113430, 02327965 SecureXL Improved stability of SAM card when processing a mix of multicast and unicast traffic.
02162414, 02328150 SecureXL Improved stability of SAM card when processing multicast traffic.
02164796, 02328938 SecureXL Improved stability of SAM card when processing multicast traffic.
02171440, 02329106 SecureXL Improved stability of SAM card when processing multicast traffic.
02114009, 02328096 SecureXL Improved stability of SAM card when connections are deleted from the Connections Table.
02135463, 02329152 SecureXL Improved stability of SAM card when running the tcpdump utility.
02164746, 02329227 SecureXL Improved stability of SAM card under large amount of traffic.
02326054, 02326630 VPN The vpnd daemon might crash when running under debug (per sk89940) and SNX user connects and authenticates on Security Gateway.
02337360 VPN Improved Security Gateway stability.
01888621, 02221764 Cluster NAT rule installed on cluster does not hide the Source IP address behind the Cluster VIP address if the packet is sent to Cluster VIP address.
Refer to sk113163.
01971837, 02290543 Security Management Server, Multi-Domain Security Management Server "Gaia OS Best Practices" on the Compliance tab of SmartDashboard shows status "N/A" for clusters.
Refer to sk110474.
01940333, 02332728 VPN, Security Management Server, Multi-Domain Security Management Server "Warning: on gw 'Name_of_Security_Gateway', for the range (127.0.0.1, 127.0.0.1), peers were found in communities 'Name_of_Community_1' and 'Name_of_Community_2', peers from the second community will be ignored" during policy installation.
Refer to sk110562.
02257309 Multi-Domain Security Management Server SmartUpdate in MDS level shows different licensing information than SmartUpdate in Domain level.
Refer to sk98898.
Take 171 (25 Aug 2016)
- Mobile Access Stability enhancement for Windows 10 support.
Take 165 (08 Aug 2016)
- Enterprise Appliances Added support for 5000 appliances.
Refer to sk110053.
- Small and Medium Business Appliances Added support for 3200 appliances.
Refer to sk110052.
01951006, 02152601 Small and Medium Business Appliances, Enterprise Appliances "Factory" button on the front panel is now functioning on 3200 and 5200/5400/5600 appliances.
02158983; 02159087; 02159457 HTTPS Inspection Added support for ECDH p-384 elliptic curve (to resolve an issue with specific HTTPS sites that use ECDHE ciphers not being accessible when HTTPS Inspection is enabled).
Refer to sk110883.
02009223 SecureXL Improved performance on Security Gateway configured in Monitor Mode (Mirror Port mode) per sk101670.
Refer to sk112798.
01957968 Cluster Previously reachable BGP routes are still advertised to BGP peers on ClusterXL after the switch that connects these members goes down.
Take 164 (01 Aug 2016)
02173793 Mobile Access, VSX Mobile Access Portal on VSX Gateway is unresponsive with "HTTP 500" error after installing takes between Take_143 and Take_162 of R77.30 Jumbo Hotfix Accumulator because $CVPNDIR/template/phpincs/php-ews/ExchangeWebServices.php file is not copied to the contexts of Virtual Systems.
Refer to sk111677 (Scenario 2).
01712179 Security Gateway ISP Redundancy in Load Sharing mode is disabled when Non-Transparent Proxy is defined.
Refer to sk111678.
02167277 Application Control Improved stability.
Take 162 (20 July 2016)
02159332 Data Center Security Appliances Added support for 40 GbE fiber cards on 15000 / 23000 appliances.
Refer to sk112517.
02150866 Security Management Server, Multi-Domain Security Management Server The cpd daemon might crash when working in SmartProvisioning GUI with ROBO Gateways (e.g., when clicking on "Get Actual Settings").
02151317 Security Management Server, Multi-Domain Security Management Server "Communication has been aborted by the peer" error in SmartDashboard connected to Active Security Management Server / Domain Management Server in High Availability mode, after the state was changed from Active to Standby for the third time.
Issue occurs when the state is changed while the fwm processes run under debug (per sk86186/sk33207) on both Primary and Secondary Security Management Server / Domain Management Server.
02082365 Security Management Server, Multi-Domain Security Management Server Pushing VSX configuration fails with "Internal Error - Failed to commit changes in the OS".
Refer to sk103844.
02103175 Security Management Server, Multi-Domain Security Management Server Memory leak in the cpd daemon when thresholds are enabled with "threshold_config" command.
Refer to sk111880.
02103182 Security Management Server, Multi-Domain Security Management Server Memory leak in the cpd daemon (in licutil) causes the daemon to crash (due to exhaustion of available memory).
01911675, 02103172 Security Management Server, Multi-Domain Security Management Server Memory leak in the cpd daemon (in cpmon) causes the daemon to crash (due to exhaustion of available memory).
02098132 Security Management Server, Multi-Domain Security Management Server In Management HA environment, the fwm daemon might crash during an attempt to delete Security Gateway / Cluster object in SmartDashboard.
Refer to sk110748.
02151722 Multi-Domain Security Management Server The fwm daemon on MDS server might randomly crash during assignment of Global Policy.
02150810 Multi-Domain Security Management Server Assignment of Global Policy might fail randomly with "Failed to open connection with Domain Management Server or connection with Domain Management Server ended unexpectedly" error message.
02150773 Multi-Domain Security Management Server

Removal of Global Policy with IPS might fail with:

error: Failed to (delete) object (<UID>) from table (asm) in Domain Management Server database.
Error received: (Object References Deletion Failed - Failed to remove references of object <UID>)
error: Disconnected from Domain Management Server. Check Domain Management Server status. Operation failed.

in the following scenario:

  1. Domain Management Server is subscribed to Global Policy with IPS
  2. Compliance blade is enabled on Domain Management Server

Alternatively, removal of Global Policy with IPS might end successfully, but the global IPS profile is not removed.

02150871 Multi-Domain Security Management Server Assignment of Global Policy might freeze randomly because the fwm mds fwmconnect process hangs.
02150774 Multi-Domain Security Management Server Assignment of Global Policy might fail randomly, and core dump files for the fwm process are generated (with size of 2 GB) after running mdsstop ; mdsstart commands.
02071813 VPN IPSec instability with IKEv2.
Refer to sk112160.
01961523 VPN Traffic over VPN tunnel does not pass for several seconds during policy installation on Security Gateway (which causes traffic loss).
Refer to sk55244.
02151898; 01959895, 01987676 VSX Virtual Systems are "Down" after reboot of VSX Cluster Member.
Refer to sk110073.
02024874 Gaia OS Apache HTTP server daemon (httpd) crashes with core dump file during shutdown of Gaia OS.
Take 161 (14 July 2016)
02043721 Anti-Virus "cmi_execute_ex: cmik_loader_fw_context_match_cb(context_apps=1000 buf_len=14) failed;" message appears repeatedly in /var/log/messages file on Security Gateway.
02066100 Identity Awareness Machine sessions that are used by various users receive an incorrect large session timeout (TTL is set to one week from the discovery time).
02071227 Identity Awareness Identity Awareness Gateway might crash when running 'cpstop' command.
Refer to sk111315.
02077462 Mobile Access Kerberos Single Sign On (SSO using Kerberos) for Web Applications might fail from time to time.
02058573 Mobile Access Web Applications do not work as expected when accessing Mobile Access Portal with Web Form SSO enabled and the web page contains a form with encoded "+" sign (%2B).
02059445 Mobile Access Manual SSO does not work when the password contains special characters such as "%".
02029758 Threat Emulation "Maximum delay time" setting for Mail Transfer Agent is not applied if the defined value is greater than 15 minutes.
Refer to sk109893.
02039586 Multi-Domain Security Management Server Users and GUI clients are overwritten on Security Management Server during MDS synchronization when Domain Management Server and Security Management Server are configured in HA mode.
Refer to sk111175.
01904538, 02052848 HTTPS Inspection HTTPS Inspection Bypass rules that use Destination IP or Source IP stop working after enabling Probe Bypass.
Refer to sk111617.
01819431 SecureXL Improved handling of Bond Group IDs greater than 35 when creating bond interface of SAM card ports.
01959704; 02158515 Gaia OS Not able to configure routemap for each BGP peer on Gaia OS.
Refer to sk110477.
Take 159 (20 June 2016) - General Availability Take
- General Minor improvement in Jumbo Hotfix Accumulator package to support software updates to this Jumbo Hotfix Accumulator.
Take 158 (16 June 2016)
01621251; 02077494; 01621253 Cluster Gratuitous ARP Request packets (GARP) are not sent during cluster fail-over for IP addresses configured in the $FWDIR/conf/local.arp file (per sk30197), if those IP addresses and Cluster VIP address are on different subnets.
Refer to sk105645.
02042497; 01834487, 02006059 HTTPS Inspection

Probe Bypass is initiated on non-SSL connection.
Refer to sk108294.

Important Note: For this fix to work correctly, at least this Take_158 must be installed on both sides - on Security Management Server and Security Gateway.
Otherwise, HTTPS Inspection Probe Bypass feature will not work at all.
Take 156 (30 May 2016)
02051292 Gaia OS Gaia OS might crash when removing a Bond interface in Gaia Portal.
Refer to sk111673.
02021344 Gaia OS "CLINFR0412 Inconsistent ValFlag & MultiValue" message appears repeatedly in /var/log/messages file on Gaia OS.
Refer to sk111632.
02027698; 02027733; 02027775 Security Gateway HTTP/HTTPS connections that should be accepted on a rule with 'Domain Object', do not pass through the Security Gateway.
Refer to sk110687.
02029554 Mobile Access Version of ESOD Compliance Updates on Mobile Access Gateway does not change after successful update.
Refer to sk111627.
02051629 Mobile Access, VSX Mobile Access Portal on VSX Gateway is unresponsive with "HTTP 500" error after installing Takes 143, 145 of R77.30 Jumbo Hotfix Accumulator because $CVPNDIR/phpincs/php-ews/EWSType/*.php files are not copied to the contexts of Virtual Systems.
Refer to sk111677 (Scenario 1).
02042653 VPN The vpnd daemon crashes after installing R77.30 Jumbo Hotfix Accumulator over sk108192: R77.30 Recommended Hotfix #5.
Refer to sk111555.
02020823; 02020869 Threat Extraction "This notification page has expired" error in UserCheck page when a user tries to download the original file that was blocked by Threat Extraction.
Refer to sk106249.
02015157 Cluster Configuring PIM Sparse Mode with dynamic Rendezvous Point (RP) fails in cluster environment.
Refer to sk110939.
02045987 Cluster DHCP Relay stops working on ClusterXL with enabled VMAC mode after installing Takes 128, 138, 143, 145 of R77.30 Jumbo Hotfix Accumulator.
Refer to sk111588.
01680839, 02006901 Security Management Server, Multi-Domain Security Management Server Fixed Cross-Site Scripting (XSS) vulnerability in Management Portal.
Take 155 (26 May 2016)
This specific Take package was recalled for additional testing and was replaced by Take 156.
Take 145 (10 May 2016)
02010218 VPN, SecureXL Site-to-Site VPN using IKEv2 fails when SecureXL is enabled.
Refer to sk114834 (Scenario 5).
02022420 VPN The vpnd daemon might crash when processing CRL cache.
02017992 VPN VPN Central Gateway drops SIP RTP traffic between the SIP Call Manager and the VPN Satellite Gateway, where the SIP call was initiated.
Refer to sk111839.
01998381, 02022414 HTTPS Inspection The wstlsd daemon might crash.
02027270 Security Management Server, Multi-Domain Security Management Server Policy installation fails, and the fwm process crashes with core dump file when Security Gateway and Security Management Server run R77.30.
Refer to sk109616.
Take 143 (21 Apr 2016)
01979082 Security Management, SmartDomain Manager, Multi-Domain Management / Provider-1 Connectivity between SmartDashboard / SmartDomain Manager and Security Management / Multi-Domain Management Server R77.30 and below fails on fresh installation after January 24th 2018.
Refer to sk122612.
- 2012 Models Security Appliances, Data Center Security Appliances R77.30 NGTP, NGTX and HTTPS Inspection performance and memory consumption optimization.
Refer to sk109772.
02012973 Mobile Access, Endpoint Security On Demand Secure Workspace (SWS) The "User must use Check Point Secure Workspace" setting on Mobile Access Gateway is not enforced when a user running on Windows 10 signs on to the Mobile Access Portal.
Refer to sk111115.
01898695 Mobile Access, Cluster Push Notifications are not shown on handheld devices after failover in Mobile Access cluster.
Refer to sk109318.
01807600, 01807879 Mobile Access Accessing SSLVPN portal without providing certificate, results in unclear log in SmartView Tracker.
Refer to sk107812.
01989333 Mobile Access Capsule Workspace Push Notifications do not work on iOS 9.3 (or higher).
Refer to sk110623.
01982148, 01984883 Mobile Access No Push Notifications in Capsule Messages.
Refer to sk110215.
01832865, 01834664 Mobile Access Mobile Access fails to perform SSL handshake with web servers that use SHA-512 certificates.
Refer to sk108283.
02019281 Threat Emulation File download from some web sites over HTTP through Threat Emulation gateway times out.
Refer to sk111136.
02019094 Threat Emulation

Improved Threat Emulation performance in CoreXL by reducing the ratio of the dlpu processes per CoreXL FW instances:

  • from 1:2 = 1 dlpu process for each 2 CoreXL FW instances
  • to 1:4 = 1 dlpu process for each 4 CoreXL FW instances
02008306 Threat Emulation "File is pending emulation. Threat scan failed" log in SmartView Tracker / SmartLog.
Refer to sk106739 (Scenario 1 - "E-mail attachment is encoded in Base64 charset").
02013906 Application Control, URL Filtering When the "Categorize HTTPS Sites" option is enabled, accessing HTTP URLs can cause "Internal System Error" logs in SmartView Tracker and failure to open the web page.
01953147 Gaia OS In cluster with PIM Sparse Mode, multicast outgoing interfaces (refer to the output of "ip mroute" command) for some or all multicast groups are deleted and never restored by themselves after rebooting both cluster members at the same time.
01946518, 01953158 Gaia OS Security Gateway randomly stops forwarding the IGMP / PIM Sparse Mode multicast traffic - in PIM Sparse Mode, low amount of arriving multicast traffic causes the local multicast members to be pruned early.
Refer to sk106858.
01953146 Gaia OS Improved stability of the routed daemon when working with PIM Sparse Mode.
01956738, 01957576 Gaia OS Output of Clish command "show sysEnv all" / Expert mode command "dbget sysEnv:all" on Gaia OS is corrupted (text is not ordered).
Refer to sk110220.
01990563 Gaia OS RIM (Route Injection Module) routes are removed from Gaia OS routing table when running "ifdown <Name_of_Interface>" command in Expert mode. However, these RIM routes still appear when running "show route" command in Clish.
Refer to sk105527.
02004564 Gaia OS, Cluster The routed daemon on the active cluster with configured PIM might crash after a peer cluster member is rebooted.
02003221 Security Gateway The "X-Forward-For" (XFF) header is not stripped from web traffic when Security Gateway is configured as HTTP/HTTPS Proxy in Non Transparent mode.
Refer to sk111016.
02011289 Security Gateway, Security Management Server, Multi-Domain Security Management Server SNMP counters for "packets rate" / "throughput" show incorrect values - .1.3.6.1.4.1.2620.1.1.25.9 and .1.3.6.1.4.1.2620.1.1.25.16 - "fwDroppedBytesTotalRate" counter and "fwDroppedTotalRate" counter always show "0" value.
Refer to sk104882.
02002926 Security Management Server, Multi-Domain Security Management Server "Unexpected error" message pops up in the SmartDashboard when trying to connect to Primary Security Management Server after two failovers - from Primary Security Management Server to Secondary Security Management Server and back.
Refer to sk107176.
01972280 Security Management Server, Multi-Domain Security Management Server Topology in SmartDashboard for interfaces named "Internal" and "External" (e.g., on UTM-1, Power-1, DLP-1 appliances) is always set based on their names.
Refer to sk111017.
01834487, 02006059 HTTPS Inspection Probe Bypass is initiated on non-SSL connection.
Refer to sk108294.
02003519, 02019844 HTTPS Inspection, CoreXL

Improved SSL handshake performance in CoreXL by reducing the ratio of the wstlsd processes per CoreXL FW instances to be either:

  • 1:4 = 1 wstlsd process for each 4 CoreXL FW instances
  • 1:2 = 1 wstlsd process for each 2 CoreXL FW instances
  • any other ratio

Default is:

  • 1:1 - if SMT (HyperThreading) is disabled (sk93000)
  • 1:2 - if SMT (HyperThreading) is enabled (sk93000)
01926907, 02005808 CoreXL "Dynamic Hide NAT" feature reuses NAT ports too quickly.
Refer to sk103656.
02012536, 02013035 CoreXL Traffic outage on ClusterXL after enabling both CoreXL Dynamic Dispatcher (sk105261) and SecureXL NAT Templates (sk71200).
Refer to sk111015.
01925621, 01946714 SecureXL Non-tagged packets are sent out VLAN over SAM card bond in PXL path.
01980215, 01961276 DLP "Your emails are about to expire" notifications from DLP. However, there are no e-mails in the DLP portal.
Refer to sk110314.
Take 138 (14 Apr 2016)
This specific Take package was recalled for additional testing.
Take 135 (07 Apr 2016)
This specific Take was recalled for additional testing.
Take 128 (31 Mar 2016)
01685521; 01713626; 01724275; 01782998; 01814720; 01820258; 01821776; 01834453; 01852560 Threat Extraction, Threat Emulation Integrated SandBlast Parallel Extraction Hotfix.
Refer to sk108074.
01978917 Threat Extraction Increased the size of files that can be scanned by Threat Extraction Extension to 15MB.
01915777, 01936336 Mobile Access Kerberos is not supported as SSO method for registration to Exchange Server for Mobile Access Push Notifications.
Refer to sk110629.
01892929 Mobile Access Mobile Access Portal does not work after uninstalling Jumbo Hotfix Accumulator from Mobile Access gateway.
Workaround: After uninstall, run: # $CVPNDIR/scripts/cvpn_post_utility.csh
01811956 Mobile Access, Endpoint Security On Demand (ESOD) Compliance Scanner Added support for Windows 10 in:
  • Endpoint Security On Demand (ESOD) Compliance Scanner
Refer to sk107132.
01958625, 01959114 Mobile Access, SSL Network Extender After one SNX user disconnects, all other connected users are disconnected. Mobile Access gateway becomes non responsive.
Refer to sk110316.
01978856 Mobile Access, SSL Network Extender

SNX user is unable to connect to resources via Proxy server with authentication:

  • Example topology:
    (SNX user)--(Proxy)--(Mobile Access Gateway)--(SNX resource).
  • The expected flow:
    Log in to the SNX portal -> connect to SNX -> provide credentials for Proxy authentication -> open connection.
  • The observed flow:
    Log in to the SNX portal -> connect to SNX -> web browser shows "HTTP error 407".
01726719, 01971151 Cluster Gaia VRRP member freezes when deleting a VLAN interface previously associated with VRRP.
Refer to sk106226.
01975771 SmartEvent SmartEvent R77.20 / R77.30 stops showing new events occasionally due to failure to get the valid license.
Refer to sk110016.
01974185; 01974187 Security Gateway

Due to wrong handling of some kernel tables:

  • Connectivity issue without any relevant logs in SmartView Tracker.
  • Policy installation fails with "Load on Module failed".
Refer to sk109797.
01980269 HTTPS Inspection HTTPS traffic is not routed according to Policy Based Routing (PBR) when HTTPS Inspection is enabled.
Refer to sk110690.
01947356, 01976641 IPS Global IPS Exception for protection "Any" does not work for e-mail traffic when using IPS with Anti-Virus or another blade.
Refer to sk110023.
01964380 VSX The fwk process might crash "with signal 7, Bus error" when H323 traffic passes through CPAS on Virtual System.
01974230 DLP "Quarantined email is about to expire" notifications from Data Loss Prevention blade are not sent to some e-mail accounts.
Refer to sk109015.
01979887 Gaia OS The routed daemon crashes after receiving an OSPF LSA packet that contains invalid netmask.
Refer to sk104519.
01915798 SecureXL Output of "fwaccel stat" command shows:
Accelerator Status : off by Firewall (too many general errors (NUMBER) (caller: Name_of_Function)).
Refer to sk100467 (Scenario 3 - "UDP traffic causes too many general errors").
01916631 SecureXL, Cluster Traffic sent to IP addresses X.X.X.255 (last octet is "255", but is not a broadcast address on this network) is dropped by ClusterXL in Load Sharing Unicast mode with "cluster error".
Refer to sk107853.
Take 117 (10 Mar 2016)
01960407, 01961587 Mobile Access Added "cvpnd_admin debug trunc" command that moves all existing content of the current $CVPNDIR/log/cvpnd.elg file into a new file and empties the current $CVPNDIR/log/cvpnd.elg file (to be used when the current $CVPNDIR/log/cvpnd.elg file becomes corrupted - filled with NULL characters).
01960012 Mobile Access, SSL Network Extender When user connects to Mobile Access Portal with RADIUS challenge and starts SNX, re-authentication before end of session does not restart counter.
Refer to sk110175.
01898695 Mobile Access, Cluster Push Notifications are not shown on handheld devices after failover in Mobile Access cluster.
Refer to sk109318.
01927612 Security Gateway Security Gateway now drops and logs TCP SYN packets that contain data (even if CPAS / PSL is not used).
01955875 Security Gateway, Security Management Server, Multi-Domain Security Management Server SNMP counters for "packets rate" / "throughput" show incorrect values - .1.3.6.1.4.1.2620.1.1.25.9 and .1.3.6.1.4.1.2620.1.1.25.16 - "fwDroppedBytesTotalRate" counter and "fwDroppedTotalRate" counter always show "0" value.
Refer to sk104882.
01846456, 01960991 Security Management Server, Multi-Domain Security Management Server Manual NAT policy verification passes while it should fail.
Refer to sk108389.
01281728, 01866926 HTTPS Inspection Unable to access some HTTPS sites after enabling HTTPS Inspection "Probe Bypass" mechanism.
Refer to sk107744.
01959400 VPN

IPv6 routing issue in Star community when VPN Routing is set to "To center, or through the center to other satellites, to internet and other VPN targets" (VPN Community properties - "Advanced Settings" - "VPN Routing"):

  • If IPv6 is enabled on the Center Gateway, then all IPv6 traffic will be sent through the Center Gateway
  • If IPv6 is disabled on the Center Gateway, then IPv6 traffic between internal networks will be dropped by the Center Gateway with "Clear text packet should be encrypted"
01947521 IPS "Countries DB download has failed" logs in SmartView Tracker even when Geo Protection is set to "Inactive".
Refer to sk106294.
01973174 URL Filtering Some HTTPS web sites are not categorized correctly when "Categorize HTTPS sites" is enabled.
Refer to sk110475.
01959509 URL Filtering, Application Control Random issues with HTTP web browsing - traffic latency increases, and at some point web browsing stops working.
Refer to sk64162.
01948312 Anti-Virus HTTP 206 "Partial Content" error in SmartView Tracker.
Refer to sk106446.
01938571, 01967411; 01938659, 01967415; 01938796, 01967423 QoS QoS (Floodgate) policy install randomly causes Security Gateway to crash and reboot.
Refer to sk109840.
01915918, 01961123 Threat Emulation The download of files that are being emulated on "Hold" times out even though the Threat Emulation ends successfully.
Refer to sk110479.
01963649 Cluster, CoreXL Hide NAT port exhaustion on Standby cluster member in ClusterXL HA mode.
Refer to sk98828.
01972270 Gaia OS "admin" user's password expiry is affected when password-policy is enabled on Gaia OS.
Refer to sk106160.
01972282 Gaia OS The snmpd daemon crashes.
01962335 Gaia OS Removed "[getTACProles(...)]: RBA role not found for admin!generated" message from /var/log/messages file that appeared (since Take_95) after each authentication to Clish with Local / RADIUS user.
01948282; 01948283 Gaia OS 'clish' and 'confd' processes consume CPU at high level after SSH session for non-local TACACS user has been expired/killed.
Refer to sk104579.
01965115 Gaia OS snmpd process might crash with core dump file (due to Segmentation fault) when it exits.
01936069 Gaia OS "Wrong IP Please try again" error in LCD (go to "Network" - go to "Set MGMT interface") when changing the IP address of management interface on Check Point appliances that run takes from Take_95 to Take_111.
Refer to sk106447.
01937716, 01937817 Gaia OS Backup restore includes the original MAC addresses of the machine.
Refer to sk109934.
01963688 Gaia OS SNMP query for OID .1.3.6.1.4.1.2620.1.6.16.3 (.iso.org.dod.internet.private.enterprises.checkpoint.products.svn.svnApplianceInfo.svnApplianceSerialNumber.0) returns "umber: <Serial_Number>".
01719131, 01957088 SecureXL Security Gateway might crash when disabling and re-enabling SecureXL.
Refer to sk106934.
Take 111 (23 Feb 2016)
- Gaia OS Resolved error when installing Take_105 using CPUSE:
Detected inconsistent files for installing this package.
In order to successfully install the package, refer to sk97699.
- Data Center Security Appliances Added support for 15000 and 23000 appliances.
Refer to sk107516.
Take 105 (11 Feb 2016)
Important Note: Installation of this specific Take is supported only using Legacy CLI.
01944440 Cluster Occasionally, SCCP (Skinny) VoIP phones unregister from Call Manager during cluster failover.
Refer to sk110025.
01932329, 01940409 Mobile Access "Error: Page cannot be displayed. An error occurred while processing the request" in web browser after entering the credentials in Mobile Access Portal.
Refer to sk110072.
01890990, 01946973 VSX Virtual Systems are in "Unknown" state after reboot of VSX Cluster Member.
Refer to sk110074.
01896617 Threat Emulation E-mail client receives timeout error, e-mails do not reach their destinations, and SmartView Tracker shows duplicated Threat Emulation logs from a cluster.
Refer to sk109198.
01879709, 01937995 SmartView Monitor The rtmd process crashes due to memory corruption.
Take 102 (08 Feb 2016)
Important Note: Installation of this specific Take is supported only using Legacy CLI.
01872488, 01916408 Gaia OS The routed daemon might crash on VSX Gateway when Traces (debug) are enabled.
01940689, 01944426 Gaia OS Cannot change OSPF settings in Gaia Portal using Internet Explorer (IE) browser.
Refer to sk109946.
01916400 Gaia OS The routed daemon might crash when BGP is configured on Gaia OS.
Refer to sk105698.
01702790, 01935921 Gaia OS "libdb set: missing or invalid argument" error in Gaia Portal when creating snapshot.
Refer to sk106646.
01928277 SecureXL Check Point 21000 series appliance with SAM card incorrectly forwards connections to 21000 appliance.
Note: This fix is an additional improvement of 01850540 integrated into Take_75.
Refer to sk108589.
01900767 SecureXL Improved detecting and reporting of hardware errors in SAM card.
01906737 SecureXL SAM card statistics were unavailable for 3600 sec after reboot.
01818639 SecureXL TCP packets are not dropped as Out-of-State when SecureXL is enabled.
Refer to sk104557.
01886179, 01873994 HTTPS Inspection, CoreXL Difficulties in connecting to untrusted sites when both HTTPS Inspection and CoreXL Dynamic Dispatcher are enabled.
Refer to sk108894.
01939568 SmartView Monitor "Use only external interfaces" option shows wrong traffic rate in SmartView Monitor.
Refer to sk107353.
01938186 VPN The vpnd daemon might crash if IKE packets arrive fragmented.
01821434 Mobile Access User is able to access Mobile Access Portal even if Secure Workspace is forced, but fails to load.
Refer to sk107603.
01939446 Anti-Virus, Anti-Bot Security Gateway with enabled Anti-Virus blade / Anti-Bot blade and Log Suppression might crash during cpstop.
Take 101 (28 Jan 2016)
01921776 Security Gateway, VSX Security Gateway / VSX FWK daemon might crash if Hide NAT is configured on Network object(s).
01697910 Gaia OS The snmpd daemon consumes CPU at 90-100% when polling OID raIkeOverTCP (1.3.6.1.4.1.2620.500.9000.1.22) while Endpoint Security Client is connected.
Workaround: Restart SNMP Agent either in Gaia Portal ('System Management' section - 'SNMP' page), or in Gaia Clish ('set snmp agent off' and 'set snmp agent on' commands).
01917104; 01917106; 01917110 Gaia OS Improved support of allowed ASCII characters for passwords on Gaia OS.
Refer to sk109148.
01931796 Gaia OS Added support for charset ISO-8859-8-I (Hebrew, logical order).
01878129 Gaia OS "Out of normal bound" error for PWRS_FAN and VTT seen in SmartView Monitor.
Refer to sk107855.
01584565 Gaia OS The snmpd daemon crashes due to SIGXFSZ signal.
01584749 Gaia OS, Cluster Clish crashes with Segmentation fault after running any 'show cloning-group ...' Clish command on cluster members.
Refer to sk104885.
01929775 Security Gateway, Security Management Server Removing ECDHE from CURL cipher proposal list.
01932161 Application Control, URL Filtering RAD daemon might incorrectly parse its configuration, which causes it to assume that proxy is configured. This leads to categorization failures.
01931123 Threat Emulation SmartView Tracker displays e-mail subject as ISO string if it is not written in English.
Refer to sk105164 (Scenario 4).
01917419 Application Control, URL Filtering, Anti-Bot, Anti-Virus RAD daemon might shut down due to SIGPIPE signal, which causes functionality issues with various Software Blades that rely on this daemon.
01921779 SecureXL Connections are dropped as Out-of-State after some idle time when SecureXL is enabled.
Refer to sk101232.
01901962 SecureXL Now it is possible to configure IP address of loopback interface as source address in NetFlow.
01929294 Security Gateway, Security Management Server Standby Cluster member fails to fetch policy from Active member during cpstart.
Refer to sk109393.
01925676 Security Management Server, Multi-Domain Security Management Server SmartView Monitor "Interface table" shows only one configured cluster interface on IPSO-based cluster members.
Refer to sk109143.
01622993 Security Management Server, Multi-Domain Security Management Server

Objects and policies are not restored from Gaia Backup (SmartDashboard shows only default objects), although the restore operation succeeded.

Code was improved:
  • Matching of Backed-up products and Local installed products made stricter.
  • Improved validation for Threat Emulation blade being enabled.
  • Improved validation for VSX mode being enabled (resolves false positives).
Refer to sk105641.
Take 99 (20 Jan 2016)
01642962, 01885055 SecureXL Packets are not routed correctly when PBR is configured and SecureXL is enabled.
Refer to sk109741.
01892651 SecureXL Traffic is dropped by IPS protection "TCP Segment Limit Enforcement" due to attack "TCP segment out of maximum allowed sequence" when SecureXL is enabled and traffic passes through Medium Path.
Refer to sk66576.
Take 98 (17 Jan 2016)
01910745 Security Gateway When running fw monitor command, it returns "cp: cannot stat '/opt/CPsuite-R77/fw1/conf/updates.def': No such file or directory" error.
01914959 Gaia OS Monitoring of the routed daemon is now disabled completely:
  • In Gaia Portal - the following checkbox was removed:
    In the tree view, go to Advanced Routing section - click on Routing Options page - in the Advanced Routing Options area - the box PNOTE Reporting
  • In Gaia Clish - the following commands were removed:
    set router-options pnote-reporting ...
Refer to sk108069.
01844422 Gaia OS, SecureXL Gaia OS on Check Point 21000 series appliance with SAM card becomes unresponsive when trying to delete a VLAN interface after passing multicast traffic through that VLAN interface.
Refer to sk115420.
01844424, 01880511 SecureXL NAT is not applied by Security Gateway to multicast packets in the following scenario:
  • SecureXL is enabled on Security Gateway
  • NAT is configured for multicast sender as "Hide behind Gateway"
As a result, the multicast receiver host "sees" the original IP address of the multicast sender.
01844428, 01882993 SecureXL SecureXL incorrectly drops multicast control packets (such as 224.0.0.252 - RFC 4795 LLMNR) when Security Gateway / VSX Virtual System runs in Bridge mode.
01907475, 01912368 Application Control, URL Filtering Users occasionally are not able to access HTTPS sites when "Categorize HTTPS sites" option is enabled.
Refer to sk109581.
01917498 URL Filtering Connection fails with the following URL Filtering log in SmartView Tracker: "Internal System Error occurred, allowing / blocking request (as configured in engine settings). See sk64162 for more information".
Refer to sk103859.
01896185, 01899771 Mobile Access Disabling the Floating Navigation Bar (FNB) via GuiDBedit Tool does not disable the FNB in the Web Application.
Refer to sk109254.
01907197 LTE GTP-C traffic that is matched on IP/UDP part of a rule and mismatched on the GTP part of the rule (for example IMSI prefix filter on GTP service) is dropped. As a result, multiple GTP-C services that include GTP service filters cannot be used for the same IP/UDP networks (e.g., mobile carrier core network provides roaming services for multiple MNO subscribers, each of which has different PLMN ID prefix in IMSI, and carrier wants to filter outbound roaming to its network to those multiple IMSI prefixes) - the relevant rule either accepts the packet, or drops the packet when first service is matched.
01907262 LTE "Handover Group" field is not shown in SmartView Tracker logs for GTP-C traffic.
Take 95 (04 Jan 2016)
01883475 General MiniWrapper installation is aborted with "This installation is not suitable for gateways only" error when there are more than 50 installed packages (of any type) on the machine.
01879869, 01822961, 01882245 Gaia OS Security Gateway / Cluster randomly stops forwarding the IGMP traffic - multicast traffic times out and does not resume.
Refer to sk106858.
01879870 Gaia OS

PIM neighbor refresh is slow on Check Point Security Gateway / Cluster after neighbor PIM router failover:

  • After failover of neighboring PIM router (after disconnecting a router link), multicast traffic is recovered after 6 seconds.
  • After failback of neighboring PIM router (after reconnecting a router link), multicast traffic is recovered after 10-15 seconds.
Refer to sk107595.
01887289 Gaia OS Deleting an IP address from the Management interface without adding a new IP address is now blocked.
Refer to sk106447.
01576432 Gaia OS Gaia Clish crashes when running show configuration ... commands if the /web/cgi-bin/validate.tcl file does not exist.
Refer to sk104647.
01697615; 01614716 Gaia OS
  • When TACACS+ non-local user runs clish -c "some_clish_syntax" command from Expert mode (e.g., clish -c "show interface eth0"), the following errors appear:

    [Expert@HostName:0]# clish -c "some_clish_syntax"
    CLINFR0829  Unable to get user permissions.
    CLINFR0599  Failed to build ACLs.
    
  • When TACACS+ non-local user runs clish -c "some_clish_syntax" command from Expert mode (e.g., clish -c "show interface eth0") on VSX Gateway, the following error appears:

    [Expert@HostName:0]# clish -c "some_clish_syntax"
    CLINFR0220  User is not allowed to access any virtual-system.
    
Refer to sk105322.
01822237 Gaia OS DHCP Relay and DHCP Server do not function when configured together on the same Gaia OS.
  • Between DHCP Relay (routed) process and DHCP Server (dhcpd) process, the last process to start up will receive all the UDP unicast traffic. The first process sees no unicast traffic.
  • Both DHCP Relay (routed) process and DHCP Server (dhcpd) process will see UDP broadcasts.
  • If DHCP Server (dhcpd) process starts first, then this joint configuration will work, because dhcpd process only cares about UDP broadcasts.
    If DHCP Relay (routed) process starts first, then this joint configuration would fail to work, because the replies from DHCP Server that should be relayed are UDP unicasts.
Refer to sk98839.
01799658 Gaia OS Backup Schedule Name and Backup Type changed after joining Gaia Cloning Group.
Refer to sk107495.
01884462, 01783081 Gaia OS, Security Gateway, Cluster Security Gateway / Cluster member on Gaia OS with configured Dynamic Routing and ECMP might freeze in the following scenarios:
  • After adding a new VPN Tunnel Interface "vpnt"
  • After disconnecting all cables from Bond interface on the VSX Virtual Router (reconnecting the cables does not help)
  • After administratively bringing the VSX cluster member "down" with "clusterXL_admin down" command
Refer to sk107418.
01884966 Cluster, CoreXL R77.30 cluster member might go Down after disabling CoreXL Dynamic Dispatcher only on one member.
Refer to sk108856.
01869737 Cluster, SecureXL "First packet isn't SYN" drop logs in SmartView Tracker for TCP traffic from ClusterXL in Load Sharing Unicast mode with enabled SecureXL.
Refer to sk107618.
01878266, 01848272, 01880216, 01855069 Cluster Cluster "Interface table" is empty in SmartView Monitor and in output of "cpstat -f all ha" command.
Refer to sk108546.
01883357 Security Gateway in.ahttpd process crashes repeatedly with core dump files on Security Gateway with HTTP/HTTPS User Authentication rules.
Refer to sk103974.
01852286, 01852966 Mobile Access Occasionally Mobile Access gateway becomes non-responsive after enabling Push Notifications.
Refer to sk108532.
01898695 Mobile Access Push Notifications are not shown on handheld devices after failover in Mobile Access cluster.
Refer to sk109318.
01907717, 01909788 Mobile Access Custom logo can no longer be applied / seen in SSL VPN portal after installing hotfix for issue ID 01732329 (since Take 49).
Refer to sk107454.
01811956 Mobile Access, Endpoint Security On Demand Secure Workspace (SWS) Added support for Windows 10 in:
  • Endpoint Security On Demand Secure Workspace (SWS)
Refer to sk107132.
01846041, 01897357; 01861402, 01897362 SecureXL, Cluster SecureXL on Standby cluster member drops traffic with "Address spoofing" log.
Refer to sk108502.
01893950, 01893952, 01908788 SecureXL When NAT is configured on the network/host where SecureXL is enabled, not all entries in SecureXL Connections Table (run 'fwaccel conns' command) are deleted after the "UDP virtual session timeout" when traffic is stopped.
01906167 SecureXL Check Point 21000 series appliance with SAM card might crash during frequent policy installations, or during failover and failback in cluster environment (due to disabling and enabling of watchdog monitoring in SAM card).
Refer to sk108643.
01870140 VPN "Accept all encrypted traffic" option does not work on VSX clusters.
Refer to sk105344.
01879422 VPN The vpnd daemon might crash when connecting more than ~1024 SNX Application Mode clients to Mobile Access gateway.
01691222, 01904577 VPN Not possible to establish Site-to-Site VPN tunnel with Large Scale VPN (LSV) peer, which is a DAIP device.
Refer to sk109473.
01894511 Threat Emulation Ability to change the default size of the /var/log/maillog file when using Mail Transfer Agent (MTA).
Refer to sk93505.
01664717, 01891039 Threat Emulation Files are emulated even though their MD5 is added as 'Exception' to Threat Prevention policy.
Refer to sk109438.
01909632, 01879389 Identity Awareness Identity Awareness Agent disconnects with no apparent reason after some time of operation when Kerberos SSO is defined.
Refer to sk107155.
01707734, 01909020 IPS Geo Protection mechanism logs connections from internal IP addresses.
Refer to sk106838.
01874752, 01913185 Application Control Resource Advisor (RAD) performance improvement (increased internal URL parsing speed).
01896491 URL Filtering, Application Control Resource Advisor (RAD) does not reuse connections (opens new connection for each request).
Refer to sk103422.
01861543, 01884021 URL Filtering, Application Control Ability to increase the speed of RAD daemon's connection creation/deletion by configuring the number of categorization queries sent by RAD daemon to Check Point cloud in one connection (via parameter RAD_QUERIES_NUMBER_PER_CONNECTION in Check Point Registry).
Refer to sk103422.
01856214, 01904755 Anti-Virus High CPU utilization on Security Gateway during Anti-Virus scan of large files transferred over CIFS/SMB2 (Windows Sharing on port 445).
Refer to sk109582.
01910660 Security Management Server, Multi-Domain Security Management Server The fwm daemon might crash when running "fwm getcap" command (to fetch the packet capture from a log).
01896487 Multi-Domain Security Management Server Authentication with MDS user or RADIUS user fails in SmartLog GUI, when SmartLog server is configured locally on one of the Domain Management Servers (it is possible to log in only with administrator that was locally defined on that Domain Management Server).
01894840, 01909714 Multi-Domain Security Management Server Assigning of Global Policy fails on some Domain Management Servers after modifying a global object.
Refer to sk109436.
Take 84 (06 Dec 2015)
- Check Point Appliances Support for the new improved R77.30 Gaia image (released 16 Dec 2016) for 2200 / 4000 / 12000 / 13000 / 21000 / TE250 / TE1000 / TE2000 appliances.
01867054 Gaia OS User is not able to log in to Gaia OS after configuring a password that contains backslash "\".
Refer to sk106368.
01786538, 01866514 Gaia OS "Gaia Web-UI recognized a non-valid input data" error in Gaia Portal when adding a Scheduled Job.
Refer to sk107513.
01842491, 01855837 Gaia OS BGP routemaps stop working correctly after upgrade from R75.4X / R76 versions to R77.10 and later versions.
Refer to sk108497.
01711169 Gaia OS Specific VPN tunnel is not retrieved on first SNMP querying.
Refer to sk106788.
01711135 Gaia OS The routes are not sorted based on the IP address in Gaia Portal - "Network Management" section - "IPv4 Static Routes" page - "Gateways" column.
Refer to sk106747.
01868833 Cluster, CoreXL Hide NAT port exhaustion on Standby cluster member in ClusterXL HA mode.
Refer to sk98828.
01877245, 01820037 Cluster Improved handling of invalid ClusterXL Control Protocol (CCP) packets received on non-trusted (non-sync) interfaces.
Refer to sk108360 and to sk108192.
01803716, 01816518 SecureXL Check Point appliance with SAM card crashes during policy installation.
Refer to sk107857.
01801507, 01754473 SecureXL Memory leak in SecureXL acceleration.
Refer to sk108192.
01870777, 01861396 SecureXL Traffic does not pass through ClusterXL with enabled VMAC mode and SecureXL.
Refer to sk105577.
01848712 Security Gateway Policy installation fails with error "Reason: Load on Module failed - failed to load Security Policy" because internal mapping of IPS protections fails due to kernel table "spii_multi_pset2kbuf_map" getting full.
Refer to sk33893 (Scenario 22).
01875713, 01821877 Security Gateway Proprietary SSL tunnel protocols (e.g., Skype) are not enforced correctly when Security Gateway acts as Proxy (Non-transparent proxy, without the next proxy).
Refer to sk108192.
01871427 Security Gateway When Dynamic Object is not resolved on the Security Gateway, all traffic that should have been accepted by the rule with this Dynamic Object, is dropped.
01872347 Security Gateway VE Security Gateway Virtual Edition (VE) Network Mode is now licensed using a new and improved licensing model. With the new licensing model, managed Security Gateway VE Network Mode is licensed by the total amount of its assigned virtual cores.
Affected SKUs: CPSG-VEN-NGTP-GW, CPSG-VEN-NGTX-GW, CPSG-VEN-NGFW-GW.
For further licensing details, go to User Center - at the top, go to QUOTING TOOLS menu - click on Product Catalog & Quoting - go to section More Appliances & Solutions - click on Virtual Security - in Virtual Edition row, select a model - click on Select button - click on Licensing instructions link at the top.
Refer to sk109713.
01853689 HTTPS Inspection Users do not receive UserCheck page for blocked HTTPS content.
Refer to sk93184.
01875832 IPS Improved handling of HTTP compressions.
Refer to sk108192.
01880104, 01830381 VSX, IPS Rare crash of the fwk process on VSX Gateway with enabled IPS blade and activated protection "Non-Compliant HTTP".
Refer to sk108192.
01859145 VSX SNMP OID vsxCountersConnTableLimit (.1.3.6.1.4.1.2620.1.16.23.1.1.4) returns wrong value on VSX if IPv6 is enabled.
Refer to sk106736.
01854127 Mobile Access Mobile Access log in SmartView Tracker shows Browser version instead of OS version.
Refer to sk108711.
01734925, 01854129 Mobile Access "[CVPN_ERROR] statusToString: Unrecognized status: 5" error in the debug of the cvpnd daemon on Mobile Access Gateway.
Refer to sk108876.
01802714 Multi-Domain Security Management Server "Error: Cannot assign the Global IPS policy - The version of IPS on the Domain Management Server and in the Global policy must be the same".
Refer to sk108877.
01867540 Multi-Domain Security Management Global Policy cannot be assigned after IPS reset due to duplicated objects or profiles.
Refer to sk107817.
01867540 Multi-Domain Security Management Licenses attached to Domain are shown as unattached in SmartUpdate.
Refer to sk104884.
01626339, 01871531 Security Management Server, Multi-Domain Security Management Server The fwm daemon cannot start due to the size of $FWDIR/tmp/fwmtrace.log file reaching 2GB limit.
Refer to sk105579.
01732223, 01863656 Security Management Server Policy verification fails abnormally on R77.30 Security Management Server.
Refer to sk107182.
01858483 Security Management Server "Multiple account units are using the same domain name" warning during security policy installation.
Refer to sk104248.
01864379, 01850825 Security Management Server IPS scheduled update fails with "Failed to create db revision".
Refer to sk108382.
01875570, 01827950 VPN Not possible to force a minimal allowed Endpoint Security Client version for Remote Access connection
(Note: Does not apply to Endpoint Connect Clients).
Refer to instructions in sk108192.
01749088, 01782611, 01875953 Anti-Virus High memory utilization on Security Gateway during Anti-Virus scan of large files transferred over HTTP.
Refer to sk107384 and sk108192.
Take 75 (12 Nov 2015)
01848714 SecureXL Output of "fwaccel stat" command shows:
Accelerator Status : off by Firewall (too many general errors (NUMBER) (caller: Name_of_Function)).
Refer to sk100467 (Scenario 3 - "UDP traffic causes too many general errors").
01848202, 01850540 SecureXL Check Point 21000 series appliance with SAM card might crash while handling fragmented TCP packets.
Refer to sk108589.
01845461, 01853546 SecureXL Check Point 21000 series appliance with SAM card might crash during policy installation.
Refer to sk108643.
01847635 SecureXL Check Point 21000 series appliance with SAM card might crash due to removal of Layer 2 header by SAM card.
Refer to sk108652.
01820185, 01847696 Multi-Domain Security Management Server mds_backup procedure is stuck at "Releasing all databases" stage.
Refer to sk107862.
01857577 VPN Some VPN clients are not able to connect to Security Gateway because kernel table "ccc_sessions" fills up very rapidly.
Refer to sk105721.
01831743, 01842525 Identity Awareness Policy installation on Identity Awareness Gateway fails randomly.
Refer to sk108290.
01811956 Mobile Access, SSL Network Extender Added support for Windows 10 in:
  • SSL Network Extender (SNX) - both Network Mode and Application Mode
Refer to sk107132.
01850215 SSL Network Extender Added support for Mac OS X 10.11 in:
  • SSL Network Extender (SNX) - both Network Mode and Application Mode
Refer to sk107973.
01736812 Gaia OS Following cluster failover, the routed daemon sends OSPF "Hello" packets with no DR/BDR.
Refer to sk105169.
01844830 Gaia OS
  • "Gaia Web-UI recognized a non-valid input data" error in Gaia Portal when adding SNMP Trap receiver
  • "NMSSNM0025 Community names cannot contain spaces or special characters" error in Gaia Clish when adding SNMP Trap receiver
Now, the dollar sign "$" is accepted as well in SNMP Community.
Refer to sk107513 (Scenario 2 "Adding SNMP Trap receiver in Gaia Portal").
01787201; 01831464; 01827496; 01818312 Gaia OS Enhancement in authentication for SNMPv3 USM user on Gaia OS:
  • "Authentication Protocol" for SNMPv3 USM user can be set to either MD5, or SHA1
  • Interactive configuration of "Privacy Protocol" and "Authentication Protocol" in Clish
  • When adding new SNMPv3 USM user:
    • If no "Privacy Protocol" is specified, then "DES" will be set by default
    • If no "Authentication Protocol" is specified, then "MD5" will be set by default
  • "Privacy Protocol" for Read-Write users will be displayed only if those users were defined with Security Level "AuthPriv" (just like for Read-Only users)
  • Configuration of "Privacy Protocol" and "Authentication Protocol" in Clish was improved to be case-insensitive
Refer to sk90860 - section "(IV-5) Advanced SNMP configuration - Configure SNMPv3 users to use SHA / AES authentication".
01843846 Gaia OS "Could not resolve 'Sensor' within the trap 'Trap'" errors in Spectrum CA when importing Check Point 'GaiaTrapsMIB.mib' file.
Refer to sk97410.
01702566 Gaia OS OSPF might break upon fail-over in cluster on Gaia OS.
Refer to sk108655.
01835145 Cluster ClusterXL in High Availability mode fails over during policy installations due to missing CUL remote freeze notification.
Refer to sk106576.
01834555 Appliances Outputs of "show sysenv all" and "cpstat os -f power_supply" commands show different status for Power Supply units.
Refer to sk107672.
01750204, 01842632 VSX Clients behind a Virtual System configured as Non Transparent HTTP/HTTPS Proxy are not able to connect to any site.
Refer to sk107313.
01730708, 01847073 HTTPS Inspection Added ability to control support for SSLv2 handshake in HTTPS Inspection.
Refer to sk108654.
Take 67 (29 Oct 2015)
01829460 SecureXL ADP monitor hangs and crashes with "ADP slot N possibly hung" on Check Point appliance with SAM card.
01801032, 01829886 CoreXL Issues with traffic passing through Security Gateway with enabled CoreXL Dynamic Dispatcher.
Refer to sk108432.
01751483 Mobile Access User is sometimes asked to re-authenticate when accessing web application in Mobile Access Portal.
Refer to sk107314.
01815100 VSX, Mobile Access Backup (scheduled or manual) on VSX Gateway fails while File Shares are open for Mobile Access users: "not enough space in /var/log/CPbackup/backups".
Refer to sk106046.
Take 63 (20 Oct 2015)
01825587 VSX The fwk daemon crashes during boot of VSX Cluster member with configured Bond interface(s), on which VLAN interfaces are defined.
01817941, 01812866 Security Management Server, Multi-Domain Security Management Server False alerts in SmartEvent GUI / SmartView Monitor about low disk space on Security Gateway.
Refer to sk106040.
01823793 Cluster IPv6 static route in Gaia OS with "ping" option fails to send ping in a ClusterXL with IPv6 Virtual IP.
Refer to sk106572.
01685521 Anti-Spam in.emaild.mta process crashes when overloaded with Anti-Spam block.
Refer to sk106240.
01826612 Gaia OS Output of top command on an Open Server shows that kipmi0 daemon consumes CPU at 100%.
Refer to sk104316.
01825932 Gaia OS Custom changes made to the /etc/cpshell/log_rotation.conf file following sk36798 do not survive Jumbo hotfix installation - after installation, the file goes back to the default.
Take 61 (30 Sep 2015)
01752513, 01752529, 01752531 Security Gateway Misconfiguration of "Management" interface on Check Point Security Gateway causes outage.
Refer to sk106447.
01801629, 01811077 Security Management Server, Multi-Domain Security Management Server "Warning: Rule <N> contains a domain object. It will not be enforced by IPv6 policy." during policy verification refers to wrong rule number.
Refer to sk107601.
01813036 SmartEvent When using send report by mail ('Reports' tab - Report name - Manage - Email Setting - Send By Mail), the SmartEvent sends 'HELO localhost' and gets blocked by the SMTP server.
Refer to sk105279.
01769402, 01803573 SecureXL "cphwd_pslglue_can_offload_template: error, psl_opaque is NULL" error appears repeatedly in /var/log/messages file after upgrade to R77.30.
Refer to sk107258.
01814997 Gaia OS "Loading..." message is stuck in Gaia Portal when trying to open the 'Snapshot Management', 'System Backup' or 'Status and Actions' page after installing a Hotfix / Jumbo Hotfix.
Refer to sk111167 (Scenario 5 - "Maintenance - Snapshot Management" page and "Maintenance - System Backup" page is stuck at "Loading..." after installing a Hotfix).
01817116 Gaia OS /etc/snmp/userDefinedSettings.conf file on Gaia OS (see sk90860) is overwritten during a hotfix installation.
Refer to sk107861.
01820060 Gaia OS A snapshot image cannot be deleted in Gaia Portal - after clicking on the 'Delete' button (on 'Maintenance' pane - 'Snapshot Management' page), the "Loading..." message is stuck.
Refer to sk111167 (Scenario 8 - "Maintenance - Snapshot Management" page is stuck at "Loading..." when trying to delete a snapshot).
01693582 VPN, Mobile Access Memory leak in the vpnd daemon when Mobile Access blade is enabled.
01736208, 01817908 Mobile Access Web Form SSO with configured login page does not work.
Refer to sk107254.
01808903 IPS IPS related kernel tables are kept in memory even when disabled in a later policy, causing table duplication and a memory leak. Leak may lead to an error message "reached the maximum number of ghtabs" and install policy failure.
01802551, 01809183 CoreXL, VSX Creating a Virtual System with one CoreXL FW instance might end with an error and cause the VSX Gateway / VSX Cluster member to crash with kernel core dump.
01704012, 01720219 CoreXL VoIP traffic (or traffic that uses reserved VoIP ports) is interrupted / stops passing after enabling CoreXL Dynamic Dispatcher per sk105261.
Refer to sk106665.
Take 54 (07 Sep 2015)
01787367 Security Gateway Failure in QoS policy installation can cause Security Gateway to crash during the next network policy installation.
01747684 Gaia OS PIM SM: multicast traffic received on an interface, which is in non-DR, but assert winner state is not processed by Security Gateway.
Refer to sk107186.
01800253 Gaia OS Output of Clish command "show asset memory" shows less RAM than is actually installed on Check Point appliance.
Refer to sk107032.
01803002 Gaia OS The following commands were added to Gaia Clish:
  • show lom - displays LOM card IP address and firmware version
  • show lom ip-address - displays LOM card IP address
  • show lom version - displays LOM card firmware version
01803039 Gaia OS Not able to log in to Gaia OS with username authenticated by TACACS.
01803024 Gaia OS Improved support for multiple roles defined on RADIUS server that are separated by space character (e.g., CP-Gaia-User-Role="rwRole, roRole")
01803483 Gaia OS Added the ability to get the comment defined on an interface in Gaia OS via SNMP Request by querying the OID IF-MIB::ifAlias (in case ifXtable.ifAlias field is empty).
Refer to sk107615.
01803493; 01803506 Gaia OS After enabling the SNMP Trap "coldStart" in Gaia OS, it is sent every time the SNMP Agent (the snmpd daemon) is started, regardless of the current system up-time.
Refer to sk107616.
01717878 Cluster Output of "cpstat ha -f all" command shows status of some VLAN interfaces as "Partially up".
Refer to sk106488.
01801408, 01699396 Cluster Both the VRRP Master and VRRP Backup members in Gaia VRRP cluster respond to ARP Requests for Proxy ARP entries (configured per sk30197).
Refer to sk107614.
Take 49 (24 Aug 2015)
01783813 VPN Improved specific debug message.
01745911 Mobile Access Kerberos does not work for Secure Mail (e.g., Exchange Web Services (EWS) mail app).
01710533, 01732329 Mobile Access "Error while processing the request" occasional error in SSL Portal Web Application after clicking on the Back button / Home button / repeatedly pressing F5 key. During the issue, SSL Portal stops responding and mobile users are disconnected.
Refer to sk107454.
01749317 Gaia OS Gaia configuration commands are not saved sorted in a way that guarantees continuation when loading them.
Refer to sk107286.
01779716 Gaia OS Not able to log in to Gaia Portal anymore after running Clish command "show user <username> homedir".
Refer to sk106427.
01778888 Gaia OS

/var/log/messages file on Gaia OS repeatedly shows:
xpand[PID]: image_mgmt_get_version: version was get from registry major=[X] minor=[.Y]
xpand[PID]: version is X.Y

Refer to sk109038.
01692050, 01709890, 01693135 Gaia OS "This page is currently in read only mode, the requested action cannot be performed" message appears in Gaia Portal when logging in with the TACACS+ user and clicking on the "Enable TACACS+ authentication" button at the top.
Refer to sk106324.
01707909 HTTPS Inspection HTTPS Inspection drops traffic to a web site that uses untrusted server certificate even when the "Untrusted server certificate" is disabled.
Refer to sk107288.
01749545 VPN IKE negotiation fails at Main Mode packet 5 between Security Gateway and DAIP non-Centrally Managed Gateway.
Refer to sk104880.
01745741, 01746482, 01780378 Security Gateway Security Gateway might crash in some scenarios when inspecting H.323 traffic.
Refer to sk107184 and to sk106994.
01718196, 01721499, 01721502, 01782570 Security Management Server, Multi-Domain Security Management Server Policy Verification fails to find overlapping rules.
Refer to sk106854 and to sk106994.
01784203, 01784730, 01784728, 01787564 Security Management Server, Multi-Domain Security Management Server Policy Verification fails with "Diameter rule service's check: Failed to flatten services list".
Refer to sk107322 and to sk106994.
01749879 Security Management Server, Multi-Domain Security Management Server After policy installation, traffic that was supposed to be matched on specific "accept" rule is dropped on the Clean Up rule (issue is caused by a corruption in one of the policy files).
Take 45 (06 Aug 2015)
01713997 Gaia OS

Gaia OS syslogd daemon and Check Point syslog daemon cannot run simultaneously on Security Management Server / Domain Management Server / Log Server on Gaia OS in the following scenario:

  • "Accept Syslog messages" is enabled in the properties of Management Server / Log Server object (SmartDashboard - object properties - "Logs" menu - "Additional Logging Configuration").
  • Gaia OS on Management Server / Log Server is configured to forward the received syslog messages to another Syslog server (Gaia Portal - "System Management" pane - "System Logging" - click on "Add" - enter the IP address of another Syslog server).
Refer to sk105580.
01708195, 01708998 Gaia OS "show asset network" command does not display all installed cards on Check Point appliance.
Refer to sk106785.
01727625, 01730966 VPN "vpn debug on TDERROR_ALL_ALL=5" command does not update the previously set debug flags.
Refer to sk107172.
01731020 VPN Improved the printout of "GwSupportCrashRec" debug messages in debug of the vpnd daemon.
01619868, 01725472 Security Management Server, Multi-Domain Security Management Server

Installing policy on R77.X Security Gateway(s) and UTM-1 Edge device(s) at the same time might fail during Policy Compilation with the following error:
cpp: line N, Error: Inside #ifdef block at end of input, depth = X
1 error in preprocessor

Refer to sk105488.
01732552 Security Management Server, Multi-Domain Security Management Server "install/uninstall has been improperly terminated" error when trying to Install Database.
Refer to sk104998.
01595501 Mobile Access

A Mobile device, which is known to be non-compliant, is still able to connect with Mobile VPN / Capsule Connect app to Mobile Access Gateway, and SmartView Tracker log shows this device as compliant.
This mobile device had to be checked for compliance by an MDM vendor based on the $FWDIR/conf/mdm.conf file on Mobile Access Gateway.

Important Note: You must manually edit the $FWDIR/conf/mdm.conf file on Mobile Access Gateway - add the following section at the bottom of the file to block the Dummy MAC address "02:00:00:00:00:00":

:custom_macs ( 
    :020000000000 ("block") 
)
Refer to sk107207.
Take 43 (27 July 2015)
01605509 VPN Windows 8.1 VPN plugin can connect, but user is unable to reach resources behind the VPN Gateway.
Refer to sk104619.
01702733 Mobile Access The "cvpnd_settings" command crashes when used without full path.
Refer to sk106673.
01715981 Gaia OS Clish on Gaia OS crashes with "Segmentation fault" when running "show configuration user" command.
Refer to sk101974.
01722085 Anti-Bot, Anti-Virus CPU load and traffic latency after activating Anti-Bot and/or Anti-Virus blade on Security Gateway (especially for complex traffic like CIFS, NFS).
Refer to sk106062.
01717808, 01647153 Security Gateway, Cluster "fw_getifs: filter interface <interface_name> - no IP" message appears for every interface when running "fw getifs" command under "TDERROR" debug, although those interfaces have an IP address assigned.
Refer to sk106856.
01692246 Cluster Cluster members crash simultaneously when running kernel debug of Delta Sync ('fw ctl debug -m fw + sync') and IPv6 traffic is passing through the cluster, which is inspected by IPS (PSL).
Refer to sk106571.
01705870 Security Management Server, Multi-Domain Security Management Server, SmartProvisioning SmartView Tracker displays ROBO gateways / Edge devices managed by SmartProvisioning in the "Origin" column as Device ID "0.0.0.X" instead of the Device real IP address.
Refer to sk106966.
Take 33 (16 July 2015)
01703881; 01704019; 01704130; 01704076 All Check Point response to CVE-2015-2808 (Bar Mitzvah) and OpenSSL CVE-2015-1789.
Refer to sk106499.
01678465, 01709620 VPN, DLP, Security Management Server, Multi-Domain Security Management Server

Policy installation might fail with "ERROR: stab identifier <lsv_profiles> for host redefined" in the following scenario:

  1. R77.30 Security Management Server running on Gaia OS or IPSO OS.
  2. There are two R77.x Security Gateways / Clusters (e.g., "GW_1" and "GW_2") managed by this server:
    • "GW_1" has IPSec VPN blade enabled
    • "GW_2" has DLP blade enabled, IPSec VPN blade disabled, and belongs to VPN Encryption Domain of "GW_1"
Refer to sk106196.
01705404 SecureXL 21000 appliance with SAM card might reboot in a loop after configuring a Bond interface on 10Gb card ports.
01710137 Security Gateway Issues with traffic and with web pages when Security Gateway is configured in Proxy Non-Transparent mode.
Refer to sk106663.
01709135 Security Gateway

If Security Gateway is configured as HTTP/HTTPS Proxy, then unloading of the Check Point kernel modules might fail with the following errors when running kernel memory leak detection per sk35496:

[Expert@HostName:0]# cpstop
... ... ...
[Expert@HostName:0]# service cpboot stop
... ... ...
[Expert@HostName:0]# cpstop -fwflag -driver
... ... ...
ERROR: Module fw_0 is in use
FireWall-1: failed to remove IPv4 module
cpstop error: Failed to execute fwstop -f . Please check fwflag syntax -driver
01711501 Mobile Access Connection to Citrix through Mobile Access fails if Citrix is configured to use HTML 5.
Refer to sk106574.
01695987, 01704522 Gaia OS Scheduled Gaia backup in R77.30 fails to transfer backup file to remote server.
Refer to sk106647.
01522914, 01683799 Security Management Server, Multi-Domain Security Management Server The fwm daemon frequently crashes due to memory leak on the Security Management Server (triggered when a Security Gateway with Dynamic IP address is monitored in SmartView Monitor and an IP address is changed on that DAIP Security Gateway).
01710257 IPS IPS Exception with Protection "ANY" does not work.
Refer to sk105074.
01697239 Cluster SmartView Monitor shows the status of cluster interfaces as "Partially up" (in the upper pane, click on the cluster member object - in the lower pane, go to section "ClusterXL" - click on "More..." - refer to the "Interface table").
Refer to sk106488.
Take 18 (01 July 2015)
01594658 Gaia OS

Different number of IPv6 neighbors is shown in Expert mode and in Gaia Clish:

  • In Expert mode, output of command "ip -6 neighbour show" shows all expected IPv6 neighbors.
  • In Gaia Clish, output of command "show neighbor dynamic-table" shows up to 50 IPv6 neighbors.
Refer to sk106622.
01681589, 01688680 SecureXL Improved memory training logic for "SAM-108-V2" card (memory training is a task performed by the hypervisor to get a sense of the timing necessary for the pins out of the memory controller on the card's processor to achieve maximum throughput to the onboard DIMMs while maintaining reliability).
01690456 Mobile Access Added ability to force Kerberos authentication (instead of NTLM) against Capsule Workspace Mail application and Web applications.
01690471 Mobile Access The cvpnd daemon crashes when the user/application calls for two factor authentication in Mobile Access Portal using SMS, but the user has no phone number defined.
01690589 Mobile Access Added support for Citrix Connection floating bar in Internet Explorer browser when connecting to Citrix Server through external interface on Mobile Access gateway.
Take 17 (18 June 2015)
01685651, 01693669; 01688883, 01694383 SecureXL, Security Management Server / Multi-Domain Security Management Server

Output of "fwaccel stat" command on R77.30 Security Gateway / Cluster members shows that Accept Templates are not disabled starting from the expected rule (per sk32578).

Problematic scenario (issue occurs only if all these conditions are met):

  1. R77.30 Security Management Server / Multi-Domain Security Management Server with installed R77.30 Add-On
    (either cleanly installed R77.30 with R77.30 Add-on, or upgraded to R77.30 from R77.20 with R77.20 Add-on).
  2. Involved rulebase is installed on R77.30 Security Gateway / Cluster members.
  3. SecureXL is enabled on R77.30 Security Gateway / Cluster members.
  4. Involved rulebase contains rules, starting from which SecureXL Accept Templates should not be created anymore (per sk32578) - e.g., rules for FTP/ICMP traffic, rules with Dynamic objects.
  5. Involved rulebase contains a rule with service "dhcp-request" and/or service "dhcp-reply" (refer to sk98839) and this rule is located above all other rules, which disable SecureXL Accept Templates.
01692710 Security Gateway Connectivity issues through Security Gateway in Proxy mode due to an extra space in DNS Query sent by the Security Gateway.
Refer to sk106428.
01685214, 01693432 Anti-Virus Memory consumption on Security Gateway with enabled Anti-Virus blade increases during inspection of CIFS traffic.
Refer to sk106334.
01668422 Mobile Access, Security Management Server / Multi-Domain Security Management Server Policy installation succeeds even if Mobile Access rules contain only services that are not supported by Native Applications - such as Compound TCP and Citrix TCP types.
Refer to sk106502.
01647109 Security Management Server, Multi-Domain Security Management Server SmartView Tracker does not show successful "Log In" or "Log Out" Audit logs for SmartLog GUI.
Refer to sk105881.
01688838 Security Management Server, Multi-Domain Security Management Server Obfuscated information in Application Control/URL Filtering mail alerts - printing ****** instead of real information.
Refer to sk106430.
01568620 SmartView Monitor, VPN SmartView Monitor shows "no data" in tunnel information under "Tunnels on gateway" for R77.20 / R77.30 gateways using Traditional Mode VPN.
Refer to sk104103.
Take 15 (16 June 2015)
01688001 Mobile Access

Ability to override the sk102989 - Check Point response to the POODLE Bites vulnerability (CVE-2014-3566) using the "CvpnEnableSSLv3" directive to allow Mobile Access gateway to connect to internal application servers over SSLv3 (connection from outside to Mobile Access gateway is still over TLS).

To allow internal connection over SSLv3:

  1. In the $CVPNDIR/conf/httpd.conf file, add the following lines:
    # This directive overrides the hotfix sk102989 - POODLE Bites (CVE-2014-3566)
    # and allows access from Mobile Access gateway to internal application servers over SSLv3
    CvpnEnableSSLv3 On
  2. Reload the Mobile Access policy:
    [Expert@HostName:0]# cvpnd_admin policy
01681471 Mobile Access "Authentication Failure" error when launching SNX via Mobile Access Portal using an LDAP user account with OU path that includes asterisk "*" (wildcard) character.
Refer to sk106299.
01581791 SmartReporter A new consolidation database table does not appear in SmartReporter GUI - 'Database Maintenance' tab - 'Tables' tab.
Refer to sk104842.
01599078 SmartReporter "No data available for [SmartReporter]" error in reports.
Refer to sk102007.
01626310 SmartView Monitor E-mail alerts from SmartView Monitor arrive with MIME boundary headers "_NextPart_..".
Refer to sk105578.
01666230 SmartDashboard Security Management Server that was configured to forward local log files to a Log Server without deleting them per sk106039, forwards all existing local log files instead of forwarding only the new log files that were created since the last scheduled forwarding event (i.e., also all those local log files that were already forwarded during the past scheduled forwarding events).
Refer to sk106039.
01607383 Security Gateway Kernel panic on Security gateway due to memory access violation.
01594559 Security Gateway HTTP traffic with non-common HTTP methods does not pass through Security Gateway configured as Proxy.
Refer to sk104887.
01621272 Gaia OS "syntax error" when adding an interface to the redistribution of routes in Gaia OS.
Refer to sk105643.
01621251; 01621253 Cluster Gratuitous ARP Request packets (GARP) are not sent during cluster fail-over for IP addresses configured in the $FWDIR/conf/local.arp file (per sk30197), if those IP addresses and Cluster VIP address are on different subnets.
Refer to sk105645.
01614571 Cluster TCP state logs are sent from all cluster members instead of only the active member.
Refer to sk101221.
01596291 SecureXL SecureXL Accept Templates not created when ISP Redundancy is enabled in Primary/Backup mode.
Refer to sk104679.
01619159 VoIP SIP Call Transfer stopped working after upgrade to R77.20 / R77.30.
Refer to sk105564.
01607850 Identity Awareness, Application Control Security Gateway might crash when Identity sharing and Application Control rules (with access roles) are configured.
Refer to sk106420 and to sk106994.
01605254 DLP DLP fingerprint scan failure on Full HA cluster.
Refer to sk105157.
01692002 DLP, Threat Emulation

Downloaded file might be bypassed instead of being blocked by DLP in the following scenario:

  • DLP blade is enabled.
  • Threat Emulation blade is enabled.
  • Threat Emulation Connection Handling Mode is set to "Background"
  • Threat Prevention Engine Fail Mode is set to "Allow all connections (Fail-open)"
Refer to sk106421.
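
A configuration check for two manual edits described in the table above (the mdm.conf dummy MAC block from the sk107207 entry, and the CvpnEnableSSLv3 override from issue 01688001), added here as an example and not Check Point code. The function names are hypothetical, and the parsing assumes the file layouts shown on this page.

```shell
#!/bin/sh
# Added example, not Check Point code. Function names are hypothetical.
# Assumptions: httpd.conf uses "Directive Value" lines with "#" comments,
# and mdm.conf holds a ":custom_macs ( ... )" section laid out as in the
# article, one entry per line.

# Exit 0 when an uncommented "CvpnEnableSSLv3 On" line is present, i.e. the
# gateway may talk SSLv3 (CVE-2014-3566) to internal application servers.
sslv3_override_enabled() {
    awk 'tolower($1) == "cvpnenablesslv3" && tolower($2) == "on" { hit = 1 }
         END { exit !hit }' "$1"
}

# Exit 0 when the dummy MAC 02:00:00:00:00:00 is blocked inside :custom_macs.
# An identical entry in any other section does not count.
dummy_mac_blocked() {
    awk '
        /^[ \t]*:custom_macs[ \t]*\(/                      { in_sec = 1; next }
        in_sec && /^[ \t]*\)/                              { in_sec = 0 }
        in_sec && /^[ \t]*:020000000000[ \t]*\("block"\)/  { hit = 1 }
        END { exit !hit }' "$1"
}

# Print one FINDING line per problem.
# Exit status: 0 = clean, 1 = findings, 2 = a file could not be read.
audit_mobile_access() (
    httpd=${1:-$CVPNDIR/conf/httpd.conf}
    mdm=${2:-$FWDIR/conf/mdm.conf}
    for f in "$httpd" "$mdm"; do
        if [ ! -r "$f" ]; then
            echo "ERROR: cannot read $f" >&2
            exit 2
        fi
    done
    findings=0
    if sslv3_override_enabled "$httpd"; then
        echo "FINDING: $httpd sets CvpnEnableSSLv3 On (SSLv3 allowed to internal servers)"
        findings=$((findings + 1))
    fi
    if ! dummy_mac_blocked "$mdm"; then
        echo "FINDING: $mdm does not block dummy MAC 02:00:00:00:00:00 in :custom_macs"
        findings=$((findings + 1))
    fi
    if [ "$findings" -gt 0 ]; then
        exit 1
    fi
    exit 0
)

# Usage on a Mobile Access Gateway (Expert mode): audit_mobile_access
```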

 

List of resolved issues in the Ongoing Take

These fixes were added on top of the latest General Availability Take.

ID Product Description

Take 351 (02 Jul 2019)

CPUSE Identifier: Check_Point_R77_30_JUMBO_HF_1_Bundle_T351_FULL.tgz

PRJ-2376, PRJ-2358 Gaia OS CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.
PRJ-1330, 02541089 SecureXL Resolved issue in multicast routing lookup.
PMTR-27365, IDA-1609 Identity Awareness In some scenarios, the Identity Agent fails to authenticate using Kerberos SSO due to a very large Kerberos ticket, and the agent falls back to User/Password authentication. Refer to sk145832.
PRJ-366, PMTR-33177 Identity Awareness In some scenarios, when using Load Sharing and the same IP address is used by two different users, users may be able to access or to be restricted from accessing resources without proper roles.

Take 348 (24 Apr 2019)

CPUSE Identifier: Check_Point_R77_30_JUMBO_HF_1_Bundle_T348_FULL.tgz

IDA-1689, PMTR-31034 Identity Awareness Removed unnecessary identity update, during Identity Agent or Terminal Server Agent IP address change, that results in corruption of PEP database.
GAIA-3010, PMTR-23157 Gaia OS CVE-2018-15473: Username enumeration is possible due to a premature bail-out while dealing with a malformed packet. The issue exists in several authentication protocols.
IDA-1225, PMTR-33364 Identity Awareness Fixed possible session corruption on PDP side that could lead to unexpected behavior.

Take 347 (27 Mar 2019)

CPUSE Identifier: Check_Point_R77_30_JUMBO_HF_1_Bundle_T347_FULL.tgz

PMTR-26171, PMTR-26174 SSL Inspection Changed SSL Network Extender on MacOS to 64-bit architecture to support the deprecation of 32-bit apps in OSX.
PMTR-35032, PRJ-99 VPN Important security update for IPSec Site-to-Site (S2S) VPN.

Take 346 (13 Feb 2019)

CPUSE Identifier: Check_Point_R77_30_JUMBO_HF_1_Bundle_T346_FULL.tgz

02468036 UserCheck Improved stability when Push Notifications are enabled on Mobile Access blade.
02657434 VPN Improved connectivity with 3rd party VPN peers using IKEv2. Refer to sk120835.
02100804 VPN After Cluster failover, VPN tunnel is down and "Unknown SPI for IPsec packet" log is shown. Refer to sk112339.
PRHF-608 SecureXL Improved stability of VSX gateway when under heavy load when SecureXL is enabled.
JPMC-284 SecureXL Improved stability of SAM card when running multicast jumbo traffic packets.
JPMC-316 SecureXL Improved stability of SAM card when PIM is configured in Sparse Mode on its interfaces.

 

Installation instructions

Important Notes:

  • This Jumbo Hotfix Accumulator has to be installed only after successful completion of Gaia First Time Configuration Wizard and reboot.
  • Before installing this Jumbo Hotfix Accumulator, back up any configuration file that was edited manually.
    List of the most important files (many others exist):
    • $FWDIR/boot/modules/fwkern.conf
    • $FWDIR/boot/modules/vpnkern.conf
    • $PPKDIR/boot/modules/simkern.conf
    • $PPKDIR/boot/modules/sim_aff.conf
    • $FWDIR/conf/fwaffinity.conf
    • $FWDIR/conf/local.arp
    • $FWDIR/conf/discntd.if
    • $FWDIR/conf/cphaprob.conf
    • $FWDIR/conf/cpha_bond_ls_config.conf
    • $FWDIR/conf/fwauthd.conf
    • $FWDIR/conf/resctrl
    • $FWDIR/conf/vsaffinity_exception.conf
    • $FWDIR/database/qos_policy.C
    • /var/ace/sdconf.rec
    • /var/ace/sdopts.rec
    • /etc/snmp/snmpd.conf
    • /etc/snmp/userDefinedSettings.conf
    • /etc/snmp/vsx-proxy/snmpd.vsx.proxy.conf
    • /etc/snmp/snmpmonitor.conf
  • It is not supported to install this Jumbo Hotfix Accumulator using the ISOmorphic Tool.
  • In cluster environment:
    Jumbo Hotfix Accumulator must be installed on all members of the cluster. To assure synchronization without losing connectivity, cluster administrator should use either Optimal Service Upgrade (OSU) method, or Connectivity Upgrade (CU) method. For additional information and limitations, refer to sk107042 - ClusterXL upgrade methods and paths.
  • In Management HA environment:
    Jumbo Hotfix Accumulator must be installed on both Management Servers.
  • On Multi-Domain Security Management Server:
    Note: To check the current Take number, run the "installed_jumbo_take" command.
    • When running Take 205 and above of this Jumbo Hotfix Accumulator:
      Higher Take can be installed over the current Take.
    • When running Take 198 and lower of this Jumbo Hotfix Accumulator:
      Before installing a higher Take, the current Take must be uninstalled (refer to section "Uninstall instructions" - "Show / Hide instructions for uninstall of Jumbo Hotfix Accumulator Take 198 and lower on Multi-Domain Security Management Server").
  • On VSX Gateways:
    Jumbo Hotfix Accumulator should be installed only using CPUSE in Clish (requires the latest build of CPUSE Agent).
  • For Smart-1 405 / 410 appliances:
    It is necessary to install Take_266 and above (refer to sk117578).
  • For 15000 / 23000 appliances with 40 GbE cards:
    It is necessary to install Take_162 and above (refer to sk112517).
  • On 21000 appliances with SAM card:
    Due to specific stability issues, Take 210, Take 213 and Take 216 should not be installed (refer to sk116070).
  • It is recommended to install Jumbo Hotfix Accumulator on all the R77.30 machines in the environment - Security Gateways / Management Servers / etc. running on Gaia OS.
  • Installation of a newer Take of Jumbo Hotfix Accumulator on top of the current Take (refer to sk107320):
    • When running CPUSE Agent build 1127 and above:
      • If the previous Take of Jumbo Hotfix Accumulator was installed using Legacy CLI, then the next Take can be installed using the CPUSE.
      • If the previous Take of Jumbo Hotfix Accumulator was installed using CPUSE, then all subsequent Takes must also be installed using CPUSE.
    • When running CPUSE Agent build 1005 and lower (users should upgrade to the latest build):
      All Takes of Jumbo Hotfix Accumulator must be installed in the same way:
      • If the Jumbo Hotfix Accumulator was installed for the first time using CPUSE, then all subsequent Takes must also be installed using CPUSE.
      • If the Jumbo Hotfix Accumulator was installed for the first time using Legacy CLI, then all subsequent Takes must also be installed using Legacy CLI.
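
The backup note above, as an added example that is not Check Point code: run it before the install to archive whichever of the listed files exist, and again after the reboot to list the ones the install changed or removed. The function names and the SYSROOT variable are assumptions; FWDIR and PPKDIR are assumed to be set in the shell (Expert mode).

```shell
#!/bin/sh
# Added example, not Check Point code. Function names and SYSROOT are
# hypothetical. FWDIR and PPKDIR are assumed to be set in the shell.

# The files named in the article's backup note. SYSROOT (normally empty)
# redirects the absolute paths, which allows a dry run on a test tree.
manual_config_files() (
    : "${FWDIR:?FWDIR is not set}" "${PPKDIR:?PPKDIR is not set}"
    cat <<EOF
$FWDIR/boot/modules/fwkern.conf
$FWDIR/boot/modules/vpnkern.conf
$PPKDIR/boot/modules/simkern.conf
$PPKDIR/boot/modules/sim_aff.conf
$FWDIR/conf/fwaffinity.conf
$FWDIR/conf/local.arp
$FWDIR/conf/discntd.if
$FWDIR/conf/cphaprob.conf
$FWDIR/conf/cpha_bond_ls_config.conf
$FWDIR/conf/fwauthd.conf
$FWDIR/conf/resctrl
$FWDIR/conf/vsaffinity_exception.conf
$FWDIR/database/qos_policy.C
${SYSROOT:-}/var/ace/sdconf.rec
${SYSROOT:-}/var/ace/sdopts.rec
${SYSROOT:-}/etc/snmp/snmpd.conf
${SYSROOT:-}/etc/snmp/userDefinedSettings.conf
${SYSROOT:-}/etc/snmp/vsx-proxy/snmpd.vsx.proxy.conf
${SYSROOT:-}/etc/snmp/snmpmonitor.conf
EOF
)

# Only the listed files that exist on this machine (most installs have a few).
existing_manual_configs() (
    manual_config_files | while IFS= read -r f; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
)

# Archive the existing files into DEST_DIR and print the archive path.
# tar drops the leading "/" from member names; restore with "tar -xzf FILE -C /".
backup_manual_configs() (
    dest=$1
    manual_config_files >/dev/null || exit 2
    present=$(existing_manual_configs)
    if [ -z "$present" ]; then
        echo "none of the listed files exist, nothing to back up" >&2
        exit 2
    fi
    mkdir -p "$dest" || exit 2
    archive="$dest/pre_jumbo_$(date +%Y%m%d_%H%M%S).tgz"
    printf '%s\n' "$present" | tar -czf "$archive" -T - || exit 2
    printf '%s\n' "$archive"
)

# After the install: print every backed-up file that now differs from the
# live copy or no longer exists. Exit 0 = all unchanged, 1 = differences.
changed_since_backup() (
    archive=$1
    work=$(mktemp -d) || exit 2
    if ! tar -xzf "$archive" -C "$work"; then
        rm -rf "$work"
        exit 2
    fi
    changed=$(tar -tzf "$archive" | while IFS= read -r m; do
        if ! cmp -s "$work/$m" "/$m"; then printf '/%s\n' "$m"; fi
    done)
    rm -rf "$work"
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed"
        exit 1
    fi
    exit 0
)

# Before install (example path): archive=$(backup_manual_configs /var/log/pre_jumbo_backup)
# After the reboot:              changed_since_backup "$archive"
```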

 

Procedure:

  • Show / Hide instructions for installation in Gaia Portal - using CPUSE (Check Point Update Service Engine)

    Note: You can also use the sk111158 - Central Deployment Tool (CDT) to install this Jumbo Hotfix Accumulator on Security Gateways.

    For detailed installation instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".

    • Online installation for Latest Ongoing Take

      1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
        Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
      2. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
      3. In the upper right corner, click on the Add hotfixes from the cloud button.
      4. Paste the CPUSE Identifier and start the search.
        Note: Contact Check Point Support to get the CPUSE Identifier.
      5. When the package is found, click on the link to add the package to the list of available packages.
      6. Select the hotfix package - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
      7. Select the package - click on Install Update button on the toolbar.
      8. Machine will be rebooted automatically.
    • Online installation for General Availability Take

      1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
        Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
      2. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
      3. Click on the filter button near the help icon and select All.
      4. Select the hotfix package - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
      5. Select the package - click on Install Update button on the toolbar.
      6. Machine will be rebooted automatically.
    • Offline installation

      Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").

      1. Install the latest build of CPUSE Agent from sk92449.
      2. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
      3. In the upper right corner, click on the Import Package button.
      4. In the Import Package window, click on Browse... - select the CPUSE package (either offline TGZ file, or exported TAR file) - click on Import.
      5. Select the imported package - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
      6. Select the imported package - click on Install Update button on the toolbar.
      7. Machine will be rebooted automatically.


  • Show / Hide instructions for installation in Gaia Clish - using CPUSE (Check Point Update Service Engine)

    Note: You can also use the sk111158 - Central Deployment Tool (CDT) to install this Jumbo Hotfix Accumulator on Security Gateways.

    For detailed installation instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE"

    • Online installation for Latest Ongoing Take

      1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
        Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
      2. Connect to command line on Gaia OS.
      3. Log in to Clish.
      4. Acquire the lock over Gaia configuration database:
        HostName:0> lock database override
      5. Import the package from Check Point cloud:
        HostName:0> installer import cloud <CPUSE Identifier>
        Note: Contact Check Point Support to get the CPUSE Identifier.
      6. Show the packages that are available for download:
        Note: Refer to the top section "Hotfixes" - refer to "Jumbo Hotfix Accumulator for ..."
        HostName:0> show installer packages available-for-download
      7. Verify that this package can be installed without conflicts:
        HostName:0> installer verify <Package_Number>
      8. Download the package from Check Point cloud:
        HostName:0> installer download <Package_Number>
      9. Install the downloaded package:
        HostName:0> installer install <Package_Number>
        Note: The progress (in per cent) will be displayed in Clish.
      10. Machine will be rebooted automatically.
    • Online installation for General Availability Take

      1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
        Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
      2. Connect to command line on Gaia OS.
      3. Log in to Clish.
      4. Acquire the lock over Gaia configuration database:
        HostName:0> lock database override
      5. Check the available packages:
        Note: Refer to the top section "Hotfixes" - refer to "Jumbo Hotfix Accumulator for ..."
        HostName:0> show installer packages available-for-download
      6. Verify that this package can be installed without conflicts:
        HostName:0> installer verify <Package_Number>
      7. Download the hotfix package from the Check Point Cloud:
        HostName:0> installer download <Package_Number>
      8. Show the downloaded packages:
        HostName:0> show installer packages downloaded
      9. Install the downloaded package:
        HostName:0> installer install <Package_Number>
        Note: The progress (in per cent) will be displayed in Clish.
      10. Machine will be rebooted automatically.
    • Offline installation

      Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").

      1. Install the latest build of CPUSE Agent from sk92449.
      2. Transfer the offline package (TGZ) / exported package (TAR) to the target Gaia machine (into some directory, e.g., /some_path_to_jumbo/).
      3. Connect to command line on target Gaia OS.
      4. Log in to Clish.
      5. Acquire the lock over Gaia configuration database:
        HostName:0> lock database override
      6. Import the package from the hard disk:
        Note: When import completes, this package might be deleted from the original location.
        HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
      7. Show the imported packages:
        Note: Refer to the top section "Hotfixes" - refer to "<Package_File_Name>"
        HostName:0> show installer packages imported
      8. Verify that this package can be installed without conflicts:
        HostName:0> installer verify <Package_Number>
      9. Install the imported package:
        HostName:0> installer install <Package_Number>
      10. Machine will be rebooted automatically.

 

Uninstall instructions

Important Notes:

  • This Jumbo Hotfix Accumulator removes all its packages during uninstall.
  • Uninstall of Jumbo Hotfix Accumulator Take (refer to sk107320):
    • When running CPUSE Agent build 1127 and above:
      • If a Take of Jumbo Hotfix Accumulator was installed using Legacy CLI, then it can be uninstalled using the CPUSE.
      • If a Take of Jumbo Hotfix Accumulator was installed using CPUSE, then it must be uninstalled using CPUSE.
    • When running CPUSE Agent build 1005 and lower (users should upgrade to the latest build):
      All Takes of Jumbo Hotfix Accumulator must be uninstalled in the same way as they were installed:
      • If a Take of Jumbo Hotfix Accumulator was installed using CPUSE, then it must be uninstalled using CPUSE.
      • If a Take of Jumbo Hotfix Accumulator was installed using Legacy CLI, then it must be uninstalled using Legacy CLI.

Procedure:

  • Show / Hide instructions for uninstall in Gaia Portal - using CPUSE (Check Point Update Service Engine)

    1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
      Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
    2. Connect to the Gaia Portal on your Gaia machine and navigate to the Upgrades (CPUSE) section - click on Status and Actions.
    3. Above the list of all software packages, click on the Showing Recommended packages button - select All.
    4. Right-click on the Jumbo Hotfix Accumulator package - click on Uninstall.
    5. A warning will be displayed that after this uninstall, the machine will be automatically rebooted.
      Click on OK to start the uninstall.


  • Show / Hide instructions for uninstall in Gaia Clish - using CPUSE (Check Point Update Service Engine)

    1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
      Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
    2. Connect to command line on Gaia OS.
    3. Log in to Clish.
    4. Acquire the lock over Gaia configuration database:
      HostName:0> lock database override
    5. Uninstall the package:
      HostName:0> installer uninstall <Package_Number>
      Note: The progress (in per cent) will be displayed in Clish.
    6. Machine will be rebooted automatically.


  • Show / Hide instructions for uninstall of Jumbo Hotfix Accumulator Take 198 and lower on Multi-Domain Security Management Server:

    Important Note: When running Take 198 and lower of this Jumbo Hotfix Accumulator, before installing a higher Take, the current Take must be uninstalled.

    1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
      Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
    2. Uninstall the current Take using CPUSE:

      1. Connect to the Gaia Portal on your Gaia machine and navigate to the Upgrades (CPUSE) section - click on Status and Actions.
      2. Above the list of all software packages, click on the Showing Recommended packages button - select All.
      3. Right-click on the Jumbo Hotfix Accumulator package - click on Uninstall.
      4. A warning will be displayed that after this uninstall, the machine will be automatically rebooted.
        Click on OK to start the uninstall.
    3. Remove the references to the "SecurePlatform" package:

      1. Connect to the command line.
      2. Log in to Expert mode.
      3. Remove the references from Check Point Registry:
        [Expert@HostName:0]# mdsenv
        [Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_BKP
        [Expert@HostName:0]# $CPDIR/bin/ckp_regedit -d //SOFTWARE//CheckPoint//SecurePlatform//6.0//HOTFIX_R77_30_JUMBO_HF
        [Expert@HostName:0]# $CPDIR/bin/ckp_regedit -d //SOFTWARE//CheckPoint//SecurePlatform//6.0//HotFixes HOTFIX_R77_30_JUMBO_HF
      4. Remove the references from crs.xml file:
        [Expert@HostName:0]# $CPDIR/bin/CRSValidator -l /opt/SecurePlatform/conf/crs.xml -remove R77_30_JUMBO_HF

 

List of replaced files

List of files replaced by this Jumbo Hotfix Accumulator can be provided upon request by Check Point Support.

 

Revision History

Date Description
06 Oct 2019
  • General Availability Take 351
02 Jul 2019
  • Release of Ongoing take 351
24 Apr 2019
  • Release of Ongoing take 348
27 Mar 2019
  • Release of Ongoing take 347
25 Feb 2019 
  • General Availability Take 345
13 Feb 2019
  • Release of Ongoing take 346
23 Jan 2019
  • Release of Ongoing take 345
10 Jan 2019
  • Release of Ongoing Take 344
26 Dec 2018
  • General Availability Take 342
17 Dec 2018
  • Release of Ongoing Take 343
20 Nov 2018
  • Release of Ongoing Take 342
31 Oct 2018
  • Release of Ongoing Take 339
16 Oct 2018
  • General Availability Take 338
20 Sep 2018
  • Release of Ongoing Take 338
21 Aug 2018
  • Release of Ongoing Take 336
26 Jul 2018
  • Release of Ongoing Take 331
10 Jul 2018
  • Release of Ongoing Take 329
26 Jul 2018
  • Release of Ongoing Take 327
27 Jun 2018
  • General Availability Take 317
18 Jun 2018
  • Release of Ongoing Take 322
11 Jun 2018
  • Release of Ongoing Take 320
15 May 2018
  • Release of Ongoing Take 317
26 Apr 2018
  • Release of Ongoing Take 315
4 Apr 2018
  • Release of Ongoing Take 311
27 Mar 2018
  • General Availability Take 302
14 Mar 2018
  • Release of Ongoing Take 310
26 Feb 2018
  • Release of Ongoing Take 309
19 Feb 2018
  • Release of Ongoing Take 308
06 Feb 2018
  • Release of Ongoing Take 302
16 Jan 2018
  • Release of Ongoing Take 301 
19 Dec 2017
  • General Availability Take 292
18 Dec 2017
  • Release of Ongoing Take 297
23 Nov 2017
  • Release of Ongoing Take 294 
08 Nov 2017
  • Release of Ongoing Take 292 
24 Oct 2017
  • Release of Ongoing Take 288.
17 Oct 2017
  • Corrected the description of the Issue ID 02351092 in Take 189.
25 Sep 2017
  • General Availability Take 286 is now available in Gaia Portal and Gaia Clish for CPUSE online installation (it replaces General Availability Take_216).
18 Sep 2017
  • Added the CPUSE Identifier for Ongoing Take 286.
13 Sep 2017
  • Release of Ongoing Take 286.
24 Aug 2017
  • Release of Ongoing Take 282.
16 Aug 2017
  • Release of Ongoing Take 280.
  • Moved Issue ID 02040869 from Take 156 to Take 280.
27 July 2017
  • Improved installation instructions for CPUSE Offline package in Gaia Portal.
26 July 2017
  • Release of Ongoing Take 272.
  • Added a note that it is not supported to install this Jumbo Hotfix Accumulator using the ISOmorphic Tool.
  • Added "and reboot" at the end of the note that this Jumbo Hotfix Accumulator has to be installed only after successful completion of Gaia First Time Configuration Wizard.
16 July 2017
  • Added a note that Take 266 is not supported on Cluster High Availability configured in Bridge mode.
04 July 2017
03 July 2017
  • Release of Ongoing Take 266.
  • Added a note that support for TLS 1.2 was integrated starting in Take_266.
15 May 2017
  • Added the note to back up any configuration file that was edited manually (and added the list of the most important files).
11 May 2017
20 Apr 2017
  • Removed Issue ID 01562489 (that fix was not integrated yet) from Take 33.
09 Apr 2017
  • Added Issue ID 01916631 in Take 128.
30 Mar 2017
  • Updated the description of Issue ID 02002951.
29 Mar 2017
  • Updated the description of Issue ID 02333089.
22 Mar 2017
  • Release of Ongoing Take 225.
06 Mar 2017
  • Release of Ongoing Take 221.
23 Feb 2017
  • Added a note that on 21000 appliances with SAM card, due to specific stability issues,
    Take 210, Take 213 and Take 216 should not be installed (refer to sk116070).
  • Improved the description of Issue ID 02441209.
  • Improved the description of Issue ID 02413967.
  • Improved the description of Issue ID 02079428.
  • Improved the description of Issue ID 01931909.
  • Changed the description of Issue ID 02422452 to say:
    "This option will be fully available in future Takes".
22 Feb 2017
  • Added sk115575 in Take 216.
17 Feb 2017
  • General Availability Take 216 is now available in Gaia Portal and Gaia Clish for CPUSE online installation (it replaces General Availability Take_205).
  • Some changes in the design of this article, e.g., separated the "List of resolved issues per Take" section into these sections:
    • "List of resolved issues in the General Availability Takes".
    • "List of resolved issues in the Ongoing Take".
05 Feb 2017
  • Release of Ongoing Take 213.
  • Added sk114613 in Take 198.
  • Added sk112240 in Take 198.
29 Jan 2017
  • Added Issue ID 02364390 in Take 207.
25 Jan 2017
  • Release of Ongoing Take 210 (that replaced Take 209).
23 Jan 2017
  • Release of Ongoing Take 209.
08 Jan 2017
  • Release of Ongoing Take 207.
26 Dec 2016
  • Release of Ongoing Take 206.
22 Dec 2016
  • Added relevant notes about the CPUSE Agent.
16 Dec 2016
  • Added notes that R77.30 Jumbo Hotfix Accumulator supports the new improved R77.30 Gaia image (released 16 Dec 2016):

    • Since Take 198 - new R77.30 Gaia image for 3200 / 5000 / 15000 / 23000 / TE100X / TE250X / TE1000X / TE2000X appliances.
    • Since Take 84 - new R77.30 Gaia image for 2200 / 4000 / 12000 / 13000 / 21000 / TE250 / TE1000 / TE2000 appliances.
15 Dec 2016
  • General Availability Take 205 is now available in Gaia Portal and Gaia Clish for CPUSE online installation (it replaces General Availability Take_185).
23 Nov 2016
  • Release of Ongoing Take 198.
17 Nov 2016
  • Updated a note that R77.30 instances running in Microsoft Azure are supported starting in Take 189.
15 Nov 2016
  • Updated a note that R77.30 instances running in Amazon Web Services (AWS) are supported starting in Take 189 (instead of Take 184).
13 Nov 2016
  • General Availability Take 185 is now available in Gaia Portal and Gaia Clish for CPUSE online installation (it replaces General Availability Take_159).
07 Nov 2016
  • Release of Ongoing Take 189.
06 Nov 2016
  • Added a note that this Jumbo Hotfix Accumulator has to be installed only after successful completion of Gaia First Time Configuration Wizard.
20 Oct 2016
  • Release of Ongoing Take 185.
19 Oct 2016
  • Removed instructions for Legacy CLI package (deprecated) - CPUSE should be used instead.
18 Oct 2016
  • Removed a note that until further notice, R77.30 Jumbo Hotfix Accumulator should NOT be installed on Check Point Threat Emulation appliances (TE / TEX series) - no degradation / issue was found.
16 Oct 2016
  • Added a note that until further notice, R77.30 Jumbo Hotfix Accumulator should NOT be installed on Check Point Threat Emulation appliances (TE / TEX series).
13 Oct 2016
  • Release of Ongoing Take 184.
10 Oct 2016
  • Reverted to Ongoing Take 171.

    The following Take packages were temporarily recalled for additional testing:

    • Ongoing Take 178.
    • Ongoing Take 174.
    • Ongoing Take 172.
29 Sep 2016
  • Release of Ongoing Take 178.
22 Sep 2016
  • Release of Ongoing Take 174.
01 Sep 2016
  • Release of Ongoing Take 172.
25 Aug 2016
  • Release of Ongoing Take 171.
08 Aug 2016
  • Release of Ongoing Take 165.
01 Aug 2016
  • Release of Ongoing Take 164.
27 July 2016
  • General Availability Take 159 is now available in Gaia Portal and Gaia Clish for CPUSE online installation.
20 July 2016
  • Release of Ongoing Take 162.
14 July 2016
  • Release of Ongoing Take 161.
30 June 2016
  • First release of General Availability Take (Take 159).
  • Moved all Legacy CLI instructions into a separate section.
