Support Center > Search Results > SecureKnowledge Details
Check Point R80 Known Limitations
Solution

This article lists all of the R80 specific known limitations.

This is a live document that may be updated without special notice. We recommend registering to our weekly updates in order to stay up to date. To register go to UserCenter -> ASSETS / INFO -> My Subscriptions.


Important notes:

 

Table of Contents

  • General
  • Upgrade
  • Networking
  • Gaia
  • Security Management Server
  • Multi-Domain Security Management
  • Licensing
  • Compliance
  • SmartConsole
  • SmartEndpoint
  • IPS
  • Threat Prevention
  • Application Control / URL Filtering
  • SmartEvent
  • SmartUpdate
  • SmartView Monitor
  • SmartLog
  • Logging
  • Mobile Access
  • VPN
  • Desktop security
  • QoS
  • Small and Medium Business Appliances (SMB)
  • vSEC Controller
  • VSX
  • 60000 / 40000 appliances


Enter the string to filter the below table:

ID Symptoms
General
- These blades and features are not supported in R80:
  • SmartMap
  • Legacy Management Portal - Web-based management functionality - Similar and more advanced functionality can be implemented with the new API in R80.
  • SmartEvent Intro
  • Session authentication
Upgrade
01887799 In R80, indexing is done by a new process called Indexer. Indexer works similar to SmartLog R77.xx but has its own configuration files stored in $INDEXERDIR directory.
Customers who defined manually indexing configuration from remote Log servers (via LEA) in SmartLog R77.x or below should manually move them to the new configuration files.
To copy settings from SmartLog R77.x configuration files to the new Indexer process configuration files:
  • For SmartLog servers only:
    After upgrading to R80, copy the remote Log servers configured in $SMARTLOGDIR/smartlog_settings.txt file to $INDEXERDIR/log_indexer_custom_settings.conf.

  • For SmartEvent with SmartLog server:
    Remote Log servers configured in $SMARTLOGDIR/smartlog_settings.txt file are not automatically upgraded. Manually configure the Log servers in SmartEvent GUI -> correlation unit policy.
    For more, refer to the R80 Logging and Monitoring Administration Guide.
01815141 Policy revisions are not migrated to R80 Management server during the upgrade process.
01505445 After upgrading to R80, SmartConsole disconnects from the server during the first policy install.
Before a first policy installation on Standalone servers, allow the CPM service in the Services & Applications column of the rulebase.
01868136 After upgrading, the Gateway Properties -> HTTP inspection page shows "Failed to load Plug-in Page: SSLInpectionPage".
To resolve the issue, perform the following on the Security Management server:
  1. Run cpstop
  2. Delete the $FWDIR/conf/newDleSchema.xsd file
  3. Run cpstart
01876717 SmartEvent blade disabled after advanced upgrade to R80 Management. On the Security Management server, run "evconfig" to enable the SmartEvent server.
01732941

After upgrading to R80, there is no visible way to switch between Classic mode and Wizard mode to create a Security Gateway object. New gateways can only be created depending on the setting in Global Properties -> SmartDashboard customization prior to upgrade. To restore both options:

  1. Close all SmartConsole windows.
  2. Connect to Security Management / Domain Management Server with GuiDBedit Tool.
  3. On the Tables tab, open Global Properties -> Properties.
  4. Select the firewall_properties object.
  5. In the Field Name column, select "hide_use_CP_GW_wizard".
  6. Change the value to false.
01970614 After Multi-Domain Server upgrade, the Domain Management Server version and operating system are not updated. You must manually update this information in SmartConsole.
01929622 After upgrading to R80, the Gateways & Servers view does not show version numbers in the Version column. To see the version numbers, open the gateway object for editing, make sure the correct version is selected and click OK.
01905978

In a High Availability deployment of Multi-Domain Security Management Servers, until the MDS that hosts the active Domain server has been upgraded, it is not possible:

  • To edit an administrator assigned to that Domain
  • To edit a client assigned to that Domain
  • To view global assignments of that Domain
01986530 Importing a large SmartEvent database can take a long time to complete. Check the upgrade status for progress.
01972676 CPUSE is not supported for installation of / upgrade to R80.
Networking
01622840 IPv6 addresses for management interface are not supported on R80 Security Management Server.
Gaia
01995629, 01985269
If you refresh the browser while running the First Time Configuration Wizard, or try to run the Wizard twice, one of these messages will show:
  • Cannot install Check Point Security Management Server. Incompatible hardware
  • Internal Error: Cannot install Check Point Security Management Server
  • Cannot install Check Point Security Management Server. Please contact Check Point Technical Support.
After seeing one of these messages, you must reinstall the device or revert to the factory image.
01441743 If you change the members of a Gaia Cloning Group with many members down, you are logged out of the Gaia Portal with an incorrect error message: "Unable to connect to server". The correct message is: "An error occurred while applying configuration change to all cloning group members" - the operation was successful only for online members. This is the normal behavior of the cloning group. This error does not indicate a critical failure.
01967996 When connecting to the network interfaces page in the Gaia Portal, an "Unable to connect to server" error shows. To resolve, disable the Adblock EasyPrivacy extension of the Adblock plus add-on and try again.
01983922 The last stage of the First Time Configuration Wizard takes a long time on some machines.
To see the progress of the First Time Configuration Wizard, the user must check if these files were created on the machine:
  • /etc/.wizard_accepted - means that the First Time Configuration Wizard has finished.
  • /var/log/ftw_install.log - means the First Time Configuration Wizard has started and the user must wait until the file /etc/.wizard_accepted is created.
02415816, 02425190
Different numbers of recommended updates are displayed in R80 SmartConsole and in R80 Gaia Portal. Refer to sk115456.
02483806,
02490757
External NIC is not detected after upgrade to R80 / clean install of R80.
Refer to sk116587.
Security Management Server
02017237 When the Gaia portal on the Security Management server does not use the default port 443, the following issues may occur:
  • Management commands using the GUI do not work.
  • Management commands using the Management command line "mgmt_cli" tool do not work.
  • Management commands using clish do not work.
  • The api status command fails with "test failed" error.
Refer to sk111075.
01786890 If you create an administrator in cpconfig, you must run cpstop and cpstart, as instructed by cpconfig. After cpstart, no administrators are shown in cpconfig. Administrators configured before the upgrade to R80 are also not shown in cpconfig. Manage administrator accounts through SmartConsole.
01999344,
02000493
Login to the Secondary Management from the Management High Availability window fails. Make sure the SmartEvent Server and SmartEvent Correlation Unit blades are not be enabled on the secondary Management object.
01989947 Fail to add a VSX objects (router, switch, or system) from the secondary Multi-Domain Server when the primary server is powered off. The creation wizard fails to open and an "Operation finished successfully message" shows. To resolve the issue, power on the primary Multi-Domain Server and try again.
01536203 When selecting the "Use Gaia administrator: admin" option in the First Time Wizard, it lets to reuse the Gaia administrator password for SmartConsole. If you later change this password in SmartConsole, the Gaia administrator password remains unchanged.
01984835 Connection to the Security Management server after running cpstart command fails.
The cpstart process may not have finished. Give it more time then try again.
01810119 High Availability CLI commands like 'set standby' and 'set active' that are part of the send_command tool, are no longer available.
01989012 Domain server fails to start with "Check valid licence" error message. If licensing is not the issue, make sure the name of the domain server starts with a letter (and not with a number).
01493302 Internal user names must contain only English language characters. Names in other languages (unicode) will show as question marks in the Users and Administrators window.
01861349 "Check your connection settings (Proxy, DNS and gateway)" error shows after IPS and Application Control & URL Filtering update fails if there is no proxy defined.
To resolve the problem, run cpstop and cpstart and try again.
01647690, 01646000 If policy installation fails on R75.20 1100 gateways, the selected version of the gateway object is probably incorrect. Solution: In the gateway object properties, make sure the correct version is selected.
01884883 Publishing fails with validation error regarding unique names. SmartConsole will let you create new objects with the same name as an existing object. But before you publish you must give the object or objects a unique name.
01908530 These commands are not supported in the SmartConsole's CLI: login, logout, discard and publish. Use the SmartConsole GUI instead.
01848420 Applications like Provider.exe and Fwpolicy.exe (SmartDashboard) cannot be used to connect directly to the Security Management server or the Multi-Domain Security Management server.
01861412

When creating a new object with IP address or name of a deleted object, the following message might show:

  1. "There is another network object with the same IP address, are you sure you want to continue?"
  2. "Name already used!"
To resolve the issue, close and reopen SmartConsole.
01859599 After converting a gateway to a cluster member and publishing, this error message shows: "com.checkpoint.management.coresvc.ObjectNotFounfException: Satellite object of type GatewayAggregator not found for core object..."
To resolve, click Discard.
01950023 SIC is not allowed by default with upgraded OPSEC applications (OPSEC applications not compiled with SHA-256 support).
To fix:
  1. On the Security Management server, run: cpca_client set_sign_hash sha1 (refer to sk103840)
  2. Install Database.
01948138 The initial full synchronization of a new High Availability server, either Security Management or Multi-Domain, can take a long time in large environments.
01965750 If you create or delete Domain servers of the same Domain from many Multi-Domain Servers, the Domain can become corrupted, with recovery from Check Point Support required.
01963189 Changing the Security Management server's time, for example using an NTP server, while there are SmartConsole clients connected, may cause the client to disconnect from the server.
01829764, 01381300 For Gateways below R80, 2nd layer behaves like Application Control policy.
01713602, 01626242, 01896195, 01626310 A SmartView Monitor email alert sometimes has a closing "_NextPart_..." boundary, which causes the email to be blocked by some mail servers as spam.
Refer to sk105578.
01896673, 01282706 At irregular intervals, the session information fails to update. To see the most updated session, switch to another view and then switch back.
01968118 Automating a Check Point Management server using the Management API blade is supported only on Gaia OS Management servers.
01964575 Login to primary Domain SmartConsole fails with "Database is locked by another application" error.
To resolve, run the cprestart command on the Security Management Server.
01825584 Sync failure between primary and secondary servers in a High Availability deployment. To prevent this, make sure the interfaces are enabled before starting the processes (cpstart, mdsstart).
01988291 Install database task hangs if SmartConsole is closed before the task completes. Reconnect and install the database again.
01459162 R80 does not support Security Gateway / VSX gateway conversion, or conversion in the opposite direction.
01952495

lvm_manager fails to resize partitions with "ERROR :Cannot kill process (id XXXXX)".

Workaround: Boot the machine into Maintenance Mode and then run lvm_manager.
01984056 "Internal error occurred during the verification process" during policy installation after reverting to a previous policy revision that has a disabled rule with an object that has been deleted since then.
Refer to sk110614.
01990873

In a High Availability deployment, purging revisions causes the High Availability incremental sync to all Standby Security Management servers to fail with "NGM Failed to import data" error message. To resolve the issue, after purging revisions, perform a full sync.

01989615 "Authentication to server failed"error shows when logging in to the SmartEvent server using the local administrator account (created in cpconfig).
Create a new administrator account with a name not used on the remote SmartEvent server or the Multi-Domain server managing the SmartEvent server.
01785216,
01996056
OSE devices are not supported in R80. The Pre-Upgrade verifier warns about this and policy installation from R80 Security Management on an OSE Device fails.
01545489 The CLI command fwm dbexport is not supported. After running the command to export the user database, the process finishes successfully but the file contains only headers, no data.
01986179 Global assignment removal fails with "Object could not be deleted because it is referenced by other objects" error. If the search fails to locate the object in the domain, check each application object in the Domain for a reference to the permission profile specified in the error message.
Refer to sk110630.
02349143, 02349405, 02350931 Although it is possible to create a Time group object with a long name, policy installation fails with "Time objects name cannot be more than 11 characters" error.
Refer to sk113498.
02458624 Migration of Security Management server or CMA R80.x to R80.x Multi-Domain Security Management is not supported.
02459792, 02462601, 02468700 Publishing Gateway objects rewrites manual changes in database.
Refer to sk116194.
02036535, 02483434 "Get Interfaces" in the Cluster object does not update the Topology after changing a physical interface to VLAN interface with the same IP address, or vice versa.
Refer to sk116582.
02512117,
02512194
Wrong license status for 'virtual systems' blade for VSX objects in R80 SmartConsole.
Refer to sk117675.
02530338,
02530675
SMS daemon does not start on startup.
Refer to sk118083.
Multi-Domain Security Management
-

Unsupported Multi-Domain Security Management Domain features:

  • Global VPN Communities
  • Dynamic Global Objects
  • Install policy from Multi-Domain Server - the ability to directly install the policy on all Domain gateways as part of assigning the Global Policy on the Domains is not supported. Install the policy from the specified Domains.
  • For Multi-Domain Log Servers, Remote Log Servers that are not defined as Domain Log Servers are not supported.
01916186 After you upgrade a Multi-Domain Server with a IP address change, you must remove the license with the old IP address. If you do not do this, failures will occur in the License view and on some Management Blades.
01810161 A Security Management server cannot be installed as a secondary Management for a Domain server.
01605414 There is no cross-Domain search for network objects. Search in each Domain for the specific network object.
01995628,
01993689
After a Global policy has been assigned to a Domain, the revert option in the Domain "Network Layer -> History" window no longer functions.
01654519,
01606491
You cannot assign only the Global objects used in a specific Access Control policy or Threat Prevention policy. All the global objects are assigned to the Domain.
01961532 Multi-Domain Management server unexpectedly terminates after assigning a Global policy to a Domain imported using the cma_migrate command. To avoid the issue, run mdsstop;mdsstart after running the cma_migrate command.
01989136 An administrator defined on the Multi-Domain Server, can log in to the Global SmartEvent server in read-only mode only.
To resolve this, connect to the SmartEvent server with the local administrator account (created in mdsconfig), configure the relevant Domains and install the Event policy.
01964862 Some domains might be missing from the drop-down list of the Multi Domain Security Management connection launcher. To resolve this, run: mdsstop;mdsstart
01582933 Private sessions are not synchronized between Multi-Domain Servers. A session that is open on one Multi-Domain Server cannot be seen or moved to a different Multi-Domain Server
01537986 An administrator with Manage Session permissions on a Multi-Domain Server but not on a specific domain, can manage the session from sessions view in the MDS level. Session publish may fail.
01718384 You cannot add licenses from the Multi-Domain Server or Domain Management configuration windows or wizards. To add licenses, click "Manage Licenses and Packages" in the SmartConsole main menu.
01694997 Administrator groups and Domain groups are not supported in R80 and cannot be viewed or used in the SmartConsole.
01891116 In Multi-Domain Security Management, OPSEC application permission profiles are not visible on the Domain's object bar. Use the OPSEC application editor to change the permissions.
01967817, 01982135 The Multi-Domain Management Server must have 4 or more cores.
01954364 When upgrading a Multi-Domain Security Management environment, you can change the IP address of the primary MDM, but not the IP address of secondary MDMs.
01976542, 01980886 Each database can be migrated only once with cma_migrate. If you try to migrate the same database to another Domain Server, migration fails with the "Internal runtime error"... "The folder in the dleObject can't be null." error.
01980812 After you define the SmartEvent object in the global database, first you must assign Global Policy to Domain Servers in order the Domain Level Only administrators can log in to SmartEvent.
01933775 Multi-Domain Super User has no permission to install policy when connected the Domain Server.
Workaround: Restart SmartConsole, connect to the Domain server, and try again.
01987333,
02002922

"Unexpected error" message is shown when an administrator with insufficient permissions on a Domain assigns or reassigns a Global Policy to the Domain.
Make sure the administrator account has the required permissions.

02359963, 02361015, 02361167 Multi-Domain Management server (MDS) creates a snapshot during the OS level backup procedure, causing the backup to fail or be extremely small.
Refer to sk113740.
02486936 FWM daemon becomes unstable when using RADIUS Authentication.
02490895 Getting "Cannot create a new Domain server. Reason: License violation detected: Multi-Domain Server HostName. The license of Multi-Domain Server HostName allows to manage 0 Domain Management/Log Servers. X is already defined" error when trying to create a new Domain.
Refer to sk116499.
02528737,
02529416,
02533097
Several cpsm-domains-X licenses are counted only once.
Refer to sk118316.
Licensing
01909120

These products do not support the new licensing visibility features:

Network Security: Advanced Networking and Clustering, Capsule Cloud and Capsule Workspace.

Security Management: Endpoint Policy Management, SmartPortal, User Directory (LDAP)

Multi-Domain Security Management: Security Domain

Remote Access & Endpoint
01925987 "Licensing status not available for current OS" message shows in the Logs & Monitoring view. SmartConsole does not support licensing information for Windows, SecurePlatform and Virtual Systems. Use the licenses tab in SmartUpdate to see the licensing information for the OS.
01963269 If the SmartEvent Software Blade is activated, but only the SmartEvent Intro license is installed, the License Status shows "N/A".
01961299 The Device and License Status of Threat Emulation is incorrect. Use the Logging -> License Status view.
01934260 When loaded for the first time, web components such as the licensing or monitoring view can take up to thirty seconds to show.
01972866 In the License Status View, the Additional Info column is not available for pre-R80 gateways and servers.
01972951 The proxy that synchronizes license information with the User Center, must be an R80 server.
01951434

On a Pre-R80 SmartEvent NGSE dedicated machine, license information is not automatically updated when Installing Database.

When you enable or disable a blade, one of the following will update the license information with the change:

  • If you force a license update, changes occur immediately.
    To force a license update: On the R80 Management Server, run the following command in Expert mode:
    [Expert@HostName:0]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>
  • Automatic update at midnight
  • If you manually change a license or contract on a dedicated machine, changes take effect within 20 minutes
01972866 In the License Status View, quota information and quota statuses are not available for pre-R80 gateways and servers.
01972797 Automatic license activation on Check Point appliances is not available on pre-R80 appliances.
01972899

On pre-R80 gateways, license information is updated every 20 minutes.
To force a license update, perform one of the following actions:

  • Either install security policy on the pre-R80 gateway

  • Or on the R80 Management Server, run the following command in Expert mode:

    • On Security Management Server:

      [Expert@HostName:0]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>
    • On Multi-Domain Security Management Server:

      [Expert@HostName:0]# mdsenv <Name of Domain Management Server>
      [Expert@HostName:0]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>
01913451

License Data for all supported software blades shows on all machines, even if the blade is not relevant to the role of the machine. For example, license data for the Network Policy Management blade shows on a Log server.

01976925 Automatic license activation on a Multi-Domain Management Server machine works only on the MDS level and not on the Domain level. Add licenses manually for each Domain.
01972917 After installation, the Device License Status shows N/A and the Device License View is not accessible until Install Policy or Install Database is performed. When blades are enabled or disabled, the changes are not visible in the Device LIcense Views and Status until Install Policy or Install Database is performed.
Compliance
01958788 The SmartConsole client is not aware of license or quota changes in real time.
Reopen SmartConsole in Compliance blade to see the license changes.
Quota data changes in the entitlement or Compliance will be updated after:
  • Compliance midnight scan
  • License changes
  • cpstop;cpstart
SmartConsole
- SmartConsole installed on a computer without access to the Internet cannot open Help files. Refer to sk110774.
01854287

"Import Applications / Sites" option (the same feature that was under "Application & URL Filtering" tab - > "Applications/Sites" - > Actions - > Import) is missing in R80 SmartConsole.

01878112 Cannot log into SmartConsole after changing the time in the Gaia Portal.
To resolve the problem, restart the Management server using cpstop;cpstart commands or, for Multi-Domain Security Management, run mdsstop;mdsstart
01944489,
02007657
These rules are not shown in SmartConsole:
  1. Implied rules.
  2. A VPN rule created using the "Accept all encrypted traffic" option in the VPN community object.
01996428

Slow rendering and reaction to user interactions. SmartConsole is a Windows-based application that uses the Windows Presentation Foundation (WPF) for rendering graphics and the user-interface. WPF applications are optimized to work with hardware acceleration. Under certain circumstances, the framework falls back on software-rendering only, causing SmartConsole to render slowly and react slowly to user interactions. This occurs when SmartConsole runs:

  1. Via Remote Desktop session (RDP).
  2. When installed on Windows-Server 2012.
  3. In environments with old graphics hardware drivers.
  4. In virtual environments that lack the required integration with graphics hardware.
01748274 "<VSX object name> is used by another object and cannot be deleted" error in R80 SmartConsole when attempting to delete a newly created VSX object (Virtual System, Virtual Router, VSX Gateway / VSX Cluster).
Refer to sk113932.
01800770 Disconnecting the SmartConsole session while creating or configuring VSX objects, can cause the management database corruption and Administrator will be unable to do any changes with VS.
"Internal Error: Cannot get object XXX from table vs_slot_object" message pops-up.
01864532

After a failure in the VSX cluster creation wizard, if Cancel is clicked, the wizard closes, but the VSX cluster and VSX cluster member objects are not deleted.

Workaround: Delete the VSX cluster and VSX cluster member objects manually.
01652566, 01693617 When publishing remote session, through the Sessions View, there is no option for updating the session name and the description. Before you can publish a session, you must connect to it and set the session name and description.
01931336, 01816368 A customized role that has no write permissions, does not appear as read-only in the session view, although it is actually read-only.
01960696 The Tasks tab -> Script Results supports up to 10,000 characters only.
01953640

"The communication with the server was lost" error shows after pushing the configuration to VSX objects - Virtual Systems, Virtual Routers, and Virtual Switches.
To resolve the issue:

  1. Open the directory where SmartConsole is installed.
  2. Open "SmartConsole.exe.config" file in some advanced editor.
  3. Locate: "<WorkSessionService CloseTimeout="00:01:00" OpenTimeout="00:01:00" ReceiveTimeout="00:01:00" SendTimeout="00:01:00" />
  4. Change all three instances of 00:01:00 to 00:05:00.
  5. Save and close.
  6. Reconnect with SmartConsole.
02053188, 02053623, 02053974 Cannot scroll down to find the relevant gateway in "Satellite gateway" list in IPSEC VPN Star community window. Refer to sk111736.
02066282 Sorting is not correct in the Security Gateways & Servers view in SmartConsole. Refer to sk111846.
02085892, 02088162, 02088167 After creating "interoperable" device and adding it to a star community, cannot add a shared secret password to this device because it is not listed in the "Shared Secret" tab. Refer to sk112182.
02346641,
02351839
In SmartConsole, "Get topology" button is not displayed.
Refer to sk113455.
02279544, 02459709 Different numbers of recommended updates are displayed in R80 SmartConsole and in R80 Gaia Portal. Refer to sk115456.
02034329,
02290957
R80 SmartConsole crashes when FIPS is enabled on Windows OS.
Refer to sk111585
PMTR-10186, PMTR-567  SmartConsole is not disconnected after time specified in SmartConsole -> Manage & Settings -> Permissions & Administrators -> Administrators -> Idle Timeout.
SmartEndpoint
02058477,
02058497
SmartEndpoint GUI error on UserCheck message property. Refer to sk112157.
02062057,
02064416
"Challenge Format" column text, shown in a table within the "Installation" dialog of SmartEndpoint is wrong.
Refer to sk112158.
IPS
01612788 When configuring a Threat Prevention rule to save packet captures, the packets are saved only for Anti-Virus and Anti-Bot. Packet capture is not activated on IPS. Use the IPS Protections window to configure packet capture for individual IPS protections.
01964022

"Internal error occurred" message if you assign/reassign a Global Configuration at the same time that an IPS update is running on a local Domain.

Workaround: First run the IPS update on the local Domain, then assign/reassign the Global Configuration.
- Some IPS protocols from early releases are discontinued. If these are mistakenly included in the Firewall Rule Base, policy installation will fail.
For the list of Deprecated protocols and services that are no longer used by the IPS blade, refer to sk103766
- Snort protections are not supported in R80.
Threat Prevention
01852063 A Forensics Tracking option is shown in Threat Prevention rules. This feature will be supported with R80.x gateways.
01991099 Install policy will fail if the name of the profile contains a forward slash (/). Remove the invalid character.
Application Control / URL Filtering
- Application Control offline updates are supported from command line only.
01835979, 01830427 When the "Categorize HTTPS Sites" option is enabled, accessing HTTP URLs can cause an "Internal System Error" logs in SmartLog and failure to open the web page.
01820710, 01919422 After upgrading to R80, services defined in the Application Control rulebase are overridden with the Application's recommended services.
Refer to sk109711.
01809131, 01824869 Security Gateway might sometimes crash when the user tries to send a failure log of an Application Control event.
02011440, 02014104
Application Control updates fail for SMB appliances 1100 / 1200R / 1400 that are Centrally Managed by R80 Security Management Server.
Refer to sk111073.
SmartEvent
01940335 In R80, you can only define SmartEvent at the global level and then configure it to read logs from one domain or a number of domains. SmartEvent cannot be defined in a specified domain.
01969895 When connecting R80 SmartEvent to an R77.30 Security Management Server, only local administrators (that are configured from cpconfig) are supported.
02101182, 02107751 SmartEvent R80 crashes with core dump while attempting to connect to R77.30 Multi-Domain Management. Refer to sk112238.
02310643, 02310889, 02333477
"No Permissions Events or Reports permissions are required to view this page" error when authenticating with Check Point certificate to R80 Legacy SmartEvent GUI.
Refer to sk113034.
02332081, 02333401
Authentication into R80 Legacy SmartEvent GUI from R80 SmartConsole fails when using Check Point certificates.
Refer to sk113036.
01995448

On a R80 dedicated SmartEvent server which assigned to MDS, when you enable or disable a blade, the license information is not immediately updated. An automatic updates takes place at midnight. To update immediately:

  1. On server's command line, run:
    $CPDIR/bin/esc_db_complete_linux_50 activation_data entitlement_data.

  2. If you manually change a license or contract, the changes take effect immediately.
02331551
Not possible to generate separate report for each Domain Management Server in R80 SmartEvent. Refer to sk113494.
02369957, 02372519
  • Not possible to set a value greater than 250 in the "Number of values (up to)" field of a SmartEvent report
  • Not possible to set a value greater than 2000 in the "Maximum number of logs" field of a SmartEvent report
Refer to sk114193.
02409205
Wrong object name is displayed in R80 SmartEvent Domain-based report when different Domain Management Servers contain objects with identical IP address.
Refer to sk115861.
SmartUpdate
01885225 Gateway packages do not show for Domain gateways, when you open SmartUpdate from the SmartConsole Multi-Domain view. You must connect to SmartConsole for each Domain to see the packages for its gateways.
01885337 You cannot detach a Domain license from the SmartConsole Multi-Domain view. Instead, connect to each Domain with SmartConsole and detach the license there.
SmartView Monitor
00545271
Block Intruder (SAM) is not supported.
SmartLog
- If you upgrade a management server or log server running SmartLog, SmartLog indexing files will be lost. To keep the logs, do one of these:
- Users connected with SmartConsole to specific Domain, will not be able to see Global objects assigned to this Domain in SmartLog logs results, and cannot search by Global objects (but can search by IP address).
- SmartLog Indexing mode is not enabled by default after upgrade or new installation, on Smart-1 205, Smart-1 210, or Open Servers with less than 4 cores.
- A mix of SmartLog Indexing Mode and Non-Indexing mode on Domain Management Servers or Domain Log Servers is not supported.
- To change SmartLog mode from Indexing to Non-Indexing on a Domain Management Server or Domain Log Server, edit the Domain Server object on the Domain level. There is no option to change the entire Multi-Domain Server or Multi-Domain Log Server to Non-Indexing mode.
- The Open Log File Form in the SmartConsole of a Multi-Domain Server will not show log files of Domain Management Servers or Domain Log Servers. You must open SmartConsole to the domain, to open log files.
- If you change a High Availability server to Non-Index mode, you must force a failover to the standby server and then run evstop;evstart from the Expert mode.
If you change a dedicated Log server to Non-index mode, you must run evstop;evstart from the Expert mode.
- You cannot see log files of different servers in Non-Index mode. You must open SmartConsole directly to the Security Management or Log server with the required log file.
- If you connect a SmartEvent R80 server to an R77.x or lower management server, you must enable SmartLog to avoid CPSEMD crashes.
- In SmartLog Non-Index mode: free text search is applied only on specific fields like source, destination, service, etc.. , there is no Top results pane, and the Threat Prevention Rulebases and Profiles logs tab do not show log results.
Logging
02022295
Log export is supported on visible logs only.
02022292 Save As to a log file is not supported
02022294 Fetch local files from a remote machine is available from command line only.
01873374 A "SmartView in not available" message shows after opening a new tab in the Logs & Monitor view.
You may have changed the Gaia port number using the clish command "set web ssl-port".
  1. After setting the Gaia port, open the Security Management object -> General Properties and click "Get".
  2. Save and publish to update the object with the new port number.
01914623 SmartView graphics do not display properly in Internet Explorer. Accessing SmartEvent server from the web (SmartView) is supported only from Google Chrome and Mozilla Firefox.
01847602 Log Server can work in non-index mode to save disk storage, but if you deactivate the "Enable Log Indexing" option in the Log Server object, the following limitations will apply:
  • All Log Servers in the environment must be in non-index mode.
  • There is no unified view for all Log Servers. You must query each Log Server separately.
  • In each Log Server you must open the specific log file to run a search. (Refer to the R80 Logging and Monitoring Administration Guide.)
  • You cannot enable SmartEvent or Correlation Unit.
01945644 Disabling log indexing on a distributed Log server does not stop the indexing processes. To stop the indexing processes, run: cpstop;cpstart.
01986752,
01988662

Connections from SmartConsole to a Multi-Domain log server are not supported. To view logs stored on the Multi-Domain log server, connect to each Domain log server separately.

Note
: if the "lockout administrator account after x failed authentication attempts" option is selected, failed attempts to login to the Multi-Domain log server will also lock the administrator out of the Domain Log server. To resolve, run the "unlock-administrator" command on the API command line.

01964600 Correlation units can be added to a remote Log server in this way only:
  1. In SmartConsole, edit the Correlation unit object and configure it as a Log server.
  2. On the SmartEvent server, go to the Correlation unit policy configuration and configure the Correlation unit on the SmartEvent server to read the logs from the remote Log server configured in step 1.
- In a Multi-Domain Management environment, you cannot have a dedicated Log server for a specific Domain/CMA.
  • Workaround: configure a Multi-Domain Log servers with only one CLM.
Mobile Access
01244809, 01386596, 01353737, 01244809, 01294173 SSL Network Extender in Application Mode does not support applications that connect to IPV4-mapped IPV6 addresses.
Refer to sk97444.
01659093 If the "Policy Source" of a Mobile Access gateway is configured to "Unified Access Policy", rules that contain Network Object with IPv6 addresses are not matched by the Mobile Access blade.
01184657, 01356327 Disabling the Floating Navigation Bar (FNB) via GuiDBedit Tool does not disable the FNB in the Web Application.
Refer to sk109254.
01595256, 01586057 The Mobile Access Portal does not support Web-Form SSO for Citrix StoreFront Web interface.
01942470, 01930132, 01941216, 01938019, 01952790, 01929775, 01881116, 01945563, 01883785, 01931914 Removed ECDHE from the CURL cipher proposal list.
VPN
01311326, 01455241, 01357377 When using a VPN client, activity logs are not generated for ICMP traffic.
01874986 Convert Traditional VPN to Simplified is not supported.
Desktop security
01940363 "Desktop Security policy is empty. At least one rule should be configured. Desktop policies will not be installed on Policy Servers." error shows during policy install when removing a Desktop policy (that was imported with a policy package) and adding it back.
Refer to sk110656.
QoS
- Convert QoS from Express to Traditional is not supported.
Small and Medium Business Appliances (SMB)
01921211 R80 Security Management cannot manage Security Gateway 80 appliance with a firmware version that is lower than R75.20
01939263 If there is a "Commit function failed" error on policy installation failure on 1100 series appliance, refer to sk105217. With R80 Management, make sure that "Optimized profile" is selected and that only the server protections are deactivated.
01914944, 01917280 SIC error status might occur when the gateway object is defined in a "Management first" scenario before it is deployed, but the device's IP address is already accessible. The Security Management tries to create SIC with the gateway's IP address. Instead of the policy ending in a "waiting for first connection" status, an error message states the SIC status must be rectified first.
vSEC Controller
02160116 Upgrade from vSEC Controller R77.30 with Data Center objects to Security Management Server / Multi-Domain Security Management Server R80 is not supported.
Refer to sk109796.
VSX
02166135, 02166160 "vsx_util vsls" command fails with "Failed to redistribute the virtual systems. Can't save database." error on R80 Management Server.
Refer to sk115029.
60000 / 40000 appliances
02506836 R80 is not able to manage 60000 / 40000 appliances running R76SP.40 and above, when Threat Emulation blade is enabled.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment