Check Point R80.10 Resolved Issues
Solution

This article lists all of the issues that have been resolved in R80.10.

Important notes:

 

Table of Contents

  • Upgrade
  • Security Gateway
  • Gaia
  • Licensing
  • Security Management
  • Multi-Domain Security Management
  • Endpoint Security Server
  • HTTPS Inspection
  • IPS
  • DLP
  • Threat Prevention
  • Identity Awareness
  • Application Control & URL Filtering
  • Anti-Virus
  • SmartConsole / Management Console
  • SmartEvent
  • SmartView Monitor
  • SmartLog
  • Logging
  • SmartUpdate
  • Dynamic Routing / Advanced Routing
  • Mobile Access
  • VPN
  • Cluster
  • SecureXL
  • CoreXL
  • VSX
  • Desktop Security
  • VoIP
  • SNMP



ID Symptoms
Upgrade
01970614 After Multi-Domain Server upgrade, the Domain Management Server version and operating system are not updated. You must manually update this information in SmartConsole.
01972676 CPUSE is not supported for installation of / upgrade to R80.
Security Gateway
02100543,
02358434
Enhancement: Enabled interactive options (ASK/INFORM) with UserCheck External portal.
01873031,
02296621,
02387645,
02403039
"Via" field in HTTP Request sent to a web server by Security Gateway in Non Transparent proxy mode contains incomplete HTTP version.
Refer to sk108900
01710137, 01848363, 01707360, 01856715 Issues with traffic and with web pages when Security Gateway is configured in Proxy Non-Transparent mode.
Refer to sk106663.
01822697,
01820334,
01821023,
01958358
Security Gateway crashes after running the 'cpstop' command if MSS Adjustment (Clamping) for IPsec VPN traffic is enabled (fw_clamp_vpn_mss=1) per sk101219.
02327295,
02220666
Cannot connect to FTP from a Windows 10 client. This happens either when DLP is enabled, or when the following are used in the Rule Base: 'User Auth' or 'Client Auth' Action, or a 'Service With Resource'.
02057072, 02049251 In SmartDashboard, the "Hits" counter in a specific rule does not increase even though traffic was matched to this rule.
Refer to sk115098.
01778083, 01707477, 01584203, 01709063, 01709301 Out of bound memory allocations/freeing prevented if memory corruption occurs.
Refer to sk110344.
02109271,
01885201
Unresolved Dynamic Object causes NAT rule matching to fail and packet drop.
Refer to sk109216.
01745741, 01746482, 01780378, 01744553, 01734383 Security Gateway might crash in some scenarios when inspecting H.323 traffic.
Refer to sk107184 and sk106994.
02106730,
02025743
Automatic SIM Affinity does not use all the cores on Open Servers with a multi-core license that allows fewer cores than the server has.
Refer to sk110422.
02219375,
01991091
On Open Servers with a default affinity configuration and limited Multi-Core licenses, the $FWDIR/scripts/fwaffinity_used_cpus script returns an incorrect output.
Refer to sk110940.
02062053 When accessing a web server through a Security Gateway in Non-Transparent Proxy mode without the next proxy, this error shows: "Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection without sending any data".
Refer to sk111741.
01644740, 01680224, 01689641, 01712179, 02165363, 02200445 ISP Redundancy in Load Sharing mode is disabled when Non-Transparent Proxy is defined.
Refer to sk111678.
02410825,
01902041
When SQLNET2-1521 is used in the rule base, SQLNET2 traffic that contains a REDIRECT request is dropped by the Firewall.
Refer to sk110078.
02103719,
01911675,
02107359,
02103172,
02014173
Memory leak in CPD daemon (cpmon). Users occasionally see N/A as the device status.
02337597,
01696483
Customized HTML pages for Legacy Client Authentication are not displayed.
Refer to sk106583.
Gaia
01997585 Enhancement: Improved log file rotation.
Refer to sk93505.
01342543 Cannot add role names with more than 30 characters. (Maximum role name length is now 128 characters).
02384157,
01885860,
02384114
Due to a missing driver, resetting the Gaia admin password using an Emergendisk USB flash drive fails on some appliances.
Refer to sk92663.
02382304,
02366831
Updated time zone package tzdata 2016g: Turkey's Daylight Saving Time (DST) is permanently cancelled since Sep 2016.
Refer to sk114037
02453635,
02451884
Security Gateway with PIM Sparse-Mode registers multicast traffic for non-local subnets.
Refer to sk115852.
02361028,
02045637
MAC address for Bond interface changes after reboot. After the reboot, the Proxy ARP table is not loaded. Bond interfaces that use different MAC addresses are no longer up to date.
01992034,
02007961,
02007928,
02018541,
02103280,
02409788
Logjam vulnerability (CVE-2015-4000), which tricks servers into using weaker 512-bit keys that can be decrypted.
  • Issue resolved by disabling the Diffie-Hellman-sha1 key exchange algorithm by default in /etc/sshd_config. If you need to restore the algorithm, add "LegacyKex=1" to the /etc/sshd_config file.
Refer to sk106147.
01938317, 01704725, 01702790, 01935921 "libdb set: missing or invalid argument" error in Gaia Portal when creating snapshot.
Refer to sk106646
01691878, 01693135, 01692055, 01709890, 01692050 "This page is currently in read only mode, the requested action cannot be performed" message appears in Gaia Portal when logging in with the TACACS+ user and clicking on the "Enable TACACS+ authentication" button at the top.
Refer to sk106324.
01816851 Enhancement: In Gaia R77.30, RIP MD5 authentication does not work if configured through clish.
During upgrade from such systems to R80, you may see the following log message "RIP MD5 auth config on eth13, which didn't work in R77.30 due to a bug, is being removed, to avoid loss of connectivity. If needed, re-set the RIP MD5 secret."
If you see this message, check the settings for RIP MD5 secret.
01832307,
01670224,
01619301,
01619525
Temporary short traffic outage on Check Point appliance running Gaia OS when viewing and clicking one of the options in Gaia Portal - "Maintenance" section - "Hardware Health" page.
Refer to sk105563.
02395036,
02334826
Commands executed in Gaia OS on VSX Gateway are logged to the /var/log/messages file. The commands do not contain the VSID of the Virtual Systems for which the commands were executed.
Refer to sk113128.
02059192, 02361963 Changing the IP address of the management interface on appliances ends in error: "Wrong IP Please try again".
Refer to sk106447.
02085712, 01806088, 01806618 RADIUS users with CLISH as default shell cannot log in via SSH.
Refer to sk107648.
02360892 Random traffic outage when a fail-over occurs in 3rd party Cluster in the following topology:
[Check Point machine on Gaia OS / SecurePlatform OS] -- [3rd party Cluster, e.g., Citrix NetScaler cluster]
Refer to sk106852.
02124891,
02107584
Improved policy installation stability on appliances with a SAM card.
02168812,
02046467
After installing R77_30_jumbo_hf Take 111, or after a fresh install on 15000 / 23000 appliances, multi-queue interfaces cannot be set via the WebUI, but can be set via CLI.
The "Performance Optimization" page in Gaia Portal is either stuck at the "Please wait a few moments while the data is loaded..." message, or freezes when applying changes to CoreXL or Multi-Queue configuration.
Refer to sk112897.
02011822,
02074215,
02025040,
02015364,
02075570
clish and cpmon cannot detect a Power Supply Unit attached to the Check Point appliance.
02360993,
01961177
The "Network Interfaces" page in the Gaia Portal does not load if the text string "NAN" or "inf" is saved in the interface's "Comment" field.
02078869,
01950634
RouteD daemon on the active cluster with configured PIM might terminate after a peer cluster member is rebooted.
01995629, 01985269 If you refresh the browser while running the First Time Configuration Wizard, or try to run the Wizard twice, one of these messages will show:
  • Cannot install Check Point Security Management Server. Incompatible hardware 
  • Internal Error: Cannot install Check Point Security Management Server
  • Cannot install Check Point Security Management Server. Please contact Check Point Technical Support. 
After seeing one of these messages, you must reinstall the device or revert to the factory image.
01691878,
01692055
Cannot enable TACACS options after TACACS user authenticates via webUI.

01687266,
01688974 

"IMAGE MANAGEMENT: going to restore system image ..
Error: 'Couldn't connect to /tmp/xgets: No such file or directory" message when reverting to a Snapshot, or to Factory Defaults (FCD).
01673299 SecurePlatform WebUI "Snapshot" page looks corrupted.
01989855,
02297237,
02482697
confd process stuck in deep sleep mode.
02356738, 02365245, 02357833 confd process crashes with a core dump file when collecting the CPinfo command file.
Refer to sk113750.
02332735,
02456323,
02335269
"unknown devices" errors in /var/log/messages file on HP G9 open server with 4th generation Xeon CPUs.
02039589 If the backup schedule is changed to an invalid date or time, all backup schedules are lost.
Error message will be displayed: "Backup schedule failed. The backup will not be scheduled".
Licensing
01913451 License Data for all supported software blades shows on all machines, even if the blade is not relevant to the role of the machine. For example, license data for the Network Policy Management blade shows on a Log server.
Security Management
02333225,
01922555
Packages uploaded with SmartUpdate or the cppkg command cannot be found in the file repository, and installation fails.
01861412

When creating a new object with IP address or name of a deleted object, the "There is another network object with the same IP address, are you sure you want to continue? Name already used!" message pops up.

01713602, 01626242, 01896195, 01626310 A SmartView Monitor email alert sometimes has a closing "_NextPart_..." boundary, which causes the email to be blocked by some mail servers as spam.
Refer to sk105578.
01990873,
02006998

In a High Availability deployment, purging revisions causes the High Availability incremental sync to all Standby Security Management servers to fail with "NGM Failed to import data" error message.

  • To make the fix work, purge all old revisions from the specific Security Management / Domain.
02017237 When the Gaia portal on the Security Management server does not use the default port 443, the following issues may occur:
  • Management commands using the GUI do not work.
  • Management commands using the Management command line "mgmt_cli" tool do not work.
  • Management commands using clish do not work.
  • The api status command fails with "test failed" error.
Refer to sk111075.
01896673, 01282706 At irregular intervals, the session information fails to update. To see the most updated session, switch to another view and then switch back.
01968118 Automating a Check Point Management server using the Management API blade is supported only on Gaia OS Management servers.
01785216,
01996056
OSE devices are not supported in R80. The Pre-Upgrade verifier warns about this and policy installation from R80 Security Management on an OSE Device fails.
02349143, 02349405, 02350931,
02414309
Although it is possible to create a Time group object with a long name, policy installation fails with "Time objects name cannot be more than 11 characters" error.
Refer to sk113498.
02103761,
02001366,
02103175,
02103182,
01911675
Improved CPD daemon stability that caused policy installation failure.
Refer to sk111880.
01984835,
02049194
Failed to connect to the Security Management server after running cpstart.
01647690, 01646000 If policy installation fails on R75.20 1100 gateways, the selected version of the gateway object is probably incorrect.
  • In the gateway object properties, make sure the correct version is selected.
Multi-Domain Security Management
-

The following Domain features are supported starting from R80.10:

  • Dynamic Global Objects
  • Install policy from Multi-Domain Server - the ability to directly install the policy on all Domain gateways as part of assigning the Global Policy on the Domains is not supported. Install the policy from the specified Domains.
01961532,
01998271
Multi-Domain Management server unexpectedly terminates after assigning a Global policy to a Domain imported using the cma_migrate command.
02061008,
01933775
Multi-Domain Super User has no permission to install policy when connected to the Domain Server.
  • Workaround: Restart SmartConsole, connect to the Domain server, and try again. 
02359963, 02361015, 02361167 Multi-Domain Management server (MDS) creates a snapshot during the OS level backup procedure, causing the backup to fail or be extremely small.
Refer to sk113740.
02423360,
02425735
A snapshot is created when the Multi-Domain Server is backed up, causing the backup to fail, due to size.
Endpoint Security Server
02058477,
02058497
SmartEndpoint GUI error on UserCheck message property.
Refer to sk112157.
HTTPS Inspection
02411541,
02031602
Enhancement: Minimum and maximum SSL/TLS versions are enforced on HTTPS inspection connections.
02506753 When the probe bypass feature is enabled, sites that fail the probe do not show in the browser. This behavior is intended for security.
02329308, 02372288, 02386581, 02337643, 02350226, 02338417, 02379483, 02386578, 02378512, 02413808 Improved stability of Security Gateway while connecting to some web sites with HTTPS Inspection enabled.
Refer to sk113873.
02158026,
01897723;
02157957, 01921664
Specific HTTPS sites that use ECDHE ciphers are not accessible when HTTPS Inspection is enabled. ECDHE curves using 384 bit keys are not supported.
Refer to sk110883.
02413999,
02267698
Some sites do not load when HTTPS Inspection is enabled, if TLS 1.2 with ECDHE is used.
Refer to sk112954.
02507729, 02449969 Some sites do not load correctly in Chrome when SSL inspection is enabled.
Refer to sk115877.
IPS
- Snort protections are not supported in R80
02336619,
02333892
Outage after IPS database upgrade and install policy.
Refer to sk113251.
DLP
01980215 UserCheck Daemon sends notifications for DLP portal that are not marked as quarantined. In such a case, DLP will send "your emails are about to expire" notifications for incidents which were not quarantined.
01560455,
01692002
Downloaded file can be bypassed instead of blocked by DLP when the Anti-Virus blade is working on the same connection.
Threat Prevention
01991099 Install policy fails if the name of the profile contains a forward slash (/).
Identity Awareness
01916487 Enhancement: You can configure the time interval of the terminal server Identity agent (MUH agent) to scan the OS process list and update the "User - process" mapping.
02032343,
01987753
Enhancement: Support for MUH authentication of UPN formats, for terminal server users.
02203036,
02005632
The Identity Agent does not identify machine information under some conditions.
01868691, 01831743, 01868655, 01852689, 02182578, 02438756, 01842394, 01866902, 01868652, 01835922, 01868710, 01842525 Policy installation on Identity Awareness Gateway fails randomly.
Refer to sk108290.
02049522,
01981012
Identity Agent Packet Tagging does not function in specific scenarios.
02049469,
01896256
Improved Security gateway stability when agent connects to the portal for the first time.
01924855,
01511858
Automatic update of LDAP group membership does not work in multiple users update.
01916538,
01542830
Client creates empty cookie requests from known portals.
02055789,
01631923
IDA groups are not updated automatically if the LDAP cache is activated and the changed user is in the cache.
Application Control & URL Filtering
- Application Control offline updates are supported from command line only.
02310196, 02323510, 02334185, 02323506, 02329183, 02330718 When Security Gateway is configured as proxy, Skype is blocked by Application Control.
Refer to sk113124.
01835979, 01830427 When the "Categorize HTTPS Sites" option is enabled, accessing HTTP URLs can cause "Internal System Error" logs in SmartLog and failure to open the web page.
01871981, 01875943 FTP traffic speed decreases when Application Control blade is enabled.
Refer to sk109012.
02030331,
02011440,
02014104
Application Control updates fail for 1100 / 1200R / 1400 Small Office Appliances that are centrally managed by R80 Security Management Server.
Refer to sk111073.
01843029 UserCheck block page is not shown when some sites are blocked and HTTPS Inspection is on.
Refer to sk110689.
01872944,
01907475
Users occasionally are not able to access HTTPS sites when the "Categorize HTTPS sites" option is enabled.
Refer to sk109581.
Anti-Virus
02336228,
01680856
Improved stability of Security Gateway's CPD process during an Anti-Virus update.
Refer to sk110684.
SmartConsole / Management Console
01381144 Access roles objects are not synchronized with the Log server. Refer to sk112359.
01854287 "Import Applications / Sites" option (the same feature that was under "Application & URL Filtering" tab > "Applications/Sites" > Actions > Import) is missing in R80 SmartConsole.
Refer to sk111054.
01944489, 02007657 Implied rules are not shown in SmartConsole.
02346641,
02351839
In SmartConsole, "Get topology" button is not displayed when Windows zoom is set at 125% / 150%.
Refer to sk113455.
01785636,
02297484,
01907657
When cloning an interoperable Device in SmartDashboard, the following error is displayed and the name cannot be changed: "Rename is not allowed because the object contains shared secrets. First, remove the shared secrets from the object and click OK."
Refer to sk107455
02333171,
01851861
Prompt to save Rule Base changes does not appear within Application & URL Filtering and DLP tab.
Refer to sk109813.
02104312,
02053188, 02053623, 02053974
Cannot scroll down to find the relevant gateway in "Satellite gateway" list in IPSEC VPN Star community window.
Refer to sk111736.
02066282,
02104255,
02100655
Sorting is not correct in the Security Gateways & Servers view in SmartConsole.
Refer to sk111846.
02085892,
02189659,
02088162, 02088167,
After creating "interoperable" device and adding it to a star community, cannot add a shared secret password to this device because it is not listed in the "Shared Secret" tab.
Refer to sk112182.
02509228,
02508478
When upgrading with Traditional mode VPN, allowed Peer Gateway is set to Any instead of the object it was defined with.
02297625,
01964494
SMTP page is missing on VSX Cluster Object (VSX Cluster Properties > Other).
Refer to sk110266.
SmartEvent
02310643, 02310889, 02333477, 02445895, 02328886 "No Permissions Events or Reports permissions are required to view this page" error when authenticating with Check Point certificate to R80 Legacy SmartEvent GUI.
Refer to sk113034.
02369957, 02372519 Not possible to set a value greater than 250 in the "Number of values (up to)" field of a SmartEvent report. Not possible to set a value greater than 2000 in the "Maximum number of logs" field of a SmartEvent report.
Refer to sk114193.
01969895,
02008340
When connecting R80 SmartEvent to an R77.30 Security Management Server, only local administrators (that are configured from cpconfig) are supported.
SmartView Monitor
02423908,
01684937
SmartView Monitor unexpectedly terminates when opening the FireWall History report.
Refer to sk106449.
SmartLog
- The Open Log File Form in the SmartConsole of a Multi-Domain Server will not show log files of Domain Management Servers or Domain Log Servers. You must open SmartConsole to the domain, to open log files.
- If you change a High Availability server to Non-Index mode, you must force a failover to the standby server and then run evstop;evstart from the Expert mode.
If you change a dedicated Log server to Non-index mode, you must run evstop;evstart from the Expert mode.
- You cannot see log files of different servers in Non-Index mode. You must open SmartConsole directly to the Security Management or Log server with the required log file.
- If you connect a SmartEvent R80 server to an R77.x or lower Management server, you must enable SmartLog to avoid CPSEMD crashes.
Logging
01945644 Disabling log indexing on a distributed Log server does not stop the indexing processes. To stop the indexing processes, run: cpstop;cpstart.
01986752,
01988662

Connections from SmartConsole to a Multi-Domain log server are not supported. To view logs stored on the Multi-Domain log server, connect to each Domain log server separately.

Note: If the "lockout administrator account after x failed authentication attempts" option is selected, failed attempts to log in to the Multi-Domain log server will also lock the administrator out of the Domain Log server. To resolve, run the "unlock-administrator" command on the API command line.

SmartUpdate
01885337 You cannot detach a Domain license from the SmartConsole Multi-Domain view. Instead, connect to each Domain with SmartConsole and detach the license there.
Dynamic Routing / Advanced Routing
01632138,
01413772,
01414025
VRRP cluster member on Gaia OS crashes when using 'arping' command.
Refer to sk101087.
02080671,
01622407
PIM SM outgoing interface deleted shortly after cluster members reboot.
02292458,
01976708,
01976875
Improved routed stability while enabling RIP.
Refer to sk110616.
00265762,
01294197
Output of the "show ospf interfaces" CLISH command shows DR/BDR Router IDs in the column titled Interface, which is confusing.
00265732,
01322631,
00265680
When configured to use the default value for BGP peer weight, WebUI, Advanced Routing section shows an empty value.
00266235,
01181005
CLISH command "set igmp interface router-alert" does not show autocomplete options ON and OFF when pressing the Tab.
02386072,
02110490
Improved routed daemon stability while PIM is configured and machine is rebooted when all network cables are disconnected.
Refer to sk112251.
01901962, 01932737 Loopback address is not allowed as a source address in Netflow configuration.
01980694, 01989783, 01989782, 01993946 Routes redistributed by Gaia OS to BGP peer are sent without BGP community value.
Refer to sk110563.
00266239,
01183378
On and Off options do not show up in autocomplete or in help for the "set ipv6 rdisc6 interface <mgmt._interface> on-link" command.
02364752, 02358210, 02364750 VRRP Backup member on Gaia OS sends BGP traffic to BGP peers.
Refer to sk114265.
00265869,
01319236,
00265679
When pressing question mark at the end of the "set ping interval" command, the clish help incorrectly shows the default value of 30, instead of 10.
02347309 When using two or more routes with a different priority, the ping counter shows incorrect values. With each configuration change, the ping counter for the static route resets and prevents removal.
00266243,
01158325
Output of the "show pim neighbors" clish command shows only time, but not the date of user creation.
00266241,
01187431
clish Help of the "set igmp interface query-response-interval" command shows "(null)" in the last line of the output.
00266246,
01192221
Output of the "show ipv6 route bgp aspath" clish command is not aligned.
00265810,
01346684
Output of the "show commands feature router-options" command shows "show router-options" twice.
01395305 Autocomplete of the following commands is missing the "all" option:
  • show route aggregate 
  • show route bgp 
  • show route direct 
  • show route kernel 
  • show route ospf 
  • show route rip 
  • show route static 
  • show ipv6 route aggregate 
  • show ipv6 route bgp 
  • show ipv6 route direct 
  • show ipv6 route kernel 
  • show ipv6 route ospf3 
  • show ipv6 route static 
00266231,
01183576
When pressing Tab after entering the "set ipv6 static route nexthop gateway" clish command, no autocomplete values are listed.
02008843,
01943294
Logs show that Active member drops PIM packets from Standby member due to address spoofing.
Refer to sk110015.
01778857, 01783081 Security Gateway on Gaia OS with configured Dynamic Routing and ECMP might freeze when an interface is added/removed.
Refer to sk107418.
02080673,
01946518
Security Gateway randomly stops forwarding the IGMP/PIM Sparse Mode multicast traffic.
Refer to sk106858.
02080688,
01940689
Cannot change OSPF settings in the Gaia Portal with Internet Explorer (IE) browser.
Refer to sk109946.
Mobile Access
01931354 Enhancement: Proxy Settings for DynamicID authentication are configured in the Gateway's Proxy Settings. In earlier versions it was configured in the Mobile Access Proxy Settings.
01736208,
01738947
Web Form SSO with configured login page does not work.
Refer to sk107254
02372424,
02379680
When Mobile Access is enabled, proxy traffic is matched by implied rule instead of explicit security rule when HTTP/HTTPS Proxy is configured on the Security Gateway.
Refer to sk114453.
VPN
02413890,
02107058
Enhancement: Improved usability for tunnel management in the CLI.
01521101,
01495114
Enhancement: SSLv3 is not supported due to security vulnerabilities in the protocol.
01538720,
00160508
Enhancement: IPSec VPN Gateways can act as NAT-T initiators.
01469356,
01977237
Enhancement: PKCS#10 certificate requests are signed with SHA 256 by default.
01695487,
01425219
If a gateway is configured for NAT and belongs to a community with IKEv2, the IKEv2 negotiation fails sometimes.
01676457,
01677149, 02411493
Enrolling a certificate using SCEP from the external CA based on Windows Server 2008 and above fails because SCEP replies are assumed to be using MD5 regardless of the hash algorithm used in the request.
Refer to sk106405.
02372395,
02052250
RIM routes are not removed when a MEP node fails.
02411149,
01936893
The vpnd executable accepts SSLv3 on Windows platform.
01471620, 01471913, 01492978 If Visitor Mode port is changed, Endpoint Security VPN cannot establish site.
Refer to Scenario 3 in sk128652.
01429354,
01534246
If multicore support for SSL is enabled, VoIP inspection over SSL Network Extender tunnel does not work.
Note: Multicore SSL is always enabled in R80.10.
01455936, 01456884, 01571134, 02411552 Authentication to SSL Network Extender or Check Point Mobile VPN with 3rd party certificate fails.
Refer to sk33319.
01940333, 02332728, 02332725 "Warning: on gw 'Name_of_Security_Gateway', for the range (127.0.0.1, 127.0.0.1), peers were found in communities 'Name_of_Community_1' and 'Name_of_Community_2', peers from the second community will be ignored" message during policy installation.
02411549 IKE negotiation fails when using certificates from subordinate CAs.
02010580, 02277594, 02338534, 02333130, 02333130 Traffic over VPN tunnel does not pass for several seconds during or after policy installation on Security Gateway (which causes traffic loss).
Refer to sk55244.
01957717,
01503096
When "Accept All Traffic" option is enabled on a VPN community, it is not applied to VSX clusters or cluster members.
02410942,
01896799
If a RADIUS user belongs to 15 or more runtime RADIUS groups, the user cannot connect to the VPN site.
Refer to sk109336.
02430215 Improved stability of vpnd daemon during policy installation.
ClusterXL
01383377,
01413125,
01450163,
00267167,
01458523,
01458527
Active member in ClusterXL HA Primary Up mode running on Gaia OS frequently reboots when PIM SM is configured and multicast traffic is passing through.
Refer to sk99042.
02079428,
02394915,
02104201
ClusterXL member in Load Sharing mode with installed SAM card might crash when an interface is administratively shut down (e.g., with ifconfig ethX down command).
01954267,
01993970
Previously reachable BGP routes are still advertised to BGP peers on ClusterXL after switch that connects these members goes down.
02435504,
02388344
Syslog does not generate an alert when the cluster member's state is changed from 'Active' to 'Active Attention'.
01820037,
01877245
ClusterXL member's state changes to 'Ready' after sending an invalid CCP packet.
02510466,
02512536,
02512651,
02054768
"RTGRTG0019  VRRP: System not ready or invalid configuration. Please retry later" error when running Gaia Clish command "show vrrp".
Refer to sk112580.
01780069, 01995597;
02501075
ClusterXL Virtual MAC (VMAC) mode and Cisco Conversational MAC Learning are not compatible. 
Refer to sk117412.
SecureXL
01827637,
02029717,
02009223
Low performance on Security Gateway configured in Monitor Mode (Mirror Port mode) per sk101670.
Refer to sk112798.
02020740,
02292137
Security Gateway with enabled SecureXL might crash during policy installation.
Refer to sk111411
01574329,
01844422,
01973806,
01973814
Gaia OS on Check Point 21000 series appliance with SAM card becomes unresponsive when trying to delete a VLAN interface after passing multicast traffic through that VLAN interface.
Refer to sk115420
01844426,
01780689
Multicast receivers do not receive packets when they join and leave multiple times.
01522999,
01458115
SAM cards do not pass traffic correctly in SecureXL Pivot Mode in an Active/Active configuration.
01969527,
01861402,
01846041,
01852946,
01846244
In VMAC mode, multicast traffic that is received on a standby member is dropped. This can cause stability issues on the cluster member.
Refer to sk108502.
01885675,
01916638,
01885670,
01883395,
01885675
ClusterXL in Load Sharing Unicast mode drops traffic sent to IP addresses X.X.X.255 (last octet is "255", but is not a broadcast address on this network).
Refer to sk107853.
01942468,
01893950,
01893952,
01908788
When NAT is configured on the network/host where SecureXL is enabled, not all entries in SecureXL Connections Table (run 'fwaccel conns' command) are deleted after the "UDP virtual session timeout" when traffic is stopped. The non-deleted entries will not expire. This issue applies when the traffic is multicast from an internal NATed network.
01392081,
01476360,
01392620,
01523990
SecureXL does not accelerate IPv4 packets with VLAN tag on Security Gateway in Bridge mode when IPv6 is enabled.
Refer to sk100170.
02372653,
02468724
Check Point 21000 series appliance with SAM card is not able to boot after installing Take 210, Take 213 or Take 216 of R77.30 Jumbo Hotfix Accumulator.
Refer to sk116070
01845461, 01853546; 01906167 Check Point 21000 series appliance with SAM card might crash during policy installation.
Refer to sk108643
01825599,
01847635
Check Point 21000 series appliance with SAM card might crash due to removal of Layer 2 header by SAM card.
Refer to sk108652
01848202,
01850540
Check Point 21000 series appliance with SAM card might crash while handling fragmented TCP packets.
Refer to sk108589
01769402,
01777881,
01771790
Multiple "cphwd_pslglue_can_offload_template: error, psl_opaque is NULL" errors in /var/log/messages file.
Refer to sk107258
01554849,
01576112,
01611699
TCP packets are not dropped as Out-of-State when SecureXL is enabled.
Refer to sk104557.
01385943, 00266287;
01463835,
00267250
TCPdump shows wrong IP addresses for NATed traffic when SecureXL is enabled.
Refer to sk100194
01919249,
01915798,
01915162
Output of "fwaccel stat" command shows: "Accelerator Status : off by Firewall (too many general errors (NUMBER) (caller: Name_of_Function))".
Refer to sk100467 (Scenario 3 - "UDP traffic causes too many general errors"). 
01506385,
01501271
When the DHCP relay and Drop templates are enabled, SecureXL is automatically turned OFF.
For more information, see scenario 2 in sk100467.
01397083,
01397729,
01638997
SAM card stability issue on Check Point 21000 appliances during boot if the number of configured CoreXL FW instances is equal to the number of CPU cores on the appliance (e.g., there are 16 CPU cores, and 16 CoreXL FW instances were configured).
Refer to sk100546.
02081183 NAT is not applied by the Security Gateway to multicast packets in the following scenario:
  1. SecureXL is enabled on Security Gateway
  2. NAT is configured for multicast sender as "Hide behind Gateway"
As a result, the multicast receiver host gets the original IP address of the multicast sender.
01893950,
01893952,
01908788,
01997516
When NAT is configured on the network/host where SecureXL is enabled, not all entries in SecureXL Connections Table (run the fwaccel conns command) are deleted after the "UDP virtual session timeout" when traffic is stopped.
02433949,
01719131,
01957088
During policy installation or signature updates, if there are medium path connections, stability issues may occur when SecureXL is turned OFF and ON.
Refer to sk106934.
02399154,
02368502
There is a stability issue after policy installation when SecureXL is enabled.
Refer to sk114153.
02080447, 01952690,
01906737
SAM Card error statistics were not available immediately after the reboot.
02389980,
02383351
Stability issue on Cluster members when the SecureXL SIM NAC feature is disabled and SecureXL is restarted.
Refer to sk114424 for more information.
VSX
01319800, 01347115, 01347125, 01347130, 01360704, 01369939 After running the "vsx_util reconfigure" command on Security Management Server / Domain Management Server for a VSX gateway, in a rare scenario, the output of the 'vsx stat -v' command on the VSX gateway shows Virtual Systems with 'InitialPolicy' and/or 'No Trust'.
Refer to sk98311.
01809452 Sporadic packet drops in SecureXL when the virtual system is in bridge mode.
01880104, 01830381 Rare crash of the FWK process on a VSX Gateway with the IPS blade enabled and the "Non-Compliant HTTP" protection activated.
Refer to sk108192.
01449721, 01725440, 01396841, 01495166, 01396472, 01619725 After running the 'cpstop;cpstart' commands on the Standby VSX cluster member, the output of the 'cphaprob -a if' command shows the following state of the Sync interface configured on a Bond interface:
  • 'UP' in the context of VSX itself (VS0).
  • 'DOWN' for each Virtual System.
Refer to sk100450.
01513312,
01528076,
01470302,
01770848
Enhancement: This release includes improved support for multicast acceleration in VSX.
01712482, 02360975, 02297100, 01894637, 01782778, 01714649, 02366381 Adding a static ARP entry in a Virtual System does not survive reboot.
Refer to sk106794.
02411964,
02166135, 02166160
"vsx_util vsls" command fails with "Failed to redistribute the virtual systems. Can't save database." error on R80 Management Server.
Refer to sk115029.
01510367,
01615464, 02082365
When re-installing a VSX cluster member and using 'vsx_util reconfigure' to build it, the reconfiguration fails with the following error: "<Name_of_Interface> already belongs to a bridge interface and therefor cannot be bridged"
01848953 Crash when fwfonic.conf is missing from the context of the VS.
01750204, 02327235, 01849369 All HTTP Proxy connections are dropped on VSX.
02032862, 02423243 "vsx_util reconfigure" fails with "Failed to commit changes in the OS.Management interface must have an IP address." error in non-DMI configuration.
Refer to sk115131.
01931909, 02278701 "Illegal routing gateway or interface retrieved from the VSX GW" error in SmartDashboard when creating a new VSX Gateway / VSX Cluster object.
Refer to sk105540.
02297327,
02103463
After reboot of VSX Cluster Member, output of "cphaprob state" command shows that Virtual Systems are "Down".
Refer to sk110073.
CoreXL
02378995,
02378614,
02378995
Interface affinity configuration is not visible for 40GB interfaces configured in BOND mode.
Refer to sk114396.
Desktop Security
01940363,
02007018
"Desktop Security policy is empty. At least one rule should be configured. Desktop policies will not be installed on Policy Servers." error shows during policy install when removing a Desktop policy (that was imported with a policy package) and adding it back.
Refer to sk110656.
VoIP

01811945,
02297333,
02421531

When DLCX has no call id, the response is dropped because of "no call_id in mgcp_tid entry for this response".
SNMP

01817116,
02270441,
01828627

/etc/snmp/userDefinedSettings.conf file is overwritten after Jumbo Hotfix Accumulator installation.
02422592,
02419635
"Wrong Type (should be Gauge32 or Unsigned32): INTEGER" message in SNMP Response.
Refer to sk115119.
02037152,
01852956
Incorrect serial number is returned when querying the Operating system using cpstat and snmpwalk commands on 21700/24100 appliances.
01689724,
01803493
SNMP Trap "coldStart" is sent every time the SNMPD daemon is started on Gaia OS.
01513636,
01705377,
01469254,
01470204,
01502560,
01746639,
01469413
SNMP query for CPU usage by each Virtual System returns zero.
Refer to sk102434.
01610111 There is no response when querying SNMP 64-bit counters after upgrading VSX R77.x to R77.30.
Refer to sk105540.
01362643,
01614707
During in-place upgrade from VSX R77.x, the $FWDIR/conf/amon_vsx_refresh_interval file is overwritten.
If the refresh interval of VSX SNMP counters should be a value other than default 30 (seconds), you will have to edit the file manually after the upgrade as described in sk101713 (and in sk97947).
