ID |
Symptoms |
Upgrade |
01970614 |
After Multi-Domain Server upgrade, the Domain Management Server version and operating system are not updated. You must manually update this information in SmartConsole. |
01972676 |
CPUSE is not supported for installation of / upgrade to R80. |
Security Gateway |
02100543, 02358434 |
Enhancement: Enabled interactive options (ASK/INFORM) with UserCheck External portal. |
01873031, 02296621, 02387645, 02403039 |
"Via" field in HTTP Request sent to a web server by Security Gateway in Non Transparent proxy mode contains incomplete HTTP version. Refer to sk108900. |
01710137, 01848363, 01707360, 01856715 |
Issues with traffic and with web pages when Security Gateway is configured in Proxy Non-Transparent mode. Refer to sk106663. |
01822697, 01820334, 01821023, 01958358 |
Security Gateway crashes after running the 'cpstop' command if MSS Adjustment (Clamping) for IPsec VPN traffic is enabled (fw_clamp_vpn_mss=1) per sk101219. |
02327295, 02220666 |
Cannot connect to FTP from a Windows 10 client. This happens either when DLP is enabled, or when the following are used in the Rule Base: 'User Auth' or 'Client Auth' Action, or a 'Service With Resource'. |
02057072, 02049251 |
In SmartDashboard, the "Hits" counter in a specific rule does not increase even though traffic was matched to this rule. Refer to sk115098. |
01778083, 01707477, 01584203, 01709063, 01709301 |
Out of bound memory allocations/freeing prevented if memory corruption occurs. Refer to sk110344. |
02109271, 01885201 |
Unresolved Dynamic Object causes NAT rule matching to fail and packet drop. Refer to sk109216. |
01745741, 01746482, 01780378, 01744553, 01734383 |
Security Gateway might crash in some scenarios when inspecting H.323 traffic. Refer to sk107184 and sk106994. |
02106730, 02025743 |
Automatic SIM Affinity does not use all the cores on Open Servers with a multi-core license that allows fewer cores than the server has. Refer to sk110422. |
02219375, 01991091 |
On Open Servers with a default affinity configuration and limited Multi-Core licenses, the $FWDIR/scripts/fwaffinity_used_cpus script returns an incorrect output. Refer to sk110940. |
02062053 |
When accessing a web server through a Security Gateway in Non-Transparent Proxy mode without the next proxy, this error shows: "Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection without sending any data". Refer to sk111741. |
01644740, 01680224, 01689641, 01712179, 02165363, 02200445 |
ISP Redundancy in Load Sharing mode is disabled when Non-Transparent Proxy is defined. Refer to sk111678. |
02410825, 01902041 |
When SQLNET2-1521 is used in the rule base, SQLNET2 traffic that contains a REDIRECT request is dropped by the Firewall. Refer to sk110078. |
02103719, 01911675, 02107359, 02103172, 02014173 |
Memory leak in CPD daemon (cpmon). Users occasionally see N/A as the device status. |
02337597, 01696483 |
Customized HTML pages for Legacy Client Authentication are not displayed. Refer to sk106583. |
Gaia |
01997585 |
Enhancement: Improved log file rotation. Refer to sk93505. |
01996097, 01639840 |
If you restore a Security Management Server from a backup, all hotfixes installed after the backup was created will not be included on the restored server. Refer to sk91400. |
01342543 |
Cannot add role names with more than 30 characters. (Maximum role name length is now 128 characters). |
02384157, 01885860, 02384114 |
Due to a missing driver, resetting the Gaia admin password using an Emergendisk USB flash drive fails on some appliances. Refer to sk92663. |
02382304, 02366831 |
Updated time zone package tzdata 2016g: Turkey's Daylight Saving Time (DST) is permanently cancelled since Sep 2016. Refer to sk114037. |
02453635, 02451884 |
Security Gateway with PIM Sparse-Mode registers multicast traffic for non-local subnets. Refer to sk115852. |
02361028, 02045637 |
MAC address for Bond interface changes after reboot. After the reboot, the Proxy ARP table is not loaded. Bond interfaces that use different MAC addresses are no longer up to date. |
01992034, 02007961, 02007928, 02018541, 02103280, 02409788 |
Logjam Vulnerability CVE-2015-4000, which tricks servers into using weaker 512-bit keys that can be decrypted.
- Issue resolved by disabling the Diffie-Hellman-sha1 key exchange algorithm by default in /etc/sshd_config. If you need to restore the algorithm, add "LegacyKex=1" to the /etc/sshd_config file.
Refer to sk106147. |
01938317, 01704725, 01702790, 01935921 |
"libdb set: missing or invalid argument" error in Gaia Portal when creating snapshot. Refer to sk106646. |
01691878, 01693135, 01692055, 01709890, 01692050 |
"This page is currently in read only mode, the requested action cannot be performed" message appears in Gaia Portal when logging in with the TACACS+ user and clicking on the "Enable TACACS+ authentication" button at the top. Refer to sk106324. |
01816851 |
Enhancement: In Gaia R77.30, RIP MD5 authentication does not work if configured through clish. During upgrade from such systems to R80, you may see the following log message "RIP MD5 auth config on eth13, which didn't work in R77.30 due to a bug, is being removed, to avoid loss of connectivity. If needed, re-set the RIP MD5 secret." If you see this message, check the settings for RIP MD5 secret. |
01832307, 01670224, 01619301, 01619525 |
Temporary short traffic outage on Check Point appliance running Gaia OS when viewing and clicking one of the options in Gaia Portal - "Maintenance" section - "Hardware Health" page. Refer to sk105563. |
02395036, 02334826 |
Commands executed in Gaia OS on VSX Gateway are logged to the /var/log/messages file. The commands do not contain the VSID of the Virtual Systems for which the commands were executed. Refer to sk113128. |
02059192, 02361963 |
Changing the IP address of the management interface on appliances ends in error: "Wrong IP Please try again". Refer to sk106447. |
02085712, 01806088, 01806618 |
RADIUS users with CLISH as default shell, cannot login via SSH. Refer to sk107648. |
02360892 |
Random traffic outage when a fail-over occurs in 3rd party Cluster in the following topology: [Check Point machine on Gaia OS / SecurePlatform OS] -- [3rd party Cluster, e.g., Citrix NetScaler cluster] Refer to sk106852. |
02124891, 02107584 |
Improved policy installation stability on appliances with a SAM card. |
02168812, 02046467 |
After installing R77_30_jumbo_hf Take 111, or after a fresh install on 15000 / 23000 appliances, multi-queue interfaces cannot be set via the WebUI, but can be set via CLI. The "Performance Optimization" page in Gaia Portal either remains stuck at the "Please wait a few moments while the data is loaded..." message, or freezes when applying changes to CoreXL or Multi-Queue configuration. Refer to sk112897. |
02011822, 02074215, 02025040, 02015364, 02075570 |
clish and cpmon cannot detect a Power Supply Unit attached to the Check Point appliance. |
02360993, 01961177 |
The "Network Interfaces" page in the Gaia Portal does not load if the text string "NAN" or "inf" is saved in the interface's "Comment" field. |
02078869, 01950634 |
RouteD daemon on the active cluster with configured PIM might terminate after a peer cluster member is rebooted. |
01995629, 01985269 |
If you refresh the browser while running the First Time Configuration Wizard, or try to run the Wizard twice, one of these messages will show:
- Cannot install Check Point Security Management Server. Incompatible hardware
- Internal Error: Cannot install Check Point Security Management Server
- Cannot install Check Point Security Management Server. Please contact Check Point Technical Support.
After seeing one of these messages, you must reinstall the device or revert to the factory image. |
01691878, 01692055 |
Cannot enable TACACS options after TACACS user authenticates via webUI. |
01687266, 01688974 |
"IMAGE MANAGEMENT: going to restore system image .. Error: 'Couldn't connect to /tmp/xgets: No such file or directory" message when reverting to a Snapshot, or to Factory Defaults (FCD). |
01673299 |
SecurePlatform WebUI "Snapshot" page looks corrupted. |
01989855, 02297237, 02482697 |
confd process stuck in deep sleep mode. |
02356738, 02365245, 02357833 |
confd process crashes with a core dump file when the CPinfo command file is collected. Refer to sk113750. |
02332735, 02456323, 02335269 |
"unknown devices" errors in /var/log/messages file on HP G9 open server with 4th generation Xeon CPUs. |
Licensing |
01913451 |
License Data for all supported software blades shows on all machines, even if the blade is not relevant to the role of the machine. For example, license data for the Network Policy Management blade shows on a Log server. |
Security Management |
02333225, 01922555 |
Packages uploaded with SmartUpdate or the cppkg command cannot be found in the file repository, and installation fails. |
01861412 |
When creating a new object with IP address or name of a deleted object, the "There is another network object with the same IP address, are you sure you want to continue? Name already used!" message pops up. |
01713602, 01626242, 01896195, 01626310 |
A SmartView Monitor email alert sometimes has a closing "_NextPart_..." boundary, which causes the email to be blocked by some mail servers as spam. Refer to sk105578. |
01990873, 02006998 |
In a High Availability deployment, purging revisions causes the High Availability incremental sync to all Standby Security Management servers to fail with "NGM Failed to import data" error message.
- To make the fix work, purge all old revisions from the specific Security Management / Domain.
|
02017237 |
When the Gaia portal on the Security Management server does not use the default port 443, the following issues may occur:
- Management commands using the GUI do not work.
- Management commands using the Management command line "mgmt_cli" tool do not work.
- Management commands using clish do not work.
- The api status command fails with "test failed" error.
Refer to sk111075. |
01896673, 01282706 |
At irregular intervals, the session information fails to update. To see the most updated session, switch to another view and then switch back. |
01968118 |
Automating a Check Point Management server using the Management API blade is supported only on Gaia OS Management servers. |
01785216, 01996056 |
OSE devices are not supported in R80. The Pre-Upgrade verifier warns about this and policy installation from R80 Security Management on an OSE Device fails. |
02349143, 02349405, 02350931, 02414309 |
Although it is possible to create a Time group object with a long name, policy installation fails with "Time objects name cannot be more than 11 characters" error. Refer to sk113498. |
02103761, 02001366, 02103175, 02103182, 01911675 |
Improved CPD daemon stability that caused policy installation failure. Refer to sk111880. |
01984835, 02049194 |
Failed to connect to the Security Management server after running cpstart. |
01647690, 01646000 |
If policy installation fails on R75.20 1100 gateways, the selected version of the gateway object is probably incorrect.
- In the gateway object properties, make sure the correct version is selected.
|
02590945, 02592411 |
In some scenarios, Security Management server stops receiving logs from all gateways. Refer to sk120316. |
Multi-Domain Security Management |
- |
The following Domain features are supported starting from R80.10:
- Dynamic Global Objects
- Install policy from Multi-Domain Server - the ability to directly install the policy on all Domain gateways as part of assigning the Global Policy on the Domains is not supported. Install the policy from the specified Domains.
|
01961532, 01998271 |
Multi-Domain Management server unexpectedly terminates after assigning a Global policy to a Domain imported using the cma_migrate command. |
02061008, 01933775 |
Multi-Domain Super User has no permission to install policy when connected to the Domain Server.
- Workaround: Restart SmartConsole, connect to the Domain server, and try again.
|
02359963, 02361015, 02361167 |
Multi-Domain Management server (MDS) creates a snapshot during the OS level backup procedure, causing the backup to fail or be extremely small. Refer to sk113740. |
02423360, 02425735 |
A snapshot is created when the Multi-Domain Server is backed up, causing the backup to fail, due to size. |
Endpoint Security Server |
02058477, 02058497 |
SmartEndpoint GUI error on UserCheck message property. Refer to sk112157. |
HTTPS Inspection |
02411541, 02031602 |
Enhancement: Minimum and maximum SSL/TLS versions are enforced on HTTPS inspection connections. |
02506753 |
When the probe bypass feature is enabled, sites that fail the probe do not show in the browser. This behavior is intended for security. |
02329308, 02372288, 02386581, 02337643, 02350226, 02338417, 02379483, 02386578, 02378512, 02413808 |
Improved stability of Security Gateway while connecting to some web sites with HTTPS Inspection enabled. Refer to sk113873. |
02158026, 01897723; 02157957, 01921664 |
Specific HTTPS sites that use ECDHE ciphers are not accessible when HTTPS Inspection is enabled. ECDHE curves using 384 bit keys are not supported. Refer to sk110883. |
02413999, 02267698 |
Some sites do not load when HTTPS Inspection is enabled, if TLS 1.2 with ECDHE is used. Refer to sk112954. |
02507729, 02449969 |
Some sites do not load correctly in Chrome when SSL inspection is enabled. Refer to sk115877. |
IPS |
- |
Snort protections are not supported. |
02336619, 02333892 |
Outage after IPS database upgrade and install policy. Refer to sk113251. |
01612788, PMTR-47467 |
For pre-R80.10 gateways, when configuring a Threat Prevention rule to save packet captures, the packets are saved only for Anti-Virus and Anti-Bot. Packet capture is not activated on IPS. |
02658128, 02658437, PMTR-41632 |
IPS blade is automatically enabled on R7X Security Gateway during policy installation from R80.x Management Server, although IPS blade is disabled in the Security Gateway object. Refer to sk121152. |
DLP |
01980215 |
UserCheck Daemon sends notifications for DLP portal that are not marked as quarantined. In such a case, DLP will send "your emails are about to expire" notifications for incidents which were not quarantined. |
01560455, 01692002 |
Downloaded file can be bypassed instead of blocked by DLP when the Anti-Virus blade is working on the same connection. |
Threat Prevention |
01991099 |
Install policy fails if the name of the profile contains a forward slash (/). |
Identity Awareness |
01916487 |
Enhancement: You can configure the time interval of the terminal server Identity agent (MUH agent) to scan the OS process list and update the "User - process" mapping. |
02032343, 01987753 |
Enhancement: Support for MUH authentication of UPN formats, for terminal server users. |
02203036, 02005632 |
The Identity Agent does not identify machine information under some conditions. |
01868691, 01831743, 01868655, 01852689, 02182578, 02438756, 01842394, 01866902, 01868652, 01835922, 01868710, 01842525 |
Policy installation on Identity Awareness Gateway fails randomly. Refer to sk108290. |
02049522, 01981012 |
Identity Agent Packet Tagging does not function in specific scenarios. |
02049469, 01896256 |
Improved Security gateway stability when agent connects to the portal for the first time. |
01924855, 01511858 |
Automatic update of LDAP group membership does not work in multiple users update. |
01916538, 01542830 |
Client creates empty cookie requests from known portals. |
02055789, 01631923 |
IDA groups are not updated automatically if the LDAP cache is activated and the changed user is in the cache. |
Application Control & URL Filtering |
- |
Application Control offline updates are supported from command line only. |
02310196, 02323510, 02334185, 02323506, 02329183, 02330718 |
When Security Gateway configured as proxy, Skype is blocked by Application Control. Refer to sk113124. |
01835979, 01830427 |
When the "Categorize HTTPS Sites" option is enabled, accessing HTTP URLs can cause "Internal System Error" logs in SmartLog and failure to open the web page. |
01871981, 01875943 |
FTP traffic speed decreases when Application Control blade is enabled. Refer to sk109012. |
02030331, 02011440, 02014104 |
Application Control updates fail for 1100 / 1200R / 1400 Small Office Appliances that are centrally managed by R80 Security Management Server. Refer to sk111073. |
01843029 |
UserCheck block page is not shown when some sites are blocked and HTTPS Inspection is on. Refer to sk110689. |
01872944, 01907475 |
Users occasionally are not able to access HTTPS sites when the "Categorize HTTPS sites" option is enabled. Refer to sk109581. |
Anti-Virus |
02336228, 01680856 |
Improved stability of Security Gateway's CPD process during an Anti-Virus update. Refer to sk110684. |
SmartConsole / Management Console |
PMTR-48569, MB-77 |
Administrators with Customized permission profile cannot manage VSX objects. |
01381144 |
Access roles objects are not synchronized with the Log server. Refer to sk112359. |
01854287 |
"Import Applications / Sites" option (the same feature that was under "Application & URL Filtering" tab -> "Applications/Sites" -> Actions -> Import) is missing in R80 SmartConsole. Refer to sk111054. |
01944489, 02007657 |
Implied rules are not shown in SmartConsole. |
02346641, 02351839 |
In SmartConsole, "Get topology" button is not displayed when Windows zoom is set at 125% / 150%. Refer to sk113455. |
01785636, 02297484, 01907657 |
When cloning an interoperable Device in SmartDashboard, the following error is displayed and the name cannot be changed: "Rename is not allowed because the object contains shared secrets. First, remove the shared secrets from the object and click OK." Refer to sk107455. |
02333171, 01851861 |
Prompt to save Rule Base changes does not appear within Application & URL Filtering and DLP tab. Refer to sk109813. |
01944489, 02007657 |
A VPN rule created using the "Accept all encrypted traffic" option in the VPN community object, is not shown in SmartConsole. |
02104312, 02053188, 02053623, 02053974 |
Cannot scroll down to find the relevant gateway in "Satellite gateway" list in IPSEC VPN Star community window. Refer to sk111736. |
02066282, 02104255, 02100655 |
Sorting is not correct in the Security Gateways & Servers view in SmartConsole. Refer to sk111846. |
02085892, 02189659, 02088162, 02088167 |
After creating "interoperable" device and adding it to a star community, cannot add a shared secret password to this device because it is not listed in the "Shared Secret" tab. Refer to sk112182. |
02509228, 02508478 |
When upgrading with Traditional mode VPN, allowed Peer Gateway is set to Any instead of the object it was defined with. |
02297625, 01964494 |
SMTP page is missing on VSX Cluster Object (VSX Cluster Properties > Other). Refer to sk110266. |
SmartEvent |
02310643, 02310889, 02333477, 02445895, 02328886 |
"No Permissions Events or Reports permissions are required to view this page" error when authenticating with Check Point certificate to R80 Legacy SmartEvent GUI. Refer to sk113034. |
02369957, 02372519 |
Not possible to set a value greater than 250 in the "Number of values (up to)" field of a SmartEvent report. Not possible to set a value greater than 2000 in the "Maximum number of logs" field of a SmartEvent report. Refer to sk114193. |
01969895, 02008340 |
When connecting R80 SmartEvent to an R77.30 Security Management Server, only local administrators (that are configured from cpconfig) are supported. |
SmartView Monitor |
02423908, 01684937 |
SmartView Monitor unexpectedly terminates when opening the FireWall History report. Refer to sk106449. |
SmartLog |
- |
The Open Log File Form in the SmartConsole of a Multi-Domain Server will not show log files of Domain Management Servers or Domain Log Servers. You must open SmartConsole to the domain, to open log files. |
- |
If you change a High Availability server to Non-Index mode, you must force a failover to the standby server and then run evstop;evstart from the Expert mode. If you change a dedicated Log server to Non-index mode, you must run evstop;evstart from the Expert mode. |
- |
You cannot see log files of different servers in Non-Index mode. You must open SmartConsole directly to the Security Management or Log server with the required log file. |
- |
If you connect a SmartEvent R80 server to an R77.x or lower Management server, you must enable SmartLog to avoid CPSEMD crashes. |
Logging |
01945644 |
Disabling log indexing on a distributed Log server does not stop the indexing processes. To stop the indexing processes, run: cpstop;cpstart. |
01986752, 01988662 |
Connections from SmartConsole to a Multi-Domain log server are not supported. To view logs stored on the Multi-Domain log server, connect to each Domain log server separately.
Note: if the "lockout administrator account after x failed authentication attempts" option is selected, failed attempts to login to the Multi-Domain log server will also lock the administrator out of the Domain Log server. To resolve, run the "unlock-administrator" command on the API command line.
|
02022292, PMTR-47206 |
"Save As" to a log file is not supported. |
SmartUpdate |
01885337 |
You cannot detach a Domain license from the SmartConsole Multi-Domain view. Instead, connect to each Domain with SmartConsole and detach the license there. |
Dynamic Routing / Advanced Routing |
01632138, 01413772, 01414025 |
VRRP cluster member on Gaia OS crashes when using 'arping' command. Refer to sk101087. |
01888022, 01959704, 01968564 |
Cannot configure routemap for each BGP peer on Gaia OS. Refer to sk110477. |
02080671, 01622407 |
PIM SM outgoing interface deleted shortly after cluster members reboot. |
02292458, 01976708, 01976875 |
Improved routed stability while enabling RIP. Refer to sk110616. |
00265762, 01294197 |
Output of the "show ospf interfaces" CLISH command shows DR/BDR Router IDs in the column titled Interface, which is confusing. |
00265732, 01322631, 00265680 |
When configured to use the default value for BGP peer weight, WebUI, Advanced Routing section shows an empty value. |
00266235, 01181005 |
CLISH command "set igmp interface router-alert" does not show autocomplete options ON and OFF when pressing the Tab. |
02386072, 02110490 |
Improved routed daemon stability while PIM is configured and machine is rebooted when all network cables are disconnected. Refer to sk112251. |
01901962, 01932737 |
Loopback address is not allowed as a source address in Netflow configuration. |
01980694, 01989783, 01989782, 01993946 |
Routes redistributed by Gaia OS to BGP peer are sent without BGP community value. Refer to sk110563. |
00266239, 01183378 |
On and Off options do not show up in autocomplete or in help for the "set ipv6 rdisc6 interface <mgmt._interface> on-link" command. |
02364752, 02358210, 02364750 |
VRRP Backup member on Gaia OS sends BGP traffic to BGP peers. Refer to sk114265. |
00265869, 01319236, 00265679 |
When pressing question mark at the end of the "set ping interval" command, the clish help incorrectly shows the default value of 30, instead of 10. |
02347309 |
When using two or more routes with a different priority, the ping counter shows incorrect values. With each configuration change, the ping counter for the static route resets and prevents removal. |
00266243, 01158325 |
Output of the "show pim neighbors" clish command shows only time, but not the date of user creation. |
00266241, 01187431 |
clish Help of the "set igmp interface query-response-interval" command shows "(null)" in the last line of the output. |
00266246, 01192221 |
Output of the "show ipv6 route bgp aspath" clish command is not aligned. |
00265810, 01346684 |
Output of the "show commands feature router-options" command shows "show router-options" twice. |
01395305 |
Autocomplete of the following commands is missing the "all" option:
- show route aggregate
- show route bgp
- show route direct
- show route kernel
- show route ospf
- show route rip
- show route static
- show ipv6 route aggregate
- show ipv6 route bgp
- show ipv6 route direct
- show ipv6 route kernel
- show ipv6 route ospf3
- show ipv6 route static
|
00266231, 01183576 |
When pressing Tab after entering the "set ipv6 static route nexthop gateway" clish command, no autocomplete values are listed. |
02008843, 01943294 |
Logs show that Active member drops PIM packets from Standby member due to address spoofing. Refer to sk110015. |
01778857, 01783081 |
Security Gateway on Gaia OS with configured Dynamic Routing and ECMP might freeze when an interface is added/removed. Refer to sk107418. |
02080673, 01946518 |
Security Gateway randomly stops forwarding the IGMP/PIM Sparse Mode multicast traffic. Refer to sk106858. |
02080688, 01940689 |
Cannot change OSPF settings in the Gaia Portal with Internet Explorer (IE) browser. Refer to sk109946. |
Mobile Access |
01931354 |
Enhancement: Proxy Settings for DynamicID authentication are configured in the Gateway's Proxy Settings. In earlier versions it was configured in the Mobile Access Proxy Settings. |
01736208, 01738947 |
Web Form SSO with configured login page does not work. Refer to sk107254. |
02372424, 02379680 |
When Mobile Access is enabled, proxy traffic is matched by implied rule instead of explicit security rule when HTTP/HTTPS Proxy is configured on the Security Gateway. Refer to sk114453. |
VPN |
02413890, 02107058 |
Enhancement: Improved usability for tunnel management in the CLI. |
01521101, 01495114 |
Enhancement: SSLv3 is not supported due to security vulnerabilities in the protocol. |
01538720, 00160508 |
Enhancement: IPSec VPN Gateways can act as NAT-T initiators. |
01469356, 01977237 |
Enhancement: PKCS#10 certificate requests are signed with SHA 256 by default. |
01695487, 01425219 |
If a gateway is configured for NAT and belongs to a community with IKEv2, the IKEv2 negotiation fails sometimes. |
01676457, 01677149, 02411493 |
Enrolling a certificate using SCEP from the external CA based on Windows Server 2008 and higher fails because SCEP replies are assumed to be using MD5 regardless of the hash algorithm used in the request. Refer to sk106405. |
02372395, 02052250 |
RIM routes are not removed when a MEP node fails. |
02411149, 01936893 |
The vpnd executable accepts SSLv3 on Windows platform. |
01471620, 01471913, 01492978 |
If Visitor Mode port is changed, Endpoint Security VPN cannot establish site. Refer to Scenario 3 in sk128652. |
01429354, 01534246 |
If multicore support for SSL is enabled, VoIP inspection over SSL Network Extender tunnel does not work. Note: Multicore SSL is always enabled in R80.10. |
01455936, 01456884, 01571134, 02411552 |
Authentication to SSL Network Extender or Check Point Mobile VPN with 3rd party certificate fails. Refer to sk33319. |
01940333, 02332728, 02332725 |
"Warning: on gw 'Name_of_Security_Gateway', for the range (127.0.0.1, 127.0.0.1), peers were found in communities 'Name_of_Community_1' and 'Name_of_Community_2', peers from the second community will be ignored" message during policy installation. |
02411549 |
IKE negotiation fails when using certificates from subordinate CAs. |
02010580, 02277594, 02338534, 02333130, 02333130 |
Traffic over VPN tunnel does not pass for several seconds during or after policy installation on Security Gateway (which causes traffic loss). Refer to sk55244. |
01957717, 01503096 |
When "Accept All Traffic" option is enabled on a VPN community, it is not applied to VSX clusters or cluster members. |
02410942, 01896799 |
If a RADIUS user belongs to 15 or more runtime RADIUS groups, the user cannot connect to the VPN site. Refer to sk109336. |
02430215 |
Improved stability of vpnd daemon during policy installation. |
ClusterXL |
01383377, 01413125, 01450163, 00267167, 01458523, 01458527 |
Active member in ClusterXL HA Primary Up mode running on Gaia OS frequently reboots when PIM SM is configured and multicast traffic is passing through. Refer to sk99042. |
02079428, 02394915, 02104201 |
ClusterXL member in Load Sharing mode with installed SAM card might crash when an interface is administratively shut down (e.g., with ifconfig ethX down command). |
01954267, 01993970 |
Previously reachable BGP routes are still advertised to BGP peers on ClusterXL after the switch that connects these members goes down. |
02435504, 02388344 |
Syslog does not generate an alert when the cluster member's state is changed from 'Active' to 'Active Attention'. |
01820037, 01877245 |
ClusterXL member's state changes to 'Ready' after sending an invalid CCP packet. |
02510466, 02512536, 02512651, 02054768 |
"RTGRTG0019 VRRP: System not ready or invalid configuration. Please retry later" error when running Gaia Clish command "show vrrp". Refer to sk112580. |
01780069, 01995597; 02501075 |
ClusterXL Virtual MAC (VMAC) mode and Cisco Conversational MAC Learning are not compatible. Refer to sk117412. |
SecureXL |
01827637, 02029717, 02009223 |
Low performance on Security Gateway configured in Monitor Mode (Mirror Port mode) per sk101670. Refer to sk112798. |
02020740, 02292137 |
Security Gateway with enabled SecureXL might crash during policy installation. Refer to sk111411. |
01574329, 01844422, 01973806, 01973814 |
Gaia OS on Check Point 21000 series appliance with SAM card becomes unresponsive when trying to delete a VLAN interface after passing multicast traffic through that VLAN interface. Refer to sk115420. |
01844426, 01780689 |
Multicast receivers do not receive packets when they join and leave multiple times. |
01522999, 01458115 |
SAM cards do not pass traffic correctly in SecureXL Pivot Mode in an Active/Active configuration. |
01969527, 01861402, 01846041, 01852946, 01846244 |
In VMAC mode, multicast traffic that is received on a standby member is dropped. This can cause stability issues on the cluster member. Refer to sk108502. |
01885675, 01916638, 01885670, 01883395, 01885675 |
ClusterXL in Load Sharing Unicast mode drops traffic sent to IP addresses X.X.X.255 (last octet is "255", but is not a broadcast address on this network). Refer to sk107853. |
01942468, 01893950, 01893952, 01908788 |
When NAT is configured on the network/host where SecureXL is enabled, not all entries in SecureXL Connections Table (run 'fwaccel conns' command) are deleted after the "UDP virtual session timeout" when traffic is stopped. The non-deleted entries will not expire. This issue applies when the traffic is multicast from an internal NATed network. |
01392081, 01476360, 01392620, 01523990 |
SecureXL does not accelerate IPv4 packets with VLAN tag on Security Gateway in Bridge mode when IPv6 is enabled. Refer to sk100170. |
02372653, 02468724 |
Check Point 21000 series appliance with SAM card is not able to boot after installing Take 210, Take 213 or Take 216 of R77.30 Jumbo Hotfix Accumulator. Refer to sk116070. |
01845461, 01853546; 01906167 |
Check Point 21000 series appliance with SAM card might crash during policy installation. Refer to sk108643. |
01825599, 01847635 |
Check Point 21000 series appliance with SAM card might crash due to removal of Layer 2 header by SAM card. Refer to sk108652. |
01848202, 01850540 |
Check Point 21000 series appliance with SAM card might crash while handling fragmented TCP packets. Refer to sk108589. |
01769402, 01777881, 01771790 |
Multiple "cphwd_pslglue_can_offload_template: error, psl_opaque is NULL" errors in /var/log/messages file. Refer to sk107258. |
01554849, 01576112, 01611699 |
TCP packets are not dropped as Out-of-State when SecureXL is enabled. Refer to sk104557. |
01385943, 00266287; 01463835, 00267250 |
TCPdump shows wrong IP addresses for NATed traffic when SecureXL is enabled. Refer to sk100194. |
01919249, 01915798, 01915162 |
Output of "fwaccel stat" command shows: "Accelerator Status : off by Firewall (too many general errors (NUMBER) (caller: Name_of_Function))". Refer to sk100467 (Scenario 3 - "UDP traffic causes too many general errors"). |
01506385, 01501271 |
When the DHCP relay and Drop templates are enabled, SecureXL is automatically turned OFF. For more information, see scenario 2 in sk100467. |
01397083, 01397729, 01638997 |
SAM card stability issue on Check Point 21000 appliances during boot if the number of configured CoreXL FW instances is equal to the number of CPU cores on the appliance (e.g., there are 16 CPU cores, and 16 CoreXL FW instances were configured). Refer to sk100546. |
02081183 |
NAT is not applied by the Security Gateway to multicast packets in the following scenario:
- SecureXL is enabled on Security Gateway
- NAT is configured for multicast sender as "Hide behind Gateway"
As a result, the multicast receiver host gets the original IP address of the multicast sender. |
01893950, 01893952, 01908788, 01997516 |
When NAT is configured on the network/host where SecureXL is enabled, not all entries in SecureXL Connections Table (run the fwaccel conns command) are deleted after the "UDP virtual session timeout" when traffic is stopped. |
02433949, 01719131, 01957088 |
During policy installation or signature updates, if there are medium path connections, stability issues may occur when SecureXL is turned OFF and ON. Refer to sk106934. |
02399154, 02368502 |
There is a stability issue after policy installation when SecureXL is enabled. Refer to sk114153. |
02080447, 01952690, 01906737 |
SAM Card error statistics were not available immediately after the reboot. |
02389980, 02383351 |
Stability issue on Cluster members when the SecureXL SIM NAC feature is disabled and SecureXL is restarted. Refer to sk114424 for more information. |
VSX |
01319800, 01347115, 01347125, 01347130, 01360704, 01369939 |
After running the "vsx_util reconfigure" command on Security Management Server / Domain Management Server for a VSX gateway, in a rare scenario, the output of the 'vsx stat -v' command on the VSX gateway shows Virtual Systems with 'InitialPolicy' and/or 'No Trust'. Refer to sk98311. |
01809452 |
Sporadic packet drops in SecureXL when the virtual system is in bridge mode. |
01880104, 01830381 |
Rare crash of FWK process on VSX Gateway with enabled IPS blade and activated protection "Non-Compliant HTTP". Refer to sk108192. |
01449721, 01725440, 01396841, 01495166, 01396472, 01619725 |
After running the 'cpstop;cpstart' commands on the Standby VSX cluster member, the output of the 'cphaprob -a if' command shows the following states for the Sync interface configured on a Bond interface:
- 'UP' in the context of VSX itself (VS0)
- 'DOWN' for each Virtual System
Refer to sk100450. |
01513312, 01528076, 01470302, 01770848 |
Enhancement: This release includes improved support for multicast acceleration in VSX. |
01712482, 02360975, 02297100, 01894637, 01782778, 01714649, 02366381 |
Adding a static ARP entry in a Virtual System does not survive reboot. Refer to sk106794. |
02411964, 02166135, 02166160 |
"vsx_util vsls" command fails with "Failed to redistribute the virtual systems. Can't save database." error on R80 Management Server. Refer to sk115029. |
01510367, 01615464, 02082365 |
When trying to re-install a VSX cluster member and use 'vsx_util reconfigure' to rebuild it, the reconfiguration fails with the following error: "<Name_of_Interface> already belongs to a bridge interface and therefor cannot be bridged" |
01848953 |
Crash when fwfonic.conf is missing from the context of the VS. |
01750204, 02327235, 01849369 |
All HTTP Proxy connections are dropped on VSX. |
02032862, 02423243 |
"vsx_util reconfigure" fails with "Failed to commit changes in the OS.Management interface must have an IP address." error in non-DMI configuration. Refer to sk115131. |
01931909, 02278701 |
"Illegal routing gateway or interface retrieved from the VSX GW" error in SmartDashboard when creating a new VSX Gateway / VSX Cluster object. Refer to sk105540. |
02297327; 02103463 |
After a reboot of a VSX Cluster Member, the output of the "cphaprob state" command shows that Virtual Systems are "Down". Refer to sk110073. |
CoreXL |
02378995, 02378614, 02378995 |
Interface affinity configuration is not visible for 40GB interfaces configured in BOND mode. Refer to sk114396. |
Desktop Security |
01940363, 02007018 |
"Desktop Security policy is empty. At least one rule should be configured. Desktop policies will not be installed on Policy Servers." error shows during policy install when removing a Desktop policy (that was imported with a policy package) and adding it back. Refer to sk110656. |
VoIP |
01811945, 02297333, 02421531 |
When DLCX has no call ID, the response is dropped because of "no call_id in mgcp_tid entry for this response". |
SNMP |
01817116, 02270441, 01828627 |
/etc/snmp/userDefinedSettings.conf file is overwritten after Jumbo Hotfix Accumulator installation. |
02422592, 02419635 |
"Wrong Type (should be Gauge32 or Unsigned32): INTEGER" message in SNMP Response. Refer to sk115119. |
02037152, 01852956 |
Incorrect serial number is returned when querying the Operating system using cpstat and snmpwalk commands on 21700/24100 appliances. |
01689724, 01803493 |
SNMP Trap "coldStart" is sent every time the SNMPD daemon is started on Gaia OS. |
01513636, 01705377, 01469254, 01470204, 01502560, 01746639, 01469413 |
SNMP query for CPU usage by each Virtual System returns zero. Refer to sk102434. |
01610111 |
There is no response when querying SNMP 64-bit counters after upgrading VSX R77.x to R77.30. Refer to sk105540. |
01362643, 01614707 |
During in-place upgrade from VSX R77.x, the $FWDIR/conf/amon_vsx_refresh_interval file is overwritten. If the refresh interval of VSX SNMP counters should be a value other than default 30 (seconds), you will have to edit the file manually after the upgrade as described in sk101713 (and in sk97947). |