Check Point R80.10 Known Limitations
Solution

This article lists all of the R80.10 specific known limitations, including limitations from the previous versions.

This is a live document that may be updated without special notice. We recommend subscribing to our weekly updates in order to stay up to date. To register, go to UserCenter > ASSETS / INFO > My Subscriptions.


Table of Contents

  • Installation and Upgrade
  • Licensing
  • Networking
  • Security Gateway
  • Gaia
  • Security Management
  • Management High Availability
  • Multi-Domain Security Management
  • SmartConsole / Management Console    
  • Application Control & URL Filtering
  • Content Awareness
  • Identity Awareness
  • Threat Prevention
  • IPS
  • DLP
  • Logging
  • SmartLog
  • SmartView Monitor
  • SmartEvent
  • SmartUpdate
  • SmartProvisioning
  • SecureXL
  • ClusterXL
  • CoreXL
  • Dynamic Routing / Advanced Routing    
  • VSX
  • Endpoint Security (SmartEndpoint)
  • Mobile Access
  • SSL Network Extender
  • VPN
  • Compliance
  • QoS
  • Small Office Appliances
  • 60000 / 40000 appliances
  • vSEC Controller
  • LTE
  • VoIP
  • SNMP


ID Symptoms Found in version
Installation and Upgrade
01549207,
01884161
Gaia OS: Clean install from USB device fails on Open Server because the installation process (anaconda) includes the USB installation media as part of the installation target.
Refer to sk100566.
R77.30
01868136 After upgrading, the Gateway Properties -> HTTP inspection page shows "Failed to load Plug-in Page: SSLInpectionPage".
To resolve the issue, perform the following on the Security Management server:
  1. Run cpstop
  2. Delete the $FWDIR/conf/newDleSchema.xsd file
  3. Run cpstart
R80
01505445 After upgrade, SmartConsole disconnects from the server during the first policy install.
Before a first policy installation on Standalone servers, allow the CPM service in the Services & Applications column of the rulebase.
R80
01876717 SmartEvent blade disabled after advanced upgrade to R80.10 Management. On the Security Management server, run "evconfig" to enable the SmartEvent server. R77.30
01611022 If you have gateways of different R77 versions and GX is enabled on an R77.30 Security Gateway only, policy installation will fail.
  • To resolve, use the "Install On" column for the GTP rules.
R77.30
01986530 Importing a large SmartEvent database can take a long time to complete. Check the upgrade status for progress. R80
02411778,
02421533,
02421989
After upgrading a Full HA deployment, policy installation fails due to SIC problem with the secondary member.
  • To resolve, re-establish SIC between the active and standby members.
R80.10
01815141 Database Revisions are not upgraded to R80.10 Security Management Server during the upgrade process from Pre-R80 versions. R80
01732941

After upgrading to R80.10, there is no visible way to switch between Classic mode and Wizard mode to create a Security Gateway object. New gateways can only be created depending on the setting in Global Properties -> SmartDashboard customization prior to upgrade. To restore both options:

  1. Close all SmartConsole windows.
  2. Connect to Security Management / Domain Management Server with GuiDBedit Tool.
  3. On the Tables tab, open Global Properties -> Properties.
  4. Select the firewall_properties object.
  5. In the Field Name column, select "hide_use_CP_GW_wizard".
  6. Change the value to false.
R80
01929622 After upgrading to R80.10, the "Gateways & Servers" view does not show version numbers in the Version column.
  • To see the version numbers, open the gateway object for editing, make sure the correct version is selected and click OK.
R80.10
01887799,
02058605
In R80, indexing is done by a new process called Indexer. Indexer works similarly to SmartLog R77.xx but has its own configuration files stored in $INDEXERDIR.
Customers who manually defined indexing configuration for remote log servers (via LEA) in SmartLog R77.x or below should manually move that configuration to the new configuration files.

To copy settings from SmartLog R77.x configuration files to the new Indexer process configuration files:
For SmartLog servers only:
After upgrading to R80, copy the remote log servers configured in $SMARTLOGDIR/smartlog_settings.txt file to $INDEXERDIR/log_indexer_custom_settings.conf.

For SmartEvent with SmartLog server:
Remote log servers configured in $SMARTLOGDIR/smartlog_settings.txt are not automatically upgraded. Manually configure the log servers in SmartEvent GUI -> correlation unit policy.

For more, see the R80.10 Logging and Monitoring Administration Guide.
R80
Licensing
01909120,
02015912

These products do not support the new licensing visibility features:

  • Network Security: Advanced Networking and Clustering, Capsule Cloud and Capsule Workspace.
  • Security Management: Endpoint Policy Management, SmartPortal, User Directory (LDAP).
  • Multi-Domain Management: Security Domain
  • Remote Access & Endpoint
R80
01925987 "Licensing status not available for current OS" message shows in the Logs & Monitoring view. SmartConsole does not support licensing information for Windows, SecurePlatform and Virtual Systems. Use the licenses tab in SmartUpdate to see the licensing information for the OS. R80
01963269 If the SmartEvent Software Blade is activated, but only the SmartEvent Intro license is installed, the License Status shows "N/A". R80
01961299 The Device and License Status of Threat Emulation is incorrect. Use the Logging -> License Status view. R80
01934260 When loaded for the first time, web components such as the licensing or monitoring view can take up to thirty seconds to show. R80
01972866 In the License Status View, the Additional Info column, quota information and quota statuses are not available for pre-R80 gateways and servers. R80
01972951 The proxy that synchronizes license information with the User Center must be an R80 or higher server.
R77.30
01951434

On a Pre-R80 SmartEvent NGSE dedicated machine, license information is not automatically updated when Installing Database.

When you enable or disable a blade, one of the following will update the license information with the change:

  • If you force a license update, changes occur immediately.
    To force a license update: On the R80.10 Security Management Server, run the following command in Expert mode:
    [Expert@HostName]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>
  • Automatic update at midnight
  • If you manually change a license or contract on a dedicated machine, changes take effect within 20 minutes
R77.30
01972797 Automatic license activation on Check Point appliances is not available on pre-R80 appliances. R80
01972899

On pre-R80 gateways, license information is updated every 20 minutes.
To force a license update, perform one of the following actions:

  • Either install security policy on the pre-R80 gateway

  • Or on the R80.10 Management Server, run the following command in Expert mode:

    • On Security Management Server:

      [Expert@HostName]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>
    • On Multi-Domain Security Management Server:

      [Expert@HostName]# mdsenv <Name of Domain Management Server>
      [Expert@HostName]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>
R80
01976925 Automatic license activation on a Multi-Domain Management Server machine works only on the MDS level and not on the Domain level. Add licenses manually for each Domain. R80
01972917 After installation, the Device License Status shows N/A and the Device License View is not accessible until policy or database are installed.
When blades are enabled or disabled, the changes are not visible in the Device License Views and Status until policy or database are installed.
R80
Networking
01622840 IPv6 addresses for management interface are not supported on R80.10 Security Management Server. R77.30
02517341 NAT64 is not supported. R80.10
Security Gateway
01584742 "Get Interfaces" action on gateway returns error "Failed to save cpmi interfaces" if interface name includes space. Gateway interface names must not include spaces. R80
02518174

If you define an exception on 'Any' Inspection Settings, the exception will not be enforced on these inspection settings:

  • ASCII only response
  • ASCII only request
R80.10
01820334,
01822697,
02364974
With MSS clamping enabled, cpstop command on the Security gateway can cause a reboot.
Refer to sk101219.
R77.30
02473855, 02479570 If the Log Server is down for a long period of time, the gateways do not try to reconnect to it and logs are saved locally.
Refer to sk116233.
R77.30
02470061 When using the 'Drop' action in a layer for SMTP, HTTP, and FTP protocols with the Application Control and URL Filtering or Content Awareness blades enabled on the layer: if the Security Gateway matches a connection not on the first packet (for example, on a rule with an application) the gateway rejects the packet instead of silently dropping it. The gateway sends a TCP reset for HTTP/FTP or sends a '554 error message' for SMTP. The client already received some packets from the server before the rejection. R80.10
02472857,
02470077
When using a rule with a legacy object in or below a rule with one of the new features that are integrated in the unified policy, policy installation on a Security Gateway fails with a verification message.
  • Workaround: change the order of the rules so that rules with legacy objects are above rules with new features.
Refer to sk115961.
R80.10
Gaia
01816080,
01822237,
01822236

DHCP Relay and DHCP Server do not function when configured together on the same Gaia OS.

  • Between DHCP Relay (routed) process and DHCP Server (dhcpd) process, the last process to start up will receive all the UDP unicast traffic. The first process sees no unicast traffic.
  • Both DHCP Relay (routed) process and DHCP Server (dhcpd) process will see UDP broadcasts.
  • If DHCP Server (dhcpd) process starts first, then this joint configuration will work, because dhcpd process only cares about UDP broadcasts.
    If DHCP Relay (routed) process starts first, then this joint configuration would fail to work, because the replies from DHCP Server that should be relayed are UDP unicasts.
Refer to sk98839.
R77.30
02039589 If the backup schedule is changed to an invalid date or time, all backup schedules are lost and error message "Backup schedule failed. The backup will not be scheduled" is displayed. R80.10
02167050,
02500673,
02491287,
02359422
Setting state of some interfaces to "off" on Gaia OS does not turn off the link on that interface.
Refer to sk112598.
R77.30
01987789,
01996692
"WARNING The following features: NameOfFeature, , provide a privilege level equivalent to that of 'adminRole'" message in Clish when adding some read-only commands to RBA role.
Refer to sk110772.
R77.30
02359678, 02360935 The /var/log/messages file is filled with Audit Logs for Gaia Clish commands:

clish[PID]: user logged from admin
clish[PID]: cmd by admin: Start executing : xxx (cmd md5: ...)
clish[PID]: cmd by admin: Processing : xxx (cmd md5: ...)
clish[PID]: cmd by admin: Start executing : exit (cmd md5: ...)

Refer to sk113897.
R77.30
02085699, 02189660 Hardware Diagnostic Tool test fails on "Self-test" for 1GbE expansion cards when an SFP transceiver for RJ45 (Copper) is connected to the appliance.
Refer to sk112857.
R77.30
01111060,
02356903,
01309032
Saving the configuration on Gaia OS times out with 'NMSCFD0026 Timeout waiting for response from database server' error.
Refer to sk113746.
R77.30
02084298, 02089780 Syslog Protocol version is not sent in syslog packets as per RFC 5424.
Refer to sk112159.
R77.30
01441743 If you change the members of a Gaia Cloning Group with many members down, you are logged out of the Gaia Portal with an incorrect error message: "Unable to connect to server".
The correct message is: "An error occurred while applying configuration change to all cloning group members" - the operation was successful only for online members. This is the normal behavior of the cloning group. This error does not indicate a critical failure.
R80
02423303, 02423845 Newly configured user (with UID that is not 0) is not able to log in from Gaia Clish to Expert mode on VSX Gateway.
Refer to sk115221.
R77.30
01621547 In a Hyper-V environment, the Virtual Machine's clock (OS time) moves faster than the hardware (Host) time. As a result, the Virtual Machine's clock drift can accumulate rapidly and prevent NTP from working correctly.
Refer to sk105862.
R77.30
01967996 When connecting to the network interfaces page in the Gaia Portal, an "Unable to connect to server" error shows.
  • To resolve, disable the Adblock EasyPrivacy extension of the Adblock plus add-on and try again.
R80
02067966 In Gaia Portal, PPPoE interfaces cannot be used as an SNMP agent interface.
In CLISH, if the user runs the command "add snmp interface ", the operation does not succeed but the user does not see a message that it failed.
R77.30
01996097,
01639840
If you restore a Security Management Server from a backup, all hotfixes installed after the backup was created will not be included on the restored server.
Refer to sk91400.
R77.30
01985269 If you refresh the browser while running the First Time Configuration Wizard, or try to run the wizard twice, one of these messages will show:
  • "Cannot install Check Point Security Management Server. Incompatible hardware"
  • "Internal Error: Cannot install Check Point Security Management Server"
  • "Cannot install Check Point Security Management Server. Please contact Check Point Technical Support."
  • After seeing one of these messages, you must reinstall the device or revert to the factory image.
R80
01983922 The last stage of the First Time Configuration Wizard takes a long time on some machines.
To see the progress of the First Time Configuration Wizard, the user must check if these files were created on the machine:
  • /etc/.wizard_accepted - means that the First Time Configuration Wizard has finished.
  • /var/log/ftw_install.log - means the First Time Configuration Wizard has started and the user must wait until the file /etc/.wizard_accepted is created.
R77.30
02386300 The Maintenance -> Maintenance page in the Gaia portal was removed. R80.10
Security Management
01786890 After upgrading to R80.10, cpconfig no longer shows an administrator.
  • You do not have to redefine the administrator. Manage administrator accounts through SmartConsole.
R80
02512932,
02518236,
02522447
Source Hide NAT is performed even when a no-NAT rule is configured.
Refer to sk117612.
R80
02475794 If a connection is matched on a limit action rule, and the connection is not configured to be rematched (the 'Keep all connections' option is selected in the Security Gateway object, or the 'Keep connections open after the policy has been installed' option is selected in the Service object), a new policy installation will cause the limit on the connection not to be enforced. R80.10
01940812 URL Filtering does not work on Edge device.
Refer to sk110219.
R77.30
02167186,
02169523,
02483407,
02496644
The "URL" field shows "*** Confidential ***" in HTTPS Inspection logs on 3rd party LEA OPSEC client.
Refer to sk101570.
R77.30
01810182, 01810870 "Unable to contact Certificate Authority on the Security Management Server" error in SmartDashboard after running "cpstop ; cpstart" commands.
Refer to sk107593.
R77.30
00419335, 01134550, 01648694 The $CPDIR/tmp/ directory is filled with 'CKP_mutex::_opt_CPsuite-RXX_fw1_log__...' files.
Refer to sk36754.
R77.30
02505270 When removing Threat Prevention from a Policy package, SmartConsole disconnects from the Security Management Server.
  • Workaround: delete the rules from the Threat Prevention policy before removing Threat Prevention from the policy package.
R80.10
02491987 "Revert exception" error and log of: "ManagementPlg.RevertToRevisionCommand - Unable to extract targetWorkSessionId from parameter" when removing a blade that is used in rules from an Ordered Layer, and then reverting revisions. R80.10
02496239

Policy installation fails with "Policy installation failed on gateway 0-2000040" error and log: "fw_atomic_add_spii_parameter: Failed to get object named <object_name>".

  • Workaround: for all hosts with a server configuration, unselect the servers. Publish. Select the servers again, and publish again.
R80.10
02514237 If you upgrade a Security Management Server to R80.10 with a user.def file that has been edited manually, make sure that the file name includes each gateway version that is managed by the server.
Refer to sk98239 for the user.def naming convention.
Refer to sk30919 for more information about the user.def file.
R77.30
02497583 Upgrade to R80.10 is not supported for a Multi-Domain Management server that contains Data Center objects imported from the Global Domain. Objects must be removed from the Global Domain prior to installing the upgrade.
  • Workaround: if you have not removed the objects, you will receive a verification failure error in the beginning of the upgrade from R80. In this case you should restart the Multi-Domain Management server (run mdsstop ; mdsstart commands) before you connect to SmartConsole.
R80.10
02496583 Managing Indicators of Compromise is not supported by command-line, only in SmartConsole. R80.10
02454086,
02452505
User p12 certificates are exported without the CA certificate.
Refer to sk115859.
R80.10
02480549 After upgrading from R80 to R80.10, SmartConsole login fails if there is an internal user with the same name as the administrator login name.
  • To resolve the conflict:
    1. Open a command prompt on the Management server
    2. Run cpconfig to create a new administrator account with a unique name
    3. Run cpstop;cpstart
R80.10
01965750 If you create or delete Domain servers of the same Domain from many Multi-Domain Servers, the Domain can become corrupted, with recovery from Check Point Support required. R80
01861349 "Check your connection settings (Proxy, DNS and gateway)" error shows after IPS and Application Control & URL Filtering update fails if there is no proxy defined.
  • To resolve the problem, run cpstop and cpstart and try again.
R80
01989136 Adding a VSX object (router, switch, or system) from the secondary Multi-Domain Server fails when the primary server is powered off. The creation wizard fails to open and an "Operation finished successfully" message shows. To resolve the issue, power on the primary Multi-Domain Server and try again. R77.30
01536203 Selecting the "Use Gaia administrator: admin" option in the First Time Wizard lets you reuse the Gaia administrator password for SmartConsole. If you later change this password in SmartConsole, the Gaia administrator password remains unchanged. R77.30
02361323 Sometimes re-assign or removal of global assignments creates conflicts with private changes on the Domain. The SmartConsole for the Domain becomes unstable and can show: "Could not load selected policy".
  • In this situation, Discard the session.
R80.10
02049156,
01712637
The Revisions View is not updated for changes in: Administrators, Permission Profiles, Trusted Clients, and some environment settings in Management & Settings. R77.30
01908530 These commands are not supported in the SmartConsole's CLI: login, logout, discard and publish. Use the SmartConsole GUI instead. R77.30
02067095 When the trial license is expired, and after adding a new license, the Security Management server does not accept any connections.
  • Workaround: stop and start the server (run cpstop;cpstart) after adding the new license.
R80.10
01963367,
01098502

QoS policy installation on 1100, 1200R and 1400 Small Office appliances succeeds, but the following warnings are displayed: "WARNING: SharedLibLoad(Name_of_Library_File.so): called from statically-linked code!"

  • These warnings may be ignored.
R80.10
01848420 Applications like Provider.exe and Fwpolicy.exe (SmartDashboard) cannot be used to connect directly to the Security Management server or the Multi-Domain Security Management server. R77.30
01493302,
01977241
Internal user names must contain only English characters. Names in other languages (unicode) will show as question marks in the Users and Administrators window. R80
02414257,
02403960
It is not possible to convert a Standalone deployment (Security Gateway and Security Management on one computer) to a cluster member of a Full HA deployment - or vice versa. R77.30
01859599 After converting a gateway to a cluster member and publishing, this error message shows: "com.checkpoint.management.coresvc.ObjectNotFounfException: Satellite object of type GatewayAggregator not found for core object..."
  • To resolve, click Discard.
R80
01950023 SIC is not allowed by default with upgraded OPSEC applications (OPSEC applications not compiled with SHA-256 support).
To fix:
  1. On the Security Management server, run: cpca_client set_sign_hash sha1 (refer to sk103840)
  2. Install Database.
R80
01963189 Changing the Security Management server's time, for example using an NTP server, while there are SmartConsole clients connected, may cause the client to disconnect from the server. R77.30
01964575 Login to primary Domain SmartConsole fails with "Database is locked by another application" error.
  • To resolve, run the cprestart command on the Security Management Server.
R80
01829764, 01381300 For Gateways below R80, 2nd layer behaves like Application Control policy. R77.30
01459162 Security Gateway / VSX gateway conversion, or conversion in the opposite direction, is not supported. R80
01952495

lvm_manager fails to resize partitions with "ERROR :Cannot kill process (id XXXXX)".

  • Workaround: boot the machine into Maintenance Mode and then run lvm_manager.
R80
01984056 "Internal error occurred during the verification process" during policy installation after reverting to a previous policy revision that has a disabled rule with an object that has been deleted since then.
Refer to sk110614.
R80
01545489 The CLI command fwm dbexport is not supported. After running the command to export the user database, the process finishes successfully but the file contains only headers, no data. R80
01988291 Install database task hangs if SmartConsole is closed before the task completes.
  • Reconnect and install the database again.
R80
01986179 Global assignment removal fails with "Object could not be deleted because it is referenced by other objects" error. If the search fails to locate the object in the domain, check each application object in the Domain for a reference to the permission profile specified in the error message.
Refer to sk110630.
R80
01989615 "Authentication to server failed" error shows when logging in to the SmartEvent server using the local administrator account (created in cpconfig).
  • Create a new administrator account with a name not used on the remote Security Management server or the Multi-Domain server managing the SmartEvent server.
R77.30
02520084

Upgrade of Secondary Management Server from R80 to R80.10 using CPUSE fails with error:
Security Gateway / Security Management R80.10 - Failed on installation:
Internal error in a hook script: fw1/bin/hook_fw1_wrapper_HOTFIX_R80.10. Contact CheckPoint Technical Services for further assistance.

Refer to sk117539.

R80.10
02449460

A clean install of a secondary Security Management Server with R80.10 requires the same installation path as the primary. If you have an HA setup in R80 and you also installed the R80 Jumbo Hotfix on the primary and secondary servers, upgrade to R80.10 as follows:

  • Upgrade the primary to R80.10
  • Install a clean secondary with R80
  • Install the R80 Jumbo Hotfix on it
  • Upgrade it to R80.10
  • Establish SIC between the primary and secondary and synchronize

Refer to sk117539.

R80.10
02532395 R80.10 Security Gateway might get specific security rules of another Security Gateway.
Refer to sk118153.
R80.10
Management High Availability
02367246 When a secondary Management server is added, the initial synchronization task starts automatically. Until it completes, the secondary peer status shows as "Failed to communicate with peer".
Wait for the initial synchronization task to complete. The peer status in the High Availability Status window will then show that the synchronization was successful.
R80
01825584 Sync failure between primary and secondary servers in a Management High Availability deployment.
  • To prevent this, make sure the interfaces are enabled before starting the processes (cpstart, mdsstart).
R80
02429653 In a Management High Availability environment which includes an invalid license, sync fails with "Failed to apply shared licenses" message.
  • Workaround: remove the invalid license according to the signature that appears in the error message.
R80.10
01810119 High Availability CLI commands like 'set standby' and 'set active' that are part of the send_command tool, are no longer available. R77.30
01948138 The initial full synchronization of a new High Availability server, either Security Management or Multi-Domain, can take a long time in large environments. R80
01999344,
02000493
Login to the Secondary Management from the Management High Availability window fails. Make sure the SmartEvent Server and SmartEvent Correlation Unit blades are not enabled on the secondary Management object. R80
01905978

In a High Availability deployment of Multi-Domain Security Management Servers, until the MDS that hosts the active Domain server has been upgraded, it is not possible:

  • To edit an administrator assigned to that Domain
  • To edit a client assigned to that Domain
  • To view global assignments of that Domain
R77.30
02497932 In a High Availability environment, if an administrator is locked on the Standby Management Server, the administrator is not locked and does not show as locked on the Active Management Server. Therefore, you cannot unlock the administrator from the Active Management Server.
  • To unlock the administrator, run the CLI command unlock-administrator on the Standby Management Server.
R80.10
Multi-Domain Security Management
01829312

Global VPN Communities are not supported in Multi-Domain Security Management.

R80
02422260,
02383687
In a High Availability environment that includes more than two Multi-Domain Servers, a synchronization problem between two specific Multi-Domain Servers only shows when connected to one of those servers. The problem does not show when connected to a different Multi-Domain Server in the environment. R80
01408631 You can use only one Global Domain, which is created automatically during installation. R80
02509073

When running Global Domain Assignment on one Multi-Domain Server for a Domain that is active on a different Multi-Domain Server, the task can stall at 5%. After a few minutes a message shows: "timeout during task progress: Could not get information regarding task completion from MDS_1 'MDS_2'".

  • Workaround: Run Reassign Global Assignment on the Domain from the first or second Multi-Domain Server.
R80.10
01891116

In Multi-Domain Security Management, OPSEC application permission profiles are not visible on the Domain's object bar.

  • Use the OPSEC application editor to change the permissions.
R80
- For Multi-Domain Log Servers, Remote Log Servers that are not defined as Domain Log Servers are not supported. R80
02491210 If two administrators create an admin account with the same name, after the first admin publishes a session, the second admin will not be able to publish or edit the admin account.
  • To fix, the session changes must be discarded.
R80.10
02506522

If you have a tag on the local host object of a global dynamic object, you cannot assign or re-assign Global Policy.

  • Workaround: remove the tag from the local object, assign or re-assign Global Policy, and then add the tag again.
R80.10
02482338 For Global SmartEvent connected to Multi-Domain Management Server, search suggestions from SmartConsole appear only for a Super user (Multi-Domain Super User and Domain Super user). R80.10
02510367 The ability to edit the list of additional information fields that can be added to a Domain, administrator, and gateway is not supported in R80.10. R80.10
02510379 The ability to find and unify similar Permission Profiles is not supported in R80.10. R80.10
01810161 A Security Management server cannot be installed as a secondary Management for a Domain server. R77.30
02507469 Domain Super User profile cannot be cloned. R80.10
01989136 An administrator defined on the Multi-Domain Server, can log in to the Global SmartEvent server in read-only mode only.
To resolve this, connect to the SmartEvent server with the local administrator account (created in mdsconfig), configure the relevant Domains and install the Event policy.
R77.30
01916186 After you upgrade a Multi-Domain Server with a IP address change, remove the license with the old IP address. If you do not do this, failures will occur in the License view and on some Management Blades. R77.30
01605414 There is no cross-Domain search for network objects. Search in each Domain for the specific network object. R77.30
01995628,
01993689
After a Global policy has been assigned to a Domain, the revert option in the Domain "Network Layer -> History" window no longer functions. R80
01654519, 01606491 You cannot assign only the Global objects used in a specific Access Control policy or Threat Prevention policy. All the global objects are assigned to the Domain. R80
01582933 Private sessions are not synchronized between Multi-Domain Servers. A session that is open on one Multi-Domain Server cannot be seen or moved to a different Multi-Domain Server. R77.30
01537986 An administrator with Manage Session permissions on a Multi-Domain Server but not on a specific Domain, can manage the session from Sessions view in the MDS level. Session publish may fail. R77.30
01718384 You cannot add licenses from the Multi-Domain Server or Domain Management configuration windows or wizards. To add licenses, click "Manage Licenses and Packages" in the SmartConsole main menu. R80
01694997 Administrator groups and Domain groups are not supported in R80 and cannot be viewed or used in the SmartConsole. R80
02513874
In Multi-Domain Security Management, OPSEC application permission profiles are not visible on the Domain's object bar. Use the OPSEC application editor to change the permissions. R80
02408361 During mds_import, the incorrect "Failed to open file 'obsolete_objects.C' " message shows.
  • This message can be ignored.
R80.10
02408823 The same system object (administrator, domain, permission profile, trusted client or Multi-Domain Server) cannot be managed from multiple peers. It can create sync failures between Multi-Domain servers.
  • If there is a sync failure, make sure sessions on different peers do not lock the same object.
R80.10
02463142 From a secondary Multi-Domain Management Server, cma_migrate gets stuck.
  • Run cma_migrate on the server with the active global policy.
R80.10
01954364 When upgrading a Multi-Domain Security Management environment, you can change the IP address of the primary MDM, but not the IP address of secondary MDMs. R80
01976542, 01980886 Each database can be migrated only once with cma_migrate. If you try to migrate the same database to another Domain Server, migration fails with the "Internal runtime error"... "The folder in the dleObject can't be null." error. R80
01980812 After you define the SmartEvent object in the global database, you must first assign Global Policy to Domain Servers so that Domain Level Only administrators can log in to SmartEvent. R80
02496769 The "Show Unused Objects" feature only shows unused objects in the local domain. It does not show unused global objects in each domain (as in earlier versions). R80.10
02432471,
02380613
After an upgrade, the global assignment fails with an error regarding multiple objects with the same name. If the search fails to locate the object in the domain, the object might be an unused OPSEC application permission profile and it can be deleted or modified using dbedit.
Refer to sk116059.
R80.10
02533587,
02534238,
02535285
Wrong gtar version after upgrade from an R80 Multi-Domain Management Server to R80.10.
Refer to sk118653.
R80.10
SmartConsole / Management Console
01282274 SmartConsole installed on a computer without access to the Internet cannot open Help files.
Refer to sk110774.
R80
02418418 After a Security Management Server upgrade from R80 to R80.10, 0 applications appear in the object bar, although all applications appear in the rule base picker.
  • Workaround: perform an Application Control & URL Filtering update.
R80.10
02446266
A Remote Access community object is not supported in the parent rule of an inline layer where the action is "Inline Layer".
  • Workaround: use "Any" instead of the Remote Access community object. You can use the Remote Access community object in the rules inside the inline layer.
R80.10
02500777 When session details enforcement is configured, publishing a remote session is not blocked even if session details are not provided. R80.10
02500051 In R80 and higher, multiple administrators can connect to the management server with SmartConsole in write mode at the same time. Therefore, switching between Read-only and Read/Write mode, which was often used in previous versions, is not an option in SmartConsole. R80
01878112 Cannot log in to SmartConsole after changing the time in the Gaia Portal.
  • To resolve the problem, restart the Management Server with the cpstop;cpstart commands or, for Multi-Domain Security Management, with mdsstop;mdsstart.
R80
02502463,
02491577
When cloning an Access Control policy with a shared Inline Layer, it is not possible to change the action of the rules in the cloned shared Inline Layer of the cloned policy.
  • Workaround: Add a rule to the cloned policy, copy the shared Inline Layer, and delete the original rules of the Inline layer.
R80.10
02492692
This procedure for renewing an expired HTTPS Inspection certificate does not work:
  1. Open the SmartDashboard GUI client.
  2. Renew the HTTPS Inspection certificate.
  3. Close SmartDashboard.
  4. Install the Policy in SmartConsole.
    SmartConsole shows the certificate is still expired, and the certificate is not renewed.
  • Workaround: After following the procedure, close and reopen SmartConsole.
R80.10
02083394,
01961299
The Device and License Status of Threat Emulation is incorrect when there is a trial license on the Security Gateway.
  • Use the Logging -> License Status view.
R80
02450861 In SmartConsole, when creating a new object in a second Object Editor, the new object is not in the list in the original Object Editor.
  • Workaround: After you close the second Editor, click OK in the IF-MAP server editor. Open the IF-MAP server editor again.
R80.10
01944489, 02007657 A VPN rule created using the "Accept all encrypted traffic" option in the VPN community object is not shown in SmartConsole. R80
02445396 The SmartConsole package cannot be installed in a directory whose path includes non-English characters. R80.10
02475601 "No errors" is shown in the Cluster object Errors tab, while cluster members do show errors. R77.30
01693797,
02297465,
01694050,
01932180
"Changing the hardware to <New_Selected_Check_Point_Appliance> Appliances is blocked" warning in R77.30 SmartDashboard when changing a hardware platform in a gateway object that is used in Identity Sharing of another gateway.
Refer to sk106434.
R77.30
01834373,
01834983
SmartDashboard does not display one of the cluster interfaces because of case-sensitive name uniqueness.
Refer to sk108264.
R77.30
01996428
Slow rendering and reaction to user interactions. SmartConsole is a Windows-based application that uses the Windows Presentation Foundation (WPF) for rendering graphics and the user interface. WPF applications are optimized to work with hardware acceleration. Under certain circumstances, the framework falls back on software rendering only, causing SmartConsole to render slowly and react slowly to user interactions. This occurs when SmartConsole runs:
  1. In a Remote Desktop (RDP) session.
  2. On Windows Server 2012.
  3. In environments with old graphics hardware drivers.
  4. In virtual environments that lack the required integration with graphics hardware.
R80
01800770 Disconnecting the SmartConsole session while creating or configuring VSX objects can corrupt the management database, after which administrators cannot make any changes to the Virtual System.
The "Internal Error: Cannot get object XXX from table vs_slot_object" message pops up.
R80
01875766,
01893219
"An unexpected error occurred - Sorry for the inconvenience, please restart the application" error in SmartEndpoint when going to the Deployment tab, expanding Advanced Package Settings, clicking VPN Client Settings and selecting a VPN Site with "CAPI-certificate" as the Authentication method.
Refer to sk109126 - Scenario 2.
R77.30
01864532
After a failure in the VSX cluster creation wizard, if Cancel is clicked, the wizard closes, but the VSX cluster and VSX cluster member objects are not deleted.
  • Workaround: Delete the VSX cluster and VSX cluster member objects manually.
R80
01652566, 01693617 When publishing a remote session through the Sessions view, there is no option to update the session name and description. Before you can publish a session, you must connect to it and set the session name and description. R80
01931336, 01816368 A customized role that has no write permissions does not appear as read-only in the Sessions view, although it is actually read-only. R77.30
01960696 The Tasks tab -> Script Results supports up to 10,000 characters only. R80
01953640,
02040770
"The communication with the server was lost" error shows after pushing the configuration to VSX objects (Virtual Systems, Virtual Routers, and Virtual Switches).
To resolve the issue:
  1. Open the directory where SmartConsole is installed.
  2. Open the "SmartConsole.exe.config" file in an advanced text editor.
  3. Locate: <WorkSessionService CloseTimeout="00:01:00" OpenTimeout="00:01:00" ReceiveTimeout="00:01:00" SendTimeout="00:01:00" />
  4. Change all instances of 00:01:00 on that line to 00:05:00.
  5. Save and close.
  6. Reconnect with SmartConsole.
R80
02458203 Policy installation includes an implicit database install operation. As a result, the policy installation task in SmartConsole only completes after the end of the database installation task. This does not delay policy enforcement on the gateway. R80.10
02346641,
02351839
In SmartConsole, "Get topology" button is not displayed when Windows zoom is set at 125% / 150%.
Refer to sk113455.
R77.30
02405050 If an administrator deletes an Access Policy or Threat Prevention Policy that was cloned by another administrator, the cloned policy cannot be published. R80.10
02475372,
02500649
When connected to a machine that runs both Security Management and Security Gateway (Standalone deployment) and has less than 6GB of RAM, SmartConsole performs slowly and disconnections may occur during policy installation or an IPS update.
Running an R80.10 Standalone configuration requires at least 6GB of RAM. Running this configuration with less than 6GB of RAM is not supported.
Specifically, 4400-12400 appliance models do not support Standalone with their default RAM (4GB) and require a memory upgrade to 8GB.
R80.10
Application Control & URL Filtering
01820710, 01919422 After upgrading to R80.10, services defined in the Application Control rulebase are overridden with the Application's recommended services.
Refer to sk109711.
R80
01910074,
01973174,
02327112
In some rare cases, some HTTPS web sites are not categorized correctly when "Categorize HTTPS sites" is enabled.
Refer to sk110475.
R77.30
Content Awareness
02436860 Content Awareness supports HTML forms using URL encoding (also known as percent-encoding). HTML form traffic encoded with Base64 or NCR (binary-to-text encodings) is not properly inspected for content. R80.10
02455334 Content Awareness can inspect different types of files of any size. A web browser or FTP client may use several connections to upload or download a file. For a web browser, this typically happens when downloading large PDF files from the Internet. In those cases, the Security Gateway inspects each connection separately, which may affect its ability to inspect text inside the file. R80.10
01917734 Binary Certificate *.cer files are not properly matched to the 'Certificates and Private Keys' Data Type. R80.10
02467456, 02338194, 02330606 Content Awareness supports the HTTP, HTTPS, SMTP and FTP protocols on any port and is fully integrated with the Access Control unified rule base. Traffic over QUIC and WebSocket is not inspected. However, it is possible to use 'Quic protocol' / 'WebSocket protocol' in a new Application rule to either block or allow this traffic.
Google Drive has its own internal methods within its protocol; therefore, file downloads from and uploads to Google Drive are not properly scanned by Content Awareness. However, it is possible to use Google Drive in a new Application rule to either block or allow this traffic.
R80.10
01998174 Content Awareness supports more than 60 character sets for text files, including Japanese, Korean, Greek, and Arabic. If the inspected traffic does not include a supported character set, Content Awareness uses UTF-8 for decoding.
To see the list of supported charsets, and to learn how to change the default charset, see sk116155.
R80.10
02452100 Content Awareness supports Data Types based on file name. In specific HTTP traffic where the file name is not part of the URL or content-disposition header, the file name may be incorrect. R80.10
Identity Awareness
02536241,
02536491
The "ResolveUPN" registry key is not part of the registry keys collected by the IDA Config Tool when creating a new MSI package.
R80.10
Threat Prevention
02381073 Custom Indicators CLI (load_indicators) is not supported. R80.10
02506918 These products do not apply Threat Prevention layer policy according to the strictest rule, but according to the order of layers:
  1. Threat Emulation blade
  2. MTA
  3. UserCheck
R80.10
02511908 On pre-R80.10 gateways managed by R80.10 Security Management server, Access Roles and vSEC are not supported in all Threat Prevention and IPS rules on the gateway. This limitation does not apply to R80.10 gateways. R80.10
02516659, 02521220, 02521398
A malicious attachment bypasses the MTA and is received by the e-mail recipient even though a "Prevent" log was generated.
R77.30
02523152, 02160279
A Security Gateway with the Anti-Virus blade enabled crashes in a rare scenario.
Refer to sk117897.
R77.30
02526956, 02531120, 02529150 The text that was configured in the Threat Emulation Profile (e.g., "[Malicious]") is not added to the mail subject of some e-mails with a malicious attachment.
Refer to sk118277.
R77.30
IPS
- Some IPS protocols from early releases are discontinued. If these are mistakenly included in the Firewall Rule Base, policy installation will fail.
For the list of Deprecated protocols and services that are no longer used by the IPS blade, refer to sk103766.
R80
01964022,
02029515
"Internal error occurred" message when trying to assign/reassign a Global Configuration at the same time that an IPS update is running on a local Domain.
  • Workaround: First run the IPS update on the local Domain. Then assign/reassign the Global Configuration.
R77.30
02515164,
02513631
When you create an exception for 'Any' Core Protection, the exception is not enforced on these protections:
  • HTTP Header Patterns
  • HTTP URL Patterns
  • CIFS File Name Patterns
R80.10
02513631,
02515164
When an IPS protection is overridden, creating an IPS blade exception does not cause acceleration.
  • To cause acceleration, create a rule in the Rule Base to match connections on a profile that has IPS deactivated.
R80.10
02512561 IPS is not supported on Dynamic IP Gateways after upgrading to R80.10. R80.10
02219579,
02252490
Thresholds for 'IPS Bypass under load' are not tunable in Full HA environment.
Refer to sk112659.
R77.30
02506866 Core Protections are activated according to the Confidence/Severity/Performance impact and not according to IPS tags. R80.10
01612788 For pre-R80.10 gateways, when configuring a Threat Prevention rule to save packet captures, the packets are saved only for Anti-Virus and Anti-Bot. Packet capture is not activated on IPS.
  • Use the IPS Protections window to configure packet capture for individual IPS protections.
R77.30
02335004,
02199090
Geo-protection does not support whitelists. You cannot block all countries and only allow specific ones.
  • Workaround: create Block rules for countries to block, and an Allow rule for "Policy for Other Countries".
R77.30
02506792 When upgrading from a pre-R80 version with the IPS Recommended Profile to R80.10, the Profile does not automatically change to the new Optimized Profile.
We highly recommend that you manually change the IPS Profile to the Optimized Profile for improved protection and performance.
R80.10
- IPS Protection Date and Time format cannot be changed from European format (dd/mm/yyyy) to American one (mm/dd/yyyy).
Refer to sk117537.
R80
DLP
02514785,
02515902
DLP can apply visible or hidden Watermark (for forensic tracking) to Office Open XML formats (DOCX, PPTX and XLSX) as a rule action in a DLP rule base.
Refer to sk117413 if DLP Watermark is used.
R80.10
Logging
02326352 Reading logs through LEA that were configured manually in the SmartLog custom settings file is not available in R80.10. R80.10
02022295 Log export is supported on visible logs only. R80
02459033 On Security Management Server with "Enable Log Indexing" option not selected, and a dedicated Log Server with "Enable Log Indexing" option selected: When you connect with SmartConsole to the Security Management Server, the Logs view shows the logs of individual log files. It is not possible to get a unified view of all the logs. R80.10
02022292 Save As to a log file is not supported. R80
02478533 SAM rules are not supported from SmartConsole. R80.10
02478527 Purge, log switch and fetch file are not supported from SmartConsole. R80.10
02022294 Fetching local files from a remote machine is available from the command line only. R80
01914623 SmartView graphics do not display properly in Internet Explorer. Accessing SmartEvent server from the web (SmartView) is supported only from Google Chrome and Mozilla Firefox. R80
01913226 Missing predefined reports. Many SmartEvent Reports are not accessible if the permission to monitor user-specific logs with Identity Awareness has not been enabled.
  • To enable it, open the administrator's permission profile -> Monitoring and Logs, and select Identities.
R80
01964600
Correlation units can be added to a remote Log Server in this way only:
  1. In SmartConsole, edit the Correlation Unit object and configure it as a Log Server.
  2. On the SmartEvent server, go to the Correlation Unit policy configuration and configure the Correlation Unit on the SmartEvent server to read the logs from the remote Log Server configured in Step 1.
R80
02444795 When using the Check Point Management Server as an external log server for a locally managed Small Office appliance, SmartLog is not supported. Only SmartView Tracker is supported for this configuration. R80.10
02354039 Sometimes, in specific scenarios, Mail Alert does not work. R80.10
02488000 In Management High Availability, the indexing mode should be the same on both primary and secondary servers. R80.10
02495815 Correlated "Web Browsing" events are not shown by default.
  • To see them: in SmartEvent, go to Event Policy -> Legacy -> Web Browsing, right-click and select "Event Format". Replace the field "URL" with the field "Resource".
R80.10
02515998
After upgrade from R80 to R80.10 with a distributed Correlation Unit, the Correlated Events Report does not contain all events.
  • Workaround: Re-index the data by running the following on the SmartEvent server:
    evstop
    rm $INDEXERDIR/data/FetchedFiles
    rm -r $RTDIR/log_indexes/audit*
    rm -r $RTDIR/log_indexes/other*
    rm -r $RTDIR/log_indexes/firewallandvpn*
    rm -r $RTDIR/log_indexes/smartevent*
    evstart
R80.10
SmartLog
- If you upgrade a Security Management server or Log server running SmartLog, SmartLog indexing files will be lost.
To keep the logs, do one of these:
  • After the upgrade, copy the log files from the old server to the new server and re-index (refer to R80.10 Logging and Monitoring Administration Guide)
  • Use the new Open a Log File feature in the SmartConsole Logs and Monitor view
R80
- SmartLog Indexing mode is not enabled by default after upgrade or new installation, on Smart-1 205, Smart-1 210, or Open Servers with less than 4 cores. R80
- To change SmartLog mode from Indexing to Non-Indexing on a Domain Management Server or Domain Log Server, edit the Domain Server object on the Domain level. There is no option to change the entire Multi-Domain Server or Multi-Domain Log Server to Non-Indexing mode. R80
- In SmartLog Non-Index mode: free text search is applied only to specific fields (such as source, destination, and service), there is no Top Results pane, and the Threat Prevention Rulebases and Profiles logs tabs do not show log results. R80
- Users connected with SmartConsole to a specific Domain cannot see Global objects assigned to this Domain in SmartLog log results, and cannot search by Global objects (but can search by IP address). R77.30
SmartView Monitor
00545271 Block Intruder (SAM) is not supported. R80
SmartEvent
- SmartEvent Intro is not supported. R80.10
01940335 In R80.10, you can only define SmartEvent at the global level and then configure it to read logs from one domain or a number of domains. SmartEvent cannot be defined in a specified domain. R77.30
02101182,
02107751
SmartEvent stability problem while connecting to R77.30 Multi-Domain Management.
Refer to sk112238.
R80
02502558 SmartEvent cannot be enabled on a 5400 Security Appliance. R80.10
02478455 Events Grid is missing from SmartEvent. R80.10
02478452 The Ticketing feature is missing from SmartEvent. R80.10
02422716 For R80.10 SmartEvent connected to R77.x Security Management Server or Multi-Domain Management Server: If an object is not listed in the Log Servers table in the Correlation Unit settings, change the object from the SmartConsole (for example, its color). This will cause the re-synchronization of the object. R80.10
01995448
On an R80.10 dedicated SmartEvent server that is assigned to an MDS, when you enable or disable a blade, the license information is not immediately updated. An automatic update takes place at midnight. To update immediately:
  1. On the server's command line, run:
    $CPDIR/bin/esc_db_complete_linux_50 activation_data entitlement_data
  2. If you manually change a license or contract, the changes take effect immediately.
R80
02331551 It is not possible to generate a separate report for each Domain Management Server in R80.10 SmartEvent.
Refer to sk113494.
R77.30
02484638 After disabling Firewall sessions in the SmartEvent policy, the records of Firewall sessions disappear from reports and views. If you enabled Firewall sessions in order to see Firewall data in reports or views, generate the report or examine the view *before* disabling Firewall sessions. R80.10
02499980 For R80.10 Global SmartEvent connected to a Multi-Domain Management Server: Search suggestions from SmartConsole appear for Super Users only (Multi-Domain Super User and Domain Super User). R80.10
SmartUpdate
01885225 Gateway packages do not show for Domain gateways, when you open SmartUpdate from the SmartConsole Multi-Domain view. You must connect to SmartConsole for each Domain to see the packages for its gateways. R77.30
02415990, 02419964, 02416200, 02419960 In SmartUpdate on Windows Servers, "Generate cpinfo" does not work.
Refer to sk115193.
R77.30
SmartProvisioning
- SmartLSM and SmartProvisioning are not supported in R80.10.
Refer to sk117159 for details. In addition, you can register for the LSM EA program by sending an e-mail to EA_SUPPORT@checkpoint.com.
R80.10
SecureXL
02390699,
02507195,
02500038,
02398953
Asymmetric traffic is dropped on Security Gateway with enabled SecureXL and several Bridge interfaces.
Refer to sk114976.
R77.30
02459107,
02461409
Computers with dynamically assigned IP addresses are not able to access web sites by their URLs when SecureXL is enabled.
Refer to sk116160.
R77.30
02528028
The commands "sim nonaccel [-s |-c] <interface_name>" work as expected, but their output is misleading:
  • Both the "sim nonaccel -s <interface_name>" command and the "sim nonaccel -c <interface_name>" command display the following output:
    Changes will take affect until the next time acceleration is started
    or the relevant interface(s) are restarted.
    The correct meaning is "Changes will NOT take affect until..."
  • The "sim nonaccel -c <interface_name>" command displays the following output:
    <interface_name>: set as not accelerated.
    The correct meaning is "<interface_name>: set as accelerated".
R77.30
ClusterXL
01646584,
01879544,
01657956
Various traffic issues on cluster due to FWD daemon taking all slots on cluster subscriber list.
Refer to sk109596.
R77.30
02409452, 02416469 Flapping of cluster members with Bond configured in Load Sharing mode when the neighboring switch is rebooted.
Refer to sk114993.
R77.30
01709078,
02292039
Some Remote Access VPN clients are not able to connect to ClusterXL in Load Sharing Unicast mode with enabled CoreXL.
Refer to sk106745.
R77.30
01715078,
01717878
Output of "cpstat ha -f all" command shows status of some VLAN interfaces as "Partially up".
Refer to sk106488.
R77.30
00545387,
01104217,
01145895,
01153486, 01295463,
01345084,
01348870,
01531739
Host on network shows an error about duplication of its IP address when ClusterXL with VMAC is used.
Refer to sk92364.
R77.30
CoreXL
02512795 CoreXL FW Instance #0 processes most of the traffic when the VPN blade is enabled but no VPN encryption domain is defined.
Refer to sk117435.
R77.30
Dynamic Routing / Advanced Routing
02014942,
01664745
RIPNG runs only on the master router, which has the link-local address. Because VRRPv3 installs the link-local address only on the master, during failover the new master gets the link-local address and RIPNG runs only on it. As a result, RIPNG does not synchronize its states or routes between the VRRPv3 group members. R80
01842491, 01844272 BGP routemaps stop working correctly after Gaia OS upgrade from R75.4X / R76 versions to R77.10 and later versions.
Refer to sk108497.
R77.30
01888022,
01959704,
01968564
It is not possible to configure a routemap for each BGP peer on Gaia OS.
Refer to sk110477.
R77.30
02426496,
02427038
RouteD support for OSPF LSA of Type 10 and Type 11.
Refer to sk115314.
R77.30
02422231,
02446097
Traffic outage on VSX Gateway with configured OSPF when adding a new Virtual System.
Refer to sk115333.
R77.30
02454663,
02455061
RouteD daemon crashes with core dump file when a BGP route is configured with an invalid nexthop. R77.30
01721813,
02292520,
02044390,
02074144,
02043549,
02040259
New routes configured in Virtual System object are not shown as "Hidden" on Virtual System, which causes VSX internal IP addresses to be published to Dynamic Routing protocols.
Refer to sk109738.
R77.30
01338366,
02014813
On a Security Gateway that is configured with DHCP relay and automatic Hide NAT for the network(s) that the DHCP requests come from, DHCP offers are dropped at the gateway.
This message shows: fw_log_drop_ex: Packet proto=17 40.81.81.3:67 -> 44.81.81.6:67 dropped by fw_conn_inspect Reason: post lookup verification failed;
  • Workaround: before the Hide NAT rule, add a NAT rule that prevents the translation when traffic is on port 67 and is going to the DHCP server. Make the NAT rule similar to this:
    Original Packet:
    Source = Source network(s) for DHCP requests
    Destination = DHCP server
    Service = UDP_bootp
    Translated Packet:
    Source = Original
    Destination = Original
    Service = Original
R80.10
02368204,
02385742
The current length limit on the values of database bindings is 128 characters. Therefore, any value that exceeds that limit may be truncated on display. R80.10
01474954 Fast failback with OSPF GR is not supported. A restart or failover during GR results in traffic outage.
  • To prevent: wait for OSPF GR to finish. Use "show ospf interfaces" or "show ospf summary" commands to see the status.
R80.10
01685327 BGP routes cannot be used to establish connections to Multi-hop peers. R80.10
02048037 If the interface is deleted from the SmartDashboard without deleting the associated cluster VIP, the routing daemon has no way to delete the VIP later on.
  • Do not delete an interface before deleting the associated cluster VIP from the SmartDashboard.
R80.10
01849054 IPv6 ECMP is not supported.
  • Workaround: disable ECMP for BGP when using IPv6.
R80.10
01490849 In VRRP mode, the OSPF state is not synchronized and a new master cannot take the helper responsibility from the previous master.
  • To prevent: do not fail over members if an OSPF neighbor is in the process of restart.
R80.10
01499120 A change in topology can cause an unsuccessful exit of OSPF GR.
  • To prevent: make sure there are no route or topology changes during the process.
R80.10
01910711,
01921543
In VSX, BGP Multihop does not work correctly when configured on a Virtual Router. Do not configure it. R80.10
01920724 RouteD with BGP Multi-hop consumes 100% CPU. If RouteD receives a route to the BGP peer from the peer itself, and that route has a lower rank than the route used to establish the BGP connection, the received route becomes active and RouteD starts using it to connect to the peer. Because in BGP Multi-hop RouteD cannot use BGP routes to connect to peers, the BGP peer route is then deleted and the original route is restored. This cycle repeats endlessly and causes the high CPU utilization.
  • To prevent: make sure that self-routes do not become active in a BGP Multi-hop deployment.
R80.10
- OSPF configured on a loopback interface is not added to OSPF database in Cluster on Gaia OS.
Refer to sk117794.
R75.40
VSX
01748274,
02029526
"<VSX object name> is used by another object and cannot be deleted." error in SmartConsole when trying to delete a Virtual System, Virtual Router, or VSX Gateway.
  • Before deleting a Virtual System, Virtual Router, or VSX Gateway, first disable the IPS blade on the VSX object and push the configuration (requires SIC).
Refer to sk113932.
R80
00892773 VTI interfaces are not supported in VSX mode. R77.30
01298013,
01347319,
01356763
The "vsx_util reconfigure" command fails with "Failed to fetch configuration information from".
Refer to sk98001.
R77.30
01465442,
01436496
An upgraded cluster member goes into Ready state after the reboot, even before the rest of the cluster members are upgraded.
  • Workaround:
    1. Run the cphaprob state command to verify that all the Virtual Systems are in Ready state.
    2. Run the ps -elL | grep fwk command to verify that the fwk process is running on every Virtual System.
R77.30
02037129 To allow switching from 32bit to 64bit fwk processes, run the vs_bits script command only from a VS0 context. Switching to vs_bits 64 from a context other than 0 will cause vs processes to go down. R80.10
01275204,
01978034
In SmartView Monitor, Firewall History and System History system counters do not show any data. R77.30
01562612 If a Virtual System is the Hub of a Star VPN Community, it cannot support SmartLSM gateways as satellites. R77.30
01618097 The vsx_util reconfigure command on Security Management Server / Domain Management Server fails to resume with "Error: Interface 'Interface_Name' exists in the management database, but not on the gateway".
Refer to sk105441.
R77.30
02338729,
02338820,
02338954,
02338696
During policy installation, Virtual Systems on VSX VSLS cluster shortly go to "Down" state due to "Interface Active Check" pnote.
Refer to sk114234.
R77.30
01459867,
01472369
When you create a new bond in Gaia Clish with only two physical slaves, the output of cphaconf show_bond command shows the second added slave as "Not available", and the bond cannot fail over.
Refer to sk105999.
R77.30
01548786 The vsx_util change_mgmt_subnet command does not support IPv6. R77.30
Endpoint Security (SmartEndpoint)
02089667 Concurrent sessions are not supported in SmartEndpoint. Only one administrator may use SmartEndpoint to make policy changes at any time. R80
02410161 After CPUSE upgrade from R80, if you open SmartEndpoint and install policy, the "General Properties" policy sometimes shows as disabled.
  • Workaround: Press the Install Policy button and continue your work.
R80.10
02062057,
02064416
The "Challenge Format" column text, shown in a table within the "Installation" dialog of SmartEndpoint, is wrong.
Refer to sk112158.
R80
02082518 Permission profiles with Endpoint Security-specific permissions cannot be configured. R80
02488912 The 30-day trial license is not automatically installed when you activate Endpoint Security. You can use the 15-day Demo license that is automatically installed and then you must get an Evaluation or Product license. R80.10
01907703, 01909558 Garbled characters in Action name in SmartEndpoint.
Refer to sk109575.
R77.30
01483870 On E80.64 Endpoint Security clients managed by R80.10 Endpoint Security Management Servers, temporary pre-boot bypass is not supported. R80.10
02493400 After upgrade from R77.30, customized Endpoint administrator roles get read-only permissions only. R80.10
Mobile Access
02434256 Multiple authentication schemes or realms that were configured in GuiDBedit do not persist after an upgrade to R80.10.
Refer to sk115856.
R80
02466757 When Mobile Access is included in the Unified Access Policy, in Mobile Access Authorization logs -> Log Details -> Matched Rules, the Mobile Access Application name and Category do not show. R77.30
02361011 When using Mobile Access file shares with VSX, DNS resolution of the hostname might not work correctly with file shares.
  • Make sure that the /etc/resolv.conf file is configured properly, or use this workaround:
    Change the value of the 'vsxMountWithIPAddress' property in $CVPNDIR/conf/cvpnd.C from 'false' to 'true'. The file share then uses the host IP address for the mount instead of the hostname.
R80.10
01945563,
01881116
ECDHE was removed from the cipher list, because it is incompatible with the fix for CVE-2015-2808.
Refer to sk106499.
R77.30
02441423 "Dynamic ID authentication failed" error shows due to incorrect proxy settings after upgrading a Mobile Access gateway to R80.10.
  • Workaround: Configure the correct proxy settings in Gateway Properties -> Network Management -> Proxy. In earlier versions, Dynamic ID authentication took proxy settings from Gateway Properties -> Mobile Access -> HTTP Proxy.
R80.10
01838105 Internet Explorer 9 does not allow the HTML5-based new user interface of Mobile Access File Sharing. If you attempt to use IE9, the Security Gateway uses the old UI for File Sharing. R80.10
02475436 If you use the Outlook Anywhere application with Mobile Access Reverse Proxy, and then want to disable Outlook Anywhere or Reverse Proxy, perform these steps:
  1. Delete the Outlook Anywhere rule from the reverse proxy.
  2. Run "cvpnrestart --with-pinger" to close all open Outlook Anywhere connections.
    If you do not perform step 2, open Outlook Anywhere connections are not closed and users can still work with it.
R80.10
02383560,
02398086
When users are connected to the Mobile Access Gateway with SSL Network Extender in Application Mode, Downloaded-from-Gateway applications do not work inside Endpoint Security On Demand Secure Workspace. R80.10
01244809,
01386596,
01353737,
01294173
SSL Network Extender in Application Mode does not support applications that connect to IPV4-mapped IPV6 addresses.
Refer to sk97444.
R77.30
01659093 If the "Policy Source" of a Mobile Access gateway is configured to "Unified Access Policy", rules that contain Network Object with IPv6 addresses are not matched by the Mobile Access blade. R80.10
01184657,
01356327,
01913441
Disabling the Floating Navigation Bar (FNB) via GuiDBedit Tool does not disable the FNB in the Web Application.
Refer to sk109254.
R77.30
01595256,
01586057
The Mobile Access Portal does not support Web-Form SSO for Citrix StoreFront Web interface. R80.10
02421046 After upgrading a Standalone (Management and Gateway) or VSX deployment with Mobile Access blade enabled, the "Allow Dynamic ID for mobile devices" option might be enabled by default, even if Dynamic ID was not configured prior to the upgrade.
  • If you do not want Dynamic ID authentication for Capsule Workspace users, disable it in:
    Gateway Properties -> Mobile Access -> Authentication -> Compatibility with Older clients -> Settings -> Capsule Workspace section -> clear Enable DynamicID.

    For VSX, this configuration is done per Virtual System.
R80.10
02452563 Mobile Access Portal users who use Outlook Web Access 2013 in the portal with NTLM authentication get authentication messages similar to: "Authentication Required https://mab-portal-addr requires a username and password".
Refer to sk115936.
R80.10
02457791 Occasionally on Windows XP, the desktop background inside SecureWorkspace might appear distorted. R77.30
01147075,
02302626
Mobile Access Portal supports Outlook Web App 2013 / 2016 only with the Path Translation (PT) method. The Hostname Translation (HT) method is supported when cookies on the endpoint machine are configured. The URL Translation (UT) method is not supported. R77.30
02526048,
01838814
Endpoint Security on Demand Secure Workspace does not automatically support Windows 10 Creators Update or later versions.
R77.30
- Mobile Access does not support viewing or editing files with 'Office Online apps', Microsoft's browser-based Office applications. Outlook Web Access is supported; however, you cannot open or edit Office Online app files from emails. R77
02550531,
02551894
Sometimes mail addresses are truncated when sending the one-time password for DynamicID.
Refer to sk119254.
SSL Network Extender
01432574,
01432727,
01461593
The SSL Network Extender connection from command line "snx -l <CA_Di>> -s <Server>" fails with "SNX: Authentication failed" when authenticating with a user certificate.
Refer to sk101588.
R77.30
VPN
01311326,
01455241,
01357377
When using a VPN client, activity logs are not generated for ICMP traffic. R77.30
02498996 When using Trusted links, encrypt and decrypt logs are issued even though the traffic on the links is not encrypted. R80.10
02065326 R77.30 and lower gateways do not support R80.10 gateways that are configured as NAT-T initiators. The R77.30 and lower gateways only recognize 3rd-party devices for NAT-T initiation. R77.30
02455402 The VPN client shows as "Not Compliant" when it is not compliant according to the local.scv file, even if SCV is disabled.
  • Workaround: Configure the VPN site again on the client.
R80.10
01874986 Convert Traditional VPN to Simplified is not supported. R80
02369930 NAT-T initiator is not supported on VSX Gateways. R80.10
02514005,
02534915,
02529275
  • DAIP devices deployed as VPN Satellite gateways do not support VPN link fail-over from a static link (using a permanent IP address) to the DAIP link, or vice versa.
  • Trusted interfaces are not supported for DAIP devices.
R77.30
Compliance
01958788,
02030225
The SmartConsole client is not aware of license or quota changes in real time: the 'License quota Exceeded' alert does not pop up immediately when the license quota is exceeded.
Reopen SmartConsole in the Compliance blade to see the license changes.
Quota data changes in the entitlement or in Compliance are updated after:
  • Compliance midnight scan
  • License changes
  • cpstop;cpstart
R80
02458793 In a Multi-Domain Management environment, in the local domain policy, some Compliance best practices, which validate the status of rules in the policy, incorrectly identify the section header, "Parent section for domain rules," as a rule, and report it as not valid.
  • Workaround: manually exclude this result from the Best Practices view.
    In the Best Practices view, select the practice. In the bottom pane -> Relevant Object section -> double-click the desired rulebase object and disable the rule/section from the list.
R80.10
02478814 When there is more than one policy, and a rule changes, Application Control and URL Filtering Best Practices will show incorrect scores until a full scan is run. R80.10
02510421

In the Compliance blade, if you deactivate a relevant object of a best practice and then make a change in the relevant object, the relevant object changes to be active.

  • Workaround: deactivate the relevant object again.
R80.10
02449324, 02478559 In a Multi-Domain environment, policy changes in the Global Compliance Policy do not trigger a partial Compliance scan. R80.10
QoS
- Convert QoS from Express to Traditional is not supported. R80.10
Small Office Appliances
01921211 R80 Security Management cannot manage a Security Gateway 80 appliance with a firmware version lower than R75.20. R80
01939263 "Commit function failed" error on policy installation failure on 1100 series appliance.
Refer to sk105217.
R77.30
01914944,
01917280
SIC error status might occur when the gateway object is defined in a "Management first" scenario before it is deployed, but the device's IP address is already accessible. The Security Management tries to create SIC with the gateway's IP address. Instead of the policy ending in a "waiting for first connection" status, an error message states the SIC status must be rectified first. R77.30
02403004

When installing policy on a Small Office Appliance without establishing SIC, an incorrect warning message is shown for the Threat Prevention policy: "Installation pending, waiting for first connection".

  • Establishing SIC resolves the issue and policy installation can be performed.
R80.10
02473736,
02300903
A QoS policy cannot be prepared in advance for R75.20 1100 appliances, to be fetched later. QoS policies must be installed and cannot be pulled. R80.10
02513131

In Small Office appliance policy installation, services that are manually configured with INSPECT code including the definition "CALL_XLATE_FOLD_FUNC (..." will cause a policy installation failure.

  • Workaround: remove the "_FUNC" from the definition and use "CALL_XLATE_FOLD (..."
R80.10
60000 / 40000 appliances
02506836 R80 / R80.10 Security Management cannot manage 41000 / 44000 / 61000 / 64000 appliances running R76SP.40 and above, when Threat Emulation blade is enabled. R80
vSEC Controller
- vSEC objects (Data Center Servers and Data Center Objects) are not supported in NAT policy. R80
- If the Data Center Server's certificate that the user has trusted is replaced, communication with the Data Center Server fails and a log is sent.
  • To resolve, open the Data Center Server object in SmartConsole and click "Test connection".
R80
01970321

vSEC objects (Data Center Servers and Data Center Objects) are not supported in:

  • Network Group objects
  • Global Domain
R80
- A Multi Domain Server that contains imported Data Center Objects in the Global Domain is not supported in the upgrade. Objects must be removed from the Global Domain prior to installing the upgrade. R80
01683557 Changes to the IP address of a Data Center object are enforced after approximately 30 seconds. This interval (the autoUpdateIntervalInSeconds parameter) can be configured globally or per Data Center server type as described in sk112855. R80
- Upgrade from R77.30 Security Management Server with installed R77.30 vSEC Controller to R80 Security Management Server is not supported. R80
- CPRID communication (TCP port 18208) must be allowed between the Management Server and the Security Gateway and throughout the network (use the Check Point predefined service 'FW1_CPRID').
Refer to sk52421 and open the ports used by Check Point (especially TCP port 18208).
R80
- Update of the vSEC Gateway with IP mappings for newly imported Data Center objects:
When performing "Import of Data Center Objects" into the policy and policy installation, a time interval that is greater than / equal to the value of the enforcementUpdateIntervalTime parameter will pass before the IP mapping of the new objects will be communicated to the vSEC Gateway, and the new rules will be enforced (refer to sk112855).
R80
- vSEC Controller does not support overlapping or duplicate IP addresses on the same Security Gateway. R80
- Logs for rules with Subnets, AWS Security Groups, Microsoft Azure Network Security Groups or VMware NSX Security Groups will contain only the IP address and will not contain the instance name. R80
- Non-ASCII characters in 'Data Center Object' names might lead to bad parsing of object text while updating it on the vSEC Security Gateways and in SmartLog logs as well. R80
- In case Data Center object's name includes non-English characters, enforcement would work, but the name of this Data Center object will not appear in SmartLog log. R80
02438266 Official VMware Tools must be installed on a VM in order for vSEC Controller to successfully poll IP addresses.
Install the VMware Tools for your specific version.
For more information, refer to: VMware Knowledge Base 2004754: Installing and upgrading VMware Tools in vSphere.
R80
02413946 "Failed to update Data Center server objects on gateway <Name of the Deleted vSEC Gateway object>" log in SmartLog on R80 vSEC Controller.
Refer to sk114956.
R80
02419442 There is no Policy Verification for overlapping and contradicting rules for Data Center Objects hierarchy. Policy Verification checks that rules do not contradict or hide other rules taking into account network objects containment. For Data Center objects, the verification is done for rules using the same objects. Data Center Objects containment that results from the objects' hierarchy (for example, Resource Pool that contains a Virtual Machine) is not considered. R80
02419560 Policy that contains Data Center Objects is not enforced immediately after the policy installation.
It takes time for the vSEC Controller to update the vSEC Gateway.
R80
- Significantly low throughput when using "Virtio" Interfaces in vSEC Gateway Network Mode running on KVM.
Refer to sk114499.
R77.30
00566886

CPU consumption for the vSEC Gateway for NSX might show inaccurate results. To resolve this issue, reserve CPU resources on the ESX:

  1. In the vSphere client, right click the vSEC Gateway for NSX.
  2. Select Edit Settings.
  3. On the Resources tab, move the Reservation slider to allocate a guaranteed CPU share (in MHz).
R77.30
02420907 Non-ASCII characters (non-English languages) in 'Data Center Server' properties (i.e., the user, password and shared secret fields) are not supported.
(If an object name contains one of the above characters, enforcement will not work.)
R80
02413226

'Data Center Object' names should not contain the following characters in their name:

  • "{" - opening curly bracket
  • "}" - closing curly bracket
  • "[" - opening square bracket
  • "]" - closing square bracket
  • "<" - less than
  • ">" - greater than

(In case an object name contains one of the above characters, enforcement will not work.)

R80
02462704 A Data Center object with an empty name cannot be imported into the security policy. R80
02457148 In the $VSECDIR/conf/vsec.conf configuration file (sk112855), there is no verification for minimal value of the enforcementSessionTimeoutInMinutes parameter. R80
02459679 The $VSECDIR/conf/vsec.conf configuration file (sk112855) is not synchronized in Management HA and must be edited on both Management Servers separately. R80
02499863 For MDS HA managing a VSX gateway, a domain server must be deployed on all MDS servers that manage the VSX gateway installed with imported data center objects.
Note: this instruction applies to the VSX object. It is not mandatory for the virtual systems.
R80
02500446 VS Cluster first policy installation should not include Data Center Objects.
Note: If this cannot be achieved, a full-sync must be run on the cluster by running the following on the standby member:
  1. fw ctl setsync off
  2. fw ctl setsync start
R80
02500441

Integrating Data Center server to a Domain Server created with an IP address that was used in previously deleted Domain Server may cause vSEC Controller to malfunction.

  • To resolve, restart the vSEC Controller process using the vsec_controller_stop command.
R80
- The case (upper/lower) of a Resource Group object name might not be consistent and might differ from the Resource Group name as it appears in the Microsoft Azure Portal. R80
- The time on the Gaia OS must be synchronized with the current time.
Otherwise, polling of information from AWS might fail.
R80
- The region name that was selected in the "Create New AWS Server" view, might appear as the region code name in the import view. R80
- The value of the AWS Tag "Name" that appears as part of the object's name, will be truncated after the first 100 characters. R80
02472202 IPv6 information is not imported for Data Center Objects in Public Cloud.
vSEC Gateways in Public Cloud do not support IPv6.
R80
- Imported Data Center Tag Object ("Key" or "Value") with zero members will be marked as "Object is inaccessible / deleted on Data Center Server" in the SmartConsole, and you will not see updates for this object. The object will remain in this state even if new members are added to this object.
On the other hand, the dynamic enforcement would start working again at the moment new members are added to this object.
  • Workaround: Re-import the object.
R80
- Data Center Tags:
  1. Tags keys and values longer than 100 characters will be truncated to the first 100 characters and "..." will be padded to the end of the tag.
  2. In Microsoft Azure, Tag keys are case-insensitive, whereas Tag values are case-sensitive.
    In vSEC Controller, both Tag key and Tag value will be treated as case-sensitive.
    Meaning, the same key/value in different case will be shown on 2 separate lines in the picker.
R80
- VSX mode is not supported on R77.30 Gateway installed on Amazon Web Services or on Microsoft Azure. R80
02462845 OpenStack HTTPS authentication is using tokens that expire according to OpenStack configuration. Upon token expiration, new HTTPS session is created, and log indicating authentication failure is sent. R80
01372023 vSEC Controller is supported only on Gaia OS. R80
- Upgrading to R80.10 - Before upgrading the vSEC Controller Hotfix from the R80 Security Management Server / Multi-Domain Security Management Server with the vSEC Service Registration Hotfix, you must first uninstall the vSEC Service Registration Hotfix. This ensures that services that are deployed are not impacted during the upgrade process.
Refer to "Upgrading the vSEC Controller" in the R80.10 vSEC Controller Administration Guide.
R80
- Changes in connection properties (such as credentials or URL) of an existing Data Center Server take effect only after the changes are published in SmartConsole (e.g., importing objects, updating objects, etc.) and policy is installed on the vSEC Gateway (so that it updates the IP address mappings for Data Center objects). R80
- Changes in connection properties (such as credentials or URL) of an existing Data Center Server, followed by policy installation, require the Security Gateway to initialize all IP address mappings for Data Center objects in all enforcement sessions. R80
01968060 If either Identity Awareness API is not installed on the Security Gateway, or installed, but disabled, then vSEC objects (Data Center Servers and Data Center Objects) are not enforced by the Security Gateway, and are considered as objects without IP address.
There is no indication in SmartConsole about the missing configuration.
R80
-

To enforce security policy with imported Data Center objects, the following conditions must be met on every vSEC Gateway, on which such policy is installed:

  • vSEC Controller Enforcer Hotfix must be installed
  • Identity Awareness blade must be activated with Terminal Servers authentication
The R80.10 vSEC Controller Administration Guide describes the procedure for enabling this functionality.
R80
01965783

In case a Security Gateway works with vSEC Controller and other IDA identity sources, there must not be IP addresses belonging to Data Center objects also associated to Machines in other IDA Identity Sources. Such overlapping can result in disassociation of the IP addresses from either the Data Center object or Access roles with such Machines and improper Security Policy enforcement.

R80
02010025 Data Center objects and standard network objects are not supported in the same rule cell. R80
- Security Tag names must contain only alpha-numeric characters. Otherwise, Threat Prevention Tagging will not work. R80
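The naming limitations above (02413226: forbidden bracket characters; 02420907 and the non-ASCII entries: non-English characters break enforcement or SmartLog display; 02462704: empty names cannot be imported; and the Security Tag rule: alphanumeric only) are all silent failures at enforcement time. The following pre-import check is an added example and not Check Point code; the function names and the sample object names are constructed for illustration. It flags names that the entries say will not enforce or will not log correctly, so they can be fixed before the policy is installed.

```python
"""Pre-import checks for vSEC Controller object names (added example, not Check Point code)."""
from dataclasses import dataclass, field
from typing import Iterable, List

# Characters the 02413226 entry lists as breaking enforcement in Data Center Object names.
FORBIDDEN_DC_NAME_CHARS = set("{}[]<>")


@dataclass
class CheckResult:
    name: str
    ok: bool
    problems: List[str] = field(default_factory=list)


def check_data_center_object_name(name: str) -> CheckResult:
    """Return the problems a Data Center Object name would cause at enforcement time."""
    problems = []
    if name == "":
        problems.append("empty name: object cannot be imported into the policy")
    bad = sorted(c for c in set(name) if c in FORBIDDEN_DC_NAME_CHARS)
    if bad:
        problems.append("forbidden characters (enforcement will not work): "
                        + " ".join(repr(c) for c in bad))
    if any(ord(c) > 127 for c in name):
        problems.append("non-ASCII characters: gateway parsing and SmartLog display may break")
    return CheckResult(name, not problems, problems)


def check_security_tag_name(tag: str) -> CheckResult:
    """Threat Prevention Tagging needs a Security Tag name made of alphanumeric characters only."""
    problems = []
    # str.isalnum() is False for the empty string, so an empty tag is rejected here too.
    if not tag.isalnum() or not tag.isascii():
        problems.append("Security Tag name must contain only ASCII letters and digits")
    return CheckResult(tag, not problems, problems)


def check_all(dc_names: Iterable[str], tag_names: Iterable[str]) -> List[CheckResult]:
    """Run both checks and return only the failing results."""
    results = [check_data_center_object_name(n) for n in dc_names]
    results += [check_security_tag_name(t) for t in tag_names]
    return [r for r in results if not r.ok]


if __name__ == "__main__":
    # Constructed sample input; not taken from any real environment.
    sample_dc_names = ["web-tier", "db<prod>", "", "Gruppe-Käse", "app[1]"]
    sample_tags = ["Quarantine", "quarantine-high", "Infected"]
    for r in check_all(sample_dc_names, sample_tags):
        print(f"{r.name!r}: " + "; ".join(r.problems))
```

Run the check over the object and tag names exported from the Data Center Server before importing them into SmartConsole; anything it reports would otherwise surface only as a rule that does not match or a SmartLog entry with a missing name.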
- The IP Address of a vSEC Gateway for NSX that is configured in SmartConsole must be the same IP Address assigned to interface eth0. R80
- Threat Prevention Tagging is disabled when Security Tag is removed. No log is sent in such a case. R80
- VMware NSX object - IP Set objects are not supported. R80
02070398 Importing a 'Data Center Object' hierarchy object that contains one of the vSEC Gateway's IP addresses might lead to service drops. Therefore, the vSEC Gateway's IP addresses must be excluded in an additional rule. R80
-

Running the command fw unloadlocal on a Security Gateway with a Security Policy that includes Data Center objects will disassociate the IPs from the Data Center objects.

  • To restore this information, after policy is installed run vsec_controller_cli and resend the enforcement data to the appropriate Security Gateway.
R80
- vSEC objects (Data Center objects) are not supported in Threat Prevention Exceptions that are installed on R77.20 and R77.30 vSEC Gateways
(R80.10 SmartConsole - "SECURITY POLICIES" app - "Threat Prevention" section - "Exceptions").
R80
- vSEC for Cisco ACI controller IP addresses mapping and updates are based on ACI fabric IP learning capabilities, which requires enabling of unicast routing on the Bridge Domain containing the EPG. R80
- Cisco APIC object - L3 External EPG objects are not supported. R80
- Cisco APIC versions lower than 2.1:
The Cisco ACI fabric does not age out individual endpoint IP address mappings as long as one of the IP addresses responds to keep-alive ARP Requests from the fabric. As a result, these stale IP addresses will also be learned by the vSEC Controller.
R80
-

Supported fabric size: The total amount of all the following objects must not exceed 100,000:

  • Tenants
  • Application Profiles
  • EPGs
  • IP addresses
R80
- APIC HTTP URLs, which redirect to HTTPS, are not supported.
  • Use either HTTPS URLs directly, or HTTP without redirection.
R80
- Mixing both HTTP and HTTPS APIC URLs in the connection properties is not supported. R80
- When multiple APIC URLs are specified, the connectivity test succeeds as long as one of the URLs connects.
There is no requirement for initial verification of all the URLs.
R80
- On failure to connect to all the given APIC URLs, the returned error message is for the first unsuccessful URL. R80
- Changes to privileges of the APIC user that was used to create the Data Center object, are not reflected during an active login session.
For example, if a new security domain is added to the user, which allows him to see a new tenant, this will not be visible to the APIC scanner.
  • Workaround: run the vsec_controller_stop command on the vSEC Controller to restart the vSEC Controller services and force a new login.
R80
-

If an imported APIC object is deleted in the APIC, and then re-created with the same name, then this object will remain marked as "Object was deleted on Server" in the GUI, and you will not see updates for this object (IP changes, description changes, etc.).
On the other hand, the dynamic enforcement would start working again at the moment the object is re-created.

  • Workaround: re-import the object.
R80
-

Only the following TLS cipher suites are supported for APIC HTTPS connectivity:

  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
R80
02499469 In-place upgrades in Public Cloud environments (AWS, Microsoft Azure and Google Cloud Platform) are not supported. R77.30
- Traffic does not pass through Bridge interface of vSEC Virtual Edition (VE) in Network Mode when using "vmxnet3" drivers.
Refer to sk112520.
R80
LTE
00773195

When using the IPS and the Full Intra-Tunnel features, GTP traffic may not be inspected.

  • Workaround: change the IPS protection scope from "Protect internal hosts" only to "Perform IPS inspection on all traffic":
    1. Double-click on the FireWall-1 GX object in SmartDashboard.
    2. Go to IPS pane (if IPS pane is missing, verify the IPS blade was enabled).
    3. In Protection Scope, select Perform IPS inspection on all traffic and click on OK.
    4. Install the Policy.
    When using the default "Protect internal hosts only" mode, the IPS blade inspects traffic from either the Internal to External interface, or vice versa, using the Security Gateway's topology (which is set in the GX object). Since the inner-GTP traffic does not have its own distinct topology settings and rule base, the IPS blade inspects the inner-GTP packet using the GX object's topology settings, which may cause it to skip the inspection. To override this, you must set the "Perform IPS inspection on all traffic" option.
R77.30
00788268 Full Intra-Tunnel inspection is enforced only on encapsulated IPv4 traffic. R77.30
00780056 GTP Bandwidth Management using QoS is not supported. R77.30
01011519 IPS "Aggressive Aging" protection is not supported by FireWall-1 GX gateway (if you enable IPS blade in FireWall-1 GX object, you must set this protection to "Inactive" in the IPS profile applied to FireWall-1 GX. Otherwise, unexpected behavior can occur). R77.30
00829371 SCTP or Diameter objects cannot be the service of a manual NAT rule. Static NAT will still be applied for rules that match SCTP if the service is set to "Any". All NAT methods can be applied for Diameter over TCP traffic if the service is set to "Any". R77.30
VoIP
02413299,
02414451
Security Gateway / Active cluster member freezes / locks up randomly when processing H.323 traffic.
Refer to sk114977.
R77.30
02305365,
02312153
SIP VoIP call is disconnected / stops working several minutes after establishing the connection when SecureXL is enabled.
Refer to sk112913.
R77.30
02441588 Avaya VoIP calls with Avaya Call Manager fail through Check Point Security Gateway.
Refer to sk104786.
R77.30
SNMP
01852762,
01858277
Output of the "snmptranslate" command returns different OIDs for objects in "chkpntTrap" branch.
Refer to sk108697.
R77.30
