R80 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues in different products.
This Incremental Hotfix and this article are periodically updated with new fixes.
The list below describes each resolved issue and provides a Take number, in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). In addition, you can find the date when the take was published in the table below.
Availability
General Availability Take
R80 Jumbo Hotfix Accumulator is a General Availability release that can be directly downloaded from Check Point Cloud using CPUSE (Check Point Update Service Engine) and from this article:
Online installation - using CPUSE either in Gaia Portal, or in Gaia Clish.
Offline installation - using offline / exported package either in Gaia Portal, or in Gaia Clish.
Take
Date
CPUSE offline package
SmartConsole package
Take_76
22 September 2016
(TGZ)
(EXE)*
Legacy CLI package can be downloaded from here.
* Effective November 20th, 2016, SmartConsole package has been updated with additional support for SHA-256. See sk114579.
Important Notes
For CPUSE installation, must use CPUSE Agent build 1127 and above (refer to sk92449).
Each "Take" of this Jumbo Hotfix Accumulator is always based on latest GA Take of Check Point R80.
Effective July 3rd, 2016, the R80 Gaia image has been replaced. By installing the new Gaia image, the R80 Security Management will automatically install R80 Jumbo Hotfix Take 29 on top of the R80 installation.
It is recommended to install Jumbo Hotfix Accumulator on all the R80 Security Management Servers running on Gaia OS.
This Jumbo Hotfix Accumulator is suitable for these products and configurations:
Security Management Server
Multi-Domain Security Management Server
Log Server
Multi-Domain Log Server
SmartEvent Server
It is recommended to install the new SmartConsole package provided by this Jumbo Hotfix Accumulator.
R80 Security and stability enhancements for Security Management server (Hotfix #1) content is part of R80 Jumbo Hotfix Accumulator.
This Jumbo Hotfix Accumulator has to be installed only after successful completion of Gaia First Time Configuration Wizard.
List of resolved issues per HotFix
Enter the string to filter the below table:
ID
Symptoms
R80 Jumbo HotFix - Take 76 (22 September 2016)
Security Management
02093495
Administrator without permissions to edit layers is allowed to create/edit/delete rules inside the layers via CLI or API.
02336729
Administrator suddenly fails to log in.
02350035
Running Policy Verification while the Policy Installation task is still running can cause the policy to be incorrectly installed.
VPN
02339829
Enhancement: The 3DES encryption algorithm is supported (see sk113114 for instructions).
Enhancement: Logging Capacity improvements. Refer to sk112797.
02068363
Enhancement: New menu item "Hide Identities" which will enable exchange of identity log field values with asterisks.
02092189
No Events / Logs on SmartEvent / SmartLog servers configured with external LEA connections.
02083980, 02046226
Empty logs entries in logs view, since filtering of Qos product was not configured in LEA filter logs in log_indexer_settings.conf file.
02074068
SmartView, WebUI and Logs Views statistics widgets do not show an estimation of the logs data.
02069539
Logs and monitor tab load slowly.
02022108
An administrator without superuser Multi-Domain permission profile cannot connect to the Multi-Domain Server from the SmartView Web Application.
02071820, 02049053
includeEmptyValues="false" in estimated request query causes to failing to find data in cache and as a result, an empty response is sent instead.
02071933
Administrator can see log files, but does not have permission to open them via "Open log file" pane (no data inside).
02071939, 01954397, 02071976
URL encoding problem: any query containing '#' (hash sign) does not return, any two non-consecutive '#' query fail and restart.
02071980, 02033272
After import the smartlog_server process is terminated after receiving the old configuration.
02128375
Filtering correlated events in SmartEvent by event name returns no result.
02192646
The following dbsync problems may arise when SmartEvent R80 is connected to the Security Management R77.xx:
dbsync crashes on the start and the synchronization of objects is not finished.
dbsync crashes during synchronization - the synchronization takes long time and there are dbsync core dumps in /var/log/dump/usermode/ directory.
the objects are synchronized multiple times with the same name – the policy tab in SmartEvent contains multiple objects with the same name.
02278578
FWD process crashes during logswitch and cannot start.
02190280
No logs are shown after uninstalling the hotfix.
02158472
Query containing two consecutive hash signs (##) is ignored from GUI query and is not resolved.
02208899
Machine become unresponsive when disabling Log indexing
02128379
Not all objects from CMAs are synhronized and administrator cannot see logs from all Domains in SmartEvent GUI when SmartEvent R80 connected to R77.xx.
Multi-Domain Management Server
02103573, 02099799
Protections changes are not enforced on 1100 gateways in Multi-Domain Management Server / single domain configuration.
02070268
Gateway with radius_accounting_setting configuration defined on Domain's level is not seen when connected to Multi-Domain Management Server.
02157451
When reassigning global policy to more than ~40 domains, it works only for the first ~40.
Security Management
02049207
Global policy assign fails with 'More than one object named 'autoupdate_and_obj_user_modified' exists' error.
02036290
HA sync / set Active to Standby fails when Endpoint blade is enabled on one of the Security Management objects.
02015346
"An internal error has occurred" error on reassignment of Global Access and Threat Policies failure.
02002865, 01987757
MDS removal attempt fails with the "Certificate Athority on <MDS name> is in Read Only Mode. Try to run it again on the Multi-Domain Server that holds the active global Domain" message when user is connected to the MDS, on which the global domain is active.
02007020
Advanced upgrade crashes with core dump due to corrupted cache in IBM SR9 FP20. The IBM version was promoted to SR9 FP30.
02019255
SmartConsole crashes when several administrators work simultaneously on TP rulebase.
02015548
"An error occurred while performing a rulebase operation" message after removing assigned global policy.
02015300
Rulebase error and reload due to multi-user work on the rulebase and changing it's structure.
02002930
"... Administrator <name> is connected from IP null with application CPM Server ...." error on creation of secondary Domain / Log server failure.
02002922
Global manager administrator with Read Only permissions to Domain can select to run Global policy assignment on the domain, causing "Unexpected error".
02200824
Session disconnects when opening log file (non-index mode).
02172205
Removing AGP finished unsuccessfully with a server crash.
02209010
No logs after disabling log indexing; the session is invalid or expired.
02160321
On AGP, when there are multiple errors, they do not show any additional info.
SmartConsole
02170680
Fail-Close engine setting for Threat Prevention is not enforced after upgrade to R80 Security Management. Refer to sk112533.
02100655
Fields that contains numeric values are sorted lexicographically.
02103723
No filter of users/machines by Active Directory node in Access Role editor.
02103757
The APPI update text shown in the view does not work when machine is behind a proxy server (the connection does not use proxy settings configured on the Windows machine).
02121738
"Execution error" message when cloning the Threat Prevention global recommended protection profile at local domain.
02088167
After creating "interoperable" device and adding it to a star community, cannot add a shared secret password to this device because it is not listed in the "Shared Secret" tab. Refer to sk112182.
02043973
When connecting to another version, the link to the web points to a generic page, which does not have a download link for SmartConsole.
02035612
When the login welcome message image added by user is missing or corrupted, the SmartConsole crushes.
02041985
Latest updates are not retrieved and client reports to be update-to-date although it is not.
02082971
When opening shell, the encoded password will be written in the audit log.
02053623
Cannot scroll down to find the relevant gateway in "Satellite gateway" list in IPSec VPN Star community window. Refer to sk111736.
02056363
SmartDashboard components are not loaded when connecting with SmartConsole to CMA that is behind NAT.
02070225
GUI crash when performing "Get Interfaces" on "Network Management" page when launched from SmartDashboard.
02070227
SmartConsole does not response for a long time or crashes when there are many VLANs on a physical interface on getInterface command.
02100860
Cannot scroll down in Gateways tab of VPN Community Editor.
02110524
In rare occasions, the user.config file becomes corrupted while logging into the SmartConsole. This corruption is not being recovered well, and crashes the console.
02110528
With Anti-Spam blade enabled, when adding a comment in the MTA and publishing the change, the comment will not be saved.
02118776
QoS classes are not shown in the list on the QoS external interface tab.
02119446
"Failed to load SmartDashboard component. Please make sure Check Point SmartDashboard is installed." error when trying to view or edit an object in Gateways & Servers tab.
02012562
SmartConsole crashes when logging to domain with domain name containing illegal path characters.
02302227
IPS protection with severity NA is inactive, but appears active in the GUI.
02160397
Global policy re-assignment is not executed on all the selected domains.
02062201
SmartConsole crashes on certain scenarios when Cancel button was pressed at the administrator Editor.
02086486
On Multi-Domain Management Server, installation of Threat Prevention policy fails on 1100 / 1200R / 1400 appliances.
Anti-Bot overrides are not enforced on 1100 / 1200R / 1400 appliances.
02300960
Minimum supported version of application is incorrect in SmartConsole.
Security Gateway
02119721
HTTPD process fails with core dumps created under folder /var/log/dump/usermode/ directory.
02183677
Policy installation failes caused by invalid objects (other services) configuration allowed from the SmartDashboard.
R80 Jumbo HotFix - Take 29 (09 June 2016)
Multi-Domain Management Server
02002954
Manual full sync on a Multi-Domain Management Server Domain fails.
02005764
Administrator lock status is not synchronized between primary and secondary Multi-Domain Management Servers.
01990150
After Assign Global Policy with 'Manage protection actions' and custom Threat Prevention profiles in the global domain, Remove Assign Global Policy gets stuck with a 'Server disconnected' error.
02000379
The first time that Assign Global Policy is run, global objects do not appear on the local domain.
Security Management
02007965
After installing a policy on gateways of R77.xx and lower, connectivity issues may occur if policy rules contain an RDP_TPC_UDP service group in the Application layer.
02006161
After removing a cluster member from a cluster in a user domain, synchronization in System Domain fails.
02005525
If User Check objects with Invalid names (space or special characters) are used in Threat Prevention profiles, after Threat Prevention install policy, Anti-Bot an Anti-Virus blades will not be enforced.
02013068
The path cannot be changed during restore with TFTP.
01998604
"Failed to monitor SAM rules" message appears when choosing "Show on Gateway_Name" in the Suspicious Activity Rules editor in SmartView Monitor. New SAM (Suspicious Activity Monitoring) rules cannot be added in SmartView Monitor. After Add -> Enforce (to add a new SAM rule), the "The block process failed" message appears.
02027028, 02027018
In some VSX configurations, the packet capture cannot be fetched.
02006959
"Internal error occurred during the verification process" error on policy installation failure if you revert to a policy with a disabled rule that has a non-existent object.
02011440
Application Control update does not work on 1100 Small and Medium Business Appliances.
02006013
The mgmt_cli does not work with the IP address of the domain.
02006160
After upgrade, login to a user domain fails with "Failed to authenticate null" message.
SmartConsole
02013032
Gateway status and health information is not displayed on a secondary Security Management Server.
02006088
SmartConsole shows a crash dialog on some server disconnection scenarios.
02001594
"Failed to apply shared licenses" error on synchronization failure.
02024604
The Group Selected Objects command in a rule can cause a crash.
02006112
Domain Management Server names must begin with an alphabetical character. But there is no input validation to stop you from naming a Domain Management Server with a string that starts with a numeric character.
02000497
An administrator without "HA Operations" permissions is not blocked from performing switch-to-active on a standby Domain server.
02021024
SmartConsole crashes when the DLP tab is opened twice.
02024591
Closing the Compliance tab causes other Compliance tabs to be stuck with a white screen.
02007535
Image of 1470/1490 SMB appliances is incorrectly presented.
02021021
SmartConsole becomes unresponsive after opening the Audit Log from Revisions view.
01953640
Client connection lost while editing a VS in a Multi-Domain Security environment.
02009867
Creating/Editing a Threat Prevention profile in one domain, blocks all the profile's operations in all other domains.
01996714
Clone Threat Prevention profile will not copy the IPS static protection overrides from the cloned profile.
02010661
There are duplicate profile activations in IPS Static or Inspection Settings protection editor, in a post upgrade environment with assign global policy and 'Manage protection actions'.
01991664
An administrator without write permissions on IPS protections appears to have the ability to create or edit a Threat Prevention profile, but the profile cannot be saved.
02002862
Removing Virtual Router my cause a crash.
02006842
The show threat-rule-exception-rulebase command cannot work with UID.
02013455
If you use the set command to edit the mask length of a network object, the command does not work and it locks the object.
02016221
API commands fail when working with non-standard ports.
01987575
After assigning a Global Access policy, the ‘Where Used’ feature may show an incorrect number for objects in the access policy.
02000508, 01945475
An OPSEC application is automatically removed, if it refers to a host that was changed.
02002956
A global manger can edit the GUI client in Domain view, but the operation fails with "General Error". The GUI client object remains locked.
01991160
After the assigned policy is deleted from the Global domain, policy re-assign fails with "Global assignment failed: cannot find parameter for class com.checkpoint.management.threat.coresvc.IpsAgpProvider class" error.
02001875
SmartConsole generates an unexpected error on launch of a Domain Management Server from a Multi-Domain Management Server that was connected with CAPI.
01962431
Navigation to Threat Prevention rules from the Log view of a Multi-Domain Server shows "could not navigate to rule" message.
SmartEvent
02022132
Custom View name cannot be change through action.
02022116
No option to clone and edit reports.
02020919
SmartEvent does not filter by the Application Risk field.
02008340
R80 SmartEvent cannot connect to an R77.30 Multi-Domain Management Server.
02012424
When connecting to a global SmartEvent with SmartConsole, in Logs view, only local logs (monitoring) of the SmartEvent server are displayed. Logs from Domain Management Servers are not shown. If a SmartView is opened, there are data and widgets for drill down in the Logs view.
02022051, 01962293
After upgrade, some network objects may appear more than once in Global SmartEvent.
02022076
Global SmartEvent is not updated with global changes made when it is down.
SmartLog
02012419
A high number of GEO protection logs affects performance (disk space, indexing rate, etc.).
02022112
The Audit Logs view shows logs' card with log details.
02012416
Logs from forwarded log files are not indexed (only one file is indexed when there are several log files with the same file ID).
02012415
Groups with exclusions are not searchable immediately after creation.
02020052
Interface names are not searchable in SmartLog for logs of type "firewall".
When choosing "Show on Gateway_Name" in the Suspicious Activity Rules editor in SmartView Monitor, the following message appears: "Failed to monitor SAM rules".
New SAM (Suspicious activity Monitoring) rules cannot be added in SmartView Monitor. The following message appear after using the Add -> Enforce option to add a new SAM rule: "The block process failed".
01997794, 02006927
In rare scenarios login to SmartDashboard in Management HA environment fails after failover.
01999269, 02004412, 02015303
Primary Multi-Domain Management server may crash with cpm core file. All FWM processes were in pending state and machine was out of memory.
01998131, 02005525, 02005566
If the Threat Prevention profiles action is Ask, malicious sites can be reached with no redirection to the Anti-Virus ask page.
01998970, 02000508, 02004471, 01945475
OPSEC Server Application object is missing after database import to R80.
02001921, 02016425
RDP (UDP/port 259) is changed to RDP (UDP/port 3389) after upgrade to R80.
02004016, 02016247
Pre-Upgrade Verifier crashes on export if the GUI client list ($FWDIR/conf/gui-clients) includes an empty line.
02020403, 02020470, 02020452
"Services port conflict" warning when installing Security policy after upgrade to R80. Refer to sk111114.
Installation instructions
Important Notes:
This Jumbo Hotfix Accumulator has to be installed only after successful completion of Gaia First Time Configuration Wizard.
In Management HA environment: Jumbo Hotfix Accumulator must be installed on both Management Servers.
It is recommended to install Jumbo Hotfix Accumulator on all the R80 machines in the environment running on Gaia OS.
For CPUSE installation, must use CPUSE Agent build 1127 and above (refer to sk92449).
Installation of a newer Take of Jumbo Hotfix Accumulator on top of the current Take when running CPUSE Agent build 1127 and above (refer to sk107320):
If the previous Take of Jumbo Hotfix Accumulator was installed using Legacy CLI, then the next Take can be installed using the CPUSE.
If the previous Take of Jumbo Hotfix Accumulator was installed using CPUSE, then all subsequent Takes must also be installed using CPUSE.
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
Select the hotfix package Check Point R80 Jumbo hotfix T<number> for sk111536 - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
Select this hotfix package and click on Install Update button on the toolbar.
Offline installation
Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
Install the latest build of CPUSE Agent from sk92449.
Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
In the upper right corner, click on the Import Package button.
In the Import Package window, click on Browse... - select the CPUSE package (either offline TGZ file, or exported TAR file) - click on Import.
Above the list of all software packages, click on the Showing Recommended packages button - selectAll.
Select the imported package Check Point R80 Jumbo hotfix T<number> for sk111536 - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
Select this package and click on Install Update button on the toolbar.
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
Connect to command line on Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database: HostName:0> lock database override
Show the packages that are available for download: Note: Refer to the top section "Hotfixes" - refer to "Check Point R80 Jumbo hotfix T<number> for sk111536" HostName:0> show installer packages available-for-download
Verify that this R80 Jumbo Hotfix Accumulator package can be installed without conflicts: HostName:0> installer verify <Package_Number>
Download the package from Check Point cloud: HostName:0> installer download <Package_Number>
Install the downloaded package: HostName:0> installer install <Package_Number> Note: The progress (in per cent) will be displayed in Clish.
Offline installation
Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
Install the latest build of CPUSE Agent from sk92449.
Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
On the toolbar, click on the More button and select Import Package.
In the Import Package window, click on Browse... - select the CPUSE package (either offline TGZ file, or exported TAR file) - click on Upload.
Transfer the offline package (TGZ) / exported package (TAR) to the target Gaia machine (into some directory, e.g., /some_path_to_jumbo/).
Connect to command line on target Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database: HostName:0> lock database override
Import the package from the hard disk: Note: When import completes, this package is deleted from the original location. HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
Show the imported packages: Note: Refer to the top section "Hotfixes" - refer to "Check Point R80 Jumbo hotfix T<number> for sk111536" HostName:0> show installer packages imported
Verify that this R80 Jumbo Hotfix Accumulator package can be installed without conflicts: HostName:0> installer verify <Package_Number>
Install the imported package: HostName:0> installer install <Package_Number>
Uninstall instructions
Important Notes:
This Jumbo Hotfix Accumulator removes all its packages during uninstall.
Requires CPUSE Agent build 1127 and above (refer to sk92449).
In case the UEPM process is not running after uninstalling this Jumbo Hotfix Accumulator, refer to sk113023.
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
Connect to the Gaia Portal on your Gaia machine and navigate to the 'Upgrades (CPUSE)' section - click on 'Status and Actions'.
Above the list of all software packages, click on the 'Showing Recommended packages' button - select 'All'.
Right-click on the Jumbo Hotfix Accumulator package - click on 'Uninstall'.
A warning will be displayed that after this uninstall, the machine will be automatically rebooted. Click on 'OK' to start the uninstall.
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
Connect to command line on Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database: HostName:0> lock database override
Uninstall the package: HostName:0> installer uninstall <Package_Number> Note: The progress (in per cent) will be displayed in Clish.
In Management HA environment: Jumbo Hotfix Accumulator must be installed on both Management Servers.
It is recommended to install Jumbo Hotfix Accumulator on all the R80 machines in the environment running on Gaia OS.
All Takes of Jumbo Hotfix Accumulator must be installed in the same way (refer to sk107320):
If the Jumbo Hotfix Accumulator was installed for the first time using Legacy CLI, then all subsequent Takes must also be installed using Legacy CLI.
Procedure:
Transfer the Jumbo Hotfix Accumulator package to the machine (into some directory, e.g., /some_path_to_fix/).
Unpack the Jumbo Hotfix Accumulator package: [Expert@HostName:0]# cd /some_path_to_fix/ [Expert@HostName:0]# tar -zxvf Check_Point_R80_JUMBO_HF_T<number>_sk111536.Gaia.tgz
Install the Jumbo Hotfix Accumulator: [Expert@HostName:0]# ./UnixInstallScript Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
Legacy CLI Uninstall instructions:
Important Notes:
This Jumbo Hotfix Accumulator removes all its packages during uninstall.
All Takes of Jumbo Hotfix Accumulator must be uninstalled in the same way as they were installed (refer to sk107320):
If a Take of Jumbo Hotfix Accumulator was installed using Legacy CLI, then it must be uninstalled using Legacy CLI.
Procedure:
Unpack the Jumbo Hotfix Accumulator (you need to use the Take that is currently installed or higher): [Expert@HostName:0]# cd /some_path_to_fix/ [Expert@HostName:0]# tar -zxvf Check_Point_R80_JUMBO_HF_T<number>_sk111536.Gaia.tgz
Run the installation with '-u' flag: [Expert@HostName:0]# ./UnixInstallScript -u
Should get the following text on the screen:
***********************************************************
Welcome to Check Point <HOTFIX_NAME> Uninstall Utility
***********************************************************
All <HOTFIX_NAME> packages will be uninstalled.
Uninstallation program is about to stop all Check Point processes.
Do you want to continue (y/n) ?
Reboot the machine.
List of replaced files
List of files replaced by this Jumbo Hotfix Accumulator can be provided upon request by Check Point Support.
