60000 / 40000 Appliances - Known Limitations
Solution

Table of Contents:

  • Introduction
  • Non Supported Features
  • Known Limitations
  • Related documentation
  • Related solutions

 

Introduction

This article lists all known limitations that are specific to the 60000 / 40000 Security Platforms.

This is a live document that may be updated without special notice. We recommend registering for our weekly updates in order to stay up to date. To register, go to UserCenter > ASSETS / INFO > My Subscriptions.

 

Important notes:


This article contains two sections:

  • Non Supported Features
  • Known Limitations

Note: If not stated otherwise, all items listed below apply to both Security Gateway and VSX Gateway.

 

Non Supported Features

The following features are not supported in 60000 / 40000 Security Systems, and may be supported in future versions.

  • General
    • General
    • Gaia OS
    • Hardware
    • Management and Policy
  • Infrastructure
    • SecureXL
    • VSX
  • Networking
    • Networking
    • IPv6
    • Carrier Grade NAT (CGNAT)
  • Software Blades
    • Firewall
    • VPN
    • Threat Prevention
    • HTTPS Inspection
    • DLP
    • SmartView Monitor
    • QoS
    • SmartProvisioning


ID | Symptoms | Reported In | Resolved In
Non Supported Features - General
General
SPC-99 Traditional Anti-Virus is not supported on SP appliance.  R76SP
SPC-89  "Unified MAC for data ports" mode is not supported by VSX.  R76SP.50
SPC-1682 Using Hide NAT with external distribution in an inbound interface, and internal distribution in an outbound interface, is not supported. R76SP.50
01517974 ISP Redundancy is not supported. R76SP.10 -
00772706 60000 / 40000 Security System does not have a WebUI to configure and monitor the system.
HTTP access to the system is blocked.
R76SP -
01350464 R76SP.X supports only hotfixes that were created specifically for this version.
Hotfixes created for maintrain R76 version are not supported.
R76SP -
00595914 Security Server (FTP/HTTP with Resource) is not supported. R76SP -
00824847 60000 / 40000 Security System does not support OPSEC SDK. R76SP -
00838552 IP Pool NAT for clear (unencrypted) traffic is not supported. R76SP -
00841044 SmartView Tracker "Active Mode" is not supported. R76SP -
01166720 CPView tool is not supported. R76SP R76SP.50
01800842 Hide NAT for traffic initiated from Management interface of 60000 / 40000 Security System is not supported. R76SP -
01322440 60000 / 40000 Security System cannot be configured as DHCP Server. R76SP -
01096550 Dedicated log interface is not supported. Pre-R76SP R76SP
01096551 Management interface monitoring is not supported. Pre-R76SP R76SP
Gaia OS
00966001 The "asg_pingable_hosts" utility is not supported. R76SP -
Hardware
02501658 Dual Dual Configuration (4 SSMs) is not supported for SGM400 and SSM440. R76SP.50 -
02447213 On 44000 / 64000 chassis, DC Power Entry Modules (PEM) are not supported. R76SP.50 -
02457673 On SSM440, interfaces eth<X>-Mgmt1 and eth<X>-Mgmt2 will not be used and should not be configured.
The management interfaces are eth<X>-Mgmt4 and eth<X>-Mgmt3.
R76SP.50 -
02439135 On SSM440, the auto-negotiation for Forward Error Correction (FEC) on 100Gb ports is not supported.
FEC is enabled by default.
User can disable it manually in accordance with the settings on the peer side.
R76SP.50 -
02160144 N+N Type Chassis (new model) and N+1 Type Chassis (old model) are not supported together in a cluster (Dual Chassis setup). R76SP.40 -
01007477 All SGMs in environment must have the same number of CPU cores.
Hybrid Systems (61000 Security Systems with SGMs that have a different number of CPU cores) are not supported.
Pre-R76SP -
Management and Policy
01080058 Security Gateway: When using R76 Management Server to manage the 41000 / 61000 Security System, and selecting "41000 Appliances" / "61000 Appliances" in the "Hardware:" field of the Security Gateway object, some of the supported Software Blades may be grayed out.
To enable these Software Blades, select "Open Server" in the "Hardware:" field.
Refer to the Release Notes of your R76SP.X version for a list of supported Software Blades (e.g., R76SP, R76SP.10, R76SP.10_VSLS, R76SP.20, R76SP.30, R76SP.40, R76SP.50).
R76SP -
01129902

VSX Gateway: Application Control / URL Filtering / Anti-Virus / Anti-Bot updates do not take place for two hours after installing a policy on a newly installed VSX Gateway / VSX Cluster.

Workaround:

  1. Connect with SmartDashboard to Security Management Server / Main Domain Management Server that manages this VSX Gateway / VSX Cluster.
  2. Open the VSX Gateway / VSX Cluster object.
  3. Enable the Application Control blade and/or the URL Filtering blade and/or Anti-Virus blade and/or Anti-Bot blade on the VSX Gateway / VSX Cluster.
  4. Install the policy on this VSX Gateway / VSX Cluster object.
  5. Check that these Software Blades are able to perform the updates.
  6. Connect with SmartDashboard to Security Management Server / Target Domain Management Server that manages the relevant Virtual System.
  7. Open the Virtual System object.
  8. Enable the Application Control blade and/or the URL Filtering blade and/or Anti-Virus blade and/or Anti-Bot blade on the Virtual System.
  9. Install the policy on this Virtual System object.
  10. Connect with SmartDashboard to Security Management Server / Main Domain Management Server that manages this VSX Gateway / VSX Cluster.
  11. Open the VSX Gateway / VSX Cluster object.
  12. Disable the Application Control blade and/or the URL Filtering blade and/or Anti-Virus blade and/or Anti-Bot blade on the VSX Gateway / VSX Cluster.
  13. Install the policy on this VSX Gateway / VSX Cluster object.
Pre-R76SP -
Non Supported Features - Infrastructure
SecureXL
02011900 SecureXL Fast Accelerator does not support IPv6. R76SP.40 R76SP.50 Jumbo Take 180
VSX
SPC-2288 Policy Based Routing is not supported.  R76SP.50
01413513 Virtual Routers are not supported. R76SP.10 -
01050994 Conversion of a Security Gateway to a VSX Gateway is not supported. R76SP -
01290516, 01295822, 01338428, 01358508, 01359798, 01430927, 01478852 Gaia Clish command "show virtual-system all" displays an empty virtual system list when logging in to the VSX Gateway with a TACACS+ / RADIUS (non-local) user.
Refer to sk105342.
R76SP R76SP.10
01096568

The VSX Gateway cannot be managed from data ports.
The supported Management interfaces are:

  • eth1-Mgmt1, eth1-Mgmt2, eth1-Mgmt3, eth1-Mgmt4
  • eth2-Mgmt1, eth2-Mgmt2, eth2-Mgmt3, eth2-Mgmt4
R76SP -
01008901 Backup and restore functionality using the "backup_system" command is not supported in VSX mode. R76SP -
01493899, 01494841 When connections are created from templates and NATed on the far Virtual System, the return SYN-ACK packet is dropped as out of state on VS1 (client side). R76SP R76SP.10 Jumbo Take 62
01095537 Resource Control enforcement is not supported (only monitoring is supported). Pre-R76SP -
Non Supported Features - Networking
Networking
02003875 LACP is not supported with Management Aggregation (MAGG). R76SP.40 -
01262356 PIM Sparse mode is not supported when the 60000 / 40000 Security System is defined as a Rendezvous Point (RP). R76SP -
01096548 Policy Based Routing (PBR) is supported on SGW mode only.
R76SP R76SP.50 Jumbo Take 96

01069764 When Security Gateway is in Bridge mode, or VSX Gateway has at least one Virtual System in Bridge Mode, the Distribution Mode is set to "General".
Other Distribution Modes (User, Network and per port) are not supported in this scenario.
R76SP R76SP.10
01096558 Jumbo Frames are not supported. Pre-R76SP R76SP.20
SPC-1104 Connections that arrive via the data interface and are sent out via the management interface are not supported.  R76SP.50 -
SPC-1593 General Distribution with SSM Layer4 Distribution enabled is not supported for bridge interfaces. R76SP.50 -
IPv6
02621541 IPv6 VPN is not supported. R76SP -
Carrier Grade NAT (CGNAT)
02536512 Layer4 CoreXL Distribution is not supported for Carrier Grade NAT (CGNAT) traffic. R76SP.50 -
Non Supported Features - Software Blades
Firewall
02641733 The "fw sam" command (sk112061) is not supported. R76SP -
02641729 The "fw samp" command (sk112454) is not supported. R76SP -
SPC-986 Carrier Security (LTE) is supported only on SGW.  R76SP -
VPN
02492514 VSX Gateway: VPN with SPI distribution is not supported on a Virtual System that uses a WRP interface (e.g., when Virtual System is connected to Virtual Switch). User should configure Sticky SA mode instead. R76SP.50 -
01988881 Enabling VPN Link Selection with "Calculate IP based on network topology" and VPN Sticky SA is not supported. R76SP.40 -
01685300 SSL VPN is not supported for deployments that use NAT on Office Mode network. R76SP.20 -
01445638 Traditional mode VPN is not supported. R76SP.10 -
00737055 Virtual Tunnel Interfaces (VTI) are not supported. R76SP -
00750851 Route based probing configuration is not supported for VPN Link Selection in High Availability mode. R76SP -
01208774 SecureXL Templates for encrypted traffic are not supported.
To disable VPN acceleration templates, run from Expert shell:
# g_fw ctl set int cphwd_offload_vpn_templates 0
# g_update_conf_file fwkern.conf cphwd_offload_vpn_templates=0
R76SP -
01344987 Per-gateway VPN is not supported. R76SP -
01340588 Corporate Enforcement is not supported. R76SP -
Threat Prevention (Anti-Virus, Anti-Bot, Anti-Spam, Threat Emulation)
02506836 R80 / R80.10 Management Server is not able to manage 60000 / 40000 appliance running R76SP.40 / R76SP.50 when Threat Emulation blade is enabled.
Refer to sk111405.
R76SP.40 -
01952206 Anti-Virus inspection of files transferred over CIFS (Windows Sharing) is not supported. R76SP.40 -
02007264 Threat Emulation counter "Files Emulated (Cloud)" is not supported (always shows 0)
(in SmartDashboard, go to "Threat Prevention" tab - click on "Gateways" pane).
R76SP.40 -
02020283 VSX Gateway: Threat Emulation on Virtual System in Bridge mode is not supported. R76SP.40 -
00748928 Anti-Virus blade does not provide protection for POP3 and FTP connections. R76SP -
01029078 SmartView Tracker Packet Capture for Anti-Bot logs is not supported. R76SP R76SP.10
02747758 Anti-Spam is not supported for all Scalable Platforms (SP) versions. Pre-R76SP -
HTTPS Inspection
02485781 SSM Layer4 Distribution Mode is not supported if HTTPS Inspection is enabled.
Refer to sk116693.
R76SP.50 -
02485779 HTTPS Inspection is not supported if Layer4 CoreXL Distribution Mode is enabled.
Refer to sk116693.
R76SP.50 -
01193080

These SSL ciphers are supported on internal HTTPS servers when the value of kernel parameter choose_active_streaming is set to 0:

  • RSA+AES
  • RSA+RC4
  • RSA+3DES
You must update the list of supported SSL ciphers on the protected HTTPS servers.
R76SP -
DLP
01157859, 01349731 DLP Fingerprint is not supported. R76SP -
01265404 DLP policies with the "Ask User" / "Inform User" action are not supported. R76SP -
01157478 Security Gateway: DLP blade is supported only on an IPv4 Security Gateway.
DLP Capabilities are the same as for R75.40VS, excluding:
  • "Ask User" action
  • UserCheck (Portal and Agent)
  • Watermarking
  • FTP protocol
R76SP -
SmartView Monitor
00593173 SmartView Monitor is not supported for the 60000 / 40000 Security System.
Statistics are only collected from a single SGM and do not describe all traffic that is passing through the system.
R76SP -
QoS
01248880 QoS blade is not supported. R76SP -
SmartProvisioning
01511158 SmartProvisioning of 60000 / 40000 Security System is not supported. R76SP -

 

Known Limitations

The following limitations are known in 60000 / 40000 Security Systems.

  • General
    • General
    • Gaia OS (Global Shell / Commands)
    • Hardware
    • Management and Policy
    • Multiple Security Groups


  • Installation
    • Installation / Upgrade
    • Licensing
  • Infrastructure
    • Security Gateway
    • VSX
    • SecureXL
    • CoreXL


  • Networking
    • Networking
    • Dynamic Routing
    • IPv6
  • Software Blades
    • IPS
    • VPN
    • Threat Prevention
    • URL Filtering
    • HTTPS Inspection
    • Identity Awareness
    • ConnectControl
    • DLP
  • Monitoring
    • SNMP
    • CPView


ID | Symptoms | Reported In | Resolved In
Known Limitations - General
General
02496724 "asg if" command will fail with "can't read "interface_data(asg,tx)": no such element in array" error while setup is in hybrid version during upgrade procedure. R76SP.50 -
02501687 "cores_verifier" script will fail on SGM400 when IPv6 is enabled, and the number of IPv4 CoreXL FW instances is set to 40. R76SP.50 -
02476852 Before importing a snapshot on SGM, user must check if there is enough free disk space.
If necessary, delete old snapshots and other unneeded files to free up disk space.
SGMs that do not have enough disk space will not create the snapshot in their database, and no error message is shown to indicate this.
R76SP.50 -
02514252, 02514273, 02515068 After copying a file to other SGM blades using the "asg_cp2blades" command, the file permissions on the copied files are set to "644" ("-rw-r--r--") instead of the file permissions of the original file.
Refer to sk117735.
R76SP.30 -
02393014, 02399683, 02450727 "ssm_xlate" process crashes with core dump files on the SGM after SSM reboot on 60000 / 40000 appliance.
Refer to sk116676.
R76SP.30 R76SP.30 Jumbo Take 72, R76SP.50
01462650 Extreme clock changes may lead to system instability. It is recommended to reboot the system after such a change. R76SP.10 -
01247865 "cpstop" and "cpstart" commands are not supported for 60000 / 40000 Security System. R76SP -
00649865 After a rewind of the clock, it is necessary to restart some tasks.
Enter the Expert mode and run the "g_timewrap_fix" command, so that CMD and CPD daemon are restarted.
R76SP -
00767143 After running the "backup_system restore" command, you must reboot all blades.
From gclish on the local SGM, run the "reboot -b all" command.
R76SP R76SP.10
00738754 If SGMs lose connectivity to the CMM, the "asg stat" command displays the most recent status of the system.
For example, a chassis module that was "UP" before the CMM lost connectivity, continues to have the status "UP".
The state of the CMM is changed to "DOWN".
R76SP -
01260226

If time synchronization fails, the "Skew too high" error message is shown when you run "asg diag verify <clock_id>".

This can occur because the value of the "replies_from_any_port" parameter was set to "true" for the "ntp-udp" service using the GuiDBedit Tool.
The SGMs cannot complete local NTP synchronization because the SGM that receives the response does not know to which SGMs to send the response.

To correct this NTP synchronization issue:

  1. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).
    Verify by running the "cpstat mg" command on Security Management Server / in the context of each Domain Management Server.
  2. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.
  3. In the upper left pane, go to Table - Services - services.
  4. In the upper right pane, select the ntp-udp object.
  5. Press CTRL+F (or go to Search menu - Find) - paste replies_from_any_port - click on Find Next.
  6. In the lower pane, right-click on the replies_from_any_port - select Edit... - select "false" - click on OK.
  7. Save the changes: go to File menu - click on Save All.
  8. Close the GuiDBedit Tool.
  9. Connect with SmartDashboard to Security Management Server / Domain Management Server.
  10. Install the policy.
R76SP R76SP.10
Gaia OS (Global Shell / Commands)
02476859

Gaia Clish command "show snapshots" can display an error:
"NMSNAP9999  Timeout waiting for response from database server".

Workaround: Run the "show snapshots" command again.
R76SP.50 -
02476902

Gaia Clish command "show snapshots" can display an error:
"NMSNAP0042  Snapshot mechanism is not supported in this system".

Workaround: Run the "show snapshots" command again.
R76SP.50 -
02525364, 02529652, 02529653, 02529791 "NMSUSR0056  Cannot add homedir for user USERNAME, homedir already in use" error in Gaia Clish when adding a new user.
Refer to sk118082.
R76SP.30 -
02515878, 02516425 /home/<UserName>/.ssh is a symbolic link to the /home/admin/.ssh directory.
Refer to sk117738.
R76SP.30 -
01223855 The Gaia "emergendisk" command does not work with a USB drive that has more than one partition. R76SP -
00738300 The "asg" commands are an extension to native gclish commands.
The "asg" commands have different syntax and there is no auto-completion.
R76SP -
00621838 From gclish, running the "show hostname" command returns the hostname shared by all the SGMs, but not the specific ID for each SGM.
The specific ID is displayed as %m.
R76SP -
00634412 To perform hardware related control commands on SGMs in a remote chassis (for example, "asg_reboot", "asg_hard_start" or "asg_hard_shutdown"), at least one remote chassis SGM must be in the "UP" state.
For example, running the "asg_hard_start" command on a remote chassis, when the SGMs in this chassis are not "UP", has no effect on the system.
R76SP -
00778451 The "fw monitor" command (refer to sk30583) uses quotation marks (") for filter expression instead of apostrophes (').
Example: fw monitor -e "port(161) or port(162), accept;"
R76SP -
00642401 A CLI command that uses a range for the <SGM IDs> parameter, can only operate if all the relevant SGMs are defined in the security group. R76SP -
00761330 The "asg_ifconfig analyze" command and the "asg_ifconfig banalyze" command do not support interfaces with alias IP addresses. R76SP -
00616216 The "asg search" command can display unaccelerated connections as accelerated.
After installing a policy or restarting SecureXL, the "asg search" command incorrectly displays some connections as accelerated, when they are actually handled by the firewall.
After a few minutes, these connections are no longer displayed in the "asg search" output.
R76SP -
00633262 The arguments of the global commands are processed before the local (native) arguments, and this can cause the local arguments to be ignored.
For example, the "g_ls -l /tmp/" command is processed as "ls /tmp/" on the local SGM instead of "ls -l /tmp/" on all SGMs.
Relocating the local arguments within the command (where applicable) can resolve the problem.
For example, run the "g_ls /tmp/ -l" command instead of the "g_ls -l /tmp/" command.
R76SP -
01061553 When exporting or importing a snapshot, you must export from or import to the /var/log directory.
To export a snapshot, run the "set snapshot export <image_name> path /var/log/" command.
To import a snapshot, run the "set snapshot import <image_name> path /var/log/ name <new_name_for_image>" command.
R76SP -
01061498 The "set snapshot import <image_to_import>" command does not give an error message when the image to import does not exist. R76SP -
01089206 Running the "asg_hard_shutdown" command on an SGM two times, one after the other, causes a reboot and not a shutdown.
It takes one minute for the SGM to shut down after running the "asg_hard_shutdown" command.
During this interval, do not run the "asg_hard_shutdown" command again.
R76SP -
01091884 Running a gclish command on an SGM that is not part of a Security Group, runs the command on the SGMs in the Security Group.
To run a gclish command on a non-Security Group SGM, run the "set global-mode 0" command on the non-Security Group SGM before running the gclish command.
R76SP R76SP.10
01237799 When you run multiple gclish "set ..." commands, one after another, some of these commands can stop running.
In this case, the message "Processing Transaction" shows in the output.
R76SP -
01286991, 01238764

By default, the "asg diag resource verifier" option only shows a warning about resource mismatches between SGMs.
The verification test results show as "Passed" in the output and no further action is taken.
You can change the default behavior with this procedure:

  1. Edit the $FWDIR/conf/asg_diag_config file:
    [Expert@HostName:0]# vi $FWDIR/conf/asg_diag_config
  2. Search for the parameter MismatchSeverity
  3. Set the value of this parameter to one of these values:
    • fail - Verification test result will be set to "Failed"
    • warn - Verification test result will be set to "Passed", and a warning will be shown
    • ignore - Verification test result will be set to "Ignore", and no errors will be shown
R76SP -
01287010, 01268531 You must use the "asg_port_speed" or "asg if" commands to work with interface speed (changes or queries).
This is because it is necessary to communicate directly with the SSM to change or run queries on interfaces.
Results received from the ifconfig, ethtool or other gclish commands can be inaccurate because of the nature of the 60000 / 40000 configuration process.
R76SP -
01367410 When you work with the "asg diag" command, error messages can show inappropriately:
  • In VSX mode - When there is a bond configured with no VLANs.
  • In Bridge mode - When the bridge interface is not configured.
You can safely ignore these messages.
R76SP R76SP.10
02728408, 02728571 SNMP memory leak in R76SP.30 and R76SP.50.
Refer to sk126472.
R76SP.50, R76SP.30 -
Hardware
02434343 On SSM440, errors "Dot3Ah: Failed getting variable <XXX> from bm" can appear when running the "system reload" command. R76SP.50 -
02169635 On SSM440, the MTU is limited to the maximum of 9000 bytes. R76SP.50 -
02496928

Verification is needed after changing QSFP mode on SSMs:
"show smo verifiers print name <Port_Speed>".

If verification failed, then change the QSFP mode on SSMs again:
"set ssm id <SSM_ID> qsfp-ports-mode <Port_Speed>"

R76SP.50 -
02439227 On 44000 chassis, PXE installation on Slot 6 (SGM 2_06 / SGM 1_06) is supported by changing the kdevice to eth3. R76SP.50 -
00624269 The Ethernet ports on the SGMs are not used.
Each SGM has two Ethernet ports that are not used by the system and must not be configured.
Output of the "ifconfig" command displays these ports as eth1 and eth2.
R76SP -
00894653 60000 / 40000 Security System transceivers are not interchangeable with transceivers from other Check Point appliances.
Only transceivers provided with the 60000 / 40000 are certified for this system.
R76SP -
01258300 When working with a three SSM configuration on a 61000 system, you must put SGMs in these slots only:
1, 2, 3, 4, 5, 10, 11, 12, 13, or 14.
R76SP -
SPC-103 "asg diag" hardware verification fails when PSUs are not placed in consecutive order. R76SP.50 R76SP.50 Jumbo Take 39

SPC-214 On SSM440, when working with 1G copper transceiver in ethX-Mgmt4, after SSM reboot the interface will show the link as up but traffic will not pass. 
Refer to sk126612.
R76SP.50 R76SP.50 Jumbo Take 72
Management and Policy
00758678 When installing a new Desktop Policy in SmartDashboard, make sure that you also install a Firewall policy. R76SP -
01179727

Dynamic Objects configured in SmartDashboard are not synchronized on all SGMs.

Workaround:
After you add a Dynamic Object to a rule and install the policy, run the relevant "dynamic_objects ..." command on every SGM to manually add the desired Dynamic Object(s).
For example: dynamic_objects -n object -r 192.168.1.1 192.168.1.40 -a

R76SP -
01383053

You cannot install 41000 Security System licenses with SmartUpdate versions earlier than R77.20.

Workaround:

  1. Copy the license file to /var/log/ directory on all SGMs.
  2. In gclish, run the following command to install the license file: cplic put -l /var/log/<License_File>
R76SP -
02712085, 02712223 "Trying to change the stress flag on a disconnected instance XX" error message during policy installation.
Refer to sk123012.
R76SP.50 Jumbo Take 31
Multiple Security Groups  
- Monitoring and enforcing SSM Load Balancing interfaces (sk121094) is not supported when Multiple Security Groups are enabled.  R76SP.50
- The SSM allow management loss feature (sk145792) is not supported when Multiple Security Groups are enabled. R76SP.50 -
SPC-1755 Enabling SSM Layer4 Distribution is not supported when Multiple Security Groups are enabled. R76SP.50  -
SPC-1864 MAGG interface is not supported when Multiple Security Groups are enabled. R76SP.50  -
SPC-1865 Shared Bridge interface is not supported when Multiple Security Groups are enabled.  R76SP.50  -
SPC-1924 SSM SPI distribution mode is not supported when Multiple Security Groups are enabled.   R76SP.50
SPC-1925 Manual-general distribution mode is not supported when Multiple Security Groups are enabled.   R76SP.50  -
SPC-2019 Using the same bridging group interface for more than one Security Group is not allowed. R76SP.50   -
Known Limitations - Installation
Installation / Upgrade
02030480 VSX Gateway: Upgrade from R76SP.10 / R76SP.20 in VSX mode to R76SP.40 cannot be completed if any Virtual System is running with Initial Policy.
To complete the upgrade, install the relevant policy on all Virtual Systems.
R76SP.40 -
02020256 VSX Gateway: Before upgrading to R76SP.30 / R76SP.40 in VSX mode, Bond interfaces that are not connected to any Virtual System should be deleted from Topology. R76SP.40 -
01731299 During upgrade from R76SP.10 to R76SP.20, when running in hybrid setup stage (one chassis is still running R76SP.10 and one chassis is already running R76SP.20), change in configuration might bring down some blades on Standby chassis for up to 2 minutes (the blades will recover afterwards).
No impact on the Active chassis.
R76SP.20 -
01277055, 01337003, 01338220, 01427685, 01427694, 01500719, 01501293, 01427703, 01498850, 01277018, 01368863

Traffic inspected by the following Software Blades does not survive cluster Connectivity Upgrade:

  • Mobile Access
  • DLP
  • VPN - Remote Access
  • IPv6
  • Dynamic Routing
  • Identity Awareness (if a session authenticated with Identity Awareness is open when you start Connectivity Upgrade, then the session will be terminated)
R76SP.10 -
01488400 Running "asg" or other global commands before the setup wizard completes is not supported. R76SP.10 -
00554039 When running the setup wizard, pressing the Print Screen key causes the configuration process to exit.
To restart, run the setup wizard again.
R76SP -
00572338

When running setup wizard and configuring the first SGM, pressing CTRL+C keys after clicking on "Finish", cancels the installation, and the SGM state remains unstable.

Recovery: Enter gclish and revert to the Factory Defaults snapshot.
R76SP -
00787247

When running the First Time Wizard from PuTTY, the Backspace key does not work.

Workaround: Change the configuration of the Backspace key in PuTTY:

  • Go to "Terminal" - "Keyboard".
  • In "The Backspace key" section, select "Control-H".
R76SP -
01177073 When a Security Gateway Module (SGM) joins a Security Group after reverting to a snapshot, it reports: "Installation problem exist in SGM".
This error can be safely ignored.
R76SP R76SP.10
Licensing
01951566 Installation of a Central license with SmartUpdate requires a policy installation on the Security Gateway / VSX Gateway (context of VS0) in order to propagate the license. R76SP.40 -
Known Limitations - Infrastructure
Security Gateway
02496076, 02501180 FWK daemon crashes when Dynamic NAT is enabled. R76SP.40 R76SP.40 Jumbo Take 14
02086151 Changing the distribution mode of Dynamic NAT port allocation (refer to sk103656) between "User-Network" and "General" causes a short outage because all existing connections must be deleted. R76SP.30 R76SP.30 Jumbo Take 50
VSX
02447397

In a VSX environment where a Virtual System is connected with a Wrp interface to a Virtual Switch, and that Virtual Switch is connected to a physical interface (VS, wrp -- wrpj, VSW - ethX), and the Distribution mode on the Wrp interface is different from the Distribution mode on the physical interface, changing the Distribution mode on the Wrp interface might lead to traffic being dropped as out-of-state (with the log "First packet isn't syn").

Example:
  • Topology: eth1-01 --- [VS1] wrp128 --- wrpj128 [VSW] eth2-01
  • Interface eth1-01 on VS has a USER distribution mode
  • Interface wrp128 on VS has a USER distribution mode
  • Interface eth2-01 on VSW has a NETWORK distribution mode
  • Changing the distribution mode of wrp128 on VS to NETWORK might cause some connections to be dropped
R76SP.50 -
02527165 "Command fw vsx db_cleanup report local failed to run" error when running "vsx verify" command.
Refer to sk117917.
R76SP.50 -
02024482 After running the "vsx_util reconfigure" command on Management Server, VLAN interface on 60000 / 40000 chassis in VSX mode might come up without an IP address if VLAN's MTU was set to a value larger than 1500.
Refer to sk111513.
R76SP.40 -
02035641 Virtual Systems on 60000 / 40000 chassis running R76SP.40 do not respond to SNMPv3 queries (no errors, no timeout).
Refer to sk111512.
R76SP.40 -
02019930 On VSX cluster member with ~250 Virtual Systems, CPU load (Soft IRQ) on CPU core 19 (which is allocated to SecureXL), is at 80-100% due to large amount of CCP packets. R76SP.40 -
01982310 During IPv6 first time configuration, Virtual System must be stopped. This will cause traffic downtime. R76SP.40 -
02030480 Upgrade from R76SP.10 / R76SP.20 in VSX mode to R76SP.40 cannot be completed if any Virtual System is running with Initial Policy.
To complete the upgrade, install the relevant policy on all Virtual Systems.
R76SP.40 -
02020256 Before upgrading to R76SP.30 / R76SP.40 in VSX mode, Bond interfaces that are not connected to any Virtual System should be deleted from Topology. R76SP.40 -
01821671 In VSX HA mode, VLAN trunk ports cannot be monitored from the context of Virtual Systems (only from the context of VSX Gateway itself - VS0). R76SP.30 -
01812597 No local configuration should be performed on 60000 / 40000 chassis while "vsx_util reconfigure" is running on Management Server.
It is necessary to wait until all SGMs and Virtual Systems are up and running (otherwise, the local configuration will not be applied).
R76SP.30 -
02353537 The "add arp proxy" command is supported only for the context of VSX Gateway itself (VS0). R76SP.30 -
01829724 VSX cluster setup with Dynamic Routing:
SMO SGM will go down upon any reconfiguration of CoreXL due to Critical Device "routed".
The SMO will failback once all routes are synchronized again.
R76SP.30 R76SP.40
01620389 You cannot configure Bond interfaces on chassis Management ports after you create the VSX object in SmartDashboard. R76SP.20 -
01284809 To use the Sync Lost mechanism, you must keep the Management interfaces for both chassis connected. R76SP -
01341918 You cannot enable IPv6 before you create and configure a new VSX Gateway.
You must first create the new VSX Gateway and then enable and configure IPv6 using gclish.
R76SP -
01059581 When creating a snapshot image of the VSX Gateway, you must also create a snapshot of all other VSX Gateways and the Security Management Server.
When restoring, you must restore all VSX Gateways and the Security Management Server at the same time.
Refer to sk100395.
R76SP -
01143469

When the FWK process is down, and there is no connectivity in the chassis, the only way to restore connectivity is to restore snapshot from the local hard disk. It is also possible to restore to the factory default image.

  • To check if the FWK process is down, run this command in Expert mode:
    [Expert@HostName]# fw ctl affinity -l -x -vsid 0 | grep fwk

  • To restore a snapshot, from gclish, run:
    HostName:0> set snapshot revert <Snapshot_Name>

  • To restore to factory default image, reboot and from Boot menu choose "Restore Default".

R76SP -
01053518 After the "vsx_util reconfigure" operation is completed, you must install a policy from SmartDashboard on all Virtual Devices. R76SP -
01055910 To create a VSX Gateway object in SmartDashboard, make sure that the following setting is selected in SmartDashboard:
Global Properties - "Firewall" pane - "Firewall Implied Rules" section - "Accept SmartUpdate connections".
R76SP -
01087321 VSX Gateway creation in SmartDashboard and the "vsx_util reconfigure" command are supported only when the left-most SGM is the only SGM in the Security Group. R76SP -
01120835

When pushing a VSX configuration to a VSX Gateway object in SmartDashboard (by clicking on "OK" in the VSX Gateway object) or removing/adding a VLAN interface in gclish and changing the VLAN enhancement state, the Active and Standby chassis freeze for 5 seconds. This is by design.

If the freeze happens during another Chassis HA freeze, the previous freeze stops and a new freeze starts.

The reasons for the Chassis HA freeze are:

  1. After every regular failover (not caused by one chassis going to "Down" state), the chassis is in freeze mode for 30 seconds.
    Refer to sk32488.
  2. When the grade of Standby chassis is changed, and this chassis becomes Active because of the new grade, there is another freeze before the chassis becomes Active.
    The reason for this freeze is to let the chassis grade stabilize before the chassis becomes Active, and to avoid grade flapping (for example: fan goes up, down, up, down, ...).
R76SP -
01109586

Activating the IPS blade in the context of VSX Gateway itself (VS0) may cause failures in firmware file transfer between SGMs and SSMs.

Workaround:

  1. Open the VSX Gateway object - disable the IPS blade and click on OK - install the policy
  2. Copy the firmware to all SSMs
  3. Open the VSX Gateway object - enable the IPS blade and click on OK - install the policy
R76SP -
00972636 If an interface is defined as a VLAN trunk in SmartDashboard, do not add it to a bonding group. R76SP -
01097957

If you reduce the Connections Table limit of a Virtual System, and one of the SGMs already has as many connections as the new limit or more, the new value is rejected for that SGM.
The new Connections Table limit may be accepted by other SGMs.

Notes:

  • To see the current number of entries in Connections Table, run this command in Expert mode:
    [Expert@HostName:0]# fw tab -t connections -s

  • To configure the Connections Table limit of a Virtual System:
    In SmartDashboard - open the Virtual System object - go to "Capacity Optimization" pane - set the value in the field "Limit the maximum concurrent connections" - click on OK - install the policy

R76SP -
01136064

When an interface is defined as VLAN trunk with no VLAN interfaces and no link, the chassis grade is reduced.

Workaround:

  1. Open the VSX Gateway object
  2. Go to the "Physical Interfaces" pane
  3. Clear the "VLAN Trunk" checkbox
  4. Click on OK to push VSX configuration
R76SP -
01012013 The "asg perf" command is not supported on a Virtual Switch. R76SP -
01047969

After changing the Distribution Mode with the "asg dxl dist_mode set" command, the change is automatically verified.
This verification can fail with a message "Found matrix inconsistency" and "verification failed".

If this happens:

  1. Ignore the message.
  2. After a few seconds, run the "asg dxl dist_mode verify" command to make sure the verification succeeded.
  3. After a few seconds, run the "asg dxl dist_mode verify" command again to make sure the verification succeeded.
R76SP R76SP.20
00922958

The Alerts configuration wizard does not allow setting of performance thresholds per Virtual System.
You can manually configure thresholds for Virtual Systems using the "dbset" command from the Expert shell:

[Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold:<alert_name> <value>

Where <value> is the percentage of the default threshold per SGM.

Example:

    [Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold:packet_rate_threshold_high 30
    In this example, an alert is triggered when any Virtual System packet rate is higher than 30% x 1.8MB (1.8MB is the default packet rate threshold per SGM)

Default values:

  • [Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold:concurr_conn_threshold_high 10
    Default value is: 10% x 3000000
  • [Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold:conn_rate_threshold_high 10
    Default value is: 10% x 90000
  • [Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold:throughput_threshold_high 10
    Default value is: 10% x 16000000000
  • [Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold:packet_rate_threshold_high 10
    Default value is: 10% x 1800000

Notes:

  • One ratio applies to all Virtual Systems.
R76SP -
01122041 When VPN blade is enabled on Virtual Systems, the outbound physical interface (the port in the SSM), from which the encrypted traffic exits the firewall, must be configured either with "Network" or "General" Distribution mode.
This includes cases, where the Virtual System is connected via a WARP interface to Virtual Router / Virtual Switch, and the encrypted traffic is sent over that WARP interface.
Configure the WARP interface of the Virtual System connected to the Virtual Router / Virtual Switch in the same way.
R76SP R76SP.20
01468554 Proxy ARP does not work on 60000 / 40000 Security Systems in VSX mode.
Refer to sk105180.
R76SP R76SP.10 Jumbo Take 62,
R76SP.20
01365942 Slave interfaces must be in the "off" state when you assign them to a Bridging group. R76SP -
SecureXL
01743942, 01744365, 01745184, 01745751 SmartView Tracker shows duplicate logs when SecureXL is enabled in the cluster.
Refer to sk107179.
R76SP.10 R76SP.10 Jumbo Take 70
CoreXL
02484749 On SGM260, when changing the number of CoreXL instances with the "cpconfig corexl instances <N>" command, the output incorrectly shows a number of "rx_num" larger than 16 (which is the possible maximum).
Example: rx_num for ixgbe interfaces was set to: 22
R76SP.50 -
00739034

The "fw ctl affinity -l -r" command does not provide correct information about interface affinity to CPU cores.
The 60000 / 40000 Security System supports multiple queues on network drivers, and each driver can have an affinity to multiple CPU cores.

Enter the Expert mode and run the "g_mq_affinity -v" command to display interface affinity per queue.
R76SP -
02503327 VPN can be used with Layer4 CoreXL, but the VPN traffic itself uses the legacy distribution and is handled by FW instance 0 only. R76SP.50 -
Known Limitations - Networking
Networking
- When using SGM400, 40GB Back Plane (BP) connectivity speed is supported for both SSM160 and SSM440.
In order to switch to 40GB, the SSM's downlink ports should be set to 'Auto' Speed.
Refer to sk118435.
R76SP.50 -
01785717 Monitoring interfaces port speed should be done only using the Expert command "asg_port_speed verify".
The Clish command "show interface <interface_name> link-speed" is not supported.
R76SP.30 -
02552061 Traffic outage can occur on SSMs during large traffic volume on Mgmt interfaces on the SSMs.
Refer to sk119956.
R76SP.30 R76SP.30 Jumbo Take 88
01550509 Bonds on chassis Management interface are always monitored by default (cannot be disabled). R76SP.20 R76SP.30
01824488 Unique IP address per Chassis (UIPC) addresses cannot be configured on Bond interface defined on Management ports (error: "Illegal IP address (must be on some existing network)").
Refer to sk107955.
R76SP.20 R76SP.30 Jumbo Take 5,
R76SP.40
01416186

Mandatory steps to connect remotely to a Chassis with enabled "Unique IP address per Chassis" (UIPC):

  1. Create a security rule that allows UIPC traffic (remote connections to unique IP addresses configured on Chassis).
  2. Install the policy on all SGMs.
R76SP.10 -
01433076

In order to activate Jumbo Frames on chassis installed with SSM60, follow these steps for each SSM60 in the chassis.
In a Dual Chassis system, perform this procedure for both Chassis.

  1. Connect to the SSM from one of the SGMs over Telnet (the default password is admin).
  2. Go to the Enable mode:
    # enable
  3. Go to the configuration terminal:
    # configure terminal
  4. Configure all the downlink interfaces:
    # interface range 1/2/1-1/14/1
  5. Configure the MTU:
    # packet-size-limit 9146
  6. Configure the required front panel ports:
    # interface range 1/15/1-1/15/5
  7. Set the required MTU:
    # packet-size-limit 9146
  8. Close the configuration terminal:
    # end
  9. Save the configuration:
    # write
R76SP.10 -
01440870

Follow these steps to disable Jumbo Frames configuration in VSX environment where VLAN interfaces are configured:

  1. In SmartDashboard, set the MTU values on all VLAN interfaces back to standard 1500
  2. From Expert mode, manually set the MTU value to standard 1500 on each physical/bond interface that has VLAN configured. Run the following command for each such interface:
    [Expert@HostName:0]# dbset interface:<Name_of_Interface>:mtu 1500
R76SP.10 -
00830674 Security Gateway: To ensure the best performance, it is recommended that you shut down unused interfaces.
From gclish, run the "set interface <Name_of_Interface> state off" command.
R76SP -
01205997 If you use a Management interface other than eth1-Mgmt4, you must not remove the IP address from the eth1-Mgmt4 interface. R76SP R76SP.10
02554714 Alias IP is not supported on Data interfaces. R76SP -
01164020
  1. Per-port distribution mode is limited to 1024 interfaces at the SSM level.
  2. The total number of topology interfaces that are allowed to be configured decreases
    when Bond interfaces are configured with multiple slave interfaces on the same SSM.
    Each VLAN is counted per each Bond slave interface, on which it is configured.

Example:

  1. Bond interface bond3 is configured with slave interfaces eth1-03 and eth1-04.
  2. Both of these slave interfaces are located on the same SSM.
  3. VLAN 300 is configured on bond3 interface (bond3.300) on the Security Gateway.
  4. SSM1 counts VLAN 300 twice - once for port eth1-03 and once for port eth1-04.
R76SP -
01239664 If you change a unique MAC address (Magic MAC) with the "asg_unique_mac_utility" command and IPv6 is enabled, you must reboot the system. R76SP -
01361484;
01358915
You must run the applicable "asg_span_port set" / "asg_span_port unset" command on the SGMs when you delete or replace a span port interface. R76SP -
01191304 After failover of an SGM or a chassis, the output of the "asg_route --summary" command can incorrectly show 4294967294 networks in the kernel. R76SP -
00830270

When deleting an IP address from an interface with UIPC, the UIPC address is not deleted from that interface.

Workaround: From gclish, run the "delete chassis id <1 | 2 | all> general unique_ip" command.
R76SP -
00846789 You cannot use VLANs on a Management interface. R76SP -
01200477 When working with Bridge that sends IPv6 traffic, you must explicitly allow the ICMPv6 Neighbor Discovery Protocol for all bridged networks in your Firewall rules. R76SP -
01153080

Connectivity issues can occur when you work with 4 SSMs and Link Aggregation LACP in these cases:

  • You restart SSM1 and the LACP ports are located on SSM1 and SSM3.
  • You restart SSM2 and the LACP ports are located on SSM2 and SSM4.

This occurs because the adjacent switch "sees" the LACP link on the ports as UP, but the SGMs see the ports as DOWN.

Workaround: Perform one of these steps:

  • Configure the LACP ports on SSM1 and SSM4
  • Configure the LACP ports on SSM2 and SSM3
  • Configure fast LACP rate on the adjacent switch
R76SP -
00774693 GRE tunnel is not supported when the internal connection is asymmetric. R76SP -
00826228 It is possible to configure two interfaces with IP addresses that reside on the same subnet.
To avoid overlapping entries in the routing table, do not use this configuration.
R76SP -
01052419 Connections may break when changing the System Distribution Mode using either "set distribution configuration" command, or "set distribution interface" command. R76SP -
01176232 Virtual System with VLAN interfaces in Bridge Mode does not support non-IP protocols. R76SP -
00648861

Bonded High Availability mode cannot switch from "Primary Up" to "Active Up".

Workaround: Delete the bonding group and create it again with the required settings.
R76SP -
00763165 Bonding of Management interfaces is not supported. R76SP R76SP.20
00628388 The "show_bond" command in Expert mode is not supported. R76SP R76SP.20
00650191 When working with LACP 802.3ad mode, the recommended distribution mode for the other LACP peer is Layer 3 and Layer 4.
Working with that distribution mode allows traffic to span multiple SSM slaves.
R76SP -
-

Cannot set slave interface to "ON" when it is part of bonding group.

Workaround:

  1. Delete all slaves from bonding group:
    HostName:0> delete bonding group <bond_id> interface <slave_ifn>
  2. Set the slave interfaces state to on:
    HostName:0> set interface <slave_ifn> state on
  3. Add interfaces back to bonding group:
    HostName:0> add bonding group <bond_id> interface <slave_ifn>
R76SP -
Dynamic Routing
SPC-1331  BGP IPv6 neighborship is not supported.  R76SP.50  -
01944813 There is only one Router ID for the entire system. R76SP.40 -
01862808

Critical Device (pnote) named "routed" was added to prevent traffic outage by allowing RouteD daemon to synchronize BGP routes.

  • In BGP DR Manager failback scenarios, old BGP DR manager will go down for 2 minutes
  • When RouteD daemon restarts on BGP DR Manager, BGP DR Manager will go down for 2 minutes
R76SP.30 -
02434688, 02501910 DHCP Relay messages get dropped by 60000 / 40000 appliances.
Refer to sk117053.
R76SP.30 -
01655978 For BGP, when the SMO recovers from a failure, allow at least 2 minutes for the previous SMO to recover the BGP routes. R76SP.20 R76SP.30
01655905 For OSPF/BGP, allow at least 2 minutes time interval between SMO failovers/failbacks. Otherwise, traffic disruption can occur because of inconsistent routes synchronization between SGMs (applies for a fully populated chassis). R76SP.20 R76SP.30
00736037 OSPF is not supported on Management interfaces. R76SP -
00771247 Route Filters are not supported. You can use Route Maps from gclish. R76SP -
00771254 BGP confederations are not supported. R76SP -
00829137 When using Dynamic Routing, do not configure different routemaps with the same preference. Otherwise, the routing daemon fails to start. R76SP -
01174600 After failover of an SGM or a chassis, the output of the "asg_dr_verifier all" command may incorrectly report that the BGP peers are different.
The message is: "Inconsistency found on some of the SGMs".
R76SP -
01174710 After failover of an SGM or a chassis, the output of the "asg_dr_verifier" command may incorrectly show 4294967294 networks in the kernel. R76SP -
01174826 The BGP route cost may show different values in the output of "show route bgp" command on different Security Gateways.
This is a display issue. The route costs are in fact correct.
R76SP -
01262496 BGP MD5 authentication cannot be used for BGP neighbors included in a peer-group. R76SP -
IPv6
02487403 SSM Layer4 Distribution Mode is supported for IPv4 only. The IPv6 traffic will be distributed based on the Source/Destination IP addresses only.

Note: A system can use SSM Layer4 Distribution Mode while both IPv4 and IPv6 traffic are inspected by the gateway. Each IP version will use a different mechanism to distribute traffic, as described above.

 R76SP.50 -
SPC-1666 When working with the distribution mode combination of SSM Layer4 + General + IPv6, correction entries for the IPv6 traffic may not be created and the traffic will be dropped.  R76SP.50  -
Known Limitations - Software Blades
IPS
00778836 When IPS Geo protection is enabled, internal chassis traffic (for example, between SGMs and SSMs) can be reported to SmartView Tracker as Geo logs. R76SP -
VPN
02019144 VPND daemon might crash with core dump after running the "ccutil restart_sgm" command. R76SP.40 -
02525379 VPN traffic is dropped with "fwha_pkt_is_forwarded_from_other_member, drop;" (in kernel debug) when VPN Sticky SA is enabled.
Refer to sk118084.
R76SP.30 -
01508963, 01509387 VPN Tunnel connections (new and existing) might fail during a SYN Attack. R76SP.20 -
01524590

IPSec VPN Link Selection Limitations:

  • IP Selection by Remote Peer - supports only the "Selected address from topology table" option.
  • Outgoing Route Selection - supports only the "Operating system routing table" option.
R76SP.10 -
00776293 When connecting with Endpoint Connect R73 client and/or Endpoint Security (VPN) R75 client to 60000 / 40000 Security System, the static route via external interface should be configured to Office Mode subnet. R76SP -
00761853

Sometimes users cannot reconnect with Endpoint Security (VPN) R75 client to 60000 / 40000 Security System from a computer that is configured with different users within the same user group.

Workaround: Delete the VPN Site on the client and create it again.
R76SP -
01185295 When IPv6 is enabled on a 60000 / 40000 Security System, you must configure IPv6 for at least one interface in order for IPv4 VPN to work flawlessly. R76SP -
02487412  VPN can be used with SSM Layer4 Distribution Mode, but specifically the VPN traffic will be distributed based on the Source/Destination IP addresses. R76SP.50  -
Threat Prevention (Anti-Virus, Anti-Bot, Threat Emulation)
01976712 UserCheck Portal does not work with Threat Emulation. R76SP.40 -
01976906 UserCheck Agent does not work with Threat Emulation. R76SP.40 -
02031724 Mail Transfer Agent (MTA) does not work with Threat Emulation. R76SP.40 -
02011559 When setup is going up without SMO and other SGMs being up, there is no automatic pull of the latest Threat Prevention policy and signatures from the Security Management Server / Domain Management Server. R76SP.40 -
02361107, 02391559 "Reason: Failed to process the file" log from Anti-Virus blade in SmartLog / SmartView Tracker.
Refer to sk114573.
R76SP.30 -
URL Filtering
00774579

Long URL addresses through a proxy are not blocked.

Workaround:

  1. Connect with GuiDBEdit Tool to Security Management Server / Domain Management Server.
  2. In the upper left pane, go to Table - Global Properties - properties.
  3. In the upper right pane, click on firewall_properties.
  4. Press CTRL+F (or go to Search menu - Find) - paste enable_extenstive_search - click on Find Next.
  5. In the lower pane, right-click on the enable_extenstive_search - select Edit... - select "true" - click on OK.
  6. Save the changes: go to File menu - click on Save All.
  7. Close the GuiDBEdit Tool.
  8. Connect with SmartDashboard to Security Management Server / Domain Management Server.
  9. Install the policy onto this 60000 / 40000 Security System object.
R76SP -
HTTPS Inspection
01040680 When HTTPS Inspection is enabled, HTTPS and Proxy connections do not survive cluster failover. R76SP -
Identity Awareness
01551891 The Captive Portal does not respond during a SYN Attack. R76SP.20 -
SPC-990
Identity sharing must be configured with ethX-MgmtX and for communicating with PDP side.  R76SP.50  -
SPC-1569 Identity Sharing is not supported with "Smart Pull". Contact Customer Support for assistance with replacing the configuration.  R76SP.50  -
ConnectControl
00782927 ConnectControl does not work if the Logical Server is configured as HTTP and CoreXL is enabled. R76SP -
DLP
01842449 "View email" option in SmartView Tracker does not fetch the mail. R76SP -
Known Limitations - Monitoring
SNMP
02562742, 02564356, 02566067, 02564352 Query for SNMP OID .1.3.6.1.4.1.2620.1.48.26.1.1.11 (Received Bytes on an interface - .iso.org.dod.internet.private.enterprises.checkpoint.products.asg.asgSetup.asgNetIfTable.asgNetIfEntry.asgNetIfRx) or SNMP OID .1.3.6.1.4.1.2620.1.48.26.1.1.12 (Transmitted Bytes on an interface - .iso.org.dod.internet.private.enterprises.checkpoint.products.asg.asgSetup.asgNetIfTable.asgNetIfEntry.asgNetIfTx) returns inconsistent values - instead of expected increasing values of Received / Transmitted bytes, the SNMP query sometimes returns 0 values, and sometimes returns lower values than in the previous query.
Refer to sk120078.
R76SP.30 -
01466190, 01499483 Performance counters sub-trees (asgIPv4PerformanceCounters and asgIPv6PerformanceCounters) are updated 10 seconds after SGM failover. R76SP.10 R76SP.10 Jumbo Take 3
01255170 For monitoring the 60000 / 40000 Security System over the SNMP, the only supported OIDs are under iso.org.dod.internet.private.enterprise.checkpoint.products.asg (OID 1.3.6.1.4.1.2620.1.48). R76SP -
00630753 The "snmpwalk" or "snmpget" commands on OIDs that have prefixes with 1.3.6.1.4.1.2620.1.44.20 (asgIPv4PerformanceCounters) or 1.3.6.1.4.1.2620.1.44.21 (asgIPv6PerformanceCounters), display values calculated on the Active Chassis only. R76SP -
00750041 Cannot use the gclish "set snmp traps" command to configure SNMP traps.
SNMP traps should be configured from the "asg alert" configuration wizard.
R76SP R76SP.10
01392172, 01392626

Not able to load the Check Point MIB files from R76SP into MIB Browser (e.g., CA Spectrum OneClick) - MIB Browser shows multiple errors:

  • Could not parse the file CHECKPOINT-MIB.
  • Could not parse the file CHECKPOINT-GAIA-TRAP-MIB.
  • The MIB CHECKPOINT-MIB referenced by the selected file appears to contain more than one MIB definition.
  • The MIB RFC1155-SMI referenced by the selected file appears to contain more than one MIB definition.
Refer to sk100169.
R76SP R76SP.10
CPView
02497472

If the CPView is running while adding SGMs to a security group, then SGM private statistics will not be presented until CPView is reopened.

Recommendation: Add SGMs to the security group and only then run the CPView.
R76SP.50 -
02497531

After new installation or changes in hardware, it will take up to 24 hours for the CPView to automatically collect and present the hardware information in "Hardware" - "Version" tab.

For an immediate manual update, run:
[Expert@HostName:0]# g_all rm -f /var/log/cpview/last_update_times
R76SP.50 -
02489296

"Unable to open '/vs<VSID>/dev/fw6v0': Connection refused" error is displayed when running the "cpview" command on 60000 / 40000 chassis when there are some Virtual Systems configured with both IPv6 and IPv4, and there are some Virtual Systems configured with only IPv4.

  • This error message is cosmetic and does not indicate any performance / configuration issue
  • This error message appears during each CPView refresh time
  • This error message appears when CPView is run from the context of a Virtual System configured with only IPv4

Example (for VS 21):

[Expert@R76SP_50_VSX-ch01-02:21:ACTIVE]# cpview
 Unable to open '/vs21/dev/fw6v0': Connection refused 
 fw_get_kernel_instance_num: Invalid instance num 0 - return 0 
|-----------------------------------------------------------------------------------| 
| CPVIEW.Scalable_Platform                       SGM:1_2 VSid:21 21Mar2017 15:48:27 | 
|-----------------------------------------------------------------------------------| 
| Scalable_Platform Local_SGM                                                       | 
... ...
R76SP.50 -

 

 

Applies To:
  • This article replaces: sk94688, sk102789, sk105704, sk105939, sk108196, sk110516, sk115736
