ID |
Symptoms |
Reported In |
Resolved In |
Known Limitations - General |
General |
02496724 |
The "asg if" command will fail with the error "can't read "interface_data(asg,tx)": no such element in array" while the setup is in hybrid version during the upgrade procedure. |
R76SP.50 |
- |
02501687 |
"cores_verifier" script will fail on SGM400 when IPv6 is enabled, and the number of IPv4 CoreXL FW instances is set to 40. |
R76SP.50 |
- |
02476852 |
Before importing a snapshot on an SGM, the user must check that there is enough free disk space. If necessary, delete old snapshots and other unneeded files to free up disk space. SGMs that do not have enough disk space will not create the snapshot in their database, and there will be no error message to indicate it. |
R76SP.50 |
- |
02514252, 02514273, 02515068 |
After copying a file to other SGM blades using the "asg_cp2blades" command, the file permissions on the copied files are set to "644" ("-rw-r--r--") instead of the file permissions of the original file. Refer to sk117735. |
R76SP.30 |
- |
02393014, 02399683, 02450727 |
"ssm_xlate" process crashes with core dump files on the SGM after SSM reboot on 60000 / 40000 appliance. Refer to sk116676. |
R76SP.30 |
R76SP.30 Jumbo Take 72, R76SP.50 |
01462650 |
Extreme clock changes may lead to system instability. It is recommended to reboot the system after such change. |
R76SP.10 |
- |
01247865 |
The "cpstop" and "cpstart" commands are not supported for the 60000 / 40000 Security System. |
R76SP |
- |
00649865 |
After a rewind of the clock, it is necessary to restart some tasks. Enter the Expert mode and run the "g_timewrap_fix" command, so that CMD and CPD daemon are restarted. |
R76SP |
- |
00767143 |
After running the "backup_system restore" command, you must reboot all blades. From gclish on the local SGM, run the "reboot -b all" command. |
R76SP |
R76SP.10 |
00738754 |
If SGMs lose connectivity to the CMM, the "asg stat" command displays the most recent status of the system. For example, a chassis module that was "UP" before the CMM lost connectivity, continues to have the status "UP". The state of the CMM is changed to "DOWN". |
R76SP |
- |
01260226 |
If time synchronization fails, the "Skew too high" error message shows when you run "asg diag verify <clock_id>".
This can occur because the value of the "replies_from_any_port" parameter was set to "true" for the "ntp-udp" service using the GuiDBedit Tool. The SGMs cannot complete local NTP synchronization because the SGM that receives the response does not know to which SGMs to send the response.
To correct this NTP synchronization issue:
- Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).
Verify by running the "cpstat mg" command on Security Management Server / in the context of each Domain Management Server.
- Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.
- In the upper left pane, go to Table - Services - services.
- In the upper right pane, select the ntp-udp object.
- Press CTRL+F (or go to Search menu - Find) - paste replies_from_any_port - click on Find Next.
- In the lower pane, right-click on replies_from_any_port - select Edit... - select "false" - click on OK.
- Save the changes: go to File menu - click on Save All.
- Close the GuiDBedit Tool.
- Connect with SmartDashboard to Security Management Server / Domain Management Server.
- Install the policy.
|
R76SP |
R76SP.10 |
Gaia OS (Global Shell / Commands) |
02476859 |
Gaia Clish command "show snapshots" can display an error: "NMSNAP9999 Timeout waiting for response from database server".
Workaround: Run the "show snapshots" command again. |
R76SP.50 |
- |
02476902 |
Gaia Clish command "show snapshots" can display an error: "NMSNAP0042 Snapshot mechanism is not supported in this system".
Workaround: Run the "show snapshots" command again. |
R76SP.50 |
- |
02525364, 02529652, 02529653, 02529791 |
"NMSUSR0056 Cannot add homedir for user USERNAME, homedir already in use" error in Gaia Clish when adding a new user. Refer to sk118082. |
R76SP.30 |
- |
02515878, 02516425 |
/home/<UserName>/.ssh is a symbolic link to the /home/admin/.ssh directory. Refer to sk117738. |
R76SP.30 |
- |
01223855 |
The Gaia "emergendisk" command does not work with a USB drive that has more than one partition. |
R76SP |
- |
00738300 |
The "asg" commands are an extension to native gclish commands. The "asg" commands have different syntax and there is no auto-completion. |
R76SP |
- |
00621838 |
From gclish, running the "show hostname" command returns the hostname shared by all the SGMs, but not the specific ID for each SGM. The specific ID is displayed as %m. |
R76SP |
- |
00634412 |
To perform hardware related control commands on SGMs in a remote chassis (for example, "asg_reboot", "asg_hard_start" or "asg_hard_shutdown"), at least one remote chassis SGM must be in the "UP" state. For example, running the "asg_hard_start" command on a remote chassis, when the SGMs in this chassis are not "UP", has no effect on the system. |
R76SP |
- |
00778451 |
The "fw monitor" command (refer to sk30583) uses quotation marks (") for filter expression instead of apostrophes ('). Example: fw monitor -e "port(161) or port(162), accept;" |
R76SP |
- |
00642401 |
A CLI command that uses a range for the <SGM IDs> parameter, can only operate if all the relevant SGMs are defined in the security group. |
R76SP |
- |
00761330 |
The "asg_ifconfig analyze" command and the "asg_ifconfig banalyze" command do not support interfaces with alias IP addresses. |
R76SP |
- |
00616216 |
The "asg search" command can display unaccelerated connections as accelerated. After installing a policy or restarting SecureXL, the "asg search" command incorrectly displays some connections as accelerated, when they are actually handled by the firewall. After a few minutes, these connections are no longer displayed in the "asg search" output. |
R76SP |
- |
00633262 |
The arguments of the global commands are processed before the local (native) arguments, and this can cause the local arguments to be ignored. For example, the "g_ls -l /tmp/" command is processed as "ls /tmp/" on the local SGM instead of "ls -l /tmp/" on all SGMs. Relocating the local arguments within the command (where applicable) can resolve the problem. For example, run the "g_ls /tmp/ -l" command instead of the "g_ls -l /tmp/" command. |
R76SP |
- |
01061553 |
When exporting or importing a snapshot, you must export from or import to the /var/log directory. To export a snapshot, run the "set snapshot export <image_name> path /var/log/" command. To import a snapshot, run the "set snapshot import <image_name> path /var/log/ name <new_name_for_image>" command. |
R76SP |
- |
01061498 |
The "set snapshot import <image_to_import>" command does not give an error message when the image to import does not exist. |
R76SP |
- |
01089206 |
Running the "asg_hard_shutdown" command on an SGM two times, one after the other, causes a reboot and not a shutdown. It takes one minute for the SGM to shut down after running the "asg_hard_shutdown" command. During this interval, do not run the "asg_hard_shutdown" command again. |
R76SP |
- |
01091884 |
Running a gclish command on an SGM that is not part of a Security Group runs the command on the SGMs in the Security Group. To run a gclish command on a non-Security Group SGM, run the "set global-mode 0" command on the non-Security Group SGM before running the gclish command. |
R76SP |
R76SP.10 |
01237799 |
When you run multiple gclish "set ..." commands, one after another, some of these commands can stop running. In this case, the message "Processing Transaction" shows in the output. |
R76SP |
- |
01286991, 01238764 |
By default, the "asg diag resource verifier" option only shows a warning about resource mismatches between SGMs. The verification test results show as "Passed" in the output and no further action is taken. You can change the default behavior with this procedure:
- Edit the $FWDIR/conf/asg_diag_config file:
[Expert@HostName:0]# vi $FWDIR/conf/asg_diag_config
- Search for the parameter MismatchSeverity
- Set the value of this parameter to one of these values:
fail - Verification test result will be set to "Failed"
warn - Verification test result will be set to "Passed", and a warning will be shown
ignore - Verification test result will be set to "Ignore", and no errors will be shown
|
R76SP |
- |
01287010, 01268531 |
You must use the "asg_port_speed" or "asg if" commands to work with interface speed (changes or queries). This is because it is necessary to communicate directly with the SSM to change or run queries on interfaces. Results received from the ifconfig, ethtool or other gclish commands can be inaccurate because of the nature of the 60000 / 40000 configuration process. |
R76SP |
- |
01367410 |
When you work with the "asg diag" command, error messages can show inappropriately:
- In VSX mode - When there is a bond configured with no VLANs.
- In Bridge mode - When the bridge interface is not configured.
You can safely ignore these messages. |
R76SP |
R76SP.10 |
02728408, 02728571 |
SNMP memory leak in R76SP.30 and R76SP.50. Refer to sk126472. |
R76SP.50, R76SP.30 |
- |
Hardware |
02434343 |
On SSM440, errors "Dot3Ah: Failed getting variable <XXX> from bm" can appear when running the "system reload" command. |
R76SP.50 |
- |
02169635 |
On SSM440, the MTU is limited to the maximum of 9000 bytes. |
R76SP.50 |
- |
02496928 |
Verification is needed after changing QSFP mode on SSMs: "show smo verifiers print name <Port_Speed>".
If verification failed, then change the QSFP mode on SSMs again: "set ssm id <SSM_ID> qsfp-ports-mode <Port_Speed>"
|
R76SP.50 |
- |
02439227 |
On 44000 chassis, PXE installation on Slot 6 (SGM 2_06 / SGM 1_06) is supported by changing the kdevice to eth3. |
R76SP.50 |
- |
00624269 |
The Ethernet ports on the SGMs are not used. Each SGM has two Ethernet ports that are not used by the system and must not be configured. Output of the "ifconfig" command displays these ports as eth1 and eth2. |
R76SP |
- |
00894653 |
60000 / 40000 Security System transceivers are not interchangeable with transceivers from other Check Point appliances. Only transceivers provided with the 60000 / 40000 are certified for this system. |
R76SP |
- |
01258300 |
When working with a three SSM configuration on a 61000 system, you must put SGMs in these slots only: 1, 2, 3, 4, 5, 10, 11, 12, 13, or 14. |
R76SP |
- |
SPC-103 |
"asg diag" hardware verification fails when PSUs are not placed in consecutive order. |
R76SP.50 |
R76SP.50 Jumbo Take 39 |
SPC-214 |
On SSM440, when working with 1G copper transceiver in ethX-Mgmt4, after SSM reboot the interface will show the link as up but traffic will not pass. Refer to sk126612. |
R76SP.50 |
R76SP.50 Jumbo Take 72 |
Management and Policy |
00758678 |
When installing a new Desktop Policy in SmartDashboard, make sure that you also install a Firewall policy. |
R76SP |
- |
01179727 |
Dynamic Objects configured in SmartDashboard are not synchronized on all SGMs.
Workaround: After you add a Dynamic Object to a rule and install the policy, run the relevant "dynamic_objects ..." command on every SGM to manually add the desired Dynamic Object(s). For example: dynamic_objects -n object -r 192.168.1.1 192.168.1.40 -a
|
R76SP |
- |
01383053 |
You cannot install 41000 Security System licenses with SmartUpdate versions earlier than R77.20.
Workaround:
- Copy the license file to /var/log/ directory on all SGMs.
- In gclish, run the following command to install the license file: cplic put -l /var/log/<License_File>
|
R76SP |
- |
02712085, 02712223 |
"Trying to change the stress flag on a disconnected instance XX" error message during policy installation. Refer to sk123012. |
R76SP.50 Jumbo Take 31 |
|
Multiple Security Groups |
- |
Monitoring and enforcing SSM Load Balancing interfaces (sk121094) is not supported when Multiple Security Groups are enabled. |
R76SP.50 |
- |
- |
The SSM allow management loss feature (sk145792) is not supported when Multiple Security Groups are enabled. |
R76SP.50 |
- |
SPC-1755 |
Enabling SSM Layer4 Distribution is not supported when Multiple Security Groups are enabled. |
R76SP.50 |
- |
SPC-1864 |
MAGG interface is not supported when Multiple Security Groups are enabled. |
R76SP.50 |
- |
SPC-1865 |
Shared Bridge interface is not supported when Multiple Security Groups are enabled. |
R76SP.50 |
- |
SPC-1924 |
SSM SPI distribution mode is not supported when Multiple Security Groups are enabled. |
R76SP.50 |
- |
SPC-1925 |
Manual-general distribution mode is not supported when Multiple Security Groups are enabled. |
R76SP.50 |
- |
SPC-2019 |
Using the same bridging group interface for more than one Security Group is not allowed. |
R76SP.50 |
- |
Known Limitations - Installation |
Installation / Upgrade |
02030480 |
VSX Gateway: Upgrade from R76SP.10 / R76SP.20 in VSX mode to R76SP.40 cannot be completed if any Virtual System is running with Initial Policy. To complete the upgrade, install the relevant policy on all Virtual Systems. |
R76SP.40 |
- |
02020256 |
VSX Gateway: Before upgrading to R76SP.30 / R76SP.40 in VSX mode, Bond interfaces that are not connected to any Virtual System should be deleted from Topology. |
R76SP.40 |
- |
01731299 |
During upgrade from R76SP.10 to R76SP.20, when running in the hybrid setup stage (one chassis is still running R76SP.10 and one chassis is already running R76SP.20), a change in configuration might bring down some blades on the Standby chassis for up to 2 minutes (the blades will recover afterwards). There is no impact on the Active chassis. |
R76SP.20 |
- |
01277055, 01337003, 01338220, 01427685, 01427694, 01500719, 01501293, 01427703, 01498850, 01277018, 01368863 |
Traffic inspected by the following Software Blades does not survive cluster Connectivity Upgrade:
- Mobile Access
- DLP
- VPN - Remote Access
- IPv6
- Dynamic Routing
- Identity Awareness (if a session authenticated with Identity Awareness is open when you start Connectivity Upgrade, then the session will be terminated)
|
R76SP.10 |
- |
01488400 |
Running "asg" or other global commands before the setup wizard completes is not supported. |
R76SP.10 |
- |
00554039 |
When running the setup wizard, pressing the Print Screen key causes the configuration process to exit. To restart, run the setup wizard again. |
R76SP |
- |
00572338 |
When running the setup wizard and configuring the first SGM, pressing the CTRL+C keys after clicking on "Finish" cancels the installation, and the SGM state remains unstable.
Recovery: Enter gclish and revert to the Factory Defaults snapshot. |
R76SP |
- |
00787247 |
When running the First Time Wizard from PuTTY, the Backspace key does not work.
Workaround: Change the configuration of the Backspace key in PuTTY:
- Go to "Terminal" - "Keyboard".
- In "The Backspace key" section, select "Control-H".
|
R76SP |
- |
01177073 |
When a Security Gateway Module (SGM) joins a Security Group after reverting to a snapshot, it reports: "Installation problem exist in SGM". This error can be safely ignored. |
R76SP |
R76SP.10 |
Licensing |
01951566 |
Installation of a Central license with SmartUpdate requires a policy installation on the Security Gateway / VSX Gateway (context of VS0) in order to propagate the license. |
R76SP.40 |
- |
Known Limitations - Infrastructure |
Security Gateway |
02496076, 02501180 |
FWK daemon crashes when Dynamic NAT is enabled. |
R76SP.40 |
R76SP.40 Jumbo Take 14 |
02086151 |
Changing the distribution mode of Dynamic NAT port allocation (refer to sk103656) between "User-Network" and "General" causes a short outage because all existing connections must be deleted. |
R76SP.30 |
R76SP.30 Jumbo Take 50 |
VSX |
02447397 |
In a VSX environment where a Virtual System is connected with a Wrp interface to a Virtual Switch, and that Virtual Switch is connected to a physical interface (VS, wrp -- wrpj, VSW - ethX), and the Distribution mode on the Wrp interface is different from the Distribution mode on the physical interface, changing the Distribution mode on the Wrp interface might lead to traffic being dropped as out-of-state (with the log "First packet isn't syn").
Example:
- Topology: eth1-01 --- [VS1] wrp128 --- wrpj128 [VSW] eth2-01
- Interface eth1-01 on VS has a USER distribution mode
- Interface wrp128 on VS has a USER distribution mode
- Interface eth2-01 on VSW has a NETWORK distribution mode
- Changing the distribution mode of wrp128 on VS to NETWORK might cause some connections to be dropped
|
R76SP.50 |
- |
02527165 |
"Command fw vsx db_cleanup report local failed to run" error when running the "vsx verify" command. Refer to sk117917. |
R76SP.50 |
- |
02024482 |
After running the "vsx_util reconfigure" command on Management Server, VLAN interface on 60000 / 40000 chassis in VSX mode might come up without an IP address if VLAN's MTU was set to a value larger than 1500. Refer to sk111513. |
R76SP.40 |
- |
02035641 |
Virtual Systems on 60000 / 40000 chassis running R76SP.40 do not respond to SNMPv3 queries (no errors, no timeout). Refer to sk111512. |
R76SP.40 |
- |
02019930 |
On a VSX cluster member with ~250 Virtual Systems, CPU load (Soft IRQ) on CPU core 19 (which is allocated to SecureXL) is at 80-100% due to a large number of CCP packets. |
R76SP.40 |
- |
01982310 |
During IPv6 first time configuration, Virtual System must be stopped. This will cause traffic downtime. |
R76SP.40 |
- |
02030480 |
Upgrade from R76SP.10 / R76SP.20 in VSX mode to R76SP.40 cannot be completed if any Virtual System is running with Initial Policy. To complete the upgrade, install the relevant policy on all Virtual Systems. |
R76SP.40 |
- |
02020256 |
Before upgrading to R76SP.30 / R76SP.40 in VSX mode, Bond interfaces that are not connected to any Virtual System should be deleted from Topology. |
R76SP.40 |
- |
01821671 |
In VSX HA mode, VLAN trunk ports cannot be monitored from the context of Virtual Systems (only from the context of VSX Gateway itself - VS0). |
R76SP.30 |
- |
01812597 |
No local configuration should be performed on 60000 / 40000 chassis while "vsx_util reconfigure" is running on Management Server. It is necessary to wait until all SGMs and Virtual Systems are up and running (otherwise, the local configuration will not be applied). |
R76SP.30 |
- |
02353537 |
The "add arp proxy" command is supported only for the context of VSX Gateway itself (VS0). |
R76SP.30 |
- |
01829724 |
VSX cluster setup with Dynamic Routing: SMO SGM will go down upon any reconfiguration of CoreXL due to Critical Device "routed". The SMO will failback once all routes are synchronized again. |
R76SP.30 |
R76SP.40 |
01620389 |
You cannot configure Bond interfaces on chassis Management ports after you create the VSX object in SmartDashboard. |
R76SP.20 |
- |
01284809 |
To use the Sync Lost mechanism, you must keep the Management interfaces for both chassis connected. |
R76SP |
- |
01341918 |
You cannot enable IPv6 before you create and configure a new VSX Gateway. You must first create the new VSX Gateway and then enable and configure IPv6 using gclish. |
R76SP |
- |
01059581 |
When creating a snapshot image of the VSX Gateway, you must also create a snapshot of all other VSX Gateways and the Security Management Server. When restoring, you must restore all VSX Gateways and the Security Management Server at the same time. Refer to sk100395. |
R76SP |
- |
01143469 |
When the FWK process is down, and there is no connectivity in the chassis, the only way to restore connectivity is to restore a snapshot from the local hard disk. It is also possible to restore to the factory default image.
- To check if the FWK process is down, run this command in Expert mode: [Expert@HostName]# fw ctl affinity -l -x -vsid 0 | grep fwk
- To restore a snapshot, from gclish, run: HostName:0> set snapshot revert <Snapshot_Name>
- To restore to factory default image, reboot and from Boot menu choose "Restore Default".
|
R76SP |
- |
01053518 |
After the "vsx_util reconfigure" operation is completed, you must install a policy from SmartDashboard on all Virtual Devices. |
R76SP |
- |
01055910 |
To create a VSX Gateway object in SmartDashboard, make sure that the following setting is selected in SmartDashboard: Global Properties - "Firewall" pane - "Firewall Implied Rules" section - "Accept SmartUpdate connections". |
R76SP |
- |
01087321 |
VSX Gateway creation in SmartDashboard and the "vsx_util reconfigure" command are supported when only the left-most SGM is in the Security Group. |
R76SP |
- |
01120835 |
When pushing a VSX configuration to a VSX Gateway object in SmartDashboard (by clicking on "OK" in the VSX Gateway object) or removing/adding a VLAN interface in gclish and changing the VLAN enhancement state, the Active and Standby chassis freeze for 5 seconds. This is by design.
If the freeze happens during another Chassis HA freeze, the previous freeze stops and a new freeze starts.
The reasons for the Chassis HA freeze are:
- After every regular failover (not caused by one chassis going to "Down" state), the chassis is in freeze mode for 30 seconds.
Refer to sk32488.
- When the grade of Standby chassis is changed, and this chassis becomes Active because of the new grade, there is another freeze before the chassis becomes Active.
The reason for this freeze is to let the chassis grade stabilize before the chassis becomes Active, and to avoid grade flapping (for example: fan goes up, down, up, down, ...).
|
R76SP |
- |
01109586 |
Activating the IPS blade in the context of VSX Gateway itself (VS0) may cause failures in firmware file transfer between SGMs and SSMs.
Workaround:
- Open the VSX Gateway object - disable the IPS blade and click on OK - install the policy
- Copy the firmware to all SSMs
- Open the VSX Gateway object - enable the IPS blade and click on OK - install the policy
|
R76SP |
- |
00972636 |
If an interface is defined as a VLAN trunk in SmartDashboard, do not add it to a bonding group. |
R76SP |
- |
01097957 |
If you reduce the Connections Table limit of a Virtual System, and one of the SGMs has a number of connections equal to or greater than the limit, the new value is rejected for that SGM. The new Connections Table limit may be accepted by other SGMs.
Notes:
- To see the current number of entries in Connections Table, run this command in Expert mode: [Expert@HostName:0]# fw tab -t connections -s
- To configure the Connections Table limit of a Virtual System: In SmartDashboard - open the Virtual System object - go to "Capacity Optimization" pane - set the value in the field "Limit the maximum concurrent connections" - click on OK - install the policy
|
R76SP |
- |
01136064 |
When an interface is defined as VLAN trunk with no VLAN interfaces and no link, the chassis grade is reduced.
Workaround:
- Open the VSX Gateway object
- Go to the "Physical Interfaces" pane
- Clear the "VLAN Trunk" checkbox
- Click on OK to push VSX configuration
|
R76SP |
- |
01012013 |
The "asg perf" command is not supported on a Virtual Switch. |
R76SP |
- |
01047969 |
After changing the Distribution Mode with the "asg dxl dist_mode set" command, the change is automatically verified. This verification can fail with the messages "Found matrix inconsistency" and "verification failed".
If this happens:
- Ignore the message.
- After a few seconds, run the "asg dxl dist_mode verify" command to make sure the verification succeeded.
- After a few seconds, run the "asg dxl dist_mode verify" command again to make sure the verification succeeded.
|
R76SP |
R76SP.20 |
00922958 |
The Alerts configuration wizard does not allow setting of performance thresholds per Virtual System. You can manually configure thresholds for Virtual Systems using the "dbset" command from the Expert shell:
[Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold:<alert_name> <value>
Where <value> is the percentage of the default threshold per SGM.
Example:
[Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold:packet_rate_threshold_high 30
In this example, an alert is triggered when any Virtual System packet rate is higher than 30% x 1.8MB (1.8MB is the default packet rate threshold per SGM)
Default values:
- [Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold:concurr_conn_threshold_high 10
Default value is: 10% x 3000000
- [Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold:conn_rate_threshold_high 10
Default value is: 10% x 90000
- [Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold:throughput_threshold_high 10
Default value is: 10% x 16000000000
- [Expert@HostName:0]# g_all dbset chassis:vs:0:alert_threshold:packet_rate_threshold_high 10
Default value is: 10% x 1800000
Notes:
- One ratio applies to all Virtual Systems.
|
R76SP |
- |
01122041 |
When VPN blade is enabled on Virtual Systems, the outbound physical interface (the port in the SSM), from which the encrypted traffic exits the firewall, must be configured either with "Network" or "General" Distribution mode. This includes cases, where the Virtual System is connected via a WARP interface to Virtual Router / Virtual Switch, and the encrypted traffic is sent over that WARP interface. Configure the WARP interface of the Virtual System connected to the Virtual Router / Virtual Switch in the same way. |
R76SP |
R76SP.20 |
01468554 |
Proxy ARP does not work on 60000 / 40000 Security Systems in VSX mode. Refer to sk105180. |
R76SP |
R76SP.10 Jumbo Take 62, R76SP.20 |
01365942 |
Slave interfaces must be in the "off" state when you assign them to a Bridging group. |
R76SP |
- |
SecureXL |
01743942, 01744365, 01745184, 01745751 |
SmartView Tracker shows duplicate logs when SecureXL is enabled in the cluster. Refer to sk107179. |
R76SP.10 |
R76SP.10 Jumbo Take 70 |
CoreXL |
02484749 |
On SGM260, when changing the number of CoreXL instances with the "cpconfig corexl instances <N>" command, the output incorrectly shows a number of "rx_num" larger than 16 (which is the possible maximum). Example: rx_num for ixgbe interfaces was set to: 22 |
R76SP.50 |
- |
00739034 |
The "fw ctl affinity -l -r" command does not provide correct information about interface affinity to CPU cores. The 60000 / 40000 Security System supports multiple queues on network drivers, and each driver can have an affinity to multiple CPU cores.
Enter the Expert mode and run the "g_mq_affinity -v" command to display interface affinity per queue. |
R76SP |
- |
02503327 |
VPN can be used with Layer4 CoreXL, but specifically the VPN traffic will use the legacy distribution and will be handled by FW instance 0 only. |
R76SP.50 |
- |
Known Limitations - Networking |
Networking |
MBS-2991, MBS-6601, SPC-994 |
Configuration of RX/TX ringsize is supported only on eth<X>-Mgmt4 and BPEth<X> interfaces (either with the Expert command 'ethtool -g', or the Gaia Clish command 'set interface ...'). |
R76SP.50 |
- |
- |
When using SGM400, 40GB Back Plane (BP) connectivity speed is supported for both SSM160 and SSM440. In order to switch to 40GB, the SSM's downlink ports should be set to 'Auto' Speed. Refer to sk118435. |
R76SP.50 |
- |
01785717 |
Monitoring interfaces port speed should be done only using the Expert command "asg_port_speed verify". The Clish command "show interface <interface_name> link-speed" is not supported. |
R76SP.30 |
- |
02552061 |
Traffic outage can occur on SSMs during large traffic volume on Mgmt interfaces on the SSMs. Refer to sk119956. |
R76SP.30 |
R76SP.30 Jumbo Take 88 |
01550509 |
Bonds on chassis Management interface are always monitored by default (cannot be disabled). |
R76SP.20 |
R76SP.30 |
01824488 |
Unique IP address per Chassis (UIPC) addresses cannot be configured on Bond interface defined on Management ports (error: "Illegal IP address (must be on some existing network) "). Refer to sk107955. |
R76SP.20 |
R76SP.30 Jumbo Take 5, R76SP.40 |
01416186 |
Mandatory steps to connect remotely to a Chassis with enabled "Unique IP address per Chassis" (UIPC):
- Create a security rule that allows UIPC traffic (remote connections to unique IP addresses configured on Chassis).
- Install the policy on all SGMs.
|
R76SP.10 |
- |
01433076 |
To activate Jumbo Frames on a chassis installed with SSM60, follow these steps for each SSM60 in the chassis. In Dual Chassis systems, perform this procedure for both Chassis.
- Connect to the SSM from one of the SGMs over Telnet (the default password is admin).
- Go to the Enable mode:
# enable
- Go to the configuration terminal:
# configure terminal
- Configure all the downlink interfaces:
# interface range 1/2/1-1/14/1
- Configure the MTU:
# packet-size-limit 9146
- Configure the required front panel ports:
# interface range 1/15/1-1/15/5
- Set the required MTU:
# packet-size-limit 9146
- Close the configuration terminal:
# end
- Save the configuration:
# write
|
R76SP.10 |
- |
01440870 |
Follow these steps to disable Jumbo Frames configuration in VSX environment where VLAN interfaces are configured:
- In SmartDashboard, set the MTU values on all VLAN interfaces back to standard 1500
- From Expert mode, manually set the MTU value to standard 1500 on each physical/bond interface that has VLAN configured. Run the following command for each such interface:
[Expert@HostName:0]# dbset interface:<Name_of_Interface>:mtu 1500
|
R76SP.10 |
- |
00830674 |
Security Gateway: To ensure the best performance, it is recommended that you shut down unused interfaces. From gclish, run the "set interface <Name_of_Interface> state off" command. |
R76SP |
- |
01205997 |
If you use a Management interface other than eth1-Mgmt4, you must not remove the IP address from the eth1-Mgmt4 interface. |
R76SP |
R76SP.10 |
02554714 |
Alias IP is not supported on Data interfaces. |
R76SP |
- |
01164020 |
- Per-port distribution mode is limited to 1024 interfaces at the SSM level.
- The total number of topology interfaces that are allowed to be configured decreases when Bond interfaces are configured with multiple slave interfaces on the same SSM. Each VLAN is counted per each Bond slave interface, on which it is configured.
Example:
- Bond interface bond3 is configured with slave interfaces eth1-03 and eth1-04.
- Both of these slave interfaces are located on the same SSM.
- VLAN 300 is configured on bond3 interface (bond3.300) on the Security Gateway.
- SSM1 counts VLAN 300 twice - once for port eth1-03 and once for port eth1-04.
|
R76SP |
- |
01239664 |
If you change a unique MAC address (Magic MAC) with the "asg_unique_mac_utility" command and IPv6 is enabled, you must reboot the system. |
R76SP |
- |
01361484, 01358915 |
You must run the applicable "asg_span_port set" / "asg_span_port unset" command on the SGMs when you delete or replace a span port interface. |
R76SP |
- |
01191304 |
After failover of an SGM or a chassis, the output of the "asg_route --summary" command can incorrectly show 4294967294 networks in the kernel. |
R76SP |
- |
00830270 |
When deleting an IP address from an interface with UIPC, the UIPC address is not deleted from that interface.
Workaround: From gclish, run the "delete chassis id <1 | 2 | all> general unique_ip" command. |
R76SP |
- |
00846789 |
You cannot use VLANs on a Management interface. |
R76SP |
- |
01200477 |
When working with a Bridge that sends IPv6 traffic, you must explicitly allow the ICMPv6 Neighbor Discovery Protocol for all bridged networks in your Firewall rules. |
R76SP |
- |
01153080 |
Connectivity issues can occur when you work with 4 SSMs and Link Aggregation LACP in these cases:
- You restart SSM1 and the LACP ports are located on SSM1 and SSM3.
- You restart SSM2 and the LACP ports are located on SSM2 and SSM4.
This occurs because the adjacent switch "sees" the LACP link on the ports as UP, but the SGMs see the ports as DOWN.
Workaround: Perform one of these steps:
- Configure the LACP ports on SSM1 and SSM4
- Configure the LACP ports on SSM2 and SSM3
- Configure fast LACP rate on the adjacent switch
|
R76SP |
- |
00774693 |
GRE tunnel is not supported when the internal connection is asymmetric. |
R76SP |
- |
00826228 |
It is possible to configure two interfaces with IP addresses that reside on the same subnet. To avoid overlapping entries in the routing table, do not use this configuration. |
R76SP |
- |
01052419 |
Connections may break when changing the System Distribution Mode using either the "set distribution configuration" command or the "set distribution interface" command. |
R76SP |
- |
01176232 |
Virtual System with VLAN interfaces in Bridge Mode does not support non-IP protocols. |
R76SP |
- |
00648861 |
Bonded High Availability mode cannot switch from "Primary Up" to "Active Up".
Workaround: Delete the bonding group and create it again with the required settings. |
R76SP |
- |
00763165 |
Bonding of Management interfaces is not supported. |
R76SP |
R76SP.20 |
00628388 |
The "show_bond" command in Expert mode is not supported. |
R76SP |
R76SP.20 |
00650191 |
When working with LACP 802.3ad mode, the recommended distribution mode for the other LACP peer is Layer 3 and Layer 4. Working with that distribution mode allows traffic to span multiple SSM slaves. |
R76SP |
- |
- |
Cannot set slave interface to "ON" when it is part of bonding group.
Workaround:
- Delete all slaves from bonding group:
HostName:0> delete bonding group <bond_id> interface <slave_ifn>
- Set the slave interfaces state to on:
HostName:0> set interface state on
- Add interfaces back to bonding group:
HostName:0> add bonding group <bond_id> interface <slave_ifn>
|
R76SP |
- |
Dynamic Routing |
SPC-2764 |
When working with PIM, moving from dense mode to sparse mode or vice versa requires PIM restart. |
R76SP |
- |
SPC-1331 |
BGP IPv6 neighborship is not supported. |
R76SP.50 |
- |
01944813 |
There is only one Router ID for the entire system. |
R76SP.40 |
- |
01862808 |
A Critical Device (pnote) named "routed" was added to prevent traffic outage by allowing the RouteD daemon to synchronize BGP routes.
- In BGP DR Manager failback scenarios, old BGP DR manager will go down for 2 minutes
- When RouteD daemon restarts on BGP DR Manager, BGP DR Manager will go down for 2 minutes
|
R76SP.30 |
- |
02434688, 02501910 |
DHCP Relay messages get dropped by 60000 / 40000 appliances. Refer to sk117053. |
R76SP.30 |
- |
01655978 |
For BGP, when the SMO recovers from a failure, allow at least 2 minutes for the previous SMO to recover the BGP routes. |
R76SP.20 |
R76SP.30 |
01655905 |
For OSPF/BGP, allow at least 2 minutes time interval between SMO failovers/failbacks. Otherwise, traffic disruption can occur because of inconsistent routes synchronization between SGMs (applies for a fully populated chassis). |
R76SP.20 |
R76SP.30 |
00736037 |
OSPF is not supported on Management interfaces. |
R76SP |
- |
00771247 |
Route Filters are not supported. You can use Route Maps from gclish. |
R76SP |
- |
00771254 |
BGP confederations are not supported. |
R76SP |
- |
00829137 |
When using Dynamic Routing, do not configure different routemaps with the same preference. Otherwise, the routing daemon fails to start. |
R76SP |
- |
01174600 |
After failover of an SGM or a chassis, the output of the "asg_dr_verifier all" command may incorrectly report that the BGP peers are different. The message is: "Inconsistency found on some of the SGMs". |
R76SP |
- |
01174710 |
After failover of an SGM or a chassis, the output of the "asg_dr_verifier" command may incorrectly show 4294967294 networks in the kernel. |
R76SP |
- |
01174826 |
The BGP route cost may show different values in the output of "show route bgp" command on different Security Gateways. This is a display issue. The route costs are in fact correct. |
R76SP |
- |
01262496 |
BGP MD5 authentication cannot be used for BGP neighbors included in a peer-group. |
R76SP |
- |
IPv6 |
02487403 |
SSM Layer4 Distribution Mode is supported for IPv4 only. IPv6 traffic is distributed based on the Source/Destination IP addresses only.
Note: A system can use SSM Layer4 Distribution Mode while both IPv4 and IPv6 traffic are inspected by the gateway. Each IP version uses a different mechanism to distribute traffic, as described above.
|
R76SP.50 |
- |
SPC-1666 |
When working with distribution modes combination of SSM Layer4 + General + IPv6, correction entries for the IPv6 traffic may not be created and the traffic will be dropped. |
R76SP.50 |
R76SP.50 Jumbo Take 196 |
Known Limitations - Software Blades |
IPS |
00778836 |
When IPS Geo protection is enabled, internal chassis traffic (for example, between SGMs and SSMs) can be reported to SmartView Tracker as Geo logs. |
R76SP |
- |
VPN |
02019144 |
VPND daemon might crash with core dump after running the "ccutil restart_sgm" command. |
R76SP.40 |
- |
02525379 |
VPN traffic is dropped with "fwha_pkt_is_forwarded_from_other_member, drop;" (in kernel debug) when VPN Sticky SA is enabled. Refer to sk118084. |
R76SP.30 |
- |
01508963, 01509387 |
VPN Tunnel connections (new and existing) might fail during a SYN Attack. |
R76SP.20 |
- |
01524590 |
IPSec VPN Link Selection Limitations:
- IP Selection by Remote Peer - supports only the "Selected address from topology table" option.
- Outgoing Route Selection - supports only the "Operating system routing table" option.
|
R76SP.10 |
- |
00776293 |
When connecting with Endpoint Connect R73 client and/or Endpoint Security (VPN) R75 client to a 60000 / 40000 Security System, a static route to the Office Mode subnet should be configured via the external interface. |
R76SP |
- |
00761853 |
Sometimes users cannot reconnect with Endpoint Security (VPN) R75 client to 60000 / 40000 Security System from a computer that is configured with different users within the same user group.
Workaround: Delete the VPN Site on the client and create it again. |
R76SP |
- |
01185295 |
When IPv6 is enabled on a 60000 / 40000 Security System, you must configure IPv6 for at least one interface in order for IPv4 VPN to work flawlessly. |
R76SP |
- |
02487412 |
VPN can be used with SSM Layer4 Distribution Mode, but specifically the VPN traffic will be distributed based on the Source/Destination IP addresses. |
R76SP.50 |
- |
Threat Prevention (Anti-Virus, Anti-Bot, Threat Emulation) |
01976712 |
UserCheck Portal does not work with Threat Emulation. |
R76SP.40 |
- |
01976906 |
UserCheck Agent does not work with Threat Emulation. |
R76SP.40 |
- |
02031724 |
Mail Transfer Agent (MTA) does not work with Threat Emulation. |
R76SP.40 |
- |
02011559 |
When setup is going up without SMO and other SGMs being up, there is no automatic pull of the latest Threat Prevention policy and signatures from the Security Management Server / Domain Management Server. |
R76SP.40 |
- |
02361107, 02391559 |
"Reason: Failed to process the file" log from Anti-Virus blade in SmartLog / SmartView Tracker. Refer to sk114573. |
R76SP.30 |
- |
URL Filtering |
00774579 |
Long URL addresses through a proxy are not blocked.
Workaround:
- Connect with GuiDBEdit Tool to Security Management Server / Domain Management Server.
- In the upper left pane, go to Table - Global Properties - properties.
- In the upper right pane, click on firewall_properties.
- Press CTRL+F (or go to Search menu - Find) - paste enable_extenstive_search - click on Find Next.
- In the lower pane, right-click on the enable_extenstive_search - select Edit... - select "true" - click on OK.

- Save the changes: go to File menu - click on Save All.
- Close the GuiDBedit Tool.
- Connect with SmartDashboard to Security Management Server / Domain Management Server.
- Install the policy onto this 60000 / 40000 Security System object.
|
R76SP |
- |
HTTPS Inspection |
01040680 |
When HTTPS Inspection is enabled, HTTPS and Proxy connections do not survive cluster failover. |
R76SP |
- |
Identity Awareness |
01551891 |
The Captive Portal does not respond during a SYN Attack. |
R76SP.20 |
- |
SPC-990 |
Identity sharing must be configured with ethX-MgmtX and for communicating with PDP side. |
R76SP.50 |
- |
SPC-1569 |
Identity Sharing is not supported with "Smart Pull". Contact Customer Support for assistance with replacing the configuration. |
R76SP.50 |
- |
- |
IA (Captive Portal) is not supported when L4 distribution mode is enabled. |
R76SP.50 |
R80.20SP |
ConnectControl |
00782927 |
ConnectControl does not work if the Logical Server is configured as HTTP and CoreXL is enabled. |
R76SP |
- |
DLP |
01842449 |
"View email" option in SmartView Tracker does not fetch the mail. |
R76SP |
- |
Known Limitations - Monitoring |
SNMP |
02562742, 02564356, 02566067, 02564352 |
Query for SNMP OID .1.3.6.1.4.1.2620.1.48.26.1.1.11 (Received Bytes on an interface - .iso.org.dod.internet.private.enterprises.checkpoint.products.asg.asgSetup.asgNetIfTable.asgNetIfEntry.asgNetIfRx) or SNMP OID .1.3.6.1.4.1.2620.1.48.26.1.1.12 (Transmitted Bytes on an interface - .iso.org.dod.internet.private.enterprises.checkpoint.products.asg.asgSetup.asgNetIfTable.asgNetIfEntry.asgNetIfTx) returns inconsistent values: instead of the expected increasing values of Received / Transmitted bytes, the SNMP query sometimes returns 0 values, and sometimes returns lower values than in the previous query. Refer to sk120078. |
R76SP.30 |
- |
01466190, 01499483 |
Performance counters sub-trees (asgIPv4PerformanceCounters and asgIPv6PerformanceCounters) are updated 10 seconds after SGM failover. |
R76SP.10 |
R76SP.10 Jumbo Take 3 |
01255170 |
For monitoring the 60000 / 40000 Security System over the SNMP, the only supported OIDs are under iso.org.dod.internet.private.enterprise.checkpoint.products.asg (OID 1.3.6.1.4.1.2620.1.48). |
R76SP |
- |
00630753 |
The "snmpwalk" or "snmpget" commands on OIDs that have prefixes with 1.3.6.1.4.1.2620.1.44.20 (asgIPv4PerformanceCounters) or 1.3.6.1.4.1.2620.1.44.21 (asgIPv6PerformanceCounters) display values calculated on the Active Chassis only. |
R76SP |
- |
00750041 |
Cannot use the gclish "set snmp traps" command to configure SNMP traps. SNMP traps should be configured from the "asg alert" configuration wizard. |
R76SP |
R76SP.10 |
01392172, 01392626 |
Not able to load the Check Point MIB files from R76SP into MIB Browser (e.g., CA Spectrum OneClick) - MIB Browser shows multiple errors:
Could not parse the file CHECKPOINT-MIB.
Could not parse the file CHECKPOINT-GAIA-TRAP-MIB.
The MIB CHECKPOINT-MIB referenced by the selected file appears to contain more than one MIB definition.
The MIB RFC1155-SMI referenced by the selected file appears to contain more than one MIB definition.
Refer to sk100169. |
R76SP |
R76SP.10 |
CPView |
02497472 |
If the CPView is running while adding SGMs to a security group, then SGM private statistics will not be presented until CPView is reopened.
Recommendation: Add SGMs to the security group and only then run the CPView. |
R76SP.50 |
- |
02497531 |
After new installation or changes in hardware, it will take up to 24 hours for the CPView to automatically collect and present the hardware information in "Hardware" - "Version" tab.
For an immediate manual update, run: [Expert@HostName:0]# g_all rm -f /var/log/cpview/last_update_times |
R76SP.50 |
- |
02489296 |
"Unable to open '/vs<VSID>/dev/fw6v0': Connection refused" error is displayed when running the "cpview" command on a 60000 / 40000 chassis when there are some Virtual Systems configured with both IPv6 and IPv4, and there are some Virtual Systems configured with only IPv4.
- This error message is cosmetic and does not indicate any performance / configuration issue
- This error message appears during each CPView refresh time
- This error message appears when CPView is run from the context of a Virtual System configured with only IPv4
Example (for VS 21):
[Expert@R76SP_50_VSX-ch01-02:21:ACTIVE]# cpview
Unable to open '/vs21/dev/fw6v0': Connection refused
fw_get_kernel_instance_num: Invalid instance num 0 - return 0
|-----------------------------------------------------------------------------------|
| CPVIEW.Scalable_Platform SGM:1_2 VSid:21 21Mar2017 15:48:27 |
|-----------------------------------------------------------------------------------|
| Scalable_Platform Local_SGM |
... ...
|
R76SP.50 |
- |