R80.10 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues in different products.
This Incremental Hotfix and this article are periodically updated with new fixes.
The list below describes each resolved issue and provides a Take number, in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). In addition, you can find the date when the take was published in the table below.
R80.20 GA release is aligned with R80.10 Jumbo Hotfix Accumulator Take 142.
R80.30 GA release is aligned with R80.10 Jumbo Hotfix Accumulator Take 203.
For CPUSE installation, CPUSE Agent build 1298 and above (refer to sk92449) must be used.
It is recommended to install Jumbo Hotfix Accumulator on all the R80.10 machines running on Gaia OS.
This Jumbo Hotfix Accumulator is suitable for these products and configurations:
Security Management Server
Multi-Domain Security Management
Multi-Domain Log Server
Endpoint Security Server
CloudGuard / vSEC for AWS, Microsoft Azure and Google Cloud (see sk109141)
This Jumbo Hotfix Accumulator must be installed only after successful completion of the Gaia First Time Configuration Wizard and a reboot.
To check the Take number of the currently installed R80.10 Jumbo Hotfix Accumulator (if it is installed), run the following command in Expert mode:
[Expert@HostName:0]# cpinfo -y all
List of resolved issues per HotFix
R80.10 Jumbo HotFix - General Availability Take 225 (04 August 2019, GA from 04 September 2019)
Added ability for R80.10 Security Management or Multi-Domain Server to manage R80.30 Security gateway. Refer to sk149272.
This fix requires R80.10 SmartConsole Build 137 to be installed.
PRJ-714, PMTR-36761, CPM-2191
Enhancement: added feature for tracking random CPM process crashes on Security Management server. Refer to sk150913.
After opening and searching in pickers for a few times, the "error retrieving results" message appears when opening a picker.
In some scenarios, Check Point services fail to start and the CPM log shows that there are duplicate session aggregators.
In a rare scenario, CPM server does not start after a failure in deleting a Domain.
In a rare scenario, upgrade from R77.x to R80.x fails with cpdb core dump file created.
API is missing a validation letting you assign permissions to Multi-Domain Server Super User.
When running 'add-domain' Web API command on an existing Domain, the original Domain is deleted.
High CPU utilization by FWM process when SmartEvent is enabled on the Security Management Server. Refer to sk147563.
In a rare scenario, a failure in policy installation causes a false "Policy installation is currently in progress" error message.
Multi-Domain Server processes must be down when running cma_migrate.
PRJ-1400 PMTR-29769, CPM-1730
The Multi-Domain Management database size grows significantly causing operations like "mds restore" and HA full sync to take much longer time.
"Delete Domain Server failed: 'Could not send Message.'" error when a Domain deletion attempt fails because there is a large number of gateways in this Domain.
In a rare scenario, CPM server fails to start after successful Domain deletion.
API is missing a validation allowing the assignment of permissions to MDS Super-User.
PRJ-2302, PMTR-39001, GAIA-3984
Added Management support for 16000 and 26000 appliances.
This fix requires R80.10 SmartConsole Build 137 to be installed.
In some scenarios, SmartConsole unexpectedly terminates when installing policy on many targets simultaneously.
In some scenarios, Installation Targets do not show the correct gateways when cloning and editing the installation targets in the same session.
Management API command "put file" can be used for command execution with certain permissions.
Redundant layers appear in the output of show-package command when Global policy holding more than 1 layer is assigned to Domain.
In a rare scenario, invalid IPS packages and empty lines appear in 'Switch version' window under IPS update.
"Runtime error: java.lang.String incompatible with com.checkpoint.management.web_api_is.common.multi_values.objects.MultiStringForSet" error when trying to set a tag to ICMP and ICMP6 services or set those services into a group with API command.
In some scenarios, when Graceful Restart is enabled, not all BGP routes are advertised.
In a rare scenario, routed process stops working when ECMP is enabled for both IBGP and EBGP.
PRJ-843, PMTR-35251, PMTR-34543
OpenSSL is vulnerable to Padding Oracle Timing / Side Channel Attack.
Added ability to monitor the number of SYN packets on the Security Gateway.
PMTR-32539, IDA-1803, PRJ-1861
Users are not authenticated when an identity source provides the login name in a 'User Principal Name' format "user@domain". Refer to sk147417.
PMTR-32057, PMTR-36871, PMTR-37867, PRJ-1861
The output of pep show pdp all command on the Identity Gateway (PEP) contains "inx invalid type (0)" instead of an Identity server (PDP) IP address. Refer to Scenario #3 in sk156953.
IDA-1981, IDA-2032, PRJ-1629, PRJ-1861
In some scenarios, users are not propagated from the Identity server (PDP) to the Identity Gateway (PEP) on a specific network.
IDA-1987, PRHF-4175, PRJ-1955
In a rare scenario, sessions longer than 24 hours disappear from the Identity Gateway (PEP) but exist on the Identity server (PDP).
IDA-1966, PRHF-4508, PRJ-1748
In a rare scenario, identities are missing from all connected Identity Gateways (PEPs).
IDA-2067, IDA-1892, PRJ-1947
Performance improvement of Identity Awareness kernel tables for Cluster and multi-fw1 instances gateways.
PRJ-942, UP-258, PMTR-23445
Application Control, URL Filtering
In some scenarios, it takes time to load a website when certain applications/links in Application Control/URL Filtering rulebase are blocked. Refer to sk135132.
In some scenarios with low disk space and customized retention configuration, logs and indexes may be deleted contrary to the configuration.
In some cases, logs are not forwarded when log forwarding is enabled on a Log server machine.
PRJ-345, PMTR-19854, PRHF-1915
SNMP variables for VRRP MIB are now available in R80.10. Refer to sk141334.
PRJ-1329, PRHF-3032, 02541089
In a rare scenario, Security Gateway freezes / crashes when SecureXL is enabled and multicast routing is configured. Refer to sk119299.
CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.
Clish command "show system init-services" and Expert command "service --status-all" run "mdsstart" on the server.
R80.10 Jumbo HotFix - Ongoing Take 214 (04 June 2019)
PMTR-22530, PMTR-22677, MBS-2739
Management API on an R80.10 Management Server does not support Security Gateways R80.20SP.
False message "peer failed to synchronized me" appears in Multi-Domain Server HA window although machines are successfully synced. Refer to sk151392.
In some scenarios, the postgres.elg file grows and fills up the disk space. Refer to sk143852.
In a rare scenario, Application Control policy installation fails with "Load on Module failed - failed to load security policy" error, caused by the string dictionary table overflow on the Security gateway. Refer to scenario 3G in sk33893.
The size of the policy has a significant performance impact when adding a rule to the bottom of policy via API.
When using the Threat Exception API and specifying Anti-Virus or Anti-Bot protection, the request fails with "Protection cannot be found" error message.
In some scenarios, Access Policy Hitcount shows zero in the Hitcount column. Refer to sk150492.
Enhanced the policy verification error message related to end of Legacy URL Filtering support by adding the list of gateways that are using it. Refer to sk110116.
In some scenarios, "show package" API command fails with "generic_server_error", reporting "Unable to get all policies because access policy container not used". Refer to sk136432.
"Get Gateway Data" returns "Execution error" for cluster object in SmartUpdate.
In some scenarios, SNX client is not seen in SmartView Monitor tracking page after connecting to the Security gateway.
SmartView Time filter does not work correctly if the server Time Zone is different than the client Time Zone.
When using an inline layer in a Global policy, during installation of a policy with "rule hide rule" verification, the wrong rule numbers show in the Policy Installation window. Refer to sk125672.
In some scenarios, Global policy assignment fails with "An internal error has occurred" error. Refer to sk155412.
PRJ-65, PRHF-1880, PMTR-245
In some scenarios, the following error appears in dmesg: "cmik_loader_fw_dyn_parsers_is_set_conn_flag_on_up_conn: failed to retreive the 'parsers_is_opq' or it doesn't exists on that connection".
In a rare scenario, Security gateway starts to log locally even if logs are sent to backup server.
When logging in with web app to a Domain, the application name and correct IP address are not displayed in SmartConsole Sessions tab.
In a rare scenario, during an Identity Agent or Terminal Server Agent IP change, the PEP database becomes corrupted.
In some scenarios, when using Load Sharing and the same IP address is used by two different users, users may be able to access resources, or be restricted from accessing resources, without the proper roles.
In some scenarios, a session becomes corrupted on the PDP side, leading to unexpected behavior.
R77.x gateways managed by R80.x Security Management show that IPS blade is enabled while it is disabled on the gateway object. Refer to sk146592.
When inspecting raw logs, entries with "origin = 0.0.0.0" can be seen under IPS logs, while logs in the SmartConsole appear fine.
New validation added: Starting from R80.20, ClusterXL does not support Load Sharing mode. SmartConsole blocks such configuration with a warning message.
After installing R80.10 Jumbo Hotfix on 6800/6500 appliances running R80.10 installed from Dual ISO, the Hardware diagnostic tool cannot recognize certain NICs.
R80.10 Jumbo HotFix - General Availability Take 203 (25 March 2019, GA from 12 May 2019)
Added support for 6500 and 6800 appliances. Refer to sk139932.
Added ability to manage Check Point R80.20SP and Check Point Maestro.
OSE policy cannot be viewed without installing it on the device.
Manual changes in INSPECT files under $FWDIR/lib directory of compatibility packages are not synchronized from active to standby Management servers. Refer to sk143792.
PMTR-29584, PMTR-29856, PMTR-29855
Policy installation fails with "IPv6 addresses domain is not supported for Remote Access VPN community" message when using Domain object in Remote Access encryption domain. Refer to sk142832.
PMTR-29921, PMTR-28958, PMTR-29923
"Error retrieving results" message is displayed in SmartConsole after searching for unused objects in Object Explorer.
Unjustified validation error is displayed when installing Threat Prevention policy on Cluster object: "Threat Prevention requires topology to be defined. At least one internal, one external, and no undefined interfaces are required. Incorrectly defined topology impacts performance and security. Please install both Access Control and Threat Prevention policies after fixing the topology."
In some scenarios, running the fwm sic_reset command from Domain fails with "reset_objects: updateMultiple failed" message. Refer to sk142512.
PMTR-17991, PRHF-359, PRHF-714
In some scenarios, the Interpreter process stops working. Refer to sk132892.
CPView is not supported on Multi-Domain Server environments.
Multi-Domain Server GUI randomly does not reflect the Domain Management objects change.
When using the "add/set simple-gateway" API command and specifying backup log servers, the input servers are not saved in the same order as listed in the request.
Number of sessions in "Changes" list does not match the value of 'total'.
When an administrator publishes a session for a different administrator, the name of the administrator that invoked the action is written in the audit logs as the publisher.
When searching for network groups in the SmartConsole main search bar, a certain number of network groups is shown, but the same search inside the Logical Server object shows a different number of groups.
Group update request is sent specifically to the originator LDAP server even if it is down. Refer to sk127833.
In rare scenarios, Security Gateway runs out of kernel memory and may stop processing traffic, printing "double record of connection" message in /var/log/messages file. Refer to sk143432.
In some scenarios, TCP state information is not displayed in the log despite being enabled in SmartConsole.
A large number of Time objects used in the rule base may cause rulebase matching failures resulting in connectivity issues.
When working with NAT on DNS payload and having disabled NAT rules, NAT on DNS payload may not work. Refer to sk132032.
When X-Forwarded-For (XFF) settings are enabled on one of the policy layers or/and on the Security gateway object, the /var/log/messages file shows errors related to asynchronous identity fetch. Refer to sk145673.
In some scenarios, creation of a new gateway upgrade to R80.10 fails with "An internal error has occurred. (Code: 0x8003001D, Could not access file for write operation)" message.
In some scenarios, IPS purge makes a deadlock for some GUI clients, resulting in "Timeout error" error. Refer to sk150312.
In some scenarios, extracted Microsoft Azure files contain only blank pages.
Non-ASCII named files cause the undecoded non-ASCII characters to appear in the Threat Emulation log.
Traffic from the client to the bogus IP address is handled according to the Access Control policy, but not logged as "prevented". Refer to sk141853.
In rare scenarios, when the Log server miscalculates the available disk space, it may stop receiving logs from the connected gateways and cause the logs to accumulate locally on the Security gateway. Refer to sk146152.
"A general error has occurred" message appears when trying to edit the IPS Protection settings.
Some SMTP-related IPS Core Protections remain enabled even though IPS is disabled.
Mobile Access Portal Agent installation page is vulnerable to an XSS attack in Chrome and Firefox.
PMTR-15461, PMTR-21043, PMTR-28348
Added support for i40evf driver.
PMTR-22503, MB-166, PMTR-28064
In some scenarios, virtio_net is not able to run multiqueue.
Important security update for IPSec Site-to-Site (S2S) VPN.
Improved connectivity with third-party VPN peers using IKEv2. Refer to sk120835.
Connectivity improvements for certain Windows L2TP client versions. Refer to sk145895.
PMTR-19379, PMTR-23292, PMTR-23293, 02031663
The CLISH command "show arp table dynamic all" and Bash command "arp -an" show different entries. Refer to sk112753.
In some scenarios, routed process stops working when a VPN tunnel interface is deleted without removing the dynamic routing protocols.
PMTR-18254, PMTR-18255, EPS-17135
In some scenarios, SmartEndpoint shows different numbers of reported "Anti-Malware signature was not upgraded in the last 72 hours" between the warnings and the Active alerts section.
R80.10 Jumbo HotFix - General Availability Take 189 (12 February 2019, GA from 03 March 2019)
Log servers are not seen in the SmartConsole Log Server tab after Advanced Upgrade to Jumbo Hotfix Accumulator Take 33 or after adding new MLM to the environment.
After new Domain creation, logs from this Domain are not seen in SmartConsole.
Before R80.10 Jumbo Hotfix Accumulator Take 189, the Probing feature is set, by default, to Fail Open. From Take 189, the default behavior is changed to Fail Close. Refer to sk104717.
R80.10 Jumbo HotFix - Ongoing Take 185 (22 January 2019)
Values updated in resourceProfiles files to handle high CPU utilization by the "Java" process (described in sk123417) are not persistent and get overwritten after Jumbo Hotfix Accumulator installation, backup/restore, or export/import procedures.
Once a user performs any change to the configuration, the Compliance blade performs a partial scan and calculates the relevant Best Practices. During this scan, exceptions of the relevant objects for these Best Practices are deleted. This means that if obj1 was previously excluded from Best Practice #1, the partial scan relinks obj1 to Best Practice #1.
Added support for NAT on payload of H323 packets when different IP addresses are used for payload and control.
In some scenarios, traffic is dropped when using non-FQDN Domain object in policy.
No service enforcement when creating "Other services" without match expression for TCP, UDP or SCTP.
In some scenarios, Identity Agent fails to authenticate using Kerberos SSO due to a very large Kerberos ticket, and the agent falls back to User/Password authentication. Refer to sk145832.
Added support for more than 10000 IOC indicators to improve capacity and performance.
Added ability to update Threat Emulation file types in an offline environment.
The scrub_cleanup script fails to delete files when there is a large amount of files (over 5000) in the /tmp/scrub directory.
"Error: SIC initialization failed because of failure in parsing the certificate file" error when user attempts to log in with certificate to API (mgmt_cli) with password including "!".
"Synchronization with Check Point UserCenter" feature displays "Synchronization with Check Point UserCenter requires a valid license." warning message even though all licenses are valid.
Web API show-package fails if the package was installed on a cluster member which is already deleted. Refer to sk144132.
When a Security gateway is configured to send alerts only to a specific Log server, logs may be written locally on the gateway instead of being sent to the Log server.
After configuring mail alerts to be sent using the "internal_sendmail" script, emails from the Check Point server arrive with a blank email body. Refer to sk142492.
When scheduled log switch is set to midnight in SmartConsole, logs and indexes are not being deleted according to configuration.
PMTR-26697, PMTR-26696, CP-11
After Daylight saving time change, the logs from the time of change until the end of the day are not indexed and the "Illegal instant due to time zone offset transition (daylight savings time 'gap')" error is displayed in solr.elg file.
In some scenarios, the Log indexer stops indexing logs because of a corrupted row in FetchedFiles.
Remote Access VPN connectivity process when authenticating with certificates was improved.
After Cluster failover, VPN tunnel is down and "Unknown SPI for IPsec packet" log is shown. Refer to sk112339.
When HTTPS Inspection is enabled and the "Hide X-Forwarded-For in outgoing traffic" option is selected, the XFF header is not obfuscated on HTTPS traffic.
Changed SSL Network Extender on MacOS to 64-bit architecture to support the deprecation of 32-bit apps in OSX.
Traffic to HTTPS websites is dropped under the "Unknown Traffic" category if the certificate length sent from the web server exceeds the limit. Refer to sk105321.
Added support for a custom extension used by Apple.
In some scenarios, local traffic between cluster members is dropped due to out of state. Refer to sk123795.
Memory consumption on Security Gateway increases after enabling NetFlow v9 in Gaia OS. Refer to sk118719.
Connectivity issues with "handle_outbound_pac, Reason: connection not found" debug messages on dropped traffic. Refer to sk101134, Scenario 2.
When using conv2db to recreate Gaia database from /config/active, comments are not skipped and the new database file may contain irrelevant information. Refer to sk139832. Note: the issue is cosmetic only.
The "iotop" command does not work on Smart-1 525, 5050 and 51580 appliances.
PMTR-23155, GAIA-3010, PMTR-26453
CVE-2018-15473: Username enumeration is possible due to a premature bail-out while dealing with a malformed packet. The issue exists in several authentication protocols.
Connectivity problem for 10 Gigabit fiber network interfaces (be2net driver) after upgrade from R77.30.
PMTR-13024, PMTR-9624, GAIA-3597
In some scenarios, BIOS sensor randomly goes into "unknown" state. Refer to sk138332.
In some scenarios, vpnd process stops working and there is no decrypt log.
There is no failover after disabling a monitored VLAN after upgrade to R80.10. Refer to sk128692.
Traffic from a Virtual System in VSX Cluster to Security Management Server is dropped with "Local interface address spoofing" log. Refer to sk110473.
R80.10 Jumbo HotFix - Ongoing Take 177 (26 December 2018)
When creating a Security Gateway object and clicking OK, SmartConsole terminates with "The connection with the server was lost...." error.
Cannot create a new object from SmartConsole after upgrading the Security Management server to R80.10. Refer to sk139812.
When the database contains more than 100 objects and the user searches for objects in the Objects Explorer and scrolls down, the list of items disappears and the results in the bottom-left show "No items found". Refer to sk139793.
PMTR-23377, PMTR-25006, PRHF-1385
In some scenarios, purge operation fails with "Task was interrupted because of server restart" message and the CPM process stops working, producing core dump file.
PMTR-22755, PMTR-21811, PMTR-21868
When using Global Dynamic Network objects, creating a new policy package in a local Domain fails with 'Internal error' if it is assigned to the Global Domain.
Access role changes of public sessions are missing audit logs and causing synchronization error.
Cannot export logs to Excel from SmartView connected to Multi-Domain Log Server. Refer to sk140433.
PMTR-26180, PMTR-21125, PMTR-26133
In large-scale environments, log_indexer process may unexpectedly stop working producing 3.5GB core file.
Upon resuming purge operation that was not completed in a single-domain server, the "purge is already in progress" message is displayed repeatedly, although there is no purge operation in progress.
PMTR-23295, PMTR-23080, PMTR-26750, PMTR-23297
HTTPS Inspection rule with mixed Access Role and network object cannot be enforced.
"SessionInWorkLoginException" error when using the API "discard" to discard a connected session other than the current session. Refer to sk142534.
UDP server to client connections are not getting rematched. Refer to sk121933.
Memory leak in FWD process.
PMTR-12764, PRHF-173, UP-216
Many "fw_up_get_application_opaque: Failed to retrieve conn_opaq" messages in the /var/log/messages file.
In some scenarios, when configuring a rule with a CIFS resource, policy enforcement does not work as expected and access to all permitted CIFS shares is denied. As a result, all CIFS traffic is dropped.
In some scenarios, the /var/log/messages file is full of "Error:up_classifier_notify_clob_from_cmi: _up_handle structure is corrupt 0000000000000000" messages.
Potential Security gateway crash after running "cpstop" when using IP pool NAT.
DNS NAT does not work when the DNS parser encounters an IPv6 record in DNS servers answer. Refer to sk121346.
In rare scenarios, Security gateway crashes due to certain flow in NAT dynamic port allocation.
Security gateway does not load policy after reboot when number of SAM rules reaches its limit of 25000. Refer to sk110560.
A Domain administrator connected to a specific Domain in Multi-Domain Server environment cannot see suggestions when typing in logs search box.
PMTR-22564, SL-1594, PMTR-22562
In rare scenarios, monitoring information (such as licensing information, CPU usage, etc.) displayed in SmartConsole and SmartView Monitor is not updated. Refer to sk137092.
PMTR-17242, PMTR-17241, SL-1536
Reports with enabled "Add summary row" feature fail to be processed.
Unable to export a 3 month report to PDF for any period other than up to current date. Refer to sk135452.
PMTR-26423, AVIR-125, PMTR-21436, PMTR-11534
Anti-Spam bypass shows "Temporary Scan failure" message on IP Reputation.
In some scenarios, Advanced Upgrade fails with different errors due to NULL pointer exception check.
In rare scenarios, Threat Emulation log card description "File is pending emulation" is incorrect.
While reporting miscategorized items by email through the UserCheck Portal, if the activity contains the & character, the rest of the email message is truncated. Refer to sk124073.
In some scenarios, a MUH session Access Role is missing on the PDP but exists on the PEP, causing it to be removed from the PEP on the next PEP-to-PDP sync, and thus loss of access.
Added support for SecureXL Fast Accelerator (sim fastaccel). For more information, refer to sk139772. Note: This functionality is supported only for R80.10 with Jumbo HFA Take 177 and above. Customers who upgrade to releases other than R80.10 will lose this functionality.
In rare scenarios, traffic is accepted or dropped although it is not in the time frame defined by the Time object.
In rare scenarios, Security gateway crashes when offloading multicast nexthops to SAM when configuring PIM in Sparse mode on the interfaces.
In rare scenarios, Security gateway crashes when running multicast jumbo traffic packets while the SAM Acceleration card is enabled.
If SecureXL is enabled, output of "fwaccel stat" command shows "Accelerator Status : off by Firewall (failed to update link selection due to error 3)" after a policy installation. Refer to sk119833.
SNMP data and CPView count statistics for outgoing interfaces differ after upgrade.
When working in Load Sharing mode, the value of the "Not held due to no members" counter in the output of the "cphaprob syncstat" command is displayed incorrectly.
Unable to connect with SHA-512 user certificate on Windows Capsule. Refer to sk121418.
Attempt to install central license on CloudGuard gateway fails with "not vSec product" error.
After adding the RBA roles Gaia commands (add rba role TACP-0 virtual-system-access all), the lines are missing from the "show configuration" command output, but the values can be seen in Expert mode (/config/active). Refer to sk119394.
PMTR-20499, PRHF-1259, PRHF-1882, PRHF-1571
Added SHA2 encryption for Gaia user passwords for Smart-1 525, 5050 and 5150.
PMTR-11335, PMTR-25658, 01579916
Added the host name column to the Syslog messages. Refer to sk100727.
Security Management / Multi-Domain Management server OS backup fails due to package compression errors. Refer to sk121212.
R80.10 Jumbo HotFix - General Availability Take 169 (27 November 2018, GA from 26 December 2018)
Policy installation fails with "Policy installation had failed due to an internal error" message when the Security gateway has more than a hundred interfaces. Refer to sk138592.
Remote Access users configured with Pre-Shared Secret Key (PSK) cannot connect after upgrade from R77.x.
PMTR-22277, PMTR-23219, PMTR-23217
Log in to the primary Multi-Domain Server GUI fails due to HA and logging objects synchronization generating high load.
PMTR-22725, PMTR-22508, PMTR-23500
Upgrade from R77.30 fails with "Object SyncUsrCntr could not be deleted because it is referenced by other objects" exception.
The /var/log partition fills up with the core dump files when Management server is overloaded.
The following errors may be displayed while uploading archive with several data types:
"Application Control - HTTP parsing error occurred"
"Content Awareness - Error: Invalid state in protocol (11)"
"HTTP parsing error occurred, bypass request"
DCOM traffic (part of DCERPC services) is dropped by Security gateway when allowing specific DCOM services.
PMTR-25227, PMTR-25078, PMTR-25181, IDA-1226
Improved error handling when Identity Sharing is used and the remote PDP server does not respond due to a prolonged outage. Refer to sk141152.
Improved error handling when Identity Sharing is used and XFF is enabled but parsing the XFF headers is not required.
PMTR-25286, PMTR-25287, PMTR-25106
User's access to a network resource may fail in the following scenario:
Access to a network resource is through an Identity Awareness Gateway (configured as PEP)
In SmartConsole, the Identity Awareness Gateway object is configured with "Identity Awareness -> Identity Sharing -> Get identities from other gateways -> All sharing gateways"
The sharing Identity Awareness Gateway (configured as PDP) that shares identities with the affected Identity Awareness Gateway (configured as PEP) opens an identity sharing connection not from its main IP address.
Identity sharing fails when XFF is enabled and remote PDP does not respond.
Added new "GDPR security report" report.
The "Security Checkup report" was updated with the new content.
VPN Tunnel instability problem when working with Cisco Gateway using IKEv2. Refer to sk116776.
CloudGuard Controller Data Center objects are not enforced on Multi-Domain Server. Refer to sk139372.
R80.10 Jumbo HotFix - Ongoing Take 167 (12 November 2018)
Added ability for R80.10 Security Management or Multi-Domain Server to manage R80.20 Security gateway. To enable this:
Install R80.10 Jumbo Hotfix Accumulator Take 167 or higher
Install R80.10 SmartConsole Build 89 or higher (refer to sk119612)
Note that if you choose to not upgrade to R80.20 Security Management server or Multi-Domain Server, the new features will not be supported.
Added SHA2 encryption for Gaia user passwords (excluding Smart-1 525, 5050 and 5150).
PMTR-16440, PRHF-530, 01743689
Sensors display order is incorrect in the output of "cpstat os -f sensors" command. Refer to sk107672.
"/opt/CPInstLog/uninstall_SecurePlatform_R80_10_JHF_PLATO:Uninstallation failed!" error during uninstallation of a Jumbo Hotfix Take on a Smart-1 device. Newer versions of RPMs remain installed after the uninstall.
PMTR-11977, PMTR-20018, 02567615
An event logged in /var/log/messages is generated multiple times in consecutive order, and the syslog daemon compresses all repeated attempts with entry "last message repeated X times" in /var/log/messages file. Refer to sk119913.
PMTR-20425, PMTR-14191, PMTR-20370
In some scenarios, machines with the igb driver (on-board Mgmt/Sync and 1G expansion cards) receive the "Detected Tx Unit Hang" messages in /var/log/messages file.
In rare scenarios, the CPM service does not start on machine startup.
The license status for the MDS shows as "N/A" in SmartConsole's License Report. Refer to sk132575.
After cloning a policy package that has an assigned Global Policy package, the Domain layers in the placeholder of some of the assigned global layers are not cloned and remain empty. Refer to sk134012.
Cannot synchronize secondary Domain Server after migrating new Domain with cma_migrate. Refer to sk127954.
When specifying from-date in the "show-changes" Management API command, changes of the first session in range are not displayed.
SmartUpdate hangs on launch due to over 4000 unattached licenses. Refer to sk136512.
In some scenarios, SmartView Monitor shows more throughput than what actually goes through the Security gateway.
Content Awareness supports HTML forms using URL encoding (also known as Percent-encoding). HTML traffic, encoded (binary to text encoding) as Base64 and NCR, is not properly inspected for content.
TIFF images replacement on PDF files sometimes fails and can corrupt the file.
In rare scenarios, a Security gateway crashes in mail_security code due to an out-of-bounds memory access.
Improved DLP file type detection when uploading files to Gmail.
High CPU usage after policy installation when PDPD is running. Refer to sk122352.
Enabling Packet Tagging and MUH traffic enforcement takes effect only after reboot.
Several applications are not matched correctly when Application Control and HTTPS Inspection are enabled.
HTTPS traffic is inspected when it is configured to be bypassed: when HTTPS Inspection is enabled and probe bypass is 0. Refer to sk132913.
PIM standby node crashes when adding multiple VPN tunnels with the same local endpoint as PIM interfaces.
"sume_from_fw_forward: dropping packet of for vsid=0 due to loop prevention" dmesg errors during policy installation failure.
PMTR-11941, PMTR-13827, 02482488
CoreXL FW instance offloads a partial/anticipated connection that already exists. Refer to Scenario 5 in sk100467.
When running the "fw ctl multik stop" command several times, only the target instance of the last command is stopped, while others start working again.
In some scenarios, Capsule Workspace Push notifications are not received. Refer to sk120334.
In rare scenarios, Security gateway randomly drops all SNX packets on a connection attempt.
When a second user behind the same router connects with an L2TP client, the first user that is already connected gets disconnected. Refer to sk119141.
PMTR-12787, IDA-982, PMTR-23382
User cannot connect to a VPN site that belongs to a group that has a special character in its name. Refer to sk124514.
MUH Agent sends unnecessary MUH updates causing high CPU on PEP, which leads to delays with getting identities and can cause connectivity issues.
PMTR-19154, IDA-1250, IDA-648
PDPD daemon stops working periodically when the configured Account Unit contains Domain Controllers that are all defined as "Ignored".
In rare scenarios, PDPD daemon stops working repeatedly during groups update process.
PMTR-20144, IDA-1176, PRHF-721
Update with "-" machine name from the Domain Controller causes the Identity Collector to create un-authenticated sessions on the PDP.
PMTR-16060, PMTR-10601, IDA-763
In some cases, users are not associated with all the LDAP groups to which they actually belong. Therefore, data from the LDAP server may be sent in a different order.
PMTR-8958, PMTR-21600, SL-690
"No matches found for your search" message in the browser when searching for a user's name when it starts with 0 and contains only numbers. Refer to sk122294.
When setting 'log_delete_below_metrics' to MBytes, 'log_delete_below_value' cannot be set to more than a quarter of the disk size. When setting 'log_delete_below_metrics' to percent, 'log_delete_below_value' is unlimited. Refer to sk133473.
SmartConsole exits at the "Initializing Services" stage of login.
PMTR-15841, PMTR-2085, PMTR-19958, PMTR-14469
Running "Get Interfaces without Topology" automatically enables Anti-Spoofing. Refer to sk136372.
PMTR-9858, GAIA-2202, 02526946
tcpdump exits with "Buffer overflow" messages when running "tcpdump -i any -eP" command.
PMTR-8477, PMTR-8479, PMTR-2295
New connections to the gateway are rejected due to too many "kernel: dst cache overflow" messages in /var/log/messages file.
Route based VPN stability was improved.
MSS clamping cooperation with SecureXL in certain scenarios was improved.
Improved IPsec renegotiation stability in Site-to-Site (S2S) VPN with 3rd party peers.
PMTR-15949, PMTR-15954, PMTR-15955, PMTR-16379
R80.10 Security Gateway sends some wrong SNMP VRRP OIDs. Refer to sk130412.
PMTR-5259, PMTR-18368, 02536701
Client packets remain un-NATed in the connection table if NAT fails.
Link collisions in Security Gateway due to race condition in cluster environment.
ClusterXL stability during policy installation was improved. Refer to sk133372.
When there is a large number of BGP peers and interfaces and a ClusterXL failover occurs, the resulting CPU utilization can be high for a few minutes on the old active member. During this time, routed does not respond to queries such as the "show route" command in clish.
With a large number of eBGP peers (>200), RouteD daemon repeatedly stops working.
R80.10 Jumbo HotFix - Ongoing Take 142 (21 August 2018)
Added new Threat Prevention capabilities. For more information, refer to sk122853. New feature in Mail Transfer Agent (MTA): MTA is now updatable (refer to sk123174). The first MTA engine update contains several enhancements and new features, including:
Setting a next-hop server by Domain name.
Removing/replacing malicious links & attachments from e-mails with a customizable text.
Adding a customized text to a malicious e-mail's body or subject.
Malicious e-mail tagging using an X-header.
Sending a copy of the malicious e-mail.
In-place upgrade from R77.30 to R80.10 fails with "Invalid white space character" message. Refer to sk122098.
Security Management migration to R80.10 fails due to NumberFormatException. Refer to sk125272.
Following an upgrade from R77 to R80.10, the 'Inspection Settings' view does not correctly reflect overridden actions. This does not affect the Security Gateway, which continues to receive the correct overridden actions.
Performance issues in the Management HA incremental HA synchronization mechanism of the Global Domain.
Performance optimization of Compliance Blade in large scale environment.
Added infrastructure support for AWS Transit VPC.
Security Management, Multi-Domain Management
Upgrade to R80.10 fails with "Maximum Number of Child Elements limit (50000) Exceeded" message. Refer to sk123857.
Global Domain Assignment fails with "Missing protection 'Protection_Name' in profile 'Default Inspection' in the global domain" message. Refer to sk130492.
When attempting to import Multi-Domain Server or Multi-Domain Log Server database onto R80.10 machine, the import script fails with "The IP address of the source and target Secondary Multi-Domain Servers/Multi-Domain Log Servers must be the same." error. Refer to sk129092.
DBsync stops working during a CMA import from R77.x.
After changing the name of a Multi-Domain Server, the previous name is still shown in the Domain editor.
"No MD role specified" error when migration/upgrade of a pre-R80 Multi-Domain Server to R80.10 fails. Refer to sk123862.
The mdsstat command was updated for Smart-1 525, 5050 and 5150 Appliances.
"dleserver.utils.UidManager" errors on cma_migrate failure on Multi-Domain Server upgraded from R80.
Upgrade from R77.X to R80.10 of Multi-Domain Server environments that use partial assignments and have more than 50 Domains and local policies (combined), has inconsistent assignment settings (loss of data).
Cannot log in to upgraded Multi-Domain Server due to IP duplication source database.
Check Point response to SegmentSmack (CVE-2018-5390) & FragmentSmack (CVE-2018-5391). Refer to sk134253.
After upgrade to R80.10, BGP peer is stuck in Active state. Refer to sk131592.
Dynamic ID does not correctly send a username using the $NAME tag.
Dynamic ID fails with "Dynamic ID authentication failed" error after upgrade to R80.10. Refer to sk124953.
PMTR-9982, PMTR-6005, IDA-775
Dynamic ID does not work with specific vendors that require user's phone number.
BGP communities are not correctly matched by routemaps, resulting in BGP routes not being populated and not advertised.
BGP connections from point-to-point clustered interfaces are rejected.
Security Gateway stops working in some scenarios when Mobile Access blade is enabled in Unified Policy mode and Security Zones are used in the security policy.
Traffic drops after adding rules with Domain objects and installing policy. Refer to sk133253.
Emails remain in the spool when SMTP Resource Rule is defined. Refer to sk122010.
"dynamic objects -c" command returns partial output when more than 20 Dynamic objects are defined on the Security Gateway.
Traffic to span port interfaces is dropped when Security Zones are used in Access policy.
Security Gateway, Security Management
The CPView Utility was improved:
Added new capability to collect and present I/O data.
Enabled CPView History collection on Management machines.
NetFlow IPv6 daemon cannot be started after upgrade from R77.30 due to missing bindings in configuration file.
PMTR-10917, 02426496, 02474798
RouteD daemon stops working or OSPF Adjacency is stuck in "Loading" state when receiving OSPF LSA of Type 10 and Type 11. Refer to sk115314.
VRRP member freezes when deleting a VLAN interface. Refer to sk106226.
Enabling ping option for static routes causes the routes to disappear on the standby member.
After upgrade to R80.10, validation incidents do not disappear although solving the error. Refer to sk123357.
"Policy installation had failed due to an internal error" message on policy installation failure when using Native Mobile Access application that uses '*Any' services (with no other existing Native Mobile Access applications that use other services in the system).
Cannot update the Security gateway object when using permission profile without write permissions for Threat Prevention policy.
API is missing targets information in reply of "install-policy" command when installing on more than 50 targets. The reply holds the first 50 targets only.
SmartEvent's Automatic Reaction emails are missing information in some fields. Refer to sk133032.
In 'LOGS & MONITOR' tab, HTTPS Inspection queries show no results. Refer to sk133392.
PMTR-7545, PMTR-7405, 02489539
When certain security rule definition includes the "Alert -> mail" log track option, email alerts have ".." at the end which means some fields were truncated. Refer to sk123240.
When running "SmartConsole -> Logs & Monitor -> Queries -> Threat Prevention -> IPS Blade -> Staging" query in non-index mode, the "There is a problem to read log file. Try again" error is displayed.
PMTR-10071, PMTR-3322, 02503468
When generating a view of any report, the "Problem has occurred during search" error pops up with details: "Query resolution failed. Logs might not display properly".
Multi-factor authentication with Dynamic ID using Email does not work when the email address ends with 't' or 'n'.
Identities are not synced to PEP if two PDPs report the same network. Refer to sk130373.
PMTR-6226, IDA-550, PMTR-8718
When using multiple PEP gateways with the same internal IP address, only one of the PEP gateways gets identities from PDP.
RADIUS accounting server does not understand accounting-response from Check Point gateway. Refer to sk130532.
"Group membership of the required account (user or machine) could not be retrieved from the AD. Make sure the account exists in the AD." log is received from Identity Awareness blade when format of RADIUS user is "user@domain". Refer to scenario 6 in sk106133.
AD users with special characters in their names cannot authenticate. Refer to sk131872.
The dlp_fingerprint and cp_file_convert processes consume CPU at high level although DLP blade is disabled. Refer to sk102213.
New logs of IPS update tool are created in $FWDIR/log directory on a daily basis. For more information refer to sk131652.
PMTR-7252, PMTR-17432, PMTR-3135
No packet capture is received with IPS protection log. Refer to sk121605.
Failures during batch update of IPS objects.
Snort protections are not fully enforced after upgrade from R77.x to R80.10. Refer to sk123575.
Threat Prevention policy installation fails with "malware_policy_get_ioc_override() failed" message when disabling the "Enable indicator scanning" option.
Some non-SSL applications are identified as 'Unknown Traffic' when Application Control, URL Filtering and 'Categorize HTTPS Sites' are enabled.
Non-SSL traffic is dropped with "appi_rad_uf_cmi_handler_server_response: no hello done, failed" error message in dmesg when "Categorize HTTPS sites" feature is enabled. Refer to sk64162.
PMTR-9355, PMTR-17726, 02694599
Output of "show message motd" clish command is corrupted if the "motd" message is too long. Refer to sk122199.
Pressing <TAB> (autocomplete mechanism) from the Expert mode of Smart-1 525, 5050 and 5150 does not convert paths stored in variables (like $FWDIR) to full paths.
Trusted Source feature does not work in VSX environment. Refer to sk122533.
Multiple RX drops during policy installation under high load traffic. Refer to sk123312.
Connectivity issue during policy installation when NAT templates are enabled between CPUs.
EIGRP traffic going through Security Gateway in bridge mode with SecureXL enabled, is randomly dropped. Refer to sk125632.
When the Dynamic Dispatcher is enabled together with SecureXL NAT templates, traffic on port 80 and 443 is dropped with "Instance mismatch (inbound)" messages. Refer to sk113398.
"You cannot receive an office Mode IP address because the security gateway does not have a license for Office mode" error on SSL Remote Access VPN client (SNX client / Capsule VPN client / Capsule Connect client / Endpoint Connect client) that tries to connect to a Cluster in High Availability mode. Refer to sk120652.
Improved forensics of host-side PCIe drivers during shutdown, when a Security gateway crash is triggered by a SAM-related problem.
After installing policy, when adding a new Data Center object and running "Menu" -> "Verify Access Control Policy", the verification might fail with the "Rule 1 Hides rule 2 for Services & Applications: Any" error message. Refer to sk123572.
R80.10 Jumbo HotFix - Ongoing Take 131 (19 July 2018)
Monitoring view does not show the ClusterXL status of VSX members.
PMTR-14149, PMTR-14416, PMTR-16997
In some scenarios, API login requests fail with "errorCode [CP_ERR_COULD_NOT_CONNECT_FWM]" error in api.elg file.
When changing the administrator profile by API in Multi-Domain Server, the following scenarios may occur:
Modifying administrator's profile may not take effect, previous permissions are still configured and might be enforced.
User can configure "Permission profile per domain" in addition to "Multi-Domain Super User" or "Domain Super User" not knowing it may not take effect.
In some scenarios, the "show package" API command fails due to timeout.
On environments with many revisions, "show-changes" API calls take a long time to finish and can cause the API server to terminate unexpectedly.
Using two Domain objects for the same domain name, one with "www." prefix and the other without, in different rules in the rulebase might cause those rules not to be enforced correctly.
Domain objects of domain names that are defined in local hosts file are not enforced.
A rule with Security Zone object may not be correctly matched for broadcast traffic.
Performance optimization of services and applications matching process. Refer to sk128452.
PMTR-9133, PMTR-12783, SL-982
After upgrade of a dedicated SmartEvent server, Object synchronization status appears as "Failed" in the status window of SmartEvent GUI.
When setting up a clear connection between the Security Management server and the R80.10 SmartEvent server per sk101928, the Log Indexer clear connection cannot be established. Refer to sk123580.
Added ability to filter logs in queries and reports using the "Packets" field.
PMTR-10072, PMTR-3320, 02504996
Automatic reaction is not initiated when selecting the "Send automatic reactions but do not generate an event" option in SmartEvent policy.
In some scenarios, the "Logs & Monitor" view is stuck on searching and does not respond to any query.
The system cannot emulate files due to lack of disk space. Refer to sk124712.
In CloudGuard Azure clusters environments, some packets are incorrectly identified as Cluster Control Protocol packets, potentially causing error logs related to cluster state. In some cases, this can lead to a cluster failover.
In some scenarios, when SecureXL is enabled, Security gateway crashes under heavy load while opening a new connection from template mask.
R80.10 Jumbo HotFix General Availability Take 121 (24 June 2018, GA from 19 June 2018)
Data Center Security Appliances
Added support for 23900 appliances. Refer to sk107516.
When configuring Legacy User Authentication rules, it is not possible to choose 'Group-With-Exclusion' in the option. Refer to sk122100.
FWM process stops working during initialization when there are many VSs in database.
PMTR-9350, CPM-1454, PMTR-12823
Domain migration from R77.30 to R80.10 fails when the exported Domain is of a standalone machine.
PMTR-10811, PMTR-10803, CPM-1525
It is impossible to install policy from Domain Server after failing attempt to install policy from Multi-Domain Server.
Import of R77.30 Security Management to R80.10 Multi-Domain Server using cma_migrate fails with "error 0x80004005 (Unspecified error)" in upgrade log. Refer to sk120497.
In some cases, SmartConsole exits when changing a name entry in the user field. Refer to sk122917.
When creating new 1400 SMB appliance in SmartConsole, the Platform Type menu is empty. Refer to sk111292.
The "api status" command was enhanced to include Apache status and to collect additional log files.
When reinstalling policy on two cluster members, the override policy dialog does not display all cluster members in the list.
"Update operation failed" error when editing a group of Applications/Sites which are used in a Threat Prevention Exception rule. Refer to sk124932.
In some scenarios, when trying to remove gateways from VPN community or edit a VPN community object, the operation fails with "Update operation failed" error.
VSECC-551, PMTR-10257, PMTR-10344
OpenStack v3 is now supported on Keystone server v3.
DynamicID authentication randomly stops working after policy installation. Refer to sk121213.
No "query resolution failed" logs on natted Management after following solution for Scenario 1 from sk100583.
The 'Access Rule Name' field is blank/missing in "Logs & Monitor" view when using filter blade: "URL Filtering" or blade:"Application Control". Refer to sk123974.
When searching for logs in "Logs & Monitor" view with specific time filter from the past, the response may contain logs generated after that time range.
PMTR-12009, PMTR-12000, PMTR-3665
In SmartView Monitor, changes to the Threshold settings of a Gateway are not properly saved or shown.
Various traffic issues on cluster due to FWD daemon taking all slots on cluster subscriber list. Refer to sk109596.
PMTR-11902, PMTR-13723, PMTR-13723, UP-11, UP-211
Firewall session logs without application or protocol are generated. Refer to sk123715.
R80.10 Jumbo HotFix - General Availability Take 112 (23 May 2018, GA from 19 June 2018)
PMTR-2477, PMTR-10469, PMTR-2468
Gaia Portal shows blank page after log in with Firefox 5x or Chrome 66. Refer to sk121373.
Security Management, Multi-Domain Management
Creating a Domain (Log) Server using an IP address that is already in use, fails with an uninformative error message "Update Domain 'name' failed:Create Domain: 'name' - Create Domain server 'name'.Cannot create domain 'name'".
FWM process stops working when there is a soft link to $FWDIR/tmp/fwmtrace.log file that reaches 2GB due to enabling debug for a long period of time.
fw_loader process stops working due to invalid VPN community configuration.
"An internal error has occurred" message when trying to discard the disconnected session. Refer to sk123741.
PMTR-6048, PMTR-7403, 02512737
In some scenarios, Compliance blade Best practices show incorrect N/A status. Refer to sk117292.
In some scenarios, CPM and Solr may consume high CPU, causing SmartConsole to disconnect.
When connecting to an earlier revision version, some objects may not be visible if you:
ran Purge Revisions and rebooted your machine.
performed HA full sync from a Security Management server that ran Purge Revisions.
"You have reached the maximum number of active sessions" error on login failure when expired Web API sessions appear as disconnected in SmartConsole Sessions view and cannot be discarded.
Performance and stability improvements in Security Management Server when using CloudGuard IaaS.
In some scenarios, policy installation does not progress when installing policy from several Domains simultaneously.
Global Domain Assignment may fail with "Global Domain Assignment Failed: Failed to connect to FWM" message when FWM is busy or not responsive.
PMTR-10840, PMTR-8562, 02686845, 02686649
Some Security gateway objects are missing from the Gateways view in R80.10 Multi-Domain Server after migration. Refer to sk121890.
When editing a Security Management or Gateway object, the "The referred entity does not exist in the Certificate Authority" or "Failed to save object. Server error is: An internal error has occurred." error pops up. Refer to sk118938.
When running multiple scripts at short time intervals from the Management API, the progress of some of the scripts stops at 10-20%.
In Multi-Domain Server, reassign or removal of a Global Domain assignment fails if you clone an assigned Threat Prevention profile in the Local Domain.
In Multi-Domain Server, when the user overrides global values in the UI or the API and then performs 'show service', the global values are displayed instead of the changes made by user. When the user tries to override the global values twice, the second try fails with "Validation error" message. Refer to sk123334.
The web_api_show_package.sh script fails if TLSv1.0 is disabled on Apache server, displaying errors:
ERROR: failed connecting to the server: 127.0.0.1 Script stopped running due to severe error!
Cluster object still appears in the MDS level after it was deleted from a Domain. Refer to sk123343.
Cannot open WebUI to cluster member if the SecurePlatform Main URL of the cluster has been changed. Refer to sk123195.
"Validation error - Invalid Domain name at .<Domain name>" message after successful upgrade to R80.10 or when creating a Domain object with an invalid name.
Using Management API to get Access rule hit count values without specifying start date returns 0 hits for all rules. Refer to sk123736.
When clicking "Generate CPInfo" in SmartUpdate, the progress bar indicates that action is successful but CPInfo file is not created.
Data Center objects can be deleted for a short period of time due to disconnections of a Data Center.
Improved connectivity when using Domain objects and/or when gateway is configured as HTTP/HTTPs proxy.
In rare scenarios, CPD process stops working when running for a long time period.
Traffic is dropped with "Rulebase - ERROR" error in kernel debug. Refer to sk133176.
In some scenarios, routed process stops working when OSPF is configured.
Gaia OS hardening fix.
In some scenarios, routed process stops working when unnumbered interfaces are configured.
PMTR-7741, 02553209, 02669458
When receiving logs with ELA protocol, FWD process core file may be generated. Refer to sk121594.
When sending multicast packets to multiple receivers behind several interfaces with SecureXL enabled, either only the hosts behind the VLAN outgoing interfaces receive the multicast packets or none of them receive them. Refer to sk122481.
PEP opens an unnecessary connection to PDP while there is no sharing configured between the PDP and PEP. Refer to sk129392.
PMTR-10466, 02758290, 02722485
Improved handling of Trusted CAs certificates when HTTPS Inspection is enabled. Refer to sk122973.
SNX traffic is dropped by Security Gateway with "Rulebase - ERROR" message in "fw ctl zdebug drop" debug. Refer to sk123336.
CPM Server fails to start due to postgres idle open connections.
R80.10 Jumbo HotFix - General Availability Take 103 (12 Apr 2018, GA from 03 May 2018)
Management HA fails to synchronize with "The Security Management Servers contain different Hotfixes" error even though the same packages are installed on servers. Refer to sk123048.
Upgrade might get stuck if there is not enough memory allocated to the upgrade process. Refer to sk123136.
Externally managed gateways are displayed in SmartView Monitor although they should not be.
For each externally managed gateway that was already defined in the database, after Take installation, open this gateway object in SmartConsole, close the window and publish the session. After this, they are no longer shown in SmartView Monitor.
If one administrator creates a rule, deletes it, and publishes the changed policy (meaning that the rule's creation and deletion were published together), other administrators connected via SmartConsole will see an "any any drop" rule in the policy where the original rule was meant to be created.
Management HA performance improvements. Refer to sk123313.
Security fix for Client Authentication rule matching.
SecureXL forwards non-accelerated packets to the gateway, causing it to crash if the packet contains corrupted data.
"Could not delete object. An internal error has occurred" error when removing old Security gateway object. Refer to sk121593.
After IPS update, protections with release date older than one year are removed from staging if they were changed during the update.
Performance improvement in basic Access policy functionalities (like add/remove rules and layer scroll).
PMTR-7565, CPM-1375, CPM-1277
Delete operation of a service, source or destination in a single Publish operation does not appear in audit log, although it does exists in the Security Management server database. Refer to sk123324.
"An error occurred while receiving the HTTP response to..." error when trying to log in to the R80.10 SmartConsole. Refer to sk122073.
When publishing operation via API fails, the failure reason is not displayed. Refer to sk121414.
Policy installation via API ends with unclear status: within the response, the "statusCode" field value is "in progress" and the "statusDescription" field value is "Performing Legacy data dump". Refer to sk121217.
In rare scenarios where R80.10 SmartEvent is managed by an R77.x Security Management server and there are many Domains which are updated/deleted/added, the dbsync process may stop working.
Added ability to filter the "File operation" field in SmartLog.
In environments with large amount of gateways managed by a single Security Management server or Domain, FWM process stops working printing the "T_get_event: cannot register socket x (1024 sockets already registered for exp)" error to the fwm.elg file.
On Multi-Domain Server, log storage maintenance does not work with SmartEvent, thus not freeing up the disk space.
In environments with many log activities, report generation may fail, causing the progress bar to get stuck.
Deleting last backup IP address from VRRP Interface triggers a transition from master state to backup.
When a user invokes tcpdump on a 40GbE/100GbE interface, using mlx5_core driver 3.2-188.8.131.52, a small packet in a narrow size range causes a driver to crash.
Multi-Queue (MQ) cores performance optimization.
After installing R80.10 Jumbo Hotfix Take_70, data and rules are not restored correctly with backup/restore via Gaia Portal -> Maintenance -> System Backup or CLISH backup/restore commands. Refer to sk123352.
In ClusterXL, when using VMAC, Gratuitous ARP Request (GARP) packets are generated with both VMAC address and physical MAC address.
Enhancement: adding a grace period before failover when detecting 'Interface Active Check' state to prevent unneeded failovers.
Files are not deleted from the $FWDIR/tmp/dlpu directory causing the Security gateway's hard drive to fill up.
In rare scenarios, when Terminal Server Identity Agent is used and SecureXL is enabled, connections from the Terminal Server can be matched on the wrong user.
PMTR-6581, 02398542, 02500815
In some scenarios, Kerberos based authentication fails when Kerberos ticket is encrypted using AES-128. Refer to sk111945.
MAGB-254, MAGB-268, PMTR-5386
"Mobile Access - Reject. Reason: Error in disconnecting user. Access Denied." message in SmartLog when user tries to use the SNX Network Mode. Refer to sk123037.
When a browser sends a cookie that it got from another page on a different port, the Mobile Access gateway does not recognize the cookie.
In a certain Remote Access flow, Security gateway crashes when kernel cannot allocate memory.
First Scan must be performed after R80.10 Jumbo Hotfix installation to update the Best Practice IPS114. Initial First Scan in Compliance blade:
From the CLI, enter Expert mode, run dbedit and press Enter for Server name.
In dbedit, type: grc_test_elements grc_interpreter first_scan true. Then type: update_all. You should get the message "grc_test_elements::grc_interpreter Updated Successfully".
Verify that the value of first_scan is true by typing: print grc_test_elements grc_interpreter
Perform Full Scan in Compliance blade via the SmartConsole or type interpreter full_scan.
On Smart-1 525 appliance, Raid diagnostics from Clish and WebUI display status "Degraded" instead of "Optimized" when two disks are 100% synced. Refer to sk123847.
After updating Virtual System object and pushing configuration to VSX object, most of the routes are removed.
R80.10 Jumbo HotFix - General Availability Take 91 (6 Mar 2018, GA from 01 Apr 2018)
PMTR-5419, PMTR-2799, PMTR-5418
Cannot delete OPSEC application with AMON entity. Refer to sk121377.
FWM process stops working in case a malformed license file is reported from the Security gateway.
When installing policy following Global Domain Assignment, a false "policy installation is currently in progress" message appears, while there isn't any. Refer to sk122253.
"Get License" operation in SmartUpdate of Multi-Domain Server hangs on "Operation started" stage.
PMTR-6825, PMTR-7453, CPM-456
Cannot change the IP address of Domain Server when using R80.10 GA Take 462 or Takes 70, 79 and 85 of the R80.10 Jumbo Hotfix Accumulator.
Synchronization failure after purge operation in MDS level.
Only a single report is generated in SmartView MDS level when selecting multiple Domain Management Servers.
"SmartView server certificate is invalid" error when connecting to Domain (via SmartConsole) from MDS level and navigating to 'Logs and Monitor' tab. Refer to sk121443.
When installing policy on gateways with different profiles (where netquota or malicious IPs protection is enabled on one of the profiles), traffic is dropped with "dropped by fw_runfilter_ex Reason: function does not exist" error. Refer to sk123040.
In rare scenarios, enabling log forwarding may trigger a memory leak.
Random routes are sometimes missing after rebooting the system.
routed process gets stuck in slave/slave state in ClusterXL setup.
routed process restarts infrequently when Bootp/DHCP Relay is enabled.
routed process repeatedly exits on standby cluster member when VPN is configured on a cluster.
Security hardening for Gaia Clish.
Security gateway may crash during unmount operation on a remote network filesystem (samba).
Active member in ClusterXL HA sends an ARP request for cluster VIP causing a temporary outage. This can happen in a rare scenario as described in sk121846.
DLP Exchange Server Agent load, when the Security gateway is configured as an MTA, was optimized to improve the stability of MTA functionality.
Threat Prevention blade failure can occur in the following scenarios:
No Threat Prevention blade is active on VS0 and a Threat Prevention blade is active on a different VS
That VS has no connectivity to the Internet
VS0 has connectivity to the Internet but through a proxy
BGP traffic initiated by the gateway is not matched by the VPN directional rule.
IPsec renegotiation fails with peer DAIP gateways.
R80.10 Jumbo HotFix - General Availability Take 85 (15 Feb 2018) Note: includes support for Smart-1 525/5050/5150 appliances
Added support for Smart-1 525 / 5050 / 5150 appliances. Refer to sk120453.
R80.10 Jumbo HotFix - Ongoing Take 79 (05 Feb 2018)
Some API commands fail with "Internal error" message when called with "details-level" flag set to "full". Refer to sk121475.
The "show gateways-and-servers" API command fails with the "Runtime error: An internal error has occurred." error.
After global policy assignment, when running the "show access-rulebase" API command with a filter, no results are shown.
When executing an API request via CLI, cannot set the custom timeout using the "-conn-timeout" flag. The default timeout of 3 minutes is always used.
Stabilization improvement of fwm, fw_loader and dbedit Security Management processes.
Enhancement: Improved policy installation performance when installing policy on multiple targets.
Deletion of a Domain Management Server might fail on timeout when a few dozen administrators with customized permission profiles are assigned to the Domain Management Server.
When Full Identity Agent is used with packet tagging feature, Anti-Spoofing may not be enforced for some of the connection packets.
Many "ida_classifier_send_log_cb: dst clob is active but there is no identity sharing!" errors in /var/log/messages file after upgrade to R80.10.
Logs are shown with a delay after policy installation if there are more than ten thousand Binary Large Objects (BLOBs) on the Log Server.
When more than 50 Log Servers are created in SmartEvent, sometimes the Log Server the administrator is searching for is not included in the query and is not available for service.
R80.10 Jumbo HotFix - General Availability Take 70 (15 Jan 2018)
Global policy assignment fails after removing staging overrides in the Global Domain.
Attaching a central license from Multi-Domain Server to a Domain/CMA creates duplicate license objects in SmartUpdate, which cannot be deleted. Refer to sk120833.
Enhancement: New flags to control the API commands output in full details level. Refer to sk121292.
The "show-access-rulebase" API command fails if the rulebase contains rules with "Encrypt" or "Client Encrypt" action.
There is no status in the SmartView Monitor for Mobile Access blade.
querydb_util generates a core file when it cannot connect to the Security Management Server.
fwm process is down during gateway creation after configuring shared secret for VPN community.
After reboot or HA Full sync, some objects are not visible in a specific private session.
CPD process exits with core dump generated while stopping CPD / rebooting the system / restarting watchdog.
In some scenarios, the Security gateway crashes when installing Access Control Policy and Threat Prevention Policy in parallel. Refer to sk140172.
Connections configured with a Drop action and a Block message are actually dropped, but the log appears as an Accept log.
Upon packet loss, the clients' retransmit "strategy" triggers an issue of reassembling the TCP stream incorrectly. The SSL stream cannot be decrypted like this, so the SSL session is closed. Refer to sk121738.
When DHCP is configured to work with VPN, DHCP Relay traffic is dropped.
Enhancement: Allow viewing HTTPS related fields according to permission profile in LEA. When configuring a permission profile that allows HTTPS, you will be able to see the related fields when receiving them with LEA OPSEC client, instead of obfuscating them.
Gaia backup files are not created on Multi-Domain Server. Refer to sk119401.
Configuring more than 200 logical interfaces can cause routed to crash upon the next change in configuration.
SmartConsole search does not work for strings that include non-English characters. For example, Cyrillic characters and characters with accent marks. Refer to sk120293.
After performing a Gradual Upgrade of the Domain Management Server, no logs are displayed in the relevant domain until running the mdsstop;mdsstart commands on MLM.
Security enhancements for Data Loss Prevention and Threat Extraction blades.
Links inside email with domain suffix (e.g. www.example.com) are emulated as .com files.
Connection to internal sites or Capsule Docs server via Mobile Access Blade's Reverse Proxy feature fails due to an incorrectly forwarded 'Host' header.
An incorrect policy installation warning "R80.10 gateways cannot be included in the Mobile Access Legacy Policy when Mobile Access Unified Policy is the selected policy source" is shown when installing the Access Control policy on a Mobile Access gateway and the legacy Mobile Access policy is empty.
Enhancements in categorization in cases where only URL Filtering is enabled.
HTTPS-based traffic is bypassed when using a category-based HTTPS Inspection rulebase on an SMB gateway without the URL Filtering blade enabled.
R80.10 Jumbo HotFix - General Availability Take 56 (23 Nov 2017)
Users that are not configured with Multi-Domain super user permissions experience slowness in running queries.
FWM process restarts when trying to read the $FWDIR/tmp/fwmtrace.log file from an incorrect directory where this file does not exist.
R80.10 Jumbo HotFix - Ongoing Take 53 (25 Oct 2017)
Policy installation fails when Access Role is configured in the Access Control policy on a gateway with no Identity Awareness enabled.
When policy installation fails with "Operation incomplete due to timeout" error, timeout can be increased via GuiDBedit Tool. Refer to sk112353.
FWM process crash in Management HA environment when $FWDIR/tmp/fwmtrace.log file reaches 2GB.
Cluster member IP addresses are not added correctly during policy generation.
Outputs of "top" and "ps -aux" commands show lspci as zombie process. Refer to sk121891.
Enhancement: Maximum allowed SMTP headers length can be configured. Refer to sk119293.
Enhancement: Improved DLP stability.
Enhancement: IPv6 support for 700 / 1200R / 1400 SMB Appliances. Refer to sk118816.
R80.10 Jumbo HotFix - General Availability Take 42 (17 Sept 2017) Note: This Take replaces Take 40 released on 12 Sept 2017. It is recommended to install Take 42.
SIC status is "Not Communicating" and CPD process restarts after installing R80.10 Jumbo HotFix Take 40. Refer to sk120494.
Websites with short Host headers (like ab.com) cannot be loaded.
Security gateway hangs when enabling Threat Extraction Web API.
The API command "show threat-profile" wrongly reports the configuration of internal settings, which causes failures in certain scenarios.
Crash in Anti-Virus & Anti-Bot blades.
Policy installation fails on DAIP gateways after changing Domain Server from Standby to Active.
After upgrade to R80.x, Administrator's "email" field does not show in SmartConsole.
Rulebase initialization fails after CMA migration from R77.30 to R80.10 via cma_migrate.
After a period of time in which multiple IPS updates have been performed, the database size can become very large because of unused data.
Enhancement: new procedure to clean old / unused IPS versions from the database.
Geo Policy allows configuring several rules for the same country, causing incorrect policy enforcement.
In SmartEvent policy, when selecting two 'Event Fields' with the same 'Log Field' in 'Event Format' tab, the Event fails to generate.
When an automatic reaction mail is sent, the resolved names of the source and destination are missing and only the source and destination IP addresses are shown.
When an automatic reaction email is sent, a wrong "Start time" is displayed.
R80.10 Jumbo HotFix - Take 37 (04 Sept 2017)
export_p12 feature is missing in VPN utilities.
Security Gateway / Active cluster member freezes / locks up randomly. Refer to sk114977.
Login to SmartConsole fails with "The server did not provide a meaningful reply; This might be caused by a contract mismatch, a Premature session shutdown or an internal server error" error.
FWM process consumes high CPU when unreachable DAIP objects exist in the system.
Enhancement: Performance of Global Domain Assignment for Open Servers with 9-24 GB memory is improved.
Enhancement: Improved Security Gateway stability when it is configured as proxy.
Some objects are missing when querying for unused objects.
In an environment with more than 50 Log Servers, log queries return results from only 50 Log Servers.
Enhancement: Improved clish stability.
Log Server status in Monitoring view is not presented for cluster members of Full HA environment.
Global policy assignment fails after section manipulation in the Global Domain's rulebase.
Policy installation from the Multi-Domain Server fails following a Threat Prevention policy uninstall.
Security Management API server fails under heavy load. Refer to sk119553.
The "show-packages" API command (with "details-level" set to "full") fails when the revision of one of the package's installation targets has been purged from the database.
If an object is used inside a disabled rule, the "where-used" Security Management API command shows that the rule is enabled.
Reply to Security Management API "show-gateways-and-servers" misspells the name of the "identity-awareness" blade as "identical-awareness".
Under certain conditions, after restarting the Security Management Server, the API server, although configured to accept requests from GUI clients, no longer does so and reverts to the default behavior of accepting calls only from the local host.
R80.10 Jumbo HotFix - General Availability Take 35 (22 Aug 2017)
Improved stability of Mobile Access WebMail application.
Security hardening for Client Authentication portal.
migrate_global_policies and cma_migrate commands can run when processes are down.
Policy installation takes a long time when there is a large number of NAT rules.
Check Point Appliances
"Can't validate base version is a GA take of R80.10" error message when installing Jumbo Hotfix Accumulator Take 24 on 405 / 410 appliances.
R80.10 Jumbo HotFix - General Availability Take 24 (01 Aug 2017)
Support for user-defined application with encoded escaped characters within the URL.
BGP does not work for VTIs and Point-to-Point interfaces with mask length of 32 with Virtual IPs.
DLP, Threat Extraction
Security enhancements for Data Loss Prevention and Threat Extraction blades.
On Open Servers with 24 GB - 35 GB of RAM running R80.10 Jumbo Hotfix (Take 10 / 15 / 18), logs are not indexed and SmartLog queries fail.
R80.10 Jumbo HotFix - General Availability Take 18 (24 July 2017)
Improved Policy Verification for Pre-R80.10 Security Gateways that support only services of type "TCP" or "UDP" in the Application Control layer.
Improved Access Role identification for different login/logout scenarios.
Automatic NAT rule is not removed after the corresponding network object is removed.
Policy installation fails in some cases when installing policy on all managed Security Gateways at once, if Security Management manages both standard Security Gateways and UTM-1 Edge devices.
R80.10 Jumbo HotFix - General Availability Take 15 (11 July 2017)
Improved URL recognition mechanism for Anti-Virus, Anti-Bot, and URL Filtering blades.
vSEC objects are not enforced on some of the gateways. This problem is relevant only for large-scale environments with more than 50 gateway / cluster / VS / member objects.
In large-scale Azure environments, Data Center objects are partially imported.
Security hardening of SmartView.
Security Management access hardening.
R80.10 Jumbo HotFix - General Availability Take 10 (28 June 2017)
Added support for Smart-1 405 / 410 appliances. Refer to sk117578.
Wrong license status for 'Virtual Systems' blade for VSX objects in R80 SmartConsole.
R80.10 Jumbo HotFix - Take 7 (22 June 2017)
02528737, 02529416, 02533097, CPM-535
Several cpsm-domains-X licenses are counted only once. Refer to sk118316.
Upgrade failure of secondary Multi-Domain Log Server when using NGX license.
mds_import fails with "CPM server failed to start, see server logs" message when trying to import a database exported from R80.10 Multi-Domain Server.
When a user name is updated, the logged-in user name in the logs is wrongly reported as the old user name.
Management High Availability synchronization fails between a primary server upgraded from R80 Jumbo Hotfix to R80.10 and a new R80.10 secondary server.
Security Management, Security Gateway
Security rules that should be installed on a specific Security Gateway can wrongly be installed on another R80.10 Security Gateway. Refer to sk118153.
Improved non-compliant HTTP protection to enforce more rare cases of non-compliant HTTP traffic.
The in.emaild.mta process may crash randomly (once every few days was observed) when the Security Gateway is configured as a Mail Transfer Agent (MTA). Mails under inspection may be delayed by up to a few minutes.
When an IPS protection is overridden, it is enforced correctly; however, it may cause a higher performance load.
Translated Source column with "Original" object wrongly has a Hide NAT option.
R80.10 Jumbo HotFix - General Availability Take 3 (06 June 2017)
Fixed Mail Transfer Agent (MTA) enforcement issue.
Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
Install the latest build of CPUSE Agent from sk92449.
Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
In the upper right corner, click on the Import Package button.
In the Import Package window, click on Browse... - select the CPUSE package (either offline TGZ file, or exported TAR file) - click on Import.
Above the list of all software packages, click on the Showing Recommended packages button - select All.
Select the imported package Check Point R80.10 Jumbo hotfix T<number> for sk116380 - click on the More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
Select this package and click on Install Update button on the toolbar.
Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
Install the latest build of CPUSE Agent from sk92449.
Connect to command line on target Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database: HostName:0> lock database override
Import the package from the hard disk: HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
Show the imported packages: HostName:0> show installer packages imported
Note: Refer to the top section "Hotfixes" - the package is listed as "Check Point R80.10 Jumbo hotfix T<number> for sk116380".
Verify that this R80.10 Jumbo Hotfix Accumulator package can be installed without conflicts: HostName:0> installer verify <Package_Number>
Install the imported package: HostName:0> installer install <Package_Number>
Important Note: This Jumbo Hotfix Accumulator removes all its packages during uninstall.
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
Connect to the Gaia Portal on your Gaia machine and navigate to the 'Upgrades (CPUSE)' section - click on 'Status and Actions'.
Above the list of all software packages, click on the 'Showing Recommended packages' button - select 'All'.
Right-click on the Jumbo Hotfix Accumulator package - click on 'Uninstall'.
A warning will be displayed that after this uninstall, the machine will be automatically rebooted. Click on 'OK' to start the uninstall.
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
Connect to command line on Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database: HostName:0> lock database override
Uninstall the package: HostName:0> installer uninstall <Package_Number>
Note: The progress (in per cent) will be displayed in Clish.
The machine will be rebooted automatically.
List of replaced files
The list of files replaced by this Jumbo Hotfix Accumulator can be provided upon request by Check Point Support.