60000 / 40000 Appliances - Jumbo Hotfix Accumulator for R76SP.50
Solution

Table of Contents:

  • Introduction
  • Availability
  • Important Notes
  • List of resolved issues per Take
  • Installation instructions
  • List of replaced files
  • Troubleshooting instructions
  • Revision History

Introduction

R76SP.50 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues on 60000 / 40000 products running R76SP.50.

This Incremental Hotfix and this article are periodically updated with new fixes.

The list of resolved issues below describes each resolved issue and provides a Take number, in which the fix was included.
A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive).
The date on which this take was made available is listed near the Take's number.

 

Availability

The Latest General Availability Take:

Take Date Download Package
Take_205 01 Sep 2019 (TGZ)

Previous General Availability Takes:

Take Date Download Package
Take_198 03 July 2019 (TGZ)
Take_196 30 June 2019 (TGZ)
Take_187 27 May 2019 (TGZ)
Take_184 07 May 2019 (TGZ)
Take_180 21 April 2019 (TGZ)
Take_161 20 February 2019 (TGZ)
Take_105 20 Nov 2018  (TGZ)
Take_96 30 Sep 2018 (TGZ)
Take_84 28 August 2018  (TGZ)
Take_83 20 August 2018  (TGZ)
Take_82 14 August 2018  (TGZ)
Take_76 12 July 2018  (TGZ)
Take_72 28 June 2018  (TGZ)
Take_62 26 April 2018  (TGZ)
Take_55 29 March 2018  (TGZ)
Take_40 04 February 2018  (TGZ)
Take_31 07 January 2018  (TGZ)
Take_20 17 Sep 2017  (TGZ)
Take_16 27 August 2017  (TGZ)

Important Notes

  • This Jumbo Hotfix Accumulator is suitable only for 41000 / 44000 / 61000 / 64000 running:
    • R76SP.50 OS build 84 clean installation
    • R76SP.50 OS build 84 with lower (than the latest) Takes of this Jumbo Hotfix Accumulator

    To see the OS version you are running, run one of the below commands from CLISH/GCLISH:
    • show version os build
      The correct output should be:
      OS build 84
    • asg_version 
      The correct output should be:
      blades
      ======
      OS version
      ----------
      -*- 1 blade: 1_02 -*-
      OS build 84, OS kernel version 2.6.18-92cpx86_64, OS edition 64-bit    
             
    If you are running an earlier R76SP.50 OS build, you should upgrade to OS build 84 before installing this Jumbo Hotfix Accumulator.

  • If you have previously installed any private hotfixes on top of your current version, contact Check Point Support before applying this Jumbo Hotfix Accumulator to verify that it is compatible with your environment.
  • Changing between Static NAT port allocation and Dynamic NAT port allocation (refer to sk103656) requires a full system reboot.

 

List of resolved issues per Take

ID Product Description
Take 205 (01 September 2019)
SPC-1519 General  General Stability fixes
SPC-2772  General "asg diag" hardware verification fails when PSUs are not placed in consecutive order (degradation from Take 196). 
SPC-2413 General CPD memory leak due to cpmon threshold. 
SPC-2186 General Added the ability to collect asg_info on SGMs in down state. 
SPC-1470 General The $CPDIR/tmp/ directory is filled with 'file...' files. Refer to sk98567.
SPC-2581 General  The asg_serial_info command returns wrong output - shows "Not in the security group" for SGMs on chassis 1.
SPC-2604 General Added time estimation when adding/removing bond’s primary slaves with more than 60 VLANs. 
SPC-2041 General Fixed general issues with asg_hw_monitor command.
SPC-1222 General DC power consumption optimization for 41K Chassis.
SPC-2623 General Added support for INTEL SSD SC2KB240G8
SPC-2211 General  When using Blade State Events feature, backplane interface flaps may cause cluster instability. 
SPC-2323 General  Improved the ability to monitor kernel crashes. 
SPC-2584 General Added ability to skip SSM upgrade confirmation on JHF Upgrade Script. 
SPC-1418 General  Threat Emulation engine will be copied from SMO when using Image Clone. 
SPC-2201 General  Blade State Events feature is updated only on chassis monitor task SGM. 
SPC-2603 RouteD Security Gateway randomly stops forwarding the IGMP / PIM Sparse Mode multicast traffic. Refer to sk106858.
SPC-2588 RouteD RouteD daemon might crash when PIM packets are received in an unsupported IP format group. Refer to sk111891.
SPC-2599 RouteD  RouteD daemon might crash on cluster member when PIM Sparse Mode multicast is configured and multicast traffic arrives from peer cluster member. Refer to sk104847.
SPC-2240 RouteD  Previously reachable BGP routes are still advertised to BGP peers on ClusterXL after the switch that connects these members goes down.
SPC-2598  FireWall-1  As a result of a large rule base, the string_dictionary_table kernel table on the Security Gateway can fill up. Refer to sk66342.
SPC-2585  SGW  Policy installation fails with error "Reason: Load on Module failed - failed to load Security Policy" due to a problem with spii_multi_pset2kbuf_map kernel table.
Refer to Scenario 22 in sk33893.
SPC-2567 VSX VSW does not pull the manually 'set affinity' from the SMO.
SPC-2606  VSX VSX configuration push causes all routes/interface to be deleted from single SGM. Refer to sk160572.
SPC-2238  VSX  "Fetching Security Policy Succeeded fw ctl affinity -l can only run from the context of the VSX (VS0)" warning appears when running the 'fw fetchlocal' command on non-VS0.
SPC-2203 Threat Emulation The maximal size of extension for a file that is uploaded for emulation was increased.
SPC-2405 VoIP SIP connections may be regularly dropped with "Number of reinvites exceeded the limit" error.
New "sip_expire" parameter added to enable users to customize how much time a registration request should take. 
Take 198 (03 July 2019)
SPC-2574 General Software blades cannot be updated due to a certificate validation error. This is a degradation from Take 180.
SPC-2577 VSX Deleting a VLAN in VSX mode shuts down (admin-state) the Trunk interface on the SSM. This is a degradation from Take 159.
Take 196 (30 June 2019)
SPC-2309, SPC-2277, SPC-2237, SPC-448 General General stability fixes.
SPC-1639 General  Added support for MAGG with LACP configuration.
SPC-381 General  Added port 28581 to TCP Management forward list.
SPC-2297 General asg_drop_monitor enhancement. For details, refer to the "Packet Drop Monitoring (asg_drop_monitor)" section in the R76SP.50 Administration Guide.
SPC-2084 General VSX configuration fails because the SMO fails to tar zip the local.vs file to tgz.
SPC-1990, SPC-1666 General IPv6 traffic may be dropped when working with a distribution mode combination of SSM L4 + General + IPv6.
SPC-1803 General The ARP table is cleared after a policy installation.
SPC-1718 General Working with eth1-Mgmt3 causes incorrect logs on the SSM2's interfaces.
SPC-538 General  asg_hf_installer gets stuck when the user reboots the SGMs.
SPC-749 General  hw_utilization fails to execute.
SPC-2202 General In rare cases, the SGM goes DOWN after a policy installation.
SPC-930 General  Changing the SGM's slot-ID when using only one SSM could result in unnecessary reboots.
SPC-728 Gaia OS  The 'show smo log auditlog' command is unavailable.
SPC-727 Gaia OS When the user presses ENTER, the expert audit log regards it as a repetition of the previous command.
SPC-2506, SPC-2521 FireWall-1 Check Point response to TCP SACK PANIC - Linux Kernel vulnerabilities - CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479 - refer to sk156192.
SPC-2156 FireWall-1 Security Gateway logging issues to the log server when the active_remote_servers parameter value is set to 0.
SPC-2155 FireWall-1 Logs do not arrive at the log server when the active_remote_servers parameter value is set to 0.
SPC-2315 Multiple Security Groups When the Gateway is in Multiple Security Groups, adding an interface to a bonding group results in an error. 
SPC-2130 Multiple Security Groups When the Gateway is in Multiple Security Groups, interface eth1-09 does not receive traffic on SSM440.
Take 187 (27 May 2019)
SPC-2209 General Added new SSM440 firmware: 5.5.R5.7.CP.T-ATCA510.
SPC-2207 General Added new SSM160 firmware: 5.5.R1.6.CP.T-ATCA404.
SPC-2089 General A disorderly exit (Ctrl + c) from asg alert ("Full Configuration Wizard" section) causes the alert messages to not be sent.
SPC-2068 General You can now change the severity of asg alert events. Refer to the "Configuring Alerts for SGM and Chassis Events" section in the R76SP.50 Administration Guide.
SPC-1830 General  Running the fw6 tab -t connections -s command in a non-VS0 context generates a fw6 core dump.
SPC-2288 VSX Reverted 'Policy Based Routing' feature for VSX only.
Take 184 (07 May 2019)
SPC-2192, SPC-2151 General General stability fixes.
SPC-2138 General "SSM Management Loss" enhancement. For details, refer to sk145792.
SPC-2150 General Fix for situations in which the CPD hangs. 
SPC-2119 General  The Chassis Monitor daemon brings the CMMs down after a failover without a grace period.
SPC-2088 General  Post installation succeeds, but the admin state script fails.
SPC-2173 General  Mail alerts are sent with VS0 statistics only, instead of with statistics for the entire SGM.
SPC-2153 General  asg_perf_hogs does not properly alert the user of ARP table overflow.
SPC-2083 VSX  For VSLS only: VSs are not on the primary chassis due to a failure to load the chassis kernel parameters.
Take 180 (21 April 2019)
SPC-1215, SPC-1422, SPC-1461, SPC-1805, SPC-1965, SPC-1979, SPC-2007, SPC-2015, SPC-2037, SPC-1771, SPC-1914, SPC-1554, SPC-1611, SPC-1970 General General stability fixes.
SPC-1417 General 'asg_drop_monitor -r' does not reset NIC drops on a i40e driver.
SPC-616 General Added IDs of SGMs to the headline of 'asg_provision'.
SPC-803 General asg_cp2blade fails to copy a file larger than 2 GB.
SPC-1516 General Error message while running asg_swb_perf status: line 43: [: -eq: unary operator expected.
SPC-1467 General Error message while running cpview: Unable to open '/vs5/dev/fw6v0': Connection refused.
SPC-1587 General SSM logs are flooded with error messages about packets larger than 1519 Bytes.
SPC-1631 General g_tcpdump deletes packet captures from remote SGMs when using the -mcap flag.
SPC-810 General When the user works with one SSM, 'distutil verify -v' fails.
SPC-2038 General asg alert configuration is reset after the installation of JHF takes 84-161 on top of JHF takes 72-83. Refer to sk151472.
SPC-1134 FireWall-1 Added IPv6 support for Fast Accelerator (sim6 fastaccel).
SPC-1706 FireWall-1 CPPCAP integration. Refer to sk141412.
SPC-1322 FireWall-1 cpview stability fixes.
SPC-1994 FireWall-1 FWD crashes when domain objects are in use during a heavy load.
SPC-1616 FireWall-1 Support for Unified IPv6 link-local IP between both chassis. 
SPC-2009 FireWall-1 For VSX only: 'sim fastaccel' stops accelerating traffic in specific cases.
SPC-1627 FireWall-1 Added support for 'IPv4/IPv6 reject static' routes on VSX systems. Refer to sk151473.
SPC-1630 LTE GTP Non Existent and Version not supported response messages are sent with the wrong length and checksum.
SPC-1978 CGNAT CGNAT stability fixes. 
Take 161 (20 February 2019)
SPC-1247 Multiple Security Groups Introducing Multiple Security Groups (supported only with the new R76SP.50 ISO for Multiple Security Groups).
SPC-1564, SPC-1921, SPC-1880, SPC-1840, SPC-1892, SPC-1876 General General stability fixes.
SPC-1629 General Added statistics and detection for unconfigured VLAN in the local network. Refer to sk145652.
SPC-1656 General Added support for SGM400 IPMC firmware 1.14. Refer to sk123571
SPC-1724 General Added support for 10G SFP transceiver for SSM160 (BTI10GSRSFPP)
SPC-1839 General Enables default auditing for expert user.
SPC-1565 General Enhanced SSM monitoring. Refer to sk145792. 
SPC-1662 General Fix for asg_info.
SPC-1862, SPC-1903 General Disabling Resource Control Monitoring (resctrl).
SPC-1507 General Inconsistent port admin state between Gaia OS database and SSMs.
SPC-723 General Added support for N+1 chassis CMM Firmware 3.70-rev6.1, to address high rotation of fans.
SPC-1083 General Jumbo Hotfix upgrade will fail if 'Image auto cloning' is activated. Refer to sk145955
SPC-1585 General After reboot, the image.md5 file is different among SGMs.
SPC-1621 General Configuring BGP MD5 with several other neighbors might cause a kernel crash.
SPC-1416 General On SGW only: cpha_blade_config now uses FW cores instead of SecureXL cores. Refer to sk145953.
SPC-1582 General SGM does not recover from local logging after the connection to the log server is reestablished.
SPC-1415 General  On SGM440 only: During heavy load, the i40e driver may become unresponsive and reset itself.
SPC-1904 General asg_perf_hogs reports false alert about soft lockups.
SPC-1447 General Fix for general errors with the format: Accelerator Status : off by Firewall (too many general errors (NUMBER) (caller: Name_of_Function))
SPC-1998 VSX VSX reconfiguration fails because of a degradation in Take 159 (SPC-1564).
SPC-1581 Cluster  Improved decision for chassis failover.
SPC-1608 FireWall-1 Desktop Policy on SP50 is not enforced on all members. Refer to sk140752.
SPC-1773 FireWall-1 Policy installation enhancement. 
SPC-1759 FireWall-1 GTP stability fixes.
SPC-1889 FireWall-1 IPS false positive - "Non Compliant DNS" - illegal EDNS0 RR. Refer to sk112578
Take 105 (20 November 2018)
SPC-1386, SPC-1423, SPC-931, SPC-1515, SPC-1345, SPC-1191, SPC-827, SPC-376, SPC-94, SPC-1265, SPC-875, SPC-65, SPC-1430, SPC-1475 General General stability fixes.
SPC-569 General Improved run time for asg_version -v.
SPC-445 General Added support for asg_info with a new timestamp flag that collects relevant information between timestamps.
SPC-1542 General Added new firmware (3.70-rev6) for CMM700. Refer to sk138652 for instructions on how  to distinguish between CMM700-AA and CMM700-CC.
SPC-1406 General 'asg_arp' enhancements:
  • Will now ignore proxy arp entries
  • Will now ignore SSM / CMM arp entries
  • Will not resolve IP address to hostname
SPC-1298 General Management over data-port redirection to the SMO. For details, refer to sk140834.
SPC-1245, SPC-1246 Cluster Cluster enhancements.
SPC-567 FireWall-1 Added support for RAD protocol encryption between the Security Gateway and the Cloud. Refer to sk140292
SPC-837 FireWall-1 Added support for ISP Redundancy on Scalable Platforms. Refer to sk140512
SPC-1515 FireWall-1 Protects fw code against fragment/segment smack attack. Refer to sk134253
SPC-1223 Gaia OS asg_route shows, in specific cases, inconsistent routes between the OS and the DB.
SPC-818 Gaia OS Exposed password on .clish_history file.
SPC-946 Routing Default route learned via BGP is temporarily deleted after a chassis failover. 
SPC-876 Routing Multicast PIM traffic register packets are sent with an incorrect checksum.
SPC-935 SecureXL Fragmented reply traffic, for a connection created by a template, is dropped by the clean-up rule.
SPC-874 SecureXL Multiple port-less temporary connections are dropped in SecureXL - "Connection not found".
SPC-1010 SecureXL When IPv6 is enabled, SecureXL ignores VLAN tagged packets in a bridge interface.
SPC-1204 VSX vsx verify tool fails on routes with weights.
SPC-789 NAT Added support for NAT monitor. Refer to sk140152.
SPC-199 VPN Optimized division of VPN-office-mode IP pool. Refer to sk97795
Take 96 (30 September 2018)
SPC-1329, SPC-1284, SPC-1267, SPC-1136, SPC-1006, SPC-960, SPC-900, SPC-884, SPC-1393, SPC-1353 General General stability fixes.
SPC-1323 General config_verify -v command fails on te_attributes.conf.
SPC-1300 General Routes get stuck in the OSPF database.
SPC-883 General Added support for excluding specific IP addresses from acceleration.
SPC-1297  VSX Added support for PBR in VSX (Policy Based Routing). For details, refer to sk137232
SPC-1392  LTE TEID log field is not shown in GTPv2 drop log when TEID exceeds 0x7FFFFFFF
Take 84 (28 August 2018)
SPC-1319 General asg alert configuration is reset after installation of JHF Take_72 and above.
SPC-2038 General The $FWDIR/conf/alert.conf file on SGMs is overwritten when the user upgrades from Takes 72 - 83 to a higher Take of the R76SP.50 Jumbo Hotfix Accumulator. To upgrade from Takes 72 - 83 to Take 84 (or higher) of the R76SP.50 Jumbo Hotfix Accumulator:
  1. Back up the current $FWDIR/conf/alert.conf file on all SGMs.
  2. Upgrade to Take 84 (or higher) of the R76SP.50 Jumbo Hotfix Accumulator.
  3. Restore the $FWDIR/conf/alert.conf file you backed up on all SGMs.
Take 83 (21 August 2018)
SPC-1293 Security Gateway Check Point response to SegmentSmack (CVE-2018-5390) & FragmentSmack (CVE-2018-5391).
Refer to sk134253.
SPC-1192 General Added support for:
  • 10G SFP transceiver for SSM440 (BTI10GSRSFPP) 
  • 40G QSFP transceiver for SSM440 (BTI40GSRDDQSFP)
  • 100G QSFP transceiver for SSM440 (100GLR4LCW2SMLC)
  • 100G QSFP transceiver for SSM440 (100GLR4LN10SMLC)
Take 82 (15 August 2018)
SPC-1029, SPC-1009, SPC-1077, SPC-1041 General General stability fixes.
SPC-747 General The asg stat -v command displays '0' PSUs and fans if only PSUs 5 and 6 are used (applies only to 64K).
SPC-1084 General Added new SSD firmware (SCV10142).
SPC-1122 General Improved failure detection response. Refer to sk132934.
SPC-1120 General In some cases, syslog is sent only by the SMO. 
SPC-276 General Added support for L4 and General Distribution mode combination.
SPC-831  General  CIN traffic between the SGM and the SSM is dropped by Security Gateway. Refer to sk133376.
SPC-1214  SNMP snmpv3_dbget_conf_engineBoots errors are printed in the log for each event. 
SPC-1220  LTE Valid GTPv1 echo messages are logged as expired with no response (GTP Code:310).
SPC-1228  LTE SNMP GTP counters for active bearers are not decremented.
SPC-1229 LTE Incorrect lookup in gtpv2_ignore_elements table causes GTPv2 IEs failure to be ignored.
SPC-1028  LTE Added parsing for GTPv2 EUTRAN-NB-IoT Radio access type.
Take 76 (12 July 2018)
SPC-1092, SPC-1089, SPC-1075, SPC-1074, SPC-916, SPC-1072 Gaia OS General stability fixes.
SPC-1073, 01738910 General When trying to access a website with URL in upper case (including WWW), the RAD normalization is done wrong and 'www.' is not removed.
SPC-136 General In rare scenarios, traffic is dropped with "dropped by fwkdrv_enqueue_packet_user_ex Reason: VS or Instance Down (vsid <number>);" message.
Refer to sk120984.
SPC-1071, 01687181 HTTPS Inspection HTTPS Categorization with Hold configuration sometimes drops big URLs.
SPC-1004 SNMP  SNMPv3 infrastructure enhancement. 
Take 72 (28 June 2018)
SPC-817, SPC-938, SPC-783, SPC-784, SPC-823, SPC-581, SPC-583, SPC-585, SPC-740, SPC-767 Gaia OS General stability fixes.
SPC-597 Gaia OS Improved "Warning" infrastructure to asg_perf_hogs and added warning for NAT templates test instead of an error.
SPC-903 Gaia OS "Invalid MAC address" error on "vsx verify" command failure after upgrade to R76SP.50.
SPC-909 Gaia OS "MAC learning packet" debug messages are flooding the syslog.
SPC-214, SPC-377, SPC-576, SPC-812 General Added support for new SSM firmware.
Refer to sk93332 under section: "Software and Hardware Compatibility" and "Hardware software revision"
SPC-826, 01579916 General Syslog messages forwarded to an external Syslog server do not contain the host name. Refer to sk100727.
SPC-950 General Setting "PBR rule priority X match to X.X.X.X/XX" returns "Syntax error" message.
SPC-89 General Added support for "Unified MAC for data ports" mode (Only for SGW). 
Refer to "Added support for "unified MAC for data ports"" chapter in 60000/40000 Security Platform R76SP.50 Administration Guide.
SPC-785, 01897723, 02757903 General Added support for ECDHE P-384 curve.
SPC-976 General Added support for transceiver per SSM440 (SJ8512-X5ATOS)  
SPC-520 General LACP Bond slave is down after reboot under some conditions.
SPC-879, SPC-549 General Failing ICMPv6 traffic does not display error message.
Refer to sk129732
SPC-853 General After performing chassis failover while generating user logs, PDP constantly disappears from the "pep sh pdp all" list after reaching approx 13-14k users.
SPC-906 SNMP Added support for SHA1/AES for SNMP USM users. 
SPC-825 SNMP SNMP trap is not sent upon interface Up/Down event.
SPC-586, 01204836 SNMP The snmpwalk command fails with "Timeout: No Response from" message when running OID 1.3.6.1.4.1.2620.1.16 on VSX machine with large number of Virtual Systems. Refer to sk97947.
SPC-927, SPC-922 SNMP snmpwalk for asgIF table (1.3.6.1.4.1.2620.1.48.26) fails after upgrade to R76SP.50 Jumbo Hotfix Take_40. Refer to sk123355.
SPC-651, 02525379 VPN VPN packets are dropped when VPN Sticky SA is enabled.
Refer to sk118084.
SPC-667, 02721008 Logging Logs with Track "None" in rule base are being logged to SmartLog, although logging is disabled.
SPC-886 VSX In some scenarios, IPv6 Scopelocal routes are missing after adding new VLAN in VSX.
SPC-579, 01178961 VoIP "sip reason: Too many streams in SDP" drop log in SmartView Tracker.
Refer to sk93752.
SPC-857, 02356285 VoIP H.323 VoIP Keep Alive "ACK" packets are not forwarded to the client.
Refer to sk113749.
SPC-939, 02729238 SSL Inspection Rule mismatch on SSL inspection rulebase if a partial match is higher than a full match.
Refer to sk123718.
SPC-699, 01427150 DLP Enabling DLP and TE software blades causes the DLPU process to stop working and produce a core dump after policy installation.
SPC-18 LTE Carrier Security (LTE) stability fixes. Refer to sk130212.
Take 62 (26 Apr 2018)
SPC-571, SPC-662 Gaia OS The distutil verify command fails in specific scenarios.
Refer to sk123777.
SPC-537, 02620877 Gaia OS When monitored by CPWD, FWD process stops working in specific scenarios.
SPC-655, SPC-656 Gaia OS Added support for multiple IPv4 addresses per interface.
For more information, refer to "Alias IP" chapter in 60000/40000 Security Platform R76SP.50 Administration Guide
SPC-653, 02509382 Gaia OS Packet drops due to static NAT configuration with VPN.
SPC-527, SPC-534, SPC-532, SPC-535 Gaia OS General stability fixes.
SPC-530 Gaia OS ADlog returns wrong FQDN for some domains.
SPC-557 Gaia OS coredumps_bt script fails if debug tools were not installed or for fwk coredumps. 
SPC-813 Gaia OS asg_serial_info command returns corrupted output. 
SPC-607 General Added support for 1G transceivers for SSM160 (BTIMGBICMTX). 
SPC-531 General Policy installation fails if HTTP Methods protection is enabled.
SPC-657, SPC-528 General SSMs are monitored as "down" during policy installation.
SPC-806 Cluster Soft lockups infrastructure enhancement.
SPC-256 SecureXL SecureXL concurrent connections counter is inaccurate. 
SPC-802 HTTPS Inspection Streaming infrastructure degradation fix for SPC-612. 
Take 55 (29 Mar 2018)
SPC-517, SPC-649 Gaia OS Security hardening for Gaia Clish. The patch command is now removed from Clish.
SPC-497 Gaia OS The asg_info command does not collect information for non-VS0 VSs. 
SPC-372 Gaia OS The asg_dr_verifier command fails with "Dynamic Routing Failed to query routing data" error in some scenarios. Refer to sk123192.
SPC-486, 02648278 Gaia OS It is not possible to disable cpWatchDog monitoring of FWD process.
Refer to sk120756
SPC-215 Gaia OS Enable set interface speed for Mgmt port.
SPC-592 Gaia OS After installing the os_net_snmp rpm, the /etc/snmp/vsx-proxy/snmpd.vsx.proxy.conf file is overridden with an empty file.
SPC-97 Gaia OS In a certain condition, gateway crashes when passing the CIFS traffic. 
SPC-56, 02658222 Gaia OS The asg_arp command fails due to proxy ARP addresses.
Refer to sk121450.
SPC-99 General Traditional Anti-Virus is not supported on Scalable Platforms. When it is enabled, the policy installation fails with "Load on module failed" error.
  • Starting from this Take, if the Traditional Anti-Virus is enabled, there is no option to install the Security policy.
SPC-200 General
  • Support for Multi-Queue on Mgmt interfaces was added.
  • Support for CIN packet priority was added. 
Refer to sk119956.
SPC-539 General The SMO image cloning mechanism activation fails with error:
Error setting image auto-clone state to on
Image auto-clone state is off. 
SPC-213 General Add support for 64K with 1 SSM.
SPC-302, SPC-303 General
  • Added new firmware for SSM 160 and SSM 440.
  • Added support for BiDi Transceiver (13B8NIY4455).
SPC-91 General IPv6 logs are incorrectly unified with different SGM IDs.
SPC-278 General NTP cannot update itself after upgrading to R76SP.50.
SPC-188 General After upgrade from R76SP.40 to R76SP.50, the asg diag command fails with "Matrix size error".
SPC-107 General Set Back Plane (BP) ports speed to "auto" when working with SSM440.
SPC-104 General Update SNX version to latest version. 
SPC-630 SecureXL After upgrading SGM400 to R76SP.50 JHF Take_44, the number of SecureXL CPU cores is reduced to 1. Refer to sk123375
SPC-490, 02658128 IPS IPS is shown as enabled, although IPS blade is disabled on the gateway object in SmartConsole. Refer to sk121152.
SPC-612 HTTPS Inspection HTTPS Inspection stability fix.
SPC-31, 01166621 SNMP SNMPv3 with USM 'authentication' configuration does not survive reboot.
Refer to sk92937.
Take 40 (04 Feb 2018)
Note: This Take replaces Take 39 released on 01 Feb 2018. It is recommended to install Take 40.
SPC-118, SPC-418, SPC-417, SPC-416, SPC-365 Gaia OS Enhanced monitoring and configuration of VLANs on SSM.
Refer to sk121094
SPC-179 Gaia OS Added support for CRON Jobs. 
SPC-178 Gaia OS Added ability for user to login without password by using synchronization of SSH keys.
SPC-177 Gaia OS Added ability to add files to the cross SGM synced files list.
SPC-19 General Added support for Online Certificate Status Protocol (OCSP). 
SPC-103 General "asg diag" hardware verification fails when PSU’s are not placed in consecutive order.
SPC-117 General Improved stability and functionality of RAD engine. 
SPC-34, SPC-32, SPC333 General Improved stability and functionality of WSTLD engine.
SPC-67 General NetFlow Enhancement: Added separate fields for Check Point Enterprise, Member ID, VS-ID.
SPC-320, SPC-498 VSX Extended SNMP Support for VSX on chassis hardware.
Refer to "Best Practices - Monitoring" section in sk101556.
SPC-209 SecureXL SecureXL causes multiple traffic drops for different services (smtp/dns/ssh) after reboot.
SPC-180 Logging Added support for Audit logs for expert bash commands. 
Take 31 (07 Jan 2018)
SPC-17, SPC-111, SPC-110, SPC-109, SPC-108 General Enhancement: Added support for synchronization with User Center.
SPC-149 General Enhancement: Added support for new 100G transceivers for SSM440 (SPQ-CE-LR-CDFM)
SPC-93  General Enhancement: Added support for new transceiver per SSM440 (SPQ-CE-LR-CDFB)
SPC-160  General SSM loses verification signature when Layer4 distribution is enabled. 
SPC-105 General Aligned SGM clock and SSM440 clock when SSM comes up. 
SPC-69 General  The asg monitor command does not work with VSLS mode when SGM is down. 
SPC-57 General OSPF point-to-point configuration command is not updated for OSPF Multiple Instances. 
SPC-16 Identity Awareness Enhancement: Added support for Scale IDA (PEPD side only) and Identity Collector.
SPC-49 HTTPS Inspection Blocking HTTP Evader bypass Web Intelligence using evasion techniques.
SPC-54  IPS  IPS signatures are not matched when NULL bytes are added to gzip files. 
SPC-51  IPS  Improved IPS inspection of 304 HTTP responses sent with body and no content length. 
SPC-130  Client Authentication Portal  Client Authentication portal does not add the required HTTP security headers. 
SPC-131  Anti-Virus, Anti-Bot, URL Filtering  URLs with whitespaces are wrongly matched against Anti-Virus, Anti-Bot and URL Filtering databases. 
SPC-43  VPN  Improved stability for vpnd process when using unsupported Windows client IKEv2 authentication. 
SPC-48 VPN  Improved stability for vpnd process in IKEv2 handshake when FQDN is sent as part of the request. 
SPC-44  VPN  Enhancement: Chain of certificates in IKEv2 authentication is allowed. 
SPC-86 SPC-36 VPN Enhancement: Added support for VPN Office mode with DHCP Forwarding.
SPC-161 SecureXL Improved stability in SecureXL random NAT port allocation.
Refer to sk116977.
SPC-139 SecureXL Returning traffic is dropped on cleanup rule upon policy installation for some time, or until SecureXL is disabled.
Refer to sk121765
SPC-85  Gaia OS  Enhancement: Implemented confirm and audit mechanisms for "set fcd revert ..." command. 
SPC-106 SPC-84 SPC-83  Gaia OS  Improved stability of routed daemon.
SPC-81  Security Gateway  fw process crashes with Segmentation fault when running the fw fetch -n command. 
SPC-92  Security Gateway  DDoS mitigation (F2F Quota) mechanism is not activated after reboot, even if it is enabled in the configuration.
SPC-42  Security Gateway  DHCP relay traffic is dropped with Reason: PSL Drop: ASPII_MT in kernel debug output. 
Refer to sk100233
SPC-40  Security Gateway  Memory leak in TCP streaming when hold reaches timeout. 
SPC-37 Security Gateway When using non ASCII_US characters in Expert password, gclish crashes with Segmentation fault.
SPC-6  Security Gateway  cm_reset_cmm is not always resetting the correct CMM. 
Take 20 (27 Sep 2017)
02593026 General Check Point Registry is not updated with the proper build numbers after installing Jumbo Hotfix Accumulators.
02645803 HTTPS Inspection Interoperability issue with Chrome version 61 when HTTPS Inspection is enabled.
Refer to sk120457.
02631282 VPN Improved stability while working with VPN and IKEv2.
02521324 CloudGuard  Added support for CloudGuard. Refer to sk120464.
Take 16 (27 Aug 2017)
02535520; 02557258; 02539375 General
  • Added the transceiver 1G Source Photonics SP-GB-TX-CNFC to "asg diag verify" certified list.
  • Added the transceiver 10G Source Photonics SPP-10E-LR-CDFF to "asg diag verify" certified list.
  • Added the transceiver 40G Source Photonics SPQ-10E-LR-CDFB to "asg diag verify" certified list.
  • Added the transceiver 100G Innolight TR-FC13T-N00 to "asg diag verify" certified list.
  • Added the transceiver 40G Source Photonics SPQ-10E-SR-CDFG to "asg diag verify" certified list.
  • Added the transceiver 40G Finisar FTL410QE2C to "asg diag verify" certified list.
02527710 General Check Point response to CVE-2016-2183 (Sweet32).
It is now possible to control the use of 3DES in HTTPS Inspection, Mobile Access Portal, Identity Awareness Portal, Mobile Access curl (fix for SSL connections from a client to Mobile Access Gateway).
Refer to sk113114.
02527712 General Check Point response to OpenSSL CVE-2015-1789.
02560588; 02559202; 02564206; 02555471; 02555502 General Added support for Check Point PRO Report service.

Notes:

  • At the end of the installation of this Take 16 (and above), if CPdiag RPM package was not installed before, the following message is shown to the user:
    Help us to enhance product usability and services by automatically sending daily diagnostic and usage data to the secure Check Point Cloud.
    For more information, see sk111080
  • This support for Check Point PRO Report only adds the ability for 60000 / 40000 appliance to send the relevant monitoring information to Check Point. A quote needs to be generated to benefit from Check Point PRO reports.
02560029; 02530894 General "asg_serial_info" is now the unified tool for showing serial information for all hardware components.
02531922 General Number of queries per connection from RAD daemon to Check Point cloud can be configured in Check Point Registry.
On 40000 / 60000 appliances the default is 50 queries per connection.
Refer to sk103422.
02504948 General The "asg diag" test for parity errors fails when parity counter's value is greater than zero, even when it does not increase over time.
02558360 General routed and syslogd daemons consume CPU at high level.
Refer to sk119138.
02556886 General Improved stability of routed daemon in BGP (when "aspath"/"community" are used).
02527652 General The "asg_parity_verify" output shows inaccurate values in the SSM Parity Counters (cosmetic issue).

Example scenario:

  1. There were 10 SSM parity errors on Chassis1

  2. There were 0 SSM parity errors on Chassis2

  3. When running the "asg_parity_verify" command from Chassis1,
    the output will show the expected values in the SSM1 / SSM2 Parity Counters for both chassis:

    +---------------------------------------------------------------------+
    |SSMs Parity Counter Verifier                                         |
    +---------------------------+--------------------+--------------------+
    |                           |Chassis1            |Chassis2            |
    +---------------------------+--------------------+--------------------+
    ... ...
    +---------------------------+--------------------+--------------------+
    |SSM1 Parity Counter        |10                  |0                   |
    +---------------------------+--------------------+--------------------+
    ... ...
    +---------------------------+--------------------+--------------------+
    |SSM2 Parity Counter        |10                  |0                   |
    +---------------------------+--------------------+--------------------+
    ... ...
    
  4. When running the "asg_parity_verify" command from Chassis2 (on which there are no SSM parity errors),
    the output will incorrectly show the values in the SSM1 / SSM2 Parity Counters from Chassis1:

    +---------------------------------------------------------------------+
    |SSMs Parity Counter Verifier                                         |
    +---------------------------+--------------------+--------------------+
    |                           |Chassis1            |Chassis2            |
    +---------------------------+--------------------+--------------------+
    ... ...
    +---------------------------+--------------------+--------------------+
    |SSM1 Parity Counter        |10                  |10                  |
    +---------------------------+--------------------+--------------------+
    ... ...
    +---------------------------+--------------------+--------------------+
    |SSM2 Parity Counter        |10                  |10                  |
    +---------------------------+--------------------+--------------------+
    ... ...
    
02527687 General Added the ability to disable/enable SSM alerts:
run the "asg alert" command - select "Edit Configuration" - select "All" - select "Configure Excluded Modules"
02527688 General Improved the "asg_process_verifier -a" to kill all zombies and their parents.
Refer to sk116721.
02527711 General Despite RC4 being disabled on the web server, and applying the steps from sk93395, security reports show that the web server is still allowing RC4 ciphers.
Refer to sk104095.
02527683 General After reverting a snapshot, RMAed/new SGM restarts with wrong "SGM_ID".
Refer to sk115962.
02527699 General "Status: Table entries in fdb_shadow table is different between SGMs" failure for the Bridge test when running "asg diag verify".
02529655 General "asg_cp2blades" command does not preserve file permissions on the copied files. Instead, it sets the permissions to "644".
Refer to sk117735.
02567502 General Spelling corrections in the "asg vsx_verify" utility.
02565236 General MGCP traffic is NATed to port range of 10000.
Refer to sk101587.
02591245 General After SGM reboot, it is stuck in endless reboot loop.
Refer to sk119836.
02565249 General Traffic is being dropped as "Non Compliant HTTP".
Refer to sk119192.
02565246 General Traffic from ClusterXL to third party devices is dropped.
Refer to sk116975.
02549763 General Improved stability when processing NAT connections.
02525474 Security Gateway Security Gateway crashes during policy installation in rare scenarios.
Refer to sk102787.
02527693 Security Gateway, VSX Added ability to prevent chassis state flapping during policy installation.
Refer to sk116414.
02527662 VSX Multiple 'gzip' processes in zombie state on VSX Gateway after VSX configuration push.

Example excerpt from the 'ps' command output:

UID        PID  PPID  C STIME TTY      STAT   TIME CMD
admin      352 15270  0 Mar12 ?        Z      0:00 [gzip] <defunct>
02520864 VSX When running a 64-bit VSX system, changing distribution on VS0 does not change the distribution on other Virtual Systems.
02527668 VSX The "asg diag" fails due to wrong port count in VSLS mode.
02506815 VSX Memory leak detection tool (sk98387) now works in VSX mode as well.
02529849 VSX "vsx stat -n" command fails occasionally with "fwctl_setget_conns_number failed on VS <ID>" error.
02565250 VSX Virtual memory is used at 100% in VSX mode.
Refer to sk119613.
02527691 SecureXL Security Gateway with enabled SecureXL and IPSec VPN blade crashes when traffic passes over VPN tunnel.
Refer to sk107912.
02527659 SecureXL SGM crashes during policy installation if SecureXL Drop Templates are enabled.
Refer to sk117112.
02527660 SecureXL Kernel memory leak during policy installation.
02529650 Gaia OS "/home/<UserName>/.ssh" is a symbolic link to the "/home/admin/.ssh".
Refer to sk117738.
02527707 Gaia OS Following cluster failover, RouteD daemon sends OSPF "Hello" packets with no DR/BDR.
Refer to sk105169.
02527676 Gaia OS The "show configuration router-id" command shows Router ID as being configured, but configuration is not in the Gaia OS Database.
02527715 Gaia OS If user disabled SSLv3 in Gaia Portal per sk102989 - POODLE Bites (CVE-2014-3566), and then installed the hotfix from sk106478 - Check Point response to CVE-2015-2808 (Bar Mitzvah), then the configuration will be overridden.
02529653 Gaia OS "NMSUSR0056 Cannot add homedir for user USERNAME, homedir already in use" error in Gaia Clish when adding a new user.
Refer to sk118082.
02584673 Threat Emulation Improved stability of Threat Emulation online updates.
02565255 Threat Emulation On VSX systems, Threat Emulation related links are not created properly during creation of a Virtual System.
The ted process does not run on the Virtual System after enabling Threat Emulation.
02565253 Threat Emulation Files are not sent for emulation to Check Point Cloud.
02539513 URL Filtering URL Filtering blocks access to sites that do not contain the dot character ('.') in URL.
Refer to sk64162.
02538345 URL Filtering URL Filtering log "Internal System Error occurred, allowing / blocking request (as configured in engine settings)" due to empty CN field in HTTPS site's certificate.
Refer to sk64162.
02527692 Identity Awareness Identity Awareness stops working, users are not identified and Access Roles are not enforced.
Refer to sk114575.
02532578 Identity Awareness Policy installation on Identity Awareness Gateway fails randomly.
Refer to sk108290.
02532702 Identity Awareness PDP daemon does not show user identities despite getting the correct information from the Domain Controllers.
Refer to sk101288.
02533450 Identity Awareness If Identity Awareness fails to insert an entry into a relevant kernel table because that table's limit was reached, then the relevant log will be generated (to be viewed in SmartView Tracker, SmartLog).
02522133 Identity Awareness "Login failed. If the problem persists please contact your administrator." error during login in Captive Portal using RADIUS on 60000 / 40000 appliance.
Refer to sk116612.
02539610 UserCheck Improved stability and memory consumption in UserCheck.
02522150 UserCheck Web sites are blocked as expected by 60000 / 40000 appliance running R76SP.30 / R76SP.40 / R76SP.50, but UserCheck page is not displayed.
Refer to sk114627.
02527702 SNMP SNMP Request for OID "asgNetIfTable" (1.3.6.1.4.1.2620.1.48.26) returns 0 for TX and RX values.
Refer to sk117280.

 

Installation instructions

For fresh installation, refer to Data Center Security Appliances 60000/40000 R76SP.50 Home Page.

For Jumbo Hotfix installation, refer to the R76SP.50 Upgrade Guide.

List of replaced files

List of files replaced by this Jumbo Hotfix Accumulator can be provided upon request by Check Point Support.

 

Troubleshooting instructions


 

Revision History



Date Description
01 Sep 2019 Release of Take 205
03 July 2019 Release of Take 198
30 June 2019 Release of Take 196
27 May 2019 Release of Take 187
07 May 2019 Release of Take 184
21 April 2019 Release of Take 180
20 Feb 2019 Release of Take 161
11 Feb 2019 Release of Take 159
20 Nov 2018 Release of Take 105
30 Sep 2018 Release of Take 96
28 Aug 2018 Release of Take 84
21 Aug 2018 Release of Take 83
15 Aug 2018  Release of Take 82
12 July 2018 Release of Take 76
28 June 2018 Release of Take 72
17 June 2018 Release of Take 69
26 Apr 2018  Release of Take 62
29 Mar 2018 Release of Take 55
04 Feb 2018 Release of Take 40
07 Jan 2018 Release of Take 31
26 Oct 2017 Updated Important Notes
27 Sep 2017 Release of Take 20
04 Sep 2017 Issue ID 02560588 - updated the description
30 Aug 2017 Issue ID 02506815 - added link to sk98387
29 Aug 2017 Added "Revision History" section
27 Aug 2017 Release of Take 16
