60000 / 40000 Appliances - Jumbo Hotfix Accumulator for R76SP.50

Support Center > Search Results > SecureKnowledge Details

Solution ID	sk117633
Product	Scalable Platforms Appliances
Version	R76SP.50
OS	Gaia
Platform / Model	41000, 44000, 61000, 64000
Date Created	27-Aug-2017
Last Modified	01-Sep-2019

Solution

Table of Contents:

Introduction
Availability
Important Notes
List of resolved issues per Take
Installation instructions
List of replaced files
Troubleshooting instructions
Revision History

Click Here to Show Entire Article

Introduction

R76SP.50 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues on 60000 / 40000 products running R76SP.50.

This Incremental Hotfix and this article are periodically updated with new fixes.

The list of resolved issues below describes each resolved issue and provides a Take number, in which the fix was included.
A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive).
The date on which this take was made available is listed near the Take's number.

Availability

The Latest General Availability Take:

Take	Date	Download Package
Take_205	01 Sep 2019	(TGZ)

Previous General Availability Takes:

Take	Date	Download Package
Take_198	03 July 2019	(TGZ)
Take_196	30 June 2019	(TGZ)
Take_187	27 May 2019	(TGZ)
Take_184	07 May 2019	(TGZ)
Take_180	21 April 2019	(TGZ)
Take_161	20 February 2019	(TGZ)
Take_105	20 Nov 2018	(TGZ)
Take_96	30 Sep 2018	(TGZ)
Take_84	28 August 2018	(TGZ)
Take_83	20 August 2018	(TGZ)
Take_82	14 August 2018	(TGZ)
Take_76	12 July 2018	(TGZ)
Take_72	28 June 2018	(TGZ)
Take_62	26 April 2018	(TGZ)
Take_55	29 March 2018	(TGZ)
Take_40	04 February 2018	(TGZ)
Take_31	07 January 2018	(TGZ)
Take_20	17 Sep 2017	(TGZ)
Take_16	27 August 2017	(TGZ)

Important Notes

This Jumbo Hotfix Accumulator is suitable only for 41000 / 44000 / 61000 / 64000 running:
- R76SP.50 OS build 84 clean installation
- R76SP.50 OS build 84 with lower (than the latest) Takes of this Jumbo Hotfix Accumulator
To see the OS version you are running, run one of the below commands from CLISH/GCLISH:
- show version os build
  The correct output should be:
```
OS build 84
```
- asg_version
  The correct output should be:
```
blades
======
OS version
----------
-*- 1 blade: 1_02 -*-
OS build 84, OS kernel version 2.6.18-92cpx86_64, OS edition 64-bit    
       
```
If you are running an earlier R76SP.50 OS build, you should upgrade to OS build 84 before installing this Jumbo Hotfix Accumulator.
If you have previously installed any private hotfixes on top of your current version, contact Check Point Support before applying this Jumbo Hotfix Accumulator to verify that it is compatible with your environment.
Changing between Static NAT port allocation and Dynamic NAT port allocation (refer to sk103656) requires a full system reboot.

List of resolved issues per Take

Enter the string to filter this table:

ID	Product	Description
Take 205 (01 September 2019)
SPC-1519	General	General Stability fixes
SPC-2772	General	"asg diag" hardware verification fails when PSUs are not placed in consecutive order (degradation from Take 196).
SPC-2413	General	CPD memory leak due to cpmon threshold.
SPC-2186	General	Added the ability to collect asg_info on SGMs in down state.
SPC-1470	General	The $CPDIR/tmp/ directory is filled with 'file...' files. Refer to sk98567.
SPC-2581	General	The asg_serial_info command returns wrong output - shows "Not in the security group" for SGMs on chassis 1.
SPC-2604	General	Added time estimation when adding/removing bonds primary slaves with more than 60 VLANs.
SPC-2041	General	Fixed general issues with asg_hw_monitor command.
SPC-1222	General	DC power consumption optimization for 41K Chassis.
SPC-2623	General	Added support for INTEL SSD SC2KB240G8
SPC-2211	General	When using Blade State Events feature, backplane interface flaps may cause cluster instability.
SPC-2323	General	Improved the ability to monitor kernel crashes.
SPC-2584	General	Added ability to skip SSM upgrade confirmation on JHF Upgrade Script.
SPC-1418	General	Threat Emulation engine will be copied from SMO when using Image Clone.
SPC-2201	General	Blade State Events feature is updated only on chassis monitor task SGM.
SPC-2603	RouteD	Security Gateway randomly stops forwarding the IGMP / PIM Sparse Mode multicast traffic. Refer to sk106858.
SPC-2588	RouteD	RouteD daemon might crash when PIM packets are received in an unsupported IP format group. Refer to sk111891.
SPC-2599	RouteD	RouteD daemon might crash on cluster member when PIM Sparse Mode multicast is configured and multicast traffic arrives from peer cluster member. Refer to sk104847.
SPC-2240	RouteD	Previously reachable BGP routes are still advertised to BGP peers on ClusterXL after the switch that connects these members goes down.
SPC-2598	FireWall-1	As a result of a large rule base, the string_dictionary_table kernel table on the Security Gateway can fill up. Refer to sk66342.
SPC-2585	SGW	Policy installation fails with error "Reason: Load on Module failed - failed to load Security Policy" due to a problem with spii_multi_pset2kbuf_map kernel table. Refer to Scenario 22 in sk33893.
SPC-2567	VSX	VSW does not pull the manually 'set affinity' from the SMO.
SPC-2606	VSX	VSX configuration push causes all routes/interface to be deleted from single SGM. Refer to sk160572.
SPC-2238	VSX	"Fetching Security Policy Succeeded fw ctl affinity -l can only run from the context of the VSX (VS0)" warning appears when running the 'fw fetchlocal' command on non-VS0.
SPC-2203	Threat Emulation	The maximal size of extension for a file that is uploaded for emulation was increased.
SPC-2405	VoIP	SIP connections may be regularly dropped with "Number of reinvites exceeded the limit" error. New "sip_expire" parameter added to enable users to customize how much time a registration request should take.
Take 198 (03 July 2019)
SPC-2574	General	Software blades cannot be updated due to a certificate validation error. This is a degradation from Take 180.
SPC-2577	VSX	Deleting a VLAN in VSX mode shuts down (admin-state) the Trunk interface on the SSM. This is a degradation from Take 159.
Take 196 (30 June 2019)
SPC-2309, SPC-2277, SPC-2237, SPC-448	General	General stability fixes.
SPC-1639	General	Added support for MAGG with LACP configuration.
SPC-381	General	Added port 28581 to TCP Management forward list.
SPC-2297	General	asg_drop_monitor enhancement. For details, refer to the "Packet Drop Monitoring (asg_drop_monitor)" section in the R76SP.50 Administration Guide.
SPC-2084	General	VSX configuration fails because the SMO fails to tar zip the local.vs file to tgz.
SPC-1990, SPC-1666	General	IPv6 traffic may be dropped when working with a distribution mode combination of SSM L4 + General + IPv6.
SPC-1803	General	The ARP table is cleared after a policy installation.
SPC-1718	General	Working with eth1-Mgmt3 causes incorrect logs on the SSM2's interfaces.
SPC-538	General	asg_hf_installer gets stuck when the user reboots the SGMs.
SPC-749	General	hw_utilization fails to execute.
SPC-2202	General	In rare cases, the SGM goes DOWN afer a policy installation.
SPC-930	General	Changing the SGM's slot-ID when using only one SSM could result in unnecessary reboots.
SPC-728	Gaia OS	The 'show smo log auditlog' command is unavailable.
SPC-727	Gaia OS	When the user presses ENTER, the expert audit log regards it as a repetition of the previous command.
SPC-2506, SPC-2521	FireWall-1	Check Point response to TCP SACK PANIC - Linux Kernel vulnerabilities - CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479 - refer to sk156192.
SPC-2156	FireWall-1	Security Gateway logging issues to the log server when the `active_remote_servers` parameter value is set to 0.
SPC-2155	FireWall-1	Logs do not arrive at the log server when the `active_remote_servers` parameter value is set to 0.
SPC-2315	Multiple Security Groups	When the Gateway is in Multiple Security Groups, adding an interface to a bonding group results in an error.
SPC-2130	Multiple Security Groups	When the Gateway is in Multiple Security Groups, interface eth1-09 does not receive traffic on SSM440.
Take 187 (27 May 2019)
SPC-2209	General	Added new SSM440 firmware: 5.5.R5.7.CP.T-ATCA510.
SPC-2207	General	Added new SSM160 firmware: 5.5.R1.6.CP.T-ATCA404.
SPC-2089	General	A disorderly exit (`Ctrl + c`) from asg alert ("Full Configuration Wizard" section) causes the alert messages to not be sent.
SPC-2068	General	You can now change the severity of asg alert events. Refer to the "Configuring Alerts for SGM and Chassis Events" section in the R76SP.50 Administration Guide.
SPC-1830	General	Running the fw6 tab -t connections -s command in a non-VS0 context generates a fw6 core dump.
SPC-2288	VSX	Reverted 'Policy Based Routing' feature for VSX only.
Take 184 (07 May 2019)
SPC-2192, SPC-2151	General	General stability fixes.
SPC-2138	General	"SSM Management Loss" enhancement. For details, refer to sk145792.
SPC-2150	General	Fix for situations in which the CPD hangs.
SPC-2119	General	The Chassis Monitor daemon brings the CMMs down after a failover without a grace period.
SPC-2088	General	Post installation succeeds, but the admin state script fails.
SPC-2173	General	Mail alerts are sent with VS0 statistics only, instead of with statistics for the entire SGM.
SPC-2153	General	asg_perf_hogs does not properly alert the user of ARP table overflow.
SPC-2083	VSX	For VSLS only: VSs are not on the primary chassis due to a failure to load the chassis kernel parameters.
Take 180 (21 April 2019)
SPC-1215, SPC-1422, SPC-1461, SPC-1805, SPC-1965, SPC-1979, SPC-2007, SPC-2015, SPC-2037, SPC-1771, SPC-1914, SPC-1554, SPC-1611, SPC-1970	General	General stability fixes.
SPC-1417	General	'asg_drop_monitor -r' does not reset NIC drops on a i40e driver.
SPC-616	General	Added IDs of SGMs to the headline of 'asg_provision'.
SPC-803	General	asg_cp2blade fails to copy a file larger than 2 GB.
SPC-1516	General	Error message while running asg_swb_perf status: `line 43: [: -eq: unary operator expected.`
SPC-1467	General	Error message while running cpview: `Unable to open '/vs5/dev/fw6v0': Connection refused.`
SPC-1587	General	SSM logs are flooded with error messages about packets larger than 1519 Bytes.
SPC-1631	General	g_tcpdump deletes packet captures from remote SGMs when using the -mcap flag.
SPC-810	General	When the user works with one SSM, 'distutil verify -v' fails.
SPC-2038	General	asg alert configuration is reset after the installation of JHF takes 84-161 on top of JHF takes 72-83. Refer to sk151472.
SPC-1134	FireWall-1	Added IPv6 support for Fast Accelerator (sim6 fastaccel).
SPC-1706	FireWall-1	CPPCAP integration. Refer to sk141412.
SPC-1322	FireWall-1	cpview stability fixes.
SPC-1994	FireWall-1	FWD crashes when domain objects are in use during a heavy load.
SPC-1616	FireWall-1	Support for Unified IPv6 link-local IP between both chassis.
SPC-2009	FireWall-1	For VSX only: 'sim fastaccel' stops accelerating traffic in specific cases.
SPC-1627	FireWall-1	Added support for 'IPv4/IPv6 reject static' routes on VSX systems. Refer to sk151473.
SPC-1630	LTE	`GTP Non Existent` and `Version not supported` response messages are sent with the wrong length and checksum.
SPC-1978	CGNAT	CGNAT stability fixes.
Take 161 (20 February 2019)
SPC-1247	Multiple Security Groups	Introducing Multiple Security Groups (supported only with the new R76SP.50 ISO for Multiple Security Groups). For a comprehensive technical description, refer to the R76SP.50 Administration Guide ("Multiple Security Groups" section). For installation instructions, refer to the R76SP.50 Upgrade Guide ("Multiple Security Groups" section).
SPC-1564, SPC-1921, SPC-1880, SPC-1840, SPC-1892, SPC-1876	General	General stability fixes.
SPC-1629	General	Added statistics and detection for unconfigured VLAN in the local network. Refer to sk145652.
SPC-1656	General	Added support for SGM400 IPMC firmware 1.14. Refer to sk123571.
SPC-1724	General	Added support for 10G SFP transceiver for SSM160 (BTI10GSRSFPP)
SPC-1839	General	Enables default auditing for expert user.
SPC-1565	General	Enhanced SSM monitoring. Refer to sk145792.
SPC-1662	General	Fix for asg_info.
SPC-1862, SPC-1903	General	Disabling Resource Control Monitoring (resctrl).
SPC-1507	General	Inconsistent port admin state between Gaia OS database and SSMs.
SPC-723	General	Added support for N+1 chassis CMM Firmware 3.70-rev6.1, to address high rotation of fans.
SPC-1083	General	Jumbo Hotfix upgrade will fail if 'Image auto cloning' is activated. Refer to sk145955.
SPC-1585	General	After reboot, the image.md5 file is different among SGMs.
SPC-1621	General	Configuring BGP MD5 with several other neighbors might cause a kernel crash.
SPC-1416	General	On SGW only: cpha_blade_config now uses FW cores instead of SecureXL cores. Refer to sk145953.
SPC-1582	General	SGM does not recover from local logging after the connection to the log server is reestablished.
SPC-1415	General	On SGM440 only: During heavy load, the i40e driver may become unresponsive and reset itself.
SPC-1904	General	asg_perf_hogs reports false alert about soft lockups.
SPC-1447	General	Fix for general errors with the format: `Accelerator Status : off by Firewall (too many general errors (NUMBER) (caller: Name_of_Function))`
SPC-1998	VSX	VSX reconfiguration fails because of a degradation in Take 159 (SPC-1564).
SPC-1581	Cluster	Improved decision for chassis failover.
SPC-1608	FireWall-1	Desktop Policy on SP50 is not enforced on all members. Refer to sk140752.
SPC-1773	FireWall-1	Policy installation enhancement.
SPC-1759	FireWall-1	GTP stability fixes.
SPC-1889	FireWall-1	IPS false positive - "Non Compliant DNS" - illegal EDNS0 RR. Refer to sk112578.
Take 105 (20 November 2018)
SPC-1386, SPC-1423, SPC-931, SPC-1515, SPC-1345, SPC-1191, SPC-827, SPC-376, SPC-94, SPC-1265, SPC-875, SPC-65, SPC-1430, SPC-1475	General	General stability fixes.
SPC-569	General	Improved run time for asg_version -v.
SPC-445	General	Added support for asg_info with a new timestamp flag that collects relevant information between timestamps.
SPC-1542	General	Added new firmware (3.70-rev6) for CMM700. Refer to sk138652 for instructions on how to distinguish between CMM700-AA and CMM700-CC.
SPC-1406	General	'asg_arp' enhancements: Will now ignore proxy arp entries Will now ignore SSM / CMM arp entries Will not resolve IP address to hostname
SPC-1298	General	Management over data-port redirection to the SMO. For details, refer to sk140834.
SPC-1245, SPC-1246	Cluster	Cluster enhancements.
SPC-567	FireWall-1	Added support for RAD protocol encryption between the Security Gateway and the Cloud. Refer to sk140292.
SPC-837	FireWall-1	Added support for ISP Redundancy on Scalable Platforms. Refer to sk140512.
SPC-1515	FireWall-1	Protects fw code against fragment/segment smack attack. Refer to sk134253.
SPC-1223	Gaia OS	asg_route shows, in specific cases, inconsistent routes between the OS and the DB.
SPC-818	Gaia OS	Exposed password on .clish_history file.
SPC-946	Routing	Default route learned via BGP is temporarily deleted after a chassis failover.
SPC-876	Routing	Multicast PIM traffic register packets are sent with an incorrect checksum.
SPC-935	SecureXL	Fragmented reply traffic, for a connection created by a template, is dropped by the clean-up rule.
SPC-874	SecureXL	Multiple port-less temporary connections are dropped in SecureXL - "Connection not found".
SPC-1010	SecureXL	When IPv6 is enabled, SecureXL ignores VLAN tagged packets in a bridge interface.
SPC-1204	VSX	vsx verify tool fails on routes with weights.
SPC-789	NAT	Added support for NAT monitor. Refer to sk140152.
SPC-199	VPN	Optimized division of VPN-office-mode IP pool. Refer to sk97795.
Take 96 (30 September 2018)
SPC-1329, SPC-1284, SPC-1267, SPC-1136, SPC-1006, SPC-960, SPC-900, SPC-884, SPC-1393, SPC-1353	General	General stability fixes.
SPC-1323	General	config_verify -v command fails on te_attributes.conf.
SPC-1300	General	Routes get stuck in the OSPF database.
SPC-883	General	Added support for excluding specific IP addresses from acceleration.
SPC-1297	VSX	Added support for PBR in VSX (Policy Based Routing). For details, refer to sk137232.
SPC-1392	LTE	TEID log field is not shown in GTPv2 drop log when TEID exceeds 0x7FFFFFFF
Take 84 (28 August 2018)
SPC-1319	General	asg alert configuration is reset after installation of JHF Take_72 and above.
SPC-2038	General	The $FWDIR/conf/alert.conf file on SGMs is overwritten when the user upgrades from Takes 72 - 83 to a higher Take of the R76SP.50 Jumbo Hotfix Accumulator. To upgrade from Takes 72 - 83 to Take 84 (or higher) of the R76SP.50 Jumbo Hotfix Accumulator: Back up the current $FWDIR/conf/alert.conf file on all SGMs. Upgrade to Take 84 (or higher) of the R76SP.50 Jumbo Hotfix Accumulator. Restore the $FWDIR/conf/alert.conf file you backed up on all SGMs.
Take 83 (21 August 2018)
SPC-1293	Security Gateway	Check Point response to SegmentSmack (CVE-2018-5390) & FragmentSmack (CVE-2018-5391). Refer to sk134253.
SPC-1192	General	Added support for: 10G SFP transceiver for SSM440 (BTI10GSRSFPP) 40G QSFP transceiver for SSM440 (BTI40GSRDDQSFP) 100G QSFP transceiver for SSM440 (100GLR4LCW2SMLC) 100G QSFP transceiver for SSM440 (100GLR4LN10SMLC)
Take 82 (15 August 2018)
SPC-1029, SPC-1009, SPC-1077, SPC-1041	General	General stability fixes.
SPC-747	General	The asg stat -v command displays '0' PSUs and fans if only PSUs 5 and 6 are used (applies only to 64K).
SPC-1084	General	Added new SSD firmware (SCV10142).
SPC-1122	General	Improved failure detection response. Refer to sk132934.
SPC-1120	General	In some cases, syslog is sent only by the SMO.
SPC-276	General	Added support for L4 and General Distribution mode combination.
SPC-831	General	CIN traffic between the SGM and the SSM is dropped by Security Gateway. Refer to sk133376.
SPC-1214	SNMP	snmpv3_dbget_conf_engineBoots errors are printed in the log for each event.
SPC-1220	LTE	Valid GTPv1 echo messages are logged as expired with no response (GTP Code:310).
SPC-1228	LTE	SNMP GTP counters for active bearers are not decremented.
SPC-1229	LTE	Incorrect lookup in gtpv2_ignore_elements table cause GTPv2 IEs failure to be ignored.
SPC-1028	LTE	Added parsing for GTPv2 EUTRAN-NB-IoT Radio access type.
Take 76 (12 July 2018)
SPC-1092, SPC-1089, SPC-1075, SPC-1074, SPC-916, SPC-1072	Gaia OS	General stability fixes.
SPC-1073, 01738910	General	When trying to access a website with URL in upper case (including WWW), the RAD normalization is done wrong and 'www.' is not removed.
SPC-136	General	In a rare scenarios, traffic is dropped with "dropped by fwkdrv_enqueue_packet_user_ex Reason: VS or Instance Down (vsid <number>);" message. Refer to sk120984.
SPC-1071, 01687181	HTTPS Inspection	HTTPS Categorization with Hold configuration sometimes drops big URLs.
SPC-1004	SNMP	SNMPv3 infrastructure enhancement.
Take 72 (28 June 2018)
SPC-817, SPC-938, SPC-783, SPC-784, SPC-823, SPC-581, SPC-583, SPC-585, SPC-740, SPC-767	Gaia OS	General stability fixes.
SPC-597	Gaia OS	Improved "Warning" infrastructure to asg_pef_hogs and added warning for NAT templates test instead of an error.
SPC-903	Gaia OS	"Invalid MAC address" error on "vsx verify" command failure after upgrade to R76SP.50.
SPC-909	Gaia OS	"MAC learning packet" debug messages are flooding the syslog.
SPC-214, SPC-377, SPC-576, SPC-812	General	Added support for new SSM firmeware. Refer to sk93332 under section: "Software and Hardware Compatibility" and "Hardware software revision"
SPC-826, 01579916	General	syslog messages forwarded to external Syslog server, do not contain the host name. Refer to sk100727.
SPC-950	General	Setting PBR rule priority X match to X.X.X.X/XX" returns "Syntax error" message.
SPC-89	General	Added support for "Unified MAC for data ports" mode (Only for SGW). Refer to "Added support for "unified MAC for data ports"" chapter in 60000/40000 Security Platform R76SP.50 Administration Guide.
SPC-785, 01897723, 02757903	General	Added support for ECDHE P-384 curve.
SPC-976	General	Added support for transceiver per SSM440 (SJ8512-X5ATOS)
SPC-520	General	LACP Bond slave is down after reboot under some conditions.
SPC-879, SPC-549	General	Failing ICMPv6 traffic does not display error message. Refer to sk129732.
SPC-853	General	After performing chassis failover while generating user logs, PDP constantly disappearing from the "pep sh pdp all" list after reaching approx 13-14k users.
SPC-906	SNMP	Added support for SHA1/AES for SNMP USM users.
SPC-825	SNMP	SNMP trap is not sent upon interface Up/Down event.
SPC-586, 01204836	SNMP	The snmpwalk command fails with "Timeout: No Response from" message when runnig OID 1.3.6.1.4.1.2620.1.16 on VSX machine with large number of Virtual Systems. Refer to sk97947.
SPC-927, SPC-922	SNMP	snmpwalk for asgIF table (1.3.6.1.4.1.2620.1.48.26) fails after upgrade to R76SP.50 Jumbo Hotfix Take_40. Refer to sk123355.
SPC-651, 02525379	VPN	VPN packets are dropped when VPN Sticky SA is enabled. Refer to sk118084.
SPC-667, 02721008	Logging	Logs with Track "None" in rule base are being logged to SmartLog, although logging is disabled.
SPC-886	VSX	In some scenarios, IPv6 Scopelocal routes are missing after adding new VLAN in VSX.
SPC-579, 01178961	VoIP	"sip reason: Too many streams in SDP" drop log in SmartView Tracker. Refer to sk93752.
SPC-857, 02356285	VoIP	H.323 VoIP Keep Alive "ACK" packets are not forwarded to the client. Refer to sk113749.
SPC-939, 02729238	SSL Inspection	Rule mismatch on SSL inspection rulebase if partial match higher than full match. Refer to sk123718.
SPC-699, 01427150	DLP	Enabling DLP and TE software blades cause the DLPU process to stop working producing core dump after policy installation.
SPC-18	LTE	Carrier Security (LTE) stability fixes. Refer to sk130212.
Take 62 (26 Apr 2018)
SPC-571, SPC-662	Gaia OS	The distutil verify command fails in specific scenarios. Refer to sk123777.
SPC-537, 02620877	Gaia OS	When monitored by CPWD, FWD process stops working in specific scenarios.
SPC-655, SPC-656	Gaia OS	Added support for multiple IPv4 addresses per interface. For more information, refer to "Alias IP" chapter in 60000/40000 Security Platform R76SP.50 Administration Guide.
SPC-653, 02509382	Gaia OS	Packet drops due to static NAT configuration with VPN.
SPC-527, SPC-534, SPC-532, SPC-535	Gaia OS	General stability fixes.
SPC-530	Gaia OS	ADlog returns wrong FQDN for some domains.
SPC-557	Gaia OS	coredumps_bt script fails if debug tools were not installed or for fwk coredumps.
SPC-813	Gaia OS	asg_serial_info command returns corrupted output.
SPC-607	General	Added support for 1G transceivers for SSM160 (BTIMGBICMTX).
SPC-531	General	Policy installation fails if HTTP Methods protection is enabled.
SPC-657, SPC-528	General	SSMs are monitored as "down" during policy installation.
SPC-806	Cluster	Soft lockups infrastructure enhancement.
SPC-256	SecureXL	SecureXL concurrent connections counter is inaccurate.
SPC-802	HTTPS Inspection	Streaming infrastructure degradation fix for SPC-612.
Take 55 (29 Mar 2018)
SPC-517, SPC-649	Gaia OS	Security hardening for Gaia Clish. The patch command is now removed from Clish.
SPC-497	Gaia OS	The asg_info command does not collect information for non-VS0 VSs.
SPC-372	Gaia OS	The asg_dr_verifier command fails with "Dynamic Routing Failed to query routing data" error in some scenarios. Refer to sk123192.
SPC-486, 02648278	Gaia OS	It is not possible to disable cpWatchDog monitoring of FWD process. Refer to sk120756.
SPC-215	Gaia OS	Enable set interface speed for Mgmt port.
SPC-592	Gaia OS	After installing the os_net_snmp rpm, the /etc/snmp/vsx-proxy/snmpd.vsx.proxy.conf file is overriden with an empty file.
SPC-97	Gaia OS	In a certain condition, gateway crashes when passing the CIFS traffic.
SPC-56, 02658222	Gaia OS	The asg_arp command fails due to proxy ARP addresses. Refer to sk121450.
SPC-99	General	Traditional Anti-Virus is not supported on Scalable Platforms. When it is enabled, the policy installation fails with "Load on module failed" error. Starting from this Take, if the Traditional Anti-Virus is enabled, there is no option to install thе Security policy.
SPC-200	General	Support for Multi-Queue on Mgmt interfaces was added. Support for CIN packet priority was added. Refer to sk119956.
SPC-539	General	The SMO image cloning mechanism activation fails with error: Error setting image auto-clone state to on Image auto-clone state is off.
SPC-213	General	Add support for 64K with 1 SSM.
SPC-302, SPC-303	General	Added new firmaware for SSM 160 and SSM 440. Added support for BiDi Transceiver (13B8NIY4455).
SPC-91	General	IPv6 logs are incorrectly unified with different SGM IDs.
SPC-278	General	NTP cannot update itself after the upgrading to R76SP.50.
SPC-188	General	After upgrade from R76SP.40 to R76SP.50, the asg diag command fails with "Matrix size error".
SPC-107	General	Set Back Plane (BP) ports speed to "auto" when working with SSM440.
SPC-104	General	Update SNX version to latest version.
SPC-630	SecureXL	After upgrade SGM400 to R76SP.50 JHF Take_44, number of SecureXL CPU cores reduced to 1. Refer to sk123375.
SPC-490, 02658128	IPS	IPS is shown as enabled, although IPS blade is disabled on the gateway object in SmartConsole. Refer to sk121152.
SPC-612	HTTPS Inspection	HTTPS Inspection stability fix.
SPC-31, 01166621	SNMP	SNMPv3 with USM 'authentication' configuration does not survive reboot. Refer to sk92937.
Take 40 (04 Feb 2018) Note: This Take replaces Take 39 released on 01 Feb 2018. It is recommended to install Take 40
SPC-118, SPC-418, SPC-417, SPC-416, SPC-365	Gaia OS	Enhanced monitoring and configuration of VLANs on SSM. Refer to sk121094.
SPC-179	Gaia OS	Added support for CRON Jobs.
SPC-178	Gaia OS	Added ability for user to login without password by using synchronization of SSH keys.
SPC-177	Gaia OS	Added ability to add files to the cross SGM synced files list.
SPC-19	General	Added support for Online Certificate Status Protocol (OCSP).
SPC-103	General	"asg diag" hardware verification fails when PSUs are not placed in consecutive order.
SPC-117	General	Improved stability and functionality of RAD engine.
SPC-34, SPC-32, SPC333	General	Improved stability and functionality of WSTLD engine.
SPC-67	General	NetFlow Enhancement: Added separate fields for Check Point Enterprise, Memebr ID, VS-ID.
SPC-320, SPC-498	VSX	Extended SNMP Support for VSX on chassis hardware. Refer to "Best Practices - Monitoring" section in sk101556.
SPC-209	SecureXL	SecureXL causes multiple traffic drops for different services (smtp/dns/ssh) after reboot.
SPC-180	Logging	Added support for Audit logs for expert bash commands.
Take 31 (07 Jan 2018)
SPC-17 SPC-111 SPC-110 SPC-109 SPC-108	General	Enhancement: Added support for synchronization with User Center.
SPC-149	General	Enhancement: Added support for new 100G transceivers for SSM440 (SPQ-CE-LR-CDFM)
SPC-93	General	Enhancement: Added support for new transceiver per SSM440 (SPQ-CE-LR-CDFB)
SPC-160	General	SSM loses verification signature when Layer4 distribution is enabled.
SPC-105	General	Aligned SGM clock and SSM440 clock when SSM comes up.
SPC-69	General	The asg monitor command does not work with VSLS mode when SGM is down.
SPC-57	General	OSPF point-to-point configuration command is not updated for OSPF Multiple Instances.
SPC-16	Identity Awareness	Enhancement: Added support for Scale IDA (PEPD side only) and Identity Collector.
SPC-49	HTTPS Inspection	Blocking HTTP Evader bypass Web Intelligence using evasions techniques.
SPC-54	IPS	IPS signatures are not matched when NULL bytes are added to gzip files.
SPC-51	IPS	Improved IPS inspection of 304 HTTP responses sent with body and no content length.
SPC-130	Client Authentication Portal	Client Authentication portal does not add the required HTTP security headers.
SPC-131	Anti-Virus, Anti-Bot, URL Filtering	URLs with whitespaces are wrongly matched against Anti-Virus, Anti-Bot and URL Filtering databases.
SPC-43	VPN	Improved stability for vpnd process when using unsupported Windows client IKEv2 authentication.
SPC-48	VPN	Improved stability for vpnd process in IKEv2 handshake when FQDN is sent as part of the request.
SPC-44	VPN	Enhancement: Chain of certificates in IKEv2 authentication is allowed.
SPC-86 SPC-36	VPN	Enhancement: Added support for VPN Office mode with DHCP Forwarding.
SPC-161	SecureXL	Improved stability in SecureXL random NAT port allocation. Refer to sk116977.
SPC-139	SecureXL	Returning traffic is dropped on cleanup rule upon policy installation for some time, or until SecureXL is disabled. Refer to sk121765.
SPC-85	Gaia OS	Enhancement: Implemented confirm and audit mechanisms for "set fcd revert ..." command.
SPC-106 SPC-84 SPC-83	Gaia OS	Improved stability of routed daemon.
SPC-81	Security Gateway	fw process crashes with Segmentation fault when running the fw fetch -n command.
SPC-92	Security Gateway	DDoS mitigation (F2F Quota) mechanism is not activated after reboot, even if it is enabled in the configuration.
SPC-42	Security Gateway	DHCP relay traffic is dropped with Reason: PSL Drop: ASPII_MT in kernel debug output. Refer to sk100233
SPC-40	Security Gateway	Memory leak in TCP streaming when hold reaches timeout.
SPC-37	Security Gateway	When using non ASCII_US characters in Expert password, gclish crashes with Segmentation fault.
SPC-6	Security Gateway	cm_reset_cmm is not always resetting the correct CMM.
Take 20 (27 Sep 2017)
02593026	General	Check Point Registry is not updated with the proper build numbers after installing Jumbo Hotfix Accumulators.
02645803	HTTPS Inspection	Interoperability issue with Chrome version 61 when HTTPS Inspection is enabled. Refer to sk120457.
02631282	VPN	Improved stability while working with VPN and IKEv2.
02521324	CloudGuard	Added support for CloudGuard. Refer to sk120464.
Take 16 (27 Aug 2017)
02535520; 02557258; 02539375	General	Added the transceiver 1G Source Photonics SP-GB-TX-CNFC to "`asg diag verify`" certified list. Added the transceiver 10G Source Photonics SPP-10E-LR-CDFF to "`asg diag verify`" certified list. Added the transceiver 40G Source Photonics SPQ-10E-LR-CDFB to "`asg diag verify`" certified list. Added the transceiver 100G Innolight TR-FC13T-N00 to "`asg diag verify"` certified list. Added the transceiver 40G Source Photonics SPQ-10E-SR-CDFG to "`asg diag verify`" certified list. Added the transceiver 40G Finisar FTL410QE2C to "`asg diag verify`" certified list.
02527710	General	Check Point response to CVE-2016-2183 (Sweet32). It is now possible to control the use of 3DES in HTTPS Inspection, Mobile Access Portal, Identity Awareness Portal, Mobile Access curl (fix for SSL connections from a client to Mobile Access Gateway). Refer to sk113114.
02527712	General	Check Point response to OpenSSL CVE-2015-1789.
02560588; 02559202; 02564206; 02555471; 02555502	General	Added support for Check Point PRO Report service. Notes: At the end of the installation of this Take 16 (and above), if CPdiag RPM package was not installed before, the following message is shown to the user: `Help us to enhance product usability and services by automatically sending daily diagnostic and usage data to the secure Check Point Cloud. For more information, see sk111080` This support for Check Point PRO Report only adds the ability for 60000 / 40000 appliance to send the relevant monitoring information to Check Point. A quote needs to be generated to benefit from Check Point PRO reports.
02560029; 02530894	General	"`asg_serial_info`" is now the unified tool for showing serial information for all hardware components.
02531922	General	Number of queries per connection from RAD daemon to Check Point cloud can be configured in Check Point Registry. On 40000 / 60000 appliances the default is 50 queries per connection. Refer to sk103422.
02504948	General	The "`asg diag`" test for parity errors fails when parity counter's value is greater than zero, even when it does not increase over time.
02558360	General	routed and syslogd daemons consume CPU at high level. Refer to sk119138.
02556886	General	Improved stability of routed daemon in BGP (when "aspath"/"community" are used).
02527652	General	The "`asg_parity_verify`" output shows inaccurate values in the SSM Parity Counters (cosmetic issue). Example scenario: There were 10 SSM parity errors on `Chassis1` There were 0 SSM parity errors on `Chassis2` When running the "`asg_parity_verify`" command from `Chassis1`, the output will show the expected values in the SSM1 / SSM2 Parity Counters for both chassis: +---------------------------------------------------------------------+ \|SSMs Parity Counter Verifier \| +---------------------------+--------------------+--------------------+ \| \|Chassis1 \|Chassis2 \| +---------------------------+--------------------+--------------------+ ... ... +---------------------------+--------------------+--------------------+ \|SSM1 Parity Counter \|10 \|0 \| +---------------------------+--------------------+--------------------+ ... ... +---------------------------+--------------------+--------------------+ \|SSM2 Parity Counter \|10 \|0 \| +---------------------------+--------------------+--------------------+ ... ... When running the "`asg_parity_verify`" command from `Chassis2` (on which there are no SSM parity errors), the output will incorrectly show the values in the SSM1 / SSM2 Parity Counters from `Chassis1`: +---------------------------------------------------------------------+ \|SSMs Parity Counter Verifier \| +---------------------------+--------------------+--------------------+ \| \|Chassis1 \|Chassis2 \| +---------------------------+--------------------+--------------------+ ... ... +---------------------------+--------------------+--------------------+ \|SSM1 Parity Counter \|10 \|10 \| +---------------------------+--------------------+--------------------+ ... ... +---------------------------+--------------------+--------------------+ \|SSM2 Parity Counter \|10 \|10 \| +---------------------------+--------------------+--------------------+ ... ...
02527687	General	Added the ability to disable/enable SSM alerts: run the "`asg alert`" command - select "Edit Configuration" - select "All" - select "Configure Excluded Modules"
02527688	General	Improved the "`asg_process_verifier -a`" to kill all zombies and their parents. Refer to sk116721.
02527711	General	Despite RC4 being disabled on the web server, and applying the steps from sk93395, security reports show that the web server is still allowing RC4 ciphers. Refer to sk104095.
02527683	General	After reverting a snapshot, RMAed/new SGM restarts with wrong "SGM_ID". Refer to sk115962.
02527699	General	"`Status: Table entries in fdb_shadow table is different between SGMs`" failure for the Bridge test when running "`asg diag verify`".
02529655	General	"`asg_cp2blades`" command does not preserve file permissions on the copied files. Instead, it sets the permissions to "644". Refer to sk117735.
02567502	General	Spelling corrections in the "`asg vsx_verify`" utility.
02565236	General	MGCP traffic is NATed to port range of 10000. Refer to sk101587.
02591245	General	After SGM reboot, it is stuck in endless reboot loop. Refer to sk119836.
02565249	General	Traffic is being dropped as "Non Compliant HTTP". Refer to sk119192.
02565246	General	Traffic from ClusterXL to third party devices is dropped. Refer to sk116975.
02549763	General	Improved stability when processing NAT connections.
02525474	Security Gateway	Security Gateway crashes during policy installation in rare scenarios. Refer to sk102787.
02527693	Security Gateway, VSX	Added ability to prevent chassis state flapping during policy installation. Refer to sk116414.
02527662	VSX	Multiple '`gzip`' processes in zombie state on VSX Gateway after VSX configuration push. Example excerpt from the '`ps`' command output: UID PID PPID C STIME TTY STAT TIME CMD admin 352 15270 0 Mar12 ? Z 0:00 [gzip] <defunct>
02520864	VSX	When running 64-bit VSX system, changing distribution on VS0 does not change the distribution on other Virtual Systems.
02527668	VSX	The "`asg diag`" fails due to wrong port count in VSLS mode.
02506815	VSX	Memory leak detection tool (sk98387) now works in VSX mode as well.
02529849	VSX	"`vsx stat -n`" command fails occasionally with "`fwctl_setget_conns_number failed on VS <ID>`" error.
02565250	VSX	Virtual memory is used at 100% in VSX mode. Refer to sk119613.
02527691	SecureXL	Security Gateway with enabled SecureXL and IPSec VPN blade crashes when traffic passes over VPN tunnel. Refer to sk107912.
02527659	SecureXL	SGM crashes during policy installation if SecureXL Drop Templates are enabled. Refer to sk117112.
02527660	SecureXL	Kernel memory leak during policy installation.
02529650	Gaia OS	"`/home/<UserName>/.ssh"` is a symbolic link to the "`/home/admin/.ssh`". Refer to sk117738.
02527707	Gaia OS	Following cluster failover, RouteD daemon sends OSPF "Hello" packets with no DR/BDR. Refer to sk105169.
02527676	Gaia OS	The "`show configuration router-id`" command shows Router ID as being configured, but configuration is not in the Gaia OS Database.
02527715	Gaia OS	If user disabled SSLv3 in Gaia Portal per sk102989 - POODLE Bites (CVE-2014-3566), and then installed the hotfix from sk106478 - Check Point response to CVE-2015-2808 (Bar Mitzvah), then the configuration will be overridden.
02529653	Gaia OS	"`NMSUSR0056 Cannot add homedir for user USERNAME, homedir already in use`" error in Gaia Clish when adding a new user. Refer to sk118082.
02584673	Threat Emulation	Improved stability of Threat Emulation online updates.
02565255	Threat Emulation	On VSX systems, Threat Emulation related links are not created properly during creation of a Virtual System. The ted process does not run on the Virtual System after enabling Threat Emulation.
02565253	Threat Emulation	Files are not sent for emulation to Check Point Cloud.
02539513	URL Filtering	URL Filtering blocks access to sites that do not contain the dot character ('.') in URL. Refer to sk64162.
02538345	URL Filtering	URL Filtering log "`Internal System Error occurred, allowing / blocking request (as configured in engine settings)`" due to empty CN field in HTTPS site's certificate. Refer to sk64162.
02527692	Identity Awareness	Identity Awareness stops working, users are not identified and Access Roles are not enforced. Refer to sk114575.
02532578	Identity Awareness	Policy installation on Identity Awareness Gateway fails randomly. Refer to sk108290.
02532702	Identity Awareness	PDP daemon does not show user identities despite getting the correct information from the Domain Controllers. Refer to sk101288.
02533450	Identity Awareness	If Identity Awareness fails to insert an entry into a relevant kernel table because that table's limit was reached, then the relevant log will be generated (to be viewed in SmartView Tracker, SmartLog).
02522133	Identity Awareness	"`Login failed. If the problem persists please contact your administrator.`" error during login in Captive Portal using RADIUS on 60000 / 40000 appliance. Refer to sk116612.
02539610	UserCheck	Improved stability and memory consumption in UserCheck.
02522150	UserCheck	Web sites are blocked as expected by 60000 / 40000 appliance running R76SP.30 / R76SP.40 / R76SP.50, but UserCheck page is not displayed. Refer to sk114627.
02527702	SNMP	SNMP Request for OID "`asgNetIfTable`" (1.3.6.1.4.1.2620.1.48.26) returns 0 for TX and RX values. Refer to sk117280.

Installation instructions

For fresh installation, refer to Data Center Security Appliances 60000/40000 R76SP.50 Home Page.

For Jumbo Hotfix installation, refer to the R76SP.50 Upgrade Guide.

List of replaced files

List of files replaced by this Jumbo Hotfix Accumulator can be provided upon request by Check Point Support.

Troubleshooting instructions

Click Here to Show Entire List

"asg_hf_installer verify" shows that all hotfixes are installed on all SGMs, but "asg_provision" and "asg_version -v" fail on some SGMs

Reason:

Jumbo Hotfix Accumulator was not installed on some SGMs,but the Check Point Registry was pulled from the SMO, on which the Jumbo Hotfix Accumulator was already installed. Issue is most likely to occur when adding freshly installed SGM to Security Group.

Solution:

Run the following command on the problematic SGMs:
# ./AsgInstallScript -FORCED
Optional syntax:
# ./AsgInstallScript -b <chassis_ID | specific blade> force
Upgrade of SSM during Jumbo Hotfix Accumulator installation might fail with "Mismatch md5sum ... Retry again or fix manually" error
Symptom:

Upgrade of SSM during Jumbo Hotfix Accumulator installation might fail with "Mismatch md5sum ... Retry again or fix manually" error.

Example:
Upgrading SSM1 on Chassis2 ========================== Copying new firmware 2.4.C20.1 to SSM1 [ OK ] Checking md5sum of new firmware file [ FAILED ] Mismatch md5sum between GW and SSM1. Retry again or fix manually

Solution:
1. Select "No" when prompted to upgrade SSM.
2. Manually upgrade the SSM firmware per sk114753: 60000 / 40000 Appliances - SSM firmware 5.5.x.

Revision History

Show / Hide revision history

Date	Description
01 Sep 2019	Release of Take 205
03 July 2019	Release of Take 198
30 June 2019	Release of Take 196
27 May 2019	Release of Take 187
07 May 2019	Release of Take 184
21 April 2019	Release of Take 180
20 Feb 2019	Release of Take 161
11 Feb 2019	Release of Take 159
20 Nov 2018	Release of Take 105
30 Sep 2018	Release of Take 96
28 Aug 2018	Release of Take 84
21 Aug 2018	Release of Take 83
15 Aug 2018	Release of Take 82
12 July 2018	Release of Take 76
28 June 2018	Release of Take 72
17 June 2018	Release of Take 69
26 Apr 2018	Release of Take 62
29 Mar 2018	Release of Take 55
04 Feb 2018	Release of Take 40
07 Jan 2018	Release of Take 31
26 Oct 2017	Updated Important Notes
27 Sep 2017	Release of Take 20
04 Sep 2017	Issue ID 02560588 - updated the description
30 Aug 2017	Issue ID 02506815 - added link to sk98387
29 Aug 2017	Added "Revision History" section
27 Aug 2017	Release of Take 16

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating