60000 / 40000 Appliances - Jumbo Hotfix Accumulator for R76SP.50
Scalable Platforms Appliances
Platform / Model
41000, 44000, 61000, 64000
Table of Contents:
List of resolved issues per Take
List of replaced files
R76SP.50 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues on 60000 / 40000 products running R76SP.50.
This Incremental Hotfix and this article are periodically updated with new fixes.
The list of resolved issues below describes each resolved issue and provides a Take number, in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). The date on which this take was made available is listed near the Take's number.
This Jumbo Hotfix Accumulator is suitable only for 41000 / 44000 / 61000 / 64000 running:
R76SP.50 OS build 84 clean installation
R76SP.50 OS build 84 with lower (than the latest) Takes of this Jumbo Hotfix Accumulator
To see the OS version you are running, run one of the below commands from CLISH/GCLISH:
show version os build
The correct output should be:
OS build 84

asg_version
The correct output should be:
-*- 1 blade: 1_02 -*-
OS build 84, OS kernel version 2.6.18-92cpx86_64, OS edition 64-bit
If you are running an earlier R76SP.50 OS build, you should upgrade to OS build 84 before installing this Jumbo Hotfix Accumulator.
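The following shell snippet is an added example, not code from this article or from Check Point: it parses the output of the two commands above and refuses to proceed unless every blade reports OS build 84. It assumes the output format quoted above; the sample strings are constructed for the example (the multi-blade grouping headers in SAMPLE_MIXED are illustrative), and on a live system you would pass the real command output, for instance check_os_build "$(asg_version)" from GCLISH.

```shell
#!/bin/sh
# Added example (not from the Check Point article): pre-installation check that
# every blade runs the OS build required by this Jumbo Hotfix Accumulator.
# Assumption: the command output has the form quoted in the article.

REQUIRED_BUILD=84

# Print the distinct OS build numbers found in the given command output, one
# per line. Works for the single line of 'show version os build' and for the
# multi-blade asg_version output (one "OS build N, ..." line per blade group).
list_os_builds() {
    printf '%s\n' "$1" | sed -n 's/.*OS build \([0-9][0-9]*\).*/\1/p' | sort -u
}

# Exit status 0 only when exactly one build is present and it is the required
# one, so a Security Group with mixed builds fails the check as well.
check_os_build() {
    [ "$(list_os_builds "$1")" = "$REQUIRED_BUILD" ]
}

# Human-readable verdict for one command output.
report() {
    if check_os_build "$2"; then
        echo "$1: OS build $REQUIRED_BUILD on all blades, Jumbo Hotfix can be installed"
    else
        echo "$1: unsupported; builds found: $(list_os_builds "$2" | tr '\n' ' ')"
    fi
}

# Constructed sample outputs in the format the article quotes. SAMPLE_MIXED
# models a Security Group where one blade (1_03) was not upgraded to build 84;
# the "73" value is invented for the example.
SAMPLE_OK='-*- 1 blade: 1_02 -*-
OS build 84, OS kernel version 2.6.18-92cpx86_64, OS edition 64-bit'
SAMPLE_SHOW='OS build 84'
SAMPLE_MIXED='-*- 2 blades: 1_01 1_02 -*-
OS build 84, OS kernel version 2.6.18-92cpx86_64, OS edition 64-bit
-*- 1 blade: 1_03 -*-
OS build 73, OS kernel version 2.6.18-92cpx86_64, OS edition 64-bit'

report SAMPLE_OK "$SAMPLE_OK"
report SAMPLE_SHOW "$SAMPLE_SHOW"
report SAMPLE_MIXED "$SAMPLE_MIXED"
```

The mixed-build case matters on these appliances: as the Take 213 notes below record, a Security Group whose SGMs are not all at the same software level becomes unstable, so the check fails on any disagreement between blades rather than on the SMO's build alone.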
If you have previously installed any private hotfixes on top of your current version, contact Check Point Support before applying this Jumbo Hotfix Accumulator to verify that it is compatible with your environment.
Changing between Static NAT port allocation and Dynamic NAT port allocation (refer to sk103656) requires a full system reboot.
List of resolved issues per Take
Take 213 (01 January 2020)
Enhancement: Added the SSM uptime verification to 'asg diag'.
The Geo Policy IPToCountry database fails to update on Security Gateways (sk163672).
Description for the "-l" flag is missing from the 'AsgInstallScript' command.
When a Linux password is changed for a user on an SGM, it is not updated on other SGMs in the Security Group.
Output of the 'hw_utilization -d' command (the "HW Utilization" test) incorrectly shows "FWK cores:<EMPTY>".
SGMs instability in the following scenario:
Some SGMs in the same Security Group are installed with R76SP.50 only.
Some SGMs in the same Security Group are installed with R76SP.50 and R76SP.50 Jumbo Hotfix Accumulator.
The Identity Awareness Software Blade is enabled on the Security Group.
When Virtual Systems pass large volumes of traffic, an SNMP query of OID .220.127.116.11.4.1.2618.104.22.168.90.10 (Throughput per VS per SGM) returns incorrectly large values.
Take 208 (03 November 2019)
SPC-2431, SPC-2562, SPC-2713
General Stability fixes
The Chassis Monitor daemon does not continue monitoring hardware after the PSU fails.
TFTP connections might be dropped with a distribution mode combination of SSM L4 + General.
The 'hw_utilization -d' command misinterprets an unlimited connection limit.
SSM clock settings do not survive a reboot.
Added SSM long uptime verification on 'asg diag'.
Memory leak in CPD daemon might fail a policy push. Refer to sk111880.
Added VSX support for the 'asg_drop_monitor' command.
Support for Internal CA certificate replacement.
fastaccel connections cause a large number of log messages.
Improved affinity distribution on gexec processes.
SPI Distribution should be disabled when VPN Sticky SA is enabled.
Even though incorrect Matching Criteria were configured, a tunnel is established.
Extended character limitation on snapshot names from 15 characters to 256 characters.
When the PDP deletes the 0.0.0.0/0 published network, the result is an endless loop.
Multiple Security Groups
SGRM server is not responsive after the SGM restarts.
Take 205 (01 September 2019)
General Stability fixes
"asg diag" hardware verification fails when PSUs are not placed in consecutive order (degradation from Take 196).
CPD memory leak due to cpmon threshold.
Added the ability to collect asg_info on SGMs in down state.
The $CPDIR/tmp/ directory is filled with 'file...' files. Refer to sk98567.
The asg_serial_info command returns wrong output - shows "Not in the security group" for SGMs on chassis 1.
Added time estimation when adding/removing a bond's primary slaves with more than 60 VLANs.
Fixed general issues with asg_hw_monitor command.
DC power consumption optimization for 41K Chassis.
Security Gateway randomly stops forwarding the IGMP / PIM Sparse Mode multicast traffic. Refer to sk106858.
RouteD daemon might crash when PIM packets are received in an unsupported IP format group. Refer to sk111891.
RouteD daemon might crash on cluster member when PIM Sparse Mode multicast is configured and multicast traffic arrives from peer cluster member. Refer to sk104847.
Previously reachable BGP routes are still advertised to BGP peers on ClusterXL after the switch that connects these members goes down.
As the result of a large rule base, the string_dictionary_table kernel table on Security Gateway can fill up. Refer to sk66342.
Policy installation fails with error "Reason: Load on Module failed - failed to load Security Policy" due to a problem with spii_multi_pset2kbuf_map kernel table. Refer to Scenario 22 in sk33893.
VSW does not pull the manually 'set affinity' from the SMO.
A VSX configuration push causes all routes / interfaces to be deleted from a single SGM. Refer to sk160572.
"Fetching Security Policy Succeeded fw ctl affinity -l can only run from the context of the VSX (VS0)" warning appears when running the 'fw fetchlocal' command on non-VS0.
The maximum length of the file name extension of files uploaded for emulation was increased.
SIP connections may be regularly dropped with the "Number of reinvites exceeded the limit" error. A new "sip_expire" parameter was added to let users customize how much time a registration request should take.
Take 198 (03 July 2019)
Software blades cannot be updated due to a certificate validation error. This is a degradation from Take 180.
Deleting a VLAN in VSX mode shuts down (admin-state) the Trunk interface on the SSM. This is a degradation from Take 159.
Take 196 (30 June 2019)
SPC-2309, SPC-2277, SPC-2237, SPC-448
General stability fixes.
Added support for MAGG with LACP configuration.
Added port 28581 to TCP Management forward list.
asg_drop_monitor enhancement. For details, refer to the "Packet Drop Monitoring (asg_drop_monitor)" section in the R76SP.50 Administration Guide.
VSX configuration fails because the SMO fails to tar zip the local.vs file to tgz.
IPv6 traffic may be dropped when working with a distribution mode combination of SSM L4 + General + IPv6.
The ARP table is cleared after a policy installation.
Working with eth1-Mgmt3 causes incorrect logs on the SSM2's interfaces.
asg_hf_installer gets stuck when the user reboots the SGMs.
hw_utilization fails to execute.
In rare cases, the SGM goes DOWN after a policy installation.
Changing the SGM's slot-ID when using only one SSM could result in unnecessary reboots.
The 'show smo log auditlog' command is unavailable.
When the user presses ENTER, the expert audit log regards it as a repetition of the previous command.
Check Point response to TCP SACK PANIC - Linux Kernel vulnerabilities - CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479 - refer to sk156192.
Security Gateway logging issues to the log server when the active_remote_servers parameter value is set to 0.
Logs do not arrive at the log server when the active_remote_servers parameter value is set to 0.
Multiple Security Groups
When the Gateway is in Multiple Security Groups, adding an interface to a bonding group results in an error.
When the Gateway is in Multiple Security Groups, interface eth1-09 does not receive traffic on SSM440.
Take 187 (27 May 2019)
Added new SSM440 firmware: 5.5.R5.7.CP.T-ATCA510.
Added new SSM160 firmware: 5.5.R1.6.CP.T-ATCA404.
A disorderly exit (Ctrl + c) from asg alert ("Full Configuration Wizard" section) causes the alert messages to not be sent.
You can now change the severity of asg alert events. Refer to the "Configuring Alerts for SGM and Chassis Events" section in the R76SP.50 Administration Guide.
Running the fw6 tab -t connections -s command in a non-VS0 context generates a fw6 core dump.
Reverted 'Policy Based Routing' feature for VSX only.
Take 184 (07 May 2019)
General stability fixes.
"SSM Management Loss" enhancement. For details, refer to sk145792.
Fix for situations in which the CPD hangs.
The Chassis Monitor daemon brings the CMMs down after a failover without a grace period.
Post installation succeeds, but the admin state script fails.
Mail alerts are sent with VS0 statistics only, instead of with statistics for the entire SGM.
asg_perf_hogs does not properly alert the user of ARP table overflow.
For VSLS only: VSs are not on the primary chassis due to a failure to load the chassis kernel parameters.
config_verify -v command fails on te_attributes.conf.
Routes get stuck in the OSPF database.
Added support for excluding specific IP addresses from acceleration.
Added support for PBR in VSX (Policy Based Routing). For details, refer to sk137232.
The TEID log field is not shown in the GTPv2 drop log when the TEID exceeds 0x7FFFFFFF.
Take 84 (28 August 2018)
asg alert configuration is reset after installation of JHF Take_72 and above.
The $FWDIR/conf/alert.conf file on SGMs is overwritten when the user upgrades from Takes 72 - 83 to a higher Take of the R76SP.50 Jumbo Hotfix Accumulator. To upgrade from Takes 72 - 83 to Take 84 (or higher) of the R76SP.50 Jumbo Hotfix Accumulator:
Back up the current $FWDIR/conf/alert.conf file on all SGMs.
Upgrade to Take 84 (or higher) of the R76SP.50 Jumbo Hotfix Accumulator.
Restore the $FWDIR/conf/alert.conf file you backed up on all SGMs.
Take 83 (21 August 2018)
Check Point response to SegmentSmack (CVE-2018-5390) & FragmentSmack (CVE-2018-5391). Refer to sk134253.
Added support for:
10G SFP transceiver for SSM440 (BTI10GSRSFPP)
40G QSFP transceiver for SSM440 (BTI40GSRDDQSFP)
100G QSFP transceiver for SSM440 (100GLR4LCW2SMLC)
100G QSFP transceiver for SSM440 (100GLR4LN10SMLC)
Take 82 (15 August 2018)
SPC-1029, SPC-1009, SPC-1077, SPC-1041
General stability fixes.
The asg stat -v command displays '0' PSUs and fans if only PSUs 5 and 6 are used (applies only to 64K).
Added new SSD firmware (SCV10142).
Improved failure detection response. Refer to sk132934.
In some cases, syslog is sent only by the SMO.
Added support for L4 and General Distribution mode combination.
CIN traffic between the SGM and the SSM is dropped by Security Gateway. Refer to sk133376.
snmpv3_dbget_conf_engineBoots errors are printed in the log for each event.
Valid GTPv1 echo messages are logged as expired with no response (GTP Code:310).
SNMP GTP counters for active bearers are not decremented.
An incorrect lookup in the gtpv2_ignore_elements table causes GTPv2 IEs that should be ignored not to be ignored.
Added parsing for GTPv2 EUTRAN-NB-IoT Radio access type.
Added the transceiver 1G Source Photonics SP-GB-TX-CNFC to "asg diag verify" certified list.
Added the transceiver 10G Source Photonics SPP-10E-LR-CDFF to "asg diag verify" certified list.
Added the transceiver 40G Source Photonics SPQ-10E-LR-CDFB to "asg diag verify" certified list.
Added the transceiver 100G Innolight TR-FC13T-N00 to "asg diag verify" certified list.
Added the transceiver 40G Source Photonics SPQ-10E-SR-CDFG to "asg diag verify" certified list.
Added the transceiver 40G Finisar FTL410QE2C to "asg diag verify" certified list.
Check Point response to CVE-2016-2183 (Sweet32). It is now possible to control the use of 3DES in HTTPS Inspection, Mobile Access Portal, Identity Awareness Portal, Mobile Access curl (fix for SSL connections from a client to Mobile Access Gateway). Refer to sk113114.
At the end of the installation of Take 16 (and above), if the CPdiag RPM package was not installed before, the following message is shown to the user: Help us to enhance product usability and services by automatically sending daily diagnostic and usage data to the secure Check Point Cloud. For more information, see sk111080
This support for Check Point PRO Report only adds the ability for 60000 / 40000 appliance to send the relevant monitoring information to Check Point. A quote needs to be generated to benefit from Check Point PRO reports.
"asg_serial_info" is now the unified tool for showing serial information for all hardware components.
Number of queries per connection from RAD daemon to Check Point cloud can be configured in Check Point Registry. On 40000 / 60000 appliances the default is 50 queries per connection. Refer to sk103422.
The "asg diag" test for parity errors fails when parity counter's value is greater than zero, even when it does not increase over time.
The routed and syslogd daemons consume a high level of CPU. Refer to sk119138.
Improved stability of routed daemon in BGP (when "aspath"/"community" are used).
The "asg_parity_verify" output shows inaccurate values in the SSM Parity Counters (cosmetic issue).
When running the "asg_parity_verify" command from Chassis1, the output will show the expected values in the SSM1 / SSM2 Parity Counters for both chassis:
There were 10 SSM parity errors on Chassis1
There were 0 SSM parity errors on Chassis2
"NMSUSR0056 Cannot add homedir for user USERNAME, homedir already in use" error in Gaia Clish when adding a new user. Refer to sk118082.
Improved stability of Threat Emulation online updates.
On VSX systems, Threat Emulation related links are not created properly during creation of a Virtual System. The ted process does not run on the Virtual System after enabling Threat Emulation.
Files are not sent for emulation to Check Point Cloud.
URL Filtering blocks access to sites that do not contain the dot character ('.') in URL. Refer to sk64162.
URL Filtering log "Internal System Error occurred, allowing / blocking request (as configured in engine settings)" due to empty CN field in HTTPS site's certificate. Refer to sk64162.
Identity Awareness stops working, users are not identified and Access Roles are not enforced. Refer to sk114575.
Policy installation on Identity Awareness Gateway fails randomly. Refer to sk108290.
PDP daemon does not show user identities despite getting the correct information from the Domain Controllers. Refer to sk101288.
If Identity Awareness fails to insert an entry into a relevant kernel table because that table's limit was reached, then the relevant log will be generated (to be viewed in SmartView Tracker, SmartLog).
"Login failed. If the problem persists please contact your administrator." error during login in Captive Portal using RADIUS on 60000 / 40000 appliance. Refer to sk116612.
Improved stability and memory consumption in UserCheck.
Web sites are blocked as expected by 60000 / 40000 appliance running R76SP.30 / R76SP.40 / R76SP.50, but UserCheck page is not displayed. Refer to sk114627.
SNMP Request for OID "asgNetIfTable" (22.214.171.124.4.1.26126.96.36.199) returns 0 for TX and RX values. Refer to sk117280.
The Jumbo Hotfix Accumulator was not installed on some SGMs, but the Check Point Registry was pulled from the SMO, on which the Jumbo Hotfix Accumulator was already installed. This issue is most likely to occur when adding a freshly installed SGM to a Security Group.
Run the following command on the problematic SGMs:
# ./AsgInstallScript -FORCED
# ./AsgInstallScript -b <chassis_ID | specific blade> force
Upgrade of SSM during Jumbo Hotfix Accumulator installation might fail with "Mismatch md5sum ... Retry again or fix manually" error.
Upgrading SSM1 on Chassis2
==========================
Copying new firmware 2.4.C20.1 to SSM1 [ OK ]
Checking md5sum of new firmware file [ FAILED ]
Mismatch md5sum between GW and SSM1. Retry again or fix manually