R80.20 GA and R80.20 Management Feature Release Known Limitations
Solution

This article lists all Known Limitations in R80.20 GA and R80.20 Management Feature Release.

Important notes:

Visit the Check Point CheckMates Community to ask questions or start a discussion and get our experts' assistance.


This article contains two sections:
  • List of R80.20 Security Gateway products Known Limitations

  • List of R80.20 Security Management products Known Limitations

 

List of R80.20 Security Gateway Products Known Limitations

Table of Contents

  • Installation and Upgrade
  • Gaia
  • Security Gateway 
  • Threat Prevention  
  • Identity Awareness
  • HTTPS Inspection
  • Application Control & URL Filtering
  • Content Awareness
  • IPS
  • DLP
  • SecureXL
  • ClusterXL
  • ICAP Server
  • Routing    
  • Mobile Access
  • VPN
  • Hardware
  • LTE
  • VSX
  • QoS
  • VoIP
  • SNMP




ID Symptoms Found in version
Installation and Upgrade
PMTR-17316

To upgrade a R77.30 or R80.10 Security Gateway with ICAP Client hotfix to a R80.20 Security Gateway:

  1. On the R77.30/R80.10 Security Gateway, back up the current ICAP Client configuration file ($FWDIR/conf/icap_client_blade_configuration.C).
  2. Upgrade the R77.30/R80.10 Security Gateway to R80.20, or perform a Clean Install of the R80.20 Security Gateway.
  3. Configure the ICAP Client from scratch as described in the R80.20 Next Generation Security Gateway Guide - Chapter "ICAP Client".
    Note: 
    • You can use the backed up ICAP Client configuration file from the R77.30 Security Gateway as a reference only.
    • You must explicitly confirm the disclaimer (run the script IcapDisclaimer.sh in the Expert mode).
  4. To inspect the HTTPS traffic with the ICAP Client, enable the HTTPS Inspection and configure the HTTPS Inspection rules.
  5. Install the Access Control policy on the R80.20 Security Gateway.
Note: If one of the ICAP configuration parameters is not configured correctly, SmartConsole shows an error with the name of the applicable parameter.
R80.20
PMTR-13035

When you perform a clean install of an R80.20 on top of an existing previous version, the following error might appear after the keyboard layout selection screen: 

Warning: /dev/sda contains GPT signatures, indicating that it has a GPT table. However, it does not have a valid fake msdos partition table, as it should. Perhaps it was corrupted – possibly by a program that doesn't understand GPT partition tables. Or perhaps you deleted the GPT table, and are now using an msdos partition table. Is this a GPT partition table?

In such case, select "Yes" several times to continue with the installation.

R80.20 
Gaia
PMTR-21441,
PMTR-22269
On oVirt virtual platforms, using "kvm-clock" as the clock source (/sys/devices/system/clocksource/clocksource0/current_clocksource) is not supported. This can cause the management processes to get stuck in an endless loop with very high CPU usage (almost 100%).  R80.20
02039589 If the backup schedule is changed to an invalid date or time, all backup schedules are lost and "Backup schedule failed. The backup will not be scheduled" error message is displayed. R80.10
01441743 If you change the members of a Gaia Cloning Group with many members down, you are logged out of the Gaia Portal with an incorrect error message: "Unable to connect to server".
The correct message is: "An error occurred while applying configuration change to all cloning group members" - the operation was successful only for online members. This is the normal behavior of the cloning group. This error does not indicate a critical failure.
R80
02621916,
02644222
In some scenarios, when unmounting an ext3 file system, the Security Gateway crashes with vmcore.  R77.30
02559704, 02561586;
02561478, 02561588,
PRHF-864
After adding the RBA roles Gaia commands (add rba role TACP-0 virtual-system-access all), the lines are missing from the "show configuration" command output, but the values can be seen in Expert mode (/config/active).
Refer to sk119394
R77.30
02730903 In some scenarios, unable to create snapshots. Refer to sk123612. R77.30
02559795,
02560843
Snapshot creation reaches 93% and stops, although there is enough space.
Refer to sk119675
R77.30
02423303,
02423845
Newly configured user (with UID that is not 0) is not able to log in from Gaia Clish to Expert mode on VSX Gateway.
Refer to sk115221
R77.30
Security Gateway
PMTR-17318

To upgrade an R77.30 Security Gateway with ICAP Server to an R80.20 Security Gateway:

  1. Back up the current ICAP Server configuration files (to use as a reference only):
    • $FWDIR/c-icap/etc/libsb_mod.conf
    • $FWDIR/c-icap/etc/c-icap.conf
    • $FWDIR/c-icap/etc/c-icap.magic
    • $FWDIR/c-icap/etc/virus_scan.conf
    • $FWDIR/c-icap/share/c_icap/templates/virus_scan/en/VIRUS_FOUND
  2. Upgrade the Security Gateway to R80.20, or clean install the R80.20 Security Gateway.
  3. Configure the ICAP Server from scratch in SmartConsole as described in the R80.20 Threat Prevention Administration Guide.
Important: You can use the backed up ICAP Server configuration files from the R77.30 Security Gateway as a reference only. In R80.20, the ICAP Server configuration is stored in the Management Database (for each Security Gateway object and the related Threat Prevention profile).
R80.20
02472857,
02470077
When using a rule with a legacy object in or below a rule with one of the new features that are integrated in the unified policy, policy installation on a Security Gateway fails with a verification message.
  • Workaround: change the order of the rules so that rules with legacy objects are above rules with new features.
Refer to sk115961.
R80.10
PMTR-8007 Complementary log feature is not supported.  R80.10
02518174

If you define an exception on 'Any' Inspection Settings, the exception is not enforced on these inspection settings:

  • ASCII only response
  • ASCII only request
R80.10
01584742 "Get Interfaces" action on gateway returns error "Failed to save cpmi interfaces" if interface name includes space. Gateway interface names must not include spaces.  R80
01820334,
02364974,
01821023
Security Gateway might crash after running 'cpstop' command if MSS Adjustment (Clamping) for IPsec VPN traffic is enabled (fw_clamp_vpn_mss=1).
Refer to sk101219.
R77.30
02473855,
02479570
Once the Log Server has been down for a long period of time, the gateways do not try to reconnect to it and logs are saved locally.
Refer to sk116233
R77.30
02470061 When using the 'Drop' action in a layer for SMTP, HTTP, and FTP protocols with the Application Control and URL Filtering or Content Awareness blades enabled on the layer: if the Security Gateway matches a connection not on the first packet (for example, on a rule with an application) the gateway rejects the packet instead of silently dropping it. The gateway sends a TCP reset for HTTP/FTP or sends a '554 error message' for SMTP. The client already received some packets from the server before the rejection.  R77.30
01593807,
02728705,
01683689,
PRHF-66
SAM rules generate large amount of "fwsam_v1_filter: matched rule is not found" messages.
Refer to sk105347
R77.30
02340784,
02341504
TCP traffic fails to return from static NAT host when using ISP Redundancy and SecureXL.
Refer to sk113236
R77.30
02537839,
02539556
Logging session does not switch to the backup logging server after connectivity loss.
Refer to sk118697.
R77.30
02563963,
02564330
Cannot create events based on "sys_message:" filter.
Refer to sk119995
R77.30
02706593,
02706821
In some scenarios, Security Gateway crashes during policy installation.
Refer to sk122755
R77.30
02713205,
02715396
In some scenarios, Security Gateway sends wrong format BSD Syslog logs.
Refer to sk122952
R77.30
Threat Prevention / Threat Extraction
02506918

Threat Emulation blade, MTA and UserCheck do not apply Threat Prevention layer policy according to the strictest rule, but according to the order of layers.

R80.10
02511908 On pre-R80.10 gateways managed by R80.x Security Management server, Access Roles and CloudGuard are not supported in all Threat Prevention and IPS rules on the gateway. This limitation does not apply to R80.x gateways.  R80.10
02452806, 02454286, 02454288 The "Message-ID:" header of the original email is capitalized differently when Threat Extraction is enabled.
Refer to sk115954
R77.30
Identity Awareness
02312837,
PRHF-61,
PRHF-131,
PRHF-132
"Group membership of the required account (user or machine) could not be retrieved from the AD" log from Identity Awareness blade in SmartView Tracker.
Refer to sk106133
R77.30
02696520,
02697170
Captive login portal page is shown in a baby frame of web site.
Refer to sk122257
R77.30
02703712
02703689
02702724
AD testing generates core dumps.
Refer to sk122472.
R77.30
HTTPS Inspection
PMTR-19839

CRL validation is not supported in pure IPv6 environments (when IPv4 addresses are not configured on the Security Gateway's interfaces).

R80.20
Application Control & URL Filtering
01820710,
01919422
After upgrade, services defined in the Application Control rulebase are overridden with the Application's recommended services.
Refer to sk109711.
R80
01910074,
01973174,
02327112
In some rare cases, some HTTPS web sites are not categorized correctly when "Categorize HTTPS sites" is enabled.
Refer to sk110475.
R77.30
02561565,
02567387
In a rare scenario, the Security Gateway can crash when the Anti-Virus, Anti-Bot, or URL Filtering blade is enabled.
Refer to sk119955.
R77.30
Content Awareness
PMTR-17156

The following apply to the "Archive File" Data Type: The Content Awareness blade inspects the "Archive File" Data Type. The "Archive File" Data Type is extracted, and its inner files are separately inspected together with the Data Type.
Therefore, during policy configuration, the administrator has to pay attention when using the "Archive File" Data Type in a Compound/Group Data Type and in an Inline layer parent rule. 

  • Using a Compound/Group of "Archive File" with, for example, "PCI - Credit Card Numbers", does not match the archive that contains a file with the credit card numbers. You can use a specific File Type with "PCI - Credit Card Numbers" in this rule.
  • Using the "Archive File" in a rule that leads to Inline Layer does not match the Data Type inside that layer. You can use a specific File Type in this rule.
  • If the "Archive File" is located above other Data Types, the lower rule can be matched for some of the inner files, in addition to the rule that contains the "Archive File".
R80.20
02436860 Content Awareness supports HTML forms using URL encoding (also known as Percent-encoding). HTML traffic, encoded (binary to text encoding) as Base64 and NCR, is not properly inspected for content.
R80.10
02455334 Content Awareness can inspect different types of files, of any size. A Web browser or FTP client may use several connections to upload or download a file. For web browsers, this typically happens when downloading large PDF files from the Internet. In those cases, the Security Gateway inspects each connection separately. This may affect its ability to inspect text inside the file. R80.10
01917734 Binary Certificate *.cer files are not properly matched to the 'Certificates and Private Keys' Data Type. R80.10
02467456, 02338194, 02330606 Content Awareness supports HTTP, HTTPS, SMTP and FTP protocols on any ports and it is fully integrated with the Access Control unified rule base. Traffic over QUIC and WebSocket is not inspected. However, it is possible to use 'Quic protocol' / 'WebSocket protocol' in a new Application rule to either block or allow this traffic.
Google Drive has its own internal methods within its protocol, therefore file downloads and uploads, from and to Google Drive are not properly scanned by Content Awareness. However, it is possible to use Google Drive in a new Application rule to either block or allow this traffic.
R80.10
01998174 Content Awareness supports more than 60 character sets for text files, including Japanese, Korean, Greek, and Arabic. If the inspected traffic does not include a supported character set, Content Awareness uses UTF-8 for decoding.
To see the list of supported charsets, and to learn how to change the default charset, see sk116155.
R80.10
02452100 Content Awareness supports Data Types based on file name. In specific HTTP traffic where the file name is not part of the URL or content-disposition header, the file name may be incorrect. R80.10
IPS
02512561 IPS is not supported on Dynamic IP Gateways after upgrading to R80.10 or R80.20 GA.  R80.10
002506866 Core Protections are activated according to the Confidence/Severity/Performance impact and not according to IPS tags. R80.10
Some IPS protocols from early releases are discontinued. If these are mistakenly included in the Firewall Rule Base, policy installation will fail. For the list of Deprecated protocols and services that are no longer used by the IPS blade, refer to sk103766. R80
01612788  For pre-R80.10 gateways, when configuring a Threat Prevention rule to save packet captures, the packets are saved only for Anti-Virus and Anti-Bot. Packet capture is not activated on IPS.
  • Use the IPS Protections window to configure packet capture for individual IPS protections. 
R77.30 
02658128, 02658437  IPS blade is automatically enabled on R7X Security Gateway during policy installation from R80.X Management Server, although IPS blade is disabled in the Security Gateway object.
Refer to sk121152
R77.30 
02219579,
02252490
Thresholds for 'IPS Bypass under load' are not tunable in Full HA environment.
Refer to sk112659
R77.30
01964022,
02029515

"Internal error occured" message when trying to assign/reassign a Global Configuration at the same time that an IPS update is running on a local Domain.

  • Workaround: First run the IPS update on the local Domain. Then assign/reassign the Global configuration. 
R77.30
DLP
02514785,
02515902
DLP can apply visible or hidden Watermark (for forensic tracking) to Office Open XML formats (DOCX, PPTX and XLSX) as a rule action in a DLP rule base.
Refer to sk117413 if DLP Watermark is used.
R80.10
02693946,
02698363
In some scenarios, DLP fails to synchronize very large files between cluster members, causing failover. 
Refer to sk122258.
R77.30
SecureXL
PMTR-18774

On a 21000 series appliance with a SAM card (sk107157), after an upgrade to R80.20:

  • The packet acceleration is performed only by the software on the 21000 appliance (and not by the hardware on the SAM card).
  • Existing SAM-mode interfaces will be changed to x86 mode.
R80.20
02541089, 02551724, 02541431 Security Gateway freezes / crashes in rare scenario when SecureXL is enabled and multicast routing is configured.
Refer to sk119299
R77.30 
ClusterXL
MB-30

R80.20 ClusterXL does not support Load Sharing mode. Therefore, R80.20 SmartConsole blocks such configuration with a warning message.

This limitation is planned to be resolved during H1 2019.

R80.20
ICAP Server
PMTR-16958 The ICAP Server feature is not supported in VSX mode deployment.  R80.20
PMTR-22125 If you enabled the ICAP Server or MTA feature in the Security Gateway / Cluster object, then to disable all the Threat Prevention blades (IPS, Anti-Virus, Anti-Bot, Threat Emulation and Threat Extraction), you must first disable the ICAP Server or MTA feature.

Otherwise, SmartConsole shows this validation error: "One of the targets specified in a Threat Rule 'Install On' field doesn't comply with the field's conditions. Either enable one of the Threat-Prevention blades on the gateway, or remove it from Threat-Prevention policy, see usages using 'Where Used'"

R80.20 
Routing
PMTR-13658

In PIM Dense Mode, when a new PIM router joins the existing network, it may take up to two cycles of PIM prune timer and/or downstream IGMP report interval, for the intended multicast traffic to start flowing.

  • To improve the PIM-DM responsiveness, the user can enforce the local-groups / static-groups configuration. 
R80.20
PMTR-19481 PIM is not supported on a Security Gateway / Cluster, when Route Based VPN is configured.  R80.20 
PMTR-4925

When advertising IPv4 routes over an IPv6 BGP session, one of the following needs to be true:

  1. Routemap is used to set the nexthop of the IPv4 routes
  2. The interface used for the BGP session needs to have an IPv4 address 

When advertising IPv6 routes over an IPv4 BGP session, one of the following needs to be true:

  1. Routemap is used to set the nexthop of the IPv6 routes 
  2. The interface used for the BGP session needs to have an IPv6 address
R80.20
01338366,
02014813

On a Security Gateway that is configured with DHCP relay and automatic Hide NAT for the network(s) that the DHCP requests come from, DHCP offers are dropped at the gateway.
This message shows: fw_log_drop_ex: Packet proto=17 40.81.81.3:67 -> 44.81.81.6:67 dropped by fw_conn_inspect Reason: post lookup verification failed;

  • Workaround: before the Hide NAT rule, add a NAT rule that prevents the translation when traffic is on port 67, and is going to the DHCP server. Make the NAT similar to this:
    Original Packet:
    Source = Source network(s) for DHCP requests      
    Destination = DHCP server
    Service = UDP_bootp 

    Translated Packet:
    Source = Original
    Destination = Original
    Service = Original

R80.10
01474954 Fast failback with OSPF GR is not supported. A restart or failover during GR results in traffic outage.
  • To prevent: wait for OSPF GR to finish. Use "show ospf interfaces" or "show ospf summary" commands to see the status.
R80.10
01685327 BGP routes cannot be used to establish connections to Multi-hop peers.  R80.10
02048037 If the interface is deleted from the SmartDashboard without deleting the associated cluster VIP, the routing daemon has no way to delete the VIP later on.
  • Do not delete an interface before deleting the associated cluster VIP from the SmartDashboard.
R80.10
01849054 IPv6 ECMP is not supported.
  • Workaround: disable ECMP for BGP when using IPv6.
R80.10
01490849 In VRRP mode, the OSPF state is not synchronized and a new master cannot take the helper responsibility from the previous master.
  • To prevent: do not fail over members if an OSPF neighbor is in the process of restart.
R80.10
01499120 A change in topology can cause an unsuccessful exit of OSPF GR.
  • To prevent: make sure there are no route or topology changes during the process.
R80.10
01910711,
01921543
In VSX, BGP Multihop does not work correctly when configured on a Virtual Router. Do not configure it. R80.10
01920724 RouteD with BGP Multi-hop consumes 100% CPU. If RouteD gets a route to the BGP peer from the peer itself, and that route has a lower rank than the route used to establish the BGP connection, this route becomes active and RouteD starts using it to connect to the peer. Because RouteD cannot use BGP routes to connect to peers in BGP Multi-hop, the BGP peer route is deleted and RouteD returns to the original route. This scenario repeats endlessly and causes the high CPU utilization.
  • To prevent: make sure that self-routes do not become active in a BGP Multi-hop deployment.
R80.10
02662054 DHCP Relay traffic is dropped when running Unicast load-sharing cluster. Refer to sk121347. R80
Mobile Access
PMTR-70,
02475436
If you use the Outlook Anywhere application with Mobile Access Reverse Proxy, and then want to disable Outlook Anywhere or Reverse Proxy, do the following:
  1. Delete Outlook Anywhere rule from reverse proxy.
  2. Run "cvpnrestart --with-pinger" to close all Outlook Anywhere open connections.
    If you do not perform step 2, open connections of Outlook Anywhere will not be closed and users can still work with it.
R80.10
02361011 When using Mobile Access file shares with VSX, the DNS resolving of the hostname might not work correctly with file shares.
  • Make sure that the /etc/resolv.conf file is configured properly or use this workaround:
    Change the value of 'vsxMountWithIPAddress' property in $CVPNDIR/conf/cvpnd.C file from 'false' to 'true'. The file share will use the host IP address for the mount instead of the hostname. 
R80.10
02421046 After upgrading a Standalone (Management and Gateway) or VSX deployment with Mobile Access blade enabled, the "Allow Dynamic ID for mobile devices" option might be enabled by default, even if Dynamic ID was not configured prior to the upgrade.
  • If you do not want Dynamic ID authentication for Capsule Workspace users, disable it in:
    Gateway Properties -> Mobile Access -> Authentication -> Compatibility with Older clients -> Settings -> Capsule Workspace section -> clear Enable DynamicID.

    For VSX, this configuration is done per Virtual System.
R80.10
01595256,
01586057
The Mobile Access Portal does not support Web-Form SSO for Citrix StoreFront Web interface.  R80.10
02452563 Mobile Access Portal users who use Outlook Web Access 2013 in the portal with NTLM authentication get authentication messages similar to: "Authentication Required https://mab-portal-addr requires a username and password".
Refer to sk115936.
R80.10
01838105 Internet Explorer 9 does not allow the HTML5-based new user interface of Mobile Access File Sharing. If you attempt to use IE9, the Security Gateway uses the old UI for File Sharing.  R80.10
02383560, 02398086  When users are connected to the Mobile Access Gateway with SSL Network Extender in Application Mode, Downloaded-from-Gateway applications do not work inside Endpoint Security On Demand Secure Workspace.  R80.10
02434256 Multiple authentication schemes or realms that were configured in GuiDBedit do not persist after an upgrade to R80.10/20.
Refer to sk115856.
R80
02526048,
01838814
Endpoint Security on Demand Secure Workspace does not automatically support Windows 10 Creators Update or later versions.
R77.30
02466757 When Mobile Access is included in the Unified Access Policy, in Mobile Access Authorization logs -> Log Details -> Matched Rules, the Mobile Access Application name and Category do not show.  R77.30
01147075,
02302626
Mobile Access Portal supports Outlook Web App 2013 / 2016 only with the Path Translation (PT) method. The Hostname Translation (HT) method is supported when cookies on the endpoint machine are configured. The URL Translation (UT) method is not supported.  R77.30
02457791  Occasionally on Windows XP, the desktop background inside SecureWorkspace might appear distorted.  R77.30
02520551, 02522305  Untranslated links in iNotes Web Application when using Hostname Translation. Refer to sk118037 R77.30
02729238, 02730507  Rule mismatch on SSL inspection rulebase. Refer to sk123718. R77.30
01184657,
01356327,
01913441
Disabling the Floating Navigation Bar (FNB) via GuiDBedit Tool does not disable the FNB in the Web Application.
Refer to sk109254.
R77.30
- Mobile Access does not support viewing or editing files with 'Office Online apps', Microsoft's browser-based Office applications. Outlook Web Access is supported, however you cannot open or edit Office Online app files from emails. R77.30
VPN
PMTR-15415

Communication errors occur between the Security Gateways managed by an R80.20 M1 Multi-Domain Server and participating in Global VPN Communities when there is more than one certificate for the same Internal CA.
Refer to sk136972.

R80.20
PMTR-8855 If a Remote Access VPN client roams from a NATT tunnel (which the Security Gateway accelerates) to a TCPT tunnel (which the Security Gateway does not accelerate), all the existing accelerated connections from the Remote Access VPN client are terminated on the Security Gateway. New connections from the Remote Access VPN client are established as expected. R80.20
02498996 When using Trusted links, encrypt and decrypt logs are issued even though the traffic on the links is not encrypted. R80.10
02455402 The VPN client shows as "Not Compliant" when it is not compliant according to the local.scv file, even if SCV is disabled.
  • Workaround: Configure the VPN site again on the client. 
R80.10
02369930  NAT-T initiator is not supported on VSX Gateways.  R80.10
01874986  Convert Traditional VPN to Simplified is not supported.  R80
01311326, 01455241, 01357377  When using a VPN client, activity logs are not generated for ICMP traffic.  R77.30
02065326  R77.30 and lower gateways do not support R80.10 gateways that are configured as NAT-T initiators. The R77.30 and lower gateways only recognize 3rd-party devices for NAT-T initiation.  R77.30
02514005; 02534915; 02529275 
  • DAIP devices deployed as VPN Satellite gateways do not support VPN link fail-over between a static link (using a permanent IP address) and the DAIP link, and vice versa.
  • Trusted interfaces are not supported for DAIP devices.
R77.30
02564507, 02570956  Client Setting "Calculate IP based on topology" breaks when using host. Refer to sk120121 R77.30
02564111, 02565222, 02590209 MTU on VPN traffic is limited by MTU of 1500. Refer to sk120122 R77.30
02663779, 02666335  Unable to connect with SHA-512 user certificate on Windows Capsule. Refer to sk121418 R77.30
02702969, 02706012  Security Gateway accepts a Diffie-Hellman group other than the one that is configured. Refer to sk122438 R77.30
02701519, 02701727  RADIUS authentication fails for LDAP users as the gateway uses sAMAccountName and not UPN when UPN is needed.
Refer to sk122477
R77.30 
Hardware
HCL-12 The HP ProLiant DL380 Gen10 does not detect all USB devices, including various USB flash drives (regardless of its content). This is not a software issue.
If a bootable USB device (with Check Point Gaia, CentOS or any other OS) is not recognized by this server, try a different USB device vendor. 
R80.20
LTE
PMTR-21435 Policy verification fails if the policy contains GTP or Diameter services, and you install it on an R80.20 Security Gateway.
Refer to sk120141
R77.30
00829371 SCTP or Diameter objects cannot be the service of a manual NAT rule. Static NAT will still be applied for rules that match SCTP if the service is set to "Any". All NAT methods can be applied for Diameter over TCP traffic if the service is set to "Any".  R77.30
VSX
00892773 VTI interfaces are not supported in VSX mode. R77.30
01298013,
01347319,
01356763
The "vsx_util reconfigure" command fails with "Failed to fetch configuration information from".
Refer to sk98001.
R77.30
01465442,
01436496

An upgraded cluster member goes into Ready state after the reboot, even before the rest of the cluster members are upgraded.

  • Workaround:
    1. Run the cphaprob state command to verify that all the Virtual Systems are in Ready state.
    2. Run the ps -elL | grep fwk command to verify that fwk process is running on every Virtual System.
R77.30
01275204, 01978034  In SmartView Monitor, Firewall History and System History system counters do not show any data.  R77.30
01548786 The "vsx_util change_mgmt_subnet" command does not support IPv6.  R77.30
02532554,
02532716
"CLINFR0699 Invalid command" error when a user with read-only Gaia OS role runs the "set virtual-system" command on VSX Gateway.
Refer to sk118693
R77.30
01562612  If a Virtual System is the Hub of a Star VPN Community, it cannot support SmartLSM gateways as satellites.  R77.30
01618097 "vsx_util reconfigure" command on Security Management Server / Domain Management Server fails to resume with "Error: Interface 'Interface_Name' exists in the management database, but not on the gateway".
Refer to sk105441
R77.30
QoS
- Convert QoS from Express to Traditional is not supported. R80.10
02563501,
02567776,
02567790
No warning is displayed if an empty network group object appears in the source or destination column.  R77.30
VoIP
02441588 Avaya VoIP calls with Avaya Call Manager fail through Check Point Security Gateway. Refer to sk104786. R80.10
SNMP
02721664,
02724294,
02726397
Several OIDs are in DisplayString format, while representing numbers.
Refer to sk123452.
R80.10
PMTR-4311 SNMP is not supported on Multi-Domain Management / Multi-Domain Log servers.  R77.30
02508239 "No Such Instance currently exists at this OID" error message after installing R77.30 Jumbo Hotfix Take_225. Refer to sk117353 R77.30
01852762, 01858277  Output of the "snmptranslate" command returns different OIDs for objects in "chkpntTrap" branch. Refer to sk108697 R77.30

 

 

List of R80.20 Security Management Products Known Limitations

Table of Contents

  • Installation and Upgrade
  • Gaia
  • Licensing
  • Security Management
  • Multi-Domain Security Management  
  • Management High Availability
  • SmartConsole / Management Console
  • SmartEvent
  • Logging / SmartLog
  • SmartView Monitor
  • SmartProvisioning    
  • Endpoint Security (SmartEndpoint)
  • SMB Appliances
  • Smart-1 Appliances
  • Networking
  • Compliance
  • CloudGuard Controller




ID Symptoms Found in version
Installation and Upgrade
PMTR-14162

After you upgrade Management Server, or dedicated Log Server / SmartEvent to R80.20.M1: 

  • Only logs from the last 24 hours are indexed. You can see all previous logs by opening the log file in SmartConsole.
  • New logs are indexed as expected according to the settings in the Management Server or Log Server / SmartEvent object -> Logs.

Refer to sk127652.

R80.20.M1
VSECPC-1341,
TP-1790,
TP-1953
  • It is not supported to perform a Clean Install of R80.20.M1 Security Management Server or Multi-Domain Security Management Server in CloudGuard for Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or any other cloud providers.
  • It is not supported to upgrade to R80.20.M1 a Security Management Server or Multi-Domain Security Management Server that runs in CloudGuard for Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or any other cloud providers.
R80.20.M1 
SMCUPG-500
  • To upgrade a Secondary Multi-Domain Server from R80.20.M1 to the next version, users must perform a clean install of the next version on their Secondary Multi-Domain Server and connect it to their next version Primary Multi-Domain Server.
  • To upgrade a Multi-Domain Log Server from R80.20.M1 to the next version, users must perform a clean install of the next version on their Multi-Domain Log Server and connect it to their next version Multi-Domain Server.
  • To upgrade a secondary Security Management Server from R80.20.M1 to the next version, users must perform a clean install of the next version on their Secondary Management Server and connect it to their next version Security Management Server.
R80.20.M1
SMCUPG-457 To upgrade an R80.20.M1 Multi-Domain Management Server with configured Global Policies to the next available version:
  1. Connect with SmartConsole to the Global Domain on your R80.20.M1 Multi-Domain Server.
  2. Reassign all Global Policies to all applicable Domains.
  3. Do not publish any changes in the Global Domain until you complete the upgrade to the next available version.
    Note: This is necessary to avoid any potential issues caused by different policy revisions on the Global Domain and on the Domains.
  4. Perform the upgrade from the R80.20.M1 to the next available version.
R80.20.M1 
SMCUPG-502 Database Revisions are not kept when upgrading from R80.20.M1 to the next version. R80.20.M1
PMTR-9020 After upgrading to R80.20.M1 with CPUSE on Smart-1 525/5050/5150 appliance, in order to downgrade to R80.10, revert to the snapshot taken before the upgrade.
Users MUST manually take a Gaia OS Snapshot before upgrading to R80.20 M1 on Smart-1 525/5050/5150 appliances.
R80.20.M1
- R80.10 supports only ext3 & ext4 file systems on Red Hat Enterprise Linux. R80.10
02411778, 02421533, 02421989

After upgrading a Full HA deployment, policy installation fails due to SIC problem with the secondary member.

  • To resolve, re-establish SIC between the active and standby members.
R80.10
01929622

After upgrade, the "Gateways & Servers" view does not show version numbers in the Version column.

  • To see the version numbers, open the gateway object for editing, make sure the correct version is selected and click OK.
R80.10
01732941

After upgrading to R80.10, there is no visible way to switch between Classic mode and Wizard mode to create a Security Gateway object. New gateways can only be created depending on the setting in Global Properties -> SmartDashboard customization prior to upgrade. To restore both options:

  1. Close all SmartConsole windows.
  2. Connect to Security Management / Domain Management Server with GuiDBedit Tool.
  3. On the Tables tab, open Global Properties -> Properties.
  4. Select the firewall_properties object.
  5. In the Field Name column, select "hide_use_CP_GW_wizard".
  6. Change the value to false.
R80
01505445

After upgrade, SmartConsole disconnects from the server during the first policy install.

  • Before a first policy installation on Standalone servers, allow the CPM service in the Services & Applications column of the rulebase.
R80
01986530 Importing a large SmartEvent database can take a long time to complete. Check the upgrade status for progress. R80
01815141 Database Revisions are not upgraded to R80.x Security Management Server during the upgrade process from Pre-R80 versions. R80
01887799, 02058605 In R80.x, indexing is done by a new process called Indexer. Indexer works similarly to SmartLog R77.xx but has its own configuration files stored in $INDEXERDIR.
Customers who manually defined indexing configuration from remote log servers (via LEA) in SmartLog R77.x or below should manually move it to the new configuration files.

To copy settings from SmartLog R77.x configuration files to the new Indexer process configuration files:
For SmartLog servers only:
After upgrading to R80.x, copy the remote log servers configured in $SMARTLOGDIR/smartlog_settings.txt file to $INDEXERDIR/log_indexer_custom_settings.conf.

For SmartEvent with SmartLog server:
Remote log servers configured in $SMARTLOGDIR/smartlog_settings.txt are not automatically upgraded. Manually configure the log servers in SmartEvent GUI -> correlation unit policy.

For more information, see the R80.20 M1 Logging and Monitoring Administration Guide.
R80
PMTR-10880,
PMTR-12915

"Database is locked" error message when running the migrate_export command on an R7x Security Management Server.

  • Run cpstop or mdsstop and attempt the export again to resolve.
R77.30
01876717 SmartEvent blade disabled after advanced upgrade to R80.20 M1 Management.
  • On the Security Management server, run "evconfig" to enable the SmartEvent server.
R77.30
01549207,
01884161
Gaia OS: Clean install from USB device fails on Open Server because the installation process (anaconda) includes the USB installation media as part of the installation target. Refer to sk100566. R77.30
01868136

After upgrading, the Gateway Properties -> HTTP inspection page shows "Failed to load Plug-in Page: SSLInpectionPage". 

  • To resolve, perform the following on the Security Management server:
    • Run cpstop 
    • Delete the $FWDIR/conf/newDleSchema.xsd file 
    • Run cpstart
R77.30
01611022

If you have gateways of different R77 versions and GX is enabled on an R77.30 Security Gateway only, policy installation will fail. 

  • Use the "Install On" column for the GTP rules.
R77.30
Gaia
PMTR-17540,
GAIA-2926

The Linux "iotop" utility might stop working when pressing the "i" key in the following rare scenarios:

  • Working in virtual environments (such as Hyper-V) 
  • Terminal application uses specific virtual terminal settings (such as specific SecureCRT terminal settings) 
R80.20.M1
PMTR-14334 The "scponly" shell (a limited shell for secure file transfers) is not included in R80.20.M1.
Other shells can be used instead - see the /etc/shells file. 
R80.20.M1
PMTR-13029,
PMTR-13021

"[Firmware Bug]: the BIOS has corrupted hw-PMU resources" message may appear in the output of the "dmesg" command on any HP ProLiant Server running Gaia R80.20.M1. 

  • You can safely ignore this message - it does not indicate an issue with the functionality or performance of the Operating System or the server. 
    For details, see Hewlett Packard Enterprise Customer Advisory c03265132.
R80.20.M1
PMTR-13910 Intel 10Gbps Network Interface Cards might not be visible during OS installation; however, they will be available once OS installation completes.  R80.20.M1 
PMTR-13683 Saving the Hardware Diagnostic Tool logs to a USB stick is not supported if the USB stick is formatted as NTFS. R80.20.M1
PMTR-16059  Configuring Static ARP entries in R80.20.M1, either in Gaia Portal or Gaia Clish, is not supported. R80.20.M1
PMTR-10355 R80.20 Management Feature Release does not support SAN card. R80.20.M1
02386300 The Maintenance -> Maintenance page in the Gaia Portal was removed. R80.10
02707890 The "save configuration" command saves users' real names without quotes.
Refer to sk122689.
R80.10
01967996

When connecting to the network interfaces page in the Gaia Portal, an "Unable to connect to server" error shows.

  • To resolve, disable the Adblock EasyPrivacy extension of the Adblock plus add-on and try again. 
R80
02483806, 02490757 External NIC is not detected after upgrade to R80.x / clean install of R80.x. 
Refer to sk116587
R80
01985269 If you refresh the browser while running the First Time Configuration Wizard, or try to run the wizard twice, one of these messages will show:
  • "Cannot install Check Point Security Management Server. Incompatible hardware"
  • "Internal Error: Cannot install Check Point Security Management Server"
  • "Cannot install Check Point Security Management Server. Please contact Check Point Technical Support."
After seeing one of these messages, you must reinstall the device or revert to the factory image.
R80
02614360,
02614646
Gaia Clish "load configuration <file>" command fails to load some RADIUS and SNMP configuration commands.
Refer to sk120459.
R77.30
02067966 In Gaia Portal, PPPoE interfaces cannot be used as an SNMP agent interface.
In Clish, if the user runs the command "add snmp interface", the operation does not succeed but the user does not see a message that it failed. 
R77.30
01983922 The last stage of the First Time Configuration Wizard takes a long time on some machines.
To see the progress of the First Time Configuration Wizard, the user must check if these files were created on the machine:
  • /etc/.wizard_accepted - means that the First Time Configuration Wizard has finished.
  • /var/log/ftw_install.log - means the First Time Configuration Wizard has started and the user must wait until the file /etc/.wizard_accepted is created.
R77.30
02711255,
02712191
RADIUS user with special characters in a class attribute field is stuck on the spinning icon when logging into the WebUI.  R77.30
02490383,
02491329,
02491797
Multicast PIM traffic register packets are sent with checksum 0xd63f, which is non-compliant with the RFC (should be 0xdeff).  R77.30
02722123 The "show asset" command does not display the network information.
Refer to sk123342
R77.30
02518465,
02520009
Gaia OS sets the timezone to "UTC" when the zone is entered with a space character in the "sysconfig" menu.
Refer to sk117737
R77.30
002694599 The "show message motd" Clish command output is corrupted.
Refer to sk122199
R77.30
01816080,
01822237,
01822236
DHCP Relay and DHCP Server do not function when configured together on the same Gaia OS.
  • Between DHCP Relay (routed) process and DHCP Server (dhcpd) process, the last process to start up will receive all the UDP unicast traffic. The first process sees no unicast traffic.
  • Both DHCP Relay (routed) process and DHCP Server (dhcpd) process will see UDP broadcasts.
  • If DHCP Server (dhcpd) process starts first, then this joint configuration will work, because dhcpd process only cares about UDP broadcasts.
    If DHCP Relay (routed) process starts first, then this joint configuration would fail to work, because the replies from DHCP Server that should be relayed are UDP unicasts.
Refer to sk98839.
R77.30
02167050,
02184450,
02491287,
02359422
Setting state of interface to "off" on Gaia OS does not turn off the link on that interface.
Refer to sk112598.
R77.30
01987789,
01996692
"WARNING The following features: NameOfFeature, , provide a privilege level equivalent to that of 'adminRole'" message in Clish when adding some read-only commands to RBA role.
Refer to sk110772.
R77.30
02359678,
02360935
The /var/log/messages file is filled with Audit Logs for Gaia Clish commands:
clish[PID]: user logged from admin
clish[PID]: cmd by admin: Start executing : xxx (cmd md5: ...)
clish[PID]: cmd by admin: Processing : xxx (cmd md5: ...)
clish[PID]: cmd by admin: Start executing : exit (cmd md5: ...)

Refer to sk113897.
R77.30
02085699,
02189660
Hardware Diagnostic Tool test fails on "Self-test" for 1GbE expansion cards when an SFP transceiver for RJ45 (Copper) is connected to the appliance.
Refer to sk112857.
R77.30
01111060,
02356903,
01309032
Saving the configuration on Gaia OS times out with "NMSCFD0026 Timeout waiting for response from database server" error.
Refer to sk113746
R77.30
02084298,
02089780
Syslog Protocol version is not sent in syslog packets as per RFC 5424.
Refer to sk100727.
R77.30
01996097,
01639840
If you restore a Security Management Server from a backup, all hotfixes installed after the backup was created will not be included on the restored server.
Refer to sk91400
R77.30
Licensing
01909120,
02015912

These products do not support the new licensing visibility features:

  • Network Security: Advanced Networking and Clustering, Capsule Cloud and Capsule Workspace.
  • Security Management: Endpoint Policy Management, SmartPortal, User Directory (LDAP).
  • Multi-Domain Management: Security Domain
  • Remote Access & Endpoint
R80
01925987 "Licensing status not available for current OS" message shows in the Logs & Monitoring view. SmartConsole does not support licensing information for Windows, SecurePlatform and Virtual Systems. Use the licenses tab in SmartUpdate to see the licensing information for the OS. R80
01963269 If the SmartEvent Software Blade is activated, but only the SmartEvent Intro license is installed, the License Status shows "N/A". R80
01961299 The Device and License Status of Threat Emulation is incorrect. Use the Logging -> License Status view. R80
01934260 When loaded for the first time, web components such as the licensing or monitoring view can take up to thirty seconds to show. R80
01972866 In the License Status View, the Additional Info column, quota information and quota statuses are not available for pre-R80 gateways and servers. R80
01972797 Automatic license activation on Check Point appliances is not available on pre-R80 appliances. R80
01972899

On pre-R80 gateways, license information is updated every 20 minutes.
To force a license update, perform one of the following actions:

  • Either install security policy on the pre-R80 gateway

  • Or on the R80.10 Management Server, run the following command in Expert mode:

    • On Security Management Server:

      [Expert@HostName]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>
    • On Multi-Domain Security Management Server:

      [Expert@HostName]# mdsenv <Name of Domain Management Server>
      [Expert@HostName]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>
R80
01976925 Automatic license activation on a Multi-Domain Management Server machine works only on the MDS level and not on the Domain level. Add licenses manually for each Domain. R80
01972917 After installation, the Device License Status shows N/A and the Device License View is not accessible until policy or database are installed.
When blades are enabled or disabled, the changes are not visible in the Device License Views and Status until policy or database are installed.
R80
01972951 The proxy that synchronizes license information with the User Center must be at least an R80 server.
R77.30
01951434

On a Pre-R80 SmartEvent NGSE dedicated machine, license information is not automatically updated when Installing Database.

When you enable or disable a blade, one of the following will update the license information with the change:

  • If you force a license update, changes occur immediately.
    To force a license update: On the R80.10 Security Management Server, run the following command in Expert mode:
    [Expert@HostName]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>
  • Automatic update at midnight
  • If you manually change a license or contract on a dedicated machine, changes take effect within 20 minutes
R77.30
Security Management
PMTR-19608 R80.20 Management Server does not support R75.40VS Security Gateways (other R75.X versions are still supported as described in the R80.20 Release Notes). R80.20
PMTR-16114  An administrator fails to log in with SmartConsole after another user was configured in SmartConsole with a name identical to that administrator's name and the session was published.
Refer to sk133273
R80.20.M1
PMTR-16383 R80.20 Gateways cannot be managed by R80.20.M1 Management Server.  R80.20.M1 
PMTR-15234

"Publish failed" error on Publish / Discard operation failure after switching the Primary Management Server from Active to Standby and back to Active in Management HA deployment.
Refer to sk129952.

R80.20.M1
02475794 If a connection is matched on a limit action rule, and the connection is not configured to be rematched (the 'Keep all connections' option is selected in the Security Gateway object, or the 'Keep connections open after the policy has been installed' option is selected in the Service object), a new policy installation will cause the limit on the connection not to be enforced.  R80.10
02656671,
02653435
Memory leak in fw_commandline_cmd_sig function.  R80.10
CPM-1167 Management High Availability is supported only between Management High Availability servers with the same build number. To see the build number, run cpinfo -y FW1  R80.10
02696184,
02698605
Policy installation using management API partially succeeds when it should fail.
Refer to sk122211.
R80.10
02480549 After upgrading to R80.x, SmartConsole login fails if there is an internal user with the same name as the administrator login name.
  • To resolve the conflict:
    1. Open a command prompt on the Management server
    2. Run cpconfig to create a new administrator account with a unique name
    3. Run cpstop;cpstart
R80.10
02067095 When the trial license is expired, and after adding a new license, the Security Management server does not accept any connections.
  • Workaround: stop and start the server (run cpstop;cpstart) after adding the new license. 
R80.10
02361323

In some scenarios, re-assign or removal of global assignments succeeds, but changes that were not yet published at the Domain become conflicted. The SmartConsole for the Domain becomes unstable and can show: "Could not load selected policy".

  • In this situation, Discard the changes that were not published in SmartConsole.
R80.10
02505270 When removing Threat Prevention from a Policy package, SmartConsole disconnects from the Security Management Server.
  • Workaround: delete the rules from the Threat Prevention policy before removing Threat Prevention from the policy package.
R80.10
02491987 "Revert exception" error and log of: "ManagementPlg.RevertToRevisionCommand - Unable to extract targetWorkSessionId from parameter" when removing a blade that is used in rules from an Ordered Layer, and then reverting revisions.  R80.10
02496239

Policy installation fails with "Policy installation failed on gateway 0-2000040" error and log: "fw_atomic_add_spii_parameter: Failed to get object named <object_name>".

  • Workaround: for all hosts with a server configuration, unselect the servers. Publish the session, then select the servers again, and publish again. For details refer to sk131192.
R80.10
01786890

If you create an administrator in cpconfig, you must run cpstop and cpstart, as instructed by cpconfig. After cpstart, no administrators are shown in cpconfig. Administrators configured before the upgrade to R80 are also not shown in cpconfig.

  • Manage administrator accounts through SmartConsole. 
R80
01493302,
01977241
Internal user names must contain only English characters. Names in other languages (unicode) will show as question marks in the Users and Administrators window. R80
01965750 If you create or delete Domain servers of the same Domain from many Multi-Domain Servers, the Domain can become corrupted, with recovery from Check Point Support required.  R80
01861349

"Check your connection settings (Proxy, DNS and gateway)" error shows after IPS and Application Control & URL Filtering update fails if there is no proxy defined.

  • To resolve the problem, run cpstop and cpstart and try again. 
R80
01989947

Adding a VSX object (router, switch, or system) from the secondary Multi-Domain Management Server fails when the primary server is powered off. The creation wizard fails to open and an "Operation finished successfully" message shows.

  • To resolve the issue, power on the primary Multi-Domain Management Server and try again.
R77.30
01536203

Selecting the "Use Gaia administrator: admin" option in the First Time Wizard lets you reuse the Gaia administrator password for SmartConsole. If you later change this password in SmartConsole, the Gaia administrator password remains unchanged.

R77.30
02049156,
01712637

The Revisions View is not updated for changes in Trusted Clients and some environment settings in Management & Settings.

R77.30
01908530

These commands are not supported in the SmartConsole's CLI: login, logout, discard and publish. Use the SmartConsole GUI instead.

R77.30
01848420

Applications like Provider.exe and Fwpolicy.exe (SmartDashboard) cannot be used to connect directly to the Security Management server or the Multi-Domain Security Management server. 

  • Workaround: use SmartConsole.exe
R77.30
02414257,
02403960
It is not possible to convert a Standalone deployment (Security Gateway and Security Management on one computer) to a cluster member of a Full HA deployment - or vice versa. R77.30
01950023 SIC is not allowed by default with upgraded OPSEC applications (OPSEC applications not compiled with SHA-256 support).
To fix:
  1. On the Security Management server, run: cpca_client set_sign_hash sha1 (refer to sk103840)
  2. Install Database.
R80
01963189 Changing the Security Management server's time, for example using an NTP server, while there are SmartConsole clients connected, may cause the client to disconnect from the server. R77.30
01829764,
01381300
For Gateways below R80, 2nd layer behaves like Application Control policy.  R77.30
01459162 Security Gateway / VSX gateway conversion, or conversion in the opposite direction, is not supported. R80
01952495

lvm_manager fails to resize partitions with "ERROR :Cannot kill process (id XXXXX)".

  • Workaround: Boot the machine into Maintenance Mode and then run lvm_manager.
R80
01984056 "Internal error occurred during the verification process" during policy installation after reverting to a previous policy revision that has a disabled rule with an object that has been deleted since then.
Refer to sk110614.
R80
01545489

The CLI command fwm dbexport is not supported. After running the command to export the user database, the process finishes successfully but the file contains only headers, no data.

  • Workaround: Use migrate export
R80
01986179 Global assignment removal fails with "Object could not be deleted because it is referenced by other objects" error. If the search fails to locate the object in the domain, check each application object in the Domain for a reference to the permission profile specified in the error message.
Refer to sk110630.
R80
02734048,
02734746
In some scenarios, CPD process stops working on Security Management server.  R80
02590945,
02592411 
In some scenarios, Security Management server stops receiving logs from all gateways.
Refer to sk120316
R77.30
02704776,
02705333
Creating a secondary CMA/Domain overrides files in the $FWDIR/lib/ directory on the primary CMA/Domain.
Refer to sk122538
R77.30
01989615 "Authentication to server failed" error shows when logging in to the SmartEvent server using the local administrator account (created in cpconfig).
  • Create a new administrator account with a name not used on the remote Security Management server or the Multi-Domain Management server managing the SmartEvent server.
R77.30
02514237 If you upgrade a Security Management Server to R80.10 with a user.def file that has been edited manually, make sure that the file name includes each gateway version that is managed by the server.
Refer to sk98239 for the user.def naming convention.
Refer to sk30919 for more information about the user.def file.
R77.30
02693254,
02693478
Cannot choose 'Group-With-Exclusion' in the option when configuring Legacy User Authentication rules.
Refer to sk122100
R77.30
00419335, 01134550, 01648694 The $CPDIR/tmp/ directory is filled with 'CKP_mutex::_opt_CPsuite-RXX_fw1_log__...' files.
Refer to sk36754.
R77.30
02167186,
02169523,
02483407,
02496644
The "URL" field shows "*** Confidential ***" in HTTPS Inspection logs on 3rd party LEA OPSEC client.
Refer to sk101570.
R77.30
PMTR-7157 Policy installation fails on Security Gateways R76 and above, if the "RTP-RTCP" service exists in the Security Management Server database.
  • To resolve, delete this service completely from the Management database (in SmartConsole, go to Objects menu -> Object Explorer -> Services). 
R77.30
Multi-Domain Security Management
PMTR-22349 When reverting a Multi-Domain Server / Multi-Domain Log Server from the version R80.20 GA to R80.20 M1, it will cause reindexing of the logs based on the value of "days_to_index" (default is 1 day; see sk127652 and sk111766). The reindexing will cause duplicated entries for some of the records in the index.  R80.20
PMTR-19623

In a Multi-Domain Servers Management HA environment, if an administrator installs policy from the Active Domain on the Security Gateway / Cluster object and performs Management HA from the Active Domain to the Standby Domain, the administrator must install policy from the new Active Domain on the Security Gateway or Cluster object. Otherwise, when upgrading the Multi-Domain Servers to R80.20, SIC communication can be lost with the Security Gateway or Cluster Members.

  • Workaround: Change the state of the Standby Domain to Active, and manually synchronize the Domains.
R80.20 
PMTR-10397 Before upgrading Multi-Domain Management Servers in High Availability deployment, all Domain Management Servers on the Primary Multi-Domain Management Server must be in the Active state.  R80.20.M1
PMTR-15294 To perform "Enable Global Use" on a Security Gateway, you must set the Domain, which manages this Security Gateway, and the Global Domain to the "Active" state on the same Multi-Domain Management Server.  R80.20.M1 
PMTR-14989

R80.20.M1 Multi-Domain Security Management does not support IPv6 address configuration.

R80.20.M1
PMTR-15279

Threat Prevention policy fails to open with the "Rulebase initialization failed" and "One or more errors occurred" error message after upgrade of Multi-Domain Server to R80.20.M1.

  • Workaround:
    1. Assign the Global Policy (without assigning or installing other policies).
    2. Open the Threat Prevention policy.
    3. Remove the assignment of the Global Policy.
R80.20.M1
PMTR-12257 In case of license expiration on one of the servers of a Multi-Domain Management High Availability setup, a full sync is required after applying the new license. R80.20.M1
PMTR-14479 Creating a Security gateway object fails on the Domain Management server that is currently Active on the Secondary Multi-Domain Management server. R80.20.M1
PMTR-14479

"Failed to save object....Server error is: An internal error has occured. (Code: 0x8003001D, Could not access file for write operation)" error when creating a Security gateway object on the Domain Management Server that is currently active on the secondary Multi-Domain Management server.

  • To resolve, run the "mdsstop ; mdsstart" commands on the secondary Multi-Domain Management Server.
R80.20.M1
02509073

When running Global Domain Assignment on one Multi-Domain Server for a Domain that is active on a different Multi-Domain Server, the task can stall at 5%. After a few minutes, a message shows: "timeout during task progress: Could not get information regarding task completion from MDS_1 'MDS_2'."

  • Workaround: Run Reassign Global Assignment on the Domain from the first or second Multi-Domain Management Server.
R80.10
02491210 If two administrators create an admin account with the same name, after the first admin publishes a session, the second admin will not be able to publish or edit the admin account.
  • To fix, the session changes must be discarded.
R80.10
02506522

If you have a tag on the local host object of a global Dynamic object, you cannot assign or re-assign Global Policy.

  • Workaround: remove the tag from the local object, assign or re-assign Global Policy, and then add the tag again.
R80.10
02482338 For Global SmartEvent connected to Multi-Domain Management Server, search suggestions from SmartConsole appear only for a Super user (Multi-Domain Super User and Domain Super user). R80.10
02510367 The ability to edit the list of additional information fields that can be added to a Domain, administrator, and gateway is not supported in R80.10. R80.10
02510379 The ability to find and unify similar Permission Profiles is not supported. R80.10
01810161 A Security Management server cannot be installed as a secondary Management for a Domain server. R77.30
02507469 Domain Super User profile cannot be cloned. R80.10
01605414 There is no cross-Domain search for network objects. Search in each Domain for the specific network object. R77.30
01995628,
01993689
After a Global policy has been assigned to a Domain, the revert option in the Domain "Network Layer -> History" window no longer functions. R80
01654519,
01606491
You cannot assign only the Global objects used in a specific Access Control policy or Threat Prevention policy. All the global objects are assigned to the Domain. R80
01916186 After you upgrade a Multi-Domain Server with an IP address change, you must remove the license with the old IP address. If you do not do this, failures will occur in the License view and on some Management Blades.  R80 
02422260,
02383687
In a High Availability environment that includes more than two Multi-Domain Management servers, a synchronization problem between 2 specific Multi-Domain Management servers only shows when connected to one of those servers. The problem does not show when connected to a different Multi-Domain Management server in the environment. R80
- For Multi-Domain Log Servers, Remote Log Servers that are not defined as Domain Log Servers are not supported. R80
01582933 Private sessions are not synchronized between Multi-Domain Management Servers. A session that is open on one Multi-Domain Management Server cannot be seen or moved to a different Multi-Domain Management Server. R77.30
01537986 An administrator with Manage Session permissions on a Multi-Domain Management Server but not on a specific Domain, can manage the session from Sessions view in the MDS level. Session publish may fail. R77.30
01718384 You cannot add licenses from the Multi-Domain Management Server or Domain Management configuration windows or wizards. To add licenses, click "Manage Licenses and Packages" in the SmartConsole main menu. R80
01408631 You can use only one Global Domain, which is created automatically during installation. R80
01694997 Administrator groups and Domain groups are not supported in R80 and cannot be viewed or used in the SmartConsole. R80
02513874 In Multi-Domain Management Server, OPSEC application permission profiles are not visible on the Domain's object bar. Use the OPSEC application editor to change the permissions. R80
02408361 During mds_import, the incorrect "Failed to open file 'obsolete_objects.C' " message shows.
  • This message can be ignored.
R80.10
02408823 The same system object (administrator, domain, permission profile, trusted client or Multi-Domain Server) cannot be managed from multiple peers. It can create sync failures between Multi-Domain servers.
  • If there is a sync failure, make sure sessions on different peers do not lock the same object.
R80.10
02463142 From a secondary Multi-Domain Management Server, cma_migrate gets stuck.
  • Run cma_migrate on the server with the active global policy.
R80.10
01954364 When upgrading a Multi-Domain Security Management environment, you can change the IP address of the primary MDM, but not the IP address of secondary MDMs. R80
01976542,
01980886
Each database can be migrated only once with cma_migrate. If you try to migrate the same database to another Domain Server, migration fails with the "Internal runtime error"... "The folder in the dleObject can't be null." error. R80
01980812 After you define the SmartEvent object in the global database, you must first assign Global Policy to the Domain Servers so that Domain Level Only administrators can log in to SmartEvent. R80
02432471,
02380613
After an upgrade, the global assignment fails with an error regarding multiple objects with the same name. If the search fails to locate the object in the domain, the object might be an unused OPSEC application permission profile and it can be deleted or modified using dbedit.
Refer to sk116059.
R80.10
02702061,
02702704
The cma_migrate tool fails with "Command completed with error code 4" error due to a missing "No Global Access Policy" option on one of the Domains.  R77.30
Management High Availability
PMTR-14327 To move a Secondary Multi-Domain Management Server from one Multi-Domain Management HA environment to another, install the Secondary Multi-Domain Management Server from scratch in the new environment as a Secondary Multi-Domain Management Server and synchronize it with the Primary Multi-Domain Management Server.
R80.20.M1
02497932 In a High Availability environment, if an administrator is locked on the Standby Management Server, the administrator is not locked and does not show as locked on the Active Management Server. Therefore, you cannot unlock the administrator from the Active Management Server.
  • To unlock the administrator, run the CLI command unlock-administrator on the Standby Management Server.
R80.10
02429653 In a Management High Availability environment which includes an invalid license, sync fails with "Failed to apply shared licenses" message.
  • Workaround: remove the invalid license according to the signature that appears in the error message.
R80.10
CPM-1167 Management High Availability is supported only between Management High Availability servers with the same build number. 
To see the build number, run cpinfo -y FW1
R80.10
PMTR-15291 Administrators created using SmartConsole connected to the Primary Security Management Server in a Management HA environment are unable to log in to the secondary Management Server until a full sync is performed. R80
02367246 When a secondary Management server is added, the initial synchronization task starts automatically. Until it completes, the secondary peer status shows as "Failed to communicate with peer".
Wait for the initial synchronization task to complete. The peer status in the High Availability Status window will then show that the synchronization was successful.
R80
01825584 Sync failure between primary and secondary servers in a Management High Availability deployment.
  • To prevent this, make sure the interfaces are enabled before starting the processes (cpstart, mdsstart).
R80
01948138 The initial full synchronization of a new High Availability server, either Security Management or Multi-Domain, can take a long time in large environments. R80
01999344,
02000493
Login to the Secondary Management from the Management High Availability window fails. Make sure the SmartEvent Server and SmartEvent Correlation Unit blades are not enabled on the secondary Management object. R80
01810119 High Availability CLI commands like 'set standby' and 'set active' that are part of the send_command tool, are no longer available. R77.30
01905978

In a High Availability deployment of Multi-Domain Security Management Servers, until the MDS that hosts the active Domain server has been upgraded, it is not possible:

  • To edit an administrator assigned to that Domain
  • To edit a client assigned to that Domain
  • To view global assignments of that Domain
R77.30
SmartConsole / Management Console
PMTR-22691

Password configuration in SmartEndpoint for FDE preboot users, WebRH administrators and client uninstall password is limited to a maximum of 12 characters. 

R80.20
PMTR-20430 Installation of SmartConsole on Windows Redstone 5 completes successfully, but SmartConsole fails to start with this error message:
[Window Title] C:\Program Files (x86)\CheckPoint\SmartConsole\R80.20\PROGRAM\SmartConsole.exe
[Content]
C:\Program Files (x86)\CheckPoint\SmartConsole\R80.20\PROGRAM\SmartConsole.exe

The application has failed to start because its side-by-side configuration is incorrect. Please see the application event log or use the command-line sxstrace.exe tool for more detail.
R80.20
PMTR-12439

Desktop Policy tab does not appear in the following scenario: 

  1. Open the SmartConsole in Read-Only mode, or log in with Read-Only credentials.
  2. In the left navigation panel, click Security Policies.
  3. In the Access Control section, click Desktop -> Open Desktop Policy in SmartDashboard.
  4. Legacy SmartDashboard opens without the Desktop Policy tab.
R80.20
PMTR-20287,
TP-1939

When creating a new Cluster object in SmartConsole with the Wizard Mode, if you do not add Cluster members or do not initialize SIC with the Cluster members, the "Optimizations" -> "Capacity Optimization" setting in the cluster object may be set to "Manually", instead of the default "Automatically". The "Automatically" option is grayed out if the OS of the Cluster object is unknown.

Workaround:

  1. Open the Cluster object. 
  2. Go to the "General Properties" pane. 
  3. In the "Platform" section, in the OS field, change from the "Unknown OS" to the real operating systems of the cluster members.
  4. Go to the "Optimizations" pane. 
  5. In the "Capacity Optimization" section, select "Automatically". 
  6. Click OK and publish the session.
 R80.20.M1
PMTR-12437 In Full HA cluster, the "Install Database" operation is supported only on the Cluster object (and not on the individual cluster members objects). R80.20.M1
PMTR-15093 Domain Management Server and Domain Management Log Server must be removed from a policy package before deleting their representing objects. R80.20.M1
PMTR-15366 For R77.30 Gateway, the ICAP server is supported only from CLI and not in the SmartConsole GUI, although the ICAP Server tab is displayed in the Gateway properties.
R80.20.M1
PMTR-15156 Configuration of colors and icons in some Service objects does not survive upgrade from R77.x versions to R80.x versions   R80.20.M1
PMTR-14661

"SessionInWorkLoginException" error when using the API "discard" to discard a connected session other than the current session. 

  • Workaround: "Take over" the session you want to discard, and then use the API "discard"
    OR
    Disconnect the session by restarting Check Point services ("cpstop" and "cpstart"), and then use the API "discard".
R80.20.M1
02418418 After a Security Management server upgrade from R80 to R80.10, 0 applications appear in object bar although all applications appear in the rule base picker.
  • Workaround: Perform Application Control & URL Filtering update.
R80.10
02446266

A Remote Access community object is not supported in the parent rule of an inline layer where the action is "Inline Layer".

  • Workaround: use "Any" instead of the Remote Access community object. You can use the Remote Access community object in the rules in the inline layer.
R80.10
02083394, 01961299

The Device and License Status of Threat Emulation is incorrect when there is a trial license on the Security Gateway.

  • Use the Logging -> License Status view. 
R80.10
02502463,
02491577
When cloning an Access Control policy with a shared Inline Layer, it is not possible to change the action of the rules in the cloned shared Inline Layer of the cloned policy.
  • Workaround: Add a rule to the cloned policy, copy the shared Inline Layer, and delete the original rules of the Inline layer.
R80.10
02492692

This procedure for renewing an expired HTTPS Inspection certificate does not work:

  1. Open the SmartDashboard GUI client
  2. Renew the HTTPS Inspection certificate.
  3. Close SmartDashboard.
  4. Install the Policy in SmartConsole.

    SmartConsole shows the certificate is still expired, and the certificate is not renewed.
  • Workaround: After following the procedure, close and reopen SmartConsole.
R80.10
02458203 Policy installation includes an implicit database install operation. As a result, the policy installation task in SmartConsole only completes after the end of the database installation task. This does not delay policy enforcement on the gateway. R80.10
02475372,
02500649
When connected to a machine that runs both Security Management and Security Gateway (Standalone deployment) and has less than 6GB of RAM, SmartConsole will perform slowly and disconnections may occur during policy installation or an IPS update.
Running R80.10 Standalone configuration requires at least 6GB RAM. Running this configuration with less than 6GB RAM is not supported.
Specifically, 4400-12400 appliance models do not support Standalone with their default RAM (4GB), and require a memory upgrade to 8GB.
R80.10
01878112 Cannot log into SmartConsole after changing the time in the Gaia Portal.
  • To resolve, restart the Management server using cpstop;cpstart commands or, for Multi-Domain Security Management, run mdsstop;mdsstart 
R80.10 
02450861 In SmartConsole, when creating a new object in a second Object Editor, the new object is not in the list in the original Object Editor.
  • Workaround: After you close the second Editor, click OK in the IF-MAP server editor. Open the IF-MAP server editor again.
R80.10
02500777 When session details enforcement is configured, publishing a remote session is not blocked even if session details are not provided.  R80.10
01944489, 02007657 A VPN rule created using the "Accept all encrypted traffic" option in the VPN community object, is not shown in SmartConsole.  R80.10 
01834373,
01834983
SmartConsole does not display one of cluster interfaces because of case sensitive name uniqueness.
Refer to sk108264
R80.10
02445396 The SmartConsole package cannot be installed in a directory whose path includes non-English characters.  R80.10
02695694 VPN Community object cannot be opened after upgrade from R77.30 to R80.10 or R80.20.
Refer to sk122180.
R80.10
ACM-1140 Creating new services in R80.x is not supported via Embedded Dashboard. New service creation can be done only from SmartConsole.  R80.10
01282274 SmartConsole installed on a computer without access to the Internet cannot open Help files.
Refer to sk110774.
R80
01996428

Slow rendering of SmartConsole and reaction to user interactions. Slow rendering can be a result of:

  • Running SmartConsole through Remote Desktop (RDP) sessions. See sk123734.
  • Environments with lower-end graphic hardware drivers. 
    Typical environments include Windows-Server 2012 and Virtual Machines.
    In this case, consider upgrading your DirectX driver or Graphics Card hardware. 
R80
01800770 Disconnecting the SmartConsole session while creating or configuring VSX objects can corrupt the management database, after which the Administrator is unable to make any changes to the VS. The "Internal Error: Cannot get object XXX from table vs_slot_object" message pops up.  R80 
01864532

After a failure in the VSX cluster creation wizard, if Cancel is clicked, the wizard closes, but the VSX cluster and VSX cluster member objects are not deleted.

  • Workaround: Delete the VSX cluster and VSX cluster member objects manually. 
R80
01960696 The Tasks tab -> Script Results supports up to 10,000 characters only.  R80
02500051 In R80 and higher, multiple administrators can connect to the management with SmartConsole in write mode, at the same time. Therefore, switching between Read only and read-write mode, which was often used in previous versions, is not an option in SmartConsole.  R80
01652566, 01693617 When publishing a remote session through the Sessions View, there is no option for updating the session name and the description. Before you can publish a session, you must connect to it and set the session name and description. R80
01885225 Gateway packages do not show for Domain gateways, when you open SmartUpdate from the SmartConsole Multi-Domain view. You must connect to SmartConsole for each Domain to see the packages for its gateways. R77.30
PMTR-10186,
PMTR-567
SmartConsole is not disconnected after the time specified in SmartConsole -> Manage & Settings -> Permissions & Administrators -> Administrators -> Idle Timeout.  R77.30
01931336,
01816368
A customized role that has no write permissions, does not appear as read-only in the session view, although it is actually read-only. R77.30
02565748,
02566223
SmartConsole does not get the topology of VTI interfaces from cluster members running on Gaia Embedded OS.
Refer to sk119832
R77.30
MB-77

Administrators with Customized permission profile cannot manage VSX objects. 

  • Workaround: Use Read/Write all permission.
R77.30
SmartEvent
PMTR-21615 A query that refers to "Scan result" and "Destination DNS Hostname" fields will not be resolved. R80.20
PMTR-5701 The version of a dedicated SmartEvent Server has to be the same or higher than the version of the Security Management Server. Refer to sk133954. R80.20.M1
- SmartEvent Intro is not supported. R80.10
- SIC problem with the global SmartEvent object managing a Global SmartEvent object from the Domain/CMA that has the global object assigned to it. R80.10
02502558 SmartEvent cannot be enabled on a 5400 Security Appliance. R80.10
02478455 Events Grid is missing from SmartEvent. R80.10
02478452 The Ticketing feature is missing from SmartEvent. R80.10
02422716 For SmartEvent connected to R77.x Security Management Server or Multi-Domain Management Server: If an object is not listed in the Log Servers table in the Correlation Unit settings, change the object from the SmartConsole (for example, its color). This will cause the re-synchronization of the object. R80.10
02484638 After disabling Firewall sessions in the SmartEvent policy, the records of Firewall sessions disappear from reports and views. If you enabled Firewall sessions in order to see Firewall data in reports or views, generate the report or examine the view *before* disabling Firewall sessions. R80.10
02499980 For Global SmartEvent connected to a Multi-Domain Management Server: Search suggestions from SmartConsole appear for Super Users only (Multi-Domain Super User and Domain Super User). R80.10
02551294,
02569029,
02556817
Legacy SmartEvent GUI crashes with core dump file at 65% "Getting list of active products..." when connecting directly and not with SmartConsole R80.10.
Refer to sk120076.
R80.10
PMTR-7398,
PMTR-7474
Upgrade of SmartEvent server from R80 to R80.10 fails with "Internal error in a hook script: fw1/bin/hook_fw1_wrapper_HOTFIX_R80_10. Contact Check Point Technical Services for future assistance." error.
Refer to sk123013.
R80.10
02101182,
02107751
SmartEvent stability problem while connecting to Multi-Domain Management.
Refer to sk112238.
R80
01995448

On a R80.10/20 dedicated SmartEvent server which is assigned to MDS, when you enable or disable a blade, the license information is not immediately updated. An automatic update takes place at midnight. To update immediately:

  1. On server's command line, run:
    $CPDIR/bin/esc_db_complete_linux_50 activation_data entitlement_data.

  2. If you manually change a license or contract, the changes take effect immediately.
R80
02559461,
02562448
Mail alerts that contain IPv6 show 0.0.0.0 instead of the real IP address.
Refer to sk119714
R77.30
02331551 It is not possible to generate a separate report for each Domain Management Server in R80.x SmartEvent.
Refer to sk113494.
R77.30
PMTR-12033 "Update CONF failed: The plug-ins that are installed on the Security Management server do not match the plug-ins that are installed on the Log Server" error when installing database from pre-R80 Security Management server on SmartEvent or Correlation Unit running R80 and above.
Refer to sk110894.
R77.30
01940335 In R80.x, you can only define SmartEvent at the global level and then configure it to read logs from one Domain or a number of domains. SmartEvent cannot be defined in a specified domain. R77.30
Logging / SmartLog
PMTR-22007 After upgrade to R80.20, the Log Exporter does not start automatically.  R80.20 
PMTR-22189 After you revert from R80.20 GA to a R80.10 or R80 version, the log files and log indexes that were created on the R80.20 will be lost.
If you upgrade again to R80.20 GA, all logs will be visible again with one exception - the log index created on the day of the revert (from R80.20) may be partial. 
R80.20 
PMTR-22353,
PMTR-22349

After upgrading from R80.10 to R80.20 M1, the log indexes from R80.10 are unusable, but remain on the disk. If a maintenance routine to delete log files was running while the version was still M1, the R80.10 indexes are not deleted. When upgrading to R80.20 GA, this may cause empty lines in SmartLog.

  • To resolve, delete the R80.10 log indexes after upgrading to R80.20 M1. Refer to sk127652
R80.20.M1
PMTR-12635 When you right-click in an Anti-Virus or Anti-Bot log from R77.30 Security Gateways and select "Save as Packet Capture...", it opens an email file with the attached packet capture file, instead of saving it. This is the same behavior as in the option "View Packet Capture".  R80.20.M1
PMTR-14367 During upgrade, the Log Exporter configuration is not transferred.
  • Recommended solution: Rebuild the Log Exporter configuration from scratch using sk122323.
  • Alternative solution: Follow sk127653 to save the configuration manually before the upgrade, and then restore it after the upgrade. 
R80.20.M1
02326352 Reading logs through LEA which were configured manually on the SmartLog custom settings file is not available in R80.10. R80.10
02459033 On Security Management Server with "Enable Log Indexing" option not selected, and a dedicated Log Server with "Enable Log Indexing" option selected: When you connect with SmartConsole to the Security Management Server, the Logs view shows the logs of individual log files. It is not possible to get a unified view of all the logs. R80.10
02478533 SAM rules are not supported from SmartConsole. R80.10
02478527 Purge, log switch and fetch file are not supported from SmartConsole. R80.10
02444795 When using the Check Point Management Server as an external log server for a locally managed Small Office appliance, SmartLog is not supported. Only SmartViewTracker is supported for this configuration. R80.10
02488000 In Management High Availability, the indexing mode should be the same on both primary and secondary servers. R80.10
02495815 Correlated "Web Browsing" events are not shown by default.
  • To see: in SmartEvent, go to Event Policy -> Legacy ->Web Browsing, right-click and select "Event Format". Replace the field "URL" with the field "Resource".
R80.10
-

In a Multi-Domain Management environment, you cannot have a dedicated Log server for a specific Domain/CMA.

  • Workaround: configure a Multi-Domain Log Server with only one CLM.
R80
02022292 "Save As" to a log file is not supported. R80
02022294 Fetch local files from a remote machine is available from command line only.  R80
01914623 SmartView graphics do not display properly in Internet Explorer. Accessing SmartEvent server from the web (SmartView) is supported only from Google Chrome and Mozilla Firefox.  R80
01964600

Correlation units can be added to a remote Log server in this way only:

  1. In SmartConsole, edit the Correlation unit object and configure it as a Log server.
  2. On the SmartEvent server, go to the Correlation unit policy configuration and configure the Correlation unit on the SmartEvent server to read the logs from the remote Log server configured in Step 1.
R80
- SmartLog Indexing mode is not enabled by default after upgrade or new installation, on Smart-1 205, Smart-1 210, or Open Servers with less than 4 cores. R80
- To change SmartLog mode from Indexing to Non-Indexing on a Domain Management Server or Domain Log Server, edit the Domain Server object on the Domain level. There is no option to change the entire Multi-Domain Server or Multi-Domain Log Server to Non-Indexing mode. R80
- In SmartLog Non-Index mode: free text search is applied only on specific fields like source, destination, service, etc.; there is no Top results pane, and the Threat Prevention Rulebases and Profiles logs tab do not show log results. R80
- Users connected with SmartConsole to specific Domain, will not be able to see Global objects assigned to this Domain in SmartLog logs results, and cannot search by Global objects (but can search by IP address). R77.30
SmartView Monitor
00545271 Block Intruder (SAM) is not supported. R80
02537633, 02539688 "Top QoS Rules" view in SmartView Monitor shows that almost all traffic matches the "No Match" rule when SecureXL is enabled on Security Gateway. Refer to sk118720 R77.30
SmartProvisioning
PMTR-14226 When changes to a ROBO Gateway object are not published, unexpected shutdown of the Security Management Server or SmartProvisioning GUI client might leave the ROBO Gateway object in a locked state. 
R80.20.M1
PMTR-1568 When working with LSM managed Security gateways in a Management High Availability environment, creating and working with LSM gateways must be consistent: they can only be used on the Security Management server on which they were created.
Using the secondary Security Management server might lead to inconsistent actions/status related to LSM objects.
R80.20.M1
PMTR-3724 It is not possible to configure internet connection over DSL for 1100, 1430, 1450 appliances using SmartProvisioning. R80.20.M1
PMTR-4436

After a major upgrade of the Multi-Domain Management Server, opening the SmartProvisioning client fails, displaying "SmartProvisioning was not enabled on the Security Management Server or no valid license was found..." error.

  • To resolve, enable LSM on each relevant Domain Management server by running the "LSMenabler on" command.
R80.20.M1
PMTR-15599 SmartProvisioning R80.20.M1 does not support LSM Profiles of type "Check Point Appliance/Open Server Gateway" with version "R80.10" (lower versions are supported).  R80.20.M1
PMTR-8209 After a major upgrade to a Security Management Server, LSM profiles lose their installed policy and new devices attached to them are not able to fetch a policy.
  • To resolve, install policy on the LSM profiles.
R77.30
Endpoint Security (SmartEndpoint)
PMTR-7431

When you enable the Endpoint Policy Management blade on a Security Management Server, the connection to these services automatically changes from the default port 443 to port 4434:

  • Gaia Portal 
  • SmartView Web Application 
  • Management API Web Services
If you disable the Endpoint Policy Management blade, the services connection port automatically changes back to the default 443.
R80.20
PMTR-11057

"An internal server fault has occured" server error is shown when logging in to the SmartEndpoint GUI client with a custom administrator created in SmartConsole with the name "endpoint".

  • Workaround: Create an administrator with a different name.
R80.20.M1
SMB Appliances
PMTR-3327 After upgrading to R80.20 M1, you must install Access Policy before installing Threat Prevention Policy. Otherwise, the Threat Prevention Policy installation may fail. R80.20 M1
02473736,
02300903
A QoS policy cannot be prepared in advance for R75.20 1100 appliances, to be fetched later. QoS policies must be installed and cannot be pulled.  R80.10
02403004

When installing policy on a Small Office Appliance without establishing SIC, an incorrect warning message is shown for the Threat Prevention policy: "Installation pending, waiting for first connection".

  • Establishing SIC resolves the issue and policy installation can be performed. 
R80.10
02513131

In Small Office appliance policy installation, services that are manually configured with INSPECT code including the definition "CALL_XLATE_FOLD_FUNC (..." will cause a policy installation failure.

  • Workaround: remove the "_FUNC" from the definition and use "CALL_XLATE_FOLD (..."
R80.10
01921211 R80.x Security Management cannot manage Security Gateway 80 appliance with a firmware version that is lower than R75.20.  R80
01939263 "Commit function failed" error on policy installation failure on 1100 series appliance.
Refer to sk105217.
R77.30
01914944,
01917280
"SIC error" status might occur when the gateway object is defined in a "Management first" scenario before it is deployed, but the device's IP address is already accessible. The Security Management tries to create SIC with the gateway's IP address. Instead of the policy ending in a "waiting for first connection" status, an error message states the SIC status must be rectified first. R77.30
Smart-1 Appliances
PMTR-13952 On Smart-1 25B, Smart-1 50, and Smart-1 150 appliances, running the "set ip" and "add users" commands from Gaia Clish is not supported. These commands are still available directly in LOM UI.
R80.20.M1
Networking
01622840 IPv6 addresses for management interface are not supported on R80.20 Security Management Server. R77.30
Compliance
PMTR-9124

After an upgrade of a Management Server with enabled Compliance blade from R77.20 or lower versions to R80.x:

  1. The "Dev Mode: ON - Syntax error: Unable to get property 'icon' of undefined or null reference at line: undefined" error can appear in the Compliance blade reports.
  2. "Compliance Statuses" contains the words "Low" instead of "Poor" and "High" instead of "Good".
Refer to sk123613.
R80.20.M1
02458793 In a Multi-Domain Management environment, in the local domain policy, some Compliance best practices, which validate the status of rules in the policy, incorrectly identify the section header, "Parent section for domain rules," as a rule, and report it as not valid.
  • Workaround: manually exclude this result from the Best Practices view.
    In the Best Practices view, select the practice. In the bottom pane -> Relevant Object section -> double-click the desired rulebase object and disable the rule/section from the list.
R80.10
02510421 

In the Compliance blade, if you deactivate a relevant object of a best practice and then make a change in the relevant object, the relevant object changes to be active.

  • Workaround: deactivate the relevant object again. 
R80.10
02449324, 02478559  In a Multi-Domain environment, policy changes in the Global Compliance Policy do not trigger a partial Compliance scan.   R80.10 
02478814 When there is more than one policy, and a rule changes, Application Control and URL Filtering Best Practices will show incorrect scores until a full scan is run.  R80.10 
02167534

Compliance Blade does not contain Compliance Overview Report.

  • To have the Compliance Overview Report, deploy a SmartEvent server and enable SmartEvent. Then find it at Logs & Monitoring -> new tab -> Reports -> Compliance Blade. 
R80
01958788,
02030225

The SmartConsole client is not aware of license or quota changes in real time - Alert for 'License quota Exceeded' does not pop-up immediately when the license quota is exceeded.

Reopen SmartConsole in Compliance blade to see the license changes.
Quota data changes in the entitlement or Compliance will be updated after:

  • Compliance midnight scan
  • License changes
  • cpstop;cpstart
R80
-

Compliance Blade regulation reports do not contain the Best Practices themselves.

  • To see the Best Practices, deploy a SmartEvent Server, enable SmartEvent and create a customized report. 
R80
CloudGuard Controller
  For R80.20 CloudGuard Controller Known Limitations, refer to sk128612  


