• We recommend to upgrade to R80.40 - the latest widely recommended version. 
  To upgrade to R80.30, install R80.30 Jumbo Hotfix after the advanced upgrade is completed.

To upgrade a R77.30 or R80.10 Security Gateway with ICAP Client hotfix to a R80.20 Security Gateway:

1. On the R77.30/R80.10 Security Gateway, back up the current ICAP Client configuration file ($FWDIR/conf/icap_client_blade_configuration.C).
2. Upgrade the R77.30/R80.10 Security Gateway to R80.20, or perform a Clean Install of the R80.20 Security Gateway.
3. Configure the ICAP Client from scratch as described in the R80.20 Next Generation Security Gateway Guide - Chapter "ICAP Client".
   Note: 
   
   • You can use the backed up ICAP Client configuration file from the R77.30 Security Gateway as a reference only.
   • You must explicitly confirm the disclaimer (run the script IcapDisclaimer.sh in the Expert mode).
4. To inspect the HTTPS traffic with the ICAP Client, enable the HTTPS Inspection and configure the HTTPS Inspection rules.
5. Install the Access Control policy on the R80.20 Security Gateway.

When you perform a clean install of an R80.20 on top of an existing previous version, the following error might appear after the keyboard layout selection screen: 

Warning: /dev/sda contains GPT signatures, indicating that it has a GPT table. However, it does not have a valid fake msdos partition table, as it should. Perhaps it was corrupted - possibly by a program that doesn't understand GPT partition tables. Or perhaps you deleted the GPT table, and are now using an msdos partition table. Is this a GPT partition table?

In such case, select "Yes" several times to continue with the installation.

Interface that uses the tg3 driver is not able to set the speed to 1000 Mbit/sec in the following scenario:

1. The interface is connected to a 1000 Mbit/sec switch port
2. Disable auto-negotiation of the speed on the interface
3. Manually configure the speed on the interface to 10 Mbit/sec or 100 Mbit/sec
4. The speed on the interface is set at 10 Mbit/sec or 100 Mbit/sec
5. Enable the auto-negotiation again
6. The speed on the interface stays at the previous value of 10 Mbit/sec or 100 Mbit/sec 

To upgrade an R77.30 Security Gateway with ICAP Server to an R80.20 Security Gateway:

1. Back up the current ICAP Server configuration files (to use as a reference only):
   • $FWDIR/c-icap/etc/libsb_mod.conf
   • $FWDIR/c-icap/etc/c-icap.conf
   • $FWDIR/c-icap/etc/c-icap.magic
   • $FWDIR/c-icap/etc/virus_scan.conf
   • $FWDIR/c-icap/share/c_icap/templates/virus_scan/en/VIRUS_FOUND
2. Upgrade the Security Gateway to R80.20, or clean install the R80.20 Security Gateway.
3. Configure the ICAP Server from scratch in SmartConsole as described in the R80.20 Threat Prevention Administration Guide.

• Workaround: change the order of the rules so that rules with legacy objects are above rules with new features.

CRL validation is not supported in pure IPv6 environments (when IPv4 addresses are not configured on the Security Gateway's interfaces).

The following apply to the "Archive File" Data Type: The Content Awareness blade inspects the "Archive File" Data Type. The "Archive File" Data Type is extracted, and its inner files are separately inspected together with the Data Type.
Therefore, during the policy configuration, administrator has to pay attention when using the "Archive File" Data Type in a Compound/Group Data Type and in an Inline layer parent rule. 

• Using a Compound/Group of "Archive File" with, for example, "PCI - Credit Card Numbers", does not match the archive that contains a file with the credit card numbers. You can use a specific File Type with "PCI - Credit Card Numbers" in this rule.
• Using the "Archive File" in a rule that leads to Inline Layer does not match the Data Type inside that layer. You can use a specific File Type in this rule.
• If the "Archive File" is located above other Data Types, the lower rule can be matched for some of the inner files, in addition to the rule that contains the "Archive File".

"Internal error occured" message when trying to assign/reassign a Global Configuration at the same time that an IPS update is running on a local Domain.

• Workaround: First run the IPS update on the local Domain. Then assign/reassign the Global configuration. 

In R80.20, SAM is supported only for non-accelerated usage. Traffic connected to the Acceleration-ready 10G Interface Card (CPAC-ACCL-4-10F-21000) will be handled by the host. 10G Ports on the CPAC-ACCL-4-10F-21000 cannot be assigned as SAM ports in R80.20.

ClusterXL R80.20 and higher does not support Load Sharing mode. Therefore, SmartConsole blocks such configuration with a warning message.

In PIM Dense Mode, when a new PIM router joins the existing network, it may take up to two cycles of PIM prune timer and/or downstream IGMP report interval, for the intended multicast traffic to start flowing.

• To improve the PIM-DM responsiveness, user can enforce the local-groups / static-groups configuration. 

When advertising IPv4 routes over an IPv6 BGP session, one of the following needs to be true:

1. Routemap is used to set the nexthop of the IPv4 routes
2. The interface used for the BGP session needs to have an IPv4 address 

When advertising IPv6 routes over an IPv4 BGP session, one of the following needs to be true:

1. Routemap is used to set the nexthop of the IPv6 routes 
2. The interface used for the BGP session needs to have an IPv6 address

On a Security Gateway that is configured with DHCP relay and automatic Hide NAT for the network(s) that the DHCP requests come from, DHCP offers are dropped at the gateway.
This message shows: fw_log_drop_ex: Packet proto=17 40.81.81.3:67 -> 44.81.81.6:67 dropped by fw_conn_inspect Reason: post lookup verification failed;

• Workaround: before the Hide NAT rule, add a NAT rule that prevents the translation when traffic is on port 67, and is going to the DHCP server. Make the NAT similar to this:
  

  Original Packet: Source = Source network(s) for DHCP requests       Destination = DHCP server Service = UDP_bootp

  Translated Packet: Source = Original Destination= Original Service = Original

• To prevent: wait for OSPF GR to finish. Use "show ospf interfaces" or "show ospf summary" commands to see the status.

• Do not delete an interface before deleting the associated cluster VIP from the SmartDashboard.

• Workaround: disable ECMP for BGP when using IPv6.

• To prevent: do not fail over members if an OSPF neighbor is in the process of restart.

• To prevent: make sure there are no route or topology changes during the process.

• To prevent: make sure that self-routes do not become active in a BGP Multi-hop deployment.

1. Delete Outlook Anywhere rule from reverse proxy.
2. Run "cvpnrestart --with-pinger" to close all Outlook Anywhere open connections.
   If you do not perform step 2, open connections of Outlook Anywhere will not be closed and users can still work with it.

• Make sure that the /etc/resolve.conf file is configured properly or use this workaround:
  Change the value of 'vsxMountWithIPAddress' property in $CVPNDIR/conf/cvpnd.C file from 'false' to 'true'. The file share will use the host IP address for the mount instead of the hostname. 

• If you do not want Dynamic ID authentication for Capsule Workspace users, disable it in:
  Gateway Properties -> Mobile Access -> Authentication -> Compatibility with Older clients -> Settings -> Capsule Workspace section -> clear Enable DynamicID.
  
  For VSX, this configuration is done per Virtual System.

Communication errors occur between the Security Gateways managed by R80.20 M1 Multi-Domain Server and participating in Global VPN Communities when there are more than one certificate for the same Internal CA.
Refer to sk136972.

• Workaround: Configure the VPN site again on the client.

•  DAIP devices deployed as VPN Satellite gateways, do not support VPN link fail-over between a static link (using permanent IP address) to the DAIP link, and vice-versa.
• Trusted interfaces are not supported for DAIP devices.

An upgraded cluster member goes into Ready state after the reboot, even before the rest of the cluster members are upgraded.

• Workaround:
  
  1. Run the cphaprob state command to verify that all the Virtual Systems are in Ready state.
  2. Run the ps -elL | grep fwk command to verify that fwk process is running on every Virtual System.

After you upgrade Management Server, or dedicated Log Server / SmartEvent to R80.20.M1: 

• Only logs from the last 24 hours indexed. You can see all previous logs by opening the log file in SmartConsole.
• New logs are indexed as expected according to the settings in the Management Server or Log Server / SmartEvent object -> Logs.

Refer to sk127652.

• It is not supported to perform a Clean Install of R80.20.M1 Security Management Server or Multi-Domain Security Management Server in CloudGuard for Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or any other cloud providers.
• It is not supported to upgrade to R80.20.M1 a Security Management Server or Multi-Domain Security Management Server that runs in CloudGuard for Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or any other cloud providers.

• To upgrade a Secondary Multi-Domain Server from R80.20.M1 to the next version, users must perform a clean install of the next version on their Secondary Multi-Domain Server and connect it to their next version Primary Multi-Domain Server.
• To upgrade a Multi-Domain Log Server from R80.20.M1 to the next version, users must perform a clean install of the next version on their Multi-Domain Log Server and connect it to their next version Multi-Domain Server.
• To upgrade a secondary Security Management Server from R80.20.M1 to the next version, users must perform a clean install of the next version on their Secondary Management Server and connect it to their next version Security Management Server.

1. Connect with SmartConsole to the Global Domain on your R80.20.M1 Multi-Domain Server.
2. Reassign all Global Policies to all applicable Domains.
3. Do not publish any changes in the Global Domain until you complete the upgrade to the next available version.
   Note: This is necessary to avoid any potential issues caused by different policy revisions on the Global Domain and on the Domains.
4. Perform the upgrade from the R80.20.M1 to the next available version.

• Upgrading Multi-Domain Servers in High Availability to R80.20 may fail with synchronization errors when a Domain exists on primary Multi-Domain Server but does not exist on secondary Multi-Domain Server, or when a Domain exists only in Secondary Multi-Domain Server (no High Availability in Domain level). 
• High Availability synchronization fails on Multi-Domain Server level after Domain deletion or after updating licenses or contracts in SmartUpdate.

Note:

• Refer to sk151072
• Resolved in R80.20 Jumbo HotFix Take 47 and R80.20 GA Take 117. Either run an Advanced upgrade with the latest Jumbo HFA or run the CPUSE Upgrade with the R80.20 GA Take 117 to avoid the upgrade failure.
• In the same MDM scenario, similar issues may occur post-upgrade when launching SmartUpdate in R80.20 without the resolution in Jumbo HotFix Take 47.

After upgrading a Full HA deployment, policy installation fails due to SIC problem with the secondary member.

• To resolve, re-establish SIC between the active and standby members.

After upgrade of 1180 and 1450 appliances, the "Gateways & Servers" view does not show version numbers in the Version column.

• To see the version numbers, open the gateway object for editing, make sure the correct version is selected and click OK.

After upgrade, SmartConsole disconnects from the server during the first policy install.

• Before a first policy installation on Standalone servers, allow the CPM service in the Services & Applications column of the rulebase.

"Database is locked" error message when running the migrate_export command on a R7x Security Management.

• Run cpstop or mdsstop and attempt the export again to resolve.

• On the Security Management server, run "evconfig" to enable the SmartEvent server.

After upgrading, the Gateway Properties -> HTTP inspection page shows "Failed to load Plug-in Page: SSLInpectionPage". 

• To resolve, perform the following on the Security Management server:
  • Run cpstop 
  • Delete the $FWDIR/conf/newDleSchema.xsd file 
  • Run cpstart

If you have gateways of different R77 versions and GX is enabled on a R77.30 Security Gateway only, policy installation will fail. 

• Use the "Install On" column for the GTP rules.

The Linux "iotop" utility might stop working when pressing the "i" key in the following rare scenarios:

• Working in virtual environments (such as Hyper-V) 
• Terminal application uses specific virtual terminal settings (such as specific SecureCRT terminal settings) 

"[Firmware Bug]: the BIOS has corrupted hw-PMU resources" message may appears in the output of "dmesg" command on any HP ProLiant Server running Gaia R80.20.M1. 

• You can safely ignore this message - it does not indicate an issue with the functionality or performance of the Operating System or the server. 
  For details, see Hewlett Packard Enterprise Customer Advisory c03265132.

When connecting to the network interfaces page in the Gaia Portal, an "Unable to connect to server" error shows.

• To resolve, disable the Adblock EasyPrivacy extension of the Adblock plus add-on and try again. 

• "Cannot install Check Point Security Management Server. Incompatible hardware" 
• "Internal Error: Cannot install Check Point Security Management Server"
• "Cannot install Check Point Security Management Server. Please contact Check Point Technical Support."

• /etc/.wizard_accepted - means that the First Time Configuration Wizard has finished.
• /var/log/ftw_install.log - means the First Time Configuration Wizard has started and the user must wait until the file /etc/.wizard_accepted is created.

These products do not support the new licensing visibility features:

• Network Security: Advanced Networking and Clustering, Capsule Cloud and Capsule Workspace.
• Security Management: Endpoint Policy Management, SmartPortal, User Directory (LDAP).
• Multi-Domain Management: Security Domain
• Remote Access & Endpoint

On pre-R80 gateways, license information is updated every 20 minutes.
To force a license update, perform one of the following actions:

• Either install security policy on the pre-R80 gateway

• Or on the R80.10 Management Server, run the following command in Expert mode:

  • On Security Management Server:

    [Expert@HostName]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>

  • On Multi-Domain Security Management Server:

    [Expert@HostName]# mdsenv <Name of Domain Management Server>
    [Expert@HostName]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>

• To resolve, run the cprestart command on the Management Server.

On a Pre-R80 SmartEvent NGSE dedicated machine, license information is not automatically updated when Installing Database.

When you enable or disable a blade, one of the following will update the license information with the change:

• If you force a license update, changes occur immediately.
  To force a license update: On the R80.10 Security Management Server, run the following command in Expert mode:
  [Expert@HostName]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>
• Automatic update at midnight
• If you manually change a license or contract on a dedicated machine, changes take effect within 20 minutes

"cat: /proc/self/vrf: No such file or directory" message is displayed for a short period of time when running cpview.

• This is a cosmetic issue and has no affect on the system.

Exporting R80.20 database using migrate_server export may result with a "Failed to export: Export failed." or "Failed during export process" error message. For details see sk142752.

Login to the Secondary Management Server can fail if the SIC certificate is pushed to the Secondary Management Server before its CPM server is up. In this case, the SIC is established, but the login to the Secondary Management Server fails until the CPM server is restarted and reloads the new certificate.

• To resolve, wait until the CPM server is up, before you establish trust with the Secondary Management Server. This way, the CPM Server restarts automatically due to the SIC establishment and the login succeeds.

"Publish failed" error on Publish / Discard operation failure after switching the Primary Management Server from Active to Standby and back to Active in Management HA deployment.
Refer to sk129952.

• To resolve the conflict:
  
  1. Open a command prompt on the Management server
  2. Run cpconfig to create a new administrator account with a unique name
  3. Run cpstop;cpstart

• Workaround: stop and start the server (run cpstop;cpstart) after adding the new license. 

In some scenarios, re-assign or removal of global assignments succeeds, but changes that were not yet published at the Domain become conflicted. The SmartConsole for the Domain becomes unstable and can show: "Could not load selected policy".

• In this situation, Discard the changes that were not published in SmartConsole.

Policy installation fails with "Policy installation failed on gateway 0-2000040" error and log: "fw_atomic_add_spii_parameter: Failed to get object named <object_name>".

• Workaround: for all hosts with a server configuration, unselect the servers. Publish the session, then select the servers again, and publish again. For details refer to sk154435.

If you create an administrator in cpconfig, you must run cpstop and cpstart, as instructed by cpconfig. After cpstart, no administrators are shown in cpconfig. Administrators configured before the upgrade to R80 are also not shown in cpconfig.

• Manage administrator accounts through SmartConsole. 

"Check your connection settings (Proxy, DNS and gateway)" error shows after IPS and Application Control & URL Filtering update fails if there is no proxy defined.

• To resolve the problem, run cpstop and cpstart and try again. 

Fail to add a VSX objects (router, switch, or system) from the secondary Multi-Domain Management Server when the primary server is powered off. The creation wizard fails to open and an "Operation finished successfully message" shows.

• To resolve the issue, power on the primary Multi-Domain Management Server and try again.

When selecting the "Use Gaia administrator: admin" option in the First Time Wizard, it lets to reuse the Gaia administrator password for SmartConsole. If you later change this password in SmartConsole, the Gaia administrator password remains unchanged.

The Revisions View is not updated for changes in Trusted Clients and some environment settings in Management & Settings.

These commands are not supported in the SmartConsole's CLI: login, logout, discard and publish. Use the SmartConsole GUI instead.

Applications like Provider.exe and Fwpolicy.exe (SmartDashboard) cannot be used to connect directly to the Security Management server or the Multi-Domain Security Management server. 

• Workaround: use SmartConsole.exe

1. On the Security Management server, run: cpca_client set_sign_hash sha1 (refer to sk103840)
2. Install Database.

lvm_manager fails to resize partitions with "ERROR :Cannot kill process (id XXXXX)".

• Workaround: Boot the machine into Maintenance Mode and then run lvm_manager.

Upgrading a Multi-Domain Management Server with a Global VPN Community from R80.20.M1 to R80.20, from R80.20.M1 to R80.20.M2, and from R80.20 to R80.20.M2, is not supported.

Upgrade of a Multi-Domain Server from R80.20 GA to R80.20.M2 is not supported if Install Policy Presets are used. Refer to sk142132.

In Multi-Domain Servers Management HA environment, if Administrator installs policy from the Active Domain on the Security Gateway / Cluster object and performs Management HA from the Active Domain to the Standby Domain, Administrator must install policy from the new Active Domain on the Security Gateway or Cluster object. Otherwise, when upgrading the Multi-Domain Servers to R80.20, SIC communication can be lost with the Security Gateway or Cluster Members.

• Workaround: Change the state of the Standby Domain to the Active, and manually synchronize the Domains.

R80.20.M1 and R80.20 GA Multi-Domain Security Management does not support IPv6 address configuration.

Threat Prevention policy fails to open with the "Rulebase initialization failed" and "One or more errors occurred" error message after upgrade of Multi-Domain Server to R80.20.M1.

• Workaround:
  1. Assign the Global Policy (without assigning or installing other policies).
  2. Open the Threat Prevention policy.
  3. Remove the assignment of the Global Policy.

"Failed to save object....Server error is: An internal error has occured. (Code: 0x8003001D, Could not access file for write operation)" error when creating a Security gateway object on the Domain Management Server that is currently active on the secondary Multi-Domain Management server.

• To resolve, run the "mdsstop ; mdsstart" commands on the secondary Multi-Domain Management Server.

"Can not start the operation. You should disconnect all GUI Clients from this Security Management Server." error message when running the MDS backup. Refer to sk142534.

When running Global Domain Assignment on one Multi-Domain Server for a Domain that is active on a different Multi-Domain Server, the task can stall at 5%. After a few minutes a message shows : "timeout during task progress: Could not get information regarding task completion from MDS_1 'MDS_2'.

• Workaround: Run Reassign Global Assignment on the Domain from the first or second Multi-Domain Management Server.

• To fix, the session changes must be discarded.

• To change an OPSEC application permission profile, use the OPSEC application editor and create a new permission profile.
  Use dbedit/GuiDBEdit to delete old or unused profiles.

• This message can be ignored.

• If there is a sync failure, make sure sessions on a different peers do not lock the same object.

• Run cma_migrate on the server with the active global policy.

• To unlock the administrator, run the CLI command unlock-administrator on the Standby Management Server.

• Workaround: remove the invalid license according to the signature that appears in the error message.

• To prevent this, make sure the interfaces are enabled before starting the processes (cpstart, mdsstart).

In a High Availability deployment of Multi-Domain Security Management Servers, until the MDS that hosts the active Domain server has been upgraded, it is not possible:

• To edit an administrator assigned to that Domain
• To edit a client assigned to that Domain
• To view global assignments of that Domain

Password configuration in SmartEndpoint for FDE preboot users, WebRH administrators and client uninstall password is limited to a maximum of 12 characters.

Desktop Policy tab does not appear in the following scenario: 

1. Open the SmartConsole in Read-Only mode, or log in with Read-Only credentials.
2. In the left navigation panel, click Security Policies.
3. In the Access Control section, click Desktop -> Open Desktop Policy in SmartDashboard.
4. Legacy SmartDashboard opens without the Desktop Policy tab.

When creating a new Cluster object in SmartConsole with the Wizard Mode, if you do not add Cluster members or do not initialize SIC with the Cluster members, the "Optimizations" -> "Capacity Optimization" setting in the cluster object may set to "Manually", instead of the default "Automatically". The "Automatically" option is grayed out, if the OS of the Cluster object is unknown. Refer to sk141933.

• Workaround: Perform Application Control & URL Filtering update.

A Remote Access community object is not supported in the parent rule of an inline layer where the action is "Inline Layer".

• Workaround: use "Any" instead of the Remote Access community object. You can use the Remote Access community object in the rules in the inline layer.

The Device and License Status of Threat Emulation is incorrect when there is a trial license on the Security Gateway.

• Use the Logging -> License Status view. 

This procedure for renewing an expired HTTPS Inspection certificate does not work:

1. Open the SmartDashboard GUI client
2. Renew the HTTPS Inspection certificate.
3. Close SmartDashboard.
4. Install the Policy in SmartConsole.
   
   SmartConsole shows the certificate is still expired, and the certificate is not renewed.

• Workaround: After following the procedure, close and reopen SmartConsole.

• To resolve, restart the Management server using cpstop;cpstart commands or, for Multi-Domain Security Management, run mdsstop;mdsstart 

• Workaround: After you close the second Editor, click OK in the IF-MAP server editor. Open the IF-MAP server editor again.

• Workaround: The admin must first publish the new cluster object, then configure the correct IP address before enabling any blade. If the cluster is created via 'Classic' mode, there is no issue.

Slow rendering of SmartConsole and reaction to user interactions. Slow rendering can be a result of:

• Running SmartConsole through Remote Desktop (RDP) sessions. See sk123734.
• Environments with lower-end graphic hardware drivers. 
  Typical environments include Windows-Server 2012 and Virtual Machines.
  In this case, consider upgrading your DirectX driver or Graphics Card hardware. 

After a failure in the VSX cluster creation wizard, if Cancel is clicked, the wizard closes, but the VSX cluster and VSX cluster member objects are not deleted.

• Workaround: Delete the VSX cluster and VSX cluster member objects manually. 

On a R80.10/20 dedicated SmartEvent server which assigned to MDS, when you enable or disable a blade, the license information is not immediately updated. An automatic updates takes place at midnight. To update immediately:

1. On server's command line, run:
   $CPDIR/bin/esc_db_complete_linux_50 activation_data entitlement_data.
   
   
2. If you manually change a license or contract, the changes take effect immediately.

After upgrade, the Log Exporter does not start, fully update or show pre-upgrade exporters.

• To update and start, run: cp_log_export reconf; cp_log_export restart

• To see: in SmartEvent, go to Event Policy -> Legacy ->Web Browsing, right-click and select "Event Format". Replace the field "URL" with the field "Resource".

In a Multi-Domain Management environment, you cannot have a dedicated Log server for a specific Domain/CMA.

• Workaround: configure a Multi-Domain Log servers with only one CLM.

Correlation units can be added to a remote Log server in this way only:

1. In SmartConsole, edit the Correlation unit object and configure it as a Log server.
2. On the SmartEvent server, go to the Correlation unit policy configuration and configure the Correlation unit on the SmartEvent server to read the logs from the remote Log server configured in Step 1.

In VPN Community managed by SmartProvisioining:

• When adding SMB gateway to the VPN community, VPN tunnel may not been established.
• When changing security profile in VPN community, the VPN settings are not changed.
• Policy installation fails for cluster member of CO Gateway.
  
  
• Fixed in Jumbo Hotfix Accumulator for R80.20  Take 103

VPN tunnel of LSM gateway can not be established when CO gateway is managed by Security Management of higher version. Refer to sk106628.

• Fixed in Jumbo Hotfix Accumulator for R80.20  Take 103

• To resolve, refer to sk129894.

After a major upgrade of the Multi-Domain Management Server, opening the SmartProvisioning client fails, displaying "SmartProvisioning was not enabled on the Security Management Server or no valid license was found..." error.

• To resolve, enable LSM on each relevant Domain Management server by running the "LSMenabler on" command.

• To resolve, install policy on the LSM profiles.

When you enable the Endpoint Policy Management blade on a Security Management Server, the connection to these services automatically changes from the default port 443 to port 4434:

• Gaia Portal 
• SmartView Web Application 
• Management API Web Services

"An internal server fault has occured" server error is shown when logging in to the SmartEndpoint GUI client with a custom administrator created in SmartConsole with the name "endpoint".

• Workaround: Create an administrator with a different name.

When installing policy on a Small Office Appliance without establishing SIC, an incorrect warning message is shown for the Threat Prevention policy: "Installation pending, waiting for first connection".

• Establishing SIC resolves the issue and policy installation can be performed. 

In Small Office appliance policy installation, services that are manually configured with INSPECT code including the definition "CALL_XLATE_FOLD_FUNC (..." will cause a policy installation failure.

• Workaround: remove the "_FUNC" from the definition and use "CALL_XLATE_FOLD (..."

After an upgrade of a Management Server with enabled Compliance blade from R77.20 or lower versions to R80.x:

1. The "Dev Mode: ON - Syntax error: Unable to get property 'icon' of undefined or null reference at line: undefined" error can appear in the Compliance blade reports.
2. "Compliance Statuses" contains the words "Low" instead of "Poor" and "High" instead of "Good".

• Workaround: manually exclude this result from the Best Practices view.
  In the Best Practices view, select the practice. In the bottom pane -> Relevant Object section -> double-click the desired rulebase object and disable the rule/section from the list.

Compliance Blade does not contain Compliance Overview Report.

• To have the Compliance Overview Report, deploy a SmartEvent server and enable SmartEvent. Then find it at Logs & Monitoring -> new tab -> Reports -> Compliance Blade. 

The SmartConsole client is not aware of license or quota changes in real time - Alert for 'License quota Exceeded' does not pop-up immediately when the license quota is exceeded.

Reopen SmartConsole in Compliance blade to see the license changes.
Quota data changes in the entitlement or Compliance will be updated after:

• Compliance midnight scan
• License changes
• cpstop;cpstart

Compliance Blade regulation reports do not contain the Best Practices themselves.

• To see the Best Practices, deploy a SmartEvent Server, enable SmartEvent and create a customized report.