R80.20 GA and R80.20 Management Feature Release Resolved Issues
Solution

This article lists all of the issues that have been resolved in R80.20 GA and R80.20 Management Feature Release.

Important notes:

Visit Check Point CheckMates Community to ask questions or start a discussion and get our experts' assistance.


This article contains two sections:
  • List of resolved issues in R80.20 Security Gateway products

  • List of resolved issues in R80.20 Security Management products

 

List of resolved issues in R80.20 Security Gateway products

Table of Contents

  • Installation and Upgrade
  • Gaia OS
  • Security Gateway
  • Identity Awareness 
  • Anti-Bot
  • Threat Extraction
  • Threat Prevention 
  • URL Filtering
  • HTTPS Inspection
  • DLP
  • IPS
  • Mobile Access 
  • SNMP
  • Networking
  • SecureXL
  • ClusterXL
  • Routing
  • Appliances
  • VSX
  • LTE
  • SSL Network Extender
  • VPN
  • QoS
  • VoIP



ID Product Description
01868136 Installation and Upgrade After upgrading, the Gateway Properties -> HTTP inspection page shows "Failed to load Plug-in Page: SSLInpectionPage".
To resolve the issue, perform the following on the Security Management server:
  1. Run cpstop
  2. Delete the $FWDIR/conf/newDleSchema.xsd file
  3. Run cpstart
PMTR-9114 Installation and Upgrade Snort protections do not get enforced after upgrade from R77 to R80.10. Refer to sk123575.
02411778,
02421533,
02421989
Installation and Upgrade After upgrading a Full HA deployment, policy installation fails due to SIC problem with the secondary member. 
PMTR-14162,
SL-1121
Installation and Upgrade

After you upgrade Management Server, or dedicated Log Server / SmartEvent to R80.20.M1: 

  • Only logs from the last 24 hours are indexed. You can see all previous logs by opening the log file in SmartConsole.
  • New logs are indexed as expected according to the settings in the Management Server or Log Server / SmartEvent object -> Logs.

Refer to sk127652.

  • Resolved in R80.20 GA
PMTR-23040 Installation and Upgrade

R80.20 Pre-Upgrade Verifier executed on a Multi-Domain Server incorrectly fails with message: 
"Security Gateway object must have a valid value in the 'SD_profile' field
Description:
To continue the upgrade, please select a valid profile before upgrading. You can use the GuiDBedit Tool to do so.
To resolve the issue, the following objects should be corrected:
Please refer to sk132172 

g<Name of Security Gateway object with 'Enable global use' setting>"

02536858,
02537075
Gaia OS /var/log/CPbackup.elg file shows the following errors:
Error:'get_xml_val': cannot find XML:nil
Error : 'xml_text_to_hash': Failed to read <nil> from content buffer
Refer to sk118718.
01621547 Gaia OS In a Hyper-V environment, the Virtual Machine's clock (OS time) moves faster than the hardware (Host) time. As a result, the Virtual Machine's clock drift can accumulate rapidly and prevent NTP from working correctly. Refer to sk105862
02717143 Gaia OS Security Gateway stops advertising default route into OSPF NSSA area. Refer to sk123074
02711037 Gaia OS Cannot run scheduled backup using a Windows SCP server. Refer to sk122792
02669317,
02670441
Gaia OS Routed process enters slave/slave state after FWD stops working. 
PMTR-13910 Gaia OS 

Intel 10Gbps Network Interface Cards might not be visible during OS installation; however, they will be available once OS installation completes.

  • Resolved in R80.20 GA
PMTR-3479,
PMTR-6795,
PMTR-8235
Gaia OS Enhancement: OSPFv2 HMAC-SHA authentication (replaces OSPFv2 MD5 authentication)
PMTR-14334 Gaia OS

The "scponly" shell (a limited shell for secure file transfers) is not included in R80.20.M1. Other shells can be used instead - see the /etc/shells file.

  • Resolved in R80.20.M2
02707890 Gaia OS

The "save configuration" command saves users' real names without quotes. Refer to sk122689.

  • Resolved in R80.20 GA
01584742 Security Gateway "Get Interfaces" action on Security gateway returns error "Failed to save cpmi interfaces" if interface name includes space. Gateway interface names must not include spaces.
02518174 Security Gateway

If you do an exception on 'Any' Inspection Settings, the exception will not be enforced on these inspection settings:

  • ASCII only response
  • ASCII only request
02516897,
02518182
Security Gateway Memory leak in FWD process, followed by "Segmentation fault" error in /var/log/messages file.
ACM-1269,
PMTR-14597
Security Gateway

Enhancement: By default, R80.20 Security Gateway does not generate Firewall session logs (logs without application or protocol).
To enable the Firewall session logs:

  1. Open the Access Control policy
  2. In the relevant rule, click in the "Track" column, then click "More"
  3. In the "Track" field, select "Detailed Log"
  4. In the "Log Generation" section, select "Enable Firewall sessions" -> click OK
  5. Install the Access Control policy.
02422575,
02425040,
02428176,
02446698,
02447665
Security Gateway Stability issue on Security gateway.
02706593,
02706821
Security Gateway In some scenarios, Security Gateway crashes during policy installation.
Refer to sk122755.
02665634,
02671157
Identity Awareness DynamicID authentication randomly stops working after policy installation.
Refer to sk121213
IDA-630,
IDA-1041,
PRHF-171,
PRHF-208
Identity Awareness PDPD process stops working, creating a core dump file.
02329550,
02332115
Identity Awareness PDPD process stops working when traffic does not match the access roles.
02696520,
02697170,
PMTR-13781
Identity Awareness  Captive login portal page is shown in a baby frame of web site.
Refer to sk122257
02312837,
PRHF-61,
PRHF-131,
PRHF-132
Identity Awareness "Group membership of the required account (user or machine) could not be retrieved from the AD" log from Identity Awareness blade in SmartView Tracker.
Refer to Scenario #6 in sk106133
01559273,
01912184,
01936759,
01668821,
01570158,
01975585,
01566538
Identity Awareness After memory utilization problem, PDP process stops working creating core dump and Identity Awareness stops.
02517753 Identity Awareness Improved stability of PDPD daemon related to Captive Portal. 
02714694 Identity Awareness UserCheck daemon (usrchkd) crashes every few days. Refer to sk122953
IDA-623 Identity Awareness High CPU usage after policy installation when PDPD is running. Refer to sk122352
02736134,
02742263
Identity Awareness Identity Agent disconnects due to secondary session caused by a rare pipe communication error.
02536241,
02536491
Identity Awareness "ResolveUPN" registry key is not a part of the collected registry keys of IDA Config Tool while creating a new MSI package.
PMTR-19121 Anti-Bot Enhancement: Performance impact of Suspicious Mail Activity protection in Anti-Bot was changed to high and is now off by default. 
AVIR-215 Anti-Bot Anti Bot is dropping traffic although it is disabled. Refer to sk123075
02541266,
02543053
Threat Extraction User connected from mobile phone cannot send original e-mail to their mailbox through UserCheck portal. Refer to sk118856
02687319,
02691461,
02696459
Threat Extraction Persistence of UserCheck incidents is not preserved when quarantine time is very high.
Refer to sk122099.
PRHF-19,
PRHF-35,
PRHF-45
Threat Extraction Threat Extraction incidents are not stored for longer than 15 minutes.
Refer to sk124792.
02381073 Threat Prevention Custom Indicators CLI (load_indicators) is not supported. 
02516659,
02521220,
02521398
Threat Prevention A malicious attachment bypasses MTA and is received by an e-mail recipient even though a "Prevent" log was generated. 
02523152,
02160279
Threat Prevention Security Gateway with enabled Anti-Virus blade crashes in rare scenario.
Refer to sk117897
02526956,
02531120,
02529150
Threat Prevention The text that was configured in the Threat Emulation Profile (e.g., "[Malicious]") is not added to the mail subject of some e-mails with a malicious attachment.
Refer to sk118277
02649945,
TPM-464
Threat Prevention Threat Prevention Indicators are not upgraded and are missing when upgrading from R77.x to R80.10.
Refer to sk120515
TPP-59,
TEX-679
Threat Prevention In some scenarios, the in.emaild.mta process stops working on Security Gateway.
Refer to sk123754
PMTR-460,
TPM-302
Threat Prevention When loading a Structured Threat Information eXpression (STIX) file format with a non-ASCII character, the STIX parsing fails.
02518836,
02521095
Threat Prevention CPD becomes unstable during contract / license entitlement. 
PMTR-3908 URL Filtering The "Categorize HTTPS sites" feature does not work when HTTPS Inspection is enabled.
Refer to sk108202
PMTR-19768 HTTPS Inspection HTTPS Inspection is not supported for IPv6 traffic. Refer to sk90840.  
02439065,
02439802
HTTPS Inspection Security Gateway crashes with vmcore while creating the report (fw ctl sdstat report\stop). 
02457781,
02498183
HTTPS Inspection Applications, Dynamic objects and Domain objects are available for use in the HTTPS Inspection policy, but these objects are not enforced on the Security Gateway. Refer to sk119276
02561565,
02567387
HTTPS Inspection In rare scenario, Security Gateway can crash when Anti-Virus, Anti-Bot, or URL Filtering blade is enabled.
Refer to sk119955.
01910074,
01973174,
02327112
HTTPS Inspection In some rare cases, some HTTPS web sites are not categorized correctly when "Categorize HTTPS sites" is enabled.
Refer to sk110475.
02669935 HTTPS Inspection Skype for Business does not work when HTTPS Inspection is enabled and Security Gateway is configured as a proxy. Refer to sk121473
02535086,
02536889
DLP When Security gateway is enabled with proxy and DLP, HTTP connections to external sites are allowed on Implied rules.
Refer to sk118698
02515164 IPS

When you do an exception for 'Any' Core Protection, the exception will not be enforced on these protections: 

  • HTTP Header Patterns
  • HTTP URL Patterns
  • CIFS File Name Patterns
TPM-1093 IPS Enhancement: Check Point recommends not to set Staging mode for IPS protections in R80.20.
When activating IPS on a newly deployed R80.20 Security Management Server, Staging mode is not selected. The action of newly downloaded protections will be according to the profile settings (Prevent/Detect/Inactive).
When upgrading to R80.20, if IPS was using Check Point's out-of-the-box profiles: Optimized, Strict and Basic, Staging mode will no longer be selected. This means that the action of newly downloaded protections will be according to the profile settings (Prevent/Detect/Inactive).
02513631 IPS When an IPS protection is overridden, creating an IPS blade exception will not cause acceleration.
02335004,
02199090
IPS Geo-protection does not support whitelists. You cannot block all countries and only allow specific ones. 
Refer to sk110683
02523277 IPS After upgrade to R80.10, the excluded protections are disabled on all profiles, regardless of the value they had before the upgrade. 
IPS-247,
IPS-261,
IPS-267,
IPS-277,
IPS-292,
IPS-298
IPS Usermode core dumps are generated on the Security gateway when the user activates certain IPS protections.
02550531,
02551894
Mobile Access Sometimes mail addresses are truncated when sending the one-time password for DynamicID. 
Refer to sk119254.
02510647,
02511628
Mobile Access Pages not translated when header Content-Type: */* in HT Link Translation. Refer to sk117514
02526048, 01838814  Mobile Access Endpoint Security on Demand Secure Workspace does not automatically support Windows 10 Creators Update or later versions. 
02729238, 02730507,
PMTR-17912
Mobile Access  Rule mismatch on SSL inspection rulebase. Refer to sk123718
PMTR-15718 SNMP

Enhancement: To query the Power Supply sensor "Pwr Consumption" over SNMP on Smart-1 525 / 5050 / 5150 appliances, use these SNMP OIDs: 

  • Smart-1 525 - 1.3.6.1.4.1.2620.1.6.7.8.3.1.3.12.0
  • Smart-1 5050 - 1.3.6.1.4.1.2620.1.6.7.8.3.1.3.29.0
  • Smart-1 5150 - 1.3.6.1.4.1.2620.1.6.7.8.3.1.3.28.0
02517341 Networking Added support for NAT64.
02459107,
02461409
SecureXL Computers with dynamically assigned IP addresses are not able to access web sites by their URLs when SecureXL is enabled.
Refer to sk116160.
02528028 SecureXL

The commands "sim nonaccel [-s |-c] <interface_name>" work as expected, but their output is misleading:

  • Both the "sim nonaccel -s <interface_name>" command and "sim nonaccel -c <interface_name>" command display the following output:

    Changes will take affect until the next time acceleration is started
    or the relevant interface(s) are restarted.

    The correct meaning is "Changes will NOT take affect until..."
  • The "sim nonaccel -c <interface_name>" command displays the following output:

    <interface_name>: set as not accelerated.

    The correct meaning is "<interface_name>: set as accelerated".
01769402,
01777881,
01771790
SecureXL Multiple "cphwd_pslglue_can_offload_template: error, psl_opaque is NULL" errors in /var/log/messages file after upgrade.
Refer to sk107258.
02063194,
02455007,
02366816,
02503790,
02528926,
02503796
SecureXL
Traffic disruption after policy installation on 21000 appliance with installed SAM card (with uptime of more than 250 days).
Refer to sk119999.
02054022,
02301812
SecureXL
VSX Gateway with enabled SecureXL crashes in rare scenario while collecting CPInfo file / running CPView Utility during high traffic load.
Refer to sk119992.
02613465,
02615348
SecureXL "First packet isn't SYN, TCP flags : FIN-ACK" drop log for RSH (remote shell) traffic sent from a Server.
Refer to sk120462.
02721304 SecureXL Security Gateway crashes when SecureXL is enabled. 
02661524 SecureXL Kernel panic after fw_worker_1 reaches 100% of CPU usage.
PMTR-12052,
01646584,
01879544,
01657956
ClusterXL Various traffic issues on cluster due to FWD daemon taking all slots on cluster subscriber list.
Refer to sk109596
02409452,
02416469
ClusterXL Flapping of cluster members with Bond configured in Load Sharing mode when the neighboring switch is rebooted. Refer to sk114993
01715078 ClusterXL  Output of "cpstat ha -f all" command shows status of some VLAN interfaces as "Partially up".
Refer to sk106488
00545387,
01104217,
01145895,
01153486,
01295463,
01345084, 01348870,
01531739
ClusterXL  Host on network shows an error about duplication of its IP address when ClusterXL with VMAC is used.
Refer to sk92364
PMTR-738,
02608827,
02613061
ClusterXL  Cluster member IP addresses is not added correctly during policy generation. 
Refer to sk120414.
PMTR-4374,
02677981 
ClusterXL  Active member in ClusterXL HA sends an ARP request for cluster VIP causing a temporary outage. This can happen in a rare scenario as described in sk121846
02344721, 02622869  ClusterXL  Traffic interruption on VLAN interfaces during policy installation on ClusterXL Load Sharing Multicast.
Refer to sk120593
01820037, 01820130, 01878926, 01881830, 01877156, 01877245, 01834660, 01828139, 01874732  ClusterXL By forging CCP packets, it is possible to "confuse" cluster members about the state of peer members and cause denial of service (cluster members could be forced to incorrectly change their state to "Ready").
Refer to sk108360
02512799  ClusterXL  Intermittent traffic issues and RouteD crash in ClusterXL on Gaia OS. Refer to sk117576
2554000, 02560538, 02556227  ClusterXL  Traffic through ClusterXL High Availability mode is interrupted when Standby member is rebooted.
Refer to sk120073
02622338, 02630620  ClusterXL  SmartView Tracker in "Active" mode shows the same log for the same connection from each ClusterXL High Availability member.
Refer to sk120343
02454663, 02455061  Routing  RouteD daemon stops working producing core dump file when a BGP route is configured with an invalid nexthop. 
02368204, 02385742  Routing  The current length limit on the values of database bindings is 128 characters. Therefore, any value which exceeds that limit is susceptible to truncating on display. 
02707988  Routing 'RTGRTG0019 tclproc: wrong # args: should be "bgp_lookup_ASNumberIPIn ASNumber peerAddr gtype"' error in Gaia Clish when trying to import routemaps for iBGP peer.
Refer to sk115140
02692890, 02458287  Routing Some BGP routes are not being advertised after BGP peer reset.
Refer to sk122272
02557132, 02557783, 02557147, 02557796  Routing  BGP over VTI tunnels are not "established" after upgrade.
Refer to sk119601
02660328, 02660955  Routing  BGP loses adjacency during failover and generates core dumps. Refer to sk121345
02758776 Appliances Power supply status is 'Dummy' in "cpstat" command output on 5100/5200/5400 appliances. Refer to sk125573
02506836 Appliances R80.x is not able to manage 60000 / 40000 appliances running R76SP.40 and above, when Threat Emulation blade is enabled.
01748274,
02029526
VSX "<VSX object name > is used by another object and cannot be deleted." error in SmartConsole when trying to delete a virtual system, virtual router, or VSX gateway.
Refer to sk113932.
02037129 VSX  To allow switching from 32bit to 64bit fwk processes, run the "vs_bits script" command only from a VS0 context. Switching to vs_bits 64 from a context other than 0 will cause VS processes to go down. 
02338729,
02338820,
02338954,
02338696
VSX  During policy installation, Virtual Systems on VSX VSLS cluster shortly go to "Down" state due to "Interface Active Check" pnote.
Refer to sk114234.
01459867,
01472369
VSX  When you create a new bond in Gaia Clish with only two physical slaves, the output of cphaconf show_bond command shows the second added slave as "Not available", and the bond cannot fail over.
Refer to sk105999.
VSX-1542 VSX  Resource Control Monitoring does not work on a machine with more than 32 cores.
Refer to sk125112.
02555060, 02561749  VSX The resctrl process stops working when machine has large number of CPUs. 
02537316,
02151898, 02103463 
VSX Virtual Switches in VSX cluster are shown in "PROBLEM" status in SmartView Monitor without any error message.
Refer to sk112067
02651720, 02656447, 02652003  VSX  Traffic outage when rebooting a VSX cluster member in case there is no connectivity to the Management Server.
Refer to sk120842
LTE FireWall-1 GX is not supported on VSX Cluster. 
LTE  FireWall-1 GX is not supported on VSX Virtual System in Bridge mode. 
01011519  LTE  IPS "Aggressive Aging" protection is not supported by FireWall-1 GX gateway (if you enable IPS blade in FireWall-1 GX object, you must set this protection to "Inactive" in the IPS profile applied to FireWall-1 GX. Otherwise, unexpected behavior can occur). 
0780056  LTE  GTP Bandwidth Management using QoS is not supported. 
0788268 LTE  Full Intra-Tunnel inspection is enforced only on encapsulated IPv4 traffic. 
0773195 LTE 

When using the IPS and the Full Intra-Tunnel features, GTP traffic may not be inspected.

01432574, 01432727, 01461593  SSL Network Extender
The SSL Network Extender connection from command line "snx -l <CA_Dir> -s <Server>" fails with "SNX: Authentication failed" error when authenticating with a user certificate.
Refer to sk101588.
MAGB-254, MAGB-268, PMTR-5386  SSL Network Extender "Mobile Access - Reject. Reason: Error in disconnecting user. Access Denied." message in SmartLog when user tries to use the SNX Network Mode.
Refer to sk123037.
02509724  VPN DAIP gateway takes a long time to establish a VPN permanent tunnel (DPD) after reboot. Refer to sk117513
02536801,
02537327,
02540697 
VPN  IKEv1 using DH group 19/20 fails to encrypt / decrypt packets.
Refer to sk118713
02447010, 02542849  VPN  "You cannot receive an office Mode IP address because the security gateway does not have a license for Office mode" error on SSL Remote Access VPN client (SNX client / Capsule VPN client / Capsule Connect client / Endpoint Connect client) that tries to connect to a Cluster in High Availability mode.
Refer to sk120652
02700394,
02700552 
VPN 3rd party VPN peer rejects IDs proposed in IKE phase 2 and tunnel not established (unless initiated from peer side).
Refer to sk122478
02708339,
02710768 
VPN
Site-to-site VPN traffic issue in vSEC for Azure deployment. Refer to sk122754
02516674, 02517802  QoS QoS rule with Time object is enforced one hour later\earlier than time configured after daylight saving.
Refer to sk117893
02667570,
02668912 
QoS  Some QoS log fields contain gibberish. Refer to sk121476
02413299, 02414451  VoIP  Security Gateway / Active cluster member freezes / locks up randomly when processing H.323 traffic.
Refer to sk114977
02305365, 02312153  VoIP  SIP VoIP call is disconnected / stops working several minutes after establishing the connection when SecureXL is enabled.
Refer to sk112913
02490592, 02491121, 02491840  VoIP  SIP session progress packets are not being NATed. Refer to sk116739

 

List of resolved issues in R80.20 Security Management products

 

Table of Contents

  • Security Management 
  • Multi-Domain Management 
  • SmartConsole
  • CloudGuard  
  • Logging
  • SmartEvent
  • SmartProvisioning
  • Endpoint Security


ID Product Description
R80.20 Management Feature Release M1/M2 and R80.20 GA
02512932,
02518236,
02522447
Security Management Source Hide NAT is performed even when a no-NAT rule is configured.
Refer to sk117612.
01940812,
01940205,
PMTR-13240
Security Management URL Filtering does not work on Edge device.
Refer to sk110219.
02497583 Security Management Upgrade to R80.10 is not supported for a Multi-Domain Management server that contains Data Center objects imported from the Global Domain. Objects must be removed from the Global Domain prior to installing the upgrade.
02693254,
02693478
Security Management  Cannot choose 'Group-With-Exclusion' in the option when configuring Legacy User Authentication rules. Refer to sk122100
02496583 Security Management Managing Indicators of Compromise is not supported by command-line, only in SmartConsole. 
02650289,
PMTR-9284
Security Management Migrate import from R77.X to R80.10 hangs and never completes. Refer to sk120759
02454086,
02452505
Security Management User p12 certificates are exported without the CA certificate.
Refer to sk115859
01963367,
01098502
Security Management QoS policy installation on 1100, 1200R and 1400 Small Office appliances succeeds, but the following warnings are displayed: "WARNING: SharedLibLoad(Name_of_Library_File.so): called from statically-linked code!"
01859599 Security Management After converting a gateway to a cluster member and publishing, this error message shows: "com.checkpoint.management.coresvc.ObjectNotFounfException: Satellite object of type GatewayAggregator not found for core object..." 
01988291 Security Management Install database task hangs if SmartConsole is closed before the task completes.
02520084 Security Management

Upgrade of secondary Management Server using CPUSE fails with error:
Security Gateway / Security Management R80.10 - Failed on installation:
Internal error in a hook script: fw1/bin/hook_fw1_wrapper_HOTFIX_R80.10. Contact CheckPoint Technical Services for further assistance.

Refer to sk117539.

02449460 Security Management

Clean install of a secondary SMC R80.10 requires the same installation path as the primary. If you have an HA setup in R80 and you also installed the R80 Jumbo Hotfix on the primary and secondary servers, the upgrade to R80.10 is as follows:

  • Upgrade the primary to R80.10
  • Install clean secondary with R80
  • Install the R80 Jumbo Hotfix on it
  • Upgrade it to R80.10
  • Perform SIC between the primary and secondary, and sync

Refer to sk117539.

02532395 Security Management R80.10 Security Gateway might get specific security rules of another Security Gateway.
Refer to sk118153.
02556634,
02561603
Security Management Domain deletion fails with timeout after migrating to R80.10. 
02566107,
02566779
Security Management

"Log Server is not responding" error in SmartView Monitor.
Refer to sk119996.

02667797,
02668744,
02668754,
02669193
Security Management Cannot remove old object in database.
Refer to sk121593
02696314,
02696429,
02696431
Security Management Inplace upgrade from R77.30 to R80.10 fails with "Invalid white space character" message.
Refer to sk122098
02726588,
02727319,
PMTR-8055
Security Management File descriptors leak in FWM process.
02036535,
02483434
Security Management "Get Interfaces" in the Cluster object does not update the Topology after changing a physical interface to VLAN interface with the same IP address, or vice versa.
Refer to sk116582.
02512117,
02512194
Security Management Wrong license status for Virtual Systems blade for VSX objects in SmartConsole.
Refer to sk117675
02530338,
02530675
Security Management SMS daemon does not start on startup.
Refer to sk118083.
01846456,
01846721
Security Management Manual NAT policy verification passes while it should fail.
Refer to sk108389
01864424,
01864734
Security Management "Get Topology" action shows "fe80::" in results.
Refer to sk108760
01922184,
01922547
Security Management Policy installation fails with core dump when Security gateway and Security Management server run R77.30.
Refer to sk109616
01922555,
01922761
Security Management The "cprinstall install" command fails.
Refer to sk109617
01971837,
01974133
Security Management "Gaia OS Best Practices" on the Compliance tab of SmartDashboard shows status "N/A" for clusters.
Refer to sk110474.
02456777,
02456968,
02457349
Security Management FWM process stops working while pushing configuration to VSX cluster with Identity Awareness blade enabled and AD server configured.
02485375, 02486836 Security Management FWM process stops working sporadically when deleting the Security gateway object in SmartConsole.
02491211,
02492143
Security Management FWM process stops working after installation of R77.30 Add-On.
02503435,
02504502
Security Management FWM process stops working while debug is enabled.
02555706,
02556381,
02555760,
02556390
Security Management Memory leak in FWM CPM module.
02657790,
02659048
Security Management SmartConsole crashes at 40% on "Loading objects list" stage.
02666158,
02668798
Security Management R77.20/R77.30 Add-on activation or deactivation fails due to timeout.
Refer to sk121436
PMTR-15234,
PMTR-14170
Security Management 

"Publish failed" error on Publish / Discard operation failure after switching the Primary Management Server from Active to Standby and back to Active in Management HA deployment.
Refer to sk129952.

  • Resolved in R80.20 GA
PMTR-16383 Security Management

R80.20 Gateways cannot be managed by R80.20.M1 Management Server. 

  • Resolved in R80.20 GA
PMTR-10265,
PMTR-8811
Multi-Domain Management Incorrect policy installation warning "Install policy from the Multi-Domain Server does not support new or upgraded gateways" is shown during global Domain assignment and install from Multi-Domain Management server.
01973414,
01973521
Multi-Domain Management Global Policy assignment problem after failing IPS update.
Refer to sk110498.
02022345,
02022609
Multi-Domain Management Users ($FWDIR/conf/fwmusers file) and GUI clients ($FWDIR/conf/gui-clients file) are overwritten on Security Management Server during MDS synchronization when Domain Management Server and Security Management Server are configured in High Availability mode.
Refer to sk111175
02699530 Multi-Domain Management Top process is not killed after closing SSH session and running at 100%. 
01891116 Multi-Domain Management In Multi-Domain Security Management, OPSEC application permission profiles are not visible on the Domain's object bar.
01829312 Multi-Domain Management Global VPN Communities are not supported in Multi-Domain Security Management. 
02496769 Multi-Domain Management The "Show Unused Objects" feature only shows unused objects in the local Domain. It does not show unused global objects in each Domain (as in earlier versions). 
02533587,
02534238,
02535285
Multi-Domain Management Wrong gtar version after upgrade from R80 Multi-Domain Management server to R80.10.
Refer to sk118653
02684209,
02686649
Multi-Domain Management Missing Security gateway objects in R80.10 Multi-Domain Management server after migration.
Refer to sk121890
API-136,
02711853
Multi-Domain Management When searching/filtering a rulebase with the API after Global policy assignment, it returns no results, although the relevant data exists.
01987333,
02002922
Multi-Domain Management "Unexpected error" message is shown when an administrator with insufficient permissions on a Domain assigns or reassigns a Global Policy to the Domain. 
02486936,
PRHF-2359
Multi-Domain Management FWM daemon becomes unstable when using RADIUS Authentication.
02490895 Multi-Domain Management Getting "Cannot create a new Domain server. Reason: License violation detected: Multi-Domain Server HostName. The license of Multi-Domain Server HostName allows to manage 0 Domain Management/Log Servers. X is already defined" error when trying to create a new Domain.
Refer to sk116499.
02053188,
02053623,
02053974
Multi-Domain Management Cannot scroll down to find the relevant gateway in "Satellite gateway" list in IPSEC VPN Star community window.
Refer to sk111736.
02528737,
02529416,
02533097
Multi-Domain Management Several cpsm-domains-X licenses are counted only once.
Refer to sk118316
PMTR-15279,
PMTR-14728
Multi-Domain Management

Threat Prevention policy fails to open with the "Rulebase initialization failed" and "One or more errors occurred" error message after upgrade of Multi-Domain Server to R80.20.M1.

  • Resolved in R80.20 GA
PMTR-14479 Multi-Domain Management 

"Failed to save object....Server error is: An internal error has occured. (Code: 0x8003001D, Could not access file for write operation)" error when creating a Security gateway object on the Domain Management Server that is currently active on the secondary Multi-Domain Management server. 

  • Resolved in R80.20 GA
PMTR-21282,
PMTR-27321,
PMTR-21709,
PMTR-21787
Multi-Domain Management 

CPView is not supported on Multi-Domain Security Management environments.

  • Resolved in R80.20.M2
PMTR-10859,
PMTR-10777
SmartConsole When switching between policy packages and tabs, rulebase scrolling may reset its position. In some cases, this may cause SmartConsole to freeze.
Refer to sk127133.
01856760,
01857716,
01858017
SmartConsole SmartConsole displays "Internal error" message and exits when clicking on Threat Prevention tab and going to Policy and then back to overview.
Refer to sk108629.
01964494,
01965659
SmartConsole SMTP property is not shown on VSX Cluster Object. Refer to sk110266
02034329,
02290957
SmartConsole SmartConsole crashes when FIPS is enabled on Windows OS. Refer to sk111585
02695694,
PMTR-7735
SmartConsole VPN Community object cannot be opened after upgrade from R77.30 to R80.10 or R80.20.
Refer to sk122180.
02565748,
02566223
SmartConsole  SmartConsole does not get the topology of VTI interfaces from cluster members running on Gaia Embedded OS.
Refer to sk119832.
02502463,
02491577
SmartConsole When cloning an Access Control policy with a shared Inline Layer, it is not possible to change the action of the rules in the cloned shared Inline Layer of the cloned policy.
02554072,
02560357
SmartConsole It takes a long time to open a group object that contains a large number (> 500) of group member objects in SmartConsole R80.x.
Refer to sk120074
02405050 SmartConsole If an administrator deletes an Access Policy or Threat Prevention Policy that was cloned by another administrator, the cloned policy cannot be published.
PMTR-15067,
SL-1252
SmartConsole In SmartConsole -> Security Gateway, or Cluster object -> Device & License Information -> System Counters -> FireWall History, the data exported to CSV showed only 100 rows. 
01875766,
01893219
SmartConsole "An unexpected error occurred - Sorry for the inconvenience, please restart the application" error in SmartEndpoint when going to Deployment tab, expanding Advanced Package Settings - clicking on VPN Client Settings - selecting a VPN Site, with "CAPI-certificate" as Authentication method.
Refer to sk109126 - Scenario 2. 
PMTR-15366 SmartConsole

For R77.30 Gateway, the ICAP server is supported only from CLI and not in the SmartConsole GUI, although the ICAP Server tab is displayed in the Gateway properties. 

  • Resolved in R80.20 GA
PMTR-26277,
PMTR-26269
SmartConsole

Copying a section from one policy package to another returns the "An error occurred while performing a rule base operation" message.

  • Resolved in R80.20.M2
PMTR-22691 SmartConsole

Password configuration in SmartEndpoint for FDE preboot users, WebRH administrators and client uninstall password is limited to a maximum of 12 characters. 

  • Resolved in R80.20.M2
PMTR-27978 SmartConsole An object (Gateway, Cluster, and so on) can become locked in the following scenario:
  1. Edit a VSX object and click OK
  2. A window opens that shows the progress of pushing the updated VSX Configuration for the VSX object
  3. The window that shows the progress of pushing the VSX Configuration closes
  4. Edit any other object
  5. The other edited object can become locked 
  • Resolved in R80.20.M2. SmartConsole now prevents changes to other objects until all the changes to a VSX object are pushed and the session is published
02457148 CloudGuard In the $VSECDIR/conf/vsec.conf configuration file (sk112855), there is no verification of the minimum value of the enforcementSessionTimeoutInMinutes parameter.
02459679 CloudGuard The $VSECDIR/conf/vsec.conf configuration file (sk112855) is not synchronized in Management HA and must be edited on both Management Servers separately. 
PMTR-7172 CloudGuard Running the command fw unloadlocal on a Security Gateway with a Security Policy that includes Data Center objects will disassociate the IPs from the Data Center objects.

To restore this information, after policy is installed run vsec_controller_cli and resend the enforcement data to the appropriate Security Gateway.

VSECC-510 CloudGuard CloudGuard Controller does not support VSX Virtual System Load Sharing (VSLS). 
VSECC-277 CloudGuard Imported Data Center Tag Object ("Key" or "Value") that is not associated with any instance will be marked as "Object is inaccessible / deleted on Data Center Server" in the SmartConsole. The object will remain in this state until re-imported into the policy. Policy enforcement will resume once instances are associated with the Tag. 
02413226 CloudGuard

"Data Center Object" names should not contain the following characters:

  • "{" - opening curly bracket
  • "}" - closing curly bracket
  • "[" - opening square bracket
  • "]" - closing square bracket
  • "<" - less than
  • ">" - greater than
If an object name contains one of the above characters, enforcement will not work.
- CloudGuard Upgrade path from R77.30 Security Management Server with installed R77.30 CloudGuard Controller to R80.20.M1 Security Management Server is supported.
PMTR-26157 CloudGuard In 41k/61k VSX gateway, CloudGuard objects are not supported.
02022295 Logging Log export is supported on visible logs only.
01913226 Logging Missing predefined reports. Many SmartEvent reports are not accessible if permissions to monitor user-specific logs with Identity Awareness have not been enabled.
02515998 Logging After upgrade to R80.10 with a distributed Correlation Unit, the Correlated Events Report does not contain all events.
- Logging When upgrading a Security Management server or Log server running SmartLog, SmartLog indexing files will be lost. 
02694895,
02694912,
02695201
Logging When sending report to Check Point from the Threat Emulation log card, the report fails with "Failed to send report! Please check the application log for more details" error.
Refer to sk122217
01935060,
01936585
Logging In some records, the Origin field in the SmartLog is displayed in the 0.0.0.0.x format.
Refer to sk109820
02515100,
02510942
Logging Cannot select local Security Management in SmartLog's "Servers" view, although it is displayed in the list.
Refer to sk117573
02655801,
02655956,
PMTR-13600
Logging "Xml Parse error" when trying to display Threat Emulation logs in SmartLog.
Refer to sk120982
PMTR-22189 Logging 

After you revert from R80.20 GA to a R80.10 or R80 version, the log files and log indexes that were created on the R80.20 will be lost.
If you upgrade again to R80.20 GA, all logs will be visible again with one exception - the log index created on the day of the revert (from R80.20) may be partial. 

  • Resolved in R80.20 GA
PMTR-22353,
PMTR-22349
Logging

After upgrading from R80.10 to R80.20 M1, the log indexes from R80.10 are unusable, but remain on the disk. If a maintenance routine to delete log files was running while the version was still M1, the R80.10 indexes are not deleted. When upgrading to R80.20 GA, this may cause empty lines on Smart Log.
Refer to sk127652

  • Resolved in R80.20 GA.
PMTR-14367 Logging  During upgrade, the Log Exporter configuration is not transferred on R80.20.M1 or not fully updated on R80.20.

For R80.20.M1:
  • Recommended solution: Rebuild the Log Exporter configuration from scratch using sk122323.
  • Alternative solution: Follow sk127653 to save the configuration manually before the upgrade, and then restore it after the upgrade. 

For R80.20, follow the "R80.20" section in sk127653, to fully update the Log Exporter.

  • Resolved in R80.20 GA
02354039 Logging

Sometimes, in specific scenarios, Mail Alert does not work. 

  • Resolved in R80.20 GA
02515998 Logging

After upgrade from R80 to R80.10 with a distributed Correlation Unit, the Correlated Events Report does not contain all events. 

  • Resolved in R80.20 GA
PMTR-14367 Logging

During upgrade, the Log Exporter configuration is not transferred on R80.20.M1 or not fully updated on R80.20.

  • Resolved in R80.20 GA. Follow the "R80.20" section in sk127653, to fully update the Log Exporter.
PMTR-22353, PMTR-22349 Logging

After upgrading from R80.10 to R80.20 M1, the log indexes from R80.10 are unusable, but remain on the disk. If a maintenance routine to delete log files was running while the version was still M1, the R80.10 indexes are not deleted. When upgrading to R80.20 GA, this may cause empty lines on Smart Log.

  • Resolved in R80.20 GA
- Logging

If you upgrade a Security Management server or Log server running SmartLog, SmartLog indexing files will be lost.

  • Resolved in R80.20 GA
PMTR-27034,
PMTR-23553
Logging

After two or more upgrades of a Security gateway / Security Management server / Log server or SmartEvent server, log maintenance fails to delete logs from older version.

  • Resolved in R80.20.M2
02422716 SmartEvent For R80.10 SmartEvent connected to R77.x Security Management Server or Multi-Domain Management Server: If an object is not listed in the Log Servers table in the Correlation Unit settings, change the object from the SmartConsole (for example, its color). This will cause the re-synchronization of the object. 
SL-690 SmartEvent "No matches found for your search" message in the browser when searching for a user whose name contains only numbers.
Refer to sk122294
01877586,
01877829
SmartEvent SmartEvent PDF reports are shown incorrectly.
Refer to sk104840
01877490,
01877827
SmartEvent "Dev Mode: ON - Syntax error" in SmartEvent  reports.
Refer to sk108979
01969321,
01969673
SmartEvent The CPSEMD process stops working due to signal 15 when SmartEvent machine is rebooted.
- SmartProvisioning Added support for SmartLSM and SmartProvisioning.
02089667 Endpoint Security Concurrent sessions are not supported in SmartEndpoint. Only one administrator may use SmartEndpoint to make policy changes at any time.
02410161 Endpoint Security After CPUSE upgrade from R80, if you open SmartEndpoint and install policy, the "General Properties" policy sometimes shows as disabled.
02062057,
02064416
Endpoint Security "Challenge Format" column text, shown in a table within the "Installation" dialog of SmartEndpoint is wrong.
Refer to sk112158
02082518 Endpoint Security Permission profiles with Endpoint Security-specific permissions cannot be configured. 
01907703,
01909558
Endpoint Security Garbled characters in Action name in SmartEndpoint.
Refer to sk109575
01483870 Endpoint Security On E80.64 Endpoint Security clients managed by R80.10 Endpoint Security Management Servers, temporary pre-boot bypass is not supported.
02488912 Endpoint Security The 30-day trial license is not automatically installed when you activate Endpoint Security. You can use the 15-day Demo license that is automatically installed and then you must get an Evaluation or Product license. 
02493400 Endpoint Security After upgrade from R77.30, customized Endpoint administrator roles get read-only permissions only. 
PMTR-4632 Endpoint Security

Endpoint URL Filtering is not supported with R80.20 Management Feature Release. 

  • Resolved in R80.20 GA
PMTR-16762 Endpoint Security

In the SmartEndpoint Policy tab, when a policy rule is locked because another administrator is working on the rule, there is a visual indication that the rule is locked but no indication of who locked it. Also, the Disconnect button for disconnecting an administrator who is locking a rule does not work. 

  • Resolved in R80.20 GA


