Support Center > Search Results > SecureKnowledge Details
R77.20.80 for Small and Medium Business Appliances
Solution

This article is suitable for Check Point 600 / 700 / 1100 / 1200R / 1400 Small and Medium Business (SMB) Appliances

Table of Contents

  • What's New in Check Point R77.20.80 for SMB Appliances
  • Enhancements
  • Resolved Issues
  • Downloads
  • Known Limitations
  • Documentation

For more information, see the Check Point 600, Check Point 700, Check Point 1100, Check Point 1200R and Check Point 1400 Appliance Product Pages.
Visit Check Point CheckMates Community and the SMB Forum to ask questions or start a discussion and get our experts assistance.

 

What's New in Check Point R77.20.80 for SMB Appliances

  • Support additional deployments with ZeroTouch

    • Option to configure Internet connection before ZeroTouch deployment
    • Dynamic change of the default LAN subnet in case of a conflict with WAN IP address (provided by DHCP server), to allow connection to ZeroTouch server
  • Intermediate CA

    • Option to replace the gateway WebUI certificate and VPN certificate with a certificate signed by an intermediate CA
  • Logs management

    • Added an option to configure the gateway to log only outgoing blocked traffic
  • SMP connection

    • Retry mechanism in case of a failure in connection to the cloud services (SMP)
  • Performance and stability fixes

 

R77.20.80 for SMB Appliances Enhancements

ID Symptoms
SMB-4431
Added support for RFC 3021: you can use 31-Bit Prefixes for IPv4 point-to-point Internet links. 
SMB-4067  Removed unsafe ciphers/HMACs from SSH server supported chiphers/HMACs: hmac-sha1-96, hmac-md5, and *-cbc
SMB-3929 The user can change the number of years for which the internal VPN certificate and the internal CA certificates are valid. 

 

R77.20.80 for SMB Appliances Resolved Issues

The below table lists R77.20.80 resolved issues:

ID Symptoms
General
SMB-4077

POP3 session disconnects and the next attempt to fetch emails fails when:

  • POP3 AV/TE is enabled in locally-managed mode
  • Email was detected as malicious after more than 400Kb of data have passed to the POP3 client
SMB-4342 TCP traffic dropped by the gateway is logged under IPS "TCP Segment Limit Enforcement" log.
SMB-4417 Cluster configuration fails when using VLAN-associated interfaces. 
SMB-5310 Some Gateway name combinations in a cluster result in both members of the High Availability cluster becoming Active members and not being able to see that the other member exists. 
SMB-5458,
SMB-5662,
SMB-4998

In the Chrome browser, the Welcome page in the the First Time Configuration Wizard does not display properly and the Next button is disabled.

  • Workaround: Use a different Internet browser for when deploying for the first time. 
SMB-5414 After upgrade to R77.20.75, the admin Radius Authorization mode changes to the new mode which requires you to either define the Radius role on the Radius server, or to change the radius authorization mode to legacy mode (go to Administrators -> Edit permissions -> select "Use default role...").
If you upgrade directly from R77.20.70 to R77.20.80, you do not need to define the Radius role. 
GUI
SMB-4688 When creating a custom URL, it appears in the list of custom applications but is not saved. 
SMB-2534 The Infected / possibly infected hosts page (or relevant sections in the periodic report) might show IP addresses that are not in the appliance's internal networks.
Refer to sk126374
VPN
SMB-4604 VPN Site-to-Site connection cannot be established between a centrally managed SMB gateway and an Azure cloud VPN gateway.
SMB-3968 Added option to turn off the logging of the IKE key exchange in Advanced Settings -> VPN Site-to-Site global settings -> Successful key exchange tracking. 
SMB-4664 In locally-managed mode, Remote Access users are not able to connect when using a certificate trusted by a CA installed on the gateway. (Degradation from previous versions). 
SMB-4390,
SMB-3155
On SMB gateways with Dynamic IP, it takes a long time to establish a VPN permanent tunnel (DPD) after reboot. 
SMB-5982,
SMB-5981
When configuring client to site VPN (Remote Access ) using Endpoint Security VPN toward a 700 Security Gateway installed with R77.20.75, and the interface that accepts the connection is checked as VLAN, passing traffic to the LAN, may cause the appliance to crash. 
Application Control / URL Filtering
SMB-4511,
SMB-4437,
02678199
Application Control drops HTTP response traffic when the HTTP response contains two different host headers. This prevents access to some websites.
SMB-4430,
SMB-4429,
SMB-4430,
01835506
The UserCheck Block page might not be displayed for a website that is blocked by both the Anti-Virus and Application Control / URL Filtering blades.
Refer to sk64162.
Dynamic Routing
SMB-5151 In an SMB cluster, in some scenarios, the BGP & OSPF stop working after the first failover.
Refer to sk129792.

 

R77.20.80 for SMB Appliances Downloads

Important: check the MD5 string before installing the downloaded file.

Download Package 700 Appliance 1400 Appliance 600 Appliance 1100 Appliance 1200R Appliance
R77.20.80 Image (IMG) (IMG) (IMG) (IMG) (IMG)
R77.20.80 package for SmartUpdate - For R77.30 SmartUpdate and SmartProvisioing
(TGZ)
- (TGZ) (TGZ)
For R80.10 SmartUpdate
(TGZ)

Note: To download these packages you will need to have a Software Subscription or Active Support plan.


R77.20.80 for SMB Appliances Known Limitations

The below table lists R77.20.80 known limitations:

ID Symptoms
General
SMB-4587

When fetching settings from Zero Touch on the Welcome page of the First Time Configuration Wizard, if the internet configuration causes an IP conflict (if the WAN address received is in the 192.168.1.0/32 subnet, the IP address of the LAN network is automatically changed to 192.168.2.1), the Zero Touch feature fails and the First Time Configuration Wizard becomes stuck.

  • Workaround: Restart the appliance, connect to the First Time Configuration Wizard with IP address 192.168.2.1, and click the "Fetch settings from Zero Touch" link on the Welcome page.
VPN
SMB-4493 When you use a certificate signed by an intermediate CA to create a VPN tunnel with a gateway, the intermediate CA must be installed on the gateway as a trusted CA.
SMB-4506 When the VPN remote site certificate is limited to a specific CA, and the certificate is signed by an intermediate CA that is installed as trusted on the gateway, then the intermediate CA must be the specific CA to match and not the root CA.
Hardware
SMB-6076

The IP address or subnet assigned to the gateway using the DHCP server running on the modem may overlap with the user-configured LAN/Internet connection, causing an IP conflict. This may cause one or more of those interfaces to be unable to work as expected.

  • Change the conflicting LAN address manually.

 

R77.20.80 for SMB Appliances Documentation

Release Notes
Check Point R77.20.80 SMB Appliances Release Notes
Administration Guides
Check Point R77.20.80 600/700 Administration Guide
Check Point R77.20.80 1100/1200R/1400 Locally Managed Administration Guide
Check Point R77.20.80 1100/1200R/1400 Centrally Managed Administration Guide
Check Point R77.20.80 600/700/1100/1200R/1400 Appliance CLI Reference Guide
Related Solutions
sk97766 - Check Point 600 / 1100 / 1200R /700 / 1400 Appliances Releases
sk105380 - Check Point R77.20 for 600 / 700 /1100 / 1200R / 1400 Appliance Known Limitations

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment