• We recommend to upgrade to R80.40 - the latest widely recommended version. 
  To upgrade to R80.30, install R80.30 Jumbo Hotfix after the advanced upgrade is completed.

To upgrade a R77.30 or R80.10/20 Security Gateway with ICAP Client hotfix to a R80.30 Security Gateway:

1. On the R77.30/R80.10/R80.20 Security Gateway, back up the current ICAP Client configuration file ($FWDIR/conf/icap_client_blade_configuration.C).
2. Upgrade the R77.30/R80.10/R80.20 Security Gateway to R80.30, or perform a Clean Install of the R80.30 Security Gateway.
3. Configure the ICAP Client from scratch as described in the R80.30 Next Generation Security Gateway Guide - Chapter "ICAP Client".
   Note: 
   
   • You can use the backed up ICAP Client configuration file from the R77.30 Security Gateway as a reference only.
   • You must explicitly confirm the disclaimer (run the script IcapDisclaimer.sh in the Expert mode).
4. To inspect the HTTPS traffic with the ICAP Client, enable the HTTPS Inspection and configure the HTTPS Inspection rules.
5. Install the Access Control policy on the R80.30 Security Gateway.

When you perform a clean install of an R80.30 on top of an existing previous version, the following error might appear after the keyboard layout selection screen: 

Warning: /dev/sda contains GPT signatures, indicating that it has a GPT table. However, it does not have a valid fake msdos partition table, as it should. Perhaps it was corrupted - possibly by a program that doesn't understand GPT partition tables. Or perhaps you deleted the GPT table, and are now using an msdos partition table. Is this a GPT partition table?

In such case, select "Yes" several times to continue with the installation.

1. Connect with SmartConsole to the Global Domain on your R80.20.M2 Multi-Domain Server.
2. Reassign all Global Policies to all applicable Domains.
3. Do not publish any changes in the Global Domain until you complete the upgrade to the next available version.
   Note: This is necessary to avoid any potential issues caused by different policy revisions on the Global Domain and on the Domains.
4. Perform the upgrade from the R80.20.M1 to the next available version.

After upgrading a Full HA deployment, policy installation fails due to SIC problem with the secondary member.

• To resolve, re-establish SIC between the active and standby members.

After upgrade of 1180 and 1450 appliances, the "Gateways & Servers" view does not show version numbers in the Version column.

• To see the version numbers, open the gateway object for editing, make sure the correct version is selected and click OK.

After upgrade оf a Stand Alone Server, SmartConsole disconnects from the server during the first policy install.

• Before a first policy installation on Standalone servers, allow the CPM service in the Services & Applications column of the rulebase.

"Database is locked" error message when running the migrate_export command on a R7x Security Management.

• Run cpstop or mdsstop and attempt the export again to resolve.

• In the SmartEvent server object in the SmartConsole, re-enable the SmartEvent server Blade (and Correlation unit) -> Install database on it..

If you have gateways of different R77 versions and GX is enabled on a R77.30 Security Gateway only, policy installation will fail.

• Use the "Install On" column for the GTP rules.

After upgrading, the Gateway Properties -> HTTP inspection page shows "Failed to load Plug-in Page: SSLInpectionPage". 

• To resolve, perform the following on the Security Management server:
  • Run cpstop 
  • Delete the $FWDIR/conf/newDleSchema.xsd file 
  • Run cpstart

These products do not support the new licensing visibility features:

• Network Security: Advanced Networking and Clustering, Capsule Cloud and Capsule Workspace.
• Security Management: Endpoint Policy Management, SmartPortal, User Directory (LDAP).
• Multi-Domain Management: Security Domain
• Remote Access & Endpoint

On pre-R80 gateways, license information is updated every 20 minutes.
To force a license update, perform one of the following actions:

• Either install security policy on the pre-R80 gateway

• Or on the R80.10 Management Server, run the following command in Expert mode:

  • On Security Management Server:

    [Expert@HostName]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>

  • On Multi-Domain Security Management Server:

    [Expert@HostName]# mdsenv <Name of Domain Management Server>
    [Expert@HostName]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>

• To resolve, run the cprestart command on the Management Server.

On a Pre-R80 SmartEvent NGSE dedicated machine, license information is not automatically updated when Installing Database.

When you enable or disable a blade, one of the following will update the license information with the change:

• If you force a license update, changes occur immediately.
  To force a license update: On the R80.10 Security Management Server, run the following command in Expert mode:
  [Expert@HostName]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>
• Automatic update at midnight
• If you manually change a license or contract on a dedicated machine, changes take effect within 20 minutes

To upgrade an R77.30 Security Gateway with ICAP Server to an R80.20/R80.30 Security Gateway:

1. Back up the current ICAP Server configuration files (to use as a reference only):
   • $FWDIR/c-icap/etc/libsb_mod.conf
   • $FWDIR/c-icap/etc/c-icap.conf
   • $FWDIR/c-icap/etc/c-icap.magic
   • $FWDIR/c-icap/etc/virus_scan.conf
   • $FWDIR/c-icap/share/c_icap/templates/virus_scan/en/VIRUS_FOUND
2. Upgrade the Security Gateway to R80.20/R80.30, or clean install the R80.20/R80.30 Security Gateway.
3. Configure the ICAP Server from scratch in SmartConsole as described in the R80.30 Threat Prevention Administration Guide.

• Workaround: change the order of the rules so that rules with legacy objects are above rules with new features.

The Linux "iotop" utility might stop working when pressing the "i" key in the following rare scenarios:

• Working in virtual environments (such as Hyper-V) 
• Terminal application uses specific virtual terminal settings (such as specific SecureCRT terminal settings) 

"[Firmware Bug]: the BIOS has corrupted hw-PMU resources" message may appears in the output of "dmesg" command on any HP ProLiant Server running Gaia. 

• You can safely ignore this message - it does not indicate an issue with the functionality or performance of the Operating System or the server. 
  For details, see Hewlett Packard Enterprise Customer Advisory c03265132.

When connecting to the network interfaces page in the Gaia Portal, an "Unable to connect to server" error shows.

• To resolve, disable the Adblock EasyPrivacy extension of the Adblock plus add-on and try again. 

• "Cannot install Check Point Security Management Server. Incompatible hardware" 
• "Internal Error: Cannot install Check Point Security Management Server"
• "Cannot install Check Point Security Management Server. Please contact Check Point Technical Support."

• /etc/.wizard_accepted - means that the First Time Configuration Wizard has finished.
• /var/log/ftw_install.log - means the First Time Configuration Wizard has started and the user must wait until the file /etc/.wizard_accepted is created.

Login to the Secondary Management Server can fail if the SIC certificate is pushed to the Secondary Management Server before its CPM server is up. In this case, the SIC is established, but the login to the Secondary Management Server fails until the CPM server is restarted and reloads the new certificate.

• To resolve, wait until the CPM server is up, before you establish trust with the Secondary Management Server. This way, the CPM Server restarts automatically due to the SIC establishment and the login succeeds.

Policy installation fails with "Policy installation failed on gateway 0-2000040" error and log: "fw_atomic_add_spii_parameter: Failed to get object named <object_name>".

• Workaround: for all hosts with a server configuration, unselect the servers. Publish the session, then select the servers again, and publish again. For details refer to sk154435.

• To resolve the conflict:
  
  1. Open a command prompt on the Management server
  2. Run cpconfig to create a new administrator account with a unique name
  3. Run cpstop;cpstart

• Workaround: stop and start the server (run cpstop;cpstart) after adding the new license. 

In some scenarios, re-assign or removal of global assignments succeeds, but changes that were not yet published at the Domain become conflicted. The SmartConsole for the Domain becomes unstable and can show: "Could not load selected policy".

• In this situation, Discard the changes that were not published in SmartConsole.

If you create an administrator in cpconfig, you must run cpstop and cpstart, as instructed by cpconfig. After cpstart, no administrators are shown in cpconfig. Administrators configured before the upgrade to R80 are also not shown in cpconfig.

• Manage administrator accounts through SmartConsole. 

"Check your connection settings (Proxy, DNS and gateway)" error shows after IPS and Application Control & URL Filtering update fails if there is no proxy defined.

• To resolve the problem, run cpstop and cpstart and try again. 

1. On the Security Management server, run: cpca_client set_sign_hash sha1 (refer to sk103840)
2. Install Database.

lvm_manager fails to resize partitions with "ERROR :Cannot kill process (id XXXXX)".

• Workaround: Boot the machine into Maintenance Mode and then run lvm_manager.

Cannot add a VSX objects (router, switch, or system) from the secondary Multi-Domain Management Server when the primary server is powered off. The creation wizard fails to open and an "Operation finished successfully message" shows.

• To resolve the issue, power on the primary Multi-Domain Management Server and try again.

When selecting the "Use Gaia administrator: admin" option in the First Time Wizard, it lets to reuse the Gaia administrator password for SmartConsole. If you later change this password in SmartConsole, the Gaia administrator password remains unchanged.

Applications like Provider.exe and Fwpolicy.exe (SmartDashboard) cannot be used to connect directly to the Security Management server or the Multi-Domain Security Management server. 

• Workaround: use SmartConsole.exe

These commands are not supported in the SmartConsole's CLI: login, logout, discard and publish. Use the SmartConsole GUI instead.

• To unlock the administrator, run the CLI command unlock-administrator on the Standby Management Server.

In a Management HA environment, Administrator created on the Primary Security Management Server via cpconfig cannot log in to SmartConsole of the Secondary Management Server until full sync from Primary to Secondary server is performed.

In a High Availability deployment of Multi-Domain Security Management Servers, until the MDS that hosts the active Domain server has been upgraded, it is not possible:

• To edit an administrator assigned to that Domain
• To edit a client assigned to that Domain
• To view global assignments of that Domain

In Multi-Domain Servers Management HA environment, if Administrator installs policy from the Active Domain on the Security Gateway / Cluster object and performs Management HA from the Active Domain to the Standby Domain, Administrator must install policy from the new Active Domain on the Security Gateway or Cluster object. Otherwise, when upgrading the Multi-Domain Servers to R80.30, SIC communication can be lost with the Security Gateway or Cluster Members.

• Workaround: Change the state of the Standby Domain to the Active, and manually synchronize the Domains.

Threat Prevention policy fails to open with the "Rulebase initialization failed" and "One or more errors occurred" error message after upgrade of Multi-Domain Server to R80.30.

• Workaround:
  1. Assign the Global Policy (without assigning or installing other policies).
  2. Open the Threat Prevention policy.
  3. Remove the assignment of the Global Policy.

"Failed to save object....Server error is: An internal error has occured. (Code: 0x8003001D, Could not access file for write operation)" error when creating a Security gateway object on the Domain Management Server that is currently active on the secondary Multi-Domain Management server.

• To resolve, run the "mdsstop ; mdsstart" commands on the secondary Multi-Domain Management Server.

R80.30 Multi-Domain Security Management does not support IPv6 address configuration.

When running Global Domain Assignment on one Multi-Domain Server for a Domain that is active on a different Multi-Domain Server, the task can stall at 5%. After a few minutes a message shows : "timeout during task progress: Could not get information regarding task completion from MDS_1 'MDS_2'.

• Workaround: Run Reassign Global Assignment on the Domain from the first or second Multi-Domain Management Server.

• To fix, the session changes must be discarded.

• This message can be ignored.

• If there is a sync failure, make sure sessions on a different peers do not lock the same object.

• Run cma_migrate on the server with the active global policy.

• To change an OPSEC application permission profile, use the OPSEC application editor and create a new permission profile.
  Use dbedit/GuiDBEdit to delete old or unused profiles.

• This error can be safely ignored.

1. Open the SmartConsole in Read-Only mode, or log in with Read-Only credentials.
2. In the left navigation panel, click Security Policies.
3. In the Access Control section, click Desktop -> Open Desktop Policy in SmartDashboard.
4. Legacy SmartDashboard opens without the Desktop Policy tab.

Workaround:

1. Open the Cluster object.
2. Go to the "General Properties" pane.
3. In the "Platform" section, in the OS field, change from the "Unknown OS" to the real operating systems of the cluster members.
4. Go to the "Optimizations" pane. 
5. In the "Capacity Optimization" section, select "Automatically".
6. Click OK and publish the session.

• To find the other occurrences of the rule, use the packet mode search with the rule's information. For more information about packet mode search, refer to sk118592 

• Workaround: Perform Application Control & URL Filtering update.

• Workaround: After you close the second Editor, click OK in the IF-MAP server editor. Open the IF-MAP server editor again.

A Remote Access community object is not supported in the parent rule of an inline layer where the action is "Inline Layer".

• Workaround: use "Any" instead of the Remote Access community object. You can use the Remote Access community object in the rules in the inline layer.

The Device and License Status of Threat Emulation is incorrect when there is a trial license on the Security Gateway.

• Use the Logging -> License Status view. 

1. Open the SmartDashboard GUI client
2. Renew the HTTPS Inspection certificate.
3. Close SmartDashboard.
4. Install the Policy in SmartConsole.
   
   SmartConsole shows the certificate is still expired, and the certificate is not renewed.

• Workaround: After following the procedure, close and reopen SmartConsole.

• To resolve, restart the Management server using cpstop;cpstart commands or, for Multi-Domain Security Management, run mdsstop;mdsstart 

• Workaround: The admin must first publish the new cluster object, then configure the correct IP address before enabling any blade. If the cluster is created via 'Classic' mode, there is no issue.

• default_{noformat} (example: default_MyCertificate)
• _default (example: MyCertificate_default)
• _default_ (example: My_default_Certificate)
• https_ (example: https_MyCertificate)
• _https (example: MyCertificate_https)
• _https_ (example: My_https_Certificate)
• ref_ (example: ref_MyCertificate)
• _ref (example: MyCertificate_ref)
• _ref_ (example: My_ref_Certificate)
• holder_ (example: holder_MyCertificate)
• _holder (example: MyCertificate_holder)
• _holder_ (example: My_holder_Certificate)

• At midnight
• When the size of the active log file reaches 2 GB
• Based on user configuration (explicitly)

Slow rendering of SmartConsole and reaction to user interactions. Slow rendering can be a result of:

• Running SmartConsole through Remote Desktop (RDP) sessions. See sk123734.
• Environments with lower-end graphic hardware drivers. 
  Typical environments include Windows-Server 2012 and Virtual Machines.
  In this case, consider upgrading your DirectX driver or Graphics Card hardware.

• Workaround: Delete the VSX cluster and VSX cluster member objects manually. 

• Using a Compound/Group of "Archive File" with, for example, "PCI - Credit Card Numbers", does not match the archive that contains a file with the credit card numbers. You can use a specific File Type with "PCI - Credit Card Numbers" in this rule.
• Using the "Archive File" in a rule that leads to Inline Layer does not match the Data Type inside that layer. You can use a specific File Type in this rule.
• If the "Archive File" is located above other Data Types, the lower rule can be matched for some of the inner files, in addition to the rule that contains the "Archive File".

CRL validation is not supported in pure IPv6 environments (when IPv4 addresses are not configured on the Security Gateway's interfaces).

"Internal error occured" message when trying to assign/reassign a Global Configuration at the same time that an IPS update is running on a local Domain.

• Workaround: First run the IPS update on the local Domain. Then assign/reassign the Global configuration. 

After upgrade, the Log Exporter does not start, fully update or show pre-upgrade exporters. 

• To update and start, run: cp_log_export reconf; cp_log_export restart

In a rare scenario on Multi-Domain Server/Multi-Domain Log Server, several Domain Indexer processes may fail with core dump, printing "Failed to start web server (Probably another server listens on the same port)" message into $INDEXERDIR/log/log_indexer.elg file.

• Workaround: recreate the IpPort.xml file by running the below commands on MDS/MLM:
  • evstop
  • rm -f $RTDIR/conf/IpPort.xml
  • mdsstart

• To see: in SmartEvent, go to Event Policy -> Legacy ->Web Browsing, right-click and select "Event Format". Replace the field "URL" with the field "Resource".

In a Multi-Domain Management environment, you cannot have a dedicated Log server for a specific Domain Management.

• Workaround: configure a Multi-Domain Log servers with only one CLM.

Correlation units can be added to a remote Log server in this way only:

1. In SmartConsole, edit the Correlation unit object and configure it as a Log server.
2. On the SmartEvent server, go to the Correlation unit policy configuration and configure the Correlation unit on the SmartEvent server to read the logs from the remote Log server configured in Step 1.

• Filtering ability is integrated to Jumbo Hotfix Accumulator for R80.30 since Take 107.

On a R80.x dedicated SmartEvent server which assigned to MDS, when you enable or disable a blade, the license information is not immediately updated. An automatic updates takes place at midnight. To update immediately:

1. On server's command line, run:
   $CPDIR/bin/esc_db_complete_linux_50 activation_data entitlement_data.
   
   
2. If you manually change a license or contract, the changes take effect immediately.

• To resolve, refer to sk129894.

After a major upgrade of the Multi-Domain Management Server, opening the SmartProvisioning client fails, displaying "SmartProvisioning was not enabled on the Security Management Server or no valid license was found..." error.

• To resolve, enable LSM on each relevant Domain Management server by running the "LSMenabler on" command.

• To resolve, install policy on the LSM profiles.

ClusterXL R80.20 and higher does not support Load Sharing mode. Therefore, SmartConsole blocks such configuration with a warning message.

• To improve the PIM-DM responsiveness, user can enforce the local-groups / static-groups configuration.

1. Routemap is used to set the nexthop of the IPv4 routes
2. The interface used for the BGP session needs to have an IPv4 address 

When advertising IPv6 routes over an IPv4 BGP session, one of the following needs to be true:

1. Routemap is used to set the nexthop of the IPv6 routes 
2. The interface used for the BGP session needs to have an IPv6 address

• Workaround: before the Hide NAT rule, add a NAT rule that prevents the translation when traffic is on port 67, and is going to the DHCP server. Make the NAT similar to this:
  

  Original Packet: Source = Source network(s) for DHCP requests       Destination = DHCP server Service = UDP_bootp

  Translated Packet: Source = Original Destination= Original Service = Original

• To prevent: wait for OSPF GR to finish. Use "show ospf interfaces" or "show ospf summary" commands to see the status.

• To prevent: do not fail over members if an OSPF neighbor is in the process of restart.

• To prevent: make sure there are no route or topology changes during the process.

• To prevent: make sure that self-routes do not become active in a BGP Multi-hop deployment.

An upgraded cluster member goes into Ready state after the reboot, even before the rest of the cluster members are upgraded.

• Workaround:
  
  1. Run the cphaprob state command to verify that all the Virtual Systems are in Ready state.
  2. Run the ps -elL | grep fwk command to verify that fwk process is running on every Virtual System.

After an upgrade to R80.30 with E2 AM engine (on the Primary Management Server and Policy Servers), the E2 AM engine fails to download updates.

• Workaround:
  1. Connect to the command line on the server
  2. Back up the $UEPMDIR/engine/conf/updates/bin/bdav/mirror.cnf file:
     cp -v $UEPMDIR/engine/conf/updates/bin/bdav/mirror.cnf{,_BKP}
  3. Edit the $UEPMDIR/engine/conf/updates/bin/bdav/mirror.cnf file with Vi editor.
  4. In the variables that point to paths, change the version to "R80.30"
  5. Save the changes and exit the Vi editor
  6. Create these empty directories:
     mkdir -p $UEPMDIR/engine/conf/updates/data/bdav/av32bit
     mkdir -p $UEPMDIR/engine/conf/updates/data/bdav/av64bit
     mkdir -p $UEPMDIR/engine/conf/updates/data/bdav/avc3_sig
     mkdir -p $UEPMDIR/engine/conf/updates/data/bdav/avc3_exc

When you enable the Endpoint Policy Management blade on a Security Management Server, the connection to these services automatically changes from the default port 443 to port 4434:

• Gaia Portal
• SmartView Web Application
• Management API Web Services

"An internal server fault has occured" server error is shown when logging in to the SmartEndpoint GUI client with a custom administrator created in SmartConsole with the name "endpoint".

• Workaround: Create an administrator with a different name.

1. Delete Outlook Anywhere rule from reverse proxy.
2. Run "cvpnrestart --with-pinger" to close all Outlook Anywhere open connections.
   If you do not perform step 2, open connections of Outlook Anywhere will not be closed and users can still work with it.

• Make sure that the /etc/resolve.conf file is configured properly or use this workaround:
  Change the value of 'vsxMountWithIPAddress' property in $CVPNDIR/conf/cvpnd.C file from 'false' to 'true'. The file share will use the host IP address for the mount instead of the hostname. 

• If you do not want Dynamic ID authentication for Capsule Workspace users, disable it in:
  Gateway Properties -> Mobile Access -> Authentication -> Compatibility with Older clients -> Settings -> Capsule Workspace section -> clear Enable DynamicID.
  
  For VSX, this configuration is done per Virtual System.

Communication errors occur between the Security Gateways managed by R80.20 M1 Multi-Domain Server and participating in Global VPN Communities when there are more than one certificate for the same Internal CA.
Refer to sk136972.

• Workaround: Configure the VPN site again on the client. 

• DAIP devices deployed as VPN Satellite gateways, do not support VPN link fail-over between a static link (using permanent IP address) to the DAIP link, and vice-versa.
• Trusted interfaces are not supported for DAIP devices.

After an upgrade of a Management Server with enabled Compliance blade from R77.20 or lower versions to R80.x:

1. The "Dev Mode: ON - Syntax error: Unable to get property 'icon' of undefined or null reference at line: undefined" error can appear in the Compliance blade reports.
2. "Compliance Statuses" contains the words "Low" instead of "Poor" and "High" instead of "Good".

• Workaround: manually exclude this result from the Best Practices view.
  In the Best Practices view, select the practice. In the bottom pane -> Relevant Object section -> double-click the desired rulebase object and disable the rule/section from the list.

Compliance Blade regulation reports do not contain the Best Practices themselves.

• To see the Best Practices, deploy a SmartEvent Server, enable SmartEvent and create a customized report. 

Compliance Blade does not contain Compliance Overview Report.

• To have the Compliance Overview Report, deploy a SmartEvent server and enable SmartEvent. Then find it at Logs & Monitoring -> new tab -> Reports -> Compliance Blade. 

The SmartConsole client is not aware of license or quota changes in real time - Alert for 'License quota Exceeded' does not pop-up immediately when the license quota is exceeded.

Reopen SmartConsole in Compliance blade to see the license changes.
Quota data changes in the entitlement or Compliance will be updated after:

• Compliance midnight scan
• License changes
• cpstop;cpstart

In Small Office appliance policy installation, services that are manually configured with INSPECT code including the definition "CALL_XLATE_FOLD_FUNC (..." will cause a policy installation failure.

• Workaround: remove the "_FUNC" from the definition and use "CALL_XLATE_FOLD (..."

In an extremely rare scenario, after an appliance boots, names of some interfaces might contain "_rename" after their usual names. For example: "eth5_rename", "Sync_rename".

• Workaround: Reboot the appliance.