Availability | Important Notes| List of resolved issues | Installation instructions | Uninstall instructions | Revision History

 

Introduction

R80.30 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues in different products.

This Incremental Hotfix and this article are periodically updated with new fixes.

The list below describes each resolved issue and provides a Take number, in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). In addition, you can find the date when the take was published in the table below. List of files replaced by this Jumbo Hotfix Accumulator can be provided upon request by Check Point Support.

This Jumbo Hotfix Accumulator is suitable for these products and configurations: Security Gateway, StandAlone, Security Management Server, Multi-Domain Management Server, Log Server, Multi-Domain Log Server, SmartEvent Server, Endpoint Security Server, VSX and Cluster.

• This Jumbo Hotfix Accumulator has to be installed only after successful completion of Gaia First Time Configuration Wizard and reboot.
• For CPUSE installation, CPUSE Agent build 1786 and above (refer to sk92449) must be used.
• It is recommended to install Jumbo Hotfix Accumulator on all R80.30 machines running on Gaia OS 2.6.18 or Gaia OS 3.10.

Also refer to sk98028 - Jumbo Hotfix Accumulator FAQ.

 

Availability

• General Availability Take

  Take_50 is the latest R80.30 Jumbo Hotfix Accumulator General Availability release that can be directly downloaded from Check Point Cloud using CPUSE and from this article:
  
  

  Product	Take	Date	CPUSE offline package	SmartConsole package
  Security Gateway / Standalone on Gaia 2.6.18	Take_50	03 Sep 2019	(TGZ)	(EXE) Build 36
  Security Gateway on Gaia 3.10			(TGZ)
  Security Management			(TGZ)

  • Effective October 3rd 2019, Take 50 has been replaced due to updated Metadata. The MD5 has been changed. No change of the Take's content.

  • To install Take 50, CPUSE Agent build 1786 (refer to sk92449) must be used.

  • Running "Verify" on Take 50 when Take 19 is already installed, may result in "Installation is not allowed" error. 
    No fix is required, the installation will successfully complete. Refer to sk162774. 




• Ongoing Take

  Product	Take	Date	CPUSE Offline package	SmartConsole package
  Security Gateway / Standalone Gaia 2.6.18	Take_107	20 Nov 2019	Check_Point_R80_30_JUMBO_HF_Bundle_T107_sk153152_Security_Gateway_and_Standalone_2_6_18_FULL.tgz	(EXE) Build 36
  Security Gateway Gaia 3.10			Check_Point_R80_30_JUMBO_HF_Bundle_T107_sk153152_Security_Gateway_3_10_FULL.tgz
  Security Management			Check_Point_R80_30_JUMBO_HF_Bundle_T107_sk153152_Security_Management_3_10_FULL.tgz

 

• Supported Jumbo Takes per R80.30 Take

  Jumbo HotFix	R80.30 Takes
  	Security Gateway / Standalone Gaia 2.6.18 Take 200	Security Gateway Gaia 3.10 Take 273	Security Gateway Gaia 3.10 Take 300	Security Management Take 200
  JHF Take 19	Supported	x	x	Supported
  JHF Take 50	Supported	Supported	x	Supported
  JHF Take 76* and above	Supported	Supported	Supported	Supported

  * Take 76 is an Ongoing Jumbo Take released on 11 October 2019

 

Take 107  | Take 76  | Take 50  | Take 19

Important Notes

• Starting from Take 50 of R80.30 Jumbo Hotfix:
  • All gateway related fixes are relevant for both Gaia 2.6.18 and Gaia 3.10 unless otherwise mentioned.
  • Each Take supports Security Gateway platforms listed in R80.30 3.10 and can be installed on CloudGuard IaaS products AWS, Azure, GCP.
• Customers who installed R80.20 Jumbo Hotfix Take 118 and below or R80.10 Jumbo Hotfix Take 245 and below, can safely upgrade to R80.30 Jumbo Hotfix Take 107.
• Effective November 20th 2019, SmartConsole package has been updated (Build 36).

 

List of resolved issues per HotFix Take

ID	Product	Description
R80.30 Jumbo HotFix - Ongoing Take 107 (20 November 2019)
PRJ-1336, PRHF-3455	Security Management	Inline layers are not verified when there are no selected targets in the 'install on' column.
PRJ-4875, PRHF-5274	Security Management	In some scenarios, when setting or modifying the Email/Phone fields of an administrator, the old values still appear at the bottom pane under "View Sessions" instead of the updated values.
PRJ-5557, PMTR-43278	Security Management	In some scenarios, policy installation fails with "Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 0-2000117)". Refer to sk162554.
PRJ-5413, PRHF-5815	Security Management	In some scenarios, policy Installation fails with "Operation failed, install/uninstall has been improperly terminated" error. Refer to sk162855.
PRJ-2984, API-744	Security Management	In some scenarios, show generic-objects API command fails with "Management Server failed to execute command". Refer to sk157693.
PRJ-3379, PMTR-39797	Security Management	In a rare scenario, the $CPDIR/tmp/ directory is filled with "CKP_mutex::_opt_CPsuite-RXX_fw1_log__..." files. Refer to sk36754.
PRJ-5495, PRHF-5881	Security Management	NEW: Added the policy verifier memory enhancement and additional debugging options. Refer to sk162453.
PRJ-1248, PRHF-2012	Security Management	High CPU utilization by FWM process when SmartEvent is enabled on the Security Management Server. Refer to sk147563.
PRJ-5023, PRHF-4877	Security Management	In some scenarios, policy verification process fails for extremely large policies. Refer to sk161412.
PRJ-5424, PMTR-41518	Security Management	In some scenarios, policy fetch fails if name of the Security gateway that tries to fetch this policy is not defined in DNS. Refer to sk150472.
PRJ-5665, PRHF-6087	Security Management	In some scenarios, purge revisions fails and blank lines, that cannot be deleted, appear in SmartConsole Revisions view. Refer to sk163116.
PRJ-6942, PRHF-6754	Security Management	In a rare scenario, policy installation fails with "Policy installation had failed due to an internal error". Refer to sk163482.
PRJ-4666, PMTR-41210	Multi-Domain Management	The FWM process may stop working when there is no valid license on the Multi-Domain Server.
PRJ-7007, PRJ-6992	Multi-Domain Management	The Gaia restore of Multi-Domain Server fails when using Take 76 of R80.30 Jumbo Hotfix Accumulator. Refer to sk163473.
PRJ-6131, PMTR-40039	SmartConsole	NEW: Added LSM support for the 1500 SMB appliances. Requires R80.30 SmartConsole Build 36 (or higher).
PRJ-3138, PRJ-1343	SmartConsole	In some scenarios, DNS Maximum Reply Length IPS protection is not enforced. To fully resolve the issue, R80.30 SmartConsole Build 20 (or higher) should be installed.
PRJ-1511, PMTR-35845	SmartConsole	In some scenarios, Installation Targets do not show the correct gateways when cloning and editing the installation targets in the same session.
PRJ-1882, PRJ-783	SmartConsole	In some scenarios, user cannot delete a VS object since it is referenced by an automatically generated exception rule.
PRJ-4202, PMTR-40076	SmartView	NEW: Added support for "SmartView for QRadar" extension.
PRJ-5784, PRHF-6117	Compliance	In some scenarios, the Compliance blade checks the 'Parent rule for Domain's policy' placeholder as if it was a real rule and shows the rule index in the Firewall Best Practices relevant objects.
PRJ-5480, PRJ-5482, NAT-110	Security Gateway	NEW: Enhancement: NAT port exhaustion logs mechanism was updated. Refer to sk156852.
PRJ-4805, PMTR-41392	Security Gateway	NEW: Added ability to enable NAT over specific IP address avoiding a source port allocation.
PRJ-6036, PRJ-4165, PMTR-39641	Security Gateway	In some scenarios, when the ICAP server on the Security gateway is enabled, some web pages do not load.
PRJ-4749, PRHF-5313	Security Gateway	In a rare scenario, the FWK process stops working during debug.
PRJ-946, GAIA-4638	Security Gateway	Connectivity issues on some HTTPS sites (as login pages) when Security gateway is configured as proxy. Refer to sk147878.
PRJ-2919, UP-293	Security Gateway	In a rare scenario, Security gateway may crash due to NULL pointer reference.
PRJ-5326, PRJ-5433, PMTR-42553	Security Gateway	Non-FQDN domain objects may not be enforced correctly when used in the Access policy along with updatable objects.
PRJ-5820, PRJ-5821, PMTR-37949	Security Gateway	In some scenarios, traffic is dropped with 'up_transaction_notify_clob failed' error in dmesg when Application Control is enabled.
PRJ-5312, PRJ-5314, NAT-137	Security Gateway	In a rare scenario, Security gateway freezes when IP pool NAT and VPN are used.
PRJ-4356, PRJ-4405, SWG-2208	Security Gateway	In a rare scenario, Security gateway crashes when proxy is enabled.
PRJ-1872, PRJ-5114, PRHF-3940	Security Gateway	In some scenarios, when using Hide NAT with GRE tunnel, packets going through this GRE tunnel may get dropped. Refer to sk154492.
PRJ-4398, PRJ-4400, PMTR-34813	Security Gateway	In some scenarios, traffic is dropped with "[ERROR]: network_classifier_handle_dag: failed to get uuid of DAG bogus_ip" error in dmesg.
PRJ-3426, PMTR-35854	Security Gateway	In a rare scenario, changing the xmit-hash-policy of the bonding group while machine handling traffic, causes it to crash. Refer to sk154573.
PRJ-4180, PRJ-4362, SWG-2174	Security Gateway	Some Web sites cannot be opened when Content Awareness or Anti-Virus/Anti-Bot is enabled, and Security gateway is configured as proxy.
PRJ-4403, PRJ-4650, PMTR-40858	Security Gateway	In a rare scenario, when X-Forwarded-For (XFF) settings are enabled on one of the policy layers and on the Security Gateway object, traffic may be accepted although it should be dropped according to Access policy.
PRJ-771, PRJ-6035, SWG-1922	Security Gateway	In a rare scenario, memory usage may rise on Security gateway, when using service with resource with "Optimize URL logging" feature enabled. Refer to sk153052.
PRJ-4351, PRJ-4352, PMTR-41407	Security Gateway	Access rulebase might not be enforced properly when wildcard objects are used in source and destination columns. Refer to sk162692.
PRJ-5141, PMTR-38249	Security Gateway	In some scenarios, traffic is dropped with "network_classifier_get_dynobjs_for_ip: failed to get UUIDs for IP 0.0.0.0" and "kfunc_ip_ranges_to_dynobj: network_classifier_get_dynobjs_for_ip failed" errors in dmesg when dynamic object is used in access policy. Fix is relevant for Gaia 3.10 only.
PRJ-4114, PRHF-2796	Security Gateway	In some scenarios, logs cannot be seen because the log_indexer process stopped working.
PRJ-3276, PRJ-2310	Logging	Log Exporter filtering feature allows to decide which logs will be exported based on values from the various fields on the raw log.
PRJ-3210, PRHF-4497	Logging	In some Full HA environment scenarios, the "Logserver <Cluster virtual IP> is disconnected" error pops up in SmartConsole log view.
PRJ-1325, PRHF-3690	Logging	In some scenarios, when running mdsstart, the following error message is shown: "/opt/CPSmartLog-R80.20/bin/smartlogstop: line 65: /opt/CPmds-R80.20/customers//CPSmartLog-R80.20/log/smartlogRun.log: No such file or directory".
PRJ-1311, PRHF-3681	Logging	In the Logs & Monitor view, the "File size" field is missing from the logs generated by Media Encryption & Port Protection blade. Refer to sk157952.
PRJ-2019, PRHF-2607	Logging	In some scenarios, when SAM activity is defined and a Log server receives a high amount of packets, the FWD process on the Log server stops working.
PRJ-5338, PRJ-5295	Logging	NEW: Added new Log Exporter feature to export links to the relevant log and log attachments (such as Forensics\TE report).
PRJ-4677, PMTR-41228	Content Awareness	Incorrect Access policy decision in some scenarios when Content Awareness is enabled.
PRJ-4759, PMTR-40677	IPS	In some scenarios, IPS update fails as a result of error in management server installation.
PRJ-6658, PRJ-6659, PRJ-6655	Web Intelligence	NEW: HTTP traffic performance enhancement on VSX environment when Gzip enforcement is used.
PRJ-6078, PRJ-6086	ClusterXL	After installing Jumbo HotFix Take 76 only on a standby member, it's outgoing traffic does not pass.
PRJ-4591, PRJ-4592, PMTR-41002	ClusterXL	In some scenarios, arp table is not synchronized with master MAC address after fail-over.
PRJ-5080, PRJ-2152	ClusterXL	The message "fwlddist_debug_update_op: resetting to avoid overflow" should be printed only in debug mode since it's not an error.
PRJ-4584, PRJ-5258, PMTR-37812	ClusterXL	In some scenarios, installing policy in order to update the cluster topology during high load, causes the members to fail-over. Refer to sk154575.
PRJ-4409, PRJ-4583, PMTR-38208	ClusterXL	In some scenarios, when changing cluster topology and installing the policy, the cluster fails over. Refer to sk156335.
PRJ-5859, PRJ-1848	SecureXL	In a rare scenario, Host destination entries are memory leaking when neighbor entry is in incomplete state. Refer to sk157252. Fix is relevant for Gaia 3.10 only.
PRJ-5153, PMTR-37736	SecureXL	In some scenarios, IGMP packets are not forwarded across bridge interfaces. Fix is relevant for Gaia 3.10 only.
PRJ-5154, PMTR-37727	SecureXL	In some scenarios, packets with IP options are not forwarded across bridge interfaces. Refer to Issue #3 in sk154892. Fix is relevant for Gaia 3.10 only.
PRJ-2815, PRHF-3608	SecureXL	On cluster, Drop templates are disabled on reboot. Refer to sk153412.  Fix is relevant for Gaia 3.10 only.
PRJ-5152, 02541089	SecureXL	In a rare scenario, Security gateway freezes / crashes when SecureXL is enabled and multicast routing is configured. Refer to sk119299.  Fix is relevant for Gaia 3.10 only.
PRJ-4783, PRJ-4784, PMTR-40553	SecureXL	NEW: "sim if" and "sim nonaccel" commands will be deprecated. Instead, "fwaccel if" and "fwaccel nonaccel" commands will be used to accommodate multiple SecureXL instances.
PRJ-6850, PRJ-6851, PMTR-25095	SecureXL	In some scenarios, when SecureXL is enabled, the Security Gateway accepts the traffic, but no ARP request is sent. Refer to sk152093.
PRJ-6100, PRJ-6101, PRHF-5450	SecureXL	In some scenarios, SecureXL drops TCP packets with "Out of state" reason.
PRJ-5155, PRJ-5156, PMTR-23471	SecureXL	The "fwaccel conns" command has incorrect Help text.  The "fwaccel conns -n" command returns "invalid mask given" message.
PRJ-6779, PRJ-6108, PRHF-5706	SecureXL	In some scenarios, connection does not to expire correctly when NAT and some Software Blades are enabled.
PRJ-4360, PRJ-4361, PMTR-40826	SecureXL	In a rare scenario, Security gateway may crash if cpinfo reads from the /proc/ppk/cpls directory before SecureXL is initialized.
PRJ-6150, PRJ-4564	SecureXL	NEW: Added new SecureXL Fast Accelerator for Non-Scalable Platforms. Refer to sk156672.
PRJ-834, PMTR-36031	CoreXL	In a rare scenario, Security gateway may freeze when "Drop Templates" or "DOS rate" feature is enabled.
PRJ-5469, PRJ-5684, PMTR-38358	SSL Inspection	In some scenarios, several applications are not matched correctly when HTTPS Inspection enabled and URL Filtering is in HOLD mode.
PRJ-5288, PRJ-4758	URL Filtering	NEW: Improved scalability and resiliency of URL Filtering service.
PRJ-6857, PRJ-6828, SWG-2314	URL Filtering	In a rare scenario, RAD process fails to process new kernel requests.
PRJ-3614, PRJ-4854, ROUT-679	Routing	In some scenarios, OSPFv3 LS updates of the default route are not accepted by the Security gateway for Stub/TSA areas. Refer to sk161472.
PRJ-6063, PRJ-6062, PRHF-2798	Routing	In a rare scenario, the routed process may stop working when a route with a local address as a nexthop is received.
PRJ-5551, PRJ-5596, PRHF-1739	Gaia OS	In some scenarios, Smart-1 405 and 410 appliances may show high voltage due to incorrect VBat thresholds.
PRJ-1030, GAIA-5047	Gaia OS	Changing the xmit-hash-policy of the bond may cause all static arp entries to disappear from the arp -a output. Refer to sk152892.
PRJ-2191, PRHF-5189	Gaia OS	Many "fwldbcast_new: too many hosts : 0" kernel messages appear in /var/log/messages file. Refer to sk153253.
PRJ-962, PRJ-2789, PRHF-2474	Gaia OS	In some scenarios, user cannot access terminal from WebUI in monitor role mode.
PRJ-6686, PRJ-6687, PRJ-6991, PMTR-44076	Gaia OS	In some scenarios, Gaia restore on Multi-Domain Server fails with error "failed to edit update registry". Refer to sk163312.
PRJ-2819, PMTR-39191	Gaia OS	While unplugging one of the Power supply cables on Smart-1 5150/5050/525 appliances a false 'No Read' message appears for ~5 seconds in both PSUs statuses (instead of Present/Input Lost/Absence).
PRJ-4156, PRHF-3929	Gaia OS	NEW: The ARP cache size limit on Clish was increased to 131072 hosts.
PRJ-4523, PRJ-4524, GAIA-5047	Gaia OS	Changing the xmit-hash-policy of the bond may cause all static arp entries to disappear from the arp -a output. Refer to sk152892.
PRJ-3122, PMTR-38890	Endpoint Security	In some scenarios, Endpoint Security Clients are in "Disconnected" state after Endpoint Security Server upgrade. Refer to sk161113.
PRJ-2321, EPS-21609	Endpoint Security	If there is a large amount of devices which are going to be removed from the Deleted Container, the server may fail to process the epmCommands, returning "FATAL: remaining connection slots are reserved for non-replication superuser connections" error.
PRJ-2014, EPS-20841	Endpoint Security	In some scenarios, SmartEndpoint shows "Unknown Error" when trying to open the "User and Computers" Tab "Top Bots" and software deployment by policy reports. Refer to sk151932.
PRJ-5352, PMTR-39950	Endpoint Security	In some scenarios, migrate_import fails with the "ERROR: Command completed with error code #2 and output: psql.bin: could not connect to server: No such file or directory" message in $UEPMDIR/logs/exportedFileManip*.log.
PRJ-2913, EPS-21658	Endpoint Security	In some scenarios, when searching for a machine in SmartEndpoint and selecting it, a "Server Error" message appears. Refer to sk158432.
PRJ-1810, PMTR-27831	VPN	NEW: Connectivity enhancements for Remote Access clients using internal Office mode allocation with a long timeout.
PRJ-4648, PRJ-6593, PRHF-4819	VPN	In some scenarios, traffic is not working over Site-to-Site VPN after an upgrade when SecureXL is enabled. Refer to sk162400.
PRJ-3557, VSX-1866	VSX	NEW: Added the option to configure reject routes via vsx_provisioning_tool on Scalable Platforms Appliances. Refer to sk151473.
PRJ-5922, PRHF-6345	VSX	In some scenarios, IGMP traffic is dropped by "local interface address spoofing" in VSX HA. Refer to sk162953.
PRJ-4674, PMTR-41221	VSX	VSX configuration cannot not be applied after upgrade from R77.x to R80.x, due to duplicated VSX routes.
R80.30 Jumbo HotFix - Ongoing Take 76 (11 October 2019) Note: This Take replaces Take 71 released on 03 Oct 2019. It is recommended to install Take 76
-	General	Added GUI support for Check Point 26000 and 16000 appliances. Refer to sk162832.
PRJ-2726, PMTR-38948	Upgrade	Added a pre-upgrade verification that Global network objects with NAT configuration are not supported.
PRJ-718, PMTR-36761	Security Management	Enhancement: added feature for tracking random CPM process crashes on Security Management server. Refer to sk150913.
PRJ-3604, PMTR-39644	Security Management	Added ability to automatically determine the API process memory allocation to avoid "Out of memory" errors. Refer to sk119553.
PRJ-4241, PMTR-38720	Security Management	When many users are connected to and actively working in the same domain in SmartConsole, they may experience: Slowness in SmartConsole responses Long duration of operations High load on the Management Server
PRJ-4729, PMTR-41157	Security Management	After deleting a network object that is part of a network group, the audit log of the group modification does not show who is the removed member.
PRHF-3242, PRJ-659	Security Management	In a rare scenario, the policy verifier ignores rules with object named "Internet" used with negate operator.
PRJ-4306, PMTR-40468	Security Management	Added a mechanism to prevent the Management Server from starting if an import process was interrupted.
PRJ-2339, PRHF-4046	Security Management	In some scenarios, user cannot discard or publish a work session, receiving the general message "Internal error".
PRJ-1762, PMTR-37924	Security Management	Due to a failed full sync, FWM was restarted unexpectedly and obsolete domain sessions were used in the global policy assignment.
PMTR-23492, PRJ-2847	Security Management	Added support for Internal CA certificate replacement.
PRJ-3874, PRHF-3463	Security Management	In some scenarios, size of the shadow_object.C file increases after each policy installation, eventually causing a failure in installing a policy.
PRJ-2341, PMTR-38095	Security Management	In a rare scenario, the Security Management server does not start due to a missing object, or a duplication of objects.
PRJ-1493, PMTR-38249	Security Management	In some scenarios, traffic is dropped with "network_classifier_get_dynobjs_for_ip: failed to get UUIDs for IP 0.0.0.0" and "kfunc_ip_ranges_to_dynobj: network_classifier_get_dynobjs_for_ip failed" errors in dmesg when dynamic object is used in access policy.
PRJ-1380, PRHF-3514	Security Management	In some scenarios, upgrade from R7x fails with core file of cpdb process due to an empty field in 'autoupdate_and_install_settings' object.
PRJ-1974, CPM-2300	Security Management	In some rare scenarios CPM server does not start after a failure in delete domain.
PRJ-1518, CPM-2264	Security Management	Performance and stability improvements in large High Availability setups.
PRJ-3879, PMTR-39361, PMTR-40489	Security Management	Cannot export a .pdf file from the License inventory view after Jumbo HotFix installation on the Management server.
PRJ-1375, CPM-2242	Security Management	In some scenarios, High Availability synchronization between Management Servers fails and HA menu is disabled.
PRJ-3689, PMTR-36555	Security Management	New policy creation may fail when there are no installation targets defined in this policy.
PRJ-1903, PRJ-1899	Security Management	After opening and searching in pickers for a few times, the "error retrieving results" message appears when opening a picker.
PRJ-2488, PMTR-38103	Security Management	In some scenarios, a validation incident about Invalid Email Address is presented in SmartConsole after upgrade from R77.
PRJ-2441, PMTR-38293	Security Management	In some scenarios, QoS policy installation fails when installing the blade without installing Access or Threat blades of the same policy first.
PRJ-2788, PMTR-37630	Multi-Domain Management	In some scenarios, Multi-Domain Server upgrade from R80 fails due to an internal error related to deprecated application objects. Refer to sk157752.
PRJ-5639	CPInfo	In some scenarios, the CPInfo tool does not show/collect the correct information after Jumbo Hotfix installation. Refer to sk162775.
PRJ-4415, PRHF-5177	Compliance	In some scenarios, some of the Best Practices show "N\A" status in the Compliance blade dashboard.
PRJ-1273, SL-1052	Logging	In a rare scenario, when an environment has many gateways (dozens), FWM on the log server might crash when reaching to 4 GB memory.
PRJ-4965 SL-2456	Logging	In a rare scenario, a specific log fails to be written and an alert informing on this is displayed in SmartConsole.
PRJ-2678, PRHF-3831	Logging	In a rare scenario, the accounting of bytes in a report is not accurate.
PRJ-871, PRHF-2806	Logging	In a rare scenario, SmartConsole does not show indexed logs because the log_indexer process stopped working. Refer to sk152934.
PRJ-1158, PRHF-3561	Logging	In SmartView, if a view contains 2 map widgets, one displaying source countries and the other displaying destination countries, drilling down on one of them may display incorrect data.
PRHF-4975, PRJ-4062	Logging	In some scenarios, when exporting logs with "Visible columns" option selected from SmartView, some columns return empty record. Refer to sk161712.
PRJ-2645, SL-2509	Logging	Running views and reports with a filter fails if the filter contains a "NOT" operator combined with parentheses.
PRJ-3529, PMTR-34580	Multi-Domain Management	In some scenarios, Administrator does not see that a revision was created in its Domain (on Domain level) after a Global policy was assigned to it.
PRJ-3048, PMTR-39455	Multi-Domain Management	If user deletes a CLM from a Domain (it's forbidden, the validation was added), the CLM remains as partially deleted and user cannot create a new one.
PRJ-3527, PMTR-40003	Multi-Domain Management	Objects on Domain level that should be shown on the Multi-Domain Server level, sometimes are not shown correctly.
PRJ-2385, PMTR-38670	Multi-Domain Management	In a rare scenario, CPM server fails to start after successful Domain deletion.
PMTR-38211, PRJ-2172	Multi-Domain Management	In some scenarios, logs are not saved under $MDS_FWDIR/log/failed_tasks directory.
PRJ-799, PMTR-36765	Multi-Domain Management	In some scenarios, the "Unable to connect to server. Please make sure the server is up and running." error appears when trying to log into single Domain from SmartConsole. Refer to sk153293.
PRJ-1567, SMCUPG-719	Multi-Domain Management	Deletion of Domain failed with "Could not send message" error when having large amount of gateways in the Domain. The Domain remain without Domain Servers.
PRJ-1303, PRJ-1305	Multi-Domain Management	When running the 'add-domain' Web API command on an existing Domain, the original Domain might be deleted.
PRJ-1444, PRHF-3783	Multi-Domain Management	In some scenarios, gateways are missing in the 'Gateways and Servers' view in SmartConsole on the MDS level.
PRJ-2245, PMTR-36614	Multi-Domain Management	The mds_backup command will generate an output file of format .tar instead of .tgz to improve the duration time of backup (mds_backup) and restore (mds_restore) of Multi-Domain Server. Refer to sk163300.
PRJ-1532	Multi-Domain Management	In a specific scenario, Global policy rules may change order after Multi-Domain Server upgrade. Refer to sk155432.
PRJ-374, PRHF-3285	Multi-Domain Management	In a rare scenario, FWM process stops working on the Domain level during login.
PRJ-1970, PRJ-4545, PRHF-3268	SmartConsole	In setups with a large quantity of network object, users may experience slowness when editing the HTTPS Inspection policy. Refer to sk147134 To fully resolve the issue, R80.30 SmartConsole Build 20 (or higher) should be installed.
PRJ-3870, PRHF-4655	SmartConsole	In a rare scenario, when user clicks on Mail Transfer Agent (MTA) options in the Security gateway settings or on 'Next hop' column inside MTA settings, SmartConsole shows "Not Responding" and freezes. Refer to sk161232. To fully resolve the issue, R80.30 SmartConsole Build 20 (or higher) should be installed.
PRJ-619, PRHF-3415	SmartConsole	In some scenarios, upgrade fails with "com.checkpoint.management.classes.dle.triggers.internal.VersionInfo.VersionInfo" exception in cpm.elg file.
PRJ-1879, PRJ-1864	SmartConsole	In some scenarios, SmartConsole stops working while adding or removing many objects via Web API.
PRJ-1210, PRHF-3465	SmartConsole	Pre-shared keys are missing after upgrade.
PRJ-832, PMTR-36527	SmartConsole	Redundant layers appear in the output of the 'show-package' command when Global policy holding more than one layer, is assigned to Domain.
PRJ-1144, API-549	SmartConsole	Management API command "put file" can be used for command execution with certain permissions.
PRJ-1434, PMTR-31155	SmartConsole	In some scenarios, SmartConsole terminates when installing policy on many targets at once.
PRHF-2194, PRJ-4434	SmartConsole	In some scenarios, Client certificate is removed when deleting Domain that is included in certificate's permissions.
PRJ-2142, PMTR-38301	SmartConsole	Added the protectionExternalInfo property in the overrides object that displays the CVEs in the output of 'show threat-profile' command.
PRJ-2419, PRJ-1407, PMTR-38710	SmartProvisioning	In VPN Community managed by SmartProvisioining: When adding SMB gateway to the VPN community, VPN tunnel may not been established.  When changing security profile in VPN community, the VPN settings are not changed.  Policy installation fails for cluster member of CO Gateway.
PROV-2068, PRJ-4672	SmartProvisioning	In some scenarios in SmartProvisioning: When executing Run Script on SmartProvisioning profile, the application disconnects from the server and is closed. When executing Push Settings and Actions the "The action was not performed due to maintenance mode" error appears.
MCFG-199, PRJ-2384	SmartProvisioning	SmartUpdate generates audit log even when no action was taken.
PRHF-3392, PRJ-869	SmartProvisioning	In VPN star community managed by SmartProvisioning, VPN tunnels may not be established after installing policy to CO gateway (center). Refer to sk152612.
PRJ-4311, PRJ-4314, GAIA-6260, STRM-149	Security Gateway	In some scenarios, a remote client disconnects after one hour although the session is not idle. Refer to sk160213.
PRJ-3589, STRM-109, PRJ-3564	Security Gateway	Disabling connections timestamp does not work on active streaming connections. Refer to sk62700.
PRJ-4416, QOS-22, PRJ-698	Security Gateway	In a rare scenario, Security gateway crashes during QoS policy installation.
PRJ-4804, PMTR-41392	Security Gateway	Enabled avoiding source port allocation for specific predefined connections.
PRJ-4147, UP-293	Security Gateway	In a rare scenario, Security gateway may crash due to NULL pointer reference.  Fix is relevant for Gaia 3.10 only.
PRJ-4615, PMTR-40937, PRJ-4554	Security Gateway	In some scenarios, VoIP traffic is dropped with "allocate_port_impl: could not find a free port;" error in dmesg.
PRJ-4758	URL Filtering	Improved scalability and resiliency of URL Filtering service. Fix is relevant for Gaia 3.10 only.
PRJ-4845, PRJ-4844, PMTR-4178	SSL Inspection	In a rare scenario, when SSL Inspection is enabled and there is big latency, Microsoft websites (for example Azure) may not respond. Refer to sk150175.
PRJ-1161	IPS	CMA migration may take a long time when there are many IPS protections local overrides.
PRJ-5173, PRJ-2168, PRJ-2108	IPS	In some scenarios, categorization of HTTPS sites over IPv6 does not work as expected.
PRJ-1666	Threat Emulation	Management Server upgrade may fail in these scenarios:  There are Threat Emulation settings, which remained from Security Gateway objects that were already removed. There are Threat Emulation settings, which are configured in the cluster member objects and not in the cluster object. Refer to sk150793.
PRJ-3370, PMTR-13884	Threat Prevention	Deleting a Threat Prevention profile might fail if the IPS profile has many overrides. Refer to sk136552.
PRJ-4148, PMTR-40174	Threat Prevention	Upgrade fails due to invalid Threat Emulation settings connected to gateways that no longer exist or to cluster members. Fix will affect only Advanced upgrade
PRJ-5077, PMTR-41915	Threat Prevention	In a rare scenario, R80.30 Security gateway managed by R80.30 Management crashes when running a Threat Prevention Software Blade with the Forensics feature enabled. Refer to sk161812.  Fix is relevant for Gaia 3.10 only.
PRJ-1919, PRJ-2416, PRJ-2417, PRJ-3510	Identity Awareness	Security hardening for Identity Awareness Agent (IDA) enforcement according to XFF IP.
PRJ-3478, PRJ-1952	Identity Awareness	Performance improvement of Identity Awareness kernel tables for Cluster and multi-fw1 instances gateways.
PRJ-3478, IDA-1966	Identity Awareness	In a rare scenario, identities are missing from all connected Identity Gateways (PEPs).
IDA-1987, PRJ-1956	Identity Awareness	In a rare scenario, sessions longer than 24 hours disappear from the Identity Gateway (PEP) but exist on the Identity server (PDP)
IDA-1981	Identity Awareness	Users are not propagated from the PDP to the PEP on a specific network due to a rare race condition between register and unregister requests triggered by different instances or cluster members.
PRJ-1926	Identity Awareness	The output of pep show pdp all command on the Identity Gateway (PEP) contains "inx invalid type (0)" instead of an Identity server (PDP) IP address. Refer to Scenario #3 in sk156953.
PMTR-32539, PRHF-3443	Identity Awareness	Users are not authenticated when an identity source provides the login name in an 'User Principal Name' format "user@domain". Refer to sk147417.
PRJ-3137, PRJ-5259, PMTR-38645	ClusterXL	Added support for Cluster Load Sharing without IPSec VPN.
PRJ-1657, PRJ-5035, PMTR-30582	ClusterXL	In some scenarios, unable to connect to the Standby Cluster member from a non-local subnet via SSH or WebUI. Refer to sk147493.
PRJ-2147, PRJ-3439, PRHF-4105	ClusterXL	In a rare scenario, the fw_workers process consumes high CPU on the Standby member of a ClusterXL. Refer to sk156333.
PRJ-3295, PRHF-4301	CoreXL	In a rare scenario, Custom affinity configuration is overwritten when HT is enabled. Refer to sk158112.
PRJ-998, PMTR-35350	CoreXL	In some scenarios, VPN connection's records remain in the Global connections table even after the connection expires. Refer to sk155332.
PRJ-2397	CoreXL	"fwmutlik_do_sequence_accounting_on_entry: bad dir" errors are mistakenly printed in dmesg output. Refer to sk158312.
PRJ-1299	SecureXL	In a rare scenario, multicast routing lookup may lead to SIM crash.
PRJ-631, PRHF-5533	SecureXL	In some scenarios, latency is observed on the Security gateway when SecureXL is enabled. Refer to sk162914.
PRJ-1177, PRJ-1176	SecureXL	Added sim module parameter "sim_anti_spoofing_enabled" to allow disable of anti-spoofing in Performance Pack without installing new Firewall policy.
PRJ-1642, PRJ-3660, PRHF-4350	SecureXL	In some scenarios, when SecureXL is enabled, it drops the TCP traffic for the particular connection for invalid state reasons. Refer to sk147093.
PRJ-5154, PMTR-37727, PRJ-1641, PMTR-37736, PRJ-1638	SecureXL	In some scenarios, packets with IP options are not forwarded across bridge interfaces. Refer to Issue #3 in sk154892
PRJ-4622, PMTR-40703, PRJ-4621	SecureXL	In some scenarios, sending IP fragmented traffic through a Virtual Switch or Virtual Router fails with "Virtual defragmentation error".
PRJ-4735, PRHF-3487, PRJ-1223, PRJ-1841	SecureXL	In some scenarios, Policy Based Routing (PBR) does not work properly when acceleration is enabled.
PRJ-2119, PRJ-1848	SecureXL	In a rare scenario, Host destination entries are memory leaking when neighbor entry is incomplete state. Refer to sk157252.
PRJ-1218, PMTR-37165	SecureXL	In some scenarios, multicast traffic is not forwarded across bridge interfaces.
PRJ-1252, PRHF-3608	SecureXL	On cluster, Drop templates are disabled on reboot. Refer to sk153412.
PRJ-3658, PMTR-39660, PRJ-3596	SecureXL	In a rare scenario, when SecureXL is enabled, a VSX gateway may crash. Refer to sk160912.
PRJ-806, PRHF-3498	SecureXL	In a rare scenario, when SecureXL is enabled, Policy Based Routing (PBR) does not work although configured.
PRJ-2323, PRJ-5078, PMTR-38429	Gaia OS	The restore backup operation fails if the machine was installed via ISO during the backup, and via CPUSE during the restore.
PRJ-1477, PRJ-5115, PMTR-37425	Gaia OS	Backup task may fail if SmartConsole is open during backup.
PRJ-3136, GAIA-2861	Gaia OS	In some scenarios, the IGB driver interfaces are occasionally down after reboot of a Management machine. Refer to sk135532.
PRJ-3365, PRJ-3361, PRJ-3364	Gaia OS	'|' and '-' characters cannot be used in the message banner.
PRJ-1677	Gaia OS	Clish command "show system init-services" and Expert command "service --status-all" run "mdsstart" on the server.
GAIA-4695, PRJ-615, PRJ-4527	Gaia OS	When running "service vmtoolsd restart" command on Gaia installation with VMware, the "Installing memory driver: FATAL: Module vmmemctl not found. [FAILED]" error is displayed although the vmw_balloon.ko driver is loaded. Note: this issue is only cosmetic.
PRJ-1771, GAIA-4793	Routing	The default OSPF instance binding is missing.
ROUT-484, PRJ-4849, PRJ-4850	Routing	In some scenarios, legitimate subnets of 0.0.0.0 (for example 0.0.0.0/1) cannot be configured for certain routing features, like static routes, PBR, routemaps, etc.
PRJ-4279, PRJ-4266, PRHF-5105	VSX	In a rare scenario, machine crashes when using VSX with Virtual Switch (VSW).
PRJ-4921, PMTR-32931	VSX	In some scenarios, the fwk process might crash when VSX gateway is upgraded to R80.30.
PRJ-4956, GAIA-6397, PRJ-4950	VSX	In some scenarios, traffic does not pass in VSX setup with VS-VSW-VS topology and some Threat Prevention blades enabled on VSs.
PRJ-1420, PRJ-4740, GAIA-5136	VPN	Improved the VPN connectivity for VSX and User-Space Firewall gateways.
PRJ-4740, PRJ-1420	VPN	In some scenarios, VPN Encryption Domain Routes are not added to kernel via RIM in VSX environment. Refer to sk154692.
PRJ-1385, GAIA-5338	VPN	In some scenarios with acceleration enabled, traffic through VR for a VPN setup does not pass.
PMTR-38041, PRJ-4153, PRJ-4488	VPN	In some scenarios, the Phase-2 negotiation fails with "Reason: Wrong value for: Encapsulation Mode" after upgrade. Refer to sk157092.
R80.30 Jumbo HotFix - General Availability Take 50 (03 September 2019, GA from 24 September 2019) Note: This Take replaces Take 48 released on 1 Sept 2019. It is recommended to install Take 50
-	General	Added support for Gaia kernel 3.10.
-	General	Added support for Check Point 26000 and 16000T model appliances and CloudGuard IaaS products AWS, Azure, GCP.
PRJ-2300	Security Management	Added Management support for 16000 and 26000 appliances. GUI support was added in R80.30 Jumbo HotFix Take 71.
PRJ-5065, PRJ-3101	Multi-Domain Management	Import of Multi-Domain Management Server fails when Jumbo HotFix is installed on the target machine and the source machine is R77.x. Refer to sk162032.
PRHF-3248, PRJ-823, PRJ-2737	Security Gateway	In a rare scenario, Security gateway freezes when Priority Queue is enabled. Refer to sk149413.
PRJ-3736, PRJ-3737, PMTR-40259	Security Gateway	In some scenarios, when a connection is accelerated and ICMP packet is sent from a server to a client, it is being dropped by Security gateway.
PMTR-25703, PRJ-2694	Security Gateway	In a rare scenario, when configured as a proxy/ICAP client, a Security gateway may crash when using HTTPS Policy Categorization.  Fix is relevant for Gaia 3.10 only.
PRJ-5028	Threat Prevention	In a rare scenario, R80.30 Security gateway managed by R80.30 Management crashes when running a Threat Prevention Software Blade with the Forensics feature enabled. Refer to sk161812.
PRJ-2891, PMTR-31316	Logging	In some scenarios with low disk space and customized retention configuration, logs and indexes may be deleted contrary to the configuration. In some cases, logs are not forwarded when log forwarding in enabled on a Log server machine.
PRJ-1825, PRHF-3890	SSL Inspection	Added support of RDP over SSL inspection as part of HTTPS Inspection blade. (Relevant for Remote Desktop Protocol Vulnerability CVE-2019-0708.) Supported only on Gaia 3.10.
PRHF-4193, PRJ-2733	CoreXL	"fwmutlik_do_sequence_accounting_on_entry: bad dir" errors are mistakenly printed in dmesg output. Refer to sk158312. Fix is relevant for Gaia 3.10 only.
PMTR-35350, PRJ-2735	CoreXL	In some scenarios, VPN connection's records remain in the Global connections table even after the connection expires. Refer to sk155332. Fix is relevant for Gaia 3.10 only.
PRJ-2734, PMTR-36031	CoreXL	In a rare scenario, Security gateway may freeze when "Drop Templates" or "DOS rate" feature is enabled. Fix is relevant for Gaia 3.10 only.
PRJ-2668, PRJ-2358	Gaia OS	CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.
PRJ-1981, GAIA-5576	Gaia OS	IPv6 address configured on VLAN interfaces is missing after reboot. Fix is relevant for Gaia 3.10 only.
PRJ-2579, GAIA-5563	Gaia OS	Status of newly created VLAN interface is "off". Fix is relevant for Gaia 3.10 only.
PRJ-2561, GAIA-5815	Gaia OS	When adding more than 256 bridge interfaces, CPD process stops working, bringing down SIC. Fix is relevant for Gaia 3.10 only.
PRJ-2782, GAIA-5512	CPView	The SMT Status is "Unknown" instead of "Enabled" in CPView. Fix is relevant for Gaia 3.10 only. The SMT Status is removed from CPView on Gaia 3.10 kernel as there is no soft-disable of Hyper-Threading on this kernel version anymore.
PRJ-4055, GAIA-6172	VSX	In some scenarios, a new hotfix installation via CPUSE fails on VSX. Refer to sk159713. Fix is relevant for Gaia 3.10 only.
PMTR-39868, PRJ-3528, PRJ-3671	VSX	In some scenarios, traffic is dropped on VSX when SecureXL is enabled. Refer to sk160352.
R80.30 Jumbo HotFix - General Availability Take 19 (02 July 2019, GA from 04 Aug 2019)
PRJ-634, PMTR-15461	SecureXL	Added support for i40evf driver.
PRJ-451, PRHF-3283	Security Management	In a rare scenario, a failure in policy installation causes a false "Policy installation is currently in progress" error message.
PRJ-1647, PMTR-36840	Multi-Domain Management	Improved duration of Multi-Domain Server upgrade from R80.10.
PRJ-593, PRHF-3300	Multi-Domain Management	Multi-Domain Server processes must be down when running cma_migrate.
PRJ-1787, PMTR-37945	SmartConsole	In a rare scenario, when using "add-threat-exception" API command to empty rulebase, it fails with the "Runtime error: Index: -1, Size: 0" error.
PRJ-1552, PMTR-31316	Logging	In some scenarios with low disk space and customized retention configuration, logs and indexes may be deleted contrary to the configuration. In some cases, logs are not forwarded when log forwarding in enabled on a Log server machine.
PRJ-633, PRJ-2897	SecureXL	Debug messages are not printed when running "fwaccel dbg -m adp all" and sending multicast packets through the Security gateway.
PRJ-898, GAIA-4855	VSX	When SecureXL and IPS are enabled on VS connected to VR, HTTP traffic does not pass the internal Host.
PRJ-2371, PRJ-2358	Gaia OS	CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.

 

Installation instructions

Procedure:

• Show / Hide instructions for installation in Gaia Portal - using CPUSE (Check Point Update Service Engine)
  
  

  • Offline installation

    Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").

    1. Install the latest build of CPUSE Agent from sk92449.
    2. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
    3. In the upper right corner, click on the Import Package button.
    4. In the Import Package window, click on Browse... - select the CPUSE package (either offline TGZ file, or exported TAR file) - click on Import.
    5. Above the list of all software packages, click on the Showing Recommended packages button - select All.
    6. Select the imported package Check Point R80.30 Jumbo hotfix T<number> for sk153152 - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
    7. Select this package and click on Install Update button on the toolbar.

  
  
  
• Show / Hide instructions for installation in Gaia Clish - using CPUSE (Check Point Update Service Engine)
  
  

  For detailed installation instructions, refer to CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".

  • Offline installation

    Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").

    1. Install the latest build of CPUSE Agent from sk92449.
    2. Connect to command line on target Gaia OS.
    3. Log in to Clish.
    4. Acquire the lock over Gaia configuration database:
       HostName:0> lock database override
    5. Import the package from the hard disk:
       HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
    6. Show the imported packages:
       Note: Refer to the top section "Hotfixes" - refer to "Check Point R80.30 Jumbo hotfix T<number> for sk153152"
       HostName:0> show installer packages imported
    7. Verify that this R80 Jumbo Hotfix Accumulator package can be installed without conflicts:
       HostName:0> installer verify <Package_Number>
    8. Install the imported package:
       HostName:0> installer install <Package_Number>

 

Uninstall instructions

Important Note: This Jumbo Hotfix Accumulator removes all its packages during uninstall.

Procedure:

• Show / Hide instructions for uninstall in Gaia Portal - using CPUSE (Check Point Update Service Engine)
  
  

  1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
     Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
  2. Connect to the Gaia Portal on your Gaia machine and navigate to the 'Upgrades (CPUSE)' section - click on 'Status and Actions'.
  3. Above the list of all software packages, click on the 'Showing Recommended packages' button - select 'All'.
  4. Right-click on the Jumbo Hotfix Accumulator package - click on 'Uninstall'.
  5. A warning will be displayed that after this uninstall, the machine will be automatically rebooted.
     Click on 'OK' to start the uninstall.

  
  
  
• Show / Hide instructions for uninstall in Gaia Clish - using CPUSE (Check Point Update Service Engine)
  
  

  1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
     Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
  2. Connect to command line on Gaia OS.
  3. Log in to Clish.
  4. Acquire the lock over Gaia configuration database:
     HostName:0> lock database override
  5. Uninstall the package:
     HostName:0> installer uninstall <Package_Number>
     Note: The progress (in per cent) will be displayed in Clish.
  6. Machine will be rebooted automatically.

 

 

Revision History