Jumbo Hotfix Accumulator for R80.30 (R80_30_jumbo_hf)
Solution

Table of Contents:

  • Introduction
  • Availability
  • Important Notes
  • List of resolved issues per HotFix
  • Installation instructions
  • Uninstall instructions
  • List of replaced files
  • Revision History

 

Introduction

R80.30 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues in different products.

This Incremental Hotfix and this article are periodically updated with new fixes.

The list below describes each resolved issue and provides a Take number, in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). In addition, you can find the date when the take was published in the table below.

Refer to sk98028 - Jumbo Hotfix Accumulator FAQ.

 

Availability

  • General Availability Take

    Take_19 is the latest R80.30 Jumbo Hotfix Accumulator General Availability release that can be directly downloaded from Check Point Cloud using CPUSE and from this article:

    Product | Take | Date | CPUSE offline package | SmartConsole package
    Security Gateway / Standalone | Take_19 | 02 July 2019 | (TGZ) | (EXE) R80.30 Build 08
    Security Management | | | (TGZ) |


  • Ongoing Take

    Product | Take | Date | CPUSE Offline package | SmartConsole package
    Security Gateway / Standalone (Gaia 2.6.18) | Take_50 | 03 Sept 2019 | Check_Point_R80_30_JUMBO_HF_Bundle_T50_sk153152_Security_Gateway_and_Standalone_2_6_18_FULL.tgz | (EXE) R80.30 Build 08
    Security Gateway (Gaia 3.10) | | | Check_Point_R80_30_JUMBO_HF_Bundle_T50_sk153152_Security_Gateway_3_10_FULL.tgz |
    Security Management | | | Check_Point_R80_30_JUMBO_HF_Bundle_T50_sk153152_Security_Management_3_10_FULL.tgz |


Important Notes

  • Starting from Take 50 of R80.30 Jumbo Hotfix Accumulator:
    • For CPUSE installation, CPUSE Agent build 1573 and above (refer to sk92449) must be used.
  • It is recommended to install Jumbo Hotfix Accumulator on all R80.30 machines running on Gaia OS 2.6.18 or Gaia OS 3.10.
  • This Jumbo Hotfix Accumulator is suitable for these products and configurations:
    • Security Gateway
    • StandAlone
    • Security Management Server
    • Multi-Domain Management Server
    • Log Server
    • Multi-Domain Log Server
    • SmartEvent Server
    • Endpoint Security Server
    • VSX
    • Cluster
  • This Jumbo Hotfix Accumulator has to be installed only after successful completion of Gaia First Time Configuration Wizard and reboot.
  • To check the Take number of the currently installed R80.30 Jumbo Hotfix Accumulator (if it is installed): [Expert@HostName:0]# cpinfo -y all

 

List of resolved issues per HotFix

ID | Product | Description

R80.30 Jumbo HotFix - Ongoing Take 50 (03 September 2019)
Note: This Take replaces Take 48 released on 1 Sept 2019. It is recommended to install Take 50.

- | General | Added support for Gaia kernel 3.10.
- | General | Added support for Check Point 26000 and 16000T model appliances and CloudGuard IaaS products AWS, Azure, GCP.
PRJ-2300 | Security Management | Added Management support for 16000 and 26000 appliances. This fix requires R80.30 SmartConsole Build 08 to be installed.
PRJ-5065, PRJ-3101 | Multi-Domain Management | Import of Multi-Domain Management Server fails when Jumbo HotFix is installed on the target machine and the source machine is R77.x. Refer to sk162032.
PRHF-3248, PRJ-823, PRJ-2737 | Security Gateway | In a rare scenario, Security gateway freezes when Priority Queue is enabled. Refer to sk149413.
PMTR-25703, PRJ-2694 | Security Gateway | In a rare scenario, when configured as a proxy/ICAP client, a Security gateway may crash when using HTTPS Policy Categorization. Fix is relevant for Gaia 3.10 only.
PRJ-5028 | Threat Prevention | In a rare scenario, R80.30 Security gateway managed by R80.30 Management crashes when running a Threat Prevention Software Blade with the Forensics feature enabled. Refer to sk161812.
PRJ-2891, PMTR-31316 | Logging | In some scenarios with low disk space and customized retention configuration, logs and indexes may be deleted contrary to the configuration. In some cases, logs are not forwarded when log forwarding is enabled on a Log server machine.
PRJ-1825, PRHF-3890 | SSL Inspection | Added support of RDP over SSL inspection as part of HTTPS Inspection blade. (Relevant for Remote Desktop Protocol Vulnerability CVE-2019-0708.) Supported only on Gaia 3.10.
PRHF-4193, PRJ-2733 | CoreXL | "fwmutlik_do_sequence_accounting_on_entry: bad dir" errors are mistakenly printed in dmesg output. Refer to sk158312. Fix is relevant for Gaia 3.10 only.
PMTR-35350, PRJ-2735 | CoreXL | In some scenarios, VPN connection's records remain in the Global connections table even after the connection expires. Refer to sk155332. Fix is relevant for Gaia 3.10 only.
PRJ-2734, PMTR-36031 | CoreXL | In a rare scenario, Security gateway may freeze when "Drop Templates" or "DOS rate" feature is enabled. Fix is relevant for Gaia 3.10 only.
PRJ-2668, PRJ-2358 | Gaia OS | CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.
PRJ-1981, GAIA-5576 | Gaia OS | IPv6 address configured on VLAN interfaces is missing after reboot. Fix is relevant for Gaia 3.10 only.
PRJ-2579, GAIA-5563 | Gaia OS | Status of newly created VLAN interface is "off". Fix is relevant for Gaia 3.10 only.
PRJ-2561, GAIA-5815 | Gaia OS | When adding more than 256 bridge interfaces, CPD process stops working, bringing down SIC. Fix is relevant for Gaia 3.10 only.
PRJ-2782, GAIA-5512 | CPView | The SMT Status is "Unknown" instead of "Enabled" in CPView. Fix is relevant for Gaia 3.10 only. The SMT Status is removed from CPView on Gaia 3.10 kernel as there is no soft-disable of Hyper-Threading on this kernel version anymore.
PRJ-4055, GAIA-6172 | VSX | In some scenarios, a new hotfix installation via CPUSE fails on VSX. Refer to sk159713. Fix is relevant for Gaia 3.10 only.
PMTR-39868, PRJ-3528, PRJ-3671 | VSX | In some scenarios, traffic is dropped on VSX when SecureXL is enabled. Refer to sk160352.

R80.30 Jumbo HotFix - General Availability Take 19 (02 July 2019, GA from 04 Aug 2019)

PRJ-634, PMTR-15461 | SecureXL | Added support for i40evf driver.
PRJ-451, PRHF-3283 | Security Management | In a rare scenario, a failure in policy installation causes a false "Policy installation is currently in progress" error message.
PRJ-1647, PMTR-36840 | Multi-Domain Management | Improved duration of Multi-Domain Server upgrade from R80.10.
PRJ-593, PRHF-3300 | Multi-Domain Management | Multi-Domain Server processes must be down when running cma_migrate.
PRJ-1787, PMTR-37945 | SmartConsole | In a rare scenario, when using "add-threat-exception" API command to empty rulebase, it fails with the "Runtime error: Index: -1, Size: 0" error.
PRJ-1552, PMTR-31316 | Logging | In some scenarios with low disk space and customized retention configuration, logs and indexes may be deleted contrary to the configuration. In some cases, logs are not forwarded when log forwarding is enabled on a Log server machine.
PRJ-633, PRJ-2897 | SecureXL | Debug messages are not printed when running "fwaccel dbg -m adp all" and sending multicast packets through the Security gateway.
PRJ-898, GAIA-4855 | VSX | When SecureXL and IPS are enabled on VS connected to VR, HTTP traffic does not pass the internal Host.
PRJ-2371, PRJ-2358 | Gaia OS | CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.

     

Installation instructions

Procedure:

    • Instructions for installation in Gaia Portal - using CPUSE (Check Point Update Service Engine)

      • Offline installation

        Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").

        1. Install the latest build of CPUSE Agent from sk92449.
        2. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
        3. In the upper right corner, click on the Import Package button.
        4. In the Import Package window, click on Browse... - select the CPUSE package (either offline TGZ file, or exported TAR file) - click on Import.
        5. Above the list of all software packages, click on the Showing Recommended packages button - select All.
        6. Select the imported package Check Point R80.30 Jumbo hotfix T<number> for sk153152 - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
        7. Select this package and click on Install Update button on the toolbar.


    • Instructions for installation in Gaia Clish - using CPUSE (Check Point Update Service Engine)

      For detailed installation instructions, refer to CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".

      • Offline installation

        Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").

        1. Install the latest build of CPUSE Agent from sk92449.
        2. Connect to command line on target Gaia OS.
        3. Log in to Clish.
        4. Acquire the lock over Gaia configuration database:
          HostName:0> lock database override
        5. Import the package from the hard disk:
          HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
        6. Show the imported packages:
          Note: Refer to the top section "Hotfixes" - refer to "Check Point R80.30 Jumbo hotfix T<number> for sk153152"
          HostName:0> show installer packages imported
        7. Verify that this R80 Jumbo Hotfix Accumulator package can be installed without conflicts:
          HostName:0> installer verify <Package_Number>
        8. Install the imported package:
          HostName:0> installer install <Package_Number>

     

Uninstall instructions

Important Note: This Jumbo Hotfix Accumulator removes all its packages during uninstall.

Procedure:

    • Instructions for uninstall in Gaia Portal - using CPUSE (Check Point Update Service Engine)

      1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
        Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
      2. Connect to the Gaia Portal on your Gaia machine and navigate to the 'Upgrades (CPUSE)' section - click on 'Status and Actions'.
      3. Above the list of all software packages, click on the 'Showing Recommended packages' button - select 'All'.
      4. Right-click on the Jumbo Hotfix Accumulator package - click on 'Uninstall'.
      5. A warning will be displayed that after this uninstall, the machine will be automatically rebooted.
        Click on 'OK' to start the uninstall.


    • Instructions for uninstall in Gaia Clish - using CPUSE (Check Point Update Service Engine)

      1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
        Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
      2. Connect to command line on Gaia OS.
      3. Log in to Clish.
      4. Acquire the lock over Gaia configuration database:
        HostName:0> lock database override
      5. Uninstall the package:
        HostName:0> installer uninstall <Package_Number>
        Note: The progress (in per cent) will be displayed in Clish.
      6. Machine will be rebooted automatically.


     

List of replaced files

List of files replaced by this Jumbo Hotfix Accumulator can be provided upon request by Check Point Support.


Revision History

Date | Description
03 Sep 2019 | Released Take 50 of R80.30 Jumbo Hotfix Accumulator
01 Sep 2019 | Released Take 48 of R80.30 Jumbo Hotfix Accumulator
14 Aug 2019 | SmartConsole package has been updated to Build 08
04 Aug 2019 | Take 19 of R80.30 Jumbo Hotfix Accumulator is now in General Availability
02 July 2019 | First release of R80.30 Jumbo Hotfix Accumulator (Take 19)
