Support Center > Search Results > SecureKnowledge Details
Jumbo Hotfix Accumulator for R80.20SP

Table of Contents:

  • Introduction
  • Availability
  • Important Notes
  • List of resolved issues per Take
  • Installation Instructions
  • List of replaced files
  • Revision History


R80.20SP Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues for products running R80.20SP.

This Incremental Hotfix and article are updated periodically with new fixes.

The list of resolved issues below describes each resolved issue and provides the Take number in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). The date on which this take was made available is listed near the Take's number.

Important: Upgrade of CPUSE Agent is not supported on R80.20SP version for chassis and Maestro products


General Availability Take:

Take_121 is the latest R80.20SP Jumbo Hotfix Accumulator General Availability release.

Product Take Date CPUSE Offline Package
Gateway Take_121 
31 July 2019
Orchestrator (TGZ)

Ongoing Take:

Product Take Date CPUSE Offline Package
Gateway Take_163
10 Sep 2019
Orchestrator (TGZ)


Important Notes

  1. Each of the Jumbo Hotfix Accumulator Takes is based on Check Point R80.20SP.
  2. This Jumbo Hotfix Accumulator must be installed only after the successful completion of the Gaia First Time Configuration Wizard and a reboot.
  3. For Gateway installation: All CPUSE commands must be run via gclish shell only. 
  4. To check the Take number of the currently installed R80.20SP Jumbo Hotfix Accumulator (if it is installed), refer to the last section of the following command: [Expert@HostName:0]# asg_provision


List of resolved issues per Take

Enter the string to filter this table:

ID Product(s) Description
Take 163 (10 Sep 2019)
MBS-6460 Maestro  Added support for Dual Site deployment. You can deploy two Maestro Hyperscale Orchestrators on each physical site and connect the sites to each other. The sites synchronize both connections and configuration. Refer to the Known Limitations in the "Dual Site Deployment" section of sk148074 - Check Point Maestro Known Limitations
MBS-6577 General   Enhancement: Output of the 'asg_provision' command now shows SGM IDs in the headline.
MBS-5386 General Output of the 'asg_conns -b <SGM IDs> -6' command shows "IPv6 not enabled" even though it is enabled on the chassis.
MBS-6865 General The 'asg if' command shows "(NA)/(NA)" (instead of "(up)/(up)") in the "Link State" column for the ethX-MgmtY interfaces.
MBS-5710 General   The gClish command 'installer verify' shows "Action was aborted" if a CPUSE package was not imported on all members.
MBS-6510 General The 'asg_provision' command fails when there is an inconsistency between members in the installed Hotfixes / Jumbo Hotfix Accumulators.
MBS-6757 Maestro - General The gClish 'installer' commands fail with "expected integer but got <XX>" when explicitly specifying "member_ids" <site_id>-08 or <site_id>-09.
MBS-5913 Maestro - General Output of the 'cores_verifier' command does not show any information in the "Ppak core affinity on all SGMs is" section.
MBS-7246 Maestro - General Minimized the amount of packet drops during the reboot of Maestro Hyperscale Orchestrators. 
MBS-5381 Chassis - General
Maestro - General 
Output of the 'asg perf -p' command always shows the value "0" in the "VPN Performance" section > "VPN connections" counter.
MBS-7247 Chassis - General
Maestro - General
Output of the 'config_verify -v' command shows "Performing xfer files verification... Failed!" for the $FWDIR/conf/te_attributes.conf file. 
Chassis - General
Maestro - General
Output of the 'asg diag' command shows that the /etc/sysconfig/image.md5 file is not identical on all the SGMs.
MBS-6610 Gaia Output of the 'asg_perf_hogs' command incorrectly shows the status "FAILED" for the "Kernel soft lockups" test if the year has changed recently on the system.
MBS-7136 Maestro Gaia - OS  Failure to log in on Security Appliances after removing them from a Security Group. 
Maestro - Cluster
When running the 'clusterXL_admin' command, the output might incorrectly show "Operation failed: member is not down, run 'cphaprob list' for further details".
MBS-7332 Maestro - Security Groups  Improved stability of Security Appliances when they are added to a Security Group with configured "fw samp" rules.
MBS-7237 Maestro -Hardware Security Appliance may fail to revert to factory default (which must happen by design) when removing it from a Security Group.
Chassis - Hardware
Maestro - Hardware
Output of the 'smo verifiers report name "SSD Health"' command shows "Warning: SSD attributes getting towards low threshold".
MBS-6548 Chassis - Hardware Enhancement: Added support for 10G SFP transceiver for SSM160 (BTI10GSRSFPP). 
MBS-6530 Chassis - Hardware
On 64000 Scalable Platforms, the output of the 'asg stat -v' command shows "0" PSUs and "0" Fans, if only PSU 5 and PSU 6 are used.
MBS-6544 Chassis - Hardware  The "Dot3ahErrorAggregation: The threshold for the frame error was exceeded on port X/Y/Z" message appears repeatedly in SSM logs.
Take 121 (31 July 2019)
General Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 87 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-6157 General & Maestro The 'asg_local_arp_verifier' command might show "Error: Problem found in configuration" even though the $FWDIR/conf/local.arp files contain the same, correct configuration on all Security Group members.
MBS-6613 General & Maestro The "asg diag verify" test, called "Security Group," fails with the "DB/Kernel/Configuration differ" message even though the Security Group configuration is correct on all members (as reported by the 'security_group_util diag' command).
MBS-6359 General & Maestro "Did not find any new packages" message may appear in the output of the 'installer install' command when the user installs the R80.20SP Jumbo Hotfix Accumulator.
MBS-6706 General & Maestro IPv6 traffic might fail to pass over a Bond interface. 
MBS-6834 SecureXL & Maestro Security Group members do not pull the SecureXL configuration from the $PPKDIR/conf/simkern.conf file on the SMO.
MBS-5975 Maestro (Cluster)  After the user deletes a Security Appliance from a Security Group, the 'cphaprob stat' command might still show that Security Appliance (member).
MBS-6693 Maestro (Orchestrator)  The 'set maestro security-group apply-new-config' command fails with the error "NMSSG0429 can't read "output": no such variable" after the user deletes all Security Groups in Gaia Clish on a Maestro Orchestrator.
MBS-7032 Maestro (Orchestrator) Maestro Orchestrator's Gaia Portal shows the status "No connectivity" for Downlinks if the Maestro Orchestrator cannot detect the Security Appliance at this time.

Example (click to enlarge image):

MBS-6640 Maestro (Orchestrator)   Maestro Orchestrator logs are now written into the /var/log/maestro.log file instead of the /var/log/messages file on the Maestro Orchestrator.
MBS-6700 Maestro (Orchestrator) Improved stability of the lldpd daemon on Maestro Orchestrator.
MBS-6758 Maestro (Orchestrator) "Failed to get Orchestrators interfaces" error in Maestro Orchestrator's Gaia Portal in case the Maestro Orchestrator fails to resolve its "Orchestrator ID".
MBS-5807 Maestro (Orchestrator) Maestro Orchestrator's Gaia Portal now shows Downlinks that are in the Up state only.

Example 1 - The "Unassigned Gateways" pane (click to enlarge image):

Example 2 - The tooltip when the mouse cursor hovers over a Security Appliance (click to enlarge image):

MBS-7039 Maestro (Security Groups) If Security Appliances are removed from a Security Group and then added back to the same/other Security Group, some of these Security Appliances may remain out of the Security Group (appear as "DETACHED").
Take 105 (01 July 2019)
MBS-6494 Maestro / Gaia OS  The output of the 'config_verify -v' command shows "Configuration files inconsistent" for the /boot/grub/grub.conf file. 
MBS-5702 General Added support for the image auto-clone feature (set smo image auto-clone state on) that lets a remote SGM clone SMO images.
MBS-6269 General When the user runs the 'tcpdump' command with the '-mcap' flag in global mode (with either the 'tcpdump -mcap' command in gClish, or the '_g_tcpdump -mcap_' command in Expert mode), the command deletes all copies of the packet captures on the peer members.
MBS-5488 Gaia OS The Gaia Clish / Gaia gClish command 'snapshot_recover' is not supported.
MBS-6624 Gaia OS  CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.
MBS-6306 VSX Log Server Distribution (asg_log_servers) is not supported on 40000 / 60000 chassis.
VSX Reverting a chassis in VSX mode to a snapshot might cause an additional reboot.
MBS-5636 VSX A reset of the SIC between the Scalable Platform or Maestro Security Appliance in VSX mode and the Management Server might cause the non-SMO members to change their state to DOWN. To recover, reboot the non-SMO members.
MBS-5864 Cluster In Dual Chassis, the user must install policy after changing the mode of a bond interface (for example, from XOR to 802.3AD), so that the bond interface is monitored by the cluster.
MBS-5610 SecureXL  An Accelerated SYN Defender configuration made with the 'fwaccel synatk' / 'fwaccel6 synatk' commands might not be applied on non-SMO members.
MBS-5837 Logging  The "distribution calculation completed successfully" message in Syslog is shown with an "Alert" priority instead of a "Notice" priority .
MBS-5595 Maestro (General) When the user adds a large number of Security Appliances at once to a Security Group in Orchestrator's Gaia Portal, it might disconnect with the message "Unable to connect to the server. Press OK to reconnect."
MBS-5849 Maestro (General)  Improved stability of the ssm_pmd process on Maestro Orchestrator.
MBS-6090 Maestro (General)  The cpdiag tool now supports Security Appliances.
MBS-5749 Maestro (Performance) After the user installs a Jumbo Hotfix Accumulator on a 23900 appliance connected to a Maestro Orchestrator, the Hyper-Threading (SMT) feature will be disabled by default.
MBS-6073 Maestro (Performance) Improved traffic distribution on Maestro Security Appliances. 

Maestro (Gaia)

On Maestro Security Appliances, Gaia gClish shows "KERLAG0029 Interface ethX-Mgmt4 cant be changed to state off" when the user runs the 'delete bonding group [ID] interface ethX-Mgmt4' command. 
MBS-6121 Maestro (Gaia)  On Maestro Orchestrator, the settings made with the following commands are not applied:
  • 'set maestro security-group id management-connectivity ...'
  • 'set maestro security-group id ftw-configuration ... '
MBS-5652 Maestro (Gaia)  On Maestro Orchestrator, a Gaia OS backup might fail due to low disk space (because large log files are not rotated).
MBS-5457 Maestro (VSX) If after creating a new Virtual System object, policy installation on a Security Group object fails with "Error code: 0-2000240", wait 2-3 minutes and install the policy again.
MBS-5592 Maestro (VSX) When creating a VSX Gateway object in SmartConsole, it recognizes only the interfaces that were assigned to the Security Group before the First Time Wizard.
MBS-6082 Maestro (VSX) When creating a VSX Gateway object in SmartConsole, it does not show the physical interfaces on which the VLAN interfaces were created and assigned to the Security Group. Example: The VLAN interface eth1-05.5 was assigned to the Security Group. The VSX Gateway object in SmartConsole does not show the physical interface eth1-05.
MBS-5104 Maestro (Networking) You can only connect one DAC / Fiber cable between a Quad Port Card on an Appliance and each Maestro Hyperscale Orchestrator. Connecting two cables between a Quad Port Card on an Appliance and each Maestro Hyperscale Orchestrator is not supported.
MBS-5927 Maestro (Cluster)  Improved the internal process of creating a Security Group in Maestro Orchestrator's Gaia Portal when the option "Set FTW configuration" is selected.
MBS-5594 Maestro (Cluster)  Security Appliances show the link state on ports as Down, while the Maestro Orchestrator shows the link state on these ports as Up.
MBS-5557 Maestro (Multi-Queue)   The output of the 'cpmq get -v' command shows an incorrect Multi-Queue configuration (the 'rx_num' does not show the expected value) in the following scenario:
  1. On Maestro Orchestrator, created a new Security Group, but in the First Time Wizard, did not select the option "Install as VSX".
  2. In SmartConsole, configured the SMO as a VSX Gateway.
  3. Installed the policy.
MBS-5838 Maestro (Hardware) On Maestro Security Appliances, the 'asg stat -v' command now monitors the ethX-08 interfaces.
MBS-5701 Maestro (Hardware) Added the ability to configure the Maestro Orchestrator port's QSFP mode to 1 GbE in the Gaia Clish.
- Maestro (Hardware) 23900 appliances support Maestro beginning in Jumbo Hotfix Accumulator Take 105.
MBS-6099 Maestro (Licensing) A Maestro Security Appliance that was removed from a Security Group and then added back to the same Security Group might not pull the license from the existing members of the Security Group. As a result, this Security Appliance remains in the DOWN state. 


Installation Instructions

List of Replaced Files

To receive a list of files replaced by this Jumbo Hotfix Accumulator, contact Check Point Support.

Revision History

Show / Hide revision history

Date Description
10 Sep 2019 Release of Take 163
31 July 2019 Release of Take 121
01 July 2019 Release of Take 105

Give us Feedback
Please rate this document