Support Center > Search Results > SecureKnowledge Details
Jumbo Hotfix Accumulator for R80.20SP

Table of Contents:

  • Introduction
  • Availability
  • Important Notes
  • List of resolved issues per Take
  • Installation Instructions
  • List of replaced files
  • Revision History


R80.20SP Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues for products running R80.20SP.

This Incremental Hotfix and article are updated periodically with new fixes.

The list of resolved issues below describes each resolved issue and provides the Take number in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). The date on which this take was made available is listed near the Take's number.

Important: Upgrade of CPUSE Agent is not supported on R80.20SP version for chassis and Maestro products


General Availability Take:

Take_105 is the latest R80.20SP Jumbo Hotfix Accumulator General Availability release.

Product Take Date CPUSE Offline Package
Gateway Take_105 
01 July 2019
Orchestrator (TGZ)

Ongoing Take:

Product Take Date CPUSE Offline Package
Gateway Take_121
31 July 2019
Orchestrator (TGZ)


Important Notes

  1. Each of the Jumbo Hotfix Accumulator Takes is based on Check Point R80.20SP.
  2. This Jumbo Hotfix Accumulator must be installed only after the successful completion of the Gaia First Time Configuration Wizard and a reboot.
  3. For Gateway installation: All CPUSE commands must be run via gclish shell only. 
  4. To check the Take number of the currently installed R80.20SP Jumbo Hotfix Accumulator (if it is installed), refer to the last section of the following command: [Expert@HostName:0]# asg_provision


List of resolved issues per Take

Enter the string to filter this table:

ID Product(s) Description
Take 121 (31 July 2019)
General Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 87 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-6157 General & Maestro The 'asg_local_arp_verifier' command might show "Error: Problem found in configuration" even though the $FWDIR/conf/local.arp files contain the same, correct configuration on all Security Group members.
MBS-6613 General & Maestro The "asg diag verify" test, called "Security Group," fails with the "DB/Kernel/Configuration differ" message even though the Security Group configuration is correct on all members (as reported by the 'security_group_util diag' command).
MBS-6359 General & Maestro "Did not find any new packages" message may appear in the output of the 'installer install' command when the user installs the R80.20SP Jumbo Hotfix Accumulator.
MBS-6706 General & Maestro IPv6 traffic might fail to pass over a Bond interface. 
MBS-6834 SecureXL & Maestro Security Group members do not pull the SecureXL configuration from the $PPKDIR/conf/simkern.conf file on the SMO.
MBS-5975 Maestro (Cluster)  After the user deletes a Security Appliance from a Security Group, the 'cphaprob stat' command might still show that Security Appliance (member).
MBS-6693 Maestro (Orchestrator)  The 'set maestro security-group apply-new-config' command fails with the error "NMSSG0429 can't read "output": no such variable" after the user deletes all Security Groups in Gaia Clish on a Maestro Orchestrator.
MBS-7032 Maestro (Orchestrator) Maestro Orchestrator's Gaia Portal shows the status "No connectivity" for Downlinks if the Maestro Orchestrator cannot detect the Security Appliance at this time.

Example (click to enlarge image):

MBS-6640 Maestro (Orchestrator)   Maestro Orchestrator logs are now written into the /var/log/maestro.log file instead of the /var/log/messages file on the Maestro Orchestrator.
MBS-6700 Maestro (Orchestrator) Improved stability of the lldpd daemon on Maestro Orchestrator.
MBS-6758 Maestro (Orchestrator) "Failed to get Orchestrators interfaces" error in Maestro Orchestrator's Gaia Portal in case the Maestro Orchestrator fails to resolve its "Orchestrator ID."
MBS-5807 Maestro (Orchestrator) Maestro Orchestrator's Gaia Portal now shows Downlinks that are in the Up state only.

Example 1 - The "Unassigned Gateways" pane (click to enlarge image):

Example 2 - The tooltip when the mouse cursor hovers over a Security Appliance (click to enlarge image):

MBS-7039 Maestro (Security Groups) If Security Appliances are removed from a Security Group and then added back to the same/other Security Group, some of these Security Appliances may remain out of the Security Group (appear as "DETACHED").
Take 105 (01 July 2019)
MBS-6494 Maestro / Gaia OS  The output of config_verify -v command shows "Configuration files inconsistent" for the /boot/grub/grub.conf file. 
MBS-5702 General Added support for the image auto-clone feature (set smo image auto-clone state on) that lets a remote SGM clone SMO images.
MBS-6269 General When the user runs the 'tcpdump' command with the '-mcap' flag in global mode (with either the 'tcpdump -mcap' command in gClish, or the '_g_tcpdump -mcap_' command in Expert mode), the command deletes all copies of the packet captures on the peer members.
MBS-5488 Gaia OS The Gaia Clish / Gaia gClish command 'snapshot_recover' is not supported.
MBS-6624 Gaia OS  CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.
MBS-6306 VSX Log Server Distribution (asg_log_servers) is not supported on 40000 / 60000 chassis.
VSX Reverting a chassis in VSX mode to a snapshot might cause an additional reboot.
MBS-5636 VSX A reset of the SIC between the Scalable Platform or Maestro Security Appliance in VSX mode and the Management Server might cause the non-SMO members to change their state to DOWN. To recover, reboot the non-SMO members.
MBS-5864 Cluster In Dual Chassis, the user must install policy after changing the mode of a bond interface (for example, from XOR to 802.3AD), so that the bond interface is monitored by the cluster.
MBS-5610 SecureXL  An Accelerated SYN Defender configuration made with the 'fwaccel synatk' / 'fwaccel6 synatk' commands might not be applied on non-SMO members.
MBS-5837 Logging  The "distribution calculation completed successfully" message in Syslog is shown with an "Alert" priority instead of a "Notice" priority .
MBS-5595 Maestro (General) When the user adds a large number of Security Appliances at once to a Security Group in Orchestrator's Gaia Portal, it might disconnect with the message "Unable to connect to the server. Press OK to reconnect."
MBS-5849 Maestro (General)  Improved stability of the ssm_pmd process on Maestro Orchestrator.
MBS-6090 Maestro (General)  The cpdiag tool now supports Security Appliances.
MBS-5749 Maestro (Performance) After the user installs a Jumbo Hotfix Accumulator on a 23900 appliance connected to a Maestro Orchestrator, the Hyper-Threading (SMT) feature will be disabled by default.
MBS-6073 Maestro (Performance) Improved traffic distribution on Maestro Security Appliances. 

Maestro (Gaia)

On Maestro Security Appliances, Gaia gClish shows "KERLAG0029 Interface ethX-Mgmt4 cant be changed to state off" when the user runs the 'delete bonding group [ID] interface ethX-Mgmt4' command. 
MBS-6121 Maestro (Gaia)  On Maestro Orchestrator, the settings made with the following commands are not applied:
  • set maestro security-group id management-connectivity ...
  • set maestro security-group id ftw-configuration ... 
MBS-5652 Maestro (Gaia)  On Maestro Orchestrator, a Gaia OS backup might fail due to low disk space (because large log files are not rotated).
MBS-5457 Maestro (VSX) If after creating a new Virtual System object, policy installation on a Security Group object fails with "Error code: 0-2000240", wait 2-3 minutes and install the policy again.
MBS-5592 Maestro (VSX) When creating a VSX Gateway object in SmartConsole, it recognizes only the interfaces that were assigned to the Security Group before the First Time Wizard.
MBS-6082 Maestro (VSX) When creating a VSX Gateway object in SmartConsole, it does not show the physical interfaces on which the VLAN interfaces were created and assigned to the Security Group. Example: The VLAN interface eth1-05.5 was assigned to the Security Group. The VSX Gateway object in SmartConsole does not show the physical interface eth1-05.
MBS-5104 Maestro (Networking) You can only connect one DAC / Fiber cable between a Quad Port Card on an Appliance and each Maestro Hyperscale Orchestrator. Connecting two cables between a Quad Port Card on an Appliance and each Maestro Hyperscale Orchestrator is not supported.
MBS-5927 Maestro (Cluster)  Improved the internal process of creating a Security Group in Maestro Orchestrator's Gaia Portal when the option "Set FTW configuration" is selected.
MBS-5594 Maestro (Cluster)  Security Appliances show the link state on ports as Down, while the Maestro Orchestrator shows the link state on these ports as Up.
MBS-5557 Maestro (Multi-Queue)   The output of the 'cpmq get -v' command shows an incorrect Multi-Queue configuration (the 'rx_num' does not show the expected value) in the following scenario:
  1. On Maestro Orchestrator, created a new Security Group, but in the First Time Wizard, did not select the option "Install as VSX."
  2. In SmartConsole, configured the SMO as a VSX Gateway.
  3. Installed the policy.
MBS-5838 Maestro (Hardware) On Maestro Security Appliances, the 'asg stat -v' command now monitors the ethX-08 interfaces.
MBS-5701 Maestro (Hardware) Added the ability to configure the Maestro Orchestrator port's QSFP mode to 1 GbE in the Gaia Clish.
- Maestro (Hardware) 23900 appliances support Maestro beginning in Jumbo Hotfix Accumulator Take 105.
MBS-6099 Maestro (Licensing) A Maestro Security Appliance that was removed from a Security Group and then added back to the same Security Group might not pull the license from the existing members of the Security Group. As a result, this Security Appliance remains in the DOWN state. 


Installation Instructions

List of Replaced Files

A list of files replaced by this Jumbo Hotfix Accumulator can be provided upon request by Check Point Support.

Revision History

Show / Hide revision history

Date Description
31 July 2019 Release of Ongoing Take 121
01 July 2019 Release of General Availability Take 105

Give us Feedback
Please rate this document