Support Center > Search Results > SecureKnowledge Details
Jumbo Hotfix Accumulator for R80.20SP Technical Level

Table of Contents:

  • Introduction
  • Availability
  • Important Notes
  • List of resolved issues per Take
  • Installation Instructions
  • List of replaced files
  • Revision History


R80.20SP Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues for products running R80.20SP.

This Incremental Hotfix and article are updated periodically with new fixes.

The list of resolved issues below describes each resolved issue and provides the Take number in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). The date on which this take was made available is listed near the Take's number.

Important: Upgrade of CPUSE Agent is not supported on R80.20SP version for chassis and Maestro products.


General Availability Take:

Product  Take Date CPUSE Offline Package
Orchestrator Take_295 19 August 2020 (TGZ)
Maestro Gateway Take_295 30 September 2020 (TGZ)
Chassis Gateway

Ongoing Take:

Product  Take Date CPUSE Offline Package
Orchestrator Take_304 2 November 2020 (TGZ)
Maestro Gateway Take_304 2 November 2020 (TGZ)
Chassis Gateway


Important Notes

  1. Each of the Jumbo Hotfix Accumulator Takes is based on Check Point R80.20SP.
  2. This Jumbo Hotfix Accumulator must be installed only after the successful completion of the Gaia First Time Configuration Wizard and a reboot.
  3. For Gateway installation: All CPUSE commands must be run via gclish shell only. 
  4. To check the Take number of the currently installed R80.20SP Jumbo Hotfix Accumulator (if it is installed), refer to the last section of the following command: [Expert@HostName:0]# asg_provision

Resolved Issues per Take

Enter the string to filter the below table:

ID Product(s) Description
Take 304 (2 November 2020)
MBS-11953 General Added support for the Threat Extraction Software Blade in VSX mode. 
MBS-12216 General Updated the Check Point Support Data Collector (CPSDC, see sk164414) not to collect unnecessary log files.
MBS-12217 General Updated the Check Point Support Data Collector (CPSDC, see sk164414):
  • By default, the CPSDC scripts collect the data from Security Group Members that are in the UP state and those that are in the DOWN state.
  • Added a new flag "exclude-down" to collect the data only from Security Group Members that are in the UP state.
  • Removed the "include-down" flag.
MBS-11956 General These Gaia gClish commands do not take effect on all Security Group Members: 
  • set user <username> password-hash
  • set user <username> force-password-change
MBS-12280 General If the IPSec Software Blade is disabled, this message appears repeatedly in the /var/log/messages file:
fwhandle_get(fwvpn.c:4288): Table kbufs - Invalid handle XXX (bad pool)
MBS-12362 Chassis & Maestro The CPD daemon consumes CPU at 100%.
To resolve this issue, the SNMP OID 'asgVSXDropTable' ( was removed from the $CPDIR/lib/snmp/chkpnt.mib file.
As a result, it is no longer possible to get information over SNMP about dropped packets by Virtual Systems.
This issue applies to:
  • VSX mode
  • R80.20SP Jumbo Hotfix Accumulator Take 302
MBS-11953 Chassis In a rare scenario, under a heavy load on the CPU cores that run SecureXL on SGM400, a traffic outage can occur when the i40e driver becomes unresponsive and resets itself (see sk170002).
MBS-10924 Maestro Major enhancement for configuration of VLAN interfaces on Maestro Orchestrators. See sk170294
MBS-11899 Maestro Reduced the memory consumption on Maestro Orchestrators.
MBS-6084 Maestro To support asymmetric connections, it is necessary to enable the cluster synchronization in the corresponding service's properties (Advanced pane > in the Cluster and synchronization section, select Synchronize connections if Synchronization is enabled on the cluster > install policy). 
MBS-12314 Maestro It is now possible to add these Check Point Appliance models to the same Security Group:
  • 26000 Turbo and 28000 Plus
  • 6900 Turbo and 7000 Plus
Important Note: All the Security Appliances assigned to the same Security Group must have identical Memory size and Hard Disk size.
Take 302 (05 October 2020)
MBS-11443 General The "config_verify -v" command shows "Performing xfer files verification... Failed!" because the /etc/smo_uptime files are not identical on all Security Group members.
MBS-11780 General The Gaia gClish command "add backup-scheduled name <Name> local" fails with "Segmentation fault (core dumped)". See sk168913
MBS-11892 General Non-SMO members of a Security Group can enter a reboot loop after the user installs Take 295 of the R80.20SP Jumbo Hotfix Accumulator. See sk169515.
MBS-10748 General Added support for the new SNMP OID Total number (from all cluster members) of packets dropped by a security policy on the Security Gateway or specified VSX Virtual System.

Note: You must use SNMP v3 in the VS mode as described in sk90860.
MBS-10123 General Added support for the new SNMP OIDs to get performance statistics from VSX Virtual Systems.

Configuration in expert mode:
  1. Run: g_all "vsx resctrl monitor enable"
  2. Run: g_all "vsx mstat enable"
  3. Run: g_all "reboot"
Configuration in Gaia gClish:
       4. Configure SNMP v3 in the VS mode as described in sk90860.

SNMP OIDs - statistics from the specified Virtual System, statistics from each cluster member:
  • Number of concurrent connections -*
  • Physical memory -*
  • CPU usage -*
  • Packet rate -*
  • Throughput -*
  • Interface packet rate -*
  • Total number of dropped packets -*
  • Connection rate -*
  • Virtual memory -*
SNMP OIDs - statistics from the specified Virtual System, total statistics from all cluster members:
  • Total number of concurrent connections -
  • Total packet rate -
  • Total throughput -
  • Total number of dropped packets -
  • Total connection rate -
MBS-11765 General Gaia users other than the 'admin' cannot use SCP to connect to a Security Group Member, even if the default shell '/bin/bash' and the 'admin' role are configured.
MBS-11674 General Fetching packet capture from a violation log in SmartConsole fails with the error "Failed at getting the incident file from the gateway".
MBS-11806 General On VSX Cluster Members, the last octet of the MAC address on WRP interfaces is wrongly set based on the Global VMAC instead of the MAC Magic value.
MBS-12049 General Security Group member reboots in a loop after installing R80.20SP JHF Take 295, if IPv6 was enabled.
  • This issue applies to Take 295 released before 30 September 2020.
  • Take 295 released on 30 September 2020 resolves this issue.
MBS-11764 General The output of the "show smo verifiers" command shows that the "ARP Consistency" test fails. This issue was caused by an unused padding in the kernel table 'arp_table'.
MBS-11821 General The output of "asg diag" shows that a test failed because the $CPDIR/conf/skip_interfaces.conf file is not identical on Security Group Members. See sk169873
MBS-11367 General In rare cases, a Security Group member can crash (with the message "Entering kdb") during the installation of the R80.20SP Jumbo Hotfix Accumulator.
MBS-12001 General On VSX Cluster Members, VMAC address is set on WRP interfaces in the Decimal format instead of the Hexadecimal format.
MBS-9767 General VPN IKE packets are forwarded to a Security Group member even after its state changes to "Down".
MBS-10768 General The output of the "asg diag verify" command shows that the Proxy ARP test fails because the local.arp files are not consistent on Security Group Members.
MBS-4414 General While a Security Group member reboots, some existing connections can fail on the Security Group. See sk169765
MBS-2832 General Logs for session connections, generated by Software Blades on Scalable Platforms R80.20SP, do not show the SGM ID.
MBS-11831 General After installing Take 295 of the R80.20SP Jumbo Hotfix Accumulator, Gaia Clish commands for Dynamic Routing fail with these errors (see sk169232):
  • RTGRTG0019 source_tclfile(rtgmisc.tcl)
  • RTGRTG0019 tclproc: invalid command name <command>
MBS-11227 Chassis Scalable Platform automatically collects statistics and data in the /var/log/ssm_failure_reports/ directory in these cases:
  • An SSM enters the management loss state (see sk145792).
  • An SSM goes down.
MBS-11777 Chassis If the kernel parameters 'fw_reject_non_syn' and 'fw_reject_out_of_state_syn_resp' are enabled, and an administrator makes changes in SSM configuration (for example, adding a new interface to a Security Group), then Security Group Members can flood the chassis with reject packets.
MBS-10744 Maestro The "show maestro port X/Y/Z optic-info" command incorrectly returns "Not supported" for Check Point supported transceivers.
MBS-11844 Maestro In a Dual Site deployment, when one of the Maestro Orchestrators boots up on one of the sites, both sites might become active for a short time.
MBS-11611 Maestro The REST API server may remain down on the Maestro Orchestrator if it was forcefully unplugged from the electricity.
MBS-11847 Maestro It is now possible to add 16000 Turbo and 16200 Plus Security Appliance models to the same Security Group.

: All Security Appliances within the same Security Group must have an identical Memory size and HD size. 
PRJ-10396, MBS-12023 Maestro In some scenarios, transmit queues may stop, causing packet loss.

Applies to these Line Cards on Security Appliances:
  • 40 GbE Fiber card (CPAC-2-40F-B)
  • 100 GbE Fiber card (CPAC-2-100/25F-B)
Take 295 (19 August 2020, GA from 30 September 2020)
MBS-11071 General Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 161 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-11633 General UserCheck Portal does not work on a VSX Gateway after the user installs the R80.20SP Jumbo Hotfix Accumulator.
This applies to Take 279 to Take 283 (see sk168754). 
MBS-10095 General VPN outage when a Check Point Security Gateway renegotiates IPsec with a 3rd party VPN peer.
MBS-10263 General Clear packets that should be encrypted are not forwarded between Security Group members from interfaces whose MAC addresses start with the hexadecimal digits 02 (example: 02:AB:CD:EF:12:34).
MBS-11388 General The 'asg diag' command does not add failed tests to the Message Of The Day (MOTD) if the names of these failed tests contain a hyphen (for example, "Multi-Queue").
MBS-11177 General Terminal Escape Sequences appear around the "OK" and "FAILED" statuses of Software Blade verifications in the summary file, which the 'asg diag' command creates.
Note: These Terminal Escape Sequences add color to the status text.
MBS-11085 General The "Hits" counter value in the SmartConsole rulebase does not update when traffic reaches a non-SMO Security Group member. 
MBS-11359 General After every change to VSX objects in SmartConsole and pushing of VSX configuration, the output of the 'ps -auxw' command on the VSX Gateway / VSX Cluster Members shows the "[gzip] <defunct>" processes.
MBS-11427 General Improved stability of the FWD daemon when adding or deleting "fw samp" rules.
MBS-11295 General IPv6 traffic outage during cluster fail-overs. 
MBS-11375 General Memory leak in the stateless correction flows (example: local connections that pass through the Mgmt interface of a Security Group, like a connection from a non-SMO member of a Security Group to the Management Server).
MBS-10092 General Added new SNMP OIDs for Maestro Hyperscale Orchestrators in the chkpnt.mib file (the new branch "mho" with the OID .
  • . - Statistics for ports
    • . - RX statistics for ports
    • . - TX statistics for ports
    • . - RX buffer statistics for ports
    • . - State of ports (logical port ID, physical port / port label ID, link state, admin state, speed)
    • . - Summary information for ports (logical port ID, physical port / port label ID, link state, admin state, speed, RX statistics, TX statistics)
  • . - Number of ACL rule memory entries
    • . - Number of used ACL rule memory entries
    • . - Total number of ACL rule memory entries
    • . - Number of free/unused ACL rule memory entries
MBS-11397 Chassis Added support for 40G SFP transceiver for SSM440 (BTI40GSRQSFPP).
MBS-11063 Chassis & Maestro Security Group Members are now able to synchronize their Fast Acceleration rules (sk156672) with those on the SMO Security Group Member and load them without reboot.
MBS-11175 Maestro The 'asg_bond -v' command does not validate LACP system ID received from switches.
MBS-11283 Maestro Improved the stability of Gaia Clish operations on Security Groups topology on Maestro Orchestrators.
Take 283 (02 July 2020)
MBS-10870 General The '$SMODIR/bin/coredumps_bt' command shows the message "In order to use gdb, please run: /opt/CPsmo-R80.20/bin/debug_tools/install_debug_tools".
MBS-10921 General The autocomplete for the Gaia Clish command 'show bonding group <Group_ID>' shows "Sorry, no help available here" for the "interfaces" option.
MBS-6708 General When interrupting the 'asg_perf_hogs' command with the CTRL+C keys, the message on the screen shows "Operation was canceled/terminated by user" instead of "No issues were found".
MBS-10962 General Query for the SNMP OID "asgNetIfTx" (. returns inconsistent values. 
MBS-10407 General New feature:
The Custom Intelligence Feeds feature provides an ability to add custom cyber intelligence feeds into the Threat Prevention engine. It allows fetching feeds from a third-party server directly to the Security Gateway to be enforced by the Anti-Virus and Anti-Bot Software Blades. For more information, see sk132193.
Known Limitation:
When editing local source feeds, make sure to copy the edited files to all Security Group Members (with the 'asg_cp2blades <path_to_file>' command).
MBS-8473 Chassis Removed the 'ccutil reset_parity_counter' command from the code.
MBS-7630 Chassis The output of the 'asg stat vs' command in the section "Virtual System Status" shows "active chassis" in lowercase when a Virtual System is in a freeze. Now the output shows "Active chassis" with a capital letter.
MBS-11048 Chassis "KERLAG0429 cant read "set_list": no such variable" error in Gaia gClish when running the 'delete bonding group <Bond ID>' command and working with Multiple Security Groups.
MBS-11068 Chassis The output of the 'ps aux | grep defunct' command shows "vrf" processes after an SNMP query for one of these:
  • OID . - SSM CPU and RAM usage
  • OID . - SSM Ports (speed, link, packets)
The issue occurs from Take 210 of the R80.20SP Jumbo Hotfix Accumulator, in which these OIDs were added (see MBS-8719).
MBS-9798 Chassis & Maestro Fragmented packets are dropped with the "fwfrag_expires Reason: timeout has expired for fragment;" message in kernel debug.

: This issue was fixed in Gateway mode. A fix for VSX mode is planned.
MBS-11045 Maestro Improved stability of the ssm_pmd daemon when changing the QSFP mode. 
MBS-10929 Maestro "NMSSG0429 error copying "/tmp/sgdb.json": no such file or directory" in Gaia Clish on Maestro Orchestrator when modifying a Security Group topology.
MBS-10961 Maestro Maestro Orchestrator does not require a license. Therefore, this message was removed from the Gaia Portal on Maestro Orchestrator (from the Upgrades (CPUSE) > Status and Actions page):
"The trial license is currently active and will expire on <Date> <Time>".
MBS-10125 Maestro
  • Improved the stability of the sgm_pmd and lb_configd daemons.
  • Improved Security Appliance cluster stability.
MBS-10229 Gaia Added the new column "asgResourceTitle" to the SNMP Table "asgResourceTable". The new column contains the Security Group Member ID and the resource name.

Format of the output: "Site <Site-ID> Member <Member-ID> <Resource-Name>"

Example output: "Site 2 Member 1 Memory Utilization"

The SNMP OID of the new column is: asgResourceTable.1.8 (.

Note: The SNMP MIB file is $CPDIR/lib/snmp/chkpnt.mib
Take 279 (31 May 2020, GA from 30 June 2020)
MBS-10240 General Added support for the Threat Extraction blade.
Note: Does not apply to the VSX mode.
MBS-6180 General Removed the "-amw" flag from the syntax of the 'asg stat' command. Run the 'asg stat -v' command to get the required information.
MBS-10720 General Added support for secondary IPv4 addresses (aliases) on the data ports of a Security Group (Maestro and Scalable Platforms). See sk167073.
Note: This does not apply to VSX mode.
MBS-10833 General The 'asg_provision' command fails the "CVPN" test due to a different version of the CPinfo tool between the Security Group members and the SMO.
MBS-10732 Chassis The Chassis Monitor daemon (cmd) sometimes fails to retrieve the CPU temperatures due to an SNMP timeout.
MBS-10619 Chassis The test asg diag 'Software Versions' sometimes fails on CMM version mismatch due to a failure to retrieve the version from the CMM. 
MBS-10733 Chassis When restarting the active CMM (for example, with the 'ccutil restart_cmm active' command), a chassis may fail over, even if there is a Standby CMM.
MBS-5608 Chassis When the 'asg_hard_start' command is executed without the "-b <SGM_IDs>" flag, it applies to all SGMs.
Now the command's built-in help contains the description of the "-b <SGM_IDs>" flag, which allows you to run this command for the specified SGMs.
MBS-10812 Maestro The 'drop_monitor' command fails with "Got JSON status failed from blade . Error: Error - Was not able to get driver type._"
MBS-10757 Maestro After installation of the R80.20SP Jumbo Hotfix Accumulator Take 274, Maestro Security Appliances may fail to boot.
MBS-10600 Maestro The Check Point Support Data Collector (CPSDC) Tool (sk164414) now collects additional files and command outputs.
MBS-10506 Maestro If a Bond interface that is assigned to a Security Group is configured in the 802.3AD (LACP) mode, packet loss might occur on a Security Appliance when the Security Appliance becomes active after a reboot.
MBS-10763 Gaia When a Linux password is changed for a user on a Security Group member, it is not updated on other Security Group members.
Take 273 (04 May 2020)
MBS-9910 General Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 141 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-10630 General Improved stability of the lb_configd daemon. 
MBS-10289 General Remote Access Clients fail to connect to the VPN Gateway with the error "Negotiation with site failed", if the username is 6 or fewer characters long. 
MBS-10384 General Kernel memory utilization increases on non-SMO members after policy installation.
MBS-10388 General Improved the formatting in the output of the 'asw_swb_update_verifier' command for rows with "need_to_update" in the "status" column.
MBS-10384 General Kernel memory utilization increases on non-SMO members after policy installation.
MBS-10151 General The size of the dentry cache (see the output of the 'slabtop -o' command) can increase on non-SMO members during policy installation.
MBS-10418 General Enhancement: Moved the "/cpsdc_tmp/" directory from "/tmp/cpsdc_tmp/" to "/var/log/cpsdc_tmp/" (this directory contains temporary files for the Check Point Support Data Collector). 
MBS-10410 General Policy installation on a Security Gateway object fails after deleting the last configured URL with the 'url_block -d -n <URL>' command.
MBS-9949 General Corrected a spelling mistake ("Incosistent") in the output of the 'asg diag' commands in the "Reason" column.
MBS-10254 Chassis The SSM Allow Management Loss feature (sk145792) may not enter the "Management Loss Mode" when the total amount of backplane interface packets exceeds 2 billion.
MBS-10302 Chassis
  • The 'asg_reboot' command was changed to perform a software reboot only.
  • The 'asg_hard_reboot' command was added to perform a hardware reboot.
MBS-10093 Chassis The 'ccutil get_matrix_max_size' command returns the command usage instead of an expected value.
MBS-9523 Maestro It is now supported to create a Gaia snapshot on one Security Appliance and revert that Gaia snapshot on a different Security Appliance in the same Security Group (for example, with the command 'snapshot_recover').
MBS-10230 Maestro Connections to the Security Group over the Security Group's Mgmt interface may be interrupted. 
MBS-9550 Maestro Deleting the entire Security Group might cause the Security Group members to stay in the DETACH state. 
MBS-7433 VSX In VSX mode, UIPC does not work if a Virtual System (other than VS0) is configured with an IP address on the same subnet as the VS0 management network.
Take 266 (31 March 2020)
MBS-8558 General Improved stability of the fwk daemon for VSX mode.
MBS-9810 General Improved stability of the "asg perf" utility.
MBS-9300 General The output of the 'asg policy verify' command might show "Failed" for some Security Group members if a Mobile Access Policy in installed on this Security Group.
MBS-8799 General Remote Access VPN clients fail to get an Office Mode IP address when Office Mode Anti-Spoofing is enabled on the Security Gateway.
MBS-9750 General Security Group member on a Standby Chassis / Standby Maestro Site initiates an IKEv2 negotiation. 
MBS-9877 General Security Group members are not shown in Gaia Portal in this scenario:
  1. Connected to the Gaia Portal of the Security Group
  2. From the left tree, clicked Maintenance > Shut Down
  3. Clicked the option Selected members
  4. The Select cluster members pop up opens, but it is empty
MBS-9793 General When the 'asg_dr_verifier' command is run in the context of a Virtual System other than VS0, the output in the "BGP peers" section incorrectly shows: "Status: Inconsistency found on some of the SGMs"
MBS-4895 General The 'fw sam_policy' ('fw samp') commands are not supported for Scalable Platforms and Maestro Security Appliances in VSX mode. 
MBS-9831 General When the configured routes have comments (comments in the configured BGP peers, comments in the configured BGP AS, comments in the configured static routes, and so on), the 'asg_route' command reports a false positive for inconsistent routes, because the comment information is not synchronized.
MBS-9067 Chassis The "SSM Allow Management Loss" feature (sk145792) is now enabled by default.
MBS-9666 Chassis The output of the 'asg perf' command does not update the memory utilization counter during a reboot.
MBS-9731 Chassis Enhancement: Added support for the following transceivers:
  • 40G QSFP transceiver for SSM160 / SSM440 (APQPSR43CDM01NI)
  • 40G QSFP transceiver for SSM160 / SSM440 (BTI40GLRQSFPP)
  • 10G SFP transceiver for SSM160 / SSM440 (BTI10GLRSFPP)
MBS-3460 Chassis Added support for configuring the SSM backplane speed in Gaia gClish.

On SGM400:
  • set ssm backplane-speed Auto apply-on <chassis1 | chassis2>
  • Note: This configuration lets SGM400 work with the 40G link without the need to configure it manually on the SSM.
On SGMs other than SGM400:
  • set ssm backplane-speed 10GB
To get the current SSM backplane speed, run one of these commands:
  • asg_chassis_ctrl get_backplane_admin_speed <1 | 2 | all>
  • asg_port_speed verify
MBS-9714 Maestro The following message might appear when applying the change after removing Security Appliances from a Security Group:
Failed to apply Security Groups topology
Failed to execute 'tor_util remove_sgm <Security_Group_ID> <Member_ID>' on MHOs: <Orchestrator_ID>
MBS-9830 Maestro Installing a Hotfix / Jumbo Hotfix Accumulator on all Security Group members at the same time (and not gradually) overrides the configuration of traffic distribution to default: general and L4 Distribution is enabled.
MBS-9384 Maestro Improved the link stability on the ethX-Sync interfaces of the Maestro Hyperscale Orchestrator.
MBS-9762 Maestro In Maestro Dual Site environment, uninstall of a Hotfix might fail. 
MBS-9704 Maestro OSPF packets cannot pass through a Maestro bridging group. Kernel debug shows that packets are dropped:
"fwha_ccl_inbound_late: dir 1, X.X.X.X:0 -> IPP 89: failed to send to member 0, dropping"
MBS-9603 Multiple Security Groups Security Group Resource Manager processes CCP packets from Virtual Systems with IDs other than 0 (zero). This might cause the cluster state of Security Group members to change repeatedly between ACTIVE and DOWN.

Security Group Resource Manager will now process CCP packets only from the Virtual System with ID 0 (zero).
This avoids cluster state flapping when other Virtual Systems publish their cluster state as DOWN, when they do not have policy installed yet.
MBS-9877 Multiple Security Groups  When Multiple Security Groups are enabled, each Security Group incorrectly considers the member with the lowest ID as the Security Group Resource Manager. As a result, members in other Security Groups do not get updates from the correct Security Group Resource Manager.
Take 258 (10 March 2020, GA from 31 March 2020)
MBS-9528 General Although only OSPFv2 with Graceful Restart Helper is configured (without OSPFv3), the Critical Device "OSPF3 Graceful Restart" shows this message during the cluster failover: "OSPF3 Graceful Restart PROBLEM Master -> Standby. Waiting for GR".
MBS-9143 General  Improved the policy load functionality in the 'fw samp' command (for Security Gateway only). 
MBS-9136 General Security Group might assign the same Office Mode IP address to different Remote Access VPN clients. 
MBS-8734 General Traffic might fail to pass over a VPN tunnel with a DAIP peer.
MBS-9354 General VPN tunnel over NAT-T with a DAIP peer might not work when Layer 4 Distribution is enabled.
MBS-7208 General After a snapshot was reverted on a member, the output of the 'asg diag' command might show "Policy signature doesn't match on all SGMs". 
MBS-8672 General Enhancement: Avoid connection forwarding (when possible) between Security Group members in VSX mode.
MBS-8249 General Changed the configuration options in the 'asg_alert' command to allow sending of SNMP traps for each individual test result from the 'asg_diag' command.

Now it is possible to select for which tests to send individual SMNP traps, and to send these SNMP traps for either failed tests, successful tests, or both.
MBS-8923 General The output of the 'asg diag print' command shows an alert (which is a False Positive) for the Dynamic Routing Diagnostic test about differing interfaces and neighbors on the Security Group members.

Root cause: The configuration lock is owned elsewhere on one of the Security Group members, even when the interfaces and neighbors are the same.
MBS-8762 General The Geo Policy IPToCountry database fails to update on Security Gateways (sk163672). 
MBS-8460 General When connected with SSL Network Extender to a Mobile Access Gateway, the user is unable to open new connections after a fail-over in the Security Group until a policy is installed on the Security Group.
MBS-8853 General Enhancement: Added support for "Same VMAC Feature". Refer to sk165674.
MBS-9332 General Enhancement: Check Point Support Data Collector tool (cpdata_collector) and IP/URL Block features are able to self-update from the Check Point Cloud. This requires the Security Gateway to be connected to the Internet.
MBS-9778 Maestro  Memory leak in the "sgm_pmd" process.
MBS-8691 Maestro
  1. The time configuration in Gaia gClish is not applied on the Security Appliances of a Security Group.
  2. The $FWDIR/log/blade_config.* files on the Security Appliances of a Security Group may show the following error: "Error: Failed to update the date".
MBS-9179 Maestro Manual distribution settings might be overridden after reboot on Maestro Security Appliances.
MBS-9838 Maestro  Improved recovery for traffic distribution if there were communication issues between Security Appliances and Orchestrators. 
Take 242 (05 Feb 2020)
MBS-9661 General Resolved the issue with the installation of the Jumbo Hotfix Accumulator Take 240 on Dual Chassis / Maestro Dual Site with VSX Virtual Switch.
Take 240 (03 Feb 2020)
MBS-9390 General The output of the 'asg route' command shows "cost None" on some SGMs.
MBS-9473 General Threat Extraction processes do not start after an upgrade to Take 191 of the R80.20SP Jumbo Hotfix Accumulator. 
MBS-9235 General VPN tunnel might disconnect after ~30 seconds.
MBS-6173 General Enhancement: The 'asg diag' command is now able to verify the Multi-Queue status (the "multi-queue" test) on the backplane interfaces BPEthX.
MBS-9202 Chassis Added initial support for Multiple Security Groups on chassis. For implementation, contact Check Point Support.
MBS-8778 Maestro The output of the "cores_verifier" script in the section "Ppak core affinity on all SGMs is:" is broken, when more than 10 SecureXL instances are configured on the Security Appliances.
MBS-9394 Maestro Improved the stability of the orch_info utility.
MBS-9135 Maestro Deleting a Security Appliance from a Security Group in Gaia Clish and applying the new configuration might fail with errors.
MBS-7861 Maestro Enhancement: Improved the internal process of applying the Security Group topology. 
MBS-9311 Maestro Enhancement: Improved the stability of Quick FCD.
MBS-7445 Cluster BGP connections that pass through the cluster might break after a failover.
MBS-8901 Cluster ClusterXL does not monitor the external interface of VSX Virtual Switches.
Take 210 (05 Jan 2020)
MBS-8849 General  Enhancement: Added the new Check Point Support Data Collector tool (cpdata_collector). 
MBS-9130 General When the user runs the 'cpview' command on Security Group members, the "Overview" page shows "N/A" in all counters.
MBS-6638 General   In rare cases, during policy installation, traffic may be dropped on the cleanup rule for some time, or until SecureXL is disabled. 
MBS-8850 General Enhancement: Added new tools to block malicious traffic.
  • "ip_block": lets you block malicious traffic to or from certain IP addresses.
  • "url_block": lets you block malicious traffic to or from certain URLs.
For more information, refer to the R80.20SP Maestro Administration Guide and R80.20SP Scalable Platforms Administration Guide - section "IP and URL Block Feature".
MBS-7595 Gaia The size of the /var/log/ports file grows constantly because the file is not rotated. 
MBS-8427 Gaia Scheduled backup to a remote server does not work. 
MBS-8427  Chassis Enhancement: Added support for the "SSM Allow Management Loss feature" (sk145792).
MBS-8453 Chassis Added support for MAGG with LACP configuration.
Note: MAGG with LACP configuration is only supported in Chassis, not in Maestro.  
MBS-8851 Chassis Enhancement: Improved logging.
  1. Added support for Log Alerts.
  2. Improved the distribution of Log Servers - use the 'log_distributer' command in Gaia gClish to configure the distribution of logs and alerts between the configured Log Servers. 
MBS-8848 Chassis  Enhancement: Added the new utility "drop_monitor" to show detailed statistics in real time about packet drops on NICs and SSM ports.

For more information, refer to the R80.20SP Scalable Platforms Administration Guide - "Packet Drop Monitoring" section.

Note: This utility replaces the "asg_drop_monitor" utility. Runs from VS0 only.
MBS-8255 Chassis Enhancement: Added support for Management Data Plane Separation. See sk138672
MBS-8719 Chassis  Enhancement: Added SSM extended monitoring with SNMP.
  • OID . - SSM Ports (speed, link, packets)
  • OID . - SSM CPU and RAM usage

To see the current state, run in Gaia gClish:
'show ssm extended-snmp-monitoring state'

To enable, run in Gaia gClish:
'set ssm extended-snmp-monitoring state on'

To disable, run in Gaia gClish:
'set ssm extended-snmp-monitoring state off'
MBS-8663 Maestro Improved FCD stability when a Security Appliance is removed from a Security Group.
MBS-6220 Maestro Orchestrator  Security Appliance may crash after it is removed from the Security Group.
MBS-8839 Maestro Orchestrator   Enhancement: Added the ability to configure the MTU on the External Sync interface of the Maestro Orchestrator.  
MBS-7993 Maestro Orchestrator Enhancement: Added the ability to configure multiple physical ports as the Sync port on Maestro Orchestrator. Configuration is performed from Gaia Clish on the Maestro Orchestrator.
  • To configure multiple ports for the Internal Sync (between Orchestrators on the same site) run: 'set maestro port <port number>  type ssm_sync'
  • To configure multiple ports for the External Sync (between Orchestrators on different sites) run: 'set maestro port <port number> type site_sync'
MBS-5861 Maestro Orchestrator Failed to establish SIC with the Security Group object in SmartConsole if First Time Wizard settings were applied to that Security Group from the Orchestrator's Gaia Clish (for example, 'set maestro security-group id 1 ftw-configuration ...').
MBS-8948 Maestro Orchestrator Interface distribution mode is not identical on the Orchestrator and on the Security Appliances.
Take 191 (2 Dec 2019, GA from 05 Jan 2020)
MBS-8292 General  Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 118 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-6531 General  Layer 4 Distribution with "General Distribution" does not work as expected due to an incorrect calculation for Non-TCP / Non-UDP traffic.
MBS-8596 VPN The Security Group might mistakenly encrypt IKE NAT-T packets. 
MBS-8688 VPN Improved stability of VPN encrypted connections.
MBS-5886 VSX The output of the 'hw_utilization -d' command shows "0" in the "Conn. limit" column instead of "unlimited" for VSID 0. 
MBS-8483 Maestro "insmod: error inserting '<name of kernel module>.o':-1 Invalid module format" messages during the Maestro Orchestrator boot.
MBS-7556 Maestro Security Group mistakenly reports disconnected interfaces (uplinks) as LINK UP.
MBS-8010 Maestro   After the user installs R80.20SP Jumbo Hotfix Accumulator Take 163, the message "Failed to load Security Groups" appears in the Maestro Orchestrator's Gaia Portal. This message continues to appear until a Site ID is configured.
MBS-8448 Maestro  "Failed to run ['tor_util', 'clear_port', '2.0', '1']" error in Gaia Portal of the Maestro Orchestrator in Dual Site deployment.
MBS-7563 Maestro  Improved communication stability between the Security Appliances and the Maestro Orchestrators.
MBS-8622 Maestro  Output of the 'asg diag verify' command shows "SGM license is missing" warning in the "Licensing" category.
Take 178 (1 Nov 2019, GA from 02 Dec 2019)
MBS-7728 General Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 103 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-7589 General Installation of a CPUSE package might fail due to a timeout.
MBS-7538 General   Improved stability of IPv6 connections.
MBS-6206 General Added support for Gaia scheduled backup with the 'add backup-scheduled' command.
MBS-7460 General In rare cases, the Threat Emulation blade might not function and the '_g_allc tecli' commands might fail in this scenario:
  1. SMO Image Cloning is enabled.
  2. Threat Emulation blade is enabled.
  3. A new member is added to the Security Group.
MBS-6634 General When running PIM Sparse Mode / PIM SSM, PIM register packets are sent with an incorrect checksum. This causes the RP to drop these PIM packets.
MBS-6719 General Improved stability of the RouteD daemon when IGMP query-interval is set to a value of less than 4 seconds.
MBS-4495 General Added the ability to configure Proxy ARP in Gaia gClish with the 'add arp proxy' command.
MBS-6543 General The 'asg_drop_monitor -r' command does not reset the drop statistics for the BPEthX interfaces that use the i40e driver.
MBS-6418 Chassis - General   The clock on the CMM is not synchronized when an administrator changes the clock time in Gaia Clish, Gaia gClish, or Gaia Portal.
MBS-8393 SNMP SNMP query for the OID asgIPv6PeakUnits returns null values.
MBS-7670 VSX Added support for Policy-Based Routing (PBR) in VSX mode (see sk137232).
MBS-6563 VSX The ID in the names of these files now supports 4 digits (as the ID in the $FWDIR/conf/fwha_vsx_conf_id.conf file):
  • $FWDIR/conf/vsx_local_vs_files/local.vs. <ID>
  • $FWDIR/conf/vsx_local_vs_files/local.vskeep. <ID>
MBS-7671 VSX The Gaia gClish command 'set pbr rule priority X action table' does not show the PBR tables configured in the current Virtual System context.
MBS-7346 Maestro  Added support for VSX Virtual Switches in a Maestro Security Group.
MBS-7486 Maestro - Orchestrator Added support for configuring a VLAN Trunk interface that includes all VLAN IDs (2-4094) without adding each VLAN interface separately on the Orchestrator. Refer to sk165172
MBS-8142 Maestro - Orchestrator  Improved link stability on ethX-Sync interfaces of Maestro Hyperscale Orchestrator.
MBS-7569 Maestro - Orchestrator Improved connectivity between Security Appliances that belong to the same Security Group.
MBS-7869 Maestro - Orchestrator

In Dual Site, if different QSFP modes are configured for ports with the same port number on different Maestro Orchestrators, this error appears in Maestro Orchestrator's Gaia Portal when the user tries to load a Security Group topology:

Failed to load Security Groups
Failed to fetch Security Groups topology

MBS-7750 Maestro - Orchestrator Internal improvements for operations related to Security Groups (creating and removing Security Groups, adding and removing interfaces).
MBS-7793 Maestro - Orchestrator Error on Maestro Hyperscale Orchestrator: "Failed to apply configuration on remote Orchestrator(s) SG X has no hostname."
MBS-8206 Maestro - VSX "Error: Failed to find any routes on the machine" in SmartConsole when creating a VSX object.
Take 163 (10 Sep 2019)
MBS-6460 Maestro  Added support for Dual Site deployment. You can deploy two Maestro Hyperscale Orchestrators on each physical site and connect the sites to each other. The sites synchronize both connections and configuration. Refer to the Known Limitations in the "Dual Site Deployment" section of sk148074 - Check Point Maestro Known Limitations
MBS-6577 General   Enhancement: Output of the 'asg_provision' command now shows SGM IDs in the headline.
MBS-5386 General Output of the 'asg_conns -b <SGM IDs> -6' command shows "IPv6 not enabled" even though it is enabled on the chassis.
MBS-6865 General The 'asg if' command shows "(NA)/(NA)" (instead of "(up)/(up)") in the "Link State" column for the ethX-MgmtY interfaces.
MBS-5710 General   The gClish command 'installer verify' shows "Action was aborted" if a CPUSE package was not imported on all members.
MBS-6510 General The 'asg_provision' command fails when there is an inconsistency between members in the installed Hotfixes / Jumbo Hotfix Accumulators.
MBS-6757 Maestro - General The gClish 'installer' commands fail with "expected integer but got <XX>" when explicitly specifying "member_ids" <site_id>-08 or <site_id>-09.
MBS-5913 Maestro - General Output of the 'cores_verifier' command does not show any information in the "Ppak core affinity on all SGMs is" section.
MBS-7246 Maestro - General Minimized the amount of packet drops during the reboot of Maestro Hyperscale Orchestrators. 
MBS-5381 Chassis - General
Maestro - General 
Output of the 'asg perf -p' command always shows the value "0" in the "VPN Performance" section > "VPN connections" counter.
MBS-7247 Chassis - General
Maestro - General
Output of the 'config_verify -v' command shows "Performing xfer files verification... Failed!" for the $FWDIR/conf/te_attributes.conf file. 
MBS-6131 Chassis - General
Maestro - General
Output of the 'asg diag' command shows that the /etc/sysconfig/image.md5 file is not identical on all the SGMs.
MBS-6610 Gaia Output of the 'asg_perf_hogs' command incorrectly shows the status "FAILED" for the "Kernel soft lockups" test if the year has changed recently on the system.
MBS-7136 Maestro Gaia - OS  Failure to log in on Security Appliances after removing them from a Security Group. 
MBS-6440 Maestro - Cluster When running the 'clusterXL_admin' command, the output might incorrectly show "Operation failed: member is not down, run 'cphaprob list' for further details".
MBS-7332 Maestro - Security Groups  Improved stability of Security Appliances when they are added to a Security Group with configured "fw samp" rules.
MBS-7237 Maestro -Hardware Security Appliance may fail to revert to factory default (which must happen by design) when removing it from a Security Group.
MBS-7241 Chassis - Hardware
Maestro - Hardware
Output of the 'smo verifiers report name "SSD Health"' command shows "Warning: SSD attributes getting towards low threshold".
MBS-6548 Chassis - Hardware Enhancement: Added support for 10G SFP transceiver for SSM160 (BTI10GSRSFPP). 
MBS-6530 Chassis - Hardware On 64000 Scalable Platforms, the output of the 'asg stat -v' command shows "0" PSUs and "0" Fans, if only PSU 5 and PSU 6 are used.
MBS-6544 Chassis - Hardware  The "Dot3ahErrorAggregation: The threshold for the frame error was exceeded on port X/Y/Z" message appears repeatedly in SSM logs.
Take 121 (31 July 2019)
MBS-6399 General Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 87 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-6157 General & Maestro The 'asg_local_arp_verifier' command might show "Error: Problem found in configuration" even though the $FWDIR/conf/local.arp files contain the same, correct configuration on all Security Group members.
MBS-6613 General & Maestro The "asg diag verify" test, called "Security Group," fails with the "DB/Kernel/Configuration differ" message even though the Security Group configuration is correct on all members (as reported by the 'security_group_util diag' command).
MBS-6359 General & Maestro "Did not find any new packages" message may appear in the output of the 'installer install' command when the user installs the R80.20SP Jumbo Hotfix Accumulator.
MBS-6706 General & Maestro IPv6 traffic might fail to pass over a Bond interface. 
MBS-6834 SecureXL & Maestro Security Group members do not pull the SecureXL configuration from the $PPKDIR/conf/simkern.conf file on the SMO.
MBS-5975 Maestro (Cluster)  After the user deletes a Security Appliance from a Security Group, the 'cphaprob stat' command might still show that Security Appliance (member).
MBS-6693 Maestro (Orchestrator)  The 'set maestro security-group apply-new-config' command fails with the error "NMSSG0429 can't read "output": no such variable" after the user deletes all Security Groups in Gaia Clish on a Maestro Orchestrator.
MBS-7032 Maestro (Orchestrator) Maestro Orchestrator's Gaia Portal shows the status "No connectivity" for Downlinks if the Maestro Orchestrator cannot detect the Security Appliance at this time.

Example (click to enlarge image):

MBS-6640 Maestro (Orchestrator)   Maestro Orchestrator logs are now written into the /var/log/maestro.log file instead of the /var/log/messages file on the Maestro Orchestrator.
MBS-6700 Maestro (Orchestrator) Improved stability of the lldpd daemon on Maestro Orchestrator.
MBS-6758 Maestro (Orchestrator) "Failed to get Orchestrators interfaces" error in Maestro Orchestrator's Gaia Portal in case the Maestro Orchestrator fails to resolve its "Orchestrator ID".
MBS-5807 Maestro (Orchestrator) Maestro Orchestrator's Gaia Portal now shows Downlinks that are in the Up state only.

Example 1 - The "Unassigned Gateways" pane (click to enlarge image):

Example 2 - The tooltip when the mouse cursor hovers over a Security Appliance (click to enlarge image):

MBS-7039 Maestro (Security Groups) If Security Appliances are removed from a Security Group and then added back to the same/other Security Group, some of these Security Appliances may remain out of the Security Group (appear as "DETACHED").
Take 105 (01 July 2019)
MBS-6494 Maestro / Gaia OS  The output of the 'config_verify -v' command shows "Configuration files inconsistent" for the /boot/grub/grub.conf file. 
MBS-5702 General Added support for the image auto-clone feature (set smo image auto-clone state on) that lets a remote SGM clone SMO images.
MBS-6201 General Layer 4 distribution can cause rapid NAT port exhaustion. 
MBS-6269 General When the user runs the 'tcpdump' command with the '-mcap' flag in global mode (with either the 'tcpdump -mcap' command in gClish, or the '_g_tcpdump -mcap_' command in Expert mode), the command deletes all copies of the packet captures on the peer members.
MBS-5488 Gaia OS The Gaia Clish / Gaia gClish command 'snapshot_recover' is not supported.
MBS-6624 Gaia OS  CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.
MBS-6306 VSX Log Server Distribution (asg_log_servers) is not supported on 40000 / 60000 chassis.
MBS-6080 VSX Reverting a chassis in VSX mode to a snapshot might cause an additional reboot.
MBS-5636 VSX A reset of the SIC between the Scalable Platform or Maestro Security Appliance in VSX mode and the Management Server might cause the non-SMO members to change their state to DOWN. To recover, reboot the non-SMO members.
MBS-5864 Cluster In Dual Chassis, the user must install policy after changing the mode of a bond interface (for example, from XOR to 802.3AD), so that the bond interface is monitored by the cluster.
MBS-5610 SecureXL  An Accelerated SYN Defender configuration made with the 'fwaccel synatk' / 'fwaccel6 synatk' commands might not be applied on non-SMO members.
MBS-5837 Logging  The "distribution calculation completed successfully" message in Syslog is shown with an "Alert" priority instead of a "Notice" priority .
MBS-5595 Maestro (General) When the user adds a large number of Security Appliances at once to a Security Group in Orchestrator's Gaia Portal, it might disconnect with the message "Unable to connect to the server. Press OK to reconnect."
MBS-5849 Maestro (General)  Improved stability of the ssm_pmd process on Maestro Orchestrator.
MBS-6090 Maestro (General)  The cpdiag tool now supports Security Appliances.
MBS-5749 Maestro (Performance) After the user installs a Jumbo Hotfix Accumulator on a 23900 appliance connected to a Maestro Orchestrator, the Hyper-Threading (SMT) feature will be disabled by default.
MBS-6073 Maestro (Performance) Improved traffic distribution on Maestro Security Appliances. 

Maestro (Gaia)

On Maestro Security Appliances, Gaia gClish shows "KERLAG0029 Interface ethX-Mgmt4 cant be changed to state off" when the user runs the 'delete bonding group [ID] interface ethX-Mgmt4' command. 
MBS-6121 Maestro (Gaia)  On Maestro Orchestrator, the settings made with the following commands are not applied:
  • 'set maestro security-group id management-connectivity ...'
  • 'set maestro security-group id ftw-configuration ... '
MBS-5652 Maestro (Gaia)  On Maestro Orchestrator, a Gaia OS backup might fail due to low disk space (because large log files are not rotated).
MBS-5457 Maestro (VSX) If after creating a new Virtual System object, policy installation on a Security Group object fails with "Error code: 0-2000240", wait 2-3 minutes and install the policy again.
MBS-5592 Maestro (VSX) When creating a VSX Gateway object in SmartConsole, it recognizes only the interfaces that were assigned to the Security Group before the First Time Wizard.
MBS-6082 Maestro (VSX) When creating a VSX Gateway object in SmartConsole, it does not show the physical interfaces on which the VLAN interfaces were created and assigned to the Security Group. Example: The VLAN interface eth1-05.5 was assigned to the Security Group. The VSX Gateway object in SmartConsole does not show the physical interface eth1-05.
MBS-5104 Maestro (Networking) You can only connect one DAC / Fiber cable between a Quad Port Card on an Appliance and each Maestro Hyperscale Orchestrator. Connecting two cables between a Quad Port Card on an Appliance and each Maestro Hyperscale Orchestrator is not supported.
MBS-5927 Maestro (Cluster)  Improved the internal process of creating a Security Group in Maestro Orchestrator's Gaia Portal when the option "Set FTW configuration" is selected.
MBS-5594 Maestro (Cluster)  Security Appliances show the link state on ports as Down, while the Maestro Orchestrator shows the link state on these ports as Up.
MBS-5557 Maestro (Multi-Queue)   The output of the 'cpmq get -v' command shows an incorrect Multi-Queue configuration (the 'rx_num' does not show the expected value) in the following scenario:
  1. On Maestro Orchestrator, created a new Security Group, but in the First Time Wizard, did not select the option "Install as VSX".
  2. In SmartConsole, configured the SMO as a VSX Gateway.
  3. Installed the policy.
MBS-5838 Maestro (Hardware) On Maestro Security Appliances, the 'asg stat -v' command now monitors the ethX-08 interfaces.
MBS-5701 Maestro (Hardware) Added the ability to configure the Maestro Orchestrator port's QSFP mode to 1 GbE in the Gaia Clish.
- Maestro (Hardware) 23900 appliances support Maestro beginning in Jumbo Hotfix Accumulator Take 105.
MBS-6099 Maestro (Licensing) A Maestro Security Appliance that was removed from a Security Group and then added back to the same Security Group might not pull the license from the existing members of the Security Group. As a result, this Security Appliance remains in the DOWN state. 

Installation Instructions

List of Replaced Files

To receive a list of files replaced by this Jumbo Hotfix Accumulator, contact Check Point Support.

Revision History

Show / Hide revision history

Date Description
2 Nov 2020 Release of Take 304
05 October 2020 Release of Take 302
19 August 2020 Release of Take 295
02 July 2020 Release of Take 283
31 May 2020 Release of Take 279
04 May 2020 Release of Take 273
31 March 2020 Release of Take 266
10 March 2020 Release of Take 258
05 Feb 2020 Release of Take 242
03 Feb 2020 Release of Take 240
05 Jan 2020 Release of Take 210
02 Dec 2019 Release of Take 191
03 Nov 2019 Release of Take 178 for Maestro
01 Nov 2019 Release of Take 178
10 Sep 2019 Release of Take 163
31 July 2019 Release of Take 121
01 July 2019 Release of Take 105

Give us Feedback
Please rate this document