Check Point R80.20.X for 1500, 1600, and 1800 Appliances Known Limitations and Resolved Issues
Solution ID: sk159772
Product: Quantum Spark Appliances
Version: R80.20.x
OS: Gaia Embedded
Platform / Model: 1500, 1600, 1800
Date Created: 05-Aug-2019
Last Modified: 15-Mar-2023
Solution
This article lists all Known Limitations and Resolved Issues for Check Point R80.20.x versions for Quantum Spark Appliances.
This is a live document that may be updated without special notice. We recommend that you register for our weekly updates in order to stay up to date. To register, go to UserCenter > ASSETS / INFO > My Subscriptions.
This article contains two sections:
Supported and Unsupported Features
Known Limitations and Resolved Issues
Important Notes:
Embedded Gaia software inherits its code base from the R80.20 GA version of enterprise appliances. Therefore, although not specifically mentioned, the R80.20 SMB Gateways inherit all maintrain limitations (see sk122486).
All Known Limitations with ID 010XXXX (not SMB-XXX) originate in R77.20 versions.
To see the latest firmware release, refer to sk97766.
Supported and Unsupported Features
Note - All features available under local management can be available via the SMP portal with CLI scripts.
Each row lists the blade or feature, whether it is supported on locally managed appliances, whether it is supported on centrally managed appliances, and any comments.

Unified Access
Access Rules - Locally managed: Yes; Centrally managed: Yes
Application Control Blade - Locally managed: Yes; Centrally managed: Yes
URL Filtering Blade - Locally managed: Yes; Centrally managed: Yes
Content Awareness - Locally managed: No; Centrally managed: No
QoS - Locally managed: Yes; Centrally managed: Yes
Data Loss Prevention (DLP) Blade - Locally managed: No; Centrally managed: No
Geo Protection - Locally managed: Yes; Centrally managed: Yes
Network Address Translation (NAT) - Locally managed: Yes; Centrally managed: Yes
HTTP/HTTPS proxy - Locally managed: No; Centrally managed: No
UserCheck - Locally managed: Yes; Centrally managed: Yes. Comment: UserCheck client is not supported.
Hotspot portal - Locally managed: Yes; Centrally managed: Yes
Rule Hit Count - Locally managed: No; Centrally managed: Yes
Domain Object - Locally managed: Yes; Centrally managed: Yes. Comment: Locally Managed: available from R80.20.10. Centrally Managed: available from R80.20 GA.
Time Objects - Locally managed: Yes; Centrally managed: Yes
Updatable Objects - Locally managed: Partial; Centrally managed: Yes. Comment: Locally Managed: available from R80.20.10 (Geo objects only). Centrally Managed: available from R80.20.05.
Suspicious Activity Monitoring (SAM) Rules - Locally managed: No; Centrally managed: No
Rulebase Layers - Locally managed: No; Centrally managed: Yes
Security Zones - Locally managed: No; Centrally managed: Yes. Comment: Security Zones are not supported in the Threat Prevention Policy on centrally managed appliances (for versions below R81.10).

SSL Inspection
Inbound HTTPS Inspection - Locally managed: No; Centrally managed: Yes
Probing - Locally managed: No; Centrally managed: No
Categorization enabled with full SSL inspection - Locally managed: Yes; Centrally managed: Yes

Identity Awareness
AD Query - Locally managed: Yes; Centrally managed: Yes
Azure AD - Locally managed: No; Centrally managed: No
RADIUS Accounting - Locally managed: No; Centrally managed: No
Identity Collector - Locally managed: No; Centrally managed: Yes. Comment: Supported for Centrally Managed appliances in versions R80.20.35 and higher.
Identity Broker - Locally managed: No; Centrally managed: No

VPN and Remote Access
Central VPN Gateway - Locally managed: No; Centrally managed: No
Satellite VPN Gateway - Locally managed: Yes; Centrally managed: Yes
IPSec VPN Blade - Locally managed: Yes; Centrally managed: Yes
Mobile Access Blade - Locally managed: Partial; Centrally managed: Partial. Comment: Remote Access clients are supported (Endpoint, SNX). Mobile Access Web Portal is not supported.
VPN VTI - Locally managed: Yes; Centrally managed: Yes
Traditional VPN Mode - Locally managed: No; Centrally managed: No
Secure Configuration Verification (SCV) and Desktop policy
The following limitations are known in R80.20 for SMB Appliances. Note that for each entry, there is a column for the version the limitation was found in, and another column for the version in which this limitation was fixed (thus becoming a resolved issue).
All previous limitations are relevant to the following version unless stated as resolved.
Columns: ID, Description, Found In, Resolved In.
General

SMB-15959 (found in R80.20.35; resolved in R81.10.05)
Although a Quantum Spark appliance is configured to forward only Security Logs to an external Syslog server, it forwards both Security Logs and System Logs.

SMB-16203 (found in R80.20.x; resolved in R80.20.35 Build 2577)
During boot, the Quantum Spark appliance might revert to factory default as a result of a rare condition in which files were wrongly deleted from the /pfrm2.0/etc/ directory.

PMTR-58520 (no versions listed)
Enforcement of IoT assets in the Access Control policy is not supported on Centrally Managed Quantum Spark appliances running Gaia Embedded OS.

SMB-15326 (found in R80.20.01; resolved in R80.20.30)
In appliances running versions lower than R80.20.30, a kernel memory leak may occur in some environments. This may result in functionality issues and an appliance reboot after 20+ days of uptime.

SMB-13276 (found in R80.20.15; resolved in R80.20.10 Build 992001491)
Every time "dsa_rcv: Got invalid source port" is seen in the kernel logs (dmesg), a small kernel memory leak occurs. This may eventually result in out-of-memory and a reboot of 1500 appliances.

SMB-14095 (found in R80.20.15; resolved in R80.20.20 Build 992001844)
In rare scenarios in locally-managed mode (such as an unexpected reboot during signature updates), the fw_configload command fails during boot. As a result, you must manually reboot the appliance.

SMB-13100 (found in R80.20.05; resolved in R80.20.10 Build 992001491)
A rare memory corruption may lead to unexpected reboots on 1500 appliances.

SMB-12309 (found in R80.20.05; resolved in R80.20.10)
Cloud Services activation fails when the registration key is more than 9 characters in length.

SMB-10301 (found in R80.20 GA; resolved in R80.20.30)
IPv6 packet inspection is not supported and therefore IPv6 traffic will be dropped.
To allow IPv6 traffic: go to Device > Advanced Settings > Stateful Inspection - Allow IPv6 packets, and set the parameter to "true".

01668937 (found in R77.20; unresolved)
Configuring appliances with a DNS server that does not resolve public domain names may cause issues in various features, including timeouts during SIC establishment, an unresponsive log page, and more. Make sure to configure DNS servers that can be reached from the appliance.
Long connections with many HTTP sessions that transfer files to the server and back cause high memory consumption.
Gaia Embedded

SMB-17482 (found in R80.20.35; resolved in R80.20.35 GA replacement)
The RNDIS USB plugin is missing some validations, which in rare cases may allow access to kernel data.

SMB-13930 (found in R80.20.15; resolved in R80.20.20 Build 992001844)
In R80.20, "adlog a query" commands, which are used to display adlog information, fail with the error message "wrong number of arguments." For example, "adlog a query ip 1.1.1.1" returns "wrong number of arguments".

SMB-10543 (found in R80.20 GA; unresolved)
Embedded Gaia appliances conform to the Maintrain bridge (L2) limitations listed in sk101371.

SMB-12790 (found in R80.20 GA; unresolved)
1570, 1570R and 1590 appliances do not support the use of SFP ports for installation using the Uboot menu.

SMB-12119 (found in R80.20.05; unresolved)
A USB storage device used for clean installation of a new image on the 1500 series must be formatted with the FAT32 file system.

No ID (found in R80.20 GA; unresolved)
'Gaia OS' Best Practices are not supported for 1550 / 1590 appliances. Refer to sk108416.

SMB-10086 (found in R80.20 GA; unresolved)
Certain CLISH commands allow configuration of a DMZ interface even though there is no DMZ port on the appliance (relevant to v0 only).

SMB-10169 (found in R80.20 GA; unresolved)
Protected devices with names in a non-English language are not displayed properly in the WebUI or on a mobile device due to database restrictions.

SMB-10266 (found in R80.20 GA; resolved in R80.20.00)
Audit Logs will not be displayed for the following operations:
Operations that are done before the First Time Configuration Wizard has finished.
Operations that are done from SmartProvisioning.
Dynamic routing, fw, cpwd_admin, upgrade and restore CLI commands.
For some operations, the audit log will be "admin executed <command_name> command". The log will be written even if the command failed.
Threat Prevention

SMB-15551 (found in R80.20.30; unresolved)
Threat Emulation is not supported in pure IPv6 mode. It is only supported in dual stack mode.

SMB-13183 (found in R80.20.05; resolved in R80.20.10 Build 992001491)
Applying user or user group objects in Threat Prevention exceptions is possible but not supported.

SMB-13013 (found in R80.20.02; resolved in R80.20.10 Build 992001491)
In locally-managed 1500 appliances, a leak in kernel memory may cause out-of-memory to occur when POP3 Anti-Virus/Threat Emulation inspection is enabled.

SMB-12961 (found in R80.20.05; resolved in R80.20.10 Build 992001491)
After an upgrade to R80.20.05 and higher, mail send/receive over POP3S frequently times out.

SMB-12798 (found in R80.20.05; resolved in R80.20.10 Build 992001433)
A Threat Prevention exception for an attachment specified by the MD5 of the file does not work for POP3 connections and the email is blocked.

SMB-12723 (found in R80.20.05; resolved in R80.20.10 Build 992001433)
In a specific scenario for 1500 appliances running version R80.20.05: When emails are inspected in the SMTP protocol (Anti-Spam or Anti-Virus), the appliance may reboot due to a kernel panic.

SMB-12009 (found in R80.20.02; unresolved)
In a rare scenario, malicious emails detected by IMAP inspection are not deleted from the client. Note: The malicious content is NOT downloaded.

SMB-11853 (found in R80.20.00; resolved in R80.20.05)
A vulnerability in the code enables an attacker to cause a buffer overflow which can lead to a Denial of Service condition.

SMB-11307 (found in R80.20.01; resolved in R80.20.05)
The Threat Emulation detect log does not display the "Interface" and "Resource" fields.
Workaround: "Interface" can be concluded from the Source IP. Most of the information about the "Resource" can be seen in the "Destination" and "File name" fields.

SMB-9351 (found in R80.20 GA; resolved in R80.20.05)
Threat Emulation is not supported with remote emulation appliances.

SMB-13721 (found in R80.20 GA; unresolved)
SNORT rules are not supported.

SMB-10848 (found in R80.20.00; resolved in R80.20.01)
In locally managed mode, the Threat Emulation blade stops working properly after disabling and re-enabling the blade.

SMB-9808 (found in R80.20 GA; resolved in R81.10.00)
FTP traffic is not inspected by the Anti-Virus blade.

SMB-10233 (found in R80.20 GA; resolved in R80.20.02)
IMAPS is not supported in the Threat Prevention Software Blades.

SMB-9988 (found in R80.20 GA; unresolved)
The "Import IPS protections" option fails if done via the WebUI. Offline updates can be installed via CLI.

SMB-12965 (found in R80.20 GA; unresolved)
In locally managed appliances: When the Anti-Spam blade is on, SMTP traffic from external mail clients to mail servers behind the gateway is sent with the gateway IP as the source IP instead of the IP of the mail client, even though static NAT is defined for the server. For the workaround, refer to sk168061.

SMB-10433 (no versions listed)
In Centrally Managed Gateways, you cannot fetch the IPS package from Management.
Workaround: To install the package:
Enter expert mode.
Copy $FWDIR/state/local/AMW/local.sd_updates to the /storage partition.

No ID (found in R77.20 (700/1400), R80.20 GA; resolved in R80.20.35)
SIC between Quantum Spark Security Gateway cluster members is lost 5 years after a locally-managed cluster is created, due to the SIC certificate expiration.
Workaround: Contact Check Point Support to get a Hotfix for this issue, then follow the procedure in sk176326.

SMB-14975 (found in R80.20 GA; resolved in R81.10.00)
Failure to establish SIC to any Quantum Spark appliances after ICA certificate replacement on the Management Server. For a workaround, contact Check Point Support (Issue ID reference: SMB-14976).

SMB-12604 (found in R80.20.05; resolved in R80.20.15)
In appliances running R80.20.05 firmware in locally-managed mode, direct connections to the appliance (e.g. SNMP) might be rejected even when an Incoming policy rule is defined for the relevant service.

01441874 (found in R80.20 GA; unresolved)
Gradual deployments are not supported.

01536437 (found in R80.20 GA; unresolved)
When configuring the First Time Configuration Wizard from the WAN interface, you cannot set the SIC One-Time-Password immediately after the FTW. To set it, you need to refresh your web browser first.
Hardware

SMB-19564 (found in R80.20; unresolved)
Use of the EXT port on 1800 Quantum Spark appliances is currently not supported.

SMB-14263 (found in R80.20.20; unresolved)
To disable the "Connect to the appliance by name from the Internet (DDNS)" option, it is necessary to enter the DDNS password again.

SMB-13955 (found in R80.20.20; unresolved)
These statistics are not available from the SFP DSL modem:
RS Code Words
RS Corrected Errors
Configured G.Inp
Vectoring
HEC Errors

SMB-13373 (found in R80.20.20; unresolved)
In 1800 appliances: When working in manual mode on the DMZ port, only 100Mbps and 10Mbps link speeds are supported.

SMB-12254 (found in R80.20 GA; unresolved)
1570R, 1600 and 1800 WAN and DMZ ports support copper RJ45 and fiber interfaces. Each port can only use one interface. If both the copper and fiber of the same port are plugged in, the port may experience stability issues.
SecureXL

SMB-17073 (found in R80.20.35 JHF Build 2613; unresolved)
Internal traffic for which the source and destination are both bridges is dropped when SXL is enabled.

SMB-15723 (found in R80.20.25; resolved in R80.20.35)
When SecureXL is enabled, TCP traffic is dropped with these messages in the kernel debug:
update_tcp_state: invalid state detected
do_inbound: Possible TCP state violation

SMB-12100 (found in R80.20.02; resolved in R80.20.10 Build 992001433)
Connectivity failures occur when the internal network is configured in bridge mode and the IP address is assigned to one of these bridge types: LAN port or multiple LAN ports + wireless interface(s), LAN port(s) + WAN.

01478091 (found in R80.20 GA; unresolved)
The SecureXL penalty box mechanism is not supported.
ClusterXL

SMB-16461 (found in R80.20.25; resolved in R80.20.35)
In locally managed Quantum Spark appliance clusters: When you configure a new network interface for High Availability after the secondary member was already connected, the cluster breaks.
Creating a cluster with multiple interfaces configured takes a long time and the appliance disconnects during the process.

SMB-15252 (found in R80.20 GA; resolved in R80.20.30)
When a cluster consists of gateways whose names contain more than 30 characters, there is an unexpected reboot upon cluster failover.

SMB-14395 (found in R80.20.15; resolved in R80.20.20 Build 992001869)
In a locally managed cluster, if a custom port number is defined for Remote Access connections, these connections to the cluster Virtual IP address are not allowed by default.

SMB-12955 (found in R80.20.05; resolved in R80.20.15)
In cluster gateways which are managed as part of an LSM cluster profile, implied rules are not enforced correctly. This may lead to one of the cluster members being down.

SMB-19193 (found in R80.20.05; resolved in R81.10.00, R81.10.05)
It is not supported to configure a Cluster of Quantum Spark Appliances when an Internet connection is a Bond interface.

SMB-11948 (found in R80.20.05; unresolved)
In locally managed mode, a bond cannot be part of a cluster interface (same as with a switch and bridge).

01125000 (found in R80.20 GA; unresolved)
When configuring a cluster and setting DHCP on one of the cluster interfaces, a DHCP server might include the other cluster member's IP address in its available IP address range. Therefore, the DHCP server might serve this IP to another computer in the same network, which will cause connectivity issues.
Workaround: Manually exclude the other cluster member's IP address from the range.

01124242 (found in R80.20 GA; unresolved)
Before configuring a local cluster, make sure that the sync interface is unassigned by checking the Device -> Local Network page in the WebUI.

01502833 (found in R80.20 GA; unresolved)
Cluster mode configuration of the gateway is not supported in CLI.

01119896 (found in R80.20 GA; unresolved)
When configuring a cluster, you cannot use a wireless interface as the Sync interface.

01117967 (found in R80.20 GA; unresolved)
Configuring a Cluster Virtual IP address on a PPP interface is not supported, but the interface can still be monitored by ClusterXL.

01216507 (found in R80.20 GA; unresolved)
When defining a local cluster with the "Strict" Firewall mode enabled, a manual internal rule must be defined to allow connectivity between the cluster members on the sync interface.

01615874 (found in R80.20 GA; resolved in R81.10.00)
When defining a locally managed cluster, the Virtual IP address of a clustered interface has to be in the same subnet as the real IP addresses of the cluster members.

01618299 (found in R80.20 GA; unresolved)
In rare cases, during cluster creation or after upgrading a cluster, an "Error 00361" message is shown. This error may indicate a temporarily busy database.
Workaround: Go to the secondary cluster member, disconnect it from the cluster, and then reconnect it.

01622228 (found in R80.20 GA; unresolved)
In locally managed small office appliances, after resetting cluster settings it is recommended to wait a few minutes before redefining the cluster, to avoid failure.

01615544 (found in R80.20 GA; resolved in R80.20.10)
The user cannot configure a locally managed cluster with SMP or an externally managed log server.

01585228 (found in R80.20 GA; unresolved)
Following cpstop;cpstart of an HA cluster member that is standby or down, it can take a few minutes for the cpha state to come back up. During this time, the active member is up and running, so there is no connectivity loss.

SMB-9837 (found in R77.20; unresolved)
The "Force Member Down" button does not work in a local cluster configuration when the Internet connection interface is set to "Monitored" and the cluster members do not have similar Internet connection names.
Workaround: Rename the Internet connections so that they are the same for both cluster members.

No ID (found in R77.20; unresolved)
Configuring Switch on network interfaces is not supported in Cluster High Availability mode. Configuring bridge on network interfaces is supported in Cluster High Availability in centrally managed mode only.
Networking

SMB-17652 (found in R80.20 GA; unresolved)
Bidirectional Forwarding Detection (BFD - "IP Reachability Detection") is not supported.

SMB-16788 (found in R80.20.30; resolved in R80.20.35 JHF)
In Quantum Spark appliances, the SSH server does not respond to SSH keepalive messages.

SMB-16800 (found in R80.20 GA; resolved in R80.20.35 JHF Build 2613)
RTP traffic may be dropped with this message displayed: "CPAS: failed to init streamh"

SMB-16992 (found in R80.20 GA; resolved in R80.20.35 JHF Build 2613)
The appliance responds to TCP/5060-5061 connections even though no explicit SIP rule exists in the incoming policy.

SMB-14380 (found in R80.20.02; resolved in R80.20.15)
Static routes are sometimes created with the wrong netmask/prefix (in the destination network). For example, a static route with the netmask 255.255.255.128 (prefix 25) is created with the netmask 255.255.255.255 (prefix 32).

SMB-14272 (found in R80.20.20; unresolved)
Global Configuration of DSL is not supported for SFP-DSL connections.

SMB-15419 (found in R80.20.30; unresolved)
Configuring a LAN port as an internet connection is not supported with IPv6 internet connection types.

VPNS2S-2220 (found in R80.20.20; unresolved)
When you use the "Connection Monitoring" feature, you must specify a reachable server or the system will disconnect. If no reachable DNS server exists within the network, disable the "Connection Monitoring" feature.

SMB-13424 (found in R80.20.30, R80.20.25 and R80.20.20; unresolved)
In 1600 and 1800 appliances, if auto-negotiation is disabled on a port, the port supports only the speeds of 10 Mbps and 100 Mbps.

SMB-14226 (found in R80.20.20; unresolved)
If an interface is a Bond slave, the Clish commands "set interface <Name of Interface> state off" and "set interface <Name of Interface> down" fail and this error message appears: "Could not set interface: Internal Error."

SMB-14304 (found in R80.20.20; resolved in R80.20.20 Build 992001869)
Occasionally, after you insert the SIM tray, the cellular connection is not restored and the message "Detecting SIM" shows repeatedly.

SMB-14401 (found in R80.20.20; resolved in R80.20.20 Build 992001869)
SMB 1500 devices are vulnerable to DNSpooq on internal (LAN, Wi-Fi) networks. The issue is resolved in R80.20.20 B992001850 and higher for 1500.

SMB-13620 (found in R80.20.10; resolved in R80.20.20 Build 992001844)
When you configure the Virtual MAC address feature on a 1500 cluster, a kernel panic may occur.

SMB-12990 (found in R80.20.10; resolved in R80.20.15)
The Wireless "MAC Address Filtering" configuration does not save a newly added MAC address.

SMB-13472 (found in R80.20.10; resolved in R80.20.15)
Multicast traffic passing through the gateway may cause a memory leak in the kernel. This results in an out-of-memory condition and you must reboot the appliance.

SMB-13463 (found in R80.20.10; resolved in R80.20.15)
In 1500 appliances: On rare occasions when the WAN interface goes down, a kernel panic occurs.

SMB-12100 (found in R80.20.05; resolved in R80.20.10)
Connectivity failures occur when the internal network is configured in bridge mode and the IP address is assigned to one of these bridge types: LAN port or multiple LAN ports + wireless interface(s), LAN port(s) + WAN.

SMB-12431 (found in R80.20.10; resolved in R80.20.15)
If you change the MAC address of a port (MAC clone), it reverts back to the previous address after a reboot.

SMB-12090 (found in R80.20.05; resolved in R80.20.10)
In the Local Network page, the MAC address that appears next to bridge member interfaces shows the bridge MAC address instead of the physical interface MAC address.

SMB-11450 (found in R80.20.05; resolved in R80.20.05)
Connection Monitoring for all internet connections is disabled when a bridge is configured.

SMB-11891 (found in R80.20.05; resolved in R80.20.05)
The LAN1 port cannot be configured as part of a Link Aggregation (Bond) interface.

SMB-11514 (found in R80.20.02; resolved in R80.20.05)
DHCP domain name (option 15) does not work from the DHCP custom options table. The data is saved properly but not propagated to the network.

SMB-11969 (found in R80.20.02; resolved in R80.20.05)
The physical port for a VLAN created through clish commands is always LAN1.

SMB-13639 (found in R80.20 GA; unresolved)
Monitor mode can only be configured for LAN1, LAN2, LAN5, LAN6, and LAN7.

SMB-11641 (found in R80.20 GA; resolved in R80.20.15)
Static routes and source based routing are fully supported, but service based routing does not work on all 1500 appliances.

SMB-11473 (found in R80.20 GA; resolved in R80.20.10)
Routing inbound traffic from a bridge slave to an internet connection which is not part of the same bridge interface is not supported.

SMB-10135 (found in R80.20 GA; unresolved)
The DMZ port does not exist on 1550 appliances.

01662062 (found in R80.20 GA; unresolved)
It is not possible to configure a bridge if interfaces have not been assigned in the Local Networks WebUI page.

01678009 (found in R80.20 GA; unresolved)
When trying to add a disabled LAN interface to a bridge, the operation fails with an irrelevant message about wireless.
Workaround: Enable the LAN interface before adding it to the bridge.

01664588, 01803277 (found in R80.20 GA; unresolved)
When the WAN Internet connection is configured as PPPoE, an Anti-Spoofing warning appears in SmartView Tracker. You can safely ignore the warning.

02340232 (found in R80.20 GA; unresolved)
Configuration of a bridge to the Internet (one leg on an external interface) with additional Internet connections (MISP configuration / Multiple ISPs) is not supported.

01663019 (found in R77.20; unresolved)
Bridge interfaces cannot be disabled.

SMB-13068 (found in R77.20; unresolved)
In rare conditions, when you enable DHCP or Relay for the bridged interface between LAN and WiFi, this message appears: "Can not add more DHCP scopes for that network." This message can be safely ignored.

SMB-6597, SMB-6663 (found in R77.20; unresolved)
When multiple Internet connections are configured in High Availability mode, and primary connection failover occurs without the main connection going down/restarting, traffic will continue to be routed for the previous primary connection for more than the routing cache lifetime (20 seconds) if the QoS blade is configured.

SMB-12567 (found in R77.20; unresolved)
Asymmetric routing is not supported for SNMP traffic.
Dynamic Routing

SMB-14228 (found in R80.20.20; unresolved)
The 1600/1800 appliances support up to 1000 routes of all types.

SMB-14106 (found in R80.20.20; resolved in R80.20.25 Build 992002123)
If it is necessary to change the default value of the "Multiple ISP Route Refresh" setting, you must do so only in one of these ways:
In WebUI > Advanced Settings > the parameter "Multiple ISP Route Refresh"
In Clish with the set misp-refresh-route command
Important - It is not supported to change the value of the kernel parameter "cphwd_misp_refresh_routing" with the "fw ctl set int cphwd_misp_refresh_routing" command.

SMB-13975 (found in R80.20.15; resolved in R80.20.20 Build 992001844)
When a primary Internet port is down, the connection drops and the secondary Internet connection takes over, but the immediate network route is not removed. As a result, traffic to hosts on that network is not sent out from the default route on the secondary connection.

SMB-13015 (found in R80.20.05; resolved in R80.20.15)
When using "Hide internal networks behind the Gateway's external IP" in addition to a destination NAT for a server behind the gateway, the connection is routed incorrectly.

SMB-12012 (found in R80.20.02; resolved in R80.20.05)
The BGP peer connection does not close after the hold timer expires.

01475633 (found in R80.20 GA; unresolved)
The CLISH command "show configuration" does not show dynamic routing configuration.

01966190 (found in R80.20 GA; unresolved)
BGP MD5 is not supported.

01432740 (found in R80.20 GA; unresolved)
Policy based routing rules are not enforced on POP3 traffic when the Anti-Virus or Anti-Spam blades are active and set to inspect POP3 traffic. Policy based routing rules are also not enforced on SMTP traffic when inspection of outgoing SMTP traffic is configured.

SMB-13078 (found in R80.20 GA; resolved in R81.10.00)
Connectivity that relies on OSPF routes is lost in a ClusterXL environment with OSPF configured when cluster failover and fallback events occur. As a result, a short delay may occur between the failover and the re-establishment of the OSPF routes.
CLI

SMB-17019 (found in R80.20.35; resolved in R80.20.35 GA replacement)
The CLI command "add internal-certificate" does not work.

SMB-14292 (found in R80.20.20; resolved in R80.20.20 Build 992001869)
Use of the "show diag" command causes irrelevant error messages to appear.

SMB-12375 (found in R80.20 GA; unresolved)
Attempting to assign the pivot port of a switch to a bridge using the CLI fails, but does not display an error.

SMB-11644 (found in R80.20.05; resolved in R80.20.05)
Adding a VLAN interface to the DMZ port using clish commands fails.

01502857 (found in R80.20 GA; unresolved)
File related configuration (certificates, customized logo for portals) is not supported.
HTTPS Inspection

SMB-14381 (found in R80.20.20; resolved in R80.20.20 Build 992001869)
HTTPS inspection cannot be opened on some sites because the gateway does not trust the CA.

SMB-13344 (found in R80.20 GA; unresolved)
IMAP/POP3 with STARTTLS is never inspected, even when the user selects IMAP/POP3 or IMAPS/POP3S inspection.
IPS

SMB-16771 (found in R80.20 GA; resolved in R81.10.00)
On a locally managed Quantum Spark appliance, a URL whitelist Threat Prevention exception does not prevent the enforcement of IPS protections.

SMB-15035 (found in R80.20.25; resolved in R80.20.25)
Every time a security policy is installed, and when signature updates with the IPS blade are enabled, a small amount of memory is leaked. Over a long period of time (months), this may cause memory shortage issues.

SMB-10104 (found in R80.20 GA; unresolved)
The "Import IPS protections" option fails if done via the WebUI. Offline updates can be installed via CLI.
The IPS protection "Non compliant HTTP" drops a valid HTTP reply containing an empty zip file.

01530780 (found in R80.20 GA; unresolved)
Using autocomplete in CLISH after the parameter protection-name in IPS configuration takes several minutes to show all options.

SMB-12874 (found in R80.20 GA; unresolved)
On a locally managed SMB appliance, you can configure exceptions for the IPS protections listed below even though they do not support Threat Prevention exceptions. Note - The protections are still enforced.
Ping of Death
SYN Attack
Sequence Verifier
Teardrop

SMB-14662 (found in R80.20 GA; resolved in R80.20.25)
When the HTTP service is configured with "Handle parser failure" = "Accept" in the IPS Settings tab, the "Non Compliant HTTP" protection can still be activated.
Application Control

SMB-16846 (found in R80.20 GA; resolved in R81.10.00)
Websites that are set to blocked by URL categorization may not be blocked the first time they are accessed.
In SmartDashboard, the Application Control & URLF Rule Base does not support the "securityZone" type object. Beginning with the R80 Management version, such objects can be used in the unified Rule Base for rules that do not include any matching for applications and categories.

01453249 (found in R80.20 GA; unresolved)
Using autocomplete in CLISH after the parameter application name in Application Control configuration takes several minutes to show all options.

No ID (found in R80.20 GA; unresolved)
In locally managed devices, it is not possible to configure Applications in the policy base for incoming / VPN traffic.

SMB-14610 (found in R80.20.00; resolved in R80.20.00 JHF)
Application Control/URL Filtering during Remote Access VPN is not supported.
In locally managed mode: After changing the action of the default Application Control rule to 'Ask', the user receives a system notification that an error occurred while applying the firewall.

SMB-2558 (found in R77.20; unresolved)
Adding a CLI category name for Application Awareness/URL Filtering or SSL Inspection configuration results in a "Failed to find the requested category-name" error when the name is more than one word.
Workaround: Use the category ID instead of the application name.
Access Policy

SMB-19492 (found in R80.20 GA; unresolved)
It is not supported to use these predefined objects in Access Policy > Firewall > Policy:
Trusted Wireless Networks
Untrusted Wireless Networks

SMB-17498 (found in R80.20.35 JHF; unresolved)
A device object cannot be used in a network object group.

SMB-16848 (found in R80.20.35 JHF Build 2613; resolved in R81.10.00)
Using dynamic objects in the firewall policy may cause general system errors.

SMB-14540 (found in R80.20.10; resolved in R80.20.25)
The "This gateway" destination object in access rules has no effect on internal traffic through a LAN interface on 1500 appliances.

SMB-14293 (found in R80.20.20; resolved in R80.20.20 Build 992001869)
In a rare scenario in locally managed 1500 appliances, a gateway crash may occur during email inspection in the IMAP protocol.

SMB-13713 (found in R80.20.20; resolved in R80.20.25 Build 992002123)
If the email client is configured with IMAP with STARTTLS, then emails get stuck when they are downloaded from the email server.

SMB-13077 (found in R80.20.10; resolved in R80.20.10 Build 992001491)
When you configure a Geo policy rule with negated objects, the source address in the log is matched to the country in the policy instead of the country of origin.

SMB-12961 (found in R80.20.05; resolved in R80.20.05 JHF)
After an upgrade to R80.20.05 and higher, mail send/receive over POP3S frequently times out.

SMB-12869 (found in R80.20 GA; resolved in R80.20.25)
Use of a "VPN Remote Access" object in the Access Policy is not supported on locally managed R80 appliances.
Workaround: Create a network object with the office mode address and use it in the access rule.

SMB-12786 (found in R80.20.05; resolved in R80.20.10 Build 992001433)
Creating a server object and a network object with the same name is not allowed, but succeeds with an error message "00351" if you use one of the objects in an access rule.

SMB-12092 (found in R80.20.01; resolved in R80.20.05)
In locally managed appliances: When configuring the Firewall Policy to Strict mode, traffic between two LAN ports may still be allowed.

SMB-11420 (found in R80.20.00; resolved in R80.20.01)
In locally managed SMB appliances, you cannot configure an access policy rule with a download/upload limit.

SMB-10398 (found in R80.20 GA; unresolved)
FQDN objects are only supported in the destination column (not in the source).

SMB-13645 (found in R80.20 GA; resolved in R80.20.10)
Access policy rules with Updatable Objects are not enforced correctly on SmartLSM SMB Security Gateways.

01467515 (found in R80.20 GA; unresolved)
When creating a Firewall or NAT rule in CLI, the source/destination value must be a network object and not just an IP address.

01538860 (found in R80.20 GA; unresolved)
CLI does not support reordering Firewall and QoS rules.

No ID (found in R80.20 GA; resolved in R80.20.10)
In locally managed devices, configuring FQDN objects is not supported.
NAT

SMB-13031 (found in R80.20.05; resolved in R80.20.15)
Potential NAT issues occur when you use "Hide internal networks behind the Gateway's external IP" with a destination NAT, due to a route change.

SMB-12643 (found in R80.20.05; resolved in R80.20.10 Build 992001433)
If you add a NAT rule which uses the Web Browsing service, this error message appears: "Error has occurred while applying the NAT setting."
UserCheck

01488784 (found in R80.20 GA; unresolved)
The UserCheck client is not supported in either centrally or locally managed mode of appliances.

01571705 (found in R80.20 GA; unresolved)
To search the security logs on the local web portal for a specific UserCheck incident ID, use the filter string "UserCheck Incident UID:" followed by the ID.

02443426 (found in R80.20 GA; unresolved)
In Centrally Managed Small Office appliances, the UserCheck portal does not appear if the configuration for the main URL of the UserCheck portal under gateway settings is set to use the gateway's external IP address.
User / Identity Awareness

SMB-13006 (found in R80.20.10; resolved in R80.20.15)
In 1500 appliances, users are not shared from the PEP to the PDP in Identity Awareness.

No ID (found in R80.20 GA; unresolved)
If the same username is defined on AD and RADIUS, the Security Gateway tries to authenticate only with the AD Server.

SMB-12189 (found in R80.20.05; unresolved)
Traffic is blocked if the User Awareness blade is turned off and Browser Based Authentication is turned on.

SMB-16255 (found in R80.20 GA; resolved in R80.20.50 for R81.20 Management)
The Identity Awareness Gateway as an Active Directory Proxy feature is not supported on 1500, 1600, and 1800 Quantum Spark Appliances.

SMB-12516 (found in R80.20 GA; unresolved)
LDAP connection is only supported on port 389.

SMB-14519 (found in R80.20 GA; unresolved)
Identity Awareness supports authentication of AD users, user groups, and organizational units. In addition, you can define LDAP groups with more advanced filtering.
Identity Awareness does not support authentication of Primary Groups of user and computer accounts. By default, the Primary Groups are 'Domain Users' and 'Domain Computers.'

No ID (found in R80.20 GA; unresolved)
Identity Agent is not supported on 1500, 1600, and 1800 Quantum Spark Appliances.

01193839 (found in R80.20 GA; unresolved)
On locally managed appliances, only a single DC is supported per AD server.

01116406 (found in R80.20 GA; unresolved)
An AD Domain Controller used for authenticating users that is located in the external zone of a device using Hide-NAT is not supported.
Workaround: Install another Domain Controller in the internal zone of the device.

01481995 (found in R80.20 GA; unresolved)
In centrally managed appliances, these user identification methods are not supported (even though they appear in SmartDashboard):
RADIUS accounting
Terminal servers

01508334 (found in R80.20 GA; unresolved)
In locally managed appliances, when using Active Directory Queries, user and user group names are not supported in Unicode.

02060386 (found in R80.20 GA; resolved in R80.20.35)
Use of AD Query with NTLMv2 is not supported for Small Office appliances.

01619298 (found in R80.20 GA; unresolved)
AD group and user names that include non-English characters, such as the letter o or e with an accent ('), are not supported.

SMB-6586 (found in R77.20; unresolved)
Automatic update of LDAP group membership does not work.
The PDP gateway becomes aware of added/removed users in LDAP groups only after policy installation.
Access Roles are not enforced for some of the users.
AD Query does not update user groups locally when a change is made to them on the Active Directory Server.

SMB-6786 (found in R77.20; unresolved)
Check Point Identity Agent is not supported together with Remote Access (RA). We strongly recommend not enabling them simultaneously.

No ID (found in R80.20 GA; unresolved)
Identity Awareness AD Query functionality is supported when the domain controller server is part of one of the internal networks.
Administrators

| ID | Description | Found in | Fixed in |
| --- | --- | --- | --- |
| 02103715 | If the same administrator name is defined in both the local and RADIUS databases, the locally defined administrator permissions (read only, etc.) always take precedence over the permissions defined in the RADIUS server. We recommend you define unique administrator names for each database. | R80.20 GA | - |
| 02444244 | When you use a RADIUS server to define the device to authenticate administrators, the password defined in the RADIUS server for each administrator must comply with the allowed characters for a password on the device: a-z A-Z 0-9 ! @ # $ % ^ & * ( ) ? - _ = + : ; . , / | R80.20 GA | - |
VPN and Remote Access

| ID | Description | Found in | Fixed in |
| --- | --- | --- | --- |
| SMB-18547 | When Capsule VPN for Windows/mobile devices is established on a Quantum Spark appliance, the device connects but cannot reach internal resources. | R80.20.35 Build 614 | R81.10.00 |
| SMB-16493 | When debug is on and any activity with CRL occurs, the number of rep_x debug files may grow with no limit. This eventually causes the /fwtmp partition to be 100% full. | R80.20 GA | R80.20.35 JHF |
| SMB-15470 | Connected Remote Access users do not appear in SmartMonitor. | R80.20.25 | R80.20.35 |
| SMB-14474 | Centrally managed 1500 appliances may fail to establish a VPN tunnel when installed with multiple VPN certificates. | R80.20 GA | R80.20.20 JHF, R80.20.25 |
| SMB-15573 | IPv4 IPsec tunnel over an IPv6 non-IPsec tunnel is not supported. | R80.20.30 | - |
| SMB-15391 | Site to site and remote access VPN are not supported when the internet connection is of type DS-Lite. | R80.20.30 | R81.10.00 |
| SMB-12802 | L2TP does not work when two-factor authentication is turned on. | R80.20.10 | R81.10.00 |
| SMB-12802 | VPN SNX client is not supported when Two-Factor Authentication is turned on. | R80.20.10 | R81.10.00 |
| SMB-14970 | When office mode is disabled on locally managed 1500 appliances, you can configure a manual rule with VPN Remote Access, but the rule is not enforced. | R80.20.25 | - |
| SMB-14665 | In locally managed 1500 appliances, creating a manual rule that uses "VPN Remote Access" objects is not supported. | R80.20.01 | R80.20.25 |
| SMB-14488 | Encryption domain per VPN community is not supported on these SMB appliances: 1100, 1400 and 1500 series. Encryption domain per VPN community policy is not supported if an SMB appliance running pre-R80 management is one of the policy targets. | R80.20 GA | R81.10.00 |
| SMB-14246 | On Locally Managed appliances, VPN Aggressive mode is not supported. | R80.20.20 | R80.20.20 Build 992001961, R80.20.25 Build 992002123 |
| SMB-14035 | Capsule VPN and Linux VPN client users are unable to connect unless Two-Factor Authentication is enabled. | R80.20.10 | R80.20.20 Build 992001844 |
| SMB-13427 | When traffic is routed through VPN site to site, redirection to the Hotspot page does not work. | R80.20.10 | R80.20.15 |
| SMB-13319 | Remote access clients fail to connect with a PFX file that contains multiple CRLs. | R80.20.05 | R80.20.10 Build 992001491 |
| SMB-12555 | Outgoing VPN traffic is blocked by APPI due to a wrongly applied policy. | R80.20.05 | R80.20.10 Build 992001433 |
| SMB-15262 | Layer 2 Tunneling Protocol (L2TP) clients are disconnected after two hours when a non-Windows client is used. Workaround: Increase the renegotiation-interval time for Phase 2. | R80.20.25 | - |
| SMB-12173 | VPN site to site is not supported when an Alias IP is assigned to one of the Gateway interfaces. | R80.20.05 | - |
| SMB-12086 | In centrally managed mode, a VPN IKE error may show in SmartView logs, and VPN tunnel establishment may fail. | R80.20.01 | R80.20.05 |
| SMB-12084 | In centrally managed mode, VPN Tunnel Test packets were sometimes not sent from the IP address of the internal network interface. | R80.20.01 | R80.20.05 |
| SMB-12055 | In locally managed 1500 appliances, creating a manual rule using "VPN Remote Access" objects is not supported. | R80.20.01 | R80.20.25 |
| SMB-12066 | Alias IP cannot be configured on LAN ports assigned to internet connections. | R80.20.05 | R80.20.10 |
| SMB-11929 | Remote Access VPN cannot connect when the DPD responder mode is enabled. | R80.20.01 | R80.20.05 |
| SMB-13597 | When using SmartLSM with ISP redundancy in which failover occurs, VPN does not fail over to the secondary interface. | R80.20 GA | R80.20.25 |
| SMB-13552 | When a site is defined with a host name, the "Test" button in the Web portal which initiates a tunnel test is grayed out. This is by design, as the "Test" operation is based on a VPN tunnel test, which is not supported when the peer is configured with a hostname or dynamic IP. | R80.20 GA | - |
| SMB-10109, SMB-9846 | When changing the configuration of an existing VPN Tunnel interface (VTI) from numbered to unnumbered or vice versa, routes which contain the VTI interface as a destination must be redefined. | R80.20 GA | R80.20.00 |
| SMB-10127 | In the Logs & Monitoring tab, the "Decrypt" action does not appear on some configurations (for example, PPPoE) but the functionality still works. | R80.20 GA | - |
| SMB-10115 | In locally managed mode: When configuring a VPN tunnel with PSK/certificate authentication methods in IKEv2 mode, and a peer in the community is configured with a dynamic IP, the tunnel fails to establish. Workaround: Go to the VPN tab > Site > Encryption settings and select a specific encryption method instead of the default suites. | R80.20 GA | - |
| SMB-10431 | During a cluster failover, connected Remote Access users may be disconnected. | R80.20 GA | - |
| SMB-12842 | Route-based VPN (VTI) is not supported with policy-based routing. | R80.20 GA | - |
| SMB-12591 | You cannot create a firewall rule where the source/destination is "VPN Remote Access." | R80.20 GA | - |
| - | Site-to-Site VPN is not supported with layer 2 (bridge) connection types. | R80.20 GA | - |
| 01118273 | Configuring VPN site to site or VPN RA for CP Mobile with certificate-based authentication on a locally managed cluster is not supported. | R80.20 GA | - |
| 01613042 | Unnumbered VTIs can only be associated with external interfaces through the Internet connection definition. Other interface types are not supported. | R80.20 GA | - |
| 01629314 | When using numbered VTI, the traffic on Rx and Tx in vpnt interfaces is shown as z | R80.20 GA | - |
| 01620625 | In locally managed appliances, the parameter "vpn_force_nat_t" does not force NAT-T if the remote site is configured using a hostname. | R80.20 GA | - |
| 01107581 | The WebUI Home > Security Dashboard page shows the VPN Remote Access blade as turned "ON" only if the Gateway object in SmartDashboard is set with IPSec VPN and the gateway is part of the Remote Access community. When the object is defined but not part of the Remote Access community, the WebUI Home > Security Dashboard page shows the VPN Remote Access blade as turned "OFF". | R80.20 GA | - |
| 01512007 | In locally managed appliances, VPN sites configured with the IKEv2 encryption method and "Default (Most compatible)" encryption settings only support peer sites configured with Diffie-Hellman group 2. Workaround: Configure an encryption suite that matches the peer's configuration. | R80.20 GA | - |
| 01598717 | In locally managed appliances with a defined proxy, if a 3rd party external Trusted CA is used in a certificate, CRL validation does not work. Disable CRL validation for the CA or disable the proxy. | R80.20 GA | - |
| 01606549 | In locally managed appliances, a remote site can only initiate connections when it is configured with IKEv2 and uses a pre-shared secret. | R80.20 GA | - |
| 01603584 | Remote Access SecurID authentication is not supported in locally managed mode of appliances. | R80.20 GA | - |
| 01599245 | In locally managed mode, when submitting a certificate signing request that contains alternative subject names, the resulting certificate contains only the DN as the subject and not the alternative names. | R80.20 GA | - |
| 01663253 | When the Gateway is behind NAT, the use of IKEv2 with a pre-shared secret in VPN site to site is not supported. Workaround: Use a certificate. | R80.20 GA | - |
| 01625041 | When a VPN community includes dynamic IP addresses for remote sites (behind NAT or connection via hostname), only Diffie-Hellman group 2 is supported. | R80.20 GA | - |
| 01624917 | In centrally managed appliances, the VPN overview page in SmartDashboard does not show tunnels from small office appliances. | R80.20 GA | - |
| 01619432 | When a small office appliance is configured as the center of a VPN Star community, MEP configuration using IP Pool NAT is currently not supported. | R80.20 GA | - |
| 01663225 | When configuring a remote site using a certificate and aggressive mode in VPN site to site in locally managed appliances, a peer ID string in aggressive mode must be configured. | R80.20 GA | R80.20.XX |
| 01663202 | The combined use of IKEv2 and aggressive mode is not supported. | R80.20 GA | - |
| 01654907 | In centrally managed Small Office Appliances, VPN Traditional Mode is not supported. | R80.20 GA | - |
| 01664759 | When configuring the aggressive mode peer ID field for VPN remote sites in locally managed appliances, you can only enter alphanumeric characters and these special characters: _ - . @ ~ ! # % $ | R80.20 GA | - |
| 01658035 | When configuring DHCP relay on centrally managed appliances, if the DHCP server is in a VPN peer's encryption domain, the implied rule "Accept Dynamic Address modules' outgoing Internet connections" must be disabled in SmartDashboard for the DHCP requests to be sent encrypted. Workaround: Create manual rules that allow DHCP. | R80.20 GA | - |
| 01675202 | When using aggressive mode with user peer_id, the remote VPN peer has to be a mobile peer for authentication to succeed. | R80.20 GA | - |
| 01637449 | In locally managed appliances, when defining a remote site using a custom encryption suite and IKEv2 is selected, multiple selection of Diffie-Hellman groups may cause issues. Workaround: Choose the specific Diffie-Hellman group that the remote site uses. | R80.20 GA | - |
| 01663162 | When using Aggressive mode with peer ID in VPN site to site in locally managed appliances, the VPN Remote Access blade must be turned on (even if no users are defined with remote access privileges). | R80.20 GA | - |
| 01679057 | When the external interface is used as a bridge to local networks, VPN site to site traffic is not supported. | R80.20 GA | - |
| 01717741 | When you connect to the appliance with Remote Access VPN, the appliance only uses the default internal certificate. | R80.20 GA | - |
| 01922567 | RIM configuration is not supported in this firmware. RIM functionality is usually needed in the center Gateways of a VPN star community. This image is primarily used in satellite Gateways. | R80.20 GA | - |
| 02115796 | The "Route all traffic through gateway" option is not supported for SSL Network Extender clients. | R80.20 GA | - |
| 01260760 | In locally managed small office appliances, when a cluster failover happens, VPN Remote Access clients need to re-establish the connection. Also, a different certificate is seen when re-connecting. | R80.20 GA | - |
| - | Two-Factor Authentication using mobile access is not supported. | R80.20 GA | - |
| SMB-12201 | Site to site directional VPN is not supported. | R77.20 | - |
| 02066383 | Admin access (WebUI+SSH) fails when connecting via VPN Remote Access using L2TP in SMB appliances. Use Check Point Endpoint Security VPN instead. | R77.20 | R80.20 GA |
| SMB-11978 | The Remote Access feature "Location Aware Connectivity" is not supported on locally managed SMB appliances. | R77.20 | - |
| SMB-9711 | Locally managed appliances do not support subordinate certificates. Resolved in R77.20.80 for *.P12 files only. For .crt files, refer to sk157413. | R77.20 | - |
| SMB-9710 | MEP is not supported in Remote Access VPN. | R77.20 | - |
| SMB-2689 | The "New Certificate Request" feature that allows an external CA to sign the device's certificate does not include the defined Alternative Names in the request. | R77.20 | - |
| SMB-2668 | When a VPN tunnel goes down, routes that use the associated VTI as a target (next hop) remain active. Therefore, you cannot use metric-based failover between routes to different VTIs. | R77.20 | - |
| SMB-3002 | In locally managed Gateways with a dynamic IP address: A site to site VPN configured with IKEv2 and a pre-shared key is supported only with Check Point peers and requires identifier settings. | R77.20 | - |
| SMB-1895 | Locally managed appliances cannot establish a VPN connection to a remote site that consists of multiple centrally managed hub VPN gateways in a MEP configuration. | R77.20 | - |
| SMB-1149 | Trusted links configuration for centrally managed Small Office appliances is the same as described in the VPN Administration Guide. Automatic topology is not supported. The Gateway object must be configured with manual topology. | R77.20 | R81.10.00 |
VoIP

| ID | Description | Found in | Fixed in |
| --- | --- | --- | --- |
| SMB-15958 | On a locally managed appliance, when a "device" network object is added in the WebUI VoIP page, fw_configload fails. | R80.20.35 JHF | R81.10.00 |
| SMB-13742 | VoIP (SIP) call initiation over a bridged internet connection may fail. | R80.20.10 | R80.20.15 |
| SMB-13230 | On 1500 appliances, NAT is not done correctly for VoIP SIP traffic from an external PBX to phones in the internal network. | R80.20.05 | R80.20.10 JHF |
| SMB-12742 | SIP does not work when the "call id" field (usually generated randomly) of the SIP packets includes the IP address of the phone. | R80.20.05 | R80.20.10 Build 992001433 |
| SMB-12358 | The VoIP rule supports the following for the service column: (1) the SIP_UDP built-in service; (2) a custom service based on the SIP_UDP service (has SIP_UDP as protocol type); (3) a Service Group that contains (1) or (2). | R80.20.05 | R80.20.10 Build 992001433 |
| SMB-12366 | The VoIP rule does not support a custom service based on the SIP_UDP service, or a service group that contains this custom service. | R80.20.05 | R80.20.10 |
| SMB-10136 | In locally managed appliances, H.323 is not supported in the hide NAT configuration. | R80.20 GA | - |
Anti-Bot

| ID | Description | Found in | Fixed in |
| --- | --- | --- | --- |
| 01448274 | The Suspicious email outbreak engine in the Anti-Bot software blade is not supported. | R80.20 GA | - |
Anti-Virus

| ID | Description | Found in | Fixed in |
| --- | --- | --- | --- |
| SMB-19073 | When an EICAR virus test file (handled as a special case of AV detection) is downloaded, a push notification is not published with the "block" security log. | R80.20.40 Build 493 | R81.10.00 |
| SMB-9941 | The Anti-Virus engine supports these protocols only: HTTP, SMTP, and POP3. FTP traffic is not inspected by the Anti-Virus blade. | R80.20 GA | R81.10.00 |
| SMB-14858 | In 1500, 1600 and 1800 appliances: the FTP protocol is not supported as an Anti-Virus scanned protocol. | R80.20 GA | R81.10.00 |
| 02282436 | Connectivity issues occur with FTP traffic on centrally managed devices when Traditional Anti-Virus with IPS is activated. | R80.20 GA | R81.10.00 |
| SMB-12362 | MD5-based exceptions in Threat Prevention do not work on some of the variations of the EICAR test file when it is transferred over non-HTTP protocols (FTP, POP3, IMAP, SMTP). | R77.20 | - |
Anti-Spam

| ID | Description | Found in | Fixed in |
| --- | --- | --- | --- |
| SMB-17993 | Secured mail ports (such as 995, 993, and 465) are not supported and are not checked. | R80.20.40 | R81.10.00 |
| SMB-14407 | In the Locally Managed mode, when the Anti-Spam Software Blade is configured to scan outgoing emails, SMTP traffic is dropped if the mail server is behind a VPN peer. | R80.20.20 | R80.20.20 Build 992001869 |
SmartDashboard / SmartConsole

| ID | Description | Found in | Fixed in |
| --- | --- | --- | --- |
| SMB-18388 | In Centrally Managed appliances, SmartConsole sometimes shows inaccurate license information for Software Blades such as "No License" or "About to Expire." | R80.20 GA | - |
| SMB-15025 | When managed by an R81.x Security Management Server, and in a setup where the gateway only fetches policy (e.g. Large Scale Management), the same policy may be re-installed every time the policy is fetched, even if there are no changes to the policy pending on the Security Management Server. | R80.20.25 | R80.20.25 |
| SMB-14325 | Use of SmartConsole to perform a firmware upgrade is not supported in 1600/1800 appliances. | R80.20.20 | R80.20.20 Build 992001869 |
| SMB-13511 | In centrally managed SMB gateways, the wrong license status is displayed in SmartConsole. | R80.20.05 | R80.20.15 |
| 01508830 | The VPN Advanced option to perform an organized shutdown of tunnels upon gateway restart is not supported. | R80.20 GA | - |
| 01537760 | Install policy fails on centrally managed appliances when a rule contains an action set to User authentication. | R80.20 GA | - |
| 01563471 | The "Monitoring" blade (Real Time Monitoring) is not supported. | R80.20 GA | - |
| 01585541 | In centrally managed appliances, in some instances a policy fetch success pop-up message is shown before the Firewall or QoS policy is actually installed. | R80.20 GA | - |
| 02337281 | Installing the Security policy is supported on up to 25 centrally managed appliances simultaneously. To install policy on a larger number of appliances, install in smaller batches. | R80.20 GA | - |
| SMB-3241 | When a DMZ interface is used as a Local Network interface, the "Get Topology" action shows the DMZ interface as network type "Internal" instead of "DMZ." Workaround: Manually change the network type to "DMZ." | R77.20 | - |
| SMB-5608 | Policy installation fails in a centrally managed environment with more than 255 interfaces (in total) whose "security zone" is not set to "none" (for example: internal, external, etc.). Workaround: If there are no policy rules that use these security zones, change their configuration to "none" (in the Gateway properties > Topology tab). | R77.20 | R80.20 GA |
SmartProvisioning

| ID | Description | Found in | Fixed in |
| --- | --- | --- | --- |
| SMB-12923 | In centrally managed mode: If you use SmartProvisioning to configure 802.1q VLAN interfaces on a base LAN interface which has no IP address configured on it, those interfaces may become disabled. In addition, if you use SmartProvisioning to configure several static routes, some static routes may be deleted. | R80.20.05 | R80.20.10 Build 992001433 |
| - | SmartProvisioning is not supported. | R80.20 GA | R80.20.02 |
| SMB-1383 | In Small Office appliances, Identity Sharing is not supported when managed through the SmartProvisioning LSM profile. | R77.20 | - |
| SMB-12955 | In cluster gateways which are managed as part of an LSM cluster profile, implied rules are not enforced correctly. This may lead to one of the cluster members being down. | R80.20.02 | R80.20.10 Build 992001491 |
| SMB-12284 | The first attempt to fetch policy from the LSM server may fail. | R80.20.05 | R80.20.10 |
SmartView Monitor

| ID | Description | Found in | Fixed in |
| --- | --- | --- | --- |
| 01575868 | In centrally managed appliances, SmartView Monitor has limitations when working with inaccessible Gateways (for example, Gateways behind NAT). Since it requires connecting from the Security Management Server to the gateways, many of the monitoring capabilities are unavailable. | R80.20 GA | - |
SSL Inspection

| ID | Description | Found in | Fixed in |
| --- | --- | --- | --- |
| SMB-14567 | When full SSL inspection is enabled, the "sfwd" daemon might crash, and this line appears in the $CPDIR/log/cpwd.elg file: "[ERROR] Process SFWD terminated abnormally : Unhandled signal 6 (). Core dumped" | R80.20.20 | R80.20.25 |
| SMB-13922 | In R80.20.15: When full SSL inspection is enabled, the 'sfwd' daemon might exit or hang. This may cause issues with VPN, URL filtering and security logs. | R80.20.15 | R80.20.20 Build 992001844 |
| SMB-13885 | In Locally Managed 1500 appliances, HTTPS URL Filtering may not be enforced properly when full SSL inspection is enabled. | R80.20.15 | R80.20.15 JHF |
| SMB-13549 | SSL traffic that is matched on one or more rules listed in the SSL exceptions is inspected instead of bypassed. | R80.20.15 | R80.20.15 |
| SMB-13454 | If you create a new Application Group that contains one application that does not require SSL inspection and another application that does, the custom application group icon shows a lock icon even after you delete application signatures that require SSL inspection. | R80.20.10, R80.20.20 | R80.20.20 Build 992001844, R80.20.25 Build 992002123 |
| SMB-11142 | In locally managed mode, SSL Inspection performance is lower than expected. | R80.20.00 | R80.20.01 |
Logging and Monitoring

| ID | Description | Found in | Fixed in |
| --- | --- | --- | --- |
| SMB-13870 | In rare scenarios, logs are not sent to the Log Server or written locally on the Security Gateway. | R80.20.20 | R80.20.20 |
| SMB-15352 | In centrally managed 1550 appliances, the accounting fields (e.g. "Received Bytes", "Sent Bytes") do not appear in logs when policy rules for accounting are enabled. | R80.20 GA | R80.20.30 |
| SMB-14303 | The SMB appliance may generate logs in which the Origin field shows "0.0.0.0" even though the correct value shows in the MGMT console. This may occur when using Log Exporter or when filtering logs. | R80.20.20 | R80.20.20 Build 992001869 |
| SMB-13355 | In locally managed appliances: Logs might be seen in the first few minutes after a policy change for the default outgoing rule even though the rule is configured not to generate logs. Workaround: Turn on the connection persistence flag in Advanced Settings (this keeps established connections when installing a new policy). | R80.20 GA | - |
| SMB-13120 | The rule numbering is incorrect for the last rule (cleanup rule "any,any.accept"). For example, if you have 5 rules, the traffic that matches rule 5 is logged with rule number 6. | R80.20.01 | R80.20.10 Build 992001491 |
| SMB-12721 | Use of SNMP to collect serial numbers is not supported in 1500 devices. | R80.20.02 | R80.20.10 Build 992001433 |
| SMB-12588 | In 1530/1570 appliances with a valid license, an SNMP query fails to get CPU and memory stats. | R80.20.02 | R80.20.10 Build 992001433 |
| SMB-12332 | Icons are missing in the Security Logs page which is part of the appliance portal. | R80.20.02 | R80.20.10 Build 992001433 |
| SMB-11640 | System logs are not available on the Safari web browser. Refer to sk165452. | R80.20.01 | R80.20.02 |
| 01628654 | In locally managed appliances, multiple logs from different blades' engines can be shown for a single event (specifically Anti-Bot, Anti-Virus, and Application Control). | R80.20 GA | - |
| 01595069 | In local management, in specific scenarios, a large number of requests and logs are created each time an attempt is made to browse to a Web site. Workaround: When you define a proxy on the browser, make sure to exclude the local IP address or the network of the appliance. | R80.20 GA | - |
| 02385779 | Use of non-English characters in AD server user names is not supported in local monitoring and reports on the Small Office Appliances. | R80.20 GA | - |
| - | An External Security Log Server cannot be configured when High Availability is turned on (not supported) on locally managed appliances. | R80.20 GA | - |
| - | Gaia Embedded appliances cannot send logs to more than one Security Management Server or Customer Log Server. | R80.20 GA | - |
| SMP-2018 | Security logs that are sent from the SMB Security Gateway to an external Check Point Log Server are sent with the gateway time instead of UTC. If the time on the Check Point Log Server is earlier than the log time, the log will not appear on the Log Server. | R77.20 | - |
SSL Network Extender

| ID | Description | Found in | Fixed in |
| --- | --- | --- | --- |
| 01634523 | The SNX command line for Linux (the script that can be downloaded from the SNX portal using "Download command line SNX for Linux") fails on Small Office appliances. | R80.20 GA | R80.20.XX |
Compliance

| ID | Description | Found in | Fixed in |
| --- | --- | --- | --- |
| SMB-113 | Procedures found in the "Gaia OS Best Practices" section of the Compliance blade are not supported in Small Office appliances. | R77.20 | - |
Online Updates

| ID | Description | Found in | Fixed in |
| --- | --- | --- | --- |
| SMB-883 | If the Time Zone is set after the command that turns off the First Time Wizard in a preset or auto conf script, the initial service updates might not start automatically in the first 12 hours after installation. The service updates can still be initiated manually. Best practice: the command that turns off the First Time Wizard should be the last command in a preset or auto conf script. | R77.20 | - |
| SMB-2914 | If a firmware upgrade procedure is interrupted, intentionally or due to error, online updates might fail. Workaround: reboot the device. | R77.20 | R77.20 |
| SMB-13685 | After you change the SMP firmware upgrade topic from immediate upgrade to scheduled upgrade, the Security Gateway is upgraded with the new firmware (if the defined firmware is newer) immediately. Workaround: (1) Change the firmware upgrade topic from immediate upgrade to scheduled upgrade; (2) Install policy on the Security Gateways; (3) Update the firmware topic on the SMP with the version to be installed. | R77.20 | R81.10.00 |
Wi-Fi

| ID | Description | Found in | Fixed in |
| --- | --- | --- | --- |
| SMB-13533 | Changing the VAP configuration (enable, disable, create, clone) causes all networks on the same wireless radio (2.4GHz or 5GHz) to stop working for a short period of time. | R80.20 GA | - |
| 01667462 | In wireless appliances, to use WEP you must use the first defined Network Password. It does not support multiple passwords. | R80.20 GA | - |
| 01679176 | In the local networks page in the local WebUI, the status of a wireless network for wireless appliances shows as UP even if the wireless radio is off. | R80.20 GA | - |
| SMB-2286 | In centrally managed appliances, the standby member does not bring down the wireless networks. | R77.20 | - |
Hotspot Portal

| ID | Description | Found in | Fixed in |
| --- | --- | --- | --- |
| SMB-14898 | On centrally managed gateways: After you install the security policy, the hotspot configured on an interface stops working and allows unauthenticated access. | R80.20.25 | R80.20.25 |
| SMB-3188 | Hotspot portal redirection does not work when you browse to HTTPS sites. First, browse to an HTTP site, and you will be redirected to the Hotspot portal. | R77.20 | - |
QoS

| ID | Description | Found in | Fixed in |
| --- | --- | --- | --- |
| SMB-11098 | On centrally managed 1500 appliances, the QoS feature does not work on an LTE interface. | R80.20.02 | R80.20.15 |
| 01593577 | In centrally managed appliances configured with QoS in Express mode, internal interfaces should not be configured for QoS, as it may cause loss of connectivity. In R77.20.20, QoS works by default in accelerated mode. This decreases the chance of an interruption to internal traffic. Still, the common use case for QoS is to be activated on the external interfaces. | R80.20 GA | - |
| 01659155 | In connected centrally managed small office appliances, when a push policy of QoS and Firewall is attempted on a Gateway that has been cleanly installed, the policy installation might show a failure icon on the QoS blade without additional error messages even though the push policy succeeded. If a Firewall policy push was attempted before the QoS policy installation, it will also succeed. | R80.20 GA | - |
| 01073326 | When configuring QoS rules in SmartDashboard, the Bulk option in Delay Sensitivity is not supported. In addition, when the Delay Sensitivity feature is configured, limit and guarantee values for the same rule are ignored. All rules that are configured with Delay Sensitivity = Interactive share a joint limit. This limit is by default 20 percent of the interface's bandwidth. This value can be changed through the GuiDBedit Tool (firewall_properties > floodgate_preferences > llq_max_percent). Note that setting this value to more than 20 percent can lead to starvation of all other traffic. | R80.20 GA | - |
| - | A centrally managed SMB appliance can be configured to use the Delay Sensitivity and Differential Services marking features only under Express QoS mode. Configuration is done in the "Advanced" section of the QoS action configuration window, which is unique to Edge/SG80 appliances. Under Traditional QoS mode only the Best Effort QoS class is supported; using other classes will disable the QoS policy. | R80.20 GA | - |
| SMB-9793 | QoS supports marking the traffic with Differential Services (DiffServ) tags and preserving existing DiffServ tags. QoS does not support matching packets based on DiffServ tagging. | R77.20 | R80.20 |
Unified Access

| ID | Description | Found in | Fixed in |
| --- | --- | --- | --- |
| SMB-15218 | The use of object names that contain spaces is not supported in clish commands. Use the object ID instead of the object name when possible. | R80.20 GA | - |
| SMB-13120 | The rule numbering is incorrect for the last rule (cleanup rule "any,any.accept"). For example, if you have 5 rules, the traffic that matches rule 5 is logged with rule number 6. | R80.20.01 | R80.20.15 |
| SMB-13080 | SNI is not supported on SMB R80.20 gateways. As a result, site categorization might fail. | R80.20.05 | R81.10.00 |
| SMB-13077 | When you configure a Geo policy rule with negated objects, the source address in the log is matched to the country in the policy instead of the country of origin. | R80.20.10 | R80.20.15 |
| SMB-13002 | In 1500 appliances, you cannot add services to the "Web Browsing" Service group because no spaces are allowed in the service group name. | R80.20.02 | R80.20.10 Build 992001491 |
| SMB-12786 | Creating a server object and a network object with the same name is not allowed, but succeeds with the error message "00351" if you use one of the objects in an access rule. | R80.20.05 | R80.20.10 |
| SMB-12742 | SIP does not work when the "call id" field (usually generated randomly) of the SIP packets includes the IP address of the phone. | R80.20.02 | R80.20.15 |
| SMB-12734 | SIP does not work with non-standard ports (ports other than 5060). | R80.20.02 | R80.20.10 Build 992001433 |
| SMB-12604 | In appliances running R80.20.05 firmware in locally managed mode, direct connections to the appliance (e.g. SNMP) might be rejected even when an Incoming policy rule is defined for the relevant service. | R80.20.05 | R80.20.10 Build 992001433 |
| SMB-11150 | In appliances running version R80.20.00 in locally managed mode: When the user configures a server object with "Manually configure access policy to this server", manually configured access policy rules with the server object as the destination are not enforced correctly. | R80.20.00 | R80.20.01 |
| SMB-8464 | When a QoS rule is configured to be applied to a specific time/day/date, it is not limited to those specifications. | R80.20 GA | R80.20 |
| SMB-7992 | In locally managed appliances, H.323 is not supported in the hide NAT configuration. | R80.20 GA | - |
| - | Identity Awareness AD Query functionality is supported when the domain controller server is part of one of the internal networks. | R80.20 GA | - |
WebUI
SMB-12733
When you create an internet connection with a static IP, the default gateway field does not appear in the WebUI if the appliance's DNS servers are configured manually.
R80.20.05
R80.20.10 Build 992001433
SMB-12426
The administrator can not log in to the WebUI after logging out multiple times while browsing the Active Devices page.
R80.20.05
R80.20.10 Build 992001433
SMB-11423
Changing the Web and SSH admin access ports (4434 and 22, respectively) to customized values does not take effect.
Workaround: Add an incoming access rule to allow the customized ports.
R80.20.01
R80.20.05
SMB-11555
Before a license is applied to 1530 and 1570 appliances, the 1550 and 1590 appliance names appear in the First Time Configuration wizard and the WebUI. After the license is applied, the correct appliance names appear in the WebUI.
R80.20.01
R80.20.05
SMB-10029
Changing the order of the SSL inspection exceptions in the WebUI does not show in the WebUI display even though the order is changed and this can be seen in CLI.
Workaround: To change the order, delete the exception and then add it in the new location.
R80.20 GA
-
SMB-14832
This pop-up error message may appear in the WebUI when CPU usage is temporarily high: "Connectivity with the appliance was temporarily lost during the last operation"
Workaround: Refresh the browser
R80.20 GA
-
SMB-10218
Active devices do not support object names in Hebrew.
R80.20 GA
-
SMB-12761
In 1590 appliances: In Firewall Access rules of the type "Incoming, Internal and VPN traffic", you cannot select "internet" as a source or destination in the WebUI.
R80.20 GA
-
01261065
These characters cannot be used in WebUI textual fields:
single quote - '
double quote - "
backslash - \
R80.20 GA
-
01098614
Toggling between Central and Local Management modes of the appliance is not supported when a cluster is configured. To change to Central Management mode, an administrator must first disable the local cluster.
R80.20 GA
-
01102696
Because there is no direct Delete option, RADIUS servers are deleted by clearing the contents of the fields in the Configure RADIUS servers window in the WebUI (VPN tab -> Authentication Servers page -> RADIUS servers link).
R80.20 GA
-
01469798
Configuration of the serial port through Advanced Settings is not supported when an Internet connection is configured to an analog modem through the serial port.
R80.20 GA
-
01610850
When defining server objects, the "Force translated traffic to return to the gateway" option is intended for traffic originating from internal sources. However, currently the source of all traffic to the server is translated and hidden behind the gateway's IP address, not only traffic from internal sources.
R80.20 GA
-
01596220
Host objects can be defined with names of up to 32 characters.
R80.20 GA
-
01582663
When a log in a locally managed appliance shows the "myown_obj" object, this object refers to the appliance itself.
R80.20 GA
-
01675566
In locally managed appliances, in the Threat Prevention Exceptions page -> Malware Exceptions section, if the "Scope" field is not set to "Any", the exception may not be matched.
R80.20 GA
-
01667323
The Identity Awareness portal sometimes does not display correctly in a Chrome browser.
When more than one VAP is added to a local network switch or bridge, a VAP cannot be unassigned from it.
Workaround: Delete the VAP and then recreate it.
R80.20 GA
-
SMB-4869
After replacing the web portal certificate, login to the administration web portal fails with a "Connectivity error. Refresh page and retry" message because of the browser's certificate caching mechanism.
Workaround: Refresh the page.
R77.20
-
SMB-4792
Attempting to configure the same feature through the WebUI and the CLI at the same time may cause settings to be overridden, depending on the timing of the submissions.
R77.20
-
WatchTower
SMB-12288
When the user opens the Device Details page in the WatchTower application, a gateway permission error appears.
R80.20.01
R80.20.10 Build 992001433
Zero Touch
SMB-14915
When Zero Touch is used, the appliance is always set to locally managed mode before the clish script (defined by the user on the Zero Touch server) runs, because the Zero Touch server injects the command "set security-management mode locally-managed" by default before the user-defined script.
R80.20 GA
-
SMB-13704
Zero Touch works with WAN and LTE interfaces, but not with the DMZ interface.
R80.20.15
-