This is a live document that may be updated without special notice. We recommend registering to our weekly updates in order to stay up to date. To register go to UserCenter > ASSETS / INFO > My Subscriptions.

For more information on R80.40, see the R80.40 Release Notes, R80.40 Home Page and R80.40 Resolved Issues.
Visit Check Point CheckMates Community to ask questions or start a discussion and get our experts assistance.

Important notes:

• To see if an issue has been fixed in other releases or Jumbo Hotfixes, search for the issue ID in Support Center.
  
  
• To get a fix for an issue listed below contact Check Point Support with the issue ID. 

Unsupported Features

ID	Description	Found in version
Installation and Upgrade
LOM-899	Installing R80.40 in LOM Card on 21400 appliances is not supported.	R80.40
Gaia OS
PMTR-48258	The Gaia "Cloning Group" feature (all its modes) is not supported in a Multi-Version Cluster (while cluster members run different release versions).	R80.40
PMTR-42987	Running Hardware Diagnostic Tool on 3100 & 3200 appliances is not supported for loopback test on eth1 through eth4.	R80.40
PMTR-29460	Gaia Snapshot operations for importing files larger than 4GB are not supported with Internet Explorer 11.	R80.30
PMTR-53785	These strings are forbidden for use in Gaia Portal and Gaia Clish (they cannot be part of any name or any user input): eval, after, apply, catch, subset, exec.	R80.20
PMTR-13683	Saving the Hardware Diagnostic Tool logs to a USB stick is not supported if the USB stick is formatted as NTFS.	R80.20.M1
GAIA-3267, GAIA-2907, GAIA-2909	Hardware Diagnostic Tool is not supported using Disk on Key (USB).	R80.10
Security Management
PMTR-58843	Revert to Revision is not supported in these scenarios: The Endpoint Security Management Server is enabled. If SmartConsole and the Security Management Server are connected through a proxy server, the GUI for this feature is not supported. In this case, use the applicable API command. VSX configuration or related networks differ between the source and target revisions. A new Domain Management Server or a Check Point object was created or deleted after the target revision date. The corresponding revision of the Global Domain, or the IPS or Application Control components was purged.	R80.40
PRHF-15143	The SmartConsole "Extensions" feature is supported only when SmartConsole connects to the IP address defined as the main IP address of the Management Server object. Example: If a Security Management Server or Multi-Domain Server has more than one interface with assigned IP addresses, SmartConsole must connect to the main IP address defined in the Management Server object.	R80.20
02510367, PMTR-47633	The ability to edit the list of additional information fields that can be added to a Domain, administrator, and gateway is not supported.	R80.10
01459162, PMTR-47144	Security Gateway / VSX gateway conversion, or conversion in the opposite direction, is not supported.	R80
Management High Availability
CPM-1167	Management High Availability is supported only between Management High Availability servers with the same build number. To see the build number, run cpinfo -y FW1	R80.10
Multi-Domain Management
PMTR-17365	The "Install Policy" action from a Multi-Domain Server (also through "Install Policy Presets") does not support QoS and Desktop policies.	R80.20.M1
PMTR-14989	Multi-Domain Security Management does not support IPv6 address configuration.	R80.20.M1
PMTR-47582	For Multi-Domain Log Servers, Remote Log Servers that are not defined as Domain Log Servers are not supported.	R80
PMTR-45085	The "p1shell" command is not supported on Multi-Domain Server.	R80
01694997, PMTR-47182	Administrator groups and Domain groups are not supported and cannot be viewed or used in the SmartConsole.	R80
SmartConsole / Management Console
PMTR-49506	LSMcli "Convert ROBO" and "Convert Gateway" commands are not supported.	R80.40
PMTR-29092	Sorting users according to expiration date is not supported.	R80.20
PMTR-20430	R80.x SmartConsole is not supported for case-sensitive installation folder. Installation of SmartConsole complets successfully, but SmartConsole fails to start with this error message: [Window Title] C:\Program Files (x86)\CheckPoint\SmartConsole\R80.20\PROGRAM\SmartConsole.exe [Content] C:\Program Files (x86)\CheckPoint\SmartConsole\R80.20\PROGRAM\SmartConsole.exe The application has failed to start because its side-by-side configuration is incorrect. Please see the application event log or use the command-line sxstrace.exe tool for more detail.	R80.20
PMTR-12437	In Full HA cluster, the "Install Database" operation is supported only on the Cluster object (and not on the individual cluster members objects).	R80.20.M1
PMTR-50263	No warning is displayed, if an empty Network Group object appears in the "Source" or "Destination" column of an Access Control policy rule.	R80.10
ACM-1140	Creating new services in R80.x is not supported via Embedded Dashboard. New service creation can be done only from SmartConsole.	R80.10
PMTR-57122	Search for section titles is not supported.| Search strings that contain non-alphanumeric character (whitespace, underscore, and so on) are not supported. Example: If you enter a search string "obj_ho", the search results show all strings that contain "obj" and "ho", such as: "obj_host", "object1", "host2". The search does not highlight the results as expected.	R80
-	Changes to the Traditional Anti-Virus file types policy are not supported since R80. Use the Anti-Virus blade to change the out-of-the-box Check Point policy.	R80
Licensing
01909120, 02015912, PMTR-47087	These products do not support the new licensing visibility features: Network Security: Advanced Networking and Clustering, Capsule Cloud and Capsule Workspace. Security Management: Endpoint Policy Management, SmartPortal, User Directory (LDAP). Multi-Domain Management: Security Domain Remote Access & Endpoint	R80
SNMP
PMTR-4311, CPM-1174	SNMP is not supported on Multi-Domain Management / Multi-Domain Log servers.	R7x
Logging / SmartLog
PMTR-40514	In the SmartConsole -> Logs & Monitor view -> [ + ] New Tab -> Views, sorting of the Favorites and Shared columns is not supported.	R80.40
02478527, PMTR-47703	Purge, log switch and fetch file are not supported from SmartConsole.	R80.10
ICAP
PMTR-28828	ICAP is not supported when Anti-Virus Deep Scan, Threat Extraction over HTTP or Threat Emulation hold mode is set.	R80.30
PMTR-16958	The ICAP Server feature is not supported in VSX mode deployment.	R80.20
SmartProvisioning
PMTR-54979	When managing devices with the SmartProvisioning Software Blade, on the devices you must configure the connection with the Security Management Server using the IPv4 address in the "connect security-management mgmt-addr <IPv4 address of Security Management Server>" command (it is not supported to use the FQDN of the Security Management Server in this command).	R80.40
SmartEvent
PMTR-39873	Login to SmartView Web application is supported only using Check Point Password authentication.	R80
-	SmartEvent is not supported on Full HA environment.	R7x
Security Gateway
PMTR-68991	ISP Redundancy is not supported if Dynamic Routing is configured (because the ISP Redundancy feature must create a static default route that overrides the default route created by dynamic routing).	R7x
ClusterXL
PMTR-70257	In an Active-Active cluster, all multi-portals are not supported (Mobile Access Portal, Identity Awareness Captive Portal, Data Loss Prevention Portal, and so on).	R80.40
PMTR-70258	In an Active-Active cluster, NAT on the IP addresses that belong to cluster interfaces is not supported (because it does not survive cluster failover).	R80.40
PMTR-70259	In an Active-Active cluster, in the cluster object properties, go the Network Management page, select a cluster interface and click Edit. In the Network Type field, it is not supported to select "Cluster+Sync" when you deploy a cluster in a cloud (for example: AWS, Azure).	R80.40
CLUS-1582	Site-to-Site (IPSec VPN) is not supported with ClusterXL in Load Sharing mode.	R80.40
MB-30, PMTR-21154, PMTR-48562	Load Sharing mode is not supported starting from ClusterXL R80.20. For more information about this configuration, refer to sk162637.	R80.30
PMTR-48477	ICAP Client and ICAP Server are not supported with ClusterXL Load Sharing modes. ICAP Server is not supported with VSX Virtual System Load Sharing (VSLS).	R80.10
PMTR-71376	Check Point cluster does not support PPPoE (Point-to-Point Protocol over Ethernet).	R80
CoreXL
PMTR-49510	Dynamic Split is not supported on a Security Gateway (or Cluster Members) with Bridge interfaces. Support is added in Jumbo Hotfix Accumulator for R80.40 Take 25	R80.40
Dynamic Routing / Advanced Routing
PMTR-19481	PIM is not supported on a Security Gateway / Cluster, when Route Based VPN is configured.	R80.20
QoS
PMTR-47609	Convert QoS from Express to Traditional is not supported.	R80.10
VSX
PMTR-47590	Explicit conversion is not supported.	R80
00892773, PMTR-47781, GNG-1373	VTI interfaces are not supported in VSX mode.	R7x
Identity Awareness
-	Using Identity Awareness Captive Portal with an external SAML identity provider is not supported with Internet Explorer version 10 or lower.	R80.40
PMTR-44737	Multi-User Host (MUH) version 2 is not supported with IPv6 and does not initiate a connection to an IPv6 Security Gateway. It stays in "Disconnected" state and users are not identified.	R80.40
00592404, PMTR-64495	Identity Awareness does not support authentication of Primary Groups of user and computer accounts. By default, the Primary Groups are 'Domain Users' and 'Domain Computers'. Access roles that are defined with User groups do not work for users with which those user groups are their primary group. To use the entire Accounting Unit in an Access Role, use an LDAP group.	R7x
Mobile Access
PMTR-47591	Mobile Access does not support viewing or editing files with 'Office Online apps', Microsoft's browser-based Office applications. Outlook Web Access is supported, however you cannot open or edit Office Online app files from emails.	R7x
01147075, 02302626	Mobile Access Portal supports Outlook Web App 2013 / 2016 only with the Path Translation (PT) method. The Hostname Translation (HT) method is supported when cookies on the endpoint machine are configured. The URL Translation (UT) method is not supported.	R7x
01595256, 01586057, PMTR-47745	The Mobile Access Portal does not support Web-Form SSO for Citrix StoreFront Web interface.	R80.10
VPN
02369930, PMTR-47783	NAT-T initiator is not supported on VSX Gateways.	R80.10
01874986, PMTR-47235	Convert Traditional VPN to Simplified is not supported.	R80
Networking
01622840, PMTR-47313	IPv6 addresses for management interface are not supported on R80.x Security Management Server.	R7x

Installation and Upgrade

ID	Description	Found in version
Installation and Upgrade
SMCUPG-1248	In case of a failure in one of the Domains, during an upgrade of a Multi-Domain Server from R80.20.M1, R80.20, R80.20.M2, or R80.30 to R80.40 using an Advanced upgrade, the entire upgrade process stops and does not continue to upgrade additional Domains. To resolve: Follow the instructions in the HTML upgrade report. After the issue is resolved, start the entire upgrade again.	R80.40
PMTR-17316	To upgrade a Security Gateway with ICAP Client hotfix to a R80.40 Security Gateway: On the origin Security Gateway, back up the current ICAP Client configuration file ($FWDIR/conf/icap_client_blade_configuration.C). Upgrade the Security Gateway to R80.40, or perform a Clean Install of the R80.40 Security Gateway. Configure the ICAP Client from scratch as described in the R80.40 Next Generation Security Gateway Guide - Chapter "ICAP Client". Note:  You can use the backed up ICAP Client configuration file from the R77.30 Security Gateway as a reference only. You must explicitly confirm the disclaimer (run the script IcapDisclaimer.sh in the Expert mode). To inspect the HTTPS traffic with the ICAP Client, enable the HTTPS Inspection and configure the HTTPS Inspection rules. Install the Access Control policy on the R80.40 Security Gateway. Note: If one of the ICAP configuration parameters is not configured correctly, SmartConsole shows an error with the name of the applicable parameter.	R80.20
PMTR-13035	When you perform a clean install of an R80.x on top of an existing previous version, the following error might appear after the keyboard layout selection screen:  Warning: /dev/sda contains GPT signatures, indicating that it has a GPT table. However, it does not have a valid fake msdos partition table, as it should. Perhaps it was corrupted - possibly by a program that doesn't understand GPT partition tables. Or perhaps you deleted the GPT table, and are now using an msdos partition table. Is this a GPT partition table? In such case, select "Yes" several times to continue with the installation.	R80.20
VSECPC-1341, TP-1790, TP-1953	It is not supported to perform an in-place upgrade to R80.40 Security Management Server or Multi-Domain Security Management Server that runs in CloudGuard for Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or any other cloud providers.	R80.20.M1
SMCUPG-457	To upgrade an R80.20.M1 Multi-Domain Management Server with configured Global Policies to the next available version:  Connect with SmartConsole to the Global Domain on your R80.20.M2 Multi-Domain Server. Reassign all Global Policies to all applicable Domains. Do not publish any changes in the Global Domain until you complete the upgrade to the next available version. Note: This is necessary to avoid any potential issues caused by different policy revisions on the Global Domain and on the Domains. Perform the upgrade from the R80.20.M1 to the next available version.	R80.20.M1
-	R80.x supports only ext3 & ext4 file systems on Red Hat Enterprise Linux.	R80.10
01929622, PMTR-47045	After upgrade of 1180 and 1450 appliances, the "Gateways & Servers" view does not show version numbers in the Version column. To resolve and see the version numbers, open the gateway object for editing, make sure the correct version is selected and click OK.	R80.10
01505445, PMTR-47047	After upgrade оf R7X Stand Alone Server, SmartConsole disconnects from the server during the first policy install. To resolve, before a first policy installation on Standalone servers, allow the CPM service in the Services & Applications column of the rulebase.	R80
01986530, PMTR-47079	Importing a large SmartEvent database can take a long time to complete. Check the upgrade status for progress.	R80
01815141, PMTR-47084	Database Revisions are not upgraded to R80.x Security Management Server during the upgrade process from Pre-R80 versions.	R80
01887799, 02058605, PMTR-47077	In R80.x, indexing is done by a new process called Indexer. Indexer works similar to SmartLog R77.xx but has its own configuration files stored in $INDEXERDIR. Customers who defined manually indexing configuration from remote log servers (via LEA) in SmartLog R77.x or below, should manually move them to the new configuration files. To copy settings from SmartLog R77.x configuration files to the new Indexer process configuration files: For SmartLog servers only: After upgrading to R80.x, copy the remote log servers configured in $SMARTLOGDIR/smartlog_settings.txt file to $INDEXERDIR/log_indexer_custom_settings.conf. For SmartEvent with SmartLog server: Remote log servers configured in $SMARTLOGDIR/smartlog_settings.txt are not automatically upgraded. Manually configure the log servers in SmartEvent GUI -> correlation unit policy.	R80
PMTR-10880, PMTR-12915	"Database is locked" error message when running the migrate_export command on a R7x Security Management. To resolve: run cpstop or mdsstop and attempt the export again.	R7x
01549207, 01884161, PRHF-7325, PMTR-47257	Clean install from USB device fails on Open Server because the installation process (anaconda) includes the USB installation media as part of the installation target. Refer to sk100566.	R7x
01876717, PMTR-47252	SmartEvent blade disabled after advanced upgrade to R80.x. To resolve: in the SmartEvent server object in the SmartConsole, re-enable the SmartEvent server Blade (and Correlation unit) -> Install database on it.	R7x
Deployment
PMTR-46384	Hotfix central deployment depends on the status reports from the gateways. Therefore, it is recommended to wait for 2 minutes after the gateways are up before running any operation.	R80.40
PMTR-48483	R80.40 for Open Servers is supported only for Security Management. Security Gateways and Standalone configuration are supported on VMware, Hyper-V and KVM. R80.40 is fully supported on all Check Point appliances Security Gateway support for Open Servers was added in R80.40 Jumbo Hotfix Accumulator Take 25.	R80.40
PMTR-46427	Central Deployment in SmartConsole does not support installation of a Hotfix or a Jumbo Hotfix Accumulator on a ClusterXL in the Load Sharing mode.	R80.40

Licensing

ID	Description	Found in version
Licensing
01925987, PMTR-47089	"Licensing status not available for current OS" message shows in the Logs & Monitoring view. SmartConsole does not support licensing information for Windows, SecurePlatform and Virtual Systems. Use the licenses tab in SmartUpdate to see the licensing information for the OS.	R80
01963269, PMTR-47091	If the SmartEvent Software Blade is activated, but only the SmartEvent Intro license is installed, the License Status shows "N/A".	R80
01934260, PMTR-47532	When loaded for the first time, web components such as the licensing or monitoring view can take up to thirty seconds to show.	R80
01972866, PMTR-47101	In the License Status View, the Additional Info column, quota information and quota statuses are not available for pre-R80 gateways and servers.	R80
01972797, PMTR-47103	Automatic license activation on Check Point appliances is not available on pre-R80 appliances.	R80
01972899, PMTR-47105	On pre-R80 gateways, license information is updated every 20 minutes. To resolve, force a license update, perform one of the following actions: Either install security policy on the pre-R80 gateway Or on the R80.x Management Server, run the following command in Expert mode: On Security Management Server: [Expert@HostName]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object> On Multi-Domain Security Management Server: [Expert@HostName]# mdsenv <Name of Domain Management Server> [Expert@HostName]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>	R80
01976925, PMTR-47108	Automatic license activation on a Multi-Domain Management Server machine works only on the MDS level and not on the Domain level. Add licenses manually for each Domain.	R80
01964575, PMTR-47112	Login to primary Domain SmartConsole fails with "Database is locked by another application" error. To resolve: run the cprestart command on the Management Server.	R80
01972917, PMTR-47116	After installation, the Device License Status shows N/A and the Device License View is not accessible until policy or database are installed. When blades are enabled or disabled, the changes are not visible in the Device License Views and Status until policy or database are installed.	R80
01972951, PMTR-47308	The proxy that synchronizes license information with the User Center, must be at least R80 server.	R7x
01951434, PMTR-47531	On a Pre-R80 SmartEvent NGSE dedicated machine, license information is not automatically updated when Installing Database. When you enable or disable a blade, one of the following will update the license information with the change: If you force a license update, changes occur immediately. To force a license update: On the R80.10 Security Management Server, run the following command in Expert mode: [Expert@HostName]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object> Automatic update at midnight If you manually change a license or contract on a dedicated machine, changes take effect within 20 minutes	R7x

Security Gateway and Gaia OS

ID	Description	Found in version
Networking
PMTR-50502	On a CloudGuard Security Gateway for Google Cloud Platform (GCP), KVM, or OpenStack, outputs of these commands show empty RX and TX statistics for VirtIO: ethtool -S <name of interface that uses the 'virtio' driver> cat /proc/interrupts mq_mng --show -v	R80.40
Security Gateway
PMTR-56297	In a rare scenario, the Security Gateway may crash and reboot if multiple slave interfaces are deleted at the same time from an 802.3AD bond interface (for example, with the "clish -f" command).	R80.40
PMTR-37712	It is not possible to add updatable objects to network groups.	R80.40
GAIA-1953	Multi-Queue configuration is not preserved during a Security Gateway upgrade from a Gaia OS with the Linux 2.6 kernel to a Gaia OS with the Linux 3.10 kernel. After the upgrade, it is necessary to configure Multi-Queue again (sk153373). Example: Upgrade from R80.20 to R80.30 v3.10, from R80.20 to R80.40, and so on.	R80.30
PMTR-48661	When changing the Gaia Management interface, on which Multi-Queue is configured, to a different interface, the Multi-Queue state on the original interface will remain 'off', even when using a global Multi-Queue mode 'auto'. To resolve: refer to sk167200.	R80.30
PMTR-38747	Output of the "fw ctl zdebug + drop" command shows messages about connection drops, in addition to Firewall drops.  These are internal debug messages that do not reflect real Firewall drops. To avoid them, use one of these: The "fw ctl zdebug drop" command without the "+" character in the syntax The full debug procedure	R80.20
02472857, 02470077, PMTR-42525	When Using a rule with legacy object, in or below a rule with one of the new features that are integrated in the unified policy, install policy on a Security Gateway fails with a verification message. To resolve: change the order of the rules so that rules with legacy objects are above rules with new features. Refer to sk115961.	R80.10
01584742, PMTR-47866	"Get Interfaces" action on gateway returns error "Failed to save cpmi interfaces" if interface name includes space. Gateway interface names must not include spaces.	R80
02537839, 02539556, PMTR-17546	Logging session does not switch to the backup logging server after connectivity loss. Refer to sk118697.	R7x
PRHF-66, 01593807, 02728705, 01683689	SAM rules generate large amount of "fwsam_v1_filter: matched rule is not found" messages. Refer to sk105347.	R7x
02508239, PMTR-47567	"No Such Instance currently exists at this OID" error message after installing R77.30 Jumbo Hotfix Take_225. Refer to sk117353.	R77.30
Gaia OS
PMTR-18774	To upgrade a 21000 series appliance with the SAM card (sk107157) from R80.10 (or lower) to R80.40 (or higher), you must disable the SAM Mode on all the interfaces before the upgrade: Disable the SAM mode on all the interfaces in either Gaia Portal or Gaia Clish: In Gaia Portal: In the Network Management section, click Network Interfaces > edit each interface > go to the SAM tab > clear the box Enable SAM Mode > click OK In Gaia Clish: set interface <Name of Interface> sam-mode off save config Reboot the appliance Upgrade the appliance Reboot the appliance	R80.40
PRJ-8583, PMTR-48127	Multi-Queue configuration cannot be assigned to interfaces that use the "mlx5_core" driver (to check, run the "ethtool -i <name of interface>" command).	R80.40
PMTR-50501	Output of the "ethtool --show-channels <name of interface>" command does not show the actual number of queues on an interface. Example: Although an interface was affined to a single CPU core with this command: mq_mng --set-mode manual --interface <name of interface> --core <ID> Output of this command shows the wrong value in the "Combined" field: ethtool --show-channels <name of interface>	R80.40
SMCUPG-1254	When connected to Gaia Portal with Internet Explorer and during an upgrade with CPUSE click the "Upgrade Report" link, the report window opens blank and does not show any information. To resolve: Connect to Gaia Portal with another browser (for example, Chrome, Firefox).	R80.40
PMTR-45939	When the system goes into reboot, the message "umount: /var/log: target is busy" appears on the console, as the system attempts to unmount partitions.	R80.40
GAIA-6676	When using the 'set-time-and-date' API call, the administrator may be reacquired to log in again if the session expires.	R80.40
PMTR-46932	In R80.40, the default value of the Linux kernel parameter /proc/sys/net/ipv6/conf/all/accept_dad is set to '0'. The IPv6 Duplicate Address Detection (DAD) feature is still enabled by default ('set neighbor duplicate-detection state on').	R80.40
PMTR-46762	Instead of the Gaia Clish command "show neighbors dynamic-table", use the Expert mode command "ip -6 neigh" to see the IPv6 neighbors.	R80.40
PMTR-40973	It is not supported to downgrade with CPUSE from R80.40 with kernel 3.10 to R80.30 with kernel 2.6, R80.20, R80.10, or lower versions. Refer to sk170954.	R80.40
ACCL-417	The following were removed: CPView Network -> Top-Protocols and Network -> Top-Connections tabs.	R80.30
GAIA-5737	Duplicate ping messages may appear when configuring bonding groups (~30 sec), one over the X722 based network interfaces and the other on Intel X710 Based network interfaces.	R80.30
GAIA-3490	10GbE i40e NICs determine their link-speed based on the type of connected transceiver (1G ot 10G) and cannot be changed manually.	R80.30
GAIA-3345	Changing the MTU on the directly connected switches may cause drops of fragmented traffic due to a MTU mismatch.	R80.30
GAIA-3205	Cannot change interface link speed to 1000MB after it is changed to 100MB.	R80.30
GAIA-3180	On HP Open servers with onboard NIC, the Interface status in the switch might be shown as "Connected" even though the state in Gaia is "off".	R80.30
GAIA-2650	On CloudGuard for AWS, speed and duplex information is not available when using the ethtool.	R80.30
PMTR-17540, GAIA-2926	The Linux "iotop" utility might stop working when pressing the "i" key in the following rare scenarios: Working in virtual environments (such as Hyper-V) Terminal application uses specific virtual terminal settings (such as specific SecureCRT terminal settings)	R80.20.M1
PMTR-13029, PMTR-13021	"[Firmware Bug]: the BIOS has corrupted hw-PMU resources" message may appears in the output of "dmesg" command on any HP ProLiant Server running Gaia. You can safely ignore this message - it does not indicate an issue with the functionality or performance of the Operating System or the server.  For details, see Hewlett Packard Enterprise Customer Advisory c03265132.	R80.20.M1
02039589, PMTR-47577	If the backup schedule is changed to an invalid date or time, all backup schedules are lost and "Backup schedule failed. The backup will not be scheduled" error message is displayed.	R80.10
02386300, PMTR-47574	The Maintenance -> Maintenance page in the Gaia Portal was removed.	R80.10
01967996, PMTR-47120	When connecting to the network interfaces page in the Gaia Portal, an "Unable to connect to server" error shows. To resolve: disable the Adblock EasyPrivacy extension of the Adblock plus add-on and try again.	R80
01441743, PMTR-47126	If you change the members of a Gaia Cloning Group with many members down, you are logged out of the Gaia Portal with an incorrect error message: "Unable to connect to server". The correct message is: "An error occurred while applying configuration change to all cloning group members" - the operation was successful only for online members. This is the normal behavior of the cloning group. This error does not indicate a critical failure.	R80
01983922, PMTR-47335	The last stage of the First Time Configuration Wizard takes a long time on some machines. To see the progress of the First Time Configuration Wizard, the user must check if these files were created on the machine: /etc/.wizard_accepted - means that the First Time Configuration Wizard has finished. /var/log/ftw_install.log - means the First Time Configuration Wizard has started and the user must wait until the file /etc/.wizard_accepted is created.	R7x
02423303, 02423845, PMTR-47323	Newly configured user (with UID that is not 0) is not able to log in from Gaia Clish to Expert mode on VSX Gateway. Refer to sk115221.	R7x
01987789, 01996692, PMTR-47328	"WARNING The following features: NameOfFeature, , provide a privilege level equivalent to that of 'adminRole'" message in Clish when adding some read-only commands to RBA role. Refer to sk110772.	R7x
02085699, 02189660, PMTR-47330	Hardware Diagnostic Tool test fails on "Self-test" for 1GbE expansion cards when an SFP transceiver for RJ45 (Copper) is connected to the appliance.  Refer to sk112857.	R7x
01111060, 02356903, 01309032, PMTR-29320	Saving the configuration on Gaia OS times out with "NMSCFD0026 Timeout waiting for response from database server" error.  Refer to sk113746	R7x
Hardware
HCL-12	The HP ProLiant DL380 Gen10 does not detect all USB devices, including various USB flash drives (regardless of its content). This is not a software issue. If a bootable USB device (with Check Point Gaia, CentOS or any other OS) is not recognized by this server, try a different USB device vendor.	R80.20
ACCHA-802	On a Check Point appliance with an Expansion Line Card installed, the output of the "dmesg" command shows these errors: pci 0000:XX:00.X: BAR <NUMBER>: failed to assign [mem size 0x<NUMBER> 64bit pref] You can safely ignore these messages.	R80.10
CoreXL
PMTR-50242	Changes in CoreXL configuration are not preserved after a reboot on a CloudGuard Security Gateway in AWS or Azure.	R80.40
SecureXL
PMTR-18774	SAM is supported only for non-accelerated usage. Traffic connected to the Acceleration-ready 10G Interface Card (CPAC-ACCL-4-10F-21000) is handled by the host. 10G Ports on the CPAC-ACCL-4-10F-21000 cannot be assigned as SAM ports.	R80.20
ClusterXL
PMTR-70255	In an Active-Active cluster, only these Software Blades are supported: Firewall IPS	R80.40
PMTR-70251	In an Active-Active cluster, only two cluster members are supported - one cluster member on each site.	R80.40
PMTR-70256	In an Active-Active cluster, names of interfaces that belong to the same "side" must be identical on all cluster members. Example: If you connected the interface eth1 to Switch #A on one Cluster Member, then you must connect the interface eth1 to Switch #A on all other Cluster Members.	R80.40
PMTR-70260	In an Active-Active cluster, in the cluster object properties, go the Network Management page, select a cluster interface and click Edit. In the Topology section, only these options are supported for cluster interfaces: Override > Network defined by routes (this is the default). Override > Specific > select the applicable Network object or Network Group object.	R80.40
PROV-1645	In the output of the "show-simple-cluster" API command, the "last-modify-time" is not updated when the cluster member object is changed (for example: the IP address is changed or a comment is added). This field is only updated when a cluster member is added to a cluster object.	R80.40
PROV-1953, PROV-1958	The "show-gateways-and-servers" API shows the Cluster Member object type as "type": "CpmiClusterMember". The "show-gateways-and-servers" API shows the Cluster object type as "type": "CpmiGatewayCluster". The "show-simple-cluster" API (or "show-simple-clusters" API) shows the Cluster object type as "type": "simple-cluster".	R80.40
PROV-2054	The "cphaprob -a if" command does not recognize ClusterXL VIP addresses in this scenario:  The cluster object was created with Cluster API  The Cluster VIP addresses and the Cluster Members' IP addresses belong to different subnets  Policy was installed on the cluster object To resolve, perform one of the below solutions: Create this cluster object in SmartConsole instead of Cluster API. Use GuiDBEdit Tool / dbedit / Generic API to change the value of the "member_network" field in the cluster object to contain the subnet of cluster members.	R80.40
PMTR-41292	In an Active-Active cluster, if you enabled Dynamic Routing on each Cluster Member, you must enable the Bidirectional Forwarding Detection (BFD - 'ip-reachability-detection') on each interface that is configured for dynamic routing.	R80.40
CLUS-1752	ClusterXL in Load Sharing mode may drop traffic after a cluster member is rebooted, due to inconsistency of MAC addresses saved in the Firewall kernel and in SecureXL kernel. To resolve: In SmartConsole, install the applicable Access Control policy on this cluster.	R80.10
Dynamic Routing / Advanced Routing
PMTR-13658	In PIM Dense Mode, when a new PIM router joins the existing network, it may take up to two cycles of PIM prune timer and/or downstream IGMP report interval, for the intended multicast traffic to start flowing. To improve the PIM-DM responsiveness, user can enforce the local-groups / static-groups configuration.	R80.20
PMTR-4925	When advertising IPv4 routes over an IPv6 BGP session, one of the following needs to be true: Routemap is used to set the nexthop of the IPv4 routes The interface used for the BGP session needs to have an IPv4 address  When advertising IPv6 routes over an IPv4 BGP session, one of the following needs to be true: Routemap is used to set the nexthop of the IPv6 routes  The interface used for the BGP session needs to have an IPv6 address	R80.20
01338366, 02014813, PMTR-47725	On a Security Gateway that is configured with DHCP relay and automatic Hide NAT for the network(s) that the DHCP requests come from, DHCP offers are dropped at the gateway. This message shows: fw_log_drop_ex: Packet proto=17 40.81.81.3:67 -> 44.81.81.6:67 dropped by fw_conn_inspect Reason: post lookup verification failed; To resolve: before the Hide NAT rule, add a NAT rule that prevents the translation when traffic is on port 67, and is going to the DHCP server. Make the NAT similar to this: Original Packet: Source = Source network(s) for DHCP requests       Destination = DHCP server Service = UDP_bootp  Translated Packet: Source = Original Destination= Original Service = Original	R80.10
VSX
PMTR-59845	Installation or upgrade of Mobile Access Portal Agent on an end-user's computer may fail on a VSX Gateway or VSX Cluster. For more information, see sk169614.	R80.40
PMTR-47869	The "vsx stat -v" command does not work after reverting to Gaia Autosnapshot (a snapshot created automatically by the CPUSE Upgrade). To resolve: Use the "fw vsx stat -v" command instead.	R80.40
PMTR-65592	The name of the VSX Gateway / VSX Cluster object must be shorter than 27 characters.	R80.10
01298013, 01347319, PMTR-47561	The "vsx_util reconfigure" command fails with "Failed to fetch configuration information from". Refer to sk98001.	R7x
01275204, 01978034, PMTR-47563	In SmartView Monitor, Firewall History and System History system counters do not show any data.	R7x
01618097, PMTR-47497	"vsx_util reconfigure" command on Security Management Server / Domain Management Server fails to resume with "Error: Interface 'Interface_Name' exists in the management database, but not on the gateway". Refer to sk105441.	R7x
VPN
PMTR-25046, PMTR-33694	After running the "cpstop ; cpstart" commands, the "FW-1: fwconn_chain_get_opaque: invalid id -1" message appears repeatedly on the screen and in the dmesg. This is a cosmetic issue only.	R80.20
PMTR-15415	Communication errors occur between the Security Gateways managed by R80.20 M1 Multi-Domain Server and participating in Global VPN Communities when there are more than one certificate for the same Internal CA. Refer to sk136972.	R80.20
02455402, PMTR-47752	The VPN client shows as "Not Compliant" when it is not compliant according to the local.scv file, even if SCV is disabled. To resolve: Configure the VPN site again on the client.	R80.10
01311326, 01455241, PMTR-47501	When using a VPN client, activity logs are not generated for ICMP traffic.	R7x
02065326, PMTR-47503	R77.30 and lower gateways do not support R80.x gateways that are configured as NAT-T initiators. The R77.30 and lower gateways only recognize 3rd-party devices for NAT-T initiation.	R7x
02564507, 02570956, PMTR-17557	Client Setting "Calculate IP based on topology" breaks when using host. Refer to sk120121.	R7x
02701519, 02701727, PMTR-32305	RADIUS authentication fails for LDAP users as the gateway uses sAMAccountName and not UPN when UPN is needed. Refer to sk122477.	R7x
LTE
PMTR-21435	Policy verification fails if the policy contains GTP or Diameter services, and you install it on an R80.30 Security Gateway. To resolve, refer to sk120141.	R7x
00829371, PMTR-47540	SCTP or Diameter objects cannot be the service of a manual NAT rule. Static NAT will still be applied for rules that match SCTP if the service is set to "Any". All NAT methods can be applied for Diameter over TCP traffic if the service is set to "Any".	R7x
QoS
PMTR-26017	Values set for Maximum rule weight and Default weight of rule in the QoS Global properties window in SmartConsole are not applied when creating a new QoS rule.	R80.30
02563501, 02567776, 02567790, PMTR-47566	No warning is displayed if an empty network group object appears in the source or destination column.	R7x

Security Management

ID	Description	Found in version
Security Management
PMTR-59442	SmartConsole may show the popup "SmartDashboard component failed to connect to server <IP Address>" if you upgraded a Management Server and you open a Security Gateway / Cluster object for the first time after the server's upgrade. To resolve: Restart the Check Point services on the Management Server: On a Security Management Server, run in the Expert mode: cpstop ; cpstart On a Multi-Domain Security Management Server, run in the Expert mode: mdsstop ; mdsstart	R80.40
PMTR-68323	SmartConsole shows the error "Publish failed due to session validation errors. Resolve the errors shown in the validation pane and publish again." when publishing a session after editing more than one interface in a cluster object and clicking OK. However, no errors or messages appear in the Validation Pane.	R80.40
PMTR-56332	"Unable to set cluster ID due to exception: Action cannot be executed on object: firewall_properties due to: Object 'firewall_properties' is locked by another session" message on the Management Server when creating 2 or more cluster objects at the same time (for example, with the API "add-simple-cluster"). To resolve:  Create cluster objects one after another (even when different administrators do this task).	R80.40
PMTR-49586	In some scenarios, R77.x custom defined  “Additional info” data might be lost while upgrading using CPUSE offline mode from R80.20/R80.30 Multi-Domain environments to R80.40. To resolve: Use the latest Upgrade Tools package from sk135172.	R80.40
PMTR-41786	Error: "Failed to initiate application list update" is displayed when attempting to update the Application Control & URL Filtering signatures while a migration from a Security Management Server to a Multi-Domain Management Server is in progress. To prevent database corruptions updates are blocked during a migration process.	R80.40
PMTR-48607	To work with an R80.40 Management Server, you must upgrade the User and Device Management (UDM) R77.30.01 to Hotfix #8 according to sk164718.	R80.40
PMTR-45593	The administrator created in the First Time Wizard cannot login to SmartEvent or Log Server. Refer to sk163773.	R80.40
PMTR-63264	Exporting any policy to a CSV file in SmartConsole ('Actions' menu > 'Export') fails with the "An internal error has occurred" message, and the CSV file is empty. The issue occurs if the policy name or a rule name is in the format of UUID (for example, 038645be-e080-4b57-830e-3e58a907dfbb).	R80.20.M2
PMTR-25696	Login to the Secondary Management Server can fail if the SIC certificate is pushed to the Secondary Management Server before its CPM server is up. In this case, the SIC is established, but the login to the Secondary Management Server fails until the CPM server is restarted and reloads the new certificate. To resolve: wait until the CPM server is up, before you establish trust with the Secondary Management Server. This way, the CPM Server restarts automatically due to the SIC establishment and the login succeeds.	R80.20.M2
PMTR-16114	An administrator fails to log in with SmartConsole after another user was configured in SmartConsole with a name identical to that administrator's name and the session was published. Refer to sk133273.	R80.20.M1
PMTR-85342	Security Gateways object managed by R80.40 and below has a missing title on the Anti-Bot / Anti-Virus page.	R80.10
PRHF-14607	Running a one time script on a Security Gateway (that reads files or outputs of commands) using a "One Time Script" feature in SmartConsole or with API may fail after 5 minutes with the "Operation timed out" error. The limit for reading files is 9,730 lines or 730 KB (whichever is reached first).	R80.10
02475794, PMTR-47579	If a connection is matched on a limit action rule, and the connection is not configured to be rematched (the 'Keep all connections' option is selected in the Security Gateway object, or the 'Keep connections open after the policy has been installed' option is selected in the Service object), a new policy installation will cause the limit on the connection not to be enforced.	R80.10
02067095, PMTR-47620	When the trial license is expired, and after adding a new license, the Security Management server does not accept any connection. To resolve: stop and start the server (run cpstop;cpstart) after adding the new license.	R80.10
02361323, PMTR-47622	In some scenarios, re-assign or removal of global assignments succeeds, but changes that were not yet published at the Domain become conflicted. The SmartConsole for the Domain becomes unstable and can show: "Could not load selected policy". To resolve: Discard the changes that were not published in SmartConsole.	R80.10
02496239, PMTR-47777	Policy installation fails with "Policy installation failed on gateway 0-2000040" error and log: "fw_atomic_add_spii_parameter: Failed to get object named <object_name>". To resolve: for all hosts with a server configuration, unselect the servers. Publish the session, then select the servers again, and publish again. For details refer to sk154435.	R80.10
01786890, PMTR-47131	If you create an administrator in cpconfig, you must run cpstop and cpstart, as instructed by cpconfig. After cpstart, no administrators are shown in cpconfig. Administrators configured before the upgrade to R80 are also not shown in cpconfig. To resolve: Manage administrator accounts through SmartConsole.	R80
01986179, PMTR-47149	Global assignment removal fails with "Object could not be deleted because it is referenced by other objects" error. If the search fails to locate the object in the domain, check each application object in the Domain for a reference to the permission profile specified in the error message. Refer to sk110630.	R80
01493302, 01977241, PMTR-47133	Internal user names must contain only English characters. Names in other languages (unicode) will show as question marks in the Users and Administrators window.	R80
01861349, PMTR-47140	"Check your connection settings (Proxy, DNS and gateway)" error shows after IPS and Application Control & URL Filtering update fails if there is no proxy defined. To resolve: Run cpstop and cpstart and try again.	R80
01950023, PMTR-47142	SIC is not allowed by default with upgraded OPSEC applications (OPSEC applications not compiled with SHA-256 support). To resolve: On the Security Management server, run: cpca_client set_sign_hash sha1 (refer to sk103840) Install Database.	R80
01952495, PMTR-47153	lvm_manager fails to resize partitions with "ERROR :Cannot kill process (id XXXXX)". To resolve: Boot the machine into Maintenance Mode and then run lvm_manager.	R80
01848420, PMTR-47444	Applications like Provider.exe and Fwpolicy.exe (SmartDashboard) cannot be used to connect directly to the Security Management server or the Multi-Domain Security Management server. To resolve: Use SmartConsole.exe	R7x
01908530, PMTR-47450	These commands are not supported in the SmartConsole's CLI: login, logout, discard and publish. Use the SmartConsole GUI instead.	R7x
02704776, 02705333, PMTR-41626	Creating secondary Domain Management overrides files in $FWDIR/lib/ directory оn the primary Domain Management. Refer to sk122538.	R7x
01989947, PMTR-47535	Cannot add a VSX objects (router, switch, or system) from the secondary Multi-Domain Management Server when the primary server is powered off. The creation wizard fails to open and an "Operation finished successfully message" shows. To resolve: power on the primary Multi-Domain Management Server and try again.	R7x
02514237, PMTR-47448	If you upgrade a Security Management Server to R80.x with a user.def file that has been edited manually, make sure that the file name includes each gateway version that is managed by the server. Refer to sk98239 for the user.def naming convention. Refer to sk30919 for more information about the user.def file.	R7x
02167186, PMTR-41764 02169523, 02483407, 02496644	The "URL" field shows "*** Confidential ***" in HTTPS Inspection logs on 3rd party LEA OPSEC client. Refer to sk101570.	R7x
02414257, 02403960, PMTR-47457	It is not possible to convert a Standalone deployment (Security Gateway and Security Management on one computer) to a cluster member of a Full HA deployment - or vice versa.	R7x
01536203, PMTR-47438	When selecting the "Use Gaia administrator: admin" option in the First Time Wizard, it lets to reuse the Gaia administrator password for SmartConsole. If you later change this password in SmartConsole, the Gaia administrator password remains unchanged.	R7x
01829764, 01381300, PMTR-47453	For Gateways below R80, 2nd layer behaves like Application Control policy.	R7x
Management High Availability
PMTR-14327	To move a Secondary Multi-Domain Management Server from one Multi-Domain Management HA environment to another, install the Secondary Multi-Domain Management Server from scratch in the new environment as a Secondary Multi-Domain Management Server and synchronize it with the Primary Multi-Domain Management Server.	R80.20.M1
02497932, PMTR-47624	In a High Availability environment, if an administrator is locked on the Standby Management Server, the administrator is not locked and does not show as locked on the Active Management Server. Therefore, you cannot unlock the administrator from the Active Management Server. To resolve, unlock the administrator by running the command unlock-administrator on the Standby Management Server.	R80.10
PMTR-15291	In a Management HA environment, Administrator created on the Primary Security Management Server via cpconfig cannot log in to SmartConsole of the Secondary Management Server until full sync from Primary to Secondary server is performed.	R80
02367246, PMTR-47159	When a secondary Management server is added, the initial synchronization task starts automatically. Until it completes, the secondary peer status shows as "Failed to communicate with peer". Wait for the initial synchronization task to complete. The peer status in the High Availability Status window will then show that the synchronization was successful.	R80
01948138, PMTR-47161	The initial full synchronization of a new High Availability server, either Security Management or Multi-Domain, can take a long time in large environments.	R80
01905978, PMTR-47462	In a High Availability deployment of Multi-Domain Security Management Servers, until the MDS that hosts the active Domain server has been upgraded, it is not possible: To edit an administrator assigned to that Domain To edit a client assigned to that Domain To view global assignments of that Domain	R7x
Multi-Domain Management
PMTR-17303	Policy installation from the Primary Multi-Domain Server to a Domain fails with an error, if that Domain exists only on the Secondary Multi-Domain Server: Install policy cannot be executed Multi-Domain '<Name of Multi-Domain Server Object>' does not have domain server for: 'Name of Domain Object'.	R80.20
PMTR-31302	You can run the mds_import command on the Multi-Domain Server only after a Clean Install. If the mds_import command fails, you must reinstall the Multi-Domain Server.	R80.20
PMTR-19623	In Multi-Domain Servers Management HA environment, if Administrator installs policy from the Active Domain on the Security Gateway / Cluster object and performs Management HA from the Active Domain to the Standby Domain, Administrator must install policy from the new Active Domain on the Security Gateway or Cluster object. Otherwise, when upgrading the Multi-Domain Servers to R80.30, SIC communication can be lost with the Security Gateway or Cluster Members. To resolve: Change the state of the Standby Domain to the Active, and manually synchronize the Domains.	R80.20
PMTR-15294	To perform "Enable Global Use" on a Security Gateway, you must set the Domain, which manages this Security Gateway, and the Global Domain to the "Active" state on the same Multi-Domain Management Server.	R80.20.M1
PMTR-14479	"Failed to save object...Server error is: An internal error has occured. (Code: 0x8003001D, Could not access file for write operation)" error when creating a Security gateway object on the Domain Management Server that is currently active on the secondary Multi-Domain Management server. To resolve: Run the "mdsstop ; mdsstart" commands on the secondary Multi-Domain Management Server.	R80.20.M1
PMTR-12257	In case of license expiration on one of the servers of a Multi-Domain Management High Availability setup, a full sync is required after applying the new license.	R80.20.M1
02509073, PMTR-47629	When running Global Domain Assignment on one Multi-Domain Server for a Domain that is active on a different Multi-Domain Server, the task can stall at 5%. After a few minutes a message shows : "timeout during task progress: Could not get information regarding task completion from MDS_1 'MDS_2'. To resolve: Run Reassign Global Assignment on the Domain from the first or second Multi-Domain Management Server.	R80.10
02491210, PMTR-47631	If two administrators create an admin account with the same name, after the first admin publishes a session, the second admin will not be able to publish or edit the admin account. To resolve: The session changes must be discarded.	R80.10
02408361, PMTR-47778	During mds_import, the incorrect "Failed to open file 'obsolete_objects.C' " message shows. This message can be ignored.	R80.10
02463142, PMTR-47640	From a secondary Multi-Domain Management Server, cma_migrate gets stuck. To resolve: Run cma_migrate on the server with the active global policy.	R80.10
02408823, PMTR-47638	The same system object (administrator, domain, permission profile, trusted client or Multi-Domain Server) cannot be managed from multiple peers. It can create sync failures between Multi-Domain servers. If there is a sync failure, make sure sessions on a different peers do not lock the same object.	R80.10
02432471, 02380613, PMTR-47642	After an upgrade, the global assignment fails with an error regarding multiple objects with the same name. If the search fails to locate the object in the domain, the object might be an unused OPSEC application permission profile and it can be deleted or modified using dbedit. To resolve: refer to sk116059.	R80.10
02422260, 02383687, PMTR-47173	In a High Availability environment that includes more than two Multi-Domain Management servers, a synchronization problem between 2 specific Multi-Domain Management servers only shows when connected to one of those servers. The problem does not show when connected to a different Multi-Domain Management server in the environment.	R80
01980812, PMTR-47175	After you define the SmartEvent object in the global database, first you must assign Global Policy to Domain Servers in order the Domain Level Only administrators can log in to SmartEvent.	R80
01976542, 01980886, PMTR-42634	Each database can be migrated only once with cma_migrate. If you try to migrate the same database to another Domain Server, migration fails with the "Internal runtime error"... "The folder in the dleObject can't be null." error.	R80
01718384, PMTR-47177	You cannot add licenses from the Multi-Domain Management Server or Domain Management configuration windows or wizards. To resolve: To add licenses, click "Manage Licenses and Packages" in the SmartConsole main menu.	R80
01408631, PMTR-47546	You can use only one Global Domain, which is created automatically during installation.	R80
01954364, PMTR-47548	When upgrading a Multi-Domain Security Management environment, you can change the IP address of the primary MDM, but not the IP address of secondary MDMs.	R80
02513874, PMTR-47550	In a Multi-Domain Management Server, OPSEC application permission profiles cannot be edited and are not visible on the Objects Explorer bar. To resolve: To change an OPSEC application permission profile, use the OPSEC application editor and create a new permission profile. Use dbedit/GuiDBEdit to delete old or unused profiles.	R80
01582933, PMTR-47551	Private sessions are not synchronized between Multi-Domain Management Servers. A session that is open on one Multi-Domain Management Server cannot be seen or moved to a different Multi-Domain Management Server.	R7x
01810161, PMTR-47186	A Security Management server cannot be installed as a secondary Management for a Domain server.	R7x
01605414, PMTR-47188	There is no cross-Domain search for network objects. Search in each Domain for the specific network object.	R7x
01537986, PMTR-47552	An administrator with Manage Session permissions on a Multi-Domain Management Server but not on a specific Domain, can manage the session from Sessions view in the MDS level. Session publish may fail.	R7x
SmartConsole / Management Console
PMTR-82157	HTTP Inspection Legacy SmartDashboard can unexpectedly close when exceeding the number of maximum possible hosts (100K).	R80.40
PMTR-47434	On SMB 1100 appliances, after initializing SIC the hardware must be edited manually to 1100 appliance instead of Open Server.	R80.40
PMTR-42956	In HTTPS Inspection policy rules, when selecting the same action that already appears in the "Action" column, the Management Server counts it as part of the session changes.	R80.40
PMTR-44804	In SmartProvisioning, policy installation fails after enabling QoS on the profile.	R80.40
PMTR-60358	When working in SmartConsole over Remote Desktop solutions such as Citrix, there might be sporadic cosmetic issues in certain SmartConsole windows (for example, a dialog window that opens only partially). Usually, these issues are caused by an incompatibility of 3rd party components within SmartConsole. To resolve: Resize the main SmartConsole window, or close and open again the problematic window in SmartConsole.	R80.40
PMTR-39807	"Identity Provider authentication factor cannot be used in Capsule Workspace" error appears in SmartConsole in the following scenario: Open a Security Gateway object with Mobile Access blade enabled. From the left tree, expand "Mobile Access" and click "Authentication". Refer to the "Multiple Authentication Clients Settings" section. When editing an existing login option with "Identity Provider" as the Authentication Factor, the "Use in Capsule Workspace" option appears as selected (on the "Login Option" tab > in the "Usage in Gateway" section). When clicking "OK" to save the changes, the error "Identity Provider authentication factor cannot be used in Capsule Workspace" appears. To resolve: Clear the "Use in Capsule Workspace" option before clicking "OK".	R80.40
PMTR-49269	After opening a number of logs in the Logs and Monitor view, then using the Revert to Revision feature in Manage & Settings, the revert to revision window may show this message: "HTTP ERROR 404". To resolve: Close and open SmartConsole and then perform revert without viewing the logs again	R80.40
PMTR-46715	In very large environments running "show-mdss" with "details-level full" parameter fails to retrieve all Domains on the Multi-Domain Server.	R80.40
PMTR-32873	IPS, Application Control and URL Filtering blades Best Practices are displayed as "active" by the Compliance blade overview even though they are not configured for the Security gateway.	R80.40
PMTR-48072	The "Restore all messages" button is disabled in Manage & settings -> Preferences -> User Preferences -> "Restore all messages". To resolve, restore all messages to the default settings. To do so, close the SmartConsole and delete the content of "%localappdata%\Check Point\SmartConsole\R80.XX\UserSettings" folder.	R80.40
PMTR-44457	Error: "Error while trying to open certificate : The specified network password is not correct." when attempting to view a new HTTPS certificate that uses a password different from the previous one. To resolve and view the certificate, open SmartDashboard -> HTTPS Inspection -> Gateways -> Export.	R80.40
PMTR-45924	When using API batch commands, the "set-if-exists", "ignore-warnings" and "ignore-errors" flags are not used. Errors that come up while running a batch command have to be handled manually by using the "show-validations" API command.	R80.40
PMTR-45567	The "object is used by a policy or by other objects" error is displayed when attempting to delete a LDAP account unit. Running the "Where used" query yields with not result. To resolve: the issue is resolved within 24 hours, during this time period the object is entirely removed from the database.	R80.40
PMTR-38804	The "Import Node" action in SmartDashboard (accessible from the SmartDashboard Network Object tree -> Nodes -> Import) might fail with "Internal Error" message.	R80.40
PMTR-47146	Updatable Objects cannot be added to a network group.	R80.40
PMTR-32595	"Take over failed" error appears when canceling an administrator session takeover. This error can be safely ignored.	R80.30
PMTR-31556	Detaching a cluster member from a cluster is not supported, it cannot be converted into a regular Security Gateway.	R80.30
PMTR-33894	Maestro Security Group supports version R80.20SP only.	R80.30
PMTR-27027	SmartConsole displays an image of the appliance series rather than the specific appliance.	R80.30
PMTR-27705	When installing a policy, "The policy included Blades that have an expired contract or a contract that is about to expire" warnings are displayed only for Application Control and URL Filtering and not for all Service Blades.	R80.30
PMTR-31193	Search for disabled or expired rules in Access Control policy does not work.	R80.30
PMTR-25063	The "Groups" page / tab is not shown if you edit a predefined service.	R80.20.M2
PMTR-65106	In SmartConsole, the sorting in table columns with numeric values is alphabetical and not numerical. Examples: In the "Gateways & Servers" view - the columns "Accepted Packets/Sec", "Dropped Packets/Sec", and so on. Service Group objects - the "Port" column.	R80.20
PMTR-39387	Hitcount of Shared Inline Layer rules shows the sum of all rules it is used in as it is shared between all of them.	R80.20
PMTR-24110	The "Lockout administrator's account after X failed authentication attempts" setting affects only the main SmartConsole application. For Legacy GUI client applications, SmartEvent servers and Log Servers, administrator accounts are not locked out after multiple failed login attempts.	R80.20
PMTR-38550	In some scenarios, the "<Object_Name> is no longer supported. Enforcing security for this object is not possible." validation warning appears regarding an updatable object. However, the object is still available in the updatable objects picker. To resolve, restart the CloudGuard controller by running these commands on the Management server: cloudguard stop cloudguard start	R80.20
PMTR-12439	Desktop Policy tab does not appear in the following scenario: Open the SmartConsole in Read-Only mode, or log in with Read-Only credentials. In the left navigation panel, click Security Policies. In the Access Control section, click Desktop -> Open Desktop Policy in SmartDashboard. Legacy SmartDashboard opens without the Desktop Policy tab.	R80.20
PMTR-15156	Configuration of colors and icons in some Service objects does not survive upgrade from R77.x versions to R80.x versions	R80.20.M1
PMTR-20287, TP-1939	When creating a new Cluster object in SmartConsole with the Wizard Mode, if you do not add Cluster members or do not initialize SIC with the Cluster members, the "Optimizations" -> "Capacity Optimization" setting in the cluster object may set to "Manually", instead of the default "Automatically". The "Automatically" option is grayed out, if the OS of the Cluster object is unknown. To resolve: Open the Cluster object. Go to the "General Properties" pane. In the "Platform" section, in the OS field, change from the "Unknown OS" to the real operating systems of the cluster members. Go to the "Optimizations" pane.  In the "Capacity Optimization" section, select "Automatically". Click OK and publish the session.	R80.20.M1
PMTR-42889	The "Could not locate an appropriate editor for the target object" message appears in SmartConsole in the HTTPS Inspection Policy, when double-clicking a certificate object.	R80.10
PMTR-42458	Network groups that are used in a group with exclusion cannot contain non IP-based objects (for example, Dynamic Objects, Domain Objects etc.).	R80.10
PMTR-40848	When an inline layer appears more than once in an ordered layer, in logs that are generated from rules in that layer, the "Go to rule" link does not always navigate to the correct occurrence of the rule in the policy. To find the other occurrences of the rule, use the packet mode search with the rule's information. For more information about packet mode search, refer to sk118592.	R80.10
02083394, 01961299, PMTR-47652, PMTR-47095	The Device and License Status of Threat Emulation is incorrect when there is a trial license on the Security Gateway. To resolve: Use the Logging -> License Status view.	R80.10
01878112, PMTR-47664	Cannot log into SmartConsole after changing the time in the Gaia Portal. To resolve: Restart the Management server using cpstop;cpstart commands or, for Multi-Domain Security Management, run mdsstop;mdsstart	R80.10
02500777, PMTR-47656	When session details enforcement is configured, publishing a remote session is not blocked even if session details are not provided.	R80.10
PMTR-23836, PMTR-23835	When you create an SMB cluster using the Wizard mode, SmartConsole automatically assigns an incorrect IP "0.0.0.X" as the cluster main IP address. To resolve: The admin must first publish the new cluster object, then configure the correct IP address before enabling any blade. If the cluster is created via 'Classic' mode, there is no issue.	R80.10
PMTR-45007	In a rare scenario, SmartConsole installation might stuck at 36%. Refer to sk163592.	R80.10
02418418, PMTR-47644	After a Security Management server upgrade to R80.x, 0 applications appear in object bar although all applications appear in the rule base picker. To resolve: Perform Application Control & URL Filtering update.	R80.10
CIS-68, 01513503	After upgrading Security Management Server from to R80.x, users cannot add suggestions to add objects to group - the options are grayed out. Refer to sk118276.	R80.10
PMTR-34983	Cannot find the "Override categorization" object in the objects bar search.	R80.10
02450861, PMTR-47646	In SmartConsole, when creating a new object in a second Object Editor, the new object is not in the list in the original Object Editor. To resolve: After you close the second Editor, click OK in the IF-MAP server editor. Open the IF-MAP server editor again.	R80.10
02446266, PMTR-47650	A Remote Access community object is not supported in the parent rule of an inline layer where the action is "Inline Layer". To resolve: Use "Any" instead of the Remote Access community object. You can use the Remote Access community object in the rules in the inline layer.	R80.10
02445396, PMTR-47654	The SmartConsole package cannot be installed in a directory whose path includes non-English characters.	R80.10
02492692, PMTR-47658	This procedure for renewing an expired HTTPS Inspection certificate does not work: Open the SmartDashboard GUI client Renew the HTTPS Inspection certificate. Close SmartDashboard. Install the Policy in SmartConsole. SmartConsole shows the certificate is still expired, and the certificate is not renewed. To resolve: After following the procedure, close and reopen SmartConsole.	R80.10
PMTR-36940	When selecting a source or destination for a user object, cluster objects are not available for selection.	R80.10
01834373, 01834983, PMTR-47666	SmartConsole does not display one of cluster interfaces because of case sensitive name uniqueness. Refer to sk108264.	R80.10
-	R80.x SmartConsole on Windows 10 requires .NET Framework version higher than 4.0.	R80
PMTR-70637	If the name of an imported HTTPS Inspection certificate file contains one of these strings, then Legacy SmartDashboard does not show this certificate in "HTTPS Inspection" > "Server Certificates": default_{noformat} (example: default_MyCertificate) _default (example: MyCertificate_default) _default_ (example: My_default_Certificate) https_ (example: https_MyCertificate) _https (example: MyCertificate_https) _https_ (example: My_https_Certificate) ref_ (example: ref_MyCertificate) _ref (example: MyCertificate_ref) _ref_ (example: My_ref_Certificate) holder_ (example: holder_MyCertificate) _holder (example: MyCertificate_holder) _holder_ (example: My_holder_Certificate) Note: SmartConsole is able to show such certificate.	R80
PMTR-66532	SmartConsole > "Logs & Monitor" view > "Logs" tab may show duplicate log records with partial data, if log entries are spread over several log files due to a log switch. Log switch operation occurs in these scenarios on a Management Server / Log Server: At midnight When the size of the active log file reaches 2 GB Based on user configuration (explicitly)	R80
PMTR-57122	If a search string is not a prefix of a word, the search does not show results. Example: If you enter a search string "bject", the search does not show the string "object". If a search string is surrounded by asterisks, the search highlights the entire word or a prefix in the field. Example: If you enter a search string "*obj*", and there is a rule with a comment such as "the object is hidden", the search shows the rule with this comment, but highlights the entire comment or a prefix of it.	R80
PMTR-48835	Device status in SmartConsole is only presented after applying changes to it and publishing the session.	R80
01652566, 01693617, PMTR-47195	Before you can publish a session, you must connect to it and set the session name and description.	R80
01996428, PMTR-47553	Slow rendering of SmartConsole and reaction to user interactions. Slow rendering can be a result of: Running SmartConsole through Remote Desktop (RDP) sessions. Refer to sk123734. Environments with lower-end graphic hardware drivers.  Typical environments include Windows-Server 2012 and Virtual Machines. In this case, consider upgrading your DirectX driver or Graphics Card hardware.	R80
01864532, PMTR-47557	After a failure in the VSX cluster creation wizard, if Cancel is clicked, the wizard closes, but the VSX cluster and VSX cluster member objects are not deleted. To resolve: Delete the VSX cluster and VSX cluster member objects manually.	R80
01960696, PMTR-47197	The Tasks tab -> Script Results supports up to 10,000 characters only.	R80
01282274, PMTR-47555	SmartConsole installed on a computer without access to the Internet cannot open Help files. To resole: refer to sk110774.	R80
01800770, PMTR-47556	Disconnecting the SmartConsole session while creating or configuring VSX objects, can cause the management database inconsistency and Administrator will be unable to do any changes with VS. "Internal Error: Cannot get object XXX from table vs_slot_object" message pops-up.	R80
02500051, PMTR-47199	In R80 and higher, multiple administrators can connect to the Management with SmartConsole in write mode, at the same time. Therefore, switching between Read only and read-write mode, which was often used in previous versions, is not an option in SmartConsole.	R80
01931336, 01816368, PMTR-47202	A customized role that has no write permissions, does not appear as read-only in the session view, although it is actually read-only.	R80
PMTR-10186, PMTR-567	In some scenarios (depending on Windows activity), SmartConsole is not disconnected after time specified in SmartConsole -> Manage & Settings -> Permissions & Administrators -> Administrators -> Idle Timeout.	R7x
Compliance
PMTR-9124	After an upgrade of a Management Server with enabled Compliance blade from R77.20 or lower versions to R80.x: The "Dev Mode: ON - Syntax error: Unable to get property 'icon' of undefined or null reference at line: undefined" error can appear in the Compliance blade reports. "Compliance Statuses" contains the words "Low" instead of "Poor" and "High" instead of "Good". To resolve: refer to sk123613.	R80.20.M1
02458793, PMTR-47756	In a Multi-Domain Management environment, in the local domain policy, some Compliance best practices, which validate the status of rules in the policy, incorrectly identify the section header, "Parent section for domain rules," as a rule, and report it as not valid. To resolve: Manually exclude this result from the Best Practices view. In the Best Practices view, select the practice. In the bottom pane -> Relevant Object section -> double-click the desired rulebase object and disable the rule/section from the list.	R80.10
PMTR-47592	Compliance Blade regulation reports do not contain the Best Practices themselves. To resolve and see the Best Practices, deploy a SmartEvent Server, enable SmartEvent and create a customized report.	R80
02167534, PMTR-47237	Compliance Blade does not contain Compliance Overview Report. To resolve and have the Compliance Overview Report, deploy a SmartEvent server and enable SmartEvent. Then find it at Logs & Monitoring -> new tab -> Reports -> Compliance Blade.	R80
01958788, 02030225, PMTR-47239	The SmartConsole client is not aware of license or quota changes in real time - alert for 'License quota Exceeded' does not pop-up immediately when the license quota is exceeded. To resolve: Reopen SmartConsole in Compliance blade to see the license changes. Quota data changes in the entitlement or Compliance will be updated after: Compliance midnight scan License changes cpstop;cpstart	R80
Logging / SmartLog
PMTR-46049	In a rare scenario on a Multi-Domain Server/Multi-Domain Log Server, several Domain smartlog_server processes may fail to load printing a "Failed to start web server (Probably another server listens on the same port)" message into the $SMARTLOGDIR/log/smartlog_server.elg file. Refer to sk164776.	R80.40
PMTR-44559	When querying logs in the SmartView web Logs tab, the numbers shown in the timeline section do not correlate to the log list if the indexing retention policy in SmartEvent and the Log Server are not the same.	R80.40
PMTR-48225	Exporting a large number of logs (100K and higher) to Excel using SmartView may fail on servers with 8 GB of memory or lower.	R80.40
PMTR-34649, PMTR-42613	User log in to SmartView in a Multi-Domain Server High Availability environment fails. Explanation: In a Multi-Domain Server High Availability environment, administrators can add a Domain-Management Server that is not synchronized and thus not available in the corresponding Multi-Domain Server. However, when opening SmartView, the Domain picker displays ALL the Domain-Management Servers available on both Multi-Domain servers.	R80.40
PMTR-45956	In Logs View, the IP address is shown instead of the name for Data Center objects, and it is not possible to filter for logs by the object name.	R80.30
PMTR-45323	Updatable objects are not resolved in SmartLog/SmartEvent queries: You cannot create a filter or SmartView query which contains an Updatable object name.  When viewing logs/events, the IP address of an Updatable object is not resolved to a name.	R80.20.M2
PMTR-22189	After reverting to a R80.10 or R80 version, the log files and log indexes that were created on the R80.40 will be lost. If you upgrade again to R80.40, all logs will be visible again with one exception - the log index created on the day of the revert (from R80.40) may be partial.	R80.20
PMTR-22007	After upgrade, the Log Exporter does not start, fully update or show pre-upgrade exporters. To resolve, update and start, run: cp_log_export reconf; cp_log_export restart	R80.20
PMTR-37258	In a rare scenario on Multi-Domain Server/Multi-Domain Log Server, several Domain Indexer processes may fail with core dump, printing "Failed to start web server (Probably another server listens on the same port)" message into $INDEXERDIR/log/log_indexer.elg file. To resolve: Recreate the IpPort.xml file by running the below commands on MDS/MLM: evstop rm -f $RTDIR/conf/IpPort.xml mdsstart	R80.20
PMTR-12100	Log Exporter exports logs from a Domain Management Server with the IP address of the Multi-Domain Server when using UDP protocol.	R80.20.M1
PMTR-12635	When you right-click in an Anti-Virus or Anti-Bot log from R77.30 Security Gateways and select "Save as Packet Capture...", it opens an email file with the attached packet capture file, instead of saving it. This is the same behavior as in the option "View Packet Capture".	R80.20.M1
PMTR-44569	A single Log Server can support up to 1024 clients sending logs to it.	R80.10
02459033, PMTR-47696	On Security Management Server with "Enable Log Indexing" option not selected, and a dedicated Log Server with "Enable Log Indexing" option selected: When you connect with SmartConsole to the Security Management Server, the Logs view shows the logs of individual log files. It is not possible to get a unified view of all the logs.	R80.10
02444795, PMTR-47706	When using the Check Point Management Server as an external log server for a locally managed Small Office appliance, logs that are saved on this external log server will not be accessible from SmartConsole that is connected to the management server of the internal environment. To see the logs that are saved on this log server, open SmartConsole to this Log server itself.	R80.10
02326352, PMTR-47694	Reading logs through LEA which were configured manually on the SmartLog custom settings file is not available in R80.x.	R80.10
02478533, PMTR-47699	In a global SmartEvent configured in Multi-Domain environment, SAM rules are not being created by events auto-reactions. To resolve: refer to sk86941.	R80.10
02488000, PMTR-47708	In Management High Availability, the indexing mode should be the same on both primary and secondary servers.	R80.10
02495815, PMTR-47711	Correlated "Web Browsing" events are not shown by default. To resolve: in SmartEvent, go to Event Policy -> Legacy ->Web Browsing, right-click and select "Event Format". Replace the field "URL" with the field "Resource".	R80.10
PMTR-47585	In a Multi-Domain Management environment, you cannot have a dedicated Log server for a specific Domain Management. To resolve: Configure a Multi-Domain Log servers with only one CLM.	R80
PMTR-47587	To change SmartLog mode from Indexing to Non-Indexing on a Domain Management Server or Domain Log Server, edit the Domain Server object on the Domain level. There is no option to change the entire Multi-Domain Server or Multi-Domain Log Server to Non-Indexing mode.	R80
01964600, PMTR-47210	Correlation units can be added to a remote Log server in this way only: In SmartConsole, edit the Correlation unit object and configure it as a Log server. On the SmartEvent server, go to the Correlation unit policy configuration and configure the Correlation unit on the SmartEvent server to read the logs from the remote Log server configured in Step 1.	R80
02022294, PMTR-47208	Fetch local files from a remote machine is available from command line only.	R80
01914623, PMTR-47212	SmartView graphics do not display properly in Internet Explorer. Accessing SmartEvent server from the web (SmartView) is supported only from Google Chrome and Mozilla Firefox.	R80
PMTR-47586	SmartLog Indexing mode is not enabled by default after upgrade or new installation, on Smart-1 205, Smart-1 210, or Open Servers with less than 4 cores.	R80
PMTR-47589	Users connected with SmartConsole to specific Domain, will not be able to see Global objects assigned to this Domain in SmartLog logs results, and cannot search by Global objects (but can search by IP address).	R7x
02537633, 02539688, PMTR-47558	"Top QoS Rules" view in SmartView Monitor shows that almost all traffic matches the "No Match" rule when SecureXL is enabled on Security Gateway. Refer to sk118720.	R7x
SmartEvent
PMTR-47989	Error: "CRLs failed to be downloaded" when attempting to log in to SmartEvent. To resolve: Run cpstop;cpstart on the SmartEvent server.	R80.40
PMTR-71408	In SmartConsole > Logs & Monitor view > Logs tab, the "Last Update Time" column is empty for IPS logs. This occurs if the SmartEvent Server is also a Log Server, to which Security Gateways send their logs. To resolve: Open a specific log entry and refer to the field "Lastupdatetime".	R80.20
PMTR-21615	A query that refers to "Scan result" and "Destination DNS Hostname" fields will not be resolved.	R80.20
PMTR-5701	The version of a dedicated SmartEvent Server has to be the same or higher than the version of the Security Management Server. Refer to sk133954.	R80.20.M1
PMTR-47608	SIC problem with the global SmartEvent object managing a Global SmartEvent object from the Domain/CMA that has the global object assigned to it.	R80.10
02478455, PMTR-47715	Events Grid is missing from SmartEvent.	R80.10
02502558, PMTR-47713	SmartEvent cannot be enabled on a 5400 Security Appliance.	R80.10
02551294, 02569029, PMTR-47723	Legacy SmartEvent GUI crashes with core dump file at 65% "Getting list of active products..." when connecting directly and not with SmartConsole R80.x. Refer to sk120076.	R80.10
02478452, PMTR-47717	The Ticketing feature is missing from SmartEvent.	R80.10
02422716, PMTR-47719	For SmartEvent connected to R77.x Security Management Server or Multi-Domain Management Server: If an object is not listed in the Log Servers table in the Correlation Unit settings, change the object from the SmartConsole (for example, its color). This will cause the re-synchronization of the object.	R80.10
02484638, PMTR-47721	When using R77.30 gateways, after disabling Firewall sessions in the SmartEvent policy, the records of Firewall sessions disappear from reports and views. If you enabled Firewall sessions in order to see Firewall data in reports or views, generate the report or examine the view *before* disabling Firewall sessions.	R80.10
02496726, PMTR-47227	Global SmartEvent's disk space maintenance policy is not configurable via GUI. Minimum default threshold for cleanup is 5GB (5000Mb). Refer to sk117317 for manual configuration instructions.	R80
02101182, 02107751, PMTR-47215	SmartEvent stability problem while connecting to Multi-Domain Management. Refer to sk112238.	R80
01995448, PMTR-47559	On a R80.x dedicated SmartEvent server which assigned to MDS, when you enable or disable a blade, the license information is not immediately updated. An automatic updates takes place at midnight. To resolve and update immediately: On server's command line, run: $CPDIR/bin/esc_db_complete_linux_50 activation_data entitlement_data. If you manually change a license or contract, the changes take effect immediately.	R80
MPTT-265	Users using the "Check Point Password" method for authentication to SmartConsole and are configured with the "User must change password on next login" option, must login to SmartConsole and change their password before using SmartView Web application.	R80
PMTR-12033	"Update CONF failed: The plug-ins that are installed on the Security Management server do not match the plug-ins that are installed on the Log Server" error when installing database from pre-R80 Security Management server on SmartEvent or Correlation Unit running R80 and higher. Refer to sk110894.	R7x
01940335, PMTR-47476	In R80.x, you can only define SmartEvent at the global level and then configure it to read logs from one Domain or a number of domains. SmartEvent cannot be defined in a specified domain.	R7x
SmartProvisioning
PMTR-48496	After manually unloading policy from Gaia cluster members which are managed by SmartProvisioning, the cluster does not fetch the policy again and push policy from SmartProvisioning is not effective.	R80.40
PMTR-45475	The status of an SMB device in SmartProvisioning may show "not responding" for a short time, even though the status is OK.	R80.40
PMTR-49044	SmartLSM (Smart Provisioning) running on R80 and higher Security Management Server cannot manage R80.40 Security Gateways.	R80
PMTR-1568	When working with LSM managed Security gateways in a Management High Availability environment, creating and working with LSM gateways must be consistent, they can only be used in the Security Management server they are created in. Using the secondary Security Management server might lead to inconsistent actions/status related to LSM objects.	R80.20.M1
PMTR-3724	It is not possible to configure internet connection over DSL for 1100, 1430, 1450 appliances using SmartProvisioning.	R80.20.M1
PMTR-4436	After a major upgrade of the Multi-Domain Management Server, opening the SmartProvisioning client fails, displaying "SmartProvisioning was not enabled on the Security Management Server or no valid license was found..." error. To resolve: Enable LSM on each relevant Domain Management server by running the "LSMenabler on" command.	R80.20.M1
PMTR-15599	SmartProvisioning R80.40 does not support LSM Profiles of type "Check Point Appliance/Open Server Gateway" with version "R80.10".	R80.20.M1
PMTR-70744	The "Enable Provisioning" checkbox is greyed out in SmartProvisioning > SmartLSM Security Gateway object properties > "General" tab > "Provisioning" section, if the user who logged into SmartConsole has a profile with assigned permissions other than "Read/Write All".	R80.10
PMTR-8209	After a major upgrade to a Security Management Server, LSM profiles lose their installed policy and new devices attached to them are not able to fetch a policy. To resolve: Install policy on the LSM profiles.	R7x

Access Control

ID	Description	Found in version
Mobile Access
PMTR-41608	Error: "Failed to generate RADIUS auth request" when a Mobile Access user browses to a resource that requires authentication.	R80.40
PMTR-70, 02475436	If you use Outlook Anywhere application with Mobile Access Reverse Proxy, and then want to disable Outlook Anywhere or Reverse Proxy, perform: Delete Outlook Anywhere rule from reverse proxy. Run "cvpnrestart --with-pinger" to close all Outlook Anywhere open connections. If you do not perform step 2, open connections of Outlook Anywhere will not be closed and users can still work with it.	R80.10
02383560, 02398086, PMTR-47748	When users are connected to the Mobile Access Gateway with SSL Network Extender in Application Mode, Downloaded-from-Gateway applications do not work inside Endpoint Security On Demand Secure Workspace.	R80.10
02421046, PMTR-47782	After upgrading a Standalone (Management and Gateway) or VSX deployment with Mobile Access blade enabled, the "Allow Dynamic ID for mobile devices" option might be enabled by default, even if Dynamic ID was not configured prior to the upgrade. If you do not want Dynamic ID authentication for Capsule Workspace users, disable it in: Gateway Properties -> Mobile Access -> Authentication -> Compatibility with Older clients -> Settings -> Capsule Workspace section -> clear Enable DynamicID. For VSX, this configuration is done per Virtual System.	R80.10
02466757, PMTR-47499	When Mobile Access is included in the Unified Access Policy, in Mobile Access Authorization logs -> Log Details -> Matched Rules, the Mobile Access Application name and Category do not show.	R7x
Content Awareness
PMTR-17156	The following apply to the "Archive File" Data Type: The Content Awareness blade inspects the "Archive File" Data Type. The "Archive File" Data Type is extracted, and its inner files are separately inspected together with the Data Type. Therefore, during the policy configuration, administrator has to pay attention when using the "Archive File" Data Type in a Compound/Group Data Type and in an Inline layer parent rule. Using a Compound/Group of "Archive File" with, for example, "PCI - Credit Card Numbers", does not match the archive that contains a file with the credit card numbers. You can use a specific File Type with "PCI - Credit Card Numbers" in this rule. Using the "Archive File" in a rule that leads to Inline Layer does not match the Data Type inside that layer. You can use a specific File Type in this rule. If the "Archive File" is located above other Data Types, the lower rule can be matched for some of the inner files, in addition to the rule that contains the "Archive File".	R80.20
01917734, PMTR-47670	Binary Certificate *.cer files are not properly matched to the 'Certificates and Private Keys' Data Type.	R80.10
02467456, 02338194, 02330606, PMTR-47675	Content Awareness supports HTTP, HTTPS, SMTP and FTP protocols on any ports and it is fully integrated with the Access Control unified rule base. Traffic over QUIC and WebSocket is not inspected. However, it is possible to use 'Quic protocol' / 'WebSocket protocol' in a new Application rule to either block or allow this traffic.	R80.10
01998174, PMTR-47785	Content Awareness supports more than 60 character sets for text files, including Japanese, Korean, Greek, and Arabic. If the inspected traffic does not include a supported character set, Content Awareness uses UTF-8 for decoding. To see the list of supported charsets, and to learn how to change the default charset, see sk116155.	R80.10
02452100, PMTR-47678	Content Awareness supports Data Types based on file name. In specific HTTP traffic where the file name is not part of the URL or content-disposition header, the file name may be incorrect.	R80.10
DLP
02514785, 02515902, PMTR-47691	DLP can apply visible or hidden Watermark (for forensic tracking) to Office Open XML formats (DOCX, PPTX and XLSX) as a rule action in a DLP rule base. Refer to sk117413 if DLP Watermark is used.	R80.10
Application Control & URL Filtering
01820710, 01919422, PMTR-47204	After upgrade, services defined in the Application Control rulebase are overridden with the Application's recommended services. Refer to sk109711.	R80

Threat Prevention

ID	Description	Found in version
Threat Prevention
PMTR-42100	SHA-1 and SHA-256 Indicators Of Compromise (IOC) are only supported with Gateway version R80.40 and higher.	R80.40
PMTR-39388	In some scenarios, during a file download, Packet Captures do not appear in Security gateway logs when the Strict-Hold setting is enabled.	R80.40
PMTR-41415	In a ClusteXL Load Sharing mode: Due to the nature of transferring files over multiple connections, the following protocol features might not be inspected properly: HTTP 206 Partial Content SMBv3 Multi-Channel FTP REST command used over multiple connections Protection based on threshold count (between connections) might not work properly: Static protections (DNS tunnel, Sweep Scan protection, VoIP SIP, MGCP protection may not work over NAT) Protections that contain cross-connection logic	R80.30
PMTR-50420	FTP inspection with the Anti-Virus, Threat Emulation, or Content Awareness blade is not supported when Security Gateway works in Monitor Mode (SPAN port).	R80.30
PMTR-19839	CRL validation is not supported in pure IPv6 environments (when IPv4 addresses are not configured on the Security Gateway's interfaces).	R80.20
PMTR-43623	In some scenarios, Packet Captures do not appear in Security Gateway logs (from Anti-Virus, Anti-Bot, and IPS blades): When detection is done by RAD cloud (not using the RAD cache on the Security Gateway) for Reputation and MD5 When detection is done by the DeepScan engine When passive streaming is not the active infrastructure layer When active streaming is used (e.g., for HTTPS) When there is no streaming at all (slow path)	R80.10
02511908, PMTR-47684	On pre-R80.10 gateways managed by R80.x Security Management server, Access Roles and CloudGuard are not supported in all Threat Prevention and IPS rules on the gateway. This limitation does not apply to R80.x gateways.	R80.10

IPS

ID	Description	Found in version
IPS
01964022, 02029515, PMTR-47471	"Internal error occured" message may be displayed when trying to assign/reassign a Global Configuration at the same time that an IPS update is running on a local Domain. To resolve: First run the IPS update on the local Domain. Then assign/reassign the Global configuration.	R7x

Endpoint Security (SmartEndpoint)

ID	Description	Found in version
Endpoint Security (SmartEndpoint)
PMTR-49209	A standalone Remote Help Server for Endpoint may not automatically start syncing with the primary Endpoint Management server when it connects for the first time. The result is that users and devices do not show in the SmartEndpoint Pre-boot Remote Help and Web Remote Help. To check if there is problem with the sync: On the standalone Remote Help Server, run PgOnlineSyncUtil full_status  The output shows:  The current node was not added to sym_node_security table yet. Initial load didn't start yet. On the Primary Management Server, run PgOnlineSyncUtil full_status The output shows that Symmetricds engine status is Server Running: false To resolve: On the Primary Management Server run: PgOnlineSyncUtil start_engine	R80.40
PMTR-36556	After an upgrade to R80.40 with E2 AM engine (on the Primary Management Server and Policy Servers), the E2 AM engine fails to download updates. To resolve: Connect to the command line on the server Back up the $UEPMDIR/engine/conf/updates/bin/bdav/mirror.cnf file: cp -v $UEPMDIR/engine/conf/updates/bin/bdav/mirror.cnf{,_BKP} Edit the $UEPMDIR/engine/conf/updates/bin/bdav/mirror.cnf file with Vi editor. In the variables that point to paths, change the version to "R80.40" Save the changes and exit the Vi editor Create these empty directories: mkdir -p $UEPMDIR/engine/conf/updates/data/bdav/av32bit mkdir -p $UEPMDIR/engine/conf/updates/data/bdav/av64bit mkdir -p $UEPMDIR/engine/conf/updates/data/bdav/avc3_sig mkdir -p $UEPMDIR/engine/conf/updates/data/bdav/avc3_exc	R80.30
PMTR-7431	When you enable the Endpoint Policy Management blade on a Security Management Server, the connection to these services automatically changes from the default port 443 to port 4434: Gaia Portal SmartView Web Application Management API Web Services If you disable the Endpoint Policy Management blade, the services connection port automatically changes back to the default 443.	R80.20
PMTR-11057	"An internal server fault has occured" server error is shown when logging in to the SmartEndpoint GUI client with a custom administrator created in SmartConsole with the name "endpoint". To resolve: Create an administrator with a different name.	R80.20.M1

Small Office Appliances

ID	Description	Found in version
Small Office Appliances
PMTR-47300, SMB-11103	When trying to configure a 1400 appliance with firmware for a 1500 appliance and vice versa, a policy installation error message appears.	R80.40
PMTR-3327	After upgrade, you must install Access Policy before installing Threat Prevention Policy. Otherwise, the Threat Prevention Policy installation may fail.	R80.20.M1
02513131, PMTR-47765	In Small Office appliance policy installation, services that are manually configured with INSPECT code including the definition "CALL_XLATE_FOLD_FUNC (..." will cause a policy installation failure. To resolve: Remove the "_FUNC" from the definition and use "CALL_XLATE_FOLD (..."	R80.10
01939263, PMTR-47518	"Commit function failed" error on policy installation failure on 1100 series appliance. Refer to sk105217.	R7x
01914944, 01917280, PMTR-47520	"SIC error" status might occur when the gateway object is defined in a "Management first" scenario before it is deployed, but the device's IP address is already accessible. The Security Management tries to create SIC with the gateway's IP address. Instead of the policy ending in a "waiting for first connection" status, an error message states the SIC status must be rectified first.	R7x

CloudGuard Controller

ID	Description	Found in version
CloudGuard Controller
CloudGuard Controller - General Limitations
PRJ-8142	Data Center objects are not supported with ClusterXL configured in Active/Active mode.	R80.40
PRJ-8570	The Management API add-data-center-server for vCenter Data Center uses an optional parameter "unsafe-auto-accept" to allow usage of unsafe certificates. Its default value is set to false for not allowing unsafe certificates. To avoid unexpected behavior, explicitly use "unsafe-auto-accept=false" when using the Management API.	R80.40
VSECC-1057	In case of replacement of a Data Center Server's certificate that has been trusted by the user, communication with the Data Center Server fails and a log is sent. To resolve: Open the Data Center Server Object in SmartConsole, and click on "Test connection".	R80.20
VSECC-589	Changes in connection properties (such as credentials or URL) of existing Data Center Servers will take effect (e.g., importing objects, updating objects updates, etc.) only after policy is installed on all the Security Gateways that have Data Center Objects from this Data Center Server.	R80.20
VSECC-1059	Cluster objects (ClusterXL and 3rd party Cluster with the exception of CloudGuard for NSX) must be configured with reachable VIP as the main Cluster IP address to receive updates on Data Center imported objects.	R80.20
PMTR-3442	Connections to/from Data Center Objects that appear for the first time in a policy package pushed to the Security gateway will not be re-matched even if the rematch connection option was chosen enabled in the Security Gateway policy. Connections involving the Data Center Objects that were included in previous policy installations on the Security Gateway are re-matched.	R80.20
CloudGuard Controller - Security Policy
VSECC-875	Data Center Objects in a Network Group are only supported in Access Control policy. A policy that contains a Network Group with Data Center Objects can be installed only on Security Gateways R80.10 and higher.	R80.40
VSECC-1060	Data Center Objects are not supported in NAT policy and HTTPS policy.	R80.20
VSECC-1066	Policy Verification for overlapping, hiding or contradicting rules that include Data Center Objects is not supported.	R80.20
VSECC-1063	CloudGuard Objects (Data Center Servers and Data Center Objects) are not supported in Global Domain.	R80.20
VSECC-1062	Data Center Objects are not supported in Threat Prevention Exceptions that are installed on R77.20 and R77.30 Security Gateways (R80.x SmartConsole -> SECURITY POLICIES App -> Threat Prevention section -> Exceptions).	R80.20
CloudGuard Controller - CloudGuard Objects Naming
VSECC-1064	Non-ASCII characters (non-English languages) in 'Data Center Server' properties (i.e., user, password and shared secret fields) are not supported. (If an object name contains one of the above characters, enforcement will not work.) If Data Center Object's name includes Non-ASCII characters (non-English languages), enforcement will work, but its name might not be displayed properly in Security Logs and Events.	R80.20
VSECC-1065	If Data Center Object name contains the following characters in its name: "{" - opening curly bracket  "}" - closing curly bracket  "[" - opening square bracket  "]" - closing square bracket "<" - less than ">" - greater than Then, the Data Center Object name will appear in SmartLog with "_", instead of of each of the above characters. For example: {Name1} will appear as _Name1_	R80.20
CloudGuard Controller Server
VSECC-1067	A policy that contains Data Center Objects is not enforced immediately after the policy installation. It takes time for the CloudGuard Controller to update the Security Gateway.	R80.20
VSECC-1068	In a Multi-Domain Security Management Server environment, VSX Gateway / VSX Cluster and all Virtual Systems that enforce a policy with Data Center Objects, must reside on the same Domain Management Server.	R80.20
VSECC-1069	For MDS HA managing a VSX gateway, a domain server must be deployed on all MDS servers that manage the VSX gateway installed with imported Data Center Objects. Note: This instruction applies to the VSX object. This is not mandatory for the virtual systems.	R80.20
VSECC-1070	VS Cluster first policy installation should not include Data Center Objects. Note: If this cannot be achieved, a full-sync must be run on the cluster by running the following on the standby member: fw ctl setsync off fw ctl setsync start	R80.20
CloudGuard Controller Enforcement
VSECC-1071	If a Security Gateway works with CloudGuard Controller and other Identity Sources, there must not be IP addresses belonging to Data Center Objects also associated with Machines in other Identity Sources. Such overlapping can result in disassociation of the IP addresses from either the Data Center Object, or Access Roles with such Machines, and improper Security Policy enforcement.	R80.20
CloudGuard Controller Monitoring
VSECC-422	After executing these commands, reboot, cprestart, and cloudguard off, Data Centers that have no imported objects, will not automatically show in the Data Center table. To see the Data Centers in the table, open each Data Center individually in SmartConsole.	R80.20
VSECC-1072	Data Centers that have no imported objects, will not appear in the Data Center table, after the cloudguard off command is run.	R80.20
VSECC-346	Problems in Data Center will not always change the status of the Security Management server in SmartConsole. To resolve: Open the Device & License information window to see the real status and update the status in SmartConsole.	R80.20
CloudGuard Controller - Nuage Networks
VSECC-1073	Virtual IPs and Floating IPs are currently not supported.	R80.20
CloudGuard Controller - VMware NSX and vCenter
VSECC-1075	VMware NSX Object - IP Set Objects with ranges or CIDR block notations are not supported. IP Set Objects representing one, or more, individual IP address/es are supported.	R80.20
VSECC-1076	Official VMware Tools must be installed on a VM in order for CloudGuard Controller to successfully pool IP addresses.	R80.20
CloudGuard Controller - Cisco APIC
VSECC-1084	CloudGuard for Cisco ACI controller IP address mapping and updates are based on ACI fabric IP learning capabilities, which requires enabling of unicast routing on the Bridge Domain containing the EPG.	R80.20
VSECC-1085	Cisco APIC versions lower than 2.1: The Cisco ACI fabric does not age out individual endpoint IP address mappings, as long as one of the IP addresses responds to keep-alive ARP Requests from the fabric. As a result, these stale IP addresses will also be learned by the CloudGuard Controller.	R80.20
VSECC-1086	Supported fabric size: The total amount of all the following objects must not exceed 100,000: Tenants Application Profiles EPGs IP addresses	R80.20
VSECC-1087	APIC HTTP URLs, which redirect to HTTPS, are not supported. Use either HTTPS URLs directly, or HTTP without redirection.	R80.20
VSECC-1088	Mixing both HTTP and HTTPS APIC URLs in the connection properties is not supported.	R80.20
VSECC-1089	When multiple APIC URLs are specified, the connectivity test will succeed, as long as one of the URLs connects. There is no requirement for initial verification for all the URLs.	R80.20
VSECC-1090	On failure to connect to all the given APIC URLs, the returned error message is for the first unsuccessful URL.	R80.20
VSECC-1091	Changes to privileges of the APIC user that was used to create the Data Center Object, are not reflected during an active login session. For example, if a new security domain is added to the user, which allows him to see a new tenant, this will not be visible to the APIC scanner. To resolve: Run the vsec_controller_stop command on the CloudGuard Controller to restart the CloudGuard Controller services and force a new login.	R80.20
VSECC-1092	If an object imported from Cisco APIC is deleted on the APIC, and then created again, the object must be re-imported into Check Point Policy. Enforcement will work properly once the object has been recreated in APIC, however the re-import is required to maintain updates for the object in the Security Management Server.	R80.20
VSECC-1093	Only the following TLS cipher suites are supported for APIC HTTPS connectivity: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA	R80.20
CloudGuard Controller - Cisco ISE
VSECC-1094	Supports up to 10 concurrent connections. This may cause intermittent failures to refresh IP information in an MDM environment where many domains use the ISE controller.	R80.20
VSECC-1095	Filtering IP-to-SGT mappings by SG name uses a wildcard ('*SG_NAME*') search, so incorrect IPs may be returned, in case two SGs have overlapping names (one is contained in the other).	R80.20
CloudGuard Controller - Public Cloud: Amazon Web Services, Microsoft Azure and Google Cloud Platform
PMTR-50503	Multi-Queue does not work on StandAlone deployment in CloudGuard IaaS for Azure or AWS, if it is deployed with a Management image	R80.40
VSECC-1096	Logs for rules with Subnets, AWS Security Groups, Microsoft Azure Network Security Groups or VMware NSX Security Groups will contain only the IP address, and will not contain the instance name.	R80.20
VSECC-1097	IPv6 information is not imported for Data Center Objects in Public Cloud. CloudGuard Gateways in Public Cloud do not support IPv6.	R80.20
VSECC-1098	Data Center Tags: Tags keys and values longer than 100 characters will be truncated to the first 100 characters and "..." will be padded to the end of the tag. In Microsoft Azure, Tag keys are case-insensitive, whereas Tag values are case-sensitive. In CloudGuard Controller, both Tag key and Tag value will be treated as case-sensitive. Meaning, the same key/value in different cases will be shown on 2 separate lines in SmartConsole.	R80.20