| ID |
Symptoms |
| Installation and Upgrade |
01868136,
PMTR-47259 |
After upgrading, the Gateway Properties -> HTTP inspection page may show "Failed to load Plug-in Page: SSLInpectionPage". |
02411778,
02421533,
02421989,
PMTR-47570 |
After upgrading a Full HA deployment, policy installation fails due to SIC problem with the secondary member. |
| Gaia OS |
| - |
Connеctivity upgrade is not supported. |
| - |
Stand-Alone deployment is not supported on Gaia 3.10. |
| 02730903 |
In some scenarios, unable to create snapshots. Refer to sk123612. |
02559795,
02560843 |
Snapshot creation reaches 93% and stops, although there is enough space. Refer to sk119675. |
02483806,
02490757,
PMTR-47124 |
External NIC is not detected after upgrade to R80.x / Clean install of R80.x. Refer to sk116587. |
02167050,
02184450,
02491287,
02359422 |
Setting state of interface to "off" on Gaia OS does not turn off the link on that interface. Refer to sk112598. |
| GAIA-4937 |
Installing R80.20, R80.20.M2 and R80.30 Security Management Server with CPUSE or Blink on a machine previously installed as a R80.30 Security Gateway that uses the Linux Kernel version 3.10 is not supported. |
| GAIA-6992 |
CPUSE Clean install is not supported for 23000 appliances. |
| GAIA-2648 |
On CloudGuard for Azure, the 'ethtool -G' command is not supported. |
| GAIA-2649 |
On CloudGuard for AWS, the 'ethtool -G' command is not supported. |
| GAIA-6184 |
"Error while stopping check point processes" error when installing packages on a VSX environment. |
PRJ-2583,
GAIA-5732 |
The fw ctl multik utilize command is not supported in the User Mode Firewall (USFW). |
| GAIA-5914 |
Drop templates are not disabled for USFW (User space Firewall mode). |
GAIA-3944,
GAIA-3957 |
When running the Hardware Diagnostic options of the RMA tool, "ipsctl_get_family_id:received error" messages may appear. |
| GAIA-4849 |
OSPF is not supported with unnumbered VTIs. |
| GAIA-4573 |
Upgrade is only supported between kernel 3.10 versions (R80.20 3.10 and R80.30 3.10). |
PMTR-46091,
CPDIAG-1615 |
CPview may show partial information, if there are more than 256 interfaces configured on the system. |
| Security Management |
| PMTR-32627 |
Added support for UTM-1 Edge X series devices. |
| PMTR-44738 |
Error: "Management HA synchronization failed due to insufficient disk space in the root partition." may appear in SmartConsole. |
PMTR-44844,
PRHF-6754 |
In a rare scenario, policy installation fails with "Policy installation had failed due to an internal error". Refer to sk163482. |
| Multi-Domain Management |
| 01965750 |
If you create or delete Domain servers of the same Domain from many Multi-Domain Servers, the Domain can become corrupted, with recovery from Check Point Support required. |
| PRJ-5065 |
Import of Multi-Domain Management Server fails when R80.30 Jumbo HotFix Take 19 is installed on the target machine and the source machine is R77.x. Refer to sk162032. |
01995628,
01993689,
PMTR-47544 |
After a Global policy has been assigned to a Domain, the revert option in the Domain "Network Layer -> History" window no longer functions. |
| IPS |
| PMTR-47530 |
In some specific scenarios, IPS update operation failed after an upgrade from R80.10. |
02219579,
02252490 |
Thresholds for 'IPS Bypass under load' are not tunable in Full HA environment. Refer to sk112659. |
| Content Awarenes |
| 02455334 |
Content Awareness can inspect different types of files, of any size. A Web browser or FTP client may use several connections to upload or downloaded a file. For web browser this typically happens when downloading large PDF files from the Internet. In those cases, the Security Gateway inspects each connection separately. This may affect its ability to inspect text inside the file. |
02436860,
PMTR-47668 |
Content Awareness supports HTML forms using URL encoding (also known as Percent-encoding). HTML traffic, encoded (binary to text encoding) as Base64 and NCR, is not properly inspected for content. |
| Threat Prevention |
PMTR-33033,
AVIR-602 |
Threat Extraction for Web-downloaded files is not supported on IPv6 traffic. |
| SmartConsole / Management Console |
| PMTR-35845 |
In some scenarios, Installation Targets do not show the correct gateways when cloning and editing the installation targets in the same session. |
| PMTR-34087 |
Access roles are not shown in the Object explorer -> "Unused objects" filter. |
| PMTR-43325 |
In Dynamic IP configuration, when entering SMS Provider details and email not in order (mail: first then sms, policy installation fails with "internal error". Refer to sk120358. |
02458203,
PMTR-47660 |
Policy installation includes an implicit database install operation. As a result, the policy installation task in SmartConsole only completes after the end of the database installation task. This does not delay policy enforcement on the gateway. |
| PMTR-45443 |
When creating SecuRemote DNS object with more than 6 characters as Domain suffix, it fails with the "Domain suffix contains illegal characters" error. |
| PMTR-15093 |
Domain Management Server and Domain Management Log Server must be removed form a policy package before deleting their representing objects. |
PMTR-46635,
PMTR-46701 |
For SmartConsole installed on Windows 10, legacy gateway editors and the Global Properties editor to not display correctly when Windows 10 display scaling is set to more than 125 percent. Refer to sk155892. |
| SmartProvisioning |
PMTR-34425,
00904551 |
VPN tunnel with ROBO Gateway managed via SmartProvisioning can not be established after upgrading the Security Management Server. Refer to sk106628. |
| PMTR-38799 |
In some scenarios, SmartLSM (Smart Provisioning) unexpectedly crashes when editing topology of Security gateway or Cluster. |
| SmartEvent |
| 02499980 |
For Global SmartEvent connected to a Multi-Domain Management Server: Search suggestions from SmartConsole appear for Super Users only (Multi-Domain Super User and Domain Super User). |
| SL-1767 |
In SmartEvent policy, adding an exclusion for sensor alert event by event id (e.g. id=20300) causes policy install failure. Refer to sk139854. |
| SmartUpdate |
PMTR-38669,
MCFG-199 |
SmartUpdate generates Audit log even when no action was taken. |
| Logging / SmartLog |
| - |
Added support for Log Exporter 'Filter' feature. For details and updates, refer to sk122323. |
| ClusterXL |
| CLUS-1752 |
ClusterXL in Load Sharing mode may drop traffic after a cluster member is rebooted, due to inconsistency of MAC addresses saved in the Firewall kernel and in SecureXL kernel. |
| VSX |
01465442,
01436496 |
An upgraded cluster member goes into Ready state after the reboot, even before the rest of the cluster members are upgraded. |
01562612,
PMTR-47565 |
If a Virtual System is the Hub of a Star VPN Community, it cannot support SmartLSM gateways as satellites. |
02532554,
02532716,
PMTR-47564 |
"CLINFR0699 Invalid command" error when a user with read-only Gaia OS role runs the "set virtual-system" command on VSX Gateway. Refer to sk118693. |
01548786,
PMTR-47490 |
The "vsx_util change_mgmt_subnet" command does not support IPv6. |
| VPN |
| PMTR-8855 |
If a Remote Access VPN client roams from a NATT tunnel (which the Security Gateway accelerates) to a TCPT tunnel (which the Security Gateway does not accelerate), all the existing accelerated connections from the Remote Access VPN client are terminated on the Security Gateway. New connections from the Remote Access VPN client are established as expected. |
02702969, 02706012,
PMTR-40748 |
Security Gateway accepts an other Diffie-Helman group then is configred. Refer to sk122438. |
02514005,
02534915,
PMTR-47505,
PMTR-42268 |
- DAIP devices deployed as VPN Satellite gateways, do not support VPN link fail-over between a static link (using permanent IP address) to the DAIP link, and vice-versa.
- Trusted interfaces are not supported for DAIP devices.
|
| Smart-1 |
PMTR-43686,
PMTR-40161,
GAIA-6587 |
Smart-1 3050 / 3150 appliance fails to install or upgrade to R80.20/R80.30 if Intel 82598ES 10G network card is active. Refer to sk146512. |
| SNMP |
01852762,
01858277 |
Output of the "snmptranslate" command returns different OIDs for objects in "chkpntTrap" branch. Refer to sk108697. |
| Hardware |
| PMTR-26873 |
In an extremely rare scenario, after an appliance boots, names of some interfaces might contain "_rename" after their usual names. For example: "eth5_rename", "Sync_rename". |
| Dynamic Routing / Advanced Routing |
01910711,
01921543,
PMTR-47780 |
In VSX, BGP Multi-hop does not work correctly when configured on a Virtual Router. Do not configure it. |
01920724,
PMTR-47739 |
RouteD with BGP Multi-hop consumes 100% CPU. If RouteD gets a route to the BGP peer from the peer itself and that route has a lower rank than the route used to establish the BGP connection then this route becomes active and routed starts using it to connect to the peer. This causes the BGP peer route to be deleted and return back to the original route since in BGP Multi-hop routed cannot use BGP routes to connect to peers. This scenario repeats endlessly and causes the high CPU utilization. |
01490849,
PMTR-47732 |
In VRRP mode, the OSPF state is not synchronized and a new master cannot take the helper responsibility from the previous master. |
01474954,
PMTR-47727 |
Fast failback with OSPF GR is not supported. A restart or failover during GR results in traffic outage. |
01685327,
PMTR-47729 |
BGP routes cannot be used to establish connections to Multi-hop peers. |
01499120,
PMTR-47734 |
A change in topology can cause an unsuccessful exit of OSPF GR. |
| CloudGuard |
| 00525805 |
User cannot configure a VLAN using the VM Guest Operating system in an ESX environment. |
| Mobile Access |
02361011,
PMTR-47742 |
When using Mobile Access file shares with VSX, the DNS resolving of the hostname might not work correctly with file shares. |
