Support Center > Search Results > SecureKnowledge Details
Maestro R80.30SP Jumbo Hotfix Accumulator Technical Level

Table of Contents:

  • Introduction
  • Availability
  • Important Notes
  • Resolved Issues per Take
  • Installation Instructions
  • Replaced Files
  • Revision History


R80.30SP Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues for products running R80.30SP.

This Incremental Hotfix and article will be updated periodically with new fixes.

The list of resolved issues below describes each resolved issue and provides the Take number in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). The date on which this Take was released appears next to the Take number. 


Recommended Take 

Product  Take Date CPUSE Offline Package
Orchestrator Take 210 and above  02 Dec. 2019 See sk155832
Maestro Gateway Take 97 30 Nov. 2021 (TGZ)

Latest Take 

Product  Take Date CPUSE Offline Package
Orchestrator Take 210 and above  02 Dec. 2019 See sk155832
Maestro Gateway Take 108 02 Jan. 2023 (TGZ)

Important Notes

  • Each of the Jumbo Hotfix Accumulator Takes is based on Check Point R80.30SP.

  • Upgrade of CPUSE Agent is not supported on R80.30SP.

  • R80.30SP is not supported on Orchestrator appliances MHO140 and MHO170. For Orchestrators, use R80.20SP with the Jumbo Hotfix indicated in the table above. 

  • This Jumbo Hotfix Accumulator must be installed only after the successful completion of the Gaia First Time Configuration Wizard and a reboot.

  • For Gateway installation: All CPUSE commands must be run through the gclish shell only.

  • To check the Take number of the currently installed R80.30SP Jumbo Hotfix Accumulator (if it is installed), refer to the last section of this command: [Expert@HostName:0]# asg_provision

  • For Known Limitations, refer to sk148074: Known Limitations for Scalable Platform and Maestro Appliances. . 

Resolved Issues per Take

ID Description
Take 108 (02 January 2023)
MBS-15907 UPDATE: Added configurable protection for blocking brute-force attacks on VPN's SNX portal. Refer to sk180271.
MBS 14488
All Security Group Members but the SMO may go into the "Down" state after an Anti-Malware policy installation fails. Refer to sk177607.
MBS-15750, PMTR-83873 CPUSE upgrade packages are not available when working in "High Availability over Load Sharing" mode with VPN enabled. 
MBS-16342, PMTR-88702 In some scenarios, the sp_upgrade script does not recognize that a Security Gateway is in VSX mode. As a result, the upgrade fails.  
MBS-15631, PMTR-71738 In rare scenarios, when you change the number of CoreXL instances in a VS, the procedure fails, and the SMO goes down (SMO failover occurs). Then the modified VS does not run on the SMO.

Rebooting the applicable SGM or executing the "cpstart" command from the applicable VS returns the SMO to the ACTIVE state.
After an upgrade to Jumbo Hotfix Accumulator R80.30SP Take 97 or Take 101, a member may be in Down state with a "pull_config" pnote.
Take 101 (03 February 2022)
MBS-15151,  PMTR-76352 The clock verifier test (clock_verifier -v) does not work.
In the VSLS mode, you cannot configure the Security Group to forward specific inbound connections to the SMO with the "asg_excp_conf" command.
ADLOG stops working during policy installation.
When the user connects more than one cluster to the same network segment (see sk25977), port flapping can occur because two different cluster members have the same correction MAC address.
Changing the VLAN ID of an existing interface might cause a traffic interruption. See sk176929.
Security Group Members may drop internal connections over the sync interface because the kernel table "cluster_members_ips" is empty. See sk176404
Improved the stability of the Gaia backup functionality in Scalable Platforms.
In some scenarios, link flapping on a Maestro Gateway may cause an unexpected site failover, cluster state flapping on the other Gateways, or packet drops.
In a rare scenario, the CPD process may crash during policy installation. The issue occurs from Take 82 of the R80.30SP Jumbo Hotfix Accumulator.
The Message of the Day (MOTD) is not updated with the results of the "asg diag verify" command when the default shell is gClish (see sk175963).  
MBS-15075 When the user runs the "reconfigure_snmp_alerts" script with the "/usr/scripts/reconfigure_snmp_alerts" command, the script does not correctly parse authentication passwords that include a  ">" character. 
The "ip_block" command now supports comments using the "#" character in the feed file and ignores the lines that start with this character. 
Take 97 (30 November 2021)
MBS-13650 Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 237 of the R80.30 Jumbo Hotfix Accumulator (see sk153152).
MBS-15049 The R80.30SP Jumbo Hotfix Accumulator supports upgrade to R81.10.
PRHF-15323 In a Dual Site Maestro environment, traffic is interrupted intermittently when a Domain object is used in the Rule Base. 
MBS-14519 Multicast traffic may cause high CPU load on all SGMs.
PMTR-70886 Security Group might drop traffic (drops by PSL) when it passes over a Bridge interface and failover occurs.  
MBS-8410 Enhancements:
  • Added IPv6 dynamic routing support.
  • Changes to IPv6 link-local addresses:
    • By default, all Chassis / Sites in the Security Group will have the same IPv6 link-local address for a given logical interface (previously, each Chassis / Site had its own IPv6 link-local address due to different MAC addresses).
    • By default, all VLANs on a particular physical interface will have unique IPv6 link-local addresses (previously, each VLAN shared the same IPv6 link-local address as the parent physical interface).
Take 82 (05 September 2021)
MBS-14597 Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 317 of the R80.20SP Jumbo Hotfix Accumulator (see sk155832).
MBS-13605 Enhancement: The asg perf command calculates memory use differently from CPView. For the most accurate value, refer to the output of the asg perf command. 
PMTR-71419 Using Static NAT for the destination in asymmetric connections may lead to Out of State traffic drops.
MBS-13975 In rare scenarios, the core dump files are created for the fw_full process.
Take 75 (06 April 2021)
MBS-13520 During a gradual Jumbo Hotfix upgrade on a Security Group’s Gateways, LACP bond slaves may get suspended if there are active Gateways in the same Security Group and in the same site with different Jumbo Hotfix versions. The issue may continue until the upgrade completes and all of the Gateways’ Jumbo Hotfix versions are aligned.  
Take 73 (07 March 2021)
MBS-13420 Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 310 of the R80.20SP Jumbo Hotfix Accumulator (see sk155832).
MBS-12809 Enhancement: Updated the Check Point Support Data Collector (CPSDC, see sk164414). Changed the name of the cpdata_collector_sp command to cpdata_collector.
MBS-10123 Enhancement: Added support for the new SNMP OIDs to get performance statistics from VSX Virtual Systems.

Configuration in Gaia gClish
  1. Run: g_all "vsx mstat enable"
  2. Run: g_all "reboot"
  3. Configure SNMP v3 in the VS mode as described in sk90860.
SNMP OIDs - statistics from the specified Virtual System, statistics from each cluster member:

Number of concurrent connections -*
Physical memory -*
Packet rate -*
Throughput -*
Interface packet rate -*
Connection rate -*
Virtual memory -*

SNMP OIDs - statistics from the specified Virtual System, total statistics from all cluster members
Total number of concurrent connections -
Total packet rate -
Total throughput -
Total connection rate -
MBS-12230 Enhancement: Ability to configure SNMP Traps in Gaia gClish. For more information and configuration instructions, see sk171394.
MBS-11953 Enhancement: Added support for the Threat Extraction Software Blade in VSX mode
MBS-4414 While a Security Group Member reboots, some existing connections can fail on the Security Group. See sk169765
PRHF-9930 In a rare scenario, traffic is dropped with the "[ERROR]: up_handle_get_matched_service_clob: no clob list on handle for type SERVICE;" error in dmesg.
MBS-2581 Logs generated by Software Blades on Scalable Platforms, do not show the Group ID and SGM ID. 
MBS-12714 Remote Access client using the Visitor Mode, or connecting to a Mobile Access Portal, may disconnect several seconds after it connected.
MBS-12669 Improved the stability of the VPND process when a "CCCclientRequest" packet is sent. 
MBS-12375 Commands in Gaia gClish fail with:
CLINFR0739 error in command execution; see "/var/log/messages"
The /var/log/messages file shows:
clish[<PID>]: timeout on read from all remote nodes; connections lost
Refer to sk170301
PRHF-14951 Improved the stability of IP Pool NAT.

Added full support for VSX Virtual Switches.

Important Note: If you created Virtual Switches in R80.30SP with the R80.30SP Jumbo Hotfix Accumulator Take 56 or Take 49, you must install a special hotfix before you install the R80.30SP Jumbo Hotfix Accumulator Take 73 or higher. Refer to sk171917. 

MBS-11367 In rare cases, a Security Group member can crash (with the message "Entering kdb") during the installation of the R80.30SP Jumbo Hotfix Accumulator.
MBS-9716 After a Security Group Member reboot, the output of the "asg monitor" command shows its state as "Detached". See sk169764.
PRHF-14952 Improved Security Gateway operation during a large number of connections per second.
PRHF-14534 Improved access to kernel global tables preventing lock contention. 
  1. Enabled configuration of more than one CPU core for the MDPS Management plane.
  2. Resolved an issue when a policy installation overrides the MDPS resource configuration. For more information about Management Data Plane Separation (MDPS), see sk138672.
MBS-11674 Fetching packet capture from a violation log in SmartConsole fails with the error "Failed at getting the incident file from the gateway".
MBS-11670 The configuration of Rate Limiting for DoS mitigation in SecureXL (the $FWDIR/conf/fwaccel_dos_rate_on_install script) is not synchronized between Security Group Members.
MBS-13282 The /var/log/send_alert* files repeatedly show this message for different interfaces: "Site <X> eth<X>-<XX> link is up".
MBS-11765 Gaia users other than the 'admin' cannot use SCP to connect to a Security Group Member, even if the default shell '/bin/bash' and the 'admin' role are configured.
MBS-9767 VPN IKE packets are forwarded to a Security Group member even after its state changes to "Down".
MBS-11764 The output of the "show smo verifiers" command shows that the "ARP Consistency" test fails. This issue was caused by an unused padding in the kernel table 'arp_table'.
MBS-11956 These Gaia gClish commands do not take effect on all Security Group Members:
  • set user <username> password-hash
  • set user <username> force-password-change
MBS-9820 Added support for the Management Data Plane Separation (MDPS). See sk138672.
MBS-12280 If the IPSec Software Blade is disabled, this message appears repeatedly in the /var/log/messages file (refer to sk170852):
fwhandle_get(fwvpn.c:4288): Table kbufs - Invalid handle XXX (bad pool).    
MBS-8379 Added support for secondary IPv4 addresses (aliases) on the data ports of a Security Group (Maestro and Scalable Platforms). See sk167073.
Note: This does not apply to VSX mode.
PRHF-11517 The FWD process stops working randomly on Security Group Members on Scalable Chassis and Maestro (for more information and configuration instructions, see sk168692).
PRHF-15535, PMTR-65841 Added support for the SNMP sysOID . for Maestro Orchestrators.
MBS-11960 Added support for ISP Redundancy.
MBS-13224 Added support for Policy-Based Routing (PBR) in VSX mode.
MBS-12143 Static routes with the "ping" option enabled (to ping the next hop gateways) do not appear on some Security Group Members.
Take 56 (26 January 2021)
MBS-12874 Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 226 of the R80.30 Jumbo Hotfix Accumulator (see sk153152).
MBS-8558 Improved stability of the FWK daemon.
PRHF-14900 Improved stability of the QoS Software Blade when an interface goes down and up.
  • Output of the asg diag command shows that the "License" test fails because of the IPS license.
  • Output of the asg_license_verifier command shows "ERROR: No license for 'IPS-1' [mandatory feature 'ips']". 
MBS-7805 After adding a slave interface to a Bond interface, the output of the asg diag command shows that the "Distribution Mode" test failed because of an issue with the slave interface.
MBS-11927 The output of the asg_dr_verifier command contains the line cat: /proc/self/vrf: No such file or directory. Refer to sk171073
  1. Output of the asg monitor command shows that the state of the SMO Security Group Member is "Down".
  2. Output of the cphaprob list command shows that the Critical Device "Pull_config" reports its state as "problem".
  3. The $FWDIR/log/fwd.elg file on the SMO contains this message repeatedly: "fwauthd_init: got known service port XXX ... choosing another one".
  1. Output of the asg monitor command shows that the state of a Security Group Member is "DOWN".
  2. Output of the cphaprob list command shows that the Critical Device "Policy" reports its state as "problem" on the Security Group Member.
  3. Output of the asg_policy verify -a command shows "Failed" in the "Status" column for the Security Group Member.
  4. Output of the asg_policy verify -a command shows "Policy date is lower than max policy date" in the "Summary" section for the Security Group Member.
PRHF-14165 Memory leak may appear in VPN and CPAS configuration.
Fix is relevant for Gaia 3.10 only.
PMTR-62477 Half-closed accelerated TCP connections may take too long time to expire.
PRHF-14268 Certain scenarios do not free allocated memory after sending a packet from kernel addressing fragment correction.
MBS-12525 The output of the ps -aef | grep [d]efunc command shows multiple zombie processes "[sh] <defunct>".
The issue occurs after a reboot or policy installation.
MBS-12490, PMTR-61822 Connections may be wrongly matched on Domain or Updatable objects used in Security policy.
MBS-12642 Gaia scheduled backup fails to run.
The /var/log/messages file contains the error "scheduled_backup: SGM isn't SMO, skipping scheduled backup".
Take 49 (26 October 2020)
MBS-12224 If only one CPU core runs as a CoreXL SND on Security Group Members, these cosmetic issues can occur:
  • Output of the asg_perf command is empty.
  • Output of the cores_verifier command shows "Error: unable to obtain value from smodb". 
  • Output of the cores_verifier command shows "Error: BPEth0 doesn't exist in /proc/interrupts". 
MBS-12182 Output of the asg monitor -v command shows "0 / 0" in the "Bond" unit. The cluster does not monitor the bond interfaces as part of the site grade.
MBS-12386 Mobile Access fails to start on all Security Group Members after the installation of the R80.30SP Jumbo Hotfix Accumulator Take 45.
Take 45 (02 October 2020)
MBS-11529 Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 215 of the R80.30 Jumbo Hotfix Accumulator (see sk153152).
  • Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 215 of the R80.30 Jumbo Hotfix Accumulator (see sk153152).
  • Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 295 of the R80.20SP Jumbo Hotfix Accumulator (see sk155832).
Take 32 (07 April 2020)
MBS-10318 Take 32 of the R80.30SP Jumbo Hotfix Accumulator blocks its installation on top of the R80.30SP Take 41 and above image (because all these fixes are already integrated).
Take 31 (10 March 2020)
(Take 31 was replaced with Take 32.)
MBS-7208 After a snapshot was reverted on a member, the output of the asg diag command may show "Policy signature doesn't match on all SGMs".
MBS-9401 Connections may fail, if their packets need to be forwarded internally more than one time.
MBS-9427 Output of the asg perf command may show incorrect number of CPU cores that run as CoreXL SND.
MBS-9582 Configuration actions may fail in the Gaia Portal of a Maestro Security Group.
MBS-9778 Memory leak in the sgm_pmd process.
MBS-9838 Improved recovery for traffic distribution if there were communication issues between Security Appliances and Orchestrators.
MBS-8900 External interface of a VSX Virtual Switch is not monitored by the VSX cluster. As a result, cluster failover does not occur if there are issues with that interface.
MBS-9400 In VSX mode, packets are not forwarded correctly to other members if packets arrive at a wrp interface.
MBS-9354 VPN tunnel over NAT-T with a DAIP peer might not work when Layer 4 distribution is enabled.

Installation Instructions

For installation instructions, refer to the "Installing and Uninstalling a Hotfix" section of the Check Point Maestro R80.30SP Administration Guide.  

Replaced Files

To receive a list of files replaced by this Jumbo Hotfix Accumulator, contact Check Point Support.

Revision History

Show / Hide this section
Date Description Aligned with R80.30 JHFA Take (sk153152)
02 Jan. 2023 Release of Take 108 Take 237
03 Feb. 2022 Release of Take 101 Take 237
30 Nov. 2021 Release of Take 97 Take 237
05 Sep. 2021 Release of Take 82 Take 226
06 Apr. 2021 Release of Take 75 Take 226
07 Mar. 2021 Release of Take 73 Take 226
26 Jan. 2021 Release of Take 56 Take 226
26 Oct. 2020 Release of Take 49 Take 215
02 Oct. 2020 Release of Take 45 Take 215
07 Apr. 2020 Release of Take 32 -
10 Mar. 2020 First release of this document (Take 31). -

Give us Feedback
Please rate this document