UPDATE: CPView Network -> Top-Protocols and Network -> Top-Connections tabs were added back. Refer to sk167903.
UPDATE: Improved Multi-Queue distribution of IPsec SPI traffic. Notes:
This enhancement is supported on the Check Point "CPAC-4-10F-C" expansion line card.
This enhancement is supported only on network interface cards that are based on the Intel controllers X710, XXV710 and XL710 (which use the i40e driver). Applies to Check Point Appliances and Open Servers.
This feature is not supported on network interface cards that are based on the Intel X722 controller (which also uses the i40e driver).
For the non-supported interfaces, the message "Failed to fetch loaded profiles" can appear in the dmesg. You can safely ignore this message. Applies to Open Servers only.
Multi-Queue configuration cannot be assigned to interfaces that use the "mlx5_core" driver (to check, run the "ethtool -i <name of interface>" command).
Multicast PIM traffic register packets are sent with checksum 0xd63f, which is non-compliant with the RFC (should be 0xdeff).
The "show neighbors dynamic-table" Gaia Clish command does not show any output.
Hardware Diagnostic Tool test fails on "Self-test" for 1GbE expansion cards when an SFP transceiver for RJ45 (Copper) is connected to the appliance. Refer to sk112857.
PMTR-50501, PMTR-51666, VSECNSX-1511
Output of the "ethtool --show-channels <name of interface>" command does not show the actual number of queues on an interface.
When you are connected to Gaia Portal with Internet Explorer and click the "Upgrade Report" link during an upgrade with CPUSE, the report window opens blank and does not show any information.
Applications like Provider.exe and Fwpolicy.exe (SmartDashboard) cannot be used to connect directly to the Security Management server or the Multi-Domain Security Management server.
An administrator fails to log in with SmartConsole after another user was configured in SmartConsole with a name identical to that administrator's name and the session was published. Refer to sk133273.
You can run the mds_import command on the Multi-Domain Server only after a Clean Install. If the mds_import command fails, you must reinstall the Multi-Domain Server.
There is no cross-Domain search for network objects.
Creating a secondary Domain Management overrides files in the $FWDIR/lib/ directory on the primary Domain Management. Refer to sk122538.
A Security Management server cannot be installed as a secondary Management for a Domain server.
An administrator with Manage Session permissions on a Multi-Domain Management Server, but not on a specific Domain, can manage the session from the Sessions view at the MDS level. Session publish may fail.
For Multi-Domain Log Servers, Remote Log Servers that are not defined as Domain Log Servers are not supported.
The "p1shell" command is obsolete and was removed from the "mdsconfig" menu.
SmartConsole / Management Console
UPDATE: LSMcli "Convert ROBO" and "Convert Gateway" commands are now supported.
UPDATE: Geo Policy is now supported through Updatable Objects in the Access Control Policy as described in sk126172. R81 Security Gateways and Clusters no longer support Geo Policy configured in SmartConsole > Security Policies > Shared Policies > Geo Policy.
The Device and License Status of Threat Emulation may be incorrect when there is a trial license on the Security Gateway.
The Tasks tab -> Script Results supports up to 10,000 characters only.
Before you can publish a session, you must connect to it and set the session name and description.
A customized role that has no write permissions does not appear as read-only in the session view, although it is actually read-only.
Disconnecting the SmartConsole session while creating or configuring VSX objects can cause management database inconsistency, after which the administrator is unable to make any changes to the VS. The message "Internal Error: Cannot get object XXX from table vs_slot_object" pops up.
Cannot log into SmartConsole after changing the time in the Gaia Portal.
When session details enforcement is configured, publishing a remote session is not blocked even if session details are not provided.
After opening a number of logs in the Logs and Monitor view, then using the Revert to Revision feature in Manage & Settings, the revert to revision window may show this message: "HTTP ERROR 404".
In some scenarios, the "<Object_Name> is no longer supported. Enforcing security for this object is not possible." validation warning appears regarding an updatable object. However, the object is still available in the updatable objects picker.
In some scenarios (depending on Windows activity), SmartConsole is not disconnected after the time specified in SmartConsole -> Manage & Settings -> Permissions & Administrators -> Administrators -> Idle Timeout.
Importing a large SmartEvent database can take a long time to complete.
Correlated "Web Browsing" events are not shown by default.
In R80.x, you can only define SmartEvent at the global level and then configure it to read logs from one Domain or a number of domains. SmartEvent cannot be defined in a specified domain.
For SmartEvent connected to R77.x Security Management Server or Multi-Domain Management Server: If an object is not listed in the Log Servers table in the Correlation Unit settings, change the object from the SmartConsole (for example, its color). This will cause the re-synchronization of the object.
SmartEvent cannot be enabled on a 5400 Security Appliance.
Logging / SmartLog
In a Multi-Domain Management environment, you cannot have a dedicated Log server for a specific Domain Management.
In a rare scenario on a Multi-Domain Server / Multi-Domain Log Server, several Domain Indexer processes may fail with a core dump and print the "Failed to start web server (Probably another server listens on the same port)" message to the $INDEXERDIR/log/log_indexer.elg file.
In some scenarios, Correlation units cannot be added to a remote Log server.
When there is more than one policy, and a rule changes, Application Control and URL Filtering Best Practices will show incorrect scores until a full scan is run.
When changing the Gaia Management interface, on which Multi-Queue is configured, to a different interface, the Multi-Queue state on the original interface will remain 'off', even when using a global Multi-Queue mode 'auto'. Refer to sk167200.
Enhancement: Starting from R81, the "exe" file type is selected by default in Threat Prevention profiles.
UPDATE: Added these fields to the "Policy" section of Threat Extraction logs:
Threat Prevention Rule id
Threat Prevention Policy
Threat Prevention Rule Name
In a ClusterXL Load Sharing mode:
Due to the nature of transferring files over multiple connections, the following protocol features might not be inspected properly:
HTTP 206 Partial Content
FTP REST command used over multiple connections
Protection based on threshold count (between connections) might not work properly:
Static protections (DNS tunnel, Sweep Scan protection, VoIP SIP, MGCP protection may not work over NAT)
Protections that contain cross-connection logic
UPDATE: VTI interfaces are now supported in VSX mode.
01298013, 01347319, PMTR-47561
The "vsx_util reconfigure" command fails with "Failed to fetch configuration information from". Refer to sk98001.
The "vsx_util reconfigure" command on Security Management Server / Domain Management Server fails to resume with "Error: Interface 'Interface_Name' exists in the management database, but not on the gateway". Refer to sk105441.
In some scenarios, Remote VPN client disconnects immediately after a successful connection.
VPNRA-297, VPNRA-298, PMTR-45844
The vpnd daemon may stop working during policy installation when the Mobile Access blade is used.
PRJ-8794, VPNRA-316, PMTR-48740
Improved the Access Control Policy installation time for environments with a large number of objects and the IPsec VPN blade enabled. Refer to sk166321.
Capsule Connect clients may fail to connect to the Security Gateway with the "CCCKMP: Internal error (1008)" error.
In some scenarios, Remote Access VPN users are not matched against the Access Control policy, and traffic is dropped.
Added stability improvement for Remote Access VPN.
Policy verification fails if the policy contains GTP or Diameter services, and you install it on an R8x Security Gateway.
Endpoint Security (SmartEndpoint)
A standalone Remote Help Server for Endpoint may not automatically start syncing with the primary Endpoint Management server when it connects for the first time. The result is that users and devices do not show in the SmartEndpoint pre-boot Remote Help and Web Remote Help.
When you enable the Endpoint Policy Management blade on a Security Management Server, the connection to these services automatically changes from the default port 443 to port 4434:
SmartView Web Application
Management API Web Services
If you disable the Endpoint Policy Management blade, the services connection port automatically changes back to the default 443.
CloudGuard Controller - General Limitations
NEW: Added support for Data Center objects with ClusterXL configured in Active/Active mode.
CloudGuard Controller - Security Policy
NEW: Added support for Data Center Objects on NAT and HTTPS policies.
CloudGuard Controller - Public Cloud: Amazon Web Services, Microsoft Azure and Google Cloud Platform
Multi-Queue does not work on a StandAlone deployment in CloudGuard IaaS for Azure or AWS if it is deployed with a Management image.