Support Center > Search Results > SecureKnowledge Details
Check Point R81.10 Known Limitations Technical Level

This article lists all of the R81.10 GA specific known limitations and unsupported features, including limitations from the previous versions.

This is a live document that may be updated without special notice. We recommend registering to our weekly updates in order to stay up to date. To register go to UserCenter > ASSETS / INFO > My Subscriptions.

For more information on R81.10, see the R81.10 Release Notes, R81.10 Home Page and R81.10 Resolved Issues.
Visit Check Point CheckMates Community to ask questions or start a discussion and get our experts assistance.

Important notes:

  • To see if an issue has been fixed in other releases or Jumbo Hotfixes, search for the issue ID in Support Center.

  • To get a fix for an issue listed below, contact Check Point Support with the issue ID.


Click Here to Show the Entire Article

Unsupported Features


Table of Contents
  • Installation and Upgrade
  • Licensing
  • Gaia OS
  • Security Management / Management High Availability
  • Multi-Domain Management
  • SmartConsole / Management Console
  • Logging / SmartLog
  • SmartProvisioning
  • SmartEvent
  • Security Gateway
  • ClusterXL
  • CoreXL
  • Dynamic Routing / Advanced Routing
  • ICAP
  • VSX
  • Threat Prevention
  • Identity Awareness
  • HTTPS Inspection
  • Mobile Access
  • VPN

Enter the string to filter the below table:

ID Description Found in version
Unsupported Features - Installation and Upgrade
PMTR-59345 Central Deployment in SmartConsole does not support:
  • Connection from SmartConsole Client to the Management Server through a proxy server. In this case, use the applicable API command
  • ClusterXL in Load Sharing mode
  • VRRP Cluster
  • Installation of a package on a VSX VSLS Cluster that contains more than 3 members.
  • On Multi-Domain Servers: Global Domain, or the MDS context
  • Standalone server
  • Standby Security Management Server or Multi-Domain Security Management
  • Scalable Platforms 40000 / 60000
  • SMB Appliances
PMTR-45775 From R80.40, Management Servers do not support UTM-1 Edge devices. Upgrade Verification fails with "The Database includes UTM-1 Edge objects. The upgrade process cannot be performed while the database contains references to UTM-1 Edge objects."
  • To delete the UTM-1 Edge objects from the database, use the LSMcli "Remove" command (see the CLI Reference Guide for your Management Server version).
PMTR-46427 Central Deployment in SmartConsole does not support installation of a Hotfix or a Jumbo Hotfix Accumulator on a ClusterXL in the Load Sharing mode. R80.40
Unsupported Features - Licensing
PMTR-47087 These products do not support the new licensing visibility features:
  • Network Security: Advanced Networking and Clustering, Capsule Cloud and Capsule Workspace.
  • Security Management: Endpoint Policy Management, SmartPortal, User Directory (LDAP).
  • Multi-Domain Management: Security Domain
  • Remote Access & Endpoint
Unsupported Features - Gaia OS
PMTR-59328 Multi-Version Cluster (MVC) does not support the restart of BGP, OSPF, OSPFv3, and PIM protocols while the cluster members run different software versions.
This applies to the Gaia Clish commands "restart <protocol>" and to the "Restart" option in the Gaia Portal on the applicable protocol pages.
PMTR-51923 The Detection of IP Address Conflicts feature does not support VLAN interfaces. R81
PMTR-48258 The Gaia "Cloning Group" feature (all its modes) is not supported in a Multi-Version Cluster (while cluster members run different release versions). R80.40
PMTR-42987 Running Hardware Diagnostic Tool on 3100 & 3200 appliances is not supported for loopback test on eth1 through eth4. R80.40
PMTR-40973 It is not supported to downgrade with CPUSE from R81.10 with kernel 3.10 to R80.x with kernel 2.6. Refer to sk170954. R80.40
PMTR-29460 Gaia Snapshot operations for importing files larger than 4GB are not supported with Internet Explorer 11. R80.30
PMTR-53785 These strings are forbidden for use in Gaia Portal and Gaia Clish (they cannot be part of any name or any user input):
eval, after, apply, catch, subset, exec
PMTR-13683 Saving the Hardware Diagnostic Tool logs to a USB stick is not supported if the USB stick is formatted as NTFS. R80.20.M1
Hardware Diagnostic Tool is not supported using Disk on Key (USB). R80.10
Unsupported Features - Security Management / Management High Availability
PMTR-58843 Revert to Revision is not supported in these scenarios:
  • The Endpoint Security Management Server is enabled.
  • If SmartConsole and the Security Management Server are connected through a proxy server, the GUI for this feature is not supported. In this case, use the applicable API command.
  • VSX configuration or related networks differ between the source and target revisions.
  • A new Domain Management Server or a Check Point object was created or deleted after the target revision date.
  • The corresponding revision of the Global Domain, or the IPS or Application Control components was purged.
PMTR-47633 The ability to edit the list of additional information fields that can be added to a Domain, administrator, and gateway is not supported. R80.10
PMTR-47144 Security Gateway / VSX gateway conversion, or conversion in the opposite direction, is not supported. R80
PMTR-47450 These commands are not supported in the SmartConsole's CLI: login, logout, discard and publish. Use the SmartConsole GUI instead. R7x
PMTR-47313 IPv6 addresses for management interface are not supported on Security Management Server. R7x
CPM-1167 Management High Availability is supported only between Management High Availability servers with the same build number. To see the build number, run cpinfo -y FW1 R80.10
Unsupported Features - Multi-Domain Management
PMTR-60851 Connecting with SmartConsole to the Domain Dedicated Log Server to see Security Policies is not supported. R81
PMTR-17365 The "Install Policy" action from a Multi-Domain Server (also through "Install Policy Presets") does not support QoS and Desktop policies. R80.20.M1
PMTR-14989 Multi-Domain Security Management does not support IPv6 address configuration. R80.20.M1
PMTR-45085 The "p1shell" command is not supported on Multi-Domain Server. R80
SNMP is not supported on Multi-Domain Management / Multi-Domain Log servers. R7x
Unsupported Features - SmartConsole / Management Console
PMTR-68286 SmartConsole does not support (or has a limited support) the High Contrast Theme in these sections and windows:
  • "Gateways & Servers" view > select a Security Gateway / Cluster object > at the top, click the Actions menu > click Install Hotfix, or Version Upgrade
  • "Gateways & Servers" view > select a Security Gateway / Cluster object > in the lower pane, click the Licenses tab
  • "Gateways & Servers" view > at the top, click Changes
  • "Security Policies" view > Autonomous Threat Prevention > click Policy, or File Protections
  • "Security Policies" view > Access Control policy or Threat Prevention policy > at the top, click Changes
  • "Manage & Settings" view > Sessions > View Sessions > at the top, click Changes
  • "Manage & Settings" view > Sessions > Revisions > at the top, click Changes
  • "Manage & Settings" view > Sessions > Revisions > select a revision > at the top, click the Actions menu > Revert to this Revision
  • "Manage & Settings" view > Package Repository
PMTR-63447 In SmartConsole, multi-faceted selection is not supported. You can select only one value in each category. R81.10
- Changes (Diff) report does not support:
  • A Standalone server
  • Changes made in the Legacy SmartDashboard
PROV-2200 The "Get Interfaces" operation on the "Network Management" page of a Security Gateway (or Cluster) object only supports up to 500 interfaces of all types.
  • To resolve: If the Security Gateway (or Cluster) has 500 or more interfaces of all types, use the API "get-interfaces" on the Management Server to pull this information.
    1) get-interfaces target-name <Name of Security Gateway> with-topоlogy false
    2) get-interfaces target-name <Name of Cluster Object> with-topоlogy true
    For more information refer to Management API.
PMTR-29092 Sorting users according to expiration date is not supported. R80.20
PMTR-20430 R80.x SmartConsole is not supported for case-sensitive installation folder.
Installation of SmartConsole complets successfully, but SmartConsole fails to start with this error message:
[Window Title] C:\Program Files (x86)\CheckPoint\SmartConsole\R80.20\PROGRAM\SmartConsole.exe
C:\Program Files (x86)\CheckPoint\SmartConsole\R80.20\PROGRAM\SmartConsole.exe

The application has failed to start because its side-by-side configuration is incorrect. Please see the application event log or use the command-line sxstrace.exe tool for more detail.
PMTR-12437 In Full HA cluster, the "Install Database" operation is supported only on the Cluster object (and not on the individual cluster members objects). R80.20.M1
ACM-1140 Creating new services in R80.x is not supported via Embedded Dashboard. New service creation can be done only from SmartConsole. R80.10
  • If a search string is not a prefix of a word, the search does not show results.
    If you enter a search string "bject", the search does not show the string "object".
  • If a search string is surrounded by asterisks, the search highlights the entire word or a prefix in the field.
    If you enter a search string "*obj*", and there is a rule with a comment such as "the object is hidden", the search shows the rule with this comment, but highlights the entire comment or a prefix of it.
- Changes to the Traditional Anti-Virus file types policy are not supported starting from R80. Use the Anti-Virus blade to change the out-of-the-box Check Point policy. R80
Unsupported Features - Logging / SmartLog
PMTR-54765 In a Multi-Domain Server environment, configuring the same SmartEvent Server on the Global Domain and on another Domain is not supported. This configuration causes duplication of the logs. R81
PMTR-59739 Filtering and TLS configurations for Log Exporter are not supported in SmartConsole, but are supported when you configure Log Exporter manually on the CLI. For more information, see sk122323. R81
PMTR-59736 In a Multi-Domain Server environment, Log Exporter configuration in SmartConsole is not supported on:
  • The MDS level (applies to Multi-Domain Server and Multi-Domain Log Server)
  • The Global SmartEvent Server
PMTR-40514 In the SmartConsole -> Logs & Monitor view -> [ + ] New Tab -> Views, sorting of the Favorites and Shared columns is not supported. R80.40
PMTR-47703 Purge, log switch and fetch log file tasks are not supported from SmartConsole.
  • Fetch log files from a remote server is available from command line only. Run: fw fetchlogs <Gateway-Name/IP>
Unsupported Features - SmartProvisioning
  • The QoS blade is not supported in R80.20 Quantum Spark Appliances (15xx/1600/1800) LSM Profile.
  • The "Pending" policy installation state that is specific to Quantum Spark Appliances is not supported for QoS policy installation on R80.20 Security Gateways (15xx/1600/1800).
PMTR-42313 This action is not supported in SmartProvisioning GUI on the "Devices" tab: Right-click on the Security Gateway R77.30 object that is managed through a Profile > click Actions > Packages > Get Gateway Data.
Available options are:
  • Upgrade the Security Gateway to R80.10 or higher
  • Manage the Security Gateway R77.30 in SmartConsole and not in SmartProvisioning
PMTR-56758 It is not supported to remove an IP address from one interface and assign the same IP address to another interface in the device object in the same edit action. "Error field: ipAddr, Desc: IP address is in the subnet of an existing network" is displayed. R81
PMTR-54979 When managing devices with the SmartProvisioning Software Blade, on the devices you must configure the connection with the Security Management Server using the IPv4 address in the "connect security-management mgmt-addr <IPv4 address of Security Management Server>" command (it is not supported to use the FQDN of the Security Management Server in this command). R80.40
Unsupported Features - SmartEvent
PMTR-39873 Login to SmartView Web application is supported only using Check Point Password authentication. R80
- SmartEvent is not supported on Full HA environment. R7x
Unsupported Features - Security Gateway
PMTR-60143 The "perf" command is not supported on Threat Emulation appliances and on all other Check Point appliances that have only one or two CPU cores.
  • On these appliances, use the "top" and "turbostat" commands to monitor the performance.
PMTR-66296 The Management Data Plane Separation (MPDS) does not support the Gaia OS "LLDP" feature. R81
PMTR-68338 TLS 1.3 is not supported in HTTPS Inspection when the Security Gateway is configured as an ICAP client or as an HTTP proxy server.
HTTPS Inspection remains limited to TLS 1.2 in this configuration even if TLS 1.3 support was enabled.
PMTR-58361 Intra-Tunnel Inspection of GTP-U user traffic is not supported. R81
PMTR-58366 The "Produce extended logs on unmactched PDUs" option is not supported in the Security Gateway (Cluster) object > 'Carrier Security' pane > 'Track' section.
As a result, it is not possible to generate informative logs for unmatched GTP-C control packets (except for a plain clean up rule logging).
PMTR-60382 ISP Redundancy is not supported with CGNAT. R81
PMTR-68991 ISP Redundancy is not supported if Dynamic Routing is configured (because the ISP Redundancy feature must create a static default route that overrides the default route created by dynamic routing). R7x
Unsupported Features - ClusterXL
PMTR-60458 Changing the ClusterXL mode to Load Sharing Multicast with the Management REST API is not supported. You must change the mode only in SmartConsole in the cluster object. R81
PMTR-59404 Geo Cluster does not support IPv6 traffic. Therefore, it is not supported to configure an IPv6 address on the Cluster and Sync interfaces. R81
PMTR-70257 In an Active-Active cluster, all multi-portals are not supported (Mobile Access Portal, Identity Awareness Captive Portal, Data Loss Prevention Portal, and so on). R80.40
PMTR-70258 In an Active-Active cluster, NAT on the IP addresses that belong to cluster interfaces is not supported (because it does not survive cluster failover). R80.40
PMTR-70259 In an Active-Active cluster, in the cluster object properties, go the Network Management page, select a cluster interface and click Edit.
In the Network Type field, it is not supported to select "Cluster+Sync" when you deploy a cluster in a cloud (for example: AWS, Azure).
Site-to-Site (IPSec VPN) is not supported with ClusterXL in Load Sharing mode. R80.40
ClusterXL Load Sharing mode is not supported in R80.20 and R80.30 Recommended versions (GA). For more information about this configuration, refer to sk162637. R80.20
PMTR-48477 ICAP Client and ICAP Server are not supported with ClusterXL Load Sharing modes.
ICAP Server is not supported with VSX Virtual System Load Sharing (VSLS).
PMTR-71376 Check Point cluster does not support PPPoE (Point-to-Point Protocol over Ethernet). R80
Unsupported Features - CoreXL
PMTR-58368 CoreXL Dynamic Dispatcher is not supported with CGNAT.
Before you install a policy with CGNAT rules, you must disable the CoreXL Dynamic Dispatcher. Refer to sk105261.
Unsupported Features - Dynamic Routing / Advanced Routing
PMTR-19481 PIM is not supported on a Security Gateway / Cluster, when Route Based VPN is configured. R80.20
Unsupported Features - ICAP
PMTR-28828 ICAP is not supported when Anti-Virus Deep Scan, Threat Extraction over HTTP or Threat Emulation hold mode is set.  R80.30
PMTR-16958 The ICAP Server feature is not supported in VSX mode deployment. R80.20
Unsupported Features - VSX
PMTR-69098 VSX Cluster in Active-Active mode does not support bridge interfaces on regular Virtual Systems (those not configured in the Bridge Mode):
  • You cannot add a bridge interface to regular Virtual Systems, if these Virtual Systems belong to a VSX Cluster in the Active-Active mode.
  • You cannot change the Cluster Mode of a VSX Cluster object to Active-Active, if there are bridge interfaces on regular Virtual Systems.
PMTR-66295 VSX does not support the Gaia OS "LLDP" feature. R81
PMTR-60113 Configuration with a Non-Dedicated Management Interface (Non-DMI, shared interface) is deprecated and not supported. R81
PMTR-60112 Unnumbered VTI is not supported. R81
PMTR-47590 Explicit conversion is not supported. R80
Unsupported Features - Threat Prevention
PMTR-59492 In a Multi-Domain Server environment, R81.10 Infinity Threat Prevention does not support the Global Domain. Other Domains are supported. R81
PMTR-59491 R81.10 Infinity Threat Prevention does not support MTA. Users can manage Security Gateways configured as MTA only in the Traditional Threat Prevention mode. R81
PMTR-42537 Threat Prevention Software blades do not support files with the HTTP 206 partial format with multiple ranges in the same HTTP connection (multipart). R80.40
PMTR-59837 SSH Deep Packet Inspection limitations:
  • SSH DPI is only supported for Security Gateways R80.40 and above, managed by Management Servers R80.40 and above.
  • Inspection of IPv6 connections is not supported.
  • Bridge Mode is not supported.
  • Cluster members do not synchronize the data about the inspected SSH traffic.
  • Cluster members do not synchronize the SSH DPI configuration.
  • Inspection of SSH traffic generated by clients, which do not support the 'Diffie-Hellman group exchange' algorithm, is not supported.
  • These SSH clients are not supported:
    • PuTTY versions 0.64 and lower.
    • OpenSSH versions 2.5.2 and lower.
    • WinSCP versions 5.7.4 and lower.
    • SecureCRT versions 5.2 and lower.
Unsupported Features - Identity Awareness
- Using Identity Awareness Captive Portal with an external SAML identity provider is not supported with Internet Explorer version 10 or lower.  R80.40
PMTR-44737 Multi-User Host (MUH) version 2 is not supported with IPv6 and does not initiate a connection to an IPv6 Security Gateway. It stays in "Disconnected" state and users are not identified.  R80.40
PMTR-64495 Identity Awareness does not support authentication of Primary Groups of user and computer accounts. By default, the Primary Groups are 'Domain Users' and 'Domain Computers'.
Access roles that are defined with User groups do not work for users with which those user groups are their primary group.
  • To use the entire Accounting Unit in an Access Role, use an LDAP group.
Unsupported Features - HTTPS Inspections
CRYPTOIS-2197 HTTPS Inspection does not support Hardware Security Modules (HSM) when inspection of TLS 1.3 traffic is enabled.
With HTTPS Inspection, you can enable only one of these features - TLS 1.3 or HSM.
Unsupported Features - Mobile Access
PMTR-60331 These limitations apply to the Guacamole feature:
  1. A dedicated Apache Guacamole Server version 1.1.0 or higher is required.
  2. The following Guacamole features are not supported:
    • The VNC protocol
    • RDP file transfer
    • The SFTP protocol
    • Session recording
  3. RDP/SSH is not supported from Capsule Workspace.
  4. RDP/SSH is supported only by web browsers with HTML5 support.
  5. RDP and SSH applications can be configured only by using their corresponding service objects in SmartConsole:
    • “Remote_Desktop_Protocol”
    • “SSH”
    • “SSH_version_2”
  6. The Clipboard function in RDP sessions is supported with these limitations:
    • Text only
    • Supported browsers: Chrome and Explorer
  7. This Single Sign-On option is not supported for Guacamole applications: 'This application reuses the portal credentials. If authentication fails, Mobile Access prompts users and stores their credentials'
  8. In a VSX environment where the 'custom user directory attribute' feature is used, adding a new Virtual System requires manually adding the customUserRecordAttribute.conf file as well.
PMTR-58003 Mobile Access rules in the Unified Access Policy do not support Native Applications that authorize non-TCP or non-UDP services (for example, "icmp-proto"). R81
PMTR-47745 The Mobile Access Portal does not support Web-Form SSO for Citrix StoreFront Web interface. R80.10
PMTR-47591 Mobile Access does not support viewing or editing files with 'Office Online apps', Microsoft's browser-based Office applications. Outlook Web Access is supported, however you cannot open or edit Office Online app files from emails. R7x
PMTR-62828 Mobile Access Portal provides optimal support for Outlook Web Access 2013 / 2016 with the Host-name Translation (HT) method, and only when 'cookies on the endpoint machine' is enabled. The Path Translation (PT) method is partially supported, while the URL Translation (UT) method is not supported. R7x
Unsupported Features - VPN
PMTR-60396 Large Scale VPN (LSV) does not support:
  • IPv6
  • Route Based VPN (VTI)
  • Two VPN peers behind the same NAT device
  • Suite-B-GCM-128
  • Suite-B-GCM-256 with IKEv1-only (it is necessary to change the global properties of Phase 1 for Remote Access VPN)
  • Multiple Hubs
  • Route Injection Mechanism (RIM)
  • IKE Aggressive Mode
  • Permanent Tunnel
  • Multiple Entry Point (MEP) VPN
  • Dead Peer Detection (DPD)
  • Global VPN Community (GVC)
  • Tunnel Per Security Gateway pair (Universal Tunnel)
PMTR-47783 NAT-T initiator is not supported on VSX Gateways. R80.10
PMTR-47235 Convert Traditional VPN to Simplified is not supported. R80

Installation and Upgrade

Enter the string to filter the below table:

ID Description Found in version
Installation and Upgrade
DP-7857 Installing policy immediately after the gateway is upgraded might fail if the Threat Prevention Policy is applicable. Refer to sk174151. R81.10
PMTR-59512 To upgrade an R77.30 Management Server that manages R77.30 Firewall-1 GX, you must follow sk169415. R81
R81 includes new logs indexing mechanism, so when upgrading Management server/Log Server/Multi-Domain Server/Multi-Domain Log Server/SmartEvent from R80.x, old log indexes are not upgraded.
The indexing mechanism will re-index the last 24 hours automatically. To increase the period of offline indexing (how far in the past to re-index the logs), see sk111766.
PMTR-61069 SmartEvent upgrade is allowed only after all Multi-Domain Servers with Active Domain Management Servers are upgraded. R81
PMTR-46384 Hotfix central deployment depends on the status reports from the gateways. Therefore, it is recommended to wait for 2 minutes after the gateways are up before running any operation. R80.40
In case of a failure in one of the Domains, during an upgrade of a Multi-Domain Server from R80.20.M1, R80.20, R80.20.M2, or R80.30 using an Advanced upgrade, the entire upgrade process stops and does not continue to upgrade additional Domains.
  • To resolve
    1. Follow the instructions in the HTML upgrade report.
    2. After the issue is resolved, start the entire upgrade again.
PMTR-13035 When you perform a clean install of an R81 on top of an existing previous version, the following error might appear after the keyboard layout selection screen: 

Warning: /dev/sda contains GPT signatures, indicating that it has a GPT table. However, it does not have a valid fake msdos partition table, as it should. Perhaps it was corrupted - possibly by a program that doesn't understand GPT partition tables. Or perhaps you deleted the GPT table, and are now using an msdos partition table. Is this a GPT partition table?

In such case, select "Yes" several times to continue with the installation.

To upgrade an R80.x Multi-Domain Management Server with configured Global Policies to the next available version: 
  1. Connect with SmartConsole to the Global Domain on your R80.x Multi-Domain Server.
  2. Reassign all Global Policies to all applicable Domains.
  3. Do not publish any changes in the Global Domain until you complete the upgrade to the next available version.
    Note: This is necessary to avoid any potential issues caused by different policy revisions on the Global Domain and on the Domains.
  4. Perform the upgrade from the R80.x to the next available version.
It is not supported to perform an in-place upgrade to R80.40 Security Management Server or Multi-Domain Security Management Server that runs in CloudGuard for Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or any other cloud providers. R80.20.M1
- R80.x supports only ext3 & ext4 file systems on Red Hat Enterprise Linux. R80.10
PMTR-47047 After upgrade оf R7X Stand Alone Server, SmartConsole disconnects from the server during the first policy install.
  • To resolve, before a first policy installation on Standalone servers, allow the CPM service in the Services & Applications column of the rulebase.
Clean install from USB device fails on Open Server because the installation process (anaconda) includes the USB installation media as part of the installation target.
Refer to sk100566.
PMTR-47252 SmartEvent blade disabled after advanced upgrade to R80.x.
  • To resolve: in the SmartEvent server object in the SmartConsole, re-enable the SmartEvent server Blade (and Correlation unit) -> Install database on it..


Enter the string to filter the below table:

ID Description Found in version
PMTR-47091 If the SmartEvent Software Blade is activated, but only the SmartEvent Intro license is installed, the License Status shows "N/A". R80
PMTR-47095 The Device and License Status of Threat Emulation is incorrect. Use the Logging -> License Status view. R80
PMTR-47532 When loaded for the first time, web components such as the licensing or monitoring view can take up to thirty seconds to show. R80
PMTR-47101 In the License Status View, the Additional Info column, quota information and quota statuses are not available for pre-R80 gateways and servers. R80
PMTR-47103 Automatic license activation on Check Point appliances is not available on pre-R80 appliances. R80
PMTR-47105 On pre-R80 gateways, license information is updated every 20 minutes.
  • To resolve, force a license update, perform one of the following actions:
    • Either install security policy on the pre-R80 gateway
    • Or on the R81 Management Server, run the following command in Expert mode:

      • On Security Management Server:

        [Expert@HostName]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>
      • On Multi-Domain Security Management Server:

        [Expert@HostName]# mdsenv <Name of Domain Management Server>
        [Expert@HostName]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>
PMTR-47108 Automatic license activation on a Multi-Domain Management Server machine works only on the MDS level and not on the Domain level. Add licenses manually for each Domain. R80
PMTR-47112 Login to primary Domain SmartConsole fails with "Database is locked by another application" error.
  • To resolve: run the cprestart command on the Management Server.
PMTR-47116 After installation, the Device License Status shows N/A and the Device License View is not accessible until policy or database are installed.
When blades are enabled or disabled, the changes are not visible in the Device License Views and Status until policy or database are installed.
PMTR-47308 The proxy that synchronizes license information with the User Center, must be at least R80 server. R7x
PMTR-47531 On SmartEvent NGSE dedicated machine, license information is not automatically updated when Installing Database.
When you enable or disable a blade, one of the following will update the license information with the change:
  • If you force a license update, changes occur immediately.
    To force a license update: On the R81 Security Management Server, run the following command in Expert mode:
    [Expert@HostName]# $CPDIR/bin/esc_db_complete_linux_50 bc_refresh <Name of Target Object>
  • Automatic update at midnight
  • If you manually change a license or contract on a dedicated machine, changes take effect within 20 minutes

Quantum Security Gateway and Gaia   Hardware / CoreXL / SecureXL / Cluster / Routing / VSX / VPN / LTE / QoS

Quantum Security Gateway | Gaia OS | Hardware | CoreXL | SecureXL | Cluster | Dynamic Routing / Advanced Routing | VSX | VPN | LTE | QoS

Enter the string to filter the below table:

ID Description Found in version
Quantum Security Gateway
PMTR-58364 During policy installation, reverse rules are not generated. See the R81 Carrier Security Administration Guide. R81
PMTR-54110 Proxy ARP entries are not generated automatically for CGNAT translated Address Ranges.
  • To resolve: Configure the Proxy ARP entries manually. Refer to sk30197.
PMTR-59152 Traffic on a single GRE tunnel cannot be distributed to multiple CoreXL Firewall instances.
Therefore, the maximum throughput of a single GRE tunnel is limited by the throughput of a single CoreXL Firewall instance.
PMTR-56389 "Authentication failure: check your username and password" message on a Security Gateway when raising the "TACP" privileges of a TACACS user in the following scenario:
  1. Configured the Management Data Plane Separation (MDPS) as described in sk138672.
  2. Configured Gaia OS roles with different privileges for TACACS users.
  3. Configured a TACACS server.
  4. Logged in with a TACACS user.
  5. Raised the "TACP" privileges in Gaia Portal (at the top of the "Overview" page, clicked "Enable") or in Gaia Clish (with the "tacacs_enable <Role>" command).
  6. Entered the TACACS user password.
To resolve
  1. Log in to Gaia Clish on the Security Gateway
  2. Add the Gaia OS "confd" process to the Management Plane. Run: add mdps task process confd
  3. Save changes. Run: save config
PMTR-56297 In a rare scenario, the Security Gateway may crash and reboot if multiple slave interfaces are deleted at the same time from an 802.3AD bond interface (for example, with the "clish -f" command). R80.40
PMTR-37712 It is not possible to add updatable objects to network groups. R80.40
GAIA-1953 Multi-Queue configuration is not preserved during a Security Gateway upgrade from a Gaia OS with the Linux 2.6 kernel to a Gaia OS with the Linux 3.10 kernel. After the upgrade, it is necessary to configure Multi-Queue again (sk153373).
Example: Upgrade from R80.20 to R80.30 v3.10, from R80.20 to R80.40, and so on.
PMTR-38747 Output of the "fw ctl zdebug + drop" command shows messages about connection drops, in addition to Firewall drops. 
These are internal debug messages that do not reflect real Firewall drops. To avoid them, use one of these:
  1. The "fw ctl zdebug drop" command without the "+" character in the syntax
  2. The full debug procedure
PMTR-42525 When Using a rule with legacy object, in or below a rule with one of the new features that are integrated in the unified policy, install policy on a Security Gateway fails with a verification message.
  • To resolve: change the order of the rules so that rules with legacy objects are above rules with new features. Refer to sk115961.
PMTR-47866 "Get Interfaces" action on gateway returns error "Failed to save cpmi interfaces" if interface name includes space. Gateway interface names must not include spaces. Refer to sk124813. R80
PMTR-17546 Logging session does not switch to the backup logging server after connectivity loss. Refer to sk118697. R7x
PRHF-66 SAM rules generate large amount of "fwsam_v1_filter: matched rule is not found" messages. Refer to sk105347. R7x
PMTR-47567 "No Such Instance currently exists at this OID" error message may appear after installing Jumbo Hotfix. Refer to sk117353. R77x
Gaia OS
PMTR-51440 While the 4x10G Fiber NIC (CPAC-4-10F-B) is installed in the appliance, the HW Diagnostics "Network Test" fails with these messages:
Network Test: Failed
General Error
PMTR-18774 To upgrade a 21000 series appliance with the SAM card (sk107157) from R80.10 (or lower) to R80.40 (or higher), you must disable the SAM Mode on all the interfaces before the upgrade:
  1. Disable the SAM mode on all the interfaces in either Gaia Portal or Gaia Clish:
    • In Gaia Portal: In the Network Management section, click Network Interfaces > edit each interface > go to the SAM tab > clear the box Enable SAM Mode > click OK
    • In Gaia Clish:
      set interface <Name of Interface> sam-mode off
      save config
  2. Reboot the appliance
  3. Upgrade the appliance
  4. Reboot the appliance
PMTR-45939 When the system goes into reboot, the message "umount: /var/log: target is busy" appears on the console, as the system attempts to unmount partitions.  R80.40
When using the 'set-time-and-date' API call, the administrator may be reacquired to log in again if the session expires.  R80.40
PMTR-46932 The default value of the Linux kernel parameter /proc/sys/net/ipv6/conf/all/accept_dad is set to '0'. The IPv6 Duplicate Address Detection (DAD) feature is still enabled by default ('set neighbor duplicate-detection state on').  R80.40
GAIA-5737 Duplicate ping messages may appear when configuring bonding groups (~30 sec), one over the X722 based network interfaces and the other on Intel X710 Based network interfaces. R80.30
GAIA-3490 10GbE i40e NICs determine their link-speed based on the type of connected transceiver (1G ot 10G) and cannot be changed manually. R80.30
Changing the MTU on the directly connected switches may cause drops of fragmented traffic due to a MTU mismatch.  R80.30
GAIA-3205 Cannot change interface link speed to 1000MB after it is changed to 100MB. R80.30
GAIA-3180 On HP Open servers with onboard NIC, the Interface status in the switch might be shown as "Connected" even though the state in Gaia is "off". R80.30
GAIA-2650 On CloudGuard for AWS, speed and duplex information is not available when using the ethtool. R80.30
MPTT-527 Importing Gaia OS configuration collected on pre-R81.10 version with the "load configuration <file>" Clish command may fail with the error "CLICMD0159 Error at line XXX. Could not execute all commands successfully."
  • This is caused by the order, in which Gaia OS commands are saved in the exported file - commands for configuring RBA roles are located before the commands for creating users. 
The Linux "iotop" utility might stop working when pressing the "i" key in the following rare scenarios:
  • Working in virtual environments (such as Hyper-V)
  • Terminal application uses specific virtual terminal settings (such as specific SecureCRT terminal settings)
"[Firmware Bug]: the BIOS has corrupted hw-PMU resources" message may appears in the output of "dmesg" command on any HP ProLiant Server running Gaia.
  • You can safely ignore this message - it does not indicate an issue with the functionality or performance of the Operating System or the server. 
    For details, see Hewlett Packard Enterprise Customer Advisory c03265132.
PMTR-47577 If the backup schedule is changed to an invalid date or time, all backup schedules are lost and "Backup schedule failed. The backup will not be scheduled" error message is displayed. R80.10
PMTR-47574 The Maintenance -> Maintenance page in the Gaia Portal was removed.  R80.10
PMTR-47120 When connecting to the network interfaces page in the Gaia Portal, an "Unable to connect to server" error shows.
  • To resolve: disable the Adblock EasyPrivacy extension of the Adblock plus add-on and try again.
PMTR-47126 If you change the members of a Gaia Cloning Group with many members down, you are logged out of the Gaia Portal with an incorrect error message: "Unable to connect to server".
The correct message is: "An error occurred while applying configuration change to all cloning group members" - the operation was successful only for online members. This is the normal behavior of the cloning group. This error does not indicate a critical failure.
PMTR-47335 The last stage of the First Time Configuration Wizard takes a long time on some machines.
To see the progress of the First Time Configuration Wizard, the user must check if these files were created on the machine:
  • /etc/.wizard_accepted - means that the First Time Configuration Wizard has finished.
  • /var/log/ftw_install.log - means the First Time Configuration Wizard has started and the user must wait until the file /etc/.wizard_accepted is created.
PMTR-47323 Newly configured user (with UID that is not 0) is not able to log in from Gaia Clish to Expert mode on VSX Gateway. Refer to sk115221 R7x
PMTR-42485 Multicast PIM traffic register packets are sent with checksum 0xd63f that non-compliant with RFC (should be 0xdeff). R7x
PMTR-47328 "WARNING The following features: NameOfFeature, , provide a privilege level equivalent to that of 'adminRole'" message in Clish when adding some read-only commands to RBA role. Refer to sk110772. R7x
PMTR-29320 Saving the configuration on Gaia OS times out with "NMSCFD0026 Timeout waiting for response from database server" error. 
Refer to sk113746
HCL-12 The HP ProLiant DL380 Gen10 does not detect all USB devices, including various USB flash drives (regardless of its content). This is not a software issue.
If a bootable USB device (with Check Point Gaia, CentOS or any other OS) is not recognized by this server, try a different USB device vendor.
ACCHA-802 On a Check Point appliance with an Expansion Line Card installed, the output of the "dmesg" command shows these errors:
pci 0000:XX:00.X: BAR <NUMBER>: failed to assign [mem size 0x<NUMBER> 64bit pref]
  • You can safely ignore these messages.
PMTR-50242 Changes in CoreXL configuration are not preserved after a reboot on a CloudGuard Security Gateway in AWS or Azure. R80.40
PMTR-18774 SAM is supported only for non-accelerated usage. Traffic connected to the Acceleration-ready 10G Interface Card (CPAC-ACCL-4-10F-21000) is handled by the host. 10G Ports on the CPAC-ACCL-4-10F-21000 cannot be assigned as SAM ports. R80.20
To prevent an OSPFv2 traffic outage, enable the OSPFv2 Graceful Restart on ClusterXL members only if all cluster members run version R81.10 or higher.
  • Best Practice: In ClusterXL High Availability mode, first enable the OSPFv2 Graceful Restart on the Active member, only then enable it on the Standby members.
PMTR-59397 If a Geo Cluster is deployed on-premises (and not in a cloud - e.g., AWS, Azure), then it is not supported to configure IP addresses from different subnets on these cluster interfaces:
  • Interfaces with the Network Type "Cluster".
  • Interfaces with the Network Type "Cluster+Sync".
PMTR-70255 In an Active-Active cluster, only these Software Blades are supported:
  • Firewall
  • IPS
PMTR-70251 In an Active-Active cluster, only two cluster members are supported - one cluster member on each site. R80.40
PMTR-70256 In an Active-Active cluster, names of interfaces that belong to the same "side" must be identical on all cluster members.

Example: If you connected the interface eth1 to Switch #A on one Cluster Member, then you must connect the interface eth1 to Switch #A on all other Cluster Members.
PMTR-70260 In an Active-Active cluster, in the cluster object properties, go the Network Management page, select a cluster interface and click Edit.
In the Topology section, only these options are supported for cluster interfaces:
    • Override > Network defined by routes (this is the default).
    • Override > Specific > select the applicable Network object or Network Group object.
PMTR-68064 TCP connections initiated from a Standby cluster member are not supported in a Multi-Version Cluster when:
  1. The Standby cluster member runs version R77.30 or R80.10
  2. IPS is enabled in the cluster
  • The "show-gateways-and-servers" API shows the Cluster Member object type as "type": "CpmiClusterMember".
  • The "show-gateways-and-servers" API shows the Cluster object type as "type": "CpmiGatewayCluster".
  • The "show-simple-cluster" API (or "show-simple-clusters" API) shows the Cluster object type as "type": "simple-cluster".
PROV-2054 The "cphaprob -a if" command does not recognize ClusterXL VIP addresses in this scenario: 
  1. The cluster object was created with Cluster API 
  2. The Cluster VIP addresses and the Cluster Members' IP addresses belong to different subnets 
  3. Policy was installed on the cluster object
To resolve, perform one of the below solutions:
  1. Create this cluster object in SmartConsole instead of Cluster API.
  2. Use GuiDBEdit Tool / dbedit / Generic API to change the value of the "member_network" field in the cluster object to contain the subnet of cluster members.
PMTR-41292 Configuration of an Active-Active cluster, requires enabling of the Bidirectional Forwarding Detection (BFD - 'ip-reachability-detection') in the dynamic routing protocol on each cluster interface and on the cluster sync interface.  R80.40
PMTR-57258 Connections do not survive failover in a ClusterXL configured in the Active/Standby Bridge mode. R80.30 3.10
Dynamic Routing / Advanced Routing
In PIM Dense Mode, when a new PIM router joins the existing network, it may take up to two cycles of PIM prune timer and/or downstream IGMP report interval, for the intended multicast traffic to start flowing.
  • To improve the PIM-DM responsiveness, user can enforce the local-groups / static-groups configuration.
PMTR-4925 When advertising IPv4 routes over an IPv6 BGP session, one of the following needs to be true:
  1. Routemap is used to set the nexthop of the IPv4 routes
  2. The interface used for the BGP session needs to have an IPv4 address 

When advertising IPv6 routes over an IPv4 BGP session, one of the following needs to be true:

  1. Routemap is used to set the nexthop of the IPv6 routes 
  2. The interface used for the BGP session needs to have an IPv6 address
PMTR-71236 In a rare scenario, after running the "vsx_util reconfigure" command or upgrading the VSX Gateway / VSX Cluster, a Virtual System might load the "InitialPolicy" instead of its regular policy.
  • To view the loaded policy: On the VSX Gateway / each VSX Cluster Member, run the "vsx stat -v" command in the Expert mode.
  • To resolve: In SmartConsole, install the policy on the Virtual System.
PMTR-60160 You can use the "vsx_util downgrade" command only if you did not make any configuration changes after you used the "vsx_util upgrade" command. R81
PMTR-88874 In vsx_util, old interface cannot be removed when changes are applied to both Security Management and Security Gateway. R80.40
PMTR-47869 The "vsx stat -v" command does not work after reverting to Gaia Autosnapshot (a snapshot created automatically by the CPUSE Upgrade).
  • To resolve: Use the "fw vsx stat -v" command instead.
PMTR-65592 The name of the VSX Gateway / VSX Cluster object must be shorter than 27 characters. R80.10
PMTR-47563 In SmartView Monitor, Firewall History and System History system counters do not show any data. R7x
PMTR-68228 If the Diffie-Hellman (DH) group configuration is changed (SmartConsole > Global Properties > Remote Access > VPN - Authentication and Encryption > Encryption algorithms > Edit > Phase 1 > Use Diffie-Hellman group) while an Endpoint VPN client is connected, the client disconnects during the next Phase 2 negotiation. R81
PMTR-55445 Site to Site VPN with a Large Scale VPN profile can drop traffic after decryption with the log "According to policy traffic shouldn't have been decrypted".

To prevent this traffic drop:

1. Edit the Large Scale VPN profile object:
  1. On the 'VPN domain' page, in the section 'IP addresses allowed in the VPN Domain' select 'Restrict to these groups or networks'
  2. Select the applicable 'Host', 'Network', and 'Group' objects.
2. Edit the LSV peer object: 
  1. In the VPN Domain (Encryption Domain), select the 'Address Range' objects, whose IP addresses contain the IP addresses of the 'Host', 'Network', and 'Group' objects you selected in the Large Scale VPN profile object.
3. Install the Security Policy.
After running the "cpstop ; cpstart" commands, the "FW-1: fwconn_chain_get_opaque: invalid id -1" message appears repeatedly on the screen and in the dmesg. This is a cosmetic issue only. R80.20
Communication errors occur between the Security Gateways managed by R80.20 M1 Multi-Domain Server and participating in Global VPN Communities when there are more than one certificate for the same Internal CA. Refer to sk136972. R80.20
PMTR-58668 If a Security Gateway with PIM configured is part of a VPN community, PIM service must be added to the Excluded Services in the VPN community object.
This only applies in one of these scenarios:
  • Security Gateway is directly connected to a multicast sender
  • Security Gateway is configured as a PIM Rendezvous Point
PMTR-47752 The VPN client shows as "Not Compliant" when it is not compliant according to the local.scv file, even if SCV is disabled.
  • To resolve: Configure the VPN site again on the client.
PMTR-47501 When using a VPN client, activity logs are not generated for ICMP traffic. R7x
Client Setting "Calculate IP based on topology" breaks when using host. Refer to sk120121. R7x
PMTR-32305 RADIUS authentication fails for LDAP users as the gateway uses sAMAccountName and not UPN when UPN is needed. Refer to sk122477 R7x
PMTR-47540 SCTP or Diameter objects cannot be the service of a manual NAT rule. Static NAT will still be applied for rules that match SCTP if the service is set to "Any". All NAT methods can be applied for Diameter over TCP traffic if the service is set to "Any". R7x
PMTR-26017 Values set for Maximum rule weight and Default weight of rule in the QoS Global properties window in SmartConsole are not applied when creating a new QoS rule. R80.30
PMTR-47566 No warning is displayed if an empty network group object appears in the source or destination column.  R7x

Quantum Security Management   Management HA / Multi-Domain Management / SmartConsole / Compliance / SmartLog / SmartEvent / SmartProvisioning

Management HA | Multi-Domain Management | SmartConsole | Compliance | Logging / SmartLog / SmartView | SmartEvent | SmartProvisioning

Enter the string to filter the below table:

ID Description Found in version
Quantum Security Management
PMTR-51456 The value configured in SmartConsole > Global properties > Advanced > Configure > Central Device Management > "device_settings_max_script_length_in_KB" field is not applied.
The upper limit is always 8 kilobytes.
PMTR-57020 If you rename interfaces on a Security Gateway (or Cluster Member) and run the API "get-interfaces" on a Management Server, this operation deletes all interfaces that were renamed in the Security Gateway (Cluster) object and adds the renamed interfaces as new. As a result, it is necessary to configure the interface settings in SmartConsole again.
You must complete all operations on the interfaces on a Security Gateway (or Cluster Member) before you pull them on a Management Server and configure their settings in SmartConsole (such as Topology, Cluster Virtual IP address).
When installing Access Control Policy on a Security Gateway with an enabled VPN blade, the policy installation succeeds but shows this message: "dlopen: /opt/CPsuite-R8x.x/fw1/tmp/install_policy/<UID>/FW1/lib/ cannot open shared object file: No such file or directory"
This is a cosmetic issue only.
PMTR-59442 SmartConsole may show the popup "SmartDashboard component failed to connect to server <IP Address>" if you upgraded a Management Server and you open a Security Gateway / Cluster object for the first time after the server's upgrade.
  • To resolve: Restart the Check Point services on the Management Server:
    • On a Security Management Server, run in the Expert mode: cpstop ; cpstart
    • On a Multi-Domain Security Management Server, run in the Expert mode: mdsstop ; mdsstart
PMTR-68323 SmartConsole shows the error "Publish failed due to session validation errors. Resolve the errors shown in the validation pane and publish again." when publishing a session after editing more than one interface in a cluster object and clicking OK.
However, no errors or messages appear in the Validation Pane.
PMTR-50315 "Certificate with the same Distinguished Name already installed for another CA" message in SmartConsole in the following scenario:
  1. A user started to create a new Trusted CA object with a certificate
  2. A user discarded the session
  3. A user tried to create a new Trusted CA object with the same certificate
PMTR-56332 "Unable to set cluster ID due to exception: Action cannot be executed on object: firewall_properties due to: Object 'firewall_properties' is locked by another session" message on the Management Server when creating 2 or more cluster objects at the same time (for example, with the API "add-simple-cluster").
  • To resolve: Create cluster objects one after another (even when different administrators do this task).
PMTR-49586 In some scenarios, R77.x custom defined  “Additional info” data might be lost while upgrading using CPUSE offline mode from R80.20/R80.30 Multi-Domain environments to R80.40.
  • To resolve: Use the latest Upgrade Tools package from sk135172.
Error: "Failed to initiate application list update" is displayed when attempting to update the Application Control & URL Filtering signatures while a migration from a Security Management Server to a Multi-Domain Management Server is in progress.
To prevent database corruptions updates are blocked during a migration process.
PMTR-45593 The administrator created in the First Time Wizard cannot login to SmartEvent or Log Server. Refer to sk163773. R80.40
PMTR-63264 Exporting any policy to a CSV file in SmartConsole ('Actions' menu > 'Export') fails with the "An internal error has occurred" message, and the CSV file is empty.
The issue occurs if the policy name or a rule name is in the format of UUID (for example, 038645be-e080-4b57-830e-3e58a907dfbb).
PMTR-25696 Login to the Secondary Management Server can fail if the SIC certificate is pushed to the Secondary Management Server before its CPM server is up. In this case, the SIC is established, but the login to the Secondary Management Server fails until the CPM server is restarted and reloads the new certificate.
  • To resolve: wait until the CPM server is up, before you establish trust with the Secondary Management Server. This way, the CPM Server restarts automatically due to the SIC establishment and the login succeeds.
Running a one time script on a Security Gateway (that reads files or outputs of commands) using a "One Time Script" feature in SmartConsole or with API may fail after 5 minutes with the "Operation timed out" error.
The limit for reading files is 9,730 lines or 730 KB (whichever is reached first).
PMTR-54350 The API "show access-rule" with the specified values "from-date" or "to-date" in the "hits-setting" parameter, returns accurate data only when these timestamps cover more than the last 24 hours.
For example, on May 27th at 14:00, the query must not cover any part of the last 24 hours (between May 26th at 14:00 and May 27th at 14:00).
PMTR-47579 If a connection is matched on a limit action rule, and the connection is not configured to be rematched (the 'Keep all connections' option is selected in the Security Gateway object, or the 'Keep connections open after the policy has been installed' option is selected in the Service object), a new policy installation will cause the limit on the connection not to be enforced.  R80.10
PMTR-47620 When the trial license is expired, and after adding a new license, the Security Management server does not accept any connection.
  • To resolve: stop and start the server (run cpstop;cpstart) after adding the new license. 
PMTR-47622 In some scenarios, re-assign or removal of global assignments succeeds, but changes that were not yet published at the Domain become conflicted. The SmartConsole for the Domain becomes unstable and can show: "Could not load selected policy".
  • To resolve: Discard the changes that were not published in SmartConsole.
PMTR-47777 Policy installation fails with "Policy installation failed on gateway 0-2000040" error and log: "fw_atomic_add_spii_parameter: Failed to get object named <object_name>".
  • To resolve: for all hosts with a server configuration, unselect the servers. Publish the session, then select the servers again, and publish again. For details refer to sk154435.
PMTR-47131 If you create an administrator in cpconfig, you must run cpstop and cpstart, as instructed by cpconfig. After cpstart, no administrators are shown in cpconfig. Administrators configured before the upgrade to R80 are also not shown in cpconfig.
  • To resolve: Manage administrator accounts through SmartConsole.
PMTR-47133 Internal user names must contain only English characters. Names in other languages (unicode) will show as question marks in the Users and Administrators window.  R80
PMTR-47140 "Check your connection settings (Proxy, DNS and gateway)" error shows after IPS and Application Control & URL Filtering update fails if there is no proxy defined.
  • To resolve: Run cpstop and cpstart and try again. 
PMTR-47448 If you upgrade a Security Management Server to R80.x with a user.def file that has been edited manually, make sure that the file name includes each gateway version that is managed by the server.
Refer to sk98239 for the user.def naming convention.
Refer to sk30919 for more information about the user.def file.
PMTR-41764 The "URL" field shows "*** Confidential ***" in HTTPS Inspection logs on 3rd party LEA OPSEC client. Refer to sk101570. R7x
PMTR-47457 It is not possible to convert a Standalone deployment (Security Gateway and Security Management on one computer) to a cluster member of a Full HA deployment - or vice versa. R7x
PMTR-47438 When selecting the "Use Gaia administrator: admin" option in the First Time Wizard, it lets to reuse the Gaia administrator password for SmartConsole. If you later change this password in SmartConsole, the Gaia administrator password remains unchanged. R7x
PMTR-47453 For Gateways below R80, 2nd layer behaves like Application Control policy. R7x
Management High Availability
PMTR-60441 Synchronization on the MDS level fails after creating a new Domain server on the secondary MDS, while an initial full synchronization from the new Secondary device is performed. R81.10
PMTR-14327 To move a Secondary Multi-Domain Management Server from one Multi-Domain Management HA environment to another, install the Secondary Multi-Domain Management Server from scratch in the new environment as a Secondary Multi-Domain Management Server and synchronize it with the Primary Multi-Domain Management Server. R80.20.M1
PMTR-47624 In a High Availability environment, if an administrator is locked on the Standby Management Server, the administrator is not locked and does not show as locked on the Active Management Server. Therefore, you cannot unlock the administrator from the Active Management Server.
  • To resolve, unlock the administrator by running the command unlock-administrator on the Standby Management Server.
PMTR-15291 In a Management HA environment, Administrator created on the Primary Security Management Server via cpconfig cannot log in to SmartConsole of the Secondary Management Server until full sync from Primary to Secondary server is performed. R80
PMTR-47159 When a secondary Management server is added, the initial synchronization task starts automatically. Until it completes, the secondary peer status shows as "Failed to communicate with peer".
Wait for the initial synchronization task to complete. The peer status in the High Availability Status window will then show that the synchronization was successful. 
Multi-Domain Management
PMTR-62123 In Multi-Domain Servers, you cannot create an install policy preset with a policy package that has an OSE device as the target, due to an internal error when trying to get target information. R81.10
PMTR-79917 This limitation applies when working with Domain Dedicated Log Servers:
When a Domain administrator connects to the SmartView on the MDS level or Global SmartEvent Server, the login window shows a picker with the options MDS, Global, and allowed Domains. The Domain administrator must select "Global" or a specific allowed Domain, according to the assigned permissions.
PMTR-60051 After you configure a Security Management Server for Management High Availability with a Domain:
  • If you connect with SmartConsole to the Primary Domain server and open the Management High Availability dialog, it shows the connected peers including the Security Management Server.
  • If you connect with SmartConsole to the Secondary Domain server and open the Management High Availability dialog, it does not show the Security Management Server. This is an issue in SmartConsole.
PMTR-60201 If it is necessary to delete a Security Management Server object that was configured for Management High Availability with a Domain and create that object again, you must follow these steps:
  1. Delete the Security Management Server object
  2. Publish the session
  3. Restart the Multi-Domain Server with: mdsstop ; mdsstart
PMTR-60854 When working with Domain Dedicated Log Servers:
Opening attachments in logs can fail while SmartConsole is connected to the MDS level or Global SmartEvent Server, if the Global SmartEvent Server is configured to read logs with LEA from an external Domain Log Server.
PMTR-60856 To correlate logs from the Domain Management Server in a NAT environment, in which a Domain Management Server is hidden behind a NATed address, and a Domain Dedicated SmartEvent Server has an external IP address, an administrator must follow these steps:
  1. Connect with SmartConsole to the Domain Management Server
  2. Create a dummy Check Point Host object with the external IP address of the Domain Management Server
  3. Enable the "Logging" Software Blade in this Check Point Host object
  4. Install database on the Domain Management Server
  5. Open the SmartEvent GUI and connect to the Dedicated SmartEvent Server
  6. In the list of the log servers, from which the Correlation Unit reads the data: remove the Domain Management Server object with the real IP address and add the dummy Check Point Host object (with the external IP address)
  7. Install the Event Policy and close the SmartEvent GUI
PMTR-60855 Administrator connected to a Domain Dedicated Log Server in the assigned Domain cannot see the Domain's data in Views, Reports, and Correlated Events that are based on events from the Global SmartEvent Server. R81
PMTR-60853 To configure the Global SmartEvent Server to read logs from a Domain Dedicated Log Server, you must follow sk35288. R81
PMTR-60852 When connecting with SmartConsole to a Domain Dedicated Log Server or Domain Dedicated SmartEvent Server, and right-clicking a policy rule, the "Go to rule” button is disabled. R81
PMTR-17303 Policy installation from the Primary Multi-Domain Server to a Domain fails with an error, if that Domain exists only on the Secondary Multi-Domain Server:
Install policy cannot be executed
Multi-Domain '<Name of Multi-Domain Server Object>' does not have domain server for: 'Name of Domain Object'.
PMTR-19623 In Multi-Domain Servers Management HA environment, if Administrator installs policy from the Active Domain on the Security Gateway / Cluster object and performs Management HA from the Active Domain to the Standby Domain, Administrator must install policy from the new Active Domain on the Security Gateway or Cluster object. Otherwise, when upgrading the Multi-Domain Servers to R80.30, SIC communication can be lost with the Security Gateway or Cluster Members.
  • To resolve: Change the state of the Standby Domain to the Active, and manually synchronize the Domains.
PMTR-15294 To perform "Enable Global Use" on a Security Gateway, you must set the Domain, which manages this Security Gateway, and the Global Domain to the "Active" state on the same Multi-Domain Management Server. R80.20.M1
"Failed to save object...Server error is: An internal error has occured. (Code: 0x8003001D, Could not access file for write operation)" error when creating a Security gateway object on the Domain Management Server that is currently active on the secondary Multi-Domain Management server.
  • To resolve: Run the "mdsstop ; mdsstart" commands on the secondary Multi-Domain Management Server.
PMTR-47629 When running Global Domain Assignment on one Multi-Domain Server for a Domain that is active on a different Multi-Domain Server, the task can stall at 5%. After a few minutes a message shows: "timeout during task progress: Could not get information regarding task completion from MDS_1 'MDS_2'.
  • To resolve: Run Reassign Global Assignment on the Domain from the first or second Multi-Domain Management Server.
PMTR-47631 If two administrators create an admin account with the same name, after the first admin publishes a session, the second admin will not be able to publish or edit the admin account.
  • To resolve: The session changes must be discarded.
PMTR-47778 During mds_import, the incorrect "Failed to open file 'obsolete_objects.C' " message shows.
  • This message can be ignored.
PMTR-47638 The same system object (administrator, domain, permission profile, trusted client or Multi-Domain Server) cannot be managed from multiple peers. It can create sync failures between Multi-Domain servers.
  • If there is a sync failure, make sure sessions on a different peers do not lock the same object.

After an upgrade, the global assignment fails with an error regarding multiple objects with the same name. If the search fails to locate the object in the domain, the object might be an unused OPSEC application permission profile and it can be deleted or modified using dbedit.

PMTR-47173 In a High Availability environment that includes more than two Multi-Domain Management servers, a synchronization problem between 2 specific Multi-Domain Management servers only shows when connected to one of those servers. The problem does not show when connected to a different Multi-Domain Management server in the environment. R80
PMTR-47546 You can use only one Global Domain, which is created automatically during installation. R80
PMTR-47175 After you define the SmartEvent object in the global database, first you must assign Global Policy to Domain Servers in order the Domain Level Only administrators can log in to SmartEvent. R80
PMTR-42634 Each database can be migrated only once with cma_migrate. If you try to migrate the same database to another Domain Server, migration fails with the "Internal runtime error"... "The folder in the dleObject can't be null." error. R80
PMTR-47177 You cannot add licenses from the Multi-Domain Management Server or Domain Management configuration windows or wizards.
  • To resolve: To add licenses, click "Manage Licenses and Packages" in the SmartConsole main menu.
PMTR-47551 Private sessions are not synchronized between Multi-Domain Management Servers. A session that is open on one Multi-Domain Management Server cannot be seen or moved to a different Multi-Domain Management Server. R7x
SmartConsole / Management Console
PMTR-56385 When upgrading VSX, the upgrade status is considered a success even if the Policy state is not valid. R81.10
PMTR-70168 Open connections may not survive VSLS upgrade using SmartConsole Central Deployment. R81.10
PMTR-62419 When you add an Updatable Object in a rule, you must wait for the object to load its data (see the sign for loading near the object).
If you add an Updatable Object before it loads its data, all the sub-objects are added in the rule cell instead.
PMTR-70829 Central Deployment Package Repository is local to the Multi-Domain Server. In a Multi-Domain High Availability environment, make sure to initiate Central Deployment operations on the server to which the package was added. R81.10
PMTR-58448 When the screen resolution is low, changes in Log View widgets are not exported in PDF files:
  1. In SmartConsole, from the left navigation panel click Logs & Monitoring.
  2. Click + to open a new tab.
  3. From the left, click Views, and open any view.
  4. Click Options > Edit.
  5. Make some layout changes - move, resize, delete, or add widgets, and click Done.
  6. Click Options > Export > Export to PDF.
  7. Download the PDF and open it.
  8. The PDF file has the default layout.
PMTR-47608 "State: Secure Internal Communication is not operation with <Name of Global SmartEvent Server object>. Verify that SIC is initialized or was not reset." appears in SmartConsole (or SmartView Monitor) connected to a Domain when you open a Global SmartEvent Server object.
  • This is only a cosmetic issue that does not have an effect on the functionality. Domains do not have SIC connectivity with the Global SmartEvent Server. Therefore, Domains cannot report the real SIC status of the Global SmartEvent Server. To see the real SIC status, open the Global SmartEvent Server object in SmartConsole connected to the MDS context.
PMTR-68527 When you enter a search query that starts with “*” in various search fields (for example, *168.20), SmartConsole shows only objects that contain this partial string in their "Name", "Comment", or "IP Address" field. R81.10
PMTR-58272 In the "Gateways & Servers" view, the "Task" tab in the bottom pane does not show messages about a successful license attachment (shows messages only about a failed license attachment). R81.10
PMTR-60830 A link named "" appears in a policy (above the Shared Policies section) in this scenario:
  1. From the left navigation panel, click the Security Policies view
  2. Open a policy with the HTTPS Inspection
  3. Click Access Control > HTTPS Inspection
  4. In the Certificate column, right-click a certificate and select Where Used
  5. In the Where Used window, click the Policies tab
  6. Double-click a policy that does not contain the Access Control (contains only Threat Prevention or QoS)
  7. The policy opens, but instead of HTTPS Inspection section, a link named "" appears
  • To resolve:
    1. Close the Where Used window
    2. Manually open the affected policy
CIS-3291 When you start a legacy application directly from the SmartConsole installation folder C:\Program Files (x86)\CheckPoint\SmartConsole, you must start the application from the version folder (for example: C:\Program Files (x86)\CheckPoint\SmartConsole\R81\81.0.9500.5) and not from the "PROGRAM" folder (for example: C:\Program Files (x86)\CheckPoint\SmartConsole\R81\PROGRAM).
This prevents a possible unexpected exit of legacy applications while SmartConsole updates itself.
For more information, see sk171315.
SmartConsole must be installed on an NTFS volume. R81.10
PMTR-78482 If you delete an existing object of a Centrally Managed Quantum Spark appliance with the model 1800 or lower and some name (for example, "XXX"), then you cannot create another object of a Centrally Managed Quantum Spark appliance:
  1. With the same name "XXX" - SmartConsole shows "Name already used!"
  2. With the name of that contains the previous name (for example, "XXXnew") - SmartConsole shows "There is another network object [XXX] with the same IPv4 address"
  1. Policy installation fails with "This operation cannot be done when unpublished changes are present".
  2. The Changes Report window shows "Error: Failed to get changes".
  • To resolve:
    1. Close SmartConsole
    2. Log in SmartConsole
    3. Click Publish (do not click the "Changes" button).
PMTR-58838 In changes (Diff) report, there is inconsistency between the number of changes which appears in the session toolbar and the Revisions view. R81
PMTR-60910 "RunCommandInNgm('CreateNgmInterfacesCommand') failed" error in SmartConsole after clicking "Get Interfaces > Get Interfaces with Topology" in a Cluster object for a second time after the interfaces were already loaded.
  • To resolve: Before you click "Get Interfaces" in a Cluster object for a second time:
    1. Double-click the cluster object and click Network Management pane.
    2. Double-click each interface and write down the current configuration.
    3. If the Network Type is set to "Sync" or "Cluster+Sync", then select "Private" and click OK.
    4. Click "Get Interfaces > Get Interfaces with Topology" and accept.
    5. Click OK and publish the session.
    6. Double-click the cluster object and click Network Management pane.
    7. Double-click each interface, in which the Network Type was earlier set to "Sync" or "Cluster+Sync" and you selected "Private".
    8. Select the applicable Network Type.
    9. Click OK and install policy on this cluster object.
- The Changes (Diff) report does not track rule numbers or rule positions in the policy (If a sub-rule is changed, the report only shows the number of the sub-rule and not the number of the parent rule). R81
- The Changes (Diff) report does not show changes made in: Inspection Settings, Software Blade Engine settings, Multi-Domain Server settings, and administrator settings (including permission profiles and all other options in Manage & Settings > Permissions & Administrators). R81
PRHF-11063 The QoS and Desktop policies are not displayed in Legacy SmartDashboard when an administrator with read-only permissions is logged in and the Desktop policy blade is enabled. R81
PMTR-54196 In some scenarios, the Carrier Security option in Gateway Properties (under Other -> More Settings) cannot be selected.
  • To resolve: select another gateway property not under "Other', then return to the Carrier Security option and try again.
PMTR-90653 After using "View in policy" on an object, the action will be repeated every time we open the relevant policy tab. This will stop when we switch to a different navigation item that is not "Security Policies" or perform publish.

In rare scenarios, it can cause the following error to appear when opening the policy: "Failed to go to requested rule". The reason it fails to find a rule is that it was deleted after "View in policy" was performed and took us to it.
PMTR-47434 On SMB 1100 appliances, after initializing SIC the hardware must be edited manually to 1100 appliance instead of Open Server. R80.40
PMTR-42956 In HTTPS Inspection policy rules, when selecting the same action that already appears in the "Action" column, the Management Server counts it as part of the session changes. R80.40
PMTR-82157 HTTP Inspection Legacy SmartDashboard can unexpectedly close when exceeding the number of maximum possible hosts (100K). R80.40
PMTR-44804 In SmartProvisioning, policy installation fails after enabling QoS on the profile. R80.40
PMTR-60358 When working in SmartConsole over Remote Desktop solutions such as Citrix, there might be sporadic cosmetic issues in certain SmartConsole windows (for example, a dialog window that opens only partially).
Usually, these issues are caused by an incompatibility of 3rd party components within SmartConsole.
  • To resolve: Resize the main SmartConsole window, or close and open again the problematic window in SmartConsole.
PMTR-39807 "Identity Provider authentication factor cannot be used in Capsule Workspace" error appears in SmartConsole in the following scenario:
  1. Open a Security Gateway object with Mobile Access blade enabled.
  2. From the left tree, expand "Mobile Access" and click "Authentication".
  3. Refer to the "Multiple Authentication Clients Settings" section.
  4. When editing an existing login option with "Identity Provider" as the Authentication Factor, the "Use in Capsule Workspace" option appears as selected (on the "Login Option" tab > in the "Usage in Gateway" section).
  5. When clicking "OK" to save the changes, the error "Identity Provider authentication factor cannot be used in Capsule Workspace" appears.
To resolve: Clear the "Use in Capsule Workspace" option before clicking "OK".
PMTR-46715 In very large environments running "show-mdss" with "details-level full" parameter fails to retrieve all Domains on the Multi-Domain Server. R80.40
PMTR-32873 IPS, Application Control and URL Filtering blades Best Practices are displayed as "active" by the Compliance blade overview even though they are not configured for the Security gateway. R80.40
PMTR-48072 The "Restore all messages" button is disabled in Manage & settings -> Preferences -> User Preferences -> "Restore all messages".
  • To resolve, restore all messages to the default settings. To do so, close the SmartConsole and delete the content of "%localappdata%\Check Point\SmartConsole\R80.XX\UserSettings" folder.
PMTR-44457 Error: "Error while trying to open certificate : The specified network password is not correct." when attempting to view a new HTTPS certificate that uses a password different from the previous one.
  • To resolve and view the certificate, open SmartDashboard -> HTTPS Inspection -> Gateways -> Export. 
PMTR-45924 When using API batch commands, the "set-if-exists", "ignore-warnings" and "ignore-errors" flags are not used. Errors that come up while running a batch command have to be handled manually by using the "show-validations" API command. R80.40
PMTR-45567 The "object is used by a policy or by other objects" error is displayed when attempting to delete a LDAP account unit. Running the "Where used" query yields with not result.
  • To resolve: the issue is resolved within 24 hours, during this time period the object is entirely removed from the database. 
PMTR-38804 The "Import Node" action in SmartDashboard (accessible from the SmartDashboard Network Object tree -> Nodes -> Import) might fail with "Internal Error" message. R80.40
PMTR-47146 Updatable Objects cannot be added to a network group.  R80.40
PMTR-31345 In languages other than English, the blades in the summary tab are not arranged correctly. R80.30
PMTR-32595 "Take over failed" error appears when canceling an administrator session takeover.
  • This error can be safely ignored.
PMTR-27705 When installing a policy, "The policy included Blades that have an expired contract or a contract that is about to expire" warnings are displayed only for Application Control and URL Filtering and not for all Service Blades. R80.30
PMTR-31193 Search for disabled or expired rules in Access Control policy does not work.  R80.30
PMTR-25063 The "Groups" page / tab is not shown if you edit a predefined service. R80.20.M2
PMTR-65106 In SmartConsole, the sorting in table columns with numeric values is alphabetical and not numerical.
  • In the "Gateways & Servers" view - the columns "Accepted Packets/Sec", "Dropped Packets/Sec", and so on.
  • Service Group objects - the "Port" column.
PMTR-39387 Hitcount of Shared Inline Layer rules shows the sum of all rules it is used in as it is shared between all of them.  R80.20
PMTR-12439 Desktop Policy tab does not appear in the following scenario:
  1. Open the SmartConsole in Read-Only mode, or log in with Read-Only credentials.
  2. In the left navigation panel, click Security Policies.
  3. In the Access Control section, click Desktop -> Open Desktop Policy in SmartDashboard.
  4. Legacy SmartDashboard opens without the Desktop Policy tab.
When creating a new Cluster object in SmartConsole with the Wizard Mode, if you do not add Cluster members or do not initialize SIC with the Cluster members, the "Optimizations" -> "Capacity Optimization" setting in the cluster object may set to "Manually", instead of the default "Automatically". The "Automatically" option is grayed out, if the OS of the Cluster object is unknown.

To resolve:

  1. Open the Cluster object.
  2. Go to the "General Properties" pane.
  3. In the "Platform" section, in the OS field, change from the "Unknown OS" to the real operating systems of the cluster members.
  4. Go to the "Optimizations" pane. 
  5. In the "Capacity Optimization" section, select "Automatically".
  6. Click OK and publish the session.
PMTR-42889 The "Could not locate an appropriate editor for the target object" message appears in SmartConsole in the HTTPS Inspection Policy, when double-clicking a certificate object. R80.10
PMTR-50263 No warning is displayed, if an empty Network Group object appears in the "Source", "Destination", or "Protected Scope" column of a Threat Prevention policy rule. R80.10
PMTR-42458 Network groups that are used in a group with exclusion cannot contain non IP-based objects (for example, Dynamic Objects, Domain Objects etc.).  R80.10
PMTR-40848 When an inline layer appears more than once in an ordered layer, in logs that are generated from rules in that layer, the "Go to rule" link does not always navigate to the correct occurrence of the rule in the policy.
  • To find the other occurrences of the rule, use the packet mode search with the rule's information. For more information about packet mode search, refer to sk118592.
PMTR-47652 The Device and License Status of Threat Emulation is incorrect when there is a trial license on the Security Gateway.
  • To resolve: Use the Logging -> License Status view. 
When you create an SMB cluster using the Wizard mode, SmartConsole automatically assigns an incorrect IP "0.0.0.X" as the cluster main IP address.
  • To resolve: The admin must first publish the new cluster object, then configure the correct IP address before enabling any blade. If the cluster is created via 'Classic' mode, there is no issue.
PMTR-45007 In a rare scenario, SmartConsole installation might stuck at 36%. Refer to sk163592. R80.10
After upgrading Security Management Server from to R80.x, users cannot add suggestions to add objects to group - the options are grayed out. Refer to sk118276 R80.10
PMTR-34983 Cannot find the "Override categorization" object in the objects bar search. R80.10
PMTR-47646 In SmartConsole, when creating a new object in a second Object Editor, the new object is not in the list in the original Object Editor.
  • To resolve: After you close the second Editor, click OK in the IF-MAP server editor. Open the IF-MAP server editor again.
PMTR-47650 A Remote Access community object is not supported in the parent rule of an inline layer where the action is "Inline Layer".
  • To resolve: Use "Any" instead of the Remote Access community object. You can use the Remote Access community object in the rules in the inline layer.
PMTR-47654 The SmartConsole package cannot be installed in a directory whose path includes non-English characters. R80.10
PMTR-47658 This procedure for renewing an expired HTTPS Inspection certificate does not work:
  1. Open the SmartDashboard GUI client
  2. Renew the HTTPS Inspection certificate.
  3. Close SmartDashboard.
  4. Install the Policy in SmartConsole.

    SmartConsole shows the certificate is still expired, and the certificate is not renewed.
  • To resolve: After following the procedure, close and reopen SmartConsole.
PMTR-36940 When selecting a source or destination for a user object, cluster objects are not available for selection. R80.10
PMTR-47666 SmartConsole does not display one of cluster interfaces because of case sensitive name uniqueness. Refer to sk108264. R80.10
- R80.x SmartConsole on Windows 10 requires .NET Framework version higher than 4.0. R80
MB-933 Administrators with the "Customized" Permission Profile cannot create Web Application objects. R80
PMTR-70637 If the name of an imported HTTPS Inspection certificate file contains one of these strings, then Legacy SmartDashboard does not show this certificate in "HTTPS Inspection" > "Server Certificates":
  • default_{noformat} (example: default_MyCertificate)
  • _default (example: MyCertificate_default)
  • _default_ (example: My_default_Certificate)
  • https_ (example: https_MyCertificate)
  • _https (example: MyCertificate_https)
  • _https_ (example: My_https_Certificate)
  • ref_ (example: ref_MyCertificate)
  • _ref (example: MyCertificate_ref)
  • _ref_ (example: My_ref_Certificate)
  • holder_ (example: holder_MyCertificate)
  • _holder (example: MyCertificate_holder)
  • _holder_ (example: My_holder_Certificate)
Note: SmartConsole is able to show such certificate.
PMTR-66532 SmartConsole > "Logs & Monitor" view > "Logs" tab may show duplicate log records with partial data, if log entries are spread over several log files due to a log switch.
Log switch operation occurs in these scenarios on a Management Server / Log Server:
  • At midnight
  • When the size of the active log file reaches 2 GB
  • Based on user configuration (explicitly)
PMTR-48835 Device status in SmartConsole is only presented after applying changes to it and publishing the session. R80
PMTR-47199 In R80 and higher, multiple administrators can connect to the Management with SmartConsole in write mode, at the same time. Therefore, switching between Read only and read-write mode, which was often used in previous versions, is not an option in SmartConsole. R80
PMTR-9124 After an upgrade of a Management Server with enabled Compliance blade from R77.20 or lower versions to R80.x:
  1. The "Dev Mode: ON - Syntax error: Unable to get property 'icon' of undefined or null reference at line: undefined" error can appear in the Compliance blade reports.
  2. "Compliance Statuses" contains the words "Low" instead of "Poor" and "High" instead of "Good".
PMTR-47756 In a Multi-Domain Management environment, in the local domain policy, some Compliance best practices, which validate the status of rules in the policy, incorrectly identify the section header, "Parent section for domain rules," as a rule, and report it as not valid.
  • To resolve: Manually exclude this result from the Best Practices view. To do so, in the Best Practices view, select the practice. In the bottom pane -> Relevant Object section -> double-click the desired rulebase object and disable the rule/section from the list.
In a Multi-Domain environment, policy changes in the Global Compliance Policy do not trigger a partial Compliance scan. R80.10
PMTR-47237 Compliance Blade does not contain Compliance Overview Report.
  • To resolve and have the Compliance Overview Report, deploy a SmartEvent server and enable SmartEvent. Then find it at Logs & Monitoring -> new tab -> Reports -> Compliance Blade. 
PMTR-47239 The SmartConsole client is not aware of license or quota changes in real time - alert for 'License quota Exceeded' does not pop-up immediately when the license quota is exceeded.

To resolve: Reopen SmartConsole in Compliance blade to see the license changes. Quota data changes in the entitlement or Compliance will be updated after:
  • Compliance midnight scan
  • License changes
  • cpstop;cpstart
Logging / SmartLog / SmartView
PMTR-69394 SmartConsole and SmartView default time frame values are not synchronized. R81.10
PMTR-55182 In the Logs view, the sessions timeline widget is missing when connecting to the SmartView web interface of a Dedicated Log Server or a Domain Log Server. R81.10
PMTR-64199 On SmartView, when using the copy paste functionality, the copied widget or view does not include the filter of the source view or report. R81.10
PMTR-58287 When deleting a Log Server object, and recreating it (same IP address and same SIC name), logs that were sent to the Log server before the deletion and recreation, are not shown in Logs view. R81.10
PMTR-67490 Export of a SmartEvent report that contains a huge amount of data to PDF/CSV, may fail when the device is very loaded.
For example, if there are multiple concurrent requests, like multiple scheduled reports that are running at the same time, or in case of a very high log rate. 
PMTR-44559 When querying logs in the SmartView web Logs tab, the numbers shown in the timeline section do not correlate to the log list if the indexing retention policy in SmartEvent and the Log Server are not the same. R80.40
PMTR-48225 Exporting a large number of logs (100K and higher) to Excel using SmartView may fail on servers with 8 GB of memory or lower.  R80.40
User log in to SmartView in a Multi-Domain Server High Availability environment fails. Explanation: In a Multi-Domain Server High Availability environment, administrators can add a Domain-Management Server that is not synchronized and thus not available in the corresponding Multi-Domain Server. However, when opening SmartView, the Domain picker displays ALL the Domain-Management Servers available on both Multi-Domain servers.  R80.40
PMTR-45323 Updatable objects are not resolved in SmartLog/SmartEvent queries:
  1. You cannot create a filter or SmartView query which contains an Updatable object name. 
  2. When viewing logs/events, the IP address of an Updatable object is not resolved to a name.
PMTR-22189 After reverting to a R80.10 or R80 version, the log files and log indexes that were created on the R80.40 will be lost.
If you upgrade again to R80.40, all logs will be visible again with one exception - the log index created on the day of the revert (from R80.40) may be partial. 
PMTR-22007 After upgrade, the Log Exporter does not start, fully update or show pre-upgrade exporters.
  • To resolve, update and start, run: cp_log_export reconf; cp_log_export restart 
PMTR-12100 Log Exporter exports logs from a Domain Management Server with the IP address of the Multi-Domain Server when using UDP protocol. R80.20.M1
PMTR-12635 When you right-click in an Anti-Virus or Anti-Bot log from R77.30 Security Gateways and select "Save as Packet Capture...", it opens an email file with the attached packet capture file, instead of saving it. This is the same behavior as in the option "View Packet Capture".  R80.20.M1
PMTR-47696 On Security Management Server with "Enable Log Indexing" option not selected, and a dedicated Log Server with "Enable Log Indexing" option selected: When you connect with SmartConsole to the Security Management Server, the Logs view shows the logs of individual log files. It is not possible to get a unified view of all the logs. R80.10
PMTR-47706 When using the Check Point Management Server as an external log server for a locally managed Small Office appliance, logs that are saved on this external log server will not be accessible from SmartConsole that is connected to the management server of the internal environment. To see the logs that are saved on this log server, open SmartConsole to this Log server itself.  R80.10
PMTR-47694 Reading logs through LEA which were configured manually on the SmartLog custom settings file is not available in R80.x.  R80.10
PMTR-47699 In a global SmartEvent configured in Multi-Domain environment, SAM rules are not being created by events auto-reactions. R80.10
PMTR-47587 To change SmartLog mode from Indexing to Non-Indexing on a Domain Management Server or Domain Log Server, edit the Domain Server object on the Domain level. There is no option to change the entire Multi-Domain Server or Multi-Domain Log Server to Non-Indexing mode. R80
PMTR-47212 SmartView graphics do not display properly in Internet Explorer. Accessing SmartEvent server from the web (SmartView) is supported only from Google Chrome and Mozilla Firefox.  R80
PMTR-47586 SmartLog Indexing mode is not enabled by default after upgrade or new installation, on Smart-1 205, Smart-1 210, or Open Servers with less than 4 cores. R80
PMTR-47589 Users connected with SmartConsole to specific Domain, will not be able to see Global objects assigned to this Domain in SmartLog logs results, and cannot search by Global objects (but can search by IP address). R7x
PMTR-47558 "Top QoS Rules" view in SmartView Monitor shows that almost all traffic matches the "No Match" rule when SecureXL is enabled on Security Gateway. Refer to sk118720 R7x
PMTR-50435 On a dedicated SmartEvent server, the user that was configured in the First Time Configuration wizard cannot share items and view shared items In the SmartView application. R81
PMTR-60038 The software version of an R81 SmartEvent Server must be identical to the software version of its R81 Management Server. R81
PMTR-47608 SIC problem with the global SmartEvent object managing a Global SmartEvent object from the Domain/CMA that has the global object assigned to it. R80.40
Error: "CRLs failed to be downloaded" when attempting to log in to SmartEvent.
  • To resolve: Run cpstop;cpstart on the SmartEvent server.
PMTR-71408 In SmartConsole > Logs & Monitor view > Logs tab, the "Last Update Time" column is empty for IPS logs.
This occurs if the SmartEvent Server is also a Log Server, to which Security Gateways send their logs.
  • To resolve: Open a specific log entry and refer to the field "Lastupdatetime".
PMTR-21615 A query that refers to "Scan result" and "Destination DNS Hostname" fields will not be resolved. R80.20
PMTR-47715 Events Grid is missing from SmartEvent. R80.10
PMTR-47717 The Ticketing feature is missing from SmartEvent. R80.10
PMTR-47721 When using R77.30 gateways, after disabling Firewall sessions in the SmartEvent policy, the records of Firewall sessions disappear from reports and views. If you enabled Firewall sessions in order to see Firewall data in reports or views, generate the report or examine the view *before* disabling Firewall sessions. R80.10
PMTR-47227 Global SmartEvent's disk space maintenance policy is not configurable via GUI. Minimum default threshold for cleanup is 5GB (5000Mb). Refer to sk117317 for manual configuration instructions. R80
PMTR-47215 SmartEvent stability problem while connecting to Multi-Domain Management. Refer to sk112238. R80
PMTR-47559 On a R80.x dedicated SmartEvent server which assigned to MDS, when you enable or disable a blade, the license information is not immediately updated. An automatic updates takes place at midnight.
  • To resolve and update immediately, оn server's command line, run:
    $CPDIR/bin/esc_db_complete_linux_50 activation_data entitlement_data
    If you manually change a license or contract, the changes take effect immediately.
MPTT-265 Users using the "Check Point Password" method for authentication to SmartConsole and are configured with the "User must change password on next login" option, must login to SmartConsole and change their password before using SmartView Web application.  R80
PMTR-66989 In SmartProvisioning, the Push Policy operation fails on SmartLSM objects R80.40 and lower, in which the selected SmartLSM Security Profile has any of the Threat Prevention Software Blades enabled. R81
PMTR-53925 After you upgrade a Security Gateway (or Cluster) managed with SmartProvisioning, you must enable the SmartProvisioning again. R81
PMTR-56630 When you configure an LSM profile topology, do not reopen interface properties after you make a change.
Instead, close the Topology grid and click OK to close the editor.
When you reopen it, you will see the correct interface topology settings.
PMTR-49235 A new object called "NewObject" is left in SmartConsole when an administrator creates a new object with same name as an object that exists in SmartProvisioning.
  • To resolve: Either click "No" when SmartConsole shows "Do you want to keep changes anyway?"
    or manually delete the new object called "NewObject".
On a Management Server, the command "LSMcli <Server> <User> <Pswd> AddROBO VPN1 <RoboName> <Profile>" fails with the error "Failed to create prv_config object".
  • To resolve: Create the ROBO object in SmartProvisioning GUI.
PMTR-48496 After manually unloading policy from Gaia cluster members which are managed by SmartProvisioning, the cluster does not fetch the policy again and push policy from SmartProvisioning is not effective. R80.40
PMTR-45475 The status of an SMB device in SmartProvisioning may show "not responding" for a short time, even though the status is OK. R80.40
PMTR-49044 SmartLSM (Smart Provisioning) running on R80.30 Security Management Server cannot manage R80.40 Security Gateways. R80.40
PMTR-1568 When working with LSM managed Security gateways in a Management High Availability environment, creating and working with LSM gateways must be consistent, they can only be used in the Security Management server they are created in.
Using the secondary Security Management server might lead to inconsistent actions/status related to LSM objects.
PMTR-3724 It is not possible to configure internet connection over DSL for 1100, 1430, 1450 appliances using SmartProvisioning. R80.20.M1
PMTR-15599 SmartProvisioning R80.40 does not support LSM Profiles of type "Check Point Appliance/Open Server Gateway" with version "R80.10". R80.20.M1
PMTR-70744 The "Enable Provisioning" checkbox is greyed out in SmartProvisioning > SmartLSM Security Gateway object properties > "General" tab > "Provisioning" section, if the user who logged into SmartConsole has a profile with assigned permissions other than "Read/Write All". R80.10
PMTR-8209 After a major upgrade to a Security Management Server, LSM profiles lose their installed policy and new devices attached to them are not able to fetch a policy.
  • To resolve: Install policy on the LSM profiles.

Access Control   Mobile Access / Content Awareness / DLP

Mobile Access | Content Awareness | DLP

Enter the string to filter the below table:

ID Description Found in version
Mobile Access
SmartView shows "Error in disconnecting user" with the description "SNX connection failed" every time the user opens the main page of Mobile Access portal. R81
PMTR-41608 Error: "Failed to generate RADIUS auth request" when a Mobile Access user browses to a resource that requires authentication. R80.40
PMTR-70 If you use Outlook Anywhere application with Mobile Access Reverse Proxy, and then want to disable Outlook Anywhere or Reverse Proxy, perform:
  1. Delete Outlook Anywhere rule from reverse proxy.
  2. Run "cvpnrestart --with-pinger" to close all Outlook Anywhere open connections.
    If you do not perform step 2, open connections of Outlook Anywhere will not be closed and users can still work with it.
PMTR-47748 When users are connected to the Mobile Access Gateway with SSL Network Extender in Application Mode, Downloaded-from-Gateway applications do not work inside Endpoint Security On Demand Secure Workspace.  R80.10
PMTR-47782 After upgrading a Standalone (Management and Gateway) or VSX deployment with Mobile Access blade enabled, the "Allow Dynamic ID for mobile devices" option might be enabled by default, even if Dynamic ID was not configured prior to the upgrade.
  • If you do not want Dynamic ID authentication for Capsule Workspace users, disable it in:
    Gateway Properties -> Mobile Access -> Authentication -> Compatibility with Older clients -> Settings -> Capsule Workspace section -> clear Enable DynamicID.

    For VSX, this configuration is done per Virtual System.
PMTR-47499 When Mobile Access is included in the Unified Access Policy, in Mobile Access Authorization logs -> Log Details -> Matched Rules, the Mobile Access Application name and Category do not show. R7x
Content Awareness
PMTR-17156 The following apply to the "Archive File" Data Type: The Content Awareness blade inspects the "Archive File" Data Type. The "Archive File" Data Type is extracted, and its inner files are separately inspected together with the Data Type.
Therefore, during the policy configuration, administrator has to pay attention when using the "Archive File" Data Type in a Compound/Group Data Type and in an Inline layer parent rule.
  • Using a Compound/Group of "Archive File" with, for example, "PCI - Credit Card Numbers", does not match the archive that contains a file with the credit card numbers. You can use a specific File Type with "PCI - Credit Card Numbers" in this rule.
  • Using the "Archive File" in a rule that leads to Inline Layer does not match the Data Type inside that layer. You can use a specific File Type in this rule.
  • If the "Archive File" is located above other Data Types, the lower rule can be matched for some of the inner files, in addition to the rule that contains the "Archive File".
PMTR-47670 Binary Certificate *.cer files are not properly matched to the 'Certificates and Private Keys' Data Type.  R80.10
PMTR-47675 Content Awareness supports HTTP, HTTPS, SMTP and FTP protocols on any ports and it is fully integrated with the Access Control unified rule base. Traffic over QUIC and WebSocket is not inspected. However, it is possible to use 'Quic protocol' / 'WebSocket protocol' in a new Application rule to either block or allow this traffic. R80.10
PMTR-47785 Content Awareness supports more than 60 character sets for text files, including Japanese, Korean, Greek, and Arabic. If the inspected traffic does not include a supported character set, Content Awareness uses UTF-8 for decoding.
To see the list of supported charsets, and to learn how to change the default charset, see sk116155.
PMTR-47678 Content Awareness supports Data Types based on file name. In specific HTTP traffic where the file name is not part of the URL or content-disposition header, the file name may be incorrect. R80.10
PMTR-66930 This error popup appears in the Check Point UserCheck web page, if an administrator dragged an Action from one DLP rule to another in SmartDashboard:
An unexpected error has occurred.
You may still be able to continue working normally.
Please retry accessing the web page in a short while.
PMTR-47691 DLP can apply visible or hidden Watermark (for forensic tracking) to Office Open XML formats (DOCX, PPTX and XLSX) as a rule action in a DLP rule base.
Refer to sk117413 if DLP Watermark is used.

Threat Prevention

ID Description Found in version
Threat Prevention
PMTR-73043 "Unauthorized: Access is denied due to invalid credentials (401)" error in SmartConsole while trying to add a custom IoC feed, although IoC feed configuration in CLI with the same credentials works as expected. R81
PMTR-42100 SHA-1 and SHA-256 Indicators Of Compromise (IOC) are only supported with Gateway version R80.40 and higher.  R80.40
PMTR-39388 In some scenarios, during a file download, Packet Captures do not appear in Security gateway logs when the Strict-Hold setting is enabled.  R80.40
PMTR-50420 FTP inspection with the Anti-Virus, Threat Emulation, or Content Awareness blade is not supported when Security Gateway works in Monitor Mode (SPAN port). R80.30
PMTR-19839 CRL validation is not supported in pure IPv6 environments (when IPv4 addresses are not configured on the Security Gateway's interfaces). R80.20
PMTR-43623 In some cases, Packet Captures do not appear in Security Gateway logs (from Anti-Virus, Anti-Bot, and IPS blades):
  • When detection is done by RAD cloud (not using the RAD cache on the Security Gateway) for Reputation and MD5
  • When detection is done by the DeepScan engine
  • When connections undergo SSL encryption
PMTR-47684 On pre-R80.10 gateways managed by R80.x Security Management server, Access Roles and CloudGuard are not supported in all Threat Prevention and IPS rules on the gateway. This limitation does not apply to R80.x gateways.  R80.10
PMTR-47471 "Internal error occured" message may be displayed when trying to assign/reassign a Global Configuration at the same time that an IPS update is running on a local Domain.
  • To resolve: First run the IPS update on the local Domain. Then assign/reassign the Global configuration. 

Harmony Endpoint

ID Description Found in version
Endpoint Security (SmartEndpoint)
PMTR-62510 When you create a new Active Director Scanner in the Endpoint Server Web Management Portal, you cannot scan user certificates from the Active Directory. R81
PMTR-11057 "An internal server fault has occured" server error is shown when logging in to the SmartEndpoint GUI client with a custom administrator created in SmartConsole with the name "endpoint".
  • To resolve: Create an administrator with a different name.

Check Point Appliances Small Office Appliances / Maestro and Scalable Chassis

ID Description Found in version
Small Office Appliances
PMTR-3327 After upgrade, you must install Access Policy before installing Threat Prevention Policy. Otherwise, the Threat Prevention Policy installation may fail.  R80.20.M1
PMTR-47520 "SIC error" status may occur when the gateway object is defined in a "Management first" scenario before it is deployed, but the device's IP address is already accessible. The Security Management tries to create SIC with the gateway's IP address. Instead of the policy ending in a "waiting for first connection" status, an error message states the SIC status must be rectified first. R7x
Maestro and Scalable Chassis
For the list of limitations and unsupported features, refer to sk148074.

CloudGuard Controller  Monitoring / Nuage Networks / VMware NSX and vCenter / Cisco APIC / Cisco ISE / Public Cloud

Controller General Limitations | CloudGuard Controller Server | Security Policy and Objects Naming | Enforcement | Monitoring | Nuage Networks | VMware NSX and vCenter | Cisco APIC | Cisco ISE | Public Cloud

Enter the string to filter the below table:

ID Description Found in version
CloudGuard Controller
CloudGuard Controller - General Limitations
PMTR-60092 SmartConsole > "Menu" > "Verify Access Control Policy" fails when there are Data Center objects in rules.
The Verify Policy window shows: 
Status: Verification of policy '<Name of Policy>' completed with errors
Details: Error: Invalid network object <Name of Object> in Rule X
Note: Policy installation succeeds, only policy verification fails
PRHF-20096 CloudGuard Controller is not supported on Active/Active cluster (Geo cluster) in AWS. Refer to sk175904. R80.40
PMTR-69263 Policy Verification fails in this specific scenario:
  1. There are two specific rules in the policy - one below the other (not necessarily adjacent)
  2. The lower rule of the two:
    Contains one or more Data Center objects in the Source or Destination column
  3. The upper rule of the two:
    1. Contains the "Negate" condition in the same column where the Data Center objects are used in the lower rule
    2. Contains the same objects in the "Services & Applications" column as the lower rule
PRJ-8570 The Management API add-data-center-server for vCenter Data Center uses an optional parameter "unsafe-auto-accept" to allow usage of unsafe certificates. Its default value is set to false for not allowing unsafe certificates.

To avoid unexpected behavior, explicitly use "unsafe-auto-accept=false" when using the Management API.
VSECC-589 Changes in connection properties (such as credentials or URL) of existing Data Center Servers will take effect (e.g., importing objects, updating objects updates, etc.) only after policy is installed on all the Security Gateways that have Data Center Objects from this Data Center Server.  R80.20
VSECC-1059 Cluster objects (ClusterXL and 3rd party Cluster with the exception of CloudGuard for NSX) must be configured with reachable VIP as the main Cluster IP address to receive updates on Data Center imported objects.  R80.20
PMTR-3442 Connections to/from Data Center Objects that appear for the first time in a policy package pushed to the Security gateway will not be re-matched even if the rematch connection option was chosen enabled in the Security Gateway policy. Connections involving the Data Center Objects that were included in previous policy installations on the Security Gateway are re-matched.  R80.20
CloudGuard Controller - Security Policy and Objects Naming
VSECC-1066 Policy Verification for overlapping, hiding or contradicting rules that include Data Center Objects is not supported.  R80.20
VSECC-1063 CloudGuard Objects (Data Center Servers and Data Center Objects) are not supported in Global Domain.  R80.20
  • Non-ASCII characters (non-English languages) in 'Data Center Server' properties (i.e., user, password and shared secret fields) are not supported. (If an object name contains one of the above characters, enforcement will not work.)
  • If Data Center Object's name includes Non-ASCII characters (non-English languages), enforcement will work, but its name might not be displayed properly in Security Logs and Events.
VSECC-1065 If Data Center Object name contains the following characters in its name:
  • "{" - opening curly bracket 
  • "}" - closing curly bracket 
  • "[" - opening square bracket 
  • "]" - closing square bracket
  • "<" - less than
  • ">" - greater than
Then, the Data Center Object name will appear in SmartLog with "_", instead of of each of the above characters. For example: {Name1} will appear as _Name1_
CloudGuard Controller Server
VSECC-1069 For MDS HA managing a VSX gateway, a domain server must be deployed on all MDS servers that manage the VSX gateway installed with imported Data Center Objects.
Note: This instruction applies to the VSX object. This is not mandatory for the virtual systems. 
VSECC-1070 VS Cluster first policy installation should not include Data Center Objects.
Note: If this cannot be achieved, a full-sync must be run on the cluster by running the following on the standby member:
  1. fw ctl setsync off
  2. fw ctl setsync start
CloudGuard Controller Enforcement
VSECC-1071 If a Security Gateway works with CloudGuard Controller and other Identity Sources, there must not be IP addresses belonging to Data Center Objects also associated with Machines in other Identity Sources. Such overlapping can result in disassociation of the IP addresses from either the Data Center Object, or Access Roles with such Machines, and improper Security Policy enforcement.  R80.20
CloudGuard Controller Monitoring
VSECC-422 After executing these commands, reboot, cprestart, and cloudguard off, Data Centers that have no imported objects, will not automatically show in the Data Center table.
To see the Data Centers in the table, open each Data Center individually in SmartConsole. 
VSECC-1072 Data Centers that have no imported objects, will not appear in the Data Center table, after the cloudguard off command is run.  R80.20
VSECC-346 Problems in Data Center will not always change the status of the Security Management server in SmartConsole.
  • To resolve: Open the Device & License information window to see the real status and update the status in SmartConsole. 
CloudGuard Controller - VMware NSX and vCenter
VSECC-1075 VMware NSX Object - IP Set Objects with ranges or CIDR block notations are not supported. IP Set Objects representing one, or more, individual IP address/es are supported. R80.20
VSECC-1076 Official VMware Tools must be installed on a VM in order for CloudGuard Controller to successfully pool IP addresses. R80.20
CloudGuard Controller - Cisco APIC
VSECC-1085 Cisco APIC versions lower than 2.1: The Cisco ACI fabric does not age out individual endpoint IP address mappings, as long as one of the IP addresses responds to keep-alive ARP Requests from the fabric. As a result, these stale IP addresses will also be learned by the CloudGuard Controller.  R80.20
VSECC-1086 Supported fabric size: The total amount of all the following objects must not exceed 100,000:
  • Tenants
  • Application Profiles
  • EPGs
  • IP addresses
VSECC-1087 APIC HTTP URLs, which redirect to HTTPS, are not supported. Use either HTTPS URLs directly, or HTTP without redirection.  R80.20
VSECC-1089 When multiple APIC URLs are specified, the connectivity test will succeed, as long as one of the URLs connects. There is no requirement for initial verification for all the URLs.  R80.20
VSECC-1090 On failure to connect to all the given APIC URLs, the returned error message is for the first unsuccessful URL.  R80.20
VSECC-1091 Changes to privileges of the APIC user that was used to create the Data Center Object, are not reflected during an active login session.
For example, if a new security domain is added to the user, which allows him to see a new tenant, this will not be visible to the APIC scanner.
  • To resolve: Run the vsec_controller_stop command on the CloudGuard Controller to restart the CloudGuard Controller services and force a new login. 
VSECC-1092 If an object imported from Cisco APIC is deleted on the APIC, and then created again, the object must be re-imported into Check Point Policy. Enforcement will work properly once the object has been recreated in APIC, however the re-import is required to maintain updates for the object in the Security Management Server.  R80.20
CloudGuard Controller - Cisco ISE
VSECC-1095 Filtering IP-to-SGT mappings by SG name uses a wildcard ('*SG_NAME*') search, so incorrect IPs may be returned, in case two SGs have overlapping names (one is contained in the other).  R80.20
CloudGuard Controller - Public Cloud: Amazon Web Services, Microsoft Azure and Google Cloud Platform
VSECC-1096 Logs for rules with Subnets, AWS Security Groups, Microsoft Azure Network Security Groups or VMware NSX Security Groups will contain only the IP address, and will not contain the instance name. R80.20
VSECC-1097 IPv6 information is not imported for Data Center Objects in Public Cloud. CloudGuard Gateways in Public Cloud do not support IPv6.  R80.20
VSECC-1098 Data Center Tags:
  • Tags keys and values longer than 100 characters will be truncated to the first 100 characters and "..." will be padded to the end of the tag.
  • In Microsoft Azure, Tag keys are case-insensitive, whereas Tag values are case-sensitive. In CloudGuard Controller, both Tag key and Tag value will be treated as case-sensitive. Meaning, the same key/value in different cases will be shown on 2 separate lines in SmartConsole.

Give us Feedback
Please rate this document