R70 Known Limitations
Solution

This article lists all of the R70 specific known limitations.

This is a live document that may be updated without special notice. We recommend registering to our weekly updates in order to stay up to date. To register go to UserCenter > My Profile > My Subscriptions.

Important notes:

  • To get a fix for an issue listed below contact Check Point Support with the issue ID.
  • To see if an issue has been fixed, search for the issue ID in Support Center.

For more information on R70 see the R70 Release Notes and R70 home page.


ID Symptoms
Upgrades and Downgrades - General
- Upgrade from VPN-1 Power/UTM NGX R65.4 to R70 is not supported.
00435764 If you have the NGX R65 Messaging Security plug-in installed on Security Management (SmartCenter) or Provider-1 MDS, Messaging Security should only be enabled on gateways that have NGX R65 HFA 25 or higher installed.
00335134,
00335748
Full Connectivity Upgrade from previous versions is not supported in ClusterXL.
00441611 After upgrading to SecurePlatform R70, the "ARP Target Polling IP" parameter is removed. To fix, reboot the system and manually define the parameter.
00434080 Before uninstallation from Windows Server 2003 and above, run cpstop from the command line; otherwise, uninstall will not be complete.
00426948 Upgrade from the CoreXL image in Power-1 9070 or Power-1 5070 is not supported. When upgrading from Power-1 9070 or Power-1 5070 to R70, restore the NGX R65 image and only then start the upgrade process. Restoring the R65 image can be done using the LCD panel, the Web UI, or the console boot menu. After upgrade, CoreXL can be enabled using cpconfig, assuming that no unsupported features are enabled.
00439253 The Endpoint Security server may be unreachable after upgrading the SmartCenter server to R70. All files in /var/CPIntegrity/data/ should have owner "integrity".
00426017 To uninstall R70 after upgrading from R65 with Plug-ins, see sk37252 to avoid potential problems.
00523419,
00523471
upgrade_import from versions prior to R70 fails on Windows if Security Management is installed in a path containing a space (e.g. in "C:\Program Files\").
00523404,
00523404
Upgrading SecurePlatform VPN-1 Power/UTM NGX R65 HFA 30, 40 or 50 to R70 or later may cause severe problems and instability. For more information and solution refer to sk43247.
00537124,
00537580
User Authority kernel module cannot be installed on UTM-130.
Security Gateway
Firewall
00450311, 00499947, 00499949, 00526088, 00566521, 00734363, 00751670, 01056335
Truncated UDP DNS packets are dropped by IPS protection "Non Compliant DNS" as attack "Bad domain format, empty domain".
Refer to sk106483.
00632698,
00634176
Memory leak in VPN when L2TP is used.
00627591,
00628170,
00628172,
00654258
All cluster members restart randomly.
00501307 IPSO 6 does not support any UTM feature.
00560258 Traffic interruption when one of the ClusterXL members, gated with Bond HA/LS interface is rebooted.
00566796,
00566847
High CPU when VPN is disabled and SecureXL is enabled.
00511160,
00524403,
00511694,
00511693,
00511694
Traffic from VPN domain to Office Mode IP leaves the gateway unencrypted.
00524492 When sam_requests table gets too big, the Security Management server fails to list all sam_requests table entries.
00527424,
00528137
The fw tab action crashed with Segmentation Fault when reading an empty sam table.
00528195,
00528126
When adding a central license via SmartUpdate, the VPN feature becomes disabled.
00531249,
00530465
Incorrect NAT rule is shown in logs when using NAT hide for DNS traffic. For more information and solution refer to sk43826.
00551612,
00552552,
00552551,
00553050
High port cannot be opened for DCE-RPC data connection.
00445735 If you have edited $FWDIR/conf/user.def.NGX_R60 to include new INSPECT code, and then upgraded to R70, the new INSPECT code will not be transferred to a security gateway during a policy install. To transfer the new INSPECT code, copy the code from user.def.NGX_R60 to user.def.NGXCMP.
00445890 Some Firewall services (such as CIFS) use the Security Gateway TCP Engine to ensure validity and correct streaming. When TCP issues are found by the engine, it may incorrectly issue logs marked as IPS rather than Firewall.
00420616 Do not put more than 80 services in one security rule.
00423291 If an IMAP connection is dropped in the middle of a session due to security issues, the server continues sending packets to the client.
00417058 Routing protocol connections usually last for a long period of time, as the connection is refreshed whenever a packet is sent.
00532758 Many mutex files can be created while SecureClient is connected to the Policy server.
00549582,
00548940
High CPU when using URI resource with UFP server.
00547460,
00551252,
00550565,
00547505
The fw ctl fwinstall command fails when the Windows-based firewall has more than 4GB of memory.
00555157,
00555530,
00555532
Traffic is dropped when the "dst cache overflow" message is displayed in /var/log/messages.
00555904,
00556014
Setting affinity to a process does not survive cpstop/cpstart or reboot.
00570822,
00570831,
00570833,
00571524,
00571709
"FW-1: fwconnoxid_get_connoxid_data: fwconn_chain_get_opaque failed" error message appears on the console. See sk57540.
00571321,
00572335
NAT fails after Security policy installation.
00572044,
00572056,
00572254
File descriptors leak in CPD process after Security policy installation.
00576465,
00576659,
00576661
ACK packets originating on the security gateway may become corrupted.
00623745 Added a new kernel parameter fwfrag_timeout_override that allows you to set the fwfrag_table timeout.
00664033,
00665506,
00665507
Log cannot be seen in SmartView Tracker when using the RPC connection.
00600452 R70 Web Visualization Tool does not show interfaces IP addresses.
00737572 UDP 500 traffic is dropped after Security policy installation.
00848375,
00854429,
00854430,
00855853
Unable to pass some HTTP requests due to gateway dropping or rejecting traffic for request to proxy other than next proxy, because the HTTP header contains a proxy that is neither the gateway nor the next proxy.
00871275,
00876361
The vpn overlap_encdom traditional -s command hangs on a Check Point installation with a huge database of objects. As a result, the CPinfo utility crashes.
00870490,
00870566
snmpd logging fails with "diskio.c: don't know how to handle" error in /var/log/messages file.
01049783,
01051085,
01052011,
01052012,
01052013
SNMP reports incorrect CPU usage statistics.
01048946 CIFS traffic is dropped by the IPS protection "Blaster attacks".
01068422 Site2Site tunnel fails constantly. "3Oct2012 21:02:55.372801" messages in debug.
01060846,
01080786,
01080787,
01080788
DCERPC packet dropped by fw_runfilter_ex Reason: function does not exist.
IPSEC VPN
00412380 VPNX is no longer supported. For enhanced performance please use SecureXL.
00354952 VPN-1 Acceleration Card is not supported.
IPS
00445839 Exceptions on Success Events category protections are not enforced.
00445496 The default protection configuration is not saved for web servers or HTTP servers; settings can be saved only for each specific server.
00422129 The Spoofed Reset Attack protection protects only against attacks originating in External networks and designated for the Internal network.
0042348 You may receive the following log details: Attack name: 'Block HTTP Non Compliant' and Reason: 'WSE0020012 found request with POST method without Content-Type header'. If you receive this log entry and you think it is not correct, you can remove this inspection as follows: in the protection 'Block HTTP Non Compliant', deselect the 'Enforce strict HTTP request parsing' button, and install policy.
00411987 In the SSL Tunneling protection, exclusion settings for pre NGX R65 gateways will not be maintained after upgrade.
00444192 Some IPS-related processes are on a per-profile basis, so a setup with many defined profiles may experience performance issues with the IPS UI and during policy installation. Workaround: Remove unused profiles.
00520435,
00521072,
00521430,
00520488,
00520490
"cmi_execute_ex: Failed to execute the pattern matcher!;" error message on the console on R70 with IPS enabled.
00441886 If you create a new profile in Detect mode, protections' actions may be displayed as Prevent. To fix: open a protection and then refresh the IPS protections list.
00444141 The following IPS features are not supported in Bridge mode configuration:
  • Syn Defender.
  • Header Spoofing.
  • Send error page (Attacks are blocked but no error page will be sent to the client).
  • Client/Server notification about connection termination (TCP RST packet).
00419564 "Report to DShield" does not support the new DShield website requirements. At this stage, this feature is not operational. See sk33359 for additional information and the procedure to overcome this issue.
00497758 Legitimate DCE-RPC (DCOM) bind packets dropped in R70 with "UUID is not allowed through the Rule Base" log. See sk42402.
00528932,
00528956,
00529164,
00529285
Security gateway running R70 on IPSO 6.2 got kernel panic while running IPS.
00420144 'Open Selected Policy' and 'Open Selected Policy RO' should open the SmartDashboard application with the policy of the selected device. Those actions will not work unless the SmartDashboard is already open and minimized.
00443473 In the Device page, when selecting all objects in a filter, gateways which are not SecurePlatform or Edge are not displayed in the list. To Update Corporate Office of a non-listed gateway, the CLI must be used.
00413757 Do not perform any Connectra related configurations while in Demo Mode as Connectra is not supported in Demo Mode.
00518761,
00518153
Kernel memory might be corrupted when Web security protections are enabled.
00371055 In R70 gateways, the 'FTP Bounce' protection can be deactivated or configured as an exception. When the protection is deactivated, older gateways will act as if they were placed under "monitor only" with track set to "none."
00375809 The 'Dynamic Ports' protection now contains a "track" option. However, this option is not backwards compatible and older version gateways will disregard the value in the new "track" option.
00340595 IPS profiles are not supported on VPN-1 VSX. Only the default IPS-1 profile applies.
00355285 Almost all protections in IPS support exception rules and a "capture packets" option. These 2 options are not supported in older versions.
00532685,
00532753,
00532802
Security gateway crashes when a certain CIFS traffic passes through and the IPS is enabled.
00552564,
00553503
IPS does not block some SQL Injection attacks in a cluster environment.
- IPS inspects the SMTP traffic only when it is directed to a mail server.
00569731,
00569925
Memory leak in fwscv process.
00569059,
00573022
DCE_RPC high ports traffic from Windows 2008 server is dropped.
00589289 HTTPS traffic with TLS 1.1 is dropped by IPS.
00726457,
00728144
"Citrix Application Enforcement" defense allows application names encoded in Unicode.
00616181 IPS Exception is not working for HTTP Non Compliant traffic.
00629935,
00630092,
00630095,
00630097,
00643805,
00643828,
00645209
Gateway's kernel may crash while updating the Geo Protections.
00628103,
00545006
Geo Protection updates fail when working with a direct Internet connection.
00528327,
00750090,
00750089
Geo Protection shows 'OTR' instead of country code for allowed connections.
00644648 Security Gateway crashes when running 'fw ctl tcpstrstat -p' command while IPS blade is not enabled in SmartDashboard. See sk64540.
00573296,
00574610,
00658331,
00736708,
00762625,
00763192
After disabling the H.323 IPS protection "Block connection redirection" the connection dropped on redirection.
SecurePlatform
00441808 The Intel PRO/1000 VT/ET/EF interfaces using IGB driver must have a minimum MTU of 1050.
00445267 Intel 10 Gigabit PCI Express adapters are not supported in bridge configuration on SecurePlatform.
00433509 The Export Setup option that appears in the sysconfig menu, after executing sysconfig from the command line, is not supported.
00439554 Broadcom NetXtreme II BCM5706/5708/5709 network interfaces that use the bnx2 driver cannot be configured for smp_affinity, due to a limitation in the driver.
00445120 SecurePlatform with Bond configuration may experience instability during reboot under heavy load.
00494019,
00528094
Incorrect mapping of interface names to physical ports causes major confusion.
00506300,
00465081
Cannot install SecurePlatform from SATA CD-ROM on Dell PowerEdge 2970 server. For more information refer to sk43145.
00552930,
00553302
'kernel: BUG: soft lockup - CPU#1 stuck for 10s! [bondN:PID]' in /var/log/messages. Refer to sk66782.
00553445,
00553444,
00547140,
00548020,
00548320,
00552380,
00553442,
00567059,
00574093,
00574430,
00647906,
00648633,
00648958,
00765541,
00774981,
00815732,
00848407,
00904918,
00906772,
00923135,
00968476,
01007249,
01007599
IOWait consumes 100% CPU on Security Gateway after security policy installation.
Refer to sk60703.
00555490,
00555935
Kernel RPM installation causes parsing error messages in awk script.
00573900,
00573952
When creating a Bond interface using WebUI, the Primary Member Interface is not saved.
00645534 snmp poll command for ifHighSpeed of 10Gb NICs returns incorrect values.
00556596,
00557059,
00613041,
00746137
"Note that creating the snapshot can take up to 20 minutes, and all Check Point products will be stopped and re-started" message after the snapshot completes.
01041607,
01041689,
01041690,
01041691,
01041692,
01041763,
01041764,
01041765
When choosing FTP storage, the Scheduled Backup does not work on SecurePlatform.
00732936,
00733468,
00733481,
00733485,
00787576,
00827602
Querying tree .1.3.6.1.4.1.2021.4 (memory statistics) returns incorrect results. Refer to sk42811.
01145320 Default QoS/TOS settings for ssh and scp cannot be disabled.
Software Blades Multicore Container - CoreXL
00417895 In a cluster, when performing a hardware upgrade that changes the number of processing cores (or when changing the number of kernel instances in any other way), a Full Connectivity Upgrade is not possible.
00421176 It is not recommended to enable Hyper-Threading while CoreXL is enabled.
00417888 The following features/settings are not supported in CoreXL:
  1. Check Point QoS (Quality of Service)
  2. 'Traffic View' in SmartView Monitor(1) (all other views are available)
  3. Route-based VPN
  4. IP Pool NAT(2) (refer to sk76800)
  5. IPv6(3)
  6. Firewall-1 GX
  7. Overlapping NAT
  8. SMTP Resource(2)
  9. VPN Traditional Mode (refer to VPN Administration Guide - Appendix B for converting a Traditional policy to a Community-Based policy)

If any of the above features/settings is enabled/configured in SmartDashboard, then CoreXL acceleration will be automatically disabled on the Gateway (while CoreXL is still enabled). In order to preserve consistent configuration, before enabling one of the unsupported features, deactivate CoreXL via 'cpconfig' menu and reboot the Gateway (in cluster setup, CoreXL should be deactivated on all members).

Notes:
  • (1) - supported on R75.30 and above
  • (2) - supported on R75.40 and above
  • (3) - supported on R75.40 and above on SecurePlatform/Gaia/Linux only
00534533,
00534460
Certificate generation on SecureClient fails because the first_master table is empty on one of the CoreXL instances.
00534357,
00534254
ICMP packets are dropped with "ICMP error does not match an existing connection" message.
01061497 Traffic that depends on Dynamic Objects stops passing after policy installation - it is actually dropped by the rule that should accept it.
Refer to sk107079.
Clustering & Acceleration (ClusterXL and SecureXL)
00556394,
00561433
Traffic interruption over OSPF when Pivot member reboots.
00540762,
00502255
SecureXL cannot be loaded after installing a Security policy.
00641944 After rebooting the Pivot member, the 'cphaprob stat' command on the non-pivot members shows wrong assigned load.
00639128 Full Connectivity Upgrade fails when running in an unsupported scenario.
00415896 On Nokia/IPSO when ADP is used, actual Performance Impact values are different from other platforms, even though the difference is not reflected in the protection page.
00557922,
00564507
With SecureXL enabled, packets are dropped with "Address spoofing" error message during Security policy installation.
00538043,
00565897
The bound check for the interfaces string crashes the security gateway.
00560326,
00558279
With acceleration enabled, remote users connected over the internal network cannot communicate properly after connection establishment.
00416199 Since SecureXL and QoS cannot work together, generally, when one is disabled, the other is enabled. If you run the commands etmstop and then etmstop disable to disable QoS, SecureXL starts automatically. However, the cpconfig menu does not reflect that SecureXL has started and does not show the 'Disable Check Point SecureXL' option as usual.
00404149 The Connect Control feature is not supported on ClusterXL LS modes. See sk31162 for further information.
- The configuration of ClusterXL in bridge mode is not supported.
- The Monitor all VLANs feature is not supported.
- In asymmetric routing scenarios, enabling Chain Forwarding will allow some features to work. See sk32403 for details.
- Full Connectivity Upgrade from previous versions is not supported in this release. A workaround is to perform the Zero Downtime upgrade, which may result in some connections being disconnected.
- Upon failover in clustered deployments, the Dynamic Routing mechanism issues an IGMP General Query, instructing the adjacent devices to re-register for multicast traffic. While current sessions are maintained, newly initiated multicast sessions are delayed until the process completes.
- When using a bonded interface on a gateway running ClusterXL, be sure to define all slave interfaces as disconnected in the file $FWDIR/conf/discntd.if.
- A SYN packet arriving on a connection that has been closed by an RST packet will not be accelerated if the SecureXL device does not support Sequence Verification acceleration. To verify that the SecureXL device supports Sequence Verification acceleration, run the command fwaccel stat and look for TCP_STATE_DETECT_V2 in the Accelerator Features section.
- A clear text packet which is dropped by SecureXL upon an encrypted connection is logged with service and source port 0.
- The Template Quota feature is supported on SecurePlatform only.
- High Load QoS is supported on SecurePlatform only.
- Aggressive Aging is supported on SecureXL devices that support API 2.5 and above. To verify support, run the command fwaccel ver.
00445253 While working in Nokia IP Clustering on a machine with more than 60 interfaces (including VLANs), the clustering forwarding mechanism might not work properly. See sk37411 for more details.
00439975,
00439978,
00439980,
00439983,
00439985
The maximum supported number of cluster members is:
  • ClusterXL mode - 5
  • 3rd party cluster mode - 8.
00420669 In ClusterXL Load Sharing, from a security perspective, it is recommended to use the SecurePlatform default configuration: Enable Sequence Verification and set fw_allow_out_of_state_post_syn to be 0 (default). If Sequence Verification is disabled (default in IPSO), fw_allow_out_of_state_post_syn should be set to 1 in order to avoid connectivity issues.
00563266,
00570933
The ISP redundancy cannot be disabled on incoming connections.
00570387 ClusterXL in legacy mode does not support bond interfaces.
00589619 "fwha_multicast_dynamic_routing_handler: packet, arrived on ifn 1 which isn't vpn tunnel" message in /var/log/messages file.
00663897,
00259915,
00259923,
00259925,
00259929
Some of the API calls cause a memory leak in asynchronous devices (IPSO SecureXL).
00616056,
00620918,
00622364

Cluster member crashes when CIFS protections are enabled and a Qualys vulnerability scan is performed.

00632966,
00635212
Kernel memory leak in cluster environment.
00932751,
00934079
The ClusterXL policy ID appears as negative value in cluster kernel debug.
Advanced Networking (Dynamic Routing and QoS)
00441182 OSPF virtual link is not supported for Advanced Routing Suite.
00594831 When taking down interface by doing ifconfig down (ifdown) on the Standby member, all the configured OSPF routes disappear, and are not learned back from the Active member after the interface is up and running again.
SSL VPN and Connectra
00443163 The SSL VPN Blade query may include records that are irrelevant to Connectra.
00571370,
00570344,
00595225
The certificate warning window is too small when connecting to the SNX portal via Internet Explorer 8.
00651366 Access to non-main Connectra cluster IP address is blocked by autogenerated policy.
00883928 Browsers with implemented fix for BEAST (Browser Exploit Against SSL/TLS) are unable to reach SSL portal.
VSX
00423958 Using a DAIP object in a negated cell is not supported when installing Policy on a VSX gateway or Virtual System.
Anti Virus and URL Filtering
00518319,
00521175,
00521177,
00521498
The user cannot specify which URLs should not be scanned by the Anti Virus.
00341288 Anti Virus and Web Filtering signature updates may not succeed when the HTTP proxy is configured for the Anti Virus updates and Web Defense features are enabled. The SmartView Tracker log will show: Failed to contact User Center.
00595754 Anti Virus update fails when using proxy settings.
VoIP
00433456 SmartView Tracker logs for VoIP are not compatible with the IPS logs. SCCP and H.323 logs are listed as Firewall, without reference to IPS, and do not contain IPS information (severity, performance impact and confidence level). Many SIP logs are logged with IPS, even if they are not related to the IPS protections.
00438666 Hide NAT is not supported on SIP phones registered to Cisco Call Manager.
00336808 When an H.323 IP phone that is not part of a handover domain tries to establish a call, the call attempt is blocked and the following message appears on the console: FW-1: fw_conn_inspect: fwconn_chain_lookup fail.
00336811 When a SIP-proxy is in the DMZ, Whiteboard and application sharing will not open between external to internal messengers.
00442263 SIP TCP, Skinny and H.323 protocols are not supported in bridge mode.
00531197,
00531217
Memory leak in fwx_sticky_port table.
00573114,
00574393
ACK Keep alive packets are not forwarded to the client.
00568626,
00568819,
00569297,
00655809,
00661407,
00766104,
00773088,
00777574,
00788977,
00849013,
00866073,
00877931,
00895030,
00940359,
01000933,
01109532,
01348533

SmartView Tracker logs show that SIP packets are dropped by IPS:

Product: IPS
Protocol: udp
Attack: Malformed SIP datagram
Attack Information: Invalid or no 'CSEQ' field
Refer to sk57060.
IPv6
00445945 An IPv6 host cannot be configured as a Web server; it would cause connectivity issues for IPv4.
00437881 The fw6 monitor command is not working properly; therefore, IPv6 traffic cannot be monitored using this command.
00079589 In IPv6 logs, IPv6 address resolving is not supported in SmartView Tracker.
00088516 Due to the fact that IPv6 is not supported for security servers, enabling Configuration apply to all connections under SmartDefense FTP Security Server settings causes FTP (as well as HTTP and SMTP) connections over IPv6 to be rejected, and no log is generated.
00090235 The command fw6 unload localhost unloads both IPv6 and IPv4 policies, although it should unload only the IPv6 policy.
00099724 The RSH protocol is not supported for IPv6.
00438161 A message may be displayed when installing a policy, that the NDISWANIPV6 or NDISWANIP interface is not protected by the anti-spoofing feature. This message can be safely ignored.
Endpoint Security
00439253 The Endpoint Security server may be unreachable after upgrading the SmartCenter server to R70. All files under /var/CPIntegrity/data should have owner "integrity".
00652486,
00652624,
00652625,
00653292,
00653293,
00664017
SecureClient license is not counted for the secondary connect.
Security Management
Security Management (SmartCenter)
00445796 Missing fw.log and fw.adtlog on Windows. See sk37467 for the procedure to overcome this issue. The solution explained in the SK has to be installed on the Security Gateways and Log Servers.
00443746 On Windows platforms, when more than one IP address is configured on the Security Management server machine, a non-routable IP address may be set as the main IP address and SIC will not be established. To fix: manually enter the correct, routable IP address in the Security Management server object.
00420245 After upgrading from NGX R65 to R70, if you have two services with the same name (ABC and abC are considered the same), the policy installation will fail on all gateways. You will get a message stating that you must rename the services so that there are no duplicate names.
00504011 When using an object of type "group with exclusion" and setting one of its fields to "Any", Security policy verification might fail.
00530137,
00530569
The "ldapcmd -p all stat 0" command crashes with core dump file.
00557889,
00528962,
00558872
"fwset is too big (>200 KB), cannot convert it to string" error in the fwm.elg file.
00763732,
00764380,
00764386,
00764387,
00783992,
00847418,
00853397,
00875877,
00903446,
00931302,
00947796,
00953144,
01003897,
01011687,
01113316,
01121980,
01146610,
01250749
SmartView Tracker shows incorrect logs - different logs from two different Security Gateways are unified to the same log record due to same Log Unique ID.
Refer to sk72160.
SmartConsole & SmartDashboard - Graphical User Interface
00442152 If the RADIUS server name should be changed, and it acts as an LDAP user, the data on the LDAP user will not be refreshed automatically. Reselect the server in the LDAP user, or change the RADIUS name back.
00561178,
00562578
"You are about to open a different Policy Package" pop-up message appears even if the same policy package is opened.
00434808 On Windows 2003 Server, SP1 is necessary for the SmartDashboard to load successfully.
00437981 When connecting to the SmartDashboard, if SmartMap is not synchronized or does not exist (for example, if it is the first time this SmartDashboard is connected to this server), no SmartMap is created.
00566859,
00568708
SmartView Tracker feature "View rule in SmartDashboard" does not highlight the target rule if the section header is closed.
00543741 False pop-up warning "There are more than 1024 objects with address translation" in the SmartDashboard.
00549008,
00352960
Not all QoS rules installed on Cluster VIP are recognized by filter tree on SmartView Monitor.
00635238,
00640599,
00640345
Cross-CMA search provides incorrect results.
Event Management (Eventia Analyzer)
00424597 After upgrading to R70, install Policy to ensure that all components will work properly.
00426951 When upgrading the distributed Eventia Reporter from versions prior to R63, you must run cpstop on the Eventia Reporter machine before performing the upgrade.
00561856,
00562351
Eventia Analyzer does not create log for snmptrap, returning AuthenticationFailure trap.
00419695 Eventia Analyzer before NGX R65 cannot synchronize objects with management servers running NGX R65 or R70. The Analyzer will still run but will not synchronize any more changes.
00537624,
00539623
cpwd_admin list command fails with error "Server failed to write all process info due to a lack of place".
0508689,
00532442
Eventia Reporter unable to start consolidation session when the Eventia database is stored on a partition greater than 2TB.
00562604,
00563594
Database maintenance runs every 15 minutes although there are no records to delete.
00256952,
00531535,
00532631
"Multi Value" list in the Custom Events of the Eventia Analyzer GUI is limited to 300 values.
00651958,
00657449
Import to the existing table fails.
01024996,
01056288,
01056289
Eventia Analyzer consolidation status is stuck on "trying to reconnect".
Provider-1
00420029 When a new CMA is created, it takes a few minutes to become fully initialized. The MDG shows the new CMA as "started" before it is initialized.
00343945 SAM (Suspicious Activities Monitoring) is not supported on Provider-1.
00563333,
00563614,
00566283,
00566284
Memory leak in FWM process on Provider-1 running Solaris 10.
00418970 If you restore an older database revision of a CMA from before its Global Policy was installed, the MDG will still show the Global Policy as "Assigned." However, the Global Policy will not be active on the CMA until you re-assign it.
00443644 If reverting to an older revision of the global database, and a global policy is assigned to a customer with a Global IPS subscription, the global IPS objects (profiles, exceptions, patterns, etc.) will not be updated properly. See sk37324 for additional information and the procedure to overcome this issue.
00445069 On a newly created CLM, if an error message appears whenever SmartView Tracker is opened, or IPS attack descriptions are not displayed, the database must be installed on the CLM.
00413859 If an older database revision of a CMA from before its Global Policy was installed is restored, the MDG will still show the Global Policy as "Assigned." However, the Global Policy will not be active on the CMA until it is re-assigned.
00446196 After assigning global policy, the "Action according to Global Policy" of IPS protections "Sweep Scan" and "Host Port Scan" in the global IPS profiles on the CMAs, is always set to Detect. In order to deactivate these protections, on the relevant global IPS profile in the CMA, edit their settings and select "Override global policy with Inactive".
00446250 When performing the "Remove Overrides" action on a global profile from the CMA's IPS Profiles view, Peer-to-Peer protections will not be affected and their effective action will still be determined by the "Override Global Policy with:" action, if it has been selected.
To remove their override, edit each of these protections separately and select the Main Action to be according to the Global Policy. Such protections are: Winny, Soulseek, DirectConnect, Kazaa, Gnutella, BitTorrent, eMule, Skype, Yahoo Messenger, ICQ.
00445939 If a global IPS object (profile, exception, pattern, etc.) has been created/changed in the Global SmartDashboard while Assign Global Policy is being performed on a Customer, then on the next Assign Global Policy operation these objects may not be updated properly. See sk37324 for additional information and the procedure to overcome this issue.
00447157 After installing R70, when you select "Edit Properties.." on a gateway object in the MDG, and try to modify its information fields, the operation fails and a "General access denied error" is displayed.
00462867 After installing R70, operations on CLMs on MLM with CPPR-MLM license and CMAs on MDS with VSX bundle license fail with "No valid license" message.
00444607 After upgrading Provider-1 to R70, FWM process on the MDS does not go up. Refer to sk37407 for additional information.
00524396 When performing Remove Global Policy on a CMA that is subscribed to Global IPS, the operation may fail if IPS Exceptions which relate to a global profile were created by the CMA administrator. To overcome this issue, delete from the CMA all IPS Exceptions which relate to a global profile and which were defined by the CMA administrator and then remove the global policy.
00568665,
00569082
Installing Security policy to a VSX cluster fails if "Global Properties"->"Reporting Tool"->"Exclude services" is configured.
00571126,
01216737,
00571399,
00783248,
01447813,
01447873
When re-assigning Global Policy, Policy Installation fails for VSX Virtual Systems in Bridge Mode. Refer to sk65321.
00769945,
00775539,
00775557,
00775559
fwm memory leak in cross-CMA search.
Other Platforms and Products
UTM-1 Edge
00443036 When installing a policy on an Edge device the following line appears in the SmartView Tracker: "msg: Error-65000: Could not determine firmware file name for gateway <gateway name>" This message can be ignored. Workaround: In SmartProvisioning (where firmware is uploaded to SmartCenter through SmartUpdate), open the Edge gateway -> Firmware tab and select "Use the following firmware" option.
00406131 Centrally managing Mail Security for UTM-1 Edge devices is not supported.
00365417 Configuring the Block FTP Commands protection in the IPS tab may not activate the protection on UTM-1 Edge gateways.
00422468 QoS rules may not take effect on hosts behind a NAT address.
00623149,
00623869,
00641652,
00647611,
00785020
IKE Phase 1 is re-negotiated every 2 hours on Edge devices. Refer to sk60326.
SmartProvisioning
00443450 If after running the SmartProvisioning wizard, the Actions table does not show "Get Actual Settings" for the gateways, wait until all actions are finished and then run "Get Actual Settings" manually on each gateway with the right-click menu.
00443473 In the Device page, when selecting all objects in a filter, gateways which are not SecurePlatform or Edge are not displayed in the list. To Update Corporate Office of a non-listed gateway, the CLI must be used.
00597194 FWM process crashes every few days. See sk59680.
Performance Pack
00440386 On Nokia IPSO platforms, the Performance ratings of IPS protections should be different when ADP is used; but the difference is not reflected in the protection's performance impact rating.
00529913,
00529256
Ping to the cluster VIP from standby cluster member is dropped when using Performance Pack.
00541937,
00512531,
00257604
Kernel panic on SecurePlatform R70 HFA 10 with Performance Pack machine when VPN with fragmentation is used.
00548793,
00549303,
00549472,
00549474,
00549477
Security gateway is crashing when running tcpdump.
FloodGate-1
00542917,
00546479
When folding occurs, FloodGate-1 module is asked about the folded connections that do not exist. As a result, these connections are not matched by any FloodGate-1 rule.
00550883,
00551697
In cluster configuration, installing a network policy causes the QoS policy to be reloaded 5 times on each cluster member.
00597060 Possible crash when FloodGate-1 is installed in certain scenarios.
00628659,
00596381
When QoS packets arrive at the gateway's internal interface, it marks those packets with DSCP 0, meaning that no packet classification is done.
- QoS does not support the following:
  • IPv6
  • VSX
This solution is about products that are no longer supported and it will not be updated
