R71 Known Limitations

This article lists all of the known limitations of R71.

This is a live document that may be updated without special notice. We recommend registering for our weekly updates in order to stay up to date. To register, go to UserCenter > My Profile > My Subscriptions.

Important notes:

  • This release includes all limitations of Check Point R70.
  • To get a fix for an issue listed below contact Check Point Support with the issue ID.
  • To see if an issue has been fixed, search for the issue ID in Support Center.

For more information on R71 see the R71 Release Notes, R71 DLP Release Notes, and R71 home page.

Table of Contents:

  • General
  • Security Gateway
    • ClusterXL
    • CoreXL
    • DLP
    • SecurePlatform
    • IPS
    • SSL VPN
    • IPSec VPN
    • VSX
    • SecureXL
    • URL Filtering
  • Security Management
    • Endpoint Security
    • SmartDashboard
    • SmartEvent and SmartReporter
    • SmartUpdate
    • SmartView Monitor
    • SmartWorkflow
    • SmartProvisioning
    • Security Management Server
  • Other Platforms and Products
    • IPS-1
    • Smart-1
    • SecurePlatform
    • UTM-1
    • IPSO
    • DLP-1
    • Red Hat Linux
    • Windows


ID Symptoms
SSL VPN and DLP: If you have an LDAP Account Unit configured to work with a DLP Gateway or SSL VPN gateway, the LDAP groups and users are automatically added.

To set the Account Unit server:

  1. Open SmartDashboard
  2. Open the properties of the LDAP Account Unit object > Servers.
  3. Set the priority of each server (1 is highest) for the gateway to query.
  4. Remove unnecessary servers.
  5. Click OK.
  6. Install the policy.
00545719 Anti-Virus Integration: Classification of a file type is done according to its content and extension. For files with no content signature, the classification is done only by extension. If you want to apply a policy to all executable files (".exe"), all the following types of .exe files should be selected:
  • Windows PE
  • MS-DOS executable (built-in)
  • MS-DOS executable (including self-extracting)
00542237 If the administrator chooses a predefined LDAP group (such as Domain Users) in the SSL VPN policy rules, some or all of the users will not be able to see their applications in the portal.

Workaround: Create a specific (not predefined) group.

00541046 If many LDAP servers defined in an Account Unit fail to connect, authentication to the SSL VPN portal may fail, even if the credentials are correct.
When defining an Account Unit, make sure that all LDAP servers are accessible and prioritized correctly.
Automatic update for Anti-Virus fails; CPD process crashes. Refer to sk57280.
Manual Anti-Virus signature update never finishes - The GUI update window never finishes.
Provider-1: CMA cannot fetch Global Policy after Provider-1 upgrade. Refer to sk56389.
Memory leak when SecureXL with templates is enabled on IPSO.
Running ctasd prevents the gateway from contacting the Commtouch Server if zero protection is disabled.
Client Authentication fails when UTF-8 characters are used.
01158419 Legitimate CIFS traffic is dropped with error "cifs_tunnel_execute: Error, context include an invalid FID.." 
Security Gateway
- ClusterXL Zero Downtime Upgrade from R70.x to R71 GA (without HFAs) fails. Refer to sk50260.
00256328 When working in an IPSO VRRP setup, Get Topology might fail if no VRRP master was selected.

In this case, an error message opens.

To solve this problem, VRRP should be configured properly with a master member selected.
00570387 ClusterXL in Legacy HA mode does not support Bond interfaces.
In ClusterXL HA, after policy installation is finished, the Standby cluster member is Down even though all of the pnotes are OK.
In an IPSO cluster with 5 or more members, the cluster devices are initialized to Problem state from the 5th member onwards.
00594475 The Internal and External interfaces' VMAC address might get switched after Policy installation.
User Authority is not working with Proxy on the client browser configured with cluster Virtual IP address.
When creating an interface in the middle of the list, some of the VMAC addresses may change. Refer to sk65149.
Some OID entries are missing in Check Point MIB file - (cluster vip interfaces), and (cluster sync interfaces). Refer to sk66202.
Port flapping on the switch to which the Synchronization interfaces of three or more ClusterXL members are connected. Refer to sk95150.
00524771 When using the "Multi-core Performance Add-On", the add-on's expiration time is incorrectly handled if it expires before the gateway's license.

Workaround: once the add-on's license expires:

  1. Reboot the gateway.
  2. Reconfigure the number of CoreXL instances using 'cpconfig' (or "cp_conf corexl enable" for the default number of CoreXL instances).
  3. Reboot the gateway again.
00546249 If you used 'cp_conf' to install licenses (not recommended), then you must:
  1. Reboot the machine.
  2. Run 'cpconfig' and select the option 'Configure Check Point CoreXL'.
  3. If SecureXL is installed, then run: 'sim affinity -a' command to enable automatic SIM Affinity.
00534489 If the DLP Gateway is configured to work in L2 Bridge mode, define direct routes to all SMTP servers. SMTP traffic must not be redirected back to the DLP Gateway.

Specifically, traffic to external SMTP servers must be routed to a default gateway without being redirected back to the DLP Gateway.

The SMTP Relay Server may require a specific route.
00534993 Regular expressions in Weighted data types will always match by the shortest match. This may cause some strings to appear truncated in logs.
00541780 In an environment with more than one bridge interface, the DLP Gateway must not see the same traffic twice on the different interfaces. The traffic must not run from one bridged segment to another.
00544921 When using DLP in bridge mode with the DLP Gateway connected to more than one machine, a switch must be used. Do not use a hub.
When applying DLP for HTTP and FTP protocols, the DLP captive web page may not be presented properly for all websites.

Workaround: Deploy Check Point UserCheck on user machines, or convert HTTP/FTP Ask User actions to Prevent or Detect:

  1. Connect with GuiDBedit Tool to the Security Management server.
  2. Expand 'Other' > dlp_data_tbl > dlp_general_settings_object.
  3. Change the value of 'action_replacing_quarantine_for_ftp_and_http' from 'disabled' to either 'prevent' or 'detect'.
  4. Save the changes and close the GuiDBedit Tool.
  5. In SmartDashboard, install the policy on the DLP Gateway.
00502629 For DLP to work successfully with the HTTP protocol, endpoints (desktops and laptops) must access the DLP Gateway directly, not through a proxy server.
00522857 Inspection of TLS encrypted SMTP connections and of HTTPS connections is not supported.
00538220 DLP recognizes a read-only password-protected MS-EXCEL file as an encrypted file. It is not scanned, but can be captured by a rule that matches the Encrypted File data type.
00531988 When an Office file includes other embedded Office files, the content of all files is scanned. If the embedded file is an MS-EXCEL file, only the first sheet is scanned.
00535598 Case insensitivity is fully supported for: Dictionaries, Key words, and Weighted Key Words that are not regular expressions.

Case insensitivity is supported only for ASCII characters (not UTF-8) for Patterns and Weighted Key Words that are regular expressions.

00542995 DLP pattern syntax does not recognize multiple character ranges for Pattern data type and Weighted data type with regular expressions, if:
  • The pattern uses range brackets ([ ])
  • The first metacharacter inside the brackets is the circumflex ( ^ ),
  • The range includes a metacharacter that can match more than one range.
For example: [^\w] should match - "not an alphanumeric character or underscore". This pattern will miss matching traffic.
00498694 All data types included in a Compound data type are matched on the same part. Therefore, if a Compound data type includes data types that scan different parts of a transmission, the data of transmissions will never be recognized as matching the Compound data type. You cannot create an operating Compound data type that connects one of these data types with a data type that searches the content of files, attachments, or email body:
  • Unintentional Recipient
  • External BCC
  • Mail with Attachment
00531747 Only administrators with Read/Write All permissions can be given additional DLP permissions to view confidential DLP information in the logs.
00521326 DLP does not inspect emails by IP address. DLP inspects only emails sent from My Organization. This includes:
  • The domains (and included sub-domains) defined for My Organization.
  • Addresses that belong to My Organization LDAP groups.
  • Internal Groups and Internal Users that belong to My Organization.
Specific users can be excluded from My Organization. Their emails will not be inspected by DLP.
00542806 Non-ASCII characters in vCalendar notification messages (generated by Outlook) will not be scanned by DLP.
00543974 If an archive file has more than 4 layers of subfolders, only the first 4 are scanned.


  1. Open the $DLPDIR/conif/dlp.conf file in a text editor.
  2. Change the value of 'max_recursion_level' to the number required.
    To block archive files with more layers than you scan, in the same file change the value of 'on_general_settings_violation' to 'prevent'.
  3. Install the policy on the DLP Gateway.
00546512 When installing a policy on an environment with DLP and other Security Gateways, the policy installation may fail with this error: "Policy installation for dedicated DLP Gateways should be done separately from other gateways"
When you install the DLP policy, make sure that only the DLP Gateways are selected for installation.
00548834 Installing the Check Point UserCheck client on Windows Vista and on Windows 2003 Server as a non-Administrator user causes a User Account Control (UAC) prompt, requiring Administrator privileges.
00551846 On Windows XP, Vista and Win7, the UserCheck client is installed for the current user only.
When you install UserCheck for the first time, first log in as a user without administrator privileges. If the UserCheck client is installed the first time by a user with administrator privileges, users without administrator privileges will not be able to install and run the UserCheck client.
00545610 For Regular Expressions that contain the following meta-characters in brackets, write the characters in Hex format:

( \x28
) \x29
* \x2A
+ \x2B
. \x2E
? \x3F
[ \x5B
] \x5D
| \x7C
{ \x7B
} \x7D
00547198 The DLP Gateway does not support Anti-Spoofing. After policy installation, this log should be ignored: "The Internal interface is not protected by the anti-spoofing feature. Your network may be at risk."
00546863 If the target web (HTTP) server is not available, the DLP Gateway may show "Unknown WWW Server" in the user's browser.
00546860 SecurePlatform WebUI shows an additional administrator named 'postfix' under 'Appliance' > 'Appliance Administrators' (or 'Device' > 'Device Administrators' for open server installation).
This administrator can be safely ignored.
00543975 When using the "Document based on a corporate template" Data Type, the data type will match similar files, even if the scanned file is in a different format than the uploaded file.
If the uploaded template file contains tables, it is recommended to improve accuracy by creating a Data Type for each of the formats to match: for example, both PDF and PPT.
00548292 If UserCheck is not running on the end user computer, upon an HTTP violation, the DLP page that provides the Ask User operations may not appear.
00548122 Data Owners must be either Internal Users or belong to an Internal Group. LDAP users or groups cannot be chosen to be Data Owners.
00547858 When the DLP Gateway activates or deactivates the failopen NIC, the events are not logged in SmartView Tracker or SmartView Monitor. To see the logs, open /var/log/messages on the Security Gateway:
  • Entering bypass mode: "Activating failopen NIC for <number> sections (<interface>)"
  • Bypass deactivated: "Deactivating failopen NIC (<interface>)"
00548910 On View Email on a DLP incident log, the "Failed getting the incident file from the gateway. It may be expired." message may appear.

It may indicate a connectivity issue. Check the following:

  1. Make sure 'Policy' > 'Global Properties' > 'Accept SmartUpdate connections' is selected.
  2. If you have a Log Server or SmartEvent Server not on the Management Server, then open the $FWDIR/lib/implied_rules.def file on the Management Server and change this line (inside the second 'accept_cprid' rule in this file):
    "src in management_list, dst in cp_NG_products_list, \"
    to:
    "src in management_list or src in log_server_list or src in event_analyzers_list, dst in cp_NG_products_list, \"
    (Important - keep the backslash at the end of the line.)
00544821 You can configure the DLP Gateway in bridge mode without an extra interface for management. However, to successfully pass installation, there must be at least 3 interfaces installed. During installation, when you select the management interface, select an interface that is not going to be part of the bridge. Afterwards, remove this IP address from the interface and configure the bridge interface to be the management interface.
00545758 Check Point Pattern Matching syntax for Negative ("match anything that is not the following") is the circumflex symbol. Currently, the negative, when used in brackets ([^ ]), causes the pattern to be dropped.
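Added example (not Check Point code): a small Python linter for DLP regular expressions that applies issues 00545610, 00542995 and 00545758 above. It rewrites metacharacters inside brackets to the hex forms listed for 00545610 and flags negated bracket expressions; the function names, the sample patterns and the PCRE-style bracket parsing are assumptions of this example.

```python
import re

# Metacharacters that issue 00545610 says to write in hex when inside brackets.
HEX_FORM = {c: "\\x%02X" % ord(c) for c in "()*+.?[]|{}"}
# Shorthand escapes that stand for more than one character range (issue 00542995).
MULTI_RANGE = set("wWdDsS")
# POSIX named classes such as [:digit:] are copied unchanged (assumption).
_POSIX_CLASS = re.compile(r"\[:[a-z]+:\]")


def _rewrite_class(pattern, start, out, findings):
    """Copy the bracket expression opening at `start` to `out`; return next offset."""
    n = len(pattern)
    i = start + 1
    negated = i < n and pattern[i] == "^"
    if negated:
        i += 1
    body_start, body, multi_range = i, [], False
    # A ']' in first position is a literal, not the terminator (PCRE-style rule).
    while i < n and not (pattern[i] == "]" and i > body_start):
        ch = pattern[i]
        posix = _POSIX_CLASS.match(pattern, i)
        if ch == "\\" and i + 1 < n:
            nxt = pattern[i + 1]
            multi_range = multi_range or nxt in MULTI_RANGE
            body.append(HEX_FORM.get(nxt, "\\" + nxt))  # \. -> \x2E, \w stays \w
            i += 2
        elif posix:
            body.append(posix.group())
            i = posix.end()
        else:
            body.append(HEX_FORM.get(ch, ch))           # .  -> \x2E
            i += 1
    if i >= n:
        raise ValueError("unterminated bracket expression at offset %d" % start)
    new_body = "".join(body)
    if new_body != pattern[body_start:i]:
        findings.append(("00545610", "metacharacter in brackets rewritten to hex"))
    if negated:
        findings.append(("00545758", "negated brackets: pattern is dropped"))
    if negated and multi_range:
        findings.append(("00542995", "negated multi-range class misses traffic"))
    out.append("[" + ("^" if negated else "") + new_body + "]")
    return i + 1


def lint_dlp_pattern(pattern):
    """Return (rewritten_pattern, findings); findings are (issue_id, message)."""
    out, findings = [], []
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "\\" and i + 1 < n:      # escape outside brackets: copy unchanged
            out.append(pattern[i:i + 2])
            i += 2
        elif ch == "[":
            i = _rewrite_class(pattern, i, out, findings)
        else:
            out.append(ch)
            i += 1
    return "".join(out), findings


def same_matches(original, rewritten, samples):
    """Check with Python's re engine that both forms match the same strings."""
    a, b = re.compile(original), re.compile(rewritten)
    return all(bool(a.search(s)) == bool(b.search(s)) for s in samples)


# Constructed sample patterns, not taken from any real DLP policy.
SAMPLE_PATTERNS = [r"ID[.:]\d{4}", r"[A-Z]{2}[(+]\d+[)]", r"acct[^\w]\d+", r"\[draft\]"]

if __name__ == "__main__":
    for p in SAMPLE_PATTERNS:
        fixed, notes = lint_dlp_pattern(p)
        print("%-22s -> %s" % (p, fixed))
        for issue, msg in notes:
            print("    %s: %s" % (issue, msg))
```

A pattern flagged with 00545758 or 00542995 has no hex rewrite that avoids the limitation; it needs to be expressed without the negated bracket expression.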
00545523 Configuration for only one proxy server is supported.
00549345 UserCheck client installation may fail if the name of the user that is logged in to the OS contains letters in a language other than English, and the OS system locale is configured to a different non-English language.
To overcome this issue: change the OS locale to the same language as the user name.
00551375 When adding or removing a bridge interface with Fail Open capabilities, or when changing a bridge interface from Fail Open to Fail Close (or vice versa), 'cpstop' and 'cpstart' are required on the DLP Gateway.
00559802 When scanning text, the DLP engine must identify the encoding of the text. In some files, such as text files written in notepad, the encoding is not included in the file header. When the encoding is not included in the file header, DLP assumes a default encoding. Refer to sk50284.
SYSCONFIG shows an error message when trying to set a host name that starts with a number:

"Error: Hostname contains non-ASCII characters.

Failed to set host."
CPD crashes during online update (e.g. Anti-Virus signatures, SmartUpdate, etc.) on StandAlone machine.
00650473 Memory leak in sft_db_classify module.
The output of the 'cphaprob -a if' command shows the name of the interface truncated.

High CPU load with error messages:

"fwindom: hash reset"
"BUG: soft lockup - CPU#0 stuck for 10s!"

See sk45036.

00732936, 00733468, 00733481, 00733485, 00787576, 00827602 Querying tree . (memory statistics) returns incorrect results. Refer to sk42811.
00644648, 00644649 Security Gateway crashes when running 'fw ctl tcpstrstat -p' command while IPS blade is disabled in SmartDashboard. Refer to sk64540.
When SYN Attack protection (SYNDefender) is enabled, valid connections are getting dropped.
00502732 Attachments cannot be sent when using Domino Web Access (iNotes) 8.5 as a Clientless Application with URL Translation.

Workaround: Attachments can be sent when using Hostname Translation.

00520300 The Authentication by Certificate Principal Name feature does not function properly.
00528449 In order to connect to SSL VPN using client certificate authentication, anti-virus should be disabled for SSL traffic.

To disable anti-virus:

  1. Open GuiDBedit.
  2. In the tables tree, select 'Table' > 'Other' > 'content security'.
  3. Select Global_AV_Settings.
  4. Find the properties: scan_connectra_portal & connectra_portal > infer_from_http_av_settings and set their values to 'false'.
  5. Save and install policy.
00410439 Before installing a new version of SSL Network Extender, it is recommended that users manually uninstall the previous version using the Windows 'Add/Remove Programs' Control Panel applet, and then reboot. Users can then install the new version by pressing 'Connect' in the SSL Network Extender window in the SSL VPN portal. This ensures optimum system reliability.
00534451 Due to a conflict of ports (443), SSL VPN and Integrity Management cannot be installed on the same SecurePlatform machine (open server or appliance).
00530163 SecureClient users with "auto connect" mode enabled cannot connect to an SSL VPN portal.
00535277 Secure Workspace is not supported for Windows 7.
00535975 Bridge mode is not supported on a gateway with the SSL VPN Blade enabled.
00532710 When accessed through file sharing applications, Office 2010 Word documents fail to open.
00537367 In the Link Translation settings, only one DNS name for a gateway is supported.
00537371 The Single Sign On option 'Always prompt user for credentials' does not work for File Share applications.
00537374 The advanced Single Sign On method 'This application reuses the portal credentials. If authentication fails, Connectra prompts users and stores their credentials' does not work for File Share applications.
00537376 When using the 'Save Draft' button in the 'Compose' screen, Webmail users may receive an error. To resolve this:
  1. In the email section, click the 'Options' link.
  2. Click the 'Folder Preferences' link.
  3. Under 'Special Folder Options', configure the Draft Folder to Drafts.
  4. Click 'Submit'.
00537395 When working with SSL Network Extender Network Mode inside Secure Workspace, traffic from outside the Secure Workspace routed through the SSL VPN gateway is also encrypted.
00537398 SSL Network Extender is not supported on Macintosh machines that have VPN-1 SecureClient installed. If both are installed, SSL Network Extender fails to connect.
00537402 Upgrading of SSL Network Extender Network mode sometimes requires a reboot of the user's computer. When using Secure Workspace, the message asking the user to approve the reboot may appear outside of Secure Workspace. If users are not allowed to switch between the secure and the regular desktop (configured in the Secure Workspace policy) and confirm the reboot, they must exit Secure Workspace and then reboot. Inside of Secure Workspace, users see a "Connecting..." message for a long time.
00537408 When the Downloaded-From-SSL VPN FTP client is configured to work in active mode, and SSL Network Extender Application Mode is used, the FTP connection does not open.

As a workaround, deselect 'Use active FTP' in the 'Connect' windows of the Downloaded-From-SSL VPN FTP client, and work in passive mode. Also deselect 'Multiple Connections'.

00522276 The connectivity test on the SSL VPN blade wizard fails if an initial policy is installed on a gateway.

Workaround: Install the policy, then run the wizard.

00537924 When enabling the SSL VPN Blade on a Load Sharing cluster, the Sticky-Decision Function (SDF) is also enabled. SDF automatically disables SecureXL functionality, a fact indicated by a message shown when a policy is installed.
00532727 SharePoint applications are only supported when Hostname Translation is the given translation method for the SSL VPN Portal.
00537462 To show the administrator message together with the credentials prompt on a web form (when Web Form SSO is turned on) you must select "Notify users that their credentials for this application are going to be stored". ('Login Settings' page of the 'SSL VPN application' > 'application properties' > 'Additional Settings' > 'Single Sign On' > 'Login Settings' section > 'Edit'.)
00535987 Citrix is not supported in Secure Workspace.
00537451 Allowed locations (configured in the 'Location' window of the 'User Property' object) are not enforced by SSL VPN.
00537424 When using the Downloaded-From-SSL VPN add-on FTP network application to connect to a Windows based FTP server, the files on the remote computers are not visible. The Downloaded-From-SSL VPN FTP client tries to work with "/" (slash), as the remote root directory even if configured otherwise at the connection parameters. Windows based FTP servers on the other hand, do not work with "/" as the root directory.

As a workaround, if the client machine runs on Windows OS, work with the native FTP. If the client machine runs on Macintosh/Linux, if users on client machines are able to work with SSL Network Extender Network Mode, use the native FTP client on the client machines. If using SSL Network Extender Application Mode, use a different FTP server which is not Windows based.

00537390 The connection will fail when an application is launched on the endpoint machine under these conditions:
  1. The application runs via the default browser.
  2. The application is configured to automatically start when SSL Network Extender is disconnected.
  3. The application is launched via the SSL Network Extender Application Mode client.
(Settings configured in the Edit Endpoint Application window: 'Native Application' > 'Endpoint applications' > 'Advanced: Edit' > 'Add/Edit'.)
00518890 When enabling the SSL VPN Blade on a cluster, the gateway's default settings for Office Mode change so that office mode uses IP addresses from a pool. For the new configuration to succeed, configure the IP pool for each cluster member.
00538696 Automatic Certificate Authentication (authenticateCertificateFirst) is not supported.
00546229 After you use SmartUpdate to install the SSL VPN package on a Security Gateway, run cpstop and cpstart commands on the Security Gateway before installing policy.
00537364 In the SmartDashboard SSL VPN tab, under Endpoint Security On Demand, changes to the 'Endpoint Compliance Settings' in the Endpoint Compliance page are not immediately reflected in the 'Level of Enforcement' column of the 'To what extent is Endpoint Compliance enforced on Applications?' table. Similarly, changes to the Secure Workspace Policy settings in the Secure Workspace page are not immediately reflected in the 'Level of Enforcement' column of the 'To what extent is Secure Workspace enforced on Applications?' table. To see the changes, go to another page, and then return to the original page.
00546088 After you install a server certificate on a Security Gateway (usually for SSL negotiations, the SSL VPN portal, SSL Network Extender, or Trac), you must install policy twice for the certificate to work.
00525258 If you have Windows 7 and use a Web browser that uses Java (for example, Firefox), SNX URL applications will fail to run.
Enabling R71 SSL VPN causes Firewall access control issue. Refer to sk44959.
ESOD scan is not performed after logout from Secure WorkSpace (SWS).
00545045 Connecting with L2TP clients may fail from a machine that also has SecureClient installed.
00545919 VPN Service Based Link Selection does not support service objects defined as a port range. In this scenario, only the first port number of the range will be considered.
00496009 Mobile VPN: Client certificate authentication is not supported for Secure Client Mobile in R71.

Workaround: To login to the VPN server using Secure Client Mobile, use the Username/Password authentication method.

00542356 When using Trusted Links, encrypt and decrypt logs are issued even though the traffic on the links is not encrypted.
00537464 ActiveSync with SecureClient Mobile: When the Web Intelligence protection 'HTTP Methods' is enabled in the IPS profile associated with SSL VPN, Microsoft ActiveSync synchronization with Exchange server fails. As a workaround, disable the 'HTTP Methods' protection.
00507772 When getting the topology of a Windows 2008 Server security gateway, the gateway may return additional non-existent interfaces of the type: IP, netmask. Manually delete these interfaces from the topology. Leaving them in might affect connections from remote access clients such as SecureClient.
VPN clients fail to connect; VPND process crashes. Refer to sk56380.
VPN certificate authentication fails with Crossbeam XOS 9 gateway. Refer to sk56920.
00520192 The R71 Security Management server cannot manage the legacy VSX products "VSX NGX" and "VSX NGX Scalability Pack", only VSX NGX R65 and above.
00536287 After you uninstall Performance Pack, the 'fw ctl affinity' command does not work because there is still a SecureXL task registered in the CPD process. To resolve this, manually run 'cpd_sched_config delete Sim_Affinity'. Afterwards the 'fw ctl affinity' command will work.
01445826 Traffic is not NATed as expected when SecureXL and IPS protection 'SYN Attack' (SYNDefender) are enabled. Refer to sk101892.
URL Filtering
00545938 In gateways lower than R71 version, "*" is not supported in a custom list in URL Filtering. From R71 and above, the "*" stands for zero or more characters of any kind. When pre- and post-R71 gateways are managed by the same management server, be careful when using "*" in URL definitions.
00662497 URL Filtering erroneously classifies sex education web sites as sexually explicit.
00737637 The Anti-Virus rejects URLs that end with a dot (".") when in Stream mode.
When URL Filtering is on, this message shows in the /var/log/messages file: "FW-1 - NULL context received". Refer to sk56381.
Security Management
Endpoint Security
00545252 When installing a Primary Security Management server and Endpoint Security Server on the same machine, you must choose the option: "Endpoint Security Server is a Primary Endpoint Security Server in standalone installation."
Do not install a Primary Endpoint Security Server in distributed installation, a Secondary Endpoint Security Server, or a Connection Point when installing a Primary Security Management server.
Endpoint Connect R73 fails to connect from Windows 7 when using certificate authentication.
00544224 If you are upgrading to R71 from Integrity 6.0 or 6.5 on Windows, when you are given the option to choose an Endpoint Security server, you must choose "Primary".
VTI topology is not configurable in SmartDashboard: cannot select network in 'VPN Gateway Properties' > 'Topology' > 'VPN Tunnel Interface Properties'.
Using the 'Get Interfaces with Topology' feature makes a duplicate Anti-Spoofing group of an already existing one, instead of creating a new one.
SmartView Tracker: when the URL Filtering blade is enabled, the URL shown in SmartView Tracker is truncated.
Policy verification fails when the license for monitoring is not installed on the SmartCenter and there is a Connectra object.
00518015 The Anti-Virus & Anti-Malware, Anti-Spam & Email, and URL Filtering Software Blades are not supported on IPSO 6. They are only supported on IPSO 4.2.
00537437 In SmartDashboard, non ASCII characters in usernames are not properly displayed. However, such names are authenticated correctly.
00542946 When the Anti-Virus & Anti Malware and URL Filtering blades are activated, legitimate FTP traffic over IPv6 is dropped.
00542948 When Proactive Detection is activated in the Anti-Virus and URL Filtering tab, legitimate HTTP traffic over IPv6 is blocked.
00528574 After establishing SIC or during policy verification, you might get an error message: "Incorrect reply from server. Command: private-db-dirty-check." The message can be ignored. Refer to sk44508.
On SmartDashboard, no warning shows when an object is created with a static IP address that is already in use. Refer to sk56385.
00609995 In SmartDashboard, when you click 'Get interfaces with topology', in the Object Properties window, for network behind interfaces, an error message shows: "Object with the name <object_name> already exists". Refer to sk59601.
00591655 "This Rule is disabled" tooltip pop-up shows when mouse is over NAT section titles.
Settings of the "Logs and Masters" tab are not kept for a cluster object.
SmartDashboard allows spaces in the name of Cluster Virtual interface. Refer to sk100470.
SmartEvent and SmartReporter
00526220 Improved stability of SmartEvent processes.
Reporter GUI crashes when trying to produce a report.
00537246 In the SmartEvent search field, use the mouse right-click paste option to enter text. The CTRL-V key combination does not function.
Scheduled report generation fails with "Failed to get licensing data" error message.
Wrong CPU usage on text/csv format report on SmartView Monitor.
00538383 R71 DLP Gateways are not supported by SmartUpdate. SmartUpdate actions, such as package distribution or "get gateway data", on an R71 DLP Gateway may cause unexpected problems.
00542244 When upgrading a Flash-based IP Series appliance with SmartUpdate, you cannot upgrade the IPSO 6.2 and the fw1 R71 packages at the same time with the 'Upgrade All Packages' command. You must reboot the appliance immediately after the IPSO 6.2 installation.

Workaround: Do the upgrade of each package separately in SmartUpdate with the Distribute command.

00545090 SmartUpdate might not launch Network Voyager. Possible reasons and solutions are:
  • SmartUpdate uses port 443 for the Voyager connection. A different port may have been configured on the security gateway. You can change the ssl port number used by the security gateway in clish. In Clish, use the following command: 'set voyager ssl-port 443'
  • SmartUpdate uses HTTPS as the Voyager protocol. You can configure the security gateway to use HTTP instead. You can configure the security gateway to use HTTPS by entering the following Clish command: 'set voyager ssl-level 40'
SmartView Monitor
00463609 SmartView monitor does not show connected Abra users.
SmartView Monitor shows no events in IPS Event Manager view. Refer to sk56383.
00614899 After implementing the Hotfix from Issue ID #00601235, the status of all of the cluster members shows as 'Active attention' in SmartView Monitor. Refer to sk59660.
00518290 When upgrading an R70.1 environment with SmartWorkflow enabled, there must be no SmartWorkflow sessions in-progress.
Cannot approve the SmartWorkflow session, even with administrator Read/Write permissions. Refer to sk56382.
00520264 Connecting a SmartLSM gateway that has already been connected to a management server, to a management server with a new IP address requires Reset SIC.

Reset SIC for multiple SmartLSM Gateways can be done with the LSMcli utility.

00644181 The provisioning status always shows 'UNKNOWN' for Security Management object, Edge objects and objects that have provisioning disabled.
Hide NATed traffic from internal Edge interfaces is not forwarded to a VPN tunnel if "Only external interfaces" is configured for the Edge's VPN domain in the Provisioning GUI.
Security Management Server
00546970 When using a Security Management server with DHCP, the IP address of a Correlation Unit is not updated when the IP address of the Security Management server changes. Its IP address is updated when you Install Database on the Security Management server.
Security policy installation on a UTM-1 Edge gateway fails if there is a group of services which contains another group of services as its member.
Other Platforms and Products
00519829 Due to hardware limitations and complexity of Sensor policy, a policy installation may take more than five minutes with certain Sensor configurations. This will result in a timeout and an appearance that the policy has failed when in fact it has likely succeeded.

Workaround: Configure the timeout manually in GuiDBedit Tool:

  1. Global Properties - 'properties' table - firewall_properties object
  2. Set the value of 'install_policy_timeout' attribute (must be set in seconds; maximal value is 10000).
Incorrect HTTP statistics are shown when the Anti-Virus is configured to block according to file size.
00499457 SIC initialization may be problematic with IPS-1 Sensors, causing Sensor machines to sometimes not be added to the SmartDashboard.


  1. Run 'cpconfig' and select option '(1) Secure Internal Communication'.
  2. Choose to re-initialize communication and reset the SIC key.
  3. Exit from 'cpconfig'. The SIC services should now restart.
  4. From the SmartDashboard, double-click the IPS-1 object from the drop-down list of network objects on the left-hand panel.
  5. Open the 'General Properties' tab and click 'Communication'.
  6. Select 'Initialize'.
  7. Install the policy.
00524497 After a policy push, the user configuration may not be completely loaded when traffic begins to flow through the device. As a result, network exceptions appear to be disabled.

Workaround: Wait for about sixty seconds. These network exceptions will then become active as the configuration completes loading.

00518418 When a pre-R71 Security Gateway resides between an IPS-1 sensor and a Security Management Server, define rules to allow traffic between the IPS-1 sensor and the Security Management Server.
00550114 Certain IPS exceptions may cause policy installation to fail if they are installed on an IPS-1 sensor. The problematic exceptions are those that include a service that does not have TCP or UDP ports, such as ICMP or SIT. These services have a ?? icon in SmartDashboard.
00540930 To upgrade a Smart-1 appliance running Provider-1, you must use the R71 Provider-1 CD.
  1. Connect a USB drive with the CD to the appliance or mount it through the Smart-1 LOM card (browse to the LOM card and choose "Mount ISO" in the remote console screen - the ISO can be anywhere on your network or desktop).
  2. Boot the appliance.
  3. Perform the Provider-1 upgrade as described in the Installation and Upgrade guide for this release.
  When you upgrade a Smart-1 machine to R71 with the 'Run PUV only' option selected, after the PUV finishes running there will be an indication that the upgrade failed. You can safely ignore this message. If any problems occur, you will see them in the PUV output and logs.
00538212 Safe Upgrade is not supported when:
  • Upgrading to R71.
  • Upgrading from R71 to later versions.

When upgrading a Check Point appliance from NGX R65 to R71 with SmartUpdate, the automatic image created before the upgrade process does not work from the WebUI.

Workaround: To revert to this automatic image, use the boot menu.

SecurePlatform e1000 NIC settings (speed/duplex) cannot be saved from WebUI or ethtool. Changes do not survive reboot. Refer to sk34154.
SecureClient connection to the gateway is reported as Endpoint Connect in the Security Gateway logs. Refer to sk56386.
Clientless VPN with Internet Explorer 6 does not work with SSLv2. Refer to sk56390.
00447591 Domain objects are not supported for UTM-1 Edge appliances. If the policy includes domain objects, remove them and then install the policy again.
00543792 If you have a UTM-1 Standalone configuration that you want to reconfigure to be a Locally Managed UTM-1 cluster, disable Office Mode before reconfiguring it. This prevents problems with the database. After you have reconfigured the machine, you can re-enable Office Mode.
IPSO Gateway is set to Problem state after installing Security Policy.
00511865 Before upgrading an IPSO Security Management Server to R71, see sk44539.
00546777 To reduce the memory usage of a Security Management Server on IPSO 6.2, restart processes using the cpstop and cpstart commands before connecting with SmartDashboard.
IPSO Gateway crashes when FloodGate-1 (QoS) is enabled.
00545278 The Networking part of the Hardware Diagnostics procedure on the DLP-1 9071 appliance is not supported.
DLP-1 Appliances: In DLP-1 9571, 10GbE NIC cannot be used in the expansion slot 1 (the right expansion slot) when expansion slots 2 and 3 are occupied.
00546007 The WebUI of DLP-1 3071 and DLP-1 9071 appliances shows UTM-1 and Power-1.
Red Hat Linux
Before installing a Security Management Server on RHEL 5.0, the IP address of the server must be added to the /etc/hosts file.
00549129 When installing R71 on a clean Windows machine, the default directory used for installation in the Typical Flow is the C:\ drive. On a Windows machine that does not have a C:\ drive, select the Custom Flow option during the installation so that you can change the default target directory.
00546169 When downgrading a Security Management Server on Windows from R71 to R70, reboot after the downgrade and run the 'post_uninstall_handler.exe' utility manually.
This solution is about products that are no longer supported and it will not be updated
