When active data connections are initiated by the Server, the connections may be incorrectly logged as initiated by the client.
SmartCenter, MDS Log server
HFA 01
00352292
When the Gateway NAT assigns a higher source port than contained in the original request, Windows Personal Firewall blocks legitimate DHCP OFFER packets. Resolution: Enhanced NAT processing ensures legitimate DHCP OFFER packets pass correctly.
Gateway
HFA 01
00353919
When using Static NAT on Solaris platforms, ARP tables may contain the incorrect MAC address.
Gateway
HFA 01
/
When using an R6x SmartCenter server to manage R5x VPN-1 Gateways with Remote Access Communities, the SmartCenter server does not warn the administrator that R5x gateways do not support "Drop" rules for traffic coming from a VPN Remote Access Community. This is now fixed. For further information please see sk33644. Resolution: We now fail policy installation in case of such a misconfiguration.
SmartCenter
HFA 01
00354588
When installing policies using dynamic objects and NAT, there might be stability issues.
Gateway
HFA 01
00348332
Legitimate email messages are incorrectly identified as malformed MIME error and dropped.
Gateway
HFA 01
00353015
When the SmartDefense Header Rejection defense is on, activating debug traces may cause gateway instability. Resolution: Improved stability for use of SmartDefense and debugging.
Gateway
HFA 01
00354637
If the Rule Base contains an SMTP resource, the MDQ process fails to start. Resolution: Improved rule checking ensures that the MDQ starts correctly.
Gateway
HFA 01
00352717
Requested additional FTP support for epsv and eprt in IPv4.
1. Install first on Gateway, then on SmartCenter. 2. On the server, replace updated files. For details, see sk33402.
HFA 01
00354854
If an FTP packet contains certain characters, the packet may be incorrectly modified. Resolution: All FTP packets are now passed correctly.
Gateway
HFA 01
00351280
When the MDCX command of MGCP is used to connect the RTP media streams, RTP connections may be inappropriately dropped.
Gateway
HFA 01
00360695
MGCP RSIP packets are dropped when there is white space in the header. Error message in debug: Invalid format of EndpointID field. Resolution: Enhanced MGCP parser ensures RSIP packets are correctly passed.
Gateway
HFA 01
00354405
Opening multiple concurrent HTTP connections may result in gateway instability. Resolution: Multiple HTTP connections can now be opened.
Gateway
HFA 01
00369859
During Automatic Update for Anti Virus updates, issues with memory may result.
SmartCenter
HFA 02
00370270
When a Logical Server is configured as type Other, connectivity issues may result. Resolution: Connectivity issues have been fixed for servers of un-predefined types.
Gateway
HFA 02
00362313
When SmartDefense is in Monitor-Only mode, DCERPC traffic may be incorrectly dropped. Resolution: Allow-Traffic rules have been improved to ensure that traffic is not dropped in Monitor-Only mode.
SmartCenter
HFA 02
00376604
On SecureXL devices that do not support TCP_STATE_DETECT_V2, accelerated connections are not lowered to their TCP END timeout, causing the Connections table to be flooded with redundant entries. Note: To find if the device supports the feature, run fwaccel stat. Resolution: Enhancements to SecureXL ensure that TCP packets are correctly timed out.
Gateway
HFA 30
00408032
Firewall may experience stability issues due to memory leak. Resolution: Specific memory leak fixed, memory allocation enhanced, and added allocation checks.
Gateway, SmartCenter
HFA 30
00383130
There may be inefficient memory use while using User Authority. Resolution: Improved memory usage for User Authority.
Gateway
HFA 40
00371333
When using External User Profiles with domain names associated with a TACACS server, and the feature Omit Domain Name when authenticating users is selected, the gateway still sends the domain name to the TACACS server and authentication fails. Resolution: The desired login name, instead of the full user name, is sent to TACACS.
Gateway
HFA 40
00376396
Content filtering does not work with a real license for 25 hosts.
SmartCenter
HFA 40
00379416
Policy installation fails on gateways when rulebase_uids_in_log is set to true. Message displayed: Installation failed. Reason: Load on Module failed - no memory. Resolution: Improved handling of rule IDs and tables.
Gateway
HFA 40
00431788
After installing a policy, the default policy is installed, rather than the selected policy.
Gateway
HFA 40
00374589
Due to insufficient buffer space, policies may sometimes fail to push to a large number of gateways. Log messages may show "Connection buffer overflow". Resolution: Improved memory allocation and modified cpmi server connection buffer limit.
Gateway
HFA 40
00426932
POP3 and SMTP content inspection is not enforced. Resolution: Improved firewall procedures ensure that inspection is enforced.
Gateway
HFA 40
00378571
When one source makes two VoIP connections, the second connection cannot be established. Resolution: Improved method of identifying connections in kernel tables.
Gateway
HFA 40
00374502
SIP connections may be regularly dropped with the error: "Number of reinvites exceeded the limit". Resolution: Added sip_expire parameter to enable users to customize how much time a registration request should take. (See sk26202).
Gateway
HFA 40
00380750, 00380772
After installing NGX R65 HFA 02, the IPv6 module does not load if enabled.
Gateway
HFA 40
00439945
Resources are used even if Mail Security features are disabled. Resolution: The Messaging Security daemon is not activated if Messaging Security features are disabled on the SmartCenter server.
Improved stability upon resolving a system resources (sockets) leak that sometimes occurred during policy installation if there were open connections to multiple RADIUS servers.
Increased stack size resolves the issue of installation failure of a large policy on a gateway that displayed the following error: "Kernel fw-1 fwloghandle_register_string: unable to put entry into table policy push failed."
Policy verification and installation now displays a warning when DNS verification is disabled and NAT for DNS payload is enabled. Refer to sk34295 for details regarding these DNS features and their configuration.
SmartCenter
HFA 50
00417338, 00416789
Improved performance due to resolving an excessive memory consumption issue when using an MDQ security server.
H.225 packets are no longer dropped with a "Malformed H.225 packet" log message when the GenericH235SecurityCapability field is included in H.225 message.
Gateway
HFA 50
00427808, 00409120, 00423877, 00443304
Calls can now be established when calling a SIP user extension of a SIP phone that is registered with the full extension. Implementation: In SmartDashboard, go to the SmartDefense tab and select Application Intelligence > VoIP > SIP > SIP Custom Properties. Configure the "SIP user suffix length" parameter to the length of the extension number.
Gateway
HFA 50
00433044, 00432381, 00444731
SIP instant messaging over SIP traffic is now supported by the firewall.
Gateway
HFA 50
00437032, 00436021, 00497557, 00499029
Enhanced connectivity when media servers are in an internal network and NAT is defined for SIP traffic.
SIP traffic is now accepted when the 2xx response is sent to a port other than 5060. Please note that you must define sip and sip_dynamic_port as services in the rule.
RTP packets are now accepted by the gateway when using the SCCP protocol. The problem was resolved by allowing RTP connections in both directions.
Gateway
HFA 50
00432308, 00432184, 00432307, 00443309
SIP calls are now correctly established and disconnected when the same phone number is registered with the SIP proxy, from two different IP addresses. This behavior is typical in some implementations of "executive-secretary" features.
The unnecessary and harmless error message "fwha_df_mod_voip_sip: pkt is not SIP" is now printed to the error log file only when the relevant SIP debug level is turned on.
Gateway
HFA 50
00411356, 00350984, 00410477, 00411353, 00412330
The gateway now correctly registers SIP phones that switch to a different proxy.
Gateway
HFA 50
00376830, 00376325, 00407067, 00495206
URL Filtering now successfully blocks the Sports category.
Improved stability of the HTTP security server when using URL filtering. This protection now verifies that the session exists prior to performing the designated action.
New kernel parameters for enhanced control of SCCP packets. This fixes an error that was seen when SCCP packets of larger than 1000 bytes were sent: "Malformed SCCP packet - message length exceeds the limit of 1KByte". To change the limit of the packet size, set the sk_len_limit kernel parameter to the relevant value.
Gateway
HFA 60
00438719, 00438125, 00466062, 00467056, 00499646
With an FTP Security server (when a rule uses ftp resource, or Anti-virus for ftp), the firewall consistently opens the data connection to the FTP client on port 20.
Gateway
HFA 60
00448962, 00447240
H.323 traffic is now passed correctly; fixed "Malformed H.225 message" error.
Gateway
HFA 60
00442822, 00441870, 00496981
UDP packets with IP option of type NOP or EOL are dropped by firewall, by design. (Drop error: "options not approved"). This HFA provides a new kernel parameter, allowing you to change the behavior of the firewall, to pass these packets. To enable UDP packets with NOP and EOL IP options to pass, change the value of the asm_allow_ipopt_on_udp kernel parameter to 1.
Improved performance of firewall on Crossbeam by enabling logs to be held locally, rather than transferred to a flash filesystem that is not always accessible.
Improved stability of FWD process while handling logs.
Gateway
HFA 60
00519772, 00520249, 00520302, 00525292, 00522039
Improved stability in fwd during process initialization.
MDS and SmartCenter
HFA 70
00506253, 00506254, 00404877
The firewall can be configured to allow a SIP (Session Initiation Protocol) connection to continue despite receiving a SIP CANCEL request by setting the kernel parameter sip_accept_session_after_cancel to 1.
Gateway
HFA 70
00505513, 00423573
Improved stability of fwd CPU usage during cluster-related operations.
Improved stability of fwd during log purge operations.
MDS, SmartCenter server, and Gateway
HFA 70
Management
00350188
After a version upgrade, Clientless VPN on Cluster may fail to function properly. Resolution: Clientless VPN properties are now correctly added to member objects when a cluster is created, ensuring proper functionality of Clientless VPN on Clusters.
SmartCenter
HFA 01
00364123
SIP methods filtering defense cannot be deactivated through Profile Management. Resolution: SIP methods have been added to the Deactivated Profile list.
SmartCenter
HFA 01
00361496
If an attempt to create a new object fails, the fwm process may cause a memory leak.
SmartCenter
HFA 01
00363645
In Management High Availability, when a failover occurs, VPN-1 UTM Edge devices may fail to reconnect to the Secondary member.
SmartCenter
HFA 01
00361573
Cannot change admin password from SmartDashboard. Resolution: Improvements in password encryption methods and password creation requirements allow the admin password to be changed.
SmartCenter
HFA 01
00336004
For clusters only, Deployment Status information is not available in SmartDashboard. Resolution: Status information has been enhanced for clusters: if all members have the same status, this is the displayed status; otherwise, the status information will display information by priority. For example: an error from a member, a notification that not all members are installed, and so on.
SmartCenter
HFA 01
00354328
SmartUpdate cannot enable more than 20 packages. Resolution: Increased the package limit to 40.
SmartCenter
HFA 01
00364344
Issues with verification of upgrade, due to an unnecessary contract validation.
SmartCenter
HFA 01
00340782
SmartLSM: Performance issues with a large quantity of SmartLSM (ROBO) VPN-1 UTM Edge clients.
SmartCenter
HFA 01
00354741
SmartView Monitor: Real time monitoring causes gateway instability in rare instances.
Gateway
HFA 01
00374179
The upgrade_export and upgrade_import utilities may cause instability issues.
SmartCenter
HFA 02
00373630
The cpca and fwd processes may experience stability issues or display an error message: "Unable to contact Certificate Authority on the Management Station".
SmartCenter
HFA 02
00367125
Check Point NGX R65 with Messaging Security is not supported on Windows Vista or Windows 2000. Resolution: Check Point NGX R65.3 SmartConsole now supports NGX R65 with Messaging Security on Windows Vista. Workaround: If no other Plug-in is installed on the SmartCenter server, and the SmartConsole is on Windows Vista or Windows 2000, you must replace the plugin_metafile.C on the SmartCenter server. See sk35317 for details.
SmartCenter
HFA 30
00417050
Check Point NGX R65.3 SmartConsole is not supported on Windows Vista when VSX NGX Plug-in is installed on the SmartCenter server. Workaround: If no other Plug-in is installed on the SmartCenter server, and the SmartConsole is on Windows Vista or Windows 2000, you must replace the plugin_metafile.C on the SmartCenter server. See sk35317 for details.
SmartCenter
HFA 30
00374619, 00354298
Management HA: In specific scenarios, there are issues with policy installation and notification if a policy did not install.
Debug messages (whether the result of an error or purely informational) now appear only in Debug mode.
Gateway, SmartCenter
HFA 50
00444877, 00444646, 00466573, 00466574
The command line function fwm was improved to recognize the correct database for Log Export, when running from a gateway or on a Provider-1 MDS.
Gateway
HFA 50
00428382, 00428005, 00428383, 00428420
Users can successfully connect to a SmartCenter server. The "Too many open files" error message no longer appears when opening SmartDashboard.
SmartCenter
HFA 50
00407978, 00404910
SmartCenter server license handling has been updated to recognize the Connectra Load Sharing Cluster built-in license. Previously, license verification on Connectra SmartCenter server failed.
Improved resource allocations on the SmartCenter server prevent memory leaks from being created if cpmistat is run in a script on the SmartCenter server to query for status.
SmartCenter
HFA 50
00440324, 00433157, 00494111
New gtar copies can now be placed in $CPDIR/bin/ to be utilized for Database revisions, while leaving $CPDIR/util/gtar intact, preserving the integrity of HFA installations. Implementation: To obtain a new gtar file, contact your Sales representative or Check Point Technical Services. Place the new gtar file in the $CPDIR/bin/ directory.
SmartCenter
HFA 50
00445927, 00445813, 00445928
Log forwarding has been enhanced in R65_HFA 50. This can correct the issue on SmartCenter servers with R65_HFA 30 on Windows platforms where the forwarding of log files sometimes failed.
Enhanced stability for FWM process to handle corruptions in Thresholds table.
MDS or SmartCenter server
HFA 60
00504024, 00499473
SmartUpdate now allows an unlimited number of packages to be installed on a gateway.
MDS or SmartCenter server
HFA 60
00443001, 00442874, 00442996, 00443471
SmartView Monitor provides improved gateway status information, fixing scenarios where the information could not be retrieved, due to enhanced communications between server and gateway.
MDS or SmartCenter server
HFA 60
00465326, 00464693, 00493501
Improved stability of the cpd process.
MDS and Gateway
HFA 60
00423122, 00506350
Users with policy download permissions also have permissions for database revision control.
MDS and SmartCenter
HFA 70
00425024, 00428599, 00506389
A standby CMA or MDS can renew its SIC certificate.
MDS
HFA 70
00414727, 00416543, 00506880
When changing the color of a group object, the chosen color is saved and will display correctly even after reopening SmartDashboard.
MDS and SmartCenter
HFA 70
00500350, 00504065, 00504978
The $FWDIR/conf/ipassignment.conf file will no longer be overwritten during synchronization of a UTM-1 cluster in High Availability.
Enhancements to management (fwm) fixed memory leak which occurred during certain user management operations.
MDS and SmartCenter
HFA 70
00510703, 00520227, 00530447, 00520287
Enhancements to management (fwm) fixed a memory leak which occurred when viewing a database revision in a CMA.
MDS
HFA 70
Provider-1
00350237
In some cases, MDS cannot restore backup files greater than 1 GB.
MDS
HFA 01
00346194
Audit logs for Plug-in operations do not show the complete administrator name.
MDS
HFA 01
00347983
When activating or deactivating a Plug-in, error messages may appear for other Plug-ins that were not activated on the CMA.
MDS
HFA 01
00353007
When attempting to add a license to the MDS through the MDG, an Invalid License message appears.
MDS and MDG
HFA 01
00350749
When creating license-contract links for a large system with many licenses, the MDS may seem to pause for a number of minutes.
MDS and MDG
HFA 01
00362932
When enabling a CMA session description, the MDS fails to connect to the CMA. The CMA is shown as Stopped on the MDG.
MDS
HFA 01
00351783
When performing simultaneous virtual system updates on VSX gateways managed by one CMA, the first update stops responding.
MDS
HFA 01
00346835
Sometimes after launching SDB or SVM, or after assigning a global policy, the server appears to be busy. This makes the client unusable for a number of minutes.
MDS
HFA 01
00348539
Traffic is not always encrypted between VS devices and the firewall.
MDS
HFA 01
00373367
CMAs may not be uploading the Anti Virus policy onto VPN-1 UTM Edge.
MDS and CMA
HFA 02
00369663
Provider-1 administrators may not be able to authenticate using TACACS/RADIUS.
MDS
HFA 30
00380298
Security Policies on gateways cannot be installed if rules for encryption are defined. Error in log file: "No license for encryption".
MDS
HFA 30
00406861
Issues with connecting to RADIUS/TACACS servers.
MDS
HFA 30
00406875
Because of issues with licenses, policies with rules for encryption or rules that contain IPv6 objects cannot be installed in Provider-1.
MDS
HFA 30
00371769
Bond interfaces on RHEL3 may fail if there are duplicate IP addresses for different interfaces.
The number of allowed users for SSL Network Extender licenses is now calculated correctly according to the number of licenses on each relevant CMA, rather than the number of licenses on the MDS.
MDS
HFA 60
00467051, 00440147, 00442116, 00467052
Enhanced Log Forwarding mechanism to provide greater stability of fwd process.
MDS and Log Server
HFA 60
00447109, 00445956
Improved handling of firewall processes provides increased stability of Provider-1 when performing an Activate Plug-in operation.
Enhancements to the SIC functionality resolve the issue of Provider-1 behind static NAT sometimes being unable to open the MDG.
MDS
HFA 50
00521291, 00527965, 00504674, 00508091, 00520916
Enhancements to Management (fwm) fixed a memory leak which occurred during synchronization between CMAs in High Availability.
MDS
HFA 70
00504867, 00504316, 00504865
After deleting a global object which is in use by a local rule, a message will appear during global policy installation showing the rule numbers of the local rules that are affected.
MDS
HFA 70
00528446, 00505054, 00505939, 00508096, 00527958
Improved stability of management (fwm) during license related operations.
Improved performance for queries against the Provider-1 database.
MDS
HFA 70
VPN
00346299
If peers are using certain non-Check Point encryption algorithms, connectivity issues may result for L2TP users on Windows Vista-based clients. Resolution: IKE validation procedures now allow Windows Vista L2TP clients to connect to Check Point VPN-1 gateways.
Gateway
HFA 01
00383256
If remote access connections are maintained during policy reload, they may cause traps and packet loss.
Gateway
HFA 30
00367354
Error on VPN initialization.
Gateway
HFA 30
00376292
The vpn tu command does not provide an option for IP address. Resolution: Added option to this command: after entering this command, the user is asked for the IP address.
Gateway, SmartCenter
HFA 30
00406283
Collision between internal IP address of VPN Remote Access Client (using SecureClient, SecuRemote, or SSL Network Extender) and an IP address in the encryption domain causes traffic meant for the internal IP address to be incorrectly transferred to the Remote Access Client. Resolution: If this IP address collision occurs, new connections to this IP address are sent to the IP address in the encryption domain, mitigating security threats associated with IP collision. For more details, see sk34579.
Gateway
HFA 30
00406806
After changing the authentication method from username/password to RADIUS ActivIdentity, SecureClient users disconnect every few minutes.
Gateway
HFA 30
00404891
After changing the authentication method from username/password to a RADIUS ActivIdentity server, the vpnd process may fail, and the SecureClient user disconnects every five or ten minutes.
Gateway
HFA 40
00431488
In VPN clusters, after a failover in a cluster with SXL enabled, if the new active gateway is a SmartLSM Remote Office/Branch Office gateway, the connection will fail.
Gateway
HFA 40
00406530, 00406411
Improved stability of an IPSO VRRP when an attempt to connect using visitor mode occurs.
Modifications have been made in the VPN kernel notifications sent to a SecureXL device regarding relevant SPIs, to ensure it receives valid SPI or MSPI updates.
Gateway
HFA 50
00436631, 00436247
When using IP Pool NAT with multiple public IP addresses, the fwx_cntl_dyn_tab table reaches its maximum limit of 25000 entries.
Workaround: To increase the number of entries:
1. Open $FWDIR/boot/modules/fwkern.conf on the gateway.
2. Add the lines:
   fwx_max_cntl_dyn=<xxxx>
   fwx_hash_cntl_dyn=<yyyy>
   where <xxxx> is the new maximum limit and <yyyy> is the new hash size.
3. Reboot.
4. Install policy.
5. Run fw tab -t fwx_cntl_dyn_tab to verify that the #VALS value has changed to the new limit.
Gateway
HFA 50
00447032, 00445761, 00447027
Improved memory usage when Route Injection Mechanism (RIM) is enabled on a VPN community.
Gateway
HFA 50
00373952, 00373366, 00428752, 00431084, 00431780
Improved SNX stability when interacting with the security gateway or hosts behind it. The VPND process no longer terminates unexpectedly.
Gateway
HFA 50
00375138, 00426299
The satellite Gateways now see routes on the central Gateways. Previously, in a star VPN community, where the central Gateways were meshed and the satellite Gateways were members of a mesh VPN community, when MEP was enabled in the star community and RIM was enabled in both communities, some of the satellites did not see the central Gateways' routes.
Gateway
HFA 50
00369124, 00368895
PMTU discovery has now been disabled on the socket that handles IKE over UDP. Previously, VPN between different networks failed to complete the IKE negotiation when a router with a low MTU passed traffic between them. An ICMP type 3 code 4 message was generated. Fragmentation was required on the packets but the "don't fragment flag" was set.
Gateway
HFA 50
00376384, 00375772, 00436692
To ensure correct routing, the MEP routing table now contains all the names of the cluster members. Previously, in a Star VPN community, where ClusterXL was meshed with a regular NGX R65 Gateway, routing failed if satellites were encrypting to the cluster via the regular Gateway.
A VPN tunnel only opens to the MEP gateway that was configured as "Allowed Peer Gateway" in the encryption rule. Previously, when two or more MEP gateways were configured using Traditional Mode (in a fully overlapping encryption domain), and a rule was created that allowed a VPN tunnel to be created only with one MEP gateway, RDP packets were still sent to all MEP gateways, enabling the VPN peers to open a tunnel with available MEP gateways.
Gateway
HFA 50
00441660, 00438511, 00441662
When trying to open a return connection to a remote VPN peer running SecuRemote or SecureClient (without office mode enabled), the connection is now accepted by the gateway.
Gateway
HFA 50
00496029, 00410051, 00417632, 00450301
Improved NAT-T connections between SecureClient and ClusterXL in Legacy mode, to correctly recognize the cluster interface for Main Mode packet 4 with NAT-D payload. This fixes the issue that resulted in a "Payload Malformed" error.
Improved IKE to IP address mapping to provide a relevant IPsec SA to packets after the mapping has been changed.
Gateway
HFA 60
00496911, 00436874, 00496976
When a route-based VPN community is defined between a gateway and an Edge appliance, the VPN tunnel persistence is maintained after restarting the firewall (cpstop and cpstart).
Gateway
HFA 60
00415544, 00415371, 00496978
In an environment with multiple tunnels between two gateways, and multiple IKE SAs for each gateway, the "vpn tu" command now correctly displays the relation between the IPSEC SAs and the IKE SAs when printing IPSEC SAs list.
Gateway
HFA 60
Endpoint Connect
00421195
The Endpoint Connect client cannot be configured to use the Challenge Response authentication method.
Gateway
HFA 40
Advanced Dynamic Routing Suite
00379773
Added support: cpvinfo for binaries and various improvements for protocol support and Check Point product integration.
Gateway
HFA 40
00379923
On AMD-based machines, OSPF may experience stability issues, due to issues with the CPU timer. To implement this fix: In $ADVRDIR/gatedwd, replace gated -N -r with gated -N -r -A
Gateway
HFA 40
00379913
After installing a policy on a VPN-1 gateway, connectivity may fail for a few seconds due to an incorrect OSPF negotiation.
Gateway
HFA 40
00379930
Large Join/Prune PIM messages may not be fragmented and therefore be too large to pass the interface and be dropped.
Gateway
HFA 40
00379935
BGP (Border Gateway Protocol) in some topologies may be unable to resolve a specific route, disabling further operations.
Gateway
HFA 40
00379910
In a Dynamic Routing configuration between an Edge device and an Advanced Dynamic Routing Suite gateway, the Dynamic Routing gateway incorrectly forwards the Edge VTI address as the next hop.
Gateway
HFA 40
00379928
Improved unicast route synchronization between different cluster members.
Gateway
HFA 40
ClusterXL
00349144
The Load Measurement Interval parameter has no effect on the load balancer.
Gateway
HFA 01
00350795
When attempting to perform a full synchronization to an unresponsive member, gateway instability may result on rare occasions.
Gateway
HFA 01
00354909
If the maximum allowed number of full sync attempts is reached, cluster member kernel tables are not updated and the VRRP member fails to perform a full synchronization following reboot. Resolution: Increased the maximum allowed number of full sync attempts.
Gateway
HFA 01
00370323
After rebooting a non-pivot member, there may be connectivity issues if the routing synchronization process started before all cluster configuration was done.
Gateway
HFA 40
00361891
After installing a policy, there may be connectivity issues if GateD OSPF routes are re-established. Resolution: GateD OSPF routing processes are not re-done after policy installation.
Gateway
HFA 40
00430032, 00429844
The 'cpstat ha -f all' command now shows cluster interfaces correctly in the 'Cluster IPs table' and the 'Sync table'.
In High Availability mode, if failover occurred while running a ping command to the cluster IP, the newly selected active member failed to answer the ping request. The ping was recorded as a connection that belongs to the member that was active at the time. Now, following failover, the newly selected active member rejects the first ping request it receives, but the next ping request is recorded as a new connection to this member.
Gateway
HFA 50
00417325, 00417247, 00417327, 00434339, 00464639
In SmartView Monitor, on ClusterXL gateways running on Solaris, the interface table now displays correctly.
Forwarded MAC addresses are now unique for every cluster member. When two pivot mode clusters are connected to the same switch, pivot forwarded packets are forwarded to the correct port.
Cluster member gateways
HFA 50
00408983, 00408720, 00445403
Improved connectivity and handling of the firewall ensures that acceptable VPN connections for HTTPS, when clientless VPN is used in a Check Point NGX R65 cluster, are accepted.
When installing policy on an IPSO cluster, the pnotes (Problem Notification) may time out and failover may occur. The default 60 seconds before failover should be increased. Implementation: To change the default timeout from 60 seconds, set the kernel parameter fwha_pnote_timeout_during_install_policy to a higher value in milliseconds. Refer to sk36647.
Gateway
HFA 50
00434468, 00418653, 00433545, 00443770
To ensure stability, modifications were made to the pnotes mechanism to keep the pnotes timeout higher during policy installation on an IPSO cluster.
Stability has been enhanced so that a large policy installs successfully without ClusterXL failover.
Gateway
HFA 50
00379049, 00376340, 00411386, 00437245
The gateway now checks each occurrence of packets whose source IP addresses end in 255 to determine whether they are broadcast addresses, before automatically dropping them.
Gateway
HFA 50
00431119, 00430476, 00434476, 00443272, 00447913
When using a cluster, DNS responses may be dropped, as in some instances, certain DNS servers do not send the DNS question header in the DNS message response. In ClusterXL, it is not required to verify that the DNS question header is in the DNS message response. Do not use this resolution for third party clusters. Implementation: To set this functionality, set the kernel parameter, fwdns_verify_session_id_no_cksum, to 1.
Gateway
HFA 50
00496596, 00418374, 00419982
ClusterXL, configured in Load Sharing mode with Performance Pack turned on, now handles the load for policy installation properly; previously both members were processing same traffic.
Gateway
HFA 60
00506325, 00506327, 00506407, 00336356, 00405735
In ClusterXL Legacy mode, only the Active machine will reply to ARP requests sent by the Server on a non shared VLAN interface.
The Firewall allows more than 63 disconnected interfaces for ClusterXL.
Gateway
HFA 70
SmartDefense
00355802
Improved handling of unicode characters in Web Intelligence protections.
Gateway
HFA 30
00367357
Spoofing vulnerability in DShield.
Gateway
HFA 30
00426827
When attempting to launch an HTTP page with Connectra CM, marking/unmarking a Web Intelligence protection has no effect. Note: The fix is applied the next time Web Intelligence protections are marked or unmarked.
SmartDefense rejects Domain_tcp traffic larger than 4096 bytes and generates the error message "dns_process_data: failed to reallocate buffer for length" in the kernel debug results. Implementation: By default, the DNS buffer is set to 4096 bytes. To accommodate DNS traffic larger than the default buffer length, the dns_max_tcp_data_len parameter can be increased up to 32000 bytes.
String search of SmartDefense packets in SmartView Tracker now correctly handles issues that would return an Internal Handling error if the packet was too small to hold the string.
Gateway
HFA 60
00427013, 00426431, 00427359, 00433544
Web Intelligence Anti-virus improved for web page loading; previously certain pages were not refreshed well.
Improvements to LSMcli better manage modifications to dynamic objects.
MDS
HFA 70
Infrastructure
00381300
Error is seen in log fix: "max resolving requests reached - out of memory".
Gateway, SmartCenter
HFA 30
00377080
Memory issues are sometimes experienced, due to incorrect file handling.
Gateway, SmartCenter
HFA 30
Eventia Reporter/Analyzer
00347746
Analyzer: During an advanced upgrade, the user-defined events are duplicated. Resolution: After installing this HFA, import the configuration files from the advanced upgrade.
SmartCenter
HFA 01
00364922
Analyzer: After upgrading Eventia Analyzer NGX R63 to NGX R65, dynamic upgrades do not appear. Note: This HFA eliminates the need to use the manual fix detailed in sk32690.
SmartCenter
HFA 01
00354788
Analyzer: When displaying events with a service filter, the Analyzer client disconnects from the Analyzer server.
SmartCenter
HFA 01
00364284
Analyzer: Events database takes up all available disk space. Resolution: When the database reaches its disk space threshold (2GB), events are kept on the Correlation Unit until space is freed on the Analyzer server. Note: If there is not enough available disk space on the machine, move $RTDIR/events_db/events.sql to another machine.
SmartCenter
HFA 01
00354791
Analyzer: If report generation is interrupted, performance of the SmartCenter server is affected.
SmartCenter
HFA 01
00354950
Analyzer: Event Details for custom events is sometimes empty. Resolution: After installing this HFA, redefine the custom event.
SmartCenter
HFA 01
00355618
Analyzer: If a dynamic update does not succeed, there is no notification.
SmartCenter
HFA 01
00361659
Analyzer: Old events appear in the current database, instead of being moved to history files.
SmartCenter
HFA 01
00363051
Analyzer: When handling many customers and thousands of objects, object database synchronization may not complete.
SmartCenter
HFA 01
00351797
Reporter: Consolidation Sessions status may sometimes be displayed as Aborted, if many simultaneous sessions attempt to clean connections from the same table (also relevant for fewer sessions, if the database is still initializing when the attempts are made). Error message in lc_rt.log: "Lock wait timeout exceeded; Try restarting transaction".
SmartCenter
HFA 01
00363210
Reporter: Consolidation Sessions status may sometimes be displayed as Aborted, if many simultaneous sessions attempt to access the same Database table for a long time. Error message in lc_rt.log: "Database did not respond for 600 seconds, stuck with <number> items in the queue".
SmartCenter
HFA 01
00348712
Reporter: The Rule Base Analysis Report may sometimes provide the incorrect rule index or a value of Unspecified.
SmartCenter
HFA 01
00350756
Reporter: If values are added to a report filter from the User (Abbreviated) option, the reports are still not filtered by user.
SmartCenter
HFA 01
00350964
Reporter: The Integrity Event Type filter needs more predefined options. Resolution: This filter type has been enhanced to include SmartDefense and AntiVirus; and the IM secure filter has been renamed to IM Security.
SmartCenter
HFA 01
00355459
Reporter: The value of the Integrity Event Type filter in the Summary Report is sometimes incorrect.
SmartCenter
HFA 01
00350972
Reporter: The Action filter for Blocked Programs Report does not include a drop action. Resolution: The 'Endpoint Security' > 'Blocked Programs Report' > 'Filter' window now includes a new predefined 'Drop' action.
SmartCenter
HFA 01
00351795
Reporter: Status notifications for Consolidation Sessions are N/A during the time that incomplete records from previous sessions are being deleted. Resolution: Consolidation Session status notifications now include the new status of 'Previous Session Cleanup'.
SmartCenter
HFA 01
00352816
Reporter: The 'Endpoint Security > Firewall Events Report' is filtered incorrectly, if filtered by source or destination, where the value of one of these filters includes a string with white space.
SmartCenter
HFA 01
00355460
Reporter: When sorted by number of attacks, the Top Security Attacks section in the 'Cross Products Security > SmartDefense Detailed Attacks Report' is incorrectly sorted.
SmartCenter
HFA 01
00363212
Reporter: When the database is full (has less than 500MB free), a Consolidation Session may stop. Resolution: When the disk space threshold is reached, the session pauses and then automatically resumes when more space is available (after automated maintenance or manual cleanup of disk space).
SmartCenter
HFA 01
00379287
Reporter: If attempting to configure a new log consolidation session in Eventia Reporter, and the Log server has more than fifty log files, only some of the log files may be seen in the sequence; sometimes none can be seen.
SmartCenter and Log server
HFA 30
00416690, 00435203
Reporter: New permissions have been added so that only a Provider-1 superuser and Provider-1 Customer superuser can log into Eventia Reporter. This ensures that when the Eventia Reporter server is configured as a global object of the MDS, customer managers have no access to the private data of other customers.
Dedicated server
HFA 50
00432523, 00432506, 00450008
Reporter: The Log Consolidator process now ignores log entries with erroneous dates. Erroneous dates are defined as later than the current date and earlier than the current date minus a defined interval (360 days by default). These dates may be generated by endpoint computers with date and time values incorrectly defined. The ignored log records are stored in: $RTDIR/log_consolidator_engine/log/<IP>/ignored_records.txt and can be viewed by opening this file in a text editor. For details on modifying the defined interval, refer to sk42348.
SmartCenter or dedicated server
HFA 50
00420559, 00420557, 00418195, 00428353, 00441382
Reporter: Improved stability of log consolidation when DNS resolving is enabled.
SmartCenter or dedicated server
HFA 50
00438766, 00437000, 00440736, 00493460
Reporter: Automatic scheduling of more than 100 reports is now supported.
SmartCenter or dedicated server
HFA 50
00414024, 00380084, 00422998, 00428436, 00450025
Reporter: Improved stability of the log consolidation process.
SmartCenter or dedicated server
HFA 50
00409369, 00408795, 00411164, 00428464
Reporter: Improved performance of the Database Automatic Maintenance process.
SmartCenter or dedicated server
HFA 50
00440732, 00431255, 00440743
Reporter: Improved the stability of the Database Automatic Maintenance process to recover after a failure (for example, after a server reboot). The maintenance process will restart automatically after a short period of time following a failure.
SmartCenter or dedicated server
HFA 50
00440731, 00431256, 00440742
Reporter: Improved stability of consolidation, as log files deleted from a log server no longer appear in the list when creating a new custom consolidation session or starting the consolidation from a "selected file in the sequence".
SmartCenter or dedicated server
HFA 50
00441496, 00429663
Reporter: Improved stability of log consolidation as references to objects that were deleted from the management database no longer remain on the Eventia Server.
Dedicated server
HFA 50
00444564, 00438300, 00442123
Analyzer: Improved stability of the Eventia Analyzer server when collecting a large amount of debug information, in some instances as a result of a Check Point Support request.
Analyzer Server
HFA 50
00495737, 00494981, 00495741
Eventia Analyzer. Improved object attribute handling fixes an error that caused the "syslog -r" command to fail on certain objects.
Eventia Log server
HFA 60
00496458, 00426047, 00495927, 00496459
Eventia Reporter. Improved file handling enables large tables (greater than 2.5GB) to be re-imported.
Eventia Reporter
HFA 60
00495785, 00494733, 00495788, 00504736
Eventia Reporter. Improved handling of MIME connections enables reports to be emailed with IronMail.
Eventia Reporter server
HFA 60
00495468, 00494814
Eventia Reporter. Added support for long (more than 22 characters) name for log servers, resolving an issue that blocked the cpWatchDog process from starting.
Eventia Log server
HFA 60
00436786, 00436755, 00436785
Analyzer: Automatic archiving of large history files when Database Maintenance is enabled now succeeds.
SmartCenter
HFA 50
00506387, 00423093, 00428461
Additional information added to report generation logs.
Improved synchronization between Provider-1 and Eventia databases.
Eventia servers
HFA 70
00519449, 00518516, 00519451, 00520397, 00526220
Improved stability in Eventia Analyzer server process.
Eventia servers
HFA 70
00510205, 00498197, 00510207
Improved stability in Eventia Reporter when running many consolidation sessions.
Eventia Reporter servers
HFA 70
00448019, 00447456, 00450107
Improved stability in synchronization between management and Eventia databases.
Eventia servers
HFA 70
00502477, 00498940, 00502480, 00503585, 00511945
Improved stability in generation of Rule Base Analysis report with "Active Policy Analysis" and "Per gateway" checked.
Eventia Reporter servers
HFA 70
QoS
00355336
When selecting a specific interface (instead of 'all interfaces') from the 'Install On' tab in SmartDashboard, QoS rules do not appear in SmartView Monitor.
SmartCenter
HFA 01
00360675
QoS policy installation fails with the following message: "no valid floodgate-1 license".
Improved ability to determine whether a connection is transferred on an active/inactive QoS interface prevents memory leaks when transferring an ftp connection on an interface that is not configured with QoS.
Gateway
HFA 50
00448638, 00448553, 00448637, 00498469
When verifying Traditional QoS policy which includes DiffServ rule and there is an Edge object with QoS enabled, the following error was displayed:
This was a false error and is now no longer shown.
MDS or SmartCenter server
HFA 60
Platform Specific
00364648
Nokia IPSO 4.1: A policy configured to activate a HTTP, FTP, or EMAIL Security Server may prevent such legitimate traffic on IPSO 4.1 machines.
Gateway
HFA 01
00351232
SecurePlatform: The following error occurs when using the hostname command to set the machine host name when not in the expert mode: "/bin/config: error while loading shared libraries: libscis.so: cannot open shared object file: No such file or directory".
Gateway, SmartCenter
HFA 01
00362347
SecurePlatform: DHCP relay daemon fails to start, producing the following error message: "DHCP Relay can't be started".
Gateway
HFA 01
00370878
SecurePlatform: Potential local privilege escalation by a legitimate administrator with restricted (cpshell) rights. For more information, please refer to sk33639.
SmartCenter/MDS, Gateway
HFA 02
00369782
VPN-1 UTM Edge: VPN-1 UTM Edge Firmware 7.5.29 is now supported.
SmartCenter
HFA 02
00373367
VPN-1 UTM Edge: Installing Build 006 of R65_HFA 02 may cause policy installation failures on VPN-1 UTM Edge.
SmartCenter
HFA 02
00373547
SecurePlatform: Installing the Edge_cmp package with the WebUI on a SecurePlatform machine fails.
SmartCenter
HFA 02
00422242
SecurePlatform: Net-snmp monitoring may fail under certain circumstances. Resolution: New SNMP monitoring agent added.
SmartCenter
HFA 40
00431088
VPN-1 UTM Edge: New support for firmware 8.0 (including libsw 8.0.34).
SmartCenter
HFA 40
00446704, 00446709
VPN-1 UTM Edge: Before installing a policy on an Edge device, it is no longer necessary to select VPN in the products list on the General Properties page of the Edge object. Even though VPN is not selected for the Edge object, the policy will be installed successfully.
SmartCenter
HFA 50
00437851, 00437914, 00438673
VPN-1 UTM Edge: Installing a policy on a large number of VPN-1 UTM Edge devices managed from SmartDashboard succeeds consistently.
SmartCenter
HFA 50
00412628, 00411722
VPN-1 UTM Edge: Improved the verifier code to enable successful policy installation for a policy that included two VPN-1 UTM Edge devices configured as backup gateways for each other, each with two external interfaces. Previously, a verifier warning appeared: "The VPN-1 UTM Edge object <edge_device_1> has VPN-1 UTM Edge object <edge_device_2> selected as its backup Gateway, but they do not have the same encryption domain."
SmartCenter
HFA 50
00499131, 00426246
SecurePlatform: New minimum and maximum values for the time zone counter have been updated in the Web User Interface. On the Device Date and Time Setup page, the time can now be set to minus twelve or plus thirteen hours GMT. The time zone settings in sysconfig have been updated to the latest available.
Gateway
HFA 50
00368586, 00368274, 00410324
SecurePlatform: Improvements made to the backup process ensure that all memory and resources associated with the process are now released after performing a backup using the Web User Interface.
Gateway
HFA 50
00373925, 00373131, 00383557, 00405667, 00421147
SecurePlatform: mdsbackup files larger than 1GB can now be successfully restored.
Gateway
HFA 50
00441785, 00441202
SecurePlatform: When configuring VLANs with DHCP relay enabled on some of them, the VLAN interfaces are no longer duplicated on the DHCP relay menu.
SecurePlatform: When using the cpbackup command with the -f (file path) option, a backup file with a custom filename is now created.
Gateway
HFA 50
00427471, 00427375
SecurePlatform: When using the cpbackup command with the -f (file path) option, the backup file is now copied to the directory specified by the -f option.
Gateway
HFA 50
00448383, 00447928, 00448173
SecurePlatform: When an HFA package is installed, appliance interfaces are no longer remapped on NGX R65 appliances that have been upgraded from earlier versions.
Gateway
HFA 50
00463822
SecurePlatform: R65 HFA 50 can be installed on both SecurePlatform 2.4 and 2.6.
Gateway
HFA 50
00464335, 00464252
SecurePlatform: Enhanced password handling fixes truncated passwords, which happened when using SCP or FTP backup.
Gateway
HFA 60
00494933, 00467170
SecurePlatform: Improved SecurePlatform SSH commands so that IP address changes persist correctly.
Gateway
HFA 60
00462732, 00450357, 00502325, 00503381
SecurePlatform: When creating a backup file, if the command includes a -path flag but not a filename, the default filename is appended, ensuring that the backup file is created.
Gateway
HFA 60
00435672, 00435536
SecurePlatform: SCP backup passwords may now contain a zero (0) character in any place.
Gateway
HFA 60
00495973, 00192811, 00362754, 00420292
IPSO: Increased outgoing buffer size for UDP sockets (to 64K) fixes errors with IKE on MM packet 5 and 6.
SecurePlatform: Fixed memory leak, which caused FWM to crash and GUI clients to disconnect.
Gateway
HFA 70
Performance Pack
00422058, 00417266, 00498586
Improved SecureXL notifications to the firewall resolve a connectivity issue that occurs when the Sequence Verifier is enabled together with the Aggressive Aging mechanism. Implementation: An immediate workaround is to disable either the Sequence Verifier or the Aggressive Aging mechanism.
Gateway
HFA 50
00378310, 00409165
Modifications made in the replay_window calculation algorithm resolve the intermittent disconnection of VPN between a R65 gateway and another R65 or Edge gateway when acceleration is enabled.
Gateway
HFA 50
00443702, 00443074, 00466281, 00466507
Improved the fwaccel stat command output for accurate display of accelerated connection information.
Gateway
HFA 60
VoIP
00447938, 00445389, 00445541, 00446481
Improvements to packet handling fix a "Malformed SCCP packet - Invalid Reserved field" error and correctly pass SCCP packets.
Gateway
HFA 60
00508897, 00410142, 00527894
Improved support for VOIP H.323 protocol for use with Avaya Communication Manager (ACM).
The endpoint normally initiates the H.323 (H.225) TCP connection to the Gatekeeper or server. In scenarios where the Gatekeeper initiates the TCP connection to the endpoint, set the global parameter h323_gk_init_tcp_conn, by running the command fw ctl set int h323_gk_init_tcp_conn 1. Note that when running Avaya Communication Manager (ACM), the TTS (Time to service) feature may be enabled by default. When TTS is enabled, the Gatekeeper initiates the TCP connection to the endpoint, and so the h323_gk_init_tcp_conn parameter must be set.
For more instructions on how to set a global parameter, refer to sk26202.
IPv6 Neighbor-Advertisement packets are no longer dropped by the firewall as Out of State ICMPv6 packets.
Gateway
HFA 70
00404877, 00506253, 00506254
The firewall can be configured to allow a SIP (Session Initiation Protocol) connection to continue despite receiving a SIP CANCEL request by setting the kernel parameter sip_accept_session_after_cancel to 1.
Gateway
HFA 70
SSL Network Extender
00361150
SSL Network Extender now supports FIPS. In the FIPS mode, only TLS is available and SSL v3 is disabled.
More precise monitoring of CPU usage with SmartView Monitor on multiprocessor systems running SecurePlatform 2.6.
Gateway
HFA 70
Anti-virus
00369862, 00427172
When performing an Automatic Update for Anti-Virus updates, issues with memory may result.
SmartCenter
HFA 40
00409468, 00408512
An anti-virus scan is performed on all HTTP traffic. Scanning only specific IP addresses requires configuration on the Content Inspection > Anti-Virus > HTTP page.
Gateway
HFA 50
00445265, 00444823, 00466238, 00466240
Anti-virus, with HTML file type set to Pass, has been improved to ensure that sites using http 1.1 (chunked headers) function properly.
Improved license handling, to resolve an issue that occurred with multiple licenses, when one enabled Anti-virus and another did not.
MDS and SmartCenter server
HFA 60
Miscellaneous
00355718
VND VLAN interfaces on Crossbeam machines running XOS suffer from acceleration stability issues. Resolution: This HFA resolves support issues with VND. To ensure stability on XOS platforms, set sim_vnd_route=1 in the simkern.conf file.
Gateway
HFA 01
00350940
SecureXL: Dead Loop messages in the log. Resolution: Enhancements to processes and filtering fix most of the Dead Loop instances. If it persists, set sim_cflush_outbound=0 in the simkern.conf file.
Gateway, SmartCenter
HFA 01
00343981
VPN-1 VSX: The fw stat command may fail in certain scenarios.
SmartCenter
HFA 01
00421083
Easy installation of HFA on gateways using SmartUpdate.
Gateway, SmartCenter
HFA 40
00444874
Web Filtering: This HFA improves the coverage and performance of Check Point's URL Filtering engine, focusing on hazardous and malicious websites.
Gateway
HFA 50
00375553, 00371285, 00380532, 00403450, 00438948
VPN-1 Power VSX: Static routes are now automatically recreated with new interface names after changes have been made to an interface name (normal or VLAN) and the next hop is in the same subnet as the VS interface.
SmartCenter
HFA 50
00437513, 00435716, 00445880, 00448917
UTM-1: The Gateway now ensures that large files that were previously downloaded are not scanned again. This reduces the number of required scans and prevents the scanning mechanism from overloading and dropping packets.
Gateway
HFA 50
00440838, 00439588
It is now possible to install an HFA on top of an installation if the path with the FWDIR variable contains a space character.
Gateway, SmartCenter
HFA 50
00374568, 00368079
Policy Server: When a SecureClient for Mac OSX connects to a Policy Server that does not have a "SecureClient for Macosx" license, the SmartView Tracker will now log the "Mac license is limited to 0 users" error only once per Mac OS user connection, rather than every ten minutes.
MDS
HFA 60
00496720, 00494943, 00496722
SMTP Security Server: Firewall now passes the Temporary SMTP error code 402 which is used by greylisting. This allows users to send mail to a site whose mail server uses greylisting for Anti-spam.
Gateway
HFA 60
00374568, 00368079
Policy Server: When a SecureClient for Mac OSX connects to a Policy Server that does not have a "SecureClient for Macosx" license, the SmartView Tracker will now log the "Mac license is limited to 0 users" error only once per Mac OS user connection, rather than every ten minutes.
SmartCenter server
HFA 60
00467162, 00465493
SecureXL: Resolved connectivity issue with Performance Pack and interfaces with non-equal MTU size.
When using partially automatic client authentication and when the Primary ISP link is down, the client can still get authenticated. Previously, the client received a "The page cannot be displayed" message in the browser when attempting authentication.
Gateway
HFA 60
00449966, 00449183, 00449969, 00463798, 00501246
SmartProvisioning: Gateway status on SmartProvisioning is now correct, fixing an error that may appear after installing HFA_30, that displayed "Needs Attention" for gateway status when it should have displayed "OK".
SmartCenter server
HFA 60
00509491
Gateway Protection: In response to the Sockstress TCP DoS vulnerability, this HFA provides a comprehensive protection for Check Point Security Gateways and the resources behind them. See sk42723.
Gateway
HFA 60
This solution is about products that are no longer supported and it will not be updated