NGX R65 Resolved Issues
Solution

This article lists all of the issues that have been resolved in the various NGX R65 HFAs.

For more information on NGX R65 see the NGX R65 Release Notes and NGX R65 Known Limitations.

To see if an issue has been fixed in other releases, search for the issue ID in Support Center.

ID Symptoms Install On Resolved In
Firewall
00360918 When active data connections are initiated by the server, the connections may be incorrectly logged as initiated by the client. SmartCenter, MDS Log server HFA 01
00352292 When the Gateway NAT assigns a higher source port than contained in the original request, Windows Personal Firewall blocks legitimate DHCP OFFER packets.
Resolution: Enhanced NAT processing ensures legitimate DHCP OFFER packets pass correctly.
Gateway HFA 01
00353919 When using Static NAT on Solaris platforms, ARP tables may contain the incorrect MAC address. Gateway HFA 01
/ When using R6x SmartCenter server to manage R5x VPN-1 Gateways with Remote Access Communities, the SmartCenter server does not advise the administrator about the fact that R5x gateways do not support "Drop" rules for traffic coming from a VPN Remote Access Community. This is now fixed. For further information please see sk33644.
Resolution: We now fail policy installation in case of such a misconfiguration.
SmartCenter HFA 01
00354588 When installing policies using dynamic objects and NAT, there might be stability issues. Gateway HFA 01
00348332 Legitimate email messages are incorrectly identified as malformed MIME error and dropped. Gateway HFA 01
00353015 When the SmartDefense Header Rejection defense is on, activating debug traces may cause gateway instability.
Resolution: Improved stability for use of SmartDefense and debugging.
Gateway HFA 01
00354637 If the Rule Base contains an SMTP resource, the MDQ process fails to start.
Resolution: Improved rule checking ensures that the MDQ starts correctly.
Gateway HFA 01
00352717 Requested additional FTP support for epsv and eprt in IPv4.
Install On:
1. Install first on Gateway, then on SmartCenter.
2. On the server, replace updated files. For details, see sk33402.
HFA 01
00354854 If an FTP packet contains certain characters, the packet may be incorrectly modified.
Resolution: All FTP packets are now passed correctly.
Gateway HFA 01
00351280 When the MDCX command of MGCP is used to connect the RTP media streams, RTP connections may be inappropriately dropped. Gateway HFA 01
00360695 MGCP RSIP packets are dropped when there is white space in the header.
Error message in debug: Invalid format of EndpointID field.
Resolution: Enhanced MGCP parser ensures RSIP packets are correctly passed.
Gateway HFA 01
00354405 Opening multiple concurrent HTTP connections may result in gateway instability.
Resolution: Multiple HTTP connections can now be opened.
Gateway HFA 01
00369859 During Automatic Update for Anti Virus updates, issues with memory may result. SmartCenter HFA 02
00370270 When a Logical Server is configured as type Other, connectivity issues may result.
Resolution: Connectivity issues have been fixed for servers of types that are not predefined.
Gateway HFA 02
00362313 When SmartDefense is in Monitor-Only mode, DCERPC traffic may be incorrectly dropped.
Resolution: Allow-Traffic rules have been improved to ensure that traffic is not dropped in Monitor-Only mode.
SmartCenter HFA 02
00376604 On SecureXL devices that do not support TCP_STATE_DETECT_V2, accelerated connections are not lowered to their TCP END timeout, causing the Connections table to be flooded with redundant entries.
Note: To find if the device supports the feature, run fwaccel stat.
Resolution: Enhancements to SecureXL ensure that TCP packets are correctly timed out.
Gateway HFA 30
00408032 Firewall may experience stability issues due to memory leak.
Resolution: Specific memory leak fixed, memory allocation enhanced, and allocation checks added.
Gateway, SmartCenter HFA 30
00383130 There may be inefficient memory use while using User Authority.
Resolution: Improved memory usage for User Authority.
Gateway HFA 40
00371333 When using External User Profiles with domain names associated with a TACACS server, and the feature Omit Domain Name when authenticating users is selected, the gateway still sends the domain name to the TACACS server and authentication fails.
Resolution: The gateway now sends the desired login name, instead of the full user name, to TACACS.
Gateway HFA 40
00376396 Content filtering does not work with a real license for 25 hosts. SmartCenter HFA 40
00379416 Policy installation fails on gateways when rulebase_uids_in_log is set to true.
Message displayed: Installation failed. Reason: Load on Module failed - no memory.
Resolution: Improved handling of rule IDs and tables.
Gateway HFA 40
00431788 After installing a policy, the default policy is installed, rather than the selected policy. Gateway HFA 40
00374589 Due to insufficient buffer space, policies may sometimes fail to push to a large number of gateways. Log messages may show "Connection buffer overflow".
Resolution: Improved memory allocation and modified cpmi server connection buffer limit.
Gateway HFA 40
00426932 POP3 and SMTP content inspection is not enforced.
Resolution: Improved firewall procedures ensure that inspection is enforced.
Gateway HFA 40
00378571 When one source makes two VoIP connections, the second connection cannot be established.
Resolution: Improved method of identifying connections in kernel tables.
Gateway HFA 40
00374502 SIP connections may be regularly dropped with the error: "Number of reinvites exceeded the limit".
Resolution: Added sip_expire parameter to enable users to customize how much time a registration request should take. (See sk26202).
Gateway HFA 40
00380750, 00380772 After installing NGX R65 HFA 02, the IPv6 module does not load if enabled. Gateway HFA 40
00439945 Resources are used even if Mail Security features are disabled.
Resolution: The Messaging Security daemon is not activated if Messaging Security features are disabled on the SmartCenter server.
Gateway HFA 40
00421560, 00367338, 00367639, 00367640, 00369204, 00417459, 00420931, 00429935, 00443990 Improved stability upon resolving a system resources (sockets) leak that sometimes occurred during policy installation if there were open connections to multiple RADIUS servers. Gateway HFA 50
00442854, 00426830, 00428054, 00439723, 00442852, 00465479 Improvements in the in.msd process enable defining a large number of IP ranges. Gateway HFA 50
00421562, 00373936, 00374736, 00417456, 00420915, 00442947, 00464275, 00429933, 00433495, 00438754, 00443988 Improved stability in RADIUS authentication when two RADIUS servers are configured to use two hosts sharing the same IP address. Gateway HFA 50
00419967, 00419654, 00435185, 00437711, 00500305 Improved gateway stability when handling RPC traffic. Gateway HFA 50
00407872, 00407730 Incorrectly defined dynamic objects now create a log entry displaying the dynamic object name instead of the object number. Gateway HFA 50
00375985, 00375483, 00432909, 00446523, 00446768, 00463858 Improved data structure validation resolves the issue of the gateway becoming unstable when under load. Gateway HFA 50
00421161, 00366470, 00416530, 00420375, 00428220, 00447035, 00447310 Policy installation now succeeds under the following circumstances:
  • Defining NAT rules for an Edge object using large groups as the source or destination.
  • Defining NAT rules for an Edge object using a dynamic object as the source or destination.
SmartCenter HFA 50
00426509, 00421995 Policy Installation from R65 SmartCenter server now succeeds on R60 gateways. Gateway and SmartCenter HFA 50
00407965, 00407852, 00407967, 00418341, 00430607, 00431068, 00446928, 00493492 Policy installation now succeeds on cluster members. Gateway HFA 50
00433003, 00351031, 00351288, 00365315, 00420940, 00493479, 00421778, 00439959 Increased stack size resolves the issue of installation failure of a large policy on a gateway that displayed the following error: "Kernel fw-1 fwloghandle_register_string: unable to put entry into table policy push failed." Gateway HFA 50
00403311, 00117492, 00326603, 00326769, 00326770, 00336963, 00339662, 00352317, 00380458, 00442510, 00445070 Policy verification and installation now displays a warning when DNS verification is disabled and NAT for DNS payload is enabled. Refer to sk34295 for details regarding these DNS features and their configuration. SmartCenter HFA 50
00417338, 00416789 Improved performance due to resolving an excessive memory consumption issue when using an MDQ security server. Gateway HFA 50
00409361, 00368357, 00429643, 00380117, 00405249, 00407361, 00493794, 00416822, 00425983 Resolution of an authentication issue over port 900 now enables users to connect to websites using browsers other than Internet Explorer. Gateway HFA 50
00419558 When anti-virus is enabled on an IPSO gateway, the correct rule number now appears in the log record. Gateway HFA 50
00413733, 00166300, 00180287, 00201177, 00379717, 00416929, 00431619, 00432228, 00180288 Enhanced Security Server connectivity resolves the issue of error messages being displayed while browsing under heavy load. Gateway HFA 50
00343879, 00339220, 00340336, 00360765, 00350823, 00430002, 00448975, 00360762, 00374151, 00424636, 00341124, 00437515, 00367676, 00430723, 00375166, 00404318, 00419517, 00427615, 00443902, 00494620, 00462838, 00493410 Enhanced performance when the firewall receives a message with an unexpected sequence. The message is now used and a new sequence is set. Gateway HFA 50
00371393, 00410290, 00367220, 00371784, 00372198, 00375055, 00381426, 00406748, 00412774 H.225 packets are no longer dropped with a "Malformed H.225 packet" log message when the GenericH235SecurityCapability field is included in H.225 message. Gateway HFA 50
00427808, 00409120, 00423877, 00443304 Calls can now be established when calling a SIP user extension of a SIP phone that is registered with the full extension. Implementation: In SmartDashboard, go to the SmartDefense tab and select Application Intelligence > VoIP > SIP > SIP Custom Properties. Configure the "SIP user suffix length" parameter to the length of the extension number. Gateway HFA 50
00433044, 00432381, 00444731 SIP instant messaging over SIP traffic is now supported by the firewall. Gateway HFA 50
00437032, 00436021, 00497557, 00499029 Enhanced connectivity when media servers are in an internal network and NAT is defined for SIP traffic. Gateway HFA 50
00418363, 00417437, 00420966, 00427009, 00430220, 00430222, 00432629 SIP traffic is now accepted when the 2xx response is sent to a port other than 5060. Please note that you must define sip and sip_dynamic_port as services in the rule. Gateway HFA 50
00371509, 00370485, 00377169, 00419806, 00448891, 00412105, 00445166 RTP packets are now accepted by the gateway when using the SCCP protocol. The problem was resolved by allowing RTP connections in both directions. Gateway HFA 50
00432308, 00432184, 00432307, 00443309 SIP calls are now correctly established and disconnected when the same phone number is registered with the SIP proxy, from two different IP addresses. This behavior is typical in some implementations of "executive-secretary" features. Gateway HFA 50
00430560, 00334134, 00335878, 00342303, 00362834, 00383617, 00422893, 00428642, 00448893, 00493533, 00362925, 00432447, 00371350, 00404176, 00410571, 00412331, 00416425, 00419827, 00445916, 00430265 VoIP MGCP headers with endpoint lengths up to 64 are now supported. Gateway HFA 50
00432313, 00432193, 00432312, 00443310 SIP calls with a duration of more than three minutes are now correctly disconnected. Gateway HFA 50
00363132, 00361932, 00432452, 00466724 It is now possible to register SIP phones without "tag" in the registration request. Gateway HFA 50
00363779, 00363343, 00363780, 00375665, 00432451, 00493458 Improved connectivity ensures that MGCP packets (RSIP and AUEP messages) are now accepted. Gateway HFA 50
00374484, 00361818, 00374481, 00360630, 00367224, 00361816, 00383619, 00371347, 00430257, 00432443, 00466717, 00466718 Connectivity issues with MGCP (often during a Hold when music is playing) have been resolved. Gateway HFA 50
00371344, 00370880, 00371315, 00371528, 00424508, 00445751, 00383577, 00430328 The unnecessary and harmless error message "fwha_df_mod_voip_sip: pkt is not SIP" is now printed to the error log file only when the relevant SIP debug level is turned on. Gateway HFA 50
00411356, 00350984, 00410477, 00411353, 00412330 The gateway now correctly registers SIP phones that switch to a different proxy. Gateway HFA 50
00376830, 00376325, 00407067, 00495206 URL Filtering now successfully blocks the Sports category. Gateway HFA 50
00364395, 00349312, 00352674, 00425262, 00434338, 00449668, 00434344, 00444619 Improved stability of the HTTP security server when using URL filtering. This protection now verifies that the session exists prior to performing the designated action. Gateway HFA 50
00445961, 00443248, 00467022, 00445963, 00446664, 00493483, 00494114, 00503420 Enhancements to CPD process fixed memory leak. MDS, SmartCenter server, and Gateway HFA 60
00450170, 00449637, 00496799 Gateways now correctly pass SIP packets that contain a tag string within the URI (for example: sip:datagateway.com;tag=193442). Gateway HFA 60
00463395, 00447015, 00496407 The Log Forwarding Mechanism has been improved, fixing a memory leak in the FWD process. Gateway HFA 60
00443980, 00114058, 00201616, 00202511, 00213339, 00213308, 00424180, 00445418 When using HTTP Security server, while the firewall is the proxy server, the DNS timeout cache is now correctly set to five minutes. See sk22953. Gateway HFA 60
00466875, 00463844, 00466878 Improved FTP command parsing. See sk36267. Gateway HFA 60
00374058, 00372921, 00374056, 00374057, 00374059, 00376382, 00420715, 00442128, 00449393 New kernel parameters for enhanced control of SCCP packets. This fixes an error that was seen when SCCP packets larger than 1000 bytes were sent: "Malformed SCCP packet - message length exceeds the limit of 1KByte". To change the limit of the packet size, set the sk_len_limit kernel parameter to the relevant value. Gateway HFA 60
00438719, 00438125, 00466062, 00467056, 00499646 With an FTP Security server (when a rule uses ftp resource, or Anti-virus for ftp), the firewall consistently opens the data connection to the FTP client on port 20. Gateway HFA 60
00448962, 00447240 H.323 traffic is now passed correctly; fixed "Malformed H.225 message" error. Gateway HFA 60
00442822, 00441870, 00496981 UDP packets with IP option of type NOP or EOL are dropped by firewall, by design. (Drop error: "options not approved"). This HFA provides a new kernel parameter, allowing you to change the behavior of the firewall, to pass these packets. To enable UDP packets with NOP and EOL IP options to pass, change the value of the asm_allow_ipopt_on_udp kernel parameter to 1. Gateway HFA 60
00496465, 00172047, 00179881, 00214588, 00376982, 00433918, 00496466 Improved performance of firewall on Crossbeam by enabling logs to be held locally, rather than transferred to a flash filesystem that is not always accessible. Gateway HFA 60
00495714, 00345195, 00348690, 00350188, 00350355, 00428682, 00431338, 00495776, 00445402 Improved clustering with Clientless VPN to provide proper functionality for environments that upgrade to NGX R65. Gateway HFA 60
00494698, 00493702, 00494701, 00494699, 00494700, 00494703 Improved handling of server list, to ensure that new Log Servers can be added without adversely affecting the fwd process. Gateway HFA 60
00450113, 00449986, 00493494 Retrieving interface information through 'cpstat os -f ifconfig' command now provides the MAC address. Gateway HFA 60
00415147, 00412518, 00415145, 00420694, 00423641, 00423378, 00426633, 00426672 Japanese character URIs (containing shift_jis encoding) are now correctly recognized; they are no longer falsely detected as command injections. Gateway HFA 60
00416546, 00416191, 00434917, 00435662, 00416547, 00416548, 00421889, 00497908, 00503998 The Firewall has been improved to handle large connections tables. Gateway HFA 60
00376299, 00347784, 00376296, 00376297, 00376298, 00445756, 00495071 SNMP handling improved to properly accept Check Point SNMP Pull requests. Gateway HFA 60
00496093, 00217318, 00351548, 00406381, 00496093, 00501616, 00496094 Gateways can now successfully open SSL VPN connections, even if clustering is not enabled. Gateway HFA 60
00466612, 00464197, 00466616 Information of logs with filesize larger than 2GB is now correctly displayed from the Get File List command. MDS and SmartCenter server HFA 60
00495637, 00444032, 00463576, 00495638 Improved firewall process handling fixed error (see /var/log/messages): "Failed to init ctipd's iprep object". Gateway HFA 60
00495632, 00421360, 00495633 Improved SMTP resource with MX-resolving to fix a memory leak. Gateway HFA 60
00435013, 00434854, 00435011 Improved SIP connectivity with Hidden NAT. Gateway HFA 60
00495666, 00137684, 00179812, 00448482, 00495667, 00185059 Improved Clientless VPN for correct translation of the location HTTP header from http to https. Gateway HFA 60
00495004, 00466145, 00494415, 00495005 Improved sam_alert configured on IPSO stand-alone environments, fixing handling conditions that were causing sam_alert to not be executed. Gateway HFA 60
00494698, 00441036, 00439548, 00467061 VPN debug mode has been improved for stability when working with NAT traversal tunneling (UDP encapsulation). Gateway HFA 60
00496601, 00341170, 00403922, 00417598 SIP packet handling has been improved to fix the "Attack Info - BYE message is out of state" error. Gateway HFA 60
00512176, 00511326, 00512178, 00517764, 00519229 Enhancements to Web Filtering are implemented in SmartView Monitor. SmartCenter server, Gateway HFA 60
00446671, 00443585, 00446870, 00503511, 00508639, 00504798, 00510866, 00517061, 00508196, 00508962, 00510318, 00511879, 00517405, 00517716, 00521505 Improved stability of FWD process while handling logs. Gateway HFA 60
00519772, 00520249, 00520302, 00525292, 00522039 Improved stability in fwd during process initialization. MDS and SmartCenter HFA 70
00506253, 00506254, 00404877 The firewall can be configured to allow a SIP (Session Initiation Protocol) connection to continue despite receiving a SIP CANCEL request by setting the kernel parameter sip_accept_session_after_cancel to 1. Gateway HFA 70
00505513, 00423573 Improved stability of fwd CPU usage regarding cluster-related operations. Gateway HFA 70
00501459, 00496768, 00501461 Enhancements to SecureXL fixed memory leak. Gateway HFA 70
00506176, 00361444, 00361452, 00361453, 00361454, 00412775, 00433069, 00496185 Improved stability when CPAS protections are enabled. Gateway HFA 70
00509612 Enhancements to VPND fixed memory leak. Gateway HFA 70
00526667, 00522061 Improved memory management of fwd during dynamic object resolving process fixed memory leak. Gateway HFA 70
00526440, 00521934, 00528269 Improved stability of fwd when a dynamic object is incorrectly defined. Gateway HFA 70
00500605, 00505879, 00506369, 00507298, 00531233, 00531195 Improved stability of clientless VPN. Gateway HFA 70
00500711, 00502744, 00506235, 00511732, 00517082, 00519239 Improvements to gateway cluster synchronization allow better management of fwx_alloc table entries for non-synchronized connections. Gateway HFA 70
00217680, 00517800, 00427744, 00217801, 00344698, 00431868, 00446794, 00450257, 00463273, 00506268, 00530340 Improved stability during manual client authentication. Gateway HFA 70
00495421, 00496735, 00496736 Improved stability of security servers running on IPSO. Gateway HFA 70
00495534, 00498495, 00499355, 00526954 Includes updated list of Skinny message types to be allowed by the gateway. Gateway HFA 70
00435687, 00436390, 00438458, 00446572, 00447995, 00466886, 00494160, 00524069, 00506224, 00509837, 00528201 Improvements to firewall processes reduce extraneous error logs. Gateway HFA 70
00499613, 00501102, 00504002, 00523687 Improved handling of SNMPv3. MDS and SmartCenter HFA 70
00517097 Improved security for connections to the ICA management portal over OpenSSL. MDS and SmartCenter HFA 70
00496433, 00404972, 00405134, 00405136, 00405138, 00405140, 00407420, 00510266, 00512372, 00511796, 00409445, 00425647, 00434513 Improved stability of fwd during log purge operations. MDS, SmartCenter server, and Gateway HFA 70
Management
00350188 After a version upgrade, Clientless VPN on Cluster may fail to function properly.
Resolution: Clientless VPN properties are now correctly added to member objects when a cluster is created, ensuring proper functionality of Clientless VPN on Clusters.
SmartCenter HFA 01
00364123 SIP methods filtering defense cannot be deactivated through Profile Management.
Resolution: SIP methods have been added to the Deactivated Profile list.
SmartCenter HFA 01
00361496 If an attempt to create a new object fails, the fwm process may cause a memory leak. SmartCenter HFA 01
00363645 In Management High Availability, when a failover occurs, VPN-1 UTM Edge devices may fail to reconnect to the Secondary member. SmartCenter HFA 01
00361573 Cannot change admin password from SmartDashboard.
Resolution: Improvements in password encryption methods and password creation requirements allow the admin password to be changed.
SmartCenter HFA 01
00336004 For clusters only, Deployment Status information is not available in SmartDashboard.
Resolution: Status information has been enhanced for clusters: if all members have the same status, this is the displayed status; otherwise, the status information will display information by priority. For example: an error from a member, a notification that not all members are installed, and so on.
SmartCenter HFA 01
00354328 SmartUpdate cannot enable more than 20 packages.
Resolution: Increased the package limit to 40.
SmartCenter HFA 01
00364344 Issues with verification of upgrade, due to an unnecessary contract validation. SmartCenter HFA 01
00340782 SmartLSM: Performance issues with a large quantity of SmartLSM (ROBO) VPN-1 UTM Edge clients. SmartCenter HFA 01
00354741 SmartView Monitor: Real time monitoring causes gateway instability in rare instances. Gateway HFA 01
00374179 The upgrade_export and upgrade_import utilities may cause instability issues. SmartCenter HFA 02
00373630 The cpca and fwd processes may experience stability issues or display an error message: "Unable to contact Certificate Authority on the Management Station". SmartCenter HFA 02
00367125 Check Point NGX R65 with Messaging Security is not supported on Windows Vista or Windows 2000.
Resolution: Check Point NGX R65.3 SmartConsole now supports NGX R65 with Messaging Security on Windows Vista.
Workaround: If no other Plug-in is installed on the SmartCenter server, and the SmartConsole is on Windows Vista or Windows 2000, you must replace the plugin_metafile.C on the SmartCenter server. See sk35317 for details.
SmartCenter HFA 30
00417050 Check Point NGX R65.3 SmartConsole is not supported on Windows Vista when VSX NGX Plug-in is installed on the SmartCenter server.
Workaround: If no other Plug-in is installed on the SmartCenter server, and the SmartConsole is on Windows Vista or Windows 2000, you must replace the plugin_metafile.C on the SmartCenter server. See sk35317 for details.
SmartCenter HFA 30
00374619, 00354298 Management HA: In specific scenarios, there are issues with policy installation and notification if a policy did not install. SmartCenter HFA 40
00412090, 00411259, 00466224, 00427725, 00443476, 00464269 Enhancements made to the fwm process provide stability during policy installation. SmartCenter HFA 50
00366985, 00366122, 00366986, 00371289, 00415251, 00449365 Debug messages (whether the result of an error or purely informational) now only appear in Debug mode. Gateway, SmartCenter HFA 50
00444877, 00444646, 00466573, 00466574 The command line function fwm was improved to recognize the correct database for Log Export, when running from a gateway or on a Provider-1 MDS. Gateway HFA 50
00428382, 00428005, 00428383, 00428420 Users can successfully connect to a SmartCenter server. The "Too many open files" error message no longer appears when opening SmartDashboard. SmartCenter HFA 50
00407978, 00404910 SmartCenter server license handling has been updated to recognize the Connectra Load Sharing Cluster built-in license. Previously, license verification on Connectra SmartCenter server failed. SmartCenter HFA 50
00426664, 00330893, 00338991, 00339561, 00339562, 00339563, 00343846, 00343921, 00423359, 00427446, 00347004, 00348232, 00351744, 00418285, 00354264, 00368370, 00426082, 00426857, 00427657, 00442407, 00444266 Improved certificate handling ensures that certificates are reloaded as needed, and not renewed when not needed. SmartCenter HFA 50
00374515, 00367426, 00370082, 00371721, 00372406, 00408429, 00430716, 00406346, 00422740 Improved resource allocations on the SmartCenter server prevent memory leaks from being created if cpmistat is run in a script on the SmartCenter server to query for status. SmartCenter HFA 50
00440324, 00433157, 00494111 New gtar copies can now be placed in $CPDIR/bin/ to be utilized for Database revisions, while leaving $CPDIR/util/gtar intact, preserving the integrity of HFA installations.
Implementation: To obtain a new gtar file, contact your Sales representative or Check Point Technical Services. Place the new gtar file in the $CPDIR/bin/ directory.
SmartCenter HFA 50
00445927, 00445813, 00445928 Log forwarding has been enhanced in R65_HFA 50. This can correct the issue on SmartCenter servers with R65_HFA 30 on Windows platforms where the forwarding of log files sometimes failed. SmartCenter HFA 50
00495622, 00373479, 00409480, 00422945, 00467064, 00495623 Enhanced stability for FWM process to handle corruptions in Thresholds table. MDS or SmartCenter server HFA 60
00504024, 00499473 SmartUpdate now allows an unlimited number of packages to be installed on a gateway. MDS or SmartCenter server HFA 60
00443001, 00442874, 00442996, 00443471 SmartView Monitor provides improved gateway status information, fixing scenarios where the information could not be retrieved, due to enhanced communications between server and gateway. MDS or SmartCenter server HFA 60
00465326, 00464693, 00493501 Improved stability of the cpd process. MDS and Gateway HFA 60
00423122, 00506350 Users with policy download permissions also have permissions for database revision control. MDS and SmartCenter HFA 70
00425024, 00428599, 00506389 A standby CMA or MDS can renew its SIC certificate. MDS HFA 70
00414727, 00416543, 00506880 When changing the color of a group object, the chosen color is saved and will display correctly even after reopening SmartDashboard. MDS and SmartCenter HFA 70
00500350, 00504065, 00504978 The $FWDIR/conf/ipassignment.conf file will no longer be overwritten during synchronization of a UTM-1 cluster in High Availability. SmartCenter HFA 70
00339780, 00339880, 00339881, 00339882, 00349112, 00367550, 00428390, 00523514, 00527130 SmartCenter successfully installs policy for topologies with more than 140 VPN communities. SmartCenter HFA 70
00505535, 00503342 Improvements to policy compilation fix an issue that could have occurred when CPDShield and other dynamic objects are used in rules. MDS and SmartCenter HFA 70
00510980, 00519517 Improved stability when listing large Account Units in the SmartDashboard. MDS and SmartCenter HFA 70
00432322, 00502717, 00523713, 00511174 Improved stability during security policy installation. MDS and SmartCenter HFA 70
00450225, 00502893, 00508111, 00527960, 00506361, 00511205, 00522418 Enhancements to management (fwm) fixed memory leak which occurred during certain user management operations. MDS and SmartCenter HFA 70
00510703, 00520227, 00530447, 00520287 Enhancements to management (fwm) fixed memory leak which occurred when viewing a database revision in a CMA. MDS HFA 70
Provider-1
00350237 In some cases, MDS cannot restore backup files greater than 1 GB. MDS HFA 01
00346194 Audit logs for Plug-in operations do not show the complete administrator name. MDS HFA 01
00347983 When activating or deactivating a Plug-in, error messages may appear for other Plug-ins that were not activated on the CMA. MDS HFA 01
00353007 When attempting to add a license to the MDS through the MDG, an Invalid License message appears. MDS and MDG HFA 01
00350749 When creating license-contract links for a large system with many licenses, the MDS may seem to pause for a number of minutes. MDS and MDG HFA 01
00362932 When enabling a CMA session description, the MDS fails to connect to the CMA.
The CMA is shown as Stopped on the MDG.
MDS HFA 01
00351783 When performing simultaneous virtual system updates on VSX gateways managed by one CMA, the first update stops responding. MDS HFA 01
00346835 Sometimes after launching SDB or SVM, or after assigning a global policy, the server appears to be busy. This makes the client unusable for a number of minutes. MDS HFA 01
00348539 Traffic is not always encrypted between VS devices and the firewall. MDS HFA 01
00373367 CMAs may not be uploading the Anti Virus policy onto VPN-1 UTM Edge. MDS and CMA HFA 02
00369663 Provider-1 administrators may not be able to authenticate using TACACS/RADIUS. MDS HFA 30
00380298 Security Policies on gateways cannot be installed if rules for encryption are defined.
Error in log file: "No license for encryption".
MDS HFA 30
00406861 Issues with connecting to RADIUS/TACACS servers. MDS HFA 30
00406875 Because of issues with licenses, policies with rules for encryption or rules that contain IPv6 objects cannot be installed in Provider-1. MDS HFA 30
00371769 Bond interfaces on RHEL3 may fail if there are duplicate IP addresses for different interfaces. MDS HFA 40
00419740, 00417955, 00420956, 00430201, 00439136, 00464270 All TCP sockets now close properly so that no file descriptor leaks occur when connecting to a CMA via RADIUS server authentication. MDS HFA 50
00420177, 00415445 Improved MDS stability when attempting to delete a customer from the MDG or CLI. MDS HFA 50
00433976, 00433667, 00433974 Improved SmartMap configuration enables connection via SmartDashboard to a CMA while SmartMap is loading. MDS HFA 50
00465893, 00445921, 00450283, 00465272 When a Customer object is deleted, it no longer deletes the objects to which the Customer was assigned. MDS HFA 60
00465306, 00464268, 00466035 Improved parsing algorithms provide correct import of Cisco routers (OSE) access list in ASCII format. MDS HFA 60
00428467, 00436800, 00443490, 00466039, 00466434 Improved Provider-1 licensing fixed an issue with adding licenses to CMAs with SmartUpdate. MDS HFA 60
00413150, 00182658, 00218123, 00334445, 00377778, 00424151, 00425399, 00427742, 00406648, 00416771, 00428000, 00441325, 00449358 The number of allowed users for SSL Network Extender licenses is now calculated correctly according to the number of licenses on each relevant CMA, rather than the number of licenses on the MDS. MDS HFA 60
00467051, 00440147, 00442116, 00467052 Enhanced Log Forwarding mechanism to provide greater stability of fwd process. MDS and Log Server HFA 60
00447109, 00445956 Improved handling of firewall processes provides increased stability of Provider-1 when performing an Activate Plug-in operation. MDS HFA 60
00466320, 00465700, 00466323, 00466483, 00503214, 00497740 Improved processing fixed a memory leak that occurred if a CMA is assigned to a global policy, and rules are added above or below the policy. MDS HFA 60
00410441, 00404966, 00419946, 00428266, 00432878, 00438356 Improved stability on the CMA when the MDS is down and the administrator authenticates through a RADIUS server due to changes made in the fwm process. MDS HFA 50
00406630, 00403254 Enhancements made to the fwm process ensure successful assignment of Global Policy in Provider-1. MDS HFA 50
00437462, 00436817 Enhancements were made to the allocating and releasing memory process. MDS HFA 50
00404453, 00382166, 00427710, 00443484, 00464325, 00466247, 00447482 The cpd process no longer terminates during certain licensing operations (adding, printing, deleting). CMA and MDS HFA 50
00437463, 00437463 A memory leak that occurred whenever a SmartCenter server's database is loaded by a third party has been resolved. MDS HFA 50
00405221, 00380451, 00418943, 00422741, 00428074, 00430111, 00443340, 00497811 Enhancements to the SIC functionality resolve the issue of Provider-1 behind static NAT sometimes being unable to open the MDG. MDS HFA 50
00521291, 00527965, 00504674, 00508091, 00520916 Enhancements to Management (fwm) fixed a memory leak which occurred during synchronization between CMAs in High Availability. MDS HFA 70
00504867, 00504316, 00504865 After deleting a global object which is in use by a local rule, a message will appear during global policy installation showing the rule numbers of the local rules that are affected. MDS HFA 70
00528446, 00505054, 00505939, 00508096, 00527958 Improved stability of management (fwm) during license related operations. MDS HFA 70
00529660, 00523689, 00418438, 00418791, 00427723, 00443482, 00522197, 00466284 Improved stability when connecting to a CLM using a LEA client. MDS HFA 70
00506386, 00413916 Improved support for using a CMA to manage Interspect SmartDefense. MDS HFA 70
00518778, 00518933 Increased stability in the management (fwm) process, especially under heavy load. MDS HFA 70
00525382 Improved stability for restoring an MDS backup in R65.4. MDS HFA 70
00439849, 00441322, 00523698, 00431807, 00433027, 00435485, 00436185, 00501007, 00522222, 00436311 Improved performance for queries against the Provider-1 database. MDS HFA 70
VPN
00346299 If peers are using certain non-Check Point encryption algorithms, connectivity issues may result for L2TP users on Windows Vista-based clients.
Resolution: IKE validation procedures now allow Windows Vista L2TP clients to connect to Check Point VPN-1 gateways.
Gateway HFA 01
00383256 If remote access connections are maintained during policy reload, they may cause traps and packet loss. Gateway HFA 30
00367354 Error on VPN initialization. Gateway HFA 30
00376292 The vpn tu command does not provide an option for IP address.
Resolution: Added option to this command: after entering this command, the user is asked for the IP address.
Gateway, SmartCenter HFA 30
00406283 Collision between internal IP address of VPN Remote Access Client (using SecureClient, SecuRemote, or SSL Network Extender) and an IP address in the encryption domain causes traffic meant for the internal IP address to be incorrectly transferred to the Remote Access Client.
Resolution: If this IP address collision occurs, new connections to this IP address are sent to the IP address in the encryption domain, mitigating security threats associated with IP collision. For more details, see sk34579.
Gateway HFA 30
00406806 After changing the authentication method from username/password to RADIUS ActivIdentity, SecureClient users disconnect every few minutes. Gateway HFA 30
00404891 After changing the authentication method from username/password to RADIUS ActivIdentity server, the vpnd process may fail, and the SecureClient user disconnects every five or ten minutes. Gateway HFA 40
00431488 In VPN clusters, after a failover in a cluster with SXL enabled, if the new active gateway is a SmartLSM Remote Office/Branch Office gateway, the connection will fail. Gateway HFA 40
00406530, 00406411 Improved stability of an IPSO VRRP when an attempt to connect using visitor mode occurs. Gateway HFA 50
00403767, 00403465, 00403768, 00444345, 00430144, 00430349, 00437193, 00425390, 00426555, 00409865, 00427489 Modifications have been made in the VPN kernel notifications sent to a SecureXL device regarding relevant SPIs, to ensure it receives valid SPI or MSPI updates. Gateway HFA 50
00436631, 00436247 When using IP Pool NAT with multiple public IP addresses, the fwx_cntl_dyn_tab table reaches its maximum limit of 25000 entries.

Workaround: To increase the number of entries:

  1. Open $FWDIR/boot/modules/fwkern.conf on the gateway.

  2. Add the lines:
    fwx_max_cntl_dyn=<xxxx>
    fwx_hash_cntl_dyn=<yyyy>

    Where:
    <xxxx> is the new maximum limit
    <yyyy> is the new hash size

  3. Reboot.

  4. Install policy.

  5. Run: fw tab -t fwx_cntl_dyn_tab to verify that the #VALS value has changed to the new limit.
Gateway HFA 50
00447032, 00445761, 00447027 Improved memory usage when Route Injection Mechanism (RIM) is enabled on a VPN community. Gateway HFA 50
00373952, 00373366, 00428752, 00431084, 00431780 Improved SNX stability when interacting with the security gateway or hosts behind it. The VPND process no longer terminates unexpectedly. Gateway HFA 50
00375138, 00426299 The satellite Gateways now see routes on the central Gateways. Previously, in a star VPN community, where the central Gateways were meshed and the satellite Gateways were members of a mesh VPN community, when MEP was enabled in the star community and RIM was enabled in both communities, some of the satellites did not see the central Gateways' routes. Gateway HFA 50
00369124, 00368895 PMTU discovery has now been disabled on the socket that handles IKE over UDP. Previously, VPN between different networks failed to complete the IKE negotiation when a router with a low MTU passed traffic between them. An ICMP type 3 code 4 message was generated. Fragmentation was required on the packets but the "don't fragment flag" was set. Gateway HFA 50
00376384, 00375772, 00436692 To ensure correct routing, the MEP routing table now contains all the names of the cluster members. Previously, in a Star VPN community, where ClusterXL was meshed with a regular NGX R65 Gateway, routing failed if satellites were encrypting to the cluster via the regular Gateway. SmartCenter HFA 50
00374473, 00364354, 00426867, 00427476, 00440335, 00447374 A VPN tunnel only opens to the MEP gateway that was configured as "Allowed Peer Gateway" in the encryption rule. Previously, when two or more MEP gateways were configured using Traditional Mode (in a fully overlapping encryption domain), and a rule was created that allowed a VPN tunnel to be created only with one MEP gateway, RDP packets were still sent to all MEP gateways, enabling the VPN peers to open a tunnel with available MEP gateways. Gateway HFA 50
00441660, 00438511, 00441662 When trying to open a return connection to a remote VPN peer running SecuRemote or SecureClient (without office mode enabled), the connection is now accepted by the gateway. Gateway HFA 50
00496029, 00410051, 00417632, 00450301 Improved NAT-T connections between SecureClient and ClusterXL in Legacy mode, to correctly recognize the cluster interface for Main Mode packet 4 with NAT-D payload. This fixes the issue that resulted in a "Payload Malformed" error. Gateway HFA 60
00415860, 00414578, 00415499, 00498285, 00430640, 00439726, 00444898 Fixed certificate enrollment when management is behind NAT. Gateway HFA 60
00444892, 00427454, 00427592, 00499156, 00429669, 00433580, 00444412 Improved IKE to IP address mapping to provide a relevant IPsec SA to packets after the mapping has been changed. Gateway HFA 60
00496911, 00436874, 00496976 When a route-based VPN community is defined between a gateway and an Edge appliance, the VPN tunnel persistence is maintained after restarting the firewall (cpstop and cpstart). Gateway HFA 60
00415544, 00415371, 00496978 In an environment with multiple tunnels between two gateways, and multiple IKE SAs for each gateway, the "vpn tu" command now correctly displays the relation between the IPSEC SAs and the IKE SAs when printing IPSEC SAs list. Gateway HFA 60
Endpoint Connect
00421195 The Endpoint Connect client cannot be configured to use the Challenge Response authentication method. Gateway HFA 40
Advanced Dynamic Routing Suite
00379773 Added support: cpvinfo for binaries and various improvements for protocol support and Check Point product integration. Gateway HFA 40
00379923 On AMD-based machines, OSPF may experience stability issues, due to issues with the CPU timer.
To implement this fix:
In $ADVRDIR/gatedwd, replace gated -N -r with gated -N -r -A
Gateway HFA 40
00379913 After installing a policy on a VPN-1 gateway, connectivity may fail for a few seconds due to an incorrect OSPF negotiation. Gateway HFA 40
00379930 Large Join/Prune PIM messages may not be fragmented and therefore be too large to pass the interface and be dropped. Gateway HFA 40
00379935 BGP (Border Gateway Protocol) in some topologies may be unable to resolve a specific route, disabling further operations. Gateway HFA 40
00379910 In a Dynamic Routing configuration between an Edge device and an Advanced Dynamic Routing Suite gateway, the Dynamic Routing gateway incorrectly forwards the Edge VTI address as the next hop. Gateway HFA 40
00379928 Improved unicast route synchronization between different cluster members. Gateway HFA 40
ClusterXL
00349144 The Load Measurement Interval parameter has no effect on the load balancer. Gateway HFA 01
00350795 When attempting to perform a full synchronization to an unresponsive member, gateway instability may result on rare occasions. Gateway HFA 01
00354909 If the maximum allowed number of full sync attempts is reached, cluster member kernel tables are not updated and the VRRP member fails to perform a full synchronization following reboot.
Resolution: Increased the maximum allowed number of full sync attempts.
Gateway HFA 01
00370323 After rebooting a non-pivot member, there may be connectivity issues if the routing synchronization process started before all cluster configuration was done. Gateway HFA 40
00361891 After installing a policy, there may be connectivity issues if GateD OSPF routes are re-established.
Resolution: GateD OSPF routing processes are not re-done after policy installation.
Gateway HFA 40
00430032, 00429844 The 'cpstat ha -f all' command now shows cluster interfaces correctly in the 'Cluster IPs table' and the 'Sync table'. Gateway HFA 50
00422096, 00421293, 00421508, 00421509, 00439149, 00439680, 00442284, 00446548 In High Availability mode, if failover occurred while running a ping command to the cluster IP, the newly selected active member failed to answer the ping request. The ping was recorded as a connection that belongs to the member that was active at the time. Now, following failover, the newly selected active member rejects the first ping request it receives, but the next ping request is recorded as a new connection to this member. Gateway HFA 50
00417325, 00417247, 00417327, 00434339, 00464639 In SmartView Monitor, on ClusterXL gateways running on Solaris, the interface table now displays correctly. Gateway HFA 50
00355797, 00352937, 00355793, 00366060, 00371045, 00375167, 00431351, 00436002, 00445310, 00435482, 00446314, 00493491 Improved stability when running clusters, on Solaris, due to a memory issue that was resolved. Gateway HFA 50
00429713, 00333378, 00333906, 00333907, 00373085, 00373590, 00428697 Improved handling by the gateway of virtually defragmented packets with ClusterXL that are configured with Sticky Decision Function (SDF). Gateway HFA 50
00435831, 00435812, 00435873, 00435859 Improved stability when enabling the ClusterXL "Support IGMP Snooping" feature. Gateway HFA 50
00369028, 00340983, 00341350, 00341351, 00353215, 00465688, 00369305, 00405248, 00430820 Forwarded MAC addresses are now unique for every cluster member. When two pivot mode clusters are connected to the same switch, pivot forwarded packets are forwarded to the correct port. Cluster member gateways HFA 50
00408983, 00408720, 00445403 Improved connectivity and handling of the firewall ensures that acceptable VPN connections for HTTPS, when clientless VPN is used in a Check Point NGX R65 cluster, are accepted. Gateway HFA 50
00428150, 00428036, 00428037, 00428040, 00428042, 00428142, 00447308 For improved performance, ClusterXL no longer probes proxy ARP IP addresses; instead, it probes the actual network. Gateway HFA 50
00436593, 00436351, 00436729, 00439048, 00444644, 00445183, 00447444 When installing policy on an IPSO cluster, the pnotes (Problem Notification) may time out and failover may occur. The default 60 seconds before failover should be increased.
Implementation: To change the default timeout from 60 seconds, set the kernel parameter, fwha_pnote_timeout_during_install_policy, to a higher value in milliseconds. Refer to sk36647.
Gateway HFA 50
00434468, 00418653, 00433545, 00443770 To ensure stability, modifications were made to the pnotes mechanism to keep the pnotes timeout higher during policy installation on an IPSO cluster. Gateway HFA 50
00421827, 00407701, 00415240, 00448627, 00494539, 00421828, 00421829, 00498533, 00415268, 00420901 Stability has been enhanced so that a large policy installs successfully without ClusterXL failover. Gateway HFA 50
00379049, 00376340, 00411386, 00437245 The gateway now checks each occurrence of packets whose source IP addresses end in 255 to determine whether they are broadcast addresses, before automatically dropping them. Gateway HFA 50
00431119, 00430476, 00434476, 00443272, 00447913 When using a cluster, DNS responses may be dropped, as in some instances, certain DNS servers do not send the DNS question header in the DNS message response.
In ClusterXL, it is not required to verify that the DNS question header is in the DNS message response. Do not use this resolution for third party clusters.
Implementation: To set this functionality, set the kernel parameter, fwdns_verify_session_id_no_cksum, to 1.
Gateway HFA 50
00496596, 00418374, 00419982 ClusterXL, configured in Load Sharing mode with Performance Pack turned on, now handles the load for policy installation properly; previously both members were processing the same traffic. Gateway HFA 60
00506325, 00506327, 00506407, 00336356, 00405735 In ClusterXL Legacy mode, only the Active machine will reply to ARP requests sent by the Server on a non shared VLAN interface. Gateway HFA 70
00506262, 00449687, 00449982, 00449983, 00528264, 00463535, 00464156, 00465847, 00517006, 00518046, 00517008 The Firewall allows more than 63 disconnected interfaces for ClusterXL. Gateway HFA 70
SmartDefense
00355802 Improved handling of unicode characters in Web Intelligence protections. Gateway HFA 30
00367357 Spoofing vulnerability in DShield. Gateway HFA 30
00426827 When attempting to launch an HTTP page with Connectra CM, marking/unmarking a Web Intelligence protection has no effect.
Note: The fix is applied the next time Web Intelligence protections are marked or unmarked.
SmartCenter HFA 40
00416390, 00508610, 00416557, 00431286, 00440267, 00463499 Improved connectivity on IPSO gateways when Aggressive Aging is enabled. A correction was made in the timeout calculation.
Refer to sk35238.
Gateway HFA 50
00382383, 00349282, 00382300, 00447066, 00449880, 00426061, 00427228, 00439895, 00437278, 00441625, 00445852, 00446518 SmartDefense rejects Domain_tcp traffic larger than 4096 bytes and generates the error message "dns_process_data: failed to reallocate buffer for length" in the kernel debug results.
Implementation: By default, the DNS buffer is set to 4096 bytes. To accommodate DNS traffic larger than the default buffer length, the dns_max_tcp_data_len parameter can be increased up to 32000 bytes.
Gateway HFA 50
00501588, 00415867, 00416559, 00422066, 00424727, 00428683, 00430198, 00431184, 00463232, 00501045 String search of SmartDefense packets in SmartView Tracker now correctly handles issues that would return an Internal Handling error if the packet was too small to hold the string. Gateway HFA 60
00427013, 00426431, 00427359, 00433544 Web Intelligence/Anti-virus improved for web page loading; previously certain pages were not refreshed well. Gateway HFA 60
00450311, 00499947, 00499949, 00526088, 00566521, 00734363, 00751670, 01056335 Truncated UDP DNS packets are dropped by IPS protection "Non Compliant DNS" as attack "Bad domain format, empty domain".
Refer to sk106483.
Gateway HFA 70
00506258, 00431103, 00527458, 00506259 To allow a DNS query with class "ANY", set the kernel parameter fwdns_check_question_allow_class_any to 1. Gateway HFA 70
SmartLSM
00505308, 00506886 Increases the maximum size of a script line of SmartLSM Edge gateway scripts using the LSMcli utility. MDS and SmartCenter HFA 70
00465471, 00466070, 00517799, 00533184, 00517840, 00517841 Improvements to LSMcli better manage modifications to dynamic objects. MDS HFA 70
Infrastructure
00381300 Error is seen in log fix: "max resolving requests reached - out of memory". Gateway, SmartCenter HFA 30
00377080 Memory issues are sometimes experienced, due to incorrect file handling. Gateway, SmartCenter HFA 30
Eventia Reporter/Analyzer
00347746 Analyzer: During an advanced upgrade, the user-defined events are duplicated.
Resolution: After installing this HFA, import the configuration files from the advanced upgrade.
SmartCenter HFA 01
00364922 Analyzer: After upgrading Eventia Analyzer NGX R63 to NGX R65, dynamic upgrades do not appear.
Note: This HFA eliminates the need to use the manual fix detailed in sk32690.
SmartCenter HFA 01
00354788 Analyzer: When displaying events with a service filter, the Analyzer client disconnects from the Analyzer server. SmartCenter HFA 01
00364284 Analyzer: Events database takes up all available disk space.
Resolution: When the database reaches its disk space threshold (2GB), events are kept on the Correlation Unit until space is freed on the Analyzer server.
Note: If there is not enough available disk space on the machine, move $RTDIR/events_db/events.sql to another machine.
SmartCenter HFA 01
00354791 Analyzer: If a report generation is interrupted, performance of the SmartCenter server is affected. SmartCenter HFA 01
00354950 Analyzer: Event Details for custom events is sometimes empty.
Resolution: After installing this HFA, redefine the custom event.
SmartCenter HFA 01
00355618 Analyzer: If a dynamic update does not succeed, there is no notification. SmartCenter HFA 01
00361659 Analyzer: Old events appear in the current database, instead of being moved to history files. SmartCenter HFA 01
00363051 Analyzer: When handling many customers and thousands of objects, object database synchronization may not complete. SmartCenter HFA 01
00351797 Reporter: Consolidation Sessions status may sometimes be displayed as Aborted, if many simultaneous sessions attempt to clean connections from the same table (also relevant for fewer sessions, if the database is still initializing when the attempts are made).
Error message in lc_rt.log: "Lock wait timeout exceeded; Try restarting transaction".
SmartCenter HFA 01
00363210 Reporter: Consolidation Sessions status may sometimes be displayed as Aborted, if many simultaneous sessions attempt to access the same Database table for a long time.
Error message in lc_rt.log: "Database did not respond for 600 seconds, stuck with <number> items in the queue".
SmartCenter HFA 01
00348712 Reporter: The Rule Base Analysis Report may sometimes provide the incorrect rule index or a value of Unspecified. SmartCenter HFA 01
00350756 Reporter: If values are added to a report filter from the User (Abbreviated) option, the reports are still not filtered by user. SmartCenter HFA 01
00350964 Reporter: The Integrity Event Type filter needs more predefined options.
Resolution: This filter type has been enhanced to include SmartDefense and AntiVirus; and the IM secure filter has been renamed to IM Security.
SmartCenter HFA 01
00355459 Reporter: The value of the Integrity Event Type filter in the Summary Report is sometimes incorrect. SmartCenter HFA 01
00350972 Reporter: The Action filter for Blocked Programs Report does not include a drop action.
Resolution: The 'Endpoint Security' > 'Blocked Programs Report' > 'Filter' window now includes a new predefined 'Drop' action.
SmartCenter HFA 01
00351795 Reporter: Status notifications for Consolidation Sessions are N/A during the time that incomplete records from previous sessions are being deleted.
Resolution: Consolidation Session status notifications now include the new status of 'Previous Session Cleanup'.
SmartCenter HFA 01
00352816 Reporter: The 'Endpoint Security > Firewall Events Report' is filtered incorrectly, if filtered by source or destination, where the value of one of these filters includes a string with white space. SmartCenter HFA 01
00355460 Reporter: When sorted by number of attacks, the Top Security Attacks section in the 'Cross Products Security > SmartDefense Detailed Attacks Report' is incorrectly sorted. SmartCenter HFA 01
00363212 Reporter: When the database is full (has less than 500MB free), a Consolidation Session may stop.
Resolution: When the disk space threshold is reached, the session pauses and then automatically resumes when more space is available (after automated maintenance or manual cleanup of disk space).
SmartCenter HFA 01
00379287 Reporter: If attempting to configure a new log consolidation session in Eventia Reporter, and the Log server has more than fifty log files, only some of the log files may be seen in the sequence; sometimes none can be seen. SmartCenter and Log server HFA 30
00416690, 00435203 Reporter: New permissions have been added so that only a Provider-1 superuser and Provider-1 Customer superuser can log into Eventia Reporter. This ensures that when the Eventia Reporter server is configured as a global object of the MDS, customer managers have no access to the private data of other customers. Dedicated server HFA 50
00432523, 00432506, 00450008 Reporter: The Log Consolidator process now ignores log entries with erroneous dates. Erroneous dates are defined as later than the current date or earlier than the current date minus a defined interval (360 days by default). These dates may be generated by endpoint computers with date and time values incorrectly defined. The ignored log records are stored in: $RTDIR/log_consolidator_engine/log/<IP>/ignored_records.txt and can be viewed by opening this file in a text editor.
For details on modifying the defined interval, refer to sk42348.
SmartCenter or dedicated server HFA 50
00420559, 00420557, 00418195, 00428353, 00441382 Reporter: Improved stability of log consolidation when DNS resolving is enabled. SmartCenter or dedicated server HFA 50
00438766, 00437000, 00440736, 00493460 Reporter: Automatic scheduling of more than 100 reports is now supported. SmartCenter or dedicated server HFA 50
00414024, 00380084, 00422998, 00428436, 00450025 Reporter: Improved stability of the log consolidation process. SmartCenter or dedicated server HFA 50
00409369, 00408795, 00411164, 00428464 Reporter: Improved performance of the Database Automatic Maintenance process. SmartCenter or dedicated server HFA 50
00440732, 00431255, 00440743 Reporter: Improved the stability of the Database Automatic Maintenance process to recover after a failure (for example, after a server reboot). The maintenance process will restart automatically after a short period of time following a failure. SmartCenter or dedicated server HFA 50
00440731, 00431256, 00440742 Reporter: Improved stability of consolidation, as log files deleted from a log server no longer appear in the list when creating a new custom consolidation session or starting the consolidation from a "selected file in the sequence". SmartCenter or dedicated server HFA 50
00441496, 00429663 Reporter: Improved stability of log consolidation as references to objects that were deleted from the management database no longer remain on the Eventia Server. Dedicated server HFA 50
00444564, 00438300, 00442123 Analyzer: Improved stability of the Eventia Analyzer server when collecting a large amount of debug information, in some instances as a result of a Check Point Support request. Analyzer Server HFA 50
00495737, 00494981, 00495741 Eventia Analyzer. Improved object attribute handling fixes an error that caused the "syslog -r" command to fail on certain objects. Eventia Log server HFA 60
00496458, 00426047, 00495927, 00496459 Eventia Reporter. Improved file handling enables large tables (greater than 2.5GB) to be re-imported. Eventia Reporter HFA 60
00495785, 00494733, 00495788, 00504736 Eventia Reporter. Improved handling of MIME connections enables reports to be emailed with IronMail. Eventia Reporter server HFA 60
00495468, 00494814 Eventia Reporter. Added support for long (more than 22 characters) name for log servers, resolving an issue that blocked the cpWatchDog process from starting. Eventia Log server HFA 60
00436786, 00436755, 00436785 Analyzer: Automatic archiving of large history files when Database Maintenance is enabled now succeeds. SmartCenter HFA 50
00506387, 00423093, 00428461 Additional information added to report generation logs. Eventia Reporter servers HFA 70
00518676, 00517121, 00518679, 00444817, 00444569, 00450114, 00526422 Improved synchronization between Provider-1 and Eventia databases. Eventia servers HFA 70
00519449, 00518516, 00519451, 00520397, 00526220 Improved stability in Eventia Analyzer server process. Eventia servers HFA 70
00510205, 00498197, 00510207 Improved stability in Eventia Reporter when running many consolidation sessions. Eventia Reporter servers HFA 70
00448019, 00447456, 00450107 Improved stability in synchronization between management and Eventia databases. Eventia servers HFA 70
00502477, 00498940, 00502480, 00503585, 00511945 Improved stability in generation of Rule Base Analysis report with "Active Policy Analysis" and "Per gateway" checked. Eventia Reporter servers HFA 70
QoS
00355336 When selecting a specific interface (instead of 'all interfaces') from the 'Install On' tab in SmartDashboard, QoS rules do not appear in SmartView Monitor. SmartCenter HFA 01
00360675 QoS policy installation fails with the following message: "no valid floodgate-1 license". Gateway HFA 01
00374521, 00336499, 00337523, 00337527, 00368535, 00374380, 00430889, 00376268, 00436077 When there is no connectivity to the SmartCenter server, running fwgate fetch localhost on the gateway now retrieves the local QoS policy. Gateway HFA 50
00377433, 00377402, 00415259, 00431349, 00431432, 00443930, 00447133, 00494109 Improved resource allocation for URI solves memory leak issues. Gateway HFA 50
00371564, 00371308, 00496955, 00372991, 00373086, 00431422, 00443929, 00415258, 00494107, 00494735 Improved ability to determine whether a connection is transferred on an active/inactive QoS interface prevents memory leaks when transferring an ftp connection on an interface that is not configured with QoS. Gateway HFA 50
00448638, 00448553, 00448637, 00498469 When verifying a Traditional QoS policy that includes a DiffServ rule, and there is an Edge object with QoS enabled, the following error was displayed:

"Traditional QoS policy cannot contain VPN-1 UTM Edge/Embedded Gateways. Instead please use Express QoS policy."

This was a false error and is now no longer shown.
MDS or SmartCenter server HFA 60
Platform Specific
00364648 Nokia IPSO 4.1: A policy configured to activate an HTTP, FTP, or EMAIL Security Server may prevent such legitimate traffic on IPSO 4.1 machines. Gateway HFA 01
00351232 SecurePlatform: The following error occurs when using the hostname command to set the machine host name when not in the expert mode:
"/bin/config: error while loading shared libraries: libscis.so: cannot open shared object file: No such file or directory".
Gateway, SmartCenter HFA 01
00362347 SecurePlatform: DHCP relay daemon fails to start, producing the following error message: "DHCP Relay can't be started". Gateway HFA 01
00370878 SecurePlatform: Potential local privilege escalation by a legitimate administrator with restricted (cpshell) rights. For more information, please refer to sk33639. SmartCenter/MDS, Gateway HFA 02
00369782 VPN-1 UTM Edge: VPN-1 UTM Edge Firmware 7.5.29 is now supported. SmartCenter HFA 02
00373367 VPN-1 UTM Edge: Installing Build 006 of R65_HFA 02 may cause policy installation failures on VPN-1 UTM Edge. SmartCenter HFA 02
00373547 SecurePlatform: Installing the Edge_cmp package with the WebUI on a SecurePlatform machine fails. SmartCenter HFA 02
00422242 SecurePlatform: Net-snmp monitoring may fail under certain circumstances.
Resolution: New SNMP monitoring agent added.
SmartCenter HFA 40
00431088 VPN-1 UTM Edge: New support for firmware 8.0 (including libsw 8.0.34). SmartCenter HFA 40
00446704, 00446709 VPN-1 UTM Edge: Before installing a policy on an Edge device, it is no longer necessary to select VPN in the products list on the General Properties page of the Edge object. Even though VPN is not selected for the Edge object, the policy will be installed successfully. SmartCenter HFA 50
00437851, 00437914, 00438673 VPN-1 UTM Edge: Installing a policy on a large number of VPN-1 UTM Edge devices managed from SmartDashboard succeeds consistently. SmartCenter HFA 50
00412628, 00411722 VPN-1 UTM Edge: Improved the verifier code to enable successful policy installation for a policy that included two VPN-1 UTM Edge devices configured as backup gateways for each other, each with two external interfaces. Previously, a verifier warning appeared: "The VPN-1 UTM Edge object <edge_device_1> has VPN-1 UTM Edge object <edge_device_2> selected as its backup Gateway, but they do not have the same encryption domain." SmartCenter HFA 50
00499131, 00426246 SecurePlatform: New minimum and maximum values for the time zone counter have been updated in the Web User Interface. On the Device Date and Time Setup page, the time can now be set to minus twelve or plus thirteen hours GMT.
The time zone settings in sysconfig have been updated to the latest available.
Gateway HFA 50
00368586, 00368274, 00410324 SecurePlatform: Improvements made to the backup process ensure that all memory and resources associated with the process are now released after performing a backup using the Web User Interface. Gateway HFA 50
00373925, 00373131, 00383557, 00405667, 00421147 SecurePlatform: mdsbackup files larger than 1GB can now be successfully restored. Gateway HFA 50
00441785, 00441202 SecurePlatform: When configuring VLANs with DHCP relay enabled on some of them, the VLAN interfaces are no longer duplicated on the DHCP relay menu. Gateway HFA 50
00369207, 00369144, 00373060, 00377107, 00408320, 00409037, 00421156, 00445319 SecurePlatform: When using the cpbackup command with the -f (file path) option, a backup file with a custom filename is now created. Gateway HFA 50
00427471, 00427375 SecurePlatform: When using the cpbackup command with the -f (file path) option, the backup file is now copied to the directory specified by the -f option. Gateway HFA 50
00448383, 00447928, 00448173 SecurePlatform: When an HFA package is installed, appliance interfaces are no longer remapped on NGX R65 appliances that have been upgraded from earlier versions. Gateway HFA 50
00463822 SecurePlatform: R65 HFA 50 can be installed on both SecurePlatform 2.4 and 2.6. Gateway HFA 50
00464335, 00464252 SecurePlatform: Enhanced password handling fixes truncated passwords, which happened when using SCP or FTP backup. Gateway HFA 60
00494933, 00467170 SecurePlatform: Improved SecurePlatform SSH commands so that IP address changes persist correctly. Gateway HFA 60
00462732, 00450357, 00502325, 00503381 SecurePlatform: When creating a backup file, if the command includes a -path flag but not a filename, the default filename is appended, ensuring that the backup file is created. Gateway HFA 60
00435672, 00435536 SecurePlatform: SCP backup passwords may now contain a zero (0) character in any place. Gateway HFA 60
00495973, 00192811, 00362754, 00420292 IPSO: Increased outgoing buffer size for UDP sockets (to 64K) fixes errors with IKE on MM packet 5 and 6. Gateway HFA 60
00465626, 00494796, 00497696, 00504727, 00506266, 00507940, 00507941, 00508063, 00520943, 00521293, 00527961, 00527108 SecurePlatform: Fixed memory leak, which caused FWM to crash and GUI clients to disconnect. Gateway HFA 70
Performance Pack
00422058, 00417266, 00498586 Improved SecureXL notifications to the firewall resolve a connectivity issue that occurs when the Sequence Verifier is enabled together with the Aggressive Aging mechanism.
Implementation: An immediate workaround is to disable either the Sequence Verifier or the Aggressive Aging mechanism.
Gateway HFA 50
00378310, 00409165 Modifications made in the replay_window calculation algorithm resolve the intermittent disconnection of VPN between an R65 gateway and another R65 or Edge gateway when acceleration is enabled. Gateway HFA 50
00443702, 00443074, 00466281, 00466507 Improved the fwaccel stat command output for accurate display of accelerated connection information. Gateway HFA 60
VoIP
00447938, 00445389, 00445541, 00446481 Improvements to packet handling fix a "Malformed SCCP packet - Invalid Reserved field" error and correctly pass SCCP packets. Gateway HFA 60
00508897, 00410142, 00527894 Improved support for the VoIP H.323 protocol for use with Avaya Communication Manager (ACM).

The endpoint normally initiates the H.323 (H.225) TCP connection to the Gatekeeper or server. In scenarios where the Gatekeeper initiates the TCP connection to the endpoint, set the global parameter h323_gk_init_tcp_conn, by running the command fw ctl set int h323_gk_init_tcp_conn 1. Note that when running Avaya Communication Manager (ACM), the TTS (Time to service) feature may be enabled by default. When TTS is enabled, the Gatekeeper initiates the TCP connection to the endpoint, and so the h323_gk_init_tcp_conn parameter must be set.

For more instructions on how to set a global parameter, refer to sk26202.
Gateway HFA 70
00506718, 00446366, 00448023, 00449051, 00503185, 00506567, 00506718 IPv6 Neighbor-Advertisement packets are no longer dropped by the firewall as Out of State ICMPv6 packets. Gateway HFA 70
00404877, 00506253, 00506254 The firewall can be configured to allow a SIP (Session Initiation Protocol) connection to continue despite receiving a SIP CANCEL request by setting the kernel parameter sip_accept_session_after_cancel to 1. Gateway HFA 70
SSL Network Extender
00361150 SSL Network Extender now supports FIPS. In the FIPS mode, only TLS is available and SSL v3 is disabled. Gateway HFA 01
00409360, 00365404, 00381022, 00429957, 00434686, 00444403, 00444899, 00464486 SSL Network Extender now recognizes the "5 user" license as a valid license to connect to the SSL Network Extender page. Gateway HFA 50
00450332, 00445014, 00450334, 00464487, 00467062 With multiple SSL Network Extender licenses for five users installed on one MDS, the total number of allowed users is now calculated correctly. MDS, SmartCenter server and Gateway HFA 60
00496949, 00448958, 00496973, 00497118 With multiple SSL Network Extender licenses for five users installed on one MDS, the total number of allowed users is now calculated correctly. Gateway HFA 60
00507785, 00509916, 00509917, 00509918 Improved stability in policy installation after the gateway has made multiple LDAP requests. Gateway HFA 70
SmartView Monitor
00467171, 00506995, 00521534, 00533677 Modules running Solaris ZFS file systems do not show disk space usage in SmartView Monitor. Gateway HFA 70
00511458, 00517867, 00522370 Enhanced SNMP monitoring of CPU Idle time. Gateway HFA 70
00363993, 00442656, 00508628, 00508630, 00508631 Connectra users are promptly removed from the list of connected users in SmartView Monitor after they disconnect. Gateway HFA 70
00432800, 00256749, 00434161, 00441857, 00494101, 00523645, 00523979, 00502612, 00503221, 00503295, 00505487, 00511182, 00518623, 00519478, 00522561, 00522803 More precise monitoring of CPU usage with SmartView Monitor on multiprocessor systems running SecurePlatform 2.6. Gateway HFA 70
Anti-virus
00369862, 00427172 When performing an Automatic Update for Anti-Virus updates, issues with memory may result. SmartCenter HFA 40
00409468, 00408512 An anti-virus scan is performed on all HTTP traffic. Scanning only specific IP addresses requires configuration on the Content Inspection > Anti-Virus > HTTP page. Gateway HFA 50
00445265, 00444823, 00466238, 00466240 Anti-virus, with HTML file type set to Pass, has been improved to ensure that sites using HTTP 1.1 (chunked headers) function properly. Gateway HFA 60
00442634, 00442431, 00495461, 00502525, 00503182, 00467069 Improved license handling, to resolve an issue that occurred with multiple licenses, when one enabled Anti-virus and another did not. MDS and SmartCenter server HFA 60
00495737, 00494981, 00495741 Eventia Analyzer. Improved object attribute handling fixes an error that caused the "syslog -r" command to fail on certain objects. Eventia Log server HFA 60
00496458, 00426047, 00495927, 00496459 Eventia Reporter. Improved file handling enables large tables (greater than 2.5GB) to be re-imported. Eventia Reporter HFA 60
00495785, 00494733, 00495788, 00504736 Eventia Reporter. Improved handling of MIME connections enables reports to be emailed with IronMail. Eventia Reporter server HFA 60
Miscellaneous
00355718 VND VLAN interfaces on Crossbeam machines running XOS suffer from acceleration stability issues.
Resolution: This HFA resolves support issues with VND. To ensure stability on XOS platforms, set sim_vnd_route=1 in the simkern.conf file.
Gateway HFA 01
00350940 SecureXL: Dead Loop messages in the log.
Resolution: Enhancements to processes and filtering fix most of the Dead Loop instances. If it persists, set sim_cflush_outbound=0 in the simkern.conf file.
Gateway, SmartCenter HFA 01
00343981 VPN-1 VSX: The fw stat command may fail in certain scenarios. SmartCenter HFA 01
00421083 Easy installation of HFA on gateways using SmartUpdate. Gateway, SmartCenter HFA 40
00444874 Web Filtering: This HFA improves the coverage and performance of Check Point's URL Filtering engine, focusing on hazardous and malicious websites. Gateway HFA 50
00375553, 00371285, 00380532, 00403450, 00438948 VPN-1 Power VSX: Static routes are now automatically recreated with new interface names after changes have been made to an interface name (normal or VLAN) and the next hop is in the same subnet as the VS interface. SmartCenter HFA 50
00437513, 00435716, 00445880, 00448917 UTM-1: The Gateway now ensures that large files that were previously downloaded are not scanned again. This reduces the number of required scans and prevents the scanning mechanism from overloading and dropping packets. Gateway HFA 50
00440838, 00439588 It is now possible to install an HFA on top of an installation if the path with the FWDIR variable contains a space character. Gateway, SmartCenter HFA 50
00374568, 00368079 Policy Server: When a SecureClient for Mac OSX connects to a Policy Server that does not have a "SecureClient for Macosx" license, the SmartView Tracker will now log the "Mac license is limited to 0 users" error only once per Mac OS user connection, rather than every ten minutes. MDS HFA 60
00496720, 00494943, 00496722 SMTP Security Server: Firewall now passes the Temporary SMTP error code 402 which is used by greylisting. This allows users to send mail to a site whose mail server uses greylisting for Anti-spam. Gateway HFA 60
00374568, 00368079 Policy Server: When a SecureClient for Mac OSX connects to a Policy Server that does not have a "SecureClient for Macosx" license, the SmartView Tracker will now log the "Mac license is limited to 0 users" error only once per Mac OS user connection, rather than every ten minutes. SmartCenter server HFA 60
00467162, 00465493 SecureXL: Resolved connectivity issue with Performance Pack and interfaces with non-equal MTU size. Gateway HFA 60
00374443, 00369981, 00374435, 00374441, 00383500 Authentication: When using partially automatic client authentication and when the Primary ISP link is down, the client can still get authenticated. Previously, the client received a "The page cannot be displayed" message in the browser when attempting authentication. Gateway HFA 60
00449966, 00449183, 00449969, 00463798, 00501246 SmartProvisioning: Gateway status on SmartProvisioning is now correct, fixing an error that may appear after installing HFA_30, that displayed "Needs Attention" for gateway status when it should have displayed "OK". SmartCenter server HFA 60
00509491 Gateway Protection: In response to the Sockstress TCP DoS vulnerability, this HFA provides a comprehensive protection for Check Point Security Gateways and the resources behind them. See sk42723. Gateway HFA 60
This solution is about products that are no longer supported and it will not be updated
