R71.20 Known Limitations
Solution

This article lists all of the known limitations of R71.20.

This is a live document that may be updated without special notice. We recommend registering for our weekly updates in order to stay up to date. To register, go to UserCenter > My Profile > My Subscriptions.

Important notes:

For more information on R71.20, refer to R71.20 Release Notes, Check Point R71.20 and to R71.20 Resolved Issues.

Note: A valid support account is needed in order to access these solutions.


ID Symptoms Integrated In
Management Installation
00589182 After R71.20 uninstall, the CPSG80 compatibility package is not uninstalled, although the uninstall application says it is.

Workaround

To remove the CPSG80 compatibility package, do one of the following:

Option 1 (via Voyager):

  1. Connect to your machine via Voyager.
  2. Under 'Configuration > System Configuration > Packages > Manage Packages', uncheck the "Enable" checkbox of "CPSG 80 Series compatibility package R71.20".
  3. Click "Apply".
  4. Go to the Delete Packages tab and select the "Delete" checkbox of "CPSG 80 Series compatibility package R71.20".
  5. Click "Apply".

Option 2 (via Command Line):

  1. Connect to your machine via command line.
  2. Run the command: echo y | newpkg -D CPSG80CMP-R71.20-00
  3. Run the command: echo y | newpkg -u CPSG80CMP-R71.20-00
-
SecurePlatform
00590137

Unable to configure External Interface IP.

Workaround

Requirements

  • The commands in the following procedure must be run in Expert mode.
  • The new version of the shared object is placed in the home directory of user admin.

Steps

  1. Stop CP WebUI backend execution. Run:
    # cpadmin stop
  2. Save current working version of shared object. Run:
    # cp $CPDIR/lib/libscis.so $HOME/libscis.so.orig
  3. Replace current version of shared object with new version (libscis Shared Object). Run:
    # cp $HOME/libscis.so $CPDIR/lib/libscis.so
  4. Start CP WebUI backend execution. Run:
    # cpadmin start
-
00623367 Bond is restarted even if there were no changes and the configuration was only accessed for viewing via sysconfig. -
01041690 Scheduled backup is overriding the file name. -
IPSO
00628910 'cpstat -f memory os' command displays incorrect amounts of real memory in IPSO6 machine. -
Security Gateway
Kernel

00743695,
00746586

MGCP packets with Response Code 100 are dropped by Security Gateway (...dropped by fw_early_sip_nat Reason: failed to get MGCP ports). Refer to sk66295. -
00892157,
00901702,
00901703,
00901704,
01180205,
01380337,
01382269,
01420384
  • 'snmpwalk' command for OID .1.3.6.1.4.1.2620.1.6.7.5.1.7 returns zero values for the number of interrupts per second
  • SmartView Monitor shows wrong (very low) CPU utilization on Security Gateway.
  • Output of 'cpstat -f cpu os' command on Security Gateway shows wrong CPU utilization.
Refer to sk101359.
R75.46,
R77.10
00732936,
00733468,
00733481,
00733485,
00787576,
00827602
Querying SNMP OID .1.3.6.1.4.1.2021.4 (memory statistics) returns incorrect results. Refer to sk42811. -
Services
00623627 DTPS process crashes (Segmentation fault). -
Mail Security
00759037, 00759572 Mail attachment with a long name gets stuck in the spool directory. -
Security Servers
00744878, 00746573 User Authority stops working occasionally due to in.asessiond crash. -
Security Policy
00557967 When you create a rule with an SMTP resource and send emails, an mdq core is created and the emails are not sent. -
00655975 DCERPC traffic is being rejected. UUID is not allowed through the Rule Base. -
00658755, 00659784 DCOM drop, incorrect DCOM response parsing. -
00938195 Mobile Access policy install never seems to happen on the gateway. R75.46,
R77.10
NAT
00645579 No replies from vip once Hide NAT is configured. -
URL Filtering
00623360 When using the "Enhance UFP performance" feature, the URL is not sent to the server. If the "Stream Inspection Timeout" protection is enabled, you will see a log in SmartView Tracker. -
Abra
00570368

The Abra policy cannot be edited on non-English operating systems. Refer to sk52483.

-
IPSec VPN
00626280 When the customer has disabled the use of the largest possible subnet support (not the default) and additionally has NAT disabled in the community that the gateway is a part of, host to host tunnels are created, instead of subnet to subnet tunnels. -
00650516,
00650833,
00651034,
00747901,
00764475,
00769709,
00771880,
00781370,
00815972,
00915364,
01050231,
01050937,
01134027,
01147726,
01149010,
01287518,
01287519,
01306242,
01410617,
01410840,
01444107,
01448417,
01452593
IKE Phase 1 with DAIP device fails after IP address of DAIP device was changed.
Refer to sk101911.
-
00881969, 00888288 There is no audit when a Shared-Secret key is changed in a VPN Community object property. R77.10
01298072 Gateway is offering host to host IKE S2S negotiation despite being configured with gateway to gateway. -
SSL VPN
00631901 Additional protection level for SSL VPN native application is not applied if the application is set to launch automatically. The application will be launched but the link will be grayed out. -
00747207, 00750474

A user connected to the SSL VPN gateway from PC "A" that is compliant. The compliance check test, launched from the portal, determined that the user is compliant and can access a native application, using SNX. The same user disconnects and then connects to the SSL VPN gateway from PC "B" that is non-compliant. Although PC "B" is scanned and found non-compliant, this user can still access the native application.

Contact Check Point Support to get a Hotfix for this issue. A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.

R75.30
IPS
00659174, 00661055 Cross-Site Scripting defense false positives. -
00758733, 00760610 IPS does not detect MS03-026. -
00759886, 00760889 Quick UFP causes Block HTTP Non Compliant error when accessing legitimate websites. -
Security Management
Infrastructure
00657885,
00658420,
00658372,
00658419,
00737684,
00780887,
00817009,
00820673,
00822584,
00864186,
00886996,
01038252,
01383912
$CPDIR/log/cpd.elg file is filled with these messages:
  • Unable to open '/dev/fw0': No such file or directory
  • fw_kbuf_allocate: ioctl(FWKBUF): No such file or directory
Refer to sk65276.
R75.40
01097682, 01100076 "cpsemd ver" command crashes with Segmentation fault. R75.47,
R77.10
SmartProvisioning
00590548

In R71.20, creating a new SmartLSM Cluster object in the SmartProvisioning GUI fails with the following error message: "Error on adding new device: No SmartLSM Security Cluster Profile found", even though a SmartLSM Cluster Profile object is defined in the SmartDashboard.

Workaround:

On the Security Management /CMA:

  1. Run: 'cpstop', or 'mdsstop_customer <CMA_Name>'
  2. On Provider-1, run: 'mdsenv <CMA_Name>'
  3. Replace $FWDIR/conf/provision_db.conf with Provisioning Configuration File.
  4. Make sure that the file has the appropriate permissions. Run: chmod 770 $FWDIR/conf/provision_db.conf
  5. Run: 'cpstart', or 'mdsstart_customer <CMA_Name>'
-
00613299 Update Selected CO Office Gateway crashing SmartProvisioning GUI. -
00636495 Cannot select Sofaware firmware for X-Series and W-Series Edges in SmartProvisioning. -
00642278 Changing bridge mode configuration in Provisioning Edge profile doesn't save the change in the database. -
00633190 In the summary view of the SmartProvisioning GUI, the number of configured profiles is always incorrect by -3. -
00763327 LSMcli does not create default edge interfaces in the "prv_configs" table, when creating a new Edge object. -
SmartDashboard
00593129

After upgrading to R71.20, when you access the IPSec VPN Blade tab on a Check Point Host object in SmartDashboard, the VPN Clients page does not appear.

Note: Since the Standalone type is a host and not a gateway, this issue also occurs on it.

Workaround:

  1. On the SmartConsole machine, close SmartDashboard and any other SmartConsole application.
  2. Browse to the Program directory, under the SmartConsole Installation Directory. For example, on Windows XP, if you used the default installation path, the directory is located in C:\Program Files\CheckPoint\SmartConsole\R71.20\PROGRAM
  3. Download and extract the VPN Clients page display fix and replace the current CPObjects.dll file in this directory with the new DLL file.

When you now access the IPSec VPN Blade tab, the VPN Clients page should appear.

-
00595833 Unable to edit ESOD policies. -
00597576 In SmartDashboard, in SCS object properties, when you deselect the "Dynamic Address" checkbox, the change does not remain. -
00613728 No option for re-direct logs for IPS Sensor objects in R71 or R71.20 SmartDashboard. -
00622309 Under IPSec VPN the "Remote Access" tab and "VPN Clients" tab are missing for VS-Cluster. -
00626999 When SmartView Tracker starts, you see gtar window popup for a few seconds and then it disappears (only on Windows 7 32-bit and 64-bit). -
00630349 SmartConsole crash when editing cluster object. -
00627338 "An invalid argument was encountered" popup error appears instead of a tool tip, when hovering the mouse over a group object in SmartDashboard. -
00670408 SmartUpdate > "Get Gateway Data" not working on a VSX object. -
00622309 "Remote Access" tab and "VPN Clients" tab are missing for VS-Cluster. -
00633201 Where Used dialog box does not come up again, if the Network Objects dialog box closes before the Where Used dialog box. -
00656078, 00656753 In R71.30 SmartView Tracker, if you right-click on "Current Rule Number" field, GUI crashes. -
00764238, 00767336 SmartDashboard hangs when browsing AD groups in LDAP group properties. -
00528574 After establishing SIC or during policy verification, you might get an error message: "Incorrect reply from server. Command: private-db-dirty-check."
The message can be ignored. Refer to sk44508.
R75
Provider-1
00522683 In Provider-1 environments that use either standalone log servers or Security Management backup servers, R71.20 should be installed on all MDSs, Log servers and Security Management servers. In addition, the minor version needs to be activated on the CMAs/CLMs. -
00600992 R71 SmartDashboard rejects the ~ as an illegal character. This prevents configuring different Encryption Domains for different User Groups. -
Analyzer
00648997 When you click on 'R71 SmartEvent > Policy > Virus Alert > Right Click Virus Found > Properties > Filter Tab', Analyzer GUI crashes. -
Reporting Tool
00639626 When Reporter is installed on WIN, any attempt to open a report from GUI fails, and an error message appears: "unzip operation failed (E90070)". -
00650645 Reporter Consolidation session status becomes "Aborted". -
00878295 Cyrillic characters from WinEventToCPLog installed on Russian Windows appear as gibberish. -
This solution is about products that are no longer supported and it will not be updated
