This article lists all of the R75 specific known limitations.
This is a live document that may be updated without special notice. We recommend registering for our weekly updates in order to stay up to date. To register, go to UserCenter > ASSETS / INFO > My Subscriptions.
The $CPDIR/tmp/ directory is filled with CKP_mutex::_opt_CPsuite-R75_40_fw1_log__blob.. _blob files.
-
01394107
Problem setting speed/duplex manually. See sk100285.
-
Identity Awareness
00591269
When AD Query identifies a machine account with its IP address but does not identify the user account, the user will not be redirected to the captive portal for authentication. If the user locks and then unlocks Windows, they will reauthenticate to AD and Identity Awareness will identify the user account.
To avoid this situation, configure AD Query in SmartDashboard to not identify machines.
-
00592404
Identity Awareness supports authentication of AD users, user groups, organization units. In addition, you can define LDAP groups with more advanced filtering. Identity Awareness does not support authentication of Primary Groups of user and computer accounts. By default, the Primary Groups are 'Domain Users' and 'Domain Computers'.
-
00609209
When an HTTP proxy is deployed between users and the Security Gateway, the security Rule Base associates users' HTTP traffic with the HTTP proxy IP. The security Rule Base does not identify the correct endpoint IP.
For the Application Control policy to correctly associate users' http traffic with the endpoint IP, configure the proxy to add the X-Forward-For attribute and set this option in the Identity Awareness settings page.
-
00570041
When you deploy a cluster in bridge mode, the bridge cannot acquire identities. You need to deploy another gateway to acquire identities and have it share identities with the cluster bridge. For more information, see the Advanced Deployment section in the Identity Awareness Administration Guide.
-
00594919
When a gateway gets identities from another sharing gateway, it opens a connection to the sharing gateway's main IP address. To change this to a different IP address, use dbedit or GuiDbEdit. Edit the "ia_control_connections_ip" attribute and set it to the required IP address of the sharing gateway.
-
00609230
When you have 2 or more users with identical user names, each user should log in to the Captive Portal or Identity Agent using domain\user as their user name.
-
00614676
To support non-English user names on a Security Gateway enabled with Identity Awareness, you must set an attribute. Use dbedit or GuiDBEdit tools to set the SupportUnicode attribute to true on the LDAP Account Unit object. The LDAP Account Unit object is found in the Servers table. Note: On R75.10 and forward this can be edited via the LDAP Account unit page in the SmartDashboard. You do not need to set this attribute when Identity Awareness is enabled on the Security Management Server or Log Server.
-
00535154
On IP Series appliances, when you use access role objects in the security policy, SecureXL templates are disabled.
When you use access role objects in the Application Control policy, SecureXL templates are not disabled.
-
00597462
For AD Query to work, WMI is used. WMI uses DCOM to communicate with the AD domain controllers. A high port (>1024) is used for the communication.
In some rare cases, the chosen high port conflicts with other applications used on that port. This conflict can result in the Firewall and IPS identifying the WMI traffic as a non-compliant application trying to traverse the high port. When this happens, you have two options:
If WMI traffic is blocked by IPS - manually add exceptions to the IPS protections which cause the blocks. If the Firewall is causing the blocking, add a rule allowing 'any','all-dce-rpc' and 'x11' between the gateway and the domain controllers.
Alternatively, you can change the high port to a different port on the domain controller. See Microsoft documentation on how to change the RPC port range.
-
00614609
When SmartDashboard runs on a computer that is a member of an AD subdomain and you use the Identity Awareness wizard to configure the subdomain, you must:
Use an Enterprise administrator account. The administrator name must be entered as domain\user.
For example if the domain name is ACME.COM and the subdomain is SUB.ACME.COM, then for Enterprise administrator John_Doe, enter ACME.COM\John_Doe.
After the wizard completes, go to the LDAP Account Unit object, enter the administrator's login DN, and edit the branch base to the subdomain (DC=SUB,DC=ACME,DC=COM).
-
00833323
IDA does not work with SecureXL drop templates.
-
00633171
Enabling Identity Awareness when two cluster members have the same IP address for sync causes verification failure during Policy Installation.
-
00739844, 00732496
DCE-RPC traffic with alter context is dropped.
-
00831161, 00832375
Wrong access time displayed for specific user in the Captive Portal.
Traffic to the Web Server object is dropped if the Web server static NAT IP address and NAT translation in manual NAT rule are equal.
-
00783984, 00827496, 00829162, 00829966
Cannot log in with AD credentials after the Captive Portal timeout expires.
-
00760574, 00758149
On SecurePlatform or IPSO with Identity Awareness enabled, this incorrect message sometimes shows in the log $FWIDIR/log/pepd.elg: "_fwnac_ioctl_call: IOCTL failed".
When deploying UserCheck on users' desktops, make sure that Network Address Translation (NAT) on source IP is not applied on the HTTPS and UserCheck (port 18300) traffic from users' desktops to gateways with the DLP blade enabled.
-
00559128
DLP software blade cannot run on a gateway that uses an SMTP resource.
-
00258861
When the DLP Blade scans FTP traffic, and the FTP username contains the "@" character, the authentication fails. To make it possible for those users to authenticate, inform them that they must replace "@" with "@@" when they authenticate. For example, user "jon@doe" must authenticate with username "jon@@doe".
-
00574017
The IP addresses for user portals (Identity Awareness, Data Loss Prevention, Mobile Access, and SecurePlatform) must be different from the IP addresses to which the Endpoint Connect clients connect. For example, for the DLP portal, you can use the IP address of an internal interface.
-
00602864
When using the same username for two users: a user that is manually defined by the administrator in SmartDashboard and an AD/LDAP user:
The administrator must configure the same Email address for both users, so that the person with that email address will be able to view all their quarantined emails.
The person that is logging in to the DLP portal or the UserCheck client must use the password of the user that is manually defined by the SmartDashboard administrator.
-
00522857
TLS-encrypted SMTP connections and HTTPS connections are not scanned by the DLP Software Blade. The connections are allowed.
-
00570194
The UserCheck client is not compatible with Mobile Access Secure Workspace. If a UserCheck client is installed on a machine and a DLP violation occurs, the UserCheck client notification shows outside the Mobile Access Secure Workspace. We recommend that you do not install the UserCheck client on a machine that usually runs Mobile Access Secure Workspace.
-
00573071
An error message displays during policy installation if an illegal word is entered in one of these data types: Key Words, Patterns, Weighted Words, or Dictionary. If the word is not in ASCII or UTF-8 encoding, the word appearing in the error message is not readable.
-
00640349
In a cluster environment, keep the default value 'DLP Blades' of the 'Install On' field in a DLP rule. Changing the value of the 'Install On' field in a cluster environment is not supported.
The identified hosts leak the web server software name and version details in HTTP responses.
-
Application Control
00591010
The Application Control log may contain an empty machine name field because the log is an aggregation of application traffic, also called a session. The machine name represents the last known machine which generated the traffic.
-
For Skype detection in Check Point R75, refer to sk60940.
-
00624397
If you select "When a request is blocked, redirect to the following" for an application and Application Control is configured to block the "Web Browsing" application, the redirect is blocked.
Security Management crashes when policy installation fails on Security Gateway 80.
-
01595095, 01596558, 01595254
'$' character is not allowed in Cisco router password. Refer to sk105038.
-
SmartEvent and SmartReporter
00574244
When upgrading to R75 on a Solaris platform that did not have the Reporting software blade installed, Reporting will not be available until you complete the following procedure:
Run evconfig to enter the SmartEvent Configuration wizard.
Choose Correlation Unit or SmartReporter.
Reboot.
-
00623993
After you enable SmartEvent or SmartEvent Intro, scheduled SmartEvent Reports do not run until you run evstop and evstart.
If you upgrade a Power-1, Smart-1, or UTM-1 appliance to R75, the SmartEvent and SmartReporter databases are stored in /opt. This partition is not the largest partition on the appliance. If you plan to use SmartEvent and SmartReporter, we recommend that you move these databases to a larger partition.
To move the SmartEvent database run these commands, where XX is the number of the previous version:
cpstop
mv /var/opt/CPrt-RXX /var/log/opt/;
ln -s /var/log/opt/CPrt-RXX /var/opt/CPrt-RXX
cpstart
To move the SmartReporter database, run UpdateMySQLConfig as described in Modifying SmartReporter Database Configuration in the R75 SmartReporter Administration Guide.
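The cpstop / mv / ln -s / cpstart sequence above is the whole SmartEvent procedure; the following shell function is an added example (not a Check Point script) that performs the same move with the checks an operator would want before touching the database: it refuses to run if the source directory is missing or the destination already exists, and it is a no-op if the directory has already been replaced by a symlink from an earlier run. The source and destination directories are parameters; /var/opt/CPrt-RXX and /var/log/opt are the page's values, with XX the previous version number.

```sh
#!/bin/sh
# Added example, not Check Point's own script: move a SmartEvent database
# directory to a larger partition and leave a symlink in its place.
#
# Assumptions: the database directory is SRC_DIR (/var/opt/CPrt-RXX on the
# page, XX = previous version number) and DEST_PARENT (/var/log/opt) is on
# the larger partition. Both are parameters so the function can be tried
# against scratch directories first.

# move_db SRC_DIR DEST_PARENT
# Returns 0 when SRC_DIR ends up as a symlink to DEST_PARENT/<name>;
# returns non-zero, changing nothing, if a precondition fails.
move_db() {
    src="$1"
    dest_parent="$2"
    name=$(basename "$src")
    target="$dest_parent/$name"

    # Idempotent: a previous run already replaced the directory by a link.
    if [ -L "$src" ]; then
        echo "$src is already a symlink to $(readlink "$src"); nothing to do"
        return 0
    fi
    if [ ! -d "$src" ]; then
        echo "source database directory $src not found" >&2
        return 1
    fi
    if [ ! -d "$dest_parent" ]; then
        echo "destination parent $dest_parent does not exist" >&2
        return 1
    fi
    if [ -e "$target" ]; then
        echo "refusing to overwrite existing $target" >&2
        return 1
    fi

    mv "$src" "$target" || return 1
    ln -s "$target" "$src" || return 1
    echo "moved $src -> $target and linked it back"
    return 0
}

# db_in_place SRC_DIR: 0 if SRC_DIR is a symlink that resolves to a directory.
db_in_place() {
    [ -L "$1" ] && [ -d "$1" ]
}

# Production use, with the services stopped exactly as the page instructs:
#   cpstop
#   move_db /var/opt/CPrt-RXX /var/log/opt   # XX = previous version number
#   cpstart
```

Run it between cpstop and cpstart as in the original procedure; the symlink check at the top means re-running it after a partial or interrupted attempt is safe.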
-
00628502
SmartReporter is not supported on Windows 64-bit (Windows Server 2008 64-bit).
SmartReporter sends the "Database auto. maintenance event - The database maintenance parameters needs to be adjusted. Max FSM should be increased" alert even when auto-maintenance is disabled.
-
00567025, 00732111
Internet Explorer does not open the Events Viewer from the Monitoring tab.
-
01024996, 01056288, 01056289
SmartReporter on Provider-1 is stuck on 'trying to connect' after MDS crash.
SmartEvent cannot fetch email blocked by DLP from the Security Management server. There is a problem of release mismatch, because the SmartEvent release is newer than the Security Management server release.
If the Security Management server has several interfaces, the "Push Policy" action to SmartLSM Gateways may not work. However, each SmartLSM Gateway will fetch the security policy from the management automatically at the configured time interval. Configure this time interval in SmartDashboard in the Logs and Masters > Masters page of the LSM Profile object properties.
-
00751438, 00761532, 00761540, 00766754
SmartProvisioning cannot push new routes to a gateway, and sends the "Trying to convert illegal string [] to IP address" message in the debug output.
-
01443735, 01444059
SmartProvisioning Edge configuration design flaw. See sk101868.
-
SmartView Tracker
00595544
After you upgrade to R75, custom queries which use 'Provider-1' as Application Filter will stop working.
Change the query value from 'Provider-1' to 'SmartDomain Manager'.
-
00594080
After you upgrade to R75, if some custom queries stop working, look at the query definitions to make sure that they match the new product names.
DCE-RPC handler issues logs even when relevant rule is not defined to log.
-
SecurePlatform
00614956
Upgrading through the WebUI is not supported on Smart-1 with Provider-1 or open servers with Security Management. To upgrade these systems, run the "patch add cd" command. See sk64180.
-
00595594
To disable the SecurePlatform portal, you must configure the portal to use a port that is not accessible. In SmartDashboard, you can configure the SecurePlatform portal in the SecurePlatform Settings page of the object's properties. For example, enter 7654 for the port of the SecurePlatform portal (https://10.10.10.10:7654/) and make sure that port 7654 is not allowed in the rulebase.
-
00591846
To access the SecurePlatform portal for gateway cluster members, you must use the cluster member's IP address. You cannot use the virtual IP address shown in SmartDashboard and the CLI to access the SecurePlatform portal.
-
00662079, 00738691
DCE-RPC high-port bind traffic is dropped.
-
00656919
SecurePlatform e1000 NIC settings (speed/duplex) cannot be saved from WebUI or ethtool. Changes do not survive reboot. See sk34154.
Running snmpwalk on the MIB tree might give no output (empty MIB tree), returning the "No Such Object available on this agent at this OID" error message. Refer to sk66223.
If IPv6 is enabled in the security policy, SecureXL's Accept Templates are automatically disabled starting from the first security rule containing IPv6 objects. To view the status of Accept Templates, run the fwaccel stat command from the Security Gateway's CLI. For example, if the first rule containing IPv6 objects is the third one, then it will print: "Accept Templates: ... disabled from rule #3".
Standby cluster member drops packets on Anti-Spoofing when VMAC mode is enabled. Refer to sk100405.
-
VSX
00574537
Before you create a new VSX Cluster/Gateway, you must select "Accept Control Connections" in the Firewall section of the Global Properties.
-
00590681
cp_merge is not supported for VSX.
-
00749750, 00750007, 00750009
Kernel crashes when running the 'cpstop' command. Refer to sk63683.
-
Mobile Access
00734971
Connection problems when running SNX in Application mode, while the same services work without problems in Network mode.
-
00535793
SharePoint is not supported if you use URL Translation as the Link Translation method.
-
00590604
After you upgrade, the Mobile Access portal address is "https://<ip_address>/sslvpn". To change the portal address to "https://<ip_address>/", change it in Portal Settings > Portal Customization.
-
00615544
IPS modifications for the Mobile Access blade take effect only after you install the policy and run cvpnrestart from the command line.
-
00623472
When you work with the Mobile Access blade, and define a DNS server for office mode, you must manually create an application to allow the traffic. To do this:
Create a Native Application with the IP address of the DNS server and the service group, DNS.
Make a rule in the Mobile Access policy that allows this native application to SSL Network Extender users.
-
00595151
To configure SMS authentication to Mobile Access, you must configure a proxy. You cannot use Citrix applications in Mobile Access when a proxy is configured. To use both SMS authentication and Citrix applications, configure the proxy for SMS authentication in GuiDBEdit.
-
00621069
For File Shares, the "This application reuses the portal credentials" option is not supported.
-
00571019
The SSL Network Extender portal might not be accessible when other portals (such as DLP or Identity Awareness) are enabled. See sk56800 to change the priority of the CSHELL portal to 1.
-
00574399
If SecureClient Mobile cannot connect to a Security Gateway that has portals enabled (for example, DLP or Identity Awareness), refer to sk56800 to change the priority of the "clients" portal to 1. SecureClient Mobile cannot connect to a Security Gateway that has Mobile Access enabled.
-
00626034
When Single Sign On is disabled for a File Share application, you cannot access that File Share.
-
00627792
Anti-Virus scanning for SNX Application Mode and Abra does not work when the Anti-Virus Software Blade is enabled.
-
00628325
Mobile Access software blade is not supported with traditional mode VPN. If you have a traditional mode policy before you upgrade to R75, configure the simplified policy manually.
-
00644779
The SSL Network Extender and SSL VPN blade portal pages present the ICA certificate rather than the configured third party certificate.
-
00825623, 00825698
HTTP connection fails due to Content-Encoding configuration.
-
00748130, 00653188
Certificate users fail to authenticate in the MAB portal when it is configured to run on an internal VIP.
-
00827519, 00828812
PDF files cannot be opened in Internet Explorer if no-cache is present in the header.
-
00754554, 00754583
File Shares Favorites in the left-hand menu of the Mobile Access blade do not work.
-
00753956, 00754040, 00764409, 00764415, 00765543
If an alternative portal is configured, the user is redirected to it in the clear at the next login.
-
ClusterXL
00570387
ClusterXL in legacy mode does not support bond interfaces.
-
00957794, 00956235
Cannot set the fwldbcast_pending_timeout kernel parameter via $FWDIR/boot/modules/fwkern.conf file.
Some OID entries are missing in Check Point MIB file - 1.3.6.1.4.1.2620.1.5.15 (cluster vip interfaces), and 1.3.6.1.4.1.2620.1.5.16 (cluster sync interfaces). Refer to sk66202.
-
CoreXL
00417888
The following features are not supported in CoreXL:
Check Point QoS (Quality of Service)
Traffic view in SmartView Monitor (all other views are available)
Route-based VPN
IP Pool NAT
IPv6
Firewall-1 GX
Overlapping NAT
SMTP resource
VPN Traditional mode (refer to VPN Administration Guide appendix B for converting a traditional policy to a community based policy)
Before enabling one of the unsupported features, deactivate CoreXL using cpconfig and reboot the gateway. Note that in a cluster setup, CoreXL should be deactivated on all members.
-
00574857
ConnectControl does not work if the logical server is configured as HTTP and CoreXL is enabled.
-
Endpoint Security Server
00601069
Endpoint Security Server cannot be installed if the SecurePlatform Portal is configured to use port 443. Also, Mobile Access, Identity Awareness, DLP, and IPsec VPN cannot be enabled on a standalone server running Endpoint Security Server.
-
SmartConsole
00665272, 00662563, 00666051, 00734848
Error in /var/log/messages after policy installation: "cpmodule kernel: FW-1: fwk_get_str_cparam: param rule-<XX>-name buffer too small (40)". Refer to sk80380.
-
00670371, 00738321
Verification fails on SmartDashboard for clusters of versions: NGX R60, NGX R61, and NGX R62.
-
00626116
After you install SmartConsole, make sure that all SmartConsole users have Windows user accounts with read/write permissions on the data directory in the SmartConsole installation directory. The default location for the data directory is: C:\Program Files\CheckPoint\SmartConsole\R75\PROGRAM\data
-
00732856, 00743875
Error in /var/log/messages after policy installation: "FW-1: fw_kfree: wrong magic number at tail end of 0xc5962e78 (0xc5962e84) caller is fw_xlate_find_all_matches_rm2 sz=16".
We recommend that you use version 2.0 SP2 or higher of the Microsoft .NET Framework. If SmartDashboard shows unhandled exception errors or crashes, make sure the installed .NET Framework is version 2.0 SP2 or higher. This is known to happen when you upload a new company logo for Identity Awareness.
-
00636607, 00636724
SmartDashboard crashes frequently after upgrade from R71 to R75.
-
00656669, 00656921, 00660038
SmartDashboard hangs after "Loading products..." when connecting to one of the CMAs.
-
00776388, 00777220, 00777408
SmartUpdate fails to add Check_Point_Upgrade_for_R75.Splat.tgz to repository on 64-bit machine.
-
00766637, 00771838, 00784731, 00820138
Manual Anti Virus update enables the Automatic Anti Virus update option.
-
01116841, 01117138
Red X is displayed instead of black X for disabled rule indicator.
-
VPN
00594937
Endpoint Connect clients of version R73 or lower will not be scanned by the ESOD scanner once they connect to an R75 Security Gateway.
-
00591493
Encryption Suites VPN A and VPN B are supported for Security Gateways of version R71 or higher. They are not supported for Security Gateway 80 Series.
-
00658422
When using LDAP to manage VPN users, Endpoint Security VPN R75 keeps asking the user to change the password, as part of the AD password remediation feature, even after it has already been changed.
When one side of the VPN installs a policy and Phase 2 is renegotiated, the tunnel does not come up, because one side has PFS enabled for Phase 2 while the other does not.
-
01054735, 01056658, 01056659
NAT-T is sent to the wrong gateway when a 3rd party device fails over (but keeps its virtual IP, so that the only change the gateway should see in the packet is the MAC address).
-
01140729, 01142415, 01142416, 01142417
ICMP packets with sequence 259 (0x103) are dropped when sent over VPN with "Reason: Failed to enforce VPN policy (11)" error.
After you upgrade Security Management or Provider-1 to R75, the management server updates the statuses of the UTM-1 Edge objects. It may take up to 24 hours until all statuses will be updated. Until the update is complete, the status will appear as Disconnected or Waiting. The UTM-1 Edge devices continue to enforce the security policy during this time.
To update the status manually, do either of these steps:
In SmartDashboard, do Install Policy (for UTM-1 Edge objects with static IP only).
In the UTM-1 Edge GUI, disconnect from the Service Center and then reconnect to it. Go to "Services" -> "Account" tab, to the line "Connect to a Service Center":
(A) Disconnect: click "Connect", clear "Connect to a Service Center", then click "Next" and "Finish".
(B) Reconnect: click "Connect", select "Connect to a Service Center", click "Next", enter the device's GatewayID and Password, then click "Next" and "Finish".
-
Security Gateway
01176835, 01177121, 01177120, 01177119, 01177118
Policy installation fails after several months of uptime of Security Gateway with enabled Traditional Anti-Virus. Refer to sk93189.