R75 Known Limitations
Solution

This article lists all of the R75 specific known limitations.

This is a live document that may be updated without special notice. We recommend registering to our weekly updates in order to stay up to date. To register go to UserCenter > ASSETS / INFO > My Subscriptions.


Table of Contents

  • General
  • Identity Awareness
  • DLP
  • Application Control
  • Security Management
  • SmartEvent and SmartReporter
  • SmartProvisioning
  • SmartView Tracker
  • SecurePlatform
  • Acceleration and Clustering
  • VSX
  • Mobile Access
  • ClusterXL
  • CoreXL
  • Endpoint Security Server
  • SmartConsole
  • VPN
  • UTM-1 Edge
  • Security Gateway
  • QoS
  • SmartLog

 

ID Symptoms Integrated In
General
00651439,
00669519
SecureXL: VPN traffic is dropped when SecureXL Drop Templates are enabled. -
00726757 'upgrade_import' fails on Windows Server 2003 with non-English interface. R77.10
00767317,
00768386,
00770870,
00771710,
00773943,
00789097,
00824301,
00830511
Kernel panic when certain IPS protections are enabled. -
00764349,
00767671,
00768224,
00768457,
00769776,
00786856
Windows L2TP clients are automatically disconnected after 1 hour. R75.46,
R77.10
00842225,
00844217
Kernel panic when running 'fw ctl sdstat start' command. -
00736035,
00737071,
00737639,
00763866
Kernel panic and memory corruption when Optimized Rulebase is used. -
00749765,
00754538
"MS-RPC non compliant version" drops. -
00744629,
00745559,
00746470,
00759089,
00763868
Memory leaks when DCE-RPC traffic is handled by the Security Gateway. -
00911059,
00911246,
00911247
EPSV and EPRT commands are dropped when Anti-Virus is enabled. R75.45
00930601,
00930828,
00930829,
00930830
IPS logs over 1KB are partially lost. -
00906131,
00904214
Security Gateway freezes repeatedly and randomly when FloodGate-1 (QoS) is enabled. R75.45
01110639 SmartDashboard is not detecting the proxy for updates. -
01120059,
01120363,
01120364
ICMP packets with IP Options are dropped by the Security Gateway with 'Forbidden IP option' drop log in SmartView Tracker. Refer to sk93809. R75.47,
R77.10
01134550,
01139983,
01139984,
01139985
The $CPDIR/tmp/ directory is filled with CKP_mutex::_opt_CPsuite-R75_40_fw1_log__blob.. _blob files. -
01394107 Problem setting speed/duplex setting manually. See sk100285 -
Identity Awareness
00591269 When AD Query identifies a machine account with its IP address but does not identify the user account, the user will not be redirected to the captive portal for authentication. If the user locks and then unlocks Windows, they will reauthenticate to AD and Identity Awareness will identify the user account.

To avoid this situation, configure AD Query in SmartDashboard to not identify machines.

-
00592404 Identity Awareness supports authentication of AD users, user groups, and organizational units. In addition, you can define LDAP groups with more advanced filtering.
Identity Awareness does not support authentication of Primary Groups of user and computer accounts. By default, the Primary Groups are 'Domain Users' and 'Domain Computers'.
-
00609209 When an http proxy is deployed between users and the Security Gateway, the security Rule Base associates users' http traffic with the http proxy IP. The security Rule Base does not identify the correct endpoint IP.

For the Application Control policy to correctly associate users' http traffic with the endpoint IP, configure the proxy to add the X-Forwarded-For attribute and set this option in the Identity Awareness settings page.

-
00570041 When you deploy a cluster in bridge mode, the bridge cannot acquire identities. You need to deploy another gateway to acquire identities and have it share identities with the cluster bridge. For more information, see the Advanced Deployment section in the Identity Awareness Administration Guide. -
00594919 When a gateway gets identities from another sharing gateway, it opens a connection to the sharing gateway's main IP address. To change this to a different IP address, use dbedit or GuiDbEdit. Edit the "ia_control_connections_ip" attribute and set it to the required IP address of the sharing gateway. -
00609230 When you have 2 or more users with identical user names, each user should log in to the Captive Portal or Identity Agent using domain\user as their user name. -
00614676 To support non-English user names on a Security Gateway enabled with Identity Awareness, you must set an attribute. Use dbedit or GuiDBEdit tools to set the SupportUnicode attribute to true on the LDAP Account Unit object. The LDAP Account Unit object is found in the Servers table. Note: On R75.10 and forward this can be edited via the LDAP Account unit page in the SmartDashboard.
You do not need to set this attribute when Identity Awareness is enabled on the Security Management Server or Log Server.
-
00535154 On IP Series appliances, when you use access role objects in the security policy, SecureXL templates are disabled.

When you use access role objects in the Application Control policy, SecureXL templates are not disabled.

-
00597462 For AD Query to work, WMI is used. WMI uses DCOM to communicate with the AD domain controllers. A high port (>1024) is used for the communication.

In some rare cases, the chosen high port conflicts with other applications used on that port. This conflict can result in the Firewall and IPS identifying the WMI traffic as a non-compliant application trying to traverse the high port. When this happens, you have two options:

  1. If WMI traffic is blocked by IPS - manually add exceptions to the IPS protections which cause the blocks. If the Firewall is causing the blocking, add a rule allowing 'any','all-dce-rpc' and 'x11' between the gateway and the domain controllers.
  2. Alternatively, you can change the high port to a different port on the domain controller. See Microsoft documentation on how to change the RPC port range.
-
00614609 When SmartDashboard runs on a computer that is a member of an AD subdomain and you use the Identity Awareness wizard to configure the subdomain, you must:
  1. Use an Enterprise administrator account. The administrator name must be entered as domain\user.

    For example if the domain name is ACME.COM and the subdomain is SUB.ACME.COM, then for Enterprise administrator John_Doe, enter ACME.COM\John_Doe.

  2. After the wizard completes, go to the LDAP Account Unit object, enter the administrator's login DN, and edit the branch base to the subdomain (DC=SUB,DC=ACME,DC=COM).
-
00833323 IDA does not work with SecureXL drop templates. -
00633171 Enabling Identity Awareness when two cluster members have the same IP address for sync causes verification failure during Policy Installation. -
00739844,
00732496
DCE-RPC traffic alter context drops. -
00831161,
00832375
Wrong access time displayed for specific user in the Captive Portal. R75.45
00781364,
00782049,
00784464
The PDP process consumes 100% CPU. R75.30
00816110,
00817382
Traffic to the Web Server object is dropped if the Web server static NAT IP address and NAT translation in manual NAT rule are equal. -
00783984,
00827496,
00829162,
00829966
Cannot login with AD credentials after Captive Portal timeout expires. -
00760574,
00758149
On SecurePlatform or IPSO with Identity Awareness enabled, this incorrect message is sometimes shown in the log $FWIDIR/log/pepd.elg: "_fwnac_ioctl_call: IOCTL failed". R75.30
00758078,
00759206,
00845559
Anti-Spam blocks legitimate emails. -
DLP
00573597 When deploying UserCheck on users' desktops, make sure that Network Address Translation (NAT) on source IP is not applied on the HTTPS and UserCheck (port 18300) traffic from users' desktops to gateways with the DLP blade enabled. -
00559128 DLP software blade cannot run on a gateway that uses an SMTP resource. -
00258861 When the DLP Blade scans FTP traffic, and the FTP username contains the "@" character, the authentication fails. To make it possible for those users to authenticate, inform them that they must replace "@" with "@@" when they authenticate. For example, user "jon@doe" must authenticate with username "jon@@doe". -
00574017 The IP addresses for user portals (Identity Awareness, Data Loss Prevention, Mobile Access, and SecurePlatform) must be different than the IP addresses to which the Endpoint Connect clients connect. For example, for the DLP portal, you can use the IP address of an internal interface. -
00602864 When using the same username for two users: a user that is manually defined by the administrator in SmartDashboard and an AD/LDAP user:
  1. The administrator must configure the same Email address for both users, so that the person with that email address will be able to view all their quarantined emails.
  2. The person that is logging in to the DLP portal or the UserCheck client must use the password of the user that is manually defined by the SmartDashboard administrator.
-
00522857 TLS-encrypted SMTP connections and HTTPS connections are not scanned by the DLP Software Blade. The connections are allowed. -
00570194 The UserCheck client is not compatible with Mobile Access Secure Workspace. If a UserCheck client is installed on a machine and a DLP violation occurs, the UserCheck client notification shows outside the Mobile Access Secure Workspace. We recommend that you do not install the UserCheck Client on a machine that usually runs Mobile Access Secure Workspace. -
00573071 An error message displays during policy installation if an illegal word is entered in one of these data types - Key Words, Patterns, Weighted Words, or Dictionary. If the word is not in ASCII UTF8 encoding, the word appearing in the error message is not readable. -
00640349 In a cluster environment, keep the default value 'DLP Blades' of the 'Install On' field in a DLP rule. Changing the value of the 'Install On' field in a cluster environment is not supported. R75.10
01026340,
01057240,
01057239
The identified hosts leak the web server software name and version details in HTTP responses. -
Application Control
00591010 The Application Control log may contain an empty machine name field because the log is an aggregation of application traffic, also called a session. The machine name represents the last known machine which generated the traffic. -
- For Skype detection in Check Point R75, refer to sk60940. -
00624397 If you select "When a request is blocked, redirect to the following" for an application and Application Control is configured to block the "Web Browsing" application, the redirect is blocked. -
00868386 WMIC causing leak on DC 2008 Windows server. -
01140570,
01140785,
01140786,
01140787
Anti-Virus recognizes *.ico as *.mpeg R75.47,
R77.10
Security Management
00642563,
00642987
Client authentication does not work when Visitor mode is enabled in the gateway's VPN configuration. -
00613608 If you upgrade from R71.10 or R71.20, you may see an "INSPECT manual changes" error message. You can safely ignore this message. -
00593741 To upgrade a Smart-1 appliance running Provider-1, you must use the R75 Multi-Domain Security Management DVD.
  1. Connect a USB optical drive with the DVD to the appliance.
  2. Perform the Multi-Domain Security Management upgrade as described in the R75 Installation and Upgrade Guide.
-
00747320,
00750155,
00753738,
00782482,
00829978
"No license for FloodGate-1 Management" error when installing QoS policy from R75 CMA. R75.30
00841696,
00852543
The Pre-upgrade verifier tool truncates the results of the Object case check. -
00876499,
00878740,
00877960
Wrong client IP is reported in the client field of the Audit for Management HA audit log. R75.45
00876135 High load during policy installation causes cluster fail-over. -
00915544,
00917167
Binary files attachments with 'Strip ActiveX Tags' option enabled for HTTP resource results in corruption. R75.45
00948638,
00949765
IPS logs over 1KB are partially lost. -
01102871 The fwm logexport command fails after enabling Anti-Virus Blade. R75.47,
R77
01158863,
01159656,
01159659,
01159660,
01159661
Security Management crash during policy installation failure on Security Gateway 80 -
01595095, 01596558, 01595254  '$' character is not allowed in Cisco router password. Refer to sk105038. -
SmartEvent and SmartReporter
00574244 When upgrading to R75 on a Solaris platform that did not have the Reporting software blade installed, Reporting will not be available until you complete the following procedure:
  1. Run evconfig to enter the SmartEvent Configuration wizard.
  2. Choose Correlation Unit or SmartReporter.
  3. Reboot.
-
00623993 After you enable SmartEvent or SmartEvent Intro, scheduled SmartEvent Reports do not run until you run evstop and evstart. R75.10
00622278 If you upgrade a Power-1, Smart-1, or UTM-1 appliance to R75, the SmartEvent and SmartReporter databases are stored in /opt. This partition is not the largest partition on the appliance. If you plan to use SmartEvent and SmartReporter, we recommend that you move these databases to a larger partition.

To move the SmartEvent database run these commands, where XX is the number of the previous version:

  1. cpstop
  2. mv /var/opt/CPrt-RXX /var/log/opt/
  3. ln -s /var/log/opt/CPrt-RXX /var/opt/CPrt-RXX
  4. cpstart
To move the SmartReporter database, run UpdateMySQLConfig as described in Modifying SmartReporter Database Configuration in the R75 SmartReporter Administration Guide.
-
00628502 SmartReporter is not supported on Windows 64bit (Windows server 2008 64 bit). R75.20
00788387,
00815512,
00819076
SmartReporter sends the "Database auto. maintenance event - The database maintenance parameters needs to be adjusted. Max FSM should be increased" alert even when auto-maintenance is disabled. -
00567025,
00732111
Internet Explorer does not open the Events Viewer from the Monitoring tab. -
01024996,
01056288,
01056289
SmartReporter on Provider-1 is stuck on 'trying to connect' after MDS crash. R75.46,
R77.10
01056925,
01060839,
01060840
SmartEvent cannot fetch email blocked by DLP from the Security Management server. There is a problem of release mismatch, because the SmartEvent release is newer than the Security Management server release. R75.46,
R77.10
01108807,
01109334,
01109335
Users with long names (more than 100 characters) do not appear in the Report for Mobile Access logins. R75.47
01126408,
01127605,
01127606,
01127607
log_consolidator process crashes when starting consolidation session. R75.47
01131970,
01133050,
01133051,
01133052
When reaching 90% of Database, SmartReporter Auto-Maintenance deletes all entries in database all the way down to 5% instead of 80%. R75.47
SmartProvisioning
00574775 If the Security Management server has several interfaces, the "Push Policy" action to SmartLSM Gateways may not work. However, each SmartLSM Gateway will fetch the security policy from the management automatically at the configured time interval. Configure this time interval in SmartDashboard in the Logs and Masters > Masters page of the LSM Profile object properties. -
00751438,
00761532,
00761540,
00766754
SmartProvisioning cannot push new routes to gateway, sending "Trying to convert illegal string [] to IP address" message in the debug output. -
01443735,
01444059
SmartProvisioning Edge configuration design flaw. See sk101868. -
SmartView Tracker
00595544 After you upgrade to R75, custom queries which use 'Provider-1' as Application Filter will stop working.

Change the query value from 'Provider-1' to 'SmartDomain Manager'.

-
00594080 After you upgrade to R75, if some custom queries stop working, look at the query definitions to make sure that they match the new product names. R75.20
00750980,
00752389
DCE-RPC handler issues logs even when relevant rule is not defined to log. -
SecurePlatform
00614956 Upgrading through the WebUI is not supported on Smart-1 with Provider-1 or open servers with Security Management. To upgrade these systems, run the "patch add cd" command. See sk64180. -
00595594 To disable the SecurePlatform portal, you must configure the portal to use a port that is not accessible. In SmartDashboard, you can configure the SecurePlatform portal in the SecurePlatform Settings page of the object's properties. For example, enter 7654 for the port of the SecurePlatform portal (https://10.10.10.10:7654/) and make sure that port 7654 is not allowed in the rulebase. -
00591846 To access the SecurePlatform portal for gateway cluster members, you must use the cluster member's IP address. You cannot use the virtual IP address shown in SmartDashboard and the CLI to access the SecurePlatform portal. -
00662079,
00738691
DCE-RPC high port bind traffic drops. -
00656919 SecurePlatform e1000 NIC settings (speed/duplex) cannot be saved from WebUI or ethtool. Changes do not survive reboot. See sk34154. -
00757286,
00784476,
00784479,
00784481,
00784485,
00785904
Boot from SecurePlatform ISO on HP DL165G7 using AMD Opteron Model 6128 does not work. The computer hangs at the "loading ramdisk" message. -
00826366,
00784495
Corrupted information in image.list prevents creation or deletion of images through WebUI. R75.45
00772430,
00772508,
00772510,
00772512
Many "kernel: ACPI: Unable to turn cooling device [bf6d8950] "on"" messages appear in the messages file when the ACPI thermal limit is reached. R77.10
00833259,
00833549
Running snmpwalk on MIB tree might give no output (empty mib tree) returning "No Such Object available on this agent at this OID" error message. Refer to sk66223. -
00732936,
00733468,
00733481,
00733485,
00787576,
00827602
Querying SNMP tree .1.3.6.1.4.1.2021.4 (memory statistics) returns incorrect results. Refer to sk42811. -
00755899,
00756207,
00781504
GateD crashes when using VLAN interface for RIP. -
00736384,
00737274,
00788816
CligateD daemon crashes when running "aggregate-address ?" within "router config". -
00859558,
00860760
GateD daemon crashes upon failover from Primary to Standby gateway when 3 BGP adj. are brought up. -
00873627,
00884315
cpauth does not support Identity Awareness and secondary connect. -
00930670,
00937571,
00937572
GateD daemon crashes with BGP route maps due to ECMP code. -
01053445,
01054032,
01054033
ConfD daemon crashes with core dump when attempting to delete VTI in Gaia. -
01145042,
01145111,
01145112,
01145113
'snmpbulkget' command returns duplicate OIDs. R75.47
01140860,
01145052,
01145053,
01145054,
01145095
When running show configuration rba command, CLISH crashes with segmentation fault. R75.47
Acceleration and Clustering
00574931 If IPv6 is enabled in the security policy, SecureXL's Accept Templates are automatically disabled starting from the first security rule containing IPv6 objects. To view the status of Accept Templates, run the fwaccel stat command from the Security Gateway's CLI. For example, if the first rule containing IPv6 objects is the third one, then it will print: "Accept Templates: ... disabled from rule #3". -
01394541,
01394737,
01396248,
01410571,
01422182,
01452043,
01460000,
01472870,
01481322;
01392662,
00267059,
01404588,
01423431,
01471438,
01495372
Standby cluster member drops packets on Anti-Spoofing when VMAC mode is enabled.
Refer to sk100405.
-
VSX
00574537 Before you create a new VSX Cluster/Gateway, you must select "Accept Control Connections" in the Firewall section of the Global Properties. -
00590681 cp_merge is not supported for VSX. -
00749750,
00750007,
00750009
Kernel crash when running 'cpstop' command. Refer to sk63683. -
Mobile Access
00734971 Connection problems when running SNX in Application mode, while same services have no problem in Network mode. -
00535793 SharePoint is not supported if you use URL Translation as the Link Translation method. -
00590604 After you upgrade, the Mobile Access portal address is "https://<ip_address>/sslvpn". To change the portal address to "https://<ip_address>/", change it in Portal Settings > Portal Customization. -
00615544 IPS modifications for the Mobile Access blade take effect only after you install the policy and run cvpnrestart from the command line. -
00623472 When you work with the Mobile Access blade, and define a DNS server for office mode, you must manually create an application to allow the traffic. To do this:
  1. Create a Native Application with the IP address of the DNS server and the service group, DNS.
  2. Make a rule in the Mobile Access policy that allows this native application to SSL Network Extender users.
-
00595151 To configure SMS authentication to Mobile Access, you must configure a proxy. You cannot use Citrix applications in Mobile Access when a proxy is configured. To use both SMS authentication and Citrix applications, configure the proxy for SMS authentication in GuiDBEdit. -
00621069 IPS modifications for the Mobile Access blade take effect only after you install the policy and run cvpnrestart from the command line. R71.30
00626860 For File Shares, the "This application reuses the portal credentials" option is not supported. -
00571019 The SSL Network Extender portal might not be accessible when other portals (such as DLP or Identity Awareness) are enabled. See sk56800 to change the priority of the CSHELL portal to 1. -
00574399 If SecureClient Mobile cannot connect to a Security Gateway that has portals enabled (for example, DLP or Identity Awareness), refer to sk56800 to change the priority of the "clients" portal to 1. SecureClient Mobile cannot connect to a Security Gateway that has Mobile Access enabled. -
00626034 When Single Sign On is disabled for a File Share application, you cannot access that File Share. -
00627792 The Anti-Virus scan on SNX Application Mode and Abra cannot scan when the Anti-Virus software blade is enabled. -
00628325 Mobile Access software blade is not supported with traditional mode VPN. If you have a traditional mode policy before you upgrade to R75, configure the simplified policy manually. -
00644779 The SSL Network Extender and SSL VPN blade portal pages present the ICA certificate rather than the configured third party certificate. -
00825623,
00825698
HTTP connection fails due to Content-Encoding configuration. -
00748130,
00653188
Certificate users fail to authenticate in the MAB Portal when it is configured to run on an internal VIP. -
00827519,
00828812
PDF files cannot be opened in Internet Explorer if the no-cache is present in header. -
00754554,
00754583
File Shares Favorites in the left-hand menu of the Mobile Access blade do not work. -
00753956,
00754040,
00764409,
00764415,
00765543
If alternative portal is configured, user is redirected to it in clear on his next log in. -
ClusterXL
00570387 ClusterXL in legacy mode does not support bond interfaces. -
00957794,
00956235
Cannot set the fwldbcast_pending_timeout kernel parameter via $FWDIR/boot/modules/fwkern.conf file. R75.46,
R77.10
00784077, 00785319 Some OID entries are missing in Check Point MIB file - 1.3.6.1.4.1.2620.1.5.15 (cluster vip interfaces), and 1.3.6.1.4.1.2620.1.5.16 (cluster sync interfaces). Refer to sk66202. -
CoreXL
00417888 The following features are not supported in CoreXL:
  • Check Point QoS (Quality of Service)
  • Traffic view in SmartView Monitor (all other views are available)
  • Route-based VPN
  • IP Pool NAT
  • IPv6
  • Firewall-1 GX
  • Overlapping NAT
  • SMTP resource
  • VPN Traditional mode (refer to VPN Administration Guide appendix B for converting a traditional policy to a community based policy)
Before enabling one of the unsupported features, deactivate CoreXL using cpconfig and reboot the gateway. Note that in cluster setup, CoreXL should be deactivated on all members.
-
00574857 ConnectControl does not work if the logical server is configured as HTTP and CoreXL is enabled. -
Endpoint Security Server
00601069 Endpoint Security Server cannot be installed if the SecurePlatform Portal is configured to use port 443. Also, Mobile Access, Identity Awareness, DLP, and IPsec VPN cannot be enabled on a standalone server running Endpoint Security Server. -
SmartConsole
00665272,
00662563,
00666051,
00734848
Error in /var/log/messages after policy installation: "cpmodule kernel: FW-1: fwk_get_str_cparam: param rule-<XX>-name buffer too small (40)".
Refer to sk80380.
-
00670371,
00738321
Verification fails on SmartDashboard for clusters of versions: NGX R60, NGX R61, and NGX R62. -
00626116 After you install SmartConsole, make sure that all SmartConsole users have Windows user accounts with read/write permissions on the data directory in the SmartConsole installation directory. The default location for the data directory is: C:\Program Files\CheckPoint\SmartConsole\R75\PROGRAM\data -
00732856,
00743875
Error in /var/log/messages after policy installation: "FW-1: fw_kfree: wrong magic number at tail end of 0xc5962e78 (0xc5962e84) caller is fw_xlate_find_all_matches_rm2 sz=16". R75.30,
R71.50
00624644 We recommend that you use version 2.0 SP2 or higher of the Microsoft .Net Framework. If SmartDashboard shows unhandled exception errors or it crashes, make sure the installed .Net Framework is version 2.0 SP2 or higher. This is known to happen when you upload a new company logo for the Identity Awareness. -
00636607,
00636724
SmartDashboard crashes frequently after upgrade from R71 to R75. -
00656669,
00656921,
00660038
SmartDashboard hangs after "Loading products..." when connecting to one of the CMAs. -
00776388,
00777220,
00777408
SmartUpdate fails to add Check_Point_Upgrade_for_R75.Splat.tgz to repository on 64-bit machine. -
00766637,
00771838,
00784731,
00820138
Manual Anti Virus update enables the Automatic Anti Virus update option. -
01116841,
01117138
Red X is displayed instead of black X for disabled rule indicator. -
VPN
00594937 Endpoint Connect clients of version R73 or lower will not be scanned by the ESOD scanner once they connect to an R75 Security Gateway. -
00591493 Encryption Suites VPN A and VPN B are supported for Security Gateways of version R71 or higher. They are not supported for Security Gateway 80 Series. -
00658422 When using LDAP to manage VPN users, Endpoint Security VPN R75 keeps asking the user to change the password, as part of the AD password remediation feature, even after it has already been changed. R75.30
00660644,
00660654,
00660655,
00665383,
00733736
Wrong value is used for SHA2-256 in IKE Phase 1. -
00667569 Endpoint Security VPN 75 initial policy is not set before connecting to the gateway. -
00657805 VPN LDAP users are allowed to connect after the LDAP group has been removed from the server, even when LDAP cache is not configured on the gateway. -
00778435,
00775202
When Visitor Mode is enabled, Web Mail Server access is blocked. R75.30
00669598,
00663402
When one side of the VPN installs a policy and Phase 2 was renegotiated, the tunnel does not come up, since one side had the PFS enabled for Phase 2 while the other has not. -
01054735,
01056658,
01056659
NAT-T is sent to the wrong gateway when 3rd party device fails over (but has virtual IP, so that the only change gateway should see on packet is the MAC address). -
01140729,
01142415,
01142416,
01142417
ICMP packets with sequence 259 (0x103) are dropped when sent over VPN with "Reason: Failed to enforce VPN policy (11)" error. R75.47,
R77.10
UTM-1 Edge
00614768 After you upgrade Security Management or Provider-1 to R75, the management server updates the statuses of the UTM-1 Edge objects. It may take up to 24 hours until all statuses will be updated.
Until the update is complete, the status will appear as Disconnected or Waiting. The UTM-1 Edge devices continue to enforce the security policy during this time.

To update the status manually, do either of these steps:
  • In SmartDashboard, do Install Policy (for UTM-1 Edge objects with static IP only)
  • In the UTM-1 Edge GUI, disconnect from the Service Center and then reconnect to it. Go to the "Services" -> "Account" tab and, in the line "Connect to a Service Center":
    (A) To disconnect: click "Connect" - clear "Connect to a Service Center" - click "Next" and "Finish".
    (B) To reconnect: click "Connect" - select "Connect to a Service Center" - click "Next" - enter the device's GatewayID and Password - click "Next" and "Finish".
-
Security Gateway
01176835, 01177121, 01177120, 01177119, 01177118 Policy installation fails after several months of uptime of Security Gateway with enabled Traditional Anti-Virus. Refer to sk93189. R77.10
QoS
- QoS does not support the following:
  • IPv6
  • VSX
-
SmartLog
- SmartLog cannot automatically perform object name resolving when the object name is changed. -
