R75.30 Known Limitations
Solution

This article lists all of the R75.30-specific known limitations.

This is a live document that may be updated without special notice. We recommend registering for our weekly updates in order to stay up to date. To register, go to UserCenter > My Profile > My Subscriptions.

 

Important notes:

 

Table of Contents

  • Secure Workspace
  • IPS
  • Endpoint Security
  • ClusterXL
  • Database Revision Control
  • Multi Domain Security Management/Provider-1
  • Solaris
  • Identity Awareness
  • SmartProvisioning
  • Management Portal
  • SecurePlatform
  • VPN
  • Security Gateway
  • Reporting Tool
  • SmartDashboard
  • SmartView Monitor
  • Application Control
  • SNMP
  • Logging
  • Security Management
  • Mobile Access
  • QoS
  • NAC
  • VoIP
  • SNX
  • Dynamic Routing
  • SmartEvent
  • Internal CA

 

ID Symptoms Integrated In
Secure Workspace
-

Internet Explorer Protected mode:

  • Endpoint Security on Demand and Secure Workspace do not work correctly if the user's browser is configured to use Protected Mode for SSL VPN Portal's URL.
  • If Endpoint Security on Demand is configured, Protected Mode is detected and an informative error page opens for the user.
  • If Endpoint Security on Demand is not configured, there is no error page. If users use Secure Workspace with Protected Mode on, various errors might occur.
-
-

Secure Workspace is not compatible with these third party applications:

  • McAfee HIP / signature 432
  • Symantec Event Library
  • Kaspersky Proactive Defense
  • Create Desktops limit
  • FS corruption
-
- If you get errors only when you use Firefox or Chrome browser, but not on Internet Explorer browser, it might indicate that there are problems with the installed Java version. Update to the latest Java version. -
- To work with SWS and IE9, you need to uncheck "Protected Mode" in 'Internet Options' > 'Security'.

This applies to both Internet and Local Intranet zones.

Caution: Verify that you can safely work without Protected Mode.

-
- Check Point GO limitations that are related to Secure Workspace also apply to this hotfix.
Refer to sk52764.
-
00591709,
00510227
Win+A is not an officially supported way to switch between the Secure Workspace desktop and the host desktop. It may cause unexpected behavior. Use Win+S as a shortcut to switch between the desktops. -
00573859

The Windows 7 theme might change occasionally after you close Secure Workspace.

-
00461597 In Windows 7, the task switching window that shows when you press Alt+Tab might not work on the host computer while Secure Workspace is open. It also might not display correctly after you close Secure Workspace. -
00591735 If Chrome or Firefox is the default browser on a device, the SSL VPN shortcut on the desktop has an image of Chrome or Firefox, although the portal opens in Internet Explorer. -
00573964 Sometimes the message "Fail to run Secure Workspace due to lack of resources" opens, although there are free resources on the machine. Rebooting the client machine might repair this. -
00628747 If you log in to Secure Workspace from a Windows 7 64bit machine using Internet Explorer 8 64-bit, Cshell deployment fails in both ActiveX and Java. -
IPS
00660059

Install policy with IPS pattern granularity and AA profile, or with manual profile, might fail due to timeout.

Workaround:

  1. Run: cpstop
  2. Run: export commit_func_timeout=600
  3. Make sure the last command was successful.
  4. Run: echo $commit_func_timeout (The output should be 600.)
  5. Run: cpstart
  6. Install policy.
Refer to sk101559.
-
00661820,
00662785

Changing the Check Point pattern names or values before upgrade sometimes causes Online Update issues.

-
00725130 Protections that were converted from patterns should not be marked for Follow Up. In some cases, they are incorrectly marked for Follow Up and receive the IPS policy. This can cause the new protection not to receive the overridden policy, when the policy of the pattern was overridden before upgrade. -
00735793 Patterns that were deleted before upgrade are added again to the IPS blade as protections. They do not show as new patterns in R65 protections. -
00900797 Web Security drops traffic when we have content-type "multipart" without boundary. R75.45
01162387 Kernel debug is not generated correctly for 'Bad SMTP Server Greeting' protection.
As a result, kernel debug shows:

;== >fwemail_info_string_to_attack_id: str_id=135 (Server reply out of expected SMTP state);
;fwemail_info_string_to_attack_id: No match!;
;< ==fwemail_info_string_to_attack_id: Returning -1 (protection name is '');
;== >fwemail_string_to_string_id: str_id=124 (SMTP policy violation);
;< ==fwemail_string_to_string_id: Returning 997 (SMTP policy violation) ;
;== >fwemail_string_to_string_id: str_id=135 (Server reply out of expected SMTP state);
;< ==fwemail_string_to_string_id: Returning 1007 (Server reply out of expected SMTP state) ;
................
;FW-1 - ips_first_log_cap_issue_cap_for_static_log: attack_id is incorrect (-1 >=671);
R75.47,
R77.10
Endpoint Security
- These Endpoint Security clients cannot connect to a SecurePlatform gateway when the WebUI is configured to use port 443:
  • SecureClient (Visitor mode only)
  • Endpoint Connect
  • Security VPN client (R75)
  • Remote Access clients (E75.10 and above)
You must configure the SecurePlatform WebUI to use a different port for management connections when using Endpoint Security clients.
-
00913046 Since migration of R65 standalone to R75.30, E75.20 SecuRemote fails to download topology. -
ClusterXL
00849011 "Updating of persistent storage failed" error appears after running 'cpstop'. -
00981780,
01002306
Editing a cluster member, when IP Pool NAT on interfaces is defined, triggers error pop-up on SmartDashboard. -
01079289,
01103133,
01081270,
01086900,
01095303,
01081271,
01089476,
01081272,
01101130
Non-Pivot cluster member on 21400 appliances drops the packets without any log when VMAC is enabled.
Refer to sk89321.
R75.46,
R76
01393273 Fail-over in VRRP Cluster on IPSO OS during policy installation due to CPHAD / FWD pnote.
Refer to sk100454.
-
Database Revision Control
00846464

Policy installation failed after restoring R75.20 Database Revision Control, if VSX object is defined.

Workaround:

  1. Connect to Security Management Server with GuiDBedit Tool
  2. Go to 'Table' - 'Network Objects' - 'network_objects'
  3. Select the VSX object
  4. Modify the value of the 'vsxver' parameter from "300" to "400"
  5. Close GuiDBedit Tool
  6. Connect to Security Management Server with SmartDashboard
  7. Push configuration to VSX object: open VSX object for editing - without changing anything - click on 'OK'
  8. Install policy onto VSX object
-
01045901 Can skip DataBase Revision if SKIP_DBREVISION_IPS_UP environment variable is set to 1. R75.46,
R77.10
Multi Domain Security Management/Provider-1
00847867

When Global Policy is assigned to a Domain in Multi-Domain Security Management Server and you create a new Policy Package, all 'Add Rules' icons are grayed out.

Workaround: If you click on the Global Policy rule, the Add Rules icons will appear as available.

-
00891871,
00892718
Sorting any column in 'Administrator' tab does not work correctly. R75.45
01043555 After MDS restarts, all Domains fall out of sync, even if they were not changed. R75.46,
R77.10
01122320 Global Policy assignment does not work when manual MEP priorities are used in a global VPN community. -
Solaris
00733220

Upgrade on a Solaris platform completes with an error.

If you have SG-80 Security Gateways in your deployment with the IPS Blade enabled, update the IPS Database in the SmartDashboard. Otherwise, you can safely ignore this error.

R75.47,
R77
Identity Awareness
00850863 An identity agent for Mac OS X 10.6 and higher versions cannot be downloaded from the Captive Portal. To download a Mac agent, refer to sk63920. -
SmartProvisioning
00590351 The firmware selection does not operate correctly in SmartProvisioning. -
01171847,
01173512,
01173513,
01173514
If $FWDIR/conf/robo-IKE.NDB file contains duplicate keys (due to some leftovers of old deleted ROBO/Edge devices), validation results in drop of VPN traffic. R75.47,
R77.10
Management Portal
00873653 In the Portal management of 21400 appliances (after a clean install of R75.30), the Gateway Status page sometimes hangs. -
SecurePlatform
00864385 After upgrading from R75.20 to R75.30 on Dell Servers, SecurePlatform WebUI reports the server as 'Power-1 12000'. -
00879243 For the 21400 appliance, the LCD buttons do not respond during appliance diagnostics. The LCD buttons respond again when the tests are done. -
01071930,
01072602,
01072603,
01165611,
01201466,
01298642
"cpwmd: version" lines appear repeatedly in /var/log/messages file.
Refer to sk87840.
R75.46
01077346 'eth_set' command on a physical interface removes static routes for the VLANs configured on that physical interface. R77.10
01096602 On all UTM-1 / Power-1 and Smart-1 appliances, boot -p command is looking in the wrong directory when trying to purge backup files. R75.47
01101972,
01107459,
01107460,
01107996,
01113956,
01231354,
01266512
Backup in SecurePlatform WebUI / Gaia Portal via FTP fails with 'User name contains illegal characters' error when user account contains backslash "\" character or period "." character.
Refer to sk104104.
R77.10
01166558 10GB link is lost when interface is disabled/enabled from WebUI. -
01223776,
01224383,
01224384,
01224385
Saving a Backup file from Check Point appliance in SecurePlatform WebUI using the "Your desktop computer (download via browser)" option fails with "HTTP 404 - File Not Found" error when the backup file size exceeds 2GB.
Refer to sk94868.
R77.10
01239963
Values for VCC (+12v) on Smart-1 25 should be the same in WebUI (appliance_config.xml) and (sensors_data.C)
R77.10
01302944,
01303088,
01303086,
01303087
False alarm SNMP Trap messages about state of processes. -
01366460,
01366974,
01366977
"Out of normal bound" hardware sensors error appears in SecurePlatform WebUI and in SmartView Monitor after upgrade.
Refer to sk98694.
-
VPN
00876453 VPND process crashes repeatedly, leaving a stack back-trace that contains the expression: 'ConnIO_chain_free_opq' R75.45
00904125 CoreXL incorrectly dropped traffic sent on a trusted clear interface. R75.46,
R77.10
00882003 Crash in VPND process when using the same username multiple times. R75.46,
R77.10
00942046 Size of certain kernel tables (ike2esp, peer2ike, ike2peer) was not defined according to relevant properties in SmartDashboard. R75.46,
R77.10
01059469 Site-to-Site VPN with 3rd Party fails. Debug of VPND process shows: "encapsulation mode not supported: 3" -
01118184 Importing of 3rd party certificate with 'Authority Key Identifier' CRL Extension fails with 'Unhandled critical extension 2.5.29.36' error in SmartDashboard. R75.47,
R77.10
01291153,
01296221,
01296222,
01296223
LDAP queries from gateway during VPN connection are syntactically wrong - "=" between member and CN is missing. R77.10
Security Gateway
00903453 Significantly improves the policy download time (performance) on the Security Gateway side. The whole policy download takes less time. R75.45
00880389 Fixes the case where after enabling the Complementary Log server, part of the logs are not sent by the Security Gateway to the Primary Log Server. R75.45
01004154 Added an option to configure the timeout limit for authentication request via Captive Portal. Previously, it was hard-coded to 15 seconds. R75.46,
R77.10
01062295 Kernel can crash when 'vpnk_send_thru_cpas' function sends NULL pointer. -
01080183 Due to rare circumstances, mail might be bypassed by Anti-Spam due to temporary scan failure. R75.47,
R77.10
01147699 Firewall crash on IPSO 6.2 MR4. -
01360359,
01361990,
01361991
Blobs were not fetched by the Security Management and caused disk space issues.
Refer to sk98475.
-
Reporting Tool
00886867 Network Activity by Day of the Week is not correct when compared to the numbers in the table. -
00944187 Allowing the client to decide whether dbsync will perform full sync at startup or not. -
SmartDashboard
00886043,
00887781,
01295378,
00888608
SmartDashboard crashes when using 'Unused objects' filter in 'Network Objects' window.
Refer to sk97266.
R75.45
00880020,
00897954
The GUI exhibits unexpected behavior when an object name contains the following pattern: "_I-".
Refer to sk72200.
R75.46,
R77.10
00914692,
00915226
Importing certificate for Mobile Access Blade portal causes GUI to freeze. This happens after importing of 35 certificates. -
01047297 Memory leak in FWM process. -
01081397 Policy verification does not recognize two identical rules as duplicated. -
SmartView Monitor
01512770,
01514327
When exporting a SmartView Monitor report for the month in text format (per sk67560), only 26 days are exported in the report, even though you can see 30 days in the graph before exporting.
Refer to sk103429.
-
Application Control
00890183 'Google Images' and 'Google Videos' applications are not blocked. -
00853153 Traffic that should be blocked by Application Control might pass when two custom applications get the same UID in SmartDashboard.
Refer to sk91320.
-
SNMP
00888001 SNMP Trap configured for 'Interface Link Status' via 'threshold_config' utility is not sent on SecurePlatform OS.
Refer to sk89073.
R75.45
00895459 Output of a 'snmpwalk' command with 'exec' extension or 'extend' extension is limited (NET-SNMP Bug #1259323). -
00899666 /var/log/messages file repeatedly shows 'snmpd[PID]: ioctl 35123 returned -1'. -
01136054 It is not possible to send SNMP Trap in the event of a ClusterXL failover to multiple Trap Servers.
Refer to sk93455.
R75.47
01136054 It is not possible to send SNMP Response / SNMP Trap from specific IP address.
Refer to sk93644.
R75.47
01380346,
01380388
SNMP clear traps are sent automatically.
Refer to sk98947.
-
Logging
00892295,
01293847 
All confidential fields in Application Control / DLP / HTTPS Inspection logs are replaced with "******" in the output of the "fwm logexport" command.
Refer to sk113139.
R77.10
00918019 FTP accounting logs do not count the data connection. R75.45
00936055 The FWD process may crash soon after it is started. Fixed wrong initialization of cyclic logging scheduling. R75.46,
R77.10
01075493 SmartView Tracker: In the "changes" field of a management record, there is no word wrapping. -
Security Management
- Policy installation seems to be stuck at 84% in the SmartDashboard, but installed correctly on the Security Gateway. Fixed by hotfix for management server. R75.45
00900530,
00900558,
00900563
Various memory leaks during policy installation. -
01054133 No 'mgmtha' feature in license on Multi-Domain Security Management Server. Added 'mgmtha' to DMN-x like licenses in the cp.macro. R75.46,
R77.10
01053576,
01109748,
01055166,
01055167
Shared secret change in a VPN community is not saved in Database.
Refer to sk92516.
R75.46,
R77.10
01321562 SIC with VPN Security Gateways is broken every several days because IKE CN is the same as SIC CN. -
Mobile Access
00892221,
00892958
Enrollment failure with iPhone, if Mobile Access certificate contains special characters. -
00909530 ICS update failed when $FWDIR/ICS/update/incoming/ics_indx.txt was larger than 16000 bytes. R75.46,
R77.10
00919534 Not able to see the embedded native application links when connecting with SSL Network Extender on non-English Windows OS. R75.47,
R77.10
01090471 Merged the fix for Apache bug # 42829. R75.47,
R77.10
01106514 Cookies with double quotes or pipe characters are sometimes incorrectly handled. -
QoS
00904214,
00410115
Machine freezes repeatedly and randomly. R75.45
00938353 When current policy package contains QoS Policy, the SmartDashboard R75.30 crashes when going from "Read Only" to "Read/Write" mode. -
NAC
00912862 Captive Portal causes rule base enforcement mismatch: "display captive portal" checkbox. R75.45
00912088 PDPD running with high CPU. R75.45
00914806,
00920449
Identity Awareness ADQ logging: Setting "log_user_ad_logins" is not correctly filtering all log-in and log-out logs produced by the AD Query module. R75.45
VoIP
00915601 'Soft lockup - CPU#N stuck for 10s' errors in /var/log/messages files. R75.46,
R77.10
01379712,
01383038,
01413378,
01452565,
01465036;
01379691,
01383036,
01413392,
01465032,
01452562
External VoIP phones are not able to connect to Internal VoIP phones (behind the Security Gateway) that use Gatekeeper because 'alternativeAddress' in H.225 Facility Message payload is not NATed.
Refer to sk98970.
R77.20
SNX
01024897 SNX that authenticates with RADIUS can crash the VPND process on the Security Gateway. R75.46,
R77.10
01054395 No access to internal network when using SNX. Packets are leaving Security Gateway with wrong destination MAC address.
Refer to sk65847.
-
Dynamic Routing
01039805 cligated: 'show running' command prints 'nexthop' for route-maps instead of 'next-hop'. -
SmartEvent
01113957 CPSEMD process keeps crashing. R75.47,
R77.10
Internal CA
01323357,
01346144,
01343905,
01346145,
01362289,
01427578
ICA Management Tool (sk39915) shows that several certificates that should have expired, still appear as 'Valid'.
Refer to sk101049.
R77.20
01409969,
01410821,
01426955;
01405944,
01410824,
01410831,
01426953
  • Expired certificates cannot be deleted in Internal CA Management Tool.
  • Internal CA Management Tool does not show any expired certificates.
Refer to sk101049.
-
