This article lists all of the R75.40 specific known limitations.
This is a live document that may be updated without special notice. We recommend registering for our weekly updates in order to stay up to date. To register, go to UserCenter > My Profile > My Subscriptions.
If you upgrade from R75.40 with fox_hf_ha40_057 or foxx_hf_ha40_066 hotfixes, installation will stop with errors. Uninstall the hotfixes and then install this release.
-
00944702
If an R75.40 Windows machine to be upgraded to R75.45 release already has a hotfix or HFA installed prior to R75.40, the crs.xml file must be deleted manually, if it exists. For example, if the hotfix is for FireWall on Windows, crs.xml can be in: C:\WINDOWS\FW1\R75.40\FW1\conf\crs.xml
Upgrade on a Solaris platform completes with error. If you deployed a Security Gateway 80 with the IPS blade enabled, update the IPS database on these appliances. Otherwise you can safely ignore this error.
Connection with SmartDashboard to freshly installed R75.45 SecurePlatform Security Management Server fails with 'Unable to get idle-time workstation locking policy' error. Refer to sk111293 (Scenario 5).
The values of RAD debugging environment variables 'CP_RAD_ELG_FILE_NUM' (controls the number of rotated debug output files) and 'CP_RAD_ELG_FILE_SIZE' (controls the size of each debug output file) are not applied - RAD debug ('rad_admin rad debug on all') runs with default values of 10 output debug files with maximal size 20 MB for each file. Refer to sk95889.
'fw sam' command fails to process the SAM rule with "sam: Name_of_GW_Object (FW_Index/FW_Total) ... failed 'Syntax of SAM rule' processing" error. Refer to sk97306.
Specific traffic is dropped by Security Gateway, although it should be accepted by the relevant security rule. This happens because, in the FireWall rulebase, the Service may be evaluated before the Source or the Destination. Refer to sk97876.
If you use Gaia Automatic Software Updates to uninstall R75.45, you must reboot the machine after the uninstall.
-
01045667
During installation on Gaia through Software Updates, if you see error messages such as "Unable to connect" or "Failed to acquire the lock", click 'OK' and ignore the message.
-
01051080
On a Multi-Domain Security Management Server, if the FWM daemon of some Domain Management Server does not start after installation or uninstallation of R75.45, you must run these commands:
If you install R75.45 with Gaia Automatic Software Updates, Gaia Portal loses connectivity. Workaround: configure the Gaia Portal to work on a port other than 443 (HTTPS).
To change the Gaia Portal port:
In SmartDashboard, edit the Security Gateway object.
In the left pane, go to 'Platform Portal'.
In the 'Main URL' field, add a port other than 443 at the end of the URL. For example, "url:4434".
With Gaia Automatic Software Updates on Multi-Domain Security Management environment, if the DAService terminates on error or after reboot, the DAService does not restart automatically. Workaround: Create a watch-dog script that runs this command: /opt/CPda/bin/DAService
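One way to write the watchdog script mentioned above, as an added example that is not Check Point's own code: it looks in /proc for a live process named DAService and starts /opt/CPda/bin/DAService only when none is found. The function names, the `run` argument, the script and log paths, and the cron schedule are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): watchdog for the DAService workaround.
# Assumed cron entry, once a minute (script path is hypothetical):
#   * * * * * /home/admin/da_watchdog.sh run

DA_BIN="${DA_BIN:-/opt/CPda/bin/DAService}"    # command given in the article
DA_LOG="${DA_LOG:-/var/log/da_watchdog.log}"   # assumed log location

# Succeed if a live process's command name equals the basename of $1.
# In /proc/<pid>/stat, field 2 is "(name)" and field 3 is the state.
da_is_running() {
    want="($(basename "$1"))"
    for stat_file in /proc/[0-9]*/stat; do
        # A process can exit between the glob and the read; skip it.
        read -r _pid comm state _rest 2>/dev/null < "$stat_file" || continue
        # A zombie (state Z) keeps its name but is not a running service.
        [ "$comm" = "$want" ] && [ "$state" != "Z" ] && return 0
    done
    return 1
}

# Start $1 unless it is already running.
# Prints one of: running, restarted, missing.
da_watchdog_once() {
    bin="$1"
    if da_is_running "$bin"; then
        echo running
    elif [ ! -x "$bin" ]; then
        echo missing
    else
        # Detach from our stdio so cron does not wait on the service.
        "$bin" </dev/null >/dev/null 2>&1 &
        echo restarted
    fi
}

# Cron entry point: log state changes only, not every healthy check.
if [ "${1:-}" = "run" ]; then
    result=$(da_watchdog_once "$DA_BIN")
    [ "$result" = "running" ] || echo "$(date) DAService $result" >> "$DA_LOG"
fi
```

Matching on the command name avoids starting a second copy when the service was launched by something other than this script.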
When an IP Series appliance is upgraded to R75.45, this error shows and can be ignored: "Global Params logs send output".
-
01014565
During installation of R75.45 Gaia on IP Series appliances, if you run a backup, the size of the backup file is incorrectly reported for file sizes smaller than 1 MB.
-
21400 Appliance
01011236
To upgrade a 21400 appliance from R75.40 to R75.45 with the new SAM and Acceleration-ready card:
Make sure the new card is not installed in the appliance.
Upgrade to R75.45.
When prompted to reboot, halt the appliance and power off.
Insert the new SAM and Acceleration-ready card.
Power on the appliance.
-
Security Management
01075154, 01076096
On Security Management server running on Windows OS, Scheduled IPS update does not work. To get a fix for this issue, contact Check Point Support.
"Administrator failed to log in: No SIC error message" error in SmartView Tracker for "Unknown" type Application log when working with Tufin Admin Login. Refer to sk92749.
Administrator user created via 'cpconfig' on Security Management Server is not synchronized to the peer Security Management Server in Management HA deployment. Refer to sk92736.
On appliances running Gaia and SecurePlatform, Domain Management Server logs are created on '/var/opt/' partition. To fix the logs path, refer to sk83601.
-
00899202
'mds_restore' operation fails on Multi-Domain Security Management Server R75.40. Refer to sk72080.
-
01057689, 01060351, 01082199, 01060350
The settings in '$MDSDIR/conf/mds_exclude.dat' file do not work on mds_backup on Multi-Domain Security Management after upgrade to R75.45. Refer to sk86880.
SmartView Tracker 'Management' log shows false positive log in failures (from MDS and from Domains):
Application: Unknown
Subject: Administrator Login
Operation: Log In
Status: Failure
Type: Log
General Information: Administrator failed to log in: No SIC error message
Deploying the MSI package of Identity Agent using GPO rule fails with error "Please uninstall the Identity Agent from the Control Panel. Changing the Identity Agent from "Light" To "Full" or from "Full" to "Light" requires manual uninstall."
In Identity Awareness environment with identity sharing, identities created by a local Security Gateway that are on the same 32/28 network as identities created by a remote Security Gateway might be lost on rare occasions.
When Identity Awareness is running with both AD query and Identity or Multi User Host Agents as identity sources, the agents might occasionally disconnect with "Invalid Session" message.
Unable to install policy with URLF enabled. Refer to sk103048.
IPS
01140621, 01145008, 01140826
Citrix traffic is dropped by IPS with log 'Citrix Enforcement Violation' when Security Gateway is running Gaia OS with 64-bit kernel. Refer to sk92720.
"Message to User: An error has occurred while processing this DLP message" Alert log in SmartView Tracker when processing AutoCad files. Refer to sk98310.
-
Mobile Access / VPN
01071316, 01071534, 01071535, 01071536
Login to File Share with comma (,) in the password is not possible. Refer to sk88500.
New applications that require approval incorrectly display MD5 warning dialog:
The server presented a certificate that uses a security method vulnerable to forgeries. The authenticity of this server cannot be guaranteed. You are advised to contact your system administrator before continuing.
On 64-bit machines, Web Applications in SNX incorrectly prompt for approval - the user is prompted to approve the application when user attempts to launch it. Related limitation - 01190814.
Proxy ARP in Gaia VRRP cluster does not function properly. When many interfaces are configured in the VRRP (~50), the /proc/net/varp file becomes corrupted and sometimes crashes the machine.
Large number of VRRP backup addresses causes confd and searched processes to consume the CPU at 100% for a long time on every configuration change in VRRP Simplified Mode cluster running on Gaia OS. Refer to sk92926.
-
01168228, 01166969
When running 'show backup-scheduled backup_file_name' command, Clish crashes with:
Backup in SecurePlatform WebUI / Gaia Portal via FTP fails with 'User name contains illegal characters' error when user account contains hyphen ("-") sign. Refer to sk104104.
VRRP cluster member freezes when removing a VLAN from a VRID configuration and error 'kernel: unregister_netdevice: waiting for VLAN_NAME to become free. Usage count = 1' appears repeatedly on console and in /var/log/messages. Refer to sk93544.
Gaia Portal crashes with error "Unable to connect to the server. Press OK to reconnect." when TACACS / RADIUS user with adminRole privileges changes "Roles" settings (change/add a role) in Gaia Portal. Refer to sk91420.
/var/log/messages file on Security Gateway running Gaia OS and SmartView Tracker logs from Security Gateway running Gaia OS repeatedly show the following messages about Hardware Sensors:
Several times per second in /var/log/messages file:
xpand[PID]: Sending request to System Interface
xpand[PID]: The max bit is 0 value is 0 max is 0.000000
xpand[PID]: The min bit is 0 value 0 min is 0.000000
Every minute: xpand[PID]: Note: no Name_of_Sensor sensors
IPv6 Router Discovery is not supported on ClusterXL. IPv6 Router Discovery can be used only with the VRRP clustering solution, or on single Security Gateway.
-
01138574, 01139359, 01139366, 01139368, 01139369
Changing OSPF route redistribution metric for a route with overlapping subnet can cause an extra LSA to be added to the database.
In ClusterXL, when multiple interfaces are used for OSPF, and the same interface is disconnected on both cluster members, OSPF Hello messages might not be sent on the other OSPF interfaces from the member that is in 'Active Attention' state. Refer to sk95246.
-
01355732
Standby member crashes when PIM is configured with more than 20 OIFs.
-
00891805, 01868791, 01868975
'ip rule list' command on Gaia OS shows duplicate PBR rules. Refer to sk109101.
When SecureXL is enabled, errors are displayed and then gateway reboots. Errors:
SIM: sim_db_get_conn: Error !!! connection <...> already freed
drv_write_lock: already locked. name = CI, current = simtcp_validate_tcp, previous = NONE, level=0
The 'Origin' column in SmartView Tracker logs (on 'Network & Endpoint' tab) always shows the Security Gateway's object name instead of its IP address even though the 'abc' button (Resolve IP) in the Query Toolbar is un-pressed (i.e., IP addresses are not resolved).
Filtering the logs by Security Gateway's object name in the 'Origin' column does not work.
When the font size on the SmartConsole Windows OS machine is set to 125% (in Control Panel -> Display -> Medium (125%)), checkboxes of gateway machines disappear from the policy installation dialog. When attempting to install policy, you may receive the error pop-up "No Machines Eligible for Installation".
-
01124725, 01132295, 01132296, 01132297
In some conditions the Edge status shows 'OK' on the 'Devices' menu although it is not connected.
When downloading the 'R75.45 SmartConsole' package from R75.45 Security Management Server via SecurePlatform WebUI / Gaia Portal, the SmartConsole package that will be downloaded is actually 'R75.40 SmartConsole'. Refer to sk91582.
Error appears repeatedly for SmartReporter/SmartEvent in Windows Event Viewer - Application log:
Source: PostgreSQL
Event ID: 0
ERROR: schema "mysq" does not exist
STATEMENT: delete from mysql.user where host='build' or user = 'PUBLIC'
Refer to sk92862.
The following errors appear repeatedly for SmartReporter/SmartEvent in Windows Event Viewer - Application log:
Source: PostgreSQL
Event ID: 0
ERROR: syntax error at or near "s" at character N
STATEMENT: SELECT * FROM Attack_Info WHERE Attack_Info_code = 14928 OR Attack_Info_name='Connections table's denial of service prevention mechanism'
$RTDIR/log_consolidator_engine/<IP_Address>/lc_rt.log file shows repeatedly:
[LogConsolidator] Error:'ATTACK_INFO' - can not set field's value
[LogConsolidator] Warning:failed to process current Log record (FileName:fw.log, FileID:..., Pos:...)
[LogConsolidator] Error:failed to insert ATTACK_INFO inter_code data (Connections table's denial of service prevention mechanism) into table
[LogConsolidator] :ERROR: syntax error at or near "s"
LINE 1: ...de = 37727 OR Attack_Info_name='Connections table's denial o...
^
Proxy ARP addresses of the NATed hosts are erased on the Gaia VRRP Master member from the Check Point ARP Kernel table 'arp_table' (output of 'fw ctl arp' command returns 'No proxy ARP entries') after fail-over and fallback. Refer to sk93534.
The SNX connection from command line "snx -l <CA_Dir> -s <Server>" fails with "SNX: Authentication failed" when authenticating with a user certificate. Refer to sk101588.
-
Anti-Virus
01177282, 01182583, 01294565, 01294566
Traditional Anti-Virus inspects files although it should not according to configuration. Refer to sk98715.