R75.40VS Known Limitations
Solution

This article lists all of the known limitations of R75.40VS.

This is a live document that may be updated without special notice. We recommend registering to our weekly updates in order to stay up to date. To register go to UserCenter > My Profile > My Subscriptions.

Important notes:

 

For more information on R75.40VS, see the R75.40VS Release Notes,
R75.40VS Home Page and R75.40VS Resolved Issues.


There are two Known Limitation tables in this article. The first table lists limitations of the release as per design, and the second lists issues that were encountered after the release.
This table lists limitations of R75.40VS as per design.

Table of Contents

  • Installation and Upgrade
  • VSX
  • VoIP
  • Firewall
  • Application Control
  • Identity Awareness
  • IPS
  • Security Management
  • SmartConsole
  • SmartProvisioning
  • SmartView Monitor
  • SmartReporter
  • SmartEvent
  • Multi-Domain Management / Provider-1
  • Anti-Bot and Anti-Virus
  • Mobile Access / VPN
  • Dynamic Routing
  • SecurePlatform and Gaia
  • ClusterXL
  • SNMP
  • SecureXL

 

ID Symptoms Integrated In
Installation and Upgrade
00905977 Starting with R75.40VS, installation on the Solaris platform is not supported. Therefore, there is no installation CD or DVD for Solaris. You can still export an older version of Multi-Domain Server on Solaris using the same procedure as in previous versions with the installation CD or DVD for SecurePlatform or Linux (instead of for Solaris). -
00924128 Gaia Portal may disconnect, without notice, during the upgrade via Gaia Portal from R75.40 to R75.40VS, if there is at least one activated software blade that uses the Multi-Portal infrastructure (e.g., Mobile Access blade).
Refer to sk79521.
R75.45
VSX
01275204,
01347336,
01356743
In SmartView Monitor - "System Counters", "Firewall History" and "System History" do not show any data for Virtual Systems.
Refer to sk98013.
-
01453316 Check Point VSX OID Branch 1.3.6.1.4.1.2620.1.16 cannot be queried per Virtual System. The SNMP response contains the data from all configured Virtual Systems.
Refer to sk90860.
 -
01466618

To query a VSX Gateway / VSX cluster member over SNMPv2 / SNMPv3, the query should be sent to the VSX machine itself (context of VS0):

  • In DMI configuration:
    • In case of a single VSX Gateway, the SNMP query should be sent to the IP address of the DMI interface.
    • In case of a VSX cluster, the SNMP query should be sent to the physical IP address (of the DMI interface) of each cluster member.
  • In non-DMI configuration:
    • The SNMP query should be sent to the physical IP address of the external interface on the VSX machine.
Refer to sk90860.
-
01426098 After clean installation of VSX Gateway, before running the 'vsx_util reconfigure' command on the Security Management Server / Domain Management Server, the SNMP Agent on VSX Gateway should be disabled. Otherwise, the reconfigure process will fail.

If the reconfigure process failed:

  1. Reset the SIC on VSX Gateway (per sk65764)
  2. Disable SNMP Agent on VSX Gateway in Clish (with 'set snmp agent off' and 'save config' commands)
  3. Run the 'vsx_util reconfigure' command on the Security Management Server / Domain Management Server
    Important Note: Do not resume the reconfigure operation when prompted.
-
01456150 In SmartDashboard, it is not possible to select VSX Gateway itself as 'Next Hop Gateway' in 'Advanced Routing Rule':
  1. Open Virtual System / Virtual Router object.
  2. Go to 'Topology' pane.
  3. Click on 'Advanced Routing...' button.
  4. Click on 'Add...' button.
  5. When configuring a rule, VSX Gateway itself does not appear in the 'Next Hop Gateway' list (only other Virtual Systems / Virtual Routers appear).
-
00933940 You must configure these advanced settings separately on each Virtual System. If you only configure VS0, the settings are not applied to the other Virtual Systems:
  • IP Fragments (SmartDashboard > 'IPS' tab > Protections > IP Fragments)
  • enable_ip_options (SmartDashboard > 'Policy' menu > Global Properties > SmartDashboard Customization > Configure > Firewall-1 > Stateful Inspection).
-
00865982 When using VSLS clusters with three or more cluster members, the HitCount may be inaccurate. For Virtual Systems that are in Backup mode, and become the Active member - when they return to Backup mode, the HitCount statistics for the previous time interval are lost. The maximal length of a HitCount time interval is three hours. R76
00892773 VTI interfaces are not supported in VSX mode. -
00892775 IPSec VPN is not supported on Virtual Systems in Bridge mode.
Refer to sk101371.
-
00892779 Multicast packets are not encrypted between 2 Virtual Systems on an IPSec VPN tunnel. -
00913455 Configuring Jumbo Frames on a Virtual Switch in a non-DMI configuration is not supported. -
00930018 When using a Dynamic Routing configuration, the routing protocols and settings must be identical on all cluster members. -
00916103 Converting a non-DMI VSX Gateway or cluster to a Security Gateway or cluster is not supported. -
00939130 IPS contracts may not be applied to a Virtual System.

Workaround:
From the Multi-Domain Security Management server, run these commands:
[Expert@HostName]# mdsstop
[Expert@HostName]# mdsenv
[Expert@HostName]# mcd conf
[Expert@HostName]# cd mdsdb
[Expert@HostName]# rm vsx_lic_update_status.C
[Expert@HostName]# rm CPMILinksMgr.db
[Expert@HostName]# mdsstart
R76
00936366 VSX does not support DHCP clients. Do not run Gaia CLI commands for a DHCP client on a VSX Gateway. You can enter these commands, but they will fail. R76
- User Authentication is not supported. (Legacy) -
00913954 Do not configure local address when configuring BGP in a cluster configuration. BGP will use the best available interface to connect to the peer. -
00939306 When using SmartDashboard to remove interfaces, you must first disable BOOTP configurations on the interface. In clish, run:
HostName> set bootp interface <interface_name> off
-
00910674 Defining IP Pool NAT on a cluster member interface in a VSX cluster is not supported. -
00943335 When configuring CoreXL using the 'cpconfig' command, only VS0 is configured. If you run the 'cpconfig' command from a different context, only VS0 is configured. Use SmartDashboard to configure other Virtual Systems. R76
00920612 When using a VSX cluster configuration with Dynamic Routing, private member IP addresses are advertised to the neighboring routers. The range of the advertised IP addresses can mask other IP addresses on the network.

Workaround:
Change the range of the private member IP addresses on the VSX cluster.
-
00948143 When a VSX Gateway is created on one DMS (Domain Management Server) and a Virtual System is created on a different DMS, you cannot install the policy on the Virtual System.

Workaround:
  1. Add a rule for the VSX Gateway (and any other VSX cluster members) that allows traffic on TCP port 18191 from the DMS (Domain Management Server) with the Virtual System to the VSX Gateway.
  2. Repeat Step 1 for each Virtual System that is not on the main DMS.
  3. Install the policy onto the VSX Gateway / VSX cluster object.
R76
00989478 VSX does not support FloodGate-1 (QoS). -
00211938 Virtual Routers are not supported in these configurations:
  • ClusterXL Virtual System Load Sharing (VSLS)
  • Per Virtual System state
-
01070096,
01070157,
01070158
Remote access users fail to connect to R75.40VS gateway. -
01073455 Synchronization problem on OSPF routes in ClusterXL VS Load Sharing mode after rebooted member comes up. -
00940656 In some cases, when creating a VSX Gateway configuration that uses a Virtual Switch for a shared interface, the Virtual Switch is created without 'Trust' (refer to the output of 'vsx stat -v' command).

Workaround:
  1. Open SmartDashboard and double-click on the Virtual Switch object.
  2. Click 'OK'.
Trust is established with the Virtual Switch after the configuration is sent to the VSX Gateway.
R76
01059552,
01060162,
01060163
When a cluster member comes up after a reboot, RouteD daemon on the Virtual System fails to synchronize routes from the other cluster member before becoming active. R77
01077572,
01079040,
01079043
RouteD daemon consumes 100% CPU with VRRP and BOOTP/DHCP Relay configured. R76
01140022,
01168878,
01140793,
01225518,
01140791,
01183774,
01140792
Failover occurs randomly in VSX cluster because Critical Device 'VSX' reports its status as 'problem'.
Refer to sk93599.
R77.10
01181667 'Connection failed' error in SmartView Tracker IPS log when clicking on 'View Packet Capture' in a log generated by a Virtual System.
Refer to sk93342.
R77.10
01193346 VIP for interface 'A', configured on some VS, disappears when a Virtual Switch with 'AB' interface is added to VSX cluster (string A is an exact prefix of AB). For example, VIP for eth1.6 is missing on the CLI when there is a VSW with eth1.617 interface configured. R77.10
01259557,
01268507,
01259507
SAM Block rules are not supported in VSX mode. -
01112397,
01127089,
01276476,
01212758,
01139923,
01119558,
01213749
Packets larger than 1500 bytes do not pass through VSX Virtual Devices (e.g., Host1 - VS1 - VS2 - Host2).
Refer to sk96466.
R75.40VS on 61000,
R77.10
01076260,
01158636,
01143366
Multiple 'fw' core dump files for all Virtual Systems.
Refer to sk97126.
R75.40VS on 61000,
R77
01303205,
01303218,
01303219
VSX cannot be used as Virtual System in bridge mode. R77.10
01189237,
01061937
When running 'cpstop' on one of the cluster members, the Active member drops packets as spoofed.
Refer to sk97569.
R76
01246585,
01246964,
01246965,
01246966,
01299329
The fwk process crashes after running 'cpstop ; cpstart' commands on VSX Gateway.
Refer to sk102070.
R77.10
01101915,
01182619,
01108646,
01108647,
01192776,
01235365,
01344402,
01490514
FWK process on VSX Gateway might crash when SMTP traffic is passing through Virtual System.
Refer to sk104013.
R76SP on 61000,
R77
01146576,
01146497
Virtual System is not able to start (the fwk process crashes) when using Domain Objects in security rules.
Refer to sk93346.
R76SP on 61000,
R77
01105401,
01220170,
01177829,
01232982,
01223068
VSX cannot create 20 Virtual Systems - the operation fails on Virtual System #18 due to a timeout.
Refer to sk97571.
R76
01209788,
01039188
After changing the interface configuration, the changes are not committed to the routing table.
Refer to sk97583.
R76
01323489 Virtual System in Bridge mode does not support more than two interfaces. -
01321667,
01323048,
01361452,
01365127
"KERPHY0069 Static Arp IP instance does not belong to any existing subnet" error in Clish when using the 'add arp static' command to configure a static ARP entry on one of the interfaces that is shown in Clish ('show interfaces' command) with the Funny IP address (IP address that belongs to Internal VSX Communication network).
Refer to sk98852.
-
01324138 VSX does not support SNMP traps when working in SNMP Per VS mode. -
00186960 When enabling Per Virtual System High Availability or VSLS, each Virtual Switch must have a physical interface that provides connectivity between cluster members.
Refer to sk36980.
-
00935493 DHCP Server does not work on a R75.40VS Virtual System other than VS0 (context of VSX Gateway itself).
Refer to sk79281.
-
VoIP
00830663 Hide NAT on H.323 Endpoints is supported only when the AliasAddress used in a RAS message RRQ (Registration Request) is dialledDigits. For example, an AliasAddress of type h323-ID is not supported with Hide NAT. Incoming calls to such endpoints will fail. -
00885529 VoIP IPS protections, which were supported in R65 versions (see the 'IPS Supported From' column) are not enforced on R75.40VS Security Gateways. These old settings and protections are replaced with the new protections and settings and can be safely ignored. (For example: the old 'SIP Custom Properties', 'SIP Protections' and 'SIP Filtering'). -
00867313 In Proxy in DMZ topologies, in which a SIP Proxy and an endpoint reside behind two different internal interfaces and the endpoint uses SIP over TCP to register to the proxy, despite enabling NAT on the internal endpoint, the Security Gateway may fail to do NAT on its data connections (e.g., RTP/RTCP) with the proxy, or with other external endpoints. -
00338423 Incoming connections are lost, if a failover occurs in a ClusterXL with all of the following settings:
  • VoIP traffic is SIP over TCP
  • SIP Proxy is on the external network
  • VoIP Gateway is configured as 'Hide NAT behind the Gateway IP address'
  • SecureXL is enabled on cluster members
-
00376741 In Site-to-Site VPN environment with a Star community topology, SIP communication is only supported if the SIP Proxy is behind the Central Gateway. When the SIP Proxy is behind one of the satellites, SIP communication between the satellite gateways is not supported. -
00429873 When the Hide NAT changes source port for SIP traffic over UDP option in IPS > Protections > By Type > Engine Settings > SIP - General Settings is enabled, if the NAT configuration is changed on the endpoints that register to the SIP server, then after a policy is installed, new connections from the endpoints can be made only after:
  • Connections from these endpoints have expired from the Connections Table on the Check Point Security Gateway, and
  • The registration of these endpoints have expired from the SIP server (Proxy). In general, the connection expires after the period that the endpoint has registered in the proxy.
Alternatively, solve the problem by restarting the Check Point Security Gateway and the endpoints.
-
00370661 In some VoIP systems, it is possible to define several aliases for the same username. It is recommended, where possible, to avoid defining aliases. For example, it is possible to define in the VoIP server "John" as a username and "1234" as its alias. With this configuration, the server may write "1234" instead of "John" in the SIP messages. Since the IP phones register with the name at the server, the Check Point Security Gateway is not aware of the association between the alias and the name. This behavior may therefore cause some of Security Gateway's features, such as NAT and logging, to work incorrectly. -
00350509 In a SIP packet 'Via' header field, having several URIs is not supported. Only multiple 'Via' header fields are supported. -
00349512 In a SIP packet 'Contact' header field, having several URIs is not supported. Only multiple 'Contact' header fields are supported. -
00410142, 00527894, 00544542, 00508897

Avaya VoIP calls with Avaya Call Manager fail through Check Point Security Gateway.
Refer to sk104786.

-
00421931 If H.323 TCP keepalive messages are sent for a period of an hour or more, the call may be terminated. To prevent this problem, increase the timeout of the relevant H.323 service in SmartDashboard to the same timeout as the keepalive message. -
00924600 H.323 Signaling connections do not survive ClusterXL failover. Therefore, upon failover, H.323 VoIP calls may be disconnected. -
00903507 With SIP over TCP and H.323, there can be VoIP connectivity issues in a ClusterXL deployment with Hide NAT on internal VoIP endpoints behind the cluster's Virtual IP address. As a workaround, configure Hide NAT to use an IP address that is not the cluster's Virtual IP address. -
00893024 With Hide NAT, SIP Call Session logs in SmartView Tracker sometimes mistakenly show the same IP address in the Source and Destination fields. The correct Source and Destination IP phone extensions are still available in the log. -
00936623 Sometimes, Automatic IPS VoIP exceptions are not matched, and the H.323 or SIP protections are still enforced. When this happens, manually configure two IPS exceptions:
  1. In the 'Source' column, enter the problematic IP address.
  2. In the 'Destination' column, enter the problematic IP address.
-
01672433;
01165051
Due to changes in the structure of StartMediaTransmission packet (part of Cisco Skinny Call Control Protocol (SCCP)), sent from Cisco Unified Communications Manager (CUCM) v8.6.2 to Media Gateway, this packet is not parsed correctly by Check Point Security Gateway anymore.
Refer to sk93034.
-
01179635, 01186000, 01849555, 01186002, 01186001
VoIP H.323 traffic without the Q934 header does not pass through Security Gateway.
Refer to sk111591.
R77.10
01182834,
01183565,
01183589,
01184170,
01184169,
01184171
When starting a conference of several VoIP phones through the Security Gateway, some VoIP phones lose voice (no media (RTP) is passed) without disconnection. -
01252041 H323 RAS IP in the payload is not natted correctly. R77.10
Firewall
00921527 Legacy URL Filtering is not supported. -
01092980,
01094857,
01094858
Incorrect netmask displayed in clish when running show interface command. -
01164242,
01188022,
01186033,
01194227,
01172608,
01165879,
01166721,
01252219,
01251312,
01177590,
01195053,
01320525
Output of 'cphaprob -a if' command shows Bond interface as 'Down' in the context of any Virtual System.
Refer to sk93341.
R76SP on 61000
01153053,
01151082
Security Gateway randomly reboots when IPS or SecureXL is enabled.
Refer to sk93308.
R75.47,
R77
01199173 Using automatic NAT rules along with a manual rule with a service (any kind of service) causes this error:

"mismatch entry values width 16 in table 'NAT_rules' with width 15
Compilation failed.
Operation ended with errors.
"
-
00965657,
01216098,
01217419,
01217523,
01217524,
01217525,
01242454,
01247870,
01342019;
01242289,
01249221,
01295333,
01349692,
01357364,
01361187,
01365280
Performance degradation on Security Gateway when port scan test is performed through Security Gateway:
  • All traffic passing through the Security Gateway slowed down.
  • Output of 'top' command shows that some CoreXL FW instances ('fw_worker' processes) are overloaded (consume CPU at 80% and above), while other CoreXL FW instances are not utilized (do not consume CPU).
Refer to sk96068.
R76
00909368,
00912734,
01111227,
01308749,
01433278,
01438761

Policy installation / fetch on Security Gateway R75.40 / R75.40VS fails with the following possible errors in SmartDashboard:

  • Load on Module failed - no memory
  • Load on Module failed - failed to load Security Policy
Refer to sk101875.
R75.45
01477373,
01478414
Conflicting output of auto-negotiation between CLISH and ethtool.
Refer to sk102663.
-
Application Control
01184432,
01189565,
01212797,
01189566,
01189567,
01270217,
01189568,
01342981
RAD process crashes while browsing the Internet.
Refer to sk98192.
R77.10
Identity Awareness
00911724 When upgrading the Identity Agent from version R75.30 and lower, settings are not deleted, as they should be, when unchecking the box 'Keep agents settings after upgrade' (SmartDashboard > Security Gateway object > go to 'Identity Awareness' pane > go to 'Identity Agents' section > click on 'Settings' button > go to 'Agent Upgrades' section).
When upgrading the Identity Agent from R75.40 and higher, the settings are deleted as expected.
-
01155247,
01188734,
01188735,
01188736
Identity Awareness Multi User Host Agent fails to authenticate users with login name longer than 20 characters. R77.10
01287752 PDP process crashes on rare occasions. R75.40VS on 61000
IPS
01140621,
01145008,
01140826
Citrix traffic is dropped by IPS with log 'Citrix Enforcement Violation' when Security Gateway is running Gaia OS with 64-bit kernel.
Refer to sk92720.
R75.47,
R77
Security Management
00911104 If you log in to SmartDashboard with the superuser admin (defined in 'cpconfig') and then launch SmartView Tracker to a remote Log Server, you must enter the admin credentials again.

If you log in with credentials defined in SmartDashboard, SmartView Tracker opens without asking for credentials again.
-
00919814 If a policy cannot be installed after the Security Management server is upgraded, run 'cpstop;cpstart' commands. -
01155286,
01155686,
01155687,
01155688
When creating a certificate via ICA tool, it is not saved. R75.47
01258930,
01259342,
01259365
'cpca_client lscert' command fails with "Operation failed. rc=-1." error when there are more than 10 000 certificates defined. R77.10
01320641,
01320863
Failed to import Security Management server database with SmartLog to a CMA where SmartLog is not enabled.
Refer to sk97747.
R77.10
01385905,
01392376
Rulebase query search for services that are part of a group object fails.
Refer to sk99129.
-
SmartConsole
01058480 HitCount filter does not work in R75.40VS SmartDashboard. -
01084063,
01085629
SmartDashboard crashes when opening the 'IPSec VPN' tab in SmartDashboard. R76
01088895,
01088915
IPS update window does not pop up on R75.40VS SmartDashboard start up. R77.10
01125670,
01133853,
01142558,
01149815,
01133851,
01133852;
01166796,
01173108
"No Internet Connectivity" error appears in SmartDashboard on 'Anti-Bot & Anti-Virus' tab in Protections list.
Refer to sk93528.
R75.47,
R77,
R77.10
01133149,
01133696,
01133695,
01133694,
01136114,
01136039
SmartDashboard crashes when editing a Group Object or an Address Range Object that was just cloned.
Refer to sk92632.
R75.47,
R77
01200964,
01102102
SmartDashboard crashes when you start typing in the 'Type to query Firewall Policy' field above the Security Policy.
Refer to sk94164.
-
01149900 Following a migrate, and prior to explicitly pushing a policy, editing a VSX cluster object will result in overriding the existing policy with a default one. -
01301309,
01303104,
01303105,
01303106
Search for Network Objects in SmartDashboard in Firewall policy does not return the expected results - for example:
  • when searching for object's name and when searching for object's IP address / Netmask
  • when searching for several IP addresses using boolean operators AND / OR
Refer to sk97512.
R77.10
01160792,
01137589
Opening the Global domain SmartDashboard and quickly double-clicking on the SME global object causes SmartDashboard to crash.
Refer to sk97576.
R77
01160795,
01071911
At random, the Network object cannot be viewed because it is stuck on loading.
Refer to sk97578.
R76
01129462,
00950015
SmartDashboard crashes when opening a Security Policy while viewing the NAT policy and trying to interact with it (clicking, adding rule).
Refer to sk97580.
R76
01133502,
01133521,
01133640,
01150309
SmartDashboard crashes when adding/deleting a new VPN community.
Refer to sk97581.
R77
SmartProvisioning
00912706 SmartLSM (ROBO) gateways do not support Advanced Upgrade of the Security Management server.

Workaround:
After upgrading the Security Management server, reestablish SIC from the SmartLSM (ROBO) gateways to the Security Management server.
R77.10
00914793 After upgrading a Security Management Server, installing a policy from SmartProvisioning will not work unless the policy is fetched from the gateway using the CLI. R77.10
SmartView Monitor
00889402 In a Full High Availability deployment, the connected client list is empty. So SmartView Monitor cannot be used to disconnect clients of the cluster members. R77
01145833 Functionality to record data and play recorded data back is not available anymore (in previous versions: select a View in the left pane (e.g., 'Traffic') - select a counter - in the top bar a new menu appears named as the selected View (e.g., 'Traffic') - this menu contains 'Recording' sub-menu).
Refer to sk93033.
R77.10
01171433 SmartView Monitor crashes when playing back recorded data (select a View in the left pane (e.g., 'Traffic') - select a counter - in the top bar a new menu appears named as the selected View (e.g., 'Traffic') - select 'Recording' from that menu - select 'Play' - at this point, the crash occurs). This applies to the improved version of SmartView Monitor from sk93033. R77.10
SmartReporter
01092002,
01103211,
01103212,
01118709
SmartReporter 'Firewall Blade - Activity' reports show incorrect 'Traffic Size' information when the results are sorted by 'Bytes'.
Refer to sk92485.
R75.47,
R77
01116293,
01257535,
01125806,
01258461,
01259716,
01302387
SmartReporter shows incorrect Bytes values. R77.10
SmartEvent
01137445,
01166198,
01166199,
01166200
SmartEvent cannot process new events once it has reached the maximum capacity. R75.47,
R77
01191085 In SmartEvent, 'Account password reset' event does not show target user name. -
01255507,
01255516,
01255517,
01255518
When trying to search in SmartEvent using a filter:

'Events' tab - Query Tree - expand 'Predefined' - expand 'Application & URL Filtering' - expand 'More' - click on 'By Category' - right-click in the 'Application / Site' column - select 'Edit Application / Site Filter' - click on '+ Add application...' - start typing...

The following error pops up:

ModalDropDownContainer
Unhandled exception has occurred in a component in your
application. If you click Continue, the application will ignore this error
and attempt to continue.

Value does not fail within the expected range.
                    
Refer to sk95788.
R77.10
01321620,
01321712
SmartEvent GUI crashes. -
Multi-Domain Management / Provider-1
00920039 After an upgrade, a database synchronization from a Primary Multi-Domain Server to a Secondary Multi-Domain Server ends with the error:
"Management High Availability feature is disabled"

Workaround:
Delete the '/opt/CPmds-R75.40VS/conf/mgha' directory.
-
00991128,
00993269
When deleting a CMA on the command line using the 'mdscmd' command, the operation fails and FWM daemon crashes. R76
01047552,
01048058,
01048064
FWM daemon crashes on Domain Management Server after upgrade. R75.47,
R76
01057689,
01060351,
01082199,
01060350
The settings in $MDSDIR/conf/mds_exclude.dat file do not work on mds_backup on Multi-Domain Security Management after upgrade to R75.45.
Refer to sk86880.
R75.46,
R76
01131536,
01132024,
01132025,
01132026,
01217927
Gaia Database is locked after running 'mds_backup -g -b -L best -d /var/tmp' command.
Refer to sk95388.
R75.47,
R77
01209824 Creating Domain Groups in Selection groups is disabled. R77.10
01377371, 01377794 Debug information (*.pdb) is not exported for Domain Management Server. -
Anti-Bot & Anti-Virus
- For more information about Anti-Bot and Anti-Virus support in VSX mode, refer to sk79920. -
Mobile Access / VPN
01099734,
01138487
VPN route-based link selection does not work on Gaia, if a route has two associated gateways with the same priority. The gateways must have different priorities. R77
01295332,
01106621,
01303410,
01168249
The maximum CN length in Internal CA is limited to 256 characters.
Refer to sk97553.
-
01317805,
01320186,
01320187,
01342460,
01343235,
01376450,
01393084,
01412081,
01436459,
01453671
VPND daemon crashes randomly in an environment used by both IPSec SNX and Check Point Mobile app (iOS/Android).
Refer to sk98448.
R77.20
01339552,
01342329,
01342330
Remote VPN users are rejected by Security Gateway with the following log in SmartView Tracker:
Type: Log
Action: Reject
Reject Reason: IKE failure
Information: OM: USERNAME tried to connect, but you have reached the number of purchased licenses.
Encryption Scheme: IKE
Product: VPN-1 Power/UTM
Subproduct: VPN

Refer to sk98121.
-
01381022,
01381542,
01412083,
01459083,
01468193
Traffic over remote access VPN tunnels is interrupted during policy installation onto VPN Gateway.
Refer to sk98914.
R77.20
01445922 Stability issues when establishing 500 Visitor Mode connections.
Dynamic Routing
01068860 BGP peering fails on R75.40VS Cluster in VSX mode when using MD5 Authentication. -
01092647,
01092706,
01092707
Changing any setting in MCVR interfaces when working with a large number of interfaces causes a WebUI timeout. R75.46
01105356,
01110718,
00264072,
01238747,
01123319,
01140537,
01110717,
01188642
RouteD daemon on the Standby cluster member fails to synchronize with the Active cluster member.
Refer to sk95233.
R75.47
01118683,
01118726
OSPF Summary Link State LSA for default route is missing from VS sometimes. -
01124014,
01121719
RouteD child process on a Virtual System is terminated when adding a new warp interface on that Virtual System leading to a Virtual Router with 'if_get_address: duplicate address detected: 226.0.0.1/32' error in /var/log/messages.
Refer to sk93592.
R75.47,
R77.10
01159918,
01161745,
01161747,
01161748
Deleted routes still appear in the output of 'show route' command if the 'Kernel Routes' option is enabled, and routes were deleted, but not by RouteD daemon.
Refer to sk93627.
R75.47,
R77.10
00264054,
01208859,
01226498,
01256990,
01262859,
01306627,
01345851
OSPF routes are not pushed to the Gaia OS kernel when the involved interface flaps on cluster member(s).
Refer to sk97567.
R77
SecurePlatform and Gaia
00951808,
00952517
'ls -l' command does not show UID and GUID names, only numbers. R76
01010716,
01013754,
01013755
'save configuration' command in clish on Gaia OS does not create complete files. R75.46,
R76
01079779,
01080986,
01080987,
01113053
Running 'show /configuration' command in clish on Gaia OS results in 'Segmentation Fault' crash.
Refer to sk90142.
R75.46,
R76
01084356,
01084471
RouteD daemon crashes with 'Segmentation fault' when started under debug: 'routed -N -t all [<output_file_name>]'. Starting RouteD daemon under debug is not supported.
Refer to sk89903 and to sk86681.
-
01122219,
01123457,
01123458
When creating a Bond interface of two 10Gb interfaces and then checking the /proc/net/bonding/bond0 file, there are no slave interfaces. R75.47
01133497 Timezone data for Israel is not updated. -
00981634,
00982105,
00982109,
01118403
Syslogd messages in Gaia in /var/log/messages:
  • syslogd: sendto: Invalid argument
  • syslogd: sendto: Bad File Descriptor
  • syslogd: sendto: Connection refused
Refer to sk83160.
-
01049568 PPPoE username with leading "0" (zero) is not saved correctly on Gaia OS.
Refer to sk86400.
R76
01181119 It is possible to set an unsupported auto-negotiation mode on an interface via clish and WebUI. R77.10
01176854,
01182440
User that is authenticated on RADIUS (rba role 'radius-group-any'), is able to connect to R75.40VS in VSX mode over SSH, but is not able to switch from context of VS0 to other contexts (error: 'NMINST0069 cannot access to the virtual-system').
Context switching works correctly over SSH connection to R75.40VS in Gateway mode.
Refer to sk93507.
R77.10
01191195,
01192051
Non-preempt mode in Advanced VRRP does not work properly when configured via WebUI. Entries in the /config/active file are saved with "true" or "false" values instead of "t" or "". R77.10
01216788,
01216822,
01216823,
01216824
Scheduled backup is not shown in Show Configuration or in Save configuration. R77.10
01229531,
01229999,
01230000,
01230001,
01260171,
01260866,
01260960,
01397561
'confd' daemon consumes the CPU up to 100% when using Gaia Portal.
Refer to sk95238.
R77.10
01203416,
01284836,
01284837,
01284838
  • 'tacacs_enable' command fails to authenticate user on Gaia OS.
  • The following errors appear when attempting to authenticate using TACACS+:
    This system is for authorized use only.
    CLINFR0829  Unable to get user permissions.
    CLINFR0599  Failed to build ACLs.
                                
Refer to sk96566.
-
01095300,
01086417
Security Gateway freezes when passing IPv6 traffic while SecureXL is enabled.
Refer to sk97582.
R76
01319366,
01321433,
01370011
Gaia Clish command 'show rba role monitorRole' shows that the built-in 'monitorRole' can run extended commands, which it is not allowed to do.
Refer to sk98115.
R77.20
01318867,
01321216,
01369738,
01374588
Zombie process 'cciss_vol_statu' appears on HP Open Server running Gaia OS.
Refer to sk97857.
-
01515480 It is not possible to restrict the advertising of a specific speed on multi-speed 1G/10G Fiber interfaces that use the IXGBE driver.
Refer to sk103524.
-
ClusterXL
01101309 The cphaprob syncstat command reports incorrect IDs of F&A Peers. -
01117649 Rebooted member fails to perform full sync when there is an active IPv6 FTP data connection through the cluster. -
01079289,
01103133,
01081270,
01086900,
01095303,
01081271,
01089476,
01081272,
01101130
Non-Pivot cluster member on 21400 appliances drops the packets without any log when VMAC is enabled.
Refer to sk89321.
R75.46,
R76
01179920,
01188993,
01251661,
01252220,
01252221,
01252222,
01401522
IGMP groups are not learned on cluster member.
Refer to sk93327.
R75.47,
R77
01189225,
01205991,
01225520,
01234907,
01235269,
01244461,
01270013,
01271857,
01271858,
01271859,
01345898,
01413824,
01421590
ARP Requests sent from the Standby Virtual System cause switch to send traffic to the Standby Virtual System.
Refer to sk94564.
R77.10
01095270,
01100448,
01181476,
01344670,
01380898,
01380939,
01440720,
01441208
Traffic is lost when both cluster members are up because switches/routers send traffic to Standby member.
Refer to sk94565.
-
01153427,
01194226,
01175143,
01227274
'cphaconf show_bond -a' command shows incorrect number of Slave interfaces that does not match configuration in the $FWDIR/conf/cpha_bond_ls_config.conf file.
Refer to sk95087.
R75.40VS on 61000,
R76SP on 61000,
R77
01147068,
01147087,
01151771;
01143366
Clustering is not started on VSX cluster (after reboot, or after 'cpstart'/'cphastart').
Refer to sk97127.
R75.40VS on 61000
01312678 Output of 'cphaprob state' command on Crossbeam VSX shows "none" instead of Sync IP address.
Example:
Cluster Mode:   Sync only (OPSEC) with IGMP Membership
 
Number     Unique Address  Firewall State (*)
 
1 (local)  none            Active
2          2.2.2.2         Active 
                    
Refer to sk98701.
-
SNMP
01155774,
01157574,
01157575
Duplicate object 'fwEvent' in R75.40VS Check Point MIB file.
Refer to sk92825.
R77
01166621 SNMPv3 with USM 'authentication' configuration does not survive reboot on Gaia OS.
Refer to sk92937.
R75.47
01108189,
01145989,
01213024,
01272380,
01273375,
01273376,
01273377,
01278068,
01299357,
01316555,
01341167,
01366634,
01372379
SNMPv3 'snmpwalk' command is supported only in the context of VS0. All other contexts support only SNMPv1 / SNMPv2 'snmpwalk' command.
Refer to sk96271.
R75.40VS on 61000,
R76SP on 61000,
R77

01307345,
01323726,
01323373, (01307352,
01312689,
01307353,
01307351), (01332020,
01332046,
01323811), (01323812,
01331909,
01331867)

Lots of SNMP compilation errors on 61000 appliance. R75.40VS on 61000,
R76SP on 61000
SecureXL
01176603,
01179299,
01179300,
01179301
Standby member with enabled SecureXL running on Gaia OS, generates multiple logs about multicast traffic that is being dropped on the interface that points to Multicast Receiver due to Anti-Spoofing.
Multicast traffic sent from Multicast Sender to Multicast Receiver is actually forwarded by the Active member, and then switch forwards it to the Standby member:
Multicast Receiver <-> Multicast Router <-> Switch <-> Cluster <-> Multicast Sender.
R75.47
01176055,
01245261,
01202618,
01238152,
00264879,
01245023
Security Gateway randomly reboots when IPS or SecureXL is enabled - memory leak in cphwd_api_add_connection.
Refer to sk93308.
R77
00265151,
01178351,
01179954,
01393264
In VSX cluster with VMAC mode, traffic does not pass from Virtual Router to Virtual System when SecureXL is enabled.
Refer to sk93348.
R77.10
01689131, 01690642

SIM Affinity and CoreXL FW Instances might be using the same CPU cores:

  • Outputs of "fw ctl affinity -l -r -v -a" command and "sim affinity -l" command show that SIM Affinity and CoreXL are using the same CPU cores (despite the correct initial configuration).
  • Output of "cat /proc/cpuinfo" command shows that the processor numbers are not running from 0 to maximal CPU core in sequence.
Refer to sk106409.
-
