Support Center > Search Results > SecureKnowledge Details
R75.46 Known Limitations
Solution

This article lists all of the R75.46 specific known limitations.

This is a live document that may be updated without special notice. We recommend registering to our weekly updates in order to stay up to date. To register go to UserCenter > My Profile > My Subscriptions.

 

Important notes:

Also, refer to sk92644 - Recommended fix for CPUSE Agent builds lower than 342 (on R75.40, R75.40VS, R75.45, R75.46, and R76)

 

Table of Contents

  • General and Installation
  • Gaia Automatic Software Updates
  • Identity Awareness
  • URL Filtering
  • Anti-Malware
  • IPS
  • Security Management
  • Multi-Domain Management
  • ClusterXL
  • SmartEvent
  • SmartReporter
  • SmartDashboard
  • Gaia OS
  • SecurePlatform OS
  • IP Series appliances
  • Security Gateway 80
  • Mobile Access
  • SNMP
  • Security Gateway
  • VoIP
  • VPN
  • Routing
  • Security Acceleration Module (SAM)
  • SmartView Monitor
  • SecureXL
  • Application Control
  • 2012 Models Security Appliances

 

ID Symptoms Integrated In
General and Installation
01048259 If you upgrade from R75.40 with fox_hf_ha40_057 or foxx_hf_ha40_066 hotfixes, installation will stop with errors. Uninstall these hotfixes and then install this release. -
00944702 If an R75.40 Windows machine to be upgraded to this release already has a hotfix, or HFA installed prior to R75.40, the crs.xml file must be deleted manually, if it exists.
For example, if the hotfix is for FireWall product, then crs.xml can be found in C:\WINDOWS\FW1\R75.40\FW1\conf\crs.xml
R76
00733220 Upgrade on a Solaris platform completes with error. If you deployed a Security Gateway 80 with the IPS blade enabled, update the IPS database on these appliances.
Otherwise you can safely ignore this error.
R75.47
01040038 After upgrading to R75.46 on SecurePlatform OS, the Boot Menu incorrectly shows "Check Point SecurePlatform R75.40". -
01125131,
01125957,
01125958
Hardware SNMP does not work on IP Appliances IP690 and IP2450 running Gaia - the snmpwalk command fails. R75.47
01103851 DCE-RPC *.def files are not updated on exiting Domain Management Server when upgrading from R75.40 to R75.46.
Refer to sk92362.
R75.47
01154583,
01155307,
01155308,
01155310
SNMP gets wrong information on Gaia 64-bit for fwHmem-current-allocated-bytes R75.47
01166446 Uninstallation does not remove the CPSG80R75CMP-R75-40 package on Solaris OS, although it is shown that "SG80 R75.20 Compatibility Package" was uninstalled successfully.

Workaround: run pkgrm -n -a /opt/admin.txt CPSG80R75CMP-R75-40 after uninstall to completely remove this package.
R75.47
01180040,
01180043,
01181797
'[ERROR] Process DLPU_0 isn't monitored by cpWatchDog. Stop request aborts' messages in $CPDIR/log/cpwd.elg file after 'cpstop;cpstart' commands.
Refer to sk90961.
R77.10
Gaia Automatic Software Updates
01045667 During installation on Gaia through Software Updates, if you see error messages such as "Unable to connect" or "Failed to acquire the lock", click on 'OK' and ignore the messages. -
01051080 On a Multi-Domain Security Management Server, if the FWM daemon of some Domain Management Server does not start after installation or uninstallation of R75.45, you must run these commands:
  • [Expert@HostName]# mdsstop
  • [Expert@HostName]# mdsenv
  • [Expert@HostName]# rm -i $FWDIR/conf/install_manager/ConversionScheme.conf
  • [Expert@HostName]# mdsstart
-
01038950 If you install R75.46 with Gaia Automatic Software Updates, WebUI loses connectivity.
Workaround: Set WebUI default port to something other than 443 (for example, 4434).
-
Identity Awareness
01155853 Not all UserCheck portal files replaced on upgrade. R75.47
01276174,
01278825,
01288542,
01287218,
01287366,
01277870,
01288540,
01287131,
01294477,
01277947
On a Terminal Server or Citrix Server with Identity Awareness Terminal Server/Citrix (Multi-User Host) Agent installed, SAP logon fails with "No memory error" when more than one user tries to connect to the SAP GUI at the same time.
Refer to sk97829.
R77.10
01362283,
01363268,
01363270
HTTP connections for TCP services with non standard HTTP ports (e.g., port 5555, instead of port 80 or port 8080) are not redirected to Captive Portal.
Refer to sk98696.
-
01343794,
01344386,
01367420
Terminal Server Identity Agent debug output is printed to the Windows debug buffer. As a result, debug output of the involved processes is not embedded in their log files.
Refer to sk99013.
-
URL Filtering
01166592,
01166726,
01166727,
01166728,
01187633,
01202083,
01202306,
01260097,
01382098
Security Gateway might crash if URL Filtering blade is enabled. R75.47,
R77
Anti-Malware
01177091,
01177500,
01245518,
01319841,
01177499,
01203121,
01260867,
01177498,
01245165
Memory leak in CPD daemon related to Anti-Malware statistics.
Refer to sk93745.
R77.10
01104462 "The rule does not exist any more" error in SmartDashboard after right-clicking in SmartView Tracker on an Anti-Bot & Anti-Virus log and selecting 'Add Exception to Anti-Bot & Anti-Virus Rule...'.
Refer to sk93806.
R75.47
IPS
01140621,
01145008,
01140826
Citrix traffic is dropped by IPS with log 'Citrix Enforcement Violation' when Security Gateway is running Gaia OS with 64-bit kernel.
Refer to sk92720.
R75.47,
R77
01177025,
01178915,
01178916,
01177866,
01178918,
01178917
$FWDIR/scripts/sdstat_analyse.csh script fails with:
'awk: cmd. line:1: fatal: cannot open file `some_string' for reading (No such file or directory)'.
Refer to sk43733.
-
Security Management
00944421 Policy installation fails when policy contains more than 16000 rules.

Workaround: Define an environment variable on the Security Management Server as described in sk89460.
R77
01092599 "Security Management Server" tab disappeared from SmartView Monitor after upgrade. R77.10
01165592,
01173795,
01176793,
01219362,
01176791,
01176794
'fwm logexport' command fails with 'Error: Failed to read field FollowUp' after enabling Anti-Virus / Anti-Bot blades.
Refer to sk91620.
-
01176619,
01182609,
01249247,
01249249,
01249250
Application Control updates might cause FWM daemon to hang for 30 seconds when there is a network problem (such as DNS lookup error). R77.10
01251123 "Internal_CA: Cannot backup CA database" log in SmartView Tracker from each machine in Management HA.
Refer to sk95594.
R77.10
01361034,
01361391,
01361390
When convert Standalone to Full HA there are 2 parameters that are not "transfered" to members from the cluster member. Consequently, there is a Maximum Concurrent table mismatch of the between the members and the cluster.
Refer to sk98697.
-
01416419,
01416492 
Cannot renew external CA's certificate from the SmartDashboard.  -
Multi-Domain Management
00948225 To uninstall this release, you must de-activate all plugins on all Domains. R75.47
01110334 Multi-Domain Security Management server database is corrupted after rolling back from R75.46 to R75.45 with activated Security Gateway 80 R75.20 plug-in.
Refer to sk92304.
-
01122129 After installation of R75.46, SmartDashboard and GuiDbEdit might fail to update existing objects and crash.

Workaround: Use Smart-Domain Manager to activate 'Management Enhancements' plug-in and 'Check Point Security Gateway 80 series R75.20' plug-in on all CMAs.
R75.47
01168879 'mds_backup' fails on clean Multi-Domain Security Management Server when there are no Domains configured at all with the following errors:
mds_backup> Making backup file "mds_backup_logs.tgz" for the variable information of Multi-Domain Server.
/opt/CPmds-R75.40/system/shared/gtar: No match.
mds_backup> Deleting temporary Multi-Domain Server backup files
mds_backup> Backing-up the Multi-Domain Server failed.
mds_backup> Cannot proceed with backup of the Multi-Domain Server.
R75.47,
R77
ClusterXL
01174253,
01175165,
01175166,
01175167
If ClusterXL in High Availability mode is used as Proxy in Non Transparent mode, then NAT kernel table 'fwx_alloc' on the Standby cluster member has significantly more entries than on the Active cluster member (ports leak).
Refer to sk93247.
R75.47,
R77
01142395,
01142407
Connection via VPN does not survive failover in ClusterXL High Availability mode with enabled SecureXL.
Refer to sk93567.
R75.47
01315802,
01320469,
01320470,
01322439,
01366280
Hosts behind a Full HA cluster are not hidden (NATed) behind the external cluster VIP address.
Refer to sk97689.
R77.10
SmartEvent
01109670 SmartEvent client cannot connect to Windows Server after downgrading to R75.40.
Refer to sk92222.
-
01140790 'DDoS Protector' event is missing in SmartEvent ('Policy' tab - 'Event policy') after using 'migrate import' from R75.40 installation. R77
01191898 SmartEvent User Defined events with 'Greater Than' filter are not generated.
Refer to sk93747.
R77.10
01182735,
01186356,
01186357,
01186358
The 'User' name field is empty in Automatic Reaction E-mail alerts sent by SmartEvent.
Refer to sk93632.
R77.10
01269813,
01272374,
01272375,
01272376
"Target Server URL" field is empty in SmartEvent "DLP Incident" logs.
Refer to sk96195.
R77.10
SmartReporter
01190094 R75.46 SmartReporter is not supported on Solaris OS. -
01239313,
01240884,
01240885,
01240886,
01272499,
01277786,
01322341
PDF reports are created as landscape-oriented, however the content is portrait-oriented, which causes inconsistent pagination.
Refer to sk98286.
R77.10
SmartDashboard
01082124 Clicking on "Version Information" opens the Internet browser to a "Not Found" page during IPS Offline Update because of the broken link. R76
01182557,
01185379,
01187967,
01185383,
01185381,
01185380
'Global object modification is prohibited!' error in SmartDashboard connected to Domain Management Server while trying to save a policy when using policy granularity feature.
Refer to sk93751.
R77.10
01198950,
01199155,
01199156,
01199157
'...latest application database' shows wrong date in SmartDashboard - 'Application & URL Filtering' tab - 'Overview' pane - 'Messages and Actions' window.
Refer to sk93939.
R77.10
01194742 SmartMap is not available in SmartDashboard R75.46.
Refer to sk93940.
-
01305093,
01305095,
01303534,
01305094
Boolean operators do not work when searching for IP addresses in SmartDashboard -> 'Firewall' tab -> 'Policy' pane. R77.10
01402103,
01405328,
01405435
"Where used" dialog shows interface uid and not its name. -
01433872,
01434077
Cannot clear the options 'Timeframe' in 'Hits' column of rulebase.
Refer to sk101586.
-
01456659,
01456848
After renaming the Interoperable Device object, pre-shared secret disappears from the object.
Refer to sk102170.
-
Gaia OS
01100863 Import of a snapshot image in Gaia Portal fails when working in Internet Explorer 8 browser
Workaround: Use other web browsers.
-
01074110,
01074448,
01074450
ClusterXL does not advertise BGP routes to Cisco router when configuring Cisco Loopback interface as neighbor IP address.
Refer to sk89580.
R75.47
01092659,
01092897,
01092898,
01092903
RouteD prints "mfc_ifl != ((void *)0)" errors in /var/log/messages file when passing multicast traffic in PIM Sparse-Mode. R77
01134336 Clish 'show configuration' command does not display the following commands:
  • set pbr rule ...
  • set pbr table ...
  • set routemap ...
Refer to sk93777.
-
00981634,
00982105,
00982109,
01118403
Syslogd messages in Gaia in /var/log/messages:
  • syslogd: sendto: Invalid argument
  • syslogd: sendto: Bad File Descriptor
  • syslogd: sendto: Connection refused
Refer to sk83160.
-
01171873,
01172517,
01172518,
01172519,
01195729,
01244085,
01299317
/var/log/messages file repeatedly shows the following errors:

WdHwSensors: Read command failed
WdHwSensors: the errno is: 1
WdHwSensors: Operation not permitted


Refer to sk93778.
-
01049568 PPPoE username with leading "0" (zero) is not saved correctly on Gaia OS.
Refer to sk86400.
R76
01191031,
01194451,
01194450,
01194449,
01194452
'A job with name <Job_Name> does not exist' error when trying to delete scheduled jobs on Gaia OS.
Refer to sk93784.
-
01194281,
01194780,
01194779,
01194781
Discrepancy in RX drops on Gaia OS between output of Clish 'show interface' command and output of Expert 'ifconfig' command.
Refer to sk93707.
R77.10
01273099,
01273589,
01273591,
01273592
Gaia OS scheduled backup to SCP server fails with "set_binding: Failed to set one binding" error.
Refer to sk96267.
R77.10
01107785,
01110326,
01174590,
01176687,
01289727,
01343538,
01369321,
01369821,
01373847,
01374689
Output of 'top' command on Gaia OS shows that monitord process consumes memory at high level.
Refer to sk93587.
R76
01255023 Unable to configure Name instead of IP address in syslog configuration. -
01291276 After enabling auto-flap interface, cluster members have a crossover for sync during a reboot. -
01165087,
01168113,
01184448,
00265998,
00265666,
01303434,
01299367,
01294060,
01294058,
01253308,
01234812,
01184448
Large number of VRRP backup addresses causes confd and searched processes to consume the CPU at 100% for a long time on every configuration change in VRRP Simplified Mode cluster running on Gaia OS.
Refer to sk92926.
-
01229681,
01230173,
01230172,
01251539,
01230174,
01070168,
01159324,
01219700,
01219699,
01219257,
01134334,
01168745,
01185604,
01190799,
01076237,
01124870,
01219698,
01076213,
01080262,
01190798,
01188472,
01165239,
01166046,
01223678,
01233446,
01185744,
01233727,
01166047,
01190348,
01240799,
01226780,
01233445,
01233007
SCP connection to Gaia machine fails for users whose default shell is not '/bin/bash' and for users authenticated by RADIUS.
Refer to sk93744.
R77.10
01469180, 01494277, 01502550, 01578108
  • After adding scheduled backup (add backup-scheduled) and setting scheduled backup (set backup-scheduled) in Gaia Clish, the command show backup-scheduled NAME returns:
    The scheduled backup is performed localy.
    The backup is not scheduled
  • Deleting the scheduled backup in Gaia Clish (with 'delete backup-scheduled NAME') does not delete its cron job - output of Expert command 'crontab -l' still shows the deleted scheduled backup (as '/bin/scheduled_backup NAME').
Refer to sk104878.
R77.30
SecurePlatform OS
01148068,
01187282,
01149572,
01149574,
01149573
'Scheduled Backup' in SecurePlatform WebUI does not work.
Refer to sk92747.
R77
01856931, 01859135 The specified path is duplicated when executing the "backup" command with "-path" option on SecurePlatform OS.
Refer to sk108696.
-
IP Series appliances
01014565 During installation of this release on IP Series appliances on Gaia OS, if you run a 'backup', the size of the output backup file is incorrectly reported for file sizes smaller than 1 MB. -
Security Gateway 80
01085131,
01085257
$FWDIR/conf/masters file disappears when upgrading Security Gateway 80 from R71.40 to R71.45. -
Mobile Access
01165970,
01166669,
01166670,
01166671
Cookie, created by script on the browser side, containing untranslated link is sent to internal server. R75.47
01154403,
01170849
When uploading file from the browser to the Security Gateway via HTTPS, this file is temporary stored in /tmp directory (located on the root partition). The root is the smallest partition on the Security Gateway and upload fails. R77
01180042 Website blocked due to certificate without seconds in the 'notafter' field. R77.10
01180138 ActiveSync applications cannot connect when using compressed form of URI Request.
Refer to sk93826.
R77.10
01224626,
01225079,
01225080,
01225081
If SNX Application Mode is used, Web application in Google Crome is running in the same process as the portal and cannot connect. R77.10
01280639 SecureWorkspace outbound Rules are not enforced on IE11. See sk103655.
SNMP
01166621 SNMPv3 with USM 'authentication' configuration does not survive reboot on Gaia OS.
Refer to sk92937.
R75.47
01353123 On IPSO OS, the SNMP return value is Counter32, although it is defined as INTEGER -
01353123 When running the "snmpwalk" command about OID .1.3.6.1.4.1.2620.1.1.25.3., IPSO does not return INTEGER but rather Counter value, even though MIB file about .1.3.6.1.4.1.2620.1.1.25.3. shows INTEGER value. -
Security Gateway
01176835, 01177121, 01177120, 01177119,
01177118
Policy installation fails after several months of uptime of Security Gateway with enabled Traditional Anti-Virus.
Refer to sk93189.
R77.10
01224828,
01226616,
01226617,
01226618
Smart Connection Reuse (sk24960) is not working properly on FTP Data connections. R77.10
01262645,
01268443,
01268444,
01268445,
01366778;
01360954,
01362036,
01362038
Security Gateway occasionally drops NFS v3 'MOUNTD' packets.
Refer to sk96120.
-
01336864,
01352515,
01353560,
01353561,
01355855,
01357787,
01359312,
01396361,
01407282
ARP table on Security Gateway is cleared after policy installation (which causes traffic outage). As a result, Policy installation progress shows "Success" even if it failed when running the 'fw fetch local' command on Security Gateway. -
01347637,
01352509,
01355809,
01355861,
01357797,
01359052,
01359339,
01396359,
01407277
Every few weeks, the firewall suddenly loses all Proxy ARP entries. Output of 'fw ctl arp' command returns "No proxy arps found".
Refer to sk98740.
-
01385943,
00266287

TCPdump shows wrong IP addresses for NATed traffic when SecureXL is enabled:

  • The incoming traffic is shown after the NAT
  • The outgoing traffic, if it was Forwarded to Kernel (F2F) on the outbound, is shown before the NAT
Refer to sk100194.
-
VoIP
01178961 'sip reason: Too many streams in SDP' drop log in SmartView Tracker if SIP SDP message contains more than 4 streams.
Refer to sk93752.
R77.10
VPN
01194357 VPND daemon crashes repeatedly when 'Restart Options' feature is enabled on Security Gateway (SmartDashboard - Security Gateway object - Properties - 'IPSec VPN' pane - VPN Advanced - the box 'Perform an organized shutdown of tunnels upon gateway restart' is checked, which sets the value of 'ike_support_crash_recovery_sr' attribute to 'true').

Workaround:
Using GuiDBedit Tool, set the value of 'ike_support_crash_recovery_sr' attribute to 'false' in the object of the problematic Security Gateway, and install the policy.
-
01189847,
01211060,
01213233,
01214065,
01220236,
01220237,
01295891,
01297021,
01340319,
01343399,
01357317,
01374137,
01375173,
01375177,
01394419
Traffic over VPN tunnel does not pass for several seconds during policy installation on Security Gateway (which causes traffic loss).
Refer to sk55244.
-
01202267 User RADIUS information was not written in kernel table, therefore was not saved after cache is cleaned. R77.10
01231095,
01231254,
01231255,
01231256,
01234787,
01262160,
01361863,
01383011,
01465966
"Failed to allocate an IP address" error when using 'ipassignment.conf' file to assign Office Mode IP address and Check Point Mobile VPN clients for Android/iOS.
Refer to sk95088.
R77.10
01352900,
01353061,
01353062,
01355363,
01372789,
01372862,
01374864
VPND memory usage rises steadily until the machine runs out of memory.
Refer to sk98388.
-
01098053,
01131271,
01142410,
01142456,
01142691,
01205417,
01363353
Permanent VPN tunnel is down when SecureXL is enabled on ClusterXL High Availability mode.
Refer to sk93568.
R75.47
Routing
01200679, 00266399, 01200951, 01200952, 01200953, 01256984, 01321801

/var/log/messages file on VRRP cluster member running on Gaia OS and configured OSPF repeatedly shows:
routed[PID]: cpcl_should_send() returns -3

R77.10
00265453 During Gaia VRRP failover, new master does not immediately send out its hello packet, old master continues to send its hello packet and switch records MAC address for old master.
Refer to sk98965.
-
Security Acceleration Module (SAM)
00265210 Appliance with SAM card can get into hung state in case quite a large number of clients connects to a large number of servers through this Security Gateway. Hung condition occurs once number of cached route entries on SAM card approaches the limit of Linux kernel route cache entries (i.e., ~4 million by default).
Refer to sk97618.
-
SmartView Monitor
01354819,
01361433,
01361435
SmartView Monitor reports incorrect status for VRRP cluster member.
Refer to sk98698.
-
SecureXL
00265583,
00265603,
00265934
Security Gateway randomly reboots and VMCORE file is generated. -
01364052 Wrong date for Firewall API version value in the output of the 'fwaccel ver' command. -
00265547,
01524533,
00265552,
00265553,
00265606,
00265937,
00266202,
00266210,
00266772,
01427129,
01497322,
01522830,
01523051,
01524546

Security Gateway crashes when SecureXL is enabled.

-
Application Control
01412965,
01413413
TLSv1 "Server Hello" packets being dropped by Application Control of HTTPS in SmartView Tracker and debug.
Refer to sk100971.
-
2012 Models Security Appliances
01569940,
01360248,
01364152
When reading sensor values, /var/log/messages filling up with error messages "xpand get data for <1> power supply"
Refer to sk105657.
-

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment