Support Center > Search Results > SecureKnowledge Details
Check Point R76 Known Limitations
Solution

This article lists all of the R76 specific known limitations.

This is a live document that may be updated without special notice. We recommend registering to our weekly updates in order to stay up to date. To register go to UserCenter > ASSETS / INFO > My Subscriptions.


Important notes:

Also, refer to sk92644 - Recommended fix for CPUSE Agent builds lower than 342 (on R75.40, R75.40VS, R75.45, R75.46, and R76)

 

Table of Contents

  • 21000 Series Appliances
  • General
  • Gaia
  • VPN
  • Anti-Bot / Anti-Virus / Anti-Malware
  • Identity Awareness
  • Security Management
  • SmartEndpoint
  • IPv6
  • SecurePlatform
  • UserCheck
  • Application and URL Filtering
  • ClusterXL
  • DLP
  • Firewall
  • Mobile Access
  • Multi-Domain Security Management
  • SmartEvent
  • SmartReporter
  • VSX
  • QoS
  • SmartUpdate
  • SmartLog
  • SmartDomain Manager
  • SNMP
  • SmartView Tracker
  • SmartView Monitor
  • SmartWorkflow
  • UserAuthority
  • SmartDashboard
  • Dynamic Routing
  • SecureXL
  • VoIP
  • SAM card
  • Firewall-1 GX
  • IPS
  • HTTPS Inspection

 

ID Symptoms Integrated In
21000 Series Appliances
00262587 The 21000 Appliance Security Acceleration Module (SAM-108) is only supported in Security Gateway mode, not in VSX mode. -
01087491 The MGMT interface that connects to the Management server should not be SAM-enabled. -
01091744 The Gaia "show asset disk" command shows the incorrect number of disk drives on 21400 or 21600 appliances. -
01091753 The Gaia "show asset memory" command shows incorrect values for the 21400 and 21600 appliances.

Workaround:
Run 'cat /proc/meminfo' command to see the correct values.
-
01385280; 01673919, 01489973, 01467347
Check Point 21000 series appliance with SAM card might crash due to exhaustion of all memory when there is an inbound clear traffic that should have been encrypted (such traffic is correctly dropped, but sending notifications from SAM card to the FireWall about such clear text packets received on encrypted connections might consume valuable memory). R77.30 
General
01456790 'fw putkey' command fails due to the introduction of IPv6 addresses.
Refer to sk35288.
-
Gaia
01090426 On Gaia First Time Wizard, if reboot is needed but you do not click OK immediately, the session can end without a reboot. The computer or appliance will not function correctly until it is rebooted. R77
00975277 IPMI drivers do not initialize. This results in multiple syslog error messages when Gaia tries to check the IPMI sensors. -
01057056 Connect Control with IPv6 in directly connected networks requires manual route configuration on the external router connected to the gateway. (Route traffic from the external router through the gateway.) -
01109279 Upgrade from SecurePlatform to Gaia can fail in rare cases because of insufficient disk space in the /sysimg volume. The error message shows "Disk Space Error /var/log/CPupgrade.elg".

You can use one of these workarounds:
  • Perform the upgrade with the WebUI.
  • Move the content of /sysimg/CPwrapper to a temporary directory located under /var/log. Try the upgrade again. If it is successful, delete the temporary directory.
R77
01135972 RouteD adds routes to the kernel with proto 'gated' instead of proto 'cprd'. R77.10
01135889 Standby member changes its state to 'Down' because Critical Device 'routed' reports its status as 'problem' when iBGP with 'local-address' is configured on ClusterXL in High Availability New mode.
Refer to sk93591.
R77
01141581 Installation of Gaia R76 on an HP ProLiant DL385 G6 fails with: 'installation failed missing HD". R77.10
01144571 When making changes in clish to syslog functions, they do not save to a file. R77.10
01165239 Unable to set non-local RADIUS user's default shell to /bin/bash. R77.10
01165731,
01166059,
01166061,
01221835,
01221871;
01254663,
01257049,
01257050,
01257051
The following errors appear repeatedly in /var/log/messages file: monitord[PID]: AddDataSQL: insertion failed, sensor name=[ ], timestamp=[YYYY-MM-DD HH:MM:SS] monitord[PID]: SQL error: columns time_stamp, sensor_name are not unique rc=19

Refer to sk97109.
R77.10
00981634,
00982105,
00982109,
01118403
Syslogd messages in Gaia in /var/log/messages:
  • syslogd: sendto: Invalid argument
  • syslogd: sendto: Bad File Descriptor
  • syslogd: sendto: Connection refused
Refer to sk83160.
-
01170384,
01171098,
01171099
Unable to login via CLI after upgrading from R75.40 SecurePlatform to R76 Gaia: 'CLINFR0819 User: admin denied access via CLI'.
Refer to Scenario 10 in sk103397.
R77.10
01181555,
01186061,
01186062,
01186063,
01186064
After upgrade from R75.40 or R75.45 to R76, it is impossible to obtain lock in Gaia Portal. R77.10
01195748,
01196205,
01196204
Unable to load 'GaiaTrapMIB.mib' file and the 'chkpnt-trap.mib' file at the same time in HP OpenView.
Refer to sk93727.
R77.10
01197861,
01199338,
01199339,
01206915,
01286418
'emergendisk' command fails with error "integer expression expected".
Refer to sk93930.
R77.10
01220408,
01223123,
01223124,
01223125,
01230668,
01287193,
01306637,
01345860
RouteD daemon restarts when enabling PIM traces in an environment with a large number of multicast groups/multicast senders.
Refer to sk94848.
R77.10
01241231 VLAN tags are not shown in the output when running tcpdump -e -i on an interface that is connected to VLANs on Gaia. -
01161919,
01188411,
01191342,
01197268
RouteD daemon constantly restarts after shutting down an interface on one of the ClusterXL members and rebooting both ClusterXL members.
Refer to sk95232.
R77
01302831,
01303089,
01303090,
01303091,
01358993
SNMP Trap for a monitored process (e.g., FWD) generates SNMP Trap Alert although this process is not down (Red Hat Bug 630905).
Refer to sk98702.
R77.10
01238081,
01245913,
01316440,
01240753
When adding two overlapping routes on Gaia OS, and then removing one of them, there are leftovers in Gaia Database ('/config/db/initial_db' file), which lead to routing issues.
Refer to sk97831.
R76SP on 61000,
R77.10
01237631,
01240716,
01316442,
01245910
Routes are not deleted from Gaia Database when routes with multiple next hops are configured on Gaia OS.
Refer to sk97832.
R76SP on 61000,
R77.10
00264404,
01221214,
01256983,
01306625,
01345849
RouteD daemon constantly crashes during multicast traffic on Active cluster member when Bond slave interfaces are disconnected (until slave interfaces are connected again).
Refer to sk100388.
R77
01402294, 01402384, 01575332, 01417801;
01579916, 01580345
syslog messages forwarded by Gaia OS to an external Syslog server do not contain hostname or timestamp.
Refer to sk100727.
-
01415699,
01416242
Each change of password for admin or expert automatically changes password for GRUB menu access.
Refer to sk101078.
-
01428735,
01432295,
01432973,
01518522,
01553076
Changes made in the value of 'vmalloc' in /boot/grub/grub.conf file on Gaia OS do not survive reboot.
Refer to sk103506.
-
VPN
01344624,
01344634,
01361821
'keep_IKE_SAs' flag is supported inly with IKEv1 (SmartDashboard - go to 'Policy' menu - click on 'Global Properties' - go to 'SmartDashboard Customization' - click on 'Configure...' button - expand 'VPN Advanced Properties' - click on 'VPN IKE properties'). -
01079390 A main IPv6 address must be configured for all gateways with IPv6 addresses participating in IPsec VPN or Mobile Access. Note that the main address should correspond to the external IPv6 address of the gateway. Similarly, a main IPv4 address should be configured for all gateways with their external IPv4 addresses. -
01084620 When passing VPN traffic between IPv6-only gateways, the overview graphs in the VPN tab in the SmartDashboard are not updated. R77
01099734 VPN route-based link selection does not work on Gaia, if a route has two associated gateways with the same priority. The gateways must have different priorities. R77
01069848 When configuring IPv6 VPN site-to-site, you must reduce MTU of interfaces directly connected to the gateway in IPv6 networks that are part of the encryption domain.
Refer to sk90721.
R77
01140164,
01138670,
01142565,
01142566,
01147454,
01363992
After installation of / upgrade to R76, users are unable to establish connection with L2TP.
Refer to sk92707.
R77
01152674 iOS Location Awareness gets incorrect result from the cluster due to inability to locate the connection. -
01158320 SmartDashboard crashes when creating a new VPN community. R77.10
01162811 VPND daemon crashes when using vpn shell commands. R77
01171632 Certificate parsing rules do not work in Mobile VPN for iOS and Android.
Refer to sk89800.
R77
01178460, 01182611,
01182612
Traffic does not pass via the VPN tunnel after upgrade to R76.
Refer to sk93380.
R77
01209674,
01210206,
01210207,
01210208
Security Gateway might crash in 'erase_IPSEC_SA' function.
Refer to sk94429.
R77.10
00546615,
00547716,
00621131,
00820879,
00866106,
01072886,
01104079,
01110099,
01130141,
01178088,
01224785,
01227163,
01227392,
01235828,
01278302,
01287589,
01380403,
01381003,
01393834
DHCP Discover packets are dropped by Satellite Gateway in Star community after VPN is established.
Refer to sk44559.
R77.10
01213252,
01231861,
01231862,
01231863,
01287734,
01299920

When CoreXL is enabled on Security Gateway, fragmented traffic over a SSL VPN tunnel (SNX) may be dropped.

Refer to sk97515.

R77.10
01319668, 01320566, 01320567, 01374555, 01382831, 01579763 Memory leak in VPND process in getMEPTopology. R77.20
01354368,
01355817,
01355816
VPN client fails to enroll certificate if LTE hotfix is installed on the Security Management.
Refer to sk98460.
-
01897679  Start Menu shortcuts do not process $$user placeholder correctly. Refer to sk109229. -
02565912,
02568329
When initiating a negotiation, the IDi (ID of initiator) is the main IP address and not the alternate name in the certificate.
Refer to sk120123
 
Anti-Bot / Anti-Virus / Anti-Malware
01075179 On the first install policy on cluster members, if the policy has Network Security rules and Anti-Bot/Anti-Virus rules, the Anti-Bot/Anti-Virus policy installation may fail.

Workaround:
Install the Anti-Bot/Anti-Virus policy again.
-
01106159 For Security Gateways that process IPv6 traffic, the statistics for the Virus and Bot detected hosts does not show all the data for the traffic. Go to 'Anti-Bot & Anti-Virus' tab > 'Statistics'. From the "by" drop-down menu, select "Hosts". -
01094019 For User Check, when a user authorizes connecting to an unknown website, sometimes when the user returns to the same website, the logs for the later connections are not complete. -
01120802 Email notification alerts are not supported, even though this option is displayed in SmartDashboard. -
01147573 When a disclaimer is configured within Anti-Spam, QMail mail servers reject e-mails due to violation of SMTP standards. R77
01176835,
01177121,
01177120,
01177119,
01177118

Policy installation fails after several months of uptime of Security Gateway with enabled Traditional Anti-Virus.

Refer to sk93189.

R77.10
02361107, 02391559
"Reason: Failed to process the file" log from Anti-Virus blade in SmartLog / SmartView Tracker.
Refer to sk114573.
-
Identity Awareness
01081896 Identity Awareness Agent does not restart automatically after upgrade. -
01179534 AD Query permissions script from sk43874 might produce error messages when running in Preview mode:
  • Failed to read configuration for log wevtutil el. The specified channel could not be found. Check channel configuration.
  • Required argument(s) is/are not specified. The parameter is incorrect.
Refer to sk93330.
R77
01209876,
01209991,
01209992,
01209993
Identity Awareness Agent for Mac OS X logs out when installing Security policy. R77.10
01227160 Identity Awareness Multi-User Host Agent might cause BSOD on rare occasions.
Refer to sk95196.
R77.10
01239257,
01240817,
01240818,
01240819,
01399466
Windows users, redirected to Identity Awareness Captive Portal with transparent authentication enabled, get a pop-up dialog asking for user credentials if the machine does not belong to an AD domain configured on the Security Gateway. R77.10
01322471,
01322911,
01322912,
01322913,
01336551,
01363705,
01376783
Mobile phone users are logged out from Captive Portal every several minutes during web surfing.
Refer to sk97868.
-
01353767,
01355483,
01355484
PDP daemon might crash when PEP daemon disconnects from it.
Refer to sk98526.
-
01629961, 01630168 Kerberos SSO authentication using principle name from another Domain / DNS Server does not work.
Refer to sk105778.
-
Security Management
01072362 At the end of Management installation on Windows 2003, at the prompt to activate Check Point processes and to select a user account ("Which user account do you want to use to run this program?"), you must select a user with administrator privileges, and not "restricted access". -
01140137 Policy installation fails when configured Unnumbered VTI interfaces in ClusterXL members with these errors:
".../Policy_Name.pf", line N: ERROR: Duplicate keys <IP_Address_in_Hex> in table 'cluster_members_ids_by_ips'
".../Policy_Name.pf", line N: ERROR: Duplicate keys <IP_Address_in_Hex> in table 'cluster_members_ips_by_local_ip'
R77,
R77.10
01157584,
01157815,
01188673,
01157816
Policy verification fails for R76 Security Gateways when Connectra R66 object exists in database with the following error:
"/.../<Policy_Name>.pf", line N: ERROR: cannot find <XXXp_pXXXp_pXXX> anywhere"
where "XXXp_pXXXp_pXXX" is an object that contains dots (.) in its name (e.g., my.company.com).
Refer to sk93207.
R77.10
01153045, 01157984, 01157985, 01453064
Policy installation fails with "Database conversion failed" when using an empty group in a NAT rule.
Refer to sk93645
R77.10
01158285 The last modification time of a VPN community object is not updated after a change of the community's shared secret. -
01160180 Problem converting all log files to ASCII. R77
01153285,
01153436,
01153437,
01155414,
01383398
Rulebase of Backward Compatible gateways gets the IPv6 address with mask 0 (i.e., all IP addresses), which makes the Backward Compatible gateway cell to be set as "Any" in the rule. R77
01167160 OPSec LEA Client (e.g., Tufin) displays duplicate log entries from the Management Audit Log ($FWDIR/log/fw.adtlog) when the FireWall Log ($FWDIR/log/fw.log) is switched (e.g., scheduled event that is configured in Security Management object). R77.10
01166821,
01168430,
01207553,
01168429,
01189860
FWD process does not open the 18184 port on Windows OS (when %FWDIR%\conf\fwopsec.conf file is configured with 'lea_server auth_port 0' and 'lea_server port 18184').
%FWDIR%\log\fwd.elg file shows the "opsec_listen_to_port: Listen failed" error.
-
01182073,
01182694,
01182696, 01183046 01183147

After checking the box of 'Endpoint Policy Management' product in the Security Management Server object and performing 'Install Database' operation, the FWM daemon immediately starts consuming the CPU at 100% on Security Management Server.

Refer to sk93356.

R77
01178752,
01207490,
01179224,
01322317,
01214580,
01179223,
01295064,
01322685,
01219366,
01321827

'fwm logexport' is slow on Security Management Server.

Refer to sk93288.

R77.10
01227467,
01228140,
01228139,
01228138;
01216104,
01216509,
01216686,
01228136,
01228137,
01344194;
01106282,
01209558,
01214745
The following warnings appear in SmartDashboard during policy installation or database installation:
  • dns_gen_network_str_ipv6: Object_Name: Empty or Invalid ipaddr6 string
  • dns_gen_host_str_ipv6: Object_Name: Empty or Invalid ipaddr6 string
Refer to sk95053.
R77.10
01138598,
01227117,
01232688,
01240728,
01340481,
01353664

Memory leak in CPD daemon when managing VSX Gateways.

Refer to sk93246.

R77.10
01260925,
01274672,
01274673,
01274674
"Warning: Rule N contains a domain object. It will not be enforced by IPv6 policy." verification warning in SmartDashboard during policy installation.
Refer to sk96266.
R77.10
01566268,
01566712
Policy verification/installation errors cannot be seen in the GUI due to message encryption failure. Refer to sk104538. -
01940846, 01941966  "fwm logexport" command exits and does not read all records of the log file. Refer to sk109948. -
SmartEndpoint
01078232 High Availability with Endpoint Security: After Endpoint Security Primary and Secondary servers are activated in SmartDashboard, and a database installation is done, you must restart Check Point services on the two Endpoint Security servers before you can start synchronization. Run 'cpstop' command and then 'cpstart' command. -
01088271 If you have Endpoint Security R73 (SecureAccess) or earlier installed, you must uninstall it to upgrade to R76. -
01105547 In High Availability mode, SmartEndpoint cannot connect to the Standby server in Read Only mode. R77
01104495 After you enable the Endpoint Security Management blade, some default polices can show incorrectly in SmartEndpoint as "Marked for installation" when they are installed successfully. This can occur if the the time zone was configured incorrectly, or if the computer is rebooted after correcting the time zone.
You can safely ignore this cosmetic issue that resolves itself automatically after a few hours.
-
IPv6
01089804 Update services over IPv6 requires special attention.
Refer to sk91180.
-
01091062, 01093247 You cannot currently configure IPv6 proxy in SmartDashboard. Instead, connect to Security Management Server with GuiDBedit Tool, and you can either configure the 'proxy_address' attribute as:
  • Global Property attribute: Edit the 'proxy_address' attribute within the 'firewall_properties' object ('Global Properties' table). The IPv6 proxy address must be inside square brackets [].

    Or as

  • Specific Gateway/Management object attribute: Edit the 'proxy_address' attribute within the desired object ('Network Objects' table). The IPv6 proxy address must be inside square brackets [].
In addition, if the machine on which SmartDashboard is installed, needs to use an IPv6 proxy to access the Internet, in the machine's Internet Options, set the Proxy Server address value inside square brackets [].
-
01118972 Site-to-Site IPSec VPN is not supported for Star Communities. R77
01113201 These blades and features do not support IPv6:
  • DLP
  • Anti-Spam
  • Mobile Access
  • Endpoint Security management
  • QoS
  • SSL Inspection
  • ClusterXL Load Sharing
  • VoIP
-
01253791,
01253800
Fail to install policy when there are IPV6 services in policy and Edge appliances.
Refer to sk95972.
-
SecurePlatform
01054032 Interfaces for VTI tunnels are not shown correctly on SmartDashboard. During an attempt to remove them, errors are shown and the WebUI becomes unstable. -
01145171 cron job handling is not included in configuration script. R77.10
01186074 Bash shell shows incorrect values. Editing the /etc/bashrc file and adding the '\u' option according to sk60862 does not work and gives error: "[Expert@I have no name!]#".
Refer to sk93399.
R77.10
01193187,
01193313,
01193314,
01193316,
01193317
Cannot schedule a backup in R76 SecurePlatform WebUI - the link for 'Scheduled Backup' does not work, and status bar shows 'Error'.
Refer to sk94106.
R77.10
01252720,
01252904,
01252906,
01252907
The 'ip mroute' command only shows the first output interface if there are more than one. R77.10
01242516,
01275082
Non-local users lose permissions after running some Check Point scripts (like cpstop) in Expert mode, getting "NMINST0069 cannot access to the virtual-system" error. R77.10
UserCheck
01092592 You must install the Network Security policy after changing UserCheck settings for Anti-Bot and Anti-Virus Software Blades. -
01091507 When a user with Microsoft Outlook Express tries to release a quarantined email using the Reply-by feature, the Reply-by message format must be in plain text and not the default HTML. -
01091743 On DLP violation with "Inform" action, the SmartView Tracker log of the violation always shows "Pending for User Response", regardless of the actual user response. -
01084238 When using dual IP stack on the Security Gateway with IPv4 clients connected, configure the UserCheck portal's main URL to use a DNS name that will be resolved to both IPv4 and IPv6. -
01167072,
01167075,
01173056
When UserCheck is enabled, e-mails are stuck in the fwdlp process and are not released.
Refer to sk93376.
R77
01170978,
01171274,
01174060
Users with "&" (ampersand) in DN cannot get UserCheck notifications.
Refer to sk93400.
-
Application and URL Filtering
- A known limitation: Bandwidth Limit in Application Control does not survive cluster failover in ClusterXL High Availability mode - any connection that was opened and limited on Active cluster member, will be unlimited on new Active cluster member after cluster fail-over.
Refer to sk97775.
-
01089602 To identify HTTPS traffic using Custom Application/Site, "HTTPS Inspection" must be enabled.
If it is disabled, and only "Categorized HTTPS Sites" is enabled, the Custom Application/Site will not be matched. URLs will be categorized by the CN/DN in the site certificate, and not by the user definition in Custom Application/Site.
R77,
R77.10
01113940 Log or event with Browse Time 00:00:00 indicates that another connection was established in parallel by the same user. -
01201251,
01205398,
01207097,
01207098;
01203392,
01207093,
01207094,
01205396;
01203396,
01207095,
01207096,
01205399

'Resource' field does not appear in SmartView Tracker logs sent from R76 Security Gateway when using a URI Resource, and Quick UFP is not working in R76 Security Gateway.

Refer to sk94264.

R77.10
ClusterXL
01096553 If you change the cluster mode from Load Sharing to VRRP, the cluster module on the Security Gateway will not be aware that the administrator has configured a virtual cluster IP.
  • The "cphaprob stat" command will not show Virtual IP interfaces.
  • Basic cluster features (fail-over of NAT and VPN, Proxy ARP) will fail.
Workaround:
  1. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, etc.).
  2. Connect to Security Management Server with GuiDBedit Tool.
  3. In the left upper pane, go to 'Table' - 'Network Objects' - 'network_objects'.
  4. In the right upper pane, select the relevant Cluster object.
  5. In the lower pane, go to interfaces container.
  6. For each of the two 'Element Index' fields that has these values, reset the 'multicast_address' value:
    • right-click on multicast_address - set the MAC address value - click on 'OK'
    • right-click on multicast_address_type - select "default" - click on 'OK'
  7. Save the changes: go to 'File' menu - 'Save All'.
  8. Close the GuiDBedit Tool.
  9. Connect to Security Management Server with SmartDashboard.
  10. Install the policy onto the Cluster object.
-
01102858 In VRRP mode, a Backup cluster member can not establish local connections.

Workaround:
In the cluster object, uncheck the box "Hide cluster members outgoing traffic behind the cluster IP address". Also refer to 01103880 in this table.
R77.10
01106346 ClusterXL does not support IPv6 addresses on the Sync interface. -
01103880 In SmartDashboard, in the object of VRRP cluster, when you uncheck the box 'Hide Cluster Members' outgoing traffic behind the Cluster's IP address', and later change the cluster object to ClusterXL HA/LS mode, the 'Hide' configuration is still applied to the traffic. R77
00500711;
01238234
"FW-1: fw_xlate_anticipate: fwx_anticipate_server_side failed" appears repeatedly in /var/log/messages files on cluster members of ClusterXL in HA mode.
Refer to sk42754.
R77.10
01292687,
01310044,
01335892,
01336365,
01377904
Cluster Forwarding is enabled in 3rd party cluster after each policy installation.
Refer to sk43321.
R77.10
01245535,
01245826,
01245827,
01245828,
01295067
Policy compilation fails with "ERROR: Duplicate keys ... in table 'cluster_members_ips_by_local_ip'" when cluster contains more than 32 interfaces.
Refer to sk95375.
R77.10
01317978,
01339635
Some IPv6 pings are lost in the following IPv6 topology (ICMPv6 "Neighbor Advertisement" Type 136 packets are dropped due link collision):
Host_1 on Net_1 --- ClusterXL HA with IPv6 --- Host_2 on Net_2

where:

  • IPv6 address of Host_1 is NATed to an IPv6 address on Net_2
  • IPv6 address of Host_2 is NATed to an IPv6 address on Net_1

Refer to sk98075.
-
01401092, 01404180, 01473298, 01501607, 01614412
RouteD daemon might consume CPU at very high level on ClusterXL member running on Gaia OS, when there are issues with cluster sync interfaces.
Refer to sk102737.
-
00936176 In a Layer 2 Active/Standby cluster, when the switch ports are configured as a VLAN trunk, you must configure the Layer 2 physical interfaces as disconnected interfaces (interfaces will not be monitored by the Cluster) or with one of the VLANs.
 
DLP
01057253 An image in a fingerprinted document will not be matched by the document's fingerprint if the image is extracted and sent separately. -
01068792 UUencoded e-mail attachments are not scanned by the DLP blade. -
01098538 Files with long names (over 255 characters) are not included in the fingerprint repository scan. -
01069025 Files larger than 2G are not included in the fingerprint data type. -
01099173 When SMTP Mirror mode is enabled, the DLP gateway does not inspect emails received from the DLP agent installed on the Exchange mail server. R77.10
01057250 A compressed archive in a repository is fingerprinted, but the contents of the archive are not. This means that a document extracted from the archive and sent outside of the organization may not be caught. The document will only be caught if the document was fingerprinted before being placed in the archive. Fingerpinted documents contained in an archive will be matched. -
01094616 If you change the IP address of a DLP-enabled gateway, the UserCheck process must be manually stopped. Run: killall usrchkd -
01065671 Domain-based DFS file shares are not supported for fingerprint repositories. -
01089993 After upgrading to R76, e-mails quarantined before the upgrade can only be viewed using the DLP quarantine portal. -
01126138 After upgrading Security Gateway from R75.20/R75.40 to R76, when DLP Notification pop-up is displayed, "Send", "Discard" and "Cancel" buttons do not work. -
01163763,
01163761,
01171601
Emails are getting stuck in Exchange server queue.
Refer to sk93377.
R77
01172379 Reply by email does not work when using iPhone/iPad.
Refer to sk93386.
R77
01215492 DLP Bypass occurs for Exchange emails.
Refer to sk94585.
R77.10
01242502,
01242508
In DLP Tap Mode or inline when SMTP kernel inspection is enabled - data owners email is not sent on SMTP violations. R77.10
Firewall
01100862 When installing a Security or LSM gateway on Windows, disable the Windows firewall to allow connections from the gateway to the management.
To allow connections from a Windows Security Gateway or LSM gateway to the Management server, you must disable the Windows firewall, when you install the gateway.
-
01051315 If the environment has NGX R65 gateways, and R76 gateways with IPv6-only (no IPv4 addresses are defined), policy installation on R65 fails.

Workaround:
Define dummy IPv4 addresses on R76 gateways, or create two policy installations - one for R65 gateways and one for other gateways.
-
01155626,
01156132,
01156133,
01319645
  • "Unable to open '/dev/fw6vX': No such file or directory" error appears repeatedly in /var/log/messages and in $FWDIR/log/fwd.elg file.

  • "modprobe: FATAL: Could not open '/lib/modules/2.6.18-92cp/kernel/net/ipv6/ipv6.ko': No such file or directory" error appears repeatedly in /var/log/messages.

  • Output of 'fw fetchlocal -d $FWDIR/state/__tmp/FW1/' command shows these errors:

    • Unable to open '/dev/fw6vX': No such file or directory
    • Could not put license in running module: No such file or directory
    • Failed to Load Security Policy: No such file or directory
    • Fetching Security Policy Failed

Refer to sk84820.
R77.10
01153480,
01258151
The following errors appear repeatedly in the $FWDIR/log/fwd.elg file on Security Gateway:
  • Unable to open '/dev/fw6vX': No such file or directory
  • malware_report_user_kern_update: fwioctl6_multik() failed, index X
Refer to sk95789.
R77
01165022 DNS proxy query fails due to inconsistency of table key. R77
01165989 Error compiling IPv6 flavor when adding MGCP type service to rules. R77.10
01171295,
01171590,
01171591

'cpstat fw' command does not list all interfaces in Gaia R76.

Refer to sk93047.

R77.10
01153574,
01175973

Output of 'cpstat -f all ha' command on Gaia OS does not populate the 'Cluster IPs table' and the 'Sync table'.

Refer to sk93201.

R77.10
01207030 Value of kernel parameter 'fw_rules_uid_max_dic_entries' is not saved after policy install.
Refer to sk94426.
R77.10
01208406,
01209873,
01209874,
01209875,
01421874,
01473373,
01492119
Client Authentication connection is closed after several minutes.
Refer to sk94447.
R77.10
01225961,
01227374,
01227165,
01257432,
01260004,
01227373,
01232946,
01322967,
01267219,
01261302,
01227372

Memory gradually drops by up to 20% every 7 days. The Security Gateway needs to be rebooted about once a month to recover memory, as it does become slow when available memory gets very low.

Refer to sk95129.

R77.10
01227142,
01244151,
01244152,
01244153,
01252882,
01360945,
01397690
"FW-1 form has expired" message when working with Client Authentication and CoreXL.
Refer to sk95346.
R77.10
01246671 DCERPC high port connection is not opened, and is dropped on the Cleanup rule.
Refer to sk95427.
R77.10
01113346,
01181606,
01258189,
01288779,
00926275,
01132625,
01177065,
01113747,
01296117
Threat Emulation Daemon ted crashes inconsistently. R76SP on 61000,
R77
01044984,
01101927,
01059509,
01296181,
01288710
Memory leak in Gaia Software Updates 'DAService'. R76SP on 61000
01293744,
01295159,
01295160,
01295161,
01296143
FWD daemon crashes with core dump files.
Valgrind output for FWD daemon shows:
  • Invalid free() / delete
  • Mismatched free() / delete
R77.10
01320727,
01321113,
01321118
MDQ daemon crashes when working with SMTP traffic in case DNS MX record answer contains IPv6 address.
Refer to sk97753.
-
01322325,
01323049
In VSX with CoreXL configuration Hide NAT connections are dropped with reason: "VPN and/or NAT traffic between accelerated and non-accelerated interfaces or between non-accelerated interfaces is not allowed". -
01337426,
01337705
Memory consumption on Security Gateway constantly increases due to memory leak in 'fw_spii_pset_create'.
Refer to sk98012.
-
Mobile Access
01101822 If the Mobile Access Software Blade is enabled on a gateway that uses Optimize Drops, the drop feature will not function. Drop templates will not be offloaded on run time. R77
00949656 Exchange Web Services traffic is not scanned for viruses. -
01077062 A Security Management server that manages Connectra NGX R66.x gateways cannot manage gateways with IPv6 addresses in their topology. -
01153964 Mobile Access realm - When selecting certificate in the realm, the ActiveSync cert option is removed. R77
01158403 iPhone Mobile Access client unable to connect to R76 Mobile Access Blade gateway. R77
01187260 Preventing addition of gateway to Remote Access community, even if Mobile Access enabled from SmartDashboard. -
01186797 Mobile Access SSO with Kerberos authentication for Web Applications may not work in R76.
Refer to sk93529.
R77.10
00871249,
00897790,
00937707,
00871307,
01087345,
01069328,
01087308,
00886432,
01087344
When using an ActiveSync app on an Android phone or an iPhone, multiple sessions could be established for each user. As a result, available licenses are exhausted on Security Gateway, which causes sporadic updates to e-mail and random losses of connectivity.
Refer to sk68120.
-
01252071 SNX application mode overwrites the proxy information and breaks connectivity to portal.
Refer to sk95592.
R77.10
01290277,
01290476,
01320927,
01346421,
01346950,
01383302
  • Server cannot start connection to client even if Server to Client network application exists.
  • SNX traffic of Server to Client traffic is being dropped over "Unauthorized SSL VPN traffic" log in SmartView Tracker.
  • Back connections to VPN clients with Office mode fail.
Refer to sk97108.
R77.10
01285843,
01286399,
01286400
Login credentials on Mobile Access Portal page might be submitted multiple times if a user accidentally quickly clicks on 'Sign In' button several times. If a One Time Password (OTP) is used, then user's login might fail. R77.10
01304813,
01303880,
01298691,
01304811,
01304812
When adding a new account in ActiveSync, the server places a random number if the content-length is not sent to 0. R77.10
Multi-Domain Security Management
01100783 After deleting domains, the Multi-Domain Server might be down due to removal of the virtual interfaces. In such case, you must run mdsstop and mdsstart to continue working with the Multi-Domain Server. R77
01144438 Irrelevant information about connected administrators appears in the list. -
01159205 '$MDSDIR/scripts/mds_backup' script fails with these errors:
mds_backup> Deleting temporary Multi-Domain Server backup files 
mds_backup> Backing-up the Multi-Domain Server failed. 
mds_backup> Cannot proceed with backup of the Multi-Domain Server.
Refer to sk92925.
R77
01173132 In MDG HA tab, CMA sync status is unknown or blank. -
01183324 Cannot create VPN Tunnel when using 'Selected address from topology table' option.
Refer to sk93378.
R77.10
01194036 "Unable to get idle-time workstation locking policy" error when connecting with SmartView Tracker to a Domain Management Server / Domain Log Server.
Refer to sk111293 (Scenario 6 - Issue with Domain Management Server / Domain Log Server).
R77.10
01257068 MLM HA status is stuck in Advanced state. -
01287795,
01296327,
01296328,
01295721

'mds_restore' fails:
mds_restore> Insufficient disk-space in the current file-system.
mds_restore> Backup file extraction requires N KB while the current file-system contains only X KB.
mds_restore> Please move the backup directory to another file-system and try again.

Refer to sk97267.

R77.10
SmartEvent
01067753 If you move between SmartEvent and SmartEvent Intro, you must run: evstop ; evstart. -
01131360,
01131362,
01133707,
01134338,
01138336,
01138342,
01138349,
01381518,
01408044
After performing 'Install Database' operation from Security Management Server that has a lower version (e.g., R75.40) than the SmartEvent server (e.g., R75.45/R75.46/R76), login in SmartEvent GUI client fails with "Unable to get idle-time workstation locking policy" error.
Refer to sk111293 (Scenario 3).
R77
01156326 SmartEvent does not insert VSX events after upgrade to R76. -
01186677,
01186863,
01186864,
01199293,
01207476,
01383150
Customer sees multiple sources / destination on a single event, even if Eventia Analyzer was configured to create an event for each source.
Refer to sk93414.
R77
01240756 UTF-8 lack of support for XML-reports. All XML reports for Non-English languages (e.g., Russian) are badly generated. -
01272425 Timeline order configuration not saved in SmartEvent GUI.
Refer to sk96190.
R77.10
01301139 SmartEvent server fails to send report e-mails if SMTP server sends several "220" welcome messages.
Refer to sk97521.
R77.10
01311794 Page breaks are not formatted cleanly in SmartEvent reports saved as PDF.
Refer to sk97624.
-
01339214,
01339464,
01340543
Value of 'days_to_keep' configured per sk69706 is not applied.
Refer to sk98095.
-
01368648,
01371514,
01371650
SmartEvent keeps old events longer than configured.
Refer to sk99021.
-
02016302, 02016520 Ticket closing in SmartEvent takes a long time. Refer to sk111078 -
SmartReporter
01178561,
01179001,
01179000
SmartReporter generates Express Anti-Spam reports with inconsistent data in weekly and in daily reports. -
01215491 Multi User Activity Monthly Report shows partial information.
Refer to sk94637.
-
VSX
- SAM Block rules are not supported in VSX mode. -
01204727,
01204870,
01204871,
01206898,
01219132,
01235255,
01235256,
01261144,
01340541,
01407767,
01418834,
01460160
Memory consumption increases on VSX Gateway while querying SNMP VSX branch OID .1.3.6.1.4.1.2620.1.16
Refer to sk94124.
R77.10
01453316
Check Point VSX OID Branch 1.3.6.1.4.1.2620.1.16 can not be queried per Virtual System. The SNMP response contains the data from all configured Virtual Systems.
Refer to sk90860.
-
01087052 Cluster private network IP addresses are not supported as VSX virtual IP addresses. R77.10
01117516,
01120769,
01132780,
01324014,
01381952

Creation of a VSX cluster object on Crossbeam chassis fails with the following error in SmartDashboard:

Error: VSX default gateway definition is different on Name_of_Member_A (IP_Address_of_Member_A) and Name_of_Member_B (IP_Address_of_Member_B).

Refer to sk102095.
R77
01456150 In SmartDashboard, it is not possible to select VSX Gateway itself as 'Next Hop Gateway' in 'Advanced Routing Rule':
  1. Open Virtual System / Virtual Router object.
  2. Go to 'Topology' pane.
  3. Click on 'Advanced Routing...' button.
  4. Click on 'Add...' button.
  5. When configuring a rule, VSX Gateway itself does not appear in the 'Next Hop Gateway' list (only other Virtual Systems / Virtual Routers appear).
-
00892773 VTI interfaces are not supported in VSX mode. -
00974871 Missing entries in the Check Point MIB file ($CPDIR/lib/snmp/chkpnt.mib). -
01106220 If the Monitoring blade is enabled on VS0, 'vsx_util reconfigure' command sometimes fails.

Workaround:
Before you reconfigure, follow these steps:
  1. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, etc.).
  2. Connect to Security Management Server with GuiDBedit Tool.
  3. In the left upper pane, go to 'Table' - 'Network Objects' - 'network_objects'.
  4. In the right upper pane, select the relevant VSX Security Gateway / VSX Cluster object.
  5. In the lower pane, right-click on the monitor_blade - 'Edit...' - choose "false" - click on 'OK'.
  6. Save the changes: go to 'File' menu - 'Save All'.
  7. Close the GuiDBedit Tool.
  8. Connect to Security Management Server with SmartDashboard.
  9. Install the policy onto the VSX Security Gateway / VSX Cluster object.
-
01099591 Viewing IPv6 neighbors with clish commands is not supported. -
01097619 To work in IPv6-only mode, you must reboot the gateway after you delete IPv4 addresses, and before you create a VSX object in SmartDashboard. R77
01104705 SmartDashboard lets you configure IPv6 addresses, when IPv6 is disabled on the VSX Gateway. These IPv6 addresses are not deployed until IPv6 is enabled and the VSX gateway is rebooted. R77
01105823 A Virtual System cannot have two identical routes with different prefixes. R77
01098222 Removal of Management IP address is not supported. R77
01103174 If the Management Server object does not have an IPv6 address, you cannot create an IPv6-only VSX object. You can create a dual stack VSX object. -
01098716 6in4 Interface is not supported in VSX. -
01067586 If conversion fails, SecureXL and VPN sometimes do not reload properly. If this happens, you must reboot the gateway. R77.10
01108131 Virtual Router is not supported, if IPv6 is enabled. -
01104511 After you convert from a Security Gateway cluster to a VSX cluster, you must remove the zero IPv6 address (::) from the Sync interface (also refer to sk92819):
  1. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, etc.).
  2. Connect to Security Management Server / Main Domain Management Server (where VSX cluster object was created) with GuiDBedit Tool.
  3. In the left upper pane, go to 'Table' - 'Network Objects' - 'network_objects'.
  4. In the right upper pane, select the relevant VSX Cluster object.
  5. In the lower pane, go to interfaces container.
  6. Find the Sync interface, and remove the zero IP address ('::'):
    • right-click on the ipaddr6 field - 'Edit...' - remove the :: - click on 'OK'
    • right-click on the netmask6 field - 'Edit...' - remove the :: - click on 'OK'
  7. In the left upper pane, go to 'Table' - 'Other' - 'vs_slot_objects'.
  8. In the right upper pane, select the relevant VSX Cluster object.
  9. In the lower pane, go to interfaces container.
  10. Find the Sync interface, and remove the zero IP address ('::'):
    • right-click on the ipaddr6 field - 'Edit...' - remove the :: - click on 'OK'
    • right-click on the netmask6 field - 'Edit...' - remove the :: - click on 'OK'
  11. Save the changes: go to 'File' menu - 'Save All'.
  12. Close the GuiDBedit Tool.
  13. Connect to Security Management Server / Main Domain Management Server (where VSX cluster object was created) with SmartDashboard.
  14. Open the VSX Cluster object - go to 'Topology' pane - the Sync interface should not show any values in the 'IPv6 Address' section.
  15. Click on 'OK' to push the configuration to VSX cluster members.
  16. Install the policy onto the VSX Cluster object.
R77
01113788 After you define the first IPv6 address on a Virtual System, there is a wait of approximately 30 seconds while the new Virtual System restarts. -
01109201 On single processor computers, if the fwk process is down when converting a Security Gateway to a VSX Gateway, use this workaround:
Run: $FW_BOOT_DIR/fwboot corexl disable.
R77
01124445 When you create a VSX object in SmartDashboard, make sure that "Accept control connections" and "Accept Smart Update connections" are selected in the Global Properties menu. -
01134308 VSX Memory Resource Control (fw vsx mstat) supports only IPv4. If there are IPv6 connections the memory statistics will not be accurate. R76SP on 61000,
R77
01181667 'Connection failed' error when in SmartView Tracker IPS log clicking on 'View Packet Capture' in a log generated by a Virtual System.
Refer to sk93342.
R77.10
01181802,
01181999,
01191091,
01202556,
01250995,
01296948,
01306428,
01309353,
01309354,
01309355,
01313667
High CPU usage on R65 / R67 / R70 / R71 / R75 Security Gateway when managed by R75.47 / R76 Management Server.
Refer to sk93401.
R77
01227604,
01227814,
01227815,
01227816,
01350498
FWM process on Security Management Server uses all its memory and crashes after installing configuration to Virtual System. -
01132515,
01176616,
01188888,
01245124,
01266438,
01356728;
01108189,
01145989,
01213024,
01272380,
01273375,
01273376,
01273377,
01278068,
01299357,
01316555,
01341167,
01366634,
01372379
R76 ClusterXL in VSX mode is intermittently stuck and does not process traffic when issuing 'cphaprob' commands (e.g., 'cphaprob state') or 'fw' commands (e.g., 'fw ctl pstat'):
  • traffic stops passing until the commands produce an output
  • some commands might hang indefinitely and never display any output (e.g., 'cphaprob state', 'cphaprob -a if')
  • some commands produce an output only after several minutes (e.g., 'cphaprob syncstat', 'cphaprob list')
  • SSH session is stuck after issuing a command over SSH connection
  • VPN tunnel might go down during this issue
Refer to sk95215.
R77
01305413,
01305568,
01305874,
01305854
Kernel panic in VSX when running 'cpinfo'.
Refer to sk97498.
R77.10
01321724,
00266417,
01432448,
01432642

Output of 'netstat -ni' command on VSX Gateway with enabled SecureXL running on Gaia OS shows:

  • RX and TX values on physical interfaces increase as expected
  • RX and TX values on virtual interfaces (wrp/wrpj) do not increase as expected
Refer to sk100213
-
00186960 When enabling Per Virtual System High Availability or VSLS, each Virtual Switch must have a physical interface that provides connectivity between cluster members.
Refer to sk36980.
-
QoS
-

QoS does not support the following:

  • IPv6
  • VSX
-
01078365 If QoS is enabled on gateways that support dual stack (IPv4 and IPv6), QoS rulebase will only be applied on IPv4 traffic. Note, in this case, the QoS rulebase must not use objects that have only IPv6 addresses. This can lead to inconsistent behavior. -
SmartUpdate
01128140 Getting CPinfo file from SmartUpdate fails.
Refer to sk114496.
-
01136794 'No valid license found on Security Management Server' error when trying to connect with SmartUpdate GUI to Security Management Server.
Refer to sk92623.
-
SmartLog
- SmartLog cannot automatically perform object name resolving when the object name is changed. -
01156004 SmartLog GUI scroll bar missing. R77.10
01163451 Edge gateway missing from SmartLog filter by origin drop-down list. R77
01216804 Log server list is not sorted by Name. R77.10
01202347 When opening SmartLog with Global Manager, no Log Servers are shown in SmartLog GUI.
Refer to sk94031.
R77
01323197,
01337703
No permission to search the 'user' field when trying to filter by user in SmartLog on the MDG env.
Refer to sk98071.
-
SmartDomain Manager
01406867,
01406935,
01407039
"Launch SmartLog" option disappears from the right-click menu of Domain Log Server objects, if the following box is checked in the administrator 'General Properties' (and that administrator logs in to SmartDomain Manager):
"Set default launch type of SmartDashboard in Read Only mode"
Refer to sk100992.
-
SNMP
01155774 Duplicate object 'fwEvent' in Check Point MIB file on R75.40VS and R76.
Refer to sk92825.
R77
01277764 Check Point OS related MIB file has compliance errors. -
01311467

snmpd daemon crashes due to timeout.

-
01706787 The following error appears in Gaia Clish:
NMSSNM0075  Username must be less than or equal to 8 characters.
when running one of these commands in Gaia Clish, although USM user with longer username was created successfully with "add snmp usm user USERNAME" command:
  • set snmp usm user USERNAME usm-read-write
  • set snmp usm user USERNAME usm-read-only
Refer to sk106915.
-
SmartView Tracker
01162343 Hebrew characters are displayed as "????" in SmartView Tracker details window. R77.10
01144219,
01144565,
01144566,
01189318,
01150992,
01144284,
01146802,
01168628
SmartView Tracker shows incorrect logs after upgrade to R76. Symptoms of this issue include, but are not limited to:
  • Wrong interface name is shown in logs
  • Source / Destination / Origin fields show wrong information
  • NAT is being logged as performed, while it is not
  • Identity Awareness shows irrelevant IP addresses
  • Services are shown with the wrong port
Refer to sk72160.
-
SmartView Monitor
01173534 Smartview Monitor - 'System Counters' view - open either 'FireWall', or 'FireWall History' - click on 'Export View' icon - save as CSV or as Text - either report contains incorrect values (comparing to report saved as HTML), or an error appears 'Encountered an improper argument'.
Refer to sk93045.
R77
01173204, 01384323 SmartView Monitor shows "Attention" in the "Status" column for one of the cluster members.
Refer to sk108513.
R77
01190617 SmartView Monitor shows incorrect values in "Traffic > top tunnels" tab.
Refer to sk93609.
R77.10
SmartWorkflow
01168149 SmartWorkflow reports show incorrect date. R77
UserAuthority
01169340 UserAuthority daemon will not start. Running uagstart produces an error message and halts: 'cpopen: cpdev is not initialized!'. R77.10
SmartDashboard
01184356 R76 Administrator / User name cannot contain space in name.
Refer to sk93526.
R77
01090475,
01195878,
01186678,
01097287,
01097286,
01195877
'Anti-Bot & Anti-Virus' column disappears from 'Install Policy' dialog window when SmartWorkFlow is enabled.
Refer to sk91161.
-
01204138 SmartDashboard crash when creating SmartLSM profile or VSB.
Refer to sk94067.
R77.10
01303534 R76 Rulebase Query syntax issues. (In R76, 'SmartDashboard > Firewall Tab > Policy' there is a search box above the rule base. The user is trying to query his rules using the Boolean operators AND and OR. The Boolean operators do not work). R77.10
01305367 When user opens the APPI blade, goes to policy and tries to add a site in the Application/Sites Column he sees that the SmartDashboard freezes for a short time.
Refer to sk97548.
R77.10
01134124
Protocol Type "None" is missing in service's advanced properties in R76 SmartDashboard. As a result, it is not possible to remove the current Protocol Type.
Refer to sk109409.
R77

01309959, 01255704, 01288824, 01207190

On rare occasions, when user logs into SmartDashboard, it crashes. R77.10
01311680,
01323719,
01323738,
01316396
SmartDashboard crashes almost every time when opened.
Refer to sk97878.
R77.10
01352197,
01354318,
01354317
When creating a new object with a space in its name, the space is changed to "_". There is no message to the user to inform him of the change.
Refer to sk98455.
-
00265445,
00265446
SmartDashboard does not accept username or password longer than 30 characters.
Refer to sk99020.
-
01382864 When a rule name contains non ASCII characters policy installation fails with the error "load on module failed - failed to load security policy".
Refer to sk33893.
-
01382196 Right-click on APN (Access Point Name) object causes SmartDashboard to crash.
Refer to sk99127.
-
01687346
SmartDashboard Help incorrectly shows "You can assign up to 8 instances on a Virtual System"
(SmartDashboard - Virtual System object - "CoreXL" pane - click on "?" button in the upper right corner).
The correct number is up to 10.
-
Dynamic Routing
01197984 OSPFv3 ASE LSA for default route rejected on "OSPF IO: Malformed 5 LSA from neighbor ...".
Refer to sk93927.
R77.10
01257707,
01262056,
01262057,
01262059,
01321803,
01345846
CPU on Standby cluster member is loaded at 99% by 'WA' (disk I/O) after RIP was configured on ClusterXL running on Gaia OS:

  • Output of 'top' command and 'vmstat' command on Standby cluster member show 99% 'WA'.

  • /var/log/messages file on Standby cluster member repeatedly shows:
    routed[PID]: RipClusterProcessMsg: cxl ifname [lo]
    routed[PID]: RipClusterProcessMsg: iflp ifname [eth0]
    
  • Clish 'show routes rip' command on Standby cluster member does not display any routes.

  • Expert 'netstat -rn' command on Standby cluster member shows that some routes are missing.
Refer to sk95966.
R77.10
01266853,
00265253,
00265441,
01267048,
01267049,
01267050,
01345875,
01350560
RouteD daemon constantly restarts when enabling PIM traces.
Refer to sk96070.
R76SP on 61000,
R77.10
00265445,
00265446
Output of 'show bgp peer-groups' command is incorrect if one BGP peer-group name is a substring of another BGP peer-group name.
Refer to sk99019.
R76SP on 61000
01382407 Various PBR commands end with "Invalid gateway address" error.
Refer to sk99124.
R77.20
01395670,
01398021,
01396756
OSPF routes disappear from kernel routing table after OSPF Neighbor restarts and the Security Gateway is configured to act as OSPF Graceful Restart Helper.
Refer to sk100456.
-
01509559,
01510315
RouteD daemon might crash when running routing commands in Gaia Clish (e.g., checking the routing table).
Refer to sk103432.
-
01573240,
01576432
clish crash on show configuration static-route command if the /web/cgi-bin/validate.tclfile does not exist.
Refer to sk104647.
-
SecureXL
01216598, 01420184 Policy installation can cause outbound packets to be dropped during policy installation or when running 'fwaccel off ; fwaccel on' commands.
Refer to sk101134.
R76SP on 61000,
R77.10
VoIP
01375859,
01376023,
01376384,
01402195,
01402203,
01402212,
01402215,
01404681,
01405846,
01410025
MGCP traffic is dropped with log "Response to unknown Request. Bad Call-ID" after upgrade to R76 / R77 / R77.10.
Refer to sk99026.
-
01432186,
01436581, 01438445
MGCP traffic is natted to 10000 address port range.
Refer to sk101587.
-
SAM card
00266422,
00266446,
00266447
SAM crash when receiving ESP fragments that reassembles to more than 4K packet. -
00264758,
00265142,
00265283
Transmit Data errors present on 10GB Acceleration-Ready Card port(s) on a 21000 appliance.
Refer to sk97768.
-
Firewall-1 GX
01418309,
01419355,
01419462
Sporadic drops of gtpv2 gtp-u packets on FireWall-1 GX.
Refer to sk101139.
-
IPS
00508495, 00590267, 00632211, 00643347, 00650686, 00734714, 00780609, 00781421, 00863466, 00880392, 01080059, 01086056, 01087845, 01103721, 01245295, 01432703, 01433163, 01445637, 01550908, 01573511, 01573552 Security Gateway with enabled IPS blade might crash in "cmi_context_get_status ()" function.
Refer to sk104642.
-
HTTPS Inspection
01233672, 01180065, 01601700, 01606092, 01606093 Security Gateway with enabled HTTPS Inspection might crash during high traffic load.
Refer to sk105538.
-

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment