Check Point R76 Resolved Issues
Solution

This article lists all of the issues that have been resolved in R76.

Important notes:

 

Table of Contents

  • Gaia
  • SecurePlatform
  • Security Management Server
  • Multi-Domain Security Management
  • Firewall
  • VPN
  • Identity Awareness
  • Mobile Access
  • Anti-Bot / Anti-Virus / Anti-Malware
  • ClusterXL
  • SNMP
  • CoreXL
  • IPS
  • UserCheck
  • Advanced Dynamic Routing - Gaia
  • Advanced Dynamic Routing - SecurePlatform
  • VSX
  • SmartLog
  • SmartProvisioning
  • SecureXL
  • SmartConsole
  • Endpoint Security on Demand
  • SmartReporter

 

ID Symptoms
Gaia
00974874,
00940782
If you configure a Virtual IP that is not on the same subnet as the physical IP addresses, the route to the virtual IP might not be pushed to the kernel.
01041105 Due to an issue with constant reboot of computers with more than 8000 MB memory running Gaia in 32-bit mode, the Gaia operating system now boots automatically in 64-bit mode, if there is more than 8000 MB memory.
01010716,
01013754,
01013755,
00934769
'save configuration <filename>' command in Gaia Clish does not create complete files.
00974647 'save configuration <filename>' command in Gaia Clish does not save dynamic routing configuration data.
01107785,
01110326,
01174590,
01176687,
01289727,
01343538,
01369321,
01369821,
01373847,
01374689
Output of 'top' command on Gaia OS shows that 'monitord' process consumes memory at high level.
Refer to sk93587.
01024956 Upgrading a Gaia Management machine from R75.40 using the WebUI is not supported, if the server is configured as a Multi-Domain Management Server.
00990162,
00990165
Gaia stops responding when many MCVR addresses (Monitored Circuits) are added to VRRP.
01054033,
01054032
When setting up a VTI VPN tunnel between clusters, performing "Get Interfaces" in SmartDashboard does not work. Also, the VTI does not appear when running the 'ifconfig -a' command.
01049568 PPPoE username with leading "0" (zero) is not saved correctly on Gaia OS.
Refer to sk86400.
01070884,
01179220,
01190956,
01084061,
01084188,
01084187,
01203721
Backup/Restore function in Gaia Portal and Clish worked only for files up to 2GB in size.
Refer to sk88145.
01166969,
01168228,
01185640,
01167082,
01167083
When running 'show backup-scheduled Backup_File_Name' command, Clish crashes with
*** glibc detected ***
Backtrace:
/lib/libc.so.6(cfree+...)
/usr/lib/libcli.so(freeStringArr+...)
/usr/lib/cli/lib/libcli_backup.so
/usr/lib/cli/lib/libcli_backup.so(sched_backup_show+...)
Refer to sk113266.
01059548,
00265173,
00265898,
00265899,
00265900,
00265941,
01285879,
01361775
When configuring a bond interface in active-backup mode, the primary interface setting is not preserved after reboot.
Refer to sk100269.
01025926,
01352288,
01352738,
01362102
IPv6 is not enabled on Gaia OS after enabling IPv6 Support.
Refer to sk101834.
01078185,
01191860,
01217399,
01226023,
01227099,
01343584,
01345992,
01361546,
01361643,
01373202,
01374045,
01398982,
01400118,
01446648,
01448738
RADIUS users cannot login over SSH to Gaia OS.
Refer to sk97206.
01071819 'set lcd none' command in Gaia Clish does not function.
01084325,
01057465
Frequent hardware sensor alerts on Check Point 2012 appliances running SecurePlatform or Gaia.
01048313, 01202073, 01206159, 01048472 RouteD daemon constantly crashes when adding new loopback interface.
Refer to sk94209.
00891805, 01868791, 01868975 'ip rule list' command on Gaia OS shows duplicate PBR rules.
Refer to sk109101.
SecurePlatform
00974872 If you use the CLI to schedule a backup without logs, or deselect log collection in the WebUI, the configuration file '/var/CPbackup/conf/backup_sched.conf' gets this entry: BACKUP_LOGFILES=NO. This setting will prevent the CLI command 'backup -l' from collecting logs.
00553445,
00553444,
00547140,
00548020,
00548320,
00552380,
00553442,
00567059,
00574093,
00574430,
00647906,
00648633,
00648958,
00765541,
00774981,
00815732,
00848407,
00904918,
00906772,
00923135,
00968476,
01007249,
01007599
IOWait consumes 100% CPU on Security Gateway after security policy installation.
Refer to sk60703.
00975431 SecurePlatform does not support HP NC522SFP Dual Port 10GbE Gigabit Server Adapters.
01041692 When creating a scheduled backup, the backup utility fails when the FTP storage destination is selected.
01057115 When more than 136 MB of traffic passes through an interface, it is not seen by the SNMPD daemon. The SNMP Query for ifHCInOctets returns a truncated value.
Refer to sk61224.
00974869,
00909497
/var/log/messages file is filled with 'snmpd[PID]: ioctl 35123 returned -1'.
Refer to sk72240.
00974875 On SecurePlatform, the 'snmpwalk' command does not always give full output for custom OIDs.
01084325,
01057465
Frequent hardware sensor alerts on Check Point 2012 appliances running SecurePlatform or Gaia.
Security Management Server
01050062,
01050063
3rd party SNMP viewer shows mismatch in returned values.
01025433 Memory leak in CPD daemon.
01025611,
01025612
Memory leak in FWD daemon.
01042427,
00974910
Memory leak in FWM daemon.
01080525,
01080526
SNMPD daemon crashed after interface IP address change on Gaia OS (refer to sk89300). A warning now prevents the user from changing the interface IP address until it is removed from the SNMPD list.
01056038

Policy installation fails when a Management server, configured as pure IPv6 (IPv6 addresses only), manages Security Gateways running releases earlier than R76.

Workaround: Configure the Management server with dummy IPv4 addresses.
01062324

Advanced Upgrade from R75.10 Full HA to R76 Standalone configuration is not supported.

Workaround: Do an Advanced Upgrade to R76 Full HA, and then change from Full HA to Standalone.

00974989

SmartView Tracker does not resolve Edge ROBO gateways on the 'Origin' field.

00974890

SmartDashboard becomes unstable if the user changes the comments on a cluster object and clicks "OK".

00975073,
00983111,
00983800

Policy installation fails with error "Operation failed. Install/uninstall has been improperly terminated" instead of showing a proper error message and FWM daemon crashes when a NAT contains multiple Source / Destination objects.
Refer to sk103918.

01060112,
01084475

On a Security Management Server running on Windows OS, the migrate export command fails with plugin error due to incorrect name in registry:
"Error:Execution finished with errors. See log file 'C:\Program Files\CheckPoint\R75.40\CPShared\R75.40\log\migrate-ddd_MMM_dd_HH-mm-ss_Year.log' for further details".

01074771,
01074770

Policy installation fails on Security Gateways with Mobile Access Blade enabled.

00897954,
00974894

The set2xml parser leads to crashes when "_l-" substring exists in user-defined object names. Example: some_name_I-AG.

00963167,
00974975

Corrupted cp.license file on a Security Gateway causes FWM to crash on the Security Management Server.

Multi-Domain Security Management

00974986,
01062126,
00944214,
01041111,
00871278,
01041110

Policy installation that contains VPN rules fails because of a licensing error.
00974870 The 'backup' command has the option to collect Multi-Domain Server logs.
00974982 Memory leaks from FWM daemon context.
00991128,
00993269
When deleting a <tp_cma> from the command line using 'mdscmd' command, the operation fails and the FWM daemon terminates unexpectedly.
00939130 IPS contracts may not be applied to a Virtual System.
01048058 Domain Management Server stability issue can occur after upgrade.
01051402 Domain Management Servers are out of sync after the 'cpstop;cpstart' commands are run on the Secondary Domain Management Server without a change to the database.
01060351,
01060350
mds_exclude.dat option does not work on mds_backup on R75.45 Provider-1: definitions in the mds_exclude.dat file are ignored.
00912430,
00974880
Memory leak in FWM daemon on Domain Management Server.
01051597,
01051596
Renaming policy on CMA results in error "Global object modification is prohibited".
01051404 After the Multi-Domain Server restarts, all Domain Management Servers fall out of sync, even if they were not changed.
Firewall
00972765,
00623746
Cannot change 'frag_table' timeout from the default value of 20 seconds.
00973843,
00915764
When using a Bridge interface, this error appears in the /var/log/messages file: "SKB BUG: Invalid truesize (1586) len=1386, sizeof(sk_buff)=240"
00974971,
00943628
Security Policy installation fails with "ERROR: Duplicate keys <xxxxxxxx> in table 'sd_dst_intvl_list'".
Refer to sk83480.
00901704 If the total number of interrupts in /proc/stat exceeds a 32-bit value, SNMP Query for OID 1.3.6.1.4.1.2620.1.6.7.5.1.7 (number of interrupts per second) returns a zero value.
00974622,
00941110
"bootp" process caused system instability.
00974807,
00894501
When creating a Bond, interfaces from an Expansion card disappear.
For example, if eth1 is already a slave in a Bond, you cannot add interface eth1-1 to that Bond.
01062798,
01062799
IPS enters Bypass mode based on High CPU Threshold, even if the CPU usage is below the threshold.
Refer to sk89360.
01064632,
01064688
IPS High/Low Bypass memory thresholds are not implemented correctly.
01050805 When using the Security Gateway as a proxy server in non-transparent mode, cannot browse to web site. Proxy connection is not removed from the HTTP header.
01094321 Enhancement: NAT Templates are supported by SecureXL.
Refer to sk71200 for instructions.
01056598,
00895953
Improved memory to process large tables. Increases support for number of SmartLSM Security Gateways.
01043613

Traffic on UDP port 500 is dropped after installing a policy with a Server to Client configuration.

Before installing the policy, run these commands to set the relevant kernel parameters:
'fw ctl set int fwconn_rematch_udp_s2c_old_conn 1' (default is 0)
'fw ctl set int fwconn_rematch_udp_s2c_old_conn_by_service 500'
00992890,
00992889

Enhanced packet handling by Passive Streaming Layer (PSL). If the predefined threshold is reached, the packet is printed to /var/log/messages.

To set the threshold, follow sk26202 to set 'psl_print_stack_threshold_on_handle_pkt=<number_of_microseconds>'.
01052011,
01052012

The 'snmpwalk' command shows the CPU data of four cluster members at 100% (including Standby). SmartView Monitor and 'top' command show the CPUs at 99%+ idle.

00970793

Enhancement: To improve resource consumption on Security Gateway during heavy loads of traffic that should be dropped, this release introduces Optimized Drops. Traffic is dropped by SecureXL.

To activate:

  1. For each gateway and Virtual System that runs SecureXL, set the value of 'optimize_drops_support' kernel parameter to "true".
  2. Install policy.
Refer to sk90861 and sk90941.
01062483

With Dynamic Objects in a rule, after policy installation, traffic through the Security Gateway is sometimes incorrectly dropped on that rule because of synchronization issues.

01052824

Added additional support for VoIP protocol SCCP for Cisco Call Manager 7 and 8.

00974847,
00932080

After an ISP failover, Security Gateway (with NAT enabled) blocks connections getting an IP address from a DHCP server.

00974978,
00936087

In rare cases, when Log Server initialization fails, the FWD daemon terminates unexpectedly.

01025713,
01025714

When CoreXL is enabled, the error message "FW-1 form has expired" appears.

01047145,
01047144
"X-Forward-For" header replacement in Identity Awareness with Application Control does not work - data was stripped.
Kernel debug shows:
;psl_handle_data_replacement: error, replace_tcp_data_f failed
;psl_handle_packet: error, psl_handle_data_replacement failed
;psl_handle_packet: saving msg "internal error - psl_handle_data_replacement failed
00935442,
00974900
Unable to connect to VRRP IP after running "fw unloadlocal" command. Kernel debug shows: "...dropped by fwha_forw_run Reason: Failed to send to another cluster member".
00511867,
00523958,
00645693,
00815652,
00915165,
00645691,
00974969,
00645696,
00645976,
00755648,
00784285
Security Gateway with PPPoE external interface installs "defaultfilter" policy instead of an expected policy if PPPoE connection is not available during boot.
Refer to sk43293.
00853274,
00853798,
00853799,
00853800,
00857677,
00859676,
00885390,
00903026,
00936263,
01056437,
01056440,
01057695,
01060611,
01111724,
01118586,
01119306,
01119814,
01121955,
01129793
Security Gateway might crash upon policy installation after deleting some rules from the rulebase if 'Connection Persistence' is set to 'Keep all connections' in Security Gateway object.
Refer to Scenario 4 in sk103598.
VPN
00840479 SSL Network Extender users are disconnected due to VPND daemon stability issues.
00974862

VPN negotiation fails for some NAT-T interfaces.

We created a configurable mechanism to limit the size of IKE packets for Security Gateway with a large number of external interfaces.

00974964 VPND daemon prints logs to $FWDIR/log/vpnd.elg by default, unless logs are disabled.
01056593 Issues occur when handling Remote Access connections from a user that is defined in many user groups.
01064509 You cannot configure a timeout on the Security Gateway for leased Office Mode IP addresses from a DHCP server.
01056597,
00922603
Reauthentication timeout interval for Remote Access clients was limited to one day.
01055167,
01055166
Changes to the shared secret of a VPN community are not saved.
00260574,
00974862
VPN negotiation fails for some NAT-T interfaces, getting the error "PAYLOAD-MALFORMED" in $FWDIR/log/ike.elg log file.

A configurable mechanism now limits the size of IKE packets for Security Gateways with a large number of external interfaces.
00905443,
00975003
CoreXL drops 'in clear' traffic from a trusted interface with "Clear text packet should be encrypted" message.
00943687,
00975002
Changing VPN capacity optimization options does not change the corresponding kernel tables size (ike2esp, peer2ike, ike2peer)
Identity Awareness
00974897 Portal language customization is now supported.
01025293,
01015320
Added configurable option for AD queries to ignore login events from users who log into a different domain.
01048696,
01048697
When using AD with an alternative UPN, Terminal Servers Identity Agent reports a user domain attribute in logs that is different than the standard Identity Agent. When users log in with the alternative UPN, the Terminal Server agent uses the alternative UPN as the domain name.
Refer to sk87200.
01028403, 01028403
When selecting a Security Gateway / Virtual System in SmartView Monitor, status of Identity Awareness blade is displayed as "Error: At least one server is currently disconnected".
Refer to sk94635.
Mobile Access
00892635 Mobile Access portal users cannot authenticate with LDAP using a certificate. This occurs when a user is defined in a nested group on the LDAP server.
00990024 Remote Access users are disconnected when policy installation takes longer than normal (typically in large deployments).
00990021 Microsoft Internet Explorer browser patch, intended to prevent a "BEAST ATTACK", prevents connection to the SSL Portal.
00974892 When you import a certificate into the Mobile Access Portal, the Portal GUI becomes unstable.
01028151,
01028152
Cannot use JavaScript (for example, document.body.style.background ="url(../test.jpg)";) to set the background image for internal sites accessed through the Mobile Access Portal.
01068161,
01065144
ActiveSync fails when LDAP server uses UPN as a username.
The following error can be found in httpd.log:
[APACHE] [CVPN_ERROR] Cvpn::ActiveSyncHandler::isConfForSameUser: The usernames are different: from conf (<USERNAME>@company.com) from user (<USERNAME>)
01073383,
01073382
Custom certificate parsing is not applied for the legacy authentication scheme.
01081092,
01081091
Web Intelligence policy fails to load.
Error in httpd.log:
[emerg] WIConnection::init. ERROR! install_policy failed
00967218,
00974643
The Mobile Access login page is unstable when connecting from a Windows Phone 7.5 browser.
Anti-Bot / Anti-Virus / Anti-Malware
00974903,
00940647
Anti-Spam engine incorrectly blocks POP3 message download.
ClusterXL
00974904 The 'fwldbcast_pending_timeout' kernel parameter cannot be set in $FWDIR/boot/modules/fwkern.conf file on Security Gateway.
01081271,
01081270
When VMAC is configured on 21400 series appliances, the traffic sent to Non Pivot member is dropped.
01087692,
01081135
Full Sync fails after reboot.
01079289,
01103133,
01081270,
01086900,
01095303,
01081271,
01089476,
01081272,
01101130
Non-Pivot cluster member on 21400 appliances drops the packets without any log when VMAC is enabled.
Refer to sk89321.
SNMP
00941815,
00974589

When SNMP is used, these types of messages appear in /var/log/messages:
snmpd[PID]: unknown interface in /proc/net/ipv6_route
snmpd[PID]: /proc/net/ipv6_route data format error (5!=8), line == ...

CoreXL
00974963,
00937971
When using CoreXL and VPN-over-VPN (encrypting an already encrypted VPN packet), a Security Gateway in a Site-to-Site configuration will fail to register a valid SA and drop the encrypted packets.
IPS
00968456,
00975005
When using IPS, a memory leak occurs.
00974638 You cannot download a file from a web server, if the web server object in SmartDashboard has the IPS 'Header Spoofing' protection enabled as part of the policy.
01056665,
01056662
IPS logs show a website's host IP address instead of the host name.
UserCheck
00974981,
00957127
After upgrading the Security Management server, the UserCheck logo fails to display on the UserCheck > Access Notification page.
Advanced Dynamic Routing - Gaia
00974873 Inactive routemaps cannot be deleted completely. Dynamic routing protocols retain the deleted routemap.
01090376,
01090375
When using OSPF with MD5 authentication, a failover to a member that came up after a reboot can cause the OSPF session to restart.
00923067,
00974873
In Gaia, inactive routemaps cannot be deleted completely. Dynamic routing protocols retain the deleted routemap.
01084341,
01068155
OSPF state is not synchronized to the Standby cluster member.
01066338,
01112517,
01102182,
01092667,
01091414,
01089757
When routed runs with OSPF MD5 authentication for a long time, the OSPF session gets restarted.
00957124,
00974860
A Policy Based Routing Action Table with a Normal Nexthop Type IP address is not created properly.
01024543,
01052462
IPv6 Neighbor Discovery does not work on VLAN interfaces, which in turn causes Dynamic Routing protocols (OSPF, etc) to fail as well on VLAN interfaces configured with IPv6 address.
Refer to sk92630.
Advanced Dynamic Routing - SecurePlatform
01069932,
01069847
Some of the signals received by routed are printed with the wrong name in the routed trace file.
VSX
01097972 When you add or reinstall a member on an active VSX Cluster, traffic can be interrupted for up to 30 seconds. This can occur if, when the new/installed member becomes 'Active', you run the 'vsx_util reconfigure' or 'vsx add_member_reconf' commands on the Management Server.
01098051 After you run the 'vsx_util reconfigure' command and reboot the VSX Gateway, some or all Virtual Systems stay in the "HA module not started" state. You can see this when you run 'cphaprob -a if' command. When you run 'cphaprob state' in VS0, the member may show that it is in the 'Active/Standby' state.
01004032,
01004033
When adding over 32 warp interfaces in VSX, a "Virtual System interface count exceeds 64" error is displayed.
00661732,
00974871
Missing entries in the Check Point MIB file in the VSX Appliance for snmpwalk3 172.24.139.115 svncommand.
01082914, 01094710
'fwk' process consumes CPU at high level after enabling IPS blade and/or Anti-Bot blade on a Virtual System.
Refer to sk94645.
SmartLog
01003965 Improved disk consumption of the index files.
SmartProvisioning
00974945 Stability issue on Update Selected Corporate Office Gateway on cluster devices.
00920712,
00974915
SmartProvisioning hangs during search.
SecureXL
01088434 If NAT Templates are enabled, SecureXL will not start on the VRRP Backup member after policy install.
01088382,
01088433,
01088434
  • SecureXL does not start on the Backup member of VRRP cluster after reboot.
  • Output of "fwaccel stat" command shows:
    Accelerator Status : off by Firewall (too many general errors (NUMBER) (caller: Name_of_Function)).
Refer to sk100467 (Scenario 4 - "SecureXL does not start on the Backup member of VRRP cluster after reboot").
SmartConsole
01002306,
01002307
Configuring IP Pool NAT triggers an "IP Pool NAT is required to be defined on at least one interface" error pop-up in SmartDashboard.
01039951,
01039952
Anti-Spam tab in SmartDashboard does not recognize Security Gateway object with enabled Anti-Spam.
01057417,
01057416
User cannot add a new 'group with exclusion' from the 'Add object' menu into NAT rulebase.
01087743,
01087742
Carriage Return characters in Edge configuration script are deleted during an upgrade.
01083350,
00940118
The migrate folder in $FWDIR/tmp/ directory does not get deleted at the end of an advanced upgrade.
00938334,
00974989
ROBO Cluster members do not resolve in SmartView Tracker.
Note: The fix is not supported for Windows platforms.
Endpoint Security on Demand
00909605,
00620610
Endpoint Security on Demand updates fail with error: "Failed module reports that local application ended during handshake".
SmartReporter
00923904,
00974993
Selecting *.MHT report option generates an *.HTML format report instead.
