ID |
Symptoms |
Firewall |
01069394, 01138565, 01083594, 01083595, 01138563, 01131371, 01138561 |
TCP traffic with ECN-setup SYN packets is dropped without logs. Refer to sk87880. |
01107522, 01212804, 01181681, 01110298, 01203533, 01108362, 01125662, 01108361, 01136846 |
After enabling Application Control and URL Filtering Blades on an IPSO cluster, logging stops after every 4-6 policy installations. |
01118812, 01184197, 01119847, 01119848, 01119846 |
DCE-RPC high port is not opened by the service 'ALL_DCE_RPC' and all traffic on it is dropped. Important Note: If Security Management Server R77 manages Security Gateway lower than R77, then the relevant improved DEF files have to be copied on Security Management Server - from $FWDIR/lib/ directory to the corresponding Compatibility directory. Refer to sk42402. |
01134342, 01136030, 01134496, 01134494, 01134605, 01134495 |
The same web site cannot be accessed on more than one destination port when Security Gateway is configured as Non-Transparent Proxy. |
01151082, 01153053, 01159408, 01160250, 01167104, 01168779, 01184203, 01186047, 01195459, 01200358, 01202398, 01219191, 01219436, 01219503, 01219504, 01254637, 01269927, 01273735, 01340126, 01341617, 01460273 |
Security Gateway randomly reboots when IPS Blade or SecureXL is enabled. Refer to sk93308. |
01119817, 01122449, 01122448, 01122450, 01180657 |
"psl_get_tmpl_opaque_ref: tmpl_data is NULL" message is printed repeatedly in /var/log/messages file. |
01165022, 01162580 |
DNS proxy query fails due to inconsistency of table key. |
01088236, 01132709, 01132707, 01184216, 01132708 |
TLS traffic (Server Hello) is dropped when using only the 'ssl_v3' service. |
00733220 |
Upgrade on a Solaris platform completes with error. If you deployed a Security Gateway 80 with the IPS blade enabled, update the IPS database on these appliances. Otherwise you can safely ignore this error. |
Security Management Server |
01160180, 01160430 |
Problem converting all log files to ASCII. |
01101916, 01102870, 01102871, 01153302; 01089633, 01147132, 01094201, 01140696; 01165592, 01173795, 01176793, 01176794, 01176791 |
'fwm logexport' command fails with "Error: Failed to read field FollowUp" after enabling Anti-Virus / Anti-Bot blades. Refer to sk91620. |
01182073, 01183046, 01183147, 01189688, 01182696, 01182694 |
After checking the box of 'Endpoint Policy Management' product in the Security Management Server object and performing 'Install Database' operation, the FWM daemon immediately starts consuming the CPU at 100% on Security Management Server. Refer to sk93356. |
01140137, 01140521, 01140522, 01188671, 01190507, 01190599 |
Policy installation fails when Unnumbered VTI interfaces are configured on ClusterXL members, with errors:
"/opt/CPsuite-RXX/fw1/conf/Policy_Name.pf", line N: ERROR: Duplicate keys in table 'cluster_members_ids_by_ips'
"/opt/CPsuite-RXX/fw1/conf/Policy_Name.pf", line N: ERROR: Duplicate keys in table 'cluster_members_ips_by_local_ip'
|
01139654, 01154083, 01154082, 01154081 |
Management HA status is not changed after modifying VPN configuration files '$FWDIR/conf/vpn_route.conf' and '$FWDIR/conf/vpn_service_based_routing.conf'. |
01139848, 01147896, 01147897, 01147898, 01172770, 01178697 |
"Administrator failed to log in: No SIC error message" error in SmartView Tracker for "Unknown" type Application log when working with Tufin Admin Login. Refer to sk92749. |
01153285, 01153436, 01153437, 01155414, 01383398 |
Rulebase of Backward Compatible gateways gets the IPv6 address with mask 0 (i.e., all IP addresses), which makes the Backward Compatible gateway cell to be set as "Any" in the rule. |
00871249, 00897790, 00937707, 00871307, 01087345, 01069328, 01087308, 00886432, 01087344 |
When using an ActiveSync app on an Android phone or an iPhone, multiple sessions could be established for each user. As a result, available licenses are exhausted on Security Gateway, which causes sporadic updates to e-mail and random losses of connectivity. Refer to sk68120. |
ClusterXL |
01173615, 00264391, 00264387, 00264365, 01189061, 01179741 |
ClusterXL NAT for DHCP Relay traffic fails in ClusterXL High Availability mode on Gaia OS. Refer to sk97642. |
01174253, 01175165, 01175166, 01175167, 01177475, 01187610, 01198641, 01202117, 01209940, 01248754, 01352098, 01363848 |
No traffic passes through ClusterXL in High Availability mode when proxy is enabled. Refer to sk93247. |
01135889, 00263828, 01137491, 01139528, 01137492, 01189083 |
Standby member changes its state to 'Down' when iBGP with 'local-address' is configured on ClusterXL. Refer to sk93591. |
00864792 |
The 'fw ctl pstat' command shows 'Sync: off' when IPv6 is enabled. To see Sync status with IPv6 enabled, run 'fw ctl pstat -v 4'. Refer to sk78220. |
01103880 |
In SmartDashboard, in the object of VRRP cluster, when you clear the box "Hide Cluster Members' outgoing traffic behind the Cluster's IP address", and later change the cluster object to ClusterXL High Availability / Load Sharing mode, the 'Hide' configuration is still applied to the traffic. |
00527195 |
'ping6' command for a ClusterXL Virtual IPv6 address is not supported. In such a case, ClusterXL will not reply to ICMPv6 Echo Requests on the Virtual IPv6 addresses. |
00263881, 00265438, 00266409, 01166695, 01171767, 01238182, 01258620, 01345863 |
Interface is not removed from /proc/net/ip_mr_vif after the interface, on which PIM is enabled, goes down. |
VPN |
01079390 |
A main IPv6 address must be configured for all Security Gateways with IPv6 addresses participating in IPSec VPN or Mobile Access. Note that the main address should correspond to the external IPv6 address of the Security Gateway. Similarly, a main IPv4 address should be configured for all Security Gateways with IPv4 addresses. |
01099734, 01155802, 01138487 |
VPN route-based link selection does not work on Gaia OS, if a route has two associated Security Gateways with the same priority. The Security Gateways must have different priorities. |
01069848, 01138490 |
When configuring IPv6 VPN Site-to-Site, you must reduce MTU of interfaces directly connected to the Security Gateway in IPv6 networks that are part of the encryption domain. (This release fixes the issue described in sk90721). |
01140164, 01138670, 01142565, 01142566, 01147454, 01363992 |
After installation of / upgrade to R76, users are unable to establish connection with L2TP. Refer to sk92707. |
01084620, 01138494 |
When passing VPN traffic between IPv6-only gateways, the overview graphs in the VPN tab in the SmartDashboard are not updated. |
01162811, 01163747, 01186768 |
VPND daemon crashes when using vpn shell commands. |
01178460, 01182611, 01182612 |
Traffic does not pass via the VPN tunnel after upgrade to R76. (This release fixes the issue described in sk93380). |
01171006, 01171014, 01171581, 01171632, 01207513, 01207515, 01239833, 01469038 |
Check Point Mobile VPN does not accept partial certificates issued by 3rd party. Refer to sk89800. |
01108722, 01163520, 01163521, 01163522, 01179033 |
When connecting two L2TP Windows-based clients, located behind NAT, one of them is disconnected. |
01126097, 01127533, 01150189, 01127532, 01176662; 00769690, 00771821, 00846644 |
CPSB-SSLVPN-5000 license does not allow Check Point Mobile for Windows to connect. Refer to sk92503. |
01053808, 01060762, 01121784, 01121785, 01162145, 01183430, 01060763 |
VPN tunnel on Security Gateway 80 does not come up after rebooting Security Gateway 80 because VPN Peer Security Gateway does not recognize the Security Gateway 80's certificate correctly. Refer to Scenario 2 in sk114834. |
01153728, 01153934, 01175189, 01348020 |
VPND daemon on Virtual System constantly crashes after enabling Anti-Bot / Anti-Virus blade on Virtual System. Refer to sk98283. |
Gaia / SecurePlatform |
01169944, 01171054, 01171055, 01171056, 01171057 |
Gaia Portal hangs in loading status when entering static routes in batch mode ('Network Management' pane - 'IPv4 Static Routes' - click on 'Add Multiple Static Route'). |
01131536, 01132024, 01132025, 01132026, 01217927 |
Gaia Database is locked after running 'mds_backup -g -b -L best -d /var/tmp' command. Refer to sk95388. |
01109670 |
SmartEvent client cannot connect to Windows Server after downgrading to R75.40. Refer to sk92222. |
01090426 |
In Gaia First Time Wizard, if reboot is needed, but you do not click 'OK' immediately, the session can end without a reboot. The Gaia-based machine will not function correctly until it is rebooted. |
01100863 |
Import of a snapshot image in Gaia Portal fails when working in Internet Explorer 8 browser. |
01049568 |
PPPoE username with leading "0" (zero) is not saved correctly on Gaia OS. Refer to sk86400. |
00875213 |
TACACS+ authentication is not supported on the Gaia OS. The commands and Gaia Portal options are available (for future use), but should not be used. |
01170384, 01171099, 01184599, 01207506, 01171098 |
"CLINFR0819 User: admin denied access via CLI" error when trying to log in via CLI after upgrading from R75.40 SecurePlatform to R76 Gaia. Refer to Scenario 10 in sk103397. |
01166969, 01168228, 01167082, 01167083, 01185640 |
When running 'show backup-scheduled Backup_File_Name' command, Clish crashes with:
*** glibc detected ***
Backtrace:
/lib/libc.so.6(cfree+...)
/usr/lib/libcli.so(freeStringArr+...)
/usr/lib/cli/lib/libcli_backup.so
/usr/lib/cli/lib/libcli_backup.so(sched_backup_show+...)
Refer to sk113266. |
01109279 |
Upgrade from SecurePlatform to Gaia fails in rare cases because of insufficient disk space in the /sysimg volume. The error message shows "Disk Space Error /var/log/CPupgrade.elg". |
00942327, 01224452, 01224455, 01221978, 01199049, 01224454, 01200848, 01215728, 01224451 |
Memory usage constantly increases on Security Gateway running on Gaia OS. Refer to sk95128. |
01136738, 01165029, 01159441 |
RouteD daemon crashes several minutes after shutting down an interface on the Active ClusterXL member. Refer to sk95231. |
00900327, 00413960 |
Interface cannot be disabled in SecurePlatform WebUI. |
01141581, 01144586, 01144587 |
Installation of Gaia R76 on an HP ProLiant DL385 G6 fails with: "installation failed missing HD". |
Gaia Dynamic Routing |
01183634, 01183320 |
In Gaia Advanced VRRP, two interfaces cannot be created for the same VRID. |
SmartDashboard |
01182539, 01173995 |
Cannot import XML license file for Security Gateway 80. |
01180435, 01180444 |
Policy verification fails from SmartDashboard when the Security Management Server is installed on Windows OS. |
01133149, 01173289, 01133695, 01163385, 01133694, 01136114, 01133696, 01136039 |
SmartDashboard crashes when editing a Group Object or an Address Range Object that was just cloned. Refer to sk92632. |
01124725, 01132295, 01132296, 01132297 |
In some conditions the Edge status shows 'OK' on the 'Devices' menu although it is not connected. |
SmartEvent |
01131360, 01131362, 01133707, 01134338, 01138336, 01138342, 01138349, 01381518, 01408044 |
After performing 'Install Database' operation from Security Management Server that has a lower version (e.g., R75.40) than the SmartEvent server (e.g., R75.45/R75.46/R76), login in SmartEvent GUI client fails with "Unable to get idle-time workstation locking policy" error. Refer to sk111293 (Scenario 3). |
01137445, 01166198, 01166199, 01166200 |
SmartEvent is not able to process new events once the maximum capacity is reached (limit of the database size). |
01139635, 01144955, 01186353, 01144954 |
The 'cpstat cpsead' command is unable to display more than 100 jobs. |
01140790, 01170278, 01170276, 01170275, 01170277 |
'DDoS Protector' event is missing in SmartEvent ('Policy' tab - 'Event policy') after importing the database from R75.40 installation using 'migrate import'. |
SmartReporter |
01092002, 01118709, 01103212, 01103211, 01186301 |
SmartReporter 'Firewall Blade - Activity' reports show incorrect 'Traffic Size' information when the results are sorted by 'Bytes'. Refer to sk92485. |
01162270, 01166093, 01187413, 01164514, 01166799, 01164515, 01164516 |
SmartReporter is not able to generate a report in PDF format. |
SmartView Monitor |
01099996, 01100674, 01100673, 01187498 |
Colors on line graph do not match the colors at the bottom list. |
01173534, 01174128, 01187483, 01175643, 01174129 |
'FireWall' or 'FireWall History' reports saved as CSV or as Text either contain wrong data, or an error "Encountered an improper argument" appears. Refer to sk93045. |
00889402 |
In a Full High Availability deployment, the connected client list is empty. So SmartView Monitor cannot be used to disconnect clients of the cluster members. |
01173204, 01384323 |
SmartView Monitor shows "Attention" in the "Status" column for one of the cluster members. Refer to sk108513. |
SmartProvisioning |
01136716, 01137539, 01137537, 01137538 |
When using the "Push dynamic objects" option in SmartProvisioning GUI, the Security Gateway becomes unresponsive for new connections/traffic. |
SmartLog |
01163468, 01163451 |
Edge gateway missing from SmartLog filter by origin drop-down list. |
01134295, 01139597, 01138530, 01138718 |
SmartLog server does not function correctly when different gateways perform a simultaneous log switch. |
IPS |
01126852, 01179166, 01133747, 01168710, 01129727, 01133346, 01161956, 01129735, 01130216, 01136950, 01188665, 01140798, 01129728, 01131964, 01139076, 01171814, 01176147, 01182052, 01140425, 01132542, 01132675, 01129726, 01136428, 01182105 |
Traffic rate through Security Gateway is decreased significantly when any IPS profile other than 'Default_Protection' is assigned.
Refer to sk92527. |
01067683, 01069230, 01180645, 01069528, 01069529 |
SmartView Tracker shows false positive IPS logs "TCP Out of Sequence" for Microsoft Keep Alive Packets.
Important Note: To disable the false positive IPS logs when a Keep Alive packet is recognized, set the value of psl_disable_keepalive_logs kernel parameter to 1 (one). |
01140621, 01140826, 01158344, 01166722, 01168854, 01144699, 01145008, 01186416, 01155842, 01181758, 01152515 |
Citrix traffic is dropped by IPS with log 'Citrix Enforcement Violation' when Security Gateway is running Gaia OS with 64-bit kernel. Refer to sk92720. |
DLP |
01163763, 01163761, 01171601 |
Emails are getting stuck in Exchange server queue. Refer to sk93377. |
01172379 |
Reply by e-mail does not work when using iPhone/iPad. |
01165147, 01168375, 01168372, 01169344, 01173135 |
Data type is not recognized when sending e-mail using OWA 2007 or BlackBerry when the forbidden words appear at the end of the e-mail body. |
Identity Awareness |
01085734, 01187992, 01105582, 01105583, 01186792, 01149413 |
Users connecting to Internet with web browser that does not support Kerberos SSO will now automatically be redirected to the Captive portal after 1 second. |
01096077, 01102564, 01172630 |
Identity Awareness Multi User Host Agent might fail to connect to the Identity Awareness gateway when a local user is connected to the host machine. |
01110658, 01114894, 01115460, 01118660, 01118661, 01171088 |
Preliminary AD Query sessions are not destroyed, causing high CPU and memory usage. |
01179534 |
AD Query permissions script from sk43874 might produce error messages when running in Preview mode:
- Failed to read configuration for log wevtutil el. The specified channel could not be found. Check channel configuration.
- Required argument(s) is/are not specified. The parameter is incorrect.
Refer to sk93330. |
01120887, 01151005, 01182310, 01122006, 01166831, 01123051, 01122007 |
In Identity Awareness environment with identity sharing, identities created by a local gateway that are on the same 32/28 network as identities created by a remote gateway, might be lost on rare occasions. |
01176746, 01177366, 01180208, 01184550 |
SmartView Monitor shows incorrect messages and severities regarding PDP disconnections from PEP. |
01177336, 01253559, 01321334, 01323461, 01189819, 01184402, 01229810 |
PDPD process crashes under traffic load. Refer to sk97884. |
UserCheck |
01167072, 01167075, 01173056 |
When UserCheck is enabled, e-mails get stuck in the fwdlp process and are not released. Refer to sk93376. |
Multi-Domain Security Management Server |
01160184, 01160217 |
Problem with soft links and directory structures in Provider-1 after upgrade when $MDSDIR/conf/SMC_Files/SmartConsole/SmartConsole directory exists. |
01159205, 01160435, 01160436, 01152879 |
The $MDSDIR/scripts/mds_backup script fails with errors:
mds_backup> Deleting temporary Multi-Domain Server backup files
mds_backup> Backing-up the Multi-Domain Server failed
mds_backup> Cannot proceed with backup of the Multi-Domain Server
Refer to sk92925. |
01168879, 01169017, 01169018, 01169016, 01198268 |
The $MDSDIR/scripts/mds_backup script fails on clean Multi-Domain Security Management Server when there are no Domains configured at all with the following errors:
mds_backup> Making backup file "mds_backup_logs.tgz" for the variable information of Multi-Domain Server. /opt/CPmds-R75.40/system/shared/gtar: No match.
mds_backup> Deleting temporary Multi-Domain Server backup files
mds_backup> Backing-up the Multi-Domain Server failed.
mds_backup> Cannot proceed with backup of the Multi-Domain Server.
|
01145108, 01181226, 01145254 |
SmartView Tracker 'Management' log shows false positive "Administrator Login" failures (from MDS and from Domains):
Application: Unknown
Subject: Administrator Login
Operation: Log In
Status: Failure
Type: Log
General Information: Administrator failed to log in: No SIC error message
|
01100783, 01137798 |
After deleting domains, the Multi-Domain Security Management Server might be down due to removal of the virtual interfaces. In such a case, run mdsstop and mdsstart to continue working with the Multi-Domain Security Management Server. |
01110334 |
Multi-Domain Security Management server database is corrupted after rolling back from R75.46 to R75.45 with activated Security Gateway 80 R75.20 plug-in. |
VSX |
01117516, 01120769, 01132780, 01324014, 01381952 |
Creation of a VSX cluster object on Crossbeam chassis fails with the following error in SmartDashboard:
Error: VSX default gateway definition is different on Name_of_Member_A (IP_Address_of_Member_A) and Name_of_Member_B (IP_Address_of_Member_B).
Refer to sk102095. |
01146497, 01146576, 01146671, 01146827, 01146672, 01146673, 01184524, 01180177 |
Virtual System is not able to start when using Domain objects in security rules on R75.40VS in VSX mode. Refer to sk93346. |
01105823 |
A Virtual System cannot have two identical routes with different prefixes. |
01104705 |
SmartDashboard lets you configure IPv6 addresses, when IPv6 is disabled on the VSX Gateway. These IPv6 addresses are not deployed until IPv6 is enabled and the VSX gateway is rebooted. |
01134308 |
VSX Memory Resource Control (fw vsx mstat) supports only IPv4. If there are IPv6 connections, the memory statistics will not be accurate. |
01104511 |
After you convert from a Security Gateway cluster to a VSX cluster, you must remove the zero IPv6 address (::) from the Sync interface (refer to sk92819):
- Close all SmartConsole windows (SmartDashboard, SmartView Tracker, etc.).
- Connect to Security Management Server / Main Domain Management Server (where VSX cluster object was created) with GuiDBedit Tool.
- In the left upper pane, go to 'Table' - 'Network Objects' - 'network_objects'.
- In the right upper pane, select the relevant VSX Cluster object.
- In the lower pane, go to interfaces container.
- Find the Sync interface, and remove the zero IP address ('::'):
  - right-click on the ipaddr6 field - 'Edit...' - remove the :: - click on 'OK'
  - right-click on the netmask6 field - 'Edit...' - remove the :: - click on 'OK'
- In the left upper pane, go to 'Table' - 'Other' - 'vs_slot_objects'.
- In the right upper pane, select the relevant VSX Cluster object.
- In the lower pane, go to interfaces container.
- Find the Sync interface, and remove the zero IP address ('::'):
  - right-click on the ipaddr6 field - 'Edit...' - remove the :: - click on 'OK'
  - right-click on the netmask6 field - 'Edit...' - remove the :: - click on 'OK'
- Save the changes: go to 'File' menu - 'Save All'.
- Close the GuiDBedit Tool.
- Connect to Security Management Server / Main Domain Management Server (where VSX cluster object was created) with SmartDashboard.
- Open the VSX Cluster object - go to 'Topology' pane - the Sync interface should not show any values in the 'IPv6 Address' section.
- Click on 'OK' to push the configuration to VSX cluster members.
- Install the policy onto the VSX Cluster object.
|
01097619, 01134317 |
To work in IPv6-only mode, you must reboot the gateway after you delete IPv4 addresses, and before you create a VSX object in SmartDashboard. |
01098222 |
Removal of Management IP address is not supported. |
01101915, 01182619, 01108646, 01108647, 01192776, 01235365, 01344402, 01490514 |
FWK process on VSX Gateway might crash when SMTP traffic is passing through Virtual System. Refer to sk104013.
|
01195038, 01196676, 01198370, 01199430, 01204286, 01205296, 01320100, 01342308, 01344696, 01345255, 01348868, 01409097, 01409992, 01417436, 01419593, 01424293, 01433184, 01438929, 01445926, 01446314, 01495356 |
Client Authentication on VSX machine stops working after some time. Refer to sk97474. |
Mobile Access |
01155740, 01155759, 01164313, 01155749 |
DoS on Citrix applications via Mobile Access Blade:
- User connects to Citrix application and downloads the .ica file, however, the SOCKS connection does not begin.
- When user signs out of the Mobile Access Portal, the Security Gateway releases the Citrix session and inserts an invalid value to the list of available IDs.
- As a result:
  - Memory consumption increases on Security Gateway (because the ID queue has static size).
  - After a while, a user requests an ID, receives an invalid ID, and is not able to connect.
|
01158403, 01153964, 01151357 |
iPhone Mobile Access client unable to connect to R76 Mobile Access gateway. |
01101822 |
If the Mobile Access Software Blade is enabled on a gateway that uses Optimized Drops feature (refer to sk90861), the drop feature will not function. Drop Templates will not be offloaded on run time. |
01154403, 01170849 |
When uploading a file from the browser to the Security Gateway via HTTPS, this file is temporarily stored in /tmp directory. The root partition is the smallest partition on the Security Gateway and therefore upload fails. |
01145098, 01147903, 01147948, 01148034, 01148539, 01154843, 01188776, 01203816, 01210646, 01218200, 01322681, 01344909, 01372031 |
When connecting from Client to Server using Mobile Access, there can be connectivity issues if the source port is re-used during the establishment timeout (the default is 1 hour). Refer to sk102096. |
URL Filtering |
01166592, 01166726, 01166727, 01166728, 01187633, 01202083, 01202306, 01260097, 01382098 |
Security Gateway crashes randomly if the URL Filtering blade is enabled. |
SmartWorkflow |
01168149, 01168241 |
SmartWorkflow reports show incorrect date. |
SmartEndpoint |
01105547 |
In Management HA deployment, SmartEndpoint cannot connect to the Backup Management Server in Read Only mode. |
Multi-Portal |
01104997, 01109975, 01109976, 01109977, 01174943 |
ICMP packets are dropped by Multi-Portal implied rule with "Reason: Rulebase drop - rule 0 ;" log. |
IPv6 |
01118972, 01138496 |
Site-to-Site IPSec VPN is not supported for Star Communities. |
Policy Server |
01094096, 01094287 |
The 'dtls' process crashes frequently.
|
SNMP |
00263474, 01323569, 01351241, 01365427, 01365428, 01397921, 01408801, 01494582, 01550565, 01605897 |
"No Such Object" error when querying SNMP OID 1.3.6.1.2.1.68.1.3.1.3 (vrrpOperState) on VRRP cluster running Gaia OS. Refer to sk100428.
|
01155774, 01197598, 01157574 |
MIB Browser (e.g., HP OpenView) reports duplicate object in R75.40VS and R76 Check Point MIB files and stops loading the MIB file: Duplicate Object label 'fwEvent'. Refer to sk92825. |