Check Point R77 Resolved Issues
Solution

This article lists all of the issues that have been resolved in R77.


Table of Contents

  • Firewall
  • Security Management Server
  • ClusterXL
  • VPN
  • Gaia / SecurePlatform
  • Gaia Dynamic Routing
  • SmartDashboard
  • SmartEvent
  • SmartReporter
  • SmartView Monitor
  • SmartProvisioning
  • SmartLog
  • IPS
  • DLP
  • Identity Awareness
  • UserCheck
  • Multi-Domain Security Management Server
  • VSX
  • Mobile Access
  • URL Filtering
  • SmartWorkflow
  • SmartEndpoint
  • Multi-Portal
  • IPv6
  • Policy Server
  • SNMP

 

ID Symptoms
Firewall
01069394,
01138565,
01083594,
01083595,
01138563,
01131371,
01138561
TCP traffic with ECN-setup SYN packets is dropped without logs.
Refer to sk87880.
01107522,
01212804,
01181681,
01110298,
01203533,
01108362,
01125662,
01108361,
01136846
After enabling Application Control and URL Filtering Blades on an IPSO cluster, logging stops after every 4-6 policy installations.
01118812,
01184197,
01119847,
01119848,
01119846
DCE-RPC high port is not opened by the service 'ALL_DCE_RPC' and all traffic on it is dropped.
Important Note: If a Security Management Server R77 manages a Security Gateway lower than R77, the relevant improved DEF files must be copied on the Security Management Server, from the $FWDIR/lib/ directory to the corresponding Compatibility directory.
Refer to sk42402.
01134342,
01136030,
01134496,
01134494,
01134605,
01134495
The same web site cannot be accessed on more than one destination port when the Security Gateway is configured as a Non-Transparent Proxy.
01151082,
01153053,
01159408,
01160250,
01167104,
01168779,
01184203,
01186047,
01195459,
01200358,
01202398,
01219191,
01219436,
01219503,
01219504,
01254637,
01269927,
01273735,
01340126,
01341617,
01460273
Security Gateway randomly reboots when IPS Blade or SecureXL is enabled.
Refer to sk93308.
01119817,
01122449,
01122448,
01122450,
01180657
"psl_get_tmpl_opaque_ref: tmpl_data is NULL" message is printed repeatedly in /var/log/messages file.
01165022,
01162580
DNS proxy query fails due to inconsistency of table key.
01088236,
01132709,
01132707,
01184216,
01132708
TLS traffic (Server Hello) is dropped when using only the 'ssl_v3' service.
00733220 Upgrade on a Solaris platform completes with error. If you deployed a Security Gateway 80 with the IPS blade enabled, update the IPS database on these appliances. Otherwise you can safely ignore this error.
Security Management Server
01160180,
01160430
Problem converting all log files to ASCII.
01101916,
01102870,
01102871,
01153302;
01089633,
01147132,
01094201,
01140696;
01165592,
01173795,
01176793,
01176794,
01176791
'fwm logexport' command fails with "Error: Failed to read field FollowUp" after enabling Anti-Virus / Anti-Bot blades.
Refer to sk91620.
01182073,
01183046,
01183147,
01189688,
01182696,
01182694
After checking the box of 'Endpoint Policy Management' product in the Security Management Server object and performing 'Install Database' operation, the FWM daemon immediately starts consuming the CPU at 100% on Security Management Server.
Refer to sk93356.
01140137,
01140521,
01140522,
01188671,
01190507,
01190599
Policy installation fails when Unnumbered VTI interfaces are configured on ClusterXL members, with errors:
"/opt/CPsuite-RXX/fw1/conf/Policy_Name.pf", line N: ERROR: Duplicate keys  in table 'cluster_members_ids_by_ips'
"/opt/CPsuite-RXX/fw1/conf/Policy_Name.pf", line N: ERROR: Duplicate keys  in table 'cluster_members_ips_by_local_ip'
01139654,
01154083,
01154082,
01154081
Management HA status is not changed after modifying VPN configuration files '$FWDIR/conf/vpn_route.conf' and '$FWDIR/conf/vpn_service_based_routing.conf'.
01139848,
01147896,
01147897,
01147898,
01172770,
01178697
"Administrator failed to log in: No SIC error message" error in SmartView Tracker for "Unknown" type Application log when working with Tufin Admin Login.
Refer to sk92749.
01153285,
01153436,
01153437,
01155414,
01383398
Rulebase of Backward Compatible gateways gets the IPv6 address with mask 0 (i.e., all IP addresses), which causes the Backward Compatible gateway cell to be set as "Any" in the rule.
00871249,
00897790,
00937707,
00871307,
01087345,
01069328,
01087308,
00886432,
01087344
When using an ActiveSync app on an Android phone or an iPhone, multiple sessions could be established for each user. As a result, available licenses are exhausted on Security Gateway, which causes sporadic updates to e-mail and random losses of connectivity.
Refer to sk68120.
ClusterXL
01173615,
00264391,
00264387,
00264365,
01189061,
01179741
ClusterXL NAT for DHCP Relay traffic fails in ClusterXL High Availability mode on Gaia OS.
Refer to sk97642.
01174253,
01175165,
01175166,
01175167,
01177475,
01187610,
01198641,
01202117,
01209940,
01248754,
01352098,
01363848
No traffic passes through ClusterXL in High Availability mode when proxy is enabled.
Refer to sk93247.
01135889,
00263828,
01137491,
01139528,
01137492,
01189083
Standby member changes its state to 'Down' when iBGP with 'local-address' is configured on ClusterXL.
Refer to sk93591.
00864792 The 'fw ctl pstat' command shows 'Sync: off' when IPv6 is enabled. To see Sync status with IPv6 enabled, run 'fw ctl pstat -v 4'.
Refer to sk78220.
01103880 In SmartDashboard, in the object of VRRP cluster, when you clear the box "Hide Cluster Members' outgoing traffic behind the Cluster's IP address", and later change the cluster object to ClusterXL High Availability / Load Sharing mode, the 'Hide' configuration is still applied to the traffic.
00527195 'ping6' command for a ClusterXL Virtual IPv6 address is not supported. In such a case, ClusterXL will not reply to ICMPv6 Echo Requests on the Virtual IPv6 addresses.
00263881,
00265438,
00266409,
01166695,
01171767,
01238182,
01258620,
01345863
Interface is not removed from /proc/net/ip_mr_vif after the interface, on which PIM is enabled, goes down.
VPN
01079390 A main IPv6 address must be configured for all Security Gateways with IPv6 addresses participating in IPSec VPN or Mobile Access. Note that the main address should correspond to the external IPv6 address of the Security Gateway. Similarly, a main IPv4 address should be configured for all Security Gateways with IPv4 addresses.
01099734,
01155802,
01138487
VPN route-based link selection does not work on Gaia OS, if a route has two associated Security Gateways with the same priority. The Security Gateways must have different priorities.
01069848,
01138490
When configuring IPv6 VPN Site-to-Site, you must reduce MTU of interfaces directly connected to the Security Gateway in IPv6 networks that are part of the encryption domain.
(This release fixes the issue described in sk90721).
01140164,
01138670,
01142565,
01142566,
01147454,
01363992
After installation of / upgrade to R76, users are unable to establish connection with L2TP.
Refer to sk92707.
01084620,
01138494
When passing VPN traffic between IPv6-only gateways, the overview graphs in the VPN tab in the SmartDashboard are not updated.
01162811,
01163747,
01186768
VPND daemon crashes when using vpn shell commands.
01178460,
01182611,
01182612
Traffic does not pass via the VPN tunnel after upgrade to R76.
(This release fixes the issue described in sk93380).
01171006,
01171014,
01171581,
01171632,
01207513,
01207515,
01239833,
01469038
Check Point Mobile VPN does not accept partial certificates issued by 3rd party.
Refer to sk89800.
01108722,
01163520,
01163521,
01163522,
01179033
When connecting two L2TP Windows-based clients, located behind NAT, one of them is disconnected.
01126097,
01127533,
01150189,
01127532,
01176662;
00769690,
00771821,
00846644
CPSB-SSLVPN-5000 license does not allow Check Point Mobile for Windows to connect.
Refer to sk92503.
01053808,
01060762,
01121784,
01121785,
01162145,
01183430,
01060763
VPN tunnel on Security Gateway 80 does not come up after rebooting Security Gateway 80 because VPN Peer Security Gateway does not recognize the Security Gateway 80's certificate correctly.
Refer to Scenario 2 in sk114834.
01153728,
01153934,
01175189,
01348020
VPND daemon on Virtual System constantly crashes after enabling Anti-Bot / Anti-Virus blade on Virtual System.
Refer to sk98283.
Gaia / SecurePlatform
01169944,
01171054,
01171055,
01171056,
01171057
Gaia Portal hangs in loading status when entering static routes in batch mode ('Network Management' pane - 'IPv4 Static Routes' - click on 'Add Multiple Static Route').
01131536,
01132024,
01132025,
01132026,
01217927
Gaia Database is locked after running 'mds_backup -g -b -L best -d /var/tmp' command. Refer to sk95388.
01109670 SmartEvent client cannot connect to Windows Server after downgrading to R75.40.
Refer to sk92222.
01090426 In Gaia First Time Wizard, if reboot is needed, but you do not click 'OK' immediately, the session can end without a reboot. The Gaia-based machine will not function correctly until it is rebooted.
01100863 Import of a snapshot image in Gaia Portal fails when working in Internet Explorer 8 browser.
01049568 PPPoE username with leading "0" (zero) is not saved correctly on Gaia OS.
Refer to sk86400.
00875213 TACACS+ authentication is not supported on the Gaia OS. The commands and Gaia Portal options are available (for future use), but should not be used.
01170384,
01171099,
01184599,
01207506,
01171098
"CLINFR0819 User: admin denied access via CLI" error when trying to log in via CLI after upgrading from R75.40 SecurePlatform to R76 Gaia.
Refer to Scenario 10 in sk103397.
01166969,
01168228,
01167082,
01167083,
01185640
When running 'show backup-scheduled Backup_File_Name' command, Clish crashes with:
*** glibc detected *** 
Backtrace:
/lib/libc.so.6(cfree+...)
/usr/lib/libcli.so(freeStringArr+...)
/usr/lib/cli/lib/libcli_backup.so
/usr/lib/cli/lib/libcli_backup.so(sched_backup_show+...)
Refer to sk113266.
01109279 Upgrade from SecurePlatform to Gaia fails in rare cases because of insufficient disk space in the /sysimg volume. The error message shows "Disk Space Error /var/log/CPupgrade.elg".
00942327,
01224452,
01224455,
01221978,
01199049,
01224454,
01200848,
01215728,
01224451
Memory usage constantly increases on Security Gateway running on Gaia OS.
Refer to sk95128.
01136738,
01165029,
01159441
RouteD daemon crashes several minutes after shutting down an interface on the Active ClusterXL member. Refer to sk95231.
00900327, 00413960 Interface cannot be disabled in SecurePlatform WebUI.
01141581,
01144586,
01144587
Installation of Gaia R76 on an HP ProLiant DL385 G6 fails with: "installation failed missing HD".
Gaia Dynamic Routing
01183634,
01183320
In Gaia Advanced VRRP, two interfaces cannot be created for the same VRID.
SmartDashboard
01182539,
01173995
Cannot import XML license file for Security Gateway 80.
01180435,
01180444
Policy verification fails from SmartDashboard when the Security Management Server is installed on Windows OS.
01133149,
01173289,
01133695,
01163385,
01133694,
01136114,
01133696,
01136039
SmartDashboard crashes when editing a Group Object or an Address Range Object that was just cloned.
Refer to sk92632.
01124725, 01132295, 01132296, 01132297 In some conditions the Edge status shows 'OK' on the 'Devices' menu although it is not connected.
SmartEvent
01131360,
01131362,
01133707,
01134338,
01138336,
01138342,
01138349,
01381518,
01408044
After performing 'Install Database' operation from Security Management Server that has a lower version (e.g., R75.40) than the SmartEvent server (e.g., R75.45/R75.46/R76), login in SmartEvent GUI client fails with "Unable to get idle-time workstation locking policy" error.
Refer to sk111293 (Scenario 3).
01137445,
01166198,
01166199,
01166200
SmartEvent is not able to process new events once the maximum capacity is reached (limit of the database size).
01139635,
01144955,
01186353,
01144954
The 'cpstat cpsead' command is unable to display more than 100 jobs.
01140790, 01170278, 01170276, 01170275, 01170277 'DDoS Protector' event is missing in SmartEvent ('Policy' tab - 'Event policy') after importing the database from R75.40 installation using 'migrate import'.
SmartReporter
01092002,
01118709,
01103212,
01103211,
01186301
SmartReporter 'Firewall Blade - Activity' reports show incorrect 'Traffic Size' information when the results are sorted by 'Bytes'.
Refer to sk92485.
01162270,
01166093,
01187413,
01164514,
01166799,
01164515,
01164516
SmartReporter is not able to generate a report in PDF format.
SmartView Monitor
01099996,
01100674,
01100673,
01187498
Colors on line graph do not match the colors at the bottom list.
01173534,
01174128,
01187483,
01175643,
01174129
'FireWall' or 'FireWall History' reports saved as CSV or as Text either contain wrong data, or an error "Encountered an improper argument" appears.
Refer to sk93045.
00889402 In a Full High Availability deployment, the connected client list is empty. So SmartView Monitor cannot be used to disconnect clients of the cluster members.
01173204, 01384323 SmartView Monitor shows "Attention" in the "Status" column for one of the cluster members.
Refer to sk108513.
SmartProvisioning
01136716,
01137539,
01137537,
01137538
When using the "Push dynamic objects" option in the SmartProvisioning GUI, the Security Gateway becomes unresponsive to new connections/traffic.
SmartLog
01163468,
01163451
Edge gateway missing from SmartLog filter by origin drop-down list.
01134295,
01139597,
01138530,
01138718
SmartLog server does not function correctly when different gateways perform a simultaneous log switch.
IPS
01126852,
01179166,
01133747,
01168710,
01129727,
01133346,
01161956,
01129735,
01130216,
01136950,
01188665,
01140798,
01129728,
01131964,
01139076,
01171814,
01176147,
01182052,
01140425,
01132542,
01132675,
01129726,
01136428,
01182105
Traffic rate through the Security Gateway decreases significantly when any IPS profile other than 'Default_Protection' is assigned.

Refer to sk92527.
01067683,
01069230,
01180645,
01069528,
01069529
SmartView Tracker shows false positive IPS logs "TCP Out of Sequence" for Microsoft Keep Alive Packets.

Important Note: To disable the false positive IPS logs when a Keep Alive packet is recognized, set the value of psl_disable_keepalive_logs kernel parameter to 1 (one).
01140621,
01140826,
01158344,
01166722,
01168854,
01144699,
01145008,
01186416,
01155842,
01181758,
01152515
Citrix traffic is dropped by IPS with log 'Citrix Enforcement Violation' when Security Gateway is running Gaia OS with 64-bit kernel.
Refer to sk92720.
DLP
01163763,
01163761,
01171601
Emails are getting stuck in Exchange server queue.
Refer to sk93377.
01172379 Reply by e-mail does not work when using iPhone/iPad.
01165147,
01168375,
01168372,
01169344,
01173135
Data type is not recognized when sending e-mail using OWA 2007 or BlackBerry when the forbidden words are at the end of the e-mail body.
Identity Awareness
01085734,
01187992,
01105582,
01105583,
01186792,
01149413
Users connecting to Internet with web browser that does not support Kerberos SSO will now automatically be redirected to the Captive portal after 1 second.
01096077,
01102564,
01172630
Identity Awareness Multi User Host Agent might fail to connect to the Identity Awareness gateway when a local user is connected to the host machine.
01110658,
01114894,
01115460,
01118660,
01118661,
01171088
Preliminary AD Query sessions are not destroyed, causing high CPU and memory usage.
01179534 AD Query permissions script from sk43874 might produce error messages when running in Preview mode:
  • Failed to read configuration for log wevtutil el. The specified channel could not be found. Check channel configuration.
  • Required argument(s) is/are not specified. The parameter is incorrect.
Refer to sk93330.
01120887,
01151005,
01182310,
01122006,
01166831,
01123051,
01122007
In an Identity Awareness environment with identity sharing, identities created by a local gateway that are on the same 32/28 network as identities created by a remote gateway might be lost on rare occasions.
01176746,
01177366,
01180208,
01184550
SmartView Monitor shows incorrect messages and severities regarding PDP disconnections from PEP.
01177336,
01253559,
01321334,
01323461,
01189819,
01184402,
01229810
PDPD process crashes under traffic load.
Refer to sk97884.
UserCheck
01167072,
01167075,
01173056
When UserCheck is enabled, e-mails get stuck in the fwdlp process and are not released.
Refer to sk93376.
Multi-Domain Security Management Server
01160184,
01160217
Problem with soft links and directory structures in Provider-1 after upgrade when the $MDSDIR/conf/SMC_Files/SmartConsole/SmartConsole directory exists.
01159205,
01160435,
01160436,
01152879
The $MDSDIR/scripts/mds_backup script fails with errors:
mds_backup> Deleting temporary Multi-Domain Server backup files
mds_backup> Backing-up the Multi-Domain Server failed
mds_backup> Cannot proceed with backup of the Multi-Domain Server
Refer to sk92925.
01168879,
01169017,
01169018,
01169016,
01198268
The $MDSDIR/scripts/mds_backup script fails on clean Multi-Domain Security Management Server when there are no Domains configured at all with the following errors:
mds_backup> Making backup file "mds_backup_logs.tgz" for the variable information of Multi-Domain Server.  /opt/CPmds-R75.40/system/shared/gtar: No match. 
mds_backup> Deleting temporary Multi-Domain Server backup files
mds_backup> Backing-up the Multi-Domain Server failed.
mds_backup> Cannot proceed with backup of the Multi-Domain Server.
01145108,
01181226,
01145254
SmartView Tracker 'Management' log shows false positive "Administrator Login" failures (from MDS and from Domains):
Application: Unknown
Subject: Administrator Login
Operation: Log In
Status: Failure
Type: Log
General Information: Administrator failed to log in: No SIC error message
01100783,
01137798
After deleting domains, the Multi-Domain Security Management Server might be down due to removal of the virtual interfaces. In such a case, run mdsstop and mdsstart to continue working with the Multi-Domain Security Management Server.
01110334 Multi-Domain Security Management server database is corrupted after rolling back from R75.46 to R75.45 with activated Security Gateway 80 R75.20 plug-in.
VSX
01117516,
01120769,
01132780,
01324014,
01381952

Creation of a VSX cluster object on Crossbeam chassis fails with the following error in SmartDashboard:

Error: VSX default gateway definition is different on Name_of_Member_A (IP_Address_of_Member_A) and Name_of_Member_B (IP_Address_of_Member_B).

Refer to sk102095.
01146497,
01146576,
01146671,
01146827,
01146672,
01146673,
01184524,
01180177
Virtual System is not able to start when using Domain objects in security rules on R75.40VS in VSX mode.
Refer to sk93346.
01105823 A Virtual System cannot have two identical routes with different prefixes.
01104705 SmartDashboard lets you configure IPv6 addresses, when IPv6 is disabled on the VSX Gateway. These IPv6 addresses are not deployed until IPv6 is enabled and the VSX gateway is rebooted.
01134308 VSX Memory Resource Control (fw vsx mstat) supports only IPv4. If there are IPv6 connections the memory statistics will not be accurate.
01104511 After you convert from a Security Gateway cluster to a VSX cluster, you must remove the zero IPv6 address (::) from the Sync interface (refer to sk92819):
  1. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, etc.).
  2. Connect to Security Management Server / Main Domain Management Server (where VSX cluster object was created) with GuiDBedit Tool.
  3. In the left upper pane, go to 'Table' - 'Network Objects' - 'network_objects'.
  4. In the right upper pane, select the relevant VSX Cluster object.
  5. In the lower pane, go to interfaces container.
  6. Find the Sync interface, and remove the zero IP address ('::'):
    • right-click on the ipaddr6 field - 'Edit...' - remove the :: - click on 'OK'
    • right-click on the netmask6 field - 'Edit...' - remove the :: - click on 'OK'
  7. In the left upper pane, go to 'Table' - 'Other' - 'vs_slot_objects'.
  8. In the right upper pane, select the relevant VSX Cluster object.
  9. In the lower pane, go to interfaces container.
  10. Find the Sync interface, and remove the zero IP address ('::'):
    • right-click on the ipaddr6 field - 'Edit...' - remove the :: - click on 'OK'
    • right-click on the netmask6 field - 'Edit...' - remove the :: - click on 'OK'
  11. Save the changes: go to 'File' menu - 'Save All'.
  12. Close the GuiDBedit Tool.
  13. Connect to Security Management Server / Main Domain Management Server (where VSX cluster object was created) with SmartDashboard.
  14. Open the VSX Cluster object - go to 'Topology' pane - the Sync interface should not show any values in the 'IPv6 Address' section.
  15. Click on 'OK' to push the configuration to VSX cluster members.
  16. Install the policy onto the VSX Cluster object.
01097619,
01134317
To work in IPv6-only mode, you must reboot the gateway after you delete IPv4 addresses, and before you create a VSX object in SmartDashboard.
01098222 Removal of Management IP address is not supported.
01101915,
01182619,
01108646,
01108647,
01192776,
01235365,
01344402,
01490514
FWK process on VSX Gateway might crash when SMTP traffic is passing through Virtual System.
Refer to sk104013.
01195038,
01196676,
01198370,
01199430,
01204286,
01205296,
01320100,
01342308,
01344696,
01345255,
01348868,
01409097,
01409992,
01417436,
01419593,
01424293,
01433184,
01438929,
01445926,
01446314,
01495356
Client Authentication on VSX machine stops working after some time.
Refer to sk97474.
Mobile Access
01155740,
01155759,
01164313,
01155749
DoS on Citrix applications via Mobile Access Blade:
  • User connects to Citrix application and downloads the .ica file, however, the SOCKS connection does not begin.
  • When user signs out of the Mobile Access Portal, the Security Gateway releases the Citrix session and inserts an invalid value to the list of available IDs.
  • As a result:
    • Memory consumption increases on Security Gateway (because the ID queue has static size).
    • After a while, a user requests an ID, receives an invalid ID, and is not able to connect.
01158403,
01153964,
01151357
iPhone Mobile Access client unable to connect to R76 Mobile Access gateway.
01101822 If the Mobile Access Software Blade is enabled on a gateway that uses Optimized Drops feature (refer to sk90861), the drop feature will not function. Drop Templates will not be offloaded on run time.
01154403,
01170849
When uploading a file from the browser to the Security Gateway via HTTPS, the file is temporarily stored in the /tmp directory. The root partition is the smallest partition on the Security Gateway and therefore the upload fails.
01145098,
01147903,
01147948,
01148034,
01148539,
01154843,
01188776,
01203816,
01210646,
01218200,
01322681,
01344909,
01372031
When connecting from Client to Server using Mobile Access, there can be connectivity issues if the source port is re-used during the establishment timeout (the default is 1 hour).
Refer to sk102096.
URL Filtering
01166592,
01166726,
01166727,
01166728,
01187633,
01202083,
01202306,
01260097,
01382098
Security Gateway crashes randomly if the URL Filtering blade is enabled.
SmartWorkflow
01168149,
01168241
SmartWorkflow reports show incorrect date.
SmartEndpoint
01105547 In Management HA deployment, SmartEndpoint cannot connect to the Backup Management Server in Read Only mode.
Multi-Portal
01104997,
01109975,
01109976,
01109977,
01174943
ICMP packets are dropped by Multi-Portal implied rule with "Reason: Rulebase drop - rule 0;" log.
IPv6
01118972,
01138496
Site-to-Site IPSec VPN is not supported for Star Communities.
Policy Server
01094096,
01094287
The 'dtls' process crashes frequently.
SNMP
00263474, 01323569, 01351241, 01365427, 01365428, 01397921, 01408801, 01494582, 01550565, 01605897 "No Such Object" error when querying SNMP OID 1.3.6.1.2.1.68.1.3.1.3 (vrrpOperState) on VRRP cluster running Gaia OS.
Refer to sk100428.
01155774, 01197598, 01157574 MIB Browser (e.g., HP OpenView) reports duplicate object in R75.40VS and R76 Check Point MIB files and stops loading the MIB file:
Duplicate Object label 'fwEvent'
Refer to sk92825.
