Support Center > Search Results > SecureKnowledge Details
Check Point R77 Known Limitations
Solution

This article lists all of the R77 - specific known limitations.

This is a live document that may be updated without special notice. We recommend registering to our weekly updates in order to stay up to date. To register go to UserCenter > ASSETS / INFO > My Subscriptions.

 

Important notes:

 

Table of Contents

  • Upgrade
  • Firewall
  • VPN
  • Performance Tuning
  • SmartConsole
  • Endpoint Security Management
    • Endpoint Security Server Upgrades
    • Initial Security Analysis Client
    • Active Directory Integration
    • SmartEndpoint
    • Cooperative Enforcement
  • Endpoint Security Client for Windows
    • General
    • Endpoint Security Client Upgrades
    • Full Disk Encryption
    • Media Encryption & Port Protection
    • Anti-Malware
    • Firewall
    • Remote Access VPN
    • Endpoint Security Application Control
    • Push Operations
    • Client User Interface
  • Endpoint Security Client for Mac
    • General
    • Full Disk Encryption
  • DLP
  • Identity Awareness
  • Anti-Malware
  • Application Control
  • Anti-Virus
  • SecurePlatform
  • Gaia
  • Gaia Central Device Management
  • Gaia Automatic Software Updates
  • ClusterXL
  • Threat Emulation
  • Mobile Access
  • Security Management
  • Multi-Domain Security Management
  • Security Gateway
  • Security Gateway Virtual Edition
  • VSX
  • SecureXL
  • SmartProvisioning
  • SmartLog
  • QoS
  • User Authority
  • Compliance Blade
  • SNMP
  • SmartEvent
  • CPInfo
  • SmartView Tracker
  • Dynamic Routing
  • IPS

 

ID Symptoms Integrated In
Upgrade
-

Upgrade of Security Management Server / Multi-Domain Security Management Server from R75.47 to R77 is fully supported.

Upgrade of Security Gateway from R75.47 to R77 is not supported (due to the fact that parts of R75.47 fixes are not included in R77).

Refer to sk94605.

-
Firewall
01274537,
01284439,
01306528,
01322112,
01335684
Connectivity issues might occur for connections that require Check Point Active Streaming (CPAS) processing and the connections also pass via device with an MTU lower than the external interface of the Security Gateway:
  • Multi-Portal (WebUI, User Check portal, DLP portal, Identity Awareness portal)
  • Mobile Access
  • Client Control Channel
  • VPN Visitor Mode
  • HTTPS inspection
  • IPS protection "Header Spoofing"
  • HTTP Proxy
  • VoIP
Refer to sk96124.
-
01306004,
01306263,
01306264,
01306265
Users are not able to connect with any client (Endpoint, SNX) to Multi-Portal after upgrade of Security Gateway to R77 that is connected over PPPoE.
Refer to sk97520.
R77.10
01313988,
01319105
Security Gateway may stop accepting new IPv4 connections when working with Dynamic Objects or with IPS protection 'Malicious IPs'.
Refer to sk97704.
R77.10
01321363,
01336243,
01360976,
01363927,
01364356,
01370330,
01373098,
01377079,
01401249,
01422203
/var/log/messages file on Gaia OS gateways repeatedly shows:
modprobe: FATAL: Could not open '/lib/modules/2.6.18-92cpx86_64/kernel/net/ipv6/ipv6.ko'.
Refer to sk95222.
-
01322060 Manual Client Authentication fails when working with browser and telnet on port 900 with "Cannot display a webpage" message in the browser. -
01375562,
01376256
Executing 'fw sam' command refreshes timeouts of all entries in the Connections Table.
Refer to sk99066.
R77.10
01386379,
01391750, 01392406
Syntax error during policy installation after upgrade to R77.
Refer to sk100197.
-
01399049,
01399192
"IPv6 is not compatible with Drop Templates. Please make sure that IPv6 is not enabled on Security Gateway" false warning is generated when installing Security policy.
Refer to sk100489.
-
VPN
01194485,
01194500
When SecureXL is enabled on an R76 Security Gateway, an IPv6 VPN tunnel between this gateway and an R77 Security Gateway cannot be established.
Refer to sk93772.
-
01298823,
01298884,
01298885,
01303180
Traffic does not pass over VPN tunnel after upgrade of Security Gateway to R76 or R77.
Refer to sk97499.
R77.10
01323359.
01323409
After upgrade to R77, traffic might not pass over Site to Site IPSec VPN, if IP Compression is enabled in the VPN community.
Refer to sk97861.
R77.10
01392722,
01392732
IKEv2 is not supported on DAIP gateways.
-
01400416,
01426321,
01427424,
01441931,
01442358
Traffic over VPN tunnel does not pass for several seconds during policy installation on Security Gateway (which causes traffic loss).
Refer to sk55244.
-
01424048,
01424181,
01466269
Memory leak in VPN code.
Refer to sk102267.
-
Performance Tuning
00264450 The Multi-Queue configuration page in the Gateway WebUI cannot be used for configuring Multi-Queue on SAM-enabled backplane interfaces. -
SmartConsole
01181036 After you detach a cluster member from a cluster object, while Central Device Management is enabled, the network services and routes of the detached cluster member object (which becomes a regular Gateway object) in SmartDashboard are not synchronized with the actual machine.
To resolve this issue:
  1. Go to 'Firewall' tab - click on 'Gateways' pane - right-click on the detached cluster member object.
  2. Select 'Maintenance' - click on 'Fetch Settings from Device'.
  3. Uncheck the box 'Calculate interfaces topology' - click 'Yes'.
  4. If the Gateway status was 'Local Change Detected', when the fetch operation completes, it changes to a different status, typically 'OK'.
-
01194017 When you select the 'Fetch Settings' option for a gateway in the 'Gateways' pane, do not open the gateway object until the fetch operation completes. If you open the gateway object before the fetch operation completes, the information shows incorrectly. -
01134403 In the Gateway's Properties window, changes made to interfaces, IPv4 or IPv6 routes, are applied immediately. Clicking Cancel will not prevent the changes from taking effect. -
01198265,
01197290
You must install VC9 redistributables before you install SmartConsole. Otherwise, SmartEndpoint will crash. -
01198120 In the SmartView Tracker - on 'Management' tab, when filtering on the 'Subject' column for 'Policy Installation', no results are shown if the policy was installed through an Endpoint Client.
Workaround: Filter the operation column to show policy installation logs.
R77.10
01204440 When editing a VSX object in SmartDashboard, click "OK" only once and then wait for the configuration process to complete. If you click "OK" more than once, or when the window shows the progress bar, the configuration process starts again, and SmartDashboard might crash. -
01262111,
01265541,
01265542,
01265543
In SmartvIew Tracker, usernames are not displayed correctly when switching from 'long usernames' to 'short usernames'.
Refer to sk95986.
R77.10
01312882,
01313567
Search-Field in Mobile Access policy does not work when connected in Read-Only mode. -
01343273,
01346262,
01346260
When selecting SmartDashboard - 'File' menu - 'Installed Policies' - select policy for a Virtual Router - 'View Policy', the operation fails with "View Installed Policy operation failed" error.
Refer to sk98275.
-
01342385,
01347612,
01347611
When changing placeholder's state (expanding, collapsing) only (without any DB changes), the changes are not saved.
Refer to sk98278.
-
01687346
SmartDashboard Help incorrectly shows "You can assign up to 8 instances on a Virtual System"
(SmartDashboard - Virtual System object - "CoreXL" pane - click on "?" button in the upper right corner).
The correct number is up to 10.
Endpoint Security Management
Endpoint Security Server Upgrades
01162444 After you upgrade an Endpoint Security Server to E80.50, you must install all policies before you upgrade Endpoint Security clients. -
01203454 Policies 35, 36, and 37 are used by the Full Disk Encryption blade and were previously used by Media Encryption & Port Protection. If a client upgrades to this version without Full Disk Encryption, and previously had Full Disk Encryption, or Media Encryption & Port Protection, these policies are not deleted. These policies try to sync with the Endpoint Security Server, but fail to do so. This leads to repeated attempts to synchronize. -
Initial Security Analysis Client
01119962 The link to download the Endpoint Security Initial Client from the Compliance Analysis Report does not work on Windows 64-bit computers.
Workaround: Use SmartEndpoint to manually download the Initial Client from the Endpoint Security Management.
-
Active Directory Integration
01071957,
01153531
If a member of a group was scanned by a different scanner instance than the group itself, it will not be part of this group in SmartEndpoint. -
01203339 When configuring ADScanner to work with SSL, enter the certificate that is defined using the keytool into all servers that the database will be imported to. This includes each secondary server or newly installed server. -
01212761 When you create a new Scanner Instance, you must include a port number in the Port field. -
SmartEndpoint
01170535 If you click "Preview" to see a message that you configured for users, the message only shows in English. When the message shows on Endpoint Security client computers, it will be in the language of the locale of the Endpoint Security client. -
Cooperative Enforcement
01028537 Security Gateways running with Cooperative Enforcement behave unpredictably when the Endpoint Security Management Server is down.

Therefore, when you shut down or restart an Endpoint Security Management Server that is part of a Cooperative Enforcement environment, first set the Security Gateways to run Cooperative Enforcement in Monitor Only mode.

After the Endpoint Security Management Server is up and running, disable the Monitor Only mode.
-
01181915 With Cooperative Enforcement, after the Endpoint Security Server is restarted, there is a grace period of 4 heartbeat intervals (configurable) in which connections from all clients are allowed by the Security Gateway. This includes clients whose connection were blocked before the restart. -
Endpoint Security Client for Windows
General
01213213 If a client computer connects to the Internet through a proxy, cpinfo will fail to upload the collected data. -
01220317 If you remove an Endpoint Security blade that was installed on clients, the policies are not deleted. You will have unnecessary policies saved in the storage, which causes extra synchronization with the server. -
00927816 Upgrading an Endpoint Security Client from E80.10 on a Windows 7 32-bit computer is not supported, if one or more of these blades is installed:
  • Media Encryption and Port Protection
  • Full Disk Encryption
  • WebCheck
-
01353748, 01248909, 01353748  Cannot install policy when using devices groups in peripheral device access configuration. Refer to sk95549 -
Endpoint Security Client Upgrades
01160298 Upgrade from ZoneAlarm Extreme Security version 11.0.000.504 to Endpoint Security Client is not supported.
Uninstall ZoneAlarm before you install Endpoint Security.
-
01092653 Before upgrading a client operating system from Windows 7 to Windows 8, you must uninstall the Endpoint Security client. After the operating system upgrade, install a new Endpoint Security client. -
01194566 Do not remove the Media Encryption & Port Protection blade while upgrading to E80.50. It will cause problems with the upgrade. After the upgrade is successfully deployed, you can remove the blade. -
Full Disk Encryption
01218072 Full Disk Encryption does not support being installed or upgraded on systems equipped with IntelĀ® Turbo Memory controller and running with Windows ReadyBoost enabled.
Refer to sk94784.
-
Media Encryption & Port Protection
01154280 In Windows Explorer, if you right-click on an archive file that is located on a removable device and click on Extract All, the action is blocked and an error is shown on the screen. To extract the archive file, open it and copy the files inside to the target location. -
01047401 In some situations, if you attempt to delete a file from a read-only external hard-drive, the action is blocked and two logs are generated in SmartLog:
  • One log says that the delete operation was allowed.
  • One log says that a write operation to the Recycle Bin was blocked.
-
01096095 Media Encryption & Port Protection does not support burning more than one CD/DVD at the same time. -
01149990 If you change the keyboard access policy from Block to Allow, you must reboot client computers to enable the keyboard. -
01162194 In clients on Windows XP, copying files to a non-business volume using applications other than 'Windows Explorer' is not supported. -
01176834 If a new Media Encryption & Port Protection policy is received by the client while it is encrypting a CD, the CD encryption fails. -
01149659 If you connect an external CD/DVD-ROM device that already has the encrypted media in it, the files burned on the CD/DVD are not visible through Windows Explorer. Eject the media and insert it again to see the encrypted files. -
01185885 To access information on a device that was encrypted in an R73 environment from an E80.50 client, users must have:

Permission to access encrypted storage without a password on a managed computer.
Or
The password for the device.

Media Encryption Remote Help for devices that were encrypted in an R73 environment can only work if the user has already accessed the device from a managed computer while it was connected to the Management Server.
-
01185040 In the Spanish version of the Endpoint Security Client, some of the Media Encryption messages might still appear in English. -
01202280 If you drag a file to a removable device while holding the right mouse button, and then select "Cancel" from the drop menu, the system will not allow additional copies to removable devices until the system is restarted. -
01202380,
01216688
You cannot format an "Business Data - Encrypted" drive with Windows - the format dialog does not open. -
01198569 If a device is inserted into a client computer before a user logs in to the Operating System, the device does not show in the SmartEndpoint Reporting tab. After a user logs in to the OS of the computer and inserts a device (the same device inserted previously or a different device), 2 records of device insertion show in the SmartEndpoint Reporting tab: one from before user log in and one from after user log in. -
01201453 If the policy defines the minimum percentage of media used for encrypted storage to be 100%, encrypting a removable device that is formatted as NTFS might fail. This setting is in the properties of "Allow offline access to encrypted storage devices". -
01181767 If the policy is "Encrypt Business Data" and the "Word" category is selected as a business files category, if you copy a ZIP file to the non-business drive, you are asked to encrypt the file. This is because .ODT files (OpenDocument Text document) have the same signature as ZIP files. -
01166369 If the policy is "Encrypt Business Data" and a user tries to copy a non-business file from a network location to the non-business drive, the user is asked to encrypt the file. This occurs even though it is a non-business file.
Workaround: First copy the files to the local computer and then copy them to the non-business drive.
-
00927136 If you use "Access to business data.exe" to open the encrypted container on an unmanaged machine, you cannot copy files from a network location to an encrypted container.
Workaround: First copy the files to the local computer and then copy them to the encrypted container.
-
01189778 In some situations, when a user clicks on "Remove Encryption" in the client UI, it does not work. If the user inserts the device again and then clicks on "Remove Encryption", the encryption is removed successfully. -
01161834 After you click on "Create Encrypted Storage", you can configure a password for offline use. You can leave the password field blank even if the policy defines a minimum password length. -
Anti-Malware
01246907 There is a compatibility issue between dump analysis with Visual Studio and the Anti-Malware blade. Do not deploy the Anti-Malware blade on computers that use Visual Studio for dump analysis.
You can Contact Check Point Support to get a fix for computers that require Visual Studio for dump analysis and the Anti-Malware blade.
-
01163467 After Endpoint Security Client installation and the first reboot, Anti-Malware immediately starts a full system scan, if it is configured in the policy. If a user tries to cancel the scan, it restarts immediately. After users let this scan complete, the next scan occurs at the scheduled time. -
01212645 If you configure trusted processes to be excluded from on-access scans (SmartEndpoint > 'Policy' tab > 'Anti-Malware' section > in 'Actions' column, edit the 'Scan all files upon access' > go to 'Process Exclusions' section - click on 'Add...'), you must enter the full path to the executable without wild cards. You can use environment variables. -
Firewall
01166534 If you want to manage the Endpoint Security Firewall policy from the Desktop Policy in SmartDashboard, you must add an explicit Firewall rule to allow ports used by the VPN client. Make sure to include TCP port 18264 (use predefined service 'FW1_ica_services'), which is used for certificate enrollment. -
01196921 If the Firewall Policy is taken from the Desktop Policy in SmartDashboard, make sure that users cannot disable Network Protection. In the Client Settings rule of the Policy, select Do not allow users to disable network protection on their computers. -
Remote Access VPN
01167203 When enrolling a certificate to replace the currently used certificate, which is invalid (expired/revoked), manually disconnect from the site prior to enrolling the certificate. Not doing so may result in connection failure with the old certificate. -
01523492,
01532228,
01525340
Even if proxy replacement disabled, when client connects with SDL, client does perform proxy replacement. See sk103733.  
Endpoint Security Application Control
00927399 If you disable the Application Control policy in SmartEndpoint, it is not disabled.
Workaround: Allow all applications.
-
Push Operations
01142237 If you push operations to a device and then Reset the device, you might get this error: Another administrator has changed an object that you are trying to change.
Discard the changes, refresh the data, and Reset the device again.
-
01193324 It is not recommended to push a Push Operation to more than 400 users in one operation.
It takes a very long time and clients might get a failure response from the server.
-
Client User Interface
01151330 If a user tries to delete a file from quarantine by marking a file in the list of infected items and clicking Delete, the item still shows in Client UI as quarantined. However, the file is deleted and attempts to restore this item through the Restore button will not succeed. -
Endpoint Security Client for Mac
General
01344855 If Sophos Anti-Virus v9.0.3 is installed, and the administrator creates a rule to check if Sophos Anti-Virus is always running, the Compliance blade fails to detect it and reports that it is not running.
-
01345542 If TrendMicro Titanium v3.0.1187 Anti-Virus is installed, and the administrator creates a rule that checks if TrendMicro Anti-Virus is always running, the Compliance blade does not detect it and reports that it is not running.
-
01345549 The Compliance blade does not recognize the McAfee Internet Security v3.1.0.0 update version in an Anti-malware Compliance rule to check McAfee Anti-Virus oldest DAT file time stamp.
-
01345555 If McAfee Internet Security v3.1.0.0 is installed, and the administrator creates an Antimalware Compliance rule to check if McAfee Anti-Virus is always running, the compliance blade fails to detect it and reports it as not running.
-
01345561 If Norton Anti-Virus v12 or Norton Internet Security v5 is installed, and the administrator creates a rule to check if Norton Anti-Virus is always running, the Compliance blade fails to detect it and reports that it is not running.
-
Full Disk Encryption
01209729 Do not use Full Disk Encryption with Pre-boot Protection only and no disk encryption. It is not secure. If you do install a client with Pre-boot Protection only and then uninstall it, the PPBE_BOOT2 partition remains on the disk. To remove it open the DiskUtility Application and delete the PPBE_BOOT2 partition. -
DLP
01178453 When upgrading to R77, the "Free Email Domains" object does not keep entries that the administrator manually added. -
01285178,
01285180
Some data types are not matched when posting text on facebook.com that contains violation.
Refer to sk96866.
R77.10
01290327,
01290478,
01290479,
01290480
In DLP tap mode, when a user sends an e-mail and the traffic is matched on a rule with a data type that is configured to send an e-mail to the owner, the e-mail arrives in a plain text format and the attached e-mail, which should contain the original e-mail, arrives empty.
Refer to sk97411.
-
Identity Awareness
01165562 When you upgrade a Full Identity Agent to R77, you must be run the installation program with administrator permissions. If you do not do this, an error message shows.
To install as an administrator, right-click on the installation executable, and select Run as administrator.
-
01274947,
01288905,
01288907,
01299437,
01342484
When 10 or more Identity Server "Server Configuration Rules" are defined (in the "Check Point Identity Agent - Distributed Configuration" window), the IP addresses displayed in the "Identity Server" column, do not match the configured IP addresses inside each rule (in the "Check Point Identity Agent - Identity Server Configuration" window).
Refer to sk98200.
R77.10
01301521,
01302787,
01302788,
01302789
Identity Awareness Multi-User Host (MUH) Agent might cause BSOD during uninstallation.
Possible workaround:
  1. Change the properties of the 'MADService' service - change the 'Startup type' to 'Manual' (Start - Run... - services.msc).
  2. Restart the machine.
  3. Uninstall the MUH Agent.
-
01323615,
01323845,
01323856,
01323859
Custom MSI package for Identity Awareness Multi-User Host Agent (Terminal Servers Identity Agent) requires to enter credentials during the installation, although it should contain pre-shared secret.
Refer to sk97879.
-
01336133,
01336588
Identity Awareness Agent fails to connect after a reboot on Windows XP SP3.

Workaround: Restart the 'MADService'.
-
01349619,
01351284,
01351285
PDP daemon crashes with core dump files after upgrading to R77.
Refer to sk98342.
-
01338036,
01354354,
01354355
Identity Agent crashes randomly.
Refer to sk98426.
-
01349850 When configuring the Microsoft NPS (Windows RADIUS Server) with RADIUS accounting, this causing the "RADIUS packets are not parsed correctly" error message by parsing Vendor-Specific attribute, where data was changed from one value to multiple values. -
01341104,
01368947,
01354356,
01354357
Roaming is not activated on Windows Vista and newer machines. -
01364961,
01373957;
01366849,
01372531
Identity Agent is disconnected from Security Gateway, and it takes a long time to reconnect.
Refer to sk99030.
-
01382233 Kerberos Authentication timeout for Browser-Based Authentication.
Refer to sk100168.
-
01549753,
01552370
Identity Agent causing zombie processes on Windows.
Refer to sk111761.
 
Anti-Malware
00927745 Windows Defender and Anti-Malware blade are not supported together. If enabling the Anti-Malware blade, disable the Windows Defender. -
01319816,
01320627,
01320628
Memory leak in CPD when working with Anti-Malware statistics. -
01361489,
01364092,
01365030,
01367220,
01369323,
01369833,
01371645
"Check Point Online Web Service failure.
Refer to sk74040 for more information.
" log appears repeatedly in SmartView Tracker when Anti-Virus or Anti-Bot or both are enabled.
Refer to sk98717.
-
Application Control
00781189 Dynamic Objects are not supported in Application Control rulebase. -
01382637,
01383002,
01410612
Application Control Blade does not block some TCP over DNS applications.
Refer to sk99044.
R77.20
Anti-Virus
- It is not supported to enable "Archive scanning" in Anti-Virus profile for traffic that is matched to a Security Rule with HTTP Resource.
Refer to sk101334.
-
01177207,
01177505,
01177506,
01177507,
01285044,
01336004,
01359073,
01373266
CPD process memory leak in Anti-Virus 'CPAV' code on Security Gateway.
Refer to sk93745 and to sk97327.
-
01285128,
01286167,
01286168,
01286169
CPD process memory leak in Anti-Virus 'FDT' code on Security Gateway.

Refer to sk97327.
R77.10
SecurePlatform
01267867,
01268435,
01268436,
01268437
Delay when logging in or exiting clish for a remote user when the default shell is /etc/cli.sh -
01278125,
01278320,
01278321,
01278322,
01288613,
01299581,
01360248,
01364152,
01364378,
01396512
'confd' process consumes CPU at 100% during hardware sensors data reading.
Refer to sk101079.
R77.10
01370049 SIC certificates are revoked on SecurePlatform gateway.
Refer to sk98729.
-
Gaia
01200972 When upgrading on IP Appliance from Gaia to R77 Gaia, if a snapshot is created before the upgrade, the upgrade fails - system loads with previous version.

Workaround:
  1. Create a snapshot before the upgrade to R77 using the Gaia "Image Management" mechanism.
  2. During the upgrade, type 'no' when asked if you want to create a snapshot image.
If the problem has already occurred:
  1. Follow the sk94205.
  2. Boot the new version after the upgrade.
R77.10
01235154,
01237767,
01265500,
01269871
On Check Point appliances running R75.47 or R77, after uploading a backup file in Gaia Portal ('Maintenance' pane - 'System Backup' - click on 'Import'), the uploaded file is not listed in the 'Backup' table, or in the output of Clish command 'show backups'. As a result, it is not possible to restore a backup file.
Refer to sk96828.
-
01225245,
01295293,
01295294,
01295295
On R77 Gaia, TACACS+ user is kicked out of shell or console on logging attempt. -
01364855,
01365145,
01365146,
01372380,
01374186,
01375344,
01379853,
01393166,
01394331,
01412840,
01418719,
01450060,
01473986
After reboot of Gaia OS, some interfaces are named as 'ethX_rename'.
Refer to sk97446.
R77.20
01322077,
01322763,
01322765,
01322766,
01440852
When using 'aspath-prepend-count' in routemap for BGP, the prepend count is not exported to the BGP peer.
Refer to sk101789.
R77.20
01346327,
01346375,
01346679,
01346680,
01350141,
01372665,
01372988,
01378331,
01381375,
01381376,
01381377
Gaia OS configured as NTP client responds to NTP queries from hosts.
Refer to sk98287.
-
01351038,
01351124,
01351126
Clishd daemon crashes with core dump file.
Refer to sk98329.
-
01349246,
01349371,
01349373
Core dump files are not compressed on Gaia OS after upgrading from SecurePlatform OS.
Refer to sk98341.
-
01406917, 01407062 State of VLAN interface that was created on Bond interface and was administratively set to "Down", is changed to "Up" after adding a comment on the Bond interface.
Refer to sk100788.
R77.30
01414168,
01414888,
01416219
"Fetch Settings From Device: getStaticRoutes - no nextop type found for key X.X.X.X/Y" error in SmartDashboard after adding static routes on a Security Gateway in Gaia Portal.
Refer to sk100611.
-
01448058 Clish crashes with 'Segmentation fault' when running 'show configuration user' command.
Refer to sk101974.
-
01318893, 01319783, 01319782, 01320419, 01338981, 01355359, 01359801, 01385958, 01386366, 01404400, 01405978, 01418214, 01460102, 01472038, 01501347, 01504525, 01509167, 01564581, 01570136 Incorrect count of slave interfaces in Bond Load Sharing (802.3ad LACP) after physical link on Slave interfaces goes down and back up.
Refer to sk98160.
R77.20 
Gaia Central Device Management
01215091 Central Device Management actions cannot be run on Standalone or Security Management machines. -
01217234 If the Security Management Server is a Standalone machine, or part of a Full HA cluster, for some of the Central Device Management actions to succeed, at least one policy installation is required on this Security Management Server. -
00264506 The IPS 'SSL Tunneling' protection may block cloning group synchronization traffic over TCP port 1129:
  • If members of the cloning group are part of Check Point cluster, then download IPS updates and install a policy.
  • If members of the cloning group are not part of Check Point cluster, then manually configure a Network Exception for this IPS protection to allow the traffic.
-
01215113 The "Get Topology" button is no longer available in Security Gateway's 'Topology' page.
To fetch interfaces and topology:
  1. Go to the "Firewall" tab.
  2. In the left upper pane, go to the "Gateways" view.
  3. Select on a Gaia Gateway.
  4. In the top tool bar, click on 'Actions' - go to 'Maintenance' menu - click on 'Fetch Settings From Device'.
Interfaces cannot be added or deleted via the Security Gateway's 'Topology' page.
To add an interface, configure it using the gateway's Operating System WebUI or CLI. Then use the 'Fetch Settings From Device' action in SmartDashboard (see above).
Delete an interface in the same way.
-
01208207 The 'Fetch Settings From Device' action fails, if the Gaia Security Gateway has a static route without a next-hop gateway address defined (such routes are only shown in Gaia Portal). For the 'Fetch Settings From Device' action to work, delete the static route in Gaia Portal ('Network Management' pane - go to 'IPv4 Static Routes'). R77.10
01215116 Only one NTP server can be configured using Central Device Management. -
01217359 In SmartDashboard, in "Gateways" view ("Firewall" tab - left upper pane), restoring a backup file from a remote server (FTP or SCP) fails due to a login issue. Contact Check Point Support for a solution. -
01215118 Two or more same-network routes with different next-hop gateways are not supported. For example, two default routes with different Gateway IP addresses. -
01215129 After successfully configuring interfaces, static routes, DNS, NTP and Proxy settings on the Security Gateway, Audit logs are sent to the Security Management Server:
  • Audit logs are sent only after a first policy install
  • Central Device Management actions (such as 'Push Settings To Device' and 'Run ... Script') do not generate an Audit log
-
01215133 The Central Device Management 'Open Shell' feature (click on 'Actions' - go to 'Maintenance' menu) does not work with Gaia Security Gateways that have an IPv6 address configured. -
Gaia Automatic Software Updates
- If Mobile Access blade is enabled or active on Security Gateway, then after upgrading to R77, the message 'Installed, self-test failed' might appear for the R77 package.
You need to install policy on the Security Gateway machine.
Note: The same message will continue to appear.
-
01210650,
00264589
The Secondary member of Full HA cluster cannot be upgraded using Gaia Software Updates.

Workaround: reinstall the the Secondary machine from scratch using the package for Fresh Install and synchronize the database from the Primary machine.

Refer to R77 Installation and Upgrade Guide - Chapter 7 Upgrading Security Management Server and Security Gateways - Upgrading Standalone Full High Availability:

To upgrade Full High Availability for cluster members in standalone configurations, there are different options:
  • Upgrade one machine and synchronize the second machine with minimal downtime.
  • Upgrade with a clean installation on one machine and synchronize the second machine with system downtime.
-
ClusterXL
00430815,
00430878,
00438084,
00836760,
00876244,
00905615,
01026331,
01083032,
01156311,
01277085,
01295791,
01321931,
01369211,
01398868,
01451296
Full Synchronization in cluster might fail due to insufficient buffer size - cluster member would be in 'Down' state because 'Synchronization' device reports its state as 'problem'.
Refer to sk36963.
-
01149020,
01102858
In the VRRP mode, local connections established by a VRRP Backup member fail (e.g., to DNS / NTP / Check Point Update servers).
Workaround:
  1. Open VRRP cluster object.
  2. Go to 'ClusterXL' pane.
  3. Uncheck the box "Hide Cluster Members' outgoing traffic behind Cluster's IP Address".
  4. Click on 'OK'.
  5. Save the changes: go to 'File' menu - click on 'Save'.
  6. Install policy onto VRRP cluster object.
-
01210097 When changing the cluster mode from High Availability to VRRP, the previous Proxy ARP configuration is not applied. Connections using Proxy ARP will not survive a fail-over.
Workaround: After changing the cluster mode, reboot both members.
-
01313749,
01319632,
01319633,
01319986,
01317782
$FWDIR/conf/cpha_hosts file (sk35780) is over-written during policy installation on Full HA cluster.
Refer to sk97522.
-
01322699,
01323617

Standby cluster member in ClusterXL High Availability Bridge mode, is passing/forwarding IGMP traffic.
Refer to sk97869.

Cluster debug on both members shows:
FW-1: fwha_select_ip_packet: IGMP Packet passed to OS (member 0).;
FW-1: fwha_select_ip_packet: IGMP Packet passed to OS (member 1).;

-
01341828,
01342888,
01342890,
01375740,
01352765,
01376129
Traffic outages and routing table drops in ClusterXL High Availability in Primary Up configuration.
Refer to sk98168.
-
01346966,
01351988,
01351990,
01369718,
01372574,
01382138,
01421084
ClusterXL forwarding of ARP Reply packets might cause duplicate entries on some Layer-3 devices connected to the cluster.
Refer to sk98417.
R77.20
01111297,
01320815,
01322895,
01322900,
01382195,
01405958
Port flapping on the switch, to which the Synchronization interfaces are connected of three and more ClusterXL members.
Refer to sk95150 - relevant kernel parameter must be set.
R77.20
Threat Emulation
01174234 For Threat Emulation, UserCheck messages usually work only with a UserCheck agent. This is because a connection cannot be redirected after a download starts, and the maliciousness of a file is determined after the download starts. -
01170605 IPv6 is not supported for Threat Emulation. -
01894511, 01908146, 01905123
/var/log/maillog file is not rotated on Threat Emulation gateway.
Refer to sk93505.
-
Mobile Access
01112227 Outlook Web Application push notifications do not work with the Mobile Access portal when Traditional Anti-Virus is enabled. -
01147075;
02302626
Mobile Access Portal supports Outlook Web App 2013 / 2016 only with the Path Translation (PT) method.
The Hostname Translation (HT) method is supported when cookies on the endpoint machine are configured.
The URL Translation (UT) method is not supported.
-
01102596 When activating features that use Multi Portals, IPSO Network Voyager is not accessible. HTTP automatically redirects to HTTPS, and the "403 forbidden" error is displayed in the browser.
Workaround: Change the IPSO Network Voyager SSL port and SSL level by running these commands in Clish:
# set ssl-port 4434
# set ssl-level 1
-
01184657, 01896185 Disabling the Floating Navigation Bar (FNB) via GuiDBedit Tool does not disable the FNB in the Web Application.
Refer to sk109254.
-
01284792,
01285678,
01285679,
01285680
When using an ActiveSync app on an iOS connected to R76/R77 Security Gateway, multiple sessions could be established for each user.
Refer to sk96686.
-
01278084 When users connect with Mobile VPN and then change network (either cellular or Wi-Fi), the VPN connection is lost. Users need to manually connect again.
Refer to sk97066.
-
01290277,
01290476,
01320927,
01346421,
01346950,
01383302
  • Server cannot start connection to client even if Server to Client network application exists.
  • SNX traffic of Server to Client traffic is being dropped over "Unauthorized SSL VPN traffic" log in SmartView Tracker.
  • Back connections to VPN clients with Office mode fail.
Refer to sk97108.
R77.10
01353168,
01353697,
01353705
Links with Unicode Hexadecimal encoding are not translated by Mobile Access Path Translation (PT).
Refer to sk98976.
-
01376821 When logging in with a user without any native application access defined, the SNX section in the portal is displayed. -
01346097,
01347184,
01353120,
01347202
"Error: Access Denied. The format or content of your request has been detected as invalid or unsafe (400)" when accessing Outlook Web Access (OWA) through Mobile Access Portal.
Refer to sk98215.
-
- Mobile Access does not support viewing or editing files with 'Office Online apps', Microsoft's browser-based Office applications. Outlook Web Access is supported, however you cannot open or edit Office Online app files from emails. -
Security Management
01098502,
01186713,
01101461
QoS policy installation on a 600 / 1100 / Security Gateway 80 appliance succeeds, but the following warnings are displayed:
WARNING: SharedLibLoad(Name_of_Library_File.so): called from statically-linked code!
Ignore these warnings.
-
01192796

If 'Enable drop optimization' feature (Refer to sk90861) is enabled in R76 Security Gateway object (SmartDashboard - R76 Security Gateway Properties - 'Optimizations' pane), policy installation can fail on R76 Security Gateway.

Workaround:

  • On Security Management Server:

    1. Connect to command line on R77 Security Management Server (over SSH, or console).
    2. Log in to Expert mode.
    3. Copy the 'important_implied_rules.C' file from '$FWDIR/conf/' directory to R76 Backward Compatibility directory:
      [Expert@HostName]# cp -v $FWDIR/conf/important_implied_rules.C  /opt/CPR76CMP-R77/conf/
    4. In SmartDashboard, install policy onto R76 Security Gateway.
  • On Multi-Domain Security Management Server:

    1. Connect to command line on R77 Multi-Domain Security Management Server (over SSH, or console).
    2. Log in to Expert mode.
    3. Copy the 'important_implied_rules.C' file from '$FWDIR/conf/' directory in MDS context to R76 Backward Compatibility directory in the context of involved Domain Management Server:
      [Expert@HostName]# mdsenv
      [Expert@HostName]# cp -v $FWDIR/conf/important_implied_rules.C  /var/opt/CPmds-R77/customers/<Name of Domain Management Server>/CPR76CMP-R77/conf/
    4. In SmartDashboard, install policy onto R76 Security Gateway.
-
01230727,
01230996,
01230991,
01230920,
01230943,
01230933
Security Gateways prior to R76 drop UDP traffic on non-standard ports after upgrading Security Management Server to R77.
Refer to sk95056.
-
01284743 Scheduled install ends with errors when opening SmartDashboard. In the GUI, you see "Scheduled install ended with errors". -
01273079,
01272160
'dbedit -s hostname' command stopped after the upgrade to R76 due to the IPv6 support. -
01288873,
01290219,
01288948
'migrate import' command fails with these errors in 'migrate-DDD_MMM_DD_HH-MM-SS_YYYY.log' file: .....................
[ExecCommandGetOutput] Going to execute command: '"/opt/CPsuite-R77/fw1/bin/fw" authd_set -b fwauthd.conf'
[ExecCommandGetOutput] ERR: Command completed with error code 1
.....................


Refer to sk98968.
-
01322162,
01322427
'router_load -cisco' command fails in SCP mode with "ERROR: Authentication failed, Invalid IP address or hostname".
Refer to sk98008.
R77.10
01335622,
01335779
'router_load -cisco' command wrongly shows "Download was successful" although it was not able to connect to Cisco OSE device (Error opening scp - Transfer aborted).
Refer to sk98009.
R77.10
01492692,
01492806
'router_load -cisco' command wrongly shows "Download was successful" although it was not able to connect to Cisco OSE device (Error opening scp - No such file or directory).
Refer to sk102996.
01385206 While the 'router_load' command is being executed, the output of 'ps auxw' / 'ps -ef' command shows the 'router_load' command with all its arguments - including username and password for OSE device.
Refer to sk102997.
-
01340456,
01340731,
01340734,
01346077
Policy Verification takes very long time and eventually times out.
Refer to sk98106.
-
01360844,
01362223,
01362224

$CPDIR/tmp/ directory is filled with 'file...' files.

Example: [Expert@HostName]# ls -l $CPDIR/tmp/file*
...
-rw-rw---- 1 admin root 771506 Jan 13 13:01 /opt/CPshrd-R77/tmp/fileR5LELI
-rw-rw---- 1 admin root 904722 Jan 13 13:25 /opt/CPshrd-R77/tmp/fileRcK0nz
-rw-rw---- 1 admin root 240090 Jan 13 13:25 /opt/CPshrd-R77/tmp/fileRfA9jP
...


Refer to sk98567.
-
01381866,
01386063
FWD daemon might crash under debug. -
01425206,
01425391
  • Policy installation on R77 Security Gateways fails with the following errors:

    "/opt/CPsuite-R77/fw1/conf/<POLICY_NAME>.pf , line N: ERROR: syntax error
    ... ... ...
    "/opt/CPsuite-R77/fw1/conf/<POLICY_NAME>.pf , line N: ERROR: table <auth_services> has no predefined format
    ... ... ...
    "/opt/CPsuite-R77/fw1/conf/<POLICY_NAME>.pf , line N: ERROR: table <client_was_auth> has no predefined format
    ... ... ...
    "/opt/CPsuite-R77/fw1/conf/<POLICY_NAME>.pf , line N: ERROR: syntax error
    Error compiling IPv6 flavor.
    Compilation failed.
    Operation ended with errors.
    .

  • UFP IPv6 logs in SmartView Tracker show wrong hit rate statistics.
Refer to sk101330.
-
01431881,
01432334
When defining an ICMP service with Type and Code and install it on Cisco router, the ICMP code value is ignored.
Refer to sk101500.
-
01368631,
01371531,
01427548
Resource field shows "*** Confidential ***" in Application Control / DLP logs on 3rd party LEA OPSEC client when using Permissions Profile.
Refer to sk101570.
R77.20
01493176,
01493994
Changes in Administrator password and allowed GUI clients are not synchronized in Management HA deployment.
Refer to sk103053.
-
02019438,
02019725 
fwm process memory leak and crash after renaming many objects in a large database.  -
Multi-Domain Security Management
01290396,
01292842,
01292845,
01295784
MDS HA status is switched to 'Lagging' every 6 hours.
Refer to sk97412.
-
01322693,
01336003,
01336016
Changes made in Global Policy in the 'IPSec VPN - Link Selection' in the global Security Gateway object are not exported to Domain Management Servers
Refer to sk97883.
-
01366893,
01370421,
01367292,
01367293
SmartUpdate in MDS level shows different licensing information than SmartUpdate in Domain level.
Refer to sk98898.
-
01404266,
01404568
SmartUpdate does not support Linux50 packages.
Refer to sk100946.
-
01488725,
01488755
After changing the administrator's Authentication Scheme from 'Check Point Password' to 'OS Password' with the 'mdscmd setadminauth ADMIN_NAME os' command, administrator is still able to authenticate in SmartDomain Manager with 'Check Point Password'.
Refer to sk102946.
-
Security Gateway
01277050,
01284886,
01284887,
01284888
FWD process on Security Gateway crashes in 'dns_gethostbyxaddr' function after an upgrade to R77.
Refer to sk97047.
-
01527202,
01530121,
01530122,
01531650
R76 / R77 / R77.10 / R77.20 takes long time to reboot / start Check Point services.
Refer to sk103822.
Security Gateway Virtual Edition
00631234 Management High Availability and Log Server are not supported on a standalone Security Gateway VE. -
00527267 Performance Pack (SecureXL) Heavy Load Quality of Service feature (HLQoS) is not supported. -
00575640 Cloning and Templates are not supported for vSEC Gateway for ESX besides the OVF Templates that are provided by Check Point. -
00526862 VMware Tools are not supported on a Security Gateway VE Virtual Machine. -
00525830 To upgrade from R71 Security Gateway VE, refer to R77 Security Gateway Virtual Edition Administration Guide - "Upgrading from R71 VE". -
00566886 CPU consumption for the Security Gateway VE might show inaccurate results.
To resolve this issue, reserve CPU resources on the ESX:
  1. In the vSphere client, right click the Security Gateway VE.
  2. Select Edit Settings.
  3. On the Resources tab, move the Reservation slider to allocate a guaranteed CPU share (in MHz).
-
00568259 You can configure up to 2 virtual CPUs for the Security Gateway VE. -
00566045 The SecurePlatform WebUI is disabled until you assign an IP address to one of network adapters in Security Gateway VE. -
00649693 In environments with more than one Security Gateway Virtual Edition on one ESX host, (where one is in Hypervisor mode (i.e., R71 VE / R75.20 VE / R75.40 VE on SecurePlatform OS) and the others are in Network Mode), apply this configuration on the Security Gateway Virtual Edition in Hypervisor Mode:
  1. Run 'sysconfig' command and configure the security of the Security Gateway Virtual Edition in Network mode instances to bypassed.
  2. Run 'sysconfig' command and configure the security of the VMs that are secured by one of the Security Gateway Virtual Editions in Network mode to bypassed.
  3. Run 'sysconfig' command and configure the global failure setting to fail-open.
-
VSX
- SAM Block rules are not supported in VSX mode. -
01143713 Up to 128 interfaces are allowed for each Virtual System. -
00892773 VTI interfaces are not supported in VSX mode. -
01159014 IPv6 VPN connections are not supported on a VSX Gateway. -
01453316 Check Point VSX OID Branch 1.3.6.1.4.1.2620.1.16 can not be queried per Virtual System. The SNMP response contains the data from all configured Virtual Systems.
Refer to sk90860.
-
01466618

To query a VSX Gateway / VSX cluster member over SNMPv2 / SNMPv3, the query should be sent to the VSX machine itself (context of VS0):

  • In DMI configuration:
    • In case of a single VSX Gateway, the SNMP query should be sent to the IP address of the DMI interface.
    • In case of a VSX cluster, the SNMP query should be sent to the physical IP address (of the DMI interface) of each cluster member.
  • In non-DMI configuration:
    • The SNMP query should be sent to the physical IP address of the external interface on the VSX machine.
Refer to sk90860.
-
01181667 IPS Packet Capture does not work on a Virtual System created on a Domain Management Server that is not Main Domain Management Server (where the object of VSX Gateway / VSX cluster was created). A 'Connection failed' error shows in the SmartView Tracker IPS log when clicking on View Packet Capture in a log generated by a Virtual System.
Refer to sk93342.
R77.10
01249325,
01288838,
01383867,
01398503
Some Virtual Systems are Down after rebooting a VSX cluster member with enabled Identity Awareness Blade.
Refer to sk102067.
R77.10
01268691,
01269671,
01269672,
01269673;
01268736,
01270077,
01273422
Kernel panic on Security Gateway in Gateway mode and FWK process crashes on Security Gateway in VSX mode.
Refer to sk96167.
-
01285022,
01286171,
01286175,
01286176
CPD process memory leak in 'vsxstatagent' function.
Refer to sk97327.
-
01322078,
01364311
SNMPD daemon crashes with core dump files (in /var/log/dump/usermode/) when running 'snmpwalk' query for VSX branch 1.3.6.1.4.1.2620.1.16.
Refer to sk100221.
R77.10
00186960 When enabling Per Virtual System High Availability or VSLS, each Virtual Switch must have a physical interface that provides connectivity between cluster members.
Refer to sk36980.
-
01456150 In SmartDashboard, it is not possible to select VSX Gateway itself as 'Next Hop Gateway' in 'Advanced Routing Rule':
  1. Open Virtual System / Virtual Router object.
  2. Go to 'Topology' pane.
  3. Click on 'Advanced Routing...' button.
  4. Click on 'Add...' button.
  5. When configuring a rule, VSX Gateway itself does not appear in the 'Next Hop Gateway' list (only other Virtual Systems / Virtual Routers appear).
-
01918066
PPTP traffic does not pass through Virtual System with enabled CoreXL and Hide NAT.
Refer to sk109834
-
SecureXL
00264417 If either of these features/settings is already enabled:
  • Multi-Queue on one of the non-SAM interface, or
  • Hyper-Threading in BIOS
and you then enable or disable SAM mode on one of the interfaces then:
  1. Reboot the system.
  2. Log in to Expert mode.
  3. Re-configure the Multi-Queue by running this command:
    [Expert@HostName]# cpmq reconfigure
  4. Reboot the system again.
Refer to Check Point Multi-Queue Guide from sk80940.
-
01269753,
01289911,
01289912,
01289913
SecureXL does not start fragmenting the packets. As a result, traffic sent over VPN tunnel is dropped. -
01317396,
01318910,
01318933
After cluster failover, VSX Virtual Router with enabled SecureXL stops passing some traffic.
Refer to sk97761.
-
00932955,
01459845,
01461372,
01470117
"ioctl getdropcfg#1 failed" error when running "sim dropcfg -l" command.
Refer to sk102346.
-
SmartProvisioning
01960860,
01961181
"No SmartLSM Profile with installed policy found for selected firmware" error when upgrading firmware on SMB appliance cluster through SmartProvisioning. Refer to -
SmartLog
- SmartLog cannot automatically perform object name resolving when the object name is changed. -
QoS
- QoS does not support the following:
  • IPv6
  • VSX
-
User Authority
01288683,
01289928,
01289929,
01289930
User Authority Server (UAS) does not start on 64-bit Security Gateway:
[Expert@HostName]# uagstart
UAS: Loading UAS driver ... 
mknod: missing operand after `0' 
Try `mknod --help' for more information. 
chmod: cannot access `/dev/uag0': No such file or directory 
UAS: UAS driver was loaded successfully 
UserAuthority: Starting driver 
Unable to open '/dev/uag0': No such file or directory 
UAG module: Can't open UAG device 
UserAuthority: Driver load failed 
Refer to sk97087.
R77.10
Compliance Blade
- Upgrade of R76 Management Server with Compliance Blade Hotfix to R77 fails with error message:

  • Error message on CLI: "Pre-upgrade verification failed"

  • Error message in Gaia Portal: "The file could not be retrieved"
Refer to sk97048.
-
00264417 Configuration of Compliance Blade is not saved after upgrade to R77.
Refer to sk95328.
-
SNMP
01289099,
01289976,
01289977,
01289978
"Could not resolve 'Sensor' within the trap 'Trap'" errors in Spectrum CA when importing Check Point 'GaiaTrapsMIB.mib' file.
Refer to sk97410.
-
SmartEvent
01313659,
01336916,
01336955,
01319013
After an upgrade, SmartEvent does not show any events and shows an error "No connection to correlation unit".
Refer to sk97632.
-
01338561,
01338574,
01338575
In Network Activity report, the total network traffic in the 'Summary' section is smaller than the total traffic in the 'Top Network Activity' section.
Refer to sk98073.
-
01339672,
01339954,
01352471,
01374073
SmartEvent 'Top Users By Traffic' view does not show any events for Active Directory users.
Refer to sk98092.
-
01346234,
01346579,
01346578
SmartEvent reports fail with no data found, if AD name has a comma (,) in it.
Refer to sk98276.
-
01384305,
01385997
Cannot query event if UserName contains quotes comma apostrophe.
Refer to sk99043.
-
01428433,
01432368
Client not able to configure SmartEvent with 3rd Party OPSEC device.
Refer to sk101536.
 
CPInfo
01343582 CPinfo crash on Windows 7 / 8 Security Management.
Refer to sk98198.
-
SmartView Tracker
01349964,
01352693,
01352694,
01396070,
01404453,
01413833,
01421334,
01453206
SmartView Tracker does not display any logs when filtering in 'Origin' column by Security Gateway's object name.
Refer to sk98349.
R77.20
Dynamic Routing
01351289 Despite using the 'local-address' option, BGP packets are sent out with source IP address of the outgoing interface instead of the configured IP address.
Refer to sk98358.
-
01350372 When exporting Static/Direct/RIP routes into OSPF without a routemap, or when not configuring automatic or manual tag, tag value is set to an unexpected value in the uninitiated variable in that function.
Refer to sk98415.
-
00266138,
00266151

Changing VLAN tag on a bond interface with configured IPv6 IP address causes the IPv6 route to disappear.
Refer to sk99016

-
00266007,
00266009,
00266071,
00266277
Redistributing interface routes in Gaia Portal from an interface with capital letters in its name (e.g., "Mgmt", "DMZ") fails - only the static routes are exported.
Refer to sk99067.
-
01409175,
00266299,
01412821
Routed: OSPF adjacency on neighbor stuck at LOADING because LSU is not sent.
Refer to sk100866.
-
01441529;
01394263,
01441498
OSPF traffic outage after policy installation or fail-over in ClusterXL running on Gaia OS.
Refer to sk101788.
R77.20
01448707,
00267075
routed crashes when sending ping on a static route. See sk101992. -
IPS
01370016,
01381780,
01371192
PPTP GRE Connections are not deleted from connection table.
Refer to sk100201.
-
01488103, 01511203, 01511647, 01535408, 01555564, 01560056 IPS protection "TCP Off-Path Sequence Inference" drops TCP packets originated by Security Gateway.
Refer to sk104637.
-
01367531, 01375276, 01375404, 01375414, 01375713, 01375715, 01375716, 01380512, 01511033 IPS protection "TCP Off-Path Sequence Inference" drops TCP "RST" packets with "ACK" value 0.
Refer to sk104640.
R77.20

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment