ID |
Symptoms |
Firewall |
01088236, 01132709, 01132707, 01184216, 01132708 |
TLS traffic (Server Hello) is dropped when using only the 'ssl_v3' service. |
01134342, 01136030, 01134496, 01134494, 01134605, 01134495 |
The same web site cannot be accessed on more than one destination port when Security Gateway is configured as Non-Transparent Proxy. |
01118812, 01184197, 01119847, 01119848, 01119846 |
DCE-RPC high port is not opened by the service 'ALL_DCE_RPC' and all traffic on it is dropped. Refer to sk42402. |
01144219, 01144565, 01144566, 01189318, 01150992, 01144284, 01146802, 01168628 |
SmartView Tracker shows incorrect logs after upgrade to R75.x. Symptoms of this issue include, but are not limited to:
- Wrong interface name is shown in logs
- Source / Destination / Origin fields show wrong information
- NAT is being logged as performed, while it is not
- Identity Awareness shows irrelevant IP addresses
- Services are shown with the wrong port
Refer to sk72160. |
01069394, 01138565, 01083594, 01083595, 01138563, 01131371, 01138561 |
TCP traffic with ECN-setup SYN packets is dropped without logs. Refer to sk87880. |
01136720, 01137534, 01137535, 01137536 |
Security Gateway drops the connection when the NAT rulebase contains a Dynamic Object that is not mapped (is not configured in the Dynamic Objects list on the Security Gateway). |
00838996, 00929670, 01117517, 01109494, 01056468, 01124554, 00857002, 01125281, 01109498, 00967306, 01124477, 00839014 |
The original *.log file is kept (not purged) and some pointer files are missing (not created for the new log) when switching a FireWall log on Windows 2008 / Windows 7. Refer to sk66162. |
01166584, 01166878, 01166880 |
Global kernel parameters that could cause a crash if their value is changed on-the-fly (with 'fw ctl set int PARAMETER VALUE' command) were changed to read-only. Now, values of these kernel parameters can be set only during boot per sk26202:
- fw_sync_sending_queue_size (described in sk82080)
- fw_sync_recv_queue_size (described in sk82080)
- fwlddist_buf_size (described in sk35466)
- fw_log_bufsize (described in sk33139)
|
01120059, 01184207, 01120363, 01120364 |
ICMP packets with IP Options are dropped by the Security Gateway with 'Forbidden IP option' drop log in SmartView Tracker. Important Note: To enable the fix, user must set the value of relevant kernel parameter 'asm_allow_ipopt_on_icmp' to 1 (one). Refer to sk93809. |
01147066, 01147319, 01147320, 01147321, 01166815, 01199267, 01287367, 01322299, 01473258, 01474609 |
Output of 'fw ctl pstat' command shows negative values. Refer to sk93810. |
01045465, 00264157 |
HTTPS Client Authentication accepts weak ciphers (as reported by 'sslscan' test / 'McAfee/Foundstone' test). |
01150621, 01155058, 01172804, 01155060, 01155061, 01155059 |
RPC NULL calls and RPC GETTIME calls are dropped on the cleanup rule even when the RPC service 'nfsprog' is used. |
01155362, 01157514, 01157515, 01157516, 01157518, 01158877, 01160701, 01162431, 01162675, 01173792, 01215306 |
Cipher strength for Client Authentication is under 128-bit and there is no way to control the SSL version in use. Important Note: Three new environment variables were added to disable the unwanted SSL versions - "ASSL_NO_TLS", "ASSL_NO_SSLV2", "ASSL_NO_SSLV3". Refer to sk100584. |
00949900, 01128223, 01139785, 01126870, 01126869, 01128221 |
HTTP TRACE Method is allowed on Software Blades Portals based on Apache Web Server (Identity Awareness, Data Loss Prevention, Mobile Access, and the Gaia Portal). |
01119817, 01122449, 01122448, 01122450, 01180657 |
'psl_get_tmpl_opaque_ref: tmpl_data is NULL' message is printed repeatedly in /var/log/messages file. |
01106719, 01143842, 01170327, 01171061, 01174244, 01383474, 01405518 |
Additional information will be printed when 'stack overflow, pc=0x... stack=0x... thst=0x... sp=0x... jumpadd=0x0' message appears in /var/log/messages file. Refer to sk99329. |
01151082, 01153053, 01159408, 01160250, 01167104, 01168779, 01184203, 01186047, 01195459, 01200358, 01202398, 01219191, 01219436, 01219503, 01219504, 01254637, 01269927, 01273735, 01340126, 01341617, 01460273 |
Security Gateway randomly reboots when IPS or SecureXL is enabled. Refer to sk93308. |
01127906, 01133771, 01140319, 01148057, 01134011, 01175966, 01189000, 01134110, 01128474, 01180416 |
Security Gateway randomly freezes when proxy is enabled. Refer to sk93248. |
01146454, 01126288 |
Arrays can be written out of bounds on fwauthd daemon. |
ClusterXL |
01081828, 01111075, 01134315, 01087517, 01087516, 01146163, 01183089, 01178565 |
Automatic NATed IP addresses are not assigned correctly with VMAC addresses in Gaia VRRP cluster with enabled VMAC instead of the physical MAC addresses of the cluster members. Refer to sk92426. |
01142395, 01142407 |
Connection via VPN does not survive failover in ClusterXL High Availability mode with enabled SecureXL. Refer to sk93567. |
01153574, 01175973; 01111814, 01116937, 01132298, 01116939, 01132266 |
Output of 'cpstat -f all ha' command or of 'cpstat ha -f all' command on Gaia OS does not show complete information in the 'Cluster IPs table' and the 'Sync table'. Refer to sk93201. |
01081833, 00263257, 01146166, 00263272, 01088328, 01088330, 01134324, 01183113 |
Check Point ARP Kernel Table 'arp_table' is not synchronized to the new VRRP Master after failover (on both Gaia and IPSO). Refer to sk92426. |
01136626, 01137838, 01139243, 01139241, 01146123, 01180945, 01173374, 01139242, 01169039, 01179018, 01170645, 01189081, 01150500, 01151779 |
Integrated global kernel parameter 'fwha_dead_timeout_multiplier' to control ClusterXL dead timeout. Refer to sk93454. |
01136054, 01154020, 01136525, 01141214, 01136527, 01136526 |
Integrated ability to send an SNMP Trap in the event of a ClusterXL failover to multiple Trap Servers (by default, it is sent only to Security Management Server). Refer to sk93455. |
01135889, 00263828, 01137491, 01139528, 01137492, 01189083 |
Standby member changes its state to 'Down' when iBGP with 'local-address' is configured on ClusterXL. Refer to sk93591. |
01174253, 01175165, 01175166, 01175167, 01177475, 01187610, 01198641, 01202117, 01209940, 01248754, 01352098, 01363848 |
No traffic passes through ClusterXL in High Availability mode when proxy is enabled. Refer to sk93247. |
01188513, 01191042, 01191043, 01195067 |
Proxy ARP addresses of the NATed hosts are erased on the Gaia VRRP Master member from the Check Point ARP Kernel table 'arp_table' (output of 'fw ctl arp' command returns 'No proxy ARP entries') after fail-over and failback. Refer to sk93534. |
SecureXL |
01133253, 01135391, 01135386, 01135384, 01135385, 00263879 |
VSX on Crossbeam chassis crashes due to SecureXL when user runs the 'fwaccel on' command, or when an interface goes up/down. Refer to sk92661. |
00262927, 01131280, 01142709, 01147527 |
If Security Acceleration Module (SAM) is installed, SIM Affinity for backplane interfaces (eth-bp1d1 and eth-bp1d2) is not configured during boot. Now, SIM Affinity correctly assigns the backplane interfaces during boot:
- if SIM Affinity was configured in Automatic Mode - to CPU 0 and to CPU 1
- if SIM Affinity was configured in Static Mode - based on $PPKDIR/boot/modules/sim_aff.conf file
|
00263003, 01142708, 01132153, 01130803, 01122894, 01147517 |
SIM Affinity does not work correctly with interfaces that have multiple IRQs. Now, outputs of 'sim affinity -l', 'fw ctl affinity -l -a', and 'cat /proc/interrupts' commands display identical affinities for interfaces with multiple IRQs. |
01176603, 01179299, 01179301, 01179300 |
Standby member with enabled SecureXL running on Gaia OS generates logs that multicast traffic is being dropped on the interface that points to Multicast Receiver due to Anti-Spoofing. Now, logs for dropped multicast traffic will be generated only if the Destination IP address is not broadcast or if the Destination IP is multicast. Multicast traffic sent from Multicast Sender to Multicast Receiver is actually forwarded by the Active member, and then the switch forwards it to the Standby member: Multicast Receiver <-> Multicast Router <-> Switch <-> Cluster <-> Multicast Sender. |
01160210, 01160245 |
Memory leaks in SecureXL. Refer to sk93308 and sk92934. |
01160126, 01160220 |
Memory leak detection procedure (sk35496) creates partial output for SecureXL. |
00116686, 01166916, 01166917, 01166918, 01166921 |
Performance degradation on Crossbeam chassis is caused by SecureXL SIM Affinity of SDP interfaces, which are not supported by SecureXL (these SDP interfaces were excluded from SecureXL). |
DLP |
01140369, 01140437, 01140438 |
Errors "Process DLPU_0 isn't monitored by cpWatchDog. Stop request aborts" in $CPDIR/log/cpwd.elg when DLP blade is disabled. |
01165147, 01168375, 01168372, 01169344, 01173135 |
Data type is not recognized when sending e-mail using OWA 2007 or BlackBerry when the forbidden words appear at the end of the e-mail body. |
Anti-Spam |
01080183, 01164250, 01085368, 01179612, 01085367 |
In rare circumstances, mail might be bypassed by Anti-Spam because of a temporary scan failure. |
Anti-Bot / Anti-Virus |
01103916, 01104533, 01104532 |
The Anti-Virus Policy does not show the 'Service' column in SmartDashboard. |
01073684, 01154866, 01147907, 01075092, 01075093, 01113720, 01116759 |
Anti-Virus in Traditional mode sometimes blocks files that contain multiple dots in the file name (e.g., this.is.example.zip). |
01104462 |
'The rule does not exist any more' error is displayed in SmartDashboard after right-clicking in SmartView Tracker on an Anti-Bot & Anti-Virus log and selecting 'Add Exception to Anti-Bot & Anti-Virus Rule...'. Refer to sk93806. |
01140570, 01181709, 01140787, 01140786, 01140785 |
Anti-Virus recognizes *.ico files as *.mpeg files. |
01152926, 01155814 |
The following error is displayed in SmartDashboard when adding a service in Anti-Bot & Anti-Virus policy:
SmartDashboard - 'Anti-Bot & Anti-Virus' tab - go to 'Policy' - right-click on 'Protection' column - add 'Service' - in 'Service' column click to add service - start typing in the drop down text box.
ModalDropDownContainer Unhandled exception has occurred in a component in your application. If you click Continue, the application will ignore this error and attempt to continue. Can't find property '[ipaddr]'. |
Identity Awareness |
01126910, 01148527, 01129633, 01143373, 01145752, 01129631, 01129632, 01131008 |
When Identity Awareness is running with both AD query and Identity or Multi User Host Agents as identity sources, the agents might be occasionally disconnected with "Invalid Session" message. |
01102355, 01105215, 01105140, 01105141 |
Deploying the MSI package of Identity Agent using GPO rule fails. |
01085734, 01187992, 01105582, 01105583, 01186792, 01149413 |
Users connecting to Internet with web browser that does not support Kerberos SSO will automatically be redirected to the Captive portal after 1 second. |
01126592, 01128755, 01128757, 01128756 |
Not all entries are removed from Windows Registry after uninstallation of customized Identity Awareness client 'customAgent.msi'. |
01102067, 00896702, 00911403, 00913037, 00974899, 01046092, 01046092, 01057322, 01115813, 01116245, 01274689 |
User must enter the credentials twice in order to authenticate via Captive Portal in Internet Explorer 9 and Chrome 17 (and above). Refer to sk102387. |
01120887, 01151005, 01182310, 01122006, 01166831, 01123051, 01122007 |
In Identity Awareness environment with identity sharing, identities created by a local gateway that are on the same 32/28 network as identities created by a remote gateway might be lost on rare occasions. |
01110434, 01136332, 01139043 |
Identity Agent for Mac OS X is unresponsive if the DNS Server is unreachable. |
01149718, 01154250, 01154248, 01154858, 01154249 |
Identity Awareness Terminal Server agent creates a lot of unnecessary Windows Event logs stating that the agent is connected. |
01139670, 01150390, 01148529, 01150391, 01146357 |
Number of attempts the Identity Agent will try to connect until it considers itself disconnected can now be configured by the user (default is: 30 times for the first time attempt, 2 times for regular attempts). |
01158287 |
Improved performance and stability for Terminal Server/Citrix Identity Agent. |
01140316, 01172645, 01150353, 01150355, 01158345 |
After Terminal Server reboot, the Identity Agent sometimes starts instead of the Terminal Server Agent. Refer to sk92645. |
01146202, 01146254, 01148530, 01146209, 01146213 |
Memory leaks in MADService.exe process when viewing users in the Agent's GUI (Controller). Refer to sk92645. |
01157206, 01159941, 01159942, 01159943, 01209559, 01321563, 01351162, 01363762, 01395591; 01459004, 01459085 |
"CLogFormat::create failed - field already exists !" messages appear repeatedly in $FWDIR/log/fwd.elg file on Identity Awareness gateway. Refer to sk102171. |
01050791, 01181543, 01158864, 01178616 |
Added support for NTLMv2 authentication for AD Query (Note: default is still NTLMv1). |
01176746, 01177366, 01180208, 01184550 |
SmartView Monitor shows incorrect messages and severities regarding PDP disconnections from PEP. |
URL Filtering |
01166592, 01166726, 01166727, 01166728, 01187633, 01202083, 01202306, 01260097, 01382098 |
Security Gateway crashes randomly if the URL Filtering blade is enabled. |
01175810, 01177409, 01177407, 01177408 |
Policy installation fails with 'Load on module failed - no memory' error when the size of URL Filtering cache parameter 'cache_max_hash_size' is set to a value over 25000. Refer to sk101875. |
UserCheck |
00892707, 01150006, 01139125 |
When a user resets the password known to the UserCheck Client and changes the user name, the user is required to restart the UserCheck Client for the changes to take effect (to send the new name to the Security Gateway). |
01155853 |
The UserCheck blue banner does not show in Internet Explorer 10. This issue is already resolved on a fresh install of R75.46, but not on a system that is upgraded to R75.46. |
Endpoint |
01150991, 01150378, 01186636, 01150375, 01150194, 01150377, 01150376 |
Saving Endpoint Security Server policy fails with 'Server Error - An internal server fault has occurred'. Refer to sk92885. |
IPS |
01126852, 01179166, 01133747, 01168710, 01129727, 01133346, 01161956, 01129735, 01130216, 01136950, 01188665, 01140798, 01129728, 01131964, 01139076, 01171814, 01176147, 01182052, 01140425, 01132542, 01132675, 01129726, 01136428, 01182105 |
Traffic rate through Security Gateway is decreased significantly when assigned any IPS profile other than 'Default_Protection'.
Refer to sk92527. |
01078006, 01134117, 01140289, 01140343, 01157744, 01146982, 01127909, 01180425, 01128462, 01144331, 01175978, 01134010, 01143584, 01133764 |
Legitimate HTTP traffic is rejected by IPS protection 'Non Compliant HTTP' as 'Attack: Block HTTP Non Compliant' with these logs in SmartView Tracker:
Product: IPS Software Blade
Action: Reject
Protection Name: Non Compliant HTTP
Attack: Block HTTP Non Compliant
Protection Type: Protocol Anomaly HTTP
Protection ID: BlockHttpNonProtocolCompliant
Product Family: Network
Refer to sk92657. |
00886936, 01143583, 01140270, 01146985, 01157742, 00890411, 01144328 |
SmartView Tracker shows false positive IPS logs for HTTP Response packets with Body that contains CHUNK and GZIP when HTTP traffic passes through Proxy, and IPS 'Non Compliant HTTP' protection and 'Gzip Enforcement' protection are enabled:
Product: IPS Software Blade
Action: Reject
Protection Name: Non Compliant HTTP
Attack: Block HTTP Non Compliant
Protection Type: Protocol Anomaly HTTP
Protection ID: BlockHttpNonProtocolCompliant
Product Family: Network
Refer to sk93824. |
01067683, 01069230, 01180645, 01069528, 01069529 |
SmartView Tracker shows false positive IPS logs 'TCP Out of Sequence' for Microsoft Keep Alive Packets.
Important Note: To disable the false positive IPS logs when a Keep Alive packet is recognized, user must set the value of relevant kernel parameter 'psl_disable_keepalive_logs' to 1 (one). |
01162387, 01188757, 01168116, 01172694, 01168117, 01168115, 01168118, 01182622 |
Kernel debug is not generated correctly for 'Bad SMTP Server Greeting' protection. As a result, kernel debug shows:
;== >fwemail_info_string_to_attack_id: str_id=135 (Server reply out of expected SMTP state);
;fwemail_info_string_to_attack_id: No match!;
;< ==fwemail_info_string_to_attack_id: Returning -1 (protection name is '');
;== >fwemail_string_to_string_id: str_id=124 (SMTP policy violation);
;< ==fwemail_string_to_string_id: Returning 997 (SMTP policy violation) ;
;== >fwemail_string_to_string_id: str_id=135 (Server reply out of expected SMTP state);
;< ==fwemail_string_to_string_id: Returning 1007 (Server reply out of expected SMTP state) ;
................
;FW-1 - ips_first_log_cap_issue_cap_for_static_log: attack_id is incorrect (-1 >=671); |
01166665, 01166816, 01166817, 01166818 |
SmartDashboard crashes during IPS online update because of corrupted $FWDIR/conf/SMC_Files/asm/crc_marker_db.fws file. Note: After the IPS online update, SmartDashboard will display the following message: 'It is possible that existing protections are marked for follow up, please refer to the follow up tab and review the list of protections.' |
01140621, 01140826, 01158344, 01166722, 01168854, 01144699, 01145008, 01186416, 01155842, 01181758, 01152515 |
Citrix traffic is dropped by IPS with log 'Citrix Enforcement Violation' when Security Gateway is running Gaia OS with 64-bit kernel. Refer to sk92720. |
VPN |
01098053, 01131271, 01142410, 01142456, 01142691, 01205417, 01363353 |
Permanent VPN tunnel is down when SecureXL is enabled on ClusterXL High Availability mode. Refer to sk93568. |
01053808, 01060762, 01121784, 01121785, 01162145, 01183430, 01060763 |
VPN tunnel on Security Gateway 80 does not come up after rebooting Security Gateway 80 because VPN Peer Security Gateway does not recognize the Security Gateway 80's certificate correctly. Refer to Scenario 2 in sk114834. |
01140729, 01142415, 01142416, 01142417 |
ICMP packets with Sequence Number 259 that were sent over VPN are dropped with 'Reason: Failed to enforce VPN policy (11)' log. |
01166690, 01173667, 01173668, 01175085 |
Location Awareness sometimes returns an internal location to clients even though Network Location Awareness was disabled on Security Gateway. As a result, if a Mobile Access client for iOS / Android tries to connect on an internal interface, it receives a message that the network resources are already available. |
00640044, 00878091, 00854256, 00914297, 01044925, 01049424, 01101643, 01133083, 00773042, 00932822, 00984114, 01145648, 00819377, 01067447, 01140796, 01159443, 00743251, 00845907, 00863156, 01164812, 00867403, 01113168, 00259582, 00881673, 01145658, 01152303, 00864819, 00829916, 00881761, 00829917, 01106507, 01122615, 01131184, 00845917 |
Memory leaks in 'vpn_queues' kernel table (in the output of 'fw tab -t vpn_queues -s' command, the value in #VALS column is increasing without new VPN tunnels being established). |
01118184, 01174894, 01124402, 01124403 |
Importing of 3rd party certificate with 'Authority Key Identifier' CRL Extension fails with 'Unhandled critical extension 2.5.29.36' error in SmartDashboard. |
01146577, 01150640, 01153832, 01158938, 01149287, 01149285, 01180944 |
RADIUS users are sometimes disconnected from remote access after a policy installation or after 2 hours, whichever comes first. |
01074192, 01133619 |
Slow Site-to-Site VPN is affected by Virtual Defragmentation. The default value of kernel parameter 'sim_keep_DF_flag' was changed to 1 (one). Refer to sk92465. |
01150366, 01183404 |
VPN kernel debug repeatedly shows incorrect message: vpnxl_device_active: ERROR: API table not loaded for device number 1.; |
01108722, 01163520, 01163521, 01163522, 01179033 |
When connecting two L2TP Windows-based clients, located behind NAT, one of them is disconnected. |
Mobile Access |
01085121, 01085808, 01085809, 01176652 |
With access to the Outlook Web Access 2003 server through NTLM authentication, the 'Inbox' is not populated correctly if accessed from Internet Explorer through the Mobile Access Portal. |
00919534, 00975377, 00922391, 01107377 |
Embedded native application links do not work correctly when connecting with SSL Network Extender on non-English Windows OS. |
01076453, 01175084, 01118444, 01188788; 01152674, 01118443 |
With 'Location Awareness by Interface Definition' enabled on ClusterXL with more than two external interfaces, if the iOS client tries to connect using Mobile VPN application to the gateway through an interface different than the one used to create the VPN Site, the client fails to connect with "The sites resources are already available" error. Refer to sk92851. |
01090471, 01094133, 01100605, 01094086, 01094134 |
Mobile Access portal is occasionally unresponsive (Apache Bug 42829). Refer to sk92847. |
01113954, 01115835, 01115836 |
When a Remote Access client connects to the gateway, the Product field is not shown in raw logs. |
00857668, 01173048, 00924368, 00914381, 01081395, 01144114 |
After the Android hotfix was installed (sk65314), enabling Anti-Virus blade causes issues with ActiveSync and access to Exchange Server for Check Point Mobile for Android devices. |
00769690, 00771821, 00846644 |
The CPSB-SSLVPN-5000 license is not handled correctly on Security Gateway (during policy installation, Mobile Access blade is not disabled). Refer to sk92503. |
01139704, 01140640, 01140642, 01140641 |
If a web page has more than 1MB of untranslated characters, only part of the page shows when using Host Translation (HT). |
01145098, 01147903, 01147948, 01148034, 01148539, 01154843, 01188776, 01203816, 01210646, 01218200, 01322681, 01344909, 01372031 |
When connecting from Client to Server using Mobile Access, there can be connectivity issues, if the source port is re-used during the connection's timeout limit (which by default is 1 hour). Refer to sk102096. |
01165970, 01166669, 01166671, 01166670 |
Cookie, created by script on the browser side, containing untranslated link is sent to internal server. |
01161963, 01162752 |
Mobile Application for iOS (version 1.3.x) fails to connect if only ActiveSync application is allowed for the user. |
01155740, 01155759, 01164313, 01155749 |
DoS on Citrix applications via Mobile Access Blade:
- User connects to Citrix application and downloads the .ica file, however, the SOCKS connection does not begin.
- When user signs out of the Mobile Access Portal, the Security Gateway releases the Citrix session and inserts an invalid value to the list of available IDs.
- As a result:
  - Memory consumption increases on Security Gateway (because the ID queue has static size).
  - After a while, a user requests an ID, receives an invalid ID, and is not able to connect.
|
01153364, 01153846, 01153847, 01153848, 01153956 |
Mobile Access Portal main page is inaccessible (HTTP 403 error) in cluster when both Anti-Virus Blade and Trace IP are enabled. |
SSL Network Extender |
01109172, 01110840, 01110842, 01110841 |
If the IP addresses on the local network overlap with the encryption domain (IP addresses range of a native application), SSL Network Extender client appears to connect and then disconnects with the error "SSL initialization failed". |
01073103, 01098876, 01140728; 01060864, 01062946, 01062945, 01080263 |
SSL Network Extender client in Office Mode is assigned only the first 2 out of 3 configured DNS / WINS servers. Refer to sk93884. |
Multi-Portal |
01104997, 01109975, 01109976, 01109977, 01174943 |
ICMP packets are dropped by Multi-Portal implied rule with 'Reason: Rulebase drop - rule 0;' log. |
Security Management Server |
01102638, 01118717, 01113361, 01172857, 01107512 |
When connecting with SmartDashboard to already synchronized Secondary Management Server, the status appears as "Lagging" instead of "Synchronized". Refer to sk92331. |
01146319, 01147351, 01147352, 01147350, 01158024 |
Administrator user created via 'cpconfig' on Security Management Server is not synchronized to the peer Security Management Server in Management HA deployment. Refer to sk92736. |
01106076, 01181173, 01106731, 01106730 |
SmartView Tracker 'Management' log was improved and now contains the status of the new added rule:
Application: SmartDashboard Subject: Object Manipulation Operation: Modify Object Type: Log Object Type: firewall_policy Performed On: Policy_Name
- Changes: Rule N: added 'security_rule' - ; UID = {...}; Rule is disabled. ; ...
- Changes: Rule N: added 'security_rule' - ; UID = {...}; Rule is enabled. ; ...
|
01101916, 01102870, 01102871, 01153302; 01089633, 01147132, 01094201, 01140696; 01165592, 01173795, 01176793, 01176794, 01176791 |
'fwm logexport' command fails with 'Error: Failed to read field FollowUp' after enabling Anti-Virus / Anti-Bot blades. Refer to sk91620. |
01085749, 01090991, 01090990, 01090988, 01152734 |
Skybox LEA Client cannot fetch all logs from Security Management Server / Log Server. |
01155286, 01155688, 01155686, 01155687 |
A certificate created via the ICA tool is not saved. |
01139654, 01154083, 01154082, 01154081 |
Management HA status is not changed after modifying VPN configuration files '$FWDIR/conf/vpn_route.conf' and '$FWDIR/conf/vpn_service_based_routing.conf'. |
00983975, 00987027, 01176017, 01102388, 01175979 |
The $FWDIR/log/fwm.elg file is filled with unnecessary messages: CCPMIStatusRequest::~CCPMIStatusRequest: Called destructor for an uninitialized object or already released |
01140137, 01140521, 01140522, 01188671, 01190507, 01190599 |
Policy installation fails when Unnumbered VTI interfaces are configured in ClusterXL members, with these errors: "/opt/CPsuite-RXX/fw1/conf/Policy_Name.pf", line N: ERROR: Duplicate keys <IP_Address_in_Hex> in table 'cluster_members_ids_by_ips' "/opt/CPsuite-RXX/fw1/conf/Policy_Name.pf", line N: ERROR: Duplicate keys <IP_Address_in_Hex> in table 'cluster_members_ips_by_local_ip' |
01089781, 01090951, 01180660, 01090953 |
'fwm verify' command returns: You do not have a license to manage gateways from this Domain Management Server. Management of gateways that are not Virtual Systems requires a Security Management level license. |
01139848, 01147896, 01147897, 01147898, 01172770, 01178697 |
"Administrator failed to log in: No SIC error message" error in SmartView Tracker for "Unknown" type Application log when working with Tufin Admin Login. Refer to sk92749. |
01182073, 01183046, 01183147, 01189688, 01182696, 01182694 |
After checking the box of 'Endpoint Policy Management' product in the Security Management Server object and performing 'Install Database' operation, the FWM daemon immediately starts consuming the CPU at 100% on Security Management Server. Refer to sk93356. |
01090393, 01116279, 01116278 |
SmartDashboard might hang when clicking on 'OK' in cluster Topology window with many interfaces defined. |
01109343, 01110887, 01110888, 01168270 |
FWM daemon crashes if an LDAP user with DN longer than 503 characters is selected in SmartDashboard. |
01134659, 01134688 |
FWM daemon crashes when creating a Database Revision. |
01114172, 01118953, 01118951, 01118952 |
FWM daemon crashes in rare cases when initializing SIC with new Security Gateway. |
Multi-Domain Security Management Server |
01124023, 01176029, 01124310, 01129443, 01125794, 01125793 |
If you run 'mdsstart_customer Domain_Name' command from a directory other than '$FWDIR/conf/', then an empty 'CPMILinksMgr.db.private' file is created in that directory (where the command was issued). |
01145108, 01181226, 01145254 |
SmartView Tracker 'Management' log shows false positive 'Administrator Login' failures (from MDS and from Domains): Application: Unknown Subject: Administrator Login Operation: Log In Status: Failure Type: Log General Information: Administrator failed to log in: No SIC error message |
01107629, 01108173, 01108174 |
In the SmartDomain Manager: launch a Read-Only SmartDashboard connected to a Domain Management Server - go to 'IPS' tab - expand 'Protections' - expand 'By Protocol' - expand 'IPS Software Blade' - expand 'Web Intelligence' - right-click on 'General HTTP Worm Catcher' protection - select 'See Details...' - in the 'Worm Patterns Definitions' line, click on 'Edit...' button - click on any pattern - the 'View...' button is grayed out. |
01136947, 01156861 |
When editing a new Domain object without entering the 'Version & Blade Updates' tab and clicking on 'OK', a message is displayed about activating the plugins on this Domain. User is not able to cancel the message and editing the object. |
01168879, 01169017, 01169018, 01169016, 01198268 |
'mds_backup' fails on clean Multi-Domain Security Management Server when there are no Domains configured at all with the following errors: mds_backup> Making backup file "mds_backup_logs.tgz" for the variable information of Multi-Domain Server. /opt/CPmds-R75.40/system/shared/gtar: No match. mds_backup> Deleting temporary Multi-Domain Server backup files mds_backup> Backing-up the Multi-Domain Server failed. mds_backup> Cannot proceed with backup of the Multi-Domain Server. |
01103851, 01134242, 01136378 |
DCE-RPC *.def files are not updated in the Backward Compatibility directories on the existing Domain Management Servers during an upgrade from R75.40. Refer to sk92362. |
01159205, 01160435, 01160436, 01152879 |
'$MDSDIR/scripts/mds_backup' script fails with these errors: mds_backup> Deleting temporary Multi-Domain Server backup files mds_backup> Backing-up the Multi-Domain Server failed. mds_backup> Cannot proceed with backup of the Multi-Domain Server. Refer to sk92925. |
01144404, 01175045, 01148091, 01148935, 01198396, 01146132, 01166807, 01195906, 01145893, 01175261, 01146133, 01156451, 01146134, 01145894 |
FWM daemon sometimes crashes after OPSEC sessions due to rare memory leak. |
01047552, 01090883, 01048064, 01111956, 01048058 |
FWM daemon crashes on Domain Management Server after upgrade. |
SmartDashboard |
01133149, 01173289, 01133695, 01163385, 01133694, 01136114, 01133696, 01136039 |
SmartDashboard crashes when editing a Group Object or an Address Range Object that was just cloned. Refer to sk92632. |
01117384, 01120540, 01120541 |
On the IPS tab, when you right-click a signature and select 'Edit follow up comment', the comment is not saved. |
01165542 |
When connected with previous SmartDashboard to an upgraded Security Management Server, it is not possible to download the updated SmartConsole from this message: Before you connect to [server version] you need to install SmartConsole version [server version] . |
01093127, 01132353, 01117435, 01131576, 01131575, 01131568 |
In the object of Gaia VRRP cluster - go to 'Topology' - click on 'Edit Topology...' button - 'Get Topology' button is not available under the members' names. Note: The improved SmartDashboard requires a fix from sk93201 to be installed on VRRP cluster members. Refer to Resolved Issue 01153574. |
01121919, 01129265, 01126986, 01121965 |
'Users and Administrators Accounts' pane is missing in 'Global Properties', if User Authority license (CPUA-UAG) is not installed on Security Management Server. |
01090475, 01195878, 01186678, 01097287, 01097286, 01195877 |
'Anti-Bot & Anti-Virus' column disappears from 'Install Policy' dialog window when SmartWorkflow is enabled. Refer to sk91161. |
00943814 |
When downloading the 'R75.45 SmartConsole' package from R75.45 Security Management Server via SecurePlatform WebUI / Gaia Portal, the SmartConsole package that is downloaded is actually 'R75.40 SmartConsole'. Refer to sk91582. |
01140161, 01140169, 01164950 |
SmartDashboard sometimes crashes when creating a new LDAP Group in the LDAP tree. |
01143684, 00636156 |
If static routes are changed, a new group is incorrectly created for Anti-Spoofing (behind a specific interface) after getting interfaces with topology. Resolution correctly changes the static routes of the group. |
01066037, 01065620, 01066036 |
It is possible to set "Timeout for SYN attack Identification" to 1-3 seconds although the actual minimum value is 4 seconds. |
SmartView Monitor |
01099996, 01100674, 01100673, 01187498 |
Colors on the line graph do not match the colors in the list at the bottom. |
00926085, 01139387, 01149063 |
Loading of any 'History' view (e.g., Traffic - Common Services History) fails with 'The parameter is incorrect' error. |
01173534, 01174128, 01187483, 01175643, 01174129 |
'FireWall' or 'FireWall History' reports saved as CSV or as Text either contain incorrect data, or an error 'Encountered an improper argument' appears. Refer to sk93045. |
SmartEvent |
01139635, 01144955, 01186353, 01144954 |
The 'cpstat cpsead' command does not display more than 100 jobs. |
01137445, 01166198, 01166199, 01166200 |
SmartEvent is not able to process new events once it has reached the maximum capacity (limit of the database size). |
01131360, 01131362, 01133707, 01134338, 01138336, 01138342, 01138349, 01381518, 01408044 |
After performing an 'Install Database' operation from a Security Management Server that has a lower version (e.g., R75.40) than the SmartEvent server (e.g., R75.45/R75.46/R76), login to the SmartEvent GUI client fails with "Unable to get idle-time workstation locking policy" error. Refer to sk111293 (Scenario 3). |
01107332 |
In SmartEvent - Events - Predefined - Application & URL Filtering - UserCheck - query does not show any events. |
01113957, 01119873, 01115144, 01115143 |
CPSEMD daemon is constantly crashing. |
SmartReporter |
01036872, 01073870, 01086415, 01073869 |
'Active' Security Management Server is not always visible on 'Input' tab of SmartReporter reports after failover in Management HA setup. Note: This fix is integrated into the new SmartConsole. |
01092002, 01118709, 01103212, 01103211, 01186301 |
SmartReporter 'Firewall Blade - Activity' reports show wrong 'Traffic Size' information when the results are sorted by 'Bytes'. Refer to sk92485. |
01131970, 01133051, 01133052, 01133050, 01155392 |
SmartReporter continues to delete database records until the disk is 15% full. It should delete records until the disk is 80% full. |
01067315, 01102964, 01102965, 01151039, 01110549; 01070232, 01172399 |
The database size could not be increased beyond 200GB. Refer to sk92221. |
01126408, 01127605, 01127607, 01127606 |
Log Consolidator restarts continuously after consolidation session is created. Refer to sk92633. |
01108807, 01122937, 01109334, 01186304, 01109335 |
Users with long names (more than 100 characters) do not appear in the Report for Mobile Access logins. |
01092958, 01093460, 01093461, 01093462 |
'Outgoing' traffic is shown as 'Other' in the '...by Direction' section of the Cross Blade Network Activity report. Refer to sk90620. |
01097627, 01103072, 01147702, 01103073 |
The 'evs_backup' collects many unnecessary files, which causes corruption on a new machine when it is restored from this backup file. |
01162270, 01166093, 01187413, 01164514, 01166799, 01164515, 01164516 |
SmartReporter is not able to generate a report in PDF format. |
01161276, 01161948, 01239460, 01161946, 01244974, 01161949, 01244126; 01168703, 01171253, 01251118, 01171252, 01171251 |
The following errors appear repeatedly for SmartReporter/SmartEvent in Windows Event Viewer - Application log:
- Source: PostgreSQL
Event ID: 0 ERROR: schema "mysql" does not exist STATEMENT: delete from mysql.user where host='build' or user = 'PUBLIC'
- Source: PostgreSQL
Event ID: 0 ERROR: column "sam_int_domain_name" does not exist at character X STATEMENT: SELECT SAM_INT_DOMAIN_NAME FROM INT_DOMAIN
- Source: PostgreSQL
Event ID: 0 ERROR: relation "con0X_connections" already exists STATEMENT: CREATE TABLE CON0X_CONNECTIONS(...)
Refer to sk92862. |
SmartLog |
00983931, 01144502, 01132753, 01112908, 01137739, 01003965, 01004208 |
SmartLog indexes consume a high amount of disk space. Refer to sk88840. |
01144961, 01145801, 01145799, 01145800 |
The symbolic links for the $SMARTLOGDIR/data/ directory and the $SMARTLOGDIR/log/ directory in the context of Domain Management Server are not always created when upgrading a Multi-Domain Security Management Server. |
01134295, 01139597, 01138530, 01138718 |
SmartLog server does not function correctly when different gateways perform a simultaneous log switch. |
01103093, 01151852, 01159162, 01152702 |
The smartlog_server process crashes if a log does not have an action. |
SmartProvisioning |
01136716, 01137539, 01137537, 01137538 |
When using the "Push dynamic objects" option in SmartProvisioning GUI, the Security Gateway becomes unresponsive for new connections/traffic. |
01117423, 01118213, 01118214, 01320963, 01350176, 01350524 |
Dynamic Object LocalMachine_All_Interfaces on ROBO gateway does not include all the interfaces that were configured in SmartProvisioning GUI. Refer to sk98418. |
01095224, 01096963, 01096961, 01096962 |
Memory leaks in the CPD daemon when using SmartProvisioning. |
01171847, 01173514, 01173512, 01173513 |
If $FWDIR/conf/robo-IKE.NDB file on Security Gateway contains duplicate keys (due to some leftovers of old deleted ROBO/Edge devices), validation results in drop of VPN traffic.
LSMrouter will now validate that there are no duplicate keys for the 'Robo_ranges' hash table (key is a range <lo_ip,hi_ip>). If there are duplicate keys, update CO will now fail:
|
SecurePlatform OS and Gaia OS |
00903104, 01093937, 00914086, 00903383, 01139997 |
TCP Segmentation Offload (TSO) on 10GB interfaces is re-enabled after reboot. Refer to sk90062. |
01110134, 01111100, 01111099, 01204815, 01452594 |
VTI interface does not work on machine with CPU that does not support PAE. Refer to sk92320. |
00776966, 01123650, 01130952, 01139522, 00824938 |
The IPv6 default route could take precedence over a more specific route (after reboot and when an interface fails and comes back online). Refer to sk73201. |
01154583, 01155307, 01155310, 01155308 |
'snmpwalk' command returns wrong value for fwHmem-current-allocated-bytes (OID .1.3.6.1.4.1.2620.1.1.26.1.6) on 64-bit system. |
01145042, 01145111, 01145113, 01145112 |
'snmpbulkget' command returns duplicate OIDs. |
SecurePlatform OS |
01122219, 01124984, 01123458, 01124603, 01145593, 01123457 |
When you create a Bond interface of two 10Gb interfaces and then check the /proc/net/bonding/bond0 file, there are no slave interfaces. |
00367067, 00374440, 00374442, 00509948, 00535607, 00613800, 00836960, 01045080, 01084320, 01181942 |
RADIUS authentication fails for SecurePlatform users included in groups other than 'Any'. Refer to sk58460. |
01096602, 01099569, 01099568 |
The 'backup -p' command does not delete local backup files from /var/log/CPbackup/backups/ directory on UTM-1 / Power-1 / Smart-1 appliances. Refer to sk90404. |
01103111; 01102526 |
Added support for built-in DVD ROM on Dell PowerEdge R620 server. |
00635474, 01068695, 00858953, 00669272, 01124785, 01153745, 00750798, 01091468, 00906598, 00669271, 00906589 |
It is not possible to create VLANs on Check Point IAS D-series in 'sysconfig' with naming pattern sXpX. Refer to sk89183. |
00515724, 01135952, 00648960, 01149836, 01149834, 01149839 |
Backup/Restore function in SecurePlatform WebUI works only for files up to 2GB in size. Refer to sk61230. |
01158222, 01158268, 01158269, 01158270 |
Creating Bond interface on 1 Gbps Fiber slave interfaces fails in SecurePlatform 'sysconfig' with 'Failed to enslave interface ethX to bondN' error. |
01090189, 01168663 |
It is not possible to download the SmartConsole from SecurePlatform WebUI ('Product Configuration' pane - 'Download SmartConsole') if MultiPortal or Mobile Access Blade is enabled - either there is no response from the WebUI, or the user is presented with 'Access Denied. The destination of your request has not been configured, or you do not have authorization to access it. (403)' error. |
01097057, 01186336, 01102859, 01102860, 01102861 |
The following errors are displayed when starting the CPSNMPD daemon manually:
[Expert@HostName]# $CPDIR/bin/cpsnmpd -p 260
snmpd: Opening port(s): Port 260 binded successfully
CPSNMPD: server running
#Init function of library "/opt/CPshrd-R7X/lib/libpersistentAgent.so"failed
#Init function of library "/opt/CPshrd-R7X/lib/libstatisticaloid.so" failed
#Init function of library "/opt/CPshrd-R7X/lib/libthresholdagent.so" failed
#HaAgentLoadVersions: Could not get SVN version string from registry |
Gaia OS |
01131536, 01132024, 01132025, 01132026, 01217927 |
Gaia Database is locked after running 'mds_backup -g -b -L best -d /var/tmp' command. Refer to sk95388. |
01094324, 01095703, 01095702 |
Backup using FTP ignores the '-path' argument and puts the file in the home directory of the FTP server regardless of the specified path. |
01116132, 01119527, 01119526 |
Fans show as up (status 0) in the output of 'show sysenv fansl' command despite being down and having 0 RPM. |
01076441, 01077261, 01139523, 01077265 |
Gaia Portal host access configuration settings are lost after reboot. |
01103609, 01159207, 01103676, 01130954, 01139525 |
TCP Segmentation Offload (TSO) is re-enabled on some Fiber 10GB interfaces after changing MTU or RX/TX ring size. |
01084691, 01095468, 01146818, 01146429 |
Gaia Portal does not work correctly if many VLAN interfaces are defined: it takes a long time to connect, and when connected it keeps disconnecting because the confd daemon consumes CPU at 100%. |
01084518, 01118871, 01091063, 01091064 |
'CLINFR0412 Inconsistent ValFlag & MultiValue for XXX node registered at- COMMAND' errors appear repeatedly in /var/log/messages file during boot. Refer to sk111632. |
00900638, 00265491, 00263550, 00263627, 00263748, 00263893, 00265490 |
Added support for SNMP Trap 'vrrpTrapNewMaster' for VRRP fail-over. Refer to sk82060. |
01159918, 01188644, 01161747, 01186027, 01161745, 01161748, 01186286 |
Deleted routes still appear on Gaia OS. Refer to sk93627. |
01165593, 01195069, 01165760, 01165762 |
Proxy ARP in Gaia VRRP cluster does not function properly. When many interfaces are configured in the VRRP (~50), the /proc/net/varp file becomes corrupted and sometimes causes the machine to crash. Refer to sk93534. |
01104528, 01106641, 01106643 |
Some of the Dynamic Routing features fail after upgrading from IPSO IP Clustering to Gaia OS. Refer to sk92140. |
01142296, 01142344, 01142343, 01142342 |
Backup files created on Gaia OS running on Check Point appliances are stored in /var/ instead of /var/log/. |
01077665, 01139714 |
SMTP inspection in Bridge mode does not work on Gaia OS (e-mails are dropped), if the Bridge interface is not assigned an IP address. |
01140860, 01158726, 01145052, 01145095, 01145053, 01145054 |
'show configuration' command in Clish causes 'Segmentation fault' crash on Gaia OS. Refer to sk90142. |
00262415, 01165686 |
Saving the configuration on Gaia OS times out with 'NMSCFD0026 Timeout waiting for response from database server' error if there are multiple interfaces configured. Refer to sk113746 - Scenario 1. |
01149077, 01150323, 01150322, 01150321 |
All default routes are deleted when running multiple PPPoE tunnels and one PPPoE tunnel is disconnected. Refer to sk92948. |
01149080, 01150324, 01150325, 01150327 |
Multiple PPPoE tunnels with the same peer address cause RouteD daemon to exit with the following message in /var/log/messages file:
routed[PID]: if_get_address: duplicate address detected: X.X.X.X/Y
Refer to sk92948. |
00955029, 00958406, 01089880, 01166749, 00975277 |
IPMI drivers fail to initialize on Gaia OS. |
01152200, 01157178, 01157179, 01157177 |
In Gaia Portal - User Management - Password Policy section, if you change one of the fields and then change another field and revert it (while keeping the first change), the 'Apply' button becomes disabled (as if no changes were made on this page). |
01166621, 01166827, 01166828, 01166830, 01201540, 01215011, 01296931, 01412791 |
SNMPv3 with USM 'authentication' configuration does not survive reboot on Gaia OS. Refer to sk92937. |
01152669, 01152709, 01152710, 01152708 |
Restoring from a Backup file larger than 2GB, created on the same machine, fails. |
01172655, 01173457, 01173458, 01173077 |
When VTI (vpnt) interfaces are configured on the machine, the 'save configuration filename' command does not handle the vpnt interfaces properly (instead of saving the commands 'add vpn tunnel Tunnel_ID type', it saves the commands 'set interface vpntN'). |
01097811, 01097879, 01097869, 01097881 |
Adding IPv6 routes in Gaia Portal when working in Internet Explorer browser fails with error 'Destination 0 :: is the Default route. Please edit the existing entry.' |
01097811, 01097879, 01097869, 01097881 |
IPv6 Neighbor Discovery does not work on VLAN interfaces configured with IPv6 address. Refer to sk92630. |
01077572, 01079040, 01079043, 00263904 |
RouteD daemon consumes CPU at 100% when VRRP and BOOTP/DHCP Relay are configured. |
Advanced Dynamic Routing |
01098011, 01099307, 01099309, 01139527 |
After adding OSPF 'Normal Area' in Gaia Portal, the output of 'show configuration ospf' command shows some 'stub' and 'nssa' attributes. |
01138574, 01139369, 01139366, 01139359, 01139368 |
When the redistribution metric of an OSPF route for an overlapping subnet is changed, an extra Self-Originated LSA is added to the OSPF database. |
01105417, 01143706, 01110903, 01110905 |
Some RouteD multicast trace messages are printed incorrectly. |
01127744, 01145074, 01145075, 01164816, 01226501, 01306630, 01345855 |
RouteD daemon on StandAlone machine tries to send the OSPF MD5 Crypto sequence number (can be seen only in OSPF traces). |
01127421, 00264040, 01127712, 01127713, 01140538, 01139521, 01127716 |
RouteD daemon comes up and Dynamic Routing neighborship is established with peers only after running the 'cphastop' command on ClusterXL members. Refer to sk93593. |
01105356, 01110718, 00264072, 01188642, 01123319, 01140537, 01110717 |
RouteD daemon on Standby cluster member fails to synchronize with Active cluster member. The 'routed[PID]: recv(data) errno = 11' error appears in /var/log/messages file. |
01150118, 01152912, 01153043; 01150114, 01157413 |
While RouteD daemon runs, during 'cpstop' the Check Point kernel modules ($FWDIR/boot/modules/fw*mod*.o) are not unloaded because /dev/fw* devices are still used by RouteD daemon. This prevents the implementation of sk35496 (How to detect a kernel memory leak on Security Gateway with SecurePlatform OS / Gaia OS). |
01155071, 01159029, 01159028, 01159027, 0118864 |
RouteD daemon on Gaia OS does not recognize new PPPoE tunnels. Static routes and PBR routes going through a PPPoE tunnel interface are missing. Refer to sk92947. |
01074110, 01074450, 01074448 |
ClusterXL does not advertise BGP routes to Cisco router when configuring Cisco Loopback interface as neighbor IP address. Refer to sk89580. |
01106885, 01109310, 01139526 |
After a ClusterXL failover, GateD daemon publishes OSPF routes to BGP with the physical IP address of cluster member, instead of the cluster Virtual IP address. |
IP Series Appliances |
01125131, 01172520, 01182152, 01125957, 01125958, 01174736, 01170840 |
Incorrect values are returned over SNMP when monitoring Hardware Sensors on IP Appliance IP2450 and IP Appliance IP690 after upgrading from IPSO OS to Gaia OS. Refer to sk92780. |
01125039, 01182154, 01192524, 01192520, 01125486, 01125485 |
SNMP Monitoring of Hardware Sensors does not work on Gaia OS running on IP appliances. |
01116178, 00263461, 00263371, 01143359, 01163820 |
Kernel core dump 'vmcore' files are not generated on 32-bit Gaia OS running on IP Series appliance. Note: For 64-bit Gaia OS, ask your Check Point partner or Check Point Support Engineer for Hotfix 00263371. |