Check Point R75.47 Resolved Issues
Solution

This article lists all of the issues that have been resolved in R75.47.

Important notes:

 

Table of Contents

  • Firewall
  • ClusterXL
  • SecureXL
  • DLP
  • Anti-Spam
  • Anti-Bot / Anti-Virus
  • Identity Awareness
  • URL Filtering
  • UserCheck
  • Endpoint
  • IPS
  • VPN
  • Mobile Access
  • SSL Network Extender
  • Multi-Portal
  • Security Management Server
  • Multi-Domain Security Management Server
  • SmartDashboard
  • SmartView Monitor
  • SmartEvent
  • SmartReporter
  • SmartLog
  • SmartProvisioning
  • SecurePlatform OS and Gaia OS
  • SecurePlatform OS
  • Gaia OS
  • Advanced Dynamic Routing
  • IP Series Appliances

 

ID Symptoms
Firewall
01088236,
01132709,
01132707,
01184216,
01132708
TLS traffic (Server Hello) is dropped when using only the 'ssl_v3' service.
01134342,
01136030,
01134496,
01134494,
01134605,
01134495
The same web site cannot be accessed on more than one destination port when the Security Gateway is configured as a Non-Transparent Proxy.
01118812,
01184197,
01119847,
01119848,
01119846
DCE-RPC high port is not opened by the service 'ALL_DCE_RPC' and all traffic on it is dropped.
Refer to sk42402.
01144219,
01144565,
01144566,
01189318,
01150992,
01144284,
01146802,
01168628
SmartView Tracker shows incorrect logs after upgrade to R75.x. Symptoms of this issue include, but are not limited to:
  • Wrong interface name is shown in logs
  • Source / Destination / Origin fields show wrong information
  • NAT is being logged as performed, while it is not
  • Identity Awareness shows irrelevant IP addresses
  • Services are shown with the wrong port
Refer to sk72160.
01069394,
01138565,
01083594,
01083595,
01138563,
01131371,
01138561
TCP traffic with ECN-setup SYN packets is dropped without logs.
Refer to sk87880.
01136720,
01137534,
01137535,
01137536
Security Gateway drops the connection when the NAT rulebase contains a Dynamic Object that is not mapped (not configured in the Dynamic Objects list on the Security Gateway).
00838996,
00929670,
01117517,
01109494,
01056468,
01124554,
00857002,
01125281,
01109498,
00967306,
01124477,
00839014
The original *.log file is kept (not purged) and some pointer files are missing (not created for the new log) when switching a FireWall log on Windows 2008 / Windows 7.
Refer to sk66162.
01166584,
01166878,
01166880
Global kernel parameters that could cause a crash if their value is changed on-the-fly (with 'fw ctl set int PARAMETER VALUE' command) were changed to read-only.
Now, values of these kernel parameters can be set only during boot per sk26202:
  • fw_sync_sending_queue_size (described in sk82080)
  • fw_sync_recv_queue_size (described in sk82080)
  • fwlddist_buf_size (described in sk35466)
  • fw_log_bufsize (described in sk33139)
01120059,
01184207,
01120363,
01120364
ICMP packets with IP Options are dropped by the Security Gateway with 'Forbidden IP option' drop log in SmartView Tracker.
Important Note: To enable the fix, the user must set the value of the relevant kernel parameter 'asm_allow_ipopt_on_icmp' to 1 (one).
Refer to sk93809.
01147066,
01147319,
01147320,
01147321,
01166815,
01199267,
01287367,
01322299,
01473258,
01474609
Output of 'fw ctl pstat' command shows negative values.
Refer to sk93810.
01045465,
00264157
HTTPS Client Authentication accepts weak ciphers (as reported by 'sslscan' test / 'McAfee/Foundstone' test).
01150621,
01155058,
01172804,
01155060,
01155061,
01155059
RPC NULL calls and RPC GETTIME calls are dropped on the cleanup rule even when the RPC service 'nfsprog' is used.
01155362,
01157514,
01157515,
01157516,
01157518,
01158877,
01160701,
01162431,
01162675,
01173792,
01215306
Cipher strength for Client Authentication is under 128-bit and there is no way to control the SSL version in use.
Important Note: Three new environment variables were added to disable the unwanted SSL versions - "ASSL_NO_TLS", "ASSL_NO_SSLV2", "ASSL_NO_SSLV3".
Refer to sk100584.
00949900,
01128223,
01139785,
01126870,
01126869,
01128221
HTTP TRACE Method is allowed on Software Blades Portals based on Apache Web Server (Identity Awareness, Data Loss Prevention, Mobile Access, and the Gaia Portal).
01119817,
01122449,
01122448,
01122450,
01180657
'psl_get_tmpl_opaque_ref: tmpl_data is NULL' message is printed repeatedly in /var/log/messages file.
01106719,
01143842,
01170327,
01171061,
01174244,
01383474,
01405518
Additional information will be printed when 'stack overflow, pc=0x... stack=0x... thst=0x... sp=0x... jumpadd=0x0' message appears in /var/log/messages file.
Refer to sk99329.
01151082,
01153053,
01159408,
01160250,
01167104,
01168779,
01184203,
01186047,
01195459,
01200358,
01202398,
01219191,
01219436,
01219503,
01219504,
01254637,
01269927,
01273735,
01340126,
01341617,
01460273
Security Gateway randomly reboots when IPS or SecureXL is enabled.
Refer to sk93308.
01127906,
01133771,
01140319,
01148057,
01134011,
01175966,
01189000,
01134110,
01128474,
01180416
Security Gateway randomly freezes when proxy is enabled.
Refer to sk93248.
01146454,
01126288
Arrays can be written out of bounds on fwauthd daemon.
ClusterXL
01081828,
01111075,
01134315,
01087517,
01087516,
01146163,
01183089,
01178565
Automatic NATed IP addresses are not assigned correctly with VMAC addresses in a Gaia VRRP cluster with VMAC enabled instead of the physical MAC addresses of the cluster members.
Refer to sk92426.
01142395,
01142407
Connection via VPN does not survive failover in ClusterXL High Availability mode with enabled SecureXL.
Refer to sk93567.
01153574,
01175973;
01111814,
01116937,
01132298,
01116939,
01132266
Output of 'cpstat -f all ha' command or of 'cpstat ha -f all' command on Gaia OS does not show complete information in the 'Cluster IPs table' and the 'Sync table'.
Refer to sk93201.
01081833,
00263257,
01146166,
00263272,
01088328,
01088330,
01134324,
01183113
Check Point ARP Kernel Table 'arp_table' is not synchronized to the new VRRP Master after failover (on both Gaia and IPSO).
Refer to sk92426.
01136626,
01137838,
01139243,
01139241,
01146123,
01180945,
01173374,
01139242,
01169039,
01179018,
01170645,
01189081,
01150500,
01151779
Integrated global kernel parameter 'fwha_dead_timeout_multiplier' to control ClusterXL dead timeout.
Refer to sk93454.
01136054,
01154020,
01136525,
01141214,
01136527,
01136526
Integrated ability to send an SNMP Trap in the event of a ClusterXL failover to multiple Trap Servers (by default, it is sent only to Security Management Server).
Refer to sk93455.
01135889,
00263828,
01137491,
01139528,
01137492,
01189083
Standby member changes its state to 'Down' when iBGP with 'local-address' is configured on ClusterXL.
Refer to sk93591.
01174253,
01175165,
01175166,
01175167,
01177475,
01187610,
01198641,
01202117,
01209940,
01248754,
01352098,
01363848
No traffic passes through ClusterXL in High Availability mode when proxy is enabled.
Refer to sk93247.
01188513,
01191042,
01191043,
01195067
Proxy ARP addresses of the NATed hosts are erased on the Gaia VRRP Master member from the Check Point ARP Kernel table 'arp_table' (output of 'fw ctl arp' command returns 'No proxy ARP entries') after fail-over and failback.
Refer to sk93534.
SecureXL
01133253,
01135391,
01135386,
01135384,
01135385,
00263879
VSX on Crossbeam chassis crashes due to SecureXL when user runs the 'fwaccel on' command, or when an interface goes up/down.
Refer to sk92661.
00262927,
01131280,
01142709,
01147527
If Security Acceleration Module (SAM) is installed, SIM Affinity for backplane interfaces (eth-bp1d1 and eth-bp1d2) is not configured during boot.
Now, SIM Affinity correctly assigns the backplane interfaces during boot:
  • if SIM Affinity was configured in Automatic Mode - to CPU 0 and to CPU 1
  • if SIM Affinity was configured in Static Mode - based on $PPKDIR/boot/modules/sim_aff.conf file
00263003,
01142708,
01132153,
01130803,
01122894,
01147517
SIM Affinity does not work correctly with interfaces that have multiple IRQs.
Now, outputs of 'sim affinity -l', 'fw ctl affinity -l -a', and 'cat /proc/interrupts' commands display identical affinities for interfaces with multiple IRQs.
01176603,
01179299,
01179301,
01179300
Standby member with SecureXL enabled, running on Gaia OS, generates logs showing that multicast traffic is being dropped due to Anti-Spoofing on the interface that points to the Multicast Receiver.
Now, logs for dropped multicast traffic will be generated only if the Destination IP address is not broadcast or if the Destination IP is multicast.
Multicast traffic sent from the Multicast Sender to the Multicast Receiver is actually forwarded by the Active member, and then the switch forwards it to the Standby member:
Multicast Receiver <-> Multicast Router <-> Switch <-> Cluster <-> Multicast Sender.
01160210,
01160245
Memory leaks in SecureXL.
Refer to sk93308 and sk92934.
01160126,
01160220
Memory leak detection procedure (sk35496) creates partial output for SecureXL.
00116686,
01166916,
01166917,
01166918,
01166921
Performance degradation on Crossbeam chassis is caused by SecureXL SIM Affinity of SDP interfaces, which are not supported by SecureXL (these SDP interfaces were excluded from SecureXL).
DLP
01140369,
01140437,
01140438
Errors "Process DLPU_0 isn't monitored by cpWatchDog. Stop request aborts" in $CPDIR/log/cpwd.elg when DLP blade is disabled.
01165147,
01168375,
01168372,
01169344,
01173135
Data type is not recognized when sending e-mail using OWA 2007 or BlackBerry when the forbidden words exist at the end of the e-mail body.
Anti-Spam
01080183,
01164250,
01085368,
01179612,
01085367
In rare circumstances, mail might be bypassed by Anti-Spam due to a temporary scan failure.
Anti-Bot / Anti-Virus
01103916,
01104533,
01104532
The Anti-Virus Policy does not show the 'Service' column in SmartDashboard.
01073684,
01154866,
01147907,
01075092,
01075093,
01113720,
01116759
Anti-Virus in Traditional mode sometimes blocks files that contain multiple dots in the file name (e.g., this.is.example.zip).
01104462
'The rule does not exist any more' error is displayed in SmartDashboard after right-clicking in SmartView Tracker on an Anti-Bot & Anti-Virus log and selecting 'Add Exception to Anti-Bot & Anti-Virus Rule...'.
Refer to sk93806.
01140570,
01181709,
01140787,
01140786,
01140785
Anti-Virus recognizes *.ico files as *.mpeg files.
01152926,
01155814
The following error is displayed in SmartDashboard when adding a service in the Anti-Bot & Anti-Virus policy:

SmartDashboard - 'Anti-Bot & Anti-Virus' tab - go to 'Policy' - right-click on 'Protection' column - add 'Service' - in 'Service' column click to add service - start typing in the drop down text box.

ModalDropDownContainer
Unhandled exception has occurred in a component in your application.
If you click Continue, the application will ignore this error and attempt to continue.
Can't find property '[ipaddr]'.
Identity Awareness
01126910,
01148527,
01129633,
01143373,
01145752,
01129631,
01129632,
01131008
When Identity Awareness is running with both AD query and Identity or Multi User Host Agents as identity sources, the agents might be occasionally disconnected with "Invalid Session" message.
01102355,
01105215,
01105140,
01105141
Deploying the MSI package of Identity Agent using GPO rule fails.
01085734,
01187992,
01105582,
01105583,
01186792,
01149413
Users connecting to the Internet with a web browser that does not support Kerberos SSO will automatically be redirected to the Captive Portal after 1 second.
01126592,
01128755,
01128757,
01128756
Not all entries are removed from Windows Registry after uninstallation of customized Identity Awareness client 'customAgent.msi'.
01102067,
00896702,
00911403,
00913037,
00974899,
01046092,
01046092,
01057322,
01115813,
01116245,
01274689
User must enter the credentials twice in order to authenticate via Captive Portal in Internet Explorer 9 and Chrome 17 (and above).
Refer to sk102387.
01120887,
01151005,
01182310,
01122006,
01166831,
01123051,
01122007
In an Identity Awareness environment with identity sharing, identities created by a local gateway that are on the same 32/28 network as identities created by a remote gateway might be lost on rare occasions.
01110434,
01136332,
01139043
Identity Agent for Mac OS X is unresponsive if the DNS Server is unreachable.
01149718,
01154250,
01154248,
01154858,
01154249
Identity Awareness Terminal Server agent creates a lot of unnecessary Windows Event logs stating that the agent is connected.
01139670,
01150390,
01148529,
01150391,
01146357
The number of times the Identity Agent will try to connect before it considers itself disconnected can now be configured by the user (default: 30 times for the first-time attempt, 2 times for regular attempts).
01158287
Improved performance and stability for Terminal Server/Citrix Identity Agent.
01140316,
01172645,
01150353,
01150355,
01158345
After Terminal Server reboot, the Identity Agent sometimes starts instead of the Terminal Server Agent.
Refer to sk92645.
01146202,
01146254,
01148530,
01146209,
01146213
Memory leaks in MADService.exe process when viewing users in the Agent's GUI (Controller).
Refer to sk92645.
01157206,
01159941,
01159942,
01159943,
01209559,
01321563,
01351162,
01363762,
01395591;
01459004,
01459085
"CLogFormat::create failed - field already exists !" messages appear repeatedly in $FWDIR/log/fwd.elg file on Identity Awareness gateway.
Refer to sk102171.
01050791,
01181543,
01158864,
01178616
Added support for NTLMv2 authentication for AD Query (Note: default is still NTLMv1).
01176746,
01177366,
01180208,
01184550
SmartView Monitor shows incorrect messages and severities regarding PDP disconnections from PEP.
URL Filtering
01166592,
01166726,
01166727,
01166728,
01187633,
01202083,
01202306,
01260097,
01382098
Security Gateway crashes randomly if the URL Filtering blade is enabled.
01175810,
01177409,
01177407,
01177408
Policy installation fails with 'Load on module failed - no memory' error when the size of URL Filtering cache parameter 'cache_max_hash_size' is set to a value over 25000.
Refer to sk101875.
UserCheck
00892707,
01150006,
01139125
When a user resets the password known to the UserCheck Client and changes the user name, the user is required to restart the UserCheck Client for the changes to take effect (to send the new name to the Security Gateway).
01155853
The UserCheck blue banner does not show in Internet Explorer 10.
This issue is already resolved on a fresh install of R75.46, but not on a system that is upgraded to R75.46.
Endpoint
01150991,
01150378,
01186636,
01150375,
01150194,
01150377,
01150376
Saving Endpoint Security Server policy fails with 'Server Error - An internal server fault has occurred'.
Refer to sk92885.
IPS
01126852,
01179166,
01133747,
01168710,
01129727,
01133346,
01161956,
01129735,
01130216,
01136950,
01188665,
01140798,
01129728,
01131964,
01139076,
01171814,
01176147,
01182052,
01140425,
01132542,
01132675,
01129726,
01136428,
01182105
Traffic rate through the Security Gateway decreases significantly when any IPS profile other than 'Default_Protection' is assigned.
Refer to sk92527.
01078006,
01134117,
01140289,
01140343,
01157744,
01146982,
01127909,
01180425,
01128462,
01144331,
01175978,
01134010,
01143584,
01133764
Legitimate HTTP traffic is rejected by IPS protection 'Non Compliant HTTP' as 'Attack: Block HTTP Non Compliant' with these logs in SmartView Tracker:
Product: IPS Software Blade
Action: Reject
Protection Name: Non Compliant HTTP
Attack: Block HTTP Non Compliant
Protection Type: Protocol Anomaly HTTP
Protection ID: BlockHttpNonProtocolCompliant
Product Family: Network
Refer to sk92657.
00886936,
01143583,
01140270,
01146985,
01157742,
00890411,
01144328
SmartView Tracker shows false positive IPS logs for HTTP Response packets with Body that contains CHUNK and GZIP when HTTP traffic passes through Proxy, and IPS 'Non Compliant HTTP' protection and 'Gzip Enforcement' protection are enabled:
Product: IPS Software Blade
Action: Reject
Protection Name: Non Compliant HTTP
Attack: Block HTTP Non Compliant
Protection Type: Protocol Anomaly HTTP
Protection ID: BlockHttpNonProtocolCompliant
Product Family: Network
Refer to sk93824.
01067683,
01069230,
01180645,
01069528,
01069529
SmartView Tracker shows false positive IPS logs 'TCP Out of Sequence' for Microsoft Keep Alive Packets.

Important Note: To disable the false positive IPS logs when a Keep Alive packet is recognized, the user must set the value of the relevant kernel parameter 'psl_disable_keepalive_logs' to 1 (one).
01162387,
01188757,
01168116,
01172694,
01168117,
01168115,
01168118,
01182622
Kernel debug is not generated correctly for 'Bad SMTP Server Greeting' protection.
As a result, kernel debug shows:
;== >fwemail_info_string_to_attack_id: str_id=135 (Server reply out of expected SMTP state);
;fwemail_info_string_to_attack_id: No match!;
;< ==fwemail_info_string_to_attack_id: Returning -1 (protection name is '');
;== >fwemail_string_to_string_id: str_id=124 (SMTP policy violation);
;< ==fwemail_string_to_string_id: Returning 997 (SMTP policy violation) ;
;== >fwemail_string_to_string_id: str_id=135 (Server reply out of expected SMTP state);
;< ==fwemail_string_to_string_id: Returning 1007 (Server reply out of expected SMTP state) ;
................
;FW-1 - ips_first_log_cap_issue_cap_for_static_log: attack_id is incorrect (-1 >=671);
01166665,
01166816,
01166817,
01166818
SmartDashboard crashes during IPS online update because of corrupted $FWDIR/conf/SMC_Files/asm/crc_marker_db.fws file.
Note: After the IPS online update, SmartDashboard will display the following message:
'It is possible that existing protections are marked for follow up, please refer to the follow up tab and review the list of protections.'
01140621,
01140826,
01158344,
01166722,
01168854,
01144699,
01145008,
01186416,
01155842,
01181758,
01152515
Citrix traffic is dropped by IPS with log 'Citrix Enforcement Violation' when Security Gateway is running Gaia OS with 64-bit kernel.
Refer to sk92720.
VPN
01098053,
01131271,
01142410,
01142456,
01142691,
01205417,
01363353
Permanent VPN tunnel is down when SecureXL is enabled on ClusterXL High Availability mode.
Refer to sk93568.
01053808,
01060762,
01121784,
01121785,
01162145,
01183430,
01060763
VPN tunnel on Security Gateway 80 does not come up after rebooting Security Gateway 80 because VPN Peer Security Gateway does not recognize the Security Gateway 80's certificate correctly.
Refer to Scenario 2 in sk114834.
01140729,
01142415,
01142416,
01142417
ICMP packets with Sequence Number 259 that were sent over VPN are dropped with 'Reason: Failed to enforce VPN policy (11)' log.
01166690,
01173667,
01173668,
01175085
Location Awareness sometimes returns an internal location to clients even though Network Location Awareness was disabled on Security Gateway. As a result, if a Mobile Access client for iOS / Android tries to connect on an internal interface, it receives a message that the network resources are already available.
00640044,
00878091,
00854256,
00914297,
01044925,
01049424,
01101643,
01133083,
00773042,
00932822,
00984114,
01145648,
00819377,
01067447,
01140796,
01159443,
00743251,
00845907,
00863156,
01164812,
00867403,
01113168,
00259582,
00881673,
01145658,
01152303,
00864819,
00829916,
00881761,
00829917,
01106507,
01122615,
01131184,
00845917
Memory leaks in 'vpn_queues' kernel table (in the output of 'fw tab -t vpn_queues -s' command, the value in #VALS column is increasing without new VPN tunnels being established).
01118184,
01174894,
01124402,
01124403
Importing of 3rd party certificate with 'Authority Key Identifier' CRL Extension fails with 'Unhandled critical extension 2.5.29.36' error in SmartDashboard.
01146577,
01150640,
01153832,
01158938,
01149287,
01149285,
01180944
RADIUS users are sometimes disconnected from remote access after a policy installation or after 2 hours, whichever came first.
01074192,
01133619
Slow Site-to-Site VPN is affected by Virtual Defragmentation.
The default value of kernel parameter 'sim_keep_DF_flag' was changed to 1 (one).
Refer to sk92465.
01150366,
01183404
VPN kernel debug repeatedly shows incorrect message:
vpnxl_device_active: ERROR: API table not loaded for device number 1.;
01108722,
01163520,
01163521,
01163522,
01179033
When connecting two L2TP Windows-based clients, located behind NAT, one of them is disconnected.
Mobile Access
01085121,
01085808,
01085809,
01176652
With access to the Outlook Web Access 2003 server through NTLM authentication, the 'Inbox' is not populated correctly if accessed from Internet Explorer through the Mobile Access Portal.
00919534,
00975377,
00922391,
01107377
Embedded native application links do not work correctly when connecting with SSL Network Extender on non-English Windows OS.
01076453,
01175084,
01118444,
01188788;
01152674,
01118443
With 'Location Awareness by Interface Definition' enabled on ClusterXL with more than two external interfaces, if the iOS client tries to connect using Mobile VPN application to the gateway through an interface different than the one used to create the VPN Site, the client fails to connect with "The sites resources are already available" error.
Refer to sk92851.
01090471,
01094133,
01100605,
01094086,
01094134
Mobile Access portal is occasionally unresponsive (Apache Bug 42829).
Refer to sk92847.
01113954,
01115835,
01115836
When a Remote Access client connects to the gateway, the Product field is not shown in raw logs.
00857668,
01173048,
00924368,
00914381,
01081395,
01144114
After the Android hotfix was installed (sk65314), enabling Anti-Virus blade causes issues with ActiveSync and access to Exchange Server for Check Point Mobile for Android devices.
00769690,
00771821,
00846644
The CPSB-SSLVPN-5000 license is not handled correctly on Security Gateway (during policy installation, Mobile Access blade is not disabled).
Refer to sk92503.
01139704,
01140640,
01140642,
01140641
If a web page has more than 1MB of untranslated characters, only part of the page shows when using Host Translation (HT).
01145098,
01147903,
01147948,
01148034,
01148539,
01154843,
01188776,
01203816,
01210646,
01218200,
01322681,
01344909,
01372031
When connecting from Client to Server using Mobile Access, there can be connectivity issues, if the source port is re-used during the connection's timeout limit (which by default is 1 hour).
Refer to sk102096.
01165970,
01166669,
01166671,
01166670
Cookie, created by script on the browser side, containing untranslated link is sent to internal server.
01161963,
01162752
Mobile Application for iOS (version 1.3.x) fails to connect if only ActiveSync application is allowed for the user.
01155740,
01155759,
01164313,
01155749
DoS on Citrix applications via Mobile Access Blade:
  • User connects to Citrix application and downloads the .ica file, however, the SOCKS connection does not begin.
  • When user signs out of the Mobile Access Portal, the Security Gateway releases the Citrix session and inserts an invalid value to the list of available IDs.
  • As a result:
    • Memory consumption increases on Security Gateway (because the ID queue has static size).
    • After a while, a user requests an ID, receives an invalid ID, and is not able to connect.
01153364,
01153846,
01153847,
01153848,
01153956
Mobile Access Portal main page is inaccessible (HTTP 403 error) in cluster when both Anti-Virus Blade and Trace IP are enabled.
SSL Network Extender
01109172,
01110840,
01110842,
01110841
If the IP addresses on local network overlap with encryption domain (IP addresses range of a native application), SSL Network Extender client seems to connect then disconnects with the error "SSL initialization failed".
01073103,
01098876,
01140728;
01060864,
01062946,
01062945,
01080263
SSL Network Extender client in Office Mode is assigned only the first 2 out of 3 configured DNS / WINS servers.
Refer to sk93884.
Multi-Portal
01104997,
01109975,
01109976,
01109977,
01174943
ICMP packets are dropped by Multi-Portal implied rule with 'Reason: Rulebase drop - rule 0;' log.
Security Management Server
01102638,
01118717,
01113361,
01172857,
01107512
When connecting with SmartDashboard to already synchronized Secondary Management Server, the status appears as "Lagging" instead of "Synchronized".
Refer to sk92331.
01146319,
01147351,
01147352,
01147350,
01158024
Administrator user created via 'cpconfig' on Security Management Server is not synchronized to the peer Security Management Server in Management HA deployment.
Refer to sk92736.
01106076,
01181173,
01106731,
01106730
SmartView Tracker 'Management' log was improved and now contains the status of the newly added rule:

Application: SmartDashboard
Subject: Object Manipulation
Operation: Modify Object
Type: Log
Object Type: firewall_policy
Performed On: Policy_Name
  • Changes: Rule N: added 'security_rule' - ; UID = {...}; Rule is disabled. ; ...
  • Changes: Rule N: added 'security_rule' - ; UID = {...}; Rule is enabled. ; ...
01101916,
01102870,
01102871,
01153302;
01089633,
01147132,
01094201,
01140696;
01165592,
01173795,
01176793,
01176794,
01176791
'fwm logexport' command fails with 'Error: Failed to read field FollowUp' after enabling Anti-Virus / Anti-Bot blades.
Refer to sk91620.
01085749,
01090991,
01090990,
01090988,
01152734
Skybox LEA Client cannot fetch all logs from Security Management Server / Log Server.
01155286,
01155688,
01155686,
01155687
When a certificate is created via the ICA tool, it is not saved.
01139654,
01154083,
01154082,
01154081
Management HA status is not changed after modifying VPN configuration files '$FWDIR/conf/vpn_route.conf' and '$FWDIR/conf/vpn_service_based_routing.conf'.
00983975,
00987027,
01176017,
01102388,
01175979
The $FWDIR/log/fwm.elg file is filled with unnecessary messages:
CCPMIStatusRequest::~CCPMIStatusRequest: Called destructor for an uninitialized object or already released
01140137,
01140521,
01140522,
01188671,
01190507,
01190599
Policy installation fails when Unnumbered VTI interfaces are configured in ClusterXL members, with these errors:
"/opt/CPsuite-RXX/fw1/conf/Policy_Name.pf", line N: ERROR: Duplicate keys <IP_Address_in_Hex> in table 'cluster_members_ids_by_ips'
"/opt/CPsuite-RXX/fw1/conf/Policy_Name.pf", line N: ERROR: Duplicate keys <IP_Address_in_Hex> in table 'cluster_members_ips_by_local_ip'
01089781,
01090951,
01180660,
01090953
'fwm verify' command returns:
You do not have a license to manage gateways from this Domain Management Server. Management of gateways that are not Virtual Systems requires a Security Management level license.
01139848,
01147896,
01147897,
01147898,
01172770,
01178697
"Administrator failed to log in: No SIC error message" error in SmartView Tracker for "Unknown" type Application log when working with Tufin Admin Login.
Refer to sk92749.
01182073,
01183046,
01183147,
01189688,
01182696,
01182694
After checking the box of 'Endpoint Policy Management' product in the Security Management Server object and performing 'Install Database' operation, the FWM daemon immediately starts consuming the CPU at 100% on Security Management Server.
Refer to sk93356.
01090393,
01116279,
01116278
SmartDashboard might hang when clicking on 'OK' in cluster Topology window with many interfaces defined.
01109343,
01110887,
01110888,
01168270
FWM daemon crashes, if LDAP user with DN longer than 503 characters is selected in SmartDashboard.
01134659,
01134688
FWM daemon crashes when creating a Database Revision.
01114172,
01118953,
01118951,
01118952
FWM daemon crashes in rare cases when initializing SIC with new Security Gateway.
Multi-Domain Security Management Server
01124023,
01176029,
01124310,
01129443,
01125794,
01125793
If you run 'mdsstart_customer Domain_Name' command from a directory other than '$FWDIR/conf/', then an empty 'CPMILinksMgr.db.private' file is created in that directory (where the command was issued).
01145108,
01181226,
01145254
SmartView Tracker 'Management' log shows false positive 'Administrator Login' failures (from MDS and from Domains):
Application: Unknown
Subject: Administrator Login
Operation: Log In
Status: Failure
Type: Log
General Information: Administrator failed to log in: No SIC error message
01107629,
01108173,
01108174
In the SmartDomain Manager: launch a Read-Only SmartDashboard connected to a Domain Management Server - go to 'IPS' tab - expand 'Protections' - expand 'By Protocol' - expand 'IPS Software Blade' - expand 'Web Intelligence' - right-click on 'General HTTP Worm Catcher' protection - select 'See Details...' - in the 'Worm Patterns Definitions' line, click on 'Edit...' button - click on any pattern - the 'View...' button is grayed out.
01136947,
01156861
When editing a new Domain object without entering the 'Version & Blade Updates' tab and clicking on 'OK', a message is displayed about activating the plugins on this Domain. User is not able to cancel the message and editing the object.
01168879,
01169017,
01169018,
01169016,
01198268
'mds_backup' fails on clean Multi-Domain Security Management Server when there are no Domains configured at all with the following errors:
mds_backup> Making backup file "mds_backup_logs.tgz" for the variable information of Multi-Domain Server.
/opt/CPmds-R75.40/system/shared/gtar: No match.
mds_backup> Deleting temporary Multi-Domain Server backup files
mds_backup> Backing-up the Multi-Domain Server failed.
mds_backup> Cannot proceed with backup of the Multi-Domain Server.
01103851,
01134242,
01136378
DCE-RPC *.def files are not updated in the Backward Compatibility directories on the existing Domain Management Servers during an upgrade from R75.40.
Refer to sk92362.
01159205,
01160435,
01160436,
01152879
'$MDSDIR/scripts/mds_backup' script fails with these errors:
mds_backup> Deleting temporary Multi-Domain Server backup files
mds_backup> Backing-up the Multi-Domain Server failed.
mds_backup> Cannot proceed with backup of the Multi-Domain Server.
Refer to sk92925.
01144404,
01175045,
01148091,
01148935,
01198396,
01146132,
01166807,
01195906,
01145893,
01175261,
01146133,
01156451,
01146134,
01145894
FWM daemon sometimes crashes after OPSEC sessions due to rare memory leak.
01047552,
01090883,
01048064,
01111956,
01048058
FWM daemon crashes on Domain Management Server after upgrade.
SmartDashboard
01133149,
01173289,
01133695,
01163385,
01133694,
01136114,
01133696,
01136039
SmartDashboard crashes when editing a Group Object or an Address Range Object that was just cloned.
Refer to sk92632.
01117384,
01120540,
01120541
On the IPS tab, when you right-click a signature and select 'Edit follow up comment', the comment is not saved.
01165542
When connected with a previous SmartDashboard to an upgraded Security Management Server, it is not possible to download the updated SmartConsole from this message:
Before you connect to [server version] you need to install SmartConsole version [server version].
01093127,
01132353,
01117435,
01131576,
01131575,
01131568
In the object of Gaia VRRP cluster - go to 'Topology' - click on 'Edit Topology...' button - 'Get Topology' button is not available under the members' names.
Note: The improved SmartDashboard requires a fix from sk93201 to be installed on VRRP cluster members. Refer to Resolved Issue 01153574.
01121919,
01129265,
01126986,
01121965
'Users and Administrators Accounts' pane is missing in 'Global Properties', if User Authority license (CPUA-UAG) is not installed on Security Management Server.
01090475,
01195878,
01186678,
01097287,
01097286,
01195877
'Anti-Bot & Anti-Virus' column disappears from 'Install Policy' dialog window when SmartWorkflow is enabled.
Refer to sk91161.
00943814 When downloading the 'R75.45 SmartConsole' package from R75.45 Security Management Server via SecurePlatform WebUI / Gaia Portal, the SmartConsole package that is downloaded is actually 'R75.40 SmartConsole'.
Refer to sk91582.
01140161,
01140169,
01164950
SmartDashboard sometimes crashes when creating a new LDAP Group in the LDAP tree.
01143684,
00636156
If static routes are changed, a new group is incorrectly created for Anti-Spoofing (behind a specific interface) after getting interfaces with topology. Resolution correctly changes the static routes of the group.
01066037,
01065620,
01066036
It is possible to set "Timeout for SYN attack Identification" to 1-3 seconds although the actual minimum value is 4 seconds.
SmartView Monitor
01099996,
01100674,
01100673,
01187498
Colors on the line graph do not match the colors in the list at the bottom.
00926085,
01139387,
01149063
Loading of any 'History' view (e.g., Traffic - Common Services History) fails with 'The parameter is incorrect' error.
01173534,
01174128,
01187483,
01175643,
01174129
'FireWall' or 'FireWall History' reports saved as CSV or as Text either contain incorrect data, or an error 'Encountered an improper argument' appears.
Refer to sk93045.
SmartEvent
01139635,
01144955,
01186353,
01144954
The 'cpstat cpsead' command does not display more than 100 jobs.
01137445,
01166198,
01166199,
01166200
SmartEvent is not able to process new events once it has reached the maximum capacity (limit of the database size).
01131360,
01131362,
01133707,
01134338,
01138336,
01138342,
01138349,
01381518,
01408044
After performing an 'Install Database' operation from a Security Management Server that has a lower version (e.g., R75.40) than the SmartEvent server (e.g., R75.45/R75.46/R76), login to the SmartEvent GUI client fails with "Unable to get idle-time workstation locking policy" error.
Refer to sk111293 (Scenario 3).
01107332 In SmartEvent - Events - Predefined - Application & URL Filtering - UserCheck - query does not show any events.
01113957,
01119873,
01115144,
01115143
CPSEMD daemon is constantly crashing.
SmartReporter
01036872,
01073870,
01086415,
01073869
'Active' Security Management Server is not always visible on 'Input' tab of SmartReporter reports after failover in Management HA setup.
Note: This fix is integrated into the new SmartConsole.
01092002,
01118709,
01103212,
01103211,
01186301
SmartReporter 'Firewall Blade - Activity' reports show wrong 'Traffic Size' information when the results are sorted by 'Bytes'.
Refer to sk92485.
01131970,
01133051,
01133052,
01133050,
01155392
SmartReporter continues to delete database records until the disk is 15% full. It should delete records until the disk is 80% full.
01067315,
01102964,
01102965,
01151039,
01110549;
01070232,
01172399
The database size could not be increased beyond 200GB.
Refer to sk92221.
01126408,
01127605,
01127607,
01127606
Log Consolidator restarts continuously after consolidation session is created.
Refer to sk92633.
01108807,
01122937,
01109334,
01186304,
01109335
Users with long names (more than 100 characters) do not appear in the Report for Mobile Access logins.
01092958,
01093460,
01093461,
01093462
'Outgoing' traffic is shown as 'Other' in the '...by Direction' section of the Cross Blade Network Activity report.
Refer to sk90620.
01097627,
01103072,
01147702,
01103073
The 'evs_backup' collects many unnecessary files, which causes corruption on a new machine when it is restored from this backup file.
01162270,
01166093,
01187413,
01164514,
01166799,
01164515,
01164516
SmartReporter is not able to generate a report in PDF format.
01161276,
01161948,
01239460,
01161946,
01244974,
01161949,
01244126;
01168703,
01171253,
01251118,
01171252,
01171251
The following errors appear repeatedly for SmartReporter/SmartEvent in Windows Event Viewer - Application log:

  • Source: PostgreSQL
    Event ID: 0
    ERROR: schema "mysql" does not exist
    STATEMENT: delete from mysql.user where host='build' or user = 'PUBLIC'

  • Source: PostgreSQL
    Event ID: 0
    ERROR: column "sam_int_domain_name" does not exist at character X
    STATEMENT: SELECT SAM_INT_DOMAIN_NAME FROM INT_DOMAIN

  • Source: PostgreSQL
    Event ID: 0
    ERROR: relation "con0X_connections" already exists
    STATEMENT: CREATE TABLE CON0X_CONNECTIONS(...)
Refer to sk92862.
SmartLog
00983931,
01144502,
01132753,
01112908,
01137739,
01003965,
01004208
SmartLog indexes consume a high amount of disk space.
Refer to sk88840.
01144961,
01145801,
01145799,
01145800
The symbolic links for the $SMARTLOGDIR/data/ directory and the $SMARTLOGDIR/log/ directory in the context of Domain Management Server are not always created when upgrading a Multi-Domain Security Management Server.
01134295,
01139597,
01138530,
01138718
SmartLog server does not function correctly when different gateways perform a simultaneous log switch.
01103093,
01151852,
01159162,
01152702
The smartlog_server process crashes if a log does not have an action.
SmartProvisioning
01136716,
01137539,
01137537,
01137538
When using the "Push dynamic objects" option in SmartProvisioning GUI, the Security Gateway becomes unresponsive for new connections/traffic.
01117423,
01118213,
01118214,
01320963,
01350176,
01350524
Dynamic Object LocalMachine_All_Interfaces on ROBO gateway does not include all the interfaces that were configured in SmartProvisioning GUI.
Refer to sk98418.
01095224,
01096963,
01096961,
01096962
Memory leaks in the CPD daemon when using SmartProvisioning.
01171847,
01173514,
01173512,
01173513
If $FWDIR/conf/robo-IKE.NDB file on Security Gateway contains duplicate keys (due to some leftovers of old deleted ROBO/Edge devices), validation results in drop of VPN traffic.

LSMrouter will now validate that there are no duplicate keys for the 'Robo_ranges' hash table (key is a range <lo_ip,hi_ip>). If there are duplicate keys, update CO will now fail:
  • SmartProvisioning will show 'Fail Execution'.

  • Running LSMrouter command will show:
    [Expert@GW_HostName]# LSMrouter
    duplicate keys, ip range is not unique: lo_ip: X.X.X.X, hi_ip: X.X.X.X
    Memory allocation failure!

SecurePlatform OS and Gaia OS
00903104,
01093937,
00914086,
00903383,
01139997
TCP Segmentation Offload (TSO) on 10GB interfaces is re-enabled after reboot.
Refer to sk90062.
01110134,
01111100,
01111099,
01204815,
01452594
VTI interface does not work on machine with CPU that does not support PAE.
Refer to sk92320.
00776966,
01123650,
01130952,
01139522,
00824938
The IPv6 default route could take precedence over a more specific route (after reboot and when an interface fails and comes back online).
Refer to sk73201.
01154583,
01155307,
01155310,
01155308
'snmpwalk' command returns wrong value for fwHmem-current-allocated-bytes (OID .1.3.6.1.4.1.2620.1.1.26.1.6) on 64-bit system.
01145042,
01145111,
01145113,
01145112
'snmpbulkget' command returns duplicate OIDs.
SecurePlatform OS
01122219,
01124984,
01123458,
01124603,
01145593,
01123457
When you create a Bond interface of two 10Gb interfaces and then check the /proc/net/bonding/bond0 file, there are no slave interfaces.
00367067,
00374440,
00374442,
00509948,
00535607,
00613800,
00836960,
01045080,
01084320,
01181942
RADIUS authentication fails for SecurePlatform users included in groups other than 'Any'.
Refer to sk58460.
01096602,
01099569,
01099568
The 'backup -p' command does not delete local backup files from /var/log/CPbackup/backups/ directory on UTM-1 / Power-1 / Smart-1 appliances.
Refer to sk90404.
01103111;
01102526
Added support for built-in DVD ROM on Dell PowerEdge R620 server.
00635474,
01068695,
00858953,
00669272,
01124785,
01153745,
00750798,
01091468,
00906598,
00669271,
00906589
It is not possible to create VLANs on Check Point IAS D-series in 'sysconfig' with naming pattern sXpX.
Refer to sk89183.
00515724,
01135952,
00648960,
01149836,
01149834,
01149839
Backup/Restore function in SecurePlatform WebUI works only for files up to 2GB in size.
Refer to sk61230.
01158222,
01158268,
01158269,
01158270
Creating Bond interface on 1 Gbps Fiber slave interfaces fails in SecurePlatform 'sysconfig' with 'Failed to enslave interface ethX to bondN' error.
01090189,
01168663
It is not possible to download the SmartConsole from SecurePlatform WebUI ('Product Configuration' pane - 'Download SmartConsole') if MultiPortal or Mobile Access Blade is enabled - either there is no response from WebUI, or the user is presented with 'Access Denied. The destination of your request has not been configured, or you do not have authorization to access it. (403)' error.
01097057,
01186336,
01102859,
01102860,
01102861
The following errors are displayed when starting the CPSNMPD daemon manually:
[Expert@HostName]# $CPDIR/bin/cpsnmpd -p 260
snmpd: Opening port(s):
Port 260 binded successfully
CPSNMPD: server running
#Init function of library "/opt/CPshrd-R7X/lib/libpersistentAgent.so"failed
#Init function of library "/opt/CPshrd-R7X/lib/libstatisticaloid.so" failed
#Init function of library "/opt/CPshrd-R7X/lib/libthresholdagent.so" failed
#HaAgentLoadVersions: Could not get SVN version string from registry
Gaia OS
01131536,
01132024,
01132025,
01132026,
01217927
Gaia Database is locked after running 'mds_backup -g -b -L best -d /var/tmp' command.
Refer to sk95388.
01094324,
01095703,
01095702
Backup using FTP ignores the '-path' argument and puts the file in the home directory of the FTP server regardless of the specified path.
01116132,
01119527,
01119526
Fans show as up (status 0) in the output of 'show sysenv fansl' command despite being down and having 0 RPM.
01076441,
01077261,
01139523,
01077265
Gaia Portal host access configuration settings are lost after reboot.
01103609,
01159207,
01103676,
01130954,
01139525
TCP Segmentation Offload (TSO) is re-enabled on some Fiber 10GB interfaces after changing MTU or RX/TX ring size.
01084691,
01095468,
01146818,
01146429
Gaia Portal does not work correctly if many VLAN interfaces are defined: it takes a long time to connect, and once connected it keeps disconnecting because the confd daemon consumes CPU at 100%.
01084518,
01118871,
01091063,
01091064
'CLINFR0412 Inconsistent ValFlag & MultiValue for XXX node registered at- COMMAND' errors appear repeatedly in /var/log/messages file during boot.
Refer to sk111632.
00900638,
00265491,
00263550,
00263627,
00263748,
00263893,
00265490
Added support for SNMP Trap 'vrrpTrapNewMaster' for VRRP fail-over.
Refer to sk82060.
01159918,
01188644,
01161747,
01186027,
01161745,
01161748,
01186286
Deleted routes still appear on Gaia OS.
Refer to sk93627.
01165593,
01195069,
01165760,
01165762
Proxy ARP in Gaia VRRP cluster does not function properly.
When many interfaces are configured in the VRRP (~50), the /proc/net/varp file becomes corrupted and sometimes causes the machine to crash.
Refer to sk93534.
01104528,
01106641,
01106643
Some of the Dynamic Routing features fail after upgrading from IPSO IP Clustering to Gaia OS.
Refer to sk92140.
01142296,
01142344,
01142343,
01142342
Backup files created on Gaia OS running on Check Point appliances are stored in /var/ instead of /var/log/.
01077665,
01139714
SMTP inspection in Bridge mode does not work on Gaia OS (e-mails are dropped), if the Bridge interface is not assigned an IP address.
01140860,
01158726,
01145052,
01145095,
01145053,
01145054
'show configuration' command in Clish causes 'Segmentation fault' crash on Gaia OS.
Refer to sk90142.
00262415,
01165686
Saving the configuration on Gaia OS times out with 'NMSCFD0026 Timeout waiting for response from database server' error if there are multiple interfaces configured.
Refer to sk113746 - Scenario 1. 
01149077,
01150323,
01150322,
01150321
All default routes are deleted when running multiple PPPoE tunnels and one PPPoE tunnel is disconnected.
Refer to sk92948.
01149080,
01150324,
01150325,
01150327
Multiple PPPoE tunnels with the same peer address cause RouteD daemon to exit with the following message in /var/log/messages file:
routed[PID]: if_get_address: duplicate address detected: X.X.X.X/Y
Refer to sk92948.
00955029,
00958406,
01089880,
01166749,
00975277
IPMI drivers fail to initialize on Gaia OS.
01152200,
01157178,
01157179,
01157177
In Gaia Portal - User Management - Password Policy section, if you make a change to one of the fields, and in another field you make a change and revert it (while keeping the first field unchanged), the 'Apply' button becomes disabled (as if no changes were made on this page).
01166621, 01166827, 01166828, 01166830, 01201540, 01215011, 01296931, 01412791
SNMPv3 with USM 'authentication' configuration does not survive reboot on Gaia OS.
Refer to sk92937.
01152669,
01152709,
01152710,
01152708
Restoring from a Backup file larger than 2GB, created on the same machine, fails.
01172655,
01173457,
01173458,
01173077
When VTI (vpnt) interfaces are configured on machine, the 'save configuration filename' command does not handle the vpnt interfaces properly (instead of saving the commands 'add vpn tunnel Tunnel_ID type', it saves the commands 'set interface vpntN').
01097811,
01097879,
01097869,
01097881
Adding IPv6 routes in Gaia Portal when working in the Internet Explorer browser fails with the error 'Destination 0 :: is the Default route. Please edit the existing entry.'
01097811,
01097879,
01097869,
01097881
IPv6 Neighbor Discovery does not work on VLAN interfaces configured with IPv6 address.
Refer to sk92630.
01077572,
01079040,
01079043,
00263904
RouteD daemon consumes CPU at 100% when VRRP and BOOTP/DHCP Relay are configured.
Advanced Dynamic Routing
01098011,
01099307,
01099309,
01139527
After adding OSPF 'Normal Area' in Gaia Portal, the output of 'show configuration ospf' command shows some 'stub' and 'nssa' attributes.
01138574,
01139369,
01139366,
01139359,
01139368
When the redistribution metric of an OSPF route for an overlapping subnet is changed, an extra Self-Originated LSA is added to the OSPF database.
01105417,
01143706,
01110903,
01110905
Some RouteD multicast trace messages are printed incorrectly.
01127744,
01145074,
01145075,
01164816,
01226501,
01306630,
01345855
RouteD daemon on StandAlone machine tries to send the OSPF MD5 Crypto sequence number (can be seen only in OSPF traces).
01127421,
00264040,
01127712,
01127713,
01140538,
01139521,
01127716
RouteD daemon comes up and Dynamic Routing neighborship is established with peers only after running the 'cphastop' command on ClusterXL members.
Refer to sk93593.
01105356,
01110718,
00264072,
01188642,
01123319,
01140537,
01110717
RouteD daemon on Standby cluster member fails to synchronize with Active cluster member.
The 'routed[PID]: recv(data) errno = 11' error appears in /var/log/messages file.
01150118,
01152912,
01153043;
01150114,
01157413
While RouteD daemon runs, during 'cpstop' the Check Point kernel modules ($FWDIR/boot/modules/fw*mod*.o) are not unloaded because /dev/fw* devices are still used by RouteD daemon. This prevents the implementation of sk35496 (How to detect a kernel memory leak on Security Gateway with SecurePlatform OS / Gaia OS).
01155071,
01159029,
01159028,
01159027,
0118864
RouteD daemon on Gaia OS does not recognize new PPPoE tunnels.
Static routes and PBR routes going through a PPPoE tunnel interface are missing.
Refer to sk92947.
01074110,
01074450,
01074448
ClusterXL does not advertise BGP routes to Cisco router when configuring Cisco Loopback interface as neighbor IP address.
Refer to sk89580.
01106885,
01109310,
01139526
After a ClusterXL failover, GateD daemon publishes OSPF routes to BGP with the physical IP address of cluster member, instead of the cluster Virtual IP address.
IP Series Appliances
01125131,
01172520,
01182152,
01125957,
01125958,
01174736,
01170840
Incorrect values are returned over SNMP when monitoring Hardware Sensors on IP Appliance IP2450 and IP Appliance IP690 after upgrading from IPSO OS to Gaia OS.
Refer to sk92780.
01125039,
01182154,
01192524,
01192520,
01125486,
01125485
SNMP Monitoring of Hardware Sensors does not work on Gaia OS running on IP appliances.
01116178,
00263461,
00263371,
01143359,
01163820
Kernel core dump 'vmcore' files are not generated on 32-bit Gaia OS running on an IP Series appliance.
Note: For 64-bit Gaia OS, ask your Check Point partner or Check Point Support Engineer for Hotfix 00263371.
