ID |
Symptoms |
General and Installation |
01216887, 01207493 |
Memory leak in CPD process. |
01285128, 01286168, 01286167, 01286169 |
Online updates' service memory leak in CPD process. |
01287611, 01295861 |
In R77.10, free disk space is verified before installation. To disable this feature, add the registry key by running: cpprod_util CPPROD_SetReserved FW1 SmartUpdate DenyInstallSpaceCheck 1 1 1
To re-enable, run: cpprod_util CPPROD_SetReserved FW1 SmartUpdate DenyInstallSpaceCheck 1 0 1 |
Firewall |
01050800, 01050338 |
When logging unprintable characters to $FWDIR/log/ike.elg file, it becomes corrupted and displayed incorrectly in IKEview. |
01155626, 01156133, 01156132 |
"Unable to open '/dev/fw6vX': No such file or directory" error appears repeatedly in the $FWDIR/log/fwd.elg file on Security Gateway. |
01313988, 01319105 |
Security Gateway may stop accepting new IPv4 connections when working with Dynamic Objects or with IPS protection 'Malicious IPs'. |
01165989 |
"Error compiling IPv6 flavor. Compilation failed." message when adding MGCP type service to rules. |
01171295, 01171590, 01171591 |
The cpstat fw command does not list all interfaces in Gaia. |
01255716, 01303556, 01303389 |
Policy verification fails when using H323 service in NAT rules for Edge. |
01184432, 01189565, 01189566, 01189567, 01189568, 01270217 |
The rad process crashes with "Program terminated with signal 11, Segmentation fault." error while browsing the Internet. |
01198865, 01158419 |
Legitimate CIFS traffic is dropped with error "cifs_tunnel_execute: Error, context include an invalid FID." |
01196093, 01189544, 01196091, 01196092, 01196093 |
Bypass of FTPS connection through the FTP Security Server is not supported. |
01218208 |
Cannot open a second 3rd party connection from the same source port with CPAS to the Security Gateway, until 20 seconds after the first connection closes. |
01207030 |
Kernel parameter fw_rules_uid_max_dic_entries is not saved after policy install. |
01106719, 01143842, 01170327, 01171061, 01174244, 01383474, 01405518 |
Additional information will be printed when 'stack overflow, pc=0x... stack=0x... thst=0x... sp=0x... jumpadd=0x0' message appears in /var/log/messages file. Refer to sk99329. |
01247081, 01246671 |
DCERPC high port connection is not getting opened, and gets dropped on the Cleanup rule. |
01293744, 01295159, 01295160, 01295161, 01296143 |
FWD daemon crashes with core dump files. Valgrind output for FWD daemon shows:
- Invalid free() / delete
- Mismatched free() / delete
|
01287507, 00466023 |
If a log has a timestamp with the year in the middle (for example: Dec 17 2013 14:31:48), syslog cannot read it. |
00526774, 00648365, 01234565, 00527549, 01233978, 01234562, 01234564, 01234566, 01364730 |
Security Gateway can be configured to accept FTP connections on ports other than 21. Refer to sk43597. |
01220629, 00557386, 00556274, 00557675 |
The snmpwalk command fails with error: "No Such Object available on this agent at this OID." |
01203474, 01226037 |
The ftp dir command does not show directory listing when using User Authentication with FTP Resource. |
01254692, 01254747, 01254749, 01254750 |
Memory leak in kbuf when using HTTP. |
01219345 |
Rate limiting rules now support the 'destination' keyword to specify a set of server addresses the rule applies to. The syntax for the 'destination' keyword value follows the syntax of the 'source' keyword. In addition:
- The value 'any' can now be used for the 'source' and 'destination' keywords.
- The keyword 'destination-negated' was added and follows the same syntax as the 'source-negated' keyword.
For more on keyword syntax, see the "R77 Security Gateway Technical Administration Guide" under the "Rate limiting for DoS mitigation" section. |
01193722, 01192828 |
On the bond interface one of the NICs is shown as N/A. |
01293757, 00217945 |
Access Control Lists generated for Open Security Extension devices omit the service. |
00546615, 00547716, 00621131, 00820879, 00866106, 01072886, 01104079, 01110099, 01130141, 01178088, 01224785, 01227163, 01227392, 01235828, 01278302, 01287589, 01380403, 01381003, 01393834 |
DHCP Discover packets are dropped by Satellite Gateway in Star community after VPN is established. |
01306004, 01306263, 01306264, 01306265 |
Users are not able to connect with any client (Endpoint, SSL Network Extender) to Multi-Portal after upgrade of Security Gateway to R77 that is connected over PPPoE. |
01226616, 01224828, 01226617, 01226618 |
Smart Connection Reuse (sk24960) is not working properly on FTP Data connections. |
01375562, 01375562, 01376256 |
Executing 'fw sam' command (e.g., fw sam -f localhost -t 60 -J src 1.1.1.1) refreshes timeouts of all entries in the Connections Table. As a result, connections are not expired in time, which can lead to exhaustion of the Connections Table. Refer to sk99066. |
01264866, 01298649, 01302539, 01313949, 01316687, 01399331, 01482998, 01487264; 01284461, 01316702, 01317454, 01483000
|
FWD process on Security Gateway might crash during heavy traffic load when traffic is logged with packet capture. Refer to sk98326. |
01147066, 01147319, 01147320, 01147321, 01166815, 01199267, 01287367, 01322299, 01473258, 01474609 |
Output of 'fw ctl pstat' command shows negative values. Refer to sk93810.
|
Gaia / SecurePlatform |
01098566, 01099576, 01099577 |
Cannot delete the backup files shown in the Gaia Portal. |
01273099, 01365481, 01273589, 01273591, 01273592, 01286380 |
Gaia OS scheduled backup to SCP server fails with "set_binding: Failed to set one binding" error. Refer to sk96267. |
01214699, 01354397, 01380928, 01420122, 01420167, 01457281; 01264645, 01354405, 01380936, 01400962, 01420125, 01457282 |
Backup on a Gaia machine / VSX machine with large number of Virtual Systems (more than several dozens) might fail with the following error despite the fact that there is enough free disk space:
- On Check Point appliances: "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups."
- On Open Server:
"Cannot complete the backup process: not enough space in /var/CPbackup/backups."
Refer to sk98609. |
01135972, 01136629 |
RouteD adds routes to the kernel with proto 'gated' instead of proto 'cprd'. |
01302831, 01303089, 01303090, 01303091, 01358993, 01406147, 01408726 |
SNMP Trap for a monitored process (e.g., FWD) generates SNMP Trap Alert although this process is not down (Red Hat Bug 630905). Refer to sk98702. |
01147025 |
The sshd configuration option MaxAuthTries from openssh 3.9p1 does not exist on SecurePlatform OS. |
01165731, 01166059, 01166061, 01221835, 01221871; 01254663, 01257049, 01257050, 01257051 |
The following errors appear repeatedly in /var/log/messages file:
monitord[PID]: AddDataSQL: insertion failed, sensor name=[ ], timestamp=[YYYY-MM-DD HH:MM:SS]
monitord[PID]: SQL error: columns time_stamp, sensor_name are not unique rc=19
|
01176854, 01182440 |
User that is authenticated on RADIUS (rba role 'radius-group-any'), is able to connect to R75.40VS in VSX mode over SSH, but is not able to switch from context of VS0 to other contexts (error: 'NMINST0069 cannot access to the virtual-system'). |
00264327, 00264364, 01183780, 01195653 |
VRRP cluster member freezes when removing a VLAN from a VRID configuration and error 'kernel: unregister_netdevice: waiting for VLAN_NAME to become free. Usage count = 1' appears repeatedly on console and in /var/log/messages. |
01101972, 01107459, 01107460, 01107996, 01113956, 01231354, 01266512; 01198918, 01199148; 00542743, 00544523, 00548136, 00590953, 00613593, 00621363, 00623743, 00637802, 00752876, 00760340, 00817088, 00858461, 00906468, 00906585, 00974863, 01081516, 01155812, 01164847, 01171945, 01212814, 01223187; 01200927, 01201131, 01201132, 01201133, 01294356, 01470743; 01212561, 01212982, 01212983, 01212984
|
Backup in SecurePlatform WebUI / Gaia Portal via FTP fails with 'User name contains illegal characters' error. Refer to sk104104.
|
01206926, 01195748, 01196205, 01196204, 01195748 |
Unable to load GaiaTrapMIB.mib file and the chkpnt-trap.mib file at the same time in HP OpenView. |
01214827 |
The raid_diagnostic utility does not support the HP SmartArray P420i RAID Controller. |
01200679, 00266399, 01200951, 01200952, 01200953, 01256984, 01321801
|
/var/log/messages file on VRRP cluster member running on Gaia OS and configured with OSPF repeatedly shows:
routed[PID]: cpcl_should_send() returns -3
Refer to sk106129. |
01240537, 01239455, 01240535, 01240536 |
In Gaia Portal "Software Updates Notifications", when adding an e-mail with domain starting with a digit (for example, 4sight.com) it gives an error. |
01186074, 01207477, 01186330, 01186331 |
Bash shows incorrect values. Editing the /etc/bashrc file and adding the \u option according to sk60862 does not work and gives: [Expert@I have no name!]#. |
01224488, 00466139 |
OSPF packets sent by GateD (SecurePlatform Advanced Routing Daemon) start using the interface IP instead of the VIP as the source address. This leads to problems establishing the OSPF session. |
01193893, 01193740 |
It is not possible to send SNMP Response / SNMP Trap from specific IP address. |
01197861, 01199338, 01199339, 01206915, 01286418 |
Gaia 'emergendisk' command fails with error "integer expression expected". Refer to sk93930. |
00439913, 00550476, 00738400, 01229599, 01229601 |
Interface names longer than 11 characters are truncated in output of ifconfig command. |
01194781, 01194281, 01194780, 01194779, 01194781 |
Discrepancy in RX drops on Gaia OS between output of Clish 'show interface' command and output of Expert 'ifconfig -a' command. |
01293934, 01192799 |
Emulex 10GB NIC is not recognized during Gaia installation. |
01287704, 01287332 |
If PIM traces are enabled on Gaia in a Multicast environment, the routed.log sometimes shows an incorrect order of received and sent PIM packets. |
01255588, 01255760, 01255761, 01255762 |
Gaia Portal becomes inaccessible after configuring ACS TACACS+ Authentication. |
01294490, 01147025 |
Enhancement: Added support for MaxAuthTries configuration to OpenSSH on SecurePlatform. |
01215933, 00431330 |
SecurePlatform sends SNMP Traps with the 'public' community name, although a different community was configured in /etc/snmp/snmpd.conf. This fix also adds support to send traps to a list of configured sink servers. |
01298732, 00772430, 00772508, 00772510, 00772512 |
Many "kernel: ACPI: Unable to turn cooling device [bf6d8950] 'on'" messages appear in the /var/log/messages file when the ACPI thermal limit is reached. |
01268440, 01259785, 01262879, 01266337, 01266339 |
When running show configuration syslog command, Gaia Clish starts to crash with core dump file. |
01247678, 01248259, 01248260, 01248261 |
Gaia IP appliance crash related to ixgbe portwell driver. |
01240686, 01239963 |
Smart-1 25 WebUI shows VCC +12v Voltage as LOW due to difference in voltage values in /etc/appliance_config.xml and /etc/sysconfig/sensors/sensors_data.C files. Refer to sk98390.
|
01248060, 01251111, 01251112, 01251113, 01254623, 01258145, 01265159, 01267866, 01290650, 01292984 |
Segmentation Fault crash in Gaia Clish when running the show configuration command if the total list of features for all RBA users has more than 1024 characters. |
01294525, 00447858 |
When taking interface down and using SecurePlatform WebUI (even for viewing interfaces), routes towards the disabled interface will be removed from /etc/sysconfig/netconf.C file. |
01338493 |
If you change two parameters in Gaia Portal -> Password Policy section, and then revert only one of these parameters, the 'Apply' button is disabled - you cannot apply the first update. |
00367067, 00374440, 00374442, 00509948, 00535607, 00613800, 00836960, 01045080, 01084320, 01181942 |
RADIUS authentication fails for SecurePlatform users included in groups other than 'Any'. Refer to sk58460. |
00537938, 00554960, 00570381, 00572772, 00621657, 00641882, 00655899, 00656046, 00660977, 00765615, 00781490, 00789123, 00822285, 00822515, 00878166, 01132254, 01157409, 01158050, 01294146, 01294148, 01303403, 01502356 |
Backup to FTP server in SecurePlatform WebUI is always reported as successful, even when it fails. Refer to sk44344. |
Dynamic Routing |
00263833, 00263834, 00264854, 00265437, 00266413, 01151410, 01238180, 01258619, 01345862 |
Cluster on Gaia OS occasionally stops forwarding multicast traffic. Refer to sk97428. |
01177640 |
GateD daemon on SecurePlatform OS takes 100% CPU when reading manually-added ECMP routes from the kernel routing table. |
01224233 |
In Cluster on Gaia OS, if the synchronized connection between the Standby routing daemon and the Active routing daemon fails, it is not restarted by the Standby routing daemon. |
01220408, 01223123, 01223124, 01223125, 01230668, 01287193, 01306637, 01345860 |
RouteD daemon restarts when enabling PIM traces in an environment with a large number of multicast groups/multicast senders. Refer to sk94848. |
01254724, 01254920 |
Cannot use special characters, such as exclamation mark (!) when configuring MD5 authentication for BGP. The password is rejected as invalid. |
Security Management Server |
01153045, 01157984, 01157985, 01453064
|
Policy installation fails with "Database conversion failed" when using an empty group in a NAT rule. Refer to sk93645.
|
01230727, 01230920, 01230933, 01230943, 01230991, 01230996, 01234464, 01240615, 01247733, 01256843, 01259570, 01374830 |
Security Gateways prior to R76 drop UDP traffic on non-standard ports after upgrading Security Management Server to R77. Refer to sk95056.
|
00940190, 00944338, 01173868, 01177410, 01213497, 01213498 |
SmartDashboard closes during "Loading objects" without core dump file after using cp_merge utility on Security Management Server / Multi-Domain Security Management Server.
|
00745405, 00745470, 01232904 |
Topology fetch incomplete (interface with topology) on UTM-1 when using the default interface name: "Internal". |
01155774 |
Duplicate object 'fwEvent' in Check Point MIB file on R75.40VS and R76. |
01157584, 01157815, 01188673, 01157816 |
Policy verification fails for R76 Security Gateways when Connectra R66 object exists in database, with the error '"/opt/CPsuite-R76/fw1/conf/<Policy_Name>.pf", line N: ERROR: cannot find <XXXp_pXXXp_pXXX> anywhere', where "XXXp_pXXXp_pXXX" is an object that contains dots (.) in its name. |
01167160, 01168072, 01168073, 01168074, 01248817 |
OPSec LEA Client displays duplicate log entries from the Management Audit Log ($FWDIR/log/fw.adtlog) when the FireWall Log ($FWDIR/log/fw.log) is switched (e.g., scheduled event that is configured in Security Management object). |
01178752, 01207490, 01179224, 01214580, 01179223, 01295064, 01219366 |
fwm logexport operation is slow on Security Management Server. |
01253574, 01253574, 01367562 |
SmartDashboard crashes when adding very large number of interfaces in Security Gateway / Cluster object (more than 180). Refer to sk98703. |
01245535, 01245826, 01245827, 01245828, 01295067, 01429594
|
In some scenarios, when cluster contains more than 32 interfaces, policy compilation might fail with the following error in SmartDashboard:
".../conf/<Policy_Name>.pf", line N: ERROR: Duplicate keys <IP_Address_in_Hex> in table 'cluster_members_ips_by_local_ip'
Refer to sk95375. |
SecureXL |
01115708, 00263356, 00263358 |
When SecureXL is enabled, errors are displayed and then gateway reboots.
Errors:
- SIM: sim_db_get_conn: Error !!! connection <...> already freed
- drv_write_lock: already locked. name = CI, current = simtcp_validate_tcp, previous = NONE, level=0
Refer to sk108550. |
00264635, 01177389, 00264582, 01206412, 00264595 |
VPN traffic outage after policy installation when SecureXL is enabled on the Security Gateway, although no obvious problems are observed with the traffic. Packets are still sent to the network with correct Source IP address and Destination IP address, but do not arrive at their destination. |
01209606, 01235938, 01237012, 01237014, 01260746, 01408865 |
Memory leak in SecureXL when using VPN. Refer to sk95135. |
00264951 |
SAM card locks cause Firewall instability. |
01246356, 00351514 |
RTSP traffic is dropped when SecureXL is enabled. |
01277855 |
If SecureXL starts after packets finish an outbound chain, SecureXL drops the packets. |
ClusterXL |
01208645, 01208853, 01208854 |
IGMP packets generated by cluster members running on Gaia OS are dropped by the cleanup rule.
|
01244908 |
In ClusterXL, where VLANs are used as Cluster interfaces, the cpstat ha -f all command does not show the VLAN ID. |
01266853, 00265253, 00265441, 01267048, 01267049, 01267050, 01345875, 01350560 |
RouteD daemon constantly restarts when enabling PIM traces. Refer to sk96070. |
01292728, 01292728, 01347636, 01343549 |
When disconnecting/shutting down the Sync interface on the Pivot member of ClusterXL in Load Sharing Unicast mode, the state of the non-Pivot member changes from 'Active' to 'Ready'. Refer to sk98281. |
VSX |
01067586 |
If conversion fails, SecureXL and VPN sometimes do not reload properly. If this happens, you must reboot the Security Gateway. |
01087052 |
Cluster private network IP addresses are not supported as VSX virtual IP addresses. |
01178395 |
Memory consumption by CPD daemon increases on Management Server when managing VSX Gateways. |
01140022, 01168878, 01140793, 01225518, 01140791, 01183774, 01140792 |
Failover occurs randomly in VSX cluster because Critical Device 'VSX' reports its status as 'problem'. |
01204727, 01204870, 01204871, 01206898, 01219132, 01235255, 01235256, 01261144, 01340541, 01407767, 01418834, 01460160 |
Memory consumption increases on VSX Gateway while querying SNMP VSX branch OID .1.3.6.1.4.1.2620.1.16 Refer to sk94124. |
01321203, 01336047, 01363344, 01367632, 01370008, 01379969, 01436495, 01465441
|
During reboot of Active member in VSX cluster (applies to both HA and VSLS), the state of Standby member is "HA not started" instead of "Active". Refer to sk98021. |
Application Control and URL Filtering |
01089602 |
To identify HTTPS traffic using Custom Application/Site, "HTTPS Inspection" must be enabled.
If it is disabled, and only "Categorized HTTPS Sites" is enabled, the Custom Application/Site will not be matched. URLs will be categorized by the CN/DN in the site certificate, and not by the user definition in Custom Application/Site.
|
01107522, 01108361, 01108362 |
After enabling Application Control and URL Filtering Blades on an IPSO cluster, logging stops after every 4-6 policy installations. |
01254114, 01259439, 01259441, 01259442 |
The values of RAD debugging environment variables CP_RAD_ELG_FILE_NUM (controls the number of rotated debug output files) and CP_RAD_ELG_FILE_SIZE (controls the size of each debug output file) are not applied - RAD debug (rad_admin rad debug on all) runs with default values of 10 output debug files with maximal size 20 MB for each file. |
SmartDashboard |
01122870, 01127319, 01127320, 01127338 |
When Windows is set to 125% (in Control Panel -> Display -> Medium (125%)), checkboxes of gateway machines disappear from the policy installation dialog. When attempting to install policy you may receive the error pop-up "No Machines Eligible for Installation". |
01158320 |
SmartDashboard crashes when creating a new VPN community. |
SmartView Monitor |
01145833, 01147126, 01147127, 01147128, 01204426, 01248744 |
SmartView Monitor functionality to record data and play recorded data back is not available (Recording sub-menu). |
01171433, 01173254, 01173255, 01173256, 01248746 |
SmartView Monitor crashes when playing back recorded data (Recording > Play). |
01246247, 00889422 |
SmartView Monitor shows "Log Server is not responding" error for a Full HA cluster on Gaia OS. |
01084507, 01299321, 01094024, 01089802, 01294336, 01298533, 01294335, 01094069 |
- "The interface does not exist. Try a different interface." error in SmartView Monitor when opening a Traffic view on an interface.
- Running rtm monitor command on Security Gateway shows "Error: Bad interface name".
|
SmartView Tracker |
01162343, 01166740, 01166741 |
Hebrew characters are displayed as "????" in SmartView Tracker details window. |
01262111, 01265541, 01265542, 01265543 |
In SmartView Tracker, usernames are not displayed correctly when switching from 'long usernames' to 'short usernames'. |
SmartEvent / SmartReporter |
01272682, 01272425 |
Timeline order configuration not saved in SmartEvent GUI. |
01249378, 01240756 |
All XML reports from SmartEvent are missing fields written in non-English languages (other than ASCII English). |
01151049, 01151537, 01151538, 01151539 |
cpstat cpsead command does not print anything. |
01301139, 01304096 |
Mail to SMTP fails due to extra welcome message. |
01213537, 01216284, 01216285, 01216283 |
5 gateways extension CPSM-SM-5 does not add 5 additional managed SmartReporter gateways as it should. |
01230042, 01261419, 01261420, 01261421 |
The following errors appear repeatedly for SmartReporter/SmartEvent in Windows Event Viewer - Application log:
Source: PostgreSQL
Event ID: 0
ERROR: syntax error at or near "s" at character N
STATEMENT: SELECT * FROM Attack_Info WHERE Attack_Info_code = 14928 OR Attack_Info_name='Connections table's denial of service prevention mechanism'
$RTDIR/log_consolidator_engine/<IP_Address>/lc_rt.log file shows repeatedly:
[LogConsolidator] Error:'ATTACK_INFO' - can not set field's value
[LogConsolidator] Warning:failed to process current Log record (FileName:fw.log, FileID:..., Pos:...)
[LogConsolidator] Error:failed to insert ATTACK_INFO inter_code data (Connections table's denial of service prevention mechanism) into table
[LogConsolidator] :ERROR: syntax error at or near "s"
LINE 1: ...de = 37727 OR Attack_Info_name='Connections table's denial o...
Refer to sk95891. |
SmartLog |
01156004, 01156160, 01156161, 01201674 |
SmartLog GUI is missing the log servers list scroll bar. |
VPN |
01050338, 01293876 |
IKEview incorrectly displays unprintable characters after they are logged in $FWDIR/log/ike.elg as corrupted. |
01213252, 01231862, 01231861, 01231863, 01287734, 01299920, 01310849 |
When CoreXL is enabled, fragmented traffic over a SSL VPN tunnel may be dropped. |
01207626, 01208459, 01208460, 01208839 |
VPN users with a pound sign in the name (#) cannot get IP address from ip_assignment.conf file. |
01230122, 01215432 |
A memory leak occurs when a remote user tries to reconnect to the VPN when the IKE Security Association (SA) has expired and the IPSEC Security Association has not expired yet. |
01298166, 00846431 |
VPN clients switch to Visitor Mode when it is not necessary due to incorrect gateway replay on connection establishment, causing high CPU load. |
01298319, 00519588 |
iPhone L2TP connections fail in a load-sharing Cluster environment. |
00872295, 00880449, 00992544, 00900135, 00986309, 01144180, 00900463, 01133797, 01048555, 01167109, 00891420, 01054452, 00880420, 01294140 |
In a heavy-load cluster environment, Remote Access VPN Clients that are authenticated by LDAP are not able to connect due to VPN certificate validation errors. |
01209674, 01210206, 01210207, 01210208 |
Security Gateway might crash in erase_IPSEC_SA function. |
01298823, 01298884, 01298885, 01303180, 01312535 |
Traffic does not go through the VPN tunnel after a Security Gateway upgrade to R76 or R77. This can occur in connection with a dynamic IP address (DAIP) when the IPSec VPN 'Link Selection - load sharing' is configured on the Security Gateway or one of the VPN peers to 'Use probing. Link redundancy mode.' |
01228623, 01153392 |
The vpn tu command shows a dynamic IP address of 0.0.0.1 and not the actual IP address. |
01230163, 01243776 |
When IKE phase expires, some VPN kernel tables do not get cleared. |
00546615, 01227392, 01072886, 01110099, 01235828, 01130141, 00547716, 01224785 |
DHCP Discover packets are dropped by Satellite Gateway in Star community after VPN is established. |
01217006 |
IPsec SHA-256, SHA-384, and AES-XCBC are now supported for Remote Access Clients. |
01242413, 01245164, 01245151 |
When IKEv2 is configured, enabling VPN debug can crash VPND. |
01215432, 01230125, 01230122, 01225126, 01286519 |
Memory leak in outbound SA kernel tables during IKE phase 2 renegotiation with IPSec Remote Access clients. |
00862912, 01293880 |
When selecting 'Enable enhancements for GW with multiple external interfaces' in Static Link Selection options section of site-to-site community configuration window, VPN tunnel might be down because of IKE session drops. |
01225381, 01225425, 01242472, 01237892, 01250185, 01242473 |
Sometimes VPND crashes following L2TP clients disconnection. |
01303862, 01298246 |
When encryption Suite-B is used, traffic connection in Star community will time-out without any drops. |
01298191, 01294630 |
With a certificate signed by a sub-CA, object settings are ignored in a Site-To-Site VPN with a 3rd party peer. |
01295783, 00840727 |
DNS suffixes which are common to the Office mode settings, are removed when SSL Network Extender disconnects. |
01154294, 01154787, 01154788, 01154789 |
Endpoint VPN client cannot authenticate with 3rd party certificate if CA marked policyConstraints option in certificate as 'critical'. |
01319182, 01319594, 01323572 |
Occasionally, after VPN tunnel is re-established, the following options in VPN Tunnel Utility ('vpn tu' command) either do not show any information, or peer IP address must be entered in reverse order:
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
Refer to sk98165. |
01297463, 00570046, 00570111, 00572887, 00637958, 00642029, 00756537 |
"Bad certificate chain in the response" error when trying to validate a 3rd party certificate with a critical extension of CertificatePolicies in a chain. |
01238156 |
Enhancement: Added Permanent Tunnel support with interoperable VPN devices based on IKEv1/IKEv2 DPD (RFC 3706). Refer to sk97746. |
01227372, 01225961 |
A memory leak in VPN kernel tables causes free memory to decrease on the Security Gateway by up to 20% every 7 days. |
01323409, 01323359 |
Traffic does not pass in a VPN tunnel if IP compression is enabled on the community. |
01290645, 01267718, 01305490, 01290645, 01320983 |
When HTTPS Inspection is enabled, Windows 8 and Windows Server 2012 cannot run Windows update. |
01190171, 01190814 |
On 64-bit machines, Web Applications in SNX incorrectly prompt for approval - the user is prompted to approve the application when user attempts to launch it. |
UserAuthority |
01169340, 01175775 |
UserAuthority daemon does not start. Running uagstart produces an error message 'cpopen: cpdev is not initialized!' and halts. |
Anti-Bot / Anti-Virus / Anti-Malware |
01176835, 01177121, 01177120, 01177119, 01177118 |
Policy installation fails after several months of uptime of Security Gateway with enabled Traditional Anti-Virus. |
01177091, 01177498, 01177499, 01177500 |
Memory leak in CPD daemon related to Anti-Malware statistics. |
01182565 |
The cpd process has a high memory usage. Resolved memory leak in cpav. |
00948060, 01197215, 01199791, 01219448, 01224442, 01224443, 01224444, 01226392, 01278788, 01367586, 01374128, 01403331; 01151169, 01197246, 01199810, 01224445, 01224446, 01224448, 01367587, 01374132, 01403330
|
Traffic latency might be caused by Anti-Bot / Anti-Virus resource categorization mode set to 'Hold'. Refer to sk89340. |
Identity Awareness |
01154085, 01173340, 01173337, 01173338 |
Session expiration message might show up in SmartView Tracker as 'Internal error. Authentication method is not supported.' |
01211461, 01213089 |
Entering a badly formatted IP address for a multi-user host will not show an error. |
01196004, 01190458, 01196002, 01196003 |
Identity Awareness AD Query cannot utilize more than 100 Domain Controllers at once.
Note: In R77.10, the limit for simultaneous Domain Controllers is 256. |
01209993, 01209876, 01209992 |
Mac agent disconnects from the Security Gateway after policy installation. |
01189493, 01201645, 01234822, 01193180, 01241435 |
The Multi-User Host agent sometimes fails to remove logged out users from the system and does not clear their assigned port range. |
01237721, 01227160 |
Identity Awareness Multi-User Host Agent causes blue screen on Windows OS. |
01258200, 01246874 |
System crash after creating a new machine session. |
01276174, 01288542, 01277870, 01277947, 01278825, 01287131, 01287218, 01287366, 01288540, 01294477 |
On a terminal server or Citrix server with Identity Awareness Terminal Server/Citrix Agent installed, SAP logon fails with "not enough memory" error when more than one user tries to connect to the SAP GUI at the same time. |
01274947, 01288905, 01288907, 01299437, 01342484 |
When 10 or more Identity Server "Server Configuration Rules" are defined (in the "Check Point Identity Agent - Distributed Configuration" window), the IP addresses displayed in the "Identity Server" column, do not match the configured IP addresses inside each rule (in the "Check Point Identity Agent - Identity Server Configuration" window). Refer to sk98200. |
01187267, 01195807, 01195808, 01195809, 01219367 |
Cluster status notifications cause redundant ADLOG reconf, leading to AD Query outage. This can happen on High Availability clusters with a lot of cluster state notifications (for example, due to flapping interfaces). |
01239257, 01240817, 01240818, 01240819, 01399466 |
Windows users, redirected to Identity Awareness Captive Portal with transparent authentication enabled, get a pop-up dialog asking for user credentials if the machine does not belong to an AD domain configured on the Security Gateway. |
IPS |
01265930, 01266343, 01301002, 01266341, 01266342, 01343010, 01344720, 01352201, 01360416 |
Security Gateway might crash when IPS blade is enabled. Refer to sk96046. |
01203733, 01204217, 01204216, 01204215, 01204214 |
"FW-1 - cmi_sticky_exec: Failed to resolve handler from database" errors in /var/log/messages file when IPS blade is enabled. |
DLP |
01180040, 01180043, 01181797 |
'[ERROR] Process DLPU_0 isn't monitored by cpWatchDog. Stop request aborts' messages in $CPDIR/log/cpwd.elg file after running 'cpstop;cpstart' commands. |
01186275, 01188216, 01188217 |
In some instances, browsing a website is recognized by DLP as uploading a text file. |
01257287 |
Enabling SMTP kernel inspection in mirror port requires running the "dlp_smtp_mirror_port enable" command on the gateway. |
01285180, 01285178, 01298458 |
Some data types are not matched when posting text on facebook.com that contains a violation. |
Mobile Access |
01251460, 01239952 |
The Push Notification service is limited with a Plug & Play license. |
01211458, 01212686, 01212685, 01212687 |
- "Internet Explorer was unable to open this site. The requested site is either unavailable or cannot be found. Please try again later" error in Internet Explorer when trying to download Excel file from link in web application.
- "Unable to download the file from the website" error when Mobile VPN users are trying to download Excel file from link in web application.
|
01225079, 01224626 |
If SSL Network Extender Application mode is used and the portal is opened in Google Chrome, the Web application in Google Chrome is running in the same process as the portal and cannot connect. |
00265399 |
Full Connectivity upgrade (FCU) is not supported for Mobile Access Blade clients - Portal, Mobile and Mobile Enterprise. |
Multi-Domain Security Management |
01183324, 01183537, 01183538, 01207479, 01256755 |
Cannot create VPN Tunnel when using 'Selected address from topology table' option. |
01294365, 01123081 |
Memory leak with more than 150 Domain Management Servers. |
01221153, 01225111 |
Failed to create new Domain Management Server on Gaia after migrating the database from an earlier version. The sduu process hangs. |
00956244, 01198886 |
After exporting and importing a Domain database, the 'Assign Global Policy' operation takes longer than expected. |
01182557, 01185379, 01187967, 01185383, 01185381, 01185380 |
'Global object modification is prohibited!' error in SmartDashboard connected to Domain Management Server while trying to save a policy when using policy granularity feature. |
01144846, 01290073, 01290075, 01290077 |
When logging in to the Multi-Domain Server, this error message may show: "-bash: /opt/uf/SecureComputing/scripts/envset: No such file or directory errors". The message can be ignored. |
01287795, 01296327, 01296328, 01295721 |
mds_restore operation fails with errors:
mds_restore> Insufficient disk-space in the current file-system.
mds_restore> Backup file extraction requires N KB while the current file-system contains only X KB.
mds_restore> Please move the backup directory to another file-system and try again. |
SmartProvisioning |
01200935, 01200900 |
FWM daemon memory leak. |
SNMP |
01277764, 01291858, 01291859, 01291860, 01304331 |
"The identifier should not start or end with number or special character" error when loading /etc/snmp/GaiaTrapsMIB.mib file into a MIB browser. |
01284949, 01285259, 01285260, 01285261, 01312661, 01313521, 01393380, 01394803 |
Check Point Trap MIB file ($CPDIR/lib/snmp/chkpnt-trap.mib) has compliance errors in SMI syntax. Refer to sk73440. |
01386525, 01391815 |
Definition of 'aviTopVirusesName' object in 'AviTopVirusesEntry' is missing from $CPDIR/lib/snmp/chkpnt.mib file. Refer to sk73440. |
01166621, 01166827, 01166828, 01166830, 01201540, 01215011, 01296931, 01412791 |
SNMPv3 with USM 'authentication' configuration does not survive reboot on Gaia OS. Refer to sk92937. |
01195748, 01196205, 01196204, 01206926 |
Unable to load 'GaiaTrapMIB.mib' file and the 'chkpnt-trap.mib' file at the same time in HP OpenView. Refer to sk93727. |
SSL Inspection |
01213407, 01180042, 01180376, 01180375, 01180373 |
Website blocked due to certificate without seconds in the 'notafter' field. |
SSL Network Extender |
01201875, 01190814 |
New applications that require approval incorrectly display MD5 warning dialog: The server presented a certificate that uses a security method vulnerable to forgeries. The authenticity of this server cannot be guaranteed. |
01190171, 01201882 |
On 64-bit machines, Web Applications in SSL Network Extender incorrectly prompt for approval - the user is prompted to approve the application when the user attempts to launch it. |
01206930, 01212882, 01212883, 01212884 |
Trust fails when the package path includes Korean characters. |
01190914, 01201875, 01201879, 01201880 |
New applications that require approval can show a false certificate fingerprint warning. |
01285769, 01285770, 01285771 |
SSL Network Extender crashes when started by a network user. |
QoS |
01123551 |
QoS blade support for Centrally Managed LSM 1100 gateways (firmware version R75.20.30 and higher). |
VoIP |
01178961, 01208911, 01212440, 01217039, 01217040, 01217038, 01308634 |
'sip reason: Too many streams in SDP' drop log in SmartView Tracker if SIP SDP message contains more than 4 streams. |
01179635, 01186000, 01849555, 01186002, 01186001 |
VoIP H.323 traffic without the Q934 header does not pass through Security Gateway. Refer to sk111591. |
Endpoint Security |
01293473, 01206369 |
When OU names or Group names have special characters, creation of DS instances can fail, and scans of these OUs and Groups are incomplete or skipped. |
01293497, 01242494 |
Deleting an OU from the AD sometimes leaves orphan objects. This resolution also adds support to delete existing orphan objects. To enable:
- Add these lines to $UEPMDIR/engine/conf/ds.local.properties:
remove.orphans.from.server=true
remove.orphans.bulk.size=50
- Restart the Endpoint Security services: uepm_stop ; uepm_start
|
01293476, 01227437 |
Enhancement: Improved scan progress bar. The new progress bar contains 3 stages: "Creating Objects", "Attaching Group Members" and "Updating Deleted Objects". |
01293474 |
Enhancement: Improved scanning time and lower memory consumption of database. |
01293492, 01242482 |
Directory scan does not start (stuck on 0%) because of insufficient permissions on the search base. |
01293515 |
DirectoryScanner view does not contain any information that tells the user that DirectoryScanner has stopped scanning for some reason.
Fix: Last Scan column added in the Directory Scanners view |
01293500, 01245685 |
If a username with a comma is deleted from the Active Directory and moved to 'Deleted users/Computers', it cannot be deleted from SmartEndpoint. |
01293442, 01024974 |
When creating a new DS instance on a large AD environment, a timeout message is shown.
Fix: Improved performance in large ADs. When creating a new DS instance, get only the first AD level. |
01252954 |
Enhancement: Added SmartConsole support for Mac clients with Media Encryption. |
01247474 |
Enhancement: Added Japanese localization to SmartEndpoint management. |
01266047 |
Temporarily Disable Preboot (WOL) does not work. |
01293490, 01227442 |
Added support to skip users or computers in scans. To enable:
- In $UEPMDIR/engine/conf/ds.local.properties:
- Change the value of should.scan.users to false, to skip users.
- Change the value of should.scan.computers to false, to skip computers.
- Restart the Endpoint Security services: uepm_stop;uepm_start
|
01312501, 01303989 |
Vulnerability Scanner detects Cross-Frame Scripting (XFS) vulnerability on Endpoint Security Server. Refer to sk103503. |
User Authority |
01288683, 01289928, 01289929, 01289930 |
User Authority Server (UAS) does not start on 64-bit Security Gateway:
[Expert@HostName]# uagstart
UAS: Loading UAS driver ...
mknod: missing operand after `0'
Try `mknod --help' for more information.
chmod: cannot access `/dev/uag0': No such file or directory
UAS: UAS driver was loaded successfully
UserAuthority: Starting driver
Unable to open '/dev/uag0': No such file or directory
UAG module: Can't open UAG device
UserAuthority: Driver load failed
Refer to sk97087. |