Check Point R77.10 Resolved Issues
Solution

This article lists all of the issues that have been resolved in R77.10.

Important notes:

Table of Contents

  • General and Installation
  • Firewall
  • Gaia / SecurePlatform
  • Dynamic Routing
  • Security Management Server
  • SecureXL
  • ClusterXL
  • VSX
  • Application Control and URL Filtering
  • SmartDashboard
  • SmartView Monitor
  • SmartView Tracker
  • SmartEvent / SmartReporter
  • SmartLog
  • VPN
  • UserAuthority
  • Anti-Bot / Anti-Virus / Anti-Malware
  • Identity Awareness
  • IPS
  • DLP
  • Mobile Access
  • Multi-Domain Security Management
  • SmartProvisioning
  • SNMP
  • SSL Inspection
  • SSL Network Extender
  • QoS
  • VoIP
  • Endpoint Security
  • User Authority

 

ID Symptoms
General and Installation
01216887,
01207493
Memory leak in CPD process.
01285128,
01286168,
01286167,
01286169
Online updates' service memory leak in CPD process.
01287611,
01295861
In R77.10, free disk space is verified before installation.
To disable this feature, add the registry key by running:
cpprod_util CPPROD_SetReserved FW1 SmartUpdate DenyInstallSpaceCheck 1 1 1

To re-enable, run:
cpprod_util CPPROD_SetReserved FW1 SmartUpdate DenyInstallSpaceCheck 1 0 1
Firewall
01050800,
01050338
When unprintable characters are logged to the $FWDIR/log/ike.elg file, the file becomes corrupted and is displayed incorrectly in IKEview.
01155626,
01156133,
01156132
"Unable to open '/dev/fw6vX': No such file or directory" error appears repeatedly in the $FWDIR/log/fwd.elg file on Security Gateway.
01313988,
01319105
Security Gateway may stop accepting new IPv4 connections when working with Dynamic Objects or with IPS protection 'Malicious IPs'.
01165989 "Error compiling IPv6 flavor. Compilation failed." message when adding MGCP type service to rules.
01171295,
01171590,
01171591
The cpstat fw command does not list all interfaces in Gaia.
01255716,
01303556,
01303389
Policy verification fails when using H323 service in NAT rules for Edge.
01184432,
01189565,
01189566,
01189567,
01189568,
01270217
The rad process crashes with "Program terminated with signal 11, Segmentation fault." error while browsing the Internet.
01198865,
01158419
Legitimate CIFS traffic is dropped with error "cifs_tunnel_execute: Error, context include an invalid FID."
01196093,
01189544,
01196091,
01196092,
01196093
Bypass of FTPS connection through the FTP Security Server is not supported.
01218208 Cannot open a second 3rd party connection from the same source port with CPAS to the Security Gateway, until 20 seconds after the first connection closes.
01207030 Kernel parameter fw_rules_uid_max_dic_entries is not saved after policy install.
01106719,
01143842,
01170327,
01171061,
01174244,
01383474,
01405518
Additional information will be printed when 'stack overflow, pc=0x... stack=0x... thst=0x... sp=0x... jumpadd=0x0' message appears in /var/log/messages file.
Refer to sk99329.
01247081,
01246671
DCERPC high port connection is not getting opened, and gets dropped on the Cleanup rule.
01293744,
01295159,
01295160,
01295161,
01296143
FWD daemon crashes with core dump files. Valgrind output for FWD daemon shows:

Invalid free() / delete
Mismatched free() / delete

01287507,
00466023
If a log has a timestamp with the year in the middle (for example: Dec 17 2013 14:31:48), syslog cannot read it.
00526774,
00648365,
01234565,
00527549,
01233978,
01234562,
01234564,
01234566,
01364730
Security Gateway can be configured to accept FTP connections on ports other than 21.
Refer to sk43597.
01220629,
00557386,
00556274,
00557675
The snmpwalk command fails with error: "No Such Object available on this agent at this OID."
01203474,
01226037
The ftp dir command does not show directory listing when using User Authentication with FTP Resource.
01254692,
01254747,
01254749,
01254750
Memory leak in kbuf when using HTTP.
01219345 Rate limiting rules now support the 'destination' keyword to specify a set of server addresses the rule applies to. The syntax for the 'destination' keyword value follows the syntax of the 'source' keyword. In addition:
  • The value 'any' can now be used for the 'source' and 'destination' keywords.
  • The keyword 'destination-negated' was added and follows the same syntax as the 'source-negated' keyword.
For more on keyword syntax, see the "R77 Security Gateway Technical Administration Guide" under the "Rate limiting for DoS mitigation" section.
01193722,
01192828
On the bond interface one of the NICs is shown as N/A.
01293757,
00217945
Access Control Lists generated for Open Security Extension devices omit the service.
00546615,
00547716,
00621131,
00820879,
00866106,
01072886,
01104079,
01110099,
01130141,
01178088,
01224785,
01227163,
01227392,
01235828,
01278302,
01287589,
01380403,
01381003,
01393834
DHCP Discover packets are dropped by Satellite Gateway in Star community after VPN is established.
01306004,
01306263,
01306264,
01306265
Users are not able to connect with any client (Endpoint, SSL Network Extender) to Multi-Portal after upgrade of Security Gateway to R77 that is connected over PPPoE.
01226616,
01224828,
01226617,
01226618
Smart Connection Reuse (sk24960) is not working properly on FTP Data connections.
01375562,
01375562, 01376256 
Executing 'fw sam' command (e.g., fw sam -f localhost -t 60 -J src 1.1.1.1) refreshes timeouts of all entries in the Connections Table.
As a result, connections are not expired in time, which can lead to exhaustion of the Connections Table. 
Refer to sk99066.
01264866,
01298649,
01302539,
01313949,
01316687,
01399331,
01482998,
01487264;
01284461,
01316702,
01317454,
01483000
FWD process on Security Gateway might crash during heavy traffic load when traffic is logged with packet capture.
Refer to sk98326.
01147066,
01147319,
01147320,
01147321,
01166815,
01199267,
01287367,
01322299,
01473258,
01474609
Output of 'fw ctl pstat' command shows negative values.
Refer to sk93810.
Gaia / SecurePlatform
01098566,
01099576,
01099577
Cannot delete the backup files shown in the Gaia Portal.
01273099,
01365481,
01273589,
01273591,
01273592,
01286380
Gaia OS scheduled backup to SCP server fails with "set_binding: Failed to set one binding" error.
Refer to sk96267.
01214699,
01354397,
01380928,
01420122,
01420167,
01457281;
01264645,
01354405,
01380936,
01400962,
01420125,
01457282
Backup on a Gaia machine / VSX machine with a large number of Virtual Systems (more than several dozens) might fail with the following error even though there is enough free disk space:
  • On Check Point appliances: "Cannot complete the backup process: not enough space in /var/log/CPbackup/backups."
  • On Open Server:
    "Cannot complete the backup process: not enough space in /var/CPbackup/backups."
Refer to sk98609.
01135972,
01136629
RouteD adds routes to the kernel with proto 'gated' instead of proto 'cprd'.
01302831,
01303089,
01303090,
01303091,
01358993,
01406147,
01408726
SNMP Trap for a monitored process (e.g., FWD) generates SNMP Trap Alert although this process is not down (Red Hat Bug 630905).
Refer to sk98702.
01147025 The sshd configuration option MaxAuthTries from openssh 3.9p1 does not exist on SecurePlatform OS.
01165731,
01166059,
01166061,
01221835,
01221871;
01254663,
01257049,
01257050,
01257051
The following errors appear repeatedly in /var/log/messages file:
monitord[PID]: AddDataSQL: insertion failed, sensor name=[      ], timestamp=[YYYY-MM-DD HH:MM:SS]
monitord[PID]: SQL error: columns time_stamp, sensor_name are not unique rc=19
01176854,
01182440
A user authenticated on RADIUS (rba role 'radius-group-any') is able to connect to R75.40VS in VSX mode over SSH, but is not able to switch from the context of VS0 to other contexts (error: 'NMINST0069 cannot access to the virtual-system').
00264327,
00264364,
01183780,
01195653
A VRRP cluster member freezes when removing a VLAN from a VRID configuration, and the error 'kernel: unregister_netdevice: waiting for VLAN_NAME to become free. Usage count = 1' appears repeatedly on the console and in /var/log/messages.
01101972,
01107459,
01107460,
01107996,
01113956,
01231354,
01266512;
01198918,
01199148;
00542743,
00544523,
00548136,
00590953,
00613593,
00621363,
00623743,
00637802,
00752876,
00760340,
00817088,
00858461,
00906468,
00906585,
00974863,
01081516,
01155812,
01164847,
01171945,
01212814,
01223187;
01200927,
01201131,
01201132,
01201133,
01294356,
01470743;
01212561,
01212982,
01212983,
01212984
Backup in SecurePlatform WebUI / Gaia Portal via FTP fails with 'User name contains illegal characters' error.
Refer to sk104104.
01206926,
01195748,
01196205,
01196204,
01195748
Unable to load GaiaTrapMIB.mib file and the chkpnt-trap.mib file at the same time in HP OpenView.
01214827 The raid_diagnostic utility does not support the HP SmartArray P420i RAID Controller.
01200679, 00266399, 01200951, 01200952, 01200953, 01256984, 01321801
The /var/log/messages file on a VRRP cluster member running on Gaia OS with OSPF configured repeatedly shows:
routed[PID]: cpcl_should_send() returns -3
Refer to sk106129.
01240537,
01239455,
01240535,
01240536
In Gaia Portal "Software Updates Notifications", when adding an e-mail with domain starting with a digit (for example, 4sight.com) it gives an error.
01186074,
01207477,
01186330,
01186331
Bash shows incorrect values. Editing the /etc/bashrc file and adding the \u option according to sk60862 does not work and gives: [Expert@I have no name!]#.
01224488,
00466139
OSPF packets sent by GateD (SecurePlatform Advanced Routing Daemon) start using the interface IP instead of the VIP as the source address. This leads to problems establishing the OSPF session.
01193893,
01193740
It is not possible to send SNMP Response / SNMP Trap from specific IP address.
01197861,
01199338,
01199339,
01206915,
01286418
Gaia 'emergendisk' command fails with error "integer expression expected".
Refer to sk93930.
00439913,
00550476,
00738400,
01229599,
01229601
Interface names longer than 11 characters are truncated in output of ifconfig command.
01194781,
01194281,
01194780,
01194779,
01194781
Discrepancy in RX drops on Gaia OS between output of Clish 'show interface' command and output of Expert 'ifconfig -a' command.
01293934,
01192799
Emulex 10GB NIC is not recognized during Gaia installation.
01287704,
01287332
If PIM traces are enabled on Gaia in a Multicast environment, the routed.log sometimes shows an incorrect order of received and sent PIM packets.
01255588,
01255760,
01255761,
01255762
Gaia Portal becomes inaccessible after configuring ACS TACACS+ Authentication.
01294490,
01147025
Enhancement: Added support for MaxAuthTries configuration to OpenSSH on SecurePlatform.
01215933,
00431330
SecurePlatform sends SNMP Traps with the 'public' community name, although a different community was configured in /etc/snmp/snmpd.conf.
This fix also adds support for sending traps to a list of configured sink servers.
01298732,
00772430,
00772508,
00772510,
00772512
Many "kernel: ACPI: Unable to turn cooling device [bf6d8950] 'on'" messages appear in the /var/log/messages file when the ACPI thermal limit is reached.
01268440,
01259785,
01262879,
01266337,
01266339
When running the 'show configuration syslog' command, Gaia Clish crashes with a core dump file.
01247678,
01248259,
01248260,
01248261
Gaia IP appliance crash related to ixgbe portwell driver.
01240686,
01239963

Smart-1 25 WebUI shows VCC +12v Voltage as LOW due to difference in voltage values in /etc/appliance_config.xml and /etc/sysconfig/sensors/sensors_data.C files.
Refer to sk98390.

01248060,
01251111,
01251112,
01251113,
01254623,
01258145,
01265159,
01267866,
01290650,
01292984
Segmentation Fault crash in Gaia Clish when running the show configuration command if the total list of features for all RBA users has more than 1024 characters.
01294525,
00447858
When taking interface down and using SecurePlatform WebUI (even for viewing interfaces), routes towards the disabled interface will be removed from /etc/sysconfig/netconf.C file.
01338493 If you change two parameters in Gaia Portal -> Password Policy section, and then revert only one of these parameters, the 'Apply' button is disabled - you cannot apply the first update.
00367067,
00374440,
00374442,
00509948,
00535607,
00613800,
00836960,
01045080,
01084320,
01181942
RADIUS authentication fails for SecurePlatform users included in groups other than 'Any'.
Refer to sk58460.
00537938,
00554960,
00570381,
00572772,
00621657,
00641882,
00655899,
00656046,
00660977,
00765615,
00781490,
00789123,
00822285,
00822515,
00878166,
01132254,
01157409,
01158050,
01294146,
01294148,
01303403,
01502356
Backup to FTP server in SecurePlatform WebUI is always reported as successful, even when it fails.
Refer to sk44344.
Dynamic Routing
00263833,
00263834,
00264854,
00265437,
00266413,
01151410,
01238180,
01258619,
01345862
Cluster on Gaia OS occasionally stops forwarding multicast traffic.
Refer to sk97428.
01177640 GateD daemon on SecurePlatform OS takes 100% CPU when reading manually-added ECMP routes from the kernel routing table.
01224233 In Cluster on Gaia OS, if the synchronized connection between the Standby routing daemon and the Active routing daemon fails, it is not restarted by the Standby routing daemon.
01220408,
01223123,
01223124,
01223125,
01230668,
01287193,
01306637,
01345860
RouteD daemon restarts when enabling PIM traces in an environment with a large number of multicast groups/multicast senders.
Refer to sk94848.
01254724,
01254920
Cannot use special characters, such as exclamation mark (!) when configuring MD5 authentication for BGP. The password is rejected as invalid.
Security Management Server
01153045, 01157984, 01157985, 01453064
Policy installation fails with "Database conversion failed" when using an empty group in a NAT rule.
Refer to sk93645.
01230727, 01230920, 01230933, 01230943, 01230991, 01230996, 01234464, 01240615, 01247733, 01256843, 01259570, 01374830 Security Gateways prior to R76 drop UDP traffic on non-standard ports after upgrading Security Management Server to R77.
Refer to sk95056.
00940190,
00944338,
01173868,
01177410,
01213497,
01213498
SmartDashboard closes during "Loading objects" without core dump file after using cp_merge utility on Security Management Server / Multi-Domain Security Management Server.
00745405,
00745470,
01232904
Topology fetch incomplete (interface with topology) on UTM-1 when using the default interface name: "Internal".
01155774 Duplicate object 'fwEvent' in Check Point MIB file on R75.40VS and R76.
01157584,
01157815,
01188673,
01157816
Policy verification fails for R76 Security Gateways when a Connectra R66 object exists in the database, with the following error:
"/opt/CPsuite-R76/fw1/conf/<Policy_Name>.pf", line N: ERROR: cannot find <XXXp_pXXXp_pXXX> anywhere
where "XXXp_pXXXp_pXXX" is an object that contains dots (.) in its name.
01167160,
01168072,
01168073,
01168074,
01248817
OPSec LEA Client displays duplicate log entries from the Management Audit Log ($FWDIR/log/fw.adtlog) when the FireWall Log ($FWDIR/log/fw.log) is switched (e.g., scheduled event that is configured in Security Management object).
01178752,
01207490,
01179224,
01214580,
01179223,
01295064,
01219366
fwm logexport operation is slow on Security Management Server.
01253574,
01253574,
01367562
SmartDashboard crashes when adding very large number of interfaces in Security Gateway / Cluster object (more than 180).
Refer to sk98703.
01245535, 01245826, 01245827, 01245828, 01295067, 01429594
In some scenarios, when cluster contains more than 32 interfaces, policy compilation might fail with the following error in SmartDashboard:

".../conf/<Policy_Name>.pf", line N: ERROR: Duplicate keys < IP_Addres_in_Hex > in table 'cluster_members_ips_by_local_ip'

Refer to sk95375.
SecureXL
01115708,
00263356,
00263358

When SecureXL is enabled, errors are displayed and then gateway reboots.

Errors:

  • SIM: sim_db_get_conn: Error !!! connection <...> already freed
  • drv_write_lock: already locked. name = CI, current = simtcp_validate_tcp, previous = NONE, level=0
Refer to sk108550.
00264635,
01177389,
00264582,
01206412,
00264595
VPN traffic outage after policy installation when SecureXL is enabled on the Security Gateway, although no obvious problems are observed with the traffic. Packets are still sent to the network with correct Source IP address and Destination IP address, but do not arrive at their destination.
01209606,
01235938,
01237012,
01237014,
01260746,
01408865
Memory leak in SecureXL when using VPN.
Refer to sk95135.
00264951 SAM card locks cause Firewall instability.
01246356,
00351514
RTSP traffic is dropped when SecureXL is enabled.
01277855 If SecureXL starts after packets finish an outbound chain, SecureXL drops the packets.
ClusterXL
01208645,
01208853,
01208854

IGMP packets generated by cluster members running on Gaia OS are dropped by the cleanup rule.

01244908 In ClusterXL, where VLANS are used as Cluster interfaces, the cpstat ha -f all command does not show the VLAN ID.
01266853,
00265253,
00265441,
01267048,
01267049,
01267050,
01345875,
01350560
RouteD daemon constantly restarts when enabling PIM traces.
Refer to sk96070.
01292728,
01292728,
01347636,
01343549
When disconnecting/shutting down the Sync interface on the Pivot member of ClusterXL in Load Sharing Unicast mode, the state of the non-Pivot member changes from 'Active' to 'Ready'.
Refer to sk98281.
VSX
01067586 If conversion fails, SecureXL and VPN sometimes do not reload properly. If this happens, you must reboot the Security Gateway.
01087052 Cluster private network IP addresses are not supported as VSX virtual IP addresses.
01178395 Memory consumption by CPD daemon increases on Management Server when managing VSX Gateways.
01140022,
01168878,
01140793,
01225518,
01140791,
01183774,
01140792
Failover occurs randomly in VSX cluster because Critical Device 'VSX' reports its status as 'problem'.
01204727,
01204870,
01204871,
01206898,
01219132,
01235255,
01235256,
01261144,
01340541,
01407767,
01418834,
01460160
Memory consumption increases on VSX Gateway while querying SNMP VSX branch OID .1.3.6.1.4.1.2620.1.16
Refer to sk94124.
01321203,
01336047,
01363344,
01367632,
01370008,
01379969,
01436495,
01465441
During reboot of Active member in VSX cluster (applies to both HA and VSLS), the state of Standby member is "HA not started" instead of "Active".
Refer to sk98021.
Application Control and URL Filtering
01089602

To identify HTTPS traffic using Custom Application/Site, "HTTPS Inspection" must be enabled.

If it is disabled, and only "Categorized HTTPS Sites" is enabled, the Custom Application/Site will not be matched. URLs will be categorized by the CN/DN in the site certificate, and not by the user definition in Custom Application/Site.

01107522,
01108361,
01108362
After enabling Application Control and URL Filtering Blades on an IPSO cluster, logging stops after every 4-6 policy installations.
01254114,
01259439,
01259441,
01259442
The values of RAD debugging environment variables CP_RAD_ELG_FILE_NUM (controls the number of rotated debug output files) and CP_RAD_ELG_FILE_SIZE (controls the size of each debug output file) are not applied - RAD debug (rad_admin rad debug on all) runs with default values of 10 output debug files with maximal size 20 MB for each file.
SmartDashboard
01122870,
01127319,
01127320,
01127338
When Windows is set to 125% (in Control Panel -> Display -> Medium (125%) ), checkboxes of gateway machines disappear from the policy installation dialog.
When attempting to install policy you may receive the error pop-up "No Machines Eligible for Installation".
01158320 SmartDashboard crashes when creating a new VPN community.
SmartView Monitor
01145833,
01147126,
01147127,
01147128,
01204426,
01248744
SmartView Monitor functionality to record data and play recorded data back is not available (Recording sub-menu).
01171433,
01173254,
01173255,
01173256,
01248746
SmartView Monitor crashes when playing back recorded data (Recording > Play).
01246247,
00889422
SmartView Monitor shows "Log Server is not responding" error for a Full HA cluster on Gaia OS.
01084507,
01299321,
01094024,
01089802,
01294336,
01298533,
01294335,
01094069
  • "The interface does not exist. Try a different interface." error in SmartView Monitor when opening a Traffic view on an interface.
  • Running rtm monitor command on Security Gateway shows "Error: Bad interface name".
SmartView Tracker
01162343,
01166740,
01166741
Hebrew characters are displayed as "????" in SmartView Tracker details window.
01262111,
01265541,
01265542,
01265543
In SmartView Tracker, usernames are not displayed correctly when switching from 'long usernames' to 'short usernames'.
SmartEvent / SmartReporter
01272682,
01272425
Timeline order configuration not saved in SmartEvent GUI.
01249378,
01240756
All XML reports from SmartEvent are missing fields written in non-English languages (other than ASCII English).
01151049,
01151537,
01151538,
01151539
cpstat cpsead command does not print anything.
01301139,
01304096
Mail to SMTP fails due to extra welcome message.
01213537,
01216284,
01216285,
01216283
5 gateways extension CPSM-SM-5 does not add 5 additional managed SmartReporter gateways as it should.
01230042,
01261419,
01261420,
01261421
The following errors appear repeatedly for SmartReporter/SmartEvent in Windows Event Viewer - Application log:

  • Source: PostgreSQL
    Event ID: 0
    ERROR: syntax error at or near "s" at character N
    STATEMENT: SELECT * FROM Attack_Info WHERE Attack_Info_code = 14928 OR
    Attack_Info_name='Connections table's denial of service prevention mechanism'


  • $RTDIR/log_consolidator_engine/<IP_Address>/lc_rt.log file shows repeatedly:
    [LogConsolidator] Error:'ATTACK_INFO' - can not set field's value
    [LogConsolidator] Warning:failed to process current Log record (FileName:fw.log, FileID:..., Pos:...)
    [LogConsolidator] Error:failed to insert ATTACK_INFO inter_code data (Connections table's denial of service prevention mechanism) into table
    [LogConsolidator] :ERROR: syntax error at or near "s"
    LINE 1: ...de = 37727 OR Attack_Info_name='Connections table's denial o...
Refer to sk95891.
SmartLog
01156004,
01156160,
01156161,
01201674
SmartLog GUI is missing the log servers list scroll bar.
VPN
01050338 01293876 IKEview incorrectly displays unprintable characters after they are logged in $FWDIR/log/ike.elg as corrupted.
01213252,
01231862,
01231861,
01231863,
01287734,
01299920,
01310849
When CoreXL is enabled, fragmented traffic over a SSL VPN tunnel may be dropped.
01207626,
01208459,
01208460,
01208839
VPN users with a pound sign in the name (#) cannot get IP address from ip_assignment.conf file.
01230122,
01215432
A memory leak occurs when a remote user tries to reconnect to the VPN when the IKE Security Association (SA) has expired and the IPSEC Security Association has not expired yet.
01298166,
00846431
VPN clients switch to Visitor Mode when it is not necessary due to incorrect gateway replay on connection establishment, causing high CPU load.
01298319,
00519588
iPhone L2TP connections fail in a load-sharing Cluster environment.
00872295,
00880449,
00992544,
00900135,
00986309,
01144180,
00900463,
01133797,
01048555,
01167109,
00891420,
01054452,
00880420,
01294140
In a heavy-load cluster environment, Remote Access VPN Clients that are authenticated by LDAP are not able to connect due to VPN certificate validation errors.
01209674,
01210206,
01210207,
01210208
Security Gateway might crash in erase_IPSEC_SA function.
01298823,
01298884,
01298885,
01303180,
01312535
Traffic does not go through the VPN tunnel after a Security Gateway upgrade to R76 or R77. This can occur in connection with a dynamic IP address (DAIP) when the IPSec VPN 'Link Selection - load sharing' is configured on the Security Gateway or one of the VPN peers to 'Use probing. Link redundancy mode.'
01228623,
01153392
The vpn tu command shows a dynamic IP address of 0.0.0.1 and not the actual IP address.
01230163,
01243776
When IKE phase expires, some VPN kernel tables do not get cleared.
00546615,
01227392,
01072886,
01110099,
01235828,
01130141,
00547716,
01224785
DHCP Discover packets are dropped by Satellite Gateway in Star community after VPN is established.
01217006 IPsec SHA-256, SHA-384, and AES-XCBC are now supported for Remote Access Clients.
01242413,
01245164,
01245151
When IKEv2 is configured, enabling VPN debug can crash VPND.
01215432,
01230125,
01230122,
01225126,
01286519
Memory leak in outbound SA kernel tables during IKE phase 2 renegotiation with IPSec Remote Access clients.
00862912,
01293880
When selecting 'Enable enhancements for GW with multiple external interfaces' in Static Link Selection options section of site-to-site community configuration window, VPN tunnel might be down because of IKE session drops.
01225381,
01225425,
01242472,
01237892,
01250185,
01242473
Sometimes VPND crashes following L2TP clients disconnection.
01303862,
01298246
When Suite-B encryption is used, traffic connections in a Star community time out without any drops.
01298191,
01294630
With a certificate signed by a sub-CA, object settings are ignored in a Site-To-Site VPN with a 3rd party peer.
01295783,
00840727
DNS suffixes which are common to the Office mode settings, are removed when SSL Network Extender disconnects.
01154294,
01154787,
01154788,
01154789
Endpoint VPN client cannot authenticate with 3rd party certificate if CA marked policyConstraints option in certificate as 'critical'.
01319182,
01319594,
01323572
Occasionally, after VPN tunnel is re-established, the following options in VPN Tunnel Utility ('vpn tu' command) either do not show any information, or peer IP address must be entered in reverse order:
**********     Select Option     **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
Refer to sk98165.
01297463,
00570046,
00570111,
00572887,
00637958,
00642029,
00756537
"Bad certificate chain in the response" error when trying to validate a 3rd party certificate with a critical extension of CertificatePolicies in a chain.
01238156 Enhancement: Added Permanent Tunnel support with interoperable VPN devices based on IKEv1/IKEv2 DPD (RFC 3706).
Refer to sk97746.
01227372,
01225961
A memory leak in VPN kernel tables causes free memory to decrease on the Security Gateway by up to 20% every 7 days.
01323409,
01323359
Traffic does not pass in a VPN tunnel if IP compression is enabled on the community.
01290645,
01267718,
01305490,
01290645,
01320983
When HTTPS Inspection is enabled, Windows 8 and Windows Server 2012 cannot run Windows update.
01190171,
01190814
On 64-bit machines, Web Applications in SNX incorrectly prompt for approval - the user is prompted to approve the application when user attempts to launch it.
UserAuthority
01169340,
01175775
UserAuthority daemon does not start. Running uagstart produces an error message 'cpopen: cpdev is not initialized!' and halts.
Anti-Bot / Anti-Virus / Anti-Malware
01176835,
01177121,
01177120,
01177119,
01177118
Policy installation fails after several months of uptime of Security Gateway with enabled Traditional Anti-Virus.
01177091,
01177498,
01177499,
01177500
Memory leak in CPD daemon related to Anti-Malware statistics.
01182565 The cpd process has a high memory usage. Resolved memory leak in cpav.
00948060,
01197215,
01199791,
01219448,
01224442,
01224443,
01224444,
01226392,
01278788,
01367586,
01374128,
01403331;
01151169,
01197246,
01199810,
01224445,
01224446,
01224448,
01367587,
01374132,
01403330
Traffic latency might be caused by Anti-Bot / Anti-Virus resource categorization mode set to 'Hold'.
Refer to sk89340.
Identity Awareness
01154085,
01173340,
01173337,
01173338
Session expiration message might show up in SmartView Tracker as 'Internal error. Authentication method is not supported.'
01211461,
01213089
Entering a badly formatted IP address for a multi-user host will not show an error.
01196004,
01190458,
01196002,
01196003
Identity Awareness AD Query cannot utilize more than 100 Domain Controllers at once.

Note: In R77.10, the limit for simultaneous Domain Controllers is 256.
01209993,
01209876,
01209992
Mac agent disconnects from the Security Gateway after policy installation.
01189493,
01201645,
01234822,
01193180,
01241435
The Multi-User Host agent sometimes fails to remove logged out users from the system and does not clear their assigned port range.
01237721,
01227160
Identity Awareness Multi-User Host Agent causes blue screen on Windows OS.
01258200,
01246874
System crash after creating a new machine session.
01276174,
01288542,
01277870,
01277947,
01278825,
01287131,
01287218,
01287366,
01288540,
01294477
On a terminal server or Citrix server with Identity Awareness Terminal Server/Citrix Agent installed, SAP logon fails with "not enough memory" error when more than one user tries to connect to the SAP GUI at the same time.
01274947,
01288905,
01288907,
01299437,
01342484
When 10 or more Identity Server "Server Configuration Rules" are defined (in the "Check Point Identity Agent - Distributed Configuration" window), the IP addresses displayed in the "Identity Server" column, do not match the configured IP addresses inside each rule (in the "Check Point Identity Agent - Identity Server Configuration" window).
Refer to sk98200.
01187267,
01195807,
01195808,
01195809,
01219367
Cluster status notifications cause redundant ADLOG reconf, leading to an AD Query outage. This can happen on High Availability clusters with a lot of cluster state notifications (for example, due to flapping interfaces).
01239257,
01240817,
01240818,
01240819,
01399466
Windows users, redirected to Identity Awareness Captive Portal with transparent authentication enabled, get a pop-up dialog asking for user credentials if the machine does not belong to an AD domain configured on the Security Gateway.
IPS
01265930,
01266343,
01301002,
01266341,
01266342,
01343010,
01344720,
01352201,
01360416
Security Gateway might crash when IPS blade is enabled.
Refer to sk96046.
01203733,
01204217,
01204216,
01204215,
01204214
"FW-1 - cmi_sticky_exec: Failed to resolve handler from database" errors in /var/log/messages file when IPS blade is enabled.
DLP
01180040,
01180043,
01181797
'[ERROR] Process DLPU_0 isn't monitored by cpWatchDog. Stop request aborts' messages in $CPDIR/log/cpwd.elg file after running 'cpstop;cpstart' commands.
01186275,
01188216,
01188217
In some instances, browsing a website is recognized by DLP as uploading a text file.
01257287 Enabling SMTP kernel inspection in mirror port requires running the "dlp_smtp_mirror_port enable" command on the gateway.
01285180,
01285178,
01298458
Some data types are not matched when posting text that contains a violation on facebook.com.
Mobile Access
01251460,
01239952
The Push Notification service is limited with a Plug & Play license.
01211458,
01212686,
01212685,
01212687
  • "Internet Explorer was unable to open this site. The requested site is either unavailable or cannot be found. Please try again later" error in Internet Explorer when trying to download Excel file from link in web application.
  • "Unable to download the file from the website" error when Mobile VPN users are trying to download Excel file from link in web application.
01225079,
01224626
If SSL Network Extender Application mode is used and the portal is opened in Google Chrome, the Web application in Google Chrome is running in the same process as the portal and cannot connect.
00265399 Full Connectivity upgrade (FCU) is not supported for Mobile Access Blade clients - Portal, Mobile and Mobile Enterprise.
Multi-Domain Security Management
01183324,
01183537,
01183538,
01207479,
01256755
Cannot create VPN Tunnel when using 'Selected address from topology table' option.
01294365,
01123081
Memory leak with more than 150 Domain Management Servers.
01221153,
01225111
Failed to create new Domain Management Server on Gaia after migrating the database from an earlier version. The sduu process hangs.
00956244,
01198886
After exporting and importing of a Domain database, 'Assign Global Policy' operation takes longer than expected.
01182557,
01185379,
01187967,
01185383,
01185381,
01185380
'Global object modification is prohibited!' error in SmartDashboard connected to Domain Management Server while trying to save a policy when using policy granularity feature.
01144846,
01290073,
01290075,
01290077
When logging in to the Multi-Domain Server, this error message may show: "-bash: /opt/uf/SecureComputing/scripts/envset: No such file or directory". The message can be ignored.
01287795,
01296327,
01296328,
01295721
mds_restore operation fails with errors:

mds_restore> Insufficient disk-space in the current file-system.
mds_restore> Backup file extraction requires N KB while the current file-system contains only X KB.
mds_restore> Please move the backup directory to another file-system and try again.
SmartProvisioning
01200935,
01200900
FWM daemon memory leak.
SNMP
01277764,
01291858,
01291859,
01291860,
01304331
"The identifier should not start or end with number or special character" error when loading /etc/snmp/GaiaTrapsMIB.mib file into a MIB browser.
01284949,
01285259,
01285260,
01285261,
01312661,
01313521,
01393380,
01394803
Check Point Trap MIB file ($CPDIR/lib/snmp/chkpnt-trap.mib) has compliance errors in SMI syntax.
Refer to sk73440.
01386525,
01391815
Definition of 'aviTopVirusesName' object in 'AviTopVirusesEntry' is missing from $CPDIR/lib/snmp/chkpnt.mib file.
Refer to sk73440.
01166621, 01166827, 01166828, 01166830, 01201540, 01215011, 01296931, 01412791
SNMPv3 with USM 'authentication' configuration does not survive reboot on Gaia OS.
Refer to sk92937.
01195748, 01196205, 01196204, 01206926
Unable to load 'GaiaTrapMIB.mib' file and the 'chkpnt-trap.mib' file at the same time in HP OpenView.
Refer to sk93727.
SSL Inspection
01213407,
01180042,
01180376,
01180375,
01180373
Website blocked due to certificate without seconds in the 'notafter' field.
SSL Network Extender
01201875,
01190814
New applications that require approval incorrectly display MD5 warning dialog:
The server presented a certificate that uses a security method vulnerable to forgeries.
The authenticity of this server cannot be guaranteed.
01190171,
01201882
On 64-bit machines, Web Applications in SSL Network Extender incorrectly prompt for approval - the user is prompted to approve the application when the user attempts to launch it.
01206930,
01212882,
01212883,
01212884
Trust fails when the package path includes Korean characters.
01190914,
01201875,
01201879,
01201880
New applications that require approval can show a false certificate fingerprint warning.
01285769,
01285770,
01285771
SSL Network Extender crashes when started by a network user.
QoS
01123551 QoS blade support for Centrally Managed LSM 1100 gateways (firmware version R75.20.30 and higher).
VoIP
01178961,
01208911,
01212440,
01217039,
01217040,
01217038,
01308634
'sip reason: Too many streams in SDP' drop log in SmartView Tracker if SIP SDP message contains more than 4 streams.
01179635, 01186000, 01849555, 01186002, 01186001
VoIP H.323 traffic without the Q934 header does not pass through Security Gateway.
Refer to sk111591.
Endpoint Security
01293473,
01206369
When OU names or Group names have special characters, creation of DS instances can fail, and scans of these OUs and Groups are incomplete or skipped.
01293497,
01242494

Deleting an OU from the AD sometimes leaves orphan objects.
This resolution also adds support to delete existing orphan objects. To enable:

  1. Add these lines to $UEPMDIR/engine/conf/ds.local.properties:
       remove.orphans.from.server=true
       remove.orphans.bulk.size=50

  2. Restart the Endpoint Security services: uepm_stop ; uepm_start
01293476,
01227437
Enhancement: Improved scan progress bar. The new progress bar contains 3 stages: "Creating Objects", "Attaching Group Members" and "Updating Deleted Objects".
01293474 Enhancement: Improved scanning time and lower memory consumption of database.
01293492,
01242482
Directory scan does not start (stuck on 0%) because of insufficient permissions on the search base.
01293515 DirectoryScanner view does not contain any information that tells the user that DirectoryScanner has stopped scanning for some reason.

Fix: Last Scan column added in the Directory Scanners view.
01293500,
01245685
If a username with a comma is deleted from the Active Directory and moved to 'Deleted users/Computers', it cannot be deleted from SmartEndpoint.
01293442,
01024974
When creating a new DS instance on a large AD environment, a timeout message is shown.

Fix: Improved performance in large ADs. When creating a new DS instance, get only the first AD level.
01252954 Enhancement: Added SmartConsole support for Mac clients with Media Encryption.
01247474 Enhancement: Added Japanese localization to SmartEndpoint management.
01266047 Temporarily Disable Preboot (WOL) does not work.
01293490,
01227442
Added support to skip users or computers in scans.
To enable:
  1. In $UEPMDIR/engine/conf/ds.local.properties:
    • Change the value of should.scan.users to false, to skip users.
    • Change the value of should.scan.computers to false, to skip computers.
  2. Restart the Endpoint Security services: uepm_stop;uepm_start
01312501, 01303989 Vulnerability Scanner detects Cross-Frame Scripting (XFS) vulnerability on Endpoint Security Server.
Refer to sk103503.
User Authority
01288683,
01289928,
01289929,
01289930
User Authority Server (UAS) does not start on 64-bit Security Gateway:
[Expert@HostName]# uagstart
UAS: Loading UAS driver ...
mknod: missing operand after `0'
Try `mknod --help' for more information.
chmod: cannot access `/dev/uag0': No such file or directory
UAS: UAS driver was loaded successfully
UserAuthority: Starting driver
Unable to open '/dev/uag0': No such file or directory
UAG module: Can't open UAG device
UserAuthority: Driver load failed
Refer to sk97087.
