Jumbo Hotfix Accumulator for R77.10 (gypsy_hf_base_021)

Solution ID sk98285
Product All
Version R77.10
OS Gaia
Platform / Model All
Date Created 03-Feb-2014
Last Modified 19-Jan-2016

Solution
Table of Contents:

Introduction
Availability
Important Notes
List of resolved issues per Take
Installation instructions
Uninstall instructions
List of replaced files per package

Introduction
R77.10 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues in different products.

This Incremental Hotfix and this article are periodically updated with new fixes.

The list of resolved issues below describes each resolved issue and provides the Take number in which the fix was included. A resolved issue is included in the Incremental
Hotfix starting from the Take number listed in this table (inclusive). The date on which each Take was made available is also listed in the table.

Availability
Contact Check Point Support to get the Jumbo Hotfix Accumulator (CPUSE Identifier, or the package file).

Latest available Take is:

Take Date

Take_171 03 Jan 2016

Important Notes
Refer to sk98028 (Jumbo Hotfix Accumulator FAQ).

This Jumbo Hotfix Accumulator is suitable only for Gaia OS (SecurePlatform / Linux / IPSO / Windows OS are not supported).

Each "Take" of this Jumbo Hotfix Accumulator is always based on latest GA Take of Check Point R77.10.

It is recommended to install Jumbo Hotfix Accumulator on all the R77.10 machines in the environment - Security Gateways / Management Servers / etc. running on
Gaia OS.

This Jumbo Hotfix Accumulator is suitable for these products and configurations:

Security Gateway
Cluster
VSX
Security Management Server
Multi-Domain Security Management Server
Standalone machine (Gateway + Management)
Log Server
SmartEvent Server
SmartReporter Server

Installation of this Jumbo Hotfix Accumulator () is not supported on Smart-1 205, 210, 225, 3050 and 3150 appliances (sk98931).
These Smart-1 appliances are installed with special R77.10 ISO, which contains another Jumbo Hotfix Accumulator ().
Since the '' is not a part of '', installation of this Jumbo Hotfix Accumulator () will fail due to a conflict.

Refer to sk103270 - Virtual Systems in Bridge Mode are "Down" after installing Jumbo Hotfix Accumulator for R77.10 (gypsy_hf_base_021).

Refer to sk102949 - 10GB interfaces are not recognized anymore (disappear) on Gaia OS after installing Take_62 of Jumbo Hotfix Accumulator for R77.10
(gypsy_hf_base_021).

List of resolved issues per Take


ID Product Symptoms

Take 171 (31 Dec 2015)

01877390 All General stability fixes.

Take 167 (19 Nov 2015)

01667373,
01685955,
01823953,
01467047, Check Point response to CVE-2015-2808 (Bar Mitzvah) and OpenSSL CVE-2015-1789.
All
01729491, Refer to sk106499.
01614223,
01695195,
01667373

01836315,
SecureXL sends the traffic with Destination MAC Address 00:00:00:00:00:00.
01777564, SecureXL
Refer to sk107436.
01830876

01853542,
IKE Phase 1 with DAIP device fails after IP address of DAIP device was changed.
01410617, VPN
Refer to sk101911.
01853541

Users cannot use the real IP address of DAIP gateway when using the 'vpn tu' command.
01856813 VPN
Refer to sk100346.

The vpn tu command shows the real IP address when using the command to show the tunnels, but when using one of the delete
01395232,
VPN commands, it does not accept the real IP address to delete the tunnel.
01856807
Refer to sk100346.

BGP routemaps stop working correctly after Gaia OS upgrade from R75.4X / R76 versions to R77.10 and later versions.
01858183 Gaia OS
Refer to sk108497.

01824547,
01824341, VPN and/or NAT traffic between accelerated and non-accelerated interfaces, or between non-accelerated interfaces, is not
Security Gateway
01376344, allowed.
01847677

01858058, With ICS and SSL Network Extender (SNX) enabled, the ICS failure may cause the license count problem. As a result, users cannot
01413750, Mobile Access connect to MAB portal.
01699327 Refer to sk101129.

Take 151 (14 Oct 2015)

Check Point response to CVE-2015-2808 (Bar Mitzvah) and OpenSSL CVE-2015-1789.


01810846 All
Refer to sk106499.

Output of 'ps auxw' command after reboot shows multiple 'clishd' processes in state "Z" (zombie) with "defunct" arguments.
01821747 Gaia OS
Refer to sk105953.

'raid_diagnostic' command, SmartView Monitor, 'cpstat' command and 'snmpwalk' command show "MISSING" state for some
01810668 Gaia OS harddisks.
Refer to sk104580.

The /etc/snmp/userDefinedSettings.conf file on Gaia OS (see sk79280) is overwritten during a hotfix installation.
01820171 Gaia OS
Refer to sk107861.

Custom changes made to the /etc/cpshell/log_rotation.conf file following sk36798 do not survive Jumbo hotfix installation - after
01824360 Gaia OS
installation it goes back to the default.

01808293, CVPND daemon crashes when the user/application calls for two factor authentication in Mobile Access Portal using SMS, but the
Mobile Access
01819371 user has no phone number defined.

01825560,
01385102,
01400575,
01405365, Output of 'cphaprob syncstat' command does not show any peers: 'IDs of F&A Peers - None' .
ClusterXL
01431662, Refer to sk98167.
01433263,
01576856,
01612685

01831575, Although CCP mode is set to Broadcast, Delta Sync packets are sent over Sync interface(s) as Multicast.
ClusterXL
01693578 Refer to sk101132.

01827150 SecureXL ADP monitor hangs and crashes with "ADP slot N possibly hung".

01812924 SecureXL SAM log collection framework when host crashes with "ADP slot N possibly hung".

01810487 SecureXL SAM log collection framework issues.

Take 144 (16 Aug 2015)

01745344,
'routed' daemon might crash when running routing commands in Gaia Clish.
01524421, Security Gateway
Refer to sk103432.
01526432

01746639, SNMP query for CPU usage by each Virtual System (OID 1.3.6.1.4.1.2620.1.16.22.2) returns 0 (zero) values.
VSX
01469254 Refer to sk102434.

Take 143 (5 Aug 2015)

Improved memory training logic for "SAM-108-V2" card (memory training is a task performed by the hypervisor to get a sense of
01722124 SecureXL the timing necessary for the pins out of the memory controller on the card's processor to achieve maximum throughput to the
onboard DIMMs while maintaining reliability).

The "mdscmd adddomain ..." command / "mdscmd addlogserver ..." command creates Domain Management Server / Domain
Multi-Domain Security Log Server with wrong build number. As a result, SmartDashboard shows "R77" version instead of the real version "R77.10" /
01715922
Management Server "R77.20".
Refer to sk103958.

01732224, Clish command "show asset all" returns incorrect Chassis and Motherboard information on G-series of 21000 appliances.
Gaia OS
01734652 Refer to sk103711.

Take 140 (9 Jul 2015)

In certain scenarios when both CoreXL and SecureXL are enabled, despite setting '' per
sk26874, user still cannot simultaneously ping Virtual IP address of the cluster and IP addresses of physical interfaces on cluster
00266575 ClusterXL
members from a remote host.
Refer to sk98699.

/var/log/messages file on Security Gateway running Gaia OS and SmartView Tracker logs from Security Gateway running Gaia OS
repeatedly show the following messages about Hardware Sensors:

Several times per second in /var/log/messages file:


  
 
01712480,  
01399215,
Gaia OS
01649011, Every minute:
01595558  

Repeatedly in /var/log/messages file:


 
 

Refer to sk79140.

01712212,
01364855, After reboot of Gaia OS, some interfaces are named as 'ethX_rename'.
Gaia OS
01473986, Refer to sk97446.
01393166

SNMP Trap for a monitored process that runs under different names generates SNMP Trap Alert although this process is not
01712298,
Gaia OS down.
01428542
Refer to sk101446.

01713421,
SNMP query for any OID under 1.3.6.1.4.1.2620.1.6.7.5 (multiProcTable) returns 0 (zero).
01479338,
Gaia OS Refer to sk98570.
01712387

01712214,
01430113,
Gaia OS SNMPD daemon crashes.
01428858,
01392708

Take 139 (1 Jul 2015)

VSX R77 and above does not generate syslog messages and SNMP traps about Connections Table capacity.
01699276 VSX
Refer to sk106137.

Take 138 (28 Jun 2015)

01702071 SecureXL SAM crash when SecureXL is enabled.

Take 137 (17 Jun 2015)

Gaia OS, RouteD daemon on Gaia cluster consumes CPU at high level when Master quits.
01691164
ClusterXL Refer to sk103352.

01504500, Memory leak in PDPD daemon related to ADQuery.


Identity Awareness
01690981 Refer to sk106422.

Take 135 (14 Jun 2015)

01689960 Identity Awareness Memory usage (RSS) of pepd process increased by ~70% within 48 hours.

Memory leak in PDPD daemon related to ADQuery.


01688636 Identity Awareness
Refer to sk106422.

Multi-Domain Security FWD daemon does not start on a specific Domain.


01689713
Management Server Refer to sk102097.

Take 133 (03 Jun 2015)

Enhancement for Check Point 21000 series appliance with SAM card: Statistics for network memory buffers is now available via
"ipsctl -a" command under:
net:dev:adp:ipsctl:slot:<N>:kern:mbuf:stats
01675477 SecureXL
Description: An "mbuf" is a basic unit of memory management in the kernel IPC subsystem. Network packets and socket buffers
are stored in mbufs. A network packet may span multiple mbufs arranged into a mbuf chain (linked list), which allows adding or
trimming network headers with little overhead.

01680044 SecureXL 21800 appliance with SAM card might crash if more than 32 CPU cores are used.

01680145 SecureXL Improved support for SAM card on 21800 appliance.

01678047 SecureXL Check Point appliance with SAM card might crash when removing a slave interface from bonding group.

01679951,
01383687, SecureXL Check Point appliance with SAM card might crash when removing a slave interface from bonding group defined on SAM ports.
01383321

01680181, Some connections are dropped as out of state after failover in ClusterXL HA mode on 21000 appliances with SAM card.
SecureXL
00266698 Refer to sk101287.

21000 series appliance with SAM card might crash in specific scenario when accessing the /dev/tilegxpci*/boot for reading or
01676648,
SecureXL writing.
01499723
Refer to sk103209.

01678897 SecureXL Improved bonding driver for SAM card (when a port crashes, the bonding interface will not be deleted).

01677946 SecureXL Traffic does not flow through SAM card when running tcpdump on SAM ports.

00267288,
SecureXL When gateway is under load, after 2 mins VPN Traffic stops completely with Huawei eNodeB
00266165

Check Point 21000 series appliance with SAM card might crash due to exhaustion of all memory when there is an inbound clear
01676324,
SecureXL, VPN traffic that should have been encrypted (such traffic is correctly dropped, but sending notifications from SAM card to the FireWall
01383871
about such clear text packets received on encrypted connections might consume valuable memory).

Multi-Domain Security "mdscmd" command with "-i" option fails to resolve the Domain Management Server Name by IP address.
01674054
Management Server Refer to sk105172.

01659095,
Security Gateway Added support for the Full IRQ feature.
01442459

01675259,
01400363, FireWall-1 GX After policy installation traffic from encryption side is stalled and long connections stop working.
01383686

01675233,
FireWall-1 GX After policy installation encrypted traffic stalls if connection is initiated from the decrypt side.
00266402

When the external interface ARP entry is deleted by the OS, all the encryption packets will be forwarded from SAM to Host. As a
01676483 Hardware
result, Security Gateway crashes with kernel panic.

01678100, Traffic outage increased when running cpstop on VSX VSLS cluster once the number of VSs is increased.
01408821, VSX
01405807 Refer to sk99038.

Take 131 (14 May 2015)

01664843, Security Management


01644959, Server / Multi-Domain Check Point response to the POODLE Bites vulnerability (CVE-2014-3566) - prevent Internal CA (ICA) Portal from using SSLv3.
01638481, Security Management Refer to sk102989.
01640415 Server

01635047,
01410174, Browser-based Authentication Guests are timed out by Identity Awareness after 10 minutes.
Identity Awareness
01424645, Refer to sk101503.
01621439

01635048, "Table pdp_sessions entries limit (90000) reached" critical system alert messages in SmartView Tracker.
Identity Awareness
01427172 Refer to sk101288.

01635050, Identity Agent is disconnected from Security Gateway, and it takes a long time to reconnect.
Identity Awareness
01458809 Refer to sk99030.

01635051, Identities are not shared with all gateways.


Identity Awareness
01479698 Refer to sk101369.

01644637, PDP daemon might crash when PEP daemon disconnects from it.
Identity Awareness
01398550 Refer to sk98526.

01644571, Kerberos Authentication timeout for Browser-Based Authentication.


Identity Awareness
01382918 Refer to sk100168.

01633369,
PDP daemon crashes with core dump files after upgrade.
01457006, Identity Awareness
Refer to sk98342.
01362696

01636834, Output of command 'pep show user query cid IP_Address_of_Terminal_Server' does not show identities when Identity Agent is
01555558, Identity Awareness installed on Terminal Server / Citrix Server.
01552306 Refer to sk104115.

01638279, PEP sends register and unregister requests within the same trap handling.
Identity Awareness
01585333 Refer to sk101369.

01463118, RADIUS users with UID=0 and /bin/bash as the default shell, receive UID=96 and do not get the permissions to execute Check
Gaia OS
01661731 Point commands.

01661734, "sudo: sorry, you must have a tty to run sudo" error upon SCP connection to Gaia OS using RADIUS SuperUser / non-SuperUser
01463117, Gaia OS with default shell /bin/bash and uid=0 on the involved Gaia OS.
01503168 Refer to sk106044.

01460637,
ClusterXL The OID 1.3.6.1.4.1.2620.1.5.6.0 returns a value with a new line, causing SNMP managers difficulties parsing the value.
01659098

01664178,
01430677, SmartView Monitor randomly shows the state of a 3rd party cluster member (e.g., VRRP) as "Active attention".
ClusterXL
01407594, Refer to sk98698.
01426889

01656044, RouteD daemon might crash on Gaia VRRP cluster member if a fail-over is triggered on an interface with VLANs.
ClusterXL
01651492 Refer to sk105957.

01661560,
R76 / R77 / R77.10 / R77.20 takes long time to reboot / start Check Point services.
01527202, Security Gateway
Refer to sk103822.
01654109

Take 127 (29 Apr 2015)

Amount of transmitted traffic in Application Control Accounting logs is much higher than the amount of transmitted traffic
01638982 Application Control reported by the relevant outbound interface.
Refer to sk103071.

Per Microsoft Advisory 2880823, SHA-1 Hashing Algorithm for Microsoft Root Certificate Program is being deprecated.
01639154, SHA-256 will be used instead of SHA-1 in certificates generated by the Security Gateway when inspecting connections to servers
01642700, using an SHA-256 certificate.
HTTPS Inspection
01549650, SHA-1 will only be used in certificates generated by the Security Gateway when inspecting connections to servers using a SHA-1
01600954 certificate.
Refer to sk103839.

01629081,
URL Filtering blocks HTTPS web sites with "Internal System Error occurred" log when "Categorize HTTPS sites" and "Fail-close"
01502668,
URL Filtering are enabled.
01550598,
Refer to sk102866.
01430167

01629050 VSX FWK process might crash with core dump when collecting kernel debug.

01625763,
01467996, Gaia backup on VSX R77.10 machine does not collect the contents of $CVPNDIR directory.
VSX
01455461 Refer to sk102027.

01633698,
01412667, Gaia clishd daemon becomes unstable and might crash with core dump file.
Gaia OS
01470486, Refer to sk98329.
01395397

Check Point response to Leap Second introduced in UTC on 30 June 2015.


01625915 Gaia OS
Refer to sk104560.

Take 122 (15 Apr 2015)

01613474, Link Translation domain does not work - some links are not included/excluded from translation domain.
Mobile Access
01467856 Refer to sk105565.

01621015,
Security Gateway configured as Proxy occasionally stops processing all traffic.
01450548, Security Gateway
Refer to sk102134.
01584548

01624462,
01323769, Security Gateway might crash during boot if drop optimization is enabled in 'Firewall Policy Optimization' per sk90861.
SecureXL
01624548, Refer to sk105182.
01526386

01625656,
SecureXL SAM core file debug enhancement.
00266756

01619486,
01475358, Adding cluster member with a higher fwha_version causes a traffic outage.
ClusterXL
01618121, Refer to sk104567.
01572817

Take 118 (23 Mar 2015)

01605112,
01438052, Security Gateway might crash during policy installation in rare scenarios.
Security Gateway
01547468, Refer to sk102787.
01443612

Take 116 (16 Mar 2015)

01604166,
Check Point response to TLS FREAK Attack (CVE-2015-0204).
01604933, General
Refer to sk105062.
01602805

01604263,
01549950, Connections with servers that use certificates signed with "SHA-256" might fail due to libcurl incompatible API call.
General
01599469, Refer to curl bug 848.
01562156

01579792,
01529122,
Hardware SAM module - Migrate to MDE 4.1.7
01441198,
01472572

01585337, Virtual System does not respond to SNMP query after in-place upgrade to R75.40VS / R76 / R77 / R77.10 / R77.20.
Gaia OS, VSX
01598790 Refer to sk102232.

01595732, confd process consumes CPU at high level on Gaia OS due to large size of Gaia Database (/config/db/initial_db).
Gaia OS
01605966 Refer to sk104761.

01493120,
01338428, TACACS+ and RADIUS users cannot use the set virtual systems command in a VSX environment. Use local users for
VSX
01494538, authentication instead.
01493089

01430907,
Policy install during link probing session sometimes causes VPN outage.
01596800, VPN
Refer to sk101532.
01488486

01474694,
Remote Access VPN clients are not assigned their static IP addresses configured in $FWDIR/conf/ipassignment.conf file, but
01606476,
VPN from a general Office Mode IP Pool.
01463675,
Refer to sk105162.
01606626

Take 108 (17 Feb 2015)

01579763,
VPN Memory leak in VPND process in getMEPTopology.
01382831

"  " error on the VPN client and in SmartView Tracker when using ipassignment.conf file to
01579902 VPN assign Office Mode IP address.
Refer to sk95088.

Take 107 (12 Feb 2015)

01572987, Check Point Response to CVE-2015-0235 (glibc - GHOST).
01569696 General Refer to sk104443.

Security Management
Server / Multi-Domain
01567655 Rules with Address Ranges are not verified correctly by the policy verifier.
Security Management
Server

01568041 Identity Awareness After a failover in a VRRP cluster, the connection between the PDP and the PEP stays connected to the "old" MASTER PEP.

01531477, 21000 series appliance with SAM card crashes when disabling SecureXL with 'fwaccel off' command and during / after policy
01550638, SecureXL installation.
01426122 Refer to sk101451.

01551843,
00266716, Security Gateway with enabled SecureXL might crash when running the 'fw ctl failmem' command per sk100766.
SecureXL
00266160, Refer to sk102719.
01425602

01558055, SAM acceleration card memory leak, happened because memory buffer was not freed after discarding a descriptor with an
SecureXL
00266773 invalid IP header checksum.

01558054,
01392200,
SecureXL Kernel panic while running overnight UDP traffic with different UDP source port numbers.
00266312,
00266792

01558053,
Duplicate traffic on SAM interfaces on 21700 Appliance.
00266757, Hardware
Refer to sk98954.
00266531

01550633, SAM card on 21000 appliances might crash during boot if the number of configured CoreXL FW instances is equal to the number
01397083, CoreXL of CPU cores on the appliance (e.g., there are 16 CPU cores, and 16 CoreXL FW instances were configured).
01557534 Refer to sk100546.

01555951, Blocking NTP access on Gaia OS / IPSO OS (CVE-2013-5211).


Gaia OS
01344996 Refer to sk98758.

Suppress the messages printed by the Cluster Under Load (CUL) mechanism (see sk92723) in the /var/log/messages file and in
01570459,
Cluster the dmesg.
01463146
Refer to sk101649.

Standby cluster member drops packets on Anti-Spoofing when VMAC mode is enabled.
01578189 Cluster
Refer to sk100405.

Check Point appliance with SAM card might crash when removing a slave interface from bonding group defined on SAM ports.
01559695 Gaia OS
Refer to sk104358.

Running config_system utility causes issues with NTP settings through Gaia Web Portal.
01567438 Gaia OS
Refer to sk100729.

Extra "chkpntTrapOID" field is defined in /etc/snmp/GaiaTrapsMIBs.mib file.


01567437 Gaia OS
Refer to sk100196.

A user created in Gaia Portal with '/bin/bash' shell and 'monitorRole' role gets admin permissions upon login - this user is able
01573709 Gaia OS to execute any command in Expert mode and in Clish.
Refer to sk101650.

01553898,
"cp_ipaddrs:SIOCGIFCONF failed: Bad address" error when starting a user mode process under valgrind on Gaia OS 64-bit.
01342859, Security Gateway
Refer to sk103768.
01535250

01570407, The funcchain process frequently crashes with core dump.


Security Gateway
01446442 Refer to sk98151.

Some fields in SNMP Trap packet sent by SecurePlatform / Gaia OS are in the wrong order.
01567439 Security Gateway
Refer to sk100455.

01380553, Multi-Queue configuration might be reset during reboot on VSX Gateway.


VSX
01568713 Refer to sk98945.

01573511,
01432703, Security Gateway with enabled IPS blade might crash in "cmi_context_get_status ()" function.
IPS
01550908, Refer to sk104642.
01445637

01514487, Push Notifications might be dropped by the updated IPS protection "Secure Socket Layer (SSL) v3.0" released on 15 Oct 2014.
Mobile Access
01505419 Refer to sk102989.

Take 92 (08 Jan 2015)

Security Gateway with enabled HTTPS Inspection crashes repeatedly.


01537085 HTTPS Inspection
Refer to sk108653.

Application Control policy with distributed Identity Awareness rules may cause Security Gateway to crash when processing a UDP
01539945 Application Control
domain connection.

01540706, IPS, Application


RTSP over HTTP traffic might cause high CPU load on Security Gateway when HTTP inspection on non standard ports is enabled.
01535816, Control, URL Filtering,
Refer to sk103113.
01430984 Anti-Bot, Anti-Virus

01543277,
01535899,
Possible memory leak on Security Gateway when duplicate packets are received (e.g., during packet retransmission).
01450816, Security Gateway
Refer to sk103077.
01492069,
01543260

Specific traffic is dropped by Security Gateway, although it should be accepted by the relevant security rule because in FireWall
01547529 Security Gateway rulebase, the Service may be evaluated before evaluating the Source or the Destination.
Refer to sk97876.

01542832,
Gaia OS Clish command save configuration does not save the SNMP mode - "set snmp mode VALUE".
01535506

RouteD daemon might consume CPU at high level on Standby / VRRP Backup cluster member.
01546302 Gaia OS, ClusterXL
Refer to sk105863.

Random flapping of OSPF neighbors in Gaia OS cluster under load.


01549785 Gaia OS, Cluster
Refer to sk105865.

Take 88 (29 Dec 2014)

01515864, Check Point response to the POODLE Bites vulnerability (CVE-2014-3566).


All
01525174 Refer to sk102989.

01514018,
Security Management,
01493654, Improved security in ICA Management Tool against Cross-Site Request Forgery (CSRF) attack.
Multi-Domain Security
01520272, Refer to sk102837.
Management Server
01522317

01513569,
Security Gateway Improved inspection of RPC protocol.
01509612

01526439,
Security Gateway Improved inspection of CIFS protocol.
01502480

Security Gateway with enabled SecureXL might crash when processing a packet with Multicast Source IP address and Unicast
01526344 Security Gateway Destination IP address.
Refer to sk108818.

01522806,
01398865,
Security Gateway In Cluster HA setup, kernel panic during heavy load when syslog is configured.
01524482,
01510633

01505419, Push Notifications might be dropped by the updated IPS protection "Secure Socket Layer (SSL) v3.0" released on 15 Oct 2014.
Mobile Access
01514487 Refer to sk102989.

01515939, Disable SSLv3 (and force TLSv1.0) in Mobile Access Blade when connecting to internal HTTPS servers (due to POODLE Bites
Mobile Access
01498500 vulnerability).

01513476, Improved support for SHA-256 signed certificates.


Mobile Access
01511308 Refer to sk101541.

01523791,
01507153, Mobile Access support for SHA-256 signed certificates.
Mobile Access
01507285, Refer to sk101541.
01431706

Security Gateway might crash in the following scenario:

1. SecureXL is enabled
01521578 SecureXL 2. Value of kernel parameter sim_ipsec_dont_fragment is set to 1
3. VPN tunnel needs to pass fragmented packets

Refer to sk101219.

01521559, Traffic sent over VPN tunnel does not reach its destination because SecureXL does not start fragmenting the packets.
SecureXL
00266020 Refer to sk98070.

01535357, SecureXL,
Security Gateway might crash when inspecting multicast traffic. SecureXL does not accelerate multicast traffic.
01526084, Security Gateway,
Refer to sk103698.
01526086 ClusterXL, VSX

01522830,
01523051,
01497322, SecureXL Security Gateway might crash when SecureXL is enabled.
00266772

01522792,
21000 series appliance with SAM card crashes during / after policy installation.
01510636, SecureXL
Refer to sk101451.
01524862

01526474,
01528105, When enabling SAM card with SecureXL and ClusterXL Unicast Mode, traffic is dropped.
SecureXL
01481039, Refer to sk102246.
01528107

01508340,
Identity Awareness Improved handling of URL in Captive Portal (to prevent execution of JavaScript in the URL).
01522353

Traffic outages and routing table drops in ClusterXL High Availability in Primary Up configuration.
01352765 Cluster
Refer to sk98168.

TLSv1 "Server Hello" packets are dropped by Application Control of HTTPS.


01516725 Application Control
Refer to sk100971.

01365409, VPN, Multiple Authentication Schemes with certificate not enforced correctly on Check Point Mobile VPN clients.
01531234 IPsec VPN Refer to sk98592.

HTTPS Inspection, IPS,


DLP, Identity
Awareness, URL Check Point response to the TLS 1.x padding vulnerability (POODLE attack against a TLS connection).
01532514
Filtering, Mobile Refer to sk103683.
Access, VPN,
Application Control

01534321, After adding a new USM (User-based Security Model) user, query from vs0 on vs2 works with user credentials, but after setting
01394079, VSX the SNMP agent off and on again, same query with same user credentials responds with: "snmpwalk: Unknown user name".
01462305 Refer to sk100218.

Take 77 (20 Nov 2014)

01391617,
01442718, Security Gateway Manual Client authentication unexpectedly fails when connecting to the Security Gateway on port 900.
01512394

Security Gateway might crash when IPv6-over-IPv4 security rule is configured (with service SIT_with_Intra_Tunnel_Inspection),
01513354,
Security Gateway but IPv6 is disabled on Security Gateway.
01513872
Refer to sk103526.

Check Point response to the POODLE Bites vulnerability (CVE-2014-3566) - prevent Mobile Access Blade from using SSLv3 when
01501099,
Mobile Access connecting to application servers.
01510288
Refer to sk102989.

01505921,
01386431, Added support for collecting Connections per Second statistics through SNMP (new OID is .1.3.6.1.4.1.2620.1.1.26.11.6 -
Gaia OS
01381334, .iso.org.dod.internet.private.enterprises.checkpoint.products.fw.fwPerfStat.fwConnectionsStat.fwConnectionsStatConnectionRate
01505679

01510874,
SNMPD daemon might crash with "Program terminated with signal SIGABRT, Aborted" message when querying Check Point
01471576, Gaia OS
OIDs.
01511636

01493236, monitord and confd processes consume 100% CPU.


Gaia OS
01511924 Refer to sk102988.

01426068, After a reboot the Gaia system loads without Clish and without static routes.
Gaia OS
01515176 Refer to sk101501.

Check Point response to the POODLE Bites vulnerability (CVE-2014-3566) - prevent web browsers from connecting with SSLv3 to
01505622,
HTTPS Inspection internal servers through Inbound HTTPS Inspection.
01501121
Refer to sk102989.

Take 72 (30 Oct 2014)

01493588, Improvement in negotiation rate of HTTPS traffic through Security Gateway R76 and above.
HTTPS Inspection
01493587 Refer to sk103081.

Security Management
01501318, Check Point response to the POODLE Bites vulnerability (CVE-2014-3566) - prevent Management Portal (SmartPortal) from using
Server, Multi-Domain
01499586, SSLv3.
Security Management
01499587 Refer to sk102989.
Server

Take 67 (12 Oct 2014)

CVE-2014-6271 Bash Code Injection vulnerability (shellshock).


01489771 Gaia OS
Refer to sk102673.

Take 64 (28 Sep 2014)

Data transfer is slow on Security Gateway running Gaia OS via Intel 10 GB Ethernet Adapter, which uses IXGBE driver.
01481648 Gaia OS Refer to sk102713.

Take 62 (17 Sep 2014)

VSX 'fwk' process might crash on Virtual Systems with enabled Application Control blade.
01471922 VSX
Refer to sk102720.

VPND daemon might crash during policy installation.


01461368 VPN
Refer to sk102716.

01382318, Clish or Gaia Portal might become unresponsive.


Gaia OS
01475757 Refer to sk100174.

Security Gateway might crash when running 'fw ctl failmem' command per sk100766.
01471887 Security Gateway
Refer to sk102719.

ClusterXL member with enabled HTTP/HTTPS Proxy might crash while internal client downloads a big file through the HTTP
1461361 Cluster proxy.
Refer to sk102714.

Take 61 (09 Sep 2014)

Security Gateway might crash when available memory is low.


01467589 Security Gateway
Refer to sk102719.

01468193, Traffic over remote access VPN tunnels is interrupted during policy installation onto VPN Gateway.
VPN
01459083 Refer to sk98914.

Mobile Access Portal might become unstable if an authenticated user sends a password that contains Extended ASCII characters
01469797 Mobile Access (e.g., euro).
Refer to sk102487.

01463408, Improved support for hardware in Smart-1 205 / 210 / 225 / 3050 / 3150 appliances.
Gaia OS
01401089 Refer to sk98931.

01398870,
01469745, SNMPD process crashes with core dump files.
Gaia OS
01418605, Refer to sk100514.
01440524

Threat Prevention Security Gateway with enabled Anti-Virus blade might crash during Anti-Virus scan of a file transferred over File Share (Common
01468191 (Anti-Bot / Anti-Virus / Internet File System, CIFS).
Threat Emulation) Refer to sk102488.

Threat Prevention
Security Gateway with enabled Anti-Virus blade / Anti-Bot blade and policy 'Action' set to 'Prevent' might crash under high load.
01467858 (Anti-Bot / Anti-Virus /
Refer to sk102489.
Threat Emulation)

Take 57 (31 Aug 2014)

01465990 | SmartEvent | Memory leaks in 'cpsemd' process on SmartEvent server when it fails to connect to log storage. Refer to sk102266.

01465966, 01383011 | VPN | "Failed to allocate an IP address" error when using 'ipassignment.conf' file to assign Office Mode IP address and Check Point Mobile VPN clients for Android/iOS. Refer to sk95088.

01466269 | VPN | Memory leak in VPN code. Refer to sk102267.

Take 55 (27 Aug 2014)

01465357 | DLP | Memory consumption on DLP Gateway constantly increases when SMTP / HTTP inspection is enabled. Refer to sk102211.

Take 54 (25 Aug 2014)

01406839, 01464194 | Gaia OS | 'cpstat os -f sensors' command does not show the hardware sensors information on some Open Servers. Refer to sk102193.

01463847, 01367463 | Mobile Access | SNX client is rejected with "Access denied - wrong user name or password" error in Mobile Access Portal when trying to change the password. Refer to sk95026.

01460773 | Security Gateway | Security Gateway under high traffic load might freeze after several days of uptime. Refer to sk102190.

Take 51 (18 Aug 2014)

01413125, 01382403 | Cluster | Active member in ClusterXL HA Primary Up mode running on Gaia OS frequently reboots when PIM SM is configured and multicast traffic is passing through. Refer to sk99042.

01456935 | Cluster | FWD daemon crashes on Security Management Server / Domain Management Server with core dump file when creating new Security Gateway objects with Identity Awareness blade. Refer to sk102120.


01453671 | VPN | VPND daemon crashes randomly in an environment used by both IPSec SNX and Check Point Mobile app (iOS/Android). Refer to sk98448.

01410612 | URL Filtering / Application Control | Security Gateway with enabled Application Control blade might crash after resetting SIC in 'cpconfig' menu and exiting from 'cpconfig' menu. Refer to sk102121.

Take 48 (30 Jul 2014)

01448755, 01345486 | VPN | VPN Security Gateway might crash after policy installation. Refer to sk98279.

01444143, 01444357, 01415010 | VSX | SNMP query for 'vsxCounters' (OID .1.3.6.1.4.1.2620.1.16.23) returns incorrect values after deleting a Virtual System. Refer to sk101477.

Take 46 (07 Jul 2014)

01431718, 01354036 | VPN | "No Such Object available on this agent at this OID" error when running 'snmpwalk' on Check Point OID 1.3.6.1.4.1.2620.500. Refer to sk97530.

01433800, 01422633, 01433795, 01430262 | Mobile Access | Disabling Mobile Access 'Content-Analyzer' feature for specific host. Refer to sk101076.

01407353, 00266763, 01438463 | SecureXL | SecureXL drops UDP connections with "Dropped Traffic: dropped by handle_outbound_pac, Reason: connection not found". Refer to sk101134.

Take 43 (25 Jun 2014)

01421084, 01369718 | Cluster | ClusterXL forwarding of ARP Reply packets might cause duplicate entries on some Layer-3 devices connected to the cluster. Refer to sk98417.

01429528, 01433211, 01412797 | SecureXL | SmartView Monitor Real Time Monitoring views show incorrect information regarding traffic that is passing through the Security Gateway (significantly smaller amount than actual traffic). Refer to sk101107.

Take 42 (22 Jun 2014)

01426251, 01426058, 01360076 | VPN, Cluster | ClusterXL with ISP Redundancy sends VPN traffic with wrong source IP address after VPN link failover. Refer to sk98532.

Take 41 (16 Jun 2014)

01424374, 01423889 | Gaia OS | Unable to establish a TCP connection while using Multi-Queue on Bonded interfaces. Refer to sk101120.

Take 40 (16 Jun 2014)

01422203, 01363927 | Security Gateway | The /var/log/messages file on Gaia OS gateways repeatedly shows: modprobe: FATAL: Could not open '/lib/modules/2.6.18-92cpx86_64/kernel/net/ipv6/ipv6.ko'. Refer to sk95222.

Take 39 (15 Jun 2014)

01421282 | Security Gateway | Number of "Gateway to Gateway Tunnels" is not displayed correctly in SmartView Monitor. Refer to sk101349.

Take 38 (11 Jun 2014)

01421180, 01431726 | DLP, Identity Awareness, SmartReporter, Security Management, Multi-Domain Security Management Server, Mobile Access, VPN, Security Gateway | SSL/TLS MITM vulnerability (CVE-2014-0224). Refer to sk101186.

01418898, 01373478 | Gaia OS | SCP (Secure Copy Protocol) backup Gaia OS fails when user password is greater than 16 characters. Refer to sk100215.

01421988, 01417159, 00927546 | Cluster | After change of member state in R77.10 cluster on Gaia OS, Proxy ARP configuration from the $FWDIR/conf/local.arp file (per sk30197) is lost - output of 'fw ctl arp' command on R77.10 cluster member shows "No proxy ARP entries". Refer to sk98853.

01420168, 01453119 | Security Gateway | Output of 'top' command on Security Gateway shows that FWD daemon consumes CPU at 100% when logging rate to Management Server / Log Server reaches ~500 logs/sec. Logs are not sent from Security Gateway to Management Server / Log Server during the issue. Refer to sk101312.

01421867, 01359312 | Security Gateway | ARP table on Security Gateway is cleared after policy installation (which causes traffic outage). As a result, Policy installation progress shows "Success" even if it failed when running the 'fw fetch local' command on Security Gateway.

01421769, 01359339 | Security Gateway | Every few weeks, the Security Gateway suddenly loses all Proxy ARP entries (defined per sk30197). During the issue, output of 'fw ctl arp' command returns "No proxy arps found". Refer to sk98740.

Take 32 (02 Jun 2014)

  directory on Security Gateway / Management Server is filled with 'file...' files.

Example:

  
Security Gateway,
01413775, 
Security Management,
01453199,   
Multi-Domain Security
01396019  
Management Server
 


Note: In addition, must install improved Gaia Software Updates daemon - refer to sk98567.

Security Gateway with enabled Proxy might crash with this stack:


 

01415701,
Security Gateway  
01379819 




Refer to sk101190.

01418617 | VSX | VSX 'fwk' process crashes when running kernel debug of 'WS' module (with 'fw ctl debug -m WS + flags' command). Refer to sk101168.

01413728, 01393797, 01453279 | Security Management, Multi-Domain Security Management Server | Policy Verification takes very long time and eventually times out. Refer to sk98106.

01413833, 01396070, 01453206 | Security Management, Multi-Domain Security Management Server | SmartView Tracker does not display any logs when filtering in 'Origin' column by Security Gateway's object name. Refer to sk98349.

Take 28 (25 May 2014)

01410612 | URL Filtering / Application Control | Application Control Blade does not block some TCP over DNS applications. Refer to sk99044.

01413392, 01413378 | Security Gateway | External VoIP phones are not able to connect to Internal VoIP phones that use Gatekeeper. Refer to sk98970.

01412845, 01417708 | Gaia OS | Core dump files are not compressed on Gaia OS after upgrading from SecurePlatform OS. Refer to sk98341.

Take 26 (19 May 2014)

01410025, 01404681 | Security Gateway | MGCP traffic is dropped with log "Response to unknown Request. Bad Call-ID" after upgrade to R76 / R77 / R77.10. Refer to sk99026.

01410193, 01401878 | VSX | VSX 'fwk' process might crash during Non-Compliant HTTP attack. Refer to sk100431.

Take 22 (14 May 2014)

01408686, 01407752, 01384154 | Security Gateway | When a malformed DHCP relay packet arrives, Security Gateway drops this packet and stops the connection, but the next packet that arrives on the same connection is also dropped, even though it is NOT malformed. Refer to sk100233.

01352765 | Cluster | Traffic outages and routing table drops in ClusterXL High Availability in Primary Up configuration. Refer to sk98168.

01407753, 01405757, 01379842 | SecureXL | Some pings are lost when passing through Security Gateway with enabled SecureXL. Refer to sk99112.

01372714 | VPN | When using Trusted Link, SmartView Monitor incorrectly shows that Site-to-Site VPN tunnel is down.

Take 21 (13 May 2014)

01407571, 01404651, 01396595 | DLP, URL Filtering / Application Control, Threat Prevention (Anti-Bot / Anti-Virus / Threat Emulation) | Random traffic outages when UserCheck is enabled on Security Gateway. Refer to sk100505.

01407894, 01404670, 01375738 | Identity Awareness, URL Filtering / Application Control | When URL Filtering or Identity Awareness is enabled, trying to reach HTTPS sites can sometimes cause the Security Gateway to crash. Refer to sk98935.

Take 20 (11 May 2014)

01405942, 01418762, 01398302 | SecureXL | Output of 'fwaccel stat' command shows:
  Accelerator Status : off by Firewall (too many general errors (Number_Larger_than_10) (caller: cphwd_offload_drop_templates))
  Refer to sk100467 (Scenario 1 - Number of elements in kernel table 'src_ranges_list' exceeds the limit).

Take 19 (07 May 2014)

01405428 | Threat Prevention (Anti-Bot / Anti-Virus / Threat Emulation) | Malicious file might pass instead of being blocked by Anti-Malware in the following specific scenario:
  1. Malicious file is not in cache.
  2. Anti-Virus blade MD5 classification engine is in Hold mode.
  3. Malicious file is detected by Anti-Virus blade MD5 classification engine.
  4. Redirection is possible in that phase of the protocol.

Take 18 (04 May 2014)

01402655 | Cluster | Some IPv6 pings are lost in the following IPv6 topology (ICMPv6 "Neighbor Advertisement" Type 136 packets are dropped due to link collision):
  Host_1 on Net_1 --- ClusterXL HA with IPv6 --- Host_2 on Net_2
  where:
  IPv6 address of Host_1 is NATed to an IPv6 address on Net_2
  IPv6 address of Host_2 is NATed to an IPv6 address on Net_1
  Refer to sk98075.

Take 15 (01 May 2014)

01392855, 01379164, 01379164 | IPS | Traffic rate is decreased significantly when assigning any IPS profile other than 'Default_Protection', or enabling Application Control / URL Filtering / Anti-Virus / Anti-Bot. Refer to sk92527.

01402104, 01375852, 01399125 | URL Filtering / Application Control | Enabling URL Filtering blade and Application Control blade might cause Security Gateway to hang. Refer to sk99027.

Take 14 (30 Apr 2014)

01400606, 01382860, 01401879 | VPN, Mobile Access, Identity Awareness, DLP | A potential stability issue might be triggered by a certain traffic condition when one or more of the following is enabled on Security Gateway:
  IPS blade
  IPsec Remote Access
  Mobile Access / SSL VPN blade
  SSL Network Extender
  Identity Awareness blade
  HTTPS Inspection
  UserCheck
  Data Leak Prevention blade
  Refer to sk100431.

Take 13 (28 Apr 2014)

01395288, 01398288, 01405088 | Threat Prevention (Anti-Bot / Anti-Virus / Threat Emulation) | Potential Denial of Service (DoS), which might be triggered by a certain traffic condition on Security Gateways when Threat Prevention blades are enabled (Anti-Bot blade or Anti-Virus blade). Refer to sk100195.

Take 12 (27 Apr 2014)

01393881, 01375886 | VSX | VSX gateway reboots randomly. Refer to sk100286.

Take 10 (13 Apr 2014)

01381090, 01384237, 01404655 | Mobile Access | Upgrade from R76 with enabled Mobile Access blade and Push Notifications to R77.10 can cause the operating system of the Security Gateway to freeze. Refer to sk101062.

Take 9 (27 Mar 2014)


01383108 | Threat Prevention (Anti-Bot / Anti-Virus / Threat Emulation) | FTP connection in Passive Mode does not work after configuring Anti-Virus Blade to scan FTP traffic. Refer to sk45085.

01383102, 01383104, 01383099 | Security Gateway | SmartView Tracker shows logs about Client Authentication over HTTP and over Telnet, although 'Successful Authentication Tracking' in Client Authentication properties in security rule is set to 'None':
  No Client Authentication Rules Are Available
  Connection Closed by Client
  Refer to sk98966.

Take 8 (26 Mar 2014)

01381690, 01395268 | Threat Prevention (Anti-Bot / Anti-Virus / Threat Emulation) | Threat Emulation MTA behaves like fail-close upon failure, even if fail-open policy is configured. SmartView Tracker shows a Prevent log upon failure due to "Threat scan failed", although "Allow all connections (Fail-open)" is configured. Refer to sk98913.

01381694, 01447071, 01395276 | Threat Prevention (Anti-Bot / Anti-Virus / Threat Emulation) | Anti-Virus Blade might not work on a Virtual System R77.10. Refer to sk98848.

Take 6 (20 Mar 2014)

01379576, 01418504, 01430578 | IPS, URL Filtering / Application Control, Threat Prevention (Anti-Bot / Anti-Virus / Threat Emulation) | Some protections may not work for specific HTTP evasions. Refer to sk98814.

01381133 | Mobile Access | Mobile Access portal is occasionally unresponsive. Refer to sk92847.

01379645, 01414498, 01362385 | URL Filtering / Application Control | URL Filtering drops the traffic with an "Internal Error" log. Refer to sk98743.

01318867, 01321216, 01369738, 01374588 | Security Management, Multi-Domain Security Management Server | Zombie process 'cciss_vol_statu' appears on HP Open Server running Gaia OS. Refer to sk97857.

Take 4 (10 Mar 2014)

01369323, 01440393 | Threat Prevention (Anti-Bot / Anti-Virus / Threat Emulation) | "Check Point Online Web Service failure. See sk74040 for more information." log appears repeatedly in SmartView Tracker when Anti-Virus or Anti-Bot or both are enabled. Refer to sk98717.

01352695, 01380498, 01430638 | Identity Awareness | When an LDAP group is nested in another LDAP group, and the parent group is used in an 'AccessRole', users in the nested group will not be identified as part of the parent group and will not be assigned to this 'AccessRole'. As a result, enforcement based on this 'AccessRole' (within Firewall, Application Control, etc. policies) will be incorrect. Refer to sk98328.

01361452 | Gaia OS, VSX | "KERPHY0069 Static Arp IP instance does not belong to any existing subnet" error in Clish when using the 'add arp static' command to configure a static ARP entry on one of the interfaces that is shown in Clish ('show interfaces' command) with the Funny IP address (IP address that belongs to Internal VSX Communication network). Refer to sk98852.

01358795, 01380304, 01352316 | Gaia OS | The following messages appear in /var/log/messages file:
  syslogd: sendto: Invalid argument
  syslogd: sendto: Bad File Descriptor
  syslogd: sendto: Connection refused
  Refer to sk83160.

01351121 | Gaia OS | SNMPD process crashes with "Segmentation fault" error. Refer to sk98066.

01367709, 01365028 | Gaia OS | SNMPD daemon fails to start / crashes on Gaia OS. Refer to sk98324.

01350524, 01453179 | Security Gateway | Dynamic Object LocalMachine_All_Interfaces on ROBO gateway does not include all the interfaces that were configured in SmartProvisioning GUI. Refer to sk98418.

01372940 | Security Gateway | When SCCP video conference is initiated, the VoIP phone hangs with "Connection to server lost, temporary error". Refer to sk98836.

01352765 | Cluster | Traffic outages and routing table drops in ClusterXL High Availability in Primary Up configuration. Refer to sk98168.

01365459, 01430380, 01418503 | CoreXL | Kernel debug 'fw ctl debug' command is not applied to all CoreXL FW instances in R77.10. Refer to sk98625.

01372862, 01355363 | VPN | VPND memory usage rises steadily until the machine runs out of memory. Refer to sk98388.

01353120 | Mobile Access | "Access Denied. The format or content of your request has been detected as invalid or unsafe (400)" error when accessing Outlook Web Access (OWA) through Mobile Access Portal. Refer to sk98215.

01349469, 01345987 | SSL Network eXtender (SNX), Mobile Access | Updating SNX client to the latest version on Security Gateway. Refer to sk97702.
  Some SSL VPN functionality breaks (such as ESOD scan, SNX, Native Application launch, etc.) as a result of a Java update to version 7 update 51 (7u51) and above. Refer to sk97987.

01361419, 01447069, 01395373 | Security Management, Multi-Domain Security Management Server | After switching the active FireWall log on the Log Server (either scheduled operation, or with 'fw logswitch' command, or in SmartView Tracker):
  LEA clients do not receive new logs.
  No new events are coming to SmartEvent.
  No logs are processed by SmartReporter consolidation session.
  No logs are forwarded to third-party OPSEC clients.
  Refer to sk98588.

01368102, 01453076 | Security Management, Multi-Domain Security Management Server | SmartView Tracker is not able to fetch firewall log file from Security Gateway:
  Go to 'Tools' menu
  Click 'Remote Files Management...'
  Select the relevant Security Gateway
  Click on 'Get File List...' button - nothing happens at all
  Refer to sk98647.

Installation instructions
Important Notes:

In cluster environment:
  Jumbo Hotfix Accumulator must be installed on all members of the cluster. To assure synchronization without losing connectivity, cluster administrator should use either Optimal Service Upgrade (OSU) method, or Connectivity Upgrade (CU) method. For additional information and limitations, refer to sk107042 - ClusterXL upgrade methods and paths.
In Management HA environment:
  Jumbo Hotfix Accumulator must be installed on both Management Servers.
On VSX Gateways:
  Jumbo Hotfix Accumulator can be installed either using CPUSE in Gaia Clish (online/offline), or using Legacy installation in Command Line.
It is recommended to install Jumbo Hotfix Accumulator on all the R77.10 machines in the environment - Security Gateways / Management Servers / etc. running on Gaia OS.
All Takes of Jumbo Hotfix Accumulator must be installed in the same way (refer to sk107320):
  If the Jumbo Hotfix Accumulator was installed for the first time using CPUSE, then all subsequent Takes must also be installed using CPUSE.
  If the Jumbo Hotfix Accumulator was installed for the first time using Legacy CLI, then all subsequent Takes must also be installed using Legacy CLI.

Procedure:

There are two installation methods: using Gaia CPUSE (Check Point Update Service Engine) - this is the recommended method; and Manual installation in Command Line
(Legacy CLI).

Instructions for installation in Gaia Portal - using CPUSE (Check Point Update Service Engine)

Online installation

1. Connect to the Gaia Portal on your Check Point machine and navigate to Software Updates section - click on Status and Actions.
2. In the upper right corner, click on the Add hotfixes from the cloud button.
3. Paste the CPUSE Identifier and start the search (get the CPUSE Identifier from the "Availability" section above).
4. When the package is found, click on the link to add the package to the list of available packages.
5. Select the package - click on Install Update button on the toolbar.
6. Machine will be rebooted automatically.

Refer to detailed instructions in sk98926 - Install Check Point products using Check Point Upgrade Service Engine (CPUSE) - section "(IV) Installation instructions for Jumbo Hotfix Accumulators".

Offline installation

Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already
downloaded / installed (for package export instructions, refer to sk92449).

1. Connect to the Gaia Portal on your Check Point machine and navigate to Software Updates section - click on Status and Actions.
2. On the toolbar, click on the More button and select Import Package.
3. In the Import Package window, click on Browse... - select the CPUSE package (either offline TGZ file, or exported TAR file) - click on Upload.
4. Select the imported package and click on Install Update button on the toolbar.
5. Machine will be rebooted automatically.

Refer to detailed instructions in sk98926 - Install Check Point products using Check Point Upgrade Service Engine (CPUSE) - section "(IV) Installation
instructions for Jumbo Hotfix Accumulators".

Instructions for installation in Gaia Clish - using CPUSE (Check Point Update Service Engine)

Note: Requires CPUSE build 802 and above (refer to sk98228).

Online installation

1. Connect to command line on Gaia OS.
2. Log in to Clish.
3. Acquire the lock over Gaia configuration database:
   HostName> lock database override
4. Import the package from Check Point cloud:
   HostName> installer import cloud <CPUSE Identifier>
   Note: Get the CPUSE Identifier from the "Availability" section above.
5. Show the packages that are available for download:
   Note: Refer to the top section "Hotfixes" - refer to "Jumbo Hotfix Accumulator for ..."
   HostName> show installer packages available-for-download
6. Download the package from Check Point cloud:
   HostName> installer download <Package_Number>
7. Install the downloaded package:
   HostName> installer install <Package_Number>
   Note: The progress (in per cent) will be displayed in Clish.
8. Machine will be rebooted automatically.

Offline installation

Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already
downloaded / installed (for package export instructions, refer to sk92449).

1. Transfer the offline package (TGZ) / exported package (TAR) to the target Gaia machine (into some directory, e.g., /some_path_to_jumbo/).
2. Connect to command line on target Gaia OS.
3. Log in to Clish.
4. Acquire the lock over Gaia configuration database:
   HostName> lock database override
5. Import the package from the hard disk:
   Note: When import completes, this package is deleted from the original location.
   HostName> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
6. Show the imported packages:
   Note: Refer to the top section "Hotfixes" - refer to "<Package_File_Name>"
   HostName> show installer packages imported
7. Install the imported package:
   HostName> installer install <Package_Number>
8. Machine will be rebooted automatically.

Instructions for Legacy installation in Command Line

1. Transfer the Jumbo Hotfix Accumulator package to the machine (into some directory, e.g., /some_path_to_fix/).
2. Unpack the Jumbo Hotfix Accumulator package:
   [Expert@HostName]# cd /some_path_to_fix/
   [Expert@HostName]# tar -zxvf Check_Point_<Package_Name>.tgz
3. Install the Jumbo Hotfix Accumulator:
   [Expert@HostName]# ./UnixInstallScript
   Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
4. Reboot the machine.

Uninstall instructions
Important Notes:

This Jumbo Hotfix Accumulator installs several packages with relevant fixes.
One of these packages is "SecurePlatform" - a set of RPM files for Gaia OS.
During the uninstall via Legacy CLI:
  Take_165 and lower - these RPM packages for Gaia OS are not uninstalled (the original RPMs are not restored).
  Take_166 and above - these RPM packages for Gaia OS are fully uninstalled (the original RPMs are restored).
All Takes of Jumbo Hotfix Accumulator must be uninstalled in the same way as they were installed (refer to sk107320):
  If a Take of Jumbo Hotfix Accumulator was installed using CPUSE, then it must be uninstalled using CPUSE.
  If a Take of Jumbo Hotfix Accumulator was installed using Legacy CLI, then it must be uninstalled using Legacy CLI.

Procedure:

There are two uninstall methods: using Gaia CPUSE (Check Point Update Service Engine); and Manual uninstall in Command Line (Legacy CLI).

Instructions for uninstall in Gaia Portal - using CPUSE (Check Point Update Service Engine)

Related solution:

sk92449 (CPUSE - Gaia Software Updates (including Gaia Software Updates Agent))

Procedure:

1. Connect to the Gaia Portal on your Gaia machine and navigate to the 'Software Updates' section - click on 'Status and Actions'.
2. Above the list of all software packages, click on the 'Showing Recommended packages' button - select 'All'.
3. Right-click on the Jumbo Hotfix Accumulator package - click on 'Uninstall'.
4. A warning will be displayed that after this uninstall, the machine will be automatically rebooted.
Click on 'OK' to start the uninstall.

Instructions for uninstall in Gaia Clish - using CPUSE (Check Point Update Service Engine)

Note: Requires CPUSE build 802 and above (refer to sk98228).

1. Connect to command line on Gaia OS.
2. Log in to Clish.
3. Acquire the lock over Gaia configuration database:
   HostName> lock database override
4. Uninstall the package:
   HostName> installer uninstall <Package_Number>
   Note: The progress (in per cent) will be displayed in Clish.
5. Machine will be rebooted automatically.

Instructions for Legacy uninstall in Command Line

1. Unpack the Jumbo Hotfix Accumulator (you need to use the Take that is currently installed or higher):
   [Expert@HostName]# cd /some_path_to_fix/
   [Expert@HostName]# tar -zxvf Check_Point_R77.10.linux.tgz
2. Run the installation with '-u' flag:
   [Expert@HostName]# ./UnixInstallScript -u
3. You should get the following text on the screen:


  


  



4. Reboot the machine.

List of replaced files per package


List of files replaced by this Jumbo Hotfix Accumulator can be provided upon request by Check Point Support.
