The information you are about to copy is INTERNAL!
DO NOT share it with anyone outside Check Point.
Jumbo Hotfix Accumulator for R80.20 (R80_20_jumbo_hf)
Solution ID
sk137592
Product
All
Version
R80.20
OS
Gaia
Date Created
01-Nov-2018
Last Modified
20-Nov-2019
Show more details
Show less details
Solution
Show the Entire Article
Availability | Important Notes| List of resolved issues | Installation instructions | Uninstall instructions | Revision History
Introduction
R80.20 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues in different products.
This Incremental Hotfix and this article are periodically updated with new fixes.
The list below describes each resolved issue and provides a Take number, in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). In addition, you can find the date when the take was published in the table below. List of files replaced by this Jumbo Hotfix Accumulator can be provided upon request by Check Point Support.
This Jumbo Hotfix Accumulator is suitable for these products and configurations: Security Gateway, StandAlone, Security Management Server, Multi-Domain Management Server, Log Server, Multi-Domain Log Server, SmartEvent Server, Endpoint Security Server, VSX and Cluster.
Each of the Jumbo Hotfix Accumulator Takes is based on Check Point R80.20.
For CPUSE installation, CPUSE Agent build 1573 and above (refer to sk92449) must be used.
It is recommended to install Jumbo Hotfix Accumulator on all the R80.20 machines running on Gaia OS.
This Jumbo Hotfix Accumulator has to be installed only after successful completion of Gaia First Time Configuration Wizard and reboot.
Take_118 is the latest R80.20 Jumbo Hotfix Accumulator General Availability release that can be directly downloaded from Check Point Cloud using CPUSE and from this article:
Product
Take
Date
CPUSE offline package
SmartConsole package
Security Gateway / Standalone
Take_118
27 Oct 2019
(TGZ)
(EXE) Build 081
Security Management
(TGZ)
Take 118 | Take 117 | Take 103 | Take 91 | Take 87
Important Notes
R80.30 GA release is aligned with R80.20 Jumbo Hotfix Accumulator Take 74.
Customers who installed R80.20 Jumbo Hotfix Take 118 and below, can safely upgrade to R80.30 Jumbo Hotfix Take 107.
For Take 118, refer to sk163473 and sk163312 due to Gaia restore errors on Multi-Domain Server.
To check the Take number of the currently installed R80.20 Jumbo Hotfix (if it is installed), run: [Expert@HostName:0]# cpinfo -y all
List of resolved issues per HotFix Take
ID
Product
Description
R80.20 Jumbo HotFix - General Availability Take 118 (27 October 2019, GA from 04 November 2019)
PRJ-6085, PRJ-6078
ClusterXL
After installing Jumbo HotFix Take 117 only on a standby member, it's outgoing traffic does not pass.
R80.20 Jumbo HotFix - Ongoing Take 117 (13 October 2019)
PRJ-2725, PMTR-38948
Upgrade
Added a pre-upgrade verification that Global network objects with NAT configuration are not supported.
PRJ-3605, PMTR-39644
Security Management
Added ability to automatically determine the API process memory allocation to avoid "Out of memory" errors. Refer to sk119553.
PRJ-2338, PRHF-4046
Security Management
In some scenarios, user cannot discard or publish a worksession, receiving the general message "Internal error".
PRJ-4305, PMTR-40468
Security Management
Added a mechanism to prevent the Management Server from starting if an import process was interrupted.
PRJ-3872, PRHF-3463
Security Management
In some scenarios, size of the shadow_object.C file increases after each policy installation, eventually causing a failure in installing a policy.
PRHF-3242, PRJ-658
Security Management
In a rare scenario, the policy verifier ignores rules with object named "Internet" used with negate operator.
PRJ-4515, PMTR-39361
Security Management
Cannot export a .pdf file from the Licence inventory view after Jumbo HotFix installation on the Management server.
PRJ-1374, CPM-2242
Security Management
High Availability synchronization between Management Servers fails with "Couldn't get peers for peers ids" message in the cpm.elg file.
PRJ-4240, PMTR-38720
Security Management
When many users are connected to and actively working in the same domain in SmartConsole, they may experience:
Slowness in SmartConsole responses
Long duration of operations
High load on the Management Server
PRJ-3690, PMTR-36555
Security Management
New policy creation may fail when there are no installation targets defined in this policy.
PRJ-5025, PRHF-4877
Security Management
In some scenarios, policy verification process fails after reaching memory size of 4GB. Refer to sk161412.
PRJ-1517, CPM-2264
Security Management
Performance and stability improvements in large High Availability setups.
PRJ-2646, PMTR-38095
Security Management
In a rare scenario, the Security Management server does not start due to a missing object, or a duplication of objects.
PRJ-2787, PMTR-41157
Multi-Domain Management
In some scenarios, upgrade from R80 fails due to an internal error related to deprecated application objects. Refer to sk157752.
PRJ-3880, PRHF-5177
Compliance
In some scenarios, some of the Best Practices show "N\A" status in the Compliance blade dashboard.
PRJ-2644, SL-2509
Logging
Running views and reports with a filter fails if the filter contains a "NOT" operator combined with parentheses.
PRJ-395, PMTR-28518
Logging
In some scenarios, lea_session processes consume 100% CPU causing the machine to slow down.
PRJ-1324, PRHF-3690
Logging
In some scenarios, when running mdsstart, the following error message is shown: "/opt/CPSmartLog-R80.20/bin/smartlogstop: line 65: /opt/CPmds-R80.20/customers/<name>/CPSmartLog-R80.20/log/smartlogRun.log: No such file or directory".
PRHF-4497, PRJ-3209
Logging
In some Full HA environment scenarios, the "Logserver <Cluster virtual IP> is disconnected" error pops up in SmartConsole log view.
PRJ-1310, PRHF-3681
Logging
In the Logs & Monitor view, the "File size" field is missing from the logs generated by Media Encryption & Port Protection blade. Refer to sk157952.
PRHF-4975, PRJ-4061
Logging
In some scenarios, when exporting logs with "Visible columns" option selected from SmartView, some columns return empty record. Refer to sk161712.
PRJ-3642, PRHF-2607
Logging
In some scenarios, when SAM activity is defined and a Log server receives a high amount of packets, the FWD process on the Log server stops working.
PRJ-3011, PRHF-1554
Logging
In some scenarios, the log maintenance mechanism deletes the earliest logs due to mistake in Emergency mode maintenance.
PRJ-3363, PMTR-34580
Multi-Domain Management
In some scenarios, Administrator does not see that a revision was created in its Domain (on Domain level) after a Global policy was assigned to it.
PRJ-798 PMTR-36765
Multi-Domain Management
In some scenarios, the "Unable to connect to server. Please make sure the server is up and running." error appears when trying to log into single Domain from SmartConsole. Refer to sk153293.
PRJ-3687, PMTR-7744
Multi-Domain Management
"dleserver.utils.UidManager" errors on cma_migrate failure on Multi-Domain Server upgraded from R80.
PRJ-4413, PRHF-3285
Multi-Domain Management
In a rare scenario, FWM process stops working on the Domain level during login.
PRJ-1881, PRJ-783
SmartConsole
In some scenarios, user cannot delete a VS object since it is referenced by an automatically generated exception rule.
PRJ-4135, PRHF-1847
SmartConsole
Administrators with "\" in their username receive the "Error Occurred" pop-up when trying to view a packet capture. Refer to sk140992.
PRJ-4430, PMTR-27392
SmartConsole
In some scenarios, when there is a large quantity of unused permission profiles in the system, the CPM server takes a long time to start.
PRHF-2194, PRJ-4433
SmartConsole
In some scenarios, Client certificate is removed when deleting Domain that is included in certificate's permissions.
PRJ-1969, PRJ-4546, PRHF-3268
SmartConsole
In setups with a large quantity of network object, users may experience slowness when editing the HTTPS Inspection policy. Refer to sk147134.
This fix requires R80.20 SmartConsole Build 081 to be installed.
PRJ-4531, PRJ-965
SmartConsole
In a rare scenario, the DNS Maximum Reply Length IPS protection is not enforced.
This fix requires R80.20 SmartConsole Build 081 to be installed.
PRJ-3869, PRHF-4655
SmartConsole
In a rare scenario, when user clicks on Mail Transfer Agent (MTA) options in the Security gateway settings or on 'Next hop' column inside MTA settings, SmartConsole shows "Not Responding" and freezes. Refer to sk161232
This fix requires R80.20 SmartConsole Build 081 to be installed.
PRJ-777
SmartConsole
In a rare scenario, the FTP Bounce, Port Overflow and Known Ports IPS protections are not enforced.
This fix requires R80.20 SmartConsole Build 081 to be installed.
MCFG-199, PRJ-2383
SmartProvisioning
SmartUpdate generates audit log even when no action was taken.
PROV-2068, PRJ-4671
SmartProvisioning
In some scenarios in SmartProvisioning:
When executing Run Script on SmartProvisioning profile, the application disconnects from the server and is closed.
When executing Push Settings and Actions the "The action was not performed due to maintenance mode" error appears.
PRJ-5512, PMTR-42219
Security Gateway
In some scenarios, fw monitor on Security gateway shows some packets that are handled by SecureXL and not FireWall-1.
PRJ-5502, PMTR-40456
Security Gateway
In a rare scenario, using "kill" or pressing Ctrl+C on the "fw monitor" process does not finish it.
PRJ-5509, PMTR-38750
Security Gateway
In some scenarios, fw monitor fails to show IPv6 traffic in SecureXL.
PRJ-5504, PMTR-40523
Security Gateway
In some scenarios, the "fwmonitor_kiss_add_to_global_buf: all the buffers are full" error is displayed even after the heavy traffic is stopped.
PRJ-5506, PMTR-40455
Security Gateway
In a rare scenario, Secure Network Distributor (SND) consumes high CPU when running fw monitor.
PRJ-5507, PMTR-41300
Security Gateway
In some scenarios, when running "fw monitor" with "-e" flag, SecureXL traffic is not filtered, and all traffic is displayed.
PRJ-5503, PMTR-39556
Security Gateway
In some scenarios, incorrect chain number and name are displayed by "fw monitor -p all".
PRJ-5497, PMTR-39046
Security Gateway
Added ability for fw monitor to support monitoring traffic on Acceleration Card.
PRJ-4310, STRM-149
Security Gateway
In some scenarios, a remote client disconnects after one hour although the session is not idle. Refer to sk160213.
PRJ-770, SWG-1922
Security Gateway
In a rare scenario, memory usage may rise on Security gateway, when using service with resource with "Optimize URL logging" feature enabled. Refer to sk153052.
SWG-2174, PRJ-4179
Security Gateway
Some Web sites cannot be opened when Content Awareness or Anti-Virus/Anti-Bot is enabled, and Security gateway is configured as proxy.
PRJ-2918, UP-293, PRHF-4494
Security Gateway
In a rare scenario, Security gateway may crash due to NULL pointer dereference.
PMTR-40937, PRJ-4613
Security Gateway
In some scenarios, VoIP traffic is dropped with "allocate_port_impl: could not find a free port;" error in dmesg.
PRJ-697, QOS-22
Security Gateway
In a rare scenario, Security gateway crashes during QoS policy installation.
PMTR-35854, PRJ-3040
Security Gateway
In a rare scenario, changing the xmit-hash-policy of the bonding group while machine handling traffic, causes it to crash. Refer to sk154573.
PRJ-4806, PMTR-41392
Security Gateway
Added ability to enable NAT over specific IP address avoiding a source port allocation.
PRJ-1016, PRHF-5456
Security Gateway
In some scenarios, packets with TTL1 are dropped when using security zones in the Access rulebase.
PRJ-3562, STRM-109
Security Gateway
Disabling connections timestamp does not work on active streaming connections. Refer to sk62700.
PRJ-4760, PMTR-40677
IPS
In some scenarios, IPS update fails as a result of error in management server installation.
PRJ-3766, MUX-174
Content Awareness
In some scenarios, when the Content Awareness blade is enabled, uploading files via ShareFile stucks at 100%.
PRJ-5764
HTTPS Inspection
Improved TLS implementation for TLS Inspection and Categorization - Server Name Indications (SNI). TLS 1.2 support for additional cipher suites:
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
X25519 Elliptic Curve
P-521 Elliptic Curve
Full ECDSA support
Also was improved the fail open/close mechanism and logging for validations. For the complete list of supported cipher suites, see sk104562.
PRJ-3368, PMTR-13884
Threat Prevention
Deleting a Threat Prevention profile might fail if the IPS profile has many overrides. Refer to sk136552.
PRJ-689, PMTR-26827
Application Control
In some scenarios, custom Application Object that was initiated with wrong "Application Risk" value might cause connectivity problems. Refer to sk140892.
PRJ-4517, PMTR-38645, GAIA-5872
ClusterXL
Added support for Cluster Load Sharing without IPSec VPN.
PRJ-1205, PRHF-3633
ClusterXL
In some scenarios, after adding a vlan to the bond slave cluster member may go down.
PRJ-3298, PMTR-38208
ClusterXL
In some scenarios, when changing cluster topology and installing the policy, the cluster fails over. Refer to sk156335.
PRJ-3315, PMTR-37812
ClusterXL
In some scenarios, pushing policy in order to update the cluster topology during high load, causes the members to fail-over. Refer to sk154575.
PRJ-480, PRHF-3328
ClusterXL
In some scenarios, the xmit-hash-policy of a Bond interface with the vlan causes the cluster member to go down. Refer to sk151412.
PRJ-3294, PRHF-4301
CoreXL
In a rare scenario, custom affinity configuration is overwritten when HT is enabled. Refer to sk158112.
PRJ-1201, PRJ-1843, PRHF-3487
SecureXL
In some scenarios, Policy Based Routing (PBR) does not work properly when acceleration is enabled.
PRJ-3598, PMTR-39660
SecureXL
In a rare scenario, when SecureXL is enabled, a VSX gateway may crash. Refer to sk160912.
PRJ-1640, PRJ-1637, PMTR-37736, PMTR-37727
SecureXL
In some scenarios, packets with IP options are not forwarded across bridge interfaces. Refer to Issue #3 in sk154892.
PMTR-40703, PRJ-4620
SecureXL
In some scenarios, sending IP fragmented traffic through a Virtual Switch or Virtual Router fails with "Virtual defragmentation error".
PRJ-2114, PMTR-29033, PRHF-4050
Routing
In a rare scenario, the Standby member of ClusterXL incorrectly calculates the routing protocol priorities, causing the routes to be synchronized in the wrong way.
PRJ-306, ROUT-318
Routing
In some scenarios, Routed Pnote in 'Problem' state and ClusterXL member is down after enabling OSPF. Refer to sk123317.
PRJ-307, ROUT-209
Routing
Enhancement: Improved the memory handling mechanism in Routed.
GAIA-4695, PRJ-614
Gaia OS
When running "service vmtoolsd restart" command on Gaia installation with VMware, the "Installing memory driver: FATAL: Module vmmemctl not found. [FAILED]" error is displayed although the vmw_balloon.ko driver is loaded.
PRJ-3793, PRHF-1778
Gaia OS
Enhancement: The maximum size of the arp table was increased to 4096.
PRJ-440, PRJ-4541, 02473276
Gaia OS
"Authentication failure" error when authenticating with TACACS+ user that has special characters in their password. Refer to sk101332.
PRJ-3625
Gaia OS
On Smart-1 525/5050/5150, user cannot open the iDRAC without installing a dedicated Hotfix.
PRJ-3141, GAIA-2861
Gaia OS
In some scenarios, the IGB driver interfaces are occasionally down after reboot of a Management machine. Refer to sk135532.
PRJ-1029 GAIA-5047
Gaia OS
Changing the xmit-hash-policy of the bond may cause all static arp entries to disappear from the arp -a output. Refer to sk152892.
PRJ-4152, PMTR-38041
VPN
In some scenarios, the Phase-2 negotiation fails with "Reason: Wrong value for: Encapsulation Mode" after upgrade. Refer to sk157092.
PRJ-1604, PMTR-27831
VPN
In some scenarios, when client disconnects from the gateway, the information about the client is not cleared correctly.
PRJ-2434, VSX-1866
VSX
Added the option to configure reject routes via vsx_provisioning_tool on Scalable Platforms Appliances. Refer to sk151473.
PRJ-5304, PMTR-42418
VSX
Running fw monitor with -v flag on a VSX gateway may cause the fw monitor to quit with the "Segmentation fault" error. Refer to sk162402.
PRJ-3433, PRHF-5371
VSX
In some scenarios, traffic is dropped on VSX when SecureXL is enabled. Refer to sk160352.
PRJ-4265, PRHF-5105
VSX
In a rare scenario, machine crashes when using VSX with Virtual Switch (VSW).
PRJ-4955, GAIA-6397
VSX
In some scenarios, traffic does not pass in VSX setup with VS-VSW-VS topology and some Threat Prevention blades enabled on VSs.
PRJ-4683, SPC-1903
VSX
In some scenarios, running the "fw vsx resctrl monitor disable" command or disabling VSX Resource Monitor via CPView causes crash of the VSX Gateway. Refer to sk144432.
PRJ-4960, PMTR-38779, MUX-186
Hardware
In a rare scenario, the watchdog process of Falcon Acceleration Card stops working.
R80.20 Jumbo HotFix - General Availability Take 103 (26 August 2019, GA from 22 September 2019)
PMTR-35836, PRJ-249
Security Management
"Runtime error: java.lang.String incompatible with com.checkpoint.management.web_api_is.common.multi_values.objects.MultiStringForSet" error when trying to set a tag to ICMP and ICMP6 services or set those services into a group with API command.
PMTR-36761, PRJ-716
Security Management
A new feature for process tracking was added. If the restart occurs, a 'pstree' command is logged and the process that caused the restart can be tracked.
PMTR-23492, PRJ-2947
Security Management
Support for Internal CA certificate replacement.
PRHF-2012, PRJ-1247
Security Management
High CPU usage of fwm when SmartEvent is enabled on the Security Management Server. Refer to sk147563.
SMCUPG-719, PRJ-1686
Security Management
Deletion of Domain failed with "Could not send message" error when having large amount of gateways in the domain. The Domain remain without Domain Servers.
PRHF-3283, PRJ-450
Security Management
In a rare scenario, a failure in policy installation causes a false "Policy installation is currently in progress" error message while there is no installation attempt.
PRJ-1899, PRJ-1901
Security Management
After opening and searching in pickers for a few times, the "error retrieving results" message appears when opening a picker.
CPM-2300, PRJ-1973
Security Management
In some rare scenarios CPM server does not start after a failure in delete domain.
PMTR-38249, PRJ-2161
Security Management
In some scenarios, traffic is dropped with "network_classifier_get_dynobjs_for_ip: failed to get UUIDs for IP 0.0.0.0" and "kfunc_ip_ranges_to_dynobj: network_classifier_get_dynobjs_for_ip failed" errors in dmesg when dynamic object is used in access policy.
PRHF-3514, PRJ-1379
Security Management
Upgrade from R7x is failing with core file of cpdb due to an empty field in 'autoupdate_and_install_settings' object.
PRHF-3455, PRJ-1335
Security Management
Inline layers are not verified when there are no selected targets in the 'install on' column.
RJ-1864, PRJ-1880
Security Management
In some scenarios, SmartConsole stops working while adding or removing many objects via Web API.
PMTR-33605, PRJ-2159
Security Management
In some cases on Multi-Domain environments with several servers, tasks still appear in progress after restart of the server even though they are not really running.
PMTR-38103, PRJ-2490
Security Management
In some scenarios, a validation incident about Invalid Email Address is presented in SmartConsole after upgrade from R77.
PMTR-37924, PRJ-1761
Security Management
Due to a failed full sync, FWM was restarted unexpectedly and obsolete domain sessions were used in the global policy assignment.
PMTR-26076, PRJ-1570
Multi-Domain Management
Synchronization in a Multi-Domain High-Availability setup fails post upgrade from R80 due to duplicate compliance objects.
PRJ-1303
Multi-Domain Management
When running the 'add-domain' Web API command on an existing Domain, the original Domain is deleted.
CPM-1730, PRJ-1403
Multi-Domain Management
The Multi-Domain Server database size grows significantly causing operations like 'mds restore' and HA full sync to take a long time.
PMTR-36438, PRJ-552
Multi-Domain Management
In rare cases, if Domain deletion failed in the past, and following MDS Upgrade or MDS Restore - some objects are missing on Domain or Global level in SmartConsole.
This is relevant specifically under the following cases:
Multi-Domain Server upgrade from R80.10 to R80.20.
Multi-Domain Server Restore in any R80.x
PRHF-3783, PRJ-1440
Multi-Domain Management
In some scenarios, gateways are missing in the 'Gateways and Servers' view in SmartConsole on the MDS level.
PRHF-3300, PRJ-592
Multi-Domain Management
Multi-Domain Server processes must be stopped before running cma_migrate.
PRJ-2386, PMTR-38670
Multi-Domain Management
In a rare scenario, CPM server fails to start after successful Domain deletion.
PMTR-36614, PRJ-2244
Multi-Domain Management
The mds_backup command will generate an output file of format .tar instead of .tgz to improve the duration time of backup (mds_backup) and restore (mds_restore) of Multi-Domain Server. Refer to sk163300.
PRJ-2421, PMTR-38710
SmartProvisioning
In VPN Community managed by SmartProvisioining:
When adding SMB gateway to the VPN community, VPN tunnel may not been established.
When changing security profile in VPN community, the VPN settings are not changed.
Policy installation fails for cluster member of CO Gateway.
PRJ-2664, PRJ-2721
SmartProvisioning
VPN tunnel of LSM gateway can not be established when CO gateway is managed by Security Management of higher version. Refer to sk106628.
PRHF-3392, PRJ-867
SmartProvisioning
In VPN star community managed by SmartProvisioning, VPN tunnels may not be established after installing policy to CO gateway (center). Refer to sk152612.
PMTR-31155, PRJ-1433
SmartConsole
In some scenarios, SmartConsole terminates when installing policy on many targets at once.
PMTR-36527, PRJ-760
SmartConsole
Redundant layers appear in the output of the 'show-package' command when Global policy holding more than one layer, is assigned to Domain.
PRHF-3415, PRJ-738
SmartConsole
In rare scenarios, upgrade fails with "com.checkpoint.management.classes.dle.triggers.internal.VersionInfo.VersionInfo" NPE in cpm.elg file.
PMTR-24658, PRJ-1745
SmartConsole
Wrong error message displayed in SmartConsole when Domain Server cannot be deleted when it is referenced in the policy.
PRJ-1532, PRJ-1535
SmartConsole
In a specific scenario, Global policy rules may change order after Multi-Domain Server upgrade. Refer to sk155432.
MCFG-200, PRJ-2559
SmartConsole
In "Gateways and Servers" view, gateways are missing status when managing more than 1000 gateways. This fix supports statuses up to 5,000 gateways.
PRJ-1919, PRJ-2416
Identity Awareness
Security hardening for IDA enforcement according to XFF IP.
PRJ-1926, PRJ-1952
Identity Awareness
Performance improvement of Identity Awareness kernel tables for Cluster and multi-fw1 instances gateways.
PRJ-1926, IDA-1966
Identity Awareness
In a rare scenario, identities are missing from all connected Identity Gateways (PEPs).
IDA-1987, PRJ-1956
Identity Awareness
In a rare scenario, sessions longer than 24 hours disappear from the Identity Gateway (PEP) but exist on the Identity server (PDP)
IDA-1981
Identity Awareness
Users are not propagated from the PDP to the PEP on a specific network due to a rare race condition between register and unregister requests triggered by different instances or cluster members.
PRJ-1926
Identity Awareness
The output of pep show pdp all command on the Identity Gateway (PEP) contains "inx invalid type (0)" instead of an Identity server (PDP) IP address. Refer to Scenario #3 in sk156953.
PMTR-32539, PRHF-3443
Identity Awareness
Users are not authenticated when an identity source provides the login name in an 'User Principal Name' format "user@domain". Refer to sk147417
PRHF-2895, PRJ-334
Security Gateway
After upgrading to R80.20, it is not possible to configure an OSPF interface to have a priority of 0.
PRJ-3735, PMTR-40259
Security Gateway
In some scenarios, when a connection is accelerated and ICMP packet is sent from a server to a client, it is being dropped by Security gateway.
PRJ-1490, GAIA-4689
Security Gateway
In some scenarios, the fwk process virtual memory increases on USFW/VSX environment. Refer to sk160513.
PRJ-604, PRHF-3117
Security Gateway
In a rare scenario, routed process stops working when ECMP is enabled for both IBGP and EBGP. Refer to sk162547.
PMTR-25754, PRJ-773
Security Gateway
Potential NAT issues when using "Hide internal networks behind the Gateway's external IP" along with destination NAT. Potential NAT issues for connections opened from templates due to route change.
PMTR-28915, PRJ-915
Security Gateway
Possible performance impact on NAT port exhaustion scenarios.
PRJ-3675
Security Gateway
In some scenarios, when disabling the interface, large amount of "fwmultik_f2p_routing: fw_os_route_retrieve_streaming failed" error messages appears in \var\log\messages file.
PRJ-3330
Security Gateway
The Fast Acceleration feature lets you define trusted connections to allow bypassing deep packet inspection. This feature significantly improves throughput for these trusted high volume connections and reduces CPU consumption.
PMTR-21865, PRJ-1141
Security Gateway
In a rare scenario, Security Gateway may crash when sending log from FW instance with IPv6 packet.
PRJ-2108
Security Gateway
Issue with categorization of HTTPS sites over IPv6.
PMTR-22797, PRJ-1688
Logging
Machine statuses in "Gateways and Servers" disappear from SmartConsole and reappear periodically.
PRJ-2310
Logging
Log Exporter filtering feature allows to decide which logs will be exported based on values from the various fields on the raw log.
SL-2002, PRJ-1239
Logging
Running views or reports that contain the attack / attack_info fields may fail or not be completed.
PRHF-3831, PRJ-2677
Logging
In a rare scenario, the accounting of bytes in a report is not accurate.
SL-1052, PRJ-1275
Logging
In a rare scenario, when an environment has many gateways (dozens), FWM on the log server might crash when reaching to 4 GB memory.
PMTR-37425, PRJ-1401
Gaia OS
Backup task fails if SmartConsole is open during backup.
PRJ-2173, PRHF-5189
Gaia OS
Many "fwldbcast_new: too many hosts : 0" kernel messages appear in /var/log/messages file. Refer to sk153253.
Enable the user to use CLISH commands related to LOM at (Smart-1 3150).
PRJ-2464
Gaia OS
Adding 6800 appliance picture to WebUI.
PRHF-4394, PRJ-2651
ClusterXL
In a rare scenario, crash on Active member when accessing Standby member via IPv6. Refer to sk159635.
PRHF-4105, PRJ-2146
ClusterXL
In a rare scenario, the fw_workers process consumes high CPU on the Standby member of a ClusterXL. Refer to sk156333.
PRJ-2152, PRJ-2551
ClusterXL
The message "fwlddist_debug_update_op: resetting to avoid overflow" should be printed only in debug mode since it's not an error.
PRHF-4193, PRJ-2396
CoreXL
"fwmutlik_do_sequence_accounting_on_entry: bad dir" errors are mistakenly printed in dmesg output. Refer to sk158312.
GAIA-4153, PRJ-415
SecureXL
Debug for the adp module in host Performance Pack does not work.
PRJ-630, PRHF-5533
SecureXL
In some scenarios, latency is observed on the Security gateway when SecureXL is enabled. Refer to sk162914.
GAIA-4855, PRJ-897
SecureXL
When IPS is enabled on VS connected to VR, HTTP traffic is not passing out of the internal Host.
PRJ-1176
SecureXL
Added sim module parameter "sim_anti_spoofing_enabled" to allow disable of anti-spoofing in Performance Pack without installing new Firewall policy.
PRJ-1300, PRJ-1299
SecureXL
In a rare scenario, multicast routing lookup may lead to SIM crash.
PRHF-4430, PRJ-2752
SecureXL
In some scenarios, TCP syn-ack packets are dropped when server is behind a hide NAT rule on a VPN interface.
PRJ-1848
SecureXL
Host destination entries memory leaking when neighbor entry is incomplete state.
PMTR-37165, PRJ-1217
SecureXL
In some scenarios, multicast traffic is not forwarded across bridge interfaces.
PRJ-579
Endpoint Management
R80.20 JHF failed to install when using Anti-Malware E2 engine for signatures update.
PRJ-1419, GAIA-5136
VPN
In some scenarios, VPN Encryption Domain Routes are not added to kernel via RIM in VSX environment. Refer to sk154692.
CRYPT-210, PRJ-2954
VPN
After running "cpca_client re_sign_ca" and "mcc replace", SmartConsole shows the same Internal CA certificate.
GAIA-5338, PRJ-1386
VPN
In some scenarios with acceleration enabled, traffic through VR for a VPN setup does not pass.
R80.20 Jumbo HotFix - General Availability Take 91 (10 July 2019, GA from 20 August 2019)
PRJ-645, PRJ-601
Security Management
Added ability for R80.20 Security Management or Multi-Domain Server to manage R80.30 Security gateway. Refer to sk149272.
This fix requires R80.20 SmartConsole Build 055 to be installed.
PRJ-2301, GAIA-3984
SmartConsole
Added support for 16000 and 26000 appliances.
This fix requires R80.20 SmartConsole Build 055 to be installed.
PRJ-2820, PMTR-39191
Gaia OS
While unplugging one of the Power supply cables on Smart-1 5150/5050/525 appliances a false 'No Read' message appears for ~5 seconds in both PSUs statuses (instead of Present/Input Lost/Absence).
R80.20 Jumbo HotFix - General Availability Take 87 (26 June 2019, GA from 09 July 2019)
PRJ-1603, PMTR-37581
Security Management
CPUSE Upgrade of Multi-Domain Server is stuck indefinitely when more than one Leading VIP interface is defined.
PRJ-1168, PMTR-33784, PMTR-36843
Multi-Domain Management
After upgrade of Multi-Domain Server from R77.x to R80.20, some of the validation incidents might not have a link to the relevant object.
PRJ-845, PMTR-36840
Multi-Domain Management
Improved duration of Multi-Domain Server upgrade from R80.10.
PRJ-1786, PMTR-37945
SmartConsole
In a rare scenario, when using "add-threat-exception" API command to empty rulebase, it fails with the "Runtime error: Index: -1, Size: 0" error.
PRJ-1478, PRHF-2632
Logging
In some scenarios, logs for a specific Management server or Domain are not displayed. Refer to sk135213.
PRJ-1553, PMTR-31315
Logging
In some scenarios with low disk space and customized retention configuration, logs and indexes may be deleted contrary to the configuration.
In some cases, logs are not forwarded when log forwarding in enabled on a Log server machine.
PRJ-2374
Gaia OS
CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.
PRJ-1867, PRJ-1677, PMTR-37999
Gaia OS
Clish command "show system init-services" and Expert command "service --status-all" run "mdsstart" on the server.
PRJ-766, PMTR-36031, MBS-6878
CoreXL
In a rare scenario, Security gateway may freeze when "Drop Templates" or "DOS rate" feature is enabled.
R80.20 Jumbo HotFix - Ongoing Take 80 (27 May 2019)
PRJ-96, PRHF-2762
Security Management
In some scenarios, the postgres.elg file grows and fills up the disk space. Refer to sk143852.
PMTR-34832, CPM-2137
Security Management
In a rare scenario, policy installation from a previous revision fails with "Internal error".
PMTR-27539, PMTR-27797
Multi-Domain Management
False message "peer <name> failed to synchronized me" appears in Multi-Domain Servеr HA window although machines are successfully synced. Refer to sk151392.
PMTR-35703, PRHF-3127
SmartConsole
"Legacy URL Filtering not supported" error pops up when installing policy.. Refer to sk110116.
PMTR-25295, PMTR-14661
SmartConsole
"SessionInWorkLoginException" error when using the API "discard" to discard a connected session other than the current session. Refer to sk142534.
PMTR-30862, PRHF-2252
SmartConsole
"Get Gateway Data" returns "Execution error" for cluster object in SmartUpdate.
PRJ-103, PRHF-3002
SmartConsole
Cannot delete Global Host object from the Global Domain if the name matches the name of Multi-Domain Management. Refer to sk151192.
PMTR-29658, VPNRA-189
SmartView Monitor
In some scenarios, SNX client is not seen in SmartView Monitor tracking page after connecting to the Security gateway.
PMTR-33424, SL-1997
SmartView Monitor
SmartView Time filter does not work correctly if the server Time Zone is different than the client Time Zone.
PMTR-32677, PMTR-31278
Security Gateway
Connectivity issues on some HTTPS sites (as login pages) when Security gateway is configured as proxy. Refer to sk147878
PMTR-34742, PMTR-34543
Security Gateway
OpenSSL is vulnerable to Padding Oracle Timing / Side Channel Attack.
PMTR-35948, PMTR-34489
Security Gateway
Security gateway crashes in a certain rare scenario.
PMTR-33337, PMTR-33143
Security Gateway
In a rare scenario, setting interface topology to "Network defined by routes" causes policy installation failures or traffic drops.
PRJ-378, PMTR-31289, PMTR-26959
Security Gateway
In some scenarios, Security Gateway drops ICMP traffic with "fw_conn_post_inspect Reason: First server side outbound packet is an ICMP" message.
PMTR-34114, PMTR-32168
Logging
In a rare scenario, Security gateway starts to log locally even if logs are sent to backup server.
PRJ-833, PRJ-748
Logging
In a rare scenario, cannot open new tab in SmartView after exporting data using a relative time filter.
PMTR-34126, PMTR-31493
Logging
In some scenarios, a Domain picker is displayed when logging in to the SmartView web application on a dedicated SmartEvent server.
PMTR-34878, PRJ-69, PRJ-105
Threat Emulation
Management Server upgrade from R80.10 to R80.20 fails in these scenarios:
There are Threat Emulation settings, which remained from Security Gateway objects that were already removed.
There are Threat Emulation settings, which are configured in the cluster member objects and not in the cluster object.
In some scenarios during Identity Agent or Terminal Server Agent IP change, PEP database becomes corrupted.
PMTR-35095, MB-30
ClusterXL
New validation added: Starting from R80.20, ClusterXL does not support Load Sharing mode. SmartConsole blocks such configuration with a warning message.
PMTR-33209, PMTR-30582
ClusterXL
Unable to access ClusterXL Standby members over an IPSec tunnel or when the connections are routed through the Active member. Refer to sk147493.
PMTR-32708, PMTR-33852
SecureXL
Security gateway forwards re-transmitted TCP reset packets although fw_disable_rst_replay property is enabled.
PMTR-34750, PMTR-32605
VPN
After a Multi-Domain Management Server upgrade, if there are more than 1 certificate for internal_ca, it may cause a connectivity loss when using Global VPN Community. Refer to sk147836.
PMTR-33335, MBS-5210, PRHF-3647
VSX
In a rare scenario, VSX reboots when running with 40G NICs.
PMTR-35083, PMTR-26556, PMTR-30291
CPView
In some scenarios, the CPView tool does not display any sensor information under the "Hardware Health" tab.
PMTR-33418, PRJ-292, PRJ-3535
CoreXL
In a rare scenario, Security gateway freezes when Priority Queue is enabled. Refer to sk149413.
R80.20 Jumbo HotFix - Ongoing Take 74 (14 April 2019)
PMTR-36350, PRJ-503
General
Alignment to Mail Transfer Agent Engine Update. Refer to sk123174.
PMTR-26344, PMTR-26345
SecureXL
UDP packets are dropped during policy installation and the following error is displayed: "simi_reorder_enqueue_packet: reached the limit of maximum enqueued packets for conn". Refer to sk148432.
R80.20 Jumbo HotFix - Ongoing Take 73 (08 April 2019)
PMTR-31335
General
Added support for 6500 and 6800 appliances. Refer to sk139932.
PMTR-23799
General
Added ability to FW Monitor to support monitoring of accelerated traffic by default. Refer to sk30583.
PMTR-29498, PRHF-1960
Security Management
Manual changes in INSPECT files under $FWDIR/lib directory of compatibility packages are not synchronized from active to standby Management servers. Refer to sk143792.
PMTR-29853
Security Management
Policy installation fails with "IPv6 addresses domain is not supported for Remote Access VPN community" message when using Domain object in Remote Access encryption domain. Refer to sk142832.
PMTR-29923, PMTR-28958
Security Management
"Error retrieving results" message is displayed in SmartConsole after searching for unused objects in Object Explorer.
PMTR-34653, PRHF-2891
Security Management
After installing R80.20 Jumbo HFA Take 33, newly created users fail to log in into local SmartView WebUI, receiving the "Invalid username and password" error. Refer to sk148794.
PMTR-23745, MCFG-80
Security Management
Unjustified validation error is displayed when installing Threat Prevention policy on Cluster object: "Threat Prevention requires topology to be defined. At least one internal, one external, and no undefined interfaces are required. Incorrectly defined topology impacts performance and security. Please install both Access Control and Threat Prevention policies after fixing the topology."
PMTR-34017, API-595
SmartConsole
Number of sessions in "Changes" list does not match the value of 'total'.
PMTR-31336, PMTR-12430
SmartConsole
When searching in the SmartConsole main search bar for network groups we can see some number of network groups, but the search inside the Logical Server object shows the different number of Logical server objects groups.
PMTR-31641, MCFG-144
SmartConsole
FWM process stops working after repeatedly clicking "Update Corporate Gateways" in SmartConsole.
PMTR-31044
SmartConsole
When an administrator publishes session for a different administrator, the name of the administrator that invoked the action will be written in the audit logs as the publisher.
PMTR-31136
Mobile Access
Mobile Access Portal Agent installation page is vulnerable for XSS attack in Chrome and Firefox.
PMTR-29243, PMTR-32515
Security Gateway
When routed syslog is enabled, the "show configuration routedsyslog" command does not show any output.
PMTR-33631, PMTR-24656
Security Gateway
In some scenarios, Security Gateway crashes when Priority Queue is enabled. Refer to sk149414.
PMTR-34473, PMTR-33518
Security Gateway
R80.20 bridge with no VLAN configuration may cause connectivity disruptions on VLAN-tagged traffic passing through it.
PMTR-30245, PMTR-29336, PRHF-2609
Security Gateway
In rare scenarios, Security Gateway crashes during file upload to Google drive when Content Awareness blade is enabled.
PMTR-33140, PMTR-1479
Security Gateway
In a rare scenario, TCP segments of HTTPS payload are missing in Mirror and Decrypt designated interface.
PMTR-33559, IDA-1793
Security Gateway
Users are not matched to access roles with nested LDAP groups or LDAP groups with filter. Refer to sk148092.
PMTR-31049, IDA-1120
Security Gateway
Group update request is sent specifically to the originator LDAP server even if it is down. Refer to sk127833.
PMTR-26374, SWG-1312
Security Gateway
Added support for ICAP client working with Symantec DLP ICAP server.
PMTR-27196, PMTR-24606
Security Gateway
Starting from SmartConsole Build 46, added automatic Implied Rule for ICAP Server to allow connectivity with trusted ICAP clients.
PMTR-31315, PRHF-2244
Logging
In a rare scenario, TCP state information is not displayed in the log despite being enabled in SmartConsole.
PMTR-32876, PMTR-15708, PMTR-28005
UserCheck
Potential memory leak in rare scenarios when UserCheck is used on HTTP connection.
PMTR-30599
UserCheck
When switching from manual expiration date in User Template to "According to global properties", the actual expiration date is not changed.
PMTR-31422
Threat Extraction
When configuring scrub_additional_file_types to "all" and enabling block_unsupported_files, file types that have no extension are not stripped.
PMTR-30657
Identity Awareness
When X-Forwarded-For (XFF) settings are enabled on one of the policy layers or/and on the Security gateway object, the /var/log/messages file shows errors related to asynchronous identity fetch. Refer to sk145673.
PRHF-523, PMTR-29857
IPS
Some SMTP-related IPS Core Protections remain enabled despite the IPS is disabled.
PMTR-33238, PMTR-32352
IPS
R77.x gateways managed by R80.x Security Management show that IPS blade is enabled while it is disabled on the gateway object. Refer to sk146592.
PMTR-35032
VPN
Important security update for IPSec Site-to-Site (S2S) VPN.
PMTR-31860, PMTR-31863, PMTR-21587
VPN
Connectivity improvements for certain Windows L2TP client versions. Refer to sk145895.
PMTR-23293, 02031663
Gaia OS
The CLISH command "show arp table dynamic all" and Bash command "arp -an" show different entries. Refer to sk112753.
PMTR-32129, PMTR-26981, PMTR-26979
Gaia OS
Added 'pigz' and 'unpigz' binaries.
PMTR-30225, GAIA-3093, PMTR-30226, 02085811
Gaia OS
Enhancement: administrators are allowed to use personal, remotely managed password to login to Expert mode, instead of the shared "expert password".
PMTR-33811, PMTR-33923
CPView
"Connections from templates" property shows incorrect value Network tab ->Traffic-> Templates of CPView.
PMTR-29063, PMTR-23710
Endpoint
"User was not authenticated" errors in Capsule Docs when activating Single Sign-On in the policy.
PMTR-30683, PMTR-30518
Compliance
The grc_conditions3.xml and grc_controls.xml files in R80.20 are overwritten by the files of R80.10 from the Cloud.
R80.20 Jumbo HotFix - General Availability Take 47 (24 February 2019, GA from 25 March 2019)
PMTR-28379, PMTR-28378
Security Management
Added ability to manage Check Point Maestro.
PMTR-32183, PRHF-2532, PRHF-2618
Security Management
High Availability synchronization fails on Multi-Domain Server level after Domain deletion or after updating licenses or contracts in SmartUpdate. Refer to sk151072.
PMTR-32160
IPS
Accelerated HTTP traffic might not be accelerated on an R77.10 Security Gateway managed by a Security Management server.
R80.20 Jumbo HotFix - Ongoing Take 43 (11 February 2019)
PMTR-27655
Security Management
Values updated in resourceProfiles files to handle high CPU utilization for "Java" process (described in sk123417) are not resistant and get overridden after Jumbo Hotfix Accumulator installation or backup/restore or export/import procedures.
PMTR-28644, PMTR-28557
Security Management
Running the fwm sic_reset command from CMA fails with "reset_objects: updateMultiple failed". Refer to sk142512.
PMTR-25816, PMTR-25793
Security Management
Once user performs any change to his configuration, the Compliance blade performs a partial scan and calculates the relevant Best practices. During this scan, exceptions of relevant objects for these Best practices are deleted. Meaning, if previously obj1 was excluded from applying Best practice #1, during partial scan obj1 will be relinked to Best practice #1.
PMTR-32542, PMTR-32187
Multi-Domain Management
Log servers are not seen in SmartConsole Log Server tab after Advanced Upgrade to Jumbo Hotfix Accumulator Take 33.
After new Domain creation, logs from this Domain are not seen in SmartConsole.
PMTR-29670, PMTR-29604
Multi-Domain Management
Upgrade of the Primary Multi-Domain Server from R80.10 fails when its Global Domain is in Standby mode. Refer to sk143892.
CPView is not supported on Multi-Domain Security Management environments.
PMTR-29458, PMTR-26606
SmartConsole
"Synchronization with Check Point UserCenter" feature displays "Synchronization with Check Point UserCenter requires a valid license." warning message even though all licenses are valid.
PMTR-23395, PMTR-29385
SmartConsole
If administrator updates his details (e.g. name, phone, email) and tries to publish the session, it fails with "Internal error" message.
After Jumbo HFA installation, the session cannot be published or discarded and any further update will fail. Refer to sk144214.
PMTR-25778, PMTR-25825, PMTR-25790
SmartConsole
When using Global VPN Community with permanent tunnel gateways list (matrix / permanent tunnel gateways), upgrade from R7x fails.
PMTR-26495, PMTR-26474
SmartConsole
"Error: SIC initialization failed because of failure in parsing the certificate file" error when user attempts to log in with certificate to API (mgmt_cli) with password including "!".
API-512, PMTR-25591
SmartConsole
Web API show-package fails if the package was installed on a cluster member which is already deleted. Refer to sk144132.
PMTR-25081, PMTR-25069, PMTR-24728
SmartConsole
Attempt to update Threat Emulation images fails with "Could not send Threat Emulation images update command, validate SIC connectivity and install policy with Threat Emulation enabled for [name]" message.
PMTR-28877, BS-859
SmartConsole
The existing regulation is not updated and appears as "EU Data Privacy" instead of "GDPR".
PMTR-28488, DO-902
Security Gateway
Traffic is dropped when using non-FQDN Domain object in Security policy.
PMTR-28593, PMTR-25909
Security Gateway
Added support for NAT on payload of H323 packets when different IP addresses are used for payload and control.
PMTR-28197, PMTR-27742
Security Gateway
No service enforcement when creating "Other services" without match expression for TCP, UDP or SCTP.
PMTR-27663, PMTR-28320, PMTR-24802
Threat Emulation
Added ability to update Threat Emulation file types in an offline environment.
PMTR-26022, PMTR-25770
HTTPS Inspection
When HTTPS Inspection is enabled and "Hide X-Forwarded-For in outgoing traffic" option is selected, the XFF header is not obfuscated on HTTPs traffic.
PMTR-27367, IDA-1609
Identity Awareness
In some scenarios, Identity Agent fails to authenticate using Kerberos SSO due to very large Kerberos ticket and the agent fallback to User/Password authentication.
PMTR-28368, PMTR-28140
Anti-Malware
During upgrade, if Anti-Virus is enabled, all emails are stuck in MTA queue due to missing certificate.
PMTR-30218, TPM-1378
IPS
The "A general error has occurred" message is displayed when trying to change the IPS protection configuration in "MySQL -> General settings".
PMTR-30868, PMTR-30867
Web Intelligence
In some scenarios, connectivity issues between Capsule Workspace and Security gateway.
PMTR-27702, PMTR-20103
Web Intelligence
Potential memory leak due to "Out of state" HTTP response.
PMTR-26141, 01967376
SSL Inspection
Added support for custom extension used by Apple.
PMTR-30550, PMTR-29405
Logging
Exporting 100K or more logs to Excel from SmartView fails.
In rare scenarios, when the Log server miscalculates the available disk space, it may stop receiving logs from the connected gateways and cause the logs to accumulate locally on the Security gateway. Refer to sk146152.
PMTR-27043, PMTR-23553
Logging
After two or more upgrades of a Security gateway / Security Management server / Log server or SmartEvent server, log maintenance fails to delete logs from older version.
PMTR-26706, PMTR-26696
Logging
After Daylight saving time change, the logs from the time of change until the end of the day are not indexed and the "Illegal instant due to time zone offset transition (daylight savings time 'gap')" error is displayed in solr.elg file.
PMTR-28160, PMTR-23550
Logging
After upgrade from R80.x to R80.20 GA, the pre-upgrade logs data will not be deleted according to the logs retention policy.
PMTR-22357, SL-1600
Logging
In rare scenarios, due to a connection attempt failure to the Security Management, the Security gateway starts logging locally.
PMTR-29044, SL-1538
Logging
When Security gateway is configured to send alerts only to a specific Log server, logs may be written locally on the gateway instead to be sent to the Log server.
PMTR-26040, PMTR-25672, PMTR-28925
Logging
Added Threat Emulation forensic report in SmartView Log card.
PMTR-29233, PMTR-22839, 02535956
SecureXL
Memory consumption on Security Gateway increases after enabling NetFlow v9 in Gaia OS. Refer to sk118719.
PMTR-30162, PMTR-22869, PMTR-30163
SecureXL
Concurrent connections monitoring can become inaccurate when "fw samp quota" rules are changed.
PMTR-27529, MBS-4134
SecureXL
In rare scenarios, Security gateway crashes when penalty checkbox is selected.
PMTR-29118, PMTR-17539, PMTR-27741
SecureXL
In some scenarios, large number of incorrectly classified "simlinux_br_port: dev == NULL !!!" debug messages appear in kernel message logs.
PMTR-28120, GAIA-3349
SecureXL
In some scenarios, HTTP requests do not pass when SecureXL is enabled.
PMTR-28084, PMTR-27895
ClusterXL
In some scenarios, standby cluster member sends PIM Hello packets.
PMTR-29200, PMTR-28139, VSX-1928
VSX
In some scenarios, the cpd and fw_full processes stop working when the TDERROR debug flag is enabled.
PMTR-28022, VSX-1895
VSX
Traffic from a Virtual System in VSX Cluster to Security Management Server is dropped with "Local interface address spoofing" log. Refer to sk110473.
PMTR-23158, PMTR-26453, PMTR-26095 GAIA-3010
Gaia OS
CVE-2018-15473: Username enumeration is possible due to a premature bail-out while dealing with a malformed packet. The issue exists in several authentication protocols.
PMTR-28381, PRHF-1502, PMTR-28899
Gaia OS
When using conv2db to recreate Gaia database from /config/active, comments are not skipped and the new database file may contain irrelevant information. Refer to sk139832. Note: the issue is cosmetic only.
PMTR-28798, PMTR-28822, PMTR-12070, 01515638
Gaia OS
SNMPD process fails to send Coldstart on reboot. Coldstart is configured by threshold that can be too short comparing to the OS boot time.
PMTR-28277, GAIA-2493
Gaia OS
Connectivity problem for 10 Gigabit fiber network interfaces (be2net driver) after upgrade from R77.30.
PMTR-28041, PMTR-25332, GAIA-3471
Gaia OS
Added support for "/", "(", and "*" characters as part of the system message banner.
PMTR-23058, PMTR-24458, 01579916
Gaia OS
syslog messages forwarded to external Syslog server, do not contain the host name. Refer to sk100727.
PMTR-28303, 02397556, CP-41
Gaia OS
In some scenarios, snmpwalk reports false values of bond interface.
PMTR-28312, PMTR-28338, 01906257
Gaia OS
In some scenarios, sporadic timeouts occur during snmpwalk run.
PMTR-28834, PMTR-28836, 02489137
Gaia OS
Different LOM versions are reported in WebUI and Clish.
PMTR-11377, PMTR-25506 02100804
VPN
After Cluster failover, VPN tunnel is down and "Unknown SPI for IPsec packet" log is shown. Refer to sk112339.
PMTR-30425, PMTR-30360
VPN
VPN tunnels with 3rd party peers fail because of mismatched IDs. Refer to sk144094.
PMTR-25196, PMTR-31887
VPN
In some scenarios, IKE fragmentation is dropped when NAT-T is enforced. Refer to sk143372.
R80.20 Jumbo HotFix - General Availability Take 33 (08 January 2019, GA from 04 February 2019)
PMTR-25005, PMTR-23377
Security Management
In some scenarios, purge operation fails with "Task was interrupted because of server restart" message and the CPM process stops working, producing core dump file.
PMTR-28037, PRHF-1977
Security Management
Policy installation fails due to a memory allocation failure.
PMTR-26802
Security Management
When creating a Security Gateway object and click OK, SmartConsole terminates with "The connection with the server was lost...." error.
PMTR-25488, PMTR-25218
Security Management
When Database is more than 100 objects and searching for the objects in the Objects Explorer and scrolling down, list of items disappears and the results in the bottom-left show "No items found". Refer to sk139793.
PMTR-26386, PRHF-1656, PMTR-25184
Security Management
Cannot export logs to Excel from SmartView connected to Multi-Domain Log Server. Refer to sk140433.
PMTR-24555, PMTR-26219
Security Management
In some scenarios, migrate_export fails when exporting R77.30 database from Windows machine in order to import it to R80.20 on Gaia.
PMTR-26457, PMTR-17608
Multi-Domain Management
When Domain has policies that are in use in some policy installation preset, the attempt to delete this Domain fails with "Error: Unspecified error".
PMTR-23217, PMTR-22277
Multi-Domain Management
Log in to the primary Multi-Domain Management GUI fails due to HA and logging objects synchronization generating high load.
PMTR-21125
SmartEvent
In large-scale environments, log_indexer process may unexpectedly stop working producing 3.5GB core file.
PMTR-23080, PMTR-26637
SmartConsole
HTTPS Inspection rule with mixed Access Role and network object cannot be enforced.
PMTR-25913
SmartView
Added consolidated Threat Prevention dashboard, providing full threat visibility across Networks, Mobile and Endpoints. Refer to sk134634.
PMTR-23063, PMTR-22415
SmartUpdate
SmartUpdate hangs on launch due to over 4000+ unattached licenses. Refer to sk136512.
PMTR-21902, PMTR-21183
Security Gateway
Memory leak in FWD process.
PMTR-29099
Security Gateway
Security gateway drops multicast or broadcast packets when working in bridge mode.
PMTR-26564, PMTR-25323
ClusterXL
3rd party cluster Full-Sync does not run on startup and caused the cluster to be in down state.
Dynamic Routing packets are dropped on the cluster member with the lower priority.
PMTR-25290, PRHF-1556
Threat Prevention
In some scenarios, Advanced Upgrade fails with different errors due to NULL pointer exception check.
PMTR-25286, PMTR-25287, PMTR-25106
Identity Awareness
User's access to a network resource may fail in the following scenario:
Access to a network resource is through an Identity Awareness Gateway (configured as PEP)
In SmartConsole, the Identity Awareness Gateway object is configured with "Identity Awareness -> Identity Sharing -> Get identities from other gateways -> All sharing gateways"
The sharing Identity Awareness Gateway (configured as PDP) that shares identities with the affected Identity Awareness Gateway (configured as PEP), opens an identity sharing connection not from its main IP address
Identity sharing does not work for non-HTTP traffic when XFF is enabled only on the layer and not on the Security gateway.
PMTR-25193, IDA-1396
Identity Awareness
Identity sharing fails when XFF is enabled and remote PDP does not respond.
PMTR-26589, IDA-1604
Identity Awareness
In some scenarios, Terminal Servers Identity Agent (MUH Agent) session Access Role is missing on PDP but exists on PEP, causing next PEP to PDP sync to be removed from PEP and thus the accessibility loss.
PMTR-25100, IDA-1226
Identity Awareness
Improved error handing when Identity Sharing is used and remote PDP server does not respond due to prolong outage. Refer to sk141152.
PMTR-22758, PMTR-22632
Identity Awareness
In rare scenarios, PDP crashes after generating traffic for a long time.
PMTR-26173, PMTR-26171
SSL Inspection
Change SSL Network Extender on MacOS to 64-bit architecture to support 32 bit apps depreciation in OSX.
PMTR-24797
SSL Inspection
HTTPS traffic is inspected when it is configured to be bypassed: when HTTPS Inspection is enabled and probe bypass is 0. Refer to sk132913.
PMTR-23567, PMTR-23317
Logging
A Domain administrator connected to a specific Domain in Multi-Domain environment cannot see suggestions when typing in logs search box.
PMTR-29010, SL-1878
Logging
After configuring mail alerts to be sent using "internal_sendmail" script, emails from Check Point server arrive with blank email body. Refer to sk142492.
PMTR-23288, PMTR-19838
Gaia OS
After adding the RBA roles Gaia commands (add rba role TACP-0 virtual-system-access all), the lines are missing from the "show configuration" command output, but the values can be seen in Expert mode (/config/active). Refer to sk119394.
PMTR-24810, PMTR-24803
Gaia OS
Security Management / Multi-Domain Management server OS backup fails due to package compression errors. Refer to sk121212.
PMTR-24293, VSECC-785
CloudGuard
Attempt to install central license on CloudGuard gateway fails with "not vSec product" error.
PMTR-24166, PMTR-23917
SecureXL
The Anti-Spoofing policy is not unloaded by running the "fw unloadlocal" command.
PMTR-25207
SecureXL
"sume_from_fw_forward: dropping packet of for vsid=0 due to loop prevention" dmesg errors during policy installation failure.
R80.20 Jumbo HotFix - General Availability Take 17 (04 December 2018, GA from 08 January 2019)
PMTR-24006, PMTR-22022
Security Management
Remote Access users configured with Pre-Shared Secret Key (PSK) cannot connect after upgrade from R77.x.
PMTR-23394, PRHF-1450
Security Management
Policy installation fails with "Policy installation had failed due to an internal error" message when Security gateway has more than hundred interfaces. Refer to sk138592.
PRHF-734, PMTR-11728
Security Management
In rare scenarios, the CPM service does not start on machine startup.
PMTR-20174, 01619796
Security Gateway
Security gateway does not load policy after reboot when number of SAM rules reaches its limit of 25000. Refer to sk110560.
PMTR-22110, 02661309, 02662730
Security Gateway
DNS NAT does not work when the DNS parser encounters an IPv6 record in DNS servers answer. Refer to sk121346.
PMTR-14588, PMTR-22784, 02768662, 02769044
Security Gateway
Security gateway with Dynamic NAT enabled, is rebooted after running "cpstop".
PMTR-20144, IDA-1176, PRHF-721
Identity Awareness
Update with "-" machine name from the Domain Controller causes the Identity Collector to create un-authenticated sessions on the PDP.
PMTR-22826, VSECC-734
CloudGuard Controller
CloudGuard Controller Data Center objects are not enforced on Multi-Domain Security Management. Refer to sk139372.
PMTR-24762, PMTR-19431
SecureXL
Drops from link collisions in PPAK due to Dynamic port allocation ("db_save_conn: failed to save conn <>, collision(-2)").
PMTR-23850, PMTR-22080
ClusterXL
When upgrading a VRRP cluster to R80.20 with Connectivity Upgrade (CU), CU fails due to the member not being in READY state.
PMTR-23382, IDA-982
VPN
User cannot connect to a VPN site that belongs to a group that has a special character in its name. Refer to sk124514.
PMTR-20038, PMTR-22373
Gaia OS
"/opt/CPInstLog/uninstall_SecurePlatform_R80_10_JHF_PLATO:Uninstallation failed!" error during uninstallation of Jumbo Hotfix Take on Smart-1 device. Newer version of RPMs remain installed after uninstall.
R80.20 Jumbo HotFix - General Availability Take 10 (01 November 2018, GA from 22 November 2018)
PMTR-22164
Security Management
When using Global Dynamic Network objects, creating a new policy package in a local Domain fails with 'Internal error' if it is assigned to the Global Domain.
PRHF-755, PRHF-495, PMTR-16967, PMTR-16968
Multi-Domain Management
Domain deleting fails with "Delete Domain failed: Error: Unspecified error".
PMTR-22800, PMTR-24139
Endpoint Security
In some scenarios, assignment to Virtual Group does not apply properly.
PMTR-22405
Security Gateway
In rare scenario, when configured as a proxy/ICAP client, a Security gateway may crash when using HTTPS Policy Categorization.
PMTR-21081, UP-251
Security Gateway
A large number of Time objects used in the rule base may cause rulebase matching failures resulting in connectivity issues.
PMTR-22320, PRHF-903
Security Gateway
ISP redundancy OID is missing from the MIB file.
SL-1594, PRHF-1268, PMTR-22564
Logging
In rare scenarios, monitoring information (such as licensing information, CPU usage, etc.) displayed in SmartConsole and SmartView Monitor is not updated. Refer to sk137092.
PMTR-23183, SL-1654
Logging
Added new format for Log Exporter to support "Check Point App for Splunk"
PMTR-23418, PMTR-23417
Logging
In some scenarios, the Logs & Monitor -> Logs section in SmartConsole is stucked on searching. Refer to sk144313.
Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
Install the latest build of CPUSE Agent from sk92449.
Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
In the upper right corner, click on the Import Package button.
In the Import Package window, click on Browse... - select the CPUSE package (either offline TGZ file, or exported TAR file) - click on Import.
Above the list of all software packages, click on the Showing Recommended packages button - selectAll.
Select the imported package Check Point R80.20 Jumbo hotfix T<number> for sk137592 - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
Select this package and click on Install Update button on the toolbar.
Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
Install the latest build of CPUSE Agent from sk92449.
Connect to command line on target Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database: HostName:0> lock database override
Import the package from the hard disk: HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
Show the imported packages: Note: Refer to the top section "Hotfixes" - refer to "Check Point R80.20 Jumbo hotfix T<number> for sk137592" HostName:0> show installer packages imported
Verify that this R80 Jumbo Hotfix Accumulator package can be installed without conflicts: HostName:0> installer verify <Package_Number>
Install the imported package: HostName:0> installer install <Package_Number>
Uninstall instructions
Important Note: This Jumbo Hotfix Accumulator removes all its packages during uninstall.
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
Connect to the Gaia Portal on your Gaia machine and navigate to the 'Upgrades (CPUSE)' section - click on 'Status and Actions'.
Above the list of all software packages, click on the 'Showing Recommended packages' button - select 'All'.
Right-click on the Jumbo Hotfix Accumulator package - click on 'Uninstall'.
A warning will be displayed that after this uninstall, the machine will be automatically rebooted. Click on 'OK' to start the uninstall.
CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent. Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449.
Connect to command line on Gaia OS.
Log in to Clish.
Acquire the lock over Gaia configuration database: HostName:0> lock database override
Uninstall the package: HostName:0> installer uninstall <Package_Number> Note: The progress (in per cent) will be displayed in Clish.
