Table of Contents:

• Introduction
• Availability
• List of resolved issues per HotFix
• Revision History

Important Note: This may not be the latest firmware release. To see the latest firmware release, refer to sk97766.

Introduction

R77.20.87 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes. This Incremental Hotfix and this article are periodically updated with new fixes.

The list below describes each resolved issue and provides a Take number, in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). In addition, you can find the date when the take was published in the table below.

Availability

Build 990173120 is the latest R77.20.87 Jumbo Hotfix Accumulator General Availability release that can be directly downloaded from this article. 

Download Package	700 Appliance	910 Appliance	1400 Appliance
R77.20.87 Image	(IMG)	(IMG)	(IMG)
R77.20.87 package for SmartUpdate			For R80.x SmartUpdate (TGZ)
			R77.30 SmartUpdate and SmartProvisioning (TGZ)

 

Resolved Issues per Build

To see the date on which a build was published, refer to the Revision History table at the bottom of this article.

ID	Description
Available in Private Builds (contact Check Point Support to receive private builds)
SMB-12773	When the user upgrades a 700, 900, or 1400 Security Gateway from R77.20.80 or R77.20.81 to R77.20.85 and higher, the session timeout for IMAPS changes from 3600 seconds to 40 seconds. Refer to sk167693.
SMB-12919	The appliance firmware fails after accessing websites whose certificate fails to be decoded.
SMB-13319	Remote access clients fail to connect with a PFX file that contains multiple CRLs.
SMB-14072	When HTTPS Inspection is enabled and the application is blocked, the user may not receive a user-check block page for some websites.
SMB-13454	If you create a new Application Group that contains one application that does not require SSL inspection and another application that does, the custom application group icon shows a lock icon even after you delete application signatures that require SSL inspection.
R77.20.87 Jumbo Hotfix build 990173120 (19 December 2021)
-	General stability fixes and performance improvements.
R77.20.87 Jumbo Hotfix build 990172913 (06 July 2021)
SA-422	Check Point Response to Wi-Fi FragAttacks in Quantum Spark appliances. See sk173718.
R77.20.87 Jumbo Hotfix build 990173083 (04 Feb 2021)
SMB-14401	SMB 700 and 1400 devices are vulnerable to DNSPooQ on internal (LAN, Wi-Fi) networks.
SMB-14108	Policy installation for the 1400 Security Gateway with IPS blade enabled fails with the following error message: "Installation failed. Reason: Failed to load Policy on Security Gateway". Refer to sk170930.
R77.20.87 Jumbo Hotfix build 990173072 (05 Dec 2020)
-	General stability improvements and fixes.
R77.20.87 Jumbo Hotfix build 990173042 (29 July 2020)
SMB-12856	When the Firewall policy is in strict mode, DHCP does not work on the bridge interface and the users cannot connect to WiFi.
SMB-12632	IP does not work when the "call id" field (usually generated randomly) of the SIP packets includes the IP address of the phone.
SMB-11853	A vulnerability in the code enables an attacker to cause a buffer overflow which can lead to a Denial of Service condition.
SMB-12158	You cannot create a LAN switch configured with LAN port numbers that are a combination of a single digit and 2 digits. Examples: LAN9 +LAN10+LAN11 LAN8 +LAN10+LAN11
SMB-11592	Starting from version R77.20.87 B3006, the Security Gateway generates certificates with a 2048 bit public key (instead of a 1024 bit key).
R77.20.87 Jumbo Hotfix build 990173004 (10 Feb 2020)
SMB-10549	Read-only and networking admins do not have permissions to create a mobile invitation.
SMB-11585	Azure traffic passing via VPN tunnel is dropped for 30 seconds when renewing or renegotiating IKE keys, and then resumes.
SMB-10749	After upgrading to version R77.20.87 pre-build 966, it is not possible to browse to websites that use certain CAs when SSL inspection is turned on.
SMB-11514	DHCP domain name (option 15) does not work from the DHCP custom options table. The date is saved properly but not propagated to the network.
SMB-11493	APPI and URL categorization block outgoing VPN traffic.
SMB-10783	Two new wireless monitoring pages were added to the WebUI: Access points list Wireless active devices list
SMB-10684	When URL Filtering is enabled, if there is a proxy that uses a port other than 8080, the Gateway still tries to use port 8080 to open HTTP connections to http://cws.checkpoint.com/URLF. As a result, the URL Filtering blade may not function as expected.
SMB-10581	Drag and drop of SSL inspection exceptions is not supported.
SMB-10784	When using the mobile or WebUI login, Radius admin session timeout is not according to the configuration.
SMB-10842	When a cluster member is down after using the command 'cpstop', the command 'cpstart' does not bring it back up.
SMB-11352	Enhancement: Increase the maximum allowed length of special SIP requests from 4096 to 8192 bytes.
SMB-11284	In rare cases, centrally managed appliances switched to local management without administrative intervention.
R77.20.87 Jumbo Hotfix build 990172960 (18 Aug 2019)
SMB-9662	TCP SACK PANIC - Linux Kernel vulnerabilities - CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479. Refer to sk156192.
SMB-9998	The error message that appears when editing a switch, "Could not set interface network-ports: Only ports higher than the port the switch is named after can be added to the switch," appears when adding a LAN with a higher number, but should only appear when adding a LAN with a lower number.
SMB-9742	You cannot edit a configuration in which LAN10 acts as a pivot (LAN10_Switch).
SMB-9759	New Advanced Settings option: "IPS engine settings - Allow protocol unknown commands" Normally, the IPS engine blocks protocols (e.g. POP3, IMAP,...) commands that it does not recognize. When the advanced setting is set to "true", IPS allows the traffic.
SMB-9839	Locally managed clusters are sometimes not synced when a fail-over is triggered by the 'force member down' button in the WebUI.
SMB-9811	In the WebUI, an active static route may appear twice in the Routing page, once as disabled and once as enabled.
SMB-9856	In version R77.20.85 and higher, some e-mails that contain attachments and are sent via SMTP to a mail server behind the Gateway, might not reach the mail server if Threat Emulation, IPS, and Anti-Spam are all enabled.
SMB-9934	The "Active Devices" page might not display data and appear to be empty.
SMB-9916	When Anti-Spam or Anti-Virus are enabled, a rare issue in the e-mail parsing I/S might lead to a crash, and clients are not able to send or receive emails for a period of time. This issue existed in all previous releases and was resolved in R77.20.87 Jumbo HF.
SMB-9908	You cannot configure the advanced fields of default system services via CLI commands.
SMB-9997	In some rare environments, if Anti-Spam or Anti-Virus are enabled, clients behind a 700/1400 appliance are unable to reach a POP3 mail server outside the Gateway. In such a scenario, the client receives packets containing a bad TCP checksum.
SMB-9621	Added support for the sicRenewal tool to re-create the SIC certificate. For more information, see sk158333.
SMB-9926	Improved detection of the correct USB cellular modem serial interface when there is more than one interface available.

 

Revision History