Jumbo Hotfix Accumulator for R80.20SP

Introduction

R80.20SP Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues for products running R80.20SP.

This Incremental Hotfix and article are updated periodically with new fixes.

The list of resolved issues below describes each resolved issue and provides the Take number in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). The date on which this take was made available is listed near the Take's number.

Important: Upgrade of CPUSE Agent is not supported on R80.20SP version for chassis and Maestro products.

Availability

General Availability Take:

Product | Take | Date | CPUSE Offline Package
Orchestrator (MHO-140/MHO-170) | Take_317 | 16 August 2021 | (TGZ)
Orchestrator (MHO-175) | Take_6* | 13 April 2021 | (TGZ)
Maestro Gateway | Take_317 | 16 August 2021 | (TGZ)
Chassis Gateway

* Take_6 is based on Take_310 of MHO-140/MHO-170, with the same content. Take_6 is a special take for MHO-175 only. It must be installed on MHO-175 GA and cannot be used with MHO-140, MHO-170, or Security Gateways.

Ongoing Take:

Product | Take | Date | CPUSE Offline Package
Orchestrator (MHO-140/MHO-170) | Take_326 | 18 October 2021 | (TGZ)
Maestro Gateway | Take_326 | 18 October 2021 | (TGZ)
Chassis Gateway

Important Notes

  1. Each of the Jumbo Hotfix Accumulator Takes is based on Check Point R80.20SP.
  2. This Jumbo Hotfix Accumulator must be installed only after the successful completion of the Gaia First Time Configuration Wizard and a reboot.
  3. For Gateway installation: All CPUSE commands must be run via gclish shell only. 
  4. To check the Take number of the currently installed R80.20SP Jumbo Hotfix Accumulator (if it is installed), refer to the last section of the output of this command: [Expert@HostName:0]# asg_provision

Resolved Issues per Take

ID Product(s) Description
Take 326 (18 October 2021)
MBS-12953 General A new user that is added in the Gaia Portal of the Security Group receives a different password hash for each member of the Security Group.
MBS-14011 General DHCP Office Mode fails with "failed to correct the packet to member=xx". 
PMTR-53642 General These error messages appear repeatedly in the dmesg and /var/log/messages files:
 
May 13 13:12:54 2020 Setup3_5800_255_14 kernel: [SIM4];[snd];resume_packet: invalid in_corr_info => dropping packet, in_corr_info(sxl_dev_id:32, flags:0x0, pkt_flags:0x0), pkt_type:VM Reinject, next_state:Stateless checks, pkt:ffff880220824ec0, ifn:10, vsid:0, instance:-1, caller:resume_inbound_from_vm_reinject
MBS-14572 Chassis Added support for 40G SFP transceiver for SSM160 (BTI40GSRDDQSFP).
MBS-14167 Chassis The BMAC address is not updated after moving an SGM from one slot to a different slot. (The issue applies to Security Gateway only, not to VSX.)
SPC-1602 Chassis In a rare scenario, the SSM may encounter an issue and stop working.
MBS-13580 Chassis (Multiple Security Groups) A traffic outage occurs when removing a slave interface from a bond interface.
MBS-13262 Chassis (Multiple Security Groups) Enhancement: In a Multiple Security Group (MSG) environment, each bond in the shared bond LACP mechanism now has the VMAC octet, rather than the global VMAC, as its Security Group MAC Magic.
MBS-14024 Chassis (Multiple Security Groups) In a Multiple Security Group (MSG) environment, SSM updates occur on both chassis. With this fix, the SSM updates will occur on the applicable chassis only.  
MBS-14185 Chassis (Multiple Security Groups) In a Multiple Security Group (MSG) environment, different Security Gateways reject packets after a policy push on newly created VSs. 
MBS-14195 Chassis (Multiple Security Groups) In a Multiple Security Group (MSG) environment, the Toggle_kern_params script runs in an endless loop.  
MBS-14518 Maestro (Gateway) "Updating SSMs amount" message appears repeatedly in the /var/log/ports file.
PMTR-69337 Maestro (Gateway) If an uplinks distribution update fails, a retry does not occur.
PMTR-71771 Maestro (Orchestrator) The Maestro Orchestrator's SDK API might stop responding (for example, when there are many periodic SNMP queries). 
PMTR-71536 Maestro (Orchestrator) In a rare scenario, if the lldp daemon is restarted on the Maestro Orchestrator, it can lead to communication issues between the Gateways and the Orchestrator.
MBS-14503 Maestro (Orchestrator) When upgrading the Orchestrator with CPUSE from R80.20SP to R81.10, the Deployment Agent is not upgraded.  
MBS-10506 Maestro (Orchestrator) If a Bond interface that is assigned to a Security Group is configured in the 802.3AD (LACP) mode, packet loss might occur on a Security Appliance when the Security Appliance regains connectivity to the Orchestrators.
Take 317 (Released 16 August 2021, GA from 18 October 2021)
MBS-14098 General Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 202 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-13989 General Enhancement: The data for "Throughput" and "Packet rate" in the output of the "asg perf" command were aligned with the CPView tool.
MBS-14077 Chassis Enhancement: Removed double logging of Global Clish (gclish) commands when "audit-log" is enabled.
MBS-14234 General Using Static NAT for the destination in asymmetric connections may lead to Out of State traffic drops.
MBS-8488 General In some scenarios, the fw_full core dump file is created randomly on Quantum Scalable Chassis and Quantum Maestro appliances.
MBS-9585 General
  • Output of the "asg monitor" command shows that the state of a Security Group Member is "DOWN".
  • Output of the "cphaprob list" command shows that the Critical Device "Policy" reports its state as "problem" on the Security Group Member.
  • Output of the "asg_policy verify -a" command shows "Failed" in the "Status" column for the Security Group Member.
  • Output of the "asg_policy verify -a" command shows "Policy date is lower than max policy date" in the "Summary" section for the Security Group Member.
MBS-14160 General A memory leak may occur when the Security Group fails to correct the packet.
MBS-14085 Chassis The /var/log/messages file contains these errors:
  • kernel: pif_create_if: error: failed to register interface eth1-Mgmt<X>! (register_netdev() rc is -17)
  • kernel: pif_create_if: error: failed to register interface eth1-CIN! (register_netdev() rc is -17).
  • bfm_create_remote_ifs: error: failed to create pseudo interface!
MBS-14079 Maestro When running the "snmpwalk" command on the Maestro Orchestrator, these errors about QSFP ports appear in the /var/log/messages file:
  • mhostatagent_get_port_cnt_data> Failed execute cmd tor_util stats port XX tx errs
  • mhostatagent_get_port_label_data> port XX seems not available
  • mhostatagent_get_portLinkState_data> Failed execute cmd tor_util get_port_link_state XX
MBS-14108 SNMP The MIB file $CPDIR/lib/snmp/chkpnt.mib fails MIB validation tests in the SNMP tree OID .1.3.6.1.4.1.2620.1.48.0 (asg).
MBS-14165 SNMP SNMP OID .1.3.6.1.4.1.2620.1.48.16 (asgSecureXLStatusBitmask) always returns the status of SecureXL as enabled, even when it is not.
MBS-14076 CoreXL Improved the stability of the "asg perf" command when all CPU cores are equally assigned to CoreXL Firewall instances and CoreXL SND instances.
MBS-11293 Identity Awareness Improved stability in these scenarios on the Security Group:
  • Multiple Identity Collectors in redundancy mode 
  • Multiple Identity Sharing connections
Take 315 (31 May 2021)
MBS-14025 General Enhancement: Disable the experimental daemon cpview_collectd at any time.
MBS-13922 General "Quitting due to time-out" message appears during JHF installation process on CPUSE.
MBS-13981 General If a connection is not symmetrical, the first packet drop is not an SYN/rule base drop.
MBS-13906 Chassis In some scenarios, a failure report is not collected fully if an SSM fails.
MBS-14041 Chassis (Multiple Security Groups) In a Multiple Security Group (MSG) environment, VSLS commands do not take effect.
Take 314 (02 May 2021)
MBS-13573 General Enhancement: New parameters for SNMP traps sent from Security Group Members. The parameters show the chassis ID and the blade ID of the member that sent the SNMP trap. 
MBS-12620 General Rule base Hit Count is not updated by R80.20SP Virtual Systems (VSs). Refer to sk170675.
MBS-7805 General After adding a slave interface to a Bond interface, the output of the "asg diag" command shows that the "Distribution Mode" test failed because of an issue with the slave interface.
MBS-9650 General
  1. Output of the "asg perf -p" command shows that the "Throughput" is 0 in the "Firewall" column.
  2. Output of the "asg perf -v" command shows the "Throughput" value is lower than expected (the F2F traffic is missing).
  3. SNMP Query for OID .1.3.6.1.4.1.2620.1.48.20.1.0 (asgThroughput) returns a value lower than expected (the F2F traffic is missing).
MBS-12597 General The "asg perf" command does not appear, or shows "0" values for "Throughput" and "Packet rate". Refer to sk174908.
MBS-13440 General ICMP error packets may not be forwarded correctly if the generating device is not in the encryption domain.
MBS-13343 General When the user attempts to download an original attachment file that was extracted by Threat Extraction, the original file is downloaded with a size of 0KB if the file name contains spaces.
MBS-13463 Chassis Limited the maximum configured MTU value to 9000 on SSM440 to prevent traffic issues.
MBS-13450 Chassis Some Management and CIN interfaces share MAC addresses (for example, eth1-CIN, eth1-Mgmt1, eth1-Mgmt2). This means that the interfaces share IPv6 link-local addresses, as IPv6 link-local addresses are derived from MAC addresses. In some scenarios, this might cause duplicated link-local addresses on the interfaces.

This fix updates the link-local addresses for the CIN and MGMT interfaces so that interfaces that share a MAC address do not share a link-local address.
MBS-8858 Maestro (Gateway) Improved the Distribution Mode configuration for Bridge slave interfaces - each slave interface has a different Distribution Mode.
MBS-13593 Maestro (Gateway) In a Dual Site environment: if one Site-Sync port link state is down and there is no active Gateway on site X, then when the first Gateway on site X boots, it may fail to become active.
Take 313 (31 March 2021, GA from 6 July 2021)
MBS-13347 General Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 190 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-10509 General Enhancement:
  • Added the "--max-file-size" flag to only collect files with a size smaller than N-Megabytes (by default, files smaller than 100MB will be collected).
  • After collecting all the files, CPSDC now prints the collected data size and its compressed size.
  • Added the file cpsdc_skipped_items.txt to the output archive that contains the skipped items and the reason for their being skipped.
MBS-13496 General After an upgrade to R80.20SP Take 310, Check Point Support Data Collector (CPSDC) does not create a symbolic link to the executable.
MBS-13282 General The /var/log/send_alert* files repeatedly show this message for different interfaces: "Site <X> eth<X>-<XX> link is up".
MBS-13474 General In rare scenarios, the command hw_utilization -d fails when more than 9 Virtual Systems are configured.
MBS-13362 General While in the MDPS data plane (set mdps environment dplane), login from Gaia Clish to the Expert mode fails with "Wrong password" if the user is authenticated by a RADIUS server.
MBS-13202 General OIDs 1.3.6.1.4.1.2620.1.48.20.5 and 1.3.6.1.4.1.2620.1.48.21.5 are not supported. They have been removed from the chkpnt.mib file.
MBS-13032 General Resolved high memory consumption by the cpview_collectd process.
MBS-13344 General The local logging test will no longer run on the "asg_perf_hogs" utility, as it has its own HCP (HealthCheck Point test).
MBS-13477 General When a cluster admin is down or a member is rebooted, some packet loss may occur.
MBS-14222 General Enhancement:
Added support for PIM.
Known Limitations:
  • PIM all modes - Supported only with IGMP snooping disabled.
  • PIM Dense mode - Supported.
  • PIM Sparse mode - Supported only when the Security Group is configured as a downstream Rendezvous Point (RP).
  • PIM SSM mode - Not supported.
MBS-13362 Maestro (Orchestrator) Enhancement:

Support for Link State Propagation (LSP) groups of Orchestrator ports. LSP binds Orchestrator ports together to work as a single logical port. 
  • If one of the bound Orchestrator ports in the LSP group goes down, then the Orchestrator changes the state of all ports in the LSP group to "down".
  • If all the bound Orchestrator ports in the LSP group go up, then the Orchestrator changes the state of all ports in the LSP group to "up".
For more information, see sk172613.
MBS-13304 Maestro (Orchestrator) Added support for the SNMP sysOID .1.3.6.1.2.1.1.2.0 for Maestro Orchestrators.
MBS-13327 Maestro (Orchestrator) Added the ability to upgrade R80.20SP to R81.10 with the CPUSE upgrade package.
Take 310 (28 January 2021, GA from 31 March 2021)
MBS-12976 General Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 188 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-12809 General Enhancement: Updated the Check Point Support Data Collector (CPSDC, see sk164414). Changed the name of the cpdata_collector_sp command to cpdata_collector.
MBS-11351 General VPN Site-to-Site tunnel fails to establish when several interfaces with the Topology "External" are configured in the Security Gateway object.
MBS-12714, MBS-12883 General Remote Access client using the Visitor Mode, or connecting to a Mobile Access Portal, may disconnect several seconds after it connected.
MBS-12356 General If the "Chassis HA mode" is configured as "VSLS", the SNMP query for the OID "asgChassisParamsMaxGrade" (.1.3.6.1.4.1.2620.1.48.28.4.1.5) returns a wrong value.
MBS-12834 General The asg diag command shows that the "Licenses" test fails with the reason "Licenses differ across blades".
The "asg_licenses_verifier -v" tool shows the error "Differerent licenses are installed across blades".
MBS-13054 Chassis Multiple Security Groups (MSG) A bond in the 802.3AD (LACP) mode that is shared between several Security Groups stops working because of duplicate LACP replies it sends to a connected switch. The connected switch shuts down the LACP because of duplicate replies (in Security Groups, a non-LACP task member sends replies in addition to the LACP task member).
MBS-12719 Chassis Multiple Security Groups (MSG) On chassis with Multiple Security Groups configured, added support for sending global commands to Security Members in all Security Groups.
Syntax in Expert mode:
sgrm global_conf -a run_global_cmd -v <Expert Mode Command>
Take 309 (3 January 2021, GA from 28 January 2021)
MBS-12752, MBS-12941 General Enhancement: Updated the Check Point Support Data Collector (CPSDC, see sk164414). The new flag "last-modification-day" collects files that were modified in the last N days. By default, the CPSDC collects files that were modified in the last 7 days.
MBS-12843 General Enhancement: Updated the Check Point Support Data Collector (CPSDC, see sk164414) to collect additional files:
  • /var/log/asg_diag_last_run.txt
  • /var/log/ssm_failure_reports/*
MBS-12637 General Enhancement: Updated the Check Point Support Data Collector (CPSDC, see sk164414) to collect additional files:
  • /etc/sgdb.json
  • /etc/distutil.conf
  • /var/log/sgrmd.elg
  • /var/log/resource_manager.elg
  • /proc/net/bonding
MBS-12835 Chassis The SSM Allow Management Loss feature (sk145792) sends alerts even if a failure event's duration is short.
Now the feature sends alerts only if a failure event's duration is long (30 seconds by default).
MBS-12230 General Enhancement: Ability to configure SNMP Traps in Gaia gClish. For more information and configuration instructions, see sk171394.
MBS-12810, MBS-12952 Maestro Enhancement: Ability to send SNMP v2 / v3 traps for changes in port statuses on Maestro Orchestrator.

New commands in Gaia Clish on Maestro Orchestrator:

To enable / disable the feature:
set maestro snmp traps port-state {on | off}
To add an SNMP Trap Sink:
add snmp traps receiver <IPv4 address> version {v2 | v3} community <String>
MBS-12738 Maestro Added support for Orchestrator Hardware Health Monitoring (resolves Known Limitation MBS-5205).

To monitor, use any of these:
  • Gaia Portal (Maintenance > Hardware Health Monitoring)
  • The show sysenv all command in Gaia Clish
  • The cpstat command in Gaia Clish or Expert mode
    • cpstat os -f sensors
    • cpstat os -f power_supply
  • SNMP "Get" requests for the supported sensors
    • V2 and V3
  • SNMP Traps for the supported sensors
    • V2 and V3
Supported hardware sensors:
  • Fan speeds:
    • 8 Fans on MHO-140
    • 4 Fans on MHO-170
  • Voltages:
    • 3 sensors for the first UCD regulator
    • 2 sensors for the second UCD regulator
  • Temperatures:
    • ASIC
    • CPU cores (3 on MHO-140 and 4 on MHO-170) 
    • Power regulators (4 sensors - 2 per each UCD regulator)
    • System/ambient (2 sensors)
  • Power Supply status (2 PSUs)
SNMP Notes:
  • SNMP GET and TRAP reuse the same OIDs that are used for a regular Security Gateway.
  • Example: for SNMP GET, these are under iso.org.dod.internet.private.enterprise.checkpoint.products.svn.svnPerf
  • SNMP trap behavior is like Security Gateway behavior: traps are sent periodically for a failed sensor until it recovers.
Take 306 (21 December 2020)
MBS-12788 Maestro In some scenarios, after rebooting several Security Group Members at the same time, the Security Group Members can boot up with a cluster state of LOST, READY, or DOWN, or may fail to communicate with one of the Orchestrators.

To resolve in R80.20SP Jumbo Hotfix Accumulator Takes 304/305:

Restart the ssm_pmd daemon on each one of the Maestro Orchestrators with these commands in the Expert mode:
[Expert@ORCH:0]# tellpm process:ssm_pmd ; tellpm process:ssm_pmd t

Important Note:
This fix is part of the Orchestrator JHF. You do not need to install Take 306 on the Security Gateway to resolve this issue. You need to install it only on the Orchestrator.
Take 305 (1 December 2020)
MBS-12430 General Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 183 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-12561 General Enhancement: Updated the Check Point Support Data Collector (CPSDC, see sk164414) to run 5 threads by default (instead of 20 threads).
To change the number of the running threads, change the value of the "check max_threads_amount" parameter in the configuration file "/etc/cpsdc/conf/cpsdc_conf.json".
MBS-11960, MBS-4866, MBS-12653 General Enhancement: Added support for ISP Redundancy.

Note: If you enabled the ISP Redundancy in the Security Gateway object and you downgrade from the Jumbo Hotfix Accumulator to a Take lower than Take 305, the system may be stuck in the DOWN state:
The output of the asg monitor command shows the state DOWN.
The output of the cphaprob stat command shows that the Critical Device "Configuration" reports its state as "Problem".

To avoid this issue:
Before you downgrade from the Jumbo Hotfix Accumulator, you must disable the ISP Redundancy in the Security Gateway object in SmartConsole.

To resolve this issue:
Contact Check Point Support.
MBS-12525 General The output of the "ps -aef | grep [d]efunc" command shows multiple zombie processes "[sh] <defunct>". The issue occurs after a reboot or policy installation.
MBS-11506 General The Check Point Support Data Collector "cpdata_collector_sp" (CPSDC, see sk164414) fails with the "Failed to open /etc/cpsdc/conf/cpsdc_logger.json" error. See sk168713.
MBS-12375 General Commands in Gaia gClish fail with:
CLINFR0739 error in command execution; see "/var/log/messages"
The /var/log/messages file shows:
clish[<PID>]: timeout on read from all remote nodes; connections lost
Refer to sk170301.
MBS-12532 Maestro The "add maestro security-group id <ID> interface(press the TAB key)" command on an Orchestrator shows VLAN interfaces in the list of available interfaces.
Take 304 (2 November 2020, GA from 1 December 2020)
MBS-11953 General Added support for the Threat Extraction Software Blade in VSX mode.
MBS-12216 General Updated the Check Point Support Data Collector (CPSDC, see sk164414) not to collect unnecessary log files.
MBS-12217 General Updated the Check Point Support Data Collector (CPSDC, see sk164414):
  • By default, the CPSDC scripts collect the data from Security Group Members that are in the UP state and those that are in the DOWN state.
  • Added a new flag "exclude-down" to collect the data only from Security Group Members that are in the UP state.
  • Removed the "include-down" flag.
MBS-11956 General These Gaia gClish commands do not take effect on all Security Group Members: 
  • set user <username> password-hash
  • set user <username> force-password-change
MBS-12280 General If the IPSec Software Blade is disabled, this message appears repeatedly in the /var/log/messages file:
fwhandle_get(fwvpn.c:4288): Table kbufs - Invalid handle XXX (bad pool).
MBS-12362 Chassis & Maestro The CPD daemon consumes CPU at 100%.
To resolve this issue, the SNMP OID 'asgVSXDropTable' (1.3.6.1.4.1.2620.1.48.30.110) was removed from the $CPDIR/lib/snmp/chkpnt.mib file.
As a result, it is no longer possible to get information over SNMP about dropped packets by Virtual Systems.
This issue applies to:
  • VSX mode
  • R80.20SP Jumbo Hotfix Accumulator Take 302
MBS-6084 Chassis & Maestro To support asymmetric connections, it is necessary to enable the cluster synchronization in the corresponding service's properties (Advanced pane > in the Cluster and synchronization section, select Synchronize connections if Synchronization is enabled on the cluster > install policy).
MBS-6525, MBS-12150 Chassis In a rare scenario, under a heavy load on the CPU cores that run SecureXL on SGM400, a traffic outage can occur when the i40e driver becomes unresponsive and resets itself (see sk170002).
MBS-10924 Maestro Major enhancement for configuration of VLAN interfaces on Maestro Orchestrators. See sk170294.
MBS-11899 Maestro Reduced the memory consumption on Maestro Orchestrators.
MBS-12314 Maestro It is now possible to add these Check Point Appliance models to the same Security Group:
  • 26000 Turbo and 28000 Plus
  • 6900 Turbo and 7000 Plus
Important Note: All the Security Appliances assigned to the same Security Group must have identical Memory size and Hard Disk size.
Take 302 (05 October 2020)
MBS-11443 General The "config_verify -v" command shows "Performing xfer files verification... Failed!" because the /etc/smo_uptime files are not identical on all Security Group members.
MBS-11780 General The Gaia gClish command "add backup-scheduled name <Name> local" fails with "Segmentation fault (core dumped)". See sk168913.
MBS-11892 General Non-SMO members of a Security Group can enter a reboot loop after the user installs Take 295 of the R80.20SP Jumbo Hotfix Accumulator. See sk169515.
MBS-10748 General Added support for the new SNMP OID 1.3.6.1.4.1.2620.1.48.20.27.4: Total number (from all cluster members) of packets dropped by a security policy on the Security Gateway or specified VSX Virtual System.

Note: You must use SNMP v3 in the VS mode as described in sk90860.
MBS-10123 General Added support for the new SNMP OIDs to get performance statistics from VSX Virtual Systems.

Configuration in expert mode:
  1. Run: g_all "vsx resctrl monitor enable"
  2. Run: g_all "vsx mstat enable"
  3. Run: g_all "reboot"
Configuration in Gaia gClish:
  4. Configure SNMP v3 in the VS mode as described in sk90860.

SNMP OIDs - statistics from the specified Virtual System, statistics from each cluster member:
  • Number of concurrent connections - 1.3.6.1.4.1.2620.1.48.30.30.10.1.*
  • Physical memory - 1.3.6.1.4.1.2620.1.48.30.40.10.1.*
  • CPU usage - 1.3.6.1.4.1.2620.1.48.30.50.10.1.*
  • Packet rate - 1.3.6.1.4.1.2620.1.48.30.80.10.1.*
  • Throughput - 1.3.6.1.4.1.2620.1.48.30.90.10.1.*
  • Interface packet rate - 1.3.6.1.4.1.2620.1.48.30.100.10.1.*
  • Total number of dropped packets - 1.3.6.1.4.1.2620.1.48.30.110.10.1.*
  • Connection rate - 1.3.6.1.4.1.2620.1.48.30.120.10.1.*
  • Virtual memory - 1.3.6.1.4.1.2620.1.48.30.130.10.1.*
SNMP OIDs - statistics from the specified Virtual System, total statistics from all cluster members:
  • Total number of concurrent connections - 1.3.6.1.4.1.2620.1.48.30.30.20
  • Total packet rate - 1.3.6.1.4.1.2620.1.48.30.80.20
  • Total throughput - 1.3.6.1.4.1.2620.1.48.30.90.20
  • Total number of dropped packets - 1.3.6.1.4.1.2620.1.48.30.110.20
  • Total connection rate - 1.3.6.1.4.1.2620.1.48.30.120.20
MBS-11765 General Gaia users other than the 'admin' cannot use SCP to connect to a Security Group Member, even if the default shell '/bin/bash' and the 'admin' role are configured.
MBS-11674 General Fetching packet capture from a violation log in SmartConsole fails with the error "Failed at getting the incident file from the gateway".
MBS-11806 General On VSX Cluster Members, the last octet of the MAC address on WRP interfaces is wrongly set based on the Global VMAC instead of the MAC Magic value.
MBS-12049 General Security Group member reboots in a loop after installing R80.20SP JHF Take 295, if IPv6 was enabled.
  • This issue applies to Take 295 released before 30 September 2020.
  • Take 295 released on 30 September 2020 resolves this issue.
MBS-11764 General The output of the "show smo verifiers" command shows that the "ARP Consistency" test fails. This issue was caused by an unused padding in the kernel table 'arp_table'.
MBS-11821 General The output of "asg diag" shows that a test failed because the $CPDIR/conf/skip_interfaces.conf file is not identical on Security Group Members. See sk169873.
MBS-11367 General In rare cases, a Security Group member can crash (with the message "Entering kdb") during the installation of the R80.20SP Jumbo Hotfix Accumulator.
MBS-12001 General On VSX Cluster Members, VMAC address is set on WRP interfaces in the Decimal format instead of the Hexadecimal format.
MBS-9767 General VPN IKE packets are forwarded to a Security Group member even after its state changes to "Down".
MBS-10768 General The output of the "asg diag verify" command shows that the Proxy ARP test fails because the local.arp files are not consistent on Security Group Members.
MBS-4414 General While a Security Group member reboots, some existing connections can fail on the Security Group. See sk169765.
MBS-2581 General Logs generated by Software Blades on Scalable Platforms do not show the Group ID and SGM ID.
MBS-11831 General After installing Take 295 of the R80.20SP Jumbo Hotfix Accumulator, Gaia Clish commands for Dynamic Routing fail with these errors (see sk169232):
  • RTGRTG0019 source_tclfile(rtgmisc.tcl)
  • RTGRTG0019 tclproc: invalid command name <command>
MBS-11227 Chassis Scalable Platform automatically collects statistics and data in the /var/log/ssm_failure_reports/ directory in these cases:
  • An SSM enters the management loss state (see sk145792).
  • An SSM goes down.
MBS-11777 Chassis If the kernel parameters 'fw_reject_non_syn' and 'fw_reject_out_of_state_syn_resp' are enabled, and an administrator makes changes in SSM configuration (for example, adding a new interface to a Security Group), then Security Group Members can flood the chassis with reject packets.
MBS-10744 Maestro The "show maestro port X/Y/Z optic-info" command incorrectly returns "Not supported" for Check Point supported transceivers.
MBS-11844 Maestro In a Dual Site deployment, when one of the Maestro Orchestrators boots up on one of the sites, both sites might become active for a short time.
MBS-11611 Maestro The REST API server may remain down on the Maestro Orchestrator if the Orchestrator was forcefully unplugged from its power source.
MBS-11847 Maestro It is now possible to add 16000 Turbo and 16200 Plus Security Appliance models to the same Security Group.

Note: All Security Appliances within the same Security Group must have an identical Memory size and HD size.
PRJ-10396, MBS-12023 Maestro In some scenarios, transmit queues may stop, causing packet loss.

Applies to these Line Cards on Security Appliances:
  • 40 GbE Fiber card (CPAC-2-40F-B)
  • 100 GbE Fiber card (CPAC-2-100/25F-B)
MBS-11728 Maestro (Orchestrator) If the user upgrades the Maestro Hyperscale Orchestrator (MHO) from R80.20SP Jumbo Hotfix Take 295 or older to a new Take, the upgrade may have an effect on traffic because "orchd stop" was not done at the start of the Jumbo Hotfix installation process. Refer to sk173686.
Take 295 (19 August 2020, GA from 30 September 2020)
MBS-11071 General Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 161 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-11633 General UserCheck Portal does not work on a VSX Gateway after the user installs the R80.20SP Jumbo Hotfix Accumulator.
This applies to Take 279 to Take 283 (see sk168754).
MBS-10095 General VPN outage when a Check Point Security Gateway renegotiates IPsec with a 3rd party VPN peer.
MBS-10263 General Clear packets that should be encrypted are not forwarded between Security Group members from interfaces whose MAC addresses start with the hexadecimal digits 02 (example: 02:AB:CD:EF:12:34).
MBS-11388 General The 'asg diag' command does not add failed tests to the Message Of The Day (MOTD) if the names of these failed tests contain a hyphen (for example, "Multi-Queue").
MBS-11177 General Terminal Escape Sequences appear around the "OK" and "FAILED" statuses of Software Blade verifications in the summary file, which the 'asg diag' command creates.
Note: These Terminal Escape Sequences add color to the status text.
MBS-11085 General The "Hits" counter value in the SmartConsole rulebase does not update when traffic reaches a non-SMO Security Group member (for Security Gateway only).
MBS-11359 General After every change to VSX objects in SmartConsole and pushing of VSX configuration, the output of the 'ps -auxw' command on the VSX Gateway / VSX Cluster Members shows the "[gzip] <defunct>" processes.
MBS-11427 General Improved stability of the FWD daemon when adding or deleting "fw samp" rules.
MBS-11295 General IPv6 traffic outage during cluster fail-overs.
MBS-11375 General Memory leak in the stateless correction flows (example: local connections that pass through the Mgmt interface of a Security Group, like a connection from a non-SMO member of a Security Group to the Management Server).
MBS-10092 General Added new SNMP OIDs for Maestro Hyperscale Orchestrators in the chkpnt.mib file (the new branch "mho" with the OID .1.3.6.1.4.1.2620.1.55):
  • .1.3.6.1.4.1.2620.1.55.1 - Statistics for ports
    • .1.3.6.1.4.1.2620.1.55.1.1 - RX statistics for ports
    • .1.3.6.1.4.1.2620.1.55.1.2 - TX statistics for ports
    • .1.3.6.1.4.1.2620.1.55.1.3 - RX buffer statistics for ports
    • .1.3.6.1.4.1.2620.1.55.1.4 - State of ports (logical port ID, physical port / port label ID, link state, admin state, speed)
    • .1.3.6.1.4.1.2620.1.55.1.5 - Summary information for ports (logical port ID, physical port / port label ID, link state, admin state, speed, RX statistics, TX statistics)
  • .1.3.6.1.4.1.2620.1.55.2 - Number of ACL rule memory entries
    • .1.3.6.1.4.1.2620.1.55.2.1 - Number of used ACL rule memory entries
    • .1.3.6.1.4.1.2620.1.55.2.2 - Total number of ACL rule memory entries
    • .1.3.6.1.4.1.2620.1.55.2.3 - Number of free/unused ACL rule memory entries
MBS-11397 Chassis Added support for 40G SFP transceiver for SSM440 (BTI40GSRQSFPP).
MBS-11063 Chassis & Maestro Security Group Members are now able to synchronize their Fast Acceleration rules (sk156672) with those on the SMO Security Group Member and load them without reboot.
MBS-11175 Maestro The 'asg_bond -v' command does not validate LACP system ID received from switches.
MBS-11283 Maestro Improved the stability of Gaia Clish operations on Security Groups topology on Maestro Orchestrators.
Take 283 (02 July 2020)
MBS-10870 General The '$SMODIR/bin/coredumps_bt' command shows the message "In order to use gdb, please run: /opt/CPsmo-R80.20/bin/debug_tools/install_debug_tools".
MBS-10921 General The autocomplete for the Gaia Clish command 'show bonding group <Group_ID>' shows "Sorry, no help available here" for the "interfaces" option.
MBS-6708 General When interrupting the 'asg_perf_hogs' command with the CTRL+C keys, the message on the screen shows "Operation was canceled/terminated by user" instead of "No issues were found".
MBS-10962 General Query for the SNMP OID "asgNetIfTx" (.1.3.6.1.4.1.2620.1.48.26.1.1.12) returns inconsistent values.
MBS-10407 General New feature:
The Custom Intelligence Feeds feature provides an ability to add custom cyber intelligence feeds into the Threat Prevention engine. It allows fetching feeds from a third-party server directly to the Security Gateway to be enforced by the Anti-Virus and Anti-Bot Software Blades. For more information, see sk132193.
Known Limitation:
When editing local source feeds, make sure to copy the edited files to all Security Group Members (with the 'asg_cp2blades <path_to_file>' command).
MBS-8473 Chassis Removed the 'ccutil reset_parity_counter' command from the code.
MBS-7630 Chassis The output of the 'asg stat vs' command in the section "Virtual System Status" shows "active chassis" in lowercase when a Virtual System is in a freeze. Now the output shows "Active chassis" with a capital letter.
MBS-11048 Chassis "KERLAG0429 cant read "set_list": no such variable" error in Gaia gClish when running the 'delete bonding group <Bond ID>' command and working with Multiple Security Groups.
MBS-11068 Chassis The output of the 'ps aux | grep defunct' command shows "vrf" processes after an SNMP query for one of these:
  • OID .1.3.6.1.4.1.2620.1.48.32 - SSM CPU and RAM usage
  • OID .1.3.6.1.4.1.2620.1.48.33 - SSM Ports (speed, link, packets)
The issue occurs from Take 210 of the R80.20SP Jumbo Hotfix Accumulator, in which these OIDs were added (see MBS-8719).
MBS-9798 Chassis & Maestro Fragmented packets are dropped with the "fwfrag_expires Reason: timeout has expired for fragment;" message in kernel debug.

Note: This issue was fixed in Gateway mode. A fix for VSX mode is planned.
MBS-11045 Maestro Improved stability of the ssm_pmd daemon when changing the QSFP mode.
MBS-10929 Maestro "NMSSG0429 error copying "/tmp/sgdb.json": no such file or directory" in Gaia Clish on Maestro Orchestrator when modifying a Security Group topology.
MBS-10961 Maestro Maestro Orchestrator does not require a license. Therefore, this message was removed from the Gaia Portal on Maestro Orchestrator (from the Upgrades (CPUSE) > Status and Actions page):
"The trial license is currently active and will expire on <Date> <Time>".
MBS-10125 Maestro
  • Improved the stability of the sgm_pmd and lb_configd daemons.
  • Improved Security Appliance cluster stability.
MBS-10229 Gaia Added the new column "asgResourceTitle" to the SNMP Table "asgResourceTable". The new column contains the Security Group Member ID and the resource name.

Format of the output: "Site <Site-ID> Member <Member-ID> <Resource-Name>"

Example output: "Site 2 Member 1 Memory Utilization"

The SNMP OID of the new column is: asgResourceTable.1.8 (.1.3.6.1.4.1.2620.1.48.23.1.8).

Note: The SNMP MIB file is $CPDIR/lib/snmp/chkpnt.mib
Take 279 (31 May 2020, GA from 30 June 2020)
MBS-10240 General Added support for the Threat Extraction blade.
Note: Does not apply to the VSX mode.
MBS-6180 General Removed the "-amw" flag from the syntax of the 'asg stat' command. Run the 'asg stat -v' command to get the required information.
MBS-8379 General Added support for secondary IPv4 addresses (aliases) on the data ports of a Security Group (Maestro and Scalable Platforms). See sk167073.
Note: This does not apply to VSX mode.
MBS-10833 General The 'asg_provision' command fails the "CVPN" test due to a different version of the CPinfo tool between the Security Group members and the SMO.
MBS-10732 Chassis The Chassis Monitor daemon (cmd) sometimes fails to retrieve the CPU temperatures due to an SNMP timeout.
MBS-10619 Chassis The 'asg diag' test "Software Versions" sometimes fails on a CMM version mismatch due to a failure to retrieve the version from the CMM.
MBS-10733 Chassis When restarting the active CMM (for example, with the 'ccutil restart_cmm active' command), a chassis may fail over, even if there is a Standby CMM.
MBS-5608 Chassis When the 'asg_hard_start' command is executed without the "-b <SGM_IDs>" flag, it applies to all SGMs.
Now the command's built-in help contains the description of the "-b <SGM_IDs>" flag, which allows you to run this command for the specified SGMs.
MBS-10812 Maestro The 'drop_monitor' command fails with "Got JSON status failed from blade . Error: Error - Was not able to get driver type._".
MBS-10757 Maestro After installation of the R80.20SP Jumbo Hotfix Accumulator Take 274, Maestro Security Appliances may fail to boot.
MBS-10600 Maestro The Check Point Support Data Collector (CPSDC) Tool (sk164414) now collects additional files and command outputs.
MBS-10506 Maestro If a Bond interface that is assigned to a Security Group is configured in the 802.3AD (LACP) mode, packet loss might occur on a Security Appliance when the Security Appliance becomes active after a reboot.
MBS-10763 Gaia When a Linux password is changed for a user on a Security Group member, it is not updated on other Security Group members.
Take 273 (04 May 2020)
MBS-9910 General Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 141 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-10630 General Improved stability of the lb_configd daemon.
MBS-10289 General Remote Access Clients fail to connect to the VPN Gateway with the error "Negotiation with site failed", if the username is 6 or fewer characters long.
MBS-10384 General Kernel memory utilization increases on non-SMO members after policy installation.
MBS-10388 General Improved the formatting in the output of the 'asw_swb_update_verifier' command for rows with "need_to_update" in the "status" column.
MBS-10151 General The size of the dentry cache (see the output of the 'slabtop -o' command) can increase on non-SMO members during policy installation.
MBS-10418 General Enhancement: Moved the "/cpsdc_tmp/" directory from "/tmp/cpsdc_tmp/" to "/var/log/cpsdc_tmp/" (this directory contains temporary files for the Check Point Support Data Collector).
MBS-10410 General Policy installation on a Security Gateway object fails after deleting the last configured URL with the 'url_block -d -n <URL>' command.
MBS-9949 General Corrected a spelling mistake ("Incosistent") in the output of the 'asg diag' commands in the "Reason" column.
MBS-10254 Chassis The SSM Allow Management Loss feature (sk145792) may not enter the "Management Loss Mode" when the total amount of backplane interface packets exceeds 2 billion.
MBS-10302 Chassis
  • The 'asg_reboot' command was changed to perform a software reboot only.
  • The 'asg_hard_reboot' command was added to perform a hardware reboot.
MBS-10093 Chassis The 'ccutil get_matrix_max_size' command returns the command usage instead of an expected value.
MBS-9523 Maestro Added support for creating a Gaia snapshot on one Security Appliance and reverting that Gaia snapshot on a different Security Appliance in the same Security Group (for example, with the command 'snapshot_recover').
MBS-10230 Maestro Connections to the Security Group over the Security Group's Mgmt interface may be interrupted.
MBS-9550 Maestro Deleting the entire Security Group might cause the Security Group members to stay in the DETACH state.
MBS-7433 VSX In VSX mode, UIPC does not work if a Virtual System (other than VS0) is configured with an IP address on the same subnet as the VS0 management network.
Take 266 (31 March 2020)
MBS-8558 General Improved stability of the fwk daemon for VSX mode.
MBS-9810 General Improved stability of the "asg perf" utility.
MBS-9300 General The output of the 'asg policy verify' command might show "Failed" for some Security Group members if a Mobile Access Policy is installed on this Security Group.
MBS-8799 General Remote Access VPN clients fail to get an Office Mode IP address when Office Mode Anti-Spoofing is enabled on the Security Gateway.
MBS-9750 General Security Group member on a Standby Chassis / Standby Maestro Site initiates an IKEv2 negotiation.
MBS-9877 General Security Group members are not shown in Gaia Portal in this scenario:
  1. Connected to the Gaia Portal of the Security Group
  2. From the left tree, clicked Maintenance > Shut Down
  3. Clicked the option Selected members
  4. The Select cluster members pop up opens, but it is empty
MBS-9793 General When the 'asg_dr_verifier' command is run in the context of a Virtual System other than VS0, the output in the "BGP peers" section incorrectly shows: "Status: Inconsistency found on some of the SGMs"
MBS-4895 General The 'fw sam_policy' ('fw samp') commands are not supported for Scalable Platforms and Maestro Security Appliances in VSX mode.
MBS-9831 General When the configured routes have comments (comments in the configured BGP peers, comments in the configured BGP AS, comments in the configured static routes, and so on), the 'asg_route' command reports a false positive for inconsistent routes, because the comment information is not synchronized.
MBS-9067 Chassis The "SSM Allow Management Loss" feature (sk145792) is now enabled by default.
MBS-9666 Chassis The output of the 'asg perf' command does not update the memory utilization counter during a reboot.
MBS-9731 Chassis Enhancement: Added support for the following transceivers:
  • 40G QSFP transceiver for SSM160 / SSM440 (APQPSR43CDM01NI)
  • 40G QSFP transceiver for SSM160 / SSM440 (BTI40GLRQSFPP)
  • 10G SFP transceiver for SSM160 / SSM440 (BTI10GLRSFPP)
MBS-3460 Chassis Added support for configuring the SSM backplane speed in Gaia gClish.

On SGM400:
  • set ssm backplane-speed Auto apply-on <chassis1 | chassis2>
  • Note: This configuration lets SGM400 work with the 40G link without the need to configure it manually on the SSM.
On SGMs other than SGM400:
  • set ssm backplane-speed 10GB
To get the current SSM backplane speed, run one of these commands:
  • asg_chassis_ctrl get_backplane_admin_speed <1 | 2 | all>
  • asg_port_speed verify
MBS-9714 Maestro The following message might appear when applying the change after removing Security Appliances from a Security Group:
Failed to apply Security Groups topology
Failed to execute 'tor_util remove_sgm <Security_Group_ID> <Member_ID>' on MHOs: <Orchestrator_ID>
MBS-9830 Maestro Installing a Hotfix / Jumbo Hotfix Accumulator on all Security Group members at the same time (and not gradually) overrides the configuration of traffic distribution to default: general and L4 Distribution is enabled.
MBS-9384 Maestro Improved the link stability on the ethX-Sync interfaces of the Maestro Hyperscale Orchestrator.
MBS-9762 Maestro In a Maestro Dual Site environment, uninstalling a Hotfix might fail.
MBS-9704 Maestro OSPF packets cannot pass through a Maestro bridging group. Kernel debug shows that packets are dropped:
"fwha_ccl_inbound_late: dir 1, X.X.X.X:0 -> 224.0.0.5:0 IPP 89: failed to send to member 0, dropping"
MBS-9603 Chassis Multiple Security Groups (MSG) Security Group Resource Manager processes CCP packets from Virtual Systems with IDs other than 0 (zero). This might cause the cluster state of Security Group members to change repeatedly between ACTIVE and DOWN.

Security Group Resource Manager will now process CCP packets only from the Virtual System with ID 0 (zero).
This avoids cluster state flapping when other Virtual Systems publish their cluster state as DOWN, when they do not have policy installed yet.
MBS-9877 Chassis Multiple Security Groups (MSG) When Multiple Security Groups are enabled, each Security Group incorrectly considers the member with the lowest ID as the Security Group Resource Manager. As a result, members in other Security Groups do not get updates from the correct Security Group Resource Manager.
Take 258 (10 March 2020, GA from 31 March 2020)
MBS-9528 General Although only OSPFv2 with Graceful Restart Helper is configured (without OSPFv3), the Critical Device "OSPF3 Graceful Restart" shows this message during the cluster failover: "OSPF3 Graceful Restart PROBLEM Master -> Standby. Waiting for GR".
MBS-9143 General Improved the policy load functionality in the 'fw samp' command (for Security Gateway only).
MBS-9136 General Security Group might assign the same Office Mode IP address to different Remote Access VPN clients.
MBS-8734 General Traffic might fail to pass over a VPN tunnel with a DAIP peer.
MBS-9354 General VPN tunnel over NAT-T with a DAIP peer might not work when Layer 4 Distribution is enabled.
MBS-7208 General After a snapshot was reverted on a member, the output of the 'asg diag' command might show "Policy signature doesn't match on all SGMs".
MBS-8672 General Enhancement: Avoid connection forwarding (when possible) between Security Group members in VSX mode.
MBS-8249 General Changed the configuration options in the 'asg_alert' command to allow sending of SNMP traps for each individual test result from the 'asg_diag' command.

Now it is possible to select for which tests to send individual SNMP traps, and to send these SNMP traps for either failed tests, successful tests, or both.
MBS-8923 General The output of the 'asg diag print' command shows an alert (which is a False Positive) for the Dynamic Routing Diagnostic test about differing interfaces and neighbors on the Security Group members.

Root cause: The configuration lock is owned elsewhere on one of the Security Group members, even when the interfaces and neighbors are the same.
MBS-8762 General The Geo Policy IPToCountry database fails to update on Security Gateways (sk163672).
MBS-8460 General When connected with SSL Network Extender to a Mobile Access Gateway, the user is unable to open new connections after a fail-over in the Security Group until a policy is installed on the Security Group.
MBS-8853 General Enhancement: Added support for "Same VMAC Feature". Refer to sk165674.
MBS-9332 General Enhancement: Check Point Support Data Collector tool (cpdata_collector) and IP/URL Block features are able to self-update from the Check Point Cloud. This requires the Security Gateway to be connected to the Internet.
MBS-9778 Maestro Memory leak in the "sgm_pmd" process.
MBS-8691 Maestro
  1. The time configuration in Gaia gClish is not applied on the Security Appliances of a Security Group.
  2. The $FWDIR/log/blade_config.* files on the Security Appliances of a Security Group may show the following error: "Error: Failed to update the date".
MBS-9179 Maestro Manual distribution settings might be overridden after reboot on Maestro Security Appliances.
MBS-9838 Maestro Improved recovery for traffic distribution if there were communication issues between Security Appliances and Orchestrators.
Take 242 (05 Feb 2020)
MBS-9661 General Resolved the issue with the installation of the Jumbo Hotfix Accumulator Take 240 on Dual Chassis / Maestro Dual Site with VSX Virtual Switch.
Take 240 (03 Feb 2020)
MBS-9390 General The output of the 'asg route' command shows "cost None" on some SGMs.
MBS-9473 General Threat Extraction processes do not start after an upgrade to Take 191 of the R80.20SP Jumbo Hotfix Accumulator.
MBS-9235 General VPN tunnel might disconnect after ~30 seconds.
MBS-6173 General Enhancement: The 'asg diag' command is now able to verify the Multi-Queue status (the "multi-queue" test) on the backplane interfaces BPEthX.
MBS-9202, MBS-6190 Chassis Added initial support for Multiple Security Groups on chassis. For implementation, contact Check Point Support.
MBS-8778 Maestro The output of the "cores_verifier" script in the section "Ppak core affinity on all SGMs is:" is broken when more than 10 SecureXL instances are configured on the Security Appliances.
MBS-9394 Maestro Improved the stability of the orch_info utility.
MBS-9135 Maestro Deleting a Security Appliance from a Security Group in Gaia Clish and applying the new configuration might fail with errors.
MBS-7861 Maestro Enhancement: Improved the internal process of applying the Security Group topology.
MBS-9311 Maestro Enhancement: Improved the stability of Quick FCD.
MBS-7445 Cluster BGP connections that pass through the cluster might break after a failover.
MBS-8901 Cluster ClusterXL does not monitor the external interface of VSX Virtual Switches.
Take 210 (05 Jan 2020)
MBS-8849 General Enhancement: Added the new Check Point Support Data Collector tool (cpdata_collector).
MBS-9130 General When the user runs the 'cpview' command on Security Group members, the "Overview" page shows "N/A" in all counters.
MBS-6638 General In rare cases, during policy installation, traffic may be dropped on the cleanup rule for some time, or until SecureXL is disabled.
MBS-8850 General Enhancement: Added new tools to block malicious traffic.
  • "ip_block": lets you block malicious traffic to or from certain IP addresses.
  • "url_block": lets you block malicious traffic to or from certain URLs.
For more information, refer to the R80.20SP Maestro Administration Guide and R80.20SP Scalable Platforms Administration Guide - section "IP and URL Block Feature".
MBS-7595 Gaia The size of the /var/log/ports file grows constantly because the file is not rotated.
MBS-8427 Gaia Scheduled backup to a remote server does not work.
MBS-8427 Chassis Enhancement: Added support for the "SSM Allow Management Loss feature" (sk145792).
MBS-8453 Chassis Added support for MAGG with LACP configuration.
Note: MAGG with LACP configuration is only supported in Chassis, not in Maestro.
MBS-8851 Chassis Enhancement: Improved logging.
  1. Added support for Log Alerts.
  2. Improved the distribution of Log Servers - use the 'log_distributer' command in Gaia gClish to configure the distribution of logs and alerts between the configured Log Servers. 
MBS-8848 Chassis Enhancement: Added the new utility "drop_monitor" to show detailed statistics in real time about packet drops on NICs and SSM ports.

For more information, refer to the R80.20SP Scalable Platforms Administration Guide - "Packet Drop Monitoring" section.

Note: This utility replaces the "asg_drop_monitor" utility. Runs from VS0 only.
MBS-8255 Chassis Enhancement: Added support for Management Data Plane Separation. See sk138672.
MBS-8719 Chassis Enhancement: Added SSM extended monitoring with SNMP.
  • OID .1.3.6.1.4.1.2620.1.48.33 - SSM Ports (speed, link, packets)
  • OID .1.3.6.1.4.1.2620.1.48.32 - SSM CPU and RAM usage

To see the current state, run in Gaia gClish:
'show ssm extended-snmp-monitoring state'

To enable, run in Gaia gClish:
'set ssm extended-snmp-monitoring state on'

To disable, run in Gaia gClish:
'set ssm extended-snmp-monitoring state off'
MBS-8663 Maestro Improved FCD stability when a Security Appliance is removed from a Security Group.
MBS-6220 Maestro Orchestrator Security Appliance may crash after it is removed from the Security Group.
MBS-8839 Maestro Orchestrator Enhancement: Added the ability to configure the MTU on the External Sync interface of the Maestro Orchestrator.
MBS-7993 Maestro Orchestrator Enhancement: Added the ability to configure multiple physical ports as the Sync port on Maestro Orchestrator. Configuration is performed from Gaia Clish on the Maestro Orchestrator.
  • To configure multiple ports for the Internal Sync (between Orchestrators on the same site) run: 'set maestro port <port number> type ssm_sync'
  • To configure multiple ports for the External Sync (between Orchestrators on different sites) run: 'set maestro port <port number> type site_sync'
MBS-5861 Maestro Orchestrator Failed to establish SIC with the Security Group object in SmartConsole if First Time Wizard settings were applied to that Security Group from the Orchestrator's Gaia Clish (for example, 'set maestro security-group id 1 ftw-configuration ...').
MBS-8948 Maestro Orchestrator Interface distribution mode is not identical on the Orchestrator and on the Security Appliances.
Take 191 (2 Dec 2019, GA from 05 Jan 2020)
MBS-8292 General Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 118 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-6531 General Layer 4 Distribution with "General Distribution" does not work as expected due to an incorrect calculation for Non-TCP / Non-UDP traffic.
MBS-8596 VPN The Security Group might mistakenly encrypt IKE NAT-T packets.
MBS-8688 VPN Improved stability of VPN encrypted connections.
MBS-5886 VSX The output of the 'hw_utilization -d' command shows "0" in the "Conn. limit" column instead of "unlimited" for VSID 0.
MBS-8483 Maestro "insmod: error inserting '<name of kernel module>.o':-1 Invalid module format" messages during the Maestro Orchestrator boot.
MBS-7556 Maestro Security Group mistakenly reports disconnected interfaces (uplinks) as LINK UP.
MBS-8010 Maestro After the user installs R80.20SP Jumbo Hotfix Accumulator Take 163, the message "Failed to load Security Groups" appears in the Maestro Orchestrator's Gaia Portal. This message continues to appear until a Site ID is configured.
MBS-8448 Maestro "Failed to run ['tor_util', 'clear_port', '2.0', '1']" error in Gaia Portal of the Maestro Orchestrator in Dual Site deployment.
MBS-7563 Maestro Improved communication stability between the Security Appliances and the Maestro Orchestrators.
MBS-8622 Maestro Output of the 'asg diag verify' command shows "SGM license is missing" warning in the "Licensing" category.
Take 178 (1 Nov 2019, GA from 02 Dec 2019)
MBS-7728 General Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 103 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-7589 General Installation of a CPUSE package might fail due to a timeout.
MBS-7538 General Improved stability of IPv6 connections.
MBS-6206 General Added support for Gaia scheduled backup with the 'add backup-scheduled' command.
MBS-7460 General In rare cases, the Threat Emulation blade might not function and the 'g_allc tecli' commands might fail in this scenario:
  1. SMO Image Cloning is enabled.
  2. Threat Emulation blade is enabled.
  3. A new member is added to the Security Group.
MBS-6634 General When running PIM Sparse Mode / PIM SSM, PIM register packets are sent with an incorrect checksum. This causes the RP to drop these PIM packets.
MBS-6719 General Improved stability of the RouteD daemon when IGMP query-interval is set to a value of less than 4 seconds.
MBS-4495 General Added the ability to configure Proxy ARP in Gaia gClish with the 'add arp proxy' command.
MBS-6543 General The 'asg_drop_monitor -r' command does not reset the drop statistics for the BPEthX interfaces that use the i40e driver.
MBS-6418 Chassis - General The clock on the CMM is not synchronized when an administrator changes the clock time in Gaia Clish, Gaia gClish, or Gaia Portal.
MBS-8393 SNMP SNMP query for the OID asgIPv6PeakUnits returns null values.
MBS-7670 VSX Added support for Policy-Based Routing (PBR) in VSX mode (see sk137232).
MBS-6563 VSX The ID in the names of these files now supports 4 digits (as the ID in the $FWDIR/conf/fwha_vsx_conf_id.conf file):
  • $FWDIR/conf/vsx_local_vs_files/local.vs. <ID>
  • $FWDIR/conf/vsx_local_vs_files/local.vskeep. <ID>
MBS-7671 VSX The Gaia gClish command 'set pbr rule priority X action table' does not show the PBR tables configured in the current Virtual System context.
MBS-7346 Maestro Added support for VSX Virtual Switches in a Maestro Security Group.
MBS-7486 Maestro - Orchestrator Added support for configuring a VLAN Trunk interface that includes all VLAN IDs (2-4094) without adding each VLAN interface separately on the Orchestrator. Refer to sk165172.
MBS-8142 Maestro - Orchestrator Improved link stability on ethX-Sync interfaces of Maestro Hyperscale Orchestrator.
MBS-7569 Maestro - Orchestrator Improved connectivity between Security Appliances that belong to the same Security Group.
MBS-7869 Maestro - Orchestrator

In Dual Site, if different QSFP modes are configured for ports with the same port number on different Maestro Orchestrators, this error appears in Maestro Orchestrator's Gaia Portal when the user tries to load a Security Group topology:

Failed to load Security Groups
Failed to fetch Security Groups topology

MBS-7750 Maestro - Orchestrator Internal improvements for operations related to Security Groups (creating and removing Security Groups, adding and removing interfaces).
MBS-7793 Maestro - Orchestrator Error on Maestro Hyperscale Orchestrator: "Failed to apply configuration on remote Orchestrator(s) SG X has no hostname."
MBS-8206 Maestro - VSX "Error: Failed to find any routes on the machine" in SmartConsole when creating a VSX object.
Take 163 (10 Sep 2019)
MBS-6460 Maestro Added support for Dual Site deployment. You can deploy two Maestro Hyperscale Orchestrators on each physical site and connect the sites to each other. The sites synchronize both connections and configuration. Refer to the Known Limitations in the "Dual Site Deployment" section of sk148074 - Check Point Maestro Known Limitations.
MBS-6577 General Enhancement: Output of the 'asg_provision' command now shows SGM IDs in the headline.
MBS-5386 General Output of the 'asg_conns -b <SGM IDs> -6' command shows "IPv6 not enabled" even though it is enabled on the chassis.
MBS-6865 General The 'asg if' command shows "(NA)/(NA)" (instead of "(up)/(up)") in the "Link State" column for the ethX-MgmtY interfaces.
MBS-5710 General The gClish command 'installer verify' shows "Action was aborted" if a CPUSE package was not imported on all members.
MBS-6510 General The 'asg_provision' command fails when there is an inconsistency between members in the installed Hotfixes / Jumbo Hotfix Accumulators.
MBS-6757 Maestro - General The gClish 'installer' commands fail with "expected integer but got <XX>" when explicitly specifying "member_ids" <site_id>-08 or <site_id>-09.
MBS-5913 Maestro - General Output of the 'cores_verifier' command does not show any information in the "Ppak core affinity on all SGMs is" section.
MBS-7246 Maestro - General Minimized the amount of packet drops during the reboot of Maestro Hyperscale Orchestrators.
MBS-5381 Chassis - General, Maestro - General Output of the 'asg perf -p' command always shows the value "0" in the "VPN Performance" section > "VPN connections" counter.
MBS-7247 Chassis - General, Maestro - General Output of the 'config_verify -v' command shows "Performing xfer files verification... Failed!" for the $FWDIR/conf/te_attributes.conf file.
MBS-6131 Chassis - General, Maestro - General Output of the 'asg diag' command shows that the /etc/sysconfig/image.md5 file is not identical on all the SGMs.
MBS-6610 Gaia Output of the 'asg_perf_hogs' command incorrectly shows the status "FAILED" for the "Kernel soft lockups" test if the year has changed recently on the system.
MBS-7136 Maestro Gaia - OS Failure to log in on Security Appliances after removing them from a Security Group.
MBS-6440 Maestro - Cluster When running the 'clusterXL_admin' command, the output might incorrectly show "Operation failed: member is not down, run 'cphaprob list' for further details".
MBS-7332 Maestro - Security Groups Improved stability of Security Appliances when they are added to a Security Group with configured "fw samp" rules.
MBS-7237 Maestro - Hardware Security Appliance may fail to revert to factory default (which must happen by design) when removing it from a Security Group.
MBS-7241 Chassis - Hardware, Maestro - Hardware Output of the 'smo verifiers report name "SSD Health"' command shows "Warning: SSD attributes getting towards low threshold".
MBS-6548 Chassis - Hardware Enhancement: Added support for 10G SFP transceiver for SSM160 (BTI10GSRSFPP).
MBS-6530 Chassis - Hardware On 64000 Scalable Platforms, the output of the 'asg stat -v' command shows "0" PSUs and "0" Fans, if only PSU 5 and PSU 6 are used.
MBS-6544 Chassis - Hardware The "Dot3ahErrorAggregation: The threshold for the frame error was exceeded on port X/Y/Z" message appears repeatedly in SSM logs.
Take 121 (31 July 2019)
MBS-6399 General Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 87 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-6157 General & Maestro The 'asg_local_arp_verifier' command might show "Error: Problem found in configuration" even though the $FWDIR/conf/local.arp files contain the same, correct configuration on all Security Group members.
MBS-6613 General & Maestro The "asg diag verify" test, called "Security Group," fails with the "DB/Kernel/Configuration differ" message even though the Security Group configuration is correct on all members (as reported by the 'security_group_util diag' command).
MBS-6359 General & Maestro "Did not find any new packages" message may appear in the output of the 'installer install' command when the user installs the R80.20SP Jumbo Hotfix Accumulator.
MBS-6706 General & Maestro IPv6 traffic might fail to pass over a Bond interface.
MBS-6834 SecureXL & Maestro Security Group members do not pull the SecureXL configuration from the $PPKDIR/conf/simkern.conf file on the SMO.
MBS-5975 Maestro (Cluster) After the user deletes a Security Appliance from a Security Group, the 'cphaprob stat' command might still show that Security Appliance (member).
MBS-6693 Maestro (Orchestrator) The 'set maestro security-group apply-new-config' command fails with the error "NMSSG0429 can't read "output": no such variable" after the user deletes all Security Groups in Gaia Clish on a Maestro Orchestrator.
MBS-7032 Maestro (Orchestrator) Maestro Orchestrator's Gaia Portal shows the status "No connectivity" for Downlinks if the Maestro Orchestrator cannot detect the Security Appliance at this time.

MBS-6640 Maestro (Orchestrator) Maestro Orchestrator logs are now written into the /var/log/maestro.log file instead of the /var/log/messages file on the Maestro Orchestrator.
MBS-6700 Maestro (Orchestrator) Improved stability of the lldpd daemon on Maestro Orchestrator.
MBS-6758 Maestro (Orchestrator) "Failed to get Orchestrators interfaces" error in Maestro Orchestrator's Gaia Portal in case the Maestro Orchestrator fails to resolve its "Orchestrator ID".
MBS-5807 Maestro (Orchestrator) Maestro Orchestrator's Gaia Portal now shows Downlinks that are in the Up state only.

Examples (images not included): the "Unassigned Gateways" pane, and the tooltip when the mouse cursor hovers over a Security Appliance.

MBS-7039 Maestro (Security Groups) If Security Appliances are removed from a Security Group and then added back to the same/other Security Group, some of these Security Appliances may remain out of the Security Group (appear as "DETACHED").
Take 105 (01 July 2019)
MBS-6494 Maestro / Gaia OS The output of the 'config_verify -v' command shows "Configuration files inconsistent" for the /boot/grub/grub.conf file.
MBS-5702 General Added support for the image auto-clone feature (set smo image auto-clone state on) that lets a remote SGM clone SMO images.
MBS-6201 General Layer 4 distribution can cause rapid NAT port exhaustion.
MBS-6269 General When the user runs the 'tcpdump' command with the '-mcap' flag in global mode (with either the 'tcpdump -mcap' command in gClish, or the 'g_tcpdump -mcap' command in Expert mode), the command deletes all copies of the packet captures on the peer members.
MBS-5488 Gaia OS The Gaia Clish / Gaia gClish command 'snapshot_recover' is not supported.
MBS-6624 Gaia OS CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.
MBS-6306 VSX Log Server Distribution (asg_log_servers) is not supported on 40000 / 60000 chassis.
MBS-6080 VSX Reverting a chassis in VSX mode to a snapshot might cause an additional reboot.
MBS-5636 VSX A reset of the SIC between the Scalable Platform or Maestro Security Appliance in VSX mode and the Management Server might cause the non-SMO members to change their state to DOWN. To recover, reboot the non-SMO members.
MBS-5864 Cluster In Dual Chassis, the user must install policy after changing the mode of a bond interface (for example, from XOR to 802.3AD), so that the bond interface is monitored by the cluster.
MBS-5610 SecureXL An Accelerated SYN Defender configuration made with the 'fwaccel synatk' / 'fwaccel6 synatk' commands might not be applied on non-SMO members.
MBS-5837 Logging The "distribution calculation completed successfully" message in Syslog is shown with an "Alert" priority instead of a "Notice" priority.
MBS-5595 Maestro (General) When the user adds a large number of Security Appliances at once to a Security Group in Orchestrator's Gaia Portal, it might disconnect with the message "Unable to connect to the server. Press OK to reconnect."
MBS-5849 Maestro (General) Improved stability of the ssm_pmd process on Maestro Orchestrator.
MBS-6090 Maestro (General) The cpdiag tool now supports Security Appliances.
MBS-5749 Maestro (Performance) After the user installs a Jumbo Hotfix Accumulator on a 23900 appliance connected to a Maestro Orchestrator, the Hyper-Threading (SMT) feature will be disabled by default.
MBS-6073 Maestro (Performance) Improved traffic distribution on Maestro Security Appliances.
MBS-5674 Maestro (Gaia) On Maestro Security Appliances, Gaia gClish shows "KERLAG0029 Interface ethX-Mgmt4 cant be changed to state off" when the user runs the 'delete bonding group [ID] interface ethX-Mgmt4' command.
MBS-6121 Maestro (Gaia) On Maestro Orchestrator, the settings made with the following commands are not applied:
  • 'set maestro security-group id management-connectivity ...'
  • 'set maestro security-group id ftw-configuration ... '
MBS-5652 Maestro (Gaia) On Maestro Orchestrator, a Gaia OS backup might fail due to low disk space (because large log files are not rotated).
MBS-5457 Maestro (VSX) If after creating a new Virtual System object, policy installation on a Security Group object fails with "Error code: 0-2000240", wait 2-3 minutes and install the policy again.
MBS-5592 Maestro (VSX) When creating a VSX Gateway object in SmartConsole, it recognizes only the interfaces that were assigned to the Security Group before the First Time Wizard.
MBS-6082 Maestro (VSX) When creating a VSX Gateway object in SmartConsole, it does not show the physical interfaces on which the VLAN interfaces were created and assigned to the Security Group. Example: The VLAN interface eth1-05.5 was assigned to the Security Group. The VSX Gateway object in SmartConsole does not show the physical interface eth1-05.
MBS-5104 Maestro (Networking) You can only connect one DAC / Fiber cable between a Quad Port Card on an Appliance and each Maestro Hyperscale Orchestrator. Connecting two cables between a Quad Port Card on an Appliance and each Maestro Hyperscale Orchestrator is not supported.
MBS-5927 Maestro (Cluster) Improved the internal process of creating a Security Group in Maestro Orchestrator's Gaia Portal when the option "Set FTW configuration" is selected.
MBS-5594 Maestro (Cluster) Security Appliances show the link state on ports as Down, while the Maestro Orchestrator shows the link state on these ports as Up.
MBS-5557 Maestro (Multi-Queue)  The output of the 'cpmq get -v' command shows an incorrect Multi-Queue configuration (the 'rx_num' does not show the expected value) in the following scenario:
  1. On Maestro Orchestrator, created a new Security Group, but in the First Time Wizard, did not select the option "Install as VSX".
  2. In SmartConsole, configured the SMO as a VSX Gateway.
  3. Installed the policy.
MBS-5838 Maestro (Hardware) On Maestro Security Appliances, the 'asg stat -v' command now monitors the ethX-08 interfaces.
MBS-5701 Maestro (Hardware) Added the ability to configure the Maestro Orchestrator port's QSFP mode to 1 GbE in the Gaia Clish.
- Maestro (Hardware) 23900 appliances support Maestro beginning in Jumbo Hotfix Accumulator Take 105.
MBS-6099 Maestro (Licensing) A Maestro Security Appliance that was removed from a Security Group and then added back to the same Security Group might not pull the license from the existing members of the Security Group. As a result, this Security Appliance remains in the DOWN state.

Installation Instructions

List of Replaced Files

To receive a list of files replaced by this Jumbo Hotfix Accumulator, contact Check Point Support.

Revision History and Take Alignment


Date Description Aligned with R80.20 JHFA Take (sk137592)
18 Oct 2021 Release of Take 326 Take 202
16 Aug 2021 Release of Take 317 Take 202
31 May 2021 Release of Take 315 Take 190
02 May 2021 Release of Take 314 Take 190
31 Mar 2021 Release of Take 313 Take 190
28 Jan 2021 Release of Take 310 Take 188
03 Jan 2020 Release of Take 309 Take 183
21 Dec 2020 Release of Take 306 Maestro Release
01 Dec 2020 Release of Take 305 Take 183
02 Nov 2020 Release of Take 304 Take 161
05 Oct 2020 Release of Take 302 Take 161
19 Aug 2020 Release of Take 295 Take 161
02 July 2020 Release of Take 283 Take 141
31 May 2020 Release of Take 279 Take 141
04 May 2020 Release of Take 273 Take 141
31 Mar 2020 Release of Take 266 Take 118
10 Mar 2020 Release of Take 258 Take 118
05 Feb 2020 Release of Take 242 Take 118
03 Feb 2020 Release of Take 240 Take 118
05 Jan 2020 Release of Take 210 Take 118
02 Dec 2019 Release of Take 191 Take 118
03 Nov 2019 Release of Take 178 for Maestro Maestro Release
01 Nov 2019 Release of Take 178 Take 103
10 Sep 2019 Release of Take 163 Take 87
31 July 2019 Release of Take 121 Take 87
01 July 2019 Release of Take 105 -
