Introduction
R80.20SP Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues for products running R80.20SP.
This Incremental Hotfix and article are updated periodically with new fixes.
The list of resolved issues below describes each resolved issue and provides the Take number in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). The date on which this take was made available is listed near the Take's number.
Important: Upgrade of the CPUSE Agent is not supported on R80.20SP version for chassis and Maestro products.
Availability
Recommended Take:
Product | Take | Date | CPUSE Offline Package
Orchestrator MHO-140 / MHO-170 | Take_334 | 06 July 2022 | (TGZ)
Orchestrator MHO-175 | Take_9* | 05 Dec 2021 | (TGZ)
Maestro Security Group | Take_334 | 06 July 2022 | (TGZ)
Chassis Security Group
* Take_9 is based on Take_310 of MHO-140/MHO-170, with the same content. Take_6 is a special take for MHO-175 only. It must be installed on MHO-175 GA and cannot be used with MHO-140, MHO-170, or Security Groups. It also includes support for CPUSE upgrade to R81.10.
Latest Take:
Product | Take | Date | CPUSE Offline Package
Orchestrator MHO-140 / MHO-170 | Take_336 | 23 Jan 2023 | (TGZ)
Maestro Security Group | Take_336 | 23 Jan 2023 | (TGZ)
Chassis Security Group
Important Notes
Each of the Jumbo Hotfix Accumulator Takes is based on Check Point R80.20SP.
This Jumbo Hotfix Accumulator must be installed only after the successful completion of the Gaia First Time Configuration Wizard and a reboot.
For Security Group installation: You must run all CPUSE commands in the Global gClish (gclish) shell only.
To check the Take number of the currently installed R80.20SP Jumbo Hotfix Accumulator (if it is installed), run the "asg_provision" command in the Expert mode and refer to the last section of the output.
Resolved Issues per Take
ID
Product(s)
Description
Take 336 (23 January 2023)
MBS-16351, MBS-6399
General
Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 230 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-16137, PRHF-25720
General
The Chassis ID and Blade ID fields ("asgTrapChassisID" and "asgTrapBladeID") in SNMP threshold events are empty. Refer to sk179926.
MBS-16473, PMTR-86488
General
When NAT is configured on the Source IP and the Destination IP, out-of-state drops may occur.
MBS-16432, PMTR-85516
General
Enhancement: Add pre_upgrade_verifier to the sp_upgrade script with this command: sp_upgrade --verify
MBS-16343, PMTR-88702
Maestro Gateway
In a rare scenario, the "sp_upgrade" script might not detect that the Maestro Security Group runs in the VSX mode. As a result, the upgrade of the Security Group to a higher version might fail.
Take 335 (16 November 2022)
MBS-15920, MBS-6399
General
Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 220 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-15064, MBS-14488
General
All Security Group Members but the SMO may go into the "Down" state after an Anti-Malware policy installation fails. Refer to sk177607.
MBS-15927, PMTR-77523
General
The "Obtain IPv4 Address Automatically" option in the IPv4 and IPv6 tabs of the Gaia Portal's interface editor is disabled (as it is on gClish).
MBS-16074, PRJ-29955
General
The "asg perf --delay" command does not change the "refresh time" on the screen.
MBS-14684, MBS-14468
General
The output of the "asg perf -6" command shows "IPV6 is Disabled".
MBS-15939, PRHF-24453
General
When you run the "set kernel-routes on/off" and "set domainname <VALUE>" commands through gClish, the configuration is applied locally.
MBS-15850, PMTR-82241
Maestro Gateway
The Security Group does not synchronize to Security Group Members the configuration of a Bond interface in LACP mode on shared interfaces when you configure this Bond interface in Gaia Portal. Configuration made in Gaia gClish is synchronized as expected.
MBS-15749, PMTR-83873
Maestro Gateway
CPUSE upgrade packages are not available when working in "High Availability over Load Sharing" mode with VPN enabled.
MBS-15957, PRJ-40885
Maestro Orchestrator
The HealthCheck Point (HCP) "Daemons state" test may fail if you do not maximize the SSH client window.
MBS-15449, PMTR-81227
Maestro Orchestrator
The outputs of the "top" and "ps -aux" commands show "lldpd" and "snmp_trap_sender" as zombie processes.
Take 334 (06 July 2022)
MBS-15471, MBS-6399
General
Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 211 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-15615, PRHF-22250
General
OSPF installs a route to the incorrect IP when it is configured as P2P. Refer to sk177686.
MBS-15611
General
The routed process unexpectedly exits when OSPF is configured as P2P.
MBS-15431, PRHF-22789
General
"asg_copy_capture" logs repeatedly appear in the /var/log/messages file. The reason given in the logs is "capture file was not found on remote SGMs".
MBS-15448, MBS-12143
General
Static routes with the "ping" option enabled (to ping the next hop Gateways) do not appear on some Security Group Members.
MBS-15239
Maestro Orchestrator
When you change the number of Orchestrators from 2 to 1 through the CLI, packet loss can occur because of an outdated LSP state.
Take 332 (20 April 2022)
MBS-15650
Maestro (Orchestrator)
Packet loss may occur when:
A Maestro Orchestrator that is installed with R80.20SP Take 331 reboots
The user runs "orchd restart" or "orchd stop" on a Maestro Orchestrator that is installed with R80.20SP Take 331
Take 331 (29 March 2022)
MBS-7740
General
Improved the stability of the Gaia Backup / Restore feature.
MBS-15078, MBS-15075
General
When the user runs the "reconfigure_snmp_alerts" script with the "/usr/scripts/reconfigure_snmp_alerts" command, the script does not correctly parse authentication passwords that include a ">" character.
MBS-14570
General
After a Jumbo Hotfix uninstallation, the CCP propagates “admin_down” to other Security Groups.
MBS-15176, PRHF-21133
General
Security Group may drop traffic during an internal failover between Security Group members when Dynamic Anti-Spoofing is enabled.
MBS-15029
General
When the user connects more than one cluster to the same network segment (see sk25977), port flapping can occur because two different cluster members have the same correction MAC address.
MBS-15238
General
After a Jumbo Hotfix Accumulator installation, the Rule Base Hit Count does not work correctly because the value of the 'HitCountLogPort' variable is overridden by a different value on the SMO.
MBS-15068, MBS-15063
General
Changing the VLAN ID of an existing interface might cause a traffic interruption. See sk176929.
MBS-15115, PMTR-65248
Maestro Gateway
"sgm_pmd" and "lb_configd" errors may appear in /var/log/messages during boot process.
MBS-15145, PMTR-71033
Maestro (Orchestrator)
Enhancement: Improved the stability of the Security Groups' topology apply process.
MBS-13101, PMTR-63357
Maestro (Orchestrator)
Improved the stability of the Link State Propagation (LSP) mechanism.
MBS-15401
Maestro (Orchestrator)
The Message of the Day (MOTD) is not updated correctly on the Maestro Hyperscale Orchestrator (MHO).
MBS-15060, PMTR-73959
Maestro (Orchestrator)
IPv6 packets with a flow label field may be dropped as "First packet isn't SYN".
MBS-15111, MBS-14133
Maestro (Gateway and Orchestrator)
In some scenarios, link flapping on a Maestro Gateway may cause an unexpected site failover, cluster state flapping on the other Gateways, or packet drops.
Take 328 (3 February 2022)
MBS-15207, MBS-6399
General
Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 205 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
Take 327 (9 January 2022)
MBS-6399
General
Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 203 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-14601
General
TCP connection drops 60 min after a failover in the Security Group on Scalable Chassis / Maestro. See sk172887.
PRHF-19991
General
ADLOG stops working during policy installation.
MBS-14937
General
In VSLS mode, you cannot configure the Security Group to forward specific inbound connections to the SMO (see sk175584).
MBS-14105
General
Security Group Members may drop internal connections over the sync interface because the kernel table "cluster_members_ips" is empty.
MBS-15008
General
During the upgrade from R80.20SP to R81.10, a Security Group Member might change its state from ACTIVE to READY.
MBS-15055
General
In a rare scenario, the CPD process may crash during policy installation. The issue occurs from Take 317 of the R80.20SP Jumbo Hotfix Accumulator.
MBS-14635
General
The "ip_block" command now supports the # character in the feed file and ignores the lines that start with this character.
PMTR-68940
General
The configuration of ISP Redundancy Links made with the "fw isp_link <Link Name> down" command is not included in the main configuration that non-SMO Security Group Members pull from the SMO Security Group Member.
MBS-14732
Chassis
The CMM is not updated with the time from a configured NTP server. As a result, SGMs stay in the Down state for a long time.
PMTR-76352
Chassis
The clock verifier test (clock_verifier -v) does not work.
MBS-15012
Chassis (Multiple Security Groups)
Enhancement: Added support for LACP Management Aggregation (MAGG) interfaces with Multiple Security Groups.
MBS-14669
Maestro (Orchestrator)
Enhancement: New Gaia Clish command to disable port auto-negotiation on the Maestro Orchestrator: set maestro port <port> auto-negotiation disabled
MBS-14962
Maestro (Orchestrator)
Enhancement: The Maestro Orchestrator will read the IP address range for CIN interfaces from the smodb.json database.
MBS-14876
Maestro (Orchestrator)
Enhancement: Added the HealthCheck Point (HCP) test to the Maestro Orchestrator. HCP validates the integrity of all of the Maestro Orchestrator's port links.
MBS-15012
Maestro (Orchestrator)
The "set maestro port <port> admin-state <state>" command changes the port state on the remote MHO. With this fix, the command changes the port state only on the local MHO.
MBS-14479
Maestro (Orchestrator)
In some scenarios, the port speed might change after the user reboots the Maestro Orchestrator or restarts the Maestro Orchestrator's daemons with the "orchd restart" command.
Take 326 (18 October 2021)
MBS-12953
General
A new user that is added in the Gaia Portal of the Security Group receives a different password hash for each member of the Security Group.
MBS-14011
General
DHCP Office Mode fails with "failed to correct the packet to member=xx".
PMTR-53642
General
These error messages appear repeatedly in the dmesg and /var/log/messages files:
Added support for 40G SFP transceiver for SSM160 (BTI40GSRDDQSFP).
MBS-14167
Chassis
The BMAC address is not updated after moving an SGM from one slot to a different slot. (The issue applies to Security Gateway only, not to VSX.)
SPC-1602
Chassis
In a rare scenario, the SSM may encounter an issue and stop working.
MBS-13580
Chassis
A traffic outage occurs when removing a slave interface from a bond interface.
MBS-13262
Chassis (Multiple Security Groups)
Enhancement: In a Multiple Security Group (MSG) environment, each bond in the shared bond LACP mechanism now has the VMAC octet, rather than the global VMAC, as its Security Group MAC Magic.
MBS-14024
Chassis (Multiple Security Groups)
In a Multiple Security Group (MSG) environment, SSM updates occur on both chassis. With this fix, the SSM updates will occur on the applicable chassis only.
MBS-14185
Chassis (Multiple Security Groups)
In a Multiple Security Group (MSG) environment, different Security Gateways reject packets after a policy push on newly created VSs.
MBS-14195
Chassis (Multiple Security Groups)
In a Multiple Security Group (MSG) environment, the Toggle_kern_params script runs in an endless loop.
MBS-14518
Maestro (Gateway)
"Updating SSMs amount" message appears repeatedly in the /var/log/ports file.
PMTR-71771
Maestro (Orchestrator)
The Maestro Orchestrator's SDK API might stop responding (for example, when there are many periodic SNMP queries).
PMTR-71536
Maestro (Orchestrator)
In a rare scenario, if the lldp daemon is restarted on the Maestro Orchestrator, it can lead to communication issues between the Gateways and the Orchestrator.
MBS-14503
Maestro (Orchestrator)
When upgrading the Orchestrator with CPUSE from R80.20SP to R81.10, the Deployment Agent is not upgraded.
MBS-10506
Maestro (Orchestrator)
If a Bond interface that is assigned to a Security Group is configured in the 802.3AD (LACP) mode, packet loss might occur on a Security Appliance when the Security Appliance regains connectivity to the Orchestrators.
Take 317 (Released 16 August 2021, GA from 18 October 2021)
MBS-14098
General
Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 202 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-13989
General
Enhancement: The data for "Throughput" and "Packet rate" in the output of the "asg perf" command were aligned with the CPView tool.
MBS-14077
Chassis
Enhancement: Removed double logging of Global Clish (gclish) commands when "audit-log" is enabled.
MBS-14234
General
Using Static NAT for the destination in asymmetric connections may lead to Out of State traffic drops.
MBS-8488
General
In some scenarios, the fw_full core dump file is created randomly on Quantum Scalable Chassis and Quantum Maestro appliances.
MBS-9585
General
Output of the "asg monitor" command shows that the state of a Security Group Member is "DOWN".
Output of the "cphaprob list" command shows that the Critical Device "Policy" reports its state as "problem" on the Security Group Member.
Output of the "asg_policy verify -a" command shows "Failed" in the "Status" column for the Security Group Member.
Output of the "asg_policy verify -a" command shows "Policy date is lower than max policy date" in the "Summary" section for the Security Group Member.
MBS-14160
General
A memory leak may occur when the Security Group fails to correct the packet.
MBS-14085
Chassis
The /var/log/messages file contains these errors:
kernel: pif_create_if: error: failed to register interface eth1-Mgmt<X>! (register_netdev() rc is -17)
kernel: pif_create_if: error: failed to register interface eth1-CIN! (register_netdev() rc is -17).
bfm_create_remote_ifs: error: failed to create pseudo interface!
MBS-14079
Maestro
When running the "snmpwalk" command on the Maestro Orchestrator, these errors about QSFP ports appear in the /var/log/messages file:
mhostatagent_get_port_cnt_data> Failed execute cmd tor_util stats port XX tx errs
mhostatagent_get_port_label_data> port XX seems not available
mhostatagent_get_portLinkState_data> Failed execute cmd tor_util get_port_link_state XX
MBS-14108
SNMP
The MIB file $CPDIR/lib/snmp/chkpnt.mib fails MIB validation tests in the SNMP tree OID .1.3.6.1.4.1.2620.1.48.0 (asg).
MBS-14165
SNMP
SNMP OID .1.3.6.1.4.1.2620.1.48.16 (asgSecureXLStatusBitmask) always returns the status of SecureXL as enabled, even when it is not.
MBS-14076
CoreXL
Improved the stability of the "asg perf" command when all CPU cores are equally assigned to CoreXL Firewall instances and CoreXL SND instances.
MBS-11293
Identity Awareness
Improved stability in these scenarios on the Security Group:
Multiple Identity Collectors in redundancy mode
Multiple Identity Sharing connections
Take 315 (31 May 2021)
MBS-14025
General
Enhancement: Disable the experimental daemon cpview_collectd at any time.
MBS-13922
General
"Quitting due to time-out" message appears during JHF installation process on CPUSE.
MBS-13981
General
If a connection is not symmetrical, the first packet drop is not a SYN/rule base drop.
MBS-13906
Chassis
In some scenarios, a failure report is not collected fully if an SSM fails.
MBS-14041
Chassis (Multiple Security Groups)
In a Multiple Security Group (MSG) environment, VSLS commands do not take effect.
Take 314 (02 May 2021)
MBS-13573
General
Enhancement: New parameters for SNMP traps sent from Security Group Members. The parameters show the chassis ID and the blade ID of the member that sent the SNMP trap.
MBS-12620
General
Rule base Hit Count is not updated by R80.20SP Virtual Systems (VSs). Refer to sk170675.
MBS-7805
General
After adding a slave interface to a Bond interface, the output of the "asg diag" command shows that the "Distribution Mode" test failed because of an issue with the slave interface.
MBS-9650
General
Output of the "asg perf -p" command shows that the "Throughput" is 0 in the "Firewall" column.
Output of the "asg perf -v" command shows the "Throughput" value is lower than expected (the F2F traffic is missing).
SNMP Query for OID .1.3.6.1.4.1.2620.1.48.20.1.0 (asgThroughput) returns a value lower than expected (the F2F traffic is missing).
MBS-12597
General
The "asg perf" command does not appear, or shows "0" values for "Throughput" and "Packet rate". Refer to sk174908.
MBS-13440
General
ICMP error packets may not be forwarded correctly if the generating device is not in the encryption domain.
MBS-13343
General
When the user attempts to download an original attachment file that was extracted by Threat Extraction, the original file is downloaded with a size of 0KB if the file name contains spaces.
MBS-13463
Chassis
Limited the maximum configured MTU value to 9000 on SSM440 to prevent traffic issues.
MBS-13450
Chassis
Some Management and CIN interfaces share MAC addresses (for example, eth1-CIN, eth1-Mgmt1, eth1-Mgmt2). This means that the interfaces share IPv6 link-local addresses, as IPv6 link-local addresses are derived from MAC addresses. In some scenarios, this might cause duplicated link-local addresses on the interfaces.
This fix updates the link-local addresses for the CIN and MGMT interfaces so that interfaces that share a MAC address do not share a link-local address.
MBS-8858
Maestro (Gateway)
Improved the Distribution Mode configuration for Bridge slave interfaces - each slave interface has a different Distribution Mode.
MBS-13593
Maestro (Gateway)
In a Dual Site environment: if one Site-Sync port link state is down and there is no active Gateway on site X, then when the first Gateway on site X boots, it may fail to become active.
Take 313 (31 March 2021, GA from 6 July 2021)
MBS-13347
General
Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 190 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-10509
General
Enhancement:
Added the "--max-file-size" flag to only collect files with a size smaller than N-Megabytes (by default, files smaller than 100MB will be collected).
After collecting all the files, CPSDC now prints the collected data size and its compressed size.
Added the file cpsdc_skipped_items.txt to the output archive that contains the skipped items and the reason for their being skipped.
MBS-13496
General
After an upgrade to R80.20SP Take 310, Check Point Support Data Collector (CPSDC) does not create a symbolic link to the executable.
MBS-13282
General
The /var/log/send_alert* files repeatedly show this message for different interfaces: "Site <X> eth<X>-<XX> link is up".
MBS-13474
General
In rare scenarios, the command hw_utilization -d fails when more than 9 Virtual Systems are configured.
MBS-13362
General
While in the MDPS data plane (set mdps environment dplane), login from Gaia Clish to the Expert mode fails with "Wrong password" if the user is authenticated by a RADIUS server.
MBS-13202
General
OIDs 1.3.6.1.4.1.2620.1.48.20.5 and 1.3.6.1.4.1.2620.1.48.21.5 are not supported. They have been removed from the chkpnt.mib file.
MBS-13032
General
Resolved high memory consumption by the cpview_collectd process.
MBS-13344
General
The local logging test will no longer run on the "asg_perf_hogs" utility, as it has its own HCP (HealthCheck Point test).
MBS-13477
General
When a cluster admin is down or a member is rebooted, some packet loss may occur.
MBS-14222
General
Enhancement: Added support for PIM. Known Limitations:
PIM all modes - Supported only with IGMP snooping disabled.
PIM Dense mode - Supported.
PIM Sparse mode - Supported only when the Security Group is configured as a downstream Rendezvous Point (RP).
PIM SSM mode - Not supported.
MBS-13362
Maestro (Orchestrator)
Enhancement:
Support for Link State Propagation (LSP) groups of Orchestrator ports. LSP binds Orchestrator ports together to work as a single logical port.
If one of the bound Orchestrator ports in the LSP group goes down, then the Orchestrator changes the state of all ports in the LSP group to "down".
If all the bound Orchestrator ports in the LSP group go up, then the Orchestrator changes the state of all ports in the LSP group to "up".
Added support for the SNMP sysOID .1.3.6.1.2.1.1.2.0 for Maestro Orchestrators.
MBS-13327
Maestro (Orchestrator)
Added the ability to upgrade R80.20SP to R81.10 with the CPUSE upgrade package.
Take 310 (28 January 2021, GA from 31 March 2021)
MBS-12976
General
Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 188 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-12809
General
Enhancement: Updated the Check Point Support Data Collector (CPSDC, see sk164414). Changed the name of the cpdata_collector_sp command to cpdata_collector.
MBS-11351
General
VPN Site-to-Site tunnel fails to establish when several interfaces with the Topology "External" are configured in the Security Gateway object.
MBS-12714, MBS-12883
General
Remote Access client using the Visitor Mode, or connecting to a Mobile Access Portal, may disconnect several seconds after it connected.
MBS-12356
General
If the "Chassis HA mode" is configured as "VSLS", the SNMP query for the OID "asgChassisParamsMaxGrade" (.1.3.6.1.4.1.2620.1.48.28.4.1.5) returns a wrong value.
MBS-12834
General
The asg diag command shows that the "Licenses" test fails with the reason "Licenses differ across blades". The "asg_licenses_verifier -v" tool shows the error "Differerent licenses are installed across blades".
MBS-13054
Chassis Multiple Security Groups (MSG)
A bond in the 802.3AD (LACP) mode that is shared between several Security Groups stops working because of duplicate LACP replies it sends to a connected switch. The connected switch shuts down the LACP because of duplicate replies (in Security Groups, a non-LACP task member sends replies in addition to the LACP task member).
MBS-12719
Chassis Multiple Security Groups (MSG)
On chassis with Multiple Security Groups configured, added support for sending global commands to Security Members in all Security Groups. Syntax in Expert mode: sgrm global_conf -a run_global_cmd -v <Expert Mode Command>
Take 309 (3 January 2021, GA from 28 January 2021)
MBS-12752, MBS-12941
General
Enhancement: Updated the Check Point Support Data Collector (CPSDC, see sk164414). The new flag "last-modification-day" collects files that were modified in the last N days. By default, the CPSDC collects files that were modified in the last 7 days.
MBS-12843
General
Enhancement: Updated the Check Point Support Data Collector (CPSDC, see sk164414) to collect additional files:
/var/log/asg_diag_last_run.txt
/var/log/ssm_failure_reports/*
MBS-12637
General
Enhancement: Updated the Check Point Support Data Collector (CPSDC, see sk164414) to collect additional files:
/etc/sgdb.json
/etc/distutil.conf
/var/log/sgrmd.elg
/var/log/resource_manager.elg
/proc/net/bonding
MBS-12835
Chassis
The SSM Allow Management Loss feature (sk145792) sends alerts even if a failure event's duration is short. Now the feature sends alerts only if a failure event's duration is long (30 seconds by default).
MBS-12230
General
Enhancement: Ability to configure SNMP Traps in Gaia gClish. For more information and configuration instructions, see sk171394.
MBS-12810, MBS-12952
Maestro
Enhancement: Ability to send SNMP v2 / v3 traps for changes in port statuses on Maestro Orchestrator.
New commands in Gaia Clish on Maestro Orchestrator:
To enable / disable the feature: set maestro snmp traps port-state {on | off}
To add an SNMP Trap Sink: add snmp traps receiver <IPv4 address> version {v2 | v3} community <String>
MBS-12738
Maestro
Added support for Orchestrator Hardware Health Monitoring (resolves Known Limitation MBS-5205).
To monitor, use any of these:
Gaia Portal (Maintenance > Hardware Health Monitoring)
The show sysenv all command in Gaia Clish
The cpstat command in Gaia Clish or Expert mode
cpstat os -f sensors
cpstat os -f power_supply
SNMP "Get" requests for the supported sensors
V2 and V3
SNMP Traps for the supported sensors
V2 and V3
Supported hardware sensors:
Fan speeds:
8 Fans on MHO-140
4 Fans on MHO-170
Voltages:
3 sensors for the first UCD regulator
2 sensors for the second UCD regulator
Temperatures:
ASIC
CPU cores (3 on MHO-140 and 4 on MHO-170)
Power regulators (4 sensors - 2 per each UCD regulator)
System/ambient (2 sensors)
Power Supply status (2 PSUs)
SNMP Notes:
SNMP GET and TRAP reuse the same OIDs that are used for a regular Security Gateway.
Example: for SNMP GET these are under iso.org.dod.internet.private.enterprise.checkpoint.products.svn.svnPerf
SNMP trap behavior is like SGW behavior. Traps are sent periodically for each failed sensor until it recovers.
Take 306 (21 December 2020)
MBS-12788
Maestro
In some scenarios, after rebooting several Security Group Members at the same time, the Security Group Members can boot up with a cluster state of LOST, READY, or DOWN, or may fail to communicate with one of the Orchestrators.
To resolve in R80.20SP Jumbo Hotfix Accumulator Takes 304/305: Restart the ssm_pmd daemon on each one of the Maestro Orchestrators with these commands in the Expert mode:
[Expert@ORCH:0]# tellpm process:ssm_pmd ; tellpm process:ssm_pmd t
Important Note: This fix is part of the Orchestrator JHF. You do not need to install Take 306 on the Security Gateway to resolve this issue. You need to install it only on the Orchestrator.
Take 305 (1 December 2020)
MBS-12430
General
Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 183 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-12561
General
Enhancement: Updated the Check Point Support Data Collector (CPSDC, see sk164414) to run 5 threads by default (instead of 20 threads). To change the number of the running threads, change the value of the "check max_threads_amount" parameter in the configuration file "/etc/cpsdc/conf/cpsdc_conf.json".
MBS-11960, MBS-4866, MBS-12653
General
Enhancement: Added support for ISP Redundancy.
Note: If you enabled the ISP Redundancy in the Security Gateway object and you downgrade from the Jumbo Hotfix Accumulator to a Take lower than Take 305, the system may be stuck in the DOWN state:
The output of the asg monitor command shows the state DOWN.
The output of the cphaprob stat command shows that the Critical Device "Configuration" reports its state as "Problem".
To avoid this issue: Before you downgrade from the Jumbo Hotfix Accumulator, you must disable the ISP Redundancy in the Security Gateway object in SmartConsole.
The output of the "ps -aef | grep [d]efunc" command shows multiple zombie processes "[sh] <defunct>". The issue occurs after a reboot or policy installation.
MBS-11506
General
The Check Point Support Data Collector "cpdata_collector_sp" (CPSDC, see sk164414) fails with the "Failed to open /etc/cpsdc/conf/cpsdc_logger.json" error. See sk168713.
MBS-12375
General
Commands in Gaia gClish fail with:
CLINFR0739 error in command execution; see "/var/log/messages"
The /var/log/messages file shows:
clish[<PID>]: timeout on read from all remote nodes; connections lost
Refer to sk170301.
MBS-12532
Maestro
The "add maestro security-group id <ID> interface(press the TAB key)" command on an Orchestrator shows VLAN interfaces in the list of available interfaces.
Take 304 (2 November 2020, GA from 1 December 2020)
MBS-11953
General
Added support for the Threat Extraction Software Blade in VSX mode.
MBS-12216
General
Updated the Check Point Support Data Collector (CPSDC, see sk164414) not to collect unnecessary log files.
MBS-12217
General
Updated the Check Point Support Data Collector (CPSDC, see sk164414):
By default, the CPSDC scripts collect the data from Security Group Members that are in the UP state and those that are in the DOWN state.
Added a new flag "exclude-down" to collect the data only from Security Group Members that are in the UP state.
Removed the "include-down" flag.
MBS-11956
General
These Gaia gClish commands do not take effect on all Security Group Members:
set user <username> password-hash
set user <username> force-password-change
MBS-12280
General
If the IPSec Software Blade is disabled, this message appears repeatedly in the /var/log/messages file: fwhandle_get(fwvpn.c:4288): Table kbufs - Invalid handle XXX (bad pool).
MBS-12362
Chassis & Maestro
The CPD daemon consumes CPU at 100%. To resolve this issue, the SNMP OID 'asgVSXDropTable' (1.3.6.1.4.1.2620.1.48.30.110) was removed from the $CPDIR/lib/snmp/chkpnt.mib file. As a result, it is no longer possible to get information over SNMP about dropped packets by Virtual Systems. This issue applies to:
VSX mode
R80.20SP Jumbo Hotfix Accumulator Take 302
MBS-6084
Chassis & Maestro
To support asymmetric connections, it is necessary to enable the cluster synchronization in the corresponding service's properties (Advanced pane > in the Cluster and synchronization section, select Synchronize connections if Synchronization is enabled on the cluster > install policy).
MBS-6525, MBS-12150
Chassis
In a rare scenario, under a heavy load on the CPU cores that run SecureXL on SGM400, a traffic outage can occur when the i40e driver becomes unresponsive and resets itself (see sk170002).
MBS-10924
Maestro
Major enhancement for configuration of VLAN interfaces on Maestro Orchestrators. See sk170294.
MBS-11899
Maestro
Reduced the memory consumption on Maestro Orchestrators.
MBS-12314
Maestro
It is now possible to add these Check Point Appliance models to the same Security Group:
26000 Turbo and 28000 Plus
6900 Turbo and 7000 Plus
Important Note: All the Security Appliances assigned to the same Security Group must have identical Memory size and Hard Disk size.
Take 302 (05 October 2020)
MBS-11443
General
The "config_verify -v" command shows "Performing xfer files verification... Failed!" because the /etc/smo_uptime files are not identical on all Security Group members.
MBS-11780
General
The Gaia gClish command "add backup-scheduled name <Name> local" fails with "Segmentation fault (core dumped)". See sk168913.
MBS-11892
General
Non-SMO members of a Security Group can enter a reboot loop after the user installs Take 295 of the R80.20SP Jumbo Hotfix Accumulator. See sk169515.
MBS-10748
General
Added support for the new SNMP OID 1.3.6.1.4.1.2620.1.48.20.27.4: Total number (from all cluster members) of packets dropped by a security policy on the Security Gateway or specified VSX Virtual System.
Note: You must use SNMP v3 in the VS mode as described in sk90860.
MBS-10123
General
Added support for the new SNMP OIDs to get performance statistics from VSX Virtual Systems.
Configuration in Expert mode:
1. Run: g_all "vsx resctrl monitor enable"
2. Run: g_all "vsx mstat enable"
3. Run: g_all "reboot"
Configuration in Gaia gClish:
4. Configure SNMP v3 in the VS mode as described in sk90860.
SNMP OIDs - statistics from the specified Virtual System, statistics from each cluster member:
Number of concurrent connections - 1.3.6.1.4.1.2620.1.48.30.30.10.1.*
SNMP OIDs - statistics from the specified Virtual System, total statistics from all cluster members:
Total number of concurrent connections - 1.3.6.1.4.1.2620.1.48.30.30.20
Total packet rate - 1.3.6.1.4.1.2620.1.48.30.80.20
Total throughput - 1.3.6.1.4.1.2620.1.48.30.90.20
Total number of dropped packets - 1.3.6.1.4.1.2620.1.48.30.110.20
Total connection rate - 1.3.6.1.4.1.2620.1.48.30.120.20
MBS-11765
General
Gaia users other than 'admin' cannot use SCP to connect to a Security Group Member, even if the default shell '/bin/bash' and the 'admin' role are configured.
MBS-11674
General
Fetching packet capture from a violation log in SmartConsole fails with the error "Failed at getting the incident file from the gateway".
MBS-11806
General
On VSX Cluster Members, the last octet of the MAC address on WRP interfaces is wrongly set based on the Global VMAC instead of the MAC Magic value.
MBS-12049
General
Security Group member reboots in a loop after installing R80.20SP JHF Take 295, if IPv6 was enabled.
This issue applies to Take 295 released before 30 September 2020.
Take 295 released on 30 September 2020 resolves this issue.
MBS-11764
General
The output of the "show smo verifiers" command shows that the "ARP Consistency" test fails. This issue was caused by an unused padding in the kernel table 'arp_table'.
MBS-11821
General
The output of "asg diag" shows that a test failed because the $CPDIR/conf/skip_interfaces.conf file is not identical on Security Group Members. See sk169873.
MBS-11367
General
In rare cases, a Security Group member can crash (with the message "Entering kdb") during the installation of the R80.20SP Jumbo Hotfix Accumulator.
MBS-12001
General
On VSX Cluster Members, the VMAC address is set on WRP interfaces in the Decimal format instead of the Hexadecimal format.
MBS-9767
General
VPN IKE packets are forwarded to a Security Group member even after its state changes to "Down".
MBS-10768
General
The output of the "asg diag verify" command shows that the Proxy ARP test fails because the local.arp files are not consistent on Security Group Members.
MBS-4414
General
While a Security Group member reboots, some existing connections can fail on the Security Group. See sk169765.
MBS-2581
General
Logs generated by Software Blades on Scalable Platforms do not show the Group ID and SGM ID.
MBS-11831
General
After installing Take 295 of the R80.20SP Jumbo Hotfix Accumulator, Gaia Clish commands for Dynamic Routing fail with these errors (see sk169232):
RTGRTG0019 source_tclfile(rtgmisc.tcl)
RTGRTG0019 tclproc: invalid command name <command>
MBS-11227
Chassis
Scalable Platform automatically collects statistics and data in the /var/log/ssm_failure_reports/ directory in these cases:
An SSM enters the management loss state (see sk145792).
An SSM goes down.
MBS-11777
Chassis
If the kernel parameters 'fw_reject_non_syn' and 'fw_reject_out_of_state_syn_resp' are enabled, and an administrator makes changes in SSM configuration (for example, adding a new interface to a Security Group), then Security Group Members can flood the chassis with reject packets.
MBS-10744
Maestro
The "show maestro port X/Y/Z optic-info" command incorrectly returns "Not supported" for Check Point supported transceivers.
MBS-11844
Maestro
In a Dual Site deployment, when one of the Maestro Orchestrators boots up on one of the sites, both sites might become active for a short time.
MBS-11611
Maestro
The REST API server may remain down on the Maestro Orchestrator if it was forcefully unplugged from the electricity.
MBS-11847
Maestro
It is now possible to add 16000 Turbo and 16200 Plus Security Appliance models to the same Security Group. Note: All Security Appliances within the same Security Group must have an identical Memory size and HD size.
PRJ-10396, MBS-12023
Maestro
In some scenarios, transmit queues may stop, causing packet loss.
Applies to these Line Cards on Security Appliances:
40 GbE Fiber card (CPAC-2-40F-B)
100 GbE Fiber card (CPAC-2-100/25F-B)
MBS-11728
Maestro (Orchestrator)
If the user upgrades the Maestro Hyperscale Orchestrator (MHO) from R80.20SP Jumbo Hotfix Take 295 or older to a new Take, the upgrade may have an effect on traffic because "orchd stop" was not done at the start of the Jumbo Hotfix installation process. Refer to sk173686.
Take 295 (19 August 2020, GA from 30 September 2020)
MBS-11071
General
Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 161 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-11633
General
UserCheck Portal does not work on a VSX Gateway after the user installs the R80.20SP Jumbo Hotfix Accumulator. This applies to Take 279 to Take 283 (see sk168754).
MBS-10095
General
VPN outage when a Check Point Security Gateway renegotiates IPsec with a 3rd party VPN peer.
MBS-10263
General
Clear packets that should be encrypted are not forwarded between Security Group members from interfaces whose MAC addresses start with the hexadecimal digits 02 (example: 02:AB:CD:EF:12:34).
MBS-11388
General
The 'asg diag' command does not add failed tests to the Message Of The Day (MOTD) if the names of these failed tests contain a hyphen (for example, "Multi-Queue").
MBS-11177
General
Terminal Escape Sequences appear around the "OK" and "FAILED" statuses of Software Blade verifications in the summary file, which the 'asg diag' command creates. Note: These Terminal Escape Sequences add color to the status text.
MBS-11085
General
The "Hits" counter value in the SmartConsole rulebase does not update when traffic reaches a non-SMO Security Group member (for Security Gateway only).
MBS-11359
General
After every change to VSX objects in SmartConsole and pushing of VSX configuration, the output of the 'ps -auxw' command on the VSX Gateway / VSX Cluster Members shows the "[gzip] <defunct>" processes.
MBS-11427
General
Improved stability of the FWD daemon when adding or deleting "fw samp" rules.
MBS-11295
General
IPv6 traffic outage during cluster fail-overs.
MBS-11375
General
Memory leak in the stateless correction flows (example: local connections that pass through the Mgmt interface of a Security Group, like a connection from a non-SMO member of a Security Group to the Management Server).
MBS-10092
General
Added new SNMP OIDs for Maestro Hyperscale Orchestrators in the chkpnt.mib file (the new branch "mho" with the OID .1.3.6.1.4.1.2620.1.55):
.1.3.6.1.4.1.2620.1.55.1 - Statistics for ports
.1.3.6.1.4.1.2620.1.55.1.1 - RX statistics for ports
.1.3.6.1.4.1.2620.1.55.1.2 - TX statistics for ports
.1.3.6.1.4.1.2620.1.55.1.3 - RX buffer statistics for ports
.1.3.6.1.4.1.2620.1.55.1.4 - State of ports (logical port ID, physical port / port label ID, link state, admin state, speed)
.1.3.6.1.4.1.2620.1.55.1.5 - Summary information for ports (logical port ID, physical port / port label ID, link state, admin state, speed, RX statistics, TX statistics)
.1.3.6.1.4.1.2620.1.55.2 - Number of ACL rule memory entries
.1.3.6.1.4.1.2620.1.55.2.1 - Number of used ACL rule memory entries
.1.3.6.1.4.1.2620.1.55.2.2 - Total number of ACL rule memory entries
.1.3.6.1.4.1.2620.1.55.2.3 - Number of free/unused ACL rule memory entries
MBS-11397
Chassis
Added support for 40G SFP transceiver for SSM440 (BTI40GSRQSFPP).
MBS-11063
Chassis & Maestro
Security Group Members are now able to synchronize their Fast Acceleration rules (sk156672) with those on the SMO Security Group Member and load them without reboot.
MBS-11175
Maestro
The 'asg_bond -v' command does not validate LACP system ID received from switches.
MBS-11283
Maestro
Improved the stability of Gaia Clish operations on Security Groups topology on Maestro Orchestrators.
Take 283 (02 July 2020)
MBS-10870
General
The '$SMODIR/bin/coredumps_bt' command shows the message "In order to use gdb, please run: /opt/CPsmo-R80.20/bin/debug_tools/install_debug_tools".
MBS-10921
General
The autocomplete for the Gaia Clish command 'show bonding group <Group_ID>' shows "Sorry, no help available here" for the "interfaces" option.
MBS-6708
General
When interrupting the 'asg_perf_hogs' command with the CTRL+C keys, the message on the screen shows "Operation was canceled/terminated by user" instead of "No issues were found".
MBS-10962
General
Query for the SNMP OID "asgNetIfTx" (.1.3.6.1.4.1.2620.1.48.26.1.1.12) returns inconsistent values.
MBS-10407
General
New feature: The Custom Intelligence Feeds feature provides an ability to add custom cyber intelligence feeds into the Threat Prevention engine. It allows fetching feeds from a third-party server directly to the Security Gateway to be enforced by the Anti-Virus and Anti-Bot Software Blades. For more information, see sk132193. Known Limitation: When editing local source feeds, make sure to copy the edited files to all Security Group Members (with the 'asg_cp2blades <path_to_file>' command).
MBS-8473
Chassis
Removed the 'ccutil reset_parity_counter' command from the code.
MBS-7630
Chassis
The output of the 'asg stat vs' command in the section "Virtual System Status" shows "active chassis" in lowercase when a Virtual System is in a freeze. Now the output shows "Active chassis" with a capital letter.
MBS-11048
Chassis
"KERLAG0429 cant read "set_list": no such variable" error in Gaia gClish when running the 'delete bonding group <Bond ID>' command and working with Multiple Security Groups.
MBS-11068
Chassis
The output of the 'ps aux | grep defunct' command shows "vrf" processes after an SNMP query for one of these:
OID .1.3.6.1.4.1.2620.1.48.32 - SSM CPU and RAM usage
OID .1.3.6.1.4.1.2620.1.48.33 - SSM Ports (speed, link, packets)
The issue occurs from Take 210 of the R80.20SP Jumbo Hotfix Accumulator, in which these OIDs were added (see MBS-8719).
MBS-9798
Chassis & Maestro
Fragmented packets are dropped with the "fwfrag_expires Reason: timeout has expired for fragment;" message in kernel debug. Note: This issue was fixed in Gateway mode. A fix for VSX mode is planned.
MBS-11045
Maestro
Improved stability of the ssm_pmd daemon when changing the QSFP mode.
MBS-10929
Maestro
"NMSSG0429 error copying "/tmp/sgdb.json": no such file or directory" in Gaia Clish on Maestro Orchestrator when modifying a Security Group topology.
MBS-10961
Maestro
Maestro Orchestrator does not require a license. Therefore, this message was removed from the Gaia Portal on Maestro Orchestrator (from the Upgrades (CPUSE) > Status and Actions page): "The trial license is currently active and will expire on <Date> <Time>".
MBS-10125
Maestro
Improved the stability of the sgm_pmd and lb_configd daemons.
Improved Security Appliance cluster stability.
MBS-10229
Gaia
Added the new column "asgResourceTitle" to the SNMP Table "asgResourceTable". The new column contains the Security Group Member ID and the resource name.
Format of the output: "Site <Site-ID> Member <Member-ID> <Resource-Name>"
Example output: "Site 2 Member 1 Memory Utilization"
The SNMP OID of the new column is: asgResourceTable.1.8 (.1.3.6.1.4.1.2620.1.48.23.1.8).
Note: The SNMP MIB file is $CPDIR/lib/snmp/chkpnt.mib
Take 279 (31 May 2020, GA from 30 June 2020)
MBS-10240
General
Added support for the Threat Extraction blade. Note: Does not apply to the VSX mode.
MBS-6180
General
Removed the "-amw" flag from the syntax of the 'asg stat' command. Run the 'asg stat -v' command to get the required information.
MBS-8379
General
Added support for secondary IPv4 addresses (aliases) on the data ports of a Security Group (Maestro and Scalable Platforms). See sk167073. Note: This does not apply to VSX mode.
MBS-10833
General
The 'asg_provision' command fails the "CVPN" test due to a different version of the CPinfo tool between the Security Group members and the SMO.
MBS-10732
Chassis
The Chassis Monitor daemon (cmd) sometimes fails to retrieve the CPU temperatures due to an SNMP timeout.
MBS-10619
Chassis
The 'asg diag' test "Software Versions" sometimes fails on CMM version mismatch due to a failure to retrieve the version from the CMM.
MBS-10733
Chassis
When restarting the active CMM (for example, with the 'ccutil restart_cmm active' command), a chassis may fail over, even if there is a Standby CMM.
MBS-5608
Chassis
When the 'asg_hard_start' command is executed without the "-b <SGM_IDs>" flag, it applies to all SGMs. Now the command's built-in help contains the description of the "-b <SGM_IDs>" flag, which allows you to run this command for the specified SGMs.
MBS-10812
Maestro
The 'drop_monitor' command fails with "Got JSON status failed from blade . Error: Error - Was not able to get driver type._".
MBS-10757
Maestro
After installation of the R80.20SP Jumbo Hotfix Accumulator Take 274, Maestro Security Appliances may fail to boot.
MBS-10600
Maestro
The Check Point Support Data Collector (CPSDC) Tool (sk164414) now collects additional files and command outputs.
MBS-10506
Maestro
If a Bond interface that is assigned to a Security Group is configured in the 802.3AD (LACP) mode, packet loss might occur on a Security Appliance when the Security Appliance becomes active after a reboot.
MBS-10763
Gaia
When a Linux password is changed for a user on a Security Group member, it is not updated on other Security Group members.
Take 273 (04 May 2020)
MBS-9910
General
Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 141 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-10630
General
Improved stability of the lb_configd daemon.
MBS-10289
General
Remote Access Clients fail to connect to the VPN Gateway with the error "Negotiation with site failed", if the username is 6 or fewer characters long.
MBS-10384
General
Kernel memory utilization increases on non-SMO members after policy installation.
MBS-10388
General
Improved the formatting in the output of the 'asw_swb_update_verifier' command for rows with "need_to_update" in the "status" column.
MBS-10151
General
The size of the dentry cache (see the output of the 'slabtop -o' command) can increase on non-SMO members during policy installation.
MBS-10418
General
Enhancement: Moved the "/cpsdc_tmp/" directory from "/tmp/cpsdc_tmp/" to "/var/log/cpsdc_tmp/" (this directory contains temporary files for the Check Point Support Data Collector).
MBS-10410
General
Policy installation on a Security Gateway object fails after deleting the last configured URL with the 'url_block -d -n <URL>' command.
MBS-9949
General
Corrected a spelling mistake ("Incosistent") in the output of the 'asg diag' commands in the "Reason" column.
MBS-10254
Chassis
The SSM Allow Management Loss feature (sk145792) may not enter the "Management Loss Mode" when the total amount of backplane interface packets exceeds 2 billion.
MBS-10302
Chassis
The 'asg_reboot' command was changed to perform a software reboot only.
The 'asg_hard_reboot' command was added to perform a hardware reboot.
MBS-10093
Chassis
The 'ccutil get_matrix_max_size' command returns the command usage instead of an expected value.
MBS-9523
Maestro
Creating a Gaia snapshot on one Security Appliance and reverting that Gaia snapshot on a different Security Appliance in the same Security Group is now supported (for example, with the command 'snapshot_recover').
MBS-10230
Maestro
Connections to the Security Group over the Security Group's Mgmt interface may be interrupted.
MBS-9550
Maestro
Deleting the entire Security Group might cause the Security Group members to stay in the DETACH state.
MBS-7433
VSX
In VSX mode, UIPC does not work if a Virtual System (other than VS0) is configured with an IP address on the same subnet as the VS0 management network.
Take 266 (31 March 2020)
MBS-8558
General
Improved stability of the fwk daemon for VSX mode.
MBS-9810
General
Improved stability of the "asg perf" utility.
MBS-9300
General
The output of the 'asg policy verify' command might show "Failed" for some Security Group members if a Mobile Access Policy is installed on this Security Group.
MBS-8799
General
Remote Access VPN clients fail to get an Office Mode IP address when Office Mode Anti-Spoofing is enabled on the Security Gateway.
MBS-9750
General
Security Group member on a Standby Chassis / Standby Maestro Site initiates an IKEv2 negotiation.
MBS-9877
General
Security Group members are not shown in Gaia Portal in this scenario:
Connected to the Gaia Portal of the Security Group
From the left tree, clicked Maintenance > Shut Down
Clicked the option Selected members
The Select cluster members pop up opens, but it is empty
MBS-9793
General
When the 'asg_dr_verifier' command is run in the context of a Virtual System other than VS0, the output in the "BGP peers" section incorrectly shows: "Status: Inconsistency found on some of the SGMs"
MBS-4895
General
The 'fw sam_policy' ('fw samp') commands are not supported for Scalable Platforms and Maestro Security Appliances in VSX mode.
MBS-9831
General
When the configured routes have comments (comments in the configured BGP peers, comments in the configured BGP AS, comments in the configured static routes, and so on), the 'asg_route' command reports a false positive for inconsistent routes, because the comment information is not synchronized.
MBS-9067
Chassis
The "SSM Allow Management Loss" feature (sk145792) is now enabled by default.
MBS-9666
Chassis
The output of the 'asg perf' command does not update the memory utilization counter during a reboot.
MBS-9731
Chassis
Enhancement: Added support for the following transceivers:
40G QSFP transceiver for SSM160 / SSM440 (APQPSR43CDM01NI)
40G QSFP transceiver for SSM160 / SSM440 (BTI40GLRQSFPP)
10G SFP transceiver for SSM160 / SSM440 (BTI10GLRSFPP)
MBS-3460
Chassis
Added support for configuring the SSM backplane speed in Gaia gClish.
On SGM400:
set ssm backplane-speed Auto apply-on <chassis1 | chassis2>
Note: This configuration lets SGM400 work with the 40G link without the need to configure it manually on the SSM.
On SGMs other than SGM400:
set ssm backplane-speed 10GB
To get the current SSM backplane speed, run one of these commands:
The following message might appear when applying the change after removing Security Appliances from a Security Group: Failed to apply Security Groups topology Failed to execute 'tor_util remove_sgm <Security_Group_ID> <Member_ID>' on MHOs: <Orchestrator_ID>
MBS-9830
Maestro
Installing a Hotfix / Jumbo Hotfix Accumulator on all Security Group members at the same time (and not gradually) overrides the configuration of traffic distribution to default: general and L4 Distribution is enabled.
MBS-9384
Maestro
Improved the link stability on the ethX-Sync interfaces of the Maestro Hyperscale Orchestrator.
MBS-9762
Maestro
In a Maestro Dual Site environment, uninstalling a Hotfix might fail.
MBS-9704
Maestro
OSPF packets cannot pass through a Maestro bridging group. Kernel debug shows that packets are dropped: "fwha_ccl_inbound_late: dir 1, X.X.X.X:0 -> 224.0.0.5:0 IPP 89: failed to send to member 0, dropping"
MBS-9603
Chassis Multiple Security Groups (MSG)
Security Group Resource Manager processes CCP packets from Virtual Systems with IDs other than 0 (zero). This might cause the cluster state of Security Group members to change repeatedly between ACTIVE and DOWN.
Security Group Resource Manager will now process CCP packets only from the Virtual System with ID 0 (zero). This avoids cluster state flapping when other Virtual Systems publish their cluster state as DOWN, when they do not have policy installed yet.
MBS-9877
Chassis Multiple Security Groups (MSG)
When Multiple Security Groups are enabled, each Security Group incorrectly considers the member with the lowest ID as the Security Group Resource Manager. As a result, members in other Security Groups do not get updates from the correct Security Group Resource Manager.
Take 258 (10 March 2020, GA from 31 March 2020)
MBS-9528
General
Although only OSPFv2 with Graceful Restart Helper is configured (without OSPFv3), the Critical Device "OSPF3 Graceful Restart" shows this message during the cluster failover: "OSPF3 Graceful Restart PROBLEM Master -> Standby. Waiting for GR".
MBS-9143
General
Improved the policy load functionality in the 'fw samp' command (for Security Gateway only).
MBS-9136
General
Security Group might assign the same Office Mode IP address to different Remote Access VPN clients.
MBS-8734
General
Traffic might fail to pass over a VPN tunnel with a DAIP peer.
MBS-9354
General
VPN tunnel over NAT-T with a DAIP peer might not work when Layer 4 Distribution is enabled.
MBS-7208
General
After a snapshot was reverted on a member, the output of the 'asg diag' command might show "Policy signature doesn't match on all SGMs".
MBS-8672
General
Enhancement: Avoid connection forwarding (when possible) between Security Group members in VSX mode.
MBS-8249
General
Changed the configuration options in the 'asg_alert' command to allow sending of SNMP traps for each individual test result from the 'asg_diag' command.
It is now possible to select the tests for which to send individual SNMP traps, and to send these SNMP traps for failed tests, successful tests, or both.
MBS-8923
General
The output of the 'asg diag print' command shows an alert (which is a False Positive) for the Dynamic Routing Diagnostic test about differing interfaces and neighbors on the Security Group members.
Root cause: The configuration lock is owned elsewhere on one of the Security Group members, even when the interfaces and neighbors are the same.
MBS-8762
General
The Geo Policy IPToCountry database fails to update on Security Gateways (sk163672).
MBS-8460
General
When connected with SSL Network Extender to a Mobile Access Gateway, the user is unable to open new connections after a fail-over in the Security Group until a policy is installed on the Security Group.
MBS-8853
General
Enhancement: Added support for "Same VMAC Feature". Refer to sk165674.
MBS-9332
General
Enhancement: Check Point Support Data Collector tool (cpdata_collector) and IP/URL Block features are able to self-update from the Check Point Cloud. This requires the Security Gateway to be connected to the Internet.
MBS-9778
Maestro
Memory leak in the "sgm_pmd" process.
MBS-8691
Maestro
The time configuration in Gaia gClish is not applied on the Security Appliances of a Security Group.
The $FWDIR/log/blade_config.* files on the Security Appliances of a Security Group may show the following error: "Error: Failed to update the date".
MBS-9179
Maestro
Manual distribution settings might be overridden after reboot on Maestro Security Appliances.
MBS-9838
Maestro
Improved recovery for traffic distribution if there were communication issues between Security Appliances and Orchestrators.
Take 242 (05 Feb 2020)
MBS-9661
General
Resolved the issue with the installation of the Jumbo Hotfix Accumulator Take 240 on Dual Chassis / Maestro Dual Site with VSX Virtual Switch.
Take 240 (03 Feb 2020)
MBS-9390
General
The output of the 'asg route' command shows "cost None" on some SGMs.
MBS-9473
General
Threat Extraction processes do not start after an upgrade to Take 191 of the R80.20SP Jumbo Hotfix Accumulator.
MBS-9235
General
VPN tunnel might disconnect after ~30 seconds.
MBS-6173
General
Enhancement: The 'asg diag' command is now able to verify the Multi-Queue status (the "multi-queue" test) on the backplane interfaces BPEthX.
MBS-9202, MBS-6190
Chassis
Added initial support for Multiple Security Groups on chassis. For implementation, contact Check Point Support.
MBS-8778
Maestro
The output of the "cores_verifier" script in the section "Ppak core affinity on all SGMs is:" is broken when more than 10 SecureXL instances are configured on the Security Appliances.
MBS-9394
Maestro
Improved the stability of the orch_info utility.
MBS-9135
Maestro
Deleting a Security Appliance from a Security Group in Gaia Clish and applying the new configuration might fail with errors.
MBS-7861
Maestro
Enhancement: Improved the internal process of applying the Security Group topology.
MBS-9311
Maestro
Enhancement: Improved the stability of Quick FCD.
MBS-7445
Cluster
BGP connections that pass through the cluster might break after a failover.
MBS-8901
Cluster
ClusterXL does not monitor the external interface of VSX Virtual Switches.
Take 210 (05 Jan 2020)
MBS-8849
General
Enhancement: Added the new Check Point Support Data Collector tool (cpdata_collector).
MBS-9130
General
When the user runs the 'cpview' command on Security Group members, the "Overview" page shows "N/A" in all counters.
MBS-6638
General
In rare cases, during policy installation, traffic may be dropped on the cleanup rule for some time, or until SecureXL is disabled.
MBS-8850
General
Enhancement: Added new tools to block malicious traffic.
"ip_block": lets you block malicious traffic to or from certain IP addresses.
"url_block": lets you block malicious traffic to or from certain URLs.
The size of the /var/log/ports file grows constantly because the file is not rotated.
MBS-8427
Gaia
Scheduled backup to a remote server does not work.
MBS-8427
Chassis
Enhancement: Added support for the "SSM Allow Management Loss feature" (sk145792).
MBS-8453
Chassis
Added support for MAGG with LACP configuration. Note: MAGG with LACP configuration is only supported in Chassis, not in Maestro.
MBS-8851
Chassis
Enhancement: Improved logging.
Added support for Log Alerts.
Improved the distribution of Log Servers - use the 'log_distributer' command in Gaia gClish to configure the distribution of logs and alerts between the configured Log Servers.
MBS-8848
Chassis
Enhancement: Added the new utility "drop_monitor" to show detailed statistics in real time about packet drops on NICs and SSM ports.
Note: This utility replaces the "asg_drop_monitor" utility. Runs from VS0 only.
MBS-8255
Chassis
Enhancement: Added support for Management Data Plane Separation. See sk138672.
MBS-8719
Chassis
Enhancement: Added SSM extended monitoring with SNMP.
OID .1.3.6.1.4.1.2620.1.48.33 - SSM Ports (speed, link, packets)
OID .1.3.6.1.4.1.2620.1.48.32 - SSM CPU and RAM usage
To see the current state, run in Gaia gClish: 'show ssm extended-snmp-monitoring state'
To enable, run in Gaia gClish: 'set ssm extended-snmp-monitoring state on'
To disable, run in Gaia gClish: 'set ssm extended-snmp-monitoring state off'
MBS-8663
Maestro
Improved FCD stability when a Security Appliance is removed from a Security Group.
MBS-6220
Maestro Orchestrator
Security Appliance may crash after it is removed from the Security Group.
MBS-8839
Maestro Orchestrator
Enhancement: Added the ability to configure the MTU on the External Sync interface of the Maestro Orchestrator.
MBS-7993
Maestro Orchestrator
Enhancement: Added the ability to configure multiple physical ports as the Sync port on Maestro Orchestrator. Configuration is performed from Gaia Clish on the Maestro Orchestrator.
To configure multiple ports for the Internal Sync (between Orchestrators on the same site) run: 'set maestro port <port number> type ssm_sync'
To configure multiple ports for the External Sync (between Orchestrators on different sites) run: 'set maestro port <port number> type site_sync'
MBS-5861
Maestro Orchestrator
Failed to establish SIC with the Security Group object in SmartConsole if First Time Wizard settings were applied to that Security Group from the Orchestrator's Gaia Clish (for example, 'set maestro security-group id 1 ftw-configuration ...').
MBS-8948
Maestro Orchestrator
Interface distribution mode is not identical on the Orchestrator and on the Security Appliances.
Take 191 (2 Dec 2019, GA from 05 Jan 2020)
MBS-8292
General
Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 118 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-6531
General
Layer 4 Distribution with "General Distribution" does not work as expected due to an incorrect calculation for Non-TCP / Non-UDP traffic.
MBS-8596
VPN
The Security Group might mistakenly encrypt IKE NAT-T packets.
MBS-8688
VPN
Improved stability of VPN encrypted connections.
MBS-5886
VSX
The output of the 'hw_utilization -d' command shows "0" in the "Conn. limit" column instead of "unlimited" for VSID 0.
MBS-8483
Maestro
"insmod: error inserting '<name of kernel module>.o':-1 Invalid module format" messages during the Maestro Orchestrator boot.
MBS-7556
Maestro
Security Group mistakenly reports disconnected interfaces (uplinks) as LINK UP.
MBS-8010
Maestro
After the user installs R80.20SP Jumbo Hotfix Accumulator Take 163, the message "Failed to load Security Groups" appears in the Maestro Orchestrator's Gaia Portal. This message continues to appear until a Site ID is configured.
MBS-8448
Maestro
"Failed to run ['tor_util', 'clear_port', '2.0', '1']" error in Gaia Portal of the Maestro Orchestrator in Dual Site deployment.
MBS-7563
Maestro
Improved communication stability between the Security Appliances and the Maestro Orchestrators.
MBS-8622
Maestro
Output of the 'asg diag verify' command shows "SGM license is missing" warning in the "Licensing" category.
Take 178 (1 Nov 2019, GA from 02 Dec 2019)
MBS-7728
General
Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 103 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-7589
General
Installation of a CPUSE package might fail due to a timeout.
MBS-7538
General
Improved stability of IPv6 connections.
MBS-6206
General
Added support for Gaia scheduled backup with the 'add backup-scheduled' command.
MBS-7460
General
In rare cases, the Threat Emulation blade might not function and the '_g_allc tecli' commands might fail in this scenario:
SMO Image Cloning is enabled.
Threat Emulation blade is enabled.
A new member is added to the Security Group.
MBS-6634
General
When running PIM Sparse Mode / PIM SSM, PIM register packets are sent with an incorrect checksum. This causes the RP to drop these PIM packets.
MBS-6719
General
Improved stability of the RouteD daemon when IGMP query-interval is set to a value of less than 4 seconds.
MBS-4495
General
Added the ability to configure Proxy ARP in Gaia gClish with the 'add arp proxy' command.
MBS-6543
General
The 'asg_drop_monitor -r' command does not reset the drop statistics for the BPEthX interfaces that use the i40e driver.
MBS-6418
Chassis - General
The clock on the CMM is not synchronized when an administrator changes the clock time in Gaia Clish, Gaia gClish, or Gaia Portal.
MBS-8393
SNMP
SNMP query for the OID asgIPv6PeakUnits returns null values.
MBS-7670
VSX
Added support for Policy-Based Routing (PBR) in VSX mode (see sk137232).
MBS-6563
VSX
The ID in the names of these files now supports 4 digits (as the ID in the $FWDIR/conf/fwha_vsx_conf_id.conf file):
$FWDIR/conf/vsx_local_vs_files/local.vs. <ID>
$FWDIR/conf/vsx_local_vs_files/local.vskeep. <ID>
MBS-7671
VSX
The Gaia gClish command 'set pbr rule priority X action table' does not show the PBR tables configured in the current Virtual System context.
MBS-7346
Maestro
Added support for VSX Virtual Switches in a Maestro Security Group.
MBS-7486
Maestro - Orchestrator
Added support for configuring a VLAN Trunk interface that includes all VLAN IDs (2-4094) without adding each VLAN interface separately on the Orchestrator. Refer to sk165172.
MBS-8142
Maestro - Orchestrator
Improved link stability on ethX-Sync interfaces of Maestro Hyperscale Orchestrator.
MBS-7569
Maestro - Orchestrator
Improved connectivity between Security Appliances that belong to the same Security Group.
MBS-7869
Maestro - Orchestrator
In Dual Site, if different QSFP modes are configured for ports with the same port number on different Maestro Orchestrators, this error appears in Maestro Orchestrator's Gaia Portal when the user tries to load a Security Group topology:
Failed to load Security Groups Failed to fetch Security Groups topology
MBS-7750
Maestro - Orchestrator
Internal improvements for operations related to Security Groups (creating and removing Security Groups, adding and removing interfaces).
MBS-7793
Maestro - Orchestrator
Error on Maestro Hyperscale Orchestrator: "Failed to apply configuration on remote Orchestrator(s) SG X has no hostname."
MBS-8206
Maestro - VSX
"Error: Failed to find any routes on the machine" in SmartConsole when creating a VSX object.
Take 163 (10 Sep 2019)
MBS-6460
Maestro
Added support for Dual Site deployment. You can deploy two Maestro Hyperscale Orchestrators on each physical site and connect the sites to each other. The sites synchronize both connections and configuration. Refer to the Known Limitations in the "Dual Site Deployment" section of sk148074 - Check Point Maestro Known Limitations.
MBS-6577
General
Enhancement: Output of the 'asg_provision' command now shows SGM IDs in the headline.
MBS-5386
General
Output of the 'asg_conns -b <SGM IDs> -6' command shows "IPv6 not enabled" even though it is enabled on the chassis.
MBS-6865
General
The 'asg if' command shows "(NA)/(NA)" (instead of "(up)/(up)") in the "Link State" column for the ethX-MgmtY interfaces.
MBS-5710
General
The gClish command 'installer verify' shows "Action was aborted" if a CPUSE package was not imported on all members.
MBS-6510
General
The 'asg_provision' command fails when there is an inconsistency between members in the installed Hotfixes / Jumbo Hotfix Accumulators.
MBS-6757
Maestro - General
The gClish 'installer' commands fail with "expected integer but got <XX>" when explicitly specifying "member_ids" <site_id>-08 or <site_id>-09.
MBS-5913
Maestro - General
Output of the 'cores_verifier' command does not show any information in the "Ppak core affinity on all SGMs is" section.
MBS-7246
Maestro - General
Minimized the amount of packet drops during the reboot of Maestro Hyperscale Orchestrators.
MBS-5381
Chassis - General, Maestro - General
Output of the 'asg perf -p' command always shows the value "0" in the "VPN Performance" section > "VPN connections" counter.
MBS-7247
Chassis - General, Maestro - General
Output of the 'config_verify -v' command shows "Performing xfer files verification... Failed!" for the $FWDIR/conf/te_attributes.conf file.
MBS-6131
Chassis - General, Maestro - General
Output of the 'asg diag' command shows that the /etc/sysconfig/image.md5 file is not identical on all the SGMs.
MBS-6610
Gaia
Output of the 'asg_perf_hogs' command incorrectly shows the status "FAILED" for the "Kernel soft lockups" test if the year has changed recently on the system.
MBS-7136
Maestro Gaia - OS
Failure to log in on Security Appliances after removing them from a Security Group.
MBS-6440
Maestro - Cluster
When running the 'clusterXL_admin' command, the output might incorrectly show "Operation failed: member is not down, run 'cphaprob list' for further details".
MBS-7332
Maestro - Security Groups
Improved stability of Security Appliances when they are added to a Security Group with configured "fw samp" rules.
MBS-7237
Maestro - Hardware
A Security Appliance may fail to revert to factory default when it is removed from a Security Group (the revert must happen by design).
MBS-7241
Chassis - Hardware, Maestro - Hardware
Output of the 'smo verifiers report name "SSD Health"' command shows "Warning: SSD attributes getting towards low threshold".
MBS-6548
Chassis - Hardware
Enhancement: Added support for 10G SFP transceiver for SSM160 (BTI10GSRSFPP).
MBS-6530
Chassis - Hardware
On 64000 Scalable Platforms, the output of the 'asg stat -v' command shows "0" PSUs and "0" Fans, if only PSU 5 and PSU 6 are used.
MBS-6544
Chassis - Hardware
The "Dot3ahErrorAggregation: The threshold for the frame error was exceeded on port X/Y/Z" message appears repeatedly in SSM logs.
Take 121 (31 July 2019)
MBS-6399
General
Aligned the R80.20SP Jumbo Hotfix Accumulator with Take 87 of the R80.20 Jumbo Hotfix Accumulator (see sk137592).
MBS-6157
General & Maestro
The 'asg_local_arp_verifier' command might show "Error: Problem found in configuration" even though the $FWDIR/conf/local.arp files contain the same, correct configuration on all Security Group members.
MBS-6613
General & Maestro
The "asg diag verify" test, called "Security Group," fails with the "DB/Kernel/Configuration differ" message even though the Security Group configuration is correct on all members (as reported by the 'security_group_util diag' command).
MBS-6359
General & Maestro
"Did not find any new packages" message may appear in the output of the 'installer install' command when the user installs the R80.20SP Jumbo Hotfix Accumulator.
MBS-6706
General & Maestro
IPv6 traffic might fail to pass over a Bond interface.
MBS-6834
SecureXL & Maestro
Security Group members do not pull the SecureXL configuration from the $PPKDIR/conf/simkern.conf file on the SMO.
MBS-5975
Maestro (Cluster)
After the user deletes a Security Appliance from a Security Group, the 'cphaprob stat' command might still show that Security Appliance (member).
MBS-6693
Maestro (Orchestrator)
The 'set maestro security-group apply-new-config' command fails with the error "NMSSG0429 can't read "output": no such variable" after the user deletes all Security Groups in Gaia Clish on a Maestro Orchestrator.
MBS-7032
Maestro (Orchestrator)
Maestro Orchestrator's Gaia Portal shows the status "No connectivity" for Downlinks if the Maestro Orchestrator cannot detect the Security Appliance at this time.
MBS-6640
Maestro (Orchestrator)
Maestro Orchestrator logs are now written into the /var/log/maestro.log file instead of the /var/log/messages file on the Maestro Orchestrator.
MBS-6700
Maestro (Orchestrator)
Improved stability of the lldpd daemon on Maestro Orchestrator.
MBS-6758
Maestro (Orchestrator)
"Failed to get Orchestrators interfaces" error in Maestro Orchestrator's Gaia Portal in case the Maestro Orchestrator fails to resolve its "Orchestrator ID".
MBS-5807
Maestro (Orchestrator)
Maestro Orchestrator's Gaia Portal now shows Downlinks that are in the Up state only.
Example 1 (image) - The "Unassigned Gateways" pane
Example 2 (image) - The tooltip when the mouse cursor hovers over a Security Appliance
MBS-7039
Maestro (Security Groups)
If Security Appliances are removed from a Security Group and then added back to the same/other Security Group, some of these Security Appliances may remain out of the Security Group (appear as "DETACHED").
Take 105 (01 July 2019)
MBS-6494
Maestro / Gaia OS
The output of the 'config_verify -v' command shows "Configuration files inconsistent" for the /boot/grub/grub.conf file.
MBS-5702
General
Added support for the image auto-clone feature (set smo image auto-clone state on) that lets a remote SGM clone SMO images.
MBS-6201
General
Layer 4 distribution can cause rapid NAT port exhaustion.
MBS-6269
General
When the user runs the 'tcpdump' command with the '-mcap' flag in global mode (with either the 'tcpdump -mcap' command in gClish, or the 'g_tcpdump -mcap' command in Expert mode), the command deletes all copies of the packet captures on the peer members.
MBS-5488
Gaia OS
The Gaia Clish / Gaia gClish command 'snapshot_recover' is not supported.
MBS-6624
Gaia OS
CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.
MBS-6306
VSX
Log Server Distribution (asg_log_servers) is not supported on 40000 / 60000 chassis.
MBS-6080
VSX
Reverting a chassis in VSX mode to a snapshot might cause an additional reboot.
MBS-5636
VSX
A reset of the SIC between the Scalable Platform or Maestro Security Appliance in VSX mode and the Management Server might cause the non-SMO members to change their state to DOWN. To recover, reboot the non-SMO members.
MBS-5864
Cluster
In Dual Chassis, the user must install policy after changing the mode of a bond interface (for example, from XOR to 802.3AD), so that the bond interface is monitored by the cluster.
MBS-5610
SecureXL
An Accelerated SYN Defender configuration made with the 'fwaccel synatk' / 'fwaccel6 synatk' commands might not be applied on non-SMO members.
MBS-5837
Logging
The "distribution calculation completed successfully" message in Syslog is shown with an "Alert" priority instead of a "Notice" priority.
MBS-5595
Maestro (General)
When the user adds a large number of Security Appliances at once to a Security Group in Orchestrator's Gaia Portal, it might disconnect with the message "Unable to connect to the server. Press OK to reconnect."
MBS-5849
Maestro (General)
Improved stability of the ssm_pmd process on Maestro Orchestrator.
MBS-6090
Maestro (General)
The cpdiag tool now supports Security Appliances.
MBS-5749
Maestro (Performance)
After the user installs a Jumbo Hotfix Accumulator on a 23900 appliance connected to a Maestro Orchestrator, the Hyper-Threading (SMT) feature will be disabled by default.
MBS-6073
Maestro (Performance)
Improved traffic distribution on Maestro Security Appliances.
MBS-5674
Maestro (Gaia)
On Maestro Security Appliances, Gaia gClish shows "KERLAG0029 Interface ethX-Mgmt4 cant be changed to state off" when the user runs the 'delete bonding group [ID] interface ethX-Mgmt4' command.
MBS-6121
Maestro (Gaia)
On Maestro Orchestrator, the settings made with the following commands are not applied:
'set maestro security-group id management-connectivity ...'
'set maestro security-group id ftw-configuration ... '
MBS-5652
Maestro (Gaia)
On Maestro Orchestrator, a Gaia OS backup might fail due to low disk space (because large log files are not rotated).
MBS-5457
Maestro (VSX)
If, after creating a new Virtual System object, policy installation on a Security Group object fails with "Error code: 0-2000240", wait 2-3 minutes and install the policy again.
MBS-5592
Maestro (VSX)
When creating a VSX Gateway object in SmartConsole, it recognizes only the interfaces that were assigned to the Security Group before the First Time Wizard.
MBS-6082
Maestro (VSX)
When creating a VSX Gateway object in SmartConsole, it does not show the physical interfaces on which the VLAN interfaces were created and assigned to the Security Group. Example: The VLAN interface eth1-05.5 was assigned to the Security Group. The VSX Gateway object in SmartConsole does not show the physical interface eth1-05.
MBS-5104
Maestro (Networking)
You can only connect one DAC / Fiber cable between a Quad Port Card on an Appliance and each Maestro Hyperscale Orchestrator. Connecting two cables between a Quad Port Card on an Appliance and each Maestro Hyperscale Orchestrator is not supported.
MBS-5927
Maestro (Cluster)
Improved the internal process of creating a Security Group in Maestro Orchestrator's Gaia Portal when the option "Set FTW configuration" is selected.
MBS-5594
Maestro (Cluster)
Security Appliances show the link state on ports as Down, while the Maestro Orchestrator shows the link state on these ports as Up.
MBS-5557
Maestro (Multi-Queue)
The output of the 'cpmq get -v' command shows an incorrect Multi-Queue configuration (the 'rx_num' does not show the expected value) in the following scenario:
On Maestro Orchestrator, created a new Security Group, but in the First Time Wizard, did not select the option "Install as VSX".
In SmartConsole, configured the SMO as a VSX Gateway.
Installed the policy.
MBS-5838
Maestro (Hardware)
On Maestro Security Appliances, the 'asg stat -v' command now monitors the ethX-08 interfaces.
MBS-5701
Maestro (Hardware)
Added the ability to configure the Maestro Orchestrator port's QSFP mode to 1 GbE in the Gaia Clish.
-
Maestro (Hardware)
23900 appliances support Maestro beginning in Jumbo Hotfix Accumulator Take 105.
MBS-6099
Maestro (Licensing)
A Maestro Security Appliance that was removed from a Security Group and then added back to the same Security Group might not pull the license from the existing members of the Security Group. As a result, this Security Appliance remains in the DOWN state.