Maestro R80.30SP Jumbo Hotfix Accumulator Technical Level
Solution

Table of Contents:

  • Introduction
  • Availability
  • Important Notes
  • Resolved Issues per Take
  • Installation Instructions
  • Replaced Files
  • Revision History

Introduction

R80.30SP Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues for products running R80.30SP.

This Incremental Hotfix and article will be updated periodically with new fixes.

The list of resolved issues below describes each resolved issue and provides the Take number in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). The date on which this Take was released appears next to the Take number. 

Availability

Recommended Take 

Product          Take                 Date          CPUSE Offline Package
Orchestrator     Take 210 and higher  02 Dec. 2019  See sk155832
Maestro Gateway  Take 97              30 Nov. 2021  (TGZ)

Latest Take 

Product          Take                 Date          CPUSE Offline Package
Orchestrator     Take 210 and higher  02 Dec. 2019  See sk155832
Maestro Gateway  Take 108             02 Jan. 2023  (TGZ)

Important Notes

  • Each of the Jumbo Hotfix Accumulator Takes is based on Check Point R80.30SP.

  • Upgrade of CPUSE Agent is not supported on R80.30SP.

  • R80.30SP is not supported on Orchestrator appliances MHO140 and MHO170. For Orchestrators, use R80.20SP with the Jumbo Hotfix indicated in the table above. 

  • This Jumbo Hotfix Accumulator must be installed only after the successful completion of the Gaia First Time Configuration Wizard and a reboot.

  • For Gateway installation: All CPUSE commands must be run through the gclish shell only.

  • To check the Take number of the currently installed R80.30SP Jumbo Hotfix Accumulator (if it is installed), refer to the last section of the output of this command: [Expert@HostName:0]# asg_provision

  • For Known Limitations, refer to sk148074: Known Limitations for Scalable Platform and Maestro Appliances.

Resolved Issues per Take

ID Description
Take 108 (02 January 2023)
MBS-15907 UPDATE: Added configurable protection for blocking brute-force attacks on VPN's SNX portal. Refer to sk180271.
MBS-15065, MBS-14488 All Security Group Members but the SMO may go into the "Down" state after an Anti-Malware policy installation fails. Refer to sk177607.
MBS-15750, PMTR-83873 CPUSE upgrade packages are not available when working in "High Availability over Load Sharing" mode with VPN enabled. 
MBS-16342, PMTR-88702 In some scenarios, the sp_upgrade script does not recognize that a Security Gateway is in VSX mode. As a result, the upgrade fails.  
MBS-15631, PMTR-71738 In rare scenarios, when you change the number of CoreXL instances in a VS, the procedure fails, and the SMO goes down (SMO failover occurs). Then the modified VS does not run on the SMO.

Rebooting the applicable SGM or executing the "cpstart" command from the applicable VS returns the SMO to the ACTIVE state.
MBS-16096, PMTR-87006 After an upgrade to Jumbo Hotfix Accumulator R80.30SP Take 97 or Take 101, a member may be in Down state with a "pull_config" pnote.
Take 101 (03 February 2022)
MBS-15151, PMTR-76352 The clock verifier test (clock_verifier -v) does not work.
MBS-14938, MBS-14928 In the VSLS mode, you cannot configure the Security Group to forward specific inbound connections to the SMO with the "asg_excp_conf" command.
MBS-14666, PRHF-19991 ADLOG stops working during policy installation.
MBS-15030, MBS-15029 When the user connects more than one cluster to the same network segment (see sk25977), port flapping can occur because two different cluster members have the same correction MAC address.
MBS-15069, MBS-15063 Changing the VLAN ID of an existing interface might cause a traffic interruption. See sk176929.
MBS-14511, MBS-14105 Security Group Members may drop internal connections over the sync interface because the kernel table "cluster_members_ips" is empty. See sk176404.
MBS-14428, PRHF-19001 Improved the stability of the Gaia backup functionality in Scalable Platforms.
MBS-15112, MBS-14133 In some scenarios, link flapping on a Maestro Gateway may cause an unexpected site failover, cluster state flapping on the other Gateways, or packet drops.
MBS-15163, MBS-15055 In a rare scenario, the CPD process may crash during policy installation. The issue occurs from Take 82 of the R80.30SP Jumbo Hotfix Accumulator.
MBS-14911, MBS-14823 The Message of the Day (MOTD) is not updated with the results of the "asg diag verify" command when the default shell is gClish (see sk175963).
MBS-15075 When the user runs the "reconfigure_snmp_alerts" script with the "/usr/scripts/reconfigure_snmp_alerts" command, the script does not correctly parse authentication passwords that include a ">" character.
MBS-14635, MBS-14834 The "ip_block" command now supports comments using the "#" character in the feed file and ignores the lines that start with this character.
Take 97 (30 November 2021)
MBS-13650 Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 237 of the R80.30 Jumbo Hotfix Accumulator (see sk153152).
MBS-15049 The R80.30SP Jumbo Hotfix Accumulator supports upgrade to R81.10.
PRHF-15323 In a Dual Site Maestro environment, traffic is interrupted intermittently when a Domain object is used in the Rule Base. 
MBS-14519 Multicast traffic may cause high CPU load on all SGMs.
PMTR-70886 Security Group might drop traffic (drops by PSL) when it passes over a Bridge interface and failover occurs.  
MBS-8410 Enhancements:
  • Added IPv6 dynamic routing support.
  • Changes to IPv6 link-local addresses:
    • By default, all Chassis / Sites in the Security Group will have the same IPv6 link-local address for a given logical interface (previously, each Chassis / Site had its own IPv6 link-local address due to different MAC addresses).
    • By default, all VLANs on a particular physical interface will have unique IPv6 link-local addresses (previously, each VLAN shared the same IPv6 link-local address as the parent physical interface).
Take 82 (05 September 2021)
MBS-14597 Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 317 of the R80.20SP Jumbo Hotfix Accumulator (see sk155832).
MBS-13605 Enhancement: The asg perf command calculates memory use differently from CPView. For the most accurate value, refer to the output of the asg perf command. 
PMTR-71419 Using Static NAT for the destination in asymmetric connections may lead to Out of State traffic drops.
MBS-13975 In rare scenarios, the core dump files are created for the fw_full process.
Take 75 (06 April 2021)
MBS-13520 During a gradual Jumbo Hotfix upgrade on a Security Group’s Gateways, LACP bond slaves may get suspended if there are active Gateways in the same Security Group and in the same site with different Jumbo Hotfix versions. The issue may continue until the upgrade completes and all of the Gateways’ Jumbo Hotfix versions are aligned.  
Take 73 (07 March 2021)
MBS-13420 Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 310 of the R80.20SP Jumbo Hotfix Accumulator (see sk155832).
MBS-12809 Enhancement: Updated the Check Point Support Data Collector (CPSDC, see sk164414). Changed the name of the cpdata_collector_sp command to cpdata_collector.
MBS-10123 Enhancement: Added support for the new SNMP OIDs to get performance statistics from VSX Virtual Systems.

Configuration in Gaia gClish:
  1. Run: g_all "vsx mstat enable"
  2. Run: g_all "reboot"
  3. Configure SNMP v3 in the VS mode as described in sk90860.
SNMP OIDs - statistics from the specified Virtual System, statistics from each cluster member:

Number of concurrent connections - 1.3.6.1.4.1.2620.1.48.30.30.10.1.*
Physical memory - 1.3.6.1.4.1.2620.1.48.30.40.10.1.*
Packet rate - 1.3.6.1.4.1.2620.1.48.30.80.10.1.*
Throughput - 1.3.6.1.4.1.2620.1.48.30.90.10.1.*
Interface packet rate - 1.3.6.1.4.1.2620.1.48.30.100.10.1.*
Connection rate - 1.3.6.1.4.1.2620.1.48.30.120.10.1.*
Virtual memory - 1.3.6.1.4.1.2620.1.48.30.130.10.1.*

SNMP OIDs - statistics from the specified Virtual System, total statistics from all cluster members:
Total number of concurrent connections - 1.3.6.1.4.1.2620.1.48.30.30.20
Total packet rate - 1.3.6.1.4.1.2620.1.48.30.80.20
Total throughput - 1.3.6.1.4.1.2620.1.48.30.90.20
Total connection rate - 1.3.6.1.4.1.2620.1.48.30.120.20
MBS-12230 Enhancement: Ability to configure SNMP Traps in Gaia gClish. For more information and configuration instructions, see sk171394.
MBS-11953 Enhancement: Added support for the Threat Extraction Software Blade in VSX mode.
MBS-4414 While a Security Group Member reboots, some existing connections can fail on the Security Group. See sk169765.
PRHF-9930 In a rare scenario, traffic is dropped with the "[ERROR]: up_handle_get_matched_service_clob: no clob list on handle for type SERVICE;" error in dmesg.
MBS-2581 Logs generated by Software Blades on Scalable Platforms do not show the Group ID and SGM ID.
MBS-12714 Remote Access client using the Visitor Mode, or connecting to a Mobile Access Portal, may disconnect several seconds after it connected.
MBS-12669 Improved the stability of the VPND process when a "CCCclientRequest" packet is sent. 
MBS-12375 Commands in Gaia gClish fail with:
CLINFR0739 error in command execution; see "/var/log/messages"
The /var/log/messages file shows:
clish[<PID>]: timeout on read from all remote nodes; connections lost
Refer to sk170301
PRHF-14951 Improved the stability of IP Pool NAT.
MBS-9806 Added full support for VSX Virtual Switches.

Important Note: If you created Virtual Switches in R80.30SP with the R80.30SP Jumbo Hotfix Accumulator Take 56 or Take 49, you must install a special hotfix before you install the R80.30SP Jumbo Hotfix Accumulator Take 73 or higher. Refer to sk171917. 

MBS-11367 In rare cases, a Security Group member can crash (with the message "Entering kdb") during the installation of the R80.30SP Jumbo Hotfix Accumulator.
MBS-9716 After a Security Group Member reboot, the output of the "asg monitor" command shows its state as "Detached". See sk169764.
PRHF-14952 Improved Security Gateway operation during a large number of connections per second.
PRHF-14534 Improved access to kernel global tables preventing lock contention. 
MBS-13328
  1. Enabled configuration of more than one CPU core for the MDPS Management plane.
  2. Resolved an issue when a policy installation overrides the MDPS resource configuration. For more information about Management Data Plane Separation (MDPS), see sk138672.
MBS-11674 Fetching packet capture from a violation log in SmartConsole fails with the error "Failed at getting the incident file from the gateway".
MBS-11670 The configuration of Rate Limiting for DoS mitigation in SecureXL (the $FWDIR/conf/fwaccel_dos_rate_on_install script) is not synchronized between Security Group Members.
MBS-13282 The /var/log/send_alert* files repeatedly show this message for different interfaces: "Site <X> eth<X>-<XX> link is up".
MBS-11765 Gaia users other than 'admin' cannot use SCP to connect to a Security Group Member, even if the default shell '/bin/bash' and the 'admin' role are configured.
MBS-9767 VPN IKE packets are forwarded to a Security Group member even after its state changes to "Down".
MBS-11764 The output of the "show smo verifiers" command shows that the "ARP Consistency" test fails. This issue was caused by an unused padding in the kernel table 'arp_table'.
MBS-11956 These Gaia gClish commands do not take effect on all Security Group Members:
  • set user <username> password-hash
  • set user <username> force-password-change
MBS-9820 Added support for the Management Data Plane Separation (MDPS). See sk138672.
MBS-12280 If the IPSec Software Blade is disabled, this message appears repeatedly in the /var/log/messages file (refer to sk170852):
fwhandle_get(fwvpn.c:4288): Table kbufs - Invalid handle XXX (bad pool).    
MBS-8379 Added support for secondary IPv4 addresses (aliases) on the data ports of a Security Group (Maestro and Scalable Platforms). See sk167073.
Note: This does not apply to VSX mode.
PRHF-11517 The FWD process stops working randomly on Security Group Members on Scalable Chassis and Maestro (for more information and configuration instructions, see sk168692).
PRHF-15535, PMTR-65841 Added support for the SNMP sysOID .1.3.6.1.2.1.1.2.0 for Maestro Orchestrators.
MBS-11960 Added support for ISP Redundancy.
MBS-13224 Added support for Policy-Based Routing (PBR) in VSX mode.
MBS-12143 Static routes with the "ping" option enabled (to ping the next hop gateways) do not appear on some Security Group Members.
Take 56 (26 January 2021)
MBS-12874 Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 226 of the R80.30 Jumbo Hotfix Accumulator (see sk153152).
MBS-8558 Improved stability of the FWK daemon.
PRHF-14900 Improved stability of the QoS Software Blade when an interface goes down and up.
MBS-12346
  • Output of the asg diag command shows that the "License" test fails because of the IPS license.
  • Output of the asg_license_verifier command shows "ERROR: No license for 'IPS-1' [mandatory feature 'ips']". 
MBS-7805 After adding a slave interface to a Bond interface, the output of the asg diag command shows that the "Distribution Mode" test failed because of an issue with the slave interface.
MBS-11927 The output of the asg_dr_verifier command contains the line "cat: /proc/self/vrf: No such file or directory". Refer to sk171073.
MBS-12769
  1. Output of the asg monitor command shows that the state of the SMO Security Group Member is "Down".
  2. Output of the cphaprob list command shows that the Critical Device "Pull_config" reports its state as "problem".
  3. The $FWDIR/log/fwd.elg file on the SMO contains this message repeatedly: "fwauthd_init: got known service port XXX ... choosing another one".
MBS-9585
  1. Output of the asg monitor command shows that the state of a Security Group Member is "DOWN".
  2. Output of the cphaprob list command shows that the Critical Device "Policy" reports its state as "problem" on the Security Group Member.
  3. Output of the asg_policy verify -a command shows "Failed" in the "Status" column for the Security Group Member.
  4. Output of the asg_policy verify -a command shows "Policy date is lower than max policy date" in the "Summary" section for the Security Group Member.
PRHF-14165 A memory leak may appear in VPN and CPAS configuration.
The fix is relevant for Gaia 3.10 only.
PMTR-62477 Half-closed accelerated TCP connections may take too long to expire.
PRHF-14268 In certain scenarios, allocated memory is not freed after a packet is sent from the kernel addressing fragment correction.
MBS-12525 The output of the ps -aef | grep [d]efunc command shows multiple zombie processes "[sh] <defunct>".
The issue occurs after a reboot or policy installation.
MBS-12490, PMTR-61822 Connections may be wrongly matched on Domain or Updatable objects used in Security policy.
MBS-12642 Gaia scheduled backup fails to run.
The /var/log/messages file contains the error "scheduled_backup: SGM isn't SMO, skipping scheduled backup".
Take 49 (26 October 2020)
MBS-12224 If only one CPU core runs as a CoreXL SND on Security Group Members, these cosmetic issues can occur:
  • Output of the asg_perf command is empty.
  • Output of the cores_verifier command shows "Error: unable to obtain value from smodb". 
  • Output of the cores_verifier command shows "Error: BPEth0 doesn't exist in /proc/interrupts". 
MBS-12182 Output of the asg monitor -v command shows "0 / 0" in the "Bond" unit. The cluster does not monitor the bond interfaces as part of the site grade.
MBS-12386 Mobile Access fails to start on all Security Group Members after the installation of the R80.30SP Jumbo Hotfix Accumulator Take 45.
Take 45 (02 October 2020)
MBS-11529
  • Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 215 of the R80.30 Jumbo Hotfix Accumulator (see sk153152).
  • Aligned the R80.30SP Jumbo Hotfix Accumulator with Take 295 of the R80.20SP Jumbo Hotfix Accumulator (see sk155832).
Take 32 (07 April 2020)
MBS-10318 Take 32 of the R80.30SP Jumbo Hotfix Accumulator blocks its installation on top of the R80.30SP Take 41 and higher image (because all these fixes are already integrated).
Take 31 (10 March 2020)
(Take 31 was replaced with Take 32.)
MBS-7208 After a snapshot was reverted on a member, the output of the asg diag command may show "Policy signature doesn't match on all SGMs".
MBS-9401 Connections may fail if their packets need to be forwarded internally more than one time.
MBS-9427 Output of the asg perf command may show an incorrect number of CPU cores that run as CoreXL SND.
MBS-9582 Configuration actions may fail in the Gaia Portal of a Maestro Security Group.
MBS-9778 Memory leak in the sgm_pmd process.
MBS-9838 Improved recovery for traffic distribution if there were communication issues between Security Appliances and Orchestrators.
MBS-8900 External interface of a VSX Virtual Switch is not monitored by the VSX cluster. As a result, cluster failover does not occur if there are issues with that interface.
MBS-9400 In VSX mode, packets are not forwarded correctly to other members if packets arrive at a wrp interface.
MBS-9354 VPN tunnel over NAT-T with a DAIP peer might not work when Layer 4 distribution is enabled.

Installation Instructions

For installation instructions, refer to the "Installing and Uninstalling a Hotfix" section of the Check Point Maestro R80.30SP Administration Guide.  

Replaced Files

To receive a list of files replaced by this Jumbo Hotfix Accumulator, contact Check Point Support.

Revision History

Date          Description                                Aligned with R80.30 JHFA Take (sk153152)
02 Jan. 2023  Release of Take 108                        Take 237
03 Feb. 2022  Release of Take 101                        Take 237
30 Nov. 2021  Release of Take 97                         Take 237
05 Sep. 2021  Release of Take 82                         Take 226
06 Apr. 2021  Release of Take 75                         Take 226
07 Mar. 2021  Release of Take 73                         Take 226
26 Jan. 2021  Release of Take 56                         Take 226
26 Oct. 2020  Release of Take 49                         Take 215
02 Oct. 2020  Release of Take 45                         Take 215
07 Apr. 2020  Release of Take 32                         -
10 Mar. 2020  First release of this document (Take 31).  -
