Saturday, January 27, 2018

Jumbo Hotfix Accumulator for R80.10 (R80_10_jumbo_hf)

Solution
Table of Contents:
  • Introduction
  • Availability
  • Important Notes
  • List of resolved issues per HotFix
  • Installation instructions
  • Uninstall instructions
  • List of replaced files
  • Revision History

Introduction

R80.10 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues in different products.
This Incremental Hotfix and this article are periodically updated with new fixes.
The list below describes each resolved issue and provides a Take number, in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). In addition, you can find the date when the take was published in the table below.
Refer to sk98028 - Jumbo Hotfix Accumulator FAQ.

Availability

Effective January 18th, 2018, the R80.10 image has been replaced with Take 462.
Only R80.10 Jumbo Hotfix Accumulator Take 70 and above can be installed on top of this R80.10 image Take 462.
  • General Availability Take

    Take_56 is the latest General Availability release that can be directly downloaded from Check Point Cloud using CPUSE and from this article:
    Take | Date | CPUSE offline package | SmartConsole package
    Take_56 | 23 Nov 2017 | (TGZ) | (EXE)
    • Effective Dec 12th 2017, the General Availability Take_56 is available for CPUSE online installation (it replaces Take_42).
    • Effective January 7th, 2018, SmartConsole package has been updated (Build 024)
  • Ongoing Take

    Take | Date | CPUSE Online Identifier | SmartConsole package
    Take_70 | 15 Jan 2018 | Check_Point_R80_10_JUMBO_HF_Bundle_T70_sk116380_FULL.tgz | (EXE)

Important Notes

  • Each of the Jumbo Hotfix Accumulator Takes is based on Check Point R80.10.
  • For CPUSE installation, CPUSE Agent build 1298 and above (refer to sk92449) must be used.
  • It is recommended to install Jumbo Hotfix Accumulator on all the R80.10 machines running on Gaia OS.
  • This Jumbo Hotfix Accumulator is suitable for these products and configurations:
    • Security Gateway
    • StandAlone
    • Cluster
    • VSX
    • Security Management Server
    • Multi-Domain Security Management Server
    • Log Server
    • Multi-Domain Log Server
    • SmartEvent Server
    • vSEC
  • This Jumbo Hotfix Accumulator has to be installed only after successful completion of Gaia First Time Configuration Wizard and reboot.
  • To check the Take number of the currently installed R80.10 Jumbo Hotfix Accumulator (if it is installed):
    [Expert@HostName:0]# cpinfo -y all

List of resolved issues per HotFix


ID | Product | Symptoms
R80.10 Jumbo HotFix - Ongoing Take 70 (15 Jan 2018)
TPM-494 | Multi-Domain Security Management | Global policy assignment fails after removing staging overrides in the Global Domain.
PMTR-1458, 02659051 | Multi-Domain Security Management | Attaching a central license from Multi-Domain Security Management to a Domain/CMA creates duplicate license objects in SmartUpdate, which cannot be deleted. Refer to sk120833.
API-146 | Security Management | Enhancement: New flags to control the API commands output in full details level. Refer to sk121292.
API-124 | Security Management | The "show-access-rulebase" API command fails if the rulebase contains rules with "Encrypt" or "Client Encrypt" action.
CPM-948 | Security Management | There is no status in the SmartView Monitor for Mobile Access blade.
PMTR-2379 | Security Management | querydb_util generates core file when cannot connect to Security Management server.
PMTR-2376 | Security Management | fwm process is down during gateway creation after configuring shared secret for VPN community.
PMTR-2722 | Security Management | After reboot or HA Full sync, some objects are not visible in a specific private session.
PMTR-712 | Security Gateway | CPD process exits with core dump generated while stopping CPD / rebooting the system / restarting watchdog.
PMTR-1310 | Security Gateway | Connections configured with Drop and Block message were actually dropped, but log appears as Accept log.
PMTR-1388 | Security Gateway | Upon packet loss, the clients' retransmit "strategy" triggers an issue of reassembling the TCP stream incorrectly. The SSL stream cannot be decrypted like this, so the SSL session is closed. Refer to sk121738.
PMTR-2660, 02666905 | Security Gateway | When DHCP is configured to work with VPN, DHCP Relay traffic is dropped.
PMTR-709 | Logging | Enhancement: Allow viewing HTTPS related fields according to permission profile in LEA. When configuring a permission profile that allows HTTPS, you will be able to see the related fields when receiving them with LEA OPSEC client, instead of obfuscating them.
PMTR-1771, 02525352 | Gaia | Gaia backup files are not created on Multi-Domain Management server. Refer to sk119401.
PMTR-2368 | Gaia | Configuring more than 200 logical interfaces can cause routed to crash upon the next change in configuration.
PMTR-1442, 02554018 | SmartLog | SmartConsole search does not work for strings that include non-English characters. For example, Cyrillic characters and characters with accent marks. Refer to sk120293.
PMTR-1224, 02562873 | SmartLog | After performing a Gradual Upgrade of the Domain Management Server, no logs are displayed in the relevant domain until running the mdsstop;mdsstart commands on MLM.
TEX-412 | Threat Extraction | Security enhancements for Data Loss Prevention and Threat Extraction blades.
PMTR-1932, 02590986 | Threat Emulation | Links inside email with domain suffix (e.g. www.example.com) are emulated as .com files.
PMTR-2891 | Anti-Virus, Threat Emulation | Enhancement in Anti-Virus to allow replacement of Kaspersky Labs components. For removal instructions see sk118539. For further information visit http://www.checkpoint.com/kaspersky
PMTR-4787 | DLP | The dlpu process crashes in some cases when DLP blade is enabled.
PMTR-1303 | Mobile Access | Connection to internal sites or Capsule Docs server via Mobile Access Blade's Reverse Proxy feature fails due to an incorrectly forwarded 'Host' header.
PMTR-2089 | Mobile Access | An incorrect policy installation warning "R80.10 gateways cannot be included in the Mobile Access Legacy Policy when Mobile Access Unified Policy is the selected policy source" is shown when installing the Access Control policy on a Mobile Access gateway and the legacy Mobile Access policy is empty.
PMTR-1183 | URL Filtering | Enhancements in categorization in cases where only URL Filtering is enabled.
PMTR-2594 | HTTPS Inspection | HTTPS based traffic is bypassed when using a category based HTTPS inspection rulebase on a SMB gateway without URL Filtering blade enabled.
R80.10 Jumbo HotFix - General Availability Take 56 (23 Nov 2017)
PMTR-683, 02648460 | Security Management | Users that are not configured with Multi-Domain super user permissions experience slowness in running queries.
PMTR-2697 | Security Management | FWM process restarts when trying to read the $FWDIR/tmp/fwmtrace.log file from an incorrect directory where this file does not exist.
R80.10 Jumbo HotFix - Ongoing Take 53 (25 Oct 2017)
PMTR-1702 | Security Management | Policy installation fails when Access Role is configured in the Access Control policy on a gateway with no Identity Awareness enabled.
SMCPOL-122 | Security Management | When policy installation fails with "Operation incomplete due to timeout" error, timeout can be increased via GuiDBedit Tool. Refer to sk112353.
CPM-830 | Security Management | FWM process crash in Management HA environment when $FWDIR/tmp/fwmtrace.log file reaches 2GB.
PMTR-738 | Security Gateway | Cluster member IP addresses are not added correctly during policy generation.
PMTR-1421 | Gaia OS | Outputs of "top" and "ps -aux" commands show lspci as zombie process. Refer to sk121891.
PMTR-330 | DLP | Enhancement: Maximum allowed SMTP headers length can be configured. Refer to sk119293.
PMTR-332 | DLP | Enhancement: Improved DLP stability.
GM-2855 | SMB Appliances | Enhancement: IPv6 support for 700 / 1200R / 1400 SMB Appliances. Refer to sk118816.
R80.10 Jumbo HotFix - General Availability Take 42 (17 Sept 2017)
Note: This Take replaces Take 40 released on 12 Sept 2017. It is recommended to install Take 42.
GAIA-1060 | Security Gateway | SIC status is "Not Communicating" and CPD process restarts after installing R80.10 Jumbo HotFix Take 40. Refer to sk120494.
UP-94, 02556604 | Security Gateway | Websites with short Host headers (like ab.com) cannot be loaded.
TEX-328 | Threat Extraction | Security gateway hangs when enabling Threat Extraction Web API.
TPM-373 | Threat Prevention | The API command "show threat-profile" wrongly reports configuration of internal settings which causes failure in certain scenarios.
PMTR-748 | Anti-Virus, Anti-Bot | Crash in Anti-Virus & Anti-Bot blades.
CPM-806 | Security Management | Policy installation fails on DAIP gateways after changing Domain Server from Standby to Active.
PMTR-464 | Security Management | After upgrade to R80.x, Administrator's "email" field does not show in SmartConsole.
PMTR-466 | Security Management | Rulebase initialization fails after CMA migration from R77.30 to R80.10 via cma_migrate.
TPM-419 | Management Console | After a period of time in which multiple IPS updates have been performed, the database size can become very large because of unused data. Enhancement: new procedure to clean old / unused IPS version in the database.
TPM-334 | Management Console | Geo policy allows to configure several rules for the same country, causing incorrect policy enforcement.
PMTR-631 | SmartEvent | In SmartEvent policy, when selecting two 'Event Fields' with the same 'Log Field' in 'Event Format' tab, the Event fails to generate.
PMTR-625 | SmartEvent | When automatic reaction mail is sent, the resolving name of source and destination is missing and only the source and destination IP address is shown.
PMTR-655 | SmartEvent | When automatic reaction email is sent, wrong "Start time" is displayed.
R80.10 Jumbo HotFix - Take 37 (04 Sept 2017)
PMTR-397 | Security Gateway | export_p12 feature is missing in VPN utilities.
PMTR-418 | Security Gateway | Security Gateway / Active cluster member freezes / locks up randomly. Refer to sk114977.
PMTR-454 | Security Gateway | Login to Smart Console fails with "The server did not provide a meaningful replay; This might be caused by a contract mismatch, a Premature session shutdown or an internal server error" error.
PMTR-469 | Security Gateway | FWM process consumes high CPU in case of unreachable DAIP objects existing in the system.
PMTR-458 | Security Gateway | Enhancement: Performance of Global Domain Assignment for Open Servers with 9-24 GB memory is improved.
PMTR-473 | Security Gateway | Enhancement: Improved Security Gateway stability when it is configured as proxy.
BS-175 | Security Gateway | Some objects are missing when querying for unused objects.
SL-441 | Security Gateway | In environment with more than 50 Log servers, log queries return results only from 50 log servers.
GAIA-634 | Gaia OS | Enhancement: Improved clish stability.
CPM-792 | Security Management | Log Server status in Monitoring view is not presented for cluster members of Full HA environment.
CPM-734 | Multi-Domain Security Management | Global policy assignment fails after section manipulation in the Global Domain's rulebase.
BS-149 | Multi-Domain Security Management | Policy installation from Multi-Domain Management following a Threat policy uninstall, fails.
API-99 | Management Console | Security Management API server fails under heavy load. Refer to sk119553.
API-92 | Management Console | API "show-packages" (when set to "details-level" : "full") fails where the revision in one of the package’s installation targets has been purged from the database.
API-93 | Management Console | If object is used inside a disabled rule, the "where-used" Security Management API command shows that the rule is enabled.
API-94 | Management Console | Reply to Security Management API "show-gateways-and-servers" misspells the name of the "identity-awareness" blade as "identical-awareness".
API-88 | Management Console | Under certain conditions, after restarting Security Management Server, the API server, although configured to accept requests from GUI clients, no longer does so, but reverts to the default behavior of accepting only calls from the local host.
R80.10 Jumbo HotFix - General Availability Take 35 (22 Aug 2017)
MAGB-27, MAGB-28 | Mobile Access | Improved stability of Mobile Access WebMail application.
PMTR-172 | Security Gateway | Security hardening for Client Authentication portal.
CPM-534 | Security Management | migrate_global_policies and cma_migrate commands can run when processes are down.
PMTR-436 | Security Management | Long duration of policy installation for large number of NAT rules.
CPM-665 | Security Management | Performance improvements.
DP-1079 | Check Point Appliances | "Can't validate base version is a GA take of R80.10" error message when installing Jumbo Hotfix Accumulator Take 24 on 405 / 410 appliances.
R80.10 Jumbo HotFix - General Availability Take 24 (01 Aug 2017)
PMTR-290 | Application Control | Support for user-defined application with encoded escaped characters within the URL.
GAIA-760 | Gaia OS | BGP does not work for VTIs and Point-to-Point interfaces with mask length of 32 with Virtual IPs.
TEX-329 | DLP, Threat Extraction | Security enhancements for Data Loss Prevention and Threat Extraction blades.
02559994, PMTR-385 | SmartLog | On Open Servers with 24G-35G of RAM running R80.10 Jumbo Hotfix (Take 10/15/18) logs are not indexed and SmartLogs queries fail.
R80.10 Jumbo HotFix - General Availability Take 18 (24 July 2017)
ACM-520 | Application Control | Improved Policy Verification for Pre-R80.10 Security Gateways that support only services of type "TCP" or "UDP" in the Application Control layer.
02522974, PMTR-100 | Identity Awareness | Improved Access Role identification for different login/logout scenarios.
02524894, PMTR-99 | Security Management | Automatic NAT rule is not removed after the corresponding network object is removed.
02521459, GM-2678 | Security Management | Policy installation fails in some cases when installing policy on all managed Security Gateways at once, if Security Management manages both standard Security Gateways and UTM-1 Edge devices.
R80.10 Jumbo HotFix - General Availability Take 15 (11 July 2017)
02536538, PMTR-147 | Security Gateway | Improved URL recognition mechanism for Anti-Virus, Anti-Bot, and URL Filtering blades.
PMTR-44 | vSEC | vSEC objects are not enforced on part of the gateways. Problem is relevant only for large scale environment with more than 50 gateways/cluster/vs/member.
PMTR-45 | vSEC | In large scale Azure environments, Data Center objects are partially imported.
PMTR-167 | SmartView | Security hardening of SmartView.
02539824, PMTR-164 | Security Management | Security Management access hardening.
R80.10 Jumbo HotFix - General Availability Take 10 (28 June 2017)
02530810 | Smart-1 | Added support for Smart-1 405 / 410 appliances. Refer to sk117578.
02524737, PMTR-88 | VSX | Wrong license status for 'Virtual Systems' blade for VSX objects in R80 SmartConsole.
R80.10 Jumbo HotFix - Take 7 (22 June 2017)
02528737, 02529416, 02533097, CPM-535 | Multi-Domain Security Management | Several cpsm-domains-X licenses are counted only once. Refer to sk118316.
02520574, CPM-462 | Multi-Domain Security Management | Upgrade failure of secondary Multi-Domain Log Server when using NGX license.
02520796, CPM-460 | Multi-Domain Security Management | mds_import fails with "CPM server failed to start, see server logs" message when trying to import a database exported from R80.10 Multi-Domain Management Server.
02524769, PMTR-87 | Security Management | While updating a User name, the logged in User name in the logs is wrongly reported with the old User name.
02449460, CPM-465 | Security Management | Management High Availability synchronization between primary server upgraded from R80 Jumbo Hotfix to R80.10 and new R80.10 secondary server, fails.
02532395, ACM-335 | Security Management, Security Gateway | Security rules that should be installed on a specific Security Gateway wrongly can be installed on another R80.10 Security Gateway. Refer to sk118153.
02526608, PMTR-81 | Security Gateway | Improved non-compliant HTTP protection to enforce more rare cases of non-compliant HTTP traffic.
02523046, PMTR-47 | Security Gateway | in.emaild.mta process may crash randomly (once every few days was observed) when the Security gateway is configured as Mail Transfer Agent (MTA). Mails under inspection may be delayed by up to a few minutes.
02513631, PMTR-96 | IPS | When an IPS protection is overridden, it is enforced correctly however it may cause higher performance load.
PMTR-98 | SmartConsole | Translated Source column with "Original" object wrongly has a Hide NAT option.
R80.10 Jumbo HotFix - General Availability Take 3 (06 June 2017)
02521398 | Threat Emulation | Fixed Mail Transfer Agent (MTA) enforcement issue.

Installation instructions

Procedure:
  • Installation in Gaia Portal - using CPUSE (Check Point Update Service Engine)

    • Offline installation
      Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
      1. Install the latest build of CPUSE Agent from sk92449.
      2. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
      3. In the upper right corner, click on the Import Package button.
      4. In the Import Package window, click on Browse... - select the CPUSE package (either offline TGZ file, or exported TAR file) - click on Import.
      5. Above the list of all software packages, click on the Showing Recommended packages button - select All.
      6. Select the imported package Check Point R80.10 Jumbo hotfix T<number> for sk116380 - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
      7. Select this package and click on Install Update button on the toolbar.

  • Installation in Gaia Clish - using CPUSE (Check Point Update Service Engine)

    For detailed installation instructions, refer to CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".
    • Offline installation
      Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
      1. Install the latest build of CPUSE Agent from sk92449.
      2. Connect to command line on target Gaia OS.
      3. Log in to Clish.
      4. Acquire the lock over Gaia configuration database:
        HostName:0> lock database override
      5. Import the package from the hard disk:
        Note: When import completes, this package is deleted from the original location.
        HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR
      6. Show the imported packages:
        Note: Refer to the top section "Hotfixes" - refer to "Check Point R80.10 Jumbo hotfix T<number> for sk116380"
        HostName:0> show installer packages imported
      7. Verify that this R80 Jumbo Hotfix Accumulator package can be installed without conflicts:
        HostName:0> installer verify <Package_Number>
      8. Install the imported package:
        HostName:0> installer install <Package_Number>

Uninstall instructions

Important Note: This Jumbo Hotfix Accumulator removes all its packages during uninstall.
    Procedure:

    List of replaced files

    List of files replaced by this Jumbo Hotfix Accumulator can be provided upon request by Check Point Support.


    Revision History


    Date | Description
    15 Jan 2018 | Released Take 70 of R80.10 Jumbo Hotfix Accumulator
    18 Dec 2017 | Added R80.10 SmartConsole Build 013
    12 Dec 2017 | Take 56 of R80.10 Jumbo Hotfix Accumulator is now in General Availability
    23 Nov 2017 | Released Take 56 of R80.10 Jumbo Hotfix Accumulator
    07 Nov 2017 | Added CPUSE Online Identifier of Take 53
    25 Oct 2017 | Released Take 53 of R80.10 Jumbo Hotfix Accumulator
    24 Sep 2017 | Added note regarding CPUSE Agent build 1298
    18 Sep 2017 | Added reference to sk120494
    17 Sep 2017 | Released Take 42 of R80.10 Jumbo Hotfix Accumulator
    12 Sep 2017 | Released Take 40 of R80.10 Jumbo Hotfix Accumulator
    04 Sep 2017 | Released Take 37 of R80.10 Jumbo Hotfix Accumulator
    22 Aug 2017 | Released Take 35 of R80.10 Jumbo Hotfix Accumulator
    09 Aug 2017 | Added note regarding SmartConsole Build 005
    01 Aug 2017 | Released Take 24 of R80.10 Jumbo Hotfix Accumulator
    27 July 2017 | Added the following notes:
    24 July 2017 | Released Take 18 of R80.10 Jumbo Hotfix Accumulator. Released updated R80.10 SmartConsole for R80.10 Jumbo Hotfix Accumulator (for Take 7 and above)
    19 July 2017 | Added an important note that to check the Take number of the installed R80.10 Jumbo Hotfix Accumulator, user should run the "cpinfo -y all" command
    11 July 2017 | Released Take 15 of R80.10 Jumbo Hotfix Accumulator
    28 June 2017 | Released Take 10 of R80.10 Jumbo Hotfix Accumulator
    22 June 2017 | Released Take 7 of R80.10 Jumbo Hotfix Accumulator
    06 June 2017 | First release of R80.10 Jumbo Hotfix Accumulator (Take 3)

    Tuesday, January 23, 2018

    R80.10 JHF 56


    The Latest GA release for R80.10 is Take 56 and you can find all the information under sk116380.

    Note: when you apply Take 56 on the FWM and the FW gateway clusters, you need to install the SmartConsole package.

    Installation in Gaia Portal - using CPUSE (Check Point Update Service Engine)

    Offline installation
    Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").


    1. Install the latest build of CPUSE Agent from sk92449.
    2. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
    3. In the upper right corner, click on the Import Package button.
    4. In the Import Package window, click on Browse... - select the CPUSE package (either offline TGZ file, or exported TAR file) - click on Import.
    5. Above the list of all software packages, click on the Showing Recommended packages button - select All.
    6. Select the imported package Check Point R80.10 Jumbo hotfix T<number> for sk116380 - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
    7. Select this package and click on Install Update button on the toolbar.


    The following tasks were completed.

    1. Upgrade CPUSE to R80.10 take 421 on FWM
    2. Apply JHF 56 on FWM and FWGateway Cluster
    3. Update eval license on FWM 
    4. Update Security Policy to gateway post upgrade.
    5. Login to Gateway post upgrade – validate functionality.

    Test results

    [Expert@myFWM:0]# cpinfo -y all |grep Take

    This is Check Point CPinfo Build 914000176 for GAIA
       HOTFIX_R80_10_JUMBO_HF    Take: 56
       HOTFIX_R80_10_JUMBO_HF    Take: 56
       HOTFIX_R80_10_JUMBO_HF    Take: 56
       HOTFIX_R80_10_JUMBO_HF    Take: 56
       HOTFIX_R80_10_JUMBO_HF    Take: 56
       BUNDLE_R80_10_JUMBO_HF    Take: 56

    [Expert@myFWM:0]#
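The grep above can be turned into a pass/fail post-install check that also catches components reporting different Takes. This is an added example, not part of the original post or of Check Point's tooling; the function names jumbo_take and require_take are hypothetical, the first sample is the output shown above and the second sample is constructed.

```shell
#!/bin/bash
# Added example: turn `cpinfo -y all` output into a pass/fail Take check.
# Function names are hypothetical.

# Reads cpinfo output on stdin and prints the distinct Take numbers seen
# on *_JUMBO_HF lines. Return: 0 = one Take on every line, 1 = no Jumbo
# Hotfix line found, 2 = lines report different Takes.
jumbo_take() {
    awk '
        /_JUMBO_HF/ && match($0, /Take:[ \t]*[0-9]+/) {
            t = substr($0, RSTART, RLENGTH)
            sub(/^Take:[ \t]*/, "", t)
            if (!(t in seen)) { seen[t] = 1; list = (n++ ? list " " : "") t }
        }
        END {
            if (n == 0) exit 1
            print list
            exit (n > 1 ? 2 : 0)
        }
    '
}

# Compare the installed Take with the one you intended to install.
# On a Gaia host:  cpinfo -y all 2>/dev/null | require_take 56
# Return: 0 = match, 1 = not installed, 2 = mixed Takes, 3 = wrong Take.
require_take() {
    expected="$1"
    found=$(jumbo_take) && rc=0 || rc=$?
    case "$rc" in
        1) echo "FAIL: no Jumbo Hotfix line in cpinfo output"; return 1 ;;
        2) echo "FAIL: mixed Takes reported: $found"; return 2 ;;
    esac
    if [ "$found" -ne "$expected" ]; then
        echo "FAIL: Take $found installed, expected $expected"
        return 3
    fi
    echo "OK: Take $found on all Jumbo Hotfix components"
}

# Sample 1: the output shown in the post above.
SAMPLE_OK='This is Check Point CPinfo Build 914000176 for GAIA
   HOTFIX_R80_10_JUMBO_HF    Take: 56
   HOTFIX_R80_10_JUMBO_HF    Take: 56
   HOTFIX_R80_10_JUMBO_HF    Take: 56
   HOTFIX_R80_10_JUMBO_HF    Take: 56
   HOTFIX_R80_10_JUMBO_HF    Take: 56
   BUNDLE_R80_10_JUMBO_HF    Take: 56'

# Sample 2: constructed for this example, one component on a different Take.
SAMPLE_MIXED='This is Check Point CPinfo Build 914000176 for GAIA
   HOTFIX_R80_10_JUMBO_HF    Take: 56
   HOTFIX_R80_10_JUMBO_HF    Take: 42
   BUNDLE_R80_10_JUMBO_HF    Take: 56'

printf '%s\n' "$SAMPLE_OK"    | require_take 56
printf '%s\n' "$SAMPLE_MIXED" | require_take 56 || true
```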

    Sunday, January 7, 2018

    How to troubleshoot IPS update

    Solution

    How to troubleshoot IPS update [scheduled and manual] issues

    If IPS update fails, the user needs to understand what kind of update is being performed, as troubleshooting steps are different for various kinds of update.

    For manual IPS update issues

    The client (Windows PC that runs SmartDashboard) is the one that initiates the connection towards the Check Point updates servers, and most troubleshooting has to be performed on the client PC.

    In both cases (scheduled and manual), the following update server URLs should be reachable by DNS, HTTP and HTTPS (for example, they can be opened in a normal web browser such as Google Chrome or Internet Explorer).
    Open the browser on the client that is performing the IPS manual update, and verify connectivity to:
    Notes:
    • You might get a redirect to a page, a page with the words "It works!" or "File not found." 
    • A blank page indicates an issue.
    If there is no connectivity to the above servers, the issue is on the client connectivity side, for example a proxy issue, routing issue, etc.

    If there is connectivity (with or without proxy):
    1. If the update is stuck at 99%, please refer to article sk111760.
    2. If the update won't start at all, and fails, please collect the following information:
      1. Debug SmartConsole GUI client as per article sk112334.
      2. Download WireShark and install it on the client PC, collect a traffic capture file during the IPS manual update issue being replicated.
      3. Provide the output files from SmartConsole debug and traffic capture to Check Point Support.

    3. For any other symptom, contact Check Point Support for additional troubleshooting.

    For scheduled IPS update issues

    The Security Management Server / Multi Domain Management Server (the Management or the relevant CMA) is the initiator of the connection towards Check Point updates servers, and most troubleshooting has to be performed on it.
    1. Since the IP addresses of the update servers are changed according to geo-location, and are very dynamic, make sure that the /etc/hosts file under the Security Management Server does not contain any manual entry for the below servers:

      • cws.checkpoint.com
      • secureupdates.checkpoint.com
      • updates.checkpoint.com
      • dl3.checkpoint.com

    2. Review article sk98781 and make sure that the checkbox for "Automatically download Contracts and other important data" is selected. If it is not selected, do so, and install the policy. Then try the update again.
    3. Verify that the Security Management Server can reach and resolve the servers, as follows:

      1. If the Security Management Server is not using proxy, use:
        # nslookup cws.checkpoint.com
        Repeat the command for all servers and verify that there is an IP reply.
        Verify that the Security Management Server has HTTP/HTTPS access to Check Point update servers, using curl:
        (If R76 and lower, ca-bundle.crt is in $FWDIR/bin)
        # curl_cli -v -1 --cacert $CPDIR/conf/ca-bundle.crt https://updates.checkpoint.com
        # curl_cli -v -1 --cacert $CPDIR/conf/ca-bundle.crt https://dl3.checkpoint.com
        # curl_cli -v http://cws.checkpoint.com
        Note: Possible connectivity errors: Could not resolve host, fetch .crl failed, etc. (these indicate an Internet connection problem).

      2. If the Security Management Server is using proxy, use:
        # nslookup cws.checkpoint.com
        Repeat the command for all servers and verify that there is an IP reply.
        Verify that the Security Management Server has HTTP/HTTPS access to Check Point update servers, using curl:
        (If R76 and lower, ca-bundle.crt is in $FWDIR/bin)
        # curl_cli -v -1 --cacert $CPDIR/conf/ca-bundle.crt https://updates.checkpoint.com -x <proxyIP:proxyPORT>
        # curl_cli -v -1 --cacert $CPDIR/conf/ca-bundle.crt https://dl3.checkpoint.com -x <proxyIP:proxyPORT>
        # curl_cli -v http://cws.checkpoint.com -x <proxyIP:proxyPORT>
        Note: Change <proxyIP:proxyPORT> to the proxy IP address and port, removing the symbols. For example, if the proxy IP address and port is: 10.20.30.40:8080, the command will be:
        # curl_cli -v -1 --cacert $CPDIR/conf/ca-bundle.crt https://updates.checkpoint.com -x 10.20.30.40:8080
    For scheduled IPS update:
    If all of the above tests were performed and the issue persists, please review and perform FWM debug according to article sk86186, making sure the scheduled update will occur while the FWM debug is running.
    FWM debug for scheduled IPS update can be run using a more focused debug:
    # fw debug fwm on TDERROR_ALL_FWMAU=5
    # fw debug fwm on TDERROR_ALL_FDT=5

    Collect all files and outputs from the troubleshooting steps above and contact Check Point Support, along with a screenshot of the update issue (try to include the error that pops up during the update).
    For faster resolution and verification, collect CPinfo files from the Security Management and Security Gateways, involved in the case.
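
Steps 1 and 3 of the scheduled-update checklist above can be scripted so they are run the same way on every management server. This is an added example, not part of the original article or of Check Point's tooling: the function names are hypothetical, the host names and nslookup / curl_cli invocations are the ones listed above, and the demo hosts file is constructed.

```shell
#!/bin/bash
# Added example: pre-checks for scheduled IPS updates on a management server.
# Function names are hypothetical; servers and commands come from the steps above.

UPDATE_SERVERS="cws.checkpoint.com secureupdates.checkpoint.com updates.checkpoint.com dl3.checkpoint.com"

# Step 1: print active hosts-file lines that pin one of the update servers.
# Ignores comments, checks every alias on a line, is case-insensitive and
# tolerates a trailing dot. Returns 1 if a manual entry exists, else 0.
find_hosts_overrides() {
    hosts_file="${1:-/etc/hosts}"
    awk -v servers="$UPDATE_SERVERS" '
        BEGIN { n = split(servers, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
        {
            orig = $0
            sub(/#.*/, "")                      # strip comment; fields are re-split
            for (i = 2; i <= NF; i++) {         # field 1 is the IP address
                name = tolower($i)
                sub(/\.$/, "", name)
                if (name in want) { print FILENAME ":" FNR ": " orig; found = 1; break }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$hosts_file"
}

# Step 3: resolve each server, then fetch the three URLs from the procedure.
# Optional $1 is proxyIP:proxyPORT. Relies on the exit status of nslookup and
# curl_cli; returns the number of failed checks.
check_update_connectivity() {
    proxy="$1"
    failures=0
    cacert="$CPDIR/conf/ca-bundle.crt"          # R76 and lower: $FWDIR/bin
    for host in $UPDATE_SERVERS; do
        if nslookup "$host" >/dev/null 2>&1; then
            echo "DNS  ok    $host"
        else
            echo "DNS  FAIL  $host"; failures=$((failures + 1))
        fi
    done
    for url in https://updates.checkpoint.com https://dl3.checkpoint.com http://cws.checkpoint.com; do
        case "$url" in
            https://*) set -- -v -1 --cacert "$cacert" "$url" ;;
            *)         set -- -v "$url" ;;
        esac
        [ -n "$proxy" ] && set -- "$@" -x "$proxy"
        if curl_cli "$@" >/dev/null 2>&1; then
            echo "HTTP ok    $url"
        else
            echo "HTTP FAIL  $url (rerun by hand to read the -v output)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Offline demo on a constructed hosts file (addresses are documentation ranges).
demo_hosts=$(mktemp)
cat > "$demo_hosts" <<'EOF'
127.0.0.1   localhost
10.1.1.10   mgmt01 mgmt01.example.local
# 192.0.2.10 updates.checkpoint.com   (commented out, so ignored)
192.0.2.20  proxy-cache DL3.CheckPoint.com.
192.0.2.30  notupdates.checkpoint.com.example.local
EOF
if find_hosts_overrides "$demo_hosts"; then
    echo "hosts file clean; next: check_update_connectivity [proxyIP:proxyPORT]"
else
    echo "remove the entries listed above before testing connectivity"
fi
rm -f "$demo_hosts"
```

On the management server itself, run find_hosts_overrides with no argument to scan /etc/hosts, then check_update_connectivity (with the proxy address if one is used).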