Jumbo Hotfix Accumulator for R80.10 (R80_10_jumbo_hf)
| Solution ID | sk116380 |
| Product | Security Gateway, VSX, Security Management, Multi-Domain Management / Provider-1, SmartEvent / Eventia Analyzer |
| Version | R80.10 |
| OS | Gaia |
| Date Created | 06-Jun-2017 |
| Last Modified | 18-Jan-2018 |
Solution
Table of Contents:
This Incremental Hotfix and this article are periodically updated with new fixes.
The list below describes each resolved issue and provides a Take number, in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). In addition, you can find the date when the take was published in the table below.
Refer to sk98028 - Jumbo Hotfix Accumulator FAQ.
Only R80.10 Jumbo Hotfix Accumulator Take 70 and above can be installed on top of this R80.10 image Take 462.
- Introduction
- Availability
- Important Notes
- List of resolved issues per HotFix
- Installation instructions
- Uninstall instructions
- List of replaced files
- Revision History
Collapse the Entire Article
Introduction
R80.10 Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues in different products.This Incremental Hotfix and this article are periodically updated with new fixes.
The list below describes each resolved issue and provides a Take number, in which the fix was included. A resolved issue is included in the Incremental Hotfix starting from the Take number listed in this table (inclusive). In addition, you can find the date when the take was published in the table below.
Refer to sk98028 - Jumbo Hotfix Accumulator FAQ.
Availability
Effective January 18th, 2018, the R80.10 image has been replaced with Take 462.Only R80.10 Jumbo Hotfix Accumulator Take 70 and above can be installed on top of this R80.10 image Take 462.
General Availability Take
Take_56 is the latest General Availability release that can be directly downloaded from Check Point Cloud using CPUSE and from this article:
Take Date CPUSE offline
packageSmartConsole package Take_56 23 Nov 2017 
(TGZ) (EXE)- Effective Dec 12th 2017, the General Availability Take_56 is available for CPUSE online installation (it replaces Take_42).
- Effective January 7th, 2018, SmartConsole package has been updated (Build 024)
Ongoing Take
Take Date CPUSE Online Identifier SmartConsole package Take_70 15 Jan 2018 Check_Point_R80_10_JUMBO_HF_Bundle_T70_sk116380_FULL.tgz (EXE)- Contact Check Point Support to get this Ongoing Jumbo Hotfix Accumulator
Important Notes
- Each of the Jumbo Hotfix Accumulator Takes is based on Check Point R80.10.
- For CPUSE installation, CPUSE Agent build 1298 and above (refer to sk92449) must be used.
- It is recommended to install Jumbo Hotfix Accumulator on all the R80.10 machines running on Gaia OS.
- This Jumbo Hotfix Accumulator is suitable for these products and configurations:
- Security Gateway
- StandAlone
- Cluster
- VSX
- Security Management Server
- Multi-Domain Security Management Server
- Log Server
- Multi-Domain Log Server
- SmartEvent Server
- vSEC
- This Jumbo Hotfix Accumulator has to be installed only after successful completion of Gaia First Time Configuration Wizard and reboot.
- To check the Take number of the currently installed R80.10 Jumbo Hotfix Accumulator (if it is installed):
[Expert@HostName:0]# cpinfo -y all
List of resolved issues per HotFix
Enter the string to filter the below table:| ID | Product | Symptoms |
| R80.10 Jumbo HotFix - Ongoing Take 70 (15 Jan 2018) | ||
| TPM-494 | Multi-Domain Security Management | Global policy assignment fails after removing staging overrides in the Global Domain. |
| PMTR-1458, 02659051 | Multi-Domain Security Management | Attaching a central license from Multi-Domain Security Management to a Domain/CMA creates duplicate license objects in SmartUpdate, which cannot be deleted. Refer to sk120833. |
| API-146 | Security Management | Enhancement: New flags to control the API commands output in full details level. Refer to sk121292. |
| API-124 | Security Management | The "show-access-rulebase" API command fails if the rulebase contains rules with "Encrypt" or "Client Encrypt" action. |
| CPM-948 | Security Management | There is no status in the SmartView Monitor for Mobile Access blade. |
| PMTR-2379 | Security Management | querydb_util generates core file when cannot connect to Security Management server. |
| PMTR-2376 | Security Management | fwm process is down during gateway creation after configuring shared secret for VPN community. |
| PMTR-2722 | Security Management | After reboot or HA Full sync, some objects are not visible in a specific private session. |
| PMTR-712 | Security Gateway | CPD process exits with core dump generated while stopping CPD / rebooting the system / restarting watchdog. |
| PMTR-1310 | Security Gateway | Connections configured with Drop and Block message were actually dropped, but log appears as Accept log. |
| PMTR-1388 | Security Gateway | Upon packet loss, the clients' retransmit "strategy" triggers an issue of reassembling the TCP stream incorrectly. The SSL stream cannot be decrypted like this, so the SSL session is closed. Refer to sk121738. |
| PMTR-2660, 02666905 | Security Gateway | When DHCP is configured to work with VPN, DHCP Relay traffic is dropped. |
| PMTR-709 | Logging | Enhancement: Allow viewing HTTPS related fields according to permission profile in LEA. When configuring a permission profile that allows HTTPS, you will be able to see the related fields when receiving them with LEA OPSEC client, instead of obfuscating them. |
| PMTR-1771, 02525352 | Gaia | Gaia backup files are not created on Multi-Domain Management server. Refer to sk119401. |
| PMTR-2368 | Gaia | Configuring more than 200 logical interfaces can cause routed to crash upon the next change in configuration. |
| PMTR-1442, 02554018 | SmartLog | SmartConsole search does not work for strings that include non-English characters. For example, Cyrillic characters and characters with accent marks. Refer to sk120293. |
| PMTR-1224, 02562873 | SmartLog | After performing a Gradual Upgrade of the Domain Management Server, no logs are displayed in the relevant domain until running the mdsstop;mdsstart commands on MLM. |
| TEX-412 | Threat Extraction | Security enhancements for Data Loss Prevention and Threat Extraction blades |
| PMTR-1932, 02590986 | Threat Emulation | Links inside email with domain suffix (e.g. www.example.com) are emulated as .com files. |
| PMTR-2891 | Anti-Virus, Threat Emulation | Enhancement in Anti-Virus to allow replacement of Kaspersky Labs components. For removal instructions see sk118539. For further information visit http://www.checkpoint.com/kaspersky |
| PMTR-4787 | DLP | The dlpu process crashes in some cases when DLP blade is enabled. |
| PMTR-1303 | Mobile Access | Connection to internal sites or Capsule Docs server via Mobile Access Blade's Reverse Proxy feature fails due to an incorrectly forwarded 'Host' header. |
| PMTR-2089 | Mobile Access | An incorrect policy installation warning "R80.10 gateways cannot be included in the Mobile Access Legacy Policy when Mobile Access Unified Policy is the selected policy source" is shown when installing the Access Control policy on a Mobile Access gateway and the legacy Mobile Access policy is empty. |
| PMTR-1183 | URL Filtering | Enhancements in categorization in cases where only URL Filtering is enabled. |
| PMTR-2594 | HTTPS Inspection | HTTPS based traffic is bypassed when using a category based HTTPS inspection rulebase on a SMB gateway without URL Filtering blade enabled. |
| R80.10 Jumbo HotFix - General Availability Take 56 (23 Nov 2017) | ||
| PMTR-683, 02648460 | Security Management | Users that are not configured with Multi-Domain super user permissions, experience slowness in running queries. |
| PMTR-2697 | Security Management | FWM process restarts when trying to read the $FWDIR/tmp/fwmtrace.log file from an incorrect directory where this file does not exist. |
| R80.10 Jumbo HotFix - Ongoing Take 53 (25 Oct 2017) | ||
| PMTR-1702 | Security Management | Policy installation fails when Access Role is configured in the Access Control policy on a gateway with no Identity Awareness enabled. |
| SMCPOL-122 | Security Management | When policy installation fails with "Operation incomplete due to timeout" error, timeout can be increased via GuiDBedit Tool. Refer to sk112353. |
| CPM-830 | Security Management | FWM process crash in Management HA environment when $FWDIR/tmp/fwmtrace.log file reaches 2GB. |
| PMTR-738 | Security Gateway | Cluster member IP addresses is not added correctly during policy generation. |
| PMTR-1421 | Gaia OS | Outputs of "top" and "ps -aux" commands show lspci as zombie process. Refer to sk121891. |
| PMTR-330 | DLP | Enhancement: Maximum allowed SMTP headers length can be configured. Refer to sk119293. |
| PMTR-332 | DLP | Enhancement: Improved DLP stability. |
| GM-2855 | SMB Appliances | Enhancement: IPv6 support for 700 / 1200R / 1400 SMB Appliances. Refer to sk118816. |
| R80.10 Jumbo HotFix - General Availability Take 42 (17 Sept 2017) Note: This Take replaces Take 40 released on 12 Sept 2017. It is recommended to install Take 42 | ||
| GAIA-1060 | Security Gateway | SIC status is "Not Communicating" and CPD process restarts after installing R80.10 Jumbo HotFix Take 40. Refer to sk120494. |
| UP-94, 02556604 | Security Gateway | Websites with short Host headers (like ab.com) cannot be loaded. |
| TEX-328 | Threat Extraction | Security gateway hangs when enabling Threat Extraction Web API. |
| TPM-373 | Threat Prevention | The API command "show threat-profile" wrongly reports configuration of internal settings which causes failure in certain scenarios. |
| PMTR-748 | Anti-Virus, Anti-Bot | Crash in Anti-Virus & Anti-Bot blades. |
| CPM-806 | Security Management | Policy installation fails on DAIP gateways after changing Domain Server from Standby to Active. |
| PMTR-464 | Security Management | After upgrade to R80.x, Administrator's "email" field does not show in SmartConsole. |
| PMTR-466 | Security Management | Rulebase initialization fails after CMA migration from R77.30 to R80.10 via cma_migrate. |
| TPM-419 | Management Console | After a period of time in which multiple IPS updates have been performed, the database size can become very large because of unused data.
|
| TPM-334 | Management Console | Geo policy allows to configure several rules for the same country, causing incorrect policy enforcement. |
| PMTR-631 | SmartEvent | In SmartEvent policy, when selecting two 'Event Fields' with the same 'Log Field' in 'Event Format' tab, the Event fails to generate. |
| PMTR-625 | SmartEvent | When automatic reaction mail is sent, the resolving name of source and destination is missing and only the source and destination IP address is shown. |
| PMTR-655 | SmartEvent | When automatic reaction email is sent, wrong "Start time" is displayed. |
| R80.10 Jumbo HotFix - Take 37 (04 Sept 2017) | ||
| PMTR-397 | Security Gateway | export_p12 feature is missing in VPN utilities. |
| PMTR-418 | Security Gateway | Security Gateway / Active cluster member freezes / locks up randomly. Refer to sk114977. |
| PMTR-454 | Security Gateway | Login to Smart Console fails with "The server did not provide a meaningful replay; This might be caused by a contract mismatch, a Premature session shutdown or an internal server error" error. |
| PMTR-469 | Security Gateway | FWM process consumes high CPU in case of unreachable DAIP objects existing in the system. |
| PMTR-458 | Security Gateway | Enhancement: Performance of Global Domain Assignment for Open Servers with 9-24 GB memory is improved. |
| PMTR-473 | Security Gateway | Enhancement: Improved Security Gateway stability when it is configured as proxy. |
| BS-175 | Security Gateway | Some objects are missing when querying for unused objects. |
| SL-441 | Security Gateway | In environment with more than 50 Log servers, log queries return results only from 50 log servers. |
| GAIA-634 | Gaia OS | Enhancement: Improved clish stability. |
| CPM-792 | Security Management | Log Server status in Monitoring view is not presented for cluster members of Full HA environment. |
| CPM-734 | Multi-Domain Security Management | Global policy assignment fails after section manipulation in the Global Domain's rulebase. |
| BS-149 | Multi-Domain Security Management | Policy installation from Multi-Domain Management following a Threat policy uninstall, fails. |
| API-99 | Management Console | Security Management API server fails under heavy load. Refer to sk119553. |
| API-92 | Management Console | API "show-packages" (when set to "details-level" : "full") fails where the revision in one of the package’s installation targets has been purged from the database. |
| API-93 | Management Console | If object is used inside a disabled rule, the "where-used" Security Management API command shows that the rule is enabled. |
| API-94 | Management Console | Reply to Security Management API "show-gateways-and-servers" misspells the name of the "identity-awareness" blade as "identical-awareness". |
| API-88 | Management Console | Under certain conditions, after restarting Security Management Server, the API server, although configured to accept requests from GUI clients, no longer does so, but reverts to the default behavior of accepting only calls from the local host. |
| R80.10 Jumbo HotFix - General Availability Take 35 (22 Aug 2017) | ||
| MAGB-27, MAGB-28 | Mobile Access | Improved stability of Mobile Access WebMail application. |
| PMTR-172 | Security Gateway | Security hardening for Client Authentication portal. |
| CPM-534 | Security Management | migrate_global_policies and cma_migrate commands can run when processes are down. |
| PMTR-436 | Security Management | Long duration of policy installation for large number of NAT rules. |
| CPM-665 | Security Management | Performance improvements. |
| DP-1079 | Check Point Appliances | "Can't validate base version is a GA take of R80.10" error message when installing Jumbo Hotfix Accumulator Take 24 on 405 / 410 appliances. |
| R80.10 Jumbo HotFix - General Availability Take 24 (01 Aug 2017) | ||
| PMTR-290 | Application Control | Support for user-defined application with encoded escaped characters within the URL. |
| GAIA-760 | Gaia OS | BGP does not work for VTIs and Point-to-Point interfaces with mask length of 32 with Virtual IPs. |
| TEX-329 | DLP, Threat Extraction | Security enhancements for Data Loss Prevention and Threat Extraction blades. |
| 02559994, PMTR-385 | SmartLog | On Open Servers with 24G-35G of RAM running R80.10 Jumbo Hotfix (Take 10/15/18) logs are not indexed and SmartLogs queries fail. |
| R80.10 Jumbo HotFix - General Availability Take 18 (24 July 2017) | ||
| ACM-520 | Application Control | Improved Policy Verification for Pre-R80.10 Security Gateways that support only services of type "TCP" or "UDP" in the Application Control layer. |
| 02522974, PMTR-100 | Identity Awareness | Improved Access Role identification for different login/logout scenarios. |
| 02524894, PMTR-99 | Security Management | Automatic NAT rule is not removed after the corresponding network object is removed. |
| 02521459, GM-2678 | Security Management | Policy installation fails in some cases when installing policy on all managed Security Gateways at once, if Security Management manages both standard Security Gateways and UTM-1 Edge devices. |
| R80.10 Jumbo HotFix - General Availability Take 15 (11 July 2017) | ||
| 02536538, PMTR-147 | Security Gateway | Improved URL recognition mechanism for Anti-Virus, Anti-Bot, and URL Filtering blades. |
| PMTR-44 | vSEC | vSEC objects are not enforced on part of the gateways. Problem is relevant only for large scale environment with more than 50 gateways/cluster/vs/member. |
| PMTR-45 | vSEC | In large scale Azure environments, Data Center objects are partialy imported. |
| PMTR-167 | SmartView | Security hardening of SmartView. |
| 02539824, PMTR-164 | Security Management | Security Management access hardening. |
| R80.10 Jumbo HotFix - General Availability Take 10 (28 June 2017) | ||
| 02530810 | Smart-1 | Added support for Smart-1 405 / 410 appliances. Refer to sk117578. |
| 02524737, PMTR-88 | VSX | Wrong license status for 'Virtual Systems' blade for VSX objects in R80 SmartConsole. |
| R80.10 Jumbo HotFix - Take 7 (22 June 2017) | ||
| 02528737, 02529416, 02533097, CPM-535 | Multi-Domain Security Management | Several cpsm-domains-X licenses are counted only once. Refer to sk118316. |
| 02520574, CPM-462 | Multi-Domain Security Management | Upgrade failure of secondary Multi-Domain Log Server when using NGX license. |
| 02520796, CPM-460 | Multi-Domain Security Management | mds_import fails with "CPM server failed to start, see server logs" message when trying to import a database exported from R80.10 Multi-Domain Management Server. |
| 02524769, PMTR-87 | Security Management | While updating a User name, the logged in User name in the logs is wrongly reported with the old User name. |
| 02449460, CPM-465 | Security Management | Management High Availability synchronization between primary server upgraded from R80 Jumbo Hotfix to R80.10 and new R80.10 secondary server, fails. |
| 02532395, ACM-335 | Security Management, Security Gateway | Security rules that should be installed on a specific Security Gateway wrongly can be installed on another R80.10 Security Gateway. Refer to sk118153. |
| 02526608, PMTR-81 | Security Gateway | Improved non-compliant HTTP protection to enforce more rare cases of non-compliant HTTP traffic. |
| 02523046, PMTR-47 | Security Gateway | in.emaild.mta process may crash randomly (once every few days was observed) when the Security gateway is configured as Mail Transfer Agent (MTA). Mails under inspection may be delayed by up to a few minutes. |
| 02513631, PMTR-96 | IPS | When an IPS protection is overridden, it is enforced correctly however it may cause higher performance load. |
| PMTR-98 | SmartConsole | Translated Source column with "Original" object wrongly has a Hide NAT option. |
| R80.10 Jumbo HotFix - General Availability Take 3 (06 June 2017) | ||
| 02521398 | Threat Emulation | Fixed Mail Transfer Agent (MTA) enforcement issue. |
Installation instructions
Procedure:
- Show / Hide instructions for installation in Gaia Portal - using CPUSE (Check Point Update Service Engine)
- Offline installation
Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
- Install the latest build of CPUSE Agent from sk92449.
- Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions.
- In the upper right corner, click on the Import Package button.
- In the Import Package window, click on Browse... - select the CPUSE package (either offline TGZ file, or exported TAR file) - click on Import.
- Above the list of all software packages, click on the Showing Recommended packages button - select All.
- Select the imported package Check Point R80.10 Jumbo hotfix T<number> for sk116380 - click on More button on the toolbar - click on Verifier (or right-click on the package and click on Verifier).
- Select this package and click on Install Update button on the toolbar.
- Offline installation
- Show / Hide instructions for installation in Gaia Clish - using CPUSE (Check Point Update Service Engine)For detailed installation instructions, refer to CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".
- Offline installation
Note: Either get the offline package from Check Point Support, or export the package from a source Gaia machine, on which this package was already downloaded / installed (for package export instructions, refer to sk92449 - section "(4-D) "How to ..."").
- Install the latest build of CPUSE Agent from sk92449.
- Connect to command line on target Gaia OS.
- Log in to Clish.
- Acquire the lock over Gaia configuration database:
HostName:0> lock database override - Import the package from the hard disk:
Note: When import completes, this package is deleted from the original location.
HostName:0> installer import local <Full_Path>/<Package_File_Name>.TGZ_or_TAR - Show the imported packages:
Note: Refer to the top section "Hotfixes" - refer to "Check Point R80.10 Jumbo hotfix T<number> for sk116380"
HostName:0> show installer packages imported - Verify that this R80 Jumbo Hotfix Accumulator package can be installed without conflicts:
HostName:0> installer verify <Package_Number> - Install the imported package:
HostName:0> installer install <Package_Number>
- Offline installation
Uninstall instructions
Important Note: This Jumbo Hotfix Accumulator removes all its packages during uninstall.- Show / Hide instructions for uninstall in Gaia Portal - using CPUSE (Check Point Update Service Engine)
- CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449. - Connect to the Gaia Portal on your Gaia machine and navigate to the 'Upgrades (CPUSE)' section - click on 'Status and Actions'.
- Above the list of all software packages, click on the 'Showing Recommended packages' button - select 'All'.
- Right-click on the Jumbo Hotfix Accumulator package - click on 'Uninstall'.
- A warning will be displayed that after this uninstall, the machine will be automatically rebooted.
Click on 'OK' to start the uninstall.
- CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
- Show / Hide instructions for uninstall in Gaia Clish - using CPUSE (Check Point Update Service Engine)
- CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
Otherwise (and if this machine is offline), users should manually install the latest build of CPUSE Agent from sk92449. - Connect to command line on Gaia OS.
- Log in to Clish.
- Acquire the lock over Gaia configuration database:
HostName:0> lock database override - Uninstall the package:
HostName:0> installer uninstall <Package_Number>
Note: The progress (in per cent) will be displayed in Clish. - Machine will be rebooted automatically.
- CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
List of replaced files
List of files replaced by this Jumbo Hotfix Accumulator can be provided upon request by Check Point Support.Revision History
Show / Hide revision history
| Date | Description |
| 15 Jan 2018 | Released Take 70 of R80.10 Jumbo Hotfix Accumulator |
| 18 Dec 2017 | Added R80.10 SmartConsole Build 013 |
| 12 Dec 2017 | Take 56 of R80.10 Jumbo Hotfix Accumulator is now in General Availability |
| 23 Nov 2017 | Released Take 56 of R80.10 Jumbo Hotfix Accumulator |
| 07 Nov 2017 | Added CPUSE Online Identifier of Take 53 |
| 25 Oct 2017 | Released Take 53 of R80.10 Jumbo Hotfix Accumulator |
| 24 Sep 2017 | Added note regarding CPUSE Agent build 1298 |
| 18 Sep 2017 | Added reference to sk120494 |
| 17 Sep 2017 | Released Take 42 of R80.10 Jumbo Hotfix Accumulator |
| 12 Sep 2017 | Released Take 40 of R80.10 Jumbo Hotfix Accumulator |
| 04 Sep 2017 | Released Take 37 of R80.10 Jumbo Hotfix Accumulator |
| 22 Aug 2017 | Released Take 35 of R80.10 Jumbo Hotfix Accumulator |
| 09 Aug 2017 | Added note regarding SmartConsole Build 005 |
| 01 Aug 2017 | Released Take 24 of R80.10 Jumbo Hotfix Accumulator |
| 27 July 2017 | Added the following notes:
|
| 24 July 2017 | Released Take 18 of R80.10 Jumbo Hotfix Accumulator Released updated R80.10 SmartConsole for R80.10 Jumbo Hotfix Accumulator (for Take 7 and above) |
| 19 July 2017 | Added an important note that to check the Take number of the installed R80.10 Jumbo Hotfix Accumulator, user should run the "cpinfo -y all" command |
| 11 July 2017 | Released Take 15 of R80.10 Jumbo Hotfix Accumulator |
| 28 June 2017 | Released Take 10 of R80.10 Jumbo Hotfix Accumulator |
| 22 June 2017 | Released Take 7 of R80.10 Jumbo Hotfix Accumulator |
| 06 June 2017 | First release of R80.10 Jumbo Hotfix Accumulator (Take 3) |
| Give us Feedback | |
