This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
simonemantovani
Collaborator
a week ago
Jump to solution

Certificate and CRL validation fails from March 1, 2026

Hello

accidentally, for the firewall infrastructure of a customer we ran into the issue reported in following SK:

https://support.checkpoint.com/results/sk/sk184766#

For the specific customer we planned to install the suggested hotfix.

Hope it could be useful.

 

(2)
2 Solutions

Accepted Solutions
Hugo_vd_Kooij
MVP Gold
MVP Gold
a week ago
Jump to solution

URGENT WARNING!

While the article seems to indicate this only applies to R82 gateways and above the only thing needed is a R82 or above management.

I just fixed a VPN issue where the customer runs R82 MDS with R81.20 gateways and R81.10 spark applances.

The VPN certificate expire date/time was March 3, 2026 13:44 and today (March 2) at exactly 13:44 the VPN went down.

Applied the workaround from the SK and did a renewal after that to resolve the issue.

The error on the Spark appliance was an "internal error" which I tried to solve based on https://support.checkpoint.com/results/sk/sk170141 but then I verified the exact time when the outage began and it was exactly 24 before expiration.

So I urge everyone to considere all gateways regardless of the version as impacted by this SK if your Management system is on R82 or above.

And the certificate was issued in 2021.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>

View solution in original post

(1)
nmelay2
Collaborator
Friday
Jump to solution

A quick and dirty workaround for this issue is to temporarily move the gw or mgmt clock 24h ahead in the future.

Yep, it's that easy.
That's far off from being an ideal workaround, but if you're stuck knee deep in this where-did-my-Feb-29th-go craze, that's worth a try.
Moving the clock forward should cancel the bug in every piece of yet to be fixed Check Point code.

Works for:
- the CPUSE "Connection Error, FDT - Unexpected error code" issue
- new gateways unable to download their license
- new gateways unable to connect to Smart-1 Cloud / MaaS

Again, not ideal, but worth a try.
If your equipment is going through initial setup or planned maintenance, the system date being off by 1 day is probably not that bad.

This whole March 1st bug it totally effed up.

View solution in original post

56 Replies
Steffen_Appel
Advisor
a week ago
Jump to solution

We ran into this bug too, the hotfix worked for us. It seems (by the workaround in the SK), that CP added an extra day (incorrect leap year) into the calculation.

Mattias_Jansson
Collaborator
a week ago
In response to Steffen_Appel
Jump to solution

Does the hotfix require a reboot?

0 Kudos
AndrzejAdamczyk
Explorer
a week ago
In response to Mattias_Jansson
Jump to solution

Quite important information - does anybody can reply?

0 Kudos
_Val_
Admin
Admin
a week ago
In response to Mattias_Jansson
Jump to solution

Hotfix yes, workaround - no

_Val_
Admin
Admin
a week ago
Jump to solution

Please follow the Sk instruction. There is a workaround that can be applied right away.

Also, it is important to say that the issue mentioned in the SK is limited and may only happen with R82 and R82.10 versions.

Steffen_Appel
Advisor
a week ago
In response to _Val_
Jump to solution

Limited to specific versions yes, limited in the effect no. We had several hundred of remote workers, who could not connect.

_Val_
Admin
Admin
a week ago
In response to Steffen_Appel
Jump to solution

@Steffen_Appel I think you misread my comment.

Just to be clear, "limited" means it does not happen to every GW or a user. S2S VPN tunners are affected only if X509 certs are in use. Users are affected only if cert-based auth is used. An additional limitation is about new certificates or newly generated CRLs.

That said, yes, if you are affected, it can be painful.

I want to assure you and everybody else that we are working on fixing the issue as soon as possible. The workaround mentioned in the SK is also very effective and does not require an HF installation, to buy you time for HF installation.

Please do not hesitate to reach out to TAC if you need any additional assistance.

(1)
Steffen_Appel
Advisor
a week ago
In response to _Val_
Jump to solution

As I wrote we installed the HF and it fixes the issue for us. 

_Val_
Admin
Admin
a week ago
In response to Steffen_Appel
Jump to solution

Happy to hear that

Steffen_Appel
Advisor
Monday
In response to _Val_
Jump to solution

The HF for the 3900 cannot be installed on a freshly installed GW with take 464.

 

 

"

Verification results
1 Errors | Installation is not allowed
Verification errors:
  1. Installed hotfixes are missing from this package."

 

0 Kudos
PeterKj
Explorer
Tuesday
In response to Steffen_Appel
Jump to solution

I have the same issue on 3900. Just created a ticket with TAC.

0 Kudos
PatrickHen
Participant
Tuesday
In response to PeterKj
Jump to solution

Any update from TAC yet?
Same issue on 3920 which was upgraded from previous build to T464 and seems up-to-date

0 Kudos
RemoteUser
Advisor
Tuesday
In response to PatrickHen
Jump to solution

TAC answer: i'm really upset to hear that.. 

If you are using a 3900 appliance with R82.10 GA2 that was upgraded from GA1, the hotfix may not be installed.

To resolve this issue, please perform a clean installation directly to GA2. You can find the procedure in the documentation below:

sk183506 - Check Point Quantum R82.10 Release
Check Point R82.10 Gaia Clean Install and Upgrade for 3900 appliances - CPUSE offline package

After the clean installation, install GA2 and then apply the fix from SK184766.

PatrickHen
Participant
Tuesday
In response to RemoteUser
Jump to solution

My TAC engineer was not aware of the above, so thank you.

I still hope TAC will come up with a working hotfix for 3900 appliances which were upgraded from GA1 to GA2.
They still seem to work ok for now and we don't wat to have to do a clean install on all of them...

0 Kudos
PatrickHen
Participant
Tuesday
In response to RemoteUser
Jump to solution

Got the same reply from TAC now.
Told him I think Check Point should be able to come up with a similar working hotfix for devices that were upgraded from GA1 to GA2 without us having to perform a clean install.
Waiting for TAC now.
(if someone from TAC is following this threat: please provide better support for customers that upgraded from GA1 to GA2 like Check Point recommended in it's mail from 13-01-2026 16:36)

(1)
RemoteUser
Advisor
Wednesday
In response to PatrickHen
Jump to solution

Update from TAC:

Hello Team,

I hope this email finds you well.

Based on our discussion with the R&D team, they are working on a fix that can be installed directly on the appliance, without needing the fresh install I mentioned earlier.

I can't provide an exact ETA, but it is a top priority, and we aim to deliver it as soon as possible, hopefully by the end of the day.

If you prefer not to do a fresh install, you can continue using the WA until we release the new fix.

If you prefer to use the Fresh Install step ,you can review the following SK that explains the backup steps - sk102234 - Backing up Gaia system level configuration

Thank you for your cooperation and understanding.

Steffen_Appel
Advisor
Wednesday
In response to RemoteUser
Jump to solution

There is a new build on top of HF22 (doesn't say anything about 22 and GA2): https://support.checkpoint.com/results/download/142063

 

I could not import it on JHF22 with GA2 installed.

0 Kudos
PatrickHen
Participant
Wednesday
In response to Steffen_Appel
Jump to solution

When you now look at the TAR for 3900 appliances under 'R82.10 GA Take 464', you see this is a new take.
Was Take 2 yesterday, is Take 9 today.
Just imported it on a 3920 which was upgraded from GA1 to GA2 and the verification is ok now :-).

BAlexiev
Participant
Thursday
In response to _Val_
Jump to solution

Val, after the hotfix has been installed on R82 JHF Take 44 (or earlier for that matter), when installing JHF T60, the hotfix will have to be applied again, correct?

Btw, with the hotfix installed, JHF Take 60 is no longer shown as recommended in SmartConsole on R82. It is still listed as recommended in the Gaia portal.

Thanks!

0 Kudos
Steffen_Appel
Advisor
Thursday
In response to BAlexiev
Jump to solution

Yes it is not shown as it does not include the HF, so I guess you have to uninstall the HF, install take 60 and then the T60 HF.

0 Kudos
Robert_Yohn
Participant
a week ago
Jump to solution

Does the HF install on MDS require a reboot?

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
Thursday
In response to Robert_Yohn
Jump to solution

Yes, installing the hotfix on an MDS requires rebooting the MDS.

0 Kudos
HeikoAnkenbrand
MVP Diamond
MVP Diamond
a week ago
Jump to solution

February 29 is a leap day that occurs only every four years in the Gregorian calendar to compensate for the difference between the calendar year and the solar year.

The year 2026 is not a leap year; the next February 29 will be in 2028.

If you take a closer look at the firewall code in R82, you will see that there is a small programming error. As a result, the certificates were no longer valid from March 1 onwards 😉


➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Steffen_Appel
Advisor
a week ago
In response to HeikoAnkenbrand
Jump to solution

That was my thought is morning (see above) 🙂

0 Kudos
Alex_Lewis
Contributor
a week ago
Jump to solution

In my case, after installing the hotfix Gaia Software Updates can no longer access the Check Point Download Center. 

Cannot establish connection with the Check Point cloud. Connection Error, FDT - Unexpected error code. Make sure that 1. Proxy, DNS and routing are configured properly. 2. Firewall does not block traffic originating from this machine to Check Point servers (checkpoint.com and akamaitechnologies.com over HTTP and HTTPS).

Steffen_Appel
Advisor
a week ago
In response to Alex_Lewis
Jump to solution

@Alex_Lewis I can confirm the issue.

0 Kudos
hvf3000
Explorer
Monday
In response to Alex_Lewis
Jump to solution

@Alex_Lewis I am experiencing the same issue across multiple installations.

0 Kudos
Alejandro_Lansa
Participant
Monday
In response to Alex_Lewis
Jump to solution

I can also confirm this issue. I have the same problem on the 3 Gateways where I have installed the Hotfix. I have one gateway pending to be updated that still works fine.

0 Kudos
JBhelm
Participant
Tuesday
In response to Alex_Lewis
Jump to solution

I have the same issue, i updated management and standby node for now, and both get this error.

The non-updated Active node does not get this error.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events