I was trying the other day to exclude on UTM 1180 gateway some IP address and service combination from being encrypted inside VPN tunnel and noted that any changes you do to the firewall files on the CLI, in this case - crypt.def, do not take effect . It is actually logical as every SK asking you to do such changes also specifies that "Changes are to be done on SmartCenter/Management server and then you are to install Security Policy" . The catch here is "installing the policy" - if it is what is known as Locally managed UTM, i.e. you manage it via its Web interface, you have no such action - "install policy" .
One solution would be to restart the UTM - works, but kinda harsh. The other solution is this undocumented (not listed in any Checkpoint documentation I searched) command :
You should be in Expert mode to run it . Also pay attention to the output - there should be no errors.
FW.pf: Compiled OK. Resolver Error 0 (no error) Resolver Error 0 (no error) Resolver Error 0 (no error) Resolver Error 0 (no error)
Update 2019: Checkpoint have caught up (thanks to Albrecht from community.checkpoint.com for noticing) and now the once undocumented command is explained in their SecureKnowledgebase - sk97949, sk100278 and sk108274