Checkpoint NGX Release Notes


  • 7/31/2019 Checkpoint NGX Release Notes


    Copyright 2005 Check Point Software Technologies, Ltd. All rights reserved.

Check Point Enterprise Suite NGX (R60)

Release Notes, May 16, 2005

In This Document

Information About This Release page 1
Resolved Limitations page 10
Clarifications and Limitations page 16

Information About This Release

This document contains important information not included in the documentation. Review this information before setting up Check Point NGX (R60).

IMPORTANT: Before you begin installation, read the latest available version of these release notes at: http://www.checkpoint.com/techsupport/downloads.jsp

In This Section

License Upgrade Requirement page 1
NGX (R60) Products by Platform page 2
Build Numbers page 3
Non-upgradable Products page 3
Minimum Hardware Requirements page 4
Maximum Number of Interfaces Supported by Platform page 7
Minimum Software Requirements page 8
The Regular Expression (RX) Library page 9

License Upgrade Requirement

To upgrade to NGX R60, you must first upgrade licenses for all NG products, as NGX R60 will not function with licenses from previous versions. The utility license_upgrade is included on the CD at \license_upgrade. See the Upgrade Guide for instructions.

    Information About This Release NGX (R60) Products by Platform

    Release Notes for Check Point NGX (R60). Last Update May 16, 2005 2

NGX (R60) Products by Platform

Notes to Products by Platform Table

1) See Minimum Software Requirements on page 8 for Solaris platforms.
2) The following SmartConsole Clients are not supported on Solaris UltraSPARC 8 (32- and 64-bit): Eventia Reporter Client, SmartView Monitor, SmartLSM and the SecureClient Packaging Tool.
3) HA Legacy mode is not supported on Windows Server 2003.
4) ClusterXL supported only in third party mode with VRRP or IP Clustering.
5) Only the Server Add-on of Eventia Reporter is supported on Nokia.
6) SmartView Monitor on Solaris is supported only in 32-bit mode.
7) VPN-1 Edge devices cannot be managed from a SmartCenter server running on a Nokia platform.

Table columns (platforms): Microsoft Windows: Server 2003; 2000 Advanced Server (SP1-4); 2000 Server (SP1-4); 2000 Professional (SP1-4); XP Home & Professional; 98 SE & ME; Hand-Held PC 2000 & Pocket PC 2003. Solaris UltraSPARC (1): 8, 32/64 bit; 9, 64 bit. RHEL 3.0, kernel 2.4.21. Check Point SecurePlatform. Nokia IPSO 3.9. Mac OS X.

Rows, with support marks (X) and note numbers as they appear in the original; the column positions of the marks did not survive extraction:

SmartConsole GUI: X 2 X X X X X X X
VPN-1 Pro Module (including QoS, Policy Server): X X X X X X X X
SmartCenter Server (incl. VSX): X X X X X X X X
SmartPortal: X X X X X X X
SecuRemote: X X X X X
SecureClient: X X X X X X X X
ClusterXL (VPN-1 Pro Module): X X X 3 X X X X X 4
UserAuthority (Management Add-on only): X X X X X X X X X X
Eventia Reporter - Server: X X X X X X X X 5
SmartView Monitor: X 6 X X X X X X
VPN-1 Accelerator Driver II: X X
VPN-1 Accelerator Driver III: X X X X X X X X
Performance Pack: X X X
SmartLSM - GUI: X X X X X
SmartLSM - Enabled Management: X X X X X X X X
SmartLSM - Enabled ROBO Gateways: X X X X X X
SmartLSM - Enabled CO Gateways: X X X X X X X X
Advanced Routing: X
SecureXL Turbocard: X
SSL Network Extender - Server: X X X X X X X X
SSL Network Extender - Client: X X X
Provider-1/SiteManager-1 Server: X X X X
Provider-1/SiteManager-1 GUI: X X X X X X X
OSE Supported Routers: Nortel Versions: 7.x, 8.x, 9.x, 10.x, 11.x, 12.x, 13, 14; Cisco OS Versions: 9.x, 10.x, 11.x, 12.x


Build Numbers

The following table lists all NGX (R60) software products available, and the build numbers as they are distributed on the product CD. To verify each product's build number, use the given command format.

Product                           Build No.                                              Command
VPN-1 Pro                         457_4 (Windows), 458_2 (all others)                    fw ver
SmartCenter                       387                                                    fwm ver
SecureClient Policy Server        24                                                     dtps ver
SmartView Monitor                 134                                                    rtm ver
QoS                               47                                                     fgate ver
SVN Foundation                    562                                                    cpshared_ver
NG Compatibility Package          57_1                                                   fw_loader -v
R55W Compatibility Package        12_4                                                   fw_loader ver
VPN-1 Edge Compatibility Package  650_1                                                  fw ver
VPN-1 Edge - S series             5.0.58s                                                Displayed on the default portal page
VPN-1 Edge - X series             5.0.50x (or 5.0.57x)                                   Displayed on the default portal page
SmartConsole (GUI)                654_1                                                  Help > About Check Point SmartDashboard
UserAuthority Server              30_1                                                   uas ver
Eventia Reporter                  339_2                                                  SVRServer ver
SecuRemote/SecureClient           619_1                                                  Help > About
SecurePlatform                    244_1                                                  ver
Performance Pack                  79_1                                                   sim ver -k
VPN-1 HW Accelerator II           13_1                                                   n/a
VPN-1 HW Accelerator III          20004_2 (Windows), 20004_1 (Solaris), 20007_1 (Linux)  n/a

Non-upgradable Products

The following Check Point products cannot be upgraded to NGX (R60):

VPN-1 SmallOffice
VPN-1 Net
FireWall-1 4.1


Minimum Hardware Requirements

In This Section

Windows & Linux Platforms page 4
Solaris Platforms page 6
SecurePlatform page 7

Windows & Linux Platforms

Minimum Requirements for VPN-1 Pro

On Windows and Linux platforms, the minimum hardware requirements for installing a VPN-1 Pro SmartCenter Server, Enforcement Module or SmartPortal are:

Intel Pentium II 300 MHz or equivalent processor
300 MB free disk space
RAM: Windows: 256 Mbytes; Linux: 128 Mbytes (256 Mbytes recommended)
One or more network adapter cards
CD-ROM Drive

Minimum Requirements for SmartConsole

On Windows and Linux platforms, the minimum hardware requirements for installing a SmartConsole, which includes SmartDashboard, SmartView Tracker, SmartView Monitor, Eventia Reporter, SmartUpdate, SmartLSM and User Monitor, are:

Intel Pentium II 300 MHz or equivalent processor
100 MB free disk space
256 Mbytes RAM
One network adapter card
CD-ROM Drive
800 x 600 video adapter card

Minimum Requirements for SecuRemote/SecureClient

On Windows and Mac OS-X platforms, the minimum hardware requirements for installing SecuRemote/SecureClient are:

40 MB free disk space
128 MB RAM


Minimum Requirements for Eventia Reporter

The following minimum hardware requirements were designed so that the Eventia Reporter Server will be able to process a volume of about 3 GB of logs per day and generate reports according to the performance numbers limitation. If fewer logs are produced per day, you can use a machine with less CPU or memory. This may, however, degrade the performance numbers. In addition, if your machine has less physical memory you will need to change the database cache size. To do this, follow the instructions in the Eventia Reporter User Guide under the section Changing the Eventia Reporter Database Cache Size.

On Windows and Linux platforms, the minimum hardware requirements for installing Eventia Reporter are:

Intel Pentium III 1000 MHz or equivalent processor
60 MB disk space for installation
40GB disk space for database
1GB RAM
One network adapter card
CD-ROM Drive
1024 x 768 video adapter card

The following is also recommended:

Configure the network connection between the Eventia Reporter Server machine and the SmartCenter or the Log server to the optimal speed.
Use the fastest disk available with a high RPM (revolutions per minute).
Increase the machine's memory. It significantly improves performance.
It is recommended to install an uninterruptible power supply (UPS) for the Eventia Reporter Server machine.


Solaris Platforms

Minimum Requirements for VPN-1 Pro

On a Solaris platform, the minimum hardware requirements for installing a VPN-1 Pro SmartCenter Server, Enforcement Module or SmartPortal are:

UltraSPARC II
100 MB free disk space for installation
128 Mbytes RAM, 256 Mbytes recommended
One or more network adapter cards
CD-ROM Drive

Minimum Requirements for SmartConsole

On a Solaris platform, the minimum hardware requirements for installing a SmartConsole, which includes SmartDashboard, SmartView Tracker, SmartView Monitor, Eventia Reporter, SmartUpdate, SmartLSM and User Monitor, are:

UltraSPARC III
100 MB free disk space for installation
128 Mbytes RAM
One network adapter card
CD-ROM Drive
800 x 600 video adapter card

Minimum Requirements for Eventia Reporter

The following minimum hardware requirements were designed so that the Eventia Reporter Server will be able to process a volume of about 3 GB of logs per day and generate reports according to the performance numbers limitation. If fewer logs are produced per day, you can use a machine with less CPU or memory. This may, however, degrade the performance numbers. In addition, if your machine has less physical memory you will need to change the database cache size. To do this, follow the instructions in the Eventia Reporter User Guide under the section Changing the Eventia Reporter Database Cache Size.

The minimum hardware requirements for installing Eventia Reporter on a Solaris platform are:

UltraSPARC III 400MHz processor
100 MB disk space for installation
40GB disk space for database
1GB RAM
One network adapter card
CD-ROM Drive
1024 x 768 video adapter card


The following is also recommended:

Configure the network connection between the Eventia Reporter Server machine and the SmartCenter or the Log server to the optimal speed.
Use the fastest disk available with a high RPM (revolutions per minute).
Increase the machine's memory. It significantly improves performance.
It is recommended to install an uninterruptible power supply (UPS) for the Eventia Reporter Server machine.

SecurePlatform

Minimum Requirements for VPN-1 Pro

On SecurePlatform, the minimum hardware requirements for installing a VPN-1 Pro SmartCenter Server, Enforcement Module or SmartPortal are:

Intel Pentium III 300+ MHz or equivalent processor
4 GB free disk space
256 Mbytes RAM (512 Mbytes recommended)
One or more supported network adapter cards
CD-ROM Drive (bootable)
1024 x 768 video adapter card

For details regarding SecurePlatform on specific hardware platforms, see http://www.checkpoint.com/products/supported_platforms/recommended.html

Maximum Number of Interfaces Supported by Platform

The maximum number of interfaces supported (physical and virtual) is shown by platform in the following table.

Notes to Maximum Number of Interfaces Table

1) SecurePlatform and Nokia IPSO support 255 virtual interfaces per physical interface.
2) When using Dynamic Routing on SecurePlatform, 200 virtual interfaces per physical interface are supported.

Product                          Solaris UltraSPARC   Microsoft Windows   Check Point SecurePlatform   Nokia IPSO
VPN-1 Pro and Performance Pack   255                  32                  1015 (notes 1, 2)            256 (note 1)
ClusterXL                        255                  32                  1015 (notes 1, 2)            256 (note 1)

Minimum Software Requirements

Solaris Platform

Required Packages

SUNWlibc
SUNWlibCx
SUNWter
SUNWadmc
SUNWadmfw

Required Patches

Check Point recommends using the Sun Install Check Tool to check the patch level of your Solaris machines. The Sun Install Check Tool is available on the Sun download site at http://www.sun.com/software/installcheck/download.xml . Use the tool to make sure your Solaris machines have the following or newer patches.

Solaris 8: the following patches (or newer) are required on Solaris 8 UltraSPARC platforms:

Number      System   Notes
108528-18   All      If the patches 108528-17 and 113652-01 are installed, remove 113652-01, and then install 108528-18.
110380-03   All
109147-18   All
109326-07   All
108434-01   32 bit
108435-01   64 bit

Solaris 9: the following patches (or newer) are required on Solaris 9 UltraSPARC platforms:

Number      System   Notes
112233-12   All
112902-07   All
116561-03   All      Only if dmfe(7D) ethernet driver is defined on the machine

To verify that you have these patches installed use the command:

showrev -p | grep

The patches can be downloaded from: http://sunsolve.sun.com. Install the 32-bit patches before installing 64-bit patches.
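The manual check above is one `showrev -p | grep` per patch. As an added example (not part of the release notes), the following POSIX shell script parses `showrev -p` output once, reports which of the required Solaris 8 patches are missing or older than the required revision ("or newer" is compared numerically on the revision suffix), and flags the 108528-17 / 113652-01 conflict from the table. The `showrev -p` lines embedded here are a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Added example: verify Solaris 8 patch levels against the release notes' table.
# A required entry "108528-18" means patch 108528 at revision 18 or newer.

# Required patch IDs and minimum revisions for Solaris 8 (from the notes' table).
REQUIRED_SOLARIS8="108528-18 110380-03 109147-18 109326-07 108434-01 108435-01"

# Constructed sample shaped like showrev -p output ("Patch: <id>-<rev> ...").
# It deliberately has 108528 one revision too old, 108435 absent, and the
# 113652-01 patch present, so every branch below is exercised.
SAMPLE_SHOWREV='Patch: 108528-17 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 113652-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 110380-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
Patch: 109147-19 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109326-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 108434-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWlibC'

# installed_rev <showrev output> <patch id>
# Prints the highest installed revision of <patch id>, or -1 if it is not installed.
installed_rev() {
    printf '%s\n' "$1" | awk -v id="$2" '
        BEGIN { best = -1 }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == id && (p[2] + 0) > best) best = p[2] + 0
        }
        END { print best }'
}

# missing_patches <showrev output> <required list>
# Prints one line per required patch that is absent or below the required revision.
missing_patches() {
    out=$1
    for req in $2; do
        id=${req%-*}
        minrev=${req#*-}
        have=$(installed_rev "$out" "$id")
        if [ "$have" -lt "$minrev" ]; then
            if [ "$have" -lt 0 ]; then
                printf '%s missing\n' "$req"
            else
                printf '%s installed revision %s is older than required\n' "$req" "$have"
            fi
        fi
    done
}

# check_patches <showrev output> <required list>
# Exit status 0 when every required patch is at or above its required revision.
check_patches() {
    [ -z "$(missing_patches "$1" "$2")" ]
}

# needs_113652_removal <showrev output>
# True when the table's special case applies: 108528-17 and 113652-01 are both
# installed, so 113652-01 must be removed before 108528-18 is installed.
needs_113652_removal() {
    [ "$(installed_rev "$1" 108528)" -eq 17 ] && [ "$(installed_rev "$1" 113652)" -ge 1 ]
}

# Stand-alone run against the constructed sample; on a real host, pass "$(showrev -p)".
missing_patches "$SAMPLE_SHOWREV" "$REQUIRED_SOLARIS8"
needs_113652_removal "$SAMPLE_SHOWREV" && echo "remove 113652-01 before installing 108528-18"
```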

Windows Platform

This release requires that Service Packs be applied to Windows 2000 systems. This release supports Windows 2000 Service Packs SP1, SP2, SP3, and SP4. The release also supports Windows 2003 and Windows 2003 SP1.

Linux Platform

This release supports Red Hat Enterprise Linux 3.0. For Red Hat kernel installation instructions, visit: http://www.redhat.com/support/resources/howto/kernel-upgrade .

Nokia Platform

This release supports IPSO 3.9.

The Regular Expression (RX) Library

NGX (R60) uses the RX Library. The library license agreement (LGPL) can be downloaded from: http://www.checkpoint.com/techsupport/downloads/docs/firewall1/r55/GNU_LGPL.pdf.

Resolved Limitations

In This Section

Firewall page 10
SmartCenter page 11
VPN page 13
VPN-1 Edge page 13
SmartUpdate page 13
SecuRemote/SecureClient page 13
SecurePlatform page 14
VSX page 14
ClusterXL page 14
SSL Network Extender page 15

This section contains limitations that were published as release notes with NG with Application Intelligence (R55) and now stand as resolved in NGX (R60). They are presented in their original format, stressing the limitation, yet should be understood as resolved.

Firewall

Installation

1) On Windows platforms, the SNMP service must be stopped before uninstalling VPN-1 Pro. If the SNMP service is running, a message regarding locked files is displayed.

2) In order to install the SmartCenter Applications on Windows NT, use the installation executable instead of the installation wrapper.

SmartDashboard, Motif GUI

3) After resetting to default, the update time and version are no longer displayed on the top side of the General page. However, these update details can still be seen on the bottom half of the General page.

Platform Specific Solaris

4) SUN's Gigaswift network driver is not supported when using ClusterXL in a VLAN tagging configuration.


Directional Rule Match

5) A user group may be placed in the Destination column in the Security Rule Base only if the Remote Access community appears in the "to" part of the VPN column in a new Directional VPN rule (for example, VPN column = Any > RemoteAccess). If the Remote Access community is used alone (for example, in a non directional form), this will not work.

SmartCenter

Upgrade, Backout, and Backward Compatibility

1) When upgrading to a new machine using the Import or Export utilities, and SecurID is being used for authentication, and the new SmartCenter Server has the same IP address as the original SmartCenter Server, use the following instructions to retain both user and administrator authentication:

For Windows Platforms

If the environment variable %VAR_ACE exists, copy the file %VAR_ACE\sdconf.rec from the original machine to the new machine. Otherwise, copy the file %WINDIR\system32/sdconf.rec from the original machine to the new machine. In addition, copy the registry key HKLM > SOFTWARE > SDTI > ACECLIENT > NodeSecret from the original machine to the new machine.

For Unix Platforms

If the environment variable $VAR_ACE exists, copy the files $VAR_ACE/sdconf.rec and $VAR_ACE/securid from the original machine to the new machine. Otherwise, copy /var/ace/sdconf.rec and /var/ace/securid from the original machine to the new machine.

2) When installing the R55W Add-On on a standalone machine (in other words, it is deployed with both the SmartCenter Server as well as the VPN-1 Pro Gateway), the local gateway remains of version R55. You should use the Upgrade Tool to upgrade the local gateway from version R55 to version R55W. Refer to the Getting Started Guide for more information.

Policy Installation

3) Policy installation issues on a VPN-1 Edge/Embedded Gateway when a rule contains a Cluster object in its source or destination. As a workaround, create a node object with the IP address of the cluster object, and use the node object instead of the cluster object in the rule.


SmartCenter Server

4) When using rules with resources, avoid installing them on VPN-1 Edge/Embedded profiles. Resources are not supported with VPN-1 Edge/Embedded appliances.

Management High Availability

5) When adding a new Secondary Management, the machine should be synchronized once manually before it starts synchronizing automatically.

6) When creating a Management High Availability environment, all peers must be installed with the same products. If one product is installed on one peer but not on the other, product information may be lost and the product may not function properly.

7) When using Management High Availability, all SmartCenter servers must be installed with the same version. This also applies if your SmartCenter servers were created with the R55W add-on; if one of the SmartCenter servers is installed with the R55W add-on, the others should be as well.

Platform Specific Nokia

8) In order to manage QoS modules from a Nokia SmartCenter, you need to enable QoS in Voyager on SmartCenter. Telnet into the Nokia SmartCenter and perform cpstop and cpstart (or reboot). In cpstop, you can safely ignore the message etmstop: Module not loaded. When you run cpstart on SmartCenter, you can safely ignore the message FloodGate-1: This is a Management Station. No QoS Policy will be Loaded.

Note: Trying to install a QoS policy on a module before executing these steps on SmartCenter will fail and produce the error message: Failed to start uninstall/install operation.

Miscellaneous

9) In demo mode, when launching SmartLSM through SmartDashboard, no predefined ROBO Gateway objects are shown in SmartLSM, and no SmartLSM Profile objects can be created in SmartDashboard.

SmartConsole Applications

10) On the Motif platform, in SmartDashboard, there are issues when adding or editing Default community strings in SNMP in SmartDefense. Use the dbedit utility to add or edit entries. The entries are contained in the asm table: AdvancedSecurityObject and snmp_protection\snmp_default_communities_list.

OPSEC

11) OPSEC applications that read logs using LEA may fail if the network objects database contains more than 2000 objects.


VPN

VPN Communities

1) Excluded Services are not supported with VPN Communities that contain VPN-1 Edge devices.

PKI, PKCS

2) Entrust CAs are defined as OPSEC CAs, and can be configured to support CMP automatic enrollment. In upgrade, Entrust CAs are changed to be OPSEC CAs.

VPN-1 and SecuRemote/SecureClient Issues

3) The combination of using multiple external interfaces (route through different interfaces) for SecuRemote/SecureClient and ClusterXL pivot mode is not supported.

4) MACROs have been added to cp.macro for SecureClient on MAC OS, and SecureClient with Integrity. The cp.macro file should be replaced under $CPDIR/conf on the Management.

VPN-1 Edge

1) Policy installation issues on a VPN-1 Edge/Embedded Gateway when a rule contains a Cluster object in its source or destination. As a workaround, create a node object with the IP address of the cluster object, and use the node object instead of the cluster object in the rule.

SmartUpdate

1) SmartUpdate does not support upgrading remote devices to versions other than that of the management server.

SecuRemote/SecureClient

Connectivity

1) If SecureClient receives an IP address on a subnet on which the cluster also has an interface, SecureClient will not survive a failover from one cluster member to another. When the cluster fails over to another member, the MAC address is reset to the MAC address of the active cluster member. Once SecureClient receives an Office Mode address from the gateway, SecureClient can no longer discover the MAC address of the cluster. This means that SecureClient cannot update the MAC address when the MAC address of the cluster member changes. SecureClient continues to send packets to the MAC address of the now inactive cluster member.


SecurePlatform

General

1) Starting with this release, the SecurePlatform restricted shell allows using the '/' symbol with ifconfig and route commands. This allows defining networks with CIDR notation (e.g., 10.10.0.0/16).

2) If you physically replace a NIC card in a machine with SecurePlatform, the order of the NICs may change. Make sure that you verify that the NICs are mapped and connected according to your needs.

3) Some models of Intel PRO/1000 cards may have performance issues when used under high load and/or in ClusterXL setup. The symptoms include log messages (in /var/log/messages) about NICs being reset via watchdog, or, in other cases, NICs stopping transmitting the traffic. Please contact Check Point technical support to resolve those issues.

WebUI

4) The character % should not be specified when defining a password.

VSX

1) Virtual Device names are limited to 64 characters. When creating a new Virtual Device, the name of the device is composed of the new Virtual Device name, the VSX box name, and the cluster member name. This name should not exceed 64 characters.

2) Each Virtual System/Router can have up to 30 interfaces.

ClusterXL

Platform Specific Solaris

1) SUN's Gigaswift network driver is not supported when using ClusterXL in a VLAN tagging configuration.

2) In a Solaris cluster configuration, one or more of the following may occur:

The kernel message ERROR_ACK for DL_ENABMULTI_REQ during the boot process.
The message no interface information during or after the boot process.
An interface has the flag MULTI_BCAST in ifconfig.
An interface starts, possibly once every several boots, in the down state.
The message ar_entry_query: Could not find the ace for source address during or after the boot process.


As a result of these issues, the cluster does not process packets on the problematic interface.

VPN-1 and SecuRemote/SecureClient Issues

3) The combination of using multiple external interfaces (route through different interfaces) for SecuRemote/SecureClient and ClusterXL pivot mode is not supported.

Crossbeam

4) On a Crossbeam box, where an external circuit is defined as the sync network, the wrong Unicast MAC is used when forwarding IKE packets between members. This may cause key-exchanges to fail.

Supported Features

5) When a SecureXL host and a ClusterXL gateway are both located on the same network, and the ClusterXL gateway is either in High Availability or Load Sharing Unicast mode, the SecureXL host may not recognize a failover performed by the ClusterXL gateway. A workaround is to place a router between the gateways.

Load Sharing

6) ISP redundancy is supported in Load Sharing Unicast mode only when working over SecureXL or Performance Pack.

SSL Network Extender

1) SSL Network Extender is not supported on ClusterXL in Load Sharing mode.


Clarifications and Limitations

In This Section

Firewall page 17
SmartCenter page 28
VPN page 40
VPN-1 Edge/Embedded page 50
VSX page 52
SecuRemote/SecureClient page 55
SecurePlatform page 60
SmartLSM page 68
SmartUpdate page 70
SmartView Monitor page 72
Eventia Reporter page 73
ClusterXL page 77
SecureXL page 88
Performance Pack page 88
SSL Network Extender page 90
QoS page 92
UserAuthority Server page 93
OPSEC page 94
InterSpect page 94


Firewall

In This Section

Installation, Upgrade and Backward Compatibility page 17
Platform Specific SecurePlatform page 18
Platform Specific Nokia page 18
Platform Specific Windows page 19
Platform Specific Solaris page 19
Platform Specific Linux page 20
Load Sharing page 20
NAT page 20
Authentication page 21
Security Servers page 21
Services page 23
IPv6 page 23
SmartConsole & SmartConsole Applications page 24
ISP Redundancy page 24
Logging page 25
Policy Installation page 25
OSE page 26
SAM page 26
Dynamically Assigned IP Address (DAIP) Modules page 26
Miscellaneous page 26
VoIP page 26

Installation, Upgrade and Backward Compatibility

1) Manual configurations of the file fwauthd.conf (e.g., in.ahttpd configuration for the generic TCP Security Server) are not preserved during upgrade and the changes should be reapplied.

2) When upgrading from earlier NG Feature Packs, the SYNDefender configuration moves to a global configuration in SmartDefense and defaults to off. If a per-module configuration is desired, uncheck Override modules' SYNDefender configuration under TCP > SYN Attack Configuration in SmartDefense settings.


    3) Prior to NG with Application Intelligence (R54), setting the SmartDefense feature Max

    URL length to 0would drop all connections. Since R54, setting the parameter to 0

    disables this protection.

    4) When the Web Intelligence General HTTP Worm Catcher is enabled, policy installationon modules running NG FP1 cannot be performed. In order to install the policy, you

    should either remove the NG FP1 modules from the list ofPolicy Installation Targets,

    or alternatively disable the General HTTP Worm Catcher.

    5) When the Web Intelligence General HTTP Worm Catcher is enabled, policy installation

    on modules running NG FP3 prior to HotFix-2 cannot be performed. In order to

    install the policy, you should upgrade the module to NG FP3 HotFix-2.

    6) In modules that pre-date version NG with Application Intelligence R55W, the Web

    Intelligence defenses HTTP Format Sizes, ASCII Only Request, General HTTP Worm

    Catcher only support the protection scope apply to all HTTP connections; therefore, if

    one of these defenses is configured with protection scope apply to selected web servers

    and is installed on an older module, the protection scope apply to all HTTP connections

    will be applied on this module.

    7) During upgrade of a cluster member from a pre-NGX (R60) version to NGX (R60)and higher versions, the following message may appear on the console: FW-1:

    fwlddist_put: bad operation received from higher version. This message can be

    safely ignored.

    Platform Specific SecurePlatform

    8) Virtual interfaces are not supported on the Enforcement Module on Linux and

    SecurePlatform operating systems.

    Platform Specific Nokia

    9) When the SmartDefense TCP Sequence Verifier feature is enabled and SecureXL is on or Flows acceleration is enabled, a message appears when you install a policy from SmartDashboard, and the Sequence Verifier feature is not enforced.

    For SecureXL, the message displayed is: Warning: This Gateway supports SecureXL traffic acceleration. TCP Sequence Verifier (SmartDefense) will not be enforced on accelerated connections. To allow Sequence Verification, turn off acceleration on the Gateway by running cpconfig.

    For Flows acceleration, the message is: Flows: TCP Sequence Verifier acceleration is not supported on the Gateway.

    To turn off the TCP Sequence Verifier instead of acceleration, select the SmartDefense tab > Network Security > TCP and deselect Sequence Verifier.


    Platform Specific Windows

    10) VPN-1 Pro limits its memory allocations to a certain percentage of the available non-paged memory. This limit affects the number of concurrent connections that the Enforcement Module can handle, and is intended to leave the rest of the system enough memory for smooth operation. The default limit can be changed to suit the system configuration. In Windows the limit can be set by setting the MaxNonPagedPoolUsage value (DWORD) in the registry (under


    20) On Solaris platforms with a qlc driver and the kernel memory allocator debugging functionality enabled, the system may experience instability. In this case, install Solaris patch 113042-10 or higher.

    Platform Specific Linux

    21) New interfaces that are added after the Enforcement Module is started (e.g., a PPP interface) are not displayed by the fw stat -l command. Use the fw ctl iflist command instead.

    22) When NIS is enabled for resolving network services, Check Point processes may leak memory because of a memory leak in libc 2.2.4. A workaround is to disable NIS resolving (remove nis and nisplus from the services: line in /etc/nsswitch.conf).

    23) ATM and ISDN interfaces are not supported.

    Load Sharing

    24) When employing SecurID for authentication, it is recommended to define each cluster member separately on the ACE/Server with its own unique (internal) IP address. In addition, so that packets are sent to the ACE/Server from the members' unique IP addresses and not from the VIP address, edit the file table.def, located in $FWDIR/lib. Change the line starting with no_hide_services_ports to include the SecurID service, for example no_hide_services_ports = { <5500, 17> }, where 5500 is the service port and 17 (UDP) is the protocol.

    NAT

    25) Microsoft Exchange Outlook client UDP new mail notification does not work with Hide NAT on the client. For the new mail notification, both the Client and the Server need to be in both the Source and the Destination cells of the rule:

        Source          Destination     Service     Action
        Client, Server  Server, Client  MSExchange  Accept

    In the $FWDIR/lib/exchange.def file, enable this notification by setting #define ALLOW_EXCHANGE_NOTIFY (as stated in the file comments).

    26) OSE objects cannot be used in NAT rules. The workaround is to define regular node objects with the same addresses and to use them instead.

    27) Automatic ARP is not supported with IP Pool NAT.


    Authentication

    28) When performing manual client authentication (using port 900) to a cluster where the members' IP addresses are not routable, the URLs returned in the HTML from the replying cluster member contain the member's own non-routable IP address instead of the cluster IP address, and subsequent operations fail. The workaround is to configure the cluster to use a domain name instead of an IP address in the client authentication HTML pages, using the ahttpclientd_redirected_url global property. Make sure that your DNS servers resolve this domain name to the IP address of the cluster.

    29) After changing the sdconf.rec file on a FireWall-1 module (needed for SecurID authentication), you must restart the FireWall-1 services by running cpstop and cpstart for the new configuration to take effect.

    30) Client Authentication will fail if the VPN-1 Pro machine name is configured with a wrong IP address in the hosts file.

    31) Clientless VPN with the Action Client Auth is not supported if the web server object is in the destination cell. The workaround is to add the gateway to the destination cell.

    32) When using a SmartDirectory server for internal password authentication, if the account lockout feature is disabled the Firewall will not attempt to modify the user's login failed count and last login failed attributes on the SmartDirectory server. This improves overall performance and eliminates unnecessary SmartDirectory modify errors when using SmartDirectory servers that do not have these attributes defined because the Check Point SmartDirectory schema extension was not applied on the server.

    33) Issues may arise when using automatic or partially automatic client authentication for HTTP on Load Sharing clusters (both ClusterXL and OPSEC clusters). A workaround is to define a decision function based only on IP addresses so that connections can open. For ClusterXL, go to the ClusterXL tab > Load Sharing > Advanced and select IPs only. For OPSEC clusters, refer to the product documentation for more information.

    34) Definition of nested RADIUS Server groups is not supported.

    Security Servers

    35) The HTTP Security Server handles a proxied or tunneled connection request differently than earlier FireWall-1 versions. Beginning with FireWall-1 NG FP2, such requests are not allowed if they match an Accept rule. They are still allowed if the request matches an Authentication or a Resource rule. This change was made to harden security and prevent a CONNECT from looping to the Security Server and then on to another destination.


    In R54, FTP over HTTP proxy connections were allowed when using User Authentication even if they were not explicitly allowed by a rule in the Security Policy. In NGX (R60), to further harden security, these connections are not allowed by default unless there is an explicit rule (using a URI Resource) that allows them. If you wish to revert to the old behavior, refer to SecureKnowledge solution sk14608.

    36) When using SMTP resources to filter files by their filename, an incorrect log message is generated stating: Forbidden MIME attachment stripped.

    37) UFP counters available via cpstat fw -f ufp give incorrect values.

    38) If web browsers are configured to use an IP address for their proxy (instead of a hostname), the next proxy definition of the HTTP Security Server must also use the same IP address. If the next proxy definition is a hostname, connections using an IP address will not be allowed to the proxy. It is recommended to use only hostnames in the browser configuration.

    39) Outlook Web Access is not supported with User Authentication.

    40) When a field in a URI specification file is too long, the Security Server exits when trying to load the file. Under load, the Firewall daemon (FWD) reloads the Security Server, which then exits again. After a certain time, cores are dumped.

    41) Client authentication with agent automatic sign on is supported with all rules, with two exceptions:
    - rules that use an HTTP resource;
    - rules where the destination is a web server.

    42) When using the HTTP Security Server in proxy mode (HTTP Tunneling), connections may be encrypted over port 80 (e.g., the first command is in the clear and subsequent requests are in SSL). SmartDefense will block these connections and generate the following log entry: Binary character in request. To enable such connections, change the global property asm_http_allow_connect to True. Note that this change will cause SmartDefense to stop examining these connections once an HTTP CONNECT command is detected in the proxied connection.

    43) When using SOAP filtering in the HTTP Security Server, the SOAP scheme file supports all forms of namespaces and methods; however, the feature is not supported if a method has no namespace at all.

    44) Security Servers are not supported with Sequence Verifier in Load Sharing Cluster environments.


    Services

    45) No warning is generated when a policy containing services with Keep connections open after Policy has been installed checked is installed on NG FP3 modules. Such services are enforced according to the default behavior on these modules.

    46) When CIFS resources are used in rules with policy targets in their Install On fields, policy installation on NG FP3 modules may succeed without warning, although CIFS resource filtering is not supported on these modules.

    47) A service using the FTP_BASIC protocol type cannot be used with the FTP Security Server.

    48) When using T.120 connections, make sure to manually add a rule that allows T.120 connections.

    49) When Hide NAT is performed on a VPN-1 gateway, Real Time Streaming Protocol (RTSP) sessions are dropped. A workaround is available to resolve this issue:
    a. Change to the $FWDIR/lib/ directory.
    b. Back up the current rtsp.def file.
    c. Edit the file rtsp.def.
    d. Uncomment the line //#define RTSP_C_TO_S_DATA so that it reads #define RTSP_C_TO_S_DATA.
    e. Install a Security Policy.
    Note that after this workaround, an RTSP session initiated within 60 seconds of a previous RealNetworks Data Transport (RDT/RTSP) session that used the same port number will have its packets dropped.

    IPv6

    50) Discovery traffic is enabled by default on IPv6 enabled modules. To disable it, edit the file $FWDIR/lib/implied_rules.def and comment out the line #define ACCEPT_DISCOVERY 1.
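The edits in items 22, 24, 49 and 50 all follow one pattern: back up a file under $FWDIR/lib (or /etc/nsswitch.conf), change a single line, verify the change, then install the Security Policy. The script below is an added example written for these notes; it is not Check Point code and not a supported tool, and its function names (backup_file, set_define, define_state, add_no_hide_port, drop_nis_from_services) are its own. It assumes, beyond what the page states, that INSPECT .def files use C-style // comments and #define lines and that no_hide_services_ports is a set of <port, proto> tuples. The demonstration at the end runs against constructed sample files in a scratch directory, not real gateway files.

```shell
#!/bin/sh
# Added example for items 22, 24, 49 and 50: shell helpers that make the
# described $FWDIR/lib/*.def and /etc/nsswitch.conf edits on a backup-first
# basis and verify the result. Illustrative code, not a Check Point utility;
# the function names are this example's own. Assumptions not stated on the
# page: INSPECT .def files use C-style "//" comments and "#define" lines, and
# no_hide_services_ports is a set of <port, proto> tuples.
# Install the Security Policy afterwards; *.def is read at compile time only.

# backup_file FILE: copy FILE to FILE.bak.<epoch> (permissions preserved)
backup_file() {
    bak="$1.bak.$(date +%s)"
    cp -p "$1" "$bak" && printf '%s\n' "$bak"
}

# define_state FILE NAME: print "on" (#define NAME active), "off"
# (//#define NAME commented out) or "missing". Used to verify an edit.
define_state() {
    awk -v name="$2" '
        { line = $0; sub(/^[ \t]+/, "", line)
          c = (line ~ /^\/\/[ \t]*#define[ \t]+/)
          if (c) sub(/^\/\/[ \t]*/, "", line)
          if (line ~ /^#define[ \t]+/) { split(line, w, /[ \t]+/)
              if (w[2] == name) { print (c ? "off" : "on"); found = 1; exit } } }
        END { if (!found) print "missing" }' "$1"
}

# set_define FILE NAME on|off: uncomment (item 49) or comment out (item 50)
# the #define line for NAME. Only a line that *is* the define is touched, so
# a macro with a longer name (NAME_EXTRA) or a mention of NAME elsewhere
# is left alone.
set_define() {
    f="$1" name="$2" mode="$3"
    case "$mode" in on|off) ;; *) echo "set_define: mode must be on or off" >&2; return 2 ;; esac
    backup_file "$f" >/dev/null || return 1
    awk -v name="$name" -v mode="$mode" '
        { line = $0; sub(/^[ \t]+/, "", line)
          c = (line ~ /^\/\/[ \t]*#define[ \t]+/)
          if (c) sub(/^\/\/[ \t]*/, "", line)
          if (line ~ /^#define[ \t]+/) { split(line, w, /[ \t]+/)
              if (w[2] == name) {
                  if (mode == "on") { print line; next }
                  else              { print "//" line; next } } }
          print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# add_no_hide_port FILE PORT PROTO (item 24): add <PORT, PROTO> to the
# no_hide_services_ports set in table.def without dropping existing members.
add_no_hide_port() {
    f="$1" t="<$2, $3>"
    grep -q '^no_hide_services_ports[[:space:]]*=' "$f" || { echo "no_hide_services_ports not found in $f" >&2; return 1; }
    grep '^no_hide_services_ports' "$f" | grep -q "<$2, *$3>" && return 0   # already present
    backup_file "$f" >/dev/null || return 1
    awk -v t="$t" '
        /^no_hide_services_ports[ \t]*=/ {
            if ($0 ~ /[{][ \t]*[}]/) sub(/[{][ \t]*[}]/, "{ " t " }")   # empty set
            else sub(/[ \t]*[}]/, ", " t " }")                          # append member
            print; next }
        { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# drop_nis_from_services FILE (item 22): remove nis and nisplus from the
# "services:" line only; passwd, hosts and the other databases are untouched.
drop_nis_from_services() {
    f="$1"
    backup_file "$f" >/dev/null || return 1
    awk '
        /^[ \t]*services:/ {
            out = $1
            for (i = 2; i <= NF; i++) if ($i != "nis" && $i != "nisplus") out = out " " $i
            print out; next }
        { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Demonstration on constructed sample files in a scratch directory; the
# contents are made up for the example and are not real gateway files.
demo=$(mktemp -d)
printf '%s\n' '// constructed rtsp.def' '//#define RTSP_C_TO_S_DATA' '#define RTSP_C_TO_S_DATA_EXTRA' > "$demo/rtsp.def"
printf '%s\n' '#define ACCEPT_DISCOVERY 1' > "$demo/implied_rules.def"
printf '%s\n' 'no_hide_services_ports = { <500, 17> };' > "$demo/table.def"
printf '%s\n' 'passwd:   files nis' 'services: files nis nisplus [NOTFOUND=return]' > "$demo/nsswitch.conf"
set_define "$demo/rtsp.def" RTSP_C_TO_S_DATA on
set_define "$demo/implied_rules.def" ACCEPT_DISCOVERY off
add_no_hide_port "$demo/table.def" 5500 17
drop_nis_from_services "$demo/nsswitch.conf"
echo "RTSP_C_TO_S_DATA: $(define_state "$demo/rtsp.def" RTSP_C_TO_S_DATA)"
echo "ACCEPT_DISCOVERY: $(define_state "$demo/implied_rules.def" ACCEPT_DISCOVERY)"
cat "$demo/rtsp.def" "$demo/table.def" "$demo/nsswitch.conf"
```

The matching is deliberately narrow: a define is recognised only when the whole macro name matches, so enabling RTSP_C_TO_S_DATA does not touch a hypothetical RTSP_C_TO_S_DATA_EXTRA, and the nsswitch edit touches only the services: database, since items 22's leak concerns service lookups and removing nis from passwd or hosts would change authentication and name resolution on the gateway. On a real gateway the edit takes effect only after the next policy installation.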

    51) When connecting to the IPv4-compatible IPv6 address of VPN-1 Pro (::w.x.y.z, for example), the following appears on the console: Jan 14 09:37:32 shif [LOG_CRIT] kernel: fw_filterin: 0 unknown interface. This message can be safely ignored in such configurations. To prevent the message from appearing, run this command: modzap _fw_verbose_unknown_if $FWDIR/boot/modules/fwmod.o 0x0 and reboot.

    52) Because IPv6 is not supported for Security Servers, enabling Configuration apply to all connections under SmartDefense's FTP Security Server settings causes FTP (as well as HTTP and SMTP) connections over IPv6 to be rejected, and no log is generated.


    53) The command fw6 unload localhost unloads both the IPv6 and IPv4 policies, although it should unload only the IPv6 policy.

    54) In IPv6 logs, IPv6 address resolving is not supported in SmartView Tracker.

    55) Anti-spoofing is currently not supported with IPv6.

    56) Boot policy is not supported on IPv6 enabled modules.

    57) The content of IPv6-in-IPv4 tunnels (IPv4 protocol 41) passing through VPN-1 Pro is not inspected.

    58) CPMAD functionality is not supported with the IPv6 protocol.

    59) SmartDefense's ping size property is not enforced on ICMPv6 echo request packets.

    60) IPv6 packets with extension headers that are not explicitly allowed by editing the table.def INSPECT script are dropped without being logged.

    61) The Remote Shell (RSH) protocol is not supported for IPv6.

    SmartConsole & SmartConsole Applications

    62) Firewall implied rules for GUI Clients are not matched when a wildcard is used (e.g., 1.1.*.*). As a result, connections from GUI Clients to the SmartCenter Server may be blocked if there is a VPN-1 Pro module between them. Single IP definitions (e.g., 1.1.1.1) are supported. When specifying GUI Clients in any format other than a single IP address, add an explicit rule in the Rule Base allowing the GUI Clients to connect to the SmartCenter Server.

    63) When a client connects with SmartDashboard to SmartCenter and performs a SmartDefense online update, a second client connecting with SmartDashboard to the same SmartCenter will see the new protections but not the new HTML descriptions. The situation is resolved by the second client logging out and logging in again.

    A similar behavior may occur with the Silent Post-install Update. If new protections were added in that package, the second client that logs in will not see the respective new HTML descriptions. The workaround is the same (the client should log out and log in again).

    ISP Redundancy

    64) When using the ISP load sharing configuration, outgoing traffic that passes through a Security Server is not load-shared, and passes through a single ISP (the default route). If this ISP fails, new connections are opened through the second ISP.

    65) ISP redundancy is not supported in a ClusterXL Different subnets configuration. This means the IP address of the cluster must be on the same subnet as the cluster members' real IP addresses.


    66) In a ClusterXL configuration, the names of the external interfaces of all cluster members must be identical and must correspond in turn to the names of the external interfaces of the cluster object. For example, if the cluster object has two external interfaces called eth0 and eth1 connected to ISP-1 and ISP-2 respectively, each cluster member must have two external interfaces called eth0 and eth1 connected to ISP-1 and ISP-2 respectively.

    67) If the ISP redundancy feature is enabled over a PPPoE or PPTP interface, the MTU of any other external Ethernet interface should be lowered to match the MTU of the PPPoE/PPTP interface. For example, if eth1 is an external Ethernet interface and eth0 is an Ethernet interface over which a PPPoE interface called pppoe0 is defined, the MTU of eth1 should match the MTU of pppoe0.

    On SecurePlatform this can be achieved by logging on to the box and running:
        ifconfig ethX mtu newMTU
        ifconfig --save
    where ethX is the name of the external Ethernet interface and newMTU is the MTU of the PPPoE/PPTP interface. This change is persistent across boots.

    Notes:
    a. The MTU of the PPPoE/PPTP interface can be obtained on SecurePlatform by running ifconfig pppXXX, where pppXXX is the name of the PPPoE/PPTP interface.
    b. In the example above, the MTU of eth0 (the Ethernet interface carrying the PPPoE session) should not be changed.

    68) ISP redundancy cannot be used in conjunction with SynDefender.

    69) ISP redundancy, when working in conjunction with SecureXL, has the following limitations:
    - Some connections passing through interfaces configured with ISP redundancy are not accelerated, while other connections (for example, an internal connection to a DMZ) are accelerated and are not affected by this limitation.
    - ISP redundancy over PPTP and PPPoE interfaces is not supported.

    Logging

    70) FTP data connections may appear in the Active connections view in SmartView Tracker even after these connections have been terminated.

    Policy Installation

    71) When installing a policy on a module, the policy installation log may record anti-spoofing warning messages from modules not included in the installation that do not have anti-spoofing configured.


    72) Policy installation may fail when there are 70 or more dynamic objects.

    OSE

    73) For Cisco routers, make sure that the host names are resolvable by DNS or by the hosts file.

    SAM

    74) A Suspicious Activity Monitor (SAM) rule will fail for a remote Gateway if the SmartCenter Server is also a VPN-1 Pro enforcement module and no policy has been installed on it since the remote Gateway was added.

    Dynamically Assigned IP Address (DAIP) Modules

    75) The fw tab command on a SmartCenter Server is not supported.

    Miscellaneous

    76) Token ring adapters are not supported.

    77) The TCP Sequence Verifier is not supported with clusters using asymmetric routing.

    78) The Accept VPN-1 & FireWall-1 control connections Implied Rules setting applies to a SmartCenter server object in specific cases only:
    - to the primary IP defined for this object, and
    - only if there are interfaces defined in its Topology tab.
    This may create connectivity problems when trying to install policies (or perform other operations included in the control connections). The workaround is to define explicit rules that allow connectivity to the SmartCenter object.

    79) When executing the command fw tab -u -f -t connections, error messages such as FW-1: fwkbuf_length: invalid id number XXXX and Table kbufs - Invalid handle 6a6b8803 (bad entry) can be safely ignored. To avoid these messages, use the command fw tab -u -t connections instead.

    VoIP

    80) MSN Messenger version 5 is not supported. Additionally, there are a few known issues regarding MSN Messenger when employing Hide NAT:
    - When running SIP and the data connection tries to open MSN Messenger connections on hidden networks, the connection fails.
    - While audio and video each work separately, they cannot be run concurrently.


    81) When using the SIP protocol and a security rule uses the Action reject to block high_udp_ports (RTP ports, the data connection), the incoming audio is rejected as well. A workaround is to use the Action drop in place of reject.

    82) When an H.323 IP phone that is not part of a handover domain tries to establish a call, the call attempt is blocked and the following message appears on the console: FW-1: fw_conn_inspect: fwconn_chain_lookup failed. If you want to allow this phone to make calls, add it to the handover domain, and the error message will no longer appear. Note that this console message may appear in other (non-VoIP) scenarios as well.

    83) In some cases, when a user closes an MSN Messenger application (such as Whiteboard), the application will not close automatically on the remote end. The remote user will need to close the application manually.

    84) When the SIP proxy is in the DMZ, whiteboard and application sharing will not open between external and internal messengers.


    SmartCenter

    In This Section

    Installation, Upgrade, and Backward Compatibility page 28
    SmartDirectory page 31
    SmartDashboard page 32
    Policy Installation page 33
    VPN Communities page 33
    SmartConsole Applications page 34
    High Availability page 35
    Logging page 36
    Monitoring page 36
    Management High Availability page 37
    Trust Establishment (SIC) page 37
    Platform Specific Windows page 38
    Platform Specific Nokia page 38
    OPSEC page 38
    Miscellaneous page 38
    OSE page 39
    Dynamically Assigned IP Address (DAIP) Modules page 39
    SmartPortal page 39

    Installation, Upgrade, and Backward Compatibility

    1) If the AMON private schema was previously imported using the amon_import tool, it needs to be re-imported after the upgrade.

    2) When using the Upgrade Export and Import utilities on the Windows platform, the machine should be connected to the network. Alternatively, a connector can be used to simulate a connection. Refer to SecureKnowledge solution sk19840 for more information on how to simulate a network connection during an upgrade.

    3) After upgrading SmartCenter, open the SmartUpdate GUI and, from the Packages menu, select Get Data from All to retrieve the installed packages information from the remote modules.


    9) Check Point 4.1 gateways and embedded devices are no longer supported with this release. After upgrading the SmartCenter Server to NGX (R60), these objects will remain, but you will not be able to install policy on them.

    10) VPN-1 Net is no longer supported.

    11) After upgrading SmartCenter, but before upgrading the gateways, SecurID users may not be able to connect. A workaround is detailed in SecureKnowledge solution sk17820. This solution should be implemented in the compatibility package directories as well:
    For NG gateways (NG FCS - R55):
        Unix: /opt/CPngcmp-R60/lib/
        Windows: C:\Program Files\CheckPoint\NGCMP
    For R55W gateways:
        Unix: /opt/CPR55Wcmp/lib
        Windows: C:\Program Files\CheckPoint\R55WCmp\lib

    12) When upgrading a SmartCenter server on Solaris, Linux and SecurePlatform, the following upgrade options are displayed:
        1.( ) Upgrade installed products and install new products.
        2.( ) Upgrade installed products.
    Be sure to select option 2 only. New products should be installed only after completing the upgrade of installed products. After completing the upgrade, run the installation program again to add more products.

    13) When upgrading SmartCenter with a duplicate machine on the Windows platform, the following message may appear after selecting Import configuration file: Failed to import configuration. Imported configuration file does not contain the correct data. The problem is resolved by either removing gzip.exe from the environment path or removing the file altogether.

    14) When upgrading a SmartCenter Server with the Eventia Reporter Add-on from R56 to NGX (R60), you must upgrade the Eventia Reporter Add-on as well.

    15) On the SmartCenter Server, if you start the Check Point Products installation from the NGX CD using the SecurePlatform command patch add, you can decide whether or not to export the SmartCenter configuration for advanced upgrade. While the operation should succeed, an error may be displayed on completion stating that the patch was not applied. This message is accurate but confusing: the patch was indeed not applied; an export operation was performed instead.

    16) A secondary SmartCenter server does not support the wrapper's Advanced Upgrade or the Export/Import tools.


    17) After upgrading a Nokia SmartCenter server with the R55W Add-on, backout to R55W is not supported. It is therefore recommended to back up the SmartCenter configuration before the upgrade. The configuration is exported via the upgrade tools. Make sure to save the configuration outside the Check Point directory structure. Then, if a return to R55W becomes necessary, install a fresh R55W Add-on and import the configuration you saved earlier. For more information regarding the upgrade tools, refer to the R55W Upgrade Guide.

    18) When running the NGX Pre Upgrade Verifier on an R55 SmartCenter with HFA12 installed, the following message regarding the file auth_HFA.def may appear:
        INSPECT manual changes
        Description: Some changes in VPN-1 behavior require changes to be made manually in INSPECT files. Since INSPECT files are overwritten with new versions when upgrading, these changes may be lost. In some cases the changes should be re-applied on the new INSPECT files, in other cases there are new GUI options that need to be set instead.
        Impacts: If changes were lost after the upgrade, VPN-1 may not work as expected.
        Todo: Check if changes are needed in the new version, if so, follow SK instructions for these changes.
        This problem will occur in the following files:
        auth_HFA.def
    This message can be safely ignored.

    19) In this release, SmartCenter does not manage gateways prior to NG FP3. If you have such gateways, it is recommended that you upgrade them as well.

    20) When performing an advanced upgrade using the wrapper, the installation wizard will prompt you to select one of the following options:
        1 Download most updated upgrade utilities [default]
        2 I have already downloaded and extracted the upgrade utilities. The files are on my local disk
        3 Use the upgrade utilities from the CD
    Option 1 is currently not supported on Unix platforms. When upgrading Unix platforms, it is recommended to download the updated utilities manually using the link provided, and only then proceed with option 2.

    SmartDirectory

    21) When a SmartDirectory user is based on an internal firewall template, internal groups that the template belongs to will be added to the SmartDirectory user, but these groups will not appear in the list of template groups in the user's Groups page.


    22) When manually defining branches on an Account Unit, spaces between elements in the branch definition will not work. Example:
        A good branch: ou=Finance,o=ABC,c=us
        A bad branch:  ou=Finance , o=ABC , c=us
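A check for the branch problem in item 22, as an added example that is not part of the release notes: normalize_dn removes the blanks around the "," and "=" separators of a DN, and check_branch reports whether a branch string is usable as-is. A naive edit that strips every blank near a comma would also corrupt values, so the example keeps blanks inside a value (cn=Jane Doe) and treats a backslash-escaped separator as part of the value; that escaping rule is an assumption taken from RFC 4514 DN syntax, not something the page states. Both function names are this example's own.

```shell
#!/bin/sh
# Added example for item 22: normalize an Account Unit branch DN by removing
# the blanks around unescaped "," and "=" separators that the page says will
# not work. Blanks inside a value (cn=Jane Doe) and separators escaped with a
# backslash as in RFC 4514 (o=ABC\, Inc) belong to the value and are kept,
# which a plain "strip all spaces" edit would get wrong. normalize_dn and
# check_branch are this example's own names, not Check Point utilities.

# normalize_dn DN: print the DN with blanks around unescaped , and = removed
normalize_dn() {
    printf '%s' "$1" | awk '
    {
        s = $0; out = ""; buf = ""; esc = 0
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (esc)        { buf = buf c; esc = 0; continue }   # char after backslash is literal
            if (c == "\\")  { buf = buf c; esc = 1; continue }
            if (c == "," || c == "=") {
                sub(/^[ \t]+/, "", buf); sub(/[ \t]+$/, "", buf)  # trim the element just finished
                out = out buf c; buf = ""
                continue
            }
            buf = buf c
        }
        sub(/^[ \t]+/, "", buf); sub(/[ \t]+$/, "", buf)
        print out buf
    }'
}

# check_branch DN: print "ok" if the DN is usable as-is, otherwise print the
# corrected form; returns 1 when a correction was needed.
check_branch() {
    fixed=$(normalize_dn "$1")
    if [ "$fixed" = "$1" ]; then echo "ok"; return 0; fi
    echo "$fixed"; return 1
}

# Demonstration on constructed branch strings (not taken from any real directory).
for dn in 'ou=Finance,o=ABC,c=us' 'ou=Finance , o=ABC , c=us' 'cn=Jane Doe , ou=People , o=ABC\, Inc , c=us'; do
    printf '%-50s -> ' "$dn"; check_branch "$dn" || true
done
```

Run check_branch over the branch strings before pasting them into the Account Unit; a non-zero return means the string contains separator blanks that the Account Unit will not accept, and the printed form is the one to use.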

    23) When using the Display list of distinguished names (DNs) for matching UIDs on login feature, if there is no available LDAP server, the authentication will hang. Subsequently, a policy installation will cause the process that attempted the authentication to consume all available CPU resources.

    24) When using an LDAP server for internal password authentication, if the account lockout feature is disabled, the firewall will not attempt to modify the user's login failed count and last login failed attributes on the LDAP server. When using LDAP servers that do not have these attributes defined (because the Check Point LDAP schema extension was not applied on the LDAP server), this improves overall performance and eliminates unnecessary LDAP modify errors.

    25) If Use SmartDirectory (LDAP) is checked in the Global Properties but no LDAP Account Unit is configured, the authentication of external users (as opposed to LDAP users) that are not defined in the user database will not succeed. To resolve this issue, uncheck Use SmartDirectory (LDAP) in the Global Properties.

    SmartDashboard

    26) In Microsoft Active Directory, when an expiration date is defined in the user's properties and the user account has expired, the user is not able to authenticate and the reason for the authentication failure is not displayed.

    27) Firewall implied rules for GUI Clients are not matched when a wildcard is used (e.g., 1.1.*.*). As a result, connections from GUI Clients to the SmartCenter Server may be blocked if there is a VPN-1 Pro module between them. Single IP definitions (e.g., 1.1.1.1) are supported. When specifying GUI Clients in any format other than a single IP address, add an explicit rule in the Rule Base allowing the GUI Clients to connect to the SmartCenter Server.

    28) When upgrading from NG FP1 or lower, certain policies may be hidden in SmartDashboard. Starting from NG FP2, only policies that belong to the current Policy Package are displayed. To access other policies, select File > Open and choose the relevant Policy Package.

    29) When using Active Directory .NET (2003) with NGX (R60), errors are encountered when changes are made to the account expiration user attribute. Use Active Directory 2000 to avoid these errors.


    30) The following web links, available from the Help menu in SmartDashboard and SmartUpdate, open a browser window to pages that have not yet been posted on the Check Point web site:
    - Online Software Updates
    - What's New In Check Point Software

    Policy Installation

    31) Policy installation may fail when there are 70 or more dynamic objects.

    32) After aborting an installation, before attempting to install a policy, make sure that there are no processes running the fwm load command on the SmartCenter server, or your installation may halt.

    33) When the Install Policy option Install on all gateways, if it fails do not install on gateways of the same version is selected, policy is installed on gateways by group. There are four such groups:
    - VPN-1 Edge
    - R55W
    - NGX
    - all others (R55 and prior versions)
    When this option is selected, if policy installation fails on a member of one of the groups, the policy will not be installed on any other gateway in that group. Policy installation continues uninterrupted to members of the other groups, however.

    34) Uninstall of policy on LSM profiles is not supported.

    35) It is not recommended to install security policy on more than 100 VPN-1 Edge devices simultaneously. Use one of the following solutions instead:
    - Install the policy in groups of 100 VPN-1 Edge devices.
    - Use SmartLSM, which installs policy on profiles, when managing hundreds of VPN-1 Edge devices. When using SmartLSM the above limitation is not relevant.

    VPN Communities

    36) When managing SmartLSM ROBO Gateways, some of which are VPN-1-enabled, from a Standalone machine, the policy fetch operation may not succeed once a VPN has been established between the Standalone and the ROBO Gateway in question. To overcome this issue, add the CPD service as an excluded service for each of the communities that have SmartLSM ROBO profiles. To do this:
    1 Open the community object.
    2 In the Advanced Settings tab, choose the Excluded Services tab and add CPD as an excluded service.


SmartConsole Applications

37) When deleting objects from SmartDashboard, in some cases the Where Used... option will not report that objects are being used in the database, and it is possible to delete these objects without any warning. The cases in question are:

• RADIUS and TACACS servers referenced by Templates in the Authentication tab.
• Users and User Groups contained by other User Groups.

For SmartDirectory Account Units referenced by External Groups, the Where Used... option is applicable but the Delete operation cannot be performed. As a workaround, restart (cpstop, cpstart) the SmartCenter Server. Note that all cases apply only if the objects were created after the SmartCenter Server was started.

38) The Status Manager GUI fails if the Disconnect Client or the Global System Alert Definition windows are displayed and the SmartCenter Server goes down. The failure happens when the Status Manager re-connects to the SmartCenter Server.

39) In order to be able to track Session ID information, an application should be opened independently, meaning not from another Check Point application.

40) An application error occurs in the Status Manager when stopping the Management process fwm while the Status Manager is up and running.

41) The Status Manager cannot show more than 16 clients connected to the SmartCenter Server. If more than 16 clients are connected, it will show that 0 clients are connected.

42) The capability for exporting logs from SmartView Tracker running on Motif is disabled in this version.

43) The View Rule in SmartDashboard feature in SmartView Tracker for Motif is not supported.

44) The View Rule in SmartDashboard feature in SmartView Tracker does not bring the SmartDashboard application into focus if it is already open on the right rule database.

45) If SmartView Monitor is open and a new non-Check Point Node object is created in SmartDashboard, the new object will appear in SmartView Monitor. Upon closing and restarting SmartView Monitor, the object will not appear, which is the correct behavior.

46) When choosing to view Installed Policies from SmartDashboard on Motif, a failure may occur if one of the VPN-1 Pro modules fails to respond.

47) When logs cannot be generated for some reason, such as no disk space or the logging process being down, changes cannot be saved from SmartDashboard. If this occurs, the following error message appears: "The changes could not be saved. Please make sure all Firewall-1 services are up and running. For more information use the SmartView Monitor application."


48) When running a query on a Security Policy in SmartDashboard, only user-defined rules are displayed in the query result. Implied rules matching the query will not be displayed, even if the option View Implied Rules is selected.

49) When switching the active file from SmartView Tracker, the new active file name is automatically designated by the system. The user-defined file name is ignored.

50) Policy installation may fail if a Gateway Cluster object was created in SmartDashboard using Simple mode (wizard). This problem can be avoided by doing any of the following:

• Create the object in Simple mode. When you arrive at the Finished Cluster's definition wizard page, check Edit Cluster's Properties and click Finish. The Gateway Cluster Properties window appears. Edit the object, if needed, and click OK.
• Create the object in Simple mode. After creating the object, use the dbedit tool to change the fwver attribute of the object from 5.0 to 6.0.
• Use Classic mode instead of Simple mode.

51) When defining the topology of an object in the following manner: Interface Properties > Topology > Internal > IP Addresses behind this interface > Specific, the following error message may appear after selecting a group or network and clicking OK: "The selected object's type is not valid."

To work around this issue, perform the following steps:

1 Create a new Simple Group (from the Topology tab, click New > Group > Simple Group).
2 Name the group, but do not add any members.
3 Click OK.
4 Edit the new group, and add the original group or network as a member.

Note: Each time the interface's properties are edited, the same error message appears. To avoid repeating the above process, first define the other properties of the interface, leaving the topology definition to the end.

High Availability

52) Issuing a Stop Member command in SmartView Monitor performs the cphastop command on this member. Among other things, this disables the State Synchronization mechanism. Any connections opened while the member is stopped will not survive a failover event, even if the member is restarted using cphastart. However, connections opened after the member is restarted are synchronized normally.

Logging

53) When working with a Log Server of an earlier version than the SmartCenter Server, the log fields of log records from new modules that were added after the upgrade of the SmartCenter Server may not be resolvable.

54) An administrator with Read Only permission for Monitoring can still create, modify, rename and delete queries in SmartView Tracker.

55) When a Log Server is installed on a DAIP module, management operations such as purge and log switch cannot be performed.

56) Audit log operation strings have changed. Several new columns have been added and other existing column names have been changed. This may cause existing filters to stop working.

57) If you are using the cyclic logging feature, it is recommended after upgrade to back up your old /log files to another machine, and then to delete them from the Log Server.

58) When a Log Server runs out of disk space, any logs sent by ELA clients will be lost. To prevent this, be sure to maintain adequate disk space on the Log Server.

Monitoring

59) Alerts that are defined in the Check Point SmartView Monitor Threshold Definition window are not sent to SmartView Monitor as popup alerts until a first policy is installed. In the SmartDashboard Global Properties > Log and Alert > Alert Commands page, be sure to check the property Send popup alert to SmartView Monitor.

60) When defining thresholds in SmartView Monitor, if you choose one of the User Defined options as the Alert Method, make sure that this method is defined in SmartDashboard's Global Properties. If the alert method is not defined, a regular alert is generated.

61) If SmartView Monitor is open when a new module is created in SmartDashboard, the module will appear in SmartView Monitor with the status "waiting" until SmartView Monitor is restarted. For details, refer to SecureKnowledge solution sk16122.

62) SmartView Monitor should be opened connecting to a SmartCenter Server and not to a Log Server. When using SmartView Monitor on a Log Server, statuses may be inaccurate.

63) OS information will not be available in SmartView Monitor if the monitored machine is a Windows machine that does not run the Windows Management Instrumentation service.

64) Working with SmartView Monitor on clustered systems may lead to unpredictable behavior. It is therefore recommended to turn off the Objects status in SmartMap feature in clustered configurations. This is done from the View menu in SmartDashboard, by unchecking the option Objects status in SmartMap.

65) In certain scenarios, such as a High Availability SmartCenter Server in a large environment with many clustered gateways, SmartView Monitor may fail to display the status of certain gateways.

Management High Availability

66) A SmartCenter Server that is also a VPN-1 Pro module must have a policy installed on it in order for other SmartCenter Servers to be able to communicate with it. This must be done after initial setup, or after resetting SIC communication on the SmartCenter Server.

67) Database versions which were created using the Revision Control feature should be synchronized manually in a Management High Availability environment. To synchronize them, do the following:

1 Run cpstop on the standby SmartCenter Server.
2 Copy all files under $FWDIR/conf/db_versions/repository/* and $FWDIR/conf/db_versions/database/* from the active management to the standby SmartCenter Server.
3 Run cpstart on the standby SmartCenter Server.

68) If a primary SmartCenter Server is in a Standalone configuration, and a secondary SmartCenter Server is active, policy installation from the secondary to the primary server will be prohibited immediately after upgrade. To resolve this, install the policy locally on the primary server.

69) When using Management High Availability (between SmartCenter and/or CMA and/or MDS), change over may not succeed when SmartPortal is connected in Read/Write mode. To resolve this issue, either allow access from SmartPortal to Read-only administrators only, or use SmartView Monitor to disconnect the Read/Write session in SmartPortal.

Trust Establishment (SIC)

70) If your SmartCenter Server is deployed in a standalone configuration, you must install the policy locally (in other words, on the SmartCenter itself) before establishing SIC with Connectra devices.

Platform Specific Windows

71) Windows 2000 specific issue: A SmartConsole connection to the SmartCenter Server on Windows 2000 may fail with the message "No license for user interface" if the SmartCenter Server was disconnected from the network and then reconnected while the VPN-1 Pro services on the machine were running. If this occurs, restart the VPN-1 Pro services (run cpstop and then cpstart).

72) On Windows platforms only, in some cases when performing the Restore Version operation (from SmartDashboard, File > Database Revision Control > Restore Version) while SmartView Tracker is open, the restore fails and the database cannot be saved. The solution is to make sure that SmartView Tracker is closed before performing Restore Version operations. If you have already encountered such a problem, run cpstop and then cpstart.

73) When trying to export a configuration either via the wrapper or via the upgrade_export command on NG FP1, the export may fail with the following message: "Error: FWDIR environment variable is not set. Please set it and try again." A workaround is to set the FWDIR environment variable to the location where VPN-1/Firewall-1 was installed. (The default is WINDOWSDIR:\WINNT\FW1\NG).

Platform Specific Nokia

74) When upgrading using the Import Configuration option in the wrapper, and the machine you have exported the configuration from is a Nokia platform, a situation may occur where Check Point packages that were inactive on the production machine will either become active on the target machine if its OS is Nokia, or will be installed on other platforms.

If this should occur, when the target machine is a Nokia platform, return the relevant packages to the inactive state. For other platforms, uninstall the relevant packages.

OPSEC

75) In CPMI, the command line fw unload does not trigger an eCPMI_NOTIFY_UNINSTALL_POLICY notification event.

Miscellaneous

76) After upgrading from NG FP2, the name of the Internal Certificate Authority (CA) that was previously entered is not displayed in the Check Point Configuration Tool (cpconfig > Certificate Authority tab), although it is still viable. If it is reconfigured, then it is displayed.

77) Using the cp_merge utility to merge a large number of objects (more than 10,000) from two SmartCenter Servers may not work. This is because at some point two main audit logs are generated. If you have a large number of objects, and you wish to perform the merge even though from some point on the audit logs will not be generated, then do as follows:

1 Define the environment variable FWM_ALLOW_AUDIT_FAILURE from a shell.
2 Use the cp_merge command from the same shell.

OSE

78) The Drop action is not supported for Cisco OSE devices. If the Drop action is used, the policy installation operation fails.

79) For Cisco routers, make sure that the host names are resolvable by DNS or by the hosts file.

80) 3Com devices are not supported.

Dynamically Assigned IP Address (DAIP) Modules

81) The fw tab command on a SmartCenter Server is not supported.

SmartPortal

82) Using sysconfig to install and configure SmartPortal on SecurePlatform is not supported. Use one of the following two workarounds instead:

• Use the SecurePlatform Web UI First-Time Configuration wizard.
• Configure the operating system via sysconfig, and then manually install SmartPortal by running rpm -i on the SmartPortal RPM file located at /sysimage/CPwrapper/Linux/CPportal.

83) The SIC activation key is not set in the Solaris SmartPortal installation, as cpconfig does not run when the install completes. This issue is resolved by manually running cpconfig. The license setup prompts in cpconfig can be safely ignored.

    Clarifications and Limitations VPN

    VPN


In This Section

Upgrade, Backout, and Backward Compatibility page 40
VPN Routing page 40
VPN Tunnel Management page 41
VPN Communities page 41
Multiple Entry Point (MEP) & VPN Load Distribution page 42
VPN-1 Clusters page 42
VPN-1 Hardware/Software Acceleration page 44
IKE, Interoperability page 44
PKI, PKCS page 44
NAT with VPN page 44
VPN-1 Diagnostics (Logging, Monitoring, Planning) page 45
Miscellaneous page 45
Office Mode page 45
L2TP Clients page 45
Nokia Clients Support (CryptoCluster & Symbian) page 46
VPN-1 and SecuRemote/SecureClient Issues page 46
Route Injection Mechanism page 46
Link Selection page 47
Routed VPN page 47
Multicast page 49
LDT (Locally Defined Tunnels) page 49

Upgrade, Backout, and Backward Compatibility

1) VPN-1 Net is no longer supported.

VPN Routing

2) The IP pool NAT on a VPN-1 module which serves as a VPN router (in order to forward VPN traffic from one VPN tunnel to another) should be defined as part of the encryption domain of the VPN router. Otherwise, VPN connections via the VPN router will fail.

3) VPN Routing only connects the VPN domain hosted behind a DAIP Gateway to the VPN domain of another DAIP Gateway. Connections that originate on the DAIP Gateway itself or are directed at the DAIP Gateway cannot be routed through the hub.

4) When using VPN routing to route all communication from the VPN domain of a Satellite DAIP Gateway via the Hub to other Satellite Gateways or to the Internet, it is not possible to open connections from the external IP of the Satellite DAIP Gateway to the Internet.

5) Excluded services in the VPN Community are not supported with Routed VPN.

6) In NGX (R60), a new routing decision is undertaken after packets are encrypted. This behavior is enabled by default (including after upgrade), and may cause a change in routing behavior. If you experience problems, it is recommended to change the routing configuration to incorporate the new behavior. However, you can disable the new routing behavior per gateway by using the GuiDBedit tool to change the attribute reroute_encrypted_packets on the gateway object to False.

Note: This behavior cannot be disabled on SecureXL.

7) After removing virtual tunnel interface definitions, anti-spoofing warning messages may appear during all subsequent policy installations.

VPN Tunnel Management

8) The feature Use the community settings (SmartDashboard > gateway object > VPN > VPN Advanced > VPN Tunnel Sharing) is to be used only when all VPN peers are of version NGX (R60) or later. Otherwise, use the Custom settings option.

VPN Communities

9) SmartDashboard allows VPN-1 modules with dynamic IP addresses to be added as members of a VPN community in which aggressive mode for IKE Phase 1 is selected. This configuration, however, is not supported.

10) If the Exportable for SecuRemote/SecureClient property is checked on a VPN-1 Pro Enforcement Module (from the VPN tab under Traditional Mode configuration), the module's topology information will be exported to SecuRemote/SecureClients even if the Enforcement Module is not a member of the Remote Access community.

11) When managing SmartLSM ROBO Gateways, some of which are VPN-1-enabled, from a Standalone machine, the policy fetch operation may not succeed once VPN has been established between the Standalone and the ROBO Gateway in question. To overcome this issue, add the CPD service as an excluded service for each of the communities which have SmartLSM ROBO profiles. To do this:

1 Open the community object.
2 In the Advanced Settings tab, choose the Excluded Services tab and add CPD as an excluded service.

12) The setting Accept all encrypted traffic in the Site to Site Community Properties window does not apply to connections which pass through the VPN Tunnel Interface.

Multiple Entry Point (MEP) & VPN Load Distribution

13) When using a traditional policy configuration, the IP pools mechanism is not supported when configured differently for different rules. This issue is not relevant when using VPN communities, since in this case IP pools are configured globally and not per rule.

14) When MEP gateways are configured to have the same encryption domain and you enable a backup gateway (Global Properties > VPN Advanced), this gateway will not affect the MEP configuration. This means that the configuration will continue to behave as if it were a fully overlapping encryption domain MEP configuration.

If backup gateway functionality is required for a group of gateways in the MEP configuration, the desired behavior (in which the primary gateway has a higher priority than the backup) can be achieved by configuring the Primary gateway to include the desired encryption domain and the backup gateways to include only themselves as part of their encryption domain.

15) Starting with version NGX (R60), only the site-to-site MEP load distribution configuration is downloaded to VPN-1 Edge devices.

VPN-1 Clusters

16) When defining Office Mode IP pools, make sure each cluster member has a distinct pool.

17) When detaching a cluster member from a VPN cluster, manually remove the VPN domain once the member has been detached.

18) When based on topology information, the VPN domain calculation contains only the cluster member topology and not the cluster object topology. This may cause issues in the VPN domain of clusters since the cluster object and members may have different subnets. In this case, define the VPN domain manually on the cluster object. This issue does not exist on VSX appliances.

19) Peer or secure remote Gateways may show error messages when working against an overloaded Gateway cluster in Load Sharing mode. This is due to IPsec packets with an old replay counter. These error messages can be safely ignored.

20) When based on topology information, the VPN domain calculation contains only the cluster member topology and not the cluster object topology. This may create a situation where the VPN domain of a cluster has different subnets between the members and the cluster object. A workaround is to define the VPN domain manually on the cluster object. This problem does not exist on VSX appliances.

21) If an SSL Network Extender connection to a Load Sharing gateway times out, the user may not receive notification, but packets from the user are dropped.

22) During policy installation, the following messages may appear on the console:

[Expert@fault]# gated_xl[1383]: task_set_option: task MRouting socket 17option GroupAdd(10) interface 56.2.2.1(vt-aaa) group 224.0e
gated_xl[1383]: task_change_role reinitializing done
gated_xl[1383]: task_set_option: task MRouting socket 17 option GroupAdd(10)interface 56.2.2.1(vt-aaa) group 224.0.0.2: Address ale
gated_xl[1383]: task_change_role reinitializing done
gated_xl[1383]: task_change_role re-initializing

These messages can be safely ignored.
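The messages in item 22 are benign only in this exact form, and a console or syslog monitor that forwards every gated_xl line emitted during policy installation buries real routing errors in known noise. The following is an added example, not part of the release notes and not Check Point's own tooling, of a small triage filter: it strips the expert-shell prompt, recognizes only the two message families quoted above (the role-change notices and a GroupAdd on a link-local 224.0.0.x group whose error text begins with "Address"), and hands every other gated_xl line back for review. The sample console text is constructed here from the lines quoted in item 22, with their truncated tails kept as they appear, plus one hypothetical line carrying a different GroupAdd error; the truncated first line is deliberately not recognized as benign, so the filter fails closed on lines it cannot match completely.

```python
import re

# Constructed sample, not a real capture: the lines quoted in item 22 of the
# release notes (their truncated tails kept as-is) plus one hypothetical line
# with a different GroupAdd error that a filter must not swallow.
SAMPLE_CONSOLE = """\
[Expert@fault]# gated_xl[1383]: task_set_option: task MRouting socket 17option GroupAdd(10) interface 56.2.2.1(vt-aaa) group 224.0e
gated_xl[1383]: task_change_role reinitializing done
gated_xl[1383]: task_set_option: task MRouting socket 17 option GroupAdd(10)interface 56.2.2.1(vt-aaa) group 224.0.0.2: Address ale
gated_xl[1383]: task_change_role reinitializing done
gated_xl[1383]: task_change_role re-initializing
gated_xl[1383]: task_set_option: task MRouting socket 17 option GroupAdd(10) interface 10.9.9.9(eth3) group 224.0.0.5: Invalid argument
"""

# Expert-mode shell prompt that precedes the first message when the text is
# copied from an interactive session.
PROMPT_RE = re.compile(r"^\[Expert@[^\]]*\]#\s*")

# Only the two message families quoted in the release notes count as benign:
# the role-change notices, and a GroupAdd on a link-local 224.0.0.x group whose
# error text starts with "Address". Anything else from gated_xl is kept for review.
BENIGN_PATTERNS = (
    re.compile(r"^gated_xl\[\d+\]: task_change_role (re-initializing|reinitializing done)$"),
    re.compile(
        r"^gated_xl\[\d+\]: task_set_option: task MRouting socket \d+ ?option "
        r"GroupAdd\(\d+\) ?interface \S+ group 224\.0\.0\.\d+: Address "
    ),
)


def classify_line(line):
    """Return ("benign", msg) or ("review", msg) for a gated_xl line, None otherwise."""
    msg = PROMPT_RE.sub("", line.strip())
    if not msg.startswith("gated_xl["):
        return None
    for pattern in BENIGN_PATTERNS:
        if pattern.match(msg):
            return ("benign", msg)
    # A truncated or unfamiliar gated_xl line lands here: fail closed, report it.
    return ("review", msg)


def triage(console_text):
    """Split console text into (benign, review) lists of gated_xl messages."""
    benign, review = [], []
    for line in console_text.splitlines():
        result = classify_line(line)
        if result is None:
            continue
        (benign if result[0] == "benign" else review).append(result[1])
    return benign, review


if __name__ == "__main__":
    known, suspect = triage(SAMPLE_CONSOLE)
    print("ignored as known policy-install noise:", len(known))
    for msg in suspect:
        print("REVIEW:", msg)
```

Run directly, the script reports four lines as known policy-install noise and leaves two for review: the truncated first line and the constructed "Invalid argument" line. In practice the sample text would be replaced by lines read from the gateway console or the syslog feed, and the review bucket is what an operator should look at before deciding that a policy installation was clean.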

23) VPN Routing is not supported for SSL Network Extender remote access users connecting through a clustered central gateway in a Load Sharing deployment.

24) When a Check Point VPN-1 NGX peer is connected directly to a Check Point cluster (i.e., the peer and the cluste