
  • 7/31/2019 Checkpoint NGX WhatsNew

    1/30

    Copyright 2005 Check Point Software Technologies, Ltd. All rights reserved.

    What's New in Check Point Enterprise Suite

    NGX (R60)

    5/16/05

    In This Document

    The latest version of the Whats New documentation is available online at

    http://www.checkpoint.com/techsupport/downloads.jsp .

    Unified Software Package page 2

    Firewall page 3

    VPN page 14

    SecuRemote/SecureClient page 18

    Integrity page 21

    SSL Network Extender page 21

    SmartCenter page 22

    VPN-1 Edge page 23

    SmartView Monitor page 24

    Eventia Reporter page 25

    SmartUpdate page 26

    SmartLSM page 27

    SecurePlatform page 27

    ClusterXL page 29

    Performance Pack page 29

    VSX page 29

    QoS page 30

    UserAuthority page 30


    What's New in Check Point NGX R60, last update 5/16/05

    Unified Software Package

    In previous versions, each product had its own software package (for example, the Check Point
    SVN Foundation package cpshared_R55_<version>_<OS>.tgz). NGX (R60) binds a number of
    products into a unified software package to simplify installation. The following products are
    included in the package fw1_R60_<version>_<OS>.tgz, where <version> represents the package
    version and <OS> represents the relevant operating system:

    Check Point SVN Foundation

    VPN-1 Pro

    SecureClient Policy Server

    SmartView Monitor

    QoS (previously FloodGate-1)

    Software packages not included in this list are distributed in their own packages located on

    the product CD.


    Firewall

    In This Section

    Web Intelligence page 3

    Voice over IP (VoIP) page 6

    Network Security page 7

    DNS Security page 8

    Check Point Active Streaming page 10

    Application Intelligence for Additional Protocols page 10

    Malicious Activity Prevention page 12

    General page 13

    Web Intelligence

    1 New web protections have been added to prevent:

    Directory Listing

    LDAP Injection

    Display of web server error messages in the browser (a feature known as Error Concealment)

    2 The specific behavioral patterns blocked by the Cross-Site Scripting, SQL Injection and
    Command Injection defenses in Web Intelligence can now be defined by the user.

    3 Malicious Code Protector is now supported on SPARC processors.

    4 All protections on specific web servers can now run in monitor-only mode while remaining
    active on other servers.

    5 A different HTTP method scheme can now be set for each web server.

    6 Server-based Security Policy configuration is enhanced and completely integrated into
    SmartDefense. The result is an easy and granular defense configuration that retains the global
    view present in SmartDefense.

    Monitor-only Mode

    7 Many of the new features have a monitor-only mode, in which the feature is active but only
    issues logs and does not block traffic. This is helpful in the transition phase, when features are
    applied for the first time at a customer's site, and in discovering configuration problems during
    deployment. With a single click the defaults of each protection can be restored. Monitor-only
    mode also supports audit-only deployments.


    SQL Injection

    8 VPN-1 Pro rejects HTTP requests containing SQL commands inside the URL or body. An
    attacker can use flaws in the web application to inject commands that are run directly against the
    application database, causing damage or information disclosure. This defense has three levels
    of protection: low, medium and high. The definition of each level is displayed as you move the
    slider to select a different mode in SmartDashboard.

    Shell Command Injection

    9 VPN-1 Pro rejects HTTP requests containing shell commands inside the URL or body. An
    attacker can use flaws in the scripting engine to inject commands that are run directly on the
    host. This defense has three levels of protection: low, medium and high. The definition of each
    level is displayed as you move the slider to select a different mode in SmartDashboard.

    Cross Site Scripting

    10 VPN-1 Pro rejects HTTP requests sent with the POST method that contain scripting code.
    Attackers can embed script in URLs and forms to steal an innocent user's identity. This form of
    theft is particularly insidious because neither the administrator nor the user knows they are being
    tricked. VPN-1 Pro also decodes data that is URL-encoded as part of the request, an alternative
    way of submitting the same information. The scripting code is not stripped from the request;
    the whole request is rejected. The defense has three levels of protection: low, medium and high.

    Directory Traversal Attacks

    11 Directory traversal attacks allow hackers to access files and directories that should be out

    of their reach. In many attacks, this leads to running executable code on the web server

    with one simple URL. Most of the attacks are based on the ".." notation within a file

    system. VPN-1 Pro blocks requests in which the URL contains an illegal directory

    request. For example, http://www.server.com/first/second/../../.. is illegal because it

    goes deeper than the root directory. http://www.server.com/first/second/../ is legal

    because it is equivalent to http://www.server.com/first/. VPN-1 Pro supports the same

    capability for URLs that are encoded with Unicode and % encoding.
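    The traversal check described above, written out as an added Python example (this is not Check Point code): it undoes single and double %-encoding, walks the path segment by segment, and rejects any URL whose ".." segments climb above the root, while resolving legal paths such as /first/second/../ to their canonical form. The decoding depth (two passes) and the treatment of backslashes as separators are assumptions about the protected server, not something the page states.

```python
from urllib.parse import unquote, urlsplit

# Added example, not Check Point code. Assumption: the protected web server
# decodes at most two layers of %-encoding and treats "\" like "/" (as IIS does).


def decode_path(url: str) -> str:
    """Extract the path from a URL or bare path and undo %-encoding.

    Attackers hide ".." as %2e%2e or double-encode it as %252e%252e, so the
    check must decode the same way the server will before comparing segments.
    """
    path = urlsplit(url).path if "://" in url else url
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def resolve(url: str):
    """Return the canonical path, or None if the request climbs above the root.

    Every ".." pops one segment; popping from an empty stack means the URL
    referenced something outside the document root and must be rejected.
    """
    path = decode_path(url)
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None
            stack.pop()
        else:
            stack.append(seg)
    canonical = "/" + "/".join(stack)
    if path.endswith("/") and stack:
        canonical += "/"
    return canonical


def is_illegal(url: str) -> bool:
    """True when the gateway should drop the request."""
    return resolve(url) is None


if __name__ == "__main__":
    # Constructed sample URLs, including the two from the text above.
    for u in ("http://www.server.com/first/second/../../..",
              "http://www.server.com/first/second/../",
              "/images/%2e%2e/%2e%2e/etc/passwd",
              "/cgi-bin/%252e%252e/%252e%252e/winnt/system32/cmd.exe"):
        print(f"{u!r:62} -> {'DROP' if is_illegal(u) else resolve(u)}")
```

    Note that the decision is made on the decoded, normalised path rather than on the raw string, which is what lets one rule cover the plain, %-encoded and double-encoded spellings of the same escape.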

    HTTP Format Sizes

    12 The sizes of the elements of an HTTP request or response are not limited by the protocol,
    which can be used to mount a denial-of-service (DoS) attack on a web server. In addition, many
    buffer-overflow attacks require a considerably large buffer to be sent to the web server. It is
    good security practice to limit these sizes: doing so reduces the chance of a buffer overrun and
    limits the amount of code that can be inserted by way of the overflow. This defense can impose
    a limit on the following elements:

    Maximum URL length

    Maximum header length

    Maximum number of headers

    Length of a specific header, selected by a regular expression on the header name and value

    The maximum allowed lengths are adjustable in SmartDefense.

    Blocking Non-ASCII Characters Request

    13 VPN-1 Pro blocks characters outside the printable ASCII range (decimal 32 to 126; 127 is the
    DEL control character) in HTTP request and response headers. Apart from the fact that the
    HTTP RFC does not allow binary characters in the headers, blocking them is good security
    practice because executable payloads and buffer-overrun exploits usually contain binary
    characters. The defense is turned on in SmartDefense, in the Request\Response Headers section
    of the ASCII Only Request window.

    Allowed HTTP Methods

    14 The HTTP RFC defines a small set of standard methods (RFC 2616 lists GET, HEAD, POST,
    PUT, DELETE, OPTIONS, TRACE and CONNECT). Many non-standard methods have a very bad
    security record and are therefore blocked by default. WebDAV methods are also blocked by
    default but can be allowed either as a group or individually; other methods blocked by default
    can likewise be allowed individually.

    Header Rejection

    15 A web server or application parses not only the URL but also the rest of the HTTP header
    data. Incorrect parsing can lead to buffer overruns and other vulnerabilities. Such attacks, even
    when RFC compliant, can be blocked using signatures defined as regular expressions over the
    header name and value.

    HTTP Header Spoofing

    16 One of the first steps an attacker takes before attacking a web site is to fingerprint it: the
    attacker analyzes the web server's responses in order to gather as much information about it as
    possible. Some of the information in a response is not needed by the client (for example, the
    product name and version in the Server header); this defense removes it, either by stripping the
    relevant header or by changing its value. The headers to act on are selected in SmartDefense by
    regular expressions on the header name and value, and each matching header can be stripped
    (removed) or replaced.
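    Items 12 through 16 above describe checks that all operate on the same parsed HTTP header block, so one added Python example covers them together (this is illustrative code, not Check Point's implementation): an inspector that enforces URL length, header count and length, a per-header limit selected by regular expression, the printable-ASCII rule, an allowed-method list and regex header-rejection signatures on requests, and a strip/replace rule set applied to response headers to defeat fingerprinting. The numeric limits, the method list, the "nikto" signature and the Server/X-Powered-By rules are an assumed policy for illustration.

```python
import re

# Added example, not Check Point code. The limits, allowed methods and
# signatures below are an assumed policy for illustration.
POLICY = {
    "max_url_len": 2048,
    "max_header_len": 1024,
    "max_headers": 32,
    # per-header limit: (regex on header name, maximum value length)
    "header_len_rules": [(re.compile(r"^Host$", re.I), 255)],
    "allowed_methods": {"GET", "HEAD", "POST"},
    "ascii_only": True,
    # header rejection signature: (regex on header name, regex on header value)
    "reject_headers": [(re.compile(r"^User-Agent$", re.I), re.compile(r"nikto", re.I))],
}


def inspect_request(raw: bytes, policy=POLICY):
    """Return None if the request passes every check, else the name of the
    first violated check. The whole request is rejected, never repaired."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return "malformed request line"
    method, target, _version = parts
    method_s = method.decode("ascii", "replace")
    if method_s not in policy["allowed_methods"]:
        return f"method {method_s} not allowed"
    if len(target) > policy["max_url_len"]:
        return "URL too long"
    headers = lines[1:]
    if len(headers) > policy["max_headers"]:
        return "too many headers"
    for line in headers:
        if len(line) > policy["max_header_len"]:
            return "header too long"
        # printable ASCII is 0x20..0x7E; horizontal tab is the one control byte allowed
        if policy["ascii_only"] and any(b != 0x09 and not 0x20 <= b <= 0x7E for b in line):
            return "non-printable byte in header"
        name, sep, value = line.partition(b":")
        if not sep:
            return "malformed header"
        name_s = name.strip().decode("ascii", "replace")
        value_s = value.strip().decode("ascii", "replace")
        for name_re, limit in policy["header_len_rules"]:
            if name_re.search(name_s) and len(value_s) > limit:
                return f"{name_s} value too long"
        for name_re, value_re in policy["reject_headers"]:
            if name_re.search(name_s) and value_re.search(value_s):
                return f"{name_s} header matches rejection signature"
    return None


# Anti-fingerprinting rules for responses: (name regex, value regex, action, replacement)
RESPONSE_RULES = [
    (re.compile(r"^Server$", re.I), re.compile(r".*"), "replace", "Apache"),
    (re.compile(r"^X-Powered-By$", re.I), re.compile(r".*"), "strip", None),
]


def rewrite_response_headers(headers, rules=RESPONSE_RULES):
    """Apply strip/replace rules to a list of (name, value) response headers."""
    out = []
    for name, value in headers:
        action, replacement = None, None
        for name_re, value_re, act, repl in rules:
            if name_re.search(name) and value_re.search(value):
                action, replacement = act, repl
                break
        if action == "strip":
            continue
        out.append((name, replacement if action == "replace" else value))
    return out


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    good = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.0\r\n\r\n"
    trace = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    binary = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Pad: \x90\x90\xcc\r\n\r\n"
    for req in (good, trace, binary):
        print(req.split(b"\r\n")[0], "->", inspect_request(req) or "accepted")
    print(rewrite_response_headers([("Server", "Microsoft-IIS/6.0"),
                                    ("X-Powered-By", "ASP.NET"),
                                    ("Content-Type", "text/html")]))
```

    The order of the checks matters for cost: the cheap structural limits run before the regular expressions, so an oversized or binary-laden request is dropped without ever reaching the signature matching.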


    Voice over IP (VoIP)

    17 Supported SIP RFCs and Standards

    3372 (SIP-T)

    3311 (Update message)

    SIP over TCP

    18 Supported SIP Advanced Features

    Call forwarding capabilities:

    Forward on busy

    Forward on no answer

    Find me, Follow me

    Forward unconditional

    Registration timeout configuration

    Third party registration

    Proxy failover

    DoS Protection. A maximum number of new VoIP sessions that can be initiated per minute
    from a specific IP address can be set. This limit is not enforced for proxies or for IP addresses
    on the white list.

    19 Supported H.323 RFCs and Standards

    H.323 V.2, V.3, V.4

    H.245 V.3, V.5, V.7

    H.225 V.2, V.3, V.4

    20 Supported H.323 Network Configurations when NAT is in use

    Gatekeepers, Gateways and PBX can be installed using Static NAT in the external

    network, internal network or DMZ.

    Incoming calls to Hide NAT are supported.

    H.323-PSTN gateways can be installed anywhere using either Static or Hide NAT.

    21 Advanced H.323 features

    FastStart and NAT support.

    H.245 Tunneling and NAT support.

    DoS Protection. A maximum number of new VoIP sessions that can be initiated per

    minute from a specific IP address can be set.

    22 MGCP service - Support for the MGCP protocol, including:

    Dynamic management of RTP sessions (open data connection dynamically)

    Analysis and enforcement of message states


    Verification of existence and correctness of call parameters

    Keep call state for each call

    Enforcement of call hand-over

    Logging of call information, and reporting of security vulnerabilities

    Sample Attack or vulnerability - call denial-of-service, call hijacking, fooling a billing

    service

    Getting Here - Configure a VoIP domain, and then using SmartDashboard select

    SmartDefense > Application Intelligence > VoIP > MGCP. Use the MGCP services in the

    Security rule base.

    23 Advanced MGCP features: DoS Protection. A maximum number of new VoIP sessions

    that can be initiated per minute from a specific IP address can be set.

    24 Skinny Client Control Protocol (SCCP) - VPN-1 supports the SCCP protocol, including:

    Dynamic management of RTP sessions (open data connection dynamically)

    Analysis and enforcement of message states

    Verification of existence and correctness of call parameters

    Keep call state for each call

    Enforcement of hand-over domains

    Logs call information, report security vulnerabilities

    Sample Attack or vulnerability - Call denial-of-service, call hijacking, fooling a billing

    service

    Getting Here - Configure a VoIP domain, and then using SmartDashboard select
    SmartDefense > Application Intelligence > VoIP > SCCP. Use the SCCP service in the
    Security rule base.

    25 Advanced SCCP features: DoS Protection. A maximum number of new VoIP sessions that

    can be initiated per minute from a specific IP address can be set.

    Network Security

    Port Scanning

    26 Port Scanning detects scanning attempts in real-time (during packet processing). Scans

    are detected whether they are perpetrated by a single host or several (distributed scans).

    The feature detects two types of scans:

    scans aimed at detecting all services that a given computer runs (host port scan), and

    scans aimed at detecting the computers in a given network that run a certain service (sweep scan).


    This feature is useful in detecting worms such as Welchia that scan networks in order to

    spread themselves.

    Sample Attack or vulnerability - Welchia worm

    Getting Here - In SmartDashboard select SmartDefense > Network Security > Port Scan Detection
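    The two scan types above, and the point that a scan split across several sources must still be caught, can be shown with a short detector run over connection-log lines. The following Python is an added example, not Check Point code: it keeps a sliding window of recent attempts keyed on the target (the destination host for a port scan, the destination port for a sweep) rather than on the source, so a distributed scan trips the same threshold as a single-host one. The log format, the thresholds and the sample log itself are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Added example, not Check Point code. Log format and thresholds are assumptions.
# Each line: "<ISO timestamp> <src ip> <dst ip> <dst port> <proto> <action>".


def parse_line(line: str):
    ts, src, dst, dport, _proto, _action = line.split()
    return datetime.fromisoformat(ts).timestamp(), src, dst, int(dport)


def detect_scans(lines, host_ports=8, sweep_hosts=16, window_s=30):
    """Return scan alerts as (kind, target, sorted list of sources).

    State is keyed on the *target*, so a scan spread over several sources
    (a distributed scan) accumulates against the same counter.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    per_host = defaultdict(deque)   # dst ip   -> recent (t, src, dport)
    per_port = defaultdict(deque)   # dst port -> recent (t, src, dst)
    alerted, alerts = set(), []
    for t, src, dst, dport in events:
        q = per_host[dst]
        q.append((t, src, dport))
        while t - q[0][0] > window_s:          # expire entries outside the window
            q.popleft()
        if ("host", dst) not in alerted and len({p for _, _, p in q}) >= host_ports:
            alerted.add(("host", dst))
            alerts.append(("host_scan", dst, sorted({s for _, s, _ in q})))

        q = per_port[dport]
        q.append((t, src, dst))
        while t - q[0][0] > window_s:
            q.popleft()
        if ("sweep", dport) not in alerted and len({d for _, _, d in q}) >= sweep_hosts:
            alerted.add(("sweep", dport))
            alerts.append(("sweep_scan", dport, sorted({s for _, s, _ in q})))
    return alerts


def constructed_log():
    """Constructed sample log, not captured traffic: one host probing ten ports
    on a server, then three hosts sharing a TCP/135 sweep of a /24 (the pattern
    a Welchia-style worm leaves), plus one benign connection."""
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445]):
        lines.append(f"2005-05-16T10:00:{i:02d} 10.0.0.5 192.168.1.10 {port} tcp drop")
    for i in range(24):
        lines.append(f"2005-05-16T10:01:{i:02d} 10.0.0.{7 + i % 3} 192.168.1.{i + 1} 135 tcp drop")
    lines.append("2005-05-16T10:02:00 10.0.0.20 192.168.1.10 80 tcp accept")
    return lines


if __name__ == "__main__":
    for kind, target, sources in detect_scans(constructed_log()):
        print(f"{kind}: target={target} sources={sources}")
```

    Counting distinct ports or hosts rather than raw packets is what keeps a busy but legitimate client (many connections to one port) below the threshold while a probe of many ports or many hosts crosses it.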

    DShield Storm Center

    27 Automatic integration of the rule base with the SANS Internet Storm Center (DShield). SANS
    monitors the top malicious sources on the Internet. This feature allows both reporting of
    malicious hosts detected by VPN-1 Pro to SANS and automatic blocking of hosts that SANS has
    identified as malicious. This offers protection from Distributed Denial of Service (DDoS)
    attacks at the Firewall and further "upstream" at other Check Point customers.

    Sample Attack or vulnerability - Code Red or any DDoS attack.

    Getting Here - In SmartDashboard, select SmartDefense > Network Security > DShield

    Storm Center > Report to DShield

    DNS Security

    DNS Verification

    28 VPN-1 enforces the DNS protocol on DNS UDP and TCP traffic, ensuring that the traffic that
    crosses the Firewall is valid DNS traffic.

    The RFC-defined header size and the domain and FQDN (Fully Qualified Domain Name) syntax
    are enforced. This protects clients and servers from buffer overruns.

    VPN-1 enforces the proper content of the header (Z flag, QR bit, OPCODE) and of the
    Resource Record counters and formats. This includes:

    enforcing a domain's proper syntax on queries and responses,

    enforcing the proper format of the TYPE values, and

    enforcing the format of Inverse Queries.

    In addition, VPN-1 verifies that every response matches a previously seen request by its
    transaction ID.


    UDP Protocol Enforcement

    29 DNS protocol inspection, supporting RFCs 1034/1035 (general), 1996 (NOTIFY), 2136
    (dynamic update), 2317 (classless delegation), 2535 (DNS security extensions), 2671 (EDNS0)
    and draft-ietf-dnsext-axfr-clarify-05. Enforcement covers lengths, counters, header flags,
    proper domain format, Resource Record formats, matching of each response to a previous
    request, bounds checking, and logging of query type and domain.

    Sample Attack or vulnerability - Trojan Horses, DNS cache poisoning

    Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS

    > Protocol Enforcement, and enable UDP Protocol Enforcement.

    TCP Protocol Enforcement

    30 Inspect DNS over TCP - In addition to the UDP capabilities mentioned above, inspect

    TCP zone transfer traffic.

    Sample Attack or vulnerability - Trojan Horses, DNS cache poisoning

    Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS

    > Protocol Enforcement, and enable TCP Protocol Enforcement.

    Defense Against Cache Poisoning

    31 ID scrambling - Some DNS implementations use trivial, easily predicted transaction IDs and
    source ports for their queries, which allows an attacker to craft spoofed response packets that
    poison the DNS server's cache. VPN-1 tracks each request and randomizes the transaction ID
    and source port of outgoing queries using a cryptographically strong random number generator.
    Replies are validated to have a matching query entry.

    Sample Attack or vulnerability - DNS cache poisoning

    Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS
    > Cache Poisoning > Scrambling.

    32 Birthday-Attack Defense - An attacker sends many simultaneous queries for the same name
    to the attacked server, triggering it to issue many outstanding queries to external servers, and
    then floods it with spoofed replies. If a spoofed reply matches one of the server's outstanding
    requests, the server's cache may be poisoned; because of the birthday paradox, the chance that
    one of many spoofed replies matches one of many outstanding requests is high. This defense
    prevents external queries to internal DNS servers when the DNS server is not authoritative for
    the queried domain, so an outside attacker cannot make the server issue the outstanding queries
    in the first place.

    Sample Attack or vulnerability - DNS birthday attack

    Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS
    > Cache Poisoning > Drop Inbound Requests.

    33 Excessive ID Mismatch Detection - DNS cache poisoning attacks (especially the "Birthday
    Attack") usually produce many mismatched DNS replies in a short time. An excessive number of
    DNS replies that do not have a matching query can therefore indicate a cache-poisoning attack.
    VPN-1 generates a special alert when the number of mismatched replies in a specified period
    exceeds a threshold. The threshold is configurable (the default is 50 mismatched replies in 5
    seconds) and administrators can be notified in a variety of ways (log, email, SNMP trap or one
    of three User Defined Actions).

    Sample Attack or vulnerability - DNS cache poisoning

    Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS
    > Cache Poisoning > Mismatched Replies.

    Domains Block List

    34 Damaging or malicious traffic can sometimes be characterized by the DNS domain it is

    trying to reach. In VPN-1 you can now maintain a block-list of DNS domains. Queries

    regarding the domains in the block-list are blocked. This method is effective forblocking traffic to this domain when the destination IP address hosts additional sites

    besides the prohibited one. This important advantage over blocking traffic to this

    domain in the Security rule-base grants safe domains access while keeping the unsafe

    ones out.

    Sample Attack or vulnerability - Undesired traffic to a site characterized by its domain.

    Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS

    > Domains block-list.
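    Items 28 through 34 above (protocol verification, matching replies to requests, ID scrambling, the mismatch alert, the birthday attack and the domain block-list) describe one stateful DNS inspector, so a single added Python example covers them; this is illustrative code, not Check Point's implementation. The RFC 1035 framing checks (header size, reserved Z bit, opcode, label and name lengths, label syntax) are real requirements; the gateway policy values, the rejection of compression pointers in the question section and the single-client model are simplifying assumptions. The UDP source-port randomization the text mentions lives in the socket layer and is not modelled; the birthday-attack defense itself (dropping inbound queries for non-authoritative zones) is not modelled either, only the odds that make it necessary.

```python
import math
import secrets
import struct
from collections import deque

# Added example, not Check Point code. Models one client behind a gateway.
LABEL_OK = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")


def parse_dns(pkt: bytes) -> dict:
    """Parse the header and the single question; raise ValueError on any
    RFC 1035 framing violation. Pointers in the question are rejected here."""
    if len(pkt) < 12:
        raise ValueError("short header")
    xid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x0040:                    # Z bit is reserved and must be zero
        raise ValueError("Z bit set")
    opcode = (flags >> 11) & 0xF
    if opcode not in (0, 1, 2, 4, 5):     # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
        raise ValueError("bad opcode")
    if qd != 1:
        raise ValueError("question count must be 1")
    labels, pos, total = [], 12, 0
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        n, pos = pkt[pos], pos + 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:
            raise ValueError("compression pointer in question")
        if n > 63:
            raise ValueError("label longer than 63 octets")
        label, pos = pkt[pos:pos + n], pos + n
        if len(label) != n or any(b not in LABEL_OK for b in label):
            raise ValueError("bad label syntax")
        total += n + 1
        if total > 255:
            raise ValueError("name longer than 255 octets")
        labels.append(label.decode())
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return {"id": xid, "qr": bool(flags & 0x8000), "opcode": opcode, "counts": (qd, an, ns, ar),
            "qname": ".".join(labels).lower(), "qtype": qtype, "qclass": qclass}


class DnsGateway:
    """Scrambles the transaction ID of each outgoing query, admits only replies
    that match a pending query, blocks listed domains, and alerts when
    mismatched replies exceed `threshold` within `window` seconds."""

    def __init__(self, blocklist=(), threshold=50, window=5.0):
        self.blocklist = tuple(d.lower() for d in blocklist)
        self.pending = {}            # (scrambled id, qname, qtype) -> client's original id
        self.mismatches = deque()    # timestamps of replies with no pending query
        self.threshold, self.window = threshold, window

    def outbound(self, pkt: bytes):
        try:
            q = parse_dns(pkt)
        except ValueError as e:
            return None, f"malformed: {e}"
        if q["qr"]:
            return None, "reply seen in client-to-server direction"
        if any(q["qname"] == d or q["qname"].endswith("." + d) for d in self.blocklist):
            return None, "blocked domain"
        new_id = secrets.randbelow(1 << 16)          # CSPRNG, not a counter
        self.pending[(new_id, q["qname"], q["qtype"])] = q["id"]
        return struct.pack("!H", new_id) + pkt[2:], "forwarded"

    def inbound(self, pkt: bytes, now: float):
        try:
            r = parse_dns(pkt)
        except ValueError as e:
            return None, f"malformed: {e}"
        key = (r["id"], r["qname"], r["qtype"])
        if not r["qr"] or key not in self.pending:
            self.mismatches.append(now)
            while now - self.mismatches[0] > self.window:
                self.mismatches.popleft()
            if len(self.mismatches) > self.threshold:
                return None, "ALERT: excessive ID mismatch"
            return None, "no matching query"
        original = self.pending.pop(key)
        return struct.pack("!H", original) + pkt[2:], "delivered"   # restore client's ID


def spoof_success(pending: int, spoofed: int, id_space: int = 1 << 16) -> float:
    """Approximate odds that one of `spoofed` forged replies with random IDs hits
    one of `pending` outstanding queries: 1 - (1 - pending/id_space) ** spoofed."""
    return 1.0 - math.exp(spoofed * math.log1p(-pending / id_space))


def build_packet(xid: int, name: str, qtype: int = 1, reply: bool = False) -> bytes:
    """Constructed test packet: one question entry and nothing else."""
    pkt = struct.pack("!HHHHHH", xid, 0x8180 if reply else 0x0100, 1, 0, 0, 0)
    for label in name.split("."):
        pkt += bytes([len(label)]) + label.encode()
    return pkt + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    gw = DnsGateway(blocklist=["evil.example"])
    fwd, status = gw.outbound(build_packet(0x1234, "www.example.com"))
    scrambled = int.from_bytes(fwd[:2], "big")
    print(f"query 0x1234 forwarded as 0x{scrambled:04x}; spoofed reply:",
          gw.inbound(build_packet(0x4242, "www.example.com", reply=True), now=1.0)[1])
    print("16-bit IDs, 300 pending vs 300 spoofed:", round(spoof_success(300, 300), 2),
          "| with ~32 bits of ID+port:", f"{spoof_success(300, 300, 1 << 32):.1e}")
```

    The two numbers printed at the end are the whole argument for ID scrambling: with 16-bit IDs and a few hundred outstanding queries the attacker wins about three times in four, while adding a random source port pushes the same attack below one in ten thousand.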

    Check Point Active Streaming

    35 The new Active Streaming technology enhances the streaming capabilities that already

    exist in VPN-1 to new levels of inspection. Check Point Active Streaming reassembles

    TCP segments, enabling inspection of complete protocol units before any of them reach

    the client or server.

    Application Intelligence for Additional Protocols

    36 POP3 and IMAP - VPN-1 can verify that the username used to read mail over POP3 or IMAP
    matches the username entered for VPN authentication and/or for UserAuthority authentication.
    In addition, protocol validation, including blocking of binary data, is performed on the
    username and on other protocol elements.

    Sample Attack or vulnerability - A user reading another user's mail.

    Getting Here - To configure username verification, define the gateway object as a Mail Server,
    then edit the Mail Server page of the object and enable the property Verify username with VPN
    tunnel user.

    37 Block Peer to Peer Applications - Peer to peer applications use their own proprietary
    protocols on arbitrary port numbers, and are therefore hard to block using standard methods
    such as the Security rule base. These applications can cause a variety of problems. VPN-1 can
    block the common peer to peer applications, including Kazaa, eDonkey and Gnutella, and gives
    administrators the option to exclude specific ports and network objects from peer to peer
    detection.

    Sample Attack or vulnerability - Exposing private data, exposing the network to viruses and
    Trojan horses, wasting CPU time, consuming storage and bandwidth, wasting employees' time
    and raising legal issues (piracy and intellectual property rights).

    Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > Peer
    to Peer

    38 DCE-RPC - DCE-RPC is a protocol for calling a procedure on a remote machine as if it were a
    local procedure call. The protocol identifies remote interfaces by a Universally Unique Identifier
    (UUID). Many DCE-RPC attacks are based on malformed or objectionable DCE-RPC traffic.

    VPN-1's DCE-RPC packet verification prevents DoS attacks and exploits. VPN-1 validates the
    protocol by authorizing DCE-RPC UUIDs and opening high ports dynamically only if the UUID
    is allowed and the protocol flow is not violated.

    Sample Attack or vulnerability - Blaster Worm, Spike

    Getting Here - Enabled by default in VPN-1's DCE-RPC enforcement.

    39 DCOM Protocol Validation - Recent attacks against DCOM are based on malformed DCOM
    traffic on port 135. VPN-1 allows DCOM communication and traffic for the UUIDs DCOM
    needs, but prevents Blaster and similar attacks.

    Sample Attack or vulnerability - Blaster exploits a buffer overflow in the DCOM RPC service
    on port 135.

    Getting Here - Enabled by default in VPN-1's DCE-RPC enforcement.
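    Items 38 and 39 both come down to the same two decisions on a DCE-RPC BIND: is the PDU framed as the protocol requires, and is the interface UUID it asks for one the policy permits. The following Python is an added example of those checks, not Check Point code. It parses the connection-oriented common header and BIND body, rejects framing violations (the "malformed traffic" case), and drops binds to any interface outside an allow-list. The srvsvc, ISystemActivator and NDR UUIDs are the real well-known values; which interfaces are allowed is an assumed policy, and the BIND PDUs are constructed test vectors, not captured traffic.

```python
import struct
import uuid

# Added example, not Check Point code. The interface UUIDs are the real
# well-known values; which interfaces are *allowed* is an assumed policy.
SRVSVC = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")            # server service
ISYSTEM_ACTIVATOR = uuid.UUID("000001a0-0000-0000-c000-000000000046")  # DCOM activation
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")             # NDR transfer syntax
ALLOWED_INTERFACES = {SRVSVC}

BIND = 11  # PDU type of a connection-oriented BIND request


def parse_bind(pdu: bytes):
    """Return [(context id, interface UUID, interface version)] requested by a
    BIND PDU, raising ValueError whenever the bytes do not fit the DCE-RPC
    connection-oriented header and BIND body layout."""
    if len(pdu) < 16:
        raise ValueError("short common header")
    ver, minor, ptype, _flags, drep, frag_len, auth_len, _call_id = struct.unpack("<BBBB4sHHI", pdu[:16])
    if ver != 5 or minor not in (0, 1):
        raise ValueError("unsupported RPC version")
    if ptype != BIND:
        raise ValueError("not a BIND PDU")
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU length")
    if drep[0] >> 4 != 1:
        raise ValueError("only little-endian data representation handled here")
    if len(pdu) < 28:
        raise ValueError("short BIND body")
    n_ctx = pdu[24]                        # max_xmit(2) max_recv(2) assoc_group(4) then count
    pos, contexts = 28, []                 # count(1) + 3 padding bytes end at offset 28
    for _ in range(n_ctx):
        if pos + 24 > len(pdu):
            raise ValueError("truncated context element")
        ctx_id, n_syntax = struct.unpack("<HB", pdu[pos:pos + 3])
        iface = uuid.UUID(bytes_le=pdu[pos + 4:pos + 20])
        (iface_ver,) = struct.unpack("<I", pdu[pos + 20:pos + 24])
        pos += 24
        if pos + 20 * n_syntax > len(pdu):
            raise ValueError("truncated transfer syntax list")
        pos += 20 * n_syntax               # each transfer syntax is UUID(16) + version(4)
        contexts.append((ctx_id, iface, iface_ver))
    if auth_len == 0 and pos != len(pdu):
        raise ValueError("trailing bytes after context list")
    return contexts


def decide_bind(pdu: bytes, allowed=ALLOWED_INTERFACES):
    """Gateway verdict for a BIND: drop malformed PDUs, drop binds to interfaces
    outside the allow-list, accept the rest."""
    try:
        contexts = parse_bind(pdu)
    except ValueError as e:
        return "drop", f"malformed: {e}"
    for _ctx_id, iface, _ver in contexts:
        if iface not in allowed:
            return "drop", f"interface {iface} not authorised"
    return "accept", f"{len(contexts)} context(s) on authorised interfaces"


def build_bind(iface: uuid.UUID, version: int = 3, call_id: int = 1) -> bytes:
    """Constructed BIND PDU with one presentation context and NDR as the only
    transfer syntax (a test vector, not captured traffic)."""
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0)      # frag sizes, assoc group, 1 context
    body += struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<I", version)
    body += NDR32.bytes_le + struct.pack("<I", 2)
    head = struct.pack("<BBBB4sHHI", 5, 0, BIND, 0x03, b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return head + body


if __name__ == "__main__":
    for name, iface in (("srvsvc", SRVSVC), ("ISystemActivator", ISYSTEM_ACTIVATOR)):
        print(name, "->", decide_bind(build_bind(iface)))
    print("truncated ->", decide_bind(build_bind(SRVSVC)[:40]))
```

    The frag_length check is the one that matters most for robustness: a PDU whose declared length disagrees with what arrived is exactly the input that trips naive parsers, so it is rejected before any field beyond the fixed header is read.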

    40 SNMP Version Enforcement - SNMPv3 is much more secure than earlier versions.

    VPN-1 will verify that all SNMP traffic is from version 3. The default is set to allow all

    SNMP traffic but if you switch to SNMPv3, all traffic from earlier versions is blocked.

    Sample Attack or vulnerability - SNMPv2 trivial communities; data is not encrypted,

    poor authentication mechanisms.

    Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence >

    SNMP and enable Allow only SNMPv3 traffic.


    41 Communities Block-list - Common network devices ship with default, well-known community
    strings. These communities are often not disabled, leaving an easy way to gain unauthorized
    SNMP access to the device. VPN-1 enforces a community-string block-list, blocking SNMPv2
    and earlier connections that use these trivial community strings.

    Sample Attack or vulnerability - SNMPv2 trivial communities

    Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence >
    SNMP and enable Drop requests with default community strings for SNMPv1 and SNMPv2.

    42 MS-SQL - An administrator can now block the Slammer worm on the SQL Server monitoring
    (resolution) service, UDP port 1434, by matching pre-defined patterns.

    Sample Attack or vulnerability - Slammer worm

    Getting Here - In SmartDashboard, include the service MSSQL_Resolver in an access rule in the
    Security rule base.

    Malicious Activity Prevention

    43 Malicious Code Protector - Most HTTP worms and exploits take advantage of buffer overflow
    vulnerabilities. Such a vulnerability is generally the result of mishandling the length of input: an
    attacker sends an oversized buffer, which the application copies over a smaller buffer, corrupting
    memory. The memory corruption can lead to any of the following:

    abrupt termination of the application

    a denial of service

    in the event of a well-crafted attack, execution of the attacker's code

    Malicious Code Protector is a Check Point patent-pending technology that blocks attackers
    from sending malicious code to target servers and applications. It detects malicious executable
    code within communications by identifying not only the existence of executable code in a data
    stream but also its potential for malicious behavior. Malicious Code Protector is a kernel-based
    protection delivering wire-speed performance. Its core functions are:

    Monitor communication for potential executable code

    Confirm the presence of executable code

    Identify whether the code is malicious

    Block malicious executable code from reaching the target host

    It is important to understand that this defense does not rely on pattern detection, which means
    it can stop both known and unknown attacks.

    Sample Attack or vulnerability - Common worms such as Nimda and Code Red, and many
    exploits such as the IIS WebDAV exploits.

    Getting Here - In SmartDashboard, select Web Intelligence > Malicious Code > Malicious
    Code Protector.

    General

    44 DCE-RPC can now communicate over ports other than 135.

    45 Multicast traffic can now be allowed or blocked for each multicast group. Configuration

    is per interface. For example, define a new object called multicast address range, and use it

    when defining the network topology on the interface.

    46 IPv6 security is now supported on the Linux platform.

    47 NAT hide can now be defined for PPTP clients.

    48 Authentication capabilities have been enhanced to better protect against brute force

    attacks.

    49 It is now possible to disable the logging of anti-spoofing activity of local interfaces and

    clusters.

    50 Individual interfaces can now be configured to accept or block traffic from specific

    multicast groups.

    51 ISP redundancy on the Nokia platform is now supported.

    52 ISP Redundancy DNS features can now be configured using SmartDashboard.

    53 The SmartDefense service now protects IPv6 networks.

    54 SmartDefense update can now traverse web proxy with authentication.

    55 It is now possible to define a name for each security rule. The rule name appears in the logs
    created by that rule and persists across policy changes.

    56 Enhanced SmartDefense updates infrastructure with improved inspection capabilities.


    VPN

    In This Section

    VPN Routing page 14

    VPN Tunnel Management page 15

    Multiple Entry Point (MEP) and VPN Load Distribution page 15

    VPN-1 Clusters page 16

    PKI, PKCS page 16

    NAT with VPN page 16

    VPN-1 Diagnostics (Logging, Monitoring, Planning) page 16

    Connectivity page 16

    Office Mode page 17

    L2TP Clients page 17

    Multicast page 17

    Route Injection Mechanism (RIM) page 17

    VPN Routing

    1 To tighten security and enhance the granularity of the VPN security policy, VPN rules can
    now be enforced by the direction of a connection. For example, it is possible to define the
    following in the VPN column:

    Source          Destination
    Community A     Community B
    Community A     Any
    Local domain    Community A
    Local domain    Remote Access Community

    2 OSPF/BGP over VPN is enabled with the VPN-1 gateway on SecurePlatform and IPSO. Every
    VPN tunnel is represented as a virtual adapter, enabling encapsulation of OSPF and BGP traffic.
    These virtual adapters can be used to establish integrated dynamic routing configurations with
    the routing domains in the protected networks. In effect this new technology unifies all the
    VPN-protected networks into one dynamically adaptable network.


    3 Backup links and on-demand links are supported through multiple VPN links between VPN-1
    gateways. Multiple VPN links are available when a single VPN-1 gateway is connected to
    multiple network infrastructures (for example, multiple ISPs), so two VPN gateways may have
    several paths they can use to reach each other. Also new are Link Selection mechanisms, which
    provide additional methods of resolving a gateway's IP address, such as defining a fixed IP
    address that is always used, or defining a DNS name to be resolved, which is most useful for
    gateways with dynamically allocated IP addresses.

    4 GRE is now supported over IPsec, in order to interoperate with devices that support dynamic
    routing over the VPN only with GRE.

    5 Wire mode VPN is now available: for internal (trusted) VPN connectivity, security checks on
    VPN traffic are reduced.

    6 On Linux, SecurePlatform, and SecurePlatform Pro, encrypted packets are now routed again
    after they are encrypted (at which point the destination has been changed to the peer gateway's
    IP address). This behavior already takes place on Nokia platforms.

    VPN Tunnel Management

    7 VPN tunnels may now be defined on VPN-1 gateways. The functionality is accessed

    using the command line interface to the gateway. This extends the interface to external

    management tools for Check Point gateways.

    8 VPN links can now be configured to be always on. This feature enables:

    VPN link (tunnel) monitoring - link-properties, link-state, traffic through the link

    and more. Better support of sensitive applications for link setup delays.

    Configuration of Route Injection Mechanism when using MEP.

    Alert upon tunnel failure

    9 SmartView Monitor can now monitor VPN tunnels. SmartViews of VPN tunnel

    properties and status, both for site to site and for remote access VPN, are now available.

    Multiple Entry Point (MEP) and VPN Load Distribution

    10 For site to site VPN, Explicit MEP configuration is now available at the center of a star

    community. There are several methods to connect to the MEP gateway, including

    explicit priority among entry points (which is independent of the VPN domain

    definition of entry points). For Remote Access VPN, the old MEP configuration still

    exists.


    VPN-1 Clusters

    11 By enabling the new Sticky Decision Function, ClusterXL Load Sharing now supports:

    VPN routing of third party gateways that require stickiness

    SecureClient Visitor mode

    SSL Network Extender clients

    L2TP and Nokia clients

    Support for these features requires certain additional configuration. Consult the

    ClusterXL guide for more details.

    PKI, PKCS

    12 Internal CA diagnostics are now available through SmartView Monitor.

    13 Internal CA enhancements include:

    Certificate enrollment using PKCS#10 is available.

    Generating a certificate as a PKCS#12 file (used in a CAPI token)

    Additional, configurable level of administration privileges

    14 Certificate enrollment to a VPN-1 module using SCEP and CMP protocols is now

    available.

    15 Online Certificate Status Protocol (OCSP) is now supported.

    16 An existing CA certificate can now be replaced with a newer one in a VPN-1 system, provided
    that the new certificate carries the same key pair (the same public key) as the certificate it
    replaces.

    NAT with VPN

    17 SecureClient now supports NAT-T.

    VPN-1 Diagnostics (Logging, Monitoring, Planning)

    18 The usability of VPN activity logs has been enhanced.

    Connectivity

19 SecuRemote/SecureClient can now resolve the address of the remote gateway by using one of the following link selection methods:

Main IP / Single IP

Topology calculation

RDP probing, which allows the possibility of configuring the primary interface and a manual IP list for probing.

20 The encryption domain of the gateway can now be defined differently for site-to-site VPN and for remote access VPN.

21 Third party DAIP gateways and externally managed DAIP gateways are now supported with certificate authentication.

    Office Mode

    22 Office Mode assignment can now be used to access other gateways in the site.

    23 A RADIUS server can now be used for Office Mode IP assignment.

    L2TP Clients

24 Legacy authentication schemes, such as Check Point password, OS password, RADIUS, LDAP, TACACS, etc., are now supported for L2TP clients.

Multicast

25 Through the use of VPN Virtual interfaces, multicast traffic can now be encrypted and passed through VPN tunnels.

    Route Injection Mechanism (RIM)

26 RIM is now supported both with and without MEP. It can be configured under the Tunnel Management page of the community.


    SecuRemote/SecureClient

In This Section

NAT with VPN page 18

User Experience page 18

Connectivity page 18

Office Mode page 19

Desktop Security page 19

Secure Configuration Verification (SCV) page 19

Windows XP-specific Issues page 20

Miscellaneous page 20

SecureClient Software Distribution Server (SDS) page 20

NAT with VPN

1 SecureClient now supports NAT-T.

User Experience

2 The SecuRemote/SecureClient user interface now supports the following languages: English, French, Italian, German and Spanish.

3 The Hotspot Registration feature now limits the number of unsuccessful registration attempts and disables registration IP addresses once the client connects.

Connectivity

4 In an MEP configuration, the client MEP decision can be disabled, in which case the client connects to the gateway specified in the profile.

5 In an MEP configuration, a backup gateway can be specified in a centrally managed connection profile. If so specified, and the primary gateways are unreachable, SecuRemote/SecureClient connects to the specified backup gateway and does not perform an MEP decision.

6 The encryption domain of the gateway can now be defined differently for site-to-site VPN and for remote access VPN.

7 SecuRemote/SecureClient can now resolve the address of the remote gateway by using one of the following link selection methods:

Main IP / Single IP

Topology calculation

RDP probing, which allows the possibility of configuring the primary interface and a manual IP list for probing.

    Office Mode

    8 Office Mode assignment can now be used to access other gateways in the site.

    9 A RADIUS server can now be used for Office Mode IP assignment.

10 VPN-1 Pro gateway DHCP requests can contain various client attributes that allow DHCP clients to differentiate themselves. The attributes are pre-configured on the client side operating system, and can be used by different DHCP servers in the process of distributing IP addresses. VPN-1 Pro gateway DHCP requests can contain the following attributes:

    Host Name

    Fully Qualified Domain Name (FQDN)

    Vendor Class

    User Class

    Desktop Security

11 When policy expiration is enabled and SecureClient is connected, it will attempt to update the policy every expire_time/2. If it fails to update the policy, SecureClient will not revert to the default policy.

12 Desktop security rules now support RADIUS groups.

13 Policy server logon is by default set to the Policy Server on the gateway to which you connect. Centrally managed profiles can be configured to direct logons to a different Policy Server. Perform the following:

1 Specify the Policy Server in the profile.

2 Use the dbedit database tool to set the property use_profile_ps_configuration to true.

    Secure Configuration Verification (SCV)

14 When enforcing Secure Configuration Verification on simplified mode VPN (VPN-1 communities), specific hosts and services may be defined as exceptions to the rule (e.g., to allow anti-virus updates, even if the client machine is not verified).


15 SecuRemote (which does not support SCV) can be regarded as verified when SCV is enforced. To enable this, set scv_allow_sr_clients to true in userc.c (by default this value is set to false). This global flag can be overridden by the administrator by setting the matching flag in the topology, using the dbedit tool.

    16 OS Monitor is now supported on Windows 2003 Server.

17 The greater-than operator (>) is supported in signature file comparison in the AntiVirus monitor.

18 ZoneAlarm Pro antivirus signature version validation is supported in the AntiVirus monitor.

    19 The following enhancements for SCV monitors are now available:

You can now check keys under HKCU, HKU and HKLM in the Registry Monitor.

While in Secure Domain Logon (SDL), each check under the Registry Monitor, OS Monitor and Browser Monitor can be disabled.

Windows XP-specific Issues

    20 Improved integration with Windows XP SP2 Firewall.

    Miscellaneous

    21 The following R56 local attributes can now be centrally managed:

    Hotspot registration configuration

    Disconnect_when_in_enc_domain

    Simplified_client_route_all_traffic

    22 SecureClient now reports the following parameters to User Monitor:

    OS version, Client version and build

    last known SCV failure reason

23 Secure Domain Logon (SDL) by default will not be part of the Windows logon procedure when the client machine is part of the encryption domain. To force SDL when inside the encryption domain, use the Windows Registry editor to set SdlIgnoreEncDomain to 0 (DWORD) in HKLM\Software\CheckPoint\SecuRemote.

24 VPN-1 Pro now enforces the number of licensed remote access connections; this includes the number of SecuRemote clients allowed according to the gateway size plus the number of SecureClient licenses.

SecureClient Software Distribution Server (SDS)

    25 The SDS server and the SDS agent are no longer part of the SecureClient product.


    Integrity

1 Integrity Product Family achieves Total Access Protection for all PCs that connect to your network. Check Point Integrity endpoint security products ensure that both employee and guest users' PCs are secure before they're granted network access. By stopping worms, spyware, and hacker attacks, Integrity maintains business continuity, supports regulatory compliance, and protects you against financial loss due to endpoint attacks.

2 Integrity client and server software secures all networked PCs by centrally managing proactive defenses and enforcing policy compliance.

3 Integrity for Linux offers enterprises easy-to-manage endpoint security for the growing number of Linux workstations, providing sophisticated attack protections coupled with centralized policy deployment and reporting.

4 Integrity SecureClient unites the complementary strengths of VPN-1 SecureClient and Integrity to deliver the most advanced remote access, endpoint security, and access policy enforcement.

5 Integrity Clientless Security mitigates risks posed by employee and guest endpoints accessing enterprise resources via the Web. It delivers spyware disablement, ensures session confidentiality, and enforces network access policy.

6 Integrity Desktop delivers preemptive protection against the latest worms, viruses, spyware, and hacker attacks.

    SSL Network Extender

1 The SSL Network Extender is now centrally managed, and can be configured in SmartDashboard.

2 SSL Network Extender now supports SecureID's New PIN Mode and password changes for RADIUS and LDAP authentication servers.

    3 SSL Network Extender now supports ICS.

4 SSL Network Extender clients are supported on ClusterXL gateways in Load Sharing mode when the Sticky Decision Function is enabled.

5 SSL Network Extender now supports Integrity Clientless Security (ICS) version 3.0, including Integrity Secure Browser (ISB).

6 The SSL Network Extender end-user interface can now be customized, as well as localized for the following languages (user-selectable):

English

French

Italian

German

Spanish

Japanese

Traditional Chinese

Simplified Chinese

Portuguese (Brazilian)

Hebrew

SmartCenter

Cloning Network Objects

1 Networks and Host Nodes can now be cloned with a right click. The newly created object has field values in common with the original object.

    SmartGroups

2 Groups can be viewed hierarchically in the Objects Tree. Additionally, a new feature in SmartDashboard allows you to configure group conventions. When you do so, SmartDashboard makes suggestions to assign newly created objects to groups based on their name, color or network location.

    Tooltips

3 Details about a network object or service, such as IP/port, version, and comment, are now visible within SmartDashboard rule bases without opening the object or service.

Unique Rule Identifier

4 A new feature in SmartView Tracker allows you to open SmartDashboard to the rule that a certain connection matched on. Also, an enhanced rule filter provides the ability to search within SmartView Tracker for other connections that matched on that rule, either by rule number or unique rule ID. A new feature in SmartDashboard allows you to view all logs generated for a certain rule.

Improved Manageability of Administrators

5 In this release, cpconfig allows the definition of just one administrator. Others can be added through SmartDashboard. All cpconfig administrators can be converted to administrators in SmartDashboard by using the $FWDIR/bin/cp_admin_convert tool.


    Mandatory Session Description

6 SmartDashboard users can now be compelled to enter a session ID describing the changes they have made. This provides a better ability to track database changes in the audit logs.

GUI Client Disconnect

7 When logging into a SmartCenter Server, an administrator can now disconnect other users who are logged in and locking the database.

Central Management for Connectra

8 Connectra devices are now part of Check Point's centralized SMART management, integrating security, monitoring, logging, reporting, updating and intelligent information processing in a single interface.

Web-Based Access to SmartCenter: SmartPortal

9 SmartPortal is a web-based management tool providing a centralized view of security policies, network and security activity status, and administrator information. This web-based access to SmartCenter extends the visibility of security policies to groups outside of the IT security team and enables collaborative management of SmartCenter administrators.

    VPN-1 Edge

1 VPN-1 Pro now supports VPN-1 Edge behind NAT devices. This can be implemented by using NAT traversal (port 4500), which encapsulates the IKE/IPSec traffic in UDP packets, between the VPN-1 Edge device and the VPN-1 Pro.

    2 Enhanced VPN-1 Edge configuration in SmartDashboard, including:

    time of log generation and forwarding

    time at which the VPN-1 Edge device is updated with new configuration settings

content filtering (CVP and UFP)

Unrestricted mode (connections from centrally managed peers that do not undergo access control or NAT)

    3 VPN-1 Edge (with firmware 4.5 or higher) is now integrated with Eventia Reporter.

4 Excluded Services are now supported with VPN Communities that contain SofaWare entities.

5 VPN-1 Edge Web UI can now be launched from within SmartDashboard, as follows:

Select a VPN-1 Edge object in the Objects tree, right click and choose Manage Device in the displayed menu.

In the VPN-1 Edge Object's General Properties page, click Configure Edge Using Web Interface.

6 VPN Enhancements: VPN-1 Edge now supports different IKE methods, rules with communities in the VPN column, Multiple Entry Point (MEP) enhancements, shared secrets, excluded services, as well as Link Selection.

7 Content filtering for VPN-1 Edge can now be centrally managed from SmartCenter. This can be done using the Content Filtering section of the VPN-1 Edge page of the Global Properties, or the Content Filtering page of the VPN-1 Edge object. The configuration includes specifying OPSEC UFP, CVP & SMTP servers, and determining which Edge devices use UFP/CVP.

8 NAT rules can now be configured and installed on VPN-1 Edge gateways. NAT rules can either be manual, by placing a VPN-1 Edge gateway in a NATed rule in the Install On column, or automatic, by choosing a VPN-1 Edge gateway as the Install On gateway in the network object's NAT page.

9 A High Availability (HA) deployment can now be configured for VPN-1 Edge devices using SmartCenter. Configuring HA for VPN-1 Edge is done in the VPN page of the VPN-1 Edge Gateway Object's Properties window. Select Use Backup Gateways and specify the (VPN-1 Edge) gateway that will function as the backup gateway.

10 A configuration script can now be added to the VPN-1 Edge object window. This script is downloaded to the VPN-1 Edge device. It controls various features and settings (for example QoS settings, Wireless settings).

    SmartView Monitor

    1 SmartView Monitor has become a new monitoring application that combines the

    functionality of the following applications:

    SmartView Status

    SmartView Monitor

    User Monitor

In addition it has new capabilities. The GUI is an MDI (Multi-Document Interface) application that allows users to see side-by-side multiple views of traffic in different aspects.

2 It is now possible to monitor the following elements in SmartView Monitor Traffic Monitoring:

Traffic by top or specific tunnels

Traffic by top or specific interfaces


    Packet size distribution

    Traffic by top individual connections

    Connection direction filter

3 Tunnel Monitoring is a new feature that allows the user to view the current gateway-to-gateway tunnels in the organization. The user can define filters to present specific tunnels, as well as display tunnel state and other properties. The user can also reset a tunnel and drill down to view its traffic.

4 SmartView Monitor now has new ways of presenting traffic monitoring:

Traffic data can now be presented in a pie graph or in a table.

After drilling down into data, a back button is now available to undo drill downs.

Exporting to HTML is now possible.

Inbound and outbound traffic can now be viewed side by side.

5 The various SmartView Status applications have been replaced with Gateway views. SmartView Monitor now presents a table view that displays all gateways and configurable status columns. In addition there is a detail view that allows browser-like drill down.

    Eventia Reporter

1 Eventia Reporter Add-On and Eventia Reporter Server can now be installed on a Solaris 64-bit platform.

2 Eventia Reporter is faster than previous versions.

Report generation: a report based on 20 GB of logs can be generated in little over an hour.

Log consolidation: the log consolidator can process 32 GB per day (without DNS).

3 Eventia Reporter now provides more flexible and meaningful report content.

Clearer Reports

Unnecessary details and sections have been removed from the reports. By default, graphs are only created for time/date reports so as to achieve a smaller output.

Internal filters

Internal filters are displayed for better report comprehension and flexibility. A user can now filter reports based on communication direction, firewall action, VPN-1 fields, email sender/recipient, etc.

4 Consolidator and database management controls have moved from the SmartDashboard and are now integrated in the Reporter Client.


5 When the database grows too large, the Reporter can automatically archive or delete the oldest records. Database maintenance can be defined in terms of database space or record age.

6 Provider-1 now supports log-based reports.

7 Improved Security Rule support:

Rule name support: users can now tag rules with names. Names will be displayed in reports and can be used in filters.

UUID support for rules can be used to track rule usage regardless of their location in the Rule Base.

Rule Base Activity: the Rule Base Analysis report includes a section that shows all rules in a policy and their usage.

Support for Rule Base policies in reports.

    SmartUpdate

1 Packages can now be distributed to remote devices and then installed at a later date. This is beneficial in a number of ways:

The risk of a loss of connectivity during installation is minimized, as the package is delivered to the remote device before the remote install command is issued.

Upgrade performance is improved, as packages can be transferred in parallel to multiple devices.

The process is now more efficient, as it can more easily be performed after hours, when the load on the network is lower.

Downtime due to upgrade is reduced.

2 SmartUpdate can now upgrade remote devices to versions earlier than that of the management server. Earlier versions supported are R54, R55, R55W, and R55P, and their respective HFAs.

3 The Upgrade All option in SmartUpdate allows Nokia platforms to be upgraded to any IPSO OS version. To do so, the desired Nokia IPSO OS package must first be added to the SmartUpdate Package Repository and set as the default package, followed by selecting the Upgrade All option.

4 SmartUpdate supports an automatic revert from an unsuccessful upgrade when upgrading SecurePlatform gateways. SmartUpdate creates the image backup before the upgrade starts. Should the upgrade not complete successfully, the SecurePlatform machine will revert to the backed up image.

5 SmartUpdate supports the CPInfo utility. The CPInfo utility runs on remote gateways and/or the SmartCenter server, and collects information about that machine into a single text file. This text file is fetched and accessible from the GUI machine.


6 The SmartUpdate command line tool can make a snapshot of the SecurePlatform machine. A list of currently available snapshots on a machine can be compiled and used to revert a machine to one of the snapshots.

SmartLSM

1 When defining the VPN Domain for VPN-1 Express/Pro or VPN-1 Edge ROBO Gateways, the user should use the new Topology table available in the SmartLSM GUI (or the parallel capabilities of LSMcli). It is possible to define the VPN Domain for a ROBO Gateway in one of the following ways:

Use the external IP address of the Gateway only

VPN Domain includes all of the networks behind the Gateway's internal interfaces (based on topology)

VPN Domain consists of manually defined IP address ranges

2 Controlling the settings of internal interfaces of VPN-1 Edge ROBO Gateways is now supported from the centralized SmartLSM management. The following settings can be controlled and enforced on the VPN-1 Edge ROBO Gateway:

Interface is enabled/disabled

Interface IP address and netmask

NAT Hide of the network behind the interface is enabled/disabled

DHCP server on the interface is enabled/disabled

Range of IP addresses distributed by the DHCP server

DHCP server serves as a relay to another external DHCP server

3 It is now possible to launch the VPN-1 Edge Portal Web GUI from the context menus of items representing VPN-1 Edge gateways and VPN-1 Edge ROBO Gateways in the SmartLSM main view.

    SecurePlatform

    Installation

1 SecurePlatform can be installed in two flavors: the regular flavor, and the SecurePlatform Pro flavor. SecurePlatform Pro is an enhanced version of SecurePlatform. SecurePlatform Pro adds advanced networking and management capabilities to SecurePlatform such as:

Dynamic routing

RADIUS authentication for SecurePlatform administrators

To install SecurePlatform Pro, select the SecurePlatform Pro option during the installation.

To convert regular SecurePlatform to SecurePlatform Pro, from the expert mode command line run: pro enable.

For information regarding advanced routing, see the Check Point Advanced Routing Suite guide.

2 In this release, the SecurePlatform installation allows adding new hardware drivers for mass storage and networking devices during the installation phase.

3 There is a change in behavior from R55 and earlier SecurePlatform versions. When no key is pressed after the SecurePlatform installation has begun, the installation will be aborted, and the system boots from the hard disk.

    General

4 Speed/Duplex settings of Ethernet interfaces can be controlled using the eth_set utility in the command line, or by using the WebUI. The interface settings configured via the WebUI or via the command line utility will survive reboot and become persistent.

5 The patch add command now supports scp as one of the options, allowing convenient and secure transfer of patch files to SecurePlatform.

6 VPN-1 log files are not included in the backup operation by default.

7 The display of time zones in the command line was changed from the POSIX convention to the commonly accepted convention. For example, for a region located two hours to the east of the GMT region, the time zone will show GMT+2 and not GMT-2, as in earlier versions.

8 During the installation of SecurePlatform, one interface is selected as the management interface. The IP address of this interface cannot be set to 0.0.0.0, as this will disrupt operation of the product. The commands sysconfig and ifconfig enforce this limitation in this release. If a specific interface must receive the IP address 0, a different interface must first be configured to be the management interface, and then the IP address 0.0.0.0 can be assigned to the specific interface.

    User Experience

9 Starting with this release, Netscape 7.1 is supported for use with the administration WebUI. This allows using the WebUI from non-Windows systems.

Note - SecurePlatform Pro requires a separate license that must be installed on the SmartCenter Server that manages the SecurePlatform Pro enforcement modules.


    ClusterXL

    Configuration

1 ClusterXL has a new (and optional) packet distribution scheme for Load Sharing which is supported with the two Load Sharing modes: Multicast and Unicast. In the new distribution scheme (called Sticky Decision Function), a connection that started on a certain cluster member will continue to pass only through that member. The Sticky Decision Function is not supported with Performance Pack or with an Acceleration device.

VPN-1 Clusters

2 ClusterXL Load Sharing now supports SecureClient visitor mode and SSL Network Extender clients when the Sticky Decision Function is enabled.

3 Third party peers can now open VPN tunnels on ClusterXL in Load Sharing mode with the Sticky Decision Function enabled.

4 ClusterXL Load Sharing now supports VPN routing configuration, in which both sides of the connection are encrypted, for peer gateways of third parties, such as Cisco, which require stickiness. This support is limited to when the Sticky Decision Function is enabled, and requires certain additional configuration. Consult the ClusterXL guide for more details.

    Supported Features

    5 Dynamic routing is now supported in SecurePlatform clusters.

6 Multicast data traffic is supported on ClusterXL in High Availability mode, and in Load Sharing mode under certain conditions. Refer to the Release Notes for more details.

    Performance Pack

    1 BGE interface is now supported on Solaris.

    2 SmartView Monitor is now supported by Performance Pack.

    3 Dynamic Routing changes are now supported by Performance Pack on SecurePlatform.

    VSX

1 SmartCenter Server can now manage the following versions of VSX:

VSX 2.0.1

VSX NG AI

VSX NG AI Release 2

2 For more information on these releases, please see the documentation at http://www.checkpoint.com/support/technical/documents/index.html .

    QoS

1 The license for QoS Express should be installed on the SmartCenter server instead of on the Enforcement module. QoS supports licenses for 1, 3 or 5 modules. These licenses should be added via SmartUpdate and then attached to the SmartCenter Gateway Object.

2 QoS is now supported by and can run on the same Enforcement Module that runs Web Intelligence.

    UserAuthority

1 UserAuthority now supports outbound identity-based access control for non-TCP connections.

2 User credentials can now be fetched using UserAuthority Servers on other SIC domains.