
    Check Point® Enterprise Suite NGX (R60)

    Release Notes

    October 25, 2007

    Copyright © 2006 Check Point Software Technologies, Ltd. All rights reserved.

    In This Document

    Information About This Release

    This document contains important information not included in the documentation. Review this information before setting up Check Point NGX (R60).

    In This Section

    License Upgrade Requirement

    To upgrade to NGX R60, you must first upgrade licenses for all NG products, as NGX R60 will not function with licenses from previous versions. The utility license_upgrade is included on the CD at <OS>\license_upgrade. See the Upgrade Guide for instructions.

    IMPORTANT: Before you begin installation, read the latest available version of these release notes at: http://www.checkpoint.com/support/technical/documents/docs_r60.html

    Information About This Release page 1

    Resolved Limitations page 11

    Clarifications and Limitations page 18

    License Upgrade Requirement page 1

    NGX (R60) Products by Platform page 2

    Build Numbers page 4

    Non-upgradable Products page 4

    Minimum Hardware Requirements page 5

    Maximum Number of Interfaces Supported by Platform page 8

    Minimum Software Requirements page 9

    The Regular Expression (RX) Library page 10


  • Information About This Release — NGX (R60) Products by Platform

    NGX (R60) Products by Platform

    Platforms (table columns):

    • Solaris UltraSPARC 8 & 9 (1)

    • RHEL 3.0, kernel 2.4.21

    • Check Point SecurePlatform

    • Nokia IPSO 3.9 & 4.0

    • Mac OS X

    • Microsoft Windows: Server 2003; 2000 Advanced Server (SP1-4); 2000 Server (SP1-4); 2000 Professional (SP1-4); XP Home & Professional; 98 SE & ME; Hand-Held PC 2000 & Pocket PC 2003

    Products (table rows; numbers in parentheses refer to the notes below; the per-platform support marks of the original table are not recoverable from this copy):

    • SmartConsole GUI (2)

    • VPN-1 Pro Module (including QoS, Policy Server)

    • SmartCenter Server (including VSX) (3)

    • SmartPortal

    • SecuRemote

    • SecureClient

    • ClusterXL (VPN-1 Pro Module) (4) (5)

    • UserAuthority (Management Add-on only) (6)

    • Eventia Reporter - Server (7)

    • SmartView Monitor

    • VPN-1 Accelerator Driver II (8)

    • VPN-1 Accelerator Driver III

    • Performance Pack (9)

    • SmartLSM - GUI

    • SmartLSM - Enabled Management

    • SmartLSM - Enabled ROBO Gateways

    • SmartLSM - Enabled CO Gateways

    • Advanced Routing (10)

    • SecureXL Turbocard

    • SSL Network Extender - Server

    • SSL Network Extender - Client

    • Provider-1/SiteManager-1 Server

    • Provider-1/SiteManager-1 GUI

    • OSE Supported Routers: Nortel Versions: 7.x, 8.x, 9.x, 10.x, 11.x, 12.x, 13, 14; Cisco OS Versions: 9.x, 10.x, 11.x, 12.x

    Release Notes for Check Point NGX (R60). Last Update — October 25, 2007 2


    Notes to Products by Platform Table

    1) See “Minimum Software Requirements” on page 9 for Solaris platforms.

    2) The following SmartConsole Clients are not supported on Solaris UltraSPARC: Eventia Reporter Client, SmartView Monitor, SmartLSM and the SecureClient Packaging Tool.

    3) VPN-1 Edge devices cannot be managed from a SmartCenter server running Nokia IPSO.

    4) HA Legacy mode is not supported on Windows Server 2003.

    5) ClusterXL supported only in third party mode with VRRP or IP Clustering.

    6) UserAuthority is not supported on Nokia flash-based platforms.

    7) On Nokia IPSO, Eventia Reporter is only supported as a Management Add-on, and only on disk-based platforms.

    8) VPN-1 Accelerator Driver II is supported on Solaris 8 only.

    9) Nokia provides SecureXL as part of IPSO.

    10) Nokia provides Advanced Routing as part of IPSO.


    Build Numbers

    The following table lists all NGX (R60) software products available, and the build numbers as they are distributed on the product CD. To verify each product’s build number, use the given command format or direction within the GUI.

    Non-upgradable Products

    The following Check Point products cannot be upgraded to NGX (R60).

    • VPN-1 SmallOffice

    • VPN-1 Net

    • FireWall-1 4.1

    Product | Build No. | Viewable via CLI Command or GUI Selection
    VPN-1 Pro | 457 (Windows), 458 (all others) | fw ver
    SmartCenter | 387 | fwm ver
    SecureClient Policy Server | 24 | dtps ver
    SmartView Monitor Server | 134 | rtm ver
    QoS | 47 | fgate ver
    SVN Foundation | 562 | cpshared_ver
    NG Compatibility Package | 57 | fw_loader -v
    R55W Compatibility Package | 12 | fw_loader ver
    VPN-1 Edge Compatibility Package | 650 | fw ver
    VPN-1 Edge S series | 5.0.58s | Displayed on the default portal page
    VPN-1 Edge X series | 5.0.50x (or 5.0.57x) | Displayed on the default portal page
    SmartConsole Client Package | 654* | *Viewable as part of package filename
    SmartConsole clients (SmartDashboard, SmartView Tracker, SmartView Monitor, Eventia Reporter Client, Packaging Tool, SmartLSM, SmartUpdate) | 41831531583418260315 (the individual build numbers are run together in this copy) | From the Help menu of each SmartConsole client, select About Check Point
    UserAuthority Server | 30 | uas ver
    Eventia Reporter Server | 339 | SVRServer ver
    SecuRemote/SecureClient | 619 | From the Help menu, select About
    SecurePlatform | 244 | ver
    Performance Pack | 79 | sim ver -k
    VPN-1 HW Accelerator II | 13 | n/a
    VPN-1 HW Accelerator III | 20004 (Windows), 20004 (Solaris), 20007 (Linux) | n/a


    Minimum Hardware Requirements

    In This Section

    Windows & Linux Platforms

    Minimum Requirements for VPN-1 Pro

    On Windows and Linux platforms, the minimum hardware requirements for installing a VPN-1 Pro SmartCenter Server, Enforcement Module or SmartPortal are:

    • Intel Pentium II 300 MHz or equivalent processor

    • 300 MB free disk space

    • RAM

    • Windows: 256 Mbytes

    • Linux: 128 Mbytes (256 Mbytes recommended)

    • One or more network adapter cards

    • CD-ROM Drive

    Minimum Requirements for SmartConsole (Windows only)

    On Windows platforms, the minimum hardware requirements for installing a SmartConsole, which includes SmartDashboard, SmartView Tracker, SmartView Monitor, Eventia Reporter, SmartUpdate, SmartLSM and User Monitor, are:

    • Intel Pentium II 300 MHz or equivalent processor

    • 100 MB free disk space

    • 256 Mbytes RAM

    • One network adapter card

    • CD-ROM Drive

    • 800 x 600 video adapter card

    Minimum Requirements for SecuRemote/SecureClient

    On Windows, Linux and Mac OS X platforms, the minimum hardware requirements for installing SecuRemote/SecureClient are:

    • 40 MB free disk space

    • 128 MB RAM

    Windows & Linux Platforms page 5

    Solaris Platforms page 7

    SecurePlatform page 8


    Minimum Requirements for Eventia Reporter

    The following minimum hardware requirements were designed so that the Eventia Reporter Server can process a volume of about 3 GB of logs per day and generate reports within the stated performance numbers. If fewer logs are produced per day, you can use a machine with less CPU or memory; this may, however, degrade performance. In addition, if your machine has less physical memory, you will need to change the database cache size; follow the instructions in the Eventia Reporter User Guide, under the section Changing the Eventia Reporter Database Cache Size.

    On Windows and Linux platforms, the minimum hardware requirements for installing Eventia Reporter are:

    • Intel Pentium III 1000 MHz or equivalent processor

    • 60 MB disk space for installation

    • 40GB disk space for database

    • 1GB RAM

    • One network adapter card

    • CD-ROM Drive

    • 1024 x 768 video adapter card

    The following is also recommended:

    • Configure the network connection between the Eventia Reporter Server machine and the SmartCenter or Log server for the optimal speed.

    • Use the fastest disk available, with a high RPM (revolutions per minute).

    • Increase the machine's memory; this significantly improves performance.

    • Install an uninterruptible power supply (UPS) for the Eventia Reporter Server machine.

    Nokia Platforms

    NGX (R60) supports the following Nokia platforms:

    IP120, IP130, IP260, IP330, IP350, IP380, IP530, IP650, IP710, IP740, IP1220, IP1260

    and the following flash-based Nokia Platforms:

    IP265, IP355, IP385, IP1225, IP1265, IP2250


    Solaris Platforms

    Minimum Requirements for VPN-1 Pro

    On a Solaris platform, the minimum hardware requirements for installing a VPN-1 Pro SmartCenter Server, Enforcement Module or SmartPortal are:

    • UltraSPARC II

    • 100 MB free disk space for installation

    • 128 Mbytes RAM, 256 Mbytes recommended

    • One or more network adapter cards

    • CD-ROM Drive

    Minimum Requirements for SmartConsole

    On a Solaris platform, the minimum hardware requirements for installing a SmartConsole, which includes SmartDashboard, SmartView Tracker, SmartView Monitor, Eventia Reporter, SmartUpdate, SmartLSM and User Monitor, are:

    • UltraSPARC III

    • 100 MB free disk space for installation

    • 128 Mbytes RAM

    • One network adapter card

    • CD-ROM Drive

    • 800 x 600 video adapter card

    Minimum Requirements for Eventia Reporter

    The following minimum hardware requirements were designed so that the Eventia Reporter Server can process a volume of about 3 GB of logs per day and generate reports within the stated performance numbers. If fewer logs are produced per day, you can use a machine with less CPU or memory; this may, however, degrade performance. In addition, if your machine has less physical memory, you will need to change the database cache size; follow the instructions in the Eventia Reporter User Guide, under the section Changing the Eventia Reporter Database Cache Size.

    The minimum hardware requirements for installing Eventia Reporter on a Solaris platform are:

    • UltraSPARC III 400MHz processor

    • 100 MB disk space for installation

    • 40GB disk space for database

    • 1GB RAM

    • One network adapter card

    • CD-ROM Drive

    • 1024 x 768 video adapter card


    The following is also recommended:

    • Configure the network connection between the Eventia Reporter Server machine and the SmartCenter or Log server for the optimal speed.

    • Use the fastest disk available, with a high RPM (revolutions per minute).

    • Increase the machine's memory; this significantly improves performance.

    • Install an uninterruptible power supply (UPS) for the Eventia Reporter Server machine.

    SecurePlatform

    Minimum Requirements for VPN-1 Pro

    On SecurePlatform, the minimum hardware requirements for installing a VPN-1 Pro SmartCenter Server, Enforcement Module or SmartPortal are:

    • Intel Pentium III 300+ MHz or equivalent processor

    • 4 GB free disk space

    • 256 Mbytes RAM (512 Mbytes recommended)

    • One or more supported network adapter cards

    • CD-ROM Drive (bootable)

    • 1024 x 768 video adapter card

    For details regarding SecurePlatform on specific hardware platforms, see http://www.checkpoint.com/products/supported_platforms/secureplatform.html

    Maximum Number of Interfaces Supported by Platform

    The maximum number of interfaces supported (physical and virtual) is shown by platform in the following table.

    Product | Solaris UltraSPARC | Microsoft Windows | Check Point SecurePlatform | Nokia IPSO
    VPN-1 Pro & Performance Pack (SecureXL) | 255 | 32 | 1015 (1, 2) | 1015
    ClusterXL | 255 | 32 | 1015 (1, 2) | 1015

    Notes to Maximum Number of Interfaces Table

    1) SecurePlatform supports 255 virtual interfaces per physical interface.

    2) When using Dynamic Routing on SecurePlatform, 200 virtual interfaces per physical interface are supported.


    Minimum Software Requirements

    Solaris Platform

    Required Packages

    • SUNWlibC

    • SUNWlibCx

    • SUNWter

    • SUNWadmc

    • SUNWadmfw

    Required Patches

    Check Point recommends using the Sun Install Check Tool to check the patch level of your Solaris machines. The Sun Install Check Tool is available on the Sun download site at http://www.sun.com/software/installcheck/download.xml. Use the tool to make sure your Solaris machines have the following or newer patches.

    Solaris 8: the following patches (or newer) are required on Solaris 8 UltraSPARC platforms:

    Number | System | Notes
    108528-18 | All | If the patches 108528-17 and 113652-01 are installed, remove 113652-01, and then install 108528-18.
    110380-03 | All |
    109147-18 | All |
    109326-07 | All |
    108434-01 | 32 bit |
    108435-01 | 64 bit |

    Solaris 9: the following patches (or newer) are required on Solaris 9 UltraSPARC platforms:

    Number | System | Notes
    112233-12 | All |
    112902-07 | All |
    116561-03 | All | Only if dmfe(7D) ethernet driver is defined on the machine

    To verify that you have these patches installed, use the command:

    showrev -p | grep

    The patches can be downloaded from: http://sunsolve.sun.com. Install the 32-bit patches before installing 64-bit patches.
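    As an added example that is not part of the release notes, the following Python script applies the patch tables above to a showrev -p listing: it parses the "Patch: <base>-<rev>" records, treats "or newer" as the same base patch with a revision at least the required one, requires 116561-03 only when the dmfe driver is present, and flags the 108528-17 / 113652-01 combination noted in the Solaris 8 table. The showrev output embedded in the script is a constructed sample, and its Obsoletes/Requires/Packages fields are illustrative rather than real patch metadata.

```python
"""Added example (not from the release notes): check a Solaris 'showrev -p'
listing against the NGX (R60) patch tables, applying the "or newer" rule,
the dmfe-only condition on 116561-03 and the 108528-17 / 113652-01 note."""
import re

# One "Patch: <base>-<rev> ..." record per line, as printed by showrev -p.
PATCH_RE = re.compile(r"^Patch:\s+(\d+)-(\d+)\b")

# Required patches from the release notes, keyed by Solaris release:
# base patch number -> minimum revision ("or newer").
REQUIRED = {
    "8": {"108528": 18, "110380": 3, "109147": 18, "109326": 7,
          "108434": 1, "108435": 1},
    "9": {"112233": 12, "112902": 7, "116561": 3},
}

# Patches that are only required when a given driver is defined on the machine
# (116561-03: "Only if dmfe(7D) ethernet driver is defined on the machine").
CONDITIONAL = {"116561": "dmfe"}

# Constructed sample of showrev -p output; the Obsoletes/Requires/Packages
# fields are illustrative, not the real metadata of these patches.
SAMPLE_SHOWREV = """\
Patch: 108528-17 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar, SUNWcsr
Patch: 113652-01 Obsoletes:  Requires: 108528-17 Incompatibles:  Packages: SUNWcsr
Patch: 110380-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109147-20 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109326-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
Patch: 108434-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWlibC
"""


def parse_showrev(text):
    """Return {base: highest installed revision} from showrev -p output."""
    installed = {}
    for line in text.splitlines():
        m = PATCH_RE.match(line.strip())
        if m:
            base, rev = m.group(1), int(m.group(2))
            # Keep the highest revision if a patch is listed more than once.
            installed[base] = max(rev, installed.get(base, -1))
    return installed


def check_patches(installed, release, drivers=()):
    """Return [(base, required_rev, installed_rev_or_None)] for every required
    patch of the given Solaris release that is missing or older than required.
    'drivers' lists the network drivers defined on the machine (e.g. "dmfe")."""
    problems = []
    for base, need in sorted(REQUIRED[release].items()):
        driver = CONDITIONAL.get(base)
        if driver is not None and driver not in drivers:
            continue  # this patch is not required without that driver
        have = installed.get(base)
        if have is None or have < need:
            problems.append((base, need, have))
    return problems


def kernel_patch_conflict(installed):
    """Release-notes special case: when 108528-17 and 113652-01 are both
    installed, 113652-01 must be removed before 108528-18 is installed."""
    return installed.get("108528") == 17 and installed.get("113652") == 1


def report(text, release, drivers=()):
    """Human-readable findings for one machine; an empty list means compliant."""
    installed = parse_showrev(text)
    lines = []
    for base, need, have in check_patches(installed, release, drivers):
        state = "missing" if have is None else "installed revision %02d" % have
        lines.append("%s-%02d required, %s" % (base, need, state))
    if release == "8" and kernel_patch_conflict(installed):
        lines.append("remove 113652-01 before installing 108528-18")
    return lines


if __name__ == "__main__":
    # On a real machine: report(subprocess.check_output(["showrev", "-p"]).decode(), "8")
    for finding in report(SAMPLE_SHOWREV, "8"):
        print(finding)
```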


    Windows Platform

    This release requires that Service Packs be applied to Windows 2000 and Windows 2003 systems. This release supports Service Packs SP1, SP2, SP3, and SP4.

    Linux Platform

    This release supports Red Hat Enterprise Linux 3.0. For Red Hat kernel installation instructions, visit: http://www.redhat.com/support/resources/howto/kernel-upgrade.

    Nokia Platform

    This release supports IPSO 3.9 and 4.0. For the latest information on which IPSO releases are supported, see the Nokia Support Web at http://support.nokia.com.

    The Regular Expression (RX) Library

    NGX (R60) uses the RX library. The library license agreement (LGPL) can be downloaded from: http://www.checkpoint.com/techsupport/downloads/docs/firewall1/r55/GNU_LGPL.pdf.


    Resolved Limitations

    In This Section

    This section contains limitations that were published as release notes with NG with Application Intelligence (R55) and now stand as resolved in NGX (R60). They are presented in their original format, stressing the limitation, yet should be understood as resolved.

    Firewall

    Installation

    1) On Windows platforms, the SNMP service must be stopped before uninstalling VPN-1 Pro. If the SNMP service is running, a message regarding locked files is displayed.

    2) In order to install the SmartCenter Applications on Windows NT, use the installation executable instead of the installation wrapper.

    SmartDashboard, Motif GUI

    3) After resetting to default, the update time and version are no longer displayed on the top side of the General page. However, these update details can still be seen on the bottom half of the General page.

    Platform Specific — Solaris

    4) SUN's Gigaswift network driver is not supported when using ClusterXL in a VLAN tagging configuration.

    Firewall page 11

    SmartCenter page 12

    VPN page 14

    VPN-1 Edge page 14

    SecureXL page 14

    SecuRemote/SecureClient page 15

    SecurePlatform page 15

    VSX page 15

    ClusterXL page 16

    SSL Network Extender page 16


    Directional Rule Match

    5) A user group may be placed in the Destination column in the Security Rule Base only if the Remote Access community appears in the to part of the VPN column in a new Directional VPN rule (for example, VPN column = Any > RemoteAccess). If the Remote Access community is used alone (for example, in a non directional form), this will not work.

    SmartCenter

    Upgrade, Backout, and Backward Compatibility

    1) When upgrading to a new machine using the Import or Export utilities, and SecurID is being used for authentication, and the new SmartCenter Server has the same IP address as the original SmartCenter Server, use the following instructions to retain both user and administrator authentication:

    • For Windows Platforms

    If the environment variable %VAR_ACE exists, copy the file %VAR_ACE\sdconf.rec from the original machine to the new machine. Otherwise, copy the file %WINDIR\system32\sdconf.rec from the original machine to the new machine. In addition, copy the registry key HKLM > SOFTWARE > SDTI > ACECLIENT > NodeSecret from the original machine to the new machine.

    • For Unix Platforms

    If the environment variable $VAR_ACE exists, copy the files $VAR_ACE/sdconf.rec and $VAR_ACE/securid from the original machine to the new machine. Otherwise, copy /var/ace/sdconf.rec and /var/ace/securid from the original machine to the new machine.

    2) When installing the R55W Add-On on a standalone machine (in other words, it is deployed with both the SmartCenter Server as well as the VPN-1 Pro Gateway), the local gateway remains of version R55. You should use the Upgrade Tool to upgrade the local gateway from version R55 to version R55W. Refer to the Getting Started Guide for more information.

    Policy Installation

    3) Policy installation issues on a VPN-1 Edge/Embedded Gateway when a rule contains a Cluster object in its source or destination. As a workaround, create a node object with the IP address of the cluster object, and use the node object instead of the cluster object in the rule.


    SmartCenter Server

    4) When using rules with resources, avoid installing them on VPN-1 Edge/Embedded profiles. Resources are not supported with VPN-1 Edge/Embedded appliances.

    Management High Availability

    5) When adding a new Secondary Management, the machine should be synchronized once manually before it starts synchronizing automatically.

    6) When creating a Management High Availability environment, all peers must be installed with the same products. If one product is installed on one peer but not on the other, product information may be lost and the product may not function properly.

    7) When using Management High Availability, all SmartCenter servers must be installed with the same version. This also applies if your SmartCenter servers were created with the R55W add-on; if one of the SmartCenter servers is installed with the R55W add-on, the others should be as well.

    Platform Specific — Nokia

    8) In order to manage QoS modules from a SmartCenter server running on IPSO, you need to enable QoS on the SmartCenter server. Telnet into the SmartCenter server and perform cpstop and cpstart (or reboot). In cpstop, you can safely ignore the message etmstop: Module not loaded. When you run cpstart on the SmartCenter server, you can safely ignore the message FloodGate-1: This is a Management Station. No QoS Policy will be Loaded.

    Note: Trying to install a QoS policy on a module before executing these steps on the SmartCenter server will fail and produce the error message: Failed to start uninstall/install operation.

    Miscellaneous

    9) In demo mode, when launching SmartLSM through SmartDashboard, no predefined ROBO Gateway objects are shown in SmartLSM, and no SmartLSM Profile objects can be created in SmartDashboard.

    SmartConsole Applications

    10) On the Motif platform, in SmartDashboard, there are issues when adding or editing Default community strings in SNMP in SmartDefense. Use the dbedit utility to add or edit entries. The entries are contained in the asm table: AdvancedSecurityObject and snmp_protection\snmp_default_communities_list.


    OPSEC

    11) OPSEC applications that read logs using LEA may fail if the network objects database contains more than 2000 objects.

    VPN

    VPN Communities

    1) Excluded Services are not supported with VPN Communities that contain VPN-1 Edge devices.

    PKI, PKCS

    2) Entrust CAs are defined as OPSEC CAs, and can be configured to support CMP automatic enrollment. In upgrade, Entrust CAs are changed to be OPSEC CAs.

    VPN-1 and SecuRemote/SecureClient Issues

    3) The combination of using multiple external interfaces (route through different interfaces) for SecuRemote/SecureClient and ClusterXL pivot mode is not supported.

    4) MACROs have been added to cp.macro for SecureClient on MAC OS, and SecureClient with Integrity. The cp.macro file should be replaced under $CPDIR/conf on the Management.

    VPN-1 Edge

    1) Policy installation issues on a VPN-1 Edge/Embedded Gateway when a rule contains a Cluster object in its source or destination. As a workaround, create a node object with the IP address of the cluster object, and use the node object instead of the cluster object in the rule.

    SecureXL

    Platform Specific — Solaris

    1) On Solaris platforms, Performance Pack does not support the following types of interfaces:

    • VLAN and virtual interfaces

    • bge, dmfe and skge interfaces


    SecuRemote/SecureClient

    Connectivity

    1) If SecureClient receives an IP address on a subnet on which the cluster also has an interface, SecureClient will not survive a failover from one cluster member to another. When the cluster fails over to another member, the MAC address is reset to the MAC address of the active cluster member. Once SecureClient receives an Office Mode address from the gateway, SecureClient can no longer discover the MAC address of the cluster. This means that SecureClient cannot update the MAC address when the MAC address of the cluster member changes. SecureClient continues to send packets to the MAC address of the now inactive cluster member.

    SecurePlatform

    General

    1) Starting with this release, the SecurePlatform restricted shell allows using the '/' symbol with ifconfig and route commands. This allows defining networks with CIDR notation (e.g., 10.10.0.0/16).

    2) If you physically replace a NIC card in a machine with SecurePlatform, the order of the NICs may change. Make sure that you verify that the NICs are mapped and connected according to your needs.

    3) Some models of Intel PRO/1000 cards may have performance issues when used under high load and/or in ClusterXL setup. The symptoms include log messages (in /var/log/messages) about NICs being reset via watchdog, or, in other cases, NICs stopping transmitting the traffic. Please contact Check Point technical support to resolve those issues.

    WebUI

    4) The character % should not be specified when defining a password.

    VSX

    1) Virtual Device names are limited to 64 characters. When creating a new Virtual Device, the name of the device is composed of the new Virtual Device name, the VSX box name, and the cluster member name. This name should not exceed 64 characters.

    2) Each Virtual System/Router can have up to 30 interfaces.


    ClusterXL

    Platform Specific — Solaris

    1) SUN's Gigaswift network driver is not supported when using ClusterXL in a VLAN tagging configuration.

    2) In a Solaris cluster configuration, one or more of the following may occur:

    • The kernel message ERROR_ACK for DL_ENABMULTI_REQ during the boot process.

    • The message no interface information during or after the boot process.

    • An interface has the flag MULTI_BCAST in ifconfig.

    • An interface starts, possibly once every several boots, in the down state.

    • The message ar_entry_query: Could not find the ace for source address during or after the boot process.

    As a result of these issues, the cluster does not process packets on the problematic interface.

    VPN-1 and SecuRemote/SecureClient Issues

    3) The combination of using multiple external interfaces (route through different interfaces) for SecuRemote/SecureClient and ClusterXL pivot mode is not supported.

    Crossbeam

    4) On a Crossbeam box, where an external circuit is defined as the sync network, the wrong Unicast MAC is used when forwarding IKE packets between members. This may cause key-exchanges to fail.

    Supported Features

    5) When a SecureXL host and a ClusterXL gateway are both located on the same network, and the ClusterXL gateway is either in High Availability or Load Sharing Unicast mode, the SecureXL host may not recognize a failover performed by the ClusterXL gateway. A workaround is to place a router between the gateways.

    Load Sharing

    6) ISP redundancy is supported in Load Sharing Unicast mode only when working over SecureXL or Performance Pack.

    SSL Network Extender

    1) SSL Network Extender is not supported on ClusterXL in Load Sharing mode. (This limitation still applies to Nokia IP clusters, however).


    Clarifications and Limitations

    In This Section

    Firewall page 19

    SmartCenter page 30

    VPN page 42

    VPN-1 Edge/Embedded page 52

    VSX page 54

    SecuRemote/SecureClient page 57

    SecurePlatform page 62

    SmartLSM page 70

    SmartUpdate page 72

    SmartView Monitor page 74

    Eventia Reporter page 75

    ClusterXL page 79

    ConnectControl page 90

    SecureXL page 91

    Performance Pack page 91

    SSL Network Extender page 93

    QoS page 95

    UserAuthority Server page 96

    OPSEC page 97

    InterSpect page 97

    IPv6 page 97


    Firewall

    In This Section

    Installation, Upgrade and Backward Compatibility

    1) Manual configurations of the file fwauthd.conf (e.g., an in.ahttpd configuration for the generic TCP Security Server) are not preserved during upgrade, and the changes must be reapplied.

    2) When upgrading from earlier NG Feature Packs, the SYNDefender configuration moves to a global configuration in SmartDefense and defaults to off. If a per-module configuration is desired, uncheck Override modules’ SYNDefender configuration under TCP > SYN Attack Configuration in SmartDefense settings.

    Installation, Upgrade and Backward Compatibility page 19

    Platform Specific — Nokia page 20

    Platform Specific — Windows page 21

    Platform Specific — Solaris page 21

    Platform Specific — Linux page 22

    Load Sharing page 22

    NAT page 22

    Authentication page 23

    Security Servers page 23

    Services page 25

    IPv6 page 25

    SmartConsole & SmartConsole Applications page 26

    ISP Redundancy page 26

    Logging page 27

    Policy Installation page 27

    OSE page 28

    SAM page 28

    Dynamically Assigned IP Address (DAIP) Modules page 28

    Miscellaneous page 28

    VoIP page 28


    3) Prior to NG with Application Intelligence (R54), setting the SmartDefense feature Max URL length to 0 would drop all connections. Since R54, setting the parameter to 0 disables this protection.

    4) When the Web Intelligence General HTTP Worm Catcher is enabled, policy installation on modules running NG FP1 cannot be performed. In order to install the policy, you should either remove the NG FP1 modules from the list of Policy Installation Targets, or alternatively disable the General HTTP Worm Catcher.

    5) When the Web Intelligence General HTTP Worm Catcher is enabled, policy installation on modules running NG FP3 prior to HotFix-2 cannot be performed. In order to install the policy, you should upgrade the module to NG FP3 HotFix-2.

    6) In modules that pre-date NG with Application Intelligence R55W, the Web Intelligence defenses HTTP Format Sizes, ASCII Only Request and General HTTP Worm Catcher support only the protection scope apply to all HTTP connections. If one of these defenses is configured with the protection scope apply to selected web servers and is installed on such an older module, the protection scope apply to all HTTP connections is applied on that module instead.

    7) When making Inspect changes to the file user.def, do so to the copy of the file in the directory $FWDIR/conf (and not the version in the directory $FWDIR/lib, as was the practice in previous versions). This is because user.def is copied from the /conf directory to the /lib directory during policy installation.

    Also, filenames are now adjusted to the different compatibility packages, so be sure to modify the appropriate file only:

    • user.def.NGX_R60 - contains user code for NGX modules (this will overwrite the file $FWDIR/lib/user.def during policy install)

    • user.def.R55WCMP - contains user code for R55W modules (this will overwrite the file user.def in the R55W compatibility package directory)

    • user.def.MGCMP - contains user code for NG modules, R55 and below.

    • user.def.EdgeCmp - contains user code for VPN-1 Edge modules.

    Platform Specific — Nokia

    8) When the SmartDefense TCP Sequence Verifier feature is enabled and Flows acceleration is enabled, the Sequence Verifier feature is not enforced and the following message appears when installing policy:

    “Flows: TCP Sequence Verifier acceleration is not supported on the Gateway.”


    When SecureXL is enabled, you can enable the SmartDefense TCP Sequence Verifier feature by first enabling it in Nokia Network Voyager (System Configuration > Advanced System Tuning) and then in SmartDashboard (SmartDefense tab > Network Security > TCP). The Sequence Verifier feature will then be enforced on accelerated connections.

    9) VPN-1 Pro will not log locally on a flash-based Nokia appliance if the log server becomes unavailable. As a result, logs generated while the log server is unavailable are lost.

    Platform Specific — Windows

    10) VPN-1 Pro limits its memory allocations to a certain percentage of the available non-paged memory. This limit affects the number of concurrent connections that the Enforcement Module can handle. The limit is intended to leave the rest of the system enough memory resources for smooth operation. The default limit can be changed to suit the system configuration. In Windows the limit can be set by setting the MaxNonPagedPoolUsage value (DWORD) in the registry (under


    18) On the Solaris 8 platform 64 bit, the maximum number of file descriptors must be set to less than 8192. Setting a higher number can lead to unpredictable VPN-1 Pro behavior.

    19) When using automatic ARP publishing with ATM interfaces on Solaris, errors like SIOCDARP: Protocol error may appear on the console. These errors can be safely ignored.

    20) On Solaris platforms with a qlc driver and the kernel memory allocator debugging functionality enabled, the system may experience instability. In this case, install Solaris patch 113042-10 or higher.

    Platform Specific — Linux

    21) New interfaces that are added after the Enforcement Module is started (e.g., a PPP interface) are not displayed by the fw stat -l command. Use the fw ctl iflist command instead.

    22) When NIS is enabled for resolving network services, Check Point processes may experience memory leakage due to a memory leak in libC 2.2.4. A workaround is to disable NIS resolving (remove nis and nisplus from services: in /etc/nsswitch.conf).

    23) ATM and ISDN interfaces are not supported.

    Load Sharing

24) When employing SecurID for authentication, it is recommended to define each cluster member separately on the ACE/Server with its own unique (internal) IP address. In addition, to send packets to the ACE/Server with their unique IP addresses and not the VIP address, edit the file table.def, located in $FWDIR/lib. Change the line starting with no_hide_services_ports to, for example, no_hide_services_ports = { <5500, 17> }, where 5500 is the service port and 17 (UDP) is the protocol.

    NAT

    25) Microsoft Exchange Outlook Client UDP new mail notification does not work with Hide NAT on the client. For the new mail notification both the Client and the Server need to be in both the source and the destination cells:

    In the $FWDIR/lib/exchange.def file, enable this notification by setting #define ALLOW_EXCHANGE_NOTIFY (as stated in the file comments).

    Source           Destination      Service      Action
    Client, Server   Server, Client   MSExchange   Accept


    26) OSE objects cannot be used in NAT rules. The workaround is to define regular node objects with the same addresses and to use them instead.

    27) Automatic ARP is not supported with IP Pool NAT.

    Authentication

28) When performing manual client authentication (using port 900) to a cluster where the members' IP addresses are not routable, the URLs returned in the HTML from the replying cluster member contain the member's own non-routable IP address instead of the cluster IP address. This causes subsequent operations to fail. The workaround is to configure the cluster to use a domain name instead of an IP address in the client authentication HTML pages, using the ahttpclientd_redirected_url global property. Make sure that your DNS servers resolve this domain name to the IP address of the cluster.

    29) After changing the sdconf.rec file on a Firewall-1 (needed for SecurID authentication), in order for the new configuration to take effect, you must restart the Firewall-1 services by running cpstop and cpstart.

30) Client Authentication will fail if the VPN-1 Pro machine name is configured with a wrong IP address in the hosts file.

    31) Clientless VPN with the Action Client Auth is not supported if the web server object is in the destination cell. The workaround is to add the gateway to the destination cell.

    32) When using SmartDirectory server for internal password authentication, if the account lockout feature is disabled the Firewall will not attempt to modify the user's login failed count and last login failed attributes on the SmartDirectory server. This improves overall performance and eliminates unnecessary SmartDirectory modify errors when using SmartDirectory servers that do not have these attributes defined because they did not apply the Check Point SmartDirectory schema extension on the SmartDirectory server.

    33) Issues may arise when using automatic or partially automatic client authentication for HTTP on Load Sharing clusters (both ClusterXL and OPSEC clusters). A workaround is to define a decision function based only on IP addresses in order for connections to open. For ClusterXL, go to the ClusterXL tab > Load Sharing > Advanced, and select IPs only. For OPSEC clusters, refer to the product documentation for more information.

    34) Definition of nested RADIUS Server groups is not supported.

    Security Servers

    35) The HTTP Security Server handles a proxied or a tunneled connection request differently than earlier Firewall versions. Beginning with FireWall-1 NG FP2, such requests are not allowed if they are matched with an Accept rule. However, they are still


    allowed if the request is matched with an Authentication or a Resource rule. This change was done in order to harden security and prevent the CONNECT from looping to the Security Server and then to another destination.

    In R54, FTP over HTTP proxy connections were allowed when using User Authentication even if they were not allowed explicitly by a rule in the Security Policy. In NGX (R60), in order to further harden security, these connections are not allowed by default unless there is an explicit rule (using a URI Resource) that allows them. If you wish to revert to the old behavior refer to SecureKnowledge solution sk14608.

    36) When using SMTP resources to filter files by their filename, an incorrect log message is generated stating: Forbidden MIME attachment stripped.

    37) UFP counters available via cpstat fw -f ufp give incorrect values.

38) If web browsers are configured to use an IP address for their proxy (instead of a hostname), the next proxy definition of the HTTP Security Server must also use the same IP address. If the next proxy definition is a hostname, connections using an IP address will not be allowed to the proxy. It is recommended to use only hostnames in the browser configuration.

    39) Outlook Web Access is not supported with User Authentication.

    40) When a field in a URI specification file is too long, the Security server exits when trying to load the file. Under load, the Firewall daemon (FWD) reloads the security server, which then exits. After a certain time cores are dumped.

    41) Client authentication with agent automatic sign on is supported with all rules, with two exceptions:

    • The rule must not use an HTTP resource.

    • Rules where the destination is a web server.

    42) When using the HTTP Security Server in proxy mode (HTTP Tunneling), connections may be encrypted over port 80 (e.g., the first command is in the clear, and subsequent requests are in SSL). SmartDefense will block these connections and generate the following log entry: Binary character in request. To enable such connections, change the global property asm_http_allow_connect to True. Please note that this change will cause SmartDefense to stop examining these connections when an HTTP Connect command is detected in the proxied connection.

43) When using SOAP filtering in the HTTP Security Server, the SOAP scheme file supports all forms of namespaces and methods; however, the feature is not supported if a method has no namespace at all.

    44) Security Servers are not supported with Sequence Verifier in Load Sharing Cluster environments.


    Services

    45) No warning is generated when a policy containing services with the Keep connections open after Policy has been installed checked is installed on NG FP3 modules. Such services will be enforced according to the default behavior on these modules.

    46) When CIFS resources are used in rules with policy targets in their Install On fields, policy installation on NG FP3 modules may succeed without warning, although CIFS resource filtering is not supported on these modules.

    47) A service using the FTP_BASIC protocol type cannot be used with the FTP Security Server.

    48) When using T.120 connections, make sure to manually add a rule that allows T.120 connections.

    49) When Hide NAT is performed on a VPN-1 gateway, Real Time Stream Control Protocol (RTSP) sessions are dropped. A workaround is available to resolve this issue:

    a. Change to the $FWDIR/lib/ directory.

    b. Back up the current rtsp.def file.

    c. Edit the file rtsp.def.

    d. Uncomment the following line:

    //#define RTSP_C_TO_S_DATA

    so that it reads:

    #define RTSP_C_TO_S_DATA

    e. Install a Security Policy.

    Note that performing this workaround will cause RTSP sessions to be dropped if they are initiated within 60 seconds of a previous RealNetworks Data Transport (RDT/RTSP) session that used the same port number.
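The steps above edit a live INSPECT file by hand. The script below is an added example, not Check Point's code and not part of the release notes: it applies steps b through d to a copy of rtsp.def with a timestamped backup, touches only the one define, refuses to run twice on the same file, and reports the resulting state so the change can be verified before step e. The scratch directory and the sample rtsp.def content are constructed so the script runs offline; on a gateway you would pass "$FWDIR/lib/rtsp.def" to enable_rtsp_c_to_s_data instead.

```shell
#!/bin/sh
# Added example (not Check Point's code): apply the item 49 rtsp.def workaround
# to a copy of the file, with a backup and a verification step. The scratch
# directory below is constructed so the script runs offline; on a gateway you
# would pass "$FWDIR/lib/rtsp.def" instead.
set -u

# Uncomment the RTSP_C_TO_S_DATA define in the given rtsp.def (steps b-d).
# Returns 0 on success, 1 if the file is missing or the commented define
# is not present (so a second run does not create a pointless backup).
enable_rtsp_c_to_s_data() {
    def="$1"
    [ -f "$def" ] || return 1
    grep -q '^[[:space:]]*//[[:space:]]*#define RTSP_C_TO_S_DATA' "$def" || return 1
    # Step b: keep a timestamped backup before touching an INSPECT file.
    cp -p "$def" "$def.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # Steps c/d: strip the leading // from that one line only; every other
    # line is written through unchanged.
    tmp="$def.tmp.$$"
    sed 's@^[[:space:]]*//[[:space:]]*\(#define RTSP_C_TO_S_DATA\)@\1@' "$def" > "$tmp" || return 1
    mv "$tmp" "$def"
}

# Print "enabled" if the define is active in the file, "disabled" otherwise.
rtsp_c_to_s_state() {
    if grep -q '^[[:space:]]*#define RTSP_C_TO_S_DATA' "$1"; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed stand-in for $FWDIR/lib/rtsp.def; only the commented define
# mirrors the real file, the other lines are placeholders.
make_sample_rtsp_def() {
    mkdir -p "$1/lib"
    cat > "$1/lib/rtsp.def" <<'EOF'
// constructed sample rtsp.def - placeholder content
#define RTSP_PORT 554
//#define RTSP_C_TO_S_DATA
EOF
    echo "$1/lib/rtsp.def"
}

# Stand-alone run against the scratch copy, never against the live $FWDIR.
scratch="${TMPDIR:-/tmp}/fwdir-demo.$$"
f=$(make_sample_rtsp_def "$scratch")
echo "before: $(rtsp_c_to_s_state "$f")"   # disabled
if enable_rtsp_c_to_s_data "$f"; then
    echo "after:  $(rtsp_c_to_s_state "$f")"   # enabled
fi
# Step e, installing the Security Policy, is done from SmartDashboard.
rm -rf "$scratch"
```

The sed pattern anchors on the exact define so an unrelated line containing the same token in a comment is left alone, and the backup is taken only when the edit will actually happen, which keeps $FWDIR/lib from filling with identical .bak copies on repeated runs.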

    IPv6

    50) Discovery traffic is enabled by default on IPv6 enabled modules. To disable it, edit the file $FWDIR/lib/implied_rules.def and comment out the line #define ACCEPT_DISCOVERY 1.

    51) When connecting to the IPv6 IPv4 compatible address of VPN-1 Pro (::w.x.y.z., for example), the following appears on the console: Jan 14 09:37:32 shif [LOG_CRIT] kernel: fw_filterin: 0 unknown interface. This message can be safely ignored in such configurations. To prevent the message from appearing, run this command: modzap _fw_verbose_unknown_if $FWDIR/boot/modules/fwmod.o 0x0 and reboot.

    52) Due to the fact that IPv6 is not supported for security servers, enabling Configuration apply to all connections under SmartDefense's FTP Security Server settings causes FTP (as well as HTTP and SMTP) connections over IPv6 to be rejected, and no log is generated.


    53) The command fw6 unload localhost unloads both IPv6 and IPv4 policies, although it should unload only the IPv6 policy.

    54) In IPv6 logs, IPv6 address resolving is not supported in SmartView Tracker.

    55) Anti-spoofing is currently not supported with IPv6.

    56) Boot policy is not supported on IPv6 enabled modules.

    57) Content of IPv6 in IPv4 tunnels (IPv4 protocol 41) passing through VPN-1 Pro is not inspected.

    58) CPMAD functionality is not supported with the IPv6 protocol.

    59) SmartDefense's ping size property is not enforced on ICMPv6 echo request packets.

    60) IPv6 packets with extension headers which are not explicitly allowed via editing of the table.def INSPECT script are dropped without being logged.

    61) The Remote Shell (RSH) protocol is not supported for IPv6.

    SmartConsole & SmartConsole Applications

    62) Firewall implied rules for GUI Clients are not matched when using wildcard (e.g., 1.1.*.*). As a result, connections from GUI Clients to the SmartCenter Server may be blocked if there is a VPN-1 Pro module between them. Single IP definitions (e.g., 1.1.1.1) are supported. When specifying GUI Clients using any formats other than the IP address, add an explicit rule in the Rule Base allowing the GUI Clients to connect to the SmartCenter Server.

    63) When a client connects with SmartDashboard to SmartCenter and performs a SmartDefense online update, a second client connecting with SmartDashboard to the same SmartCenter will see the new protections but not the new HTML descriptions. The situation is resolved by the second client logging out & logging in again.

    A similar behavior may occur regarding the Silent Post-install Update. If new protections were added in that package, then the second client that logs in will not see the respective new HTML descriptions. The workaround is the same (client should log out & log in again).

    ISP Redundancy

    64) When using the ISP load sharing configuration, outgoing traffic that passes through a security server is not load-shared, and will pass through a single ISP (the default route). If this ISP fails, new connections will be opened through the second ISP.

    65) ISP redundancy is not supported in a ClusterXL Different subnets configuration. This means the IP address of the cluster must be on the same subnet as the cluster members' real IP addresses.


66) In a ClusterXL configuration, the names of the external interfaces of all cluster members must be identical and must correspond in turn to the names of the external interfaces of the cluster object. For example, if the cluster object has two external interfaces called eth0 and eth1 which are connected to ISP-1 and ISP-2 respectively, each cluster member must have two external interfaces called eth0 and eth1 which are connected to ISP-1 and ISP-2 respectively.

    67) If the ISP redundancy feature is enabled over a PPPoE or a PPTP interface, the MTU of any other external Ethernet interface should be lowered to match the MTU of the PPPoE/PPTP interface. For example if eth1 is an external Ethernet interface and eth0 is an Ethernet interface over which a PPPoE interface called pppoe0 is defined, the MTU of eth1 should match the MTU of pppoe0.

    On SecurePlatform this can be achieved by logging on to the box and running:

    ifconfig ethX mtu newMTU
    ifconfig --save

    Where ethX is the name of the external Ethernet interface and newMTU is the MTU of the PPPoE/PPTP interface. This change will be persistent across boots.

    Notes:

    a. The MTU of the PPPoE/PPTP interface can be obtained on SecurePlatform by running: ifconfig pppXXX where pppXXX is the name of the PPPoE/PPTP interface.

    b. In the aforementioned example, the MTU of eth0 should not be changed.

    68) ISP redundancy cannot be used in conjunction with SynDefender.

    69) ISP redundancy, when working in conjunction with SecureXL, has the following limitations:

    • Some connections passing through interfaces configured with ISP redundancy are not accelerated, while other connections (for example, an internal connection to a DMZ) are accelerated and are not affected by this limitation.

    • ISP redundancy over PPTP and PPPoE interfaces is not supported.

    Logging

    70) FTP data connections may appear in the Active connections view in SmartView Tracker even after these connections have been terminated.

    Policy Installation

    71) When installing a policy on a module, the policy installation log may record anti-spoofing warning messages from modules not included in the installation that do not have anti-spoofing configured.


    72) Policy installation may fail when there are 70 or more dynamic objects.

    OSE

    73) For Cisco routers, make sure that the host names are resolvable by DNS or by the hosts file.

    SAM

    74) A Suspicious Activity Monitor (SAM) rule will fail for a remote Gateway if the SmartCenter Server is also a VPN-1 Pro enforcement module and no policy has been installed on it since adding the remote Gateway.

    Dynamically Assigned IP Address (DAIP) Modules

    75) The fw tab command on a SmartCenter Server is not supported.

    Miscellaneous

    76) Token ring adapters are not supported.

    77) The TCP Sequence Verifier is not supported with clusters using asymmetric routing.

    78) The Accept VPN-1 & FireWall-1 control connections Implied Rules setting is applicable to a SmartCenter server object in specific cases only:

    • to the primary IP defined for this object and

    • only if there are interfaces defined in its Topology tab.

    This may create connectivity problems when trying to install policies (or other operations included in the control connections). The workaround is to define explicit rules that allow connectivity to the SmartCenter object.

    79) When executing the following command: fw tab -u -f -t connections, error messages such as FW-1: fwkbuf_length: invalid id number XXXX and Table kbufs - Invalid handle 6a6b8803 (bad entry) can be safely ignored. To avoid these messages, use the command fw tab -u -t connections instead.

    VoIP

    80) MSN Messenger version 5 is not supported. Additionally, there are a few known issues regarding MSN Messenger when employing Hide NAT:

    • When running SIP and the data connection tries to open MSN Messenger connections on hidden networks, the connection fails.

    • While audio and video each work separately, they cannot be run concurrently.


    81) When using the SIP protocol and a security rule uses the Action reject to block high_udp_ports (RTP ports - data connection), the incoming audio is rejected as well. A workaround is to use the Action drop in place of reject.

    82) When an H.323 IP phone that is not part of a handover domain tries to establish a call, the call attempt is blocked and the following message appears on the console: FW-1: fw_conn_inspect: fwconn_chain_lookup failed. If you want to allow this phone to make calls, add it to the handover domain, and the error message will no longer appear. Note that this console message may appear in other (non-VoIP) scenarios as well.

    83) In some cases, when a user closes an MSN Messenger application (such as Whiteboard), the application will not close automatically on the remote end. The remote user will need to close the application manually.

    84) When the SIP-proxy is in the DMZ, whiteboard and application sharing will not open between external to internal messengers.


  • Clarifications and Limitations — SmartCenter

    SmartCenter

    In This Section

    Installation, Upgrade, and Backward Compatibility

    1) If the AMON private schema was previously imported using the amon_import tool, it needs to be re-imported after the upgrade.

    2) When using the Upgrade Export and Import utilities on the Windows platform, the machine should be connected to the network. Alternatively, a connector can be used to simulate a connection. Refer to SecureKnowledge, solution sk19840 for more information regarding how to simulate a network connection during an upgrade.

    3) After upgrading SmartCenter, open the SmartUpdate GUI and from the Packages menu, select Get Data from All to retrieve the installed Packages’ information from the remote modules.

    Installation, Upgrade, and Backward Compatibility page 30

    SmartDirectory page 33

    SmartDashboard page 34

    Policy Installation page 35

    VPN Communities page 35

    SmartConsole Applications page 36

    High Availability page 37

    Logging page 38

    Monitoring page 38

    Management High Availability page 39

    Trust Establishment (SIC) page 39

    Platform Specific — Windows page 40

    Platform Specific — Nokia page 40

    OPSEC page 40

    Miscellaneous page 40

    OSE page 41

    Dynamically Assigned IP Address (DAIP) Modules page 41

    SmartPortal page 41


    4) When upgrading with a duplicate machine whose IP address differs from the original IP address of the SmartCenter Server, if Central licenses are used, they should be updated to the new IP address. This can be done via the User Center at http://usercenter.checkpoint.com, by choosing the action License > Move IP > Activate Support and Subscription.

    5) If the Import or the Export operation fails while upgrading, the entire operation will fail with the exception of these products: Eventia Reporter, SmartView Monitor, SecureXL and UserAuthority Server. Use the log file of the Import/Export operation to understand what caused the problem and fix it. The log file is located at:

    • Windows: C:\program files\checkpoint\CPInstLog

    • Unix: /opt/CPInstLog

    6) When using the Export or Import upgrade utilities on Windows NT, the version of the system DLL MSVCRT.dll should be 6.0 or higher. When using a lower version of this DLL, the operation fails with the following error: The procedure entry point __lc_collate_co could not be located in the dynamic link library MSVCRT.dll. To continue the operation, allow the system to use this DLL from the current path by:

    1 Using the REGEDIT application to add the string msvcrt.dll to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ExcludeFromKnownDlls

    2 Rebooting your machine.

    7) When upgrading a Log Server, choose the Upgrade option and ignore the other options (to export the configuration or to perform pre-upgrade verifications). These options are irrelevant for Log Server upgrades. Also, the backwards compatibility (BC) package is installed on every Log Server. It can be safely removed, as it is not in use on a Log Server.

    8) If, when using the Check Point Installation Wrapper, the download of updates fails during an upgrade (for example, because the machine is not connected to the Internet), then the upgrade will continue using the tools that exist on the CD. To use the most recent version:

    1 Download the updates from: https://support.checkpoint.com/downloads/bin/autoupdate/ut/r60/index.html

    2 Save the update on the local disk of your SmartCenter server

    3 Restart the installation wrapper and choose the second option on the download page: I already downloaded and extracted the Upgrade Utilities.


    9) Check Point 4.1 gateways and embedded devices are no longer supported with this release. After upgrading the SmartCenter Server to NGX (R60), these objects will remain, but you will not be able to install policy on them.

    10) VPN-1 Net is no longer supported.

11) After upgrading SmartCenter, but before upgrading the gateways, SecurID users may not be able to connect. A workaround is detailed on SecureKnowledge (sk17820).

    This solution should be implemented in the compatibility package directories as well:

    For NG gateways (NG FCS - R55):

    • Unix /opt/CPngcmp-R60/lib/

    • Windows C:\Program Files\CheckPoint\NGCMP

    For R55W gateways:

    • Unix /opt/CPR55Wcmp/lib

    • Windows C:\Program Files\CheckPoint\R55WCmp\lib

    12) When upgrading a SmartCenter server on Solaris, Linux and SecurePlatform, the following upgrade options are displayed:

    1.( ) Upgrade installed products and install new products.

    2.( ) Upgrade installed products.

    Be sure to select option 2 only. New products should be installed only after completing the upgrade of installed products. After completing the upgrade, run the installation program again to add more products.

    13) When upgrading SmartCenter with a duplicate machine on the Windows platform, the following message may appear after selecting Import configuration file: Failed to import configuration. Imported configuration file does not contain the correct data. The problem is resolved by either removing gzip.exe from the environment path, or removing the file altogether.

    14) When upgrading a SmartCenter Server with the Eventia Reporter Add-on from R56 to NGX (R60), you must upgrade Eventia Reporter Add-on as well.

15) On the SmartCenter Server, if you start the Check Point Products installation from the NGX CD using the SecurePlatform command patch add, you can decide whether or not to export the SmartCenter configuration for advanced upgrade. While the operation should succeed, an error may be displayed on operation completion, stating that the patch was not applied. This message is accurate but confusing: the patch was indeed not applied; an export operation was performed instead.

    16) A secondary SmartCenter server does not support the wrapper’s Advanced Upgrade or the Export/Import tools.


    17) After upgrading a SmartCenter server running on IPSO with the R55W Add-on, backout to R55W is not supported. It is therefore recommended to back up the SmartCenter configuration before the upgrade. The configuration is exported via the upgrade tools. Make sure to save the configuration outside the Check Point directory structure. Then, if a return to R55W becomes necessary, install a fresh R55W Add-on installation and import the configuration you saved earlier. For more information regarding the upgrade tools, please refer to the R55W Upgrade Guide.

    18) When running the NGX Pre Upgrade Verifier on an R55 SmartCenter with HFA12 installed, the following message regarding the file auth_HFA.def may appear:

    INSPECT manual changes

    Description: Some changes in VPN-1 behavior require changes to be made manually in INSPECT files. Since INSPECT files are overwritten with new versions when upgrading, these changes may be lost. In some cases the changes should be re-applied on the new INSPECT files, in other cases there are new GUI options that need to be set instead.

    Impacts: If changes were lost after the upgrade, VPN-1 may not work as expected.

    Todo: Check if changes are needed in the new version, if so, follow SK instructions for these changes.

    This problem will occur in the following files:

    auth_HFA.def

    This message can be safely ignored.

    19) In this release, SmartCenter does not manage gateways prior to NG FP3. If you have such gateways, it is recommended that you upgrade them as well.

    20) When performing an advanced upgrade using the wrapper, the installation wizard will prompt you to select one of the following options:

    1 Download most updated upgrade utilities [default]

    2 I have already downloaded and extracted the upgrade utilities. The files are on my local disk

    3 Use the upgrade utilities from the CD

Option 1 is currently not supported on Unix platforms. When upgrading Unix platforms, it is recommended to download the updated utilities manually using the link provided, and only then proceed with option 2.

    SmartDirectory

    21) When a SmartDirectory user is based on an internal firewall template, internal groups that the template belongs to will be added to the SmartDirectory user, but these groups will not appear in the list of template groups in the user's Groups page.


    22) When manually defining branches on an Account Unit, spaces between elements in the branch definition will not work. Example:

    A good branch: ou=Finance,o=ABC,c=us

    A bad branch: ou=Finance , o=ABC , c=us

    23) When using the Display list of distinguished names (DNs) for matching UIDs on login feature, if there is no available LDAP server, the authentication will hang. Subsequently, a policy installation will cause the process that attempted the authentication to consume all available CPU resources.

    24) When using an LDAP server for internal password authentication, if the account lockout feature is disabled, the firewall will not attempt to modify the user's login failed count and last login failed attributes on the LDAP server. When using LDAP servers that do not have these attributes defined (because they did not apply the Check Point LDAP schema extension on the LDAP server), this improves overall performance and eliminates unnecessary LDAP modify errors.

    25) If Use SmartDirectory (LDAP) is checked in the Global Properties, but no LDAP account unit is configured, the authentication of external users (as opposed to LDAP users) that are not defined in the user's database will not succeed. To resolve this issue, make sure that you uncheck Use SmartDirectory (LDAP) in the Global Properties.

    SmartDashboard

    26) In Microsoft Active Directory, when the expiration date is defined in the user's properties, and the user account has expired, the user is not able to authenticate and the reason for the authentication failure is not displayed.

    27) Firewall implied rules for GUI Clients are not matched when using wildcard (e.g., 1.1.*.*). As a result, connections from GUI Clients to the SmartCenter Server may be blocked if there is a VPN-1 Pro module between them. Single IP definitions (e.g., 1.1.1.1) are supported. When specifying GUI Clients using any formats other than the IP address, add an explicit rule in the Rule Base allowing the GUI Clients to connect to the SmartCenter Server.

    28) When upgrading from NG FP1 or lower, certain policies may be hidden in SmartDashboard. Starting from NG FP2, only policies that belong to the current Policy Package are displayed. To access other policies select File > Open and choose the relevant Policy Package.

    29) When using Active Directory .NET (2003) with NGX (R60), errors are encountered when changes are made to the account expiration user attribute. Use Active Directory 2000 to avoid these errors.


    30) The following web links available from the Help menu in SmartDashboard and SmartUpdate open a browser window to pages that have not yet been posted on the Check Point web site.

    • Online Software Updates

    • What's New In Check Point Software

    Policy Installation

    31) Policy installation may fail when there are 70 or more dynamic objects.

    32) After aborting an installation, before attempting to install a policy, make sure that there are no processes running the fwm load command on SmartCenter server, or your installation may halt.

    33) When the Install Policy option Install on all gateways, if it fails do not install on gateways of the same version is selected, policy is installed on gateways by group. There are four such groups:

    • VPN-1 Edge

    • R55W

    • NGX

    • all others (R55 and prior versions)

    When this option is selected, if policy fails when installing to a member of one of the groups, the policy will not be installed to any other gateways in that group. Policy installation will continue uninterrupted to members of other groups, however.

    34) Uninstall of policy on LSM profiles is not supported.

    35) It is not recommended to install security policy on more than 100 VPN-1 Edge devices simultaneously. Use one of the following solutions instead:

    • Install the policy in groups of 100 VPN-1 Edge devices.

    • Use SmartLSM, which installs policy on profiles, when managing hundreds of VPN-1 Edge devices. When using SmartLSM the above limitation is not relevant.

    VPN Communities

    36) When managing SmartLSM ROBO Gateways, some of which are VPN-1-enabled from a Standalone machine, the policy fetch operation may not succeed once VPN has been established between the Standalone and the ROBO Gateway in question. In order to overcome this issue, you should add the CPD service as an excluded service for each of the communities which have SmartLSM ROBO profiles. To do this:

    1 Open the community object.

    2 In the Advanced Setting tab, choose the Excluded Services tab and add the CPD as an excluded service.


    SmartConsole Applications

    37) When deleting objects from SmartDashboard, in some cases the Where Used... option does not report that the objects are in use in the database, so they can be deleted without any warning. This applies in the following cases:

    • RADIUS and TACACS servers referenced by Templates in the Authentication tab.

    • Users and User Groups contained by other User Groups.

    • For SmartDirectory Account Units referenced by External Groups the Where Used... option is applicable but the Delete operation cannot be performed. As a workaround, restart (cpstop, cpstart) the SmartCenter Server. Note that all cases apply only if the objects were created after the SmartCenter Server was started.

    38) The Status Manager GUI fails if the Disconnect Client or the Global System Alert Definition windows are displayed and the SmartCenter Server goes down. The failure happens when the Status Manager re-connects to the SmartCenter Server.

    39) In order to be able to track Session ID information, an application should be opened independently, meaning not from another Check Point application.

    40) An application error occurs in the Status Manager when stopping the Management process fwm while the Status Manager is up and running.

    41) The Status Manager cannot show more than 16 connected clients to the SmartCenter Server. If more than 16 clients are connected, it will show that 0 clients are connected.

    42) The capability for exporting logs from SmartView Tracker running on Motif is disabled in this version.

    43) The View Rule in SmartDashboard feature in SmartView Tracker for Motif is not supported.

    44) The View rule in SmartDashboard feature in SmartView Tracker does not bring into focus the SmartDashboard application if it is already opened to the right rule database.

    45) If SmartView Monitor is open and a new non-Check Point Node object is created in SmartDashboard, the new object will appear in SmartView Monitor. Upon closing and restarting SmartView Monitor, the object will not appear, which is the correct behavior.

    46) When choosing to view Installed Policies from SmartDashboard on Motif, a failure may occur if one of the VPN-1 Pro modules fails to respond.

    47) When logs cannot be generated for some reason, such as lack of disk space or the logging process being down, changes cannot be saved from SmartDashboard. If this occurs, the following error message appears: The changes could not be saved. Please make sure all Firewall-1 services are up and running. For more information use the SmartView Monitor application.


    48) When running a query on a Security Policy in SmartDashboard, only user-defined rules are displayed in the query result. Implied rules matching the query will not be displayed, even if the option View Implied Rules is selected.

    49) When switching the active file from SmartView Tracker, the new active file name is automatically designated by the system. The user-defined file name is ignored.

    50) Policy installation may fail if a Gateway Cluster object was created in SmartDashboard using Simple mode (wizard). This problem can be avoided by doing any of the following:

    • Create the object in Simple mode. When you arrive at the Finished Cluster's definition wizard page, check Edit Cluster's Properties and click Finish. The Gateway Cluster Properties window appears. Edit the object, if needed, and click OK.

    • Create the object in Simple mode. After creating the object, use the dbedit tool to change the fwver attribute of the object from 5.0 to 6.0.

    • Use Classic mode instead of Simple mode.

    51) When defining the topology of an object in the following manner: Interface Properties > Topology > Internal > IP Addresses behind this interface > Specific, the following error message may appear after selecting a group or network and clicking OK: The selected object's type is not valid.

    To work around this issue, perform the following steps:

    1 Create a new Simple Group (From the Topology tab, click New > Group > Simple Group).

    2 Name the group, but do not add any members.

    3 Click OK.

    4 Edit the new group, and add the original group or network as a member.

    Note: Each time the interface's properties are edited, the same error message appears. To avoid repeating the above process, first define the other properties of the interface, leaving the topology definition to the end.

    High Availability

    52) Issuing a Stop Member command in SmartView Monitor performs the cphastop command on this member. Among other things, this disables the State Synchronization mechanism. Any connections opened while the member is stopped will not survive a failover event, even if the member is restarted using cphastart. However, connections opened after the member is restarted are normally synchronized.


    Logging

    53) When working with a Log Server of an earlier version than the SmartCenter Server, the log fields of records from new modules that were added after the SmartCenter Server upgrade may not be resolvable.

    54) An administrator with Read Only permission for Monitoring can still create, modify, rename and delete queries in SmartView Tracker.

    55) When a Log Server is installed on a DAIP module, management operations such as purge and log switch cannot be performed.

    56) Audit logs operation strings have changed. Several new columns have been added and other existing column names have been changed. This may cause existing filters to stop working.

    57) If you are using the cyclic logging feature, it is recommended after upgrade to back up your old /log files to another machine, and then to delete them from the Log Server.

    58) When a Log Server runs out of disk space, any logs sent by ELA clients will be lost. To prevent this, be sure to maintain adequate disk space on the Log Server.

    Monitoring

    59) Alerts that are defined in the Check Point SmartView Monitor Threshold Definition window are not sent to SmartView Monitor as popup alerts, until a first policy is installed. In the SmartDashboard Global Properties > Log and Alert > Alert Commands page, be sure to check the property Send popup alert to SmartView Monitor.

    60) When defining thresholds in SmartView Monitor, if you choose one of the User Defined options as the Alert Method, make sure that this method is defined in SmartDashboard's Global Properties. If the alert method is not defined, a regular alert is generated.

    61) If SmartView Monitor is open when a new module is created in SmartDashboard, the module will appear in SmartView Monitor with the status waiting until SmartView Monitor is restarted. For details, refer to SecureKnowledge solution sk16122.

    62) SmartView Monitor should be opened connecting to a SmartCenter Server and not to a Log Server. When using SmartView Monitor on a Log Server, statuses may be inaccurate.

    63) OS information will not be available in SmartView Monitor if the monitored machine is a Windows machine that does not run the Windows Management Instrumentation service.


    64) Working with SmartView Monitor on clustered systems may lead to unpredictable behavior. It is therefore recommended to turn off the Objects status in SmartMap feature in clustered configurations. This is done from the View menu in SmartDashboard, by unchecking the option Objects status in SmartMap.

    65) In certain scenarios, such as a High Availability SmartCenter Server in a large environment with many clustered gateways, SmartView Monitor may fail to display the status of certain gateways.

    Management High Availability

    66) A SmartCenter server that is also a VPN-1 Pro module must have a policy installed on it in order for other SmartCenter Servers to be able to communicate with it. This must be done after initial setup, or after resetting SIC communication on the SmartCenter Server.

    67) Database versions created using the Revision Control feature must be synchronized manually in a Management High Availability environment. To synchronize them, do the following:

    1 Run cpstop on the standby SmartCenter server.

    2 Copy all files under $FWDIR/conf/db_versions/repository/* and $FWDIR/conf/db_versions/database/* from the active management to the standby SmartCenter server.

    3 Run cpstart on the standby SmartCenter server.
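    Steps 1 to 3 above can be scripted. The following is an added example and is not part of these release notes or of Check Point's own tooling. It assumes the active server's $FWDIR tree is reachable from the standby as a local path (for example a staged copy), invokes cpstop and cpstart through the CP_STOP and CP_START variables so the sequence can be dry-run, and verifies the copy with per-file checksums before reporting success.

```shell
#!/bin/sh
# Added example (not from the release notes): replicate Database Revision
# Control versions from the active SmartCenter to the standby, following the
# three steps of limitation 67. Assumption: the active server's $FWDIR tree
# is available as a local path on the standby (staged copy or mount), so the
# transfer itself is a plain cp. cpstop/cpstart are called through CP_STOP and
# CP_START so the procedure can be exercised without a live SmartCenter.

CP_STOP="${CP_STOP:-cpstop}"
CP_START="${CP_START:-cpstart}"

# verify_copy SRC DST
# Returns 0 when every regular file under SRC/repository and SRC/database
# exists under DST with the same cksum, 1 otherwise (including when SRC is
# missing or empty).
verify_copy() {
    src_sums=$(cd "$1" 2>/dev/null && find repository database -type f -exec cksum {} + | sort)
    dst_sums=$(cd "$2" 2>/dev/null && find repository database -type f -exec cksum {} + | sort)
    [ -n "$src_sums" ] && [ "$src_sums" = "$dst_sums" ]
}

# sync_db_versions SRC_FWDIR DST_FWDIR
# SRC_FWDIR is the active server's $FWDIR tree, DST_FWDIR the standby's.
# Copies conf/db_versions/repository and conf/db_versions/database, wrapped
# in cpstop/cpstart on the standby, then verifies the result.
sync_db_versions() {
    src="$1/conf/db_versions"
    dst="$2/conf/db_versions"

    # Refuse to run if the source tree is not what we expect; a partial copy
    # would leave the standby with an inconsistent revision repository.
    [ -d "$src/repository" ] && [ -d "$src/database" ] || {
        echo "missing source db_versions tree under $1" >&2
        return 1
    }

    # Step 1: stop the standby management processes.
    "$CP_STOP" || return 1

    # Step 2: copy both subtrees, preserving permissions and timestamps.
    for sub in repository database; do
        mkdir -p "$dst/$sub" || return 1
        cp -pR "$src/$sub/." "$dst/$sub/" || return 1
    done

    # Step 3: restart the standby.
    "$CP_START" || return 1

    # Only report success if the files on the standby match the active copy.
    verify_copy "$src" "$dst"
}
```

    Usage on the standby, after staging the active server's tree under /tmp/active_fwdir (a constructed path): sync_db_versions /tmp/active_fwdir "$FWDIR". The checksum comparison is the part worth keeping even if the copy is done by other means: a revision repository that differs between the two servers is exactly the state the manual procedure is meant to avoid.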

    68) If a primary SmartCenter Server is in a Standalone configuration, and a secondary SmartCenter Server is active, policy installation from the secondary to the primary server will be prohibited immediately after upgrade. In order to resolve this, install the policy locally on the primary server.

    69) When using Management High Availability (between SmartCenter and/or CMA and/or MDS), change over may not succeed while SmartPortal is connected in Read/Write mode. To resolve this issue, either allow SmartPortal access only to Read-only administrators, or use SmartView Monitor to disconnect the Read/Write SmartPortal session.

    Trust Establishment (SIC)

    70) If your SmartCenter Server is deployed in a standalone configuration, you must install the policy locally (in other words, on the SmartCenter itself), before establishing SIC with Connectra devices.


    Platform Specific — Windows

    71) Windows 2000 specific issue: A SmartConsole connection to the SmartCenter Server on Windows 2000 may fail with the message: No license for user interface if the SmartCenter Server was disconnected from the network and then reconnected while the VPN-1 Pro services on the machine were running. If this occurs, restart VPN-1 Pro services (run cpstop and then cpstart).

    72) On Windows platforms only, in some cases when performing the Restore Version operation (from SmartDashboard, File > Database Revision Control > Restore Version) while SmartView Tracker is open, the restore fails and the database cannot be saved. The solution is to make sure that SmartView Tracker is closed before performing Restore Version operations. If you already encountered such a problem, run cpstop and then cpstart.

    73) When trying to export a configuration either via the wrapper or via the upgrade_export command on NG FP1, the export may fail with the following message: Error: FWDIR environment variable is not set. Please set it and try again. A workaround is to set the %FWDIR environment variable to the location where VPN-1/Firewall-1 was installed. (The default is WINDOWSDIR:\WINNT\FW1\NG).

    Platform Specific — Nokia

    74) When upgrading using the Import Configuration option in the wrapper, and the machine you have exported the configuration from is a Nokia platform, a situation may occur where Check Point packages that were not installed on the production machine will be installed. If this should occur, uninstall the relevant packages.

    OPSEC

    75) In CPMI, the command line fw unload does not trigger an eCPMI_NOTIFY_UNINSTALL_POLICY notification event.

    Miscellaneous

    76) After upgrading from NG FP2, the name of the Internal Certificate Authority (CA) that was previously entered is not displayed in the Check Point Configuration Tool (cpconfig > Certificate Authority tab), although it is still viable. If reconfigured, it is displayed.

    77) Using the cp_merge utility to merge a large number of objects (more than 10,000) from two SmartCenter Servers may not work, because at some point two main audit logs are generated. If you have a large number of objects and wish to perform the merge even though audit logs will no longer be generated from that point on, do as follows:

    1 Define the environment variable FWM_ALLOW_AUDIT_FAILURE from a shell.


    2 Use the cp_merge command from the same shell.

    OSE

    78) The Drop action is not supported for Cisco OSE devices. If the Drop action is used, the policy installation operation fails.

    79) For Cisco routers, make sure that the host names are resolvable by DNS or by the hosts file.

    80) 3Com devices are not supported.

    Dynamically Assigned IP Address (DAIP) Modules

    81) The fw tab command on a SmartCenter Server is not supported.

    SmartPortal

    82) Using sysconfig to install and configure SmartPortal on SecurePlatform is not supported. Use one of the following two workarounds instead:

    • Use the SecurePlatform Web UI First-Time Configuration wizard

    • Configure the operating system via sysconfig, and then manually install SmartPortal by running rpm -i on the SmartPortal RPM file located at /sysimage/CPwrapper/Linux/CPportal.

    83) The SIC activation key is not set in the Solaris SmartPortal installation, as cpconfig does not run when the install completes. This issue is resolved by manually running cpconfig. The license setup prompts in cpconfig can be safely ignored.


  • Clarifications and Limitations — VPN

    VPN

    In This Section

    Upgrade, Backout, and Backward Compatibility page 42

    VPN Routing page 43

    VPN Tunnel Management page 43

    VPN Communities page 43

    Multiple Entry Point (MEP) & VPN Load Distribution page 44

    VPN-1 Clusters page 44

    VPN-1 Hardware/Software Acceleration page 46

    IKE, Interoperability page 46

    PKI, PKCS page 46

    NAT with VPN page 47

    VPN-1 Diagnostics (Logging, Monitoring, Planning) page 47

    Miscellaneous page 47

    Office Mode page 47

    L2TP Clients page 47

    Nokia Clients Support (CryptoCluster & Symbian) page 48

    VPN-1 and SecuRemote/SecureClient Issues page 48

    Route Injection Mechanism page 48

    Link Selection page 49

    Route Based VPN page 49

    Multicast page 51

    LDT (Locally Defined Tunnels) page 51

    Upgrade, Backout, and Backward Compatibility

    1) VPN-1 Net is no longer supported.

    2) After upgrading a pre-NGX management server to NGX, existing VPN connections will be dropped the first time policy is installed if the enforcement modules are not also upgraded to NGX. New connections will succeed as expected. For connections with static source-destination ports (for example, GRE connections), reinitialize them by running cpstop/cpstart on the module.


    VPN Routing

    3) The IP pool NAT on a VPN-1 module which serves as a VPN router (in order to forward VPN traffic from one VPN tunnel to another) should be defined as part of the encryption domain of the VPN router. Otherwise, VPN connections via the VPN router will fail.

    4) VPN Routing only connects the VPN domain of a DAIP Gateway that is hosted behind the DAIP Gateway to the VPN domain of another DAIP Gateway. Connections that originate on the DAIP Gateway itself or are directed at the DAIP Gateway cannot be routed through the hub.

    5) When using VPN routing to route all communication from the VPN domain of a Satellite DAIP Gateway via the Hub to other Satellite Gateways or to the Internet, it is not possible to open connections from the external IP of the Satellite DAIP Gateway to the Internet.

    6) Excluded services in the VPN Community are not supported with Routed VPN.

    7) In NGX (R60), a new routing decision is undertaken after packets are encrypted. This behavior is enabled by default (including after upgrade), and may cause a change in routing behavior. If you experience problems, it is recommended to change the routing configuration to incorporate the new behavior. However, you can disable the new routing behavior per gateway by using the GuiDBedit tool to change the attribute reroute_encrypted_packets on the gateway object to False.

    Note: This behavior cannot be disabled on SecureXL.

    8) After removing virtual tunnel interface definitions, anti-spoofing warning messages may appear during all subsequent policy installations.

    VPN Tunnel Management

    9) The feature Use the community settings (SmartDashboard > gateway object > VPN > VPN Advanced > VPN Tunnel Sharing) is to be used only when all VPN peers are of version NGX (R60) or later. Otherwise, use the Custom settings option.

    VPN Communities

    10) SmartDashboard allows VPN-1 modules with dynamic IP addresses to be added as members of a VPN community in which aggressive mode for IKE Phase 1 is selected. This configuration, however, is not supported.

    11) If the Exportable for SecuRemote/SecureClient property is checked on a VPN-1 Pro Enforcement Module (from the VPN tab under Traditional Mode configuration), the module's topology information will be exported to SecuRemote/SecureClients even if the Enforcement Module is not a member of the Remote Access community.


    12) When managing SmartLSM ROBO Gateways, some of which are VPN-1-enabled from a Standalone machine, the policy fetch operation may not succeed once VPN has been established between the Standalone and the ROBO Gateway in question. In order to overcome this issue, you should add the CPD service as an excluded service for each of the communities which have SmartLSM ROBO profiles. To do this:

    1 Open the community object.

    2 In the Advanced Setting tab, choose the Excluded Services tab and add the CPD as an excluded service.

    13) The setting Accept all encrypted traffic in the Site to Site Community Properties window does not apply to connections which pass through the VPN Tunnel Interface.

    Multiple Entry Point (MEP) & VPN Load Distribution

    14) When using a traditional policy configuration, the IP pools mechanism is not supported when configured differently per different rules. This issue is not relevant when using VPN communities, since, in this case IP pools are configured globally and not per rule.

    15) When MEP gateways are configured with the same encryption domain and a backup gateway is enabled (Global Properties > VPN Advanced), the backup gateway does not affect the MEP configuration. The configuration continues to behave as a fully overlapping encryption domain MEP configuration.

    If backup gateway functionality is required for a group of gateways in the MEP configuration, the desired behavior (in which the primary gateway will have a higher priority than the backup) can be achieved by configuring the Primary gateway to include the desired encryption domain and the backup gateways to include only themselves as part of their encryption domain.

    16) Starting with version NGX (R60), only the site-to-site MEP load distribution configuration is downloaded to VPN-1 Edge devices.

    VPN-1 Clusters

    17) When defining Office Mode IP pools, make sure each cluster member has a distinct pool.

    18) When detaching a cluster member from a VPN cluster, manually remove the VPN domain once the member has been detached.

    19) When based on topology information, the VPN domain calculation contains only the cluster member topology and not the cluster object topology. This may cause issues in the VPN domain of clusters since the cluster object and members may have different subnets. In this case, define the VPN domain manually on the cluster object. This issue does not exist on VSX appliances.


    20) Peer or secure remote Gateways may show error messages when working against an overloaded Gateway cluster in Load Sharing mode. This is due to IPsec packets with an old replay counter. These error messages can be safely ignored.

    21) When based on topology information, the VPN domain calculation contains only the cluster member topology and not the cluster object topology. This may create a situation where the VPN domain of a cluster has different subnets between the members and the cluster object. A workaround is to define the VPN domain manually on the cluster object. This problem does not exist on VSX appliances.

    22) If an SSL Network Extender connection to a Load Sharing gateway times out, the user may not receive notification, but packets from the user are dropped.

    23) During policy installation, the following messages may appear on the console:

    [Expert@fault]# gated_xl[1383]: task_set_option: task MRouting socket 17 option GroupAdd(10) interface 56.2.2.1(vt-aaa) group 224.0e

    gated_xl[1383]: task_change_role reinitializing done

    gated_xl[1383]: task_set_option: task MRouting socket 17 option GroupAdd(10) interface 56.2.2.1(vt-aaa) group 224.0.0.2: Address ale

    gated_xl[1383]: task_change_role reinitializing done

    gated_xl[1383]: task_change_role re-initializing

    These messages can be safely ignored.

    24) VPN Routing is not supported for SSL Network Extender remote access users connecting through a clustered central gateway in a Load Sharing deployment.

    25) When a Check Point VPN-1 NGX peer is connected directly to a Check Point cluster (i.e., the peer and the cluster are located on the same VLAN and there is no Layer 3 (IP) routing device between them), the following features are not supported:

    • ISP redundancy

    • VPN link selection - reply from same interface

    This issue can be resolved either by placing a router between the VPN peer and the cluster, or by disabling these features.

    • To disable ISP redundancy, in SmartDashboard select the g