
Check Point Enterprise Suite NGX (R60) Release Notes

May 16, 2005

IMPORTANT: Before you begin installation, read the latest available version of these release notes at: http://www.checkpoint.com/techsupport/downloads.jsp

In This Document
Information About This Release (page 1)
Resolved Limitations (page 10)
Clarifications and Limitations (page 16)

Information About This Release

This document contains important information not included in the documentation. Review this information before setting up Check Point NGX (R60).

In This Section
License Upgrade Requirement (page 1)
NGX (R60) Products by Platform (page 2)
Build Numbers (page 3)
Non-upgradable Products (page 3)
Minimum Hardware Requirements (page 4)
Maximum Number of Interfaces Supported by Platform (page 7)
Minimum Software Requirements (page 8)
The Regular Expression (RX) Library (page 9)

License Upgrade Requirement


To upgrade to NGX R60, you must first upgrade licenses for all NG products, as NGX R60 will not function with licenses from previous versions. The utility license_upgrade is included on the CD at <OS>\license_upgrade. See the Upgrade Guide for instructions.
Copyright 2005 Check Point Software Technologies, Ltd. All rights reserved.


NGX (R60) Products by Platform


[Products by Platform table. The per-platform support marks (X) could not be recovered from this extraction; only the column and row labels are kept.]

Platform columns: Solaris UltraSPARC 8 (32/64 bit); Solaris UltraSPARC 9 (64 bit); RHEL 3.0 kernel 2.4.21; Check Point SecurePlatform; Nokia IPSO 3.9; Mac OS X; Microsoft Windows Server 2003; Windows 2000 Advanced Server (SP1-4); Windows 2000 Server (SP1-4); Windows 2000 Professional (SP1-4); Windows XP Professional & Home; Windows 98 SE & ME; Hand-Held PC 2000 & Pocket PC 2003.

Product rows: SmartConsole GUI; VPN-1 Pro Module (including QoS, Policy Server); SmartCenter Server (incl. VSX); SmartPortal; SecuRemote; SecureClient; ClusterXL (VPN-1 Pro Module); UserAuthority (Management Add-on only); Eventia Reporter - Server; SmartView Monitor; VPN-1 Accelerator Driver II; VPN-1 Accelerator Driver III; Performance Pack; SmartLSM - GUI; SmartLSM - Enabled Management; SmartLSM - Enabled ROBO Gateways; SmartLSM - Enabled CO Gateways; Advanced Routing; SecureXL Turbocard; SSL Network Extender - Server; SSL Network Extender - Client; Provider-1/SiteManager-1 Server; Provider-1/SiteManager-1 GUI; OSE Supported Routers.

OSE Supported Routers: Nortel versions 7.x, 8.x, 9.x, 10.x, 11.x, 12.x, 13, 14; Cisco OS versions 9.x, 10.x, 11.x, 12.x.

Notes to Products by Platform Table

1) See Minimum Software Requirements on page 8 for Solaris platforms.
2) The following SmartConsole Clients are not supported on Solaris UltraSPARC 8 (32- and 64-bit): Eventia Reporter Client, SmartView Monitor, SmartLSM and the SecureClient Packaging Tool.
3) HA Legacy mode is not supported on Windows Server 2003.
4) ClusterXL is supported only in third party mode with VRRP or IP Clustering.
5) Only the Server Add-on of Eventia Reporter is supported on Nokia.
6) SmartView Monitor on Solaris is supported only in 32-bit mode.
7) VPN-1 Edge devices cannot be managed from a SmartCenter server running on a Nokia platform.
Release Notes for Check Point NGX (R60). Last Update May 16, 2005


Build Numbers

The following table lists all NGX (R60) software products available, and the build numbers as they are distributed on the product CD. To verify each product's build number, use the given command.

Product                          | Build No.                                             | Command
VPN-1 Pro                        | 457_4 (Windows), 458_2 (all others)                   | fw ver
SmartCenter                      | 387                                                   | fwm ver
SecureClient Policy Server       | 24                                                    | dtps ver
SmartView Monitor                | 134                                                   | rtm ver
QoS                              | 47                                                    | fgate ver
SVN Foundation                   | 562                                                   | cpshared_ver
NG Compatibility Package         | 57_1                                                  | fw_loader -v
R55W Compatibility Package       | 12_4                                                  | fw_loader ver
VPN-1 Edge Compatibility Package | 650_1                                                 | fw ver
VPN-1 Edge - S series            | 5.0.58s                                               | Displayed on the default portal page
VPN-1 Edge - X series            | 5.0.50x (or 5.0.57x)                                  | Displayed on the default portal page
SmartConsole (GUI)               | 654_1                                                 | Help > About Check Point SmartDashboard
UserAuthority Server             | 30_1                                                  | uas ver
Eventia Reporter                 | 339_2                                                 | SVRServer ver
SecuRemote/SecureClient          | 619_1                                                 | Help > About
SecurePlatform                   | 244_1                                                 | ver
Performance Pack                 | 79_1                                                  | sim ver -k
VPN-1 HW Accelerator II          | 13_1                                                  | n/a
VPN-1 HW Accelerator III         | 20004_2 (Windows), 20004_1 (Solaris), 20007_1 (Linux) | n/a

Non-upgradable Products

The following Check Point products cannot be upgraded to NGX (R60):
VPN-1 SmallOffice
VPN-1 Net
FireWall-1 4.1


Minimum Hardware Requirements

In This Section
Windows & Linux Platforms (page 4)
Solaris Platforms (page 6)
SecurePlatform (page 7)

Windows & Linux Platforms

Minimum Requirements for VPN-1 Pro

On Windows and Linux platforms, the minimum hardware requirements for installing a VPN-1 Pro SmartCenter Server, Enforcement Module or SmartPortal are:
Intel Pentium II 300 MHz or equivalent processor
300 MB free disk space
RAM: Windows 256 Mbytes; Linux 128 Mbytes (256 Mbytes recommended)
One or more network adapter cards
CD-ROM Drive

Minimum Requirements for SmartConsole

On Windows and Linux platforms, the minimum hardware requirements for installing a SmartConsole, which includes SmartDashboard, SmartView Tracker, SmartView Monitor, Eventia Reporter, SmartUpdate, SmartLSM and User Monitor, are:
Intel Pentium II 300 MHz or equivalent processor
100 MB free disk space
256 Mbytes RAM
One network adapter card
CD-ROM Drive
800 x 600 video adapter card

Minimum Requirements for SecuRemote/SecureClient

On Windows and Mac OS-X platforms, the minimum hardware requirements for installing SecuRemote/SecureClient are:
40 MB free disk space
128 MB RAM



Minimum Requirements for Eventia Reporter

The following minimum hardware requirements were designed so that the Eventia Reporter Server will be able to process a volume of about 3 GB of logs per day and generate reports according to the performance numbers limitation. If fewer logs are produced per day, you can use a machine with less CPU or memory. This may, however, cause degradation in the performance numbers. In addition, if your machine has less physical memory, you will need to change the database cache size. To do this, follow the instructions in the Eventia Reporter User Guide under the section Changing the Eventia Reporter Database Cache Size.

On Windows and Linux platforms, the minimum hardware requirements for installing Eventia Reporter are:
Intel Pentium III 1000 MHz or equivalent processor
60 MB disk space for installation
40 GB disk space for database
1 GB RAM
One network adapter card
CD-ROM Drive
1024 x 768 video adapter card

The following is also recommended:
Configure the network connection between the Eventia Reporter Server machine and the SmartCenter or the Log server to the optimal speed.
Use the fastest disk available with a high RPM (revolutions per minute).
Increase the machine's memory; it significantly improves performance.
Install an uninterruptible power supply (UPS) for the Eventia Reporter Server machine.



Solaris Platforms

Minimum Requirements for VPN-1 Pro

On a Solaris platform, the minimum hardware requirements for installing a VPN-1 Pro SmartCenter Server, Enforcement Module or SmartPortal are:
UltraSPARC II
100 MB free disk space for installation
128 Mbytes RAM, 256 Mbytes recommended
One or more network adapter cards
CD-ROM Drive

Minimum Requirements for SmartConsole

On a Solaris platform, the minimum hardware requirements for installing a SmartConsole, which includes SmartDashboard, SmartView Tracker, SmartView Monitor, Eventia Reporter, SmartUpdate, SmartLSM and User Monitor, are:
UltraSPARC III
100 MB free disk space for installation
128 Mbytes RAM
One network adapter card
CD-ROM Drive
800 x 600 video adapter card

Minimum Requirements for Eventia Reporter

The following minimum hardware requirements were designed so that the Eventia Reporter Server will be able to process a volume of about 3 GB of logs per day and generate reports according to the performance numbers limitation. If fewer logs are produced per day, you can use a machine with less CPU or memory. This may, however, cause degradation in the performance numbers. In addition, if your machine has less physical memory, you will need to change the database cache size. To do this, follow the instructions in the Eventia Reporter User Guide under the section Changing the Eventia Reporter Database Cache Size.

The minimum hardware requirements for installing Eventia Reporter on a Solaris platform are:
UltraSPARC III 400 MHz processor
100 MB disk space for installation
40 GB disk space for database
1 GB RAM
One network adapter card
CD-ROM Drive
1024 x 768 video adapter card


The following is also recommended:
Configure the network connection between the Eventia Reporter Server machine and the SmartCenter or the Log server to the optimal speed.
Use the fastest disk available with a high RPM (revolutions per minute).
Increase the machine's memory; it significantly improves performance.
Install an uninterruptible power supply (UPS) for the Eventia Reporter Server machine.

SecurePlatform

Minimum Requirements for VPN-1 Pro

On SecurePlatform, the minimum hardware requirements for installing a VPN-1 Pro SmartCenter Server, Enforcement Module or SmartPortal are:
Intel Pentium III 300+ MHz or equivalent processor
4 GB free disk space
256 Mbytes RAM (512 Mbytes recommended)
One or more supported network adapter cards
CD-ROM Drive (bootable)
1024 x 768 video adapter card

For details regarding SecurePlatform on specific hardware platforms, see http://www.checkpoint.com/products/supported_platforms/recommended.html

Maximum Number of Interfaces Supported by Platform

The maximum number of interfaces supported (physical and virtual) is shown by platform in the following table.

Product                        | Solaris UltraSPARC | Microsoft Windows | Check Point SecurePlatform | Nokia IPSO
VPN-1 Pro and Performance Pack | 255                | 32                | 1015 (1, 2)                | 256 (1)
ClusterXL                      | 255                | 32                | 1015 (1, 2)                | 256 (1)

Notes to Maximum Number of Interfaces Table

1) SecurePlatform and Nokia IPSO support 255 virtual interfaces per physical interface.
2) When using Dynamic Routing on SecurePlatform, 200 virtual interfaces per physical interface are supported.



Minimum Software Requirements


Solaris Platform

Required Packages

SUNWlibc
SUNWlibCx
SUNWter
SUNWadmc
SUNWadmfw

Required Patches

Check Point recommends using the Sun Install Check Tool to check the patch level of your Solaris machines. The Sun Install Check Tool is available on the Sun download site at http://www.sun.com/software/installcheck/download.xml. Use the tool to make sure your Solaris machines have the following or newer patches.

Solaris 8: the following patches (or newer) are required on Solaris 8 UltraSPARC platforms:

Number    | System | Notes
108528-18 | All    |
110380-03 | All    |
109147-18 | All    |
109326-07 | All    |
108434-01 | 32 bit |
108435-01 | 64 bit |

If the patches 108528-17 and 113652-01 are installed, remove 113652-01, and then install 108528-18.

Solaris 9: the following patches (or newer) are required on Solaris 9 UltraSPARC platforms:

Number    | System | Notes
112233-12 | All    |
112902-07 | All    |
116561-03 | All    | Only if the dmfe(7D) ethernet driver is defined on the machine

To verify that you have these patches installed, use the command:
showrev -p | grep <patch number>

The patches can be downloaded from: http://sunsolve.sun.com. Install the 32-bit patches before installing 64-bit patches.
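The "or newer" check above, worked as a script: an added example (not Check Point's or Sun's code) that parses `showrev -p` output, reports required Solaris 8 patches that are absent or older than the listed minimum revision, and detects the 108528-17 plus 113652-01 combination that must be handled before 108528-18 is installed. It assumes each `showrev -p` line has the form `Patch: <base>-<rev> Obsoletes: ...`, and the sample output embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not Check Point or Sun code: compare installed Solaris patch
# revisions (from `showrev -p`) against the minimum revisions in the table above.
# Assumption: each `showrev -p` line starts "Patch: <base>-<rev> Obsoletes: ...".

# Constructed sample of `showrev -p` output (not captured from a real host).
SAMPLE_SHOWREV='Patch: 108528-17 Obsoletes: 108619-02 Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 110380-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
Patch: 109147-18 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
Patch: 113652-01 Obsoletes:  Requires: 108528-17 Incompatibles:  Packages: SUNWcsr
Patch: 108434-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWlibC'

# Minimum revisions required on Solaris 8 (the "All" and "32 bit" rows of the table).
REQUIRED_SOL8_32='108528-18 110380-03 109147-18 109326-07 108434-01'

# installed_rev BASE SHOWREV_OUTPUT: print the highest installed revision of patch
# BASE as a decimal number (several revisions of one patch may be listed), or
# print nothing when the patch is not installed at all.
installed_rev() {
    printf '%s\n' "$2" | awk -v base="$1" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 > best) best = p[2] + 0
        }
        END { if (best > 0) print best }'
}

# patch_ok PATCHID SHOWREV_OUTPUT: succeed when PATCHID (e.g. 108528-18) or a newer
# revision of the same base patch is installed. The numeric comparison is done in
# awk so that revisions like "08" are read as decimal, not as octal shell arithmetic.
patch_ok() {
    base=${1%-*}
    need=${1#*-}
    have=$(installed_rev "$base" "$2")
    [ -n "$have" ] && awk -v h="$have" -v n="$need" 'BEGIN { exit !(h + 0 >= n + 0) }'
}

# missing_patches SHOWREV_OUTPUT REQUIRED_LIST: print, space separated, every
# required patch that is absent or older than its minimum revision.
missing_patches() {
    out=''
    for id in $2; do
        patch_ok "$id" "$1" || out="$out $id"
    done
    printf '%s\n' "${out# }"
}

# needs_113652_removal SHOWREV_OUTPUT: the note above says that when 108528-17 and
# 113652-01 are both installed, 113652-01 must be removed before 108528-18 is
# applied. Succeed when exactly that combination is present.
needs_113652_removal() {
    have_108528=$(installed_rev 108528 "$1")
    have_113652=$(installed_rev 113652 "$1")
    [ "$have_108528" = "17" ] && [ "$have_113652" = "1" ]
}

# On a real Solaris 8 host run:  missing_patches "$(showrev -p)" "$REQUIRED_SOL8_32"
main() {
    echo "Missing or outdated: $(missing_patches "$SAMPLE_SHOWREV" "$REQUIRED_SOL8_32")"
    needs_113652_removal "$SAMPLE_SHOWREV" && echo "Remove 113652-01 before installing 108528-18"
}
main
```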



Windows Platform

This release requires that Service Packs be applied to Windows 2000 systems. This release supports Windows 2000 Service Packs SP1, SP2, SP3, and SP4. The release also supports Windows 2003 and Windows 2003 SP1.

Linux Platform

This release supports Red Hat Enterprise Linux 3.0. For Red Hat kernel installation instructions, visit: http://www.redhat.com/support/resources/howto/kernel-upgrade.

Nokia Platform

This release supports IPSO 3.9.

The Regular Expression (RX) Library


NGX (R60) uses the RX Library. The library license agreement (LGPL) can be downloaded from: http://www.checkpoint.com/techsupport/downloads/docs/firewall1/r55/GNU_LGPL.pdf.



Resolved Limitations

In This Section
Firewall (page 10)
SmartCenter (page 11)
VPN (page 13)
VPN-1 Edge (page 13)
SmartUpdate (page 13)
SecuRemote/SecureClient (page 13)
SecurePlatform (page 14)
VSX (page 14)
ClusterXL (page 14)
SSL Network Extender (page 15)

This section contains limitations that were published as release notes with NG with Application Intelligence (R55) and now stand as resolved in NGX (R60). They are presented in their original format, stressing the limitation, yet should be understood as resolved.

Firewall

Installation
1) On Windows platforms, the SNMP service must be stopped before uninstalling VPN-1 Pro. If the SNMP service is running, a message regarding locked files is displayed.
2) In order to install the SmartCenter Applications on Windows NT, use the installation executable instead of the installation wrapper.

SmartDashboard, Motif GUI
3) After resetting to default, the update time and version are no longer displayed on the top side of the General page. However, these update details can still be seen on the bottom half of the General page.

Platform Specific Solaris
4) SUN's Gigaswift network driver is not supported when using ClusterXL in a VLAN tagging configuration.

Directional Rule Match
5) A user group may be placed in the Destination column in the Security Rule Base only if the Remote Access community appears in the "to" part of the VPN column in a new Directional VPN rule (for example, VPN column = Any > RemoteAccess). If the Remote Access community is used alone (for example, in a non-directional form), this will not work.

SmartCenter

Upgrade, Backout, and Backward Compatibility
1) When upgrading to a new machine using the Import or Export utilities, and SecurID is being used for authentication, and the new SmartCenter Server has the same IP address as the original SmartCenter Server, use the following instructions to retain both user and administrator authentication:
For Windows Platforms: If the environment variable %VAR_ACE exists, copy the file %VAR_ACE\sdconf.rec from the original machine to the new machine. Otherwise, copy the file %WINDIR\system32/sdconf.rec from the original machine to the new machine. In addition, copy the registry key HKLM > SOFTWARE > SDTI > ACECLIENT > NodeSecret from the original machine to the new machine.
For Unix Platforms: If the environment variable $VAR_ACE exists, copy the files $VAR_ACE/sdconf.rec and $VAR_ACE/securid from the original machine to the new machine. Otherwise, copy /var/ace/sdconf.rec and /var/ace/securid from the original machine to the new machine.
2) When installing the R55W Add-On on a standalone machine (in other words, it is deployed with both the SmartCenter Server and the VPN-1 Pro Gateway), the local gateway remains at version R55. You should use the Upgrade Tool to upgrade the local gateway from version R55 to version R55W. Refer to the Getting Started Guide for more information.

Policy Installation
3) Policy installation issues occur on a VPN-1 Edge/Embedded Gateway when a rule contains a Cluster object in its source or destination. As a workaround, create a node object with the IP address of the cluster object, and use the node object instead of the cluster object in the rule.

SmartCenter Server
4) When using rules with resources, avoid installing them on VPN-1 Edge/Embedded profiles. Resources are not supported with VPN-1 Edge/Embedded appliances.

Management High Availability
5) When adding a new Secondary Management, the machine should be synchronized once manually before it starts synchronizing automatically.
6) When creating a Management High Availability environment, all peers must be installed with the same products. If one product is installed on one peer but not on the other, product information may be lost and the product may not function properly.
7) When using Management High Availability, all SmartCenter servers must be installed with the same version. This also applies if your SmartCenter servers were created with the R55W add-on; if one of the SmartCenter servers is installed with the R55W add-on, the others should be as well.

Platform Specific Nokia
8) In order to manage QoS modules from a Nokia SmartCenter, you need to enable QoS in Voyager on SmartCenter. Telnet into the Nokia SmartCenter and perform cpstop and cpstart (or reboot). In cpstop, you can safely ignore the message "etmstop: Module not loaded". When you run cpstart on SmartCenter, you can safely ignore the message "FloodGate-1: This is a Management Station. No QoS Policy will be Loaded."
Note: Trying to install a QoS policy on a module before executing these steps on SmartCenter will fail and produce the error message: "Failed to start uninstall/install operation."

Miscellaneous
9) In demo mode, when launching SmartLSM through SmartDashboard, no predefined ROBO Gateway objects are shown in SmartLSM, and no SmartLSM Profile objects can be created in SmartDashboard.

SmartConsole Applications
10) On the Motif platform, in SmartDashboard, there are issues when adding or editing Default community strings in SNMP in SmartDefense. Use the dbedit utility to add or edit entries. The entries are contained in the asm table: AdvancedSecurityObject and snmp_protection\snmp_default_communities_list.

OPSEC
11) OPSEC applications that read logs using LEA may fail if the network objects database contains more than 2000 objects.



VPN

VPN Communities
1) Excluded Services are not supported with VPN Communities that contain VPN-1 Edge devices.

PKI, PKCS
2) Entrust CAs are defined as OPSEC CAs, and can be configured to support CMP automatic enrollment. In upgrade, Entrust CAs are changed to be OPSEC CAs.

VPN-1 and SecuRemote/SecureClient Issues
3) The combination of using multiple external interfaces (route through different interfaces) for SecuRemote/SecureClient and ClusterXL pivot mode is not supported.
4) MACROs have been added to cp.macro for SecureClient on MAC OS, and SecureClient with Integrity. The cp.macro file should be replaced under $CPDIR/conf on the Management.

VPN-1 Edge
1) Policy installation issues on a VPN-1 Edge/Embedded Gateway when a rule contains a Cluster object in its source or destination. As a workaround, create a node object with the IP address of the cluster object, and use the node object instead of the cluster object in the rule.

SmartUpdate
1) SmartUpdate does not support upgrading remote devices to versions other than that of the management server.

SecuRemote/SecureClient

Connectivity
1) If SecureClient receives an IP address on a subnet on which the cluster also has an interface, SecureClient will not survive a failover from one cluster member to another. When the cluster fails over to another member, the MAC address is reset to the MAC address of the active cluster member. Once SecureClient receives an Office Mode address from the gateway, SecureClient can no longer discover the MAC address of the cluster. This means that SecureClient cannot update the MAC address when the MAC address of the cluster member changes. SecureClient continues to send packets to the MAC address of the now inactive cluster member.




SecurePlatform

General
1) Starting with this release, the SecurePlatform restricted shell allows using the '/' symbol with ifconfig and route commands. This allows defining networks with CIDR notation (e.g., 10.10.0.0/16).
2) If you physically replace a NIC card in a machine with SecurePlatform, the order of the NICs may change. Make sure that you verify that the NICs are mapped and connected according to your needs.
3) Some models of Intel PRO/1000 cards may have performance issues when used under high load and/or in a ClusterXL setup. The symptoms include log messages (in /var/log/messages) about NICs being reset via watchdog, or, in other cases, NICs stopping transmitting traffic. Please contact Check Point technical support to resolve those issues.

WebUI
4) The character % should not be specified when defining a password.

VSX

1) Virtual Device names are limited to 64 characters. When creating a new Virtual Device, the name of the device is composed of the new Virtual Device name, the VSX box name, and the cluster member name. This name should not exceed 64 characters.
2) Each Virtual System/Router can have up to 30 interfaces.

ClusterXL

Platform Specific Solaris
1) SUN's Gigaswift network driver is not supported when using ClusterXL in a VLAN tagging configuration.
2) In a Solaris cluster configuration, one or more of the following may occur:
The kernel message "ERROR_ACK for DL_ENABMULTI_REQ" during the boot process.
The message "no interface information" during or after the boot process.
An interface has the flag MULTI_BCAST in ifconfig.
An interface starts, possibly once every several boots, in the down state.
The message "ar_entry_query: Could not find the ace for source address" during or after the boot process.
As a result of these issues, the cluster does not process packets on the problematic interface.

VPN-1 and SecuRemote/SecureClient Issues
3) The combination of using multiple external interfaces (route through different interfaces) for SecuRemote/SecureClient and ClusterXL pivot mode is not supported.

Crossbeam
4) On a Crossbeam box, where an external circuit is defined as the sync network, the wrong Unicast MAC is used when forwarding IKE packets between members. This may cause key exchanges to fail.

Supported Features
5) When a SecureXL host and a ClusterXL gateway are both located on the same network, and the ClusterXL gateway is either in High Availability or Load Sharing Unicast mode, the SecureXL host may not recognize a failover performed by the ClusterXL gateway. A workaround is to place a router between the gateways.

Load Sharing
6) ISP redundancy is supported in Load Sharing Unicast mode only when working over SecureXL or Performance Pack.

SSL Network Extender


1) SSL Network Extender is not supported on ClusterXL in Load Sharing mode.




Clarifications and Limitations

In This Section
Firewall (page 17)
SmartCenter (page 28)
VPN (page 40)
VPN-1 Edge/Embedded (page 50)
VSX (page 52)
SecuRemote/SecureClient (page 55)
SecurePlatform (page 60)
SmartLSM (page 68)
SmartUpdate (page 70)
SmartView Monitor (page 72)
Eventia Reporter (page 73)
ClusterXL (page 77)
SecureXL (page 88)
Performance Pack (page 88)
SSL Network Extender (page 90)
QoS (page 92)
UserAuthority Server (page 93)
OPSEC (page 94)
InterSpect (page 94)




Firewall

In This Section
Installation, Upgrade and Backward Compatibility (page 17)
Platform Specific SecurePlatform (page 18)
Platform Specific Nokia (page 18)
Platform Specific Windows (page 19)
Platform Specific Solaris (page 19)
Platform Specific Linux (page 20)
Load Sharing (page 20)
NAT (page 20)
Authentication (page 21)
Security Servers (page 21)
Services (page 23)
IPv6 (page 23)
SmartConsole & SmartConsole Applications (page 24)
ISP Redundancy (page 24)
Logging (page 25)
Policy Installation (page 25)
OSE (page 26)
SAM (page 26)
Dynamically Assigned IP Address (DAIP) Modules (page 26)
Miscellaneous (page 26)
VoIP (page 26)

Installation, Upgrade and Backward Compatibility
1) Manual configurations in the file fwauthd.conf (e.g., the in.ahttpd configuration for the generic TCP Security Server) are not preserved during upgrade, and the changes should be reapplied.
2) When upgrading from earlier NG Feature Packs, the SYNDefender configuration moves to a global configuration in SmartDefense and defaults to off. If a per-module configuration is desired, uncheck Override modules SYNDefender configuration under TCP > SYN Attack Configuration in the SmartDefense settings.




3) Prior to NG with Application Intelligence (R54), setting the SmartDefense feature Max URL length to 0 would drop all connections. Since R54, setting the parameter to 0 disables this protection.
4) When the Web Intelligence General HTTP Worm Catcher is enabled, policy installation on modules running NG FP1 cannot be performed. In order to install the policy, you should either remove the NG FP1 modules from the list of Policy Installation Targets, or alternatively disable the General HTTP Worm Catcher.
5) When the Web Intelligence General HTTP Worm Catcher is enabled, policy installation on modules running NG FP3 prior to HotFix-2 cannot be performed. In order to install the policy, you should upgrade the module to NG FP3 HotFix-2.
6) In modules that pre-date version NG with Application Intelligence R55W, the Web Intelligence defenses HTTP Format Sizes, ASCII Only Request and General HTTP Worm Catcher only support the protection scope "apply to all HTTP connections"; therefore, if one of these defenses is configured with the protection scope "apply to selected web servers" and is installed on an older module, the protection scope "apply to all HTTP connections" will be applied on this module.
7) During upgrade of a cluster member from a pre-NGX (R60) version to NGX (R60) and higher versions, the following message may appear on the console: "FW-1: fwlddist_put: bad operation received from higher version". This message can be safely ignored.

Platform Specific SecurePlatform
8) Virtual interfaces are not supported on the Enforcement Module on Linux and SecurePlatform operating systems.

Platform Specific Nokia
9) When the SmartDefense TCP Sequence Verifier feature is enabled and SecureXL is on or Flows acceleration is enabled, a message appears when you install a policy from SmartDashboard, and the Sequence Verifier feature is not enforced. For SecureXL, the message displayed is: "Warning: This Gateway supports SecureXL traffic acceleration. TCP Sequence Verifier (SmartDefense) will not be enforced on accelerated connections. To allow Sequence Verification, turn off acceleration on the Gateway by running cpconfig." For Flows acceleration, the message is: "Flows: TCP Sequence Verifier acceleration is not supported on the Gateway." To configure the TCP Sequence Verifier, select the SmartDefense tab > Network Security > TCP and deselect Sequence Verifier.




Platform Specific Windows
10) VPN-1 Pro limits its memory allocations to a certain percentage of the available non-paged memory. This limit affects the number of concurrent connections that the Enforcement Module can handle. The limit is intended to leave the rest of the system enough memory resources for smooth operation. The default limit can be changed to suit the system configuration. In Windows the limit can be set by setting the MaxNonPagedPoolUsage value (DWORD) in the registry (under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters). Valid values are 0-100, which represent the maximum percentage of memory which VPN-1 Pro can use. In other operating systems, this can be set by changing the fw_salloc_maxmem_usage global parameter.
11) The following message may be displayed when installing a policy: "The NDISWANIP interface is not protected by the anti-spoofing feature." This message can be safely ignored.
12) If an Intel NMS service is running during the VPN-1 Pro installation, it may crash. This is a known Intel NMS service issue in versions prior to NMS 2.0.56.0, where crashes occur whenever an NDIS IM driver is installed. Since NMS version 2.0.56.0 was part of PC6.0, releases from and including PC6.0 do not have this issue.
13) The Network Load Balancing (NLB) driver is not supported with VPN-1.
14) VLAN tagging is not supported on Windows platforms.
15) Adaptec Duralink64 port aggregation/failover is not supported.
16) On Windows platforms, when switching from High Availability Legacy to High Availability New Mode or Load Sharing, the CCP transport mode is set to broadcast instead of multicast. A workaround is to toggle the CCP mode via the following command on each cluster member: cphaconf set_ccp broadcast/multicast.

Platform Specific Solaris
17) Supported interfaces for Solaris systems are listed in the file $FWDIR/boot/ifdev. Add interfaces other than those listed only after consulting Check Point technical services.
18) On the Solaris 8 platform 64 bit, the maximum number of file descriptors must be set to less than 8192. Setting a higher number can lead to unpredictable VPN-1 Pro behavior.
19) When using automatic ARP publishing with ATM interfaces on Solaris, errors like "SIOCDARP: Protocol error" may appear on the console. These errors can be safely ignored.




20) On Solaris platforms with a qlc driver and the kernel memory allocator debugging functionality enabled, the system may experience instability. In this case, install Solaris patch 113042-10 or higher.

Platform Specific Linux
21) New interfaces that are added after the Enforcement Module is started (e.g., a PPP interface) are not displayed by the fw stat -l command. Use the fw ctl iflist command instead.
22) When NIS is enabled for resolving network services, Check Point processes may experience memory leakage due to a memory leak in libC 2.2.4. A workaround is to disable NIS resolving (remove nis and nisplus from the services: line in /etc/nsswitch.conf).
23) ATM and ISDN interfaces are not supported.

Load Sharing
24) When employing SecurID for authentication, it is recommended to define each cluster member separately on the ACE/Server with its own unique (internal) IP address. In addition, to send packets to the ACE/Server with their unique IP addresses and not the VIP address, edit the file table.def, located in $FWDIR/lib. Change the line starting with no_hide_services_ports to, for example, no_hide_services_ports = {<5500, 17>}, where 5500 is the service port and 17 (UDP) is the protocol.

NAT
25) Microsoft Exchange Outlook Client UDP new mail notification does not work with Hide NAT on the client. For the new mail notification, both the Client and the Server need to be in both the source and the destination cells:

Source         | Destination    | Action | Info
Client, Server | Server, Client | Accept | MSExchange

In the $FWDIR/lib/exchange.def file, enable this notification by setting #define ALLOW_EXCHANGE_NOTIFY (as stated in the file comments).
26) OSE objects cannot be used in NAT rules. The workaround is to define regular node objects with the same addresses and to use them instead.
27) Automatic ARP is not supported with IP Pool NAT.


Authentication
28) When performing manual client authentication (using port 900) to a cluster where the members' IP addresses are not routable, the URLs returned in the HTML from the replying cluster member contain the member's own non-routable IP address instead of the cluster IP address. This fails subsequent operations. The workaround is to configure the cluster to use a domain name instead of an IP address in the client authentication HTML pages, using the ahttpclientd_redirected_url global property. Make sure that your DNS servers resolve this domain name to the IP address of the cluster.
29) After changing the sdconf.rec file on a Firewall-1 module (needed for SecurID authentication), in order for the new configuration to take effect, you must restart the Firewall-1 services by running cpstop and cpstart.
30) Client Authentication will fail if the VPN-1 Pro machine name is configured with a wrong IP address in the hosts file.
31) Clientless VPN with the Action Client Auth is not supported if the web server object is in the destination cell. The workaround is to add the gateway to the destination cell.
32) When using a SmartDirectory server for internal password authentication, if the account lockout feature is disabled the Firewall will not attempt to modify the user's login failed count and last login failed attributes on the SmartDirectory server. This improves overall performance and eliminates unnecessary SmartDirectory modify errors when using SmartDirectory servers that do not have these attributes defined because the Check Point SmartDirectory schema extension was not applied on the SmartDirectory server.
33) Issues may arise when using automatic or partially automatic client authentication for HTTP on Load Sharing clusters (both ClusterXL and OPSEC clusters). A workaround is to define a decision function based only on IP addresses in order for connections to open. For ClusterXL, go to the ClusterXL tab > Load Sharing > Advanced, and select IPs only. For OPSEC clusters, refer to the product documentation for more information.
34) Definition of nested RADIUS Server groups is not supported.

Security Servers
35) The HTTP Security Server handles a proxied or a tunneled connection request differently than earlier Firewall versions. Beginning with FireWall-1 NG FP2, such requests are not allowed if they are matched with an Accept rule. However, they are still allowed if the request is matched with an Authentication or a Resource rule. This change was made in order to harden security and prevent the CONNECT from looping to the Security Server and then to another destination.


In R54, FTP over HTTP proxy connections were allowed when using User Authentication even if they were not allowed explicitly by a rule in the Security Policy. In NGX (R60), in order to further harden security, these connections are not allowed by default unless there is an explicit rule (using a URI Resource) that allows them. If you wish to revert to the old behavior, refer to SecureKnowledge solution sk14608.
36) When using SMTP resources to filter files by their filename, an incorrect log message is generated stating: Forbidden MIME attachment stripped.
37) UFP counters available via cpstat fw -f ufp give incorrect values.
38) If web browsers are configured to use an IP address for their proxy (instead of a hostname), the next proxy definition of the HTTP Security Server must also use the same IP address. If the next proxy definition is a hostname, connections using an IP address will not be allowed to the proxy. It is recommended to use only hostnames in the browser configuration.
39) Outlook Web Access is not supported with User Authentication.
40) When a field in a URI specification file is too long, the Security Server exits when trying to load the file. Under load, the Firewall daemon (FWD) reloads the Security Server, which then exits again. After a certain time, cores are dumped.
41) Client authentication with agent automatic sign on is supported with all rules, with two exceptions:
   The rule must not use an HTTP resource.
   Rules where the destination is a web server.
42) When using the HTTP Security Server in proxy mode (HTTP Tunneling), connections may be encrypted over port 80 (e.g., the first command is in the clear, and subsequent requests are in SSL). SmartDefense will block these connections and generate the following log entry: Binary character in request. To enable such connections, change the global property asm_http_allow_connect to True. Please note that this change will cause SmartDefense to stop examining these connections when an HTTP Connect command is detected in the proxied connection.
43) When using SOAP filtering in the HTTP Security Server, the SOAP scheme file supports all forms of namespaces and methods; however, the feature is not supported if a method has no namespace at all.
44) Security Servers are not supported with Sequence Verifier in Load Sharing Cluster environments.


Services
45) When a policy containing services with Keep connections open after Policy has been installed checked is installed on NG FP3 modules, no warning is generated. Such services will be enforced according to the default behavior on these modules.
46) When CIFS resources are used in rules with policy targets in their Install On fields, policy installation on NG FP3 modules may succeed without warning, although CIFS resource filtering is not supported on these modules.
47) A service using the FTP_BASIC protocol type cannot be used with the FTP Security Server.
48) When using T.120 connections, make sure to manually add a rule that allows T.120 connections.
49) When Hide NAT is performed on a VPN-1 gateway, Real Time Stream Control Protocol (RTSP) sessions are dropped. A workaround is available to resolve this issue:
   a. Change to the $FWDIR/lib/ directory.
   b. Back up the current rtsp.def file.
   c. Edit the file rtsp.def.
   d. Uncomment the following line:
      //#define RTSP_C_TO_S_DATA
      to:
      #define RTSP_C_TO_S_DATA
   e. Install a Security Policy.
Note that performing this workaround will result in a packet drop of RTSP sessions initiated within 60 seconds after a previous RealNetworks Data Transport (RDT/RTSP) session that used the same port number as the subsequent session.

IPv6
50) Discovery traffic is enabled by default on IPv6 enabled modules. To disable it, edit the file $FWDIR/lib/implied_rules.def and comment out the line #define ACCEPT_DISCOVERY 1.
51) When connecting to the IPv6 IPv4 compatible address of VPN-1 Pro (::w.x.y.z, for example), the following appears on the console: Jan 14 09:37:32 shif [LOG_CRIT] kernel: fw_filterin: 0 unknown interface. This message can be safely ignored in such configurations. To prevent the message from appearing, run this command: modzap _fw_verbose_unknown_if $FWDIR/boot/modules/fwmod.o 0x0 and reboot.
52) Because IPv6 is not supported for security servers, enabling Configuration apply to all connections under SmartDefense's FTP Security Server settings causes FTP (as well as HTTP and SMTP) connections over IPv6 to be rejected, and no log is generated.
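Items 49 and 50 both come down to toggling one #define line in a $FWDIR/lib/*.def file. The shell helper below is an added example, not Check Point's own code: it keeps a backup before editing (step b), changes only a line that is exactly the named define, and verifies the result, which the manual steps do not. The function names are assumptions, the sample file contents are constructed stand-ins written to a scratch directory rather than the real $FWDIR/lib, and the policy installation step (e) is not performed.

```shell
#!/bin/sh
# Added example, not Check Point code: toggle a single INSPECT #define in a
# $FWDIR/lib/*.def file with a backup and a verification step (items 49, 50).
# Assumes only sed, grep, cp, mktemp and printf are available.

# def_is_enabled FILE MACRO : success if an active "#define MACRO" line exists
def_is_enabled() {
    grep -q "^#define $2\([[:space:]]\|\$\)" "$1"
}

# def_backup FILE : keep a timestamped copy before touching the file (step b)
def_backup() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
}

# def_enable FILE MACRO : turn "//#define MACRO ..." into "#define MACRO ..."
# (item 49, step d); only a line that is exactly the commented define is touched
def_enable() {
    def_backup "$1" || return 1
    sed -i "s|^//#define $2\([[:space:]].*\)\{0,1\}\$|#define $2\1|" "$1" || return 1
    def_is_enabled "$1" "$2"
}

# def_disable FILE MACRO : comment out "#define MACRO ..." (item 50)
def_disable() {
    def_backup "$1" || return 1
    sed -i "s|^#define $2\([[:space:]].*\)\{0,1\}\$|//#define $2\1|" "$1" || return 1
    ! def_is_enabled "$1" "$2"
}

# def_demo : run both edits against constructed sample files in a scratch
# directory standing in for $FWDIR/lib; returns 0 only if every check passes
def_demo() {
    _lib=$(mktemp -d) || return 1
    # constructed stand-ins for the relevant lines of the real files
    printf '// RTSP client-to-server data (constructed sample)\n//#define RTSP_C_TO_S_DATA\n' > "$_lib/rtsp.def"
    printf '#define ACCEPT_DISCOVERY 1\n' > "$_lib/implied_rules.def"

    def_enable "$_lib/rtsp.def" RTSP_C_TO_S_DATA || return 1
    grep -q '^#define RTSP_C_TO_S_DATA$' "$_lib/rtsp.def" || return 1
    # the unrelated comment line must be left untouched
    grep -q '^// RTSP client' "$_lib/rtsp.def" || return 1

    def_disable "$_lib/implied_rules.def" ACCEPT_DISCOVERY || return 1
    grep -q '^//#define ACCEPT_DISCOVERY 1$' "$_lib/implied_rules.def" || return 1

    # both backups must exist and still hold the original lines
    grep -q '^//#define RTSP_C_TO_S_DATA$' "$_lib"/rtsp.def.bak.* || return 1
    grep -q '^#define ACCEPT_DISCOVERY 1$' "$_lib"/implied_rules.def.bak.* || return 1
    rm -rf "$_lib"
    echo "def edits applied and verified in scratch copy"
}
```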

53) The command fw6 unload localhost unloads both IPv6 and IPv4 policies, although it should unload only the IPv6 policy.
54) In IPv6 logs, IPv6 address resolving is not supported in SmartView Tracker.
55) Anti-spoofing is currently not supported with IPv6.
56) Boot policy is not supported on IPv6 enabled modules.
57) Content of IPv6 in IPv4 tunnels (IPv4 protocol 41) passing through VPN-1 Pro is not inspected.
58) CPMAD functionality is not supported with the IPv6 protocol.
59) SmartDefense's ping size property is not enforced on ICMPv6 echo request packets.
60) IPv6 packets with extension headers which are not explicitly allowed via editing of the table.def INSPECT script are dropped without being logged.
61) The Remote Shell (RSH) protocol is not supported for IPv6.

SmartConsole & SmartConsole Applications
62) Firewall implied rules for GUI Clients are not matched when using a wildcard (e.g., 1.1.*.*). As a result, connections from GUI Clients to the SmartCenter Server may be blocked if there is a VPN-1 Pro module between them. Single IP definitions (e.g., 1.1.1.1) are supported. When specifying GUI Clients using any format other than a single IP address, add an explicit rule in the Rule Base allowing the GUI Clients to connect to the SmartCenter Server.
63) When a client connects with SmartDashboard to SmartCenter and performs a SmartDefense online update, a second client connecting with SmartDashboard to the same SmartCenter will see the new protections but not the new HTML descriptions. The situation is resolved by the second client logging out and logging in again. A similar behavior may occur regarding the Silent Post-install Update. If new protections were added in that package, then the second client that logs in will not see the respective new HTML descriptions. The workaround is the same (the client should log out and log in again).

ISP Redundancy
64) When using the ISP load sharing configuration, outgoing traffic that passes through a security server is not load-shared, and will pass through a single ISP (the default route). If this ISP fails, new connections will be opened through the second ISP.
65) ISP redundancy is not supported in a ClusterXL Different subnets configuration. This means the IP address of the cluster must be on the same subnet as the cluster members' real IP addresses.

66) In a ClusterXL configuration, the names of the external interfaces of all cluster members must be identical and must correspond in turn to the names of the external interfaces of the cluster object. For example, if the cluster object has two external interfaces called eth0 and eth1 which are connected to ISP-1 and ISP-2, respectively, each cluster member must have two external interfaces called eth0 and eth1 which should be connected to ISP-1 and ISP-2 respectively.
67) If the ISP redundancy feature is enabled over a PPPoE or a PPTP interface, the MTU of any other external Ethernet interface should be lowered to match the MTU of the PPPoE/PPTP interface. For example, if eth1 is an external Ethernet interface and eth0 is an Ethernet interface over which a PPPoE interface called pppoe0 is defined, the MTU of eth1 should match the MTU of pppoe0. On SecurePlatform this can be achieved by logging on to the box and running:
   ifconfig ethX mtu newMTU
   ifconfig --save
where ethX is the name of the external Ethernet interface and newMTU is the MTU of the PPPoE/PPTP interface. This change will be persistent across boots.
Notes:
   a. The MTU of the PPPoE/PPTP interface can be obtained on SecurePlatform by running: ifconfig pppXXX, where pppXXX is the name of the PPPoE/PPTP interface.
   b. In the aforementioned example, the MTU of eth0 should not be changed.
68) ISP redundancy cannot be used in conjunction with SynDefender.
69) ISP redundancy, when working in conjunction with SecureXL, has the following limitations:
   Some connections passing through interfaces configured with ISP redundancy are not accelerated, while other connections (for example, an internal connection to a DMZ) are accelerated and are not affected by this limitation.
   ISP redundancy over PPTP and PPPoE interfaces is not supported.

Logging
70) FTP data connections may appear in the Active connections view in SmartView Tracker even after these connections have been terminated.

Policy Installation
71) When installing a policy on a module, the policy installation log may record anti-spoofing warning messages from modules not included in the installation that do not have anti-spoofing configured.


72) Policy installation may fail when there are 70 or more dynamic objects.

OSE
73) For Cisco routers, make sure that the host names are resolvable by DNS or by the hosts file.

SAM
74) A Suspicious Activity Monitor (SAM) rule will fail for a remote Gateway if the SmartCenter Server is also a VPN-1 Pro enforcement module and no policy has been installed on it since adding the remote Gateway.

Dynamically Assigned IP Address (DAIP) Modules
75) The fw tab <remote DAIP Module> command on a SmartCenter Server is not supported.

Miscellaneous
76) Token ring adapters are not supported.
77) The TCP Sequence Verifier is not supported with clusters using asymmetric routing.
78) The Accept VPN-1 & FireWall-1 control connections Implied Rules setting is applicable to a SmartCenter server object in specific cases only: to the primary IP defined for this object and only if there are interfaces defined in its Topology tab. This may create connectivity problems when trying to install policies (or other operations included in the control connections). The workaround is to define explicit rules that allow connectivity to the SmartCenter object.
79) When executing the following command: fw tab -u -f -t connections, error messages such as FW-1: fwkbuf_length: invalid id number XXXX and Table kbufs Invalid handle 6a6b8803 (bad entry) can be safely ignored. To avoid these messages, use the command fw tab -u -t connections instead.

VoIP
80) MSN Messenger version 5 is not supported. Additionally, there are a few known issues regarding MSN Messenger when employing Hide NAT:
   When running SIP and the data connection tries to open MSN Messenger connections on hidden networks, the connection fails.
   While audio and video each work separately, they cannot be run concurrently.


81) When using the SIP protocol and a security rule uses the Action reject to block high_udp_ports (RTP ports - data connection), the incoming audio is rejected as well. A workaround is to use the Action drop in place of reject.
82) When an H.323 IP phone that is not part of a handover domain tries to establish a call, the call attempt is blocked and the following message appears on the console: FW-1: fw_conn_inspect: fwconn_chain_lookup failed. If you want to allow this phone to make calls, add it to the handover domain, and the error message will no longer appear. Note that this console message may appear in other (non-VoIP) scenarios as well.
83) In some cases, when a user closes an MSN Messenger application (such as Whiteboard), the application will not close automatically on the remote end. The remote user will need to close the application manually.
84) When the SIP proxy is in the DMZ, whiteboard and application sharing will not open between external and internal messengers.


SmartCenter
In This Section

Installation, Upgrade, and Backward Compatibility    page 28
SmartDirectory                                       page 31
SmartDashboard                                       page 32
Policy Installation                                  page 33
VPN Communities                                      page 33
SmartConsole Applications                            page 34
High Availability                                    page 35
Logging                                              page 36
Monitoring                                           page 36
Management High Availability                         page 37
Trust Establishment (SIC)                            page 37
Platform Specific Windows                            page 38
Platform Specific Nokia                              page 38
OPSEC                                                page 38
Miscellaneous                                        page 38
OSE                                                  page 39
Dynamically Assigned IP Address (DAIP) Modules       page 39
SmartPortal                                          page 39

Installation, Upgrade, and Backward Compatibility
1) If the AMON private schema was previously imported using the amon_import tool, it needs to be re-imported after the upgrade.
2) When using the Upgrade Export and Import utilities on the Windows platform, the machine should be connected to the network. Alternatively, a connector can be used to simulate a connection. Refer to SecureKnowledge solution sk19840 for more information regarding how to simulate a network connection during an upgrade.
3) After upgrading SmartCenter, open the SmartUpdate GUI and from the Packages menu, select Get Data from All to retrieve the installed Packages information from the remote modules.


4) When upgrading with a duplicate machine whose IP address differs from the original IP address of the SmartCenter Server, if Central licenses are used, they should be updated to the new IP address. This can be done via the User Center at http://usercenter.checkpoint.com, by choosing the action License > Move IP > Activate Support and Subscription.
5) If the Import or the Export operation fails while upgrading, the entire operation will fail, with the exception of these products: Eventia Reporter, SmartView Monitor, SecureXL and UserAuthority Server. Use the log file of the Import/Export operation to understand what caused the problem and fix it. The log file is located at:
   Windows: C:\program files\checkpoint\CPInstLog
   Unix: /opt/CPInstLog
6) When using the Export or Import upgrade utilities on Windows NT, the version of the system DLL MSVCRT.dll should be 6.0 or higher. When using a lower version of this DLL, the operation fails with the following error: The procedure entry point __lc_collate_co could not be located in the dynamic link library MSVCRT.dll. To continue the operation, allow the system to use this DLL from the current path by:
   1 Using the REGEDIT application to add the string registry key msvcrt.dll to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\ExcludeFromKnownDlls
   2 Rebooting your machine.
7) When upgrading a Log Server, choose the Upgrade option and ignore the other options (to export the configuration or to perform pre-upgrade verifications). These options are irrelevant for Log Server upgrades. Also, the backwards compatibility (BC) package is installed on every Log Server. It can be safely removed, as it is not in use on a Log Server.
8) If, when using the Check Point Installation Wrapper, the download of updates fails during an upgrade (for example, because the machine is not connected to the Internet), then the upgrade will continue using the tools that exist on the CD. To use the most recent version:
   1 Download the updates from: https://support.checkpoint.com/downloads/bin/autoupdate/ut/r60/index.html
   2 Save the update on the local disk of your SmartCenter server.
   3 Restart the installation wrapper and choose the second option on the download page: I already downloaded and extracted the Upgrade Utilities.


9) Check Point 4.1 gateways and embedded devices are no longer supported with this release. After upgrading the SmartCenter Server to NGX (R60), these objects will remain, but you will not be able to install policy on them.
10) VPN-1 Net is no longer supported.
11) After upgrading SmartCenter, but before upgrading the gateways, SecurID users may not be able to connect. A workaround is detailed on SecureKnowledge (sk17820). This solution should be implemented in the compatibility package directories as well:
   For NG gateways (NG FCS - R55):
      Unix: /opt/CPngcmp-R60/lib/
      Windows: C:\Program Files\CheckPoint\NGCMP
   For R55W gateways:
      Unix: /opt/CPR55Wcmp/lib
      Windows: C:\Program Files\CheckPoint\R55WCmp\lib
12) When upgrading a SmartCenter server on Solaris, Linux and SecurePlatform, the following upgrade options are displayed:
   1.( ) Upgrade installed products and install new products.
   2.( ) Upgrade installed products.
Be sure to select option 2 only. New products should be installed only after completing the upgrade of installed products. After completing the upgrade, run the installation program again to add more products.
13) When upgrading SmartCenter with a duplicate machine on the Windows platform, the following message may appear after selecting Import configuration file: Failed to import configuration. Imported configuration file does not contain the correct data. The problem is resolved by either removing gzip.exe from the environment path, or removing the file altogether.
14) When upgrading a SmartCenter Server with the Eventia Reporter Add-on from R56 to NGX (R60), you must upgrade the Eventia Reporter Add-on as well.
15) On the SmartCenter Server, if you start the Check Point Products installation from the NGX CD using the SecurePlatform command patch add, you can decide whether or not to export the SmartCenter configuration for advanced upgrade. While the operation should succeed, an error may be displayed on operation completion, stating that the patch was not applied. This message is accurate but confusing: indeed the patch was not applied; instead, an export operation was performed.
16) A secondary SmartCenter server does not support the wrapper's Advanced Upgrade or the Export/Import tools.

17) After upgrading a Nokia SmartCenter server with the R55W Add-on, backout to R55W is not supported. It is therefore recommended to back up the SmartCenter configuration before the upgrade. The configuration is exported via the upgrade tools. Make sure to save the configuration outside the Check Point directory structure. Then, if a return to R55W becomes necessary, install a fresh R55W Add-on installation and import the configuration you saved earlier. For more information regarding the upgrade tools, please refer to the R55W Upgrade Guide.
18) When running the NGX Pre Upgrade Verifier on an R55 SmartCenter with HFA12 installed, the following message regarding the file auth_HFA.def may appear:
   INSPECT manual changes
   Description: Some changes in VPN-1 behavior require changes to be made manually in INSPECT files. Since INSPECT files are overwritten with new versions when upgrading, these changes may be lost. In some cases the changes should be re-applied on the new INSPECT files, in other cases there are new GUI options that need to be set instead.
   Impacts: If changes were lost after the upgrade, VPN-1 may not work as expected.
   Todo: Check if changes are needed in the new version, if so, follow SK instructions for these changes.
   This problem will occur in the following files: auth_HFA.def
This message can be safely ignored.
19) In this release, SmartCenter does not manage gateways prior to NG FP3. If you have such gateways, it is recommended that you upgrade them as well.
20) When performing an advanced upgrade using the wrapper, the installation wizard will prompt you to select one of the following options:
   1 Download most updated upgrade utilities [default]
   2 I have already downloaded and extracted the upgrade utilities. The files are on my local disk
   3 Use the upgrade utilities from the CD
Option 1 is currently not supported on Unix platforms. When upgrading Unix platforms, it is recommended to download the updated utilities manually using the link provided, and only then proceed with option 2.

SmartDirectory
21) When a SmartDirectory user is based on an internal firewall template, internal groups that the template belongs to will be added to the SmartDirectory user, but these groups will not appear in the list of template groups in the user's Groups page.


22) When manually defining branches on an Account Unit, spaces between elements in the branch definition will not work. Example:
   A good branch: ou=Finance,o=ABC,c=us
   A bad branch:  ou=Finance , o=ABC , c=us
23) When using the Display list of distinguished names (DNs) for matching UIDs on login feature, if there is no available LDAP server, the authentication will hang. Subsequently, a policy installation will cause the process that attempted the authentication to consume all available CPU resources.
24) When using an LDAP server for internal password authentication, if the account lockout feature is disabled, the firewall will not attempt to modify the user's login failed count and last login failed attributes on the LDAP server. When using LDAP servers that do not have these attributes defined (because the Check Point LDAP schema extension was not applied on the LDAP server), this improves overall performance and eliminates unnecessary LDAP modify errors.
25) If Use SmartDirectory (LDAP) is checked in the Global Properties, but no LDAP account unit is configured, the authentication of external users (as opposed to LDAP users) that are not defined in the user database will not succeed. To resolve this issue, make sure that you uncheck Use SmartDirectory (LDAP) in the Global Properties.

SmartDashboard
26) In Microsoft Active Directory, when the expiration date is defined in the user's properties and the user account has expired, the user is not able to authenticate and the reason for the authentication failure is not displayed.
27) Firewall implied rules for GUI Clients are not matched when using a wildcard (e.g., 1.1.*.*). As a result, connections from GUI Clients to the SmartCenter Server may be blocked if there is a VPN-1 Pro module between them. Single IP definitions (e.g., 1.1.1.1) are supported. When specifying GUI Clients using any format other than a single IP address, add an explicit rule in the Rule Base allowing the GUI Clients to connect to the SmartCenter Server.
28) When upgrading from NG FP1 or lower, certain policies may be hidden in SmartDashboard. Starting from NG FP2, only policies that belong to the current Policy Package are displayed. To access other policies, select File > Open and choose the relevant Policy Package.
29) When using Active Directory .NET (2003) with NGX (R60), errors are encountered when changes are made to the account expiration user attribute. Use Active Directory 2000 to avoid these errors.


30) The following web links available from the Help menu in SmartDashboard and SmartUpdate open a browser window to pages that have not yet been posted on the Check Point web site:
   Online Software Updates
   What's New In Check Point Software

Policy Installation
31) Policy installation may fail when there are 70 or more dynamic objects.
32) After aborting an installation, before attempting to install a policy, make sure that there are no processes running the fwm load command on the SmartCenter server, or your installation may halt.
33) When the Install Policy option Install on all gateways, if it fails do not install on gateways of the same version is selected, policy is installed on gateways by group. There are four such groups:
   VPN-1 Edge
   R55W
   NGX
   all others (R55 and prior versions)
When this option is selected, if policy fails when installing to a member of one of the groups, the policy will not be installed on any other gateways in that group. Policy installation will continue uninterrupted to members of other groups, however.
34) Uninstall of policy on LSM profiles is not supported.
35) It is not recommended to install security policy on more than 100 VPN-1 Edge devices simultaneously. Use one of the following solutions instead:
   Install the policy in groups of 100 VPN-1 Edge devices.
   Use SmartLSM, which installs policy on profiles, when managing hundreds of VPN-1 Edge devices. When using SmartLSM the above limitation is not relevant.

VPN Communities
36) When managing SmartLSM ROBO Gateways, some of which are VPN-1-enabled, from a Standalone machine, the policy fetch operation may not succeed once VPN has been established between the Standalone and the ROBO Gateway in question. In order to overcome this issue, you should add the CPD service as an excluded service for each of the communities which have SmartLSM ROBO profiles. To do this:
   1 Open the community object.
   2 In the Advanced Settings tab, choose the Excluded Services tab and add the CPD service as an excluded service.


SmartConsole Applications
37) When deleting objects from SmartDashboard, in some cases the Where Used... option will not report that objects are being used in the database, and it is possible to delete these objects without any warning. The cases in question are:
   RADIUS and TACACS servers referenced by Templates in the Authentication tab.
   Users and User Groups contained by other User Groups.
For SmartDirectory Account Units referenced by External Groups, the Where Used... option is applicable but the Delete operation cannot be performed. As a workaround, restart (cpstop, cpstart) the SmartCenter Server. Note that all cases apply only if the objects were created after the SmartCenter Server was started.
38) The Status Manager GUI fails if the Disconnect Client or the Global System Alert Definition windows are displayed and the SmartCenter Server goes down. The failure happens when the Status Manager re-connects to the SmartCenter Server.
39) In order to be able to track Session ID information, an application should be opened independently, meaning not from another Check Point application.
40) An application error occurs in the Status Manager when stopping the Management process fwm while the Status Manager is up and running.
41) The Status Manager cannot show more than 16 clients connected to the SmartCenter Server. If more than 16 clients are connected, it will show that 0 clients are connected.
42) The capability for exporting logs from SmartView Tracker running on Motif is disabled in this version.
43) The View Rule in SmartDashboard feature in SmartView Tracker for Motif is not supported.
44) The View rule in SmartDashboard feature in SmartView Tracker does not bring the SmartDashboard application into focus if it is already opened to the right rule database.
45) If SmartView Monitor is open and a new non-Check Point Node object is created in SmartDashboard, the new object will appear in SmartView Monitor. Upon closing and restarting SmartView Monitor, the object will not appear, which is the correct behavior.
46) When choosing to view Installed Policies from SmartDashboard on Motif, a failure may occur if one of the VPN-1 Pro modules fails to respond.
47) When logs cannot be generated for some reason, such as there is no disk space or the logging process is down, changes cannot be saved from SmartDashboard. If this occurs, the following error message appears: The changes could not be saved. Please make sure all Firewall-1 services are up and running. For more information use the SmartView Monitor application.


48) When running a query on a Security Policy in SmartDashboard, only user-defined rules are displayed in the query result. Implied rules matching the query are not displayed, even if the option View Implied Rules is selected.

49) When switching the active file from SmartView Tracker, the new active file name is automatically designated by the system. The user-defined file name is ignored.

50) Policy installation may fail if a Gateway Cluster object was created in SmartDashboard using Simple mode (wizard). This problem can be avoided by doing any of the following:
- Create the object in Simple mode. When you arrive at the Finished Cluster's definition wizard page, check Edit Cluster's Properties and click Finish. The Gateway Cluster Properties window appears. Edit the object, if needed, and click OK.
- Create the object in Simple mode. After creating the object, use the dbedit tool to change the fwver attribute of the object from 5.0 to 6.0.
- Use Classic mode instead of Simple mode.

51) When defining the topology of an object in the following manner: Interface Properties > Topology > Internal > IP Addresses behind this interface > Specific, the following error message may appear after selecting a group or network and clicking OK: The selected object's type is not valid.
To work around this issue, perform the following steps:
1. Create a new Simple Group (from the Topology tab, click New > Group > Simple Group).
2. Name the group, but do not add any members.
3. Click OK.
4. Edit the new group, and add the original group or network as a member.

Note: Each time the interface's properties are edited, the same error message appears. To avoid repeating the above process, first define the other properties of the interface, leaving the topology definition to the end.

High Availability

52) Issuing a Stop Member command in SmartView Monitor performs the cphastop command on this member. Among other things, this disables the State Synchronization mechanism. Any connections opened while the member is stopped will not survive a failover event, even if the member is restarted using cphastart. However, connections opened after the member is restarted are synchronized normally.
Logging

53) When working with a Log Server of an earlier version than the SmartCenter Server, the log fields of records from new modules that were added after the upgrade of the SmartCenter Server may not be resolvable.

54) An administrator with Read Only permission for Monitoring can still create, modify, rename and delete queries in SmartView Tracker.

55) When a Log Server is installed on a DAIP module, management operations such as purge and log switch cannot be performed.

56) Audit log operation strings have changed. Several new columns have been added and some existing column names have been changed. This may cause existing filters to stop working.

57) If you are using the cyclic logging feature, it is recommended after upgrade to back up your old <FWDIR>/log files to another machine, and then to delete them from the Log Server.

58) When a Log Server runs out of disk space, any logs sent by ELA clients are lost. To prevent this, be sure to maintain adequate disk space on the Log Server.

Monitoring

59) Alerts that are defined in the Check Point SmartView Monitor Threshold Definition window are not sent to SmartView Monitor as popup alerts until a first policy is installed. In the SmartDashboard Global Properties > Log and Alert > Alert Commands page, be sure to check the property Send popup alert to SmartView Monitor.

60) When defining thresholds in SmartView Monitor, if you choose one of the User Defined options as the Alert Method, make sure that this method is defined in SmartDashboard's Global Properties. If the alert method is not defined, a regular alert is generated.

61) If SmartView Monitor is open when a new module is created in SmartDashboard, the module appears in SmartView Monitor with the status waiting until SmartView Monitor is restarted. For details, refer to SecureKnowledge solution sk16122.

62) SmartView Monitor should be opened connecting to a SmartCenter Server and not to a Log Server. When using SmartView Monitor on a Log Server, statuses may be inaccurate.

63) OS information is not available in SmartView Monitor if the monitored machine is a Windows machine that does not run the Windows Management Instrumentation service.
64) Working with SmartView Monitor on clustered systems may lead to unpredictable behavior. It is therefore recommended to turn off the Objects status in SmartMap feature in clustered configurations. This is done from the View menu in SmartDashboard, by unchecking the option Objects status in SmartMap.

65) In certain scenarios, such as a High Availability SmartCenter Server in a large environment with many clustered gateways, SmartView Monitor may fail to display the status of certain gateways.

Management High Availability

66) A SmartCenter Server that is also a VPN-1 Pro module must have a policy installed on it in order for other SmartCenter Servers to be able to communicate with it. This must be done after initial setup, or after resetting SIC communication on the SmartCenter Server.

67) Database versions which were created using the Revision Control feature should be synchronized manually in a Management High Availability environment. To synchronize them, do the following:
1. Run cpstop on the standby SmartCenter server.
2. Copy all files under $FWDIR/conf/db_versions/repository/* and $FWDIR/conf/db_versions/database/* from the active management to the standby SmartCenter server.
3. Run cpstart on the standby SmartCenter server.

68) If a primary SmartCenter Server is in a Standalone configuration, and a secondary SmartCenter Server is active, policy installation from the secondary to the primary server is prohibited immediately after upgrade. To resolve this, install the policy locally on the primary server.

69) When using Management High Availability (between SmartCenter and/or CMA and/or MDS), change over may not succeed while SmartPortal is connected in Read/Write mode. To resolve this issue, either allow SmartPortal access to Read-only administrators only, or use SmartView Monitor to disconnect the Read/Write mode session in SmartPortal.

Trust Establishment (SIC)

70) If your SmartCenter Server is deployed in a standalone configuration, you must install the policy locally (in other words, on the SmartCenter itself) before establishing SIC with Connectra devices.
Platform Specific Windows

71) Windows 2000 specific issue: A SmartConsole connection to the SmartCenter Server on Windows 2000 may fail with the message: No license for user interface if the SmartCenter Server was disconnected from the network and then reconnected while the VPN-1 Pro services on the machine were running. If this occurs, restart the VPN-1 Pro services (run cpstop and then cpstart).

72) On Windows platforms only, in some cases when performing the Restore Version operation (from SmartDashboard, File > Database Revision Control > Restore Version) while SmartView Tracker is open, the restore fails and the database cannot be saved. The solution is to make sure that SmartView Tracker is closed before performing Restore Version operations. If you have already encountered this problem, run cpstop and then cpstart.

73) When trying to export a configuration either via the wrapper or via the upgrade_export command on NG FP1, the export may fail with the following message: Error: FWDIR environment variable is not set. Please set it and try again. A workaround is to set the %FWDIR environment variable to the location where VPN-1/Firewall-1 was installed. (The default is WINDOWSDIR:\WINNT\FW1\NG).

Platform Specific Nokia

74) When upgrading using the Import Configuration option in the wrapper, and the machine you exported the configuration from is a Nokia platform, Check Point packages that were inactive on the production machine may either become active on the target machine if its OS is Nokia, or be installed on other platforms. If this occurs, when the target machine is a Nokia platform, return the relevant packages to the inactive state. For other platforms, uninstall the relevant packages.

OPSEC

75) In CPMI, the command line fw unload does not trigger an eCPMI_NOTIFY_UNINSTALL_POLICY notification event.

Miscellaneous

76) After upgrading from NG FP2, the name of the Internal Certificate Authority (CA) that was previously entered is not displayed in the Check Point Configuration Tool (cpconfig > Certificate Authority tab), although it is still viable. If it is reconfigured, then it is displayed.
77) Using the cp_merge utility to merge a large number of objects (more than 10,000) from two SmartCenter Servers may not work. This is because at some point two main audit logs are generated. If you have a large number of objects, and you wish to perform the merge even though from some point on the audit logs will not be generated, do as follows:
1. Define the environment variable FWM_ALLOW_AUDIT_FAILURE from a shell.
2. Use the cp_merge command from the same shell.

OSE

78) The Drop action is not supported for Cisco OSE devices. If the Drop action is used, the policy installation operation fails.

79) For Cisco routers, make sure that the host names are resolvable by DNS or by the hosts file.

80) 3Com devices are not supported.

Dynamically Assigned IP Address (DAIP) Modules

81) The fw tab <remote DAIP Module> command on a SmartCenter Server is not supported.

SmartPortal

82) Using sysconfig to install and configure SmartPortal on SecurePlatform is not supported. Use one of the following two workarounds instead:
- Use the SecurePlatform Web UI First-Time Configuration wizard.
- Configure the operating system via sysconfig, and then manually install SmartPortal by running rpm -i on the SmartPortal RPM file located at /sysimage/CPwrapper/Linux/CPportal.

83) The SIC activation key is not set in the Solaris SmartPortal installation, as cpconfig does not run when the install completes. This issue is resolved by manually running cpconfig. The license setup prompts in cpconfig can be safely ignored.
VPN
In This Section

Upgrade, Backout, and Backward Compatibility
VPN Routing
VPN Tunnel Management
VPN Communities
Multiple Entry Point (MEP) & VPN Load Distribution
VPN-1 Clusters
VPN-1 Hardware/Software Acceleration
IKE, Interoperability
PKI, PKCS
NAT with VPN
VPN-1 Diagnostics (Logging, Monitoring, Planning)
Miscellaneous
Office Mode
L2TP Clients
Nokia Clients Support (CryptoCluster & Symbian)
VPN-1 and SecuRemote/SecureClient Issues
Route Injection Mechanism
Link Selection
Routed VPN
Multicast
LDT (Locally Defined Tunnels)

Upgrade, Backout, and Backward Compatibility

1) VPN-1 Net is no longer supported.

VPN Routing

2) The IP pool NAT on a VPN-1 module which serves as a VPN router (in order to forward VPN traffic from one VPN tunnel to another) should be defined as part of the encryption domain of the VPN router. Otherwise, VPN connections via the VPN router will fail.
3) VPN Routing only connects the VPN domain hosted behind a DAIP Gateway to the VPN domain of another DAIP Gateway. Connections that originate on the DAIP Gateway itself or are directed at the DAIP Gateway cannot be routed through the hub.

4) When using VPN routing to route all communication from the VPN domain of a Satellite DAIP Gateway via the Hub to other Satellite Gateways or to the Internet, it is not possible to open connections from the external IP of the Satellite DAIP Gateway to the Internet.

5) Excluded services in the VPN Community are not supported with Routed VPN.

6) In NGX (R60), a new routing decision is undertaken after packets are encrypted. This behavior is enabled by default (including after upgrade), and may cause a change in routing behavior. If you experience problems, it is recommended to change the routing configuration to incorporate the new behavior. However, you can disable the new routing behavior per gateway by using the GuiDBedit tool to change the attribute reroute_encrypted_packets on the gateway object to False. Note: This behavior cannot be disabled on SecureXL.

7) After removing virtual tunnel interface definitions, anti-spoofing warning messages may appear during all subsequent policy installations.

VPN Tunnel Management

8) The feature Use the community settings (SmartDashboard > gateway object > VPN > VPN Advanced > VPN Tunnel Sharing) is to be used only when all VPN peers are of version NGX (R60) or later. Otherwise, use the Custom settings option.

VPN Communities

9) SmartDashboard allows VPN-1 modules with dynamic IP addresses to be added as members of a VPN community in which aggressive mode for IKE Phase 1 is selected. This configuration, however, is not supported.

10) If the Exportable for SecuRemote/SecureClient property is checked on a VPN-1 Pro Enforcement Module (from the VPN tab under Traditional Mode configuration), the module's topology information is exported to SecuRemote/SecureClients even if the Enforcement Module is not a member of the Remote Access community.

11) When managing SmartLSM ROBO Gateways, some of which are VPN-1-enabled, from a Standalone machine, the policy fetch operation may not succeed once VPN has been established between the Standalone and the ROBO Gateway in question. To overcome this issue, add the CPD service as an excluded service for each of the communities which have SmartLSM ROBO profiles. To do this:
1. Open the community object.
2. In the Advanced Settings tab, choose the Excluded Services tab and add CPD as an excluded service.
12) The setting Accept all encrypted traffic in the Site to Site Community Properties window does not apply to connections which pass through the VPN Tunnel Interface.

Multiple Entry Point (MEP) & VPN Load Distribution

13) When using a traditional policy configuration, the IP pools mechanism is not supported when configured differently for different rules. This issue is not relevant when using VPN communities, since in this case IP pools are configured globally and not per rule.

14) When MEP gateways are configured to have the same encryption domain and a backup gateway is enabled (Global Properties > VPN Advanced), the backup gateway does not affect the MEP configuration. This means that the configuration continues to behave as if it were a fully overlapping encryption domain MEP configuration. If backup gateway functionality is required for a group of gateways in the MEP configuration, the desired behavior (in which the primary gateway has a higher priority than the backup) can be achieved by configuring the Primary gateway to include the desired encryption domain and the backup gateways to include only themselves as part of their encryption domain.

15) Starting with version NGX (R60), only the site-to-site MEP load distribution configuration is downloaded to VPN-1 Edge devices.

VPN-1 Clusters

16) When defining Office Mode IP pools, make sure each cluster member has a distinct pool.

17) When detaching a cluster member from a VPN cluster, manually remove the VPN domain once the member has been detached.

18) When based on topology information, the VPN domain calculation contains only the cluster member topology and not the cluster object topology. This may cause issues in the VPN domain of clusters, since the cluster object and members may have different subnets. In this case, define the VPN domain manually on the cluster object. This issue does not exist on VSX appliances.

19) Peer or SecuRemote Gateways may show error messages when working against an overloaded Gateway cluster in Load Sharing mode. This is due to IPsec packets with an old replay counter. These error messages can be safely ignored.
20) When based on topology information, the VPN domain calculation contains only the cluster member topology and not the cluster object topology. This may create a situation where the VPN domain of a cluster has different subnets between the members and the cluster object. A workaround is to define the VPN domain manually on the cluster object. This problem does not exist on VSX appliances.

21) If an SSL Network Extender connection to a Load Sharing gateway times out, the user may not receive notification, but packets from the user are dropped.

22) During policy installation, the following messages may appear on the console:

    [Expert@fault]# gated_xl[1383]: task_set_option: task MRouting socket 17 option GroupAdd(10) interface 56.2.2.1(vt-aaa) group 224.0e
    gated_xl[1383]: task_change_role reinitializing done
    gated_xl[1383]: task_set_option: task MRouting socket 17 option GroupAdd(10) interface 56.2.2.1(vt-aaa) group 224.0.0.2: Address ale
    gated_xl[1383]: task_change_role reinitializing done
    gated_xl[1383]: task_change_role re-initializing

These messages can be safely ignored.

23) VPN Routing is not supported for SSL Network Extender remote access users connecting through a clustered central gateway in a Load Sharing deployment.

24) When a Check Point VPN-1 NGX peer is connected directly to a Check Point cluster (i.e., the peer and the cluster are located on the same VLAN and there is no Layer 3 (IP) routing device between them), the following features are not supported:
- ISP redundancy
- VPN link selection - reply from same interface

This issue can be resolved either by placing a router between the VPN peer and the cluster, or by disabling these features. To disable ISP redundancy, in SmartDashboard select the gateway object > Topology > ISP redundancy. To disable VPN link selection reply from the same interface, do one of the following in SmartDashboard:
- Select the gateway object > VPN > Link Selection > Outgoing Route Selection > Route based probing.
- Select the gateway object > VPN > Link Selection > Outgoing Route Selection > Operating system routing table > Setup > Use outgoing traffic configuration.

25) VPN Tunnel Interfaces of cluster members cannot have the same IP address.
VPN-1 Hardware/Software Acceleration

26) When an IPSec NIC is installed and VPNx is activated on the same machine, only VPNx is utilized for VPN acceleration. To use IPsec acceleration with IPsec NICs, disable VPNx using cpconfig.

27) VPN-1 Accelerator II is not supported on SecurePlatform or Windows platforms.

28) When installing VPN-1 Accelerator II on Solaris 9, an error message reports that the driver cannot be attached. This message may be safely ignored. Reboot the machine and the driver will function properly.

IKE, Interoperability

29) Clarification: The global property Support Authentication methods: Pre-shared Secret, under Remote Access > VPN - Basic tab, applies only to the use of a pre-shared secret with aggressive mode in IKE phase 1. However, the user's pre-shared secret, which appears in the IKE Phase 2 Properties window of a user object, is used for the following additional purposes, which are not affected by the above property:
- IKE Hybrid mode with pre-shared secret for user authentication.
- L2TP termination (used by Microsoft IPSec clients) with MD5 challenge.
- SSL authenticated topology download (not over IKE) for SecuRemote/SecureClient.

30) When working with SecureClient versions earlier than R56 HFA2, do not configure gateways to support Diffie-Hellman Group 14.

PKI, PKCS

31) On a SmartCenter Server running HP-UX 11, creation of an Entrust certificate for Check Point Gateways is supported only when the CA is defined as an OPSEC PKI (and not as an Entrust CA).

32) The authentication scheme of the ICA management tool is based on DNs of certificates issued by the ICA, and is independent of the user/administrator certificates issued by SmartDashboard. Changes in SmartDashboard regarding an administrator or user therefore cannot affect accessibility to the ICA management tool. To remove users from the ICA management tool access list, use the command cpca_client set_mgmt_tool to remove them from the ICA access list, or revoke their certificates.

33) When modifying the file InternalCA.C, be sure to copy the modified file to the other management stations, and then install the policy again for the changes to become active.

NAT with VPN

34) In order to use NAT-T between a VPN-1 gateway and a Cisco gateway that is located behind a NAT device, configure the Cisco gateway as a DAIP gateway.
VPN-1 Diagnostics (Logging, Monitoring, Planning)

35) An accept log may be received when using an SMTP resource with VPN even if the connection was encrypted.

Miscellaneous

36) The reject log is missing when using Security Servers with the wrong encryption properties, despite the fact that the connection is rejected.

37) The command cprestart on the SmartCenter Server does not apply to the enforcement module. To restart the enforcement module, run cpstop followed by cpstart.

38) The feature Connectivity enhancements for multiple interfaces is not supported on Nokia IP clustering in Pivot mode.

Office Mode

39) An Office Mode IP address is not granted during MEP failover. In an MEP configuration, if the Gateway that assigned the Office Mode IP address to the SecureClient fails over to another MEP Gateway, SecureClient does not receive a newly assigned IP address from the MEP peer Gateway. To resolve this issue, disconnect SecureClient and then reconnect.

40) The Unique by Machine option, located in the Office Mode tab, is currently not supported when Office Mode uses DHCP to allocate IP addresses. Enabling this option may lead to SSL Network Extender receiving different IP addresses when connecting from the same machine, or the same IP address when connecting from different machines.

L2TP Clients

41) When using L2TP for remote access, VPN Drop logs with the following Information fields may be received due to traffic sent from the L2TP client:
- encryption failure: received a cleartext packet within an encrypted connection - received when unencrypted packets arrive from the physical IP of the client.
- encryption failure: Cannot identify peer for encrypted connection - received when the destination is either broadcast or not part of the encryption domain.
These logs can be safely ignored.

42) When using L2TP termination on a VPN-1 module, fragmentation at the PPP layer is not supported. This means that IP packets which are not passed inside a TCP-based connection, sent from the Gateway to the client using L2TP, must be smaller than the default MTU of 1500 bytes.
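The drop logs in item 41 and the gated_xl console output in item 22 are both described as safe to ignore, but a filter that suppresses them by message text alone would also hide a genuine encryption failure. The following Python triage helper is an added example for this page, not Check Point code: it marks a message as expected only when the condition the note attaches to it also holds (source is a known L2TP client physical IP, destination is broadcast or outside the encryption domain, or the message appeared during policy installation). The log record layout, the IP addresses and the encryption domain are constructed; the set of L2TP client physical IPs is assumed to be known to the operator.

```python
"""Triage helper for VPN-1 NGX messages that these release notes describe as
expected: the L2TP-client drop logs of VPN item 41 and the gated_xl console
output of VPN item 22. Added example for this page, not Check Point code.
The log layout, addresses and encryption domain below are constructed."""
import ipaddress
from dataclasses import dataclass

# Information-field prefixes quoted in release note 41.
CLEARTEXT_IN_ENC = ("encryption failure: received a cleartext packet within "
                    "an encrypted connection")
NO_PEER_FOR_ENC = "encryption failure: Cannot identify peer for encrypted connection"

# gated_xl fragments quoted in release note 22.
GATED_MARKERS = ("task_set_option: task MRouting socket",
                 "task_change_role reinitializing done",
                 "task_change_role re-initializing")

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class DropLog:
    """Minimal view of a VPN drop log record (constructed layout)."""
    src: str    # source IP as logged
    dst: str    # destination IP as logged
    info: str   # Information field


def triage_drop(log, l2tp_client_ips, enc_domain):
    """Return (expected, reason) for one drop log.

    A log is marked expected only when both the message and the condition
    the release note attaches to it hold; everything else is left for review
    so that the filter cannot hide a genuine encryption failure.
    l2tp_client_ips: physical IPs of known L2TP clients (assumed known).
    enc_domain: encryption-domain networks in CIDR notation.
    """
    nets = [ipaddress.ip_network(n) for n in enc_domain]
    dst = ipaddress.ip_address(log.dst)

    if log.info.startswith(CLEARTEXT_IN_ENC):
        # Note 41: unencrypted packets arriving from the client's physical IP.
        if log.src in l2tp_client_ips:
            return True, "cleartext from known L2TP client physical IP (note 41)"
        return False, "cleartext inside encrypted connection from unknown source"

    if log.info.startswith(NO_PEER_FOR_ENC):
        # Note 41: destination is broadcast or outside the encryption domain.
        broadcast = dst == LIMITED_BROADCAST or any(
            dst == n.broadcast_address for n in nets)
        in_domain = any(dst in n for n in nets)
        if broadcast or not in_domain:
            return True, "no peer for broadcast/out-of-domain destination (note 41)"
        return False, "no peer for a destination inside the encryption domain"

    return False, "message not covered by the release notes"


def triage_console(line, during_policy_install):
    """Return (expected, reason) for one console line (release note 22)."""
    if "gated_xl[" in line and any(m in line for m in GATED_MARKERS):
        if during_policy_install:
            return True, "gated_xl message during policy installation (note 22)"
        return False, "gated_xl message outside policy installation"
    return False, "message not covered by the release notes"


if __name__ == "__main__":
    # Constructed sample records.
    clients = {"203.0.113.10"}
    domain = ["10.1.0.0/16"]
    samples = [
        DropLog("203.0.113.10", "10.1.0.5", CLEARTEXT_IN_ENC),
        DropLog("198.51.100.7", "10.1.0.5", CLEARTEXT_IN_ENC),
        DropLog("10.8.0.2", "255.255.255.255", NO_PEER_FOR_ENC),
        DropLog("10.8.0.2", "10.1.0.9", NO_PEER_FOR_ENC),
    ]
    for s in samples:
        print(s.src, "->", s.dst, triage_drop(s, clients, domain))
    print(triage_console("gated_xl[1383]: task_change_role reinitializing done", True))
```

The deliberate design choice is that every branch that does not match the documented condition returns False: a "Cannot identify peer" log for a destination inside the encryption domain, or a cleartext log from an address that is not a known L2TP client, is exactly the case these notes do not cover and should stay visible to the analyst.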

43) Legacy authentication schemes, such as Check Point password, OS password, RADIUS, LDAP, TACACS, etc., are now supported for L2TP clients. Automatic notification of password expiration or replacement, such as SecurID's new PIN mode, is not supported, and will cause authentication failure.

Nokia Clients Support (CryptoCluster & Symbian)

44) Nokia clients are not supported when the Gateway side is set up in a load-sharing cluster configuration, unless you follow the instructions outlined in the Clustering Configuration Guide for IPSO 3.8, which explains how to establish VPNs with non-Check Point Gateways and clients. This document can be downloaded from the Nokia customer support site: https://support.nokia.com. Nokia clients support ClusterXL in Load Sharing mode when the Sticky Decision Function is enabled.

VPN-1 and SecuRemote/SecureClient Issues

45) When connecting with a VPN-1 client to a VPN-1 cluster, the message tunnel test failed may appear on the client side; however, connectivity between the client and the gateway is not impaired.

46) When configuring an encryption domain for a Remote Access Community using Set domain for Remote Access Community, connections from remote access clients destined to this encryption domain can only be routed to other gateways using the Domain Based definitions. Traffic originating from remote access clients cannot be routed using Route Based VPN.

Route Injection Mechanism

47) When configuring the Route Injection Mechanism (RIM) with a customer editable script, proceed as follows:
1. Disable the permanent tunnels and the customer editable script together.
2. Install policy.
3. Enable the permanent tunnels and the customer editable script together.
4. Install policy again.

When using RIM with a customer editable script on a local gateway, and you need to change the encryption domain of a peer gateway, proceed as follows:
1. Disable the permanent tunnels and the customer editable script together.
2. Install policy.
3. Change the encryption domain.
4. Enable the permanent tunnels and the customer editable script together.
5. Install policy again.

Note - When disabling the RIM with a customer editable script, the gateway does not notify tunnel status as Down.

48) When activating RIM on an IPSO platform, for performance reasons it is recommended to inject no more than 200 routes.

Link Selection

49) Starting with version NGX (R60), only the site-to-site interface resolving configuration is downloaded to VPN-1 Edge devices.

50) On Nokia platforms, the link selection mechanism Route Based Probing ignores route preferences (metric). This has several consequences:
- When a peer gateway's link selection is configured to be accessed through multiple IP addresses that have routes with the same subnet mask, the route is chosen randomly.
- The link selection feature On-Demand Links is not supported, and whether enabled or not, all links are treated as regular links. If all links are down, however, the on-demand script executes successfully.

51) The option Reply from same interface is not supported for Remote Access.

Routed VPN

52) When working with the SecurePlatform Pro Advanced Routing suite, and Route Based Probing Link Selection is configured with identical routes via multiple redundant interfaces, only one route remains active. A workaround is to split the identical routes into different routes, so that each one of them covers a different subnet.

53) Configuring VPNT interfaces with an MTU other than 1500 is not supported for Dynamic Routing purposes.

54) The vpn shell command cannot create VPN tunnel interfaces when the VPN-1 module is not active (e.g., the module has been installed, but policy has not yet been installed on it). However, when it is necessary to create a VTI in such a situation (such as when adding a new cluster member to an existing cluster), use the SecurePlatform config utility to create the interfaces. The following is an example of such a command:

    config conn add type vpnt name <if-name> vpnt-is-unnum off local <a.b.c.d/32> remote <x.y.z.w> vpnt-remote-peer <peer-obj-name>

55) When using unnumbered VPN Tunnel Interfaces on a Nokia platform, packets originating on or intended for the VTI are dropped by the VPN-1 gateway. A workaround is to create a dummy interface on the Topology tab of the gateway object to represent the VTI. Use the VTI proxy IP address as the address for the dummy interface.

56) This release note is relevant for the feature Route Based VPN, when a connection that originates on Gateway A is routed through a VTI to Gateway B (or servers behind Gateway B) and is accepted by the implied rules. The connection leaves Gateway A in the clear with the local IP address of the VTI as the source IP address. If this IP address is not routable, return packets will be lost. One solution to this issue is to make the VTI source IP address routable. Otherwise, make sure that the destination IP addresses of connections that pass on implied rules are not published by routing protocols. This can be done by:
- not including them in any published route
- adding route maps
- not redistributing directly connected networks in any Dynamic Routing protocol

If the routes to these IP addresses are nonetheless published, it is possible to add static routes on each peer gateway (e.g. Gateway A), which will override the dynamic routes. Having excluded those IP addresses from route-based VPN, it is still possible to have other connections encrypted to those addresses (i.e. when not passing on implied rules) by using domain based VPN definitions.

57) VPN Tunnel Interfaces are not supported in a Nokia IP Clustering deployment.

58) Dynamic routing with VPN is not supported on IPSO for the following protocols: RIP, IGMP, PIM, DVMRP.

59) When working with route based VPN on a combination of Nokia and SecurePlatform gateways, the VTI on the Nokia gateway for the SecurePlatform peer should use a loopback interface (and not a physical interface) as a proxy interface.

60) Dynamic routing with VPN and SecureXL is not supported on IPSO.

61) When creating new VPN Tunnel Interfaces on Nokia platforms, erroneous OSPF default values are set after the first VTI. A workaround is to use Voyager to set the values manually to: Hello Interval 10, Dead Timer Interval 40, Retransmit Interval 5, OSPF Cost 1.

62) When creating a VTI on an IPSO gateway, the default MTU of the interface is set to 65535. Use Voyager to modify this setting to 1500.

63) When working with GRE over IPSec, the network object's main IP address (and not the IP according to the link selection) is set as the IP address of the GRE header. In this case, the expected GRE endpoint on the peer side and the main IP address of the local network object should be the same.
Multicast

64) Multicast restriction cannot be configured on unnumbered interfaces.

LDT (Locally Defined Tunnels)

65) When defining a VPN tunnel with the command vpn ldt tunnel, be sure to first define the peer with the command vpn ldt topology. Otherwise, tunnel establishment may fail without notification.

66) In order to create a VPN tunnel with DAIP using LDT, the gateway must first have a common community with DAIP (even a dummy DAIP) configured in SmartDashboard.
VPN-1 Edge/Embedded
In This Section

Upgrade
SmartCenter
VPN Communities
Policy Installation
Logging
SmartUpdate
General

Upgrade

1) In order for SofaWareLoader to create topologies suitable for SofaWare 4.5 appliances, use a text editor to open the file SofawareLoader.ini, located in the directory FW1_4.1_BC\conf. In the [Server] section, add the line TopologyOldFormat=1. The change takes effect without running the commands cpstop and cpstart.

Note: In Management High Availability mode, each change made to the file should be made on both machines.

2) When upgrading firmware, the following message appears: VPN-1 Edge will now store the new firmware image and restart. Do you wish to proceed? For the upgrade to continue successfully, select OK shortly after this message appears.

3) A VPN-1 Edge gateway will fail to install if a Check Point gateway has an interface named in and the SofaWare Reducer is disabled. To resolve this issue, make sure that the SofaWare Reducer is enabled, or avoid naming Check Point gateway interfaces as in.

4) Make sure that in the Advanced Permanent Tunnel configuration, the life_sign_timeout attribute is larger than the life_sign_transmitter_interval attribute.

5) When making changes to the IP addresses of the DMZ or LAN, make sure that the address ranges of these two interfaces do not temporarily overlap, as unpredictable behavior may occur.

VPN Communities

6) VPN-1 Edge devices do not support IP compression. If a VPN Community is configured to use IP compression, a VPN-1 Edge device will fail IKE negotiation at the gateway.
Policy Installation

7) When defining VPN-1 Edge/Embedded appliances to perform VPN as Remote Access, avoid placing the appliance's profiles in the rule's destination cell.

8) For SMP customers or customers who upgraded from NG with Application Intelligence (R54) and used the SmartCenter server SofaWare Connector (SSC), the profile Hi-Med-Low_Profile is combined from three policy targets that can be used in the Install On column. However, these targets are not included in the generic Policy Targets object. To work around this, specify the High, Medium or Low targets themselves in the Install On column. Otherwise, if installing on Policy Targets, they will not affect the VPN-1 Edge/Embedded appliance.

9) When using the group All VPN-1 Embedded devices defined as Remote Access on the rulebase, the icon that is defined is wrong and can be safely ignored.

10) The following error message may appear when compiling VPN-1 Edge policy from the command line: Incorrectly built binary which accesses errno or h_errno directly. Needs to be fixed. This message can be safely ignored.

Logging

11) VPN-1 Edge/Embedded Gateways support only regular log tracking. Other tracking at a rule that would be installed on such Gateways (profiles) is ignored.

SmartUpdate

12) When upgrading firmware, the Reboot option is not currently supported.

13) The menu item Set as Default in SmartUpdate is not relevant for VPN-1 Edge packages. Choosing this option results in the following message: Illegal name for 'VPN-1 Edge W Series' @ 'sofaware_gw_types' - Object name must not contain spaces. You can safely ignore this message and proceed with the usual upgrade path.

General

14) When an enforcement module in an LSM environment has both a Log Server enabled and a VPN-1 Edge profile configured, the following error message may appear on the console: 17010: Can't find ini file /opt/CPsuite-R60/fw1/conf/sofawareN/SWManagementServer.ini. This message can be safely ignored.

15) When creating the certificate of a VPN-1 Edge device which is defined as a remote access user, make sure to use the object's name as the CN.

16) In the event that a VPN-1 Edge/Embedded device with DAIP is configured to perform hide-NAT and the device is located behind a NAT device, hide-NAT should be configured on the device to be performed behind one of the internal interfaces.
VSX
In This Section

Upgrade - page 52
VPN-1 VSX - page 52
Provider-1/SiteManager-1 - page 53
SmartCenter - page 53
SmartDashboard - page 53
SmartConsole Applications - page 54
VSX ClusterXL - page 54
Miscellaneous - page 54

Upgrade

1) In order to upgrade VSX SmartCenter NG with Application Intelligence to NGX (R60), use the export utilities included in the NGX (R60) Media Pack. For details, see Upgrading VSX SmartCenter Management in the Upgrade Guide.

VPN-1 VSX

2) This version of SmartCenter can manage the following VSX versions:
VSX 2.0.1
VSX NG AI
VSX NG AI Release 2
For more information on these releases, please refer to the release documentation at http://www.checkpoint.com/support/technical/documents/index.html.

3) Make sure the time and date configurations on all modules are synchronized before establishing trust between the VSX modules and the SmartCenter Server.

4) When changing interface addresses or subnet masks, routes which rely on the previous interface configuration are not maintained.

5) FireWall-1 GX capabilities are not supported on VSX 2.0.1, VSX NG AI and VSX NG AI Release 2.

6) VPN wire mode is not supported on VSX 2.0.1, VSX NG AI and VSX NG AI Release 2.

Provider-1/SiteManager-1

7) A VSX gateway cannot be deleted with a license attached, and attempting to do so causes a non-specific error message to appear. To delete the gateway, first detach the license using SmartUpdate or the CLI.

8) When changing the anti-spoofing properties of a Virtual System using the Multi Domain GUI (MDG), you must install a policy on the Virtual System in order for the changes to take effect on the VSX module.

9) When using Management High Availability, the Sync on Install configuration should not be used. Use either Manual sync, Scheduled sync or Sync on save instead.

10) Deleting the VSX object from the MDG deletes the VSX object and all of its related Virtual Systems information from the Customer Management Add-on (CMA) only. The Virtual Systems are not deleted from the VSX Gateway/Cluster, and the Virtual Systems network objects are not deleted from the other CMAs.

11) To upgrade a VSX 2.0.1 object on a Provider-1 system to VSX NG AI, you must use the vsxver MDS command line utility. This should be run after upgrading the VSX 2.0.1 modules in order to update the version on all Virtual Systems/Routers across all CMAs.

12) Changing the IP address of a CMA which contains VSX definitions (Virtual Systems/Routers and VSX Gateways/Clusters) is currently not supported.

13) Migration of CMAs which contain VSX definitions (Virtual Systems/Routers) is not supported.

SmartCenter

14) Database revisions are not supported when SmartCenter/CMA management includes VSX definitions, such as VSX Gateways/Clusters, Virtual Systems, and Virtual Routers.

SmartDashboard

15) When deleting a VSX Gateway/Cluster with an attached license from SmartDashboard, the following window appears:

You are about to delete all Virtual Systems and Virtual Routers contained in the VSX Box. Are you sure you want to continue?

If No is selected, the VSX Gateway/Cluster will still appear to have been deleted. Close and restart SmartDashboard to see that the VSX Gateway/Cluster has indeed not been deleted.

16) To manage VSX 2.0.1 in this version, click on the Web Intelligence tab in SmartDashboard and disable General HTTP Worm Catcher.

17) When using Provider-1 management, the topology and routing information of the VSX Gateway should be configured via the MDG rather than via SmartDashboard. Changing the configuration of the VSX Gateway object via SmartDashboard overrides the previous configuration done via the MDG.

18) Deleting the VSX object from SmartDashboard removes the VSX object and its related Virtual Systems from the SmartCenter management only. The Virtual Systems are not deleted from the VSX Gateway/Cluster.

19) Conversion of a Simplified Policy to a Traditional Policy is not supported.

SmartConsole Applications

20) Selecting a group with exclusion on the Origin column in SmartView Tracker is not supported.

21) When working on a third party VSX Cluster (e.g., Crossbeam, Nokia), the cluster may report a status of Attention in SmartView Monitor. This status can be ignored and considered harmless.

22) Selecting a group with exclusion on the Origin column in SmartView Tracker is not supported.

VSX ClusterXL

23) Cluster Priorities are currently not supported on VSX clusters.

Miscellaneous

24) After creating a VS Cluster with VPN capabilities, the VPN properties do not receive the correct default values. This can lead to unpredictable behavior when using VPN functionality with this VS Cluster. To resolve this issue, perform the following after completing the definitions in the MDG:
1 Open SmartDashboard and connect to the Active CMA of the customer that owns the VS Cluster.
2 Edit the VS Cluster object.
3 Uncheck VPN in the Installed Products list.
4 Click OK.
5 Edit the VS Cluster object again.
6 Check VPN in the Installed Products list.
7 Click OK.

SecuRemote/SecureClient
In This Section

Installation, Upgrade and Backward Compatibility - page 55
Office Mode - page 56
SecureClient Policy Server - page 56
Desktop Security - page 57
Connectivity - page 57
Secure Configuration Verification - page 58
Certificates - page 58
Platform Specific Windows XP - page 58
SecureClient Packaging Tool - page 58
Miscellaneous - page 58

Installation, Upgrade and Backward Compatibility

1) When upgrading a branded version of SecuRemote/SecureClient, make sure that the customized settings are included in the upgrade package.

2) When installing SecureClient using a split-kernel configuration, it may take a few minutes to complete the installation after reboot.

3) When installing SecuRemote/SecureClient NG with Application Intelligence R56 on a machine that already has SecuRemote/SecureClient installed, it installs into the same directory, overwriting or upgrading the previous installation. The user chooses between an upgrade or a clean install.

4) When installing SecuRemote/SecureClient, the Microsoft QoS packet scheduler is automatically unbound from all network connections. Conversely, when uninstalling SecureClient, the QoS packet scheduler is automatically rebound during the uninstallation process. For information about known problems with the Microsoft QoS Packet Scheduler, see http://support.microsoft.com/default.aspx?scid=kb;[LN];831385.

5) In Compact View installations, upgrading from SecuRemote/SecureClient 4.1 and earlier versions is not supported. Additionally, previous settings are overridden when installing over NG or Extended View.

6) To avoid unpredictable behavior that may occur when using wireless network cards, users running Windows XP and XP SP1 are recommended to install the following Microsoft hotfixes prior to SecuRemote/SecureClient installation:


Hotfix: Wireless Update Rollup Package for Windows XP, http://support.microsoft.com/default.aspx?scid=kb;en-us;826942
Hotfix: Stop error when network traffic is initiated and a filter driver is loaded, http://support.microsoft.com/default.aspx?scid=kb;en-us;831385. Note that this hotfix is available from Microsoft on demand only.

7) When upgrading SecuRemote/SecureClient 4.1 while employing Entrust certificates, make sure to add Entrust support to the installation package (see the re-packaging release note for upgrade).

8) SecureClient Software Distribution Server is not supported.

9) A non-MSI package (.exe) cannot be installed over an .msi package. Prior to installing an .exe package, uninstall the .msi package.

10) After upgrading SecuRemote 4.1/R54/R55 that was configured for a dial-up adapter only, the client cannot connect using a LAN adapter.

11) Clients using a Mac OS X license prior to NGX (R60) should contact the User Center to upgrade their existing license to NGX (R60).

Office Mode

12) When using Office Mode and configuring internal DNS in the encryption domain, in the SmartDashboard Global Properties Remote Access page, select Encrypt DNS traffic.

13) An Office Mode IP address is not granted during MEP failover. In a MEP configuration, if the Gateway that assigned the Office Mode IP address to SecureClient fails over to another MEP Gateway, SecureClient does not receive a newly assigned IP address from the MEP peer Gateway. To resolve this issue, disconnect SecureClient and then reconnect.

14) In auto-connect mode, when traffic is detected that is destined for the site, SecureClient automatically connects. If Office Mode is also enabled, the connection must be re-initiated by the user once the auto-connect connection has been established.

15) To assist with the IP stickiness of an IP address assigned for Office Mode, SecureClient stores a pseudo-MAC address in the registry that is used during IKE negotiation. When a machine installed and configured with Office Mode is cloned, all the clones will have the same pseudo-MAC address. This may cause problems with the IP stickiness feature. To avoid this problem, delete the registry value HKLM\Software\CheckPoint\SecuRemote\5.0\OM\MAC from each clone.

SecureClient Policy Server

16) When updating a site, a user that is a member of a runtime group (e.g., RADIUS or NT) will fail to log on to a Policy Server enforcing membership of this group.
Desktop Security

17) The Desktop Security Rule Base supports all Firewall supported services except DCOM, BackWeb and IGMP. The Desktop Security Rule Base does support IGMP in the case where Router Alert is the only option set in the packet.

18) The Desktop Security Rule Base does not support groups with exclusions of network objects.

19) The Desktop Security Rule Base does not support user groups restricted by IP range.

20) To allow FTP data connections to survive events that reload the Security Policy (connect, disconnect, logon to Policy Server, Enable Policy, interface up/down, etc.), save_data_conns is set to true in userc.set. This means that data connections will survive even if they should not. For example, if only logged on users (not AllUsers) are permitted to perform FTP and open data connections, these connections will persist after the user logs off the Policy Server. If for security reasons you prefer to block data connections in these cases, you may set the attribute to false.

21) The Desktop Security Rule Base does not support RADIUS groups.

Connectivity

22) When disconnecting from one gateway in a MEP configuration and re-connecting to another, UDP and ICMP connections (such as ping) may cause an attempt to re-authenticate with the original gateway for up to 40 seconds after disconnecting from the original gateway.

23) When multiple SecuRemote/SecureClient users have the same LDAP UID, authentication may fail if they do not use their dynamic name.

24) A load sharing cluster cannot be included in a fully overlapping MEP configuration. Instead, define a group in SmartCenter which includes the encryption domain, the cluster, and the gateway. Assign the group as the MEP's encryption domain.

25) The length of a Dynamic Name for users is limited to 256 characters in SecuRemote/SecureClient and VPN-1.

26) When more than one site is defined, the attribute allow_clear_traffic_while_disconnected in userc.c is disabled.

27) Secure Domain Logon (SDL) over Visitor Mode is supported only in a transparent proxy (no proxy) configuration.

28) When a Gateway is configured with an external IP and a non-routable internal IP defined as the main IP address, the update site operation may fail.

29) If a TCP tunnel goes down while a client is connected using Visitor Mode, the client disconnects.
30) In Compact View, Load Sharing is not supported, and a re-authentication dialog appears after a MEP or HA failover.

31) Restricting HotSpot registration to the Local Subnet only (configured in SmartDashboard > Global Properties > Remote Access > Registration > Enable Registration > Restrict to Local subnet access) is not supported when configured through the GUI.

Secure Configuration Verification

32) Use of older versions of the SecureClient Secure Configuration Verification module scvprod is not supported. Make sure to use the scvprod provided in this version.

33) Secure Configuration Verification does not support verification of the virus definition file for McAfee VirusScan Professional build 8.2 and later.

Certificates

34) Authentication fails when using an Entrust certificate (EPF) that is read only.

Platform Specific Windows XP

35) When Auto Local Logon or Secure Domain Logon is enabled, the Windows XP fast user switching function is disabled.

SecureClient Packaging Tool

36) When installing SecureClient, the file product.ini may be configured to support some invalid installation options. This may be done by combining product.ini flags and generating invalid combinations. Some examples are:
Simplified and SecuRemote - not supported, but may be configured in product.ini.
Simplified and SDL - not supported, but may be configured.

Miscellaneous

37) Dial-up integration with Connect Mode is not supported with AT&T and AOL dialers. For dial-up integration, use the command line interface.

38) If you are using the AOL dialer from outside the USA, select an access point that supports AOLnet connections. Avoid GlobalNet connections. The type of connection, by geographical location, can be viewed at http://intlaccess.web.aol.com/. You can browse to this location by entering the keyword Access in your AOL browser.

39) Master Browser functionality may fail when SecuRemote/SecureClient is installed on a machine that is also configured as a master browser.

40) SecureClient does not support IP address forwarding and Internet Connection Sharing (ICS).

41) On Windows 2000 Server, where Microsoft Internet Explorer network settings are configured to Automatically detect settings, proxy replacement does not function.

42) The attribute sdl_netlogon_timeout in the file userc.c is no longer supported.

43) In the following scenarios, the RSA Software Token Authentication window is updated only after SecuRemote/SecureClient restarts: importing a new RSA software token, setting an RSA software token passphrase, or changing the token passphrase.

44) ActiveTests are not supported in the Diagnostics tool.

45) Policy installation will fail if two (or more) distinct user groups and network objects are used in the same cell of a rule. For example, if the following appears in a source or destination cell, the policy will not install:
usergroup1@netobj1 & usergroup2@netobj2
If the user groups match or the network objects match, however, the installation will succeed. The following examples allow the policy to install successfully:
usergroup1@netobj1 & usergroup2@netobj1
usergroup1@netobj1 & usergroup1@netobj2

46) In order to enable Auto Local Logon to be completely automatic (similar to Transparent mode in version NG R55), set the global userc.c flag suppress_dialog_when_creds_available to true. Subsequently, when in Auto-Connect Mode, the user will not be prompted for authentication if all the necessary fields in the Connect window contain valid data.
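Note 45 states a pairwise condition on the user@location entries of one cell. The following added example (not Check Point code) encodes that condition as a pre-installation check over a rule list, so the failing rule and the offending pair are reported before the install is attempted; the rule dictionaries are a constructed stand-in for the Rule Base, and entries without '@' are assumed to be ordinary network objects that take no part in the check.

```python
"""Pre-installation check for the note 45 condition: two entries in one cell
whose user groups differ AND whose network objects differ block the install.
Added example, not Check Point code."""
import re
from itertools import combinations

# The 'group@netobj' text form of a cell entry is taken from note 45.
_USER_AT_LOCATION = re.compile(r"^(?P<group>[^@&\s]+)@(?P<netobj>[^@&\s]+)$")


def parse_cell(cell):
    """Split 'usergroup1@netobj1 & usergroup2@netobj2' into (group, netobj)
    tuples. An entry without '@' is assumed to be a plain network object and
    is returned as (None, name) so it is excluded from the check."""
    entries = []
    for raw in cell.split("&"):
        raw = raw.strip()
        if not raw:
            raise ValueError(f"empty entry in cell {cell!r}")
        m = _USER_AT_LOCATION.match(raw)
        entries.append((m.group("group"), m.group("netobj")) if m else (None, raw))
    return entries


def conflicting_pairs(cell):
    """Return every pair of user@location entries that differ in both the
    user group and the network object. A non-empty result means the policy
    will not install (note 45); an empty result means this cell is fine."""
    located = [e for e in parse_cell(cell) if e[0] is not None]
    return [(a, b) for a, b in combinations(located, 2)
            if a[0] != b[0] and a[1] != b[1]]


def cell_installs(cell):
    return not conflicting_pairs(cell)


def check_rulebase(rules):
    """Return (rule number, column, offending pairs) for every rule that would
    block installation. Each rule is a dict with 'no', 'source', 'destination';
    this dict shape is a constructed stand-in for the Rule Base."""
    problems = []
    for rule in rules:
        for column in ("source", "destination"):
            bad = conflicting_pairs(rule[column])
            if bad:
                problems.append((rule["no"], column, bad))
    return problems


if __name__ == "__main__":
    sample_rules = [  # constructed
        {"no": 1, "source": "usergroup1@netobj1 & usergroup2@netobj2", "destination": "Any"},
        {"no": 2, "source": "usergroup1@netobj1 & usergroup2@netobj1", "destination": "netobj2"},
    ]
    for no, column, pairs in check_rulebase(sample_rules):
        print(f"rule {no} {column}: will not install, conflicting pairs {pairs}")
```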

SecurePlatform
In This Section

Installation, Upgrade and Backward Compatibility - page 60
Unicast Routing - page 62
Multicast Routing - page 63
ClusterXL - page 63
General - page 65
Installed Products - page 67
Unsupported Features - page 67
WebUI - page 67

Installation, Upgrade and Backward Compatibility

1) In order to upgrade SecurePlatform NG FP2 or NG FP3 using the NG with Application Intelligence CD, update the patch command before beginning the upgrade. In order to update the patch command, proceed as follows:
1 Log into SecurePlatform.
2 Place the CD into the CD drive.
3 Enter the Expert mode.
4 Type mount /mnt/cdrom.
5 Type patch add /mnt/cdrom/SecurePlatform/patch/CPpatch_command_update.tgz
6 Proceed with the patch add cd to upgrade the OS.

This release note does not apply to upgrades performed via SmartUpdate.

2) To upgrade an NG FP2 SecurePlatform machine, you need to apply a Pre-Install-Patch on the machine before you start the upgrade process. You can download the Pre-Install-Patch package from the download center.

3) If, during the initial configuration process, Performance Pack was not installed, it is not possible to add it to the system later via sysconfig. Performance Pack may be installed, however, in Expert mode by installing the RPM package manually.

4) When using Snapshot image management to create a new snapshot of a SecurePlatform machine running Provider-1/SiteManager-1, the MDS processes are not stopped automatically. Before creating a snapshot image, run the command mdsstop. After the snapshot creation process completes, run mdsstart.

5) On Dell and IBM systems with the BIOS feature Console Redirection, this feature must be disabled to use SecurePlatform with a serial console.

6) When using the command line to upgrade, exiting the installation before it finishes places the system in an unstable state. Be sure to take a Snapshot of the system before beginning the upgrade (or answer Y when asked to create a backup image at the beginning of the upgrade).

7) To repeat an upgrade procedure (e.g., after a failed upgrade), install the updated patch command from the SecurePlatform CD. To install it, proceed as follows:
1 Log into SecurePlatform.
2 Place the CD into the CD drive.
3 Enter the Expert mode.
4 Type mount /mnt/cdrom.
5 Type patch add /mnt/cdrom/SecurePlatform/patch/CPpatch_command_update.tgz
6 Answer when prompted.

After this update is complete, the system will allow multiple upgrade operations.

8) When upgrading from SecurePlatform FP2, FP3 and FP4, you must update the "patch" command before proceeding with the upgrade. To apply the patch, insert the SecurePlatform installation CD and run the following commands:
1 mount /mnt/cdrom
2 patch add /mnt/cdrom/SecurePlatform/patch/CPpatch_command_update.tgz

After applying this patch, proceed with the upgrade.

9) The SecurePlatform WebUI management interface will only upload an upgrade package if the browser being used is Microsoft Internet Explorer.

10) During upgrade, the following console messages can be safely ignored:

INIT: version 2.78 reloading
INIT: version 2.85 reloading

11) The installation process fails with some USB CDROM models. Use the floppy to start the installation, or install via the network.

12) On some older computers (usually 5-6 years old), the SecurePlatform CDROM will fail to boot due to BIOS limitations. In this case, create a boot floppy and use it to start the installation.

13) Using sysconfig to install and configure SmartPortal on SecurePlatform is not supported. Use one of the following two workarounds instead:
Use the SecurePlatform Web UI First-Time Configuration wizard.
Configure the operating system via sysconfig, and then manually install SmartPortal by running rpm -i on the SmartPortal RPM file located at /sysimage/CPwrapper/Linux/CPportal.

Unicast Routing

14) If working with the Advanced Routing suite, and Multihomed Link Selection is configured with identical routes via multiple redundant interfaces, the following workaround is required: if there are only two identical routes, one of the routes must be split into two routes, where the first route covers half of the subnet and the second route the other half of the subnet.

15) Configuring any redistribute options in the RIP environment will remove the default redistribute rip and redistribute direct options. These options can be configured manually, if needed.

16) Despite establishing OSPF adjacency, kernel-sourced routes may not be distributed immediately. In those cases, a 10 minute delay may be experienced.

17) During reboot, a number of Dynamic Routing messages appear on the console. These messages can be safely ignored.

18) When working with VTI unnumbered interfaces, changes to the IP address of the proxy interface do not immediately register with Dynamic Routing. For the changes to take effect, run the commands drouter stop and drouter start.

19) After running the command service network restart, the previous kernel routes persist. For the changes to take effect, run the commands drouter stop and drouter start.

20) When publishing a network from two (or more) sources with the same Distance and Metric, the network will be deleted from the RIB of the operating system. A workaround is to change the metric for one of the peers, or if one peer is reached via a different interface, to change the metric of one of the local interfaces.

21) When changing the VTI netmask to a specific masklen, GateD creates three routes: two connected routes for the local and remote IPs, and one additional network kernel route for the defined subnet. After VTI removal, the third network route is preserved in the GateD routing table, but removed from the OS routing table.

Multicast Routing

22) Defining NAT on a host that transmits multicast traffic is not supported.

23) When running any Multicast protocols, the special interface pimreg is added to the system. This interface is not monitored by ClusterXL and always appears as DOWN in the output of cphaprob -a if. This error can be safely ignored.

24) To enable a multicast service on a VPN Gateway functioning as a rendezvous point, add a rule to the Security Policy of that Gateway to allow only the specific multicast service to be accepted unencrypted, and to accept all other services only through the community.

25) A SecurePlatform machine with more than 10 interfaces may encounter difficulty running Multicast Dynamic Routing protocols (as well as OSPF). This issue may be addressed by adjusting the number of multicast groups that can be joined by a single process. The limit is set in the file /proc/sys/net/ipv4/igmp_max_memberships, and the default number is 20.

26) The Dynamic Routing suite does not support multiple adjacencies to the same routing neighbor when one of the cluster IPs participating in the adjacency resides on a different subnet. This means that if you have a configuration in which the cluster interface resides on a network different from the member network on the same interface, this IP cannot be used together with another regular cluster interface for forming multiple adjacencies to the same routing neighbor.

27) Defining Dynamic Routing protocols on the Cluster Sync interface is not supported.

28) 224.0.0.x routes that remain in the routing table after dynamic routing is disabled can be safely ignored.

29) PIM multicast traffic is not supported with virtual tunnel interfaces configured with identical local IP addresses.

ClusterXL

30) After making changes to the cluster topology, run the commands cpstop and cpstart to update Dynamic Routing.

31) After adding or removing a cluster member and installing a new policy on it, execute cpstop and cpstart in order to update Dynamic Routing with the new configuration.

32) GateD adds the cluster IP address of VPN tunnel interfaces when full adjacency is established. This may, however, result in a variety of problems, such as losing adjacencies. Generally, VPNT interfaces should not be redistributed to the peers. This may be achieved by using the route-map command. See the following example:

config terminal
route-map block-vpnt-distribution permit 5
match ip address access-list vpnt-network
exit
access-list vpnt-network permit <internal networks> <mask wildcard>
access-list vpnt-network deny <all vpn tunnel ip addresses> <mask wildcard>
access-list vpnt-network deny <all ext. interface networks> <mask wildcard>
exit
router ospf 1
redistribute direct route-map block-vpnt-distribution

33) During policy installation, the following messages may appear on the console:

[Expert@fault]# gated_xl[1383]: task_set_option: task MRouting socket 17 option GroupAdd(10) interface 56.2.2.1(vt-aaa) group 224.0e
gated_xl[1383]: task_change_role reinitializing done
gated_xl[1383]: task_set_option: task MRouting socket 17 option GroupAdd(10) interface 56.2.2.1(vt-aaa) group 224.0.0.2: Address ale
gated_xl[1383]: task_change_role reinitializing done
gated_xl[1383]: task_change_role re-initializing

These messages can be safely ignored.

34) When executing the command clusterXL_admin down on a cluster configuration which includes Dynamic Routing, be sure to wait 10 seconds or so before running the command clusterXL_admin up. Failing to do so may result in a delay of a few seconds before the cluster member returns to the normal (active or standby) state, and the following error message:

Operation failed: member is still down, run 'cphaprob list' for further details.

This occurs because the command clusterXL_admin down causes the active cluster member running Dynamic Routing to start a sync of the FIB table, and it will not enter the UP state until the sync completes.

35) When using the Advanced Routing Suite with ClusterXL, make sure to perform the following:
1 In order to keep routes synchronized among cluster members, allow the service FIBMGRD in the Rule Base.

2 To prevent FIBMGRD connections from exceeding the timeout threshold, add the following lines to the file $FWDIR/lib/user.def on the management station:

/* Cluster related definitions - cluster fold and others */
#include "cluster.def"
deffunc user_accept_non_syn() {
    ( src in cluster_members_ips, dst in cluster_members_ips, ( sport = 2010 ) or (dport = 2010) )
};
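Notes 10 and 33 quote console messages that are safe to ignore, while note 34 quotes one that signals a real condition. The following added example (not Check Point code) filters console output against exactly those documented patterns and passes everything else through for an operator to review, so that a benign-message filter never hides an undocumented error; the sample console lines are constructed from the messages quoted in the notes.

```python
"""Triage SecurePlatform console output: drop only the messages that notes 10
and 33 document as benign, keep everything else for review.
Added example, not Check Point code."""
import re

# Patterns derived from the messages quoted in notes 10 and 33. Anything not
# matched here is not documented as benign and must stay visible.
KNOWN_BENIGN = [
    ("note 10", re.compile(r"^INIT: version \d+\.\d+ reloading$")),
    ("note 33", re.compile(
        r"gated_xl\[\d+\]: task_set_option: task MRouting socket \d+ "
        r"option GroupAdd\(\d+\) interface \S+ group 224\.")),
    ("note 33", re.compile(r"gated_xl\[\d+\]: task_change_role re-?initializing")),
]

# Constructed sample console output; the last line is the note 34 error and
# must not be filtered out.
SAMPLE_CONSOLE = [
    "INIT: version 2.78 reloading",
    "INIT: version 2.85 reloading",
    "[Expert@fault]# gated_xl[1383]: task_set_option: task MRouting socket 17 "
    "option GroupAdd(10) interface 56.2.2.1(vt-aaa) group 224.0.0.2",
    "gated_xl[1383]: task_change_role reinitializing done",
    "gated_xl[1383]: task_change_role re-initializing",
    "Operation failed: member is still down, run 'cphaprob list' for further details.",
]


def classify_line(line):
    """Return the note reference for a documented benign message, else None."""
    text = line.strip()
    for ref, pattern in KNOWN_BENIGN:
        if pattern.search(text):
            return ref
    return None


def triage(lines):
    """Split console lines into (ignored, review).

    ignored: list of (note reference, line) so the reason for dropping is visible.
    review:  lines the release notes do not cover; these are kept for an operator.
    """
    ignored, review = [], []
    for line in lines:
        ref = classify_line(line)
        if ref is None:
            review.append(line.strip())
        else:
            ignored.append((ref, line.strip()))
    return ignored, review


if __name__ == "__main__":
    skipped, keep = triage(SAMPLE_CONSOLE)
    for ref, line in skipped:
        print(f"[ignored per {ref}] {line}")
    for line in keep:
        print(f"[REVIEW] {line}")
```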

36) When using VTIs on a ClusterXL gateway with Hitless Restart configured, be sure to set Hitless Restart to restart-type signaled.

37) To ensure RIB synchronization in NGX (R60), the following steps should be performed:
1 Define a new TCP service with a destination port of 1024-65535 and a source port of 2010.
2 In the Advanced Properties tab, uncheck Match for ANY.
3 Add a rule allowing the above service and the service FIBMGR between all the cluster members.

38) BGP is not supported on interfaces that have a Cluster IP address configured on a different subnet than the physical IP addresses.

39) Dynamic Routing protocols do not support cluster IP addresses defined on a subnet other than that of the physical IP addresses of the interfaces.

General

40) In legacy High Availability mode for ClusterXL, MAC address synchronization is not supported for VLAN tagged interfaces. Use new High Availability mode, or manually configure the MAC addresses of the interfaces using the ifconfig CLI or the WebUI.

41) If you use a default subnet configuration, you should define the routing through the device and not the IP address.

42) Network installation from a Windows-based FTP Server is not supported. Use a Linux-based FTP Server instead.

43) The cpconfig command line interface of SecurePlatform versions R55 and earlier displayed the time zone GMT offset according to the POSIX standard, which is the opposite of the commonly accepted standard. For example, for GMT+2, the command line interface shows GMT -2.
In this release, the time zone display in the command line uses the commonly accepted notation. Please pay attention to this change when configuring the system time zone from the command line.

44) For optimal usage of memory on machines with more than 512MB of memory, add the following configuration settings to /etc/fw.boot/modules/fwkern.conf and then reboot the machine:

fw_hmem_use_alternate_malloc=1
fw_smem_use_alternate_malloc=1

You should not assign more than 1700MB to the Maximum memory pool size. This value is set in the Capacity Optimization page of the module's object in SmartDashboard.

45) During the Backup/Restore operation, the Expert password is not backed up.

46) SecurePlatform cannot be installed on a machine that has more than two SCSI hard drives, unless they are in a RAID configuration and can be seen as a single virtual drive.

47) After updating the time zone of SecurePlatform, make sure to reboot the computer to ensure that the new time zone is applied to all applications.

48) Restoring the system settings via an SSH connection is not supported. Use a console that is locally connected to restore the system settings.

49) When using multiple RADIUS servers, make sure that the servers are exact replicas of each other. When using multiple RADIUS servers that contain different users, login failure or success depends on the listed order of the servers in the configuration file (i.e., when one RADIUS server denies access, SecurePlatform denies access and does not try to authenticate the user against the other RADIUS servers).

50) When using the RADIUS groups access and user lockout features at the same time, there is no way to see that users that accessed the system via RADIUS groups are locked.

51) Important Notice: This version modifies the way in which SecurePlatform handles the BIOS clock settings. For instance, it is no longer necessary to manually change the BIOS clock when switching to or from daylight savings time. Make sure to set the BIOS clock to UTC (GMT) time.

52) When restoring system configuration from older versions of SecurePlatform, the time zone configuration is not restored properly. Make sure to configure the time zone manually after restore.

53) When using SNMP, enable the snmp service prior to adding new users. The command users show does not function as expected if the service is not enabled first.

54) Under a high load, Advanced Routing messages are sometimes printed to the SecurePlatform console.

Release Notes for Check Point NGX (R60). Last Update May 16, 2005

Clarifications and Limitations SecurePlatform

55) SecurePlatform R60 NGX can be configured to send system (syslog) messages to remote syslog servers. Note that system logs can include sensitive information, such as the IP addresses of the system. Make sure that when you use this facility you transfer logs only over encrypted or secured channels (e.g., trusted networks or VPNs).

56) Restart PPPoE and PPTP network connections if the initial connection to the modem fails. When restarting the connection from the command line, you may need to re-enter the PPP credentials.

57) Deploying a DHCP server on a SecurePlatform machine running a VPN-1 enforcement module is not supported. As a workaround, deploy the DHCP server on a SecurePlatform machine that is not running an enforcement module.

Installed Products

58) The following Check Point products are not supported on a Dynamic Address IP (DAIP) Gateway:
- SmartCenter Server
- ClusterXL
- Log Server
- Policy Server
- SmartView Monitor

Unsupported Features

59) If you make a Snapshot of a system upgraded to NGX (R60) and then revert to R55 or R55W, you cannot use that Snapshot to revert once again to version NGX (R60). The revert process cannot revert from an older OS version to a newer OS version. Consider upgrading again instead of reverting to the newer OS Snapshot.

60) NGX builds prior to take 160 do not support upgrade via SmartUpdate for SecurePlatform.

WebUI

61) If an error occurs when changing interface settings, the WebUI does not display the error.


Clarifications and Limitations SmartLSM

SmartLSM
In This Section

Installation and Configuration   page 68
General   page 68
Policy Configuration   page 68
Status Monitoring   page 68
SmartUpdate   page 69

Installation and Configuration

1) A Dynamically assigned IP (DAIP) VPN-1 Pro/Express gateway cannot be a CO Gateway. Thus the command LSMenabler on should not be run on it.

2) After defining the interfaces or resetting SIC on an R55 ROBO Gateway, all Check Point services must be restarted, including cprid. This can be done via the commands cpstop and cpridstop, followed by cpstart and cpridstart.

3) On a SmartCenter server running on Linux, Solaris, or SecurePlatform, defining an entry similar to the following in the /etc/hosts file should be avoided:
127.0.0.1 mymachine localhost.localdomain localhost

Such an entry may cause the VPN routing tables and security policy of a ROBO Gateway not to be updated after pushing policy, even though the SmartLSM GUI reports a successful policy installation. In such a situation, it is possible to fetch the policy from the ROBO Gateway using the command fw fetch <SmartCenter IP>.

General

4) To support High Availability of SmartCenter servers, define both SmartCenter servers from SmartDashboard > Profile Object > Masters tab.

Policy Configuration

5) Resolve all Dynamic Objects that are used in the policy. An unresolved Dynamic Object will result in dropping all the packets that match the other characteristics of the rule.

Status Monitoring

6) The SmartLSM GUI reports the status of ROBO Gateways as Waiting in the following SmartCenter High Availability scenario:
- One or more ROBO Gateways are managed in SmartLSM on a Primary SmartCenter server.
- The Secondary SmartCenter server is synchronized for the first time.
- Management HA Switchover is performed: The Primary SmartCenter server is changed to standby, and the Secondary SmartCenter server is changed to active.

To resolve this issue, restart the status_proxy on the Secondary SmartCenter server.
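The /etc/hosts pitfall from item 3 above, turned into a check a SmartCenter administrator can run before pushing policy. This is an added example and not Check Point's own code; the sample hosts file and the hostname mymachine are constructed.

```python
"""Added example, not Check Point's own code: flag /etc/hosts entries of the
kind item 3 above warns against, where the SmartCenter's own hostname is
mapped to a loopback address alongside localhost."""
import ipaddress

# Constructed sample /etc/hosts in the shape the note describes.
SAMPLE_HOSTS = """# constructed sample, not a real host
127.0.0.1 mymachine localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.10.5 mymachine.example.test mymachine
"""

# Names that legitimately belong on a loopback line.
LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "localhost4",
                   "localhost4.localdomain4", "localhost6",
                   "localhost6.localdomain6", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return [(address, [names])] for each entry, ignoring comments and
    lines without at least one name."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def loopback_aliases(text, hostname=None):
    """Return [(address, name)] for every non-localhost name mapped to a
    loopback address. With hostname given, only that host (short or fully
    qualified form) is reported; without it, every such alias is."""
    wanted = None
    if hostname:
        wanted = {hostname.lower(), hostname.split(".")[0].lower()}
    offenders = []
    for addr, names in parse_hosts(text):
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:  # malformed address field, skip the line
            continue
        for name in names:
            lname = name.lower()
            if lname in LOCALHOST_NAMES:
                continue
            if wanted and lname not in wanted and lname.split(".")[0] not in wanted:
                continue
            offenders.append((addr, name))
    return offenders


if __name__ == "__main__":
    for addr, name in loopback_aliases(SAMPLE_HOSTS, "mymachine"):
        print(f"{name} is mapped to loopback address {addr}; remove it from that line")
```

On a real server, read /etc/hosts and pass the output of hostname instead of the constructed sample.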

7) When configuring a VPN Domain for VPN-1 Edge ROBO gateways to contain only part of the networks behind the VPN-1 Edge gateway, the traffic from/to the network(s) not participating in the VPN domain will not be passed in the clear, and will instead be dropped. Additionally, SmartLSM does not currently support alternating between clear and encrypted traffic between the Corporate Office gateway and the VPN-1 Edge ROBO gateways. A choice must be made to send all traffic between the two gateways either in the clear or encrypted.

8) When using SmartLSM to manage more than 950 VPN-1 Express/Pro ROBO gateways from a single SmartCenter/Provider-1 CMA, the gateway and policy status will not be collected for some of the gateways. All other management activities besides status collection will operate correctly. In a Provider-1 environment, the problem can be addressed by splitting the management into a number of CMAs, each managing no more than 950 VPN-1 Express/Pro ROBO gateways. The problem does not exist when managing VPN-1 Edge ROBO gateways.

SmartUpdate

9) When upgrading or installing packages on a Nokia VPN-1 Pro/Express ROBO Gateway via SmartLSM, the IPSO image on the ROBO Gateway may not be updated even though the SmartUpdate Package Repository contains a newer IPSO image version.

10) When using the LSMcli Install command to install certain packages (e.g., Performance Pack) on a VPN-1 Express/Pro ROBO Gateway, the package may not be distributed or installed, and the following error is displayed:

    Failed to get installable targets (profiles) - One or more arguments are invalid.

The workaround is to install these packages via the SmartLSM GUI.


Clarifications and Limitations SmartUpdate

SmartUpdate
In This Section

Installation, Backward Compatibility, and Upgrade   page 70
GUI   page 70
Licensing   page 71
OPSEC   page 71
Miscellaneous   page 71
Platform Specific - Nokia   page 71

Installation, Backward Compatibility, and Upgrade

1) When a gateway has been upgraded and then rolled back to the previously installed version, SmartUpdate will not be able to report its status. This occurs because the gateway restarts with the initial policy instead of the last installed policy. The workaround is to re-install the old policy via SmartDashboard.

2) To ensure successful package installation, packages should be transferred and installed one by one. For instance, first transfer the VPN-1 Pro package and complete its installation, and only then transfer the next package (say, Performance Pack) and complete that installation. An incomplete transfer and installation may cause the next consecutive package to fail to transfer successfully.

3) The command line executable for upgrading remote gateways, cprinstall, does not currently support the upgrade all option. Instead, run cprinstall install to upgrade individual packages, or use the SmartUpdate GUI.

4) After using SmartUpdate to install a firmware package on a VPN-1 Edge gateway, renaming the gateway in SmartDashboard may fail and result in the following message:

    Internal Error [12] while handling object edge1. Failed to update references of object edge1. Please contact technical support.

If this occurs, you can safely ignore this message and perform the rename operation again. To avoid this message, leave SmartDashboard open during firmware installation.

5) After upgrading SmartCenter to NGX (R60), all software packages (except for VPN-1 Edge firmware packages) that were located in the Package Repository do not appear in SmartUpdate. The packages are, however, still in the directory $SUROOT, and can be re-added to the Package Repository using the SmartUpdate command Add From File.

GUI

6) The feature Add Package From Download Center is not supported if the machine running SmartUpdate accesses the Download Center through a proxy server.

Licensing

7) If a local license is detached from the license repository and then reattached without first closing SmartUpdate, the license appears in the repository as unattached. In such a scenario, either attach the license manually, or close and restart SmartUpdate before reattaching the license.

OPSEC

8) Both SmartUpdate and cprinstall are unable to uninstall any OPSEC package installed on SecurePlatform gateways. You can resolve this issue as follows:
1 Add the package to be uninstalled to the SmartUpdate Package Repository.
2 On the SmartCenter Server: go to the $SUROOT directory, find one of the subdirectories matching your product, and change the name of this directory from ...#Linux#... to ...#SecurePlatform#... Then run uninstall.

Miscellaneous

9) When running Fetch CPInfo on a non-Windows Management server, while trying to fetch CPInfo for the Management itself, in certain cases the command may halt unexpectedly. In this case, rerun the command, or run CPInfo locally.

Platform Specific - Nokia

10) Upgrade All and separate transfer and install are not supported on diskless Nokia. To resolve this issue, explicitly install Nokia IPSO first and thereafter install the Check Point products one by one.


Clarifications and Limitations SmartView Monitor

SmartView Monitor
In This Section

Installation, Upgrade and Backward Compatibility   page 72
Platform Specific Solaris   page 72
Platform Specific Windows   page 72
Gateway Status   page 72
Tunnel Monitoring   page 72
User Monitoring   page 72
SAM   page 73

Installation, Upgrade and Backward Compatibility

1) SmartView Monitor custom views created with NG with Application Intelligence R54 or R55 are not maintained after upgrade.

2) After installing NGX (R60), the Last hour history tables in the System Counters view may be empty. To resolve this issue, run the commands cpstop and cpstart.

Platform Specific Solaris

3) The total virtual memory counter is not supported for gateways on the Solaris platform.

Platform Specific Windows

4) The total virtual memory counter is not supported on gateways on the Windows platform if the virtual memory is larger than four Gigabytes.

Gateway Status

5) SmartView Monitor does not report the status of OPSEC modules.

6) After modifying a Global Threshold, the change becomes effective after selecting Tools > Stop System Alert Daemon and Start System Alert Daemon.

Tunnel Monitoring

7) The SNMP interface for Tunnel Monitoring is not supported.

8) When drilling down to tunnel traffic on cluster gateways, tunnel traffic is displayed for only one of the cluster members.

User Monitoring

9) The feature Reset tunnel is not supported on SSL Network Extender client tunnels.



Clarifications and Limitations Eventia Reporter

SAM

10) A Suspicious Activity Monitor (SAM) rule will fail for a remote Gateway if the SmartCenter Server is also a VPN-1 Pro module and no policy has been installed on it since adding the remote Gateway.

Eventia Reporter
In This Section

Installation, Upgrade and Backward Compatibility   page 73
General   page 78
Configuration   page 78

Installation, Upgrade and Backward Compatibility

1) For a local Eventia Reporter Advanced Upgrade, the export mechanism does not copy the database files or other associated Eventia Reporter files. (This issue does not arise with the Eventia Reporter SmartCenter Add-on Advanced Upgrade.) To perform a full export that includes all of the Eventia Reporter data, follow these steps:

On the original (SmartCenter) machine:

1 Run the command cpstop.

2 Back up the database data. The location of the database data files is specified in the mysql configuration file my.ini (Windows) or my.cnf (all other platforms). The mysql configuration file is located in the directory $RTDIR/Database/conf/. Open the mysql configuration file with WordPad or another file editor. Locate the lines that begin as follows:

    datadir=
    innodb_log_group_home_dir=
    innodb_data_file_path=

The directories indicated by these entries are the ones to copy. By way of example, the default entries for a Windows installation are:

    [mysqld]
    datadir="C:/Program Files/CheckPoint/EventiaReporter/R60/ReportingServer/Database/data"
    innodb_log_group_home_dir="C:/Program Files/CheckPoint/EventiaReporter/R60/ReportingServer/Database/log"
    innodb_data_file_path = ibdata1:10M:autoextend:max:40G


The third entry, innodb_data_file_path, records database files that were added or moved to absolute locations (for example, if the command UpdateMySQLConfig -A or -M has been applied). These files should be copied as well. Make sure to copy the database data files to a location that is accessible from the target machine, and when copying directories, to include their sub-directories.

3 Back up any company logo image file(s) in $RTDIR/bin.

4 Back up any custom distribution scripts in $RTDIR/DistributionScripts.

5 Run the CD wrapper and perform the Export operation.

On the target machine:

6 Run the Advanced Upgrade procedure on the target machine.

7 Run the command cpstop.

8 Copy the database files from the backup to the target machine.

9 If necessary, modify the following fields in the mysql configuration file to match the locations of the database data files: datadir, innodb_log_group_home_dir, innodb_data_file_path. Make sure that the paths are written in Unix format, with forward slashes (/) between directories.

10 Copy your company logo image file(s) to $RTDIR/bin.

11 Copy your distribution scripts to the directory $RTDIR/DistributionScripts. (Be sure to check whether the script is supported on the platform to which you are migrating.)

12 Run the command cpstart.

13 Start a consolidation session in the Management tab of the Eventia Reporter Client.

2) Eventia Reporter can be upgraded to NGX (R60) from version NG R56 only. If you are upgrading from a version prior to R56, uninstall the Reporter and continue with the upgrade.

3) The MySQL server on the Eventia Reporter conflicts with a MySQL server installation on the same computer. Install the Eventia Reporter server on a computer that does not contain a MySQL server installation.

4) Eventia Reporter will not continue consolidation sessions if the log files were manually upgraded on the log server.

5) After upgrading from R56 to NGX (R60), a scheduled report that is selected for a specific module may fail to run. If this occurs, resave the report.
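The database-file part of the export procedure above (steps 2 and 9 of item 1), as an added example that is not Check Point's or Eventia Reporter's own code: it reads the three [mysqld] entries step 2 names, lists everything that has to be copied, and rewrites the paths in Unix form for step 9. The two directory values are the Windows defaults quoted above; the second InnoDB file spec, the target locations and the file name helpers are constructed assumptions.

```python
"""Added example, not Check Point's own code: find the MySQL data locations
that the Eventia Reporter export procedure (item 1 above) says to copy, and
rewrite them for the target machine's my.cnf/my.ini in Unix path form."""
import re

# Constructed sample of the [mysqld] section. The two directory entries are
# the Windows defaults quoted in the release notes; the second InnoDB file
# spec stands in for a file moved to an absolute location with
# UpdateMySQLConfig -M (an assumption for this example).
SAMPLE_MY_INI = """[mysqld]
datadir="C:/Program Files/CheckPoint/EventiaReporter/R60/ReportingServer/Database/data"
innodb_log_group_home_dir="C:/Program Files/CheckPoint/EventiaReporter/R60/ReportingServer/Database/log"
innodb_data_file_path = ibdata1:10M:autoextend:max:40G;D:\\EventiaExtra\\ibdata2:100M:autoextend
"""

KEYS = ("datadir", "innodb_log_group_home_dir", "innodb_data_file_path")
DIR_KEYS = ("datadir", "innodb_log_group_home_dir")


def parse_mysqld_section(text):
    """Return {key: value} for the three keys of interest in [mysqld].
    Quotes around values are stripped; other sections are ignored."""
    found = {}
    in_mysqld = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_mysqld = line.lower() == "[mysqld]"
            continue
        if not in_mysqld or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in KEYS:
            found[key] = value.strip('"')
    return found


def to_unix_path(path):
    """Step 9 of the procedure: paths on the target must use forward slashes."""
    return path.replace("\\", "/")


def innodb_files(spec):
    """Split innodb_data_file_path into (absolute, relative) file names.
    Each spec is name:size[:autoextend[:max:N]]; a name that starts with a
    drive letter or a slash is an absolute location and must be copied
    separately, everything else lives under datadir."""
    absolute, relative = [], []
    for entry in spec.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        # Keep a Windows drive letter ("D:\...") out of the size-field split.
        name = re.match(r"^([A-Za-z]:[\\/][^:]*|[^:]*)", entry).group(1)
        if re.match(r"^([A-Za-z]:[\\/]|/)", name):
            absolute.append(name)
        else:
            relative.append(name)
    return absolute, relative


def copy_list(text):
    """Everything step 2 says to copy: the data and log directories plus any
    InnoDB files at absolute locations, all in Unix path form."""
    conf = parse_mysqld_section(text)
    targets = [to_unix_path(conf[key]) for key in DIR_KEYS if key in conf]
    absolute, _ = innodb_files(conf.get("innodb_data_file_path", ""))
    targets.extend(to_unix_path(name) for name in absolute)
    return targets


def rewrite_for_target(text, new_values):
    """Step 9: rewrite the given [mysqld] keys to the locations on the target
    machine, forcing forward slashes and quoting values that contain spaces."""
    out = []
    for raw in text.splitlines():
        key = raw.split("=", 1)[0].strip()
        if key in new_values:
            value = to_unix_path(new_values[key])
            out.append(f'{key}="{value}"' if " " in value else f"{key}={value}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for path in copy_list(SAMPLE_MY_INI):
        print("copy:", path)
    # Constructed target locations on a Unix-style Eventia Reporter server.
    print(rewrite_for_target(SAMPLE_MY_INI, {
        "datadir": "/var/eventia-migrated/data",
        "innodb_log_group_home_dir": "/var/eventia-migrated/log",
    }))
```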

6) After installing Eventia Reporter on SecurePlatform and configuring it with cpconfig, reboot the operating system.

7) When upgrading from R56 to NGX (R60) on Solaris, the install wrapper presents options to perform a new installation or import a configuration, but does not present the option to perform an upgrade. Select New Installation to upgrade Eventia Reporter.

General

8) Account logs that originate from a gateway cluster are counted twice. Thus, reports of these logs will display inaccurate data.

9) Logs produced by VPN-1 Pro modules that also have QoS installed show twice the number of actual HTTP connections. As a result, reports generated on such modules will display an incorrect number of connections.

10) An estimated report-generation time does not exist out of the box. The first generation of any report will not display an estimated generation time.

11) In High Availability mode, after switching the status of a SmartCenter server from active to inactive, reports that were generated on the now inactive SmartCenter server are unavailable from the Eventia Reporter GUI client. However, the reports are still available in the Eventia Reporter server's Results directory.

12) If SmartDashboard is connected to an inactive management, Eventia Reporter cannot be launched from the Window menu of SmartDashboard. Instead, launch Eventia Reporter via the Windows Start Menu.

13) When running Eventia Reporter on SecurePlatform, set the number of DNS threads to 150. Setting this value higher may impede the closing of consolidation sessions.

14) Restarting a consolidation session based on a file outside of the logtrack sequence will duplicate the data in the database. Make sure to remove the session after it completes.

15) If Eventia Reporter is running with multiple consolidation sessions, after running cpstop, ensure that all log_consolidator processes have terminated before running cpstart.

16) The Active Policy Analysis section of the Rule Base Analysis report cannot be generated per gateway. Either unselect the section when generating the reports per gateway, or from the Input tab, select Generate the report using summary of all gateways.

Configuration

17) Eventia Reporter data is not synchronized by the MDS in High Availability Provider-1/SiteManager-1 configurations. To ensure that the report information is accurate, perform the following:

- Install the Eventia Reporter Add-on on a single MDS.
- When starting the Eventia Reporter client, make sure to open it only on this MDS.

18) FTP or HTTP distribution of reports does not work with proxy settings. If a machine has proxy settings, use alternate distribution methods such as e-mail distribution, or copy files from the Report's Results directory instead.

19) When an Eventia Reporter server's IP address has static NAT, a machine running the Eventia Reporter SmartConsole must be able to route connections to the Eventia Reporter server's real IP address. This can be achieved by running the Eventia Reporter SmartConsole on a machine in the server's local network, or sometimes, by adding the appropriate route entries to the routing table of the machine running the Eventia Reporter SmartConsole.

20) Instability may occur with the Eventia Reporter client if it connects to a SmartCenter server on a Nokia platform that is both low on memory and in a standalone configuration.


Clarifications and Limitations ClusterXL

ClusterXL
In This Section

Upgrade, Backout, and Backward Compatibility   page 77
General   page 78
Configuration   page 78
VPN-1 Clusters   page 79
High Availability   page 80
Load Sharing   page 81
Authentication   page 82
State Synchronization   page 83
SmartConsole   page 83
Security Servers   page 83
Platform Specific Nokia   page 84
Platform Specific Solaris   page 85
Platform Specific Windows   page 86
Services   page 86
Unsupported Features   page 86

Upgrade, Backout, and Backward Compatibility

1) When upgrading from Version 4.1 to NGX (R60), cluster members that were not attached to a cluster are not seen in SmartDashboard. After upgrading, these objects are hidden but still exist in the system, so creating objects with the same name is not possible. This issue can be resolved by deleting the hidden object. To delete the object, use dbedit to edit the file $FWDIR/conf/objects.C on the SmartCenter server and delete the object, and then install policy.

2) When upgrading a Version 4.1 Check Point High Availability cluster, if you do not wish to change the mode of the cluster, select Legacy High Availability mode in a new ClusterXL object (and not the default value, which is New High Availability). Moving to a New High Availability configuration (recommended) requires a topological change. Read more about it in the ClusterXL guide under Migrating from Legacy High Availability.

3) During upgrade of a cluster member from a pre-NGX (R60) version to NGX (R60) and higher versions, the following message may appear on the console:

    FW-1: fwlddist_put: bad operation received from higher version.

This message can be safely ignored.

4) Full Connectivity Upgrade (FCU) to major releases such as NGX (R60) is not supported. You can, however, perform a Zero Downtime upgrade. For instructions, refer to the Upgrade Guide.

General

5) In Legacy High Availability mode for ClusterXL, MAC address synchronization is not supported for VLAN tagged interfaces. Use New High Availability mode, or manually configure the MAC addresses of the interfaces using the ifconfig CLI or the WebUI.

6) Performing an SNMP query on both the cluster's IP address and the members' IP addresses concurrently is not supported. The SNMP query can be run on only one or the other at a time. Alternatively, you can wait for the UDP virtual session timeout between the SNMP queries on the different IP addresses. This timeout has a 40 second default, and can be defined in Global Properties > Stateful Inspection.

Configuration

7) In the Rule Base, when adding a cluster object to the source or destination column of a rule, the rule applies only to the cluster addresses. If the rule needs to apply to the cluster member addresses as well, add their objects to the rule too.

8) The following error messages may appear on the console when enabling or disabling ClusterXL or state synchronization using the command cpconfig:

    FW-1: fwkdebug_register: module cluster already registered
    FW-1: fwha_kdebug_register: fwkdebug_register failed

These messages may be safely ignored.

9) To use manual client authentication through HTTP in a cluster environment, set the database property hclient_enable_new_interface to true. This forces the HTTP client authentication daemon to ask for both the user name and password in the same HTML page. When the IP addresses of the cluster members are not routable, the URLs returned in the HTML from the replying cluster member contain the non-routable IP address of the member instead of the IP address of the cluster. This causes subsequent operations to fail. The workaround in this case is to configure the cluster to use a domain name, using the ahttpclientd_redirected_url global property. Make sure that your DNS servers resolve this domain name to the cluster's IP address.

10) Use the commands cpstop and cpstart instead of cprestart on cluster configurations. The command cprestart is not supported on cluster members.

11) A cluster IP interface or a synchronization network interface cannot be defined as a non-monitored (i.e., disconnected) interface.


12) When defining VLAN tags on an interface, cluster IP addresses can be defined only on the VLAN interfaces (the tagged interfaces). Defining a cluster IP address on a physical interface that has VLANs is not supported. The physical interface should be defined with the Network Objective Monitored Private on ClusterXL clusters and as Private on third-party clusters.

13) When installing policy on a cluster with a layer 2 bridge defined, the installation may fail with the following error: Load on Module failed. To resolve this issue, do the following:
1 Set the environment variable FW_MANAGE_BRIDGE to 1 on the SmartCenter server. This is done by updating the files $CPDIR/tmp/.CPprofile.csh and $CPDIR/tmp/.CPprofile.sh so that they include the environment variable FW_MANAGE_BRIDGE 1.
2 Install policy.

14) When setting an interface whose current Network Objective is Sync to Non-Monitored Private, and setting another interface's Network Objective to Sync and installing policy, the status of the cluster members will change to Active Attention and Down. To avoid this issue, make this configuration change in two phases:
1 Set the interface with the Network Objective of Sync to Monitored Private (instead of Non-Monitored), and the other interface's Network Objective to Sync, and install policy.
2 Reconfigure the Monitored Private interface to Non-Monitored and install policy again.

15) When defining a Sync interface on a VLAN interface, it can only be defined on the lowest VLAN tag on a physical interface.

16) Defining the lowest VLAN tag on a physical interface as disconnected (i.e., Non-Monitored Private) is not supported.

VPN-1 Clusters

17) When defining Office Mode IP pools, make sure each cluster member has a distinct pool.

18) Before adding an existing gateway to a cluster, remove it from all VPN communities in which it participates.

19) When detaching a cluster member from a VPN cluster, manually remove the VPN domain once the member has been detached.

20) When working with TCPT and clusters, the remote connection will not survive failover in the following cases:

- When there is an option to perform an administrative failover, in which case the client does not receive any notification and considers itself connected to the non-active cluster member.
- When working with a High Availability cluster: in the event that a cluster member moves from Active to Standby, where the client does not receive any notification and considers itself to be connected to the non-active cluster member. This can happen, for example, when switching the priorities of the cluster members in SmartDashboard and installing the new policy.

21) Peer or secure remote Gateways may show error messages when working against an overloaded Gateway cluster in Load Sharing mode. This is due to IPsec packets with an old replay counter. These error messages can be safely ignored.

22) Using the Sticky Decision Function with VPN features guarantees connection stickiness only for connections that pass through the cluster, and not for connections originating from or destined to a cluster member.

23) When a Check Point VPN-1 NGX peer is connected directly to a Check Point cluster (i.e., the peer and the cluster are located on the same VLAN and there is no Layer 3 (IP) routing device between them), the following features are not supported:
- ISP Redundancy
- VPN link selection - Reply from same interface

This issue can be resolved either by placing a router between the VPN peer and the cluster, or by disabling these features. (Neither feature is enabled by default.) To disable ISP Redundancy, in SmartDashboard edit the gateway object > Topology > ISP Redundancy, and remove the check mark from Support ISP Redundancy. To disable VPN link selection - Reply from the same interface, in SmartDashboard edit the gateway object > VPN > Link Selection > Outgoing Route Selection, and do the following:
a Under When initiating a tunnel, enable Operating system routing table.
b Under When responding to remotely initiated tunnel, select Setup, and enable Use outgoing traffic configuration.

24) When configuring a VTI cluster interface, it should be assigned a name identical to the name of the member interface.

High Availability

25) Issuing a Stop Member command in SmartView Monitor performs the cphastop command on this member. Among other things, this disables the State Synchronization mechanism. Any connections opened while the member is stopped will not survive a failover event, even if the member is restarted using cphastart. However, connections opened after the member is restarted are synchronized normally.

26) State synchronization during policy installation may in certain cases cause a cluster member to initiate a failover. To prevent this situation, modify the enforcement module global parameter fwha_freeze_state_machine_timeout. This parameter sets the number of seconds during policy installation in which no state synchronization will be performed. Set this parameter to the shortest period which eliminates the issue; the recommended value is 30 seconds.

Load Sharing

27) Under load, TCP packet out of state error messages may appear. Each case has a specific way to resolve it. Refer to the Firewall and SmartDefense guide for a full explanation and the security implications.

For the messages:

    message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-ACK
    message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-PUSH-ACK

In SmartDashboard > Global Properties > Stateful Inspection, enlarge the TCP end timeout. The recommended value is 60 seconds. If there are many connections, consider enlarging the connection table size in the same ratio as the TCP end timeout.

For the message:

    message_info: SYN packet for established connection

run the command:

    fw ctl set int fw_trust_rst_on_port <port>

When a single port is not enough, you can set the port number to -1, meaning that you trust a reset from every port.

For other out of state messages, run the command:

    fw ctl set fwconn_merge_all_syncs 1

This allows a more reliable way of merging TCP states across asymmetric connections.

28) When employing SecurID for authentication, it is recommended to define each cluster member separately on the ACE/Server with its own unique (internal) IP address. In addition, to send packets to the ACE/Server with their unique IP addresses and not the VIP address, edit the file table.def, located in $FWDIR/lib. Change the line starting with no_hide_services_ports to, for example:

    no_hide_services_ports = {<5500, 17>}

where 5500 is the service port and 17 (UDP) is the protocol.

29) For the first few seconds of an asymmetric connection, server-to-client packets are not accelerated. An asymmetric connection, such as an FTP data connection through an accelerated ClusterXL cluster, is one where the server-to-client side is handled by a different member than the client-to-server side. Asymmetric connections are only opened when using VPN or static NAT. This is a temporary performance degradation that affects only a small percentage of traffic.

30) When using a Fujitsu GigEthernet NIC (fjgi and fjge interfaces) with Check Point Load Sharing (CPLS) multicast, packets can be received only when the interface is set to promiscuous mode.

31) When installing a new policy that uses the Sticky Decision Function (configured in SmartDashboard > Cluster Object > ClusterXL page > Advanced), and the old policy used the regular decision function, some connections may be lost, especially connections to or from the cluster members. New connections are unaffected.

32) After a failover, non-pivot members of a ClusterXL cluster in Unicast mode may report incorrect load distribution information. For the correct load distribution, review the information reported by the pivot member.

33) When using ClusterXL in Load Sharing mode and the Sticky Decision Function is enabled, the failure of a module within 40 seconds of an IKE negotiation may cause a connectivity failure with that peer for up to 40 seconds. When the failure involves a PIX gateway, communications may be interrupted for up to 40 seconds. When the failure involves an L2TP client, communications may be disconnected, as keepalive packets are blocked during this period.

34) traceroute may fail if it passes through a Load Sharing cluster. To resolve this issue, on the Cluster object, select ClusterXL > Advanced, and in the Advanced Load Sharing Configuration window either select Use Sticky Decision Function, or change the selection for Use sharing method based on: to IPs.

Authentication

35) When performing manual client authentication (using port 900) to a cluster where the IP addresses of the members are not routable, the URLs returned in the HTML from the replying cluster member contain the non-routable IP address of the member instead of the cluster IP address. This causes subsequent operations to fail. The workaround is to configure the cluster to use a domain name instead of an IP address in the client authentication HTML pages, using the ahttpclientd_redirected_url global property. Make sure that your DNS servers resolve this domain name to the IP address of the cluster.

36) Issues may arise when using automatic or partially automatic client authentication for HTTP on Load Sharing clusters (both ClusterXL and OPSEC clusters). A workaround is to define a decision function based only on IP addresses so that connections can open. For ClusterXL, go to the ClusterXL tab > Load Sharing > Advanced, and select IPs only. For OPSEC clusters, refer to the product documentation for more information.

Release Notes for Check Point NGX (R60). Last Update May 16, 2005


Clarifications and Limitations ClusterXL

State Synchronization

37) A cluster member stays in the down state if it is detached and then reattached to the cluster, because it does not automatically perform a full sync upon reattachment. To force a full sync, run the following commands on the module: fw ctl setsync off, followed by fw ctl setsync start.

38) Upon completion of full synchronization (Full sync), the error message "State synchronization is in risk" is displayed on the cluster member on which the synchronization is taking place. If this message occurs only once, immediately following Full sync, it can be safely ignored. If this message appears erratically, consult the section Blocking New Connections Under Load in the ClusterXL user guide.

SmartConsole

39) When working with a 3rd party Cluster Object with QoS, if you move from the Topology tab to a different tab, the following error message appears: "No interface was activated in QoS tab for this host (Inbound or Outbound). Do you want to continue?" Select Yes and continue your operation. This error message can be safely ignored.

40) SmartUpdate shows cluster members as distinct Gateways without the common cluster entity. When cluster members are not of the same version, applying Get Check Point Gateway Data on a cluster member sets that member's version on the Cluster object. To set the version of the cluster correctly, apply the Get Check Point Gateway Data command to the cluster member with the latest version.

41) If two or more interfaces on the same cluster member share the same IP address and net mask (as might occur when defining bridge interfaces), only one interface is displayed in the Topology tab in SmartDashboard. To manage interfaces with the same IP address and net mask, use the GuiDBedit tool.

42) When using ClusterXL in High Availability Legacy mode, the Network Objective is set automatically to Cluster if all of the members' interfaces on that network have the same IP address and netmask. Changing the Network Objective to a different setting will, in this case, be overridden by the system and change back to Cluster after clicking OK.

43) When deleting a network via the Topology page (Cluster Object > Properties > Topology > Edit Topology), selecting the Name or IP address of one of the interfaces and then clicking Remove results in the following error message: "Please select an interface." In order to remove a whole network, remove all of its interfaces (members and cluster) and click OK.

Security Servers

44) Security Servers are not supported with Sequence Verifier in Load Sharing cluster environments.


Platform Specific: Nokia

45) To work with a third party cluster (such as state synchronization) on the IPSO platform, a Nokia VRRP or Nokia IP Clustering configuration must be used. To work with other third party products (such as external load balancers) on the IPSO platform, you may alternatively do the following:

    1. Configure IP clustering with an empty IP cluster.
    2. Using the Nokia Configuration Tool (such as Voyager), enter the same cluster ID for all machines and an administrative password.
    3. Follow the instructions listed in Nokia's resolution number 18230 - How do I configure State Sync Only in NG?

46) When deleting the IP address of the sync interface, the following message appears on the console: "netlog:nokcl_sync .. Invalid tx ifindex: -1". This message may be safely ignored. To prevent the message from appearing, add an IP address to the sync interface.

47) VPN Tunnel Interfaces (VTI) are not supported in the Nokia IP Clustering configuration.

48) After configuring a gateway cluster on a Nokia platform via the Simple mode (wizard), be sure to complete the cluster interface definition on the Topology page of the cluster object.

49) NAT rules should not be applied to VRRP traffic. To prevent NAT rules from being applied to VRRP traffic, define the following manual NAT rule and give it higher priority than other NAT rules that relate to Cluster VIPs or to their networks:

    Original Packet                                     Translated Packet                    Install On
    Source         Destination           Service        Source     Destination   Service
    Cluster VIPs   VRRP IP: 224.0.0.18   Any            Original   Original      Original   relevant cluster

50) To use more than 60 interfaces on a cluster, the following two files must be removed from each cluster member:

    $FWDIR/bin/cxl_create_partner_topology_file
    $FWDIR/tmp/cxl_partner_topology_config.txt

This is done by executing the following commands on each cluster member:

    1. mv $FWDIR/bin/cxl_create_partner_topology_file $FWDIR/bin/cxl_create_partner_topology_file.backup
    2. mv $FWDIR/tmp/cxl_partner_topology_config.txt $FWDIR/tmp/cxl_partner_topology_config.txt.backup


Note that the Get Topology feature in SmartDashboard will stop working for the Nokia cluster, and the cluster IP addresses will need to be configured manually in the Topology tab of the cluster object's Properties page.

Platform Specific: Solaris

51) When configuring virtual interfaces on Solaris GigaSwift interfaces, ClusterXL may not recognize the virtual interfaces in cases where no corresponding physical interface is defined. If a virtual interface is not recognized, no monitoring mechanism runs on it, and consequently it will not perform failover. In order for ClusterXL to work properly on such virtual interfaces, the corresponding physical interface must be defined. For example, when a CE device with an instance of 0 is defined on the system, the /etc/hostname.ce0 file must be created and must contain some arbitrary IP address that will be assigned to the physical interface.

52) When configuring VLAN tags, set an IP address on the VLAN physical interface. If the physical (untagged) interface is not used, the IP address can be any IP address. For example: if the physical interface is ce1, and the VLAN interfaces are ce1001 and ce2001, then ce1 must also have an IP address.

53) ClusterXL in Unicast mode (Pivot) is not supported on Solaris when using VLAN tagging.

54) The local.arp file is not supported on ClusterXL gateways running Solaris. In order to use manual NAT on Solaris, use the following workaround. On the command line, run the following command:

    arp -s <NATed IP address> <mac_address_of_target> pub

For this command to survive a reboot, add a file under /etc/rc3.d/ (the name does not matter), and on each line enter an IP address to be NATed and its corresponding MAC address:

    arp -s <1.1.1.1> <mac_address_of_target> pub
    arp -s <1.1.1.2> <mac_address_of_target> pub
    etc.

Save the file and chmod 777.

55) ClusterXL does not support defining VLANs on Solaris bge interfaces.
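The boot-time script described in item 54, written out as an added example (not Check Point's or Sun's code) that generalizes the one-line-per-address file into a validated loop over a map file. The map file path /etc/opt/nat_arp_map.conf, the script name S99natarp, the ARP_CMD override and the function names are assumptions made for this example, and the addresses in the embedded sample map are constructed.

```sh
#!/bin/sh
# Added example for /etc/rc3.d/ on a Solaris ClusterXL member (not Check Point's
# or Sun's code). It publishes proxy ARP entries for manually NATed addresses,
# which the release notes require because local.arp is unsupported there.
# Instead of one hard-coded "arp -s" line per address, "IP MAC" pairs are read
# from a map file (assumed: /etc/opt/nat_arp_map.conf), validated, and applied
# in a loop. ARP_CMD and the function names are assumptions for this example.

# is_ipv4: succeed only for a dotted quad whose four octets are each 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# is_mac: succeed only for six colon-separated pairs of hex digits.
is_mac() {
    case "$1" in
        ??:??:??:??:??:??) ;;
        *) return 1 ;;
    esac
    case "$(printf '%s' "$1" | tr -d ':')" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    return 0
}

# publish_entries: read "IP MAC" lines from the file $1 (blank lines and '#'
# comments skipped) and run "arp -s IP MAC pub" for each valid pair, printing
# one "published ..." line per entry. Malformed lines are reported on stderr
# and skipped, so one typo does not abort the rest of the boot script.
# Returns 0 when every entry was valid, 1 when any line was skipped.
publish_entries() {
    _rc=0
    while read -r _ip _mac _extra; do
        case "$_ip" in ''|'#'*) continue ;; esac
        if [ -n "$_extra" ] || ! is_ipv4 "$_ip" || ! is_mac "$_mac"; then
            echo "$0: skipping malformed entry: $_ip $_mac $_extra" >&2
            _rc=1
            continue
        fi
        # "pub" makes this member answer ARP requests for the NATed address
        "${ARP_CMD:-arp}" -s "$_ip" "$_mac" pub && echo "published $_ip -> $_mac"
    done < "$1"
    return $_rc
}

# Constructed sample map (documentation addresses, not a real network).
SAMPLE_MAP="${TMPDIR:-/tmp}/nat_arp_map.sample"
cat > "$SAMPLE_MAP" <<'EOF'
# NATed IP      MAC of the member's external interface
192.0.2.10      00:11:22:33:44:55
192.0.2.11      00:11:22:33:44:55
not-an-ip       00:11:22:33:44:55
EOF

# Dry run so the reader can execute this file anywhere: "true" stands in for
# arp. On a real member, install the script as /etc/rc3.d/S99natarp, leave
# ARP_CMD unset and call publish_entries on the real map file; rc scripts only
# need to be executable by root, so a mode such as 0755 is sufficient.
ARP_CMD=true
publish_entries "$SAMPLE_MAP" || echo "$0: one or more entries were skipped" >&2
```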


Platform Specific: Windows

56) On Windows platforms, when switching from High Availability Legacy to High Availability New Mode or Load Sharing, the CCP transport mode is set to broadcast instead of multicast. A workaround is to toggle the CCP mode via the following command on each cluster member: cphaconf set_ccp multicast.

57) Disabling a network connection (interface) is not supported on ClusterXL gateways on Windows platforms. A workaround is to:

    1. Disconnect the network cable.
    2. Wait 15 seconds and then set the network connection as disabled.
    3. Reconnect the network cable after another 15 seconds.

If required to enable this interface again, do the following:

    1. Disconnect the network cable.
    2. Wait 15 seconds and set the network connection as enabled.
    3. Reconnect the network cable after another 15 seconds.

Services

58) When using T.120 connections, make sure you manually add a rule that allows T.120 connections.

Unsupported Features

59) When using a NAT rule that keeps the original source address for a connection that originates from a cluster member, cluster hide is not applied to this connection. The source IP address is the result of the NAT Rule Base, not the cluster IP address.

60) TCP connections inspected by Web Intelligence or VoIP Application Intelligence features will not survive failover. In the event of failover, these connections are reset.

61) Performance Pack is not supported when using ClusterXL Load Sharing with Sticky Decision Function (SDF). When SDF is enabled, acceleration is automatically turned off. To re-enable acceleration, first make sure acceleration is enabled by running the cpconfig configuration tool. Then disable SDF (in SmartDashboard, edit the Gateway Cluster object, select the ClusterXL page, and click Advanced), and install the new Security Policy twice.

62) The compatibility matrix for third party clustering solutions (other than Nokia) is specified at the following link: http://www.opsec.com/solutions/perf_ha_load_balancing.html. If a certain third party solution is not specifically listed as being supported for this release, you must assume it is currently not supported. For Nokia clustering (VRRP or IP Clustering), see the Check Point Software and Hardware Compatibility section of the ClusterXL guide for information regarding which IPSO release is supported with this VPN-1 release.

63) Mounting an NFS drive on a cluster member is not supported, as hide NAT changes the IP address of the cluster member, and the server cannot resolve the resulting mismatch.

64) The following Web Intelligence features require connections to be sticky:

    Header spoofing
    Directory listing
    Error concealment
    ASCII only response
    Send error page

A sticky connection is one where all of its packets, in either direction, are handled by a single cluster member. If you enable one of the features listed above, make sure that your clustering solution supports sticky connections. Sticky connections can be guaranteed for Web connections in the following configurations:

    ClusterXL High Availability
    ClusterXL Load Sharing with Sticky Decision Function enabled
    ClusterXL Load Sharing with no VPN peers, no static NAT rules and no SIP
    Nokia VRRP Cluster
    Nokia IP Clustering configuration with no VPN peers, static NAT rules or SIP

For other OPSEC certified clustering products, please refer to the OPSEC-certified product's documentation.

65) The following VoIP Application Intelligence (AI) features require connections to be sticky:

    H.323
    SIP
    Skinny

A sticky connection is one where all of its packets, in either direction, are handled by a single cluster member. If you enable one of the features listed above, make sure that your clustering solution supports sticky connections. Sticky connections can be guaranteed for VoIP connections in the following configurations:

    ClusterXL High Availability
    ClusterXL Load Sharing with no VPN peers or static NAT rules
    Nokia VRRP Cluster
    Nokia IP Clustering configuration with no VPN peers or static NAT rules


For other OPSEC certified clustering products - please refer to the OPSEC-certified product's documentation.

SecureXL
Unsupported Features

1) ISP redundancy, when working in conjunction with SecureXL, has the following limitations:

    Some connections passing through interfaces configured with ISP redundancy are not accelerated, while other connections (for example, an internal connection to a DMZ) are accelerated and are not affected by this limitation.
    ISP redundancy over PPTP and PPPoE interfaces is not supported.

2) When SecureClient is connected to a VPN-1 gateway with two external interfaces and the connected interface goes down, SecureClient loses connectivity. In order to resume connectivity, the user needs to disconnect and reconnect.

Platform Specific: Nokia

3) When the SmartDefense TCP Sequence Verifier feature is enabled and SecureXL is on or Flows acceleration is enabled, a message appears when you install a policy from SmartDashboard, and the Sequence Verifier feature is not enforced. For SecureXL, the message displayed is: "Warning: This Gateway supports SecureXL traffic acceleration. TCP Sequence Verifier (SmartDefense) will not be enforced on accelerated connections. To allow Sequence Verification, turn off acceleration on the Gateway by running cpconfig." For Flows acceleration, the message is: "Flows: TCP Sequence Verifier acceleration is not supported on the Gateway." To configure the TCP Sequence Verifier, select the SmartDefense tab > Network Security > TCP and deselect Sequence Verifier.

Performance Pack
Unsupported Features

1) Performance Pack does not support dynamic interface changes on Solaris. Before performing ifconfig up/down/plumb or unplumb, turn off acceleration by issuing the fwaccel off command. Afterwards, enable acceleration again by issuing the fwaccel on command.

2) Overlapping NAT is not supported with Performance Pack.


3) When configuring Remote Access > Office Mode on a VPN gateway that has multiple external interfaces with SecureXL enabled, make sure that Support connectivity enhancement for gateways with multiple external interfaces is checked.

Unsupported Products

4) Performance Pack is not supported when using ClusterXL Load Sharing with Sticky Decision Function (SDF). When SDF is enabled, acceleration is automatically turned off. To re-enable acceleration, first make sure acceleration is enabled by running the cpconfig configuration tool. Then disable SDF (in SmartDashboard, edit the Gateway Cluster object, select the ClusterXL page, and click Advanced), and install the new Security Policy twice.

5) PPTP and PPPoE interfaces are not supported by Performance Pack in configurations where NAT and/or VPN-1 are used.

6) QoS is not supported with Performance Pack.

7) Virtual interfaces and VLAN interfaces are not supported by Performance Pack on Solaris.

Accelerated Features

8) The SmartDefense feature PPTP Enforcement, when enabled, does not allow acceleration of the GRE protocol over PPTP. In order to accelerate the GRE protocol over PPTP, disable this feature (on the SmartDefense tab, select Application Intelligence > VPN Protocols > PPTP Enforcement).


SSL Network Extender


In This Section

    Client Limitations     page 90
    Gateway Limitations    page 90

Client Limitations

1) SSL Network Extender is not supported in a Fast User Switch environment.

2) While SSL Network Extender and SecureClient can be installed on the same machine, they cannot be activated at the same time.

3) The Office Mode IP per User feature is not supported if a user connects using both SSL Network Extender and SecureClient, in that order. That is, a user that connects to a VPN-1 Gateway using SSL Network Extender receives an Office Mode IP address; when the user disconnects and connects again using SecureClient, he/she will not receive an Office Mode IP address.

4) SSL Network Extender may not work properly with pop-up blockers. It is recommended to disable them, or to configure them to allow pop-ups on the SSL Network Extender site.

5) To use SSL Network Extender with Windows XP SP2:

    1. Click the Internet Explorer Information bar, and select Always allow Pop-ups from this site.
    2. Select Tools > Internet Options > Security > Web Content Zone > Custom Level and enable Automatic prompting for ActiveX controls.

6) In some Windows 2000 systems, the High Encryption Pack is not installed. Those systems can only perform SSL 56-bit encryption, which is not supported by SSL Network Extender. The administrator must install the High Encryption Pack in order to use those Windows 2000 systems with SSL Network Extender.

7) To install SSL Network Extender, Microsoft Windows Installer (MSI) version 2.0 must be installed on the client computer. While most Windows installations include MSI 2.0, if it is not installed, it can be freely downloaded from Microsoft's web site.

Gateway Limitations

8) If Secure Configuration Verification (SCV) is enabled in Global Properties, and you are working with a Simplified Mode Security Policy, packets from SSL Network Extender will not be transferred.


9) The Unique by Machine option, located in the Office Mode tab, is currently not supported when Office Mode uses DHCP to allocate IP addresses. Enabling this option may lead to SSL Network Extender receiving different IP addresses when connecting from the same machine, or the same IP address when connecting from different machines.

10) SSL Network Extender licenses are now installed on the management module, and not on the enforcement modules as they were in R55. After installing the license on the management module, activate the license by installing policy on all enforcement modules to which the clients will connect. Note that SSL Network Extender licenses installed on R55 modules must be retained after the upgrade, as the management license does not apply to these modules.

11) At present, the ICS Dynamic Upgrade feature is not supported.

12) Under certain circumstances, vpnd may not bind to the port designated as the Visitor Mode port, which causes SSL Network Extender not to work. To resolve this issue, verify that the port is not taken by another process, and execute the command fw kill vpnd.

13) The web page language does not change when selecting Hebrew. A workaround is to edit the file messages.js in $FWDIR/conf/extender/language/chkp/hebrew:

    1. On line 131, var MSG_RESTRICT_ACCESS ..., make sure the line ends with "; and not just ;
    2. On line 133, var MSG_ASKUSER_ACCESS ..., add " at the beginning of the string and "; at the end.
    3. On line 181, install_required ..., add " at the beginning of the string and "; at the end.
    4. On line 190, b64_alert ..., add " at the beginning of the string and "; at the end.
    5. On line 202, browser_settings_error ..., add " at the beginning of the string and "; at the end.


QoS
In This Section

    Logging                                    page 92
    Low Latency Queuing (LLQ) and DiffServ     page 92
    Authenticated QoS                          page 92
    Clusters                                   page 92
    Performance Pack                           page 93
    Miscellaneous                              page 93

Logging

1) Sub-rules do not inherit the log track from the parent rule. To overcome this issue, add the Log/Account track to the specific sub-rule you want to log.

2) Under heavy load, QoS accounting might lose some of the connection parameters, such as source/destination. These account records may be safely ignored.

Low Latency Queuing (LLQ) and DiffServ

3) When managing QoS Classes, there is an option to define a new DiffServ Class of Service Group. This option is not valid and should not be used.

4) The values Inbound Guaranteed and Outbound Guaranteed for the Best Effort class in the table DiffServ and Low Latency classes, in the QoS tab of the Topology window, may be inaccurate when adding a Low Latency class or a DiffServ class to the interface. Since this error does not affect the correct scheduling of QoS, it can be ignored.

5) In the QoS Rule Base, although it is possible to paste an LLQ class before a DiffServ class, it should not be done.

Authenticated QoS

6) The Authenticated QoS feature uses the UserAuthority Server to get user authentication data. Before using this feature, refer to the UserAuthority Server section for the list of its known limitations.

Clusters

7) It is not possible to convert a QoS Gateway into a cluster member if this Gateway appears in the Install On column in the Rule Base. To resolve this:

    1. Remove the QoS Gateway from the Install On column.
    2. Convert it into a cluster member.
    3. Add the member to the Install On column in the relevant rules.

Performance Pack

8) Performance Pack should not be run concurrently with QoS, and safeguards are in place to prevent it from doing so. However, if you wish to bypass these safeguards, you can run Performance Pack concurrently with QoS by first running the following commands, in order:

    1. etmstop
    2. fwaccel off
    3. etmstart

Miscellaneous

9) When upgrading from NG FP1 or lower, certain policies may be hidden in SmartDashboard. Starting from NG FP2, only policies that belong to the current Policy Package are displayed. To access other policies, select File > Open and choose the relevant Policy Package.

10) QoS may not schedule traffic on an interface that was newly enabled on the Gateway. In order for the interface to be recognized by QoS, run the command cprestart.

11) Deactivating an interface direction for QoS in the object topology does not remove it from the Install On column in the Rule Base. As a workaround, manually remove the interface direction from the Install On column.

12) QoS is not supported on Athlon-based machines.

UserAuthority Server
1) When using UserAuthority Server on Citrix/Terminal Server, routing configurations where a destination can be reached through multiple interfaces using the same metric are not supported. The Citrix UAS identifies connections by a 4-tuple: source port, destination IP and destination port. The source IP address is not taken into account. As a result, the Citrix UAS cannot differentiate between concurrent connections that differ only in their source IP addresses. In the following example, if the two connections are opened simultaneously, the UAS cannot guarantee that the right user identification will be returned for queries on those connections.

    User   Source IP     Source Port   Destination IP   Destination Port
    Joe    192.168.0.5   5001          209.81.7.23      80
    Bob    192.168.0.2   5001          209.81.7.23      80

2) When changing Trusted Domains (under Global Properties > UserAuthority) from Specific Domains to All Domains, some users may be required to re-enter credentials to UserAuthority WebAccess in a Web Single Sign-On scenario.

3) When users are authenticated on other VPN-1 Pro Gateways using Client Authentication, SecureClient or SecuRemote, the automatic configuration is unable to resolve the connection to the username.

4) When using a Log Server, a security rule which allows ELA traffic from the UserAuthority Server to this Log Server should be explicitly defined.

5) UserAuthority Server is supported on single processor machines only. Running UserAuthority Server on SMP may cause instability in the VPN-1 Pro kernel.

OPSEC
1) In CPMI, the command fw unload does not trigger the notification event eCPMI_NOTIFY_UNINSTALL_POLICY.

InterSpect
1) To enable SIC establishment between an InterSpect device and firewalled management, a rule should be defined to accept the service ICA_PULL on the management.
