Check Point NGX R65 Release Notes

Revised: February 2, 2009

This Release Notes document provides essential operating requirements and describes known issues for VPN-1/FireWall-1 NGX R65. Review this information before setting up VPN-1/FireWall-1 NGX R65.

Note - Before you begin installation, read the latest available version of these release notes at: http://www.checkpoint.com/support/

In This Document

Information About This Release  page 2
Resolved Limitations  page 18
Clarifications and Limitations  page 22
Documentation Feedback  page 42

Copyright © February 2, 2009 Check Point Software Technologies, Ltd. All rights reserved.

Information About This Release

This document contains important information not included in the documentation. Review this information before setting up Check Point NGX R65.

In This Section

Build Numbers  page 3
NGX Products, Supported by Platform  page 4
NGX Clients, Supported by Platform  page 5
Non-upgradable Products  page 5
HFAs Included in this Release  page 5
Minimum Hardware Requirements  page 6
Maximum Number of Interfaces Supported by Platform  page 14
Minimum Software Requirements  page 15
The Regular Expression (RX) Library  page 17

VPN-1/FireWall-1 NGX R65 Release Notes. Last Update — February 2, 2009 2 Build Numbers

Build Numbers

The following table lists all NGX R65 software products available, and the build numbers as they are distributed on the product CD. To verify each product’s build number, use the given command format or direction within the GUI.

Product (Build No.): CLI Command / GUI Selection

VPN-1 Power / UTM (SecurePlatform / Linux 430, Sun 428, Windows 427, IPSO 436): fw ver
SmartCenter Server (083): fwm ver
Provider-1/SiteManager-1 Multi-Domain Server (MDS) (620000292): CPvinfo $MDSDIR/lib/libmds.so | grep "Build Number"
Endpoint Security Server (7.20.084.000): System configuration > Version information
Endpoint Security Client (7.00.843.000): Right-click the System Tray icon and select About
Eventia Reporter Server (239): SVRServer ver
Eventia Analyzer Server (058): cpsemd ver
SmartView Monitor Server (013): rtm ver
UserAuthority Server (010): uas ver
SecureClient Policy Server (008): dtps ver
SVN Foundation (432; IPSO 435): cpshared_ver
UTM-1 Edge (7.0.27x): displayed on the default portal page
QoS (020): fgate ver
SmartConsole Applications (620000380): Help > About Check Point (includes SmartDashboard, SmartView Tracker, SmartView Monitor, SmartLSM, Eventia Reporter Client, Eventia Analyzer Client, SecureClient Packaging Tool, SmartUpdate)
Solaris SmartConsole R65_motif (B620000017_1): Help > About Check Point
Provider-1/SiteManager-1 Multi-Domain GUI (MDG) (620000280): Help > About Check Point
SmartPortal (620000098): cpvinfo /opt/CPportal-R65/portal/bin/smartportalstart
Compatibility Packages:
• NG (40): /opt/CPngcmp-R65/bin/fw_loader ver
• R55W (17): /opt/CPR55WCmp-R65/bin/fw_loader ver
• VSX NGX (508): /opt/CPvsxngxcmp-R65/bin/fw_loader ver
• UTM-1 Edge (620000020): /opt/CPEdgecmp-R65/bin/fw ver
SecuRemote/SecureClient (019): Help > About
SecurePlatform (004): ver
Performance Pack (030): sim ver -k


NGX Products, Supported by Platform

Check Point Product Platform and Operating System RHEL Check Solaris Microsoft Windows 3.0 Point Nokia Ultra- Server 2000 2000 2000 XP Home kernel Secure IPSO SPARC 2003 Advanced Server Profes- & Profes- 2.4.21 Platform 4.1 - 8, 9 & (SP1-2) Server (SP1-4) sional sional 4.2 10 (SP1-4) (SP1-4) VPN-1 Power / UTM X XXX X X 1 X 2 SmartCenter Server X XXX XX X 3 Provider-1/SiteManager-1 X X 4 X .Server (MDS) VPN-1 Power VSX 5 X Endpoint Security Server X X X X X Eventia Suite 6 X XXX XX UserAuthority Server X XXXXXXX X 7 SSL Network Extender Server X XXX XXX SmartConsole Applications X 8 XXXXX Provider-1/SiteManager-1 MDG X XXXXX SmartPortal X XXX XX SmartLSM - Enabled .Management & Enabled X 9 XXX XXX .ROBO / CO Gateways ClusterXL X X 10 XX XX X 11 VPN-1 Accelerator Driver II X 12 VPN-1 Accelerator Driver III X XXX XX VPN-1 Accelerator Driver IV X X X Advanced Routing X X 13 Performance Pack XX X 14 SecureXL Turbocard X 15 OSE Supported Routers Nortel Versions: 7.x, 8.x, 9.x, 10.x, 11.x, 12.x, 13, 14 Cisco OS Versions: 9.x, 10.x, 11.x, 12.x

Notes to Products by Platform Table

1. Anti Virus and Web Filtering are included on SecurePlatform.
2. Anti Virus and Web Filtering are supported on Nokia disk-based platforms running IPSO 4.2 Build 42 HF002 or later.
3. UTM-1 Edge devices cannot be managed from a SmartCenter server running on a Nokia IPSO platform.
4. Provider-1/SiteManager-1 is supported on both RHEL 3.0 AS and ES.
5. VPN-1 Power VSX gateways are also supported on Crossbeam Systems X-Series Security Services Switches.
6. Eventia Suite includes Eventia Reporter Server, Eventia Analyzer Server, and the Eventia Analyzer Correlation Unit.
7. UserAuthority is not supported on Nokia flash-based platforms.
8. The following SmartConsole clients are not supported on Solaris UltraSPARC platforms: SmartView Monitor, SmartLSM, Eventia Reporter Client, Eventia Analyzer Client, and the SecureClient Packaging Tool.
9. Enabled ROBO Gateways are not supported on Solaris platforms.


10. HA Legacy mode is not supported on Windows Server 2003.
11. ClusterXL is supported only in third party mode with VRRP or IP Clustering.
12. VPN-1 Power Accelerator Driver II is supported on Solaris 8 only.
13. Nokia provides Advanced Routing as part of IPSO.
14. Nokia provides SecureXL as part of IPSO.
15. The NGX-compatible Turbocard driver is available at http://www.checkpoint.com/downloads/quicklinks/downloads_tc.html.

NGX Clients, Supported by Platform

Check Point Product Operating System Windows Mac Linux Server 2000 Server 2000 Profes- Mobile OS 2003 / Advanced sional (SP1-4) 2003 "X" (SP1) Server / XP Home & 2003SE (SP1-4) Professional 5.0 SecuRemote X X X SecureClient X X X X SecureClient Mobile X SSL Network Extender X XX Endpoint Security Clients X X

Non-upgradable Products

The following Check Point products cannot be upgraded to NGX R65:
• VPN-1 Power SmallOffice, VPN-1 Net
• FireWall-1 4.1

HFAs Included in this Release

This release includes fixes and improvements that were initially distributed as part of NGX R60 Hotfix Accumulator (HFA) R60_HFA_05.


Minimum Hardware Requirements

In This Section

VPN-1 Power/UTM  page 7
Provider-1/SiteManager-1 MDS  page 7
Provider-1/SiteManager-1 MDG  page 7
VPN-1 Power VSX  page 8
Eventia Reporter  page 8
Endpoint Security Server  page 9
Endpoint Security Clients  page 11
SmartConsole  page 11
Check Point Clients  page 11
SecurePlatform Supported Hardware  page 12
Supported Nokia Platforms  page 12
Supported SecureClient Mobile Hardware  page 13


VPN-1 Power/UTM

The following section shows the minimum hardware requirements for installing a VPN-1 gateway and SmartCenter Server:

VPN-1 Gateway (columns: Windows & Linux | Solaris | SecurePlatform)
Processor: Intel Pentium II 300MHz or equivalent processor | UltraSparc III | Intel Pentium III 300MHz or equivalent processor
Free Disk Space: 300MB | Installation - 100 MB | 10GB
Memory: Windows: 256MB, Linux: 256MB (512MB recommended) | 128MB | 256MB (512MB recommended)
CD-ROM Drive: Yes | Yes | Yes (bootable)
Network Adapter: One or more supported network adapter cards | Yes | One or more supported network adapter cards
Video Adapter: supports 800 x 600 resolution | supports 1024 x 768 resolution |

SmartCenter Server (columns: Windows & Linux | Solaris | SecurePlatform)
Processor: Intel Pentium III 800MHz or equivalent processor | UltraSparc III | Intel Pentium III 800MHz or equivalent processor
Free Disk Space: Windows: 300MB, Linux: 512MB | 400MB | 10GB (installation includes OS)
Memory: 512MB | 512MB | 512MB
CD-ROM Drive: Yes | Yes | Yes (bootable)
Network Adapter: One or more supported network adapter cards | Yes | One or more supported network adapter cards

Provider-1/SiteManager-1 MDS

The following table shows the minimum hardware requirements for installing a Provider-1/SiteManager-1 Multi Domain Server (MDS).

(columns: Linux | Solaris | SecurePlatform)
CPU: Intel Pentium III 1GHz or equivalent processor | UltraSPARC III 900MHz | Intel Pentium III 1GHz or equivalent processor
Memory: 1GB | 1GB | 1GB
Disk Space: 2GB | 2GB | 10GB (install includes OS)
CD-ROM Drive: Yes | Yes | Yes (bootable)

Provider-1/SiteManager-1 MDG

The following table shows the minimum hardware requirements for installing the Provider-1/SiteManager-1 Multi Domain GUI (MDG).

(columns: Windows | Solaris)
CPU: Intel Pentium III 1GHz or equivalent processor | UltraSparc III 900MHz
Memory: 512MB | 512MB
Disk Space: 100MB | 100 MB
CD-ROM Drive: Yes | Yes
Video Adapter: supports at least 800 x 600 resolution | supports at least 800 x 600 resolution


VPN-1 Power VSX

The following table shows the minimum hardware requirements for installing a VPN-1 Power VSX gateway.

(column: SecurePlatform)
CPU: Intel Pentium III 450MHz or equivalent processor
Memory: 512MB
Disk Space: 9GB (install includes OS)
CD-ROM Drive: Yes (bootable)

VPN-1 Power VSX gateways are also supported on Crossbeam Systems X-Series Security Services Switches.

Eventia Reporter

The hardware requirements presented below are designed for an Eventia Reporter server that will process at least 15GB of logs per day and generate reports according to the performance numbers. For deployments that will generate fewer logs per day, a machine with less CPU or memory can be used, with the caveat that this may cause degradation in the performance numbers.

(columns: Windows & Linux Minimum | Windows & Linux Recommended | Solaris)
CPU: Intel Pentium IV 2.0 GHz | Dual CPU 3.0 GHz | UltraSPARC III 900 MHz
Memory: 1GB | 2GB | 1GB
Disk Space (on 2 physical disks), Installation: 80MB | 80MB | 80MB
Disk Space (on 2 physical disks), Database: 60GB (40GB for database, 20GB temp directory) | 100GB (60GB for database, 40GB for temp directory) | 60GB (40GB for database, 20GB for temp directory)
CD-ROM Drive: Yes | Yes | Yes

Recommendations to Optimize Performance
• Disable DNS resolution - consolidation performance may improve to 32GB of logs/day.
• Configure the network connection between the Eventia Reporter server and the SmartCenter server (or the Log Server) to the optimal speed.
• Use the fastest disk available with the highest RPM (revolutions per minute) and a large buffer size.
• Use the UpdateMySQLConfig to tune the database configuration and adjust the consolidation memory buffers to use the additional memory.
• Increase the machine's memory, as it significantly improves performance.
• Install an uninterruptible power supply (UPS) for the Eventia Reporter Server.


Endpoint Security Server

Application Server Hardware
• Intel Pentium / Intel Core 2
• Intel Dual Xeon 2GHz

Admin Users | Application Server RAM | Disk Space
up to 500 | 1 GB | 5 GB
up to 1,000 | 1 GB | 10 GB
up to 2,000 | 1 GB | 12 GB
up to 5,000 | 1 GB | 15 GB
up to 20,000 | 1 GB | 533 GB

Bandwidth and Download Requirements (all values in Kbps)

Users | Total Bandwidth (1) | Policy Download (2) | Ask Bandwidth (3) | LogUpload Bandwidth (4)
up to 500 | 469 | 1 | 0.8 | 11
up to 1,000 | 916 | 2 | 1 | 22
up to 2,000 | 1,809 | 4 | 3 | 44
up to 5,000 | 4,488 | 11 | 8 | 111
up to 20,000 | 17,882 | 43 | 35 | 444

1. Assumes one sync per day, one heartbeat per minute, one ask per hour, one log upload per hour and one Administrator.
2. Assumes one deployment for all users and policies of certain sizes.
3. Assumes one ask per hour.
4. Assumes one log upload per day.

Operating Systems
• Red Hat Enterprise Linux ES v. 3.0 (Update 5)
• Windows 2000 Server (SP4) and Advanced Server (SP4)
• Windows Server 2003 (SP1) v. 5.2.3790
• Check Point Secure Platform (SPLAT) v. R65

Browsers (Administrator Console)
• Internet Explorer v. 6 (SP2) and v. 7
• Mozilla Firefox 1.5 and 2.0 (Recommended)


Supported Gateways and Clients
• Check Point VPN-1 NGX 157 or later
• Check Point VPN-1 Power
• Check Point VPN-1 UTM
• Check Point VPN-1 SecureClient™ with Application Intelligence R56 build 619 or later (recommended)
• Check Point Safe@Office 425W 5.0.58x or later
• Cisco VPN Concentrator v. 4.7.1 or later
• Cisco ASA 5500 Series Adaptive Security Appliance
• Cisco client 4.6.00.0049-K9 or later
• Cisco Aironet 1100 Series Wireless Access Point v.12.2 (11)JA1 (Certified version)
• Nortel Contivity 4.8.083 (Tunnelguard TG_1.1.3.0_002)
• Enterasys RoamAbout R2 G060405 or later

Supported Antivirus Solutions (Pre-Configured) This section lists the minimum supported versions of third-party antivirus solutions. Generally, VPN-1/FireWall-1 supports the latest version within 60 days of its release.

ALWIL Software
• avast! 4 Professional Edition
• avast! 4 Server Edition
BitDefender
• BitDefender Professional Plus 9.x-10.x
• BitDefender Standard 9.x-10.x
Computer Associates
• CA Anti-Virus 7.x
• eTrust EZ Antivirus 7.x
Eset s.r.o.
• NOD32 for Microsoft Windows NT/2000/2003/XP 2.51.x
• Enterprise Edition 2.51.x
F-Secure
• Anti-Virus 2006
• Anti-Virus Client Security 6.x
• Anti-Virus for Windows Servers 5.x
• Anti-Virus for Workstation 2005, 5.x
Gri-Soft
• AVG AntiVirus 7.x
McAfee
• VirusScan Professional 7.x
• VirusScan 6.x-11.x
Panda Software
• Panda Titanium Antivirus 2006, 11.x
Sophos
• Anti-Virus 3.x-6.x
• Anti-Virus Small Business Edition 2002-2007
Symantec
• Symantec AntiVirus Corporate Edition
• Norton AntiVirus
Trend Micro
• Office Corporate Edition 6.x-8.x
• PC-cillin Internet Security 2002-2007


Endpoint Security Clients

Hardware Specifications

Requirement | Minimum
Processor | Pentium III 450 MHz
RAM | 500 MB
Disk Space | 60 MB

Operating Systems
• Microsoft Windows XP Pro (SP2)
• Windows 2000 Pro v. 5.00.2195 (SP4) with crypt32.dll of 5.131.2195.6926

SmartConsole

The following table shows the minimum hardware requirements for installing SmartConsole applications.

(columns: Windows | Solaris)
CPU: Intel Pentium II 300MHz or equivalent processor | UltraSparc III
Memory: 256MB | 128MB
Disk Space: 100MB | 100 MB
CD-ROM Drive: Yes | Yes
Video Adapter: supports 800 x 600 resolution | supports 800 x 600 resolution

Note - SmartConsole on Solaris includes the following applications only: SmartDashboard, SmartView Tracker and SmartUpdate.

Check Point Clients

The minimum hardware requirements for installing Check Point Clients are:

(columns: SecuRemote / SecureClient | Endpoint Security Agent / Flex)
CPU: 133 MHz Pentium-compatible CPU | Intel Pentium II 450 MHz
Memory: 128MB | 256MB
Disk Space: 40MB | 30MB

Note - The minimum requirements presented for SecureClient are true for Mac OS-X as well.


SecurePlatform Supported Hardware For details regarding SecurePlatform on specific hardware platforms, see http://www.checkpoint.com/products/supported_platforms/secureplatform.html.

Bond / Bridge Hardware Certifications

Bridge Mode

The following devices were tested and are recommended for use with a Bridge configuration:
• Intel Corporation PRO/1000 PT Dual Port
• Intel Corporation PRO/10GbE SR
• Broadcom NetXtreme (BCM5704, BCM5721, BCM5715)
• Broadcom NetXtreme II (BCM5708S)
• Sun X4422A-2 Dual Port
• Sun 10G GBE
• nVidia Corporation MCP55 Ethernet controller
• Marvell 88E8053 Gigabit Ethernet controller
• Marvell 88E8001 Gigabit Ethernet controller

Bond Mode

The following devices were tested and are recommended for use with a Bond configuration:
• Intel Corporation PRO/1000 PT Dual Port
• Intel Corporation PRO/1000 MT Dual Port
• Broadcom NetXtreme (BCM5704, BCM5721, BCM5715)
• Broadcom NetXtreme II (BCM5708)
• Marvell 88E8053 Gigabit Ethernet controller
• Marvell 88E8001 Gigabit Ethernet controller

The following devices were tested and are NOT recommended for use with a Bond configuration:
• Sun X4422A-2 Dual port Ethernet controller
• Sun 10G GBE
• nVidia Corporation MCP55 Ethernet controller
• Intel Corporation PRO/10GbE SR

Supported Nokia Platforms

The following Nokia platforms are supported in this release.

Platform Type | Hardware Platform
Disk-based | IP260 (1), IP350, IP290, IP380, IP390, IP560, IP710, IP740, IP1220, IP1260, IP690
Flash-based | IP290, IP355, IP385, IP390, IP560, IP690, IP1220, IP1260, IP2250, IP2255
Hybrid | IP390, IP560, IP1220, IP1260

1. AV and URL filtering are not recommended on this platform. Please note that AV and URL filtering features are only supported on the disk-based systems with 1GB RAM or higher.


Supported SecureClient Mobile Hardware

Processor
• Intel ARM/StrongARM/XScale/PXA Series Processor family
• Texas Instrument OMAP processor family

Any PocketPC device running Windows Mobile 2003/2003 SE or Windows Mobile 5.0 is supported. The devices in the following table have been tested and proved working.

Tested Devices

Operating System | Tested Devices

PocketPC running Windows Mobile 2003/2003 SE
• HP/Compaq iPAQ Pocket PC 2003 - series 4150, 4350, 3950, 5450, 5550, 2210, 6340
• HP/Compaq iPAQ Pocket PC 2003 SE / Phone Edition - series 4700, hx2x00
• Dell AXIM X5 PocketPC 2003
• HTC Himalaya (XDA II, MDA II, Qtek 2020, i-Mate, Orange SPV1000)
• HTC Blue Angel (XDA III, MDA III, Qtek 9090, i-Mate 2K, Sprint PPC-660, Verizon XV6600, Cingular SX66)
• HTC Magician (Dopod 818, i-mate JAM, mini, Qtek 5100, MDA Compact)

PocketPC running Windows Mobile 5.0
• Dell AXIM X51v
• HTC Universal (O2 Exec, i-Mate JasJar, Orange M5000, MDA IV)
• HTC Wizard/Apache (Sprint PPC6700, Orange SPV M3000a, T-Mobile MDA Vario, i-mate K-Jam)
• ETEN M600
• Symbol MC70
• Motorola HC700
• Intermec 700
• Palm Treo 700w, 700wx, 700v
• HTC TyTN

Hardened PocketPC devices
• Symbol MC70
• Motorola HC700
• Intermec 700

Windows Mobile 5.0 Smartphone
• HTC Tornado (i-mate sp5/sp5m, qtek 8310)
• HTC StrTrk (i-mate smartflip, qtek 8500, Cingular 3125)
• Samsung i320
• Motorola Q
• HTC S620 (Excalibur, t-mobile Dash)


Supported SecureClient Mobile Communication Cards

Any card that supports the supported devices and provides an IP interface should be valid. The following cards have also been tested and proved working:
• TRENDNet TE-CF100 10/100MBps CompactFlash Fast Ethernet Adapter
• Socket Communications CF Wireless LAN Card
• Linksys WCF 12
• Sierra AirCard 750
• Sierra AirCard 555
• SanDisk Connect WiFi SD Card
• Socket Communications CF Adapter
• Socket Communications Serial Adapter
• Spectec WLAN-11b

Maximum Number of Interfaces Supported by Platform

The maximum number of interfaces supported (physical and virtual) is shown by platform in the following table.

Platform | Max Number of Interfaces
Solaris | 255
Windows | 32
Nokia | 1015
SecurePlatform | 1015 (1, 2)

1. SecurePlatform supports 255 virtual interfaces per physical interface.
2. When using Dynamic Routing on SecurePlatform, 200 virtual interfaces per physical interface are supported.


Minimum Software Requirements

In This Section

Windows Platform  page 15
Linux Platform  page 16
Solaris Platform  page 16
Nokia Platform  page 17
SecureClient Mobile  page 17

Windows Platform This release requires the application of service packs SP1, SP2, SP3 and SP4 to Windows 2000 Server/Advanced Server, and service packs SP1 and SP2 to Windows Server 2003.

Endpoint Security Server Endpoint Security server requires that all service packs be installed for your version of Windows. In addition, Endpoint Security server supports the following product versions:

Supported Operating Systems (Server)
• Red Hat Enterprise Linux ES v. 3.0 (Update 5)
• Windows 2000 Server (SP4) and Advanced Server (SP4)
• Windows Server 2003 v. 5.2.3790

Supported Browsers (Server)
• Internet Explorer v. 6 (SP1, SP2) and later
• Netscape Navigator v. 7.1 and later

Supported Anti-Virus Solutions (pre-configured)

Endpoint Security server supports the latest version within 60 days of its release. The following table lists the minimum supported versions of third-party antivirus solutions.

Computer Associates
• Vet v. 10.65.0.10
• eTrust Antivirus (Innoculate IT) v. 7.0.139 and 7.1
• eTrust EZ Antivirus (EZ Armor) 2005 (r3.1)
McAfee
• VirusScan v. 4.1
• VirusScan Enterprise v. 8.0i
• VirusScan Professional v. 9.0
• Internet Security Suite 2004 and 2005
Sophos
• Anti-Virus v. 3.81.0, 3.90.0, and 5.0
• Anti-Virus Small Business Edition 1.0.1
Symantec
• Norton AntiVirus 2004 and 2005
• Norton AntiVirus Corporate Edition v. 9.0 and 10.0
• Norton Internet Security 2004 and 2005
Trend Micro
• PC-cillin Antivirus 2004
• PC-cillin Internet Security 2004 and 2005
• OfficeScan Corporate Edition v. 6.5, 7.0, and 7.5


Supported Instant Messaging Software
• AOL 9, AOL Instant Messenger v. 5.9, AOL Instant Messenger Triton v. 0.1.12 Beta
• MSN v. 7.5, Windows Messenger
• Yahoo Instant Messenger v. 5, 6, and 7
• ICQ v. 5.04, ICQ Pro 2003b
• Trillian v. 2.0.12 (3 protocols), 2.0.13 (4 protocols), 3.0 (4 protocols), and 3.1 (4 protocols)
• GAIM v. 1.0.0, 1.0.2, 1.0.3, 1.1.0, 1.2.1, and 1.5.0
• Miranda v. 0.4rc1

Endpoint Security Agent and Endpoint Security Flex

Browsers
• Netscape Navigator v. 7.2
• Microsoft Internet Explorer v 6.0 SP2 and later

Operating Systems
• Microsoft Windows XP Pro (SP2)
• Windows 2000 Pro v. 5.00.2195 (SP4)
• Red Hat Linux WS 3.0 (Update 5)
• Novell Linux Desktop 9.1 SP1

Linux Platform This release supports Red Hat Enterprise Linux 3.0. For Red Hat kernel installation instructions, visit: http://www.redhat.com/support/resources/howto/kernel-upgrade.

Solaris Platform

Required Packages
• SUNWlibC
• SUNWlibCx (except Solaris 10)
• SUNWter
• SUNWadmc
• SUNWadmfw

Required Patches The patches listed below are required to run Check Point software on Solaris platforms. They can be downloaded from: http://sunsolve.sun.com.


To display your current patch level, use the command showrev -p | grep

Platform | Required | Recommended | Notes

Solaris 8
  Required: 108528-18 (if the patches 108528-17 and 113652-01 are installed, remove 113652-01, and then install 108528-18), 110380-03, 109147-18, 109326-07, 108434-01 (required only for 32 bit systems), 108435-01 (required only for 64 bit systems)
  Recommended: 109147-40 or higher

Solaris 9
  Required: 112233-12, 112902-07, 116561-03 (only if the dmfe(7D) ethernet driver is defined on the machine)
  Recommended: 112963-25 or higher

Solaris 10
  Required: 117461-08 or higher
  Notes: When using bge interfaces, operating system updates must be no higher than update 1, and the kernel patch must be no higher than 118822-20. For information regarding installing more recent patches, see Check Point SecureKnowledge sk31772.
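The following POSIX shell script is an added example, not code from Check Point or from these release notes. It parses a showrev -p listing and checks it against the unconditional Solaris 8 patches required above, including the 108528-17 / 113652-01 ordering caveat from the table. The SHOWREV_SAMPLE text is constructed for offline use, the function names are mine, and the assumed showrev -p line format ("Patch: <id>-<rev> Obsoletes: ... Requires: ... Incompatibles: ... Packages: ...") is an assumption; on a live host the listing would come from the real command.

```shell
#!/bin/sh
# Added example (not part of the release notes): check a `showrev -p` listing
# against the unconditional Solaris 8 patches NGX R65 requires.
# SHOWREV_SAMPLE is a constructed stand-in for real output; on a live host
# replace it with "$(showrev -p)". Assumes the usual showrev -p line format:
#   Patch: <id>-<rev> Obsoletes: ... Requires: ... Incompatibles: ... Packages: ...

SHOWREV_SAMPLE='Patch: 108528-17 Obsoletes: 108904-01 Requires:  Incompatibles:  Packages: SUNWcsr, SUNWcsu
Patch: 113652-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 110380-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWlibC
Patch: 109147-40 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109326-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# installed_rev LISTING PATCHID: print the highest installed revision of PATCHID
# as a plain integer (so 01 becomes 1); print nothing if the patch is absent.
installed_rev() {
    printf '%s\n' "$1" | awk -v id="$2" '
        BEGIN { best = 0 }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == id && (p[2] + 0) > best) best = p[2] + 0
        }
        END { if (best > 0) printf "%d\n", best }'
}

# patch_status LISTING PATCHID MINREV: print ok / old / missing; exit 0 only for ok
patch_status() {
    rev=$(installed_rev "$1" "$2")
    if [ -z "$rev" ]; then
        echo missing
        return 1
    elif [ "$rev" -lt "$3" ]; then
        echo old
        return 1
    fi
    echo ok
    return 0
}

# check_solaris8 LISTING: report each required patch; return the number not satisfied.
# 108434-01 / 108435-01 are architecture-specific and are not checked here.
check_solaris8() {
    listing=$1
    failures=0
    for spec in 108528-18 110380-03 109147-18 109326-07; do
        id=${spec%-*}
        min=${spec#*-}
        status=$(patch_status "$listing" "$id" "$min") || failures=$((failures + 1))
        printf '%s: %s\n' "$spec" "$status"
    done
    # Ordering caveat from the table: 113652-01 present alongside 108528-17
    # must be removed before 108528-18 is installed.
    if [ "$(installed_rev "$listing" 108528)" = 17 ] && [ -n "$(installed_rev "$listing" 113652)" ]; then
        echo 'note: remove 113652-01 before installing 108528-18'
    fi
    return "$failures"
}

check_solaris8 "$SHOWREV_SAMPLE" || echo "required patch level not met"
```

With the constructed listing the script reports 108528-18 as old (revision 17 installed), the other three as ok, prints the removal note for 113652-01, and exits non-zero from check_solaris8 so it can gate an install script.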

Nokia Platform This release supports IPSO 4.1 and 4.2. For the latest information on which IPSO releases are supported, see the Nokia Support Web at http://support.nokia.com.

SecureClient Mobile

This release supports the following SecureClient Mobile Operating Systems:
• Pocket PC 2003
• Pocket PC 2003 SE / Phone Edition
• Windows Mobile 5.0 Pocket PC
• Windows Mobile 5.0 Smartphone

The Regular Expression (RX) Library

NGX R65 uses the RX Library. The library license agreement (LGPL) can be downloaded from: http://www.checkpoint.com/techsupport/downloads/docs/firewall1/r55/GNU_LGPL.pdf.


Resolved Limitations

This section contains previously documented limitations that now stand as resolved in NGX R65. In general, they are presented in their original format, stressing the limitation, yet should be understood as resolved.

In This Section

Content Inspection  page 19
Endpoint Security  page 19
Eventia Analyzer  page 20
Eventia Reporter  page 20
Provider-1/SiteManager-1  page 21
SmartCenter  page 21


Content Inspection

16. Resolved: Making changes to the default Content Inspection settings in any demo mode other than Advanced results in numerous error messages and is not supported.

Endpoint Security

17. Flex now supports long custom text. You can create custom text that exceeds 180 characters.
18. In the past, when a non-administrator user logged into a machine after client installation, the client was not correctly licensed. Now, after rebooting the client machine, both administrator and non-administrator users are fully licensed.
19. Agent now supports the Antispyware Action setting Confirm.
20. VPN package installations now occur in a timely fashion.
21. You no longer need to suppress the SmartDefense component to have connectivity with Endpoint Security clients.
22. The Antivirus on-demand (manual or scheduled) scan now functions normally.
23. The Endpoint Security client no longer uses Policy Update or Connectivity Alerts, so they no longer cause issues when the VPN Settings dialog is open.
24. The documentation now describes the button blackout behavior for options that are not available to the user when the enterprise policy is in effect.
25. In VPN Settings | Options tab | Configure Proxy Settings, the Detect proxy from Internet Explorer option now works with Visitor Mode.

26. IKE over TCP is now the default for VPN communication.
27. The import profile option for VPN now functions properly.
28. Due to program filtering enhancements, the option 'Changes Frequently' is no longer needed and has been removed.
29. Due to client packager enhancements, it is no longer possible to specify a personal policy in the package. This prevents overriding the local configuration file.
30. Japanese characters are now supported in enforcement rule names.
31. The masteradmin password is now set during installation. The first SmartCenter user to login is no longer prompted to change the password of the masteradmin account.
32. Endpoint Security now closes idle connections after 120 minutes.
33. The "Review Compliance Alerts" link is now only active when there are compliance alerts to review.
34. Endpoint Security clients do not support Windows 98, Windows NT, or Windows ME. If you try to install Endpoint Security on one of these operating systems, it will now prevent the installation.
35. Blocking all connection types for a specific program and then saving your changes no longer causes the permissions to revert to the inherited permissions for the program group.


Eventia Analyzer

36. Resolved: Changes to objects on a High Availability secondary server are not updated on the Eventia Analyzer Server.
37. Resolved: Changes to objects on a High Availability management server are not automatically updated on the Analyzer Server following a sync operation from another HA server.
38. Resolved: After defining a Correlation Unit in Eventia Analyzer, subsequent updates in SmartCenter to objects referenced by the Correlation Unit will not be updated in Eventia Analyzer. To include the updates to the object, do the following:
  1. On the Policy tab in Eventia Analyzer, select General Settings > Initial Settings > Correlation Units, and remove the Correlation Unit definition.
  2. In SmartCenter, edit the Correlation Unit object, select OK, and select File > Save.
  3. Redefine the Correlation Unit in Eventia Analyzer.
39. Resolved: Eventia Analyzer does not support multi threading.
40. Resolved: Logs that are generated and registered to multiple products are not picked up by Eventia Analyzer.
41. Resolved: After modifying an Event Query and saving it, modifications made to the same Event Query immediately after may not be saved. If you wish to make further changes to that Event Query, first click on another query before reopening the modified query.
42. Resolved: On Solaris platforms, after running the command cpstart, objects do not synchronize between SmartCenter and Analyzer Server.
43. Resolved: On Unix platforms, only one Eventia Analyzer administrator can be defined using cpconfig. To define more administrators, use the command fwm -a on the Eventia Analyzer server.

Eventia Reporter

44. Resolved: In High Availability mode, after switching the status of a SmartCenter server from active to inactive, reports that were generated on the now inactive SmartCenter server are unavailable from the Eventia Reporter GUI Client. However, the reports are still available on the Eventia Reporter Server's Results directory.
45. Resolved: When running Eventia Reporter on SecurePlatform, set the number of DNS threads to 150. Setting this value higher may impede the closing of consolidation sessions.
46. Resolved: A Distributed installation of Eventia Reporter Server is not supported on a machine which contains a VPN-1 Power gateway, SecureClient, SmartCenter High Availability server or Provider-1/SiteManager-1 MDS.
47. Resolved: The Log Server on an Eventia Analyzer machine cannot serve as a Log Server for Eventia Reporter.
48. Resolved: When installing a distributed Eventia Reporter on SecurePlatform, make sure to restart the machine when the installation completes.
49. Resolved: The Eventia Reporter Client requires SmartDashboard to be installed on the same machine in order to launch. When installing the Eventia Reporter Client, be sure to install SmartDashboard as well.
50. Resolved: Eventia Reporter cannot be installed via the SecurePlatform WebUI on an Endpoint Security Server.


51. Resolved: Running the SmartCenter Express upgrade on Linux, SecurePlatform or Solaris platforms does not upgrade a previous installation of Eventia Reporter. To upgrade Eventia Reporter, enter the following at the command line:
  For Linux and SecurePlatform:
  1. Copy /Linux/CPrt/CPrt_unify-R61-00.i386.rpm
  2. rpm -i CPrt_unify-R61-00.i386.rpm
  For Solaris:
  1. Copy /solaris2/CPrt/CPrt.tgz
  2. gtar zxvf CPrt.tgz
  3. pkgadd -d .
52. Resolved: In a Provider-1 environment, in order to use the Administrator Profiles login using MDS credentials, do the following:
  1. Use a text editor to open the file $MDSDIR/conf/mdsdb/tables.C.
  2. In the table pv1-administrator, change read_permission from 0x70000 to 0x000000.
  3. In table mdss for MDS HA, change read_permission from 0x70000 to 0x000000.
53. Resolved: After installation of Eventia Suite via Web UI, the Eventia Reporter Server does not start automatically. On the Eventia Reporter Server, run the following commands:
  1. cpstop
  2. evconfig
  3. select Save and Exit from the menu
  4. cpstart

Provider-1/SiteManager-1

54. Resolved: Global SmartDashboard cannot be used to create Connectra or VPN-1 Power/UTM gateway objects. Instead, use a SmartDashboard connected to a specific CMA to create these objects.
55. Resolved: Push Packages Now operation is not supported when working with SmartUpdate from the Multi-Domain GUI.

SmartCenter

56. Resolved: After using the Advanced Upgrade tools to migrate a SmartCenter server to a different machine, RADIUS authentication servers will no longer be able to connect to the SmartCenter server. To re-establish connection between them, do the following on the SmartCenter server:
  1. Run the command regedit to open the Windows registry.
  2. Locate the key HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\ACECLIENT.
  3. Delete the value NodeSecret.
  4. Reboot the SmartCenter server.


Clarifications and Limitations

This section contains clarifications and limitations for NGX R65. For further information regarding clarifications and limitations from previous Check Point releases, see the NGX R65 Known Limitations Supplement, located at http://www.checkpoint.com/support/technical/documents/index.html

In This Section

Anti Virus Integration page 23
ClusterXL page 23
Connectra page 23
Content Inspection page 23
Endpoint Security page 24
Eventia Suite page 28
Firewall page 29
Performance Pack page 30
Provider-1/SiteManager-1 page 31
QoS page 34
SecureClient Mobile page 34
SecurePlatform page 36
SecureXL page 36
SmartCenter Server page 38
SmartConsole Applications page 40
SmartDashboard page 40
SmartDefense page 40
SmartPortal page 41
SSL Network Extender page 41
User Authority Server page 41


Anti Virus Integration

1. To enable the Hide all connections from internal interfaces to external interfaces behind the gateway feature, use GuiDBEdit to change the hide_internal_interfaces value to true.

SMTP

2. Anti Virus for SMTP on IPSO is not supported while the SMTP resource is active. Workaround:
    - Disable Anti Virus for SMTP.
    - Remove the SMTP resource.
    - Configure Anti Virus for SMTP only for connections that have no SMTP resource.

ClusterXL

3. When using a bonded interface on a gateway running ClusterXL, be sure to define all slave interfaces as disconnected in the file $FWDIR/conf/discntd.if. For details, see the section "Defining a Disconnected Interface on Unix" in the ClusterXL Administration Guide.
4. Upon failover in clustered deployments, the Dynamic Routing mechanism issues an IGMP General Query, instructing the adjacent devices to re-register for multicast traffic. While current sessions are maintained, newly initiated multicast sessions are delayed until the process completes.
5. Full Connectivity Upgrade from previous versions is not supported in this release. A workaround is to perform the Zero Downtime upgrade, which may result in some connections being disconnected.
6. In asymmetric routing scenarios, enabling Chain Forwarding will allow some features to work. See SecureKnowledge sk32403 for details.
7. The Monitor all VLANs feature is not supported in NGX R65.

Connectra

8. For Connectra limitations, see the Connectra NGX R62CM Release Notes.

Content Inspection

9. Anti Virus and Web Filtering are not supported on an IPSO diskless machine. If Anti Virus or Web Filtering is enabled, all packets will be dropped and a message will be sent to the elg log. Both Anti Virus and Web Filtering should be disabled on an IPSO diskless machine.


Endpoint Security

In This Section

Client Installation, Upgrade, Backward Compatibility page 24
Server Installation, Upgrade, Backward Compatibility page 25
Endpoint Security VPN page 26
Endpoint Security Logging and Tracking page 26
Miscellaneous page 27

Client Installation, Upgrade, Backward Compatibility

10. The Custom Parameter RESETCONFIG to keep the personal policy during upgrade is not supported. This affects Flex users who have configured their client rules through the client UI. User settings are always deleted during upgrade and re-connection to the server. Passwords and upgrade keys are kept during upgrade.
11. When installing a client without VPN on an endpoint computer with R60 SecureClient installed, SecureClient will not function properly because of a conflict with SmartDefense. (This conflict does not occur when you install VPN clients, which replace SecureClient.) Workaround: Install VPN client packages to replace SecureClient (see the section on Migrating from Check Point SecureClient in the Endpoint Security Administrator Guide). Alternatively, disable SmartDefense in the client installation package: in the Client Packager, specify the custom parameter INSTALL_SD=NO.
12. The Custom Parameter REBOOTPROMPTWITHSILENT only affects installations that use an msi installer created from a Client Package using the msi option. The Custom Parameter does not affect an install that is run using a Client Package directly, including upgrades initiated via enforcement rules.
13. Before upgrading an existing GPO installation using the manual upgrade or automatic update feature, you must verify that the existing GPO configurations are removed from the client system. Perform the following steps on the GPO server:
    1. Select the installed package, right-click, and choose All Tasks | Remove...
    2. Select Allow users to continue to use the software, but prevent new installations. This ensures the GPO settings are cleared from the client's registry but leaves the software on the system. When the client receives the updated policy, the application settings are removed from the following GPO Application Management registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt
    3. Proceed with the manual or automatic upgrade.
14. When performing a GPO upgrade, the existing Check Point Endpoint Security client's disconnected policy must contain a firewall rule that allows outbound traffic to the GPO server's IP. If this is not configured, the upgrade process will not be able to remove the existing software correctly and the GPO upgrade will fail.


Server Installation, Upgrade, Backward Compatibility

15. Endpoint Security is now certified to support 20,000 concurrent endpoint users with the default configuration. Higher performance figures are possible with customization for your environment. Contact Check Point Professional Services for information about configuration for more than 20,000 concurrent endpoint users.
16. After installing a distributed Endpoint Security server (with a remote SmartCenter), configuring the SIC communication, and installing the database, you must restart the Endpoint Security server machine in order to complete the configuration.
17. After upgrading an Endpoint Security server from version 6.5.x to version 7.x, the SmartPortal IP and port will not be correctly configured. To configure them:
    1. Log into the Endpoint Security server.
    2. Go to System Configuration | Server Settings.
    3. Click the Edit button.
    4. Enter the correct EndpointServerIP:port for SmartPortal (the default SmartPortal port is 4433; for example, 209.87.213.90:4433).
    5. Click Save.
18. When installing Endpoint Security in conjunction with other products from the wrapper on Linux and SPLAT, the Endpoint Security server is not configured properly until you run SmartDashboard and install the database on the local machine.
19. Due to an issue in the SmartCenter import/export mechanism (existing in SmartCenter R65 and possibly in previous versions as well), when exporting and then importing a SmartCenter configuration in environments where the Endpoint Security server is managed by the SmartCenter, the communication between the SmartCenter and the Endpoint Security server will cease functioning. Workaround: Run the command cpprod_util SetCertPath ($CPDIR)/conf/sic_cert.p12, substituting the value of $CPDIR. You can verify this (on Linux or SPLAT) by using ckp_regedit -p -r HKLM /Software/checkpoint/SIC and reading the value of the CertPath parameter.
20. During a SPLAT or Linux Endpoint Security installation, if you do not define a valid administrator, you will not be able to view events in the Endpoint Security reports. You must define a valid administrator during the install process.
21. When installing Endpoint Security on Linux, if you cannot launch SmartPortal, use the following workaround:
    1. Edit the /etc/hosts file and make sure the following entry exists: 127.0.0.1 machine's real IP machinehostname
    2. Connect to the machine with SmartConsole.
    3. Edit the Integrity object.
    4. Set the IP address, and choose Install Database.
22. Sometimes, after switching from the Standby to the Active Server, you may need to restart the services.


Endpoint Security Logging and Tracking

23. Endpoint Security servers installed on Check Point's SecurePlatform (SPLAT) show the incorrect time in the logs and user interface. The database backup time differs from the time set in the configuration screen. Time settings for other Check Point products on the same SPLAT server are correct. To correct the time:
    1. Log in to the SPLAT machine as an administrator.
    2. Switch to expert mode using the 'expert' command.
    3. Determine the correct localized timezone by running the command 'timezone -show'.
    4. Record the value returned exactly as displayed by the 'timezone -show' command.
    5. Switch to the integrity user with the command 'su integrity'.
    6. Edit the file '/home/integrity/.bashrc'.
    7. Append the line: export TZ="TIMEZONE" where 'TIMEZONE' is the value recorded in step 4.
    8. Save the file and restart the server with the 'reboot' command.
24. Because SmartPortal and SmartView Tracker do not support multi-byte characters, logs that use multi-byte characters display incorrectly.
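Steps 6 and 7 of item 23 above are easy to get wrong when repeated (a second run appends a second, conflicting TZ line). The following shell functions are an added example, not part of the release notes or of Check Point's tooling: they write the export line idempotently into a given .bashrc and let you read back the value before rebooting. The function names, the file path argument and the timezone strings used in the usage are assumptions; on a real SPLAT server the value comes from 'timezone -show' as in step 4.

```shell
#!/bin/sh
# Added example (not Check Point's code): idempotently set the TZ export that
# item 23 tells you to append to /home/integrity/.bashrc on SPLAT.
# Assumes the timezone string was already recorded from 'timezone -show'.

# set_integrity_tz <bashrc-path> <timezone-string>
# Writes 'export TZ="<timezone>"' into the file, replacing any earlier TZ
# export so repeated runs never leave duplicate or conflicting lines.
# Returns 0 on success, 1 on missing or unsafe arguments.
set_integrity_tz() {
    bashrc="$1"
    tz="$2"
    [ -n "$bashrc" ] && [ -n "$tz" ] || return 1
    # Refuse values that would break or escape the double-quoted export line.
    case "$tz" in
        *'"'*|*'$'*|*'`'*) return 1 ;;
    esac
    # Keep every line except a previous TZ export (grep -v exits 1 when the
    # result is empty, which is not an error here).
    if [ -f "$bashrc" ]; then
        grep -v '^export TZ=' "$bashrc" > "$bashrc.tmp" || :
    else
        : > "$bashrc.tmp"
    fi
    printf 'export TZ="%s"\n' "$tz" >> "$bashrc.tmp"
    mv "$bashrc.tmp" "$bashrc"
}

# current_tz <bashrc-path>
# Prints the timezone the file will export; use it to verify the edit
# before the reboot in step 8.
current_tz() {
    grep '^export TZ=' "$1" | sed 's/^export TZ="\(.*\)"$/\1/'
}

# Usage on the server (values are assumptions for illustration):
#   set_integrity_tz /home/integrity/.bashrc "$(timezone -show)"
#   current_tz /home/integrity/.bashrc
```

Run it as the integrity user (step 5) so the file keeps that user's ownership; the read-back value must match the 'timezone -show' output exactly, since TZ is not validated by the shell.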

Endpoint Security VPN

25. Entrust configuration is not supported in Endpoint Security VPN packages. When you need Entrust configuration, install the Endpoint Security client and SecureClient separately.
26. You cannot configure script execution. If you need script execution for SCV enforcement, you must install an Endpoint Security client and SecureClient separately.
27. When using "Route all traffic through gateway" in conjunction with Office Mode in Endpoint Security with VPN, with SCV enforcement on Endpoint Security, the client sometimes sends packets from the real IP rather than the Office Mode IP. Microsoft Windows Dead Gateway Detection causes this behavior as it handles the default route. To avoid this, change the EnableDeadGWDetect registry key. More information can be found in the SecureKnowledge SK39013 article. To disable the Dead Gateway Detection mechanism on NG AI R54 and R55, modify the registry as follows:
    Note: Always back up the registry before making any modification.
    1. Select Start > Run.
    2. From the Run dialog box, under the Open field, enter the command regedit.
    3. Locate the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters section.
    4. Add the DWORD EnableDeadGWDetect with the value "0".
    5. Save and exit.
    6. Reboot.
28. Some buttons on VPN dialogs are not the default button even though they are highlighted as such. This will cause keyboard shortcuts to select different controls than the highlighted ones.
29. The local subnets feature of Hotspot Registration is not enforced. Setting Hotspot.local.subnets.only to 'true' has no effect.


30. The Cingular WWAN Connection Manager may conflict with the Endpoint Security VPN client. When switching to the WWAN adapter, the Endpoint Security VPN client may switch to CLI mode.
31. For FireWall-1, the implied/hard-coded rules that are applied before all policy rules do not include the new ports and protocols. You must configure firewall rules to allow Endpoint Security traffic. Use the following steps:
    1. Make a copy of the implied_rules.def file on the SmartCenter and save it.
    2. Under INTEGRITY_HEARTBEAT, change port 6054 to 80:
       #define INTEGRITY_HEARTBEAT (udp, dport = 80)
    3. Under accept_integrity_server_ports, change port 80 to 2100:
       ( (tcp, (dport = 443 or dport = 2100)) or INTEGRITY_HEARTBEAT),
    Note - Editing the implied_rules.def file must be done carefully and only for important workarounds.
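The note under item 31 is the reason to script the edit rather than do it by hand: a script can keep the backup from step 1, refuse to run unless each line it expects is present exactly once, and show you the result before anything is installed. The following is an added example, not Check Point's code or the content of the real file; the sample lines it writes are constructed to match only the two lines the item quotes, the real implied_rules.def (assumed to live under $FWDIR/lib on the SmartCenter) contains much more, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Check Point's code): apply the two port changes from
# item 31 to implied_rules.def while keeping a backup and refusing to edit a
# file that does not look as expected. The sample file is constructed from
# the two lines quoted in the item and is not the real implied_rules.def.

# patch_implied_rules <file>
# Returns 0 if both edits were applied, 1 if the file was left untouched
# because a pattern was missing or matched more than once.
patch_implied_rules() {
    f="$1"
    [ -f "$f" ] || return 1
    # grep -c exits 1 on zero matches; keep the count, ignore the status.
    n1=$(grep -c '^#define INTEGRITY_HEARTBEAT (udp, dport = 6054)' "$f" || :)
    n2=$(grep -c '(dport = 443 or dport = 80)) or INTEGRITY_HEARTBEAT' "$f" || :)
    [ "$n1" = "1" ] && [ "$n2" = "1" ] || return 1
    cp "$f" "$f.orig"                      # step 1: keep the original copy
    # Step 2: heartbeat port 6054 -> 80; step 3: server port 80 -> 2100.
    sed -e 's/^#define INTEGRITY_HEARTBEAT (udp, dport = 6054)/#define INTEGRITY_HEARTBEAT (udp, dport = 80)/' \
        -e 's/(dport = 443 or dport = 80)) or INTEGRITY_HEARTBEAT/(dport = 443 or dport = 2100)) or INTEGRITY_HEARTBEAT/' \
        "$f.orig" > "$f"
}

# verify_implied_rules <file>
# Returns 0 only when both edited lines carry the new ports.
verify_implied_rules() {
    grep -q '^#define INTEGRITY_HEARTBEAT (udp, dport = 80)' "$1" &&
    grep -q '(dport = 443 or dport = 2100)) or INTEGRITY_HEARTBEAT' "$1"
}

# write_sample_rules <file>
# Constructed stand-in for the two relevant lines (not the real file).
write_sample_rules() {
    cat > "$1" <<'EOF'
#define INTEGRITY_HEARTBEAT (udp, dport = 6054)
#define accept_integrity_server_ports \
    ( (tcp, (dport = 443 or dport = 80)) or INTEGRITY_HEARTBEAT),
EOF
}

# Usage (path is an assumption): patch_implied_rules "$FWDIR/lib/implied_rules.def"
#                                 && verify_implied_rules "$FWDIR/lib/implied_rules.def"
```

Because the function aborts when either pattern is absent, running it a second time on an already-edited file is a no-op rather than a corruption, and the untouched .orig copy is what you restore if the policy no longer installs.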

Miscellaneous

32. Endpoint users in the Test Group do not receive automatic updates if Antivirus or Antispyware staging is not configured. Do not place users in the Test Group unless you also configure staging.
33. It is possible to block Antivirus and Antispyware updates with firewall rules. Be sure to configure your firewall rules to allow this traffic.
34. Updates will sometimes fail after initial installation due to file permission issues. This update failure is not common and subsequent updates are generally successful.
35. The traceroute protocol cannot be used to block outbound traceroute. In order to prevent traceroute from working, block the traceroute program with an Application Rule. Alternatively, you could block the inbound ICMP timeout packet, but this may cause issues.
36. When a client is in disconnected mode and has an active disconnected policy, it will not ask the server for program permissions. Therefore all programs not explicitly overridden in the policy will be treated as "unknown" and will be given permissions according to the "unknown programs" group filter.
37. There are no implied rules to allow remediation or Antivirus or Antispyware updates. Do not configure firewall rules that block this traffic.
38. Logitech QuickCam software version 10.5 is incompatible with the Check Point Endpoint Security client. This causes crashes of many programs when they attempt to start. You must upgrade to version 11.5 of the Logitech QuickCam software.
39. Endpoint Security will not install on endpoint computers that have any active firewall other than the Microsoft built-in firewall.


Eventia Suite

40. When upgrading Eventia Analyzer on a Windows platform, shut down the SNMP service before performing the upgrade.
41. Eventia Analyzer NGX R65 does not support upgrade from Eventia Analyzer 2.0. To upgrade to a version with similar functionality, install Eventia Analyzer NGX R63.
42. After adding a log file to the Log Server, perform a log switch operation on the Log Server in order to view the log file in the offline job screen.
43. In a Provider-1/SiteManager-1 environment, Eventia Suite only synchronizes global services defined on the MDS and not CMA-specific services.
44. Files that are added to a Log Server may take a few minutes to appear as candidates for correlation in Eventia Analyzer and for consolidation in Eventia Reporter. It can take up to three minutes to appear when placed on an R65 Log Server, and up to 30 minutes when placed on an older Log Server.
45. A new user group in SmartDashboard will appear empty in Eventia until it is modified. If a user group has been created in SmartDashboard and users added during its creation, modify a property (such as color) so Eventia will populate it.
46. Eventia Analyzer only supports the Block Source and Block Event Activity Automatic Reactions in a SmartCenter environment.
47. Eventia Reporter Express Reports do not support the Restore Default Settings (for Report) option. Create a Custom report using the Save Report As option to keep the original Predefined report and the newly configured report.


Firewall

In This Section

Configuration page 29
Services page 29
Logging page 29
VoIP page 29
Anti Virus page 30
Miscellaneous page 30

Configuration

1. SmartDefense protections under IP and ICMP should not be configured, under User Defined alerts, to send an AMT command to quarantine users, since such a configuration can cause hosts that have been spoofed to be quarantined.

Services

2. Dynamic opening of audio and video in MSN Messenger over the service MSNMS is not supported if SecureXL is installed.

Logging

3. A connection dropped by a Drop Template is not logged, even if the tracking option for the relevant rule is set to Log.

VoIP

4. SIP TCP and SCCP failover are not functioning correctly in third-party clustering solutions. Therefore calls using one of these protocols will not survive cluster failover.
5. Incoming connections will be lost if a failover occurs on a ClusterXL gateway with the following deployment:
    • VoIP is SIP over TCP
    • SIP proxy in the external network
    • Gateway is configured as hide NAT
    • Running SecureXL
6. MSN Messenger version 5 is not supported. Additionally, there are a few known issues regarding MSN Messenger when employing Hide NAT:
    • When running SIP and the data connection tries to open MSN Messenger connections on hidden networks, the connection fails.
    • While audio and video each work separately, they cannot be run concurrently.
7. When using SIP, setting a rule to reject the service high_udp_ports rejects incoming audio as well. A workaround is to use the drop action instead.
8. When an H.323 IP phone that is not part of a handover domain tries to establish a call, the call attempt is blocked and the following message appears on the console: FW-1: fw_conn_inspect: fwconn_chain_lookup failed. If you want to allow this phone to make calls, add it to the handover domain, and the error message will cease to appear. Note that this message may appear in other (non-VoIP) scenarios as well.


9. In some cases, when a user closes an MSN Messenger application (such as Whiteboard), the application will not close automatically at the remote end (the remote user has to close the application manually).
10. When a SIP proxy is in the DMZ, Whiteboard and application sharing will not open between external and internal messengers.

Anti Virus

11. SmartDefense protections block an HTTPS reply that is transferred by the proxy to the SmartCenter Server using the CONNECT method. In this scenario, the workaround is as follows:
    a. On the SmartCenter Server console, run the command fw ctl set int asm_http_allow_connect 1.
    b. If the HTTPS reply is still blocked, disable the Active Streaming defenses.

Miscellaneous

12. Security servers do not support encrypted sessions or clients with Kerberos authentication.
13. In a bond configuration, the following features are not supported:
    • ClusterXL Load Sharing
    • Bonding of more than two interfaces
14. In a bridge configuration, the following features are not supported:
    • NAT
    • VPN
    • ClusterXL
    • Traffic routed between bridged interfaces to other Firewall IP interfaces
    • A connection passing twice through the same bridge
    • Acceleration of connections that traverse two bridge interfaces

Performance Pack

15. When running Performance Pack on a Solaris platform, routing changes may cause connectivity issues in active connections.


Provider-1/SiteManager-1

In This Section

Upgrade, Migrate, Backup, Restore page 31
Configuration page 31
Licensing page 32
Management High Availability page 32
Management Plug-ins page 32
Global SmartDefense page 32
Global VPN Communities page 33

Upgrade, Migrate, Backup, Restore

16. After completing the upgrade, start the CMAs for the first time in sequential mode (using the command mdsstart -s). The sequential mode is necessary because otherwise the SDUU process may negatively affect running the CMAs normally for the first time.
17. When upgrading Provider-1 MDS on SecurePlatform, the following message may appear: /bin/ln: /var/CPbackup/schemes/mds.cpbak: File exists. This message can be safely ignored.
18. After migrating from a VPN-1 UTM standalone gateway to a CMA, management of the QoS policy is disrupted. To restore a previous QoS policy, or to create a new QoS policy, from SmartDashboard select File > Add Policy Type to Package.
19. After migrating a SmartCenter with two interfaces into a CMA, the CMA will not receive logs. To solve this issue, manually erase the CMA object interfaces after the migration process is complete.
20. When upgrading the Provider-1 Multi Domain Server (MDS), the pre-upgrade configuration should always be backed up using the mds_backup tool. Although the upgrade process offers the chance to do this during the upgrade, in certain cases the backup will not be performed correctly and the process may enter a loop. It is advised to back up the system prior to initiating the upgrade process instead of using the backup function in the upgrade user interface.

Configuration

21. When adding a new MDS Container to an MDS High-Availability environment, the initial synchronization should succeed. However, if the Management Plug-ins installed on the new MDS server are not identical to those on the other MDS servers, the server will not communicate with the rest of the HA environment, and a corresponding status will be shown.
22. When using a SmartCenter Backup server, make sure that the same Management Plug-ins are installed on the Provider-1 MDS servers and the SmartCenter Backup server.
23. To perform specific actions for a customer, the administrator is required to have Read/Write permissions. If an administrator's permissions are set to 'Customized', the administrator is labeled 'unsafe' or 'untrusted' for specific actions, even if all the options are set to Read/Write. In order to give the administrator full permissions for the following actions, Read/Write All must be selected:
    • Configure Customer Management Add-on
    • Delete Customer Management Add-on
    • Import Customer Management Add-on
    • Start Customer Management Add-on
    • Stop Customer Management Add-on
    • Assigning the Customer Management Add-on to an administrator


24. Provider-1 customers with Global Manager administrator accounts cannot have read-only access. The following are the only options available to Provider-1 customers with Global Manager administrator accounts:
    a. A Global Manager can have access to Global Policies, but cannot have access to Customer Policies.
    b. A Global Manager can have full access to specifically selected Provider-1 Customers.

Licensing

25. It is not possible to add a license to the MDS via the MDG. To add a license to the MDS, use ftp and the CLI command cplic add -l filename.

Management High Availability

26. When using SmartView Monitor and/or SmartView Tracker on the active CMA, the CMA cannot be changed to standby. Before making another CMA the active management station, you must first close these SmartConsole applications. You can then make another CMA active, and reconnect to it with these applications.

Management Plug-ins

27. Prior to removing the plug-in package from the Provider-1 Multi Domain Server (MDS), the plug-in should be deactivated for all Provider-1 customers. If removed prior to deactivation, the MDS server might not be able to function. In such a case, the correct workaround is to install the plug-in package, deactivate the plug-in for all Provider-1 customers and remove the package again.

Global SmartDefense

28. Protecting or excluding Global services in the SmartDefense Spoofed Reset protection (Global SmartDashboard > SmartDefense tab > Network Security > TCP > Spoofed Reset Protection > Exclude) will not cause these services or settings to be applied to the CMA when Global Policy is assigned to participating Global SmartDefense Customers. The Global services that are assigned when assigning Global Policy are:
    • Global services that are referenced by a Global rule.
    • Global services that were downloaded by SmartDefense Online Update for Global SmartDefense Customers.
    Note that any Protected or Excluded settings made on the Global SmartDashboard in this case are preserved. In addition, if Global services downloaded by SmartDefense Online Update exist locally on the CMA with Protected or Excluded settings that differ from those in the Global SmartDashboard, the Assign Global Policy operation will fail with the following error message: Cannot assign Global service '' because a different service with the same name already exists in the CMA database. Delete this service from the CMA or rename it prior to performing Assign Global Policy. In this case, in the SmartDashboard connected to the CMA, either rename or delete the service prior to assigning Global Policy.
29. When activating a SmartDefense protection whose Monitor-only attribute was not modified on a CMA of a Customer set to Merge mode, the Monitor-only setting of the protection will be overridden by the next Global SmartDefense assignment. Thus, if a certain protection is activated in such a CMA without explicitly modifying the Monitor-only attribute, the Global SmartDefense settings will determine whether the traffic will be blocked or logged (i.e., what occurs when Monitor-only is selected). To preserve the Monitor-only attribute of the SmartDefense protection at the CMA level, do the following:
    1. Activate the SmartDefense protection on the CMA.
    2. Save the policy.
    3. Modify the Monitor-only attribute.
    4. Set the Monitor-only attribute to the desired setting.
    5. Save the policy.
30. In the Global SmartDashboard > SmartDefense Profile Management view, right-clicking the Default_Protection profile will allow the user to clone the selected profile or create a new profile. Such an action should not be executed.
31. When using the Override mode with one or more Provider-1 customers, consider the following: performing an independent SmartDefense Online Update at the CMA level, while trying to override the configuration with an earlier updated version from the Global SmartDashboard, may cause certain conflicts and result in policy verification issues. If performing an Online Update at the CMA level is an absolute requirement, the customer should either work in Merge mode, or the Global Policies should not be re-assigned until the Global SmartDefense is re-aligned with the same Online Update.

Global VPN Communities

32. When using the Database Revisions in a CMA that has gateways enabled for global use, consider the following: when reverting to previous revisions, make sure that one or more of the gateways currently enabled for global use were not in this state when the database revision was created. If one or more of the gateways were enabled for global use when the database revision was created, they should be disabled from global use prior to reverting to the revision.


QoS

33. When working with a third-party server combined with QoS, you may get a warning regarding activation of QoS on a specific interface. Please ignore this warning.

SecureClient Mobile

Note - For additional information about SecureClient Mobile, refer to the Frequently Asked Questions section in the Check Point SecureClient Mobile Release Notes and What's New document.

34. On the HP PocketPC series, the iPAQWireless application and today item malfunction when SecureClient Mobile is installed. A patch is available through the SecureKnowledge database. See SK #32505.
35. When installing the client on Windows Mobile 5.0 PPC, a warning message is issued stating the application is not signed. The executables and package are signed with a Check Point certificate. One can install the cpcert.cab provided in the ZIP package before installing the client to prevent this warning.
36. When installing the client on a PocketPC 2003 device, it is required to install the unsigned package SecureClient_Mobile_Setup_626000xxx_unsigned.cab. This is an operating system limitation.
37. When working with certificate authentication, make sure there is only one valid certificate for the relevant gateway in the CAPI store. In case more than one such certificate exists, the first one is used without prompting the client to choose which certificate to use (as done by Internet Explorer).
38. Installing the client to a storage card is not supported.
39. On some devices, an error message mentioning AcquireCredentialsHandle appears. In most cases this issue is resolved by quitting the client and restarting it. In some cases a soft reset is required.
40. Connecting through a proxy that requires digest authentication is not supported. NTLM authentication is also not supported.
41. The user is unable to connect to the site after a reboot when the PPC is in the cradle and the Always Connected option is enabled.
42. Certificate enrollment (Check Point CA), a feature that is implemented on both SecureClient and SNX, is not supported in this client release. When "Certificate with enrollment" is selected in SmartDashboard and the user does not have a valid certificate in the CAPI store, the user receives an error message.
43. When the client is installed but not running on a Windows Mobile 5.0 device, ActiveSync is disabled: while the client is not running, the change in the firewall policy required for the ActiveSync protocol to run cannot be applied. To overcome this, start the client, then start ActiveSync.
44. When using WM5.0, there are cases where uninstalling or upgrading the client fails. In such a case, the client loads with an error message stating that the client drivers did not load. A second uninstall removes the client completely in such a case.
45. When using SCM and SSL Network Extender with RADIUS authentication and ipassignment.conf for Office Mode, the proper IP addresses are not assigned, resulting in failed connections. For a patch for earlier gateway versions, please open a Service Request with Check Point support.


46. On some Windows Mobile 5.0 devices, when connecting to the gateway over ActiveSync (used as a network interface) and targeting resources behind the gateway, TCP connections do not open over the tunnel, usually resulting in a timeout. This is caused by the DTPT LSP "hijacking" all TCP connections and bypassing the routing table. The available workaround is to change the ActiveSync connection type from RNDIS to Serial. To do this, uncheck Enable advanced network functionality in the 'USB to PC' applet in the device network settings. (This option exists in most WM5.0 AKU2 and above devices.)
47. The flag neo_policy_expire should be configured so that the client updates its policy regularly. The following flags are not implemented: neo_enable_automatic_policy_update and neo_automatic_policy_update_frequency.
48. On the Samsung i360 device (Cingular Blackjack), SCM's today/home plug-in can only be activated on the Samsung Home Screen Layouts. The Windows Default layout becomes unusable with the SCM home plug-in turned on. To overcome this limitation, use one of the Samsung Home layouts or disable SCM's home plug-in.
49. Changing the value neo_remember_user_password to true becomes operative on the client only at the second login after the flag was downloaded to the client: at the first login the client is updated with the new policy, and only at the subsequent login does it actually save the password.
50. The device issues DNS queries on both the physical and virtual interfaces, which could expose server names and IP addresses. To prevent this, set the flag neo_allow_clear_while_disconnected to false.
51. The MSI installer does not enforce that upgrading should only be done to a higher build number. On the device, when the CAB file is installed, this enforcement does take place.
52. If the Office Mode pool is set to high address numbers, for example 230.230.230.0, users will not be able to connect. A message will appear: "Client Disconnected: (44) Failed to apply assigned office Mode IP data. If this problem persists you should reset your device." This is a general Office Mode problem for all of the Check Point VPN clients.
53. A user who is authenticating using the user-password scheme and wants to switch to certificate authentication must clear the cached credentials. This is done on the client: Menu > Options > Clear_passwords.
54. Changing the gateway from SSL Network Extender mode only (snx_enabled) to SCM mode only might cause the client to stop downloading a policy from the server, even if SCM mode (neo_enable) is operative.
55. The flag NEOGUI_NO_GUI is not fully supported. The client has to be restarted for the flag to take effect (the flag should be set before the client's GUI is initialized). The flag NEOGUI_NO_OPTIONS_DLG is not implemented in this client release.
56. Some of the SSL Network Extender (SNX) settings conflict with SecureClient Mobile (SCM) settings. The following flags take precedence when SNX and SCM are both enabled on the same gateway (all are found both in the SNX dialog under Global Properties > Remote Access and on the SecureClient Mobile dialog):
    • User authentication method: snx_user_auth_methods over user_auth_methods
    • Re-authenticate user every: snx_user_re_auth_timeout over neo_user_re_auth_timeout
    • Supported encryption methods: snx_encryption_methods over neo_encryption_methods
    • Send keep-alive packets every: snx_keep_alive_timeout over neo_keep_alive_timeout


Smartphone

57. When running the CertImport utility, select the certificate using the [select] key and not the joystick's center-click. Selecting the certificate with the joystick results in the operating system trying to “run” the certificate and an error message.

58. Smartphone devices are unable to connect over ActiveSync to a PC.

59. The proxy replacement feature is not functional.

60. When the client is connected, on some models the VNA is falsely identified as a WiFi interface in the home plug-in.

SecurePlatform

61. After an initial installation of SecurePlatform on an x3650 system done through USB, USB keyboard input will not be read by the operating system. On the second boot, USB keyboard input will be accepted.
Workaround:
1. ssh to the SecurePlatform machine.
2. Enter expert mode.
3. Execute:
• insmod usbcore
• insmod -uhci
• insmod hid
• insmod input
• insmod keybdev
No reboot is necessary. USB keyboard input will be accepted.

62. Before beginning the upgrade, make sure that sufficient space is available for the /opt partition. On systems that manage VSX gateways, verify that at least 850MB of disk space is available for /opt before the upgrade.

63. Implementation of a multicast routing protocol in a PIM-SM (PIM Sparse Mode) environment is not supported in the following scenarios:
1. A Rendezvous Point router hides multicast sender IPs behind its own IP (for example, with the NAT feature).
2. A Rendezvous Point router generates multicast traffic to a multicast group for which it is defined as a Rendezvous Point.
Note - These two scenarios (where a Rendezvous Point runs NAT for hosts or generates its own multicast traffic) are not typical of a real environment.

SecureXL

64. A SYN packet arriving on a connection that has been closed by an RST packet will not be accelerated if the SecureXL device does not support Sequence Verification acceleration. To verify that the SecureXL device supports Sequence Verification acceleration, run the command fwaccel stat and look for TCP_STATE_DETECT_V2 in the Accelerator Features section.

65. On the Corrent S3500 Turbocard, setting the notification delay to a value less than 27 causes the DLY field of the command fwaccel templates to display incorrect information. However, this issue involves only the command’s display; the device supports such settings.

66. A clear text packet that is dropped by SecureXL on an encrypted connection is logged with service and source port 0.


67. The Template Quota feature is supported on SecurePlatform only.

68. High Load QoS is supported on SecurePlatform only.

69. Aggressive Aging is supported on SecureXL devices that support API 2.5 and above. To verify support, run the command fwaccel ver.

70. The following message will appear in /var/log on SecurePlatform and on the Solaris console after performing Install Policy when SecureXL is enabled: The Rulebase does not support SecureXL Drop Templates. This message can be safely ignored.

71. Aggressive Aging is disabled on IPSO when SecureXL is enabled.


SmartCenter Server

In This Section

Platform Specific - Nokia page 38
Installation page 38
Upgrade page 38
Miscellaneous page 39

Platform Specific - Nokia

72. When switching the Connectra NGX R62CM Plug-in package to ON, the following message is displayed: "A reboot may be required to complete this action. See package documentation for details". Although you can safely ignore this message, you should run cpstart.

73. When installing NGX R65 on a Nokia machine, the Connectra NGX R62CM Plug-in package is also installed. If you remove it and want to re-install it, do so by running newpkg from the command line. If you installed the plug-in via Voyager, run ./opt/CPPIconnectra-R65/START from the command line in order to activate the plug-in.

Installation

74. When connecting to the SmartCenter Server for the first time, the following error message may appear: connection can not be established.
Note - This error appears once (during your first connection) because the SmartCenter Server is in the process of a silent SmartDefense update. If this error appears, wait a few minutes before you attempt to connect to the SmartCenter Server again.

Upgrade

75. As of NGX R65, UTM-1 Edge objects should not have a .default suffix. A UTM-1 Edge box with a .default suffix in its name may suffer from connectivity problems with the SmartCenter. If an object in the database has a .default suffix before the Upgrade process is run, change the name or remove that suffix for a successful upgrade.

76. When upgrading from R60 and earlier to R61 and later versions using the export/import tools, SmartDefense protections involving scanning of SMTP and POP3 traffic will no longer function. If you have not yet performed the upgrade, use the following workaround to prevent this issue:
1. Before using the upgrade_import utility, save the file $FWDIR/conf/fwauthd.conf in a temporary place.
2. Run upgrade_import.
3. Run cpstop.
4. Copy the file back.
5. Run cpstart.
If you have already upgraded and are experiencing this problem, do the following:
1. Run cpstop.
2. Use a text editor to open the file $FWDIR/conf/fwauthd.conf.
3. Add the following two lines:
2525 fwssd in.emaild.smtp wait 0
110 fwssd in.emaild.pop3 wait 0
4. Run cpstart.

77. When performing an in-place upgrade of SmartCenter R61 Enterprise/Pro to NGX R65 on a Linux or SecurePlatform machine that has an installation of Endpoint Security Server R61, the Endpoint Security installation wrapper will run automatically. The user must cancel this operation; otherwise all data on the Endpoint Security Server will be lost and the server will be inaccessible. In this scenario, the workaround is as follows:
1. When the Endpoint Security installation starts, abort the installation by typing quit.
2. When the rest of the upgrade process completes, edit the file /engine/webapps/ROOT/bin/opsec/config.propertis as follows:
Change:
FWDIR=/opt/CPsuite-R61/fw1
CPDIR=/opt/CPshrd-R61
To:
FWDIR=/opt/CPsuite-R65/fw1
CPDIR=/opt/CPshrd-R65
3. Register the Endpoint SecurityAmon DLL by running the following command:
$CPDIR/bin/amon_config cpstatdll add Endpoint Security /engine/webapps/ROOT/bin/opsec Endpoint SecurityAmon
4. Run the following script: /bin/install.sh
5. Log out and log in again to the root account.
6. Restart the SmartCenter Server.
Note: should be replaced by the Endpoint Security installation directory (e.g. /opt/CPEndpoint Security).
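The post-upgrade repair in item 76 amounts to making sure two specific security-server entries are present in fwauthd.conf. The script below is an added example, not a Check Point tool: it takes the path of the configuration file as an argument, backs the file up, and appends each of the two entries only if no existing line already configures that daemon (field 3 of an fwauthd.conf entry), so it is safe to run more than once. The cpstop/cpstart steps from item 76 still have to be run around it.

```shell
#!/bin/sh
# Added example (not Check Point's own tooling): idempotently restore the
# SMTP/POP3 security-server entries in fwauthd.conf after upgrade_import,
# as described in item 76 of the release notes.
# Usage: ensure_fwauthd_mail_entries "$FWDIR/conf/fwauthd.conf"

# The two entries item 76 says to add, copied from the release notes.
FWAUTHD_SMTP_LINE='2525 fwssd in.emaild.smtp wait 0'
FWAUTHD_POP3_LINE='110 fwssd in.emaild.pop3 wait 0'

# Appends each missing entry to the file given as $1 and prints how many
# lines were added. Returns 1 if the file does not exist or cannot be backed up.
ensure_fwauthd_mail_entries() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    # Keep a backup before touching a security-server configuration file.
    cp "$conf" "$conf.bak" || return 1
    added=0
    for line in "$FWAUTHD_SMTP_LINE" "$FWAUTHD_POP3_LINE"; do
        # Field 3 of an fwauthd.conf entry names the security-server daemon;
        # match on it rather than on the whole line so that existing entries
        # with different spacing or timeouts are not duplicated.
        daemon=$(printf '%s\n' "$line" | awk '{print $3}')
        if awk -v d="$daemon" '$3 == d { found = 1 } END { exit !found }' "$conf"; then
            continue
        fi
        printf '%s\n' "$line" >> "$conf"
        added=$((added + 1))
    done
    echo "$added"
}
```

Because the check is on the daemon name, a file that already carries the POP3 entry gets only the SMTP line appended, and a second run adds nothing.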

Miscellaneous

78. When using SmartView Monitor and/or SmartView Tracker on the active SmartCenter, the SmartCenter cannot be changed to standby. Before making another SmartCenter the active management station, you must first close these SmartConsole applications. You can then make another SmartCenter active and reconnect to it with these applications.

79. UTM-1 Edge modules are not supported on a SmartCenter Server running IPv6.

80. To successfully manage a UTM-1 gateway, define an NGX R62 VPN-1 Power/UTM Gateway object.


SmartConsole Applications

81. The Get Interfaces operation for a Check Point object does not return alias IP addresses for real interfaces. To add alias IP addresses to the object's topology, define them manually. Once defined, do not perform the Get Interfaces operation again, as this will erase all manual changes to the object topology.

SmartDashboard

Installation on Solaris UltraSPARC

82. Some of the SmartDefense protections are not presented in the Solaris SmartDashboard.

83. A Demo mode session is only supported when the Solaris SmartDashboard is launched from the home directory (/opt/CPclnt-R65).

84. Logging in with a certificate file is not supported by the Solaris SmartDashboard.

85. SmartDashboard does not support the Compressed Connection mode on Solaris.

SmartDefense

86. The behavior of the Net Quota SmartDefense protection when using ClusterXL in Load Sharing mode differs from the behavior of the same protection on a single gateway. Each cluster member has its own counter. For example, in a two-member cluster the effective limit is twice the limit of a single gateway.

87. When configuring a bridge, make sure to configure an IP address on the bridge interface using sysconfig or the WebGUI. Otherwise, the following SmartDefense protections may not be enforced:
• Spoofed Reset Protection
• SYN Attack Defender
• Fingerprint Scrambling
To avoid this, do the following:
1. Open SmartDashboard and edit the gateway object's properties.
2. On the Topology tab of the object, select Get > Interfaces. The resulting window will report that both physical interfaces have the same IP address. A warning message may be generated as well.
3. Acknowledge the warning and for each interface set a different IP address within the subnet of the bridge.
4. On the Topology tab of the internal interface, set the Topology to Internal and the IP Addresses behind this interface to Specific, and select a pre-defined IP Address Range. Configure Anti-Spoofing as required for your network topology.
5. On the Topology tab of the external interface, set the Topology to External and the IP Addresses behind this interface to Specific, and select a pre-defined IP Address Range. Configure Anti-Spoofing as required for your network topology.

88. SmartDefense profiles are not supported on VPN-1 Power VSX. Only the default SmartDefense profile applies.

89. Configuring the Block FTP Commands protection in the SmartDefense tab may not activate the protection on VPN-1 Edge gateways. In this case, enforce this command using VPN-1 Edge CLI scripts.


SmartPortal

90. The Solaris tar fails to open tgz files that contain directory names of more than 100 characters. In this scenario, use GNU tar (gtar) instead. gtar can be found on any Check Point CD in the directory $CPDIR/util.

91. If the Smart Portal checkbox is selected in SmartDashboard, it is possible to connect to Smart Portal both from the Endpoint Security server and by direct https access. If the Smart Portal checkbox is not selected in SmartDashboard, it is only possible to connect to Smart Portal from the Endpoint Security server.

SSL Network Extender

92. SSL Network Extender is not supported on Nokia IP clusters in Load Sharing mode.

93. A new installation or upgrade of an SSL Network Extender client is not supported via ISB (Endpoint Security Secure Browser). Install or upgrade an SSL Network Extender client via Internet Explorer. Once the installation or upgrade is complete via Internet Explorer, connections to the Internet can be performed via ISB.

94. ISB (Endpoint Security Secure Browser) is not supported on a Windows Vista platform.

UserAuthority Server

95. When chaining to externally managed UserAuthority Servers, restrictions on the exported data are not enforced.


Documentation Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: [email protected]
