Check Point NGX R65 Release Notes Revised: February 2, 2009 This Release Notes document provides essential operating requirements and describes known issues for VPN-1/FireWall-1 NGX R65. Review this information before setting up VPN-1/FireWall-1 NGX R65. Note - Before you begin installation, read the latest available version of these release notes at: http://www.checkpoint.com/support/ In This Document Information About This Release page 2 Resolved Limitations page 18 Clarifications and Limitations page 22 Documentation Feedback page 42 Copyright © February 2, 2009 Check Point Software Technologies, Ltd. All rights reserved 1 Information About This Release Information About This Release This document contains important information not included in the documentation. Review this information before setting up Check Point NGX R65. In This Section Build Numbers page 3 NGX Products, Supported by Platform page 4 NGX Clients, Supported by Platform page 5 Non-upgradable Products page 5 HFAs Included in this Release page 5 Minimum Hardware Requirements page 6 Maximum Number of Interfaces Supported by Platform page 14 Minimum Software Requirements page 15 The Regular Expression (RX) Library page 17 VPN-1/FireWall-1 NGX R65 Release Notes. Last Update — February 2, 2009 2 Build Numbers Build Numbers The following table lists all NGX R65 software products available, and the build numbers as they are distributed on the product CD. To verify each product’s build number, use the given command format or direction within the GUI. Product Build No.CLI Command / GUI Selection VPN-1 Power / UTM SecurePlatform fw ver /Linux 430 Sun 428 Windows 427 IPSO 436 SmartCenter Server 083 fwm ver Provider-1/SiteManager-1 620000292 CPvinfo $MDSDIR/lib/libmds.so | grep “Build Multi-Domain Server (MDS) Number” Endpoint Security Server 7.20.084.000 System configuration > Version information Endpoint Security Client 7.00.843.000 Right-click the System Tray icon and select About Eventia Reporter Server 239 SVRServer ver Eventia Analyzer Server 058 cpsemd ver SmartView Monitor Server 013 rtm ver UserAuthority Server 010 uas ver SecureClient Policy Server 008 dtps ver SVN Foundation 432 cpshared_ver IPSO 435 UTM-1 Edge 7.0.27x Displayed on the default portal page QoS 020 fgate ver SmartConsole Applications 620000380 Help > About Check Point <product name> (includes SmartDashboard, SmartView Tracker, SmartView Monitor, SmartLSM, Eventia Reporter Client, Eventia Analyzer Client, SecureClient Packaging Tool, SmartLSM, SmartUpdate) Solaris SmartConsole R65_motif Help > About Check Point <product name> B620000017_1 Provider-1/SiteManager-1 620000280 Help > About Check Point Provider-1/SiteManager-1 Multi-Domain GUI (MDG) SmartPortal 620000098 cpvinfo /opt/CPportal-R65/portal/bin/ smartportalstart Compatibility Packages: •NG 40 /opt/CPngcmp-R65/bin/fw_loader ver • R55W 17 /opt/CPR55WCmp-R65/bin/fw_loader ver •VSX NGX 508 /opt/CPvsxngxcmp-R65/bin/fw_loader ver • UTM-1 Edge 620000020 /opt/CPEdgecmp-R65/bin/fw ver SecuRemote/SecureClient 019 Help > About SecurePlatform 004 ver Performance Pack 030 sim ver -k VPN-1/FireWall-1 NGX R65 Release Notes. Last Update — February 2, 2009 3 NGX Products, Supported by Platform NGX Products, Supported by Platform Check Point Product Platform and Operating System RHEL Check Solaris Microsoft Windows 3.0 Point Nokia Ultra- Server 2000 2000 2000 XP Home kernel Secure IPSO SPARC 2003 Advanced Server Profes- & Profes- 2.4.21 Platform 4.1 - 8, 9 & (SP1-2) Server (SP1-4) sional sional 4.2 10 (SP1-4) (SP1-4) VPN-1 Power / UTM X XXX X X 1 X 2 SmartCenter Server X XXX XX X 3 Provider-1/SiteManager-1 X X 4 X .Server (MDS) VPN-1 Power VSX 5 X Endpoint Security Server X X X X X Eventia Suite 6 X XXX XX UserAuthority Server X XXXXXXX X 7 SSL Network Extender Server X XXX XXX SmartConsole Applications X 8 XXXXX Provider-1/SiteManager-1 MDG X XXXXX SmartPortal X XXX XX SmartLSM - Enabled .Management & Enabled X 9 XXX XXX .ROBO / CO Gateways ClusterXL X X 10 XX XX X 11 VPN-1 Accelerator Driver II X 12 VPN-1 Accelerator Driver III X XXX XX VPN-1 Accelerator Driver IV X X X Advanced Routing X X 13 Performance Pack XX X 14 SecureXL Turbocard X 15 OSE Supported Routers Nortel Versions: 7.x, 8.x, 9.x, 10.x, 11.x, 12.x, 13, 14 Cisco OS Versions: 9.x, 10.x, 11.x, 12.x Notes to Products by Platform Table 1. Anti Virus and Web Filtering are included on SecurePlatform. 2. Anti Virus and Web Filtering are supported on Nokia disk-based platforms running IPSO 4.2 Build 42 HF002 or later. 3. UTM-1 Edge devices cannot be managed from a SmartCenter server running on a Nokia IPSO platform. 4. Provider-1/SiteManager-1 supported on both RHEL 3.0 AS and ES. 5. VPN-1 Power VSX gateways are also supported on Crossbeam Systems X-Series Security Services Switches. 6. Eventia Suite includes Eventia Reporter Server, Eventia Analyzer Server, and the Eventia Analyzer Correlation Unit. 7. UserAuthority is not supported on Nokia flash-based platforms. 8. The following SmartConsole clients are not supported on Solaris UltraSPARC platforms: SmartView Monitor, SmartLSM, Eventia Reporter Client, Eventia Analyzer Client, and the SecureClient Packaging Tool. 9. Enabled ROBO Gateways are not supported on Solaris platforms. VPN-1/FireWall-1 NGX R65 Release Notes. Last Update — February 2, 2009 4 NGX Clients, Supported by Platform 10. HA Legacy mode is not supported on Windows Server 2003. 11. ClusterXL is supported only in third party mode with VRRP or IP Clustering. 12. VPN-1 Power Accelerator Driver II is supported on Solaris 8 only. 13. Nokia provides Advanced Routing as part of IPSO. 14. Nokia provides SecureXL as part of IPSO. 15. NGX-compatible Turbocard driver is available at http://www.checkpoint.com/downloads/quicklinks/downloads_tc.html. NGX Clients, Supported by Platform Check Point Product Operating System Windows Mac Linux Server 2000 Server 2000 Profes- Mobile OS 2003 / Advanced sional (SP1-4) 2003 "X" (SP1) Server / XP Home & 2003SE (SP1-4) Professional 5.0 SecuRemote X X X SecureClient X X X X SecureClient Mobile X SSL Network Extender X XX Endpoint Security Clients X X Non-upgradable Products The following Check Point products cannot be upgraded to NGX R65: • VPN-1 Power SmallOffice, VPN-1 Net • FireWall-1 4.1 HFAs Included in this Release This release includes fixes and improvements that were initially distributed as part of NGX R60 Hotfix Accumulator (HFA) R60_HFA_05. VPN-1/FireWall-1 NGX R65 Release Notes. Last Update — February 2, 2009 5 Minimum Hardware Requirements Minimum Hardware Requirements In This Section VPN-1 Power/UTM page 7 Provider-1/SiteManager-1 MDS page 7 Provider-1/SiteManager-1 MDG page 7 VPN-1 Power VSX page 8 Eventia Reporter page 8 Endpoint Security Server page 9 Endpoint Security Clients page 11 SmartConsole page 11 Check Point Clients page 11 SecurePlatform Supported Hardware page 12 Supported Nokia Platforms page 12 Supported SecureClient Mobile Hardware page 13 VPN-1/FireWall-1 NGX R65 Release Notes. Last Update — February 2, 2009 6 Minimum Hardware Requirements VPN-1 Power/UTM The following section shows the minimum hardware requirements for installing a VPN-1 gateway and SmartCenter Server: VPN-1 Gateway Windows & Linux Solaris SecurePlatform Processor Intel Pentium II UltraSparc III Intel Pentium III CPU 300MHz or equivalent 300MHz or equivalent processor processor Free Disk Space 300MB Installation - 100 MB 10GB Memory Windows: 256MB 128MB 256MB (512MB Linux: 256MB (512MB recommended) recommended) CD-ROM Drive Yes Yes Yes (bootable) Network Adapter One or more Yes One or more supported network adapter cards Video Adapter supports 800 x 600 supports 1024 x 768 resolution resolution SmartCenter Server Windows & Linux Solaris SecurePlatform Processor Intel Pentium III UltraSparc III Intel Pentium III CPU 800MHz or equivalent 800MHz or equivalent processor processor Free Disk Space Windows: 300MB 400MB 10GB (installation includes Linux: 512MB OS) Memory 512MB 512MB 512MB CD-ROM Drive Yes Yes Yes (bootable) Network Adapter One or more Yes One or more supported network adapter cards Provider-1/SiteManager-1 MDS The following table shows the minimum hardware requirements for installing a Provider-1/SiteManager-1 Multi Domain Server (MDS). Linux Solaris SecurePlatform CPU Intel Pentium III 1GHz or UltraSPARC III 900MHz Intel Pentium III 1GHz or equivalent processor equivalent processor Memory 1GB 1GB 1GB Disk Space 2GB 2GB 10GB (install includes OS) CD-ROM Drive Yes Yes Yes (bootable) Provider-1/SiteManager-1 MDG The following table shows the minimum hardware requirements for installing the Provider-1/SiteManager-1 Multi Domain GUI (MDG). Windows Solaris CPU Intel Pentium III 1GHz or equivalent processor UltraSparc III 900MHz Memory 512MB 512MB Disk Space 100MB 100 MB CD-ROM Drive Yes Yes Video Adapter supports at least 800 x 600 resolution supports at least 800 x 600 resolution VPN-1/FireWall-1 NGX R65 Release Notes. Last Update — February 2, 2009 7 Minimum Hardware Requirements VPN-1 Power VSX The following table shows the minimum hardware requirements for installing a VPN-1 Power VSX gateway. SecurePlatform CPU Intel Pentium III 450MHz or equivalent processor Memory 512MB Disk Space 9GB (install includes OS) CD-ROM Drive Yes (bootable) VPN-1 Power VSX gateways are also supported on Crossbeam Systems X-Series Security Services Switches. Eventia Reporter The hardware requirements presented below are designed for an Eventia Reporter server that will process at least 15GB of logs per day and generate reports according to the performance numbers. For deployments that will generate fewer logs per day, a machine with less CPU or memory can be used, with the caveat that this may cause degradation in the performance numbers. Windows & Linux Windows & Linux Recommended Solaris Minimum CPU Intel Pentium IV 2.0 GHz Dual CPU 3.0 GHz UltraSPARC III 900 MHz Memory 1GB 2GB 1GB Disk Space (on 2 physical disks) Installation: 80MB 80MB 80MB Database: 60GB (40GB for database, 100GB (60GB for database, 60GB (40GB for database, 20GB temp directory) 40GB for temp directory) 20GB for temp directory) CD-ROM Drive Yes Yes Yes Recommendations to Optimize Performance • Disable DNS resolution - consolidation performance may improve to 32GB of logs/day.