Checkpoint NGX R65 Releasenotes


Page 1: Checkpoint NGX R65 Releasenotes

Copyright © February 2, 2009 Check Point Software Technologies, Ltd. All rights reserved 1

Check Point NGX R65 Release Notes

Revised: February 2, 2009

This Release Notes document provides essential operating requirements and describes known issues for VPN-1/FireWall-1 NGX R65. Review this information before setting up VPN-1/FireWall-1 NGX R65.

In This Document

Note - Before you begin installation, read the latest available version of these release notes at: http://www.checkpoint.com/support/

Information About This Release page 2

Resolved Limitations page 18

Clarifications and Limitations page 22

Documentation Feedback page 42

Page 2: Checkpoint NGX R65 Releasenotes

Information About This Release

VPN-1/FireWall-1 NGX R65 Release Notes. Last Update — February 2, 2009 2

This document contains important information not included in the documentation. Review this information before setting up Check Point NGX R65.

In This Section

Build Numbers page 3

NGX Products, Supported by Platform page 4

NGX Clients, Supported by Platform page 5

Non-upgradable Products page 5

HFAs Included in this Release page 5

Minimum Hardware Requirements page 6

Maximum Number of Interfaces Supported by Platform page 14

Minimum Software Requirements page 15

The Regular Expression (RX) Library page 17

Page 3: Checkpoint NGX R65 Releasenotes


Build Numbers

The following table lists all NGX R65 software products available, and the build numbers as they are distributed on the product CD. To verify each product's build number, use the given command format or direction within the GUI.

Product | Build No. | CLI Command / GUI Selection
VPN-1 Power / UTM | SecurePlatform / Linux 430; Sun 428; Windows 427; IPSO 436 | fw ver
SmartCenter Server | 083 | fwm ver
Provider-1/SiteManager-1 Multi-Domain Server (MDS) | 620000292 | CPvinfo $MDSDIR/lib/libmds.so | grep "Build Number"
Endpoint Security Server | 7.20.084.000 | System configuration > Version information
Endpoint Security Client | 7.00.843.000 | Right-click the System Tray icon and select About
Eventia Reporter Server | 239 | SVRServer ver
Eventia Analyzer Server | 058 | cpsemd ver
SmartView Monitor Server | 013 | rtm ver
UserAuthority Server | 010 | uas ver
SecureClient Policy Server | 008 | dtps ver
SVN Foundation | 432; IPSO 435 | cpshared_ver
UTM-1 Edge | 7.0.27x | Displayed on the default portal page
QoS | 020 | fgate ver
SmartConsole Applications (includes SmartDashboard, SmartView Tracker, SmartView Monitor, SmartLSM, Eventia Reporter Client, Eventia Analyzer Client, SecureClient Packaging Tool, SmartLSM, SmartUpdate) | 620000380 | Help > About Check Point <product name>
Solaris SmartConsole | R65_motif B620000017_1 | Help > About Check Point <product name>
Provider-1/SiteManager-1 Multi-Domain GUI (MDG) | 620000280 | Help > About Check Point Provider-1/SiteManager-1
SmartPortal | 620000098 | cpvinfo /opt/CPportal-R65/portal/bin/smartportalstart
Compatibility Packages: NG, R55W, VSX NGX, UTM-1 Edge | 4017508620000020 | /opt/CPngcmp-R65/bin/fw_loader ver; /opt/CPR55WCmp-R65/bin/fw_loader ver; /opt/CPvsxngxcmp-R65/bin/fw_loader ver; /opt/CPEdgecmp-R65/bin/fw ver
SecuRemote/SecureClient | 019 | Help > About
SecurePlatform | 004 | ver
Performance Pack | 030 | sim ver -k

Page 4: Checkpoint NGX R65 Releasenotes


NGX Products, Supported by Platform

Notes to Products by Platform Table

1. Anti Virus and Web Filtering are included on SecurePlatform.

2. Anti Virus and Web Filtering are supported on Nokia disk-based platforms running IPSO 4.2 Build 42 HF002 or later.

3. UTM-1 Edge devices cannot be managed from a SmartCenter server running on a Nokia IPSO platform.

4. Provider-1/SiteManager-1 is supported on both RHEL 3.0 AS and ES.

5. VPN-1 Power VSX gateways are also supported on Crossbeam Systems X-Series Security Services Switches.

6. Eventia Suite includes Eventia Reporter Server, Eventia Analyzer Server, and the Eventia Analyzer Correlation Unit.

7. UserAuthority is not supported on Nokia flash-based platforms.

8. The following SmartConsole clients are not supported on Solaris UltraSPARC platforms: SmartView Monitor, SmartLSM, Eventia Reporter Client, Eventia Analyzer Client, and the SecureClient Packaging Tool.

9. Enabled ROBO Gateways are not supported on Solaris platforms.

Check Point Product, by Platform and Operating System

Column order: Solaris UltraSPARC 8, 9 & 10; Microsoft Windows Server 2003 (SP1-2); Microsoft Windows 2000 Advanced Server (SP1-4); Microsoft Windows 2000 Server (SP1-4); Microsoft Windows 2000 Professional (SP1-4); Microsoft Windows XP Home & Professional; RHEL 3.0 kernel 2.4.21; Check Point SecurePlatform; Nokia IPSO 4.1 - 4.2

VPN-1 Power / UTM X X X X X X 1 X 2
SmartCenter Server X X X X X X X 3
Provider-1/SiteManager-1 Server (MDS) X X 4 X
VPN-1 Power VSX 5 X
Endpoint Security Server X X X X X
Eventia Suite 6 X X X X X X
UserAuthority Server X X X X X X X X X 7
SSL Network Extender Server X X X X X X X
SmartConsole Applications X 8 X X X X X
Provider-1/SiteManager-1 MDG X X X X X X
SmartPortal X X X X X X
SmartLSM - Enabled Management & Enabled ROBO / CO Gateways X 9 X X X X X X
ClusterXL X X 10 X X X X X 11
VPN-1 Accelerator Driver II X 12
VPN-1 Accelerator Driver III X X X X X X
VPN-1 Accelerator Driver IV X X X
Advanced Routing X X 13
Performance Pack X X X 14
SecureXL Turbocard X 15

OSE Supported Routers

Nortel Versions: 7.x, 8.x, 9.x, 10.x, 11.x, 12.x, 13, 14

Cisco OS Versions: 9.x, 10.x, 11.x, 12.x

Page 5: Checkpoint NGX R65 Releasenotes


10. HA Legacy mode is not supported on Windows Server 2003.

11. ClusterXL is supported only in third party mode with VRRP or IP Clustering.

12. VPN-1 Power Accelerator Driver II is supported on Solaris 8 only.

13. Nokia provides Advanced Routing as part of IPSO.

14. Nokia provides SecureXL as part of IPSO.

15. NGX-compatible Turbocard driver is available at http://www.checkpoint.com/downloads/quicklinks/downloads_tc.html.

NGX Clients, Supported by Platform

Non-upgradable Products

The following Check Point products cannot be upgraded to NGX R65:

• VPN-1 Power SmallOffice, VPN-1 Net

• FireWall-1 4.1

HFAs Included in this Release

This release includes fixes and improvements that were initially distributed as part of NGX R60 Hotfix Accumulator (HFA) R60_HFA_05.

Check Point Product, by Operating System

Column order: Windows Server 2003 (SP1); Windows 2000 Server / Advanced Server (SP1-4); Windows 2000 Professional (SP1-4) / XP Home & Professional; Windows Mobile 2003, 2003SE, 5.0; Mac OS "X"; Linux

SecuRemote X X X
SecureClient X X X X
SecureClient Mobile X
SSL Network Extender X X X
Endpoint Security Clients X X

Page 6: Checkpoint NGX R65 Releasenotes


Minimum Hardware Requirements

In This Section

VPN-1 Power/UTM page 7

Provider-1/SiteManager-1 MDS page 7

Provider-1/SiteManager-1 MDG page 7

VPN-1 Power VSX page 8

Eventia Reporter page 8

Endpoint Security Server page 9

Endpoint Security Clients page 11

SmartConsole page 11

Check Point Clients page 11

SecurePlatform Supported Hardware page 12

Supported Nokia Platforms page 12

Supported SecureClient Mobile Hardware page 13

Page 7: Checkpoint NGX R65 Releasenotes


VPN-1 Power/UTM

The following section shows the minimum hardware requirements for installing a VPN-1 gateway and SmartCenter Server:

VPN-1 Gateway

SmartCenter Server

Provider-1/SiteManager-1 MDS

The following table shows the minimum hardware requirements for installing a Provider-1/SiteManager-1 Multi Domain Server (MDS).

Provider-1/SiteManager-1 MDG

The following table shows the minimum hardware requirements for installing the Provider-1/SiteManager-1 Multi Domain GUI (MDG).

Windows & Linux | Solaris | SecurePlatform
Processor | Intel Pentium II | UltraSparc III | Intel Pentium III
CPU | 300MHz or equivalent processor; 300MHz or equivalent processor
Free Disk Space | 300MB | Installation - 100 MB | 10GB
Memory | Windows: 256MB; Linux: 256MB (512MB recommended) | 128MB | 256MB (512MB recommended)
CD-ROM Drive | Yes | Yes | Yes (bootable)
Network Adapter | One or more | Yes | One or more supported network adapter cards
Video Adapter | supports 800 x 600 resolution; supports 1024 x 768 resolution

Windows & Linux | Solaris | SecurePlatform
Processor | Intel Pentium III | UltraSparc III | Intel Pentium III
CPU | 800MHz or equivalent processor; 800MHz or equivalent processor
Free Disk Space | Windows: 300MB; Linux: 512MB | 400MB | 10GB (installation includes OS)
Memory | 512MB | 512MB | 512MB
CD-ROM Drive | Yes | Yes | Yes (bootable)
Network Adapter | One or more | Yes | One or more supported network adapter cards

Linux | Solaris | SecurePlatform
CPU | Intel Pentium III 1GHz or equivalent processor | UltraSPARC III 900MHz | Intel Pentium III 1GHz or equivalent processor
Memory | 1GB | 1GB | 1GB
Disk Space | 2GB | 2GB | 10GB (install includes OS)
CD-ROM Drive | Yes | Yes | Yes (bootable)

Windows | Solaris
CPU | Intel Pentium III 1GHz or equivalent processor | UltraSparc III 900MHz
Memory | 512MB | 512MB
Disk Space | 100MB | 100 MB
CD-ROM Drive | Yes | Yes
Video Adapter | supports at least 800 x 600 resolution | supports at least 800 x 600 resolution

Page 8: Checkpoint NGX R65 Releasenotes


VPN-1 Power VSX

The following table shows the minimum hardware requirements for installing a VPN-1 Power VSX gateway.

VPN-1 Power VSX gateways are also supported on Crossbeam Systems X-Series Security Services Switches.

Eventia Reporter

The hardware requirements presented below are designed for an Eventia Reporter server that will process at least 15GB of logs per day and generate reports according to the performance numbers. For deployments that will generate fewer logs per day, a machine with less CPU or memory can be used, with the caveat that this may cause degradation in the performance numbers.

Recommendations to Optimize Performance

• Disable DNS resolution - consolidation performance may improve to 32GB of logs/day.

• Configure the network connection between the Eventia Reporter server and the SmartCenter server (or the Log Server), to the optimal speed.

• Use the fastest disk available with the highest RPM (revolutions per minute) and a large buffer size.

• Use the UpdateMySQLConfig to tune the database configuration and adjust the consolidation memory buffers to use the additional memory.

• Increase the machine's memory, as it significantly improves performance.

• Install an uninterruptible power supply (UPS) for the Eventia Reporter Server.

SecurePlatform
CPU | Intel Pentium III 450MHz or equivalent processor
Memory | 512MB
Disk Space | 9GB (install includes OS)
CD-ROM Drive | Yes (bootable)

Windows & Linux Minimum | Windows & Linux Recommended | Solaris
CPU | Intel Pentium IV 2.0 GHz | Dual CPU 3.0 GHz | UltraSPARC III 900 MHz
Memory | 1GB | 2GB | 1GB
Disk Space, Installation | 80MB | 80MB | 80MB
Disk Space, Database | 60GB (40GB for database, 20GB temp directory) | (on 2 physical disks) 100GB (60GB for database, 40GB for temp directory) | 60GB (40GB for database, 20GB for temp directory)
CD-ROM Drive | Yes | Yes | Yes

Page 9: Checkpoint NGX R65 Releasenotes


Endpoint Security Server

Application Server Hardware

• Intel Pentium Intel Core 2

• Intel Dual Xeon 2GHz

Admin Application Server

Bandwidth and Download Requirements

Operating Systems

• Red Hat Enterprise Linux ES v. 3.0 (Update 5)

• Windows 2000 Server (SP4) and Advanced Server (SP4)

• Windows Server 2003 (SP1) v. 5.2.3790

• Check Point Secure Platform (SPLAT) v. R65

Browsers (Administrator Console)

• Internet Explorer v. 6 (SP2) and v. 7

• Mozilla Firefox 1.5 and 2.0 (Recommended)

Users RAM Disk Space

up to 500 1 GB 5 GB

up to 1,000 1 GB 10 GB

up to 2,000 1 GB 12 GB

up to 5,000 1 GB 15 GB

up to 20,000 1 GB 533 GB

Users | Total Bandwidth (Kbps) (1) | Policy Download (Kbps) (2) | Ask Bandwidth (Kbps) (3) | Log Upload Bandwidth (Kbps) (4)
up to 500 | 469 | 1 | 0.8 | 11
up to 1,000 | 916 | 2 | 1 | 22
up to 2,000 | 1,809 | 4 | 3 | 44
up to 5,000 | 4,488 | 11 | 8 | 111
up to 20,000 | 17,882 | 43 | 35 | 444

1. Assumes one sync per day, one heartbeat per minute, one ask per hour, one log upload per hour and one Administrator.

2. Assumes one deployment for all users and policies of certain sizes.

3. Assumes one ask per hour.

4. Assumes one log upload per day.

Page 10: Checkpoint NGX R65 Releasenotes


Supported Gateways and Clients

• Check Point VPN-1 NGX 157 or later

• Check Point VPN-1 Power

• Check Point VPN-1 UTM

• Check Point VPN-1 SecureClient™ with Application Intelligence R56 build 619 or later (recommended)

• Check Point Safe@Office 425W 5.0.58x or later

• Cisco VPN Concentrator v. 4.7.1 or later

• Cisco ASA 5500 Series Adaptive Security Appliance

• Cisco client 4.6.00.0049-K9 or later

• Cisco Aironet 1100 Series Wireless Access Point v.12.2 (11)JA1 (Certified version)

• Nortel Contivity 4.8.083 (Tunnelguard TG_1.1.3.0_002)

• Enterasys RoamAbout R2 G060405 or later

Supported Antivirus Solutions (Pre-Configured)

This section lists the minimum supported versions of third-party antivirus solutions. Generally, VPN-1/FireWall-1 supports the latest version within 60 days of its release.

ALWIL Software | avast! 4 Professional Edition; avast! 4 Server Edition
BitDefender | BitDefender Professional Plus 9.x-10.x; BitDefender Standard 9.x-10.x
Computer Associates | CA Anti-Virus 7.x; eTrust EZ Antivirus 7.x
Eset s.r.o. | NOD32 for Microsoft Windows NT/2000/2003/XP 2.51.x; Enterprise Edition 2.51.x
F-Secure | Anti-Virus 2006; Anti-Virus Client Security 6.x; Anti-Virus for Windows Servers 5.x; Anti-Virus for Workstation 2005, 5.x
Gri-Soft | AVG AntiVirus 7.x
McAfee | VirusScan Professional 7.x; VirusScan 6.x-11.x
Panda Software | Panda Titanium Antivirus 2006, 11.x
Sophos | Anti-Virus 3.x-6.x; Anti-Virus Small Business Edition 2002-2007
Symantec | Symantec AntiVirus Corporate Edition; Norton AntiVirus
Trend Micro | Office Corporate Edition 6.x-8.x; PC-cillin Internet Security 2002-2007

Page 11: Checkpoint NGX R65 Releasenotes


Endpoint Security Clients

Hardware Specifications

Operating Systems

• Microsoft Windows XP Pro (SP2)

• Windows 2000 Pro v. 5.00.2195 (SP4) with crypt32.dll of 5.131.2195.6926

SmartConsole

The following table shows the minimum hardware requirements for installing SmartConsole applications.

Note - SmartConsole on Solaris includes the following applications only: SmartDashboard, SmartView Tracker and SmartUpdate.

Check Point Clients

The minimum hardware requirements for installing Check Point Clients are:

Note - The minimum requirements presented for SecureClient are true for Mac OS-X as well.

Requirement Minimum

Processor Pentium III 450 MHz

RAM 500 MB

Disk Space 60 MB

Windows | Solaris
CPU | Intel Pentium II 300MHz or equivalent processor | UltraSparc III
Memory | 256MB | 128MB
Disk Space | 100MB | 100 MB
CD-ROM Drive | Yes | Yes
Video Adapter | supports 800 x 600 resolution | supports 800 x 600 resolution

SecuRemote / SecureClient | Endpoint Security Agent / Flex
CPU | 133 MHz Pentium-compatible CPU | Intel Pentium II 450 MHz
Memory | 128MB | 256MB
Disk Space | 40MB | 30MB

Page 12: Checkpoint NGX R65 Releasenotes


SecurePlatform Supported Hardware

For details regarding SecurePlatform on specific hardware platforms, see http://www.checkpoint.com/products/supported_platforms/secureplatform.html.

Bond / Bridge Hardware Certifications

Bridge Mode

The following devices were tested and are recommended for use with a Bridge configuration:

• Intel Corporation PRO/1000 PT Dual Port

• Intel Corporation PRO/10GbE SR

• Broadcom NetXtreme (BCM5704, BCM5721,BCM5715)

• Broadcom NetXtreme II (BCM5708S)

• Sun X4422A-2 Dual Port

• Sun 10G GBE

• nVidia Corporation MCP55 Ethernet controller

• Marvell 88E8053 Gigabit Ethernet controller

• Marvell 88E8001 Gigabit Ethernet controller

Bond Mode

The following devices were tested and are recommended for use with a Bond configuration:

• Intel Corporation PRO/1000 PT Dual Port

• Intel Corporation PRO/1000 MT Dual Port

• Broadcom NetXtreme (BCM5704, BCM5721, BCM5715)

• Broadcom NetXtreme II (BCM5708)

• Marvell 88E8053 Gigabit Ethernet controller

• Marvell 88E8001 Gigabit Ethernet controller

The following devices were tested and are NOT recommended for use with a Bond configuration:

• Sun X4422A-2 Dual port Ethernet controller

• Sun 10G GBE

• nVidia Corporation MCP55 Ethernet controller

• Intel Corporation PRO/10GbE SR

Supported Nokia Platforms

The following Nokia platforms are supported in this release.

Platform Type | Hardware Platform
Disk-based | IP260 (note 1), IP350, IP290, IP380, IP390, IP560, IP710, IP740, IP1220, IP1260, IP690
Flash-based | IP290, IP355, IP385, IP390, IP560, IP690, IP1220, IP1260, IP2250, IP2255
Hybrid | IP390, IP560, IP1220, IP1260

1. AV and URL filtering are not recommended on this platform. Please note that AV and URL filtering features are only supported on the disk-based systems with 1GB RAM or higher.

Page 13: Checkpoint NGX R65 Releasenotes


Supported SecureClient Mobile Hardware

Processor

• Intel ARM/StrongARM/XScale/PXA Series Processor family

• Texas Instrument OMAP processor family.

Supported SecureClient Mobile Hardware

The following table shows the minimum hardware requirements for installing SecureClient Mobile:

Any PocketPC device running Windows Mobile 2003/2003 SE or Windows Mobile 5.0 is supported.

Any Smartphone device running Windows Mobile 5.0 is supported.

The devices in the following table have been tested and proved working.

Tested Devices

Tested devices by operating system:

PocketPC running Windows Mobile 2003/2003 SE

• HP/Compaq iPAQ Pocket PC 2003 - series 4150, 4350, 3950, 5450, 5550, 2210, 6340

• HP/Compaq iPAQ Pocket PC 2003 SE / Phone Edition - series 4700, hx2x00

• Dell AXIM X5 PocketPC 2003

• HTC Himalaya (XDA II, MDA II, Qtek 2020, i-Mate, Orange SPV1000)

• HTC Blue Angel (XDA III, MDA III, Qtek 9090, i-Mate 2K, Sprint PPC-660, Verizon XV6600, Cingular SX66)

• HTC Magician (Dopod 818, i-mate JAM, O2 Xda mini, Qtek 5100, MDA Compact)

PocketPC running Windows Mobile 5.0

• Dell AXIM X51v

• HTC Universal (O2 Exec, i-Mate JasJar, Orange M5000, MDA IV)

• HTC Wizard/Apache (Sprint PPC6700, Orange SPV M3000a, T-Mobile MDA Vario, i-mate K-Jam)

• ETEN M600

• Symbol MC70

• Motorola HC700

• Intermec 700

• Palm Treo 700w, 700wx, 700v

• HTC TyTN

Hardened PocketPC devices

• Symbol MC70

• Motorola HC700

• Intermec 700

Windows Mobile 5.0 Smartphone

• HTC Tornado (i-mate sp5/sp5m, qtek 8310)

• HTC StrTrk (i-mate smartflip, qtek 8500, Cingular 3125)

• Samsung i320

• Motorola Q

• HTC S620 (Excalibur, t-mobile Dash)

Page 14: Checkpoint NGX R65 Releasenotes


Supported SecureClient Mobile Communication Cards

Any card that supports the supported devices and provides an IP interface should be valid.

The following cards have also been tested and proved working

• TRENDNet TE-CF100 10/100MBps CompactFlash Fast Ethernet Adapter

• Socket Communications CF Wireless LAN Card

• Linksys WCF 12

• Sierra AirCard 750

• Sierra AirCard 555

• SanDisk Connect WiFi SD Card

• Socket Communications CF Bluetooth Adapter

• Socket Communications Serial Adapter

• Spectec WLAN-11b

Maximum Number of Interfaces Supported by Platform

The maximum number of interfaces supported (physical and virtual) is shown by platform in the following table.

Platform | Max Number of Interfaces
Solaris | 255
Windows | 32
Nokia | 1015
SecurePlatform | 1015 (notes 1, 2)

1. SecurePlatform supports 255 virtual interfaces per physical interface.

2. When using Dynamic Routing on SecurePlatform, 200 virtual interfaces per physical interface are supported.

Page 15: Checkpoint NGX R65 Releasenotes


Minimum Software Requirements

In This Section

Windows Platform page 15

Linux Platform page 16

Solaris Platform page 16

Nokia Platform page 17

SecureClient Mobile page 17

Windows Platform

This release requires the application of service packs SP1, SP2, SP3 and SP4 to Windows 2000 Server/Advanced Server, and service packs SP1 and SP2 to Windows Server 2003.

Endpoint Security Server

Endpoint Security server requires that all service packs be installed for your version of Windows.

In addition, Endpoint Security server supports the following product versions:

Supported Operating Systems (Server)

• Red Hat Enterprise Linux ES v. 3.0 (Update 5)

• Windows 2000 Server (SP4) and Advanced Server (SP4)

• Windows Server 2003 v. 5.2.3790

Supported Browsers (Server)

• Internet Explorer v. 6 (SP1, SP2) and later

• Netscape Navigator v. 7.1 and later

Supported Anti-Virus Solutions (pre-configured)

Endpoint Security server supports the latest version within 60 days of its release.

The following table lists the minimum supported versions of third-party antivirus solutions.

Computer Associates

• Vet v. 10.65.0.10

• eTrust Antivirus (Innoculate IT) v. 7.0.139 and 7.1

• eTrust EZ Antivirus (EZ Armor) 2005 (r3.1)

McAfee

• VirusScan v. 4.1

• VirusScan Enterprise v. 8.0i

• VirusScan Professional v. 9.0

• Internet Security Suite 2004 and 2005

Sophos

• Anti-Virus v. 3.81.0, 3.90.0, and 5.0

• Anti-Virus Small Business Edition 1.0.1

Symantec

• Norton AntiVirus 2004 and 2005

• Norton AntiVirus Corporate Edition v. 9.0 and 10.0

• Norton Internet Security 2004 and 2005

Trend Micro

• PC-cillin Antivirus 2004

• PC-cillin Internet Security 2004 and 2005

• OfficeScan Corporate Edition v. 6.5, 7.0, and 7.5

Page 16: Checkpoint NGX R65 Releasenotes


Supported Instant Messaging Software

• AOL 9, AOL Instant Messenger v. 5.9, AOL Instant Messenger Triton v. 0.1.12 Beta

• MSN v. 7.5, Windows Messenger

• Yahoo Instant Messenger v. 5, 6, and 7

• ICQ v. 5.04, ICQ Pro 2003b

• Trillian v. 2.0.12 (3 protocols), 2.0.13 (4 protocols), 3.0 (4 protocols), and 3.1 (4 protocols)

• GAIM v. 1.0.0, 1.0.2, 1.0.3, 1.1.0, 1.2.1, and 1.5.0

• Miranda v. 0.4rc1

Endpoint Security Agent and Endpoint Security Flex

Browsers

• Netscape Navigator v. 7.2

• Microsoft Internet Explorer v 6.0 SP2 and later

Operating Systems

• Microsoft Windows XP Pro (SP2)

• Windows 2000 Pro v. 5.00.2195 (SP4)

• Red Hat Linux WS 3.0 (Update 5)

• Novell Linux Desktop 9.1 SP1

Linux Platform

This release supports Red Hat Enterprise Linux 3.0. For Red Hat kernel installation instructions, visit: http://www.redhat.com/support/resources/howto/kernel-upgrade.

Solaris Platform

Required Packages

• SUNWlibC

• SUNWlibCx (except Solaris 10)

• SUNWter

• SUNWadmc

• SUNWadmfw

Required Patches

The patches listed below are required to run Check Point software on Solaris platforms. They can be downloaded from: http://sunsolve.sun.com.

Page 17: Checkpoint NGX R65 Releasenotes


To display your current patch level, use the command showrev -p | grep <patch number>

Nokia Platform

This release supports IPSO 4.1 and 4.2. For the latest information on which IPSO releases are supported, see the Nokia Support Web at http://support.nokia.com.

SecureClient Mobile

This release supports the following SecureClient Mobile Operating Systems:

• Pocket PC 2003

• Pocket PC 2003 SE / Phone Edition

• Windows Mobile 5.0 Pocket PC

• Windows Mobile 5.0 Smartphone

The Regular Expression (RX) Library

NGX R65 uses the RX Library. The library license agreement (LGPL) can be downloaded from: http://www.checkpoint.com/techsupport/downloads/docs/firewall1/r55/GNU_LGPL.pdf.

Platform Required Recommended Notes

Solaris 8 108528-18 If the patches 108528-17 and 113652-01 are installed, remove 113652-01, and then install 108528-18.

110380-03

109147-18

109326-07

108434-01 Required only for 32 bit systems

108435-01 Required only for 64 bit systems

109147-40 or higher

Solaris 9 112233-12

112902-07

116561-03 Only if dmfe(7D) ethernet driver is defined on the machine

112963-25 or higher

Solaris 10 117461-08 or higher

When using bge interfaces, operating system updates must be no higher than update 1, and the kernel patch must be no higher than 118822-20. For information regarding installing more recent patches, see Check Point SecureKnowledge sk31772.
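The Solaris patch rules above (minimum revisions, the 113652-01 removal note, and the 118822-20 ceiling for bge interfaces) can be checked against showrev -p output in one pass instead of grepping patch by patch. The script below is an added example, not part of the Check Point release notes; the min:/max:/absent: rule syntax, the function name and the sample showrev output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `showrev -p` output against patch levels from the table.
# Rule syntax is this example's own invention:
#   min:ID-REV     patch ID must be installed at revision REV or higher
#   max:ID-REV     if patch ID is installed, its revision must not exceed REV
#   absent:ID-REV  that exact patch revision should not be installed
# Note: /usr/bin/awk on Solaris lacks -v; use nawk or /usr/xpg4/bin/awk there.

# Patch levels listed for Solaris 8, plus the patch the 108528-18 note says to remove.
SOL8_RULES="min:108528-18 min:110380-03 min:109147-18 min:109326-07 absent:113652-01"
# Solaris 10 with bge interfaces: listed level plus the kernel patch ceiling.
SOL10_BGE_RULES="min:117461-08 max:118822-20"

# audit_patches RULES   (reads `showrev -p` output on stdin)
# Prints one line per violated rule; prints nothing when every rule holds.
audit_patches() {
    awk -v rules="$1" '
        $1 == "Patch:" && $2 ~ /^[0-9]+-[0-9]+$/ {
            split($2, p, "-")
            exact[$2] = 1
            # remember the highest installed revision of each patch ID
            if (!(p[1] in rev) || p[2] + 0 > rev[p[1]]) rev[p[1]] = p[2] + 0
        }
        END {
            n = split(rules, r, " ")
            for (i = 1; i <= n; i++) {
                split(r[i], kv, ":")
                split(kv[2], q, "-")
                id = q[1]; want = q[2] + 0
                if (kv[1] == "min") {
                    if (!(id in rev))
                        print "MISSING " kv[2]
                    else if (rev[id] < want)
                        printf "TOO_OLD %s (installed -%02d)\n", kv[2], rev[id]
                } else if (kv[1] == "max") {
                    if ((id in rev) && rev[id] > want)
                        printf "TOO_NEW %s (installed -%02d)\n", kv[2], rev[id]
                } else if (kv[1] == "absent") {
                    if (kv[2] in exact) print "REMOVE " kv[2]
                }
            }
        }'
}

# Constructed sample in the layout `showrev -p` prints (not from a real host).
SAMPLE_SOL8='Patch: 108528-17 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 113652-01 Obsoletes:  Requires: 108528-17 Incompatibles:  Packages: SUNWcsu
Patch: 110380-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
Patch: 109147-18 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109147-40 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# On a live host: showrev -p | audit_patches "$SOL8_RULES"
printf '%s\n' "$SAMPLE_SOL8" | audit_patches "$SOL8_RULES"
```

An empty result means the host satisfies every rule in the list; each output line names the rule that failed and, where relevant, the revision actually installed.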

Page 18: Checkpoint NGX R65 Releasenotes


Resolved Limitations

This section contains previously documented limitations that now stand as resolved in NGX R65. In general, they are presented in their original format, stressing the limitation, yet should be understood as resolved.

In This Section

Content Inspection page 19

Endpoint Security page 19

Eventia Analyzer page 20

Eventia Reporter page 20

Provider-1/SiteManager-1 page 21

SmartCenter page 21

Page 19: Checkpoint NGX R65 Releasenotes


Content Inspection

16. Resolved: Making changes to the default Content Inspection settings in any demo mode other than Advanced results in numerous error messages and is not supported.

Endpoint Security

17. Flex now supports long custom text. You can create custom text that exceeds 180 characters.

18. In the past, when a non-administrator user logged into a machine after client installation, the client was not correctly licensed. Now, after rebooting the client machine, both administrator and non-administrator users are fully licensed.

19. Agent now supports the Antispyware Action setting Confirm.

20. VPN package installations now occur in a timely fashion.

21. You no longer need to suppress the SmartDefense component to have connectivity with Endpoint Security clients.

22. The Antivirus on-demand (manual or scheduled) scan now functions normally.

23. The Endpoint Security client no longer uses Policy Update or Connectivity Alerts, so they no longer cause issues when the VPN Settings dialog is open.

24. The documentation now describes the button blackout behavior for options that are not available to the user when the enterprise policy is in effect.

25. In VPN Settings | Options tab | Configure Proxy Settings, the Detect proxy from Internet Explorer option now works with Visitor Mode.

26. IKE over TCP is now the default for VPN communication.

27. The import profile option for VPN now functions properly.

28. Due to program filtering enhancements, the option ‘Changes Frequently’ is no longer needed and has been removed.

29. Due to client packager enhancements, it is no longer possible to specify a personal policy in the package. This prevents overriding the local configuration file.

30. Japanese characters are now supported in enforcement rule names.

31. The masteradmin password is now set during installation. The first SmartCenter user to login is no longer prompted to change the password of the masteradmin account.

32. Endpoint Security now closes idle connections after 120 minutes.

33. The "Review Compliance Alerts" link is now only active when there are compliance alerts to review.

34. Endpoint Security clients do not support Windows 98, Windows NT, or Windows ME. If you try to install Endpoint Security on one of these operating systems, it will now prevent the installation.

35. Blocking all connection types for a specific program and then saving your changes no longer causes the permissions to revert to the inherited permissions for the program group.

Page 20: Checkpoint NGX R65 Releasenotes


Eventia Analyzer

36. Resolved: Changes to objects on a High Availability secondary server are not updated on the Eventia Analyzer Server.

37. Resolved: Changes to objects on a High Availability management server are not automatically updated on the Analyzer Server following a sync operation from another HA server.

38. Resolved: After defining a Correlation Unit in Eventia Analyzer, subsequent updates in SmartCenter to objects referenced by the Correlation Unit will not be updated in Eventia Analyzer. To include the updates to the object, do the following:

1. On the Policy tab in Eventia Analyzer, select General Settings > Initial Settings > Correlation Units, and remove the Correlation Unit definition.

2. In SmartCenter, edit the Correlation Unit object, select OK, and select File > Save.

3. Redefine the Correlation Unit in Eventia Analyzer.

39. Resolved: Eventia Analyzer does not support multi threading.

40. Resolved: Logs that are generated and registered to multiple products are not picked up by Eventia Analyzer.

41. Resolved: After modifying an Event Query and saving it, modifications made to the same Event Query immediately after may not be saved. If you wish to make further changes to that Event Query, first click on another query before reopening the modified query.

42. Resolved: On Solaris platforms, after running the command cpstart, objects do not synchronize between SmartCenter and Analyzer Server.

43. Resolved: On Unix platforms, only one Eventia Analyzer administrator can be defined using cpconfig. To define more administrators, use the command fwm -a on the Eventia Analyzer server.

Eventia Reporter

44. Resolved: In High Availability mode, after switching the status of a SmartCenter server from active to inactive, reports that were generated on the now inactive SmartCenter server are unavailable from the Eventia Reporter GUI Client. However, the reports are still available on the Eventia Reporter Server's Results directory.

45. Resolved: When running Eventia Reporter on SecurePlatform, set the number of DNS threads to 150. Setting this value higher may impede the closing of consolidation sessions.

46. Resolved: A Distributed installation of Eventia Reporter Server is not supported on a machine which contains a VPN-1 Power gateway, SecureClient, SmartCenter High Availability server or Provider-1/SiteManager-1 MDS.

47. Resolved: The Log Server on an Eventia Analyzer machine cannot serve as a Log Server for Eventia Reporter.

48. Resolved: When installing a distributed Eventia Reporter on SecurePlatform, make sure to restart the machine when the installation completes.

49. Resolved: The Eventia Reporter Client requires SmartDashboard to be installed on the same machine in order to launch. When installing the Eventia Reporter Client, be sure to install SmartDashboard as well.

50. Resolved: Eventia Reporter cannot be installed via the SecurePlatform WebUI on an Endpoint Security Server.


51. Resolved: Running the SmartCenter Express upgrade on Linux, SecurePlatform or Solaris platforms does not upgrade a previous installation of Eventia Reporter. To upgrade Eventia Reporter, enter the following at the command line:

For Linux and SecurePlatform

1. Copy <CD>/Linux/CPrt/CPrt_unify-R61-00.i386.rpm

2. rpm -i CPrt_unify-R61-00.i386.rpm

For Solaris

1. Copy <CD>/solaris2/CPrt/CPrt.tgz

2. gtar zxvf CPrt.tgz

3. pkgadd -d .

52. Resolved: In a Provider-1 environment, in order to use the Administrator Profiles login using MDS credentials, do the following:

1. Use a text editor to open the file $MDSDIR/conf/mdsdb/tables.C.

2. In the table pv1-administrator, change read_permission from 0x70000 to 0x000000.

3. In table mdss for MDS HA, change read_permission from 0x70000 to 0x000000.

53. Resolved: After installation of Eventia Suite via Web UI, the Eventia Reporter Server does not start automatically. On the Eventia Reporter Server, run the following commands:

1. cpstop

2. evconfig

3. Select Save and Exit from the menu.

4. cpstart

Provider-1/SiteManager-1

54. Resolved: Global SmartDashboard cannot be used to create Connectra or VPN-1 Power/UTM gateway objects. Instead, use a SmartDashboard connected to a specific CMA to create these objects.

55. Resolved: Push Packages Now operation is not supported when working with SmartUpdate from the Multi-Domain GUI.

SmartCenter

56. Resolved: After using the Advanced Upgrade tools to migrate a SmartCenter server to a different machine, RADIUS authentication servers will no longer be able to connect to the SmartCenter server. To re-establish connection between them, do the following on the SmartCenter server:

1. Run the command regedit to open the Windows registry.

2. Locate the key HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\ACECLIENT.

3. Delete the value NodeSecret.

4. Reboot the SmartCenter server.


Clarifications and Limitations

This section contains clarifications and limitations for NGX R65. For further information regarding clarifications and limitations from previous Check Point releases, see the NGX R65 Known Limitations Supplement, located at http://www.checkpoint.com/support/technical/documents/index.html

In This Section

Anti Virus Integration

ClusterXL

Connectra

Content Inspection

Endpoint Security

Eventia Suite

Firewall

Performance Pack

Provider-1/SiteManager-1

QoS

SecureClient Mobile

SecurePlatform

SecureXL

SmartCenter Server

SmartConsole Applications

SmartDashboard

SmartDefense

SmartPortal

SSL Network Extender

User Authority Server


Anti Virus Integration

1. To enable the Hide all connections from internal interfaces to external interfaces behind the gateway feature, use GuiDBEdit. Change the hide_internal_interfaces value to true.

SMTP

2. Anti Virus for SMTP on IPSO is not supported while the SMTP resource is active.

Work around:

- Disable Anti Virus for SMTP

- Remove the SMTP resource

- Configure Anti Virus for SMTP only for connections that have no SMTP resource

ClusterXL

3. When using a bonded interface on a gateway running ClusterXL, be sure to define all slave interfaces as disconnected in the file $FWDIR/conf/discntd.if. For details, see the section “Defining a Disconnected Interface on Unix” in the ClusterXL Administration Guide.

4. Upon failover in clustered deployments, the Dynamic Routing mechanism issues an IGMP General Query, instructing the adjacent devices to re-register for multicast traffic. While current sessions are maintained, newly initiated multicast sessions are delayed until the process completes.

5. Full Connectivity Upgrade from previous versions is not supported in this release. A workaround is to perform the Zero Downtime upgrade, which may result in some connections being disconnected.

6. In asymmetric routing scenarios, enabling Chain Forwarding will allow some features to work. See SecureKnowledge sk32403 for details.

7. The Monitor all VLANs feature is not supported in NGX R65.

Connectra

8. For Connectra limitations, see the Connectra NGX R62CM Release Notes.

Content Inspection

9. Anti Virus and Web Filtering are not supported on an IPSO diskless machine. If Anti Virus or Web Filtering are enabled, all packets will be dropped and a message will be sent to the elg log. Both Anti Virus and Web Filtering should be disabled on an IPSO diskless machine.


Endpoint Security

In This Section

Client Installation, Upgrade, Backward Compatibility

Server Installation, Upgrade, Backward Compatibility

Endpoint Security VPN

Endpoint Security Logging and Tracking

Miscellaneous

Client Installation, Upgrade, Backward Compatibility

10. The Custom Parameter RESETCONFIG to keep personal policy during upgrade is not supported. This affects Flex users who have configured their client rules through the client UI. User settings are always deleted during upgrade and re-connection to the server. Passwords and upgrade keys are kept during upgrade.

11. When installing a client without VPN on an endpoint computer with R60 SecureClient installed, SecureClient will not function properly because of a conflict with SmartDefense. (This conflict does not occur when you install VPN clients, which replace SecureClient.)

Workaround: Install VPN client packages to replace SecureClient. (See the section on Migrating from Check Point SecureClient in the Endpoint Security Administrator Guide.) Alternatively, disable SmartDefense in the client installation package: in the Client Packager, specify the custom parameter: INSTALL_SD=NO

12. The Custom Parameter REBOOTPROMPTWITHSILENT only affects installations when using an msi installer that was created from a Client Package using the msi option. The Custom Parameter does not affect an install that is run using a Client Package directly, including upgrades initiated via enforcement rules.

13. Before upgrading an existing GPO installation using manual upgrade or automatic update feature, you must verify the existing GPO configurations are removed from the client system.

Perform the following steps on the GPO server:

1. Select the installed package, right click, and choose All Tasks | Remove...

2. Select Allow users to continue to use the software, but prevent new installations.

This ensures the GPO settings are cleared on the client's registry but leaves the software on the system.

When the client receives the updated policy, the application settings are removed from the following GPO Application Management registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt

3. Proceed with manual or automatic upgrade.

14. When performing a GPO upgrade, the existing Check Point Endpoint Security client’s disconnected policy must contain a firewall rule that allows outbound traffic to the GPO server's IP. If this is not configured, the upgrade process will not be able to remove the existing software correctly and the GPO upgrade will fail.


Server Installation, Upgrade, Backward Compatibility

15. Endpoint Security is now certified to support 20,000 concurrent endpoint users with default configuration. Higher performance figures are possible with customization for your environment. Contact Check Point Professional Services for information about configuration for more than 20,000 concurrent endpoint users.

16. After installing a distributed Endpoint Security server (with a remote Smart Center), configuring the SIC communication, and installing the database, you must restart the Endpoint Security server machine in order to complete the configuration.

17. After upgrading an Endpoint Security server version 6.5.x to version 7.x, the Smart Portal IP and port will not be correctly configured.

To configure:

1. Log into the Endpoint Security server.

2. Go to System Configuration | Server Settings.

3. Click the Edit button.

4. Enter the correct EndpointServerIP:port for Smart Portal (default Smart Portal port is 4433. For example: 209.87.213.90:4433).

5. Click Save.

18. When installing Endpoint Security in conjunction with other products from the wrapper on Linux and SPLAT, the Endpoint Security server is not configured properly until you run Smart Dashboard and install the database on the local machine.

19. Due to an issue in the SmartCenter import/export mechanism (existing in SmartCenter R65, and, possibly previous versions as well), when exporting and then importing a SmartCenter configuration in environments where the Endpoint Security server is managed by the SmartCenter, the communication between SmartCenter and the Endpoint Security server will cease functioning.

Workaround: Run the command cpprod_util SetCertPath ($CPDIR)/conf/sic_cert.p12 using the value of $CPDIR. You can verify this (on Linux or SPLAT) by using ckp_regedit -p -r HKLM /Software/checkpoint/SIC and reading the value of the CertPath parameter.

20. During SPLAT or Linux Endpoint Security installation, if you do not define a valid administrator, you will not be able to view events in the Endpoint Security reports. You must define a valid administrator during the install process.

21. When installing Endpoint Security on Linux, if you cannot launch SmartPortal, use the following workaround:

1. Edit the /etc/hosts file and make sure the following entry exists: 127.0.0.1 machine's real IP machinehostname

2. Connect to the machine with SmartConsole.

3. Edit the Integrity object.

4. Set the IP address, and choose install Database.

22. Sometimes, after switching from Standby to Active Server, you may need to restart the services.


Endpoint Security Logging and Tracking

23. Endpoint Security servers installed on Check Point's Secure Platform (SPLAT) show the incorrect time in the logs and user interface. The database backup time differs from the time set in the configuration screen. Time settings for other Check Point products on the same SPLAT server are correct.

To correct the time:

1. Log in to the SPLAT machine as an administrator.

2. Switch to expert mode using the 'expert' command.

3. Determine the correct localized timezone by running the command 'timezone -show'.

4. Record the value returned exactly as displayed from the 'timezone -show' command.

5. Switch to the integrity user with the command 'su integrity'.

6. Edit the file '/home/integrity/.bashrc'.

7. Append the line:

export TZ="TIMEZONE"

where 'TIMEZONE' is the value recorded in step 4.

8. Save the file and restart the server with the 'reboot' command.

24. Because SmartPortal and SmartView Tracker do not support multi-byte characters, logs that use multi-byte characters display incorrectly.

Endpoint Security VPN

25. Entrust configuration is not supported in Endpoint Security VPN packages. When you need Entrust configuration, install the Endpoint Security client and SecureClient separately.

26. You cannot configure script execution. If you need script execution for SCV enforcement, you must install an Endpoint Security client and SecureClient separately.

27. When using “Route all traffic through gateway” in conjunction with Office Mode in Endpoint Security with VPN, with SCV enforcement on Endpoint Security, the client sometimes sends packets from the real IP rather than the Office Mode IP. Microsoft Windows Dead Gateway Detection causes this behavior as it handles the default route. To avoid this, change the EnableDeadGWDetect registry key. More information can be found in the SecureKnowledge SK39013 article.

To disable the Dead Gateway Detection mechanism on NG AI R54 and R55, modify the registry as follows:

Note: Always back up the registry before making any modification.

1. Select Start > Run.

2. From the Run dialog box, under the Open field, enter the command regedit.

3. Locate the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters section.

4. Add the following DWORD with the value "0": EnableDeadGWDetect.

5. Save and exit.

6. Reboot.

28. Some buttons on VPN dialogs are not the default button even though they are highlighted as such. This will cause keyboard shortcuts to select different controls than highlighted.

29. The local subnets feature of Hotspot Registration is not enforced. Setting Hotspot.local.subnets.only to ‘true’ has no effect.


30. The Cingular WWAN Connection Manager may conflict with the Endpoint Security VPN client. When switching to the WWAN adapter, the Endpoint Security VPN client may switch to CLI mode.

31. For Firewall-1, the Implied/Hard-Coded rules that are applied before all policy rules do not include the new ports and protocols. You must configure firewall rules to allow Endpoint Security traffic. Use the following steps:

1. Make a copy of the implied_rules.def file on SmartCenter and save it.

2. Under INTEGRITY_HEARTBEAT, change port 6054 to 80.

#define INTEGRITY_HEARTBEAT (udp, dport = 80)

3. Under accept_integrity_server_ports, change port 80 to 2100.

( (tcp, (dport = 443 or dport = 2100)) or INTEGRITY_HEARTBEAT),

Note - Editing the implied_rules.def file must be done carefully and only for important workarounds.
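The implied_rules.def edit from item 31, scripted with a backup copy and a post-check, as an added example (not Check Point's code). The "before" forms of the two lines are inferred from the port changes the steps describe, and the sample file is constructed; compare both with your own implied_rules.def first.

```shell
#!/bin/sh
# Added example: item 31's edit of implied_rules.def with a backup and a post-check.
# Assumption: the unedited lines read "dport = 6054" and "dport = 443 or dport = 80",
# inferred from the port changes the steps describe.

# Succeeds only if both lines have the form shown in steps 2 and 3.
check_implied_rules() {
    grep -q '^#define[[:space:]]\{1,\}INTEGRITY_HEARTBEAT[[:space:]]*(udp, dport = 80)' "$1" &&
    grep -q '(tcp, (dport = 443 or dport = 2100))' "$1"
}

patch_implied_rules() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Step 1: keep a copy of the original; never overwrite an earlier copy.
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig" || return 2

    tmp="$file.new.$$"
    # Step 2: 6054 -> 80, only on the INTEGRITY_HEARTBEAT #define line.
    # Step 3: 80 -> 2100, only on the line that also carries dport = 443.
    sed -e '/^#define[[:space:]]\{1,\}INTEGRITY_HEARTBEAT[[:space:]]/s/dport[[:space:]]*=[[:space:]]*6054/dport = 80/' \
        -e '/dport[[:space:]]*=[[:space:]]*443/s/dport[[:space:]]*=[[:space:]]*80)/dport = 2100)/' \
        "$file" > "$tmp" || { rm -f "$tmp"; return 2; }

    # Refuse to install a result that does not contain both expected lines.
    if check_implied_rules "$tmp"; then
        # Write through the existing file so its owner and mode are kept.
        cat "$tmp" > "$file" && rm -f "$tmp"
    else
        rm -f "$tmp"
        echo "expected lines not found; $file left unchanged" >&2
        return 1
    fi
}

# Constructed sample (not a real implied_rules.def) for trying the function out.
write_constructed_sample() {
    cat > "$1" <<'EOF'
#define INTEGRITY_HEARTBEAT (udp, dport = 6054)
/* constructed: accept_integrity_server_ports entry */
( (tcp, (dport = 443 or dport = 80)) or INTEGRITY_HEARTBEAT),
EOF
}

# Run with --demo to patch the constructed sample in a temporary directory.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && write_constructed_sample "$d/implied_rules.def" &&
    patch_implied_rules "$d/implied_rules.def" && cat "$d/implied_rules.def"
fi
```

The function returns 1 and leaves the file untouched when the result would not contain both edited lines, which catches a file whose layout differs from the assumed one.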

Miscellaneous

32. Endpoint users in the Test Group do not receive automatic updates if Antivirus or Antispyware staging is not configured. Do not place users in the Test Group unless you also configure staging.

33. It is possible to block Antivirus and Antispyware updates with firewall rules. Be sure to configure your firewall rules to allow this traffic.

34. Updates will sometimes fail after initial installation due to file permissions issues. This update failure is not common and subsequent updates are generally successful.

35. The traceroute protocol cannot be used to block trace route outbound. In order to prevent traceroute from working, block the traceroute program with an Application Rule. Alternatively, you could block the inbound ICMP timeout packet, but this may cause issues.

36. When a client is in disconnected mode and has an active disconnected policy it will not ask the server for permissions of programs. Therefore all programs not explicitly overridden in the policy will be treated as “unknown” and will be given permissions according to the "unknown programs" group filter.

37. There are no implied rules to allow remediation or Antivirus or Antispyware updates. Do not configure firewall rules that block this traffic.

38. Logitech QuickCam software version 10.5 is incompatible with the Check Point Endpoint Security client. This causes crashes of many programs when they attempt to start. You must upgrade to version 11.5 of the Logitech QuickCam software.

39. Endpoint Security will not install on endpoint computers that have any active firewalls other than the Microsoft built-in firewall.


Eventia Suite

40. When upgrading Eventia Analyzer on a Windows platform, shut down the SNMP service before performing the upgrade.

41. Eventia Analyzer NGX R65 does not support upgrade from Eventia Analyzer 2.0. To upgrade to a version with similar functionality, install Eventia Analyzer NGX R63.

42. After adding a log file to the Log Server, perform a log switch operation on the Log Server in order to view the log file in the offline job screen.

43. In a Provider-1/SiteManager-1 environment, Eventia Suite only synchronizes global services defined on the MDS and not CMA-specific services.

44. Files that are added to a Log Server may take a few minutes to appear as candidates for correlation in Eventia Analyzer and for consolidation in Eventia Reporter. It can take up to three minutes to appear when placed on an R65 Log Server, and up to 30 minutes when placed on an older Log Server.

45. A new user group in SmartDashboard will appear empty in Eventia until it is modified. If a user group has been created in SmartDashboard and users added during its creation, modify a property (such as color) so Eventia will populate it.

46. Eventia Analyzer only supports the Block Source and Block Event Activity Automatic Reactions in a SmartCenter environment.

47. Eventia Reporter Express Reports do not support the Restore Default Settings (for Report) option. Create a Custom report using the Save Report As option to keep the original Predefined report and the newly configured report.


Firewall

In This Section

Configuration

Services

Logging

VoIP

Anti Virus

Miscellaneous

Configuration

1. All SmartDefense protections under IP and ICMP should not be configured to send an AMT command to quarantined users under User Defined alerts, since such a configuration can cause hosts that have been spoofed to be quarantined.

Services

2. Dynamic opening of audio and video in MSN Messenger over the service MSNMS is not supported if SecureXL is installed.

Logging

3. A connection dropped by a Drop Template is not logged, even if the tracking option for the relevant rule is set to Log.

VoIP

4. SIP TCP and SCCP Failover are not functioning correctly in Third party Clustering solutions. Therefore calls using one of these protocols will not survive cluster failover.

5. Incoming connections will be lost if a failover occurs on a ClusterXL gateway with the following deployment:

• VoIP is SIP over TCP

• SIP proxy in the external network

• Gateway is configured as hide NAT

• Running SecureXL

6. MSN Messenger version 5 is not supported. Additionally, there are a few known issues regarding MSN Messenger when employing Hide NAT:

• When running SIP and the data connection tries to open MSN Messenger connections on hidden networks, the connection fails.

• While audio and video each work separately, they cannot be run concurrently.

7. When using SIP, setting a rule to reject the service high_udp_ports rejects incoming audio as well. A workaround is to use the drop action instead.

8. When an H.323 IP phone that is not part of a handover domain tries to establish a call, the call attempt is blocked and the following message appears on the console: FW-1: fw_conn_inspect: fwconn_chain_lookup failed. If you want to allow this phone to make calls, add it to the handover domain, and the error message will cease to appear. Note that this message may appear in other (non-VoIP) scenarios as well.


9. In some cases, when a user closes an MSN Messenger application (such as Whiteboard) the application will not close automatically at the remote end (the remote user would have to close the application manually).

10. When a SIP-proxy is in the DMZ, Whiteboard and application sharing will not open between external to internal messengers.

Anti Virus

11. SmartDefense protections block an https reply that is transferred by the proxy to the SmartCenter Server using the CONNECT method. In this scenario, a workaround is as follows:

a. On the SmartCenter Server console use the command fw ctl set int asm_http_allow_connect 1.

b. If the https reply is still blocked, disable the Active Streaming defenses.

Miscellaneous

12. Security servers do not support encrypted sessions or clients with Kerberos authentication.

13. In a bond configuration the following features are not supported:

• ClusterXL Load Sharing

• Bonding of more than two interfaces.

14. In a bridge configuration, the following features are not supported:

• NAT

• VPN

• ClusterXL

• Traffic routed between bridged interfaces to other Firewall IP interfaces.

• A connection passing twice through the same bridge.

• Acceleration of connections that traverse two bridge interfaces.

Performance Pack

15. When running Performance Pack on a Solaris platform, routing changes may cause connectivity issues in active connections.


Provider-1/SiteManager-1

In This Section

Upgrade, Migrate, Backup, Restore

Configuration

Licensing

Management High Availability

Management Plug-ins

Global SmartDefense

Global VPN Communities

Upgrade, Migrate, Backup, Restore

16. After completing the upgrade, start the CMAs for the first time in a sequential mode (using the command mdsstart -s). The sequential mode is necessary because otherwise the SDUU process may negatively affect running the CMAs normally for the first time.

17. When upgrading Provider-1 MDS on SecurePlatform, the following message may appear: /bin/ln: /var/CPbackup/schemes/mds.cpbak: File exists. This message can be safely ignored.

18. After migrating from a VPN-1 UTM standalone gateway to a CMA, management of the QoS policy is disrupted. To restore a previous QoS policy, or to create a new QoS policy, from SmartDashboard select File > Add Policy Type to Package.

19. After migrating SmartCenter with two interfaces into a CMA, the CMA will not receive logs. To solve this issue, manually erase the CMA object interfaces after the migration process is complete.

20. When upgrading the Provider-1 Multi Domain Server (MDS), the pre-upgrade configuration should always be backed up using the mds_backup tool. Although the upgrade process offers the chance to do this during the upgrade, in certain cases, the backup will not be performed correctly and the process may enter a loop. It is advised to backup the system prior to initiating the upgrade process instead of using the backup function in the upgrade user interface.

Configuration

21. When adding a new MDS Container to an MDS High-Availability environment, the initial synchronization should succeed. However, if the management Plug-ins installed on the new MDS server are not identical to the other MDS servers, the server will not communicate with the rest of the HA environment. An adequate status will be shown.

22. When using a SmartCenter Backup server, make sure that the same Management Plug-ins are installed on the Provider-1 MDS servers and the SmartCenter Backup server.

23. To perform specific actions for a customer the administrator is required to have Read/Write permissions. If an administrator's permissions are set to 'Customized', the administrator is labeled 'unsafe' or 'untrusted' for specific actions, even if all the options are set to Read/Write. In order to give the administrator full permissions for the following actions, Read/Write All must be selected:

• Configure Customer Management Add-on

• Delete Customer Management Add-on

• Import Customer Management Add-on

• Start Customer Management Add-on

• Stop Customer Management Add-on

• Assigning the Customer Management Add-on to an administrator.


24. Provider-1 customers with Global Manager administrator accounts cannot have read-only access.

The following are the only options available to Provider-1 customers with Global Manager administrator accounts:

a. A Global Manager can have access to Global Policies, but cannot have access to Customer Policies.

b. A Global Manager can have full access to specifically selected Provider-1 Customers.

Licensing

25. It is not possible to add a license to MDS via MDG. To add a license to MDS use ftp and the CLI command cplic add -l filename.

Management High Availability

26. When using SmartView Monitor and/or SmartView Tracker on the active CMA, the CMA cannot be changed to standby. Before making another CMA the active management station, you must first close these SmartConsole applications. You can then make another CMA active, and reconnect to it with these applications.

Management Plug-ins

27. Prior to removing the plug-in package from the Provider-1 Multi Domain Server (MDS), the plug-in should be deactivated from all Provider-1 customers. If removed prior to deactivation, the MDS server might not be able to function.

In such a case, the correct workaround is to install the plug-in package, deactivate the plug-in from all Provider-1 customers and remove the package again.

Global SmartDefense

28. Protecting or excluding Global services in the SmartDefense Spoofed Reset protection (Global SmartDashboard > SmartDefense tab > Network Security > TCP > Spoofed Reset Protection > Exclude) will not cause these services or settings to be applied to the CMA when Global Policy is assigned to participating Global SmartDefense Customers.

The Global services that are assigned when assigning Global Policy are:

• Global services that are referenced by a Global rule.

• Global services that were downloaded by SmartDefense Online Update for Global SmartDefense Customers.

Note that any Protected or Excluded settings made on the Global SmartDashboard in this case are preserved. In addition, if Global services downloaded by SmartDefense Online Update exist locally on the CMA with different Protected or Excluded settings than those in the Global SmartDashboard, the Assign Global Policy operation will fail with the following error message:

Cannot assign Global service '<service-name>' because a different service with the same name already exists in the CMA database. Delete this service from the CMA or rename it prior to performing Assign Global Policy.

In this case, in the SmartDashboard connected to the CMA prior to assigning Global Policy, either rename the service, or delete the service.

29. When activating a SmartDefense protection whose Monitor-only attribute was not modified on a CMA of a Customer set to Merge mode, the Monitor-only setting of the protection will be overridden by the next Global SmartDefense assignment. Thus, if a certain protection is activated in such a CMA without explicitly modifying the Monitor-only attribute, the Global SmartDefense settings will determine whether the traffic will be blocked or logged (i.e., what occurs when Monitor-only is selected).

To preserve the Monitor-only attribute of the SmartDefense protection on the CMA-level, do the following:

1. Activate the SmartDefense protection on the CMA

2. Save the policy.

3. Modify the Monitor-only attribute.

4. Set the Monitor-only attribute to the desired setting.

5. Save the policy.

30. In the Global SmartDashboard > SmartDefense Profile Management view, right-clicking the Default_Protection profile will allow the user to clone the selected profile or create a new profile. Such an action should not be executed.

31. When using the Override mode with one or more Provider-1 customers, consider the following:

Performing an independent SmartDefense Online Update on the CMA level, while trying to override the configuration with an earlier updated version from the Global SmartDashboard, may cause certain conflicts and result in policy verification issues.

If performing an Online Update at the CMA level is an absolute requirement, the customer should either work in Merge mode, or, the Global Policies should not be re-assigned until the Global SmartDefense is re-aligned with the same Online Update.

Global VPN Communities

32. When using the Database Revisions in a CMA that has gateways enabled for global use, consider the following:

When reverting to previous revisions, make sure that one or more of the gateways currently enabled for global use were not in this state when the database revision was created. If one or more of the gateways were enabled for global use when the database revision was created, they should be disabled from global use prior to reverting to the revision.


QoS

33. When working with a Third Party server combined with QOS, you may get a warning regarding activation of QOS on a specific interface. Please ignore this warning.

SecureClient Mobile

Note - For additional information about SecureClient Mobile refer to the Frequently Asked Questions section in the Check Point SecureClient Mobile Release Notes and What’s New document.

34. On the HP PocketPC series, the iPAQWireless application and today item malfunction when SecureClient Mobile is installed. A patch is available through SecureKnowledge database. See SK #32505.

35. When installing the client on Windows Mobile 5.0 PPC, a warning message is issued stating the application is not signed.

The executables and package are signed with a Check Point certificate. One can install the cpcert.cab provided in the ZIP package before installing the client to prevent this warning.

36. When installing the client on a PocketPC 2003 device, it is required to install the unsigned package SecureClient_Mobile_Setup_626000xxx_unsigned.cab.

This is an operating system limitation.

37. When working with certificates authentication, make sure there is only one valid certificate for the relevant gateway in the CAPI store. In case more than one such certificate exists, the first one is used without prompting the client to choose which certificate to use (as done by Internet Explorer).

38. Installing the client to a storage card is not supported.

39. On some devices, an error message with the AcquireCredentialsHandle is mentioned. In most cases this issue is resolved by quitting the client and restarting it. In some cases a soft-reset is required.

40. Connecting through a proxy that requires digest authentication is not supported. NTLM authentication is also not supported.

41. User is unable to connect to site after reboot when PPC is on cradle and the Always Connected option is enabled.

42. Certificate enrollment (CheckPoint CA), a feature that is implemented on both SecureClient and SNX is not supported on this client release. When “Certificate with enrollment” is selected in SmartDashboard and the user does not have a valid certificate in its CAPI store, the result is that the user receives an error message.

43. When the client is installed but not running on a Windows Mobile 5.0 device, ActiveSync is disabled. To overcome this, start the client, then start ActiveSync. Since the client is not running, a change in the firewall policy required for the ActiveSync protocol to run cannot be applied.

44. When using WM5.0, there are cases where uninstalling or upgrading the client fails. In such a case, the client loads with an error message stating that the client drivers did not load. A second uninstall then removes the client completely.

45. When using SCM and SSL Network Extender with RADIUS authentication and ipassignment.conf for Office Mode, the proper IP addresses are not assigned resulting in failed connections.

For a patch to earlier gateway versions please open a Service Request with Check Point support.

46. On some Windows Mobile 5.0 devices, when connecting to the gateway over ActiveSync (used as a network interface), TCP connections targeting resources behind the gateway do not open over the tunnel, usually resulting in a timeout. This is caused by the DTPT LSP “hijacking” all TCP connections and bypassing the routing table.

The available workaround is to change the ActiveSync connection type from RNDIS to Serial. To do this, uncheck Enable advanced network functionality in the 'USB to PC' applet in the device network settings. (This option exists in most WM50 aku2 and above devices.)

47. The flag neo_policy_expire should be configured to have the client update its policy regularly. The following flags are not implemented: neo_enable_automatic_policy_update and neo_automatic_policy_update_frequency.

48. On the Samsung i360 device (Cingular Blackjack), SCM's today/home plug-in can only be activated on the Samsung Home Screen Layouts. The Windows Default layout becomes unusable with SCM home plug-in turned on. To overcome this limitation use one of the Samsung Home layouts or disable the SCM's home plug-in.

49. Changing the value neo_remember_user_password to true becomes operative on the client only after the second login, after the flag was downloaded to the client. The client is updated with the new policy and only in the subsequent login it actually saves the password.

50. The device issues DNS queries on both the physical and virtual interfaces which could expose server names and IP addresses. To prevent this, set the flag neo_allow_clear_while_disconnected to false.

51. MSI installer does not enforce that upgrading should only be done to a higher build number. On the device, when the CAB file is installed this enforcement does take place.

52. If setting the Office Mode pool to high address numbers, for example 230.230.230.0, the users will not be able to connect. A message will appear:

“Client Disconnected: (44) Failed to apply assigned office Mode IP data. If this problem persists you should reset your device.”

This is a general Office Mode problem for all of the Check Point VPN clients.

53. A user that is authenticating using user-password scheme and wants to switch to certificate authentication must clear its cached credentials. This is done on the client: Menu > Options > Clear_passwords.

54. Changing the gateway from SSL Network Extender mode only (snx_enabled) to SCM mode only might cause the client to stop downloading a policy from the server, even if SCM mode (neo_enable) is operative.

55. The flag NEOGUI_NO_GUI is not fully supported. The client has to be restarted for the flag to take effect (the flag should be set before the client's GUI is initialized). The flag NEOGUI_NO_OPTIONS_DLG is not implemented in this client release.

56. Some of the SSL Network Extender (SNX) settings conflict with SecureClient Mobile (SCM) settings. The following flags take precedence when SNX and SCM are both enabled on the same gateway (all are found both in the SNX dialog under Global Properties > Remote Access and on the SecureClient Mobile dialog):

• User authentication method: snx_user_auth_methods over user_auth_methods

• Re-authenticate user every: snx_user_re_auth_timeout over neo_user_re_auth_timeout

• Supported encryption methods: snx_encryption_methods over neo_encryption_methods

• Send keep-alive packets every: snx_keep_alive_timeout over neo_keep_alive_timeout

Smartphone

57. When running the CertImport utility, the selection of the certificate should be done using the [select] key and not by the joystick's center-click. Selecting the certificate with the joystick results in the operating system trying to “run” the certificate and an error message.

58. Smartphone devices are unable to connect over ActiveSync to a PC.

59. The proxy replacement feature is not functional.

60. On some models, when the client is connected, the VNA is falsely identified as a WiFi interface in the home plug-in.

SecurePlatform

61. After initial installation of SecurePlatform on an x3650 system done through USB, the USB keyboard input will not be read through the operating system. On the second boot, the USB keyboard input will be accepted.

Workaround:

1. ssh to the SecurePlatform.

2. Enter expert mode.

3. Execute:

• insmod usbcore

• insmod usb-uhci

• insmod hid

• insmod input

• insmod keybdev

No reboot is necessary. The USB keyboard input will be accepted.

62. Before beginning the upgrade, make sure that sufficient space is available for the /opt partition. On systems that manage VSX gateways, verify that at least 850MB of disk space is available for /opt before upgrade.

63. Implementation of a multicast routing protocol in a PIM-SM (PIM Sparse mode) environment is not supported in the following scenarios:

1. A Rendezvous Point router hides multicast sender IPs behind its own IP (for example, NAT feature).

2. A Rendezvous Point router generates multicast traffic to a multicast group on which it is defined as a Rendezvous Point.

Note - These two scenarios (where a Rendezvous Point runs NAT for hosts or generates its own multicast traffic) are not typical of a real environment.

SecureXL

64. A SYN packet arriving on a connection that has been closed by an RST packet will not be accelerated if the SecureXL device does not support Sequence Verification acceleration.

To verify that the SecureXL device supports Sequence Verification acceleration, run the command fwaccel stat and look for TCP_STATE_DETECT_V2 in the Accelerator Features section.

65. On the Corrent S3500 Turbocard, setting the notification delay to a value less than 27 causes the DLY field of the command fwaccel templates to display incorrect information. However, this issue involves only the command’s display - the device supports such settings.

66. A clear text packet which is dropped by SecureXL on an encrypted connection is logged with service and source port 0.

67. The Template Quota feature is supported on SecurePlatform only.

68. High Load QoS is supported on SecurePlatform only.

69. Aggressive Aging is supported on SecureXL devices that support API 2.5 and above. To verify support, run the command fwaccel ver.

70. The following message will appear in /var/log in SecurePlatform and on the Solaris console after performing Install Policy when SecureXL is enabled: The Rulebase does not support SecureXL Drop Templates. This message can be safely ignored.

71. Aggressive aging is disabled on IPSO when SecureXL is enabled.

SmartCenter Server

In This Section

Platform Specific - Nokia

Installation

Upgrade

Miscellaneous

Platform Specific - Nokia

72. When switching the Connectra NGX R62CM Plug-in package to ON, the following message is displayed:

"A reboot may be required to complete this action. See package documentation for details".

Although you can safely ignore this message, you should run cpstart.

73. When installing NGX R65 on a Nokia machine, the Connectra NGX R62CM Plug-in package is also installed. If you remove it, and want to re-install, you should do so by running newpkg from the command line.

In case you have installed the plugin via Voyager, you should run ./opt/CPPIconnectra-R65/START from the command line in order to activate the plugin.

Installation

74. When connecting to the SmartCenter Server for the first time, the following error message may appear: connection can not be established.

Note - This error appears once (during your first connection) because SmartCenter Server is in the process of a silent SmartDefense update.

If this error appears, wait a few minutes before you attempt to connect to the SmartCenter Server again.

Upgrade

75. As of NGX R65, UTM-1 Edge objects should not have a .default suffix. A UTM-1 Edge box with a .default suffix in its name may suffer from connectivity problems with the SmartCenter. If an object in the database has a .default suffix before the Upgrade process is run, change the name or remove that suffix for a successful upgrade.

76. When upgrading from R60 and earlier to R61 and later versions using the export/import tools, SmartDefense protections involving scanning of SMTP and POP3 traffic will no longer function. If you have not yet performed the upgrade, use the following workaround to prevent this issue:

1. Before using upgrade_import utility, save the file $FWDIR/conf/fwauthd.conf in a temporary place.

2. Run upgrade_import.

3. Run cpstop.

4. Copy the file back.

5. Run cpstart.

If you have already upgraded and are experiencing this problem, do the following.

1. Run cpstop.

2. Use a text editor to open the file $FWDIR/conf/fwauthd.conf.

3. Add the following two lines.

2525 fwssd in.emaild.smtp wait 0

110 fwssd in.emaild.pop3 wait 0

4. Run cpstart.
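
Steps 2 and 3 of the already-upgraded fix above, as an added example that is not part of the Check Point release notes: a shell function that appends the two entries only where they are missing and keeps a copy of the file first. The function names and the .pre-fix backup suffix are hypothetical; run cpstop before it and cpstart after it, as the steps describe.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Check Point code).
# Restores the SMTP and POP3 security-server entries in fwauthd.conf
# without duplicating entries that are already present.

# has_daemon_entry FILE DAEMON
# Succeeds if FILE has a line whose first field is a port number and
# whose third field is DAEMON.
has_daemon_entry() {
    awk -v d="$2" '$1 ~ /^[0-9]+$/ && $3 == d { found = 1 }
                   END { exit !found }' "$1"
}

# ensure_emaild_entries FILE
# Appends whichever of the two entries from the release notes is missing
# and prints how many lines were added (0, 1 or 2).
ensure_emaild_entries() {
    conf=$1
    if [ ! -f "$conf" ]; then
        echo "not found: $conf" >&2
        return 2
    fi
    added=0
    for entry in "2525 fwssd in.emaild.smtp wait 0" \
                 "110 fwssd in.emaild.pop3 wait 0"; do
        daemon=$(printf '%s\n' "$entry" | awk '{ print $3 }')
        if has_daemon_entry "$conf" "$daemon"; then
            continue
        fi
        if [ "$added" -eq 0 ]; then
            # Keep the pre-edit file; ".pre-fix" is an arbitrary suffix.
            cp -p "$conf" "$conf.pre-fix" || return 2
        fi
        # Make sure the last existing line is newline-terminated.
        if [ -n "$(tail -c 1 "$conf")" ]; then
            echo >> "$conf"
        fi
        printf '%s\n' "$entry" >> "$conf"
        added=$((added + 1))
    done
    echo "$added"
}

# Run as: sh script.sh "$FWDIR/conf/fwauthd.conf"
if [ $# -gt 0 ]; then
    ensure_emaild_entries "$1"
fi
```

Because the check is per daemon name, running it a second time adds nothing, so it is safe to re-run after a later upgrade_import.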

77. When performing an in-place upgrade of SmartCenter R61 Enterprise/Pro to NGX R65 on a Linux or SecurePlatform machine that has an installation of Endpoint Security Server R61, the Endpoint Security installation wrapper will run automatically. The user must cancel this operation; otherwise all data on the Endpoint Security Server will be lost and the server will be inaccessible. In this scenario, a workaround is as follows:

1. When the Endpoint Security installation starts, abort the installation by typing quit.

2. When the rest of the upgrade process completes, edit the file <ENDPOINT SECURITYDIR>/engine/webapps/ROOT/bin/opsec/config.propertis as follows:

Change:

FWDIR=/opt/CPsuite-R61/fw1

CPDIR=/opt/CPshrd-R61

To:

FWDIR=/opt/CPsuite-R65/fw1

CPDIR=/opt/CPshrd-R65

3. Register the Endpoint SecurityAmon DLL by running the following command: $CPDIR/bin/amon_config cpstatdll add Endpoint Security <ENDPOINT SECURITYDIR>/engine/webapps/ROOT/bin/opsec Endpoint SecurityAmon

4. Run the following script: <ENDPOINT SECURITYDIR>/bin/install.sh

5. Log out and log in again to the root account.

6. Restart the SmartCenter server.

Note: <ENDPOINT SECURITYDIR> should be replaced by the Endpoint Security installation directory (e.g. /opt/CPEndpoint Security).

Miscellaneous

78. When using SmartView Monitor and/or SmartView Tracker on the active SmartCenter, the SmartCenter cannot be changed to standby. Before making another SmartCenter the active management station, you must first close these SmartConsole applications. You can then make another SmartCenter active, and reconnect to it with these applications.

79. UTM-1 Edge modules are not supported on a SmartCenter server running IPv6.

80. To successfully manage a UTM-1 gateway, define an NGX R62 VPN-1Power/UTM Gateway object.

SmartConsole Applications

81. The Get Interfaces operation for a Check Point object does not return alias IP addresses for real interfaces. To add alias IP addresses to the object's topology, define them manually. Once defined, do not perform the Get Interfaces operation again, as this will erase all manual changes to the object topology.

SmartDashboard

Installation on Solaris UltraSPARC

82. Some of the SmartDefense protections are not presented in the Solaris SmartDashboard.

83. A Demo mode session is only supported when the Solaris SmartDashboard is launched from the home directory (/opt/CPclnt-R65).

84. Logging in with a certificate file is not supported by the Solaris SmartDashboard.

85. SmartDashboard does not support the Compressed Connection mode on Solaris.

SmartDefense

86. The behavior of the Net Quota SmartDefense protection when using ClusterXL in Load Sharing mode is different from the behavior of the same protection on a single gateway. Each cluster member has its own counter. For example, in a 2-member cluster, expect the limit to be twice as much as the limit of a single gateway.

87. When configuring a bridge, make sure to configure an IP address using sysconfig or WebGUI on the bridge interface. Otherwise, the following SmartDefense protections may not be enforced:

• Spoofed Reset Protection

• SYN Attack Defender

• Fingerprint Scrambling

To avoid this, do the following:

1. Open SmartDashboard and edit the gateway object's properties.

2. On the Topology tab of the object, select Get > Interfaces. The resulting window will report that both physical interfaces have the same IP address. A warning message may be generated as well.

3. Acknowledge the warning and for each interface set a different IP address within the subnet of the bridge.

4. On the Topology tab of the internal interface, set the Topology to Internal, and the IP Addresses behind this interface to Specific, and select a pre-defined IP Address Range. Configure Anti-Spoofing as required for your network topology.

5. On the Topology tab of the external interface, set the Topology to External, and the IP Addresses behind this interface to Specific, and select a pre-defined IP Address Range. Configure Anti-Spoofing as required for your network topology.

88. SmartDefense profiles are not supported on VPN-1 Power VSX. Only the default SmartDefense profile applies.

89. Configuring the Block FTP Commands protection in the SmartDefense tab may not activate the protection on VPN-1 Edge gateways. In this case, enforce this command using VPN-1 Edge CLI scripts.

SmartPortal

90. The Solaris tar fails to open tgz files that contain directory names of more than 100 characters. In this scenario, use the GNU tar (gtar) instead. gtar can be found on any Check Point CD in the directory $CPDIR/util.

91. If the Smart Portal checkbox is selected in SmartDashboard it is possible to connect to Smart Portal both from the Endpoint Security server and by direct https access. If the Smart Portal checkbox is not selected in SmartDashboard it is only possible to connect to Smart Portal from the Endpoint Security server.

SSL Network Extender

92. SSL Network Extender is not supported on Nokia IP clusters in Load Sharing mode.

93. A new installation or upgrade of an SSL Network Extender client is not supported via ISB (Endpoint Security Secure Browser). Install or upgrade an SSL Network Extender client via Internet Explorer. Once the installation or upgrade is complete via Internet Explorer, connections to the Internet can be performed via ISB.

94. ISB (Endpoint Security Secure Browser) is not supported on a Windows Vista platform.

User Authority Server

95. When chaining to externally managed UserAuthority Servers, restriction on the exported data is not enforced.

Documentation Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:

[email protected]