
Check Point NGX R65 Known Limitations Supplement

Revised: February 4, 2008

This Known Limitations Supplement document provides essential operating requirements and describes known issues for VPN-1/FireWall-1 NGX R65. Review this information before setting up VPN-1/FireWall-1 NGX R65.

Note - Before you begin installation, read the latest available version of these release notes at: http://www.checkpoint.com/support/

In This Document
Information About This Document
Previously Published Clarifications and Limitations
Documentation Feedback

Copyright February 4, 2008 Check Point Software Technologies, Ltd. All rights reserved

Information About This Document


This document contains known limitations from versions prior to NGX R65 that are relevant for this release. Before setting up NGX R65, review this information in conjunction with the latest NGX R65 Release Notes, available at http://www.checkpoint.com/support/technical/documents/index.html.

Previously Published Clarifications and Limitations


In This Section
ClusterXL
Endpoint Security
Eventia Suite
Firewall
Provider-1/SiteManager-1
SecureXL
SmartCenter Server
SmartPortal
SmartUpdate
UTM-1 Edge
VPN
VPN-1 Power
VSX

VPN-1/FireWall-1 NGX R65 Known Limitations Supplement. Last Update February 4, 2008 5:37 pm


ClusterXL
In This Section
Authentication
Configuration
ConnectControl
General
High Availability
ISP Redundancy
Load Sharing
Platform Specific Nokia
Platform Specific Solaris
Platform Specific Windows
Policy Installation
Security Servers
Services
SmartConsole
State Synchronization
Unsupported Features
VPN-1 Clusters

Authentication
1. When performing manual client authentication (using port 900) to a cluster where the IP addresses of the members are not routable, the URLs returned in the HTML from the replying cluster member contain the non-routable IP address of the member instead of the cluster IP address. This causes subsequent operations to fail. The workaround is to configure the cluster to use a domain name instead of an IP address in the client authentication HTML pages, using the ahttpclientd_redirected_url global property. Make sure that your DNS servers resolve this domain name to the IP address of the cluster.
2. Issues may arise when using automatic or partially automatic client authentication for HTTP on Load Sharing clusters (both ClusterXL and OPSEC clusters). A workaround is to define a decision function based only on IP addresses in order for connections to open. For ClusterXL, go to the ClusterXL tab > Load Sharing > Advanced, and select IPs only. For OPSEC clusters, refer to the product documentation for more information.

Configuration
3. In the Rule Base, when adding a cluster object to the Source or Destination column of a rule, the rule applies only to the cluster addresses. If the rule needs to apply to the cluster member addresses as well, add the member objects to the rule too.
4. To use manual client authentication through HTTP in a cluster environment, set the database property hclient_enable_new_interface to true. This forces the HTTP client authentication daemon to ask for both the user name and password in the same HTML page. When the IP addresses of the cluster members are not routable, the URLs returned in the HTML from the replying cluster member contain the non-routable IP address of the member instead of the IP address of the cluster, which causes subsequent operations to fail. The workaround in this case is to configure the cluster to use a domain name, using the ahttpclientd_redirected_url global property. Make sure that your DNS servers resolve this domain name to the cluster's IP address.
5. Use the commands cpstop and cpstart instead of cprestart on cluster configurations. The command cprestart is not supported on cluster members.


6. A cluster IP interface or a synchronization network interface cannot be defined as a non-monitored (i.e., disconnected) interface.
7. Acceleration is not supported when using ClusterXL Load Sharing with the Sticky Decision Function (SDF). When SDF is enabled, acceleration is automatically turned off. To re-enable acceleration, first make sure acceleration is enabled by running the cpconfig configuration tool. Then disable SDF (in SmartDashboard, edit the Gateway Cluster object, select the ClusterXL page, and click Advanced), and install the new Security Policy twice. Installing the Security Policy twice is also required when moving from ClusterXL Load Sharing with SDF to ClusterXL High Availability when acceleration is turned on.
8. When defining VLAN tags on an interface, cluster IP addresses can be defined only on the VLAN interfaces (the tagged interfaces). Defining a cluster IP address on a physical interface that has VLANs is not supported. The physical interface should be defined with the Network Objective Monitored Private on ClusterXL clusters and as Private on third-party clusters.
9. When setting an interface whose current Network Objective is Sync to Non-Monitored Private, setting another interface's Network Objective to Sync, and then installing policy, the status of the cluster members changes to Active Attention and Down. To avoid this issue, make the configuration change in two phases:
   1. Set the interface whose Network Objective is Sync to Monitored Private (instead of Non-Monitored), set the other interface's Network Objective to Sync, and install policy.
   2. Reconfigure the Monitored Private interface to Non-Monitored and install policy again.
10. When defining a Sync interface on a VLAN interface, it can be defined only on the lowest VLAN tag of a physical interface.
11. Defining the lowest VLAN tag on a physical interface as disconnected (Non-Monitored Private) is not supported.
12. Defining a Sync interface on a VLAN interface is not supported on Nokia clusters or on other third-party clusters.
13. A cluster object must contain two or more gateways. If configuring only one gateway, do not configure a cluster.

ConnectControl
14. The Server Load balance method is not supported.
15. The Domain balance method is not supported for Logical Servers.
16. If a Logical Server is configured with an IP address that belongs to the external network of the gateway, no Automatic Proxy ARP is configured on the gateway for the IP address of the Logical Server. As a result, external hosts cannot communicate with the Logical Server. To resolve this issue, manually configure Proxy ARP using the file $FWDIR/conf/local.arp. See "Automatic Proxy ARP" in the ClusterXL User Guide for local.arp file configuration instructions.
17. Logical Servers are not supported in conjunction with Security Servers.
18. When configuring Server Availability for ConnectControl (SmartDashboard > Policy menu > Global Properties > ConnectControl), the value for the Server availability check interval must be a multiple of 5 and no less than 15.
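The manual Proxy ARP step in item 16, as an added example (a shell script written for this page, not Check Point code). It validates the Logical Server address and the MAC you want answered for it, then adds or replaces that entry in local.arp so a second run never leaves two lines for the same address. Assumptions: the file holds one "IP MAC" pair per line (the layout described under Automatic Proxy ARP in the ClusterXL guide the item cites; confirm it against your release), and the R65 default FWDIR of /opt/CPsuite-R65/fw1 when the variable is unset.

```shell
#!/bin/sh
# Added example, not Check Point code: maintain a manual Proxy ARP entry
# for a ConnectControl Logical Server in $FWDIR/conf/local.arp.
# Assumed file layout: one "IP MAC" pair per line (verify for your release).
# Assumed default install path for NGX R65 when FWDIR is not exported.
FWDIR=${FWDIR:-/opt/CPsuite-R65/fw1}
LOCAL_ARP=${LOCAL_ARP:-$FWDIR/conf/local.arp}

# valid_ipv4 ADDR -> exit 0 if ADDR is a dotted quad with octets 0-255
valid_ipv4() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*|????*) return 1 ;;   # empty, non-digit, or 4+ digits
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_mac ADDR -> exit 0 if ADDR is six colon-separated hex octets
valid_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case $1 in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

# add_proxy_arp IP MAC -> write "IP MAC" to $LOCAL_ARP, replacing any
# earlier line for the same IP; rejects malformed input before touching the file
add_proxy_arp() {
    ip=$1; mac=$2
    valid_ipv4 "$ip" || { echo "bad IP address: $ip" >&2; return 1; }
    valid_mac "$mac"  || { echo "bad MAC address: $mac" >&2; return 1; }
    tmp="$LOCAL_ARP.tmp.$$"
    # keep every existing line whose first field is not this IP, then append
    { [ -f "$LOCAL_ARP" ] && awk -v ip="$ip" '$1 != ip' "$LOCAL_ARP"; echo "$ip $mac"; } > "$tmp"
    mv "$tmp" "$LOCAL_ARP"
}

# proxy_arp_mac IP -> print the MAC recorded for IP (nothing if absent)
proxy_arp_mac() {
    [ -f "$LOCAL_ARP" ] || return 0
    awk -v ip="$1" '$1 == ip { print $2 }' "$LOCAL_ARP"
}

# Usage: sh local_arp.sh <logical-server-ip> <mac-of-the-gateway-external-interface>
if [ $# -eq 2 ]; then
    add_proxy_arp "$1" "$2" && echo "wrote $LOCAL_ARP; install policy so the gateway loads it"
fi
```

The MAC is the hardware address of the gateway's external interface (the one that should answer ARP for the Logical Server). The "install policy afterwards" hint is this example's assumption about when the file is read; the ClusterXL guide section the item cites is the authority.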

General
1. In certain cases, installing policy on a cluster member may cause its state to change and a failover may subsequently occur. To prevent this situation, modify the firewall global parameter fwha_freeze_state_machine_timeout. This parameter sets the number of seconds during policy installation in which no state changes (including the "false" failover) will occur. Set this parameter to the shortest period which eliminates the issue; the recommended value is 30 seconds.


2. Performing an SNMP query on both the cluster's IP address and the members' IP addresses concurrently is not supported. The SNMP query can be run against only one or the other at a time. Alternatively, wait for the UDP virtual session timeout to expire between SNMP queries to the different IP addresses. This timeout defaults to 40 seconds and can be set in Global Properties > Stateful Inspection.

High Availability
3. In legacy High Availability mode for ClusterXL, MAC address synchronization is not supported for VLAN tagged interfaces. Use new High Availability mode, or manually configure the MAC addresses of the interfaces using the ifconfig CLI or WebUI.
4. Issuing a Stop Member command in SmartView Monitor performs the cphastop command on this member. Among other things, this disables the State Synchronization mechanism. Any connections opened while the member is stopped will not survive a failover event, even if the member is restarted using cphastart. Connections opened after the member is restarted are synchronized as normal.

ISP Redundancy
5. In a ClusterXL ISP Redundancy configuration, the names of the external interfaces of all cluster members must be identical and must correspond to the names of the external interfaces of the cluster object. For example, if the cluster object has two external interfaces called eth0 and eth1, connected to ISP-1 and ISP-2 respectively, each cluster member must have two external interfaces called eth0 and eth1, connected to ISP-1 and ISP-2 respectively.

Load Sharing
6. Under load, TCP packet out of state error messages may appear. Each case has a specific resolution. Refer to the Firewall and SmartDefense guide for a full explanation and the security implications.
   - message_info: TCP packet out of state - first packet isn't SYN, tcp_flags: FIN-ACK
   - message_info: TCP packet out of state - first packet isn't SYN, tcp_flags: FIN-PUSH-ACK
     In SmartDashboard > Global Properties > Stateful Inspection, increase the TCP end timeout. The recommended value is 60 seconds. If there are many connections, consider enlarging the connection table size in the same ratio as the TCP end timeout.
   - message_info: SYN packet for established connection
     Run the command: fw ctl set int fw_trust_rst_on_port <port>
     When a single port is not enough, set the port number to -1, meaning that you trust a reset from every port. This widens the set of packets allowed to tear down a tracked connection; review the security implications described in that guide before using it.
   - For other out of state messages, run the command: fw ctl set int fwconn_merge_all_syncs 1
     This allows a more reliable way of merging TCP states across asymmetric connections.
7. When employing SecurID for authentication, it is recommended to define each cluster member with its own unique (internal) IP address separately on the ACE/Server. In addition, to send packets to the ACE/Server with their unique IP addresses and not the VIP address, edit the file table.def, located in $FWDIR/lib. Change the line starting with no_hide_services_ports to, for example:
   no_hide_services_ports = {<5500, 17>}
   where 5500 is the service port and 17 (UDP) is the protocol.
8. For the first few seconds of an asymmetric connection, server-to-client packets are not accelerated. An asymmetric connection, such as an FTP data connection through an accelerated ClusterXL cluster, is one where the server-to-client side is handled by a different member than the client-to-server side. Asymmetric connections are only opened when using VPN or static NAT. This is a temporary performance degradation that affects only a small percentage of traffic.
9. When installing a new policy that uses the Sticky Decision Function (configured in SmartDashboard > Cluster Object > ClusterXL page > Advanced), and the old policy used the regular decision function, some connections may be lost, especially connections to or from the cluster members. New connections are unaffected.
10. After a failover, non-pivot members of a ClusterXL cluster in Unicast mode may report incorrect load distribution information. For the correct load distribution, review the information reported by the pivot member.
11. When using ClusterXL in Load Sharing mode with the Sticky Decision Function enabled, the failure of a module within 40 seconds of an IKE negotiation may cause a connectivity failure with that peer for up to 40 seconds. When the failure involves a PIX gateway, communications may be interrupted for up to 40 seconds. When the failure involves an L2TP client, communications may be disconnected, as keepalive packets are blocked during this period.

12. traceroute may fail if it passes through a Load Sharing cluster. To resolve this issue, on the Cluster object, select ClusterXL > Advanced and in the Advanced Load Sharing Configuration window you should either: select Use Sticky Decision Function, or change the selection for Use sharing method based on: to IPs.
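The message-to-remedy mapping from item 6 above, as an added example (a shell script written for this page, not Check Point code). It sorts out-of-state log messages into the three remediation groups the item gives and prints the matching remedy, so a log export from a busy Load Sharing cluster can be triaged in one pass instead of by eye. The sample log lines are constructed in a simplified "field: value;" layout so the script runs offline; only the message_info and tcp_flags fields and their values are taken from the item.

```shell
#!/bin/sh
# Added example, not Check Point code: triage "out of state" messages from a
# Load Sharing cluster into the remediation groups given in item 6.
# SAMPLE_LOG is CONSTRUCTED for offline use; feed real log exports through
# classify_line one line at a time instead.
SAMPLE_LOG="time: 12:00:01; src: 10.1.1.5; dst: 10.2.2.8; message_info: TCP packet out of state - first packet isn't SYN; tcp_flags: FIN-ACK;
time: 12:00:02; src: 10.1.1.6; dst: 10.2.2.9; message_info: TCP packet out of state - first packet isn't SYN; tcp_flags: FIN-PUSH-ACK;
time: 12:00:03; src: 10.1.1.7; dst: 10.2.2.8; message_info: SYN packet for established connection; tcp_flags: SYN;
time: 12:00:04; src: 10.1.1.8; dst: 10.2.2.8; message_info: TCP packet out of state - first packet isn't SYN; tcp_flags: ACK;
time: 12:00:05; src: 10.1.1.9; dst: 10.2.2.8; message_info: Address spoofing;"

# classify_line LINE -> prints tcp_end_timeout | trust_rst | merge_syncs | other
# The first two groups match the exact message/flag pairs quoted in item 6;
# any other "out of state" message falls into the merge_syncs group.
classify_line() {
    case $1 in
        *"first packet isn't SYN"*"tcp_flags: FIN-ACK"*|*"first packet isn't SYN"*"tcp_flags: FIN-PUSH-ACK"*)
            echo tcp_end_timeout ;;
        *"SYN packet for established connection"*)
            echo trust_rst ;;
        *"out of state"*)
            echo merge_syncs ;;
        *)
            echo other ;;
    esac
}

# remedy CLASS -> prints the action item 6 prescribes for that class
remedy() {
    case $1 in
        tcp_end_timeout) echo "Global Properties > Stateful Inspection: raise TCP end timeout (60 s recommended); scale the connections table by the same ratio" ;;
        trust_rst)       echo "fw ctl set int fw_trust_rst_on_port <port>   (-1 trusts RST from every port; weigh the security implications first)" ;;
        merge_syncs)     echo "fw ctl set int fwconn_merge_all_syncs 1" ;;
        *)               echo "not an out-of-state message; see the Firewall and SmartDefense guide" ;;
    esac
}

# count_class CLASS -> number of SAMPLE_LOG lines that classify as CLASS
count_class() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do
        classify_line "$l"
    done | grep -c -x "$1" || true
}

# Summary for the constructed sample: one line per class with its remedy
for c in tcp_end_timeout trust_rst merge_syncs other; do
    printf '%-16s %s line(s): %s\n' "$c" "$(count_class "$c")" "$(remedy "$c")"
done
```

For a real export, replace SAMPLE_LOG with the file contents (or pipe the file into the same read loop); the classification depends only on the message_info and tcp_flags text, not on the surrounding field layout.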

Platform Specific Nokia


13. Either Nokia VRRP or Nokia IP Clustering configuration must be used when creating a cluster based on an IPSO platform. Using other OPSEC Certified third-party clustering products (such as OPSEC Certified external load balancers) to create a cluster based on IPSO platforms has limited support. Contact Check Point Support for configuration instructions and a list of associated limitations.
14. After configuring a gateway cluster on a Nokia platform via the Simple mode (wizard), be sure to complete the cluster interface definition on the Topology page of the cluster object.
15. The feature Connectivity enhancements for multiple interfaces is not supported on Nokia IP Clustering in Forwarding mode.
16. NAT rules should not be applied to VRRP traffic. To prevent NAT rules from being applied to VRRP traffic, define the following manual NAT rule and give it higher priority than other NAT rules that relate to Cluster VIPs or to their networks:

   Original Packet
     Source:       Physical IP of VRRP members
     Destination:  VRRP IP: 224.0.0.18
     Service:      Any
   Translated Packet
     Source:       Original
     Destination:  Original
     Service:      Original
   Install On:     relevant cluster

17. When configuring a Nokia IP Cluster, do not set the primary or secondary interfaces to Network Objective Private. Check Point recommends setting a Nokia IP Cluster's primary interface to Network Objective Cluster, and its secondary interface to Network Objective Cluster or Sync.
18. The Get Topology operation supports up to 256 interfaces on Nokia platforms. To define more than 256 interfaces, you must do so manually.


Platform Specific Solaris


19. When configuring virtual interfaces on Solaris GigaSwift interfaces, ClusterXL may not recognize the virtual interfaces in cases where no corresponding physical interface is defined. If the virtual interface is not recognized, it will not run a monitoring mechanism and will not perform failover. To make ClusterXL work properly on such virtual interfaces, the corresponding physical interface must be defined. For example, when a CE device with an instance of 0 is defined on the system, the /etc/hostname.ce0 file must be created and must contain some arbitrary IP address that will be assigned to the physical interface.
20. ClusterXL does not support defining VLANs on Solaris bge interfaces.
21. When configuring VLAN tags, set the IP address on the VLAN physical interface. If the physical (untagged) interface is not used, the IP address can be any IP address. For example: if the physical interface is ce1, and the VLAN interfaces are ce1001 and ce2001, then ce1 must also have an IP address.
22. ClusterXL in Unicast mode (Pivot) is not supported on Solaris when using VLAN tagging.
23. When using a Fujitsu GigEthernet NIC (fjgi and fjge interfaces) with Check Point Load Sharing (CPLS) multicast, packets can be received only when the interface is set to promiscuous mode.

Platform Specific Windows


24. On Windows platforms, when switching from High Availability Legacy to High Availability New Mode or Load Sharing, the CCP transport mode is set to broadcast instead of multicast. A workaround is to toggle the CCP mode via the following command on each cluster member: cphaconf set_ccp multicast.

Policy Installation
25. When installing policy on a cluster with a Layer 2 bridge defined, the installation may fail with the following error: Load on Module failed. To resolve this issue:
   1. Set the environment variable FW_MANAGE_BRIDGE to 1 on the SmartCenter server. To do so, update the files $CPDIR/tmp/.CPprofile.csh and $CPDIR/tmp/.CPprofile.sh so that they set the environment variable FW_MANAGE_BRIDGE to 1.
   2. Install policy.
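One way to carry out step 1 without hand-editing the two profile files, as an added example (a shell script written for this page, not Check Point code). It appends the variable to each file only if it is not already there, so re-running it never stacks duplicate lines, and offers a check you can run before installing policy. Assumptions: the R65 default CPDIR of /opt/CPshrd-R65 when the variable is not exported, setenv syntax for the csh profile, and an assignment plus export for the sh profile.

```shell
#!/bin/sh
# Added example, not Check Point code: set FW_MANAGE_BRIDGE=1 in both
# CPprofile files on the SmartCenter server, idempotently.
# Assumed default install path for NGX R65 when CPDIR is not exported.
CPDIR=${CPDIR:-/opt/CPshrd-R65}

# add_env_line FILE LINE -> append LINE to FILE unless an identical line exists
add_env_line() {
    file=$1; line=$2
    if [ -f "$file" ] && grep -q -F -x "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# set_manage_bridge -> write the csh and sh forms of the variable
set_manage_bridge() {
    add_env_line "$CPDIR/tmp/.CPprofile.csh" "setenv FW_MANAGE_BRIDGE 1"
    add_env_line "$CPDIR/tmp/.CPprofile.sh"  "FW_MANAGE_BRIDGE=1; export FW_MANAGE_BRIDGE"
}

# has_manage_bridge FILE -> exit 0 if FILE sets FW_MANAGE_BRIDGE to 1 in either syntax
has_manage_bridge() {
    grep -q -E '^(setenv FW_MANAGE_BRIDGE 1|FW_MANAGE_BRIDGE=1)' "$1"
}

# Only act where the profile directory exists, i.e. on the SmartCenter host
if [ -d "$CPDIR/tmp" ]; then
    set_manage_bridge
    echo "FW_MANAGE_BRIDGE set in $CPDIR/tmp/.CPprofile.csh and .CPprofile.sh; now install policy"
fi
```

Open a new shell (or source the profile) before installing policy so the variable is actually present in the environment of the process that performs the installation.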

Security Servers
26. Security Servers are not supported with Sequence Verifier in Load Sharing cluster environments.

Services
27. When using T.120 connections, make sure you manually add a rule that allows T.120 connections.


SmartConsole
28. When working with a third-party cluster object with QoS, if you move from the Topology tab to a different tab, the following error message appears: No interface was activated in QoS tab for this host (Inbound or Outbound). Do you want to continue? Select Yes and continue your operation. This error message can be safely ignored.
29. SmartUpdate shows cluster members as distinct gateways without the common cluster entity. When cluster members are not of the same version, applying Get Check Point Gateway Data on a cluster member sets that member's version on the cluster object. To set the version of the cluster correctly, apply the Get Check Point Gateway Data command to the cluster member with the latest version.
30. If two or more interfaces on the same cluster member share the same IP address and net mask (as might occur when defining bridge interfaces), only one interface is displayed in the Topology tab in SmartDashboard. To manage interfaces with the same IP address and net mask, use the GuiDBedit tool.
31. When using ClusterXL in High Availability Legacy mode, the Network Objective is set automatically to Cluster if all of the members' interfaces on that network have the same IP address and netmask. Changing the Network Objective to a different setting is, in this case, overridden by the system, which changes it back to Cluster after you click OK.
32. When deleting a network via the Topology page (Cluster Object > Properties > Topology > Edit Topology), selecting the Name or IP address of one of the interfaces and then clicking Remove results in the following error message: Please select an interface. To remove a whole network, remove all the interfaces (members and cluster) and click OK.

State Synchronization
33. A cluster member will stay in the Down state if it is detached and then reattached to the cluster, as it does not automatically perform a full sync upon reattachment. To force a full sync, run the following commands on the module:
   fw ctl setsync off
   fw ctl setsync start
34. Upon completion of full synchronization (Full sync), the error message State synchronization is in risk is displayed on the cluster member on which the synchronization is taking place. If this message occurs only once, immediately following Full sync, it can be safely ignored. If this message appears erratically, consult the ClusterXL user guide, section Blocking New Connections Under Load.

Unsupported Features
35. Cluster deployments automatically hide the IP addresses of the cluster members behind a virtual IP address. If you manually add NAT rules that contradict this configuration, the manually added NAT rules take precedence. For details, see the ClusterXL Advanced Configuration chapter of the ClusterXL Guide.
36. TCP connections inspected by Web Intelligence or VoIP Application Intelligence features will not survive failover. In the event of failover, these connections are reset.
37. The compatibility matrix for third-party clustering solutions (other than Nokia) is specified at the following link: http://www.opsec.com/solutions/perf_ha_load_balancing.html. If a certain third-party solution is not specifically listed as supported for this release, you must assume it is currently not supported. For Nokia clustering (VRRP or IP Clustering), see the Check Point Software and Hardware Compatibility section of the ClusterXL guide for information regarding which IPSO release is supported with this VPN-1 release.
38. Mounting an NFS drive on a cluster member is not supported, as hide NAT changes the IP address of the cluster member, and the server cannot resolve the resulting mismatch.


39. The following Web Intelligence features require connections to be sticky:
   - Header spoofing
   - Directory listing
   - Error concealment
   - ASCII only response
   - Send error page

A sticky connection is one where all of its packets, in either direction, are handled by a single cluster member. If you enable one of the features listed above, make sure that your clustering solution supports sticky connections. Sticky connections can be guaranteed for Web connections in the following configurations:
   - ClusterXL High Availability
   - ClusterXL Load Sharing with Sticky Decision Function enabled
   - ClusterXL Load Sharing with no VPN peers, no static NAT* rules and no SIP
   - Nokia VRRP Cluster
   - Nokia IP Clustering configuration with no VPN peers, static NAT* rules or SIP
   - For other OPSEC certified clustering products, refer to the OPSEC-certified product's documentation.

40. The following VoIP Application Intelligence (AI) features require connections to be sticky:
   - H.323
   - SIP over TCP
   - Skinny

A sticky connection is one where all of its packets, in either direction, are handled by a single cluster member. If you enable one of the features listed above, make sure that your clustering solution supports sticky connections. Sticky connections can be guaranteed for VoIP connections in the following configurations:
   - ClusterXL High Availability
   - ClusterXL Load Sharing with no VPN peers or static NAT* rules
   - Nokia VRRP Cluster
   - Nokia IP Clustering configuration with no VPN peers or static NAT* rules
   - For other OPSEC certified clustering products, refer to the OPSEC-certified product's documentation.

41. Sticky connections cannot be guaranteed on ClusterXL Load Sharing Unicast mode with hide NAT.
42. To support SSL Network Extender in a ClusterXL Load Sharing configuration, enable the Sticky Decision Function.

VPN-1 Clusters
43. When defining Office Mode IP pools, make sure each cluster member has a distinct pool.
44. Before adding an existing gateway to a cluster, remove it from all VPN communities in which it participates.
45. When detaching a cluster member from a VPN cluster, manually remove the VPN domain once the member has been detached.

* Including ConnectControl Logical Servers.


46. Peer or secure remote gateways may show error messages when working against an overloaded gateway cluster in Load Sharing mode. This is due to IPsec packets arriving with an old replay counter. These error messages can be safely ignored.
47. Using the Sticky Decision Function with VPN features guarantees connection stickiness only for connections that pass through the cluster, not for connections originating from or destined to a cluster member.
48. When a Check Point VPN-1 NGX peer is connected directly to a Check Point cluster (i.e., the peer and the cluster are located on the same VLAN and there is no Layer 3 (IP) routing device between them), the following features are not supported:
   - ISP Redundancy
   - VPN link selection - Reply from same interface

This issue can be resolved either by placing a router between the VPN peer and the cluster, or by disabling these features. (Neither feature is enabled by default.) To disable ISP Redundancy, in SmartDashboard edit the gateway object > Topology > ISP Redundancy, and clear Support ISP Redundancy. To disable VPN link selection - Reply from the same interface, in SmartDashboard edit the gateway object > VPN > Link Selection > Outgoing Route Selection, and do the following:
   A. Under When initiating a tunnel, enable Operating system routing table.
   B. Under When responding to remotely initiated tunnel, select Setup, and enable Use outgoing traffic configuration.
49. When configuring a VTI cluster interface, assign it a name identical to the name of the member interface.


Endpoint Security
In This Section
Server Installation, Upgrade, and Backward Compatibility
Client Installation, Upgrade, and Backward Compatibility
Integration
Logging, Alerts, and Errors
Localization and Special Characters
Gateways and Third Party Product Integrations
Miscellaneous

Server Installation, Upgrade, and Backward Compatibility


1. By default, VPN-1/FireWall-1 and the Check Point SecurePlatform administration interface both use port 443 for SSL communication. If you plan to run VPN-1/FireWall-1 on SecurePlatform, change the SecurePlatform SSL port to a different port during the operating system installation. Do not change the VPN-1/FireWall-1 default port, as this is not supported.
2. Normally, after installing VPN-1/FireWall-1, answering Y to the message Would you like to start VPN-1/FireWall-1 after exiting? starts VPN-1/FireWall-1. If this does not work, type cpstop and cpstart (or, with a Provider-1 setup, mdsstop and mdsstart) to start VPN-1/FireWall-1.

Client Installation, Upgrade, and Backward Compatibility


3. Clients cannot download packages from an external source while they are restricted. If the client becomes restricted due to a client Enforcement rule, and the rule specifies an upgrade package on an external URL, the client may not be able to download the external package. This can occur even if the external URL actually points to VPN-1/FireWall-1. A workaround is to upgrade using the Upgrade package from VPN-1/FireWall-1 option rather than upgrading from an external URL.

Integration
4. If you see an unexpected error when logging into VPN-1/FireWall-1 with your SmartCenter administrator credentials, it may be because your SmartCenter license has expired or become invalid. If you are running VPN-1/FireWall-1 together with SmartCenter (either on the same host or on separate hosts), and your SmartCenter license expires or becomes invalid, you are not able to log on to VPN-1/FireWall-1 using your SmartCenter administrator credentials. This occurs whether you are trying to log on to VPN-1/FireWall-1 directly or through SmartDashboard. Use the cplic command to check the status of your SmartCenter license, and if necessary, set a new SmartCenter license. (For information on cplic, see the Check Point Command Line Interface Guide.) Even if your SmartCenter license is invalid, however, you can log in to VPN-1/FireWall-1 using your VPN-1/FireWall-1 administrator credentials.

5. If you are setting up a distributed installation (in which VPN-1/FireWall-1 and SmartCenter run on separate hosts), VPN-1/FireWall-1 does not automatically synchronize with SmartCenter. To synchronize VPN-1/FireWall-1 with SmartCenter, restart VPN-1/FireWall-1 after you install and configure SmartCenter, install the database, and establish Secure Internal Communication (SIC).
6. If you are setting up a distributed installation (one in which VPN-1/FireWall-1 and SmartCenter run on separate hosts), changing the logging settings to store VPN-1/FireWall-1 logs locally results in an authentication error on every attempt to view logs from within VPN-1/FireWall-1. In this configuration, view the logs with SmartView Tracker or SmartPortal.


7. After installing VPN-1/FireWall-1 on a Provider-1 MDS machine, perform the following steps to prevent a crash:
   1. Stop the CMA that works with VPN-1/FireWall-1.
   2. Log out of the shell used to start the VPN-1/FireWall-1 installation.
   3. Log in again to the root account.
   4. Start the CMA.
   After upgrading a Provider-1 MDS server that includes an installation of VPN-1/FireWall-1 associated with one of the CMAs, perform the same procedure.

Logging, Alerts, and Errors


8. Continuous looping of log uploads occurs if the minimum number of events is less than 2. To prevent this, in the Client Configuration > Client Settings panel's Log Upload Size area, set the minimum number of events to 2 or greater.
9. SNMP traps sent from VPN-1/FireWall-1 are logged to the /var/log/messages file, but the messages are in hex codes. A workaround is to enable syslog and SNMP traps in Linux by issuing the following commands:
   syslogd -h -r -m 0   (enables syslog with the remote option)
   snmptrapd -Oa        (enables snmptrapd and routes its output to syslog)
   Note that the -r option makes syslogd accept log messages from the network (UDP port 514); make sure that port is not reachable from untrusted networks.
10. While Apache is running, it shows the following error: (730038)An operation was attempted on something that is not a socket.: winnt_accept: AcceptEx failed. Attempting to recover. Workaround: place the directive Win32DisableAcceptEx on a separate line at the beginning of the httpd.conf configuration file (in install_dir\apache2\conf), and then restart Apache.
11. Logging at the Info level can produce a lot of data. For this reason, do not set Info level notifications to be sent by e-mail.

Localization and Special Characters


12. Classic Firewall Rules cannot contain certain symbols. You cannot use the ampersand ('&'), quotation marks, or the less-than symbol ('<') in the names of Classic Firewall Rules.
13. Using Client Rules to update clients of different locales (languages) is not supported. The rules are applied regardless of the client locales, which results in all clients being updated to the same language. Workaround: assign a different policy with a different Client Rule to each client with a different locale. You can move all users back to a shared policy after the upgrade has completed.
14. Localized characters are not supported in the Install Key. You cannot use non-English characters in the Install Key in the Client Packager page. Workaround: use only ASCII characters for the Install Key.
15. In search fields in the VPN-1/FireWall-1 administration console, VPN-1/FireWall-1 interprets the characters % and _ as search wildcards, not as literal characters to search for.

Gateways and Third Party Product Integrations


16. In order for the Endpoint Security client to detect McAfee VirusScan Enterprise virus definitions, you must use the full McAfee product version number when referencing it for the Endpoint Security client. This is because the McAfee product's user interface displays only a portion of the product version number.
17. SecureClient is not compatible with PC-Cillin 2005. If you have SecureClient installed, you will not be able to also install PC-Cillin 2005.


18. Endpoint Security clients do not recognize full version numbers for Sophos antivirus products. Endpoint Security clients recognize version numbers only up to two places after the first decimal point (x.xx).
19. A personal policy is not able to block Microsoft Remote Desktop. You cannot block Microsoft Remote Desktop using application rules.
20. If you are using EAP and the Network Interface Card is disabled, it will remain disabled even after reboot.
21. If a client is out of compliance with an Enforcement Rule that is configured to Warn or Observe, the VPN Security Configuration (or SCV status) is displayed as Verified. It is displayed as Not Verified only if the Enforcement Rule is configured to Restrict the client.

Miscellaneous
22. Scheduled Antispyware scan times can be incorrect when the Endpoint Security server and the Endpoint Security client are located in different time zones. This is because the scan time always occurs at the specified time in the server's time zone instead of the client's time zone.
23. Internet Explorer (6.x) limits to 3000 the number of groups you can import into an NTDomain, LDAP, or RADIUS catalog on VPN-1/FireWall-1. To import more than 3000 groups, use another of the supported browsers. Mozilla Firefox is the only compatible browser that accommodates imports of more than 10,000 groups. For very large imports, the import page may take up to ten minutes to display all imported groups. When importing groups with a browser other than Internet Explorer, users may get a warning asking whether to abort the long-running JavaScript routine. Users should close the dialog box or choose to continue running JavaScript. For Firefox, you can suppress this message by typing about:config in the address bar, finding the entry for dom.max_script_run_time, and setting the number to 60 (on new computers) or 120 (on older computers).
24. The Flex client must be rebooted to register changes to Return to Default buttons. When you change the setting of Hide Return to Default buttons in Flex (in the Advanced Settings section of a policy's Client Settings tab), the end user must reboot the Flex client for the change to take effect.
25. Enterprise policies cannot override keyboard and mouse settings. If a policy allows a program and is set to enforce the enterprise policy only, and the user has set permissions in the personal policy to block the program, the program is able to access the Zones as defined in the enterprise policy, but is not able to perform keyboard and mouse activity. Workaround: Users must set the program to allow the keyboard and mouse activity in the personal policy.

Eventia Suite
In This Section
Eventia Analyzer    page 14
Eventia Reporter    page 14

Eventia Analyzer
1. Eventia Analyzer does not support static NAT and therefore will not include logs with rules that use static NAT as part of the Event.
2. Apache syslogs sometimes have a log suppression mechanism where a new log contains the phrase message repeat. These logs are not captured by Eventia Analyzer and therefore events based on these logs will not be generated.
3. Changes to objects on a High Availability secondary server are not updated on the Eventia Analyzer Server.
4. Changes to objects on a High Availability management server are not automatically updated on the Analyzer Server following a sync operation from another HA server. To force updates of the objects, on the Eventia Analyzer Client, select Policy tab > General Settings > Objects > Network Objects > Refresh.
5. When attempting to use the Get Version option in the Eventia Analyzer module while editing its host properties in SmartDashboard, the version will result in an empty string. Select the most recent version available.
6. Address range objects are not synchronized from SmartCenter or the MDS server to the Eventia Suite server. In order to include them on the Eventia Suite server, from the Eventia Analyzer Client, select Policy tab > General Settings > Network Objects and add the range manually.
7. Eventia Analyzer cannot be installed with SmartUpdate.
8. To define a new event based upon order logs, save and modify an existing event that uses the order logs, such as Check Point administrator credential guessing.
9. On Solaris, no logs are received and processed for 10 minutes if the Log Server is stopped and restarted. If a Log Server is stopped and then started, restart the Correlation Units.
10. The Global Exceptions product field does not filter out logs from the audit log.

Eventia Reporter
Installation, Upgrade and Backward Compatibility
11. Eventia Reporter can be upgraded to NGX R65 from version NG R56 and later. If you are upgrading from a version prior to R56, uninstall Reporter and continue with the upgrade.
12. The MySQL server on the Eventia Reporter Server conflicts with a MySQL server installation on the same computer. Install the Eventia Reporter server on a computer that does not contain a MySQL server installation.
13. Eventia Reporter will not continue consolidation sessions if the log files were manually upgraded on the Log Server.
14. After upgrading from R56 to NGX (NGX R61), a scheduled report that is selected for a specific module may fail to run. If this occurs, resave the report.

15. To upgrade a distributed deployment of Eventia Reporter from NGX (R60) on SecurePlatform Pro, do the following:
   1. Uninstall the package CPadvr-R60-00.
   2. Run the upgrade.
   3. Uninstall the package CPsuite-R60-00.
   4. Reboot the machine.
16. The Eventia Reporter Client requires SmartDashboard to be installed on the same machine in order to launch. When installing the Eventia Reporter Client, be sure to install SmartDashboard as well.

General
17. Account logs that are originated by a gateway cluster are counted twice. Thus, reports of these logs will display inaccurate data.
18. Logs produced by VPN-1 Power/UTM modules that also have QoS installed show twice the number of actual HTTP connections. As a result, reports generated on such modules will display an incorrect number of connections.
19. If SmartDashboard is connected to an inactive management, Eventia Reporter cannot be launched from the Window menu of SmartDashboard. Instead, launch Eventia Reporter via the Windows Start Menu.
20. If Eventia Reporter is running with multiple consolidation sessions, after running cpstop, ensure that all log_consolidator processes have terminated before running cpstart.
21. FTP or HTTP distribution of reports does not work with proxy settings. If a machine has proxy settings, use alternate distribution methods such as e-mail distribution, or copy files from the Report's Results directory instead.
22. When an Eventia Reporter Server's IP address has static NAT, a machine running the Eventia Reporter SmartConsole must be able to route connections to the Eventia Reporter server's real IP address. This can be achieved by running the Eventia Reporter SmartConsole on a machine in the Server's local network, or sometimes, by adding the appropriate route entries in the Eventia Reporter SmartConsole's routing table.

Firewall
In This Section
Installation, Upgrade and Backward Compatibility    page 16
Platform Specific Windows    page 17
Platform Specific Solaris    page 17
Platform Specific Linux    page 17
SmartConsole Applications    page 17
Load Sharing    page 17
Authentication    page 18
Security Servers    page 18
Security    page 18
Services    page 18
Stateful Inspection    page 18
Dynamically Assigned IP Address (DAIP) Modules    page 19
IPv6    page 19
ISP Redundancy    page 19
Management    page 19
OPSEC    page 19
Policy Installation    page 19
SAM    page 20
Miscellaneous    page 20
VoIP    page 20
SecureClient    page 21

Installation, Upgrade and Backward Compatibility


1. In modules that pre-date version NG with Application Intelligence R55W, the Web Intelligence defenses HTTP Format Sizes, ASCII Only Request and General HTTP Worm Catcher only support the protection scope apply to all HTTP connections; therefore, if one of these defenses is configured with protection scope apply to selected web servers and is installed on an older module, the protection scope apply to all HTTP connections will be applied on this module.
2. When making Inspect changes to the file user.def, do so to the copy of the file in the directory $FWDIR/conf (and not the version in the directory $FWDIR/lib, as was the practice in previous versions). This is because user.def is copied from the /conf directory to the /lib directory during policy installation. Also, filenames are now adjusted to the different compatibility packages, so be sure to modify the appropriate file only:

   user.def.NGX_R60 - contains user code for NGX modules (this will overwrite the file $FWDIR/lib/user.def during policy install)
   user.def.R55WCMP - contains user code for R55W modules (this will overwrite the file user.def in the R55W compatibility package directory)
   user.def.MGCMP - contains user code for NG modules, R55 and below.
   user.def.EdgeCmp - contains user code for UTM-1 Edge modules.

3. When restoring settings using the Nokia IPSO backup utility, run the CPconfig tool after installing the CPsuite package and before the restore process starts.
4. After installing the firewall on a machine with functional PPPoE (ADSL) connectivity, PPPoE no longer works.

5. The name of the installation directory of VPN-1 may not end with a space.
6. On Linux systems and SecurePlatform, verify that there is at least 115 MB of free disk space in the "/" partition before upgrade.
7. After upgrading an R55 or older Enforcement Module, previously defined SAM rules need to be defined again.

Platform Specific Windows


8. The following message may be displayed when installing a policy: The NDISWANIP interface is not protected by the anti-spoofing feature. This message can be safely ignored.
9. If an Intel NMS service is running during the VPN-1 Power/UTM installation, it may crash. This is a known pre-NMS version 2.0.56.0, Intel NMS service issue, where crashes occur whenever an NDIS IM driver is installed. Since NMS version 2.0.56.0 was part of PC6.0, releases from and including PC6.0 do not have this issue.
10. The Network Load Balancing (NLB) driver is not supported with VPN-1.
11. VLAN tagging is not supported on Windows platforms.

Platform Specific Solaris


12. On Solaris platforms with a qlc driver and the kernel memory allocator debugging functionality enabled, the system may experience instability. In this case, install Solaris patch 113042-10 or higher.
13. The AGE driver will panic when it fails to allocate memory. This occurs during age NIC, when system resources are low and it cannot allocate memory for the packet.

Platform Specific Linux


14. The FTP Security Server does not support Kerberos when the RHEL FTP client is trying to negotiate a Kerberos session. To avoid this issue, use the flag -u with the FTP client.
15. When working with VPN-1 Power/UTM on Red Hat Enterprise Linux 3.0, make sure to update E1000 drivers to the latest drivers available from Intel.

SmartConsole Applications
16. When a client connects with SmartDashboard to SmartCenter and performs a SmartDefense online update, a second client connecting with SmartDashboard to the same SmartCenter will see the new protections but not the new HTML descriptions. The situation is resolved by the second client logging out and logging in again. A similar behavior may occur regarding the Silent Post-install Update. If new protections were added in that package, then the second client that logs in will not see the respective new HTML descriptions. The workaround is the same (the client should log out and log in again).
17. A Multicast Address Range object cannot be used as a source or destination in the Rule Base. You can, however, define and use in its place a corresponding Address Range object.

Load Sharing
18. When employing SecurID for authentication, it is recommended to define each cluster member separately on the ACE/Server with its own unique (internal) IP address. In addition, to send packets to the ACE/Server with their unique IP addresses and not the VIP address, edit the file table.def, located in $FWDIR/lib. Change the line starting with no_hide_services_ports to, for example, no_hide_services_ports = {<5500, 17>}, where 5500 is the service port and 17 (UDP) is the protocol.

Authentication
19. Client Authentication will fail if the VPN-1 Power/UTM machine name is configured with a wrong IP address in the hosts file.
20. Clientless VPN with the Action Client Auth is not supported if the web server object is in the destination cell. The workaround is to add the gateway to the destination cell.
21. When using a SmartDirectory server for internal password authentication, if the account lockout feature is disabled the Firewall will not attempt to modify the user's login failed count and last login failed attributes on the SmartDirectory server. This improves overall performance and eliminates unnecessary SmartDirectory modify errors when using SmartDirectory servers that do not have these attributes defined because the Check Point SmartDirectory schema extension was not applied on the SmartDirectory server.
22. Issues may arise when using automatic or partially automatic client authentication for HTTP on Load Sharing clusters (both ClusterXL and OPSEC clusters). A workaround is to define a decision function based only on IP addresses in order for connections to open. For ClusterXL, go to the ClusterXL tab > Load Sharing > Advanced, and select IPs only. For OPSEC clusters, refer to the product documentation for more information.
23. Definition of nested RADIUS Server groups is not supported.

Security Servers
24. When a field in a URI specification file is too long, the Security Server exits when trying to load the file. Under load, the Firewall daemon (FWD) reloads the Security Server, which then exits. After a certain time cores are dumped.
25. Client authentication with agent automatic sign on is supported with all rules, with two exceptions:
   The rule must not use an HTTP resource.
   Rules where the destination is a web server.

26. When using SOAP filtering in the HTTP Security Server, the SOAP scheme file supports all forms of namespaces and methods, however, the feature is not supported if a method has no namespace at all.

Security
27. When using a URI resource to allow or restrict access to specific paths (by filling the path field), it is recommended to use the regular expression [/\] instead of / - this expression provides protection against Windows style paths. For example: instead of defining a path: /home/mydir/, define it as [/\]home[/\]mydir[/\].
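The difference between the two path expressions, as an added Python illustration that is not part of the Check Point document: it rewrites a path specification into the [/\] form and lists which Windows-style request paths a plain '/' pattern fails to match. It assumes, for illustration only, that the path field is applied as an anchored regular-expression prefix match; the sample request paths are constructed.

```python
import re

# The document writes the separator class as [/\] in Check Point URI resource
# syntax; in a Python regular expression the backslash inside the class must
# be doubled.
SEPARATOR_CLASS = r"[/\\]"

# Constructed sample request paths (not from the original document). The first
# two use the intended '/' separator; the rest use Windows-style '\' separators,
# in full or mixed with '/'; the last one is a different directory entirely.
SAMPLE_PATHS = [
    "/home/mydir/",
    "/home/mydir/index.html",
    "\\home\\mydir\\",
    "/home\\mydir/secret.txt",
    "/home/other/",
]


def weak_pattern(path_spec: str) -> str:
    """The path as an administrator would naturally type it: '/' is a
    literal, so a request written with '\\' separators does not match."""
    return re.escape(path_spec)


def hardened_pattern(path_spec: str) -> str:
    """Rewrite every separator in the spec as the [/\\] class the document
    recommends. Generalises slightly: a spec typed with '\\' separators is
    handled too, so /home/mydir/ and \\home\\mydir\\ give the same pattern."""
    segments = re.split(r"[/\\]", path_spec)
    return SEPARATOR_CLASS.join(re.escape(s) for s in segments)


def path_matches(pattern: str, path: str) -> bool:
    """Anchored prefix match (assumption: this is how the path restriction
    is compared against the start of the request path)."""
    return re.match(pattern, path) is not None


def missed_by_weak_pattern(path_spec: str, paths):
    """Requests the hardened pattern matches but the '/'-only pattern misses:
    exactly the Windows-style variants the document warns about."""
    weak, hard = weak_pattern(path_spec), hardened_pattern(path_spec)
    return [p for p in paths
            if path_matches(hard, p) and not path_matches(weak, p)]


if __name__ == "__main__":
    spec = "/home/mydir/"
    print("weak pattern    :", weak_pattern(spec))
    print("hardened pattern:", hardened_pattern(spec))
    for p in missed_by_weak_pattern(spec, SAMPLE_PATHS):
        print("not matched by the '/'-only pattern:", repr(p))
```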

Services
28. A service using the FTP_BASIC protocol type cannot be used with the FTP Security Server.
29. When using T.120 connections, make sure to manually add a rule that allows T.120 connections.

Stateful Inspection
30. Changing the "match for any" option in the MSNP service to "false" causes connectivity problems after an upgrade in the following scenario: a service X other than the Microsoft Messenger protocol was running on port 1863, and no special rule was defined for this service (for example, the service was permitted by a rule with "Any" in the service column). To resolve this issue, define a rule permitting the service with X in the "service" column.

31. In a cluster environment, TCP state enforcement allows a server to respond with an ACK packet on a SYN packet (instead of SYN-ACK). Sequence Verification enforcement will be applied to all the traffic of the connection.

Dynamically Assigned IP Address (DAIP) Modules


32. The fw tab <remote DAIP Module> command on a SmartCenter server is not supported.

IPv6
33. In IPv6 logs, IPv6 address resolving is not supported in SmartView Tracker.
34. Due to the fact that IPv6 is not supported for security servers, enabling Configuration apply to all connections under SmartDefense's FTP Security Server settings causes FTP (as well as HTTP and SMTP) connections over IPv6 to be rejected, and no log is generated.
35. The command fw6 unload localhost unloads both IPv6 and IPv4 policies, although it should unload only the IPv6 policy.
36. The RSH protocol is not supported for IPv6.

ISP Redundancy
37. ISP redundancy is not supported in a ClusterXL Different subnets configuration. This means the IP address of the cluster must be on the same subnet as the cluster members' real IP addresses.
38. In a ClusterXL configuration, the names of the external interfaces of all cluster members must be identical and must correspond in turn to the names of the external interfaces of the cluster object. For example, if the cluster object has two external interfaces called eth0 and eth1 which are connected to ISP-1 and ISP-2, respectively, each cluster member must have two external interfaces called eth0 and eth1 which should be connected to ISP-1 and ISP-2 respectively.

Management
39. Defining network objects with names identical to a service is not supported.

OPSEC
40. TCP resource with cvp group is not supported.

Policy Installation
41. Check Point uses the notation starting with "SA_" for internal purposes. Defining objects with names starting with this string is not supported.
42. When installing policy on a cluster with a Layer 2 bridge defined, the installation may fail with the following error: Load on Module failed. To resolve this issue, do the following:
   1. Set the environment variable FW_MANAGE_BRIDGE to 1 on the SmartCenter server. This is done by updating the files $CPDIR/tmp/.CPprofile.csh and $CPDIR/tmp/.CPprofile.sh so that they set the environment variable FW_MANAGE_BRIDGE to 1.
   2. Install policy.
43. To install policy on NG enforcement modules via the command line, run the command fwm load from any directory other than $FWDIR/conf.
44. Policy installation may fail when there are 70 or more dynamic objects.

SAM
45. A Suspicious Activity Monitor (SAM) rule will fail for a remote gateway if the SmartCenter server is also a VPN-1 Power/UTM gateway and no policy has been installed on it since adding the remote gateway.

Miscellaneous
46. The TCP Sequence Verifier is not supported with clusters using asymmetric routing.
47. The Accept VPN-1 & FireWall-1 control connections Implied Rules setting is applicable to a SmartCenter server object in specific cases only: to the primary IP defined for this object and only if there are interfaces defined in its Topology tab.
   This may create connectivity problems when trying to install policies (or other operations included in the control connections). The workaround is to define explicit rules that allow connectivity to the SmartCenter object.
48. A large database on a gateway may result in high CPU usage by the services VPND and DTPSD. To resolve this issue, use the cpprod utility to set a value for the setting SIC_SERVER_DEFAULT_TIMEOUT.

VoIP
49. MSN Messenger version 5 is not supported. Additionally, there are a few known issues regarding MSN Messenger when employing Hide NAT:
   When running SIP and the data connection tries to open MSN Messenger connections on hidden networks, the connection fails.
   While audio and video each work separately, they cannot be run concurrently.
50. When using the SIP protocol and a security rule uses the Action reject to block high_udp_ports (RTP ports - data connection), the incoming audio is rejected as well. A workaround is to use the Action drop in place of reject.
51. When an H.323 IP phone that is not part of a handover domain tries to establish a call, the call attempt is blocked and the following message appears on the console: FW-1: fw_conn_inspect: fwconn_chain_lookup failed. If you want to allow this phone to make calls, add it to the handover domain, and the error message will no longer appear. Note that this console message may appear in other (non-VoIP) scenarios as well.
52. In some cases, when a user closes an MSN Messenger application (such as Whiteboard), the application will not close automatically on the remote end. The remote user will need to close the application manually.
53. When using the service SIP with Hide NAT enabled on internal IP phones, do not enable the SmartDefense flag "Block SIP calls that use two different voice connections (RTP) for incoming audio and outgoing audio". If the flag is enabled, the firewall may begin to drop RTP/RTCP packets. The flag is located in SmartDefense > VoIP > SIP.
54. When the SIP-proxy is in the DMZ, whiteboard and application sharing will not open between external to internal messengers.
55. In previous versions a VoIP signalling connection could not have a different encryption policy than a VoIP data connection. As of NGX the VoIP signalling connection can have a different encryption policy than the VoIP data connection.

SecureClient
56. Policy installation fails if a combination of different user groups and network objects are used in the same cell. For example, if the following appears in a source or destination cell, the policy will not install:
   usergroup1@netobj1 & usergroup2@netobj2
   If the user groups match or the network objects match, the installation will succeed. The following examples will allow the policy to install successfully:
   usergroup1@netobj1 & usergroup2@netobj1
   usergroup1@netobj1 & usergroup1@netobj2
57. The following Web Intelligence features require connections to be sticky:
   Header spoofing
   Directory listing
   Error concealment
   ASCII only response
   Send error page
   A sticky connection is one where all of its packets, in either direction, are handled by a single cluster member. If you enable one of the features listed above, make sure that your clustering solution supports sticky connections. Sticky connections can be guaranteed for Web connections in the following configurations:
   ClusterXL High Availability
   ClusterXL Load Sharing with Sticky Decision Function enabled
   ClusterXL Load Sharing with no VPN peers, no static NAT* rules and no SIP
   Nokia VRRP Cluster
   Nokia IP Clustering configuration with no VPN peers, static NAT* rules or SIP
   For other OPSEC certified clustering products - please refer to the OPSEC-certified product's documentation.
   * including ConnectControl Logical Servers
58. The following VoIP Application Intelligence (AI) features require connections to be sticky:
   H.323
   SIP over TCP
   Skinny
   A sticky connection is one where all of its packets, in either direction, are handled by a single cluster member. If you enable one of the features listed above, make sure that your clustering solution supports sticky connections. Sticky connections can be guaranteed for VoIP connections in the following configurations:
   ClusterXL High Availability
   ClusterXL Load Sharing with no VPN peers or static NAT* rules
   Nokia VRRP Cluster
   Nokia IP Clustering configuration with no VPN peers or static NAT* rules
   For other OPSEC certified clustering products - please refer to the OPSEC-certified product's documentation.
   * including ConnectControl Logical Servers

Provider-1/SiteManager-1
In This Section
Installation, Upgrade, and Revert    page 22
Configuration    page 23
Licensing    page 23
Backup and Restore    page 24
Migrate    page 24
Global Policy    page 25
Global VPN    page 26
Global SmartDefense    page 26
SmartUpdate    page 27
SmartPortal    page 27
Status Monitoring    page 27
Eventia Reporter    page 27
Authentication    page 28
Miscellaneous    page 28

Installation, Upgrade, and Revert


1. Some of the issues reported by the Pre-Upgrade Verifier may require database modifications. To avoid having to repeat these changes, remember to synchronize your mirror MDSs/CMAs and perform the install database to CLM processes. It is highly recommended that you read the Upgrading in Multi MDS environment section in The Upgrade Guide.
2. After upgrading an MDS or MLM in a multi MDS environment, SmartDashboard displays CMA and CLM objects with the previous version, and the following error message appears when performing the operation Install Database:

   Install Database on <CLM_name> Log Server can only be partially completed. To restore full functionality (full resolving and remote operations), upgrade the Log Server to be the same version as your Management Server.

   In order to update the CMA/CLM objects to the most recent version, use the following procedure after upgrading all MDS and/or MLM servers:
   1. Verify that all active CMAs are up and running with valid licenses, and that none of them currently has a SmartDashboard connected.
   2. Run the following commands in a root shell on each MDS/MLM server:
      A. mdsenv
      B. $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL
   3. Synchronize all Standby CMAs and SmartCenter Backup servers and install the database on the CLMs.
   In some cases, the MDG will display CMAs with the version that was used before the upgrade. To resolve this issue, after performing steps 1 - 3, do the following:
   1. Make sure that each CMA that displays the wrong version is synchronized with the Customer's other CMAs.
   2. Restart the MDS containers hosting the problematic CMAs by executing the following commands in a root shell:
      A. mdsenv
      B. mdsstop -m
      C. mdsstart -m

3. After upgrading a pre-NGX SmartCenter to NGX R65, software packages (except for UTM-1 Edge firmware packages) that were displayed in the Package Repository of SmartUpdate do not appear. The packages are in the directory $SUROOT, and can be re-added to the Package Repository using the SmartUpdate command Add From File.
4. Management of FireWall-1 4.1 gateways and VPN-1 Net gateways is not supported in NGX R65. Prior to upgrading configurations that contain such gateways, the gateways need to be upgraded to the supported products/versions. Since the pre-upgrade verification tools will not allow the upgrade to proceed as long as such gateways exist in the configuration database, the objects either need to be deleted from the source management or updated to represent a supported product/version. If the objects are updated for the sake of allowing the upgrade to proceed, management of the gateways will not be allowed until the gateway software and license is upgraded as well. Please also note that configurations that contain externally managed FireWall-1 4.1 gateways cannot be upgraded to NGX. To allow the upgrade to proceed, these objects need to be updated to represent a supported version.
5. After upgrading an MDS server that includes an installation of Endpoint Security Server that is associated with one of the CMAs, do the following:
   1. Stop the CMA.
   2. Log in again to the root account.
   3. Start the CMA.

Configuration
6. In the SecurePlatform installation, the default maximum number of file handles is set to 65536. This also applies to standard Linux installations, but the default number may vary. For Provider-1/SiteManager-1 installations with a large number of CMAs, 65536 file handles may be insufficient. Indications that the system may not have enough available file handles can be failure of processes to start, and/or crashes of random processes. To check if insufficient file handles is indeed the problem, enter the following command from root or expert mode:

# cat /proc/sys/fs/file-nr
This command prints three numbers to the screen. If the middle number is close to zero, or the left number equals the right-most number, it is required to increase the maximum number of file handles. To increase the maximum number of file handles, enter the following command from root or expert mode:

# echo 131072 > /proc/sys/fs/file-max

The number above is for demonstration purposes; the actual figure should be derived from the amount of memory and the number of CMAs.

Licensing
7. If you upgrade licenses after upgrading the MDS, the upgraded licenses will not be displayed in the MDG until after restarting the MDS.
8. Under rare circumstances, a CMA license may not appear in the SmartUpdate view of the MDG, and yet appear in SmartUpdate when launched from the CMA. If this happens, do the following:
   1. From the command line in the CMA environment, use the cplic command to remove the missing license, and then add it again.
   2. In SmartUpdate, right-click the CMA and select Get Licenses.

Backup and Restore


9. A backup file created on a Solaris platform with the mds_backup command cannot be restored on a Linux platform, nor vice-versa. A backup made by mds_backup on Linux can be restored on SecurePlatform and vice-versa.
10. When saving the configuration of an MDS (via the command mds_backup), make sure to also back up the configuration of each of the VSX gateways/clusters that are managed by the MDS. When restoring the configuration of the MDS (via the command mds_restore), make sure to restore the configuration of all VSX gateways/clusters immediately afterwards.

Migrate
11. After migrating a SmartCenter server running on a Nokia platform to an NGX R65 CMA, the UTM-1 Edge objects and Profiles creation option from SmartDashboard is not available. See SecureKnowledge SK26484 for more information.
12. Migrating a CMA/SmartCenter database to a Provider-1 CMA disables the CMA's PnP license, if any.
13. Migration of a CMA is not supported when VSX objects exist in the database.
14. After migrating Global Policies and CMAs that contain Global VPN Community, the VPN Communities mode of the Global Policies view in the MDG may not display all gateways participating in the Global VPN Communities. To resolve this issue, after completing the migration of all relevant configuration databases and starting the MDS and the CMA processes, issue the following commands in the root shell on the MDS:
   1. mdsenv
   2. fwm mds rebuild_global_communities_status all
15. When migrating complex databases, the MDG may timeout with the error message Failed to import Customer Management Add-on, even when the migration process continues and is successful. Therefore, when migrating large databases, it is recommended that you run the migrate operation from the command line. See the cma_migrate command in The Upgrade Guide.
16. The migrate_assist utility reports missing files, depending on FTP server type. If files are missing, copy the relevant files manually. More information regarding the relevant files and the directory structure is available in the Upgrading Provider-1 chapter of The Upgrade Guide.
17. Before migrating the global database, if there are Global VPN Communities in the source database or in the target database, it is highly recommended that you read the Gradual Upgrade with Global VPN Considerations section of The Upgrade Guide.
18. If you delete a CMA that has been migrated from an existing CMA or SmartCenter database, and then want to recreate it, first create a new Customer with a new name. Add a new CMA to the new Customer and import the existing CMA or SmartCenter database into the new CMA.
19. After migrating SmartCenter or CMA databases with SmartLSM data, execute the command LSMenabler on on the CMA.
20. After migrating a SmartCenter database which contains SmartDashboard administrators or administrator group objects, these objects remain in the database but are not displayed in SmartDashboard. As the CMA is managed by Customer Administrators via the MDG and not via SmartDashboard, these objects are irrelevant to the CMA. However, if you need to delete or edit one of these objects, use dbedit or GuiDBedit to do so.
21. When migrating a CMA or SmartCenter High Availability (HA) to a new CMA in a different Provider-1/SiteManager-1 environment, be sure to use the primary database of the CMA or SmartCenter HA for the migrate operation.


In addition, if the name used for the new CMA is not the name of the previous primary CMA or SmartCenter HA, the new CMA name must not be the same as or similar to a name already used for a network object in the migrated database, including the secondary management object.
22. When migrating a CMA or SmartCenter Backup server with Endpoint Security Server installed, the Endpoint Security Server installation does not migrate. The recommended approach for this configuration is the following:
   1. Before migrating, open SmartDashboard to the CMA/SmartCenter server to be migrated.
   2. Edit the CMA/SmartCenter server object, and deselect Endpoint Security Server from the list of Check Point Products.
   3. Run the migrate operation.
   4. Reinstall the Endpoint Security Server on the machine on which the CMA resides.
   5. Configure the migrated CMA to use Endpoint Security Server.
23. When migrating SmartCenter or CMA configurations that contain SmartDefense settings and protections downloaded via SmartDefense Online Update, the migrate_assist tool does not copy all the necessary files, and the target machine will not contain the full original SmartDefense configuration. To resolve this issue, do one of the following:
   - Copy the directories manually from the source machine according to the instructions in the Provider-1 User Guide.
   - Use migrate_assist, and then perform the following operations before importing the configuration:
     A. On the source machine, go to $FWDIR/conf and copy the content of the subdirectory SMC_Files.
     B. Place the copied content in the directory /conf on the target machine.
     C. Delete the following files from the target machine:
        SMC_Files/monitor/SmartViewMonitor.tar
        SMC_Files/asm/post_install_sd_updates
        SMC_Files/asm/post_install_sd.ver

Global Policy
24. When deleting a Check Point host object created in Global SmartDashboard that has the same name as one of the MDS/MLM servers, the SIC certificate of the matching MDS/MLM server may be revoked. To avoid this situation, refrain from defining Check Point host objects with names identical to those of MDS/MLM servers in the system. If the certificate of one of the MDS/MLM servers is revoked, see SecureKnowledge SK24204 to remedy the situation.
25. Avoid circular references in the Global Policy, as they cause its assignment to fail.
26. To ensure the integrity of Global Policies, only Provider-1 Superuser and Customer Superuser administrators are allowed to perform a Database Revision Control operation on a CMA. This ensures that a lower-level administrator does not change the Global Policy assigned to a Customer. This is not a limitation, but rather an effect of the administrators' permission hierarchy.
27. Assigning a Global Policy to Customers may be a heavy operation. For this reason, it is recommended that you use MDG: Manage > Provider-1/SiteManager-1 Properties > Global Policies and configure Perform Policy operations on 1 customers at a time. For information about an MDS machine that includes a large number of CMAs and big databases (global database and local CMAs' databases), refer to Hardware Requirements and Recommendations in the Provider-1/SiteManager-1 User Guide.


28. When installing policy from the MDG using the Assign/Install Global Policy operation, the Security Policy is not installed on UTM-1 Edge profiles. Use SmartDashboard to install policy to UTM-1 Edge profiles.
29. When creating Connectra gateway objects (like other gateway objects, such as VPN-1 Power/UTM, UTM-1 Edge, and InterSpect), be sure to do so using the CMA SmartDashboard. Defining Connectra objects in Global SmartDashboard is not supported.

Global VPN
30. Simplified VPN Mode Policies cannot work with gateways from versions prior to FP2. You cannot assign a Global Simplified VPN Mode Policy to a CMA with gateways of version FP2 or lower.
31. Global VPN Communities do not support shared secret authentication.
32. Only Globally-enabled gateways can participate in Global VPN Communities. Gateway authentication is automatically defined using the CMA's Internal Certificate Authority. Third-party Certificate Authorities are not supported.
33. UTM-1 Edge gateways cannot participate in Global VPN Communities.
34. Currently an external gateway can fetch a CRL only according to the FQDN. Therefore, a peer gateway fails to fetch a CRL when the primary CMA is down (even if the mirror CMA is operational). To avoid this scenario, you can change the FQDN to a resolvable DNS name by executing the following commands:
   1. mdsenv <CMA>
   2. Run cpconfig and select the menu item Certificate Authority
35. After enabling a module for global use from the MDG, install a policy on the module or use the Install Database operation on the management server so that its VPN domain is calculated.
36. When migrating a CMA, all CMAs that participate in a Global VPN Community must be migrated as well. If you do not migrate all relevant CMAs, Global Community functionality and maintenance are affected.
37. A globally enabled gateway can be added to a Global VPN Community from Global SmartDashboard only through the community object and not from the VPN tab of the object.
38. When a VPN Simplified Mode Global Policy is assigned to a Customer, all of the Customer's Security Policies must be VPN Simplified as well.
39. If the Install policy on gateway operation takes place while the MDS is down, the status of this gateway in the Global VPN Communities view is not updated.
40. When using VPN-1 Power VSX Virtual Systems in Global VPN Communities, the operating system and version displayed on objects representing Virtual Systems in peer CMAs is incorrect. This information can be safely ignored.

Global SmartDefense
41. If a Customer is configured for SmartDefense Merge mode, modifications made to the SmartDefense settings on a SmartCenter Backup server are not preserved after Global Policy is reassigned to the Customer.
42. Customers subscribed to the Global SmartDefense service also receive updates to the Content Inspection > File Types list. All newly downloaded file types are by default set to Action type Scan. The SmartDefense mode assigned to the Customer determines whether any changes the CMA administrator has made to the File Types list are preserved when Global Policy is assigned.


SmartUpdate
43. Firmware packages cannot be deleted from the SmartUpdate repository. To delete packages, use the utility mds_delete_firmware.
44. When using the MDG's SmartUpdate view, packages are added to the SmartUpdate repository of the MDS to which the MDG is connected. In a Multi-MDS environment, make sure that each SmartUpdate package is added to each MDS individually. When adding SofaWare firmware packages in such an environment, a package added to one MDS appears to have been added to all other MDSs. In this case as well, make sure that each firmware package is added to each MDS individually.
45. After detaching a Central license from a CMA using the SmartUpdate view, the license remains in the License Repository, and therefore cannot be added again to the CMA from the MDG General view. To add it again, reattach the license using SmartUpdate.
46. SmartUpdate packages cannot be added to the MDS Package repository if no CMAs are defined. Before populating an MDS's SmartUpdate repository with packages, define at least one CMA.

SmartPortal
47. When using Management High Availability (between a SmartCenter server and either a CMA or an MDS), change over may not succeed when SmartPortal is connected in Read/Write mode. To resolve this issue, do one of the following:
   - Only allow access from SmartPortal to Read-only administrators
   - Disconnect Read/Write SmartPortal clients from SmartView Monitor

Status Monitoring
48. A CMA reports the status Waiting until it is started for the first time.
49. In a CMA High Availability configuration, the High Availability synchronization status in the MDG may contain inconsistent values if valid licenses have not been installed. If this is the case, the synchronization status should be ignored. In order to operate, however, all CMAs must have valid licenses.
50. SmartView Monitor displays invalid statuses when connecting to a CLM. To view Customer statuses using SmartView Monitor, connect to a CMA.

Eventia Reporter
51. As Eventia Reporter data is not synchronized on multiple MDSs in High Availability configurations, Eventia Reporter should be set to work with just one MDS. To do so, install the Eventia Reporter Add-on on one MDS only, and log into this MDS whenever using the Eventia Reporter client.
52. You must log into the Eventia Reporter client using a Provider-1 Superuser administrator account or a Customer Superuser administrator account. Other administrator types are not supported.
53. Only one Eventia Reporter server is supported. Do not define more than one Eventia Reporter server in Global SmartDashboard.
54. For Eventia Reporter to function properly, all Customers must have a Global Policy assigned to them. If a Customer has not been assigned a Global Policy, all reports generated for this Customer fail with the following error:

Could not retrieve CMA for customer <CUSTOMER-NAME>. CMA is either stopped or standby.


Authentication
55. After defining RADIUS or TACACS server objects in Global SmartDashboard, wait until the MDSs are synchronized before configuring administrators to authenticate via the new servers.

Miscellaneous
56. In a CMA High Availability configuration, the MDG may inconsistently report the status of UTM-1 Edge gateways as either OK or Not Responding. To see the correct status, open SmartView Monitor on the Active management.
57. Certificates for Provider-1 administrators should be created only from an MDG connected to the MDS that currently hosts the active global database.
58. When working with a large CMA database, synchronizing this database may take some time. If you create a second CMA from the MDG, the operation may appear to have failed because of the MDG's timeout, when in fact it completes within a set period of time. To make sure that this operation finished successfully after the MDG's timeout:
   1. Wait until the second CMA is displayed in the MDG with a Started status.
   2. From SmartDashboard, connect to the active CMA.
   3. Select Policy > Management High Availability and, in the displayed window, verify that the standby CMA's Status is Synchronized.
59. The cp_merge utility is not supported in Provider-1/SiteManager-1.
60. When creating, deleting or updating a Virtual Device, the database of the CMA containing the VPN-1 Power VSX gateway is locked for the duration of the operation. If a user tries to connect to the CMA via SmartDashboard, a message reports that the database is locked. Selecting Disconnect does not unlock the database. Connection to the CMA may be resumed when the operation finishes.
61. SmartDashboard currently lacks appropriate error messages for the following scenarios:
   - Using a SmartCenter Backup Server, the user cannot edit a Virtual System object whose VPN-1 Power VSX belongs to another CMA (the main CMA), because there is no connection between them.
   - The user cannot edit a Virtual System object in a CMA whose Active main CMA is a SmartCenter Backup Server, because there is no connection between them.

62. When removing a Provider-1 installation from a machine that has Endpoint Security Server installed on it, Endpoint Security Server may not uninstall. A workaround is to uninstall Endpoint Security Server separately.
63. After upgrading to NGX R65 an MDS machine with Endpoint Security Server installed and associated with a certain CMA, reverting to the previous version of Provider-1 using the utility mds_remove will succeed; however, the Endpoint Security configuration will contain information related to the newer version. To resolve this issue, do the following:
   1. Use a text editor to open the file /opt/CPEndpoint Security/engine/webapps/ROOT/bin/opsec/config.properties
   2. Enter the correct values for the following keys:
      CMA_IP=[IP address of the CMA which is configured to use Endpoint Security]
      CPDIR=[the CPDIR directory of the CMA]
      FWDIR=[the FWDIR directory of the CMA]
      MDS_CPDIR=[the new value of the MDSDIR directory]
      MSP_SOMEIP_ADDR=[IP address of the CMA which is configured to use Endpoint Security]
64. Global SmartDashboard cannot be used to create Connectra or VPN-1 Power/UTM gateway objects. Instead, use a SmartDashboard connected to a specific CMA to create these objects.


SecureXL
In This Section
General (page 29)
Platform Specific - Nokia (page 29)
Platform Specific - Solaris (page 30)
Accelerated Features (page 30)
Unsupported Features (page 30)
Unsupported Products (page 30)

General
1. When using Performance Pack or Turbocard in a cluster configuration, all members must have Performance Pack or Turbocard installed and running.
2. For the first few seconds of an asymmetric connection, server-to-client packets are not accelerated. An asymmetric connection, such as an FTP data connection through an accelerated ClusterXL cluster, is one where the server-to-client side is handled by a different member than the client-to-server side. Asymmetric connections are only opened when using VPN or NAT. This is a temporary performance degradation that affects only a small percentage of traffic.
3. In a High Availability configuration, some accounting information held in the accelerator (for accelerated connections only) may be lost in the event of a failover. As a result, the accounting information reported may be lower than the actual traffic.
4. When a gateway has IP pool NAT defined for site-to-site connections in a MEP environment and Automatic Hide NAT for internal networks is enabled, back connections to the IP-pooled address are dropped by the gateway. To prevent these connections from being dropped, do one of the following:
   - Disable Automatic Hide NAT on the gateway.
   - Configure Hide NAT for the internal network object with manual or automatic rules.

5. For a list of the recommended platforms for Performance Pack, see the Hardware Compatibility List for SecurePlatform at http://www.checkpoint.com/products/supported_platforms/secureplatform.html.

Platform Specific - Nokia

6. When the SmartDefense TCP Sequence Verifier feature is enabled and Flows acceleration is enabled, the Sequence Verifier feature is not enforced and the following message appears when installing policy:

Flows: TCP Sequence Verifier acceleration is not supported on the Gateway.

When SecureXL is enabled, you can enable the SmartDefense TCP Sequence Verifier feature by first enabling it in Nokia Network Voyager (System Configuration > Advanced System Tuning) and then in SmartDashboard (SmartDefense tab > Network Security > TCP). The Sequence Verifier feature is then enforced on accelerated connections.
7. The SmartDefense protection IP Fragments (SmartDefense tab > Network Security > IP and ICMP) is not supported on Turbocard and on Nokia platforms with SecureXL enabled.


Platform Specific - Solaris

8. On Solaris platforms, Performance Pack does not support the following types of interfaces:
   - VLAN and virtual interfaces
   - bge, dmfe and skge interfaces

Accelerated Features
9. When flows are enabled, full sanity checks are performed on the IP layer of flowed (accelerated) connections. No sanity checks are performed on the UDP or TCP layer of flowed packets. The workaround is to disable flows.
10. SmartView Monitor receives updates for every connection from SecureXL once every 30 seconds. Because of the difference between the SecureXL update interval and the SmartView Monitor update interval, you might not get a smooth line even when monitoring a constant-rate connection. This effect is negligible when monitoring real-life traffic with many connections that open and close at random. Regardless of the number of connections, the total monitored traffic averaged over a significant period of time is reported accurately.
11. When the SmartDefense protection PPTP Enforcement is enabled, the GRE protocol over PPTP is not accelerated. To accelerate GRE over PPTP, disable this protection (on the SmartDefense tab, select Application Intelligence > VPN Protocols > PPTP Enforcement).

Unsupported Features
12. Fingerprint Scrambling has a negative impact on performance: ISN Spoofing disables TCP templates, and TTL and IPID scrambling cause traffic to be handled by the firewall module only.
13. The NetQuotas feature is not supported with SecureXL.
14. The Overlapping NAT feature is not supported with SecureXL.
15. ISP redundancy has the following limitations when working with SecureXL:
   - Connections passing through interfaces configured with ISP redundancy are not accelerated. Other connections (for example, an internal connection to a DMZ) are accelerated and are not affected by this limitation.
   - ISP redundancy over PPTP and PPPoE interfaces is not supported.
16. When configuring Remote Access > Office Mode on a gateway that has multiple external interfaces with SecureXL enabled, make sure that Support connectivity enhancement for gateways with multiple external interfaces is checked.
17. When SecureClient is connected to a Check Point gateway with two external interfaces and the connected interface goes down, SecureClient loses connectivity. To resume connectivity, the user needs to disconnect and reconnect.
18. Performance Pack does not support source-based routing.

Unsupported Products
19. Check Point QoS is not supported with SecureXL.
20. PPTP and PPPoE interfaces are not supported by Performance Pack in configurations where NAT and/or VPN are used.


SmartCenter Server
In This Section
Upgrade, Backout and Backward Compatibility (page 31)
Policy Installation (page 33)
SmartConsole Applications (page 33)
Logging (page 34)
SmartCenter High Availability (page 34)
SmartDirectory (page 34)
User Management (page 34)
Trust Establishment (page 34)
OSE (page 34)
Platform Specific - Nokia (page 35)
Platform Specific - Windows (page 35)

Upgrade, Backout and Backward Compatibility


1. When using the Upgrade Export and Import utilities on the Windows platform, the machine should be connected to the network. Alternatively, a connector can be used to simulate a connection. Refer to SecureKnowledge solution sk19840 for more information on how to simulate a network connection during an upgrade.
2. When upgrading with a duplicate machine whose IP address differs from the original IP address of the SmartCenter server, if Central licenses are used, they should be updated to the new IP address. This can be done via the User Center at http://usercenter.checkpoint.com, by choosing the action License > Move IP > Activate Support and Subscription.
3. When using the Upgrade Export and Import utilities, if a specific product fails to install, the entire operation fails, with the exception of these products:
   - SmartView Reporter
   - SmartView Monitor
   - SecureXL
   - UserAuthority Server
   Failure importing and/or exporting these products does not cause the entire import/export operation to fail. Use the log file of the import/export operation to understand what caused the problem and fix it. The log file is located at:
   Windows: C:\program files\checkpoint\CPInstLog
   Unix: /opt/CPInstLog
4. When upgrading a Log Server, always choose to upgrade and ignore the other options (to export the configuration or to perform pre-upgrade verifications). These options are irrelevant for Log Server upgrades. Also, the backwards compatibility (BC) package is installed on every Log Server. It can be safely removed, as it is not in use on a Log Server.


5. If, when using the Check Point Installation Wrapper, the download of updates fails during an upgrade (for example, because the machine is not connected to the Internet), the upgrade continues using the tools that exist on the CD. To use the most recent version:
   a. Download the updates from: https://support.checkpoint.com/downloads/bin/autoupdate/ut/r61/index.htm.
   b. Save the update on the local disk of your SmartCenter server.
   c. Restart the installation wrapper and choose the second option on the download page: I already downloaded and extracted the Upgrade Utilities.
6. Check Point 4.1 gateways and embedded devices are not supported with this release. After upgrading the SmartCenter server to NGX, these objects remain, but you will not be able to install policy on them.
7. VPN-1 Net is no longer supported.
8. After upgrading SmartCenter, but before upgrading the gateways, SecurID users may not be able to connect. A workaround is detailed in SecureKnowledge sk17820. The solution documented there should be implemented in the compatibility package directories as well:
   For NG gateways (NG - R55):
      Unix: /opt/CPngcmp-DAL/lib/
      Windows: C:\Program Files\CheckPoint\NGCMP
   For R55W gateways:
      Unix: /opt/CPR55Wcmp/lib
      Windows: C:\Program Files\CheckPoint\R55WCmp\lib
9. When upgrading SmartCenter with a duplicate machine on the Windows platform, the following message may appear after selecting Import configuration file:

Failed to import configuration. Imported configuration file does not contain the correct data.

To resolve the issue, do one of the following:
   - Remove the file gzip.exe from the environment path.
   - Remove gzip.exe altogether.

10. Advanced Upgrade from the wrapper, or use of the Export/Import tools, is not supported on a secondary SmartCenter server.
11. In this release, SmartCenter does not manage gateways prior to NG FP3. If you have such gateways, it is recommended that you upgrade them as well.
12. After a SmartCenter server has been upgraded or copied via the Advanced Upgrade feature, previously defined UTM-1 Edge devices will not be able to connect to the SmartCenter server, and the Connection Wizard will generate "object non-registered" messages. To resolve this issue, use SmartUpdate to re-install a specific firmware package.
13. To manage UTM-1 Edge devices with an NGX R65 SmartCenter server that was migrated from Nokia to a different platform, see Check Point SecureKnowledge sk30389.


Policy Installation
14. After aborting an installation and before attempting to install policy, make sure that there are no processes running the fwm load command on the SmartCenter server.
15. When the Install Policy option Install on all selected gateways, if it fails do not install on gateways of the same version is selected, policy is installed on gateways by group. There are four such groups:
   - UTM-1 Edge
   - R55W
   - NGX
   - all others (R55 and prior versions)
   When this option is selected, if policy fails when installing to a member of one of the groups, the policy is not installed on any other gateway in that group. Policy installation continues uninterrupted to members of other groups, however.
16. Uninstalling policy on LSM profiles is not supported.
17. Policy installation is divided into several stages: verification, compilation, file transfer, and so on. Each stage has a default time-out of 300 seconds. If you encounter time-out problems while installing a policy, you can change the timeout value as follows:
   a. Run cpstop on the SmartCenter server.
   b. Run DBedit and change the install_policy_timeout attribute, located under firewall_properties in the global properties. A valid value is 0-10000.
   c. Close DBedit and run cpstart.
18. Policy may not install successfully on an InterSpect device, even if SIC is established. To resolve this issue, make sure that the SmartCenter server's IP address(es) are configured in InterSpect's GUI Clients.

SmartConsole Applications
19. When running a query on a Security Policy in SmartDashboard, only user-defined rules are displayed in the query result. Implied rules matching the query are not displayed, even if the option View Implied Rules is selected.
20. When switching the active file from SmartView Tracker, the new active file is automatically named by the system. It does not receive the user-defined file name.
21. UTM-1 Edge objects cannot be defined from the Manage menu in SmartDashboard. To define UTM-1 Edge objects, from the Objects Tree, right-click Check Point > New.
22. A Connectra object cannot be dragged and dropped into the Address Translation Rule Base. To add a Connectra object to a rule, right-click the relevant cell, select Add, and select the relevant Connectra object.
23. To perform SmartDefense Online Update in Demo Mode, use Demo Mode Advanced. Other Demo Modes do not support this feature.
24. InterSpect objects cannot be added to NAT rules.
25. After deploying Anti Virus signatures, the Express CI Deployment Status is not updated by clicking Refresh on the SmartDefense Services tab. This issue is resolved by closing and restarting SmartDashboard.


Logging
26. When a Log Server is installed on a DAIP module, management operations such as "purge" and "log switch" cannot be performed.
27. If using the cyclic logging feature, after upgrade it is recommended to back up the previous <FWDIR>/log files to another machine, and then to delete them.
28. When a Log Server runs out of disk space, any logs sent by ELA clients are lost. To prevent this, be sure to maintain adequate disk space on the Log Server.
29. After upgrading a gateway, SmartView Tracker may report 0 active connections. To resolve this issue, reinstall policy on the gateway.
30. When a filter is applied in the Traffic or Audit log pages, logs may not display in sequential order, and using the scroll bar arrow to navigate through the logs does not appear to work. To scroll, click and drag the scroll bar or use the buttons Bottom and Top.

SmartCenter High Availability


31. If a primary SmartCenter server is in a Standalone configuration, and a secondary SmartCenter server is active, then policy installation from the secondary to the primary server is prohibited immediately after upgrade. To resolve this, install the policy locally on the primary server.
32. When modifying the file InternalCA.C, be sure to copy the modified file to the other management stations, and then install policy again for the changes to become active.
33. When executing Management High Availability (between SmartCenter and/or CMA and/or MDS), change over may not succeed when SmartPortal is connected in Read/Write mode. To resolve this issue, restrict access from SmartPortal to Read-only administrators, or use SmartView Monitor to disconnect the Read/Write SmartPortal client.

SmartDirectory
34. If Use SmartDirectory (LDAP) is checked in Global Properties, but no LDAP account unit is configured, the authentication of external users (as opposed to LDAP users) that are not defined in the user's database will not succeed. To resolve this issue, make sure that you uncheck Use SmartDirectory (LDAP) in the Global Properties.

User Management
35. When manually defining branches on an Account Unit, spaces between elements in the branch definition will not work. For example:
   A good branch: ou=Finance,o=ABC,c=us
   A bad branch: ou=Finance , o=ABC , c=us
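The whitespace rule above is easy to violate when branch strings are pasted or generated, so a check before the value reaches the Account Unit is worthwhile. The following added example (not Check Point code; the function names and sample values are assumptions) splits a branch DN on unescaped commas, flags whitespace around the separators, and rewrites the branch in the form the page calls good.

```python
# Added example: a small checker for LDAP Account Unit branch strings.
# Not Check Point code; the function names and sample values are assumptions.
import re

# Constructed samples: the good and bad forms quoted above, plus a value that
# contains an escaped comma, which is legitimate and must not be split.
SAMPLE_BRANCHES = [
    "ou=Finance,o=ABC,c=us",
    "ou=Finance , o=ABC , c=us",
    "ou=R&D\\, Dept,o=ABC,c=us",
]

# Attribute types are alphanumeric names (ou, o, c, dc, ...) or dotted OIDs.
ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)*")


def split_rdns(dn):
    """Split a DN on unescaped commas; a backslash-escaped comma stays in the value."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return rdns


def check_branch(dn):
    """Return a list of problems found; an empty list means the branch is usable."""
    problems = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            problems.append(f"RDN without '=': {rdn!r}")
            continue
        attr, value = rdn.split("=", 1)
        # The stray spaces the page warns about sit around ',' or '='.
        if attr != attr.strip() or value != value.strip():
            problems.append(f"whitespace around separator in {rdn!r}")
        if not ATTR_TYPE.fullmatch(attr.strip()):
            problems.append(f"invalid attribute type {attr.strip()!r}")
        if not value.strip():
            problems.append(f"empty value in {rdn!r}")
    return problems


def normalize_branch(dn):
    """Rewrite the branch without whitespace around ',' and '='."""
    rdns = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError(f"cannot normalize RDN without '=': {rdn!r}")
        attr, value = rdn.split("=", 1)
        rdns.append(f"{attr.strip()}={value.strip()}")
    return ",".join(rdns)


if __name__ == "__main__":
    for branch in SAMPLE_BRANCHES:
        found = check_branch(branch)
        print(f"{branch!r}: {'OK' if not found else '; '.join(found)}")
        if found:
            print(f"  suggested: {normalize_branch(branch)!r}")
```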

Trust Establishment
36. Before establishing secure internal communication (SIC) between a standalone SmartCenter server and a Connectra device, install policy to the SmartCenter server.

OSE
37. The Drop action is not supported for Cisco OSE devices. If the Drop action is used, the policy installation operation fails.
38. 3Com devices are not supported.


Platform Specific - Nokia


39. When upgrading using the Import Configuration option in the wrapper, and the machine from which you exported the configuration is a Nokia platform, the following may occur: Check Point packages that were inactive on the production machine will either become active on the target machine if its OS is Nokia, or will be installed on other platforms.

If this occurs, when the target machine is a Nokia platform, return the relevant packages to the inactive state. For other platforms, uninstall the relevant packages.

Platform Specific - Windows


40. On Windows platforms only, in some cases, when performing the Restore Version operation (from SmartDashboard, File > Database Revision Control > Restore Version) while SmartView Tracker is open, the restore fails and you are not able to save the database (File > Save). The solution is to make sure that SmartView Tracker is closed before performing Restore Version operations. If you have already encountered this problem, run cpstop and then cpstart.
41. After using the Advanced Upgrade tools to migrate a SmartCenter server to a different machine, RADIUS authentication servers will no longer be able to connect to the SmartCenter server. To re-establish the connection between them, do the following on the SmartCenter server:
   1. Use Regedit to open the Windows registry.
   2. Locate the key HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\ACECLIENT.
   3. Delete the value NodeSecret.
   4. Reboot the SmartCenter server.

SmartPortal
1. When a filter is applied in the Traffic or Audit log pages, logs may not display in sequential order, and using the scroll bar arrow to navigate through the logs does not appear to work. To scroll, click and drag the scroll bar or use the buttons Bottom and Top.


SmartUpdate
In This Section
Installation, Backward Compatibility, and Upgrade (page 36)
Miscellaneous (page 37)
Platform Specific - Nokia (page 37)
Platform Specific - SecurePlatform (page 37)
Policy Installation (page 37)
GUI (page 37)
Licensing (page 37)

Installation, Backward Compatibility, and Upgrade


1. When a gateway has been upgraded and then rolled back to the previously installed version, SmartUpdate is not able to report its status. This occurs because the gateway restarts with the initial policy instead of the last installed policy. The workaround is to re-install the old policy via SmartDashboard.
2. The command line executable for upgrading remote gateways, cprinstall, does not currently support the upgrade all option. Instead, run cprinstall install to upgrade individual packages, or use the SmartUpdate GUI.
3. After using SmartUpdate to install a firmware package on a UTM-1 Edge gateway, renaming the gateway in SmartDashboard may fail and result in the following message: Internal Error [12] while handling object edge1. Failed to update references of object edge1. Please contact technical support. If this occurs, you can safely ignore this message and perform the rename operation again. To avoid this message, leave SmartDashboard open during firmware installation.
4. After upgrading a pre-NGX SmartCenter to NGX R61, software packages (except for UTM-1 Edge firmware packages) that were displayed in the Package Repository of SmartUpdate do not appear. The packages are in the directory $SUROOT, and can be re-added to the Package Repository using the SmartUpdate command Add From File.
5. After upgrading a SecurePlatform gateway from NGX (R60) to NGX (R60A), SmartUpdate erroneously reports that the upgrade has failed. This message can be safely ignored.
6. After a SmartCenter server has been upgraded or copied via the Advanced Upgrade feature, previously defined UTM-1 Edge devices will not be able to connect to the SmartCenter server, and the Connection Wizard will generate object non-registered messages. To resolve this issue, use SmartUpdate to re-install a specific firmware package.
7. SmartUpdate can be used to upgrade a Log Server, but it cannot be used to downgrade a Log Server. Downgrading a Log Server should only be done locally.
8. SmartPortal NGX (R60) cannot be upgraded to NGX R61 via SmartUpdate. A workaround is to install SmartPortal NGX R61 directly (locally) on the NGX R60 machine.
9. When using SmartUpdate to upgrade Eventia Reporter Server from NGX (R60), the message Execution error may appear at the end of the upgrade process. This message may be safely ignored. To confirm that the upgrade was successful, in SmartUpdate select the Reporter Server and run the operation Get Gateway Data.
10. Eventia Analyzer cannot be upgraded to version NGX 2.0 via SmartUpdate; however, SmartUpdate does support Eventia Analyzer license operations.

Miscellaneous
11. When running Fetch CPInfo on a non-Windows Management server to fetch CPInfo for the Management itself, in certain cases the command may halt unexpectedly. In this case, rerun the command, or run CPInfo locally.
12. When upgrading to any NGX version from any pre-NGX version (e.g., R55), the SmartUpdate Package Repository is not upgraded. After the upgrade, the SmartUpdate Package Repository will therefore be empty.
13. In SmartDashboard, the version number of an NGX (R60A) gateway may be changed to NGX (R60) when performing an operation via SmartUpdate. There are two workarounds:
    a. Always have SmartDashboard open when performing SmartUpdate operations on an NGX (R60A) gateway.
    b. If the version number has changed, open SmartDashboard and manually change the gateway's version to NGX (R60A).
14. If, while pushing new firmware to a UTM-1 Edge device, the Secondary SmartCenter has just failed over, the firmware may not be successfully installed. To resolve this issue, synchronize the Edge device with the Secondary SmartCenter and run the Push Now operation again.

Platform Specific Nokia


15. Upgrade All and separate transfer and install are not supported on flash-based Nokia appliances. Instead, install Nokia IPSO explicitly and then install the Check Point products one by one. Alternatively, use Nokia Voyager to install the wrapper and manage the installation packages.
16. When trying to install or verify an NG_AI R55P HFA package via SmartUpdate, the following error message may be displayed: Package <package name> has wrong format. In this case, install the package locally on the module.
17. When upgrading Nokia flash-based machines via SmartUpdate, the following error message is displayed at the end of the upgrade process: Execution error. CPRID session timed out. It is highly probable that the module was successfully upgraded and that this message can be safely ignored. To confirm, run the operation Get Gateway Data for this gateway and verify in SmartUpdate that the module was indeed upgraded.

Platform Specific SecurePlatform


18. When using the SmartUpdate option Upgrade All, make sure that a VPN-1 Power/UTM Linux package is not in the Package Repository of any gateway running on SecurePlatform.

Policy Installation
19. When upgrading from R55W on a SecurePlatform machine, SmartUpdate will not reestablish a connection with the gateway after reboot. This is caused by the gateway failing to fetch a new policy and starting with an initial policy. To resolve this issue, go to the gateway and fetch the policy manually, or install policy from the SmartDashboard.

GUI
20. The feature Add Package From Download Center is not supported if the machine running SmartUpdate accesses the Download Center through a proxy server.

Licensing
21. If a local license is detached from the license repository and then reattached without first closing SmartUpdate, the license appears in the repository as unattached. In such a scenario, either attach the license manually, or close and restart SmartUpdate before reattaching the license.

UTM-1 Edge
Upgrade, Revert and Backward Compatibility
1. After a SmartCenter server has been upgraded or copied via the Advanced Upgrade feature, previously defined UTM-1 Edge devices will not be able to connect to the SmartCenter server, and the Connection Wizard will generate object non-registered messages. To resolve this issue, use SmartUpdate to re-install a specific firmware package.
2. To manage UTM-1 Edge devices with an R62 SmartCenter server that was migrated from Nokia to a different platform, see SecureKnowledge sk30389.

SmartCenter
3. A Sofaware profile will fail to install if a Check Point gateway has an interface named "in" and the Sofaware Reducer is disabled. To resolve this issue, make sure that the Sofaware Reducer is enabled, or avoid naming Check Point gateway interfaces "in".
4. Make sure that in the Advanced Permanent Tunnel configuration, the life_sign_timeout attribute is larger than the life_sign_transmitter_interval attribute.
5. UFP settings, CVP settings, and internal network settings of UTM-1 Edge ROBO gateways with firmware version 5.0 cannot be managed by this version of SmartLSM.

Policy Installation
6. When the group All VPN-1 Embedded devices is used as Remote Access in the rulebase, the icon shown for it is wrong and can be safely ignored.
7. If an object of type Embedded Device exists in the database but is not DNS-resolvable, installing policy on any Edge device may be slow. To solve the problem, either remove the Embedded Device object from the database, or make sure the name as it exists in the database is resolvable by DNS on the management machine.

VPN Communities
8. In order for SofawareLoader to create topologies suitable for Sofaware 4.5 appliances, use a text editor to open the file SofawareLoader.ini, located in the directory %FWDIR%\FW1_EDGE_BC\conf. In the [Server] section, add the line TopologyOldFormat=1. The change takes effect without running the commands cpstop and cpstart.
9. UTM-1 Edge devices do not support GRE tunnels, and therefore cannot be included in VPN Communities that use GRE tunnels.
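The SofawareLoader.ini change in item 8 is usually made by hand, but on a SmartCenter that is rebuilt or migrated it is easy to lose. The following script is an added example (not Check Point code and not part of this document): it guarantees that the [Server] section contains TopologyOldFormat=1, covering the cases where the section is missing, the key is missing, or the key already exists with another value, and leaves every other line of the file untouched. The file path is the one item 8 names; the function names and the .bak backup are my own assumptions.

```python
"""Added example (not Check Point code): idempotently set TopologyOldFormat=1
in the [Server] section of SofawareLoader.ini, preserving the rest of the file.
The path is the one named in item 8; function names are this example's own.
"""
import os
import re
import shutil
from pathlib import Path

SECTION = "Server"
KEY = "TopologyOldFormat"
VALUE = "1"

# Path named in item 8; %FWDIR% is expanded from the SmartCenter's environment.
INI_PATH = os.path.expandvars(r"%FWDIR%\FW1_EDGE_BC\conf\SofawareLoader.ini")

_HEADER = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KEYVAL = re.compile(r"^\s*(?P<k>[^=;#\s][^=]*?)\s*=(?P<v>.*)$")


def ensure_ini_key(text: str, section: str = SECTION, key: str = KEY, value: str = VALUE) -> str:
    """Return `text` with `key=value` present once in `[section]`.

    The edit is line based, so comments, other sections and key order survive.
    Section and key names are compared case-insensitively, as Windows INI
    readers do. Running it on its own output changes nothing.
    """
    out = []
    in_target = False      # currently inside [section]
    found_section = False  # [section] seen at least once
    done = False           # key=value has been written
    insert_at = 0          # index in `out` just after the section's last non-blank line

    for line in text.splitlines():
        header = _HEADER.match(line)
        if header:
            if in_target and not done:
                # Leaving the target section without having seen the key:
                # add it after the last non-blank line so it stays in the section.
                out.insert(insert_at, f"{key}={value}")
                done = True
            in_target = header.group("name").strip().lower() == section.lower()
            found_section = found_section or in_target
            out.append(line)
            insert_at = len(out)
            continue

        if in_target and not done:
            kv = _KEYVAL.match(line)
            if kv and kv.group("k").strip().lower() == key.lower():
                out.append(f"{key}={value}")  # rewrite the existing key in place
                done = True
                continue
            out.append(line)
            if line.strip():
                insert_at = len(out)
            continue

        out.append(line)

    if not found_section:
        if out and out[-1].strip():
            out.append("")
        out.extend([f"[{section}]", f"{key}={value}"])
    elif not done:
        out.insert(insert_at, f"{key}={value}")
    return "\n".join(out) + "\n"


def apply_to_file(path: str = INI_PATH) -> bool:
    """Rewrite the INI file in place, keeping a .bak copy. Returns True if changed."""
    p = Path(path)
    original = p.read_text(encoding="utf-8")
    updated = ensure_ini_key(original)
    if updated == original:
        return False
    shutil.copy2(p, p.with_suffix(p.suffix + ".bak"))
    p.write_text(updated, encoding="utf-8")
    return True


if __name__ == "__main__":
    print("changed" if apply_to_file() else "already set")
```

Run it on the SmartCenter after any upgrade or migration; as item 8 states, no cpstop/cpstart is needed for the setting to take effect. A plain configparser round-trip was avoided on purpose: it normalises key case and drops comments, which makes the resulting diff hard to review.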

Other
10. UTM-1 Edge gateways support only regular log tracking. Any other tracking option on a rule that is installed on such gateways is ignored.
11. If, while pushing new firmware to a UTM-1 Edge device, the secondary management has just failed over, the firmware may not be successfully installed. To resolve this issue, synchronize the UTM-1 Edge device with the secondary management and run the Push Now operation again.
12. Scanning is performed on archive files of the following types only: zip, gzip, and tar.
13. Only the first 30 HTTP headers or worm patterns defined on UTM-1 Edge devices of version 6.0.x are enforced.

VPN
VPN Communities
1. When managing SmartLSM ROBO gateways, some of which are VPN-1-enabled, from a standalone machine, the policy fetch operation may not succeed once a VPN has been established between the standalone machine and the ROBO gateway in question. To overcome this issue, add the CPD service as an excluded service for each of the communities that have SmartLSM ROBO profiles. To do this:
    a. Open the community object.
    b. In the Advanced Settings tab, choose the Excluded Services tab and add CPD as an excluded service.

VPN-1 Power VSX


In This Section
Miscellaneous page 39
Provider-1/SiteManager-1 page 39
SmartCenter page 40
SmartDashboard page 40
Policy Installation page 40
VSX NG AI Management Issues page 40
VSX ClusterXL page 41
Platform Specific Nokia page 41

Miscellaneous
1. When working with a non-dedicated management interface, you cannot add new members to an existing VSX cluster using the vsx_util command.
2. On a VSX NG AI Release 2.2 (Nokia) cluster/gateway, SecureClient connections are dropped during policy installation.
3. Upgrading to R65 is not supported for Nokia VSX.

Provider-1/SiteManager-1
4. Make sure that the IP address of the management object is set before running vsx_util or creating any Virtual Devices.
5. When attempting to delete a Virtual Device from a CMA while the CMA database on which the VSX is defined is locked, the operation fails and an error message is displayed. This is the proper behavior. However, the operation also causes the Virtual Device to disappear from the Tree view. To resolve this issue, restart SmartDashboard.
6. If the VSX Wizard fails and changes need to be made to the defined configuration, avoid re-fetching the configuration from the modules. This means that if you move back to the SIC establishment dialog and click Next, you should reply NO to the question regarding re-fetching the configuration from the VSX gateway(s).

SmartCenter
7. To establish trust with newly created Virtual Devices, the IP address of the management server must be routable from the VSX gateway. When a management server has more than one interface, make sure to select the IP address of the proper interface to serve as the management server's IP address.
8. The Install Database operation is not supported on Virtual Devices.
9. The Policy Uninstall operation is not supported on VSX clusters.

SmartDashboard
10. After creating a VSX gateway or cluster, its IP address cannot be changed.
11. The name of a Virtual Device should not exceed 64 characters. In cluster scenarios, the Member Virtual Device name is a composite of the Member name and the Cluster Virtual Device name, so keep both short enough that the combined name stays within 64 characters.
12. After resetting the SIC for a VSX gateway or cluster member, reinstall policy.
13. When adding NATed addresses to the topology of a Virtual System, only address ranges are supported. To add a single IP address or an IP subnet, define it as an address range.
14. Editing the name of the VSX management interface is not supported.
15. When editing a VSX gateway or cluster object using the Creation Templates tab, you can only switch to a Customized Virtual System. Note that this change is irreversible.
16. Propagating routes from Virtual Routers to Virtual Systems is not supported.
17. When using the vsx_util reconfigure command line utility to reconfigure a VSX gateway, the SIC status of the network object does not change to Communicating. While this results in warnings regarding trust establishment on VS/VR for this specific object, the messages can be safely ignored.
18. When configuring a host object as a Web Server in a deployment that contains configured Virtual Systems, on the Web Server tab, set the Protected by field to contain targets that do not include Virtual Systems.
19. When defining NAT routes on the Topology tab of the Virtual System, insert two IP addresses: the first and last address of the IP range used for NATing. Note that large ranges can result in a slow response from the SmartCenter server.
20. When activating the "General HTTP Worm Catcher" SmartDefense protection on a VSX gateway, all HTTP traffic is scanned for worms, regardless of the scope.

Policy Installation
21. Policy cannot be installed on more than 10 Virtual Systems simultaneously.
22. VSX does not support the SmartDefense Profiles feature.
23. Virtual Systems cannot be managed from a Secondary management server.

VSX NG AI Management Issues


24. When creating an NG AI Virtual Device, the main IP address of the Virtual Device should be routable from the SmartCenter server.
25. When two Virtual Systems with internal IP addresses that originate from identical subnets (that is, overlapping subnets) are connected through a Virtual Switch, the internal interface of one of the Virtual Systems cannot be propagated.
26. To enable the synchronization of routing information between cluster members, the policy on the VSX cluster must allow communication between cluster members on TCP port 2010.

27. When connecting from SmartDashboard to the management server through a Virtual Device, the Virtual Device topology or routing cannot be changed.
28. If you change the IP address of an interface leading to a Virtual Router when editing VSX NG AI, all manually defined routes to this Virtual Router are deleted from the Virtual System and must be re-entered manually.
29. In VSX, the Phase 1 proposal for SecureClient is hardcoded. Therefore, changing the Phase 1 encryption method is not reflected in the client.
30. To avoid warning messages during policy installation, interfaces defined on a Virtual System or Virtual Router should be associated with a route.
31. The number of interfaces that can be assigned to a Virtual System is limited to 64.
32. When a VSX NG AI Virtual Device is created, it is assigned a unique IP. If that IP is already in use, the operation fails. To fix this problem, cancel the operation and create the Virtual Device with a unique IP that is not in use.
33. On Nokia platforms running VSX NG AI in a cluster configuration, an issue may arise when changing the VLAN interface on a Virtual Device. If the operation fails at some point, the change may be applied to some cluster members and not others.

VSX ClusterXL
34. To prevent a Virtual System in Bridge mode from creating loops in a clustered environment, a spanning tree protocol is required.
35. All Virtual System interfaces in bridge mode must have the same VLAN ID.

Platform Specific Nokia


36. When creating an NG AI VSX cluster on IPSO, delete from the physical interfaces list any interfaces that are not VRRP enabled. Remove these unused interfaces when using the VSX Wizard or immediately afterwards.
37. Encryption method AES128/MD5 is not supported for VPN.

Documentation Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com
