7/31/2019 Checkpoint NGX Release Notes
1/94
Copyright 2005 Check Point Software Technologies, Ltd. All rights reserved.
Check Point Enterprise Suite NGX (R60)
Release Notes, May 16, 2005

In This Document
Information About This Release page 1
Resolved Limitations page 10
Clarifications and Limitations page 16

Information About This Release
This document contains important information not included in the documentation. Review
this information before setting up Check Point NGX (R60).

IMPORTANT: Before you begin installation, read the latest available version of these
release notes at: http://www.checkpoint.com/techsupport/downloads.jsp

In This Section
License Upgrade Requirement page 1
NGX (R60) Products by Platform page 2
Build Numbers page 3
Non-upgradable Products page 3
Minimum Hardware Requirements page 4
Maximum Number of Interfaces Supported by Platform page 7
Minimum Software Requirements page 8
The Regular Expression (RX) Library page 9

License Upgrade Requirement
To upgrade to NGX R60, you must first upgrade licenses for all NG products, as NGX
R60 will not function with licenses from previous versions. The utility license_upgrade
is included on the CD at \license_upgrade. See the Upgrade Guide for instructions.
NGX (R60) Products by Platform
Platforms (table columns):
Microsoft Windows: Server 2003; 2000 Advanced Server (SP1-4); 2000 Server (SP1-4);
2000 Professional (SP1-4); XP Home & Professional; 98 SE & ME; Hand-Held PC 2000 & PC 2003
Solaris UltraSPARC (1): 8 (32/64 bit); 9 (64 bit)
RHEL 3.0 (kernel 2.4.21)
Check Point SecurePlatform
Nokia IPSO 3.9
Mac OS X

Product support marks (X = supported on a platform column; a number after a mark refers
to the notes below):
SmartConsole GUI: X 2 X X X X X X X
VPN-1 Pro Module (including QoS, Policy Server): X X X X X X X X
SmartCenter Server (incl. VSX): X X X X X X X X
SmartPortal: X X X X X X X
SecuRemote: X X X X X
SecureClient: X X X X X X X X
ClusterXL (VPN-1 Pro Module): X X X 3 X X X X X 4
UserAuthority (Management Add-on only): X X X X X X X X X X
Eventia Reporter - Server: X X X X X X X X 5
SmartView Monitor: X 6 X X X X X X
VPN-1 Accelerator Driver II: X X
VPN-1 Accelerator Driver III: X X X X X X X X
Performance Pack: X X X
SmartLSM - GUI: X X X X X
SmartLSM - Enabled Management: X X X X X X X X
SmartLSM - Enabled ROBO Gateways: X X X X X X
SmartLSM - Enabled CO Gateways: X X X X X X X X
Advanced Routing: X
SecureXL Turbocard: X
SSL Network Extender - Server: X X X X X X X X
SSL Network Extender - Client: X X X
Provider-1/SiteManager-1 Server: X X X X
Provider-1/SiteManager-1 GUI: X X X X X X X
OSE Supported Routers: Nortel versions 7.x, 8.x, 9.x, 10.x, 11.x, 12.x, 13, 14;
Cisco OS versions 9.x, 10.x, 11.x, 12.x

Notes to Products by Platform Table
1) See Minimum Software Requirements on page 8 for Solaris platforms.
2) The following SmartConsole Clients are not supported on Solaris UltraSPARC 8 (32- and
64-bit): Eventia Reporter Client, SmartView Monitor, SmartLSM and the SecureClient
Packaging Tool.
3) HA Legacy mode is not supported on Windows Server 2003.
4) ClusterXL is supported only in third party mode with VRRP or IP Clustering.
5) Only the Server Add-on of Eventia Reporter is supported on Nokia.
6) SmartView Monitor on Solaris is supported only in 32-bit mode.
7) VPN-1 Edge devices cannot be managed from a SmartCenter server running on a Nokia
platform.
Build Numbers
The following table lists all NGX (R60) software products available, and the build numbers as
they are distributed on the product CD. To verify each product's build number, use the given
command.

Product | Build No. | Command
VPN-1 Pro | 457_4 (Windows); 458_2 (all others) | fw ver
SmartCenter | 387 | fwm ver
SecureClient Policy Server | 24 | dtps ver
SmartView Monitor | 134 | rtm ver
QoS | 47 | fgate ver
SVN Foundation | 562 | cpshared_ver
NG Compatibility Package | 57_1 | fw_loader -v
R55W Compatibility Package | 12_4 | fw_loader ver
VPN-1 Edge Compatibility Package | 650_1 | fw ver
VPN-1 Edge - S series | 5.0.58s | Displayed on the default portal page
VPN-1 Edge - X series | 5.0.50x (or 5.0.57x) | Displayed on the default portal page
SmartConsole (GUI) | 654_1 | Help > About Check Point SmartDashboard
UserAuthority Server | 30_1 | uas ver
Eventia Reporter | 339_2 | SVRServer ver
SecuRemote/SecureClient | 619_1 | Help > About
SecurePlatform | 244_1 | ver
Performance Pack | 79_1 | sim ver -k
VPN-1 HW Accelerator II | 13_1 | n/a
VPN-1 HW Accelerator III | 20004_2 (Windows); 20004_1 (Solaris); 20007_1 (Linux) | n/a

Non-upgradable Products
The following Check Point products cannot be upgraded to NGX (R60):
VPN-1 SmallOffice
VPN-1 Net FireWall-1 4.1
Minimum Hardware Requirements
In This Section
Windows & Linux Platforms page 4
Solaris Platforms page 6
SecurePlatform page 7

Windows & Linux Platforms
Minimum Requirements for VPN-1 Pro
On Windows and Linux platforms, the minimum hardware requirements for installing a
VPN-1 Pro SmartCenter Server, Enforcement Module or SmartPortal are:
Intel Pentium II 300 MHz or equivalent processor
300 MB free disk space
RAM: Windows 256 Mbytes; Linux 128 Mbytes (256 Mbytes recommended)
One or more network adapter cards
CD-ROM Drive
Minimum Requirements for SmartConsole
On Windows and Linux platforms, the minimum hardware requirements for installing a
SmartConsole, which includes SmartDashboard, SmartView Tracker, SmartView Monitor,
Eventia Reporter, SmartUpdate, SmartLSM and User Monitor, are:
Intel Pentium II 300 MHz or equivalent processor
100 MB free disk space
256 Mbytes RAM
One network adapter card
CD-ROM Drive
800 x 600 video adapter card
Minimum Requirements for SecuRemote/SecureClient
On Windows and Mac OS X platforms, the minimum hardware requirements for installing
SecuRemote/SecureClient are:
40 MB free disk space
128 MB RAM
Minimum Requirements for Eventia Reporter
The following minimum hardware requirements were designed so that the Eventia Reporter
Server can process a volume of about 3 GB of logs per day and generate reports within
the documented performance numbers. If fewer logs are produced per day you can use a
machine with less CPU or memory; this may, however, degrade performance. In addition,
if your machine has less physical memory you need to change the database cache size.
To do this, follow the instructions in the Eventia Reporter User Guide under the section
Changing the Eventia Reporter Database Cache Size.
On Windows and Linux platforms, the minimum hardware requirements for installing
Eventia Reporter are:
Intel Pentium III 1000 MHz or equivalent processor
60 MB disk space for installation
40GB disk space for database
1GB RAM
One network adapter card
CD-ROM Drive
1024 x 768 video adapter card
The following is also recommended:
Configure the network connection between the Eventia Reporter Server machine and
the SmartCenter or the Log server to the optimal speed.
Use the fastest disk available with a high RPM (revolutions per minute).
Increase the machine's memory; it significantly improves performance.
Install an uninterruptible power supply (UPS) for the Eventia Reporter Server machine.
Solaris Platforms
Minimum Requirements for VPN-1 Pro
On a Solaris platform, the minimum hardware requirements for installing a VPN-1 Pro
SmartCenter Server, Enforcement Module or SmartPortal are:
UltraSPARC II
100 MB free disk space for installation
128 Mbytes RAM (256 Mbytes recommended)
One or more network adapter cards
CD-ROM Drive
Minimum Requirements for SmartConsole
On a Solaris platform, the minimum hardware requirements for installing a SmartConsole,
which includes SmartDashboard, SmartView Tracker, SmartView Monitor, Eventia
Reporter, SmartUpdate, SmartLSM and User Monitor, are:
UltraSPARC III
100 MB free disk space for installation
128 Mbytes RAM
One network adapter card
CD-ROM Drive
800 x 600 video adapter card
Minimum Requirements for Eventia Reporter
The following minimum hardware requirements were designed so that the Eventia Reporter
Server can process a volume of about 3 GB of logs per day and generate reports within
the documented performance numbers. If fewer logs are produced per day you can use a
machine with less CPU or memory; this may, however, degrade performance. In addition,
if your machine has less physical memory you need to change the database cache size.
To do this, follow the instructions in the Eventia Reporter User Guide under the section
Changing the Eventia Reporter Database Cache Size.
The minimum hardware requirements for installing Eventia Reporter on a Solaris platform
are:
UltraSPARC III 400MHz processor
100 MB disk space for installation
40GB disk space for database
1GB RAM
One network adapter card
CD-ROM Drive
1024 x 768 video adapter card
The following is also recommended:
Configure the network connection between the Eventia Reporter Server machine and
the SmartCenter or the Log server to the optimal speed.
Use the fastest disk available with a high RPM (revolutions per minute).
Increase the machine's memory; it significantly improves performance.
Install an uninterruptible power supply (UPS) for the Eventia Reporter Server machine.
SecurePlatform
Minimum Requirements for VPN-1 Pro
On SecurePlatform, the minimum hardware requirements for installing a VPN-1 Pro
SmartCenter Server, Enforcement Module or SmartPortal are:
Intel Pentium III 300+ MHz or equivalent processor
4 GB free disk space
256 Mbytes RAM (512 Mbytes recommended)
One or more supported network adapter cards
CD-ROM Drive (bootable)
1024 x 768 video adapter card
For details regarding SecurePlatform on specific hardware platforms, see
http://www.checkpoint.com/products/supported_platforms/recommended.html
Maximum Number of Interfaces Supported by Platform
The maximum number of interfaces supported (physical and virtual) is shown by platform
in the following table.

Product | Solaris UltraSPARC | Microsoft Windows | Check Point SecurePlatform | Nokia IPSO
VPN-1 Pro and Performance Pack | 255 | 32 | 1015 (1, 2) | 256 (1)
ClusterXL | 255 | 32 | 1015 (1, 2) | 256 (1)

Notes to Maximum Number of Interfaces Table
1) SecurePlatform and Nokia IPSO support 255 virtual interfaces per physical interface.
2) When using Dynamic Routing on SecurePlatform, 200 virtual interfaces per physical
interface are supported.
Minimum Software Requirements
Solaris Platform
Required Packages
SUNWlibc
SUNWlibCx
SUNWter
SUNWadmc
SUNWadmfw

Required Patches
Check Point recommends using the Sun Install Check Tool to check the patch level of your
Solaris machines. The Sun Install Check Tool is available on the Sun download site at
http://www.sun.com/software/installcheck/download.xml. Use the tool to make sure your
Solaris machines have the following or newer patches.

Solaris 8: the following patches (or newer) are required on Solaris 8 UltraSPARC
platforms:
Number | System | Notes
108528-18 | All | If the patches 108528-17 and 113652-01 are installed, remove 113652-01, and then install 108528-18.
110380-03 | All |
109147-18 | All |
109326-07 | All |
108434-01 | 32 bit |
108435-01 | 64 bit |

Solaris 9: the following patches (or newer) are required on Solaris 9 UltraSPARC
platforms:
Number | System | Notes
112233-12 | All |
112902-07 | All |
116561-03 | All | Only if the dmfe(7D) ethernet driver is defined on the machine

To verify that you have these patches installed use the command:
showrev -p | grep
The patches can be downloaded from: http://sunsolve.sun.com. Install the 32-bit patches
before installing 64-bit patches.
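As an added example that is not part of these release notes or of Check Point's tooling, the following Python script checks showrev -p output against the patch levels listed above: it reports required patches that are absent or below the minimum revision, orders them 32-bit before 64-bit as the notes instruct, and flags the 108528-17/113652-01 removal step. The showrev -p output it runs on is constructed for illustration.

```python
"""Check `showrev -p` output against the Solaris patch levels these release
notes require.  Added example, not Check Point tooling; SHOWREV_SAMPLE is a
constructed stand-in for real `showrev -p` output."""
import re
from typing import Dict, List, Tuple

# (patch id, minimum revision, scope) per Solaris release, from the notes.
# scope: "all" = every install; "32"/"64" = bitness-specific patch;
# "dmfe" = only hosts on which the dmfe(7D) ethernet driver is defined.
REQUIRED: Dict[str, List[Tuple[str, int, str]]] = {
    "8": [("108528", 18, "all"), ("110380", 3, "all"), ("109147", 18, "all"),
          ("109326", 7, "all"), ("108434", 1, "32"), ("108435", 1, "64")],
    "9": [("112233", 12, "all"), ("112902", 7, "all"), ("116561", 3, "dmfe")],
}

# `showrev -p` prints one "Patch: <id>-<rev> Obsoletes: ... Packages: ..."
# line per installed patch; only the id and revision matter here.
PATCH_RE = re.compile(r"^Patch:\s+(\d{6})-(\d{2})\b")

# Constructed sample: a Solaris 8 host that still has 108528-17 plus the
# conflicting 113652-01, a newer-than-required 110380, and no 109326/108435.
SHOWREV_SAMPLE = """\
Patch: 108528-17 Obsoletes: 108556-01 Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 113652-01 Obsoletes:  Requires: 108528-17 Incompatibles:  Packages: SUNWcsu
Patch: 110380-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109147-18 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
Patch: 108434-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWlibC
"""


def parse_showrev(text: str) -> Dict[str, int]:
    """Map patch id -> highest installed revision (a patch id can appear more
    than once when several revisions were applied over time)."""
    installed: Dict[str, int] = {}
    for line in text.splitlines():
        m = PATCH_RE.match(line.strip())
        if m:
            pid, rev = m.group(1), int(m.group(2))
            installed[pid] = max(rev, installed.get(pid, 0))
    return installed


def missing_patches(installed: Dict[str, int], release: str,
                    kernel_64bit: bool = True, dmfe: bool = False) -> List[str]:
    """Required patches that are absent or below the minimum revision, as
    'id-rev' strings in install order: general patches, then the 32-bit
    patch, then the 64-bit one (the notes say 32-bit before 64-bit)."""
    order = {"all": 0, "32": 1, "64": 2, "dmfe": 3}
    wanted = [p for p in REQUIRED[release]
              if p[2] in ("all", "32")
              or (p[2] == "64" and kernel_64bit)
              or (p[2] == "dmfe" and dmfe)]
    wanted.sort(key=lambda p: order[p[2]])  # stable: keeps table order per scope
    return [f"{pid}-{rev:02d}" for pid, rev, _ in wanted
            if installed.get(pid, 0) < rev]


def pre_install_steps(installed: Dict[str, int]) -> List[str]:
    """Ordering caveat from the Solaris 8 table: with 108528-17 and 113652-01
    both present, 113652-01 must be removed before 108528-18 is installed."""
    if installed.get("108528") == 17 and "113652" in installed:
        return ["remove 113652-01 (patchrm), then install 108528-18"]
    return []


if __name__ == "__main__":
    have = parse_showrev(SHOWREV_SAMPLE)
    for step in pre_install_steps(have):
        print("before patching:", step)
    for patch in missing_patches(have, "8", kernel_64bit=True):
        print("needed:", patch)
```

On a real host, replace SHOWREV_SAMPLE with the captured output of showrev -p and pass release "8" or "9" with the host's kernel bitness and dmfe flag.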
Windows Platform
This release requires that Service Packs be applied to Windows 2000 systems. This release
supports Windows 2000 Service Packs SP1, SP2, SP3, and SP4. The release also supports
Windows 2003 and Windows 2003 SP1.
Linux Platform
This release supports Red Hat Enterprise Linux 3.0. For Red Hat kernel installation
instructions, visit: http://www.redhat.com/support/resources/howto/kernel-upgrade .
Nokia Platform
This release supports IPSO 3.9.
The Regular Expression (RX) Library
NGX (R60) uses the RX Library. The library license agreement (LGPL) can be
downloaded from:
http://www.checkpoint.com/techsupport/downloads/docs/firewall1/r55/GNU_LGPL.pdf.
Resolved Limitations
In This Section
Firewall page 10
SmartCenter page 11
VPN page 13
VPN-1 Edge page 13
SmartUpdate page 13
SecuRemote/SecureClient page 13
SecurePlatform page 14
VSX page 14
ClusterXL page 14
SSL Network Extender page 15

This section contains limitations that were published as release notes with NG with
Application Intelligence (R55) and now stand as resolved in NGX (R60). They are
presented in their original format, stressing the limitation, yet should be understood as
resolved.

Firewall
Installation
1) On Windows platforms, the SNMP service must be stopped before uninstalling VPN-1
Pro. If the SNMP service is running, a message regarding locked files is displayed.
2) In order to install the SmartCenter Applications on Windows NT, use the installation
executable instead of the installation wrapper.
SmartDashboard, Motif GUI
3) After resetting to default, the update time and version are no longer displayed on the
top side of the General page. However, these update details can still be seen on the
bottom half of the General page.
Platform Specific Solaris
4) SUN's Gigaswift network driver is not supported when using ClusterXL in a VLAN
tagging configuration.
Directional Rule Match
5) A user group may be placed in the Destination column in the Security Rule Base only
if the Remote Access community appears in the "to" part of the VPN column in a new
Directional VPN rule (for example, VPN column = Any > RemoteAccess). If the
Remote Access community is used alone (that is, in a non-directional form), this
will not work.
SmartCenter
Upgrade, Backout, and Backward Compatibility
1) When upgrading to a new machine using the Import or Export utilities, and SecurID is
being used for authentication, and the new SmartCenter Server has the same IP address
as the original SmartCenter Server, use the following instructions to retain both user
and administrator authentication:
For Windows Platforms
If the environment variable %VAR_ACE% exists, copy the file %VAR_ACE%\sdconf.rec from
the original machine to the new machine. Otherwise, copy the file
%WINDIR%\system32\sdconf.rec from the original machine to the new machine. In
addition, copy the registry key HKLM > SOFTWARE > SDTI > ACECLIENT > NodeSecret
from the original machine to the new machine.
For Unix Platforms
If the environment variable $VAR_ACE exists, copy the files $VAR_ACE/sdconf.rec and
$VAR_ACE/securid from the original machine to the new machine. Otherwise, copy
/var/ace/sdconf.rec and /var/ace/securid from the original machine to the new
machine.
2) When installing the R55W Add-On on a standalone machine (in other words, one
deployed with both the SmartCenter Server and the VPN-1 Pro Gateway), the
local gateway remains at version R55. Use the Upgrade Tool to upgrade the
local gateway from version R55 to version R55W. Refer to the Getting Started Guide for
more information.
Policy Installation
3) Policy installation has issues on a VPN-1 Edge/Embedded Gateway when a rule contains a
Cluster object in its source or destination. As a workaround, create a node object with
the IP address of the cluster object, and use the node object instead of the cluster object
in the rule.
SmartCenter Server
4) When using rules with resources, avoid installing them on VPN-1 Edge/Embedded
profiles. Resources are not supported on VPN-1 Edge/Embedded appliances.
Management High Availability
5) When adding a new Secondary Management, the machine should be synchronized once
manually before it starts synchronizing automatically.
6) When creating a Management High Availability environment, all peers must be installed
with the same products. If one product is installed on one peer but not on the other,
product information may be lost and the product may not function properly.
7) When using Management High Availability, all SmartCenter servers must be installed
with the same version. This also applies if your SmartCenter servers were created with
the R55W add-on; if one of the SmartCenter servers is installed with the R55W
add-on, the others should be as well.
Platform Specific Nokia
8) In order to manage QoS modules from a Nokia SmartCenter, you need to enable QoS
in Voyager on the SmartCenter. Telnet into the Nokia SmartCenter and perform cpstop
and cpstart (or reboot). In cpstop, you can safely ignore the message etmstop: Module
not loaded. When you run cpstart on the SmartCenter, you can safely ignore the message
FloodGate-1: This is a Management Station. No QoS Policy will be Loaded.
Note: Trying to install a QoS policy on a module before executing these steps on the
SmartCenter will fail and produce the error message: Failed to start
uninstall/install operation.
Miscellaneous
9) In demo mode, when launching SmartLSM through SmartDashboard, no predefined
ROBO Gateway objects are shown in SmartLSM, and no SmartLSM Profile objects can
be created in SmartDashboard.
SmartConsole Applications
10) On the Motif platform, in SmartDashboard, there are issues when adding or editing
Default community strings in SNMP in SmartDefense. Use the dbedit utility to add or
edit entries. The entries are contained in the asm table: AdvancedSecurityObject and
snmp_protection\snmp_default_communities_list.
OPSEC
11) OPSEC applications that read logs using LEA may fail if the network objects database
contains more than 2000 objects.
VPN
VPN Communities
1) Excluded Services are not supported with VPN Communities that contain VPN-1 Edge
devices.
PKI, PKCS
2) Entrust CAs are defined as OPSEC CAs, and can be configured to support CMP
automatic enrollment. On upgrade, Entrust CAs are changed to OPSEC CAs.
VPN-1 and SecuRemote/SecureClient Issues
3) The combination of using multiple external interfaces (routing through different
interfaces) for SecuRemote/SecureClient and ClusterXL pivot mode is not supported.
4) MACROs have been added to cp.macro for SecureClient on Mac OS and for
SecureClient with Integrity. The cp.macro file should be replaced under $CPDIR/conf
on the Management.
VPN-1 Edge
1) Policy installation has issues on a VPN-1 Edge/Embedded Gateway when a rule contains a
Cluster object in its source or destination. As a workaround, create a node object with
the IP address of the cluster object, and use the node object instead of the cluster object
in the rule.
SmartUpdate
1) SmartUpdate does not support upgrading remote devices to versions other than that of
the management server.
SecuRemote/SecureClient
Connectivity
1) If SecureClient receives an IP address on a subnet on which the cluster also has an
interface, SecureClient will not survive a failover from one cluster member to another.
When the cluster fails over to another member, the MAC address is reset to the MAC
address of the active cluster member. Once SecureClient receives an Office Mode
address from the gateway, SecureClient can no longer discover the MAC address of the
cluster. This means that SecureClient cannot update the MAC address when the MAC
address of the cluster member changes. SecureClient continues to send packets to the
MAC address of the now inactive cluster member.
SecurePlatform
General
1) Starting with this release, the SecurePlatform restricted shell allows using the '/' symbol
with the ifconfig and route commands. This allows defining networks in CIDR
notation (e.g., 10.10.0.0/16).
2) If you physically replace a NIC in a machine running SecurePlatform, the order of the
NICs may change. Verify that the NICs are mapped and connected
according to your needs.
3) Some models of Intel PRO/1000 cards may have performance issues when used under
high load and/or in a ClusterXL setup. The symptoms include log messages (in
/var/log/messages) about NICs being reset via watchdog, or, in other cases, NICs
stopping transmitting traffic. Please contact Check Point technical support to resolve
those issues.
WebUI
4) The character % should not be specified when defining a password.
VSX
1) Virtual Device names are limited to 64 characters. When creating a new Virtual Device,
the name of the device is composed of the new Virtual Device name, the VSX box
name, and the cluster member name. This name should not exceed 64 characters.
2) Each Virtual System/Router can have up to 30 interfaces.
ClusterXL
Platform Specific Solaris
1) SUN's Gigaswift network driver is not supported when using ClusterXL in a VLAN
tagging configuration.
2) In a Solaris cluster configuration, one or more of the following may occur:
The kernel message ERROR_ACK for DL_ENABMULTI_REQ during the boot process.
The message no interface information during or after the boot process.
An interface has the flag MULTI_BCAST in ifconfig.
An interface starts, possibly once every several boots, in the down state.
The message ar_entry_query: Could not find the ace for source address
during or after the boot process.
As a result of these issues, the cluster does not process packets on the problematic
interface.
VPN-1 and SecuRemote/SecureClient Issues
3) The combination of using multiple external interfaces (route through different
interfaces) for SecuRemote/SecureClient and ClusterXL pivot mode is not supported.
Crossbeam
4) On a Crossbeam box, where an external circuit is defined as the sync network, the
wrong Unicast MAC is used when forwarding IKE packets between members. This may
cause key-exchanges to fail.
Supported Features
5) When a SecureXL host and a ClusterXL gateway are both located on the same network,
and the ClusterXL gateway is either in High Availability or Load Sharing Unicast mode,
the SecureXL host may not recognize a failover performed by the ClusterXL gateway. A
workaround is to place a router between the gateways.
Load Sharing
6) ISP redundancy is supported in Load Sharing Unicast mode only when working over
SecureXL or Performance Pack.
SSL Network Extender
1) SSL Network Extender is not supported on ClusterXL in Load Sharing mode.
Clarifications and Limitations
In This Section
Firewall page 17
SmartCenter page 28
VPN page 40
VPN-1 Edge/Embedded page 50
VSX page 52
SecuRemote/SecureClient page 55
SecurePlatform page 60
SmartLSM page 68
SmartUpdate page 70
SmartView Monitor page 72
Eventia Reporter page 73
ClusterXL page 77
SecureXL page 88
Performance Pack page 88
SSL Network Extender page 90
QoS page 92
UserAuthority Server page 93
OPSEC page 94
InterSpect page 94
Firewall
In This Section
Installation, Upgrade and Backward Compatibility page 17
Platform Specific SecurePlatform page 18
Platform Specific Nokia page 18
Platform Specific Windows page 19
Platform Specific Solaris page 19
Platform Specific Linux page 20
Load Sharing page 20
NAT page 20
Authentication page 21
Security Servers page 21
Services page 23
IPv6 page 23
SmartConsole & SmartConsole Applications page 24
ISP Redundancy page 24
Logging page 25
Policy Installation page 25
OSE page 26
SAM page 26
Dynamically Assigned IP Address (DAIP) Modules page 26
Miscellaneous page 26
VoIP page 26

Installation, Upgrade and Backward Compatibility
1) Manual changes to the file fwauthd.conf (e.g., in.ahttpd configuration for the
generic TCP Security Server) are not preserved during upgrade and must
be reapplied.
2) When upgrading from earlier NG Feature Packs, the SYNDefender configuration moves
to a global configuration in SmartDefense and defaults to off. If a per-module
configuration is desired, uncheck Override modules SYNDefender configuration under
TCP > SYN Attack Configuration in SmartDefense settings.
3) Prior to NG with Application Intelligence (R54), setting the SmartDefense feature Max
URL length to 0 would drop all connections. Since R54, setting the parameter to 0
disables this protection.
4) When the Web Intelligence General HTTP Worm Catcher is enabled, policy installation
on modules running NG FP1 cannot be performed. In order to install the policy, you
should either remove the NG FP1 modules from the list of Policy Installation Targets,
or alternatively disable the General HTTP Worm Catcher.
5) When the Web Intelligence General HTTP Worm Catcher is enabled, policy installation
on modules running NG FP3 prior to HotFix-2 cannot be performed. In order to
install the policy, you should upgrade the module to NG FP3 HotFix-2.
6) In modules that pre-date version NG with Application Intelligence R55W, the Web
Intelligence defenses HTTP Format Sizes, ASCII Only Request and General HTTP Worm
Catcher only support the protection scope "apply to all HTTP connections"; therefore, if
one of these defenses is configured with protection scope "apply to selected web servers"
and is installed on an older module, the protection scope "apply to all HTTP connections"
will be applied on this module.
7) During upgrade of a cluster member from a pre-NGX (R60) version to NGX (R60)
and higher versions, the following message may appear on the console: FW-1:
fwlddist_put: bad operation received from higher version. This message can be
safely ignored.
Platform Specific SecurePlatform
8) Virtual interfaces are not supported on the Enforcement Module on Linux and
SecurePlatform operating systems.
Platform Specific Nokia
9) When the SmartDefense TCP Sequence Verifier feature is enabled and SecureXL is on
or Flows acceleration is enabled, a message appears when you install a policy from
SmartDashboard, and the Sequence Verifier feature is not enforced.
For SecureXL, the message displayed is: Warning: This Gateway supports SecureXL
traffic acceleration. TCP Sequence Verifier (SmartDefense) will not be enforced on accelerated
connections. To allow Sequence Verification, turn off acceleration on the Gateway by running
cpconfig.
For Flows acceleration, the message is: Flows: TCP Sequence Verifier acceleration is not
supported on the Gateway.
To configure the TCP Sequence Verifier, select the SmartDefense tab > Network Security
> TCP and deselect Sequence Verifier.
Platform Specific Windows
10) VPN-1 Pro limits its memory allocations to a certain percentage of the available
non-paged memory. This limit affects the number of concurrent connections that the
Enforcement Module can handle. The limit is intended to leave the rest of the system
enough memory resources for smooth operation. The default limit can be changed to
suit the system configuration. In Windows the limit can be set by setting the
MaxNonPagedPoolUsage value (DWORD) in the registry (under
20) On Solaris platforms with a qlc driver and the kernel memory allocator debugging
functionality enabled, the system may experience instability. In this case, install Solaris
patch 113042-10 or higher.
Platform Specific Linux
21) New interfaces that are added after the Enforcement Module is started (e.g., a PPP
interface) are not displayed by the fw stat -l command. Use the fw ctl iflist
command instead.
22) When NIS is enabled for resolving network services, Check Point processes may
experience memory leakage due to a memory leak in libC 2.2.4. A workaround is to
disable NIS resolving (remove nis and nisplus from services: in/etc/nsswitch.conf).
23) ATM and ISDN interfaces are not supported.
Load Sharing
24) When employing SecurID for authentication, it is recommended to define each cluster
member separately on the ACE/Server with its own unique (internal) IP address. In
addition, to send packets to the ACE/Server with their unique IP addresses and not theVIP address, edit the file table.def, located in $FWDIR/lib. Change the line starting
with no_hide_services_ports to, for example, no_hide_services_ports = {}, where 5500 is the service port and 17 (UDP) is the protocol.
NAT
25) Microsoft Exchange Outlook Client UDP new mail notification does not work with
Hide NAT on the client. For the new mail notification both the Client and the Server
need to be in both the source and the destination cells:

    Source    Destination    Service       Action
    Client    Server         MSExchange    Accept
    Server    Client         MSExchange    Accept

In the $FWDIR/lib/exchange.def file, enable this notification by setting #define
ALLOW_EXCHANGE_NOTIFY (as stated in the file comments).
26) OSE objects cannot be used in NAT rules. The workaround is to define regular node
objects with the same addresses and to use them instead.
27) Automatic ARP is not supported with IP Pool NAT.
Authentication
28) When performing manual client authentication (using port 900) to a cluster where the
members' IP addresses are not routable, the URLs returned in the HTML from the
replying cluster member contain the member's own non-routable IP address instead of
the cluster IP address. This fails subsequent operations. The workaround is to configure
the cluster to use a domain name instead of an IP address in the client authentication
HTML pages, using the ahttpclientd_redirected_url global property. Make sure that
your DNS servers resolve this domain name to the IP address of the cluster.
29) After changing the sdconf.rec file on a Firewall-1 (needed for SecurID authentication),
in order for the new configuration to take effect, you must restart the Firewall-1
services by running cpstop and cpstart.
30) Client Authentication will fail if VPN-1 Pro machine name is configured with a wrong
IP address in the hosts file.
31) Clientless VPN with the Action Client Auth is not supported if the web server object is
in the destination cell. The workaround is to add the gateway to the destination cell.
32) When using SmartDirectory server for internal password authentication, if the account
lockout feature is disabled the Firewall will not attempt to modify the user's login failed
count and last login failed attributes on the SmartDirectory server. This improves overall
performance and eliminates unnecessary SmartDirectory modify errors when using
SmartDirectory servers that do not have these attributes defined because they did not
apply the Check Point SmartDirectory schema extension on the SmartDirectory server.
33) Issues may arise when using automatic or partially automatic client authentication for
HTTP on Load Sharing clusters (both ClusterXL and OPSEC clusters). A workaround
is to define a decision function based only on IP addresses in order for connections to
open. For ClusterXL, go to the ClusterXL tab > Load Sharing > Advanced, and select IPs
only. For OPSEC clusters, refer to the product documentation for more information.
34) Definition of nested RADIUS Server groups is not supported.
Security Servers
35) The HTTP Security Server handles a proxied or a tunneled connection request
differently than earlier Firewall versions. Beginning with FireWall-1 NG FP2, such
requests are not allowed if they are matched with an Accept rule. However, they are still
allowed if the request is matched with an Authentication or a Resource rule. This change
was done in order to harden security and prevent the CONNECT from looping to the
Security Server and then to another destination.
In R54, FTP over HTTP proxy connections were allowed when using User
Authentication even if they were not allowed explicitly by a rule in the Security Policy.
In NGX (R60), in order to further harden security, these connections are not allowed
by default unless there is an explicit rule (using a URI Resource) that allows them. If
you wish to revert to the old behavior refer to SecureKnowledge solution sk14608.
36) When using SMTP resources to filter files by their filename, an incorrect log message is
generated stating: Forbidden MIME attachment stripped.
37) UFP counters available via cpstat fw -f ufp give incorrect values.
38) If web browsers are configured to use an IP address for their proxy (instead of a
hostname), the next proxy definition of the HTTP Security Server must also use the
same IP address. If the next proxy definition is a hostname, connections using an IP
address will not be allowed to the proxy. It is recommended to use only hostnames in the
browser configuration.
39) Outlook Web Access is not supported with User Authentication.
40) When a field in a URI specification file is too long, the Security server exits when
trying to load the file. Under load, the Firewall daemon (FWD) reloads the security
server, which then exits. After a certain time cores are dumped.
41) Client authentication with agent automatic sign on is supported with all rules, with two
exceptions:
The rule must not use an HTTP resource.
Rules where the destination is a web server.
42) When using the HTTP Security Server in proxy mode (HTTP Tunneling), connections
may be encrypted over port 80 (e.g., the first command is in the clear, and subsequent
requests are in SSL). SmartDefense will block these connections and generate the
following log entry: Binary character in request. To enable such connections,
change the global property asm_http_allow_connect to True. Please note that this
change will cause SmartDefense to stop examining these connections when an HTTP
Connect command is detected in the proxied connection.
43) When using SOAP filtering in the HTTP Security Server, the SOAP scheme file
supports all forms of namespaces and methods; however, the feature is not supported if
a method has no namespace at all.
44) Security Servers are not supported with Sequence Verifier in Load Sharing Cluster
environments.
Services
45) No warning is generated when a policy containing services with the Keep connections
open after Policy has been installed checked is installed on NG FP3 modules. Such
services will be enforced according to the default behavior on these modules.46) When CIFS resources are used in rules with policy targets in theirInstall On fields,
policy installation on NG FP3 modules may succeed without warning, although CIFS
resource filtering is not supported on these modules.
47) A service using the FTP_BASIC protocol type cannot be used with the FTP Security
Server.
48) When using T.120 connections, make sure to manually add a rule that allows T.120
connections.
49) When Hide NAT is performed on a VPN-1 gateway, Real Time Streaming Protocol
(RTSP) sessions are dropped. A workaround is available to resolve this issue:
a. Change to the $FWDIR/lib/ directory.
b. Back up the current rtsp.def file.
c. Edit the file rtsp.def.
d. Uncomment the following line:
//#define RTSP_C_TO_S_DATA
so that it reads:
#define RTSP_C_TO_S_DATA
e. Install a Security Policy.
Note that performing this workaround will result in a packet drop of RTSP sessions
initiated within 60 seconds after a previous RealNetworks Data Transport
(RDT/RTSP) session that used the same port number as the subsequent session.
IPv6
50) Discovery traffic is enabled by default on IPv6 enabled modules. To disable it, edit the
file $FWDIR/lib/implied_rules.def and comment out the line #define
ACCEPT_DISCOVERY 1.
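Items 25, 49 and 50 each come down to flipping one #define line in an INSPECT .def file under $FWDIR/lib (enable ALLOW_EXCHANGE_NOTIFY in exchange.def, uncomment RTSP_C_TO_S_DATA in rtsp.def, comment out ACCEPT_DISCOVERY in implied_rules.def) and then installing policy. The following added shell example, which is not Check Point's code, does those edits the same careful way each time: it keeps an untouched copy before the first change, touches only the matching line, and will not match a longer macro name by accident. The .def and macro names are the release notes' own; the helper names (def_backup, def_is_enabled, def_enable, def_disable) and the sample file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the Check Point release notes. Helper names and
# the sample .def contents below are this example's assumptions.

# Keep an untouched copy of FILE as FILE.orig before the first edit.
def_backup() {
    [ -f "$1.orig" ] || cp "$1" "$1.orig"
}

# Exit 0 if FILE contains an active (uncommented) "#define MACRO" line.
# The trailing class stops MACRO from matching a longer name with the same prefix.
def_is_enabled() {
    grep -Eq "^[[:space:]]*#define[[:space:]]+$2([[:space:]]|$)" "$1"
}

# Uncomment "//#define MACRO" if present (item 49); append "#define MACRO"
# if the file has no such line at all (item 25). Other lines are untouched.
def_enable() {
    file="$1"; macro="$2"
    def_backup "$file"
    tmp="$file.tmp.$$"
    awk -v m="$macro" '
        $0 ~ ("^[ \t]*//[ \t]*#define[ \t]+" m "([ \t]|$)") {
            sub(/^[ \t]*\/\/[ \t]*/, "")
        }
        $0 ~ ("^[ \t]*#define[ \t]+" m "([ \t]|$)") { found = 1 }
        { print }
        END { if (!found) print "#define " m }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Comment out an active "#define MACRO ..." line with "//" (item 50).
def_disable() {
    file="$1"; macro="$2"
    def_backup "$file"
    tmp="$file.tmp.$$"
    awk -v m="$macro" '
        $0 ~ ("^[ \t]*#define[ \t]+" m "([ \t]|$)") { $0 = "//" $0 }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo on constructed stand-ins for the real files (sample contents only;
# SAMPLE_OTHER_RULE is a made-up macro that must survive the edit untouched).
SCRATCH=$(mktemp -d)
printf '// sample rtsp.def\n//#define RTSP_C_TO_S_DATA\n' > "$SCRATCH/rtsp.def"
printf '#define ACCEPT_DISCOVERY 1\n#define SAMPLE_OTHER_RULE 1\n' > "$SCRATCH/implied_rules.def"
printf '// sample exchange.def\n' > "$SCRATCH/exchange.def"

def_enable  "$SCRATCH/rtsp.def"          RTSP_C_TO_S_DATA       # item 49
def_disable "$SCRATCH/implied_rules.def" ACCEPT_DISCOVERY       # item 50
def_enable  "$SCRATCH/exchange.def"      ALLOW_EXCHANGE_NOTIFY  # item 25

for f in rtsp.def implied_rules.def exchange.def; do
    echo "== $f"; cat "$SCRATCH/$f"
done
# A policy install is still required for any of these edits to take effect.
```

On a gateway, point the functions at the real $FWDIR/lib files instead of the scratch copies and install policy afterwards; the .orig copy is what you restore from if the change has to be backed out.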
51) When connecting to the IPv4-compatible IPv6 address of VPN-1 Pro (::w.x.y.z, for
example), the following appears on the console: Jan 14 09:37:32 shif [LOG_CRIT]
kernel: fw_filterin: 0 unknown interface. This message can be safely ignored in
such configurations. To prevent the message from appearing, run this command:
modzap _fw_verbose_unknown_if $FWDIR/boot/modules/fwmod.o 0x0 and reboot.
52) Because IPv6 is not supported for Security Servers, enabling Configuration
apply to all connections under SmartDefense's FTP Security Server settings causes FTP (as
well as HTTP and SMTP) connections over IPv6 to be rejected, and no log is generated.
53) The command fw6 unload localhost unloads both IPv6 and IPv4 policies, although it
should unload only the IPv6 policy.
54) In IPv6 logs, IPv6 address resolving is not supported in SmartView Tracker.
55) Anti-spoofing is currently not supported with IPv6.
56) Boot policy is not supported on IPv6 enabled modules.
57) Content of IPv6 in IPv4 tunnels (IPv4 protocol 41) passing through VPN-1 Pro is not
inspected.
58) CPMAD functionality is not supported with the IPv6 protocol.
59) SmartDefense's ping size property is not enforced on ICMPv6 echo request packets.
60) IPv6 packets with extension headers which are not explicitly allowed via editing of the
table.def INSPECT script are dropped without being logged.
61) The Remote Shell (RSH) protocol is not supported for IPv6.
SmartConsole & SmartConsole Applications
62) Firewall implied rules for GUI Clients are not matched when using wildcard (e.g.,
1.1.*.*). As a result, connections from GUI Clients to the SmartCenter Server may be
blocked if there is a VPN-1 Pro module between them. Single IP definitions (e.g.,
1.1.1.1) are supported. When specifying GUI Clients using any formats other than the IP
address, add an explicit rule in the Rule Base allowing the GUI Clients to connect to
the SmartCenter Server.
63) When a client connects with SmartDashboard to SmartCenter and performs a
SmartDefense online update, a second client connecting with SmartDashboard to the
same SmartCenter will see the new protections but not the new HTML descriptions.
The situation is resolved by the second client logging out & logging in again.
A similar behavior may occur regarding the Silent Post-install Update. If new
protections were added in that package, then the second client that logs in will not see
the respective new HTML descriptions. The workaround is the same (client should log
out & log in again).
ISP Redundancy
64) When using the ISP load sharing configuration, outgoing traffic that passes through a
security server is not load-shared, and will pass through a single ISP (the default route).
If this ISP fails, new connections will be opened through the second ISP.
65) ISP redundancy is not supported in a ClusterXL Different subnets configuration. This
means the IP address of the cluster must be on the same subnet as the cluster members'
real IP addresses.
66) In a ClusterXL configuration, the names of the external interfaces of all cluster
members must be identical and must correspond in turn to the names of the external
interfaces of the cluster object. For example, if the cluster object has two external
interfaces called eth0 and eth1 which are connected to ISP-1 and ISP-2, respectively;
each cluster member must have two external interfaces called eth0 and eth1 which
should be connected to ISP-1 and ISP-2 respectively.
67) If the ISP redundancy feature is enabled over a PPPoE or a PPTP interface, the MTU
of any other external Ethernet interface should be lowered to match the MTU of the
PPPoE/PPTP interface. For example, if eth1 is an external Ethernet interface and eth0
is an Ethernet interface over which a PPPoE interface called pppoe0 is defined, the
MTU of eth1 should match the MTU of pppoe0.
On SecurePlatform this can be achieved by logging on to the box and running:
ifconfig ethX mtu newMTU
ifconfig --save
Where ethX is the name of the external Ethernet interface and newMTU is the MTU of
the PPPoE/PPTP interface. This change will be persistent across boots.
Notes:
a. The MTU of the PPPoE/PPTP interface can be obtained on SecurePlatform by
running: ifconfig pppXXX where pppXXX is the name of the PPPoE/PPTP interface.
b. In the aforementioned example, the MTU of eth0 should not be changed.
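The MTU-matching step of item 67 as an added shell example (not Check Point's code): it reads the PPP interface's MTU out of ifconfig output and prints the ifconfig commands for the other external Ethernet interfaces, skipping the Ethernet interface the PPPoE link is defined over, which note b says must not be changed. The parser is fed constructed ifconfig text so it runs offline; the function names and the sample addresses and MTU values are assumptions.

```shell
#!/bin/sh
# Added example, not from the Check Point release notes. Function names and
# the sample ifconfig output below are this example's assumptions.

# Extract the number after "MTU:" from ifconfig-style output read on stdin.
# Prints nothing and returns 1 if no MTU field is present.
mtu_from_ifconfig() {
    awk '
        match($0, /MTU:[0-9]+/) {
            print substr($0, RSTART + 4, RLENGTH - 4); found = 1; exit
        }
        END { exit !found }
    '
}

# Print the SecurePlatform commands that align each listed Ethernet interface
# with the PPP interface's MTU, leaving the carrier interface alone (note b).
# Usage: mtu_align_commands <ppp_if> <ppp_mtu> <carrier_eth> <eth>...
mtu_align_commands() {
    ppp_if="$1"; ppp_mtu="$2"; carrier="$3"; shift 3
    for eth in "$@"; do
        if [ "$eth" = "$carrier" ]; then
            echo "# $eth carries $ppp_if; leave its MTU alone (note b)"
            continue
        fi
        echo "ifconfig $eth mtu $ppp_mtu"
    done
    echo "ifconfig --save"
}

# Constructed sample of "ifconfig pppoe0" output (addresses and MTU made up).
SAMPLE_PPPOE0='pppoe0    Link encap:Point-to-Point Protocol
          inet addr:203.0.113.10  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1'

PPP_MTU=$(printf '%s\n' "$SAMPLE_PPPOE0" | mtu_from_ifconfig)
# pppoe0 rides on eth0; eth0 and eth1 are the external Ethernet interfaces.
mtu_align_commands pppoe0 "$PPP_MTU" eth0 eth0 eth1
```

On a real SecurePlatform box the sample text would be replaced by `ifconfig pppoe0 | mtu_from_ifconfig`, and the printed commands are what you then run; the function refuses to emit a command for the carrier interface so the mistake note b warns about cannot slip through.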
68) ISP redundancy cannot be used in conjunction with SynDefender.
69) ISP redundancy, when working in conjunction with SecureXL, has the following
limitations:
Some connections passing through interfaces configured with ISP redundancy are
not accelerated, while other connections (for example, an internal connection to a
DMZ) are accelerated and are not affected by this limitation.
ISP redundancy over PPTP and PPPoE interfaces is not supported.
Logging
70) FTP data connections may appear in the Active connections view in SmartView Tracker
even after these connections have been terminated.
Policy Installation
71) When installing a policy on a module, the policy installation log may record
anti-spoofing warning messages from modules not included in the installation that do
not have anti-spoofing configured.
72) Policy installation may fail when there are 70 or more dynamic objects.
OSE
73) For Cisco routers, make sure that the host names are resolvable by DNS or by the hosts
file.
SAM
74) A Suspicious Activity Monitor (SAM) rule will fail for a remote Gateway if the
SmartCenter Server is also a VPN-1 Pro enforcement module and no policy has been
installed on it since adding the remote Gateway.
Dynamically Assigned IP Address (DAIP) Modules
75) The fw tab command on a SmartCenter Server is not supported.
Miscellaneous
76) Token ring adapters are not supported.
77) The TCP Sequence Verifier is not supported with clusters using asymmetric routing.
78) The Accept VPN-1 & FireWall-1 control connections Implied Rules setting is applicable to
a SmartCenter server object in specific cases only:
to the primary IP defined for this object and
only if there are interfaces defined in its Topology tab.
This may create connectivity problems when trying to install policies (or other
operations included in the control connections). The workaround is to define explicit
rules that allow connectivity to the SmartCenter object.
79) When executing the following command: fw tab -u -f -t connections, error
messages such as FW-1: fwkbuf_length: invalid id number XXXX and Table kbufs -
Invalid handle 6a6b8803 (bad entry) can be safely ignored.To avoid these messages,
use the command fw tab -u -t connections instead.
VoIP
80) MSN Messenger version 5 is not supported. Additionally, there are a few known issues
regarding MSN Messenger when employing Hide NAT:
When running SIP and the data connection tries to open MSN Messenger
connections on hidden networks, the connection fails.
While audio and video each work separately, they cannot be run concurrently.
81) When using the SIP protocol and a security rule uses the Action reject to block
high_udp_ports (RTP ports - data connection), the incoming audio is rejected as well.
A workaround is to use the Action drop in place of reject.
82) When an H.323 IP phone that is not part of a handover domain tries to establish a call,
the call attempt is blocked and the following message appears on the console: FW-1:
fw_conn_inspect: fwconn_chain_lookup failed. If you want to allow this phone to
make calls, add it to the handover domain, and the error message will no longer appear.
Note that this console message may appear in other (non-VoIP) scenarios as well.
83) In some cases, when a user closes an MSN Messenger application (such as Whiteboard),
the application will not close automatically on the remote end. The remote user will
need to close the application manually.
84) When the SIP-proxy is in the DMZ, whiteboard and application sharing will not open
between external to internal messengers.
SmartCenter
In This Section
Installation, Upgrade, and Backward Compatibility page 28
SmartDirectory page 31
SmartDashboard page 32
Policy Installation page 33
VPN Communities page 33
SmartConsole Applications page 34
High Availability page 35
Logging page 36
Monitoring page 36
Management High Availability page 37
Trust Establishment (SIC) page 37
Platform Specific Windows page 38
Platform Specific Nokia page 38
OPSEC page 38
Miscellaneous page 38
OSE page 39
Dynamically Assigned IP Address (DAIP) Modules page 39
SmartPortal page 39
Installation, Upgrade, and Backward Compatibility
1) If the AMON private schema was previously imported using the amon_import tool, it
needs to be re-imported after the upgrade.
2) When using the Upgrade Export and Import utilities on the Windows platform, the
machine should be connected to the network. Alternatively, a connector can be used to
simulate a connection. Refer to SecureKnowledge, solution sk19840 for more
information regarding how to simulate a network connection during an upgrade.
3) After upgrading SmartCenter, open the SmartUpdate GUI and from the Packages
menu, select Get Data from All to retrieve the installed Packages information from the
remote modules.
9) Check Point 4.1 gateways and embedded devices are no longer supported with this
release. After upgrading the SmartCenter Server to NGX (R60), these objects will
remain, but you will not be able to install policy on them.
10) VPN-1 Net is no longer supported.
11) After upgrading SmartCenter, but before upgrading the gateways, SecurID users may
not be able to connect. A workaround is detailed on SecureKnowledge (sk17820).
This solution should be implemented in the compatibility package directories as well:
For NG gateways (NG FCS - R55):
Unix /opt/CPngcmp-R60/lib/
Windows C:\Program Files\CheckPoint\NGCMP
For R55W gateways:
Unix /opt/CPR55Wcmp/lib
Windows C:\Program Files\CheckPoint\R55WCmp\lib
12) When upgrading a SmartCenter server on Solaris, Linux and SecurePlatform, the
following upgrade options are displayed:
1.( ) Upgrade installed products and install new products.
2.( ) Upgrade installed products.
Be sure to select option 2 only. New products should be installed only after
completing the upgrade of installed products. After completing the upgrade, run the
installation program again to add more products.
13) When upgrading SmartCenter with a duplicate machine on the Windows platform, the
following message may appear after selecting Import configuration file: Failed to
import configuration. Imported configuration file does not contain the
correct data. The problem is resolved by either removing gzip.exe from the
environment path, or removing the file altogether.
14) When upgrading a SmartCenter Server with the Eventia Reporter Add-on from R56 to
NGX (R60), you must upgrade Eventia Reporter Add-on as well.
15) On the SmartCenter Server, if you start the Check Point Products installation from the
NGX CD using the SecurePlatform command patch add, you can decide whether or
not to export the SmartCenter configuration for advanced upgrade. While the
operation should succeed, an error may be displayed on operation completion, stating
that the patch was not applied. This message is accurate, but confusing; indeed the patch
was not applied, instead export operation was performed.
16) A secondary SmartCenter server does not support the wrappers Advanced Upgrade or
the Export/Import tools.
17) After upgrading a Nokia SmartCenter server with the R55W Add-on, backout to
R55W is not supported. It is therefore recommended to back up the SmartCenter
configuration before the upgrade. The configuration is exported via the upgrade tools.
Make sure to save the configuration outside the Check Point directory structure. Then,
if a return to R55W becomes necessary, install a fresh R55W Add-on installation and
import the configuration you saved earlier. For more information regarding the upgrade
tools, please refer to the R55W Upgrade Guide.
18) When running the NGX Pre Upgrade Verifier on an R55 SmartCenter with HFA12
installed, the following message regarding the file auth_HFA.def may appear:
INSPECT manual changes
Description: Some changes in VPN-1 behavior require changes to be made manually in
INSPECT files. Since INSPECT files are overwritten with new versions when upgrading,
these changes may be lost. In some cases the changes should be re-applied on the new
INSPECT files, in other cases there are new GUI options that need to be set instead.
Impacts: If changes were lost after the upgrade, VPN-1 may not work as expected.
Todo: Check if changes are needed in the new version, if so, follow SK
instructions for these changes.
This problem will occur in the following files:
auth_HFA.def
This message can be safely ignored.
19) In this release, SmartCenter does not manage gateways prior to NG FP3. If you have
such gateways, it is recommended that you upgrade them as well.
20) When performing an advanced upgrade using the wrapper, the installation wizard will
prompt you to select one of the following options:
1 Download most updated upgrade utilities [default]
2 I have already downloaded and extracted the upgrade utilities. The
files are on my local disk
3 Use the upgrade utilities from the CD
Option 1 currently is not supported on Unix platforms. When upgrading Unix
platforms, it is recommended to download the updated utilities manually using the link
provided, and only then proceeding to option 2.
SmartDirectory
21) When a SmartDirectory user is based on an internal firewall template, internal groups
that the template belongs to will be added to the SmartDirectory user, but these groups
will not appear in the list of template groups in the user's Groups page.
22) When manually defining branches on an Account Unit, spaces between elements in the
branch definition will not work. Example:
A good branch: ou=Finance,o=ABC,c=us
A bad branch: ou=Finance , o=ABC , c=us
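A check for the branch-syntax problem in item 22, as an added shell example that is not part of the release notes: it flags whitespace next to the "," and "=" separators of an Account Unit branch and prints the cleaned form, while leaving a space that is genuinely part of an attribute value (such as an ou of "Sales Team") alone. The two sample branches are the release notes' own; the third sample and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Check Point release notes. Function names and the
# "Sales Team" sample branch are this example's assumptions.

# Exit 0 if BRANCH has no whitespace adjacent to a "," or "=" separator.
# Whitespace inside an attribute value (not next to a separator) is allowed.
branch_is_clean() {
    ! printf '%s\n' "$1" | grep -Eq '[[:space:]][,=]|[,=][[:space:]]'
}

# Print BRANCH with whitespace around "," and "=" removed.
branch_clean() {
    printf '%s\n' "$1" | sed -E 's/[[:space:]]*([,=])[[:space:]]*/\1/g'
}

# Demo: the two branches from item 22 plus one with a space inside a value.
for b in 'ou=Finance,o=ABC,c=us' 'ou=Finance , o=ABC , c=us' 'ou=Sales Team,o=ABC,c=us'; do
    if branch_is_clean "$b"; then
        echo "ok:  $b"
    else
        echo "fix: $b  ->  $(branch_clean "$b")"
    fi
done
```

Run branch_is_clean over every branch before pasting it into the Account Unit definition; only the second sample is reported, and branch_clean turns it into the form the release notes call good.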
23) When using the Display list of distinguished names (DNs) for matching UIDs on login
feature, if there is no available LDAP server, the authentication will hang. Subsequently,
a policy installation will cause the process that attempted the authentication to consume
all available CPU resources.
24) When using an LDAP server for internal password authentication, if the account
lockout feature is disabled, the firewall will not attempt to modify the user's login
failed count and last login failed attributes on the LDAP server. When using
LDAP servers that do not have these attributes defined (because they did not apply the
Check Point LDAP schema extension on the LDAP server), this improves overall
performance and eliminates unnecessary LDAP modify errors.
25) IfUse SmartDirectory (LDAP) is checked in the Global Properties, but no LDAP account
unit is configured, the authentication of external users (as opposed to LDAP users) that
are not defined in the user's database will not succeed. To resolve this issue, make sure
that you uncheck Use SmartDirectory (LDAP) in the Global Properties.
SmartDashboard
26) In Microsoft Active Directory, when the expiration date is defined in the user's
properties, and the user account has expired, the user is not able to authenticate and the
reason for the authentication failure is not displayed.
27) Firewall implied rules for GUI Clients are not matched when using wildcard (e.g.,
1.1.*.*). As a result, connections from GUI Clients to the SmartCenter Server may be
blocked if there is a VPN-1 Pro module between them. Single IP definitions (e.g.,
1.1.1.1) are supported. When specifying GUI Clients using any formats other than the IP
address, add an explicit rule in the Rule Base allowing the GUI Clients to connect to
the SmartCenter Server.
28) When upgrading from NG FP1 or lower, certain policies may be hidden in
SmartDashboard. Starting from NG FP2, only policies that belong to the current Policy
Package are displayed. To access other policies select File > Open and choose the relevant
Policy Package.
29) When using Active Directory .NET (2003) with NGX (R60), errors are encountered
when changes are made to the account expiration user attribute. Use Active Directory
2000 to avoid these errors.
30) The following web links available from the Help menu in SmartDashboard and
SmartUpdate open a browser window to pages that have not yet been posted on the
Check Point web site.
Online Software Updates
What's New In Check Point Software
Policy Installation
31) Policy installation may fail when there are 70 or more dynamic objects.
32) After aborting an installation, before attempting to install a policy, make sure that there
are no processes running the fwm load command on SmartCenter server, or your
installation may halt.
33) By selecting the Install Policy option Install on all gateways, if it fails do not install on
gateways of the same version, policy is installed on gateways by group. There are four
such groups:
VPN-1 Edge
R55W
NGX
all others (R55 and prior versions)
When this option is selected, if policy fails when installing to a member of one of the
groups, the policy will not be installed to any other gateways in that group. Policy
installation will continue uninterrupted to members of other groups, however.
34) Uninstall of policy on LSM profiles is not supported.
35) It is not recommended to install security policy on more than 100 VPN-1 Edge devices
simultaneously. Use one of the following solutions instead:
Install the policy in groups of 100 VPN-1 Edge devices.
Use SmartLSM, which installs policy on profiles, when managing hundreds of
VPN-1 Edge devices. When using SmartLSM the above limitation is not relevant.
VPN Communities
36) When managing SmartLSM ROBO Gateways, some of which are VPN-1-enabled from
a Standalone machine, the policy fetch operation may not succeed once VPN has been
established between the Standalone and the ROBO Gateway in question. In order to
overcome this issue, you should add the CPD service as an excluded service for each of
the communities which have SmartLSM ROBO profiles. To do this:
1 Open the community object.
2 In the Advanced Setting tab, choose the Excluded Services tab and add the CPD as
an excluded service.
SmartConsole Applications
37) When deleting objects from SmartDashboard, in some cases the Where Used... option
will not report that objects are being used in the database, and it is possible to delete
these objects without any warning. The following are cases in reference:
RADIUS and TACACS servers referenced by Templates in the Authentication tab.
Users and User Groups contained by other User Groups.
For SmartDirectory Account Units referenced by External Groups the Where Used...
option is applicable but the Delete operation cannot be performed. As a
workaround, restart (cpstop, cpstart) the SmartCenter Server. Note that all cases
apply only if the objects were created after the SmartCenter Server was started.
38) The Status Manager GUI fails if the Disconnect Client or the Global System Alert
Definition windows are displayed and the SmartCenter Server goes down. The failure
happens when the Status Manager re-connects to the SmartCenter Server.
39) In order to be able to track Session ID information, an application should be opened
independently, meaning not from another Check Point application.
40) An application error occurs in the Status Manager when stopping the Management
process fwm while the Status Manager is up and running.
41) The Status Manager cannot show more than 16 connected clients to the SmartCenter
Server. If more than 16 clients are connected, it will show that 0 clients are connected.
42) The capability for exporting logs from SmartView Tracker running on Motif is disabled
in this version.
43) The View Rule in SmartDashboard feature in SmartView Tracker for Motif is not
supported.
44) The View rule in SmartDashboard feature in SmartView Tracker does not bring into
focus the SmartDashboard application if it is already opened to the right rule database.
45) If SmartView Monitor is open and a new non-Check Point Node object is created in
SmartDashboard, the new object will appear in SmartView Monitor. Upon closing and
restarting SmartView Monitor, the object will not appear, which is the correct behavior.
46) When choosing to view Installed Policies from SmartDashboard on Motif, a failure may
occur if one of the VPN-1 Pro modules fails to respond.
47) When logs can not be generated from some reason, such as there is no disk space or the
logging process is down, then changes can not be saved from SmartDashboard. If this
occurs, the following error message appears: The changes could not be saved. Please
make sure all Firewall-1 services are up and running. For more information use the
SmartView Monitor application.
48) When running a query on a Security Policy in SmartDashboard, only user defined rules
are displayed in the query result. Implied rules matching the query will not be
displayed, even if the option View Implied Rules is selected.
49) When switching the active file from SmartView Tracker, the new active file name is
automatically designated by the system. The user-defined file name is ignored.
50) Policy installation may fail if a Gateway Cluster object was created in SmartDashboard
using Simple mode (wizard). This problem can be avoided by doing any of the
following:
Create the object in Simple mode. When you arrive at the Finished Cluster's
definition wizard page, check Edit Cluster's Properties and click Finish. The Gateway
Cluster Properties window appears. Edit the object, if needed, and click OK.
Create the object in Simple mode. After creating the object, use the dbedit tool to
change the fwver attribute of the object from 5.0 to 6.0.
Use Classic mode instead of Simple mode.
51) When defining the topology of an object in the following manner: Interface Properties
> Topology > Internal > IP Addresses behind this interface > Specific, the following error
message may appear after selecting a group or network and clicking OK: The selected
object's type is not valid.
To work around this issue, perform the following steps:
1 Create a new Simple Group (From the Topology tab, click New > Group > Simple
Group).
2 Name the group, but do not add any members.
3 Click OK.
4 Edit the new group, and add the original group or network as a member.
Note: Each time the interface's properties are edited, the same error message appears.
To avoid repeating the above process, first define the other properties of the interface,
leaving the topology definition to the end.
High Availability
52) Issuing a Stop Member command in SmartView Monitor performs the cphastop
command on this member. Among other things, this disables the State Synchronization
mechanism. Any connections opened while the member is stopped will not survive a
failover event, even if the member is restarted using cphastart. However, connections
opened after the member is restarted are normally synchronized.
Logging
53) When working with a Log Server of an earlier version than the version of SmartCenter
Server, the log fields of log records from new modules that were added after the
upgrade of SmartCenter Server may not be resolvable.
54) An administrator with Read Only permission for Monitoring can still create, modify,
rename and delete queries in SmartView Tracker.
55) When a Log Server is installed on a DAIP module, management operations such as
purge and log switch cannot be performed.
56) Audit logs operation strings have changed. Several new columns have been added and
other existing column names have been changed. This may cause existing filters to stop working.
57) If you are using the cyclic logging feature, it is recommended after upgrade to back up
your old /log files to another machine, and then to delete them from the Log
Server.
58) When a Log Server runs out of disk space, any logs sent by ELA clients will be lost. To
prevent this, be sure to maintain adequate disk space on the Log Server.
Monitoring
59) Alerts that are defined in the Check Point SmartView Monitor Threshold Definition
window are not sent to SmartView Monitor as popup alerts, until a first policy is
installed. In the SmartDashboard Global Properties > Log and Alert > Alert Commands
page, be sure to check the property Send popup alert to SmartView Monitor.
60) When defining thresholds in SmartView Monitor, if you choose one of the User Defined options as the Alert Method, make sure that this method is defined in
SmartDashboard's Global Properties. If the alert method is not defined, a regular alert is
generated.
61) If SmartView Monitor is open when a new module is created in SmartDashboard, the
module will appear in SmartView Monitor with the status waiting until SmartView
Monitor is restarted. For details, refer to SecureKnowledge solution sk16122.
62) SmartView Monitor should be opened connecting to a SmartCenter Server and not to
a Log Server. When using SmartView Monitor on a Log Server, statuses may be
inaccurate.
63) OS information will not be available in SmartView Monitor if the monitored machine
is a Windows machine that does not run the Windows Management Instrumentation
service.
64) Working with SmartView Monitor on clustered systems may lead to unpredictable
behavior. It is therefore recommended to turn off the Objects status in SmartMap
feature in clustered configurations. This is done from the View menu in
SmartDashboard, by unchecking the option Objects status in SmartMap.
65) In certain scenarios, such as a High Availability SmartCenter Server in a large
environment with many clustered gateways, SmartView Monitor may fail to display the
status of certain gateways.
Management High Availability
66) A SmartCenter server that is also a VPN-1 Pro module must have a policy installed on
it in order for other SmartCenter Servers to be able to communicate with it. This must
be done after initial setup, or after resetting SIC communication on the SmartCenter
Server.
67) Database versions which were created using the Revision Control feature should be
synchronized manually in a Management High Availability environment. To synchronize
them, do the following:
1 Run cpstop on the standby SmartCenter server.
2 Copy all files under $FWDIR/conf/db_versions/repository/* and
$FWDIR/conf/db_versions/database/* from the active management to the
standby SmartCenter server.
3 Run cpstart on the standby SmartCenter server.
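The three steps above as a script run on the standby SmartCenter server, added here as an example and not part of the Check Point release notes. It assumes the active server is reachable over SSH (scp), that $FWDIR is the same path on both servers, and that cpstop and cpstart are on the PATH; the active host name is a placeholder you supply.

```shell
#!/bin/sh
# Added example, not from the Check Point release notes: synchronise the
# Revision Control database versions from the active SmartCenter server to
# this standby, in the cpstop / copy / cpstart order given in item 67.
# Assumptions (not stated on the page): the active server is reachable over
# SSH with scp, $FWDIR is the same path on both servers, and cpstop/cpstart
# are on the PATH. The active host name is a placeholder you must supply.

# The two directories item 67 names, relative to $FWDIR.
DB_VERSION_DIRS="conf/db_versions/repository conf/db_versions/database"

# Print "checksum size ./relative-path" for every regular file below $1,
# sorted by path, so two copies can be compared independent of copy order.
tree_manifest() {
    ( cd "$1" && find . -type f -exec cksum {} \; | sort -k 3 )
}

# Return 0 when both directories exist and hold identical files, else 1.
verify_copy() {
    [ -d "$1" ] && [ -d "$2" ] || return 1
    [ "$(tree_manifest "$1")" = "$(tree_manifest "$2")" ]
}

# Run on the standby: $1 = active SmartCenter host, $2 = local $FWDIR.
sync_db_versions() {
    active="$1"
    fwdir="$2"
    cpstop || return 1
    # Step 3 must happen even if the copy fails, or the standby stays stopped.
    trap 'cpstart' EXIT
    for d in $DB_VERSION_DIRS; do
        mkdir -p "$fwdir/$d" || return 1
        # Step 2: pull the active server's copy of this directory.
        scp -rpq "$active:$fwdir/$d/." "$fwdir/$d/" || return 1
        # Compare the manifest computed on the active side with the local one.
        remote=$(ssh "$active" "cd '$fwdir/$d' && find . -type f -exec cksum {} \\; | sort -k 3")
        [ "$remote" = "$(tree_manifest "$fwdir/$d")" ] || {
            echo "db_versions mismatch in $d" >&2
            return 1
        }
    done
}

# Usage (on the standby): ./sync_db_versions.sh ACTIVE_HOST "$FWDIR"
if [ "$#" -eq 2 ]; then
    sync_db_versions "$1" "$2"
fi
```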
68) If a primary SmartCenter Server is in a Standalone configuration, and a secondary
SmartCenter Server is active, policy installation from the secondary to the primary server will be prohibited immediately after upgrade. In order to resolve this, install the
policy locally on the primary server.
69) When using Management High Availability (between SmartCenter and/or CMA
and/or MDS), change over may not succeed when SmartPortal is connected in
Read/Write mode. To resolve this issue, either allow SmartPortal access only to
Read-only administrators, or use SmartView Monitor to disconnect Read/Write
mode in SmartPortal.
Trust Establishment (SIC)
70) If your SmartCenter Server is deployed in a standalone configuration, you must install
the policy locally (in other words, on the SmartCenter itself), before establishing SIC
with Connectra devices.
Platform Specific Windows
71) Windows 2000 specific issue: A SmartConsole connection to the SmartCenter Server
on Windows 2000 may fail with the message: No license for user interface if the
SmartCenter Server was disconnected from the network and then reconnected while
the VPN-1 Pro services on the machine were running. If this occurs, restart VPN-1 Pro
services (run cpstop and then cpstart).
72) On Windows platforms only, in some cases when performing the Restore Version
operation (from SmartDashboard, File > Database Revision Control > Restore Version)
while SmartView Tracker is open, the restore fails and the database cannot be saved.
The solution is to make sure that SmartView Tracker is closed before performing
Restore Version operations. If you already encountered such a problem, run cpstop and then cpstart.
73) When trying to export a configuration either via the wrapper or via the
upgrade_export command on NG FP1, the export may fail with the following message:
Error: FWDIR environment variable is not set. Please set it and try again. A
workaround is to set the %FWDIR environment variable to the location where
VPN-1/Firewall-1 was installed. (The default is WINDOWSDIR:\WINNT\FW1\NG).
Platform Specific Nokia
74) When upgrading using the Import Configuration option in the wrapper, and the
machine you have exported the configuration from is a Nokia platform, a situation may
occur where Check Point packages that were inactive on the production machine will
either become active on the target machine if its OS is Nokia, or will be installed on
other platforms.
If this should occur, when the target machine is a Nokia platform, return the relevant
packages to the inactive state. For other platforms, uninstall the relevant packages.
OPSEC
75) In CPMI, the command line fw unload does not trigger an
eCPMI_NOTIFY_UNINSTALL_POLICY notification event.
Miscellaneous
76) After upgrading from NG FP2, the name of the Internal Certificate Authority (CA)
that was previously entered is not displayed in the Check Point Configuration Tool
(cpconfig > Certificate Authority tab), although it is still viable. If it is reconfigured, then
it is displayed.
77) Using the cp_merge utility to merge a large number of objects (more than 10,000) from
two SmartCenter Servers may not work. This is because at some point two main audit
logs are generated. If you have a large number of objects, and you wish to perform the
merge even though from some point the audit logs will not be generated, then do as
follows:
1 Define the environment variable FWM_ALLOW_AUDIT_FAILURE from a shell.
2 Use the cp_merge command from the same shell.
OSE
78) The Drop action is not supported for Cisco OSE devices. If the Drop action is used, the
policy installation operation fails.
79) For Cisco routers, make sure that the host names are resolvable by DNS or by the hosts
file.
80) 3Com devices are not supported.
Dynamically Assigned IP Address (DAIP) Modules
81) The fw tab command on a SmartCenter Server is not supported.
SmartPortal
82) Using sysconfig to install and configure SmartPortal on SecurePlatform is not
supported. Use one of the following two workarounds instead:
Use the SecurePlatform Web UI First-Time Configuration wizard
Configure the operating system via sysconfig, and then manually install SmartPortal
by running rpm -i on the SmartPortal RPM file located at
/sysimage/CPwrapper/Linux/CPportal.
83) The SIC activation key is not set in the Solaris SmartPortal installation, as cpconfig
does not run when the install completes. This issue is resolved by manually running
cpconfig. The license setup prompts in cpconfig can be safely ignored.
VPN
In This Section
Upgrade, Backout, and Backward Compatibility page 40
VPN Routing page 40
VPN Tunnel Management page 41
VPN Communities page 41
Multiple Entry Point (MEP) & VPN Load Distribution page 42
VPN-1 Clusters page 42
VPN-1 Hardware/Software Acceleration page 44
IKE, Interoperability page 44
PKI, PKCS page 44
NAT with VPN page 44
VPN-1 Diagnostics (Logging, Monitoring, Planning) page 45
Miscellaneous page 45
Office Mode page 45
L2TP Clients page 45
Nokia Clients Support (CryptoCluster & Symbian) page 46
VPN-1 and SecuRemote/SecureClient Issues page 46
Route Injection Mechanism page 46
Link Selection page 47
Routed VPN page 47
Multicast page 49
LDT (Locally Defined Tunnels) page 49
Upgrade, Backout, and Backward Compatibility
1) VPN-1 Net is no longer supported.
VPN Routing
2) The IP pool NAT on a VPN-1 module which serves as a VPN router (in order to
forward VPN traffic from one VPN tunnel to another) should be defined as part of the
encryption domain of the VPN router. Otherwise, VPN connections via the VPN
router will fail.
3) VPN Routing only connects the VPN domain of a DAIP Gateway that is hosted
behind the DAIP Gateway to the VPN domain of another DAIP Gateway. Connections
that originate on the DAIP Gateway itself or are directed at the DAIP Gateway cannot
be routed through the hub.
4) When using VPN routing to route all communication from the VPN domain of a
Satellite DAIP Gateway via the Hub to other Satellite Gateways or to the Internet, it is
not possible to open connections from the external IP of the Satellite DAIP Gateway to
the Internet.
5) Excluded services in the VPN Community are not supported with Routed VPN.
6) In NGX (R60), a new routing decision is undertaken after packets are encrypted. This
behavior is enabled by default (including after upgrade), and may cause a change in routing behavior. If you experience problems, it is recommended to change the routing
configuration to incorporate the new behavior. However, you can disable the new
routing behavior per gateway by using the GuiDBedit tool to change the attribute
reroute_encrypted_packets on the gateway object to False.
Note: This behavior cannot be disabled on SecureXL.
7) After removing virtual tunnel interface definitions, the anti-spoofing warning messages may appear during all subsequent policy installations.
VPN Tunnel Management
8) The feature Use the community settings (SmartDashboard > gateway object > VPN > VPN
Advanced > VPN Tunnel Sharing) is to be used only when all VPN peers are of version
NGX (R60) or later. Otherwise, use the Custom settings option.
VPN Communities
9) SmartDashboard allows VPN-1 modules with dynamic IP addresses to be added as
members of a VPN community in which aggressive mode for IKE Phase 1 is selected.
This configuration, however, is not supported.
10) If the Exportable for SecuRemote/SecureClient property is checked on a VPN-1 Pro
Enforcement Module (from the VPN tab under Traditional Mode configuration), the
module's topology information will be exported to SecuRemote/SecureClients even if
the Enforcement Module is not a member of the Remote Access community.
11) When managing SmartLSM ROBO Gateways, some of which are VPN-1-enabled from
a Standalone machine, the policy fetch operation may not succeed once VPN has been
established between the Standalone and the ROBO Gateway in question. In order to
overcome this issue, you should add the CPD service as an excluded service for each of
the communities which have SmartLSM ROBO profiles. To do this:
1 Open the community object.
2 In the Advanced Setting tab, choose the Excluded Services tab and add the CPD as
an excluded service.
12) The setting Accept all encrypted traffic in the Site to Site Community Properties window
does not apply to connections which pass through the VPN Tunnel Interface.
Multiple Entry Point (MEP) & VPN Load Distribution
13) When using a traditional policy configuration, the IP pools mechanism is not supported
when configured differently per different rules. This issue is not relevant when using
VPN communities, since, in this case IP pools are configured globally and not per rule.
14) When MEP gateways are configured to have the same encryption domain and you enable
a backup gateway (Global Properties > VPN Advanced), this gateway will not affect the
MEP configuration. This means that the configuration will continue to behave as if it
were a fully overlapping encryption domain MEP configuration.
If backup gateway functionality is required for a group of gateways in the MEP
configuration, the desired behavior (in which the primary gateway will have a higher
priority than the backup) can be achieved by configuring the Primary gateway to
include the desired encryption domain and the backup gateways to include only
themselves as part of their encryption domain.
15) Starting with version NGX (R60), only the site-to-site MEP load distribution
configuration is downloaded to VPN-1 Edge devices.
VPN-1 Clusters
16) When defining Office Mode IP pools, make sure each cluster member has a distinct
pool.
17) When detaching a cluster member from a VPN cluster, manually remove the VPN
domain once the member has been detached.
18) When based on topology information, the VPN domain calculation contains only the
cluster member topology and not the cluster object topology. This may cause issues in
the VPN domain of clusters since the cluster object and members may have different
subnets. In this case, define the VPN domain manually on the cluster object. This issue
does not exist on VSX appliances.
19) Peer or secure remote Gateways may show error messages when working against an
overloaded Gateway cluster in Load Sharing mode. This is due to IPsec packets with an
old replay counter. These error messages can be safely ignored.
20) When based on topology information, the VPN domain calculation contains only the
cluster member topology and not the cluster object topology. This may create a
situation where the VPN domain of a cluster has different subnets between the
members and the cluster object. A workaround is to define the VPN domain manually
on the cluster object. This problem does not exist on VSX appliances.
21) If an SSL Network Extender connection to a Load Sharing gateway times out, the user
may not receive notification, but packets from the user are dropped.
22) During policy installation, the following messages may appear on the console:
[Expert@fault]# gated_xl[1383]: task_set_option: task MRouting socket 17option GroupAdd(10) interface 56.2.2.1(vt-aaa) group 224.0e
gated_xl[1383]: task_change_role reinitializing done
gated_xl[1383]: task_set_option: task MRouting socket 17 option GroupAdd(10)interface 56.2.2.1(vt-aaa) group 224.0.0.2: Address ale
gated_xl[1383]: task_change_role reinitializing done
gated_xl[1383]: task_change_role re-initializing
These messages can be safely ignored.
23) VPN Routing is not supported for SSL Network Extender remote access users connecting through a clustered central gateway in a Load Sharing deployment.
24) When a Check Point VPN-1 NGX peer is connected directly to a Check Point cluster
(i.e., the peer and the cluste