18 August 2011 Release Notes R71.40 Classification: [Public]


© 2011 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11894

For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History

Date            Description
18 August 2011  Removed R70.30 from the upgrade path
03 July 2011    First release of this document

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (subject: Feedback on R71.40 Release Notes).

Contents

Important Information
Introduction
What's New
Included Releases
Platform Provisions and Requirements
    Supported Upgrade Paths
    Supported Security Products by Platform
        Security Software Containers by Platform
        Dedicated Gateways
        Security Gateway Software Blades by Platform
        Security Management Software Blades by Platform
    Clients and Consoles by Windows Platform
    Minimum System Requirements
    Required Disk Space
    Build Numbers
Installing R71.40
    New Installation
    Installing the Client Applications
    Upgrading from R70.40
    Upgrading from R71 or Higher
        Upgrade Packages
        Upgrading with the SecurePlatform Web User Interface
        Upgrading with the Command Line
        Upgrading with the Command Line for IPSO Flash-Based
        Upgrading with SmartUpdate
        Upgrading with the SecurePlatform Embedded Web User Interface
        IPS Pattern Granularity Installation
    Uninstalling
Configuring the R71.40 Features
    Configuring Implied IPS Exceptions
    Configuring Secure Workspace Applications by Vendor
    Configuring Windows Vista or Windows 7 for Mobile Access Portal
    Configuring IPS Pattern Granularity
        Activating New Protections
        Network Exceptions for the New Protections
        Handling Multiple Matches of a Pattern

Introduction

Thank you for updating to Check Point version R71.40. This version contains new features and resolves various issues for Check Point Software Blades. Please read this document carefully before installing.

For more information about R71.40 and to download the software, go to the R71.40 Home Page (http://supportcontent.checkpoint.com/solutions?id=sk63761).

Known Limitations are listed in sk63762 (http://supportcontent.checkpoint.com/solutions?id=sk63762).

Resolved Issues are listed in sk63763 (http://supportcontent.checkpoint.com/solutions?id=sk63763).

What's New

Upgrade from R70.40 directly to R71.40

Security Management

IPS improvements

SmartEvent enhancements

Increase pattern granularity - Header rejection, Http worm catcher and Cifs worm catcher patterns were converted into separate protections, giving more granularity in their settings. This feature is installed during the first IPS update process (online update, offline update or scheduled update).

Implied exceptions - Built-in exceptions to allow Check Point products trusted traffic.

Support for UTM-1 Edge 8.2 gateways

Security Gateway

IPS Geo database - The Geo country-ranges database accuracy has been significantly improved.

Security Gateway 80 Series

Support for VPN Link Selection

Support for local masters file

Improved communication when Security Management server is behind NAT

Support for IGMP Proxy

Windows 7 32-bit and 64-bit Support

Secure Workspace supports Windows 7 32-bit and 64-bit.

Mobile Access clients with Windows 7 64-bit can connect to Connectra and SSL VPN gateways

Support for SSL Network Extender Application mode and Network mode for Windows 7 32-bit and 64-bit.

Enhanced Secure Workspace

Faster and better performance.

Enhanced allowed application configuration by software vendor. You can easily allow all applications from a specific vendor.

VPN Client

This version includes a deployment package of Endpoint Security VPN R75, which replaces SecureClient and Endpoint Connect. For automatic deployment of the new VPN client, select a client upgrade mode in Global Properties > Remote Access > Endpoint Connect.

Included Releases

This release includes all features and fixes that were included in R71.30. See the R71.30 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=11714).

This release includes the Windows 7 64-bit Hotfix for Connectra NGX R66.1 and SSL VPN R71.30.

Platform Provisions and Requirements

In This Section

Supported Upgrade Paths
Supported Security Products by Platform
Clients and Consoles by Windows Platform
Minimum System Requirements
Required Disk Space
Build Numbers

Supported Upgrade Paths

If you are upgrading from a lower version, make sure you can do the necessary intermediate upgrades.

Product: Security Gateway, Security Management Server, Provider-1 MDS

    Version: R70.40, R71, R71.10, R71.20, R71.30
    Upgrade Path: Direct - Install the appropriate package ("Upgrading from R70.40" on page 14) on the existing installation.

    Version: R70.20 and lower, down to NGX R65
    Upgrade Path: First upgrade to R71.10, then install the appropriate package.

    Version: lower than NGX R65
    Upgrade Path: First upgrade to NGX R65, then upgrade to R71.10.

Product: Security Gateway Series 80

    Upgrade Path: Get image: fw1_R71_730156065_HFA40.img

Notes - This release is automatically activated on all Provider-1 Domains.

For advanced upgrade procedures, see the R71.40 Advanced Upgrade and Migration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=12194).

Supported Security Products by Platform

These tables show the security products related to this release and on which platforms they are supported.

Security Software Containers by Platform

Check Point Platforms and Operating Systems
    Columns: SecurePlatform; Security Gateway Series 80; Smart-1; Power-1; UTM-1; IPSO 6.2 Disk-based; IPSO 6.2 Flash-based
    Rows (Software Blade Containers): Security Management (5, 25, 50); Security Gateway; Provider-1 MDS (50, 150)

Other Platforms and Operating Systems
    Columns: Windows Server 2003/2008 (SP1-2) 32bit; Windows 7 Professional, Enterprise, Ultimate 32bit/64bit; Linux RHEL 5.0, RHEL 5.4 kernel 2.6.18 32bit; Crossbeam X-series; Solaris UltraSPARC 8, 9, 10 (see note)
    Rows (Software Blade Containers): Security Management; Security Gateway; Provider-1 MDS

Notes for Security Software Containers - We recommend that you install Provider-1 on Sun M-Series servers. We do not recommend that you install Provider-1 on Sun T-Series servers.

Dedicated Gateways

These dedicated gateways cannot be upgraded to R71.40:

Open Server - IPS-1 Sensor, VSX

Appliances - DLP-1, UTM-1 Edge, IPS-1 Sensor, VSX-1

Security Gateway Software Blades by Platform

Columns (Platform and Operating System):
    Check Point: SecurePlatform; SecurePlatform Embedded; IPSO 6.2 Disk-based; IPSO 6.2 Flash-based
    Windows: Server 2003/2008 (SP1-2) 32bit
    Crossbeam: X-series

Rows (Software Blade): Firewall; IPSec VPN; IPS; SSL VPN; DLP; Anti-Virus & Anti-Malware; URL Filtering; Anti-Spam & Email Security (note 4); Web Security; Advanced Networking; Acceleration & Clustering (notes 1, 5, 2, 3)

Notes -

1. The maximum number of supported cluster members in ClusterXL mode is five; in third-party mode the maximum is eight.

2. Only Clustering is supported in Windows. Acceleration is not supported.

3. Only third-party clustering is supported.

4. Based on IP reputation.

5. Only High Availability is supported.

Security Management Software Blades by Platform

Columns (Platform and Operating System):
    Check Point: SecurePlatform; IPSO 6.2 Disk-based
    Windows: Server 2003/2008 (SP1-2) 32bit; 7 Professional, Enterprise, Ultimate 32bit/64bit
    Linux: RHEL 5.0, RHEL 5.4 kernel 2.6.18 32bit
    Solaris: UltraSPARC 8, 9, 10

Rows (Software Blade): Network Policy Management; Endpoint Policy Management (2003 only); Logging & Status; Monitoring; SmartProvisioning; Management Portal*; User Directory; SmartWorkflow; SmartEvent; SmartReporter

* Management Portal is supported on the following Web browsers: Internet Explorer 6 and 7, and Mozilla Firefox 1.5 - 3.0

Clients and Consoles by Windows Platform

Columns (Windows platform): XP Pro (SP3); XP Home (SP3); Server 2003 (SP1-2) 32bit; Vista (SP1) 32bit; Vista (SP1) 64bit; Server 2008 (SP1-2) 32bit; 7 Professional, Enterprise, Ultimate 32bit; 7 Professional, Enterprise, Ultimate 64bit

Rows (Check Point Product): SmartConsole; Provider-1 MDG; SecureClient; SSL Network Extender; Endpoint Security Client; Endpoint Connect Client; DLP UserCheck(TM)

Minimum System Requirements

The system requirements for R71.40 are the same as those listed in the R71 Release Notes (http://supportcontent.checkpoint.com/documentation_download?id=10330).

Required Disk Space

Note - It is safe to delete the downloaded .tgz file after it is extracted, to have more disk space for installation.

Required Disk Space for Installation on Security Management Server

Operating System: SecurePlatform/Linux
    Packed and Extracted .tgz File: /var - 1 GB
    During Installation*: root - 600 MB, /opt - 350 MB, /var - 200 MB
    Final Used Disk Space: root - 400 MB, /opt - 350 MB, /var - 200 MB

Operating System: IPSO Disk-based
    Packed and Extracted .tgz File: /var - 500 MB
    During Installation*: /opt - 260 MB, /var - 100 MB
    Final Used Disk Space: /opt - 175 MB, /var - 100 MB

Operating System: Windows
    Packed and Extracted .tgz File: 485 MB
    During Installation*: 520 MB
    Final Used Disk Space: 480 MB

Operating System: Solaris
    Packed and Extracted .tgz File: /var - 600 MB
    During Installation*: root - 200 MB, /opt - 350 MB, /var - 200 MB
    Final Used Disk Space: root - 100 MB, /opt - 250 MB, /var - 0 MB

* During installation, the process may use additional disk space that will be released when installation ends.

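Required Disk Space for Installation on Security Gateway

Operating System: SecurePlatform
    Packed and Extracted .tgz File: /var - 1 GB
    During Installation*: root - 500 MB, /opt - 345 MB, /var - 100 MB
    Final Used Disk Space: root - 400 MB, /opt - 340 MB, /var - 0 MB

Operating System: IPSO Disk-based
    Packed and Extracted .tgz File: /var - 500 MB
    During Installation*: /opt - 270 MB, /var - 100 MB
    Final Used Disk Space: /opt - 180 MB, /var - 100 MB

Operating System: IPSO Flash-based
    Packed and Extracted .tgz File: /var - 255 MB
    During Installation*: /preserve - 500 MB, /opt - 20 MB, /var - 125 MB
    Final Used Disk Space: /preserve - 7 MB, /opt - 21 MB, /var - 1 MB

Operating System: Windows
    Packed and Extracted .tgz File: 485 MB
    During Installation*: 285 MB
    Final Used Disk Space: 220 MB

* During installation, the process may use additional disk space that will be released when installation ends.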

Build Numbers

This table contains the R71.40 software products updated in this release and their build numbers. To confirm that the hotfix is installed, run the version command for each product. If the command returns the build number listed, the hotfix is installed.

Software Blade / Product: Security Gateway
    Build No.: 976601084
    Version Command: fw ver -k
        This is Check Point VPN-1(TM) & FireWall-1(R) R71.40 - Build 084
        kernel: R71.40 - Build 084

Software Blade / Product: Security Management
    Build No.: 976601023
    Version Command: fwm ver
        This is Check Point Security Management Server R71.40 - Build 023

Software Blade / Product: SmartConsole Applications
    Build No.: 976601035
    Version Command: Help > About Check Point <Application Name>
        R71.40 (Build 976601035)

Software Blade / Product: Provider-1 Multi-Domain Server (MDS)
    Build No.: 976601027
    Version Command: fwm mds ver
        This is Check Point Provider-1 Server R71.40 - Build 027

Software Blade / Product: Provider-1 Multi-Domain GUI (MDG)
    Build No.: 976601009
    Version Command: Help > About Check Point Provider-1
        R71.40 (Build 976601009)

Software Blade / Product: SecurePlatform
    Build No.: 976601020
    Version Command: splat_ver
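An added example (not from Check Point's documentation): a POSIX shell check that compares version-command output with a build number from the Build Numbers table. It assumes, as the sample output on this page shows, that the banner prints the last three digits of the build number; the function names extract_builds and check_build and the stale-kernel sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that version-command output matches a build number
# from the Build Numbers table. The sample banners are constructed from the
# output format shown in the release notes.

# Print one "<version> <build>" pair per banner found on stdin.
extract_builds() {
    # Join lines first so a banner wrapped across lines is still matched.
    tr '\n' ' ' | awk '{
        rest = $0
        while (match(rest, /R[0-9]+(\.[0-9]+)? +- +Build +[0-9]+/)) {
            pair = substr(rest, RSTART, RLENGTH)
            sub(/ +- +Build +/, " ", pair)
            print pair
            rest = substr(rest, RSTART + RLENGTH)
        }
    }'
}

# check_build EXPECTED_VERSION EXPECTED_BUILD_NO   (version output on stdin)
# Returns 0 only if every banner (user mode and kernel) reports the expected
# version and build, 1 on any mismatch, 2 if no banner was found at all.
check_build() {
    want_ver=$1
    # Assumption from the page's samples: 976601084 is shown as "Build 084".
    want_build=$(printf '%s' "$2" | sed 's/.*\(...\)$/\1/')
    found=$(extract_builds)
    [ -n "$found" ] || { echo "no version banner found"; return 2; }
    status=0
    while read -r ver build; do
        if [ "$ver" != "$want_ver" ] || [ "$build" != "$want_build" ]; then
            echo "MISMATCH: got $ver build $build, want $want_ver build $want_build"
            status=1
        fi
    done <<EOF
$found
EOF
    return $status
}

# Constructed sample: output of "fw ver -k" in the format shown on this page.
GW_SAMPLE='This is Check Point VPN-1(TM) & FireWall-1(R) R71.40 - Build 084
kernel: R71.40 - Build 084'

# Constructed failure case: the kernel banner still reports an older release
# (the "Build 000" value is a placeholder, not a real build number).
GW_STALE_KERNEL='This is Check Point VPN-1(TM) & FireWall-1(R) R71.40 - Build 084
kernel: R71.30 - Build 000'

if printf '%s\n' "$GW_SAMPLE" | check_build R71.40 976601084; then
    echo "Security Gateway: hotfix build confirmed"
fi
printf '%s\n' "$GW_STALE_KERNEL" | check_build R71.40 976601084 ||
    echo "Security Gateway: hotfix NOT fully installed"

# On a live gateway (assumes fw is on the PATH):
#   fw ver -k | check_build R71.40 976601084
```

Checking the kernel line separately matters because fw ver -k prints two banners, and the hotfix is only confirmed when both report the listed build.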

Installing R71.40

In This Section

New Installation
Installing the Client Applications
Upgrading from R70.40
Upgrading from R71 or Higher
Uninstalling

New Installation

You can install R71.40 as a new installation, rather than an upgrade. Install on a server that does not have Check Point products, to make a new management server, gateway or log server.

To install on all platforms:

1. Download the installation file for the platform from the Check Point Support Center.

You can mount the file in the operating system or burn the ISO to a DVD.

Platform                                      DVD Image/File Name
SecurePlatform or Linux (Open Servers only)   Check_Point_R71.40.Splat.iso
IPSO 6.2 Disk-based                           Check_Point_R71.40.IPSO6.tgz
IPSO 6.2 Flash-based                          Check_Point_R71.40_Security_Gateway.IPSO6_2.tgz
Windows                                       Check_Point_R71.40.Windows.iso
Solaris Security Management                   Check_Point_R71.40.Solaris.iso
Provider-1 MDS on SecurePlatform or Linux     Check_Point_R71.40_Provider-1.Splat.iso
Provider-1 MDS on Solaris                     Check_Point_R71.40_Provider-1.Solaris.iso
Power-1 / UTM-1 / UTM 130 appliances          Check_Point_R71_40_Appliance.iso
Smart-1 appliances                            Check_Point_R71_40_Smart-1.iso

2. Continue with the installation according to the R71 Installation and Upgrade Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10327).

To complete installation on IPSO Security Management Server:

On IPSO platforms, after installation and cpconfig, before reboot:

1. Go to the MiniWrapper directory.

2. Run UnixInstallScript.

Installing the Client Applications

The client applications for this release are part of the Check Point SmartConsole.

To manually install the SmartConsole:

1. Download Check_Point_SmartConsole_R71.40_Windows.exe.

2. Double-click the file to install the SmartConsole.

To install the Provider-1 MDG:

1. Download Check_Point_Provider-1_MDG_R71.40_Windows.exe.

2. Double-click the file to install the Provider-1 MDG.

Upgrading from R70.40

To upgrade from R70.40, download the appropriate installation file for your platform from the Check Point Support Center. You can mount the file in your operating system or burn the ISO to a DVD.

The installation files are:

Platform                                                 DVD Image/File Name
SecurePlatform or Linux (Open Servers only)              Check_Point_R71_40_CD1.Splat.iso and Check_Point_R71_40_CD2.Splat.iso
SecurePlatform or Linux (Open Servers and Appliances)*   Check_Point_Upgrade_for_R71.40.splat.tgz
IPSO 6.2 Disk-based                                      Check_Point_R71.40.IPSO6.tgz
IPSO 6.2 Flash-based                                     Check_Point_R71.40_Security_Gateway.IPSO6_2.tgz
Windows                                                  Check_Point_R71_40.Windows.iso
Solaris Security Management                              Check_Point_R71_40.Solaris.iso
Provider-1 MDS on SecurePlatform or Linux                Check_Point_R71.40_Provider-1.Splat.iso
Provider-1 MDS on Solaris                                Check_Point_R71.40_Provider-1.Solaris.iso

* - To upgrade a Smart-1 50/150 with Provider-1, use the CLI to upgrade from the Provider-1 MDS on SecurePlatform or Linux image.

To learn how to upgrade, see the Upgrade sections of the R71 Installation and Upgrade Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10327).

Upgrading from R71 or Higher

This section includes the procedures for installing R71.40 on management servers, gateways and log servers that already have R71 or higher installed.

We recommend that you back up your system before installing this release package. For SecurePlatform, you can use snapshots, which are discussed in the Snapshot Image Management section of the R71 SecurePlatform Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10313).

Upgrade Packages

Before upgrading from R71 or higher, download the upgrade package for your platform from the Check Point Support Center:

Important -

Turn off User Account Control (UAC) before you install on Windows 7.

Reboot after you install on Windows 7.

Platform: SecurePlatform (Open Servers and Appliances)
    Upgrade Package: Check_Point_R71.40.linux.tgz
    Upgrade Procedure: SecurePlatform Web User Interface, Command Line, SmartUpdate

Platform: Linux
    Upgrade Package: Check_Point_R71.40.linux.tgz
    Upgrade Procedure: Command Line

Platform: IPSO 6.2 Disk-based
    Upgrade Package: Check_Point_R71.40.ipso6.tgz
    Upgrade Procedure: Command Line, SmartUpdate

Platform: IPSO 6.2 Flash-based
    Upgrade Package: Check_Point_R71.40.ipso6_Flash.tgz
    Upgrade Procedure: Command Line for IPSO Flash-Based, SmartUpdate

Platform: Windows
    Upgrade Package: Check_Point_R71_40.windows.tgz
    Upgrade Procedure: Command Line, SmartUpdate

Platform: Solaris
    Upgrade Package: Check_Point_R71.40.Solaris.tgz
    Upgrade Procedure: Command Line

Platform: SecurePlatform Embedded (Security Gateway Series 80)
    Upgrade Package: fw1_R71_730156065_HFA40.img
    Upgrade Procedure: SecurePlatform Embedded Web User Interface

Upgrading with the SecurePlatform Web User Interface

You can use the Web User Interface to install R71.40 on SecurePlatform Security Gateways, Security Management open servers, appliances and Provider-1 Multi-Domain Servers.

To install R71.40 using the Web User Interface:

1. Download the upgrade package for your platform ("Upgrade Packages" on page 15).

2. Connect to the SecurePlatform Web User Interface:

Open server: https://<IP>

Appliance: https://<IP>:4434

3. Open the Upgrade page:

Open server: Device > Upgrade

Appliance: Appliance > Upgrade

4. In the Upgrade Steps pane, browse to the downloaded file.

5. Click the Upload package button.

6. In the Safe Upgrade step, make sure the Save a snapshot of the current system check box is selected.

Important - Make sure all GUI applications are closed and take a snapshot of the machine before you upgrade.

7. Click Start Upgrade.

At the end of the installation, the device automatically reboots.

8. Re-login to the machine.

Important - After upgrading, move the snapshot file from the Desktop to a pathname without spaces. This must be done before attempting to restore the machine.

Upgrading with the Command Line

You can use these instructions to install R71.40 using the CLI on open servers and IP series appliances, except for IPSO Flash-based appliances. To install on IPSO flash-based appliances, you must use the CLI instructions for IPSO flash-based appliances.

To install on Check Point appliances with SecurePlatform, use the Web User Interface or SmartUpdate.

To install on IPSO platforms, use the command line. Network Voyager is not supported.

You can safely delete the .tgz file after you extract the package (step 6).

To install R71.40 using the CLI:

1. Log onto the target machine.

2. If you are installing on SecurePlatform:

a) Run idle 120 to make sure that the installation is not interrupted by the automatic logon timeout.

b) Run expert to enter expert mode.

3. Verify that the target computer contains sufficient free disk space.

4. Create a temporary directory in the /var partition on non-Windows platforms, or in the c:\ partition on Windows platforms.

5. Copy the upgrade package for your platform to the temporary directory using SFTP, SCP, or another secure utility.

6. Go to the temporary directory and extract the .tgz package.

On non-Windows platforms, run: gtar -zxvf <file name>

On Windows platforms, use an archive utility such as WinZip.

7. Start the installation routine:

Important - Before installing on Provider-1, run mdsenv and then mdsstop. If this is not done, the system will experience functionality issues. We recommend that you back up the system by running the mds_backup command before installation.

On non-Windows platforms, run: ./UnixInstallScript

You must run this command from the /var partition.

On Windows platforms, run: Setup.exe

8. Follow the instructions on the screen to install the applicable components. Only those components required for a specific target (management or gateway) are installed automatically.

When the installation finishes, each successfully installed component appears in a list followed by the word 'Succeeded'.

9. When prompted, reboot the computer.

10. Repeat the above steps for all management servers, log servers and gateways as required by your deployment.

11. After you complete the installation on all computers, install the security policy on gateways and servers as appropriate.
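Step 3 of the procedure above as an added example (not part of the Check Point procedure): a POSIX shell pre-flight check that reads df -Pk output and compares it with the SecurePlatform Security Gateway figures from Required Disk Space. Assumptions: 1 GB is taken as 1024 MB, the packed/extracted and during-installation figures are treated as additive, and requirements that resolve to the same filesystem are summed; the function name check_space and the sample df output are constructed.

```shell
#!/bin/sh
# Added example: free-space pre-flight check before running UnixInstallScript.

# check_space "DF_OUTPUT" PATH=MB [PATH=MB ...]
# DF_OUTPUT is the text printed by `df -Pk`. Each PATH is charged to the
# filesystem that actually holds it (longest matching mount point), so when
# /opt is not a separate partition its requirement is added to that of "/".
# Returns 0 if every filesystem has enough free space, 1 otherwise.
check_space() {
    df_out=$1; shift
    printf '%s\n' "$df_out" | awk -v reqs="$*" '
        NR > 1 && NF >= 6 { avail[$6] = int($4 / 1024) }   # MB free per mount
        END {
            bad = 0
            n = split(reqs, r, " ")
            for (i = 1; i <= n; i++) {
                split(r[i], kv, "=")
                path = kv[1]; best = ""
                for (mp in avail)
                    if ((mp == path || mp == "/" || index(path, mp "/") == 1) &&
                        length(mp) > length(best))
                        best = mp
                if (best == "") {
                    print "FAIL " path ": no filesystem found"; bad = 1; continue
                }
                need[best] += kv[2]
            }
            for (mp in need) {
                ok = (avail[mp] >= need[mp])
                printf "%s %s: %d MB free, %d MB required\n",
                       (ok ? "ok  " : "FAIL"), mp, avail[mp], need[mp]
                if (!ok) bad = 1
            }
            exit bad
        }'
}

# SecurePlatform Security Gateway figures from the Required Disk Space table:
# /var 1 GB for the packed and extracted .tgz, then root 500 MB, /opt 345 MB
# and /var 100 MB during installation (added together here as an assumption).
REQ_SPLAT_GW="/var=1024 /var=100 /=500 /opt=345"

# Constructed sample: /, /var and /opt on separate partitions, all large enough.
DF_SEPARATE='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda1 2097152 897152 1200000 43% /
/dev/sda3 4194304 1194304 3000000 29% /var
/dev/sda2 2097152 1097152 1000000 53% /opt'

# Constructed sample: /opt lives on the root filesystem, which has 700 MB free.
# 700 MB covers root (500) or /opt (345) alone, but not both together (845).
DF_SHARED_ROOT='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda1 4194304 3477504 716800 83% /
/dev/sda3 4194304 1194304 3000000 29% /var'

if check_space "$DF_SEPARATE" $REQ_SPLAT_GW; then
    echo "separate partitions: enough space to install"
fi
check_space "$DF_SHARED_ROOT" $REQ_SPLAT_GW ||
    echo "shared root: free disk space before running ./UnixInstallScript"

# On the target machine (assumes df supports -P):
#   check_space "$(df -Pk)" $REQ_SPLAT_GW
```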


Upgrading with the Command Line for IPSO Flash-Based

Notes

IPSO Flash-based platforms are supported for use as Security Gateways only.

Installation using Network Voyager is not supported and may result in system instability. You must install this version using the CLI only.

Only use this upgrade procedure for appliances with 4GB Flash (IP69x, IP128x and IP245x). For appliances with 1GB and 2GB Flash (IP29x, IP39x and IP56x), you must do a clean install.

Before installing on an IPSO Flash-based Appliance:

1. Delete any Check Point packages that are earlier than R71.10, and then delete any previous tgz files. You can do this using Network Voyager or using the command shell:

Using Network Voyager:

a) Choose Configuration > System Configuration > Packages > Delete Packages.

b) Select a previous installation package to delete, and click Apply.

c) Delete any tgz files.

d) Click Apply.

Using the command shell, run the following commands:

newpkg -q

newpkg -u <previous package name>

rm /opt/packages/<previous tgz name>

newpkg -q prints a list of the installed packages.

2. If there is an IPSO image on the machine that is not in use, delete it using Network Voyager:

a) Choose Configuration > System Configuration > images > Manage Images.

b) Click Delete IPSO Images.

c) Select the IPSO image to delete, and click Apply.

3. Verify that there is enough free disk space for the installation of the packages. ("Required Disk Space" on page 11)

To install and activate this version on an IPSO Flash-based Appliance:

1. Using the command shell, copy the upgrade package for IPSO Flash-based appliances ("Upgrade Packages" on page 15) to /var/tmp on the IP Appliance through ftp.

Note - The installation package must be located in the /var/tmp directory.

2. Navigate to the /var/tmp directory.

3. Extract the tgz package by running:

tar -zxvf <file name>

4. Delete the tgz package by running:

rm -rf <file name>

5. Run ./UnixInstallScript

6. Follow the instructions on the screen to install the appropriate components. When prompted, stop all Check Point processes.

Only those components required for a specific target (management or gateway) are installed automatically. When the installation finishes, each successfully installed component appears in a list followed by the word 'Succeeded'.

7. When prompted, reboot the computer by pressing y.

Upgrading with SmartUpdate

You can use SmartUpdate to remotely install this version on Security Gateways installed on all supported platforms.

To install with SmartUpdate:

1. Install the upgrade package for your platform ("Upgrade Packages" on page 15) on the Security Management Server using the Command Line ("Upgrading with the Command Line" on page 17).

2. Open SmartUpdate and close SmartDashboard.

3. Click Packages > Get Data from All.

When the Operation Status of the known gateways is Done, the installed packages and their versions are listed.

4. Open the Package Repository: Packages > View Repository.

5. Add the installation package file (*.tgz) for each required gateway platform to the Package Repository (Packages > Add; or drag-and-drop).

Wait until the Operation Status of adding the package is Done. The packages appear in the Package Repository. This can take a few minutes.

6. Right-click the package and choose Distribute.

7. From the Distribute Package window, select the devices on which you want to install this version.

8. Click Distribute.

The installation package is distributed to and installed on the selected Security Gateways. The Security Gateways are rebooted automatically, except for those that are installed on Windows. You must manually reboot Security Gateways installed on Windows.

Note - On a Windows platform, if the gateway does not accept traffic after installing this version, re-install the policy.

Upgrading with the SecurePlatform Embedded Web User Interface

You can install R71.40 on Security Gateway Series 80 appliances using the SecurePlatform Embedded Web User Interface.

To install R71.40 using the SecurePlatform Embedded Web User Interface:

1. Download the upgrade package for your platform ("Upgrade Packages" on page 15).

2. Connect to the SecurePlatform Embedded Web User Interface at: https://<appliance_ip>:4344

3. Log in and open Appliance > System Operations > Upgrade.

4. Browse to the downloaded image and click Upload.

5. Save a local image with the Image Backup option.

6. Click Next to start the upgrade.

At the end of the installation, the device automatically reboots.

7. Re-login to the machine.

8. Go to Overview > System Information > Version to verify that you installed the correct build: R71 HFA30 (730156065)

IPS Pattern Granularity Installation

The IPS pattern granularity (converting patterns into protections) will be installed during the first IPS update procedure (online update, offline update, or scheduled update). Therefore, the first update after installation of the HFA might take a few minutes longer than usual.


Uninstalling

Notes -

Uninstallation from IPSO flash-based appliances is not supported.

Uninstallation of IPS pattern granularity is not supported. After uninstall of R71.40, the patterns remain converted to protections.

To uninstall R71.40 in Security Management Server deployments:

1. Disable the IPS Event Analysis and/or SmartWorkflow Software Blades. If you already disabled them before upgrading to R71.40, you do not need to disable the Software Blades.

To do this, disable the Software Blades in the Security Management server's object.

2. On each management server and dedicated log server:

All non-Windows platforms:

Run: /opt/CPUninstall/R71.40/UnixUninstallScript

Windows platforms:

(i) Go to: C:\Program files\CheckPoint\CPUninstall\R71.40

(ii) Run: Uninstall.bat

To uninstall R71.40 in Provider-1 deployments:

1. Disable R71.40 on each CMA as follows:

a) Login to the Provider-1 MDG.

b) In Versions & Blades Updates, right click and select Deactivate.

2. Run this command on each Multi-Domain Server, Domain Log Server and Multi-Domain Log Server:

/opt/CPUninstall/R71.40/UnixUninstallScript

3. Activate Software Blades that were active before the upgrade to R71.40.

Note - After uninstalling this release from a SecurePlatform machine, the command line login prompt and the Web interface Welcome screen will still display Check Point SecurePlatform R71.40 as the installed version. This is because packages related to the SecurePlatform operating system are not uninstalled during the uninstallation process. Use the fw ver command to see the current version of your software.

To uninstall with SmartUpdate:

You can use SmartUpdate to remotely uninstall on gateways of all platforms, except IPSO.

1. Make sure SmartDashboard is closed.

2. Open SmartUpdate.

3. From the Packages menu choose Get Data From All.

4. Right-click each package with Minor_Version value of R71.40 and select Uninstall, in this order:

Security Gateway

SSL VPN (for SecurePlatform gateways, if installed)

all other Minor_Version products

Note - All packages must be uninstalled except for the SecurePlatform package that cannot be uninstalled from SecurePlatform gateways.

5. On Windows platforms, reboot manually.


Configuring the R71.40 Features

In This Section

Configuring Implied IPS Exceptions

Configuring Secure Workspace Applications by Vendor

Configuring Windows Vista or Windows 7 for Mobile Access Portal

Configuring IPS Pattern Granularity

Configuring Implied IPS Exceptions

Check Point components can use non-standard HTTP and SSL ports to communicate. Implied exceptions exclude this traffic from IPS inspection.

Note - To use implied exceptions in Provider-1 you must activate the R71.40 plug-in for the customer.

To view the implied exceptions:

In the View menu, select IPS Implied Exceptions.

You can see the implied exceptions in the Network Exceptions page of the IPS tab.

We do not recommend that you disable the implied exceptions. But, you can disable them from the IPS page of the Global Properties (Policy > Global Properties > IPS). To disable the implied exceptions, clear the Enable implied exceptions in my environment option.

Note - If you disable the implied exceptions and you do not add exceptions for the non-standard HTTP and SSL traffic manually, it is possible that some Check Point products will not work.

Configuring Secure Workspace Applications by Vendor

You can configure which applications users can access from Secure Workspace. If a vendor is trusted then all applications from this vendor are trusted.

By default, users can access applications from these vendors. You cannot add a vendor to the list.

Vendor ID   Vendor Name           Description
1           Adobe                 Signed by Adobe
2           Apple                 Signed by Apple
3           Check Point           Signed by Check Point
4           Computer Associates   Signed by Computer Associates
5           Google                Signed by Google
6           IBM                   Signed by IBM
7           Intel                 Signed by Intel
8           Microsoft             Signed by Microsoft
9           Mozilla               Signed by Mozilla
10          Oracle                Signed by Oracle
11          Sun                   Signed by Sun
12          Rare Ideas            Signed by Rare Ideas

To change user access to vendor applications:

1. Use the instructions in sk34939 (http://supportcontent.checkpoint.com/solutions?id=sk34939) to:

Configure Secure Workspace to operate in local mode.

Open the local Secure Workspace policy file on the gateway.

2. Find the vendor that you want to change in the local Secure Workspace policy file:

3. Edit the file:

a) To block user access, add this attribute to the vendor tag: Config="_disabled".

For example: To block IBM applications, change the IBM line from:

<ExecuteVendor id="6" VendorName="IBM" UIDescription="Signed by IBM"/>

to:

<ExecuteVendor id="6" VendorName="IBM" UIDescription="Signed by IBM" Config="_disabled"/>

b) To allow user access to IBM applications, remove the Config attribute:

For example: Change the line back to:

<ExecuteVendor id="6" VendorName="IBM" UIDescription="Signed by IBM"/>
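The vendor edit described above can be scripted and audited so that a change touches only the intended tag. This is an added example, not Check Point code: the function names and the `<Policy>` wrapper in the sample are assumptions, and only the `ExecuteVendor` tag form and the `Config="_disabled"` attribute come from the text above.

```python
import re

# Constructed sample: only the ExecuteVendor lines follow the form shown in the
# release notes; the surrounding <Policy> wrapper is an assumption.
SAMPLE_POLICY = '''<Policy>
  <ExecuteVendor id="5" VendorName="Google" UIDescription="Signed by Google"/>
  <ExecuteVendor id="6" VendorName="IBM" UIDescription="Signed by IBM"/>
  <ExecuteVendor id="7" VendorName="Intel" UIDescription="Signed by Intel" Config="_disabled"/>
</Policy>
'''

VENDOR_TAG = re.compile(r'<ExecuteVendor\b[^>]*?/>', re.DOTALL)
ATTR = re.compile(r'(\w+)="([^"]*)"')
CONFIG_ATTR = re.compile(r'\s+Config="[^"]*"')


def vendor_status(policy_text):
    """Return {vendor_id: (name, 'blocked' | 'allowed')} for every vendor tag."""
    status = {}
    for tag in VENDOR_TAG.findall(policy_text):
        attrs = dict(ATTR.findall(tag))
        blocked = attrs.get("Config") == "_disabled"
        status[int(attrs["id"])] = (attrs["VendorName"], "blocked" if blocked else "allowed")
    return status


def set_vendor_access(policy_text, vendor_id, allow):
    """Add or remove Config="_disabled" on one vendor tag; all other text is unchanged."""
    found = False

    def rewrite(match):
        nonlocal found
        tag = match.group(0)
        if dict(ATTR.findall(tag)).get("id") != str(vendor_id):
            return tag
        found = True
        tag = CONFIG_ATTR.sub("", tag)  # remove any existing Config attribute
        if not allow:
            tag = tag[:-2].rstrip() + ' Config="_disabled"/>'
        return tag

    updated = VENDOR_TAG.sub(rewrite, policy_text)
    if not found:
        raise KeyError(f"no ExecuteVendor tag with id={vendor_id}")
    return updated
```

Run `vendor_status` on the file before and after an edit and compare the two results to confirm that only the intended vendor changed state.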

Configuring Windows Vista or Windows 7 for Mobile Access Portal

If users use Internet Explorer to open the SSL VPN portal on Windows Vista or Windows 7, they must disable Internet Explorer Protected Mode. If Protected Mode is not disabled, SSL VPN might run, but users can get unexpected errors.

On Windows 7, Protected Mode is enabled by default. You can see that it is enabled:

In the Internet Options > Security tab. See that Enable Protected Mode is selected.

In the bottom right of the Internet Explorer browser window, it says Protected Mode On.

If Endpoint Security on Demand is configured on the gateway, the scan detects that Protected Mode is on, and instructions to disable Protected Mode open.

If Endpoint Security on Demand is not configured on the gateway, users are not alerted that they must disable Protected Mode. However, they must do the same steps to disable Protected Mode so that they can access the SSL VPN portal without problems.

Here are the instructions for users to disable Protected Mode. All users must do these steps even if they do not get the instructions automatically.

A notification appears: You must disable Protected Mode to allow Check Point Endpoint Security On Demand to run in order to access this Web site.

To disable Protected Mode:

1. In Internet Explorer, click Tools > Internet Options.

2. In the Internet Options window, open the Security tab.

3. Select Trusted Sites and make sure that Enable Protected Mode is not selected.

4. Click Sites.

5. In the Trusted Sites window, in the Add this website to the zone box, enter the portal web address and click Add.

6. Click Close.

7. Click OK.

8. Close all Internet Explorer windows.

The next time you open Internet Explorer, Protected Mode is off.

Configuring IPS Pattern Granularity

After upgrade to this version, after the first update of IPS protections, all patterns of Header rejection, Http worm catcher, and Cifs worm catcher protections are converted into new protections (dated to January 1, 2007). The three protections and the patterns under them are kept for NGX R65 and user-defined pattern support.

Activating New Protections

The activation mode of the new protections is set according to the IPS policy of the associated profile (the Severity and Confidence levels). You can change the settings as for other IPS protections. For example, you can change the action from Detect to Prevent.

Only the settings of patterns that were manually modified before upgrade are assigned to their converted protections. Those protections are marked as Override and do not get updates.

You cannot change the signature of the new protections. After upgrade, the previous patterns under the three protections are enforced only on NGX R65 gateways. The user-defined patterns are enforced on all gateways, including R7x and above, because they are not converted to protections.

Network Exceptions for the New Protections

If you added Network Exceptions to the Header rejection, Http worm catcher, or Cifs worm catcher protections before upgrade to R71.40, then after the upgrade, they are valid only for user-defined patterns. To apply the Network Exceptions to a pattern, add them to the new protection converted from the relevant pattern.

Handling Multiple Matches of a Pattern

If you changed the value of a pattern before upgrade, the pattern shows under the previous pattern list (Header rejection, Http worm catcher, Cifs worm catcher), as user-defined patterns. The pattern is also included as a new protection, marked for Follow Up. Sometimes, this causes multiple matches. To avoid this, turn off the modified patterns, or turn off the new protections.