
Copyright © 2006 Check Point Software Technologies, Ltd. All rights reserved

NGX R62

Known Limitations Supplement
February 7, 2007

Information About This Document This document contains known limitations from versions prior to NGX R62 that are relevant for this release. Before setting up NGX R62, review this information in conjunction with the latest NGX R62 Release Notes, available at http://www.checkpoint.com/support/technical/documents/index.html.

Previously Published Clarifications and Limitations

In This Section

SmartCenter Server
Provider-1/SiteManager-1
Integrity
Eventia Reporter
VPN
Firewall
VSX
SmartUpdate
SmartPortal
SecureXL
ClusterXL
QoS

SmartCenter Server

NGX R62 Known Limitations Supplement, Last Update: February 7, 2007

In This Section

Upgrade, Backout and Backward Compatibility
Policy Installation
SmartConsole Applications
Logging
Management High Availability
SmartDirectory
User Management
SmartPortal
Trust Establishment
OSE
Platform Specific - Nokia
Platform Specific - Windows

Upgrade, Backout and Backward Compatibility

1. When using the Upgrade Export and Import utilities on the Windows platform, the machine should be connected to the network. Alternatively, a connector can be used to simulate a connection. Refer to SecureKnowledge solution sk19840 for more information regarding how to simulate a network connection during an upgrade.

2. When upgrading with a duplicate machine whose IP address differs from the original IP address of the SmartCenter server, if Central licenses are used, they should be updated to the new IP address. This can be done via the User Center at http://usercenter.checkpoint.com, by choosing the action License > Move IP > Activate Support and Subscription.

3. When using the Upgrade Export and Import utilities, if a specific product fails to install, the entire operation fails, with the exception of these products:

• SmartView Reporter

• SmartView Monitor

• SecureXL

• UserAuthority Server

Failure to import and/or export these products will not cause the entire import/export operation to fail. Use the log file of the import/export operation to understand what caused the problem and fix it. The log file is located at:

Windows: C:\program files\checkpoint\CPInstLog

Unix: /opt/CPInstLog

4. When upgrading a Log Server, always choose to upgrade and ignore the other options (to export the configuration or to perform pre-upgrade verifications). These options are irrelevant for Log Server upgrades. Also, the backwards compatibility (BC) package is installed on every Log Server. It can be safely removed, as it is not in use on a Log Server.

5. If, when using the Check Point Installation Wrapper, the download of updates fails during an upgrade (for example, because the machine is not connected to the Internet), then the upgrade will continue using the tools that exist on the CD. To use the most recent version:

a. Download the updates from: https://support.checkpoint.com/downloads/bin/autoupdate/ut/r61/index.htm.

b. Save the update on the local disk of your SmartCenter server.

c. Restart the installation wrapper and choose the second option on the download page: I already downloaded and extracted the Upgrade Utilities.

6. Check Point 4.1 gateways and embedded devices are no longer supported with this release. After upgrading the SmartCenter server to NGX, these objects will remain, but you will not be able to install policy on them.

7. VPN-1 Net is no longer supported.

8. After upgrading SmartCenter, but before upgrading the gateways, SecurID users may not be able to connect. A workaround is detailed in SecureKnowledge solution sk17820. The solution documented there should be implemented in the compatibility package directories as well:

For NG gateways (NG through R55)

- Unix /opt/CPngcmp-DAL/lib/

- Windows C:\Program Files\CheckPoint\NGCMP

For R55W gateways

- Unix /opt/CPR55Wcmp/lib

- Windows C:\Program Files\CheckPoint\R55WCmp\lib

9. When upgrading SmartCenter with a duplicate machine on the Windows platform, the following message may appear after selecting Import configuration file:

Failed to import configuration. Imported configuration file does not contain the correct data.

To resolve the issue, do one of the following:


• Remove the file gzip.exe from the environment path.

• Remove gzip.exe altogether.

10. Advanced Upgrade from the wrapper, or use of the Export/Import tools, is not supported on a secondary SmartCenter server.

11. In this release, SmartCenter does not manage gateways prior to NG FP3. If you have such gateways, it is recommended that you upgrade them as well.

12. After a SmartCenter server has been upgraded or copied via the Advanced Upgrade feature, previously defined VPN-1 Edge devices will not be able to connect to the SmartCenter server, and the Connection Wizard will generate "object non-registered" messages. To resolve this issue, use SmartUpdate to re-install a specific firmware package.

Policy Installation

13. After aborting an installation and before attempting to install policy, make sure that there are no processes running the fwm load command on the SmartCenter server.

14. When the Install Policy option Install on all selected gateways, if it fails do not install on gateways of the same version is selected, policy is installed on gateways by group. There are four such groups:

• VPN-1 UTM Edge

• R55W

• NGX

• all others (R55 and prior versions)

When this option is selected, if policy fails when installing to a member of one of the groups, the policy will not be installed to any other gateways in that group. Policy installation will continue uninterrupted to members of other groups, however.

15. Uninstall policy on LSM profiles is not supported.

16. Policy installation is divided into several stages: Verification, compilation, file transfer, etc. Each stage has a default time-out of 300 seconds. Should you encounter time-out problems while installing a policy, you can change the value of the timeout in the following way:

a. Run cpstop on the SmartCenter server.

b. Run DBedit and change the install_policy_timeout attribute that is located under firewall_properties in the global properties. A valid value is 0-10000.

c. Close DBEdit and run cpstart.
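As an added example (not from the Check Point document), the following POSIX shell script wraps the three steps above so the value is checked against the documented 0-10000 range before any service is stopped, and so cpstart always runs again even if dbedit fails. The dbedit command syntax used here (modify/update on the "properties" table, object "firewall_properties") and the "dbedit -local -f <file>" invocation are written from the editor's memory of dbedit usage and are assumptions to confirm against the dbedit help on your own build; the DRY_RUN switch is this example's own addition.

```shell
#!/bin/sh
# Added example, not part of the Check Point document.
# Sets the global property install_policy_timeout (item 16 above) via dbedit,
# validating the value first so a typo cannot leave SmartCenter stopped with
# an unchanged database.

# timeout_valid <value>: 0 when the value is an integer in the documented range 0-10000.
timeout_valid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;      # empty, negative or non-numeric
    esac
    [ "$1" -ge 0 ] && [ "$1" -le 10000 ]
}

# dbedit_script <value>: prints the dbedit command list, or returns 1 on a bad value.
# Table "properties", object "firewall_properties" hold the Global Properties
# (assumption: syntax as the editor recalls it from dbedit usage).
dbedit_script() {
    timeout_valid "$1" || return 1
    printf 'modify properties firewall_properties install_policy_timeout %s\n' "$1"
    printf 'update properties firewall_properties\n'
    printf 'quit\n'
}

# apply_install_policy_timeout <value>: cpstop, dbedit -local -f <script>, cpstart.
# With DRY_RUN=1 it only prints what it would run (this example's own switch).
apply_install_policy_timeout() {
    _value=$1
    _script=$(mktemp) || return 1
    if ! dbedit_script "$_value" > "$_script"; then
        echo "install_policy_timeout must be an integer in 0-10000, got '$_value'" >&2
        rm -f "$_script"
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: cpstop; dbedit -local -f $_script; cpstart"
        cat "$_script"
        rm -f "$_script"
        return 0
    fi
    cpstop || { rm -f "$_script"; return 1; }
    dbedit -local -f "$_script"
    _rc=$?                        # remember dbedit's result...
    cpstart                       # ...but always bring the services back up
    rm -f "$_script"
    return $_rc
}

# Example invocation: raise every policy-installation stage timeout to 600 seconds.
# DRY_RUN=1 apply_install_policy_timeout 600
```

Run it first with DRY_RUN=1 to see the command file; the value is validated in a plain shell function so the same check can be reused by whatever change-control script calls it.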


17. Policy may not install successfully on an InterSpect device, even if SIC is established. To resolve this issue, make sure that the SmartCenter server's IP address(es) are configured in InterSpect's GUI Clients.

SmartConsole Applications

18. When running a query on a Security Policy in SmartDashboard, only user-defined rules are displayed in the query result. Implied rules matching the query are not displayed, even if the option View Implied Rules is selected.

19. When switching the active file from SmartView Tracker, the new active file is automatically named by the system. It does not receive the user-defined file name.

20. VPN-1 Edge objects cannot be defined from the Manage menu in SmartDashboard. To define VPN-1 Edge objects, from the Objects Tree, right-click Check Point > New.

21. A Connectra object cannot be dragged & dropped into the Address Translation Rule Base. To add a Connectra object to a rule, right click on the relevant cell, select Add, and select the relevant Connectra object.

22. To perform SmartDefense Online Update in Demo Mode, use Demo Mode Advanced. Other Demo Modes do not support this feature.

23. InterSpect objects cannot be added to NAT rules.

24. After deploying Anti Virus signatures, the Express CI Deployment Status is not updated by clicking Refresh on the SmartDefense Services tab. This issue is resolved by closing and restarting SmartDashboard.

Logging

25. When a Log Server is installed on a DAIP module, management operations such as "purge" and "log switch" cannot be performed.

26. If using the cyclic logging feature, after upgrade it is recommended to back up the previous <FWDIR>/log files to another machine, and then to delete them.

27. When a Log Server runs out of disk space, any logs sent by ELA clients will be lost. To prevent this, be sure to maintain adequate disk space on the Log Server.

28. After upgrading a gateway, SmartView Tracker may report 0 active connections. To resolve this issue, reinstall policy on the gateway.

29. When a filter is applied in the Traffic or Audit log pages, logs may not display in sequential order, and using the scroll bar arrow to navigate through the logs does not appear to work. To scroll, click and drag the scroll bar or use the buttons Bottom and Top.


Management High Availability

30. If a primary SmartCenter server is in a Standalone configuration, and a secondary SmartCenter server is active, then policy installation from the secondary to the primary server is prohibited immediately after upgrade. To resolve this, install the policy locally on the primary server.

31. When modifying the file InternalCA.C, be sure to copy the modified file to the other management stations, and then install policy again for the changes to become active.

SmartDirectory

32. If Use SmartDirectory (LDAP) is checked in Global Properties, but no LDAP account unit is configured, authentication of external users (as opposed to LDAP users) that are not defined in the user database will not succeed. To resolve this issue, uncheck Use SmartDirectory (LDAP) in Global Properties.

User Management

33. When manually defining branches on an Account Unit, spaces between elements in the branch definition will not work. For example:

A good branch: ou=Finance,o=ABC,c=us

A bad branch: ou=Finance , o=ABC , c=us
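As an added example (not from the Check Point document), the following POSIX shell functions check a branch before it is typed into the Account Unit definition: they reject the padded commas shown in the bad branch above, also reject RDNs that are not of the form attr=value (a stricter check than the document states), and print the normalized form. The function names are this example's own; values containing an escaped comma (\,) are not handled.

```shell
#!/bin/sh
# Added example, not part of the Check Point document.
# Validates an Account Unit branch (an LDAP DN) before it is entered in the
# Account Unit, catching the padded commas that item 33 says will not work.
# Limitation: values containing escaped commas (\,) are not handled.

# branch_ok <dn>: 0 if the branch has no spaces around its commas and every
# RDN has the form attr=value; 1 otherwise.
branch_ok() {
    _dn=$1
    [ -n "$_dn" ] || return 1
    case "$_dn" in
        *' ,'*|*', '*) return 1 ;;   # the documented failure: "ou=Finance , o=ABC"
        ,*|*,|*,,*)    return 1 ;;   # empty RDN
    esac
    _rest=$_dn
    while [ -n "$_rest" ]; do
        case "$_rest" in
            *,*) _rdn=${_rest%%,*}; _rest=${_rest#*,} ;;
            *)   _rdn=$_rest;       _rest='' ;;
        esac
        case "$_rdn" in
            [A-Za-z]*=?*) ;;         # attr=value (values themselves may contain spaces)
            *) return 1 ;;
        esac
    done
    return 0
}

# normalize_branch <dn>: prints the branch with whitespace around commas removed,
# i.e. the document's "bad" form rewritten as its "good" form.
normalize_branch() {
    printf '%s\n' "$1" | sed 's/[[:space:]]*,[[:space:]]*/,/g'
}

# check_branch <dn>: human-readable verdict; returns 0 only for an acceptable branch.
check_branch() {
    if branch_ok "$1"; then
        echo "OK:  $1"
        return 0
    fi
    _fixed=$(normalize_branch "$1")
    if [ "$_fixed" != "$1" ] && branch_ok "$_fixed"; then
        echo "BAD: $1  (use: $_fixed)"
    else
        echo "BAD: $1  (not a valid attr=value,attr=value branch)"
    fi
    return 1
}

# Example invocations:
# check_branch 'ou=Finance,o=ABC,c=us'        -> OK
# check_branch 'ou=Finance , o=ABC , c=us'    -> BAD, suggests ou=Finance,o=ABC,c=us
```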

SmartPortal

34. When a Management High Availability changeover is performed (between SmartCenter and/or CMA and/or MDS), the changeover may not succeed if SmartPortal is connected in Read/Write mode. To resolve this issue, restrict SmartPortal access to Read-only administrators; or use SmartView Monitor to disconnect the Read/Write SmartPortal session.

Trust Establishment

35. Before establishing secure internal communication (SIC) between a standalone SmartCenter server and a Connectra device, install policy on the SmartCenter server.

OSE

36. The Drop action is not supported for Cisco OSE devices. If the Drop action is used, the policy installation operation fails.

37. 3Com devices are not supported.


Platform Specific - Nokia

38. When upgrading using the Import Configuration option in the wrapper, and the machine you have exported the configuration from is a Nokia platform, the following may occur:

• Check Point packages that were inactive on the production machine will either become active on the target machine if its OS is Nokia, or will be installed on other platforms.

If this should occur, when the target machine is a Nokia platform, return the relevant packages to the inactive state. For other platforms, uninstall the relevant packages.

Platform Specific - Windows

39. On Windows platforms only, in some cases, when performing the Restore Version operation (from SmartDashboard, File > Database Revision Control > Restore Version) while SmartView Tracker is open, the restore fails and you are not able to save the database (File > Save). The solution is to make sure that SmartView Tracker is closed before performing Restore Version operations. If you have already encountered this problem, run cpstop and then cpstart.

40. After using the Advanced Upgrade tools to migrate a SmartCenter server to a different machine, authentication against the RSA ACE/Server (SecurID) will no longer work, because the node secret that the ACE client stored on the original machine no longer matches the one the server expects. To re-establish the connection, do the following on the SmartCenter server:

1. Use Regedit to open the Windows registry.

2. Locate the key HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\ACECLIENT.

3. Delete the value NodeSecret.

4. Reboot the SmartCenter server.

Provider-1/SiteManager-1

In This Section

Installation/Upgrade
Configuration
Licensing
Backup and Restore
Migrate
Global Policy
Global VPN
Global SmartDefense
SmartUpdate
SmartPortal
Status Monitoring
Eventia Reporter
Authentication
Miscellaneous

Installation/Upgrade

1. Some of the issues reported by the Pre-Upgrade Verifier may require database modifications. To avoid having to repeat these changes, remember to synchronize your mirror MDSs/CMAs and perform the "install database to CLM" processes. It is highly recommended that you read the "Upgrading in Multi MDS environment" section in The Upgrade Guide.

2. After upgrading an MDS or MLM in a multi MDS environment, SmartDashboard displays CMA and CLM objects with the previous version, and the following error message appears when performing the operation Install Database:

Install Database on <CLM_name> Log Server can only be partially completed. To restore full functionality (full resolving and remote operations), upgrade the Log Server to be the same version as your Management Server.

In order to update the CMA/CLM objects to the most recent version, use the following procedure after upgrading all MDS and/or MLM servers:

1. Verify that all active CMAs are up and running with valid licenses, and that none of them currently has a SmartDashboard connected.

2. Run the following commands in a root shell on each MDS/MLM server:

A. mdsenv

B. $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL

3. Synchronize all Standby CMAs and SmartCenter Backup servers and install the database on the CLMs.

In some cases, the MDG will display CMAs with the version that was used before the upgrade. To resolve this issue, after performing steps 1 - 3, do the following:

1. Make sure that each CMA that displays the wrong version is synchronized with the Customer's other CMAs.

2. Restart the MDS containers hosting the problematic CMAs by executing the following commands in a root shell:

A. mdsenv

B. mdsstop -m

C. mdsstart -m

3. After upgrading a pre-NGX SmartCenter to NGX R62, software packages (except for VPN-1 Edge firmware packages) that were displayed in the Package Repository of SmartUpdate do not appear. The packages are in the directory $SUROOT, and can be re-added to the Package Repository using the SmartUpdate command Add From File.

4. Management of FireWall-1 4.1 gateways and VPN-1 Net gateways is no longer supported in NGX R62. Prior to upgrading configurations that contain such gateways, the gateways need to be upgraded to the supported products/ versions. Since the pre-upgrade verification tools will not allow the upgrade to proceed as long as such gateways exist in the configuration database, the objects either need to be deleted from the source management or updated to represent a supported product/ version. If the objects are updated for the sake of allowing the upgrade to proceed, management of the gateways will not be allowed until the gateway software and license is upgraded as well.

Please also note that configurations that contain externally managed FireWall-1 4.1 gateways cannot be upgraded to NGX. To allow the upgrade to proceed, these objects need to be updated to represent a supported version.

Configuration

5. In the SecurePlatform installation, the default maximum number of file handles is set to 65536. This also applies to standard Linux installations, but the default number may vary.


For Provider-1/SiteManager-1 installations with a large number of CMAs, 65536 file handles may be insufficient. Indications that the system may not have enough available file handles can be failure of processes to start, and/or crashes of random processes.

• To check if insufficient file handles is indeed the problem, enter the following command from root or expert mode:

# cat /proc/sys/fs/file-nr

This command prints three numbers to the screen. If the middle number is close to zero, or the left number equals the right-most number, it is required to increase the maximum number of file handles.

• To increase the maximum number of file handles, enter the following command from root or expert mode:

# echo 131072 > /proc/sys/fs/file-max

The number above is for demonstration purposes; the actual figure should be derived from the amount of memory and the number of CMAs.
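As an added example, not taken from the Check Point document, here is a POSIX shell script that applies the two tests above to the three numbers in /proc/sys/fs/file-nr, so the check can be run from cron or a monitoring agent on a busy MDS instead of being read by eye. One caveat the document does not state: the "middle number close to zero" test only works on 2.4 kernels, which is what SecurePlatform of this release ran; since Linux 2.6 the kernel always reports 0 in that field, so on a newer host only the allocated-versus-maximum comparison is meaningful. The threshold of 64 free handles for "close to zero", the doubling rule in next_file_max and the function names are this example's own choices; the document gives no formula and says only that the real figure should follow from memory size and CMA count. Note also that a value written to /proc/sys/fs/file-max is lost at reboot; set fs.file-max in /etc/sysctl.conf as well.

```shell
#!/bin/sh
# Added example, not part of the Check Point document.
# Scripted form of the file-handle check in item 5 above.
# /proc/sys/fs/file-nr holds three numbers: allocated, free, maximum.

FREE_LOW=64   # "close to zero" threshold: this example's choice, not Check Point's

# file_nr_exhausted "<allocated> <free> <max>" <kernel-release>
# Returns 0 when the handle table should be enlarged, 1 when it is fine,
# 2 when the input is not three non-negative integers.
file_nr_exhausted() {
    _krel=$2
    set -- $1                     # split the three fields (word splitting is intended)
    for _n in "$1" "$2" "$3"; do
        case "$_n" in
            ''|*[!0-9]*) return 2 ;;
        esac
    done
    _alloc=$1; _free=$2; _max=$3
    # Documented test 1: the left number equals (or exceeds) the right-most one.
    [ "$_alloc" -ge "$_max" ] && return 0
    # Documented test 2: the middle number is close to zero. Only meaningful on
    # 2.4 kernels (SecurePlatform of this release); since Linux 2.6 the free
    # field is always reported as 0, so the test would fire on every host.
    case "$_krel" in
        2.4.*) [ "$_free" -le "$FREE_LOW" ] && return 0 ;;
    esac
    return 1
}

# next_file_max <current-max>: doubling rule mirroring the document's
# 65536 -> 131072 illustration. Placeholder only: the document says the real
# figure must be derived from memory size and the number of CMAs.
next_file_max() {
    echo $(( $1 * 2 ))
}

# check_live_host: read the real values on this machine and report.
# Returns file_nr_exhausted's status so it can drive cron or a monitor.
check_live_host() {
    [ -r /proc/sys/fs/file-nr ] || { echo "no /proc/sys/fs/file-nr here" >&2; return 2; }
    _line=$(cat /proc/sys/fs/file-nr)
    _krel=$(uname -r)
    if file_nr_exhausted "$_line" "$_krel"; then _rc=0; else _rc=$?; fi
    set -- $_line
    _max=$3
    if [ "$_rc" -eq 0 ]; then
        echo "file handles exhausted ($_line, kernel $_krel); consider:"
        echo "  echo $(next_file_max "$_max") > /proc/sys/fs/file-max   # immediate, lost at reboot"
        echo "  fs.file-max = $(next_file_max "$_max")                  # /etc/sysctl.conf, persistent"
    else
        echo "file handles OK ($_line, kernel $_krel)"
    fi
    return $_rc
}

# Example invocation on the MDS: check_live_host
```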

Licensing

6. If you upgrade licenses after upgrading the MDS, the upgraded licenses will not be displayed in the MDG until after restarting the MDS.

7. Under rare circumstances, a CMA license may not appear in the SmartUpdate view of the MDG, and yet appear in SmartUpdate when launched from the CMA. If this happens, do the following:

1. From the command line in the CMA environment, use the cplic command to remove the missing license, and then add it again.

2. In SmartUpdate, right-click the CMA and select Get Licenses.

Backup and Restore

8. A backup file created on a Solaris platform with the mds_backup command cannot be restored on a Linux platform, nor vice-versa. A backup made by mds_backup on Linux can be restored on SecurePlatform and vice-versa.

9. When saving the configuration of an MDS (via the command mds_backup), make sure to also back up the configuration of each of the VSX gateways/clusters that are managed by the MDS. When restoring the configuration of the MDS (via the command mds_restore), make sure to restore the configuration of all VSX gateways/clusters immediately afterwards.


Migrate

10. After migrating a SmartCenter server running on a Nokia platform to an NGX R62 CMA, the VPN-1 Edge objects and Profiles creation option from SmartDashboard is not available. See SecureKnowledge solution sk26484 for more information.

11. Migrating a CMA/SmartCenter database to a Provider-1 CMA disables the CMA's PnP license, if any.

12. Migration of a CMA is not supported when VSX objects exist in the database.

13. After migrating Global Policies and CMAs that contain Global VPN Community, the VPN Communities mode of the Global Policies view in the MDG may not display all gateways participating in the Global VPN Communities. To resolve this issue, after completing the migration of all relevant configuration databases and starting the MDS and the CMA processes, issue the following commands in the root shell on the MDS:

1. mdsenv

2. fwm mds rebuild_global_communities_status all

14. When migrating complex databases, the MDG may timeout with the error message Failed to import Customer Management Add-on, even when the migration process continues and is successful. Therefore, when migrating large databases, it is recommended that you run the migrate operation from the command line. See the cma_migrate command in The Upgrade Guide.

15. The migrate_assist utility reports missing files, depending on FTP server type. If files are missing, copy the relevant files manually. More information regarding the relevant files and the directory structure is available in the “Upgrading Provider-1” chapter of The Upgrade Guide.

16. Before migrating the global database, if there are Global VPN Communities in the source database or in the target database, it is highly recommended that you read the “Gradual Upgrade with Global VPN Considerations” section of The Upgrade Guide.

17. If you delete a CMA that has been migrated from an existing CMA or SmartCenter database, and then want to recreate it, first create a new Customer with a new name. Add a new CMA to the new Customer and import the existing CMA or SmartCenter database into the new CMA.

18. After migrating SmartCenter or CMA databases with SmartLSM data, execute the command LSMenabler on on the CMA.

19. After migrating a SmartCenter database which contains SmartDashboard administrators or administrator group objects, these objects remain in the database but are not displayed in SmartDashboard. As the CMA is managed by Customer Administrators via the MDG and not via SmartDashboard, these objects are irrelevant to the CMA. However, if you need to delete or edit one of these objects, use dbedit or GuiDBedit to do so.

20. When migrating a CMA or SmartCenter High Availability (HA) to a new CMA in a different Provider-1/SiteManager-1 environment, be sure to use the primary database of the CMA or SmartCenter HA for the migrate operation.

In addition, if the name used for the new CMA is not the name of the previous primary CMA or SmartCenter HA, the new CMA name must not be the same as a name already used for a network object in the migrated database, including the secondary management object.

Global Policy

21. When deleting a Check Point host object created in Global SmartDashboard that has the same name as one of the MDS/MLM servers, the SIC certificate of the matching MDS/MLM server may be revoked. To avoid this situation, refrain from defining Check Point host objects with names identical to MDS/MLM servers in the system. If the certificate of one of the MDS/MLM servers is revoked, see SecureKnowledge solution sk24204 to remedy the situation.

22. Avoid circular references in the Global Policy, as this will cause its assignment to fail.

23. To ensure the integrity of Global Policies, only Provider-1 Superuser and Customer Superuser administrators are allowed to perform a Database Revision Control operation on a CMA. This is to ensure that a lower level administrator does not change the Global Policy assigned to a Customer. This is not a limitation, but rather an effect of the administrator’s permission hierarchy.

24. Assigning a Global Policy to Customers may be a heavy operation. For this reason, it is recommended that you use MDG: Manage > Provider-1/SiteManager-1 Properties > Global Policies and set Perform Policy operations on ... customers at a time to 1. For an MDS machine that hosts a large number of CMAs and big databases (the global database and the local CMA databases), refer to Hardware Requirements and Recommendations in the Provider-1/SiteManager-1 User Guide.

25. When installing policy from the MDG using the Assign/ Install Global Policy operation, the Security Policy is not installed on VPN-1 Edge profiles. Use SmartDashboard to install policy to VPN-1 Edge profiles.

26. When creating Connectra gateway objects (like other gateway objects, such as VPN-1, VPN-1 Edge, and Interspect), be sure to do so using the CMA SmartDashboard. Defining Connectra objects in Global SmartDashboard is not supported.


Global VPN

27. Simplified VPN Mode Policies cannot work with gateways from versions prior to FP2. You cannot assign a Global Simplified VPN Mode Policy to a CMA with gateways of version FP2 or lower.

28. Global VPN Communities do not support shared secret authentication.

29. Only Globally-enabled gateways can participate in Global VPN Communities. Gateway authentication is automatically defined using the CMA’s Internal Certificate Authority. Third-party Certificate Authorities are not supported.

30. VPN-1 Edge gateways cannot participate in Global VPN Communities.

31. Currently an external gateway can fetch CRL only according to the FQDN. Therefore, a peer gateway would fail to fetch a CRL when the primary CMA is down (even if the mirror CMA is operational). To avoid this scenario, you can change the FQDN to a resolvable DNS name by executing the following commands:

1. mdsenv <CMA>

2. Run cpconfig and select the menu item Certificate Authority

32. After enabling a module for global use from the MDG, install a policy on the module or use the Install Database operation on the management server in order for its VPN domain to be calculated.

33. When migrating a CMA, all CMAs that participate in a Global VPN Community must be migrated as well. If you do not migrate all relevant CMAs, it will affect Global Community functionality and maintenance.

34. A globally enabled gateway can be added to a Global VPN Community from Global SmartDashboard only through the community object and not from the VPN tab of the object.

35. When a VPN Simplified Mode Global Policy is assigned to a Customer, all of the Customer’s Security Policies must be VPN Simplified as well.

36. If the Install policy on gateway operation takes place while the MDS is down, the status of this gateway in the Global VPN Communities view is not updated.

37. When using VPN-1 VSX Virtual Systems in Global VPN Communities, the operating system and version displayed on objects representing Virtual Systems in peer CMAs is incorrect. This information can be safely ignored.

Global SmartDefense

38. If a Customer is configured for SmartDefense Merge mode, modifications made to the SmartDefense settings on a SmartCenter Backup server are not preserved after Global Policy is reassigned to the Customer.


SmartUpdate

39. Firmware packages cannot be deleted from the SmartUpdate repository. To delete packages, use the utility mds_delete_firmware.

40. When using the MDG’s SmartUpdate view, packages are added to the SmartUpdate repository of the MDS to which the MDG is connected. When in a Multi-MDS environment, make sure that each SmartUpdate package is added to each MDS individually.

When adding SofaWare firmware packages in such an environment, a package added to one MDS will appear to have been added to all other MDSs. In this case as well, make sure that each firmware package is added to each MDS individually.

41. After detaching a Central license from a CMA using the SmartUpdate view, the license remains in the License Repository, and therefore cannot be added again to the CMA from the MDG General view. To add it again, reattach the license using SmartUpdate.

42. SmartUpdate packages cannot be added to the MDS Package repository if no CMAs are defined. Before populating an MDS's SmartUpdate repository with packages, define at least one CMA.

SmartPortal

43. When using Management High Availability (between a SmartCenter server and either a CMA or an MDS), changeover may not succeed when SmartPortal is connected in Read/Write mode. To resolve this issue, do one of the following:

• Only allow access from SmartPortal to Read-only administrators

• Disconnect Read/Write SmartPortal clients from SmartView Monitor

Status Monitoring

44. A CMA will report the status Waiting until it is started for the first time.

45. In a CMA High Availability configuration, the High Availability synchronization status in the MDG may contain inconsistent values if valid licenses have not been installed. If this is the case, the synchronization status should be ignored. In order to operate, however, all CMAs must have valid licenses.

46. SmartView Monitor displays invalid statuses when connecting to a CLM. To view Customer statuses using SmartView Monitor, connect to a CMA.


Eventia Reporter

47. As Eventia Reporter data is not synchronized on multiple MDSs in High Availability configurations, Eventia Reporter should be set to work with just one MDS. To do so, install the Eventia Reporter Add-on on one MDS only, and log into this MDS whenever using the Eventia Reporter client.

48. You must log into the Eventia Reporter client using a Provider-1 Superuser administrator account, or a Customer Superuser administrator account. Other administrator types are not supported.

49. Only one Eventia Reporter server is supported. Do not define more than one Eventia Reporter server in Global SmartDashboard.

50. For Eventia Reporter to function properly, all Customers must have a Global Policy assigned to them. If a Customer has not been assigned a Global Policy, all reports generated for this Customer will fail with the following error:

Could not retrieve CMA for customer <CUSTOMER-NAME>. CMA is either stopped or standby.

Authentication

51. After defining RADIUS or TACACS server objects in Global SmartDashboard, wait until the MDSs are synchronized before configuring administrators to authenticate via the new servers.

Miscellaneous

52. In a CMA High Availability configuration, the MDG may variably report the status of VPN-1 Edge gateways as either OK or Not Responding. To see the correct status, open SmartView Monitor on the Active management.

53. Certificates for Provider-1 administrators should be created only from an MDG connected to the MDS that currently hosts the active global database.

54. When working with a large CMA database, synchronizing this database may take some time. If you create a second CMA from the MDG it may seem that the operation was not successful on account of the timeout, when in fact the operation was done within a set period of time.

To make sure that this operation finished successfully after the MDG's timeout:

1. Wait until the second CMA is displayed on the MDG, with a Started status.

2. From SmartDashboard, connect to the active CMA.

3. Select Policy > Management High Availability and in the displayed window verify that the standby CMA's Status is Synchronized.

55. The cp_merge utility is not supported in Provider-1/SiteManager-1.


56. When creating, deleting or updating a Virtual Device, the database of the CMA containing the VSX gateway will be locked during that time. If a user tries to connect to the CMA via SmartDashboard, a message will report that the database is locked. Selecting Disconnect does not unlock the database. Connection to the CMA may be resumed when the operation finishes.

57. SmartDashboard currently lacks appropriate error messages for the following scenarios:

• Using a SmartCenter Backup Server, the user cannot edit a Virtual System object where the VSX belongs to another CMA (main CMA), because there is no connection between them.

• The user cannot edit a Virtual System object in a CMA whose Active main CMA is a SmartCenter Backup Server, because there is no connection between them.

Integrity

In This Section

Integrity Server page 16

Notes on Instant Messenger (IM) Security page 16

Documentation Issues page 17

Client Issues page 18

Server Issues page 19

Localization and Special Character Issues page 24

Gateway and Third Party Issues page 25

Integrity Server

1. After installing Integrity server, the services Tomcat (ISTC) and Apache (ISAP) may report being down. This can be safely ignored.

Notes on Instant Messenger (IM) Security

When using this version of Integrity IM Security, please note the following:

2. To apply Integrity IM Security to IM clients that use HTTP tunneling, you must configure a proxy server for HTTP tunneling.

3. IM Security configuration options are available on a policy’s Messaging Settings tab. For more information, see the associated online help and the Integrity Advanced Server Administrator Guide.


4. Integrity does not support the use of an HTTP proxy server (for HTTP tunneling) with Trillian or Miranda.

5. If you are using Yahoo or MSN protocol, you cannot block audio sessions, video sessions, or file transfers independently.

To block any of these types of communication, you must block all three. Similarly, to block the transfer of any file type, you must block all file types. These limitations are due to recent changes in the Yahoo and MSN protocols.

Yahoo IM and MSN Messenger have recently introduced an additional peer-to-peer protocol for bandwidth-intensive communications, such as audio sessions, video sessions, and file transfers. Whenever a user establishes an audio or video session or transfers a file, the IM client establishes a peer-to-peer session to accommodate the communication. This session remains active after the communication is complete, meaning that it accommodates all subsequent requests for audio/video sessions and file transfers. Integrity IM Security parses the IM protocol and prevents peer-to-peer sessions for blocked communications. However, if you allow any audio/video sessions or file transfers, the resulting peer-to-peer session bypasses Integrity IM Security and allows all subsequent transfers of any type. Note that Integrity does not log or report any audio/video sessions or file transfers that occur over the peer-to-peer session.

Check Point will consider addressing the peer-to-peer protocol issue in a subsequent release of Integrity Advanced Server.

6. Video is not blocked provided Audio transmission is allowed

The Block Video checkbox does not affect Windows Messenger. Both video and audio conversations are blocked when the Block Video checkbox is enabled, and both audio and video conversations are unblocked when the Block Audio checkbox is disabled.

7. IM Security does not detect instant messenger programs

If IM Security is started after an instant messenger program, it will not detect the instant messenger and the user may be unable to send instant messages. Workaround: Restart the instant messenger program after starting IM Security.

8. IM Security blocks peer to peer

IM Security always blocks Peer to peer connections in ICQ 2003. As a result, a user will not be able to send files, audio, and video.

Documentation Issues

Corrections and additions to the documentation.

9. Instructions for integrating with InterSpect NGX


Instructions in the Gateway Integration Guide for configuring InterSpect integration are specific to InterSpect 2.0. There may be user interface and other differences on the InterSpect side when using the NGX version of InterSpect. Please consult the InterSpect NGX documentation for additional information.

Client Issues

Known issues affecting client installation, upgrade, or configuration.

10. No support for Windows 98, Windows NT, or Windows ME

Integrity clients do not support Windows 98, Windows NT, or Windows ME. If you try to install IAS on one of these operating systems, IAS will not issue a warning or prevent you from installing. However, proceeding with such an installation may cause unpredictable results.

11. Flex client must be rebooted to register changes to Return to Default buttons

When you change the setting of Hide Return to Default buttons in Integrity Flex (in the Advanced Settings section of a policy's Client Settings tab), the end user must reboot Integrity Flex client for the change to take effect.

12. Some out of compliance messages are truncated or repeated

The Integrity clients may repeat some messages and truncate others.

13. Malicious Code Protection does not work when a user is restricted

When a user is in the restricted state, Malicious Code Protection does not function.

14. SecureClient does not shut down

When installing Integrity SecureClient, the installation hangs or crashes. A workaround is to remove the directory %PROGRAMFILES%\Common Files\InstallShield before running the Integrity SecureClient installer.

15. Personal policy is not able to block MS Remote Desktop

You cannot block Microsoft Remote Desktop using application rules.

16. Client cannot download package from external source when restricted

If the client becomes restricted due to a client enforcement rule, and the rule specifies an upgrade package on an external URL, the client may not be able to download the external package. This can occur even if the 'external' URL is actually the same as an Integrity Advanced Server.

A workaround is to upgrade using the Upgrade package from Integrity Server option rather than upgrading from an external URL.

17. Integrity Flex does not support long custom text


If you set custom text exceeding 180 characters, it will not display correctly in Integrity Flex.

18. Enterprise policies cannot override keyboard and mouse settings

If you set your policy to allow a program and to enforce the enterprise policy only and the user has set permissions in the personal policy to block the program, the program will be able to access the Zones as defined in the enterprise policy, but will not be able to perform keyboard and mouse activity.

Workaround: Users must set the program to allow the keyboard and mouse activity in the personal policy.

19. The set password command line is not supported

The command line to set the client password, ICLIENT.EXE -PWINSTSET, is not supported.

Server Issues

Known issues affecting server installation, upgrade or configuration.

20. Integrity Agent does not support the Anti-Spyware Action setting Confirm

When creating a policy to be used with Integrity Agent clients, Anti-Spyware Action settings must be set to either Notify or Automatic. Integrity Agent does not support the Action setting Confirm, because there is no way for the user to confirm through the UI.

21. If IAS is configured to use a case-sensitive SQL database, some users must log in with case-sensitive user names

If Integrity Advanced Server is configured to use an SQL database that is case-sensitive, Integrity treats all user names in an imported Windows 2000 or Windows NT domain as case-sensitive. If you assign a policy directly to an individual user within such a domain (as opposed to assigning a policy to the domain or group to which the user belongs), and if the user then logs into the endpoint without observing case sensitivity, Integrity will not recognize the user name and will therefore not enforce the policy assigned directly to that user. Such a user will receive the default policy instead. To avoid this problem, administrators who have configured a case-sensitive SQL database and have assigned policies directly to certain users (who were imported as part of one of the relevant domain types) must give each such user the case-sensitive version of his or her user name and require him or her to log in with that version.

22. Adding a local policy to a client package causes Integrity to ignore some package-level settings


If you add a local policy to a client package, Integrity ignores the following package settings: Launch Client Minimized, System Tray Icon, and System Tray Menu. In addition, policy settings override the package-level setting for the Client Shutdown option.

23. Custom support links in a personal policy always override those in the enterprise policy

If an enterprise policy and a personal policy both specify a custom support link (in their respective client settings sections), the Integrity client always shows the link specified in the personal policy and ignores the link specified in the enterprise policy, even if you select Enforce enterprise policies only in the enterprise policy's client settings.

24. Continuous looping of log uploads

If the minimum number of events is less than 2, continuous looping of log uploads occurs.

In order to prevent continuous looping of log uploads, in the Client Configuration > Client Settings panel's Log Upload Size area, set the minimum number of events to be equal to or greater than 2.

25. SNMP trap messages in hex code

SNMP traps sent from the Integrity Advanced Server are logged to /var/log/messages file but the messages are in hex codes.

A workaround is to enable SYSLOG and SNMP traps in Linux by issuing the following commands:

syslogd -h -r -m 0 (to enable syslog with remote option)

snmptrapd -Oa (to enable snmptrapd and route the output to syslog)

26. Limitations when importing groups

Internet Explorer (6.x) limits to 3000 the number of groups you can import into an NTDomain, LDAP, or RADIUS catalog on Integrity Advanced Server. To import more than 3000 groups, use another of the supported browsers. Mozilla Firefox is the only compatible browser that accommodates imports of more than 10,000 groups. Note that, for very large imports, the import page may take up to ten minutes to display all imported groups.

When importing groups with a browser other than Internet Explorer, users may get a warning asking whether to abort the long-running JavaScript routine. Users should close the dialog box or choose to continue running JavaScript. For Firefox, you can suppress this message by typing about:config in the address bar, finding the entry for dom.max_script_run_time, and setting the number to 60 (on new computers) or 120 (on older computers).


27. MAC address in the User Activity report is incorrect

When using VMware, the IP address column in the User activity report gives the wrong information.

28. Cannot delete some accounts

For Integrity installs with Oracle databases, administrator accounts with locked policies will not be deletable until the policy is unlocked. Only the locking administrator can unlock a policy.

29. Settings in custom config file are removed

If you upload a config.xml file, using the Client Packager page, and specify a local policy, only the connection settings in the config.xml will be used. All other settings in the uploaded configuration file will be overridden by the local policy selected.

30. Apache shows an error while running

While Apache is running, it shows the following error: (730038)An operation was attempted on something that is not a socket.: winnt_accept: AcceptEx failed. Attempting to recover.

Workaround: Place the directive Win32DisableAcceptEx on a separate line in the beginning of the httpd.conf configuration file (in ‹install_dir›\apache2\conf) and then restart Apache.

31. Localized characters are not supported in the Install Key

You cannot use non-English characters in the Install Key in the Client Packager page.

Workaround: Use only ASCII characters for the Install Key.

32. Need to increase number of allowed processes

By default, each Integrity Advanced Server uses a maximum of 50 JDBC connections at peak load. If you are running more than one Integrity Advanced Server in a cluster, please configure the maximum connections allowed by the Database accordingly. In the case of Oracle 9i, please increase the number of processes by (n * 50) where n is the number of Integrity Advanced Servers in the cluster.

33. Info level logging produces a lot of data

Logging at the Info level can produce a lot of data. Do not set info-level notifications to e-mail.

34. Some policies cannot be imported

Some policies cannot be imported into the Integrity Advanced Server. For example: policies containing enforcement rules that use remediation files.


A workaround is to edit the XML to remove the item from the policy that cannot be imported.

35. Global Spyware category settings are lost

If you disable and then reenable Global Spyware Protection, all category settings are lost.

36. Popup during upgrade

When upgrading an existing Flex installation, a pop-up message may appear requesting DNS access for the files msiexec.exe and fwkern.exe.

A workaround is to add program rules to your policy allowing DNS access for these two files.

37. NNTP is not supported by Malicious Code Protection

Integrity clients that receive policies where this protocol is selected in the SmartDefense policy tab will no longer observe or protect against malicious code that subverts NNTP port 119.

38. Licensing issues

Integrity SecureClient is designed to be licensed through the SecureClient license. SecureClient is licensed on the server but SecureClient also inserts an item in the desktop's registry once it connects to a Policy Server that has a license. The Integrity client checks for this registry setting to determine if it is also licensed. If the SecureClient has multiple sites that it is connecting to, it only has to connect to one site to be licensed.

In order to license the Integrity client, SecureClient has to connect to the VPN Policy Server within the Integrity client's 30 day trial period. If the user does not connect to the VPN Policy Server before the end of the trial period, then the Integrity client will prompt the user to enter a license key.

If the Integrity Client is packaged with a license, it will use that license instead of checking the registry setting. Customers who buy an Integrity SecureClient license but want to deploy Integrity on an internal machine that does not have SecureClient, need to request an Integrity license. When entering the license key, be sure to remove the hyphens.

If, after installing the license on the gateway, SecureClient and Integrity Client do not operate beyond the trial period, you will need to install an update to the CPmacro. This update file is available at http://www.checkpoint.com/downloads/index.html.

39. Migrating from 5.x


If you wish to migrate data to a 6.x installation, you must have a version of Integrity Server that is 5.1 or later but before 6.0. This version limitation applies both to the Server migration and the Integrity clients. Please also note that the Integrity Client version and the Integrity Server version must match. Using a server with a different version than the client is not supported. For more information about migrating Server information and re-distributing the new client to endpoint users, see the Integrity Advanced Server Installation Guide.

40. Integrity Advanced Server tries to download updates

The Integrity Advanced Server tries to download spyware definition updates regardless of whether or not Anti-Spyware is licensed.

41. Spurious Error

Occasionally, the following message may appear in the jakarta_stdout.log when the server is under heavy connection load:

SEVERE: Error registering Integrity-Service:type=RequestProcessor,worker=jk-8009,name=JkRequest73
javax.management.InstanceAlreadyExistsException: Integrity-Service:type=RequestProcessor,worker=jk-8009,name=JkRequest73
at mx4j.server.MBeanServerImpl.register(MBeanServerImpl.java:1123)
at mx4j.server.MBeanServerImpl.registerImpl(MBeanServerImpl.java:1054)
at mx4j.server.MBeanServerImpl.registerMBeanImpl(MBeanServerImpl.java:1002)
at mx4j.server.MBeanServerImpl.registerMBean(MBeanServerImpl.java:978)
at org.apache.commons.modeler.Registry.registerComponent(Registry.java:871)
at org.apache.jk.common.ChannelSocket.registerRequest(ChannelSocket.java:436)
at org.apache.jk.common.HandlerRequest.decodeRequest(HandlerRequest.java:443)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:352)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:743)
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:675)
at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:866)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
at java.lang.Thread.run(Thread.java:534)

This message does not signify any functional problem and should not be a cause for alarm.

42. Need to change default password

You must always change the default password to a password of your choosing when you first log into Integrity Administrator Console using the default password. However, if you log into the Integrity Administrator Console using a SmartConsole account, you will not be presented with the change password page and the default password will remain. To preserve the security of your Integrity installation, as soon as you have finished the installation, you should log into the Integrity Administrator Console using the default password and set a new password.


43. Need to redeploy when marking certain programs as 'changes frequently'

If you are using Program Advisor and you add a program to your policy (either individually or as part of a group) and then mark it as 'changes frequently', you must redeploy that policy in order for the 'changes frequently' setting to take effect.

Localization and Special Character Issues

Known issues affecting localized versions of the product or the use of special characters.

44. In search fields, Integrity interprets "%" and "_" as search wildcards

In search fields in the Integrity Advanced Server administration console, Integrity interprets the characters "%" and "_" as search wildcards, NOT as literal characters for which to search.
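"%" and "_" are the SQL LIKE wildcards. The following added example (mine, not Check Point's code, and the table, names and the assumption that the console's search is a LIKE query are all constructed) runs against an in-memory SQLite table and shows how a search term containing "_" over-matches when the wildcards are live, and how a caller escapes them to search for the characters literally.

```python
import sqlite3

# Constructed sample user names (not from the page); some contain a literal '_' or '%'.
SAMPLE_USERS = ["j_smith", "jasmith", "jbsmith", "50%_discount", "50 discount", "jsmith"]

# Characters the page says the console treats as wildcards:
# '%' matches any run of characters, '_' matches exactly one character.
LIKE_WILDCARDS = ("%", "_")


def escape_like(term, escape_char="\\"):
    """Prefix every LIKE wildcard (and the escape character itself) so the
    term is matched literally when used with a matching ESCAPE clause."""
    out = []
    for ch in term:
        if ch == escape_char or ch in LIKE_WILDCARDS:
            out.append(escape_char)
        out.append(ch)
    return "".join(out)


def _connect():
    """Build the constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(u,) for u in SAMPLE_USERS])
    return conn


def search_users(term, literal):
    """Return the names matching `term`, sorted.

    literal=False reproduces the behaviour the page describes (wildcards live);
    literal=True escapes the term so '%' and '_' match only themselves."""
    conn = _connect()
    try:
        if literal:
            rows = conn.execute(
                "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
                (escape_like(term),),
            ).fetchall()
        else:
            rows = conn.execute(
                "SELECT name FROM users WHERE name LIKE ? ORDER BY name", (term,)
            ).fetchall()
    finally:
        conn.close()
    return [r[0] for r in rows]
```

When auditing accounts, search_users("j_smith", literal=False) also returns "jasmith" and "jbsmith", while the literal search returns only "j_smith".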

45. Running 6.0 upgrade wipes prior settings in install-upgrade.properties

During upgrades, the settings in the install-upgrade.properties file on the Integrity Advanced Server will be lost. This file is used by the installLocale.sh and installLocale.bat files.

Workaround: If you need to add languages to your installation later, you should back up the install-upgrade.properties file.

If you have already lost your install-upgrade.properties settings, contact Integrity support for instructions on re-creating the file before attempting to install new languages.

46. Classic Firewall Rules cannot contain certain symbols

You cannot use the ampersand symbol ('&'), quotation marks, or the less than symbol ('<') in the names of Classic Firewall Rules.

47. Some multi-byte characters are corrupted by migration

When migrating from 5.x to 6.x installations, the following objects become corrupted if they use multi-byte characters:

• MailSafe extensions

• Protocols

• Locations

• Firewall rules

• Program groups

• Enforcement rules

• File name


• Policy names, descriptions, and notes

48. Cannot use non-English characters in file extensions

When creating MailSafe extensions, do not use non-English characters.

49. Auto Update not Supported with Localized Clients

Using Client Rules to update clients of different locales is not supported. The rules are applied regardless of the client locales, which results in all clients being updated to the same language. Workaround: Assign a different policy with a different Client Rule to each client with a different locale. You can move all users back to a shared policy after the upgrade has completed.

50. Cannot change the maximum connections using the Administrator Console

Changing the number of maximum connections in the Administrator Console has no effect.

A workaround is to update the file webapps/ROOT/conf/startup.xml. For example, change:

<Property name="poolMaxActive" value="50"/>

to:

<Property name="poolMaxActive" value="200"/>

Restart Integrity Advanced Server so the change takes effect.

51. Cannot use non-XML standard characters in Database passwords

The use of non-XML standard characters, such as ' " < & >, in Database passwords will cause errors during database initialization. Do not use these characters.
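Both item 50 and item 51 come down to XML attribute values. The added example below (mine, not part of the product or this document) edits a constructed startup.xml fragment with a parser instead of text replacement, and shows why a password containing these characters breaks a file that splices it into an attribute unescaped. The enclosing element name, the password attribute and the sample values are assumptions; whether the Integrity installer accepts entity-escaped passwords is not stated on the page, so the pre-install check follows the page and rejects them.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed fragment in the shape the page quotes from webapps/ROOT/conf/startup.xml;
# the <Configuration> wrapper and poolMaxIdle entry are assumptions, not page content.
STARTUP_XML = """<Configuration>
  <Property name="poolMaxActive" value="50"/>
  <Property name="poolMaxIdle" value="10"/>
</Configuration>
"""

# Characters the page says cause errors during database initialization.
XML_UNSAFE = set("'\"<&>")


def set_pool_max_active(xml_text, new_value):
    """Parse the file and rewrite only the poolMaxActive Property (item 50)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for prop in root.iter("Property"):
        if prop.get("name") == "poolMaxActive":
            prop.set("value", str(int(new_value)))  # int() rejects non-numeric input
            changed += 1
    if changed != 1:
        raise ValueError(f"expected exactly one poolMaxActive Property, found {changed}")
    return ET.tostring(root, encoding="unicode")


def get_property(xml_text, name):
    """Read back a Property value from the (possibly rewritten) fragment."""
    root = ET.fromstring(xml_text)
    for prop in root.iter("Property"):
        if prop.get("name") == name:
            return prop.get("value")
    return None


def password_is_xml_safe(password):
    """Pre-install check for item 51: True only when none of ' \" < & > is present."""
    return not (XML_UNSAFE & set(password))


def raw_attribute_parses(password):
    """Splice the password into a double-quoted attribute without escaping (the
    failure mode behind item 51) and report whether the result is well-formed."""
    doc = f'<Property name="dbPassword" value="{password}"/>'
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


def escaped_attribute_roundtrips(password):
    """quoteattr() yields a well-formed attribute that parses back to the same
    value; this only demonstrates the XML mechanics, not installer behaviour."""
    doc = f"<Property name=\"dbPassword\" value={quoteattr(password)}/>"
    return ET.fromstring(doc).get("value") == password
```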

Gateway and Third Party Issues

Known issues involving compatibility with gateways or third-party products.

52. Integrity client fails to detect McAfee Virus Scan Enterprise Virus definition

The McAfee product's UI displays only a portion of the product version number. Internally, the full version number is used. You must use the full version number when referencing the McAfee product for the Integrity client to detect the McAfee Virus Scan Enterprise Virus definition.

53. SecureClient not compatible with PC-Cillin 2005

If you have SecureClient installed, you will not be able to also install PC-Cillin 2005.

54. Clustering with EAP gateways is not certified

Clustering your Integrity Advanced Servers is not supported when using EAP gateways.

55. SecureClient tunnel is dropped

Shutting down the Integrity Client results in the SecureClient tunnel being dropped.


A workaround is to use SecureClient to reestablish the tunnel.

56. Endpoints may not get client downloads with 802.11B devices

Endpoints may not have enough time, when restricted, to download the client package over an 802.11B wireless access point. If you are using an 802.11B wireless access point, your endpoints may need to be attached to a wired LAN to download the Integrity Client package file.

A workaround is to use an 802.11G device, or have endpoints connect using a wired LAN to get the Integrity Client package.

57. Safe@Office RADIUS packets not processed

Safe@Office firmware 5.0.82 or earlier requires the NAS IP address to be 129.39.232.228 and the RADIUS client IP address to be the IP address of the Safe@Office device.

58. Integrity clients don't recognize full version numbers

Integrity clients only recognize version numbers up to two places after the first decimal point (x.xx).

59. Network Interface Card remains disabled

If you are using EAP and the Network Interface Card is disabled, it will remain disabled even after reboot.

Miscellaneous

60. Changing the Integrity server SSL port will not work for heartbeat and sync using Cisco VPN 3000 concentrators and co-op enforcement. If you are using the Cisco VPN 3000 concentrators do not change the default server's ports.

61. Integrity Advanced Server for SecurePlatform cannot be installed on a dual-CPU Dell 1850 computer.

62. If you are setting up a distributed installation (in which Integrity Advanced Server and SmartCenter run on separate hosts), Integrity does not automatically synchronize with SmartCenter. To synchronize Integrity with SmartCenter, restart Integrity after you install and configure SmartCenter, install the database, and establish secure internal communication (SIC).

63. If you are using an embedded database with your Integrity installation, you cannot use Japanese characters in enforcement rules.

64. SmartPortal may occasionally contain duplicate records of a single Integrity alert. Any duplicate records will be apparent and can be safely ignored.

65. When uninstalling Integrity Advanced Server on a Linux host, the uninstaller may occasionally fail to remove the Integrity dependency from the Check Point registry for SmartCenter and SmartPortal. If this occurs, you will receive an error when attempting to uninstall SmartCenter and SmartPortal, saying you must first uninstall Integrity. If you encounter this problem, contact the Check Point support team, who can provide a quick solution to the problem.

66. Integrity Advanced Server seat licenses cover a specific number of Integrity clients. If a customer exceeds the number of clients permitted by the seat license, the server goes into read-only mode. The Integrity seat-counting mechanism currently continues to count clients that were installed on computers that are no longer in use. This means licenses may become invalid even though you never exceed the seat limit. If you wish to purchase an Integrity seat license, you must contact your Check Point Integrity sales engineer first for details about a workaround for this issue.

67. When an Integrity client sends a Malicious Code Protection (MCP) alert to Integrity Advanced Server, the alert gives the policy ID as "0" rather than the actual ID of the policy deployed on the endpoint computer. As a result, MCP alert records viewed in SmartPortal or SmartView Tracker give the associated policy as "Default Policy" instead of the actual policy associated with the MCP alert.

68. Integrity log entries pertaining to client uploads may occasionally contain unexplained exceptions, for example:

LogUploadInternal] Error in processing log upload file. java.sql.SQLException: Trying to set null value to a non-nullable column

Such exceptions are caused by an error in the client upload itself, and can be safely ignored.
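Items 41 and 68 both describe log messages that look alarming but are documented as harmless. The added example below (my code, not Check Point's) is a small triage filter that recognises exactly those two documented patterns in constructed jakarta_stdout.log-style lines and still surfaces every other error-level line for review, so the known noise is suppressed without silencing new failures. The sample lines are constructed; the benign ones quote the page's message text.

```python
import re
from collections import Counter

# Patterns documented as harmless for this release (items 41 and 68).
# Any other error-like line is surfaced rather than silently dropped.
KNOWN_BENIGN = {
    "jk_mbean_reregister": re.compile(
        r"SEVERE: Error registering\s*Integrity-Service:type=RequestProcessor,worker=jk-\d+"
        r".*InstanceAlreadyExistsException"
    ),
    "client_log_upload_null_column": re.compile(
        r"LogUploadInternal\] Error in processing log upload file\. "
        r"java\.sql\.SQLException: Trying to set null value to a non-nullable column"
    ),
}

# Crude marker for lines that deserve a look when no benign pattern matched.
ERROR_MARKERS = re.compile(r"\b(SEVERE|Error|Exception)\b")


def classify(line):
    """Return ('benign', tag) for a documented harmless message,
    ('review', None) for any other error-like line, or ('noise', None)
    for lines carrying no error marker at all."""
    for tag, pattern in KNOWN_BENIGN.items():
        if pattern.search(line):
            return ("benign", tag)
    if ERROR_MARKERS.search(line):
        return ("review", None)
    return ("noise", None)


def triage(lines):
    """Count lines per benign tag / verdict and collect the ones needing review."""
    counts = Counter()
    review = []
    for line in lines:
        verdict, tag = classify(line)
        counts[tag or verdict] += 1
        if verdict == "review":
            review.append(line)
    return counts, review


# Constructed sample log lines; lines 1, 2 and 4 quote the page's documented messages.
SAMPLE_LOG = [
    "SEVERE: Error registering Integrity-Service:type=RequestProcessor,worker=jk-8009,"
    "name=JkRequest73 javax.management.InstanceAlreadyExistsException: "
    "Integrity-Service:type=RequestProcessor,worker=jk-8009,name=JkRequest73",
    "[LogUploadInternal] Error in processing log upload file. java.sql.SQLException: "
    "Trying to set null value to a non-nullable column",
    "INFO: Server startup in 4211 ms",
    "SEVERE: Error registering Integrity-Service:type=RequestProcessor,worker=jk-8009,"
    "name=JkRequest74 javax.management.InstanceAlreadyExistsException: ...",
    # A different upload failure: not documented as benign, so it must reach a human.
    "[LogUploadInternal] Error in processing log upload file. java.io.IOException: "
    "Disk quota exceeded",
]
```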

69. If you are running Integrity Advanced Server together with SmartCenter (either on the same host or on separate hosts), and your SmartCenter license expires or becomes invalid, you will not be able to log on to Integrity using your SmartCenter administrator credentials. This applies equally whether you are trying to log on to Integrity directly or through SmartDashboard. Use the cplic command to check and, if necessary, set a new SmartCenter license. (For information on cplic, see the Check Point Command Line Interface Guide.) Even if your SmartCenter license is invalid, however, you can log on to Integrity using your Integrity administrator credentials.

70. There are two ways to log in to the Integrity Advanced Server Administrator Console immediately after installation. If you have already installed SmartCenter and configured an Integrity object in SmartDashboard, you can log in to Integrity through SmartDashboard using the SmartCenter administrator credentials you created with the Check Point Configuration Tool (cpconfig). You can also log in to Integrity directly using the out-of-the-box master administrator credentials (user name 'masteradmin' and password 'password'). Be aware that, even if you log in to Integrity through SmartDashboard, it is still possible for other users to log in to Integrity directly (using the out-of-the-box master administrator credentials) until you change the default password for direct login. For security purposes, it is recommended to log in to Integrity directly and change the default password.

71. When Integrity Advanced Server displays compliance violation events, it intermittently omits the compliance_action field. In a related problem, SmartPortal receives duplicate copies of each compliance violation event. If such an event contains the compliance_action field, SmartPortal displays three log events (among which only the last one shows the compliance_action field); if such an event does not include the compliance_action field, SmartPortal displays two identical log events.

72. CP Watchdog, a tool that monitors and (if necessary) restarts critical Check Point processes, is not supported for Integrity Advanced Server. To monitor Integrity processes, use SmartView Monitor or a third-party watchdog tool for Apache and Tomcat.

Unsupported Features

73. Upgrading from previous versions of Integrity Advanced Server

74. Using a previous version of Integrity client with this release of the IAS

75. Integrity Desktop client

76. Integrity Linux Agent

77. Localized Integrity clients

78. Clustering and fail-over configurations

79. The use of IBM DB2

80. Multi-byte characters in the logs. Because SmartPortal and SmartView Tracker do not support multi-byte characters, any logs that use these characters will display incorrectly.

81. Configuration of an external database from the Web UI version of the Integrity installer for Check Point SecurePlatform. If you want to configure an external database for use with Integrity on SecurePlatform, you must use the command-line version of the installer.


Eventia Reporter

Installation, Upgrade and Backward Compatibility

1. Eventia Reporter can be upgraded to NGX R61 from version NG R56 only. If you are upgrading from a version prior to R56, uninstall the Reporter and continue with the upgrade.

2. The MySQL server on the Eventia Reporter conflicts with a MySQL server installation on the same computer. Install the Eventia Reporter server on a computer that does not contain a MySQL server installation.

3. Eventia Reporter will not continue consolidation sessions if the log files were manually upgraded on the Log Server.

4. After upgrading from R56 to NGX (NGX R61), a scheduled report that is selected for a specific module may fail to run. If this occurs, resave the report.

5. When using SmartUpdate to upgrade Eventia Reporter Server from NGX (R60) to NGX R61, the message Execution error may appear at the end of the upgrade process. This message may be safely ignored. To confirm that the upgrade was successful, in SmartUpdate select the Reporter Server and run the operation Get Gateway Data.

6. To upgrade a distributed deployment of Eventia Reporter from NGX (R60) to NGX R61 on SecurePlatform Pro, do the following:

1. Uninstall the package CPadvr-R60-00.

2. Run the upgrade.

3. Uninstall the package CPsuite-R60-00.

4. Reboot the machine.

7. When installing a distributed Eventia Reporter on SecurePlatform, make sure to restart the machine when the installation completes.

8. The Eventia Reporter Client requires SmartDashboard to be installed on the same machine in order to launch. When installing the Eventia Reporter Client, be sure to install SmartDashboard as well.

9. Eventia Reporter cannot be installed via the SecurePlatform WebUI on an Integrity Server.

10. When upgrading SmartCenter Express on Linux, SecurePlatform or Solaris platforms, a previous installation of Eventia Reporter is not upgraded. To upgrade Eventia Reporter, do the following:

For Linux and SecurePlatform


1. Copy the file /Linux/CPrt/CPrt_unify-R62-00.i386.rpm from the CD to the SmartCenter server.

2. Run the following command: rpm -i CPrt_unify-R62-00.i386.rpm

For Solaris

1. Copy the file /solaris2/CPrt/CPrt.tgz from the CD to the SmartCenter server.

2. Run the following commands:

gtar zxvf CPrt.tgz

pkgadd -d .

General

11. Account logs that are originated by a gateway cluster are counted twice. Thus, reports of these logs will display inaccurate data.

12. Logs produced by VPN-1 Pro modules that also have QoS installed show twice the number of actual HTTP connections. As a result, reports generated on such modules will display an incorrect number of connections.

13. In High Availability mode, after switching the status of a SmartCenter server from active to inactive, reports that were generated on the now inactive SmartCenter server are unavailable from the Eventia Reporter GUI client. However, the reports are still available on the Eventia Reporter server's Results directory.

14. If SmartDashboard is connected to an inactive management, Eventia Reporter cannot be launched from the Window menu of SmartDashboard. Instead, launch Eventia Reporter via the Windows Start Menu.

15. When running Eventia Reporter on SecurePlatform, set the number of DNS threads to no more than 150. Setting this value higher may impede the closing of consolidation sessions.

16. If Eventia Reporter is running with multiple consolidation sessions, after running cpstop, ensure that all log_consolidator processes have terminated before running cpstart.


Configuration

17. Eventia Reporter report definitions and other configuration data are not synchronized by the MDS in High Availability Provider-1/SiteManager-1 configurations. To ensure that Eventia Reporter's information is accurate, perform the following:

• Install Eventia Reporter Add-on on a single MDS.

• When starting the Eventia Reporter client, make sure to open it only on this MDS.

18. FTP or HTTP distribution of reports does not work with proxy settings. If a machine has proxy settings, use alternate distribution methods such as e-mail distribution, or copy files from the Report's Results directory instead.

19. When an Eventia Reporter Server's IP address has static NAT, a machine running the Eventia Reporter SmartConsole must be able to route connections to the Eventia Reporter server's real IP address. This can be achieved by running the Eventia Reporter SmartConsole on a machine in the Server's local network, or sometimes, by adding the appropriate route entries in the Eventia Reporter SmartConsole's routing table.

20. Only one Eventia Reporter Server can work with the same SmartCenter or MDS.

21. A distributed installation of Eventia Reporter Server is not supported on a machine which contains a VPN-1 Pro enforcement module, SecureClient, SmartCenter High Availability server or Provider-1/SiteManager-1 MDS.

22. The Log Server on an Eventia Analyzer machine cannot serve as a Log Server for Eventia Reporter.

VPN

1. After upgrading a pre-NGX SmartCenter server to NGX, existing VPN connections will be dropped the first time policy is installed if the enforcement modules are not also upgraded to NGX. New connections will succeed as expected. For connections with static source-destination ports (for example, GRE connections), reinitialize them by running cpstop/cpstart on the module.

2. The implied rule resulting from enabling the Accept all encrypted traffic property in a VPN Community conflicts with the scan performed by the Express CI Anti Virus. To resolve this issue, define a rule manually in the security policy to the same effect.

3. When configuring a rule with multiple LDAP AUs, with different groups on each LDAP AU, users belonging to one (or more) of these groups may fail to authenticate.


4. Dynamically Assigned IP address gateways support only Diffie-Hellman key exchange group 2. When other Diffie-Hellman groups are used, the connection will fail.

5. When installing policy, a message is displayed for every certificate of each Network Object that is about to expire in the next two months. The message contains the certificate DN and expiration time.

VPN Communities

6. When managing SmartLSM ROBO Gateways, some of which are VPN-1-enabled, from a standalone machine, the policy fetch operation may not succeed once a VPN has been established between the standalone machine and the ROBO Gateway in question. To overcome this issue, add the CPD service as an excluded service for each of the communities that have SmartLSM ROBO profiles. To do this:

a. Open the community object.

b. In the Advanced Settings tab, choose the Excluded Services tab and add CPD as an excluded service.


Firewall

In This Section

Dynamically Assigned IP Address (DAIP) Modules page 33

Installation, Upgrade and Backward Compatibility page 33

Platform Specific — Windows page 34

Platform Specific — Solaris page 35

Platform Specific — Linux page 35

SmartConsole Applications page 35

Load Sharing page 35

Authentication page 36

Security Servers page 36

Security page 36

Services page 37

Stateful Inspection page 37

IPv6 page 37

ISP Redundancy page 37

Logging page 38

Management page 38

Policy Installation page 38

SAM page 38

Miscellaneous page 38

VoIP page 39

SecureClient page 40

Dynamically Assigned IP Address (DAIP) Modules

1. The fw tab <remote DAIP Module> command on a SmartCenter server is not supported.

Installation, Upgrade and Backward Compatibility

2. In modules that pre-date version NG with Application Intelligence R55W, the Web Intelligence defenses HTTP Format Sizes, ASCII Only Request and General HTTP Worm Catcher support only the protection scope "apply to all HTTP connections"; therefore, if one of these defenses is configured with the protection scope "apply to selected web servers" and is installed on an older module, the protection scope "apply to all HTTP connections" is applied on that module.


3. When making Inspect changes to the file user.def, do so to the copy of the file in the directory $FWDIR/conf (and not the version in the directory $FWDIR/lib, as was the practice in previous versions). This is because user.def is copied from the /conf directory to the /lib directory during policy installation.

Also, filenames are now adjusted to the different compatibility packages, so be sure to modify the appropriate file only:

• user.def.NGX_R60 - contains user code for NGX modules (this will overwrite the file $FWDIR/lib/user.def during policy install)

• user.def.R55WCMP - contains user code for R55W modules (this will overwrite the file user.def in the R55W compatibility package directory)

• user.def.MGCMP - contains user code for NG modules, R55 and below.

• user.def.EdgeCmp - contains user code for VPN-1 Edge modules.

4. When restoring settings using the Nokia IPSO backup utility, run the CPconfig tool after installing the CPsuite package and before the restore process starts.

5. After installing the firewall on a machine with functional PPPoE (ADSL) connectivity, PPPoE no longer works.

6. The name of the installation directory of VPN-1 may not end with a space.

7. On Linux systems and SecurePlatform, verify that there is at least 115 MB of free disk space in the "/" partition before upgrade.

8. After upgrading an R55 or older Enforcement Module, previously defined SAM rules need to be defined again.

Platform Specific — Windows

9. The following message may be displayed when installing a policy: The NDISWANIP interface is not protected by the anti-spoofing feature. This message can be safely ignored.

10. If an Intel NMS service is running during the VPN-1 Pro installation, it may crash. This is a known pre-NMS version 2.0.56.0, Intel NMS service issue, where crashes occur whenever an NDIS IM driver is installed. Since NMS version 2.0.56.0 was part of PC6.0, releases from and including PC6.0 do not have this issue.

11. The Network Load Balancing (NLB) driver is not supported with VPN-1.

12. VLAN tagging is not supported on Windows platforms.


Platform Specific — Solaris

13. On Solaris platforms with a qlc driver and the kernel memory allocator debugging functionality enabled, the system may experience instability. In this case, install Solaris patch 113042-10 or higher.

14. The AGE driver panics when it fails to allocate memory. This occurs on an age NIC when system resources are low and the driver cannot allocate memory for the packet.

Platform Specific — Linux

15. The FTP Security Server does not support Kerberos when the RHEL FTP client is trying to negotiate a Kerberos session. To avoid this issue, use the flag -u with the FTP client.

16. When working with VPN-1 on Red Hat Enterprise Linux 3.0, make sure to update E1000 drivers to the latest drivers available from Intel.

SmartConsole Applications

17. When a client connects with SmartDashboard to SmartCenter and performs a SmartDefense online update, a second client connecting with SmartDashboard to the same SmartCenter will see the new protections but not the new HTML descriptions. The situation is resolved by the second client logging out and logging in again.

A similar behavior may occur regarding the Silent Post-install Update. If new protections were added in that package, the second client that logs in will not see the respective new HTML descriptions. The workaround is the same (the client should log out and log in again).

18. A Multicast Address Range object cannot be used as a source or destination in the Rule Base. You can, however, define and use in its place a corresponding Address Range object.

Load Sharing

19. When employing SecurID for authentication, it is recommended to define each cluster member separately on the ACE/Server with its own unique (internal) IP address. In addition, to send packets to the ACE/Server with their unique IP addresses and not the VIP address, edit the file table.def, located in $FWDIR/lib. Change the line starting with no_hide_services_ports to, for example, no_hide_services_ports = {<5500, 17>}, where 5500 is the service port and 17 (UDP) is the protocol.


Authentication

20. Client Authentication will fail if the VPN-1 Pro machine name is configured with a wrong IP address in the hosts file.

21. Clientless VPN with the Action Client Auth is not supported if the web server object is in the destination cell. The workaround is to add the gateway to the destination cell.

22. When using SmartDirectory server for internal password authentication, if the account lockout feature is disabled the Firewall will not attempt to modify the user's login failed count and last login failed attributes on the SmartDirectory server. This improves overall performance and eliminates unnecessary SmartDirectory modify errors when using SmartDirectory servers that do not have these attributes defined because they did not apply the Check Point SmartDirectory schema extension on the SmartDirectory server.

23. Issues may arise when using automatic or partially automatic client authentication for HTTP on Load Sharing clusters (both ClusterXL and OPSEC clusters). A workaround is to define a decision function based only on IP addresses in order for connections to open. For ClusterXL, go to the ClusterXL tab > Load Sharing > Advanced, and select IPs only. For OPSEC clusters, refer to the product documentation for more information.

24. Definition of nested RADIUS Server groups is not supported.

Security Servers

25. When a field in a URI specification file is too long, the Security Server exits when trying to load the file. Under load, the Firewall daemon (FWD) reloads the Security Server, which then exits again. After a certain time, cores are dumped.

26. Client authentication with agent automatic sign on is supported with all rules, with two exceptions:

• Rules that use an HTTP resource.

• Rules where the destination is a web server.

27. When using SOAP filtering in the HTTP Security Server, the SOAP scheme file supports all forms of namespaces and methods, however, the feature is not supported if a method has no namespace at all.

Security

28. When using a URI resource to allow or restrict access to specific paths (by filling the path field), it is recommended to use the regular expression [/\] instead of /; this expression provides protection against Windows style paths.

For example: instead of defining a path: /home/mydir/, define it as [/\]home[/\]mydir[/\].
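As an added example (this Python is not part of the Check Point document), the following compares the two forms of the path rule from this item against constructed sample request paths, and generalizes the rewrite to any slash-delimited path. The regex dialect is Python's, where the backslash inside a character class must itself be escaped, so `[/\\]` here is the same two-character class as the page's `[/\]`.

```python
import re

# Added example (not from the Check Point document): compare a path rule
# written with plain "/" separators against the [/\] form the document
# recommends, using constructed sample request paths. Python's regex
# dialect needs the backslash inside the character class escaped, so the
# class is written [/\\] here; it matches the same two characters as [/\].


def to_either_separator(path: str) -> str:
    """Rewrite a slash-delimited path into the separator-agnostic form.

    Every "/" in the path becomes the character class [/\\], and each
    path component is regex-escaped so that it matches literally.
    """
    parts = path.split("/")
    return r"[/\\]".join(re.escape(p) for p in parts)


# The page's example path, in both forms.
SLASH_ONLY = re.compile(r"/home/mydir/")
EITHER_SEP = re.compile(to_either_separator("/home/mydir/"))


def path_matches(pattern, uri_path: str) -> bool:
    """True if the rule pattern matches anywhere in the request path."""
    return pattern.search(uri_path) is not None


# Constructed sample request paths: POSIX separators, Windows-style
# backslashes, and a mix of the two.
SAMPLE_PATHS = [
    "/home/mydir/secret.txt",
    "\\home\\mydir\\secret.txt",
    "/home\\mydir/secret.txt",
]


def compare(paths):
    """Map each path to (matched by slash-only rule, matched by [/\\] rule)."""
    return {p: (path_matches(SLASH_ONLY, p), path_matches(EITHER_SEP, p))
            for p in paths}


def missed_by_slash_only(paths):
    """Paths the [/\\] rule covers but a plain "/" rule would not."""
    return [p for p, (slash, either) in compare(paths).items()
            if either and not slash]


if __name__ == "__main__":
    for p, (slash, either) in compare(SAMPLE_PATHS).items():
        print(f"{p!r:32} slash-only={slash!s:5} either-sep={either}")
```

Only the first sample path is matched by the plain `/home/mydir/` rule; the `[/\]` form matches all three, which is why the document recommends it for both allow and restrict rules.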

Services

29. A service using the FTP_BASIC protocol type cannot be used with the FTP Security Server.

30. When using T.120 connections, make sure to manually add a rule that allows T.120 connections.

Stateful Inspection

31. Changing the "match for any" option of the MSNP service to "false" causes connectivity problems after an upgrade in the following scenario: a service X other than the Microsoft Messenger protocol was running on port 1863, and no special rule was defined for this service (for example, the service was permitted by a rule with "Any" in the Service column). To solve this, define a special rule permitting the service, with X in the Service column.

IPv6

32. In IPv6 logs, IPv6 address resolving is not supported in SmartView Tracker.

33. Due to the fact that IPv6 is not supported for security servers, enabling Configuration apply to all connections under SmartDefense's FTP Security Server settings causes FTP (as well as HTTP and SMTP) connections over IPv6 to be rejected, and no log is generated.

34. The command fw6 unload localhost unloads both IPv6 and IPv4 policies, although it should unload only the IPv6 policy.

35. The RSH protocol is not supported for IPv6.

ISP Redundancy

36. If a network cable is unplugged from a network card using 3c59x (3COM), Starfire, or Tulip drivers, the link's status mistakenly indicates that the next hop is not responding, instead of reporting a network cable unplugged. This affects the messages produced by the product when the ISP redundancy feature is used. For instance, instead of indicating that the link is down, the message will indicate that the next hop is not responding.

37. ISP redundancy is not supported in a ClusterXL Different subnets configuration. This means the IP address of the cluster must be on the same subnet as the cluster members' real IP addresses.


38. In a ClusterXL configuration, the names of the external interfaces of all cluster members must be identical and must correspond in turn to the names of the external interfaces of the cluster object. For example, if the cluster object has two external interfaces called eth0 and eth1 which are connected to ISP-1 and ISP-2, respectively; each cluster member must have two external interfaces called eth0 and eth1 which should be connected to ISP-1 and ISP-2 respectively.

Logging

39. The elapsed time field (in logs and active connections) displays the number of seconds followed by the symbol ':' and two digits. These two digits can be safely ignored.

Management

40. Defining network objects with names identical to a service is not supported.

Policy Installation

41. Check Point uses the notation starting with "SA_" for internal purposes. Defining objects with names starting with this string is not supported.

42. When installing policy on a cluster with a Layer 2 bridge defined, the installation may fail with the following error: Load on Module failed. To resolve this issue, do the following:

1. Set the environment variable FW_MANAGE_BRIDGE to 1 on the SmartCenter server. This is done by updating the files $CPDIR/tmp/.CPprofile.csh and $CPDIR/tmp/.CPprofile.sh so that they set the environment variable FW_MANAGE_BRIDGE to 1.

2. Install policy.

43. To install policy on NG enforcement modules via the command line, run the command fwm load from any directory other than $FWDIR/conf.

44. Policy installation may fail when there are 70 or more dynamic objects.

SAM

45. A Suspicious Activity Monitor (SAM) rule will fail for a remote Gateway if the SmartCenter server is also a VPN-1 Pro enforcement module and no policy has been installed on it since adding the remote Gateway.

Miscellaneous

46. The TCP Sequence Verifier is not supported with clusters using asymmetric routing.


47. The Accept VPN-1 & FireWall-1 control connections Implied Rules setting is applicable to a SmartCenter server object in specific cases only:

• to the primary IP defined for this object and

• only if there are interfaces defined in its Topology tab.

This may create connectivity problems when trying to install policies (or other operations included in the control connections). The workaround is to define explicit rules that allow connectivity to the SmartCenter object.

48. The following features may cause connectivity issues on VPN-1 Pro gateways running ClusterXL in bridge mode:

a. Features that use Security Servers

b. The following Web Intelligence protections:

• Header spoofing

• Directory listing

• Error concealment

• ASCII only response

• Send error page

c. SmartDefense protections for the following VoIP protocols:

• H.323

• SIP

• SCCP (Skinny)

49. A large database on a gateway may result in high CPU usage by the services VPND and DTPSD. To resolve this issue, use the cpprod utility to set a value for the setting SIC_SERVER_DEFAULT_TIMEOUT.

VoIP

50. MSN Messenger version 5 is not supported. Additionally, there are a few known issues regarding MSN Messenger when employing Hide NAT:

• When running SIP and the data connection tries to open MSN Messenger connections on hidden networks, the connection fails.

• While audio and video each work separately, they cannot be run concurrently.

51. When using the SIP protocol and a security rule uses the Action reject to block high_udp_ports (RTP ports - data connection), the incoming audio is rejected as well. A workaround is to use the Action drop in place of reject.


52. When an H.323 IP phone that is not part of a handover domain tries to establish a call, the call attempt is blocked and the following message appears on the console: FW-1: fw_conn_inspect: fwconn_chain_lookup failed. If you want to allow this phone to make calls, add it to the handover domain, and the error message will no longer appear. Note that this console message may appear in other (non-VoIP) scenarios as well.

53. In some cases, when a user closes an MSN Messenger application (such as Whiteboard), the application will not close automatically on the remote end. The remote user will need to close the application manually.

54. When using the service SIP with Hide NAT enabled on internal IP phones, do not enable the SmartDefense flag "Block SIP calls that use two different voice connections (RTP) for incoming audio and outgoing audio". If the flag is enabled, the firewall may begin to drop RTP/RTCP packets. The flag is located in SmartDefense > VoIP > SIP.

55. When the SIP proxy is in the DMZ, whiteboard and application sharing will not open between external and internal messengers.

56. In previous versions a VoIP signalling connection could not have a different encryption policy than a VoIP data connection. As of NGX the VoIP signalling connection can have a different encryption policy than the VoIP data connection.

SecureClient

57. Policy installation fails if a combination of different user groups and network objects is used in the same cell. For example, if the following appears in a source or destination cell, the policy will not install:

usergroup1@netobj1 & usergroup2@netobj2

If the user groups match or the network objects match, the installation will succeed. The following examples will allow the policy to install successfully:

usergroup1@netobj1 & usergroup2@netobj1

usergroup1@netobj1 & usergroup1@netobj2

58. The following Web Intelligence features require connections to be sticky:

• Header spoofing

• Directory listing

• Error concealment

• ASCII only response

• Send error page


A sticky connection is one where all of its packets, in either direction, are handled by a single cluster member. If you enable one of the features listed above, make sure that your clustering solution supports sticky connections. Sticky connections can be guaranteed for Web connections in the following configurations:

• ClusterXL High Availability

• ClusterXL Load Sharing with Sticky Decision Function enabled

• ClusterXL Load Sharing with no VPN peers, no static NAT* rules and no SIP

• Nokia VRRP Cluster

• Nokia IP Clustering configuration with no VPN peers, static NAT* rules or SIP

• For other OPSEC certified clustering products - please refer to the OPSEC-certified product's documentation.

* including ConnectControl Logical Servers

59. The following VoIP Application Intelligence (AI) features require connections to be sticky:

• H.323

• SIP

• Skinny

A sticky connection is one where all of its packets, in either direction, are handled by a single cluster member. If you enable one of the features listed above, make sure that your clustering solution supports sticky connections. Sticky connections can be guaranteed for VoIP connections in the following configurations:

• ClusterXL High Availability

• ClusterXL Load Sharing with no VPN peers or static NAT* rules

• Nokia VRRP Cluster

• Nokia IP Clustering configuration with no VPN peers or static NAT* rules

• For other OPSEC certified clustering products - please refer to the OPSEC-certified product's documentation.

* including ConnectControl Logical Servers


VSX

1. To upgrade VSX 2.0.1 objects (on a Provider-1 system) to VSX NG with Application Intelligence, you must use GuiDBEdit to change the value of the property vsxver to 210 on all the Virtual Devices network objects. To update the version on all Virtual Systems/Routers across all CMAs, this should be done after upgrading the VSX 2.0.1 modules.

2. Make sure the time and date configurations on all modules are synchronized before establishing trust between the VSX modules and the SmartCenter server.

3. The names of network objects created in SmartDashboard:

1. Can contain numbers but not begin with them

2. Can contain the letters from a-z, upper or lower case

3. Cannot use the hyphen (-) character

4. All the interfaces on the VSX gateway that are configured with an IP address are considered as VSX interfaces when defining the VSX gateway object in SmartCenter server. To use such interfaces for other Virtual Devices, remove the desired interfaces from the VSX gateway's topology.

5. Deleting the VSX object from SmartDashboard removes the VSX object and its related Virtual Systems from the SmartCenter management only. The Virtual Systems are not deleted from the VSX gateway/cluster.

6. VLAN tag 4094 cannot be used.

7. The name of a Virtual Device should not exceed 64 characters. In cluster scenarios, the Member Virtual Device name is a composite of the Member name and the Cluster Virtual Device name. This could result in a Virtual Device name which contains more than 64 characters.

8. When defining NAT routes on the Topology tab of the Virtual System, insert two IP addresses, the first and last address of the IP range used for NATing. In addition, large ranges can result in a slow response from the SmartCenter server.

9. If the management has more than one interface, and the main IP address of the management is an interface address which is not reachable from the VSX gateway, trust cannot be established with the newly created Virtual System.

10. Make sure that the IP address of the management object is set before running vsx_util or creating any Virtual Devices.

11. A SmartCenter server managing a VSX Gateway/Cluster cannot be assigned a Static NAT address.

12. When working with a non dedicated management interface, it is not possible (using the vsx_util command) to add new members to an existing VSX cluster.


13. To avoid warning messages during policy installation, interfaces defined on a Virtual System/Router should be associated with a route.

14. A failure in applying a change to the configuration of a Virtual Device to one or more of its VSX cluster members may result in a non-identical configuration. This issue should be handled in the following manner:

1. Try to resolve the reported problem and then reapply the change.

2. If you cannot resolve the problem and need to cancel the operation, verify that the configuration on all cluster members is identical.

15. When creating, deleting or updating a Virtual Device, the database of the CMA containing the VSX gateway will be locked during that time. If a user tries to connect to the CMA via SmartDashboard, a message will report that the database is locked. Selecting Disconnect does not unlock the database. Connection to the CMA may be resumed when the operation finishes.

16. In a deployment that contains configured Virtual Systems, when enabling Web Server for a host object, set the Protected by field on the Web Server tab to specific targets that do not include Virtual Systems.

17. Editing the name of the VSX management interface is not supported.

18. When activating Web Intelligence for a VSX gateway, the General HTTP Worm Catcher protection (if turned on) applies to all HTTP traffic, regardless of the scope.

19. In VSX, the Phase 1 proposal for SecureClient is hardcoded. Consequently, changing the Phase 1 encryption method is not reflected in the client.

20. If the VSX Wizard fails, and changes need to be made to the defined configuration, avoid re-fetching the configuration from the modules. This means that if moving back to the SIC establishment dialog and then clicking Next, reply NO to the question regarding re-fetching the configuration from the VSX gateway(s).

21. When using the vsx_util reconfigure command line utility to reconfigure a VSX gateway, the SIC status of the network object does not change to Communicating. While this will result in warnings regarding trust establishment on Virtual System/Virtual Router on that member, these messages can be safely ignored.

22. Do not delete a Virtual System object from a Provider-1/SiteManager-1 CMA while SmartDashboard is connected to the CMA on which the VSX object that hosts the Virtual System resides.

23. The Install Database operation is not supported on Virtual Systems.

24. All the interfaces of a Virtual System in Bridge mode must have the same VLAN ID.

25. The number of interfaces that can be assigned to a Virtual System is limited to 64.

26. Propagating routes from Virtual Routers to Virtual System is not supported.


27. Deleting a VSX cluster/gateway is not supported when one of the virtual systems has Global Use enabled. To delete a VSX cluster/gateway, first make sure to disable global use on the virtual system.

VSX NG AI Management Issues

28. When creating an NG AI Virtual Device, the main IP address of the Virtual Device should be routable from the SmartCenter server.

29. When working with VSX NG AI clusters/gateways, changing the IP address of an interface leading to a virtual router will cause all manually defined routes to this virtual router to be deleted from the virtual system. To resolve this issue, re-enter the routes manually.

30. When creating a VSX NG AI Virtual Device and assigning a unique IP address that is already in use, the operation will fail. To resolve the issue, cancel the operation and create the Virtual Device again with an unused unique IP address.

31. After upgrading to NGX R61 and pushing configuration from the newly upgraded management, the routes to the internal network will be deleted from the Virtual System routing table. To resolve this issue, reboot the VSX NG AI gateways and the routes will appear again.

Platform Specific — Nokia

32. On Nokia platforms running VSX NG AI, the encryption method AES128/MD5 is not supported for VPN.

33. On Nokia platforms running VSX NG AI in a cluster configuration, an issue may arise when making a change to a VLAN interface on a Virtual Device. If the operation should fail at some point, the change may be applied to some cluster members and not others.

34. On a VSX NG AI Release 2.2 (Nokia) cluster/gateway, SecureClient connections are dropped during policy installation.

35. Prior to deleting a VSX NG AI Release 2 Virtual Device running on a Nokia platform, make sure it does not belong to a VPN Community. Such a device must be removed from the VPN Community before deletion.

36. When creating an NG AI VSX cluster on IPSO, delete from the physical interfaces list any interfaces which are not VRRP enabled. Remove these “unused” interfaces when using the VSX Wizard or immediately afterwards.


SmartUpdate

In This Section

Installation, Backward Compatibility, and Upgrade page 45

Miscellaneous page 46

Platform Specific — Nokia page 46

Platform Specific — SecurePlatform page 47

Policy Installation page 47

GUI page 47

Licensing page 47

Installation, Backward Compatibility, and Upgrade

1. When a gateway has been upgraded and then rolled back to the previously installed version, SmartUpdate will not be able to report its status. This occurs because the gateway restarts with the initial policy, instead of the last installed policy. The workaround is to re-install the old policy via SmartDashboard.

2. The command line executable for upgrading remote gateways, cprinstall, does not currently support the upgrade all option. Instead, run cprinstall install to upgrade individual packages, or use the SmartUpdate GUI.

3. After using SmartUpdate to install a firmware package on a VPN-1 Edge gateway, renaming the gateway in SmartDashboard may fail and result in the following message: Internal Error [12] while handling object edge1. Failed to update references of object edge1. Please contact technical support. If this should occur, you can safely ignore this message and perform the rename operation again. To avoid this message, leave SmartDashboard open during firmware installation.

4. After upgrading a pre-NGX SmartCenter to NGX R61, software packages (except for VPN-1 Edge firmware packages) that were displayed in the Package Repository of SmartUpdate do not appear. The packages are in the directory $SUROOT, and can be re-added to the Package Repository using the SmartUpdate command Add From File.

5. After upgrading a SecurePlatform gateway from NGX (R60) to NGX (R60A), SmartUpdate erroneously reports that the upgrade has failed. This message can be safely ignored.

6. After a SmartCenter server has been upgraded or copied via the Advanced Upgrade feature, previously defined VPN-1 Edge devices will not be able to connect to the SmartCenter server, and the Connection Wizard will generate object non-registered messages. To resolve this issue, use SmartUpdate to re-install a specific firmware package.


7. SmartUpdate can be used to upgrade a Log Server, but it cannot be used to downgrade a Log Server. Downgrading a Log Server should only be done locally.

8. SmartPortal NGX (R60) cannot be upgraded to NGX R61 via SmartUpdate. A workaround is to install SmartPortal NGX R61 directly (locally) to the NGX R60 machine.

9. When using SmartUpdate to upgrade Eventia Reporter Server from NGX (R60), the message Execution error may appear at the end of the upgrade process. This message may be safely ignored. To confirm that the upgrade was successful, in SmartUpdate select the Reporter Server and run the operation Get Gateway Data.

10. Eventia Analyzer cannot be upgraded to version NGX 2.0 via SmartUpdate; however, SmartUpdate does support Eventia Analyzer license operations.

Miscellaneous

11. When running Fetch CPInfo on a non-Windows Management server, while trying to fetch CPInfo for the Management itself, in certain cases the command may halt unexpectedly. In this case, rerun the command, or run CPInfo locally.

12. When upgrading to any NGX version from any pre-NGX version (e.g., R55), the SmartUpdate Package Repository is not upgraded. After the upgrade, the SmartUpdate Package Repository will therefore be empty.

13. In SmartDashboard, the version number of an NGX (R60A) gateway may be changed to NGX (R60) when performing an operation via SmartUpdate. There are two workarounds to this issue:

• Always have SmartDashboard open when performing SmartUpdate operations on an NGX (R60A) gateway.

• If the version number has changed, open SmartDashboard and manually change the gateway's version to NGX (R60A).

14. If, while pushing new firmware to a VPN-1 Edge device, the Secondary SmartCenter has just failed over, the firmware may not be successfully installed. To resolve this issue, synchronize the Edge device with the Secondary SmartCenter and run the Push Now operation again.

Platform Specific — Nokia

15. Upgrade All and separate transfer and install are not supported on flash-based Nokia. To resolve this issue, explicitly install Nokia IPSO and thereafter install the Check Point products one by one. Alternatively, use Nokia Voyager to install the wrapper and manage the installation packages.


16. When trying to install or verify an NG_AI R55P HFA package via SmartUpdate, the following error message may be displayed: Package <package name> has wrong format. In this case, you should install your package locally on a module.

17. When upgrading Nokia flash-based machines via SmartUpdate, the following error message is displayed at the end of the upgrade process: Execution error. CPRID session timed out. It is highly probable that your module was successfully upgraded, and that this message can be safely ignored. To ensure that this is the case, run the operation Get Gateway Data for this gateway and see in SmartUpdate that the module was indeed upgraded.

Platform Specific — SecurePlatform

18. When using the SmartUpdate option Upgrade All, make sure that a VPN-1 Pro/Express Linux package is not in the Package Repository of any gateway running on SecurePlatform.

Policy Installation

19. When upgrading from R55W on a SecurePlatform machine, SmartUpdate will not reestablish a connection with the gateway after reboot. This is caused by the gateway failing to fetch a new policy and starting with an initial policy. To resolve this issue, go to the gateway and fetch the policy manually, or install policy from the SmartDashboard.

GUI

20. The feature Add Package From Download Center is not supported if the machine running SmartUpdate accesses the Download Center through a proxy server.

Licensing

21. If a local license is detached from the license repository and then reattached without first closing SmartUpdate, the license appears in the repository as unattached. In such a scenario, either attach the license manually, or close and restart SmartUpdate before reattaching the license.

SmartPortal

1. When a filter is applied in the Traffic or Audit log pages, logs may not display in sequential order, and using the scroll bar arrow to navigate through the logs does not appear to work. To scroll, click and drag the scroll bar or use the buttons Bottom and Top.


SecureXL

Platform Specific — Solaris

2. On Solaris platforms, Performance Pack does not support the following types of interfaces:

• VLAN and virtual interfaces

• bge, dmfe and skge interfaces

ClusterXL

In This Section

Upgrade, Backout, and Backward Compatibility page 48

General page 49

Configuration page 49

VPN-1 Clusters page 50

High Availability page 51

Load Sharing page 52

Authentication page 53

State Synchronization page 53

SmartConsole page 54

Security Servers page 54

Platform Specific — Nokia page 54

Platform Specific — Solaris page 55

Platform Specific — Windows page 56

Services page 56

ISP Redundancy page 57

Policy Installation page 57

Unsupported Features page 57

ConnectControl page 59

Upgrade, Backout, and Backward Compatibility

1. Full Connectivity Upgrade (FCU) to NGX R61 from versions prior to NGX (R60) is not supported. A workaround is to perform the Zero Downtime upgrade, which may result in some connections being disconnected.


General

2. State synchronization during policy installation may in certain cases cause a cluster member to initiate a failover. To prevent this situation, modify the enforcement module global parameter fwha_freeze_state_machine_timeout. This parameter sets the number of seconds during policy installation in which no state synchronization will be performed. Set this parameter to the shortest period which eliminates the issue; the recommended value is 30 seconds.

3. Performing SNMP queries on the cluster’s IP address and on the members’ IP addresses concurrently is not supported. The SNMP query can only be run on one or the other at a time. Alternatively, you can wait for the UDP virtual session timeout between the SNMP queries on the different IP addresses. This timeout has a 40 second default, and can be defined in Global Properties > Stateful Inspection.

4. The Get Topology operation supports up to 256 interfaces. To define more than 256 interfaces, you will need to do so manually.

Configuration

5. In the Rule Base, when adding a cluster object to the source or destination column in a rule, this rule will only apply to the cluster addresses. If the rule needs to be applied to the cluster member addresses, add their objects to the rule as well.

6. The following error messages may appear on the console when enabling or disabling ClusterXL or state synchronization using the command cpconfig.

FW-1: fwkdebug_register: module cluster already registered

FW-1: fwha_kdebug_register: fwkdebug_register failed

These messages may be safely ignored.

7. To use manual client authentication through HTTP in a cluster environment, set the database property hclient_enable_new_interface to true. This forces the HTTP client authentication daemon to ask for both the user name and password in the same HTML page. When the IP addresses of the cluster members are not routable, the URLs returned in the HTML from the replying cluster member contain the non-routable IP address of the member instead of the IP address of the cluster, and subsequent operations fail. The workaround in this case is to configure the cluster to use a domain name, using the ahttpclientd_redirected_url global property. Make sure that your DNS servers resolve this domain name to the cluster's IP address.

8. Use the commands cpstop and cpstart instead of cprestart on cluster configurations. The command cprestart is not supported on cluster members.


9. A cluster IP interface or a synchronization network interface cannot be defined as a non-monitored (i.e., disconnected) interface.

10. Performance Pack is not supported when using ClusterXL Load Sharing with Sticky Decision Function (SDF). When SDF is enabled, acceleration is automatically turned off. To re-enable acceleration, first make sure acceleration is enabled by running the cpconfig configuration tool. Then disable SDF (in SmartDashboard, edit the Gateway Cluster object, select the ClusterXL page, and click Advanced), and install the new Security Policy twice.

11. When defining VLAN tags on an interface, cluster IP addresses can be defined only on the VLAN interfaces (the tagged interfaces). Defining a cluster IP address on a physical interface that has VLANs is not supported. The physical interface should be defined with the Network Objective Monitored Private on ClusterXL clusters and as Private on third-party clusters.

12. When setting an interface whose current Network Objective is Sync to Non-Monitored Private, and setting another interface's Network Objective to Sync and installing policy, the status of the cluster members will change to Active Attention and Down. To avoid this issue, make this configuration change in two phases.

1. Set the interface with the Network Objective of Sync to Monitored Private (instead of Non-Monitored), and the other interface’s Network Objective to Sync and install policy.

2. Reconfigure the Monitored Private interface to Non-Monitored and install policy again.

13. When defining a Sync interface on a VLAN interface, it can only be defined on the lowest VLAN tag on a physical interface.

14. Defining the lowest VLAN tag on a physical interface as disconnected (Non-Monitored Private) is not supported.

15. Defining a Sync interface on a VLAN interface is not supported on Nokia clusters and on other 3rd party clusters.

VPN-1 Clusters

16. When defining Office Mode IP pools, make sure each cluster member has a distinct pool.

17. Before adding an existing gateway to a cluster, remove it from all VPN communities in which it participates.

18. When detaching a cluster member from a VPN cluster, manually remove the VPN domain once the member has been detached.


19. Peer or secure remote Gateways may show error messages when working against an overloaded Gateway cluster in Load Sharing mode. This is due to IPsec packets with an old replay counter. These error messages can be safely ignored.

20. Using Sticky Decision Function with VPN features will guarantee connection stickiness for connections that pass through the cluster only, and not to connections originating from a cluster member or to it.

21. When a Check Point VPN-1 NGX peer is connected directly to a Check Point cluster (i.e., the peer and the cluster are located on the same VLAN and there is no Layer 3 (IP) routing device between them), the following features are not supported:

• ISP Redundancy

• VPN link selection - Reply from same interface

This issue can be resolved either by placing a router between the VPN peer and the cluster, or by disabling these features. (Neither feature is enabled by default.)

• To disable ISP redundancy, in SmartDashboard edit the gateway object > Topology > ISP Redundancy, and remove the check mark from Support ISP Redundancy.

• To disable VPN link selection - Reply from the same interface, in SmartDashboard edit the gateway object > VPN > Link Selection > Outgoing Route Selection, and do the following:

A. Under When initiating a tunnel, enable Operating system routing table,

B. and under When responding to remotely initiated tunnel, select Setup, and enable Use outgoing traffic configuration.

22. When configuring a VTI cluster interface, it should be assigned a name identical to the name of the member interface.

High Availability

23. In legacy High Availability mode for ClusterXL, MAC address synchronization is not supported for VLAN tagged interfaces. Use new High Availability mode, or manually configure the MAC addresses of the interfaces using the ifconfig CLI or WebUI.

24. Issuing a Stop Member command in SmartView Monitor performs the cphastop command on this member. Among other things, this disables the State Synchronization mechanism. Any connections opened while the member is stopped will not survive a failover event, even if the member is restarted using cphastart. However, connections opened after the member is restarted are synchronized as normal.


Load Sharing

25. Under load, tcp packet out of state error messages may appear. For each case there is a specific way to resolve it. Refer to the “Firewall and SmartDefense” guide for a full explanation and security implications.

• message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-ACK
  message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-PUSH-ACK

In SmartDashboard > Global Properties > Stateful Inspection, enlarge tcp end timeout. The recommended value is 60 seconds. If there are many connections consider enlarging the connection table size in the same ratio as the tcp end timeout.

• message_info: SYN packet for established connection

run the command: fw ctl set int fw_trust_rst_on_port <port>

When a single port is not enough, you can set the port number to -1, meaning that you trust a reset from every port.

• For other out of state messages:

run the command: fw ctl set int fwconn_merge_all_syncs 1. This allows a more reliable way of merging TCP states across asymmetric connections.
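The three message classes of item 25 and the remedy the supplement attaches to each, as an added shell example that is not part of this supplement and not a Check Point tool: it classifies a handful of constructed log lines (not captured from a real gateway) and reports which of the item's remedies applies to each class. The class names and the helper functions are the example's own.

```shell
#!/bin/sh
# Added example: classify "out of state" messages from a Load Sharing cluster
# and map each class to the remedy given in item 25. Not a Check Point tool.

# Constructed sample log lines (not captured from a real gateway).
SAMPLE_LOG=$(cat <<'EOF'
message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-ACK
message_info: SYN packet for established connection
message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-PUSH-ACK
message_info: TCP packet out of state - first packet isn't SYN tcp_flags: RST-ACK
message_info: unrelated message kept to show it is left alone
EOF
)

# classify_oos LINE -> one of: tcp_end_timeout, trust_rst, merge_syncs, none
# Order matters: the two FIN cases must match before the generic "out of state" case.
classify_oos() {
    case "$1" in
        *"TCP packet out of state - first packet isn't SYN tcp_flags: FIN-ACK"*|\
        *"TCP packet out of state - first packet isn't SYN tcp_flags: FIN-PUSH-ACK"*)
            echo tcp_end_timeout ;;
        *"SYN packet for established connection"*)
            echo trust_rst ;;
        *"out of state"*)
            echo merge_syncs ;;
        *)
            echo none ;;
    esac
}

# remedy CLASS -> the action item 25 recommends for that class of message
remedy() {
    case "$1" in
        tcp_end_timeout)
            echo "Global Properties > Stateful Inspection: raise tcp end timeout (recommended 60 s); scale the connections table in the same ratio" ;;
        trust_rst)
            echo "fw ctl set int fw_trust_rst_on_port <port>   (-1 trusts a reset from every port)" ;;
        merge_syncs)
            echo "fw ctl set int fwconn_merge_all_syncs 1" ;;
        *)
            echo "not an out-of-state message; item 25 does not apply" ;;
    esac
}

# summarize_log: log text on stdin -> lines of "CLASS COUNT", one per class seen
summarize_log() {
    while IFS= read -r line; do
        classify_oos "$line"
    done | sort | uniq -c | awk '{ print $2, $1 }'
}

# Stand-alone run: show the count per class and the matching remedy
printf '%s\n' "$SAMPLE_LOG" | summarize_log | while read -r klass n; do
    printf '%-16s x%s  -> %s\n' "$klass" "$n" "$(remedy "$klass")"
done
```

Feed it real lines with `fw log` or a syslog extract on stdin in place of SAMPLE_LOG; the summary tells you whether the dominant class is the FIN/timeout case (a Global Properties change) or one of the two kernel-parameter cases before anything is changed on the members.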

26. When employing SecurID for authentication, it is recommended to define each cluster member with its own unique (internal) IP address separately on the ACE/Server. In addition, to send packets to the ACE/Server with their unique IP addresses and not the VIP address, edit the file table.def, located in $FWDIR/lib. Change the line starting with no_hide_services_ports to, for example, no_hide_services_ports = {<5500, 17>}, where 5500 is the service port and 17 (UDP) is the protocol.
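An added shell example, not Check Point's code, that makes the table.def edit of item 26 with a script rather than by hand. It assumes the line has the form shown in the item (a brace-delimited set of <port, protocol> tuples, optionally followed by a terminator such as ";"), keeps a .bak copy, and merges the new tuple into the existing set instead of replacing the whole line, so entries already on the line are preserved; that merge goes beyond the item, which simply rewrites the line. The sample file content is constructed and is not the real file's default.

```shell
#!/bin/sh
# Added example (not Check Point code): add a <port, protocol> tuple to the
# no_hide_services_ports line of table.def so cluster members send those packets
# from their own IP address, as item 26 describes for SecurID (5500/17).

# get_no_hide_line FILE -> prints the no_hide_services_ports line
get_no_hide_line() {
    grep '^no_hide_services_ports' "$1"
}

# add_no_hide_port FILE PORT PROTO
# Merges "<PORT, PROTO>" into the existing set, keeping the other entries and
# whatever follows the closing brace (e.g. a ';'). Keeps a FILE.bak copy.
# Returns 2 if the line is absent, 0 if the tuple is already present.
add_no_hide_port() {
    file=$1; port=$2; proto=$3
    tuple="<$port, $proto>"
    grep -q '^no_hide_services_ports' "$file" || return 2
    get_no_hide_line "$file" | grep -q "<$port, *$proto>" && return 0
    cp "$file" "$file.bak"
    awk -v t="$tuple" '
        /^no_hide_services_ports/ {
            i = index($0, "}")                        # split at the closing brace
            head = substr($0, 1, i - 1); tail = substr($0, i)
            sp = (head ~ /[ \t]$/) ? " " : ""         # remember spacing before "}"
            sub(/[ \t]+$/, "", head)
            if (head ~ /[{]$/) { head = head " " t; sp = " " }   # set was empty
            else head = head ", " t
            $0 = head sp tail
        }
        { print }' "$file.bak" > "$file"
}

# Stand-alone run against a constructed table.def in a temporary directory
# (the entries below are sample content, not the real file's defaults).
demo_dir=$(mktemp -d)
printf '%s\n' 'no_hide_services_ports = { <500, 17>, <4500, 17> };' \
              'other_setting = 1;' > "$demo_dir/table.def"
add_no_hide_port "$demo_dir/table.def" 5500 17
echo "before: $(get_no_hide_line "$demo_dir/table.def.bak")"
echo "after:  $(get_no_hide_line "$demo_dir/table.def")"
rm -rf "$demo_dir"
```

On a gateway the call would be add_no_hide_port $FWDIR/lib/table.def 5500 17 on each member, followed by a policy install; the .bak copy is what you diff against if the ACE/Server stops seeing the members' own addresses afterwards.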

27. For the first few seconds of an asymmetric connection, server-to-client packets are not accelerated. An asymmetric connection, such as an FTP data connection through an accelerated ClusterXL cluster, is where the server-to-client side is handled by a different member than the client-to-server side. Asymmetric connections are only opened when using VPN or static NAT. This is a temporary performance degradation that affects only a small percentage of traffic.

28. When installing a new policy that uses Sticky Decision Function (configured in SmartDashboard > Cluster Object > ClusterXL page > Advanced), and the old policy used the regular decision function, some connections may be lost, especially connections to or from the cluster members. New connections are unaffected.

29. After a failover, non-pivot members of a ClusterXL cluster in Unicast mode may report incorrect load distribution information. For the correct load distribution, review the information reported by the pivot member.


30. When using ClusterXL in Load Sharing mode and the Sticky Decision Function is enabled, the failure of a module within 40 seconds of an IKE negotiation may cause a connectivity failure with that peer for up to 40 seconds.

• When the failure involves a PIX gateway, communications may be interrupted for up to 40 seconds.

• When the failure involves an L2TP client, communications may be disconnected, as keepalive packets are blocked during this period.

31. traceroute may fail if it passes through a Load Sharing cluster. To resolve this issue, on the Cluster object, select ClusterXL > Advanced and in the Advanced Load Sharing Configuration window you should either:

• select Use Sticky Decision Function, or

• change the selection for Use sharing method based on: to IPs.

Authentication

32. When performing manual client authentication (using port 900) to a cluster where the IP addresses of the members are not routable, the URLs returned in the HTML from the replying cluster member contain the non-routable IP address of the member instead of the cluster IP address. This fails subsequent operations. The workaround is to configure the cluster to use a domain name instead of an IP address in the client authentication HTML pages, using the ahttpclientd_redirected_url global property. Make sure that your DNS servers resolve this domain name to the IP address of the cluster.

33. Issues may arise when using automatic or partially automatic client authentication for HTTP on Load Sharing clusters (both ClusterXL and OPSEC clusters). A workaround is to define a decision function based only on IP addresses in order for connections to open. For ClusterXL, go to the ClusterXL tab > Load Sharing > Advanced, and select IPs only. For OPSEC clusters, refer to the product documentation for more information.

State Synchronization

34. A cluster member will stay in the down state if it is detached and then reattached to the cluster, as it does not automatically perform a full sync upon reattachment. To force a full sync, run the following commands on the module: fw ctl setsync off and fw ctl setsync start.

35. Upon completion of full synchronization (Full sync), the error message State synchronization is in risk is displayed on the cluster member on which the synchronization is taking place. If this message occurs only once immediately following Full sync, it can be safely ignored. If this message appears erratically, consult the ClusterXL user guide in the section Blocking New Connections Under Load.

SmartConsole

36. When working with a 3rd party Cluster Object with QoS, if you move from the Topology tab to a different tab, the following error message appears: No interface was activated in QoS tab for this host (Inbound or Outbound). Do you want to continue? Select Yes and continue your operation. This error message can be safely ignored.

37. SmartUpdate shows cluster members as distinct Gateways without the common cluster entity. When cluster members are not of the same version, applying Get Check Point Gateway Data on a cluster member will set the member's version on the Cluster object. To set the version of the cluster correctly, apply the Get Check Point Gateway Data command to the cluster member with the latest version.

38. If two or more interfaces on the same cluster member share the same IP address and Net Mask (as might occur when defining bridge interfaces), only one interface will be displayed in the Topology tab in SmartDashboard. To manage interfaces with the same IP address and Net Mask, use the GuiDBedit tool.

39. When using ClusterXL in High Availability Legacy mode, the Network Objective is set automatically to Cluster if all of the members' interfaces on that network have the same IP address and netmask. Changing the Network Objective to a different setting will, in this case, be overridden by the system, and change back to Cluster after clicking OK.

40. When deleting a network via the Topology page (Cluster Object > Properties > Topology > Edit Topology), selecting Name or IP address of one of the interfaces and then clicking Remove results in the following error message: Please select an interface. In order to remove a whole network, remove all the interfaces (members and cluster) and click OK.

Security Servers

41. Security Servers are not supported with Sequence Verifier in Load Sharing cluster environments.

Platform Specific — Nokia

42. Either Nokia VRRP or Nokia IP Clustering configuration must be used when creating a cluster based on an IPSO platform. Using other OPSEC Certified third party clustering products (such as OPSEC Certified external load balancers) to create a cluster based on IPSO platforms has limited support. Contact Check Point Support for configuration instructions and a list of associated limitations.


43. After configuring a gateway cluster on a Nokia platform via the Simple mode (wizard), be sure to complete the cluster interface definition on the Topology page of the cluster object.

44. The feature Connectivity enhancements for multiple interfaces is not supported on Nokia IP clustering in Forwarding mode.

45. NAT rules should not be applied to VRRP traffic. To prevent NAT rules from being applied to VRRP traffic, define the following manual NAT rule and give it higher priority than other NAT rules that relate to Cluster VIPs or to their networks:

Original Packet                                                 Translated Packet                   Install On
Source                       Destination          Service       Source     Destination  Service
Physical IP of VRRP members  VRRP IP: 224.0.0.18  Any           Original   Original     Original    relevant cluster

46. When configuring a Nokia IP Cluster, do not set the primary or secondary interfaces to Network Objective Private. Check Point recommends setting a Nokia IP Cluster’s primary interface to Network Objective Cluster, and its secondary interface to Network Objective Cluster or Sync.

Platform Specific — Solaris

47. When configuring virtual interfaces on Solaris GigaSwift interfaces, the ClusterXL product may not recognize the virtual interfaces in cases where no corresponding physical interface is defined. If the virtual interface is not recognized, it will not run a monitoring mechanism and eventually it will not perform failover. In order to make ClusterXL work properly on such virtual interfaces, the corresponding physical interface must be defined. For example, when a CE device with an instance of 0 is defined on the system, the /etc/hostname.ce0 file must be created and must contain some arbitrary IP address that will be assigned to the physical interface.

48. ClusterXL does not support defining VLANs on Solaris bge interfaces.

49. When configuring VLAN tags, set the IP address on the VLAN physical interface. If the physical (untagged) interface is not used, the IP address can be any IP address. For example, if the physical interface is ce1 and the VLAN interfaces are ce1001 and ce2001, then ce1 must also have an IP address.

50. ClusterXL in Unicast mode (Pivot) is not supported on Solaris when using VLAN tagging.

51. When using a Fujitsu GigEthernet NIC (fjgi and fjge interfaces) with Check Point Load Sharing (CPLS) multicast, packets can be received when the interface is set to promiscuous mode only.
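Items 47 and 49 both come down to one check: every tagged VLAN interface must have its untagged physical parent defined with an IP address. The following is an added shell example (not from the supplement) that derives the parent from the Solaris VLAN interface name, where the instance number is VID*1000 + physical instance (so ce1001 and ce2001 both sit on ce1, matching item 49's example), and reports the parents that are missing; the interface lists and the hostname.* directory it scans are constructed.

```shell
#!/bin/sh
# Added example (not from the supplement): check that every Solaris VLAN
# interface has its physical parent configured, as items 47 and 49 require.
# Solaris names a tagged interface <driver><VID*1000 + instance>, so ce1001 is
# VLAN 1 on ce1 and ce2001 is VLAN 2 on the same ce1 (the item's own example).

# physical_of IFNAME -> the untagged parent (an untagged name maps to itself)
physical_of() {
    drv=$(printf '%s' "$1" | sed 's/[0-9]*$//')
    ppa=$(printf '%s' "$1" | sed 's/^[a-z]*//')
    printf '%s%s\n' "$drv" $((ppa % 1000))
}

# is_vlan IFNAME -> true when the instance number encodes a VLAN ID
is_vlan() {
    ppa=$(printf '%s' "$1" | sed 's/^[a-z]*//')
    [ "$ppa" -ge 1000 ]
}

# missing_parents IFNAME... -> physical interfaces that the VLAN interfaces need
# but that are not in the given (configured) list, one per line, sorted
missing_parents() {
    configured=" $* "
    for ifc in "$@"; do
        is_vlan "$ifc" || continue
        phys=$(physical_of "$ifc")
        case "$configured" in
            *" $phys "*) ;;                 # parent present
            *) printf '%s\n' "$phys" ;;
        esac
    done | sort -u
}

# check_hostname_dir DIR -> reads DIR/hostname.* (the Solaris convention for
# /etc/hostname.<ifname>) and prints the parents still to be created
check_hostname_dir() {
    dir=$1
    set --
    for f in "$dir"/hostname.*; do
        [ -e "$f" ] || continue
        set -- "$@" "${f##*/hostname.}"
    done
    missing_parents "$@"
}

# Stand-alone run on a constructed directory: ce1001 and ce2001 are defined
# but their parent ce1 is not, so the check reports ce1.
demo=$(mktemp -d)
for i in ce0 ce1001 ce2001; do echo "10.0.0.1" > "$demo/hostname.$i"; done
echo "parents to create:"
check_hostname_dir "$demo" | sed 's/^/  \/etc\/hostname./'
rm -rf "$demo"
```

Run check_hostname_dir /etc on the member before installing policy; each name it prints is an /etc/hostname.<ifname> file to create with the arbitrary address item 49 allows, and an interface ClusterXL would otherwise not monitor or fail over.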


52. The local.arp file is not supported on ClusterXL gateways running Solaris. In order to use manual NAT on Solaris, use the following workaround:

On the command line, run the following command:

arp -s <NATed IP address> <mac_address_of_target> pub

For this command to survive a reboot, add a file under /etc/rc3.d/ (the name does not matter) and on each line enter the arp command for an IP address to be NATed and its corresponding MAC address (see the example file contents after item 55).

Save the file and chmod 777.

Platform Specific — Windows

53. On Windows platforms, when switching from High Availability Legacy to High Availability New Mode or Load Sharing, the CCP transport mode is set to broadcast instead of multicast. A workaround is to toggle the CCP mode via the following command on each cluster member: cphaconf set_ccp multicast.

54. Disabling a network connection (interface) is not supported on ClusterXL gateways on Windows platforms. A workaround is to:

1. Disconnect the network cable.

2. Wait 15 seconds and then set the network connection as disabled.

3. Reconnect the network cable after another 15 seconds.

If required to enable this interface again, do the following:

1. Disconnect the network cable.

2. Wait 15 seconds and set the network connection as enabled.

3. Reconnect the network cable after another 15 seconds.

Services

55. When using T.120 connections, make sure you manually add a rule that allows T.120 connections.

Example contents of the /etc/rc3.d/ file described in item 52 (one arp command per NATed IP address):

arp -s 1.1.1.1 <mac_address_of_target> pub

arp -s 1.1.1.2 <mac_address_of_target> pub

etc...
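As an added example (not code from this document), the following POSIX sh script generates the published-ARP commands of item 52 from a constructed list of NATed-IP/MAC pairs, validates each pair, and writes them into a boot script; the input file format and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Check Point document: build the published
# ARP entries that item 52 puts in an /etc/rc3.d/ script on Solaris.
# Input: a file with one "<NATed IP> <MAC>" pair per line; '#' comments and
# blank lines are ignored (file format and function names are assumptions).

# Succeed only if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Succeed only if $1 is a colon-separated MAC address with six hex groups.
valid_mac() {
    printf '%s\n' "$1" | grep -E '^([0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}$' >/dev/null
}

# Print one "arp -s <ip> <mac> pub" command per well-formed pair in file $1.
# Malformed lines are reported on stderr and skipped; the exit status is the
# number of lines skipped, so 0 means every entry was accepted.
gen_arp_cmds() {
    bad=0
    while read -r ip mac _rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        if valid_ipv4 "$ip" && valid_mac "$mac"; then
            printf 'arp -s %s %s pub\n' "$ip" "$mac"
        else
            printf 'skipping malformed entry: %s %s\n' "$ip" "$mac" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# Write pairs file $1 out as the boot script $2: a shell header followed by
# the generated arp commands, so the entries are republished after a reboot.
write_rc_script() {
    skipped=0
    {
        printf '#!/bin/sh\n# published ARP entries for manual NAT (generated)\n'
        gen_arp_cmds "$1" || skipped=$?
    } > "$2"
    # Item 52 says chmod 777; being executable is all the rc mechanism needs,
    # and 755 avoids leaving a root-run boot script world-writable.
    chmod 755 "$2"
    return "$skipped"
}
```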


ISP Redundancy

56. In a ClusterXL ISP Redundancy configuration, the names of the external interfaces of all cluster members must be identical and must correspond in turn to the names of the external interfaces of the cluster object. For example, if the cluster object has two external interfaces called eth0 and eth1, connected to ISP-1 and ISP-2 respectively, then each cluster member must have two external interfaces called eth0 and eth1, connected to ISP-1 and ISP-2 respectively.

Policy Installation

57. When installing policy on a cluster with a Layer 2 bridge defined, the installation may fail with the following error: Load on Module failed. To resolve this issue, do the following:

1. Set the environment variable FW_MANAGE_BRIDGE to 1 on the SmartCenter server. This is done by updating the files $CPDIR/tmp/.CPprofile.csh and $CPDIR/tmp/.CPprofile.sh so that each sets the environment variable FW_MANAGE_BRIDGE to 1.

2. Install policy.
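An added example, not the document's own code, that writes the item 57 setting into both profile files with the syntax each shell uses; the profile directory is passed as a parameter and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Check Point document: put FW_MANAGE_BRIDGE=1
# into the two profile files named in item 57, using the syntax each shell
# expects (Bourne-style export for .CPprofile.sh, setenv for .CPprofile.csh).
# The directory is a parameter so this can be tried on a scratch copy before
# touching $CPDIR/tmp; function names are assumptions.

SH_LINE='FW_MANAGE_BRIDGE=1; export FW_MANAGE_BRIDGE'
CSH_LINE='setenv FW_MANAGE_BRIDGE 1'

# Append line $2 to file $1 unless an identical line is already present, so
# repeated runs do not pile up duplicate settings.
append_once() {
    grep -Fqx -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Set FW_MANAGE_BRIDGE to 1 in both profile files under directory $1
# (item 57 names $CPDIR/tmp). Succeeds only when both files carry the line.
set_fw_manage_bridge() {
    append_once "$1/.CPprofile.sh"  "$SH_LINE"
    append_once "$1/.CPprofile.csh" "$CSH_LINE"
    grep -Fqx -- "$SH_LINE"  "$1/.CPprofile.sh" &&
        grep -Fqx -- "$CSH_LINE" "$1/.CPprofile.csh"
}
```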

Unsupported Features

58. Cluster deployments automatically hide the IP address of the cluster members behind a virtual IP address. If you manually add NAT rules that contradict this configuration, the manually added NAT rules take precedence. For details, see the “ClusterXL Advanced Configuration” chapter of the ClusterXL Guide.

59. TCP connections inspected by Web Intelligence or VoIP Application Intelligence features will not survive failover. In the event of failover, these connections are reset.

60. The compatibility matrix for third party clustering solutions (other than Nokia) is available at the following link: http://www.opsec.com/solutions/perf_ha_load_balancing.html. If a third party solution is not explicitly listed as supported for this release, assume it is not supported. For Nokia clustering (VRRP or IP Clustering), see the Check Point Software and Hardware Compatibility section of the ClusterXL guide for information on which IPSO release is supported with this VPN-1 release.

61. Mounting an NFS drive on a cluster member is not supported, as hide NAT changes the IP address of the cluster member, and the server cannot resolve the resulting mismatch.

62. The following Web Intelligence features require connections to be sticky:

• Header spoofing


• Directory listing

• Error concealment

• ASCII only response

• Send error page

A sticky connection is one where all of its packets, in either direction, are handled by a single cluster member. If you enable one of the features listed above, make sure that your clustering solution supports sticky connections. Sticky connections can be guaranteed for Web connections in the following configurations:

• ClusterXL High Availability

• ClusterXL Load Sharing with Sticky Decision Function enabled

• ClusterXL Load Sharing with no VPN peers, no static NAT* rules and no SIP

• Nokia VRRP Cluster

• Nokia IP Clustering configuration with no VPN peers, static NAT* rules or SIP

• For other OPSEC certified clustering products - please refer to the OPSEC-certified product's documentation.

* including ConnectControl Logical Servers

63. The following VoIP Application Intelligence (AI) features require connections to be sticky:

• H.323

• SIP

• Skinny

A sticky connection is one where all of its packets, in either direction, are handled by a single cluster member. If you enable one of the features listed above, make sure that your clustering solution supports sticky connections. Sticky connections can be guaranteed for VoIP connections in the following configurations:

• ClusterXL High Availability

• ClusterXL Load Sharing with no VPN peers or static NAT* rules

• Nokia VRRP Cluster

• Nokia IP Clustering configuration with no VPN peers or static NAT* rules

• For other OPSEC certified clustering products - please refer to the OPSEC-certified product's documentation.

* including ConnectControl Logical Servers


64. Sticky connections cannot be guaranteed on ClusterXL Load Sharing Unicast mode with hide NAT.

65. To support SSL Network Extender in a ClusterXL Load Sharing configuration, enable the Sticky Decision Function.

ConnectControl

66. The Server Load balance method is not supported.

67. The Domain balance method is not supported for Logical Servers.

68. If a Logical server is configured to have an IP address that belongs to the external network of the gateway, no Automatic Proxy ARP is configured on the gateway to the IP address of the Logical server. As a result there is no communication to the Logical server from external hosts. To resolve this issue, manually configure Proxy ARP using the file $FWDIR/conf/local.arp. See "Automatic Proxy ARP" in the ClusterXL User Guide for local.arp file configuration instructions.

69. Logical Servers are not supported in conjunction with Security Servers.

70. When configuring Server Availability for ConnectControl (SmartDashboard > Policy menu > Global Properties > ConnectControl), the value for the Server availability check interval must be a multiple of 5 and no less than 15.

QoS

1. After upgrading a Standalone SmartCenter server on a Windows platform from R55 to R62, QoS policy installation fails with the following message:

Error - This is a SmartCenter only station, QoS policy cannot be downloaded.

To resolve this issue, run the following commands on the SmartCenter server:

1. cpstop (Note that this will disconnect SmartDashboard)

2. cpprod_util CPPROD_SetValue FW1 FloodGate 1 1 1

3. cpprod_util CPPROD_SetValue FW1 FGManagement 1 1 1

4. amon_config cpstatdll add stam %FGDIR%\lib fgcpstat

5. cpstart

6. Reinstall QoS policy.