Check Point® Provider-1/SiteManager-1
NGX (R60)
Release Notes
October 26, 2005

IMPORTANT
Before you begin installation, read the latest available version of these release notes at:
http://www.checkpoint.com/support/technical/documents/docs_prov1.html

In This Document
Information About This Release
What's New
Clarifications and Limitations

Information About This Release

This document contains important information not included in the documentation. Review this information before setting up Provider-1/SiteManager-1 NGX (R60).

In This Section
License Upgrade Requirement
NGX (R60) Products by Platform
Supported Upgrade Paths
Build Numbers
The Regular Expression (RX) Library
Minimum Hardware Requirements
Minimum Software Requirements

License Upgrade Requirement

To upgrade to NGX (R60), you must first upgrade licenses for all NG products, as NGX (R60) will not function with licenses from previous versions. The utility pv1_license_upgrade is included on the CD at Tools/LicenseUpgrade/. See the Upgrade Guide for instructions.

Copyright © 2005 Check Point Software Technologies, Ltd. All rights reserved.
NGX (R60) Products by Platform

The table covers the following platforms:
- Solaris UltraSPARC 8, 32/64 bit (1)
- Solaris UltraSPARC 9, 64 bit (1)
- Microsoft Windows Server 2003
- Microsoft Windows 2000 Advanced Server (SP1-4)
- Microsoft Windows 2000 Server (SP1-4)
- Microsoft Windows 2000 Professional (SP1-4)
- Microsoft Windows XP Home & Professional
- Microsoft Windows 98 SE & ME
- Hand-Held PC 2000 & Pocket PC 2003
- RHEL 3.0 (kernel 2.4.21)
- Mac OS X
- Check Point SecurePlatform
- Nokia IPSO 3.9

Product: supported platforms (X = supported; numbers refer to the notes below)
SmartConsole GUI: X 2 X X X X X X X
VPN-1 Pro Module (including QoS, Policy Server): X X X X X X X X
SmartCenter Server (incl. VSX): X X X X X X X X 3
SmartPortal: X X X X X X X
SecuRemote: X X X X X
SecureClient: X X X X X X X X
ClusterXL (VPN-1 Pro Module): X X X 4 X X X X X 5
UserAuthority (Management Add-on only): X X X X X X X X X X 6
Eventia Reporter - Server: X X X X X X X X 7
SmartView Monitor: X X X X X X X X
VPN-1 Accelerator Driver II: X X
VPN-1 Accelerator Driver III: X X X X X X X X
Performance Pack: X X X X 8
SmartLSM - GUI: X X X X X
SmartLSM - Enabled Management: X X X X X X X X
SmartLSM - Enabled ROBO Gateways: X X X X X X
SmartLSM - Enabled CO Gateways: X X X X X X X X
Advanced Routing: X X 9
SecureXL Turbocard: X 10
SSL Network Extender - Server: X X X X X X X X
SSL Network Extender - Client: X X X
Provider-1/SiteManager-1: X X X X
Provider-1/SiteManager-1 GUI: X X X X X X X
OSE Supported Routers: Nortel versions 7.x, 8.x, 9.x, 10.x, 11.x, 12.x, 13, 14; Cisco OS versions 9.x, 10.x, 11.x, 12.x

Notes to Products by Platform Table
1) See "Minimum Software Requirements" below for Solaris platforms.
2) The following SmartConsole Clients are not supported on Solaris UltraSPARC 8: Eventia Reporter Client, SmartView Monitor, SmartLSM and the SecureClient Packaging Tool.
3) VPN-1 Edge devices cannot be managed from a SmartCenter server running Nokia IPSO.
4) HA Legacy mode is not supported on Windows Server 2003.
5) ClusterXL is supported only in third-party mode with VRRP or IP Clustering.
6) UserAuthority is not supported on Nokia Diskless platforms.
7) Only the Management Add-on of Eventia Reporter is supported on Nokia. Eventia Reporter is not supported on Nokia Diskless platforms.
8) Nokia provides SecureXL as part of IPSO.
9) Nokia provides Advanced Routing as part of IPSO.
10) An NGX-compatible Turbocard driver will be available in one of the first NGX HFAs.

Release Notes for Check Point Provider-1/SiteManager-1 NGX (R60). Last Update — October 26, 2005
Supported Upgrade Paths

The following table specifies the supported upgrade paths to Provider-1/SiteManager-1 NGX (R60).

Source Version                                   'In-Place' Upgrade   Migrate CMAs or SmartCenter Servers to NGX (R60) CMAs
NG with Application Intelligence R55W            Yes                  Yes
NG with Application Intelligence R55             Yes                  Yes
NG with Application Intelligence R54             Yes                  Yes
VSX NG with Application Intelligence Release 2   Yes                  Yes
VSX NG with Application Intelligence             Yes                  Yes
VSX 2.0.1                                        No                   No
NG FP3                                           Yes                  Yes
NG FP2                                           No                   Yes
NG FP1                                           No                   Yes
4.1                                              No                   No

See the Upgrade Guide for details on upgrading and migrating Provider-1/SiteManager-1 components.

Build Numbers

The following table lists all Provider-1/SiteManager-1 NGX (R60) software products available, and the build numbers as they are distributed on the product CD. To verify each product's build number, use the given command.

Product        Build No                               Command
MDS            72                                     cpvinfo $MDSDIR/lib/libmds.so | grep "Build Number"
MDG            269_1                                  Help > About Check Point Provider-1/SiteManager-1
SmartConsole   654_1                                  Help > About Check Point SmartDashboard
VPN-1 Pro      457_4 (Windows), 458_2 (all others)    fw ver

The Regular Expression (RX) Library

NGX (R60) uses the RX Library. You can download the library license agreement (LGPL) from:
http://www.checkpoint.com/techsupport/downloads/docs/firewall1/r55/GNU_LGPL.pdf
Minimum Hardware Requirements

In This Section
Solaris Platforms
Linux Platforms
SecurePlatform
Windows Platforms

Solaris Platforms

Minimum Requirements for Provider-1/SiteManager-1 MDS
On Solaris platforms, the minimum hardware requirements for installing Provider-1/SiteManager-1 MDS are:
• UltraSPARC II
• 800 MB free disk space for installation
• 256 MB RAM
• One or more network adapter cards
• CD-ROM drive

Minimum Requirements for Provider-1/SiteManager-1 MDG
On Solaris platforms, the minimum hardware requirements for installing the MDG are:
• UltraSPARC III
• 100 MB free disk space for installation
• 256 MB RAM
• One network adapter card
• CD-ROM drive
• 800 x 600 video adapter card

Linux Platforms

Minimum Requirements for Provider-1/SiteManager-1 MDS
On Linux platforms, the minimum hardware requirements for installing Provider-1/SiteManager-1 MDS are:
• Intel Pentium II 300 MHz or equivalent processor
• 450 MB free disk space
• 256 MB RAM
• One or more network adapter cards
• CD-ROM drive

SecurePlatform

Minimum Requirements for Provider-1/SiteManager-1 MDS
On SecurePlatform, the minimum hardware requirements for installing Provider-1/SiteManager-1 MDS are:
• Intel Pentium III 300+ MHz or equivalent processor
• 4 GB free disk space
• 256 MB RAM
• One or more supported network adapter cards
• CD-ROM drive
• 1024 x 768 video adapter card
For details regarding SecurePlatform on specific hardware platforms, see http://www.checkpoint.com/products/supported_platforms/recommended.html

Windows Platforms

Minimum Requirements for Provider-1/SiteManager-1 MDG
On Windows platforms, the minimum hardware requirements for installing the MDG are:
• Intel Pentium II 300 MHz or equivalent processor
• 100 MB free disk space
• 256 MB RAM
• One network adapter card
• CD-ROM drive
• 800 x 600 video adapter card
Minimum Software Requirements

Solaris Platform

Required Packages
• SUNWlibc
• SUNWlibCx
• SUNWter
• SUNWadmc
• SUNWadmfw

Required Patches
Solaris 8: the following patches (or newer) are required on Solaris 8 UltraSPARC platforms:

Number      System   Notes
108528-18   All      If the patches 108528-17 and 113652-01 are installed, remove 113652-01, and then install 108528-18.
110380-03   All
109147-18   All
109326-07   All
108434-01   32 bit
108435-01   64 bit

Solaris 9: the following patches (or newer) are required on Solaris 9 UltraSPARC platforms:

Number      System   Notes
112233-12   All
112902-07   All
116561-03   All      Only if the dmfe(7D) ethernet driver is defined on the machine

To verify that you have a patch installed, use the command:
showrev -p | grep <patch-number>

The patches can be downloaded from http://sunsolve.sun.com. Install the 32-bit patches before installing the 64-bit patches.
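The grep above checks one patch at a time and leaves the "or newer" revision comparison and the 108528-17/113652-01 special case to the reader. The following POSIX shell script is an added example and is not part of Check Point's release notes or tools: it parses `showrev -p` output, checks every patch in the Solaris 8 table for a revision at or above the required one, and flags the documented conflict. The `showrev -p` sample it contains is constructed for illustration; on a real Solaris host the script uses the live output. The choice of which bit-width list applies to a 64-bit kernel is an assumption noted in the code.

```shell
#!/bin/sh
# Added example: check the Solaris 8 patch table from the release notes against `showrev -p`.
# Not part of the Check Point release notes or of any Check Point tool.

# Required patch revisions ("or newer") copied from the Solaris 8 table.
REQUIRED_SOL8_ALL="108528-18 110380-03 109147-18 109326-07"
REQUIRED_SOL8_32BIT="108434-01"
REQUIRED_SOL8_64BIT="108435-01"

# Constructed sample of `showrev -p` output (one "Patch: <base>-<rev> ..." line per patch). It is
# illustrative only and deliberately contains one outdated, one missing and one conflicting patch.
SAMPLE_SHOWREV='Patch: 108528-17 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar, SUNWcsu
Patch: 113652-01 Obsoletes:  Requires: 108528-17 Incompatibles:  Packages: SUNWcsu
Patch: 110380-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109147-20 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 108434-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl'

# installed_rev <showrev_output> <patch_base>
# Prints the highest installed revision of the patch base as a plain decimal (e.g. "17"), or nothing.
installed_rev() {
    printf '%s\n' "$1" | awk -v base="$2" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && (!found || p[2] + 0 > best)) { best = p[2] + 0; found = 1 }
        }
        END { if (found) print best }'
}

# check_patches <showrev_output> <required "base-rev" list>
# Prints one OK / OLD / MISSING line per required patch; returns 1 if any patch is missing or too old.
check_patches() {
    out=$1; rc=0
    for req in $2; do
        base=${req%-*}
        need=$(printf '%s' "${req#*-}" | sed 's/^0*\([0-9]\)/\1/')   # "03" -> "3": no octal surprises
        have=$(installed_rev "$out" "$base")
        if [ -z "$have" ]; then
            echo "MISSING $req"; rc=1
        elif [ "$have" -lt "$need" ]; then
            echo "OLD $req (installed $base-$(printf '%02d' "$have"))"; rc=1
        else
            echo "OK $req (installed $base-$(printf '%02d' "$have"))"
        fi
    done
    return $rc
}

# conflict_108528 <showrev_output>
# The table's special case: 108528-17 together with 113652-01 means 113652-01 must be removed
# before 108528-18 is installed. Returns 0 (true) when that combination is present.
conflict_108528() {
    [ "$(installed_rev "$1" 108528)" = "17" ] && [ -n "$(installed_rev "$1" 113652)" ]
}

# On Solaris use the live data; elsewhere fall back to the constructed sample so the script still runs.
if [ -x /usr/bin/showrev ]; then
    SHOWREV=$(/usr/bin/showrev -p)
    # Assumption: a 64-bit kernel (isainfo -b prints 64) needs both the 32-bit and the 64-bit patch;
    # the notes say to install the 32-bit patches first, so they are listed first.
    case "$(isainfo -b 2>/dev/null)" in
        64) REQUIRED="$REQUIRED_SOL8_ALL $REQUIRED_SOL8_32BIT $REQUIRED_SOL8_64BIT" ;;
        *)  REQUIRED="$REQUIRED_SOL8_ALL $REQUIRED_SOL8_32BIT" ;;
    esac
else
    SHOWREV=$SAMPLE_SHOWREV
    REQUIRED="$REQUIRED_SOL8_ALL $REQUIRED_SOL8_32BIT"
fi

if conflict_108528 "$SHOWREV"; then
    echo "NOTE: 108528-17 and 113652-01 are both installed: remove 113652-01 before installing 108528-18"
fi
check_patches "$SHOWREV" "$REQUIRED" || echo "Some required patches are missing or outdated"
```

The same functions serve the Solaris 9 table: pass its patch IDs as the required list (116561-03 only when the dmfe driver is configured on the machine). Because `check_patches` returns non-zero on any failure, it can gate an automated run of mds_setup.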
Linux Platform

This release supports Red Hat Enterprise Linux 3.0. For Red Hat kernel installation instructions, visit: http://www.redhat.com/support/resources/howto/kernel-upgrade.

Windows Platform

This release requires that Service Packs be applied to Windows 2000 and Windows 2003 systems. This release supports Service Packs SP1, SP2, SP3, and SP4.
What's New

In This Section
Unified Management
Red Hat Enterprise Linux
SmartCenter Server can Back Up a CMA
Provider-1 Enterprise Edition License
Native Support of VSX-CMA Bundle License
Administrator Authentication
The mdscmd Utility
Eventia Reporter Support
Web-Based Access to SmartCenter — SmartPortal

Unified Management

Provider-1/SiteManager-1 NGX (R60) supports the management of the following Check Point products:
• VPN-1 Pro
• VPN-1 Edge
• VPN-1 VSX (NG with Application Intelligence Release 2 and below)
• Web Intelligence

Red Hat Enterprise Linux

MDS is now supported on Red Hat Enterprise Linux 3.0 (MDSs are no longer supported on Linux 7.x). The upgrade from an existing MDS on Linux 7.x to the NGX (R60) MDS is described in the Upgrade Guide.

SmartCenter Server can Back Up a CMA

A SmartCenter server can be configured to back up a Provider-1/SiteManager-1 CMA in a High Availability configuration. The SmartCenter server can function as Active or Standby management for a Customer with one or two CMAs. For installation instructions see the Provider-1/SiteManager-1 User Guide.

Provider-1 Enterprise Edition License

Provider-1/SiteManager-1 NGX (R60) supports the new licenses for Provider-1 Enterprise Edition products (Part Numbers CPMP-PRE-3-NG and CPMP-PRE-5-NG).

Native Support of VSX-CMA Bundle License

The VSX-CMA bundle license is a single license, installed at the MDS level, enabling the management of Virtual Systems. The bundle license has been available since VPN-1 VSX NG with Application Intelligence Release 2. Prior to that version, every CMA managing Virtual Systems required a separate license to be installed at the CMA level. Now, with support for VSX-CMA bundle licenses, CMAs can use this MDS-level license for managing Virtual Systems.

In a multi-MDS environment, a separate VSX-CMA bundle license is required on every MDS that has CMAs managing Virtual Systems. The VSX-CMA bundle license enables the definition of CMAs that are dedicated to managing the licensed Virtual Systems, and of the MDS Container for these CMAs. For example, a CPPR-VSX-CMA-100-NG license enables the management of 100 Virtual Systems, the definition of up to 100 CMAs dedicated to managing these Virtual Systems, and the definition of one additional CMA for managing the respective VSX gateway(s).

Administrator Authentication

New authentication methods are available for Provider-1 administrators when logging into the MDS and CMAs with SmartConsole applications, using the following external authentication servers:
• TACACS
• TACACS+
• RADIUS
Refer to the Provider-1/SiteManager-1 User Guide for details.

The mdscmd Utility

New commands (enable/disable global use) have been added to the mdscmd utility. For more information, refer to the Provider-1/SiteManager-1 User Guide.

Eventia Reporter Support

Eventia Reporter supports Provider-1/SiteManager-1 NGX (R60) Standard reports. For details, see the Getting Started chapter of the Eventia Reporter User Guide.

Web-Based Access to SmartCenter — SmartPortal

SmartPortal is a web-based management tool providing a centralized view of security policies, network and security activity status. In Provider-1/SiteManager-1, a single SmartPortal server can be globally defined, enabling web-based access to the MDS and all CMAs. For details, see the SmartPortal documentation in the SmartCenter User Guide.
Clarifications and Limitations

In This Section
Installation/Upgrade
Configuration
Licensing
Backup and Restore
Migrate
Multi-Customer Log Module (MLM)
Global Policy
Global VPN
Identical Internal CA keys
SmartUpdate
SmartPortal
Status Monitoring
Eventia Reporter
Miscellaneous

Installation/Upgrade

1) Some of the issues reported by the Pre-Upgrade Verifier may require database modifications. To avoid having to repeat these changes, remember to synchronize your mirror MDSs/CMAs and perform the 'install database to CLM' processes. It is highly recommended that you read the "Upgrading in Multi MDS environment" section in the Upgrade Guide.

2) Avoid using the Plug-and-Play license for the Provider-1 configuration; use EVAL licenses instead.

3) Managing 4.1 gateways is not supported.

4) After upgrading an MDS or MLM in a multi-MDS environment, SmartDashboard displays CMA and CLM objects with the previous version, and the following error message appears when performing the Install Database operation:

   Install Database on Log Server can only be partially completed.
   To restore full functionality (full resolving and remote operations), upgrade the Log Server to be the same version as your Management Server.

   To update the CMA/CLM objects to the most recent version, use the following procedure after upgrading all MDS and/or MLM servers:
   1 Verify that all active CMAs are up and running with valid licenses, and that none of them currently has a SmartDashboard connected.
   2 Run the following commands in a root shell on each MDS/MLM server:
     a mdsenv
     b $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL
   3 Synchronize all Standby CMAs and SmartCenter Backup servers and install the database on the CLMs.

   In some cases, the MDG will still display CMAs with the version that was used before the upgrade. To resolve this, after performing steps 1-3, do the following:
   1 Make sure that each CMA that displays the wrong version is synchronized with the Customer's other CMAs.
   2 Restart the MDS containers hosting the problematic CMAs by executing the following commands in a root shell:
     a mdsenv
     b mdsstop -m
     c mdsstart -m

5) When upgrading to NGX (R60), all SmartUpdate packages on the MDS (excluding SofaWare firmware packages) are deleted from the SmartUpdate Repository.

6) Management of FireWall-1 4.1 gateways and VPN-1 Net gateways is no longer supported in NGX (R60). Before upgrading configurations that contain such gateways, the gateways need to be upgraded to supported products/versions. Since the pre-upgrade verification tools will not allow the upgrade to proceed as long as such gateways exist in the configuration database, the objects either need to be deleted from the source management or updated to represent a supported product/version. If the objects are updated only to allow the upgrade to proceed, management of the gateways will not be allowed until the gateway software and license are upgraded as well. Note also that configurations that contain externally managed FireWall-1 4.1 gateways cannot be upgraded to NGX. To allow the upgrade to proceed, these objects need to be updated to represent a supported version.

7) After upgrading an R55 SmartCenter server that manages VPN-1 Edge devices to NGX (R60), immediately reinstall policy to all VPN-1 Edge devices and Profiles to avoid loss of connectivity.

Platform Specific Installation/Upgrade Issues — Solaris

8) To upgrade from Provider-1/SiteManager-1 NG FP3, be sure that Hotfix 2 has been installed.

9) Starting with NG with Application Intelligence, Customer names can no longer contain spaces and special characters. When upgrading to NGX (R60), this limitation is examined by the Pre-Upgrade Verifier, and if required an interactive tool for renaming Customers during the upgrade is offered. Additional details describing this tool can be found in the "Upgrading Provider-1" chapter of the Upgrade Guide.

10) Provider-1/SiteManager-1 NGX (R60) is not supported on Solaris 2.6. Be sure to upgrade the OS before running the command mds_setup.
Configuration

11) In the SecurePlatform installation, the default maximum number of file handles is set to 65536. This also applies to standard Linux installations, but the default number may vary.

For Provider-1/SiteManager-1 installations with a large number of CMAs, 65536 file handles may be insufficient. Indications that the system may not have enough available file handles are failure of processes to start and/or crashes of random processes.

• To check whether insufficient file handles is indeed the problem, enter the following command from root or expert mode:
  # cat /proc/sys/fs/file-nr
  This command prints three numbers (allocated handles, free handles, maximum). If the middle number is close to zero, or the left number equals the rightmost number, the maximum number of file handles must be increased.

• To increase the maximum number of file handles, enter the following command from root or expert mode:
  # echo 131072 > /proc/sys/fs/file-max
  The number above is for demonstration purposes; the actual figure should be derived from the amount of memory and the number of CMAs.
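The two commands above are easy to misread under load, and the `echo` into /proc does not survive a reboot. The following POSIX shell script is an added example, not part of the release notes or of any Check Point tool: it applies the heuristic from item 11 to the three file-nr fields, derives a new ceiling, and persists it. The 5% "close to zero" threshold and the RAM-based cap are assumptions, marked as such in the code. One caveat the notes (written for 2.4 kernels) do not mention: from Linux 2.6 on the middle field of file-nr is always 0, so only the allocated-versus-maximum test is meaningful there.

```shell
#!/bin/sh
# Added example: apply the /proc/sys/fs/file-nr heuristic from item 11 programmatically.
# Not part of the Check Point release notes; the percentage threshold and the sizing rule are assumptions.

# file_nr_verdict <allocated> <free> <maximum> [kernel_release]
# Prints RAISE when the release notes' heuristic says file-max must be increased, OK otherwise:
#   - allocated has reached maximum (the notes: "the left number equals the rightmost number"), or
#   - free is "close to zero", taken here (assumption) as less than 5% of maximum.
# Caveat: the free field is only meaningful on 2.4 kernels (RHEL 3.0, SecurePlatform of that era);
# from Linux 2.6 on it is always reported as 0, so it is ignored there to avoid a false alarm.
file_nr_verdict() {
    alloc=$1; free=$2; max=$3; kernel=${4:-$(uname -r)}
    if [ "$alloc" -ge "$max" ]; then
        echo RAISE; return 0
    fi
    case "$kernel" in
        2.4.*)
            if [ $((free * 20)) -lt "$max" ]; then
                echo RAISE; return 0
            fi ;;
    esac
    echo OK
}

# next_file_max <current_max> <ram_mb>
# The notes say the new value should follow from RAM and the number of CMAs but give no formula.
# Assumption used here: double the current ceiling, but never exceed roughly 100 handles per MB of RAM
# (about the default sizing Linux itself uses, one handle per 10 KB), so the table cannot eat the memory.
next_file_max() {
    doubled=$(( $1 * 2 ))
    cap=$(( $2 * 100 ))
    if [ "$doubled" -gt "$cap" ]; then echo "$cap"; else echo "$doubled"; fi
}

# raise_file_max <value>
# Apply the new ceiling at run time (needs root or expert mode) and persist it in /etc/sysctl.conf,
# which the echo in the release notes does not do.
raise_file_max() {
    echo "$1" > /proc/sys/fs/file-max || return 1
    if grep -q '^fs\.file-max' /etc/sysctl.conf 2>/dev/null; then
        sed -i "s/^fs\.file-max.*/fs.file-max = $1/" /etc/sysctl.conf
    else
        echo "fs.file-max = $1" >> /etc/sysctl.conf
    fi
}

# Report the verdict for the live counters when available; nothing is changed here.
if [ -r /proc/sys/fs/file-nr ]; then
    read alloc free max < /proc/sys/fs/file-nr
    echo "file-nr: allocated=$alloc free=$free max=$max -> $(file_nr_verdict "$alloc" "$free" "$max")"
fi
```

To act on a RAISE verdict on an MDS with 1 GB of RAM: `raise_file_max "$(next_file_max "$max" 1024)"`. Re-check file-nr after the CMAs have been restarted, since the allocated count only grows as processes open their files.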
Licensing

12) If you upgrade licenses after upgrading the MDS, the upgraded licenses will not be displayed in the MDG until the MDS is restarted.

13) Under rare circumstances, a CMA license may not appear in the SmartUpdate view of the MDG, yet appear in SmartUpdate when launched from the CMA. If this happens, do the following:
1 From the command line in the CMA environment, use the cplic command to remove the missing license, and then add it again.
2 In SmartUpdate, right-click the CMA and select Get Licenses.
Backup and Restore

14) To back up an MDS configuration, or replicate it to another station, use the mds_backup utility. To restore this backup on a new station, first perform a fresh install (using mds_setup), and then use the mds_restore utility.

15) Before running the mds_backup utility, make sure that no SmartConsole Clients are running.

16) A backup file created on a Solaris platform with the mds_backup command cannot be restored on a Linux platform, nor vice versa. A backup made by mds_backup on Linux can be restored on SecurePlatform and vice versa.

Platform Specific Backup and Restore Issues — SecurePlatform

17) When performing a backup and restore operation on SecurePlatform, do the following (refer to the SecurePlatform Guide for detailed instructions):
1 Back up the SecurePlatform configuration.
2 Move the backup files to another machine.
3 Perform clean installations of the SecurePlatform OS and Provider-1/SiteManager-1.
4 Restore the SecurePlatform configuration.

Migrate

18) After migrating a SmartCenter server running on a Nokia platform to an NGX (R60) CMA, the VPN-1 Edge objects and Profiles creation option in SmartDashboard is not available. See SecureKnowledge SK26484 for more information.

19) Migrating a CMA/SmartCenter database to a Provider-1 CMA disables the CMA's PnP license, if any.

20) Migration of a CMA is not supported when VSX objects exist in the database.

21) After migrating Global Policies and CMAs that contain a Global VPN Community, the VPN Communities mode of the Global Policies view in the MDG may not display all gateways participating in the Global VPN Communities. To resolve this issue, after completing the migration of all relevant configuration databases and starting the MDS and the CMA processes, issue the following commands in the root shell on the MDS:
1 mdsenv
2 fwm mds rebuild_global_communities_status all

22) When migrating complex databases, the MDG may time out with the error message "Failed to import Customer Management Add-on", even when the migration process continues and is successful. Therefore, when migrating large databases, it is recommended that you run the migrate operation from the command line. See the cma_migrate command in the Upgrade Guide.

23) A pre-upgrade verification procedure is executed before actually migrating the database. If errors are found that prevent the upgrade, the migration operation is aborted and you are notified of changes that need to be made. The migrate procedure cannot proceed until the requested changes are made on the source database. More information is available in the "Upgrading Provider-1" chapter of the Upgrade Guide.

24) The migrate_assist utility may report missing files, depending on the FTP server type. If files are missing, copy the relevant files manually. More information regarding the relevant files and the directory structure is available in the "Upgrading Provider-1" chapter of the Upgrade Guide.

25) Before migrating the global database, if there are Global VPN Communities in the source database or in the target database, it is highly recommended that you read the "Gradual Upgrade with Global VPN Considerations" section of the Upgrade Guide.

26) The migrate operation preserves the Internal Certificate Authority database. Therefore, migrating the same SmartCenter/CMA database to multiple CMAs duplicates the Certificate Authority: the resulting CMAs share the same CA key, so certificates issued by one of them are trusted by the others. To remedy this situation, perform fwm sic_reset after the migration, as described in SecureKnowledge SK17197.

27) If you delete a CMA that has been migrated from an existing CMA or SmartCenter database, and then want to recreate it, first create a new Customer with a new name. Add a new CMA to the new Customer and import the existing CMA or SmartCenter database into the new CMA.

28) After migrating SmartCenter or CMA databases with SmartLSM data, execute the command LSMenabler on on the CMA.

29) After migrating a SmartCenter database which contains SmartDashboard administrators or administrator group objects, these objects remain in the database but are not displayed in SmartDashboard. As the CMA is managed by Customer Administrators via the MDG and not via SmartDashboard, these objects are irrelevant to the CMA. However, if you need to delete or edit one of these objects, use dbedit or GuiDBedit to do so.

Multi-Customer Log Module (MLM)

30) If a CLM on an MLM fails to start, even though you have a license, consult SK23736 to resolve this issue.
Global Policy<br />
31) Before upgrading to <strong>NGX</strong> (<strong>R60</strong>), if you have global network objects configured as Web<br />
Servers, the following operations must be performed:<br />
1 Uncheck the Web Server property in the General Properties of these objects in<br />
Global SmartDashboard.<br />
2 Synchronize the global databases.<br />
3 Reassign global policies.<br />
4 Synchronize all Mirror CMAs with their Primary CMAs.<br />
5 Install databases on all CLMs.<br />
32) When deleting a <strong>Check</strong> Point host object created in Global SmartDashboard that has<br />
the same name as one of the MDS/MLM servers, the SIC certificate of the matching<br />
MDS/MLM server may be revoked. To avoid this situation, refrain from defining <strong>Check</strong><br />
Point host objects with names identical to MDS/MLM servers in the system. If the<br />
certificate of one of the MDS/MLM servers is revoked, see SecureKnowledge SK24204<br />
to remedy the situation.<br />
33) Avoid circular references in the Global Policy, as this will cause its assignment to fail.<br />
34) To ensure the integrity of Global Policies, only <strong>Provider</strong>-1 Superuser and Customer<br />
Superuser administrators are allowed to perform a Database Revision Control operation<br />
on a CMA. This is to ensure that a lower level administrator does not change the<br />
Global Policy assigned to a Customer. This is not a limitation, but rather an effect of<br />
the administrator’s permission hierarchy.<br />
35) Assigning a Global Policy to Customers may be a heavy operation. For this reason, it is<br />
recommended that you use MDG: Manage > <strong>Provider</strong>-1/<strong>SiteManager</strong>-1 Properties > Global<br />
Policies and configure Perform Policy operations on 1 customers at a time. For<br />
information about an MDS machine that includes a large amount of CMAs and big<br />
databases (global database and local CMAs' databases), refer to Hardware Requirements and<br />
Recommendations in the <strong>Provider</strong>-1/<strong>SiteManager</strong>-1 User Guide.<br />
36) When installing policy from the MDG using the Assign/ Install Global Policy operation,<br />
the Security Policy is not installed on VPN-1 Edge profiles. Use SmartDashboard to<br />
install policy to VPN-1 Edge profiles.<br />
37) When creating Connectra gateway objects (like other gateway objects, such as VPN-1,<br />
VPN-1 Edge, and Interspect), be sure to do so using the CMA SmartDashboard.<br />
Defining Connectra objects in Global SmartDashboard is not supported.<br />
Release Notes for Check Point Provider-1/SiteManager-1 NGX (R60). Last Update — October 26, 2005 15
38) In NG FP1, when a Global Policy is assigned to a CMA, a default global service object<br />
may replace its respective local service object in a local policy. If the default definition<br />
of these service objects was changed, such that they are no longer equivalent, then this<br />
might change the enforced policy in an unexpected way.<br />
This problem is not eliminated when upgrading (or migrating) to NG FP2 or to NG<br />
FP3.<br />
The mds_setup upgrade process automatically runs a pre-upgrade detector, which<br />
detects this problem, optionally fixes the conflicting objects, and instructs you how to<br />
proceed. The upgrade will proceed only on valid databases.<br />
• When upgrading MDS servers to NGX (R60), the default services are upgraded<br />
correctly.<br />
• When migrating CMA databases that contain this problem to NGX (R60), the<br />
migration process automatically detects the problem and will not allow the migration<br />
until the problem is resolved. The fix in this case is to implement SK18517<br />
on the source CMA.<br />
• If you have already upgraded from NG FP1 to NG FP3 Edition1 or Edition2<br />
(whether or not you upgraded to NG FP2 in between), you are required to install<br />
Provider-1/SiteManager-1 FP3 HF2. See SecureKnowledge SK16866 for more<br />
details.<br />
Global VPN<br />
39) Simplified VPN Mode Policies cannot work with gateways from versions prior to FP2.<br />
You cannot assign a Global Simplified VPN Mode Policy to a CMA that manages gateways of<br />
a version earlier than FP2.<br />
40) Global VPN Communities do not support shared secret authentication.<br />
41) Only Globally-enabled gateways can participate in Global VPN Communities. Gateway<br />
authentication is automatically defined using the CMA’s Internal Certificate Authority.<br />
Third-party Certificate Authorities are not supported.<br />
42) VPN-1 Edge gateways cannot participate in Global VPN Communities.<br />
43) Currently an external gateway can fetch a CRL only according to the FQDN. Therefore,<br />
a peer gateway fails to fetch a CRL when the primary CMA is down (even if the<br />
mirror CMA is operational). To avoid this scenario, you can change the FQDN to a<br />
resolvable DNS name by executing the following commands:<br />
1 mdsenv CMA_NAME, where CMA_NAME is the name of the CMA whose Certificate Authority<br />
you are reconfiguring.<br />
2 Run cpconfig and select the menu item Certificate Authority.<br />
44) After enabling a module for global use from the MDG, install a policy on the module<br />
or use the Install Database operation on the management server in order for its VPN<br />
domain to be calculated.<br />
45) When migrating a CMA, all CMAs that participate in a Global VPN Community must<br />
be migrated as well. If you do not migrate all relevant CMAs, it will affect Global<br />
Community functionality and maintenance.<br />
46) A globally enabled gateway can be added to a Global VPN Community from Global<br />
SmartDashboard only through the community object and not from the VPN tab of the<br />
object.<br />
47) When a VPN Simplified Mode Global Policy is assigned to a Customer, all of the<br />
Customer’s Security Policies must be VPN Simplified as well.<br />
48) If the Install policy on gateway operation takes place while the MDS is down, the status<br />
of this gateway in the Global VPN Communities view is not updated.<br />
49) Performing a sic_reset operation on a Customer's CMA resets the Customer's Internal<br />
CA (Certificate Authority), and revokes all the certificates that were ever issued by this<br />
CA. For this reason, sic_reset should be run only in rare cases, as a last<br />
resort.<br />
Before performing this operation on a CMA, you must first remove the IKE certificates<br />
of all the VPN gateways. This change to gateway properties is blocked for gateways<br />
enabled for Global Use. The following procedure describes the steps to be taken to<br />
ensure the correct operation of Global VPN Communities when performing the<br />
sic_reset operation.<br />
Before Running the sic_reset Command<br />
1 In Global SmartDashboard, ensure that the VPN-1 gateway and encryption domain<br />
objects (of the Customer whose CA is to be reset) are removed from all Global VPN<br />
Communities and from security rules. Then save the Global Policy.<br />
2 In the MDG, disable these gateways from Global Use.<br />
3 Re-assign the Global Policy to the Customer owning the CMA that sic_reset is<br />
being performed on.<br />
4 In the CMA SmartDashboard, for each of the VPN-enabled gateways, open the<br />
VPN tab and remove all VPN communities from the list. Click OK. Then open the<br />
General Properties and uncheck the VPN checkbox in the Check Point products<br />
list. After unchecking the checkboxes, you can safely ignore warnings regarding the<br />
Certificates, IKE Matching Criteria and the defined encryption key. Save the policy.<br />
5 On the MDS computer, open a root shell and switch to the CMA's environment using<br />
the command mdsenv CMA_NAME, where CMA_NAME is the name of the CMA to<br />
be reset.<br />
Run the sic_reset Command<br />
6 Execute the sic_reset operation using the command fwm sic_reset. While<br />
executing the command, read the displayed warnings and explanations carefully and<br />
proceed with all the operations required to complete the command.<br />
After Running the sic_reset Command<br />
7 Re-create the internal CA using the command:<br />
mdsconfig -ca CMA_NAME CMA_VIP<br />
where CMA_NAME is the name of the CMA to be reset, and CMA_VIP is the CMA's<br />
Virtual IP address.<br />
8 Start the CMA.<br />
9 In the SmartDashboard of the CMA, for all participating gateways (modified during<br />
step 4), check the VPN checkbox in the Check Point products list. After checking<br />
the checkboxes, ignore warnings regarding creation of an internal CA<br />
certificate. Save the policy. Close SmartDashboard.<br />
10 In the MDG, enable all the participating gateways (that were disabled during step 2)<br />
for Global Use.<br />
11 In Global SmartDashboard, restore all rules and references to the gateways that were<br />
removed during step 1. Save the changes to the Global Policy.<br />
12 Re-assign the Global Policy to all the Customers participating in the Global VPN<br />
Communities with the Customer whose CA has been reset, and re-install the policy<br />
on all gateways participating in the Global VPN.<br />
50) Enabling and disabling global use of a gateway that belongs to a Customer with a CMA<br />
High Availability configuration via the command mdscmd is supported only when the<br />
MDG is launched from one of the MDSs in the Multi MDS environment.<br />
51) When using VPN-1 VSX Virtual Systems in Global VPN Communities, the operating<br />
system and version displayed on objects representing Virtual Systems in peer CMAs is<br />
incorrect. This information can be safely ignored.<br />
Identical Internal CA keys<br />
52) It is possible to create a situation where multiple CMAs will have identical CA keys<br />
(although the CA names will be different). This situation may prevent site-to-site IKE<br />
VPN between two gateways managed by two CMAs with the same CA key.<br />
Such a situation can be created in the following ways:<br />
• Multiple CMAs are created within the first hour after the MDS installation (or after<br />
its upgrade from 4.1). Affected versions: all NG versions, until (but not including)<br />
FP3.<br />
• The same CMA (or SmartCenter) is migrated many times into the same Provider-1<br />
system. Affected versions: all NG and later versions.<br />
CA keys are retained across upgrades, so upgrading an affected system will not change<br />
the problematic situation.<br />
The following solutions are available:<br />
• A fresh installation is not affected by multiple CMAs created within the first hour.<br />
Multiple CMAs can safely be created right after the installation.<br />
• In an upgrade scenario, the mds_setup process will automatically detect if the<br />
original system is affected. If detected, it will issue a detailed warning, and will refer<br />
you to the relevant SK.<br />
• The NGX (R60) package includes commands for manual invocation of the detection<br />
tool. The detector can be run on any of the affected versions: NG FP1/HF1, FP2<br />
and FP3. See SecureKnowledge SK17196 for details.<br />
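The detector shipped with the NGX (R60) package (SK17196) is the supported way to find this condition. As an independent cross-check, the shell functions below are an added example, not from the release notes or from Check Point: they compare the public key inside each CMA's Internal CA certificate rather than the certificate itself, because, as the notes say, the CA names differ, so certificate fingerprints will differ even when the key is the same. Assumed: each CMA's ICA certificate has already been exported to PEM as DIR/cma_name.pem (how to export it is not covered on this page), and openssl is available. The sample directory built by make_sample_cas is constructed to reproduce the shared-key situation.

```shell
#!/bin/sh
# Added example, not part of the NGX (R60) release notes or the product.
# Flags CMAs whose Internal CA certificates carry the same public key.
# Assumption: each CMA's ICA certificate has been exported to PEM as
# DIR/<cma name>.pem (the export itself is not covered on this page).

# SHA-256 of the DER-encoded public key found in a PEM certificate.
ca_pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# find_shared_ca_keys DIR: prints one line per key used by more than one CMA.
# Exit status: 0 = every CMA has its own key, 1 = shared key(s) found.
find_shared_ca_keys() {
    for cert in "$1"/*.pem; do
        [ -e "$cert" ] || continue
        printf '%s %s\n' "$(ca_pubkey_fingerprint "$cert")" "$(basename "$cert" .pem)"
    done | sort | awk '
        { cmas[$1] = (cmas[$1] == "" ? "" : cmas[$1] " ") $2; count[$1]++ }
        END {
            for (fp in count)
                if (count[fp] > 1) {
                    shared++
                    print "shared CA key " substr(fp, 1, 16) "...: " cmas[fp]
                }
            exit (shared ? 1 : 0)
        }'
}

# Constructed sample: cma_a and cma_b reuse one key under different CA names
# (the situation described above); cma_c has a key of its own.
make_sample_cas() {
    dir=$1
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    openssl genrsa -out "$dir/shared.key" 2048 2>/dev/null
    openssl genrsa -out "$dir/own.key" 2048 2>/dev/null
    for pair in "cma_a:shared" "cma_b:shared" "cma_c:own"; do
        name=${pair%%:*}; key=${pair##*:}
        openssl req -x509 -new -key "$dir/$key.key" -subj "/CN=ica_$name" \
            -days 1 -config "$dir/req.cnf" -out "$dir/$name.pem" 2>/dev/null
    done
}

# Usage:
#   d=$(mktemp -d); make_sample_cas "$d"; find_shared_ca_keys "$d"; echo "exit=$?"
```

A non-zero exit from find_shared_ca_keys means two gateways managed by the listed CMAs will present certificates chaining to different CA names but the same key, which is exactly what blocks the site-to-site IKE negotiation described above.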
SmartUpdate<br />
53) Firmware packages cannot be deleted from the SmartUpdate repository. In order to<br />
delete packages, see SecureKnowledge SK30650.<br />
54) When using the MDG’s SmartUpdate view, packages are added to the SmartUpdate<br />
repository of the MDS to which the MDG is connected. When in a Multi-MDS<br />
environment, make sure that each SmartUpdate package is added to each MDS<br />
individually. When adding SofaWare firmware packages in such an environment, a<br />
package added to one MDS will appear to have been added to all other MDSs. In this<br />
case as well, make sure that each firmware package is added to each MDS individually.<br />
55) After detaching a Central license from a CMA using the SmartUpdate view, the license<br />
remains in the License Repository, and therefore cannot be added again to the CMA<br />
from the MDG General view. To add it again, reattach the license using SmartUpdate.<br />
56) SmartUpdate packages cannot be added to the MDS Package repository if no CMAs are<br />
defined. Before populating an MDS's SmartUpdate repository with packages, define at<br />
least one CMA.<br />
SmartPortal<br />
57) When using Management High Availability (between a SmartCenter server and either a<br />
CMA or an MDS), changeover may not succeed when SmartPortal is connected in<br />
Read/Write mode. To resolve this issue, do one of the following:<br />
• Only allow access from SmartPortal to Read-only administrators<br />
• Disconnect Read/Write SmartPortal clients from SmartView Monitor<br />
Status Monitoring<br />
58) A CMA will report the status Waiting until it is started for the first time.<br />
59) In a CMA High Availability configuration, the High Availability synchronization status<br />
in the MDG may contain inconsistent values if valid licenses have not been installed. If<br />
this is the case, the synchronization status should be ignored. In order to operate,<br />
however, all CMAs must have valid licenses.<br />
60) SmartView Monitor displays invalid statuses when connecting to a CLM. To view<br />
Customer statuses using SmartView Monitor, connect to a CMA.<br />
Eventia Reporter<br />
61) As Eventia Reporter data is not synchronized on multiple MDSs in High Availability<br />
configurations, Eventia Reporter should be set to work with just one MDS. To do so,<br />
install the Eventia Reporter Add-on on one MDS only, and log into this MDS<br />
whenever using the Eventia Reporter client.<br />
62) You must log into the Eventia Reporter client using a Provider-1 Superuser administrator<br />
account, or a Customer Superuser administrator account. Other administrator types are<br />
not supported.<br />
63) Only one Eventia Reporter server is supported. Do not define more than one Eventia<br />
Reporter server in Global SmartDashboard.<br />
64) For Eventia Reporter to function properly, all Customers must have a Global Policy<br />
assigned to them. If a Customer has not been assigned a Global Policy, all reports<br />
generated for this Customer will fail with the following error (CUSTOMER_NAME being<br />
the name of the Customer):<br />
Could not retrieve CMA for customer CUSTOMER_NAME. CMA is either stopped or<br />
standby.<br />
Miscellaneous<br />
65) In a CMA High Availability configuration, the MDG may variably report the status of<br />
VPN-1 Edge gateways as either OK or Not Responding. To see the correct status, open<br />
SmartView Monitor on the Active management.<br />
66) Certificates for <strong>Provider</strong>-1 administrators should be created only from an MDG<br />
connected to the MDS that currently hosts the active global database.<br />
67) A VSX gateway cannot be deleted with a license attached, and attempting to do so<br />
causes a non-specific error message to appear. To delete the gateway, first detach the<br />
license using SmartUpdate or the CLI.<br />
68) When working with a large CMA database, synchronizing this database may take some<br />
time. If you create a second CMA from the MDG, the MDG may time out before the<br />
synchronization finishes, so the operation can appear to have failed when in fact it<br />
completed after the MDG stopped waiting.<br />
To make sure that this operation finished successfully after the MDG's timeout:<br />
1 Wait until the second CMA is displayed on the MDG, with a Started status.<br />
2 From SmartDashboard, connect to the active CMA.<br />
3 Select Policy > Management High Availability and in the displayed window verify that<br />
the standby CMA's Status is Synchronized.<br />
69) When in demo mode on a Solaris system, trying to launch SmartConsole applications<br />
from the MDG may result in the following error: The connection has been refused<br />
because the database could not be opened. To work with SmartConsole applications<br />
in demo mode, open them from the command line without using the launching option<br />
through the MDG. The SmartConsole applications are installed under $GUIDIR/bin. For<br />
Global SmartDashboard, use the following syntax from the command line:<br />
$GUIDIR/bin/PolicyEditor "connect *local localuser localpass /global"<br />
70) The cp_merge utility is not supported in <strong>Provider</strong>-1/<strong>SiteManager</strong>-1.<br />
71) In certain situations, after stopping CMA processes, the VPN-1 Edge management<br />
processes sms and smsstart_wd continue running. These processes should be terminated<br />
with the kill utility.<br />
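Rather than reaching for kill -9 straight away, a practitioner would give the leftover processes a chance to exit cleanly and only escalate for survivors. The functions below are an added example, not from the release notes or from Check Point. Assumed: pgrep and ps -o s are available (Solaris 8 and later, Linux procps), and the process names are exactly sms and smsstart_wd as the note states. Caveat: on an MDS where other CMAs are still running, pgrep -x will also match their Edge management processes; this page does not say how to tell one CMA's sms processes from another's, so in that case pass only the PIDs you have confirmed belong to the stopped CMA to terminate_pids instead of calling stop_edge_leftovers.

```shell
#!/bin/sh
# Added example, not part of the NGX (R60) release notes or the product.
# Cleans up the VPN-1 Edge management processes (sms, smsstart_wd) that can
# outlive a stopped CMA: TERM first, KILL only for survivors, then verify.
# Assumptions: pgrep and "ps -o s" exist (Solaris 8+, Linux procps) and the
# process names are exactly "sms" and "smsstart_wd" as the notes state.

# Succeeds while the process still exists and is not a zombie (an exited
# process nobody has reaped yet runs no code, so there is nothing to kill).
proc_alive() {
    st=$(ps -o s= -p "$1" 2>/dev/null | tr -d ' ')
    [ -n "$st" ] && [ "$st" != "Z" ]
}

# terminate_pids GRACE_SECONDS PID...
# Returns 0 when every listed process is gone, 1 if one survived even KILL.
terminate_pids() {
    grace=$1; shift
    [ $# -gt 0 ] || return 0
    kill -TERM "$@" 2>/dev/null || true
    alive=$*
    waited=0
    while [ "$waited" -lt "$grace" ]; do
        alive=""
        for p in "$@"; do
            proc_alive "$p" && alive="$alive $p"
        done
        [ -n "$alive" ] || return 0
        sleep 1
        waited=$((waited + 1))
    done
    echo "sending KILL to:$alive" >&2
    kill -KILL $alive 2>/dev/null || true   # unquoted on purpose: one PID per argument
    sleep 1
    for p in $alive; do
        if proc_alive "$p"; then
            echo "still running after KILL: $p" >&2
            return 1
        fi
    done
    return 0
}

# Find and terminate leftover sms / smsstart_wd processes after a CMA stop.
# See the caveat above about multi-CMA hosts before relying on pgrep -x alone.
stop_edge_leftovers() {
    pids=$(pgrep -x sms; pgrep -x smsstart_wd)
    if [ -z "$pids" ]; then
        echo "no leftover sms/smsstart_wd processes" >&2
        return 0
    fi
    terminate_pids 10 $pids               # unquoted on purpose: one PID per argument
}

# Usage (as root on the MDS, after stopping the CMA): stop_edge_leftovers
```

The zombie check matters when the script is run from the same shell that started the CMA processes: a child that has already exited still answers kill -0 until it is reaped, and without the check the function would wrongly escalate to KILL and then report a failure.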
72) CPInfo is a support tool included on the Provider-1 NGX CD that gathers a wide<br />
range of data concerning the Check Point packages in your system. When speaking<br />
with a Check Point Technical Support Engineer, you may be asked to run CPInfo and<br />
transmit the data to the Support Center. To use CPInfo on the MDS machine, install<br />
the CPInfo package using pkgadd (Solaris) or rpm (Linux), according to the OS of the<br />
MDS. After installing CPInfo, if you should need to uninstall the MDS, be sure to<br />
uninstall CPInfo first using pkgrm or rpm.<br />