Check Point® Provider-1/SiteManager-1 NGX (R60) Release Notes ...

Check Point® Provider-1/SiteManager-1 

NGX (R60) 

Release Notes 

October 26, 2005 

IMPORTANT 

Before you begin installation, read 

the latest available version of these release notes at: 

http://www.checkpoint.com/support/technical/documents/docs_prov1.html 

In This Document 

Information About This Release page 1 

What’s New page 8 

Clarifications and Limitations page 10 

Information About This Release 

This document contains important information not included in the documentation. Review 

this information before setting up Provider-1/SiteManager-1 NGX (R60). 

In This Section 

License Upgrade Requirement page 1 

NGX (R60) Products by Platform page 2 

Supported Upgrade Paths page 3 

Build Numbers page 3 

The Regular Expression (RX) Library page 4 

Minimum Hardware Requirements page 5 

Minimum Software Requirements page 7 

License Upgrade Requirement 

To upgrade to NGX (R60), you must first upgrade licenses for all NG products, as NGX 

(R60) will not function with licenses from previous versions. The utility 

pv1_license_upgrade is included on the CD at Tools/LicenseUpgrade/. See the 

Upgrade Guide for instructions. 

Copyright © 2005 Check Point Software Technologies, Ltd. All rights reserved.

Product 

NGX (R60) Products by Platform 

Solaris 

UltraSPARC 1 

8 

32/64 

bit 

9 Server 

64 bit 2003 

2000 

Advanced 

Server 

(SP1-4) 

Microsoft Windows 

2000 

Server 

(SP1-4) 

2000 

Professional 

(SP1-4) 

XP 

Home 

& 

Profes 

-sional 

RHEL 

3.0 

Notes to Products by Platform Table 

1) See “Minimum Software Requirements” on page 7 for Solaris platforms. 

Check 

Point 

Nokia 

2) The following SmartConsole Clients are not supported on Solaris UltraSPARC 8: 

Eventia Reporter Client, SmartView Monitor, SmartLSM and the SecureClient 

Packaging Tool. 

98 

SE 

& 

ME 

Hand- 

Held PC 

2000 & 

Pocket 

PC 2003 

kernel 

2.4.21 

Mac 

OS 

Secure IPSO 

Platform 3.9 X 

SmartConsole GUI X 2 X X X X X X X 

VPN-1 Pro Module 

X X X X X X X X 

.(including QoS, Policy Server) 

SmartCenter Server (incl. VSX) X X X X X X X X 3 

SmartPortal X X X X X X X 

SecuRemote X X X X X 

SecureClient X X X X X X X X 

ClusterXL (VPN-1 Pro.Module) X X X 4 X X X X X 5 

UserAuthority 

X X X X X X X X X X 6 

.(Management Add-on only) 

Eventia Reporter - Server X X X X X X X X 7 

SmartView Monitor X X X X X X X X 

VPN-1 Accelerator Driver II X X 

VPN-1 Accelerator Driver III X X X X X X X X 

Performance Pack X X X X 8 

SmartLSM - GUI X X X X X 

SmartLSM - Enabled 

X X X X X X X X 

.Management 

SmartLSM - Enabled ROBO 

X X X X X X 

.Gateways 

SmartLSM - Enabled CO X X X X X X X X 

.Gateways 

Advanced Routing X X 9 

SecureXL Turbocard 

X 10 

SSL Network Extender - Server X X X X X X X X 

SSL Network Extender - Client X X X 

Provider-1/SiteManager-1 X X X X 

Provider-1/SiteManager-1 GUI X X X X X X X 

OSE Supported Routers Nortel Versions: 7.x, 8.x, 9.x, 10.x, 11.x, 12.x, 13, 14 

Cisco OS Versions: 9.x, 10.x, 11.x, 12.x 

Release Notes for Check Point Provider-1/SiteManager-1 NGX (R60). Last Update — October 26, 2005 2

3) VPN-1 Edge devices cannot be managed from a SmartCenter server running Nokia 

IPSO. 

4) HA Legacy mode is not supported on Windows Server 2003. 

5) ClusterXL supported only in third party mode with VRRP or IP Clustering. 

6) UserAuthority is not supported on Nokia Diskless platforms. 

7) Only the Management Add-on of Eventia Reporter is supported on Nokia. Eventia 

Reporter is not supported on Nokia Diskless platforms. 

8) Nokia provides SecureXL as part of IPSO. 

9) Nokia provides Advanced Routing as part of IPSO. 

10) NGX-compatible Turbocard driver will be available in one of the first NGX HFAs. 

Supported Upgrade Paths 

The following table specifies the supported upgrade paths to Provider-1/SiteManager-1 

NGX (R60). 

Source Version 

See The Upgrade Guide for details on upgrading and migrating Provider-1/SiteManager-1 

components. 

Build Numbers 

'In-Place' 

Upgrade 

NG with Application Intelligence R55W Yes Yes 

NG with Application Intelligence R55 Yes Yes 

NG with Application Intelligence R54 Yes Yes 

VSX NG with Application Intelligence Release 2 Yes Yes 

VSX NG with Application Intelligence Yes Yes 

VSX 2.0.1 No No 

NG FP3 Yes Yes 

NG FP2 No Yes 

NG FP1 No Yes 

4.1 No No 

Migrate CMAs or 

SmartCenter Servers 

to NGX (R60) CMAs 

The following table lists all Provider-1/SiteManager-1 NGX (R60) software products 

available, and the build numbers as they are distributed on the product CD. To verify each 

product’s build number, use the given command format. 

Product Build No Command 


MDS 72 cpvinfo $MDSDIR/lib/libmds.so | grep "Build Number" 

MDG 269_1 Help > About Check Point Provider-1/SiteManager-1 

SmartConsole 654_1 

VPN-1 Pro 

457_4 (Windows) 

458_2 (all others) 

The Regular Expression (RX) Library 

Help > About Check Point SmartDashboard 

fw ver 

NGX (R60) uses the RX Library. You can download the library license agreement (LGPL) 

from: 

http://www.checkpoint.com/techsupport/downloads/docs/firewall1/r55/GNU_LGPL.pdf. 


Minimum Hardware Requirements 


Solaris Platforms page 5 

Linux Platforms page 5 

SecurePlatform page 6 

Windows Platforms page 6 

Solaris Platforms 

Minimum Requirements for Provider-1/SiteManager-1 MDS 

On Solaris platforms, the minimum hardware requirements for installing Provider-1/ 

SiteManager-1 MDS are: 

• UltraSPARC II 

• 800 MB free disk space for installation 

• 256 MB RAM 

• One or more network adapter cards 

• CD-ROM drive 

Minimum Requirements for Provider-1/SiteManager-1 MDG 

On Solaris platforms, the minimum hardware requirements for installing the MDG are: 

• UltraSPARC III 

• 100 MB free disk space for installation 

• 256 MB RAM 

• One network adapter card 


• 800 x 600 video adapter card 

Linux Platforms 


On Linux platforms, the minimum hardware requirements for installing Provider-1/ 

SiteManager-1 MDS: 

• Intel Pentium II 300 MHz or equivalent processor 

• 450 MB free disk space 

• 256 MB RAM 

• One or more network adapter cards 



SecurePlatform 


On SecurePlatform, the minimum hardware requirements for installing Provider-1/ 

SiteManager-1 MDS are: 

• Intel Pentium III 300+ MHz or equivalent processor 

• 4 GB free disk space 

• 256 MB RAM 

• One or more supported network adapter cards 



For details regarding SecurePlatform on specific hardware platforms, see http:// 

www.checkpoint.com/products/supported_platforms/recommended.html 

Windows Platforms 

Minimum Requirements for Provider-1/SiteManager-1 MDG 

On Windows platforms, the minimum hardware requirements for installing the MDG: 

• Intel Pentium II 300 MHz or equivalent processor 

• 100 MB free disk space 

• 256 MB RAM 

• One network adapter card 




Minimum Software Requirements 

Solaris Platform 

Required Packages 

• SUNWlibc 

• SUNWlibCx 

• SUNWter 

• SUNWadmc 

• SUNWadmfw 

Required Patches 

Solaris 8: the following patches (or newer) are required on Solaris 8 UltraSPARC 

platforms: 

Number System Notes 

108528-18 All If the patches 108528-17 and 113652-01 are installed, remove 

113652-01, and then install 108528-18. 

110380-03 All 

109147-18 All 

109326-07 All 

108434-01 32 bit 

108435-01 64 bit 

Solaris 9: the following patch (or newer) is required on Solaris 9 UltraSPARC platforms: 

Number System Notes 

112233-12 All 

112902-07 All 

116561-03 All Only if dmfe(7D) ethernet driver is defined on the machine 

To verify that you have these patches installed, use the command: 

showrev -p | grep 

The patches can be downloaded from: http://sunsolve.sun.com. Install the 32-bit patches 

before installing 64-bit patches. 

Linux Platform 

This release supports Red Hat Enterprise Linux 3.0. For Red Hat kernel installation 

instructions, visit: http://www.redhat.com/support/resources/howto/kernel-upgrade. 

Windows Platform 

This release requires that Service Packs be applied to Windows 2000 and Windows 2003 

systems. This release supports Service Packs SP1, SP2, SP3, and SP4. 


What’s New 


Unified Management page 8 

RedHat Enterprise Linux page 8 

SmartCenter Server can Backup CMA page 8 

Provider-1 Enterprise Edition License page 8 

Native Support of VSX-CMA Bundle License page 9 

Administrator Authentication page 9 

The mdscmd Utility page 9 

Eventia Reporter Support page 9 

Web-Based Access to SmartCenter — SmartPortal page 9 

Unified Management 

Provider-1/SiteManager-1 NGX (R60) supports the management of the following Check 

Point products: 

• VPN-1 Pro 

• VPN-1 Edge 

• VPN-1 VSX (NG with Application Intelligence Release 2 and below) 

• Web Intelligence 

RedHat Enterprise Linux 

MDS is now supported on RedHat Enterprise Linux 3.0 (MDSs are no longer supported 

on Linux 7.x). The upgrade from an existing MDS on Linux 7.x to the NGX (R60) MDS 

is described in the The Upgrade Guide. 

SmartCenter Server can Backup CMA 

A SmartCenter server can be configured to back up a Provider-1/SiteManager-1 CMA in 

High Availability configuration. The SmartCenter server can function as Active or Standby 

management for a Customer with one or two CMAs. For installation instructions see the 

Provider-1/SiteManager-1 User Guide. 

Provider-1 Enterprise Edition License 

Provider-1/SiteManager-1 NGX (R60) supports the new licenses for Provider-1 Enterprise 

Edition Products (Part Numbers CPMP-PRE-3-NG and CPMP-PRE-5-NG). 


Native Support of VSX-CMA Bundle License 

The VSX-CMA bundle license is a single license, installed on the MDS level, enabling the 

management of Virtual Systems. The new bundle license is available since version VPN 

VSX NG with Application Intelligence Release 2. Prior to that version, every CMA 

managing Virtual Systems required a separate license to be installed on the CMA level. 

Now, with the support of VSX-CMA bundle licenses, CMAs can use this new MDS level 

license for managing Virtual Systems. 

In a Multi-MDS environment, a separate VSX-CMA bundle license is required on every 

MDS that has CMAs managing Virtual Systems. The VSX-CMA bundle license enables the 

definition of CMAs that are dedicated to manage the licensed Virtual Systems, and the 

MDS Container for these CMAs. For example: a CPPR-VSX-CMA-100-NG license 

enables the management of 100 Virtual Systems, the definition of up to 100 CMAs 

dedicated for managing these Virtual Systems, and the definition of one additional CMA for 

managing the respective VSX gateway(s). 

Administrator Authentication 

New authentication methods are available for Provider-1 administrators when logging into 

MDS and CMAs with SmartConsole applications, using the following external 

authentication servers: 

• TACACS 

• TACACS+ 

• RADIUS 

Please refer to the Provider-1/SiteManager-1 User Guide for details. 

The mdscmd Utility 

New commands (enable/disable global use) have been added to the mdscmd utility. For 

more information, refer to the Provider-1/SiteManager-1 User Guide. 

Eventia Reporter Support 

Eventia Reporter supports Provider-1/SiteManager-1 NGX (R60) Standard reports. For 

details, see the Getting Started chapter of the Eventia Reporter User Guide. 

Web-Based Access to SmartCenter — SmartPortal 

SmartPortal is a web-based management tool providing a centralized view of security 

policies, network and security activity status. In Provider-1/SiteManager-1, a single 

SmartPortal server can be globally defined, enabling web-based access to the MDS and all 

CMAs. For details, see the SmartPortal documentation in the SmartCenter User Guide. 


Clarifications and Limitations 


Installation/Upgrade page 10 

Configuration page 12 

Licensing page 12 

Backup and Restore page 13 

Migrate page 13 

Multi-Customer Log Module (MLM) page 14 

Global Policy page 15 

Global VPN page 16 

Identical Internal CA keys page 18 

SmartUpdate page 19 

SmartPortal page 19 

Status Monitoring page 20 

Eventia Reporter page 20 

Miscellaneous page 20 

Installation/Upgrade 

1) Some of the issues reported by the Pre-Upgrade Verifier may require database 

modifications. To avoid having to repeat these changes, remember to synchronize your 

mirror MDSs/CMAs and perform the ‘install database to CLM’ processes. It is highly 

recommended that you read the “Upgrading in Multi MDS environment” section in 

The Upgrade Guide. 

2) Avoid using the Plug-and-Play license for the Provider-1 configuration and use EVAL 

licenses instead. 

3) Managing 4.1 gateways is not supported. 

4) After upgrading an MDS or MLM in a multi MDS environment, SmartDashboard 

displays CMA and CLM objects with the previous version, and the following error 

message appears when performing the operation Install Database: 

Install Database on Log Server can only be partially completed. 

To restore full functionality (full resolving and remote operations), upgrade 

the Log Server to be the same version as your Management Server. 

In order to update the CMA/CLM objects to the most recent version, use the 

following procedure after upgrading all MDS and/or MLM servers: 


1 Verify that all active CMAs are up and running with valid licenses, and that none of 

them currently has a SmartDashboard connected. 

2 Run the following commands in a root shell on each MDS/MLM server: 

a 

mdsenv 

b $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL 

3 Synchronize all Standby CMAs and SmartCenter Backup servers and install the 

database on the CLMs. 

In some cases, the MDG will display CMAs with the version that was used before the 

upgrade. To resolve this issue, after performing steps 1 - 3, do the following: 

1 Make sure that each CMA that displays the wrong version is synchronized with the 

Customer's other CMAs. 

2 Restart the MDS containers hosting the problematic CMAs by executing the 

following commands in a root shell: 

a 

mdsenv 

b mdsstop –m 

c mdsstart -m 

5) When upgrading to NGX R60, all SmartUpdate packages on the MDS (excluding 

SofaWare firmware packages) are deleted from the SmartUpdate Repository. 

6) Management of FireWall-1 4.1 gateways and VPN-1 Net gateways is no longer 

supported in NGX (R60). Prior to upgrading configurations that contain such 

gateways, the gateways need to be upgraded to the supported products/ versions. Since 

the pre-upgrade verification tools will not allow the upgrade to proceed as long as such 

gateways exist in the configuration database, the objects either need to be deleted from 

the source management or updated to represent a supported product/ version. If the 

objects are updated for the sake of allowing the upgrade to proceed, management of the 

gateways will not be allowed until the gateway software and license is upgraded as well. 

Please also note that configurations that contain externally managed FireWall-1 4.1 

gateways cannot be upgraded to NGX. To allow the upgrade to proceed, these objects 

need to be updated to represent a supported version. 

7) After upgrading an R55 SmartCenter server that manages VPN-1 Edge devices to 

NGX (R60), immediately reinstall policy to all VPN-1 Edge devices and Profiles to 

avoid loss of connectivity. 


Platform Specific Installation/Upgrade Issues — Solaris 

8) To upgrade from Provider-1/SiteManager-1 NG FP3, be sure that Hotfix 2 has been 

installed. 

9) Starting with NG with Application Intelligence, Customer names can no longer contain 

spaces and special characters. When upgrading to NGX (R60), this limitation is 

examined by the Pre-Upgrade Verifier, and if required an interactive tool for renaming 

Customer names during the upgrade is offered. Additional details describing this tool 

can be found in the “Upgrading Provider-1” chapter of The Upgrade Guide. 

10) Provider-1/SiteManager-1 NGX (R60) is not supported on Solaris 2.6. Be sure to 

upgrade the OS before running the command mds_setup. 

Configuration 

Licensing 

11) In the SecurePlatform installation, the default maximum number of file handles is set to 

65536. This also applies to standard Linux installations, but the default number may 

vary. 

For Provider-1/SiteManager-1 installations with a large number of CMAs, 65536 file 

handles may be insufficient. Indications that the system may not have enough available 

file handles can be failure of processes to start, and/or crashes of random processes. 

• To check if insufficient file handles is indeed the problem, enter the following 

command from root or expert mode: 

# cat /proc/sys/fs/file-nr 

This command prints three numbers to the screen. If the middle number is close to 

zero, or the left number equals the rightmost number, it is required to increase the 

maximum number of file handles. 

• To increase the maximum number of file handles, enter the following command 

from root or expert mode: 

# echo 131072 > /proc/sys/fs/file-max 

The number above is for demonstration purposes; the actual figure should be derived 

from the amount of memory and the number of CMAs. 

12) If you upgrade licenses after upgrading the MDS, the upgraded licenses will not be 

displayed in the MDG until after restarting the MDS. 

13) Under rare circumstances, a CMA license may not appear in the SmartUpdate view of 

the MDG, and yet appear in SmartUpdate when launched from the CMA. If this 

happens, do the following: 


1 From the command line in the CMA environment, use the cplic command to 

remove the missing license, and then add it again. 

2 In SmartUpdate, right-click the CMA and select Get Licenses. 

Backup and Restore 

Migrate 

14) To backup an MDS configuration, or replicate it to another station, use the mds_backup 

utility. To restore this backup on a new station, first perform a fresh install (using 

mds_setup), and then use the mds_restore utility. 

15) Before running the mds_backup utility, make sure that no SmartConsole Clients are 

running. 

16) A backup file created on a Solaris platform with the mds_backup command cannot be 

restored on a Linux platform, nor vice-versa. A backup made by mds_backup on Linux 

can be restored on SecurePlatform and vice-versa. 

Platform Specific Backup and Restore Issues — SecurePlatform 

17) When performing a backup and restore operation on SecurePlatform, do the following 

(refer to the SecurePlatform Guide for detailed instructions): 

1 Backup the SecurePlatform configuration. 

2 Move the backup files to another machine. 

3 Perform clean installations of the SecurePlatform OS and Provider-1/SiteManager-1. 

4 Restore the SecurePlatform configuration. 

18) After migrating a SmartCenter server running on a Nokia platform to an NGX (R60) 

CMA, the VPN-1 Edge objects and Profiles creation option from SmartDashboard is not 

available. See SecureKnowledge SK26484 for more information. 

19) Migrating a CMA/SmartCenter database to a Provider-1 CMA disables the CMA's PnP 

license, if any. 

20) Migration of a CMA is not supported when VSX objects exist in the database. 

21) After migrating Global Policies and CMAs that contain Global VPN Community, the 

VPN Communities mode of the Global Policies view in the MDG may not display all 

gateways participating in the Global VPN Communities. To resolve this issue, after 

completing the migration of all relevant configuration databases and starting the MDS 

and the CMA processes, issue the following commands in the root shell on the MDS: 

1 mdsenv 


2 fwm mds rebuild_global_communities_status all 

22) When migrating complex databases, the MDG may timeout with the error message 

Failed to import Customer Management Add-on, even when the migration process 

continues and is successful. Therefore, when migrating large databases, it is 

recommended that you run the migrate operation from the command line. See the 

cma_migrate command in The Upgrade Guide. 

23) A pre-upgrade verification procedure is executed before actually migrating the database. 

If errors are found that prevent the upgrade, the migration operation is aborted and you 

are notified of changes that need to be made. The migrate procedure cannot proceed 

until requested changes are made on the source database. More information is available 

in the “Upgrading Provider-1” chapter of The Upgrade Guide. 

24) The migrate_assist utility reports missing files, depending on FTP server type. If files 

are missing, copy the relevant files manually. More information regarding the relevant 

files and the directory structure is available in the “Upgrading Provider-1” chapter of 

The Upgrade Guide. 

25) Before migrating the global database, if there are Global VPN Communities in the 

source database or in the target database, it is highly recommended that you read the 

“Gradual Upgrade with Global VPN Considerations” section of The Upgrade Guide. 

26) The migrate operation preserves the Internal Certificate Authority database. Therefore, 

migrating the same SmartCenter/CMA to multiple CMAs actually duplicates the 

Certificate Authority. To remedy this situation, perform fwm sic_reset after the 

migration, as described in SecureKnowledge SK17197. 

27) If you delete a CMA that has been migrated from an existing CMA or SmartCenter 

database, and then want to recreate it, first create a new Customer with a new name. 

Add a new CMA to the new Customer and import the existing CMA or SmartCenter 

database into the new CMA. 

28) After migrating SmartCenter or CMA databases with SmartLSM data, execute the 

command LSMenabler on on the CMA. 

29) After migrating a SmartCenter database which contains SmartDashboard administrators 

or administrator group objects, these objects remain in the database but are not 

displayed in SmartDashboard. As the CMA is managed by Customer Administrators via 

the MDG and not via SmartDashboard, these objects are irrelevant to the CMA. 

However, if you need to delete or edit one of these objects, use dbedit or GuiDBedit to 

do so. 

Multi-Customer Log Module (MLM) 

30) If a CLM on an MLM fails to start, even though you have a license, consult SK23736 

to resolve this issue. 


Global Policy 

31) Before upgrading to NGX (R60), if you have global network objects configured as Web 

Servers, the following operations must be performed: 

1 Uncheck the Web Server property in the General Properties of these objects in 

Global SmartDashboard. 

2 Synchronize the global databases. 

3 Reassign global policies. 

4 Synchronize all Mirror CMAs with their Primary CMAs. 

5 Install databases on all CLMs. 

32) When deleting a Check Point host object created in Global SmartDashboard that has 

the same name as one of the MDS/MLM servers, the SIC certificate of the matching 

MDS/MLM server may be revoked. To avoid this situation, refrain from defining Check 

Point host objects with names identical to MDS/MLM servers in the system. If the 

certificate of one of the MDS/MLM servers is revoked, see SecureKnowledge SK24204 

to remedy the situation. 

33) Avoid circular references in the Global Policy, as this will cause its assignment to fail. 

34) To ensure the integrity of Global Policies, only Provider-1 Superuser and Customer 

Superuser administrators are allowed to perform a Database Revision Control operation 

on a CMA. This is to ensure that a lower level administrator does not change the 

Global Policy assigned to a Customer. This is not a limitation, but rather an effect of 

the administrator’s permission hierarchy. 

35) Assigning a Global Policy to Customers may be a heavy operation. For this reason, it is 

recommended that you use MDG: Manage > Provider-1/SiteManager-1 Properties > Global 

Policies and configure Perform Policy operations on 1 customers at a time. For 

information about an MDS machine that includes a large amount of CMAs and big 

databases (global database and local CMAs' databases), refer to Hardware Requirements and 

Recommendations in the Provider-1/SiteManager-1 User Guide. 

36) When installing policy from the MDG using the Assign/ Install Global Policy operation, 

the Security Policy is not installed on VPN-1 Edge profiles. Use SmartDashboard to 

install policy to VPN-1 Edge profiles. 

37) When creating Connectra gateway objects (like other gateway objects, such as VPN-1, 

VPN-1 Edge, and Interspect), be sure to do so using the CMA SmartDashboard. 

Defining Connectra objects in Global SmartDashboard is not supported. 


38) In NG FP1, when a Global Policy is assigned to a CMA, a default global service object 

may replace its respective local service object in a local policy. If the default definition 

of these service objects was changed, such that they are no longer equivalent, then this 

might change the enforced policy in an unexpected way. 

Global VPN 

This problem is not eliminated when upgrading (or migrating) to NG FP2 or to NG 

FP3. 

The mds_setup upgrade process automatically runs a pre-upgrade detector, which 

detects this problem, optionally fixes the conflicting objects, and instructs you to how to 

proceed. The Upgrade will proceed only on valid databases. 

• When upgrading MDS servers to NGX (R60), the default services are upgraded 

correctly. 

• When migrating CMA databases that contain this problem to NGX (R60), the 

migration process automatically detects the problem and will not allow the migration 

until the problem is resolved. The fix in this case would be to implement SK18517 

on the source CMA. 

• If you have already upgraded from NG FP1 to NG FP3 Edition1 or Edition2 

(whether or not you upgraded to NG FP2 in between), you are required to install 

Provider-1/SiteManager-1 FP3 HF2. See SecureKnowledge SK16866 for more 

details. 

39) Simplified VPN Mode Policies cannot work with gateways from versions prior to FP2. 

You cannot assign a Global Simplified VPN Mode Policy to a CMA with gateways of 

version FP2 or lower. 

40) Global VPN Communities do not support shared secret authentication. 

41) Only Globally-enabled gateways can participate in Global VPN Communities. Gateway 

authentication is automatically defined using the CMA’s Internal Certificate Authority. 

Third-party Certificate Authorities are not supported. 

42) VPN-1 Edge gateways cannot participate in Global VPN Communities. 

43) Currently an external gateway can fetch CRL only according to the FQDN. Therefore, 

a peer gateway would fail to fetch a CRL when the primary CMA is down (even if the 

mirror CMA is operational). To avoid this scenario, you can change the FQDN to a 

resolvable DNS name by executing the following commands: 

1 mdsenv 

2 Run cpconfig and select the menu item Certificate Authority 


44) After enabling a module for global use from the MDG, install a policy on the module 

or use the Install Database operation on the management server in order for its VPN 

domain to be calculated. 

45) When migrating a CMA, all CMAs that participate in a Global VPN Community must 

be migrated as well. If you do not migrate all relevant CMAs, it will affect Global 

Community functionality and maintenance. 

46) A globally enabled gateway can be added to a Global VPN Community from Global 

SmartDashboard only through the community object and not from the VPN tab of the 

object. 

47) When a VPN Simplified Mode Global Policy is assigned to a Customer, all of the 

Customer’s Security Policies must be VPN Simplified as well. 

48) If the Install policy on gateway operation takes place while the MDS is down, the status 

of this gateway in the Global VPN Communities view is not updated. 

49) Performing a sic_reset operation on a Customer's CMA resets the Customer's Internal 

CA (Certificate Authority), and revokes all the certificates that were ever issued by this 

CA. For this reason, sic_reset should be avoided and should be done only in rare 

cases. 

Before performing this operation on a CMA, you must first remove the IKE certificates 

of all the VPN gateways. This change to gateway properties is blocked for gateways 

enabled for Global Use. The following procedure describes the steps to be taken to 

ensure the correct operation of Global VPN Communities when performing the 

sic_reset operation. 

Before Running the sic_reset Command 

1 In Global SmartDashboard, ensure that the VPN-1 gateway and encryption domain 

objects (of the Customer whose CA is to be reset) are removed from all Global VPN 

Communities and from security rules. Then save the Global Policy. 

2 In the MDG, disable these gateways from Global Use. 

3 Re-assign the Global Policy to the Customer owning the CMA that sic_reset is 

being performed on. 

4 In the CMA SmartDashboard, for each of the VPN-enabled gateways, open the 

VPN tab and remove all VPN communities from the list. Click OK. Then open the 

General Properties and uncheck the VPN checkbox in the Check Point products 

list. After unchecking the checkboxes, you can safely ignore warnings regarding the 

Certificates, IKE Matching Criteria and the defined encryption key. Save the policy. 


5 On the MDS computer, open a root shell and switch to CMA's environment using 

the command mdsenv , where is the name of the CMA to 

be reset. 

Run the sic_reset Command 

6 Execute the sic_reset operation using the command fwm sic_reset. While 

executing the command, read the displayed warnings and explanations carefully and 

proceed with all the operations required to complete the command. 

After Running the sic_reset Command 

7 Re-create the internal CA using the command: 

mdsconfig -ca 

where is the name of the CMA to be reset, and is the CMA's 

Virtual IP address. 

8 Start the CMA. 

9 In the SmartDashboard of the CMA, for all participating gateways (modified during 

step 4), check the VPN checkbox in the Check Point products list. After checking 

the checkboxes, please ignore warnings regarding creation of an internal CA 

certificate. Save the policy. Close SmartDashboard. 

10In the MDG, enable all the participating gateways (that were disabled during step 2) 

for Global Use. 

11In Global SmartDashboard, restore all rules and references to the gateways that were 

removed during step 1. Save the changes to the Global Policy. 

12Re-assign the Global Policy to all the Customers participating in the Global VPN 

Communities with the Customer whose CA has been reset, and re-install the policy 

on all gateways participating in the Global VPN. 

50) Enabling and disabling global use of a gateway that belongs to a Customer with a CMA 

High Availability configuration via the command mdscmd is supported only when the 

MDG is launched from one of the MDSs in the Multi MDS environment. 

51) When using VPN-1 VSX Virtual Systems in Global VPN Communities, the operating 

system and version displayed on objects representing Virtual Systems in peer CMAs is 

incorrect. This information can be safely ignored. 

Identical Internal CA keys 

52) It is possible to create a situation where multiple CMAs will have identical CA keys 

(although the CA names will be different). This situation may prevent site-to-site IKE 

VPN between two gateways managed by two CMAs with the same CA key. 


SmartUpdate 

Such a situation can be created in the following ways: 

• Multiple CMAs are created within the first hour after the MDS installation (or after 

its upgrade from 4.1). Affected versions: all NG versions, until (but not including) 

FP3. 

• The same CMA (or SmartCenter) is migrated many times into the same Provider-1 

system. Affected versions: All NG and later versions. 

CA keys are retained across upgrades, so upgrading an affected system will not change 

the problematic situation. 

The following solutions are available: 

• A fresh installation is not affected by multiple CMAs created within the first hour. 

Multiple CMAs can safely be created right after the installation. 

• In an upgrade scenario, the mds_setup process will automatically detect if the 

original system is affected. If detected, it will issue a detailed warning, and will refer 

you to the relevant SK. 

• The NGX (R60) package includes commands for manual invocation of the detection 

tool. The detector can be run on any of the affected versions: NG FP1/HF1, FP2 

and FP3. See SecureKnowledge SK17196 for details. 

53) Firmware packages cannot be deleted from the SmartUpdate repository. In order to 

delete packages, see SecureKnowledge SK30650. 

54) When using the MDG’s SmartUpdate view, packages are added to the SmartUpdate 

repository of the MDS to which the MDG is connected. When in a Multi-MDS 

environment, make sure that each SmartUpdate package is added to each MDS 

individually. When adding SofaWare firmware packages in such an environment, a 

package added to one MDS will appear to have been added to all other MDSs. In this 

case as well, make sure that each firmware package is added to each MDS individually. 

55) After detaching a Central license from a CMA using the SmartUpdate view, the license 

remains in the License Repository, and therefore cannot be added again to the CMA 

from the MDG General view. To add it again, reattach the license using SmartUpdate. 

56) SmartUpdate packages cannot be added to the MDS Package repository if no CMAs are 

defined. Before populating an MDS's SmartUpdate repository with packages, define at 

least one CMA. 

SmartPortal 

57) When using Management High Availability (between a SmartCenter server and either a 

CMA or an MDS), change over may not succeed when SmartPortal is connected in 

Read/Write mode. To resolve this issue, do one of the following: 


• Only allow access from SmartPortal to Read-only administrators 

• Disconnect Read/Write SmartPortal clients from SmartView Monitor 

Status Monitoring 

58) A CMA will report the status Waiting until it is started for the first time. 

59) In a CMA High Availability configuration, the High Availability synchronization status 

in the MDG may contain inconsistent values if valid licenses have not been installed. If 

this is the case, the synchronization status should be ignored. In order to operate, 

however, all CMAs must have valid licenses. 

60) SmartView Monitor displays invalid statuses when connecting to a CLM. To view 

Customer statuses using SmartView Monitor, connect to a CMA. 

Eventia Reporter 

61) As Eventia Reporter data is not synchronized on multiple MDSs in High Availability 

configurations, Eventia Reporter should be set to work with just one MDS. To do so, 

install the Eventia Reporter Add-on on one MDS only, and log into this MDS 

whenever using the Eventia Reporter client. 

62) You must log into the Eventia Reporter client using a Provider-1 Superuser administrator 

account, or a Customer Superuser administrator account. Other administrator types are 

not supported. 

63) Only one Eventia Reporter server is supported. Do not define more than one Eventia 

Reporter server in Global SmartDashboard. 

64) For Eventia Reporter to function properly, all Customers must have a Global Policy 

assigned to them. If a Customer has not been assigned a Global Policy, all reports 

generated for this Customer will fail with the following error: 

Could not retrieve CMA for customer . CMA is either stopped or 

standby. 

Miscellaneous 

65) In a CMA High Availability configuration, the MDG may variably report the status of 

VPN-1 Edge gateways as either OK or Not Responding. To see the correct status, open 

SmartView Monitor on the Active management. 

66) Certificates for Provider-1 administrators should be created only from an MDG 

connected to the MDS that currently hosts the active global database. 

67) A VSX gateway cannot be deleted with a license attached, and attempting to do so 

causes a non-specific error message to appear. To delete the gateway, first detach the 

license using SmartUpdate or the CLI. 


68) When working with a large CMA database, synchronizing this database may take some 

time. If you create a second CMA from the MDG it may seem that the operation was 

not successful on account of the timeout, when in fact the operation was done within a 

set period of time. 

To make sure that this operation finished successfully after the MDG's timeout: 

1 Wait until the second CMA is displayed on the MDG, with a Started status. 

2 From SmartDashboard, connect to the active CMA. 

3 Select Policy > Management High Availability and in the displayed window verify that 

the standby CMA's Status is Synchronized. 

69) When in demo mode on a Solaris system, trying to launch SmartConsole applications 

from the MDG may result in the following error: The connection has been refused 

because the database could not be opened. To work with SmartConsole applications 

in demo mode, open them from the command line without using the launching option 

through the MDG. The SmartConsole applications are installed under $GUIDIR/bin. For 

Global SmartDashboard, use the following syntax from the command line: $GUIDIR/ 

bin/PolicyEditor "connect *local localuser localpass /global" 

70) The cp_merge utility is not supported in Provider-1/SiteManager-1. 

71) In certain situations, after stopping CMA processes, the VPN-1 Edge management 

processes sms and smsstart_wd continue running. These processes should be terminated 

with the kill utility. 

72) CPInfo is a support tool included on the Provider-1 NGX CD that gathers a wide 

range of data concerning the Check Point packages in your system. When speaking 

with a Check Point Technical Support Engineer, you may be asked to run CPInfo and 

transmit the data to the Support Center. To use CPInfo on the MDS machine, install 

the CPInfo package using the commands pkgrm or rpm (according to the OS of the 

MDS). After installing CPInfo, if you should need to uninstall the MDS, be sure to 

uninstall CPInfo first using pkgrm or rpm.

Check Point® Provider-1/SiteManager-1 NGX (R60) Release Notes ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?