NGX R65 Release Notes - Check Point
Check Point NGX R65 Known Limitations Supplement
Revised: February 4, 2008
This Known Limitations Supplement provides essential operating requirements and describes known issues for VPN-1/FireWall-1 NGX R65. Review this information before setting up VPN-1/FireWall-1 NGX R65.
Note - Before you begin installation, read the latest available version of these release notes at http://www.checkpoint.com/support/
In This Document
Information About This Document
Previously Published Clarifications and Limitations
Documentation Feedback
Copyright © February 4, 2008 Check Point Software Technologies, Ltd. All rights reserved
Information About This Document
This document contains known limitations from versions prior to NGX R65 that are relevant for this release. Before setting up NGX R65, review this information in conjunction with the latest NGX R65 Release Notes, available at http://www.checkpoint.com/support/technical/documents/index.html.
Previously Published Clarifications and Limitations
In This Section
ClusterXL
Endpoint Security
Eventia Suite
Firewall
Provider-1/SiteManager-1
SecureXL
SmartCenter Server
SmartPortal
SmartUpdate
UTM-1 Edge
VPN
VPN-1 Power VSX
VPN-1/FireWall-1 NGX R65 Known Limitations Supplement. Last Update — February 4, 2008 5:37 pm
ClusterXL
In This Section
Authentication
Configuration
ConnectControl
General
High Availability
ISP Redundancy
Load Sharing
Platform Specific — Nokia
Platform Specific — Solaris
Platform Specific — Windows
Policy Installation
Security Servers
Services
SmartConsole
State Synchronization
Unsupported Features
VPN-1 Clusters
Authentication
1. When performing manual client authentication (using port 900) to a cluster where the IP addresses of the members are not routable, the URLs returned in the HTML from the replying cluster member contain the non-routable IP address of the member instead of the cluster IP address, and subsequent operations fail. The workaround is to configure the cluster to use a domain name instead of an IP address in the client authentication HTML pages, using the ahttpclientd_redirected_url global property. Make sure that your DNS servers resolve this domain name to the IP address of the cluster.
2. Issues may arise when using automatic or partially automatic client authentication for HTTP on Load Sharing clusters (both ClusterXL and OPSEC clusters). A workaround is to define a decision function based only on IP addresses so that connections can open. For ClusterXL, go to the ClusterXL tab > Load Sharing > Advanced, and select IPs only. For OPSEC clusters, refer to the product documentation.
Configuration
3. In the Rule Base, when a cluster object is added to the Source or Destination column of a rule, that rule applies only to the cluster addresses. If the rule also needs to apply to the cluster member addresses, add the member objects to the rule as well.
4. To use manual client authentication through HTTP in a cluster environment, set the database property hclient_enable_new_interface to true. This forces the HTTP client authentication daemon to ask for both the user name and the password on the same HTML page. When the IP addresses of the cluster members are not routable, the URLs returned in the HTML from the replying cluster member contain the non-routable IP address of the member instead of the IP address of the cluster, and subsequent operations fail. The workaround in this case is to configure the cluster to use a domain name, using the ahttpclientd_redirected_url global property. Make sure that your DNS servers resolve this domain name to the cluster's IP address.
5. Use the commands cpstop and cpstart instead of cprestart on cluster configurations. The command cprestart is not supported on cluster members.
6. A cluster IP interface or a synchronization network interface cannot be defined as a non-monitored (i.e., disconnected) interface.
7. Acceleration is not supported when using ClusterXL Load Sharing with the Sticky Decision Function (SDF). When SDF is enabled, acceleration is automatically turned off. To re-enable acceleration, first make sure acceleration is enabled by running the cpconfig configuration tool. Then disable SDF (in SmartDashboard, edit the Gateway Cluster object, select the ClusterXL page, and click Advanced), and install the new Security Policy twice. Installing the Security Policy twice is also required when moving from ClusterXL Load Sharing with SDF to ClusterXL High Availability while acceleration is turned on.
8. When defining VLAN tags on an interface, cluster IP addresses can be defined only on the VLAN interfaces (the tagged interfaces). Defining a cluster IP address on a physical interface that has VLANs is not supported. The physical interface should be defined with the Network Objective Monitored Private on ClusterXL clusters and as Private on third-party clusters.
9. When setting an interface whose current Network Objective is Sync to Non-Monitored Private, setting another interface's Network Objective to Sync, and installing policy, the status of the cluster members changes to Active Attention and Down. To avoid this issue, make this configuration change in two phases:
1. Set the interface with the Network Objective of Sync to Monitored Private (instead of Non-Monitored) and the other interface's Network Objective to Sync, and install policy.
2. Reconfigure the Monitored Private interface to Non-Monitored and install policy again.
10. When defining a Sync interface on a VLAN interface, it can only be defined on the lowest VLAN tag on a physical interface.
11. Defining the lowest VLAN tag on a physical interface as disconnected (Non-Monitored Private) is not supported.
12. Defining a Sync interface on a VLAN interface is not supported on Nokia clusters and on other third party clusters.
13. A cluster object must contain two or more gateways. If configuring only one gateway, do not configure a cluster.
ConnectControl
14. The Server Load balance method is not supported.
15. The Domain balance method is not supported for Logical Servers.
16. If a Logical Server is configured with an IP address that belongs to the external network of the gateway, no Automatic Proxy ARP is configured on the gateway for the IP address of the Logical Server. As a result there is no communication to the Logical Server from external hosts. To resolve this issue, manually configure Proxy ARP using the file $FWDIR/conf/local.arp. See "Automatic Proxy ARP" in the ClusterXL User Guide for local.arp file configuration instructions.
17. Logical Servers are not supported in conjunction with Security Servers.
18. When configuring Server Availability for ConnectControl (SmartDashboard > Policy menu > Global Properties > ConnectControl), the value for the Server availability check interval must be a multiple of 5 and no less than 15.
General
1. In certain cases, installing policy on a cluster member may cause its state to change, and a failover may subsequently occur. To prevent this situation, modify the firewall global parameter fwha_freeze_state_machine_timeout. This parameter sets the number of seconds during policy installation in which no state changes (including the "false" failover) occur. Set this parameter to the shortest period which eliminates the issue; the recommended value is 30 seconds.
2. Performing an SNMP query on both the cluster's IP address and on the members' IP addresses concurrently is not supported. The SNMP query can only be run on one or the other at a time. Alternatively, wait for the UDP virtual session timeout between the SNMP queries on the different IP addresses. This timeout defaults to 40 seconds and can be set in Global Properties > Stateful Inspection.
High Availability
3. In Legacy High Availability mode for ClusterXL, MAC address synchronization is not supported for VLAN tagged interfaces. Use New High Availability mode, or manually configure the MAC addresses of the interfaces using the ifconfig CLI or the WebUI.
4. Issuing a Stop Member command in SmartView Monitor performs the cphastop command on that member. Among other things, this disables the State Synchronization mechanism. Any connections opened while the member is stopped will not survive a failover event, even if the member is restarted using cphastart. Connections opened after the member is restarted are synchronized as normal.
ISP Redundancy
5. In a ClusterXL ISP Redundancy configuration, the names of the external interfaces of all cluster members must be identical and must correspond to the names of the external interfaces of the cluster object. For example, if the cluster object has two external interfaces called eth0 and eth1 which are connected to ISP-1 and ISP-2 respectively, each cluster member must have two external interfaces called eth0 and eth1 connected to ISP-1 and ISP-2 respectively.
Load Sharing
6. Under load, TCP packet out of state messages may appear in the logs. Each case has a specific remedy; refer to the "Firewall and SmartDefense" guide for a full explanation and the security implications.
• message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-ACK
• message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-PUSH-ACK
In SmartDashboard > Global Properties > Stateful Inspection, increase the TCP end timeout. The recommended value is 60 seconds. If there are many connections, consider enlarging the connection table size in the same ratio as the TCP end timeout.
• message_info: SYN packet for established connection
Run the command: fw ctl set int fw_trust_rst_on_port <port>
When a single port is not enough, you can set the port number to -1, meaning that a reset from every port is trusted. Trusting RST packets from every port widens the set of packets that can close a tracked connection, so prefer a specific port where possible and weigh the -1 setting against the security implications described in that guide.
• For other out of state messages:
Run the command: fw ctl set int fwconn_merge_all_syncs 1. This allows a more reliable way of merging TCP states across asymmetric connections.
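The following is an added example and is not part of the Check Point release notes: a small POSIX shell script that classifies the out-of-state messages listed in item 6 against the remedy the notes give for each, and that applies a kernel parameter both at runtime (fw ctl set int, as item 6 describes) and persistently (which General item 1's fwha_freeze_state_machine_timeout also needs). Assumptions not stated on this page: the message strings are matched as they appear in the message_info field; the sample log lines are constructed for the dry run; and persistent kernel parameters are read from $FWDIR/boot/modules/fwkern.conf as name=value lines, which is the usual location for this version but should be verified against your installation. fw ctl set int on its own does not survive a reboot.

```shell
#!/bin/sh
# Added example, not from the Check Point release notes: triage the
# "TCP packet out of state" messages from item 6 and persist the kernel
# parameters that item 6 and General item 1 tell you to set.
# Assumptions (not stated by the notes): the strings below are the
# message_info text as shown in SmartView Tracker, and persistent kernel
# parameters live in $FWDIR/boot/modules/fwkern.conf as name=value lines.

# Map one message to the remedy the notes give for it. Prints one of:
#   tcp_end_timeout        - raise TCP end timeout in Global Properties
#   fw_trust_rst_on_port   - fw ctl set int fw_trust_rst_on_port <port>
#   fwconn_merge_all_syncs - fw ctl set int fwconn_merge_all_syncs 1
#   unrelated              - not an out-of-state message at all
classify_out_of_state() {
    case "$1" in
        *"irst packet isn't SYN"*tcp_flags:*FIN*ACK*) echo tcp_end_timeout ;;
        *"SYN packet for established connection"*)   echo fw_trust_rst_on_port ;;
        *"out of state"*)                            echo fwconn_merge_all_syncs ;;
        *)                                           echo unrelated ;;
    esac
}

# Count remedies over a stream of log lines (one message per line).
# Output: "<count> <remedy>" lines, sorted by remedy name.
summarize_out_of_state() {
    while IFS= read -r line; do
        classify_out_of_state "$line"
    done | sort | uniq -c | awk '{ print $1, $2 }' | sort -k 2
}

# Constructed sample of message_info values for a dry run (not real logs).
sample_log() {
    printf '%s\n' \
        "TCP packet out of state - first packet isn't SYN tcp_flags: FIN-ACK" \
        "TCP packet out of state - first packet isn't SYN tcp_flags: FIN-PUSH-ACK" \
        "SYN packet for established connection" \
        "TCP packet out of state - first packet isn't SYN tcp_flags: PUSH-ACK" \
        "Accept; rule: 12; src: 10.1.1.5"
}

# Write NAME=VALUE into an fwkern.conf-style file: replace an existing
# NAME= line or append one, so running it twice never leaves duplicates.
persist_kernel_param() {
    conf=$1 name=$2 value=$3
    [ -f "$conf" ] || : > "$conf"
    if grep -q "^${name}=" "$conf"; then
        sed "s/^${name}=.*/${name}=${value}/" "$conf" > "$conf.$$" && mv "$conf.$$" "$conf"
    else
        printf '%s=%s\n' "$name" "$value" >> "$conf"
    fi
}

# Set a parameter in the running kernel (only when the fw tool exists; a
# no-op on a workstation) and then persist it, because fw ctl set int alone
# is lost at reboot. Usage: apply_kernel_param fwha_freeze_state_machine_timeout 30
apply_kernel_param() {
    name=$1 value=$2
    conf=${3:-${FWDIR:?FWDIR is not set}/boot/modules/fwkern.conf}
    if command -v fw >/dev/null 2>&1; then
        fw ctl set int "$name" "$value" || return 1
    fi
    persist_kernel_param "$conf" "$name" "$value"
}

# Dry run on the constructed sample: expect 2 tcp_end_timeout,
# 1 fw_trust_rst_on_port, 1 fwconn_merge_all_syncs, 1 unrelated.
sample_log | summarize_out_of_state
```

Feed real message_info values to summarize_out_of_state (one per line, for example an export from SmartView Tracker) to see which of the three remedies dominates before changing anything; then apply the parameter with apply_kernel_param so that it is both live and in fwkern.conf.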
7. When employing SecurID for authentication, it is recommended to define each cluster member with its own unique (internal) IP address separately on the ACE/Server. In addition, so that packets are sent to the ACE/Server with the members' unique IP addresses and not the VIP address, edit the file table.def, located in $FWDIR/lib. On the line starting with no_hide_services_ports, add the ACE/Server service to the set, for example no_hide_services_ports = { <5500, 17> }, where 5500 is the service port and 17 (UDP) is the protocol.
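An added example for item 7, not taken from the release notes: an awk-based edit that adds a <port, proto> entry to the no_hide_services_ports set in table.def without dropping the entries already in the set, and that leaves the file unchanged if the entry is already present. The set syntax assumed is the one item 7 shows, no_hide_services_ports = { <port, proto>, ... }; the sample file content in the usage is constructed, not a copy of a real table.def. Back up table.def before editing it.

```shell
#!/bin/sh
# Added example (not from the release notes): merge one <port, proto> pair
# into the no_hide_services_ports set of a table.def-style file.
# Assumed line format:  no_hide_services_ports = { <4500,17>, <500,17> };

# Print the file with the entry merged in. Returns 1 if no
# no_hide_services_ports line exists (nothing is changed in that case).
add_no_hide_service() {
    file=$1 port=$2 proto=$3
    awk -v entry="<${port}, ${proto}>" '
        /^no_hide_services_ports[[:space:]]*=/ {
            found = 1
            line = $0
            # compare with whitespace removed so <500,17> and <500, 17> match
            norm = line; gsub(/[[:space:]]/, "", norm)
            key = entry;  gsub(/[[:space:]]/, "", key)
            if (index(norm, key) == 0) {
                if (norm ~ /\{\}/) {
                    # empty set: { } -> { <port, proto> }
                    sub(/\{[[:space:]]*\}/, "{ " entry " }", line)
                } else {
                    # non-empty set: insert before the closing brace
                    sub(/[[:space:]]*\}/, ", " entry " }", line)
                }
            }
            print line
            next
        }
        { print }
        END { exit (found ? 0 : 1) }
    ' "$file"
}

# Edit in place, keeping a .bak copy of the original next to it.
add_no_hide_service_inplace() {
    file=$1
    cp "$file" "$file.bak" && add_no_hide_service "$file.bak" "$2" "$3" > "$file"
}

# Usage on a constructed sample (a real table.def has many more entries):
#   printf 'no_hide_services_ports = { <4500,17>, <500,17> };\n' > /tmp/table.def
#   add_no_hide_service_inplace /tmp/table.def 5500 17
#   -> no_hide_services_ports = { <4500,17>, <500,17>, <5500, 17> };
```

After editing the real $FWDIR/lib/table.def, install policy so the gateway picks up the change, and keep the .bak copy: the file is replaced by upgrades, so the edit has to be re-applied afterwards.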
8. For the first few seconds of an asymmetric connection, server-to-client packets are not accelerated. An asymmetric connection, such as an FTP data connection through an accelerated ClusterXL cluster, is one where the server-to-client side is handled by a different member than the client-to-server side. Asymmetric connections are only opened when using VPN or static NAT. This is a temporary performance degradation that affects only a small percentage of traffic.
9. When installing a new policy that uses the Sticky Decision Function (configured in SmartDashboard > Cluster Object > ClusterXL page > Advanced) while the old policy used the regular decision function, some connections may be lost, especially connections to or from the cluster members. New connections are unaffected.
10. After a failover, non-pivot members of a ClusterXL cluster in Unicast mode may report incorrect load distribution information. For the correct load distribution, review the information reported by the pivot member.
11. When using ClusterXL in Load Sharing mode with the Sticky Decision Function enabled, the failure of a module within 40 seconds of an IKE negotiation may cause a connectivity failure with that peer for up to 40 seconds.
• When the failure involves a PIX gateway, communications may be interrupted for up to 40 seconds.
• When the failure involves an L2TP client, communications may be disconnected, as keepalive packets are blocked during this period.
12. traceroute may fail if it passes through a Load Sharing cluster. To resolve this issue, on the Cluster object, select ClusterXL > Advanced and in the Advanced Load Sharing Configuration window either:
• select Use Sticky Decision Function, or
• change the selection for Use sharing method based on: to IPs.
Platform Specific — Nokia
13. Either Nokia VRRP or Nokia IP Clustering must be used when creating a cluster based on an IPSO platform. Using other OPSEC Certified third party clustering products (such as OPSEC Certified external load balancers) to create a cluster based on IPSO platforms has limited support. Contact Check Point Support for configuration instructions and a list of associated limitations.
14. After configuring a gateway cluster on a Nokia platform via the Simple mode (wizard), be sure to complete the cluster interface definition on the Topology page of the cluster object.
15. The feature Connectivity enhancements for multiple interfaces is not supported on Nokia IP Clustering in Forwarding mode.
16. NAT rules should not be applied to VRRP traffic. To prevent NAT rules from being applied to VRRP traffic, define the following manual NAT rule and give it higher priority than other NAT rules that relate to cluster VIPs or to their networks:
Original Packet: Source = physical IPs of the VRRP members; Destination = VRRP IP 224.0.0.18 (the VRRP multicast group); Service = Any
Translated Packet: Source = Original; Destination = Original; Service = Original
Install On: the relevant cluster
17. When configuring a Nokia IP Cluster, do not set the primary or secondary interfaces to Network Objective Private. Check Point recommends setting a Nokia IP Cluster's primary interface to Network Objective Cluster, and its secondary interface to Network Objective Cluster or Sync.
18. The Get Topology operation supports up to 256 interfaces on Nokia platforms. To define more than 256 interfaces, do so manually.
Platform Specific — Solaris
19. When configuring virtual interfaces on Solaris GigaSwift interfaces, ClusterXL may not recognize the virtual interfaces in cases where no corresponding physical interface is defined. If the virtual interface is not recognized, no monitoring mechanism runs on it and it will not fail over. To make ClusterXL work properly on such virtual interfaces, the corresponding physical interface must be defined. For example, when a CE device with instance 0 is defined on the system, the /etc/hostname.ce0 file must be created and must contain some arbitrary IP address that will be assigned to the physical interface.
20. ClusterXL does not support defining VLANs on Solaris bge interfaces.
21. When configuring VLAN tags, set an IP address on the VLAN physical interface. If the physical (untagged) interface is not used, the IP address can be any IP address. For example, if the physical interface is ce1 and the VLAN interfaces are ce1001 and ce2001, then ce1 must also have an IP address.
22. ClusterXL in Unicast mode (Pivot) is not supported on Solaris when using VLAN tagging.
23. When using a Fujitsu GigEthernet NIC (fjgi and fjge interfaces) with Check Point Load Sharing (CPLS) multicast, packets are received only when the interface is set to promiscuous mode.
Platform Specific — Windows
24. On Windows platforms, when switching from High Availability Legacy mode to High Availability New mode or Load Sharing, the CCP transport mode is set to broadcast instead of multicast. A workaround is to toggle the CCP mode with the following command on each cluster member: cphaconf set_ccp multicast
Policy Installation
25. When installing policy on a cluster with a Layer 2 bridge defined, the installation may fail with the following error: Load on Module failed. To resolve this issue, do the following:
1. Set the environment variable FW_MANAGE_BRIDGE to 1 on the SmartCenter server, by updating the files $CPDIR/tmp/.CPprofile.csh and $CPDIR/tmp/.CPprofile.sh so that each of them sets FW_MANAGE_BRIDGE to 1.
2. Install policy.
Security Servers
26. Security Servers are not supported with Sequence Verifier in Load Sharing cluster environments.
Services
27. When using T.120 connections, make sure you manually add a rule that allows T.120 connections.
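An added example for item 25, not taken from the release notes: a POSIX shell function that sets FW_MANAGE_BRIDGE in both profile files with the syntax each shell expects (setenv for .CPprofile.csh, assignment plus export for .CPprofile.sh), appending only when the variable is not already there, and a second function that reads the value back so you can confirm the two files agree before installing policy again. The directory argument is normally $CPDIR/tmp; the per-shell syntax is standard csh and sh, which the notes do not spell out.

```shell
#!/bin/sh
# Added example (not from the release notes): set an environment variable in
# the two SmartCenter profile files from item 25 using each shell's syntax.
# Assumptions: .CPprofile.csh is sourced by csh ("setenv NAME VALUE") and
# .CPprofile.sh by a Bourne shell ("NAME=VALUE; export NAME"); the directory
# passed in is normally $CPDIR/tmp.

# set_cpprofile_env DIR NAME VALUE: append the setting to each file unless a
# line for NAME is already present, so repeated runs do not stack duplicates.
set_cpprofile_env() {
    dir=$1 name=$2 value=$3
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    csh="$dir/.CPprofile.csh" sh="$dir/.CPprofile.sh"
    grep -q "^setenv[[:space:]][[:space:]]*$name[[:space:]]" "$csh" 2>/dev/null ||
        printf 'setenv %s %s\n' "$name" "$value" >> "$csh"
    grep -q "^$name=" "$sh" 2>/dev/null ||
        printf '%s=%s; export %s\n' "$name" "$value" "$name" >> "$sh"
}

# get_cpprofile_env DIR NAME: print "csh=<v> sh=<v>" and return 1 if the two
# files disagree or either one lacks the variable; run this before installing
# policy so the fix is known to be in place for both shells.
get_cpprofile_env() {
    dir=$1 name=$2
    cv=$(awk -v n="$name" '$1 == "setenv" && $2 == n { v = $3 } END { print v }' \
         "$dir/.CPprofile.csh" 2>/dev/null)
    sv=$(awk -v n="$name" -F'[=;]' '$1 == n { v = $2 } END { print v }' \
         "$dir/.CPprofile.sh" 2>/dev/null)
    echo "csh=$cv sh=$sv"
    [ -n "$cv" ] && [ "$cv" = "$sv" ]
}

# Usage on the SmartCenter server (assumes CPDIR is set in the expert shell):
#   set_cpprofile_env "$CPDIR/tmp" FW_MANAGE_BRIDGE 1
#   get_cpprofile_env "$CPDIR/tmp" FW_MANAGE_BRIDGE   # -> csh=1 sh=1
```

The variable only reaches processes started after the profile is sourced again, so open a new shell (or stop and start the SmartCenter services) before retrying the policy installation.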
SmartConsole
28. When working with a third-party cluster object with QoS, if you move from the Topology tab to a different tab, the following error message appears: No interface was activated in QoS tab for this host (Inbound or Outbound). Do you want to continue? Select Yes and continue your operation. This error message can be safely ignored.
29. SmartUpdate shows cluster members as distinct gateways without the common cluster entity. When cluster members are not of the same version, applying Get Check Point Gateway Data on a cluster member sets that member's version on the cluster object. To set the version of the cluster correctly, apply the Get Check Point Gateway Data command to the cluster member with the latest version.
30. If two or more interfaces on the same cluster member share the same IP address and net mask (as might occur when defining bridge interfaces), only one interface is displayed in the Topology tab in SmartDashboard. To manage interfaces with the same IP address and net mask, use the GuiDBedit tool.
31. When using ClusterXL in High Availability Legacy mode, the Network Objective is set automatically to Cluster if all of the members' interfaces on that network have the same IP address and netmask. Changing the Network Objective to a different setting will, in this case, be overridden by the system and change back to Cluster after clicking OK.
32. When deleting a network via the Topology page (Cluster Object > Properties > Topology > Edit Topology), selecting the Name or IP address of one of the interfaces and then clicking Remove results in the following error message: Please select an interface. To remove a whole network, remove all the interfaces (members and cluster) and click OK.
State Synchronization
33. A cluster member stays in the Down state if it is detached and then reattached to the cluster, as it does not automatically perform a full sync upon reattachment. To force a full sync, run the following commands on the module: fw ctl setsync off and then fw ctl setsync start.
34. Upon completion of full synchronization (Full sync), the error message State synchronization is in risk is displayed on the cluster member on which the synchronization is taking place. If this message occurs only once immediately following Full sync, it can be safely ignored. If this message appears erratically, consult the ClusterXL User Guide, section Blocking New Connections Under Load.
Unsupported Features
35. Cluster deployments automatically hide the IP addresses of the cluster members behind a virtual IP address. If you manually add NAT rules that contradict this configuration, the manually added NAT rules take precedence. For details, see the "ClusterXL Advanced Configuration" chapter of the ClusterXL Guide.
36. TCP connections inspected by Web Intelligence or VoIP Application Intelligence features do not survive failover. On failover these connections are reset.
37. The compatibility matrix for third party clustering solutions (other than Nokia) is specified at http://www.opsec.com/solutions/perf_ha_load_balancing.html. If a certain third party solution is not specifically listed as supported for this release, assume it is currently not supported. For Nokia clustering (VRRP or IP Clustering), see the Check Point Software and Hardware Compatibility section of the ClusterXL Guide for information on which IPSO release is supported with this VPN-1 release.
38. Mounting an NFS drive on a cluster member is not supported, as hide NAT changes the IP address of the cluster member, and the server cannot resolve the resulting mismatch.
39. The following Web Intelligence features require connections to be sticky:
• Header spoofing
• Directory listing
• Error concealment
• ASCII only response
• Send error page
A sticky connection is one where all of its packets, in either direction, are handled by a single cluster member. If you enable one of the features listed above, make sure that your clustering solution supports sticky connections. Sticky connections can be guaranteed for Web connections in the following configurations:
• ClusterXL High Availability
• ClusterXL Load Sharing with Sticky Decision Function enabled
• ClusterXL Load Sharing with no VPN peers, no static NAT* rules and no SIP
• Nokia VRRP Cluster
• Nokia IP Clustering configuration with no VPN peers, static NAT* rules or SIP
• For other OPSEC certified clustering products, refer to the OPSEC-certified product's documentation.
40. The following VoIP Application Intelligence (AI) features require connections to be sticky:
• H.323
• SIP over TCP
• Skinny
A sticky connection is one where all of its packets, in either direction, are handled by a single cluster member. If you enable one of the features listed above, make sure that your clustering solution supports sticky connections. Sticky connections can be guaranteed for VoIP connections in the following configurations:
• ClusterXL High Availability
• ClusterXL Load Sharing with no VPN peers or static NAT* rules
• Nokia VRRP Cluster
• Nokia IP Clustering configuration with no VPN peers or static NAT* rules
• For other OPSEC certified clustering products, refer to the OPSEC-certified product's documentation.
41. Sticky connections cannot be guaranteed on ClusterXL Load Sharing Unicast mode with hide NAT.
42. To support SSL Network Extender in a ClusterXL Load Sharing configuration, enable the Sticky Decision Function.
VPN-1 Clusters
43. When defining Office Mode IP pools, make sure each cluster member has a distinct pool.
44. Before adding an existing gateway to a cluster, remove it from all VPN communities in which it participates.
45. When detaching a cluster member from a VPN cluster, manually remove the VPN domain once the member has been detached.
* Including ConnectControl Logical Servers.
46. Peer or secure remote gateways may show error messages when working against an overloaded gateway cluster in Load Sharing mode. This is due to IPsec packets arriving with an old replay counter. These error messages can be safely ignored.
47. Using the Sticky Decision Function with VPN features guarantees connection stickiness only for connections that pass through the cluster, not for connections originating from a cluster member or destined to it.
48. When a Check Point VPN-1 NGX peer is connected directly to a Check Point cluster (i.e., the peer and the cluster are located on the same VLAN and there is no Layer 3 (IP) routing device between them), the following features are not supported:
• ISP Redundancy
• VPN link selection - Reply from same interface
This issue can be resolved either by placing a router between the VPN peer and the cluster, or by disabling these features. (Neither feature is enabled by default.)
• To disable ISP Redundancy, in SmartDashboard edit the gateway object > Topology > ISP Redundancy, and clear Support ISP Redundancy.
• To disable VPN link selection - Reply from the same interface, in SmartDashboard edit the gateway object > VPN > Link Selection > Outgoing Route Selection, and do the following:
A. Under When initiating a tunnel, enable Operating system routing table.
B. Under When responding to remotely initiated tunnel, select Setup, and enable Use outgoing traffic configuration.
49. When configuring a VTI cluster interface, it should be assigned a name identical to the name of the member interface.
Endpoint Security
In This Section
Server Installation, Upgrade, and Backward Compatibility
Client Installation, Upgrade, and Backward Compatibility
Integration
Logging, Alerts, and Errors
Localization and Special Characters
Gateways and Third Party Product Integrations
Miscellaneous
Server Installation, Upgrade, and Backward Compatibility
1. By default, VPN-1/FireWall-1 and the Check Point SecurePlatform administration interface both use port 443 for SSL communication. If you plan to run VPN-1/FireWall-1 on SecurePlatform, change the SecurePlatform SSL port to a different port during the operating system installation. Do not change the VPN-1/FireWall-1 default port, as this is not supported.
2. Normally, after installing VPN-1/FireWall-1, answering "Y" to the message "Would you like to start VPN-1/FireWall-1 after exiting?" starts VPN-1/FireWall-1. If this does not work, type cpstop and cpstart (or, with a Provider-1 setup, mdsstop and mdsstart) to start VPN-1/FireWall-1.
Client Installation, Upgrade, and Backward Compatibility
3. Clients cannot download packages from an external source when they are restricted. If the client becomes restricted due to a client Enforcement rule, and the rule specifies an upgrade package on an external URL, the client may not be able to download the external package. This can occur even if the external URL is actually the same as a VPN-1/FireWall-1. A workaround is to upgrade using the Upgrade package from VPN-1/FireWall-1 option rather than upgrading from an external URL.
Integration
4. If you see an unexpected error when logging into VPN-1/FireWall-1 with your SmartCenter administrator credentials, it may be because your SmartCenter license has expired or become invalid. If you are running VPN-1/FireWall-1 together with SmartCenter (either on the same host or on separate hosts), and your SmartCenter license expires or becomes invalid, you cannot log on to VPN-1/FireWall-1 using your SmartCenter administrator credentials. This occurs whether you are trying to log on to VPN-1/FireWall-1 directly or through SmartDashboard. Use the cplic command to check the status of your SmartCenter license, and if necessary, install a new SmartCenter license. (For information on cplic, see the Check Point Command Line Interface Guide.) Even if your SmartCenter license is invalid, you can still log in to VPN-1/FireWall-1 using your VPN-1/FireWall-1 administrator credentials.
5. If you are setting up a distributed installation (in which VPN-1/FireWall-1 and SmartCenter run on separate hosts), VPN-1/FireWall-1 does not automatically synchronize with SmartCenter. To synchronize VPN-1/FireWall-1 with SmartCenter, restart VPN-1/FireWall-1 after you install and configure SmartCenter, install the database, and establish Secure Internal Communication (SIC).
6. If you are setting up a distributed installation (one in which VPN-1/FireWall-1 and SmartCenter run on separate hosts), changing the logging settings to store VPN-1/FireWall-1 logs locally results in an authentication error on every attempt to view logs from within VPN-1/FireWall-1. In this configuration, view the logs with SmartView Tracker or SmartPortal.
VPN-1/FireWall-1 <strong>NGX</strong> <strong>R65</strong> Known Limitations Supplement. Last Update — February 4, 2008 5:37 pm 11
Endpoint Security<br />
7. After installing a VPN-1/FireWall-1 on a Provider-1 MDS machine, perform the following<br />
steps to prevent a crash:<br />
1. Stop the CMA that works with the VPN-1/FireWall-1.<br />
2. Log out of the shell used to start the VPN-1/FireWall-1 installation.<br />
3. Log in again to the root account.<br />
4. Start the CMA.<br />
After upgrading a Provider-1 MDS server that includes an installation of VPN-1/FireWall-1 that<br />
is associated with one of the CMAs, perform the same procedure.<br />
Logging, Alerts, and Errors<br />
8. Continuous looping of log uploads occurs if the minimum number of events is less than 2. In<br />
order to prevent continuous looping of log uploads, in the Client Configuration > Client Settings<br />
panel's Log Upload Size area, set the minimum number of events to be equal to or greater than<br />
2.<br />
9. SNMP traps sent from the VPN-1/FireWall-1 are logged to the /var/log/messages file, but the<br />
messages are in hex codes. A workaround is to enable SYSLOG and SNMP traps in Linux by<br />
issuing the following commands:<br />
syslogd -h -r -m 0 (to enable syslog with the remote option)<br />
snmptrapd -Oa (to enable snmptrapd and route the output to syslog)<br />
10. While Apache is running, it shows the following error: (730038)An operation was attempted<br />
on something that is not a socket.: winnt_accept: AcceptEx failed. Attempting to<br />
recover. Workaround: Place the directive Win32DisableAcceptEx on a separate line at the<br />
beginning of the httpd.conf configuration file (in install_dir\apache2\conf), and then<br />
restart Apache.<br />
11. Logging at the Info level can produce a lot of data. For this reason, do not set Info level<br />
notifications to be sent to e-mail.<br />
Localization and Special Characters<br />
12. Classic Firewall Rules cannot contain certain symbols. You cannot use the ampersand symbol<br />
('&'), quotation marks, or the less than symbol ('
18. Endpoint Security clients don't recognize full version numbers for Sophos antivirus products.<br />
Endpoint Security clients only recognize version numbers up to two places after the first<br />
decimal point (x.xx).<br />
19. A personal policy is not able to block Microsoft Remote Desktop. You cannot block Microsoft<br />
Remote Desktop using application rules.<br />
20. If you are using EAP and the Network Interface Card is disabled, it will remain disabled even<br />
after reboot.<br />
21. If a client is out of compliance with an Enforcement Rule that is configured to Warn or<br />
Observe, the VPN Security Configuration (or SCV status) is displayed as Verified. It is displayed<br />
as Not Verified only if the Enforcement Rule is configured to Restrict the client.<br />
Miscellaneous<br />
22. Scheduled Antispyware scan times can be incorrect when the Endpoint Security server and the<br />
Endpoint Security client are located in different time zones. This is because the scan time<br />
always occurs at the specified time in the server's time zone instead of the client's time zone.<br />
23. Internet Explorer (6.x) limits to 3000 the number of groups you can import into an NTDomain,<br />
LDAP, or RADIUS catalog on VPN-1/FireWall-1. To import more than 3000 groups, use another<br />
of the supported browsers. Mozilla Firefox is the only compatible browser that accommodates<br />
imports of more than 10,000 groups. For very large imports, the import page may take up to<br />
ten minutes to display all imported groups. When importing groups with a browser other than<br />
Internet Explorer, users may get a warning asking whether to abort the long-running javascript<br />
routine. Users should close the dialog box or choose to continue running javascript. For Firefox,<br />
you can suppress this message by typing about:config in the address bar, finding the entry for<br />
dom.max_script_run_time, and setting the number to 60 (on new computers) or 120 (on older<br />
computers).<br />
24. The Flex client must be rebooted to register changes to Return to Default buttons. When you<br />
change the setting of Hide Return to Default buttons in Flex (in the Advanced Settings section<br />
of a policy's Client Settings tab), the end user must reboot the Flex client for the change to<br />
take effect.<br />
25. Enterprise policies cannot override keyboard and mouse settings. If a policy allows a program<br />
and is set to enforce the enterprise policy only, and the user has set permissions in the personal<br />
policy to block the program, the program is able to access the Zones as defined in the<br />
enterprise policy, but is not able to perform keyboard and mouse activity. Workaround: Users<br />
must set the program to allow the keyboard and mouse activity in the personal policy.<br />
Eventia Suite<br />
In This Section<br />
Eventia Analyzer page 14<br />
Eventia Reporter page 14<br />
Eventia Analyzer<br />
1. Eventia Analyzer does not support static NAT and therefore will not include logs with rules that<br />
use static NAT as part of the Event.<br />
2. Apache syslogs sometimes have a log suppression mechanism where a new log contains the<br />
phrase message repeat. These logs are not captured by Eventia Analyzer and therefore events<br />
based on these logs will not be generated.<br />
3. Changes to objects on a High Availability secondary server are not updated on the Eventia<br />
Analyzer Server.<br />
4. Changes to objects on a High Availability management server are not automatically updated on<br />
the Analyzer Server following a sync operation from another HA server. To force updates of the<br />
objects, on the Eventia Analyzer Client, select Policy tab > General Settings > Objects > Network<br />
Objects > Refresh.<br />
5. When attempting to use the Get Version option for the Eventia Analyzer module while editing its<br />
host properties in SmartDashboard, the version is returned as an empty string. Select the most<br />
recent version available instead.<br />
6. Address range objects are not synchronized from SmartCenter or the MDS server to the Eventia<br />
Suite server. In order to include them on the Eventia Suite server, from the Eventia Analyzer<br />
Client, select Policy tab > General Settings > Network Objects and add the range manually.<br />
7. Eventia Analyzer cannot be installed with SmartUpdate.<br />
8. To define a new event based upon order logs, save and modify an existing event that uses the<br />
order logs, such as <strong>Check</strong> <strong>Point</strong> administrator credential guessing.<br />
9. On Solaris, no logs are received and processed for 10 minutes if the Log Server is stopped and<br />
restarted. If a Log Server is stopped and then started, restart the Correlation Units.<br />
10. The Global Exceptions product field does not filter out logs from the audit log.<br />
Eventia Reporter<br />
Installation, Upgrade and Backward Compatibility<br />
11. Eventia Reporter can be upgraded to <strong>NGX</strong> <strong>R65</strong> from version NG R56 and later. If you are<br />
upgrading from a version prior to R56, uninstall Reporter and continue with the upgrade.<br />
12. The MySQL server on the Eventia Reporter Server conflicts with a MySQL server installation on<br />
the same computer. Install the Eventia Reporter server on a computer that does not contain a<br />
MySQL server installation.<br />
13. Eventia Reporter will not continue consolidation sessions if the log files were manually<br />
upgraded on the Log Server.<br />
14. After upgrading from R56 to <strong>NGX</strong> (<strong>NGX</strong> R61), a scheduled report that is selected for a specific<br />
module may fail to run. If this occurs, resave the report.<br />
15. To upgrade a distributed deployment of Eventia Reporter from <strong>NGX</strong> (R60) on SecurePlatform<br />
Pro, do the following:<br />
1. Uninstall the package CPadvr-R60-00.<br />
2. Run the upgrade.<br />
3. Uninstall the package CPsuite-R60-00.<br />
4. Reboot the machine.<br />
16. The Eventia Reporter Client requires SmartDashboard to be installed on the same machine in<br />
order to launch. When installing the Eventia Reporter Client, be sure to install SmartDashboard<br />
as well.<br />
General<br />
17. Account logs that are originated by a gateway cluster are counted twice. Thus, reports of these<br />
logs will display inaccurate data.<br />
18. Logs produced by VPN-1 Power/UTM modules that also have QoS installed show twice the<br />
number of actual HTTP connections. As a result, reports generated on such modules will<br />
display an incorrect number of connections.<br />
19. If SmartDashboard is connected to an inactive management, Eventia Reporter cannot be<br />
launched from the Window menu of SmartDashboard. Instead, launch Eventia Reporter via the<br />
Windows Start Menu.<br />
20. If Eventia Reporter is running with multiple consolidation sessions, after running cpstop,<br />
ensure that all log_consolidator processes have terminated before running cpstart.<br />
21. FTP or HTTP distribution of reports does not work with proxy settings. If a machine has proxy<br />
settings, use alternate distribution methods such as e-mail distribution, or copy files from the<br />
Report's Results directory instead.<br />
22. When an Eventia Reporter Server's IP address has static NAT, a machine running the Eventia<br />
Reporter SmartConsole must be able to route connections to the Eventia Reporter server's real<br />
IP address. This can be achieved by running the Eventia Reporter SmartConsole on a machine<br />
in the Server's local network, or sometimes, by adding the appropriate route entries in the<br />
Eventia Reporter SmartConsole's routing table.<br />
Firewall<br />
In This Section<br />
Installation, Upgrade and Backward Compatibility page 16<br />
Platform Specific — Windows page 17<br />
Platform Specific — Solaris page 17<br />
Platform Specific — Linux page 17<br />
SmartConsole Applications page 17<br />
Load Sharing page 17<br />
Authentication page 18<br />
Security Servers page 18<br />
Security page 18<br />
Services page 18<br />
Stateful Inspection page 18<br />
Dynamically Assigned IP Address (DAIP) Modules page 19<br />
IPv6 page 19<br />
ISP Redundancy page 19<br />
Management page 19<br />
OPSEC page 19<br />
Policy Installation page 19<br />
SAM page 20<br />
Miscellaneous page 20<br />
VoIP page 20<br />
SecureClient page 21<br />
Installation, Upgrade and Backward Compatibility<br />
1. In modules that pre-date version NG with Application Intelligence R55W, the Web Intelligence<br />
defenses HTTP Format Sizes, ASCII Only Request, and General HTTP Worm Catcher support only the<br />
protection scope apply to all HTTP connections. Therefore, if one of these defenses is configured<br />
with the protection scope apply to selected web servers and is installed on an older module, the<br />
protection scope apply to all HTTP connections is applied on that module.<br />
2. When making Inspect changes to the file user.def, do so to the copy of the file in the directory<br />
$FWDIR/conf (and not the version in the directory $FWDIR/lib, as was the practice in previous<br />
versions). This is because user.def is copied from the /conf directory to the /lib directory<br />
during policy installation.<br />
Also, filenames are now adjusted to the different compatibility packages, so be sure to modify<br />
the appropriate file only:<br />
• user.def.<strong>NGX</strong>_R60 - contains user code for <strong>NGX</strong> modules (this will overwrite the file<br />
$FWDIR/lib/user.def during policy install)<br />
• user.def.R55WCMP - contains user code for R55W modules (this will overwrite the file<br />
user.def in the R55W compatibility package directory)<br />
• user.def.MGCMP - contains user code for NG modules, R55 and below.<br />
• user.def.EdgeCmp - contains user code for UTM-1 Edge modules.<br />
3. When restoring settings using the Nokia IPSO backup utility, run the CPconfig tool after<br />
installing the CPsuite package and before the restore process starts.<br />
4. After installing the firewall on a machine with functional PPPoE (ADSL) connectivity, PPPoE no<br />
longer works.<br />
5. The name of the installation directory of VPN-1 may not end with a space.<br />
6. On Linux systems and SecurePlatform, verify that there is at least 115 MB of free disk space<br />
in the "/" partition before upgrade.<br />
7. After upgrading an R55 or older Enforcement Module, previously defined SAM rules need to be<br />
defined again.<br />
Platform Specific — Windows<br />
8. The following message may be displayed when installing a policy: The NDISWANIP interface is<br />
not protected by the anti-spoofing feature. This message can be safely ignored.<br />
9. If an Intel NMS service is running during the VPN-1 Power/UTM installation, it may crash. This<br />
is a known pre-NMS version 2.0.56.0, Intel NMS service issue, where crashes occur whenever<br />
an NDIS IM driver is installed. Since NMS version 2.0.56.0 was part of PC6.0, releases from<br />
and including PC6.0 do not have this issue.<br />
10. The Network Load Balancing (NLB) driver is not supported with VPN-1.<br />
11. VLAN tagging is not supported on Windows platforms.<br />
Platform Specific — Solaris<br />
12. On Solaris platforms with a qlc driver and the kernel memory allocator debugging<br />
functionality enabled, the system may experience instability. In this case, install Solaris patch<br />
113042-10 or higher.<br />
13. The AGE driver will panic when it fails to allocate memory. This occurs during age NIC, when<br />
system resources are low and it cannot allocate memory for the packet.<br />
Platform Specific — Linux<br />
14. The FTP Security Server does not support Kerberos when the RHEL FTP client is trying to<br />
negotiate a Kerberos session. To avoid this issue, use the flag -u with the FTP client.<br />
15. When working with VPN-1 Power/UTM on Red Hat Enterprise Linux 3.0, make sure to update<br />
E1000 drivers to the latest drivers available from Intel.<br />
SmartConsole Applications<br />
16. When a client connects with SmartDashboard to SmartCenter and performs a SmartDefense<br />
online update, a second client connecting with SmartDashboard to the same SmartCenter will<br />
see the new protections but not the new HTML descriptions. The situation is resolved by the<br />
second client logging out & logging in again.<br />
A similar behavior may occur regarding the Silent Post-install Update. If new protections were<br />
added in that package, then the second client that logs in will not see the respective new<br />
HTML descriptions. The workaround is the same (client should log out & log in again).<br />
17. A Multicast Address Range object cannot be used as a source or destination in the Rule Base.<br />
You can, however, define and use in its place a corresponding Address Range object.<br />
Load Sharing<br />
18. When employing SecurID for authentication, it is recommended to define each cluster member<br />
separately on the ACE/Server with its own unique (internal) IP address. In addition, to send<br />
packets to the ACE/Server with their unique IP addresses and not the VIP address, edit the file<br />
table.def, located in $FWDIR/lib. Change the line starting with no_hide_services_ports to, for<br />
example, no_hide_services_ports = {}, where 5500 is the service port and 17<br />
(UDP) is the protocol.<br />
Authentication<br />
19. Client Authentication will fail if VPN-1 Power/UTM machine name is configured with a wrong<br />
IP address in the hosts file.<br />
20. Clientless VPN with the Action Client Auth is not supported if the web server object is in the<br />
destination cell. The workaround is to add the gateway to the destination cell.<br />
21. When using SmartDirectory server for internal password authentication, if the account lockout<br />
feature is disabled the Firewall will not attempt to modify the user's login failed count and last<br />
login failed attributes on the SmartDirectory server. This improves overall performance and<br />
eliminates unnecessary SmartDirectory modify errors when using SmartDirectory servers that do<br />
not have these attributes defined because they did not apply the <strong>Check</strong> <strong>Point</strong> SmartDirectory<br />
schema extension on the SmartDirectory server.<br />
22. Issues may arise when using automatic or partially automatic client authentication for HTTP on<br />
Load Sharing clusters (both ClusterXL and OPSEC clusters). A workaround is to define a<br />
decision function based only on IP addresses in order for connections to open. For ClusterXL,<br />
go to the ClusterXL tab > Load Sharing > Advanced, and select IPs only. For OPSEC clusters,<br />
refer to the product documentation for more information.<br />
23. Definition of nested RADIUS Server groups is not supported.<br />
Security Servers<br />
24. When a field in a URI specification file is too long, the Security server exits when trying to load<br />
the file. Under load, the Firewall daemon (FWD) reloads the security server, which then exits.<br />
After a certain time cores are dumped.<br />
25. Client authentication with agent automatic sign on is supported with all rules, with two<br />
exceptions:<br />
• Rules that use an HTTP resource.<br />
• Rules where the destination is a web server.<br />
26. When using SOAP filtering in the HTTP Security Server, the SOAP scheme file supports all<br />
forms of namespaces and methods, however, the feature is not supported if a method has no<br />
namespace at all.<br />
Security<br />
27. When using a URI resource to allow or restrict access to specific paths (by filling the path<br />
field), it is recommended to use the regular expression [/\] instead of / - this expression<br />
provides protection against Windows style paths.<br />
For example: instead of defining a path: /home/mydir/, define it as [/\]home[/\]mydir[/\].<br />
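The path hardening described above, as an added example that is not part of these release notes: a POSIX sh helper that produces the [/\] form from a plain path and checks constructed request paths against both the plain and the hardened pattern. It assumes the path field is applied as an extended regular expression anchored at the start of the request path, and uses grep -E, which treats a backslash inside a bracket expression as a literal, so the pattern is used exactly as it would be typed into the path field.<br />

```shell
#!/bin/sh
# Added example, not from the release notes. Assumption: the URI resource
# path field is applied as an extended regular expression anchored at the
# start of the request path.

# Turn a plain path such as /home/mydir/ into [/\]home[/\]mydir[/\], so that
# every separator matches either a forward slash or a backslash.
harden_path() {
    printf '%s\n' "$1" | sed 's#/#[/\\]#g'
}

# Return 0 if the request path ($2) is matched by the pattern ($1), else 1.
# Inside a bracket expression grep -E treats the backslash literally, so the
# pattern needs no translation.
path_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1"
}

# Report, for one request path, whether the plain ($1) and the hardened ($2)
# pattern match it. Prints "plain=yes|no hardened=yes|no <path>".
classify() {
    plain=$1
    hardened=$2
    req=$3
    p=no
    h=no
    path_matches "$plain" "$req" && p=yes
    path_matches "$hardened" "$req" && h=yes
    printf 'plain=%s hardened=%s %s\n' "$p" "$h" "$req"
}

# Constructed request paths: a normal one, a Windows-style one, a mixed one,
# and one outside the restricted directory. Only the hardened pattern catches
# the backslash variants; neither pattern matches the unrelated directory.
demo() {
    plain='/home/mydir/'
    hardened=$(harden_path "$plain")   # [/\]home[/\]mydir[/\]
    classify "$plain" "$hardened" '/home/mydir/index.html'
    classify "$plain" "$hardened" '\home\mydir\index.html'
    classify "$plain" "$hardened" '/home\mydir/index.html'
    classify "$plain" "$hardened" '/home/other/index.html'
}

demo
```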
Services<br />
28. A service using the FTP_BASIC protocol type cannot be used with the FTP Security Server.<br />
29. When using T.120 connections, make sure to manually add a rule that allows T.120<br />
connections.<br />
Stateful Inspection<br />
30. Changing the "match for any" option in the MSNP service to "false" causes connectivity<br />
problems after an upgrade in the following scenario:<br />
A service X other than the Microsoft Messenger protocol was running on port 1863. No special<br />
rule was defined for this service (for example, the service was permitted by a rule with "Any" in<br />
the service column).<br />
To resolve this issue, define a rule permitting the service with X in the "service" column.<br />
31. In a cluster environment, TCP state enforcement allows a server to respond with an ACK packet<br />
on a SYN packet (instead of SYN-ACK). Sequence Verification enforcement will be applied to<br />
all the traffic of the connection.<br />
Dynamically Assigned IP Address (DAIP) Modules<br />
32. The fw tab command on a SmartCenter server is not supported.<br />
IPv6<br />
33. In IPv6 logs, IPv6 address resolving is not supported in SmartView Tracker.<br />
34. Due to the fact that IPv6 is not supported for security servers, enabling Configuration apply to<br />
all connections under SmartDefense's FTP Security Server settings causes FTP (as well as HTTP<br />
and SMTP) connections over IPv6 to be rejected, and no log is generated.<br />
35. The command fw6 unload localhost unloads both IPv6 and IPv4 policies, although it should<br />
unload only the IPv6 policy.<br />
36. The RSH protocol is not supported for IPv6.<br />
ISP Redundancy<br />
37. ISP redundancy is not supported in a ClusterXL Different subnets configuration. This means the<br />
IP address of the cluster must be on the same subnet as the cluster members' real IP<br />
addresses.<br />
38. In a ClusterXL configuration, the names of the external interfaces of all cluster members must<br />
be identical and must correspond in turn to the names of the external interfaces of the cluster<br />
object. For example, if the cluster object has two external interfaces called eth0 and eth1<br />
which are connected to ISP-1 and ISP-2, respectively; each cluster member must have two<br />
external interfaces called eth0 and eth1 which should be connected to ISP-1 and ISP-2<br />
respectively.<br />
Management<br />
39. Defining network objects with names identical to a service is not supported.<br />
OPSEC<br />
40. TCP resource with cvp group is not supported.<br />
Policy Installation<br />
41. <strong>Check</strong> <strong>Point</strong> uses the notation starting with "SA_" for internal purposes. Defining objects with<br />
names starting with this string is not supported.<br />
42. When installing policy on a cluster with a Layer 2 bridge defined, the installation may fail with<br />
the following error: Load on Module failed. To resolve this issue, do the following:<br />
1. Set the environment variable FW_MANAGE_BRIDGE to 1 on the SmartCenter server. This is<br />
done by updating the files $CPDIR/tmp/.CPprofile.csh and $CPDIR/tmp/.CPprofile.sh so<br />
that they set the environment variable FW_MANAGE_BRIDGE to 1.<br />
2. Install policy.<br />
43. To install policy on NG enforcement modules via the command line, run the command fwm<br />
load from any directory other than $FWDIR/conf.<br />
44. Policy installation may fail when there are 70 or more dynamic objects.<br />
SAM<br />
45. A Suspicious Activity Monitor (SAM) rule will fail for a remote gateway if the SmartCenter<br />
server is also a VPN-1 Power/UTM gateway and no policy has been installed on it since adding<br />
the remote gateway.<br />
Miscellaneous<br />
46. The TCP Sequence Verifier is not supported with clusters using asymmetric routing.<br />
47. The Accept VPN-1 & FireWall-1 control connections Implied Rules setting is applicable to a<br />
SmartCenter server object in specific cases only:<br />
• to the primary IP defined for this object and<br />
• only if there are interfaces defined in its Topology tab.<br />
This may create connectivity problems when trying to install policies (or other operations<br />
included in the control connections). The workaround is to define explicit rules that allow<br />
connectivity to the SmartCenter object.<br />
48. A large database on a gateway may result in high CPU usage by the services VPND and DTPSD.<br />
To resolve this issue, use the cpprod utility to set a value for the setting<br />
SIC_SERVER_DEFAULT_TIMEOUT.<br />
VoIP<br />
49. MSN Messenger version 5 is not supported. Additionally, there are a few known issues<br />
regarding MSN Messenger when employing Hide NAT:<br />
• When running SIP and the data connection tries to open MSN Messenger connections on<br />
hidden networks, the connection fails.<br />
• While audio and video each work separately, they cannot be run concurrently.<br />
50. When using the SIP protocol and a security rule uses the Action reject to block high_udp_ports<br />
(RTP ports - data connection), the incoming audio is rejected as well. A workaround is to use<br />
the Action drop in place of reject.<br />
51. When an H.323 IP phone that is not part of a handover domain tries to establish a call, the<br />
call attempt is blocked and the following message appears on the console: FW-1:<br />
fw_conn_inspect: fwconn_chain_lookup failed. If you want to allow this phone to make calls,<br />
add it to the handover domain, and the error message will no longer appear. Note that this<br />
console message may appear in other (non-VoIP) scenarios as well.<br />
52. In some cases, when a user closes an MSN Messenger application (such as Whiteboard), the<br />
application will not close automatically on the remote end. The remote user will need to close<br />
the application manually.<br />
53. When using the service SIP with Hide NAT enabled on internal IP phones, do not enable the<br />
SmartDefense flag "Block SIP calls that use two different voice connections (RTP) for incoming<br />
audio and outgoing audio". If the flag is enabled, the firewall may begin to drop RTP/RTCP<br />
packets. The flag is located in SmartDefense > VoIP > SIP.<br />
54. When the SIP-proxy is in the DMZ, whiteboard and application sharing will not open between<br />
external and internal messengers.<br />
55. In previous versions a VoIP signalling connection could not have a different encryption policy<br />
than a VoIP data connection. As of <strong>NGX</strong> the VoIP signalling connection can have a different<br />
encryption policy than the VoIP data connection.<br />
SecureClient<br />
56. Policy installation fails if a combination of different user groups & network objects are used in<br />
the same cell. For example, if the following appears in a source or destination cell, the policy<br />
will not install:<br />
usergroup1@netobj1 & usergroup2@netobj2<br />
If the user groups match or the network objects match, the installation will succeed. The<br />
following examples will allow the policy to install successfully:<br />
usergroup1@netobj1 & usergroup2@netobj1<br />
usergroup1@netobj1 & usergroup1@netobj2<br />
57. The following Web Intelligence features require connections to be sticky:<br />
• Header spoofing<br />
• Directory listing<br />
• Error concealment<br />
• ASCII only response<br />
• Send error page<br />
A sticky connection is one where all of its packets, in either direction, are handled by a single<br />
cluster member. If you enable one of the features listed above, make sure that your clustering<br />
solution supports sticky connections. Sticky connections can be guaranteed for Web<br />
connections in the following configurations:<br />
• ClusterXL High Availability<br />
• ClusterXL Load Sharing with Sticky Decision Function enabled<br />
• ClusterXL Load Sharing with no VPN peers, no static NAT* rules and no SIP<br />
• Nokia VRRP Cluster<br />
• Nokia IP Clustering configuration with no VPN peers, static NAT* rules or SIP<br />
• For other OPSEC certified clustering products - please refer to the OPSEC-certified<br />
product's documentation.<br />
* including ConnectControl Logical Servers<br />
58. The following VoIP Application Intelligence (AI) features require connections to be sticky:<br />
• H.323<br />
• SIP over TCP<br />
• Skinny<br />
A sticky connection is one where all of its packets, in either direction, are handled by a single<br />
cluster member. If you enable one of the features listed above, make sure that your clustering<br />
solution supports sticky connections. Sticky connections can be guaranteed for VoIP<br />
connections in the following configurations:<br />
• ClusterXL High Availability<br />
• ClusterXL Load Sharing with no VPN peers or static NAT* rules<br />
• Nokia VRRP Cluster<br />
• Nokia IP Clustering configuration with no VPN peers or static NAT* rules<br />
• For other OPSEC certified clustering products - please refer to the OPSEC-certified<br />
product's documentation.<br />
* including ConnectControl Logical Servers<br />
Provider-1/SiteManager-1<br />
In This Section<br />
Installation, Upgrade, and Revert page 22<br />
Configuration page 23<br />
Licensing page 23<br />
Backup and Restore page 24<br />
Migrate page 24<br />
Global Policy page 25<br />
Global VPN page 26<br />
Global SmartDefense page 26<br />
SmartUpdate page 27<br />
SmartPortal page 27<br />
Status Monitoring page 27<br />
Eventia Reporter page 27<br />
Authentication page 28<br />
Miscellaneous page 28<br />
Installation, Upgrade, and Revert<br />
1. Some of the issues reported by the Pre-Upgrade Verifier may require database modifications. To<br />
avoid having to repeat these changes, remember to synchronize your mirror MDSs/CMAs and<br />
perform the ‘install database to CLM’ processes. It is highly recommended that you read the<br />
“Upgrading in Multi MDS environment” section in The Upgrade Guide.<br />
2. After upgrading an MDS or MLM in a multi MDS environment, SmartDashboard displays CMA<br />
and CLM objects with the previous version, and the following error message appears when<br />
performing the operation Install Database:<br />
Install Database on Log Server can only be partially completed. To<br />
restore full functionality (full resolving and remote operations), upgrade the Log<br />
Server to be the same version as your Management Server.<br />
In order to update the CMA/CLM objects to the most recent version, use the following<br />
procedure after upgrading all MDS and/or MLM servers:<br />
1. Verify that all active CMAs are up and running with valid licenses, and that none of them<br />
currently has a SmartDashboard connected.<br />
2. Run the following commands in a root shell on each MDS/MLM server:<br />
A. mdsenv<br />
B. $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL<br />
3. Synchronize all Standby CMAs and SmartCenter Backup servers and install the database on<br />
the CLMs.<br />
In some cases, the MDG will display CMAs with the version that was used before the upgrade.<br />
To resolve this issue, after performing steps 1 - 3, do the following:<br />
1. Make sure that each CMA that displays the wrong version is synchronized with the<br />
Customer's other CMAs.<br />
2. Restart the MDS containers hosting the problematic CMAs by executing the following<br />
commands in a root shell:<br />
A. mdsenv<br />
B. mdsstop -m<br />
C. mdsstart -m<br />
3. After upgrading a pre-<strong>NGX</strong> SmartCenter to <strong>NGX</strong> <strong>R65</strong>, software packages (except for UTM-1<br />
Edge firmware packages) that were displayed in the Package Repository of SmartUpdate do not<br />
appear. The packages are in the directory $SUROOT, and can be re-added to the Package<br />
Repository using the SmartUpdate command Add From File.<br />
4. Management of FireWall-1 4.1 gateways and VPN-1 Net gateways is not supported in <strong>NGX</strong><br />
<strong>R65</strong>. Prior to upgrading configurations that contain such gateways, the gateways need to be<br />
upgraded to the supported products/versions. Since the pre-upgrade verification tools will not<br />
allow the upgrade to proceed as long as such gateways exist in the configuration database, the<br />
objects either need to be deleted from the source management or updated to represent a<br />
supported product/version. If the objects are updated for the sake of allowing the upgrade to<br />
proceed, management of the gateways will not be allowed until the gateway software and<br />
license are upgraded as well.<br />
Please also note that configurations that contain externally managed FireWall-1 4.1 gateways<br />
cannot be upgraded to <strong>NGX</strong>. To allow the upgrade to proceed, these objects need to be updated<br />
to represent a supported version.<br />
5. After upgrading an MDS server that includes an installation of Endpoint Security Server that is<br />
associated with one of the CMAs, do the following:<br />
1. Stop the CMA.<br />
2. Log in again to the root account.<br />
3. Start the CMA.<br />
Configuration<br />
6. In the SecurePlatform installation, the default maximum number of file handles is set to<br />
65536. This also applies to standard Linux installations, but the default number may vary.<br />
For Provider-1/SiteManager-1 installations with a large number of CMAs, 65536 file handles<br />
may be insufficient. Indications that the system may not have enough available file handles<br />
can be failure of processes to start, and/or crashes of random processes.<br />
• To check if insufficient file handles is indeed the problem, enter the following command<br />
from root or expert mode:<br />
# cat /proc/sys/fs/file-nr<br />
This command prints three numbers to the screen. If the middle number is close to zero,<br />
or the left number equals the right-most number, it is required to increase the maximum<br />
number of file handles.<br />
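The check above, as an added shell example that is not part of these release notes: it applies the stated rule (middle number close to zero, or left number equal to the right-most) to the three fields of /proc/sys/fs/file-nr and also reports how much of the maximum is still unallocated. The "close to zero" threshold of 256 and the sample counters in the comments are assumptions.<br />

```shell
#!/bin/sh
# Added example (not from the Check Point release notes): evaluate the three
# fields of /proc/sys/fs/file-nr, "allocated free max", with the rule the notes
# give and decide whether fs.file-max must be raised.
# The threshold of 256 for "close to zero" is an assumption.

# handles_exhausted "<allocated> <free> <max>" [threshold]
# Returns 0 when the limit should be raised, 1 when there is headroom,
# 2 when the input does not consist of exactly three numbers.
handles_exhausted() {
    _threshold=${2:-256}
    set -- $1
    [ $# -eq 3 ] || return 2
    for _f in "$1" "$2" "$3"; do
        case $_f in ''|*[!0-9]*) return 2 ;; esac
    done
    _alloc=$1; _free=$2; _max=$3
    # left number equals (or exceeds) the right-most: the handle table is full
    [ "$_alloc" -ge "$_max" ] && return 0
    # middle number close to zero: almost no spare handles are allocated.
    # Caveat: 2.6 and later kernels always report 0 in this field, so on those
    # kernels judge by handles_headroom_pct rather than by this test.
    [ "$_free" -lt "$_threshold" ] && return 0
    return 1
}

# handles_headroom_pct "<allocated> <free> <max>": prints the integer
# percentage of the maximum that is still unallocated.
handles_headroom_pct() {
    set -- $1
    [ $# -eq 3 ] || return 2
    [ "$3" -gt 0 ] || return 2
    echo $(( ($3 - $1) * 100 / $3 ))
}

# check_file_nr [path]: read the live counters (default /proc/sys/fs/file-nr),
# print a verdict and return the status of handles_exhausted.
# Constructed sample: "65000 100 65536" -> exhausted, "12000 3000 65536" -> OK.
check_file_nr() {
    _path=${1:-/proc/sys/fs/file-nr}
    _nr=$(cat "$_path") || return 2
    handles_exhausted "$_nr"
    _rc=$?
    case $_rc in
        0) echo "file handles nearly exhausted ($_nr): raise fs.file-max" ;;
        1) echo "file handles OK ($_nr, $(handles_headroom_pct "$_nr")% of the maximum unallocated)" ;;
        *) echo "unexpected content in $_path: $_nr" >&2 ;;
    esac
    return $_rc
}
```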
• To increase the maximum number of file handles, enter the following command from root or<br />
expert mode:<br />
# echo 131072 > /proc/sys/fs/file-max<br />
The number above is for demonstration purposes; the actual figure should be derived from<br />
the amount of memory and the number of CMAs.<br />
Licensing<br />
7. If you upgrade licenses after upgrading the MDS, the upgraded licenses will not be displayed<br />
in the MDG until after restarting the MDS.<br />
8. Under rare circumstances, a CMA license may not appear in the SmartUpdate view of the MDG,<br />
and yet appear in SmartUpdate when launched from the CMA. If this happens, do the<br />
following:<br />
1. From the command line in the CMA environment, use the cplic command to remove the<br />
missing license, and then add it again.<br />
2. In SmartUpdate, right-click the CMA and select Get Licenses.<br />
Backup and Restore<br />
9. A backup file created on a Solaris platform with the mds_backup command cannot be restored<br />
on a Linux platform, nor vice-versa. A backup made by mds_backup on Linux can be restored on<br />
SecurePlatform and vice-versa.<br />
10. When saving the configuration of an MDS (via the command mds_backup), make sure to also<br />
back up the configuration of each of the VSX gateways/clusters that are managed by the MDS.<br />
When restoring the configuration of the MDS (via the command mds_restore), make sure to<br />
restore the configuration of all VSX gateways/clusters immediately afterwards.<br />
Migrate<br />
11. After migrating a SmartCenter server running on a Nokia platform to an <strong>NGX</strong> <strong>R65</strong> CMA, the<br />
UTM-1 Edge objects and Profiles creation option from SmartDashboard is not available. See<br />
SecureKnowledge SK26484 for more information.<br />
12. Migrating a CMA/SmartCenter database to a Provider-1 CMA disables the CMA's PnP license, if<br />
any.<br />
13. Migration of a CMA is not supported when VSX objects exist in the database.<br />
14. After migrating Global Policies and CMAs that contain Global VPN Community, the VPN<br />
Communities mode of the Global Policies view in the MDG may not display all gateways<br />
participating in the Global VPN Communities. To resolve this issue, after completing the<br />
migration of all relevant configuration databases and starting the MDS and the CMA processes,<br />
issue the following commands in the root shell on the MDS:<br />
1. mdsenv<br />
2. fwm mds rebuild_global_communities_status all<br />
15. When migrating complex databases, the MDG may timeout with the error message Failed to<br />
import Customer Management Add-on, even when the migration process continues and is<br />
successful. Therefore, when migrating large databases, it is recommended that you run the<br />
migrate operation from the command line. See the cma_migrate command in The Upgrade<br />
Guide.<br />
16. The migrate_assist utility reports missing files, depending on FTP server type. If files are<br />
missing, copy the relevant files manually. More information regarding the relevant files and the<br />
directory structure is available in the “Upgrading Provider-1” chapter of The Upgrade Guide.<br />
17. Before migrating the global database, if there are Global VPN Communities in the source<br />
database or in the target database, it is highly recommended that you read the “Gradual<br />
Upgrade with Global VPN Considerations” section of The Upgrade Guide.<br />
18. If you delete a CMA that has been migrated from an existing CMA or SmartCenter database,<br />
and then want to recreate it, first create a new Customer with a new name. Add a new CMA to<br />
the new Customer and import the existing CMA or SmartCenter database into the new CMA.<br />
19. After migrating SmartCenter or CMA databases with SmartLSM data, execute the command<br />
LSMenabler on on the CMA.<br />
20. After migrating a SmartCenter database which contains SmartDashboard administrators or<br />
administrator group objects, these objects remain in the database but are not displayed in<br />
SmartDashboard. As the CMA is managed by Customer Administrators via the MDG and not via<br />
SmartDashboard, these objects are irrelevant to the CMA. However, if you need to delete or edit<br />
one of these objects, use dbedit or GuiDBedit to do so.<br />
21. When migrating a CMA or SmartCenter High Availability (HA) to a new CMA in a different<br />
Provider-1/SiteManager-1 environment, be sure to use the primary database of the CMA or<br />
SmartCenter HA for the migrate operation.<br />
In addition, if the name used for the new CMA is not the name of the previous primary CMA or<br />
SmartCenter HA, the new CMA name may not be similar to a name already used for a network<br />
object in the migrated database, including the secondary management object.<br />
22. When migrating a CMA or SmartCenter Backup server with Endpoint Security Server installed,<br />
the Endpoint Security Server installation does not migrate. The recommended approach for this<br />
configuration is the following:<br />
1. Before migrating, open SmartDashboard to the CMA/SmartCenter server to be migrated.<br />
2. Edit the CMA/SmartCenter server object, and deselect Endpoint Security Server from the list<br />
of <strong>Check</strong> <strong>Point</strong> Products.<br />
3. Run the migrate operation.<br />
4. Reinstall the Endpoint Security Server on the machine on which the CMA resides.<br />
5. Configure the migrated CMA to use Endpoint Security Server.<br />
23. When migrating SmartCenter or CMA configurations that contain SmartDefense settings and<br />
protections that were downloaded via SmartDefense Online Update, the migrate_assist tool<br />
does not copy all the necessary files, and the target machine will not contain the full original<br />
SmartDefense configuration. To resolve this issue, do one of the following:<br />
• Copy the directories manually from the source machine according to the instructions found<br />
in the Provider-1 User Guide.<br />
• Use migrate_assist, and then do the following operations before importing the<br />
configuration:<br />
A. On the source machine, go to $FWDIR/conf and copy the content of the subdirectory<br />
SMC_Files.<br />
B. Place the copied content in the directory /conf on the target machine.<br />
C. Delete the following files from the target machine:<br />
• SMC_Files/monitor/SmartViewMonitor.tar<br />
• SMC_Files/asm/post_install_sd_updates<br />
• SMC_Files/asm/post_install_sd.ver<br />
Global Policy<br />
24. When deleting a <strong>Check</strong> <strong>Point</strong> host object created in Global SmartDashboard that has the same<br />
name as one of the MDS/MLM servers, the SIC certificate of the matching MDS/MLM server<br />
may be revoked. To avoid this situation, refrain from defining <strong>Check</strong> <strong>Point</strong> host objects with<br />
names identical to MDS/MLM servers in the system. If the certificate of one of the MDS/MLM<br />
servers is revoked, see SecureKnowledge SK24204 to remedy the situation.<br />
25. Avoid circular references in the Global Policy, as this will cause its assignment to fail.<br />
26. To ensure the endpoint security of Global Policies, only Provider-1 Superuser and Customer<br />
Superuser administrators are allowed to perform a Database Revision Control operation on a<br />
CMA. This is to ensure that a lower level administrator does not change the Global Policy<br />
assigned to a Customer. This is not a limitation, but rather an effect of the administrator’s<br />
permission hierarchy.<br />
27. Assigning a Global Policy to Customers may be a heavy operation. For this reason, it is<br />
recommended that you use MDG: Manage > Provider-1/SiteManager-1 Properties > Global Policies<br />
and configure Perform Policy operations on 1 customers at a time. For information about an MDS<br />
machine that includes a large amount of CMAs and big databases (global database and local<br />
CMAs' databases), refer to Hardware Requirements and Recommendations in the<br />
Provider-1/SiteManager-1 User Guide.<br />
28. When installing policy from the MDG using the Assign/ Install Global Policy operation, the<br />
Security Policy is not installed on UTM-1 Edge profiles. Use SmartDashboard to install policy<br />
to UTM-1 Edge profiles.<br />
29. When creating Connectra gateway objects (like other gateway objects, such as VPN-1<br />
Power/UTM, UTM-1 Edge, and InterSpect), be sure to do so using the CMA SmartDashboard.<br />
Defining Connectra objects in Global SmartDashboard is not supported.<br />
Global VPN<br />
30. Simplified VPN Mode Policies cannot work with gateways from versions prior to FP2. You<br />
cannot assign a Global Simplified VPN Mode Policy to a CMA with gateways of version FP2 or<br />
lower.<br />
31. Global VPN Communities do not support shared secret authentication.<br />
32. Only Globally-enabled gateways can participate in Global VPN Communities. Gateway<br />
authentication is automatically defined using the CMA’s Internal Certificate Authority.<br />
Third-party Certificate Authorities are not supported.<br />
33. UTM-1 Edge gateways cannot participate in Global VPN Communities.<br />
34. Currently an external gateway can fetch CRL only according to the FQDN. Therefore, a peer<br />
gateway would fail to fetch a CRL when the primary CMA is down (even if the mirror CMA is<br />
operational). To avoid this scenario, you can change the FQDN to a resolvable DNS name by<br />
executing the following commands:<br />
1. mdsenv<br />
2. Run cpconfig and select the menu item Certificate Authority<br />
35. After enabling a module for global use from the MDG, install a policy on the module or use the<br />
Install Database operation on the management server in order for its VPN domain to be<br />
calculated.<br />
36. When migrating a CMA, all CMAs that participate in a Global VPN Community must be<br />
migrated as well. If you do not migrate all relevant CMAs, it will affect Global Community<br />
functionality and maintenance.<br />
37. A globally enabled gateway can be added to a Global VPN Community from Global<br />
SmartDashboard only through the community object and not from the VPN tab of the object.<br />
38. When a VPN Simplified Mode Global Policy is assigned to a Customer, all of the Customer’s<br />
Security Policies must be VPN Simplified as well.<br />
39. If the Install policy on gateway operation takes place while the MDS is down, the status of this<br />
gateway in the Global VPN Communities view is not updated.<br />
40. When using VPN-1 Power VSX Virtual Systems in Global VPN Communities, the operating<br />
system and version displayed on objects representing Virtual Systems in peer CMAs is<br />
incorrect. This information can be safely ignored.<br />
Global SmartDefense<br />
41. If a Customer is configured for SmartDefense Merge mode, modifications made to the<br />
SmartDefense settings on a SmartCenter Backup server are not preserved after Global Policy is<br />
reassigned to the Customer.<br />
42. Customers subscribed to the Global SmartDefense service also receive updates to the Content<br />
Inspection > File Types list. All newly downloaded file types are by default set to Action type<br />
Scan. The SmartDefense mode assigned to the Customer determines whether any changes the<br />
CMA administrator has made to the File Types list are preserved when Global Policy is<br />
assigned.<br />
SmartUpdate<br />
43. Firmware packages cannot be deleted from the SmartUpdate repository. In order to delete<br />
packages, use the utility mds_delete_firmware.<br />
44. When using the MDG’s SmartUpdate view, packages are added to the SmartUpdate repository of<br />
the MDS to which the MDG is connected. When in a Multi-MDS environment, make sure that<br />
each SmartUpdate package is added to each MDS individually.<br />
When adding SofaWare firmware packages in such an environment, a package added to one<br />
MDS will appear to have been added to all other MDSs. In this case as well, make sure that<br />
each firmware package is added to each MDS individually.<br />
45. After detaching a Central license from a CMA using the SmartUpdate view, the license remains<br />
in the License Repository, and therefore cannot be added again to the CMA from the MDG<br />
General view. To add it again, reattach the license using SmartUpdate.<br />
46. SmartUpdate packages cannot be added to the MDS Package repository if no CMAs are<br />
defined. Before populating an MDS's SmartUpdate repository with packages, define at least<br />
one CMA.<br />
SmartPortal<br />
47. When using Management High Availability (between a SmartCenter server and either a CMA or<br />
an MDS), change over may not succeed when SmartPortal is connected in Read/Write mode. To<br />
resolve this issue, do one of the following:<br />
• Only allow access from SmartPortal to Read-only administrators<br />
• Disconnect Read/Write SmartPortal clients from SmartView Monitor<br />
Status Monitoring<br />
48. A CMA will report the status Waiting until it is started for the first time.<br />
49. In a CMA High Availability configuration, the High Availability synchronization status in the<br />
MDG may contain inconsistent values if valid licenses have not been installed. If this is the<br />
case, the synchronization status should be ignored. In order to operate, however, all CMAs must<br />
have valid licenses.<br />
50. SmartView Monitor displays invalid statuses when connecting to a CLM. To view Customer<br />
statuses using SmartView Monitor, connect to a CMA.<br />
Eventia Reporter<br />
51. As Eventia Reporter data is not synchronized on multiple MDSs in High Availability<br />
configurations, Eventia Reporter should be set to work with just one MDS. To do so, install the<br />
Eventia Reporter Add-on on one MDS only, and log into this MDS whenever using the Eventia<br />
Reporter client.<br />
52. You must log into the Eventia Reporter client using a Provider-1 Superuser administrator<br />
account, or a Customer Superuser administrator account. Other administrator types are not<br />
supported.<br />
53. Only one Eventia Reporter server is supported. Do not define more than one Eventia Reporter<br />
server in Global SmartDashboard.<br />
54. For Eventia Reporter to function properly, all Customers must have a Global Policy assigned to<br />
them. If a Customer has not been assigned a Global Policy, all reports generated for this<br />
Customer will fail with the following error:<br />
Could not retrieve CMA for customer . CMA is either stopped or<br />
standby.<br />
Authentication<br />
55. After defining RADIUS or TACACS server objects in Global SmartDashboard, wait until the<br />
MDSs are synchronized before configuring administrators to authenticate via the new servers.<br />
Miscellaneous<br />
56. In a CMA High Availability configuration, the MDG may variably report the status of UTM-1<br />
Edge gateways as either OK or Not Responding. To see the correct status, open SmartView<br />
Monitor on the Active management.<br />
57. Certificates for Provider-1 administrators should be created only from an MDG connected to the<br />
MDS that currently hosts the active global database.<br />
58. When working with a large CMA database, synchronizing this database may take some time. If<br />
you create a second CMA from the MDG it may seem that the operation was not successful on<br />
account of the timeout, when in fact the operation was done within a set period of time.<br />
To make sure that this operation finished successfully after the MDG's timeout:<br />
1. Wait until the second CMA is displayed on the MDG, with a Started status.<br />
2. From SmartDashboard, connect to the active CMA.<br />
3. Select Policy > Management High Availability and in the displayed window verify that the<br />
standby CMA's Status is Synchronized.<br />
59. The cp_merge utility is not supported in Provider-1/SiteManager-1.<br />
60. When creating, deleting or updating a Virtual Device, the database of the CMA containing the<br />
VPN-1 Power VSX gateway will be locked during that time. If a user tries to connect to the CMA<br />
via SmartDashboard, a message will report that the database is locked. Selecting Disconnect<br />
does not unlock the database. Connection to the CMA may be resumed when the operation<br />
finishes.<br />
61. SmartDashboard currently lacks appropriate error messages for the following scenarios:<br />
• Using a SmartCenter Backup Server, the user cannot edit a Virtual System object where the<br />
VPN-1 Power VSX belongs to another CMA (main CMA), because there is no connection<br />
between them.<br />
• The user cannot edit a Virtual System object in a CMA whose Active main CMA is a<br />
SmartCenter Backup Server, because there is no connection between them.<br />
62. When removing a Provider-1 installation from a machine that has Endpoint Security Server<br />
installed on it, Endpoint Security Server may not uninstall. A workaround is to uninstall<br />
Endpoint Security Server separately.<br />
63. After upgrading an MDS machine with Endpoint Security Server installed and associated with a<br />
certain CMA to <strong>NGX</strong> <strong>R65</strong>, reverting to the previous version of Provider-1 using the utility<br />
mds_remove will succeed, however the Endpoint Security configuration will contain information<br />
related to the newer version. To resolve this issue, do the following:<br />
1. Use a text editor to open the file /opt/CPEndpoint<br />
Security/engine/webapps/ROOT/bin/opsec/config.properties<br />
2. Enter the correct values for the following keys:<br />
• CMA_IP=[IP address of the CMA which is configured to use Endpoint Security]<br />
• CPDIR=[the CPDIR directory of the CMA]<br />
• FWDIR=[the FWDIR directory of the CMA]<br />
• MDS_CPDIR=[the new value of MDSDIR directory]<br />
• MSP_SOMEIP_ADDR=[IP address of the CMA which is configured to use Endpoint Security]<br />
64. Global SmartDashboard cannot be used to create Connectra or VPN-1 Power/UTM gateway<br />
objects. Instead, use a SmartDashboard connected to a specific CMA to create these objects.<br />
SecureXL<br />
In This Section<br />
General page 29<br />
Platform Specific — Nokia page 29<br />
Platform Specific — Solaris page 30<br />
Accelerated Features page 30<br />
Unsupported Features page 30<br />
Unsupported Products page 30<br />
General<br />
1. When using Performance Pack or Turbocard in a cluster configuration, all members must have<br />
Performance Pack or Turbocard installed and running.<br />
2. For the first few seconds of an asymmetric connection, server-to-client packets are not<br />
accelerated. An asymmetric connection, such as an FTP data connection through an<br />
accelerated ClusterXL cluster, is where the server-to-client side is handled by a different<br />
member than the client-to-server side. Asymmetric connections are only opened when using<br />
VPN or NAT. This is a temporary performance degradation that affects only a small percentage<br />
of traffic.<br />
3. In a High Availability configuration, some accounting information held in the accelerator (for<br />
accelerated connections only) may be lost in the event of a failover. As a result, the accounting<br />
information reported may be lower than the actual traffic.<br />
4. When a gateway has IP pool NAT defined for site to site connections in a MEP environment and<br />
Automatic Hide NAT for internal networks is enabled, back connections to the IP pooled IP<br />
address are dropped by the gateway. To prevent these connections from being dropped, do one<br />
of the following:<br />
• Disable Automatic Hide NAT on the gateway.<br />
• Configure Hide NAT for the internal network object with manual or automatic rules.<br />
5. For a list of the recommended platforms for Performance Pack, see the Hardware Compatibility<br />
List for SecurePlatform at<br />
http://www.checkpoint.com/products/supported_platforms/secureplatform.html.<br />
Platform Specific — Nokia<br />
6. When the SmartDefense TCP Sequence Verifier feature is enabled and Flows acceleration is<br />
enabled, the Sequence Verifier feature is not enforced and the following message appears when<br />
installing policy:<br />
Flows: TCP Sequence Verifier acceleration is not supported on the Gateway.<br />
When SecureXL is enabled, you can enable the SmartDefense TCP Sequence Verifier feature by<br />
first enabling it in Nokia Network Voyager (System Configuration > Advanced System Tuning) and<br />
then in SmartDashboard (SmartDefense tab > Network Security > TCP). The Sequence Verifier<br />
feature will then be enforced on accelerated connections.<br />
7. The SmartDefense protection IP Fragments (SmartDefense tab > Network Security > IP and ICMP)<br />
is not supported on Turbocard and Nokia platforms with SecureXL enabled.<br />
Platform Specific — Solaris<br />
8. On Solaris platforms, Performance Pack does not support the following types of interfaces:<br />
• VLAN and virtual interfaces<br />
• bge, dmfe and skge interfaces<br />
Accelerated Features<br />
9. When flows are enabled, full sanity checks are performed for flowed (accelerated) connections<br />
for the IP layer. No sanity checks are performed on the UDP or TCP layer of flowed packets.<br />
The workaround is to disable flows.<br />
10. SmartView Monitor gets updates for every connection from SecureXL once every 30 seconds.<br />
Because of the difference between the SecureXL update interval and the SmartView Monitor<br />
update interval, you might not get a smooth line even when monitoring constant rate<br />
connection.<br />
This phenomenon is negligible when monitoring real-life traffic, which has many connections that<br />
open and close at random. Regardless of the number of connections, over a significant period<br />
of time the total monitored traffic is averaged accurately.<br />
11. The SmartDefense protection PPTP Enforcement does not allow acceleration of the GRE protocol<br />
over PPTP when enabled. In order to accelerate the GRE protocol over PPTP, disable this<br />
protection (on the SmartDefense tab, select Application Intelligence > VPN Protocols > PPTP<br />
Enforcement).<br />
Unsupported Features<br />
12. Fingerprint Scrambling causes a negative impact on performance. ISN Spoofing disables TCP<br />
templates, and TTL and IPID cause traffic to be handled by the firewall module only.<br />
13. The NetQuotas feature is not supported with SecureXL.<br />
14. The Overlapping NAT feature is not supported with SecureXL.<br />
15. ISP redundancy has the following limitations when working with SecureXL:<br />
• Connections passing through interfaces configured with ISP redundancy are not<br />
accelerated. Other connections (for example, an internal connection to a DMZ) are<br />
accelerated and are not affected by this limitation.<br />
• ISP redundancy over PPTP and PPPoE interfaces is not supported.<br />
16. When configuring Remote Access > Office Mode on a gateway that has multiple external<br />
interfaces with SecureXL enabled, make sure that Support connectivity enhancement for gateways<br />
with multiple external interfaces is checked.<br />
17. When SecureClient is connected to a <strong>Check</strong> <strong>Point</strong> gateway with two external interfaces and the<br />
connected interface goes down, SecureClient will lose connectivity. In order to resume<br />
connectivity, the user needs to disconnect and reconnect.<br />
18. Performance Pack does not support source-based routing.<br />
Unsupported Products<br />
19. <strong>Check</strong> <strong>Point</strong> QoS is not supported with SecureXL.<br />
20. PPTP and PPPoE interfaces are not supported by Performance Pack in configurations where<br />
NAT and/or VPN are used.<br />
SmartCenter Server<br />
In This Section<br />
Upgrade, Backout and Backward Compatibility page 31<br />
Policy Installation page 33<br />
SmartConsole Applications page 33<br />
Logging page 34<br />
SmartCenter High Availability page 34<br />
SmartDirectory page 34<br />
User Management page 34<br />
Trust Establishment page 34<br />
OSE page 34<br />
Platform Specific - Nokia page 35<br />
Platform Specific - Windows page 35<br />
Upgrade, Backout and Backward Compatibility<br />
1. When using the Upgrade Export and Import utilities on the Windows platform, the machine<br />
should be connected to the network. Alternatively, a connector can be used to simulate a<br />
connection. Refer to SecureKnowledge solution sk19840 for more information regarding how to<br />
simulate a network connection during an upgrade.<br />
2. When upgrading with a duplicate machine whose IP address differs from the original IP address<br />
of the SmartCenter server, if Central licenses are used, they should be updated to the new IP<br />
address. This can be done via the User Center at http://usercenter.checkpoint.com, by choosing<br />
the action License > Move IP > Activate Support and Subscription.<br />
3. When using the Upgrade Export and Import utilities, if a specific product should fail to install,<br />
the entire operation will fail, with the exception of these products:<br />
• SmartView Reporter<br />
• SmartView Monitor<br />
• SecureXL<br />
• UserAuthority Server<br />
Failure importing and/or exporting of these products will not cause the entire import/export<br />
operation to fail. Use the log file of the import/export operation to understand what caused the<br />
problem and fix it. The log file is located at:<br />
Windows: C:\program files\checkpoint\CPInstLog<br />
Unix: /opt/CPInstLog<br />
4. When upgrading a Log Server, always choose to upgrade and ignore the other options (to export<br />
the configuration or to perform pre-upgrade verifications). These options are irrelevant for Log<br />
Server upgrades. Also, the backwards compatibility (BC) package is installed on every Log<br />
Server. It can be safely removed, as it is not in use on a Log Server.<br />
5. If, when using the <strong>Check</strong> <strong>Point</strong> Installation Wrapper, the download of updates fails during an<br />
upgrade (for example, because the machine is not connected to the Internet), then the upgrade<br />
will continue using the tools that exist on the CD. To use the most recent version:<br />
a. Download the updates from:<br />
https://support.checkpoint.com/downloads/bin/autoupdate/ut/r61/index.htm.<br />
b. Save the update on the local disk of your SmartCenter server.<br />
c. Restart the installation wrapper and choose the second option on the download page: I<br />
already downloaded and extracted the Upgrade Utilities.<br />
6. <strong>Check</strong> <strong>Point</strong> 4.1 gateways and embedded devices are not supported with this release. After<br />
upgrading the SmartCenter server to <strong>NGX</strong>, these objects will remain, but you will not be able to<br />
install policy on them.<br />
7. VPN-1 Net is no longer supported.<br />
8. After upgrading SmartCenter, but before upgrading the gateways, SecurID users may not be<br />
able to connect. A workaround is detailed in SecureKnowledge sk17820. The solution<br />
documented there should be implemented in the compatibility package directories as well:<br />
For NG gateways (NG - R55)<br />
- Unix /opt/CPngcmp-DAL/lib/<br />
- Windows C:\Program Files\<strong>Check</strong><strong>Point</strong>\NGCMP<br />
For R55W gateways<br />
- Unix /opt/CPR55Wcmp/lib<br />
- Windows C:\Program Files\<strong>Check</strong><strong>Point</strong>\R55WCmp\lib<br />
9. When upgrading SmartCenter with a duplicate machine on the Windows platform, the following<br />
message may appear after selecting Import configuration file:<br />
Failed to import configuration. Imported configuration file does not contain the<br />
correct data.<br />
To resolve the issue, do one of the following:<br />
• Remove the file gzip.exe from the environment path.<br />
• Remove gzip.exe altogether.<br />
10. Advanced Upgrade from the wrapper, or use of the Export/Import tools, is not supported on a<br />
secondary SmartCenter server.<br />
11. In this release, SmartCenter does not manage gateways prior to NG FP3. If you have such<br />
gateways, it is recommended that you upgrade them as well.<br />
12. After a SmartCenter server has been upgraded or copied via the Advanced Upgrade feature,<br />
previously defined UTM-1 Edge devices will not be able to connect to the SmartCenter server,<br />
and the Connection Wizard will generate "object non-registered" messages. To resolve this<br />
issue, use SmartUpdate to re-install a specific firmware package.<br />
13. To manage UTM-1 Edge devices with an <strong>NGX</strong> <strong>R65</strong> SmartCenter server that was migrated from<br />
Nokia to a different platform, see <strong>Check</strong> <strong>Point</strong> SecureKnowledge sk30389.<br />
VPN-1/FireWall-1 <strong>NGX</strong> <strong>R65</strong> Known Limitations Supplement. Last Update — February 4, 2008 5:37 pm 32
Policy Installation<br />
14. After aborting an installation and before attempting to install policy, make sure that there are<br />
no processes running the fwm load command on the SmartCenter server.<br />
15. When the Install Policy option Install on all selected gateways, if it fails do not install on<br />
gateways of the same version is selected, policy is installed on gateways by group. There are four such<br />
groups:<br />
• UTM-1 Edge<br />
• R55W<br />
• <strong>NGX</strong><br />
• all others (R55 and prior versions)<br />
When this option is selected, if policy fails when installing to a member of one of the groups,<br />
the policy will not be installed to any other gateways in that group. Policy installation will<br />
continue uninterrupted to members of other groups, however.<br />
16. Uninstall policy on LSM profiles is not supported.<br />
17. Policy installation is divided into several stages: Verification, compilation, file transfer, etc.<br />
Each stage has a default time-out of 300 seconds. Should you encounter time-out problems<br />
while installing a policy, you can change the value of the timeout in the following way:<br />
a. Run cpstop on the SmartCenter server.<br />
b. Run dbedit and change the install_policy_timeout attribute, which is located under<br />
firewall_properties in the global properties. Valid values are 0-10000.<br />
c. Close dbedit and run cpstart.<br />
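The timeout change in item 17 written as a shell script. This is an added example, not code from the Check Point release notes: it assumes the dbedit switches -local (edit the local database without a GUI login) and -f (read commands from a file), writes the change in dbedit's modify/update syntax against the firewall_properties object named above, and checks the value against the documented 0-10000 range before touching anything. The function names are the example's own.<br />

```shell
# Added example (not from the Check Point release notes): generates and applies
# the dbedit change from item 17 after validating the documented 0-10000 range.

# Print the dbedit commands that set install_policy_timeout to $1 (seconds).
# Returns 1 without printing anything if the value is not an integer in range.
make_dbedit_script() {
    value="$1"
    case "$value" in
        ''|*[!0-9]*) echo "install_policy_timeout must be a whole number of seconds" >&2; return 1 ;;
    esac
    if [ "$value" -gt 10000 ]; then
        echo "install_policy_timeout must be between 0 and 10000" >&2
        return 1
    fi
    # properties/firewall_properties is the global properties object the note refers to
    printf 'modify properties firewall_properties install_policy_timeout %s\n' "$value"
    printf 'update properties firewall_properties\n'
    printf 'quit\n'
}

# Steps a-c of item 17: stop Check Point services, edit the local database
# (no GUI login needed with -local), then start the services again.
# Run only on the SmartCenter server; the self-check below never calls it.
apply_install_policy_timeout() {
    script=$(mktemp) || return 1
    if ! make_dbedit_script "$1" > "$script"; then
        rm -f "$script"
        return 1
    fi
    cpstop
    status=0
    dbedit -local -f "$script" || status=$?
    rm -f "$script"
    cpstart    # services come back up even if the edit failed
    return "$status"
}
```

Usage: apply_install_policy_timeout 600 raises every stage timeout to ten minutes; because cpstop halts all Check Point services, schedule the change for a maintenance window.<br />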
18. Policy may not install successfully on an InterSpect device, even if SIC is established. To<br />
resolve this issue, make sure that the SmartCenter server's IP address(es) are configured in<br />
InterSpect's GUI Clients.<br />
SmartConsole Applications<br />
19. When running a query on a Security Policy in SmartDashboard, only user-defined rules are<br />
displayed in the query result. Implied rules matching the query are not displayed, even if the<br />
option View Implied Rules is selected.<br />
20. When switching the active file from SmartView Tracker, the new active file is named<br />
automatically by the system. It does not receive the user-defined file name.<br />
21. UTM-1 Edge objects cannot be defined from the Manage menu in SmartDashboard. To define<br />
UTM-1 Edge objects, from the Objects Tree, right-click <strong>Check</strong> <strong>Point</strong> > New.<br />
22. A Connectra object cannot be dragged & dropped into the Address Translation Rule Base. To<br />
add a Connectra object to a rule, right click on the relevant cell, select Add, and select the<br />
relevant Connectra object.<br />
23. To perform SmartDefense Online Update in Demo Mode, use Demo Mode Advanced. Other<br />
Demo Modes do not support this feature.<br />
24. InterSpect objects cannot be added to NAT rules.<br />
25. After deploying Anti Virus signatures, the Express CI Deployment Status is not updated by<br />
clicking Refresh on the SmartDefense Services tab. This issue is resolved by closing and<br />
restarting SmartDashboard.<br />
Logging<br />
26. When a Log Server is installed on a DAIP module, management operations such as "purge" and<br />
"log switch" cannot be performed.<br />
27. If using the cyclic logging feature, after upgrade it is recommended to back up the previous<br />
/log files to another machine, and then to delete them.<br />
28. When a Log Server runs out of disk space, any logs sent by ELA clients will be lost. To prevent<br />
this, be sure to maintain adequate disk space on the Log Server.<br />
29. After upgrading a gateway, SmartView Tracker may report 0 active connections. To resolve this<br />
issue, reinstall policy on the gateway.<br />
30. When a filter is applied in the Traffic or Audit log pages, logs may not display in sequential<br />
order, and using the scroll bar arrow to navigate through the logs does not appear to work. To<br />
scroll, click and drag the scroll bar or use the buttons Bottom and Top.<br />
SmartCenter High Availability<br />
31. If a primary SmartCenter server is in a Standalone configuration, and a secondary SmartCenter<br />
server is active, then policy installation from the secondary to the primary server will be<br />
prohibited immediately after upgrade. In order to resolve this, install the policy locally on the<br />
primary server.<br />
32. When modifying the file InternalCA.C, be sure to copy the modified file to the other<br />
management stations, and then install policy again for the changes to become active.<br />
33. When performing a Management High Availability changeover (between SmartCenter and/or CMA<br />
and/or MDS), the changeover may not succeed when SmartPortal is connected in Read/Write mode. To resolve<br />
this issue, restrict access from SmartPortal to Read-only administrators; or, use SmartView<br />
Monitor to disconnect the Read/Write mode in SmartPortal.<br />
SmartDirectory<br />
34. If Use SmartDirectory (LDAP) is checked in Global Properties, but no LDAP account unit is<br />
configured, the authentication of external users (as opposed to LDAP users) that are not<br />
defined in the user database will not succeed. To resolve this issue, make sure that you<br />
uncheck Use SmartDirectory (LDAP) in the Global Properties.<br />
User Management<br />
35. When manually defining branches on an Account Unit, spaces between elements in the branch<br />
definition will not work. For example:<br />
A good branch: ou=Finance,o=ABC,c=us<br />
A bad branch: ou=Finance , o=ABC , c=us<br />
Trust Establishment<br />
36. Before establishing secure internal communication (SIC) between a standalone SmartCenter<br />
server and a Connectra device, install policy to the SmartCenter server.<br />
OSE<br />
37. The Drop action is not supported for Cisco OSE devices. If the Drop action is used, the policy<br />
installation operation fails.<br />
38. 3Com devices are not supported.<br />
Platform Specific - Nokia<br />
39. When upgrading using the Import Configuration option in the wrapper, and the machine you<br />
have exported the configuration from is a Nokia platform, the following may occur:<br />
• <strong>Check</strong> <strong>Point</strong> packages that were inactive on the production machine will either become<br />
active on the target machine if its OS is Nokia, or will be installed on other platforms.<br />
If this should occur, when the target machine is a Nokia platform, return the relevant packages<br />
to the inactive state. For other platforms, uninstall the relevant packages.<br />
Platform Specific - Windows<br />
40. On Windows platforms only, in some cases, when performing the Restore Version operation<br />
(from SmartDashboard, File > Database Revision Control > Restore Version) while SmartView<br />
Tracker is open, the restore fails and you are not able to save the database (File > Save). The<br />
solution is to make sure that SmartView Tracker is closed before performing Restore Version<br />
operations. If you already encountered such a problem, run cpstop and then cpstart.<br />
41. After using the Advanced Upgrade tools to migrate a SmartCenter server to a different<br />
machine, RADIUS authentication servers will no longer be able to connect to the SmartCenter<br />
server. To re-establish the connection between them, do the following on the SmartCenter server:<br />
1. Use Regedit to open the Windows registry.<br />
2. Locate the key HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\ACECLIENT.<br />
3. Delete the value NodeSecret.<br />
4. Reboot the SmartCenter server.<br />
SmartPortal<br />
1. When a filter is applied in the Traffic or Audit log pages, logs may not display in sequential<br />
order, and using the scroll bar arrow to navigate through the logs does not appear to work. To<br />
scroll, click and drag the scroll bar or use the buttons Bottom and Top.<br />
SmartUpdate<br />
In This Section<br />
Installation, Backward Compatibility, and Upgrade page 36<br />
Miscellaneous page 37<br />
Platform Specific — Nokia page 37<br />
Platform Specific — SecurePlatform page 37<br />
Policy Installation page 37<br />
GUI page 37<br />
Licensing page 37<br />
Installation, Backward Compatibility, and Upgrade<br />
1. When a gateway has been upgraded and then rolled back to the previously installed version,<br />
SmartUpdate will not be able to report its status. This occurs because the gateway restarts with<br />
the initial policy, instead of the last installed policy. The workaround is to re-install the old<br />
policy via SmartDashboard.<br />
2. The command line executable for upgrading remote gateways, cprinstall, does not currently<br />
support the upgrade all option. Instead, run cprinstall install to upgrade individual<br />
packages, or use the SmartUpdate GUI.<br />
3. After using SmartUpdate to install a firmware package on a UTM-1 Edge gateway, renaming the<br />
gateway in SmartDashboard may fail and result in the following message: Internal Error [12]<br />
while handling object edge1. Failed to update references of object edge1. Please contact technical<br />
support. If this should occur, you can safely ignore this message and perform the rename<br />
operation again. To avoid this message, leave SmartDashboard open during firmware<br />
installation.<br />
4. After upgrading a pre-<strong>NGX</strong> SmartCenter to <strong>NGX</strong> R61, software packages (except for UTM-1<br />
Edge firmware packages) that were displayed in the Package Repository of SmartUpdate do not<br />
appear. The packages are in the directory $SUROOT, and can be re-added to the Package<br />
Repository using the SmartUpdate command Add From File.<br />
5. After upgrading a SecurePlatform gateway from <strong>NGX</strong> (R60) to <strong>NGX</strong> (R60A), SmartUpdate<br />
erroneously reports that the upgrade has failed. This message can be safely ignored.<br />
6. After a SmartCenter server has been upgraded or copied via the Advanced Upgrade feature,<br />
previously defined UTM-1 Edge devices will not be able to connect to the SmartCenter server,<br />
and the Connection Wizard will generate object non-registered messages. To resolve this<br />
issue, use SmartUpdate to re-install a specific firmware package.<br />
7. SmartUpdate can be used to upgrade a Log Server, but it cannot be used to downgrade a Log<br />
Server. Downgrading a Log Server should only be done locally.<br />
8. SmartPortal <strong>NGX</strong> (R60) cannot be upgraded to <strong>NGX</strong> R61 via SmartUpdate. A workaround is to<br />
install SmartPortal <strong>NGX</strong> R61 directly (locally) to the <strong>NGX</strong> R60 machine.<br />
9. When using SmartUpdate to upgrade Eventia Reporter Server from <strong>NGX</strong> (R60), the message<br />
Execution error may appear at the end of the upgrade process. This message may be safely<br />
ignored. To confirm that the upgrade was successful, in SmartUpdate select the Reporter<br />
Server and run the operation Get Gateway Data.<br />
10. Eventia Analyzer cannot be upgraded to version <strong>NGX</strong> 2.0 via SmartUpdate, however<br />
SmartUpdate does support Eventia Analyzer license operations.<br />
Miscellaneous<br />
11. When running Fetch CPInfo on a non-Windows Management server, while trying to fetch CPInfo<br />
for the Management itself, in certain cases the command may halt unexpectedly. In this case,<br />
rerun the command, or run CPInfo locally.<br />
12. When upgrading to any <strong>NGX</strong> version from any pre-<strong>NGX</strong> version (e.g., R55), the SmartUpdate<br />
Package Repository is not upgraded. After the upgrade, the SmartUpdate Package Repository<br />
will therefore be empty.<br />
13. In SmartDashboard, the version number of an <strong>NGX</strong> (R60A) gateway may be changed to <strong>NGX</strong><br />
(R60) when performing an operation via SmartUpdate. There are two workarounds to this issue:<br />
• Always have SmartDashboard open when performing SmartUpdate operations on an <strong>NGX</strong><br />
(R60A) gateway.<br />
• If the version number has changed, open SmartDashboard and manually change the<br />
gateway's version to <strong>NGX</strong> (R60A).<br />
14. If, while pushing new firmware to a UTM-1 Edge device, the Secondary SmartCenter has just<br />
failed over, the firmware may not be successfully installed. To resolve this issue, synchronize<br />
the Edge device with the Secondary SmartCenter and run the Push Now operation again.<br />
Platform Specific — Nokia<br />
15. Upgrade All and separate transfer and install are not supported on flash-based Nokia. To resolve<br />
this issue, explicitly install Nokia IPSO first and then install the <strong>Check</strong><br />
<strong>Point</strong> products one by one. Alternatively, use Nokia Voyager to install the wrapper and manage<br />
the installation packages.<br />
16. When trying to install or verify an NG_AI R55P HFA package via SmartUpdate, the following<br />
error message may be displayed: Package has wrong format. In this case,<br />
you should install your package locally on a module.<br />
17. When upgrading Nokia flash-based machines via SmartUpdate, the following error message is<br />
displayed at the end of the upgrade process: Execution error. CPRID session timed out. It is highly<br />
probable that your module was successfully upgraded and that this message can be safely<br />
ignored. To confirm this, run the operation Get Gateway Data for this gateway and<br />
verify in SmartUpdate that the module was indeed upgraded.<br />
Platform Specific — SecurePlatform<br />
18. When using the SmartUpdate option Upgrade All, make sure that a VPN-1 Power/UTM Linux<br />
package is not in the Package Repository of any gateway running on SecurePlatform.<br />
Policy Installation<br />
19. When upgrading from R55W on a SecurePlatform machine, SmartUpdate will not reestablish a<br />
connection with the gateway after reboot. This is caused by the gateway failing to fetch a new<br />
policy and starting with an initial policy. To resolve this issue, go to the gateway and fetch the<br />
policy manually, or install policy from the SmartDashboard.<br />
GUI<br />
20. The feature Add Package From Download Center is not supported if the machine running<br />
SmartUpdate accesses the Download Center through a proxy server.<br />
Licensing<br />
21. If a local license is detached from the license repository and then reattached without first<br />
closing SmartUpdate, the license appears in the repository as unattached. In such a scenario,<br />
either attach the license manually, or close and restart SmartUpdate before reattaching the<br />
license.<br />
UTM-1 Edge<br />
Upgrade, Revert and Backward Compatibility<br />
1. After a SmartCenter server has been upgraded or copied via the Advanced Upgrade feature,<br />
previously defined UTM-1 Edge devices will not be able to connect to the SmartCenter server,<br />
and the Connection Wizard will generate object non-registered messages. To resolve this issue,<br />
use SmartUpdate to re-install a specific firmware package.<br />
2. To manage UTM-1 Edge devices with an R62 SmartCenter server that was migrated from Nokia<br />
to a different platform, see SecureKnowledge sk30389.<br />
SmartCenter<br />
3. A Sofaware profile will fail to install if a <strong>Check</strong> <strong>Point</strong> gateway has an interface named in and<br />
the Sofaware Reducer is disabled. To resolve this issue, make sure that the Sofaware Reducer is<br />
enabled, or avoid naming <strong>Check</strong> <strong>Point</strong> gateway interfaces as in.<br />
4. Make sure that in the Advanced Permanent Tunnel configuration, the life_sign_timeout attribute<br />
is larger than the life_sign_transmitter_interval attribute.<br />
5. UFP settings, CVP settings, and internal network settings of UTM-1 Edge ROBO gateways with<br />
firmware version 5.0 cannot be managed by this version of SmartLSM.<br />
Policy Installation<br />
6. When using the group All VPN-1 Embedded devices defined as Remote Access on the rulebase,<br />
the icon that is defined is wrong and can be safely ignored.<br />
7. If an object of type Embedded Device exists in the database but is not DNS-resolvable,<br />
installing policy on any Edge devices may be slow. To solve the problem, either remove<br />
the Embedded Device object from the database, or make sure that the name as it exists in the<br />
database is resolvable by DNS on the management machine.<br />
VPN Communities<br />
8. In order for SofawareLoader to create topologies suitable for Sofaware 4.5 appliances, use a<br />
text editor to open the file SofawareLoader.ini, located in the directory<br />
%FWDIR%\FW1_EDGE_BC\conf. In the [Server] section, add the line TopologyOldFormat=1. The<br />
change takes effect without running the commands cpstop and cpstart.<br />
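The SofawareLoader.ini edit from item 8, done idempotently with awk, as an added example that is not from the release notes. The set_ini_key, count_key and demo_sofaware_ini functions and the sample .ini content are the example's own; the only setting taken from the page is TopologyOldFormat=1 in the [Server] section. The function works on any copy of the file on a system with a POSIX shell and awk, so it is not tied to the Windows path given above.<br />

```shell
# Added example (not from the Check Point release notes): adds TopologyOldFormat=1
# to the [Server] section of a SofawareLoader.ini copy exactly once, so that
# running the edit twice (or on a file that already has the key) does not
# duplicate the line. Sample .ini content below is constructed for the demo.

# Rewrite an ini file so that KEY=VALUE is present once in [SECTION].
# An existing key in that section is updated in place; a missing key is
# appended at the end of the section; other sections are left untouched;
# a missing section is created at the end of the file.
set_ini_key() {
    file="$1" section="$2" key="$3" value="$4"
    tmp="$file.tmp"
    awk -v sec="$section" -v key="$key" -v val="$value" '
        # emit the key line when leaving the target section without having seen it
        function flush() { if (in_sec && !done) { print key "=" val; done = 1 } }
        /^[ \t]*\[/ {                                   # section header
            flush()
            name = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            in_sec = (name == sec)
            print; next
        }
        in_sec && !done && /^[ \t]*$/ {                 # blank line ends the section body
            print key "=" val; done = 1
        }
        in_sec && !done {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]*/, "", k)
            if (k == key) { print key "=" val; done = 1; next }   # update in place
        }
        { print }
        END {
            flush()
            if (!done) { print "[" sec "]"; print key "=" val }   # section absent: create it
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Number of lines in FILE that set KEY (used to check the edit is idempotent).
count_key() { grep -c "^$2=" "$1"; }

# Demo on a constructed stand-in for SofawareLoader.ini: apply the edit twice
# and confirm the key still appears only once.
demo_sofaware_ini() {
    f=$(mktemp)
    printf '[General]\nName=example\n\n[Server]\nEnabled=1\n\n[Other]\nX=1\n' > "$f"   # constructed sample
    set_ini_key "$f" Server TopologyOldFormat 1
    set_ini_key "$f" Server TopologyOldFormat 1   # second run must not duplicate the line
    n=$(count_key "$f" TopologyOldFormat)
    cat "$f"
    rm -f "$f"
    [ "$n" -eq 1 ]
}
```

Keeping the edit idempotent matters because duplicate keys in an ini file are resolved by whichever parser reads them, and a stale value can silently win; the section-aware match also prevents the line from landing in another section with a key of the same name.<br />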
9. UTM-1 Edge devices do not support GRE tunnels, and therefore cannot be included in VPN<br />
Communities that use GRE tunnels.<br />
Other<br />
10. UTM-1 Edge gateways support only regular log tracking. When using other tracking on a rule<br />
that would be installed on such gateways, it is ignored.<br />
11. If, while pushing new firmware to a UTM-1 Edge device, the secondary management has just<br />
failed over, the firmware may not be successfully installed. To resolve this issue, synchronize<br />
the UTM-1 Edge device with the secondary management and run the Push Now operation again.<br />
12. Scanning is performed on archive files of the following types only: zip, gzip, and tar.<br />
13. Only the first 30 HTTP headers or worm patterns defined on UTM-1 Edge devices of version<br />
6.0.x are enforced.<br />
VPN<br />
VPN Communities<br />
1. When managing SmartLSM ROBO gateways, some of which are VPN-1-enabled, from a<br />
standalone machine, the policy fetch operation may not succeed once a VPN has been<br />
established between the standalone machine and the ROBO gateway in question. To overcome<br />
this issue, add the CPD service as an excluded service for each of the communities<br />
that have SmartLSM ROBO profiles. To do this:<br />
a. Open the community object.<br />
b. In the Advanced Settings tab, choose the Excluded Services tab and add CPD as an<br />
excluded service.<br />
VPN-1 Power VSX<br />
In This Section<br />
Miscellaneous page 39<br />
Provider-1/SiteManager-1 page 39<br />
SmartCenter page 40<br />
SmartDashboard page 40<br />
Policy Installation page 40<br />
VSX NG AI Management Issues page 40<br />
VSX ClusterXL page 41<br />
Platform Specific — Nokia page 41<br />
Miscellaneous<br />
1. When working with a non-dedicated management interface, you cannot add new members to an<br />
existing VSX cluster using the vsx_util command.<br />
2. On a VSX NG AI <strong>Release</strong> 2.2 (Nokia) cluster/gateway, SecureClient connections are dropped<br />
during policy installation.<br />
3. Upgrading to <strong>R65</strong> is not supported for Nokia VSX.<br />
Provider-1/SiteManager-1<br />
4. Make sure that the IP address of the management object is set before running vsx_util or<br />
creating any Virtual Devices.<br />
5. When attempting to delete a Virtual Device from a CMA, and the CMA database on which the<br />
VSX is defined is locked, the operation will fail, and an error message will be displayed. This is<br />
the proper behavior. However, this operation also causes the Virtual Device to disappear from<br />
the Tree view. To resolve this issue, restart SmartDashboard.<br />
6. If the VSX Wizard fails, and changes need to be made to the defined configuration, avoid<br />
re-fetching the configuration from the modules. This means that if you move back to the SIC<br />
establishment dialog and click Next, you should reply NO to the question regarding re-fetching<br />
the configuration from the VSX gateway(s).<br />
SmartCenter<br />
7. To establish trust with newly created Virtual Devices, the IP address of the management server<br />
must be routable from the VSX gateway. When a management server has more than one<br />
interface, make sure to select the IP address of the proper interface to serve as the<br />
management server's IP address.<br />
8. The Install Database operation is not supported on Virtual Devices.<br />
9. The Policy Uninstall operation is not supported on VSX clusters.<br />
SmartDashboard<br />
10. After creating a VSX gateway or cluster, its IP address cannot be changed.<br />
11. The name of a Virtual Device should not exceed 64 characters. In cluster scenarios, the<br />
Member Virtual Device name is a composite of the Member name and the Cluster Virtual<br />
Device name. This could result in a Virtual Device name which contains more than 64<br />
characters.<br />
12. After resetting the SIC for a VSX gateway or cluster member, reinstall policy.<br />
13. When adding NATed addresses to the topology of a Virtual System, only address ranges are<br />
supported. To add a single IP address or an IP subnet, define it as an address range.<br />
14. Editing the name of the VSX management interface is not supported.<br />
15. When editing a VSX gateway or cluster object using the Creation Templates tab, you can only<br />
switch to a Customized Virtual System. Please note that this act is irreversible.<br />
16. Propagating routes from Virtual Routers to Virtual Systems is not supported.<br />
17. When using the vsx_util reconfigure command line utility to reconfigure a VSX gateway, the SIC<br />
status of the network object does not change to Communicating. While this will result in<br />
warnings regarding trust establishment on VS/VR for this specific object, the messages can be<br />
safely ignored.<br />
18. When configuring a host object as a Web Server in a deployment that contains configured<br />
Virtual Systems, on the Web Server tab, set the Protected by field to contain targets that do not<br />
include Virtual Systems.<br />
19. When defining NAT routes on the Topology tab of the Virtual System, insert two IP addresses,<br />
the first and last address of the IP range used for NATing. Note that large ranges can result in<br />
a slow response from the SmartCenter server.<br />
20. When activating the "General HTTP Worm Catcher" SmartDefense protection on a VSX gateway,<br />
all HTTP traffic is scanned for worms, regardless of the scope.<br />
Policy Installation<br />
21. Policy cannot be installed on more than 10 Virtual Systems simultaneously.<br />
22. VSX does not support the SmartDefense Profiles feature.<br />
23. Virtual Systems cannot be managed from a Secondary management server.<br />
VSX NG AI Management Issues<br />
24. When creating a NG AI Virtual Device, the main IP address of the Virtual Device should be<br />
routable from the SmartCenter server.<br />
25. When two Virtual Systems with internal IP addresses that originate from identical subnets (that<br />
is, overlapping subnets) are connected through a Virtual Switch, the internal interface of one of<br />
the Virtual Systems cannot be propagated.<br />
26. To enable the synchronization of routing information between cluster members, the policy on<br />
the VSX cluster must allow communication between cluster members on TCP port 2010.<br />
27. When connecting from SmartDashboard to the management server through a Virtual Device, the<br />
Virtual Device topology or routing cannot be changed.<br />
28. If you change the IP address of an interface leading to a Virtual Router when editing VSX NG AI,<br />
all manually defined routes to this Virtual Router will be deleted from the Virtual System and<br />
must be re-entered manually.<br />
29. In VSX, the Phase 1 proposal for SecureClient is hardcoded. Therefore, changing the Phase 1<br />
encryption method is not reflected in the client.<br />
30. To avoid warning messages during policy installation, interfaces defined on a Virtual System or<br />
Virtual Router should be associated with a route.<br />
31. The number of interfaces that can be assigned to a Virtual System is limited to 64.<br />
32. When a VSX NG AI Virtual Device is created, it is assigned a unique IP address. If that IP address is<br />
already in use, the operation will fail. To fix this problem, cancel the operation and create the<br />
Virtual Device with a unique IP address that is not in use.<br />
33. On Nokia platforms running VSX NG AI in a cluster configuration, an issue may arise when<br />
changing the VLAN interface on a Virtual Device. If the operation fails at some point, the<br />
change may be applied to some cluster members and not others.<br />
VSX ClusterXL<br />
34. To prevent a Virtual System in Bridge mode from creating loops in a clustered environment, a<br />
spanning tree protocol is required.<br />
35. All Virtual System interfaces in bridge mode must have the same VLAN ID.<br />
Platform Specific — Nokia<br />
36. When creating a NG AI VSX cluster on IPSO, delete from the physical interfaces list any<br />
interfaces which are not VRRP enabled. Remove these “unused” interfaces when using the VSX<br />
Wizard or immediately afterwards.<br />
37. Encryption method AES128/MD5 is not supported for VPN.<br />
Documentation Feedback<br />
<strong>Check</strong> <strong>Point</strong> is engaged in a continuous effort to improve its documentation. Please help us by<br />
sending your comments to:<br />
cp_techpub_feedback@checkpoint.com<br />