NGX R65 Release Notes - Check Point

Check Point NGX R65 Known Limitations 

Supplement 

Revised: February 4, 2008 

This Known Limitations Supplement document provides essential operating requirements and 

describes known issues for VPN-1/FireWall-1 NGX R65. Review this information before setting up 

VPN-1/FireWall-1 NGX R65. 

Note - Before you begin installation, read the latest available version of these release notes at: 

http://www.checkpoint.com/support/ 

In This Document 

Information About This Document page 2 

Previously Published Clarifications and Limitations page 2 

Documentation Feedback page 42 

Copyright © February 4, 2008 Check Point Software Technologies, Ltd. All rights reserved 1

Information About This Document 

This document contains known limitations from versions prior to NGX R65 that are relevant for this 

release. Before setting up NGX R65, review this information in conjunction with the latest NGX 

R65 Release Notes, available at 

http://www.checkpoint.com/support/technical/documents/index.html. 

Previously Published Clarifications and Limitations 

In This Section 

ClusterXL page 3 

Endpoint Security page 11 

Eventia Suite page 14 

Firewall page 16 

Provider-1/SiteManager-1 page 22 

SecureXL page 29 

SmartCenter Server page 31 

SmartPortal page 35 

SmartUpdate page 36 

UTM-1 Edge page 38 

VPN page 39 

VPN-1 Power VSX page 39 

VPN-1/FireWall-1 NGX R65 Known Limitations Supplement. Last Update — February 4, 2008 5:37 pm 2

ClusterXL 

ClusterXL 


Authentication page 3 

Configuration page 3 

ConnectControl page 4 

General page 4 

High Availability page 5 

ISP Redundancy page 5 

Load Sharing page 5 

Platform Specific — Nokia page 6 

Platform Specific — Solaris page 7 

Platform Specific — Windows page 7 

Policy Installation page 7 

Security Servers page 7 

Services page 7 

SmartConsole page 8 

State Synchronization page 8 

Unsupported Features page 8 

VPN-1 Clusters page 9 

Authentication 

1. When performing manual client authentication (using port 900) to a cluster where the IP 

addresses of the members are not routable, the URLs returned in the HTML from the replying 

cluster member contain the non-routable IP address of the member instead of the cluster IP 

address. This fails subsequent operations. The workaround is to configure the cluster to use a 

domain name instead of an IP address in the client authentication HTML pages, using the 

ahttpclientd_redirected_url global property. Make sure that your DNS servers resolve this 

domain name to the IP address of the cluster. 

2. Issues may arise when using automatic or partially automatic client authentication for HTTP on 

Load Sharing clusters (both ClusterXL and OPSEC clusters). A workaround is to define a 

decision function based only on IP addresses in order for connections to open. For ClusterXL, 

go to the ClusterXL tab > Load Sharing > Advanced, and select IPs only. For OPSEC clusters, 

refer to the product documentation for more information. 

Configuration 

3. In the Rule Base, when adding a cluster object to the source or destination column in a rule, 

this rule will only apply to the cluster addresses. If the rule needs to be applied to the cluster 

member addresses, add their objects to the rule as well. 

4. To use manual client authentication through HTTP in a cluster environment, set the database 

property hclient_enable_new_interface to true. This forces the HTTP client authentication 

daemon to ask for both the user name and password in the same HTML page. When the IP 

addresses of the cluster members are not routable, the URLs returned in the HTML from the 

replying cluster member contain the non-routable IP address of the member instead of the IP 

address of the cluster. This would fail subsequent operations. The workaround in this case is to 

configure the cluster to use a domain name, using theahttpclientd_redirected_url global 

property. Make sure that your DNS servers resolve this domain name to the cluster's IP address. 

5. Use the commands cpstop and cpstart instead of cprestart on cluster configurations. The 

command cprestart is not supported on cluster members. 


ClusterXL 

6. A cluster IP interface or a synchronization network interface cannot be defined as a 

non-monitored (i.e., disconnected) interface. 

7. Acceleration is not supported when using ClusterXL Load Sharing with Sticky Decision Function 

(SDF). When SDF is enabled, acceleration is automatically turned off. To re-enable 

acceleration, first make sure acceleration is enabled by running the cpconfig configuration tool. 

Then disable SDF (in SmartDashboard, edit the Gateway Cluster object, select the ClusterXL 

page, and click Advanced), and install the new Security Policy twice. 

Installing the Security Policy twice is also required when moving from ClusterXL Load Sharing 

with SDF to ClusterXL High Availability when acceleration is turned on. 

8. When defining VLAN tags on an interface, cluster IP addresses can be defined only on the 

VLAN interfaces (the tagged interfaces). Defining a cluster IP address on a physical interface 

that has VLANs is not supported. The physical interface should be defined with the Network 

Objective Monitored Private on ClusterXL clusters and as Private on third-party clusters. 

9. When setting an interface whose current Network Objective is Sync to Non-Monitored Private, 

and setting another interface's Network Objective to Sync and installing policy, the status of the 

cluster members will change to Active Attention and Down. To avoid this issue, make this 

configuration change in two phases. 

1. Set the interface with the Network Objective of Sync to Monitored Private (instead of 

Non-Monitored), and the other interface’s Network Objective to Sync and install policy. 

2. Reconfigure the Monitored Private interface to Non-Monitored and install policy again. 

10. When defining a Sync interface on a VLAN interface, it can only be defined on the lowest VLAN 

tag on a physical interface. 

11. Defining the lowest VLAN tag on a physical interface as disconnected (Non-Monitored Private) 

is not supported. 

12. Defining a Sync interface on a VLAN interface is not supported on Nokia clusters and on other 

third party clusters. 

13. A cluster object must contain two or more gateways. If configuring only one gateway, do not 

configure a cluster. 

ConnectControl 

14. The Server Load balance method is not supported. 

15. The Domain balance method is not supported for Logical Servers. 

16. If a Logical server is configured to have an IP address that belongs to the external network of 

the gateway, no Automatic Proxy ARP is configured on the gateway to the IP address of the 

Logical server. As a result there is no communication to the Logical server from external hosts. 

To resolve this issue, manually configure Proxy ARP using the file $FWDIR/conf/local.arp. See 

"Automatic Proxy ARP" in the ClusterXL User Guide for local.arp file configuration instructions. 

17. Logical Servers are not supported in conjunction with Security Servers. 

18. When configuring Server Availability for ConnectControl (SmartDashboard > Policy menu > 

Global Properties > ConnectControl), the value for the Server availability check interval must be a 

multiple of 5 and no less than 15. 

General 

1. In certain cases, installing policy on a cluster member may cause its state to change and a 

failover may subsequently occur. To prevent this situation, modify the firewall global parameter 

fwha_freeze_state_machine_timeout. This parameter sets the number of seconds during policy 

installation in which no state changes (including the "false" failover) will occur. Set this 

parameter to the shortest period which eliminates the issue; the recommended value is 30 

seconds. 


ClusterXL 

2. Performing an SNMP query on both the cluster’s IP address as well as on the members’ IP 

addresses concurrently, is not supported. The SNMP query can only be run on one or the other 

at time. Alternatively, you can wait for the UDP virtual session timeout between the SNMP 

queries on the different IP addresses. This timeout has a 40 second default, and can be 

defined in Global Properties > Stateful Inspection. 

High Availability 

3. In legacy High Availability mode for ClusterXL, MAC address synchronization is not supported 

for VLAN tagged interfaces. Use new High Availability mode, or manually configure the MAC 

addresses of the interfaces using the ifconfig CLI or WebUI. 

4. Issuing a Stop Member command in SmartView Monitor performs the cphastop command on 

this member. Among other things, this disables the State Synchronization mechanism. Any 

connections opened while the member is stopped will not survive a failover event, even if the 

member is restarted using cphastart. However, connections opened after the member is 

restarted are synchronized as normal. 

ISP Redundancy 

5. In a ClusterXL ISP Redundancy configuration, the names of the external interfaces of all 

cluster members must be identical and must correspond in turn to the names of the external 

interfaces of the cluster object. For example, if the cluster object has two external interfaces 

called eth0 and eth1 which are connected to ISP-1 and ISP-2, respectively; each cluster 

member must have two external interfaces called eth0 and eth1 which should be connected to 

ISP-1 and ISP-2 respectively. 

Load Sharing 

6. Under load, tcp packet out of state error messages may appear. For each case there is a specific 

way to resolve it. Refer to the “Firewall and SmartDefense” guide for a full explanation and 

security implications. 

• message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-ACK message_info: 

TCP packet out of state - first packet isn't SYN tcp_flags: FIN-PUSH-ACK 

In SmartDashboard > Global Properties > Stateful Inspection, enlarge tcp end timeout. The 

recommended value is 60 seconds. If there are many connections consider enlarging the 

connection table size in the same ratio as the tcp end timeout. 

• message_info: SYN packet for established connection 

run the command: fw ctl set int fw_trust_rst_on_port 

When a single port is not enough, you can set the port number to -1, meaning that you 

trust a reset from every port. 

• For other out of state messages: 

run the command: fw ctl set int fwconn_merge_all_syncs 1. This allows a more reliable 

way of merging TCP states across asymmetric connections. 

7. When employing SecurID for authentication, it is recommended to define each cluster member 

with its own unique (internal) IP address separately on the ACE/Server. In addition, to send 

packets to the ACE/Server with their unique IP addresses and not the VIP address, edit the file 

table.def, located in $FWDIR/lib. Change the line starting with no_hide_services_ports to, for 

example, no_hide_services_ports = {}, where 5500 is the service port and 17 

(UDP) is the protocol. 

8. For the first few seconds of an asymmetric connection, server-to-client packets are not 

accelerated. An asymmetric connection, such as an FTP data connection through an 

accelerated ClusterXL cluster, is where the server-to-client side is handled by a different 


ClusterXL 

member than the client-to-server side. Asymmetric connections are only opened when using 

VPN or static NAT. This is a temporary performance degradation that affects only a small 

percentage of traffic. 

9. When installing a new policy that uses Sticky Decision Function (configured in SmartDashboard 

> Cluster Object > ClusterXL page > Advanced), and the old policy used the regular decision 

function, some connections may be lost, especially connections to or from the cluster 

members. New connections are unaffected. 

10. After a failover, non-pivot members of a ClusterXL cluster in Unicast mode may report incorrect 

load distribution information. For the correct load distribution, review the information reported 

by the pivot member. 

11. When using ClusterXL in Load Sharing mode and the Sticky Decision Function is enabled, the 

failure of a module within 40 seconds of an IKE negotiation may cause a connectivity failure 

with that peer for up to 40 seconds. 

• When the failure involves a PIX gateway, communications may be interrupted for up to 40 

seconds. 

• When the failure involves an L2TP client, communications may be disconnected, as 

keepalive packets are blocked during this period. 

12. traceroute may fail if it passes through a Load Sharing cluster. To resolve this issue, on the 

Cluster object, select ClusterXL > Advanced and in the Advanced Load Sharing Configuration 

window you should either: 

• select Use Sticky Decision Function, or 

• change the selection for Use sharing method based on: to IPs. 

Platform Specific — Nokia 

13. Either Nokia VRRP or Nokia IP Clustering configuration must be used when creating a cluster 

based on an IPSO platform. Using other OPSEC Certified third party clustering products (such 

as OPSEC Certified external load balancers) to create a cluster based on IPSO platforms has 

limited support. Contact Check Point Support and receive configuration instruction and a list of 

associated limitations. 

14. After configuring a gateway cluster on a Nokia platform via the Simple mode (wizard), be sure to 

complete the cluster interface definition on the Topology page of the cluster object. 

15. The feature Connectivity enhancements for multiple interfaces is not supported on Nokia IP 

clustering in Forwarding mode. 

16. NAT rules should not be applied to VRRP traffic. To prevent NAT rules from being applied to 

VRRP traffic, define the following manual NAT rule and give it higher priority than other NAT 

rules that relate to Cluster VIPs or to their networks: 

Original Packet Translated Packet Install On 

Source Destination Service Source Dest Service 

Physical IP of VRRP IP: 224.0.0.18 Any Original Original Original relevant cluster 

VRRP members 

17. When configuring a Nokia IP Cluster, do not set the primary or secondary interfaces to Network 

Objective Private. Check Point recommends setting a Nokia IP Cluster’s primary interface to 

Network Objective Cluster, and its secondary interface to Network Objective Cluster or Sync. 

18. The Get Topology operation supports up to 256 interfaces on Nokia platforms. To define more 

than 256 interfaces, you need to do so manually. 


ClusterXL 

Platform Specific — Solaris 

19. When configuring virtual interfaces on Solaris GigaSwift interfaces, the ClusterXL product may 

not recognize the virtual interfaces in cases where no corresponding physical interface is 

defined. If the virtual interface is not recognized, it will not run a monitoring mechanism and 

eventually it will not perform failover. In order to make ClusterXL work properly on such virtual 

interfaces, the corresponding physical interface must be defined. For example, when a CE 

device with an instance of 0 is defined on the system, the /etc/hostname.ce0 file must be 

created and must contain some arbitrary IP address that will be assigned to the physical 

interface. 

20. ClusterXL does not support defining VLANs on Solaris bge interfaces. 

21. When configuring VLAN tags, set the IP address on the VLAN physical interface. If the physical 

(untagged) interface is not used, the IP address can be any IP address. 

For example: 

If the physical interface is ce1, and 

the VLAN interfaces are ce1001 and ce2001, then 

ce1 must also have an IP address. 

22. ClusterXL in Unicast mode (Pivot) is not supported on Solaris when using VLAN tagging. 

23. When using a Fujitsu GigEthernet NIC (fjgi and fjge interfaces) with Check Point Load Sharing 

(CPLS) multicast, packets can be received when the interface is set to promiscuous mode only. 

Platform Specific — Windows 

24. On Windows platforms, when switching from High Availability Legacy to High Availability New 

Mode or Load Sharing, the CCP transport mode is set to broadcast instead of multicast. A 

workaround is to toggle the CCP mode via the following command on each cluster member: 

cphaconf set_ccp multicast. 

Policy Installation 

25. When installing policy on a cluster with a Layer 2 bridge defined, the installation may fail with 

the following error: Load on Module failed. To resolve this issue, do the following: 

1. Set the environment variable FW_MANAGE_BRIDGE to 1 on the SmartCenter server. This is 

done by updating the files $CPDIR/tmp/.CPprofile.csh and CPDIR/tmp/.CPprofile.sh so 

that they include the environment variable FW_MANAGE_BRIDGE 1. 

2. Install policy. 

Security Servers 

26. Security Servers are not supported with Sequence Verifier in Load Sharing cluster 

environments. 

Services 

27. When using T.120 connections, make sure you manually add a rule that allows T.120 

connections. 


ClusterXL 

SmartConsole 

28. When working with a 3rd party cluster object with QoS, if you move from the Topology tab to a 

different tab, the following error message appears: No interface was activated in QoS tab for this 

host (Inbound or Outbound). Do you want to continue? Select Yes and continue your operation. 

This error message can be safely ignored. 

29. SmartUpdate shows cluster members as distinct gateways without the common cluster entity. 

When cluster members are not of the same version, applying Get Check Point Gateway Data on a 

cluster member will set the member's version on the cluster object. To set the version of the 

cluster correctly, apply the Get Check Point Gateway Data command to the cluster member with 

the latest version. 

30. If two or more interfaces on the same cluster member share the same IP address and Net Mask 

(as might occur when defining bridge interfaces), only one interface will be displayed in the 

Topology tab in SmartDashboard. To manage interfaces with the same IP address and Net 

Mask, use the GuiDBedit tool. 

31. When using ClusterXL in High Availability Legacy mode, the Network Objective is set 

automatically to Cluster if all of the members' interfaces on that network have the same IP 

address and netmask. Changing the Network Objective to a different setting will, in this case, be 

overridden by the system, and change back to Cluster after clicking OK. 

32. When deleting a network via the Topology page (Cluster Object > Properties > Topology > Edit 

Topology), selecting Name or IP address of one of the interfaces and then clicking Remove 

results in the following error message: Please select an interface. In order to remove a 

whole network, remove all the interfaces (members and cluster) and click OK. 

State Synchronization 

33. A cluster member will stay in the down state if it is detached and then reattached to the 

cluster, as it does not automatically perform a full sync upon reattachment. To force a full sync, 

run the following commands on the module: fw ctl setsync off and fw ctl setsync start. 

34. Upon completion of full synchronization (Full sync), an error message State synchronization is in 

risk, is displayed on the cluster member on which the synchronization is taking place. If this 

message occurs only once immediately following Full sync, it can be safely ignored. If this 

message appears erratically, consult the ClusterXL user guide in the section Blocking New 

Connections Under Load. 

Unsupported Features 

35. Cluster deployments automatically hide the IP address of the cluster members behind a virtual 

IP address. If you manually add NAT rules that contradict this configuration, the manually 

added NAT rules take precedence. For details, see the “ClusterXL Advanced Configuration” 

chapter of the ClusterXL Guide. 

36. TCP connections inspected by Web Intelligence or VoIP Application Intelligence features will 

not survive failover. On the event of failover these connections will be reset. 

37. The compatibility matrix for third party clustering solutions (other than Nokia) is specified in 

the following link: http://www.opsec.com/solutions/perf_ha_load_balancing.html. If a certain 

third party solution is not specifically written as being supported for this release, you must 

assume it is currently not supported. For Nokia clustering (VRRP or IP Clustering), see the 

Check Point Software and Hardware Compatibility section of the ClusterXL guide for information 

regarding which IPSO release is supported with this VPN-1 release. 

38. Mounting an NFS drive on a cluster member is not supported, as hide NAT changes the IP 

address of the cluster member, and the server cannot resolve the resulting mismatch. 


ClusterXL 

39. The following Web Intelligence features require connections to be sticky: 

• Header spoofing 

• Directory listing 

• Error concealment 

• ASCII only response 

• Send error page 

A sticky connection is one where all of its packets, in either direction, are handled by a single 

cluster member. If you enable one of the features listed above, make sure that your clustering 

solution supports sticky connections. Sticky connections can be guaranteed for Web 

connections in the following configurations: 

• ClusterXL High Availability 

• ClusterXL Load Sharing with Sticky Decision Function enabled 

• ClusterXL Load Sharing with no VPN peers, no static NAT * rules and no SIP 

• Nokia VRRP Cluster 

• Nokia IP Clustering configuration with no VPN peers, static NAT* rules or SIP 

• For other OPSEC certified clustering products - please refer to the OPSEC-certified 

product's documentation. 

40. The following VoIP Application Intelligence (AI) features require connections to be sticky: 

• H.323 

• SIP over TCP 

• Skinny 



solution supports sticky connections. Sticky connections can be guaranteed for VoIP 



• ClusterXL Load Sharing with no VPN peers or static NAT* rules 


• Nokia IP Clustering configuration with no VPN peers or static NAT* rules 



41. Sticky connections cannot be guaranteed on ClusterXL Load Sharing Unicast mode with hide 

NAT. 

42. To support SSL Network Extender in a ClusterXL Load Sharing configuration, enable the Sticky 

Decision Function. 

VPN-1 Clusters 

43. When defining Office Mode IP pools, make sure each cluster member has a distinct pool. 

44. Before adding an existing gateway to a cluster, remove it from all VPN communities in which it 

participates. 

45. When detaching a cluster member from a VPN cluster, manually remove the VPN domain once 

the member has been detached. 

*.including ConnectControl Logical Servers 


ClusterXL 

46. Peer or secure remote gateways may show error messages when working against an overloaded 

gateway cluster in Load Sharing mode. This is due to IPsec packets with an old replay counter. 

These error messages can be safely ignored. 

47. Using Sticky Decision Function with VPN features will guarantee connection stickiness for 

connections that pass through the cluster only, and not to connections originating from a 

cluster member or to it. 

48. When a Check Point VPN-1 NGX peer is connected directly to a Check Point cluster (i.e., the 

peer and the cluster are located on the same VLAN and there is no Layer 3 (IP) routing device 

between them), the following features are not supported: 

• ISP Redundancy 

• VPN link selection - Reply from same interface 

This issue can be resolved either by placing a router between the VPN peer and the cluster, or 

by disabling these features. (Neither feature is enabled by default.) 

• To disable ISP redundancy, in SmartDashboard edit the gateway object > Topology > ISP 

Redundancy, and remove the check mark from Support ISP Redundancy. 

• To disable VPN link selection - Reply from the same interface, in SmartDashboard edit the 

gateway object > VPN > Link Selection > Outgoing Route Selection, and do the following: 

A. Under When initiating a tunnel, enable Operating system routing table, 

B. and under When responding to remotely initiated tunnel, select Setup, and enable Use 

outgoing traffic configuration. 

49. When configuring a VTI cluster interface, it should be assigned a name identical to the name 

of the member interface. 


Endpoint Security 



Server Installation, Upgrade, and Backward Compatibility page 11 

Client Installation, Upgrade, and Backward Compatibility page 11 

Integration page 11 

Logging, Alerts, and Errors page 12 

Localization and Special Characters page 12 

Gateways and Third Party Product Integrations page 12 

Miscellaneous page 13 

Server Installation, Upgrade, and Backward Compatibility 

1. By default, VPN-1/FireWall-1 and the Check Point SecurePlatform administration interface both 

use port 443 for SSL communication. If you plan to run VPN-1/FireWall-1 on SecurePlatform, 

change the SecurePlatform SSL to a different port during the operating system installation. Do 

not change the VPN-1/FireWall-1 default port, as this is not supported. 

2. Normally, after installing the VPN-1/FireWall-1, answering “Y” to the message “Would you like 

to start VPN-1/FireWall-1 after exiting?” starts VPN-1/FireWall-1. If this does not work, type 

cpstop and cpstart (or, with Provider-1 setup, type mdsstop and mdsstart) to successfully 

start VPN-1/FireWall-1. 

Client Installation, Upgrade, and Backward Compatibility 

3. Clients cannot download packages from an external source when they are restricted. If the 

client becomes restricted due to a client Enforcement rule, and the rule specifies an upgrade 

package on an external URL, the client may not be able to download the external package. This 

can occur even if the external URL is actually the same as an VPN-1/FireWall-1. A workaround 

is to upgrade using the Upgrade package from VPN-1/FireWall-1 option rather than upgrading 

from an external URL. 

Integration 

4. If you see an unexpected error when logging into VPN-1/FireWall-1 with your SmartCenter 

administrator credentials, it may be because your SmartCenter license has expired or become 

invalid. If you are running VPN-1/FireWall-1 together with SmartCenter (either on the same 

host or on separate hosts), and your SmartCenter license expires or becomes invalid, you are 

not able to log on to VPN-1/FireWall-1 using your SmartCenter administrator credentials. This 

occurs whether you are trying to log on to VPN-1/FireWall-1 directly or through 

SmartDashboard. Use the cplic command to check the status of your SmartCenter license, and 

if necessary, set a new SmartCenter license. (For information on cplic, see the Check Point 

Command Line Interface Guide.) Even if your SmartCenter license is invalid, however, you can 

log in to VPN-1/FireWall-1 using your VPN-1/FireWall-1 administrator credentials. 

5. If you are setting up a distributed installation (in which VPN-1/FireWall-1 and SmartCenter run 

on separate hosts), VPN-1/FireWall-1 does not automatically synchronize with SmartCenter. To 

synchronize VPN-1/FireWall-1 with SmartCenter, restart VPN-1/FireWall-1 after you install and 

configure SmartCenter, install the database, and establish secure internal communication 

(SIC). 

6. If you are setting up a distributed installation (one in which VPN-1/FireWall-1 and 

SmartCenter run on separate hosts), changing the logging settings to store VPN-1/FireWall-1 

logs locally will result with an authentication error on every attempt to view logs from within 

VPN-1/FireWall-1. In this configuration, you can view the logs with SmartView Tracker or Smart 

Portal. 



7. After installing an VPN-1/FireWall-1 on a Provider-1 MDS machine, perform the following 

steps to prevent a crash: 

1. Stop the CMA that works with the VPN-1/FireWall-1. 

2. Log out of the shell used to start the VPN-1/FireWall-1 installation. 

3. Log in again to the root account. 

4. Start the CMA. 

After upgrading a Provider-1 MDS server that includes an installation of VPN-1/FireWall-1 that 

is associated with one of the CMAs, perform the same procedure. 

Logging, Alerts, and Errors 

8. Continuous looping of log uploads occurs if the minimum number of events is less than 2. In 

order to prevent continuous looping of log uploads, in the Client Configuration > Client Settings 

panel's Log Upload Size area, set the minimum number of events to be equal to or greater than 

2. 

9. SNMP traps sent from the VPN-1/FireWall-1 are logged to /var/log/messages file, but the 

messages are in hex codes. A workaround is to enable SYSLOG and SNMP traps in Linux by 

issuing the following commands: syslogd -h -r -m 0 (to enable syslog with remote option) 

snmptrapd -Oa (to enable snmptrapd and route the output to syslog). 

10. While Apache is running, it shows the following error: (730038)An operation was attempted 

on something that is not a socket.: winnt_accept: AcceptEx failed. Attempting to 

recover. Workaround: Place the directive Win32DisableAcceptEx on a separate line in the 

beginning of the httpd.conf configuration file (in install_dir\apache2\conf), and then 

restart Apache. 

11. Logging at the Info level can produce a lot of data. For this reason, do not set Info level 

notifications to be sent to e-mail. 

Localization and Special Characters 

12. Classic Firewall Rules cannot contain certain symbols. You cannot use the ampersand symbol 

('&'), quotation marks, or the less than symbol ('


18. Endpoint Security clients don't recognize full version numbers for Sophos antivirus products. 

Endpoint Security clients only recognize version numbers up to two places after the first 

decimal point (x.xx). 

19. A personal policy is not able to block Microsoft Remote Desktop. You cannot block Microsoft 

Remote Desktop using application rules. 

20. If you are using EAP and the Network Interface Card is disabled, it will remain disabled even 

after reboot. 

21. If a client is out of compliance with an Enforcement Rule that is configured to Warn or 

Observe, the VPN Security Configuration (or SCV status) is displayed as Verified. It is displayed 

as Not Verified only if the Enforcement Rule is configured to Restrict the client. 

Miscellaneous 

22. Scheduled Antispyware scan times can be incorrect when the Endpoint Security server and the 

Endpoint Security client are located in different time zones. This is because the scan time 

always occurs at the specified time in the server's time zone instead of the client's time zone. 

23. Internet Explorer (6.x) limits to 3000 the number of groups you can import into an NTDomain, 

LDAP, or RADIUS catalog on VPN-1/FireWall-1. To import more than 3000 groups, use another 

of the supported browsers. Mozilla Firefox is the only compatible browser that accommodates 

imports of more than 10,000 groups. For very large imports, the import page may take up to 

ten minutes to display all imported groups. When importing groups with a browser other than 

Internet Explorer, users may get a warning asking whether to abort the long-running javascript 

routine. Users should close the dialog box or choose to continue running javascript. For Firefox, 

you can suppress this message by typing about:config in the address bar, finding the entry for 

dom.max_script_run_time, and setting the number to 60 (on new computers) or 120 (on older 

computers). 

24. The Flex client must be rebooted to register changes to Return to Default buttons. When you 

change the setting of Hide Return to Default buttons in Flex (in the Advanced Settings section 

of a policy's Client Settings tab), the end user must reboot the Flex client for the change to 

take effect. 

25. Enterprise policies cannot override keyboard and mouse settings. If a policy allows a program 

and to enforce the enterprise policy only, and the user has set permissions in the personal 

policy to block the program, the program is able to access the Zones as defined in the 

enterprise policy, but is not able to perform keyboard and mouse activity. Workaround: Users 

must set the program to allow the keyboard and mouse activity in the personal policy. 


Eventia Suite 

Eventia Suite 


Eventia Analyzer page 14 

Eventia Reporter page 14 

Eventia Analyzer 

1. Eventia Analyzer does not support static NAT and therefore will not include logs with rules that 

use static NAT as part of the Event. 

2. Apache syslogs sometimes have a log suppression mechanism where a new log contains the 

phrase message repeat. These logs are not captured by Eventia Analyzer and therefore events 

based on these logs will not be generated. 

3. Changes to objects on a High Availability secondary server are not updated on the Eventia 

Analyzer Server. 

4. Changes to objects on a High Availability management server are not automatically updated on 

the Analyzer Server following a sync operation from another HA server. To force updates of the 

objects, on the Eventia Analyzer Client, select Policy tab > General Settings > Objects > Network 

Objects > Refresh. 

5. When attempting to use the Get Version option in the Eventia Analyzer module while editing its 

host properties in SmartDashboard, the version will result in an empty string. Select the most 

recent version available. 

6. Address range objects are not synchronized from SmartCenter or the MDS server to the Eventia 

Suite server. In order to include them on the Eventia Suite server, from the Eventia Analyzer 

Client, select Policy tab > General Settings > Network Objects and add the range manually. 

7. Eventia Analyzer cannot be installed with SmartUpdate. 

8. To define a new event based upon order logs, save and modify an existing event that uses the 

order logs, such as Check Point administrator credential guessing. 

9. On Solaris, no logs are received and processed for 10 minutes if the Log Server is stopped and 

restarted. If a Log Server is stopped and then started, restart the Correlation Units. 

10. The Global Exceptions product field does not filter out logs from the audit log. 

Eventia Reporter 

Installation, Upgrade and Backward Compatibility 

11. Eventia Reporter can be upgraded to NGX R65 from version NG R56 and later. If you are 

upgrading from a version prior to R56, uninstall Reporter and continue with the upgrade. 

12. The MySQL server on the Eventia Reporter Server conflicts with a MySQL server installation on 

the same computer. Install the Eventia Reporter server on a computer that does not contain a 

MySQL server installation. 

13. Eventia Reporter will not continue consolidation sessions if the log files were manually 

upgraded on the Log Server. 

14. After upgrading from R56 to NGX (NGX R61), a scheduled report that is selected for a specific 

module may fail to run. If this occurs, resave the report. 


Eventia Suite 

15. To upgrade a distributed deployment of Eventia Reporter from NGX (R60) on SecurePlatform 

Pro, do the following: 

1. Uninstall the package CPadvr-R60-00. 

2. Run the upgrade. 

3. Uninstall the package CPsuite-R60-00. 

4. Reboot the machine. 

16. The Eventia Reporter Client requires SmartDashboard to be installed on the same machine in 

order to launch. When installing the Eventia Reporter Client, be sure to install SmartDashboard 

as well. 

General 

17. Account logs that are originated by a gateway cluster are counted twice. Thus, reports of these 

logs will display inaccurate data. 

18. Logs produced by VPN-1 Power/UTM modules that also have QoS installed show twice the 

number of actual HTTP connections. As a result, reports generated on such modules will 

display an incorrect number of connections. 

19. If SmartDashboard is connected to an inactive management, Eventia Reporter cannot be 

launched from the Window menu of SmartDashboard. Instead, launch Eventia Reporter via the 

Windows Start Menu. 

20. If Eventia Reporter is running with multiple consolidation sessions, after running cpstop, 

ensure that all log_consolidator processes have terminated before running cpstart. 

21. FTP or HTTP distribution of reports does not work with proxy settings. If a machine has proxy 

settings, use alternate distribution methods such as e-mail distribution, or copy files from the 

Report's Results directory instead. 

22. When a Eventia Reporter Server's IP address has static NAT, a machine running the Eventia 

Reporter SmartConsole must be able to route connections to the Eventia Reporter server's real 

IP address. This can be achieved by running the Eventia Reporter SmartConsole on a machine 

in the Server's local network, or sometimes, by adding the appropriate route entries in the 

Eventia Reporter SmartConsole's routing table. 


Firewall 

Firewall 


Installation, Upgrade and Backward Compatibility page 16 

Platform Specific — Windows page 17 


Platform Specific — Linux page 17 

SmartConsole Applications page 17 

Load Sharing page 17 


Security Servers page 18 

Security page 18 

Services page 18 

Stateful Inspection page 18 

Dynamically Assigned IP Address (DAIP) Modules page 19 

IPv6 page 19 

ISP Redundancy page 19 

Management page 19 

OPSEC page 19 


SAM page 20 


VoIP page 20 

SecureClient page 21 

Installation, Upgrade and Backward Compatibility 

1. In modules that pre-date version NG with Application Intelligence R55W, the Web Intelligence 

defenses HTTP Format Sizes, ASCII Only Request, General HTTP Worm Catcher only support the 

protection scope apply to all HTTP connections; therefore, if one of these defenses is configured 

with protection scope apply to selected web servers and is installed on an older module, the 

protection scope apply to all HTTP connections will be applied on this module. 

2. When making Inspect changes to the file user.def, do so to the copy of the file in the directory 

$FWDIR/conf (and not the version in the directory $FWDIR/lib, as was the practice in previous 

versions). This is because user.def is copied from the /conf directory to the /lib directory 

during policy installation. 

Also, filenames are now adjusted to the different compatibility packages, so be sure to modify 

the appropriate file only: 

• user.def.NGX_R60 - contains user code for NGX modules (this will overwrite the file 

$FWDIR/lib/user.def during policy install) 

• user.def.R55WCMP - contains user code for R55W modules (this will overwrite the file 

user.def in the R55W compatibility package directory) 

• user.def.MGCMP - contains user code for NG modules, R55 and below. 

• user.def.EdgeCmp - contains user code for UTM-1 Edge modules. 

3. When restoring settings using the Nokia IPSO backup utility, run the CPconfig tool after 

installing the CPsuite package and before the restore process starts. 

4. After installing the firewall on a machine with functional PPPoE (ADSL) connectivity, PPPoE no 

longer works. 


Firewall 

5. The name of the installation directory of VPN-1 may not end with a space. 

6. On Linux systems and SecurePlatform, verify that there is at least 115 MB of free disk space 

in the "/" partition before upgrade. 

7. After upgrading an R55 or older Enforcement Module, previously defined SAM rules need to be 

defined again. 

Platform Specific — Windows 

8. The following message may be displayed when installing a policy: The NDISWANIP interface is 

not protected by the anti-spoofing feature. This message can be safely ignored. 

9. If an Intel NMS service is running during the VPN-1 Power/UTM installation, it may crash. This 

is a known pre-NMS version 2.0.56.0, Intel NMS service issue, where crashes occur whenever 

an NDIS IM driver is installed. Since NMS version 2.0.56.0 was part of PC6.0, releases from 

and including PC6.0 do not have this issue. 

10. The Network Load Balancing (NLB) driver is not supported with VPN-1. 

11. VLAN tagging is not supported on Windows platforms. 


12. On Solaris platforms with a qlc driver and the kernel memory allocator debugging 

functionality enabled, the system may experience instability. In this case, install Solaris patch 

113042-10 or higher. 

13. The AGE driver will panic when it fails to allocate memory. This occurs during age NIC, when 

system resources are low and it cannot allocate memory for the packet. 

Platform Specific — Linux 

14. The FTP Security Server does not support Kerberos when the RHEL FTP client is trying to 

negotiate a Kerberos session. To avoid this issue, use the flag -u with the FTP client. 

15. When working with VPN-1 Power/UTM on Red Hat Enterprise Linux 3.0, make sure to update 

E1000 drivers to the latest drivers available from Intel. 

SmartConsole Applications 

16. When a client connects with SmartDashboard to SmartCenter and performs a SmartDefense 

online update, a second client connecting with SmartDashboard to the same SmartCenter will 

see the new protections but not the new HTML descriptions. The situation is resolved by the 

second client logging out & logging in again. 

A similar behavior may occur regarding the Silent Post-install Update. If new protections were 

added in that package, then the second client that logs in will not see the respective new 

HTML descriptions. The workaround is the same (client should log out & log in again). 

17. A Multicast Address Range object cannot be used as a source or destination in the Rule Base. 

You can, however, define and use in its place a corresponding Address Range object. 

Load Sharing 

18. When employing SecurID for authentication, it is recommended to define each cluster member 

separately on the ACE/Server with its own unique (internal) IP address. In addition, to send 

packets to the ACE/Server with their unique IP addresses and not the VIP address, edit the file 

table.def, located in $FWDIR/lib. Change the line starting with no_hide_services_ports to, for 

example, no_hide_services_ports = {}, where 5500 is the service port and 17 

(UDP) is the protocol. 


Firewall 


19. Client Authentication will fail if VPN-1 Power/UTM machine name is configured with a wrong 

IP address in the hosts file. 

20. Clientless VPN with the Action Client Auth is not supported if the web server object is in the 

destination cell. The workaround is to add the gateway to the destination cell. 

21. When using SmartDirectory server for internal password authentication, if the account lockout 

feature is disabled the Firewall will not attempt to modify the user's login failed count and last 

login failed attributes on the SmartDirectory server. This improves overall performance and 

eliminates unnecessary SmartDirectory modify errors when using SmartDirectory servers that do 

not have these attributes defined because they did not apply the Check Point SmartDirectory 

schema extension on the SmartDirectory server. 

22. Issues may arise when using automatic or partially automatic client authentication for HTTP on 

Load Sharing clusters (both ClusterXL and OPSEC clusters). A workaround is to define a 

decision function based only on IP addresses in order for connections to open. For ClusterXL, 

go to the ClusterXL tab > Load Sharing > Advanced, and select IPs only. For OPSEC clusters, 

refer to the product documentation for more information. 

23. Definition of nested RADIUS Server groups is not supported. 

Security Servers 

24. When a field in a URI specification file is too long, the Security server exits when trying to load 

the file. Under load, the Firewall daemon (FWD) reloads the security server, which then exits. 

After a certain time cores are dumped. 

25. Client authentication with agent automatic sign on is supported with all rules, with two 

exceptions: 

• The rule must not use an HTTP resource. 

• Rules where the destination is a web server. 

26. When using SOAP filtering in the HTTP Security Server, the SOAP scheme file supports all 

forms of namespaces and methods, however, the feature is not supported if a method has no 

namespace at all. 

Security 

27. When using a URI resource to allow or restrict access to specific paths (by filling the path 

field), it is recommended to use the regular expression [/\] instead of / - this expression 

provides protection against Windows style paths. 

For example: instead of defining a path: /home/mydir/, define it as [/\]home[/\]mydir[/\]. 

Services 

28. A service using the FTP_BASIC protocol type cannot be used with the FTP Security Server. 

29. When using T.120 connections, make sure to manually add a rule that allows T.120 

connections. 

Stateful Inspection 

30. Changing the "match for any" option in the MSNP service to "false" it causes connectivity 

problems after an upgrade in the following scenario: 

Service X other than Microsoft Messenger protocol was running on port 1863. No special rule 

was defined for this service (for example, the service was permitted by a rule with "Any" in 

service column). 

To resolve this issue, define a rule permitting the service with X in the "service" column. 


Firewall 

31. In a cluster environment, TCP state enforcement allows a server to respond with an ACK packet 

on a SYN packet (instead of SYN-ACK). Sequence Verification enforcement will be applied to 

all the traffic of the connection. 

Dynamically Assigned IP Address (DAIP) Modules 

32. The fw tab command on a SmartCenter server is not supported. 

IPv6 

33. In IPv6 logs, IPv6 address resolving is not supported in SmartView Tracker. 

34. Due to the fact that IPv6 is not supported for security servers, enabling Configuration apply to 

all connections under SmartDefense's FTP Security Server settings causes FTP (as well as HTTP 

and SMTP) connections over IPv6 to be rejected, and no log is generated. 

35. The command fw6 unload localhost unloads both IPv6 and IPv4 policies, although it should 

unload only the IPv6 policy. 

36. The RSH protocol is not supported for IPv6. 

ISP Redundancy 

37. ISP redundancy is not supported in a ClusterXL Different subnets configuration. This means the 

IP address of the cluster must be on the same subnet as the cluster members' real IP 

addresses. 

38. In a ClusterXL configuration, the names of the external interfaces of all cluster members must 

be identical and must correspond in turn to the names of the external interfaces of the cluster 

object. For example, if the cluster object has two external interfaces called eth0 and eth1 

which are connected to ISP-1 and ISP-2, respectively; each cluster member must have two 

external interfaces called eth0 and eth1 which should be connected to ISP-1 and ISP-2 

respectively. 

Management 

39. Defining network objects with names identical to a service is not supported. 

OPSEC 

40. TCP resource with cvp group is not supported. 


41. Check Point uses the notation starting with "SA_" for internal purposes. Defining objects with 

names starting with this string is not supported. 

42. When installing policy on a cluster with a Layer 2 bridge defined, the installation may fail with 

the following error: Load on Module failed. To resolve this issue, do the following: 

1. Set the environment variable FW_MANAGE_BRIDGE to 1 on the SmartCenter server. This is 

done by updating the files $CPDIR/tmp/.CPprofile.csh and CPDIR/tmp/.CPprofile.sh so 

that they include the environment variable FW_MANAGE_BRIDGE 1. 

2. Install policy. 

43. To install policy on NG enforcement modules via the command line, run the command fwm 

load from any directory other than $FWDIR/conf. 

44. Policy installation may fail when there are 70 or more dynamic objects. 


Firewall 

SAM 

45. A Suspicious Activity Monitor (SAM) rule will fail for a remote gateway if the SmartCenter 

server is also a VPN-1 Power/UTM gateway and no policy has been installed on it since adding 

the remote gateway. 

Miscellaneous 

46. The TCP Sequence Verifier is not supported with clusters using asymmetric routing. 

47. The Accept VPN-1 & FireWall-1 control connections Implied Rules setting is applicable to a 

SmartCenter server object in specific cases only: 

• to the primary IP defined for this object and 

• only if there are interfaces defined in its Topology tab. 

This may create connectivity problems when trying to install policies (or other operations 

included in the control connections). The workaround is to define explicit rules that allow 

connectivity to the SmartCenter object. 

48. A large database on a gateway may result in high CPU usage by the services VPND and DTPSD. 

To resolve this issue, use the cpprod utility to set a value for the setting 

SIC_SERVER_DEFAULT_TIMEOUT. 

VoIP 

49. MSN Messenger version 5 is not supported. Additionally, there are a few known issues 

regarding MSN Messenger when employing Hide NAT: 

• When running SIP and the data connection tries to open MSN Messenger connections on 

hidden networks, the connection fails. 

• While audio and video each work separately, they cannot be run concurrently. 

50. When using the SIP protocol and a security rule uses the Action reject to block high_udp_ports 

(RTP ports - data connection), the incoming audio is rejected as well. A workaround is to use 

the Action drop in place of reject. 

51. When an H.323 IP phone that is not part of a handover domain tries to establish a call, the 

call attempt is blocked and the following message appears on the console: FW-1: 

fw_conn_inspect: fwconn_chain_lookup failed. If you want to allow this phone to make calls, 

add it to the handover domain, and the error message will no longer appear. Note that this 

console message may appear in other (non-VoIP) scenarios as well. 

52. In some cases, when a user closes an MSN Messenger application (such as Whiteboard), the 

application will not close automatically on the remote end. The remote user will need to close 

the application manually. 

53. When using the service SIP with Hide NAT enabled on internal IP phones, do not enable the 

SmartDefense flag "Block SIP calls that use two different voice connections (RTP) for incoming 

audio and outgoing audio". If the flag is enabled, the firewall may begin to drop RTP/RTCP 

packets. The flag is located in SmartDefense > VoIP > SIP. 

54. When the SIP-proxy is in the DMZ, whiteboard and application sharing will not open between 

external to internal messengers. 

55. In previous versions a VoIP signalling connection could not have a different encryption policy 

than a VoIP data connection. As of NGX the VoIP signalling connection can have a different 

encryption policy than the VoIP data connection. 


Firewall 

SecureClient 

56. Policy installation fails if a combination of different user groups & network objects are used in 

the same cell. For example, if the following appears in a source or destination cell, the policy 

will not install: 

usergroup1@netobj1 & usergroup2@netobj2 

If the user groups match or the network objects match, the installation will succeed. The 

following examples will allow the policy to install successfully: 



57. The following Web Intelligence features require connections to be sticky: 

• Header spoofing 

• Directory listing 

• Error concealment 

• ASCII only response 

• Send error page 



solution supports sticky connections. Sticky connections can be guaranteed for Web 



• ClusterXL Load Sharing with Sticky Decision Function enabled 

• ClusterXL Load Sharing with no VPN peers, no static NAT* rules and no SIP 


• Nokia IP Clustering configuration with no VPN peers, static NAT* rules or SIP 



* including ConnectControl Logical Servers 

58. The following VoIP Application Intelligence (AI) features require connections to be sticky: 

• H.323 

• SIP over TCP 

• Skinny 



solution supports sticky connections. Sticky connections can be guaranteed for VoIP 



• ClusterXL Load Sharing with no VPN peers or static NAT* rules 


• Nokia IP Clustering configuration with no VPN peers or static NAT* rules 



* including ConnectControl Logical Servers 


Provider-1/SiteManager-1 



Installation, Upgrade, and Revert page 22 

Configuration page 23 

Licensing page 23 

Backup and Restore page 24 

Migrate page 24 

Global Policy page 25 

Global VPN page 26 

Global SmartDefense page 26 

SmartUpdate page 27 

SmartPortal page 27 

Status Monitoring page 27 

Eventia Reporter page 27 



Installation, Upgrade, and Revert 

1. Some of the issues reported by the Pre-Upgrade Verifier may require database modifications. To 

avoid having to repeat these changes, remember to synchronize your mirror MDSs/CMAs and 

perform the ‘install database to CLM’ processes. It is highly recommended that you read the 

“Upgrading in Multi MDS environment” section in The Upgrade Guide. 

2. After upgrading an MDS or MLM in a multi MDS environment, SmartDashboard displays CMA 

and CLM objects with the previous version, and the following error message appears when 

performing the operation Install Database: 

Install Database on Log Server can only be partially completed. To 

restore full functionality (full resolving and remote operations), upgrade the Log 

Server to be the same version as your Management Server. 

In order to update the CMA/CLM objects to the most recent version, use the following 

procedure after upgrading all MDS and/or MLM servers: 

1. Verify that all active CMAs are up and running with valid licenses, and that none of them 

currently has a SmartDashboard connected. 

2. Run the following commands in a root shell on each MDS/MLM server: 

A. mdsenv 

B. $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL 

3. Synchronize all Standby CMAs and SmartCenter Backup servers and install the database on 

the CLMs. 

In some cases, the MDG will display CMAs with the version that was used before the upgrade. 

To resolve this issue, after performing steps 1 - 3, do the following: 

1. Make sure that each CMA that displays the wrong version is synchronized with the 

Customer's other CMAs. 

2. Restart the MDS containers hosting the problematic CMAs by executing the following 

commands in a root shell: 

A. mdsenv 

B. mdsstop –m 

C. mdsstart -m 



3. After upgrading a pre-NGX SmartCenter to NGX R65, software packages (except for UTM-1 

Edge firmware packages) that were displayed in the Package Repository of SmartUpdate do not 

appear. The packages are in the directory $SUROOT, and can be re-added to the Package 

Repository using the SmartUpdate command Add From File. 

4. Management of FireWall-1 4.1 gateways and VPN-1 Net gateways are not supported in NGX 

R65. Prior to upgrading configurations that contain such gateways, the gateways need to be 

upgraded to the supported products/ versions. Since the pre-upgrade verification tools will not 

allow the upgrade to proceed as long as such gateways exist in the configuration database, the 

objects either need to be deleted from the source management or updated to represent a 

supported product/ version. If the objects are updated for the sake of allowing the upgrade to 

proceed, management of the gateways will not be allowed until the gateway software and 

license is upgraded as well. 

Please also note that configurations that contain externally managed FireWall-1 4.1 gateways 

cannot be upgraded to NGX. To allow the upgrade to proceed, these objects need to be updated 

to represent a supported version. 

5. After upgrading an MDS server that includes an installation of Endpoint Security Server that is 

associated with one of the CMAs, do the following: with one of the CMAs, do the following: 

1. Stop the CMA. 

2. Log in again to the root account. 

3. Start the CMA. 

Configuration 

6. In the SecurePlatform installation, the default maximum number of file handles is set to 

65536. This also applies to standard Linux installations, but the default number may vary. 

For Provider-1/SiteManager-1 installations with a large number of CMAs, 65536 file handles 

may be insufficient. Indications that the system may not have enough available file handles 

can be failure of processes to start, and/or crashes of random processes. 

• To check if insufficient file handles is indeed the problem, enter the following command 

from root or expert mode: 

# cat /proc/sys/fs/file-nr 

This command prints three numbers to the screen. If the middle number is close to zero, 

or the left number equals the right-most number, it is required to increase the maximum 

number of file handles. 

• To increase the maximum number of file handles, enter the following command from root or 

expert mode: 

Licensing 

# echo 131072 > /proc/sys/fs/file-max 

The number above is for demonstration purposes; the actual figure should be derived from 

the amount of memory and the number of CMAs. 

7. If you upgrade licenses after upgrading the MDS, the upgraded licenses will not be displayed 

in the MDG until after restarting the MDS. 

8. Under rare circumstances, a CMA license may not appear in the SmartUpdate view of the MDG, 

and yet appear in SmartUpdate when launched from the CMA. If this happens, do the 

following: 

1. From the command line in the CMA environment, use the cplic command to remove the 

missing license, and then add it again. 

2. In SmartUpdate, right-click the CMA and select Get Licenses. 



Backup and Restore 

9. A backup file created on a Solaris platform with the mds_backup command cannot be restored 

on a Linux platform, nor vice-versa. A backup made by mds_backup on Linux can be restored on 

SecurePlatform and vice-versa. 

10. When saving the configuration of an MDS (via the command mds_backup), make sure to also 

back up the configuration of each of the VSX gateways/clusters that are managed by the MDS. 

When restoring the configuration of the MDS (via the command mds_restore), make sure to 

restore the configuration of all VSX gateways/clusters immediately afterwards. 

Migrate 

11. After migrating a SmartCenter server running on a Nokia platform to an NGX R65 CMA, the 

UTM-1 Edge objects and Profiles creation option from SmartDashboard is not available. See 

SecureKnowledge SK26484 for more information. 

12. Migrating a CMA/SmartCenter database to a Provider-1 CMA disables the CMA's PnP license, if 

any. 

13. Migration of a CMA is not supported when VSX objects exist in the database. 

14. After migrating Global Policies and CMAs that contain Global VPN Community, the VPN 

Communities mode of the Global Policies view in the MDG may not display all gateways 

participating in the Global VPN Communities. To resolve this issue, after completing the 

migration of all relevant configuration databases and starting the MDS and the CMA processes, 

issue the following commands in the root shell on the MDS: 

1. mdsenv 

2. fwm mds rebuild_global_communities_status all 

15. When migrating complex databases, the MDG may timeout with the error message Failed to 

import Customer Management Add-on, even when the migration process continues and is 

successful. Therefore, when migrating large databases, it is recommended that you run the 

migrate operation from the command line. See the cma_migrate command in The Upgrade 

Guide. 

16. The migrate_assist utility reports missing files, depending on FTP server type. If files are 

missing, copy the relevant files manually. More information regarding the relevant files and the 

directory structure is available in the “Upgrading Provider-1” chapter of The Upgrade Guide. 

17. Before migrating the global database, if there are Global VPN Communities in the source 

database or in the target database, it is highly recommended that you read the “Gradual 

Upgrade with Global VPN Considerations” section of The Upgrade Guide. 

18. If you delete a CMA that has been migrated from an existing CMA or SmartCenter database, 

and then want to recreate it, first create a new Customer with a new name. Add a new CMA to 

the new Customer and import the existing CMA or SmartCenter database into the new CMA. 

19. After migrating SmartCenter or CMA databases with SmartLSM data, execute the command 

LSMenabler on on the CMA. 

20. After migrating a SmartCenter database which contains SmartDashboard administrators or 

administrator group objects, these objects remain in the database but are not displayed in 

SmartDashboard. As the CMA is managed by Customer Administrators via the MDG and not via 

SmartDashboard, these objects are irrelevant to the CMA. However, if you need to delete or edit 

one of these objects, use dbedit or GuiDBedit to do so. 

21. When migrating a CMA or SmartCenter High Availability (HA) to a new CMA in a different 

Provider-1/SiteManager-1 environment, be sure to use the primary database of the CMA or 

SmartCenter HA for the migrate operation. 



In addition, if the name used for the new CMA is not the name of the previous primary CMA or 

SmartCenter HA, the new CMA name may not be similar to a name already used for a network 

object in the migrated database, including the secondary management object. 

22. When migrating a CMA or SmartCenter Backup server with Endpoint Security Server installed, 

the Endpoint Security Server installation does not migrate. The recommended approach for this 

configuration is the following: 

1. Before migrating, open SmartDashboard to the CMA/SmartCenter server to be migrated. 

2. Edit the CMA/SmartCenter server object, and deselect Endpoint Security Server from the list 

of Check Point Products. 

3. Run the migrate operation. 

4. Reinstall the Endpoint Security Server on the machine on which the CMA resides. 

5. Configure the migrated CMA to use Endpoint Security Server. 

23. When migrating SmartCenter or CMA configurations that contain SmartDefense settings and 

protections that were downloaded via SmartDefense Online Update, the migrate_assist tool 

does not copy all the necessary files, and the target machine will not contain the full original 

SmartDefense configuration. To resolve this issue, do one of the following: 

• Copy the directories manually from the source machine according to the instructions found 

in the Provider-1 User Guide. 

• Use migrate_assist, and then do the following operations before importing the 

configuration: 

A. On the source machine, go to $FWDIR/conf and copy the content of the subdirectory 

SMC_Files. 

B. Place the copied content in the directory /conf on the target machine. 

C. Delete the following files from the target machine: 

• SMC_Files/monitor/SmartViewMonitor.tar 

• SMC_Files/asm/post_install_sd_updates 

• SMC_Files/asm/post_install_sd.ver 

Global Policy 

24. When deleting a Check Point host object created in Global SmartDashboard that has the same 

name as one of the MDS/MLM servers, the SIC certificate of the matching MDS/MLM server 

may be revoked. To avoid this situation, refrain from defining Check Point host objects with 

names identical to MDS/MLM servers in the system. If the certificate of one of the MDS/MLM 

servers is revoked, see SecureKnowledge SK24204 to remedy the situation. 

25. Avoid circular references in the Global Policy, as this will cause its assignment to fail. 

26. To ensure the endpoint security of Global Policies, only Provider-1 Superuser and Customer 

Superuser administrators are allowed to perform a Database Revision Control operation on a 

CMA. This is to ensure that a lower level administrator does not change the Global Policy 

assigned to a Customer. This is not a limitation, but rather an effect of the administrator’s 

permission hierarchy. 

27. Assigning a Global Policy to Customers may be a heavy operation. For this reason, it is 

recommended that you use MDG: Manage > Provider-1/SiteManager-1 Properties > Global Policies 

and configure Perform Policy operations on 1 customers at a time. For information about an MDS 

machine that includes a large amount of CMAs and big databases (global database and local 

CMAs' databases), refer to Hardware Requirements and Recommendations in the 

Provider-1/SiteManager-1 User Guide. 



28. When installing policy from the MDG using the Assign/ Install Global Policy operation, the 

Security Policy is not installed on UTM-1 Edge profiles. Use SmartDashboard to install policy 

to UTM-1 Edge profiles. 

29. When creating Connectra gateway objects (like other gateway objects, such as VPN-1 

Power/UTM, UTM-1 Edge, and InterSpect), be sure to do so using the CMA SmartDashboard. 

Defining Connectra objects in Global SmartDashboard is not supported. 

Global VPN 

30. Simplified VPN Mode Policies cannot work with gateways from versions prior to FP2. You 

cannot assign a Global Simplified VPN Mode Policy to a CMA with gateways of version FP2 or 

lower. 

31. Global VPN Communities do not support shared secret authentication. 

32. Only Globally-enabled gateways can participate in Global VPN Communities. Gateway 

authentication is automatically defined using the CMA’s Internal Certificate Authority. 

Third-party Certificate Authorities are not supported. 

33. UTM-1 Edge gateways cannot participate in Global VPN Communities. 

34. Currently an external gateway can fetch CRL only according to the FQDN. Therefore, a peer 

gateway would fail to fetch a CRL when the primary CMA is down (even if the mirror CMA is 

operational). To avoid this scenario, you can change the FQDN to a resolvable DNS name by 

executing the following commands: 

1. mdsenv 

2. Run cpconfig and select the menu item Certificate Authority 

35. After enabling a module for global use from the MDG, install a policy on the module or use the 

Install Database operation on the management server in order for its VPN domain to be 

calculated. 

36. When migrating a CMA, all CMAs that participate in a Global VPN Community must be 

migrated as well. If you do not migrate all relevant CMAs, it will affect Global Community 

functionality and maintenance. 

37. A globally enabled gateway can be added to a Global VPN Community from Global 

SmartDashboard only through the community object and not from the VPN tab of the object. 

38. When a VPN Simplified Mode Global Policy is assigned to a Customer, all of the Customer’s 

Security Policies must be VPN Simplified as well. 

39. If the Install policy on gateway operation takes place while the MDS is down, the status of this 

gateway in the Global VPN Communities view is not updated. 

40. When using VPN-1 Power VSX Virtual Systems in Global VPN Communities, the operating 

system and version displayed on objects representing Virtual Systems in peer CMAs is 

incorrect. This information can be safely ignored. 

Global SmartDefense 

41. If a Customer is configured for SmartDefense Merge mode, modifications made to the 

SmartDefense settings on a SmartCenter Backup server are not preserved after Global Policy is 

reassigned to the Customer. 

42. Customers subscribed to the Global SmartDefense service also receive updates to the Content 

Inspection > File Types list. All newly downloaded file types are by default set to Action type 

Scan. The SmartDefense mode assigned to the Customer determines whether any changes the 

CMA administrator has made to the File Types list are preserved when Global Policy is 

assigned. 



SmartUpdate 

43. Firmware packages cannot be deleted from the SmartUpdate repository. In order to delete 

packages, use the utility mds_delete_firmware. 

44. When using the MDG’s SmartUpdate view, packages are added to the SmartUpdate repository of 

the MDS to which the MDG is connected. When in a Multi-MDS environment, make sure that 

each SmartUpdate package is added to each MDS individually. 

When adding SofaWare firmware packages in such an environment, a package added to one 

MDS will appear to have been added to all other MDSs. In this case as well, make sure that 

each firmware package is added to each MDS individually. 

45. After detaching a Central license from a CMA using the SmartUpdate view, the license remains 

in the License Repository, and therefore cannot be added again to the CMA from the MDG 

General view. To add it again, reattach the license using SmartUpdate. 

46. SmartUpdate packages cannot be added to the MDS Package repository if no CMAs are 

defined. Before populating an MDS's SmartUpdate repository with packages, define at least 

one CMA. 

SmartPortal 

47. When using Management High Availability (between a SmartCenter server and either a CMA or 

an MDS), change over may not succeed when SmartPortal is connected in Read/Write mode. To 

resolve this issue, do one of the following: 

• Only allow access from SmartPortal to Read-only administrators 

• Disconnect Read/Write SmartPortal clients from SmartView Monitor 

Status Monitoring 

48. A CMA will report the status Waiting until it is started for the first time. 

49. In a CMA High Availability configuration, the High Availability synchronization status in the 

MDG may contain inconsistent values if valid licenses have not been installed. If this is the 

case, the synchronization status should be ignored. In order to operate, however, all CMAs must 

have valid licenses. 

50. SmartView Monitor displays invalid statuses when connecting to a CLM. To view Customer 

statuses using SmartView Monitor, connect to a CMA. 

Eventia Reporter 

51. As Eventia Reporter data is not synchronized on multiple MDSs in High Availability 

configurations, Eventia Reporter should be set to work with just one MDS. To do so, install the 

Eventia Reporter Add-on on one MDS only, and log into this MDS whenever using the Eventia 

Reporter client. 

52. You must log into the Eventia Reporter client using a Provider-1 Superuser administrator 

account, or a Customer Superuser administrator account. Other administrator types are not 

supported. 

53. Only one Eventia Reporter server is supported. Do not define more than one Eventia Reporter 

server in Global SmartDashboard. 

54. For Eventia Reporter to function properly, all Customers must have a Global Policy assigned to 

them. If a Customer has not been assigned a Global Policy, all reports generated for this 

Customer will fail with the following error: 

Could not retrieve CMA for customer . CMA is either stopped or 

standby. 




55. After defining RADIUS or TACACS server objects in Global SmartDashboard, wait until the 

MDSs are synchronized before configuring administrators to authenticate via the new servers. 

Miscellaneous 

56. In a CMA High Availability configuration, the MDG may variably report the status of UTM-1 

Edge gateways as either OK or Not Responding. To see the correct status, open SmartView 

Monitor on the Active management. 

57. Certificates for Provider-1 administrators should be created only from an MDG connected to the 

MDS that currently hosts the active global database. 

58. When working with a large CMA database, synchronizing this database may take some time. If 

you create a second CMA from the MDG it may seem that the operation was not successful on 

account of the timeout, when in fact the operation was done within a set period of time. 

To make sure that this operation finished successfully after the MDG's timeout: 

1. Wait until the second CMA is displayed on the MDG, with a Started status. 

2. From SmartDashboard, connect to the active CMA. 

3. Select Policy > Management High Availability and in the displayed window verify that the 

standby CMA's Status is Synchronized. 

59. The cp_merge utility is not supported in Provider-1/SiteManager-1. 

60. When creating, deleting or updating a Virtual Device, the database of the CMA containing the 

VPN-1 Power VSX gateway will be locked during that time. If a user tries to connect to the CMA 

via SmartDashboard, a message will report that the database is locked. Selecting Disconnect 

does not unlock the database. Connection to the CMA may be resumed when the operation 

finishes. 

61. SmartDashboard currently lacks appropriate error messages for the following scenarios: 

• Using a SmartCenter Backup Server, the user cannot edit a Virtual System object where the 

VPN-1 Power VSX belongs to another CMA (main CMA), because there is no connection 

between them. 

• The user cannot edit a Virtual System object in a CMA whose Active main CMA is a 

SmartCenter Backup Server, because there is no connection between them. 

62. When removing a Provider-1 installation from a machine that has Endpoint Security Server 

installed on it, Endpoint Security Server may not uninstall. A workaround is to uninstall 

Endpoint Security Server separately. 

63. After upgrading an MDS machine with Endpoint Security Server installed and associated with a 

certain CMA to NGX R65, reverting to the previous version of Provider-1 using the utility 

mds_remove will succeed, however the Endpoint Security configuration will contain information 

related to the newer version. To resolve this issue, do the following: 

1. Use a text editor to open the file /opt/CPEndpoint 

Security/engine/webapps/ROOT/bin/opsec/config.properties 

2. Enter the correct values for the following keys: 

• CMA_IP=[IP address of the CMA which is configured to use Endpoint Security] 

• CPDIR=[the CPDIR directory of the CMA] 

• FWDIR=[the FWDIR directory of the CMA] 

• MDS_CPDIR=[the new value of MDSDIR directory] 

• MSP_SOMEIP_ADDR=[IP address of the CMA which is configured to use Endpoint Security] 

64. Global SmartDashboard cannot be used to create Connectra or VPN-1 Power/UTM gateway 

objects. Instead, use a SmartDashboard connected to a specific CMA to create these objects. 


SecureXL 

SecureXL 


General page 29 



Accelerated Features page 30 

Unsupported Features page 30 

Unsupported Products page 30 

General 

1. When using Performance Pack or Turbocard in a cluster configuration, all members must have 

Performance Pack or Turbocard installed and running. 

2. For the first few seconds of an asymmetric connection, server-to-client packets are not 

accelerated. An asymmetric connection, such as an FTP data connection through an 

accelerated ClusterXL cluster, is where the server-to-client side is handled by a different 

member than the client-to-server side. Asymmetric connections are only opened when using 

VPN or NAT. This is a temporary performance degradation that affects only a small percentage 

of traffic. 

3. In a High Availability configuration, some accounting information held in the accelerator (for 

accelerated connections only) may be lost in the event of a failover. As a result, the accounting 

information reported may be lower than the actual traffic. 

4. When a gateway has IP pool NAT defined for site to site connections in a MEP environment and 

Automatic Hide NAT for internal networks is enabled, back connections to the IP pooled IP 

address are dropped by the gateway. To prevent these connections from being dropped, do one 

of the following: 

• Disable Automatic Hide NAT on the gateway. 

• Configure Hide NAT for the internal network object with manual or automatic rules. 

5. For a list of the recommended platforms for Performance Pack, see the Hardware Compatibility 

List for SecurePlatform at 

http://www.checkpoint.com/products/supported_platforms/secureplatform.html. 


6. When the SmartDefense TCP Sequence Verifier feature is enabled and Flows acceleration is 

enabled, the Sequence Verifier feature is not enforced and the following message appears when 

installing policy: 

Flows: TCP Sequence Verifier acceleration is not supported on the Gateway. 

When SecureXL is enabled, you can enable the SmartDefense TCP Sequence Verifier feature by 

first enabling it in Nokia Network Voyager (System Configuration > Advanced System Tuning) and 

then in SmartDashboard (SmartDefense tab > Network Security > TCP). The Sequence Verifier 

feature will then be enforced on accelerated connections. 

7. The SmartDefense protection IP Fragments (SmartDefense tab > Network Security > IP and ICMP) 

is not supported on Turbocard and Nokia platforms with SecureXL enabled. 


SecureXL 


8. On Solaris platforms, Performance Pack does not support the following types of interfaces 

• VLAN and virtual interfaces 

• bge, dmfe and skge interfaces 

Accelerated Features 

9. When flows are enabled, full sanity checks are performed for flowed (accelerated) connections 

for the IP layer. No sanity checks are performed on the UDP or TCP layer of flowed packets. 

The workaround is to disable flows. 

10. SmartView Monitor gets updates for every connection from SecureXL once every 30 seconds. 

Because of the difference between the SecureXL update interval and the SmartView Monitor 

update interval, you might not get a smooth line even when monitoring constant rate 

connection. 

This phenomenon is negligible when monitoring real life traffic that has many connections that 

open and close at random. Regardless of the number of connections, over a significant period 

of time, the average of the total number of monitored traffic, will be monitored accurately. 

11. The SmartDefense protection PPTP Enforcement does not allow acceleration of the GRE protocol 

over PPTP when enabled. In order to accelerate the GRE protocol over PPTP, disable this 

protection (on the SmartDefense tab, select Application Intelligence > VPN Protocols > PPTP 

Enforcement). 

Unsupported Features 

12. Fingerprint Scrambling causes a negative impact on performance. ISN Spoofing disables TCP 

templates, and TTL and IPID cause traffic to be handled by the firewall module only. 

13. The NetQuotas feature is not supported with SecureXL. 

14. The Overlapping NAT feature is not supported with SecureXL. 

15. WISP redundancy has the following limitations when working with SecureXL: 

• Connections passing through interfaces configured with ISP redundancy are not 

accelerated. Other connections (for example, an internal connection to a DMZ) are 

accelerated and are not affected by this limitation. 

• ISP redundancy over PPTP and PPPoE interfaces is not supported. 

16. When configuring Remote Access > Office Mode on a gateway that has multiple external 

interfaces with SecureXL enabled, make sure that Support connectivity enhancement for gateways 

with multiple external interfaces is checked. 

17. When SecureClient is connected to a Check Point gateway with two external interfaces and the 

connected interface goes down, SecureClient will lose connectivity. In order to resume 

connectivity, the user needs to disconnect and reconnect. 

18. Performance Pack does not support source-based routing. 

Unsupported Products 

19. Check Point QoS is not supported with SecureXL. 

20. PPTP and PPPoE interfaces are not supported by Performance Pack in configurations where 

NAT and/or VPN are used. 


SmartCenter Server 



Upgrade, Backout and Backward Compatibility page 31 


SmartConsole Applications page 33 

Logging page 34 

SmartCenter High Availability page 34 

SmartDirectory page 34 

User Management page 34 

Trust Establishment page 34 

OSE page 34 

Platform Specific - Nokia page 35 

Platform Specific - Windows page 35 

Upgrade, Backout and Backward Compatibility 

1. When using the Upgrade Export and Import utilities on the Windows platform, the machine 

should be connected to the network. Alternatively, a connector can be used to simulate a 

connection. Refer to SecureKnowledge solution sk19840 for more information regarding how to 

simulate a network connection during an upgrade. 

2. When upgrading with a duplicate machine whose IP address differs from the original IP address 

of the SmartCenter server, if Central licenses are used, they should be updated to the new IP 

address. This can be done via the User Center at http://usercenter.checkpoint.com, by choosing 

the action License > Move IP > Activate Support and Subscription. 

3. When using the Upgrade Export and Import utilities, if a specific product should fail to install, 

the entire operation will fail, with the exception of these products: 

• SmartView Reporter 

• SmartView Monitor 

• SecureXL 

• UserAuthority Server 

Failure importing and/or exporting of these products will not cause the entire import/export 

operation to fail. Use the log file of the import/export operation to understand what caused the 

problem and fix it. The log file is located at: 

Windows: C:\program files\checkpoint\CPInstLog 

Unix: /opt/CPInstLog 

4. When upgrading a Log Server, always choose to upgrade and ignore the other options (to export 

the configuration or to perform pre-upgrade verifications). These options are irrelevant for Log 

Server upgrades. Also, the backwards compatibility (BC) package is installed on every Log 

Server. It can be safely removed, as it is not in use on a Log Server. 



5. If, when using the Check Point Installation Wrapper, the download of updates fails during an 

upgrade (for example, because the machine is not connected to the Internet), then the upgrade 

will continue using the tools that exist on the CD. To use the most recent version: 

a. Download the updates from: 

https://support.checkpoint.com/downloads/bin/autoupdate/ut/r61/index.htm. 

b. Save the update on the local disk of your SmartCenter server. 

c. Restart the installation wrapper and choose the second option on the download page: I 

already downloaded and extracted the Upgrade Utilities. 

6. Check Point 4.1 gateways and embedded devices are not supported with this release. After 

upgrading the SmartCenter server to NGX, these objects will remain, but you will not be able to 

install policy on them. 

7. VPN-1 Net is no longer supported. 

8. After upgrading SmartCenter, but before upgrading the gateways, SecureID users may not be 

able to connect. A workaround is detailed on SecureKnowledge sk17820. This solution 

documented there should be implemented in the compatibility package directories as well: 

For NG gateways (NG - R55) 

- Unix /opt/CPngcmp-DAL/lib/ 

- Windows C:\Program Files\CheckPoint\NGCMP 

For R55W gateways 

- Unix /opt/CPR55Wcmp/lib 

- Windows C:\Program Files\CheckPoint\R55WCmp\lib 

9. When upgrading SmartCenter with a duplicate machine on the Windows platform, the following 

message may appear after selecting Import configuration file: 

Failed to import configuration. Imported configuration file does not contain the 

correct data. 

To resolve the issue, do one of the following: 

• Remove the file gzip.exe from the environment path. 

• Remove gzip.exe altogether. 

10. Advanced Upgrade from the wrapper, or use of the Export/Import tools, is not supported on a 

secondary SmartCenter server. 

11. In this release, SmartCenter does not manage gateways prior to NG FP3. If you have such 

gateways, it is recommended that you upgrade them as well. 

12. After a SmartCenter server has been upgraded or copied via the Advanced Upgrade feature, 

previously defined UTM-1 Edge devices will not be able to connect to the SmartCenter server, 

and the Connection Wizard will generate "object non-registered" messages. To resolve this 

issue, use SmartUpdate to re-install a specific firmware package. 

13. To manage UTM-1 Edge devices with an NGX R65 SmartCenter server that was migrated from 

Nokia to a different platform, see Check Point SecureKnowledge sk30389. 




14. After aborting an installation and before attempting to install policy, make sure that there are 

no processes running the fwm load command on the SmartCenter server. 

15. By selecting the Install Policy option Install on all selected gateways, if it fails do not install on 

gateways of the same version, policy is installed on gateways by group. There are four such 

groups: 

• UTM-1 Edge 

• R55W 

• NGX 

• all others (R55 and prior versions) 

When this option is selected, if policy fails when installing to a member of one of the groups, 

the policy will not be installed to any other gateways in that group. Policy installation will 

continue uninterrupted to members of other groups, however. 

16. Uninstall policy on LSM profiles is not supported. 

17. Policy installation is divided into several stages: Verification, compilation, file transfer, etc. 

Each stage has a default time-out of 300 seconds. Should you encounter time-out problems 

while installing a policy, you can change the value of the timeout in the following way: 

a. Run cpstop on the SmartCenter server. 

b. Run DBedit and change the install_policy_timeout attribute that is located under 

firewall_properties in the global properties. A valid value is 0-10000. 

c. Close DBEdit and run cpstart. 

18. Policy may not install successfully on an InterSpect device, even if SIC is established. To 

resolve this issue, make sure that the SmartCenter server's IP address(es) are configured in 

InterSpect's GUI Clients. 

SmartConsole Applications 

19. When running a query on a Security Policy in SmartDashboard, only user-defined rules are 

displayed in the query result. Implied rules matching the query are not displayed, even if the 

option View Implied Rules is selected. 

20. When switching the active file from SmartView Tracker, the new active file name will be 

automatically name by the system. It will not receive the user-defined file name. 

21. UTM-1 Edge objects cannot be defined from the Manage menu in SmartDashboard. To define 

UTM-1 Edge objects, from the Objects Tree, right-click Check Point > New. 

22. A Connectra object cannot be dragged & dropped into the Address Translation Rule Base. To 

add a Connectra object to a rule, right click on the relevant cell, select Add, and select the 

relevant Connectra object. 

23. To perform SmartDefense Online Update in Demo Mode, use Demo Mode Advanced. Other 

Demo Modes do not support this feature. 

24. InterSpect objects cannot be added to NAT rules. 

25. After deploying Anti Virus signatures, the Express CI Deployment Status is not updated by 

clicking Refresh on the SmartDefense Services tab. This issue is resolved by closing and 

restarting SmartDashboard. 



Logging 

26. When a Log Server is installed on a DAIP module, management operations such as "purge" and 

"log switch" can not be performed. 

27. If using the cyclic logging feature, after upgrade it is recommended to back up the previous 

/log files to another machine, and then to delete them. 

28. When a Log Server runs out of disk space, any logs sent by ELA clients will be lost. To prevent 

this, be sure to maintain adequate disk space on the Log Server. 

29. After upgrading a gateway, SmartView Tracker may report 0 active connections. To resolve this 

issue, reinstall policy on the gateway. 

30. When a filter is applied in the Traffic or Audit log pages, logs may not display in sequential 

order, and using the scroll bar arrow to navigate through the logs does not appear to work. To 

scroll, click and drag the scroll bar or use the buttons Bottom and Top. 

SmartCenter High Availability 

31. If a primary SmartCenter server is in a Standalone configuration, and a secondary SmartCenter 

server is active, then policy installation from the secondary to the primary server will be 

prohibited immediately after upgrade. In order to resolve this, install the policy locally on the 

primary server. 

32. When modifying the file InternalCA.C, be sure to copy the modified file to the other 

management stations, and then install policy again for the changes to become active. 

33. When executing Management High Availability (between SmartCenter and/or CMA and/or MDS) 

change over may not succeed when SmartPortal is connected in Read/Write mode. To resolve 

this issue, restrict access from SmartPortal to Read-only administrators; or, use SmartView 

Monitor to disconnect the Read/Write mode in SmartPortal. 

SmartDirectory 

34. If Use SmartDirectory (LDAP) is checked in Global Properties, but no LDAP account unit is 

configured, the authentication of external users (as opposed to LDAP users) that are not 

defined in the user's database will not succeed. To resolve this issue, make sure that you 

uncheck Use SmartDirectory (LDAP) in the Global Properties. 

User Management 

35. When manually defining branches on an Account Unit, spaces between elements in the branch 

definition will not work. For example: 

A good branch: ou=Finance,o=ABC,c=us 

A bad branch: ou=Finance , o=ABC , c=us 

Trust Establishment 

36. Before establishing secure internal communication (SIC) between a standalone SmartCenter 

server and a Connectra device, install policy to the SmartCenter server. 

OSE 

37. The Drop action is not supported for Cisco OSE devices. If the Drop action is used, the policy 

installation operation fails. 

38. 3Com devices are not supported. 


SmartPortal 

Platform Specific - Nokia 

39. When upgrading using the Import Configuration option in the wrapper, and the machine you 

have exported the configuration from is a Nokia platform the following may occur: 

• Check Point packages that were inactive on the production machine will either become 

active on the target machine if its OS is Nokia, or will be installed on other platforms. 

If this should occur, when the target machine is a Nokia platform, return the relevant packages 

to the inactive state. For other platforms, uninstall the relevant packages. 

Platform Specific - Windows 

40. On Windows platforms only, in some cases, when performing the Restore Version operation 

(from SmartDashboard, File > Database Revision Control > Restore Version) while SmartView 

Tracker is open, the restore fails and you are not able to save the database (File > Save). The 

solution is to make sure that SmartView Tracker is closed before performing Restore Version 

operations. If you already encountered such a problem, run cpstop and then cpstart. 

41. After using the Advanced Upgrade tools to migrate a SmartCenter server to a different 

machine, RADIUS authentication servers will no longer be able connect to the SmartCenter 

server. To re-establish connection between them, do the following on the SmartCenter server: 

1. Use Regedit to open the Windows registry. 

2. Locate the key HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\ACECLIENT. 

3. Delete the value NodeSecret. 

4. Reboot the SmartCenter server. 

SmartPortal 

1. When a filter is applied in the Traffic or Audit log pages, logs may not display in sequential 

order, and using the scroll bar arrow to navigate through the logs does not appear to work. To 

scroll, click and drag the scroll bar or use the buttons Bottom and Top. 


SmartUpdate 

SmartUpdate 


Installation, Backward Compatibility, and Upgrade page 36 



Platform Specific — SecurePlatform page 37 


GUI page 37 

Licensing page 37 

Installation, Backward Compatibility, and Upgrade 

1. When a gateway has been upgraded and then rolled back to the previously installed version, 

SmartUpdate will not be able to report its status. This occurs because the gateway restarts with 

the initial policy, instead of the last installed policy. The workaround is to re-install the old 

policy via SmartDashboard. 

2. The command line executable for upgrading remote gateways, cprinstall, does not currently 

support the upgrade all option. Instead, run cprinstall install to upgrade individual 

packages, or use the SmartUpdate GUI. 

3. After using SmartUpdate to install a firmware package on a UTM-1 Edge gateway, renaming the 

gateway in SmartDashboard may fail and result in the following message: Internal Error [12] 

while handling object edge1. Failed to update references of object edge1. Please contact technical 

support. If this should occur, you can safely ignore this message and perform the rename 

operation again. To avoid this message, leave SmartDashboard open during firmware 

installation. 

4. After upgrading a pre-NGX SmartCenter to NGX R61, software packages (except for UTM-1 

Edge firmware packages) that were displayed in the Package Repository of SmartUpdate do not 

appear. The packages are in the directory $SUROOT, and can be re-added to the Package 

Repository using the SmartUpdate command Add From File. 

5. After upgrading a SecurePlatform gateway from NGX (R60) to NGX (R60A), SmartUpdate 

erroneously reports that the upgrade has failed. This message can be safely ignored. 



and the Connection Wizard will generate object non-registered messages. To resolve this 

issue, use SmartUpdate to re-install a specific firmware package. 

7. SmartUpdate can be used to upgrade a Log Server, but it cannot be used to downgrade a Log 

Server. Downgrading a Log Server should only be done locally. 

8. SmartPortal NGX (R60) cannot be upgraded to NGX R61 via SmartUpdate. A workaround is to 

install SmartPortal NGX R61 directly (locally) to the NGX R60 machine. 

9. When using SmartUpdate to upgrade Eventia Reporter Server from NGX (R60), the message 

Execution error may appear at the end of the upgrade process. This message may be safely 

ignored. To confirm that the upgrade was successful, in SmartUpdate select the Reporter 

Server and run the operation Get Gateway Data. 

10. Eventia Analyzer cannot be upgraded to version NGX 2.0 via SmartUpdate, however 

SmartUpdate does support Eventia Analyzer license operations. 


SmartUpdate 

Miscellaneous 

11. When running Fetch CPInfo on a non-Windows Management server, while trying to fetch CPInfo 

for the Management itself, in certain cases the command may halt unexpectedly. In this case, 

rerun the command, or run CPInfo locally. 

12. When upgrading to any NGX version from any pre-NGX version (e.g., R55), the SmartUpdate 

Package Repository is not upgraded. After the upgrade, the SmartUpdate Package Repository 

will therefore be empty. 

13. In SmartDashboard, the version number of an NGX (R60A) gateway may be changed to NGX 

(R60) when performing an operation via SmartUpdate. There are two workarounds to this issue: 

• Always have SmartDashboard open when performing SmartUpdate operations on an NGX 

(R60A) gateway. 

• If the version number has changed, open SmartDashboard and manually change the 

gateway's version to NGX (R60A). 

14. If, while pushing new firmware to a UTM-1 Edge device, the Secondary SmartCenter has just 

failed over, the firmware may not be successfully installed. To resolve this issue, synchronize 

the Edge device with the Secondary SmartCenter and run the Push Now operation again. 


15. Upgrade All and separate transfer and install is not supported on flash-based Nokia. To resolve 

this issue you should explicitly install Nokia IPSO and thereafter you should install the Check 

Point products, one by one. Alternatively, use Nokia Voyager to install the wrapper and manage 

the installation packages. 

16. When trying to install or verify an NG_AI R55P HFA package via SmartUpdate, the following 

error message may be displayed Package has wrong format. In this case, 

you should install your package locally on a module. 

17. When upgrading Nokia flash-based machines via SmartUpdate, the following error message is 

displayed at the end of the upgrade process Execution error. CPRID session timed out. It is highly 

probable that your module was successfully upgraded, and that this message can be safely 

ignored. To ensure that this is the case, run the operation Get Gateway Data for this gateway and 

see that the module was indeed upgraded in SmartUpdate. 

Platform Specific — SecurePlatform 

18. When using the SmartUpdate option Upgrade All, make sure that a VPN-1 Power/UTM Linux 

package is not in the Package Repository of any gateway running on SecurePlatform. 


19. When upgrading from R55W on a SecurePlatform machine, SmartUpdate will not reestablish a 

connection with the gateway after reboot. This is caused by the gateway failing to fetch a new 

policy and starting with an initial policy. To resolve this issue, go to the gateway and fetch the 

policy manually, or install policy from the SmartDashboard. 

GUI 

20. The feature Add Package From Download Center is not supported if the machine running 

SmartUpdate accesses the Download Center through a proxy server. 

Licensing 

21. If a local license is detached from the license repository and then reattached without first 

closing SmartUpdate, the license appears in the repository as unattached. In such a scenario, 

either attach the license manually, or close and restart SmartUpdate before reattaching the 

license. 


UTM-1 Edge 

UTM-1 Edge 

Upgrade, Revert and Backward Compatibility 



and the Connection Wizard will generate object non-registered messages. To resolve this issue, 

use SmartUpdate to re-install a specific firmware package. 

2. To manage UTM-1 Edge devices with an R62 SmartCenter server that was migrated from Nokia 

to a different platform, see SecureKnowledge sk30389. 

SmartCenter 

3. A Sofaware profile will fail to install if a Check Point gateway has an interface named in and 

the Sofaware Reducer is disabled. To resolve this issue, make sure that the Sofaware Reducer is 

enabled, or avoid naming Check Point gateway interfaces as in. 

4. Make sure that in the Advanced Permanent Tunnel configuration, the life_sign_timeout attribute 

is larger than life_sign_transmitter_interval attribute. 

5. UFP settings, CVP settings, and internal network settings of UTM-1 Edge ROBO gateways with 

firmware version 5.0 cannot be managed by this version of SmartLSM. 


6. When using the group All VPN-1 Embedded devices defined as Remote Access on the rulebase, 

the icon that is defined is wrong and can be safely ignored. 

7. In case an object of type Embedded Device exists in the database but is not DNS-resolvable, 

installing policy on any Edge devices may operate slowly. To solve the problem, either remove 

the Embedded Device object from the database, or make sure the name as exists in the 

database is resolvable by DNS on the management machine. 

VPN Communities 

8. In order for SofawareLoader to create topologies suitable for Sofaware 4.5 appliances, use a 

text editor to open the file SofawareLoader.ini, located in the directory 

%FWDIR%\FW1_EDGE_BC\conf. In the [Server] section, add the line TopologyOldFormat=1. The 

change takes effect without running the commands cpstop and cpstart. 

9. UTM-1 Edge devices do not support GRE tunnels, and therefore cannot be included in VPN 

Communities that use GRE tunnels. 

Other 

10. UTM-1 Edge gateways support only regular log tracking. When using other tracking on a rule 

that would be installed on such gateways, it is ignored. 

11. If, while pushing new firmware to a UTM-1 Edge device, the secondary management has just 

failed over, the firmware may not be successfully installed. To resolve this issue, synchronize 

the UTM-1 Edge device with the secondary management and run the Push Now operation again. 

12. Scanning is performed on archive files of the following types only: zip, gzip, and tar. 

13. Only the first 30 HTTP headers or worm patterns defined on UTM-1 Edge devices of version 

6.0.x are enforced. 


VPN 

VPN 

VPN Communities 

1. When managing SmartLSM ROBO gateways some of which are VPN-1 -enabled from a 

standalone machine, the policy fetch operation may not succeed once VPN has been 

established between the standalone and the ROBO gateway in question. In order to overcome 

this issue, you should add the CPD service as an excluded service for each of the communities 

which have SmartLSM ROBO profiles. To do this, 

a. Open the community object. 

b. In the Advanced Setting tab, choose the Excluded Services tab and add the CPD as 

excluded service. 

VPN-1 Power VSX 



Provider-1/SiteManager-1 page 39 

SmartCenter page 40 

SmartDashboard page 40 


VSX NG AI Management Issues page 40 

VSX ClusterXL page 41 


Miscellaneous 

1. When working with a non-dedicated management interface, you cannot add new members to an 

existing VSX cluster using the vsx_util command. 

2. On a VSX NG AI Release 2.2 (Nokia) cluster/gateway, SecureClient connections are dropped 

during policy installation. 

3. Upgrading to R65 is not support for Nokia VSX. 


4. Make sure that the IP address of the management object is set before running vsx_util or 

creating any Virtual Devices. 

5. When attempting to delete a Virtual Device from a CMA, and the CMA database on which the 

VSX is defined is locked, the operation will fail, and an error message will be displayed. This is 

the proper behavior. However, this operation also causes the Virtual Device to disappear from 

the Tree view. To resolve this issue, restart SmartDashboard. 

6. If the VSX Wizard fails, and changes need to be made to the defined configuration, avoid 

re-fetching the configuration from the modules. This means that if you move back to the SIC 

establishment dialog and click Next, you should reply NO to the question regarding re-fetching 

the configuration from the VSX gateway(s). 



SmartCenter 

7. To establish trust with newly created Virtual Devices, the IP address of the management server 

must be routable from the VSX gateway. When a management server has more then one 

interface, make sure to select the IP address of the proper interface to serve as the 

management server's IP address. 

8. The Install Database operation is not supported on Virtual Devices. 

9. The Policy Uninstall operation is not supported on VSX clusters. 

SmartDashboard 

10. After creating a VSX gateway or cluster, its IP address cannot be changed. 

11. The name of a Virtual Device should not exceed 64 characters. In cluster scenarios, the 

Member Virtual Device name is a composite of the Member name and the Cluster Virtual 

Device name. This could result in a Virtual Device name which contains more than 64 

characters. 

12. After resetting the SIC for a VSX gateway or cluster member, reinstall policy. 

13. When adding NATed addresses to the topology of a Virtual System, only address ranges are 

supported. To add a single IP address or an IP subnet, define it as an address range. 

14. Editing the name of the VSX management interface is not supported. 

15. When editing a VSX gateway or cluster object using the Creation Templates tab, you can only 

switch to a Customized Virtual System. Please note that this act is irreversible. 

16. Propagating routes from Virtual Routers to Virtual Systems is not supported. 

17. When using the vsx_util reconfigure command line utility to reconfigure a VSX gateway, the SIC 

status of the network object does not change to Communicating. While this will result in 

warnings regarding trust establishment on VS/VR for this specific object, the messages can be 

safely ignored. 

18. When configuring a host object as a Web Server in a deployment that contains configured 

Virtual Systems, on the Web Server tab, set the Protected by field to contain targets that do not 

include Virtual Systems. 

19. When defining NAT routes on the Topology tab of the Virtual System, insert two IP addresses, 

the first and last address of the IP range used for NATing. Note that large ranges can result in 

a slow response from the SmartCenter server. 

20. When activating the "General HTTP Worm Catcher" SmartDefense protection on a VSX gateway, 

all HTTP traffic is scanned for worms, regardless of the scope. 


21. Policy cannot be installed on more then 10 Virtual Systems simultaneously. 

22. VSX does not support the SmartDefense Profiles feature. 

23. Virtual Systems cannot be managed from a Secondary management server. 

VSX NG AI Management Issues 

24. When creating a NG AI Virtual Device, the main IP address of the Virtual Device should be 

routable from the SmartCenter server. 

25. When two Virtual Systems with internal IP addresses that originate from identical subnets (that 

is, overlapping subnets) are connected through a Virtual Switch, the internal interface of one of 

the Virtual Systems cannot be propagated. 

26. To enable the synchronization of routing information between cluster members, the policy on 

the VSX cluster must allow communication between cluster members on TCP port 2010. 



27. When connecting from SmartDashboard to the management server through a Virtual Device, the 

Virtual Device topology or routing cannot be changed. 

28. If you change the IP address of an interface leading to a virtual router when editing VSX NG AI, 

all manually defined routes to this Virtual Router will be deleted from the Virtual System and 

should to be re-entered manually. 

29. In VSX, the Phase 1 proposal for SecureClient is hardcoded. Therefore, changing the Phase 1 

encryption method is not reflected in the client. 

30. To avoid warning messages during policy installation, interfaces defined on a Virtual System or 

Virtual Router should be associated with a route. 

31. The number of interfaces that can be assigned to a Virtual System is limited to 64. 

32. When an VSX NG AI Virtual Device is created it is assigned a unique IP. If the unique IP is 

already in use, the operation will fail. To fix this problem cancel the operation and create the 

Virtual Device with a unique IP that is not being used. 

33. On Nokia platforms running VSX NG AI in a cluster configuration, an issue may arise when 

changing the VLAN interface on a Virtual Device. If the operation fails at some point, the 

change may be applied to some cluster members and not others. 

VSX ClusterXL 

34. To prevent a Virtual System in Bridge mode from creating loops in a clustered environment, a 

spanning tree protocol is required. 

35. All Virtual System interfaces in bridge mode must have the same VLAN ID. 


36. When creating a NG AI VSX cluster on IPSO, delete from the physical interfaces list any 

interfaces which are not VRRP enabled. Remove these “unused” interfaces when using the VSX 

Wizard or immediately afterwards. 

37. Encryption method AES128/MD5 is not supported for VPN. 



Documentation Feedback 

Check Point is engaged in a continuous effort to improve its documentation. Please help us by 

sending your comments to: 

cp_techpub_feedback@checkpoint.com

NGX R65 Release Notes - Check Point

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?