NGX R65 Release Notes - Check Point

More documents

Recommendations

Info

ClusterXL 46. Peer or secure remote gateways may show error messages when working against an overloaded gateway cluster in Load Sharing mode. This is due to IPsec packets with an old replay counter. These error messages can be safely ignored. 47. Using Sticky Decision Function with VPN features will guarantee connection stickiness for connections that pass through the cluster only, and not to connections originating from a cluster member or to it. 48. When a Check Point VPN-1 NGX peer is connected directly to a Check Point cluster (i.e., the peer and the cluster are located on the same VLAN and there is no Layer 3 (IP) routing device between them), the following features are not supported: • ISP Redundancy • VPN link selection - Reply from same interface This issue can be resolved either by placing a router between the VPN peer and the cluster, or by disabling these features. (Neither feature is enabled by default.) • To disable ISP redundancy, in SmartDashboard edit the gateway object > Topology > ISP Redundancy, and remove the check mark from Support ISP Redundancy. • To disable VPN link selection - Reply from the same interface, in SmartDashboard edit the gateway object > VPN > Link Selection > Outgoing Route Selection, and do the following: A. Under When initiating a tunnel, enable Operating system routing table, B. and under When responding to remotely initiated tunnel, select Setup, and enable Use outgoing traffic configuration. 49. When configuring a VTI cluster interface, it should be assigned a name identical to the name of the member interface. VPN-1/FireWall-1 NGX R65 Known Limitations Supplement. Last Update — February 4, 2008 5:37 pm 10
Endpoint Security Endpoint Security In This Section Server Installation, Upgrade, and Backward Compatibility page 11 Client Installation, Upgrade, and Backward Compatibility page 11 Integration page 11 Logging, Alerts, and Errors page 12 Localization and Special Characters page 12 Gateways and Third Party Product Integrations page 12 Miscellaneous page 13 Server Installation, Upgrade, and Backward Compatibility 1. By default, VPN-1/FireWall-1 and the Check Point SecurePlatform administration interface both use port 443 for SSL communication. If you plan to run VPN-1/FireWall-1 on SecurePlatform, change the SecurePlatform SSL to a different port during the operating system installation. Do not change the VPN-1/FireWall-1 default port, as this is not supported. 2. Normally, after installing the VPN-1/FireWall-1, answering “Y” to the message “Would you like to start VPN-1/FireWall-1 after exiting?” starts VPN-1/FireWall-1. If this does not work, type cpstop and cpstart (or, with Provider-1 setup, type mdsstop and mdsstart) to successfully start VPN-1/FireWall-1. Client Installation, Upgrade, and Backward Compatibility 3. Clients cannot download packages from an external source when they are restricted. If the client becomes restricted due to a client Enforcement rule, and the rule specifies an upgrade package on an external URL, the client may not be able to download the external package. This can occur even if the external URL is actually the same as an VPN-1/FireWall-1. A workaround is to upgrade using the Upgrade package from VPN-1/FireWall-1 option rather than upgrading from an external URL. Integration 4. If you see an unexpected error when logging into VPN-1/FireWall-1 with your SmartCenter administrator credentials, it may be because your SmartCenter license has expired or become invalid. If you are running VPN-1/FireWall-1 together with SmartCenter (either on the same host or on separate hosts), and your SmartCenter license expires or becomes invalid, you are not able to log on to VPN-1/FireWall-1 using your SmartCenter administrator credentials. This occurs whether you are trying to log on to VPN-1/FireWall-1 directly or through SmartDashboard. Use the cplic command to check the status of your SmartCenter license, and if necessary, set a new SmartCenter license. (For information on cplic, see the Check Point Command Line Interface Guide.) Even if your SmartCenter license is invalid, however, you can log in to VPN-1/FireWall-1 using your VPN-1/FireWall-1 administrator credentials. 5. If you are setting up a distributed installation (in which VPN-1/FireWall-1 and SmartCenter run on separate hosts), VPN-1/FireWall-1 does not automatically synchronize with SmartCenter. To synchronize VPN-1/FireWall-1 with SmartCenter, restart VPN-1/FireWall-1 after you install and configure SmartCenter, install the database, and establish secure internal communication (SIC). 6. If you are setting up a distributed installation (one in which VPN-1/FireWall-1 and SmartCenter run on separate hosts), changing the logging settings to store VPN-1/FireWall-1 logs locally will result with an authentication error on every attempt to view logs from within VPN-1/FireWall-1. In this configuration, you can view the logs with SmartView Tracker or Smart Portal. VPN-1/FireWall-1 NGX R65 Known Limitations Supplement. Last Update — February 4, 2008 5:37 pm 11
Page 1 and 2: Check Point NGX R65 Known Limitatio
Page 3 and 4: ClusterXL ClusterXL In This Section
Page 5 and 6: ClusterXL 2. Performing an SNMP que
Page 7 and 8: ClusterXL Platform Specific — Sol
Page 9: ClusterXL 39. The following Web Int
Page 13 and 14: Endpoint Security 18. Endpoint Secu
Page 15 and 16: Eventia Suite 15. To upgrade a dist
Page 17 and 18: Firewall 5. The name of the install
Page 19 and 20: Firewall 31. In a cluster environme
Page 21 and 22: Firewall SecureClient 56. Policy in
Page 23 and 24: Provider-1/SiteManager-1 3. After u
Page 25 and 26: Provider-1/SiteManager-1 In additio
Page 27 and 28: Provider-1/SiteManager-1 SmartUpdat
Page 29 and 30: SecureXL SecureXL In This Section G
Page 31 and 32: SmartCenter Server SmartCenter Serv
Page 33 and 34: SmartCenter Server Policy Installat
Page 35 and 36: SmartPortal Platform Specific - Nok
Page 37 and 38: SmartUpdate Miscellaneous 11. When
Page 39 and 40: VPN VPN VPN Communities 1. When man
Page 41 and 42: VPN-1 Power VSX 27. When connecting

NGX R65 Release Notes - Check Point

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?