NGX R65 Release Notes - Check Point

More documents

Recommendations

Info

Firewall Authentication 19. Client Authentication will fail if VPN-1 Power/UTM machine name is configured with a wrong IP address in the hosts file. 20. Clientless VPN with the Action Client Auth is not supported if the web server object is in the destination cell. The workaround is to add the gateway to the destination cell. 21. When using SmartDirectory server for internal password authentication, if the account lockout feature is disabled the Firewall will not attempt to modify the user's login failed count and last login failed attributes on the SmartDirectory server. This improves overall performance and eliminates unnecessary SmartDirectory modify errors when using SmartDirectory servers that do not have these attributes defined because they did not apply the Check Point SmartDirectory schema extension on the SmartDirectory server. 22. Issues may arise when using automatic or partially automatic client authentication for HTTP on Load Sharing clusters (both ClusterXL and OPSEC clusters). A workaround is to define a decision function based only on IP addresses in order for connections to open. For ClusterXL, go to the ClusterXL tab > Load Sharing > Advanced, and select IPs only. For OPSEC clusters, refer to the product documentation for more information. 23. Definition of nested RADIUS Server groups is not supported. Security Servers 24. When a field in a URI specification file is too long, the Security server exits when trying to load the file. Under load, the Firewall daemon (FWD) reloads the security server, which then exits. After a certain time cores are dumped. 25. Client authentication with agent automatic sign on is supported with all rules, with two exceptions: • The rule must not use an HTTP resource. • Rules where the destination is a web server. 26. When using SOAP filtering in the HTTP Security Server, the SOAP scheme file supports all forms of namespaces and methods, however, the feature is not supported if a method has no namespace at all. Security 27. When using a URI resource to allow or restrict access to specific paths (by filling the path field), it is recommended to use the regular expression [/\] instead of / - this expression provides protection against Windows style paths. For example: instead of defining a path: /home/mydir/, define it as [/\]home[/\]mydir[/\]. Services 28. A service using the FTP_BASIC protocol type cannot be used with the FTP Security Server. 29. When using T.120 connections, make sure to manually add a rule that allows T.120 connections. Stateful Inspection 30. Changing the "match for any" option in the MSNP service to "false" it causes connectivity problems after an upgrade in the following scenario: Service X other than Microsoft Messenger protocol was running on port 1863. No special rule was defined for this service (for example, the service was permitted by a rule with "Any" in service column). To resolve this issue, define a rule permitting the service with X in the "service" column. VPN-1/FireWall-1 NGX R65 Known Limitations Supplement. Last Update — February 4, 2008 5:37 pm 18
Firewall 31. In a cluster environment, TCP state enforcement allows a server to respond with an ACK packet on a SYN packet (instead of SYN-ACK). Sequence Verification enforcement will be applied to all the traffic of the connection. Dynamically Assigned IP Address (DAIP) Modules 32. The fw tab command on a SmartCenter server is not supported. IPv6 33. In IPv6 logs, IPv6 address resolving is not supported in SmartView Tracker. 34. Due to the fact that IPv6 is not supported for security servers, enabling Configuration apply to all connections under SmartDefense's FTP Security Server settings causes FTP (as well as HTTP and SMTP) connections over IPv6 to be rejected, and no log is generated. 35. The command fw6 unload localhost unloads both IPv6 and IPv4 policies, although it should unload only the IPv6 policy. 36. The RSH protocol is not supported for IPv6. ISP Redundancy 37. ISP redundancy is not supported in a ClusterXL Different subnets configuration. This means the IP address of the cluster must be on the same subnet as the cluster members' real IP addresses. 38. In a ClusterXL configuration, the names of the external interfaces of all cluster members must be identical and must correspond in turn to the names of the external interfaces of the cluster object. For example, if the cluster object has two external interfaces called eth0 and eth1 which are connected to ISP-1 and ISP-2, respectively; each cluster member must have two external interfaces called eth0 and eth1 which should be connected to ISP-1 and ISP-2 respectively. Management 39. Defining network objects with names identical to a service is not supported. OPSEC 40. TCP resource with cvp group is not supported. Policy Installation 41. Check Point uses the notation starting with "SA_" for internal purposes. Defining objects with names starting with this string is not supported. 42. When installing policy on a cluster with a Layer 2 bridge defined, the installation may fail with the following error: Load on Module failed. To resolve this issue, do the following: 1. Set the environment variable FW_MANAGE_BRIDGE to 1 on the SmartCenter server. This is done by updating the files $CPDIR/tmp/.CPprofile.csh and CPDIR/tmp/.CPprofile.sh so that they include the environment variable FW_MANAGE_BRIDGE 1. 2. Install policy. 43. To install policy on NG enforcement modules via the command line, run the command fwm load from any directory other than $FWDIR/conf. 44. Policy installation may fail when there are 70 or more dynamic objects. VPN-1/FireWall-1 NGX R65 Known Limitations Supplement. Last Update — February 4, 2008 5:37 pm 19
Page 1 and 2: Check Point NGX R65 Known Limitatio
Page 3 and 4: ClusterXL ClusterXL In This Section
Page 5 and 6: ClusterXL 2. Performing an SNMP que
Page 7 and 8: ClusterXL Platform Specific — Sol
Page 9 and 10: ClusterXL 39. The following Web Int
Page 11 and 12: Endpoint Security Endpoint Security
Page 13 and 14: Endpoint Security 18. Endpoint Secu
Page 15 and 16: Eventia Suite 15. To upgrade a dist
Page 17: Firewall 5. The name of the install
Page 21 and 22: Firewall SecureClient 56. Policy in
Page 23 and 24: Provider-1/SiteManager-1 3. After u
Page 25 and 26: Provider-1/SiteManager-1 In additio
Page 27 and 28: Provider-1/SiteManager-1 SmartUpdat
Page 29 and 30: SecureXL SecureXL In This Section G
Page 31 and 32: SmartCenter Server SmartCenter Serv
Page 33 and 34: SmartCenter Server Policy Installat
Page 35 and 36: SmartPortal Platform Specific - Nok
Page 37 and 38: SmartUpdate Miscellaneous 11. When
Page 39 and 40: VPN VPN VPN Communities 1. When man
Page 41 and 42: VPN-1 Power VSX 27. When connecting

NGX R65 Release Notes - Check Point

Create successful ePaper yourself

Delete template?

Save as template?