NGX R65 Release Notes - Check Point
Firewall
Authentication
19. Client Authentication will fail if the VPN-1 Power/UTM machine name is configured with the
wrong IP address in the hosts file.
20. Clientless VPN with the Action Client Auth is not supported if the web server object is in the
destination cell. The workaround is to add the gateway to the destination cell.
21. When using a SmartDirectory server for internal password authentication, if the account lockout
feature is disabled, the Firewall will not attempt to modify the user's login failed count and last
login failed attributes on the SmartDirectory server. This improves overall performance and
eliminates unnecessary SmartDirectory modify errors when using SmartDirectory servers that do
not have these attributes defined because the Check Point SmartDirectory schema extension
was not applied to them.
22. Issues may arise when using automatic or partially automatic client authentication for HTTP on
Load Sharing clusters (both ClusterXL and OPSEC clusters). A workaround is to define a
decision function based only on IP addresses in order for connections to open. For ClusterXL,
go to the ClusterXL tab > Load Sharing > Advanced, and select IPs only. For OPSEC clusters,
refer to the product documentation for more information.
23. Definition of nested RADIUS Server groups is not supported.
Security Servers
24. When a field in a URI specification file is too long, the Security server exits when trying to load
the file. Under load, the Firewall daemon (FWD) reloads the security server, which then exits.
After a certain time, core files are dumped.
25. Client authentication with agent automatic sign on is supported with all rules, with two
exceptions:
• Rules that use an HTTP resource.
• Rules where the destination is a web server.
26. When using SOAP filtering in the HTTP Security Server, the SOAP scheme file supports all
forms of namespaces and methods; however, the feature is not supported if a method has no
namespace at all.
Security
27. When using a URI resource to allow or restrict access to specific paths (by filling the path
field), it is recommended to use the regular expression [/\] instead of /. This expression
provides protection against Windows-style paths.
For example: instead of defining a path as /home/mydir/, define it as [/\]home[/\]mydir[/\].
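The effect of the separator class in item 27, shown as an added example that is not part of the Check Point release notes. It rewrites plain path fields into the recommended form and lists which constructed request paths only the rewritten form covers. The function names, the prefix-match semantics and the sample data are assumptions of this example; Python's re module writes the same class as [/\\].

```python
import re

CP_SEP = "[/\\]"     # the separator class exactly as the note writes it: [/\]
PY_SEP = r"[/\\]"    # the same class in Python's re syntax (backslash escaped)

def harden(path_field):
    """Rewrite a path field as item 27 recommends: every "/" becomes [/\\]."""
    return CP_SEP.join(path_field.replace(CP_SEP, "/").split("/"))

def compile_path(path_field):
    """Translate a path field into a Python regex matched from the start of the path.
    Assumption: only the [/\\] class is regex syntax, all other text is literal."""
    parts = path_field.split(CP_SEP)
    return re.compile(PY_SEP.join(re.escape(p) for p in parts))

def covered(path_field, request_path):
    return compile_path(path_field).match(request_path) is not None

def audit(path_fields, request_paths):
    """Map each field that needs rewriting to (rewritten field, requests it missed)."""
    report = {}
    for field in path_fields:
        fixed = harden(field)
        if fixed != field:
            missed = [r for r in request_paths
                      if covered(fixed, r) and not covered(field, r)]
            report[field] = (fixed, missed)
    return report

# Constructed sample data, not taken from any real rule base or log.
FIELDS = ["/home/mydir/", "[/\\]home[/\\]mydir[/\\]", "/cgi-bin/"]
REQUESTS = ["/home/mydir/a.txt", "\\home\\mydir\\a.txt", "/home\\mydir/a.txt",
            "/cgi-bin\\test", "/public/index.html"]

if __name__ == "__main__":
    for field, (fixed, missed) in audit(FIELDS, REQUESTS).items():
        print(f"{field} -> {fixed}; covered only after rewrite: {missed}")
```

Fields already written with the class are left out of the report, so the audit can be rerun after a rule base is corrected.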
Services
28. A service using the FTP_BASIC protocol type cannot be used with the FTP Security Server.
29. When using T.120 connections, make sure to manually add a rule that allows T.120
connections.
Stateful Inspection
30. Changing the "match for any" option in the MSNP service to "false" causes connectivity
problems after an upgrade in the following scenario:
Service X, other than the Microsoft Messenger protocol, was running on port 1863. No special rule
was defined for this service (for example, the service was permitted by a rule with "Any" in
the service column).
To resolve this issue, define a rule permitting the service, with X in the "service" column.
VPN-1/FireWall-1 NGX R65 Known Limitations Supplement. Last Update — February 4, 2008 5:37 pm