NGX R65 Release Notes - Check Point

More documents

Recommendations

Info

ClusterXL 6. A cluster IP interface or a synchronization network interface cannot be defined as a non-monitored (i.e., disconnected) interface. 7. Acceleration is not supported when using ClusterXL Load Sharing with Sticky Decision Function (SDF). When SDF is enabled, acceleration is automatically turned off. To re-enable acceleration, first make sure acceleration is enabled by running the cpconfig configuration tool. Then disable SDF (in SmartDashboard, edit the Gateway Cluster object, select the ClusterXL page, and click Advanced), and install the new Security Policy twice. Installing the Security Policy twice is also required when moving from ClusterXL Load Sharing with SDF to ClusterXL High Availability when acceleration is turned on. 8. When defining VLAN tags on an interface, cluster IP addresses can be defined only on the VLAN interfaces (the tagged interfaces). Defining a cluster IP address on a physical interface that has VLANs is not supported. The physical interface should be defined with the Network Objective Monitored Private on ClusterXL clusters and as Private on third-party clusters. 9. When setting an interface whose current Network Objective is Sync to Non-Monitored Private, and setting another interface's Network Objective to Sync and installing policy, the status of the cluster members will change to Active Attention and Down. To avoid this issue, make this configuration change in two phases. 1. Set the interface with the Network Objective of Sync to Monitored Private (instead of Non-Monitored), and the other interface’s Network Objective to Sync and install policy. 2. Reconfigure the Monitored Private interface to Non-Monitored and install policy again. 10. When defining a Sync interface on a VLAN interface, it can only be defined on the lowest VLAN tag on a physical interface. 11. Defining the lowest VLAN tag on a physical interface as disconnected (Non-Monitored Private) is not supported. 12. Defining a Sync interface on a VLAN interface is not supported on Nokia clusters and on other third party clusters. 13. A cluster object must contain two or more gateways. If configuring only one gateway, do not configure a cluster. ConnectControl 14. The Server Load balance method is not supported. 15. The Domain balance method is not supported for Logical Servers. 16. If a Logical server is configured to have an IP address that belongs to the external network of the gateway, no Automatic Proxy ARP is configured on the gateway to the IP address of the Logical server. As a result there is no communication to the Logical server from external hosts. To resolve this issue, manually configure Proxy ARP using the file $FWDIR/conf/local.arp. See "Automatic Proxy ARP" in the ClusterXL User Guide for local.arp file configuration instructions. 17. Logical Servers are not supported in conjunction with Security Servers. 18. When configuring Server Availability for ConnectControl (SmartDashboard > Policy menu > Global Properties > ConnectControl), the value for the Server availability check interval must be a multiple of 5 and no less than 15. General 1. In certain cases, installing policy on a cluster member may cause its state to change and a failover may subsequently occur. To prevent this situation, modify the firewall global parameter fwha_freeze_state_machine_timeout. This parameter sets the number of seconds during policy installation in which no state changes (including the "false" failover) will occur. Set this parameter to the shortest period which eliminates the issue; the recommended value is 30 seconds. VPN-1/FireWall-1 NGX R65 Known Limitations Supplement. Last Update — February 4, 2008 5:37 pm 4
ClusterXL 2. Performing an SNMP query on both the cluster’s IP address as well as on the members’ IP addresses concurrently, is not supported. The SNMP query can only be run on one or the other at time. Alternatively, you can wait for the UDP virtual session timeout between the SNMP queries on the different IP addresses. This timeout has a 40 second default, and can be defined in Global Properties > Stateful Inspection. High Availability 3. In legacy High Availability mode for ClusterXL, MAC address synchronization is not supported for VLAN tagged interfaces. Use new High Availability mode, or manually configure the MAC addresses of the interfaces using the ifconfig CLI or WebUI. 4. Issuing a Stop Member command in SmartView Monitor performs the cphastop command on this member. Among other things, this disables the State Synchronization mechanism. Any connections opened while the member is stopped will not survive a failover event, even if the member is restarted using cphastart. However, connections opened after the member is restarted are synchronized as normal. ISP Redundancy 5. In a ClusterXL ISP Redundancy configuration, the names of the external interfaces of all cluster members must be identical and must correspond in turn to the names of the external interfaces of the cluster object. For example, if the cluster object has two external interfaces called eth0 and eth1 which are connected to ISP-1 and ISP-2, respectively; each cluster member must have two external interfaces called eth0 and eth1 which should be connected to ISP-1 and ISP-2 respectively. Load Sharing 6. Under load, tcp packet out of state error messages may appear. For each case there is a specific way to resolve it. Refer to the “Firewall and SmartDefense” guide for a full explanation and security implications. • message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-ACK message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-PUSH-ACK In SmartDashboard > Global Properties > Stateful Inspection, enlarge tcp end timeout. The recommended value is 60 seconds. If there are many connections consider enlarging the connection table size in the same ratio as the tcp end timeout. • message_info: SYN packet for established connection run the command: fw ctl set int fw_trust_rst_on_port When a single port is not enough, you can set the port number to -1, meaning that you trust a reset from every port. • For other out of state messages: run the command: fw ctl set int fwconn_merge_all_syncs 1. This allows a more reliable way of merging TCP states across asymmetric connections. 7. When employing SecurID for authentication, it is recommended to define each cluster member with its own unique (internal) IP address separately on the ACE/Server. In addition, to send packets to the ACE/Server with their unique IP addresses and not the VIP address, edit the file table.def, located in $FWDIR/lib. Change the line starting with no_hide_services_ports to, for example, no_hide_services_ports = {}, where 5500 is the service port and 17 (UDP) is the protocol. 8. For the first few seconds of an asymmetric connection, server-to-client packets are not accelerated. An asymmetric connection, such as an FTP data connection through an accelerated ClusterXL cluster, is where the server-to-client side is handled by a different VPN-1/FireWall-1 NGX R65 Known Limitations Supplement. Last Update — February 4, 2008 5:37 pm 5
Page 1 and 2: Check Point NGX R65 Known Limitatio
Page 3: ClusterXL ClusterXL In This Section
Page 7 and 8: ClusterXL Platform Specific — Sol
Page 9 and 10: ClusterXL 39. The following Web Int
Page 11 and 12: Endpoint Security Endpoint Security
Page 13 and 14: Endpoint Security 18. Endpoint Secu
Page 15 and 16: Eventia Suite 15. To upgrade a dist
Page 17 and 18: Firewall 5. The name of the install
Page 19 and 20: Firewall 31. In a cluster environme
Page 21 and 22: Firewall SecureClient 56. Policy in
Page 23 and 24: Provider-1/SiteManager-1 3. After u
Page 25 and 26: Provider-1/SiteManager-1 In additio
Page 27 and 28: Provider-1/SiteManager-1 SmartUpdat
Page 29 and 30: SecureXL SecureXL In This Section G
Page 31 and 32: SmartCenter Server SmartCenter Serv
Page 33 and 34: SmartCenter Server Policy Installat
Page 35 and 36: SmartPortal Platform Specific - Nok
Page 37 and 38: SmartUpdate Miscellaneous 11. When
Page 39 and 40: VPN VPN VPN Communities 1. When man
Page 41 and 42: VPN-1 Power VSX 27. When connecting

NGX R65 Release Notes - Check Point

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?