NGX R65 Release Notes - Check Point

More documents

Recommendations

Info

ClusterXL member than the client-to-server side. Asymmetric connections are only opened when using VPN or static NAT. This is a temporary performance degradation that affects only a small percentage of traffic. 9. When installing a new policy that uses Sticky Decision Function (configured in SmartDashboard > Cluster Object > ClusterXL page > Advanced), and the old policy used the regular decision function, some connections may be lost, especially connections to or from the cluster members. New connections are unaffected. 10. After a failover, non-pivot members of a ClusterXL cluster in Unicast mode may report incorrect load distribution information. For the correct load distribution, review the information reported by the pivot member. 11. When using ClusterXL in Load Sharing mode and the Sticky Decision Function is enabled, the failure of a module within 40 seconds of an IKE negotiation may cause a connectivity failure with that peer for up to 40 seconds. • When the failure involves a PIX gateway, communications may be interrupted for up to 40 seconds. • When the failure involves an L2TP client, communications may be disconnected, as keepalive packets are blocked during this period. 12. traceroute may fail if it passes through a Load Sharing cluster. To resolve this issue, on the Cluster object, select ClusterXL > Advanced and in the Advanced Load Sharing Configuration window you should either: • select Use Sticky Decision Function, or • change the selection for Use sharing method based on: to IPs. Platform Specific — Nokia 13. Either Nokia VRRP or Nokia IP Clustering configuration must be used when creating a cluster based on an IPSO platform. Using other OPSEC Certified third party clustering products (such as OPSEC Certified external load balancers) to create a cluster based on IPSO platforms has limited support. Contact Check Point Support and receive configuration instruction and a list of associated limitations. 14. After configuring a gateway cluster on a Nokia platform via the Simple mode (wizard), be sure to complete the cluster interface definition on the Topology page of the cluster object. 15. The feature Connectivity enhancements for multiple interfaces is not supported on Nokia IP clustering in Forwarding mode. 16. NAT rules should not be applied to VRRP traffic. To prevent NAT rules from being applied to VRRP traffic, define the following manual NAT rule and give it higher priority than other NAT rules that relate to Cluster VIPs or to their networks: Original Packet Translated Packet Install On Source Destination Service Source Dest Service Physical IP of VRRP IP: 224.0.0.18 Any Original Original Original relevant cluster VRRP members 17. When configuring a Nokia IP Cluster, do not set the primary or secondary interfaces to Network Objective Private. Check Point recommends setting a Nokia IP Cluster’s primary interface to Network Objective Cluster, and its secondary interface to Network Objective Cluster or Sync. 18. The Get Topology operation supports up to 256 interfaces on Nokia platforms. To define more than 256 interfaces, you need to do so manually. VPN-1/FireWall-1 NGX R65 Known Limitations Supplement. Last Update — February 4, 2008 5:37 pm 6
ClusterXL Platform Specific — Solaris 19. When configuring virtual interfaces on Solaris GigaSwift interfaces, the ClusterXL product may not recognize the virtual interfaces in cases where no corresponding physical interface is defined. If the virtual interface is not recognized, it will not run a monitoring mechanism and eventually it will not perform failover. In order to make ClusterXL work properly on such virtual interfaces, the corresponding physical interface must be defined. For example, when a CE device with an instance of 0 is defined on the system, the /etc/hostname.ce0 file must be created and must contain some arbitrary IP address that will be assigned to the physical interface. 20. ClusterXL does not support defining VLANs on Solaris bge interfaces. 21. When configuring VLAN tags, set the IP address on the VLAN physical interface. If the physical (untagged) interface is not used, the IP address can be any IP address. For example: If the physical interface is ce1, and the VLAN interfaces are ce1001 and ce2001, then ce1 must also have an IP address. 22. ClusterXL in Unicast mode (Pivot) is not supported on Solaris when using VLAN tagging. 23. When using a Fujitsu GigEthernet NIC (fjgi and fjge interfaces) with Check Point Load Sharing (CPLS) multicast, packets can be received when the interface is set to promiscuous mode only. Platform Specific — Windows 24. On Windows platforms, when switching from High Availability Legacy to High Availability New Mode or Load Sharing, the CCP transport mode is set to broadcast instead of multicast. A workaround is to toggle the CCP mode via the following command on each cluster member: cphaconf set_ccp multicast. Policy Installation 25. When installing policy on a cluster with a Layer 2 bridge defined, the installation may fail with the following error: Load on Module failed. To resolve this issue, do the following: 1. Set the environment variable FW_MANAGE_BRIDGE to 1 on the SmartCenter server. This is done by updating the files $CPDIR/tmp/.CPprofile.csh and CPDIR/tmp/.CPprofile.sh so that they include the environment variable FW_MANAGE_BRIDGE 1. 2. Install policy. Security Servers 26. Security Servers are not supported with Sequence Verifier in Load Sharing cluster environments. Services 27. When using T.120 connections, make sure you manually add a rule that allows T.120 connections. VPN-1/FireWall-1 NGX R65 Known Limitations Supplement. Last Update — February 4, 2008 5:37 pm 7
Page 1 and 2: Check Point NGX R65 Known Limitatio
Page 3 and 4: ClusterXL ClusterXL In This Section
Page 5: ClusterXL 2. Performing an SNMP que
Page 9 and 10: ClusterXL 39. The following Web Int
Page 11 and 12: Endpoint Security Endpoint Security
Page 13 and 14: Endpoint Security 18. Endpoint Secu
Page 15 and 16: Eventia Suite 15. To upgrade a dist
Page 17 and 18: Firewall 5. The name of the install
Page 19 and 20: Firewall 31. In a cluster environme
Page 21 and 22: Firewall SecureClient 56. Policy in
Page 23 and 24: Provider-1/SiteManager-1 3. After u
Page 25 and 26: Provider-1/SiteManager-1 In additio
Page 27 and 28: Provider-1/SiteManager-1 SmartUpdat
Page 29 and 30: SecureXL SecureXL In This Section G
Page 31 and 32: SmartCenter Server SmartCenter Serv
Page 33 and 34: SmartCenter Server Policy Installat
Page 35 and 36: SmartPortal Platform Specific - Nok
Page 37 and 38: SmartUpdate Miscellaneous 11. When
Page 39 and 40: VPN VPN VPN Communities 1. When man
Page 41 and 42: VPN-1 Power VSX 27. When connecting

NGX R65 Release Notes - Check Point

Create successful ePaper yourself

Delete template?

Save as template?