NGX R65 Release Notes - Check Point

ClusterXL
SmartConsole
28. When working with a 3rd party cluster object with QoS, if you move from the Topology tab to a
different tab, the following error message appears: No interface was activated in QoS tab for this
host (Inbound or Outbound). Do you want to continue? Select Yes and continue your operation.
This error message can be safely ignored.
29. SmartUpdate shows cluster members as distinct gateways without the common cluster entity.
When cluster members are not of the same version, applying Get Check Point Gateway Data on a
cluster member will set the member's version on the cluster object. To set the version of the
cluster correctly, apply the Get Check Point Gateway Data command to the cluster member with
the latest version.
30. If two or more interfaces on the same cluster member share the same IP address and Net Mask
(as might occur when defining bridge interfaces), only one interface will be displayed in the
Topology tab in SmartDashboard. To manage interfaces with the same IP address and Net
Mask, use the GuiDBedit tool.
31. When using ClusterXL in High Availability Legacy mode, the Network Objective is set
automatically to Cluster if all of the members' interfaces on that network have the same IP
address and netmask. Changing the Network Objective to a different setting will, in this case, be
overridden by the system, and change back to Cluster after clicking OK.
32. When deleting a network via the Topology page (Cluster Object > Properties > Topology > Edit
Topology), selecting Name or IP address of one of the interfaces and then clicking Remove
results in the following error message: Please select an interface. In order to remove a
whole network, remove all the interfaces (members and cluster) and click OK.
State Synchronization
33. A cluster member will stay in the down state if it is detached and then reattached to the
cluster, as it does not automatically perform a full sync upon reattachment. To force a full sync,
run the following commands on the module: fw ctl setsync off and fw ctl setsync start.
34. Upon completion of full synchronization (Full sync), an error message State synchronization is in
risk, is displayed on the cluster member on which the synchronization is taking place. If this
message occurs only once immediately following Full sync, it can be safely ignored. If this
message appears erratically, consult the ClusterXL user guide in the section Blocking New
Connections Under Load.
Unsupported Features
35. Cluster deployments automatically hide the IP address of the cluster members behind a virtual
IP address. If you manually add NAT rules that contradict this configuration, the manually
added NAT rules take precedence. For details, see the “ClusterXL Advanced Configuration”
chapter of the ClusterXL Guide.
36. TCP connections inspected by Web Intelligence or VoIP Application Intelligence features will
not survive failover. On the event of failover these connections will be reset.
37. The compatibility matrix for third party clustering solutions (other than Nokia) is specified in
the following link: http://www.opsec.com/solutions/perf_ha_load_balancing.html. If a certain
third party solution is not specifically written as being supported for this release, you must
assume it is currently not supported. For Nokia clustering (VRRP or IP Clustering), see the
Check Point Software and Hardware Compatibility section of the ClusterXL guide for information
regarding which IPSO release is supported with this VPN-1 release.
38. Mounting an NFS drive on a cluster member is not supported, as hide NAT changes the IP
address of the cluster member, and the server cannot resolve the resulting mismatch.
VPN-1/FireWall-1 NGX R65 Known Limitations Supplement. Last Update — February 4, 2008 5:37 pm 8