NGX R65 Release Notes - Check Point
ClusterXL
SmartConsole
28. When working with a 3rd party cluster object with QoS, if you move from the Topology tab to a
different tab, the following error message appears: “No interface was activated in QoS tab for this
host (Inbound or Outbound). Do you want to continue?” Select Yes and continue your operation.
This error message can be safely ignored.
29. SmartUpdate shows cluster members as distinct gateways without the common cluster entity.
When cluster members are not of the same version, applying Get Check Point Gateway Data on a
cluster member will set the member's version on the cluster object. To set the version of the
cluster correctly, apply the Get Check Point Gateway Data command to the cluster member with
the latest version.
30. If two or more interfaces on the same cluster member share the same IP address and Net Mask
(as might occur when defining bridge interfaces), only one interface will be displayed in the
Topology tab in SmartDashboard. To manage interfaces with the same IP address and Net
Mask, use the GuiDBedit tool.
31. When using ClusterXL in High Availability Legacy mode, the Network Objective is set
automatically to Cluster if all of the members' interfaces on that network have the same IP
address and netmask. Changing the Network Objective to a different setting will, in this case, be
overridden by the system, and change back to Cluster after clicking OK.
32. When deleting a network via the Topology page (Cluster Object > Properties > Topology > Edit
Topology), selecting Name or IP address of one of the interfaces and then clicking Remove
results in the following error message: “Please select an interface.” In order to remove a
whole network, remove all the interfaces (members and cluster) and click OK.
State Synchronization
33. A cluster member will stay in the down state if it is detached and then reattached to the
cluster, as it does not automatically perform a full sync upon reattachment. To force a full sync,
run the following commands on the module: fw ctl setsync off and fw ctl setsync start.
34. Upon completion of full synchronization (Full sync), the error message “State synchronization is in
risk” is displayed on the cluster member on which the synchronization is taking place. If this
message occurs only once immediately following Full sync, it can be safely ignored. If this
message appears erratically, consult the section Blocking New Connections Under Load in the
ClusterXL user guide.
Unsupported Features
35. Cluster deployments automatically hide the IP address of the cluster members behind a virtual
IP address. If you manually add NAT rules that contradict this configuration, the manually
added NAT rules take precedence. For details, see the “ClusterXL Advanced Configuration”
chapter of the ClusterXL Guide.
36. TCP connections inspected by Web Intelligence or VoIP Application Intelligence features will
not survive failover. In the event of failover, these connections will be reset.
37. The compatibility matrix for third party clustering solutions (other than Nokia) is specified in
the following link: http://www.opsec.com/solutions/perf_ha_load_balancing.html. If a certain
third party solution is not specifically written as being supported for this release, you must
assume it is currently not supported. For Nokia clustering (VRRP or IP Clustering), see the
Check Point Software and Hardware Compatibility section of the ClusterXL guide for information
regarding which IPSO release is supported with this VPN-1 release.
38. Mounting an NFS drive on a cluster member is not supported, as hide NAT changes the IP
address of the cluster member, and the server cannot resolve the resulting mismatch.
VPN-1/FireWall-1 NGX R65 Known Limitations Supplement. Last Update — February 4, 2008 5:37 pm