Check Point® NG with Application Intelligence R55W
HFA_R55W_04
Release Notes
September 19, 2005

IMPORTANT
Check Point recommends that customers stay up-to-date with the latest
service packs, HFAs and versions of security products, as they contain
security enhancements and protection against new and changing attacks.

In This Section

Introduction page 1
Security Enhancements page 2
Supported Versions, Platforms and Builds page 2
Installation page 6
Uninstallation page 8
Resolved Issues in HFA_R55W_04 page 9
Issues Resolved in Previous HFAs page 10
Special Instructions page 14
Known Limitations page 17

Introduction
Thank you for using Check Point NG with Application Intelligence (R55W) Hotfix
Accumulator HFA_R55W_04. This Hotfix Accumulator is a recommended Hotfix, which
contains fixes for SVN Foundation, VPN-1/FireWall-1 and SecurePlatform. Check Point
highly recommends that customers stay up-to-date with the latest service packs, HFAs, and
versions of security products, as they contain security enhancements and protection against
new and changing attacks.
Make sure that you read this document carefully before installing NG with Application
Intelligence R55W, HFA_R55W_04 on your system. It is also recommended to read the
Check Point NG with Application Intelligence R55W User documentation.
This Hotfix Accumulator may also contain fixes that require the user to perform manual
modifications.
What’s New in this version
FireWall-1
• Services - TKEY and TSIG resource records are now supported.
• Acceleration - SecureXL templates for connections going to known web servers are
now enabled.
SecurePlatform
• The system clock is updated automatically after a daylight savings event. See Special
Instructions: R55W_04.
Security Enhancements
ICMP attacks against TCP - NISCC advisory (532967/ICMP) describes a potential attack
against TCP that is based on the Internet Control Message Protocol (ICMP). If exploited,
this vulnerability could allow an attacker to initiate a Denial of Service against existing
TCP connections, which may result in premature session termination. For more
information about the vulnerability, see the NISCC advisory.
While Check Point products are not vulnerable to this issue, other network devices may
require this protection. By upgrading to the latest HFAs offered by Check Point, you can
ensure that all vulnerable devices are properly secured. See Special Instructions: “ICMP
attacks against TCP” on page 14.
Supported Versions, Platforms and Builds
In This Section

Supported Versions page 2
Supported Platforms page 3
Currently Supported Builds page 6
Supported Builds History page 6

Supported Versions
• The HFA_R55W_04 must be installed on top of NG with Application Intelligence
(R55W).

Check Point NG with Application Intelligence R55W (HFA_R55W_04) Release Notes. Last Update — September 19, 2005 2
Supported Platforms

TABLE 1 Supported Platforms

Products covered by the table (the original shows a check mark for each product on every
platform listed below):
• SVN Foundation and VPN-1 Pro module
• SVN Foundation and VPN-1 Pro module & SmartCenter Server (standalone)

Solaris (see note 2):
• Solaris 8 UltraSPARC, 32 bit and 64 bit
• Solaris 9 UltraSPARC, 64 bit only

Windows:
• Server 2003
• 2000 Advanced Server (SP1, SP2, SP3, SP4)
• 2000 Server (SP1, SP2, SP3, SP4)

Red Hat Linux:
• 7.3 (Kernel 2.4.18.27), see Note 4
• 7.3 (Kernel 2.4.20), see Note 4
• 7.3 (Kernel 2.4.18.5), see Note 3
• 7.2 (Kernel 2.4.9.31), see Note 3

Check Point SecurePlatform: supported

IPSO:
• 3.7.1 (see notes 6, 7 and 8)
• 3.7 (see notes 6 and 7)
• 3.9

Notes to Supported Platforms Tables


1) The minimum screen resolution for Check Point’s SmartConsole is 800x600. Lower
resolutions are not supported. Only standard installations of the above platforms are
supported.
2) Both patches and packages are required for Solaris 8 and 9 as follows:
Required Solaris Packages
• SUNWlibc
• SUNWlibCx
• SUNWter
• SUNWadmc
• SUNWadmfw

Required Solaris Patches
Solaris 8: the following patches (or newer) are required on Solaris 8 UltraSPARC
platforms:
• 108528-17
• 110380-03
• 113652-01 (Note - 113652-01 is required only if 108528-17 is installed. For anything
higher than 108528-17, 113652-01 is already included.)
• 109147-18
• 109326-07
• 32 bit: 108434-01
• 64 bit: 108435-01

Solaris 9: the following patches (or newer) are required on Solaris 9 UltraSPARC
platforms:
• 112902-07

To verify that you have these patches installed use the command:
showrev -p | grep <patch number>

The patches can be downloaded from: http://sunsolve.sun.com. Install the 32-bit patches
before installing 64-bit patches.
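A script that performs the patch check above, added here as an example and not a Check Point tool: it parses the output of showrev -p, compares each installed revision with the minimums listed for Solaris 8 and 9 (a newer revision of the same patch base number is acceptable), and applies the 113652-01 rule, which is required only when exactly 108528-17 is installed. The "Patch: NNNNNN-RR ..." line layout and the sample output are constructed for the example; treating a 64-bit host as needing both the 32-bit and the 64-bit patch follows the instruction to install 32-bit patches first and is an assumption.

```python
import re
from typing import Dict, List

# Minimum patch revisions from note 2 (a newer revision of the same base number is fine).
SOLARIS8_REQUIRED = {"108528": 17, "110380": 3, "109147": 18, "109326": 7}
SOLARIS8_32BIT_PATCH = ("108434", 1)
SOLARIS8_64BIT_PATCH = ("108435", 1)
SOLARIS9_REQUIRED = {"112902": 7}

# One "Patch: NNNNNN-RR ..." line per installed patch, as printed by `showrev -p`
# (line layout assumed for this example).
PATCH_LINE = re.compile(r"^Patch:\s+(\d{6})-(\d{2})\b")


def installed_patches(showrev_output: str) -> Dict[str, int]:
    """Map each installed patch base number to its highest installed revision."""
    found: Dict[str, int] = {}
    for line in showrev_output.splitlines():
        m = PATCH_LINE.match(line.strip())
        if m:
            base, rev = m.group(1), int(m.group(2))
            found[base] = max(rev, found.get(base, 0))
    return found


def missing_patches(showrev_output: str, release: str, arch: str) -> List[str]:
    """Return required patches that are absent or below the minimum revision.

    release is "8" or "9"; arch is "32" or "64" (only consulted for Solaris 8).
    """
    installed = installed_patches(showrev_output)
    if release == "9":
        required = dict(SOLARIS9_REQUIRED)
    else:
        required = dict(SOLARIS8_REQUIRED)
        # The notes say to install the 32-bit patches before the 64-bit ones, so this
        # check assumes a 64-bit host needs both 108434-01 and 108435-01 (assumption).
        required[SOLARIS8_32BIT_PATCH[0]] = SOLARIS8_32BIT_PATCH[1]
        if arch == "64":
            required[SOLARIS8_64BIT_PATCH[0]] = SOLARIS8_64BIT_PATCH[1]
        # 113652-01 is required only when exactly 108528-17 is installed;
        # anything higher than 108528-17 already includes it.
        if installed.get("108528") == 17:
            required["113652"] = 1

    missing: List[str] = []
    for base, min_rev in sorted(required.items()):
        have = installed.get(base)
        if have is None:
            missing.append(f"{base}-{min_rev:02d}")
        elif have < min_rev:
            missing.append(f"{base}-{min_rev:02d} (installed {base}-{have:02d})")
    return missing


# Constructed `showrev -p` output for a Solaris 8 host: one patch is one revision
# too old, the 64-bit patch is absent, and 108528 is at exactly -17.
SAMPLE_SHOWREV = """\
Patch: 108528-17 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 110380-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109147-18 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109326-06 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 108434-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWlibC
"""

if __name__ == "__main__":
    # On a real host: missing_patches(subprocess.run(["showrev", "-p"], ...).stdout, "8", "64")
    for item in missing_patches(SAMPLE_SHOWREV, release="8", arch="64"):
        print("missing:", item)
```

Run against the sample, the report names 108435-01 (absent), 109326-07 (installed revision 06 is too old) and 113652-01 (needed because 108528 is exactly at -17); bumping 108528 to a later revision removes the 113652-01 requirement.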
3) Installation on Red Hat Linux 7.2 requires kernel version 2.4.9-31, which fixes critical
security issues in the Linux kernel. This kernel is not distributed with Red Hat Linux
7.2 by default. Download from:
http://ftp.redhat.com/pub/redhat/support/enterprise/isv/kernel-archive/7.2/2.4.9-31/
For Red Hat kernel installation instructions, visit:
http://www.redhat.com/support/resources/howto/kernel-upgrade/s1-upgrade.html

4) Installation on Red Hat Linux 7.3 requires kernel version 2.4.18-5. This kernel is not
distributed with Red Hat Linux 7.3 by default. The released version of the 2.4.18-5
kernel contains a remote denial of service vulnerability in the TCP/IP stack. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0244 to this issue. Further details are available at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0244
Check Point recommends installing a 2.4.18-5 kernel that contains a fix for this
vulnerability. This kernel is available for download at the following locations:
kernel sources:
http://www.checkpoint.com/support/downloads/bin/vpn_des/firewall1/r54/linux/2.4.18-5/kernel-2.4.18-5.ckp.src.zip
i386:
kernel-2.4.18-5.ckp.i386.rpm
http://www.checkpoint.com/support/downloads/bin/vpn_des/firewall1/r54/linux/2.4.18-5/kernel-2.4.18-5.ckp.i386.rpm
i586:
kernel-2.4.18-5.ckp.i586.rpm
http://www.checkpoint.com/support/downloads/bin/vpn_des/firewall1/r54/linux/2.4.18-5/kernel-2.4.18-5.ckp.i586.rpm
kernel-smp-2.4.18-5.ckp.i586.rpm
http://www.checkpoint.com/support/downloads/bin/vpn_des/firewall1/r54/linux/2.4.18-5/kernel-smp-2.4.18-5.ckp.i586.rpm
i686:
kernel-2.4.18-5.ckp.i686.rpm
http://www.checkpoint.com/support/downloads/bin/vpn_des/firewall1/r54/linux/2.4.18-5/kernel-2.4.18-5.ckp.i686.rpm
kernel-smp-2.4.18-5.ckp.i686.rpm
http://www.checkpoint.com/support/downloads/bin/vpn_des/firewall1/r54/linux/2.4.18-5/kernel-smp-2.4.18-5.ckp.i686.rpm
For Red Hat kernel installation instructions, visit:
http://www.redhat.com/support/resources/howto/kernel-upgrade/s1-upgrade.html
5) The asterisk (*) beside the x in this column indicates that the product is Windows 2000
Professional SP3 compatible.
6) SmartConsole Clients that are not supported on Solaris 8 UltraSPARC
(32-bit and 64-bit) include: SmartView Reporter, SmartView Monitor, SmartLSM and
the SecureClient Packaging Tool.
7) For the latest Nokia platforms consult the Nokia web site at: http://www.nokia.com
or https://support.nokia.com.
8) SmartUpdate supports managing licenses but does not support managing products from
a Nokia SmartCenter Server.
Supported Platforms' Language Testing
Check Point's SmartCenter and Gateway products are supported on all language versions of
our supported operating systems but are fully tested only on the American English versions
of most operating systems. In the unlikely event that you encounter any incorrect software
behavior on alternate languages, open a service request with Check Point's Technical
Support team:
http://support.checkpoint.com/kb
The rx Library
Version NG with Application Intelligence R55W uses the rx library. You can download the
library license agreement (LGPL) from:
http://www.checkpoint.com/techsupport/downloads/docs/firewall1/r55/GNU_LGPL.pdf

Currently Supported Builds
HFA_R55W_04 consists of the following builds:

Component: SVN Foundation
Build Number: 550011003
Comment: The output of cpshared_ver should be:
This is Check Point SVN Foundation (R) NG with Application Intelligence (R55W)
Hotfix 011 - Build 003

Component: FireWall-1 & Kernel
Build Number: 550011004
Comment: The output of fw ver -k should be:
This is Check Point VPN-1(TM) & FireWall-1 (R) NG with Application Intelligence (R55W),
Hotfix 011 - Build 004

Supported Builds History

The following table displays the build history from the first to the latest HFA:

HFA/Component          SVN Foundation   FireWall-1 & Kernel
HFA_R55W_04 (Current)  550011003        550011004
HFA_R55W_03            550001011        550001014
HFA_R55W_02            550006002        550006003
HFA_R55W_01            541334007        541334002

Installation
General Installation Considerations
• This HFA should be installed both on Security Gateways and SmartCenter Servers
• HFA_R55W_04 can safely be installed on:
• Security Gateways that are managed by SmartCenter Server or Provider-1 of version
NG with Application Intelligence R55 and R55W management add-on.
• Security Gateways and SmartCenter Servers (Standalone) of version NG with
Application Intelligence R55W General Availability (GA).
• In the R55 SmartCenter Server configuration with R55W add-on, there is NO need to
install this HFA. Instead, you should install the R55 HFA 12 (or above) to provide the
required fixes.
• Before installing HFA_R55W_04, make sure that version NG with Application
Intelligence (R55W) is installed and configured on your machine.

• Installing HFA_R55W_04 overrides any current support Hotfix that has been applied
to version NG with Application Intelligence (R55W).
• It is recommended to read the ClusterXL Guide prior to applying the HFA in a cluster
environment.
• It is recommended to manually back up the FWDIR and CPDIR directories of the SVN
Foundation and FireWall-1 products before installing HFA_R55W_04.
The directories can be accessed as follows:
• Windows: cd %FWDIR% and cd %CPDIR%
• Other platforms: cd $FWDIR and cd $CPDIR

Installation on Different Platforms

In This Section

Windows page 7
IPSO, Solaris, Linux and SecurePlatform page 7
Remotely Installing Using SmartUpdate page 8

Windows
The package SHF_HFA_R55W.win32.zip consists of the following components:
• Install_hfa.bat
• Files/cpshared_550011003_1.tgz
• Files/fw1_550011004_1.tgz

1 Extract the package to a temporary directory.
2 Stop the Firewall processes by executing cpstop. In a cluster configuration, execute
cphastop as well.
3 Execute the install_hfa.bat batch file in order to start the installation.
4 When the installation is complete, reboot the machine.
5 Install the Security Policy.

IPSO, Solaris, Linux and SecurePlatform
The package SHF_HFA_R55W_04<platform name>.tgz consists of the following
components:
• Install_hfa
• Uninstall_hfa
• files/cpshared_HOTFIX_HFA_R55W_04.tgz
• files/fw1_HOTFIX_HFA_R55W_04.tgz
• files/others…(specific OS files)

1 Extract the package to a temporary directory.
2 Stop the Firewall processes by executing cpstop. In a cluster configuration, execute
cphastop as well.
3 Execute the install_hfa script in order to start the installation.
4 When the installation is complete, reboot the machine.
5 Install the Security Policy.


Remotely Installing Using SmartUpdate
Before using SmartUpdate, make sure that there is enough free disk space on the
SmartCenter Server; approximately 140MB is required. This feature is available only for
SVN Foundation and VPN-1 Pro.
To use SmartUpdate, HFA_R55W_04 must be installed on the SmartCenter Server (mgmt)
prior to adding HFA_R55W_04 to the products repository.
1 Install HFA_R55W_04 on the SmartCenter Server.
2 Extract the SHF_HFA_R55W_04.tgz file to a temporary directory. The extract operation
creates two separate packages, one for SVN Foundation
(cpshared_HOTFIX_HFA_R55W_04.tgz) and one for Firewall
(fw1_HOTFIX_HFA_R55W_04.tgz). The next step is to add these packages to the
SmartUpdate repository.
3 Open the SmartUpdate SmartConsole.
4 Add ..\files\cpshared_HOTFIX_HFA_R55W_04.tgz to the SmartUpdate repository.
5 Add ..\files\fw1_HOTFIX_HFA_R55W_04.tgz to the SmartUpdate repository.
6 Select the target object and install the version NG with Application Intelligence
HFA_R55W_04 packages, starting with the SVN Foundation package, followed by the
Firewall package.
7 Installation of HFA_R55W_04 should be applied to a single package at a time. The
HFA_R55W_04 installation does not support the version NG with Application
Intelligence Upgrade All Products feature.
Uninstallation
Uninstallation on Different Platforms

In This Section

Windows page 9
IPSO, Solaris, Linux and SecurePlatform page 9

Windows
1 Stop the Firewall processes by executing cpstop. In a cluster configuration, execute
cphastop, as well.
2 From the Control Panel, open Add/Remove Programs and
• activate the line with Check Point VPN-1 Pro NG_AI_HFA_R55W_04.
• activate the line with Check Point SVN Foundation NG_AI_HFA_R55W_04.
3 Reboot the machine.
IPSO, Solaris, Linux and SecurePlatform
1 Stop the Firewall processes by executing cpstop. In a cluster configuration, execute
cphastop, as well.
2 Change the directory to the directory from which you installed the HFA.
3 Activate the uninstall script uninstall_hfa.
4 Reboot the machine.

Resolved Issues in HFA_R55W_04

Resolved issues for the current HFA.
TABLE 1-1 Resolved Issues: R55W_04

R55W_04-1 SmartCenter: Policy Server
Improved stability when dealing with large user databases.
Install on: SmartCenter Server

R55W_04-2 SecurePlatform
The system clock is updated automatically after a daylight savings event. See Special
Instructions: R55W_04.
Install on: SecurePlatform

R55W_04-3 SecurePlatform
When redefining SecurePlatform to UTC referenced time, in order for daylight savings to
work, make sure that you change only the UTC field in the clock file to true.
Install on: Gateway (SecurePlatform only)

R55W_04-4 FireWall-1: Acceleration
SecureXL templates for connections going to known web servers are now enabled.
Install on: Gateway

R55W_04-5 FireWall-1: Web Security
Improved connectivity when an HTTP request has additional carriage return or line feed
characters at the end of the HTTP headers.
Install on: Gateway

R55W_04-6 FireWall-1: Logging
Improved consumption of file descriptors by the fwd process.
Install on: SmartCenter Server & Gateway

R55W_04-7 FireWall-1: GUI
Resolved Block Suspicious Activity functionality in SmartView Monitor.
Install on: SmartCenter Server & Gateway with HFA_R55_12 and above installed

R55W_04-8 FireWall-1: SAM
Connections are no longer blocked permanently by SAM when multiple SAM requests for
the same IP (or network) are sent.
Install on: Gateway

R55W_04-9 FireWall-1: SAM
To cause connections blocked by SAM to be globally dropped rather than rejected, modify
the kernel parameter fwsam_reject either temporarily or permanently, as explained in the
SK item "how to modify kernel parameters".
Install on: Gateway

R55W_04-10 FireWall-1: Services
TKEY and TSIG resource records are now supported.
Install on: Gateway

R55W_04-11 FireWall-1: Security Servers
Connectivity enhancements when using Logical Servers (in ConnectControl) and Client
Authentication in Wait Mode: the firewall sends PING packets with a correct ICMP
checksum.
Install on: Gateway

R55W_04-12 FireWall-1: Platform Specific - Nokia
TCP connections will not be accelerated through Nokia Flows until their state changes to
Established.
Install on: Gateway

R55W_04-13 FireWall-1
Fixed memory leak with SCV checks.
Install on: Gateway

R55W_04-14 FireWall-1
The erroneous prompt message saying that the user does not have a license for Address
Translation is no longer displayed.
Install on: Gateway

Issues Resolved in Previous HFAs


In This Section

HFA_R55W_03 page 11
HFA_R55W_02 page 13
HFA_R55W_01 page 14

HFA_R55W_03

TABLE 1-2 Resolved Issues: R55W_03

R55W_03-1 ClusterXL: State Synchronization
Improves state synchronization when shutting down a cluster member of an X40 cluster.
To enable the feature, add fw_sync_broadcast_ack=1 to $FWDIR/modules/fwkern.conf.
Install on: Gateway

R55W_03-2 Firewall: Crossbeam
In a Crossbeam dualbox configuration, you can avoid an unnecessary error message by
adding the line fwha_crossbeam_dualbox=1 to $FWDIR/modules/fwkern.conf.
Install on: Gateway

R55W_03-3 Firewall: SAM
Increased SAM monitor table size.
Install on: Gateway

R55W_03-4 Firewall: SAM
Improved Suspicious Activity Monitor (SAM) functionality in the situation where the SAM
client failed to execute an operation, yet the return code indicated success.
Install on: Gateway

R55W_03-5 Firewall: SAM
When the SAM (Suspicious Activities Monitoring) server issues a rule to block the IP
address 0.0.0.0, all other IP addresses are no longer blocked.
Install on: Gateway

R55W_03-6 Firewall: NAT
Improved NAT execution in a cluster environment with asymmetric routing; FTP now
works properly with NAT when the NAT changes the length of the IP address.
Install on: Gateway

R55W_03-7 Firewall: Services
Support of PORT and 227 commands which end in \n instead of \r\n.
Install on: Gateway

R55W_03-8 Firewall: Logging
Improved behavior in the manner in which log files are saved from the Gateway to the log
server.
Install on: Gateway

R55W_03-9 Firewall: Licensing
Can now use a license that contains the CPVP-VFF-500-NG string.
Install on: Gateway

R55W_03-10 Firewall: SmartDefense
Enhanced Firewall streaming stability.
Install on: Gateway

R55W_03-11 Performance Pack: Accelerated features
Improved connectivity for very long term connections (such as SSH) while installing
policy.
Install on: Gateway

R55W_03-12 Firewall: Web Security
The HTML weeding protection provides a strong defense against different client side
attacks. However, under some circumstances this defense can be circumvented using
Cascading Style Sheets (CSS). Special Instructions: R55W_03-13.
Install on: Gateway

R55W_03-13 Firewall: Web Security
TCP keep-alive packets whose only data is 1 NULL byte are now allowed by the TCP
streaming mechanism.
Install on: Gateway

R55W_03-14 Firewall: VoIP
When a different port is used on SIP, connections will not be dropped as out of state.
Install on: Gateway

R55W_03-15 Firewall: SynDefender
Any TCP traffic that uses data payloads on SYN packets (legitimate or otherwise) will be
rejected by SynDefender while operating in Relay Mode. This means that legitimate
traffic carrying data on SYN packets may be blocked when SynDefender detects a SYN
attack. If the Gateway is to allow such traffic to pass through during a SYN attack, the
global parameter sm_synatk_count_syn_with_data may be set to 0.
By doing so:
1. Connectivity (for TCP traffic using data payloads on SYN packets) will only be
partially restored.
2. SynDefender will not be able to protect against floods of SYN packets carrying data.
Install on: SmartCenter Server and Gateway

R55W_03-16 Firewall: SynDefender
When switching from SynDefender Relay mode to passive gateway mode, connections on
Nokia are no longer dropped.
Install on: Gateway

R55W_03-17 Firewall: SynDefender
SYNDefender supports TCP connection establishment with FIN/ACK instead of ACK as
the 3rd packet. This feature is turned off by default. To turn it on, use:
fw ctl set int fwconn_src_fin_establishment 1
Install on: Gateway

R55W_03-18 Firewall: TCP Sequence Verifier
In TCP streaming, long packets are no longer cut.
Install on: Gateway

R55W_03-19 Firewall: Security Servers
When CVP is not defined in the FTP resource, data is no longer sent to the CVP server.
Install on: Gateway

R55W_03-20 Firewall: Security Servers
Enhanced redirect mechanism for quick UFP.
Install on: Gateway

R55W_03-21 Firewall: Security Servers
Improved Security Server stability.
Install on: Gateway

R55W_03-22 Firewall: Security Servers
Stripping of attachments that use unknown encoding. Special Instructions: R55W_03_24.
Install on: Gateway

R55W_03-23 Firewall
Weeding defense improvements can be activated by setting the flag
http_weeding_block_css to true. Special Instructions: R55W_02-1 and R55W_03_26.
Install on: Gateway

R55W_03-24 Firewall
Resolved issue regarding stream-based inspections.
Install on: Gateway

R55W_03-25 Firewall
Improved handling of TCP timestamps.
Install on: Gateway

R55W_03-26 Firewall
SCCP CallManager (all versions) is now supported.
Install on: Gateway

R55W_01-27 Firewall
You can now configure the maximum request body length. Make sure that the HTTP
Format Sizes defense is enabled. Set the parameter with:
fw ctl set int g_ws_max_req_size 49152
where 49152 can be replaced with the maximum request body size in bytes you wish to
allow. You must reinstall the policy in order for the change to take effect.
To turn off the defense, reset the parameter as follows and reinstall the policy:
fw ctl set int g_ws_max_req_size -1
Install on: Gateway

HFA_R55W_02

TABLE 1-3 Resolved Issues: R55W_02

R55W_02-1 FireWall-1
Weeding defense improvements can be activated by setting the flag
http_weeding_block_css to true. Special instructions: R55W_02-1 and R55W_03_26.
Install on: Gateway

HFA_R55W_01

TABLE 1-4 Resolved Issues: R55W_01

R55W_01-1 FireWall-1
Fixed memory leak when the firewall module fetches a policy from the SmartCenter
server.
R55W_01-2 FireWall-1
Fixed a crash in the HTTP security server under certain conditions.
R55W_01-3 FireWall-1
HTTP protocol inspection has been enhanced.
R55W_01-4 SmartCenter server and VPN-1 module
Fixed a problem with the SecurePlatform web UI.

Special Instructions
In This Section

R55W_04 page 14
ICMP attacks against TCP page 14
R55W_03 page 16
R55W_02 page 16

R55W_04
The system clock is now updated automatically after a daylight savings event, and not only
after a reboot. For this to work, the system clock must be set to UTC: install HFA_R55W_04
and, in the file /etc/sysconfig/clock, change the UTC field from false to true.
ICMP attacks against TCP
NISCC advisory (532967/ICMP) describes a potential attack against TCP based on ICMP.
The practical application of this vulnerability is very remote (because an attacker must know
both IP addresses of a valid, currently connected pair of computers). However, if exploited,
this vulnerability could allow an attacker to create a Denial of Service condition against
existing TCP connections, resulting in premature session termination. For more
information about the vulnerability, see the NISCC advisory.

While Check Point products are not vulnerable to this issue, other network devices may
require this protection. By upgrading to the latest HFAs offered by Check Point and
enabling a single kernel global parameter, you can ensure that all vulnerable devices behind
the gateway are properly protected. Enabling this parameter allows VPN-1 Pro to drop
ICMP error packets that belong to established TCP connections.
Installation Instructions
Set the kernel global parameter fw_drop_icmp_errors_over_tcp to 1. There is no need to
install the Security Policy. For more information about setting the kernel global parameter,
refer to SecureKnowledge Solution: sk26202.
Advanced Configuration
When using the ICMP attacks against TCP defense, there are some miscellaneous advanced
configuration issues that can be set, such as: specifying exclusion lists, fragmentation
requirements and enhancing connectivity when using SCV:
• Specify an exclusion list. This is a list of ICMP types and codes that should not be
monitored by the defense.
• To define this list, add a table called allowed_icmp_over_tcp_types (and
allowed_icmpv6_over_tcp_types for ICMPv6) to the user.def file, located under the
$FWDIR/lib directory on the SmartCenter Server machine. The table should
contain <type, code> pairs of ICMP packets that should not be monitored by the
new defense.
Example: the following table specifies that ICMP "host unreachable" (type 3, code 1)
and "port unreachable" (type 3, code 3) will not be monitored by the new defense:
allowed_icmp_over_tcp_types = {
    <3,1>,
    <3,3>
};
• Once this table has been added and edited, make sure that you install the Security
Policy.
• By default, ICMP "fragmentation needed" packets (ICMPv4 type 3 code 4, ICMPv6
type 2 code 0) are not dropped. Bandwidth attacks based on ICMP "fragmentation
needed" packets are handled by the SmartDefense Small PMTU defense. It is possible,
however, to enforce the new defense on "fragmentation needed" packets as well, by
setting the kernel global parameter fw_drop_icmp_frag_error_over_tcp to 1.
• When using Secure Client Verification (SCV), in some cases the connectivity of traffic
that is generated by machines which are inspected by SCV may be affected. To avoid
connectivity hitches when using SCV, set the kernel global parameter
fw_allow_icmp_error_scv to 1.
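The decision sequence that the Security Enhancements section and these Special Instructions describe, modelled in Python as an added example. This is not Check Point code and the gateway's real implementation is not published here; the connection table, the packet builder and the sample flows are constructed stand-ins, and the SCV parameter fw_allow_icmp_error_scv is not modelled. The model applies the three knobs from the text in order: the allowed_icmp_over_tcp_types exclusion list, the default pass for "fragmentation needed" unless fw_drop_icmp_frag_error_over_tcp is set, and the match of the quoted TCP segment against established connections; ICMP errors that refer to no known connection are left alone.

```python
import socket
import struct
from dataclasses import dataclass, field
from typing import FrozenSet, Set, Tuple

# ICMPv4 error types: destination unreachable, source quench, redirect,
# time exceeded, parameter problem. Only these quote the offending datagram.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
FRAG_NEEDED = (3, 4)          # ICMPv4 "fragmentation needed", as named in the notes
IPPROTO_TCP = 6

Flow = Tuple[str, int, str, int]    # (src, sport, dst, dport)


@dataclass
class IcmpOverTcpDefense:
    """Model of the kernel global parameters described in the Special Instructions."""
    fw_drop_icmp_errors_over_tcp: int = 0
    fw_drop_icmp_frag_error_over_tcp: int = 0
    # <type, code> pairs from the allowed_icmp_over_tcp_types table in user.def
    allowed_icmp_over_tcp_types: FrozenSet[Tuple[int, int]] = frozenset()
    # Stand-in for the gateway's table of established TCP connections (hypothetical)
    established: Set[Flow] = field(default_factory=set)

    def decide(self, icmp_msg: bytes) -> Tuple[str, str]:
        """Return ("drop" | "accept", reason) for one ICMP message."""
        icmp_type, code = icmp_msg[0], icmp_msg[1]
        if icmp_type not in ICMP_ERROR_TYPES:
            return "accept", "not an ICMP error message"
        if not self.fw_drop_icmp_errors_over_tcp:
            return "accept", "defense disabled (fw_drop_icmp_errors_over_tcp=0)"
        quoted = icmp_msg[8:]          # IP header + first 8 bytes of the offending datagram
        if len(quoted) < 20:
            return "accept", "quoted datagram too short to inspect"
        ihl = (quoted[0] & 0x0F) * 4
        if quoted[9] != IPPROTO_TCP or len(quoted) < ihl + 4:
            return "accept", "quoted datagram does not carry TCP ports"
        if (icmp_type, code) in self.allowed_icmp_over_tcp_types:
            return "accept", "excluded by allowed_icmp_over_tcp_types"
        if (icmp_type, code) == FRAG_NEEDED and not self.fw_drop_icmp_frag_error_over_tcp:
            return "accept", "fragmentation needed is left to the Small PMTU defense"
        src = socket.inet_ntoa(quoted[12:16])
        dst = socket.inet_ntoa(quoted[16:20])
        sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
        flow: Flow = (src, sport, dst, dport)
        if flow in self.established or (dst, dport, src, sport) in self.established:
            return "drop", "ICMP error refers to an established TCP connection"
        return "accept", "no established TCP connection matches the quoted segment"


def build_icmp_error(icmp_type: int, code: int,
                     src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed ICMP error quoting a TCP segment src:sport -> dst:dport (test input only)."""
    icmp_hdr = struct.pack("!BBHI", icmp_type, code, 0, 0)   # checksum left zero in this model
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_head = struct.pack("!HHI", sport, dport, 1)          # ports and sequence number
    return icmp_hdr + ip_hdr + tcp_head


def demo() -> dict:
    """Sample verdicts; the established flow and the exclusion table are constructed."""
    defense = IcmpOverTcpDefense(
        fw_drop_icmp_errors_over_tcp=1,
        allowed_icmp_over_tcp_types=frozenset({(3, 1), (3, 3)}),   # the table from the notes
        established={("10.0.0.5", 40000, "192.0.2.10", 80)},
    )
    known = ("10.0.0.5", "192.0.2.10", 40000, 80)
    return {
        "net_unreachable_known_flow": defense.decide(build_icmp_error(3, 0, *known))[0],
        "port_unreachable_excluded": defense.decide(build_icmp_error(3, 3, *known))[0],
        "frag_needed_default": defense.decide(build_icmp_error(3, 4, *known))[0],
        "net_unreachable_unknown_flow": defense.decide(
            build_icmp_error(3, 0, "10.0.0.5", "192.0.2.10", 40001, 80))[0],
        "echo_reply": defense.decide(build_icmp_error(0, 0, *known))[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

With the exclusion table from the notes in place, a "net unreachable" error quoting the established flow is dropped, the excluded "port unreachable" and the default-exempt "fragmentation needed" errors pass, and an error quoting a port the gateway never saw passes because it cannot tear down a connection that does not exist; setting fw_drop_icmp_frag_error_over_tcp to 1 extends the drop to "fragmentation needed".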

R55W_03
R55W_03-13
The HTML weeding protection provides a strong defense against different client side
attacks. However, under some circumstances this defense can be circumvented using
Cascading Style Sheets (CSS).
To get the highest level of protection, use GUI DBEdit to add the field
http_weeding_block_css (Boolean type) to the Global Properties with the value TRUE.
R55W_03_24
Stripping of attachments that use unknown encoding. When the existing property
smtp_unknown_encoding is unset (value is 0), the mail dequeuer also strips UTF-7
attachments when detected. The flag continues to strip the other attachments it used to
strip previously.
Activate this defense via the SmartDashboard GUI:
1) Select the SmartDefense tab.
2) Under Application Intelligence > Mail > Mail Security Servers > Mail and Recipient
content, deselect the Allow unknown encoding property.

R55W_02
R55W_02-1 and R55W_03_26
Weeding defense improvements can be activated by setting the flag
http_weeding_block_css to true in the following places:

1 In $FWDIR/conf/classes.C, add the http_weeding_block_css line under
firewall_properties:
: (firewall_properties)
    :table (properties)
    :querystring ("type = 'firewall_properties' | established_router = '*'")
    :baseobj (
        : (properties_per_module)
    )
    :fields (
        .....
        : (http_weeding_allow_chunked :type (boolean))
        : (http_weeding_block_css :type (boolean) :defvalue (false))
        : (http_block_java_allow_chunked :type (boolean))
        .......

2 In $FWDIR/conf/objects_5_0.C, add the http_weeding_block_css line:
    .......
    :http_weeding_allow_chunked (false)
    :http_weeding_block_css (true)
    :ica_cert_op_timeout (120000)
    ......

After adding the line in both places mentioned above, install the Policy.
Known Limitations
ClusterXL
1) When using T.120 connections on loadsharing clusters, you must add a rule manually
that allows these T.120 connections. For H.323 you must disable the flag Enable
dynamic T.120 in SmartDefense. Alternatively, you can use a sticky decision function
using IP addresses only and not port numbers.
Services
2) The services PIM, SWIPE, IP_Mobility and SUN_ND have the property Match on Any
checked by default. This causes the Cisco IOS DoS protection to work on those
protocols, even if the defense is disabled in SmartDefense. As a result, packets of those
IP protocols with TTL less than 4, are dropped.
To resolve this, remove the check from the service (in the Advanced window), or
remove the protection for that specific service in SmartDefense > IP and ICMP > Block
Cisco IOS DoS.
