Check Point® Enterprise Suite Next Generation With Application Intelligence (R55) Release Notes

Check Point® Enterprise Suite
Next Generation with

Application Intelligence (R55)
Release Notes
includes R55 HFA 04
October 15, 2006
IMPORTANT
Check Point recommends that customers stay up-to-date with the latest
service packs and versions of security products, as they contain security
enhancements and protection against new and changing attacks.
Introduction
Thank you for using Check Point’s Next Generation with Application Intelligence (R55).
This document contains important information not included in the documentation. Review
this information before installing your products.
The latest issues of both the “What’s New” document for Next Generation with
Application Intelligence (R55) and the “Resolved Issues” document from Next Generation
with Application Intelligence (R54) to Next Generation with Application Intelligence
(R55) can be downloaded from:
http://www.checkpoint.com/techsupport/downloads.jsp
IMPORTANT
Before you begin installation, read
the latest available version of these release notes at:
Check Point Express

Check Point Express is a new offering in NG with Application Intelligence (R55) designed
to provide superior security to businesses with up to 500 employees and multiple sites. It is
the industry's most comprehensive solution designed to deliver the highest levels of access
control, integrated network and application level attack protection, site-to-site and Remote
Access VPN, high-availability and a single intuitive, graphical user interface.
Check Point Express includes:
• VPN-1 Express gateway for protecting the privacy of site-to-site business
communications over the Internet
Last Update — October 15, 2006
• VPN-1 SecuRemote for protecting remote user communications over the Internet and
enables secure communication to your business
• FireWall-1 for market-leading, enterprise-class security to protect critical network
resources against unauthorized access
• SmartDefense for integrated network and application level attack protection
• SmartCenter Express for centrally deploying and managing all aspects of a
comprehensive security infrastructure.
• For further information see: http://www.checkpoint.com/products/express
Check Point Next Generation with Application Intelligence (R55) Release Notes. Last Update — October 15, 2006 2
In This Document
General Information
Introduction page 1
Check Point Express page 1
Supported Platforms page 4
Build numbers page 7
Minimum Hardware Requirements page 8
Installing Check Point Products page 9
Uninstalling Check Point Products page 12
Upgrade and Backward Compatibility Notes page 13
Security Notes page 24
Product Information
FireWall-1 page 25
SmartCenter page 37
VPN-1 page 44
SecuRemote/SecureClient page 49
SecurePlatform page 55
SmartUpdate page 58
SmartView Monitor page 58
SmartView Reporter page 60
SmartLSM page 63
Performance Pack page 65
ClusterXL page 65
FloodGate-1 page 70
UserAuthority page 72
OPSEC page 73
Supported Platforms
Notes to Supported Platforms Table
1) The minimum screen resolution for Check Point’s SmartConsole is 800x600. Lower
resolutions are not supported. Only standard installations of the above platforms are
supported.
2) Both patches and packages are required for Solaris 8 and 9 as follows:
Required Solaris Packages
• SUNWlibc
• SUNWlibCx
• SUNWter
• SUNWadmc
• SUNWadmfw
Required Solaris Patches

Solaris 8: the following patches (or newer) are required on Solaris 8 UltraSPARC
platforms:
patch numbers
108528-17 and
110380-03
and
113652-01 Note - 113652-01 is required only if 108528-17 is installed. For anything
higher than 108528-17, 113652-01 is already included.
109147-18
109326-07
32 bit: 108434-01
64 bit: 108435-01
Solaris 9: the following patches (or newer) are required on Solaris 9 UltraSPARC
platforms:
patch numbers
112902-07
To verify that you have these patches installed use the command:
showrev -p | grep <patch number>
The patches can be downloaded from: http://sunsolve.sun.com. Install the 32-bit patches
before installing 64-bit patches.
3) Installation on Red Hat Linux 7.2 requires kernel version 2.4.9-31 which fixes critical
security issues in the Linux kernel. This kernel is not distributed with Red Hat Linux
7.2 by default. Download from:
http://ftp.redhat.com/pub/redhat/support/enterprise/isv/kernel-archive/7.2/2.4.9-31/
For Red Hat kernel installation instructions, visit:
http://www.redhat.com/support/resources/howto/kernel-upgrade/s1-upgrade.html
4) Installation on Red Hat Linux 7.3 requires kernel version 2.4.18-5. This kernel is not
distributed with Red Hat Linux 7.3 by default. The released version of the 2.4.18-5
kernel contains a remote denial of service vulnerability in the TCP/IP stack. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0244 to this issue. Further details are available at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0244
Check Point recommends installing a 2.4.18-5 kernel that contains a fix for this
vulnerability, this kernel is available for download at the following locations:
kernel sources:
http://www.checkpoint.com/support/downloads/bin/vpn_des/firewall1/r54/linux/2.4.18-5/kernel-2.4.18
-5.ckp.src.zip
i386:
kernel-2.4.18-5.ckp.i386.rpm
-5.ckp.i386.rpm
i586:
-5.ckp.i586.rpm
kernel-smp-2.4.18-5.ckp.i586.rpm
http://www.checkpoint.com/support/downloads/bin/vpn_des/firewall1/r54/linux/2.4.18-5/kernel-smp-2.
4.18-5.ckp.i586.rpm
i686:
-5.ckp.i686.rpm
kernel-smp-2.4.18-5.ckp.i686.rpm
http://www.checkpoint.com/support/downloads/bin/vpn_des/firewall1/r54/linux/2.4.18-5/kernel-smp-2.
4.18-5.ckp.i686.rpm
For Red Hat kernel installation instructions, visit:

http://www.redhat.com/support/resources/howto/kernel-upgrade/s1-upgrade.html.
5) The asterisk (*) beside the x in this column indicates that the product is Windows 2000
Professional SP3 compatible.
6) SmartConsole Clients that are not supported on Solaris 8 UltraSPARC
(32-bit and 64-bit) include: SmartView Reporter, SmartView Monitor, SmartLSM and
the SecureClient Packaging Tool.
7) For the latest Nokia platforms consult the Nokia web site at:http://www.nokia.com
or https://support.nokia.com.
8) SmartUpdate supports managing licenses but does not support managing products from
a Nokia SmartCenter Server.
Supported Platform’s Language Testing
Check Point's SmartCenter and Enforcement Point products are supported on all language
versions of our supported operating systems but are fully-tested only on the American
English versions of most operating systems. In the unlikely event that you encounter any
incorrect software behavior on alternate languages, open a service request with Check
Point’s Technical Support team:
http://support.checkpoint.com/kb
Build numbers
The build numbers in the following table do not include the build numbers for HFA04.
Refer to the HFA04 release notes for the latest build information.
Product Command Platforms Build Number
VPN-1 Pro VPN-1 Pro: $FWDIR/bin/fw ver All platforms for VPN-1 Pro, 121
VPN-1 Edge Displayed on the default portal page VPN-1 Edge can be managed VPN-1 Edge S
from: Windows 2000, Solaris, R4057
SecurePlatform, Linux VPN-1 Edge X
R4057
VPN-1 Pro Backward Compatibility Solaris: /opt/CPfwbc-41/bin/fw ver All platforms 623
Windows: %FWDIR%\bin\fw ver
SmartConsole (GUI) Help>About Check Point SmartDashboard Windows, Solaris 127
SVN Foundation $CPDIR/bin/cpshared_ver Windows, Solaris, Linux, IPSO 144
SecuRemote/SecureClient Help>About Windows 082
SecurePlatform ver SecurePlatform 098
SecureClient Policy Server $FWDIR/bin/dtps ver Windows, Solaris, Linux, IPSO, 009
SecurePlatform
SmartView Monitor $FWDIR/bin/rtm ver Windows, Solaris, Linux, IPSO, 013
SecurePlatform
SmartView Reporter $RTDIR/bin/SVRServer ver Windows, Solaris, Linux, IPSO, 080
SecurePlatform
Performance Pack $PPKDIR/bin/sim ver -k Solaris, SecurePlatform 013
FloodGate-1 $FGDIR/bin/fgate ver Windows, Solaris, Linux, IPSO, 079
SecurePlatform
FloodGate-1 Backward Compatibility Solaris: /opt/CPfwbc-41/bin/fgate ver Windows, Solaris 607
Windows: %FWDIR%\bin\fgate ver
UserAuthority Server $UAGDIR/bin/netsod d –v Windows, Solaris, Linux, IPSO, 052
SecurePlatform
VPN-1 HW Accelerator I n/a Windows, Solaris 5
VPN-1 HW Accelerator II n/a Windows, Solaris, Linux 12
VPN-1 HW Accelerator III n/a Windows, Solaris, Linux, 15
SecurePlatform
Minimum Hardware Requirements

In This Section
Minimum Hardware Requirements — IPSO page 8

Minimum Hardware Requirements — Windows or Linux page 8
Minimum Hardware Requirements — Solaris page 8
Minimum Hardware Requirements — SmartConsole for Windows page 9
Minimum Hardware Requirements — SmartConsole for Solaris page 9
Minimum Hardware Requirements — IPSO

TABLE 1-1 lists the minimum hardware requirements for installing IPSO
TABLE 1-1 Minimum Requirements IPSO
Platform IP120, IP130, IP330, IP350, IP380, IP440, IP530, IP650, IP710, IP740,
IP1260
Memory 128 Mbytes
Minimum Hardware Requirements — Windows or Linux

TABLE 1-2 lists the minimum hardware requirements for installing a VPN-1/FireWall-1
SmartCenter Server or VPN-1 Pro Module.
TABLE 1-2 Minimum Requirements (SmartCenter Server or VPN-1 Pro Module)
CPU Intel Pentium II 300+ MHz or equivalent
Disk space 300 Mbytes (software installation only)
Memory 128 Mbytes
Minimum Hardware Requirements — Solaris

TABLE 1-3 VPN-1/FireWall-1 Minimum Requirements (Solaris Platforms)
CPU Architecture UltraSPARC II
Memory 128 Mbytes
Minimum Hardware Requirements — SecurePlatform
TABLE 1-4 VPN-1/FireWall-1 Minimum Requirements (SecurePlatform)
CPU Intel Pentium II 300+ MHz or equivalent
Disk space 4 Gigabyte hard drive, supported NICS
Memory 128 Mbytes (512 Mbytes recommended)
Minimum Hardware Requirements — SmartConsole for Windows

SmartConsole includes: SmartDashboard, SmartView Tracker, SmartView Status,
SmartView Monitor, SmartView Reporter, SmartUpdate, SmartLSM and User Monitor.
TABLE 1-5 lists the minimum hardware and operating system required for installing the
VPN-1/FireWall-1 SmartConsole Clients.
TABLE 1-5 SmartConsole Minimum Requirements for Windows
CPU Intel Pentium II 300 MHz or equivalent
Memory 128 Mbytes
Minimum Hardware Requirements — SmartConsole for Solaris

SmartConsole Clients include: SmartDashboard, SmartView Tracker, SmartView Status,
SmartUpdate, User Monitor.
TABLE 1-5 lists the minimum hardware and operating system required for installing the
VPN-1/FireWall-1 SmartConsole Clients.
SmartConsole Minimum Requirements for Solaris
CPU Architecture UltraSPARC II
Memory 128 Mbytes
Installing Check Point Products

In This Section
The Recommended Installation Method page 10

Nokia IPSO 3.7 and 3.7.1 page 10
Windows Platforms page 12
Solaris / Linux page 12
Upgrade Paths page 12
Upgrading via SmartUpdate page 12
Minimum Screen Resolution page 12
The Recommended Installation Method

The installation methods are listed below in the recommended order:
1) The recommended method for installing products is to use the CD wrapper. For full
instructions see the “Installation and Configuration” chapter in the “Check Point Getting
Started Guide”.
2) You can also upgrade Check Point products centrally via SmartUpdate. The
SmartCenter Server cannot be installed via SmartUpdate.
(See “Upgrading via SmartUpdate” on page 12.)
3) If you wish to use an on-line copy, download a specific wrapper from the Check Point
Download Center web site:
For full instructions see the “Installation and Configuration” chapter in the “Check Point
SmartCenter Guide”.
4) Installing individual products is not the recommended installation method. If you still
wish to do so, see the “Individual Installation” document on:
http://www.checkpoint.com/support/technical/documents/docs_r55.html
For further information, read the section “FireWall-1” on page 25.

Platform Specific Installation Notes
Nokia IPSO 3.7 and 3.7.1
Before the Nokia Installation
1) Before installing or upgrading to Next Generation with Application Intelligence (R55),

be sure to upgrade the IPSO operating system to IPSO 3.7 and 3.7.1 and reboot the
Nokia appliance.
2) Prior to installing FireWall-1 for Next Generation with Application Intelligence (R55)
on an Nokia appliance, make sure no previous FireWall-1 Next Generation with
Application Intelligence (R55) installation exists. No warning is issued if you attempt to
install Next Generation with Application Intelligence (R55) on an Nokia appliance that
already has Next Generation with Application Intelligence (R55) installed, but it may
cause some existing packages to be deleted.
3) Make sure that the Check Point VPN-1/FireWall-1 4.1 for Backward Compatibility
remains non-Active, before and after Next Generation with Application Intelligence
(R55) wrapper installation.
4) Confirm that you have the correct static host name associated with the external IP
address of the platform. From the Voyager home page, click the System Configuration
link, then click the Host Address Assignment link. If localhost is the only entry, add the
hostname of the gateway and the external IP address associated with it.
5) If a previous version of VPN-1/FireWall-1 NG is already installed, the wrapper package
must be installed as an upgrade, giving the VPN-1/FireWall-1 NG directory as the
upgrade parameter (see Command Line Installation, below). If you want to install Next
Generation with Application Intelligence (R55) as a new package rather than an
upgrade, you must turn off any active VPN-1 Pro NG packages before you begin the
installation.
6) Nokia IPSO OS images are not available on the CD. To obtain IPSO images, log into
the Nokia support site on: https://support.nokia.com/.
During the Nokia Installation
7) Install the Check Point Next Generation with Application Intelligence (R55) wrapper
package using the newpkg command or using Voyager. This is the standard way to install
all IPSO packages.
8) Installing Using the newpkg command:
You can type newpkg then press Enter and read the instructions or use the following
command via the command line interface:
Clean installation
newpkg -m LOCAL -n IPSO_wrapper_R55.tgz
For NG upgrade
newpkg -m LOCAL -n IPSO_wrapper_R55.tgz -o $FWDIR
After installing via the Wrapper, the following products are installed:
Product Status after Status after Upgrade
Clean
Installation
Check Point SVN Foundation NG with Application Intelligence (R55) Active Active
Check Point VPN-1 Pro NG with Application Intelligence (R55) Active Active
Check Point VPN-1/FireWall-1 4.1 For Backward Compatibility (R55) Not Active Not Active
Check Point Policy Server NG with Application Intelligence (R55) Not Active As it was prior to upgrade
Check Point FloodGate-1 NG with Application Intelligence (R55) Not Active As it was prior to upgrade
Check Point UserAuthority Server NG with Application Intelligence (R55) Not Active As it was prior to upgrade
Check Point SmartView Monitor NG with Application Intelligence (R55) Not Active As it was prior to upgrade
Check Point SmartView Reporter NG with Application Intelligence (R55) Not Active As it was prior to upgrade
After the Nokia Installation
9) After you activate or deactivate a product using Voyager, use a terminal or console
connection to login and perform cpstop then cpstart. When you activate or deactivate
FloodGate-1, you must reboot the appliance.
Windows Platforms
On Intel based Windows NT, Windows 2000 and Windows 98/ME for SmartConsole and
SecureClient/SecuRemote, insert the CDROM in the drive. The Check Point integrated
installation program starts automatically. You can manually launch the installation wrapper
by running setup.exe from the CD’s root directory.
Solaris / Linux
1 Insert the CDROM into the drive.
2 Run UnixInstallScript.
This program will guide you through the installation process.

Note - If you installed patch 110934-20 for Solaris 8, or patch 113713-17 for Solaris 9, during
installation you may receive an error message indicating that SVN Foundation is missing. You should
remove the patches, reinstall VPN-1 Pro and then reinstall the patches. For more information, see
sk30333.
Upgrade Paths
For additional upgrade information read Check Point’s “Upgrade Guide”. Version 4.1 SP5
or higher can be upgraded to Next Generation with Application Intelligence (R55). There
is no need for any additional packages.
Note - If not installing via the Wrapper, prior to installing Check Point Next Generation with Application
Intelligence (R55) products, verify that SVN-1 Foundation Next Generation with Application
Intelligence (R55) package is installed by running the command $CPDIR/bin/cpshared_ver
command, and ensure the version is “NG with Application Intelligence (R55) - Build 144”.
Upgrading via SmartUpdate

For further information regarding central upgrades using SmartUpdate, see the Upgrading
Check Point Gateways with SmartUpdate section of the “Upgrade Guide”.
Minimum Screen Resolution
It is recommended to install using a monitor with at least a minimum screen resolution of
1024x768 pixels.
Uninstalling Check Point Products
Uninstalling - Platform Specific Windows
On Windows platforms, the SNMP Service must be stopped before uninstalling FireWall-1.
If the SNMP Service is started, a message regarding locked files is displayed.
Uninstalling Individual Products
10) Uninstalling individual products documentation can be found in the “Individual
Installation” document on:
http://www.checkpoint.com/support/technical/documents/docs_r55.html
This guide has both individual product installations and uninstallations.

Uninstalling the SVN Foundation
On the Solaris platform uninstalling SVN Foundation NG FP2, after Next Generation with
Application Intelligence (R55)’s SVN-1 Foundation has been installed, results in the
following error message:
pkgrm: ERROR: unable to remove directory </opt/CPshared/5.0/tmp> Removal of
<CPshrd-50> partially failed.
You will be able to successfully remove SVN Foundation NG
FP 2 the second time you try and the removal does not affect Next Generation with
Application Intelligence (R55)’s SVN-1 Foundation.
Upgrade and Backward Compatibility Notes
For further upgrade information see “The Complete Check Point Upgrade Guide”.
In This Section
FireWall-1 page 13 SmartUpdate page 19

SmartCenter page 15 SmartView Monitor page 20
Managing FireWall-1 GX page 17 SmartView Reporter page 20
VPN-1 page 18 ClusterXL page 52
SecuRemote/SecureClient page 18 FloodGate-1 page 24
SecurePlatform page 19 UserAuthority page 24
FireWall-1
1) VPN-1 Pro Solaris packages have been updated with a fix to the problems related to an
error message that appeared after upgrading from a version of NG prior to NG with
Application Intelligence (R55) stating: FW-1: Restarting bootd: FW_BOOT_DIR
Environment variable not defined. To obtain a fix for existing installations and more
information on this issue, refer to SecureKnowledge solution sk21234.
2) After performing an upgrade, policies with different names become different policy
packages. To insert them into the same policy package, use Copy Policy to Packages to
save the policies under the same name.
3) SAM (Suspicious Activities Monitoring) dynamic rules are not automatically upgraded
from 4.1 to Next Generation with Application Intelligence.
4) Manual configuration to the file fwauthd.conf (For example: in.genericd configuration
to the generic TCP Security Server) are not preserved during upgrade and the changes
should be reapplied.
5) Xylan machines have not been supported since NG FP3. The same is true for
Embedded Devices of the type Other. If such objects existed in the database prior to
your upgrade they will appear as 4.0 Check Point objects with the same name after the
upgrade.
That means that the objects will still be visible in SmartDashboard (as 4.0 Check Point
Objects), but Install Policy on these Check Point objects will be blocked.
6) After upgrade from Version 4.1, in order to succeed in installing the policy, policies
with 31 characters (or more) should be saved with a shorter name containing up to 25
characters.
7) If a FireWall-1 gateway object is defined in the SmartDashboard with anti-spoofing
defined, and later on converted into a host gateway, compilation problems may occur
when installing the policy on a Version 4.1 gateway. The workaround is to delete the
object and redefine it.
8) On Windows platforms, the SNMP Service must be stopped before uninstalling
FireWall-1. If the SNMP Service is started before uninstalling, a message regarding
locked files is displayed.
9) Manually change the MAC address definitions in the local.arp Proxy-ARP
configuration file if you are performing an advanced upgrade and the target machine is
different than the original.
10) After upgrading from NG with Application Intelligence (R55), it is possible that when
adding targets to a rule, there will be displayed "High" "Medium" and "Low" options.
These may be safely ignored. Another option is to use the DBEdit utility and change the
value of the global property support_sofaware_profiles from true to false.
11) When trying to remove previous NG packages and NG with Application Intelligence
(R55) is installed and active, perform the following steps:
a. deactivate FireWall-1 (if other depended packages are active, deactivate it first)
b. deactivate the SVN Foundation for NG with Application Intelligence (R55),
c. activate the previous SVN Foundation,
d. delete previous FireWall-1, Deactivate the previous SVN Foundation, delete the
previous SVN Foundation,
e. activate the SVN Foundation for NG with Application Intelligence (R55)
f. activate FireWall-1 NG with Application Intelligence (R55) and activate dependent
products.
SmartCenter
1) The Upgrade process does not change the mail alert script in the Log and Alert section
of the Global Properties. Check Point recommends using the internal_sendmail
command:
internal_sendmail [-s subject] [-t server] [-f from] email-address
2) Xylan machines have not been supported since NG FP3. The same is true for
Embedded Devices of the type Other. If such objects existed in the database prior to
your upgrade they will appear as 4.0 Check Point objects with the same name after the
upgrade. That means that the objects will still be visible in SmartDashboard (as 4.0
Check Point objects), but Install Policy on these Check Point objects will be blocked.
3) The Check Point Installation Wrapper does not support Solaris 2.6 and Solaris 2.7. To
export configuration from these platforms use the command line command
upgrade_export. For more information about this command line command, refer to the
SmartCenter Upgrade chapter in the “Upgrade Guide”.
4) The Upgrade Utilities (Pre-Upgrade Verifier, upgrade_export and upgrade_import) do
not support the AIX platform.
5) When upgrading from 4.1 to Next Generation with Application Intelligence, cluster
members that were not attached to a cluster (in Version 4.1 - they were just marked as
a member) are not seen in SmartDashboard. After upgrading, these objects still exists in
the system so configuring objects with the same name is not possible. A workaround is
to run the dbedit command to edit the objects_5_0.C and objects.c files in order to
delete the hidden object.
6) When using the Export or Import upgrade utilities on Windows NT, the version of the
system DLL MSVCRT.dll should be 6.0 or higher. When running with a lower version of
this DLL, the operation will fail with the following error: The procedure entry point
__lc_collate_co could not be located in the dynamic link library MSVCRT.dll. To continue
the operation, allow the system to use this DLL from the current path by:
a. Use the REGEDIT application to add the string msvcrt.dll to the following registry
key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager
\ExcludeFromKnownDlls
b. Reboot your machine.
7) When upgrading with a duplicate machine whose IP Address differ from the origin
SmartCenter (Management) Server's IP Address, if central licenses are used, they should
be updated to the new IP Address. This can be done via the User Center at
http://usercenter.checkpoint.com, by choosing the action License > Move IP > Activate
Support and Subscription.
8) If the AMON private schema was previously imported using the amon_import tool, it
needs to be re-imported after the upgrade.
9) After upgrade from 4.1, policies with 31 characters (or more) should be saved with a
shorter name containing up to 25 characters, in order to succeed in installing the policy.
10) When using the Upgrade Export and Import utilities on the Windows platform, the
machine should be connected to the network. Alternatively, a connector can be used to
simulate a connection. Refer to SecureKnowledge, solution sk19840 for more
information regarding how to simulate a network connection during an upgrade.
11) Before using the command upgrade_export to export a configuration from a
SmartCenter Server, define the environment variables FWDIR and CPDIR.
12) When upgrading to a new machine using import/export, use the following instructions
to retain both users and administrators authentication:
a. When using SecurID for authentication, while the new SmartCenter Server has the
same IP Address as the original SmartCenter Server:
Windows Platforms
If the environment variable %VAR_ACE exists, copy the file %VAR_ACE\sdconf.rec
from the original machine to the new machine. Otherwise, copy the file
%WINDIR\system32/sdconf.rec from the original machine to the new machine. In
addition, copy the registry key HKLM->SOFTWARE->SDTI->ACECLIENT->NodeSecret from
the original machine to the new machine.
Unix Platforms
If the environment variable $VAR_ACE exists, copy the files $VAR_ACE/sdconf.rec
and $VAR_ACE/securid from the original machine to the new machine. Otherwise,
copy /var/ace/sdconf.rec and /var/ace/securid from the original machine to the
new machine.
b. In addition, if the new SmartCenter Server has a different IP Address than the
original SmartCenter Server, and one of the authentication servers RADIUS,
TACACS or ACE/Server are being used, redefine the IP Address of the
SmartCenter Server on the authentication server.
13) When upgrading from an earlier version of NG using import/export, and the new
SmartCenter Server has a different IP Address than the original SmartCenter Server, a
Plug-and-Play license will not be applicable on the new SmartCenter Server. The
license for the SmartCenter Server should be converted to a new IP Address at
http://usercenter.checkpoint.com by choosing the action License > Move IP > Activate
Support and Subscription. The license should then be installed on the new SmartCenter
Server.
14) When upgrading from 4.1 to a new machine using the import/export command line
with the new SmartCenter Server on SecurePlatform, the following steps should be
taken for the import:
a. During the installation on SecurePlatform:
• Do not initialize the Internal Certificate Authority (CA) or
• Initialize Internal Certificate Authority (CA) but run fwm sic_reset before
importing. Ignore the instructions printed to the console after running this
command.
b. Run upgrade_import.
c. Run cpconfig to initialize the Internal Certificate Authority (CA).
15) If you are upgrading via import/export and either the import or the export operation
fails for the product you are attempting to install on the machine, the entire operation
will fail with the exception of these products: SmartView Reporter, SmartView
Monitor, SecureXL and UserAuthority Server. Failure importing and/or exporting of
these products will not fail the entire import/export operation. Use the log file of the
import/export operation to understand what caused the problem and fix it. The log file
is located at:
• Windows: C:\program files\checkpoint\CPInstLog\wrapper_R55.elg
• Unix: /opt/CPInstLog/wrapper_R55.elg
16) When upgrading a Log Server, always choose to upgrade and ignore the other options
(to export the configuration or to perform pre-upgrade verifications). These options are
irrelevant for Log Server upgrades. Also, the backwards compatibility (BC) package is
installed on every Log Server. It can be safely removed, as it is not in use on a Log
Server.
17) If downloading updates during an upgrade using the Check Point Installation Wrapper
fails (for example, because the machine is not connected to the Internet), then the
upgrade will continue using the tools that exist on the CD. To use the most recent
version
a. Download the updates from:
https://support.checkpoint.com/downloads/bin/autoupdate/ut/r55/index.html
b. Save the update on the local disk of your SmartCenter Server
c. Restart the Wrapper and choose the second option in the Download page:
I already downloaded and extracted the Upgrade Utilities.
Managing FireWall-1 GX
1) A direct FireWall-1 GX 1.5 management to SmartCenter R55 is not supported.
However, this upgrade can be done by using the upgrade path: FireWall-1 GX 1.5 to
FireWall-1 GX 2.0.
2) When upgrading from FireWall-1 GX 2.0 a Management to VPN-1 Pro NG with
Application Intelligence (R55)’s SmartCenter Server the FireWall-1 GX product will be
deselected in in the FireWall-1 GX cluster. After upgrading the FireWall-1 GX product,
recheck the FireWall-1 GX cluster object.
VPN-1
1) An externally managed NG FP1 VPN-1 module cannot be added to a VPN
community with a star topology. When trying such configuration policy installation
fails.
2) After an upgrade of a management server of a version prior to NG FP2, rules with
encrypt action using AH rather than ESP (defined as part of the encrypt action
properties) will fail to be transformed to ESP properly (note: starting from NG FP2,
AH is not supported and upgrade process should transform such rules to use ESP
instead). To make the upgrade process successful one of the following can be
performed:
• Before upgrade AH rules can be modified manually to ESP.
• After upgrade, for upgraded encrypt rules (which were configured with AH prior to
the upgrade) modify the action to accept and then back to encrypt, or disable those
rules and add a new rule instead.
3) When upgrading a 4.1 Management Server to NG:
before the upgrade - rename the Internal CA back to its original name Internal CA
after the upgrade - reinitialization of SIC on SmartCenter is required (please note

that this process requires initialization of trust between the SmartCenter Server and all
the modules).
Otherwise if you modify the name of the Internal CA before the upgrade process, the
Internal CA will not be functional after the upgrade.
SecuRemote/SecureClient
1) When overwriting or upgrading SecureClient to a different directory than the one used
in your previous installation, a dialog stating: Files needed (OMVA.sys) may appear. To
complete the installation successfully, fill the current installation directory in the Copy
files from text box, then press OK.
2) When upgrading a branded version of SecuRemote/SecureClient, make sure that the

customized settings are included in the upgrade package.
3) At the first reboot after installation on Windows 98, it may take 1-2 minutes for the
Windows desktop to come up. This does not occur during subsequent boots.
4) Windows NT 4.0 is supported only with Internet Explorer 5.0 or higher.
5) The preferred SecuRemote/SecureClient installation sequence is
a. Install SecuRemote/SecureClient.
b. Boot.
c. Log in as an administrator.
If you are not an administrator:
a. Install SecuRemote/SecureClient.
b. Edit the registry, and under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce, delete the
value InstallShieldSetup.
c. Boot.
d. Log in as a user.
6) When Installing SecuRemote/SecureClient on a computer which has McAfee
VirusScan installed on it, follow the instructions below in order to assure
SecuRemote/SecureClient functionality:
a. Wait for message-box titled "McAfee Winsock Filter" (it may be during installation
or few minutes after the installation boot)
b. Press OK
c. Reboot
Note - Note that this is not relevant in case VirusScan is installed after SecuRemote/SecureClient
SecurePlatform
1) If you want to upgrade a SecurePlatform machine that was initially installed as an NG
FP2 version, before you start the upgrade process, apply a "Pre-Install-Patch" on the
machine. You can obtain the "Pre-Install-Patch" package from the download center at:
SmartUpdate
1) After upgrading SmartCenter, open the SmartUpdate SmartConsole and from the
Products menu select Get Data, to retrieve the installed product's information from the
remote modules.
2) Before uninstalling Performance Pack, make sure the Performance Pack package exists
in the Repository.
3) After upgrading the SmartCenter using the Export tool, run the cppkg get command on
the new SmartCenter to sync SmartUpdate's Package Repository.
4) After upgrading a version 4.1 Gateway to NG with Application Intelligence, the
gateway fails to fetch the policy from SmartCenter. Via SmartDashboard, install the new
policy on the Gateway.
5) Before using SmartUpdate's Upgrade All Products tool to upgrade a Nokia machine,
make sure the IPSO OS version specified in the SmartCenter Server in the
$SUDIR/ipso_ver.txt file, matches the version you want to install and exists in the
Repository.
6) After downgrading the SmartCenter Server from Next Generation with Application
Intelligence, delete the package repository on the SmartCenter Server. To do so, delete
the $FWDIR/conf/packages.c file and the $SUROOT/checkpoint directory.
Do NOT delete the directories $SUROOT, $SUROOT/tmp and $SUROOT/log.
SmartView Monitor
7) SmartView Monitor history reports of the SmartCenter Server are not retained in an
Advance Upgrade process that imports a machine from a different Operating System.
However, history reports of the remote modules are retained.
8) When downgrading Check Point VPN-1 Pro gateway, completely uninstall SmartView
Monitor and all previous Real-Time Monitor installations and then reinstall the older
version you desire.
SmartView Reporter
1) You can upgrade SmartView Reporter NG FP3 to NG with Application Intelligence
(R55). Upgrading from NG FP2 Reporting Tool (or a prior version) is not supported.
If you have an NG FP2 Reporting Tool installed, uninstall it before you upgrade to NG
with Application Intelligence (R55).
2) Before performing a backout of Check Point NG with Application Intelligence (R55)
Early Availability on Solaris, backup the database files. After the backout is performed
copy restore the files in $RTDIR/Database.
3) You must install or upgrade the SmartView Reporter via the CD. SmartUpdate does
not support SmartView Reporter.
4) When performing an advanced upgrade and migrating a SmartCenter Server that
contains FireWall-1 and SmartView Monitor to another machine, the Express reports
for the old machine are not maintained. New reports are generated for the target
machine.
5) Report schedules are not preserved properly when performing a backout of the
SmartView Reporter Server from NG with Application Intelligence (R55) to NG FP3.
Schedules that were created or modified after the upgrade from NG FP3 should be
deleted before the backout and should be regenerated after the backout to NG FP3 has
completed.
6) If you are performing an advanced upgrade and you are moving the Log server from
one machine to another, the Log Consolidator stops. The reason is that the Log
Consolidator attempts to start reading from the last log it read. But the logs are not
moved to the new machine as part of the upgrade. Therefore, when performing an
advanced upgrade, if you are moving the Log server from one machine to another,
reinstall the Log Consolidator policy.
7) If you are upgrading SmartView Reporter from NG FP3, it is best to produce reports
only from database tables that have data that was consolidated using SmartView
Reporter with NG with Application Intelligence. If you wish to create reports from
tables that contain data consolidated using SmartView Reporter
NG FP3, you may get inaccurate report results in some cases:
• You will get inaccurate results in all reports that count files, emails, URLs or sites.
• You will get inaccurate results for units that describe a reject reason for VPN or
SecureClient connections.
If you wish to get accurate report results, you can manually run the database upgrade
utility. This utility will upgrade the contents of any table in your database that you
specify in the command line. Before running this utility, you must make sure the
database cache size is 256MB or more.
Modify $RTDIR/Database/solid.ini, and edit CacheSize value to 268435456 bytes
(256MB) or more. For further information see the “SmartView Reporter User Guide”
section on Changing the SmartView Reporter Database Cache Size. If your machine
adheres to the minimum hardware requirements, it should have enough free memory
for this cache. If you do not have enough memory, set a smaller cache size, and run the
Database Upgrade utility with the parameter -r (outlined below).
To run the database upgrade utility do the following:
a. Stop all services except the database service by running the following commands:
i. cpstop
ii. rmdstart
iii.cpwd_admin stop -name LC
iv. cpwd_admin stop -name SVR
b. Run the database upgrade utility:

i. cd $RTDIR\bin
ii. SVR_DBUpgrade [-r num_rows] [Table-name | "*"]

(see parameters below)
c. Start all check point services
i. rmdstop (may take a while)
ii. cpstart
The valid arguments for the upgrade utility are:
This is an optional parameter with default value of 150000 rows. This parameter controls the
number of database rows that are updated in each SQL transaction, and it should fit into the
database cache.
If your database cache size is 256MB, you do not need to specify this parameter. If your cache size
is different, set row_num to:
num_rows <cache-size in bytes>/1800.
Table-name The database table you wish to upgrade. For example: SVR_DBUpgrade CONNECTIONS
Upgrade all the tables in your database. The quotation marks around the asterisk are
“*” necessary.
8) The export mechanism of the advanced upgrade does not copy the SmartView
Reporter database files and the report definition files. If you wish to perform a full
export that includes all the SmartView Reporter data, follow these steps:
Steps to perform on the original machine (the SmartCenter machine):
a. Run the cpstop command.
b. Backup the file $RTDIR/Database/solid.ini file for future reference.
c. If you are going to import the configuration to another machine, copy your
database files to a location that is accessible from that machine. If you are going to
import the configuration to the same machine, move your database files to a
location that will not be deleted when you uninstall Check Point products (i.e not
under any folder of a Check Point product)
d. Backup any company logo image file(s) that you placed under $RTDIR/bin
e. Run the CD wrapper and perform the export operation.
If you are going to import the configuration on the same machine
Uninstall all check point products from that machine.
Steps to perform on the new machine
a. Perform the Import operation on the machine you selected for that purpose.
b. Run the cpstop command.
c. Restore the database files from backup to the new machine. (Do not restore the
solid.ini file)
d. Restore your company logo image file(s) to $RTDIR/bin
e. Modify solid.ini to point to the new location of the database files.
f. Run the cpstart command.
9) After you perform an advanced upgrade for a SmartView Reporter distributed
configuration from FP3 to Next Generation with Application Intelligence (R55), if the
SmartCenter machine's IP address has changed, re-establish SIC between the
SmartCenter and SmartView Reporter server machines.
10) When importing a configuration into a machine that has SmartView Reporter installed,
select the type of SmartView Reporter installation (either standalone or add-on) that
was exported.
During the import process, in the Setup type dialog, select either Local SmartView
Reporter installation or SmartView Reporter SmartCenter Add-on - to match the exported
configuration. If the wrong SmartView Reporter setup type is selected, the imported
configuration will not work properly.
ClusterXL
1) When upgrading third party clusters the status reported by the SmartView Status and
the status reported by the utility cphaprob may report incorrect information. Ignore this
information until the upgrade process of all cluster members is complete.
2) The 15 days evaluation license that comes with every new installation is limited to one
ClusterXL Load Sharing cluster. The evaluation license does permit any number of
High Availability and third party clusters.
3) When upgrading a Version 4.1 Check Point High Availability cluster, if you do not
wish to change the mode of the cluster, choose Legacy High Availability mode in a new
ClusterXL object (and not the default value which is New High Availability). Moving
to a New High Availability configuration (recommended), requires a topological
change. Read more about it in the "ClusterXL" guide under Migrating from Legacy
High Availability.
4) When upgrading from Version 4.1 to NG with Application Intelligence (R55), cluster
members that were not attached to a cluster (in Version 4.1 they were just marked as a
member) are not seen in SmartDashboard. After upgrading, these objects still exists in
the system so configuring objects with the same name is not possible. A workaround is
to run the dbedit command to edit the $FWDIR/conf/objects.C file on the SmartCenter
Server, followed by an install policy, in order to delete the hidden object.
5) When some members of a cluster have already completed their upgrade to NG with
Application Intelligence (R55), but other are still in NG with Application Intelligence
(R54), if you try to install a policy on the NG with Application Intelligence (R55)
module, SmartDashboard reports that the policy was installed successfully. However, the
ClusterXL policy negotiation fails, leaving the cluster in an inconsistent state. The
reason for the negotiation failure is that modules with different versions cannot
communicate with each other.
It is not recommended to install a new policy on a cluster in the middle of the upgrade
process. Exceptions to this can be found in the “Upgrade Guide”. If this step is
required, run the following command on all modules first:
fw ctl set int fwha_conf_immediate 1 This work-around is not required when
upgrading from any version prior to NG with Application Intelligence (R55).
FloodGate-1
1) When upgrading FireWall-1 to NG with Application Intelligence, if you add
FloodGate-1 as a newly installed product (one that did not exist in the prior version),
run cpconfig after completing the upgrade/installation process.
2) On Windows, when downgrading from FloodGate-1 NG with Application Intelligence
to FloodGate-1 4.1, the FloodGate-1 service changes to manual. To solve this issue,
change the service state back to automatic.
UserAuthority
1) After installing the UA Server on Windows Domain Controller, configure a logon script
in order to distribute SecureAgent. When a user is defined in the Domain Controller
with a default group membership of Domain Users, your logon script might have no
effect. The workaround is to add Domain Administrator’s membership.
2) Before starting an upgrade of UserAuthority Server on a Windows platform a Locked
DLLs message may appear, and the installation may fail. Run the uagstop command,
verify that netsod processes are not running, and then restart the upgrade.
3) When using Legacy mode on SecurePlatform, the log_server entry in netso.ini should
have a reversed IP address. For example, instead of 172.16.0.1 it should be 1.0.16.172.
4) When upgrading a complex UA environment, UA Servers that are used to resolve user
identity should be reconfigured under the Network Object > UserAuthority tab in order
to create more efficient configuration.
5) When using Legacy mode a few fields in UserAuthority Server tab in Network Objects in
SmartDashboard have no effect. They are used only by UserAuthority Server running in
New mode. The fields are:
• Automatic Configuration
• Servers that share WebAccess authentication
• Citrix/Microsoft Terminal Services
Security Notes
1) When configuring an SMTP Security Server to strip specific file name attachments
and/or specific MIME types, it is possible that some email clients will display the files
that were supposed to be stripped. For configuration details refer to SecureKnowledge
solution sk14634.
2) The HTTP Security Server handles a proxied or a tunneled connection request
differently than earlier FireWall-1 versions. Beginning with FireWall-1 NG FP2, such
requests are not allowed if they are matched with an Accept rule. However, they are still
allowed if the request is matched with an Authentication or a Resource rule. This
change was done in order to harden security and prevent the CONNECT from looping
to the Security Server and then to another destination. In NG FP2 FTP over HTTP
proxy connections are allowed when using User Authentication even if they are not
allowed explicitly by a rule in the security policy. In Next Generation with Application
Intelligence (R55), in order to further harden security, these connections are not
allowed by default unless there's an explicit rule (using a URI Resource) that allows
them.
FireWall-1
FireWall-1 Clarifications and Limitations
FireWall-1 Clarifications
1) NG introduces a new type of object called Group with Exclusion. Before using an object
of this type as a member of another group, or in a rule base cell that includes multiple
objects, consult the SecureKnowledge solution: sk14832.
2) In Next Generation with Application Intelligence (R55) the S/key authentication
method is no longer supported.
SmartDirectory
3) Microsoft Active Directory disabled accounts no longer pass VPN-1 & FireWall-1
Password Authentication. The SmartDirectory (LDAP) server does not enforce this user
limitation directly. This is now enforced by FireWall-1 by evaluating the
userAccountControl user attribute as referenced by FireWall-1’s Microsoft_AD profile's
AccountDisabled attribute. Other External Authentication methods, such as SecureID, do
not enforce this user limitation and this should be enforced on authentication server
being used.
Platform Specific - Nokia
4) The TCP Sequence Verifier feature is not supported when Flows is enabled. If Flows
and the SmartDefense TCP Sequence Verifier feature are both enabled, the following
message appears when you install a policy from SmartDashboard: Flows: TCP Sequence
Verifier acceleration is not supported on the gateway. To configure the TCP Sequence
Verifier select the SmartDefense Tab > Network Security, > TCP and deselect the
Sequence Verifier check box.
5) Status of IP51 modules is not displayed in SmartView Status.

6) VRRP traffic between cluster member is being dropped because the source IP used for
this traffic is the VRRP multicast address and not the members' own IP addresses. The
workaround is to add a rule for manually accepting VRRP traffic.
7) The rule number of accounting logs for Security Server connections from Version 4.1
modules appear with -2 as the rule number in the log record instead of the actual rule
numbers that were matched.
8) When working with Flows, TFTP control connections are being closed even though a
data connection exists. This can happen with very long file transfers (longer than the
TFTP timeout). As a result the data connection closes as well.
9) When Flows are enabled full sanity checks are performed for Flowed (accelerated)
connections for the IP layer. No sanity checks are performed on the UDP or TCP layer
of flowed packets. The workaround is to disable Flows.
10) When installing a policy on a gateway with Flows enabled, the following warning
message is displayed, the message refers to SecureXL instead to Flows. The message
itself is informational and it does not indicate a problem: SecureXL: TCP Sequence
Verifier acceleration is not supported on the gateway. To allow Sequence Verification, turn
off acceleration on the gateway by running cpconfig.
Platform Specific - Windows

11) Windows 2000 specific issue: A SmartConsole connection to the SmartCenter Server
on Windows 2000 may fail with the message: No license for user interface if the
SmartCenter Server was disconnected from the network and then reconnected while
the VPN-1 Pro services on the machine were running. If this occurs, restart VPN-1 Pro
services (run cpstop and then cpstart).
12) Windows 2000 specific: 3Com DynamicAccess (802.1Q) virtual interfaces are not
supported.
13) Adaptec Duralink64 port aggregation/failover is not supported.
14) FireWall-1 limits its memory allocations to a certain percentage of the available
non-paged memory. This limit affects the number of concurrent connections that the
FireWall-1 Module can handle. The limit is intended to leave the rest of the system
enough memory resources for smooth operation. The default limit can be changed to
suit the system configuration. In Windows the limit can be set by setting the
MaxNonPagedPoolUsage value (DWORD) in the registry (under
<HKEY_LOCAL_MACHINES/SYSTEM/CurrentControlSet/Services/FW1/Parameters). Valid values
are 0-100 which represent the maximum percentage of memory which FireWall-1 can
use. In other operating systems, this can be set by changing the fw_salloc_maxmem_usage
global parameter.
15) The following message may be displayed when installing a policy: The NDISWANIP
interface is not protected by the anti-spoofing feature This message can be safely
ignored.
16) If an Intel NMS service is running during the FireWall-1 installation it may crash. This
is an issue in the Intel NMS service which crashes when ever an NDIS IM driver is
installed. However this is not an issue with NMS version 2.0.56.0 or later. NMS
2.0.56.0 was part of PC6.0. So any release including PC6.0 or after that does not have
this issue.
17) When installing a FireWall-1 gateway on a Windows 2003 server, manually enable IP
forwarding (from Administrative Tools > Routing and Remote Access).
18) Before installing VPN-1 Pro make sure the Network Load Balancing (NLB) service is
disabled. The Windows network load balancing is currently not supported under
Windows Server 2003.
Platform Specific - Solaris
19) The ZNB interface is not supported.
20) On the Solaris 8 platform 64bit, The maximum number of file descriptors must be set
to less than 8192. Setting a higher number can lead to unpredictable FireWall-1
behavior.
21) When using automatic ARP publishing with ATM interfaces on Solaris, errors like
"SIOCDARP: Protocol error" may appear on the console. These errors can be safely
ignored.
22) Machines using the Gigaswift network interface may crash. These crashes are caused by
the Gigaswift drivers provided by SUN and can also happen if
FireWall-1 is not installed. This problem happens only with the newest Gigaswift
interfaces, called Cassini+. The card's part number is 501-5524 rev 05.
23) In some configurations, when booting up you may see the message ap: ioctl failed: Out
of stream resources, followed by many other irrelevant messages. After this, perhaps no
harm will be done or the boot process may hang, or interfaces may not be properly
started.
The workaround is to edit the /etc/system file and add the line: set nautopush=64 to
the end of the file and reboot. If set nautopush= already exists with a smaller value,
replace it).
This is most likely to happen when the machine has more network device drivers
installed than those installed by default. This can happen if you are using non Sun
network interfaces or just have their drivers on the machine. For further information,
you can refer to SecureKnowledge solution sk22638.
Platform Specific - SecurePlatform
24) The fw tab -t sam_blocked_ips command does not display information on blocked
connections.
Platform Specific - Linux
25) Running fwstart on a machine that does not have the /boot/System.map file will fail. To
resolve the problem, create the /boot/System.map file manually.
26) If the host name is modified while VPN-1 Pro is running, performing cpstop may cause
a system crash. To avoid the problem, stop VPN-1 Pro prior to changing the host name.
27) ATM and ISDN interfaces are not supported.
28) New interfaces that are added after the FireWall-1 Module is started (ppp interface for
example) are not displayed by the fw stat -l command. Use the fw ctl iflist
command instead.
29) Anti-spoofing messages (such as The eth3 interface is not protected by the anti-spoofing
feature) are generated when installing a policy on a Module with VLAN interfaces,
even if anti-spoofing is set. In the Module topology, the source of these messages are the
physical interfaces that contain the VLAN logical interfaces.
30) When using the backward compatibility package on Linux, at the end of the install
script there is a message to copy certain libraries that are included within the CD.
Failing to copy those libraries will result in the following error when installing policy
on 4.1 modules: fwcpp: error while loading shared libraries: libstdc++-libc6.1-1.so.2:
cannot open shared object file: No such file or directory.
31) When NIS is enabled for resolving network services, Check Point processes may
experience memory leakage due to a memory leak in libC 2.2.4. work around: disable
NIS resolving (remove nis and nisplus from services: in /etc/nsswitch.conf).
Load Sharing
32) SecurID authentication: Each cluster member should be defined separately on the
ACE/Server with its unique (internal) IP. Then edit the following line to table.def
which will send the SecurID packets with their unique IP (and not the shared IP):
no_hide_services_ports = { .., <5500, 17> };.
NAT
33) Automatic ARP is not supported with IP Pool NAT.
34) When using the SmartCenter behind NAT feature, the Enforcement Module
automatically chooses the SmartCenter's address and simultaneously applies NAT
considerations while making this choice. There may be specific scenarios where the
Enforcement module decides to contact the SmartCenter server with an address that
does not suite the module's deployment. These situations include:
• Modules from versions prior to NG with Application Intelligence that are using
SmartCenter behind hide NAT or when
• The NG with Application Intelligence’s automatic decision does not conform with
the routing of the module's deployment.
Check Point's Technical Support has a hotfix that corrects these issues. After the hotfix
is applied, the following procedure should be performed:
a. Manually define the masters and loggers by specifying Use local definitions for Log
Servers and Use local definitions for Masters and
b. by specifying the correct IP addresses on the Enforcement Module. Note the this
solution has two sub-cases:
i. The module addresses the NATed IP address when you need for it to address
the real IP address.
ii. The module addresses the real IP address and you need it to address the NATed
IP address. If this is the case, in addition, specify the SIC name of the
SmartCenter Server in the masters file.
35) Microsoft Exchange Outlook Client UDP new mail notification does not work with
Hide NAT on the client. For the new mail notification both the Client and the Server
need to be in both the source and the destination cells:
Source Destination Service Action

Client Server MSExchange Accept
Server Client
In the FWDIR/libexchange.def file, enable this notification by setting

#define ALLOW_EXCHANGE_NOTIFY (as stated in the file comments).
36) Peer-to-peer H.323 connections are not supported with NAT Hide.
37) OSE objects cannot be used in NAT rules. The workaround is to define regular node
objects with the same addresses and to use them instead.
Authentication
38) When performing manual client authentication (using port 900) to a cluster where the
members' IP addresses are not routable, the URLs returned in the HTML from the
replying cluster member contain the member's own non-routable IP address instead of
the cluster IP address. This fails subsequent operations. The workaround is to configure
the cluster to use a domain name instead of an IP address in the client authentication
HTML pages, using the ahttpclientd_redirected_url global property. Make sure that
your DNS servers resolves this domain name to the cluster's IP.
39) ftp with User Authentication is not supported when used with Web browsers or NAT.
40) When configuring a non-standard port for Client authentication (i.e. ports other than
900 and 259) an explicit rule in the security policy is needed to allow traffic to the
FireWall-1 module on the requested port.
41) When changing the sdconf.rec file on a FireWall-1 (needed for SecurID authentication)
the new ACE setting is not applied. The new ACE setting is applied after restarting the
FireWall-1 services by running cpstop and cpstart.
42) Client Authentication will fail if FireWall-1 machine name is configured with a wrong
IP address in the hosts file.
43) SmartDirectory search requests no longer include an empty attribute in the query
attribute list. Now none of the attributes in the attribute list are empty. Empty attributes
caused certain SmartDirectory servers to fail attempts at decoding the SmartDirectory
search request.
44) When using SmartDirectory server for internal password authentication, if the account
lockout feature is disabled the Firewall will not attempt to modify the user's login failed
count and last login failed attributes on the SmartDirectory server. This will improve
overall performance and will eliminate unnecessary SmartDirectory modify errors when
using SmartDirectory servers that do not have these attributes defined because they did
not apply the Check Point SmartDirectory schema extension on the SmartDirectory
server.
45) Definition of nested RADIUS Server groups is not supported.
46) When using automatic or partially automatic client authentication for HTTP on CPLS
clusters (both ClusterXL and OPSEC clusters), define a decision function based only on
IP addresses in order for connections to open.
From the ClusterXL Gateway Property >Load Sharing >Advanced >select IPs (the third
radio button).
Defining a decision function on OPSEC clusters products is done via the individual
product. Refer to the individual product’s documentation for more information.
Security Servers
47) The HTTP Security Server handles a proxy or a tunneled connection request differently
than earlier FireWall-1 versions. Beginning with FireWall-1 NG FP2, such requests are
not allowed if they are matched with an Accept rule. However, they are still allowed if
the request is matched with an Authentication or a Resource rule. This change was done
in order to harden security and prevent the CONNECT from looping to the Security Server
and then to another destination.
In NG FP2 FTP over HTTP proxy connections are allowed when using User
Authentication even if they are not allowed explicitly by a rule in the security policy. In
Next Generation with Application Intelligence (R55), in order to further harden
security, these connections are not allowed by default unless there's an explicit rule
(using a URI Resource) that allows them.
48) When attempting to perform RADIUS authentication, and the RADIUS server is
down.The HTTP Security Server process may fail and restart.
49) Some email clients process and display invalid attachments that use badly placed slash '/'
characters (for example 'app/lication/x-msdownload' will be processed as the correct
'application/x-msdownload' type). When the SMTP Security Server is configured to
strip by MIME types, invalid types (like above) are not stripped, but it may appear like
the correct type is being stripped.
50) When using SMTP resources to filter files by their filename, an incorrect log message is
generated stating: Forbidden MIME attachment stripped.
51) UFP counters available via cpstat fw -f ufp give incorrect values.
52) If web browsers are configured to use an IP address for their proxy (instead of a
hostname), the next proxy definition of the HTTP Security Server must also use the
same IP address. If the next proxy definition is a hostname, connections using an IP
address will not be allowed to the proxy. It is recommend to use only hostnames in the
browser configuration.
53) Outlook Web Access is not supported with User Authentication.
54) When a field in a URI specification file is too long, the security server exits when
trying to load the file. Under load, the FireWall-1 daemon (FWD) reloads the security
server, which then exits. After a certain time cores are dumped.
55) Client authentication with agent automatic sign on is supported with all rules with two
exceptions:
• The rule must not use HTTP resource.
• Rules that have hosts that were defined as web servers as destination.
56) When using SOAP filtering in the HTTP Security Server, The SOAP scheme file
supports all forms of namespace and method names, however, the feature is not
supported if the method has no namespace at all.
57) When FireWall-1 Security Servers are used to protect servers running on the same
machine, the client-side connection and the server-side connection must use the same
destination port.
58) Security Servers are not supported with Sequence Verifier in cluster environments.
Anti Spoofing
59) On ClusterXL clusters, spoofed packets with the source IP of the cluster members
themselves, or of the cluster IPs may be dropped by the ClusterXL module and no log
will be sent telling you about it.
60) When a VPN-1 Pro Module first comes up, before the Security Policy defined by the
administrator becomes active, the Default Filter is installed on the Module. Installation
of the Default Filter causes anti-spoofing warnings to appear on the console (or Event
Viewer on Windows NT). These messages can be ignored.
Services
61) No warning is generated when a policy containing services with the Keep connections
open after Policy has been installed checked is installed on pre-Next Generation with
Application Intelligence (R55) modules. Such services will be enforced according to the
default behavior on these modules.
62) In NG FP3 if the DCERPC service is configured with the protocol type set to
MSexchange, the inspect code that enforced the MSExchange inspection replaces the
regular DCERPC inspection, and therefore reduces the enforcement level of the
DCERPC service. The reduced inspection means that Blaster is not blocked.
The MSExchange protocol type is needed only to allow UDP email notifications, it is
still possible to use Exchange traffic without it.
It is therefore recommended not to use the MSexchange service in NG FP3. The
problem does not exist in NG with Application Intelligence (R54) and above. For
further information read SecureKnowledge solution sk23070.
63) DCE-RPC services cannot be used in a rule that contains any other services or
enforced in a rule with any service. The workaround is to create dedicated rules for
DCE-RPC services.
64) When a SOAP request is approved, it is logged only if both Track SOAP connections is
set to Log, and the matched rule Track field is also set to Log.
65) When a SOAP request is rejected because it does not match the SOAP scheme defined
in the resource, a reject log is generated only if the Exception track in the General
Properties of the URI resource object is set to Log. If Log is specified the matched rule
Track field and additional Accept log will be generated, although the connection is
actually rejected.
66) When CIFS resources are used in rules with policy targets in their Install On fields,
policy installation on pre-Next Generation with Application Intelligence (R55)
modules may succeed without warning, although CIFS resource filtering is not
supported on these modules.
67) When using MSExchange DCE-RPC services and logging there are no new logs for
each Send/Receive operation performed by the client. The reason is that MSExchange
clients open TCP data connections only when the session starts, these connections are
kept established throughout the session's lifetime (this is different than other email
systems). Each Send/Receive operation is done on the same connection and therefore it
is not logged. Outlook clients are configured to automatically check for new mail every
10 minutes by default, so the data connections are kept alive in the FireWall-1
connection table even if the client is idle for a long time.
68) A service using the FTP_BASIC protocol type cannot be used with the FTP Security
Server.
69) Despite the fact that the correct security policy is enforced, due to a log display issue,
logs for HTTPS connections may appear as SSL_V3 connections even if you used SSL
version 2.
70) When using T.120 connections, make sure you manually add a rule that allows T.120
connections.
Web Security
71) Web servers security is normally enabled for all node objects, however, for cluster
members acting as web servers this feature is disabled. The feature will be enabled in
future versions.
Backward Compatibility
72) Installing a combined FireWall-1 and FloodGate-1 policy on a version 4.1
VPN-1/FireWall-1 Module may fail. To resolve this, install the FireWall-1 and
FloodGate-1 policies separately.
73) When managing version 4.1 Modules, changes to the connection table size are not
updated on the 4.1 Modules. To update the size of the connection table, follow the
instructions in SecureKnowledge solution 3.0.698764.2304823. Note that the relevant
table.def file is not the one in $FWDIR/lib. It is located in the directory
/opt/CPfwbc-41/lib for Unix platforms
%FWDIR%\FW1_4.1_BC\lib for Windows platforms.
74) Warning messages are displayed when installing a policy if Backward Compatibility is
installed and the policy contains DAIP modules. These messages can be safely ignored.
75) When several services use the same port, it is possible to mark which one of the services
should by matched for Any. If several services use the same port and all match, no
warning message is generated when the policy is installed on a version 4.1 Module. For
NG Modules, a warning message is generated.
76) In pre-NG with Application Intelligence modules, the parameter
http_max_request_url_length as set by the SmartDefense Dashboard, drops all
connections when is set to 0, unlike the NG with Application Intelligence behavior
which is to turn the feature off.
IPv6
77) In IPv6 logs, IPv6 address resolving is not supported in SmartView Tracker.
78) Discovery traffic is enabled by default on IPv6 enabled modules. To disable it, edit the
file $FWDIR/lib/implied_rules.def and comment out the line
'#define ACCEPT_DISCOVERY 1'.
79) Anti-spoofing is currently not supported with IPv6.

80) Boot policy is not supported on IPv6 enabled modules.
81) When connecting to the IPv6 IPv4 'compatible' address of FireWall-1 (::w.x.y.z., for
example), the following appear on the console: Jan 14 09:37:32 shif [LOG_CRIT] kernel:
fw_filterin: 0 unknown interface. This message can be safely ignored in such
configurations. In order to disable it completely, run this command:
modzap _fw_verbose_unknown_if $FWDIR/boot/modules/fwmod.o 0x0 and reboot.
82) Content of IPv6 in IPv4 tunnels (IPv4 protocol 41) passing through FireWall-1 is not
inspected.
83) CPMAD functionality is not supported with the IPv6 protocol.
84) IPv6: SmartDefense's ping size property is not enforced on ICMPv6 echo request
packets.
85) Due to the fact there is no ipv6 support for security servers, enabling Configuration
apply to all connections under SmartDefense Applet's FTP Security Server settings causes
FTP connections over IPv6 to be rejected, without any log. The same applies to HTTP
and SMTP connections.
86) The command fw6 unload localhost unloads both IPv6 and IPv4 policies, although it
should unload only the IPv6 policy.
87) IPv6 packets with extension headers which are not explicitly allowed via editing of the
table.def INSPECT script are dropped without being logged.
88) The RSH protocol is not supported for IPv6.

SmartConsole & SmartConsole Applications
89) FireWall-1 implied rules for SmartConsole Clients are not matched when using
wildcard (e.g. 1.1.*.*) or domain name formats in the cpconfig SmartConsole clients
definitions (e.g. support.acme.com). As a result connections from SmartConsole Clients
to the SmartCenter Server may be blocked if there is a FireWall-1 module between
them. Single IP definitions (e.g. 1.1.1.1) are supported. When specifying SmartConsole
Clients using any formats other than the IP address, add an explicit rule in the Rule Base
allowing the SmartConsole Clients to connect to the SmartCenter Server.
90) When upgrading from NG FP1 or lower, certain policies may be hidden in
SmartDashboard. Starting from NG FP2, only policies that belong to the current Policy
Package are displayed. To access other policies select File > Open and choose the
relevant Policy Package.
91) When using Smart Directory (LDAP) to manage users on Microsoft’s Active Directory,
if a branch other than cn=users has a group that exceeds 1000 members the group's
members do not show and the group appears to be empty.
ISP Redundancy
92) ISP Redundancy is not supported with FloodGate-1.
93) ISP Redundancy is not supported on IPSO 3.7. and 3.7.1
94) ISP redundancy is not supported in conjunction with the SynDefender feature.
95) If the ISP redundancy feature is enabled over either the PPPoE or the PPTP interfaces,
the MTU of any other external Ethernet interface should be lowered to match the
MTU of the PPPoE/PPTP interface. For example if eth1 is an external Ethernet
interface, eth0 is an Ethernet interface over which a PPPoE interface called pppoe0 is
defined, the MTU of eth1 should match the MTU of pppoe0.
On SecurePlatform this can be achieved by logging on to the box and running:
a. ifconfig ethX mtu newMTU
b. ifconfig --save
Where ethX is the name of the external Ethernet interface and new MTU is the MTU
of the PPPoE/PPTP interface. This change will be persistent across boots.
Notes:
a. The MTU of the PPPoE/PPTP interface can be obtained on SecurePlatform by
running the command: ifconfig pppXXX
Where pppXXX is the name of the PPPoE/PPTP interface.
b. In the above mentioned example, the MTU of eth0 should not be changed.
Logging
96) When working with a Log Server of an earlier version than the version of SmartCenter
Server, the logs fields of log records from new modules that were added after the
upgrade of SmartCenter Server might not be resolvable.
97) FTP data connections may appear in the Active connections view in SmartView Tracker
even after these connections have been terminated.
Policy Installation
98) There is a problem with install policy after the module policy has been explicitly
uninstalled as in the following scenario:
1. There is a FireWall Module installed on the SmartCenter Server.
2. There is no policy loaded on the SmartCenter Server, either after a clean installation
or when the policy was previously unloaded using the SmartConsole or a command line
(fwm unload or fw unloadlocal commands).
3. The policy is being installed on both the remote Module and the SmartCenter Server
at the same time.
As a workaround, install the policy separately on the SmartCenter Server and on the
remote Module.
99) When installing a policy on a module Anti spoofing warning messages for other
modules that are not being installed can appear in the policy installation log, if Anti
spoofing is not configured on these modules.
100)Policy installation may fail when there are 70 or more dynamic objects.
OSE
101)For Cisco and 3Com routers make sure that the host names are resolvable by DNS or
by the hosts file.
SAM
102)A Suspicious Activity Monitor (SAM) rule will fail for a remote gateway if the
SmartCenter Server is also a FireWall-1 module and no policy has been installed on it
since adding the remote gateway.
Dynamically Assigned IP Address (DAIP) Modules
103)When deleting and redefining the DAIP object in the SmartDashboard, restart the
DAIP Module (perform cpstop, cpstart).
104)The fw tab <remote DAIP Module> command on a SmartCenter Server is not supported.
Miscellaneous
105)A Network object with 0.0.0.0 both in the address and the mask is not supported.
106)Token ring adapters are not supported.
107)The Accept VPN-1 & FireWall-1 control connections Implied Rules setting is applicable to
a SmartCenter server object in specific cases only:
• to the primary IP defined for this object and
• only if there are interfaces defined in its Topology tab.
This may create connectivity problems when trying to install policies (or other
operations included in the control connections). The workaround is to define explicit
rules that allow connectivity to the SmartCenter object.
108)When executing the following command:
fw tab -u -f -t connections The error messages can be safely ignored like FW-1:
fwkbuf_length: invalid id number XXXX and Table kbufs - Invalid handle 6a6b8803 (bad
entry). In order to avoid the messages altogether, use the command:
fw tab -u -t connections instead.
SmartCenter
SmartCenter Clarifications and Limitations
Installation
1) SmartConsole NG with Application Intelligence fails to install on machines with a 3.0
GUI installed on the same machine.
Policy Installation
2) After aborting an installation, before attempting to install a policy, make sure that there
are no processes running the fwm load command on SmartCenter Server or your
installation may hang.
3) Policy installation may fail when there are 70 or more dynamic objects.
Configuration
4) When the FireWall-1 services on one or more cluster members are stopped using the
command fwstop, policy installation on the cluster will cause the installed policy to be
inconsistent between the active and stopped members. To make sure that the installed
policy is always consistent across all members use the cpstop command instead of the
fwstop command.
5) SmartView Reporter supports SmartCenter High Availability with some limitations:

• SmartView Reporter Server should be installed on a machine separate from the High
Availability SmartCenter machines.
• SIC is established between SmartView Reporter Server and the active SmartCenter
machine.
• All modules send their logs to a Log Server. The Log Server can be either one of the
SmartCenter machines, or a separate machine.
After performing change over:
• Log consolidator will continue working and processing log files from the Log Server
machine.
• You need to reestablish the SIC between the SmartView Reporter Server machine
and the new active SmartCenter.
• After re-establishing SIC, SmartView Reporter Server will resume its work, and
SmartView Reporter client can connect to the new active SmartCenter.
SmartCenter Server
6) Embedded Devices devices of version 4.1 are unable to fetch a policy from a
SmartCenter Server.
SmartConsole Applications
7) In order to be able to track Session ID information, an application should be opened
independently, meaning not from another Check Point application.
8) When deleting objects from SmartDashboard, in some cases the Where Used... option
will not report that objects are being used in the database, and it is possible to delete
these objects without any warning. The following are cases in reference:
a. RADIUS and TACACS servers referenced by Templates in the Authentication tab.
b. Users and User Groups contained by other User Groups.
c. For SmartDirectory Account Units referenced by External Groups the Where Used...
option is applicable but the Delete operation cannot be performed. As a
workaround, restart (cpstop, cpstart) the SmartCenter Server. Note that all cases
apply only if the objects were created after the SmartCenter Server was started.
9) The View rule in SmartDashboard feature in SmartView Tracker does not bring into
focus the SmartDashboard application if it is already opened to the right rule database.
10) When logs can not be generated from some reason, such as there is no disk space or the
logging process is down, then changes can not be saved from SmartDashboard. If this
occurs, the following error message appears: "The changes could not be saves. Please
make sure all Firewall-1 services are up and running. For more information use the
SmartView Status application".
11) When running a query on a Security Policy in SmartDashboard, only user-defined rules
are displayed in the query result. Implied rules matching the query will not be
displayed, even if the option View Implied Rules is selected.
12) When switching the active file from SmartView Tracker, the new active file name will
be given automatically by the system, and will not get the user defined file name.
13) When choosing to view Installed Policies from SmartDashboard on Motif, you may get
stuck if one of the VPN-1 Pro modules does not respond.
14) The capability for exporting logs from SmartView Tracker running on Motif is disabled
in this version.
15) If you cannot see OPSEC application status in SmartView Status, try changing the
OPSEC application object color/comments.
16) When upgrading from NG FP1 or lower, certain policies may be hidden in
SmartDashboard. Starting from NG FP2, only policies that belong to the current Policy
Package are displayed. To access other policies select File > Open and choose the
relevant Policy Package.
17) When using Smart Directory (LDAP) to manage users on Microsoft’s Active Directory,
if a branch other than cn=users has a group that exceeds 1000 members the group's
members do not show and the group appears to be empty. However SmartCenter will
not crash.
18) FireWall-1 implied rules for SmartConsole Clients are not matched when using
wildcard (e.g. 1.1.*.*) or domain name formats in the cpconfig SmartConsole clients
definitions (e.g. support.acme.com). As a result connections from SmartConsole Clients
to the SmartCenter Server may be blocked if there is a FireWall-1 module between
them. Single IP definitions (e.g. 1.1.1.1) are supported. When specifying SmartConsole
Clients using any formats other than the IP address, add an explicit rule in the Rule Base
allowing the SmartConsole Clients to connect to the SmartCenter Server.
19) When manually defining branches on an Account Unit, spaces between elements in the
branch definition will not work. Example:
A good branch: ou=Finance,o=ABC,c=us
A bad branch: ou=Finance , o=ABC , c=us
20) When a SmartDirectory user is based on an internal firewall template, internal groups
that the template belongs to will be added to the SmartDirectory user, but these groups
will not appear in the list of template groups in the user's Groups page.
Logging
21) Administrator with Read Only permission for Monitoring can still create, modify,
rename and delete queries in SmartView Tracker.
22) If you define or delete an object after logging in to SmartView Tracker, it will not be
shown in the Remote Files Management option of SmartView Tracker. Close and
reopen the SmartView Tracker to get an update.
23) When a Log Server is installed on a DAIP module, management operations such as
"purge" and "log switch" can not be performed.
24) Audit logs operation strings have changed (starting from NG with Application
Intelligence). Several new columns have been added and other existing column names
have been changed. These changes might cause existing filters to stop working.
25) When working with a Log Server of an earlier version than the version of SmartCenter
Server, the logs fields of log records from new modules that were added after the
upgrade of SmartCenter Server might not be resolvable.
26) Configuration including a VPN-1 Edge/Embedded object and Log Server. On the Log
Server, the VPN-1 Embedded Connector tries to login to fwm and fails. Subsequent to each
try, two audit log records are issued: one for login and one for logout. Do as follows on
your Log Server:
a Run cpstop.
On Windows platforms:
b Use REGEDIT to delete the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\SSC
c On Unix platforms:
d Run ckp_regedit -d //SOFTWARE//CheckPoint//SSC
e Run cpstart.
Monitoring
27) As of NG FP2, the cpstat_monitor command line utility can no longer be used to
define system alert parameters. System alert parameters are now configured in the
Check Point SmartView Status (see the Check Point SmartCenter Guide). The Check
Point SmartCenter Server has a system alert monitoring mechanism that takes the
system alert parameters you defined in SmartView Status and checks if that system alert
parameter has been reached. If so, it activates the action defined to be taken.
28) Issuing a Stop Member command in SmartView Status performs the cphastop command
on this member. This command also disables the State Synchronization mechanism. Any
connections opened while the member is stopped will not survive a failover event, even
if the member is restarted using cphastart. However, connections opened after the
member is restarted are normally synchronized.
29) When defining system alerts in SmartView Status, if you choose one of the User
Defined options as the Alert Method, make sure that this method is defined in
SmartDashboard's Global Properties. If the alert method is not defined, a regular alert is
generated.
30) When you create a new module in SmartDashboard, the module will appear with the
status waiting in SmartView Status until SmartView Status is restarted. For further
information refer to SecureKnowledge solution sk16122.
31) Alerts that are defined in the Check Point SmartView Status System Alert tab are not
sent to the SmartView Status System Status tab as popup alerts, until a first policy is
installed. In the SmartDashboard Global Properties, Log and Alert > Alert Commands
page, be sure to check the property Send popup alert to SmartView Status.
32) SmartView Status should be opened connecting to a SmartCenter Server and not to a
Log Server. When using SmartView Status on a Log Server, statuses may be inaccurate.
33) OS information will not be available both in SmartView Status and in SmartView
Monitor if the monitored machine is a Windows machine that does not run the
Windows Management Instrumentation service.
Management High Availability
34) If your primary SmartCenter Server is a Stand Alone configuration, and one of your
secondaries SmartCenter Servers is active, then right after upgrade, policy installation
from the secondary to the primary will be prohibited. In order to resolve this, locally
install policy on the primary server.
35) When creating a Management High Availability environment, all peers must be installed
with the same products. If one product is installed on one peer but not on the other,
product information may be lost and the product may not function properly.
36) Management High Availability does not automatically synchronize fw putkey shared
secrets for 4.1 VPN-1/FireWall-1 Modules. In other words, after you have established
control channels between the Primary SmartCenter Server and 4.1 VPN-1/FireWall-1
Modules using fw putkey, you must do the same on each of the Secondary High
Availability SmartCenter Servers. For example, if the High Availability configuration
consists of one Primary and one Secondary SmartCenter Server and one Version 4.1
VPN-1/FireWall-1 Module, you must run fw putkey four times: once on the Primary
SmartCenter Server, once on the Secondary SmartCenter Server, and twice on the
Module (once for each SmartCenter Server).
37) A SmartCenter Server that is also a FireWall-1 module must have a policy installed on
it in order for other SmartCenter Servers to be able to communicate with it. This must
be done after initial setup, or after resetting SIC communication on the SmartCenter
Server.
38) Database versions, which were created using the Revision Control feature, should be
synchronized manually in a Management High Availability environment. In order to
synchronize it you should:
1. Perform cpstop on the standby SmartCenter Server
2. Copy all files under
$FWDIR/conf/db_versions/repository/* and $FWDIR/conf/db_versions/database/*
from the active management to the standby SmartCenter Server
3. Perform cpstart on the standby SmartCenter Server
39) When adding a new Secondary SmartCenter, the machine should be synchronized once
manually before it starts synchronizing automatically.
40) Before installing a Secondary SmartCenter, make sure its clock is synchronized with the
clock of the Primary SmartCenter, or the Plug-and-Play license will not be available for
the Secondary SmartCenter.
Trust Establishment (SIC)
41) When defining a new DAIP module in SmartDashboard, the recommended way to establish SIC
trust is to push the SIC certificate using the current dynamic IP of the module. It is also possible
to establish SIC trust from the module side by pulling the SIC certificate. In this case the
following procedure is required:
a. Define the object for this DAIP module in SmartDashboard, fill in the SIC
activation key and initialize SIC.
b. Pull the certificate from SmartCenter Server (using the cp_pull_cert command on
the module).
c. Install the policy on the module; at this point the installation will fail.
d. Restart SmartCenter Server services (run cprestart on SmartCenter Server).
e. Fetch policy from the DAIP module.
It is recommended to establish SIC with DAIP module from SmartDashboard, while
configuration the current IP of the DAIP machine in order to push the SIC certificate.
However, if SIC is established from the module side (pull instead of push), then the
following procedure should be taken:
a. Configure the DAIP module and establish SIC from the module
b. Define the object for this DAIP module in SmartDashboard
c. Install the policy on the module; at this point the installation will fail
d. Issue cpstop and cpstart on the SmartCenter Server
e. The DAIP module will fetch the proper policy
42) Status of IP51 modules is not displayed in SmartView Status.
43) In order to manage FloodGate-1 modules from a Nokia SmartCenter, you need to
perform the following steps:
a. The product FloodGate-1 needs to be enabled in Voyager on SmartCenter.
b. Telnet into the Nokia SmartCenter and perform cpstop and cpstart (or reboot). In
cpstop, you can safely ignore the message etmstop: Module not loaded. When you
run cpstart on SmartCenter, you can safely ignore the message FloodGate-1: This is
a Management Server. No QoS Policy will be Loaded.
Trying to install a QoS policy on a module before executing these steps on

SmartCenter, will fail with the error message: Failed to start uninstall/install operation.
Platform Specific - Windows
44) Windows 2000 specific issue: A SmartConsole connection to the SmartCenter Server
on Windows 2000 may fail with the message: No license for user interface if the
SmartCenter Server was disconnected from the network and then reconnected while
the VPN-1 Pro services on the machine were running. If this occurs, restart VPN-1 Pro
services (run cpstop and then cpstart).
45) On Windows platforms only, in some cases, when performing the Restore Version
operation (from SmartDashboard, File > Database Revision Control > Restore Version)
while SmartView Tracker is open, the restore fails and you are not able to save database
(File > Save). The solution is to make sure that SmartView Tracker is closed before
performing Restore Version operations. If you already encountered such a problem, run
cpstop and then cpstart.

46) Policy can not be installed on Embedded Devices.
Backward Compatibility
47) Warning messages are displayed when installing a policy if Backward Compatibility is
installed and the policy contains DAIP modules. These messages can be safely ignored.
48) When several services use the same port, it is possible to mark which one of the services
should by matched for Any. If several services use the same port and all match, no
warning message is generated when the policy is installed on a version 4.1 Module. For
NG Modules, a warning message is generated.
49) Installing a combined FireWall-1 and FloodGate-1 policy on a version 4.1
VPN-1/FireWall-1 Module may fail. To resolve this, install the FireWall-1 and
FloodGate-1 policies separately.
OSE
50) The Drop action is not supported for 3Com and Cisco OSE devices. If the Drop action
is used, the policy installation operation fails.
51) For Cisco and 3Com routers make sure that the host names are resolvable by DNS or
by the hosts file.
Dynamically Assigned IP Address (DAIP) Modules
52) The fw tab <remote DAIP Module> command on a SmartCenter Server is not
supported.
53) When deleting and redefining the DAIP object in the SmartDashboard, restart the DAIP
Module (perform cpstop, cpstart).
Miscellaneous
54) Central Licenses can not be added from a file using the Check Point Configuration
Tool (cpconfig). Use SmartUpdate to add central licenses.
55) Using the cp_merge utility to merge large number of objects (more than 10,000) from
two SmartCenter Servers may not work. This is because at some point two many audit
logs are generated. If you have a large number of objects, and you wish to perform the
merge even though from some point the audit logs will not be generated, then do as
follows:
a. Define the environment variable FWM_ALLOW_AUDIT_FAILURE from a shell
b. Use the cp_merge command from the same shell
56) After upgrade from NG FP2, the name of Internal Certificate Authority (CA) that was
previously entered is not displayed in Check Point Configuration Tool (cpconfig >
Certificate Authority tab), although it is still viable. If it is reconfigured, then it is
displayed.
VPN-1
VPN-1 Clarifications and Limitations
VPN Routing
1) When using VPN routing to route all communication from the VPN domain of a
Satellite Gateway via the Hub to other Satellites Gateways or to the Internet, it is not
possible to open connections from the external IP of the Satellite Gateway to the
Internet.
2) The IP pool NAT on a VPN-1 module which serves as a VPN router (enables
forwarding of VPN traffic from one VPN tunnel to another) should be defined as part
of the encryption domain of the VPN router. Otherwise, VPN connections via the
VPN router might fail.
3) VPN Routing only connects the VPN domain of a DAIP gateway that is hosted behind
the DAIP gateway to the VPN domain of another DAIP Gateway. Connections that are
originated on the DAIP gateway itself or directed at the DAIP gateway itself cannot be
routed through the Hub.
4) VPN routing rules configured via vpn_route.conf can only be installed on SmartLSM
profiles and not on SmartDashboard-managed VPN-1 Edge profiles.
VPN Communities
5) SmartDashboard enables adding VPN-1 modules with dynamic IP address as members
of a VPN community in which aggressive mode for IKE Phase 1 is selected. This
configuration is not supported.
6) Defining services in the clear in the community (available in gateway-to-gateway
communities) is not supported if one of the internally managed members is of version
earlier than NG FP3.
7) Disabling NAT in the community (available in gateway-to-gateway communities in the
advanced properties tab) is not supported if one of the internally managed members is
of version earlier than NG FP3.
8) A pre-shared secret defined for externally managed VPN modules in the community is
not supported if one of the internally managed members is of version earlier than NG
FP3.
9) If Exportable for SecuRemote/SecureClient is checked on a
VPN-1/ FireWall-1 Enforcement Module (from the VPN tab under Traditional Mode
configuration), the modules topology information will be exported to
SecuRemote/SecureClients even if the Enforcement Module is not a member of the
Remote Access community.
10) fExcluded Services are not supported with VPN Communities that contain SofaWare
entities.
VPN-1 Clusters
11) Peer or secure remote gateways may show error messages when working against an
overloaded gateway cluster in load-sharing mode. This is due to IPsec packets with an
old replay counter. These error messages can be safely ignored.
12) When defining Office Mode IP pools, make sure each cluster member has a distinct
pool.
13) When detaching a cluster member from a VPN cluster, manually remove the VPN
domain once the member has been detached.
14) If a VPN-1 High Availability cluster is handling a connection from a Remote Access
VPN-1 Client located on the same subnet as the cluster and failover to another cluster
member occurs, the connection with the VPN-1 Client may be terminated.
15) When based on topology information, the VPN domain calculation contains only the
cluster member topology and not the cluster object topology. This may cause errors in
the VPN domain of clusters since the cluster object and members may have different
subnets. In this case, define the VPN domain manually on the cluster object. This issue
does not exist on VSX appliances.
VPN Hardware/Software Acceleration
16) VPN-1 accelerator cards will not offload the encryption tasks if SecureXL is installed on
the same machine. In this scenario the card can still be utilized for public key
operations.
17) VPN Accelerator II is not supported with SecurePlatform.
18) SecureClient using Office mode, when connecting to a Load Sharing cluster with
SecureXL. Multiple interfaces feature for Office mode may not route outgoing packets
properly, and connections may be disconnected as a result. In order to prevent this from
happening you can activate IP compression for the client.
19) To enable IKE acceleration on a Nokia platform with a Nokia Encryption Accelerator
card installed, use the following IPSO CLI command: set pkcs11-checkpoint register.
Currently, you cannot use Voyager to enable IKE acceleration.
IKE, Interoperability
20) Clarification: The global property Support Authentication methods: Pre-shared Secret,
under Remote Access -> VPN - Basic tab, applies only for the use of pre-shared secret
with aggressive mode in IKE phase 1. However, the user's pre-shared secret, which
appears in the IKE Phase 2 Properties window of a user object, is used for following
additional purposes, which are not affected by the above property:
1. IKE Hybrid mode with pre-shared secret for user authentication.
2. For L2TP termination (used by Microsoft IPSec clients) with MD5 challenge.
3. SSL authenticated topology download (not over IKE) for SecuRemote/SecureClient.
NAT with VPN
21) The use of the option that disables NAT (in the community) is applicable to hide NAT
and not to static NAT.
22) Using Static NAT on the destination of a SIP connection inside a VPN-1 tunnel is not
supported.
VPN-1 diagnostics (logging, monitoring, planning)
23) When using the IP pools NAT mechanism for gateway-to-gateway connections, no log
is available for the IP assignment.
24) If you are working on SecureXL and VPN-1, reports on traffic may display inaccurate
values.
25) When a host inside the encryption domain tries to open a back encrypted connection
to SecuRemote/SecureClient, an Accept log instead of Encrypt shows up in SmartView
Tracker.
26) An accept log may be received when using an SMTP resource with VPN even if the
connection was encrypted.
27) When a user is configured on SmartCenter to work with encryption algorithm
AES128, an inaccurate reject log entry appears in SmartView Monitor that can be safely
ignored stating: Client Encryption: the user is not defined properly. However, the
connections establishment succeeds.
L2TP Clients
28) Since Windows 2000 clients can open a single L2TP based VPN tunnel concurrently, it
is not possible to maintain L2TP connection with two VPN-1 Modules concurrently.
This may create problems when the VPN module is a CPLS cluster configuration.
Workaround: In order to work with L2TP in load sharing configuration, configure the
CPLS cluster to place each connection in the same gateway.
29) When using L2TP for remote access VPN Drop logs may be received due to traffic sent
from the L2TP client, with the following Information fields:
• encryption failure: received a cleartext packet within an encrypted
connection received when cleartext packets arrive from the physical IP of the client
• encryption failure: Cannot identify peer for encrypted connection received
when the destination is either broadcast or not part of the encryption domain.
These logs can be safely ignored.
30) When Microsoft IPSec VPN client (using L2TP) connects to a VPN-1 gateway, the
connection will be counted twice, which will be reflected in the counter of concurrent
Remote access VPN tunnels in SmartView Status and in the SmartView Monitor.
31) Using Microsoft IPsec/L2TP clients behind hide NAT where VPN-1 Net cluster is the
destination gateway and DHCP is in use for Office Mode is not supported.
32) When using Microsoft IPsec/L2TP clients for Remote Access VPN, routing traffic to
destinations other then the encryption domain of the VPN-1 Gateway (for example to
the Internet or to another destination in the VPN) is not supported.
Nokia Clients Support (CryptoCluster & Symbian)
33) Nokia clients are not supported when the gateway side is a load-sharing cluster
configuration.
VPN-1 and SecuRemote/SecureClient Issues
34) The combination of using multiple external Interfaces (route through different
interfaces) for SecuRemote/SecureClient and clusterXL pivot mode is not supported.
35) When connecting with a VPN-1 client to a VPN-1 cluster, the message "tunnel test
failed" may appear on the client side; however, connectivity between the client and the
gateway is not impaired.
Dynamic IP Address (DAIP) Gateway
36) In IKE Phase 1 for a DAIP Edge Device the chosen proposal is always AES-256 and
SHA1 regardless of the VPN community configuration.
Miscellaneous
37) When using the command cprestart on the SmartCenter Server, it will not apply to
the VPN-1 Module. In order to restart the VPN-1 Module, run cpstop followed by
cpstart.
38) When configuring VPN persistent tunnels, configuration remains after using the
command cprestart. In order to overcome this issue use cpstop and then cpstart.
39) Dynamic IP resolution is not supported in Traditional Policy mode, if under a rule's
Encrypt properties allowed peer gateway is enabled.
VPN-1 Edge/Embedded
VPN-1 Edge/Embedded Clarifications and Limitations
Policy Installation
1) If you have VPN-1 Edge/Embedded profiles or SmartLSM Edge/Embedded profiles,
when you create a new policy file, be aware that SmartDashboard will not warn you
that the new policy is also defined on profiles that were previously installed with
another policy. Instead, define specific targets per policy file.
2) Groups with exclusion are not supported on
VPN-1 Embedded/Edge rules.
3) Using the RTSP service with VPN-1 Edge/Embedded is not currently supported.
4) For SMP customers or customers who upgraded from NG with Application
Intelligence (R54) and used the SSC, the Profile Hi-Med-Low_Profile is combined from
three policy targets that can be used in the Install On column. However, those targets
are not included in the generic Policy Targets object. To workaround this, specify the
High, Medium or Low targets themselves in the Install On column. Otherwise if installing
it on Policy Targets, they will not have any effect on the VPN-1 Edge/Embedded
appliance.
5) When defining VPN-1 Edge/Embedded appliances to perform VPN as Remote Access,
avoid placing the appliance's profiles on the rule's destination cell.
6) Slow policy installation that eventually fails may occur when no DNS is configured on
your SmartCenter Server. Either define DNS (in the following order: resolution of files,
DNS and then NIS), or contact Technical Support.
7) When using the group All VPN-1 Embedded devices defined as Remote Access on the
rulebase, the icon that is defined is wrong and can be safely ignored.
8) When using rules with resources, avoid installing them on VPN-1 Edge/Embedded
profiles. Resources are currently not supported with VPN-1 Edge/Embedded
appliances.
9) The Reboot option is currently not supported when upgrading firmware.
VPN-1 Communities
10) Do not use the SmartDashboard feature that allows adding VPN-1 Edge/Embedded
objects to the Remote Access community as Participating Gateways. The appearance of
this option will be removed in the future.
Logging
11) VPN-1 Edge/Embedded gateways support only regular log tracking. When using other
tracking at a rule that would be installed on such gateways (profiles) they are ignored.
12) Logs from VPN-1 Edge/Embedded do not show the rule number.
13) The VPN-1 Edge/Embedded implied rule for SWTP_SMS and SWTP_Gateway protocols
does not generate logs so you will not see logs for these connections.
Platforms
14) VPN-1 Edge/Embedded can be managed if the SmartCenter is running on either
Windows 2000, Solaris2, Linux or SecurePlatform. In addition, if exporting from one
of the supported platforms and then importing to one of the non-supported platforms,
the global property support_sofaware_profiles must be set to false using DBEdit tool.
15) VPN-1 Edge/Embedded products cannot be managed from a Windows 2003 server.
SmartUpdate
16) The uninstall function is not currently supported when updating firmware using
SmartUpdate.
SmartView Status
17) After installing a Security Policy on a VPN-1 Edge/Embedded Profile the status of the
corresponding VPN-1 Edge/Embedded gateways is displayed as unknown until the next
time the gateways connect to the SmartCenter Server for periodic updates.
It is possible to force the VPN-1 Edge/Embedded gateway to connect to the
SmartCenter Server for updates, from the web portal of the appliance.
SecuRemote/SecureClient
SecuRemote/SecureClient Clarifications and Limitations
Office Mode
1) When using Office Mode and configuring internal DNS in the encryption domain, in
the SmartDashboard Global Properties Remote Access page, select Encrypt DNS traffic.
2) An Office Mode IP address is not granted during MEP failover. In n MEP
configuration, if the gateway that assigned the Office Mode IP address to the
SecureClient fails over to another MEP gateway, SecureClient does not receive a newly
assigned IP address from the MEP peer gateway. To resolve this issue, disconnect
SecureClient and then reconnect.
SecureClient Policy Server
3) Logon to Policy Server in Connect Mode may fail if the client machine is located inside
the encryption domain of the VPN-1 Pro Enforcement Module protecting the Policy
Server. You can avoid this by either creating connection profiles that do not include a
Policy Server logon, to be used when connecting from inside the encryption domain of
the Policy Server Module, or by configuring the Policy Server to be a different gateway
than the gateway configured in the profile.
4) SecureClient will always encrypt the Logon to Policy Server connection: It will first
perform the IKE key exchange and then encrypt the connection using IPSec (outside
the encryption domain) or SSL (inside the encryption domain).
Desktop Security
5) The Desktop Security Rule Base does not support groups with exclusions of network
objects.
6) The default boot policy of SecureClient is Accept All. It can now it can be changed to
Block Inbound. This policy will block any inbound traffic which is not required for the
boot process. To deploy Block Inbound boot policy:
a. change product.ini [install] section, from install_boot_policy.bat acceptall to
install_boot_policy.bat blockinbound and
b. set allow_inbound_when_no_policy to false in the options section of userc.c
Notes:
i. When this feature is enabled, Block Inbound is enforced only until the site
policy is loaded.
ii. After disabling policy, the enforced policy will be Accept All, SecureClient will
resume enforcing Block Inbound after the next boot.
7) The Desktop Security Rule Base does not support user groups restricted by IP range.
8) When using SecuRemote/SecureClient over ADSL which require PPTP and GRE
connections, you must define Desktop Security rules which allow PPTP and GRE.
9) To allow FTP data connections to survive events that reload the security policy
(connect, disconnect, logon to Policy Server, Enable Policy, interface up/down, etc.),
save_data_conns is set to true in userc.set. This means that data connections will survive
even if they should not. For example, if only logged on users (not AllUsers) are
permitted to perform FTP and open data connections, these connections will persist
after the user logs off the Policy Server. If for security reasons you prefer to block data
connections in these cases, you may set the attribute to false.
10) The Desktop Security Rule Base does not support Radius groups.
11) Zone Alarm personal firewall, installed with High security settings, interferes with
SecureClient, apparently due to a bug in Zone Alarm. To work around this, either
configure Zone Alarm with Medium security, or define each VPN gateway as a "host"
in the Zone Alarm configuration screen.
Secure Configuration Verification (SCV)
12) When working in Transparent Mode, the Secure Domain Logon (SDL) may fail if
connections to the Domain Controller are accepted:
• on Client Encrypt rules which require SCV verification, or
• if a Remote Access community is defined with SCV enabled.
If the SCV policy in SecureClient NG with Application Intelligence checks whether
the user is logged on to a Policy Server then the machine is considered not
securely-configured until a user has logged on to a Policy Server.
SDL connections (from SecureClient to a Domain Controller) that require SCV
verification fail because the user is not yet logged on to a Policy Server during
Windows logon.
13) Using Client Encrypt rules with SCV verification requires the VPN-1 gateway to have
IP forwarding enabled, even if the VPN-1 gateway is protecting only the machine itself
(VPN-1 SecureServer).
14) New SCV checks are installed with SecureClient, by means of SCVProd.exe. This
executable requires an up to date version of a Microsoft runtime library named
msvcrt.dll. This library may not be up to date on Windows 98 First Edition. As a
result, you may encounter error messages indicating a missing ordinal in this DLL.
Installing Microsoft Internet Explorer version 5.5 or higher will install the required
version.
15) When enforcing SCV rules on 4.1 Gateway, NG SecureClient will be blocked, although
its SCV state is verified.
16) When the client is on the LAN (inside the encryption domain), UDP packets
containing SCV state whose destination is a VPN-1 Pro gateway inside the encryption
domain are not encrypted.
SecureClient Software Distribution Server (SDS)
17) When running the SDS Agent in explicit mode and using Connect Mode, you must
Connect before opening a connection to the SDS Server.
18) Software distribution is not supported when more then one site is defined.
19) The SecureClient Software Distribution Server does not support the following
configurations:
• Using the SmartCenter Server machine as a Software Distribution Server
• Installation on a High Availability or CPLS Cluster
• Management High Availability
• Multiple Software Distribution Servers controlled by the same SmartCenter Server.
20) It is necessary to open TCP port 65524 (FW1_sds_logon_NG) to the SDS machines in
order to enable SecureClient to connect to the SDS.
21) Software distribution is not supported the Windows 98 or ME platforms.
SecuRemote/SecureClient - Certificates
22) To use an ICA certificate with a key length other than 1024, configure the property
user_certs_key_size in the options section of both the userc.C and object_5_0.C files
on the SmartCenter Server. To change object_5_0.C use the dbedit utility or the
Database Tool.
23) When using Entrust certificate (EPF) for authentication, and the certificate file has the
Read Only file attribute, authentication will fail.
SecuRemote/SecureClient - Windows XP Support
24) When Auto Local Logon or Secure Domain Logon is enabled, the Windows XP function
of Fast User Switching function is disabled.
25) Before upgrading from a previous Windows version to XP, you must uninstall
SecuRemote/SecureClient. After the upgrade, reinstall SecuRemote/SecureClient.
26) The Windows XP Internet Connection Firewall (ICF) is not supported with Office
Mode.
27) When using a classic mode Start Menu (Windows XP), it changes upon enabling ALL
(Auto Local Logon): turn off machine is replaced by shut down, and log off disappears.
Upon disabling ALL, things return to the normal classic mode state.
28) When disconnecting from one gateway in a MEP configuration and re-connecting to
another, UDP and ICMP connections (such as ping) may cause an attempt to
re-authenticate with the original gateway for up to 40 seconds after disconnecting from
the original gateway.
29) If the VPN-1 gateway does not support IKE Hybrid mode and certificates are not being
used, site definition and update may fail. This problem can be resolved by editing the
userc.C file and in the options section, setting the property topology_over_IKE to FALSE.
30) When using an SmartDirectory user account with multiple SecuRemote/SecureClient

users with the same UID, instruct these users to use their Dynamic Name for
authentication. If they use their UID, authentication may fail.
31) When more than one site is defined send_clear_traffic_between_encryption_domains is
disabled.
32) Full overlapping MEP configuration, in which one of the members is a CPLS cluster, is
not supported. The workaround is to define a group which includes the encryption
domain, the cluster and the gateway. Assign the group as the MEP's encryption domain.
33) SecuRemote/SecureClient using Connect Mode with MEP with fully-overlapping
encryption domains will not always connect to the gateway specified in the Connection
Profile. Instead the client will use the MEP logic to discover which gateways are
available, and connect to the first gateway that responds. If MEP Load Sharing is
enabled, the client will connect to a randomly chosen responding MEP gateway.
34) The length of a Dynamic Name for users is limited to 256 characters in
SecuRemote/SecureClient and VPN-1.
35) When more than one site is defined allow_clear_traffic_while_disconnected is
disabled.
36) Secure Domain Logon (SDL) over Visitor Mode is supported only in transparent proxy
(no proxy) configuration.
SecureClient Packaging Tool
37) If a Default Policy Server was not configured, Custom SecureClient packages created
using the Partial Topology option will not prompt the user to logon to a Policy Server
during the initial site update (during the first reboot after installing SecureClient).
Resolve this by configuring a Default Policy Server, or alternatively ask the users to log
on to a Policy Server after installation in order to download Desktop policies.
SecuRemote/SecureClient - Miscellaneous
38) Dial-Up integration is not supported in Windows 98, Windows 98SE or Windows ME.
As a workaround, a script which contains Command Line Interface (CLI) commands,
can be used as a post dialup script.
39) Proxy replacement is not supported with Secure Domain Logon (SDL).
40) Proxy replacement is not supported on Windows 98/ME platforms.
41) Installing SecureClient and TrendMicro’s (PC-cillin) personal firewall may result in a
blue screen after boot (It doesn't matter which one is installed first, the problem
happens after booting up). The issue is that SecureClient’s scap.sys and TrendMicro's
personal firewall are loaded together. For further information and a workaround see
SecureKnowledge solution sk20779.
42) SecuRemote/SecureClient Next Generation with Application Intelligence (R55) no
longer supports an Unauthenticated Topology download. If you:
• plan to upgrade your SmartCenter Server and VPN-1 Pro Enforcement Points
(rather than perform a new installation), and
• have Respond to Unauthenticated Topology Requests enabled, and
• are using a standalone SmartCenter Server prior to NG FP2 (that is, a

VPN-1 Pro Enforcement Module is not installed on the SmartCenter Server
machine),
Then, read the following document:
http://www.checkpoint.com/support/downloads/docs/firewall1/ng/fp2/SRSC_FP2_FWZ_Migration.pdf
43) The SecuRemote/SecureClient directory is not in the operating system search path. If
your application relies on the SecuRemote/SecureClient directory being in the path, it
must specify the full path when accessing SecuRemote/SecureClient files.
44) Dial-up integration with Connect Mode is not supported with AT&T and AOL dialers.
Dial-up integration can be achieved using the Command Line Interface.
45) When using Diagnostics Tool on Windows 98, the user may experience above average
memory consumption. It is advisable not to run Diagnostics Tool continually for a long
period of time.
46) If you are using AOL dialer from outside the USA, please select an access point that
supports AOLnet connections, and avoid GlobalNet connections. The type of
connection, by geographical location, can be viewed at
http://intlaccess.web.aol.com/. You can browse to this location by selecting the Access
keyword in your AOL browser.
47) When using iPAQ ActiveSync on Windows 98, while SecuRemote/SecureClient is
running, you may encounter connectivity problems. To resolve the problem:
a. Edit the registry, and under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP, add the registry
string value of MaxConnections with the value of 500
b. Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP, add the
string Size\Small\Medium\Large and enter 3 as a value.
c. Restart the machine
48) On Windows NT 4.0, using Secure Domain Logon, NT logon sometimes fails. The
service named Check Point SecuRemote Service (sr_service.exe), which is configured
to start "manually" by the Watchdog service, may start too late for the domain logon.
Configuring the startup of this service to "Automatic" should solve the problem.
49) On Windows 98/ME, using Secure Domain Logon, some critical network activity with
the encryption domain may be attempted before encryption takes place. In Connect
mode, you should wait until the "connect" dialog pops up before logging on to the
domain. In transparent mode, you may need to wait a few seconds before attempting to
logon to the domain.
50) SecuRemote/SecureClient installs a file named cygwin1.dll. Some anti virus products
consider this file to be a virus. SecuRemote/SecureClient does not use this DLL
directly. It is used by gtar and gzip, which SecureClient utilizes to decompress packages
while updating software through the Automatic Software Distribution feature.
51) TRACERT to a destination in an encryption domain has limited functionality. All hops
before the encrypting gateway are shown without data, since they are unable to decrypt
the ICMP packet. ICMP data will be returned only from the encrypting gateway and
beyond.
52) When working in Connect Mode and using SecureID (RSA ACE Server) for
authentication, automatic New PIN generation will not be displayed to the user, and
further authentication attempts fail. The workaround is to have the user select new PIN
code manually.
53) If the machine on which SecuRemote/SecureClient is installed is configured to be
Master Browser, Master Browser functionality may fail. For further information see
SecureKnowledge solution sk20023.
54) SecureClient does not support IP address forwarding and Internet Connection Sharing
(ICS).
SecurePlatform
SecurePlatform Clarifications and Limitations
Platform Specific - SecurePlatform
1) Performance Pack is automatically disabled on PPTP and PPPoE interfaces.
Installation
2) To install SmartView Monitor on a SecurePlatform machine that contains SmartCenter
Express (with or without VPN-1 Express) and SmartView Reporter, do not use the
wrapper. Installation should only be done from the command line, as follows:
a. Enter Expert mode.
b. Run rpm -i /sysimg/CPwrapper/linux/CPrtm-50/CPrtm-R55-00.i386.rpm.
General
3) SmallOffice is not supported in this edition of SecurePlatform.
4) After updating the time zone of SecurePlatform, reboot the computer to insure that all
applications are aware of new time zone.
5) When configuring ClusterXL in Legacy High Availability mode, MAC synchronization
occurs only on reboot. In addition, MAC synchronization over VLAN interfaces is not
supported. Therefore, you cannot use Legacy High Availability mode with VLAN
interfaces, only with physical interfaces.
6) In the Web UI configuration wizard, you cannot add wild cards for SmartConsole
Clients. Using the cpconfig command line interface of SecurePlatform you can display
the time zone GMT offset according to the POSIX standard, which is the opposite of
the commonly accepted standard. Example: for GMT+2 offset, the command line
interface will show GMT -2). The Web UI uses the common notation.
7) The following machines with RAID Controller:
• HP/Compaq
• SmartArray 431 and
• RAID LC2
have a memory leak in the kernel caused by the "cpqarray" device driver. To fix the
problems, comment out (or delete) the following line:
modprobe md >/dev/null 2>&1
in /etc/rc.d/rc.sysinit and reboot your machine.

8) If you use a default subnet configuration, you should define the routing through the
device and not the IP address.
9) For better usage of memory on machines with more than 512MB of memory, add the
following configuration settings to /etc/fw.boot/modules/fwkern.conf and then reboot
the machine:
fw_hmem_use_alternate_malloc=1
fw_smem_use_alternate_malloc=1
Do not assign more than 1700MB to the Maximum memory pool size (it is set in the
Capacity Optimization tab of the module’s object in SmartDashboard).
10) The SecurePlatform restricted shell does not allow the symbol '/'. This prevents defining
networks with the IP & Maskbits format (eg. 10.10.0.0/16). Instead, use the Netmask
format (eg. 10.10.0.0 netmask 255.255.0.0).
11) Do not leave the SecurePlatform machine or any interface without a default route
definition.
12) When physically removing a NIC you must also remove its definitions in the
SecurePlatform network configuration.
13) Zebra configuration is not backed up during Backup/Restore procedures.
14) Backup/Restore does not backup the "Expert" password.
15) If you physically replace a NIC Card in a machine with SecurePlatform, the order of
the NICs may change. Verify that the NICs are mapped and connected according to
your needs.
16) You cannot install SecurePlatform on a machine that has more than two SCSI hard
drives (unless they are in a RAID configuration and seen as a single virtual drive).
17) This release note does not apply to upgrades performed via SmartUpdate. In order to
successfully upgrade SecurePlatform NG FP2 or NG FP3 from the distributed NG with
Application Intelligence (R55) CD, update the patch command before actually starting
the upgrade. In order to update the patch command, perform the following operations:
a. insert the CD and enter Expert mode
b. run mount /mnt/cdrom
c. run patch add /mnt/cdrom/SecurePlatform/patch CPpatch_command_540000138.tgz
d. Proceed with the patch add command to upgrade the operating system.
Installed Products
18) The following Check Point products are not supported on a Dynamic IP gateway:
• SmartCenter Server
• ClusterXL
• Log Server
• Policy Server
• SmartView Monitor
Web UI
19) Only Internet Explorer version’s 5.0, 5.5 and 6.0 are supported.
20) You cannot define a VLAN as a primary interface in a machine through the Web UI. If
you need to define a VLAN as a primary interface, use Sysconfig.
21) Do not use the character % in a password.
22) Do not use the character % in the password of an administrator.
23) Clicking a browser’s “Refresh” button causes immediate logout from the Web UI.
Logon again to continue working.
24) If you are using the Web UI to define VLANs, in rare occurrences, the final VLAN
configured is defined as Using Dynamic IP even if you do not mark it as Using Dynamic
IP. To fix this, edit the VLAN properties via Sysconfig and verify that it is not marked
as Using Dynamic IP. If it has been marked as Using Dynamic IP, change it, otherwise, the
IP address may be lost after rebooting SecurePlatform.
25) PPPoE connection settings misconfiguration when existing connection is edited via the
WebUI. Remove the connection and recreate it with new settings.
ISP Redundancy
26) When the following network card drivers are used: 3c59x (3COM), starfire, tulip, if the
network cable is unplugged from the card, the link's status is not reported as that of an
unplugged network cable, instead it will indicate that the next hop is not responding.
SmartUpdate
SmartUpdate Clarifications and Limitations
License Management
1) Use SmartUpdate to delete central licenses. CPConfig supports only local licenses and
cannot be used to mange central licenses. You can also do this operation using the cplic
del command line from the Check Point Gateway machine.
Product Management
2) SmartUpdate shows Clusters members as distinct gateways without the common Cluster
entity. When cluster members are not of the same version, applying Get Check Point
Gateway Data on a cluster member will set the member's version on the Cluster object.
To set the version of the cluster correctly, apply the Get Check Point Gateway Data
command to the cluster member with the latest version.
3) SmartUpdate supports managing licenses but does not support managing products from
a Nokia SmartCenter Server.
4) Before selecting upgrade all on a remote Nokia Gateway update the SmartCenter
Server file ipso_ver.txt in the $SUDIR/conf directory. This file specifies the IPSO image
that should be used in the remote upgrade of a Nokia Gateway. The file contains a
single text line in the following format: nokia;os;RELEASE;SUBRELEASE;ipso
5) The RELEASE and SUBRELEASE parameters are the only parameters that should be changed,
and should specify the IPSO release and subrelease versions as they appear in the image
Manifest. For example: nokia;os;3.7;BUILD031;ipso.
SmartView Monitor
SmartView Monitor Clarifications and Limitations
Installation
1) SmartView Monitor has a central licensing scheme. It is no longer necessary to attach
licenses to modules. Licensing is controlled exclusively by the SmartCenter Server.
SmartView Monitor services are provided with other licenses such as: SmartView,
SmartCenter Pro and FloodGate-1 modules.
If you do not have one of these bundles you can purchase and install either:
• SmartView for single Gateway/Module or
• SmartView for unlimited Gateways/Modules
2) When upgrading a Version 4.1 FloodGate-1 Gateway, to continue using the traffic
monitoring features, in addition to upgrading FloodGate-1, install SmartView Monitor
on the gateway.
General
3) Enabling SmartView Monitor Traffic history reports has some performance impact on
the module. It is suggested not to enable it on Gateways that have 100Mbps throughput
or higher.
4) To remotely control a 4.1 Real-Time Monitor module from a NG with Application
Intelligence SmartCenter Server, use only the SmartView Monitor’s SmartConsole
Client and not the command line.
5) When editing or adding objects (Network Objects, Services etc...) in SmartDashboard,
install the Security Policy in order for the SmartView Monitor to apply the changes.
6) When monitoring traffic in real time for traffic passing through a FireWall-1 resource,
traffic will be seen as the following: On the incoming interface there will be seen traffic
originating in the client and destined to the FireWall-1 Gateway. On the outgoing
interface the traffic will be seen as if it is originated from the original client and
destined to the desired server.
7) SmartView Monitor history tables will not be updated if you change the module’s
system time substantially backward. To work around this problem you need to stop the
module and run a utility that will clean the tables of records that still have later time
than the current time. To do this perform the following steps:
a run cpstop -fwflag -proc
b run "upgrade_persistency -clean"

c run cpstart
8) SmartView Monitor is the current name (in the products column) for what was
previously called Real-Time Monitor (RTM) in versions NG FP2 and before. Modules that
are NG FP2 and below are referred to, in SmartView Tracker, as RTM.
9) If you select a Gateway as a Source or Destination to Filter or Group by, only the
gateway’s main IP address is considered. If you want to include all of the gateway's IP
addresses, add them manually via the Custom IP dialog box.
Virtual Link Monitoring
10) To enable Virtual Links you must make sure your Security Policy allows the E2ECP
service to be accepted on the external interfaces of the desired modules.
11) A DAIP Module cannot be an end point of a Virtual Link.
12) When configuring a Virtual Link with an Externally Managed gateway, it is now
required that both gateways should be aware of each other. To create this awareness,
configure the local gateway on the external SmartCenter and install policy on the other
gateway.
13) A cluster cannot be defined as one of the end points of a Virtual Link.
Configuration Specific
14) A module running SecureXL is not supported for traffic monitoring in the SmartView
Monitor.
15) On a Nokia platform, SmartView Monitor does not support Flows. Traffic passing
through the Flows mechanism cannot be monitored by SmartView Monitor. Type the
command ipsofwd slowpath on the Gateway's console to deactivate Flows.
16) On a Nokia platform, SmartView Monitor does not support Flows. Traffic passing
through the Flows mechanism cannot be monitored by SmartView Monitor. Type the
command ipsofwd slowpath on the Gateway's console to deactivate Flows.
SAM
17) A Suspicious Activity Monitor (SAM) rule will fail for a remote gateway if the
SmartView Reporter
SmartView Reporter Clarifications and Limitations
Minimum Hardware Requirements
The following minimum hardware requirements were designed so that SmartView Reporter
Server will be able to process a volume of about 3 GB logs per day and generate reports
according to the performance numbers limitation. If you have less logs produced per day
you can use a machine with less CPU or memory. This may cause degradation in the
performance numbers. In addition, if your machine has less physical memory you will need
to change the database cache size. To do this follow the instructions in “SmartView
Reporter” User Guide under the section Changing the SmartView Reporter Database
Cache Size.
1) The minimum hardware requirements for installing SmartView Reporter are:
Windows Solaris
Processor Intel Pentium III UltraSPARC IIi
CPU 1000 MHz 400 MHz
Disk space Installation 60MB Installation 100 MB
Database 40 GB Database 40 GB
Memory 1 GB 1 GB
Hardware Recommendations
• Configure the network connection between the SmartView Reporter Server
machine and the SmartCenter or the Log server, to the optimal speed.
• Use the fastest disk available with a high RPM (revolutions per minute).
• Increase the machine's memory. It significantly improves performance.
• The SmartView Reporter Server machine should have a UPS.
Minimum Software Requirements
2) For Internet Explorer use at least 5.5 or higher. For Netscape Communicator use at
least 6.2 or higher.
Configuration
3) For SmartView Reporter installs on Solaris, install the X11 font sets and Motif that are
included in the Solaris distribution.
4) SmartView Reporter supports SmartCenter High Availability with some limitations:
• SmartView Reporter Server should be installed on a machine separate from the High
Availability SmartCenter machines.
• SIC is established with between SmartView Reporter Server and the active
SmartCenter machine.
• All modules send their logs to a Log Server. The Log Server can be either one of the
SmartCenter machine, or a separate machine.
After performing change over:
• Log consolidator will continue working and processing log files from the Log Server
machine.
• You need to re-initiate the SIC on the SmartView Reporter Server machine with
the new active SmartCenter.
After re-initiating SIC, SmartView Reporter Server will resume its work, and the
SmartView Reporter client can connect to the new active SmartCenter.
5) If you would like to install SmartView Reporter Server on an existing Log Server
machine, run the following commands after the SmartView Reporter installation
completes:
a. cpstop
b. cpd_config -a LcutilD lcutild_addon register_lcutild_addon
deregister_lcutild_addon
c. cpprod_util CPPROD_SetValue "Reporting Module" "ManagementEnhancement" 4 0 1
d. cpstart
6) When a SmartView Reporter Server's IP address is statically NATed, a machine running

the SmartView Reporter Client must be able to route connections to the real
SmartView Reporter server's IP address. This can be achieved by running the
SmartView Reporter Client on a machine in the Server's local network, or sometimes,
by adding the appropriate route entries in the SmartView Reporter Client’s routing
table.
7) FTP or HTTP distribution of reports does not work with proxy settings. If a your
machine has proxy settings, use alternate distribution methods such as e-mail
distribution or copy files from the Report's Results directory instead.
General
8) Account logs that originated by a gateway cluster, are counted twice. Thus, reports of
these logs will display inaccurate data.
9) The SmartView Reporter user interface only supports password-based login.
10) Logs produced by FireWall-1 modules that also have Floodgate-1 installed, show twice
the number of actual HTTP connections. As a result, reports generated on such
modules will display an incorrect number of connections.
11) When the log consolidator is working on the active log file, fw.log, the Management tab
shows the progress of the consolidation. However, when either a automatic or manual
log switch occurs, it is not indicated in the Management tab. The log consolidator
continues processing the active log file.
12) On rare occasions, the log consolidator may pause when “Starting” for a long time.
This situation can occurs after a power shutdown of the SmartView Reporter Server
machine or when restarting the log consolidator after it has reached an "aborted' state
due to exhausted disk space.
Therefore, always keep the database with enough disk space to avoid such problems.
13) When the SmartView Reporter has been deactivated on the IPSO platform, the
SmartView Reporter client cannot function. If you open your SmartView Reporter
client to an IPSO SmartCenter with a deactivated SmartView Reporter server, you will
not see reports in the GUI. Clicking any menu from SmartView Reporter’s GUI results
in an error message: An internal error has occurred in SmartView Reporter. All changes
will be lost and the SmartView Reporter client closes. If you encounter this issue,
activate the SmartView Reporter on the IPSO SmartCenter.
14) Processing the detailed URL information inside the logs consumes a lot of resources. By
default, this processing is therefore disabled. Extended URLs and file extensions are not
available by default. To enable URL processing to run on your SmartView Reporter
Server machine run:
a. the cpstop command
b. the log_consolidator -K true command
c. the cpstart command
After enabling URL processing, go over your web activity and FTP activity reports, and
select all the sections that display detailed URL-related information. The sections (in
the above reports) that are influenced are as follows:
a. Top Pages
b. Top Pages and their top sources
c. Top Files
d. Top file types.
If you wish to disable the detailed processing of URL information inside the logs again
run:
a. the cpstop command
b. the log_consolidator -K false command
c. the cpstart command
15) The Netscape browser does not print generated reports correctly and only displays them
correctly from Netscape version 6.2 or greater. Netscape could not handle page breaks
correctly. Instead, print the report with a version of Internet Explorer 5.5 or greater.
SmartLSM
SmartLSM Clarifications and Limitations
General
1) To enable LSM support and to start the LSM SmartConsole, run the commands
LSMenabler on and cpstop/cpstart on the SmartCenter Server.
2) SmartLSM supports status monitoring of up to 1000 gateways from a single

SmartCenter Server. The rest of the gateways receive the status Waiting.
3) To support High Availability of SmartCenter servers, define both SmartCenter servers
from SmartDashboard > Profile Object > Logs and Masters > Masters tab.
4) In SmartLSM, when removing a Dynamic Object from the list of Centrally Resolved
Dynamic Objects and executing a Push Dynamic Objects action, the previous values of
the removed Dynamic Object are not eliminated from the ROBO Gateway. The
elimination of these values will be done the next time the ROBO Gateway performs a
periodic policy fetch. You can invoke Push Policy (either instead of Push Dynamic
Objects or afterwards) to correctly eliminate them.
5) In Windows, the caret character (^) is ignored when you input it from the command
line. Do not use it in object names. For example: "aa^aa" is treated as "aaaa".
6) All actions in SmartUpdate are not supported for Profile Objects. Do not try to
perform these actions.
7) After converting a ROBO gateway to a Corporate Office gateway, or converting a
Corporate Office gateway to a ROBO gateway make sure you restart the Check Point
services (or reboot) on the gateway. Also make sure to install policy on all the rest of the
Corporate Office gateways.
8) SmartLSM does not support VPN-1 routing for satellites using the To center and to
other satellites through center option.
9) You should not create objects in SmartDashboard with names of ROBO Gateways
objects.
SmartLSM SmartConsole
10) When a critical notification is received and the Action tab is open, the critical icon
blinks in order to get your attention. Stop the blinking by opening the Critical
Notification tab. It may happen that after a critical notification has been received and the
icon is blinking, the critical status is then changed and the critical record is removed
before you had the chance to open the Critical Notification tab. In this scenario, the icon
will continue to blink but no record will be displayed when opening the Critical
Notification tab.
Installation and Configuration

11) After defining the interfaces of a ROBO gateway through cpconfig, you must perform
cprestart or fetch the policy for the new definitions to catch.
Policy Configuration
12) Uninstall Policyfrom a Profile object has no meaning. Uninstalling a profile will result
in error. You can safely ignore this error.
13) Resolve all Dynamic Objects that are used in the policy. An unresolved Dynamic
Object will result in dropping all the packets that match the other characteristics of the
rule.
ROBO Gateway
14) Before trying to pull a certificate from the SmartCenter server, configure the DNS
Server settings in the ROBO gateway.
15) In cpconfig running on a ROBO Gateway, the text for pulling a SIC Certificate from
the SmartCenter Server refers to a Dynamic Address Module. Enter the ROBO
Gateway Object name as defined in SmartLSM.
16) SmartLSM ROBO gateway on Nokia is only supported with IPSO version’s 3.5 and
3.7. and 3.7.1.
Performance Pack
Performance Pack Clarifications and Limitations
Unsupported Products
1) FloodGate-1 is not supported with SecureXL.
2) SmartView Monitor is not supported with SecureXL.
3) Virtual interfaces and VLAN interfaces are not supported by Performance Pack on
Solaris. bge, dmfe and skge interfaces are not supported by Performance Pack on Solaris.
4) PPTP and PPPoE interfaces are not supported by Performance Pack in configurations
where NAT and/or VPN-1 are used.
Unsupported Features
5) The Overlapping NAT feature is not supported with SecureXL.
6) Running dynamic routing daemons on the SecurePlatform gateway is not supported
with Performance Pack.
7) The ISP Redundancy feature has the following limitation when working with
SecureXL: Connections going through the interfaces configured by the ISP redundancy
feature will not be accelerated. Other connections (for example internal connections to
the DMZ) will be accelerated and will not be affected by this limitation. ISP
redundancy over PPTP and PPPoE interfaces is not supported.
8) Performance Pack doesn’t support dynamic interface changes on Solaris. Before
performing ifconfig up/down/plumb or unplumb, turn off acceleration by issuing the
fwaccel off command. After performing the above, enable the acceleration by issuing
the fwaccel on command.
ClusterXL
ClusterXL Clarifications and Limitations
General
1) When configuring ClusterXL in Legacy High Availability mode, MAC synchronization
occurs only on reboot. In addition, MAC synchronization over VLAN interfaces is not
supported. Therefore, you cannot use Legacy High Availability mode with VLAN
interfaces, only with physical interfaces.
2) When installing a Policy failover may occur. To avoid this enable a "freeze" mechanism
that prevents some actions that caused member to restart. By default this mechanism is
disabled.
To enable this mechanism run the following command:
fw ctl set int fwha_freeze_state_machine_timeout 30
To disable this mechanism run the following command:

fw ctl set int fwha_freeze_state_machine_timeout 0
Configuration
3) When the FireWall-1 services on one or more cluster members are stopped using the
command fwstop, policy installation on the cluster will cause the installed policy to be
inconsistent between the active and stopped members. To make sure that the installed
policy is always consistent across all members use the cpstop command instead of the
fwstop command.
4) Configuring a third party cluster without enabling State Synchronization is not
supported.
5) During a policy installation, the following error message is produced on the console of
some or all of the cluster members: CPHA: X machines confirmed policy update (phase I),
while waiting for Y machines CPHA: New policy will be enforced anyway. Please contact
Check Point support. This error can be safely ignored.
6) The following error messages may appear on the console when enabling or disabling the
ClusterXL or State synchronization from cpconfig.
FW-1: fwkdebug_register: module cluster already registered
FW-1: fwha_kdebug_register: fwkdebug_register failed
These messages may be safely ignored.

7) Use the cpstop and cpstart commands instead of cprestart in cluster configurations.
Using cprestart may lead to an unstable cluster state.
8) Pivot forwarding requires CCP running on all interfaces that have a cluster IP in order
to function properly. Therefore, pivot forwarding and defining cluster interfaces as
disconnected (i.e., CCP will not run on these interfaces) in LS Unicast mode cannot
work on disconnected cluster interfaces, rendering the cluster IP unusable. The
workaround is to use a different ClusterXL mode, or remove the disconnected interfaces
definition.
VPN-1 Clusters
9) When adding a gateway (that belongs to a VPN community) to an existing cluster:
a. first remove that gateway from the community
b. then add a gateway to the desired cluster
c. then add the cluster to the VPN community that this gateway belonged to prior to
step a.
10) When detaching a cluster member from a VPN cluster, manually remove the VPN
domain once the member has been detached.
11) When defining Office Mode IP pools, make sure each cluster member has a distinct
pool.
12) Peer or secure remote gateways may show error messages when working against an
overloaded gateway cluster in load-sharing mode. This is due to IPsec packets with an
old replay counter. These error messages can be safely ignored.
13) When working with TCPT and clusters, the remote connection will not survive
failover in the following cases:
• When there's an option to perform an 'administrative failover', in which case the
client doesn't receive any notification and considers itself connected to the
non-active cluster member.
• When working with a High Availability cluster: in the event that a cluster member
moves from Active state to Standby state, where the client doesn't receive any
notification and considers itself to be connected to the non-active cluster member.
This can happen, for example, when switching the priorities of the cluster members
in SmartDashboard and installing the new policy.
High Availability
14) Issuing a Stop Member command in SmartView Status performs the cphastop command
on this member. Among other things this disables the State Synchronization mechanism.
Any connections opened while the member is stopped will not survive a failover event,
even if the member is restarted using cphastart. However, connections opened after the
member is restarted are normally synchronized.
Load Sharing
15) Traceroute through any CPLS cluster may fail.
16) ISP redundancy is supported in Load Sharing Unicast only when working over
SecureXL or Performance Pack. In Load Sharing Multicast mode there is no such
restriction.
17) Under load, tcp packet out of state error messages may appear. For each one of the cases
there is a specific way to resolve it. Refer to the “FireWall-1 SmartDefense”
documentation for a full explanation and security implications.
1 message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-ACK
message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-PUSH-ACK
In SmartDashboard > Global Properties > Stateful Inspection, enlarge tcp end timeout.
The recommended value is 60 seconds. If there are many connections consider
enlarging the connection table size in the same ratio as the tcp end timeout.
2 message_info: SYN packet for established connection
run the command: fw ctl set int fw_trust_rst_on_port <port>
When a single port is not enough, you can set the port number to -1, meaning that you
trust a reset from every port.
3 Other out of state messages: run the command: fw ctl set int fwconn_merge_all_syncs
1. This allows a more reliable way of merging tcp states across asymmetric connections.
Authentication
18) When using automatic or partially automatic client authentication for HTTP on CPLS
clusters (both ClusterXL and OPSEC clusters), define a decision function based only on
IP addresses in order for connections to open.
From the Gateway Cluster Properties > ClusterXL > Load Sharing >Advanced >select IPs
(the third radio button).
Defining a decision function on OPSEC clusters products is done via the individual
product. Refer to the individual product’s documentation for more information.
19) When performing manual client authentication (using port 900) to a cluster where the
members' IP addresses are not routable, the URLs returned in the HTML from the
replying cluster member contain the member's own non-routable IP address instead of
the cluster IP address. This fails subsequent operations. The workaround is to configure
the cluster to use a domain name instead of an IP address in the client authentication
HTML pages, using the ahttpclientd_redirected_url global property. Make sure that
your DNS servers resolves this domain name to the cluster's IP.
State Synchronization
20) Only one synchronization network can be defined per subnet. Use different subnets if
more than one synchronization network is defined.
SmartConsole
21) When working with a third Party Cluster object with FloodGate-1, if you move from
the Topology tab to a different tab the following errors message appears: No interface
was activated in QoS tab for this host (Inbound or Outbound). Do you want to continue?
Select Yes and continue your operation. This error message can be safely ignored.
22) SmartUpdate shows Cluster members as distinct Gateways without the common Cluster
entity. When cluster members are not of the same version, applying Get Check Point
Gateway Data on a cluster member will set the member's version on the Cluster object.
To set the version of the cluster correctly, apply the Get Check Point Gateway Data
command to the cluster member with the latest version.
Security Servers
23) Security Servers are not supported with Sequence Verifier in CPLS Cluster
environments.
24) When deleting a VRRP configuration from Nokia Configuration Manager (Voyager)
on a 3.7 and 3.7.1 IPSO system, first run cpstop on the cluster members before deleting
the VRRP configuration in order to avoid a panic on the cluster members. This
problem exists only when working on IPSO 3.7. and 3.7.1.
25) On the IPSO platform, in order to work with a third party cluster (a.k.a state
synchronization) you must work in a Nokia VRRP or Nokia IP Clustering
configuration. In order to work with other third party products (such as external load
balancers) you can work around the restriction mentioned above by configuring IP
Clustering with an empty IP Cluster. Just enter the cluster ID (same on all machines)
and an administrative password. This is done though a Nokia Configuration Tool (such
as Voyager).
26) When deleting a VRRP configuration from Nokia Configuration Manager (Voyager) in
a 3.7 and 3.7.1 IPSO system, a panic can occur on the cluster members. To circumvent
around this problem, first run cpstop on the cluster members before deleting the VRRP
configuration. This problem is fixed on IPSO 3.8.
27) When configuring VLAN tags, it is important to set the IP address on the VLAN
physical interface. If the physical (untagged) interface is not used, the IP address can be
any IP address.
For example
If the physical interface is eth0, and
the VLAN interfaces are eth0.1 and eth0.2, then
eth0 must also have an IP address.
28) ClusterXL in Unicast mode (Pivot) is not supported on Solaris when using VLAN
tagging.
29) There is a compatibility issue with the SUN driver for the NIC when using ClusterXL
in a VLAN tagging configuration with Gigaswift NICs on Solaris. The SUN driver,
under certain load scenarios, causes Solaris to panic. This configuration is supported,
pending a fix from SUN.
Services
30) When using T.120 connections, make sure you manually add a rule that allows T.120
connections.
31) The combination of using multiple external Interfaces (route through different
interfaces) for SecuRemote/SecureClient and clusterXL pivot mode is not supported.
FloodGate-1
FloodGate-1 Clarifications and Limitations
SmartCenter Installation
1) When Installing a SmartCenter Server, you should specifically select the FloodGate-1
product in addition to selecting the SmartCenter product. Selecting FloodGate-1 is
required in order to manage FloodGate-1 modules.
2) In order to use FloodGate-1, activate the product in Voyager, then re-login as
administrator using the terminal and perform cpstop then cpstart.
3) On Nokia, FloodGate-1 and VPN-1 Pro are two separate packages. When upgrading
VPN-1/FireWall-1 from 4.1 to an NG with Application Intelligence, make sure to
upgrade FloodGate-1 as well. After the upgrade,
FloodGate-1 is disabled by default. Use Voyager to turn on FloodGate-1.
Performance Pack
4) On machines where SecureXL is not configured to start automatically, and is started
manually, FloodGate-1 does not stop SecureXL during FloodGate's service startup.:
a. run the etmstop command
b. run the fwaccel off command
c. run the etmstart command
Clusters
5) It is not possible to convert a FloodGate-1 gateway into a cluster member if this
gateway appears in the Install On column in the rule-base. To resolve this:
a. Remove the FloodGate-1 gateway from the Install On column.
b. Convert it into a cluster member.
c. Add the member to the Install On column in the relevant rules.
6) When editing the Topology tab of a Cluster Object from Type third party, the following
message can be safely ignored: "No interface was activated in Qos tab for this host
(Inbound or Outbound). Do you want to continue?" On a third party cluster, the QoS
topology related definitions should be edited on the cluster member object.
Low Latency Queuing (LLQ) and DiffServ
7) When managing QoS Classes, there is an option to define new DiffServ Class of
Service Group. This option is not valid and should not be used.
8) The values Inbound Guaranteed and Outbound Guaranteed for the Best Effort class in the
table DiffServ and Low Latency classes in the QoS tab of the Topology window may be
inaccurate when adding a Low Latency class or a DiffServ class to the interface. Since this
error does not affect the correct scheduling of FloodGate-1, it can be ignored.
9) In the QoS Rule Base, although it is possible to paste an LLQ class before a DiffServ
class, it should not be done.
URI
10) Matching connections will fail to be correctly classified, in cases where you are using
Authenticated QoS and URI for QoS in the same QoS rule.
Logging
11) Sub rules do not inherit the log track from the parent rule. To overcome this issue, add
the Log/Account track to the specific sub rule you want to log.
12) Under heavy load, FloodGate-1’s accounting might lose the some of the connection
parameters such source/destination. Please ignore those account records.
Authenticated QoS
13) The Authenticated QoS feature uses the UserAuthority Server to get user
authentication data. Before using this feature, refer to the UserAuthority Server section
for the list of its known limitations.
Miscellaneous
14) FloodGate-1 may not schedule traffic on an interface that was newly enabled on the
gateway. In order for the interface to be recognized by FloodGate-1, run the command
cprestart.
15) Despite the message, deactivating an interface direction for QoS in the object topology
does not remove it from the Install On column in the rule base. To overcome this issue,
manually remove the interface direction from the Install On column.
UserAuthority
UserAuthority Server Clarifications and Limitations
Installation
1) Installation of UserAuthority Server NG with Application Intelligence on Terminal
Server or Citrix machine, may fail if the machine is not connected to the network.
General
2) While running in Legacy Mode, UserAuthority Server does not support WebAccess
encryption options in trust (e.g, you cannot enforce VPN encryption by using
UserAuthority WebAccess trust).
3) When using UserAuthority Server in a High Availability Cluster when failover occurs
the UserAuthority Server on the standby still maintain it's UAA session with all clients
(such as UserAuthority WebAccess) although it is no longer the active server. The
workaround is to: run both the uagstop and uagstart commands on the standby module
when failover occurs.
4) Routing configurations in which a destination can be reached through multiple
interfaces with the same metric is not supported. The Citrix UAS identifies connections
by a 4-tuple: source port, destination IP and destination port. The source IP is not
taken into account. As a result the Citrix UAS cannot differentiate between concurrent
connections that differ by their source IPs only. For example, if the two following
connections are opened simultaneously:
User Source IP Source Port Destination IP Destination Port
Joe 192.168.0.5 5001 209.81.7.23 80
Bob 192.168.0.2 5001 209.81.7.23 80
Then the UAS does not guarantee that the right user identification will be returned for
queries on those two connections.
5) UserAuthority Server. When changing Trusted Domains (under Global Properties >
UserAuthority) from All Domains to Specific Domains, some users may be required to
re-enter credentials to UserAuthority WebAccess in Web Single Sign-On scenario.
6) When using a log server, a Security rule which allows ELA traffic from the
UserAuthority Server to this log server, should be explicitly defined.
7) When users are authenticated on other VPN-1 Pro gateways using Client
Authentication, SecureClient or SecuRemote, the automatic configuration isn’t able to
resolve the connection to the username.
8) UserAuthority Server NG with Application Intelligence supports two modes on the
Solaris, Linux or Nokia platforms:
• Legacy - which has UAG FP3 functionality
• New - which has additional capabilities, such as integration with Windows Group
etc.
To check the mode - run "uagmode stat" from $UAGDIR.
To switch the mode - run "uagmode new" or "uagmode legacy"
Supported Platforms
9) UserAuthority Server NG with Application Intelligence is supported on the following
platforms:
• Nokia - IPSO 3.7 and 3.7.1
• All Windows Server platforms
• Solaris 5.8, Solaris 5.9

• Check Point’s SecurePlatform
Linux 7.2, Linux 7.3

OPSEC
SmartCenter
1) In CPMI the command line fw unload does not trigger an
eCPMI_NOTIFY_UNINSTALL_POLICY notification event.
2) An OPSEC application that reads logs using LEA supports up to 1000 log files (*.log
and *adtlog). If more are needed, move the log files from $FWDIR/log to another
directory.
3) An OPSEC application that reads logs using LEA may fail if the network objects
database contains more then 2000 objects.
FireWall-1
4) A Suspicious Activity Monitor (SAM) rule will fail for a remote gateway if the

Check Point® Enterprise Suite Next Generation With Application Intelligence (R55) Release Notes

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Check Point® Enterprise Suite Next Generation With Application Intelligence (R55) Release Notes

Uploaded by

Copyright:

Available Formats

Check Point® Enterprise Suite

Next Generation with

October 15, 2006

Check Point Express

Required Solaris Patches

For Red Hat kernel installation instructions, visit:

For Red Hat kernel installation instructions, visit:

Minimum Hardware Requirements

Minimum Hardware Requirements — IPSO page 8

Minimum Hardware Requirements — IPSO

Minimum Hardware Requirements — Windows or Linux

CPU Intel Pentium II 300+ MHz or equivalent

Disk space 300 Mbytes (software installation only)

Memory 128 Mbytes

Minimum Hardware Requirements — Solaris

CPU Architecture UltraSPARC II

Disk space 300 Mbytes (software installation only)

Memory 128 Mbytes

CPU Intel Pentium II 300+ MHz or equivalent

Disk space 4 Gigabyte hard drive, supported NICS

Memory 128 Mbytes (512 Mbytes recommended)

Minimum Hardware Requirements — SmartConsole for Windows

CPU Intel Pentium II 300 MHz or equivalent

Disk space 100 Mbytes (software installation only)

Memory 128 Mbytes

Minimum Hardware Requirements — SmartConsole for Solaris

CPU Architecture UltraSPARC II

Disk space 100 Mbytes (software installation only)

Memory 128 Mbytes

Installing Check Point Products

The Recommended Installation Method page 10

The Recommended Installation Method

For further information, read the section “FireWall-1” on page 25.

1) Before installing or upgrading to Next Generation with Application Intelligence (R55),

During the Nokia Installation

This program will guide you through the installation process.

Upgrading via SmartUpdate

This guide has both individual product installations and uninstallations.

FireWall-1 page 13 SmartUpdate page 19

after the upgrade - reinitialization of SIC on SmartCenter is required (please note

2) When upgrading a branded version of SecuRemote/SecureClient, make sure that the

b. Run the database upgrade utility:

ii. SVR_DBUpgrade [-r num_rows] [Table-name | "*"]

• Servers that share WebAccess authentication

• Citrix/Microsoft Terminal Services

5) Status of IP51 modules is not displayed in SmartView Status.

Platform Specific - Windows

Source Destination Service Action

In the FWDIR/libexchange.def file, enable this notification by setting

79) Anti-spoofing is currently not supported with IPv6.

88) The RSH protocol is not supported for IPv6.

• only if there are interfaces defined in its Topology tab.

5) SmartView Reporter supports SmartCenter High Availability with some limitations:

A bad branch: ou=Finance , o=ABC , c=us

Trying to install a QoS policy on a module before executing these steps on

Platform Specific - Solaris

• Installation on a High Availability or CPLS Cluster

• Management High Availability

• Multiple Software Distribution Servers controlled by the same SmartCenter Server.

30) When using an SmartDirectory user account with multiple SecuRemote/SecureClient

• are using a standalone SmartCenter Server prior to NG FP2 (that is, a

• SmartArray 431 and

in /etc/rc.d/rc.sysinit and reboot your machine.