What’s New in Check Point® Enterprise Suite NG FP3

August 2002

In This Document
The Trial Period                             page 1
VPN-1                                        page 1
FireWall-1                                   page 3
SecuRemote/SecureClient                      page 5
SmartCenter                                  page 6
ClusterXL                                    page 7
User Management (LDAP Account Management)    page 7
SmartUpdate                                  page 7
SecurePlatform                               page 7
SmartView Monitor                            page 8
UserAuthority                                page 8
FloodGate-1                                  page 9
Profile Based Management                     page 9
Provider-1/SiteManager-1                     page 10

The Trial Period
New Check Point product installations work out-of-the-box for a 15-day Trial Period, making it easy to evaluate the Check Point Product Suite. The trial period starts when Secure Internal Communication is established between the SmartCenter Server and the Module, and it allows the full functionality of the Check Point product. If a license is installed during the trial period, it overrides the trial period.

VPN-1
Support of SSL and SSH connections to VPN-1 Net Modules
Remote device management using SSH or HTTPS (including the Voyager Web administration tool for Nokia platforms) is available for VPN-1 Net Modules. This applies regardless of the policy type installed on the device and is configured through implied rules.

VPN Routing
The VPN Routing feature enables a VPN router to support back-to-back encryption, where the same connection is encrypted and decrypted against two peer gateways. Using a routing configuration file:
- Back-to-back tunnels can be configured on a single gateway.
- A VPN path which is composed of more than one VPN tunnel can be

Internal CA Enhancements
- Microsoft Enterprise CA using Active Directory on Windows 2000 Server is now supported. This combination was not supported until now because this CA signs certificates using only the full name and not the full DN, which was a problem since the search for a user was based on the full DN. Using another identifier in the certificate enables a proper search.
- The key size of certificates produced by the Internal CA for VPN-1 clients or modules can be enlarged from the default of 1024 bits to either 2048 or 4096 bits.
- The Internal CA certificate can be stored on a hardware token using the CAPI interface.
- Automatic renewal of Internal CA certificates for Secure Internal Communication and for Remote Users is now available.
- A pre-shared secret for IKE can be defined for external VPN modules. Internal VPN-1 modules continue using Internal CA certificates while negotiating VPN tunnels.

VPN Communities
- Each VPN-1 Gateway can now participate both in a traditional and in a VPN communities based policy.
- The VPN-1 Gateway configuration process has been improved:
  - Better separation between VPN communities and traditional mode: traditional mode configuration is now available from the VPN tab of each VPN-1 object.
  - Simpler configuration of Remote Access VPN. Global properties for remote access VPN have been restructured into three sections: VPN Basic, VPN Advanced and Certificates.
- A conversion tool from traditional mode to VPN communities is now available. This tool provides a simple way to transition from an older rule base to a new one.
- Traffic of certain protocols and services to be passed in the clear can be configured on the community: a new tab (Services in Clear) has been added to the community properties. The tab allows services to be excluded from the community.

VPN Hardware Acceleration
- The VPNx driver is now part of the VPN-1 installation; no additional package installation is required. To maximize VPN performance, it is recommended to remove any previously installed VPNx packages.
- VPNx activation/deactivation is now possible using the Check Point configuration tool (cpconfig). On Windows platforms VPNx is deactivated by default, while on Solaris and Linux platforms it is activated by default.
- VPNx performance is greatly improved on Windows platforms.
- VPN throughput has been improved by up to 80%, while packet rate has been increased by up to 60%.

IKE Interoperability
- INITIAL CONTACT payloads are supported.

VPN-1 Clusters
- Interface resolving mechanisms for gateway-to-gateway and client-to-gateway VPN connections have been improved and added to the SmartDashboard, on VPN-1 Gateways and in the Global Properties.
- Multiple (Dynamic) interface resolving using the RDP polling mechanism is now supported when the responding VPN-1 Gateway is hidden behind a VPN-1 cluster.

NAT-Related Issues
- Multiple (Dynamic) interface resolving using the RDP polling mechanism is now supported when the responding VPN-1 Gateway is hidden behind a NAT device.
- The mechanism for resolving address ranges (applicable for connections to hosts protected by VPN-1 Gateways with multiple interfaces) is now functional also if the protecting VPN-1 Gateway is behind a NAT device which performs static NAT for the interfaces of the protecting module.
- NAT can be disabled inside VPN tunnels: a property to disable NAT is available on each Gateway to Gateway VPN community.

Last Update — August 15, 2002

Persistent VPN Tunnels
VPN tunnels can be maintained and kept open at all times between VPN gateways and clients.

Clientless VPN (SSL based VPN)
VPN-1 Gateways include GUI support for HTTPS (SSL over HTTP) termination of remote users with no SecuRemote/SecureClient or any other IPsec VPN client installed.

L2TP Support for Microsoft Clients
VPN-1 Gateways support the MS Windows XP/2000 VPN client (which consists of L2TP over transport-mode IPsec).

Support for Nokia CryptoCluster Clients
Nokia CryptoCluster clients are now supported. The feature includes:
- Support of Nokia vendor ID payloads in IKE negotiations
- Fetching the user according to the DN sent in the certificate payload (and not according to the FQDN in the ID payload)
- Support of NAT Traversal (UDP encapsulation)
- Support of Addressing (Office Mode)
- Support of the CRACK authentication scheme

VPN Diagnostics
- SmartView Monitor for VPN-1 provides a comprehensive view of VPN, including tunnel establishment/failure rates, encrypted data rates, hardware acceleration rates and compression rates.
- VPN status monitoring using the command line has been restructured and improved.

FireWall-1
SmartDefense
SmartDefense provides a unified security framework for components that identify and prevent cyber attacks. The SmartDefense package is now integrated into the Check Point Suite.

Protection against Denial of Service attacks: In order to avoid exhaustion of the connection table when under a UDP (or other protocol) flood attack, it is possible to define a quota for UDP (or other non-TCP protocol) connections. When the number of non-TCP connections reaches the quota, only new TCP connections will be allowed. The non-TCP quota is disabled by default and it can be set individually for each FireWall-1 Module.

Network Address Translation (NAT)
- The NAT rule number for log entries is shown in the Log Manager.
- Overlapping NAT support: FireWall-1 is able to handle packets from overlapping IP networks coming from different interfaces of the FireWall-1 gateway. When entering the FireWall these packets are translated to a virtual IP network, and when leaving the machine they are translated back to their original IP addresses.
- The performance and scalability of NAT have been improved. NAT rules are searched much more efficiently, and a cache has been added for recent NAT lookups.
- Dynamic Objects can be used in the NAT Rule Base.
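The non-TCP quota described above is easiest to reason about as a small model. The following is an added example written for this page, not Check Point code: a connection table that refuses new non-TCP entries once the configured quota is reached while continuing to admit TCP, driven by a constructed UDP flood. The quota value and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class Conn:
    proto: str   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class ConnTable:
    """Connection table with an optional quota on non-TCP entries.

    non_tcp_quota=None models the shipped default (quota disabled)."""
    non_tcp_quota: Optional[int] = None
    entries: Set[Conn] = field(default_factory=set)
    rejected: List[Conn] = field(default_factory=list)

    def non_tcp_count(self) -> int:
        return sum(1 for c in self.entries if c.proto != "tcp")

    def admit(self, conn: Conn) -> bool:
        """Return True if the packet may create or reuse a table entry."""
        if conn in self.entries:
            return True                     # existing connection, no new entry
        if (conn.proto != "tcp"
                and self.non_tcp_quota is not None
                and self.non_tcp_count() >= self.non_tcp_quota):
            self.rejected.append(conn)      # quota reached: refuse new non-TCP
            return False
        self.entries.add(conn)              # TCP is never subject to the quota
        return True


def simulate_udp_flood(quota: Optional[int], flood_size: int = 1000) -> dict:
    """Run a constructed UDP flood against the table, then one TCP and one UDP
    connection from a legitimate host, and report what happened."""
    table = ConnTable(non_tcp_quota=quota)
    for i in range(flood_size):
        table.admit(Conn("udp", "198.51.100.7", "203.0.113.10", 10000 + i, 53))
    tcp_admitted = table.admit(Conn("tcp", "192.0.2.5", "203.0.113.10", 40000, 443))
    udp_admitted = table.admit(Conn("udp", "192.0.2.5", "203.0.113.10", 40001, 53))
    return {
        "non_tcp_entries": table.non_tcp_count(),
        "rejected": len(table.rejected),
        "tcp_admitted": tcp_admitted,
        "udp_admitted": udp_admitted,
        "table_size": len(table.entries),
    }


if __name__ == "__main__":
    print("quota disabled:", simulate_udp_flood(None))
    print("quota = 100:   ", simulate_udp_flood(100))
```

With the quota disabled, every flood packet occupies a table entry; with a quota of 100, the table stops growing at 100 non-TCP entries, the later legitimate UDP connection is also refused (the quota does not distinguish good from bad sources, which is the trade-off the text implies), and the TCP connection is still admitted.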

- The lowest possible port used by FireWall-1 when performing Hide NAT can now be controlled using the global property hide_min_high_port. This is in addition to the global property hide_max_high_port, which controls the highest possible port used when performing Hide NAT on a connection whose original source port is > 1024. Together these two properties define the range of high ports used by Hide NAT. They can be modified using the dbedit utility.

Authentication
- The group membership of a user can be retrieved when using the RADIUS or the Windows NT authentication object. RADIUS and Windows NT groups are supported. Such groups are defined with a special prefix to indicate this behavior. This information is updated dynamically whenever the user authenticates. Based on this information FireWall-1 can match rules that are defined with these groups. This eliminates the need to associate a user with groups in the SmartDashboard.
- When a FireWall-1 gateway performs a RADIUS authentication, the FireWall-1 Gateway will use, as before, the RADIUS Servers object associated with the user object. If this association does not exist, it can use RADIUS servers associated with the gateway object. Specified users can be prevented from using the FireWall-1 to RADIUS server association, thus overriding the RADIUS server associated with the specific user object.
- The native SecurID ACE version 5 agent is supported for all platforms.
- Multiple generic user authentication profiles (called External User Profiles) can be used, in place of the single generic* profile previously available.

Security Servers
- The Security Servers can decode the following character encoding schemes when used in URLs or inside HTTP or SMTP content: UTF-8, UUencode and '&#' encodings (numerical references). This decoding capability is enabled by changing the following global properties to true and installing the policy: http_web_encoding and smtp_mail_encoding.
- The HTTP Security Server now supports by default the WebDAV HTTP methods (as specified in RFC 2518). These methods are required for email access over HTTP by some sites (e.g. Hotmail).

Managing File Sharing
CIFS, the Microsoft protocol for file and print sharing (also known as SMB), is supported. FireWall-1 can enforce a granular access control policy for specific disk shares and printers and log access to these shares. CIFS functionality is available as a new type of resource in the SmartDashboard. FireWall-1 inspects CIFS in the kernel using the Check Point high performance TCP streaming technology.

Inspection of Peer to Peer and Instant Messaging Applications
Applications that use HTTP to tunnel their data can be detected and blocked. This includes peer-to-peer applications like KaZaA and Gnutella and also messaging applications like ICQ, AOL Instant Messenger and MS Messenger. This is done by the HTTP Security Server, which can parse and match regular expressions over HTTP headers.
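Why a Security Server decodes UTF-8, UUencode and numerical references before matching content is shown by the added example below. It is not Check Point code: it applies two constructed inspection patterns to a percent-encoded URL, to HTML with &#NN; references and to a uuencoded mail body, first in raw form and then after decoding. The patterns and the three sample messages are constructed for the example.

```python
import binascii
import re
from urllib.parse import unquote_to_bytes

# Constructed inspection patterns a content filter might apply.
PATTERNS = {
    "path-traversal": re.compile(r"\.\./"),
    "windows-shell": re.compile(r"cmd\.exe", re.IGNORECASE),
}


def decode_url_utf8(url: str) -> str:
    """Resolve %XX escapes to bytes and interpret the result as UTF-8."""
    return unquote_to_bytes(url).decode("utf-8", errors="replace")


_NUMREF = re.compile(r"&#(x[0-9a-fA-F]+|[0-9]+);?")


def decode_numeric_refs(text: str) -> str:
    """Expand &#NNN; and &#xHH; numerical character references."""
    def repl(m):
        ref = m.group(1)
        code = int(ref[1:], 16) if ref[0] in "xX" else int(ref)
        return chr(code) if code < 0x110000 else m.group(0)
    return _NUMREF.sub(repl, text)


def decode_uuencoded(body: str) -> bytes:
    """Decode the uuencoded block (lines between 'begin' and 'end') in a body."""
    out = bytearray()
    in_block = False
    for line in body.splitlines():
        if line.startswith("begin "):
            in_block = True
            continue
        if line == "end":
            break
        if in_block and line:
            out += binascii.a2b_uu(line)
    return bytes(out)


def uuencode(data: bytes, name: str = "payload") -> str:
    """Only used here to construct the sample SMTP body."""
    lines = [f"begin 644 {name}"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines)


def matches(text: str):
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))


def inspect_url(url: str) -> dict:
    return {"raw": matches(url), "decoded": matches(decode_url_utf8(url))}


def inspect_html(content: str) -> dict:
    return {"raw": matches(content), "decoded": matches(decode_numeric_refs(content))}


def inspect_mail(body: str) -> dict:
    decoded = decode_uuencoded(body).decode("latin-1")
    return {"raw": matches(body), "decoded": matches(decoded)}


# Constructed samples: the same content hidden behind each encoding.
SAMPLE_URL = "/download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd"
SAMPLE_HTML = "<a href='&#46;&#46;&#47;admin'>x</a>"
SAMPLE_MAIL = "Subject: report\n\n" + uuencode(b"start cmd.exe /c dir")

if __name__ == "__main__":
    print(inspect_url(SAMPLE_URL))
    print(inspect_html(SAMPLE_HTML))
    print(inspect_mail(SAMPLE_MAIL))
```

In each case the raw form matches nothing and the decoded form matches, which is the gap the http_web_encoding and smtp_mail_encoding properties close when set to true.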

Services
- Simple Object Access Protocol (SOAP), a standard for application data sharing over the Internet using HTTP, is supported. SOAP relies on XML to encode the information and then adds the necessary HTTP headers to send it. FireWall-1 is able to parse SOAP version 1.1 traffic and validate its integrity according to a user defined scheme. Using URI resources, SOAP functionality is available via a new tab in the URI resource window.
- New Multicast support. IGMP is used for Multicast group membership management. The router-alert IP option used by the IGMP protocol is supported. In earlier versions, FireWall-1 dropped all packets with IP options (including IGMP).
- X11 (the X Window graphics system for UNIX) is blocked by default when it is matched by a rule that has "Any" as its service. This prevents a potential security misconfiguration where "Any" is used to allow outbound connections for protected servers. If such X11 connectivity is required, it should be allowed explicitly by a rule that uses this service. The old behavior can be restored by setting the reject_x11_in_any global property to false, though this is not recommended.

Discontinued Features
- The Windows NT performance DLL is no longer included in FireWall-1.
- The Axent Pathways Defender authentication method is no longer supported.

SecuRemote/SecureClient
Connect Mode
- Connect Mode profiles can be created and distributed from the SmartCenter Server (via topology). The client will first attempt to connect to the gateway specified in the profile.
- Automatic topology update is performed with the connected gateway.
- A dialup connection can be selected from the SecureClient connect dialog. Disconnects dialup.
- DSL support when working with Connect Mode.

Secure Configuration Verification (SCV)
Five new SCV checks have been included in the SecureClient installation. The checks verify the following:
- Whether a process is running.
- Whether the user is logged on to a specific group (in the domain or on the local machine).
- The operating system version, Service Pack, operating system security patches and browser version (major/minor).
- Internet security settings (4 parameters in each security zone).
- Screen Saver configuration.
They are available as a separate package for use with older (pre-NG FP3) clients.

Diagnostics Tool
- Ability to run tests on the VPN tunnel connection or similar (ping, tunnel test, DNS resolving, URL fetching).
- Enhanced VPN diagnostics and suggestions to the end user.

Third Party Support
- Export Connect/Disconnect capabilities to third party applications.
- Enable third party SCV packages to start and stop SecureClient.
- The install wizard runs an external batch file/executable according to product.ini.
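How a gateway consumes checks like the five listed above can be shown with a small posture evaluator. The following is an added example, not SecureClient's SCV implementation: a constructed client posture is evaluated against one or more checks per check kind (process, group, OS version/service pack/patches, browser version, zone settings, screen saver) and the names of failed checks are returned so the access decision can fail closed. All process, group, patch identifier and zone setting names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Posture:
    """Constructed snapshot of what a client reports about itself."""
    processes: Set[str]                        # running process image names
    groups: Set[str]                           # domain/local groups of the user
    os_version: str                            # "major.minor", e.g. "5.0" = Windows 2000
    service_pack: int
    patches: Set[str]                          # installed security patch identifiers
    browser_version: str                       # "major.minor"
    zone_settings: Dict[str, Dict[str, str]]   # zone -> setting -> value
    screensaver: Dict[str, object]             # enabled / password / timeout (seconds)


Check = Callable[[Posture], bool]


def _ver(s: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in s.split("."))


def process_running(name: str) -> Check:
    return lambda p: name in p.processes


def member_of(group: str) -> Check:
    return lambda p: group in p.groups


def os_at_least(version: str, sp: int, patches: Set[str]) -> Check:
    return lambda p: (_ver(p.os_version) >= _ver(version)
                      and p.service_pack >= sp
                      and patches <= p.patches)


def browser_at_least(version: str) -> Check:
    return lambda p: _ver(p.browser_version) >= _ver(version)


def zone_requires(zone: str, required: Dict[str, str]) -> Check:
    # Every required setting must be present with the required value; a missing
    # setting fails closed rather than being treated as compliant.
    return lambda p: all(p.zone_settings.get(zone, {}).get(k) == v
                         for k, v in required.items())


def screensaver_locked(max_timeout: int) -> Check:
    return lambda p: (bool(p.screensaver.get("enabled"))
                      and bool(p.screensaver.get("password"))
                      and int(p.screensaver.get("timeout", 10 ** 9)) <= max_timeout)


# Constructed SCV policy; names below are assumptions, not product values.
POLICY: List[Tuple[str, Check]] = [
    ("antivirus process running", process_running("avguard.exe")),
    ("user in VPN-Users group", member_of("VPN-Users")),
    ("Windows 2000 SP2 with required patch",
     os_at_least("5.0", 2, {"PATCH-ID-PLACEHOLDER"})),
    ("browser 6.0 or later", browser_at_least("6.0")),
    ("Internet zone hardened", zone_requires("Internet", {
        "ActiveX": "disable", "Scripting": "prompt",
        "FileDownload": "disable", "JavaPermissions": "high"})),
    ("screen saver locks within 10 min", screensaver_locked(600)),
]


def failed_checks(p: Posture) -> List[str]:
    """Names of policy checks the client does not satisfy (empty = verified)."""
    return [name for name, check in POLICY if not check(p)]


def is_verified(p: Posture) -> bool:
    return not failed_checks(p)


COMPLIANT = Posture(
    processes={"avguard.exe", "explorer.exe"}, groups={"VPN-Users", "Users"},
    os_version="5.0", service_pack=3, patches={"PATCH-ID-PLACEHOLDER"},
    browser_version="6.0",
    zone_settings={"Internet": {"ActiveX": "disable", "Scripting": "prompt",
                                "FileDownload": "disable", "JavaPermissions": "high"}},
    screensaver={"enabled": True, "password": True, "timeout": 300},
)

# Same machine after drift: antivirus stopped, older browser, no lock password.
DRIFTED = Posture(
    processes={"explorer.exe"}, groups=COMPLIANT.groups, os_version="5.0",
    service_pack=3, patches=COMPLIANT.patches, browser_version="5.5",
    zone_settings=COMPLIANT.zone_settings,
    screensaver={"enabled": True, "password": False, "timeout": 300},
)

if __name__ == "__main__":
    print("compliant:", failed_checks(COMPLIANT))
    print("drifted:  ", failed_checks(DRIFTED))
```

The check constructors return closures so a policy is a plain list of (name, check) pairs that can be extended without touching the evaluator; reporting the failed names, rather than a bare boolean, is what lets the client show the user what to fix.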

Office Mode
Office Mode is now supported on Windows NT/2000/XP.

SmartCenter
SmartCenter Server
- The Revision Control feature has been enhanced to allow the restoration of an earlier version of the database. Previously, snapshots of the database, including policies and objects, could be created.

SmartCenter GUI Clients
- An administrator can log in to the SmartCenter with a CAPI certificate.

SmartDashboard
- Division of the Security Policy into sections: the policy can be organized into logical sections. Each section consists of a group of rules. The sections can be collapsed or expanded, thus enabling easy viewing of the policy.
- A logical view for servers, similar to the previously introduced OPSEC view: the user can see on what network objects his servers are installed, query and edit the servers from the object on which they are installed, and see the install-on objects from the Servers tree.

SmartMap
- The status of Check Point modules is displayed in SmartMap. Selecting a Module enables Status Manager to be launched in order to view further status information. This is enabled for all machines with applications sending logs to the SmartCenter Server, and not only for Check Point installed products.
- Simple network nodes (hosts) can be hidden behind the network to which they are connected. This can be done/undone globally or per network. This allows for better viewing of the network backbone.
- Automatic arrangement can be applied to selected objects only.
- Undo one step from the last action that changed the view (for instance zoom, layout or object move).

Policy Installation
- The handling of established connections when installing a policy can be set using the SmartDashboard. The following options are available:
  1. Rematch connections (default option): data connections will be removed, and all other connections are rematched against the new security policy.
  2. Keep all connections: no connections will be removed from the connection table, even if they are not allowed by the new security policy.
  3. Keep data connections: data connections will not be removed from the connection table, even if they are not allowed by the new security policy.
- New user interface for the Install Policy operation, using a SmartDashboard wizard, with better progress indication and an organized installation error list.

Log Manager
- New user interface for easier viewing and managing of logs. Several log files can be viewed and managed simultaneously.
- SmartDashboard can be opened on the rule which generated the log.
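The three connection-handling options are easiest to compare on a concrete table. The following added example (not Check Point code) models a connection table containing an SSH session, a Telnet session and an FTP data connection, installs a constructed rule base that no longer permits Telnet, and shows which connections survive under each option. Addresses, rules and the first-match semantics with an implicit drop are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    proto: str
    is_data: bool = False   # data connection opened on behalf of a control connection (e.g. FTP data)


@dataclass(frozen=True)
class Rule:
    src: str                # network in CIDR notation
    dst: str
    dport: Optional[int]    # None = any port
    proto: str
    action: str             # "accept" or "drop"


def rule_matches(rule: Rule, conn: Conn) -> bool:
    return (ip_address(conn.src) in ip_network(rule.src)
            and ip_address(conn.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == conn.dport)
            and rule.proto == conn.proto)


def allowed(policy: List[Rule], conn: Conn) -> bool:
    """First-match evaluation; anything unmatched hits the implicit drop."""
    for rule in policy:
        if rule_matches(rule, conn):
            return rule.action == "accept"
    return False


def install_policy(table: Set[Conn], new_policy: List[Rule], mode: str = "rematch") -> Set[Conn]:
    """Return the connections that survive installing new_policy under the given option."""
    kept = set()
    for conn in table:
        if mode == "keep_all":                                   # option 2
            kept.add(conn)
        elif mode == "keep_data":                                # option 3
            if conn.is_data or allowed(new_policy, conn):
                kept.add(conn)
        elif mode == "rematch":                                  # option 1 (default)
            if not conn.is_data and allowed(new_policy, conn):
                kept.add(conn)
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return kept


# Constructed connection table and new rule base.
SSH = Conn("10.0.0.5", "192.168.1.10", 22, "tcp")
TELNET = Conn("10.0.0.5", "192.168.1.10", 23, "tcp")
FTP_DATA = Conn("192.168.1.10", "10.0.0.5", 50001, "tcp", is_data=True)
TABLE = {SSH, TELNET, FTP_DATA}

NEW_POLICY = [
    Rule("10.0.0.0/8", "192.168.1.0/24", 22, "tcp", "accept"),   # Telnet is no longer allowed
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "tcp", "drop"),
]

if __name__ == "__main__":
    for mode in ("rematch", "keep_all", "keep_data"):
        kept = sorted(f"{c.dst}:{c.dport}" for c in install_policy(TABLE, NEW_POLICY, mode))
        print(f"{mode:10s} -> {kept}")
```

Under the default, the Telnet session is torn down because the new policy no longer accepts it and the FTP data connection is dropped because data connections are not rematched; keep_all preserves every existing connection regardless of the new policy, and keep_data preserves only the data connection in addition to what the new policy still allows.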

SmartUpdate
- Product packages can be downloaded directly from the Check Point Download Center to the SmartUpdate Product Repository.
- Licenses can be downloaded directly from the User Center to the SmartUpdate License Repository.
- The SecurePlatform operating system and Performance Pack can be remotely upgraded.
- Information about the latest available software updates is sent directly from the Check Point Download Center to SmartUpdate.
- UserAuthority and WebAccess can be remotely installed.
- All products on multiple remote Gateways can be remotely upgraded in parallel using a simple SmartUpdate wizard.
- The same product package can be used for all installation scenarios: new installation, upgrade from version 4.1 and upgrade from NG.
- Alerts can be configured to indicate when licenses are about to expire. It is also possible to search for expired licenses.
- Command line to remotely stop, start and restart Check Point services (cpstop, cpstart and cprestart).

FireWall-1 GX SmartCenter Supplement
FireWall-1 GX secures GPRS networks. A SmartCenter Server can manage FireWall-1 GX Modules of version 1.5 (NG FP2 based). To manage these Modules, install the FireWall-1 GX SmartCenter Supplement over the SmartCenter Server. The Nokia and Solaris platforms are supported. A FireWall-1 GX specific license is required.

ClusterXL
- Cluster and cluster member objects in the SmartDashboard are much easier to define, following an extensive redesign of the objects, with a one-click transition to Load Sharing mode.
- A new High Availability mode (New CPHA) enables remote management. New CPHA mode uses unique unicast IP addresses and MAC addresses, rather than sharing the IP and MAC address among the cluster members.
- New CPHA mode and the Load Sharing modes now use multicasts instead of broadcasts for the clustering protocol. This significantly reduces cluster protocol traffic in the network.
- The state of the cluster members can be controlled from the Status Manager. The state of a cluster member can be changed to "Up" or "Down" with no need to access the cluster member modules.
- The security policy is now fetched first from another cluster member. If no other cluster member is available, the policy is fetched from the management. This ensures that the policy in the cluster will be consistent.
- VLANs are now supported on Linux platforms, including SecurePlatform NG FP3 and Red Hat 7.2.

User Management (LDAP Account Management)
An LDAP Account Unit contains several replicated LDAP servers. The LDAP servers within an Account Unit are assigned different priorities, which enable optimal load sharing if a server fails or if network traffic is very busy.

SecurePlatform
- SecurePlatform can be installed from a Serial Console, without the need to connect a keyboard to the installed computer itself.

- Kernel debug support allows booting in debug mode, so that kernel crashes can be debugged. The kernel creates a dump of the machine memory in case of a crash.
- Added support for several new NICs. For the full list of supported NICs please refer to http://www.checkpoint.com/techsupport.
- SecurePlatform supports up to 1024 interfaces.
- Ability to patch from a CD, which allows a fast upgrade directly from the SecurePlatform CD. Upgrade patches from earlier versions are included.

SmartView Monitor
- New monitoring of Counters for VPN-1, FireWall-1, FloodGate-1 and the operating system: Real Time Monitoring of different Check Point counters such as Tunnels, CPU usage and encrypted bytes. Multiple selection of counters from different categories. A detailed description of each counter is available on counter selection. Factor Optimization normalizes the counter value to the current view.
- Monitor of top Services, IP Addresses and FireWall-1 Rules: allows a Real Time Monitor of the 1-50 top bandwidth consuming Services, IP addresses or FireWall-1 Rules. (The view dynamically changes its entities according to the current top entities.) Up to 50 top items can be viewed. Disable Top view allows the user to follow the current top entities without allowing new entities to enter the display.
- Traffic and counter reports for the last hour, day and week: provides a historical view of the last hour, day and week of a selected subset of traffic views and Check Point counters. A toolbar option allows navigation between different time scales. Configurable file for history definitions.
- New table view with statistical info: statistical columns which show the maximum, minimum and of the given value. Columns can be sorted. Highlighting the legend highlights the view and vice versa.

UserAuthority
- Cross-server authentication — in an organization with multiple Web Servers, users often find themselves having to reauthenticate time and time again. UserAuthority allows user information to be shared between Servers, thus a user authenticates once, and thereafter this authentication carries over to every other Web Server. This is in addition to and separate from users that were recognized from having authenticated via other mechanisms, such as VPN-1/FireWall-1 or the Domain Controller.
- New and improved SSO Flow — the SSO (Single Sign-On) Flow enables the user to enter the system once and thereafter not have to reauthenticate at subsequent logons. For this purpose the user enters the system via the SignOn window (which allows you to sign on to the UserAuthority system) and the Confirm window (an optional window that enables the user to view, learn and manipulate the system automatically). These windows smooth and ease the SSO flow, thereby enabling the user to transition smoothly and easily through the system. They appear limitedly throughout the working day.
- Improved logging of UserAuthority Server.
- VPN-1/FireWall-1 Logs and Web Logs — a new log system was added to UserAuthority WebAccess. It allows administrators to configure the relevant events in which they are interested and to get the information through a web interface or the Check Point Log Viewer. It helps web administrators, security administrators and helpdesk administrators to handle all operations in UserAuthority WebAccess.
- Rules Exceptions — it is possible to define a rule exception. An area is designated in the scope of the rules to which the rule does not apply. This makes it easier to define website permissions.
- UserAuthority Settings — a new interface for users to handle their credentials to web applications. UserAuthority Settings allows users to change/insert their passwords to applications and to handle their personal preferences.

FloodGate-1
- FloodGate-1 can run in Express mode. In this mode the performance of the product is greatly enhanced by the ability to choose a limited set of features. To activate Express mode, edit and install an Express QoS policy.
- FloodGate-1 now supports more IP services. The new set includes all the IP services supported by FireWall-1.
- The QoS Action window is used to determine the actions in a FloodGate-1 rule. This window now contains a Simple and an Advanced mode.
- A QoS rule can be marked as applicable only to VPN traffic. This is achieved by checking Apply rule only to encrypted traffic in the QoS Action window.
- FloodGate-1 now logs and accounts the following: connections rejected by the admission policy (Per Connection Guarantee); packets dropped on account of buffer saturation and Drop policy; LLQ (Low Latency Queuing) drops; LLQ statistics. These statistics can be used to configure the Maximal Delay in LLQ.
- QoS now has a new Install Policy window with enhanced functionality.
- FloodGate-1 Modules can be assigned dynamic IP Addresses and defined as DAIP Modules.
- FloodGate-1 can be installed on cluster members in Load Sharing mode. Each cluster member is allocated bandwidth independently. This is important because bandwidth allocation amongst cluster members is not synchronized. Traffic distribution between cluster members ensures that there are no bandwidth allocation discrepancies.
- FloodGate-1 now supports Linux Red Hat 7.3 (Kernel 2.4.18).
- FloodGate-1 files are now installed in a new default directory. On Linux, Nokia and Solaris platforms the directory is /opt/CPfg1-53/. On Windows platforms the directory is \program files\checkpoint\fg1\ng\. A new environment variable that contains this path was introduced: FGDIR.

Profile Based Management
- Hundreds of ROBO Gateways can be managed via a single SmartCenter Pro Server. Properties and policies are defined per Profile (using Check Point SmartDashboard). These profiles represent multiple ROBO Gateways, thus the security administrative overhead per Gateway is greatly reduced.

- ROBO Gateways are managed in a new, simple and scalable ROBO Manager GUI.
- Periodic fetch of the policy by the ROBO Gateway.
- Central localization of the policy per ROBO Gateway (by central resolution of Dynamic Objects per ROBO Gateway via the ROBO Manager GUI). These dynamic objects represent the ROBO Gateway and the networks behind its interfaces.
- Simplified setup on account of automatic calculation of information on the ROBO Gateway such as Anti-Spoofing and Encryption Domain, as well as the resolution of dynamic objects such as "LocalMachine", "InternalNet", "DMZNet" and "AuxiliaryNet".
- ROBO Gateways are regular Check Point Gateways which support security policy enforcement (and other FireWall-1 capabilities).
- ROBO Gateways support static or dynamic IP addresses.
- ROBO Gateways support site-to-site VPN tunnels to a regular (Central-Office/CO) Gateway. Backconnections are also supported.
- ROBO Gateways support VPN tunnels from SecuRemote clients.
- ROBO Gateways support sending logs to different Log Servers.
- Light-weight status monitoring of all ROBO Gateways, and in-depth status monitoring of a ROBO Gateway per request.
- Troubleshooting actions per ROBO Gateway via the ROBO Manager GUI, such as Push Policy, CPStop/CPStart and Reboot.
- A Provider-1 CMA with a SmartCenter Pro license can manage ROBO Gateways as a regular SmartCenter Pro Server. The feature is fully supported from the MDG.

Provider-1/SiteManager-1
- In version NG FP2, the CMA memory usage was reduced to 10 to 20 MB per CMA (depending on the CMA's activity). In version NG FP3, these figures have been further reduced.
- Provider-1/SiteManager-1 allows Check Point logs to be easily exported to an external Oracle Database. The Log Export feature enables the administrator to schedule an export operation per CMA and to easily select the log fields to be exported. The database can then be used to create any type of report with customer proprietary tools.
- The System Status view has been restructured to a tabular format, clearly displaying the maximal amount of information. The display can be sorted, modified to show selected data, or exported to a file.