Check Point Provider-1/SiteManager-1 NG with Application Intelligence (R55) R55_HFA_19 Release Notes February 21, 2007

Transcription

1 Check Point Provider-1/SiteManager-1 NG with Application Intelligence (R55) R55_HFA_19 Release Notes February 21, 2007 IMPORTANT Check Point recommends that customers stay up-to-date with the latest service packs, HFAs and versions of security products, as they contain security enhancements and protection against new and changing attacks. The information contained in this release note should be read in conjunction with the information in the corresponding FireWall-1 HFA. In This Section Introduction page 2 What s New page 2 Security Enhancements page 2 Supported Versions page 3 Supported Platforms page 4 Supported Builds page 4 Known Limitations page 6 Installation page 6 Uninstall Instructions page 7 Inspect File Replacement Utility page 8 Resolved Issues in Provider-1_R55_HFA_19 page 10 Resolved Issues in Previous HFAs page 10 Special Instructions page 15 Backup and Restore page 17 Please read these Release Notes before installing R55_HFA_19.

2 Introduction What s New The Check Point Provider-1/SiteManager-1 NG with Application Intelligence (R55) Hotfix Accumulator Provider-1_R55_HFA_19 is a recommended Hotfix that contains fixes for SVN Foundation, VPN-1/FireWall-1 and Provider-1 Multi-Domain Server (MDS). Check Point Provider-1/SiteManager-1 NG with Application Intelligence (R55) Provider- 1_R55_HFA_19 is designed for use on Provider-1/SiteManager-1 Solaris, Linux and SecurePlatform operating systems. Provider-1_R55_HFA_19 is installed without removing Provider-1/SiteManager-1 NG with Application Intelligence (R55). Check Point highly recommends that customers stay up-to-date with the latest service packs, HFAs, and security product versions, as they contain security enhancements and protection against new and changing attacks. Make sure that you read this document carefully before installing Provider-1/SiteManager-1 NG with Application Intelligence (R55) Provider-1_R55_HFA_19 on your system. It is also recommended to read Check Point Provider-1/SiteManager-1 NG with Application Intelligence (R55) User Guide. Improved error reporting in distributed environments. VPN-1 Edge Firmware 6.5 is now supported. Security Enhancements The Hotfix Accumulator, Provider-1_R55_HFA_19, contains the following security enhancements: 1) Vulnerability in Integrity Clientless Security (ICS) has been discovered for version 3.x or earlier. The vulnerability may be used to forge successful scan results for any client machine. For additional details refer to sk ) ASN.1 Security Vulnerability - 28 July A vulnerability in ASN.1 has been discovered affecting Check Point VPN-1 products during IKE negotiations of a VPN tunnel which may cause a buffer overrun. Check Point Software customers who do not use Remote Access VPNs or gateway-to-gateway VPNs, are NOT affected by this vulnerability. Refer to Check Point alert site for further information: 3) ISAKMP Vulnerability - 4 May An ISAKMP vulnerability has been discovered that affects Check Point VPN-1 products during the negotiation of a VPN tunnel. The vulnerability may cause a buffer overflow, potentially compromising the gateway. Refer to Check Point alert site for further information: techsupport/alerts/ike_vpn.html

3 4) TCP RFC Alert - April 20, A recently published NISCC advisory (236929/ TCP) describes a potential RST attack on any operating system or software that has implemented TCP based on RFC 793 and RFC Refer to Check Point alert site for further information: Also see SecureKnowledge s SK ) OpenSSL Vulnerability - 26 March Recent OpenSSL advisories reveal vulnerabilities in OpenSSL. Refer to Check Point alert site for further information: 6) FireWall-1 HTTP Security Server Vulnerability - 06 February A vulnerability in the FireWall-1 HTTP Security Servers exists that may cause it to crash in certain circumstances. Refer to Check Point alert site for further information 7) H.323 Vulnerability - 26 January A recent NISCC advisory reveals vulnerabilities in H.323 equipment including GateKeepers, endpoints (phones, softphones, video cameras, etc.), and firewalls that enforce H.323 security. Refer to Check Point alert site for further information: techsupport/alerts/h323.html 8) Improved enforcement: VPN-1: IKE & topology download protocol. Relevant to users of VPN-1 only. Authentication protocols. Relevant users of Authentication capabilities in FireWall-1 only. Client Authentication: SSL/TLS protocol. HTTP Security Server authentication process. FTP, FTP over HTTP, and SMTP protocols. Relevant users of FTP, HTTP and SMTP security servers. Usually used for outgoing traffic. Check Point Secure Internal Communication (SIC) protocols. Provider-1: GUI logs in process. Topology download authentication General Enhancements Provider-1 of version HFA_13 and above, can manage VPN-1 Edge Gateways with Firmware 5.0. SmartUpdate of version HFA_13 and above, can install packages from version R55 plus, for NOKIA IPSO 3.8. Supported Versions Provider-1_R55_HFA_19 is installed on top of NG with Application Intelligence (R55) or on any preceding MDS_HFA_R55_XX.

4 Supported Platforms Provider-1_R55_HFA_19 is available for the following platforms: Solaris Linux SecurePlatform Supported Builds Provider-1_R55_HFA_19 consists of the following builds: Component Build Number Comment SVN Foundation The output of cpshared_ver should be: This is Check Point SVN Foundation (R) NG with Application Intelligence (R55) HFA_19, Hotfix 848- Build 018 FireWall The output of fw ver should be: This is Check Point VPN-1(TM) & FireWall-1 (R) NG with Application Intelligence (R55) HFA_19, Hotfix 848 Build 026 MDS The output of fwm mds ver should be: Check Point Provider-1 Server NG with Application Intelligence (R55), HFA_19 Hotfix Build 001 Backwards Compatibility SofaWare More information can be found in file swversion.txt in / opt.cpfw1-r55/bin directory

5 Supported Build History The following table displays the build history from the sixth to the latest HFA: HFA/Component SVN Foundation FireWall-1 & Kernel HFA_R55_19 (Current) HFA_R55_ HFA_R55_ HFA_R55_ HFA_R55_ HFA_R55_ HFA_R55_ HFA_R55_ HFA_R55_ HFA_R55_ HFA_R55_ HFA_R55_ HFA_R55_ HFA_R55_

6 Known Limitations Installing R55_HFA_19 overwrites the $FWDIR/lib/vpn_table.def file. There is a backup of the vpn_table.def file for each CMA under the lib directory. If this file was manually modified perform the modification again in the new vpn_table.def file. Installing Provider-1_R55_HFA_19 overrides any current Hotfix support that has been applied to NG with Application Intelligence (R55). Before installing Provider-1_R55_HFA_19, verify that NG with Application Intelligence (R55) is installed and configured on your machine. Installation Provider-1_R55_HFA_19 General Configuration Considerations As part of a standard upgrade procedure it is strongly recommended that you backup MDS prior to installing the Provider-1_R55_HFA_19 Hotfix. For detailed instructions on how to run this feature, please refer to the Backup and Restore on page 17. HFA_R55_19 installation packages should be placed in the /var file system, where sufficient space is available to the install scripts for installing the HFA. The Provider-1_R55_HFA_19.tgz format package consists of the following components: install_hfa uninstall_hfa files/cpshared_hotfix_hfa_r55_19_ tgz files/fw1_hotfix_hfa_r55_19_ tgz files/others (specific files) Installation on Different Platforms Solaris, Linux and SPLAT The package SHF_HFA_R55_19.tgz format consists of the following components: install_hfa uninstall_hfa files/cpshared_hotfix_hfa_r55_19_ tgz files/fw1_hotfix_hfa_r55_19_ tgz files/others 1 Extract the package to a temporary directory. 2 Stop MDS by running mdsstop. 3 Execute the install_hfa script in order to start the installation. 4 When the installation is complete, reboot the machine. 5 Re-install the security policy on all gateways.

7 Uninstall Instructions Provider-1_R55_HFA_19 1) Stop MDS by running mdsstop. 2) Set the directory as the directory from which you installed the Provider- 1_R55_HFA_19. If you replace the def file utility that was executed the restore def file utility must be executed before removing the HFA. 3) Execute the uninstall_hfa script from the installation directory. 4) Reboot the machine.

8 Inspect File Replacement Utility Provider-1_R55_HFA_19 - Linux The Hotfix installation does not modify the current *.def INSPECT files. New files (*_HFA.def) are placed in the /opt/cpfw1-r55/lib/ directory. In addition, the corresponding hash files (*_HFA.def.hash) are created in the /opt/cpfw1-r55/hash/ directory. Replacing INSPECT Files 1) Change the directory to the directory from which you installed the HFA. The script can be found in the./files/ directory. 2) Run the./replace_inspect_files script. 3) The script will verify whether or not manual modifications were made to the INSPECT files in each CMA before replacing them. If modifications were made, a notification will be presented and the user will be able to choose whether to replace the file or not. The replacement is automatically performed for CMAs that were not modified. 4) For each file replaced, there will be a backup file with the following extension: _pre15. For example, table.def will be table_pre14.def. Notes: a. Do not run the replace_inspect_files script more than once, consecutively. If you wish to run this script again, run the restore_inspect_files script, (See Restoring INSPECT files), and then run the replace_inspect_files again. a. If you choose not to replace files of a specific CMA during the execution of the replace_inspect_files script, you can replace those files later, manually. Before manually replacing the CMA s INSPECT files, please save the original files and corresponding hash files with the extention _pre15. For example, to replace the table.def file manually, save it with the name table_pre15.def in $FWDIR/lib, and save its corresponding hash file with the name table_pre15.def.hash, in $FWDIR/ hash. Restoring INSPECT files The CMA INSPECT files replacement operation can be reversed as follows: 1) Change the directory to the directory from which you installed the Provider- 1_R55_HFA_19. The restore_inspect_files script can be found under the files/ directory, under the installation directory. 2) Run./restore_inspect_files. 3) The restoration is automatically performed for all CMAs.

9 The INSPECT files with the _prexx extension, saved by the replacement script, will be restored instead of the Provider-1_R55_HFA_19 INSPECT files. Provider-1_R55_HFA_19 - Solaris The Hotfix installation does not modify the current *.def INSPECT files. New files (*_HFA.def) are placed in the /opt/cpfw1-r55/lib/ directory. In addition, the corresponding hash files (*_HFA.def.hash) are created in the /opt/cpfw1-r55/hash/ directory. In order to replace the new files in all the CMAs, the install_def_files script can be executed after installing HFA. Replacing INSPECT Files 1) Change the directory to the directory from which you installed the HFA. The script can be found in the./files/ directory. 2) Run./install_def_files. 3) The script will verify whether or not modifications were made to the replaced file in each CMA, before replacing it. a. If modifications were made, a notification will be presented with the following options: The replacement utility can be run in the following modes: Enter [1] to replace all CMA INSPECT files. Enter [2] to replace specific CMA INSPECT files. Enter [3] to exit without replacing any INSPECT files. b. The replacement is automatically performed for CMAs that were not modified. 4) For each file replaced, there will be a backup file with the following extension: pre_<hfa_name> For example, table.def will become table.def_pre_hfa_r55_xx. Restoring INSPECT files The CMA replacement operation can be reversed as follows: 1) Change the directory to the directory from which you installed the HFA. The script can be found in the../files/ directory. 2) run./restore_inspect_files. 3) The script will verify whether or not modifications were made to the replaced file in each CMA before replacing it. a. If modifications were made, a notification will be presented with the following options:

10 The replacement utility can be run in the following modes: Enter [1] to restore all CMA INSPECT files. Enter [2] to restore specific INSPECT files. Enter [3] to exit without replacing any INSPECT files. b. The replacement is automatically performed for CMAs that were not modified. Resolved Issues in Provider-1_R55_HFA_19 All relevant fixes for SmartCenter Firewall-1 R55_HFA_19 are resolved in Provider- 1_R55_HFA_19. For details please refer to the VPN-1 Pro HFA_R55_19 Release Notes. R55_19_1 R55_19-2 R55_19-3 R55_19-4 Provider-1: Status Monitoring Improved errors reporting in distributed environments. Provider-1: Global Policy Improved stability in specific cases of Global Policy Assignment. Clientless VPN: CVPN SNX Vulnerability in Integrity Clientless Security (ICS) has been discovered for version 3.x or earlier. The vulnerability may be used to forge successful scan results for any client machine. For additional details refer to sk For additional information refer Known Limitations on page 6. VPN-1 Edge VPN-1 Edge Firmware 6.5 is now supported. Resolved Issues in Previous HFAs In This Section MDS_HFA_R66_18 page 11 MDS_HFA_R66_17 page 11 MDS_HFA_R66_16 page 11 MDS_HFA_R55_15 page 11 MDS_HFA_R55_14 page 11 MDS_HFA_R55_13 page 12 MDS_HFA_R55_12 page 12 MDS_HFA_R55_09 page 13 MDS_HFA_R55_08 page 13 MDS_HFA_R55_07 page 13 MDS_HFA_R55_06 page 13

11 MDS_HFA_R66_18 R55_18_1 R55_18-2 Firewall-1: Policy Installation Improved Security Policy installation in a R55 and R55W mixed gateway environment. Provider-1: Miscellaneous Improved memory usage when logging in via SmartDashboard to a CMA. Install On: Provider-1 Multi Domain Server MDS_HFA_R66_17 R55_17_1 Provider-1 Global Policy When migrating the Global Policy, there is no need to import the fwauth.ndb file from the source global database. R55_17-2 SmartUpdate The command line cprinstall get gateway now works from a CMA environment when the gateway is a resilience box. MDS_HFA_R66_16 R55_16_1 Synch can now be established in Management High Availability when $FWDIR of the Primary Management is installed on a path with spaces. Previously, the primary Management was unable to create a backup tar.tgz file and a message Failed to backup was displayed. MDS_HFA_R55_15 R55_15_1 Syslog per CMA is now supported MDS_HFA_R55_14 R55_14_1 Increased amount of file descriptors per process in Solaris.

12 MDS_HFA_R55_13 R55_13-1 R55_13-2 R55_13-3 R55_13-4 R55_13-5 Applications whose status is unknown can now be handled by the MDS. Improved speed of Policy installation on a VPN-1 Edge profile. In the context of global VPN communities where two gateways are involved and managed by different CMAs and use dynamic interface resolving and have more than one interface that is routable from each other, the value of the property interface_resolving_ha_gw defined on a VPN gateway object defined on one CMA is not transferred to the other but should. The workaround is to use static interface resolving, set the property value in $FWDIR/conf/objects_5_0.C manually on each CMA for the object defined on another CMA, or to not use interface resolving at all (just use the address to which IKE traffic should be sent in the object's General Properties tab). Improved connectivity with the Web Visualization tool. Audits are sent for the following Provider-1 operations: Global Policy operations Enable/Disable global use Start/Stop CMA MDS_HFA_R55_12 R55_12-1 R55_12-2 R55_12-3 R55_12-4 R55_12-5 In the context of global VPN communities where two gateways are involved and managed by different CMAs and use dynamic interface resolving and have more than one interface that is routable from each other, the value of the property resolve_multiple_interfaces_gw defined on a VPN gateway object defined on one CMA is not transferred to the other but should. The workaround is to use static interface resolving, set the property value in $FWDIR/conf/objects_5_0.C manually on each CMA for the object defined on another CMA, or to not use interface resolving at all (just use the address to which IKE traffic should be sent in the object's General Properties tab). Resolved issue where there was a problem connecting to the Customer Logging Module's SmartView Tracker while installing a database on primary and secondary CLMs. Corrections made to scripts that prompt the user to reboot. Corrections to scripts according to customer request. install_hfa and uninstall_hfa scripts now backup a number of files which were manually replaced.

13 R Improved logging in the install_hfa and uninstall_hfa scripts. MDS_HFA_R55_09 R55_09-1 R55_09-2 R55_09-3 Provider-1 Failure of IKE negotiations when dynamic interface resolving is enabled. See special instructions: R55_09-1 Provider-1 Coexistence of R55W and HFA_09 now supported on MDS installation. Provider-1 Provider-1/SiteManager-1 NG with Application Intelligence HFA 09 supports the new licenses for Provider-1 Enterprise Edition Products (Part Numbers CPMP-PRE-3-NG and CPMP-PRE-5-NG). These licenses are being distributed and are available for purchase from July However, these licenses are not recognized by previous versions of Provider-1/SiteManager-1 VPN-1 VSX NG with Application Intelligence. MDS_HFA_R55_08 R55_08-1 Provider-1 - Miscellaneous: Failure to manage VPN-1 Edge devices resolved MDS_HFA_R55_07 R55_07-1 R55_07-2 Provider-1 - Miscellaneous: The VPN-1 Edge device can now connect to Provider-1 behind NAT. To configure this scenario, see Special Instructions: MDS_HFA_R55_07. Provider-1 - Miscellaneous: Improved ability to create and restore Database Revisions using Smart Dashboard. MDS_HFA_R55_06 R55_06-1 Provider-1 - Migrate: In certain scenarios, cma migration may not work.

14 R55_06-2 R55_06-3 R55_05-1 R55_05-2 R55_04-1 R55_03-1 Provider-1- Miscellaneous: Each CMA tries to load certain dlls (persistentagent and statisticaloid) which it shouldn t load. See Special Instructions: MDS_HFA_R55_06 Provider-1 - Miscellaneous: During the creation of the secondary CMA/CLM, when the start command is executed and the Primary CMA is meant to push the certification to the secondary CMA, the push operation doesn t always succeed. This happens because the Update Object operation takes place instead of the New Mirror CMA operation. Resolved connection issue to Edge device from a Provider-1 SmartCenter Server when the Provider-1 is behind NAT. Prevents Provider-1 from identifying a host with a dash in the name as an IP range and not a host name. Resolved libpersistentagent.so to causes CMA cpd stability issues. Can now un-exclude services that were assigned to a CMA using GVC.

15 Special Instructions In This Section FireWall-1 HTTP Security Servers page 15 MDS_HFA_R55_07 page 13 HFA_R55_06 page 17 FireWall-1 HTTP Security Servers FireWall-1 HTTP Security Servers information disclosure in automatic client and user authentication. In most deployments, the cpsc.conf file, located in the $FWDIR/lib/ directory and the cpsc.en_us file, located in the $FWDIR/conf/cpsc/ directory have not been adjusted manually. The HFA installation replaces these files. If the cpsc.en_us file (located in the $FWDIR/conf/cpsc/ directory) has been changed manually and the customer does not wish to override the changes, the following steps should be taken prior to installing this HFA: 1 Backup the current $FWDIR/conf/cpsc/cpsc.en_us file. 2 Install HFA. 3 Restore the backup file. 4 Edit the $FWDIR/conf/cpsc/cpsc.en_us file. Note - If you are using a language other than English, replace the cpsc.xxx file with the file appropriate for your language. 5 Search inside the file for the label: CPSC_HTTP_FW_UNAUTH 1024 "\n\n#local_host# Unauthorized to access the document.<br><br><li>authorization is needed for FW-1.<BR><BR>\n" (local_host realm user auth_prompt reason_title reason new_loc). The following instructions must be executed after installing HFA: a. Stop the MDS by running mdsstop. b. Run the command /bin/mv $CPDIR/lib/libpersistentAgent.so $CPDIR/lib/ libpersistentagent.so.not_used c. Start MDS by running mdsstart.

16 HFA_R55_09 R55_09-1 In the context of global VPN communities involving two gateways, each gateway managed by different CMAs using dynamic interface resolving and each gateway has more than one interface that is routable to the other, the value of the property resolve_multiple_interfaces_gw defined on a VPN gateway object defined on one CMA is not transferred to the other. Because this property is needed for IKE to work properly, IKE negotiations may fail when dynamic interface resolving is used. The workaround is to: 1 Use static interface resolving. 2 For each CMA, open its $FWDIR/conf/objects_5_0.C in a text editor, and manually set the property resolve_multiple_intefaces_gw to TRUE for the object defined on the other CMA. Alternatively, do not use interface resolving at all. Instead, use the address to which IKE traffic should be sent in the object's General Properties tab.

17 HFA_R55_07 R55_07-1: The VPN-1 Edge device can now connect to Provider-1 behind NAT. To configure this scenario, proceed as follows: 1 Stop the SMS by issuing smsstop, while in the CMA environment. 2 For each CMA edit the file $FWDIR/conf/sofaware/SWManagementServer.ini. 3 Search for the keyword; [Server], below it, add: ExternalIP=hiding_ip BindIP=cma_ip 4 Replace hiding_ip with the statically NATed IP address. 5 Replace cma_ip with the IP address of the CMA. 6 Start the sms by issuing smsstart, while in the CMA environment. HFA_R55_06 R55_ Each CMA tries to load certain dlls (persistentagent and statisticaloid) which it shouldn t load. In order to activate this fix follow the instructions below: 1. backup existing $MDSDIR/scripts/mdsadd_customer 2. rename $MDSDIR/scripts/mdsadd_customer_HFA to $MDSDIR/scripts/ mdsadd_customer. The HFA will now solve the problem for new CMAs only. To solve the problem for CMAs that have already been defined, execute the following for each CMA: 1 mdsenv <cma_name> 2 $CPDIR/bin/amon_config cpstatdll rem Persistency 3 $CPDIR/bin/amon_config cpstatdll rem STATISTICAL Backup and Restore The purpose of the backup/restore utility is to backup MDS as a whole (that is, including all the CMAs it maintains), and to restore it, when necessary. The restoration procedure reverts the MDS to the state it was in when the backup procedure was executed. The backup saves both user data and binaries. Restoration can be performed on the original machine, or, if your intention is to upgrade to another machine, by replicating your MDS for testing purposes. During the backup process, it is possible to view but not to modify any data using MDGs, SmartConsole clients or other clients. If the Provider-1/SiteManager-1 system consists of several MDS servers, the backup procedure must be performed on each and every MDS server. Likewise, when the restoration procedure takes place, it should be performed on all MDS servers concurrently.

18 mds_backup Running mds_backup requires super-user privileges. The mds_backup archives the data and binary root directories of a Provider-1 MDS installation. Additional information located under these directories is also backed up, except from files that are specified in the mds_exclude.dat ($MDSDIR/conf) file. The collected information is wrapped in a single zipped tar file. The name of the created archive file is constructed by the date and time of the backup, followed by the extension.mdsbk.tgz (for example, 13Sep mdsbk.tgz). The file is placed in the current working directory; therefore, it is important not to run mds_backup from one of the directories that will be backed up. For example, when backing up a NG FP3 MDS, do not run mds_backup from /opt/cpmds-53 because you will not be able to zip the directory to which you are writing the files. Usage mds_backup mds_restore Restores an MDS that was previously stored with mds_backup. For the operation to work successfully, mds_restore requires a fresh MDS installation with the same version as the MDS that needs to be restored. Usage For NG with Application Intelligence since (R54): mds_restore <backup file> For NG prior to NG with Application Intelligence since (R54): mds_restore <backup file> $MDSDIR/bin/set_mds_info -b -y Source: Upgrade Guide NG with Application Intelligence (R55), Upgrading Provider-1