Special Hotfix for R75.40VS


Special Hotfix for R75.40VS Release Notes
20 January 2013
Protected

© 2013 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS and FAR.

TRADEMARKS: Refer to the Copyright page for a list of our trademarks. Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at:
For additional technical information, visit the Check Point Support Center.

Revision History
Date              Description
17 January 2013   First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=feedback on Special Hotfix for R75.40VS Release Notes).

Contents
Important Information ... 3
Introduction ... 5
   What's New ... 5
      Firewall GX Support ... 5
      Stream Control Transmission Protocol (SCTP) Support ... 5
      Diameter Support ... 6
      Syslog Support ... 6
      LTE S1 VPN Functionality ... 6
      MSS Adjustment ... 7
Installing R75.40VS Hotfix ... 8
   Uninstalling R75.40VS Hotfix ... 8
Configuring R75.40VS Hotfix Features ... 9
   Configuring GTP Signaling Rate Limit ... 9
   Configuring SCTP Inspection ... 9
      Disabling SCTP Support ... 10
   Configuring Diameter Inspection ... 11
      Configuring Diameter Inspection Over SCTP ... 11
      Configuring Diameter Inspection Over TCP ... 12
      Rule Base Limitations for Diameter Service ... 12
      Creating a Diameter Application ... 13
      Creating New Application Commands ... 14
      Blocking Application Commands ... 15
      Disabling Diameter Support ... 16
   Sending Check Point Logs to a Syslog Server ... 16
      Defining Syslog Servers ... 16
      Configuring Gateways to Send Logs to Syslog Servers ... 17
   Configuring LTE S1 VPN Functionality ... 17
      Configuring Permanent Tunnels with DPD ... 17
      Configuring Fragmentation for IPSec Traffic ... 17
      Configuring Subnet Range Selection for Quick Mode IDs ... 18
      Configuring Persistent VPN Kernel Parameters ... 18
      Configuring Alternate CRL Distribution Points ... 18
      Configuring Fail Open When CRL is Unavailable ... 18
      Disabling IKEv2 Traffic Selector Narrowing ... 19
   Configuring MSS Adjustment ... 19
Known Limitations ... 20
   GX Limitations ... 20
   SCTP and Diameter Limitations ... 21
   IPv6 VPN Limitations ... 21
   Permanent Tunnels through DPD ... 21

Introduction
Thank you for choosing Check Point R75.40VS. Please read this document carefully before installing.

What's New
The R75.40VS LTE Hotfix contains important updates and new features for R75.40VS. The new features are also supported in VSX environments, and are listed below. For resolved issues, see sk80780.

Firewall GX Support
- Based on the GX 5.0 stable release. For more on GX 5.0, see the Firewall-1 GX 5.0 Administration Guide and the Firewall-1 GX 5.0 Release Notes.
- High connection capacity and high concurrent PDP context capacity, based on the 64-bit architecture.
- VSX support for multiple GX Virtual Systems.
- GTP Signaling Rate Limit can now be applied to groups of source network objects.
- GTPv1 support according to the 3GPP TS spec, up to release
- GTPv2 fallback to GTPv1, to maintain connectivity with GTPv2-aware network components.
Note - GTPv2 is not fully supported in this version.

Stream Control Transmission Protocol (SCTP) Support
Multihomed SCTP endpoints have multiple IP addresses serving each SCTP association. In case of failover, each new active connection is checked against the access policy and for state; it is not automatically accepted just because an association already exists.
Note - You can create one rule for an SCTP connection, but you must create a group of the IP addresses associated with this connection for each multihomed endpoint.
Key features of SCTP:
- Fully complies with RFC 4960, which describes the Stream Control Transmission Protocol.
- SCTP stateless verification - makes sure that each SCTP packet complies with RFC 4960, regardless of the packet's state.
- SCTP stateful inspection - accepts SCTP packets according to the association state.
- Support for multihomed SCTP - lets you open multiple child connections under the established association.
- SCTP packet filtering - filters for access control through policy rule definitions.
- SCTP with static NAT.
- SCTP Acceleration.
Special Hotfix for R75.40VS Release Notes 5
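The stateless verification listed above checks each packet against RFC 4960 without consulting association state. The following added example (not part of these release notes and not Check Point code) implements the core of such a check in Python: the 12-byte common header, the CRC32c checksum of Appendix B, chunk framing and 4-byte padding, and the rule that INIT, INIT ACK and SHUTDOWN COMPLETE are never bundled with other chunks. The sample INIT packet is constructed; 36412 is the S1-MME (S1AP) SCTP port.

```python
import struct

# Added example (not Check Point code): per-packet RFC 4960 checks that need no association
# state, i.e. what 'SCTP stateless verification' can decide from one packet alone.
CRC32C_POLY = 0x82F63B78          # reflected form of the Castagnoli polynomial 0x1EDC6F41
COMMON_HEADER_LEN = 12            # src port, dst port, verification tag, checksum
CHUNK_DATA, CHUNK_INIT, CHUNK_INIT_ACK, CHUNK_HEARTBEAT, CHUNK_SHUTDOWN_COMPLETE = 0, 1, 2, 4, 14
UNBUNDLEABLE = {CHUNK_INIT, CHUNK_INIT_ACK, CHUNK_SHUTDOWN_COMPLETE}  # RFC 4960 3.3.2, 3.3.3, 3.3.13


def crc32c(data: bytes) -> int:
    """Bitwise CRC32c as in RFC 4960 Appendix B; crc32c(b'123456789') == 0xE3069283."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC32C_POLY if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def sctp_checksum(pkt: bytes) -> int:
    """CRC32c over the whole packet with the checksum field zeroed."""
    return crc32c(pkt[:8] + b"\x00\x00\x00\x00" + pkt[COMMON_HEADER_LEN:])


def verify_sctp_packet(pkt: bytes):
    """Stateless checks only; returns (ok, reason, list of chunk types seen)."""
    if len(pkt) < COMMON_HEADER_LEN:
        return False, "shorter than the 12-byte common header", []
    vtag = struct.unpack("!I", pkt[4:8])[0]
    # Appendix B stores the CRC32c least significant byte first.
    if struct.unpack("<I", pkt[8:12])[0] != sctp_checksum(pkt):
        return False, "checksum mismatch", []
    types, off = [], COMMON_HEADER_LEN
    while off < len(pkt):
        if len(pkt) - off < 4:
            return False, "truncated chunk header at offset %d" % off, types
        ctype, _flags, clen = struct.unpack("!BBH", pkt[off:off + 4])
        if clen < 4 or off + clen > len(pkt):
            return False, "bad chunk length %d at offset %d" % (clen, off), types
        if ctype == CHUNK_DATA and clen < 17:          # 16-byte header plus at least one data byte
            return False, "DATA chunk without user data", types
        if ctype == CHUNK_INIT and (clen < 20 or vtag != 0):
            return False, "INIT needs a 20-byte fixed part and verification tag 0", types
        types.append(ctype)
        off += (clen + 3) & ~3                          # chunks are padded to 4-byte boundaries
    if len(types) > 1 and UNBUNDLEABLE & set(types):
        return False, "INIT, INIT ACK and SHUTDOWN COMPLETE must not be bundled", types
    return True, "ok", types


def build_init_packet(src_port=50000, dst_port=36412, bundle_heartbeat=False, corrupt=False) -> bytes:
    """Constructed sample: an INIT chunk (initiate tag, a_rwnd, out/in streams, initial TSN)."""
    body = struct.pack("!BBHIIHHI", CHUNK_INIT, 0, 20, 0x12345678, 65535, 10, 10, 1)
    if bundle_heartbeat:                                # a violation the verifier must catch
        body += struct.pack("!BBH", CHUNK_HEARTBEAT, 0, 4)
    pkt = struct.pack("!HHI", src_port, dst_port, 0) + b"\x00" * 4 + body
    pkt = pkt[:8] + struct.pack("<I", sctp_checksum(pkt)) + pkt[12:]
    if corrupt:                                         # flip the last byte after checksumming
        pkt = pkt[:-1] + bytes([pkt[-1] ^ 0xFF])
    return pkt


if __name__ == "__main__":
    for kwargs in ({}, {"bundle_heartbeat": True}, {"corrupt": True}):
        print(kwargs, verify_sctp_packet(build_init_packet(**kwargs)))
```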

Diameter Support
Diameter is the authentication, authorization and accounting (AAA) protocol that uses TCP or SCTP instead of UDP. It has these key features:
- Diameter packet verification - verifies that:
   - Each Diameter packet complies with the RFC 3588 base protocol.
   - Each application-command pair is checked against the policy.
- Diameter packet filtering:
   - Lets you define policy rules for services that use the Diameter protocol.
   - Implements access control on the basis of application-id and command-id pairs.
R75.40VS adds two types of Diameter service:
- Diameter over SCTP
- Diameter over TCP
R75.40VS has 5 built-in default Diameter applications:
- Credit-Control
- GX-Application
- S13-S13-Application
- S6a-S6d-Application
- S9-Application
You can also add new Diameter applications ("Creating a Diameter Application" on page 13).
After installing R75.40VS, you must define the new Diameter service over TCP or SCTP, the application ID, and the application port.

Syslog Support
Syslog sends Check Point logs from gateways directly to syslog servers. Two versions of the syslog protocol are supported: BSD (based on RFC 3164) and Syslog (based on RFC 5424).

LTE S1 VPN Functionality
- Support for Dead Peer Detection (DPD) in IKEv1/IKEv2 - In IKEv1/IKEv2 DPD, the Vendor ID is always sent to peers that have DPD configured, and to peers from which a DPD Vendor ID has been received. No special configuration is required.
- Support for Permanent Tunnels with DPD - To monitor all peers through DPD, configure them for DPD in active or passive mode. The mode is determined by the tunnel_keepalive_method property assignment:
   - dpd - Defines the active DPD mode. The peer receives DPD requests at regular intervals (default is 10 seconds), unless it continuously sends IPSec traffic.
   - passive - Defines the passive DPD mode. Other peers do not send DPD requests to this peer. Tunnels with passive peers are monitored according to IPSec traffic and DPD requests from the passive peers.
- Support for Fragmentation for IPSec Traffic - Set clear packets for fragmentation before encryption. This ensures that the size of transmitted packets does not exceed the MTU size.
- New Options for Subnet Range Selection in Quick Mode - Set whether the ranges in max_subnet_for_range apply to the gateway's own ID, the peer's ID, both, or none.
- Support for Persistent VPN Kernel Parameters - Set persistent VPN kernel parameters at boot time through modifications in the vpnkern.conf file.
- Support for Alternate CRL DP - Configure several CRL DPs for each CA server.

- Support for Fail Open When CRL is Unavailable - Keeps the VPN session up when the connection to the CRL fails.
- Option to Disable IKEv2 Traffic Selector Narrowing.
- Support for Hardware Acceleration for AES.
- Support for Intel Multi Queuing. See sk

MSS Adjustment
MSS (Maximum Segment Size) is a TCP parameter that defines the maximum size of the packets that peers agree to receive.
- Interface granularity - Set the MSS Adjustment value to define the operation mode for each interface.
     Adjustment value    Operation mode
     MTU                 MTU Mode - the MSS Adjustment value equals the MTU of the interface.
     Defined by user     Value Mode - you set the MSS Adjustment value.
  Note: The MSS Adjustment value is equal to the size of the packet with the TCP header and the IP header.
- Central Control capability - Enable or disable MSS Adjustment on the system with one command. Note: The previous state is always saved.
- Current configuration view - See the settings on each interface.
- CoreXL and SecureXL support.
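As an added example for the Diameter Support section above (not part of these release notes and not Check Point code), this Python model filters Diameter messages on application-id / command-code pairs in the way the notes describe, using the attribute names of the GuiDBedit objects documented later in this document (diameter_app with app_id, app_cmds and include_diameter_base_app; diameter_cmd with cmd_code, display_code and request). The base-protocol and Credit-Control command codes come from RFC 3588 and RFC 4006; the private application id, the messages and the AVP payload are constructed.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Added example (not Check Point code): an application-id / command-code filter modelled on
# the GuiDBedit object attributes described in the release notes. Messages are constructed.
HEADER_LEN = 20           # RFC 3588 3: version+length, flags+code, app id, hop-by-hop, end-to-end
FLAG_REQUEST = 0x80       # the 'R' command flag: set on requests, clear on answers


@dataclass
class DiameterCmd:        # mirrors a diameter_cmd object
    name: str
    cmd_code: int
    display_code: str
    request: bool


@dataclass
class DiameterApp:        # mirrors a diameter_app object
    name: str
    app_id: int
    app_cmds: List[DiameterCmd]
    include_diameter_base_app: bool = True


# Base protocol (RFC 3588, Application-ID 0): Capabilities-Exchange, Device-Watchdog, Disconnect-Peer.
BASE_APP = DiameterApp("diameter_base", 0, [
    DiameterCmd("cer", 257, "CER", True), DiameterCmd("cea", 257, "CEA", False),
    DiameterCmd("dwr", 280, "DWR", True), DiameterCmd("dwa", 280, "DWA", False),
    DiameterCmd("dpr", 282, "DPR", True), DiameterCmd("dpa", 282, "DPA", False),
])
# Credit-Control (RFC 4006): Application-ID 4, command code 272.
CREDIT_CONTROL = DiameterApp("credit_control", 4, [
    DiameterCmd("ccr", 272, "CCR", True), DiameterCmd("cca", 272, "CCA", False),
])
# Constructed 'private base application': a vendor-range id no RFC uses, only the watchdog
# pair, and include_diameter_base_app set to FALSE so other base commands are not allowed.
PRIVATE_BASE = DiameterApp("private_base", 0x0100FFFF, [
    DiameterCmd("dwr", 280, "DWR", True), DiameterCmd("dwa", 280, "DWA", False),
], include_diameter_base_app=False)


def parse_header(pkt: bytes) -> dict:
    """Base-protocol header checks: version 1, declared length, 4-byte alignment."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("shorter than the 20-byte Diameter header")
    ver_len, flags_code, app_id, hop_by_hop, end_to_end = struct.unpack("!IIIII", pkt[:HEADER_LEN])
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version %d" % version)
    if length != len(pkt) or length % 4:
        raise ValueError("declared length %d does not fit %d received bytes" % (length, len(pkt)))
    return {"request": bool((flags_code >> 24) & FLAG_REQUEST), "cmd_code": flags_code & 0xFFFFFF,
            "app_id": app_id, "hop_by_hop": hop_by_hop, "end_to_end": end_to_end}


def _matches(app: DiameterApp, hdr: dict) -> bool:
    return app.app_id == hdr["app_id"] and any(
        c.cmd_code == hdr["cmd_code"] and c.request == hdr["request"] for c in app.app_cmds)


def filter_message(pkt: bytes, rule_apps: List[DiameterApp]) -> Tuple[str, str]:
    """Decide 'accept' or 'drop' for one message under a rule whose Service column holds rule_apps."""
    try:
        hdr = parse_header(pkt)
    except ValueError as exc:
        return "drop", "malformed: %s" % exc
    for app in rule_apps:
        if _matches(app, hdr):
            return "accept", "%s: command %d allowed" % (app.name, hdr["cmd_code"])
    # Base commands ride along only when every application in the rule includes the base app,
    # mirroring the note that all apps in one rule must share the include_diameter_base_app value.
    if all(a.include_diameter_base_app for a in rule_apps) and _matches(BASE_APP, hdr):
        return "accept", "base protocol command %d allowed" % hdr["cmd_code"]
    return "drop", "no application-command pair for app %d command %d" % (hdr["app_id"], hdr["cmd_code"])


def build_message(app_id: int, cmd_code: int, request: bool, avps: bytes = b"") -> bytes:
    """Constructed message: a valid header plus an opaque AVP payload padded to 4 bytes."""
    avps += b"\x00" * (-len(avps) % 4)
    flags = FLAG_REQUEST if request else 0
    return struct.pack("!IIIII", (1 << 24) | (HEADER_LEN + len(avps)), (flags << 24) | cmd_code,
                       app_id, 0x1000, 0x2000) + avps


if __name__ == "__main__":
    print(filter_message(build_message(4, 272, True), [CREDIT_CONTROL]))    # CCR: accept
    print(filter_message(build_message(0, 257, True), [CREDIT_CONTROL]))    # CER: accept via base app
    print(filter_message(build_message(0, 257, True), [PRIVATE_BASE]))      # CER: drop, base excluded
```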

Installing R75.40VS Hotfix
Install this Hotfix on R75.40VS Security Management Servers and on R75.40VS Security Gateways.
Important - If you install the Hotfix only on Security Management Servers, and not on gateways, the Security Management Servers will not be able to manage the gateways.
To install the R75.40VS Hotfix:
1. Extract the installation file from the archive:
   gtar xfz Check_Point_R75.40VS_GX_LTE.linux.tgz
2. Run the installation command:
   ./unixinstallscript
To install SmartConsole: Run this executable on a Windows machine:
   Check_Point_SmartConsole_R75_40VS_GX_LTE_Windows.exe

Uninstalling R75.40VS Hotfix
To uninstall the R75.40VS Hotfix:
1. Go to the directory with the uninstallation script:
   cd /opt/cpuninstall/r75.40vs_gx_lte
2. Run the uninstallation script:
   ./unixuninstallscript

Configuring R75.40VS Hotfix Features

Configuring GTP Signaling Rate Limit
The GTP Signaling Rate Limit is set in PDUs per second, and can now be set for groups of source network objects.
To configure the GTP Signaling Rate Limit:
1. Create one or more groups of source network objects.
   a) In SmartDashboard, select the Network Objects navigation tree.
   b) Right-click Network Objects and select Groups > GSN Handover Group. The GSN Handover Group Properties window opens.
      Name - a unique character string identifier.
      Color - select a color for the group icon.
   c) Select Enforce GTP signal packet rate limit from this group and enter an integer value (in PDU/sec).
   d) From the Not in Group list, select network objects.
   e) Click Add to add the network objects to the group.
   f) Click OK.
2. Configure the sampling interval.
   a) In SmartDashboard, click Edit Global Properties. The Global Properties window opens.
   b) In the navigation tree, click FireWall-1 GX.
   c) Enter an integer for GTP Signaling rate limit sampling interval (in seconds).
   d) Click OK.
3. Install policy.

Configuring SCTP Inspection
1. Open SmartDashboard.
2. On the Services tab, click New > SCTP. The SCTP Service Properties window opens.
   Name - The name of the service. The name assigned here must be the same as the server service name (as in the services file). If NIS is used, the firewall automatically retrieves the information from NIS.
   Port - The number of the port that gives this service.
   Keep connections open after policy has been installed - Even if the connections are not allowed in the new policy. This overrides the settings in the Connection Persistence page. If you change this property, the change does not affect open connections, only future connections.
3. Click Advanced. The Advanced SCTP Service Properties window opens.
   Source Port - Enter a port number for the client-side service. If specified, only those source port numbers will be accepted, dropped, or rejected when inspecting packets of this service. Otherwise, the source port is not inspected.

   Enable Aggressive Aging - Sets short (aggressive) timeouts. When a connection is idle for more than its aggressive timeout, it is marked as "eligible for deletion". When memory consumption or connections table capacity exceeds a user-defined threshold (the high watermark), aggressive aging starts to operate. At this stage, each incoming connection triggers the deletion of k connections that are eligible for deletion (k is 10 by default). This continues until memory consumption or connections capacity decreases below the low watermark.
   Note - VSX does not support aggressive aging.
   Synchronize connections on cluster - Enables state-synchronized High Availability or Load Sharing on a ClusterXL or OPSEC-certified cluster. Of the services allowed by the Rule Base, only those with Synchronize connections on cluster selected are synchronized as they pass through the cluster. By default, all new and existing services are synchronized.
4. Click OK.
5. Open Global Properties > Stateful Inspection. Configure these Stateful Inspection options:
   SCTP start timeout
      An SCTP connection times out if the interval between the arrival of the first packet and establishment of the connection (the SCTP four-way handshake) exceeds the SCTP start timeout, in seconds. Attribute name in GuiDBedit: sctpstarttimeout
   SCTP session timeout
      Length of time an idle connection remains in the Security Gateway connections table. Attribute name in GuiDBedit: sctptimeout
   SCTP end timeout
      An SCTP connection terminates only SCTP end timeout seconds after two FIN packets (one in each direction: client-to-server and server-to-client) or an RST packet. Attribute name in GuiDBedit: sctpendtimeout
   Configure these options for Out of state packets:
   Drop out of state SCTP packets
      Drop SCTP packets that are not consistent with the current state of the SCTP connection. Attribute name in GuiDBedit: fw_drop_out_of_state_sctp
   Log on drop
      Generates a log entry when out of state SCTP packets are dropped. Attribute name in GuiDBedit: fw_log_out_of_state_sctp

To accelerate SCTP, you must disable packet inspection:
1. Open GuiDBedit.
2. Search for: fw_sctp_packet_inspection.
3. Set the property to FALSE.
4. Save the database and install the policy.

Disabling SCTP Support
To disable out of state packet drop:
1. Open SmartDashboard > Global Properties > Stateful Inspection.
2. Clear the Drop out of state SCTP packets option.
3. Save and install the policy.

Configuring Diameter Inspection
You can configure Diameter Inspection over SCTP or TCP.

Configuring Diameter Inspection Over SCTP
1. Open SmartDashboard.
2. On the Firewall tab, open the Services objects tree.
3. Right-click Services.
4. Select Diameter > Diameter SCTP. The Diameter SCTP Service Properties window opens.
   Name - The name of the service. The name assigned here must be the same as the server service name (as in the services file). If NIS is used, the firewall automatically retrieves the information from NIS.
   Comment - Enter any comment.
   Color - Select a color.
   Application - Select a Diameter application. If the required application is not in the list, create one ("Creating a Diameter Application" on page 13).
   Keep connections open after policy has been installed - Even if the connections are not allowed in the new policy. This setting overrides the settings in the Connection Persistence page. If you change this property, the change does not affect open connections, only future connections.
5. Click Advanced. The Advanced SCTP Service Properties window opens.
   Source Port - Port number for the client-side service. If specified, only those source port numbers will be accepted, dropped, or rejected during packet inspection. Otherwise, the source port is not inspected.
   Session Timeout - Time (in seconds) before the session times out.
      Default - Use the default value defined on the Stateful Inspection page in Global Properties.
      Other - Manually define a timeout period for this service.
   Enable Aggressive Aging - Enable Aggressive Aging with the default or another timeout value (in seconds). Note - VSX does not support aggressive aging.
   Synchronize connections on cluster - Enables state-synchronized High Availability or Load Sharing on a ClusterXL or OPSEC-certified cluster. Only services with the Synchronize connections on cluster option selected are synchronized. By default, all new and existing services are synchronized.
   Perform static NAT good port selection on Cluster -
6. Click OK.
7. Click OK.
Use the new service in a policy rule, but pay attention to the limitations ("Rule Base Limitations for Diameter Service" on page 12). Use SmartView Tracker to track connections that use the SCTP service.

Configuring Diameter Inspection Over TCP
1. Open SmartDashboard.
2. On the Firewall tab, open the Services objects tree.
3. Right-click Services.
4. Select Diameter > Diameter TCP. The Diameter TCP Service Properties window opens.
   Name - The name of the service. The name assigned here must be the same as the server service name (as in the services file). If NIS is used, the firewall automatically retrieves the information from NIS.
   Comment - Enter any comment.
   Color - Select a color.
   Application - Select a Diameter application. If the required application is not in the list, create one ("Creating a Diameter Application" on page 13).
   Keep connections open after policy has been installed - Even if the connections are not allowed in the new policy. This setting overrides the settings in the Connection Persistence page. If you change this property, the change does not affect open connections, only future connections.
5. Click Advanced. The Advanced TCP Service Properties window opens.
   Source Port - Port number for the client-side service. If specified, only those source port numbers will be accepted, dropped, or rejected during packet inspection. Otherwise, the source port is not inspected.
   Enable for TCP Resource - Enables the TCP service for a TCP Resource.
   Match for Any - If selected, this service is used when 'Any' is set for the rule's service and there are several service objects with the same source port and protocol.
   Session Timeout - Time (in seconds) before the session times out.
      Default - Use the default value defined on the Stateful Inspection page in Global Properties.
      Other - Manually define a timeout period for this service.
   Enable Aggressive Aging - Enable Aggressive Aging with the default or another timeout value (in seconds). Note - VSX does not support aggressive aging.
   Synchronize connections on cluster - Enables state-synchronized High Availability or Load Sharing on a ClusterXL or OPSEC-certified cluster. Only services with the Synchronize connections on cluster option selected are synchronized. By default, all new and existing services are synchronized.
   Perform static NAT good port selection on Cluster -
6. Click OK.
7. Click OK.
Use the new service in a policy rule, but pay attention to the limitations ("Rule Base Limitations for Diameter Service" on page 12).

Rule Base Limitations for Diameter Service
A new Diameter service is a Diameter application. It is an extension of the base protocol, and must support the base protocol to work. In SmartDashboard, the base protocol is a hidden service. Therefore:
- For connections that have the same source and destination addresses, all the Diameter service objects must be in the same rule. Configure a Diameter service with port 3868 as the destination port or service. When the service is in the Rule Base, this port definition creates a hidden match on the base protocol first, not on the application. If a second rule further down the Rule Base (configured for the same source and destination) specifies different Diameter applications, those applications are dropped: the base protocol (and the applications to allow) is already negotiated for the policy, and the base protocol is not rematched.

- You can use Diameter over SCTP and Diameter over TCP objects in the same rule, or in different rules.
- The Action column of the rule cannot be Drop. The match drops the base protocol on the first packet match. For example, with this configuration:
     Rule     Service             Action
     Rule 1   Diameter SCTP_app1  Drop
     Rule 2   Diameter SCTP_app2  Accept
  the first rule drops the base protocol, which prevents the applications defined in the second rule from being inspected. The Action must always be Accept.

Creating a Diameter Application
1. Open GuiDBedit.
2. On the Tables tab, open Other and select diameter_service_cfg.
3. Click in the Object pane.
4. Click Object > New. The Create Object window opens.
   Class - select diameter_app.
   Object - enter the name of the new application.
   Click OK. The new object is added to the list of objects and its fields show in the bottom pane of GuiDBedit.
5. In the bottom pane, Field Name column:
   a) Double-click app_cmds. The Add/Edit Element window opens.
   b) Select an application command from the Object list. If the command does not exist, create it. Repeat steps a) and b) as necessary to add more application commands.
   c) Double-click app_id. The Edit window opens.

   d) Enter a value for the application id. The app_id must be the same id as in the RFC for this application.
   e) Double-click include_diameter_base_app. Make sure that the value is true, unless you want to block some application commands ("Blocking Application Commands" on page 15).
   f) Double-click is_diameter_base_app. Make sure that the value is false.
6. Save and close GuiDBedit. In SmartDashboard, the new application is in Service Properties > Interface.

Creating New Application Commands
1. In GuiDBedit, click in the Object Name column.
2. Click Objects > New. The Create Object window opens.
3. From Class, select diameter_cmd.
   Note - diameter_avp is also an option. You can define AVPs for the Diameter command, but they are not enforced in the policy.
4. In the Object field, enter a name for the new command. Application command names are defined by the related RFCs. Commands are answer commands or request commands, for example new_cmd_request or new_cmd_answer.
5. Click OK.

   The new command shows in the Objects table.
6. Select the new command.
7. In the Field table:
   a) Double-click cmd_code. In the Edit window, enter the value specified by the related RFC. Click OK.
   b) Double-click display_code. In the Edit window, enter the value specified by the related RFC (a three-letter code, for example NCR or NCA). Click OK.
   c) Double-click request. In the Edit window, select true or false: application request commands must be true, application answer commands must be false.
8. Click OK.
9. On the toolbar, click the Save all changed objects button.
Important - You must save new commands before you can add them to a Diameter application.

Blocking Application Commands
The include_diameter_base_app value is usually TRUE. To block some of the commands allowed by the base protocol:
1. Create your private base application with an ID that is not used by any RFC. Add only the commands you want. Set include_diameter_base_app to FALSE.

2. Add your private base application to the Rule Base, as described in "Configuring Diameter Inspection Over SCTP" on page 11 or "Configuring Diameter Inspection Over TCP" on page 12.
3. Create a policy with your private base application in the Service field.
4. Install the policy.
Notes:
- Make sure both the source and destination use the new private base application. Otherwise, the connection uses the RFC-based application.
- All Diameter applications added as Service parameters to a rule in a Rule Base must have the include_diameter_base_app flag set to the same value, either TRUE or FALSE. Otherwise, the private Diameter applications use their RFC-based applications.

Disabling Diameter Support
To disable Diameter support: In the Rule Base, replace the Diameter services with TCP or SCTP services configured to port 3868. Diameter connections on port 3868 continue, but without inspection of the Diameter packets.

Sending Check Point Logs to a Syslog Server
By default, gateway logs are sent to the Security Management Server. You can configure the gateways to send logs directly to syslog servers. First, define syslog servers. Then, update the logging properties of the gateways.
These syslog protocols are supported:
- RFC 3164 (old)
- RFC 5424 (new)

Defining Syslog Servers
1. Open SmartDashboard and click the Firewall tab.
2. In the Servers and OPSEC Applications object tree, right-click Servers.
3. Click New > Syslog. The Syslog Properties configuration window opens. Alternatively, go to the Manage drop-down menu, select Servers and OPSEC Applications, and click New.
4. Fill in the Name, the Comment (optional), and the Port configuration fields.
5. Select a host from the Host drop-down menu. To configure a new host, click New and fill in the parameters in the Host Node configuration window.
6. Select a syslog protocol version from the Version drop-down menu.
Below are log examples of both versions of the syslog protocol.
Example of a BSD Protocol log entry (truncated):
   <81>Jul 25 17:26: Action="accept" src=" " dst=" " proto="17" product="vpn-1 & FireWall-1" service="1147" s_port="26666" product_family="network"
Example of a Syslog Protocol log entry (truncated):
   <81> T17:17:50Z CP-GW - Log [Fields@ Action="accept" rule="1" src=" " dst=" " proto="17" product="vpn-1 & FireWall-1" service="1052" s_port="54444" product_family="network"]
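The two formats shown above differ in their header and in where the key="value" fields sit: the BSD entry carries them in the free-text message, the RFC 5424 entry inside a structured-data element. The following added example (not part of these release notes and not Check Point code) parses both into one structure so a collector can treat them alike. The sample lines are constructed after the truncated examples above; the addresses, the second line's SCTP/Diameter drop and the enterprise number in Fields@99999 are placeholders.

```python
import re
from typing import Dict, List, Optional

# Added example (not Check Point code): parse the BSD (RFC 3164) and RFC 5424 log formats a
# gateway can send to a syslog server into one record. Sample lines are constructed.
SAMPLE_LINES = [
    '<81>Jul 25 17:26:30 CP-GW Action="accept" src="192.0.2.10" dst="198.51.100.5" proto="17" '
    'product="vpn-1 & FireWall-1" service="1147" s_port="26666" product_family="network"',
    '<81>Jul 25 17:26:31 CP-GW Action="drop" src="192.0.2.66" dst="198.51.100.5" proto="132" '
    'product="vpn-1 & FireWall-1" service="3868" s_port="40001" product_family="network"',
    '<81>1 2013-07-25T17:17:50Z CP-GW - Log - [Fields@99999 Action="accept" rule="1" '
    'src="192.0.2.10" dst="198.51.100.5" proto="17" product="vpn-1 & FireWall-1" '
    'service="1052" s_port="54444" product_family="network"]',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# RFC 3164: "Mmm dd hh:mm:ss HOSTNAME MSG"
BSD_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
# RFC 5424: "VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID params] MSG"
RFC5424_RE = re.compile(r"^(\d) (\S+) (\S+) ((?:\S+ )*?)\[(\S+) ([^\]]*)\](.*)$", re.S)


def parse_checkpoint_syslog(line: str) -> Optional[Dict]:
    """Return facility, severity, timestamp, host and the Check Point fields, or None."""
    m = PRI_RE.match(line.strip())
    if not m:
        return None
    pri, rest = int(m.group(1)), m.group(2)
    entry = {"facility": pri >> 3, "severity": pri & 7}      # PRI = facility * 8 + severity
    m5424 = RFC5424_RE.match(rest)
    if m5424:
        version, ts, host, _hdr, sd_id, params, _msg = m5424.groups()
        entry.update(format="RFC 5424", version=int(version), timestamp=ts, host=host,
                     sd_id=sd_id, fields=dict(KV_RE.findall(params)))
        return entry
    mbsd = BSD_RE.match(rest)
    if mbsd:
        ts, host, msg = mbsd.groups()
        entry.update(format="RFC 3164", timestamp=ts, host=host, fields=dict(KV_RE.findall(msg)))
        return entry
    return None


def parse_all(lines: List[str]) -> List[Dict]:
    """Parse every line, skipping anything that is not a syslog record."""
    return [e for e in (parse_checkpoint_syslog(l) for l in lines) if e]


def count_by_action(entries: List[Dict]) -> Dict[str, int]:
    """Tally the Action field, a quick check that both server types receive the same events."""
    counts: Dict[str, int] = {}
    for e in entries:
        action = e["fields"].get("Action", "unknown")
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_all(SAMPLE_LINES)
    for e in parsed:
        print(e["format"], e["timestamp"], e["host"], e["fields"]["Action"], e["fields"]["src"])
    print(count_by_action(parsed))
```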

Configuring Gateways to Send Logs to Syslog Servers
You can configure a gateway to send logs to multiple syslog servers, but the syslog servers must be of the same type: BSD Protocol or Syslog Protocol.
To send the logs of a gateway to syslog servers:
1. Open the properties of the gateway.
2. Open the Logs page.
3. In the Send logs and alerts to these log server table, click the green button to add syslog servers.
4. Click OK.
5. Install policy.
Note - You cannot configure a Syslog server as a backup server.

Configuring LTE S1 VPN Functionality

Configuring Permanent Tunnels with DPD
To maintain VPN tunnels, peers configured for Dead Peer Detection (DPD) send DPD keepalive requests at regular intervals (by default, every 10 seconds).
To configure Permanent Tunnels with DPD, run this command in DBEdit:
   modify network_objects peer_object VPN:tunnel_keepalive_method [dpd | passive | tunnel_test]
When a valid IKE SA is not available, DPD requests trigger a new IKE negotiation. To prevent new IKE negotiations:
1. Open the file $CPDIR/tmp/.CPprofile.sh in a text editor.
2. Add this line on the gateway:
   export DPD_DONT_INIT_IKE=1
3. Save and close the file.
4. Reboot the gateway.

Configuring Fragmentation for IPSec Traffic
To ensure that the size of the transmitted packets does not exceed the MTU size, configure fragmentation for IPSec traffic.
To configure fragmentation for IPSec traffic:
1. Run this command in DBEdit:
   modify network_objects gateway_object VPN:ipsec_fragment_inner true
2. Install policy to the gateway.
To configure fragmentation for IPSec traffic using Performance Pack:
1. Open the file $PPKDIR/boot/modules/simkern.conf in a text editor. NOTE: If the file does not exist, create it.
2. Add this line:
   vpn_f2f_for_fragmentation=1
3. Save and close the file.
4. Reboot the gateway.

Configuring Subnet Range Selection for Quick Mode IDs
In Quick Mode, you can apply the subnet range selection specified through max_subnet_for_range to the ID of the local gateway, to a peer's ID, to both, or to none.
To configure the subnet range selection for Quick Mode IDs, run this command on the gateway:
   fw ctl set int subnet_for_range_control [0 | 1 | 2 | 3]
These are the options for the subnet_for_range_control value:
   0 - The max_subnet_for_range table is ignored on both sides.
   1 - The max_subnet_for_range table is ignored when own source IDs are selected.
   2 - The max_subnet_for_range table is ignored when the peer's destination IDs are selected.
   3 - The default: the max_subnet_for_range table is never ignored.

Configuring Persistent VPN Kernel Parameters
If you change VPN kernel parameters (normally set through the fw ctl set command), they return to their default values after a reboot. If you configure persistent VPN kernel parameters, the changes remain.
To configure persistent VPN kernel parameters:
1. Create the file $FWDIR/modules/vpnkern.conf.
2. Add the required parameter(s) to the vpnkern.conf file. For example:
   subnet_for_range_control=2
3. Save the file.
4. Reboot the gateway.

Configuring Alternate CRL Distribution Points
For a single certificate authority domain with the certificate revocation information distributed in multiple CRL databases (CRL Distribution Points), you can configure each CA server to access those Distribution Points.
To configure alternate CRL Distribution Points for a CA server:
1. In DBEdit, run this command for each DP you wish to add:
   addelement servers CA_SERVER_NAME forced_crl_dp URI
   Example: addelement servers MyCA forced_crl_dp
2. Install policy.
NOTE: You can assign several CRL DPs for each CA server.

Configuring Fail Open When CRL is Unavailable
By default, if a CRL becomes unavailable, the VPN connections that rely on it for certificate verification shut down. To maintain network availability during a CRL failure, you can configure Fail-Open mode on the gateways.
To configure Fail-Open:
1. In DBEdit, type:
   modify network_objects gateway_object VPN:ike_fetch_crl_fail_open true
2. Install policy to the gateway.

Note - In Fail-Open mode, if the CRL is not available or is not readable, the certificate is not checked for revocation.

Disabling IKEv2 Traffic Selector Narrowing
During IKEv2 SA negotiation, the responder can narrow the traffic selector proposed by the initiator. You can disable this feature.
To disable IKEv2 Traffic Selector Narrowing, set the environment variable IKEV2_ACCEPT_ALL_TS of the vpnd process:
1. On the gateway, open the file $CPDIR/tmp/.CPprofile.sh in a text editor.
2. Add this line to .CPprofile.sh:
   export IKEV2_ACCEPT_ALL_TS=1
3. Save and close the file.
4. Reboot the gateway.

Configuring MSS Adjustment
You can configure MSS Adjustment only through GuiDBedit.
To control MSS Adjustment on a gateway:
1. Start GuiDBedit.
2. From the Tables navigation tree, select Global Properties > properties.
3. Click firewall_properties.
4. Click fw_clamp_tcp_mss and set its value:
   true - enable MSS Adjustment.
   false - disable MSS Adjustment.
5. From the Tables navigation tree, select Network Objects > network_objects.
6. Select a gateway. The attributes of the gateway show in the pane below.
7. Select interfaces. The list of interfaces on the gateway expands.
8. For each interface, click mss_value and set its value:
   -1 - Turns off MSS Adjustment.
   0 - Sets the MSS clamping value to the MTU value.
   Number greater than 0 - Sets the MSS clamping value to this number.

Known Limitations

GX Limitations
- GTP Bandwidth Management using QoS is not supported.
- In the Security Rule Base, all rules that refer to SecureXL Templates that appear below rules relating to GTP are ignored. Be sure to place any rules referring to SecureXL templates above the GTP protocol rules in the Security Rule Base.
- If "Accelerate GTP User traffic" and "Apply FireWall-1 Security on User Traffic" (the Full Intra Tunnel inspection feature) are enabled at the same time in SmartDashboard, only the latter takes effect. GTP traffic is not accelerated when the Full Intra Tunnel feature is on.
- Upgrading from Firewall-1 GX 4.0 to GX 5.0 is not supported. Firewall-1 GX 5.0 can only be installed as a new installation.
- Standalone deployment is not supported. GX can only be installed as a Security Gateway.
- When Overbilling Attack Protection is enabled, you must define a rule that allows FW1_sam traffic from the GX object to the Gi Check Point gateway. For more details, see the Enabling Overbilling Attack Protection section in the Firewall-1 GX 5.0 Administration Guide.
- GX 5.0 does not support GTP Bandwidth Management using QoS.
- When establishing a SIC (trusted communication) connection on a newly installed GX 5.0 cluster object in SmartDashboard, the platform version has to be set manually to R70.
- When using the IPS and the Full Intra-Tunnel features, GTP traffic may not be inspected. The workaround is to change the IPS protection scope from Protect internal hosts only to Perform IPS inspection on all traffic. To change the protection scope:
   1. Double-click the FireWall-1 GX object in SmartDashboard.
   2. Select the IPS node (if IPS is missing, verify that the IPS blade was enabled).
   3. In Protection Scope, select Perform IPS inspection on all traffic.
   4. Install the Policy.
  In the default Protect internal hosts only mode, the IPS blade inspects traffic from the Internal to the External interface or vice versa, using the gateway topology (which is set on the GX object in SmartDashboard). Since the inner GTP traffic does not have its own distinct topology settings and rulebase, the IPS blade inspects the inner GTP packet using the GX object topology settings, which may cause it to skip the inspection. To override this, you must set the Perform IPS inspection on all traffic option.
- Full Intra-Tunnel inspection is enforced only on encapsulated IPv4 traffic.
- When installing Check Point appliances, the WebUI sometimes shows the loopback IP address as instead of or does not show it at all. This is a display issue that can be ignored.
- GTP PDU Integrity Tests (Verify Flow Labels and G-PDU sequence number checks) are not supported in accelerated mode. For more details, see the GTP PDU Integrity Tests section in the Firewall-1 GX 5.0 Administration Guide.

SCTP and Diameter Limitations

Even though SCTP or Diameter objects cannot be inserted in the Service column of a manual NAT rule, NAT is still applied for rules that match SCTP or Diameter traffic if the service is Any.

IPv6 VPN Limitations

Global VPN communities defined in a Multi-Domain Security Management global policy are not supported for IPv6 traffic.

These encryption methods are not supported for IPv4 or IPv6 on gateways installed with this release: DES, DES-40CP, CAST, CAST-40.

Permanent Tunnels through DPD

When SecureXL is enabled, incoming IPSec traffic does not act as proof that the peer is alive. In this case, unnecessary DPD requests may be sent to some peers.


PrepAwayExam.   High-efficient Exam Materials are the best high pass-rate Exam Dumps PrepAwayExam http://www.prepawayexam.com/ High-efficient Exam Materials are the best high pass-rate Exam Dumps Exam : 156-215.75 Title : Check Point Certified Security Administrator Vendor : CheckPoint

More information