Security Gateway Virtual Edition R71 Release Notes 9 February 2012 Classification: [Restricted]
2012 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses. VMware, VMware VMotion and VMware vsphere are registered trademarks and/or trademarks of VMware, Inc. in the United States and/or other jurisdictions.
Important Information Latest Version The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?=11535 For more technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com). Revision History Date 6 September 2011 Abra is supported on Network Mode. 27 July 2011 Dynamic Routing is supported on Network Mode. 9 March 2011 Added known limitation 00649693. Updated known limitation 00525830. 6 February 2011 Added known limitation 00640862. 11 January 2011 Added supported platforms. Updated known limitations. New build number. 8 November 2010 Initial version. Feedback Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=feedback on Security Gateway Virtual Edition R71 Release Notes).
Contents Important Information... 3 Introduction... 5 What's New... 5 Selecting an Operation Mode... 6 Supported Features and Software Blades... 6 System Requirements... 7 Supported Builds and Platforms... 7 Known Limitations... 8 Security Gateway Virtual Edition Limitations... 8 Non-supported R71 Features... 8 VMware Feature Limitations... 8 General Limitations... 8 Hypervisor Mode Limitations... 9 Non-supported R71 Features... 9 Network Limitations...10 ESX Configuration Limitations...10 General Limitations...11 Hypervisor Mode Cluster Deployment Limitations...11 Non-supported R71 Features...11 Network Limitations...11 General Limitations...12
Introduction Introduction Check Point Security Gateway Virtual Edition protects dynamic virtual environments and external networks from internal and external threats by securing virtual machines and applications. This solution uses proven Check Point security technologies: Software Blade architecture, Firewall with content inspection, IPS, central management, and more. Security Gateway Virtual Edition has different operation modes. Decide which is best for your environment and plan the installation accordingly. The Hypervisor Mode enforces VM security within the VMware Hypervisor by inspecting inter-vm traffic, without changing the virtual network topology. The Network Mode is deployed as a virtual network device to protect virtual networks and physical environments. You can configure it as a router or a bridge, in the same way as a physical gateway. Note - All references to ESX throughout the document are also relevant for ESXi unless specifically noted otherwise. What's New Hypervisor Mode: Protects VMs and traffic between VMs. Secures dynamic virtual environments without network topology changes. Supports VMware VMsafe. Protects against security breaches caused by configuration errors. Gives out-of-the-box protection with easy configuration. Supports R71 Software Blade architecture. Maximizes security granularity at the vswitch, port group, and VM levels. Supports ESX clusters for VM high availability and load sharing. Enforces security with no downtime during vmotion migration. Lets growing enterprises protect expanding virtual networks while reducing hardware investment, maintenance, energy, and site costs. Optimizes performance for virtual environments. Network Mode: Operates as a layer-2 or layer-3 Security Gateway for virtual network environments. Supports ClusterXL for high availability and load sharing. Enforces security with no downtime during vmotion migration. Supports vmotion on the Security Gateway Virtual Edition virtual machine. Lets growing enterprises protect expanding virtual networks while reducing hardware investment, maintenance, energy, and site costs. Optimizes performance for virtual environments. Security Gateway Virtual Edition Release Notes R71 5
Introduction Selecting an Operation Mode To select the mode that is optimal for your environment, compare VMware and Check Point features. VMware Features Hypervisor Mode Network Mode VMotion for 3rd party VMs Yes Yes VMotion for the Security Gateway Virtual Edition VM No Yes DRS Yes Yes VMSafe Integration Yes No vshield No No Fault Tolerance No No DVS Yes Yes Nexus 1000v Yes Yes Supported Features and Software Blades Features and Software Blades Hypervisor Mode Network Mode Firewall Yes Yes NAT No Yes IPsec VPN No Yes IPS Yes Yes URL Filtering Yes Yes Email Security and Anti-Spam No Yes CoreXL No Yes ClusterXL No Yes IPv6 No Yes SSL VPN No Yes SSL Network Extender No Yes Mobile Client No No QoS No Yes Dynamic Routing No Yes Web Security Yes Yes VoIP No Yes Security Gateway Virtual Edition Release Notes R71 6
System Requirements Features and Software Blades Hypervisor Mode Network Mode Abra No Yes Anti-Malware Limited* Yes * See 00525807 in Known Limitations ("Non-supported R71 Features" on page 9). System Requirements Item Minimum Recommended Notes Memory 512 MB 2.5 GB Add more memory to inspect many connections concurrently. Disk Space 12 GB 12 GB Number of Virtual CPUs 1 2 Supported Builds and Platforms This table shows the supported builds and platforms for Security Gateway Virtual Edition. Build, Platform, Server Version Security Gateway Virtual Edition Build 976141008 To verify: fw ver -k VMware Platform VMware vsphere ESX 4.0, 4.1. VMware vsphere ESXi 4.0, 4.1. Note: For ESX/ESXi 4.0, the recommended build is 171294 or above. Build 164009 is not supported Check Point Security Management Server or Multi- Domain Security Management Multi-Domain Server R71 or higher Note - Security Gateway Virtual Edition is based on the R71.10 Security Gateway. Security Gateway Virtual Edition Release Notes R71 7
Known Limitations Known Limitations Note - The numbers next to each known limitation are for your tracking information. Check Point constantly makes an effort to improve released products. Check the tracking numbers in the next release for fixes. Security Gateway Virtual Edition Limitations Note - All Security Gateway R71 and R71.10 limitations (http://supportcontent.checkpoint.com/solutions?id=sk44993) apply also to Security Gateway Virtual Edition. In this section: Non-supported R71 Features 8 VMware Feature Limitations 8 General Limitations 8 Non-supported R71 Features 00631146 The Check Point Mobile client is not supported in Security Gateway Virtual Edition. 00631234 Management High Availability and Log Server are not supported on a standalone Security Gateway Virtual Edition. 00527267 Performance Pack Heavy Load Quality of Service feature (HLQoS) is not supported. VMware Feature Limitations 00575640 Cloning and templates are supported for Security Gateway Virtual Edition VM, if: The VM is a newly deployed Security Gateway Virtual Edition (immediately following the first boot). You have not yet configured any Check Point products. You have not yet done any configuration steps, such as sysconfig or cpconfig. 00526862 VMware Tools are not supported on a Security Gateway Virtual Edition Virtual Machine. General Limitations 00525830 Upgrade to R71 is not supported. You must install Security Gateway Virtual Edition R71 as a clean installation. You cannot install Security Gateway R71 HFA packages or releases above R71 on top of the Security Gateway Virtual Edition. Security Gateway Virtual Edition Release Notes R71 8
Known Limitations 00566886 CPU consumption for the Security Gateway Virtual Edition might show inaccurate results. To resolve this issue, reserve CPU resources on the ESX: 1. In the vsphere client, right click the Security Gateway Virtual Edition. 2. Select Edit Settings. 3. On the Resources tab, move the Reservation slider to allocate a guaranteed CPU share (in MHz). 00568259 You can configure up to 2 virtual CPUs for the Security Gateway Virtual Edition. 00566045 The SecurePlatform WebUI is disabled until you assign an IP address to one of its network adapters. 00649693 In environments with more than one Security Gateway Virtual Edition on one ESX host, (where one is in Hypervisor mode and the others are in Network Mode), apply this configuration on the Security Gateway Virtual Edition in Hypervisor Mode: 1. Run sysconfig and configure the security of the Security Gateway Virtual Edition in Network mode instances to bypassed 2. Run sysconfig and configure the security of the VMs that are secured by one of the Security Gateway Virtual Editions in Network mode to bypassed. 3. Run sysconfig and configure the global failure setting to fail-open. Hypervisor Mode Limitations In this section: Non-supported R71 Features 9 Network Limitations 10 ESX Configuration Limitations 10 General Limitations 11 Non-supported R71 Features Unsupported Feature 00525721 Security Gateway Virtual Edition in Hypervisor Mode cannot operate as a layer 3 network device (router). Layer 3 features, such as NAT and VPN, are not supported. 00525807 The following features are not supported in the current version: E-mail Security HTTP/FTP/SMTP with resource User/client/session authentication Anti-Virus in the proactive mode Anti-Virus for FTP Anti-Virus by file direction 00525819 ClusterXL high availability and load sharing are not supported. 00525822 QoS is not supported. 00526867 Bridge mode is not supported. Security Gateway Virtual Edition Release Notes R71 9
Known Limitations Unsupported Feature 00527315 CoreXL is not supported. 00568687 VoIP is not supported. 00575642 Header spoofing protection is not supported. 00631143 The SSL VPN blade and SSL Network Extender are not supported. 00631138 IPv6 is not supported. Network Limitations 00557690 Dynamic Routing is not supported. 00518814 When a VM operates as a router for other VMs, you must configure these settings: 1. Run sysconfig to configure the routing VM security setting to bypassed. 2. Do not configure IP Anti-spoofing for VMs that use the routing VM as a default gateway. 00526860 When a VM operates as a bridge for other VMs, run sysconfig to configure the bridge-vm security setting to bypassed. 00525805 You cannot configure a VLAN using the VM guest operating system in an ESX environment. Configure the VLAN using a vswitch. 00526946 Hypervisor Mode does not support duplicate IP or MAC addresses for different VMs. 00552805 You cannot change a vnic MAC address using the guest operation system. 00560767 A Check Point management server cannot connect to a Security Gateway Virtual Edition if all of these cases are true: The management server is installed on an ESX cluster member. The management server uses a dedicated network. The Security Gateway Virtual Edition is not directly connected to this network. Workaround: Connect the management server VM to the ESX management network or connect the Security Gateway Virtual Edition to the management network. 00568517 Microsoft Network Load Balancing (NLB) is not supported for VMs. ESX Configuration Limitations 00863806 VMDirectPath I/O is not supported. 00526845 You can only install one Security Gateway Virtual Edition with Hypervisor Mode on an ESX host. 00528634 Security Gateway Virtual Edition supports a maximum of 100 VMs on an ESX host. 00527283 When using the VMware Distributed Resource Scheduler, you must disable it on the Security Gateway Virtual Edition. Security Gateway Virtual Edition Release Notes R71 10
Known Limitations 00640862 vnetwork Appliance products are not supported with Security Gateway Virtual Edition in Hypervisor Mode. General Limitations 00558889 After creating a Virtual Machine from a template or after cloning a Virtual Machine, the following entry may show in the SmartView Tracker logs: "A misconfigured filter was created due to VM import, deployment of VM from template or VM cloning. Traffic is blocked for this new VM. Please reset the newly created VM in order to fix this issue." If this occurs, reset the new Virtual Machine. This message may also occur when powering on the source (original) Virtual Machine after cloning it. If this occurs, reset both the source and the newly cloned Virtual Machines. 00629564 The Reinstall Hypervisor Connector operation might fail on ESXi 4.1. See the Troubleshooting section of the R71 Security Gateway Virtual Edition Administration Guide (http://supportcontent.checkpoint.com/documentation_download?=11534) for instructions. Hypervisor Mode Cluster Deployment Limitations In this section: Non-supported R71 Features 11 Network Limitations 11 General Limitations 12 Non-supported R71 Features Unsupported Feature 00527310 ISN scrambling (spoofing) protection in IPS is not supported. 00527312 The SYN attack protection in IPS is not supported. 00565933 vmac is not supported. Network Limitations 00527318 After a VM migrates from one ESX host (source) to another (destination), the source member continues to inspect existing connections. If the source member fails, existing connections are dropped. 00524634 If routers (virtualized or physical) are used to route traffic between virtual networks, only one of the virtual networks can be secured by the Security Gateway Virtual Edition. You must configure the other networks in Bypass. Security Gateway Virtual Edition Release Notes R71 11
Known Limitations General Limitations 00553212 Hypervisor Mode supports up to ten cluster members. 00528627 You must install Hypervisor Mode on all ESX Cluster members. Security Gateway Virtual Edition Release Notes R71 12