VPN-1 Power VSX VSX NGX R65 HFA 10. Release Notes


VPN-1 Power VSX VSX NGX R65 HFA 10 Release Notes 12 November, 2009

More Information
To view the latest version of this document, see the User Center (http://supportcontent.checkpoint.com/documentation_download?=10363). For additional technical information about Check Point, visit the Check Point Support Center (http://support.checkpoint.com).

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to us (mailto:cp_techpub_feedback@checkpoint.com?subject=feedback on VPN-1 Power VSX VSX NGX R65 HFA 10 Release Notes).

2003-2009 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Please refer to our Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Please refer to our Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights.

Contents
Introduction ... 4
What's New ... 4
Supported Versions, Platforms, and Builds ... 5
Supported VSX Versions ... 5
Supported Platforms ... 5
Included Builds ... 5
Known Limitations ... 7
Installation ... 7
Uninstallation ... 7
Resolved Issues ... 8
VSX ... 8
ClusterXL ... 9
GateD ... 9
SecurePlatform ... 9
SecureXL ... 10
SmartDefense ... 10
URL Filtering ... 10
VoIP ... 11
VPN ... 11
Gateway Protection ... 11

Introduction
Thank you for updating your Check Point products with VPN-1 Power VSX NGX R65 HFA 10 (Hotfix Accumulator). This HFA is a recommended update that resolves various issues and contains improvements for VPN-1 Power VSX and other Check Point products on a variety of platforms. Please read this document carefully prior to installing this HFA. We also recommend that you refer to the appropriate Check Point user documentation and release notes, which contain hardware requirements, software requirements, and version recommendations.

What's New
New Web Filtering engine focusing on hazardous and malicious websites
New comprehensive protection against the sockstress vulnerability
Multiple stability issues have been fixed
Resolutions for customer reported issues
Fixes for major issues in VSX NGX R65
Improved quality of SmartDefense protections
Improved quality of SecureXL
Improved quality of Dynamic Routing
Improved quality of VoIP
Fixes for Linux security issues

Important - During installation of the new Web Filtering engine, no default database is installed; therefore, the Web Filtering policy is not enforced until a signature update is performed. The first update may take a long time, depending on your environment. Subsequent updates should take significantly less time, as only incremental information is downloaded.

Supported Versions, Platforms, and Builds

Supported VSX Versions
This HFA can be installed on top of the Check Point VPN-1 VSX NGX R65 versions shown in the following table. To verify the build installed, run: fw ver -k.

Platform: VPN-1 VSX NGX R65 on SecurePlatform
Build Number: 610000517
Output of fw ver -k:
This is Check Point VPN-1 VSX NGX R65 - Build 517
kernel: NGX R65 - Build 517

Platform: VPN-1 VSX NGX R65 on SecurePlatform
Build Number: 610000550
Output of fw ver -k:
This is Check Point VPN-1 VSX NGX R65 - Build 550
kernel: NGX R65 - Build 550

Platform: VPN-1 VSX NGX R65 on SecurePlatform
Build Number: 610005004
Output of fw ver -k:
This is Check Point VPN-1 VSX NGX R65, Hotfix 005 - Build 004
kernel: NGX R65, Hotfix 005 - Build 004

Platform: VPN-1 VSX NGX R65 on VSX-1
Build Number: 884000008
Output of fw ver -k:
This is Check Point VPN-1 VSX NGX R65 - Build 008
kernel: NGX R65 - Build 008

Platform: VPN-1 VSX NGX R65 on IPSO
Build Number: 610002011
Output of fw ver -k:
This is Check Point VPN-1 VSX NGX R65, Hotfix 002 - Build 011
kernel: NGX R65, Hotfix 002 - Build 011

Supported Platforms
The following operating systems and hardware platforms are supported for HFA installation:

Platform: SecurePlatform - Version: 2.4.21-21cpsmp
Platform: IPSO - Version: 5.0
Platform: VSX-1 - Version: 3070, 9070, 9090
Platform: Crossbeam - Version: XOS 8.1+

Included Builds
To verify that you have the HFA described in this document: From the HFA file you downloaded, open take_number.conf and make sure it contains: take_29

Take 29 of VSX NGX R65 HFA 10 consists of the following builds:

Component: Firewall
Build Number: 884610037
Verify Command and Output: The output of fw ver -k should be similar to:
This is Check Point VPN-1 VSX NGX R65 HFA_10, Hotfix 610 - Build 027
kernel: NGX R65 HFA_10, Hotfix 610 - Build 037

Component: SecurePlatform
Build Number: 884610028
Verify Command and Output: The output of splat_ver should be similar to:
ecu hfa 884610028

Component: Performance Pack
Build Number: 884610004
Verify Command and Output: The output of sim ver -k should be similar to:
This is Check Point Performance Pack version: NGX R65 HFA_10, Hotfix 610 - Build 004
Kernel version: NGX R65 HFA_10, Hotfix 610 - Build 004

Component: Dynamic Routing
Build Number: 884610006
Verify Command and Output: The output of gated_ver is a list of information including:
884610006
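The two checks above (is the gateway on a base build this HFA supports, and does the firewall kernel build after installation match take 29) can be scripted from the strings the release notes give. The following is an added example, not a script shipped with the HFA; the sample outputs are constructed, and on a real gateway you would pass the output of fw ver -k and the contents of take_number.conf instead.

```shell
# Added example (not from the Check Point release notes): pre- and post-install
# verification for VSX NGX R65 HFA 10, driven by the kernel build strings the
# notes list. Sample outputs are constructed, not captured from a gateway.

# Kernel lines of "fw ver -k" for the base builds HFA 10 can be installed on.
SUPPORTED_BASE_KERNELS='NGX R65 - Build 517
NGX R65 - Build 550
NGX R65, Hotfix 005 - Build 004
NGX R65 - Build 008
NGX R65, Hotfix 002 - Build 011'

# Print the kernel build string from "fw ver -k" output read on stdin.
kernel_build() {
    sed -n 's/^kernel: *//p' | head -n 1
}

# Return 0 if the given "fw ver -k" output shows a supported base build.
is_supported_base() {
    build=$(printf '%s\n' "$1" | kernel_build)
    [ -n "$build" ] || return 1
    printf '%s\n' "$SUPPORTED_BASE_KERNELS" | grep -Fxq -- "$build"
}

# Return 0 if the given "fw ver -k" output shows the take 29 firewall kernel build.
is_hfa10_installed() {
    build=$(printf '%s\n' "$1" | kernel_build)
    [ "$build" = "NGX R65 HFA_10, Hotfix 610 - Build 037" ]
}

# Return 0 if the given take_number.conf contents name take 29.
is_take_29() {
    printf '%s\n' "$1" | grep -Fxq 'take_29'
}

# Constructed sample outputs for a stand-alone run.
BEFORE='This is Check Point VPN-1 VSX NGX R65 - Build 550
kernel: NGX R65 - Build 550'
AFTER='This is Check Point VPN-1 VSX NGX R65 HFA_10, Hotfix 610 - Build 027
kernel: NGX R65 HFA_10, Hotfix 610 - Build 037'
OTHER='This is Check Point VPN-1 VSX NGX R65 - Build 600
kernel: NGX R65 - Build 600'

if is_supported_base "$BEFORE"; then echo "base build supported: install can proceed"; fi
if ! is_supported_base "$OTHER"; then echo "base build not in the supported list: do not install"; fi
if is_take_29 'take_29'; then echo "downloaded package is take 29"; fi
if is_hfa10_installed "$AFTER"; then echo "HFA 10 take 29 firewall kernel build present"; fi
```

On the gateway itself the calls become is_supported_base "$(fw ver -k)" before installation and is_hfa10_installed "$(fw ver -k)" after the reboot.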

Known Limitations
This HFA is intended for enforcement gateway installation only. Installing this HFA on a SmartCenter server or Provider-1 MDS is not supported and may cause unexpected behavior.

If you install this HFA and activate Web Filtering, and then want to uninstall the HFA, take the following precaution: Deactivate Web Filtering on every SmartDashboard object before uninstalling the HFA. Leaving the Web Filtering activated may cause HTTP traffic to be blocked. If you already had Web Filtering before installing this HFA, you do not need to take this precaution before uninstalling the HFA.

Installation
Install this HFA on supported VSX gateways.

Note - The Full Connectivity Upgrade Procedure (FCU) is not supported for VSX.

To install the HFA:
1. Download the HFA.tgz file to the VSX Gateway and extract the package.
For SecurePlatform: Check_Point_VSX_NGX_R65_HFA_10.linux.tgz (http://supportcenter.checkpoint.com/file_download?id=10345)
For IPSO: Check_Point_VSX_NGX_R65_HFA_10.ipso.tgz (http://supportcenter.checkpoint.com/file_download?id=10344)
2. Run the installation script: ./unixinstallscript
3. Follow the on-screen instructions to install all of the components. When the installation completes, it says succeeded for each component.
4. Follow the prompt to reboot the machine.

Uninstallation
To uninstall the HFA on SecurePlatform or IPSO:

Important - Do not run the uninstall command twice in a row. This may cause unexpected behavior. If you need to run the uninstall command again, reboot the machine first.

1. From the command line, run: /opt/cpuninstall/vsx_ngx_r65_hfa_10/unixinstallscript -u
2. Reboot the machine.

Note - If you reboot the machine from the /opt/cpuninstall/vsx_ngx_r65_hfa_10 directory, an error message appears that can be ignored.

Resolved Issues
In This Section:
VSX 8
ClusterXL 9
GateD 9
SecurePlatform 9
SecureXL 10
SmartDefense 10
URL Filtering 10
VoIP 11
VPN 11
Gateway Protection 11

VSX
00432882 Improved gateway stability when enabling VPN-1 on Virtual Systems.
00465719 Improved stability when a gateway attempts to create a new VLAN tag and fails.
00405230 Improved stability when running cplogd. This resolves a problem where cplogd became unresponsive, and may have produced error messages such as: [cplogd 2025]@albert CLogDaemonApp::sigExitHandler : sig == 15, not in the main thread (2051!= 1024), forwarding to the main thread.
00418561 Improved stability in DHCP relay processes.
00502316 The correct value for hmem peak bytes is displayed when running: fw ctl pstat/snmp/cpstat -f hmem.
00496323 Improved stability during policy installation.
00496339 Improved stability when deleting a Virtual System.
00466960 Improved stability of the fwm logexport command.
00496342 Improved stability when unloading the fw driver.
00408898 Improved stability of interfaces with bnx2 drivers.
00445871 Improved gateway stability when installing policy after a customer deletes a service.
00416548 Improved stability in the fw process when running fw tab -u -t connections.
00494620 Sequence mismatch errors, which caused high CPU consumption by the fwd process, no longer appear. The following is an example of output that may have appeared in few.elg as a result of the sequence mismatch error: rtm_input: unexpected sequence number: expected 3554599, received 3675425

ClusterXL
00414826 Failover on VSX with Load Sharing, configured with a Virtual Switch and with the kernel parameter fwha_recovery_delay_timeout enabled, now works correctly.
00414828 Improved performance, as there is no longer redundant CCP traffic on the Virtual Switch.
00426500 Improved connectivity in High Availability, as a Standby Virtual System connected to a Virtual Switch sends ARP requests correctly, using the MAC address of the Active Virtual System.

GateD
00441998 On Crossbeam, the OSPF restart process has been improved to allow additional time before checking the Self-Originated LSAs.
00442009 Improved GateD performance in Crossbeam after CPM Failover when the NFS is back up.
00446301 After failover between VAP group members in a Crossbeam Cluster, one GateD is set as master and the routing table is synchronized correctly.
00442032 Problems with synchronization between neighbors after a failover have been resolved.
00442031 Improved stability when updating while using dynamic routing in situations where a large amount of routes need to be learned. This resolves a problem with updates that may have produced the following error message in syslog: recvmsg failed
00441985 Routes learned from an IBGP peer are now successfully installed.
00441978 On Crossbeam, OSPF routing now works consistently after hard reset of the master VAP APM.
00441784 Improved stability in GateD when configuring an OSPF virtual link.

SecurePlatform
00463858, 00433001, 00496501 Improved stability when a machine has reached its maximum memory usage.
00439748 When enabling crontab, the following error messages are no longer sent incorrectly to the gateway console: application bug: crond(1646) has SIGCHLD set to SIG_IGN but calls wait(), application bug: crond(1663) has SIGCHLD set to SIG_IGN but calls wait().
00463856 Bnx2 drivers now automatically change settings to 1000/Full Duplex when autoneg is selected.

00415375 Fixed vulnerability CVE-2008-0960 - SNMPv3 HMAC: Verification relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte.
00446267 Fixed vulnerability CVE-2007-5846 - The SNMP agent allows remote attackers to cause a denial of service (CPU and memory consumption) via a GETBULK request with a large max-repeaters value.
00500658 Fixed vulnerability CVE-2009-1385 - Integer underflow in the e1000_clean_rx_irq function allows remote attackers to cause a denial of service (panic) via a crafted frame size.

SecureXL
00446110 SecureXL now supports the keep_df_flag (DF=Don't Fragment).
00407402 The link collision mechanism is now activated by default; this resolves issues with using NAT traversal and IP compression in order to connect to a VPN with SecureClient.

SmartDefense
00414826 Failover on VSX with Load Sharing, configured with a Virtual Switch and with the kernel parameter fwha_recovery_delay_timeout enabled, now works correctly.
00414828 Improved performance, as there is no longer redundant CCP traffic on the Virtual Switch.
00426500 Improved connectivity in High Availability, as a Standby Virtual System connected to a Virtual Switch sends ARP requests correctly, using the MAC address of the Active Virtual System.

URL Filtering
00446383 Uncategorized websites can be blocked and unblocked using the following kernel parameters:
vsx set <vsid>
fw ctl set int g_ci_uncategorized_accept_vsid <vsid>
fw ctl set int g_ci_uncategorized_accept_opt <0 to block, 1 accept>

VoIP
00421259 Improved stability when MGCP traffic is used.
00445916 MGCP traffic is no longer dropped due to the short buffer length of the Endpoint IP.
00421192 Improved stability in the event of Cluster failover with SIP TCP traffic.
00414193 In the SCCP inspection, all of the sk_hdr_content_verifier defenses are now per VS and not global to all Virtual Systems.
00496659 Improved stability of SCCP inspection, especially when logging is used.
00430220 SIP traffic now passes successfully when the 2xx response is to a port other than 5060.

VPN
00446279 In SecureRemote/SecureClient, Remote Access rules based on groups defined on the RADIUS server are now properly applied to all users.
00415615 The SecureClient connections are now maintained after a failover in VSX with Load Sharing.
00446239 Improved VPN connectivity after changing the authentication method from username/password to RADIUS ActiveIdentity.
00446242 In the event of an IP address collision between a remote access client and a host in the encryption domain, a new connection to the remote access client's IP address will be sent to the IP address in the encryption domain. Note: This behavior mitigates security threats associated with IP collision. For more details see sk34579 (http://supportcontent.checkpoint.com/solutions?id=sk34579).

Gateway Protection
00509491 In response to the Sockstress TCP DoS vulnerability, this HFA provides a comprehensive protection for Check Point Security Gateways and the resources behind them. See sk42723 (https://supportcontent.checkpoint.com/solutions?id=sk42723).