Release Notes
12 August 2011
Classification: [Public]
2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information
Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=10330 For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
Revision History
Date | Description
12 August 2011 | Removed R70.30 from upgrade path
6 October 2010 | Added note that upgrading from R70.40 is not supported ("Supported Management and gateway Upgrade Paths" on page 16)
8 June 2010 | Added limitation notes for Sun T-series servers and cross-platform High Availability with Windows platforms
25 April 2010 | First release of this document
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on R71 Release Notes ).
Contents
Important Information
What's New in R71
  New Terms
Included in this Release
  Data Loss Prevention Software Blade
  Mobile Access Software Blade
  UTM Service Performance Boost
  Integrated Management Blade for IPS-1
  IPSec VPN Enhancements
  SmartEvent (formerly Eventia) Enhancements
  Improved Multi-Domain Security Management Import and Export
  New SmartLSM Clustering
  Security Management Enhancements
    Security Management Servers with Dynamic IPs
    Firewall Rule Expiration
    Automatic Deletion of Old Database Versions
    Object Management Improvements
    Other Security Management Enhancements
  Check Point Appliance Enhancements
    Jumbo Frames Support for Power-1
    Hardware Health Monitoring for Smart-1
Supported Products
  Software Licensing
    Enforcement of IPS Software Blade Licenses
  Build Numbers
  Supported Security Products by Platform
    Security Software Containers by Platform
    Security Gateway Software Blades by Platform
    Security Management Software Blades by Platform
    Dedicated Gateways
  Clients and Consoles by Windows Platform
  Supported Upgrade Paths and Interoperability
    Supported Management and gateway Upgrade Paths
    Backward Compatibility For Gateways
    IPS-1 Upgrade Paths and Interoperability
    Upgrade Notes
HFAs Included in this Release
Platform Requirements
  SecurePlatform
  IPSO
  Linux
  Microsoft Windows
  Solaris
  Maximum Number of Interfaces Supported by Platform
Minimum System Requirements
  Security Gateway Hardware Requirements
  Security Management Hardware Requirements
  SmartConsole and SmartDomain Manager Hardware Requirements
  Multi-Domain Security Management Requirements
    Multi-Domain Security Management Resource Consumption
  Performance Pack
  VSX Gateway Hardware Requirements
  SmartEvent (formerly Eventia Analyzer) Requirements
  SmartReporter (formerly Eventia Reporter) Requirements
    Optimizing SmartReporter Performance
  SecureClient Requirements
  Endpoint Security Requirements
Known Limitations
New Streaming architecture available with Anti-Virus & URL Filtering Software Blades provides performance boost for UTM features: Up to 15 times Anti-Virus Throughput improvement. Up to 80 times Anti-Virus & URL Filtering connection capacity improvement.
IPS Manageability
IPS-1 Sensors can now be managed from Security Management server / Provider-1. Update IPS Protections automatically according to a pre-defined schedule.
Management Enhancements
Various improvements in the Management Blades deployment (for example, the ability to install a Security Management server on Windows with DHCP), usability enhancements, and new features (such as Firewall Rule Expiration).
New Terms
The following product and technology names have changed for this version.
Name Before R71 | Name Starting with R71
Eventia Analyzer | SmartEvent
Eventia Reporter | SmartReporter
IPS Event Analysis | SmartEvent Intro
data classification engine combines users, content and process into accurate
Self-educating system Does not require IT/security personnel for incident handling, while educating the users on proper data sharing policies.
For more information about Data Loss Prevention, see the R71 DLP Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=10774).
Raise network and remote endpoint security levels with multi-layered protection
Ensures in-depth security with integrated IPS, Anti-Virus and Anti-Malware. Easily control and manage remote access for a range of users: employees, partners, and contractors. Secure and minimize risk from known and unknown endpoints with a variety of protections.
For more information, see the R71 SSL VPN Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10322).
IKEv2: IKEv2 Protocol is now available for VPN.
Enhanced Protection against IKE DOS attacks: New configuration exists for protection against IKE DOS attacks by authenticated peers.
Multiple Certificates Per Certificate Authority (CA): Multiple signing certificates for a CA enable the administrator to expire a CA Certificate which invalidates all certificates signed by this CA, alleviating the need for coordinating long Certificate Revocation Lists (CRLs).
Multicast IPSec: A Multicast VPN solution that efficiently sends multicast data through designated sender gateways (by VPN) to hosts behind multiple listener gateways.
New-style object selectors in SmartDashboard - additional details appear for each object and filtering capabilities have been added.
New-style editor for the Groups properties - additional details appear for each group member, filtering capabilities have been added and the window can now be resized.
Grouping selected objects in SmartDashboard - it is possible to create a group by selecting objects in the Rule Base, Objects Tree and Objects List.
For more information, see Hardware Health Monitoring in the R71 SecurePlatform Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10313).
Supported Products
In This Section
Software Licensing
Build Numbers
Supported Security Products by Platform
Clients and Consoles by Windows Platform
Supported Upgrade Paths and Interoperability
Software Licensing
From version R71, customers are required to use Software Blade licenses. If you have not yet migrated to Software Blade licenses, follow the migration options from Check Point's website (http://www.checkpoint.com/products/promo/software-blades/upgrade/index.html). From R71, the software license enforcement module checks that users have current Software Blade Licensing. Users that have installed R71 software using NGX-based licenses and not Software Blade licenses will receive warnings on the Security Gateways and SmartDashboard.
For more information about the IPS contract enforcement, refer to sk44175 (http://supportcontent.checkpoint.com/solutions?id=sk44175).
Build Numbers
The following table lists all R71 software products available, and the build numbers as they are distributed on the product CD. To verify each product's build number, use the given command format or direction within the GUI. All build numbers are subject to change.
Software Blade / Product | Build Number | Verifying Build Number
Security Gateway | Linux & IPSO > 394; Win & Solaris > 389 | fw ver
Security Management | Build 142 | fwm ver
SmartConsole Applications | Build 976000482 | Help > About Check Point <product name>
Software Blade / Product SSL VPN Multi-Domain Security Management Multi-Domain Server (MDS) Multi-Domain Security Management Multi-Domain GUI (MDG) SecurePlatform Infrastructure (SVN Foundation) Acceleration (Performance Pack) Advanced Networking (QoS) Advanced Networking (Routing) Monitoring (SVM Server) Management Portal
Build 976000126_1
ver cpshared_ver
Build 043
sim ver -k
Build 026
fgate ver
ngc2.3
gated -ver
Build 028
rtm ver
Build 976000028
SmartEvent SmartReporter Endpoint Policy Server (SecureClient Policy Server) SecuRemote/SecureClient UTM-1 Edge Firmware Endpoint Security Client Flex/Agent Endpoint Security Server Compatibility Packages CPNGXCMP-R71-00 CPV40Cmp-R71-00 CPEdgecmp-R71-00 CPCON66CMP-R71-00 CPCON62CMP-R71-00
Help > About Displayed on the default portal page Right-click the System Tray icon and select About About
7.50.552.000
/opt/CPNGXCMP-R71/bin/fw_loader ver
/opt/CPV40Cmp-R71/bin/fw_loader ver
/opt/CPEdgecmp-R71/bin/fw ver
/opt/CPCON66CMP-R71/bin/fw_loader ver
/opt/CPCON62CMP-R71/bin/fw_loader ver
Note - We recommend that you install Multi-Domain Security Management on Sun M-Series servers. We do not recommend that you install Multi-Domain Security Management on Sun T-Series servers.
Firewall IPSec VPN IPS SSL VPN DLP Anti-Virus & Anti-Malware URL Filtering Anti-Spam & Email Security Web Security Advanced Networking Acceleration & Clustering (1)
Notes
1. The maximum number of supported cluster members in ClusterXL mode is five; in third-party mode the maximum is eight.
2. Only Clustering is supported in Windows. Acceleration is not supported.
3. Only third-party clustering is supported.
Network Policy Management Endpoint Policy Management Logging & Status Monitoring
*Note - Management Portal is supported on the following Web browsers: Internet Explorer 6 and 7, and Mozilla Firefox 1.5 - 3.0
Dedicated Gateways
IPS-1, DLP-1, and VSX-1 are only supported on SecurePlatform. VPN-1 Power VSX is supported on SecurePlatform, IPSO 5, and Crossbeam X-series. For more details regarding IPSO models, see the VPN-1 Power VSX NGX R65 on IPSO 5.0 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=10674 ).
SmartConsole
Provider-1 MDG SecureClient SSL Network Extender Endpoint Security Client Endpoint Connect Client DLP UserCheck
Upgrade Notes
To upgrade Check Point Suite Products before version NGX R65 to R71, you must first upgrade to NGX R65 and then to R71.
NGX R65.4 cannot be upgraded to R71.
When upgrading NGX R65, only the following plug-ins may be present: Connectra, SmartProvisioning, VSX, and Messaging Security. The presence of any other plug-in will cause the upgrade process to fail.
Important - If you upgrade from NGX R65 with plug-ins to R71, and later want to uninstall R71 (rollback to NGX R65), follow the instructions in sk37252 (http://supportcontent.checkpoint.com/solutions?id=sk37252) to avoid potential problems.
It is recommended to read the list of Known Limitations, published in sk41909 (http://supportcontent.checkpoint.com/solutions?id=sk41909), prior to any upgrade procedure.
Platform Requirements
In This Section
SecurePlatform
IPSO
Linux
Microsoft Windows
Solaris
Maximum Number of Interfaces Supported by Platform
SecurePlatform
This release is shipped with the latest SecurePlatform operating system, which supports a variety of hardware, including open servers and network interface cards.
Note - Cross-platform High Availability is supported if all of the platforms are SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).
See the list of certified hardware (http://www.checkpoint.com/services/techsupport/hcl/index.html) before installing SecurePlatform on the target hardware.
IPSO
When installing this release on IPSO:
Advanced Routing and SecureXL are included by default.
Clustering on IPSO supports VRRP and IP Clustering.
UTM-1 Edge devices cannot be managed from a Security Management server running on IPSO.
All available configurations (Disk-based, Flash-based and Hybrid) of currently available IP Series platforms are supported.
This release supports IPSO 6.2.
This release does not support IPSO 6.0.7.
Linux
This release supports Red Hat Enterprise Linux 5.0 and 5.4 for specific management products only. Before installing a Check Point management product on Red Hat Enterprise Linux 5, perform the following steps.
To prepare Red Hat Enterprise Linux 5.0 or 5.4 for Check Point management installation:
1. Install the sharutils-4.6.1-2 package
   a) Check if you have the sharutils-4.6.1-2 package installed by running: rpm -qa | grep sharutils-4.6.1-2
   b) If the package is not already installed, install it by running: rpm -i sharutils-4.6.1-2.i386.rpm
   This package can be found on CD 3 of RHEL 5.
2. Install the compat-libstdc++-33-3.2.3-61 package
   a) Check if you have the compat-libstdc++-33-3.2.3-61 package by running: rpm -qa | grep compat-libstdc++-33-3.2.3-61
   b) If the package is not already installed, install it by running: rpm -i compat-libstdc++-33-3.2.3-61.i386.rpm
   This package can be found on CD 2 of RHEL 5.
3. Disable SELinux
   a) Check if SELinux is disabled by running: getenforce
   b) If SELinux is enabled, disable it by setting SELINUX=disabled in the /etc/selinux/config file and rebooting the machine.
Note - Cross-platform High Availability is supported if all of the platforms are SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).
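A preflight check for the three preparation steps above, as an added example that is not part of the Check Point release notes: it compares package names literally instead of as a grep pattern, and reports both the running SELinux state and the boot-time setting, because editing the config file has no effect until the reboot. The function names, output tags and the --live switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight for the RHEL 5 preparation steps (not Check Point code).
# Package names and the SELINUX=disabled requirement come from the release notes;
# function names, output tags and the --live switch are assumptions of this example.

REQUIRED_PKGS="sharutils-4.6.1-2 compat-libstdc++-33-3.2.3-61"

# has_pkg NVR -- reads an `rpm -qa` listing on stdin; succeeds if a line is
# exactly NVR, or NVR followed by ".arch". A literal prefix comparison avoids
# treating '.' and '+' as pattern characters and rejects "...-20" for "...-2".
has_pkg() {
    awk -v want="$1" '
        index($0, want) == 1 {
            rest = substr($0, length(want) + 1)
            if (rest == "" || substr(rest, 1, 1) == ".") found = 1
        }
        END { exit !found }'
}

# selinux_boot_state FILE -- prints the last uncommented SELINUX= value, lowercased.
# SELINUXTYPE= lines and commented-out "# SELINUX=" lines do not match.
selinux_boot_state() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# preflight RPM_LIST_FILE GETENFORCE_OUTPUT SELINUX_CONFIG
# Prints one line per unmet requirement; no output means the host is prepared.
preflight() {
    for pkg in $REQUIRED_PKGS; do
        has_pkg "$pkg" < "$1" || echo "MISSING_PKG $pkg"
    done
    # getenforce prints Enforcing, Permissive or Disabled (the running state).
    [ "$2" = "Disabled" ] || echo "SELINUX_RUNTIME $2"
    # The config file decides the state after the next boot.
    boot=$(selinux_boot_state "$3")
    [ "$boot" = "disabled" ] || echo "SELINUX_CONFIG ${boot:-unset}"
}

# Run against the local machine only when asked to.
if [ "${1:-}" = "--live" ]; then
    list=$(mktemp) || exit 2
    rpm -qa > "$list"
    problems=$(preflight "$list" "$(getenforce)" /etc/selinux/config)
    rm -f "$list"
    if [ -n "$problems" ]; then
        echo "$problems"
        exit 1
    fi
    echo "ready for installation"
fi
```

A SELINUX_RUNTIME line without a SELINUX_CONFIG line means the config file has been edited but the machine has not yet been rebooted.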
Microsoft Windows
Security Management and Gateways are supported on Windows Server 2003 and Windows Server 2008 32-bit only (see Management Products by Platform ("Supported Security Products by Platform" on page 13)). Windows Server 2000 is not supported. High Availability Legacy mode is not supported on Windows Server 2003.
Note - Cross-platform High Availability is supported if all of the platforms are SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).
Solaris
Security Management Server and Multi-Domain Security Management are supported with Solaris running on UltraSPARC 64-bit platforms (see Management Products by Platform ("Supported Security Products by Platform" on page 13)). R71 Security Gateways are not supported on Solaris.
Required Packages
SUNWlibC
SUNWlibCx (except Solaris 10)
SUNWter
SUNWadmc
SUNWadmfw
Required Patches
The patches listed below are required to run Check Point software on Solaris platforms. They can be downloaded from http://sunsolve.sun.com.
To display your current patch level, use the command: showrev -p | grep <patch number>
Platform Solaris 8 Required 108528-18 Recommended Notes If the patches 108528-17 and 113652-01 are installed, remove 113652-01, and then install 108528-18.
110380-03
Required only for 32 bit systems Required only for 64 bit systems 109147-40 or higher
Solaris 9
112233-12 112902-07 116561-03 Only if dmfe(7D) Ethernet driver is defined on the machine 112963-25 or higher
Solaris 10
117461-08 or higher
We recommend that you install Multi-Domain Security Management on Sun M-Series servers. We do not recommend that you install Multi-Domain Security Management on Sun T-Series servers.
Note - Cross-platform High Availability is supported if all of the platforms are SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).
IPSO: 1024
Windows: 32
Intel Pentium Intel Pentium Processor Sun Processor E2140 E2140 or 2 GHz UltraSPARC IV or 2 GHz equivalent processor and higher equivalent processor 1.4GB 10GB (installation includes OS) 1GB Yes (bootable) One or more 1GB
Optical Drive
Yes
Yes
Performance Pack
The recommended platform configuration for Performance Pack is a computer with a Quad-Core Intel Xeon Processor 5xxx with 6GB RAM, or more.
Check Point appliances with this configuration: Power-1 11000 Series
Examples of open servers with these configurations:
HP ProLiant DL-360 G6
HP ProLiant DL-380 G6
Dell PowerEdge R610
Dell PowerEdge R710
IBM System x3550 M2
IBM System x3650 M2
SmartEvent is not supported on Solaris platforms.
Note - To optimize SmartEvent performance:
Use the fastest disk available with the highest RPM, and a large buffer size.
Increase the machine's memory.
Solaris
80MB
80MB
100GB (60GB for 60GB (40GB for database, 40GB for temp database, 20GB for temp directory) directory) Yes Yes
CD-ROM Drive
Yes
SecureClient Requirements
For SecureClient Requirements, see the SecureClient NGX R66 Release Notes (http://downloads.checkpoint.com/dc/download.htm?ID=8371).
Known Limitations
Known Limitations for R71 are in sk41909 (http://supportcontent.checkpoint.com/solutions?id=sk41909).