R71

Release Notes

12 August 2011

Classification: [Public]

 2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information
Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=10330 For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
Date 12 August 2011 6 October 2010 Description Removed R70.30 from upgrade path Added note that upgrading from R70.40 is not supported ("Supported Management and gateway Upgrade Paths" on page 16) Added limitation notes for Sun T-series servers and cross-platform High Availability with Windows platforms First release of this document

8 June 2010

25 April 2010

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on R71 Release Notes ).

Contents
Important Information .............................................................................................3 What's New in R71 ..................................................................................................6 New Terms .......................................................................................................... 7 Included in this Release .........................................................................................7 Data Loss Prevention Software Blade ................................................................. 7 Mobile Access Software Blade ............................................................................ 7 UTM Service Performance Boost ........................................................................ 8 Integrated Management Blade for IPS-1.............................................................. 8 IPSec VPN Enhancements .................................................................................. 8 SmartEvent (formerly Eventia) Enhancements .................................................... 9 Improved Multi-Domain Security Management Import and Export ....................... 9 New SmartLSM Clustering .................................................................................. 9 Security Management Enhancements ................................................................. 9 Security Management Servers with Dynamic IPs ............................................ 9 Firewall Rule Expiration .................................................................................10 Automatic Deletion of Old Database Versions................................................10 Object Management Improvements ...............................................................10 Other Security Management Enhancements ..................................................10 Check Point Appliance Enhancements ...............................................................10 Jumbo Frames Support for Power-1 ..............................................................10 Hardware Health Monitoring for Smart-1 ........................................................10 Supported Products .............................................................................................11 Software Licensing .............................................................................................11 Enforcement of IPS Software Blade Licenses ................................................11 Build Numbers ....................................................................................................11 Supported Security Products by Platform ...........................................................13 Security Software Containers by Platform ......................................................13 Security Gateway Software Blades by Platform .............................................14 Security Management Software Blades by Platform.......................................15 Dedicated Gateways ......................................................................................15 Clients and Consoles by Windows Platform .......................................................16 Supported Upgrade Paths and Interoperability ...................................................16 Supported Management and gateway Upgrade Paths ...................................16 Backward Compatibility For Gateways ...........................................................17 IPS-1 Upgrade Paths and Interoperability ......................................................17 Upgrade Notes...............................................................................................17 HFAs Included in this Release .............................................................................17 Platform Requirements ........................................................................................18 SecurePlatform...................................................................................................18 IPSO ..................................................................................................................18 Linux ..................................................................................................................18 Microsoft Windows .............................................................................................19 Solaris ................................................................................................................19 Maximum Number of Interfaces Supported by Platform ......................................20 Minimum System Requirements ..........................................................................21 Security Gateway Hardware Requirements ........................................................21 Security Management Hardware Requirements .................................................22 SmartConsole and SmartDomain Manager Hardware Requirements .................22 Multi-Domain Security Management Requirements ............................................23 Multi-Domain Security Management Resource Consumption ........................23 Performance Pack ..............................................................................................23 VSX Gateway Hardware Requirements ..............................................................24

SmartEvent (formerly Eventia Analyzer) Requirements ......................................24 SmartReporter (formerly Eventia Reporter) Requirements .................................24 Optimizing SmartReporter Performance ........................................................25 SecureClient Requirements ................................................................................25 Endpoint Security Requirements ........................................................................25 Known Limitations ................................................................................................25

New Terms

What's New in R71

Check Point R71 is based on the Software Blades Architecture.

Data Loss Prevention Software Blade

Check Point Revolutionizes the DLP Market by moving from Detection to Prevention of Data Loss Incidents. Prevents loss of critical business information. Combines technology and processes to make DLP work. Easy deployment for immediate data loss prevention.

SSL VPN Software Blade

New integrated SSL VPN Software Blade secures remote workers anywhere, while delivering flexible, easy-to-use, and layered protection. Lower the cost and complexity of managing remote access by simply adding the SSL VPN blade to your existing Check Point gateway. Increase productivity with easy Web-based remote access. Raise network and remote endpoint security levels with multi-layered protection allowing services such as IPS and Anti-Virus for remote access connections.

Raising the Bar on UTM-1 Appliances & UTM Features Performance

UTM-1 appliances provide enhanced Firewall & IPS performance featuring patented SecureXL Technology available at no extra cost: Up to 4 times Firewall Throughput improvement. Up to 3 times IPS Throughput improvement. Up to 4 times connection/sec rate improvement.

New Streaming architecture available with Anti-Virus & URL Filtering Software Blades provides performance boost for UTM features: Up to 15 times Anti-Virus Throughput improvement. Up to 80 times Anti-Virus & URL Filtering connection capacity improvement.

IPS Manageability
IPS-1 Sensors can now be managed from Security Management server / Provider-1. Update IPS Protections automatically according to a pre-defined schedule.

Management Enhancements
Various improvements in the Management Blades deployment (for example, the ability to install a Security Management server on Windows with DHCP), usability enhancements, and new features (such as Firewall Rule Expiration).

IPSec VPN Enhancements

Continuing Check Point leadership in Enterprise class VPN solutions, this release includes multiple enhancements important for large network configurations and for customers interested in new VPN standards (such as IKEv2).

What's New in R71

Page 6

New Terms

New Terms
The following product and technology names have changed for this version. Name Before R71 Eventia Analyzer Eventia Reporter IPS Event Analysis Name Starting with R71 SmartEvent SmartReporter SmartEvent Intro

Included in this Release

Data Loss Prevention Software Blade
Data Loss Prevention (DLP) is an innovative solution for practical data loss prevention:

Prevents data leakage of critical business information

Stops users from sending or uploading sensitive information outside of the organization. Network-based solution prevents breach of corporate data sharing policies intentional or unintentional. Provides easy compliance with data protection standards (such as PCI-DSS, HIPPA, GLBA, SOX).

Combines technology and processes to make DLP work

Innovative MultiSpect decisions. New UserCheck
TM TM

data classification engine combines users, content and process into accurate

technology empowers users to remediate incidents in real time.

Self-educating system Does not require IT/security personnel for incident handling, while educating the users on proper data sharing policies.

Easy deployment for immediate data loss prevention

Implement a preventative DLP solution on your existing gateway in less than one day. Leverage over 250 pre-defined policies to create your own policy without the need for costly professional services. Get better control and auditing capabilities with centralized security management.

For more information about Data Loss Prevention, see the R71 DLP Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=10774).

Mobile Access Software Blade

New integrated Mobile Access Software Blade secures remote workers anywhere, while delivering flexible, ease-to-use and layered protection.

Lower the cost and complexity of managing remote access

Efficiently manage and protect your existing investment with the simple add-on remote access blade. Eliminate the need to acquire dedicated gateways, clients, or third party authentication. Set up in just two steps and easily administrate from a unified intuitive interface.

Included in this Release

Page 7

UTM Service Performance Boost

Increase productivity with easy Web-based remote access

Minimize user interruption for a large range of applications. Easily sign in with built-in Single-Sign-On (SSO) Gain immediate secure access for a large user base during a disaster.

Raise network and remote endpoint security levels with multi-layered protection
Ensures in-depth security with integrated IPS, Anti-Virus and Anti-Malware. Easily control and manage remote access for a range of users: employees, partners, and contractors. Secure and minimize risk from known and unknown endpoints with a variety of protections.

For more information, see the R71 SSL VPN Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10322).

UTM Service Performance Boost

Check Point R71 offers a dramatic increase to the performance of both the Anti-Virus (AV) and URL Filtering software service blades. The Check Point AV blade offers a new AV detection mode, Stream Detection Mode. With this mode, which uses frequently updated state-of-the-art virus signatures, Anti-Virus performance is significantly improved because traffic is scanned for viruses without storing entire files. The Check Point URL Filtering Blade offers significant performance improvements. Connections are now handled in kernel space and not folded into the Security Servers. URL Filtering performance figures are significantly improved, as traffic is not interrupted while resolving the URL Filtering category.

Integrated Management Blade for IPS-1

Check Point R71 provides central management for IPS that lets you: Manage R71 IPS-1 sensors using SmartConsole applications such as SmartDashboard Manage IPS-1 Protections with an IPS policy Improve performance for IPS protection management Install an IPS Policy specifically tuned for IPS-1 protections Update IPS protections according to a defined schedule

IPSec VPN Enhancements

Load Sharing Mode for VPN Traffic Enables distributing VPN traffic among the available links between local and peer gateways. Service Based Link Selection Provides the ability to use different links for services that require different level of QoS. Administrators control outgoing VPN traffic and bandwidth use by assigning a service or a group of services to a specific interface for outgoing VPN routing decisions. Links availability and backup links are fully supported. Trusted Links Ability to define an interface as trusted for VPN traffic, where encryption is not required. Traffic routed through this interface is sent in the clear. A trusted link is handled the same as any other VPN link, thus enabling mixed MPLS/Internet environments.

Included in this Release

Page 8

SmartEvent (formerly Eventia) Enhancements

IKEv2 IKEv2 Protocol is now available for VPN. Enhanced Protection against IKE DOS attacks New configuration exists for protection against IKE DOS attacks by authenticated peers. Multiple Certificates Per Certificate Authority (CA) Multiple signing certificates for a CA enable the administrator to expire a CA Certificate which invalidates all certificates signed by this CA, alleviating the need for coordinating long Certificate Revocation Lists (CRLs). Multicast IPSec A Multicast VPN solution that efficiently send multicast data through designated sender gateways (by VPN) to hosts behind multiple listener gateways.

SmartEvent (formerly Eventia) Enhancements

Improved performance in the event correlation engine dramatically increases log correlation capacity. Pre-defined event timelines, queries and rules for the DLP blade. SmartEvent Intro for DLP provides centralized, real-time, security event correlation and management for the DLP blade.

Improved Multi-Domain Security Management Import and Export

Multi-Domain Security Management now supports the export and import of a whole MDS machine, Improved export and import of single CMA For more information, see the R71 Installation and Upgrade Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10327).

New SmartLSM Clustering

SmartLSM Profile Security Clusters can now manage fully synchronized Check Point clusters. For more information, see the R71 SmartProvisioning Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10317).

Security Management Enhancements

Security Management Servers with Dynamic IPs
You can now install and use a Security Management Server on a Windows machine with a DHCP interface. See the R71 Security Management Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10315) for more information.

Included in this Release

Page 9

Check Point Appliance Enhancements

Firewall Rule Expiration

Rules in the Security Rule Base can now be made "temporary" by adding a time limit. The firewall rule is enforced over a specific time period. The new time period settings are part of the Time Properties object of each rule, with Activate On and Expire On fields for granular control. In addition: In SmartDashboard, Temporary Rules and Expired rules are marked by new clocked-shaped icons. Rule expiration can be added to existing rules, or created as an independent object and applied to multiple rules. New filtering options enable you to quickly find in the SmartDashboard Security Rule Base all temporary rules, or only those rules that have expired.

Automatic Deletion of Old Database Versions

In the Database Revision Control window, you can now configure one of four options to automatically delete database versions. This feature comes with the ability to specify that a certain version should never be automatically deleted. SmartWorkflow versions are not affected by this feature. They are neither counted nor deleted.

Object Management Improvements

Light filtering and undocking the Objects List Filtering objects by any of the fields displayed in the Objects List Filtering objects on the fly while typing the text Easy switching between the object types: Network Objects, Services, Users, etc. Undocking the Objects List view

New-style object selectors in SmartDashboard - additional details appear for each object and filtering capabilities have been added. New-style editor for the Groups properties - additional details appear for each group member, filtering capabilities have been added and the window can now be resized. Grouping selected objects in SmartDashboard - it is possible to create a group by selecting objects in the Rule Base, Objects Tree and Objects List.

Other Security Management Enhancements

Default access mode configuration for SmartDashboard - administrators can now configure the default mode (Read Only / Read Write) when accessing the Security Management server with SmartDashboard. SmartView Tracker queries by username - administrators can specify whether the text in the filter will be case-sensitive or not.

Check Point Appliance Enhancements

Jumbo Frames Support for Power-1
Power-1 appliances now support "Jumbo Frames," which are Ethernet packets larger than 1500 bytes. To utilize jumbo frames, use the Web User Interface or sysconfig to configure the required MTU for the network interface.

Hardware Health Monitoring for Smart-1

Sensors monitor fan speed, motherboard voltages and temperatures on the Smart-1 hardware. The information is available via SNMP and the SecurePlatform Web interface.

Included in this Release

Page 10

Software Licensing

For more information, see Hardware Health Monitoring in the R71 SecurePlatform Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10313).

Supported Products
In This Section Software Licensing Build Numbers Supported Security Products by Platform Clients and Consoles by Windows Platform Supported Upgrade Paths and Interoperability 11 11 13 16 16

Software Licensing
From version R71, customers are required to use Software Blade licenses. If you have not yet migrated to Software Blade licenses, follow the migration options from Check Points website (http://www.checkpoint.com/products/promo/software-blades/upgrade/index.html). From R71, the software license enforcement module checks that users have current Software Blade Licensing. Users that have installed R71 software using NGX based licenses and not Software Blade licenses, will receive warnings on the Security Gateways and SmartDashboard.

Enforcement of IPS Software Blade Licenses

Security Gateways with IPS Software Blades need to be under a valid IPS contract that has to be renewed annually. To manage your contracts go to your UserCenter account or contact your reseller. Indications and notifications that IPS service contracts are expiring will appear in multiple locations, including the overview window of IPS in the SmartDashboard, SmartUpdate, and in the product reports of the customers Check Point UserCenter account. If an IPS service contract has expired and the contract has not been renewed, the blade will remain operational with a signature set that was included in the GA of R70 (Q1/2009). Renew the IPS service contract to retrieve a full and updated signature set.

For more information about the IPS contract enforcement, refer to sk44175 (http://supportcontent.checkpoint.com/solutions?id=sk44175).

Build Numbers
The following table lists all R71 software products available, and the build numbers as they are distributed on the product CD. To verify each products build number, use the given command format or direction within the GUI. All build numbers are subject to change. Software Blade / Product Security Gateway Build Number Linux & IPSO > 394 Win & Solaris > 389 Security Management SmartConsole Applications Build 142 Build 976000482 fwm ver Help > About Check Point <product name> Verifying Build Number. fw ver

Supported Products

Page 11

Build Numbers

Software Blade / Product SSL VPN Multi-Domain Security Management Multi-Domain Server (MDS) Multi-Domain Security Management Multi-Domain GUI (MDG) SecurePlatform Infrastructure (SVN Foundation) Acceleration (Performance Pack) Advanced Networking (QoS) Advanced Networking (Routing) Monitoring (SVM Server) Management Portal

Build Number Build 273 Build 124

Verifying Build Number. cvpn_ver fwm mds ver

Build 976000126_1

Help > About Check Point Provider-1

Build 133 Build 416

ver cpshared_ver

Build 043

sim ver -k

Build 026

fgate ver

ngc2.3

gated -ver

Build 028

rtm ver

Build 976000028

cpvinfo /opt/CPportalR71/portal/bin/smartportalstart cpsemd ver SVRServer ver dtps ver

SmartEvent SmartReporter Endpoint Policy Server (SecureClient Policy Server) SecuRemote/SecureClient UTM-1 Edge Firmware Endpoint Security Client Flex/Agent Endpoint Security Server Compatibility Packages CPNGXCMP-R71-00 CPV40Cmp-R71-00 CPEdgecmp-R71-00 CPCON66CMP-R71-00 CPCON62CMP-R71-00

Build 073 Build 266 Build 015

Build 019 8.0.36 7.6.123

Help > About Displayed on the default portal page Right-click the System Tray icon and select About About

7.50.552.000

Build 015 Build 666 976000013 Build 1 Build 571

/opt/CPNGXCMP-R71/bin/fw_loader ver /opt/CPV40Cmp-R71/bin/fw_loader ver /opt/CPEdgecmp-R71/bin/fw ver /opt/CPCON66CMP-R71/bin/fw_loader ver /opt/CPCON62CMP-R71/bin/fw_loader ver

Supported Products

Page 12

Supported Security Products by Platform

Supported Security Products by Platform

These tables show the security products related to this release and on which platforms they are supported.

Security Software Containers by Platform

Software Blade Platform and Operating System Check Point Secure Platform IPSO 6.2 Diskbased + IPSO 6.2 Flashbased Windows Server 2003/2008 (SP1-2) 32bit + Linux RHEL 5.0 RHEL 5.4 kernel 2.6.18 32bit + Crossbeam Solaris X-series UltraSPARC 8, 9, 10 +

Security Management Security Gateway

+ +

+ +

Multi-Domain + Security Management MDS

Note - We recommend that you install Multi-Domain Security Management on Sun M-Series servers. We do not recommend that you install Multi-Domain Security Management on Sun T-Series servers.

Supported Products

Page 13

Supported Security Products by Platform

Security Gateway Software Blades by Platform

Software Blade Platform and Operating System Check Point Secure Platform IPSO 6.2 Diskbased + + + IPSO 6.2 Flashbased + + + Windows Server 2003/ 2008 (SP12) 32bit + + + Linux RHEL 5.0 RHEL 5.4 kernel 2.6.18 32bit Crossbeam Solaris X-series UltraSPARC 8, 9, 10

Firewall IPSec VPN IPS SSL VPN DLP Anti-Virus & Anti-Malware URL Filtering Anti-Spam & Email Security Web Security Advanced Networking Acceleration & Clustering (1)

+ + + + + +

+ + +

+ +

+ +

(2)

(3)

Notes 1. The maximum number of supported cluster members in ClusterXL mode is five; in thirdparty mode the maximum is eight. 2. Only Clustering is supported in Windows. Acceleration is not supported. 3. Only third-party clustering is supported.

Supported Products

Page 14

Supported Security Products by Platform

Security Management Software Blades by Platform

Software Blade Platform and Operating System Check Point Secure Platform IPSO 6.2 Diskbased + IPSO 6.2 Flashbased Windows Server 2003/2008 (SP1-2) 32bit + Linux RHEL 5.0 RHEL 5.4 kernel 2.6.18 32bit + Crossbeam Solaris X-series UltraSPARC 8, 9, 10 +

Network Policy Management Endpoint Policy Management Logging & Status Monitoring

+ 2003 only + + + + + + + + + + + + + +

+ +

SmartProvisioning + Management Portal (*) User Directory SmartWorkflow SmartEvent SmartReporter +

+ + + +

+ + + +

+ + + +

+ +

*Note - Management Portal is supported on the following Web browsers: Internet Explorer 6 and 7, and Mozilla Firefox 1.5 - 3.0

Dedicated Gateways
IPS-1, DLP-1, and VSX-1 are only supported on SecurePlatform. VPN-1 Power VSX is supported on SecurePlatform, IPSO 5, and Crossbeam X-series. For more details regarding IPSO models, see the VPN-1 Power VSX NGX R65 on IPSO 5.0 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=10674 ).

Supported Products

Page 15

Clients and Consoles by Windows Platform

Clients and Consoles by Windows Platform

Check Point Product XP Pro (SP3) + XP Home (SP3) + Server 2003 (SP1-2) 32 bit + Vista Vista Server (SP1) (SP1) 2008 32-bit 64-bit (SP1-2) 32 bit + + Windows 7 Ultimate & Enterprise 32bit + (except SmartEvent, SmartReporter, and IPS Event Analysis) + + + + + Windows 7 Ultimate & Enterprise 64-bit

SmartConsole

Provider-1 MDG SecureClient SSL Network Extender Endpoint Security Client Endpoint Connect Client DLP UserCheck
TM

+ + +

+ + +

+ + +

Supported Upgrade Paths and Interoperability

R71 supports upgrading from lower software versions and management of lower Security Gateway versions.

Supported Management and gateway Upgrade Paths

You can upgrade these Security Management server and Security Gateway versions R71: NGX R65 NGX R65 for SPLAT 2.6 NGX R65 for IPSO 6.0 NGX R65 Connectra NGX R66 Plug-in NGX R65 with Messaging Security NGX R65 VSX NGX R65 Management Plug-in NGX R65.3 NGX R65 UTM-1/Power-1 R70 UTM-1/Power-1/Smart-1 R70, R70.1, R70.20 Important - To upgrade from R70.40 to R71.20, refer to sk59481 (http://supportcontent.checkpoint.com/solutions?id=sk59481).

Supported Products

Page 16

Supported Upgrade Paths and Interoperability

Backward Compatibility For Gateways

R71 Security Management server supports the following gateway versions: Release Security Gateway VSX Connectra UTM-1 Edge GX Version NGX R62, NGX R65, R70, R70.1, R70.20 VSX NGX R65, VSX NGX R67 Centrally Managed NGX R62 and R66 7.5.x and above 4.0

Note - R71 cannot manage gateway versions before NGX R62.

IPS-1 Upgrade Paths and Interoperability

R71 Security Management servers can only manage R71 IPS-1 Sensors. To upgrade pre-R71 IPS-1 Sensors, re-install. See the R71 Installation and Upgrade Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10327).

Upgrade Notes
To upgrade Check Point Suite Products before version NGX R65 to R71, you must first upgrade to NGX R65 and then to R71. NGX R65.4 cannot be upgraded to R71. When upgrading NGX R65, only the following plug-ins may be present: Connectra, SmartProvisioning, VSX, and Messaging Security. The presence of any other plug-in will cause the upgrade process to fail. Important - If you upgrade from NGX R65 with plug-ins to R71, and later want to uninstall R71 (rollback to NGX R65), follow the instructions in sk37252 (http://supportcontent.checkpoint.com/solutions?id=sk37252) to avoid potential problems. It is recommended to read the list of Known Limitations, published in sk41909 (http://supportcontent.checkpoint.com/solutions?id=sk41909), prior to any upgrade procedure.

HFAs Included in this Release

This release includes fixes and improvements that were initially distributed as part of R70.20 (including NGX R65 Hotfix Accumulator (HFA) R65_HFA_60). See R70.20 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=10515) See VPN-1 NGX R65 HFA 60 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=10306) See Provider-1 NGX R65 HFA 60 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=10307)

HFAs Included in this Release

Page 17

SecurePlatform

Platform Requirements
In This Section SecurePlatform IPSO Linux Microsoft Windows Solaris Maximum Number of Interfaces Supported by Platform 18 18 18 19 19 20

SecurePlatform
This release is shipped with the latest SecurePlatform operating system, which supports a variety of hardware, including open servers and network interface cards. Note - Cross-platform High Availability is supported if all of the platforms are SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris). See the list of certified hardware (http://www.checkpoint.com/services/techsupport/hcl/index.html ) before installing SecurePlatform on the target hardware.

IPSO
When installing this release on IPSO: Advanced Routing and SecureXL are included by default. Clustering on IPSO supports VRRP and IP Clustering. UTM-1 Edge devices cannot be managed from a Security Management server running on IPSO. All available configurations (Disk-based, Flash-based and Hybrid) of currently available IP Series platforms are supported. This release supports IPSO 6.2 This release does not support IPSO 6.0.7

Linux
This release supports Red Hat Enterprise Linux 5.0 and 5.4 for specific management products only. Before installing a Check Point management product on Red Hat Enterprise Linux 5, perform the following steps.

To prepare Red Hat Enterprise Linux 5.0 or 5.4 for Check Point management installation:
1. Install the sharutils-4.6.1-2 package a) Check if you have the sharutils-4.6.1-2 package installed by running: rpm -qa | grep sharutils-4.6.1-2 b) If the package is not already installed, install it by running: rpm i sharutils-4.6.1-2.i386.rpm This package can be found on CD 3 of RHEL 5.

Platform Requirements

Page 18

Microsoft Windows

2. Install the compat-libstdc++-33-3.2.3-61 package a) Check if you have the compat-libstdc++-33-3.2.3-61 package by running: rpm qa | grep compat-libstdc++-33-3.2.3-61 b) If the package is not already installed, install it by running: rpm i compat-libstdc++-33-3.2.3-61.i386.rpm This package can be found on CD 2 of RHEL 5. 3. Disable SeLinux a) Check if SeLinux is disabled by running: getenforce b) If SeLinux is enabled, disable it by setting SELINUX=disabled in the /etc/selinux/config file and rebooting the machine. Note - Cross-platform High Availability is supported if all of the platforms are SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).

Microsoft Windows
Security Management and Gateways are supported on Windows Server 2003 and Windows Server 2008 32-bit only (see Management Products by Platform ("Supported Security Products by Platform" on page 13)). Windows Server 2000 is not supported. High Availability Legacy mode is not supported on Windows Server 2003.

Note - Cross-platform High Availability is supported if all of the platforms are SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).

Solaris
Security Management Server and Multi-Domain Security Management are supported with Solaris running on UltraSPARC 64-bit platforms (see Management Products by Platform ("Supported Security Products by Platform" on page 13)). R71 Security Gateways are not supported on Solaris.

Required Packages
SUNWlibC SUNWlibCx (except Solaris 10) SUNWter SUNWadmc SUNWadmfw

Required Patches
The patches listed below are required to run Check Point software on Solaris platforms. They can be downloaded from: http://sunsolve.sun.com (http://sunsolve.sun.com). To display your current patch level, use the command: showrev -p | grep <patch number> Platform Solaris 8 Required 108528-18 Recommended Notes If the patches 108528-17 and 113652-01 are installed, remove 113652-01, and then install 108528-18.

110380-03

Platform Requirements

Page 19

Maximum Number of Interfaces Supported by Platform

Platform

Required 109147-18 109326-07 108434-01 108435-01

Recommended

Notes

Required only for 32 bit systems Required only for 64 bit systems 109147-40 or higher

Solaris 9

112233-12 112902-07 116561-03 Only if dmfe(7D) Ethernet driver is defined on the machine 112963-25 or higher

Solaris 10

117461-08 or higher

We recommend that you install MultiDomain Security Management on Sun MSeries servers. We do not recommend that you install Multi-Domain Security Management on Sun T-Series servers.

Note - Cross-platform High Availability is supported if all of the platforms are SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).

Maximum Number of Interfaces Supported by Platform

The maximum number of interfaces supported (physical and virtual) is shown by platform in the following table. Platform SecurePlatform Max Number of Interfaces 1015 Notes 1. SecurePlatform supports 255 virtual interfaces per physical interface. 2. When using Dynamic Routing on SecurePlatform, 200 virtual interfaces per physical interface are supported.

IPSO Windows

1024 32

Platform Requirements

Page 20

Security Gateway Hardware Requirements

Minimum System Requirements

In This Section Security Gateway Hardware Requirements Security Management Hardware Requirements SmartConsole and SmartDomain Manager Hardware Requirements Multi-Domain Security Management Requirements Performance Pack VSX Gateway Hardware Requirements SmartEvent (formerly Eventia Analyzer) Requirements SmartReporter (formerly Eventia Reporter) Requirements SecureClient Requirements Endpoint Security Requirements For SecureClient Requirements, see the SecureClient NGX R66 Release Notes (http://downloads.checkpoint.com/dc/download.htm?ID=8371). For Endpoint Security Server and Client requirements, see the Endpoint Security R73 HFA1 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=11547). 21 22 22 23 23 24 24 24 25 25

Security Gateway Hardware Requirements

For open servers:
Component Processor Windows Intel Pentium IV or 1.5 GHz equivalent Free Disk Space Memory Optical Drive Network Adapter 1GB 512MB Yes One or more SecurePlatform on Open Servers Intel Pentium IV or 2 GHz equivalent 10GB 512MB Yes Linux Intel Pentium IV or 2 GHz equivalent 1.4GB 512MB Yes

One or more supported One or more cards

Minimum System Requirements

Page 21

Security Management Hardware Requirements

Security Management Hardware Requirements

For open servers:
Component Processor Windows Intel Pentium Processor E2140 or 2 GHz equivalent processor 1GB Linux SecurePlatform on Open Servers Solaris

Intel Pentium Intel Pentium Processor Sun Processor E2140 E2140 or 2 GHz UltraSPARC IV or 2 GHz equivalent processor and higher equivalent processor 1.4GB 10GB (installation includes OS) 1GB Yes (bootable) One or more 1GB

Free Disk Space

Memory Optical Drive Network Adapter

1GB Yes One or more

1GB Yes One or more

512MB Yes One or more

SmartConsole and SmartDomain Manager Hardware Requirements

This table shows the minimum hardware requirements for console applications, including: SmartDashboard, SmartView Tracker, SmartView Monitor, SmartProvisioning, SmartReporter, and SmartEvent, SecureClient Packaging Tool, SmartUpdate, and SmartDomain Manager. Component CPU Memory Disk Space Optical Drive Video Adapter Windows Intel Pentium Processor E2140 or 2 GHz equivalent processor 512MB 500MB Yes minimum resolution: 1024 x 768

Minimum System Requirements

Page 22

Multi-Domain Security Management Requirements

Multi-Domain Security Management Requirements

The minimum recommended system requirements for Multi-Domain Security Management are: Component CPU Linux Solaris SecurePlatform Intel Pentium Processor E2140 or 2 GHz equivalent processor 4GB 10GB (install includes OS) Yes (bootable) Intel Pentium Processor UltraSPARC III E2140 or 2 GHz 900MHz equivalent processor 4GB 2GB 4GB 2GB

Memory Disk Space

Optical Drive

Yes

Yes

Multi-Domain Security Management Resource Consumption

Actual disk space consumption depends on the scale of the deployment. The larger the deployment, the more disk space, memory, and CPU is required. The Multi-Domain Security Management disk space requirements are: For basic Multi-Domain Server installation: 800MB (mostly for /opt directory). For each Domain Management Server: 100MB (for the Domain Management Server directory located in /var/opt)

Performance Pack
The recommended platform configuration for Performance Pack a computer with a Quad-Core Intel Xeon Processor 5xxx with 6GB RAM, or more. Check Point appliances with this configuration: Power-1 11000 Series

Examples of open servers with these configurations: HP ProLiant DL-360 G6 HP ProLiant DL-380 G6 Dell PowerEdge R610 Dell PowerEdge R710 IBM System x3550 M2 IBM System x3650 M2

Minimum System Requirements

Page 23

VSX Gateway Hardware Requirements

VSX Gateway Hardware Requirements

Minimum system requirements recommended for optimal performance of a VSX gateway: Component Processor Memory Disk Space Optical Drive Network Interface Cards SecurePlatform Intel Pentium IV or 2 GHz equivalent processor 1GB 10GB Yes 3 (4 for VSX Clusters)

SmartEvent (formerly Eventia Analyzer) Requirements

SmartEvent can be installed on a Security Management server or on a dedicated machine. Component CPU Memory Disk Space Windows/Linux/SecurePlatform Intel Pentium IV 2.8 GHz 4GB 25GB

SmartEvent is not supported on Solaris platforms. Note - To optimize SmartEvent performance: Use the fastest disk available with the highest RPM, and a large buffer size. Increase the machine's memory.

SmartReporter (formerly Eventia Reporter) Requirements

The hardware requirements presented below are designed for a SmartReporter server that will process at least 15GB of logs per day and generate reports according to the performance numbers. For deployments that will generate fewer logs per day, a machine with less CPU or memory can be used. However, this may cause performance degradation. SmartReporter can be installed on a Security Management server or on a dedicated machine. Component CPU Memory Windows & Linux Minimum Intel Pentium IV 2.0 GHz 1GB Windows & Linux Recommended Dual CPU 3.0 GHz 2GB Solaris UltraSPARC III 900 MHz 1GB

Minimum System Requirements

Page 24

SecureClient Requirements

Component Disk Space Installation: Database:

Windows & Linux Minimum

Windows & Linux Recommended (on 2 physical disks)

Solaris

80MB 60GB (40GB for database, 20GB for temp directory)

80MB

80MB

100GB (60GB for 60GB (40GB for database, 40GB for temp database, 20GB for temp directory) directory) Yes Yes

CD-ROM Drive

Yes

Optimizing SmartReporter Performance

The following tips are recommended to optimize SmartReporter performance: Disable DNS resolution - consolidation performance may improve to 32GB of logs per day. Configure the network connection between the SmartReporter server and the Security Management or Log server to the optimal speed. Use the fastest disk available with the highest RPM (revolutions per minute) and a large buffer size. Use UpdateMySQLConfig to tune the database configuration and adjust the consolidation memory buffers to use the additional memory. Increase the machine's memory, as it significantly improves performance. Install an uninterruptible power supply (UPS) for the SmartReporter Server.

SecureClient Requirements
For SecureClient Requirements, see the SecureClient NGX R66 Release Notes (http://downloads.checkpoint.com/dc/download.htm?ID=8371).

Endpoint Security Requirements

For Endpoint Security Server and Client requirements, see the Endpoint Security R73 HFA1 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=11547).

Known Limitations
Known Limitations for R71 are in sk41909 (http://supportcontent.checkpoint.com/solutions?id=sk41909).

Known Limitations

Page 25