Release Notes
24 April 2013
Protected
2013 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=22933
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
For more about this release, see the R76 home page (http://supportcontent.checkpoint.com/solutions?id=sk91140).
Revision History
24 April 2013:
  Added Gaia open server system requirements for Security Management Server ("Security Management Open Server Hardware Requirements") and Multi-Domain Server ("Multi-Domain Security Management Requirements")
  R76 supports Crossbeam ("Other Platforms and Operating Systems")
06 March 2013:
  Added Bypass Card Support to New Appliance and Hardware Support
  Reformatted Security Gateway Software Blades ("Security Gateway Software Blades on Check Point OS") for clarity
  Added R70.50 to Compatibility with Gateways
27 February 2013:
  Updated IPv6 Support
  Updated Gaia Enhancements
  Updated Build Numbers
  Updated IPSO
  Updated Compatibility with Gateways
  Added Advanced Networking - Dynamic Routing to Important Notes on Security Gateway Software Blades ("Important Notes on Gateway Blades on Check Point Platforms")
  Improved formatting and document layout
24 February 2013:
  First release of this document
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on R76 Release Notes).
Contents
Important Information
Introduction
  Important Solutions
  Licensing
What's New
  IPv6 Support
  Check Point Mobile for iOS
  Mobile Access Enhancements
  DLP Enhancements
  New Appliance and Hardware Support
  Endpoint Security Blade
  Application and URL Filtering Enhancements
  SmartLog and SmartEvent
  Anti-Bot and Anti-Virus
  VPN
  DDoS/DoS Protection Enhancements
  More Software Blade Enhancements
  Gaia Enhancements
Build Numbers
System Requirements
  Check Point Appliance Naming Conventions
  Check Point Appliances
    Check Point Appliances in Virtual System Mode
    VPN Acceleration for Check Point 21000 Appliances with SAM Cards
  Check Point Operating Systems
  Other Platforms and Operating Systems
    Operating System Versions
  Appliance Hardware Health Monitoring
  Dedicated Gateways
  Platform Requirements
    Gaia
    SecurePlatform
    Linux
    IPSO
    Microsoft Windows
    Maximum Number of Interfaces Supported by Platform
    Security Management Open Server Hardware Requirements
    Multi-Domain Security Management Requirements
    Security Gateway Open Server Hardware Requirements
    Virtual System Open Server Hardware Requirements
    Maximum Number of Gateway Cluster Members
    Mobile Access Blade Requirements
    SmartLog Requirements
    SmartEvent Requirements
    SmartReporter Requirements
    Console Requirements
    UserCheck Client Requirements
    Legacy Hardware Platforms
  Security Management Software Blades
  Security Gateway Software Blades
    Security Gateway Software Blades on Check Point OS
    Important Notes on Gateway Blades on Check Point Platforms
    Security Gateway Software Blades on Other OS
    Important Notes on Gateway Blades on Microsoft Windows
  Security Gateway Bridge Mode
  Clients and Consoles by Windows Platform
  Clients and Consoles by Mac Platform
  Check Point GO Secure Portable Workspace
Upgrade Paths and Interoperability
  Upgrading to R76
  Supported Upgrade Paths
  Compatibility with Gateways
    61000 Security System Management
  Compatibility with Clients
  Updating IPS Patterns
Uninstalling
Introduction
Thank you for choosing Check Point R76. Please read this document carefully before installing.
Important Solutions
For more about R76 and to download the software, see the R76 Home Page (http://supportcontent.checkpoint.com/solutions?id=sk91140).
For a list of open issues, see the Known Limitations: sk91141 (http://supportcontent.checkpoint.com/solutions?id=sk91141).
For a list of fixes, see the Resolved Issues: sk91142 (http://supportcontent.checkpoint.com/solutions?id=sk91142).
Licensing
Important - Check Point software versions R75.10 or higher must have a valid Software Blades license. Users with NGX licenses cannot install the software. To migrate NGX licenses to Software Blades licenses, see Software Blade Migration (http://www.checkpoint.com/products/promo/software-blades/upgrade/index.html) or contact Account Services. If you manage GX gateways from a Security Management Server, you must regenerate your GX licenses in the User Center to be compliant with Software Blades. This procedure is optional for Multi-Domain Servers and Domain Management Servers.
If your service contract expired, IPS continues to operate using the R70 (Q1/2009) signature set. Renew your IPS service contract to download and use the current signature set.
What's New
New Features
  IPv6 Support
  Check Point Mobile for iOS
  Mobile Access Enhancements
  DLP Enhancements
  New Appliance and Hardware Support
  Endpoint Security Blade
  Application and URL Filtering Enhancements
  SmartLog and SmartEvent
  Anti-Bot and Anti-Virus
  VPN
  DDoS/DoS Protection Enhancements
  More Software Blade Enhancements
  Gaia Enhancements
IPv6 Support
R76 extended support for IPv6 includes:
Gaia operating system:
  Interface configuration
  SNMP
  RADIUS
  First Time Configuration Wizard
  OSPFv3
  BGP with multiprotocol extensions
  VRRPv3
Access Policy:
  Firewall support, including dynamic objects and time objects
  Full Stateful Inspection for IPv6 connections
  NAT66
Central Management:
  IPv6 support for all communications between Security Gateways, Security Management Servers, and SmartDashboard
  Dual-stack definition support for all network objects
  IPv6 address support in all IP containers
  Multiple IPv6 range support for objects
  IPv4 and IPv6 support in Get Topology
  Network Policy Management
  SmartView Monitor
  SmartEvent
  SmartLog
Security Gateway:
  Identity Awareness
  IPS, Application and URL Filtering, Acceleration & Clustering HA
  Anti-Bot and Anti-Virus
Virtual System (VSX) IPv6 support
Support for IPv6-only Security Gateway and IPv6-only Security Management Server
Site-to-Site IPsec VPN for fully meshed communities
Authentication - RADIUS and LDAP
UserCheck (for all Software Blades that support IPv6)
Note: Every fw command has a corresponding fw6 command for CLI control in IPv6.
Certificate management Mass distribution of client applications to users with UserCheck Email templates Unified, easy-to-read, comprehensive remote access login logs Mobile Access wizard for easy connection to Exchange server
DLP Enhancements
Fingerprinting: Protect files residing in network repositories. The gateway scans repositories and prevents files or parts of files from leaving the organization
Whitelist policy - easily define files that will not be matched by the DLP engine. Upload specific files to the Security Management server, or create a network repository
User Access Roles in DLP rule base
DLP email notifications to end-users for violations on all protocols
DLP is now fully user aware for all protocols
UserCheck client single sign on
UserCheck notification configuration and multi-language support
SMTP Mirror mode for easy DLP Proof of Concept
When the Endpoint Policy Management blade is enabled, the Security Management Server also becomes an E80.40 Endpoint Security Management Server that manages E80.40 and earlier Endpoint Security clients, with R76 SmartEndpoint.
Enhanced reporting:
VPN
AES performance enhancements for high end appliances (12400, 12600, and 21000 series): Increased Site to Site VPN and Remote Access throughput
HTTPS Inspection blacklist automatic updates
Increased session rate for Identity Awareness Captive Portal
Monitoring - Netflow service support to collect data on traffic patterns and volume
Gaia Enhancements
WebUI and CLI configuration for Multi-Queue and CoreXL
WebUI and CLI support for IPv6 addresses
RADIUS, SNMP, NTP and Proxy support for IPv6
Dynamic Routing protocol support for IPv6: OSPFv3 and BGP with multiprotocol extensions
VRRPv3 support for IPv6
Database engine optimization that improves administrative command performance by 80%
Extended support for maximum physical memory for open servers running Multi-Domain Security Management up to 128GB
Manage Proxy ARP entries
Manage the behavior of Core Dumps
Netflow support
Password policy
Multiple TACACS servers
Build Numbers
This table shows the R76 software products and their build numbers as included on the product DVD.
Software Blade / Product Gaia SecurePlatform Security Gateway IPSO 6.2 MR4 Security Management SmartConsole Applications Mobile Access Multi-Domain Server SmartDomain Manager Acceleration (Performance Pack) Advanced Networking (Routing) Build Number OS build 265 Build 468 Build 380 Build 83 Build 082 989000365 Build 217 Build 205 988000155 Build 259 Verifying Build Number* show version all ver fw ver show version fwm ver Help > About Check Point <Application name> cvpn_ver fwm mds ver Help > About Check Point SmartDomain Manager sim ver -k
rtm ver cpvinfo /opt/CPportalR76/portal/bin/smartportalstart SVRServer ver cpvinfo /opt/CPda/bin/DAService|grep 'Build number'
Compatibility Packages** CPNGXCMP-R76-00 CPV40VSCmp-R76-00 Build 006 986000007 /opt/CPNGXCMP-R76/bin/fw_loader ver cpvinfo /opt/CPV40CmpR76/bin/fw_loader | grep Build /opt/CPEdgecmp-R76/bin/fw ver /opt/CPR71CMP-R76/bin/fw_loader ver /opt/CPR75CMP-R76/bin/fw_loader ver /opt/CPSG80R75CMP-R7600/bin/fw_loader ver
* Some of the commands to see the installed build show only the last three digits of the build number. ** To see build numbers on Windows, look at C:\Program Files\CheckPoint\R76 instead of /opt/../R76
System Requirements
Important - Resource consumption is dependent on the scale of your deployment. The larger the deployment, the more disk space, memory, and CPU are required.
In This Section
  Check Point Appliance Naming Conventions
  Check Point Appliances
  Check Point Operating Systems
  Other Platforms and Operating Systems
  Appliance Hardware Health Monitoring
  Dedicated Gateways
  Platform Requirements
  Security Management Software Blades
  Security Gateway Software Blades
  Security Gateway Bridge Mode
  Clients and Consoles by Windows Platform
  Clients and Consoles by Mac Platform
  Check Point GO Secure Portable Workspace
* IP Appliances (IP150, IP280, IP290, IP390, IP560, IP690, IP1280, IP2450) can run R76 with IPSO 6.2 (MR4 and earlier MRs) or Gaia OS. IPSO systems are available in diskless flash-based and hybrid (flash-based systems with a supplemental hard disk for local logging). Gaia only supports disk-based IP-Systems. Standalone deployment is only supported on disk-based (IPSO or Gaia) systems. On Flash-based IPSO Appliances, 1G of RAM is sufficient to run Firewall, IPS, and VPN blades only. To activate more blades, 2G of RAM is required on IP290, IP390, and IP560 Flash-based Appliances.
VPN Acceleration for Check Point 21000 Appliances with SAM Cards
These algorithms are hardware accelerated by SAM cards:
  AES 128 with MD5
  AES 128 with SHA-1
  AES 256 with SHA-1
  AES 256 with MD5
  DES with MD5
  DES with SHA-1
  3DES with MD5
  3DES with SHA-1
  NULL with MD5
  NULL with SHA-1
UTM-1
(1)
Smart-1
(1)
1. Hardware sensors monitoring is supported on all UTM-1 models other than the xx50 series. 2. RAID Monitoring with SNMP is supported on Power-1 servers with RAID card (Power-1 9070 and Power-1 11070).
Open Servers
Hardware Sensors Monitoring: Use SNMP (polling and traps) or the WebUI to monitor hardware on IBM, HP, Dell, and Sun certified servers with an Intelligent Platform Management Interface (IPMI) card. The IPMI standard defines a set of interfaces to monitor system health. Note - IPMI is an open standard. We cannot guarantee the Hardware Health Monitoring performance on all systems and configurations. RAID Monitoring with SNMP: Use SNMP to monitor RAID on HP servers with HP Smart Array P400 Controller. The HP Smart Array P400i Controller is a different controller, not supported for hardware monitoring.
Dedicated Gateways
To install R76 on an R71 DLP-1 appliance or an R71 DLP open server, do a clean installation of R76. Note - To upgrade from DLP-1 9571 of version R71.x DLP, you must upgrade the BIOS. Then do a clean installation of R76. See sk62903 (http://supportcontent.checkpoint.com/solutions?id=sk62903) for details.
Platform Requirements
In This Section
  Gaia
  SecurePlatform
  Linux
  IPSO
  Microsoft Windows
  Maximum Number of Interfaces Supported by Platform
  Security Management Open Server Hardware Requirements
  Multi-Domain Security Management Requirements
  Security Gateway Open Server Hardware Requirements
  Virtual System Open Server Hardware Requirements
  Maximum Number of Gateway Cluster Members
  Mobile Access Blade Requirements
  SmartLog Requirements
  SmartEvent Requirements
  SmartReporter Requirements
  Console Requirements
  UserCheck Client Requirements
  Legacy Hardware Platforms
Gaia
This release is shipped with the Gaia operating system, which supports most Check Point appliance platforms, selected open servers, and selected network interface cards. If a 64-bit compatible open server has at least 6GB RAM, it can run in 64-bit mode. If it has less, it can run in 32-bit mode only. Gaia Open Servers - All open servers in the Hardware Compatibility List are supported (http://www.checkpoint.com/services/techsupport/hcl/all.html). Gaia and Performance Tuning - Performance Tuning is supported on all Gaia platforms.
Gaia on IP Appliances
Important - Gaia is not supported on Flash-Based or Hybrid platforms at this time.
IP Appliance Disk Based Platform    32-bit / 64-bit
IP150                               32
IP280                               32
IP290                               32
IP390                               32
IP560                               32
IP690                               32
IP1280                              32, 64
IP2450                              32, 64
64-bit is available on appliances with at least 4GB RAM. If the appliance is set to 32-bit, it needs at least 6GB to reconfigure to 64-bit.
Gaia WebUI
The Gaia WebUI (also known as the Gaia Portal) is supported on these browsers:
  Internet Explorer 8 or higher
  Chrome 14 or higher
  Firefox 6 or higher
  Safari 5 or higher
SecurePlatform
This release is shipped with the latest SecurePlatform operating system, which supports a variety of appliances and open servers. See the list of certified hardware (http://www.checkpoint.com/services/techsupport/hcl/index.html) before installing SecurePlatform on the target hardware.
Linux
Note - Cross-platform High Availability is not supported with a mix of Windows and non-Windows platforms.
Before you install Security Management on Red Hat Enterprise Linux 5:
1. Install the sharutils-4.6.1-2 package.
   a) Make sure that you have the sharutils-4.6.1-2 package installed by running: rpm -qa | grep sharutils-4.6.1-2
   b) If the package is not already installed, install it by running: rpm -i sharutils-4.6.1-2.i386.rpm
      This package can be found on CD 3 of RHEL 5.
2. Install the compat-libstdc++-33-3.2.3-61 package.
   a) Make sure that you have the compat-libstdc++-33-3.2.3-61 package by running: rpm -qa | grep compat-libstdc++-33-3.2.3-61
   b) If the package is not already installed, install it by running: rpm -i compat-libstdc++-33-3.2.3-61.i386.rpm
      This package can be found on CD 2 of RHEL 5.
3. Disable SELinux.
   a) Make sure that SELinux is disabled by running: getenforce
   b) If SELinux is enabled, disable it by setting SELINUX=disabled in the /etc/selinux/config file and rebooting the computer.
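A pre-flight check for the three Red Hat Enterprise Linux 5 prerequisites above, added here as an example (it is not part of the Check Point release notes). The function names and the sample package list are constructed for illustration; packages are matched exactly, because a plain grep for sharutils-4.6.1-2 also accepts a line such as sharutils-4.6.1-20.

```shell
#!/bin/sh
# Added example: pre-flight check for the RHEL 5 prerequisites in the steps above.
# Function names and sample data are constructed for illustration.

# Package name-version-release strings exactly as the release notes give them.
REQUIRED_PKGS="sharutils-4.6.1-2 compat-libstdc++-33-3.2.3-61"

# Constructed sample of `rpm -qa` output. Note the near-miss on the first line:
# a substring grep for sharutils-4.6.1-2 would accept it.
SAMPLE_RPM_QA='sharutils-4.6.1-20
compat-libstdc++-33-3.2.3-61
bash-3.2-24'

# has_pkg PKG LIST
# Succeeds if LIST (one package per line) has a line equal to PKG, or to PKG
# followed by ".<arch>" as printed by rpm versions that append the architecture.
has_pkg() {
    pkg=$1
    while IFS= read -r line; do
        case "$line" in
            "$pkg" | "$pkg".*) return 0 ;;
        esac
    done <<EOF
$2
EOF
    return 1
}

# preflight LIST MODE
# LIST is `rpm -qa` output, MODE is `getenforce` output.
# Prints one line per check and returns the number of failed checks.
preflight() {
    failures=0
    for p in $REQUIRED_PKGS; do
        if has_pkg "$p" "$1"; then
            echo "ok       package $p"
        else
            echo "missing  package $p"
            failures=$((failures + 1))
        fi
    done
    # getenforce prints Enforcing, Permissive or Disabled.
    if [ "$2" = "Disabled" ]; then
        echo "ok       SELinux mode $2"
    else
        echo "fail     SELinux mode $2 (the steps above require Disabled)"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Run against the live host only when asked to: sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    preflight "$(rpm -qa)" "$(getenforce)"
fi
```

The exit status is the number of failed checks, so 0 means all three prerequisites are met.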
IPSO
R76 is supported only on IPSO 6.2 MR4. For installation and upgrade instructions, see the IPSO 6.2 MR4 Release Notes (http://supportcenter.checkpoint.com/documentation_download?ID=23661).
Only clean installation of R76 is supported on IPSO flash-based models: IP290, IP390, IP560.
Features:
  Advanced Routing and SecureXL are included by default.
  IPSO supports VRRP and IP Clusters.
  All currently available IPSO platform types (Disk-based, Flash-based, and Hybrid) are supported.
Limitations:
  You cannot manage UTM-1 Edge devices from a Security Management Server on an IPSO platform.
Microsoft Windows
Note - Cross-platform High Availability is not supported with a mix of Windows and non-Windows platforms. High Availability Legacy mode is not supported on Windows.
32 64 4096 Includes VLANs and Warp Interfaces Includes VLANs and Warp Interfaces
Intel Pentium Processor E2140 or 2 GHz equivalent processor 1GB 1GB Yes One or more 1.4GB 1GB Yes One or more 10GB (installation includes OS) 1GB Yes (bootable) One or more
Intel Pentium Processor E2140 or 2 GHz equivalent processor 4GB 2GB Yes 4GB 10GB (install includes OS) Yes (bootable)
SmartLog Requirements
SmartLog collects log entries from Security Management Server and log servers that are R75.40 or higher, on Gaia, SecurePlatform, or Windows.
Component     Recommended
CPU           Intel Pentium IV 2.0 GHz
Memory        1GB
Disk Space    20GB
SmartEvent Requirements
You can install SmartEvent on a Security Management Server or on a different, dedicated computer. These are the requirements for the SmartEvent Server and for the SmartEvent Correlation Unit:
Component     Windows/Linux/SecurePlatform
CPU           Celeron-M 1.5 GHz
Memory        2GB
Disk Space    25GB
SmartReporter Requirements
These hardware requirements are for a SmartReporter server that monitors at least 15GB of logs each day and generates many reports. For deployments that monitor fewer logs, you can use a computer with less CPU or memory. SmartReporter can be installed on a Security Management Server or on a dedicated machine.
Component                            Windows & Linux Minimum                                  Windows & Linux Recommended
CPU                                  Intel Pentium IV 2.0 GHz                                 Dual CPU 3.0 GHz
Memory                               1GB                                                      2GB
Disk Space (on 2 physical disks)
  Installation:                      80MB                                                     80MB
  Database:                          60GB (40GB for database, 20GB for temp directory)        100GB (60GB for database, 40GB for temp directory)
DVD Drive                            Yes                                                      Yes
Install a disk with high RPM (revolutions per minute) and a large buffer size.
Use UpdateMySQLConfig to adjust the database configuration and adjust the consolidation memory buffers to use the additional memory.
Increase memory for better performance.
Console Requirements
This table shows the minimum hardware requirements for console applications: SmartDashboard, SmartView Tracker, SmartView Monitor, SmartProvisioning, SmartReporter, SmartEvent, SmartLog, SecureClient Packaging Tool, SmartUpdate, SmartDomain Manager.
Component               Windows
CPU                     Intel Pentium Processor E2140 or 2 GHz equivalent processor
Memory                  1024MB
Available Disk Space    900MB
Video Adapter           Minimum resolution: 1024 x 768
Blade DLP Anti-Bot and Anti-Virus Application Control and URL Filtering
Note: UserCheck is not supported on a Windows gateway. The UserCheck client is not compatible with Check Point GO or Secure Workspace. If a UserCheck client is installed on a machine and a violation occurs, the UserCheck client notification shows outside the Check Point GO or Secure Workspace environment. We recommend that you not install the UserCheck client on a machine that usually runs the Check Point GO or Secure Workspace environment. The UserCheck client is not supported on clusters in a load sharing environment.
Management Portal is supported on: Internet Explorer 7 and Firefox 1.5 - 3.0. SmartEvent on Windows Server 2008 is supported on 32-bit only.
Firewall Identity Awareness IPsec VPN IPS URL Filtering Application Control Advanced Networking - Dynamic Routing and Multicast Support Acceleration & Clustering Mobile Access Anti-Bot Anti-Virus Web Security Advanced Networking - QoS Data Loss Prevention Anti-Spam & Email Security
Endpoint Security VPN Remote Access Clients E75.x SSL Network Extender DLP UserCheck DLP Exchange Agent Identity Agent
* DLP Exchange Agent supports Exchange Server 2007 and Exchange Server 2010 on Windows Server 2003 64-bit (SP1-2) and Windows Server 2008 64-bit (SP1-2). A 32-bit version is available for demo or educational purposes.
Upgrading to R76
You can upgrade SecurePlatform and IPSO Security Management servers and Security Gateways to Gaia R76, for supported upgrade paths. Note: Upgrade is not supported in an ISDN configuration.
You can upgrade IP appliances to R76:
  Disk-based and Flash-based on IPSO 6.2 MR4, for physical gateways (not Virtual Systems).
  Disk-based appliances on Gaia, for physical gateways or Virtual Systems.
To learn more about upgrading IPSO to Gaia, see sk69640 (http://supportcontent.checkpoint.com/solutions?id=sk69640).
You can upgrade these versions of SecurePlatform VSX gateways to R76 Security Gateways in VSX mode:
  VSX R65, VSX R65.10, VSX R65.20
  VSX R67, VSX R67.10
See the VSX upgrade instructions in the R76 Installation and Upgrade Guide. Important - To upgrade to R76 Gaia, make sure there is enough free disk space in /var/log. See the R76 Release Notes (http://supportcontent.checkpoint.com/solutions?id=sk91140).
To upgrade a Security Management Server on a 32-bit appliance to 64-bit Virtual System mode:
1. Install the SecurePlatform OS.
2. Change the configuration in cpconfig.
3. Reboot.
Uninstalling
Uninstallation of IPS pattern granularity is not supported. If you uninstall R76, the patterns remain, converted to protections.
To uninstall R76, see the R76 Installation and Upgrade Guide (http://supportcontent.checkpoint.com/solutions?id=sk91140).