Provider-1
Release Notes
December 2009
Note - The latest available version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=10142
Introduction
What’s New
Known Limitations
Supported Versions, Platforms and Builds
Installation and Uninstallation
Resolved Issues in NGX R65 HFA_50
Resolved Issues in NGX R65
Documentation Feedback
Provider-1 NGX R65 HFA_50 Release Notes Last Update — December 6, 2009 2
Introduction
Thank you for updating your Check Point products with Provider-1/SiteManager-1 NGX R65
HFA_50 (Hotfix Accumulator). This HFA is a recommended update that resolves various issues and
contains improvements for Provider-1/SiteManager-1 and other Check Point products on a variety of
platforms.
Please read this document carefully prior to installing this HFA. We also recommend that you refer
to the appropriate Check Point user documentation and release notes, which contain hardware
requirements, software requirements, and version recommendations.
Note - The product name Provider-1, as used in this document, refers to both Provider-1 and
SiteManager-1, unless otherwise indicated.
What’s New
Known Limitations
Provider-1
00427880
If this HFA is uninstalled, stored revisions that were made while it was installed cannot be viewed
or reloaded.
SecurePlatform
After installing Check_Point_NGX_R65_HFA_50.linux.tgz
(http://supportcontent.checkpoint.com/file_download?id=10146), which contains a number of
packages, on a SecurePlatform machine, the HFA package named SecurePlatform (for the
operating system) cannot be uninstalled. As a result, SecurePlatform NGX R65 HFA_50 is still
displayed after uninstallation.
Check Point NGX R65.4 is not supported for installation on top of R65 HFA 50 running on
SecurePlatform 2.6.
00466648
Uninstalling HFA 50 on SecurePlatform 2.6 is not supported as it may cause system instability.
Before installing HFA 50 on SecurePlatform 2.6, make sure to take a snapshot of the entire
system in order to enable reverting to the previous state if needed. For details refer to sk42329 at
http://supportcontent.checkpoint.com/solutions?id=sk42329
00523404
Before upgrading a SecurePlatform gateway to R70 from R65 with HFA 40 or HFA 50, you must
follow the instructions in sk43247 (http://supportcontent.checkpoint.com/solutions?id=sk43247).
VPN-1 Edge/Embedded
00437851, 00437914, 00438673
Installing a policy on a large number of VPN-1 UTM Edge devices managed from SmartDashboard
may not succeed.
Workaround: Install the policy on Edge devices in several batches.
VPN-1
00508572
L2TP connections initiated from a client located behind NAT will fail.
Database Revisions
00432491
A database version, created with the Policy Revision Control, cannot be viewed or restored if the
list of currently installed plug-ins is different from when the Revision Control version was created.
Connectra
Installation of Connectra NGX R62 Central Management plug-in is not supported on an NGX R65
MDS with certain other plug-ins. For a list of plug-in compatibility, see
http://www.checkpoint.com/ngx/upgrade/plugin/index.html
Eventia Analyzer
00467080
When changing the Database Maintenance configuration from a very large size (20 GB) to a
smaller size (2 GB) the cleaning process takes a very long time.
Workaround: In Database Maintenance, reduce the DB size gradually from 20 GB to 15 GB, then
to 10 GB, and so on.
R65.4 installation on Windows on top of HFA 50 or above is blocked. For a workaround, see
sk42965.
Supported Versions, Platforms and Builds
Supported Platforms
The following platforms are supported for Provider-1 NGX R65 HFA_50.
Platform          Version
Smart-1           Models 5, 25 and 50
SecurePlatform    NGX R65 on SecurePlatform 2.4 and 2.6
Solaris           5.8, 5.9, 5.10
Linux             Red Hat Enterprise Linux 3.0 kernel 2.4
Supported Products
This HFA may be installed with various Check Point products.
Supported Builds
To verify you have the HFA described in this document: extract the contents of the tgz package you
downloaded and open the take_number.conf file using a text editor. Verify that it contains:
take_95.
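The same check can be scripted so that the package is inspected before anything is unpacked on the management server. This is an added example, not part of the original release notes; the function name check_hfa_take is hypothetical, and it assumes take_number.conf may sit at any depth inside the archive.

```shell
#!/bin/sh
# Added example: confirm that a downloaded HFA package carries the expected take.
# This checks the build identifier only; it does not prove where the file came from.
# Assumption: take_number.conf may sit at any depth inside the archive.

# check_hfa_take ARCHIVE EXPECTED_TAKE
# Returns 0 on match, 1 on mismatch, 2 if the archive or the file is unusable.
check_hfa_take() {
    archive=$1
    expected=$2

    [ -r "$archive" ] || { echo "cannot read $archive" >&2; return 2; }

    # List the members first so that nothing is written to disk until the
    # package is confirmed to be the right one.
    member=$(tar -tzf "$archive" 2>/dev/null |
             grep -E '(^|/)take_number\.conf$' | head -n 1)
    [ -n "$member" ] || { echo "take_number.conf not found in $archive" >&2; return 2; }

    # Stream the file to stdout (-O) and match the take as a whole token,
    # so that take_950 or take_9 is not accepted in place of take_95.
    if tar -xzOf "$archive" "$member" 2>/dev/null |
       grep -Eq "(^|[^[:alnum:]_])${expected}([^[:alnum:]_]|\$)"; then
        echo "OK: $archive contains $expected"
        return 0
    fi
    echo "MISMATCH: $archive does not contain $expected" >&2
    return 1
}
```

For the package described here, the call is: check_hfa_take Check_Point_NGX_R65_HFA_50.linux.tgz take_95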
Take 95 of Provider-1 NGX R65 HFA_50 consists of the following builds:
Installation and Uninstallation
Installing on SecurePlatform
Important - The default idle timeout on SecurePlatform is ten minutes. After this time, the user is logged out. To
ensure that installation is not interrupted by this timeout, before entering expert mode, type: idle 60 in the
command line.
3. Verify that there is enough free disk space for the installation of the HFA packages.
Updating Customized INSPECT Files
If any INSPECT files in a CMA were previously modified, no INSPECT files are updated for this
CMA. The following message appears:
Signature mismatches were found for some CMAs. This indicates that manual
change were made to the Inspect files. These affected CMAs are listed in:
$MSDIR/tmp/manually_modified_cmas.txt
Please note that the specified Inspect files were NOT updated for these
CMAs. If you wish to update them, execute the following command:
hf_propagate o --override_manual
If the files were not replaced (signature mismatch message displayed), you must force the
INSPECT files to be updated.
Important - You must replace the previous files. If you do not, unexpected behavior may result.
The following procedure is done on ALL CMAs at once, not just the one you are working on.
4. Open the files that are listed in update_inspect_files_50.log and note the customized
lines.
6. Merge the customized content (that you noted in the previous steps) into the new INSPECT
file(s).
Note - Backups of the upgraded files are saved with _pre_HFA_50 in the filename.
Uninstallation
Important - After uninstallation, make sure the machine reboots before attempting to run uninstall
again. A second uninstall command may cause unexpected behavior.
Before you begin this procedure, note that the order in which the uninstallation steps are executed
is important. You must follow the instructions in the order provided here; otherwise, the
uninstallation could have unwanted results. In addition, uninstallation of individual packages is
not supported.
To uninstall NGX R65 HFA_50 from Provider-1 MDS:
1. Execute mdsstop.
2. Run ./opt/CPUninstall/R65_HFA_50/Unixinstallscript -u
Note - If you reboot the machine from opt/CPUninstall/R65_HFA_50 an error message appears
that can be ignored.
Post-Uninstall Notes
After uninstalling this HFA from a SmartCenter server machine which had plug-ins installed, you
may find that policy installation is not functioning correctly. To fix this issue, execute:
plugin_reset
After uninstalling this HFA from a SecurePlatform machine, the login prompt may still display
Check Point SecurePlatform NGX (R65) HFA 50 as the installed version, because the
SecurePlatform package was not uninstalled. Use the fw ver command to see the current version.
Resolved Issues in NGX R65 HFA_50
Eventia Analyzer
ID: 00436786, 00436755, 00436785
Description: Automatic archiving of large history files when Database Maintenance is enabled
now succeeds.
Install On: Dedicated server
Eventia Reporter
ID: 00432523, 00432506, 00450008
Description: The Log Consolidator process now ignores log entries with erroneous dates.
Erroneous dates are dates later than the current date, and dates earlier than the
current date minus a defined interval (360 days by default). These dates may be
generated by endpoint computers whose date and time values are incorrectly set. The
ignored log records are stored in:
$RTDIR/log_consolidator_engine/log/<IP>/ignored_records.txt and can be
viewed by opening this file in a text editor.
For details on modifying the defined interval, refer to sk42348 at
http://supportcontent.checkpoint.com/solutions?id=sk42348
Install On: Dedicated server
Firewall
ID: 00421161, 00366470, 00416530, 00420375, 00428220, 00447035,
00447310
Category: Policy Installation
Description: Policy installation now succeeds under the following circumstances:
• Defining NAT rules for an Edge object using large groups as the source or
destination.
• Defining NAT rules for an Edge object using a dynamic object as the source or
destination.
Install On: MDS
HFA Installation
ID: 00440838, 00439588
Category: Installation
Description: It is now possible to install an HFA on top of an installation when the path in the
FWDIR variable contains a space character.
Install On: MDS
Management Server
ID: 00366985, 00366122, 00366986, 00371289, 00415251, 00449365
Description: Debug messages (whether caused by an error or purely informational) now appear
only in Debug mode.
Install On: MDS
Provider-1
ID: 00419740, 00417955, 00420956, 00430201, 00439136, 00464270
Category: Authentication
Description: All TCP sockets now close properly so that no file descriptor leaks occur when
connecting to a CMA via RADIUS server authentication.
Install On: MDS
ID: 00508596
Category: Licensing
Description: SNX licensing problems have been resolved. Licenses must be installed on the
MDS.
Install On: MDS
Security Management
ID: 00412090, 00411259, 00466224, 00427725, 00443476, 00464269
Category: Policy Installation
Description: Enhancements made to the fwm process provide stability during policy installation.
Install On: MDS
VPN-1 Edge/Embedded
ID: 00446704, 00446709
Category: VPN-1 Edge
Description: Before installing a policy on an Edge device, it is no longer necessary to select VPN
in the products list on the General Properties page of the Edge object. Even though
VPN is not selected for the Edge object, the policy will be installed successfully.
Install On: MDS
VSX
ID: 00375553, 00371285, 00380532, 00403450, 00438948
Category: VSX
Description: Static routes are now automatically recreated with new interface names after
changes have been made to an interface name (normal or VLAN) and the next hop
is in the same subnet as the VS interface.
Install On: MDS
Resolved Issues in NGX R65
Documentation Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your
comments to:
cp_techpub_feedback@checkpoint.com
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and
decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every
precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are
subject to change without notice.
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at
DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
www.checkpoint.com