Check Point Enterprise Suite
Known Limitations Supplement for NGX R61
February 7, 2007

Information About This Document

This document contains known limitations from versions prior to NGX R61 that are relevant for this release. Before setting up Check Point NGX R61, review this information in conjunction with the latest NGX R61 Release Notes, available at http://www.checkpoint.com/support/technical/documents/index.html.

Previously Published Clarifications and Limitations

In This Section
Firewall
SmartCenter
VPN-1 Edge/Embedded
VSX
SecurePlatform
SmartLSM
SmartUpdate
SmartView Monitor
Eventia Reporter
ClusterXL
SecureXL
Performance Pack
SSL Network Extender
UserAuthority Server
Integrity

Copyright © 2006 Check Point Software Technologies, Ltd. All rights reserved


Firewall

In This Section
Installation, Upgrade and Backward Compatibility
Platform Specific — Nokia
Platform Specific — Windows
Platform Specific — Solaris
Platform Specific — Linux
Load Sharing
NAT
Authentication
Security Servers
Services
IPv6
SmartConsole & SmartConsole Applications
ISP Redundancy
Logging
Policy Installation
SAM
Dynamically Assigned IP Address (DAIP) Modules
Miscellaneous
VoIP
SecureClient

Installation, Upgrade and Backward Compatibility

1. When upgrading from earlier NG Feature Packs, the SYNDefender configuration moves to a global configuration in SmartDefense and defaults to off. If a per-module configuration is desired, uncheck Override modules' SYNDefender configuration under TCP > SYN Attack Configuration in the SmartDefense settings.

2. Prior to NG with Application Intelligence (R54), setting the SmartDefense feature Max URL length to 0 dropped all connections. Since R54, setting the parameter to 0 disables this protection.

3. When the Web Intelligence General HTTP Worm Catcher is enabled, policy installation on modules running NG FP1 cannot be performed. To install the policy, either remove the NG FP1 modules from the list of Policy Installation Targets or disable the General HTTP Worm Catcher.

Enterprise Suite NGX R61 Known Limitations Supplement Last Update — February 7, 2007


4. When the Web Intelligence General HTTP Worm Catcher is enabled, policy installation on modules running NG FP3 prior to HotFix-2 cannot be performed. To install the policy, upgrade the module to NG FP3 HotFix-2.

5. On modules that pre-date NG with Application Intelligence R55W, the Web Intelligence defenses HTTP Format Sizes, ASCII Only Request and General HTTP Worm Catcher support only the protection scope apply to all HTTP connections. If one of these defenses is configured with the protection scope apply to selected web servers and is installed on an older module, the scope apply to all HTTP connections is applied on that module.

6. When making INSPECT changes to the file user.def, edit the copy in the directory $FWDIR/conf (not the one in $FWDIR/lib, as was the practice in previous versions). user.def is copied from the conf directory to the lib directory during policy installation, so an edit made directly under lib is overwritten at the next install. Filenames are now adjusted to the different compatibility packages, so be sure to modify the appropriate file only:
• user.def.NGX_R60 - contains user code for NGX modules (this overwrites the file $FWDIR/lib/user.def during policy install)
• user.def.R55WCMP - contains user code for R55W modules (this overwrites the file user.def in the R55W compatibility package directory)
• user.def.MGCMP - contains user code for NG modules, R55 and below
• user.def.EdgeCmp - contains user code for VPN-1 Edge modules

Platform Specific — Nokia

7. When the SmartDefense TCP Sequence Verifier feature is enabled and Flows acceleration is enabled, the Sequence Verifier feature is not enforced and the following message appears when installing policy: "Flows: TCP Sequence Verifier acceleration is not supported on the Gateway." When SecureXL is enabled, you can enable the SmartDefense TCP Sequence Verifier feature by first enabling it in Nokia Network Voyager (System Configuration > Advanced System Tuning) and then in SmartDashboard (SmartDefense tab > Network Security > TCP). The Sequence Verifier feature is then enforced on accelerated connections.

Platform Specific — Windows

8. Adaptec Duralink64 port aggregation/failover is not supported.

9. VPN-1 Pro limits its memory allocations to a certain percentage of the available non-paged memory. This limit affects the number of concurrent connections that the Enforcement Module can handle. The limit is intended to leave the rest of the system enough memory resources for smooth operation. The default limit can be changed to suit the system configuration. In Windows the limit can be set by setting the MaxNonPagedPoolUsage value (DWORD) in the registry (under


28. When using a SmartDirectory server for internal password authentication, if the account lockout feature is disabled the Firewall does not attempt to modify the user's login failed count and last login failed attributes on the SmartDirectory server. This improves overall performance and eliminates unnecessary SmartDirectory modify errors on SmartDirectory servers that do not have these attributes defined because the Check Point SmartDirectory schema extension was not applied to them.

29. Issues may arise when using automatic or partially automatic client authentication for HTTP on Load Sharing clusters (both ClusterXL and OPSEC clusters). A workaround is to define a decision function based only on IP addresses so that connections can open. For ClusterXL, go to the ClusterXL tab > Load Sharing > Advanced, and select IPs only. For OPSEC clusters, refer to the product documentation for more information.

30. Definition of nested RADIUS Server groups is not supported.

Security Servers

31. The HTTP Security Server handles a proxied or a tunneled connection request differently than earlier Firewall versions. Beginning with FireWall-1 NG FP2, such requests are not allowed if they are matched with an Accept rule. They are still allowed if the request is matched with an Authentication or a Resource rule. This change was made to harden security and prevent the CONNECT from looping to the Security Server and then to another destination. In R54, FTP over HTTP proxy connections were allowed when using User Authentication even if they were not allowed explicitly by a rule in the Security Policy. In NGX (R60A), to further harden security, these connections are not allowed by default unless there is an explicit rule (using a URI Resource) that allows them. If you wish to revert to the old behavior, refer to SecureKnowledge solution sk14608.

32. UFP counters available via cpstat fw -f ufp give incorrect values.

33. If web browsers are configured to use an IP address for their proxy (instead of a hostname), the next proxy definition of the HTTP Security Server must also use the same IP address. If the next proxy definition is a hostname, connections using an IP address are not allowed to the proxy. It is recommended to use only hostnames in the browser configuration.

34. When a field in a URI specification file is too long, the Security Server exits when trying to load the file. Under load, the Firewall daemon (FWD) reloads the Security Server, which then exits again. After a certain time, cores are dumped.

35. Client authentication with agent automatic sign on is supported with all rules, with two exceptions:
• Rules that use an HTTP resource.
• Rules where the destination is a web server.

36. Security Servers are not supported with Sequence Verifier in Load Sharing Cluster environments.

37. When using the HTTP Security Server in proxy mode (HTTP Tunneling), connections may be encrypted over port 80 (for example, the first command is in the clear and subsequent requests are in SSL). SmartDefense blocks these connections and generates the following log entry: Binary character in request. To enable such connections, change the global property asm_http_allow_connect to True. Note that this change causes SmartDefense to stop examining these connections once an HTTP CONNECT command is detected in the proxied connection.

38. When using SOAP filtering in the HTTP Security Server, the SOAP scheme file supports all forms of namespaces and methods; however, the feature is not supported if a method has no namespace at all.

Services

39. No warning is generated when a policy containing services with Keep connections open after Policy has been installed checked is installed on NG FP3 modules. Such services are enforced according to the default behavior on these modules.

40. When CIFS resources are used in rules with policy targets in their Install On fields, policy installation on NG FP3 modules may succeed without warning, although CIFS resource filtering is not supported on these modules.

41. A service using the FTP_BASIC protocol type cannot be used with the FTP Security Server.

42. When using T.120 connections, make sure to manually add a rule that allows T.120 connections.

IPv6

43. In IPv6 logs, IPv6 address resolving is not supported in SmartView Tracker.

44. Discovery traffic is enabled by default on IPv6 enabled modules. To disable it, edit the file $FWDIR/lib/implied_rules.def and comment out the line #define ACCEPT_DISCOVERY 1.

45. Anti-spoofing is currently not supported with IPv6.

46. Boot policy is not supported on IPv6 enabled modules.
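The following shell function is an added example of carrying out the edit in item 44 safely; it is not Check Point's own tooling and is not part of this supplement. It backs up implied_rules.def, comments out the active #define ACCEPT_DISCOVERY 1 line, does nothing if the line is already commented out, and verifies afterwards that no active directive remains. It assumes that INSPECT accepts C-style // line comments and that the directive sits on its own line; the sample file content is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the supplement): disable the ACCEPT_DISCOVERY
# implied rule by commenting out its #define, with backup and verification.
# Assumptions: INSPECT accepts C-style "//" line comments; the directive is
# on its own line. On a real system:
#   disable_ipv6_discovery "$FWDIR/lib/implied_rules.def"

# disable_ipv6_discovery FILE
# Exit status: 0 = directive disabled (or already was), 1 = failure.
disable_ipv6_discovery() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # Already commented out (or absent)? Leave the file untouched.
    if ! grep -q '^[[:space:]]*#define[[:space:]]*ACCEPT_DISCOVERY[[:space:]]*1' "$file"; then
        return 0
    fi

    # Timestamped backup beside the file, permissions/mtime preserved.
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1

    # Prefix only the active directive; every other #define stays as is.
    tmp="$file.tmp.$$"
    sed 's|^\([[:space:]]*\)\(#define[[:space:]]*ACCEPT_DISCOVERY[[:space:]]*1\)|\1// \2|' "$file" > "$tmp" \
        && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }

    # Verify: succeed only if no active directive remains.
    ! grep -q '^[[:space:]]*#define[[:space:]]*ACCEPT_DISCOVERY' "$file"
}

# Constructed stand-in for $FWDIR/lib/implied_rules.def (not the real file).
make_sample_def() {
    cat > "$1" <<'EOF'
// constructed excerpt for the example
#define ACCEPT_DISCOVERY 1
#define ACCEPT_OTHER 1
EOF
}
```

Because the function refuses to touch a file that already has the directive commented out, it can be re-run after an upgrade or a failed change without producing a second backup or a doubly commented line. Re-install the policy after the edit so the compiled policy picks it up (assumed to be required; the supplement does not say).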


47. When connecting to the IPv4-compatible IPv6 address of VPN-1 Pro (::w.x.y.z, for example), the following appears on the console: Jan 14 09:37:32 shif [LOG_CRIT] kernel: fw_filterin: 0 unknown interface. This message can be safely ignored in such configurations. To prevent the message from appearing, run the command modzap _fw_verbose_unknown_if $FWDIR/boot/modules/fwmod.o 0x0 and reboot.

48. Content of IPv6 in IPv4 tunnels (IPv4 protocol 41) passing through VPN-1 Pro is not inspected.

49. CPMAD functionality is not supported with the IPv6 protocol.

50. SmartDefense's ping size property is not enforced on ICMPv6 echo request packets.

51. Because IPv6 is not supported for Security Servers, enabling Configuration apply to all connections under SmartDefense's FTP Security Server settings causes FTP (as well as HTTP and SMTP) connections over IPv6 to be rejected, and no log is generated.

52. The command fw6 unload localhost unloads both the IPv6 and the IPv4 policies, although it should unload only the IPv6 policy.

53. IPv6 packets with extension headers that are not explicitly allowed by editing the table.def INSPECT script are dropped without being logged.

54. The Remote Shell (RSH) protocol is not supported for IPv6.

SmartConsole & SmartConsole Applications

55. When a client connects with SmartDashboard to SmartCenter and performs a SmartDefense online update, a second client connecting with SmartDashboard to the same SmartCenter sees the new protections but not the new HTML descriptions. The situation is resolved by the second client logging out and logging in again. A similar behavior may occur with the Silent Post-install Update: if new protections were added in that package, the second client that logs in does not see the respective new HTML descriptions. The workaround is the same (the client should log out and log in again).

ISP Redundancy

56. When using the ISP load sharing configuration, outgoing traffic that passes through a Security Server is not load-shared and passes through a single ISP (the default route). If this ISP fails, new connections are opened through the second ISP.

57. If a network cable is unplugged from a network card using 3c59x (3COM), Starfire, or Tulip drivers, the link's status mistakenly indicates that the next hop is not responding, instead of reporting that the network cable is unplugged. This affects the messages produced by the product when the ISP redundancy feature is used. For instance, instead of indicating that the link is down, the message indicates that the next hop is not responding.

58. ISP redundancy is not supported in a ClusterXL Different subnets configuration. This means the IP address of the cluster must be on the same subnet as the cluster members' real IP addresses.

59. In a ClusterXL configuration, the names of the external interfaces of all cluster members must be identical and must correspond in turn to the names of the external interfaces of the cluster object. For example, if the cluster object has two external interfaces called eth0 and eth1 which are connected to ISP-1 and ISP-2 respectively, each cluster member must have two external interfaces called eth0 and eth1 connected to ISP-1 and ISP-2 respectively.

Logging

60. FTP data connections may appear in the Active connections view in SmartView Tracker even after these connections have been terminated.

Policy Installation

61. When installing a policy on a module, the policy installation log may record anti-spoofing warning messages from modules not included in the installation that do not have anti-spoofing configured.

62. Policy installation may fail when there are 70 or more dynamic objects.

63. When installing policy on a cluster with a Layer 2 bridge defined, the installation may fail with the following error: Load on Module failed. To resolve this issue, do the following:
1. Set the environment variable FW_MANAGE_BRIDGE to 1 on the SmartCenter server. This is done by updating the files $CPDIR/tmp/.CPprofile.csh and $CPDIR/tmp/.CPprofile.sh so that they set FW_MANAGE_BRIDGE to 1 (setenv FW_MANAGE_BRIDGE 1 in the csh profile; FW_MANAGE_BRIDGE=1 followed by export FW_MANAGE_BRIDGE in the sh profile).
2. Install policy.

SAM

64. A Suspicious Activity Monitor (SAM) rule fails for a remote Gateway if the SmartCenter Server is also a VPN-1 Pro enforcement module and no policy has been installed on it since adding the remote Gateway.


Dynamically Assigned IP Address (DAIP) Modules

65. The fw tab command on a SmartCenter Server is not supported.

Miscellaneous

66. Token ring adapters are not supported.

67. The TCP Sequence Verifier is not supported with clusters using asymmetric routing.

68. The Accept VPN-1 & FireWall-1 control connections Implied Rules setting applies to a SmartCenter server object in specific cases only:
• to the primary IP defined for this object, and
• only if there are interfaces defined in its Topology tab.
This may create connectivity problems when trying to install policies (or perform other operations included in the control connections). The workaround is to define explicit rules that allow connectivity to the SmartCenter object.

69. When executing the command fw tab -u -f -t connections, error messages such as FW-1: fwkbuf_length: invalid id number XXXX and Table kbufs - Invalid handle 6a6b8803 (bad entry) can be safely ignored. To avoid these messages, use the command fw tab -u -t connections instead.

70. Deploying a DHCP server on a SecurePlatform machine running a VPN-1 enforcement module is not supported. As a workaround, deploy the DHCP server on a SecurePlatform machine not running an enforcement module.

71. A large database on a gateway may result in high CPU usage by the services vpnd and dtpsd. To resolve this issue, use the cpprod utility to set a value for the setting SIC_SERVER_DEFAULT_TIMEOUT.

VoIP

72. MSN Messenger version 5 is not supported. Additionally, there are a few known issues regarding MSN Messenger when employing Hide NAT:
• When running SIP and the data connection tries to open MSN Messenger connections on hidden networks, the connection fails.
• While audio and video each work separately, they cannot be run concurrently.

73. When using the SIP protocol and a security rule uses the Action reject to block high_udp_ports (RTP ports - data connection), the incoming audio is rejected as well. A workaround is to use the Action drop in place of reject.


74. When an H.323 IP phone that is not part of a handover domain tries to establish a call, the call attempt is blocked and the following message appears on the console: FW-1: fw_conn_inspect: fwconn_chain_lookup failed. If you want to allow this phone to make calls, add it to the handover domain, and the error message no longer appears. Note that this console message may appear in other (non-VoIP) scenarios as well.

75. In some cases, when a user closes an MSN Messenger application (such as Whiteboard), the application does not close automatically on the remote end. The remote user needs to close the application manually.

76. When the SIP proxy is in the DMZ, whiteboard and application sharing do not open between external and internal messengers.

SecureClient

77. Policy installation fails if a combination of different user groups and network objects is used in the same cell. For example, if the following appears in a source or destination cell, the policy does not install:
usergroup1@netobj1 & usergroup2@netobj2
If the user groups match or the network objects match, the installation succeeds. The following examples allow the policy to install successfully:
usergroup1@netobj1 & usergroup2@netobj1
usergroup1@netobj1 & usergroup1@netobj2


SmartCenter

In This Section
Installation, Upgrade, and Backward Compatibility
SmartDirectory
Policy Installation
VPN Communities
SmartConsole Applications
SmartCenter Clients on Motif
Logging
Management High Availability
Trust Establishment (SIC)
Platform Specific — Windows
Platform Specific — Nokia
OPSEC
Miscellaneous
OSE
Dynamically Assigned IP Address (DAIP) Modules
SmartPortal

Installation, Upgrade, and Backward Compatibility

1. After upgrading from NG FP2, the name of the Internal Certificate Authority (CA) that was previously entered is not displayed in the Check Point Configuration Tool (cpconfig > Certificate Authority tab), although it is still usable. If it is reconfigured, it is displayed.

2. When using the Upgrade Export and Import utilities on the Windows platform, the machine should be connected to the network. Alternatively, a connector can be used to simulate a connection. Refer to SecureKnowledge solution sk19840 for more information on how to simulate a network connection during an upgrade.

3. When upgrading with a duplicate machine whose IP address differs from the original IP address of the SmartCenter Server, if Central licenses are used they should be updated to the new IP address. This can be done via the User Center at http://usercenter.checkpoint.com, by choosing the action License > Move IP > Activate Support and Subscription.


4. If the Import or the Export operation fails while upgrading, the entire operation fails, with the exception of these products: Eventia Reporter, SmartView Monitor, SecureXL and UserAuthority Server. Use the log file of the Import/Export operation to understand what caused the problem and fix it. The log file is located at:
• Windows: C:\program files\checkpoint\CPInstLog
• Unix: /opt/CPInstLog

5. When upgrading a Log Server, choose the Upgrade option and ignore the other options (to export the configuration or to perform pre-upgrade verifications). These options are irrelevant for Log Server upgrades. Also, the backward compatibility (BC) package is installed on every Log Server. It can be safely removed, as it is not in use on a Log Server.

6. If, when using the Check Point Installation Wrapper, the download of updates fails during an upgrade (for example, because the machine is not connected to the Internet), the upgrade continues using the tools that exist on the CD. To use the most recent version:
1. Download the updates from: https://support.checkpoint.com/downloads/bin/autoupdate/ut/r61/index.html
2. Save the update on the local disk of your SmartCenter server.
3. Restart the installation wrapper and choose the second option on the download page: I already downloaded and extracted the Upgrade Utilities.

7. Check Point 4.1 gateways and embedded devices are no longer supported with this release. After upgrading the SmartCenter Server to NGX (R60A), these objects remain, but you cannot install policy on them.

8. Support for VPN-1 Net has been discontinued.

9. After upgrading SmartCenter, but before upgrading the gateways, SecurID users may not be able to connect. A workaround is detailed in SecureKnowledge solution sk17820. This solution should be implemented in the compatibility package directories as well:
For NG gateways (NG FCS - R55):
• Unix: /opt/CPngcmp-R60/lib/
• Windows: C:\Program Files\CheckPoint\NGCMP
For R55W gateways:
• Unix: /opt/CPR55Wcmp/lib
• Windows: C:\Program Files\CheckPoint\R55WCmp\lib


10. When upgrading SmartCenter with a duplicate machine on the Windows platform, the following message may appear after selecting Import configuration file: Failed to import configuration. Imported configuration file does not contain the correct data. The problem is resolved by either removing gzip.exe from the environment path or removing the file altogether.

11. A secondary SmartCenter server does not support the wrapper's Advanced Upgrade or the Export/Import tools.

12. In this release, SmartCenter does not manage gateways prior to NG FP3. If you have such gateways, it is recommended that you upgrade them as well.

13. After a SmartCenter server has been upgraded or copied via the Advanced Upgrade feature, previously defined VPN-1 Edge devices are not able to connect to it, and the Connection Wizard generates object non-registered messages. To resolve this issue, use SmartUpdate to re-install a specific firmware package.

SmartDirectory

14. When manually defining branches on an Account Unit, spaces between elements in the branch definition do not work. Example:
A good branch: ou=Finance,o=ABC,c=us
A bad branch: ou=Finance , o=ABC , c=us

15. If Use SmartDirectory (LDAP) is checked in the Global Properties but no LDAP account unit is configured, the authentication of external users (as opposed to LDAP users) that are not defined in the user database does not succeed. To resolve this issue, make sure that you uncheck Use SmartDirectory (LDAP) in the Global Properties.

Policy Installation

16. Policy installation may fail when there are 70 or more dynamic objects.

17. After aborting an installation, before attempting to install a policy, make sure that there are no processes running the fwm load command on the SmartCenter server, or your installation may halt.

18. When the Install Policy option Install on all gateways, if it fails do not install on gateways of the same version is selected, policy is installed on gateways by group. There are four such groups:
• VPN-1 Edge
• R55W
• NGX
• all others (R55 and prior versions)
When this option is selected, if policy installation fails for a member of one of the groups, the policy is not installed on any other gateway in that group. Policy installation continues uninterrupted to members of other groups, however.

19. Uninstall of policy on LSM profiles is not supported.

20. Policy installation is divided into several stages: verification, compilation, file transfer, and so on. Each stage has a default timeout of 300 seconds. Should you encounter timeout problems while installing policy, you can change the value of the timeout in the following way:
1. Run the command cpstop on the SmartCenter server.
2. Use the DBedit tool to change the attribute install_policy_timeout located in Global Properties > firewall_properties. A valid value is from 0 to 10000.
3. Close DBedit and run the command cpstart.

VPN Communities

21. When managing SmartLSM ROBO Gateways, some of which are VPN-1-enabled, from a Standalone machine, the policy fetch operation may not succeed once VPN has been established between the Standalone and the ROBO Gateway in question. To overcome this issue, add the CPD service as an excluded service for each of the communities that have SmartLSM ROBO profiles. To do this:
1. Open the community object.
2. In the Advanced Settings tab, choose the Excluded Services tab and add CPD as an excluded service.

SmartConsole Applications

22. When deleting objects from SmartDashboard, in some cases the Where Used... option does not report that objects are being used in the database, and it is possible to delete these objects without any warning. The cases are:
• RADIUS and TACACS servers referenced by Templates in the Authentication tab.
• Users and User Groups contained by other User Groups.
• For SmartDirectory Account Units referenced by External Groups, the Where Used... option is applicable but the Delete operation cannot be performed. As a workaround, restart (cpstop, cpstart) the SmartCenter Server.
Note that all cases apply only if the objects were created after the SmartCenter Server was started.
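Item 14 above rejects branch definitions with whitespace around the RDN separators, and a branch that is silently wrong means LDAP users simply fail to authenticate. The shell functions below are an added example (not part of this supplement and not Check Point tooling) that normalize a branch DN to the accepted form and check a file of branch definitions before they are typed into an Account Unit. Whitespace inside an RDN value (ou=Sales Dept) and escaped commas (\,) are left alone; the sample file is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the supplement): normalize Account Unit branch DNs
# to the "good branch" form of item 14 and flag ones that need fixing.

# normalize_branch DN -> prints DN with whitespace around unescaped "," removed
# and leading/trailing whitespace trimmed. Spaces inside an RDN value and
# escaped commas ("\,") are preserved.
normalize_branch() {
    printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' \
                               -e 's/[[:space:]]*$//' \
                               -e 's/\([^\\]\)[[:space:]]*,[[:space:]]*/\1,/g'
}

# branch_ok DN -> exit 0 if DN is already in the accepted form, 1 otherwise
branch_ok() {
    [ "$(normalize_branch "$1")" = "$1" ]
}

# check_branches FILE -> one line per branch: "OK  <dn>" or "FIX <dn> -> <normalized>"
check_branches() {
    while IFS= read -r dn; do
        [ -n "$dn" ] || continue
        if branch_ok "$dn"; then
            printf 'OK  %s\n' "$dn"
        else
            printf 'FIX %s -> %s\n' "$dn" "$(normalize_branch "$dn")"
        fi
    done < "$1"
}

# Constructed sample input (not from any real Account Unit).
make_sample_branches() {
    cat > "$1" <<'EOF'
ou=Finance,o=ABC,c=us
ou=Finance , o=ABC , c=us
ou=Sales Dept,o=ABC,c=us
EOF
}
```

Run check_branches over the list of branches you intend to configure and paste only the normalized form; a FIX line is exactly the case the supplement says will not work.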


23. To track Session ID information, an application should be opened independently, meaning not from another Check Point application.

24. The capability for exporting logs from SmartView Tracker running on Motif is disabled in this version.

25. The View rule in SmartDashboard feature in SmartView Tracker does not bring the SmartDashboard application into focus if it is already open on the right rule database.

26. When choosing to view Installed Policies from SmartDashboard on Motif, a failure may occur if one of the VPN-1 Pro modules fails to respond.

27. When logs cannot be generated for some reason, such as no disk space or the logging process being down, changes cannot be saved from SmartDashboard. If this occurs, the following error message appears: The changes could not be saved. Please make sure all Firewall-1 services are up and running. For more information use the SmartView Monitor application.

28. When running a query on a Security Policy in SmartDashboard, only user-defined rules are displayed in the query result. Implied rules matching the query are not displayed, even if the option View Implied Rules is selected.

29. When switching the active file from SmartView Tracker, the new active file name is automatically designated by the system. The user-defined file name is ignored.

30. VPN-1 Edge objects cannot be defined from the Manage menu in SmartDashboard. To define VPN-1 Edge objects, from the Objects Tree, right-click Check Point and select New.

SmartCenter Clients on Motif

31. The View Rule in SmartDashboard feature in SmartView Tracker for Motif is not supported.

Logging

32. When working with a Log Server of an earlier version than the SmartCenter Server, the log fields of log records from new modules that were added after the upgrade of the SmartCenter Server may not be resolvable.

33. An administrator with Read Only permission for Monitoring can still create, modify, rename and delete queries in SmartView Tracker.

34. When a Log Server is installed on a DAIP module, management operations such as purge and log switch cannot be performed.

35. If you are using the cyclic logging feature, it is recommended after upgrade to back up your old /log files to another machine, and then to delete them from the Log Server.


36. When a Log Server runs out of disk space, any logs sent by ELA clients are lost. To prevent this, be sure to maintain adequate disk space on the Log Server.

Management High Availability

37. A SmartCenter server that is also a VPN-1 Pro module must have a policy installed on it for other SmartCenter Servers to be able to communicate with it. This must be done after initial setup, or after resetting SIC communication on the SmartCenter Server.

38. Database versions that were created using the Revision Control feature must be synchronized manually in a Management High Availability environment. To synchronize them, do the following:
1. Run cpstop on the standby SmartCenter server.
2. Copy all files under $FWDIR/conf/db_versions/repository/* and $FWDIR/conf/db_versions/database/* from the active management to the standby SmartCenter server.
3. Run cpstart on the standby SmartCenter server.

39. If a primary SmartCenter Server is in a Standalone configuration and a secondary SmartCenter Server is active, policy installation from the secondary to the primary server is prohibited immediately after upgrade. To resolve this, install the policy locally on the primary server.

40. When modifying the file InternalCA.C, be sure to copy the modified file to the other management stations, and then install the policy again for the changes to become active.

Trust Establishment (SIC)

41. If your SmartCenter Server is deployed in a standalone configuration, you must install the policy locally (in other words, on the SmartCenter itself) before establishing SIC with Connectra devices.

Platform Specific — Windows

42. Windows 2000 specific issue: A SmartConsole connection to the SmartCenter Server on Windows 2000 may fail with the message No license for user interface if the SmartCenter Server was disconnected from the network and then reconnected while the VPN-1 Pro services on the machine were running. If this occurs, restart the VPN-1 Pro services (run cpstop and then cpstart).

43. On Windows platforms only, in some cases when performing the Restore Version operation (from SmartDashboard, File > Database Revision Control > Restore Version) while SmartView Tracker is open, the restore fails and the database cannot be saved. The solution is to make sure that SmartView Tracker is closed before performing Restore Version operations. If you have already encountered such a problem, run cpstop and then cpstart.

44. When trying to export a configuration either via the wrapper or via the upgrade_export command on NG FP1, the export may fail with the following message: Error: FWDIR environment variable is not set. Please set it and try again. A workaround is to set the %FWDIR% environment variable to the location where VPN-1/Firewall-1 was installed (the default is WINDOWSDIR:\WINNT\FW1\NG).

Platform Specific — Nokia

45. When upgrading using the Import Configuration option in the wrapper, and the machine you have exported the configuration from is a Nokia platform, a situation may occur where Check Point packages that were not installed on the production machine are installed. If this occurs, uninstall the relevant packages.

OPSEC

46. In CPMI, the command line fw unload does not trigger an eCPMI_NOTIFY_UNINSTALL_POLICY notification event.

Miscellaneous

47. Using the cp_merge utility to merge a large number of objects (more than 10,000) from two SmartCenter Servers may not work, because at some point two main audit logs are generated. If you have a large number of objects and wish to perform the merge even though from some point on the audit logs are not generated, do as follows:
1. Define the environment variable FWM_ALLOW_AUDIT_FAILURE from a shell.
2. Use the cp_merge command from the same shell.

OSE

48. The Drop action is not supported for Cisco OSE devices. If the Drop action is used, the policy installation operation fails.

49. 3Com devices are not supported.

Dynamically Assigned IP Address (DAIP) Modules

50. The fw tab command on a SmartCenter Server is not supported.
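The copy step of the Management High Availability procedure in item 38, as an added example that is not Check Point's own tooling and not part of this supplement. It mirrors conf/db_versions/repository and conf/db_versions/database from the active to the standby tree and then compares per-file checksums of both trees, so that a partial copy or a stale revision left on the standby is reported instead of silently diverging the two managements. It assumes both $FWDIR trees are reachable as local paths (for example the active tree staged onto the standby with scp beforehand) and that cksum is available; the sample tree and its file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the supplement): copy db_versions from the active
# management to the standby and verify the result. Assumptions: both $FWDIR
# trees are local paths on the machine running this; cksum is available.

# manifest DBVERSIONS_DIR -> "crc size relative/path" for every file, sorted
manifest() {
    ( cd "$1" && find repository database -type f | LC_ALL=C sort |
      while IFS= read -r f; do cksum "$f"; done )
}

# copy_db_versions ACTIVE_FWDIR STANDBY_FWDIR
# Copies both subtrees, preserving timestamps, then requires the two
# manifests to be identical. A stale file present only on the standby
# makes this fail so the operator can decide what to do with it.
copy_db_versions() {
    src=$1/conf/db_versions
    dst=$2/conf/db_versions
    for sub in repository database; do
        [ -d "$src/$sub" ] || { echo "missing $src/$sub" >&2; return 1; }
        mkdir -p "$dst/$sub" || return 1
        cp -Rp "$src/$sub/." "$dst/$sub/" || return 1
    done
    [ "$(manifest "$src")" = "$(manifest "$dst")" ]
}

# sync_db_versions ACTIVE_FWDIR STANDBY_FWDIR
# The full item 38 sequence, to be run on the standby SmartCenter.
sync_db_versions() {
    cpstop || return 1
    if ! copy_db_versions "$1" "$2"; then
        echo "db_versions differ after copy; inspect before trusting the standby" >&2
        cpstart
        return 1
    fi
    cpstart
}

# Constructed stand-in for an active $FWDIR (file names are placeholders).
make_sample_tree() {
    mkdir -p "$1/conf/db_versions/repository/1" "$1/conf/db_versions/database"
    printf 'objects of version 1\n' > "$1/conf/db_versions/repository/1/objects.C"
    printf 'version index\n'         > "$1/conf/db_versions/database/versions.C"
}
```

The checksum comparison is what makes the copy worth scripting: cp reports only its own failures, whereas the manifest diff also catches a revision that exists on the standby but not on the active server after a failed earlier changeover.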


SmartPortal

51. When executing Management High Availability (between SmartCenter and/or CMA and/or MDS), change over may not succeed when SmartPortal is connected in Read/Write mode. To resolve this issue, you should allow access from SmartPortal to Read-only administrators only; or, use SmartView Monitor to disconnect the Read/Write mode in SmartPortal.

VPN-1 Edge/Embedded

Upgrade

1. After a SmartCenter server has been upgraded or copied via the Advanced Upgrade feature, previously defined VPN-1 Edge devices will not be able to connect to the SmartCenter server, and the Connection Wizard will generate object non-registered messages. To resolve this issue, use SmartUpdate to re-install a specific firmware package.

SmartCenter

2. A VPN-1 Edge gateway will fail to install if a Check Point gateway has an interface named in and the SofaWare Reducer is disabled. To resolve this issue, make sure that the SofaWare Reducer is enabled, or avoid naming Check Point gateway interfaces as in.

3. Make sure that in the Advanced Permanent Tunnel configuration, the life_sign_timeout attribute is larger than the life_sign_transmitter_interval attribute.

4. When making changes to the IP addresses of the DMZ or LAN, make sure that the address ranges of these two interfaces do not temporarily overlap, as unpredictable behavior may occur.

Policy Installation

5. When using the group All VPN-1 Embedded devices defined as Remote Access on the rulebase, the icon that is defined is wrong and can be safely ignored.

6. The following error message may appear when compiling VPN-1 Edge policy from the command line: Incorrectly built binary which accesses errno or h_errno directly. Needs to be fixed. This message can be safely ignored.

VPN Communities

7. In order for SofawareLoader to create topologies suitable for Sofaware 4.5 appliances, do the following:
   1. Using a text editor, open the file SofawareLoader.ini, located in the directory %FWDIR%\FW1_EDGE_BC\conf.
   2. In the [Server] section, add the line TopologyOldFormat=1.
   The change takes effect without running the commands cpstop and cpstart.

Logging

8. VPN-1 Edge/Embedded Gateways support only regular log tracking. Other tracking at a rule that would be installed on such Gateways (profiles) is ignored.

VSX

1. To upgrade VSX 2.0.1 objects (on a Provider-1 system) to VSX NG with Application Intelligence, you must use GuiDBEdit to change the value of the property vsxver to 210 on all the Virtual Devices network objects. To update the version on all Virtual Systems/Routers across all CMAs, this should be done after upgrading the VSX 2.0.1 modules.

2. Make sure the time and date configurations on all modules are synchronized before establishing trust between the VSX modules and the SmartCenter Server.

3. The names of network objects created in SmartDashboard:
   1. Can contain numbers but not begin with them
   2. Can contain the letters from a-z, upper or lower case
   3. Cannot use the hyphen (-) character

4. All the interfaces on the VSX gateway that are configured with an IP address are considered as VSX interfaces when defining the VSX gateway object in SmartCenter Server. To use such interfaces for other Virtual Devices, remove the desired interfaces from the VSX gateway's topology.

5. Deleting the VSX object from SmartDashboard removes the VSX object and its related Virtual Systems from the SmartCenter management only. The Virtual Systems are not deleted from the VSX gateway/cluster.


SecurePlatform

In This Section
Installation, Upgrade and Backward Compatibility page 21
Unicast Routing page 22
Multicast Routing page 23
ClusterXL page 24
General page 26
Installed Products page 28
Unsupported Features page 28
WebUI page 28

Installation, Upgrade and Backward Compatibility

1. In order to upgrade SecurePlatform NG FP2 or NG FP3 using the NG with Application Intelligence CD, update the patch command before beginning the upgrade. In order to update the patch command, proceed as follows:
   1. Log into SecurePlatform.
   2. Place the CD into the CD drive.
   3. Enter the Expert mode.
   4. Type mount /mnt/cdrom.
   5. Type patch add /mnt/cdrom/SecurePlatform/patch/CPpatch_command_update.tgz
   6. Proceed with the patch add cd to upgrade the OS.
   This release note does not apply to upgrades performed via SmartUpdate.

2. To upgrade an NG FP2 SecurePlatform machine, you need to apply a Pre-Install-Patch on the machine before you start the upgrade process. You can download the Pre-Install-Patch package from the download center.

3. On Dell and IBM systems with the BIOS feature Console Redirection, this feature must be disabled to use SecurePlatform with a serial console.

4. When using the command line to upgrade, exiting the installation before it finishes places the system in an unstable state. Be sure to take a Snapshot of the system before beginning the upgrade (or answer Y when asked to create a backup image at the beginning of the upgrade).

5. To repeat an upgrade procedure (e.g., after a failed upgrade), install the updated patch command from the SecurePlatform CD. To install it, proceed as follows:
   1. Log into SecurePlatform.
   2. Place the CD into the CD drive.
   3. Enter the Expert mode.
   4. Type mount /mnt/cdrom.
   5. Type patch add /mnt/cdrom/SecurePlatform/patch/CPpatch_command_update.tgz
   6. Answer y when prompted.
   After this update is complete, the system will allow multiple upgrade operations.

6. When upgrading from SecurePlatform FP2, FP3 and FP4, you must update the "patch" command before proceeding with the upgrade. To apply the patch, insert the SecurePlatform installation CD and run the following commands:
   1. mount /mnt/cdrom
   2. patch add /mnt/cdrom/SecurePlatform/patch/CPpatch_command_update.tgz
   After applying this patch, proceed with the upgrade.

7. The installation process fails with some USB CD-ROM models. Use the floppy to start the installation, or install via the network.

8. During upgrade, the following console messages can be safely ignored:
   • INIT: version 2.78 reloading
   • INIT: version 2.85 reloading

9. During the SecurePlatform upgrade, the following message may appear:
   cpprod_util: error while loading shared libraries: libcpprod50.so: cannot open shared object file: No such file or directory
   This message does not indicate any problem and can be ignored.

10. The SecurePlatform WebUI management interface will only upload an upgrade package if the browser being used is Microsoft Internet Explorer.

11. On some older computers (usually 5-6 years old), the SecurePlatform CDROM will fail to boot due to BIOS limitations. In this case, create a boot floppy and use it to start the installation.

Unicast Routing

12. If working with the Advanced Routing suite, and Multihomed Link Selection is configured with identical routes via multiple redundant interfaces, the following workaround is required:
   • If there are only two identical routes, one of the routes must be split into two routes: The first route covers half of the subnet and the second route the other half of the subnet.

13. Configuring any redistribute options in the RIP environment will remove the default redistribute rip and redistribute direct options. These options can be configured manually, if needed.

14. Despite establishing OSPF adjacency, kernel-sourced routes may not be distributed immediately. In those cases, a 10 minute delay may be experienced.

15. During reboot, a number of Dynamic Routing messages appear on the console. These messages can be safely ignored.

16. When working with VTI unnumbered interfaces, changes to the IP address of the proxy interface do not immediately register with Dynamic Routing. For the changes to take effect, run the commands drouter stop and drouter start.

17. After running the command service network restart, the previous kernel routes persist. For the changes to take effect, run the commands drouter stop and drouter start.

18. When publishing a network from two (or more) sources with the same Distance and Metric, the network will be deleted from the RIB of the operating system. A workaround is to change the metric for one of the peers, or if one peer is reached via a different interface, to change the metric of one of the local interfaces.

19. When changing the VTI netmask to a specific mask length, the Dynamic Routing daemon creates three routes: two connected routes for local and remote IPs, and one additional network kernel route for a defined subnet. After VTI removal, the third network route is preserved in the Dynamic Routing table, but removed from the OS routing table.

Multicast Routing

20. Defining NAT on a host that transmits multicast traffic is not supported.

21. To enable multicast service on a VPN gateway functioning as a rendezvous point, add a rule to the Security Policy of that gateway to allow only the specific multicast service to be accepted unencrypted, and to accept all other services only through the community.

22. A SecurePlatform machine with more than 10 interfaces may encounter difficulty running Multicast Dynamic Routing protocols (as well as OSPF). This issue may be addressed by adjusting the number of multicast groups that can be joined by a single process. The limit is set in the file /proc/sys/net/ipv4/igmp_max_memberships, and the default number is 20.


23. The Dynamic Routing suite does not support multiple adjacencies to the same routing neighbor when one of the cluster IPs participating in the adjacency resides on a different subnet. This means that if you have a configuration in which the cluster interface resides on a network different from the member network on the same interface, this IP cannot be used together with another regular cluster interface for forming multiple adjacencies to the same routing neighbor.

24. Defining Dynamic Routing protocols on the Cluster Sync interface is not supported.

25. 224.0.0.x routes that remain in the routing table after dynamic routing is disabled can be safely ignored.

26. PIM multicast traffic is not supported with virtual tunnel interfaces configured with identical local IP addresses.

ClusterXL

27. Dynamic routing does not support updates in rip multicast from static routes.

28. The Dynamic Routing daemon adds the cluster IP address of VPN tunnel interfaces when full adjacency is established. This may, however, result in a variety of problems, such as losing adjacencies. Generally, VPNT interfaces should not be redistributed to the peers. It may be achieved, however, by using the route-map command. See the following example:
   config terminal
   route-map block-vpnt-distribution permit 5
   match ip address access-list vpnt-network
   exit
   access-list vpnt-network permit
   access-list vpnt-network deny
   access-list vpnt-network deny
   exit
   router ospf 1
   redistribute direct route-map block-vpnt-distribution

29. During policy installation, the following messages may appear on the console:
   [Expert@fault]# gated_xl[1383]: task_set_option: task MRouting socket 17 option GroupAdd(10) interface 56.2.2.1(vt-aaa) group 224.0e
   gated_xl[1383]: task_change_role reinitializing done
   gated_xl[1383]: task_set_option: task MRouting socket 17 option GroupAdd(10) interface 56.2.2.1(vt-aaa) group 224.0.0.2: Address ale
   gated_xl[1383]: task_change_role reinitializing done
   gated_xl[1383]: task_change_role re-initializing
   These messages can be safely ignored.

30. When executing the command clusterXL_admin down on a cluster configuration which includes Dynamic Routing, be sure to wait 10 seconds or so before running the command clusterXL_admin up. Failing to do so may result in a delay of a few seconds before the cluster member returns to normal (active or standby) state, and the following error message:
   Operation failed: member is still down, run 'cphaprob list' for further details.
   This occurs because the command clusterXL_admin down causes the active cluster member running Dynamic Routing to start a sync of the FIB table, and it will not enter the UP state until the sync completes.

31. When using the Advanced Routing Suite with ClusterXL, make sure to perform the following:
   1. In order to keep routes synchronized among cluster members, allow the service FIBMGRD in the Rule Base.
   2. To prevent FIBMGRD connections from exceeding the timeout threshold, add the following lines to the file $FWDIR/lib/user.def on the management station:
      /* Cluster related definitions - cluster fold and others */
      #include "cluster.def"
      deffunc user_accept_non_syn() {
         (src in cluster_members_ips, dst in cluster_members_ips, (sport = 2010) or (dport = 2010))
      };

32. When using VTIs on a ClusterXL gateway with Hitless Restart configured, be sure to set Hitless Restart to restart-type signaled.

33. To ensure RIB synchronization in NGX (R60A), the following steps should be performed:
   1. Define a new TCP service with a destination port of 1024-65535 and a source port of 2010.
   2. In the Advanced Properties tab, uncheck Match for ANY.
   3. Add a rule allowing the above service and the service FIBMGR between all the cluster members.


34. BGP is not supported on interfaces that have a Cluster IP address configured to a different subnet than the physical IP addresses.

35. Dynamic Routing protocols do not support cluster IP addresses defined on a subnet other than that of the physical IP addresses of the interfaces.

General

36. In legacy High Availability mode for ClusterXL, MAC address synchronization is not supported for VLAN tagged interfaces. Use new High Availability mode, or manually configure the MAC addresses of the interfaces using the ifconfig CLI or WebUI.

37. If you use a default subnet configuration, you should define the routing through the device and not the IP address.

38. Network installation from a Windows-based FTP Server is not supported. Use a Linux-based FTP Server instead.

39. The cpconfig command line interface of SecurePlatform versions R55 and earlier displayed the time zone GMT offset according to the POSIX standard, which is the opposite of the commonly accepted standard. For example, for GMT+2, the command line interface shows GMT -2. In this release, the time zone display in the command line uses the commonly accepted notation. Please pay attention to this change when configuring the system time zone from the command line.

40. For optimal usage of memory on machines with more than 512MB of memory, add the following configuration settings to /etc/fw.boot/modules/fwkern.conf and then reboot the machine:
   fw_hmem_use_alternate_malloc=1
   fw_smem_use_alternate_malloc=1
   You should not assign more than 1700MB to the Maximum memory pool size. This value is set in the Capacity Optimization page of the module's object in SmartDashboard.

41. Files larger than 2 GB cannot be copied as is from SecurePlatform using ftp, tftp or SCP tools, due to current file size limitations in those tools. Split the files into smaller chunks using utilities like "dd" before transferring them from SecurePlatform.

42. During the Backup/Restore operation, the Expert password is not backed up.

43. SecurePlatform cannot be installed on a machine that has more than two SCSI hard drives, unless they are in a RAID configuration and can be seen as a single virtual drive.
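One way to carry out the dd-based split that item 41 calls for, and to verify the file after it has been reassembled on the receiving side; this is an added example, not a procedure from the supplement, and it assumes only POSIX dd, cksum and a chunk size given in megabytes.

```shell
#!/bin/sh
# Added example (not from the Check Point supplement): split a file larger than
# the 2 GB limit of the transfer tools into fixed-size chunks with dd, record a
# checksum manifest of the original, and verify the reassembled copy against it.
# Assumed tools: dd, cksum, wc, basename (POSIX). The chunk size is in MB.

# split_for_transfer FILE CHUNK_MB OUTDIR
# Writes OUTDIR/<name>.part000, .part001, ... and OUTDIR/<name>.cksum.
# Prints the number of parts written; returns 1 if dd fails.
split_for_transfer() {
    file=$1; chunk_mb=$2; outdir=$3
    name=$(basename "$file")
    mkdir -p "$outdir" || return 1
    size=$(wc -c < "$file")
    chunk=$((chunk_mb * 1048576))
    parts=$(( (size + chunk - 1) / chunk ))   # ceiling division
    i=0
    while [ "$i" -lt "$parts" ]; do
        part=$(printf '%s/%s.part%03d' "$outdir" "$name" "$i")
        # Copy chunk i: skip i*chunk_mb blocks of 1 MB, then copy chunk_mb blocks.
        # dd stops at end of file, so the last part is simply shorter.
        dd if="$file" of="$part" bs=1048576 skip=$((i * chunk_mb)) \
           count="$chunk_mb" 2>/dev/null || return 1
        i=$((i + 1))
    done
    # cksum on stdin prints "<crc> <bytes>"; both must match after reassembly.
    cksum < "$file" > "$outdir/$name.cksum"
    echo "$parts"
}

# reassemble_transfer NAME INDIR OUTFILE
# Concatenates INDIR/NAME.part* in order into OUTFILE and checks it against
# the manifest. Returns 1 if parts are missing or the checksum does not match.
reassemble_transfer() {
    name=$1; indir=$2; out=$3
    : > "$out"
    for part in "$indir/$name".part*; do
        [ -f "$part" ] || { echo "no parts found for $name" >&2; return 1; }
        cat "$part" >> "$out"
    done
    expected=$(cat "$indir/$name.cksum")
    actual=$(cksum < "$out")
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $out: expected [$expected] got [$actual]" >&2
        return 1
    fi
    return 0
}
```

Three-digit part suffixes keep the shell glob in numeric order, so the reassembly needs no sorting step for up to 1000 chunks.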


44. After updating the time zone of SecurePlatform, make sure to reboot the computer to ensure that the new time zone is applied to all applications.

45. Restoring the system settings via an SSH connection is not supported. Use a console that is locally connected to restore the system settings.

46. When using multiple RADIUS servers, make sure that the servers are exact replicas of each other. When using multiple RADIUS servers that contain different users, the login failure or success depends on the listed order of the servers in the configuration file (i.e., when one RADIUS server denies access, SecurePlatform will deny access, and does not try to authenticate the user against other RADIUS servers).

47. When using the RADIUS group access and user lockout features at the same time, there is no way to see that users that accessed the system via RADIUS groups are locked.

48. When performing snapshot, revert, backup & restore operations, be sure that you have at least 10% free space in the partition /var.

49. Important Notice: This version modifies the way in which SecurePlatform handles the BIOS clock settings. For instance, it is no longer necessary to manually change the BIOS clock when switching to or from daylight savings time. Make sure to set the BIOS clock to UTC (GMT) time.

50. When restoring system configuration from older versions of SecurePlatform, the time zone configuration is not restored properly. Make sure to configure the time zone manually after restore.

51. When using SNMP, enable the service prior to adding new users. The command snmp users show does not function as expected if the service is not enabled first.

52. Under a high load, Advanced Routing messages are sometimes printed to the SecurePlatform console.

53. SecurePlatform NGX (R60) can be configured to send system (syslog) messages to remote syslog servers. Note that system logs can include sensitive information like IP addresses of the system, etc. Make sure that when you make use of this facility you are transferring logs only over encrypted or secured channels (e.g. trusted networks or VPNs).

54. Restart PPPoE and PPTP network connections if the initial connection to the modem fails. When restarting the connection from the command line, you may need to re-enter PPP credentials.

55. Deploying a DHCP server on a SecurePlatform machine running a VPN-1 enforcement module is not supported. As a workaround, deploy the DHCP server on a SecurePlatform machine not running an enforcement module.


56. In legacy High Availability mode for ClusterXL, MAC address synchronization is not supported for VLAN tagged interfaces. You should use new High Availability mode, or else you should manually configure the MAC addresses of the interfaces using the ifconfig CLI or WebUI.

Installed Products

57. The following Check Point products are not supported on a Dynamic Address IP (DAIP) Gateway:
   • SmartCenter Server
   • ClusterXL
   • Log Server
   • Policy Server
   • SmartView Monitor

Unsupported Features

58. If you make a Snapshot of a system upgraded to NGX (R60A) and then revert to R55 or R55W, you cannot use that Snapshot to revert once again to version NGX (R60A). The revert process is limited in that it cannot revert to a newer OS version from an older OS version. Consider upgrading again instead of reverting to the newer OS Snapshot.

59. NGX builds prior to take 160 do not support upgrade via SmartUpdate for SecurePlatform.

WebUI

60. If an error occurs when changing interface settings, the WebUI does not display the error.


SmartLSM

Installation, Upgrade and Configuration

1. When upgrading or installing packages on a Nokia VPN-1 Pro/Express ROBO Gateway via SmartLSM, even though the SmartUpdate Package Repository contains a newer IPSO image version, the IPSO image on the ROBO Gateway may not be updated.

2. A Dynamically assigned IP (DAIP) VPN-1 Pro/Express gateway cannot be a CO Gateway. Thus the command LSMenabler on should not be run on it.

3. On a SmartCenter server running on Linux, Solaris, or SecurePlatform, defining an entry similar to the following in the /etc/hosts file should be avoided:
   127.0.0.1 mymachine localhost.localdomain localhost
   Such an entry may cause the VPN routing tables and security policy of a ROBO Gateway to not be updated after pushing policy, even though the SmartLSM GUI reports a successful policy installation. In such a situation, it is possible to fetch policy from the ROBO Gateway using the command fw fetch .

4. When a gateway managed via SmartDashboard is converted to a ROBO gateway managed via SmartLSM, or the opposite conversion takes place, a security policy needs to be installed on the gateway immediately after completing the conversion.

General

5. To support High Availability of SmartCenter servers, define both SmartCenter servers from SmartDashboard > Profile Object > Masters tab.

Status Monitoring

6. The SmartLSM GUI reports the status of ROBO Gateways as Waiting in the following SmartCenter High Availability scenario:
   • One or more ROBO Gateways are managed in SmartLSM on a Primary SmartCenter server
   • The Secondary SmartCenter server is synchronized for the first time.
   • Management HA Switchover is performed: The Primary SmartCenter server is changed to standby, and the Secondary SmartCenter server is changed to active.
   To resolve this issue, restart the status_proxy on the Secondary SmartCenter server.
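A check for the /etc/hosts entry that item 3 of the SmartLSM section says to avoid (the management server's own hostname listed as an alias of 127.0.0.1), as an added example not taken from the supplement; the function name and the sample hosts files are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Check Point supplement): scan a hosts file for
# loopback lines that name the management server itself, the configuration the
# SmartLSM note warns can leave ROBO Gateway policy and VPN routes stale.
# Assumed inputs: a hosts file path and the hostname to look for.

# check_hosts_loopback HOSTSFILE HOSTNAME
# Prints every loopback line that names HOSTNAME (exact or by short name).
# Returns 1 if such a line exists, 0 if the file is clean.
check_hosts_loopback() {
    hostsfile=$1; host=$2
    found=0
    # The here-document keeps the loop in the current shell so "found" survives;
    # a pipeline into "while read" would run it in a subshell. Comments are
    # stripped first so "#127.0.0.1 ..." lines are not counted.
    while read -r addr names; do
        case $addr in
            127.*|::1) ;;          # loopback address: inspect the aliases
            *) continue ;;         # any other address is fine for our purposes
        esac
        for n in $names; do
            # Match the full name, or the short name when only one side is qualified.
            if [ "$n" = "$host" ] || [ "${n%%.*}" = "${host%%.*}" ]; then
                echo "loopback entry names this host: $addr $names"
                found=1
                break
            fi
        done
    done <<EOF
$(sed 's/#.*//' "$hostsfile")
EOF
    return $found
}
```

The short-name comparison is deliberate: the discouraged entry on the page lists the bare name "mymachine", while the server may know itself by a fully qualified name.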


Licensing

9. If a local license is detached from the license repository and then reattached without first closing SmartUpdate, the license appears in the repository as unattached. In such a scenario, either attach the license manually, or close and restart SmartUpdate before reattaching the license.

Miscellaneous

10. When running Fetch CPInfo on a non-Windows Management server, while trying to fetch CPInfo for the Management itself, in certain cases the command may halt unexpectedly. In this case, rerun the command, or run CPInfo locally.

11. When upgrading to any NGX version from any pre-NGX version (e.g., R55), the SmartUpdate Package Repository is not upgraded. After the upgrade, the SmartUpdate Package Repository will therefore be empty.

Platform Specific - Nokia

12. Upgrade All and separate transfer and install is not supported on flash-based Nokia. To resolve this issue you should explicitly install Nokia IPSO and thereafter you should install the Check Point products, one by one. Alternatively, use Nokia Voyager to install the wrapper and manage the installation packages.

SmartView Monitor

General

1. After installing NGX R61, Last hour history tables in the System Counters view may be empty. To resolve this issue, run the commands cpstop and cpstart.

2. Gateway Overall Status may report inaccurate statuses for up to one minute. This issue can be resolved by clicking Refresh.

Tunnel Monitoring

3. When drilling down to tunnel traffic on cluster gateways, tunnel traffic is displayed on only one of the cluster members.

4. If a gateway to a regular tunnel is up and the peer gateway is down, Tunnel Monitor may display two entries, one reporting that the gateway is up and the other that the gateway is disconnected. The status of the regular tunnel displays correctly after (at the longest) one hour. Check Point recommends using permanent tunnels for real-time tunnel status.


Traffic Monitoring

5. The SmartView Monitor traffic component does not support Nokia Flows.

6. In Traffic view, the default unit is now presented in kilobits.

User Monitoring

7. The feature Reset tunnel is not supported on SSL Network Extender client tunnels.

SAM

8. A Suspicious Activity Monitor (SAM) rule will fail for a remote Gateway if the SmartCenter Server is also a VPN-1 Pro module and no policy has been installed on it since adding the remote Gateway.

9. When using the Block Suspicious Activity feature of SmartView Monitor, certain operations may fail and produce the following message: Action has failed on module:. The operations affected by this issue are:
   • Block a certain service from a specific source (or source subnet) to any destination
   • Block a connection from a specific source (or source subnet) to a specific destination (or destination subnet) for any service
   A workaround is to block only the source (or source subnet), without specifying the destination or service.

Platform Specific — Solaris

10. The total virtual memory counter is not supported for gateways on the Solaris platform.

Platform Specific — Windows

11. The total virtual memory counter is not supported on gateways on the Windows platform if the virtual memory is larger than four Gigabytes.


Eventia Reporter

Installation, Upgrade and Backward Compatibility

1. Eventia Reporter can be upgraded to NGX R61 from version NG R56 only. If you are upgrading from a version prior to R56, uninstall the Reporter and continue with the upgrade.

2. The MySQL server on the Eventia Reporter conflicts with a MySQL server installation on the same computer. Install the Eventia Reporter server on a computer that does not contain a MySQL server installation.

3. Eventia Reporter will not continue consolidation sessions if the log files were manually upgraded on the log server.

4. After upgrading from R56 to NGX (NGX R61), a scheduled report that is selected for a specific module may fail to run. If this occurs, resave the report.

General

5. Account logs that are originated by a gateway cluster are counted twice. Thus, reports of these logs will display inaccurate data.

6. Logs produced by VPN-1 Pro modules that also have QoS installed show twice the number of actual HTTP connections. As a result, reports generated on such modules will display an incorrect number of connections.

7. In High Availability mode, after switching the status of a SmartCenter server from active to inactive, reports that were generated on the now inactive SmartCenter server are unavailable from the Eventia Reporter GUI client. However, the reports are still available in the Eventia Reporter server's Results directory.

8. If SmartDashboard is connected to an inactive management, Eventia Reporter cannot be launched from the Window menu of SmartDashboard. Instead, launch Eventia Reporter via the Windows Start Menu.

9. When running Eventia Reporter on SecurePlatform, set the number of DNS threads to no more than 150. Setting this value higher may impede the closing of consolidation sessions.

10. If Eventia Reporter is running with multiple consolidation sessions, after running cpstop, ensure that all log_consolidator processes have terminated before running cpstart.


Configuration

11. Eventia Reporter report definitions and other configuration data are not synchronized by the MDS in High Availability Provider-1/SiteManager-1 configurations. To ensure that Eventia Reporter's information is accurate, perform the following:
   • Install the Eventia Reporter Add-on on a single MDS.
   • When starting the Eventia Reporter client, make sure to open it only on this MDS.

12. FTP or HTTP distribution of reports does not work with proxy settings. If a machine has proxy settings, use alternate distribution methods such as e-mail distribution, or copy files from the Report's Results directory instead.

13. When an Eventia Reporter Server's IP address has static NAT, a machine running the Eventia Reporter SmartConsole must be able to route connections to the Eventia Reporter server's real IP address. This can be achieved by running the Eventia Reporter SmartConsole on a machine in the Server's local network, or sometimes, by adding the appropriate route entries in the Eventia Reporter SmartConsole's routing table.

14. Only one Eventia Reporter Server can work with the same SmartCenter or MDS.

15. A distributed installation of Eventia Reporter Server is not supported on a machine which contains a VPN-1 Pro enforcement module, SecureClient, SmartCenter High Availability server or Provider-1/SiteManager-1 MDS.


ClusterXL

In This Section
Upgrade, Backout, and Backward Compatibility page 35
General page 35
Configuration page 36
VPN-1 Clusters page 37
High Availability page 38
Load Sharing page 38
Authentication page 40
State Synchronization page 40
SmartConsole page 40
Security Servers page 41
Platform Specific — Nokia page 41
Platform Specific — Solaris page 42
Platform Specific — Windows page 43
Services page 43
ISP Redundancy page 43
Policy Installation page 43
Unsupported Features page 44
ConnectControl page 45

Upgrade, Backout, and Backward Compatibility

1. Full Connectivity Upgrade (FCU) to NGX R61 from versions prior to NGX (R60) is not supported. A workaround is to perform the Zero Downtime upgrade, which may result in some connections being disconnected.

General

2. State synchronization during policy installation may in certain cases cause a cluster member to initiate a failover. To prevent this situation, modify the enforcement module global parameter fwha_freeze_state_machine_timeout. This parameter sets the number of seconds during policy installation in which no state synchronization will be performed. Set this parameter to the shortest period which eliminates the issue; the recommended value is 30 seconds.

3. Performing an SNMP query on both the cluster's IP address as well as on the members' IP addresses concurrently is not supported. The SNMP query can only be run on one or the other at a time. Alternatively, you can wait for the UDP virtual session timeout between the SNMP queries on the different IP addresses. This timeout has a 40 second default, and can be defined in Global Properties > Stateful Inspection.

Configuration

4. In the Rule Base, when adding a cluster object to the source or destination column in a rule, this rule will only apply to the cluster addresses. If the rule needs to be applied to the cluster member addresses, add their objects to the rule as well.

5. The following error messages may appear on the console when enabling or disabling ClusterXL or state synchronization using the command cpconfig.
   FW-1: fwkdebug_register: module cluster already registered
   FW-1: fwha_kdebug_register: fwkdebug_register failed
   These messages may be safely ignored.

6. To use manual client authentication through HTTP in a cluster environment, set the database property hclient_enable_new_interface to true. This forces the HTTP client authentication daemon to ask for both the user name and password in the same HTML page. When the IP addresses of the cluster members are not routable, the URLs returned in the HTML from the replying cluster member contain the non-routable IP address of the member instead of the IP address of the cluster. This would fail subsequent operations. The workaround in this case is to configure the cluster to use a domain name, using the ahttpclientd_redirected_url global property. Make sure that your DNS servers resolve this domain name to the cluster's IP address.

7. Use the commands cpstop and cpstart instead of cprestart on cluster configurations. The command cprestart is not supported on cluster members.

8. A cluster IP interface or a synchronization network interface cannot be defined as a non-monitored (i.e., disconnected) interface.

9. Performance Pack is not supported when using ClusterXL Load Sharing with Sticky Decision Function (SDF). When SDF is enabled, acceleration is automatically turned off. To re-enable acceleration, first make sure acceleration is enabled by running the cpconfig configuration tool. Then disable SDF (in SmartDashboard, edit the Gateway Cluster object, select the ClusterXL page, and click Advanced), and install the new Security Policy twice.

10. When defining VLAN tags on an interface, cluster IP addresses can be defined only on the VLAN interfaces (the tagged interfaces). Defining a cluster IP address on a physical interface that has VLANs is not supported. The physical interface should be defined with the Network Objective Monitored Private on ClusterXL clusters and as Private on third-party clusters.


11. When changing an interface whose current Network Objective is Sync to Non-Monitored Private, setting another interface's Network Objective to Sync and installing policy, the status of the cluster members changes to Active Attention and Down. To avoid this, make the change in two phases:
1. Set the interface whose Network Objective is Sync to Monitored Private (instead of Non-Monitored), set the other interface's Network Objective to Sync, and install policy.
2. Reconfigure the Monitored Private interface to Non-Monitored and install policy again.

12. When defining a Sync interface on a VLAN interface, it can be defined only on the lowest VLAN tag of a physical interface.

13. Defining the lowest VLAN tag on a physical interface as disconnected (Non-Monitored Private) is not supported.

14. Defining a Sync interface on a VLAN interface is not supported on Nokia clusters or on other third-party clusters.

VPN-1 Clusters

15. When defining Office Mode IP pools, make sure each cluster member has a distinct pool.

16. Before adding an existing gateway to a cluster, remove it from all VPN communities in which it participates.

17. When detaching a cluster member from a VPN cluster, manually remove the VPN domain once the member has been detached.

18. Peer or SecuRemote gateways may show error messages when working against an overloaded gateway cluster in Load Sharing mode. These are caused by IPsec packets carrying an old replay counter and can be safely ignored.

19. Using the Sticky Decision Function with VPN features guarantees connection stickiness only for connections that pass through the cluster, not for connections originating from or terminating at a cluster member.

20. When a Check Point VPN-1 NGX peer is connected directly to a Check Point cluster (that is, the peer and the cluster are on the same VLAN with no Layer 3 (IP) routing device between them), the following features are not supported:
• ISP Redundancy
• VPN link selection - Reply from same interface
This can be resolved either by placing a router between the VPN peer and the cluster, or by disabling these features. (Neither feature is enabled by default.)


• To disable ISP Redundancy, in SmartDashboard edit the gateway object > Topology > ISP Redundancy, and clear the Support ISP Redundancy check box.
• To disable VPN link selection - Reply from the same interface, in SmartDashboard edit the gateway object > VPN > Link Selection > Outgoing Route Selection, and do the following:
A. Under When initiating a tunnel, enable Operating system routing table.
B. Under When responding to remotely initiated tunnel, select Setup and enable Use outgoing traffic configuration.

21. When configuring a VTI cluster interface, give it the same name as the member interface.

High Availability

22. In ClusterXL legacy High Availability mode, MAC address synchronization is not supported for VLAN tagged interfaces. Use the new High Availability mode, or configure the interface MAC addresses manually using the ifconfig CLI or the WebUI.

23. Issuing a Stop Member command in SmartView Monitor runs cphastop on that member. Among other things, this disables the State Synchronization mechanism. Connections opened while the member is stopped will not survive a failover, even if the member is restarted with cphastart. Connections opened after the member is restarted are synchronized as normal.

Load Sharing

24. Under load, "TCP packet out of state" error messages may appear. Each case has its own resolution. Refer to the "Firewall and SmartDefense" guide for a full explanation and for the security implications of each setting. Note that a value changed with fw ctl set int does not survive a reboot; to make it persistent, add the parameter to $FWDIR/boot/modules/fwkern.conf.
• message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-ACK
  message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-PUSH-ACK
  In SmartDashboard > Global Properties > Stateful Inspection, increase the TCP end timeout. The recommended value is 60 seconds. If there are many connections, consider increasing the connections table size by the same ratio as the TCP end timeout.
• message_info: SYN packet for established connection
  Run the command fw ctl set int fw_trust_rst_on_port <port number>. When a single port is not enough, set the port number to -1, meaning that a reset from every port is trusted. Because -1 relaxes the check for all connections, prefer a specific port where possible.


• For other out-of-state messages:
  Run the command fw ctl set int fwconn_merge_all_syncs 1. This allows a more reliable way of merging TCP states across asymmetric connections.

25. When using SecurID for authentication, it is recommended to define each cluster member separately on the ACE/Server with its own unique (internal) IP address. In addition, so that packets are sent to the ACE/Server with the members' unique IP addresses and not the VIP address, edit the file table.def located in $FWDIR/lib. Change the line starting with no_hide_services_ports to, for example, no_hide_services_ports = { <5500, 17> }, where 5500 is the service port and 17 (UDP) is the protocol.

26. For the first few seconds of an asymmetric connection, server-to-client packets are not accelerated. An asymmetric connection, such as an FTP data connection through an accelerated ClusterXL cluster, is one where the server-to-client side is handled by a different member than the client-to-server side. Asymmetric connections are opened only when using VPN or static NAT. This is a temporary performance degradation that affects only a small percentage of traffic.

27. When installing a new policy that uses the Sticky Decision Function (SmartDashboard > Cluster Object > ClusterXL page > Advanced) where the old policy used the regular decision function, some existing connections may be lost, especially connections to or from the cluster members. New connections are unaffected.

28. After a failover, non-pivot members of a ClusterXL cluster in Unicast mode may report incorrect load distribution information. For the correct load distribution, review the information reported by the pivot member.

29. When using ClusterXL in Load Sharing mode with the Sticky Decision Function enabled, the failure of a module within 40 seconds of an IKE negotiation may cause a connectivity failure with that peer for up to 40 seconds.
• When the failure involves a PIX gateway, communications may be interrupted for up to 40 seconds.
• When the failure involves an L2TP client, communications may be disconnected, as keepalive packets are blocked during this period.

30. traceroute may fail if it passes through a Load Sharing cluster. To resolve this, on the Cluster object select ClusterXL > Advanced, and in the Advanced Load Sharing Configuration window either:
• select Use Sticky Decision Function, or
• change the selection for Use sharing method based on: to IPs.
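Item 24 above gives a different remedy for each "TCP packet out of state" reason, and on a busy Load Sharing cluster the messages arrive faster than anyone reads them, so it pays to count them by reason and TCP flags before changing any timeout. The script below is an added example, not Check Point's code: it classifies out-of-state lines with awk and prints the remedy item 24 gives for each class. The log lines embedded in it are constructed for the example, and the timestamp/host prefix in front of message_info is an assumption; only the message_info text itself is taken from item 24.

```shell
#!/bin/sh
# Added example: triage "TCP packet out of state" messages by reason and flags.
# Not Check Point code. The message_info strings are the ones quoted in item 24;
# the timestamp/host prefix of the constructed sample lines is an assumption.

# Constructed sample log (3 x FIN-ACK, 2 x FIN-PUSH-ACK, 1 x SYN-for-established).
sample_log() {
    cat <<'EOF'
Feb  7 10:01:02 gw1 kernel: message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-ACK src: 10.1.1.5 dst: 192.0.2.10
Feb  7 10:01:02 gw1 kernel: message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-PUSH-ACK src: 10.1.1.6 dst: 192.0.2.10
Feb  7 10:01:03 gw1 kernel: message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-ACK src: 10.1.1.7 dst: 192.0.2.11
Feb  7 10:01:03 gw1 kernel: message_info: SYN packet for established connection src: 10.1.1.8 dst: 192.0.2.12
Feb  7 10:01:04 gw1 kernel: message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-PUSH-ACK src: 10.1.1.9 dst: 192.0.2.10
Feb  7 10:01:05 gw1 kernel: message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-ACK src: 10.1.1.5 dst: 192.0.2.10
Feb  7 10:01:05 gw1 kernel: CPU usage 12%
EOF
}

# Read log lines on stdin; print "<count> <class>" per class, highest count first.
# Classes: not_syn/<tcp_flags>, syn_established, other (any other out-of-state reason).
oos_summary() {
    awk '
    /TCP packet out of state - first packet isn.t SYN/ {
        flags = "unknown"
        if (match($0, /tcp_flags: [A-Z-]+/)) flags = substr($0, RSTART + 11, RLENGTH - 11)
        count["not_syn/" flags]++; next
    }
    /SYN packet for established connection/ { count["syn_established"]++; next }
    /out of state/                          { count["other"]++ }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Remedy from item 24 for a class printed by oos_summary.
oos_remedy() {
    case "$1" in
        not_syn/FIN-ACK|not_syn/FIN-PUSH-ACK)
            echo "Global Properties > Stateful Inspection: raise TCP end timeout (60s recommended); scale the connections table by the same ratio" ;;
        syn_established)
            # -1 trusts a RST from any source port; prefer the specific port where possible.
            echo "fw ctl set int fw_trust_rst_on_port <port> (use -1 only if one port is not enough)" ;;
        *)
            echo "fw ctl set int fwconn_merge_all_syncs 1" ;;
    esac
}

# Stand-alone run: summarise the constructed sample and print the remedy per class.
# On a gateway, feed the real messages file into oos_summary instead of sample_log.
sample_log | oos_summary | while read -r n class; do
    printf '%5d  %-25s %s\n' "$n" "$class" "$(oos_remedy "$class")"
done
```

The summary, not the remedy, is the useful part: if the FIN-ACK class dominates, the TCP end timeout is the lever; a large syn_established count after a failover points at asymmetric paths rather than at a timeout, and raising timeouts there only makes the connections table bigger.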


Authentication

31. When performing manual client authentication (port 900) to a cluster whose member IP addresses are not routable, the URLs returned in the HTML from the replying cluster member contain the non-routable IP address of the member instead of the cluster IP address, and subsequent operations fail. The workaround is to configure the cluster to use a domain name instead of an IP address in the client authentication HTML pages, using the ahttpclientd_redirected_url global property. Make sure your DNS servers resolve this domain name to the IP address of the cluster.

32. Issues may arise when using automatic or partially automatic client authentication for HTTP on Load Sharing clusters (both ClusterXL and OPSEC clusters). A workaround is to define a decision function based only on IP addresses so that connections can open. For ClusterXL, go to the ClusterXL tab > Load Sharing > Advanced and select IPs only. For OPSEC clusters, refer to the product documentation.

State Synchronization

33. A cluster member stays in the Down state if it is detached and then reattached to the cluster, because it does not automatically perform a full sync upon reattachment. To force a full sync, run the following commands on the module: fw ctl setsync off, then fw ctl setsync start.

34. Upon completion of full synchronization (Full sync), the error message "State synchronization is in risk" is displayed on the cluster member being synchronized. If this message appears only once, immediately following Full sync, it can be safely ignored. If it appears erratically, consult the ClusterXL user guide, section "Blocking New Connections Under Load".

SmartConsole

35. When working with a third-party Cluster Object with QoS, if you move from the Topology tab to a different tab, the following message appears: "No interface was activated in QoS tab for this host (Inbound or Outbound). Do you want to continue?" Select Yes and continue; this message can be safely ignored.

36. SmartUpdate shows cluster members as distinct gateways without the common cluster entity. When the cluster members are not all of the same version, applying Get Check Point Gateway Data to a cluster member sets that member's version on the Cluster object. To set the cluster version correctly, apply Get Check Point Gateway Data to the cluster member with the latest version.


37. If two or more interfaces on the same cluster member share the same IP address and netmask (as can occur when defining bridge interfaces), only one interface is displayed in the Topology tab in SmartDashboard. To manage interfaces with the same IP address and netmask, use the GuiDBedit tool.

38. When using ClusterXL in High Availability Legacy mode, the Network Objective is set automatically to Cluster if all of the members' interfaces on that network have the same IP address and netmask. Changing the Network Objective to a different setting is, in this case, overridden by the system, which changes it back to Cluster after you click OK.

39. When deleting a network via the Topology page (Cluster Object > Properties > Topology > Edit Topology), selecting the Name or IP address of one of the interfaces and then clicking Remove results in the error "Please select an interface". To remove a whole network, remove all of its interfaces (members and cluster) and click OK.

Security Servers

40. Security Servers are not supported with the Sequence Verifier in Load Sharing cluster environments.

Platform Specific — Nokia

41. Either Nokia VRRP or Nokia IP Clustering must be used when creating a cluster based on the IPSO platform. Using other OPSEC Certified third-party clustering products (such as OPSEC Certified external load balancers) to create a cluster on IPSO has limited support. Contact Check Point Support for configuration instructions and a list of associated limitations.

42. After configuring a gateway cluster on a Nokia platform via Simple mode (the wizard), be sure to complete the cluster interface definition on the Topology page of the cluster object.

43. The feature Connectivity enhancements for multiple interfaces is not supported on Nokia IP Clustering in Forwarding mode.

44. NAT rules should not be applied to VRRP traffic. To prevent NAT rules from being applied to VRRP traffic, define the following manual NAT rule and give it higher priority than other NAT rules that relate to cluster VIPs or to their networks:

Original Packet:    Source = Physical IP of VRRP members; Destination = VRRP IP: 224.0.0.18; Service = Any
Translated Packet:  Source = Original; Destination = Original; Service = Original
Install On:         relevant cluster

Because every Translated column is Original, this is a "no NAT" rule: matched first, it stops the automatic hide NAT of member addresses (see item 57) from rewriting the source of the VRRP advertisements the members send to the 224.0.0.18 multicast group.


45. When configuring a Nokia IP Cluster, do not set the primary or secondary interfaces to Network Objective Private. Check Point recommends setting a Nokia IP Cluster's primary interface to Network Objective Cluster, and its secondary interface to Network Objective Cluster or Sync.

Platform Specific — Solaris

46. When configuring virtual interfaces on Solaris GigaSwift interfaces, ClusterXL may not recognize the virtual interfaces if no corresponding physical interface is defined. An unrecognized virtual interface is not monitored and therefore never triggers failover. To make ClusterXL work properly on such virtual interfaces, define the corresponding physical interface. For example, when a ce device with instance 0 is defined on the system, the file /etc/hostname.ce0 must exist and must contain some arbitrary IP address that will be assigned to the physical interface.

47. ClusterXL does not support defining VLANs on Solaris bge interfaces.

48. When configuring VLAN tags, set an IP address on the VLAN physical interface. If the physical (untagged) interface is not otherwise used, the IP address can be any IP address. For example: if the physical interface is ce1 and the VLAN interfaces are ce1001 and ce2001, then ce1 must also have an IP address.

49. ClusterXL in Unicast mode (Pivot) is not supported on Solaris when using VLAN tagging.

50. When using a Fujitsu GigEthernet NIC (fjgi and fjge interfaces) with Check Point Load Sharing (CPLS) multicast, packets are received only when the interface is set to promiscuous mode.

51. The local.arp file is not supported on ClusterXL gateways running Solaris. To use manual NAT on Solaris, use the following workaround. On the command line, run:
arp -s <IP address to be NATed> <corresponding MAC address> pub
For this setting to survive a reboot, add a file under /etc/rc3.d/ (the name does not matter) containing one such line per IP address to be NATed and its corresponding MAC address:
arp -s <IP address to be NATed> <corresponding MAC address> pub
arp -s <IP address to be NATed> <corresponding MAC address> pub
etc.
Save the file and make it executable with chmod 755 (not 777: the file is run by root at boot, so a world-writable script would let any local user alter the published addresses or add commands that run as root).

Platform Specific — Windows

52. On Windows platforms, when switching from High Availability Legacy to High Availability New mode or Load Sharing, the CCP transport mode is set to broadcast instead of multicast. A workaround is to toggle the CCP mode with the following command on each cluster member: cphaconf set_ccp multicast.

53. Disabling a network connection (interface) is not supported on ClusterXL gateways on Windows platforms. A workaround is:
1. Disconnect the network cable.
2. Wait 15 seconds, then set the network connection to disabled.
3. Reconnect the network cable after another 15 seconds.
To enable the interface again:
1. Disconnect the network cable.
2. Wait 15 seconds, then set the network connection to enabled.
3. Reconnect the network cable after another 15 seconds.

Services

54. When using T.120 connections, make sure you manually add a rule that allows T.120 connections.

ISP Redundancy

55. In a ClusterXL ISP Redundancy configuration, the names of the external interfaces of all cluster members must be identical and must correspond to the names of the external interfaces of the cluster object. For example, if the cluster object has two external interfaces called eth0 and eth1, connected to ISP-1 and ISP-2 respectively, each cluster member must have two external interfaces called eth0 and eth1, connected to ISP-1 and ISP-2 respectively.

Policy Installation

56. When installing policy on a cluster with a Layer 2 bridge defined, the installation may fail with the error "Load on Module failed". To resolve this:
1. Set the environment variable FW_MANAGE_BRIDGE to 1 on the SmartCenter server, by adding it to both $CPDIR/tmp/.CPprofile.csh (setenv FW_MANAGE_BRIDGE 1) and $CPDIR/tmp/.CPprofile.sh (FW_MANAGE_BRIDGE=1; export FW_MANAGE_BRIDGE), so that it is set whichever shell sources the profile.


2. Install policy.

Unsupported Features

57. Cluster deployments automatically hide the IP addresses of the cluster members behind the cluster's virtual IP address. If you manually add NAT rules that contradict this configuration, the manually added NAT rules take precedence. For details, see the "ClusterXL Advanced Configuration" chapter of the ClusterXL Guide.

58. TCP connections inspected by Web Intelligence or by VoIP Application Intelligence features do not survive failover. On failover, these connections are reset.

59. The compatibility matrix for third-party clustering solutions (other than Nokia) is at http://www.opsec.com/solutions/perf_ha_load_balancing.html. If a third-party solution is not explicitly listed as supported for this release, assume it is not supported. For Nokia clustering (VRRP or IP Clustering), see the Check Point Software and Hardware Compatibility section of the ClusterXL guide for the IPSO release supported with this VPN-1 release.

60. Mounting an NFS drive on a cluster member is not supported, because hide NAT changes the source IP address of the cluster member and the server cannot resolve the resulting mismatch.

61. The following Web Intelligence features require connections to be sticky:
• Header spoofing
• Directory listing
• Error concealment
• ASCII only response
• Send error page
A sticky connection is one where all of its packets, in either direction, are handled by a single cluster member. If you enable any of the features listed above, make sure that your clustering solution supports sticky connections. Sticky connections can be guaranteed for Web connections in the following configurations:
• ClusterXL High Availability
• ClusterXL Load Sharing with the Sticky Decision Function enabled
• ClusterXL Load Sharing with no VPN peers, no static NAT* rules and no SIP
• Nokia VRRP Cluster
• Nokia IP Clustering configuration with no VPN peers, static NAT* rules or SIP


• For other OPSEC certified clustering products, refer to the OPSEC-certified product's documentation.
* including ConnectControl Logical Servers

62. The following VoIP Application Intelligence (AI) features require connections to be sticky:
• H.323
• SIP
• Skinny
A sticky connection is one where all of its packets, in either direction, are handled by a single cluster member. If you enable any of the features listed above, make sure that your clustering solution supports sticky connections. Sticky connections can be guaranteed for VoIP connections in the following configurations:
• ClusterXL High Availability
• ClusterXL Load Sharing with no VPN peers or static NAT* rules
• Nokia VRRP Cluster
• Nokia IP Clustering configuration with no VPN peers or static NAT* rules
• For other OPSEC certified clustering products, refer to the OPSEC-certified product's documentation.
* including ConnectControl Logical Servers

63. Sticky connections cannot be guaranteed on ClusterXL Load Sharing Unicast mode with hide NAT.

64. To support SSL Network Extender in a ClusterXL Load Sharing configuration, enable the Sticky Decision Function.

ConnectControl

65. The Server Load balance method is not supported.

66. The Domain balance method is not supported for Logical Servers.

67. If a Logical Server is configured with an IP address that belongs to the external network of the gateway, no automatic proxy ARP is configured on the gateway for the Logical Server's IP address, so external hosts cannot reach the Logical Server. To resolve this, configure proxy ARP manually in the file $FWDIR/conf/local.arp. See "Automatic Proxy ARP" in the ClusterXL User Guide for local.arp configuration instructions. (local.arp is not supported on ClusterXL gateways running Solaris; see item 51 for the arp -s pub workaround there.)

68. Logical Servers are not supported in conjunction with Security Servers.
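Items 51 and 67 both come down to publishing proxy-ARP entries by hand, and item 51 asks for a boot-time script made of arp -s ... pub lines. The script below is an added example, not Check Point's code, of doing that without the sharp edges: the addresses live in a separate map file, every entry is checked before it reaches arp, a malformed map stops the run instead of publishing garbage, and the script is installed with mode 0755 owned by root rather than chmod 777. The map file path, its one-pair-per-line format and the sample addresses in it are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Check Point code): boot-time proxy-ARP publication for the
# item 51 workaround. Install as /etc/rc3.d/S99proxyarp, owner root, mode 0755.
# The map file path and format ("<ipv4> <mac>" per line, # comments) are assumptions.
PROXY_ARP_MAP=${PROXY_ARP_MAP:-/etc/opt/proxyarp.map}

# Dotted-quad IPv4 with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' >/dev/null || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Colon-separated MAC; Solaris prints octets without zero padding (0:3:ba:...).
valid_mac() {
    printf '%s\n' "$1" | grep -E '^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$' >/dev/null
}

# Print one "arp -s <ip> <mac> pub" line per valid map entry. A malformed entry
# is reported on stderr and makes the function fail, so a typo cannot publish
# a bogus address (or smuggle extra words onto a root command line) at boot.
proxy_arp_commands() {
    status=0
    while read -r ip mac extra; do
        case "$ip" in ''|'#'*) continue ;; esac
        if valid_ipv4 "$ip" && valid_mac "$mac" && [ -z "$extra" ]; then
            printf 'arp -s %s %s pub\n' "$ip" "$mac"
        else
            printf 'proxyarp: rejected map line: %s %s %s\n' "$ip" "$mac" "$extra" >&2
            status=1
        fi
    done < "$1"
    return $status
}

# Validate the whole map first; only then run the arp commands (needs root).
proxy_arp_apply() {
    cmds=$(proxy_arp_commands "$1") || return 1
    printf '%s\n' "$cmds" | while read -r cmd; do
        [ -n "$cmd" ] && $cmd
    done
}

# Constructed sample map for a stand-alone dry run.
write_sample_map() {
    cat > "$1" <<'EOF'
# NATed address          gateway interface MAC (sample values)
192.0.2.10 0:3:ba:2a:7c:9e
192.0.2.11 00:03:ba:2a:7c:9f
EOF
}

if [ "${PROXY_ARP_MAIN:-0}" = 1 ]; then
    proxy_arp_apply "$PROXY_ARP_MAP"
else
    sample=$(mktemp) && write_sample_map "$sample" && proxy_arp_commands "$sample"
    rm -f "$sample"
fi
```

Run without arguments it only prints the arp commands it would issue for the built-in sample; as the rc script, PROXY_ARP_MAIN=1 makes it validate and apply the real map. Keeping the addresses in a data file means the executable itself never needs to be edited on the gateway, which is the property chmod 777 was trading away.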


69. When configuring Server Availability for ConnectControl (SmartDashboard > Policy menu > Global Properties > ConnectControl), the value of Server availability check interval must be a multiple of 5 and no less than 15.

SecureXL

Unsupported Features

1. ISP Redundancy in conjunction with SecureXL has the following limitations:
• Some connections passing through interfaces configured with ISP Redundancy are not accelerated; other connections (for example, an internal connection to a DMZ) are accelerated and are not affected by this limitation.
• ISP Redundancy over PPTP and PPPoE interfaces is not supported.

2. When SecureClient is connected to a VPN-1 gateway with two external interfaces and the interface it is connected through goes down, SecureClient loses connectivity. To resume connectivity, the user must disconnect and reconnect.

3. When configuring Remote Access > Office Mode on a VPN gateway that has multiple external interfaces with SecureXL enabled, make sure that Support connectivity enhancement for gateways with multiple external interfaces is checked.

4. QoS is not supported with SecureXL.

Accelerated Features

5. When the SmartDefense feature PPTP Enforcement is enabled, GRE over PPTP is not accelerated. To accelerate GRE over PPTP, disable this feature (on the SmartDefense tab, select Application Intelligence > VPN Protocols > PPTP Enforcement).

6. Overlapping NAT is not supported with Performance Pack.

Platform Specific — Nokia

7. When the SmartDefense TCP Sequence Verifier is enabled and SecureXL is on or Flows acceleration is enabled, a message appears when you install a policy from SmartDashboard, and the Sequence Verifier is not enforced.
• For SecureXL, the message is: "Warning: This Gateway supports SecureXL traffic acceleration. TCP Sequence Verifier (SmartDefense) will not be enforced on accelerated connections. To allow Sequence Verification, turn off acceleration on the Gateway by running cpconfig."


• For Flows acceleration, the message is: "Flows: TCP Sequence Verifier acceleration is not supported on the Gateway."
To disable the TCP Sequence Verifier, select the SmartDefense tab > Network Security > TCP and deselect Sequence Verifier.

Platform Specific — Solaris

8. On Solaris platforms, Performance Pack does not support the following interface types:
• VLAN and virtual interfaces
• bge, dmfe and skge interfaces

Performance Pack

Unsupported Features

1. Performance Pack does not support dynamic interface changes on Solaris. Before running ifconfig up, down, plumb or unplumb, turn off acceleration with the command fwaccel off; afterwards, re-enable it with fwaccel on.

2. Performance Pack does not support source-based routing.

Unsupported Products

3. Performance Pack is not supported when using ClusterXL Load Sharing with the Sticky Decision Function (SDF). When SDF is enabled, acceleration is automatically turned off. To re-enable acceleration, first make sure acceleration is enabled by running the cpconfig configuration tool. Then disable SDF (in SmartDashboard, edit the Gateway Cluster object, select the ClusterXL page and click Advanced) and install the new Security Policy twice.

4. PPTP and PPPoE interfaces are not supported by Performance Pack in configurations where NAT and/or VPN-1 are used.

5. Virtual interfaces and VLAN interfaces are not supported by Performance Pack on Solaris.

Accelerated Features

6. When the SmartDefense feature PPTP Enforcement is enabled, GRE over PPTP is not accelerated. To accelerate GRE over PPTP, disable this feature (on the SmartDefense tab, select Application Intelligence > VPN Protocols > PPTP Enforcement).


7. When using Performance Pack in a cluster configuration, all members must have Performance Pack installed and running.

Supported Platforms

8. For a list of the recommended platforms for Performance Pack on SecurePlatform, see the Hardware Compatibility List for SecurePlatform at http://www.checkpoint.com/products/supported_platforms/secureplatform.html.

SSL Network Extender

In This Section
Client Limitations page 48
Gateway Limitations page 49

Client Limitations

1. SSL Network Extender is not supported in a Fast User Switching environment.

2. SSL Network Extender and SecureClient can be installed on the same machine, but they cannot be active at the same time.

3. The Office Mode IP per User feature is not supported if a user connects using SSL Network Extender and then SecureClient, in that order: a user who connects to a VPN-1 Gateway using SSL Network Extender receives an Office Mode IP address, but after disconnecting and reconnecting with SecureClient does not receive one.

4. SSL Network Extender may not work properly with pop-up blockers. Disable them, or configure them to allow pop-ups on the SSL Network Extender site.

5. To use SSL Network Extender with Windows XP SP2:
1. Click the Internet Explorer Information bar and select Always allow Pop-ups from this site.
2. Select Tools > Internet Options > Security > Web Content Zone > Custom Level and enable Automatic prompting for ActiveX controls.

6. Some Windows 2000 systems do not have the High Encryption Pack installed and can only perform 56-bit SSL encryption, which SSL Network Extender does not support. The administrator must install the High Encryption Pack before those Windows 2000 systems can use SSL Network Extender.


7. To install SSL Network Extender, Microsoft Windows Installer (MSI) version 2.0 must be installed on the client computer. Most Windows installations include MSI 2.0; if it is not installed, it can be downloaded free from Microsoft's website.

Gateway Limitations

8. If Secure Configuration Verification (SCV) is enabled in Global Properties and you are working with a Simplified Mode Security Policy, packets from SSL Network Extender are not passed.

9. The Unique by Machine option on the Office Mode tab is currently not supported when Office Mode uses DHCP to allocate IP addresses. Enabling it may cause SSL Network Extender to receive different IP addresses when connecting from the same machine, or the same IP address when connecting from different machines.

10. SSL Network Extender licenses are now installed on the management module, not on the enforcement modules as in R55. After installing the license on the management module, activate it by installing policy on all enforcement modules to which the clients will connect. SSL Network Extender licenses installed on R55 modules must be retained after the upgrade, as the management license does not apply to those modules.

11. At present, the ICS Dynamic Upgrade feature is not supported.

12. Under certain circumstances vpnd may not bind to the port designated as the Visitor Mode port, and SSL Network Extender does not work. To resolve this, verify that the port is not in use by another process (for example with netstat -an on the gateway), and then run the command fw kill vpnd.

13. The web page language does not change when Hebrew is selected. A workaround is to edit the file messages.js in $FWDIR/conf/extender/language/chkp/hebrew:
1. On line 131, var MSG_RESTRICT_ACCESS ..., make sure the line ends with "; and not just ;
2. On line 133, var MSG_ASKUSER_ACCESS ..., add " at the beginning of the string and "; at the end.
3. On line 181, install_required ..., add " at the beginning of the string and "; at the end.
4. On line 190, b64_alert ..., add " at the beginning of the string and "; at the end.
5. On line 202, browser_settings_error ..., add " at the beginning of the string and "; at the end.


14. When running SSL Network Extender on IPSO, the SSL Network Extender server does not start if the Voyager port is set to its default value of 443. The solution is to move the Voyager server to another port.

UserAuthority Server

1. When using UserAuthority Server on Citrix/Terminal Server, routing configurations in which a destination can be reached through multiple interfaces with the same metric are not supported. The Citrix UAS identifies a connection by source port, destination IP address and destination port only; the source IP address is not taken into account. As a result the Citrix UAS cannot differentiate between concurrent connections that differ only by their source IP addresses. In the following example, if the two connections are opened simultaneously, the UAS cannot guarantee that the right user identification is returned for queries on those connections.

User   Source IP     Source Port   Destination IP   Destination Port
Joe    192.168.0.5   5001          10.1.1.2         80
Bob    192.168.0.2   5001          10.1.1.2         80

2. When changing Trusted Domains (under Global Properties > UserAuthority) from Specific Domains to All Domains, some users may need to be redefined without the "DOMAIN\" prefix.

3. When using a Log Server, explicitly define a security rule that allows ELA traffic from the UserAuthority Server to that Log Server.

4. UserAuthority Server is supported on single-processor machines only. Running UserAuthority Server on SMP may cause instability in the VPN-1 Pro kernel.

5. When users are authenticated on other VPN-1 Pro gateways using Client Authentication, SecureClient or SecuRemote, the automatic configuration cannot resolve the connection to the user name. This can be done with manual configuration, using the following settings: the VPN-1 Pro gateway must be in a VPN-1 Pro/Express Gateway group, and the Windows Domain Controllers check box must be checked.

6. The option to share identities with a VPN endpoint when a VPN is established is unavailable. Chaining to another VPN-1 Pro gateway can be done only in the clear.


Integrity

In This Section

Integrity Server page 51
Notes on Instant Messenger (IM) Security page 51
Documentation Issues page 52
Client Issues page 52
Server Issues page 54
Localization and Special Character Issues page 58
Gateway and Third Party Issues page 60

Integrity Server

1. After installing Integrity server, the services Tomcat (ISTC) and Apache (ISAP) may report being down. This can be safely ignored.

Notes on Instant Messenger (IM) Security

When using this version of Integrity IM Security, please note the following:

2. To apply Integrity IM Security to IM clients that use HTTP tunneling, you must configure a proxy server for HTTP tunneling.

3. IM Security configuration options are available on a policy's Messaging Settings tab. For more information, see the associated online help and the Integrity Advanced Server Administrator Guide.

4. Integrity does not support the use of an HTTP proxy server (for HTTP tunneling) with Trillian or Miranda.

5. If you are using the Yahoo or MSN protocol, you cannot block audio sessions, video sessions, or file transfers independently.
To block any of these types of communication, you must block all three. Similarly, to block the transfer of any file type, you must block all file types. These limitations are due to recent changes in the Yahoo and MSN protocols.
Yahoo IM and MSN Messenger have recently introduced an additional peer-to-peer protocol for bandwidth-intensive communications, such as audio sessions, video sessions, and file transfers. Whenever a user establishes an audio or video session or transfers a file, the IM client establishes a peer-to-peer session to accommodate the communication. This session remains active after the communication is complete, meaning that it accommodates all subsequent requests for audio/video sessions and file transfers. Integrity IM Security parses the IM protocol and prevents peer-to-peer sessions for blocked communications. However, if you allow any audio/video sessions or file transfers, the resulting peer-to-peer session bypasses Integrity IM Security and allows all subsequent transfers of any type. Note that Integrity does not log or report any audio/video sessions or file transfers that occur over the peer-to-peer session.
Check Point will consider addressing the peer-to-peer protocol issue in a subsequent release of Integrity Advanced Server.

6. Video is not blocked provided Audio transmission is allowed
The Block Video checkbox does not affect Windows Messenger. Both video and audio conversations are blocked when the Block Video checkbox is enabled, and both audio and video conversations are unblocked when the Block Audio checkbox is disabled.

7. IM Security does not detect instant messenger programs
If IM Security is started after an instant messenger program, it will not detect the instant messenger and the user may be unable to send instant messages.
Workaround: Restart the instant messenger program after starting IM Security.

8. IM Security blocks peer to peer
IM Security always blocks peer-to-peer connections in ICQ 2003. As a result, a user will not be able to send files, audio, and video.

Documentation Issues

Corrections and additions to the documentation.

9. Instructions for integrating with InterSpect NGX
Instructions in the Gateway Integration Guide for configuring InterSpect integration are specific to InterSpect 2.0. There may be user interface and other differences on the InterSpect side when using the NGX version of InterSpect. Please consult the InterSpect NGX documentation for additional information.

Client Issues

Known issues affecting client installation, upgrade, or configuration.

10. No support for Windows 98, Windows NT, or Windows ME
Integrity clients do not support Windows 98, Windows NT, or Windows ME. If you try to install IAS on one of these operating systems, IAS will not issue a warning or prevent you from installing. However, proceeding with such an installation may cause unpredictable results.

11. Flex client must be rebooted to register changes to Return to Default buttons


When you change the setting of Hide Return to Default buttons in Integrity Flex (in the Advanced Settings section of a policy's Client Settings tab), the end user must reboot the Integrity Flex client for the change to take effect.

12. Some out of compliance messages are truncated or repeated
The Integrity clients may repeat some messages and truncate others.

13. Malicious Code Protection does not work when a user is restricted
When a user is in the restricted state, Malicious Code Protection does not function.

14. SecureClient does not shut down
When installing Integrity SecureClient, the installation hangs or crashes. A workaround is to remove the directory %PROGRAMFILES%\Common Files\InstallShield before running the Integrity SecureClient installer.

15. Personal policy is not able to block MS Remote Desktop
You cannot block Microsoft Remote Desktop using application rules.

16. Client cannot download package from external source when restricted
If the client becomes restricted due to a client enforcement rule, and the rule specifies an upgrade package on an external URL, the client may not be able to download the external package. This can occur even if the 'external' URL is actually the same as an Integrity Advanced Server.
A workaround is to upgrade using the Upgrade package from Integrity Server option rather than upgrading from an external URL.

17. Integrity Flex does not support long custom text
If you set custom text exceeding 180 characters, it will not display correctly in Integrity Flex.

18. Enterprise policies cannot override keyboard and mouse settings
If you set your policy to allow a program and to enforce the enterprise policy only, and the user has set permissions in the personal policy to block the program, the program will be able to access the Zones as defined in the enterprise policy, but will not be able to perform keyboard and mouse activity.
Workaround: Users must set the program to allow the keyboard and mouse activity in the personal policy.

19. The set password command line is not supported
The command line to set the client password, ICLIENT.EXE -PWINSTSET, is not supported.


Server Issues

Known issues affecting server installation, upgrade or configuration.

20. Integrity Agent does not support the Anti-Spyware Action setting Confirm
When creating a policy to be used with Integrity Agent clients, Anti-Spyware Action settings must be set to either Notify or Automatic. Integrity Agent does not support the Action setting Confirm, because there is no way for the user to confirm through the UI.

21. If IAS is configured to use a case-sensitive SQL database, some users must log in with case-sensitive user names
If Integrity Advanced Server is configured to use an SQL database that is case-sensitive, Integrity treats all user names in an imported Windows 2000 or Windows NT domain as case-sensitive. If you assign a policy directly to an individual user within such a domain (as opposed to assigning a policy to the domain or group to which the user belongs), and if the user then logs into the endpoint without observing case sensitivity, Integrity will not recognize the user name and will therefore not enforce the policy assigned directly to that user. Such a user will receive the default policy instead. To avoid this problem, administrators who have configured a case-sensitive SQL database and have assigned policies directly to certain users (who were imported as part of one of the relevant domain types) must give each such user the case-sensitive version of his or her user name and require him or her to log in with that version.

22. Adding a local policy to a client package causes Integrity to ignore some package-level settings
If you add a local policy to a client package, Integrity ignores the following package settings: Launch Client Minimized, System Tray Icon, and System Tray Menu. In addition, policy settings override the package-level setting for the Client Shutdown option.

23. Custom support links in a personal policy always override those in the enterprise policy
If an enterprise policy and a personal policy both specify a custom support link (in their respective client settings sections), the Integrity client always shows the link specified in the personal policy and ignores the link specified in the enterprise policy, even if you select Enforce enterprise policies only in the enterprise policy's client settings.

24. Continuous looping of log uploads
If the minimum number of events is less than 2, continuous looping of log uploads occurs.


In order to prevent continuous looping of log uploads, in the Client Configuration > Client Settings panel's Log Upload Size area, set the minimum number of events to be equal to or greater than 2.

25. SNMP trap messages in hex code
SNMP traps sent from the Integrity Advanced Server are logged to the /var/log/messages file, but the messages are in hex codes.
A workaround is to enable SYSLOG and SNMP traps in Linux by issuing the following commands:
    syslogd -h -r -m 0    (to enable syslog with remote option)
    snmptrapd -Oa         (to enable snmptrapd and route the output to syslog)

26. Limitations when importing groups
Internet Explorer (6.x) limits to 3000 the number of groups you can import into an NTDomain, LDAP, or RADIUS catalog on Integrity Advanced Server. To import more than 3000 groups, use another of the supported browsers. Mozilla Firefox is the only compatible browser that accommodates imports of more than 10,000 groups. Note that, for very large imports, the import page may take up to ten minutes to display all imported groups.
When importing groups with a browser other than Internet Explorer, users may get a warning asking whether to abort the long-running JavaScript routine. Users should close the dialog box or choose to continue running JavaScript. For Firefox, you can suppress this message by typing about:config in the address bar, finding the entry for dom.max_script_run_time, and setting the number to 60 (on new computers) or 120 (on older computers).

27. MAC address in the User Activity report is incorrect
When using VMware, the IP address column in the User Activity report gives the wrong information.

28. Cannot delete some accounts
For Integrity installs with Oracle databases, administrator accounts with locked policies will not be deletable until the policy is unlocked. Only the locking administrator can unlock a policy.

29. Settings in custom config file are removed
If you upload a config.xml file, using the Client Packager page, and specify a local policy, only the connection settings in the config.xml will be used. All other settings in the uploaded configuration file will be overridden by the local policy selected.

30. Apache shows an error while running


While Apache is running, it shows the following error:
    (730038)An operation was attempted on something that is not a socket.: winnt_accept: AcceptEx failed. Attempting to recover.
Workaround: Place the directive Win32DisableAcceptEx on a separate line at the beginning of the httpd.conf configuration file (in ‹install_dir›\apache2\conf) and then restart Apache.

31. Localized characters are not supported in the Install Key
You cannot use non-English characters in the Install Key in the Client Packager page.
Workaround: Use only ASCII characters for the Install Key.

32. Need to increase number of allowed processes
By default, each Integrity Advanced Server uses a maximum of 50 JDBC connections at peak load. If you are running more than one Integrity Advanced Server in a cluster, please configure the maximum connections allowed by the database accordingly. In the case of Oracle 9i, please increase the number of processes by (n * 50), where n is the number of Integrity Advanced Servers in the cluster.

33. Info level logging produces a lot of data
Logging at the Info level can produce a lot of data. Do not set info-level notifications to e-mail.

34. Some policies cannot be imported
Some policies cannot be imported into the Integrity Advanced Server. For example: policies containing enforcement rules that use remediation files.
A workaround is to edit the XML to remove the item from the policy that cannot be imported.

35. Global Spyware category settings are lost
If you disable and then re-enable Global Spyware Protection, all category settings are lost.

36. Popup during upgrade
When upgrading an existing Flex installation, a pop-up message may appear requesting DNS access for the files msiexec.exe and fwkern.exe.
A workaround is to add program rules to your policy allowing DNS access for these two files.

37. NNTP is not supported by Malicious Code Protection


Integrity clients that receive policies where this protocol is selected in the SmartDefense policy tab will no longer observe or protect against malicious code that subverts NNTP port 119.

38. Licensing issues
Integrity SecureClient is designed to be licensed through the SecureClient license. SecureClient is licensed on the server, but SecureClient also inserts an item in the desktop's registry once it connects to a Policy Server that has a license. The Integrity client checks for this registry setting to determine if it is also licensed. If the SecureClient has multiple sites that it is connecting to, it only has to connect to one site to be licensed.
In order to license the Integrity client, SecureClient has to connect to the VPN Policy Server within the Integrity client's 30 day trial period. If the user does not connect to the VPN Policy Server before the end of the trial period, then the Integrity client will prompt the user to enter a license key.
If the Integrity Client is packaged with a license, it will use that license instead of checking the registry setting. Customers who buy an Integrity SecureClient license but want to deploy Integrity on an internal machine that does not have SecureClient need to request an Integrity license. When entering the license key, be sure to remove the hyphens.
If, after installing the license on the gateway, SecureClient and Integrity Client do not operate beyond the trial period, you will need to install an update to the CPmacro. This update file is available at http://www.checkpoint.com/downloads/index.html.

39. Migrating from 5.x
If you wish to migrate data to a 6.x installation, you must have a version of Integrity Server that is 5.1 or later but before 6.0. This version limitation applies both to the Server migration and the Integrity clients. Please also note that the Integrity Client version and the Integrity Server version must match. Using a server with a different version than the client is not supported. For more information about migrating Server information and re-distributing the new client to endpoint users, see the Integrity Advanced Server Installation Guide.

40. Integrity Advanced Server tries to download updates
The Integrity Advanced Server tries to download spyware definition updates regardless of whether or not Anti-Spyware is licensed.

41. Spurious Error


Occasionally, the following message may appear in the jakarta_stdout.log when the server is under heavy connection load:

    SEVERE: Error registering Integrity-Service:type=RequestProcessor,worker=jk-8009,name=JkRequest73
    javax.management.InstanceAlreadyExistsException: Integrity-Service:type=RequestProcessor,worker=jk-8009,name=JkRequest73
        at mx4j.server.MBeanServerImpl.register(MBeanServerImpl.java:1123)
        at mx4j.server.MBeanServerImpl.registerImpl(MBeanServerImpl.java:1054)
        at mx4j.server.MBeanServerImpl.registerMBeanImpl(MBeanServerImpl.java:1002)
        at mx4j.server.MBeanServerImpl.registerMBean(MBeanServerImpl.java:978)
        at org.apache.commons.modeler.Registry.registerComponent(Registry.java:871)
        at org.apache.jk.common.ChannelSocket.registerRequest(ChannelSocket.java:436)
        at org.apache.jk.common.HandlerRequest.decodeRequest(HandlerRequest.java:443)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:352)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:743)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:675)
        at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:866)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
        at java.lang.Thread.run(Thread.java:534)

This message does not signify any functional problem and should not be a cause for alarm.

42. Need to change default password
You must always change the default password to a password of your choosing when you first log into the Integrity Administrator Console using the default password. However, if you log into the Integrity Administrator Console using a SmartConsole account, you will not be presented with the change password page and the default password will remain. To preserve the security of your Integrity installation, as soon as you have finished the installation, you should log into the Integrity Administrator Console using the default password and set a new password.

43. Need to redeploy when marking certain programs as 'changes frequently'
If you are using Program Advisor and you add a program to your policy (either individually or as part of a group) and then mark it as 'changes frequently', you must redeploy that policy in order for the 'changes frequently' setting to take effect.

Localization and Special Character Issues

Known issues affecting localized versions of the product or the use of special characters.

44. In search fields, Integrity interprets "%" and "_" as search wildcards


In search fields in the Integrity Advanced Server administration console, Integrity interprets the characters "%" and "_" as search wildcards, NOT as literal characters for which to search.

45. Running 6.0 upgrade wipes prior settings in install-upgrade.properties
During upgrades, the settings in the install-upgrade.properties file on the Integrity Advanced Server will be lost. This file is used by the installLocale.sh and installLocale.bat files.
Workaround: If you need to add languages to your installation later, you should back up the install-upgrade.properties file.
If you have already lost your install-upgrade.properties settings, contact Integrity support for instructions on re-creating the file before attempting to install new languages.

46. Classic Firewall Rules cannot contain certain symbols
You cannot use the ampersand symbol ('&'), quotation marks, or the less than symbol ('
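Items 21 and 44 both concern how an SQL-backed user catalog interprets what it is given: under a case-sensitive collation 'jsmith' and 'JSmith' are different users, and an unescaped search term turns '%' and '_' into wildcards. The following Python script is an added example and is not code from this document or from Check Point; it reproduces both behaviours on an in-memory SQLite table with constructed sample user names, and the table layout, the policy names and the escape_like helper are assumptions of the example rather than anything Integrity itself does.

```python
"""Added example (not from the Check Point document): how an SQL-backed user
catalog behaves with a case-sensitive collation (item 21) and with LIKE
wildcards in search fields (item 44).  Uses an in-memory SQLite database and
constructed sample rows; table layout and policy names are assumptions."""
import sqlite3

# Constructed sample catalog: user names as imported from a Windows domain.
SAMPLE_USERS = [
    ("CORP\\JSmith", "finance-policy"),
    ("CORP\\ABrown", "finance-policy"),
    ("CORP\\ops_admin", "ops-policy"),
    ("CORP\\ops-admin", "ops-policy"),
    ("CORP\\100%_test", "lab-policy"),
]
DEFAULT_POLICY = "default-policy"


def build_catalog():
    """Create the in-memory catalog.  The user_name column keeps SQLite's
    default BINARY collation, i.e. comparisons are case-sensitive, like the
    database configuration item 21 describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT PRIMARY KEY, policy TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def policy_for_login(conn, login_name, case_sensitive=True):
    """Return the policy assigned to the user who just logged in.
    With case_sensitive=True the lookup is an exact BINARY match, so a user who
    types 'corp\\jsmith' does not match 'CORP\\JSmith' and silently falls back
    to the default policy (the failure mode in item 21).  With
    case_sensitive=False the comparison uses COLLATE NOCASE instead."""
    sql = "SELECT policy FROM users WHERE user_name = ?"
    if not case_sensitive:
        sql += " COLLATE NOCASE"
    row = conn.execute(sql, (login_name,)).fetchone()
    return row[0] if row else DEFAULT_POLICY


def escape_like(term, esc="\\"):
    """Escape the LIKE metacharacters so the term is matched literally.
    The escape character itself is doubled first so it cannot be injected."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_users(conn, term, literal=False):
    """Substring search over user names, as a search field would issue it.
    literal=False passes the term straight into LIKE, so '%' and '_' act as
    wildcards (item 44): a lone '%' returns the whole catalog.  literal=True
    escapes them and declares the escape character with ESCAPE, so the
    characters match only themselves."""
    if literal:
        pattern = "%" + escape_like(term) + "%"
        sql = ("SELECT user_name FROM users WHERE user_name LIKE ? ESCAPE '\\' "
               "ORDER BY user_name")
    else:
        pattern = "%" + term + "%"
        sql = "SELECT user_name FROM users WHERE user_name LIKE ? ORDER BY user_name"
    return [r[0] for r in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    catalog = build_catalog()
    print("exact login   :", policy_for_login(catalog, "CORP\\JSmith"))
    print("wrong case    :", policy_for_login(catalog, "corp\\jsmith"))
    print("NOCASE lookup :", policy_for_login(catalog, "corp\\jsmith", False))
    print("wildcard '_'  :", search_users(catalog, "ops_admin"))
    print("literal '_'   :", search_users(catalog, "ops_admin", literal=True))
    print("lone '%'      :", search_users(catalog, "%"))
    print("literal '%'   :", search_users(catalog, "%", literal=True))
```

The unescaped path shows why a search term should never be concatenated into a LIKE pattern as-is: a single '%' matches every row, and '_' makes 'ops_admin' also match 'ops-admin'. The NOCASE lookup only illustrates the difference a collation makes; it is not a setting the document offers for Integrity, whose documented remedy is to have the affected users log in with the case-sensitive spelling.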


50. Cannot change the maximum connections using the Administrator Console
Changing the number of maximum connections in the Administrator Console has no effect.
A workaround is to update the file webapps/ROOT/conf/startup.xml. For example, change:
to
Restart Integrity Advanced Server so the change takes effect.

51. Cannot use non-XML standard characters in Database passwords
The use of non-XML standard characters, such as ' " < & >, in Database passwords will cause errors during database initialization. Do not use these characters.

Gateway and Third Party Issues

Known issues involving compatibility with gateways or third-party products.

52. Integrity client fails to detect McAfee Virus Scan Enterprise Virus definition
The McAfee product's UI displays only a portion of the product version number. Internally, the full version number is used. You must use the full version number when referencing the McAfee product for the Integrity client to detect the McAfee Virus Scan Enterprise Virus definition.

53. SecureClient not compatible with PC-Cillin 2005
If you have SecureClient installed, you will not be able to also install PC-Cillin 2005.

54. Clustering with EAP gateways is not certified
Clustering your Integrity Advanced Servers is not supported when using EAP gateways.

55. SecureClient tunnel is dropped
Shutting down the Integrity Client results in the SecureClient tunnel being dropped.
A workaround is to use SecureClient to reestablish the tunnel.

56. Endpoints may not get client downloads with 802.11B devices
Endpoints may not have enough time, when restricted, to download the client package over an 802.11B wireless access point. If you are using an 802.11B wireless access point, your endpoints may need to be attached to a wired LAN to download the Integrity Client package file.
A workaround is to use an 802.11G device, or have endpoints connect using a wired LAN to get the Integrity Client package.

57. Safe@Office RADIUS packets not processed


Safe@Office firmware 5.0.82 or earlier requires the NAS IP address to be 129.39.232.228 and the RADIUS client IP address to be the IP address of the Safe@Office device.

58. Integrity clients don't recognize full version numbers
Integrity clients only recognize version numbers up to two places after the first decimal point (x.xx).

59. Network Interface Card remains disabled
If you are using EAP and the Network Interface Card is disabled, it will remain disabled even after reboot.
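Items 46 and 51 above share one root cause: a value containing XML-special characters (' " < & >) is written into an XML-based configuration without escaping, and the file then fails to parse, which is what surfaces as an error during database initialization. The following Python script is an added example, not code from this document or from Check Point; the element names and the sample password are constructed, and it shows the unescaped write failing to parse, the escaped write round-tripping the same password, and a pre-check for the characters the document says to avoid.

```python
"""Added example (not from the Check Point document): why XML-special
characters in a password (item 51) or a rule field (item 46) break an XML
configuration when written unescaped, and how escaping fixes it.  The element
names and the sample password are constructed assumptions."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: a password containing every character item 51 names.
SAMPLE_PASSWORD = "p'a\"s<s&w>ord"

# Characters that are not safe as raw XML text or attribute content.
XML_SPECIAL = set("'\"<&>")


def contains_xml_special(value):
    """Return the set of XML-special characters present in value (empty if
    none).  A pre-check like this, run before initialization, catches the
    passwords the document says not to use."""
    return XML_SPECIAL & set(value)


def write_unescaped(password):
    """Build the config text the naive way: plain string concatenation with
    no escaping.  With SAMPLE_PASSWORD this yields '<s&w>' inside the element,
    which is not well-formed XML."""
    return ("<database>\n"
            "  <user>integrity</user>\n"
            f"  <password>{password}</password>\n"
            "</database>\n")


def write_escaped(password):
    """Build the same config with the element text escaped: & becomes &amp;,
    < becomes &lt;, > becomes &gt;, and both quote characters are escaped too
    so the same value would also be safe inside an attribute."""
    safe = escape(password, {'"': "&quot;", "'": "&apos;"})
    return ("<database>\n"
            "  <user>integrity</user>\n"
            f"  <password>{safe}</password>\n"
            "</database>\n")


def read_password(config_text):
    """Parse the config and return the password text, or None when the
    document is not well-formed (the parse error a consumer of the file
    would hit during initialization)."""
    try:
        root = ET.fromstring(config_text)
    except ET.ParseError:
        return None
    return root.findtext("password")


if __name__ == "__main__":
    print("special chars present :", sorted(contains_xml_special(SAMPLE_PASSWORD)))
    print("unescaped round-trip  :", read_password(write_unescaped(SAMPLE_PASSWORD)))
    print("escaped round-trip    :", read_password(write_escaped(SAMPLE_PASSWORD)))
```

The escaped form parses back to exactly the original password, so the restriction in item 51 is a limitation of how the value is written, not of XML itself; until the writer escapes its input, the pre-check is the practical guard.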
