Firewall - Check Point
Firewall

Dynamically Assigned IP Address (DAIP) Modules

65. The fw tab command on a SmartCenter Server is not supported.

Miscellaneous

66. Token ring adapters are not supported.

67. The TCP Sequence Verifier is not supported with clusters using asymmetric routing.

68. The Accept VPN-1 & FireWall-1 control connections Implied Rules setting is applicable to a SmartCenter server object in specific cases only:
• to the primary IP defined for this object and
• only if there are interfaces defined in its Topology tab.
This may create connectivity problems when trying to install policies (or other operations included in the control connections). The workaround is to define explicit rules that allow connectivity to the SmartCenter object.

69. When executing the following command: fw tab -u -f -t connections, error messages such as FW-1: fwkbuf_length: invalid id number XXXX and Table kbufs - Invalid handle 6a6b8803 (bad entry) can be safely ignored. To avoid these messages, use the command fw tab -u -t connections instead.

70. Deploying a DHCP server on a SecurePlatform machine running a VPN-1 enforcement module is not supported. As a workaround, deploy the DHCP server on a SecurePlatform machine not running an enforcement module.

71. A large database on a gateway may result in high CPU usage by the services vpnd and dtpsd. To resolve this issue, use the cpprod utility to set a value for the setting SIC_SERVER_DEFAULT_TIMEOUT.

VoIP

72. MSN Messenger version 5 is not supported. Additionally, there are a few known issues regarding MSN Messenger when employing Hide NAT:
• When running SIP and the data connection tries to open MSN Messenger connections on hidden networks, the connection fails.
• While audio and video each work separately, they cannot be run concurrently.

73. When using the SIP protocol and a security rule uses the Action reject to block high_udp_ports (RTP ports - data connection), the incoming audio is rejected as well. A workaround is to use the Action drop in place of reject.

74. When an H.323 IP phone that is not part of a handover domain tries to establish a call, the call attempt is blocked and the following message appears on the console: FW-1: fw_conn_inspect: fwconn_chain_lookup failed. If you want to allow this phone to make calls, add it to the handover domain, and the error message will no longer appear. Note that this console message may appear in other (non-VoIP) scenarios as well.

75. In some cases, when a user closes an MSN Messenger application (such as Whiteboard), the application will not close automatically on the remote end. The remote user will need to close the application manually.

76. When the SIP-proxy is in the DMZ, whiteboard and application sharing will not open between external to internal messengers.

SecureClient

77. Policy installation fails if a combination of different user groups & network objects are used in the same cell. For example, if the following appears in a source or destination cell, the policy will not install:
usergroup1@netobj1 & usergroup2@netobj2
If the user groups match or the network objects match, the installation will succeed. The following examples will allow the policy to install successfully:
usergroup1@netobj1 & usergroup2@netobj1
usergroup1@netobj1 & usergroup1@netobj2

Enterprise Suite NGX R61 Known Limitations Supplement Last Update — February 7, 2007