Firewall - Check Point

More documents

Recommendations

Info

FirewallFirewallIn This SectionInstallation, Upgrade and Backward Compatibility page 2Platform Specific — Nokia page 3Platform Specific — Windows page 3Platform Specific — Solaris page 4Platform Specific — Linux page 4Load Sharing page 5NAT page 5Authentication page 5Security Servers page 6Services page 7IPv6 page 7SmartConsole & SmartConsole Applications page 8ISP Redundancy page 8Logging page 9Policy Installation page 9SAM page 9Dynamically Assigned IP Address (DAIP) Modules page 10Miscellaneous page 10VoIP page 10SecureClient page 11Installation, Upgrade and Backward Compatibility1. When upgrading from earlier NG Feature Packs, the SYNDefender configurationmoves to a global configuration in SmartDefense and defaults to off. If aper-module configuration is desired, uncheck Override modules’ SYNDefenderconfiguration under TCP > SYN Attack Configuration in SmartDefense settings.2. Prior to NG with Application Intelligence (R54), setting the SmartDefense featureMax URL length to 0 would drop all connections. Since R54, setting the parameterto 0 disables this protection.3. When the Web Intelligence General HTTP Worm Catcher is enabled, policyinstallation on modules running NG FP1 cannot be performed. In order to installthe policy, you should either remove the NG FP1 modules from the list of PolicyInstallation Targets, or alternatively disable the General HTTP Worm Catcher.Enterprise Suite NGX R61 Known Limitations Supplement Last Update — February 7, 2007 2
Firewall4. When the Web Intelligence General HTTP Worm Catcher is enabled, policyinstallation on modules running NG FP3 prior to HotFix-2 cannot be performed. Inorder to install the policy, you should upgrade the module to NG FP3 HotFix-2.5. In modules that pre-date version NG with Application Intelligence R55W, the WebIntelligence defenses HTTP Format Sizes, ASCII Only Request, General HTTP WormCatcher only support the protection scope apply to all HTTP connections; therefore, ifone of these defenses is configured with protection scope apply to selected webservers and is installed on an older module, the protection scope apply to all HTTPconnections will be applied on this module.6. When making Inspect changes to the file user.def, do so to the copy of the file inthe directory $FWDIR/conf (and not the version in the directory $FWDIR/lib, as wasthe practice in previous versions). This is because user.def is copied from the/conf directory to the /lib directory during policy installation.Also, filenames are now adjusted to the different compatibility packages, so be sureto modify the appropriate file only:• user.def.NGX_R60 - contains user code for NGX modules (this will overwrite thefile $FWDIR/lib/user.def during policy install)• user.def.R55WCMP - contains user code for R55W modules (this will overwritethe file user.def in the R55W compatibility package directory)• user.def.MGCMP - contains user code for NG modules, R55 and below.• user.def.EdgeCmp - contains user code for VPN-1 Edge modules.Platform Specific — Nokia7. When the SmartDefense TCP Sequence Verifier feature is enabled and Flowsacceleration is enabled, the Sequence Verifier feature is not enforced and thefollowing message appears when installing policy:“Flows: TCP Sequence Verifier acceleration is not supported on the Gateway.”When SecureXL is enabled, you can enable the SmartDefense TCP SequenceVerifier feature by first enabling it in Nokia Network Voyager (System Configuration> Advanced System Tuning) and then in SmartDashboard (SmartDefense tab >Network Security > TCP). The Sequence Verifier feature will then be enforced onaccelerated connections.Platform Specific — Windows8. Adaptec Duralink64 port aggregation/failover is not supported.9. VPN-1 Pro limits its memory allocations to a certain percentage of the availablenon-paged memory. This limit affects the number of concurrent connections thatthe Enforcement Module can handle. The limit is intended to leave the rest of theEnterprise Suite NGX R61 Known Limitations Supplement Last Update — February 7, 2007 3
Page 1: ......Check Point Enterprise Suite.
Page 6 and 7: Firewall28. When using SmartDirecto
Page 8 and 9: Firewall47. When connecting to the
Page 10 and 11: FirewallDynamically Assigned IP Add
Page 12 and 13: SmartCenterSmartCenterIn This Secti
Page 14 and 15: SmartCenter10. When upgrading Smart
Page 16 and 17: SmartCenter23. In order to be able
Page 18 and 19: SmartCentersaved. The solution is t
Page 20 and 21: 1. Using a text editor, open the fi
Page 22 and 23: SecurePlatform1. Log into SecurePla
Page 24 and 25: SecurePlatform23. The Dynamic routi
Page 26 and 27: SecurePlatform34. BGP is not suppor
Page 28 and 29: SecurePlatform56. In legacy High Av
Page 31 and 32: LicensingSmartView Monitor9. If a l
Page 33 and 34: Eventia ReporterEventia ReporterIns
Page 35 and 36: ClusterXLClusterXLIn This SectionUp
Page 37 and 38: ClusterXL11. When setting an interf
Page 39 and 40: • For other out of state messages
Page 41 and 42: ClusterXL37. If two or more interfa
Page 43 and 44: ClusterXLSave the file and chmod 77
Page 45 and 46: • For other OPSEC certified clust
Page 47 and 48: • For Flows acceleration, the mes
Page 49 and 50: SSL Network Extender7. To install S
Page 51 and 52: IntegrityIntegrityIn This SectionIn
Page 53 and 54:
IntegrityWhen you change the settin
Page 55 and 56:
IntegrityIn order to prevent contin
Page 57 and 58:
IntegrityIntegrity clients that rec
Page 59 and 60:
IntegrityIn search fields in the In
Page 61:
Safe@Office firmware 5.0.82 or earl
show all

Firewall - Check Point

Create successful ePaper yourself

Delete template?

Save as template?