Firewall - Check Point
Enterprise Suite NGX R61 Known Limitations Supplement Last Update — February 7, 2007

SecurePlatform

1. Log into SecurePlatform.
2. Place the CD into the CD drive.
3. Enter the Expert mode.
4. Type mount /mnt/cdrom.
5. Type patch add /mnt/cdrom/SecurePlatform/patch/CPpatch_command_update.tgz
6. Answer y when prompted.

After this update is complete, the system will allow multiple upgrade operations.

6. When upgrading from SecurePlatform FP2, FP3 and FP4, you must update the "patch" command before proceeding with the upgrade. To apply the patch, insert the SecurePlatform installation CD and run the following commands:
   1. mount /mnt/cdrom
   2. patch add /mnt/cdrom/SecurePlatform/patch/CPpatch_command_update.tgz
   After applying this patch, proceed with the upgrade.
7. The installation process fails with some USB CD-ROM models. Use the floppy to start the installation, or install via the network.
8. During upgrade, the following console messages can be safely ignored:
   • INIT: version 2.78 reloading
   • INIT: version 2.85 reloading
9. During the SecurePlatform upgrade, the following message may appear:
   cpprod_util: error while loading shared libraries: libcpprod50.so: cannot open shared object file: No such file or directory
   This message does not indicate any problem and can be ignored.
10. The SecurePlatform WebUI management interface will only upload an upgrade package if the browser being used is Microsoft Internet Explorer.
11. On some older computers (usually 5-6 years old), the SecurePlatform CDROM will fail to boot due to BIOS limitations. In this case, create a boot floppy and use it to start the installation.

Unicast Routing

12. If working with the Advanced Routing suite, and Multihomed Link Selection is configured with identical routes via multiple redundant interfaces, the following workaround is required:
   • If there are only two identical routes, one of the routes must be split into two routes: The first route covers half of the subnet and the second route the other half of the subnet.
13. Configuring any redistribute options in the RIP environment will remove the default redistribute rip and redistribute direct options. These options can be configured manually, if needed.
14. Despite establishing OSPF adjacency, kernel-sourced routes may not be distributed immediately. In those cases, a 10 minute delay may be experienced.
15. During reboot, a number of Dynamic Routing messages appear on the console. These messages can be safely ignored.
16. When working with VTI unnumbered interfaces, changes to the IP address of the proxy interface do not immediately register with Dynamic Routing. For the changes to take effect, run the commands drouter stop and drouter start.
17. After running the command service network restart, the previous kernel routes persist. For the changes to take effect, run the commands drouter stop and drouter start.
18. When publishing a network from two (or more) sources with the same Distance and Metric, the network will be deleted from the RIB of the operating system. A workaround is to change the metric for one of the peers, or if one peer is reached via a different interface, to change the metric of one of the local interfaces.
19. When changing the VTI netmask to a specific mask length, the Dynamic Routing daemon creates three routes: two connected routes for local and remote IPs, and one additional network kernel route for a defined subnet. After VTI removal, the third network route is preserved in the Dynamic Routing table, but removed from the OS routing table.

Multicast Routing

20. Defining NAT on a host that transmits multicast traffic is not supported.
21. To enable multicast service on a VPN gateway functioning as a rendezvous point, add a rule to the Security Policy of that gateway to allow only the specific multicast service to be accepted unencrypted, and to accept all other services only through the community.
22. A SecurePlatform machine with more than 10 interfaces may encounter difficulty running Multicast Dynamic Routing protocols (as well as OSPF). This issue may be addressed by adjusting the number of multicast groups that can be joined by a single process. The limit is set in the file proc/sys/net/ipv4/igmp_max_memberships, and the default number is 20.
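
The shell functions below are an added example, not taken from the Check Point supplement. They compare the limit in the file named in item 22 with the number of interfaces read from a /proc/net/dev style listing. The figure of two groups per interface (OSPF's 224.0.0.5 and 224.0.0.6), the function names and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Check Point code. Assumption: the routing daemon may join
# two groups per OSPF interface, 224.0.0.5 and 224.0.0.6.
PER_IF=2

# Count non-loopback interfaces listed in a /proc/net/dev style file ($1).
count_interfaces() {
    awk -F: 'NR > 2 && NF > 1 { gsub(/ /, "", $1); if ($1 != "lo") n++ }
             END { print n + 0 }' "$1"
}

# Print the numeric limit stored in file $1; fail on non-numeric content.
read_limit() {
    value=$(cat "$1") || return 1
    case $value in
        ''|*[!0-9]*) echo "unexpected content in $1" >&2; return 1 ;;
    esac
    echo "$value"
}

# Print "ok" if limit file $2 covers $1 interfaces, else "raise <needed>".
check_limit() {
    limit=$(read_limit "$2") || return 2
    need=$(( $1 * $PER_IF ))
    if [ "$need" -le "$limit" ]; then echo "ok"; else echo "raise $need"; fi
}

# Write limit $1 to file $2 (real /proc file: root only, lost at reboot).
set_limit() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    echo "$1" > "$2"
}

# Constructed sample: loopback plus 12 Ethernet interfaces, default limit 20.
make_sample() {
    dir=$(mktemp -d) || return 1
    echo 20 > "$dir/limit"
    {
        echo "Inter-|   Receive   |  Transmit"
        echo " face |bytes packets|bytes packets"
        echo "    lo:  5200 40 5200 40"
        i=0
        while [ "$i" -lt 12 ]; do echo "  eth$i:91000 700 88000 650"; i=$((i + 1)); done
    } > "$dir/dev"
    echo "$dir"
}

sample=$(make_sample)
check_limit "$(count_interfaces "$sample/dev")" "$sample/limit"   # prints "raise 24"
rm -rf "$sample"
```

On a gateway, pass /proc/net/dev and /proc/sys/net/ipv4/igmp_max_memberships in place of the sample files.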