Firewall - Check Point

More documents

Recommendations

Info

SecurePlatform23. The Dynamic routing suite does not support multiple adjacencies to the samerouting neighbor, when one of the cluster IPs participating in the adjacency resideson different subnet. This means that if you have a configuration in which thecluster interface resides on network different from the member network on thesame interface, this IP cannot be used together with another regular clusterinterface for forming multiple adjacencies to the same routing neighbor.24. Defining Dynamic Routing protocols on the Cluster Sync interface is not supported.25. 224.0.0.x routes that remain in the routing table after dynamic routing is disabledcan be safely ignored.26. PIM multicast traffic is not supported with virtual tunnel interfaces configured withidentical local IP addresses.ClusterXL27. Dynamic routing does not support updates in rip multicast from static routes.28. The Dynamic Routing daemon adds the cluster IP address of VPN tunnel interfaceswhen full adjacency is established. This may, however, result in a variety ofproblems, such as losing adjacencies. Generally, VPNT interfaces should not beredistributed to the peers. It may be achieved, however, by using the route-mapcommand. See the following example:config terminalroute-map block-vpnt-distribution permit 5match ip address access-list vpnt-networkexitaccess-list vpnt-network permit access-list vpnt-network deny access-list vpnt-network deny exitrouter ospf 1redistribute direct route-map block-vpnt-distribution29. During policy installation, the following messages may appear on the console:[Expert@fault]# gated_xl[1383]: task_set_option: task MRouting socket 17option GroupAdd(10) interface 56.2.2.1(vt-aaa) group 224.0egated_xl[1383]: task_change_role reinitializing donegated_xl[1383]: task_set_option: task MRouting socket 17 optionGroupAdd(10) interface 56.2.2.1(vt-aaa) group 224.0.0.2: Address alegated_xl[1383]: task_change_role reinitializing doneEnterprise Suite NGX R61 Known Limitations Supplement Last Update — February 7, 2007 24
gated_xl[1383]: task_change_role re-initializingThese messages can be safely ignored.SecurePlatform30. When executing the command clusterXL_admin down on a cluster configurationwhich includes Dynamic Routing, be sure to wait 10 seconds or so before runningthe command clusterXL_admin up. Failing to do so may result in a delay of a fewseconds before the cluster member returns to normal (active or standby) state, andthe following error message:Operation failed: member is still down, run 'cphaprob list' for furtherdetails.This occurs because the command clusterXL_admin down causes the active clustermember running Dynamic Routing to start a sync of the FIB table, and will notenter the UP state until the sync completes.31. When using the Advanced Routing Suite with ClusterXL, make sure to perform thefollowing:1. In order to keep routes synchronized among cluster members, allow the serviceFIBMGRD in the Rule Base.2. To prevent FIBMGRD connections from exceeding the timeout threshold, add thefollowing lines to the file $FWDIR/lib/user.def on the management station:/*Cluster related definitions - cluster fold and others */#include "cluster.def"deffunc user_accept_non_syn() {(src in cluster_members_ips,dst in cluster_members_ips,( sport = 2010 ) or (dport = 2010))};32. When using VTIs on a ClusterXL gateway with Hitless Restart configured, be sure toset Hitless Restart to restart-type signaled.33. To ensure RIB synchronization in NGX (R60A), the following steps should beperformed:1. Define a new TCP service with destination port of 1024-65535 and source portof 2010.2. In the Advanced Properties tab, uncheck Match for ANY.3. Add a rule allowing the above service and the service FIBMGR between all thecluster members.Enterprise Suite NGX R61 Known Limitations Supplement Last Update — February 7, 2007 25
Page 1 and 2: ......Check Point Enterprise Suite.
Page 3 and 4: Firewall4. When the Web Intelligenc
Page 6 and 7: Firewall28. When using SmartDirecto
Page 8 and 9: Firewall47. When connecting to the
Page 10 and 11: FirewallDynamically Assigned IP Add
Page 12 and 13: SmartCenterSmartCenterIn This Secti
Page 14 and 15: SmartCenter10. When upgrading Smart
Page 16 and 17: SmartCenter23. In order to be able
Page 18 and 19: SmartCentersaved. The solution is t
Page 20 and 21: 1. Using a text editor, open the fi
Page 22 and 23: SecurePlatform1. Log into SecurePla
Page 26 and 27: SecurePlatform34. BGP is not suppor
Page 28 and 29: SecurePlatform56. In legacy High Av
Page 31 and 32: LicensingSmartView Monitor9. If a l
Page 33 and 34: Eventia ReporterEventia ReporterIns
Page 35 and 36: ClusterXLClusterXLIn This SectionUp
Page 37 and 38: ClusterXL11. When setting an interf
Page 39 and 40: • For other out of state messages
Page 41 and 42: ClusterXL37. If two or more interfa
Page 43 and 44: ClusterXLSave the file and chmod 77
Page 45 and 46: • For other OPSEC certified clust
Page 47 and 48: • For Flows acceleration, the mes
Page 49 and 50: SSL Network Extender7. To install S
Page 51 and 52: IntegrityIntegrityIn This SectionIn
Page 53 and 54: IntegrityWhen you change the settin
Page 55 and 56: IntegrityIn order to prevent contin
Page 57 and 58: IntegrityIntegrity clients that rec
Page 59 and 60: IntegrityIn search fields in the In
Page 61: Safe@Office firmware 5.0.82 or earl

Firewall - Check Point

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?