Firewall - Check Point
ClusterXL

...session timeout between the SNMP queries on the different IP addresses. This timeout has a 40 second default, and can be defined in Global Properties > Stateful Inspection.

Configuration

4. In the Rule Base, when adding a cluster object to the source or destination column in a rule, this rule will only apply to the cluster addresses. If the rule needs to be applied to the cluster member addresses, add their objects to the rule as well.

5. The following error messages may appear on the console when enabling or disabling ClusterXL or state synchronization using the command cpconfig:

   FW-1: fwkdebug_register: module cluster already registered
   FW-1: fwha_kdebug_register: fwkdebug_register failed

   These messages may be safely ignored.

6. To use manual client authentication through HTTP in a cluster environment, set the database property hclient_enable_new_interface to true. This forces the HTTP client authentication daemon to ask for both the user name and password in the same HTML page. When the IP addresses of the cluster members are not routable, the URLs returned in the HTML from the replying cluster member contain the non-routable IP address of the member instead of the IP address of the cluster. This would fail subsequent operations. The workaround in this case is to configure the cluster to use a domain name, using the ahttpclientd_redirected_url global property. Make sure that your DNS servers resolve this domain name to the cluster's IP address.

7. Use the commands cpstop and cpstart instead of cprestart on cluster configurations. The command cprestart is not supported on cluster members.

8. A cluster IP interface or a synchronization network interface cannot be defined as a non-monitored (i.e., disconnected) interface.

9. Performance Pack is not supported when using ClusterXL Load Sharing with Sticky Decision Function (SDF). When SDF is enabled, acceleration is automatically turned off. To re-enable acceleration, first make sure acceleration is enabled by running the cpconfig configuration tool. Then disable SDF (in SmartDashboard, edit the Gateway Cluster object, select the ClusterXL page, and click Advanced), and install the new Security Policy twice.

10. When defining VLAN tags on an interface, cluster IP addresses can be defined only on the VLAN interfaces (the tagged interfaces). Defining a cluster IP address on a physical interface that has VLANs is not supported. The physical interface should be defined with the Network Objective Monitored Private on ClusterXL clusters and as Private on third-party clusters.

11. When setting an interface whose current Network Objective is Sync to Non-Monitored Private, and setting another interface's Network Objective to Sync and installing policy, the status of the cluster members will change to Active Attention and Down. To avoid this issue, make this configuration change in two phases:
   1. Set the interface with the Network Objective of Sync to Monitored Private (instead of Non-Monitored), and the other interface's Network Objective to Sync, and install policy.
   2. Reconfigure the Monitored Private interface to Non-Monitored and install policy again.

12. When defining a Sync interface on a VLAN interface, it can only be defined on the lowest VLAN tag on a physical interface.

13. Defining the lowest VLAN tag on a physical interface as disconnected (Non-Monitored Private) is not supported.

14. Defining a Sync interface on a VLAN interface is not supported on Nokia clusters and on other 3rd party clusters.

VPN-1 Clusters

15. When defining Office Mode IP pools, make sure each cluster member has a distinct pool.

16. Before adding an existing gateway to a cluster, remove it from all VPN communities in which it participates.

17. When detaching a cluster member from a VPN cluster, manually remove the VPN domain once the member has been detached.

18. Peer or SecuRemote Gateways may show error messages when working against an overloaded Gateway cluster in Load Sharing mode. This is due to IPsec packets with an old replay counter. These error messages can be safely ignored.

19. Using Sticky Decision Function with VPN features will guarantee connection stickiness for connections that pass through the cluster only, and not for connections originating from a cluster member or destined to it.

20. When a Check Point VPN-1 NGX peer is connected directly to a Check Point cluster (i.e., the peer and the cluster are located on the same VLAN and there is no Layer 3 (IP) routing device between them), the following features are not supported:
   • ISP Redundancy
   • VPN link selection - Reply from same interface
   This issue can be resolved either by placing a router between the VPN peer and the cluster, or by disabling these features. (Neither feature is enabled by default.)

Enterprise Suite NGX R61 Known Limitations Supplement, Last Update — February 7, 2007 (pages 36 and 37)
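As an added example (not part of the Check Point document), the following POSIX shell script checks the DNS prerequisite that item 6 states for the ahttpclientd_redirected_url workaround, that the chosen domain name resolves only to the cluster address and never to a member address, and prints the dbedit commands that would set the two properties item 6 names. The dbedit table and object names (properties, firewall_properties), the dbedit -local -f invocation, and the value format for ahttpclientd_redirected_url are assumptions drawn from general Check Point administration, not from this page; the domain name and the 192.0.2.x addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the Check Point Known Limitations document.
# Validates the DNS prerequisite for the HTTP client-authentication
# workaround (item 6) and emits the dbedit commands for the two
# properties named there. dbedit syntax is assumed, not taken from the page.

# Resolver wrapper, kept separate so an offline test can replace it.
# Prints "ADDRESS NAME" lines in the style of getent(1).
resolve_hosts() {
    getent hosts "$1"
}

# check_cluster_dns DOMAIN CLUSTER_IP
# Succeeds only when every address DOMAIN resolves to equals CLUSTER_IP.
# Any member address in the answer means the redirect URL would again send
# clients to a (possibly non-routable) member, the failure item 6 describes.
check_cluster_dns() {
    domain=$1
    cluster_ip=$2
    addrs=$(resolve_hosts "$domain" | awk '{print $1}')
    if [ -z "$addrs" ]; then
        echo "FAIL: $domain does not resolve" >&2
        return 1
    fi
    rc=0
    for a in $addrs; do
        if [ "$a" != "$cluster_ip" ]; then
            echo "FAIL: $domain resolves to $a, expected cluster address $cluster_ip" >&2
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: $domain -> $cluster_ip"
    fi
    return "$rc"
}

# dbedit_commands DOMAIN
# Prints a dbedit script setting the two global properties from item 6.
# Assumption: Global Properties live in the firewall_properties object of
# the "properties" table; whether ahttpclientd_redirected_url takes a bare
# host name or a full URL is also an assumption to verify in GuiDBedit.
dbedit_commands() {
    domain=$1
    cat <<EOF
modify properties firewall_properties hclient_enable_new_interface true
modify properties firewall_properties ahttpclientd_redirected_url $domain
update properties firewall_properties
EOF
}

# Usage (constructed values; 192.0.2.0/24 is a documentation range):
#   check_cluster_dns vpn.example.net 192.0.2.10 && \
#       dbedit_commands vpn.example.net > set_hclient.txt
# Then, on the SmartCenter: dbedit -local -f set_hclient.txt (assumed
# invocation) and install policy on the cluster.
```

The check deliberately fails when the name resolves to a mix of cluster and member addresses, not only when the cluster address is absent, because a client that happens to receive the member address hits exactly the broken-URL case the limitation describes.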