Firewall - Check Point

More documents

Recommendations

Info

• To disable ISP redundancy, in SmartDashboard edit the gateway object >Topology > ISP Redundancy, and remove the check mark from Support ISPRedundancy.ClusterXL• To disable VPN link selection - Reply from the same interface, in SmartDashboardedit the gateway object > VPN > Link Selection > Outgoing Route Selection, anddo the following:A. Under When initiating a tunnel, enable Operating system routing table,B. and under When responding to remotely initiated tunnel, select Setup, andenable Use outgoing traffic configuration.21. When configuring a VTI cluster interface, it should be assigned a name identical tothe name of the member interface.High Availability22. In legacy High Availability mode for ClusterXL, MAC address synchronization is notsupported for VLAN tagged interfaces. Use new High Availability mode, or manuallyconfigure the MAC addresses of the interfaces using the ifconfig CLI or WebUI.23. Issuing a Stop Member command in SmartView Monitor performs the cphastopcommand on this member. Among other things, this disables the StateSynchronization mechanism. Any connections opened while the member is stoppedwill not survive a failover event, even if the member is restarted using cphastart.However, connections opened after the member is restarted are synchronized asnormal.Load Sharing24. Under load, tcp packet out of state error messages may appear. For each case thereis a specific way to resolve it. Refer to the “<strong>Firewall</strong> and SmartDefense” guide for afull explanation and security implications.• message_info: TCP packet out of state - first packet isn't SYN tcp_flags: FIN-ACKmessage_info: TCP packet out of state - first packet isn't SYN tcp_flags:FIN-PUSH-ACKIn SmartDashboard > Global Properties > Stateful Inspection, enlarge tcp endtimeout. The recommended value is 60 seconds. If there are many connectionsconsider enlarging the connection table size in the same ratio as the tcp endtimeout.• message_info: SYN packet for established connectionrun the command: fw ctl set int fw_trust_rst_on_port When a single port is not enough, you can set the port number to -1, meaningthat you trust a reset from every port.Enterprise Suite NGX R61 Known Limitations Supplement Last Update — February 7, 2007 38
• For other out of state messages:ClusterXLrun the command: fw ctl set int fwconn_merge_all_syncs 1. This allows amore reliable way of merging TCP states across asymmetric connections.25. When employing SecurID for authentication, it is recommended to define eachcluster member with its own unique (internal) IP address separately on theACE/Server. In addition, to send packets to the ACE/Server with their unique IPaddresses and not the VIP address, edit the file table.def, located in $FWDIR/lib.Change the line starting with no_hide_services_ports to, for example,no_hide_services_ports = {}, where 5500 is the service port and 17(UDP) is the protocol.26. For the first few seconds of an asymmetric connection, server-to-client packets arenot accelerated. An asymmetric connection, such as an FTP data connectionthrough an accelerated ClusterXL cluster, is where the server-to-client side ishandled by a different member than the client-to-server side. Asymmetricconnections are only opened when using VPN or static NAT. This is a temporaryperformance degradation that affects only a small percentage of traffic.27. When installing a new policy that uses Sticky Decision Function (configured inSmartDashboard > Cluster Object > ClusterXL page > Advanced), and the old policyused the regular decision function, some connections may be lost, especiallyconnections to or from the cluster members. New connections are unaffected.28. After a failover, non-pivot members of a ClusterXL cluster in Unicast mode mayreport incorrect load distribution information. For the correct load distribution,review the information reported by the pivot member.29. When using ClusterXL in Load Sharing mode and the Sticky Decision Function isenabled, the failure of a module within 40 seconds of an IKE negotiation maycause a connectivity failure with that peer for up to 40 seconds.• When the failure involves a PIX gateway, communications may be interruptedfor up to 40 seconds.• When the failure involves an L2TP client, communications may bedisconnected, as keepalive packets are blocked during this period.30. traceroute may fail if it passes through a Load Sharing cluster. To resolve thisissue, on the Cluster object, select ClusterXL > Advanced and in the Advanced LoadSharing Configuration window you should either:• select Use Sticky Decision Function, or• change the selection for Use sharing method based on: to IPs.Enterprise Suite NGX R61 Known Limitations Supplement Last Update — February 7, 2007 39
Page 1 and 2: ......Check Point Enterprise Suite.
Page 3 and 4: Firewall4. When the Web Intelligenc
Page 6 and 7: Firewall28. When using SmartDirecto
Page 8 and 9: Firewall47. When connecting to the
Page 10 and 11: FirewallDynamically Assigned IP Add
Page 12 and 13: SmartCenterSmartCenterIn This Secti
Page 14 and 15: SmartCenter10. When upgrading Smart
Page 16 and 17: SmartCenter23. In order to be able
Page 18 and 19: SmartCentersaved. The solution is t
Page 20 and 21: 1. Using a text editor, open the fi
Page 22 and 23: SecurePlatform1. Log into SecurePla
Page 24 and 25: SecurePlatform23. The Dynamic routi
Page 26 and 27: SecurePlatform34. BGP is not suppor
Page 28 and 29: SecurePlatform56. In legacy High Av
Page 31 and 32: LicensingSmartView Monitor9. If a l
Page 33 and 34: Eventia ReporterEventia ReporterIns
Page 35 and 36: ClusterXLClusterXLIn This SectionUp
Page 37: ClusterXL11. When setting an interf
Page 41 and 42: ClusterXL37. If two or more interfa
Page 43 and 44: ClusterXLSave the file and chmod 77
Page 45 and 46: • For other OPSEC certified clust
Page 47 and 48: • For Flows acceleration, the mes
Page 49 and 50: SSL Network Extender7. To install S
Page 51 and 52: IntegrityIntegrityIn This SectionIn
Page 53 and 54: IntegrityWhen you change the settin
Page 55 and 56: IntegrityIn order to prevent contin
Page 57 and 58: IntegrityIntegrity clients that rec
Page 59 and 60: IntegrityIn search fields in the In
Page 61: Safe@Office firmware 5.0.82 or earl

Firewall - Check Point

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?