Firewall - Check Point

More documents

Recommendations

Info

AuthenticationClusterXL31. When performing manual client authentication (using port 900) to a cluster wherethe IP addresses of the members are not routable, the URLs returned in the HTMLfrom the replying cluster member contain the non-routable IP address of themember instead of the cluster IP address. This fails subsequent operations. Theworkaround is to configure the cluster to use a domain name instead of an IPaddress in the client authentication HTML pages, using theahttpclientd_redirected_url global property. Make sure that your DNS serversresolve this domain name to the IP address of the cluster.32. Issues may arise when using automatic or partially automatic client authenticationfor HTTP on Load Sharing clusters (both ClusterXL and OPSEC clusters). Aworkaround is to define a decision function based only on IP addresses in order forconnections to open. For ClusterXL, go to the ClusterXL tab > Load Sharing >Advanced, and select IPs only. For OPSEC clusters, refer to the productdocumentation for more information.State Synchronization33. A cluster member will stay in the down state if it is detached and then reattachedto the cluster, as it does not automatically perform a full sync upon reattachment.To force a full sync, run the following commands on the module: fw ctl setsyncoff and fw ctl setsync start.34. Upon completion of full synchronization (Full sync), an error message Statesynchronization is in risk, is displayed on the cluster member on which thesynchronization is taking place. If this message occurs only once immediatelyfollowing Full sync, it can be safely ignored. If this message appears erratically,consult the ClusterXL user guide in the section Blocking New Connections UnderLoad.SmartConsole35. When working with a 3rd party Cluster Object with QoS, if you move from theTopology tab to a different tab, the following error message appears: No interfacewas activated in QoS tab for this host (Inbound or Outbound). Do you want to continue?Select Yes and continue your operation. This error message can be safely ignored.36. SmartUpdate shows cluster members as distinct Gateways without the commoncluster entity. When cluster members are not of the same version, applying GetCheck Point Gateway Data on a cluster member will set the member's version on theCluster object. To set the version of the cluster correctly, apply the Get Check PointGateway Data command to the cluster member with the latest version.Enterprise Suite NGX R61 Known Limitations Supplement Last Update — February 7, 2007 40
ClusterXL37. If two or more interfaces on the same cluster member share the same IP addressand Net Mask (as might occur when defining bridge interfaces), only one interfacewill be displayed in the Topology tab in SmartDashboard. To manage interfaces withthe same IP address and Net Mask, use the GuiDBedit tool.38. When using ClusterXL in High Availability Legacy mode, the Network Objective is setautomatically to Cluster if all of the members' interfaces on that network have thesame IP address and netmask. Changing the Network Objective to a different settingwill, in this case, be overridden by the system, and change back to Cluster afterclicking OK.39. When deleting a network via the Topology page (Cluster Object > Properties >Topology > Edit Topology), selecting Name or IP address of one of the interfaces andthen clicking Remove results in the following error message: Please select aninterface. In order to remove a whole network, remove all the interfaces(members and cluster) and click OK.Security Servers40. Security Servers are not supported with Sequence Verifier in Load Sharing clusterenvironments.Platform Specific — Nokia41. Either Nokia VRRP or Nokia IP Clustering configuration must be used when creatinga cluster based on an IPSO platform. Using other OPSEC Certified third partyclustering products (such as OPSEC Certified external load balancers) to create acluster based on IPSO platforms has limited support. Contact Check Point Supportand receive configuration instruction and a list of associated limitations.42. After configuring a gateway cluster on a Nokia platform via the Simple mode(wizard), be sure to complete the cluster interface definition on the Topology pageof the cluster object.43. The feature Connectivity enhancements for multiple interfaces is not supported onNokia IP clustering in Forwarding mode.44. NAT rules should not be applied to VRRP traffic. To prevent NAT rules from beingapplied to VRRP traffic, define the following manual NAT rule and give it higherpriority than other NAT rules that relate to Cluster VIPs or to their networks:Original Packet Translated Packet Install OnSource Destination Service Source Dest ServicePhysical IP ofVRRP membersVRRP IP: 224.0.0.18 Any Original Original Original relevant clusterEnterprise Suite NGX R61 Known Limitations Supplement Last Update — February 7, 2007 41
Page 1 and 2: ......Check Point Enterprise Suite.
Page 3 and 4: Firewall4. When the Web Intelligenc
Page 6 and 7: Firewall28. When using SmartDirecto
Page 8 and 9: Firewall47. When connecting to the
Page 10 and 11: FirewallDynamically Assigned IP Add
Page 12 and 13: SmartCenterSmartCenterIn This Secti
Page 14 and 15: SmartCenter10. When upgrading Smart
Page 16 and 17: SmartCenter23. In order to be able
Page 18 and 19: SmartCentersaved. The solution is t
Page 20 and 21: 1. Using a text editor, open the fi
Page 22 and 23: SecurePlatform1. Log into SecurePla
Page 24 and 25: SecurePlatform23. The Dynamic routi
Page 26 and 27: SecurePlatform34. BGP is not suppor
Page 28 and 29: SecurePlatform56. In legacy High Av
Page 31 and 32: LicensingSmartView Monitor9. If a l
Page 33 and 34: Eventia ReporterEventia ReporterIns
Page 35 and 36: ClusterXLClusterXLIn This SectionUp
Page 37 and 38: ClusterXL11. When setting an interf
Page 39: • For other out of state messages
Page 43 and 44: ClusterXLSave the file and chmod 77
Page 45 and 46: • For other OPSEC certified clust
Page 47 and 48: • For Flows acceleration, the mes
Page 49 and 50: SSL Network Extender7. To install S
Page 51 and 52: IntegrityIntegrityIn This SectionIn
Page 53 and 54: IntegrityWhen you change the settin
Page 55 and 56: IntegrityIn order to prevent contin
Page 57 and 58: IntegrityIntegrity clients that rec
Page 59 and 60: IntegrityIn search fields in the In
Page 61: Safe@Office firmware 5.0.82 or earl

Firewall - Check Point

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?