Firewall - Check Point

More documents

Recommendations

Info

ClusterXL2. Install policy.Unsupported Features57. Cluster deployments automatically hide the IP address of the cluster membersbehind a virtual IP address. If you manually add NAT rules that contradict thisconfiguration, the manually added NAT rules take precedence. For details, see the“ClusterXL Advanced Configuration” chapter of the ClusterXL Guide.58. TCP connections inspected by Web Intelligence or VoIP Application Intelligencefeatures will not survive failover. On the event of failover these connections will bereset.59. The compatibility matrix for third party clustering solutions (other than Nokia) isspecified in the following link:http://www.opsec.com/solutions/perf_ha_load_balancing.html. If a certain thirdparty solution is not specifically written as being supported for this release, youmust assume it is currently not supported. For Nokia clustering (VRRP or IPClustering), see the <strong>Check</strong> <strong>Point</strong> Software and Hardware Compatibility section of theClusterXL guide for information regarding which IPSO release is supported with thisVPN-1 release.60. Mounting an NFS drive on a cluster member is not supported, as hide NAT changesthe IP address of the cluster member, and the server cannot resolve the resultingmismatch.61. The following Web Intelligence features require connections to be sticky:• Header spoofing• Directory listing• Error concealment• ASCII only response• Send error pageA sticky connection is one where all of its packets, in either direction, are handledby a single cluster member. If you enable one of the features listed above, makesure that your clustering solution supports sticky connections. Sticky connectionscan be guaranteed for Web connections in the following configurations:• ClusterXL High Availability• ClusterXL Load Sharing with Sticky Decision Function enabled• ClusterXL Load Sharing with no VPN peers, no static NAT* rules and no SIP• Nokia VRRP Cluster• Nokia IP Clustering configuration with no VPN peers, static NAT* rules or SIPEnterprise Suite NGX R61 Known Limitations Supplement Last Update — February 7, 2007 44
• For other OPSEC certified clustering products - please refer to theOPSEC-certified product's documentation.* including ConnectControl Logical ServersClusterXL62. The following VoIP Application Intelligence (AI) features require connections to besticky:• H.323• SIP• SkinnyA sticky connection is one where all of its packets, in either direction, are handledby a single cluster member. If you enable one of the features listed above, makesure that your clustering solution supports sticky connections. Sticky connectionscan be guaranteed for VoIP connections in the following configurations:• ClusterXL High Availability• ClusterXL Load Sharing with no VPN peers or static NAT* rules• Nokia VRRP Cluster• Nokia IP Clustering configuration with no VPN peers or static NAT* rules• For other OPSEC certified clustering products - please refer to theOPSEC-certified product's documentation.* including ConnectControl Logical Servers63. Sticky connections cannot be guaranteed on ClusterXL Load Sharing Unicast modewith hide NAT.64. To support SSL Network Extender in a ClusterXL Load Sharing configuration, enablethe Sticky Decision Function.ConnectControl65. The Server Load balance method is not supported.66. The Domain balance method is not supported for Logical Servers.67. If a Logical server is configured to have an IP address that belongs to the externalnetwork of the gateway, no Automatic Proxy ARP is configured on the gateway tothe IP address of the Logical server. As a result there is no communication to theLogical server from external hosts. To resolve this issue, manually configure ProxyARP using the file $FWDIR/conf/local.arp. See "Automatic Proxy ARP" in theClusterXL User Guide for local.arp file configuration instructions.68. Logical Servers are not supported in conjunction with Security Servers.Enterprise Suite NGX R61 Known Limitations Supplement Last Update — February 7, 2007 45
Page 1 and 2: ......Check Point Enterprise Suite.
Page 3 and 4: Firewall4. When the Web Intelligenc
Page 6 and 7: Firewall28. When using SmartDirecto
Page 8 and 9: Firewall47. When connecting to the
Page 10 and 11: FirewallDynamically Assigned IP Add
Page 12 and 13: SmartCenterSmartCenterIn This Secti
Page 14 and 15: SmartCenter10. When upgrading Smart
Page 16 and 17: SmartCenter23. In order to be able
Page 18 and 19: SmartCentersaved. The solution is t
Page 20 and 21: 1. Using a text editor, open the fi
Page 22 and 23: SecurePlatform1. Log into SecurePla
Page 24 and 25: SecurePlatform23. The Dynamic routi
Page 26 and 27: SecurePlatform34. BGP is not suppor
Page 28 and 29: SecurePlatform56. In legacy High Av
Page 31 and 32: LicensingSmartView Monitor9. If a l
Page 33 and 34: Eventia ReporterEventia ReporterIns
Page 35 and 36: ClusterXLClusterXLIn This SectionUp
Page 37 and 38: ClusterXL11. When setting an interf
Page 39 and 40: • For other out of state messages
Page 41 and 42: ClusterXL37. If two or more interfa
Page 43: ClusterXLSave the file and chmod 77
Page 47 and 48: • For Flows acceleration, the mes
Page 49 and 50: SSL Network Extender7. To install S
Page 51 and 52: IntegrityIntegrityIn This SectionIn
Page 53 and 54: IntegrityWhen you change the settin
Page 55 and 56: IntegrityIn order to prevent contin
Page 57 and 58: IntegrityIntegrity clients that rec
Page 59 and 60: IntegrityIn search fields in the In
Page 61: Safe@Office firmware 5.0.82 or earl

Firewall - Check Point

Create successful ePaper yourself

Delete template?

Save as template?