Firewall - Check Point
Firewall - Check Point Firewall - Check Point
SecureXL69. When configuring Server Availability for ConnectControl (SmartDashboard > Policymenu > Global Properties > ConnectControl), the value for the Server availabilitycheck interval must be a multiple of 5 and no less than 15.SecureXLUnsupported Features1. ISP redundancy, when working in conjunction with SecureXL, has the followinglimitations:• Some connections passing through interfaces configured with ISP redundancyare not accelerated, while other connections (for example, an internalconnection to a DMZ) are accelerated and are not affected by this limitation.• ISP redundancy over PPTP and PPPoE interfaces is not supported.2. When SecureClient is connected to a VPN-1 gateway with two external interfacesand the connected interface goes down, SecureClient will lose connectivity. In orderto resume connectivity, the user needs to disconnect and reconnect.3. When configuring Remote Access > Office Mode on a VPN gateway that has multipleexternal interfaces with SecureXL enabled, make sure that Support connectivityenhancement for gateways with multiple external interfaces is checked.4. QoS is not supported with SecureXL.Accelerated Features5. The SmartDefense feature PPTP Enforcement does not allow acceleration of the GREprotocol over PPTP when enabled. In order to accelerate the GRE protocol overPPTP, disable this feature (on the SmartDefense tab, select Application Intelligence> VPN Protocols > PPTP Enforcement).6. Overlapping NAT is not supported with Performance Pack.Platform Specific - Nokia7. When the SmartDefense TCP Sequence Verifier feature is enabled and SecureXL ison or Flows acceleration is enabled, a message appears when you install a policyfrom SmartDashboard and the Sequence Verifier feature is not enforced.• For SecureXL, the message displayed is: “Warning: This Gateway supportsSecureXL traffic acceleration. TCP Sequence Verifier (SmartDefense) will not beenforced on accelerated connections. To allow Sequence Verification, turn offacceleration on the Gateway by running cpconfig.”Enterprise Suite NGX R61 Known Limitations Supplement Last Update — February 7, 2007 46
• For Flows acceleration, the message is: “Flows: TCP Sequence Verifieracceleration is not supported on the Gateway.”Performance PackTo configure the TCP Sequence Verifier, select the SmartDefense tab > Network Security> TCP and deselect Sequence Verifier.Platform Specific — Solaris8. On Solaris platforms, Performance Pack does not support the following types ofinterfaces• VLAN and virtual interfaces• bge, dmfe and skge interfacesPerformance PackUnsupported Features1. Performance Pack does not support dynamic interface changes on Solaris. Beforeperforming ifconfig up/down/plumb or unplumb, turn off acceleration by issuing thefwaccel off command. Then enable acceleration by issuing the fwaccel oncommand.2. Performance Pack does not support source based routing.Unsupported Products3. Performance Pack is not supported when using ClusterXL Load Sharing with StickyDecision Function (SDF). When SDF is enabled, acceleration is automaticallyturned off. To re-enable acceleration, first make sure acceleration is enabled byrunning the cpconfig configuration tool. Then disable SDF (in SmartDashboard, editthe Gateway Cluster object, select the ClusterXL page, and click Advanced), andinstall the new Security Policy twice.4. PPTP and PPPoE interfaces are not supported by Performance Pack inconfigurations where NAT and/or VPN-1 are used.5. Virtual interfaces and VLAN interfaces are not supported by Performance Pack onSolaris.Accelerated Features6. The SmartDefense feature PPTP Enforcement does not allow acceleration of the GREprotocol over PPTP when enabled. In order to accelerate the GRE protocol overPPTP, disable this feature (on the SmartDefense tab, select Application Intelligence> VPN Protocols > PPTP Enforcement).Enterprise Suite NGX R61 Known Limitations Supplement Last Update — February 7, 2007 47
- Page 1 and 2: ......Check Point Enterprise Suite.
- Page 3 and 4: Firewall4. When the Web Intelligenc
- Page 6 and 7: Firewall28. When using SmartDirecto
- Page 8 and 9: Firewall47. When connecting to the
- Page 10 and 11: FirewallDynamically Assigned IP Add
- Page 12 and 13: SmartCenterSmartCenterIn This Secti
- Page 14 and 15: SmartCenter10. When upgrading Smart
- Page 16 and 17: SmartCenter23. In order to be able
- Page 18 and 19: SmartCentersaved. The solution is t
- Page 20 and 21: 1. Using a text editor, open the fi
- Page 22 and 23: SecurePlatform1. Log into SecurePla
- Page 24 and 25: SecurePlatform23. The Dynamic routi
- Page 26 and 27: SecurePlatform34. BGP is not suppor
- Page 28 and 29: SecurePlatform56. In legacy High Av
- Page 31 and 32: LicensingSmartView Monitor9. If a l
- Page 33 and 34: Eventia ReporterEventia ReporterIns
- Page 35 and 36: ClusterXLClusterXLIn This SectionUp
- Page 37 and 38: ClusterXL11. When setting an interf
- Page 39 and 40: • For other out of state messages
- Page 41 and 42: ClusterXL37. If two or more interfa
- Page 43 and 44: ClusterXLSave the file and chmod 77
- Page 45: • For other OPSEC certified clust
- Page 49 and 50: SSL Network Extender7. To install S
- Page 51 and 52: IntegrityIntegrityIn This SectionIn
- Page 53 and 54: IntegrityWhen you change the settin
- Page 55 and 56: IntegrityIn order to prevent contin
- Page 57 and 58: IntegrityIntegrity clients that rec
- Page 59 and 60: IntegrityIn search fields in the In
- Page 61: Safe@Office firmware 5.0.82 or earl
SecureXL69. When configuring Server Availability for ConnectControl (SmartDashboard > Policymenu > Global Properties > ConnectControl), the value for the Server availabilitycheck interval must be a multiple of 5 and no less than 15.SecureXLUnsupported Features1. ISP redundancy, when working in conjunction with SecureXL, has the followinglimitations:• Some connections passing through interfaces configured with ISP redundancyare not accelerated, while other connections (for example, an internalconnection to a DMZ) are accelerated and are not affected by this limitation.• ISP redundancy over PPTP and PPPoE interfaces is not supported.2. When SecureClient is connected to a VPN-1 gateway with two external interfacesand the connected interface goes down, SecureClient will lose connectivity. In orderto resume connectivity, the user needs to disconnect and reconnect.3. When configuring Remote Access > Office Mode on a VPN gateway that has multipleexternal interfaces with SecureXL enabled, make sure that Support connectivityenhancement for gateways with multiple external interfaces is checked.4. QoS is not supported with SecureXL.Accelerated Features5. The SmartDefense feature PPTP Enforcement does not allow acceleration of the GREprotocol over PPTP when enabled. In order to accelerate the GRE protocol overPPTP, disable this feature (on the SmartDefense tab, select Application Intelligence> VPN Protocols > PPTP Enforcement).6. Overlapping NAT is not supported with Performance Pack.Platform Specific - Nokia7. When the SmartDefense TCP Sequence Verifier feature is enabled and SecureXL ison or Flows acceleration is enabled, a message appears when you install a policyfrom SmartDashboard and the Sequence Verifier feature is not enforced.• For SecureXL, the message displayed is: “Warning: This Gateway supportsSecureXL traffic acceleration. TCP Sequence Verifier (SmartDefense) will not beenforced on accelerated connections. To allow Sequence Verification, turn offacceleration on the Gateway by running cpconfig.”Enterprise Suite NGX R61 Known Limitations Supplement Last Update — February 7, 2007 46