Firewall - Check Point

More documents

Recommendations

Info

<strong>Firewall</strong>47. When connecting to the IPv6 IPv4 compatible address of VPN-1 Pro (::w.x.y.z., forexample), the following appears on the console: Jan 14 09:37:32 shif [LOG_CRIT]kernel: fw_filterin: 0 unknown interface. This message can be safely ignoredin such configurations. To prevent the message from appearing, run this command:modzap _fw_verbose_unknown_if $FWDIR/boot/modules/fwmod.o 0x0 and reboot.48. Content of IPv6 in IPv4 tunnels (IPv4 protocol 41) passing through VPN-1 Pro isnot inspected.49. CPMAD functionality is not supported with the IPv6 protocol.50. SmartDefense's ping size property is not enforced on ICMPv6 echo request packets.51. Due to the fact that IPv6 is not supported for security servers, enablingConfiguration apply to all connections under SmartDefense's FTP Security Serversettings causes FTP (as well as HTTP and SMTP) connections over IPv6 to berejected, and no log is generated.52. The command fw6 unload localhost unloads both IPv6 and IPv4 policies,although it should unload only the IPv6 policy.53. IPv6 packets with extension headers which are not explicitly allowed via editing ofthe table.def INSPECT script are dropped without being logged.54. The Remote Shell (RSH) protocol is not supported for IPv6.SmartConsole & SmartConsole Applications55. When a client connects with SmartDashboard to SmartCenter and performs aSmartDefense online update, a second client connecting with SmartDashboard tothe same SmartCenter will see the new protections but not the new HTMLdescriptions. The situation is resolved by the second client logging out & logging inagain.A similar behavior may occur regarding the Silent Post-install Update. If newprotections were added in that package, then the second client that logs in will notsee the respective new HTML descriptions. The workaround is the same (clientshould log out & log in again).ISP Redundancy56. When using the ISP load sharing configuration, outgoing traffic that passes througha security server is not load-shared, and will pass through a single ISP (the defaultroute). If this ISP fails, new connections will be opened through the second ISP.57. If a network cable is unplugged from a network card using 3c59x (3COM), Starfire,or Tulip drivers, the link's status mistakenly indicates that the next hop is notresponding, instead of reporting a network cable unplugged. This affects theEnterprise Suite NGX R61 Known Limitations Supplement Last Update — February 7, 2007 8
<strong>Firewall</strong>messages produced by the product when the ISP redundancy feature is used. Forinstance, instead of indicating that the link is down, the message will indicate thatthe next hop is not responding.58. ISP redundancy is not supported in a ClusterXL Different subnets configuration. Thismeans the IP address of the cluster must be on the same subnet as the clustermembers' real IP addresses.59. In a ClusterXL configuration, the names of the external interfaces of all clustermembers must be identical and must correspond in turn to the names of theexternal interfaces of the cluster object. For example, if the cluster object has twoexternal interfaces called eth0 and eth1 which are connected to ISP-1 and ISP-2,respectively; each cluster member must have two external interfaces called eth0and eth1 which should be connected to ISP-1 and ISP-2 respectively.Logging60. FTP data connections may appear in the Active connections view in SmartViewTracker even after these connections have been terminated.Policy Installation61. When installing a policy on a module, the policy installation log may recordanti-spoofing warning messages from modules not included in the installation thatdo not have anti-spoofing configured.62. Policy installation may fail when there are 70 or more dynamic objects.63. When installing policy on a cluster with a Layer 2 bridge defined, the installationmay fail with the following error: Load on Module failed. To resolve this issue, do thefollowing:1. Set the environment variable FW_MANAGE_BRIDGE to 1 on the SmartCenter server.This is done by updating the files $CPDIR/tmp/.CPprofile.csh andCPDIR/tmp/.CPprofile.sh so that they include the environment variableFW_MANAGE_BRIDGE 1.2. Install policy.SAM64. A Suspicious Activity Monitor (SAM) rule will fail for a remote Gateway if theSmartCenter Server is also a VPN-1 Pro enforcement module and no policy hasbeen installed on it since adding the remote Gateway.Enterprise Suite NGX R61 Known Limitations Supplement Last Update — February 7, 2007 9
Page 1 and 2: ......Check Point Enterprise Suite.
Page 3 and 4: Firewall4. When the Web Intelligenc
Page 6 and 7: Firewall28. When using SmartDirecto
Page 10 and 11: FirewallDynamically Assigned IP Add
Page 12 and 13: SmartCenterSmartCenterIn This Secti
Page 14 and 15: SmartCenter10. When upgrading Smart
Page 16 and 17: SmartCenter23. In order to be able
Page 18 and 19: SmartCentersaved. The solution is t
Page 20 and 21: 1. Using a text editor, open the fi
Page 22 and 23: SecurePlatform1. Log into SecurePla
Page 24 and 25: SecurePlatform23. The Dynamic routi
Page 26 and 27: SecurePlatform34. BGP is not suppor
Page 28 and 29: SecurePlatform56. In legacy High Av
Page 31 and 32: LicensingSmartView Monitor9. If a l
Page 33 and 34: Eventia ReporterEventia ReporterIns
Page 35 and 36: ClusterXLClusterXLIn This SectionUp
Page 37 and 38: ClusterXL11. When setting an interf
Page 39 and 40: • For other out of state messages
Page 41 and 42: ClusterXL37. If two or more interfa
Page 43 and 44: ClusterXLSave the file and chmod 77
Page 45 and 46: • For other OPSEC certified clust
Page 47 and 48: • For Flows acceleration, the mes
Page 49 and 50: SSL Network Extender7. To install S
Page 51 and 52: IntegrityIntegrityIn This SectionIn
Page 53 and 54: IntegrityWhen you change the settin
Page 55 and 56: IntegrityIn order to prevent contin
Page 57 and 58: IntegrityIntegrity clients that rec
Page 59 and 60:
IntegrityIn search fields in the In
Page 61:
Safe@Office firmware 5.0.82 or earl
show all

Firewall - Check Point

Create successful ePaper yourself

Delete template?

Save as template?