Release Notes for Nokia Virtual Firewall for Check Point VSX NGX R65

Check Point VPN-1 Power VSX NGX R65
IPSO 5.0 build 041 for VSX NGX R65
Part No. N450000589 Rev 001
Published June 2008


COPYRIGHT
©2008 Nokia. All rights reserved. Rights reserved under the copyright laws of the United States.

RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013. Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

IMPORTANT NOTE TO USERS
This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage. Nokia reserves the right to make changes without further notice to any products herein.

TRADEMARKS
Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders.

0701012 Release Notes for Nokia Virtual Firewall for Check Point VSX R65


Nokia Contact Information

Corporate Headquarters
Web Site: http://www.nokia.com
Telephone: 1-888-477-4566 or 1-650-625-2000
Fax: 1-650-691-2170
Mail Address: Nokia Inc., 313 Fairchild Drive, Mountain View, California 94043-2215 USA

Regional Contact Information
Americas: Nokia Inc., 313 Fairchild Drive, Mountain View, CA 94043-2215 USA
  Tel: 1-877-997-9199; outside USA and Canada: +1 512-437-7089
  email: info.ipnetworking_americas@nokia.com
Europe, Middle East, and Africa: Nokia House, Summit Avenue, Southwood, Farnborough, Hampshire GU14 0NG UK
  Tel (UK): +44 161 601 8908; Tel (France): +33 170 708 166
  email: info.ipnetworking_emea@nokia.com
Asia-Pacific: 438B Alexandra Road, #07-00 Alexandra Technopark, Singapore 119968
  Tel: +65 6588 3364
  email: info.ipnetworking_apac@nokia.com

Nokia Customer Support
Web Site: https://support.nokia.com/
Email: tac.support@nokia.com
Americas: Voice: 1-888-361-5030 or 1-613-271-6721; Fax: 1-613-271-8782
Europe: Voice: +44 (0) 125-286-8900; Fax: +44 (0) 125-286-5666
Asia-Pacific: Voice: +65-67232999; Fax: +65-67232897




Contents

1 New Features in Nokia Virtual Firewall for Check Point VSX NGX R65 ... 7
  Enhancements and Fixes in Build 041 of Nokia IPSO 5.0 ... 7
    Support for Role Based Administration ... 8
    Support for Non-local User Secure Authentication ... 8
    New Network Voyager Graphical User Interface ... 8
    Support for Resource Control ... 8
    Support for Quality of Service (QoS) ... 9
    Virtual Switch Support on ADP ... 9
    Link Aggregation Support on ADP ... 9
    Support for Unnumbered Interfaces ... 9
    Transparent Mode Support for IP 2250 ... 9
    PIM Acceleration Support ... 9
    Enhancement for Daylight Savings Time ... 9
    Transparent Mode and Virtual Switch Configuration with Check Point GUI ... 10
    Support for Check Point vsx_util ... 10
  Supported Platforms ... 10
  Supported Software ... 11

2 Installing Nokia Virtual Firewall for Check Point VSX NGX R65 ... 13
  Obtaining the Nokia Virtual Firewall for Check Point VSX NGX R65 Software Packages ... 13
  Before You Start ... 14
    Ensuring Enough Disk Space on Root ... 14
    Identify Your Configuration Options ... 14
      Configuration With Virtual Switch or Transparent Mode ... 15
      Configuration Without Virtual Switch or Transparent Mode ... 16
  Performing a Fresh Installation ... 16
  Configuring Nokia IPSO Properties ... 19
    Changing Physical Interface Properties ... 19
    Configuring DNS ... 19
    Setting the Time, Date, and Time Zone Information ... 20
    Enabling HTTPS ... 20
    Installing Nokia License Keys ... 20

3 Limitations ... 23
  Not Supported in Nokia Virtual Firewall for Check Point VSX NGX R65 ... 23
  Hotswapping ... 23
  VSX Gateway ... 25
    Installation and Configuration ... 25
  SecureXL ... 26
  Nokia Network Voyager and IPSO CLI ... 26
    Changing Properties by Using the Multidomain GUI ... 26
    Miscellaneous Provider-1 Issues ... 27
  VSX Clusters ... 27
    Miscellaneous VRRP Limitations ... 28
  Link Aggregation ... 29
  Problems with VPN ... 31
  Problems with NAT ... 31
  Problems with Routing ... 31
  Performance ... 32
  Miscellaneous Limitations ... 33
  Harmless Messages ... 34


1 New Features in Nokia Virtual Firewall for Check Point VSX NGX R65

Nokia is pleased to announce new features for Nokia Virtual Firewall for Check Point VSX NGX R65, which consists of Check Point VPN-1 Power VSX NGX R65 and Nokia IPSO 5.0. Nokia has tested and verified a Nokia Virtual Firewall for Check Point VSX environment with 50 virtual systems.

Note
For the latest available version of Release Notes for Nokia Virtual Firewall for Check Point VSX NGX R65 and resolutions pertaining to VSX NGX R65, go to https://support.nokia.com.

Enhancements and Fixes in Build 041 of Nokia IPSO 5.0

The following enhancements have been introduced with the release of Build 041 of IPSO 5.0:
• Support for Role Based Administration
• Support for Non-local User Secure Authentication
• New Network Voyager Graphical User Interface
• Support for Resource Control
• Support for Quality of Service (QoS)
• Virtual Switch Support on ADP
• Link Aggregation Support on ADP
• Support for Unnumbered Interfaces
• Transparent Mode Support for IP 2250
• PIM Acceleration Support
• Enhancement for Daylight Savings Time
• Transparent Mode and Virtual Switch Configuration with Check Point GUI
• Support for Check Point vsx_util

Build 041 also provides the following fixes:

The numbers in angle brackets after the headings in the following sections are the tracking numbers for the issues in Nokia’s internal database of problem reports. Reference the appropriate number if you contact Nokia about any of these items.

Support for Role Based Administration

IPSO 5.0 supports Role Based Administration (RBA). RBA lets you assign access to features by linking that access to a specific user role. By creating a role and assigning feature access to it, you can allow a user access to some features and not others, with either read/write or read-only privileges. You can also define how the user accesses the gateway, through Nokia Network Voyager or through the command line interface.

Support for Non-local User Secure Authentication

IPSO 5.0 supports non-local user secure authentication. The feature lets you use remote authentication servers over RADIUS and TACACS+, with RBA enforced at login.

Nokia IPSO implements Pluggable Authentication Modules (PAM), an industry-standard framework for authenticating and authorizing users. With PAM, the authentication, account management, and session management algorithms are contained in shared modules that you configure on your appliance.

New Network Voyager Graphical User Interface

Nokia IPSO 5.0 uses a new graphical user interface (GUI). The new GUI uses a menu with a tree view, which makes it more intuitive and easier to navigate.

Support for Resource Control

IPSO 5.0 supports resource control. The feature assigns a percentage of CPU processing to each virtual system according to its priority level, so that virtual systems providing more critical functions continue to receive the CPU resources their tasks need.

In IPSO 5.0, to enable resource control you must edit the file resctl.conf in /var/etc. Replace the text resource-control disable with resource-control enable. Then, on a separate line for each virtual system you want to configure, enter the virtual system ID followed by a number, for example 2 10. The number following the virtual system ID is the percentage of CPU you want to allocate to that virtual system. The percentages must be multiples of five, and the total for all virtual systems cannot be more than 80 percent.

To monitor the CPU usage of your virtual systems, enter:
ipsctl -n kern:rctl:rmon:(x)min:(VSID)
where x is the sampling window in minutes and VSID is the virtual system ID. You can monitor in 1, 5, and 10 minute time frames.

Support for Quality of Service (QoS)

IPSO 5.0 supports QoS. QoS provides a way to manage data flows by giving priority to certain flows or limiting others. The Nokia IPSO implementation lets you control throughput and latency on interfaces.

Virtual Switch Support on ADP

IPSO 5.0 supports creation of virtual switches on advanced data path (ADP) interfaces. In the current release, ADP acceleration is not supported, nor are virtual private networks (VPNs).

Link Aggregation Support on ADP

IPSO 5.0 supports link aggregation on advanced data path (ADP) interfaces.

Support for Unnumbered Interfaces

IPSO 5.0 supports the use of unnumbered interfaces. With an unnumbered interface, you can configure a serial interface with an IP address borrowed from an existing interface.

Transparent Mode Support for IP 2250

IPSO 5.0 supports transparent mode on the IP 2250.

PIM Acceleration Support

IPSO 5.0 supports PIM acceleration.

Enhancement for Daylight Savings Time

A number of countries have revised their daylight savings rules to comply with changes implemented in 2007. IPSO 5.0 includes updated daylight savings time information for those countries.
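The resource-control section above gives the rules for /var/etc/resctl.conf (shares in multiples of five, at most 80 percent in total) but no way to check a file before rebooting with it. The following POSIX sh script is an added example, not part of Nokia's release notes or of IPSO: it validates a resctl.conf against those rules and wraps the ipsctl monitoring command in the syntax the notes give. The file layout it parses is exactly the one described above (a resource-control enable|disable line plus one "VSID percent" line per virtual system); treating "#" lines as comments, rejecting a VSID that appears twice, and the function names are this script's own assumptions.

```shell
# Added example; not part of Nokia's release notes.  Validates a
# /var/etc/resctl.conf against the rules under "Support for Resource
# Control" before a VSX gateway is rebooted with it:
#   - each share must be a multiple of five
#   - the shares of all virtual systems must total at most 80 percent
# Assumed file syntax (as described in the notes):
#   resource-control enable|disable
#   <VSID> <percent>        one line per virtual system, e.g. "2 10"
# Treating "#" lines as comments and a repeated VSID as an error are this
# script's own assumptions.
#
# Usage: validate_resctl /var/etc/resctl.conf    (exit 0 = OK, 1 = problems)
validate_resctl() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }              # blank line or comment
        $1 == "resource-control" {
            if ($2 == "enable")       enabled = 1
            else if ($2 == "disable") enabled = 0
            else { printf "line %d: bad value \"%s\" for resource-control\n", NR, $2; bad++ }
            next
        }
        NF == 2 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            if ($2 % 5 != 0)
                { printf "line %d: VSID %s share %s%% is not a multiple of 5\n", NR, $1, $2; bad++ }
            if ($1 in seen)
                { printf "line %d: VSID %s listed more than once\n", NR, $1; bad++ }
            seen[$1] = 1
            nvs++
            total += $2
            next
        }
        { printf "line %d: unrecognised entry: %s\n", NR, $0; bad++ }
        END {
            if (total > 80)
                { printf "shares total %d%%, over the 80%% limit\n", total; bad++ }
            if (!enabled)
                print "note: resource-control is not enabled, so the shares have no effect"
            printf "%d virtual system(s), %d%% of CPU allocated\n", nvs, total
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Show measured CPU use of one virtual system with the ipsctl syntax given
# in the notes.  Only meaningful on the appliance itself.
# Usage: rctl_monitor <VSID> [1|5|10]    (sampling window in minutes, default 5)
rctl_monitor() {
    ipsctl -n "kern:rctl:rmon:${2:-5}min:$1"
}
```

Run validate_resctl on the file after editing it and before rebooting; a non-zero exit means the file would not be accepted as intended. The 80 percent ceiling is the one the notes state, so it is hard-coded rather than configurable.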


Transparent Mode and Virtual Switch Configuration with Check Point GUI

With IPSO 5.0, you configure transparent mode and virtual switches in Provider-1/SiteManager-1 VSX NGX R65 or SmartConsole VSX NGX R65. See the Check Point VPN-1 Power VSX NGX R65 guide.

Support for Check Point vsx_util

IPSO 5.0 supports Check Point vsx_util. The command runs on the management station. vsx_util upgrade and vsx_util reconfigure are used during installation. You can get configuration information on selected virtual systems with vsx_util check-conf. See the Check Point VSX NGX R65 User Guide for more information on vsx_util commands.

Supported Platforms

Note
You must have a minimum of 1 gigabyte of memory on disk-based and flash-based systems to run Nokia Virtual Firewall for Check Point VSX NGX R65. For best performance, Nokia recommends 2 gigabytes of memory on flash-based systems. VSX is not supported on Hybrid platforms.

You can run Nokia Virtual Firewall for Check Point VSX NGX R65 on the following Nokia platforms:
• Nokia IP2450
• Nokia IP2250 and IP2255
• Nokia IP1220 and IP1260
• Nokia IP690
• Nokia IP740
• Nokia IP560
• Nokia IP390


Supported Software

Table 1 shows the supported software components for VSX NGX R65.

Table 1 Nokia Virtual Firewall for Check Point VSX NGX R65 Software Components

Software Component   Software Version                         Operating System
Enforcement Module   VPN-1 VSX NGX R65                        IPSO 5.0
Provider-1 Server    Provider-1/SiteManager-1 VSX NGX R65     SecurePlatform; Solaris 8, 9, 10; Red Hat Enterprise Linux 3.0
Provider-1 Clients   Provider-1/SiteManager-1 VSX NGX R65,    Windows
                     SmartConsole VSX NGX R65
SmartCenter Server   SmartCenter VSX NGX R65                  IPSO; SecurePlatform; Solaris 8, 9, 10; Windows
SmartCenter Client   SmartConsole VSX NGX R65                 Windows




2 Installing Nokia Virtual Firewall for Check Point VSX NGX R65

Obtaining the Nokia Virtual Firewall for Check Point VSX NGX R65 Software Packages

The following procedures describe how to obtain the Nokia IPSO image and the Check Point packages.

To obtain the IPSO 5.0 image
1. Log on to the Nokia customer support Web site at https://support.nokia.com.
2. Click the Software tab.
3. Click the Nokia ES Product link.
4. Click the Security and Mobile Connectivity link.
5. Click the Network Security link.
6. Click the Check Point VSX link.
7. Click the NGX link.
8. Click the Nokia Virtual Firewall for Check Point VSX R65 link.
9. Download the following file to an FTP server or workstation, making note of its MD5 value:
   ipso.tgz
10. If you want Network Voyager and CLI documentation to be available online from Network Voyager, download the Nokia security platform online documentation package (nicdoc42.tgz), which is available under the Documentation tab. Select IPSO 4.2 and click Go.
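Step 9 says to note the MD5 value of ipso.tgz; the value is only useful if it is actually compared with the copy that ends up on the FTP server or workstation. The following POSIX sh functions are an added example, not part of Nokia's release notes or of any Nokia or Check Point tool: they compute the digest with whichever of GNU md5sum or BSD md5 is present and compare it, case-insensitively, with the noted value. The function names and the digest in the usage line are this example's assumptions (the usage digest is a placeholder, not a real value for ipso.tgz). Note the caveat: this catches a truncated or corrupted transfer, which is what an MD5 published next to the download is good for. It is not a defence against deliberate substitution, since file and digest come from the same site, and MD5 collisions are practical.

```shell
# Added example; not part of Nokia's release notes.  Compare the MD5 value
# noted on the download page with the ipso.tgz actually transferred, so a
# corrupted or truncated copy never reaches an appliance.  Uses GNU
# md5sum (Linux) or BSD md5 (IPSO, macOS), whichever exists.
#
# Usage: verify_md5 ipso.tgz 0123456789abcdef0123456789abcdef
#        (the digest above is a placeholder, not a real value)

# Print the lowercase hex MD5 of a file; exit 2 if no digest tool exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        echo "no md5sum or md5 tool available" >&2
        return 2
    fi
}

# verify_md5 <file> <expected-md5>
# exit 0 on match, 1 on mismatch, 2 if the file, tool or digest is unusable
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # An MD5 is exactly 32 hex digits; reject anything else up front so a
    # mistyped value cannot be mistaken for a mismatch caused by the file.
    case $expected in
        *[!0-9a-f]*|'') echo "$file: expected value is not a hex MD5" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 32 ] || { echo "$file: expected value is not 32 hex digits" >&2; return 2; }
    [ -f "$file" ] || { echo "$file: no such file" >&2; return 2; }
    actual=$(md5_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "$file: MD5 $actual matches"
        return 0
    fi
    echo "$file: MD5 MISMATCH (expected $expected, got $actual); download it again" >&2
    return 1
}
```

Run it on the FTP server (or wherever the file was staged) rather than on the download workstation alone, because the second hop is where a transfer in the wrong mode or an interrupted copy usually corrupts the image.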


Note
The Nokia Network Voyager Reference Guide and the CLI Reference Guide are based on Nokia IPSO 4.2, which does not support routing instances. For information about configuring routing instances for features such as VRRP, transparent mode, and routing, consult the Nokia Virtual Firewall for Check Point VSX NGX R65 Installation and Configuration Guide.

Note
To get Check Point software, go to http://www.checkpoint.com.

Before You Start

Before you start the installation process, you should:
• Ensure that there is enough disk space in the root partition to install the IPSO 5.0 image.
• Transfer the software packages to the appliance, if you want to perform the installation from the local file system. You can skip this step if you want to install directly from the remote FTP server, since the tools can transfer the files from the server for you.

Ensuring Enough Disk Space on Root

You need at least 140 megabytes of free disk space in your root partition to install an IPSO 5.0 image. To determine the available disk space, log in to the IPSO shell through a terminal or console connection and enter df -k. If the first number in the Avail column (which shows the available space in the root partition) is less than 140000 KB, make more space available in the root partition by deleting the temporary files listed below if they are present. (These files may not be present, depending on how upgrades were done on your system.)

Execute the following commands to delete the unwanted files:
mount -uw /
rm -f /image/*/bootmgr/*.sav
rm -f /image/*/bootmgr/*.tmp
rm -f /image/VERSION
mount -ur /

If you use the df command after you install IPSO 5.0 as a third image, you might see that the root partition is more than 100 percent full. If no errors were displayed while you installed IPSO 5.0, you can safely ignore this output from df.

Identify Your Configuration Options

In IPSO 5.0, the procedure you follow to install the software on your gateway and management station depends on your configuration. If you have configured virtual switch or transparent mode, see “Configuration With Virtual Switch or Transparent Mode” on page 15 for your installation procedure. If neither virtual switch nor transparent mode is configured, see “Configuration Without Virtual Switch or Transparent Mode” on page 16.

Configuration With Virtual Switch or Transparent Mode

If you have virtual switch or transparent mode configured on your gateway, follow these steps to install the IPSO 5.0 software for your gateway and management station:
1. Upgrade your management station to Check Point VSX NGX R65.
2. Back up your management station and gateway configurations.
3. From your management station, delete the VSX gateway objects.
4. Perform a fresh installation of IPSO as described in “Performing a Fresh Installation” on page 16.
5. Install the Check Point packages.
6. To install SmartConsole:
   a. Uninstall any previous installation of SmartConsole and the SmartConsole plug-in package.
   b. Install SmartConsole.
   c. Install the SmartConsole plug-in package.
7. Management installation:
   a. Install the management HOTFIX from the command line by executing ./UnixInstallScript. This installs the contents of CD1.tgz.
8. Reboot your management server.
9. Run vsx_config. For more information, see the Nokia Virtual Firewall for Check Point Installation and Configuration Guide.
10. Run cpconfig. For more information, see the Nokia Virtual Firewall for Check Point Installation and Configuration Guide.
11. If this gateway is part of a VRRP pair, repeat steps 3 through 5 on the other gateway.

Note
You must configure virtual switch and transparent mode through the Check Point GUI. For more information, see the Check Point VPN-1 Power VSX NGX R65 guide.
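The disk-space check under “Ensuring Enough Disk Space on Root” earlier in this chapter is described as reading a number off df -k by eye, and the cleanup remounts the root file system read-write. The following POSIX sh functions are an added example, not part of Nokia's release notes or of IPSO: they parse df -k output for the line mounted on /, compare the Avail value with the 140000 KB threshold the notes give, and run the notes' cleanup commands only on request. The df output is taken as an argument so the parser can be exercised on a captured sample; the sample device names in the usage and the function names are this example's assumptions.

```shell
# Added example; not part of Nokia's release notes.  Pre-flight check for
# "Ensuring Enough Disk Space on Root": parse `df -k`, confirm the root
# partition has the 140000 KB an IPSO 5.0 image needs, and only then run
# the cleanup the notes give.  On the appliance call:
#     root_has_space "$(df -k)" && echo ok || free_root_space

# Print the Avail column of the line mounted on "/".  Avail is the third
# field from the end whether or not df wrapped a long device name onto a
# line of its own, so it is located relative to NF, not by fixed column.
root_avail_kb() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $NF == "/" { print $(NF-2); found = 1; exit }
        END { if (!found) exit 1 }'
}

# root_has_space "<df -k output>" [needed_kb]
# exit 0 when at least needed_kb (default 140000) is free, 1 if short,
# 2 if no root line was found in the output.
root_has_space() {
    need=${2:-140000}
    avail=$(root_avail_kb "$1") || { echo "root partition not found in df output" >&2; return 2; }
    if [ "$avail" -ge "$need" ]; then
        echo "root: $avail KB free, $need KB needed: OK"
        return 0
    fi
    echo "root: $avail KB free, $need KB needed: free some space first" >&2
    return 1
}

# The cleanup from the notes.  It removes only leftovers of earlier
# upgrades (bootmgr .sav/.tmp files and /image/VERSION), which may not
# exist.  Dry run unless IPSO_CLEAN=1, because it remounts / read-write.
free_root_space() {
    if [ "${IPSO_CLEAN:-0}" != 1 ]; then
        echo "dry run; set IPSO_CLEAN=1 to delete /image/*/bootmgr/*.sav, /image/*/bootmgr/*.tmp, /image/VERSION"
        return 0
    fi
    mount -uw / || return 1
    rm -f /image/*/bootmgr/*.sav /image/*/bootmgr/*.tmp /image/VERSION
    mount -ur /
}
```

Run the check again after the cleanup before starting the install. As the notes say, df reporting the root partition as more than 100 percent full after IPSO 5.0 has been installed as a third image is expected if the installation reported no errors, so this check is for before the install, not after.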


Configuration Without Virtual Switch or Transparent Mode

If you do not have virtual switch or transparent mode configured on your gateway, follow these steps to install the IPSO 5.0 software for your gateway and management station:
1. Upgrade your management station to Check Point VSX NGX R65.
2. Back up your management station and gateway configurations.
3. Perform a fresh installation of IPSO as described in “Performing a Fresh Installation” on page 16.
4. Install the Check Point package.
5. To install SmartConsole:
   a. Uninstall any previous installation of SmartConsole and the SmartConsole plug-in package.
   b. Install SmartConsole.
   c. Install the SmartConsole plug-in package.
6. If you are going to use Provider-1:
   a. Install Provider-1.
   b. Install the Provider-1 HOTFIX.
7. Management installation:
   a. Install the management HOTFIX from the command line by executing ./UnixInstallScript. This installs the contents of CD1.tgz.
8. Reboot your management server.
9. Run cpconfig. For more information, see the Nokia Virtual Firewall for Check Point Installation and Configuration Guide.
10. If this gateway is part of a VRRP pair, repeat steps 3 through 5 on the other gateway.
11. Run vsx_util on your management station. See the Check Point VSX NGX R65 User Guide for information on vsx_util commands.

Performing a Fresh Installation

You must perform a fresh installation of Nokia Virtual Firewall for Check Point VSX NGX R65. Because a fresh installation erases your current configuration, record your current configuration before performing it. Note the following configurations:
• Dynamic routing
• DHCP Relay
• Virtual switch
• Transparent mode
• The vsx_config summary


Note
This procedure will re-image the hard drive and remove all previous installations and configurations. Please make sure you back up your system before proceeding.

Nokia Virtual Firewall for Check Point VSX must be installed on a platform that has not been configured for another installation. If your platform has a previous installation on it, you must perform the procedure described in this section, which will delete the existing installations and configuration.

Before you begin

To install the Nokia IPSO image and Check Point VPN-1 Power VSX NGX R65 packages, make sure:
• You have downloaded the ipso.tgz and fw1_xxxxxxxx_x.tgz files to a directory on an internal FTP server. See “Obtaining the Nokia Virtual Firewall for Check Point VSX NGX R65 Software Packages” on page 13 for information on obtaining these packages.
• The management interface that you will configure on the VSX gateway can reach the FTP server.
• The management interface is connected to your network and you have a link established.

Also, make sure that you know:
• The serial number of your Nokia IP security appliance. The number is on a sticker attached to the appliance and is preceded by “S/N.”
• The IP address and netmask for the management interface.
• The IP address of the FTP server.
• The path to ipso.tgz and the Check Point packages on the FTP server.

To perform the installation

1. Establish a physical console connection to the appliance.
   The console can be any standard VT100-compatible terminal or terminal emulator with the following properties:
   • RS-232 data terminal equipment (DTE)
   • 9600 bps
   • 8 data bits
   • No parity
   • 1 stop bit
   You can also use a data communications equipment (DCE) device.


   To establish the physical console connection, follow these steps:
   a. Connect the appropriate cable to the local console port on the front panel of the appliance. If the console is DTE, use the supplied null-modem cable (console cable). If the console is DCE, use a straight-through cable.
   b. Connect the other end of the cable to the console system.
2. Boot the system and enter the boot manager when the following text appears during the boot process:

   Starting bootmgr.
   Loading boot manager.
   Boot manager loaded.
   Entering autoboot mode.
   Type any character to enter command mode.

   Press any key when the Type any character to enter command mode text appears. The boot manager command prompt appears:

   BOOTMGR[1]>

   If you do not press a key, the system continues to boot. Turn the platform off, then turn it on again. Make sure you watch the screen output while the system boots so you enter the boot manager when prompted.
3. At the boot manager command prompt, type install.
4. Respond to the installation script prompts.
   a. Enter n in response to the questions about IGRP and BGP.
   b. Enter your choice of an installation method.
   c. Enter the IP address of the management interface for the Nokia Virtual Firewall for Check Point VSX gateway, for example 172.16.1.1.
   d. Enter the mask length, for example, 24.
   e. Enter the IP address of the FTP server on which the IPSO image resides.
   f. Enter the IP address of the default gateway.
   g. When you are prompted to choose a physical interface, enter the choice for the management interface for the appliance.
   h. Set the link speed and duplex settings for the interface you selected.
   i. Enter the path to the IPSO package on the FTP server and then enter the filename (ipsoxxxx-buildxxx.tgz).
   j. When you are prompted to choose one of the following options:
      1. Retrieve all valid packages, with no further prompting.
      2. Retrieve packages one-by-one, prompting for each.
      3. Retrieve no packages.


      Enter 1 or 2 to install the Check Point VPN-1 Power VSX NGX R65 packages that are in the same FTP directory as the IPSO image.
   k. At the appropriate prompt, enter y to confirm that the values you entered are correct, or enter n to change any of the values you entered.
   The installation begins and might take several minutes. During the installation you are asked whether to upgrade the boot manager. Respond to the prompt to continue with the installation.
5. When prompted, press Enter to reboot your system and complete the IPSO installation.

Configuring Nokia IPSO Properties

Before you begin to configure your Nokia Virtual Firewall for Check Point VSX gateway as described in the next chapter, Nokia recommends that you configure the properties described in the following sections. The procedures described in these sections assume you are using Nokia Network Voyager to perform the configuration. To log in to Nokia Network Voyager:
1. Start a Web browser and enter the IP address of the interface you configured during the initial configuration into the Location or Address field.
2. Enter the user name admin and the password you entered during the initial configuration.

Changing Physical Interface Properties

Nokia recommends that you change the interface link speed or half or full duplex properties to be compatible with the devices on your network, such as switches, hubs, and routers, before you perform any configuration from the Check Point GUI. This can be done from the CLI or Nokia Network Voyager.

If you plan to aggregate management ports, do not set up link aggregation now using Network Voyager. Instead, configure the link aggregation group, including the physical properties for the individual member interfaces, when you run vsx_config, as described in Chapter 4, “Configuring the Nokia Virtual Firewall for Check Point VSX NGX R65 Gateway.”

To change the interface properties
1. From Network Voyager, select Interface Configuration > Interfaces.
2. In the Physical Interface column, click the interface you want to change.
3. Change the link speed or duplex properties in the Physical Configuration field.
4. Click Apply, and then click Save.

Configuring DNS

Nokia recommends that you configure DNS at this time. From Nokia Network Voyager, select System Configuration > DNS.


Setting the Time, Date, and Time Zone Information

The Check Point license will not work if the time and date for the Nokia Virtual Firewall for Check Point VSX gateway and the management server are not set to the same date and time. Also, you might not be able to establish trust between the gateway and the management server if the time and date information are not the same. From Network Voyager, select System Configuration > Local Time Setup.

Alternatively, you can configure NTP services on the platform so that the time and date are continuously updated from an NTP time server. To do so, select Router Services > NTP.

Enabling HTTPS

When you perform the initial configuration of the Nokia Virtual Firewall for Check Point VSX gateway as described in the next chapter, you will be given the choice of installing a firewall policy that will allow immediate HTTPS access to the gateway after the platform is rebooted and the firewall starts.

Note
To have the firewall policy automatically installed for you, you must type n when the cpconfig utility asks if the system should be rebooted. Only then will you be given the choice of installing the policy that allows access to the HTTPS port.

Since the appliance has HTTPS service disabled by default, you also need to enable HTTPS on the appliance.

To enable HTTPS
1. From Nokia Network Voyager, click Security and Access Configuration > Voyager Web Access.
2. In the Require encryption field, select the level of encryption you want HTTPS to require.
3. Click Apply and then Save.

Note
Nokia IP security platforms come with a default SSL certificate already installed. To ensure secure connections to your appliance, you should replace this default SSL certificate. Consult the Nokia Network Voyager Reference Guide for more details on how to do so.

Installing Nokia License Keys

To use the dynamic routing protocols and transparent mode features in Nokia Virtual Firewall for Check Point VSX, you must install the appropriate license key.


To install the license key
1. Open the license file (.lic) with a text editor.
2. Find the string that looks something like this:

   INCREMENT IPSO-VSX-ROUTE NOKIA 4.2 permanent uncounted HOSTID=ANY \
   SN=0002868 SIGN="00A0 ...string of hex values...543A"

3. Copy the entire string through to the ending quotation mark.
4. From Nokia Network Voyager, click the Config button and then click the Licenses link at the bottom of the page.
5. Paste the string into the appropriate license field.
6. Click Apply and Save.
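As an added example (not part of these release notes or of any Nokia tool), the following Python script pulls the INCREMENT string from a .lic file the way step 2 and step 3 describe: it joins the backslash-continued lines into one string and checks that the string really runs through to the closing quotation mark of the SIGN value, so a truncated copy is reported rather than pasted. The sample license text, serial number, SIGN hex groups and the IPSO-VSX-EXAMPLE feature name are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample .lic content for this example (not a real Nokia license).
# The serial number and SIGN hex groups are placeholders, and IPSO-VSX-EXAMPLE
# is a made-up feature name. The second INCREMENT entry is deliberately cut off
# before its closing quotation mark, as happens when a copy stops short of the
# end of the SIGN value.
SAMPLE_LIC = """\
SERVER this_host ANY
VENDOR NOKIA
INCREMENT IPSO-VSX-ROUTE NOKIA 4.2 permanent uncounted HOSTID=ANY \\
        SN=0002868 SIGN="00A0 1B2C 3D4E 5F60 7182 93A4 B5C6 D7E8 \\
        F90A 543A"
INCREMENT IPSO-VSX-EXAMPLE NOKIA 4.2 permanent uncounted HOSTID=ANY \\
        SN=0002868 SIGN="1122 3344
"""


@dataclass
class LicenseEntry:
    feature: str                                # e.g. IPSO-VSX-ROUTE
    vendor: str                                 # e.g. NOKIA
    version: str
    expiry: str                                 # "permanent" or a date
    count: str                                  # "uncounted" or a number
    attrs: dict = field(default_factory=dict)   # HOSTID=..., SN=..., ...
    sign: str = ""                              # hex groups inside the SIGN quotes
    text: str = ""                              # the single-line string to paste


_HEAD = re.compile(
    r"^INCREMENT\s+(?P<feature>\S+)\s+(?P<vendor>\S+)\s+(?P<version>\S+)\s+"
    r"(?P<expiry>\S+)\s+(?P<count>\S+)\s*(?P<rest>.*)$"
)
# The SIGN value must be quoted and must be the last thing on the line.
_SIGN = re.compile(r'SIGN="(?P<sign>[^"]*)"\s*$')


def logical_lines(text):
    """Join physical lines that end in a backslash into one logical line and
    collapse the indentation whitespace the file uses after each break."""
    out, buf = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        joined = " ".join(" ".join(buf).split())
        if joined:
            out.append(joined)
        buf = []
    if buf:  # file ended in the middle of a continuation
        out.append(" ".join(" ".join(buf).split()))
    return out


def parse_increment(line):
    """Parse one logical INCREMENT line. Raises ValueError when the SIGN value
    is missing or is not closed by a quotation mark (an incomplete copy)."""
    m = _HEAD.match(line)
    if not m:
        raise ValueError("not an INCREMENT line: " + line[:40])
    rest = m.group("rest")
    s = _SIGN.search(rest)
    if not s:
        raise ValueError(f"{m.group('feature')}: SIGN value missing or not "
                         "terminated by a closing quotation mark")
    attrs = {}
    for tok in rest[: s.start()].split():   # key=value pairs before SIGN
        key, _, value = tok.partition("=")
        attrs[key] = value
    return LicenseEntry(
        feature=m.group("feature"), vendor=m.group("vendor"),
        version=m.group("version"), expiry=m.group("expiry"),
        count=m.group("count"), attrs=attrs, sign=s.group("sign"), text=line,
    )


def extract_entries(text):
    """Return (entries, problems): the well-formed INCREMENT entries and one
    message per malformed entry saying what is wrong with it."""
    entries, problems = [], []
    for line in logical_lines(text):
        if not line.startswith("INCREMENT "):
            continue   # SERVER, VENDOR and other lines are not license strings
        try:
            entries.append(parse_increment(line))
        except ValueError as exc:
            problems.append(str(exc))
    return entries, problems


def license_string(text, feature):
    """The complete INCREMENT string for one feature, ready to paste, or None."""
    entries, _ = extract_entries(text)
    return next((e.text for e in entries if e.feature == feature), None)


if __name__ == "__main__":
    found, bad = extract_entries(SAMPLE_LIC)
    for e in found:
        print(f"{e.feature}: SN={e.attrs.get('SN')}, SIGN ends in {e.sign[-4:]}")
    for msg in bad:
        print("skipped:", msg)
```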




3 Limitations

This section describes known limitations associated with Nokia Virtual Firewall for Check Point R65.

See the release notes provided with Check Point VPN-1 Power VSX NGX R65 for more limitations. This document is available as a documentation download at the Check Point Web site.

Not Supported in Nokia Virtual Firewall for Check Point VSX NGX R65

The following features are not supported:
• Security servers
• ConnectControl
• ClusterXL Load Sharing (High Availability is supported)
• UserAuthority server
• CPMAD
• SmartUpdate (for VSX software updates)
• SAM
• SmartView Reporter
• FloodGate-1
• RemoteAccess Visitor Mode
• SecureClient (on ADP platforms)
• Virtual private networks (VPNs) on virtual switches (on ADP platforms)

Hotswapping

• If you reboot the Nokia Multiple Domain Security gateway when an interface is not physically present, then you must rebuild the gateway.


• To hotswap a new network card into a VRRP configuration, follow this procedure:
  1. Plug in the card.
  2. Use Network Voyager to set the speed and duplex of the interfaces.
  3. Run vsx_config to enable VRRP on the new interfaces.
  4. If you are installing a new network card into an IP1220 or IP1260, you need to change the logical interface names so that they follow the naming convention of the existing interfaces. For example, change eth-s1/s1p1c0 to e-s1s1p1c0. Using Network Voyager, select the logical interface on the Interfaces Configuration page (MVS > Interfaces) and then change the logical name in the Logical name field.
  5. In the Check Point GUI, add the new logical interfaces and install the configuration on the gateways.
  6. Reboot the gateways.
  You can now add the new interfaces to an existing VS or create a new VS that uses the interfaces.
  If you do not perform step 2 (enabling and then disabling the interfaces), you will be unable to create virtual systems or routers that use the interfaces.
• To remove an interface card:
  1. Delete any virtual routers or virtual systems that are using interfaces on the card.
  2. Install the policy. You will get errors about the interfaces not being protected by the anti-spoofing feature. Ignore these messages.
  3. Remove the interface card.
  4. Remove all the interfaces from the Physical Interfaces tab for the cluster in SmartDashboard.
  5. Install the policy. You will still receive anti-spoofing errors, which can be ignored. These messages disappear if you reboot the system.
• To replace an interface card with a new one:
  1. Remove the old interface card and insert the new one.
  2. Install the policy. You do not need to make changes to the VSX cluster object if the physical interface names are unchanged. If the names have changed, then follow the above procedure to add new interfaces.
• If you remove an interface card after you have configured VRRP on one of its interfaces, vsx_config erroneously continues to include the interface in its list of interfaces that have VRRP configured on them.


VSX Gateway

• If NAT (Automatic or Manual, Static NAT or Hide NAT) is defined for an IP address in the Security Policy of a virtual system (VS), a route to that IP address needs to be added to any virtual router connected to that VS. To do so, add a propagated dummy route for the NATed IP address, that is, the public IP address, on the VS where the next hop is an IP address of the internal interface.
• Using SNMP to retrieve status information on the VSX gateway is supported only for the management VS.
• Large encrypted packets (typically packets larger than 14000 bytes) might not pass through the firewall with SecureXL turned off.

Installation and Configuration

• If you rebuild your gateway using the newsystem -f command and then delete the firewall package, the old firewall configuration will remain, requiring you to do a fresh installation of IPSO. The following is the workaround:
  Deactivate the firewall package and then delete the package before running newsystem -f.
  Run newsystem -f.
  Reboot.
• On an IP2255, after upgrading from VSX NGX R65, ADP slots 1 and 3 are not recognized when virtual systems are created on a VLAN interface.
• When doing a fresh installation from the boot manager, the configuration script does not ask for a serial number.
• To prevent getting the error messages vnode_pager_output: I/O error 5 and vnode_pager_output: residual I/O 16384 at 0, after completing cpconfig, choose not to reboot and reboot from the IPSO command prompt.
• After you run cpconfig, to enable Nokia Network Voyager access, you must enable SSL encryption before your first reboot. Complete either of the following actions:
  • Run the defaultfilter_open_https command after you run cpconfig.
  • At the end of the cpconfig script, enter n when asked if the system should be rebooted and then y at the following prompt:
    Do you want to open HTTPS port (443) for Voyager Access?
  If you do not enable SSL encryption before the first reboot, the default filter does not allow Nokia Network Voyager access; therefore, when you reboot after installation, no remote Nokia Network Voyager access is available to the module until you install a policy with an accepting rule.
• You can push policies on up to 10 VSs at one time.
• If you change the virtual IP address of a VS physical interface using the Provider-1 GUI and then push the policy, you must flush the existing firewall connection using Provider-1. If you do not flush the existing firewall connection, OSPF adjacency does not occur because the firewall connection table maintains the previous virtual IP address.
• If you need to make changes after cpconfig has been run, but before the configuration has been pushed from the management server, you will need to remove the Check Point packages, perform a newsystem -r and then reinstall the Check Point packages before rerunning the vsx_config script.
• vsx_config displays the wrong error message if your configuration would result in two interfaces being in the same network, which is not an allowable configuration. The message it displays is:
  Error saving config. Please check IPSO version is compatible with VSX
• When you use vsx_config to reconfigure the gateway, make sure you do not have an active Nokia Network Voyager or IPSO CLI connection to the gateway. If you do have an active connection, the vsx_config reconfiguration settings will not be saved.
• If you make many configuration changes, you could get the following error message: VSX interface cannot be set. Contact Nokia Technical Support to resolve this issue.

SecureXL

• When the number of connections is more than 480,000 flows, the fwaccel command returns 0 connections. This count is not accurate. To see the actual number of connections, use the following command:
  ipsctl -i net:ip:flow:sxl:vfw:vs:stats
• If you are performing multiple traceroutes to the same destination when SecureXL is turned on, use a different port number (traceroute -p option) for each trace. If you do not, traceroute performance may be slow and it may drop information about a hop.
Nokia Network Voyager and IPSO CLI

• The Route Monitor page might show instead of the wrpXX interface name.
• Nokia Network Voyager allows you to enter policy-based routes with empty source fields. These policy-based routes are invalid and they will not take effect.

Changing Properties by Using the Multidomain GUI

• You cannot change the IP address of a CMA or remove the CMA.
• When you change the anti-spoofing properties of a VS by using the MDG, you must install a policy on that VS for changes to take effect.
• Changing the connection limit of a VS from the multidomain GUI takes effect only after a policy is installed on that VS.


Miscellaneous Provider-1 Issues

• If you see duplicate entries added for group and subnet objects in the MDG or SmartDashboard, delete the duplicated objects.
• When you use management High Availability, do not use the "Sync on Install" configuration. Use either "manual sync," "scheduled sync," or "sync on save" instead.
• Provider-1 does not allow the MVS interface to be configured with VLAN.
• Any changes through Nokia Network Voyager or the CLI not specified in documentation might conflict with Provider-1 or SmartCenter configurations. If such events occur, they might render the appliance unusable.
• You can configure an initial route with multiple next-hop addresses and metrics from the Provider-1 GUI. However, if you edit a route with multiple next-hop addresses from Provider-1, the route might disappear from the routing table in Nokia Network Voyager. To avoid this issue, use Network Voyager to edit all routes with multiple next-hop addresses.
• You do not see a route between the VS and the IVR in a VRRP configuration from the Provider-1 GUI. You can, however, see this route in Nokia Network Voyager.
• You must use Nokia Network Voyager to configure a static route with a VPP interface as the next hop. You cannot use the Check Point GUI to configure a static route with a VPP interface as the next hop.
• To configure a policy-based route that includes an inbound interface, you must use Nokia Network Voyager. You cannot use the Check Point GUI to do this. See the Nokia Multiple Domain Security Installation and Configuration Guide for more detailed information.
• Protocol MTU does not show in Nokia Network Voyager or the CLI, only the physical MTU. If you modify the MTU using the Provider-1 or SmartDashboard GUIs, only the protocol MTU is affected.
• The Provider-1 and SmartDashboard GUIs support only 55 simultaneous policy-based routes.
• If the CMA does not start, you will need to perform an mdsstop and mdsstart on the Provider-1 management server.
• If a route already exists in a dynamic routing table, it will not be added as a static route when you propagate the route using the Provider-1 GUI.

VSX Clusters

• Changing the cluster product type (product installed: Nokia VRRP) on a VSX cluster which has VSs running on it is currently not supported.
• Changing an interface IP address for a VS takes effect only after a policy is installed on the respective VS.
• You might get an error message and fail to obtain configuration from cluster members through Provider-1 or the SmartCenter GUI. Make sure that you configured the correct IP address for a sync interface when you ran the vsx_config script. For example, if you configure a network interface, such as 80.80.80.0/24, rather than a specific interface, the system fails to get configuration from cluster members. Perform the following workaround to change the IP address for the sync interface so that you can successfully obtain configuration from cluster members: open a console session and use lynx to go to Network Voyager and change the IP address for the sync interface.
• A VSX stand-alone configuration cannot be converted to a clustered configuration.
• When configuring a VRRP cluster, if a VLAN interface has been deselected and it is required again, you must configure it as a monitored interface using vsx_config.
• ICMP errors are sent using the cluster member IP address and not the virtual IP address.
• If you select ten or more additional interfaces for VRRP while running vsx_config, then after completion of the gateway configuration make sure that:
  • all the interfaces are plugged in
  • all the interfaces that are configured for VRRP are in the active or on state in the Network Voyager default instance (either the MVS in DMI or the EVR in non-DMI configurations)
  VRRP will not work properly if these conditions are not met. You might encounter a situation where you receive the following messages when you create a VS and push the policy to the VSX cluster:
    Failed to configure cluster with the following errors:
    cluster-member error :Interface cannot be set
    cluster-member error :Interface cannot be set
  This error typically occurs after you delete a VS with a non-VLAN interface, rerun vsx_config to configure VRRP on that interface while choosing the same router ID as before, and then create a VS using that interface. If you receive these errors, contact Nokia support for help.
Miscellaneous VRRP Limitations

• When you configure two interfaces in VRRP active-active mode in a transparent mode configuration, for example VSB1 and VSB2, VSB2’s interfaces will be listed in the VSB1 Voyager VRRP configuration page. The workaround for this issue is to delete the VSB2 interfaces from the VSB1 configuration.
• In a VRRP configuration, when the master is rebooted, the reboot will take approximately 1 minute per configured virtual system to complete.
• In a VRRP configuration, if you change the VLAN IDs on a transparent mode VS, the older VLAN IDs continue to be monitored. This causes failovers from the master to the backup.
• Do not delete or add an interface to an active (in production) VRRP configuration. This will cause a failover.


• VRRP packets are dropped by the firewall with anti-spoofing messages on VLAN trunk interfaces. The workaround for this issue is to configure each VLAN trunk interface on a separate native VLAN, which is the same for both master and backup for the same interface. For example, if the eth-1 interface is configured on native VLAN 100 on the master, you must also configure the eth-1 interface on native VLAN 100 on the backup. Also, each trunk interface must be configured to be on a different native VLAN.
• When you configure additional VRRP interfaces through vsx_config, you might encounter an error in the virtual router identification (VRID) list. If you have used VRIDs in the upper range limits combined with the lower range limits, for example, 253, 254, 255 and 3, the display of VRIDs already on the system will look like this: 253-3. The workaround to avoid this confusion is to use VRIDs that are consecutive and do not cross the higher to lower boundary ranges.
• You must enable all VRRP interfaces when you run vsx_config for VRRP to work properly in a transparent mode configuration.
• VRRP does not work properly in a non-DMI configuration. The workaround is to disable anti-spoofing.
• Adding and removing a VRRP cluster member to a VSX cluster that has VSs running on it is not supported.
• You cannot communicate from the backup router when you have a non-DMI configuration.
• Using the cphaprob stat command does not give you reliable information with Nokia VRRP.
• You might observe transitions in VPP interfaces.
• VLAN interfaces are not monitored by VRRP. Only the physical interfaces are monitored.
• If you want to add an interface to a VRRP cluster, you must first configure VRRP on the interface using vsx_config (active-passive mode) or Nokia Network Voyager (active-active mode) before you add the interface using the Check Point GUI.
• When you delete a VS that has VRRP implemented but does not have any VLANs and you want to re-use that interface, you must reconfigure that interface to be monitored by VRRP by either rerunning the vsx_config script (active-passive mode) or by using Nokia Network Voyager (active-active mode).

Link Aggregation

• If you want to create a virtual switch (VSW) on a link aggregation interface (LAG), do the following:
  1. Run vsx_config.
  2. Select 1.
  3. Select Yes. This will show the LAG interface in the list of interfaces on which VRRP can be configured.
  4. Select Exit.
  Now add the LAG interface in the Check Point GUI to the physical interfaces and create a VSW with that interface.
• Traffic does not flow through a VRRP configuration when transparent mode is created with a link aggregate interface (LAG). The workaround for this issue is to reboot the system after creating a virtual system (VS) in transparent mode. Rebooting the system will put the interface in a state to pass traffic.
• Interfaces cannot be used for link aggregation once they are removed from either a virtual router or virtual system. The workaround is to remove the interfaces from the VLAN trunk so they can be used in link aggregation.
• Link aggregation does not work with VLAN interfaces. VRRP gets disabled.
• Nokia recommends that you use vsx_config, not Network Voyager, to configure a link aggregation group for the firewall sync interface.
• The vsx_config script lists all ports as configurable in link aggregation, but only firewall sync ports should be configured for link aggregation. On the IP 22xx systems, the sync ports are s5p1 through s5p4 and represent on-board management ports.
• In Network Voyager, existing link aggregation interfaces are incorrectly included in the pulldown list of interfaces that can be added to a link aggregation group. Do not select a link aggregation interface as a member of a link aggregation group.
• The Physical Interface page for a link aggregation group consisting of Gigabit Ethernet interfaces incorrectly allows you to set the link speed for the aggregated interface to either 10 or 100 Mbps. Do not try to set the link speed to either value.
• In the pulldown list of interfaces that can be added to a link aggregation group, Network Voyager might incorrectly show an interface that has an IP address configured on it in another virtual system (or routing instance). Do not select an interface to be a member of a link aggregation group if it has an IP address configured on it in any virtual system.
• If you have link aggregation configured on the built-in 10/100 Mbps Ethernet ports and then you replace them with Gigabit Ethernet ports, you must perform a fresh installation of VSX and then use vsx_config to reconfigure link aggregation.
• If you made a mistake while setting up link aggregation with vsx_config (for example, configuring a member interface with a speed or duplex setting that is different from the primary interface), exit vsx_config. Using Network Voyager, select Interface Configuration > Link Aggregation and correct your mistake by adding or deleting interfaces in the link aggregation group.
If you are adding an interface, make sure you set the correct speed and duplex setting first. Select Interface Configuration > Interfaces and then the physical interface link to do so.
When you are finished reconfiguring link aggregation, rerun vsx_config, but skip the link aggregation configuration by typing n when asked if you want to create Link Aggregated interfaces.

Problems with VPN
• Virtual private networks (VPNs) are not supported on virtual switches on ADP platforms.
• While using SecuRemote/SecureClient on the IP2250 and IP2255, you will see the wrong source IP address on VPN packets during the first negotiation. The VPN will start working after the subsequent key exchange with the correct source IP address.

Problems with NAT
• When NAT is enabled for an internal network of a VS, disable propagate for that interface to prevent internal network routes from being reachable from the outside.

Problems with Routing
• The default route does not get set if you change the configuration of a numbered interface to an unnumbered interface, or vice versa. The workaround for this issue is to remove the default route, push the configuration, and then add the default route and push the configuration again.
• Changes to the virtual system (VS) interfaces cause the propagated routes to disappear from the virtual router (VR) routing table. After reboot, the VS security policy becomes inactive.
• When you initially configure OSPF between multiple virtual systems (VSs) and a virtual router (VR), the routing table may not be correct. The workaround for this issue is to reboot the platform.
• RIP routes become static routes after cpstop/cpstart. You can delete the static routes from Voyager.
• BGP multihop fails to establish the relationship between two VSs when VSX VRRP pairs are used at both ends. BGP multihop works when you pair the VRRP with another router or a stand-alone VSX gateway.
• When you configure policy-based routes in Voyager, you cannot add 0.0.0.0/0 as the destination network even though the help text indicates that you can use this address as a default route. You must configure 0.0.0.0/0 as a normal route if you want to use the address as a destination address.
• In a VRRP configuration, you cannot use MD5 authentication for BGP between the EVR and VS.


• Policy-based routes are applied to any packet, including locally originated packets. For this reason, if you are running VRRP, you should create policy-based routes that allow for the proper routing of VRRP packets. You can either:
  • Make sure that no policy-based routes have a 0.0.0.0/0 destination address.
  • Add a policy-based route for VRRP packets. For example, for an IVR you might add a route like this:
Source 10.57.57.0/24 Destination 224.0.0.18 Interface ANY nexthop
• When implementing PIM Sparse-Mode, if you configure a virtual system as a candidate rendezvous point (RP) and it later becomes the elected RP, the interface selected as the RP for a multicast group is never included in the outgoing interface list of a data stream for that group. Nokia recommends that you not configure a virtual system as a candidate rendezvous point.
• If you redistribute a general route for an IP subnet (for example, 1.2.3.0/24), more specific routes within that subnet (for example, 1.2.3.1/32) are redistributed even if you did not explicitly select them for redistribution.
• Using a policy-based route for encapsulated/encrypted packets is not supported. Because the packet is encapsulated, a policy-based route cannot take effect. Currently, the packet is leaked in clear text.
• When you configure a policy-based or static route between a virtual system and a virtual router, set the next-hop type to logical and use the wrp interface between them as the next-hop interface.
• If you have a dynamic routing protocol configured on the external interface of an EVR, the EVR does not automatically redistribute the static routes to the VSs' main IP addresses into the dynamic routing protocol on the external interface.
• Although the range for the cost metric is given as 1 through 16777215 for OSPF route redistribution, the value 16777215 is not supported, and routes will not be redistributed if this value is used.
• When you configure a BGP connection between an EVR and a VS, you must enable the passive option for the peer VS in the EVR BGP configuration.

Performance
• IP2250 and IP2255 security platforms with 2 GB RAM can accept a maximum of 550K connections.
• If you have a large number of VSs configured, you might see a problem where the CPU busy percentage spikes every 60 seconds. If you encounter this problem, Nokia recommends disabling the monitoring of interfaces, which is CPU-intensive.
To turn off monitoring of interfaces:
1. In Network Voyager, select the monitor link for the default instance.
2. Select the Monitor Report Configuration link under the Current and Historical Network Reports section.
3. Click the off button for the events you wish to no longer monitor.
• Creating more than 20 virtual systems on a gateway might degrade performance, even if the virtual systems are not used.

Miscellaneous Limitations
• When creating virtual systems in transparent mode, do not assign IP addresses that are in a host format such as 15.15.15.1/255.255.255.255 in the Check Point GUI. The Check Point GUI cannot check that this is an invalid netmask for a network address.
• Role Based Administration does not function correctly if you assign user IDs in the range 103-65533. The workaround is to assign user IDs from 0-102.
• DHCP relay fails after a failover and failback or when you use cpstop/cpstart.
• If you have a configuration of two virtual switches attached to a virtual system and you remove an interface attached to one of the virtual switches, your firewall will fail.
• When you use backup and restore, you cannot push a configuration or security policy to the gateway after the gateway is restored. To work around this problem, do the following:
1. Restore the configuration.
2. Reboot.
3. Run the command cpstop.
4. Run the command cpstart.
5. Push the configuration or security policy.
• IPSO does not support virtual local area networks on a virtual switch.
• Do not use the debug kernel. Using the debug kernel results in the following panic, followed by a reboot:
debug kernel: assertion failed: (np->nf_flags && NFF_TEMPLATE) == 0 at ../../netinet/ip_flowswitch.c line 1151
• Turn off Web Intelligence to prevent the following panic:
FW-1: Could not stop acceleration (reason: cphwd_timed_stat_api_call failed).
• Under heavy traffic conditions, you cannot see logs in SmartView Tracker for traffic passing through the gateway.
• If you query for a VS/VR that does not exist, you receive the following error message:
Failed to set process context.
This means that the VS does not exist.
• The following is an example of an error message you might receive when you configure a static host name:
cpconfig: Host name resolution for platform failed...correct it ... use Voyager -> Configure -> Static Host Entries
The message should read:
cpconfig: Host name resolution for platform failed...correct it ... use Voyager -> Configure -> Host Address Assignment
The problem is intermittent and is caused by cpconfig not recognizing that IPSO added host name resolution automatically when you assigned a name to the VSX gateway.
• The fwaccel stats command returns errors when no vsid is specified.
• You might see an unexpected SYN response in the SmartView Tracker for management TCP traffic.
• To add the virtual link between EVR and MVS, use any unique IP address for that interface that can be accessed from the management server, or use the IP address that has the same subnet as the VS main IP address.
1. From the main customer, right-click to create a virtual router for EVR.
2. From MVS, add a new interface that leads to EVR with a unique IP address, preferably in the same subnet as the VS main IP address, that can be accessed from the MDS.
• A static route added through Check Point management might not display in Network Voyager.
• Editing the next hop metric for a static route with multiple next hops causes entries to be lost in Nokia Network Voyager.
• During boot manager installation, you must enter either f, F, full or Full if you want full duplex on an interface. If you enter y, the interface will default to half duplex.
• When you use backup or restore in Nokia Network Voyager, you will not receive a message indicating that the process is finished.
• Heavy VPN traffic on one interface may decrease VPN throughput on other interfaces.
• Open sockets do not reflect the change of an IP address in the system.
• VSX will fail to push a security policy if you use the same VS name, differentiated only by upper or lower case, for two different objects, for example VS1 and vs1.
• SmartDefense might be active on the EVR. The logs for the EVR might show that SmartDefense dropped packets destined for a VS.
• If you perform a traceroute in policy-based routing to the external network from a host on the internal IVR network, the next hop IP address shown is incorrect.
• In the account log view, numbers may not be accurate if a value exceeds the capacity of a signed integer.

Harmless Messages
You can safely ignore these messages:
• When you connect to the gateway using SecuRemote/SecureClient, you might see an "internal error" message associated with the connection in the client log. This message can be ignored.


• When a configuration change occurs, you might receive the following harmless console messages:
FW-1: Hardware accelerator already started (vsid=x). SecureXL device has been enabled for vsid x
• The following console message might appear when you run the cpstart command. The message is harmless, and you can ignore it.
Failed to retrieve an active peer policy or configuration data. Error: failed to synchronize Virtual Systems/Virtual Routers policies
• When you run the cpstop command with a stand-alone firewall, the following console message might appear. The message is harmless, and you can ignore it.
vrrp_fwmonitor: firewall stopping vrrp
• SmartView Tracker might display the following console message even when policy servers are not supported. The message is harmless, and you can ignore it.
PS: Desktop Security not installed on policy server
• After you complete Check Point NG installation on your device followed by a reboot and VSX configuration, which is also followed by a reboot, the following console message might appear. The message is harmless, and you can ignore it.
FW-1: No license for SecureXL
• When you install a security policy on multiple VSs, you might receive a console error message such as the one that follows. This message is harmless, and you can ignore it.
kernel: cluster : failed to send a log in alert_policy_id_mismatch
• You might see error messages when you run the cpstart, cpstop, and halt commands in VRRP mode. The following are examples of error messages you might receive.
Log messages seen on master after you run the cpstart command on master:
kernel: fw_send_kmsg: No buffer for tsid=0 vsid=4
kernel: fw_send_kmsg: No buffer for tsid=0 vsid=3
kernel: fw_send_kmsg: No buffer for tsid=0 vsid=2
Console and log messages seen on backup after you run the cpstop command on master:
FW-1: fwldbcast_update_block_new_conns: sync has stabilized. fw_sync_block_new_conns returned to 0
kernel: FW-1: fwldbcast_update_block_new_conns: sync has stabilized. fw_sync_block_new_conns returned to 0
Console and log messages seen on backup after you run the cpstart command on master:
FW-1: fwldbcast_update_block_new_conns: sync in risk: did not receive ack for the last 2455 packets.
FW-1: fwldbcast_update_block_new_conns: starting to block new connections !
kernel: FW-1: fwldbcast_update_block_new_conns: sync in risk: did not receive ack for the last 2455 packets.
kernel: FW-1: fwldbcast_update_block_new_conns: starting to block new connections !
FW1: Finishing to serve as Full Sync server
kernel: FW1: Finishing to serve as Full Sync server
FW-1: fwldbcast_update_block_new_conns: sync has stabilized. fw_sync_block_new_conns returned to 0
FW-1: fwldbcast_update_block_new_conns: sync has stabilized. fw_sync_block_new_conns returned to 0
Console and log messages on backup after you run the halt system command on master:
FW-1: fwldbcast_update_block_new_conns: sync in risk: did not receive ack for the last 410 packets.
FW-1: fwldbcast_update_block_new_conns: starting to block new connections !
kernel: FW-1: fwldbcast_update_block_new_conns: sync in risk: did not receive ack for the last 410 packets.
kernel: FW-1: fwldbcast_update_block_new_conns: starting to block new connections !
All of the preceding messages are harmless, and you can ignore them.
• You might receive the following console messages. All these messages are harmless, and you may ignore them.
fw_end_acct_conn: got BAD kbuf: 2a30000
kernel: ld_set_wto_ttl: vsid=2 d=118 lp=outbound_SPI tuple; flags 0
segment_time: 12Apr2004 21:5444
• During start up, enabling half/full duplex messages may appear several times. These are harmless error messages and you may ignore them.
• When you send packets larger than 2048 bytes to a VRRP IP address during cpstart or cpstop, you will receive error messages indicating no allocation to the memory buffer. These are harmless error messages and you may ignore them.
• You may receive messages during a security policy push if the VPN is configured. These are harmless error messages and you may ignore them.
• You might get an error message from fwhandle_get indicating an invalid handle when using the cpstop and cpstart commands in SecuRemote. This is a harmless error message and you can ignore it.
• You may see error messages referring to client mspi failure index when you use the cpstart and cpstop commands under a master VRRP configuration. These are harmless error messages and you can ignore them.
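Several of the limitations above (the VRID display wrap-around in the VRRP list, the 0.0.0.0/0 policy-based route that swallows VRRP packets under Problems with Routing, the unsupported OSPF cost 16777215, and the host-format address, the Role Based Administration user ID range and the case-only VS name collision under Miscellaneous Limitations) are all things an administrator can check before pushing a configuration. The following pre-push checker is an added example written for these notes; it is not Nokia or Check Point code, the configuration dictionary layout and every function name are assumptions, and the sample configuration is constructed to trip each check once.

```python
"""Pre-push sanity checks for a VSX configuration, derived from the limitations
listed in these release notes. Added example: not Nokia/Check Point code; the
config dictionary layout and all function names are assumptions."""
import ipaddress

# Destination the notes name for a VRRP-specific policy-based route.
VRRP_DEST = ipaddress.ip_network("224.0.0.18/32")


def transparent_mode_address_ok(addr_with_mask: str) -> bool:
    """Transparent-mode VS addresses must not be host format such as
    15.15.15.1/255.255.255.255; the Check Point GUI does not reject the mask."""
    addr, mask = addr_with_mask.split("/")
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return net.prefixlen < 32


def rba_user_id_ok(uid: int) -> bool:
    """Role Based Administration only works with user IDs 0-102."""
    return 0 <= uid <= 102


def ospf_redistribution_metric_ok(metric: int) -> bool:
    """Cost 16777215 is accepted by the UI but routes with it are never redistributed."""
    return 1 <= metric < 16777215


def vs_name_case_collisions(names) -> list:
    """VS names that differ only by case (VS1 / vs1) make the policy push fail."""
    seen = {}
    for name in names:
        seen.setdefault(name.lower(), []).append(name)
    return [group for group in seen.values() if len(group) > 1]


def vrids_consecutive(vrids) -> bool:
    """A VRID set like 253, 254, 255, 3 wraps the top of the range to the bottom and
    is displayed by vsx_config as the confusing run '253-3'; require one gapless run."""
    ordered = sorted(set(vrids))
    return ordered == list(range(ordered[0], ordered[0] + len(ordered)))


def summarize_vrids(vrids) -> str:
    """Unambiguous rendering of a VRID set: runs never cross the 255 to 1 boundary."""
    ordered = sorted(set(vrids))
    runs, start, prev = [], ordered[0], ordered[0]
    for v in ordered[1:]:
        if v != prev + 1:
            runs.append((start, prev))
            start = v
        prev = v
    runs.append((start, prev))
    return ", ".join(f"{a}-{b}" if a != b else str(a) for a, b in runs)


def pbr_table_safe_for_vrrp(routes) -> bool:
    """Policy-based routes also match locally originated packets, so a route with
    destination 0.0.0.0/0 can misroute VRRP advertisements. The notes allow either
    no default-destination PBR at all, or an explicit PBR for 224.0.0.18."""
    dests = [ipaddress.ip_network(r["destination"]) for r in routes]
    has_default = any(d.prefixlen == 0 for d in dests)
    has_vrrp_route = any(d == VRRP_DEST for d in dests)
    return (not has_default) or has_vrrp_route


def check_config(cfg) -> list:
    """Run every check and return human-readable findings (empty list = clean)."""
    findings = []
    for vs in cfg["transparent_vs"]:
        for addr in vs["addresses"]:
            if not transparent_mode_address_ok(addr):
                findings.append(f"{vs['name']}: host-format address {addr} on a transparent-mode VS")
    for uid in cfg["rba_user_ids"]:
        if not rba_user_id_ok(uid):
            findings.append(f"RBA user ID {uid} is outside the supported range 0-102")
    for group in vs_name_case_collisions(cfg["vs_names"]):
        findings.append("VS names differ only by case: " + ", ".join(group))
    if not vrids_consecutive(cfg["vrids"]):
        findings.append(f"VRIDs are not one consecutive run: {summarize_vrids(cfg['vrids'])}")
    if not ospf_redistribution_metric_ok(cfg["ospf_metric"]):
        findings.append(f"OSPF redistribution cost {cfg['ospf_metric']} is not supported")
    if not pbr_table_safe_for_vrrp(cfg["pbr"]):
        findings.append("policy-based route with destination 0.0.0.0/0 but no route for 224.0.0.18")
    return findings


# Constructed sample configuration (assumption: not a real gateway); each check fails once.
SAMPLE_CONFIG = {
    "vs_names": ["VS1", "vs1", "VS2"],
    "transparent_vs": [{"name": "VS2", "addresses": ["15.15.15.1/255.255.255.255", "15.15.16.0/255.255.255.0"]}],
    "rba_user_ids": [7, 150],
    "vrids": [253, 254, 255, 3],
    "ospf_metric": 16777215,
    "pbr": [{"source": "10.57.57.0/24", "destination": "0.0.0.0/0", "interface": "ANY"}],
}

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

The checks encode only what the notes state; in particular `pbr_table_safe_for_vrrp` does not model Voyager's route-matching order, it only verifies that one of the two conditions the notes give is met.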
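The Harmless Messages list above is the kind of knowledge that belongs in a log pipeline rather than in an operator's memory. The triage script below is an added example, not Nokia or Check Point code: the patterns are transcribed from the messages quoted in this section, the function names are assumptions, and the sample log lines are constructed. It keeps one caveat the notes imply: the `fwldbcast_update_block_new_conns` and `fw_send_kmsg` lines are called harmless only around cpstart, cpstop and halt in VRRP mode, so they are suppressed only when the caller states that such a maintenance window is open; seen at any other time, a "sync in risk" or "starting to block new connections" line still deserves a look.

```python
"""Console/log triage against the Harmless Messages list in these release notes.
Added example, not Nokia/Check Point code. Patterns are transcribed from the
messages quoted in the notes; SAMPLE_LOG is constructed."""
import re

# Messages the notes call harmless regardless of what the gateway is doing.
ALWAYS_HARMLESS = [
    r"Hardware accelerator already started \(vsid=\w+\)",
    r"SecureXL device has been enabled for vsid \w+",
    r"Failed to retrieve an active peer policy or configuration data",
    r"failed to synchronize Virtual Systems/Virtual Routers policies",
    r"vrrp_fwmonitor: firewall stopping vrrp",
    r"PS: Desktop Security not installed on policy server",
    r"FW-1: No license for SecureXL",
    r"cluster ?: failed to send a log in alert_policy_id_mismatch",
    r"fw_end_acct_conn: got BAD kbuf",
    r"ld_set_wto_ttl: vsid=\d+",
    r"^segment_time: ",
]

# Messages the notes call harmless only around cpstart/cpstop/halt in VRRP mode.
MAINTENANCE_HARMLESS = [
    r"fw_send_kmsg: No buffer for tsid=\d+ vsid=\d+",
    r"fwldbcast_update_block_new_conns: (sync in risk|starting to block new connections|sync has stabilized)",
    r"Finishing to serve as Full Sync server",
]


def classify(line: str, in_maintenance_window: bool = False) -> str:
    """Return 'harmless' or 'review' for one console/log line."""
    if any(re.search(p, line) for p in ALWAYS_HARMLESS):
        return "harmless"
    if any(re.search(p, line) for p in MAINTENANCE_HARMLESS):
        return "harmless" if in_maintenance_window else "review"
    return "review"


def triage(lines, in_maintenance_window: bool = False) -> list:
    """Return only the lines that still need a human after the known-harmless ones are dropped."""
    return [line for line in lines if classify(line, in_maintenance_window) == "review"]


# Constructed sample (assumption): five lines taken from the notes plus one unrecognized line.
SAMPLE_LOG = [
    "FW-1: Hardware accelerator already started (vsid=2). SecureXL device has been enabled for vsid 2",
    "kernel: fw_send_kmsg: No buffer for tsid=0 vsid=4",
    "FW-1: fwldbcast_update_block_new_conns: sync in risk: did not receive ack for the last 2455 packets.",
    "kernel: cluster : failed to send a log in alert_policy_id_mismatch",
    "FW-1: No license for SecureXL",
    "kernel: FW-1: constructed example of a message the notes do not cover",
]

if __name__ == "__main__":
    print("outside a maintenance window:")
    for line in triage(SAMPLE_LOG):
        print("  REVIEW:", line)
    print("during cpstart/cpstop/halt in VRRP mode:")
    for line in triage(SAMPLE_LOG, in_maintenance_window=True):
        print("  REVIEW:", line)
```

Anchoring the context-dependent patterns to an explicit `in_maintenance_window` flag is deliberate: a suppression list that silently swallows "starting to block new connections" at 3 a.m. on a quiet night would hide a real sync problem behind a release-notes exception.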
