
Check Point® Provider-1/SiteManager-1 NGX (R60)

Release Notes, October 26, 2005

Copyright © 2005 Check Point Software Technologies, Ltd. All rights reserved.

In This Document

• Information About This Release (page 1)
• What’s New (page 8)
• Clarifications and Limitations (page 10)

Information About This Release

This document contains important information not included in the documentation. Review this information before setting up Provider-1/SiteManager-1 NGX (R60).

In This Section

• License Upgrade Requirement (page 1)
• NGX (R60) Products by Platform (page 2)
• Supported Upgrade Paths (page 3)
• Build Numbers (page 3)
• The Regular Expression (RX) Library (page 4)
• Minimum Hardware Requirements (page 5)
• Minimum Software Requirements (page 7)

License Upgrade Requirement

To upgrade to NGX (R60), you must first upgrade licenses for all NG products, as NGX (R60) will not function with licenses from previous versions. The utility pv1_license_upgrade is included on the CD at Tools/LicenseUpgrade/<platform>. See the Upgrade Guide for instructions.

IMPORTANT: Before you begin installation, read the latest available version of these release notes at: http://www.checkpoint.com/support/technical/documents/docs_prov1.html

NGX (R60) Products by Platform

Platform columns of the table: RHEL 3.0 (kernel 2.4.21); Check Point SecurePlatform; Nokia IPSO 3.9; Mac OS X; Solaris UltraSPARC (1) 8 (32/64 bit) and 9 (64 bit); Microsoft Windows Server 2003, 2000 Advanced Server (SP1-4), 2000 Server (SP1-4), 2000 Professional (SP1-4), XP Home & Professional, 98 SE & ME, and Hand-Held PC 2000 & Pocket PC 2003.

Product rows (each X marks a supported platform column; a number refers to the notes below):

SmartConsole GUI: X 2 X X X X X X X
VPN-1 Pro Module (including QoS, Policy Server): X X X X X X X X
SmartCenter Server (incl. VSX): X X X X X X X X 3
SmartPortal: X X X X X X X
SecuRemote: X X X X X
SecureClient: X X X X X X X X
ClusterXL (VPN-1 Pro Module): X X X 4 X X X X X 5
UserAuthority (Management Add-on only): X X X X X X X X X X 6
Eventia Reporter - Server: X X X X X X X X 7
SmartView Monitor: X X X X X X X X
VPN-1 Accelerator Driver II: X X
VPN-1 Accelerator Driver III: X X X X X X X X
Performance Pack: X X X X 8
SmartLSM - GUI: X X X X X
SmartLSM - Enabled Management: X X X X X X X X
SmartLSM - Enabled ROBO Gateways: X X X X X X
SmartLSM - Enabled CO Gateways: X X X X X X X X
Advanced Routing: X X 9
SecureXL Turbocard: X 10
SSL Network Extender - Server: X X X X X X X X
SSL Network Extender - Client: X X X
Provider-1/SiteManager-1: X X X X
Provider-1/SiteManager-1 GUI: X X X X X X X
OSE Supported Routers: Nortel Versions 7.x, 8.x, 9.x, 10.x, 11.x, 12.x, 13, 14; Cisco OS Versions 9.x, 10.x, 11.x, 12.x

Notes to Products by Platform Table

1) See “Minimum Software Requirements” on page 7 for Solaris platforms.

2) The following SmartConsole Clients are not supported on Solaris UltraSPARC 8: Eventia Reporter Client, SmartView Monitor, SmartLSM and the SecureClient Packaging Tool.

Release Notes for Check Point Provider-1/SiteManager-1 NGX (R60). Last Update — October 26, 2005 2

3) VPN-1 Edge devices cannot be managed from a SmartCenter server running Nokia IPSO.

4) HA Legacy mode is not supported on Windows Server 2003.

5) ClusterXL supported only in third party mode with VRRP or IP Clustering.

6) UserAuthority is not supported on Nokia Diskless platforms.

7) Only the Management Add-on of Eventia Reporter is supported on Nokia. Eventia Reporter is not supported on Nokia Diskless platforms.

8) Nokia provides SecureXL as part of IPSO.

9) Nokia provides Advanced Routing as part of IPSO.

10) NGX-compatible Turbocard driver will be available in one of the first NGX HFAs.

Supported Upgrade Paths

The following table specifies the supported upgrade paths to Provider-1/SiteManager-1 NGX (R60).

Source Version                                   'In-Place' Upgrade   Migrate CMAs or SmartCenter Servers to NGX (R60) CMAs
NG with Application Intelligence R55W            Yes                  Yes
NG with Application Intelligence R55             Yes                  Yes
NG with Application Intelligence R54             Yes                  Yes
VSX NG with Application Intelligence Release 2   Yes                  Yes
VSX NG with Application Intelligence             Yes                  Yes
VSX 2.0.1                                        No                   No
NG FP3                                           Yes                  Yes
NG FP2                                           No                   Yes
NG FP1                                           No                   Yes
4.1                                              No                   No

See The Upgrade Guide for details on upgrading and migrating Provider-1/SiteManager-1 components.

Build Numbers

The following table lists all Provider-1/SiteManager-1 NGX (R60) software products available, and the build numbers as they are distributed on the product CD. To verify each product’s build number, use the given command format.

Product        Build No                              Command
MDS            72                                    cpvinfo $MDSDIR/lib/libmds.so | grep "Build Number"
MDG            269_1                                 Help > About Check Point Provider-1/SiteManager-1
SmartConsole   654_1                                 Help > About Check Point SmartDashboard
VPN-1 Pro      457_4 (Windows), 458_2 (all others)   fw ver

The Regular Expression (RX) Library

NGX (R60) uses the RX Library. You can download the library license agreement (LGPL) from: http://www.checkpoint.com/techsupport/downloads/docs/firewall1/r55/GNU_LGPL.pdf

Minimum Hardware Requirements

In This Section

• Solaris Platforms (page 5)
• Linux Platforms (page 5)
• SecurePlatform (page 6)
• Windows Platforms (page 6)

Solaris Platforms

Minimum Requirements for Provider-1/SiteManager-1 MDS

On Solaris platforms, the minimum hardware requirements for installing Provider-1/SiteManager-1 MDS are:

• UltraSPARC II
• 800 MB free disk space for installation
• 256 MB RAM
• One or more network adapter cards
• CD-ROM drive

Minimum Requirements for Provider-1/SiteManager-1 MDG

On Solaris platforms, the minimum hardware requirements for installing the MDG are:

• UltraSPARC III
• 100 MB free disk space for installation
• 256 MB RAM
• One network adapter card
• CD-ROM drive
• 800 x 600 video adapter card

Linux Platforms

Minimum Requirements for Provider-1/SiteManager-1 MDS

On Linux platforms, the minimum hardware requirements for installing Provider-1/SiteManager-1 MDS are:

• Intel Pentium II 300 MHz or equivalent processor
• 450 MB free disk space
• 256 MB RAM
• One or more network adapter cards
• CD-ROM drive

SecurePlatform

Minimum Requirements for Provider-1/SiteManager-1 MDS

On SecurePlatform, the minimum hardware requirements for installing Provider-1/SiteManager-1 MDS are:

• Intel Pentium III 300+ MHz or equivalent processor
• 4 GB free disk space
• 256 MB RAM
• One or more supported network adapter cards
• CD-ROM drive
• 1024 x 768 video adapter card

For details regarding SecurePlatform on specific hardware platforms, see http://www.checkpoint.com/products/supported_platforms/recommended.html

Windows Platforms

Minimum Requirements for Provider-1/SiteManager-1 MDG

On Windows platforms, the minimum hardware requirements for installing the MDG are:

• Intel Pentium II 300 MHz or equivalent processor
• 100 MB free disk space
• 256 MB RAM
• One network adapter card
• CD-ROM drive
• 800 x 600 video adapter card

Minimum Software Requirements

Solaris Platform

Required Packages

• SUNWlibc
• SUNWlibCx
• SUNWter
• SUNWadmc
• SUNWadmfw

Required Patches

Solaris 8: the following patches (or newer) are required on Solaris 8 UltraSPARC platforms:

Number      System   Notes
108528-18   All      If the patches 108528-17 and 113652-01 are installed, remove 113652-01, and then install 108528-18.
110380-03   All
109147-18   All
109326-07   All
108434-01   32 bit
108435-01   64 bit

Solaris 9: the following patches (or newer) are required on Solaris 9 UltraSPARC platforms:

Number      System   Notes
112233-12   All
112902-07   All
116561-03   All      Only if the dmfe(7D) ethernet driver is defined on the machine

To verify that you have these patches installed, use the command: showrev -p | grep <patch number>

The patches can be downloaded from: http://sunsolve.sun.com. Install the 32-bit patches before installing 64-bit patches.

Linux Platform

This release supports Red Hat Enterprise Linux 3.0. For Red Hat kernel installation instructions, visit: http://www.redhat.com/support/resources/howto/kernel-upgrade.

Windows Platform

This release requires that Service Packs be applied to Windows 2000 and Windows 2003 systems. This release supports Service Packs SP1, SP2, SP3, and SP4.
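The Solaris patch check above, showrev -p | grep <patch number>, only tells you whether a string matches, while the requirement is "this revision or newer". The following POSIX shell script is an added example and is not part of the Check Point release notes: it compares the installed revision of each required patch numerically, and it flags the 108528-17 plus 113652-01 combination that the Solaris 8 table says must be untangled before installing 108528-18. The showrev -p listing it reads is constructed and embedded in the script so that it runs without a Solaris host; on a real system, replace that variable with the output of showrev -p.

```shell
#!/bin/sh
# Constructed sample of `showrev -p` output (one "Patch:" line per installed patch);
# not captured from a real Solaris 8 host. 108528 is deliberately at revision 17 with
# 113652-01 present, which is the conflict the release notes call out.
SAMPLE_SHOWREV='Patch: 108528-17 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 110380-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109147-18 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109326-06 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 108434-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWlibC
Patch: 113652-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# patch_level LISTING BASE: print the highest installed revision of patch BASE
# (17 for 108528-17), or nothing if the patch is absent. Revisions are compared
# numerically, which a plain `grep` of the patch string does not do.
patch_level() {
    printf '%s\n' "$1" | awk -v base="$2" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 > max) max = p[2] + 0
        }
        END { if (max > 0) print max }'
}

# patch_ok LISTING REQUIRED: succeed if the installed revision of REQUIRED's base
# patch is at least the required revision (REQUIRED is written like 108528-18).
patch_ok() {
    base=${2%-*}
    need=${2#*-}
    have=$(patch_level "$1" "$base")
    [ -n "$have" ] && [ "$have" -ge "$need" ]
}

# conflict_113652 LISTING: succeed if 108528-17 and 113652-01 are both installed,
# the case where 113652-01 has to be removed before 108528-18 goes on.
conflict_113652() {
    [ "$(patch_level "$1" 108528)" = "17" ] && [ "$(patch_level "$1" 113652)" = "1" ]
}

# check_required LISTING PATCH...: print one line per required patch; the exit
# status is the number of patches that are missing or too old.
check_required() {
    listing=$1; shift
    missing=0
    for req in "$@"; do
        have=$(patch_level "$listing" "${req%-*}")
        if patch_ok "$listing" "$req"; then
            echo "OK       $req (installed revision $have)"
        else
            echo "MISSING  $req (installed revision ${have:-none})"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Demonstration with the Solaris 8 patch list from the release notes.
check_required "$SAMPLE_SHOWREV" 108528-18 110380-03 109147-18 109326-07 108434-01 108435-01 \
    || echo "$? patch(es) need attention before installing the MDS"
conflict_113652 "$SAMPLE_SHOWREV" && echo "remove 113652-01 before installing 108528-18"
```

Against the constructed listing the script reports 108528-18 and 109326-07 as too old, 108435-01 as absent, and the 113652-01 conflict; substituting `showrev -p` output and the Solaris 9 list (112233-12 112902-07 116561-03) gives the corresponding check for Solaris 9.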

What’s New

In This Section

• Unified Management (page 8)
• RedHat Enterprise Linux (page 8)
• SmartCenter Server can Backup CMA (page 8)
• Provider-1 Enterprise Edition License (page 8)
• Native Support of VSX-CMA Bundle License (page 9)
• Administrator Authentication (page 9)
• The mdscmd Utility (page 9)
• Eventia Reporter Support (page 9)
• Web-Based Access to SmartCenter — SmartPortal (page 9)

Unified Management

Provider-1/SiteManager-1 NGX (R60) supports the management of the following Check Point products:

• VPN-1 Pro
• VPN-1 Edge
• VPN-1 VSX (NG with Application Intelligence Release 2 and below)
• Web Intelligence

RedHat Enterprise Linux

MDS is now supported on RedHat Enterprise Linux 3.0 (MDSs are no longer supported on Linux 7.x). The upgrade from an existing MDS on Linux 7.x to the NGX (R60) MDS is described in The Upgrade Guide.

SmartCenter Server can Backup CMA

A SmartCenter server can be configured to back up a Provider-1/SiteManager-1 CMA in a High Availability configuration. The SmartCenter server can function as Active or Standby management for a Customer with one or two CMAs. For installation instructions see the Provider-1/SiteManager-1 User Guide.

Provider-1 Enterprise Edition License

Provider-1/SiteManager-1 NGX (R60) supports the new licenses for Provider-1 Enterprise Edition Products (Part Numbers CPMP-PRE-3-NG and CPMP-PRE-5-NG).

Native Support of VSX-CMA Bundle License

The VSX-CMA bundle license is a single license, installed at the MDS level, enabling the management of Virtual Systems. The new bundle license is available since version VPN-1 VSX NG with Application Intelligence Release 2. Prior to that version, every CMA managing Virtual Systems required a separate license to be installed at the CMA level.

Now, with the support of VSX-CMA bundle licenses, CMAs can use this new MDS level license for managing Virtual Systems.

In a Multi-MDS environment, a separate VSX-CMA bundle license is required on every MDS that has CMAs managing Virtual Systems. The VSX-CMA bundle license enables the definition of CMAs that are dedicated to manage the licensed Virtual Systems, and the MDS Container for these CMAs. For example: a CPPR-VSX-CMA-100-NG license enables the management of 100 Virtual Systems, the definition of up to 100 CMAs dedicated for managing these Virtual Systems, and the definition of one additional CMA for managing the respective VSX gateway(s).

Administrator Authentication

New authentication methods are available for Provider-1 administrators when logging into MDS and CMAs with SmartConsole applications, using the following external authentication servers:

• TACACS

• TACACS+

• RADIUS

Please refer to the Provider-1/SiteManager-1 User Guide for details.

The mdscmd Utility

New commands (enable/disable global use) have been added to the mdscmd utility. For more information, refer to the Provider-1/SiteManager-1 User Guide.

Eventia Reporter Support

Eventia Reporter supports Provider-1/SiteManager-1 NGX (R60) Standard reports. For details, see the Getting Started chapter of the Eventia Reporter User Guide.

Web-Based Access to SmartCenter — SmartPortal

SmartPortal is a web-based management tool providing a centralized view of security policies, network and security activity status. In Provider-1/SiteManager-1, a single SmartPortal server can be globally defined, enabling web-based access to the MDS and all CMAs. For details, see the SmartPortal documentation in the SmartCenter User Guide.


Clarifications and Limitations

In This Section

• Installation/Upgrade (page 10)
• Configuration (page 12)
• Licensing (page 12)
• Backup and Restore (page 13)
• Migrate (page 13)
• Multi-Customer Log Module (MLM) (page 14)
• Global Policy (page 15)
• Global VPN (page 16)
• Identical Internal CA keys (page 18)
• SmartUpdate (page 19)
• SmartPortal (page 19)
• Status Monitoring (page 20)
• Eventia Reporter (page 20)
• Miscellaneous (page 20)

Installation/Upgrade

1) Some of the issues reported by the Pre-Upgrade Verifier may require database modifications. To avoid having to repeat these changes, remember to synchronize your mirror MDSs/CMAs and perform the ‘install database to CLM’ processes. It is highly recommended that you read the “Upgrading in Multi MDS environment” section in The Upgrade Guide.

2) Avoid using the Plug-and-Play license for the Provider-1 configuration and use EVAL licenses instead.

3) Managing 4.1 gateways is not supported.

4) After upgrading an MDS or MLM in a multi MDS environment, SmartDashboard displays CMA and CLM objects with the previous version, and the following error message appears when performing the operation Install Database:

Install Database on <CLM_name> Log Server can only be partially completed. To restore full functionality (full resolving and remote operations), upgrade the Log Server to be the same version as your Management Server.

In order to update the CMA/CLM objects to the most recent version, use the following procedure after upgrading all MDS and/or MLM servers:

1 Verify that all active CMAs are up and running with valid licenses, and that none of them currently has a SmartDashboard connected.

2 Run the following commands in a root shell on each MDS/MLM server:

a mdsenv

b $MDSDIR/scripts/mds_fix_cmas_clms_version -c ALL

3 Synchronize all Standby CMAs and SmartCenter Backup servers and install the database on the CLMs.

In some cases, the MDG will display CMAs with the version that was used before the upgrade. To resolve this issue, after performing steps 1 - 3, do the following:

1 Make sure that each CMA that displays the wrong version is synchronized with the Customer's other CMAs.

2 Restart the MDS containers hosting the problematic CMAs by executing the following commands in a root shell:

a mdsenv

b mdsstop -m

c mdsstart -m

5) When upgrading to NGX R60, all SmartUpdate packages on the MDS (excluding SofaWare firmware packages) are deleted from the SmartUpdate Repository.

6) Management of FireWall-1 4.1 gateways and VPN-1 Net gateways is no longer supported in NGX (R60). Prior to upgrading configurations that contain such gateways, the gateways need to be upgraded to the supported products/versions. Since the pre-upgrade verification tools will not allow the upgrade to proceed as long as such gateways exist in the configuration database, the objects either need to be deleted from the source management or updated to represent a supported product/version. If the objects are updated for the sake of allowing the upgrade to proceed, management of the gateways will not be allowed until the gateway software and license are upgraded as well.

Please also note that configurations that contain externally managed FireWall-1 4.1 gateways cannot be upgraded to NGX. To allow the upgrade to proceed, these objects need to be updated to represent a supported version.

7) After upgrading an R55 SmartCenter server that manages VPN-1 Edge devices to NGX (R60), immediately reinstall policy to all VPN-1 Edge devices and Profiles to avoid loss of connectivity.


Platform Specific Installation/Upgrade Issues — Solaris

8) To upgrade from Provider-1/SiteManager-1 NG FP3, be sure that Hotfix 2 has been installed.

9) Starting with NG with Application Intelligence, Customer names can no longer contain spaces and special characters. When upgrading to NGX (R60), this limitation is examined by the Pre-Upgrade Verifier, and if required an interactive tool for renaming Customer names during the upgrade is offered. Additional details describing this tool can be found in the “Upgrading Provider-1” chapter of The Upgrade Guide.

10) Provider-1/SiteManager-1 NGX (R60) is not supported on Solaris 2.6. Be sure to upgrade the OS before running the command mds_setup.

Configuration

11) In the SecurePlatform installation, the default maximum number of file handles is set to 65536. This also applies to standard Linux installations, but the default number may vary.

For Provider-1/SiteManager-1 installations with a large number of CMAs, 65536 file handles may be insufficient. Indications that the system may not have enough available file handles can be failure of processes to start, and/or crashes of random processes.

• To check if insufficient file handles is indeed the problem, enter the following command from root or expert mode:

# cat /proc/sys/fs/file-nr

This command prints three numbers to the screen. If the middle number is close to zero, or the left number equals the rightmost number, it is required to increase the maximum number of file handles.

• To increase the maximum number of file handles, enter the following command from root or expert mode:

# echo 131072 > /proc/sys/fs/file-max

The number above is for demonstration purposes; the actual figure should be derived from the amount of memory and the number of CMAs.
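The two commands in item 11 as a small POSIX shell script; this is an added example and is not part of the Check Point release notes. The /proc/sys/fs/file-nr sample is constructed, and the optional path argument of raise_file_max exists only so the write can be tried against a scratch file instead of the live kernel setting. One caveat for anyone running the check on a newer system: on the 2.4 kernels this release targets (RHEL 3.0, SecurePlatform), the middle field of file-nr is the number of allocated-but-free handles, which is why the notes say to watch for it approaching zero; on 2.6 and later kernels that field is always 0, so only the first and third numbers carry information there.

```shell
#!/bin/sh
# Constructed sample of /proc/sys/fs/file-nr on a 2.4 kernel: allocated, free, maximum.
# Not captured from a real MDS.
SAMPLE_FILE_NR="65248 112 65536"

# file_nr_status "ALLOC FREE MAX": print a one-line verdict on file-handle headroom.
# Returns 0 when headroom is adequate, 1 when the maximum should be raised.
file_nr_status() {
    set -- $1
    alloc=$1; free=$2; max=$3
    inuse=$((alloc - free))        # handles actually held by processes
    headroom=$((max - inuse))      # handles still available before allocation fails
    # The two conditions from the release notes: allocated has reached the maximum,
    # or the free count is near zero (expressed here as under 5% of the maximum left).
    if [ "$alloc" -ge "$max" ] || [ "$headroom" -lt $((max / 20)) ]; then
        echo "low: $inuse of $max file handles in use, $headroom available"
        return 1
    fi
    echo "ok: $inuse of $max file handles in use, $headroom available"
    return 0
}

# raise_file_max NEW [PATH]: write NEW to fs.file-max (default /proc/sys/fs/file-max).
# Refuses to lower the limit and returns 1 in that case without touching the file.
raise_file_max() {
    new=$1
    path=${2:-/proc/sys/fs/file-max}
    cur=$(cat "$path")
    if [ "$new" -le "$cur" ]; then
        echo "file-max is already $cur; refusing to lower it to $new" >&2
        return 1
    fi
    echo "$new" > "$path" && echo "file-max raised from $cur to $new"
}

# Demonstration against the constructed sample. 131072 is the illustrative figure from
# the release notes; the real value depends on memory and the number of CMAs.
if ! file_nr_status "$SAMPLE_FILE_NR"; then
    echo "consider: raise_file_max 131072   (writes /proc/sys/fs/file-max, run as root)"
fi
```

A value written to /proc/sys/fs/file-max does not survive a reboot; to make it persistent, set fs.file-max in /etc/sysctl.conf as well, so that the MDS does not silently fall back to the default limit after maintenance.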

Licensing

12) If you upgrade licenses after upgrading the MDS, the upgraded licenses will not be displayed in the MDG until after restarting the MDS.

13) Under rare circumstances, a CMA license may not appear in the SmartUpdate view of the MDG, and yet appear in SmartUpdate when launched from the CMA. If this happens, do the following:

1 From the command line in the CMA environment, use the cplic command to remove the missing license, and then add it again.

2 In SmartUpdate, right-click the CMA and select Get Licenses.

Backup and Restore

14) To backup an MDS configuration, or replicate it to another station, use the mds_backup utility. To restore this backup on a new station, first perform a fresh install (using mds_setup), and then use the mds_restore utility.

15) Before running the mds_backup utility, make sure that no SmartConsole Clients are running.

16) A backup file created on a Solaris platform with the mds_backup command cannot be restored on a Linux platform, nor vice-versa. A backup made by mds_backup on Linux can be restored on SecurePlatform and vice-versa.

Platform Specific Backup and Restore Issues — SecurePlatform

17) When performing a backup and restore operation on SecurePlatform, do the following (refer to the SecurePlatform Guide for detailed instructions):

1 Backup the SecurePlatform configuration.

2 Move the backup files to another machine.

3 Perform clean installations of the SecurePlatform OS and Provider-1/SiteManager-1.

4 Restore the SecurePlatform configuration.

Migrate

18) After migrating a SmartCenter server running on a Nokia platform to an NGX (R60) CMA, the VPN-1 Edge objects and Profiles creation option from SmartDashboard is not available. See SecureKnowledge SK26484 for more information.

19) Migrating a CMA/SmartCenter database to a Provider-1 CMA disables the CMA's PnP license, if any.

20) Migration of a CMA is not supported when VSX objects exist in the database.

21) After migrating Global Policies and CMAs that contain Global VPN Community, the VPN Communities mode of the Global Policies view in the MDG may not display all gateways participating in the Global VPN Communities. To resolve this issue, after completing the migration of all relevant configuration databases and starting the MDS and the CMA processes, issue the following commands in the root shell on the MDS:

1 mdsenv

2 fwm mds rebuild_global_communities_status all

22) When migrating complex databases, the MDG may time out with the error message Failed to import Customer Management Add-on, even when the migration process continues and is successful. Therefore, when migrating large databases, it is recommended that you run the migrate operation from the command line. See the cma_migrate command in The Upgrade Guide.

23) A pre-upgrade verification procedure is executed before actually migrating the database. If errors are found that prevent the upgrade, the migration operation is aborted and you are notified of changes that need to be made. The migrate procedure cannot proceed until requested changes are made on the source database. More information is available in the “Upgrading Provider-1” chapter of The Upgrade Guide.

24) The migrate_assist utility reports missing files, depending on FTP server type. If files are missing, copy the relevant files manually. More information regarding the relevant files and the directory structure is available in the “Upgrading Provider-1” chapter of The Upgrade Guide.

25) Before migrating the global database, if there are Global VPN Communities in the source database or in the target database, it is highly recommended that you read the “Gradual Upgrade with Global VPN Considerations” section of The Upgrade Guide.

26) The migrate operation preserves the Internal Certificate Authority database. Therefore, migrating the same SmartCenter/CMA to multiple CMAs actually duplicates the Certificate Authority. To remedy this situation, perform fwm sic_reset after the migration, as described in SecureKnowledge SK17197.

27) If you delete a CMA that has been migrated from an existing CMA or SmartCenter database, and then want to recreate it, first create a new Customer with a new name. Add a new CMA to the new Customer and import the existing CMA or SmartCenter database into the new CMA.

28) After migrating SmartCenter or CMA databases with SmartLSM data, execute the command LSMenabler on on the CMA.

29) After migrating a SmartCenter database which contains SmartDashboard administrators or administrator group objects, these objects remain in the database but are not displayed in SmartDashboard. As the CMA is managed by Customer Administrators via the MDG and not via SmartDashboard, these objects are irrelevant to the CMA. However, if you need to delete or edit one of these objects, use dbedit or GuiDBedit to do so.

Multi-Customer Log Module (MLM)

30) If a CLM on an MLM fails to start, even though you have a license, consult SK23736 to resolve this issue.


Global Policy

31) Before upgrading to NGX (R60), if you have global network objects configured as Web Servers, the following operations must be performed:

1 Uncheck the Web Server property in the General Properties of these objects in Global SmartDashboard.

2 Synchronize the global databases.

3 Reassign global policies.

4 Synchronize all Mirror CMAs with their Primary CMAs.

5 Install databases on all CLMs.

32) When deleting a Check Point host object created in Global SmartDashboard that has the same name as one of the MDS/MLM servers, the SIC certificate of the matching MDS/MLM server may be revoked. To avoid this situation, refrain from defining Check Point host objects with names identical to MDS/MLM servers in the system. If the certificate of one of the MDS/MLM servers is revoked, see SecureKnowledge SK24204 to remedy the situation.

33) Avoid circular references in the Global Policy, as this will cause its assignment to fail.

34) To ensure the integrity of Global Policies, only Provider-1 Superuser and Customer Superuser administrators are allowed to perform a Database Revision Control operation on a CMA. This is to ensure that a lower level administrator does not change the Global Policy assigned to a Customer. This is not a limitation, but rather an effect of the administrator’s permission hierarchy.

35) Assigning a Global Policy to Customers may be a heavy operation. For this reason, it is recommended that you use MDG: Manage > Provider-1/SiteManager-1 Properties > Global Policies and configure Perform Policy operations on 1 customers at a time. For information about an MDS machine that includes a large amount of CMAs and big databases (global database and local CMAs' databases), refer to Hardware Requirements and Recommendations in the Provider-1/SiteManager-1 User Guide.

36) When installing policy from the MDG using the Assign/ Install Global Policy operation, the Security Policy is not installed on VPN-1 Edge profiles. Use SmartDashboard to install policy to VPN-1 Edge profiles.

37) When creating Connectra gateway objects (like other gateway objects, such as VPN-1, VPN-1 Edge, and Interspect), be sure to do so using the CMA SmartDashboard. Defining Connectra objects in Global SmartDashboard is not supported.


38) In NG FP1, when a Global Policy is assigned to a CMA, a default global service object may replace its respective local service object in a local policy. If the default definition of these service objects was changed, such that they are no longer equivalent, then this might change the enforced policy in an unexpected way.

This problem is not eliminated when upgrading (or migrating) to NG FP2 or to NG FP3.

The mds_setup upgrade process automatically runs a pre-upgrade detector, which detects this problem, optionally fixes the conflicting objects, and instructs you how to proceed. The upgrade will proceed only on valid databases.

• When upgrading MDS servers to NGX (R60), the default services are upgraded correctly.

• When migrating CMA databases that contain this problem to NGX (R60), the migration process automatically detects the problem and will not allow the migration until the problem is resolved. The fix in this case would be to implement SK18517 on the source CMA.

• If you have already upgraded from NG FP1 to NG FP3 Edition1 or Edition2 (whether or not you upgraded to NG FP2 in between), you are required to install Provider-1/SiteManager-1 FP3 HF2. See SecureKnowledge SK16866 for more details.

Global VPN

39) Simplified VPN Mode Policies cannot work with gateways from versions prior to FP2. You cannot assign a Global Simplified VPN Mode Policy to a CMA with gateways of version FP2 or lower.

40) Global VPN Communities do not support shared secret authentication.

41) Only Globally-enabled gateways can participate in Global VPN Communities. Gateway authentication is automatically defined using the CMA’s Internal Certificate Authority. Third-party Certificate Authorities are not supported.

42) VPN-1 Edge gateways cannot participate in Global VPN Communities.

43) Currently an external gateway can fetch CRL only according to the FQDN. Therefore, a peer gateway would fail to fetch a CRL when the primary CMA is down (even if the mirror CMA is operational). To avoid this scenario, you can change the FQDN to a resolvable DNS name by executing the following commands:

1 mdsenv <CMA>

2 Run cpconfig and select the menu item Certificate Authority

44) After enabling a module for global use from the MDG, install a policy on the module or use the Install Database operation on the management server in order for its VPN domain to be calculated.

45) When migrating a CMA, all CMAs that participate in a Global VPN Community must be migrated as well. If you do not migrate all relevant CMAs, it will affect Global Community functionality and maintenance.

46) A globally enabled gateway can be added to a Global VPN Community from Global SmartDashboard only through the community object and not from the VPN tab of the object.

47) When a VPN Simplified Mode Global Policy is assigned to a Customer, all of the Customer’s Security Policies must be VPN Simplified as well.

48) If the Install policy on gateway operation takes place while the MDS is down, the status of this gateway in the Global VPN Communities view is not updated.

49) Performing a sic_reset operation on a Customer's CMA resets the Customer's Internal CA (Certificate Authority), and revokes all the certificates that were ever issued by this CA. For this reason, sic_reset should be avoided and should be done only in rare cases.

Before performing this operation on a CMA, you must first remove the IKE certificates of all the VPN gateways. This change to gateway properties is blocked for gateways enabled for Global Use. The following procedure describes the steps to be taken to ensure the correct operation of Global VPN Communities when performing the sic_reset operation.

Before Running the sic_reset Command

1 In Global SmartDashboard, ensure that the VPN-1 gateway and encryption domain objects (of the Customer whose CA is to be reset) are removed from all Global VPN Communities and from security rules. Then save the Global Policy.

2 In the MDG, disable these gateways from Global Use.

3 Re-assign the Global Policy to the Customer owning the CMA that sic_reset is being performed on.

4 In the CMA SmartDashboard, for each of the VPN-enabled gateways, open the VPN tab and remove all VPN communities from the list. Click OK. Then open the General Properties and uncheck the VPN checkbox in the Check Point products list. After unchecking the checkboxes, you can safely ignore warnings regarding the Certificates, IKE Matching Criteria and the defined encryption key. Save the policy.


5 On the MDS computer, open a root shell and switch to CMA's environment using the command mdsenv <cma name>, where <cma name> is the name of the CMA to be reset.

Run the sic_reset Command

6 Execute the sic_reset operation using the command fwm sic_reset. While executing the command, read the displayed warnings and explanations carefully and proceed with all the operations required to complete the command.

After Running the sic_reset Command

7 Re-create the internal CA using the command: mdsconfig -ca <cma name> <cma ip>

where <cma name> is the name of the CMA to be reset, and <cma ip> is the CMA's Virtual IP address.

8 Start the CMA.

9 In the SmartDashboard of the CMA, for all participating gateways (modified during step 4), check the VPN checkbox in the Check Point products list. After checking the checkboxes, please ignore warnings regarding creation of an internal CA certificate. Save the policy. Close SmartDashboard.

10 In the MDG, enable all the participating gateways (that were disabled during step 2) for Global Use.

11 In Global SmartDashboard, restore all rules and references to the gateways that were removed during step 1. Save the changes to the Global Policy.

12 Re-assign the Global Policy to all the Customers participating in the Global VPN Communities with the Customer whose CA has been reset, and re-install the policy on all gateways participating in the Global VPN.
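The command-line part of the procedure (steps 5 to 8) is destructive and easy to run against the wrong CMA. The following wrapper is an added example, not a Check Point utility: it refuses to run unless it is root, unless mdsenv has switched the shell to the named CMA, and unless the Virtual IP is well formed; it prints the exact commands it is about to run and demands the CMA name as confirmation before running fwm sic_reset and mdsconfig -ca. Two assumptions are not taken from the release notes: that mdsenv exports FWDIR with the CMA name in its path, and that the CMA of step 8 is started from the command line with mdsstart_customer.

```shell
#!/bin/sh
# Guarded wrapper for steps 5 to 8 of the sic_reset procedure.
# Added example, not a Check Point utility.
# Assumptions (not from the release notes):
#  - run from the root shell of step 5, after "mdsenv <cma name>", which
#    is assumed to export FWDIR with the CMA name in its path;
#  - the CMA of step 8 is started with "mdsstart_customer <cma name>".
# Sourcing this file only defines functions; running it as
# "<cma name> <cma ip> [--yes]" performs the reset.

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print, one per line and in order, the commands the reset will run.
build_plan() {
    printf '%s\n' "fwm sic_reset" \
                  "mdsconfig -ca $1 $2" \
                  "mdsstart_customer $1"
}

# Refuse unless root, unless FWDIR belongs to this CMA (assumed layout),
# and unless the Virtual IP is sane. Prints the reason on failure.
preflight() {
    cma=$1; ip=$2
    [ "$(id -u)" -eq 0 ] || { echo "preflight: must run as root" >&2; return 1; }
    case "${FWDIR:-}" in
        */"$cma"/*) ;;
        *) echo "preflight: FWDIR='${FWDIR:-}' is not CMA '$cma'; run: mdsenv $cma" >&2
           return 1 ;;
    esac
    valid_ipv4 "$ip" || { echo "preflight: '$ip' is not a valid IPv4 address" >&2; return 1; }
    return 0
}

run_reset() {
    cma=$1; ip=$2; confirm=${3:-}
    preflight "$cma" "$ip" || return 1
    echo "sic_reset on CMA '$cma' revokes every certificate its Internal CA ever issued."
    echo "Commands that will run:"
    build_plan "$cma" "$ip" | sed 's/^/  /'
    if [ "$confirm" != "--yes" ]; then
        printf 'Type the CMA name to continue: '
        read -r answer
        [ "$answer" = "$cma" ] || { echo "aborted" >&2; return 1; }
    fi
    # Each command is interactive; stop at the first failure so the CA is
    # not re-created on top of a half-finished reset.
    fwm sic_reset || return 1
    mdsconfig -ca "$cma" "$ip" || return 1
    mdsstart_customer "$cma"
}

# Act only when invoked with arguments, so sourcing is side-effect free.
if [ $# -ge 2 ]; then
    run_reset "$@"
fi
```

Run it as root from the shell of step 5, for example ./sic_reset_guarded.sh cma1 192.0.2.10; pass --yes only from automation that has already confirmed the target. The GUI steps before and after (removing and restoring the gateways from Global VPN Communities) still have to be done by hand.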

50) Enabling and disabling global use of a gateway that belongs to a Customer with a CMA High Availability configuration via the command mdscmd is supported only when the MDG is launched from one of the MDSs in the Multi-MDS environment.

51) When using VPN-1 VSX Virtual Systems in Global VPN Communities, the operating system and version displayed on objects representing Virtual Systems in peer CMAs is incorrect. This information can be safely ignored.

Identical Internal CA keys

52) It is possible to create a situation where multiple CMAs will have identical CA keys (although the CA names will be different). This situation may prevent site-to-site IKE VPN between two gateways managed by two CMAs with the same CA key.


Such a situation can be created in the following ways:

• Multiple CMAs are created within the first hour after the MDS installation (or after its upgrade from 4.1). Affected versions: all NG versions, until (but not including) FP3.

• The same CMA (or SmartCenter) is migrated many times into the same Provider-1 system. Affected versions: All NG and later versions.

CA keys are retained across upgrades, so upgrading an affected system will not change the problematic situation.

The following solutions are available:

• A fresh installation is not affected by multiple CMAs created within the first hour. Multiple CMAs can safely be created right after the installation.

• In an upgrade scenario, the mds_setup process will automatically detect if the original system is affected. If detected, it will issue a detailed warning, and will refer you to the relevant SK.

• The NGX (R60) package includes commands for manual invocation of the detection tool. The detector can be run on any of the affected versions: NG FP1/HF1, FP2 and FP3. See SecureKnowledge SK17196 for details.

SmartUpdate

53) Firmware packages cannot be deleted from the SmartUpdate repository. In order to delete packages, see SecureKnowledge SK30650.

54) When using the MDG’s SmartUpdate view, packages are added to the SmartUpdate repository of the MDS to which the MDG is connected. When in a Multi-MDS environment, make sure that each SmartUpdate package is added to each MDS individually. When adding SofaWare firmware packages in such an environment, a package added to one MDS will appear to have been added to all other MDSs. In this case as well, make sure that each firmware package is added to each MDS individually.

55) After detaching a Central license from a CMA using the SmartUpdate view, the license remains in the License Repository, and therefore cannot be added again to the CMA from the MDG General view. To add it again, reattach the license using SmartUpdate.

56) SmartUpdate packages cannot be added to the MDS Package repository if no CMAs are defined. Before populating an MDS's SmartUpdate repository with packages, define at least one CMA.

SmartPortal

57) When using Management High Availability (between a SmartCenter server and either a CMA or an MDS), changeover may not succeed while SmartPortal is connected in Read/Write mode. To resolve this issue, do one of the following:


• Only allow access from SmartPortal to Read-only administrators

• Disconnect Read/Write SmartPortal clients from SmartView Monitor

Status Monitoring

58) A CMA will report the status Waiting until it is started for the first time.

59) In a CMA High Availability configuration, the High Availability synchronization status in the MDG may contain inconsistent values if valid licenses have not been installed. If this is the case, the synchronization status should be ignored. In order to operate, however, all CMAs must have valid licenses.

60) SmartView Monitor displays invalid statuses when connecting to a CLM. To view Customer statuses using SmartView Monitor, connect to a CMA.

Eventia Reporter

61) As Eventia Reporter data is not synchronized on multiple MDSs in High Availability configurations, Eventia Reporter should be set to work with just one MDS. To do so, install the Eventia Reporter Add-on on one MDS only, and log into this MDS whenever using the Eventia Reporter client.

62) You must log into the Eventia Reporter client using a Provider-1 Superuser administrator account, or a Customer Superuser administrator account. Other administrator types are not supported.

63) Only one Eventia Reporter server is supported. Do not define more than one Eventia Reporter server in Global SmartDashboard.

64) For Eventia Reporter to function properly, all Customers must have a Global Policy assigned to them. If a Customer has not been assigned a Global Policy, all reports generated for this Customer will fail with the following error: Could not retrieve CMA for customer <CUSTOMER-NAME>. CMA is either stopped or standby.

Miscellaneous

65) In a CMA High Availability configuration, the MDG may alternately report the status of VPN-1 Edge gateways as either OK or Not Responding. To see the correct status, open SmartView Monitor on the Active management.

66) Certificates for Provider-1 administrators should be created only from an MDG connected to the MDS that currently hosts the active global database.

67) A VSX gateway cannot be deleted with a license attached, and attempting to do so causes a non-specific error message to appear. To delete the gateway, first detach the license using SmartUpdate or the CLI.


68) When working with a large CMA database, synchronizing this database may take some time. If you create a second CMA from the MDG, the MDG's timeout may expire first, so the operation appears to have failed when in fact it completes successfully a little later.

To make sure that this operation finished successfully after the MDG's timeout:

1 Wait until the second CMA is displayed on the MDG, with a Started status.

2 From SmartDashboard, connect to the active CMA.

3 Select Policy > Management High Availability and in the displayed window verify that the standby CMA's Status is Synchronized.

69) When in demo mode on a Solaris system, trying to launch SmartConsole applications from the MDG may result in the following error: The connection has been refused because the database could not be opened. To work with SmartConsole applications in demo mode, open them from the command line without using the launching option through the MDG. The SmartConsole applications are installed under $GUIDIR/bin. For Global SmartDashboard, use the following syntax from the command line: $GUIDIR/bin/PolicyEditor "connect *local localuser localpass /global"

70) The cp_merge utility is not supported in Provider-1/SiteManager-1.

71) In certain situations, after stopping CMA processes, the VPN-1 Edge management processes sms and smsstart_wd continue running. These processes should be terminated with the kill utility.
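Killing these processes by name is easy to get wrong: a substring match such as pkill sms would also hit any unrelated process whose name merely contains "sms". The following script is an added example, not a Check Point tool: it selects only processes whose command name is exactly sms or smsstart_wd (the two names given in the note), sends TERM first and KILL only to processes that are still alive. It assumes ps -eo pid,comm is available, as on Solaris and Linux; the ps listing embedded in the script is constructed so the selection can be rehearsed without a live MDS.

```shell
#!/bin/sh
# Added example for note 71, not a Check Point tool: terminate VPN-1 Edge
# management processes (sms, smsstart_wd) left running after the CMA
# processes were stopped. Assumes "ps -eo pid,comm" is available.

# Constructed sample of "ps -eo pid,comm" output, not taken from a real MDS.
# "smsd" is included to show that a substring match would be wrong.
SAMPLE_PS='  PID COMMAND
  101 fwm
  202 sms
  203 smsstart_wd
  204 smsd
  205 cpd'

# Print the PIDs whose command name is exactly sms or smsstart_wd.
# $1 is a ps listing with columns pid and comm; the header line is skipped.
leftover_edge_pids() {
    printf '%s\n' "$1" | awk 'NR > 1 && ($2 == "sms" || $2 == "smsstart_wd") { print $1 }'
}

# TERM first, then KILL only the processes that have not exited after a
# short grace period. Reads the live process table.
stop_leftover_edge_procs() {
    pids=$(leftover_edge_pids "$(ps -eo pid,comm)")
    if [ -z "$pids" ]; then
        echo "no leftover VPN-1 Edge management processes"
        return 0
    fi
    echo "terminating:" $pids
    kill -TERM $pids
    sleep 3
    for p in $pids; do
        if kill -0 "$p" 2>/dev/null; then
            kill -KILL "$p"
        fi
    done
}

# Rehearsal on the constructed listing: prints 202 and 203 only.
leftover_edge_pids "$SAMPLE_PS"
```

Run stop_leftover_edge_procs as root on the MDS after the CMA processes have been stopped; running it while the CMA is still up would terminate processes the CMA still needs.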

72) CPInfo is a support tool included on the Provider-1 NGX CD that gathers a wide range of data concerning the Check Point packages in your system. When speaking with a Check Point Technical Support Engineer, you may be asked to run CPInfo and transmit the data to the Support Center. To use CPInfo on the MDS machine, install the CPInfo package using pkgadd (Solaris) or rpm (Linux), according to the OS of the MDS. After installing CPInfo, if you later need to uninstall the MDS, be sure to uninstall CPInfo first, using pkgrm or rpm.
