Release Notes
29 March 2011
2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information
Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11647 For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Revision History
Date | Description
29 March 2011 | Added instructions about Endpoint Security VPN R75 ("What's New in R75")
17 February 2011 | Updated Compatibility with Gateways and Endpoint Clients to exclude support for NGX R62 gateways
27 January 2011 | Updated DLP note in Security Gateway Software Blades
19 January 2011 | Updated the supported web browsers for the DLP portal ("Security Gateway Software Blades")
30 December 2010 | Added that you must install HFA70 on NGX R65 for IPSO 6.2 before you upgrade to R75 ("Supported Management and Gateway Upgrade Paths")
26 December 2010 | First release of this document
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on R75 Release Notes ).
Contents
Important Information
Introduction to R75
What's New in R75
New Terms
Minor Release Content
Supported Products
Software Licensing
Enforcement of IPS Software Blade Licenses
Build Numbers
Supported Security Products by Platform
Security Software Containers
Security Gateway Software Blades
Security Management Software Blades
Clients and Consoles by Windows Platform
Supported Upgrade Paths and Interoperability
Supported Management and Gateway Upgrade Paths
Compatibility with Gateways and Endpoint Clients
IPS-1 Upgrade Paths and Interoperability
Platform Provisions and Requirements
SecurePlatform
IPSO
Linux
Microsoft Windows
Solaris
Maximum Number of Interfaces Supported by Platform
Minimum System Requirements
Security Gateway Hardware Requirements
Security Management Hardware Requirements
SmartConsole and SmartDomain Manager Hardware Requirements
Multi-Domain Security Management Requirements
Multi-Domain Security Management Resource Consumption
SmartEvent Requirements
SmartReporter Requirements
Optimizing SmartReporter Performance
Performance Pack
SecureClient Requirements
Endpoint Security Server and Client Requirements
Known Limitations
Introduction to R75
Thank you for installing Check Point version R75. Please read this document carefully before installing R75. Note - For more information about R75 and to download the software, go to the R75 Home Page (http://supportcontent.checkpoint.com/solutions?id=sk58362).
Other Improvements
Security Management Server supports Series 80 Appliances gateways for centrally managed branch offices.
You can set a different authentication method per blade on the same gateway. For example, a user can log in to Mobile Access with certificate authentication and log in to DLP with username and password authentication. In Gateway Properties, configure the desired authentication method for Check Point IPSec VPN and Mobile Access in its respective Authentication page, and for Identity Awareness in its Authentication Settings page.
You can now use multiple portals over port 443 and port 80. For example, the SecurePlatform Web User interface and the Mobile Access portal can both be on port 443. In the SmartDashboard Gateway properties window, set the Portal URL for the different portals on the portal configuration pages.
The user search for remote access users works according to the user groups. If a user authenticates with an IPSec VPN client and the user is in the LDAP groups of a Remote Access VPN Community, then the user will be found in the LDAP server. If a user authenticates to the Mobile Access portal, and the user is defined in the Access to Application rules as part of the Internal Database groups, the user will be found in the Internal Database.
New Terms
These product and technology names have changed for this version:
Name Before R75 | Name Starting with R75
Identity Logging | Identity Awareness
SSL VPN Software Blade | Mobile Access Software Blade
Provider-1 | Multi-Domain Security Management
Provider-1 MDG | SmartDomain Manager
Multi-domain server (MDS) | Multi-Domain Server
Customer | Domain
Customer Management Add-on (CMA) | Domain Management Server
Customer Log Module (CLM) | Domain Log Server
Multi-Domain Log Module (MLM) | Multi-Domain Log Server
Supported Products
In This Section
Software Licensing
Build Numbers
Supported Security Products by Platform
Clients and Consoles by Windows Platform
Supported Upgrade Paths and Interoperability
Software Licensing
From version R71, customers are required to use Software Blade licenses. If you have not yet migrated to Software Blade licenses, follow the migration options from Check Point's website (http://www.checkpoint.com/products/promo/software-blades/upgrade/index.html). From R71, the software license enforcement module checks that users have current Software Blade Licensing. Users who have installed R71 software using NGX-based licenses, and not Software Blade licenses, will receive warnings on the Security Gateways and SmartDashboard.
For more information about the IPS contract enforcement, refer to sk44175 (http://supportcontent.checkpoint.com/solutions?id=sk44175).
Build Numbers
The following table lists all R75 software products available, and the build numbers as they are distributed on the product DVD. To verify each product's build number, use the given command format or direction within the GUI.
Software Blade / Product | Build Number | Verifying Build Number
Security Gateway | Build 254 | fw ver
Security Management | Build 111 | fwm ver
SmartConsole Applications | Build 979000426 | Help > About Check Point <Application name>
Mobile Access | Build 085 | cvpn_ver
Software Blade / Product | Build Number | Verifying Build Number
 |  | fwm mds ver
 |  | Help > About Check Point Multi-Domain Security Management
SecurePlatform |  | ver
Infrastructure (SVN Foundation) |  | cpshared_ver
Acceleration (Performance Pack) | Build 017 | sim ver -k
Advanced Networking (QoS) | Build 013 | fgate ver
Advanced Networking (Routing) | Build 005 | gated -ver
Monitoring (SVM Server) | Build 011 | rtm ver
Management Portal
Build 979000020
SmartEvent
SmartReporter
Endpoint Policy Server (SecureClient Policy Server)
SecuRemote/SecureClient
UTM-1 Edge Firmware
Endpoint Security Client R73 HFA1
Endpoint Security Server
Help > About
Displayed on the default portal page
Right-click the System Tray icon and select About
About
7.60.076.000
Compatibility Packages | Build Number | Verifying Build Number
CPNGXCMP-R75-00 | Build 008 | /opt/CPNGXCMP-R75/bin/fw_loader ver
CPV40Cmp-R75-00 | Build 008 | /opt/CPV40Cmp-R75/bin/fw_loader ver
CPEdgecmp-R75-00 | Build 007 | /opt/CPEdgecmp-R75/bin/fw ver
CPCON66CMP-R75-00 | Build 006 | /opt/CPCON66CMP-R75/bin/fw_loader ver
CPCON62CMP-R75-00 | Build 007 | /opt/CPCON62CMP-R75/bin/fw_loader ver
CPR71CMP-R75-00 | Build 012 | /opt/CPR71CMP-R75/bin/fw_loader ver
CPSG80CMP-R75-00 | Build 002 | /opt/CPSG80CMP-R75/bin/fw_loader ver
Power-1
UTM-1
(50, 150)
Other Platforms and Operating Systems
For more about supported operating system versions, refer to Operating System Versions.
Microsoft Windows | Server 2003, 2008; Windows XP, 7
RedHat Linux | RHEL 5.0, 5.4
Crossbeam | X-series (see note 3)
Solaris | Ultra-SPARC 8, 9, 10
Notes about Security Software Containers
1. The supported IP Appliances models are 150, 290, 390, 560, 690, 1280, and 2450.
2. We recommend that you install Multi-Domain Security Management on Sun M-Series servers. We do not recommend that you install Multi-Domain Security Management on Sun T-Series servers.
3. Crossbeam support is planned to be available in Q1 '11.
Notes
1. For Windows 2003 SP1, you must install the hotfix specified in Microsoft KB 906469 (http://support.microsoft.com/kb/906469).
2. Windows 2008 Server 64-bit is supported for Security Management only.
Dedicated Gateways
To install R75 on an R71 DLP open server, do a clean install of R75.
These dedicated gateways cannot be upgraded to R75:
Open Server - IPS-1 Sensor, VSX
Appliances - DLP-1, Series 80, UTM-1 Edge, IPS-1 Sensor, VSX-1
Platforms: SecurePlatform | IPSO 6.2 Disk-based | IPSO 6.2 Flash-based | Windows Server 2003
Software Blades:
Firewall
Firewall with Identity Awareness (see note 2)
IPSec VPN
IPS
Mobile Access
DLP (see note 4)
Application Control
Anti-Virus & Anti-Malware
URL Filtering
Anti-Spam & Email Security
Web Security
Advanced Networking QOS
Advanced Networking Dynamic Routing and Multicast Support
Acceleration & Clustering
Notes about Security Gateway Software Blades
1. Crossbeam support is planned to be available in Q1 '11.
2. Identity Awareness supports connections to Microsoft Active Directory (AD) on Windows Server 2003 and 2008. Connections to AD on Windows Server 2000 are not supported.
3. IPSO supports identity enforcement and logging. For Identity Acquisition (AD Query, Identity Agents and Captive Portal) use a SecurePlatform gateway and share the identities with your IPSO gateways.
4. DLP is supported in High-Availability clusters, including Full HA. On UTM-1 130/270, you can either use DLP with Firewall and other Security Gateway software blades, or with Firewall and Security Management software blades. The DLP portal supports these web browsers: Internet Explorer 6, 7, 8; Firefox 3; Chrome 8; and Safari 5.
5. Only Clustering is supported on Windows. Acceleration is not supported.
6. Only third-party clustering is supported on Crossbeam.
Network Policy Management Network Policy Management with Identity Awareness Endpoint Policy Management Logging & Status Monitoring SmartProvisioning Management Portal* User Directory SmartWorkflow SmartEvent SmartReporter
* Management Portal is supported on the following Web browsers: Internet Explorer 7, and Mozilla Firefox 1.5 - 3.0
SmartConsole SmartDomain Manager SecureClient Endpoint Security VPN SSL Network Extender DLP UserCheck Identity Agent
Notes about Clients and Consoles
1. SSL Network Extender is supported on Windows 7 for Network Mode only.
2. Endpoint Security VPN and Identity Agent clients support all editions of Windows 7.
Upgrading from NGX R65
When you upgrade from NGX R65, only these plug-ins may be present: Connectra, SmartProvisioning, VSX, and Messaging Security. The presence of any other plug-in will cause the upgrade process to fail. If you upgrade from NGX R65 with plug-ins to R75, and later want to uninstall R75 (rollback to NGX R65), follow the instructions in sk37252 (http://supportcontent.checkpoint.com/solutions?id=sk37252).
Release
UTM-1 Edge
GX
Endpoint Clients
SecureClient | up to SecureClient NGX R60 HFA 3 with support for Windows 7 32-bit
Endpoint Connect | up to Endpoint Security VPN R75 for Windows
Endpoint Security | up to R73 HFA1
Note - R75 Security Management servers cannot manage gateway versions lower than NGX R65.
SecurePlatform
This release is shipped with the latest SecurePlatform operating system, which supports a large variety of hardware, including open servers and network interface cards. See a comprehensive list of certified hardware (http://www.checkpoint.com/services/techsupport/hcl/index.html). Check this list before installing SecurePlatform on the target hardware.
Note - Cross-platform High Availability is supported if all of the platforms are either SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).
IPSO
When installing this release on IPSO:
Advanced Routing and SecureXL are included by default.
Clustering on IPSO supports VRRP and IP Clustering.
UTM-1 Edge devices cannot be managed from a Security Management server running on IPSO.
All available configurations (Disk-based, Flash-based and Hybrid) of currently available IP Series platforms are supported.
Linux
Before you install Security Management on Red Hat Enterprise Linux 5:
1. Install the sharutils-4.6.1-2 package
   a) Check if you have the sharutils-4.6.1-2 package installed by running:
      rpm -qa | grep sharutils-4.6.1-2
   b) If the package is not already installed, install it by running:
      rpm -i sharutils-4.6.1-2.i386.rpm
      This package can be found on CD 3 of RHEL 5.
2. Install the compat-libstdc++-33-3.2.3-61 package
   a) Check if you have the compat-libstdc++-33-3.2.3-61 package by running:
      rpm -qa | grep compat-libstdc++-33-3.2.3-61
   b) If the package is not already installed, install it by running:
      rpm -i compat-libstdc++-33-3.2.3-61.i386.rpm
      This package can be found on CD 2 of RHEL 5.
3. Disable SELinux
   a) Check if SELinux is disabled by running:
      getenforce
   b) If SELinux is enabled, disable it by setting SELINUX=disabled in the /etc/selinux/config file and rebooting the machine.
Note - Cross-platform High Availability is supported if all of the platforms are either SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).
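The three Red Hat Enterprise Linux 5 checks above combined into one preflight script. This is an added example, not part of the Check Point release notes: the package versions and the Disabled SELinux requirement come from this page, while the function names and the sample rpm -qa inventory are constructed for illustration.

```shell
#!/bin/sh
# Preflight for the RHEL 5 prerequisites this page lists before a
# Security Management install. Function names are hypothetical.

# Exact name-version-release strings taken from the page.
REQUIRED_PKGS="sharutils-4.6.1-2 compat-libstdc++-33-3.2.3-61"

# Constructed sample of `rpm -qa` output: sharutils is present, the required
# compat-libstdc++-33 build is absent and only a look-alike is installed.
SAMPLE_RPMS='bash-3.2-24.el5
sharutils-4.6.1-2
compat-libstdc++-296-2.96-138
glibc-2.5-42'

# has_pkg INVENTORY NVR
# Succeeds when a line of INVENTORY equals NVR or is NVR followed by
# ".<suffix>" (for example an architecture). Plain string comparison, so
# the "." and "+" in package names are never interpreted as a pattern.
has_pkg() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$0 == p || index($0, p ".") == 1 { found = 1 }
                       END { exit !found }'
}

# selinux_ok STATE
# STATE is the output of `getenforce`; the page requires "Disabled".
selinux_ok() {
    [ "$1" = "Disabled" ]
}

# preflight INVENTORY SELINUX_STATE
# Prints one line per unmet prerequisite and returns how many there were.
preflight() {
    failures=0
    for pkg in $REQUIRED_PKGS; do
        if ! has_pkg "$1" "$pkg"; then
            echo "MISSING package: $pkg"
            failures=$((failures + 1))
        fi
    done
    if ! selinux_ok "$2"; then
        echo "SELinux is '$2', expected 'Disabled'"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# "--live" inspects this host; with no argument the constructed sample is used.
if [ "${1:-}" = "--live" ]; then
    preflight "$(rpm -qa)" "$(getenforce)" || echo "$? prerequisite(s) unmet"
else
    preflight "$SAMPLE_RPMS" "Enforcing" || echo "$? prerequisite(s) unmet"
fi
```

Run it with --live on the target server before starting the installer; a non-zero exit status from preflight is the number of prerequisites still to fix.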
Microsoft Windows
High Availability Legacy mode is not supported on Windows. Note - Cross-platform High Availability is supported if all of the platforms are either SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).
Solaris
Security Management Server and Multi-Domain Security Management are supported with Solaris running on UltraSPARC 64-bit platforms (see Management Products by Platform ("Supported Security Products by Platform" on page 11)). R71 Security Gateways are not supported on Solaris.
Required Packages
SUNWlibC SUNWlibCx (except Solaris 10) SUNWter SUNWadmc SUNWadmfw
Required Patches
The patches listed below are required to run Check Point software on Solaris platforms. They can be downloaded from: http://sunsolve.sun.com. To display your current patch level, use the command:
showrev -p | grep <patch number>
Platform | Required | Recommended | Notes
Solaris 8
  Required: 108528-18. Notes: If the patches 108528-17 and 113652-01 are installed, remove 113652-01, and then install 108528-18.
  110380-03
  109147-18
  Required only for 32 bit systems
  Required only for 64 bit systems
  109147-40 or higher
Solaris 9
  112233-12
  112902-07
  116561-03
  Only if dmfe(7D) Ethernet driver is defined on the machine
  112963-25 or higher
Solaris 10
  117461-08 or higher
We recommend that you install Multi-Domain Security Management on Sun M-Series servers. We do not recommend that you install Multi-Domain Security Management on Sun T-Series servers.
Note - Cross-platform High Availability is supported if all of the platforms are either SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).
IPSO | 1024
Windows | 32
Intel Pentium Processor E2140 or 2 GHz equivalent processor
Intel Pentium Processor E2140 or 2 GHz equivalent processor
Sun UltraSPARC IV and higher
1.4GB 10GB (installation includes OS) 1GB Yes (bootable) One or more 1GB
Optical Drive | Yes | Yes
SmartEvent Requirements
SmartEvent can be installed on a Security Management server or on a dedicated machine.
Component | Windows/Linux/SecurePlatform
CPU | Intel Pentium IV 2.8 GHz
Memory | 4GB
Disk Space | 25GB
SmartEvent is not supported on Solaris platforms.
Note - To optimize SmartEvent performance:
Use the fastest disk available with the highest RPM, and a large buffer size.
Increase the machine's memory.
SmartReporter Requirements
These hardware requirements are for a SmartReporter server that processes at least 15GB of logs per day and generates reports according to the performance numbers. For deployments that will generate fewer logs per day, a machine with less CPU or memory can be used, but this may cause performance degradation.
SmartReporter can be installed on a Security Management server or on a dedicated machine.
Component | Windows & Linux Minimum | Windows & Linux Recommended | Solaris
CPU | Intel Pentium IV 2.0 GHz | Dual CPU 3.0 GHz | UltraSPARC III 900 MHz
Memory | 1GB | 2GB | 1GB
Disk Space |  | (on 2 physical disks) |
Installation: | 80MB | 80MB | 80MB
Database: | 60GB (40GB for database, 20GB for temp directory) | 100GB (60GB for database, 40GB for temp directory) | 60GB (40GB for database, 20GB for temp directory)
DVD Drive | Yes | Yes | Yes
Performance Pack
The recommended platform configuration is to use Performance Pack on a platform configured with a QuadCore Intel Xeon Processor 5xxx with 6GB RAM, or more. Check Point appliances with such configuration include: Power-1 11000 Series
Examples of open servers with such configurations include: HP ProLiant DL-360 G6 HP ProLiant DL-380 G6 Dell PowerEdge R610 Dell PowerEdge R710 IBM System x3550 M2 IBM System x3650 M2
SecureClient Requirements
For information about SecureClient Requirements, see the SecureClient NGX R66 Release Notes (http://downloads.checkpoint.com/dc/download.htm?ID=8371).
Known Limitations
Known Limitations for R75 are in sk59040. (http://supportcontent.checkpoint.com/solutions?id=sk59040)