R71.40 Release Notes
3 July 2011
2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11894 For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
Revision History
Date: 03 July 2011
Description: First release of this document
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on R71.40 Release Notes).
Contents
Important Information
Introduction
What's New
Included Releases
Platform Provisions and Requirements
Supported Upgrade Paths
Supported Security Products by Platform
Security Software Containers by Platform
Dedicated Gateways
Security Gateway Software Blades by Platform
Security Management Software Blades by Platform
Clients and Consoles by Windows Platform
Minimum System Requirements
Required Disk Space
Build Numbers
Installing R71.40
New Installation
Installing the Client Applications
Upgrading from R70.40
Upgrading from R71 or Higher
Upgrade Packages
Upgrading with the SecurePlatform Web User Interface
Upgrade Using the Command Line
Upgrading with the Command Line for IPSO Flash-Based
Upgrade Using SmartUpdate
Upgrading with the SecurePlatform Embedded Web User Interface
IPS Pattern Granularity Installation
Uninstalling
Configuring the R71.40 Features
Configuring Implied IPS Exceptions
Configuring Secure Workspace Applications by Vendor
Configuring Windows Vista or Windows 7 for Mobile Access Portal
Configuring IPS Pattern Granularity
Activating New Protections
Network Exceptions for the New Protections
Handling Multiple Matches of a Pattern
Introduction
Thank you for updating to Check Point version R71.40. This version contains new features and resolves various issues for Check Point Software Blades. Please read this document carefully before installing. For more information about R71.40 and to download the software, go to the R71.40 Home Page (http://supportcontent.checkpoint.com/solutions?id=sk63761). Known Limitations are listed in sk63762 (http://supportcontent.checkpoint.com/solutions?id=sk63762). Resolved Issues are listed in sk63763 (http://supportcontent.checkpoint.com/solutions?id=sk63763).
What's New
Upgrade from R70.40 directly to R71.40
Security Management
IPS improvements
SmartEvent enhancements
Increase pattern granularity - The Header rejection, Http worm catcher and Cifs worm catcher patterns were converted into separate protections, giving more granularity in their settings. This feature is installed during the first IPS update process (online update, offline update or scheduled update).
Implied exceptions - Built-in exceptions that allow trusted traffic of Check Point products.
Security Gateway
IPS Geo database - The Geo country-ranges database accuracy has been significantly improved.
VPN Client
This version includes a deployment package of Endpoint Security VPN R75, which replaces SecureClient and Endpoint Connect. For automatic deployment of the new VPN client, select a client upgrade mode in Global Properties > Remote Access > Endpoint Connect.
Included Releases
This release includes all features and fixes that were included in R71.30. See the R71.30 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=11714). This release includes the Windows 7 64-bit Hotfix for Connectra NGX R66.1 and SSL VPN R71.30.
lower than NGX R65: First upgrade to NGX R65, then upgrade to R71.10.
Security Gateway Series 80: Get image: fw1_R71_730156065_HFA40.img
Notes - This release is automatically activated on all Provider-1 Domains. For advanced upgrade procedures, see the R71.40 Advanced Upgrade and Migration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=12194).
Smart-1
Power-1
UTM-1
Windows Server 2003/2008 (SP1-2) 32bit Security Management Security Gateway Provider-1 MDS 7 Professional Enterprise Ultimate 32bit/64bit
Crossbeam X-series
Solaris
UltraSPARC 8, 9, 10
Notes for Security Software Containers
We recommend that you install Provider-1 on Sun M-Series servers.
We do not recommend that you install Provider-1 on Sun T-Series servers.
Dedicated Gateways
These dedicated gateways cannot be upgraded to R71.40:
Open Server - IPS-1 Sensor, VSX
Appliances - DLP-1, UTM-1 Edge, IPS-1 Sensor, VSX-1
Windows IPSO 6.2 IPSO 6.2 Server Disk-based Flash-based 2003/2008 (SP1-2) 32bit
Crossbeam X-series
Notes
1. The maximum number of supported cluster members in ClusterXL mode is five; in third-party mode the maximum is eight.
2. Only Clustering is supported in Windows. Acceleration is not supported.
3. Only third-party clustering is supported.
4. Based on IP reputation.
5. Only High Availability is supported.
2003 only
* Management Portal is supported on the following Web browsers: Internet Explorer 6 and 7, and Mozilla Firefox 1.5 - 3.0
SmartConsole Provider-1 MDG SecureClient SSL Network Extender Endpoint Security Client Endpoint Connect Client DLP UserCheck
* During installation, the process may use additional disk space that will be released when installation ends.
Build Numbers
This table contains the R71.40 software products updated in this release and their build numbers. To confirm that the hotfix is installed, run the version command for each product. If the command returns the build number listed, the hotfix is installed.

Software Blade / Product: Security Gateway
Build No.: 976601084
Version Command: fw ver -k
Output: This is Check Point VPN-1(TM) & FireWall-1(R) R71.40 - Build 084
        kernel: R71.40 - Build 084

Software Blade / Product: Security Management
Build No.: 976601023
Version Command: fwm ver
Output: This is Check Point Security Management Server R71.40 - Build 023

Software Blade / Product: SmartConsole Applications
Build No.: 976601035
Version Command: Help > About
Output: Check Point <Application Name> R71.40 (Build 976601035)

Build No.: 976601027
Version Command: fwm mds ver
Output: This is Check Point Provider-1 Server R71.40 - Build 027

Build No.: 976601009
Version Command: Help > About
Output: Check Point Provider-1 R71.40 (Build 976601009)

Software Blade / Product: SecurePlatform
Build No.: 976601020
Version Command: splat_ver
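The build check described above can be scripted against saved command output. This is an added example, not part of the release notes or of any Check Point tool; it assumes the CLI prints the last three digits of the listed build number (as each sample output in the table does), and the two non-matching samples are constructed.

```shell
#!/bin/sh
# Added example, not Check Point code. Compares saved version-command output
# with the build numbers listed in the Build Numbers table.
VERSION="R71.40"

# Assumption: the CLI prints the last three digits of the full build number
# (976601084 -> "Build 084"), as in each sample output in the table.

# check_build FULL_BUILD_NO OUTPUT
#   0 = every "<VERSION> - Build NNN" line carries the expected build
#   1 = at least one line for this version carries a different build
#   2 = no line for this version at all (hotfix not installed)
check_build() {
    expected=$(printf '%s' "$1" | sed 's/.*\(...\)$/\1/')
    builds=$(printf '%s\n' "$2" | grep -F "$VERSION - Build " |
             sed 's/.* - Build \([0-9]*\).*/\1/')
    [ -n "$builds" ] || return 2
    for b in $builds; do
        [ "$b" = "$expected" ] || return 1
    done
    return 0
}

# Output of "fw ver -k" as quoted in the table.
GW_OK='This is Check Point VPN-1(TM) & FireWall-1(R) R71.40 - Build 084
kernel: R71.40 - Build 084'
# Constructed sample: the kernel line disagrees with the product line.
GW_MIXED='This is Check Point VPN-1(TM) & FireWall-1(R) R71.40 - Build 084
kernel: R71.40 - Build 000'
# Constructed sample: a management server that was never upgraded.
MGMT_OLD='This is Check Point Security Management Server R71.30 - Build 000'

report() {   # report LABEL FULL_BUILD_NO OUTPUT
    if check_build "$2" "$3"; then echo "$1: OK"
    else echo "$1: FAILED (status $?)"; fi
}
report "gateway"         976601084 "$GW_OK"
report "gateway (mixed)" 976601084 "$GW_MIXED"
report "management"      976601023 "$MGMT_OLD"
# On a live system: check_build 976601084 "$(fw ver -k)"
```

Checking every build line matters for `fw ver -k`, which reports the product and the kernel separately; a single matching line is not enough to call the gateway updated.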
Installing R71.40
In This Section
New Installation
Installing the Client Applications
Upgrading from R70.40
Upgrading from R71 or Higher
Uninstalling
New Installation
You can install R71.40 as a new installation, rather than an upgrade. Install on a server that does not have Check Point products, to make a new management server, gateway or log server.
Solaris Security Management: Check_Point_R71.40.Solaris.iso
Provider-1 MDS on SecurePlatform or Linux: Check_Point_R71.40_Provider-1.Splat.iso
Provider-1 MDS on Solaris: Check_Point_R71.40_Provider-1.Solaris.iso
Power-1 / UTM-1 / UTM 130 appliances: Check_Point_R71_40_Appliance.iso
Smart-1 appliances: Check_Point_R71_40_Smart-1.iso
2. Continue with the installation according to the R71 Installation and Upgrade Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10327).
Check_Point_R71.40_Provider-1.Solaris.iso
To learn how to upgrade, see the Upgrade sections of the R71 Installation and Upgrade Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10327).
Upgrade Packages
Before upgrading from R71 or higher, download the upgrade package for your platform from the Check Point Support Center:

Platform and Upgrade Package
SecurePlatform (Open Servers and Appliances): Check_Point_R71.40.linux.tgz
Linux: Check_Point_R71.40.linux.tgz
IPSO 6.2 Disk-based: Check_Point_R71.40.ipso6.tgz
IPSO 6.2 Flash-based: Check_Point_R71.40.ipso6_Flash.tgz
Windows: Check_Point_R71_40.windows.tgz
Solaris: Check_Point_R71.40.Solaris.tgz
SecurePlatform Embedded (Security Gateway Series 80): fw1_R71_730156065_HFA40.img

Upgrade procedures listed for these platforms: SecurePlatform Web User Interface, Command Line, Command Line for IPSO Flash-Based, SmartUpdate.

Important - Turn off User Account Control (UAC) before you install on Windows 7. Reboot after you install on Windows 7.
3. Open the Upgrade page:
   Appliance: Appliance > Upgrade
4. In the Upgrade Steps pane, browse to the downloaded file.
5. Click the Upload package button.
6. In the Safe Upgrade step, make sure the Save a snapshot of the current system check box is selected.
   Important - Make sure all GUI applications are closed and take a snapshot of the machine before you upgrade.
7. Click Start Upgrade. At the end of the installation, the device automatically reboots.
8. Re-login to the machine.
   Important - After upgrading, move the snapshot file from the Desktop to a pathname without spaces. This must be done before attempting to restore the machine.
8. Follow the instructions on the screen to install the applicable components. Only those components required for a specific target (management or gateway) are installed automatically. When the installation finishes, each successfully installed component appears in a list followed by the word 'Succeeded'.
9. When prompted, reboot the computer.
10. Repeat the above steps for all management servers, log servers and gateways as required by your deployment.
11. After you complete the installation on all computers, install the security policy on gateways and servers as appropriate.
Uninstalling
Notes
Uninstallation from IPSO flash-based appliances is not supported.
Uninstallation of IPS pattern granularity is not supported. After uninstall of R71.40, the patterns remain converted to protections.
We do not recommend that you disable the implied exceptions. However, you can disable them from the IPS page of the Global Properties (Policy > Global Properties > IPS). To disable the implied exceptions, clear the Enable implied exceptions in my environment option.
Note - If you disable the implied exceptions and you do not add exceptions for the non-standard HTTP and SSL traffic manually, it is possible that some Check Point products will not work.
Vendor ID    Description
8            Signed by Microsoft
9            Signed by Mozilla
10           Signed by Oracle
11           Signed by Sun
12           Signed by Rare Ideas
If Endpoint Security on Demand is configured on the gateway, the scan detects that Protected mode is on, and instructions to disable Protected mode open.
If Endpoint Security on Demand is not configured on the gateway, users are not alerted that they must disable Protected mode. However, they must do the same steps to disable Protected mode so that they can access the SSL VPN portal without problems.
Here are the instructions for users to disable Protected Mode. All users must do these steps even if they do not get the instructions automatically.
A notification appears: You must disable Protected Mode to allow Check Point Endpoint Security On Demand to run in order to access this Web site.