
R71.40 Release Notes

3 July 2011

2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11894 For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
| Date | Description |
|---|---|
| 03 July 2011 | First release of this document |

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on R71.40 Release Notes).

Contents
Important Information
Introduction
  What's New
  Included Releases
Platform Provisions and Requirements
  Supported Upgrade Paths
  Supported Security Products by Platform
    Security Software Containers by Platform
    Dedicated Gateways
    Security Gateway Software Blades by Platform
    Security Management Software Blades by Platform
  Clients and Consoles by Windows Platform
  Minimum System Requirements
  Required Disk Space
  Build Numbers
Installing R71.40
  New Installation
  Installing the Client Applications
  Upgrading from R70.40
  Upgrading from R71 or Higher
    Upgrade Packages
    Upgrading with the SecurePlatform Web User Interface
    Upgrade Using the Command Line
    Upgrading with the Command Line for IPSO Flash-Based
    Upgrade Using SmartUpdate
    Upgrading with the SecurePlatform Embedded Web User Interface
    IPS Pattern Granularity Installation
  Uninstalling
Configuring the R71.40 Features
  Configuring Implied IPS Exceptions
  Configuring Secure Workspace Applications by Vendor
  Configuring Windows Vista or Windows 7 for Mobile Access Portal
  Configuring IPS Pattern Granularity
    Activating New Protections
    Network Exceptions for the New Protections
    Handling Multiple Matches of a Pattern


Introduction
Thank you for updating to Check Point version R71.40. This version contains new features and resolves various issues for Check Point Software Blades. Please read this document carefully before installing. For more information about R71.40 and to download the software, go to the R71.40 Home Page (http://supportcontent.checkpoint.com/solutions?id=sk63761). Known Limitations are listed in sk63762 (http://supportcontent.checkpoint.com/solutions?id=sk63762). Resolved Issues are listed in sk63763 (http://supportcontent.checkpoint.com/solutions?id=sk63763).

What's New
- Upgrade from R70.40 directly to R71.40

Security Management
- IPS improvements
- SmartEvent enhancements
- Increase pattern granularity - Header rejection, Http worm catcher and Cifs worm catcher patterns were converted into separate protections, giving more granularity in their settings. This feature is installed during the first IPS update process (online update, offline update or scheduled update).
- Implied exceptions - Built-in exceptions to allow Check Point products trusted traffic.
- Support for UTM-1 Edge 8.2 gateways

Security Gateway
IPS Geo database - The Geo country-ranges database accuracy has been significantly improved.

Security Gateway 80 Series


- Support for VPN Link Selection
- Support for local masters file
- Improved communication when Security Management server is behind NAT
- Support for IGMP Proxy

Windows 7 32-bit and 64-bit Support


- Secure Workspace supports Windows 7 32-bit and 64-bit.
- Mobile Access clients with Windows 7 64-bit can connect to Connectra and SSL VPN gateways.
- Support for SSL Network Extender Application mode and Network mode for Windows 7 32-bit and 64-bit.

Enhanced Secure Workspace


- Faster and better performance.
- Enhanced allowed application configuration by software vendor. You can easily allow all applications from a specific vendor.

VPN Client
This version includes a deployment package of Endpoint Security VPN R75, which replaces SecureClient and Endpoint Connect. For automatic deployment of the new VPN client, select a client upgrade mode in Global Properties > Remote Access > Endpoint Connect.


Included Releases
This release includes all features and fixes that were included in R71.30. See the R71.30 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=11714). This release includes the Windows 7 64-bit Hotfix for Connectra NGX R66.1 and SSL VPN R71.30.

Platform Provisions and Requirements


In This Section
- Supported Upgrade Paths
- Supported Security Products by Platform
- Clients and Consoles by Windows Platform
- Minimum System Requirements
- Required Disk Space
- Build Numbers

Supported Upgrade Paths


If you are upgrading from a lower version, make sure you can do the necessary intermediate upgrades.

| Product | Version | Upgrade Path |
|---|---|---|
| Security Gateway, Security Management Server, Provider-1 MDS | R70.40, R71, R71.10, R71.20, R71.30 | Direct - Install the appropriate package (see "Upgrading from R70.40") on the existing installation. |
| | R70.30 and lower, down to NGX R65 | First upgrade to R71.10, then install the appropriate package. |
| | lower than NGX R65 | First upgrade to NGX R65, then upgrade to R71.10. |
| Security Gateway Series 80 | | Get image: fw1_R71_730156065_HFA40.img |

Notes - This release is automatically activated on all Provider-1 Domains. For advanced upgrade procedures, see the R71.40 Advanced Upgrade and Migration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=12194).


Supported Security Products by Platform


These tables show the security products related to this release and on which platforms they are supported.

Security Software Containers by Platform


Table rows (Software Blade Containers): Security Management, Security Gateway, Provider-1 MDS

Table columns (Check Point Platforms and Operating Systems): SecurePlatform, Security Gateway Series 80, Smart-1 (5, 25, 50) (50, 150), Power-1, UTM-1, IPSO 6.2 Disk-based, IPSO 6.2 Flash-based

Table columns (Other Platforms and Operating Systems): Windows Server 2003/2008 (SP1-2) 32bit, Windows 7 Professional / Enterprise / Ultimate 32bit/64bit, Linux RHEL 5.0 and RHEL 5.4 kernel 2.6.18 32bit, Crossbeam X-series, Solaris UltraSPARC 8, 9, 10

Notes for Security Software Containers We recommend that you install Provider-1 on Sun M-Series servers. We do not recommend that you install Provider-1 on Sun T-Series servers.

Dedicated Gateways
These dedicated gateways cannot be upgraded to R71.40:
- Open Server - IPS-1 Sensor, VSX
- Appliances - DLP-1, UTM-1 Edge, IPS-1 Sensor, VSX-1


Security Gateway Software Blades by Platform


Table rows (Software Blade): Firewall, IPSec VPN, IPS, SSL VPN, DLP, Anti-Virus & Anti-Malware, URL Filtering, Anti-Spam & Email Security, Web Security, Advanced Networking, Acceleration & Clustering (see note 1)

Table columns (Platform and Operating System): Check Point SecurePlatform, IPSO 6.2 Disk-based, IPSO 6.2 Flash-based, Windows Server 2003/2008 (SP1-2) 32bit, Crossbeam X-series, SecurePlatform Embedded

Notes
1. The maximum number of supported cluster members in ClusterXL mode is five; in third-party mode the maximum is eight.
2. Only Clustering is supported in Windows. Acceleration is not supported.
3. Only third-party clustering is supported.
4. Based on IP reputation.
5. Only High Availability is supported.


Security Management Software Blades by Platform


Table rows (Software Blade): Network Policy Management, Endpoint Policy Management, Logging & Status, Monitoring, SmartProvisioning, Management Portal*, User Directory, SmartWorkflow, SmartEvent, SmartReporter

Table columns (Platform and Operating System): Check Point SecurePlatform, IPSO 6.2 Disk-based, Windows Server 2003/2008 (SP1-2) 32bit, Windows 7 Professional / Enterprise / Ultimate 32bit/64bit, Linux RHEL 5.0 and RHEL 5.4 kernel 2.6.18 32bit, Solaris UltraSPARC 8, 9, 10

2003 only

* Management Portal is supported on the following Web browsers: Internet Explorer 6 and 7, and Mozilla Firefox 1.5 - 3.0


Clients and Consoles by Windows Platform


Table rows (Check Point Product): SmartConsole, Provider-1 MDG, SecureClient, SSL Network Extender, Endpoint Security Client, Endpoint Connect Client, DLP UserCheck(TM)

Table columns (Windows platform): XP Pro (SP3), XP Home (SP3), Server 2003 (SP1-2) 32bit, Vista (SP1) 32bit, Vista (SP1) 64bit, Server 2008 (SP1-2) 32bit, 7 Professional / Enterprise / Ultimate 32bit, 7 Professional / Enterprise / Ultimate 64bit

Minimum System Requirements


The system requirements for R71.40 are the same as those listed in the R71 Release Notes (http://supportcontent.checkpoint.com/documentation_download?id=10330).


Required Disk Space


Note - It is safe to delete the downloaded .tgz file after it is extracted, to have more disk space for installation.

Required Disk Space for Installation on Security Management Server


Operating System SecurePlatform/ Linux /var - 1 GB IPSO Disk-based /var - 500 MB Windows Solaris 485 MB Packed and Extracted During Installation* .tgz File root - 600 MB /opt - 350 MB /var - 200 MB /opt - 260 MB /var - 100 MB 520 MB root - 200 MB /opt - 350 MB /var - 600 MB /var - 200 MB Final Used Disk Space root - 400 MB /opt - 350 MB /var - 200 MB /opt - 175 MB /var - 100 MB 480 MB root - 100 MB /opt - 250 MB /var - 0 MB

* During installation, the process may use additional disk space that will be released when installation ends.

Required Disk Space for Installation on Security Gateway


Operating System SecurePlatform Packed and Extracted During Installation* .tgz File root - 500 MB /opt - 345 MB /var - 1 GB IPSO Disk-based /opt - 270 MB /var - 500 MB IPSO Flash-based /var - 100 MB /preserve - 500 MB /opt - 20 MB var - 255 MB Windows 485 MB /var - 125 MB 285 MB /opt - 180 MB /var - 100 MB /preserve - 7 MB /opt - 21 MB /var - 1 MB 220 MB /var - 100 MB Final Used Disk Space root - 400 MB /opt - 340 MB /var - 0 MB

* During installation, the process may use additional disk space that will be released when installation ends.


Build Numbers
This table contains the R71.40 software products updated in this release and their build numbers. To confirm that the hotfix is installed, run the version command for each product. If the command returns the build number listed, the hotfix is installed.

Security Gateway
  Build No.: 976601084
  Version command: fw ver -k
  Output:
    This is Check Point VPN-1(TM) & FireWall-1(R) R71.40 - Build 084
    kernel: R71.40 - Build 084

Security Management
  Build No.: 976601023
  Version command: fwm ver
  Output:
    This is Check Point Security Management Server R71.40 - Build 023

SmartConsole Applications
  Build No.: 976601035
  Version command: Help > About Check Point <Application Name>
  Output:
    R71.40 (Build 976601035)

Provider-1 Multi-Domain Server (MDS)
  Build No.: 976601027
  Version command: fwm mds ver
  Output:
    This is Check Point Provider-1 Server R71.40 - Build 027

Provider-1 Multi-Domain GUI (MDG)
  Build No.: 976601009
  Version command: Help > About Check Point Provider-1
  Output:
    R71.40 (Build 976601009)

SecurePlatform
  Build No.: 976601020
  Version command: splat_ver
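Added example, not part of the original release notes and not Check Point code: a shell check that compares captured version-command output with the build numbers listed above, including the case where fw ver -k reports a kernel that is still on an older build. It assumes, as the sample output in the table shows, that the CLI prints the last three digits of the build number; the function names and the sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Check Point code): verify R71.40 build numbers from
# captured version-command output. Function names are hypothetical.

# Full build number per version command, copied from the release-notes table.
# splat_ver is left out because the notes show no sample output for it.
expected_build() {
    case "$1" in
        "fw ver -k")   echo 976601084 ;;
        "fwm ver")     echo 976601023 ;;
        "fwm mds ver") echo 976601027 ;;
        *) return 1 ;;
    esac
}

# check_build COMMAND OUTPUT
#   0 = every "R<version> - Build <n>" pair in OUTPUT is R71.40 with the
#       expected build (fw ver -k reports user mode and kernel separately)
#   1 = no build string found, or at least one pair differs
#   2 = COMMAND is not in the table
check_build() {
    full=$(expected_build "$1") || { echo "unknown command: $1" >&2; return 2; }
    # Assumption from the sample output: the CLI prints the last three digits.
    short=${full#??????}
    want="R71.40 - Build $short"
    found=$(printf '%s\n' "$2" | grep -oE 'R[0-9.]+ - Build [0-9]+' || true)
    [ -n "$found" ] || return 1
    # Any pair that is not exactly the expected one means a partial install.
    stale=$(printf '%s\n' "$found" | grep -vxF "$want" || true)
    [ -z "$stale" ]
}

# Constructed sample outputs. The first follows the table; the second is a
# made-up case where the kernel module was not updated (placeholder build 000).
SAMPLE_OK='This is Check Point VPN-1(TM) & FireWall-1(R) R71.40 - Build 084
kernel: R71.40 - Build 084'
SAMPLE_STALE_KERNEL='This is Check Point VPN-1(TM) & FireWall-1(R) R71.40 - Build 084
kernel: R71.30 - Build 000'

for sample in "$SAMPLE_OK" "$SAMPLE_STALE_KERNEL"; do
    if check_build "fw ver -k" "$sample"; then
        echo "fw ver -k: R71.40 installed"
    else
        echo "fw ver -k: build mismatch, R71.40 not fully installed"
    fi
done

# On a live gateway (not run here): check_build "fw ver -k" "$(fw ver -k 2>&1)"
```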


Installing R71.40
In This Section
- New Installation
- Installing the Client Applications
- Upgrading from R70.40
- Upgrading from R71 or Higher
- Uninstalling

New Installation
You can install R71.40 as a new installation, rather than an upgrade. Install on a server that does not have Check Point products, to make a new management server, gateway or log server.

To install on all platforms:


1. Download the installation file for the platform from the Check Point Support Center. You can mount the file in the operating system or burn the ISO to a DVD.

| Platform | DVD Image/File Name |
|---|---|
| SecurePlatform or Linux (Open Servers only) | Check_Point_R71.40.Splat.iso |
| IPSO 6.2 Disk-based | Check_Point_R71.40.IPSO6.tgz |
| IPSO 6.2 Flash-based | Check_Point_R71.40_Security_Gateway.IPSO6_2.tgz |
| Windows | Check_Point_R71.40.Windows.iso |
| Solaris Security Management | Check_Point_R71.40.Solaris.iso |
| Provider-1 MDS on SecurePlatform or Linux | Check_Point_R71.40_Provider-1.Splat.iso |
| Provider-1 MDS on Solaris | Check_Point_R71.40_Provider-1.Solaris.iso |
| Power-1 / UTM-1 / UTM 130 appliances | Check_Point_R71_40_Appliance.iso |
| Smart-1 appliances | Check_Point_R71_40_Smart-1.iso |

2. Continue with the installation according to the R71 Installation and Upgrade Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10327).

To complete installation on IPSO Security Management Server:


On IPSO platforms, after installation and cpconfig, before reboot:
1. Go to the MiniWrapper directory.
2. Run UnixInstallScript.


Installing the Client Applications


The client applications for this release are part of the Check Point SmartConsole.

To manually install the SmartConsole:


1. Download Check_Point_SmartConsole_R71.40_Windows.exe.
2. Double-click the file to install the SmartConsole.

To install the Provider-1 MDG:


1. Download Check_Point_Provider-1_MDG_R71.40_Windows.exe.
2. Double-click the file to install the Provider-1 MDG.

Upgrading from R70.40


To upgrade from R70.40, download the appropriate installation file for your platform from the Check Point Support Center. You can mount the file in your operating system or burn the ISO to a DVD.

The installation files are:

| Platform | DVD Image/File Name |
|---|---|
| SecurePlatform or Linux (Open Servers only) | Check_Point_R71_40_CD1.Splat.iso and Check_Point_R71_40_CD2.Splat.iso |
| SecurePlatform or Linux (Open Servers and Appliances)* | Check_Point_Upgrade_for_R71.40.splat.tgz |
| IPSO 6.2 Disk-based | Check_Point_R71.40.IPSO6.tgz |
| IPSO 6.2 Flash-based | Check_Point_R71.40_Security_Gateway.IPSO6_2.tgz |
| Windows | Check_Point_R71_40.Windows.iso |
| Solaris Security Management | Check_Point_R71_40.Solaris.iso |
| Provider-1 MDS on SecurePlatform or Linux | Check_Point_R71.40_Provider-1.Splat.iso |
| Provider-1 MDS on Solaris | Check_Point_R71.40_Provider-1.Solaris.iso |

* - To upgrade a Smart-1 50/150 with Provider-1, use the CLI to upgrade from the Provider-1 MDS on SecurePlatform or Linux image.

To learn how to upgrade, see the Upgrade sections of the R71 Installation and Upgrade Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10327).

Upgrading from R71 or Higher


This section includes the procedures for installing R71.40 on management servers, gateways and log servers that already have R71 or higher installed. We recommend that you back up your system before installing this release package. For SecurePlatform, you can use snapshots, which are discussed in the Snapshot Image Management section of the R71 SecurePlatform Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10313).


Upgrade Packages
Before upgrading from R71 or higher, download the upgrade package for your platform from the Check Point Support Center.

Important - Turn off User Account Control (UAC) before you install on Windows 7. Reboot after you install on Windows 7.

| Platform | Upgrade Package | Upgrade Procedure |
|---|---|---|
| SecurePlatform (Open Servers and Appliances) | Check_Point_R71.40.linux.tgz | SecurePlatform Web User Interface, Command Line, SmartUpdate |
| Linux | Check_Point_R71.40.linux.tgz | Command Line |
| IPSO 6.2 Disk-based | Check_Point_R71.40.ipso6.tgz | Command Line, SmartUpdate |
| IPSO 6.2 Flash-based | Check_Point_R71.40.ipso6_Flash.tgz | Command Line for IPSO Flash-Based, SmartUpdate |
| Windows | Check_Point_R71_40.windows.tgz | Command Line, SmartUpdate |
| Solaris | Check_Point_R71.40.Solaris.tgz | Command Line |
| SecurePlatform Embedded (Security Gateway Series 80) | fw1_R71_730156065_HFA40.img | SecurePlatform Embedded Web User Interface |

Upgrading with the SecurePlatform Web User Interface


You can use the Web User Interface to install R71.40 on SecurePlatform Security Gateways, Security Management open servers, appliances, and Provider-1 Multi-Domain Servers.

To install R71.40 using the Web User Interface:


1. Download the upgrade package for your platform (see "Upgrade Packages").
2. Connect to the SecurePlatform Web User Interface:
   Open server: https://<IP>
   Appliance: https://<IP>:4434
3. Open the Upgrade page:
   Open server: Device > Upgrade
   Appliance: Appliance > Upgrade
4. In the Upgrade Steps pane, browse to the downloaded file.
5. Click the Upload package button.
6. In the Safe Upgrade step, make sure the Save a snapshot of the current system check box is selected.
   Important - Make sure all GUI applications are closed and take a snapshot of the machine before you upgrade.
7. Click Start Upgrade. At the end of the installation, the device automatically reboots.
8. Re-login to the machine.
   Important - After upgrading, move the snapshot file from the Desktop to a pathname without spaces. This must be done before attempting to restore the machine.

Upgrade Using the Command Line


You can use these instructions to install R71.40 using the CLI on open servers and IP series appliances, except for IPSO Flash-based appliances. To install on IPSO flash-based appliances, you must use the CLI instructions for IPSO flash-based appliances. To install on Check Point appliances with SecurePlatform, use the Web User Interface or SmartUpdate. To install on IPSO platforms, use the command line. Network Voyager is not supported. You can safely delete the .tgz file after you extract the package (step 6).

To install R71.40 using the CLI:


1. Log onto the target machine.
2. If you are installing on SecurePlatform:
   a) Run idle 120 to make sure that the installation is not interrupted by the automatic logon timeout.
   b) Run expert to enter expert mode.
3. Verify that the target computer contains sufficient free disk space.
4. Create a temporary directory in the /var partition on non-Windows platforms, or in the c:\ partition on Windows platforms.
5. Copy the upgrade package for your platform to the temporary directory using SFTP, SCP, or another secure utility.
6. Go to the temporary directory and extract the .tgz package.
   On non-Windows platforms, run: gtar -zxvf <file name>
   On Windows platforms, use an archive utility such as WinZip.
7. Start the installation routine:
   Important - Before installing on Provider-1, run mdsenv and then mdsstop. If this is not done, the system will experience functionality issues. We recommend that you back up the system by running the mds_backup command before installation.
   On non-Windows platforms, run: ./UnixInstallScript
   You must run this command from the /var partition.
   On Windows platforms, run: Setup.exe
8. Follow the instructions on the screen to install the applicable components. Only those components required for a specific target (management or gateway) are installed automatically. When the installation finishes, each successfully installed component appears in a list followed by the word 'Succeeded'.
9. When prompted, reboot the computer.
10. Repeat the above steps for all management servers, log servers and gateways as required by your deployment.
11. After you complete the installation on all computers, install the security policy on gateways and servers as appropriate.


Upgrading with the Command Line for IPSO Flash-Based


Notes
- IPSO Flash-based platforms are supported for use as Security Gateways only.
- Installation using Network Voyager is not supported and may result in system instability. You must install this version using the CLI only.
- Only use this upgrade procedure for appliances with 4GB Flash (IP69x, IP128x and IP245x). For appliances with 1GB and 2GB Flash (IP29x, IP39x and IP56x), you must do a clean install.

Before installing on an IPSO Flash-based Appliance:


1. Delete any Check Point packages that are earlier than R71.10, and then delete any previous tgz files. You can do this using Network Voyager or using the command shell:
   Using Network Voyager:
   a) Choose Configuration > System Configuration > Packages > Delete Packages.
   b) Select a previous installation package to delete, and click Apply.
   c) Delete any tgz files.
   d) Click Apply.
   Using the command shell, run the following commands:
      newpkg -q
      newpkg -u <previous package name>
      rm opt/packages/<previous tgz name>
   newpkg -q prints a list of the installed packages.
2. If there is an IPSO image on the machine that is not in use, delete it using Network Voyager:
   a) Choose Configuration > System Configuration > images > Manage Images.
   b) Click Delete IPSO Images.
   c) Select the IPSO image to delete, and click Apply.
3. Verify that there is enough free disk space for the installation of the packages (see "Required Disk Space").

To install and activate this version on an IPSO Flash-based Appliance:


1. Using the command shell, copy the upgrade package for IPSO Flash-based appliances (see "Upgrade Packages") to /var/tmp on the IP Appliance through ftp.
   Note - The installation package must be located in the /var/tmp directory.
2. Navigate to the /var/tmp directory.
3. Extract the tgz package by running: tar -zxvf <file name>
4. Delete the tgz package by running: rm -rf <file name>
5. Run ./UnixInstallScript
6. Follow the instructions on the screen to install the appropriate components. When prompted, stop all Check Point processes. Only those components required for a specific target (management or gateway) are installed automatically. When the installation finishes, each successfully installed component appears in a list followed by the word 'Succeeded'.
7. When prompted, reboot the computer by pressing y.


Upgrade Using SmartUpdate


You can use SmartUpdate to remotely install this version on Security Gateways installed on all supported platforms.

To install with SmartUpdate:


1. Install the upgrade package for your platform (see "Upgrade Packages") on the Security Management Server using the Command Line (see "Upgrade Using the Command Line").
2. Open SmartUpdate and close SmartDashboard.
3. Click Packages > Get Data from All. When the Operation Status of the known gateways is Done, the installed packages and their versions are listed.
4. Open the Package Repository: Packages > View Repository.
5. Add the installation package file (*.tgz) for each required gateway platform to the Package Repository (Packages > Add; or drag-and-drop). Wait until the Operation Status of adding the package is Done. The packages appear in the Package Repository. This can take a few minutes.
6. Right-click the package and choose Distribute.
7. From the Distribute Package window, select the devices on which you want to install this version.
8. Click Distribute. The installation package is distributed to and installed on the selected Security Gateways. The Security Gateways are rebooted automatically, except for those that are installed on Windows. You must manually reboot Security Gateways installed on Windows.
   Note - On a Windows platform, if the gateway does not accept traffic after installing this version, re-install the policy.

Upgrading with the SecurePlatform Embedded Web User Interface


You can install R71.40 on Security Gateway Series 80 appliances using the SecurePlatform Embedded Web User Interface.

To install R71.40 using the SecurePlatform Embedded Web User Interface:


1. Download the upgrade package for your platform (see "Upgrade Packages").
2. Connect to the SecurePlatform Embedded Web User Interface at: https://<appliance_ip>:4344
3. Log in and open Appliance > System Operations > Upgrade.
4. Browse to the downloaded image and click Upload.
5. Save a local image with the Image Backup option.
6. Click Next to start the upgrade. At the end of the installation, the device automatically reboots.
7. Re-login to the machine.
8. Go to Overview > System Information > Version to verify that you installed the correct build: R71 HFA30 (730156065)

IPS Pattern Granularity Installation


The IPS pattern granularity (converting patterns into protections) will be installed during the first IPS update procedure (online update, offline update, or scheduled update). Therefore, the first update after installation of the HFA might take a few minutes longer than usual.


Uninstalling
Notes
- Uninstallation from IPSO flash-based appliances is not supported.
- Uninstallation of IPS pattern granularity is not supported. After uninstall of R71.40, the patterns remain converted to protections.

To uninstall R71.40 in Security Management Server deployments:


1. Disable the IPS Event Analysis and/or SmartWorkflow Software Blades. If you already disabled them before upgrading to R71.40, you do not need to disable the Software Blades. To do this, disable the Software Blades in the Security Management server's object.
2. On each management server and dedicated log server:
   All non-Windows platforms:
      Run: /opt/CPUninstall/R71.40/UnixUninstallScript
   Windows platforms:
      (i) Go to: C:\Program files\CheckPoint\CPUninstall\R71.40
      (ii) Run: Uninstall.bat

To uninstall R71.40 in Provider-1 deployments:


1. Disable the R71.40 from each CMA as follows:
   a) Login to the Provider-1 MDG.
   b) In Versions & Blades Updates, right click and select Deactivate.
2. Run this command on each Multi-Domain Server, Domain Log Server and Multi-Domain Log Server:
      /opt/CPUninstall/R71.40/UnixUninstallScript
3. Activate Software Blades that were active before the upgrade to R71.40.

Note - After uninstalling this release from a SecurePlatform machine, the command line login prompt and the Web interface Welcome screen will still display Check Point SecurePlatform R71.40 as the installed version. This is because packages related to the SecurePlatform operating system are not uninstalled during the uninstallation process. Use the fw ver command to see the current version of your software.

To uninstall with SmartUpdate:


You can use SmartUpdate to remotely uninstall on gateways of all platforms, except IPSO.
1. Make sure SmartDashboard is closed.
2. Open SmartUpdate.
3. From the Packages menu choose Get Data From All.
4. Right-click each package with Minor_Version value of R71.40 and select Uninstall, in this order:
   - Security Gateway
   - SSL VPN (for SecurePlatform gateways, if installed)
   - all other Minor_Version products
   Note - All packages must be uninstalled except for the SecurePlatform package that cannot be uninstalled from SecurePlatform gateways.
5. On Windows platforms, reboot manually.


Configuring the R71.40 Features


In This Section
- Configuring Implied IPS Exceptions
- Configuring Secure Workspace Applications by Vendor
- Configuring Windows Vista or Windows 7 for Mobile Access Portal
- Configuring IPS Pattern Granularity

Configuring Implied IPS Exceptions


Check Point components can use non-standard HTTP and SSL ports to communicate. Implied exceptions exclude this traffic from IPS inspection. Note - To use implied exceptions in Provider-1 you must activate the R71.40 plug-in for the customer.

To view the implied exceptions:


In the View menu, select IPS Implied Exceptions. You can see the implied exceptions in the Network Exceptions page of the IPS tab.

We do not recommend that you disable the implied exceptions. But, you can disable them from the IPS page of the Global Properties (Policy > Global Properties > IPS). To disable the implied exceptions, clear the Enable implied exceptions in my environment option. Note - If you disable the implied exceptions and you do not add exceptions for the non-standard HTTP and SSL traffic manually, it is possible that some Check Point products will not work.

Configuring Secure Workspace Applications by Vendor


You can configure which applications users can access from Secure Workspace. If a vendor is trusted then all applications from this vendor are trusted. By default, users can access applications from these vendors. You cannot add a vendor to the list.

| Vendor ID | Vendor Name | Description |
|---|---|---|
| 1 | Adobe | Signed by Adobe |
| 2 | Apple | Signed by Apple |
| 3 | Check Point | Signed by Check Point |
| 4 | Computer Associates | Signed by Computer Associates |
| 5 | Google | Signed by Google |
| 6 | IBM | Signed by IBM |
| 7 | Intel | Signed by Intel |
| 8 | Microsoft | Signed by Microsoft |
| 9 | Mozilla | Signed by Mozilla |
| 10 | Oracle | Signed by Oracle |
| 11 | Sun | Signed by Sun |
| 12 | Rare Ideas | Signed by Rare Ideas |

To change user access to vendor applications:


1. Use the instructions in sk34939 (http://supportcontent.checkpoint.com/solutions?id=sk34939) to:
   • Configure Secure Workspace to operate in local mode.
   • Open the local Secure Workspace policy file on the gateway.
2. Find the vendor that you want to change in the local Secure Workspace policy file.
3. Edit the file:
   a) To block user access, add this attribute to the vendor tag: Config="_disabled".
      For example: To block IBM applications, change the IBM line from:
         <ExecuteVendor id="6" VendorName="IBM" UIDescription="Signed by IBM"/>
      to
         <ExecuteVendor id="6" VendorName="IBM" UIDescription="Signed by IBM" Config="_disabled"/>
   b) To allow user access to IBM applications, remove the Config attribute.
      For example: Change the line back to:
         <ExecuteVendor id="6" VendorName="IBM" UIDescription="Signed by IBM"/>
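As an added example (not part of the Check Point documentation), this Python script audits a local Secure Workspace policy file after an edit like the one above: it reports which default vendors are allowed or blocked and flags entries that this page does not describe. The sample XML is constructed, and the enclosing <Policy> element, the sample vendor "Example Corp" and the function name audit_vendors are assumptions; only the ExecuteVendor tag and its attributes come from this page.

```python
import xml.etree.ElementTree as ET

# Default vendor list from the table on this page (Vendor ID -> Vendor Name).
DEFAULT_VENDORS = {
    1: "Adobe", 2: "Apple", 3: "Check Point", 4: "Computer Associates",
    5: "Google", 6: "IBM", 7: "Intel", 8: "Microsoft", 9: "Mozilla",
    10: "Oracle", 11: "Sun", 12: "Rare Ideas",
}

# Constructed sample. The <Policy> wrapper is an assumption; the page shows
# only the ExecuteVendor tag itself.
SAMPLE_POLICY = """<Policy>
  <ExecuteVendor id="5" VendorName="Google" UIDescription="Signed by Google"/>
  <ExecuteVendor id="6" VendorName="IBM" UIDescription="Signed by IBM" Config="_disabled"/>
  <ExecuteVendor id="8" VendorName="Microsoft" UIDescription="Signed by Microsoft" Config="disabled"/>
  <ExecuteVendor id="13" VendorName="Example Corp" UIDescription="Signed by Example Corp"/>
</Policy>"""


def audit_vendors(xml_text):
    """Classify every ExecuteVendor entry found in a policy document."""
    report = {"allowed": [], "blocked": [], "bad_config": [], "unexpected": []}
    for el in ET.fromstring(xml_text).iter("ExecuteVendor"):
        vid, name, cfg = el.get("id"), el.get("VendorName"), el.get("Config")
        # The page says vendors cannot be added, so an id/name pair that is
        # not in the default table deserves a manual look.
        if not (vid or "").isdecimal() or DEFAULT_VENDORS.get(int(vid)) != name:
            report["unexpected"].append((vid, name))
        elif cfg is None:
            report["allowed"].append(name)       # no Config attribute: trusted
        elif cfg == "_disabled":
            report["blocked"].append(name)       # documented blocking value
        else:
            # Any other value (for example a typo) is not documented here.
            report["bad_config"].append((name, cfg))
    seen = set(report["allowed"]) | set(report["blocked"])
    seen |= {name for name, _ in report["bad_config"]}
    report["not_listed"] = sorted(set(DEFAULT_VENDORS.values()) - seen)
    return report


if __name__ == "__main__":
    for category, entries in audit_vendors(SAMPLE_POLICY).items():
        print(f"{category}: {entries}")
```

In the constructed sample, the Microsoft entry carries Config="disabled" without the leading underscore, so the script reports it under bad_config for review rather than counting it as blocked.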

Configuring Windows Vista or Windows 7 for Mobile Access Portal


If users use Internet Explorer to open the SSL VPN portal on Windows Vista or Windows 7, they must disable Internet Explorer Protected Mode. If Protected Mode is not disabled, SSL VPN might run, but users can get unexpected errors.

On Windows 7, Protected Mode is enabled by default. You can see that it is enabled:
   • In the Internet Options > Security tab, see that Enable Protected Mode is selected.
   • In the bottom right of the Internet Explorer browser window, it says Protected Mode On.

If Endpoint Security on Demand is configured on the gateway, the scan detects that Protected Mode is on and instructions to disable Protected Mode open. If Endpoint Security on Demand is not configured on the gateway, users are not alerted that they must disable Protected Mode. However, they must do the same steps to disable Protected Mode so that they can access the SSL VPN portal without problems.

Here are the instructions for users to disable Protected Mode. All users must do these steps even if they do not get the instructions automatically.

A notification appears: You must disable Protected Mode to allow Check Point Endpoint Security On Demand to run in order to access this Web site.

To disable Protected Mode:


1. In Internet Explorer, click Tools > Internet Options.
2. In the Internet Options window, open the Security tab.
3. Select Trusted Sites and make sure that Enable Protected Mode is not selected.
4. Click Sites.
5. In the Trusted Sites window, in the Add this website to the zone box, enter the portal web address and click Add.
6. Click Close.
7. Click OK.
8. Close all Internet Explorer windows.

The next time you open Internet Explorer, Protected Mode is off.

Configuring IPS Pattern Granularity


After upgrade to this version, after the first update of IPS protections, all patterns of Header rejection, Http worm catcher, and Cifs worm catcher protections are converted into new protections (dated to January 1, 2007). The three protections and the patterns under them are kept for NGX R65 and user-defined pattern support.


Activating New Protections


The activation mode of the new protections is set according to the IPS policy of the associated profile (the Severity and Confidence levels). You can change the settings as for other IPS protections. For example, you can change the action from Detect to Prevent. Only the settings of patterns that were manually modified before upgrade are assigned to their converted protections. Those protections are marked as Override and do not get updates. You cannot change the signature of the new protections. After upgrade, the previous patterns under the three protections are enforced only on NGX R65 gateways. The user-defined patterns are enforced on all gateways, including R7x and above, because they are not converted to protections.

Network Exceptions for the New Protections


If you added Network Exceptions to the Header rejection, Http worm catcher, or Cifs worm catcher protections before upgrade to R71.40, then after the upgrade, they are valid only for user-defined patterns. To apply the Network Exceptions to a pattern, add them to the new protection converted from the relevant pattern.

Handling Multiple Matches of a Pattern


If you changed the value of a pattern before upgrade, the pattern shows under the previous pattern list (Header rejection, Http worm catcher, Cifs worm catcher), as user-defined patterns. The pattern is also included as a new protection, marked for Follow Up. Sometimes, this causes multiple matches. To avoid this, turn off the modified patterns, or turn off the new protections.
