Checkpoint NGX WhatsNew
7/31/2019 Checkpoint NGX WhatsNew 1/30
Copyright 2005 Check Point Software Technologies, Ltd. All rights reserved.
What's New in Check Point Enterprise Suite NGX (R60)
5/16/05
In This Document
The latest version of the What's New documentation is available online at
http://www.checkpoint.com/techsupport/downloads.jsp .
Unified Software Package page 2
Firewall page 3
VPN page 14
SecuRemote/SecureClient page 18
Integrity page 21
SSL Network Extender page 21
SmartCenter page 22
VPN-1 Edge page 23
SmartView Monitor page 24
Eventia Reporter page 25
SmartUpdate page 26
SmartLSM page 27
SecurePlatform page 27
ClusterXL page 29
Performance Pack page 29
VSX page 29
QoS page 30
UserAuthority page 30
New Features Unified Software Package
Whats New in Check Point NGX R60 Last Update 5/16/05 2
Unified Software Package
In previous versions, each product had its own software package (for example, Check Point
SVN Foundation - cpshared_R55__.tgz). NGX (R60) binds a number of products into a
unified software package to simplify the installation process. The following products are
included in the package fw1_R60__.tgz, where represents the package version and
represents the relevant operating system:
  Check Point SVN Foundation
  VPN-1 Pro
  SecureClient Policy Server
  SmartView Monitor
  QoS (previously FloodGate-1)
Software packages not included in this list are distributed in their own packages located on
the product CD.
Firewall
Web Intelligence
1 New web protections have been added to prevent:
  Directory Listing
  LDAP Injection
  Display of web server error messages in the browser (a feature known as Error
  Concealment)
2 Specific behavioral patterns to be blocked by the Cross-Site Scripting, SQL Injection
and Command Injection defenses in Web Intelligence can now be defined by the user.
3 Malicious Code Protector is now supported on SPARC processors.
4 It is now possible to run all protections on specific web servers in monitor-only
mode, while on other servers the protections remain active.
5 Different HTTP method schemes can now be set for each web server.
6 Server-based Security Policy configuration is enhanced and completely integrated into
SmartDefense. The result is an easy and granular defense configuration that retains the
global view present in SmartDefense.
Monitor-only Mode
7 Many of the new features have a monitor-only mode, in which the feature is activated in a
mode that issues logs but does not block traffic. This usability element is helpful in the
transition phase, when features are applied for the first time at a customer's site, and will
help in discovering configuration problems during the deployment stage. With a single
click the defaults of each protection can be restored. Monitor-only mode also supports
audit-only deployments.
SQL Injection
8 VPN-1 Pro rejects HTTP requests containing SQL commands inside the URL or body.
An attacker can use flaws in the web application to inject malicious commands that will
be run directly in the application database and cause damage or information disclosure.
This defense has three levels of protection: low, medium and high. The definitions for
these three levels are displayed as you slide the change bar to select a different mode in
SmartDashboard.
Shell Command Injection
9 VPN-1 Pro rejects HTTP requests containing shell commands inside the URL or body.
An attacker can use flaws in the scripting engine to inject malicious commands that will
be run directly on the host. This defense has three levels of protection: low, medium
and high. The definitions for these three levels are displayed as you slide the change bar
to select a different mode in SmartDashboard.
Cross Site Scripting
10 VPN-1 Pro rejects HTTP requests sent using the POST command that contain
scripting code. Attackers can use scripting commands inside URLs and forms to steal an
innocent user's identity. This form of theft is particularly insidious because neither the
administrator nor the user knows they are being tricked. VPN-1 Pro also understands
the encoded data sent as part of the URL, which is an alternative way of submitting
information. The scripting code is not stripped from the request; rather, the whole
request is rejected. The defense has three levels of protection: low, medium and high.
Directory Traversal Attacks
11 Directory traversal attacks allow hackers to access files and directories that should be out
of their reach. In many attacks, this leads to running executable code on the web server
with one simple URL. Most of the attacks are based on the ".." notation within a file
system. VPN-1 Pro blocks requests in which the URL contains an illegal directory
request. For example, http://www.server.com/first/second/../../.. is illegal because it
climbs above the root directory. http://www.server.com/first/second/../ is legal
because it is equivalent to http://www.server.com/first/. VPN-1 Pro supports the same
capability for URLs that are encoded with Unicode and % encoding.
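To make the "illegal directory request" rule concrete, here is a small added Python example (written for this page, not Check Point's code; how VPN-1 Pro implements the check internally is not described here). It decodes %XX and %uXXXX escapes until the path no longer changes, then walks the path segments and rejects any URL whose ".." segments would climb above the document root. The repeat-until-stable decoding loop and the treatment of backslashes as separators are this example's own assumptions.

```python
import re
import urllib.parse

_UNICODE_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_url_path(path: str) -> str:
    """Decode %XX and %uXXXX escapes until nothing changes.

    Looping handles double encoding ("%252e" -> "%2e" -> "."), which is a
    common way to slip ".." past a single-pass decoder.
    """
    previous = None
    while previous != path:
        previous = path
        path = _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)
        path = urllib.parse.unquote(path)
    return path


def path_escapes_root(path: str) -> bool:
    """Return True if the decoded path ever climbs above the document root.

    Depth is counted per segment; a ".." that would take the depth below zero
    means the request points outside the server's document tree.
    """
    depth = 0
    # Assumption for this example: treat backslash like slash, since some servers accept both.
    for segment in re.split(r"[/\\]", decode_url_path(path)):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def check_url(url: str) -> str:
    """Classify a full URL as 'allow' or 'reject' based on its path component."""
    parsed = urllib.parse.urlsplit(url)
    return "reject" if path_escapes_root(parsed.path) else "allow"


if __name__ == "__main__":
    # Constructed sample URLs; the first two are the page's own examples.
    for sample in (
        "http://www.server.com/first/second/../../..",
        "http://www.server.com/first/second/../",
        "http://www.server.com/first/%2e%2e/%2e%2e/x",
        "http://www.server.com/first/%252e%252e/%252e%252e/x",
        "http://www.server.com/a/%u002e%u002e/%u002e%u002e/x",
    ):
        print(check_url(sample), sample)
```

The decoder deliberately loops instead of decoding once: a single `unquote` turns `%252e` into `%2e`, which still looks harmless to a naive segment check.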
HTTP Format Sizes
12 The sizes of the different elements in an HTTP request/response are not limited by the
protocol; this can be used to perform a DoS attack on a web server. In addition, many
buffer-overflow attacks require a considerably large buffer to be sent to the web server.
It is good security
practice to limit these buffers. This reduces the chance of buffer overruns and limits the
size of code that can be inserted using the overflow. This defense provides the ability to
impose a limit on the following elements:
  Maximum URL length
  Maximum header length
  Maximum number of headers
  Specific header length, by giving a regular expression to describe the header name
  and value
The maximum allowed length is adjustable using SmartDefense.
Blocking Non-ASCII Characters in Requests
13 VPN-1 Pro blocks characters outside the printable ASCII range (32-127) in the HTTP
request/response headers. Besides the fact that the HTTP RFC does not allow binary
characters anywhere in the HTTP headers, blocking them is good security practice because
executables and buffer-overrun exploits usually need binary characters. The defense can
be turned on using SmartDefense, in the Request\Response Headers section of the
ASCII Only Request window.
Allowed HTTP Methods
14 The HTTP RFC allows a restricted set of standard HTTP methods (GET, PUT,
HEAD, POST). Many of the non-standard methods have a very bad security record and
so, by default, they are blocked. WebDAV methods are blocked by default but can be
added either as a group or individually. Other methods that are blocked by default can also
be added individually.
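The three request-side checks above (format sizes, ASCII-only headers, allowed methods) are all decisions made on the request head before it reaches the server. The following is an added Python example of such a validator, written for this page; it is not Check Point's implementation, and the policy values (2048-byte URL, 50 headers, a 1024-byte Cookie limit, the WebDAV method group) are constructed defaults chosen for illustration.

```python
import re

# Constructed policy for this example; the knobs mirror the limits listed in the text,
# the values are illustrative and not Check Point defaults.
POLICY = {
    "max_url_len": 2048,
    "max_header_len": 4096,          # name + value of a single header line
    "max_headers": 50,
    # Per-header limits: (name regex, value regex, max value length)
    "header_limits": [
        (re.compile(r"^Cookie$", re.I), re.compile(r".*"), 1024),
    ],
    "allowed_methods": {"GET", "HEAD", "POST", "PUT"},
    "webdav_methods": {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"},
    "allow_webdav": False,           # WebDAV can be enabled as a group
    "ascii_only_headers": True,
}


def parse_request_head(raw: bytes):
    """Split the request head into (method, url, [(name, value), ...]).

    Raises ValueError on a request line that is not 'METHOD URL VERSION'
    or on a header line without a colon.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, url, _version = parts
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("header line without colon")
        headers.append((name.strip(), value.strip()))
    return method.decode("ascii", "replace"), url, headers


def is_binary(data: bytes) -> bool:
    """True if any byte lies outside printable ASCII (32-126); horizontal tab is tolerated."""
    return any(b != 9 and (b < 32 or b > 126) for b in data)


def check_request(raw: bytes, policy=POLICY) -> str:
    """Return 'allow' or a 'reject: <reason>' string for one HTTP request head."""
    try:
        method, url, headers = parse_request_head(raw)
    except ValueError as exc:
        return f"reject: {exc}"
    allowed = set(policy["allowed_methods"])
    if policy["allow_webdav"]:
        allowed |= policy["webdav_methods"]
    if method not in allowed:
        return f"reject: method {method} not allowed"
    if len(url) > policy["max_url_len"]:
        return "reject: URL too long"
    if len(headers) > policy["max_headers"]:
        return "reject: too many headers"
    for name, value in headers:
        text_name = name.decode("ascii", "replace")
        if len(name) + len(value) > policy["max_header_len"]:
            return f"reject: header {text_name} too long"
        if policy["ascii_only_headers"] and is_binary(name + value):
            return "reject: non-ASCII bytes in header"
        for name_re, value_re, max_len in policy["header_limits"]:
            if (name_re.search(text_name)
                    and value_re.search(value.decode("ascii", "replace"))
                    and len(value) > max_len):
                return f"reject: header {text_name} exceeds {max_len} bytes"
    return "allow"


# Constructed sample requests
OK_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.server.com\r\nUser-Agent: demo\r\n\r\n"
WEBDAV_REQUEST = b"PROPFIND /docs/ HTTP/1.1\r\nHost: www.server.com\r\n\r\n"
BIG_COOKIE = b"GET / HTTP/1.1\r\nHost: www.server.com\r\nCookie: " + b"a" * 1500 + b"\r\n\r\n"
BINARY_HEADER = b"GET / HTTP/1.1\r\nHost: www.server.com\r\nX-Pad: \x90\x90\x90\r\n\r\n"

if __name__ == "__main__":
    for sample in (OK_REQUEST, WEBDAV_REQUEST, BIG_COOKIE, BINARY_HEADER):
        print(check_request(sample))
    print(check_request(WEBDAV_REQUEST, dict(POLICY, allow_webdav=True)))
```

Enabling WebDAV as a group is a single policy flag here, mirroring the text; individual methods would be added to `allowed_methods`.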
Header Rejection
15 A web server or application parses not only the URL, but also the rest of the HTTP
header data. Wrong parsing can lead to buffer overrun attacks and other vulnerabilities.
Such attacks, while RFC compliant, can be blocked using signatures that are defined
using regular expressions.
HTTP Header Spoofing
16 One of the first steps an attacker takes before attacking a web site is to fingerprint it.
The attacker analyzes the web server's response in order to gather as much information as
possible about it. Some information in the response is redundant; this defense removes
such information by either removing the relevant header or changing its value. The
relevant headers can be added using regular expressions for name and value; each header
can be stripped (removed) or replaced from SmartDefense.
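Both Header Rejection and HTTP Header Spoofing come down to the same mechanism: a regular expression on the header name paired with one on the value, applied to every header line. The added Python example below (written for this page, not Check Point's code) shows a request-side signature check and a response-side strip/replace pass driven by such pairs. The signatures and rewrite rules are constructed for illustration; the Server, X-Powered-By and X-AspNet-Version header names and the placeholder value "webserver" are this example's own choices.

```python
import re

# Constructed request signatures: (header name regex, header value regex). A request
# carrying a header that matches both is rejected, even though it may be RFC compliant.
REQUEST_SIGNATURES = [
    # Content-Length that is not a plain decimal number (invites parser confusion)
    (re.compile(r"^Content-Length$", re.I), re.compile(r"[^0-9]")),
    # Transfer-Encoding values other than "chunked"
    (re.compile(r"^Transfer-Encoding$", re.I), re.compile(r"^(?!chunked$).+", re.I)),
    # Any header whose value is one character repeated 256 or more times (padding)
    (re.compile(r".*"), re.compile(r"(.)\1{255,}")),
]

# Constructed response rewrite rules: (name regex, value regex, action, replacement).
# "strip" removes the header; "replace" keeps it with a neutral value.
RESPONSE_RULES = [
    (re.compile(r"^Server$", re.I), re.compile(r".*"), "replace", "webserver"),
    (re.compile(r"^X-Powered-By$", re.I), re.compile(r".*"), "strip", None),
    (re.compile(r"^X-AspNet-Version$", re.I), re.compile(r".*"), "strip", None),
]


def parse_headers(head: str):
    """Turn a CRLF-separated block of header lines into [(name, value), ...]."""
    headers = []
    for line in head.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def match_request_signature(headers):
    """Return the first (name, value) pair that hits a signature, or None if clean."""
    for name, value in headers:
        for name_re, value_re in REQUEST_SIGNATURES:
            if name_re.search(name) and value_re.search(value):
                return name, value
    return None


def rewrite_response_headers(headers):
    """Apply strip/replace rules to server response headers; returns the new list."""
    result = []
    for name, value in headers:
        action, replacement = None, None
        for name_re, value_re, rule_action, rule_value in RESPONSE_RULES:
            if name_re.search(name) and value_re.search(value):
                action, replacement = rule_action, rule_value
                break
        if action == "strip":
            continue
        if action == "replace":
            value = replacement
        result.append((name, value))
    return result


# Constructed sample header blocks
SAMPLE_REQUEST_HEADERS = "Host: www.server.com\r\nContent-Length: 12abc\r\n"
SAMPLE_RESPONSE_HEADERS = ("Server: ExampleHTTPd/1.2.3\r\nX-Powered-By: ExampleFramework/4\r\n"
                           "Content-Type: text/html\r\n")

if __name__ == "__main__":
    print(match_request_signature(parse_headers(SAMPLE_REQUEST_HEADERS)))
    print(rewrite_response_headers(parse_headers(SAMPLE_RESPONSE_HEADERS)))
```

The first matching response rule wins, so rules should be ordered from most to least specific when several could apply to one header.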
Voice over IP (VoIP)
17 Supported SIP RFCs and Standards
  3372 (SIP-T)
  3311 (Update message)
  SIP over TCP
18 Supported SIP Advanced Features
  Call forwarding capabilities:
    Forward on busy
    Forward on no answer
    Find me, Follow me
    Forward unconditional
  Registration timeout configuration
  Third party registration
  Proxy failover
  DoS Protection. A maximum number of new VoIP sessions that can be initiated per
  minute from a specific IP address can be set. This feature is not enforced for Proxies
  or IP addresses on the White List.
19 Supported H.323 RFCs and Standards
  H.323 V.2, V.3, V.4
  H.234 V.3, V.5, V.7
  H.225 V.2, V.3, V.4
20 Supported H.323 Network Configurations when NAT is in use
  Gatekeepers, Gateways and PBXs can be installed using Static NAT in the external
  network, internal network or DMZ.
  Incoming calls to Hide NAT are supported.
  H.323-PSTN gateways can be installed anywhere using either Static or Hide NAT.
21 Advanced H.323 features
  FastStart and NAT support.
  H.245 Tunneling and NAT support.
  DoS Protection. A maximum number of new VoIP sessions that can be initiated per
  minute from a specific IP address can be set.
22 MGCP service - Support for the MGCP protocol, including:
  Dynamic management of RTP sessions (open data connection dynamically)
  Analysis and enforcement of message states
  Verification of existence and correctness of call parameters
  Keep call state for each call
  Enforcement of call hand-over
  Logging of call information, and reporting of security vulnerabilities
Sample Attack or vulnerability - Call denial-of-service, call hijacking, fooling a billing
service
Getting Here - Configure a VoIP domain, and then using SmartDashboard select
SmartDefense > Application Intelligence > VoIP > MGCP. Use the MGCP services in the
Security rule base.
23 Advanced MGCP features: DoS Protection. A maximum number of new VoIP sessions
that can be initiated per minute from a specific IP address can be set.
24 Skinny Client Control Protocol (SCCP) - VPN-1 supports the SCCP protocol, including:
  Dynamic management of RTP sessions (open data connection dynamically)
  Analysis and enforcement of message states
  Verification of existence and correctness of call parameters
  Keep call state for each call
  Enforcement of hand-over domains
  Logging of call information, and reporting of security vulnerabilities
Sample Attack or vulnerability - Call denial-of-service, call hijacking, fooling a billing
service
Getting Here - Configure a VoIP domain, and then using SmartDashboard select
SmartDefense > Application Intelligence > VoIP > SCCP. Use the SCCP service in the
Security rule base.
25 Advanced SCCP features: DoS Protection. A maximum number of new VoIP sessions that
can be initiated per minute from a specific IP address can be set.
Network Security
Port Scanning
26 Port Scanning detects scanning attempts in real time (during packet processing). Scans
are detected whether they are perpetrated by a single host or by several (distributed scans).
The feature detects two types of scans:
  scans aimed at detecting all services that a given computer runs (host port scan), and
  scans aimed at detecting the computers in a given network running a certain service
  (sweep scan).
This feature is useful in detecting worms such as Welchia that scan networks in order to
spread themselves.
Sample Attack or vulnerability - Welchia worm
Getting Here - In SmartDashboard, select SmartDefense > Network Security > Port Scan
Detections
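As an added illustration of the two scan types described above (example code written for this page, not Check Point's detector, whose thresholds and internals this document does not describe), the following Python class keeps a sliding window of connection attempts and raises a host port scan alert when one destination is probed on many distinct ports, and a sweep alert when one port is probed across many destinations. Keying the counters by destination rather than by source is what lets it see a scan spread over several attacking hosts as one distributed scan; the 10-second window and the thresholds of 20 are this example's own choices.

```python
from collections import defaultdict, deque


class PortScanDetector:
    """Sliding-window detector for host port scans and sweep scans.

    Counting is keyed by destination, so a scan shared between several
    attacking hosts (a distributed scan) still accumulates against the
    target host or the target port.
    """

    def __init__(self, window=10.0, host_scan_ports=20, sweep_hosts=20):
        self.window = window
        self.host_scan_ports = host_scan_ports
        self.sweep_hosts = sweep_hosts
        self.events = deque()                                        # (ts, src, dst, dport)
        self.ports_by_dst = defaultdict(lambda: defaultdict(int))    # dst -> port -> count
        self.hosts_by_port = defaultdict(lambda: defaultdict(int))   # port -> dst -> count
        self.sources = defaultdict(set)                              # alert key -> sources seen
        self.alerted = set()

    def _expire(self, now):
        """Drop events older than the window and decrement their counters."""
        while self.events and self.events[0][0] < now - self.window:
            _, _src, dst, dport = self.events.popleft()
            for table, key, sub in ((self.ports_by_dst, dst, dport),
                                    (self.hosts_by_port, dport, dst)):
                table[key][sub] -= 1
                if table[key][sub] == 0:
                    del table[key][sub]

    def observe(self, ts, src, dst, dport):
        """Feed one connection attempt; returns a list of new alerts (usually empty)."""
        self._expire(ts)
        self.events.append((ts, src, dst, dport))
        self.ports_by_dst[dst][dport] += 1
        self.hosts_by_port[dport][dst] += 1
        self.sources[("host_scan", dst)].add(src)
        self.sources[("sweep", dport)].add(src)
        alerts = []
        distinct_ports = len(self.ports_by_dst[dst])
        if distinct_ports >= self.host_scan_ports and ("host_scan", dst) not in self.alerted:
            self.alerted.add(("host_scan", dst))
            alerts.append({"type": "host_scan", "target": dst, "distinct_ports": distinct_ports,
                           "sources": sorted(self.sources[("host_scan", dst)])})
        distinct_hosts = len(self.hosts_by_port[dport])
        if distinct_hosts >= self.sweep_hosts and ("sweep", dport) not in self.alerted:
            self.alerted.add(("sweep", dport))
            alerts.append({"type": "sweep", "port": dport, "distinct_hosts": distinct_hosts,
                           "sources": sorted(self.sources[("sweep", dport)])})
        return alerts


def run_demo():
    """Constructed traffic: a distributed host scan, then a port-135 sweep across a subnet."""
    det = PortScanDetector()
    alerts = []
    # Two hosts share the work of probing ports 1-30 on one server.
    for port in range(1, 31):
        src = "10.0.0.5" if port % 2 else "10.0.0.6"
        alerts += det.observe(0.1 * port, src, "192.0.2.10", port)
    # Later, a single host tries port 135 on forty addresses of a /24 (worm-style sweep).
    for host in range(1, 41):
        alerts += det.observe(20.0 + 0.05 * host, "10.0.0.7", f"192.0.2.{host}", 135)
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The `sources` sets are kept only so that an alert can name every participating host; a production detector would age them out with the events.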
DShield Storm Center
27 Automatic integration in the rule base with the SANS Storm Center. SANS monitors
the top malicious sources on the Internet. This feature allows both the updating of
SANS with malicious hosts detected by VPN-1 Pro and the ability to automatically block
hosts known to SANS as malicious. This offers protection from Distributed Denial of
Service (DDoS) at the Firewall and further "upstream" by other Check Point customers.
Sample Attack or vulnerability - Code Red or any DDoS attack.
Getting Here - In SmartDashboard, select SmartDefense > Network Security > DShield
Storm Center > Report to DShield
DNS Security
DNS Verification
28 VPN-1 enforces the DNS protocol on DNS UDP and TCP traffic, ensuring that the
traffic that crosses the Firewall is valid DNS traffic.
The RFC-defined header size, domain and FQDN (Fully Qualified Domain Name)
syntax are enforced. This protects clients and servers from buffer overruns.
VPN-1 enforces the proper content of the header (Z flag, QR bit, OPCODE),
Resource Record counters and formats. This includes:
  enforcing a domain's proper syntax on queries and responses,
  enforcing the proper format of the TYPE values, and
  enforcing the format of Inverse Queries.
In addition, VPN-1 verifies that every response matches a certain request by the session ID.
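The checks just listed (header size, Z flag, OPCODE, record counters, domain and label syntax, TYPE values) can all be made on the raw wire format. The following added Python example, written for this page and not taken from Check Point, is a strict DNS message verifier: it parses the 12-octet header, every question and every resource record, and rejects anything that violates the RFC 1035 limits or runs past the end of the message. The set of accepted record types and the allowed label characters are this example's own constructed policy, as are the sample query and response (example.com, 192.0.2.1).

```python
import re
import struct

VALID_OPCODES = {0, 1, 2, 4, 5}      # QUERY, IQUERY, STATUS, NOTIFY (RFC 1996), UPDATE (RFC 2136)
# Constructed allow-list of record types for this example; a real policy would be longer.
KNOWN_TYPES = {1, 2, 5, 6, 12, 15, 16, 28, 33, 41, 251, 252, 255}
LABEL_CHARS = re.compile(rb"[A-Za-z0-9_-]+")     # constructed label syntax policy


def parse_name(buf: bytes, off: int, depth: int = 0):
    """Parse a domain name at buf[off]; return (dotted name, offset after it).

    Enforces the RFC 1035 limits (63 octets per label, 255 per name), rejects
    reserved label types, and only follows compression pointers backwards, so a
    pointer loop cannot hang the parser.
    """
    labels, total = [], 0
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of message")
        length = buf[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:
            if depth > 4 or off + 1 >= len(buf):
                raise ValueError("bad compression pointer")
            pointer = ((length & 0x3F) << 8) | buf[off + 1]
            if pointer >= off:
                raise ValueError("forward compression pointer")
            tail, _ = parse_name(buf, pointer, depth + 1)
            labels.append(tail)
            return ".".join(labels), off + 2
        if length & 0xC0:                    # 0x40/0x80 label types are reserved (and >63)
            raise ValueError("reserved label type")
        total += length + 1
        if total > 255:
            raise ValueError("name longer than 255 octets")
        label = buf[off + 1:off + 1 + length]
        if len(label) != length or not LABEL_CHARS.fullmatch(label):
            raise ValueError("malformed label")
        labels.append(label.decode("ascii"))
        off += 1 + length


def verify_dns_message(buf: bytes) -> str:
    """Return 'ok' or 'reject: <reason>' for one DNS message (UDP payload or TCP record body)."""
    try:
        if len(buf) < 12:
            raise ValueError("header shorter than 12 octets")
        _msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
        opcode = (flags >> 11) & 0xF
        if opcode not in VALID_OPCODES:
            raise ValueError(f"unknown opcode {opcode}")
        if flags & 0x0040:                   # the reserved Z bit (AD/CD below it are RFC 2535 bits)
            raise ValueError("reserved Z bit set")
        if opcode == 0 and qd != 1:
            raise ValueError("standard query must carry exactly one question")
        off = 12
        for _ in range(qd):
            _name, off = parse_name(buf, off)
            if off + 4 > len(buf):
                raise ValueError("truncated question")
            qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
            off += 4
            if qtype not in KNOWN_TYPES:
                raise ValueError(f"unknown QTYPE {qtype}")
        for _ in range(an + ns + ar):
            _name, off = parse_name(buf, off)
            if off + 10 > len(buf):
                raise ValueError("truncated resource record")
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
            off += 10
            if rtype not in KNOWN_TYPES:
                raise ValueError(f"unknown record TYPE {rtype}")
            if off + rdlen > len(buf):
                raise ValueError("RDLENGTH exceeds message")
            off += rdlen
        if off != len(buf):
            raise ValueError("trailing bytes after last record")
        return "ok"
    except ValueError as exc:
        return f"reject: {exc}"


# Constructed sample messages: a query for example.com A, its response (192.0.2.1),
# and three malformed variants.
QUESTION = b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
GOOD_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + QUESTION
GOOD_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + QUESTION
                 + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01")
Z_BIT_SET = b"\x12\x34\x01\x40" + GOOD_QUERY[4:]
TRUNCATED = GOOD_QUERY[:-2]
LOOPING_POINTER = GOOD_QUERY[:12] + b"\xc0\x0c" + b"\x00\x01\x00\x01"

if __name__ == "__main__":
    for sample in (GOOD_QUERY, GOOD_RESPONSE, Z_BIT_SET, TRUNCATED, LOOPING_POINTER):
        print(verify_dns_message(sample))
```

Rejecting forward pointers is stricter than some resolvers, but it is the simplest way to guarantee termination and it matches how real compressors emit names.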
UDP Protocol Enforcement
29 DNS protocol inspection (supporting RFCs 1034/1035 (General), 1996 (Notify), 2136
(Update), 2317 (classless delegation), 2535 (DNS security extensions), 2671 (EDNS0) and
draft-ietf-dnsext-axfr-clarify-05). Enforcement covers lengths, counters, header flags,
proper domain format, Resource Record formats, matching of responses to a previous
request, bounds checking, and type and domain logging.
Sample Attack or vulnerability - Trojan Horses, DNS cache poisoning
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS
> Protocol Enforcement, and enable UDP Protocol Enforcement.
TCP Protocol Enforcement
30 Inspect DNS over TCP - In addition to the UDP capabilities mentioned above, inspect
TCP zone transfer traffic.
Sample Attack or vulnerability - Trojan Horses, DNS cache poisoning
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS
> Protocol Enforcement, and enable TCP Protocol Enforcement.
Defense Against Cache Poisoning
31 ID Scrambling - Some DNS implementations use trivial transaction IDs and source ports
that are easy to predict for their DNS queries; this allows hackers to craft spoofed
response packets that will poison the DNS server's cache. VPN-1 tracks each request,
and randomizes the transaction ID and source port of outgoing queries using strong
cryptographic algorithms. Replies are validated to have matching query entries.
Sample Attack or vulnerability - DNS cache poisoning
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS
> Cache Poisoning > Scrambling.
32 Birthday-Attack Defense - An attacker sends many simultaneous queries to the attacked
server, triggering it to issue many queries to external servers, for which the attacker then
spoofs the replies. If a spoofed reply matches one of the server's requests, the result
may be poisoning of the server's cache; because of the birthday paradox, the chances of a
spoofed reply matching a server request are high. This defense prevents external queries
to internal DNS servers if the DNS server is not authoritative for the queried domain.
Sample Attack or vulnerability - DNS birthday attack
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS
> Cache Poisoning > Drop Inbound Requests.
33 Excessive ID Mismatch Detection - DNS cache poisoning attacks (especially the
"Birthday Attack") usually have a by-product of many mismatching DNS replies in a
short time. An excessive number of DNS replies that do not have a matching query can
indicate a cache-poisoning attack. VPN-1 generates a special alert when thresholds of
mismatched replies within a specified duration of time are surpassed. These thresholds are
configurable (the default is 50 over 5 seconds) and administrators can be notified in a
variety of ways (log, email, SNMP trap or one of three User Defined Actions).
Sample Attack or vulnerability - DNS cache poisoning
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS
> Cache Poisoning > Mismatched Replies.
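ID scrambling (item 31) and excessive-mismatch detection (item 33) fit together naturally: the same table that maps a scrambled ID/port back to the original query is what decides whether an inbound reply has a matching entry, and the replies that match nothing are what the mismatch counter counts. The added Python example below (written for this page; not Check Point's implementation) shows one such tracker. It draws the outgoing ID and source port from a CSPRNG, restores the original values on a matching reply, drops unmatched replies, and raises an alert when the number of unmatched replies in the window reaches the threshold, using the document's default of 50 in 5 seconds. The 10-second query timeout, the once-per-window alert suppression and the sample traffic are this example's own assumptions.

```python
import secrets
from collections import deque


class DnsQueryScrambler:
    """Rewrite outgoing query IDs/source ports unpredictably and police the replies.

    pending maps (scrambled id, scrambled port) -> (client, original id, original
    port, expiry). A reply that matches nothing is dropped and counted; when the
    count within `window` seconds reaches `threshold`, an alert is raised at most
    once per window. Defaults follow the text: 50 mismatches in 5 seconds.
    """

    def __init__(self, threshold=50, window=5.0, query_timeout=10.0):
        self.threshold = threshold
        self.window = window
        self.query_timeout = query_timeout      # constructed default for this example
        self.pending = {}
        self.mismatches = deque()
        self.last_alert = None

    def _expire(self, now):
        """Forget queries that never got a reply and mismatches outside the window."""
        for key, entry in list(self.pending.items()):
            if entry[3] < now:
                del self.pending[key]
        while self.mismatches and self.mismatches[0] <= now - self.window:
            self.mismatches.popleft()

    def outbound_query(self, now, client, orig_id, orig_port):
        """Return the (id, port) to place on the wire for this client's query."""
        self._expire(now)
        while True:
            # CSPRNG choice over the full 16-bit ID space and the ephemeral port range
            scrambled = (secrets.randbelow(65536), 1024 + secrets.randbelow(64512))
            if scrambled not in self.pending:
                break
        self.pending[scrambled] = (client, orig_id, orig_port, now + self.query_timeout)
        return scrambled

    def inbound_reply(self, now, reply_id, dst_port):
        """Classify a reply from the Internet: forward with the original id/port, or drop."""
        self._expire(now)
        entry = self.pending.pop((reply_id, dst_port), None)
        if entry is not None:
            client, orig_id, orig_port, _ = entry
            return {"action": "forward", "client": client, "id": orig_id, "port": orig_port}
        self.mismatches.append(now)
        alert = False
        if len(self.mismatches) >= self.threshold and (
                self.last_alert is None or now - self.last_alert >= self.window):
            self.last_alert = now
            alert = True
        return {"action": "drop", "mismatches_in_window": len(self.mismatches), "alert": alert}


def run_demo():
    """Constructed traffic: one legitimate exchange, then a burst of 50 unsolicited replies."""
    s = DnsQueryScrambler()
    wire_id, wire_port = s.outbound_query(0.0, "10.0.0.5", 0x1234, 53000)
    legit = s.inbound_reply(0.1, wire_id, wire_port)
    burst = [s.inbound_reply(1.0 + 0.01 * i, i, 40000) for i in range(50)]
    return legit, burst


if __name__ == "__main__":
    legit, burst = run_demo()
    print(legit)
    print(burst[-1])
```

Because a matching entry is removed as soon as it is used, a second copy of the same reply is treated as a mismatch, which is the behaviour you want against replay of a captured answer.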
Domains Block List
34 Damaging or malicious traffic can sometimes be characterized by the DNS domain it is
trying to reach. In VPN-1 you can now maintain a block-list of DNS domains. Queries
for the domains in the block-list are blocked. This method is effective for blocking
traffic to a domain when the destination IP address also hosts additional sites besides
the prohibited one. This is an important advantage over blocking traffic to the domain
in the Security rule-base: it grants access to the safe domains while keeping the unsafe
ones out.
Sample Attack or vulnerability - Undesired traffic to a site characterized by its domain.
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > DNS
> Domains block-list.
Check Point Active Streaming
35 The new Active Streaming technology enhances the streaming capabilities that already
exist in VPN-1 to new levels of inspection. Check Point Active Streaming reassembles
TCP segments, enabling inspection of complete protocol units before any of them reach
the client or server.
Application Intelligence for Additional Protocols
36 POP3 and IMAP - VPN-1 can verify that the username entered for reading mail using
POP3 or IMAP is similar to the username entered for VPN authentication and/or for
UserAuthority authentication. In addition, protocol validation, including blocking of
binary data, is performed on the username and on other protocol elements.
Sample Attack or vulnerability - Restrict a user from reading another user's mail.
Getting Here - In order to configure username verification, define the gateway object as
a Mail Server, then edit the Mail Server page of the object, and enable the property
Verify username with VPN tunnel user.
37 Block Peer to Peer Applications - Peer to peer applications use their own proprietary
protocols, which use arbitrary port numbers, and therefore are hard to block using
standard methods (such as via the Security rule base). These applications can cause a
variety of problems. VPN-1 can block the common peer to peer applications, including
Kazaa, eDonkey and Gnutella, and gives administrators the opportunity to exclude specific
ports and network objects from peer to peer detection.
Sample Attack or vulnerability - Exposing private data, exposing the network to viruses
and Trojan horses, wasting CPU time, exploiting storage and bandwidth resources,
wasting employees' time and raising legal issues (piracy and intellectual property rights).
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence > Peer
to Peer
38 DCE-RPC - DCE-RPC is a protocol for calling a procedure on a remote machine as if it
were a local procedure call. The protocol uses a Universally Unique Identifier (UUID) to
connect remote machine interfaces. Many DCE-RPC attacks are based on malformed
or objectionable DCE-RPC traffic.
VPN-1's DCE-RPC packet verification prevents DoS attacks and exploits. VPN-1
addresses this protocol validation by authorizing DCE-RPC UUIDs and opening high
ports dynamically only if the UUID is allowed and the protocol flow is not violated.
Sample Attack or vulnerability - Blaster Worm, Spike
Getting Here - Enabled by default in VPN-1's DCE-RPC enforcement.
39 DCOM Protocol Validation - Recent attacks against DCOM are based on malformed
DCOM traffic on port 135. VPN-1 allows DCOM communication and traffic for the
UUIDs needed by DCOM, but prevents Blaster and other attacks.
Sample Attack or vulnerability - The Blaster attack creates a buffer overflow on the DCOM
server on port 135.
Getting Here - Enabled by default in VPN-1's DCE-RPC enforcement.
40 SNMP Version Enforcement - SNMPv3 is much more secure than earlier versions.
VPN-1 can verify that all SNMP traffic is version 3. The default is to allow all
SNMP traffic, but if you switch to SNMPv3 only, all traffic from earlier versions is blocked.
Sample Attack or vulnerability - SNMPv2 trivial communities; data is not encrypted,
poor authentication mechanisms.
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence >
SNMP and enable Allow only SNMPv3 traffic.
41 Communities Block-list - Common network devices have default, well-known
community strings. These communities are often not disabled, and thus expose a
vulnerability by leaving an easy way to gain unauthorized SNMP access to the
machine. VPN-1 enforces an SNMP community block-list, blocking SNMPv2 and earlier
connections that use these trivial community strings.
Sample Attack or vulnerability - SNMPv2 trivial communities
Getting Here - In SmartDashboard, select SmartDefense > Application Intelligence >
SNMP and enable Drop requests with default community strings for SNMPv1 and SNMPv2.
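Both SNMP defenses above (items 40 and 41) need the same two fields from the front of every SNMP datagram: the version integer and, for SNMPv1/v2c, the community string that follows it. The added Python example below (written for this page, not Check Point's code) decodes just enough BER to read those fields and then applies either rule: drop anything that is not SNMPv3 when "only SNMPv3" is set, or drop SNMPv1/v2c requests that use a well-known default community. The community list, the packet builder and the sample community "s3cret" are constructed for this example.

```python
# Constructed list of default community strings for this example
DEFAULT_COMMUNITIES = {b"public", b"private", b"community", b"admin", b"manager", b"default"}

TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING = 0x30, 0x02, 0x04


def read_tlv(buf: bytes, off: int):
    """Read one BER tag-length-value; returns (tag, value bytes, offset after it)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                        # long-form length: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("value runs past end of packet")
    return tag, buf[off:off + length], off + length


def inspect_snmp(payload: bytes, v3_only: bool = False) -> str:
    """Decide for one SNMP datagram: 'allow: ...', 'drop: ...' or 'reject: <reason>'."""
    try:
        tag, body, _ = read_tlv(payload, 0)
        if tag != TAG_SEQUENCE:
            raise ValueError("not an SNMP message sequence")
        tag, raw_version, off = read_tlv(body, 0)
        if tag != TAG_INTEGER or not raw_version:
            raise ValueError("missing version field")
        version = int.from_bytes(raw_version, "big")
        if version == 3:
            return "allow: SNMPv3"
        if version not in (0, 1):            # 0 = SNMPv1, 1 = SNMPv2c on the wire
            raise ValueError(f"unknown SNMP version {version}")
        label = "SNMPv1" if version == 0 else "SNMPv2c"
        if v3_only:
            return f"drop: {label} blocked, only SNMPv3 allowed"
        tag, community, _ = read_tlv(body, off)
        if tag != TAG_OCTET_STRING:
            raise ValueError("missing community string")
        if community in DEFAULT_COMMUNITIES:
            return f"drop: {label} request with default community {community.decode('ascii', 'replace')}"
        return f"allow: {label}"
    except ValueError as exc:
        return f"reject: {exc}"


def build_v1_v2c_get(version: int, community: bytes) -> bytes:
    """Construct a minimal GetRequest (empty varbind list) as sample traffic."""
    pdu_body = b"\x02\x01\x01" + b"\x02\x01\x00" + b"\x02\x01\x00" + b"\x30\x00"
    pdu = b"\xa0" + bytes([len(pdu_body)]) + pdu_body
    body = b"\x02\x01" + bytes([version]) + b"\x04" + bytes([len(community)]) + community + pdu
    return b"\x30" + bytes([len(body)]) + body


SNMPV3_HEADER_ONLY = b"\x30\x03\x02\x01\x03"     # constructed: version field only

if __name__ == "__main__":
    print(inspect_snmp(build_v1_v2c_get(0, b"public")))
    print(inspect_snmp(build_v1_v2c_get(1, b"s3cret")))
    print(inspect_snmp(build_v1_v2c_get(1, b"s3cret"), v3_only=True))
    print(inspect_snmp(SNMPV3_HEADER_ONLY))
```

Only the outer sequence, the version and the community are decoded; the PDU that follows is left alone, which keeps the parser small and avoids taking decisions on fields the policy does not use.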
42 MS-SQL - An administrator can now block the Slammer worm on the SQL monitoring
UDP protocol by looking for pre-defined patterns.
Sample Attack or vulnerability - Slammer worm
Getting Here - In SmartDashboard, include the service MSSQL_Resolver in any access
rule in the Security rule base.
Malicious Activity Prevention
43 Malicious Code Protector - Most HTTP worms and exploits take advantage of a buffer
overflow vulnerability. This vulnerability is generally a result of mishandling of input
length. An attacker can exploit this vulnerability by sending an oversized buffer which is
copied on top of the smaller buffer by the application, thus creating memory
corruption. This memory corruption might lead to any of the following:
  abrupt application termination
  a denial of service attack
  in the event of a well crafted attack, malicious code execution
Malicious Code Protection is a Check Point patent-pending technology that blocks
hackers from sending malicious code to target servers and applications. It can detect
malicious executable code within communications by identifying not only the existence
of executable code in a data stream but also its potential for malicious behavior. Malicious
Code Protection is a kernel-based protection delivering wire-speed performance. Its
core functions are:
  Monitor communication for potential executable code
  Confirm the presence of executable code
  Identify whether the code is malicious
  Block malicious executable code from reaching the target host
It is important to understand that this defense does not rely upon pattern detection,
which means it can stop both known and unknown attacks.
Sample Attack or vulnerability - Some common worms: Nimda, CodeRed, and many
exploits such as IIS WebDAV exploits.
Getting Here - In SmartDashboard, select Web Intelligence > Malicious Code > Malicious
Code Protector.
General
44 DCE-RPC can now communicate over ports other than 135.
45 Multicast traffic can now be allowed or blocked for each multicast group. Configuration
is per interface. For example, define a new object called multicast address range, and use it
when defining the network topology on the interface.
46 IPv6 security is now supported on the Linux platform.
47 NAT hide can now be defined for PPTP clients.
48 Authentication capabilities have been enhanced to better protect against brute force
attacks.
49 It is now possible to disable the logging of anti-spoofing activity of local interfaces and
clusters.
50 Individual interfaces can now be configured to accept or block traffic from specific
multicast groups.
51 ISP redundancy on the Nokia platform is now supported.
52 ISP Redundancy DNS features can now be configured using SmartDashboard.
53 The SmartDefense service now protects IPv6 networks.
54 SmartDefense update can now traverse a web proxy with authentication.
55 It is now possible to define a name for each security rule. The rule name appears in
the logs created by that rule and persists across policy changes.
56 Enhanced SmartDefense updates infrastructure with improved inspection capabilities.
VPN
VPN Routing
1 To tighten security and enhance the granularity of the VPN security policy, VPN rules
can now be enforced according to the direction of a connection. For example, it is
possible to define source and destination pairs in the VPN column (see the table of
examples at the end of this section).
2 OSPF/BGP over VPN is enabled with a VPN-1 gateway on SecurePlatform and IPSO.
Every VPN tunnel is represented as a virtual adapter, enabling encapsulation of OSPF
and BGP traffic. These virtual adapters can be used to establish integrated dynamic
routing configurations with the routing domains in the protected networks. In effect,
this new technology unifies all the VPN-protected networks into one dynamically
adaptable network.
Examples of source/destination pairs for the VPN column (referred to under VPN Routing, item 1):
Source          Destination
Community A     Community B
Community A     Any
Local domain    Community A
Local domain    Remote Access Community
3 Support for backup links and on-demand links is enabled by multiple VPN links
between VPN-1 gateways. Multiple VPN links are available when a single VPN-1
gateway is connected to multiple network infrastructures (e.g., multiple ISPs). Two
VPN gateways may have several paths of communication that they can use to reach each
other. Also new are Link Selection mechanisms, which provide additional methods to
resolve a gateway's IP address, such as defining a fixed IP address that is always used, and
defining a DNS name to be resolved, which is most useful for gateways with
dynamically allocated IP addresses.
4 GRE is now supported over IPsec in order to interoperate with devices that support
dynamic routing over the VPN only with GRE.
5 Wire mode VPN is now available: internal (safe) VPN connectivity is supported by
reducing security checks on VPN traffic.
6 On Linux, SecurePlatform, and SecurePlatform Pro, encrypted packets are now
rerouted again after they are encrypted (once the destination has been changed to the
gateway IP address). This behavior already takes place on Nokia platforms.
VPN Tunnel Management
7 VPN tunnels may now be defined on VPN-1 gateways. The functionality is accessed
using the command line interface to the gateway. This extends the interface to external
management tools for Check Point gateways.
8 VPN links can now be configured to be always on. This feature enables:
  VPN link (tunnel) monitoring - link properties, link state, traffic through the link
  and more. Better support of applications that are sensitive to link setup delays.
  Configuration of the Route Injection Mechanism when using MEP.
  Alert upon tunnel failure.
9 SmartView Monitor can now monitor VPN tunnels. SmartViews of VPN tunnel
properties and status, both for site-to-site and for remote access VPN, are now available.
Multiple Entry Point (MEP) and VPN Load Distribution
10 For site-to-site VPN, explicit MEP configuration is now available at the center of a star
community. There are several methods to connect to the MEP gateway, including
explicit priority among entry points (which is independent of the VPN domain
definition of entry points). For Remote Access VPN, the old MEP configuration still
exists.
VPN-1 Clusters
11 By enabling the new Sticky Decision Function, ClusterXL Load Sharing now supports:
  VPN routing of third party gateways that require stickiness
  SecureClient Visitor mode
  SSL Network Extender clients
  L2TP and Nokia clients
Support for these features requires certain additional configuration. Consult the
ClusterXL guide for more details.
PKI, PKCS
12 Internal CA diagnostics are now available through SmartView Monitor.
13 Internal CA enhancements include:
  Certificate enrollment using PKCS10 is available.
  Generate certificate as PKCS12 (used in CAPI token).
  Additional, configurable level of administration privileges.
14 Certificate enrollment to a VPN-1 module using the SCEP and CMP protocols is now
available.
15 Online Certificate Status Protocol (OCSP) is now supported.
16 An existing CA certificate can now be replaced with a newer one in a VPN-1 system,
provided that the new certificate has exactly the same key pair as the certificate that it
is replacing.
NAT with VPN
17 SecureClient now supports NAT-T.
VPN-1 Diagnostics (Logging, Monitoring, Planning)
18 The usability of VPN activity logs has been enhanced.
Connectivity
19 SecuRemote/SecureClient can now resolve the address of the remote gateway by using
one of the following link selection methods:
  Main IP / Single IP
  Topology calculation
  RDP probing, which allows configuring the primary interface and a manual IP list
  for probing.
20 The encryption domain of the gateway can now be defined differently for site-to-site
VPN and for remote access VPN.
21 Third party DAIP gateways and externally managed DAIP gateways are now supported
with certificate authentication.
Office Mode
22 Office Mode assignment can now be used to access other gateways in the site.
23 A RADIUS server can now be used for Office Mode IP assignment.
L2TP Clients
24 Legacy authentication schemes, such as Check Point password, OS password, RADIUS,
LDAP, TACACS, etc., are now supported for L2TP clients.
Multicast
25 Through the use of VPN virtual interfaces, multicast traffic can now be encrypted and
passed through VPN tunnels.
Route Injection Mechanism (RIM)
26 RIM is now supported both with and without MEP. It can be configured under the
Tunnel Management page of the community.
SecuRemote/SecureClient
NAT with VPN
1 SecureClient now supports NAT-T.
User Experience
2 The SecuRemote/SecureClient user interface now supports the following languages:
English, French, Italian, German and Spanish.
3 The Hotspot Registration feature now limits the number of unsuccessful registration
attempts and disables registration IP addresses once the client connects.
Connectivity
4 In an MEP configuration, the client MEP decision can be disabled, in which case the
client connects to the gateway specified in the profile.
5 In an MEP configuration, a backup gateway can be specified in a centrally managed
connection profile. If so specified, and the primary gateways are unreachable,
SecuRemote/SecureClient connects to the specified backup gateway and does not
perform an MEP decision.
6 The encryption domain of the gateway can now be defined differently for site-to-site
VPN and for remote access VPN.
7 SecuRemote/SecureClient can now resolve the address of the remote gateway by using
one of the following link selection methods:
  Main IP / Single IP
NAT with VPN page 18
User Experience page 18
Connectivity page 18
Office Mode page 19
Desktop Security page 19
Secure Configuration Verification (SCV) page 19 Windows - XP-specific Issues page 20
Miscellaneous page 20
SecureClient Software Distribution Sever (SDS) page 20
New Features SecuRemote/SecureClient
-
7/31/2019 Checkpoint NGX WhatsNew
19/30
New Features SecuRemote/SecureClient
Whats New in Check Point NGX R60 Last Update 5/16/05 19
Topology calculation
RDP probing, which allows the possibility of configuring the primary interface and
manual IP list for probing.
Office Mode
8 Office Mode assignment can now be used to access other gateways in the site.
9 A RADIUS server can now be used for Office Mode IP assignment.
10 VPN-1 Pro gateway DHCP requests can contain various client attributes that allow
DHCP clients to differentiate themselves. The attributes are pre-configured on the
client side operating system, and can be used by different DHCP servers in the process
of distributing IP addresses. VPN-1 Pro gateway DHCP requests can contain the
following attributes:
Host Name
Fully Qualified Domain Name (FQDN)
Vendor Class
User Class
Desktop Security
11 When policy expiration is enabled and SecureClient is connected, it will attempt to
update policy every expire_time/2. If it fails to update the policy, SecureClient will not
revert to the default policy.
12 Desktop security rules now support RADIUS groups.
13 Policy server logon is by default set to the Policy Server on the gateway to which you
connect. Centrally managed profiles can be configured to direct logons to a different
Policy Server. Perform the following:
1 Specify the Policy Server in the profile.
2 Use the dbedit database tool to set the property use_profile_ps_configuration
to true.
Secure Configuration Verification (SCV)
14 When enforcing Secure Configuration Verification on simplified mode VPN (VPN-1
communities), specific hosts and services may be defined as exceptions to the rule (e.g.,
to allow anti-virus updates, even if the client machine is not verified).
15 SecuRemote (which does not support SCV) can be regarded as verified when SCV is
enforced. To enable this, set scv_allow_sr_clients to true in userc.c (by default this
value is set to false). This global flag can be overridden by the administrator by setting
the matching flag in the topology, using the dbedit tool.
16 OS Monitor is now supported on Windows 2003 Server.
17 The greater than (>) operator is supported in signature file comparison in AntiVirus
monitor.
18 ZoneAlarm Pro antivirus signatures version validation is supported for AntiVirus
monitor.
19 The following enhancements for SCV monitors are now available:
You can now check keys under HKCU, HKU and HKLM in the Registry Monitor
While in Secure Domain Logon (SDL), each check under the Registry Monitor, OS
Monitor and Browser Monitor can be disabled.
Windows XP-specific Issues
20 Improved integration with Windows XP SP2 Firewall.
Miscellaneous
21 The following R56 local attributes can now be centrally managed:
Hotspot registration configuration
Disconnect_when_in_enc_domain
Simplified_client_route_all_traffic
22 SecureClient now reports the following parameters to User Monitor:
OS version, Client version and build
last known SCV failure reason
23 Secure Domain Logon (SDL) by default will not be part of the Windows logon
procedure when the client machine is part of the encryption domain. To force SDL
when inside the encryption domain, use the Windows Registry editor to set
SdlIgnoreEncDomain to 0 (DWORD) in HKLM\Software\CheckPoint\SecuRemote.
24 VPN-1 Pro now enforces the number of licensed remote access connections. This
includes the number of SecuRemote connections allowed according to the gateway size
plus the number of SecureClient licenses.
SecureClient Software Distribution Server (SDS)
25 The SDS server and the SDS agent are no longer part of the SecureClient product.
Integrity
1 Integrity Product Family achieves Total Access Protection for all PCs that connect to
your network. Check Point Integrity endpoint security products ensure that both
employee and guest users' PCs are secure before they're granted network access. By
stopping worms, spyware, and hacker attacks, Integrity maintains business continuity,
supports regulatory compliance, and protects you against financial loss due to endpoint
attacks.
2 Integrity client and server software secures all networked PCs by centrally managing
proactive defenses and enforcing policy compliance.
3 Integrity for Linux offers enterprises easy-to-manage endpoint security for the growing
number of Linux workstations, providing sophisticated attack protections coupled with
centralized policy deployment and reporting.
4 Integrity SecureClient unites the complementary strengths of VPN-1 SecureClient and
Integrity to deliver the most advanced remote access, endpoint security, and access
policy enforcement.
5 Integrity Clientless Security mitigates risks posed by employee and guest endpoints
accessing enterprise resources via the Web. It delivers spyware disablement, ensures
session confidentiality, and enforces network access policy.
6 Integrity Desktop delivers preemptive protection against the latest worms, viruses,
spyware, and hacker attacks.
SSL Network Extender
1 The SSL Network Extender is now centrally managed, and can be configured on
SmartDashboard.
2 SSL Network Extender now supports SecurID's New PIN Mode and password changes
for RADIUS and LDAP authentication servers.
3 SSL Network Extender now supports ICS.
4 SSL Network Extender clients are supported on ClusterXL gateways in Load Sharing
mode when the Sticky Decision Function is enabled.
5 SSL Network Extender now supports Integrity™ Clientless Security (ICS) version 3.0,
including Integrity™ Secure Browser (ISB).
6 The SSL Network Extender end-user interface can now be customized, as well as
localized for the following languages (user-selectable):
English
French
Italian
German
Spanish
Japanese
Traditional Chinese
Simplified Chinese
Portuguese (Brazilian)
Hebrew
SmartCenter
Cloning Network Objects
1 Networks and Host Nodes can now be cloned with a right click. The newly created
object has field values in common with the original object.
SmartGroups
2 Groups can be viewed hierarchically in the Objects Tree. Additionally, a new feature in
SmartDashboard allows you to configure group conventions. When you do so,
SmartDashboard makes suggestions to assign newly created objects to groups based on
their name, color or network location.
Tooltips
3 Details about a network object or service, such as IP/port, version, and comment, are
now visible within SmartDashboard rule bases without opening the object or service.
Unique Rule Identifier
4 A new feature in SmartView Tracker allows you to open SmartDashboard to the rule
that a certain connection matched on. Also, an enhanced rule filter provides the ability
to search within SmartView Tracker for other connections that matched on that rule,
either by rule number or unique rule ID. A new feature in SmartDashboard allows you
to view all logs generated for a certain rule.
Improved Manageability of Administrators
5 In this release, cpconfig allows the definition of just one administrator. Others can be
added through SmartDashboard. All cpconfig administrators can be converted to
administrators in SmartDashboard by using the $FWDIR/bin/cp_admin_convert tool.
Mandatory Session Description
6 SmartDashboard users can now be compelled to enter a session ID describing the
changes they have made. This provides a better ability to track database changes in the
audit logs.
GUI Client Disconnect
7 When logging into a SmartCenter Server, an administrator can now disconnect other
users who are logged in and locking the database.
Central Management for Connectra
8 Connectra devices are now part of Check Point's centralized SMART management,
integrating security, monitoring, logging, reporting, updating and intelligent
information processing in a single interface.
Web-Based Access to SmartCenter - SmartPortal
9 SmartPortal is a web-based management tool providing a centralized view of security
policies, network and security activity status, and administrator information. This
web-based access to SmartCenter extends the visibility of security policies to groups
outside of the IT security team and enables collaborative management of SmartCenter
administrators.
VPN-1 Edge
1 VPN-1 Pro now supports VPN-1 Edge behind NAT devices. This can be implemented by
using NAT traversal (port 4500), which encapsulates the IKE/IPsec traffic in UDP packets
between the VPN-1 Edge device and the VPN-1 Pro.
2 Enhanced VPN-1 Edge configuration in SmartDashboard, including:
time of log generation and forwarding
time at which the VPN-1 Edge device is updated with new configuration settings
content filtering (CVP and UFP)
Unrestricted mode (connections from centrally managed peers that do not undergo
access control or NAT)
3 VPN-1 Edge (with firmware 4.5 or higher) is now integrated with Eventia Reporter.
4 Excluded Services are now supported with VPN Communities that contain SofaWare
entities.
5 VPN-1 Edge Web UI can now be launched from within SmartDashboard, as follows:
Select a VPN-1 Edge object in the Objects tree, right click and choose Manage
Device in the displayed menu.
In the VPN-1 Edge object's General Properties page, click Configure Edge Using
Web Interface.
6 VPN Enhancements: VPN-1 Edge now supports different IKE methods, rules with
communities in the VPN column, Multiple Entry Point (MEP) enhancements, shared
secrets, excluded services, as well as Link selection.
7 Content filtering for VPN-1 Edge can now be centrally managed from SmartCenter.
This can be done using the Content filtering section of the VPN-1 Edge page of the
Global Properties, or the Content Filtering page of the VPN-1 Edge object. The
configuration includes specifying OPSEC UFP, CVP & SMTP servers, and determining
which Edge devices use UFP/CVP.
8 NAT rules can now be configured and installed on VPN-1 Edge gateways. NAT rules
can either be manual, by placing a VPN-1 Edge gateway in a NATed rule in the Install
On column, or automatic, by choosing a VPN-1 Edge gateway as the Install On gateway
in the network object's NAT page.
9 A High Availability (HA) deployment can now be configured for VPN-1 Edge devices
using SmartCenter. Configuring HA for VPN-1 Edge is done in the VPN page of the
VPN-1 Edge Gateway object's Properties window. Select Use Backup Gateways and
specify the (VPN-1 Edge) gateway that will function as the backup gateway.
10 A configuration script can now be added to the VPN-1 Edge object window. This
script is downloaded to the VPN-1 Edge device. It controls various features and
settings (for example, QoS settings and wireless settings).
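Item 1 above (VPN-1 Edge behind NAT devices) and the NAT-T item in the SecuRemote/SecureClient section both rely on NAT traversal on UDP port 4500, where IKE and ESP share one port. The following Python is an added example, not Check Point code, showing how a receiver or a capture-analysis tool tells the encapsulated datagrams apart as specified in RFC 3947 and RFC 3948: an IKE message is prefixed with a four-byte zero "non-ESP marker", an ESP packet begins with its non-zero SPI, and a single 0xFF byte is a NAT keepalive. The sample datagrams, the field names in the returned dictionaries and the summarize helper are the example's own constructions.

```python
import struct

# RFC 3948 (UDP encapsulation of ESP) and RFC 3947 (IKE NAT traversal): on UDP/4500
# an IKE datagram carries a 4-byte zero non-ESP marker so that a receiver can
# distinguish it from ESP, whose first 4 bytes are a non-zero SPI. A lone 0xFF
# byte is a NAT keepalive sent to hold the NAT mapping open.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
# ISAKMP header: initiator SPI(8) responder SPI(8) next payload(1) version(1)
# exchange type(1) flags(1) message ID(4) length(4)
ISAKMP_HEADER_LEN = 28
ESP_HEADER_LEN = 8  # SPI(4) sequence number(4)


def classify_udp4500_payload(payload: bytes) -> dict:
    """Classify one UDP/4500 payload as nat-keepalive, ike, esp or invalid.

    Matching the datagram on UDP port 4500 is assumed to have been done by the
    capture or socket layer; only the payload bytes are inspected here.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}

    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < ISAKMP_HEADER_LEN:
            return {"kind": "invalid", "reason": "truncated ISAKMP header"}
        (ispi, rspi, next_payload, version, exch_type,
         flags, msg_id, length) = struct.unpack("!8s8sBBBBII", ike[:ISAKMP_HEADER_LEN])
        return {
            "kind": "ike",
            "initiator_spi": ispi.hex(),
            "responder_spi": rspi.hex(),
            "next_payload": next_payload,
            "major_version": version >> 4,
            "minor_version": version & 0x0F,
            "exchange_type": exch_type,
            "flags": flags,
            "message_id": msg_id,
            "declared_length": length,
            # A length field that disagrees with the datagram is malformed or
            # truncated and is worth logging rather than silently accepting.
            "length_ok": length == len(ike),
        }

    if len(payload) < ESP_HEADER_LEN:
        return {"kind": "invalid", "reason": "too short for an ESP header"}
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    return {"kind": "esp", "spi": spi, "sequence": seq,
            "encrypted_len": len(payload) - ESP_HEADER_LEN}


def summarize(datagrams):
    """Count datagram kinds over a capture given as a list of payload byte strings."""
    counts = {}
    for p in datagrams:
        kind = classify_udp4500_payload(p)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample datagrams (not captured from a real device).
# IKEv1 Main Mode (exchange type 2) first message; only the 28-byte header is
# built, so the declared length is 28 and the responder SPI is still zero.
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!8s8sBBBBII",
    bytes.fromhex("0011223344556677"),  # initiator SPI (constructed)
    bytes(8),                           # responder SPI not yet assigned
    1,                                  # next payload: SA
    0x10,                               # version 1.0
    2,                                  # exchange type: Identity Protection
    0,                                  # flags
    0,                                  # message ID
    ISAKMP_HEADER_LEN,
)
# ESP: SPI 0x12345678, sequence 1, then 16 placeholder ciphertext bytes.
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16
SAMPLE_KEEPALIVE = NAT_KEEPALIVE

if __name__ == "__main__":
    for name, p in (("keepalive", SAMPLE_KEEPALIVE), ("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP)):
        print(name, classify_udp4500_payload(p))
    print(summarize([SAMPLE_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP, SAMPLE_ESP]))
```

The zero-marker check must come before the ESP branch: the SPI value 0 is reserved in ESP precisely so that the two cases cannot collide on the shared port. The length_ok flag is the field a monitoring rule would key on, since a mismatch between the declared and actual size is the usual sign of a truncated or tampered message.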
SmartView Monitor
1 SmartView Monitor has become a new monitoring application that combines the
functionality of the following applications:
SmartView Status
SmartView Monitor
User Monitor
In addition it has new capabilities. The GUI is an MDI (Multi-document interface)
application that allows users to see side-by-side multiple views of traffic in different
aspects.
2 It is now possible to monitor the following elements in SmartView Monitor Traffic
Monitoring:
Traffic by top or specific tunnels
Traffic by top or specific interfaces
Packet size distribution
Traffic by top individual connections
Connection direction filter
3 Tunnel Monitoring is a new feature that allows the user to view the current gateway to
gateway tunnels in the organization. The user can define filters to present specific
tunnels, as well as display tunnel state and other properties. The user can also reset a
tunnel and drill down to view its traffic.
4 SmartView Monitor now has new ways of presenting traffic monitoring:
Traffic data can now be presented in a pie graph or in a table.
After drilling down into data, a back button is now available to undo drill downs.
Exporting to HTML is now possible.
Inbound and outbound traffic can now be viewed side by side.
5 The various SmartView Status applications have been replaced with Gateway views.
SmartView Monitor now presents a table view that displays all gateways and
configurable status columns. In addition there is a detail view that allows browser-like
drill down.
Eventia Reporter
1 Eventia Reporter Add-On and Eventia Reporter Server can now be installed on a
Solaris 64-bit platform.
2 Eventia Reporter is faster than previous versions.
Report generation - a report based on 20 GB of logs can be generated in little over
an hour.
Log consolidation - the log consolidator can process 32 GB per day (without DNS).
3 Eventia Reporter now provides more flexible and meaningful report content.
Clearer Reports
Unnecessary details and sections have been removed from the reports. By default,
graphs are only created for time/date reports so as to achieve a smaller output.
Internal filters
Internal filters are displayed for better report comprehension and flexibility. A user
can now filter reports based on communication direction, firewall action, VPN-1
fields, email sender/recipient, etc.
4 Consolidator and database management controls have moved from the SmartDashboard
and are now integrated in the Reporter Client.
5 When the database grows too large, the Reporter can automatically archive or delete
the oldest records. Database maintenance can be defined in terms of database space or
record age.
6 Provider-1 now supports log-based reports.
7 Improved Security Rule support:
Rule name support: users can now tag rules with names. Names will be displayed in
reports and can be used in filters.
UUID support for rules can be used to track rule usage regardless of their location
in the Rule Base.
Rule Base Activity: the Rule Base Analysis report includes a section that shows all
rules in a policy and their usage.
Support for Rule Base policies in reports.
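Item 7's UUID support, like the Unique Rule Identifier feature in the SmartCenter section, matters because a rule's number changes whenever a rule is inserted or moved above it, while its UUID stays with the rule. The following Python is an added example, not part of Eventia Reporter or SmartView Tracker, that tallies rule usage from constructed log lines first by rule number and then by UUID, and lists installed rules that never matched. The field names (policy, rule, rule_uid, action), the UUID values and the log lines are the example's own, not Check Point's log schema.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines for this example (not Check Point's log format).
# Each line carries the installed policy name, the rule's number within that
# policy, the rule's UUID and the action. Between Standard_v1 and Standard_v2 a
# rule was inserted at the top, so the surviving rules moved down by one number
# while their UUIDs stayed the same.
SAMPLE_LOGS = """\
policy=Standard_v1 rule=3 rule_uid={a1a1a1a1-0000-0000-0000-000000000001} action=accept
policy=Standard_v1 rule=3 rule_uid={a1a1a1a1-0000-0000-0000-000000000001} action=accept
policy=Standard_v1 rule=4 rule_uid={b2b2b2b2-0000-0000-0000-000000000002} action=drop
policy=Standard_v2 rule=1 rule_uid={c3c3c3c3-0000-0000-0000-000000000003} action=accept
policy=Standard_v2 rule=4 rule_uid={a1a1a1a1-0000-0000-0000-000000000001} action=accept
policy=Standard_v2 rule=5 rule_uid={b2b2b2b2-0000-0000-0000-000000000002} action=drop
this line is not a rule match and is skipped by the parser
""".splitlines()

LINE_RE = re.compile(
    r"policy=(?P<policy>\S+)\s+rule=(?P<rule>\d+)\s+"
    r"rule_uid=\{(?P<uid>[0-9a-fA-F-]{36})\}\s+action=(?P<action>\S+)"
)


def parse_line(line):
    """Return the fields of one rule-match log line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["uid"] = rec["uid"].lower()   # normalise case so lookups never miss
    return rec


def hits_by_number(lines):
    """Counts keyed by (policy, rule number): the view that breaks across renumbering."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["policy"], rec["rule"])] += 1
    return counts


def hits_by_uid(lines):
    """Counts keyed by rule UUID: stable across policy versions and renumbering."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["uid"]] += 1
    return counts


def numbers_seen_for_uid(lines):
    """Map each UUID to the (policy, rule number) positions at which it matched."""
    positions = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            positions[rec["uid"]].add((rec["policy"], rec["rule"]))
    return positions


def unused_rules(installed_uids, lines):
    """UUIDs of installed rules with no matches: candidates to review before removal."""
    used = hits_by_uid(lines)
    return sorted(uid.lower() for uid in installed_uids if uid.lower() not in used)


if __name__ == "__main__":
    print(hits_by_number(SAMPLE_LOGS))
    print(hits_by_uid(SAMPLE_LOGS))
    print(dict(numbers_seen_for_uid(SAMPLE_LOGS)))
    print(unused_rules(["a1a1a1a1-0000-0000-0000-000000000001",
                        "d4d4d4d4-0000-0000-0000-000000000004"], SAMPLE_LOGS))
```

Keyed by number, the same rule appears as two unrelated entries (Standard_v1 rule 3 and Standard_v2 rule 4); keyed by UUID it is one rule with three hits, which is what a rule-usage or cleanup report needs.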
SmartUpdate
1 Packages can now be distributed to remote devices and then installed at a later date.
This is beneficial in a number of ways:
The risk of a loss of connectivity during installation is minimized, as the package is
delivered to the remote device before the remote install command is issued.
Upgrade performance is improved, as packages can be transferred in parallel to
multiple devices.
The process is now more efficient, as it can more easily be performed after hours,
when the load on the network is less.
Downtime due to upgrade is reduced.
2 SmartUpdate can now upgrade remote devices to versions earlier than that of the
management server. Earlier versions supported are R54, R55, R55W, and R55P, and
their respective HFAs.
3 The Upgrade All option in SmartUpdate allows Nokia platforms to be upgraded to any
IPSO OS version. To do so, the desired Nokia IPSO OS package must first be added to
the SmartUpdate Package Repository and set as the default package, followed by
selecting the Upgrade All option.
4 SmartUpdate supports an automatic revert from an unsuccessful upgrade when
upgrading SecurePlatform gateways. SmartUpdate creates the image backup before the
upgrade starts. Should the Upgrade not complete successfully, the SecurePlatform
machine will revert to the backed up image.
5 SmartUpdate supports the CPInfo utility. The CPInfo utility runs on remote gateways
and/or the SmartCenter server, and collects information about that machine into a
single text file. This text file is fetched and accessible from the GUI machine.
6 The SmartUpdate command line tool can make a snapshot of the SecurePlatform
machine. A list of currently available snapshots on a machine can be compiled and used
to revert a machine to one of the snapshots.
SmartLSM
1 When defining VPN Domain for VPN-1 Express/Pro or VPN-1 Edge ROBO
Gateways, the user should use the new Topology table available in the SmartLSM GUI
(or the parallel capabilities of LSMcli). It is possible to define the VPN Domain for
ROBO Gateway in one of the following ways:
Use the external IP address of the Gateway only
VPN Domain includes all of the networks behind the Gateway's internal interfaces
(based on topology)
VPN Domain consists of manually defined IP address ranges.
2 Controlling the settings of internal interfaces of VPN-1 Edge ROBO Gateways is now
supported from the centralized SmartLSM management. The following settings can be
controlled and enforced on the VPN-1 Edge ROBO Gateway:
Interface is enabled/disabled
Interface IP address and netmask
NAT Hide of the network behind the interface is enabled/disabled
DHCP server on the interface is enabled/disabled
Range of IP addresses distributed by the DHCP server
DHCP server serves as a relay to another external DHCP server
3 It is now possible to launch the VPN-1 Edge Portal Web GUI from the context menus
of items representing VPN-1 Edge gateways and VPN-1 Edge ROBO Gateways in the
SmartLSM main view.
SecurePlatform
Installation
1 SecurePlatform can be installed in two flavors: the regular flavor, and the
SecurePlatform Pro flavor. SecurePlatform Pro is an enhanced version of
SecurePlatform. SecurePlatform Pro adds advanced networking and management
capabilities to SecurePlatform such as:
Dynamic routing
RADIUS authentication for SecurePlatform administrators
To install SecurePlatform Pro select SecurePlatform Pro option during the installation.
To convert regular SecurePlatform to SecurePlatform Pro, from the expert mode command
line run: pro enable.
For information regarding advanced routing, see the Check Point Advanced Routing Suite
guide.
2 In this release, the SecurePlatform installation allows adding new hardware drivers for
mass storage and networking devices, during the installation phase.
3 There is a change in behavior from R55 and earlier SecurePlatform versions. When no
key is pressed after the SecurePlatform installation has begun, the installation will be
aborted, and the system boots from the hard disk.
General
4 Speed/Duplex settings of Ethernet interfaces can be controlled using the eth_set utility
in the command line, or by using the WebUI. The interface settings configured via the
WebUI, or via the command line utility, will survive reboot and become persistent.
5 The patch add command now supports scp as one of the options, allowing convenient
and secure transfer of patch files to SecurePlatform.
6 VPN-1 log files are not included in the backup operation by default.
7 The display of time zones in the command line was changed from the POSIX
convention to the commonly accepted convention. For example, for a region located
two hours to the east of the GMT region, the time zone will show GMT+2 and not
GMT-2, as in earlier versions.
8 During the installation of SecurePlatform, one interface is selected as the management
interface. The IP address of this interface cannot be set to 0.0.0.0, as this will disrupt
operation of the product. The commands sysconfig and ifconfig enforce this
limitation in this release. If a specific interface must receive the IP address 0, a different
interface must first be configured to be the management interface, and then the IP
address 0.0.0.0 can be assigned to the specific interface.
User Experience
9 Starting with this release, Netscape 7.1 is supported for use with the administration
WebUI. This allows using the WebUI from non-Windows systems.
Note - SecurePlatform Pro requires a separate license that must be installed on the
SmartCenter Server that manages the SecurePlatform Pro enforcement modules.
ClusterXL
Configuration
1 ClusterXL has a new (and optional) packet distribution scheme for Load Sharing which
is supported with the two Load Sharing modes: Multicast and Unicast. In the new
distribution scheme (called Sticky Decision Function), a connection that started on a
certain cluster member will continue to pass only through that member. The Sticky
Decision Function is not supported with Performance Pack or with an Acceleration
device.
VPN-1 Clusters
2 ClusterXL Load Sharing now supports SecureClient visitor mode and SSL extender
clients when the Sticky Decision Function is enabled.
3 Third party peers can now open VPN tunnels on ClusterXL in Load Sharing mode
with the Sticky Decision Function enabled.
4 ClusterXL Load Sharing now supports VPN routing configuration, in which both sides
of the connection are encrypted for peer gateways of third parties, such as Cisco, which
requires stickiness. This support is limited to when the Sticky Decision Function is
enabled, and requires certain additional configuration. Consult the ClusterXL guide for
more details.
Supported Features
5 Dynamic routing is now supported in SecurePlatform clusters.
6 Multicast data traffic is supported on ClusterXL in High Availability mode, and in Load
Sharing mode under certain conditions. Refer to the Release Notes for more details.
Performance Pack
1 BGE interface is now supported on Solaris.
2 SmartView Monitor is now supported by Performance Pack.
3 Dynamic Routing changes are now supported by Performance Pack on SecurePlatform.
VSX
1 SmartCenter Server can now manage the following versions of VSX:
VSX 2.0.1
VSX NG AI
VSX NG AI Release 2
2 For more information on these releases, please see the documentation at
http://www.checkpoint.com/support/technical/documents/index.html .
QoS
1 The license for QoS Express should be installed on the SmartCenter server instead of
on the Enforcement module. QoS supports licenses for 1, 3 or 5 modules. These
licenses should be added via SmartUpdate and then attached to the SmartCenter
Gateway Object.
2 QoS is now supported by and can run on the same Enforcement Module that runs Web
Intelligence.
UserAuthority
1 UserAuthority now supports outbound identity-based access control for non-TCP
connections.
2 User credentials can now be fetched using UserAuthority Servers on other SIC domains.