16 April 2012

Release Notes

R75.30

Classification: [Protected]

© 2012 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=12964

For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History

Date Description

16 April 2012 Update to Endpoint Connect compatibility table

02 April 2012 Added release of dual boot, fixed IP appliance support for Disk Based only models

14 March 2012 Added Clean Install instructions

8 March 2012 Updates to Required Disk Space

26 February 2012 Added IPSO 6.2 support for SmartWorkflow

7 February 2012 Update to installation instructions

29 January 2012 Added R75.20 to the list of Gateway versions supported by this release of management

16 January 2012 Added gateway/client compatibility

12 January 2012 Added upgrade instructions for maintaining customizations

9 January 2012 Update to Disk Space requirements, added supported appliances

5 January 2012 First release of this document

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on R75.30 Release Notes).

Contents

Important Information ............................................................................................. 3 Introduction ............................................................................................................. 5

What's New ......................................................................................................... 5 Important Solutions.............................................................................................. 5

Supported Upgrade Path ........................................................................................ 5 Compatibility with Gateways and Endpoint Clients .............................................. 6

Supported Security Products by Platform ............................................................ 7 Supported OS on Open Servers .......................................................................... 7 Supported Appliances ......................................................................................... 8 Security Gateway Software Blades ...................................................................... 9 Security Management Software Blades ..............................................................10 Clients and Consoles by Windows Platform .......................................................11

Required Disk Space ............................................................................................ 12 Console Requirements ......................................................................................... 12 Build Numbers ...................................................................................................... 13 Installing R75.30 ................................................................................................... 14

New Installation ..................................................................................................14 Cleaning IPSO Flash-Based Gateways .........................................................14 Downloading the Clean Install Package .........................................................14 Clean Install on Flash-Based with CLI ...........................................................15 Clean Install on Flash-Based with Manual Download .....................................15 Clean Install on Disk-Based with Network Voyager ........................................15 Installing the Client Applications ....................................................................16

Upgrading ...........................................................................................................17 Before You Upgrade! .....................................................................................17 Downloading the Upgrade Package ...............................................................17 Upgrading with CLI ........................................................................................18 Upgrading with CLI for IPSO Flash-Based .....................................................19 Upgrading with SmartUpdate .........................................................................20 Upgrading with the SecurePlatform Web User Interface ................................20

Troubleshooting IPS-1 Sensor ............................................................................. 21 Uninstalling ........................................................................................................... 22

Introduction

R75.30 Release Notes | 5

Introduction Thank you for updating to Check Point version R75.30. This version resolves issues for R75.20. Please read this document carefully before installing R75.30.

Important - Check Point software versions R75.10 or higher must have a valid Software Blades license. Users with NGX licenses cannot install the software. To migrate NGX licenses to Software Blades licenses, see Software Blade Migration (http://www.checkpoint.com/products/promo/software-blades/upgrade/index.html) or contact Account Services.

If you manage GX gateways from a Security Management server, you must regenerate your GX licenses in the User Center to be compliant with Software Blades. This procedure is optional for Multi-Domain Servers and Domain Management Servers.

What's New This release has numerous resolutions to known limitations of earlier releases.

Dual Boot on appliances:

Check Point appliances are preinstalled with two images: R71.40 and R75.30.

To learn how to change images on an appliance, see the relevant R75.30 Image Management Guide.

Important Solutions Check Point R75.30 Home Page - sk66283 (http://supportcontent.checkpoint.com/solutions?id=sk66283)

R75.30 Resolved Issues - sk66286 (http://supportcontent.checkpoint.com/solutions?id=sk66286)

R75.30 Known Limitations - sk66284 (http://supportcontent.checkpoint.com/solutions?id=sk66284)

Supported Upgrade Path R75.20 Security Gateways, Security Management servers, and Multi-Domain Servers can be upgraded to R75.30.

Important - If you installed any hotfix post R75.20, run the Validation utility (http://supportcontent.checkpoint.com/documentation_download?ID=13681).

Supported Upgrade Path

R75.30 Release Notes | 6

Compatibility with Gateways and Endpoint Clients R75.30 Management servers (Security Management server and Multi-Domain Server) can manage Check Point gateways and Endpoint Security clients of these versions.

Release Version

Gateways

Security Gateway NGX R65, R70, R70.1, R70.20, R70.30, R70.40, R71, R71.10, R71.20, R71.30, R75, R75.10, R75.20

DLP-1 R71 and higher

IPS-1 R71

Series 80 R71

VSX VSX NGX R65, VSX NGX R67

Connectra Centrally Managed NGX R66

UTM-1 Edge 7.5.x and above *

GX 4.0

Endpoint Clients

SecureClient up to SecureClient NGX R60 HFA 3 with support for Windows 7 32-bit

Endpoint Connect up to Endpoint Connect R73 HFA1

Endpoint Security up to R73 HFA1

*- UTM-1 Edge and Safe@ devices that use locally configured VPN connections with download configuration settings, may experience VPN connectivity failure with R75.30 Security Gateways. To enable this configuration with R75.30, see sk65369 (http://supportcontent.checkpoint.com/solutions?id=sk65369).

Supported Security Products by Platform

R75.30 Release Notes | 7

Supported Security Products by Platform

These tables show the security products related to this release and on which platforms they are supported.

Supported OS on Open Servers You can install these Check Point components on a platform that supports and is running these operating systems.

OS \ Component Security Management Server

Security Gateway Multi-Domain Security Management

SecurePlatform

MS Windows Server 2003 SP1* or SP2, on 32-bit

MS Windows Server 2008, MS Windows Server 2008 R2 SP1 or SP2

32 or 64

32-bit

MS Windows XP Professional SP3 32-bit

MS Windows 7 Professional, Enterprise, Ultimate, 32 or 64

Red Hat EL 5.0 32-bit

Red Hat EL 5.4 kernel 2.6.18, 32-bit

Crossbeam X-series

Solaris Ultra-SPARC 8, 9, 10 (on Sun M-Series)

* - For Windows 2003 SP1, you must install the hotifx specified in Microsoft KB 906469 (http://support.microsoft.com/kb/906469).

Supported Security Products by Platform

R75.30 Release Notes | 8

Supported Appliances

Platform Security Management Server

Security Gateway Multi-Domain Security Management

2200 Appliance

4000 Appliances

12000 Appliances

21400 Appliance

Smart-1 Appliances 5, 25, 50 50, 150

IP150, IP280, IP290, IP390, IP560, IP690, IP1280, IP2450

(on IPSO Disk-

Based)

(on IPSO Disk-Based or

Flash-Based*)

Power-1 Appliances

UTM-1 Appliances

* - 1G of RAM is enough to run Firewall, IPS and VPN blades only. To activate more blades, 2G of RAM is required on IP290, IP390, and IP560 flash-based appliances.

You cannot upgrade these appliances to R75.30:

Series 80

UTM-1 Edge

IPS-1 Sensor

VSX-1

DLP-1

Supported Security Products by Platform

R75.30 Release Notes | 9

Security Gateway Software Blades

Software Blade Operating System

Check Point Microsoft Crossbeam

Secure Platform

IPSO 6.2 Disk- based

IPSO 6.2 Flash- based

Windows Server 2003

Windows Server 2008

X-series

Firewall

Identity Awareness

IPSec VPN

IPS4

Mobile Access

DLP1

Application Control4

Anti-Virus & Anti-Malware

URL Filtering4

Anti-Spam & Email Security

Web Security

Advanced Networking - QOS

Advanced Networking - Dynamic Routing and Multicast Support

Acceleration & Clustering 2

2

3

Notes about Security Gateway Software Blades

1. DLP supports High-Availability clusters, including Full HA.

DLP supports Load Sharing clusters in the Detect mode.

On UTM-1 130/270, you can use DLP with Firewall and other Security Gateway software blades, or with Firewall and Security Management software blades.

The DLP portal supports these web browsers: Internet Explorer 6, 7, 8, 9; Firefox 3,4; Chrome 8; and Safari 5.

2. Only Clustering is supported on Windows. Acceleration is not supported.

3. Only third-party clustering is supported on Crossbeam.

4. HTTPS Inspection is not supported Windows.

Supported Security Products by Platform

R75.30 Release Notes | 10

Security Management Software Blades

Software Blade Operating System

Check Point Microsoft RedHat Linux

Solaris

Secure Platform

IPSO 6.2 Disk- based

Windows Server 2003

Windows Server 2008

Windows XP, 7

RHEL 5.0, 5.4

Ultra- SPARC

Network Policy Management

Endpoint Policy Management

Logging & Status

Monitoring

SmartProvisioning

Management Portal*

User Directory

SmartWorkflow

SmartEvent **

SmartReporter

* Management Portal is supported on the following Web browsers: Internet Explorer 7, and Firefox 1.5 - 3.0

** SmartEvent is supported on 32-bit only.

Supported Security Products by Platform

R75.30 Release Notes | 11

Clients and Consoles by Windows Platform

Check Point Product

XP Home (SP3) 32-bit

XP Pro (SP3) 32-bit

Server 2003 (SP1-2) 32-bit

Server 2008 (SP1-2) 32-bit

Vista (SP1) 32-bit

Vista (SP1) 64-bit

Windows 7

Ultimate & Enterprise 32-bit

Windows 7 Ultimate & Enterprise 64-bit

SmartConsole 1

2

2

SmartDomain Manager

SecureClient

Endpoint Security VPN

3

3

SSL Network Extender

3

3

DLP User Check

DLP Exchange Agent

4

4

Identity Agent 3

3

Remote Access Clients E75.x

3

3

Notes about Clients and Consoles

1. SmartConsole supports Windows Server 2008 R2.

2. SmartConsole supports Windows 7 Professional (32 and 64 bit).

3. Endpoint Security VPN, SSL Network Extender, and Identity Agent clients support all editions of Windows 7.

4. DLP Exchange Agent supports Exchange Server 2007 and Exchange Server 2010 on both Windows Server 2003 64-bit (SP1-2) and Windows Server 2008 64-bit (SP1-2). A 32-bit version is available for demo or educational purposes.

Required Disk Space

R75.30 Release Notes | 12

Required Disk Space

Note - It is safe to delete the downloaded .tgz file after it is extracted, to have more disk space for installation.

Required Disk Space for Installation on Security Management Server

Operating System Packed and Extracted .tgz File

During Installation* Final Used Disk Space

SecurePlatform/

Linux

/var - 700 MB

root - 160 MB

/opt - 745 MB

/var - 300 MB

root - 4.7 MB

/opt - 351 MB

/var - 100 MB

IPSO Disk-based

/var - 540 MB

/opt - 400 MB

/var - 100 MB

/opt - 150 MB

/var - 100 MB

Windows 630 MB 690 MB 600 MB

Solaris

/var - 300 MB

/opt - 345 MB

/var - 400 MB

/opt - 190 MB

/var - 400 MB

* During installation, the process may use additional disk space that will be released when installation ends.

Required Disk Space for Installation on Security Gateway

Operating System Packed and Extracted .tgz File

During Installation* Final Used Disk Space

SecurePlatform

/var - 1.3 GB

root - 170 MB

/opt - 700 MB

/var - 1 GB

root - 12 MB

/opt - 500 MB

/var - 700 MB

IPSO Disk-based

/var 700 MB

/opt - 345 MB

/var - 500 MB

/opt - 185 MB

/var - 400 MB

IPSO Flash-based /preserve - 295 MB /preserve - 700 MB

/opt - 20 MB

/var - 400 MB

/preserve - 6 MB

/opt - 16 MB

/var - 170 MB

Windows 590 MB 680 MB 520 MB

* During installation, the process may use additional disk space that will be released when installation ends.

Console Requirements This table shows the minimum hardware requirements for console applications: SmartDashboard, SmartView Tracker, SmartView Monitor, SmartProvisioning, SmartReporter, and SmartEvent, SecureClient Packaging Tool, SmartUpdate, and SmartDomain Manager.

Build Numbers

R75.30 Release Notes | 13

Component Windows

CPU Intel Pentium Processor E2140 or 2 GHz equivalent processor

Memory 1024MB

Available Disk Space 900MB

Video Adapter Minimum resolution: 1024 x 768

Build Numbers This table contains the R75.30 software products updated in this release and their build numbers. To confirm that the hotfix is installed, run the version command for each product. If the command returns the build number shown here, or the last three digits of the build number, the hotfix is installed.

Software Blade / Product Upgrade Clean Install Version Command*

Security Gateway 983625066 983625126 fw ver -k

Security Management 983625008 983625008 fwm ver

SmartConsole Applications

983625020 983625022 Help > About Check Point <Application Name>

Multi-Domain Server 983625022 983625022 fwm mds ver

SmartDomain Manager 983625012 983625012 Help > About Check Point SmartDomain Manager

SecurePlatform 983625007 983625023 upgrade - splat_ver

clean install - ver

* When you run the command on a CLI, it shows only the last three digits of the build number.

Installing R75.30

R75.30 Release Notes | 14

Installing R75.30

In This Section

New Installation 14

Upgrading 17

Important - Check Point software versions R75.10 or higher must have a valid Software Blades license. Users with NGX licenses cannot install the software. To migrate NGX licenses to Software Blades licenses, see Software Blade Migration (http://www.checkpoint.com/products/promo/software-blades/upgrade/index.html) or contact Account Services.

If you manage GX gateways from a Security Management server, you must regenerate your GX licenses in the User Center to be compliant with Software Blades. This procedure is optional for Multi-Domain Servers and Domain Management Servers.

New Installation R75.30 is released as:

an upgrade to version R75.20

a clean installation for IPSO Flash-based appliances, including 1GB and 2GB Flash appliances (IP29x,IP39x and IP56x)

Cleaning IPSO Flash-Based Gateways

To install on IPSO, clean the Security Gateway of Check Point installations, TGZ files, and unused IPSO images. You use Network Voyager or the command shell. (Use Voyager to delete unused IPSO images.)

To delete Check Point packages using Network Voyager:

1. Click Configuration > System Configuration > Packages > Delete Packages.

2. Select an installation package to delete, and click Apply.

3. Delete TGZ files.

4. Click Apply.

To delete Check Point packages using command shell:

1. Run: newpkg -q

The output is the list of installed packages. Use this output in the next commands.

2. Run: newpkg -u <package name>

3. Run: rm opt/packages/<tgz name>

To delete unused IPSO images using Network Voyager:

1. Click Configuration > System Configuration > Images > Manage Images.

2. Click Delete IPSO Images.

3. Select the IPSO image to delete, and click Apply.

Downloading the Clean Install Package

Download the R75.30 Full ISO package for your platform from the Check Point Support Center.

Installing R75.30

R75.30 Release Notes | 15

Platform Package

Power-1, UTM-1, 2012 Models Check_Point_R75.30_Appliance.iso

Smart-1 Appliances Check_Point_R75.30_Smart-1.iso

IPSO 6.2 Disk-based Check_Point_R75.30_IPSO6.2.tgz

IPSO 6.2 Flash-based Check_Point_R75.30_Fresh.IPSO6_2.tgz

Clean Install on Flash-Based with CLI

To install on IPSO Flash-based Security Gateway with CLI:

1. If there are installed Check Point installations, TGZ files, or unused IPSO images, clean the gateway ("Cleaning IPSO Flash-Based Gateways" on page 14).

2. Make sure there is enough free disk space for installation.

3. Download the R75.30 Fresh Install Package for IPSO 6.2 Flash-based Systems (Check_Point_R75.30_Fresh.IPSO6_2_Flash.tgz ) to /preserve/opt/packages.

4. Run: newpkg

5. Type the number (1 - 3) for the FTP server or local path where the TGZ is.

6. Enter the IP address, credentials, and pathnames when prompted.

7. Type y to download the TGZ. The file is downloaded and installation starts.

8. When prompted for installation type, type 1 to select Install this as a new package.

R75.30 is installed under /opt.

Clean Install on Flash-Based with Manual Download

To install on IPSO Flash-based Security Gateway with manual download:

1. Download the R75.30 Fresh Install Package for IPSO 6.2 Flash-based Systems (Check_Point_R75.30_Fresh.IPSO6_2_Flash.tgz).

2. Install the package:

Network Voyager - See "Installation on IPSO" in the R75.20 Installation and Upgrade Guide.

Command Line add package - Copy the file to an ftp server and run:

add package media ftp addr <ip_address> user <username> password

<password> name Check_Point_R75.30_Fresh.IPSO6_2_Flash.tgz

Clean Install on Disk-Based with Network Voyager

To install on IPSO disk-based appliances with Network Voyager:

1. Download the package: Check_Point_R75.30_IPSO6.2.tgz.

2. Put the downloaded package on an FTP site or on your local disk.

3. Log in to your appliance using Network Voyager.

4. In the Network Voyager tree, select Configuration > System Configuration > Packages > Install Package.

5. Upload the package file using one of these methods:

Upload from an FTP site:

a) In the Voyager Install Package window, select FTP.

b) Enter the name or IP address of the FTP server.

c) Enter the path to the directory on the FTP server where the packages are stored.

d) If necessary, enter the applicable user name and password.

e) Click Apply. The names of the available packages show in the Site Listing window.

Installing R75.30

R75.30 Release Notes | 16

f) Select the package .tgz file in the Site Listing window and click Apply.

g) When the <package name> downloaded to message shows, click it and then click Apply again.

Upload from a local disk:

(i) In the Voyager Install Package window, select Upload.

(ii) Click Browse and navigate to the package .tgz file.

(iii) Click Apply.

(iv) Select the package .tgz file in the Unpack Package window and click Apply.

6. Click the Click here to install/upgrade link to continue with the installation.

7. In the Package Installation and Upgrade pane, select Install and then click Apply.

8. Click the Install Package branch in the Voyager tree to see the installation progress.

9. Go to the Manage Packages page.

The R75.30 and Check Point CPInfo packages are automatically activated during installation (disk-based appliances only).

Enable other packages, with the compatibility packages, as needed for your deployment.

Important - When you install a package using Network Voyager, this message shows:

Voyager environment has been updated with the latest package

info.

The telnet session environment will be updated by:

logging out and logging in again the telnet session.

This message can be misleading. Click Manage Packages to verify that the package is actually installed correctly. Refresh the page periodically until you see that the installation is complete.

10. Log out of Network Voyager and then log in again.

Installing the Client Applications

The client applications for this release are part of the Check Point SmartConsole.

To manually install the SmartConsole:

1. Download R75.30 SmartConsole for Windows: Check_Point_SmartConsole_R75.30.Windows.exe

2. Double-click the file to install the SmartConsole.

To install the Multi-Domain Security Management SmartDomain Manager:

1. Download R75.30 SmartDomain Manager for Windows: Check_Point_R75.30_SmartDomain_Manager.Windows.exe

2. Double-click the file to install the SmartDomain Manager.

Installing R75.30

R75.30 Release Notes | 17

Upgrading

Important - If you installed any hotfix post R75.20, run the Validation utility (http://supportcontent.checkpoint.com/documentation_download?ID=13681).

We recommend that you back up your system before installing this release package. Save a manually created image before you install.

Before You Upgrade!

If you use the Mobile Access Software Blade and you edited the R75.20 configurations, make sure that you review the edits before you upgrade to R75.30.

1. Open these files and make note of your changes.

Data Path

Gateway Configurations $CVPNDIR/conf/cvpnd.C

Apache Configuration Files $CVPNDIR/conf/httpd.conf

$CVPNDIR/conf/includes/*

Local certificate authorities $CVPNDIR/var/ssl/ca-bundle/

DynamicID (SMS OTP) Local Phone List $CVPNDIR/conf/SmsPhones.lst

RSA configuration /var/ace/sdconf.rec

Any PHP files that were edited

Any image file that was replaced (*.gif, *.jpg)

2. Upgrade to R75.30.

3. Update Endpoint Compliance (SmartDashboard > Mobile Access > Endpoint Security On Demand > Update Databases Now).

4. Manually edit the new versions of the files, to include your changes.

Do not overwrite the R75.30 files with your customized files!

Downloading the Upgrade Package

Download the R75.30 upgrade package for your platform from the Check Point Support Center.

Platform R75.30 Upgrade Package Upgrade Procedure

SecurePlatform, Linux on open server

Appliances: Power-1, UTM-1, Smart-1, 21000, 12000 appliances, 40000 appliances

Check_Point_Upgrade_for_R75.30_Splat.tgz SecurePlatform

Web UI

CLI

SmartUpdate

IPSO 6.2 Disk-based

Check_Point_R75.30_Upgrade.IPSO6_2.tgz CLI

SmartUpdate

Installing R75.30

R75.30 Release Notes | 18

Platform R75.30 Upgrade Package Upgrade Procedure

IPSO 6.2 Flash-based (*) Check_Point_R75.30_Upgrade.IPSO6_2_Flash.tgz IPSO Flash-

Based CLI

SmartUpdate

Windows Check_Point_R75.30_Upgrade.Windows.tgz CLI

SmartUpdate

Solaris Check_Point_R75.30_Upgrade.Solaris.tgz CLI

* This upgrade package is only for appliances with 4GB Flash (IP69x, IP128x and IP245x). For appliances with 2GB Flash (IP29x, IP39x and IP56x), you must do a clean install.

Upgrading with CLI

You can use these instructions to install R75.30 using the CLI on open servers and IP series appliances, except for IPSO Flash-based appliances. To install on IPSO flash-based appliances, you must use the CLI instructions for IPSO flash-based appliances.

To install on Check Point appliances with SecurePlatform, use the Web User Interface or SmartUpdate.

To install on IPSO platforms, use the command line. Network Voyager is not supported.

You can safely delete the .tgz file after you extract the package (step 6).

To install R75.30 using the CLI:

1. Log onto the target machine.

2. If you are installing on SecurePlatform:

a) Run idle 120 to make sure that the installation is not interrupted by the automatic logon timeout.

b) Run expert to enter expert mode.

3. Verify that the target computer contains sufficient free disk space.

4. Create a temporary directory in the /var partition on non-Windows platforms, or in the c:\ partition on

Windows platforms.

5. Copy the upgrade package for your platform to the temporary directory using SFTP, SCP, or another secure utility.

6. Go to the temporary directory and extract the .tgz package.

On non-Windows platforms, run: gtar -zxvf <file name>

On Windows platforms, use an archive utility such as WinZip.

Important - Before installing on Multi-Domain Security Management, run mdsenv and then

mdsstop.

If this is not done, the system will experience functionality issues.

We recommend that you back up the system before installation: mds_backup

7. Start installation:

On non-Windows platforms, run: ./UnixInstallScript.

You must run this command from the /var partition.

On Windows platforms, run: Setup.exe

8. Do the instructions on the screen to install the applicable components. Only those components required for a specific target (management or gateway) are installed automatically.

When the installation finishes, each successfully installed component appears in a list followed by the word Succeeded.

9. When prompted, reboot the computer.

10. Open SmartDashboard and log in to the R75.30 Security Management server that controls the upgraded gateways.

11. Open the gateway object properties window for an upgraded gateway and change the version to R75.30.

Installing R75.30

R75.30 Release Notes | 19

12. Repeat the above steps for all management servers, log servers and gateways.

13. Install the security policy on upgraded gateways and servers.

14. Install the database on the Security Management server.

Upgrading with CLI for IPSO Flash-Based

Notes

IPSO Flash-based platforms are supported for use as Security Gateways only.

Installation using Network Voyager is not supported and may result in system instability. You must install this version using the CLI only.

Only use this upgrade procedure for appliances with 4GB Flash (IP69x, IP128x and IP245x). For appliances with 2GB Flash (IP29x, IP39x and IP56x), you must do a clean install.

Before installing on an IPSO Flash-based Appliance:

1. Delete any Check Point packages that are earlier than R75.20, and then delete any previous tgz files. You can do this using Network Voyager or using the command shell:

Using Network Voyager:

a) Choose Configuration > System Configuration > Packages > Delete Packages.

b) Select a previous installation package to delete, and click Apply.

c) Delete the any tgz files.

d) Click Apply.

Using the command shell, run:

newpkg -q

newpkg -u <previous package name>

rm opt/packages/<previous tgz name>

newpkg -q prints a list of the installed packages.

2. If there is an IPSO image on the machine that is not in use, delete it using Network Voyager:

a) Choose Configuration > System Configuration > images > Manage Images.

b) Click Delete IPSO Images.

c) Select the IPSO image to delete, and click Apply.

3. Verify that there is enough free disk space for the installation of the packages. ("Required Disk Space" on page 12)

4. The installation package must be in the /var/tmp directory.

To install and activate this version on an IPSO Flash-based Appliance:

1. Using the command shell, copy the upgrade package for IPSO Flash-based appliances to /var/tmp on

the IP Appliance through ftp.

2. Navigate to the /var/tmp directory.

3. Extract the tgz package by running:

tar -zxvf <file name>

4. Delete the tgz package by running:

rm -rf <file name>

5. Run ./UnixInstallScript

6. Follow the instructions on the screen to install the appropriate components. When prompted, stop all Check Point processes.

Only those components required for a specific target (management or gateway) are installed automatically. When the installation finishes, each successfully installed component appears in a list followed by the word 'Succeeded'.

7. When prompted, reboot the computer by pressing y.

Installing R75.30

R75.30 Release Notes | 20

Upgrading with SmartUpdate

You can use SmartUpdate to remotely install this version on Security Gateways installed on all supported platforms.

To install with SmartUpdate:

1. Install the upgrade package for your platform on the Security Management Server using the Command Line ("Upgrading with CLI" on page 18).

2. Open SmartUpdate and close SmartDashboard.

3. Click Packages > Get Data from All.

When the Operation Status of the known gateways is Done, the installed packages and their

versions are listed.

4. Open the Package Repository: Packages > View Repository.

5. Add the installation package file (*.tgz) for each required gateway platform to the Package Repository

(Packages > Add; or drag-and-drop).

Wait until the Operation Status of adding the package is Done. The packages appear in the Package Repository. This can take a few minutes.

6. Right-click the package and choose Distribute.

7. From the Distribute Package window, select the devices on which you want to install this version.

8. Click Distribute.

The installation package is distributed to and installed on the selected Security Gateways. The Security Gateways are rebooted automatically, except for those that are installed on Windows. You must manually reboot Security Gateways installed on Windows.

Note - On a Windows platform, if the gateway does not accept traffic after installing this version, re-install the policy.

Upgrading with the SecurePlatform Web User Interface

You can install R75.30 on SecurePlatform Security Gateways and Security Management open servers and appliances using the Web User Interface.

Important - Safe Upgrade is not supported from R75.20 to R75.30. Make a manual snapshot of the machine before you upgrade.

To install R75.30 using the Web User Interface:

1. Make sure all GUI applications are closed.

2. Download the upgrade package for your platform.

3. Connect to the SecurePlatform Web User Interface:

Open server: https://<IP>

Appliance: https://<IP>:4434

4. Open the Upgrade page:

Open server: Device > Upgrade

Appliance: Appliance > Upgrade

5. In the Upgrade Steps pane, browse to the downloaded file.

6. Click the Upload package button.

7. Click Start Upgrade.

At the end of the installation, the device automatically reboots.

8. Re-login to the machine.

Important - After upgrading, move the snapshot file from the Desktop to a pathname without spaces. This must be done before attempting to restore the machine.

To uninstall afterwards, revert to the snapshot manually.

Troubleshooting IPS-1 Sensor

R75.30 Release Notes | 21

Troubleshooting IPS-1 Sensor If install policy fails on an IPS-1 Sensor appliance at the Verification step, do these steps:

1. Remove profiles associated with IPS-1 sensor. For example: IPS-1_Recommended and sofa

2. Remove the IPS-1 sensor object.

3. Run: cpstop

4. Delete the FWDIR/conf/CPMIL* file.

5. Run: cpstart

6. Configure the object again.

7. Install policy.

Uninstalling

R75.30 Release Notes | 22

Uninstalling

Notes -

Uninstallation from IPSO flash-based appliances is not supported.

Uninstallation of IPS pattern granularity is not supported. After uninstall of R75.30, the patterns remain converted to protections.

To uninstall R75.30 in Security Management Server deployments:

1. Disable the IPS Event Analysis and/or SmartWorkflow Software Blades. If you already disabled them before upgrading to R75.30, you do not need to disable the Software Blades.

To do this, disable the Software Blades in the Security Management server's object.

2. On each management server and dedicated log server:

All non-Windows platforms:

Run: /opt/CPUninstall/R75.30/UnixUninstallScript

Windows platforms:

(i) Go to: C:\Program files\CheckPoint\CPUninstall\R75.30

(ii) Run: Uninstall.bat

To uninstall R75.30 in Multi-Domain Security Management deployments:

1. Disable the R75.30 from each CMA as follows:

a) Login to the Multi-Domain Security Management MDG.

b) In Versions & Blades Updates, right click and select Deactivate.

2. Run this command on each Multi-Domain Server, Domain Log Server and Multi-Domain Log Server:

/opt/CPUninstall/R75.30/UnixUninstallScript

3. Activate Software Blades that were active before the upgrade to R75.30.

Note - After uninstalling this release from a SecurePlatform machine, the command line login prompt and the Web interface Welcome screen will still display Check Point SecurePlatform R75.30 as the installed version. This is because packages related to the SecurePlatform operating system are not uninstalled during the uninstallation process. Use

the fw ver command to see the current version of your software.

To uninstall with SmartUpdate:

You can use SmartUpdate to remotely uninstall on gateways of all platforms, except IPSO.

1. Make sure SmartDashboard is closed.

2. Open SmartUpdate.

3. From the Packages menu choose Get Data From All.

4. Right-click each package with Minor_Version value of R75.30 and select Uninstall, in this order:

Security Gateway

Mobile Access (for SecurePlatform gateways, if installed)

all other Minor_Version products

Note - All packages must be uninstalled except for the SecurePlatform package that cannot be uninstalled from SecurePlatform gateways.

5. On Windows platforms, reboot manually.