CP R75.40 ReleaseNotes

3 May 2012 Release Notes R75.40 Classification: [Protected]


© 2012 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=13079

For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History

Date            Description
3 May 2012      Updated link to package ("Upgrade Package with CLI" on page 31)
30 April 2012   Updated What's New ("Operating System - Gaia" on page 7) and Upgrade Paths ("Upgrading to Gaia" on page 30)
23 April 2012   First release of this document

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (mailto:[email protected]?subject=Feedback on R75.40 Release Notes).

Contents

Important Information
Introduction
    Important Solutions
    Licensing
What's New
    Operating System - Gaia
    New Appliances
    Anti-Bot
    New Anti-Virus
    IPS
    Application Control and URL Filtering
    Data Loss Prevention
    UserCheck
    Identity Awareness
    SmartEvent
    HTTPS Inspection
    HTTP Proxy
    IPsec VPN
    SmartLog
    Enhancements
Build Numbers
System Requirements
    Check Point Appliance Naming Conventions
    Security Software Containers
        Check Point Operating Systems
        Check Point Appliances
        Other Platforms and Operating Systems
        Appliance Hardware Health Monitoring
        Dedicated Gateways
    Platform Requirements
        Gaia Requirements
        SecurePlatform
        IPSO
        Linux
        Solaris
        Microsoft Windows
        Maximum Number of Interfaces Supported by Platform
        Security Management Open Server Hardware Requirements
        Multi-Domain Security Management Requirements
        Security Gateway Open Server Hardware Requirements
        Mobile Access Blade Requirements
        SmartEvent Requirements
        SmartReporter Requirements
        Console Requirements
        UserCheck Client Requirements
        Performance Pack
    Security Management Software Blades
    Security Gateway Software Blades
    Clients and Consoles by Windows Platform
    Clients and Consoles by Mac Platform
    Check Point GO Secure Portable Workspace
Upgrade Paths and Interoperability
    Upgrading to Gaia
    Supported Management and Gateway Upgrade Paths
    Compatibility with Gateways and Clients
    IPS-1 Upgrade Paths and Interoperability
    Upgrade Package with CLI
    Updating IPS Patterns
Uninstalling

Introduction

Thank you for choosing to install Check Point version R75.40. Please read this document carefully before installing R75.40.

Important Solutions

For more about R75.40 and to download the software, go to the R75.40 Home Page (http://supportcontent.checkpoint.com/solutions?id=sk67581).

For a list of open issues, see the Known Limitations (http://supportcontent.checkpoint.com/solutions?id=sk67582).

For a list of fixes, see the Resolved Issues (http://supportcontent.checkpoint.com/solutions?id=sk67583).

Licensing

Important - Check Point software versions R75.10 or higher must have a valid Software Blades license. Users with NGX licenses cannot install the software. To migrate NGX licenses to Software Blades licenses, see Software Blade Migration (http://www.checkpoint.com/products/promo/software-blades/upgrade/index.html) or contact Account Services.

If you manage GX gateways from a Security Management server, you must regenerate your GX licenses in the User Center to be compliant with Software Blades. This procedure is optional for Multi-Domain Servers and Domain Management Servers.

IPS Software Blade License

Virtual Systems with IPS Software Blades must have a current, valid IPS contract that is renewed annually. To manage your contracts, go to your UserCenter account or contact your reseller.

Notifications that IPS service contracts are expiring show in many locations, including:

The IPS SmartDashboard window

SmartUpdate

Product reports in your Check Point UserCenter account

If your service contract has expired, IPS continues to operate using the R70 (Q1/2009) signature set. Renew your IPS service contract to download and use the current signature set.

For more about IPS contract enforcement, see sk44175 (http://supportcontent.checkpoint.com/solutions?id=sk44175).

What's New

New Terms:

These product and technology names are changed.

Name in R75.20          Name in R75.40
SmartDirectory (LDAP)   User Directory
Check Point Abra        Check Point GO

Operating System - Gaia

Gaia is Check Point's next generation operating system for security applications. In Greek mythology, Gaia is the mother of all, representing closely integrated parts to form a single, efficient system. The Gaia Operating System supports the full portfolio of Check Point Software Blades, Gateway and Security Management products.

Gaia is a single, unified network security Operating System that combines the best of Check Point's SecurePlatform operating system, and IPSO, the operating system from appliance security products. Gaia is available for all Check Point security appliances and open servers.

Designed from the ground up for modern high-end deployments, Gaia includes support for:

IPv4 and IPv6 - fully integrated into the Operating System.

High Connection Capacity - 64bit support.

Load Sharing - ClusterXL and Interface bonding.

High Availability - ClusterXL, VRRP, Interface bonding.

Dynamic and Multicast Routing - BGP, OSPF, RIP, and PIM-SM, PIM-DM, IGMP.

Easy to use Command Line Interface - Commands are structured using the same syntactic rules. An enhanced help system and auto-completion further simplify user operation.

Role Based Administration - Enables Gaia administrators to create different roles. Administrators can allow users to access features by adding those functions to the user's role definition. Each role can include a combination of administrative (read/write) access to some features, monitoring (read-only) access to other features, and no access to other features.

Simple and Easy upgrade - from IPSO and SecurePlatform.

Gaia Software Updates

Get updates for licensed Check Point products directly through the operating system.

Download and install the updates more quickly. Download automatically, manually, or periodically. Install manually or periodically.

Get email notifications for newly available updates and for downloads and installations.

Easy rollback from new update.

Gaia Web User Interface

The Gaia WebUI is an advanced, web-based interface for configuring Gaia platforms. Almost all system configuration tasks can be done through this Web-based interface.

Easy Access - Simply go to https://<Device IP Address>.

Browser Support - Internet Explorer, Firefox, Chrome and Safari.


Powerful Search Engine - makes it easy to find features or functionality to configure.

Easy Operation - Two operating modes. 1) Simplified mode shows only basic configuration options. 2) Advanced mode shows all configuration options. You can easily change modes.

Web-Based Access to Command Line - Clientless access to the Gaia CLI directly from your browser.

New Appliances

New Check Point appliances support R75.40:

21400 Appliance

12000 Appliances

4000 Appliances

2200 Appliances

Anti-Bot

Check Point Anti-Bot prevents damage and blocks bot communication between infected hosts and a remote operator.

The Anti-Bot Software Blade:

Uses the multi-layered ThreatSpect engine to analyze network traffic and identify bot infected machines in the organization.

Uses ThreatCloud repository Real-Time security intelligence to identify bot infections based on millions of bot command and control IP/DNS/URL addresses and bot initiated spam outbreaks.

Uses different views and reports to provide threat visibility for the organization and help assess damages and decide on corrective actions.

Integrates with other Software Blades for a unique Anti-Bot and Anti-Malware solution on a Security Gateway.

New Anti-Virus

Check Point Anti-Virus provides superior Anti-Virus protection against modern malware, multiple attack vectors and threats.

The Anti-Virus Software Blade:

Offers powerful security coverage by supporting millions of signatures.

Leverages the Check Point ThreatCloud repository to identify and block incoming malicious files (such as exe, doc, xls, pdf) from entering the organization.

Prevents web-based malware download from sites known to contain malware.

Uses different views and reports to provide threat visibility for the organization and help assess damages and decide on corrective actions.

Consolidated Anti-Bot and Anti-Virus approach for dealing with malware threats (including policy setting, event analysis, and malware reports).

Uses a separate policy installation (together with the Anti-Bot Software Blade) to minimize risk and operational impact.

IPS

Significant reduction (about 90%) of false positives of non-compliant HTTP and TCP-streaming protections and of redundant logs.

Increase pattern granularity - Header rejection, Http worm catcher and Cifs worm catcher patterns were converted into separate protections, giving more granularity in their settings. This feature is installed during the first IPS update process (online update, offline update or scheduled update).

Implied exceptions - Built-in exceptions to allow Check Point products trusted traffic.

New tool to control IPS functionality from the gateway through CLI

Improved TCP streaming infrastructure

Enhanced HTTP and Web Sockets protection

Improved TAP mode support

Granular TCP logging

New GEO database with additional countries and significantly improved accuracy

Application Control and URL Filtering

Use the Limit action in rules to limit the bandwidth permitted for a rule.

Add a Time object to a rule to make the rule active only during specified times.

The UserCheck client adds the option to send notifications for applications that are not in a web browser, such as Skype or iTunes.

New UserCheck features ("UserCheck" on page 10): Cancel button on messages and UserCheck Frequency.

If traffic is not detected by other applications, it is declared an unknown application. This lets you block all unknown traffic and better handle known traffic.

Data Loss Prevention

Watermarking: Add visible and hidden marks to Microsoft Office documents when they are sent as email attachments (outgoing and internal emails).

Visible Watermarks alert users to sensitive document content when viewed or printed. Examples:

Add customized text footer to PowerPoint slides: "Highly Restricted, sent by John Smith on 7/7/11".

Add a large diagonal "Classified" visible watermark on the first page of Word documents that match a DLP rule.

Hidden Watermarks are encrypted and let DLP tag documents without affecting format.

Does not change the visible document layout.

The tag can be identified in DLP scans.

The tag can be used for forensic analysis to track leaked documents.

Improved Privacy Options:

Can choose to not store original messages with the DLP incident.

Send the original email to the data owner.

Easy to view HTML-based messages include highlighted matched content and masked credit card numbers.

Time Object:

Limit rules to certain times of the day, day of week or day of month.

Stop DLP rules on set date, when the data is no longer sensitive (for example, after financial data is publicly released).

Improved Compliance and Matching:

Easily view and quickly apply multiple compliance-related rules.

Improved template matching identifies files by text and by embedded images (for example, upload company logo to match documents using the company template with that logo embedded).


New Message Attributes data type to match based on overall message size, number of attachments, and number of words.

UserCheck

In Application and URL Filtering, UserCheck Frequency lets you set the number of times that users get UserCheck messages for accessing applications that are not permitted by the policy. You can also set the notifications to be based on accessing the rule, application category, or the application itself.

UserCheck Scoping enhances notifications to match not only by rule, but also by category and site in the Application Control Rule Base.

A dedicated UserCheck agent on the endpoint gives users notifications and options, according to your rules, when their user actions match DLP or Application and URL Filtering rules.

If you don't need users to enter their reason for wanting to do an action that is caught by DLP or Application and URL Filtering rules, you can disable this requirement. See the UserCheck Interaction window > Conditions.

Cancel button added to the Inform and Ask web pages, to stop loading a requested page or to stop an email in progress.

UserCheck Revoke Page lets you delete (revoke) all UserCheck entries when you access the Revoke Page (https://<UserCheck Portal URL>/RevokePage).

Identity Awareness

New Identity acquisition methods:

Terminal Servers / Citrix communicate with the gateway through one IP address, but are used to host multiple users. The gateway identifies the originating user behind connections from these multi-user hosts.

Transparent Portal Authentication redirects an unauthenticated user to a URL, for authentication (using Kerberos SSO) and then redirects the user back to the originally requested URL. If the transparent authentication fails, the user is redirected to the Captive Portal for manual authentication. The new Browser-Based Authentication lets you configure Captive Portal and Transparent Portal Authentication for Identity Awareness.

SSO with Remote Access Clients integrates the Mobile Access blade with the Identity Awareness blade. It adds identity data for VPN client users (coming from E75.x clients, E80.x clients, SecureClient, SSL Network Extender, and so on).

Identity Agent for Mac OS (10.6 and 10.7) on 32-bit and 64-bit. It can be downloaded from the Identity Awareness Captive Portal.

Nested Groups are enforced by the Identity Awareness blade. You can set a parent group as an Access Role in a rule, and it applies to all users in the sub groups.

SmartEvent

Reports:

Enhanced Reports tab, for richer management functionality of SmartEvent reports and ease of use.

Get reports in PDF format.

New layout for Anti-Malware reports.

Anti-Malware:

Enhanced overall support for Anti-Malware.

SmartEvent Intro for Anti-Malware.

Usability and Performance Enhancements:

Summary view of Grouped Events, for Application Control and Anti-Malware events.


Easy to activate SmartEvent on a standalone environment - no configuration needed, just activate the Software Blade on the Security Management Server properties.

Enhanced SmartEvent performance: support for 2 Million events per day (8,000 to 15,000 users behind Application Control and URL Filtering).

HTTPS Inspection

Support for HTTPS Inspection on inbound traffic.

Automatic update for Trusted CA list.

HTTP Proxy

You can configure a Security Gateway to be an HTTP/HTTPS web proxy, in transparent or non-transparent mode.

IPsec VPN

Support for Suite-B GCM encryption. See RFC 6379 for more information.

SmartLog

New SmartLog for full-text, ultra-fast search over billions of log records.

SmartLog is a next generation solution for managing logs generated by Check Point Security Gateways. This solution is designed to answer the challenges of storing, searching and filtering logs in modern environments with continually increasing log volume.

Enhancements

General

Configure Multi Portal access through VPN clients (connected with Office Mode), to protect your portals from external network exposure. This new option applies to all portals: Mobile Access Portal, UserCenter Portal, Identity Awareness Captive Portal, Platform Portal, and DLP Portal.

SmartProvisioning supports Security Gateway 80 appliances.

Performance

NAT and log templates in SecureXL

IPv6 acceleration, MultiCore and ClusterXL HA support on Gaia and SecurePlatform.

Accelerated Drop Rules, explained in sk67861 (http://supportcontent.checkpoint.com/solutions?id=sk67861).

Licensing

R75.40 management servers do not need IPv6 licenses.

Gaia can automatically attach licenses for Security Gateways and management servers.

SmartConsole

Hit count - shows number of instances a rule in the Application Control or Firewall Rule Bases was matched to traffic.

Improved performance and easier installation of SmartConsole.

Build Numbers

This table shows the R75.40 software products and their build numbers as included on the product DVD. To verify each product build number, use the show command syntax or do the steps in the GUI.

Software Blade / Product          Build Number              Verifying Build Number*
Gaia OS                           build 338                 show version all
SecurePlatform                    986000069                 ver
Security Gateway                  986000275 Windows - 274   fw ver
Security Management               986000064                 fwm ver
SmartConsole Applications         986000375                 Help > About Check Point <Application name>
Mobile Access                     986000128                 cvpn_ver
Multi-Domain Server               986000210                 fwm mds ver
SmartDomain Manager               986000229                 Help > About Check Point Multi-Domain Security Management
Acceleration (Performance Pack)   986000044                 sim ver -k
Advanced Networking (Routing)     986000010 Gaia - 056      SecurePlatform: gated_ver
                                                            Gaia: rpm -qf /bin/routed
Server Monitoring (SVM Server)    986000010                 rtm ver
Management Portal                 986000016                 cpvinfo /opt/CPportal-R75.40/portal/bin/smartportalstart
SmartReporter                     986000227                 SVRServer ver

Compatibility Packages**
CPNGXCMP-R75.40-00                020                       /opt/CPNGXCMP-R75.40/bin/fw_loader ver
CPV40Cmp-R75.40-00                976121001                 cpvinfo /opt/CPV40Cmp-R75.40/bin/fw_loader | grep Build
CPEdgecmp-R75.40-00               986000003                 /opt/CPEdgecmp-R75.40/bin/fw ver
CPR71CMP-R75.40-00                001                       /opt/CPR71CMP-R75.40/bin/fw_loader ver
CPR75CMP-R75.40-00                001                       /opt/CPR75CMP-R75.40/bin/fw_loader ver
CPSG80CMP-R75.40-00               029                       /opt/CPSG80CMP-R75.40/bin/fw_loader ver
CPR7520CMP-R75.40-00              003                       /opt/CPR7520CMP-R75.40/bin/fw_loader ver
CPCON66CMP-R75.40-00              Build 004                 /opt/CPCON66CMP-R75.40/bin/fw_loader ver

* Some of the commands to see the installed build show only the last three digits of the build number.

** To see build numbers on Windows, look at C:\Program Files\CheckPoint\R75.40 instead of /opt/../R75.40

System Requirements

Important - Resource consumption is dependent on the scale of your deployment. The larger the deployment, the more disk space, memory, and CPU are required.

In This Section

Check Point Appliance Naming Conventions

Security Software Containers

Platform Requirements

Security Management Software Blades

Security Gateway Software Blades

Clients and Consoles by Windows Platform

Clients and Consoles by Mac Platform

Check Point GO Secure Portable Workspace

Check Point Appliance Naming Conventions

An appliance model name that ends with 00 (two zeros) is the generic name of the model. Any other number shows the number of Software Blades on the appliance. Some model names end with one zero.

This document uses the generic appliance names.

For example:

Check Point 4800 is the generic name of the model.

Check Point 4810 is the model with 10 Software Blades.

Check Point IP2450 is the generic name of the model.

Check Point IP2457 has 7 Software Blades.

Security Software Containers

Management servers and gateways are supported on these operating systems and platforms.

Check Point Operating Systems

Software Blade Containers   Gaia   SecurePlatform   IPSO Disk-based   IPSO Flash-based

Security Management

Security Gateway *

Multi-Domain Security Management

* On Flash-based Appliances, 1G of RAM is enough to run Firewall, IPS and VPN blades only. To activate more blades, 2G of RAM is required on IP290, IP390, and IP560 flash-based appliances.

Check Point Appliances

Appliance Security Management Security Gateway Multi-Domain Security Management

2200 Appliance

4000 Appliances

12000 Appliances

21400 Appliance

IP Appliances (IP150, IP280, IP290, IP390, IP560, IP690, IP1280, IP2450)

Smart-1 5

Smart-1 25

Smart-1 50

Smart-1 150

Power-1

UTM-1

IP Appliance platforms are available in disk-based, diskless flash-based and hybrid (flash-based systems with a supplemental hard disk for local logging, swap space and core file storage) configurations.


Other Platforms and Operating Systems

                            Microsoft        Microsoft   Red Hat Linux   Crossbeam   Solaris
Software Blade Containers   Windows Server   Windows     RHEL            X-series    Ultra-SPARC
                            2003, 2008       XP, 7       5.0, 5.4                    8, 9, 10

Security Management (1)

Security Gateway

Multi-Domain Security Management (2)

1. Security Management Server supports Windows Server 2008 R2.

2. We recommend that you install Multi-Domain Security Management on Sun M-Series servers. Sun T-Series servers are not supported.

Operating System Versions

The versions of the Microsoft and RedHat operating systems that are listed in the Security Software Containers table are:

Operating System Editions Service Pack 32 or 64-bit

Microsoft

Windows XP Professional SP3 32-bit

Windows 2003 Server N/A SP1 (1), SP2 32-bit

Windows 2008 Server N/A SP1, SP2 32-bit, 64-bit (2)

Windows 7 Professional, Enterprise, Ultimate N/A 32-bit, 64-bit

RedHat

RHEL 5.0 N/A 32-bit

RHEL 5.4 kernel 2.6.18 N/A 32-bit

Notes -

1. For Windows 2003 SP1, you must install the hotfix specified in Microsoft KB 906469 (http://support.microsoft.com/kb/906469).

2. Windows 2008 Server 64-bit is supported for Security Management only.


Appliance Hardware Health Monitoring

SecurePlatform supports these Hardware Health Monitoring features:

RAID health: Monitor the health of the disks in the RAID array, and be notified of the states of the volumes and disks. The information is available via SNMP.

Sensors: Monitor fan speed, motherboard voltages and temperatures on the hardware. The information is available via SNMP and, for Check Point appliances, also via the SecurePlatform Web interface.

Check Point Appliances

21000 12000 4000 and 2200 Power-1 UTM-1 Smart-1

Hardware sensors monitoring with SNMP (polling and traps) (1)

Hardware sensors monitoring with the WebUI (polling and traps) (1)

RAID monitoring with SNMP (3)

Open Servers

IBM HP Dell Sun

Hardware sensors monitoring with SNMP (polling and traps) (2) (2) (2) (2)

Hardware sensors monitoring with the WebUI (polling and traps)

RAID monitoring with SNMP (4)

Notes

1. Hardware sensors monitoring is supported on all UTM-1 models except the xx50 series.

2. Hardware sensors monitoring for open servers is supported on certified servers with an Intelligent Platform Management Interface (IPMI) card installed. The IPMI specification defines a set of common interfaces to a computer system, which system administrators can use to monitor system health.

3. RAID Monitoring with SNMP is supported on Power-1 servers with RAID card installed (Power-1 9070 and Power-1 11070).

4. RAID Monitoring with SNMP on HP servers is supported with a P400 RAID controller.

Dedicated Gateways

To install R75.40 on an R71 DLP-1 appliance or an R71 DLP open server, do a clean installation of R75.40.

Note - To upgrade from DLP-1 9571 of version R71.x DLP, you must upgrade the BIOS. Then do a clean installation of R75.40. See sk62903 (http://supportcontent.checkpoint.com/solutions?id=sk62903) for details.

You cannot upgrade these dedicated gateways to R75.40:

Open Server - IPS-1 Sensor, VSX

Appliances - Security Gateway 80, UTM-1 Edge, IPS-1 Sensor, VSX-1


Platform Requirements

In This Section

Gaia Requirements

SecurePlatform

IPSO

Linux

Solaris

Microsoft Windows

Maximum Number of Interfaces Supported by Platform

Security Management Open Server Hardware Requirements

Multi-Domain Security Management Requirements

Security Gateway Open Server Hardware Requirements

Mobile Access Blade Requirements

SmartEvent Requirements

SmartReporter Requirements

Console Requirements

UserCheck Client Requirements

Performance Pack

Gaia Requirements

This release is shipped with the new Gaia operating system, which supports most Check Point appliance platforms, selected open servers, and selected network interface cards.

If your open server has 6GB RAM or less, it can run in 32-bit mode only. You can run 64-bit compatible open servers with over 6GB RAM in 64-bit mode.

Gaia Open Servers - All open servers in the Hardware Compatibility List are supported (http://www.checkpoint.com/services/techsupport/hcl/all.html).

Gaia and Performance Pack - Performance Pack is supported on all Gaia platforms.


Gaia on Check Point Security Appliances

Appliances 32-bit / 64-bit*

2200 32

4200 32

4600 32

4800 32, 64

12200 32, 64

12400 32, 64

12600 32, 64

21400 32, 64

* 64-bit is available with over 6GB RAM.

Gaia on IP Appliances

Important - Gaia is not supported on Flash-Based or Hybrid platforms at this time.

These configurations are supported:

IP Appliance Disk Based Platform 32-bit / 64-bit*

IP150 32

IP280 32

IP290 32

IP390 32

IP560 32

IP690 32

IP1280 32, 64

IP2450 32, 64

* 64-bit is available on appliances with over 6GB RAM. The basic configuration for IP appliances includes 4GB of RAM.

Gaia on Power-1, UTM-1 and Smart-1 Appliances

Platform 32-bit / 64-bit

Power-1 11000 32, 64 (default is 64)

Power-1 9070 32

Power-1 5070 32

UTM-1 3070 32

UTM-1 2070 32

UTM-1 1070 32

UTM-1 570 32

UTM-1 270 32

UTM-1 130 32

Smart-1 5 32

Smart-1 25 32

Smart-1 50 * 32

Smart-1 150 * 32

* Not supported for Multi-Domain Security Management.

Gaia WebUI

The Gaia WebUI (also known as the Gaia Portal) is supported on these browsers:

Internet Explorer 8 or higher

Firefox 6 or higher

Chrome 14 or higher

Safari 5 or higher

SecurePlatform

This release is shipped with the latest SecurePlatform operating system, which supports a variety of appliances and open servers.

See the list of certified hardware (http://www.checkpoint.com/services/techsupport/hcl/index.html) before installing SecurePlatform on the target hardware.

IPSO

Only clean installation of R75.40 is supported on IPSO flash-based models:

IP290

IP390

IP560

Features: Advanced Routing and SecureXL are included by default. Clustering on IPSO supports VRRP and IP Clustering. All currently available IPSO platform types (Disk-based, Flash-based, and Hybrid) are supported. You can select 32-bit or 64-bit in the Boot Manager for IP appliances.

Limitations: You cannot manage UTM-1 Edge devices from a Security Management server on an IPSO platform. R75.40 on IPSO flash-based models requires 2GB RAM. (Note - This is more required disk space than that required by versions before R75.20.)

Linux

Note - Cross-platform High Availability is supported if all of the platforms are SecurePlatform, Linux, or Solaris. It is not supported with a mix of Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).

Before you install Security Management on Red Hat Enterprise Linux 5:

1. Install the sharutils-4.6.1-2 package.

a) Make sure that you have the sharutils-4.6.1-2 package installed by running: rpm -qa | grep sharutils-4.6.1-2

b) If the package is not already installed, install it by running: rpm -i sharutils-4.6.1-2.i386.rpm

This package can be found on CD 3 of RHEL 5.

2. Install the compat-libstdc++-33-3.2.3-61 package.

a) Make sure that you have the compat-libstdc++-33-3.2.3-61 package by running: rpm -qa | grep compat-libstdc++-33-3.2.3-61

b) If the package is not already installed, install it by running: rpm -i compat-libstdc++-33-3.2.3-61.i386.rpm

This package can be found on CD 2 of RHEL 5.

3. Disable SELinux.

a) Make sure that SELinux is disabled by running: getenforce

b) If SELinux is enabled, disable it by setting SELINUX=disabled in the /etc/selinux/config file and rebooting the computer.
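A preflight check for the three steps above, as an added example (not Check Point's own script). The function names and sample inputs are constructed for illustration. It matches packages as fixed strings, because the unanchored grep in steps 1 and 2 would also accept a release such as 20, and it reports the SELinux runtime state together with the configured one, because the config file change applies only after the reboot.

```shell
# Added example: preflight for the three RHEL 5 prerequisites in the steps above.
# Every check takes its input as an argument so it can be exercised offline.
REQUIRED_PKGS="sharutils-4.6.1-2 compat-libstdc++-33-3.2.3-61"

# Constructed sample inputs (not captured from a real host).
SAMPLE_RPM_QA='sharutils-4.6.1-20
compat-libstdc++-33-3.2.3-61
bash-3.2-32.el5'
SAMPLE_SELINUX_CONFIG='# SELINUX= can take one of these three values:
SELINUX=disabled
SELINUXTYPE=targeted'

# pkg_installed LISTING NAME-VERSION-RELEASE
# LISTING is `rpm -qa` output (assumed form: name-version-release, optionally
# followed by ".arch"). The match is a fixed string anchored at the start of
# the line, so "." and "+" are literal and release "2" does not match "20".
pkg_installed() {
    printf '%s\n' "$1" | awk -v want="$2" '
        index($0, want) == 1 {
            rest = substr($0, length(want) + 1)
            if (rest == "" || substr(rest, 1, 1) == ".") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# selinux_configured CONFIG_TEXT: print the SELINUX= value, lower-cased.
selinux_configured() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# selinux_status RUNTIME CONFIG_TEXT (RUNTIME is the output of getenforce)
selinux_status() {
    runtime=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    configured=$(selinux_configured "$2")
    if [ "$runtime" = "disabled" ] && [ "$configured" = "disabled" ]; then
        echo ok
    elif [ "$configured" = "disabled" ]; then
        echo reboot-pending      # file edited, SELinux still loaded
    elif [ "$runtime" = "disabled" ]; then
        echo config-mismatch     # off now, back on at next boot
    else
        echo enabled
    fi
}

# preflight LISTING RUNTIME CONFIG_TEXT: one line per check, status 0 if all pass.
preflight() {
    rc=0
    for pkg in $REQUIRED_PKGS; do
        if pkg_installed "$1" "$pkg"; then
            echo "ok       $pkg"
        else
            echo "MISSING  $pkg"; rc=1
        fi
    done
    state=$(selinux_status "$2" "$3")
    echo "selinux  $state"
    [ "$state" = "ok" ] || rc=1
    return "$rc"
}

# On the target host: sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    preflight "$(rpm -qa)" "$(getenforce)" "$(cat /etc/selinux/config)"
fi
```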

Solaris

Security Management Server and Multi-Domain Security Management are supported with Solaris running on UltraSPARC 64-bit platforms. See Management Products by Platform.

Note - Cross-platform High Availability is supported if all of the platforms are SecurePlatform, Linux, or Solaris. It is not supported with a mix of Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).

Required Packages

SUNWlibC

SUNWlibCx (except Solaris 10)

SUNWter

SUNWadmc

SUNWadmfw

Required Patches

The patches listed below are required to run Check Point software on Solaris platforms. They can be downloaded from: http://sunsolve.sun.com.

To display your current patch level, use the command: showrev -p | grep <patch number>

Platform Required Recommended Notes

Solaris 8

108528-18 109147-40 or higher If the patches 108528-17 and 113652-01 are installed, remove 113652-01, and then install 108528-18.

110380-03

109147-18

109326-07

108434-01 Required only for 32 bit systems

108435-01 Required only for 64 bit systems

Solaris 9

112233-12 112963-25 or higher

112902-07

116561-03 Only if dmfe(7D) Ethernet driver is defined on the machine

Solaris 10 117461-08 or higher

Multi-Domain Security Management is not supported on Sun T-Series servers.

Microsoft Windows

High Availability Legacy mode is not supported on Windows.

Note - Cross-platform High Availability is supported if all of the platforms are SecurePlatform, Linux, or Solaris. It is not supported with a mix of Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).

Maximum Number of Interfaces Supported by Platform

The maximum number of interfaces supported (physical and virtual) is shown by platform in this table.

Platform | Max Number of Interfaces | Notes
Gaia | 1024 |
SecurePlatform | 1015 | 1. SecurePlatform supports 255 virtual interfaces per physical interface. 2. When using Dynamic Routing on SecurePlatform, 200 virtual interfaces per physical interface are supported.
IPSO | 1024 |
Windows | 32 |

Security Management Open Server Hardware Requirements

Component | Windows | Linux | SecurePlatform on Open Servers | Solaris
Processor | Intel Pentium Processor E2140 or 2 GHz equivalent processor | Intel Pentium Processor E2140 or 2 GHz equivalent processor | Intel Pentium Processor E2140 or 2 GHz equivalent processor | Sun UltraSPARC IV and higher
Free Disk Space | 1GB | 1.4GB | 10GB (installation includes OS) | 1GB
Memory | 1GB | 1GB | 1GB | 512MB
Optical Drive | Yes | Yes | Yes (bootable) | Yes
Network Adapter | One or more | One or more | One or more | One or more

Multi-Domain Security Management Requirements

The minimum recommended system requirements for Multi-Domain Security Management are:

Component | Linux | Solaris | SecurePlatform
CPU | Intel Pentium Processor E2140 or 2 GHz equivalent processor | UltraSPARC III 900MHz | Intel Pentium Processor E2140 or 2 GHz equivalent processor
Memory | 4GB | 4GB | 4GB
Disk Space | 2GB | 2GB | 10GB (install includes OS)
Optical Drive | Yes | Yes | Yes (bootable)

Important - We recommend that you install Multi-Domain Security Management on Sun M-Series servers. Sun T-Series servers are not supported.

Multi-Domain Security Management Resource Consumption

Resource consumption is dependent on the scale of your deployment. The larger the deployment, the more disk space, memory, and CPU are required.

The Multi-Domain Security Management disk space requirements are:

For basic Multi-Domain Server installations: 2GB (1GB /opt, 1GB /var/opt).

For each Domain Management Server: 400MB (for the Domain Management Server directory located in /var/opt)

Security Gateway Open Server Hardware Requirements

Component | Windows | SecurePlatform on Open Servers
Processor | Intel Pentium IV or 1.5 GHz equivalent | Intel Pentium IV or 2 GHz equivalent
Free Disk Space | 1GB | 10GB
Memory | 512MB | 512MB
Optical Drive | Yes | Yes
Network Adapter | One or more | One or more supported cards

Mobile Access Blade Requirements

Endpoint Operating System Compatibility

Feature Windows Linux Mac iOS Android

Mobile Access Portal

Clientless access to web applications (Link Translation)

Endpoint Security on Demand

SecureWorkspace

SSL Network Extender - Network Mode

SSL Network Extender - Application Mode

Downloaded from Mobile Access applications

Clientless Citrix

File Shares - Windows File Explorer viewer (WebDAV)

File Shares - Web-based file viewer (HTML)

Web mail

Endpoint Browser Compatibility

Feature Internet Explorer

Google Chrome

Mozilla Firefox

Macintosh Safari

Opera for Windows

Mobile Access Portal

Clientless access to web applications (Link Translation)

Endpoint Security on Demand

SecureWorkspace

SSL Network Extender - Network Mode

SSL Network Extender - Application Mode

Downloaded from Mobile Access applications

Clientless Citrix

File Shares - Windows File Explorer viewer (WebDAV)

IE6 only

File Shares - Web-based file viewer (HTML)

Web mail

SmartEvent Requirements

You can install SmartEvent on a Security Management Server or on a different, dedicated computer.

Component Windows/Linux/SecurePlatform

CPU Intel Pentium IV 2.8 GHz

Memory 4GB

Disk Space 25GB

SmartEvent is not supported on Solaris platforms.

To optimize SmartEvent performance:

Use a disk with high RPM and a large buffer size.

Increase the server memory.

SmartReporter Requirements

These hardware requirements are for a SmartReporter server that monitors at least 15GB of logs each day and generates many reports. For deployments that monitor fewer logs, you can use a computer with less CPU or memory.

SmartReporter can be installed on a Security Management Server or on a dedicated machine.

Component | Windows & Linux Minimum | Windows & Linux Recommended | Solaris
CPU | Intel Pentium IV 2.0 GHz | Dual CPU 3.0 GHz | UltraSPARC III 900 MHz
Memory | 1GB | 2GB | 1GB

Disk Space Installation:

Database:

80MB

60GB (40GB for database, 20GB for temp directory)

(on 2 physical disks)

80MB

100GB (60GB for database, 40GB for temp directory)

80MB

60GB (40GB for database, 20GB for temp directory)

DVD Drive Yes Yes Yes

Important - We recommend that you install Multi-Domain Security Management on Sun M-Series servers. Sun T-Series servers are not supported.

Optimizing SmartReporter Performance

We recommend these tips to optimize SmartReporter performance:

Disable DNS resolution. This can increase consolidation performance to as much as 32GB of logs for each day.

Configure the network connection between the SmartReporter server and the Security Management server to the optimal speed.

Install a disk with high RPM (revolutions per minute) and a large buffer size.

Use UpdateMySQLConfig to adjust the database configuration and adjust the consolidation memory buffers to use more memory.

Increase memory for better performance.

Console Requirements

This table shows the minimum hardware requirements for console applications: SmartDashboard, SmartView Tracker, SmartView Monitor, SmartProvisioning, SmartReporter, SmartEvent, SecureClient Packaging Tool, SmartUpdate, and SmartDomain Manager.

Component Windows

CPU Intel Pentium Processor E2140 or 2 GHz equivalent processor

Memory 1024MB

Available Disk Space 900MB

Video Adapter Minimum resolution: 1024 x 768

UserCheck Client Requirements

The UserCheck client can be installed on endpoint computers running Windows.

UserCheck for DLP client notifications are supported on Gaia and SecurePlatform gateways.

UserCheck for Application and URL Filtering client notifications are supported on SecurePlatform, IPSO, and Gaia gateways.

The UserCheck client is not compatible with Check Point GO or Secure Workspace.

If a UserCheck client is installed on a machine and a violation occurs, the UserCheck client notification shows outside the Check Point GO or Secure Workspace environment. We recommend that you not install the UserCheck client on a machine that usually runs the Check Point GO or Secure Workspace environment.

The UserCheck client is not supported on clusters in a load sharing environment.

Performance Pack

Performance Pack is supported on:

Check Point UTM-1 and Power-1 appliances.

Open servers that meet requirements and have valid licenses.

Security Management Software Blades

Software Blade Operating System

Check Point Microsoft Windows RedHat Linux

Solaris

Gaia Secure Platform

IPSO 6.2 Disk-based

Server 2003

Server 2008

XP, 7 RHEL 5.0, 5.4

UltraSPARC

Network Policy Management

Logging & Status

Monitoring

SmartProvisioning

Management Portal *

User Directory

SmartWorkflow

SmartEvent **

SmartReporter

* Management Portal is supported on: Internet Explorer 7 and Firefox 1.5 - 3.0

** SmartEvent is supported on 32-bit only.

Security Gateway Software Blades

Software Blade

Check Point Operating System Microsoft Windows

Crossbeam

Gaia SecurePlatform

IPSO 6.2 Disk-based

IPSO 6.2 Flash-based

Server 2003

Server 2008

X-series

Firewall

Identity Awareness

IPSec VPN

IPS

Mobile Access

DLP

Application Control (note 4)

URL Filtering

Anti-Bot & Anti-Virus Anti-Bot

Anti-Spam & Email Security

Web Security

Advanced Networking - QOS

Advanced Networking - Dynamic Routing and Multicast Support

Acceleration & Clustering

Notes about Security Gateway Software Blades

1. DLP supports High-Availability clusters, including Full HA, on SecurePlatform and Gaia.

DLP supports Load Sharing clusters in the Detect mode.

On UTM-1 130/270, you can use DLP with Firewall and other Security Gateway software blades, or with Firewall and Security Management software blades.

The DLP portal supports Internet Explorer 6, 7, 8, 9; Firefox 3, 4; Chrome 8; and Safari 5.

DLP does not support VRRP on Gaia.

2. Only Clustering is supported on Windows. Acceleration is not supported.

3. Only third-party clustering is supported on Crossbeam.

4. HTTPS Inspection is not supported on Windows.

Clients and Consoles by Windows Platform

Check Point Product

XP Home (SP3) 32-bit

XP Pro (SP3) 32-bit

Server 2003 (SP2) 32-bit

Server 2008 (SP1-2) 32 / 64

Server 2008R2 (+SP1)

Vista (SP2) 32-bit

Vista (SP1) 64-bit

Windows 7

Ult, Pro, Ent

(+SP1)

32 / 64

SmartConsole

SmartDomain Manager

SecureClient

(32-bit only)

Endpoint Security VPN

Remote Access Clients E75.x

SSL Network Extender

DLP UserCheck

DLP Exchange Agent

*

*

Identity Agent

* DLP Exchange Agent supports Exchange Server 2007 and Exchange Server 2010 on Windows Server 2003 64-bit (SP1-2) and Windows Server 2008 64-bit (SP1-2). A 32-bit version is available for demo or educational purposes.

Clients and Consoles by Mac Platform

Check Point Product Mac OS X 10.6 Mac OS X 10.7

Identity Agent 32-bit / 64-bit 32-bit / 64-bit

SecureClient 32-bit 32-bit

Endpoint Security VPN E75 for Mac 32-bit / 64-bit 32-bit / 64-bit

Check Point GO Secure Portable Workspace

R75.40 Security Gateways only support Check Point GO Secure Portable Workspace R75. Check Point GO R70.1 and R70 (formerly known as Check Point Abra) are not supported.

Upgrade Paths and Interoperability

R75.40 supports upgrading from lower software versions and management of lower Security Gateway versions.

Upgrading to Gaia

You can upgrade SecurePlatform and IPSO Security Management servers and Security Gateways to Gaia R75.40, according to the upgrade paths listed below.

Note: Upgrade is not supported in an ISDN configuration.

Supported Management and Gateway Upgrade Paths

You can upgrade these Security Management Server and Security Gateway versions to R75.40:

R70.50

R71.40

R71.45

R75

R75.10

R75.20

R75.30

Note - If you upgrade a 32-bit appliance, it remains 32-bit by default. To change it to 64-bit, if the open server or appliance meets 64-bit requirements, use cpconfig on all platforms except Gaia. On Gaia, run the command set edition default 64-bit and reboot.

Compatibility with Gateways and Clients

This release is compatible with these gateways and Endpoint clients.

Gateways

Release | Version
Security Gateway | NGX R65, R70.x, R71.x, R75.x
DLP-1 | R71 and higher
IPS-1 | R71
Series 80 | R71 and higher
VSX | VSX NGX R65, VSX NGX R67
Connectra Centrally Managed | NGX R66
UTM-1 Edge | 7.5.x and higher*
GX | 4.0

Endpoint Clients

Release | Version
SecureClient | up to SecureClient NGX R60 HFA 3 with support for Windows 7 32-bit
Endpoint Connect | up to Endpoint Security R73 HFA 1
Remote Access | up to Remote Access Clients E75.20 for Windows; up to Endpoint Security VPN E75 for Mac
Endpoint Security | up to Endpoint Security E80.31

* UTM-1 Edge and Safe@ devices that use locally configured VPN connections with download configuration settings, may experience VPN connectivity failure with R75.40 Security Gateways. To enable this configuration with R75.40, see sk65369 (http://supportcontent.checkpoint.com/solutions?id=sk65369).

IPS-1 Upgrade Paths and Interoperability

R75 Security Management servers can manage only R71 IPS-1 Sensors. To upgrade pre-R71 IPS-1 Sensors, do a clean install of R71 IPS-1 Sensor software on the IPS-1 Sensor (http://supportcontent.checkpoint.com/documentation_download?ID=10327).

Upgrade Package with CLI

When the WebUI is not available, install R75.40 from an ISO file with these commands.

To install R75.40 using the CLI:

1. Download the applicable ISO file from the R75.40 Home Page (http://supportcontent.checkpoint.com/solutions?id=sk67581).

2. Copy the ISO file to /var/tmp.

3. Run these commands:

mount -o loop /var/tmp/<name>.iso /mnt/cdrom

cd /mnt/cdrom

patch add cd

Updating IPS Patterns

The IPS pattern granularity (converting patterns into protections) will be installed during the first IPS update procedure (online update, offline update, or scheduled update). Therefore, the first update after installation can take a few minutes longer than usual.

Uninstallation of IPS pattern granularity is not supported. If you uninstall R75.40, the patterns remain, converted to protections.

Uninstalling

Important - This does not remove Multi-Domain Security Management products.

Use these procedures to uninstall R75.40.

Windows:

1. Open Start > Check Point > Uninstall R75.40

2. At the prompt, enter Y to continue.

Linux, IPSO, Solaris:

1. Change directory to: /opt/CPUninstall/R75.40/

2. Run: ./UnixUninstallScript

Example of Uninstall output:

***********************************************************

Welcome to Check Point R75.40 Uninstall Utility

***********************************************************

All R75.40 packages will be uninstalled.

Uninstallation program is about to stop all Check Point processes.

Do you want to continue (y/n) ? y

Uninstalling Management Portal package...Done!

Uninstalling SmartEvent and SmartReporter Suite package...Done!

Uninstalling R75 Compatibility package...Done!

Uninstalling R75.20 Compatibility package...Done!

Uninstalling R71 Compatibility package...Done!

Uninstalling CPSG 80 Series compatibility package...Done!

Uninstalling Connectra R66 Compatibility package...Done!

Uninstalling NGX Compatibility package...Done!

Uninstalling V40 Compatibility package...Done!

Uninstalling UTM-1 Edge compatibility package...Done!

Uninstalling CPinfo package...Done!

Uninstalling Security Gateway / Security Management package...Done!

************************************************************************

Package Name Status

------------ ------

Management Portal Succeeded

SmartEvent and SmartReporter Suite Succeeded

R75 Compatibility Succeeded

R75.20 Compatibility Succeeded

R71 Compatibility Succeeded

CPSG 80 Series compatibility Succeeded

Connectra R66 Compatibility Succeeded

NGX Compatibility Succeeded

V40 Compatibility Succeeded

UTM-1 Edge compatibility Succeeded

CPinfo Succeeded

Security Gateway / Security Management Succeeded

************************************************************************

Uninstallation program completed successfully.

Do you wish to reboot your machine (y/n) ?

If any package fails to uninstall, the script generates a log file and prints its location on the screen.