VPN-1

NGX R65 HFA 70


Release Notes

27 April, 2010
More Information
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=10703
For additional technical information about Check Point visit Check Point Support Center
(http://supportcenter.checkpoint.com).

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your
comments to us (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on VPN-1 NGX R65
HFA 70 Release Notes).

© 2010 Check Point Software Technologies Ltd.


All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Please refer to our Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Please refer to our Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a
list of relevant copyrights.
Contents

Introduction
  What's New
Supported Versions, Platforms, and Builds
  Supported Platforms
  Supported Versions
  Supported Builds
Installation
  Required Disk Space
  Installing with SecurePlatform WebUI - Appliance and Open Server
    Verifying Installation with SecurePlatform Web User Interface
  Installing on SecurePlatform Open Server
  Installing on Solaris, Linux, and IPSO Disk-Based
  Installing on IPSO Flash-Based
  Installing on Windows
  Installing with SmartUpdate
  Updating Customized INSPECT Files
  Installing HFA on Clusters
  Upgrading from IPSO 6 to IPSO 6.2
    Installing IPSO 6.2 Using Network Voyager
    Installing IPSO 6.2 Using the Command Shell
Uninstallation
  Uninstalling with SecurePlatform Web User Interface
  Uninstalling with Command Line
  Uninstalling with SmartUpdate
  Uninstalling from Windows
  Post-Uninstall Notes
Resolved Issues in NGX R65 HFA 70
  Firewall
  Management
  SmartDefense
  ClusterXL
  VOIP
  SSL Network Extender
  SmartLSM
  Eventia Reporter/Analyzer
  SmartView Monitor
Known Limitations
  SecurePlatform
  SecurePlatform Web User Interface
  IPSO
  Windows
  VPN-1 Edge/Embedded
  Database Revisions
  Endpoint Connect
  Connectra
  Eventia Analyzer and Reporting Server
  ClusterXL

Introduction
Thank you for updating your Check Point products with VPN-1 NGX R65 HFA 70 (Hotfix Accumulator). This
HFA includes all fixes and improvements from all previous NGX R65 HFAs and is the recommended update
for NGX R65.
Please read this document and the NGX R65 Known Limitations
(http://supportcontent.checkpoint.com/solutions?id=sk36267) carefully before installing this HFA.

What's New
Highlights of NGX R65 HFA 70 include the following:

Support for IPSO 6.2


New support for IPSO 6.2 including all of the fixes and improvements from all previous NGX R65 HFAs.
Customers running R65 on IPSO 6.0 or IPSO 6.1 will need to upgrade to IPSO 6.2 before installing this
HFA.

Inspect File Synchronization in High Availability


Inspect files (*.def) are now automatically synchronized between management High Availability members.
When you modify Inspect files on a management server, you no longer have to manually copy the modified
files to every member; the latest files are automatically synchronized to all members.
• SmartCenter servers and CMAs - When Management High Availability synchronization is triggered, the
  Inspect files from all members are compared and the files with the latest timestamp are copied to all
  members.
  Important - If a new CMA is created and added to Management High Availability, the
  new CMA's Inspect files will have a later timestamp than the files of the other members
  and they will overwrite the Inspect files of the other members.
  To make sure the customized Inspect files are preserved, do one of the following before
  creating the new CMA:
  1. Back up the customized Inspect files and re-apply them to one of the members after
     creating the new CMA.
  2. Copy the customized Inspect files into the CMA template so that they will be included
     when any new CMA is created.

• MDS - When Management High Availability synchronization is triggered, the Inspect files from the CMA
  template of the active MDS will overwrite the Inspect files in the CMA templates of any standby MDSs.
For more information about management High Availability file synchronization, see the Management High
Availability chapter of the R65 SmartCenter Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=7256) or the High Availability chapter
of the R65 Provider-1 Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=7251).

Improved VOIP H.323 Support


Improved support for VOIP H.323 protocol for use with Avaya Communication Manager (ACM).

vsx_util Enhancements
Enhancements to the vsx_util command include improved user experience and additional functionality.
• Additional command line arguments provide more efficient ways to invoke vsx_util commands.
• Improved vsx_util vsls command that provides a persistent, centrally managed method for manually
  configuring VSLS distribution. The vsx_util redistribute_vsls and vsx_util vsls commands
  have been consolidated into a single menu, allowing administrators to easily update the configuration,
  export configurations to a CSV file, edit the configuration file and import configurations.
• Two new commands are added to vsx_util. These commands are supported for SPLAT and Crossbeam
  VSX modules.
  • vsx_util change_interfaces - This new command allows you to automatically replace existing
    interfaces with new interfaces on all virtual devices to which the existing interfaces connect. This
    command is useful when converting from open server deployment to appliance and when converting
    a deployment to use Link Aggregation, especially where VLANs connect to many virtual devices.
  • vsx_util show_interfaces - This new command allows you to view information for a
    selected interface, including interface types, connections to virtual devices, and IP addresses.
    The output appears on the screen and is also saved to the interfacesconfig.csv file.

Supported Versions, Platforms, and Builds
In this Section

Supported Platforms
Supported Versions
Supported Builds

Supported Platforms
The following platforms are supported for VPN-1 NGX R65 HFA 70:

| Platform | Version |
|---|---|
| Power-1 | Models 5070 and 9070 |
| UTM-1 | Models 130, 270, 450, 570, 1050, 1070, 2050, 2070, 3070 |
| Smart-1 | Models 5, 25 and 50 |
| SecurePlatform | 2.4 and 2.6 |
| IPSO 4.2 Platforms | IP150/IP152, IP260, IP290/IP295, IP350/IP355, IP380/IP385, IP390/IP395, IP560/IP565, IP690/IP695, IP710, IP740, IP1220, IP1260, IP1280/IP1285, IP2250/2255, IP2450/IP2455 |
| IPSO 6.2 Platforms | IP150/152, IP290/IP295, IP390/IP395, IP560/IP565, IP690/IP695, IP1280/IP1285, IP2450/IP2455 |
| Windows | 2000 Server and Advanced Server SP1-SP4, 2003 Server SP1-SP2 |
| Solaris | 8, 9, 10 |
| NEC UNIVERGE UnifiedWall | 1000, 2000, 4000 |
| Linux | Red Hat Enterprise Linux 3 (kernel 2.4); Red Hat Enterprise Linux 3 Update 9 (kernel 2.4) |


Supported Versions
This HFA may be installed with the following Check Point version:

Note - This HFA is not supported for installation on NGX R65 with CoreXL.

| Check Point NGX R65 Version | Supports R65_HFA_70 Installation? |
|---|---|
| NGX R65, including the following HFAs: 01, 02, 30, 40, 50, and 60 | YES |
| NGX R65.4 | YES |
| NGX R65 with Messaging Security | YES |
| NGX R65 with R65 VSX Management Update (and revision 2) | YES |
| NGX R65 with Messaging Security on Power-1/UTM-1 appliances | YES |
| NGX R65 for IPSO 6.0 | YES (requires upgrade to IPSO 6.2) |
| NGX R65 for SPLAT 2.6 | YES |
| NGX R65 with CoreXL | NO |

Supported Builds
To verify you have the HFA described in this document: extract the contents of the tgz package you
downloaded and open the take_number.conf file using a text editor. Verify that it contains: take_67.
Take 67 of NGX R65 HFA 70 consists of the following builds:

| Component | Build Number | Verify Command and Output |
|---|---|---|
| Firewall | 620670033 | The output of fw ver -k should be similar to: This is Check Point VPN-1(TM) & Firewall(R) NGX (R65) HFA_70, Hotfix 670 - Build 033 |
| SecurePlatform | 620670009 | |
| Performance Pack | 620670008 | The output of sim ver -k should be similar to: This is Check Point Performance Pack version: NGX (R65) HFA_70, Hotfix 670 - Build 008 |
| VPN-1 UTM Edge Compatibility | 620670002 | |
| Eventia | 620670004 | The output of SVRServer ver should be similar to: This is Check Point Eventia Reporter Server (TM) NGX (R65) HFA_70, Hotfix 670 - Build 004 |
| Advanced Dynamic Routing for SecurePlatform | 620670003 | The output of gated_ver is a list of information including: 003 |
| MDS | 620670004 | The output of fwm mds ver should appear similar to: This is Check Point Provider-1 Server NGX (R65) HFA_70, Hotfix 670 - Build 004 |



Installation
In this Section

Required Disk Space
Installing with SecurePlatform WebUI - Appliance and Open Server
Installing on SecurePlatform Open Server
Installing on Solaris, Linux, and IPSO Disk-Based
Installing on IPSO Flash-Based
Installing on Windows
Installing with SmartUpdate
Updating Customized INSPECT Files
Installing HFA on Clusters
Upgrading from IPSO 6 to IPSO 6.2

Note - To install the HFA on Power-1 and UTM-1 appliances, you may use SmartUpdate or
the SecurePlatform Web User Interface.

Required Disk Space


The table below shows the amount of free disk space in MB required to download, extract, and install NGX
R65 HFA 70.

Note - It is safe to delete the downloaded .tgz file after it is extracted in order to allow
more disk space for installation.

| Platform | To download and extract (MB) | To install (MB) |
|---|---|---|
| Power-1, UTM-1, Smart-1, SecurePlatform, NEC UNIVERGE UnifiedWall | 576 | /opt = 500, /var = 200, root = 200 |
| IPSO Disk-based | 235 | /opt = 350, /var = 450 |
| IPSO Flash-based | (see "Installing on IPSO Flash-Based") | |
| Windows | 145 | 500 |
| Solaris | 311 | /opt = 530 |
| Linux | 576 | /opt = 500, /var = 200 |

Installing with SecurePlatform WebUI - Appliance and Open Server
Use the Web User Interface to install this HFA on Check Point Power-1, UTM-1, Smart-1 appliances, or on
open servers running SecurePlatform.
Before installing this HFA on SecurePlatform with Web User Interface, make sure to take a snapshot of the
machine.
To install NGX R65 HFA 70 with SecurePlatform Web User Interface:
1. Download the HFA file: Check_Point_NGX_R65_HFA_70.linux.tgz
   (http://supportcontent.checkpoint.com/file_download?id=10681)
2. Connect to the SecurePlatform Web User Interface:
   • Open server: https://<IP>
   • Appliance: https://<IP>:4434
3. Open the Upgrade page:
   • Open server: Device > Upgrade
   • Appliance: Appliance > Upgrade
4. In the Upgrade Steps pane, browse to the downloaded HFA.
5. Click the Upload package button.
6. In the Safe Upgrade step, make sure the Save a snapshot of the current system check box is
   selected.

   Important - Before installing an HFA, make sure that all GUI applications are closed and select
   the option that takes a snapshot of the machine.

7. Click Start Upgrade.
   At the end of the installation, the device automatically reboots.
8. Log in to the machine again.

Important - After upgrading, move the snapshot file from the Desktop to a pathname
without spaces. This must be done before attempting to restore the machine.

Verifying Installation with SecurePlatform Web User Interface
To verify NGX R65 HFA 70 installation through the SecurePlatform Web User Interface, make sure that
HFA 70 appears in the Build information, according to the platform type:
• Open server: Status > Version and Build
• Power-1 and UTM-1: Information > Appliance Status > Version and Build

Installing on SecurePlatform Open Server


Important - The default idle timeout on SecurePlatform is ten minutes. After this time, the
user is logged out. To ensure that installation is not interrupted by this timeout, before
entering expert mode, type: idle 60 in the command line.

Note - Before upgrading or uninstalling HFAs on SecurePlatform
operating systems, it is highly recommended that you take a snapshot
of the machine. For details refer to sk42329
(http://supportcontent.checkpoint.com/solutions?id=sk42329).
On Power-1 and UTM-1 appliances, the snapshot file is stored in:
/var/log/CPsnapshot/snapshots/NGX_R65_/
On open servers, the snapshot file is stored in:
/var/CPsnapshot/snapshots

To install this HFA on SecurePlatform open server with CLI:


1. Create a snapshot. Run snapshot and go through the options of the CLI snapshot wizard.
2. Create a temporary directory on /var: mkdir /var/hfa
3. Verify that there is enough free disk space for the installation of the HFA packages.
4. Navigate to the new directory: cd /var/hfa
5. Download the HFA file Check_Point_NGX_R65_HFA_70.linux.tgz
(http://supportcontent.checkpoint.com/file_download?id=10681) to /var/hfa.
6. Extract the packages.
7. Execute: ./UnixInstallScript and follow the instructions.
8. Reboot the machine after the installation is done.

Installing on Solaris, Linux, and IPSO Disk-Based
To install NGX R65 HFA 70 on Solaris, Linux, or Disk-based IPSO:
Note - You must follow the steps precisely to avoid installation problems.

Important - NGX R65 HFA_70 can only be installed on gateways running IPSO 4.2 or 6.2.
• To install NGX R65 HFA_70 on a gateway currently running IPSO 4.2, you must first
  upgrade your IPSO OS to IPSO 4.2 Build 106a04 (MR8) or higher. Instructions for
  upgrading to IPSO 4.2 are found in the Getting Started Guide and Release Notes for
  Check Point IPSO 4.2 MR8a (Build 106a04)
  (http://supportcontent.checkpoint.com/file_download?id=10743).
• To install NGX R65 HFA_70 on a gateway currently running IPSO 6.0 or 6.1, you must
  first upgrade your IPSO OS to IPSO 6.2 (see "Upgrading from IPSO 6 to IPSO 6.2").
1. Create a temporary directory on /opt: mkdir /opt/hfa
2. Navigate to the new directory: cd /opt/hfa
3. Verify that there is enough free disk space for the installation of the HFA packages.
4. Download the HFA file for your platform to /opt/hfa.
   • Solaris: Check_Point_NGX_R65_HFA_70.solaris2.tgz
     (http://supportcontent.checkpoint.com/file_download?id=10680)
   • Linux: Check_Point_NGX_R65_HFA_70.linux.tgz
     (http://supportcontent.checkpoint.com/file_download?id=10681)
   • IPSO 4.2: Check_Point_NGX_R65_HFA_70.ipso.tgz
     (http://supportcontent.checkpoint.com/file_download?id=10682)
   • IPSO 6.2: Check_Point_NGX_R65_HFA_70.ipso6.tgz
     (http://supportcontent.checkpoint.com/file_download?id=10684)
5. Extract the contents.
6. Execute: ./UnixInstallScript and follow on-screen instructions.
7. Reboot the machine.

Installing on IPSO Flash-Based
This HFA can be installed on IPSO Flash-based platforms running IPSO 4.2 or 6.2. You must follow the
steps precisely to avoid installation problems.

Important - NGX R65 HFA_70 can only be installed on gateways running IPSO 4.2 or 6.2.
• To install NGX R65 HFA_70 on a gateway currently running IPSO 4.2, you must first
  upgrade your IPSO OS to IPSO 4.2 Build 106a04 (MR8) or higher. Instructions for
  upgrading to IPSO 4.2 are found in the Getting Started Guide and Release Notes for
  Check Point IPSO 4.2 MR8a (Build 106a04)
  (http://supportcontent.checkpoint.com/file_download?id=10743).
• To install NGX R65 HFA_70 on a gateway currently running IPSO 6.0 or 6.1, you must
  first upgrade your IPSO OS to IPSO 6.2 (see "Upgrading from IPSO 6 to IPSO 6.2").
Important - Only the administrator running the installation process can be logged into the
server during the installation. No other console or SSH session can be open during the
installation.

Before installing on an IPSO Flash-based Appliance:
1. Make sure that the R65 Firewall and CPInfo packages are the only packages stored on the server. All
   other Check Point packages must be deleted. You can do this using Network Voyager or using the
   command shell.
   Using Network Voyager:
   a) Choose Configuration > System Configuration > Packages > Delete Packages.
   b) Select a previous installation package to delete, and click Apply.
   c) Delete any tgz files.
   d) Click Apply.
   Using the command shell, run the following commands:
     newpkg -q
     newpkg -u <previous package name>
     rm /opt/packages/<previous tgz name>
2. If there is an IPSO image that is not in use on the machine, delete it using Network Voyager:
   a) Choose Configuration > System Configuration > Images > Manage Images.
   b) Click Delete IPSO Images.
   c) Select the IPSO image to delete, and click Apply.
3. Verify that there is enough free flash disk space for the installation of the packages:
   • For /preserve, you need at least 455000 KB free.
     (To find absolute free space: run the df -k /preserve command and subtract the 3rd column,
     Used, from the 2nd column, 1K-blocks.)
   • For /opt and /var, you need at least 382000 KB free.
To install NGX R65 HFA 70 on IPSO Flash-based Appliance:
1. Run: cpstop
2. (For IPSO 4.2 only) If using 1GB RAM systems, run the following command to extend the /opt RAM disk
   partition:
     /sbin/mount -u -o extend_partition /dev/null /opt
   To verify that the /opt partition was extended to at least 500000 KB, run the df command.
3. Create a temporary directory on /opt: mkdir /opt/hfa
4. Navigate to the home directory: cd ~
5. Download the HFA file for your platform to the home directory.
   • For IPSO 4.2, download: Check_Point_NGX_R65_HFA_70.ipso_Flash.tgz
     (http://supportcontent.checkpoint.com/file_download?id=10683)
   • For IPSO 6.2, download: Check_Point_NGX_R65_HFA_70.ipso6_Flash.tgz
     (http://supportcontent.checkpoint.com/file_download?id=10685)
6. Extract the contents to /opt/hfa:
     tar -zxvf Check_Point_NGX_R65_HFA_70.ipso_Flash.tgz -C /opt/hfa
7. Delete the *.tgz file to save flash disk space.
8. Navigate to the /opt directory: cd /opt
9. Move the hfa directory to admin: mv /opt/hfa /var/emhome/admin/
10. Navigate to the /var/emhome/admin/hfa directory: cd /var/emhome/admin/hfa
11. Install the HFA: ./UnixInstallScript
12. Reboot the machine.
13. After reboot, remove the hfa directory: rm -rf /var/emhome/admin/hfa
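
The free-space checks from the pre-installation list and from step 2 above, as an added example (not Check Point code): it applies the subtraction this section describes to df -k output. The function names and the sample df output are constructed, and the 382000 KB figure is assumed to apply to /opt and /var separately.

```shell
#!/bin/sh
# Added example, not Check Point code. Checks `df -k` output against the
# thresholds this section gives for IPSO flash-based installs.

# df_kb MOUNT free|size : read `df -k` output on stdin and print, for MOUNT,
#   size = the 1K-blocks column
#   free = 1K-blocks minus Used (2nd column minus 3rd, as the section describes)
# Exits non-zero if MOUNT is not listed.
df_kb() {
    awk -v mnt="$1" -v want="$2" '
        NR == 1 { next }                      # header row
        NF == 1 { dev = $1; next }            # df wrapped a long device name
        {
            if (dev != "") { $0 = dev " " $0; dev = "" }   # re-join the row
            if ($NF == mnt) {
                printf "%d\n", (want == "size" ? $2 : $2 - $3)
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# check_kb MOUNT free|size REQUIRED_KB : compare one value with a threshold.
# Returns 0 if met, 1 if too small, 2 if MOUNT is missing from the df output.
check_kb() {
    have=$(df_kb "$1" "$2") || { echo "????  $1: not in df output" >&2; return 2; }
    if [ "$have" -ge "$3" ]; then
        echo "OK    $1 $2: $have KB (need $3)"
    else
        echo "SHORT $1 $2: $have KB (need $3)"
        return 1
    fi
}

# preflight DF_OUTPUT : apply the three free-space thresholds from step 3 of
# the pre-installation list. Assumption: 382000 KB is required on /opt and on
# /var individually. Returns non-zero if any check fails.
preflight() {
    rc=0
    printf '%s\n' "$1" | check_kb /preserve free 455000 || rc=1
    printf '%s\n' "$1" | check_kb /opt free 382000 || rc=1
    printf '%s\n' "$1" | check_kb /var free 382000 || rc=1
    return "$rc"
}

# Constructed sample output (not captured from a real appliance); the /opt row
# is wrapped the way df wraps a long device name.
SAMPLE_DF='Filesystem  1K-blocks    Used   Avail Capacity  Mounted on
/dev/wd0f      507630   41200  425820     9%    /preserve
/dev/a-long-constructed-device-name
               495000  100000  355400    22%    /opt
/dev/md1c      600000  250000  302000    45%    /var'

preflight "$SAMPLE_DF" || echo "Free more flash space before running cpstop."

# On the appliance itself:
#   preflight "$(df -k)"
#   df -k | check_kb /opt size 500000    # after extending /opt (IPSO 4.2, 1GB RAM)
```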

Installing on Windows
To install NGX R65 HFA 70 on Windows NGX R65:
1. Verify that there is enough free disk space for the installation of the HFA packages.
2. Download the HFA file: Check_Point_NGX_R65_HFA_70.windows.tgz
(http://supportcontent.checkpoint.com/file_download?id=10679)
3. Extract the packages.
4. Run Setup.bat
5. Reboot the machine.

Installing with SmartUpdate


You can use SmartUpdate to remotely install this HFA on SecurePlatform (open server or appliance),
Solaris, Linux, Windows, and IPSO gateways.
To install with SmartUpdate:
1. Install this HFA on the SmartCenter server, using the Command Line or SecurePlatform Web User
Interface.
2. Open SmartUpdate and close SmartDashboard.
3. Click Packages > Get Data from All.
When the Operation Status of the known gateways is Done, the installed packages and their versions
are listed.
4. Open the Package Repository: Packages > View Repository.
5. Add the HFA file (*.tgz) of each required gateway platform to the Package Repository (Packages > Add;
or drag-and-drop).
Wait until the Operation Status of adding the package is Done. The HFA package appears in the
Package Repository: Check Point Suite VPN-1.
6. Right-click the package and select Distribute.
The Distribute Package window opens.
7. Select the gateways on which you want to install the HFA.
8. Click Distribute.
The HFA is distributed to and installed on the selected gateways. The selected gateways automatically
reboot.

Important - After completing the installation, IPSO 6.2 gateways must be rebooted
manually.

Note that in SmartUpdate, the Minor Version of the upgraded packages is R65_70.

Note - If after installing this HFA on a Windows machine the gateway does not accept
traffic, re-install the policy.

Updating Customized INSPECT Files
The SmartCenter server contains several INSPECT (*.def) files, typically located in the $FWDIR/lib
directory. This HFA may include one or more updated INSPECT files, which replace the files currently in
use.
For environments using only original Check Point INSPECT files, the updated INSPECT files are installed
automatically: the previous *.def files are replaced with the new ones.
If even one INSPECT file was manually customized, none of the new INSPECT files replace the previous
ones. The following message appears:
The updated inspect files were NOT installed due to signature mismatches or errors.
To complete the installation replace the inspect files.
Inspect files that were not replaced may lead to unexpected behavior!
To force update of the inspect files run: update_inspect_files -f
If the files were not replaced (signature mismatch message displayed), you must force the INSPECT files to
be updated.

Important - You must replace the previous files. If you do not, unexpected behavior may
result.

To force INSPECT files to be updated:


1. Make note of the customized INSPECT files.
   To see which INSPECT files were not replaced, see the log:
   • Unix - /opt/CPInstLog/update_inspect_files_70.log
   • Windows - C:\Program Files\CheckPoint\CPInstLog\update_inspect_files_70.log
   If the files were not replaced because of customizations, the log shows:
   <filename>.def was changed by user, signature didn’t match!
2. Open the files that are listed in update_inspect_files_70.log and note the customized lines.
3. Run: update_inspect_files -f
The log will show: <filename>.def was replaced.
4. Merge the customized content (that you noted in the previous steps) into the new INSPECT file(s).
5. Re-install the Security Policy to enable the new INSPECT files.
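
The forced-update procedure above, scripted as an added example (not Check Point code): it reads the log to list the customized files, saves copies before update_inspect_files -f overwrites them, and afterwards reports any file the log does not yet show as replaced. The function names are hypothetical, and the log is assumed to contain the two message forms quoted in this section.

```shell
#!/bin/sh
# Added example, not Check Point code. Works from the two log messages quoted
# in this section:
#   <filename>.def was changed by user, signature didn't match!
#   <filename>.def was replaced

# def_status LOGFILE : print "NAME STATE" for every INSPECT file the log ever
# reported as changed by the user. STATE is the last thing the log says about
# that file: customized or replaced. The apostrophe in "didn't" may be ASCII
# or typographic, so the pattern skips over it.
def_status() {
    awk '
        function defname(   i, n) {       # token just before "was", basename only
            for (i = 1; i < NF; i++)
                if ($i ~ /\.def$/ && $(i + 1) == "was") {
                    n = $i; sub(/^.*\//, "", n); return n
                }
            return ""
        }
        / was changed by user, signature didn[^t]*t match!/ {
            if ((n = defname()) != "") { flagged[n] = 1; last[n] = "customized" }
        }
        / was replaced/ {
            if ((n = defname()) != "" && (n in flagged)) last[n] = "replaced"
        }
        END { for (n in flagged) print n, last[n] }
    ' "$1" | sort
}

# Steps 1-2: the files whose customized lines must be noted.
customized_defs() { def_status "$1" | awk '{ print $1 }'; }

# After step 3: customized files the log does not yet show as replaced.
still_unreplaced() { def_status "$1" | awk '$2 == "customized" { print $1 }'; }

# backup_customized LOGFILE LIBDIR BACKUPDIR : copy each customized file out
# of LIBDIR so its lines can be merged back in step 4.
backup_customized() {
    mkdir -p "$3" || return 1
    customized_defs "$1" | while IFS= read -r f; do
        if [ -f "$2/$f" ]; then
            cp -p "$2/$f" "$3/$f" && echo "saved $f"
        else
            echo "missing $f"
        fi
    done
}

# Demonstration on constructed files (file names and contents are made up).
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/lib"
    echo '// constructed customized file' > "$d/lib/user.def"
    echo '// constructed customized file' > "$d/lib/table.def"
    {
        echo "base.def was replaced"
        echo "user.def was changed by user, signature didn't match!"
        echo "table.def was changed by user, signature didn’t match!"
    } > "$d/update_inspect_files_70.log"
    backup_customized "$d/update_inspect_files_70.log" "$d/lib" "$d/backup"
    # Simulate the log after a forced update that replaced only one file.
    echo "user.def was replaced" >> "$d/update_inspect_files_70.log"
    echo "not yet replaced: $(still_unreplaced "$d/update_inspect_files_70.log")"
    rm -rf "$d"
}
demo
```

On a Unix SmartCenter server, LOGFILE would be /opt/CPInstLog/update_inspect_files_70.log and LIBDIR would typically be $FWDIR/lib. Comparing each saved copy with the replaced file using diff shows the customized lines to merge in step 4.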

Installing HFA on Clusters


When upgrading directly from NGX R65, the following upgrade options are available and explained in the
NGX R65 Upgrade Guide (http://supportcontent.checkpoint.com/documentation_download?ID=7259):
• Minimal Effort Upgrade - For more information, refer to the Minimal Effort Upgrade on a ClusterXL
  chapter in the NGX R65 Upgrade Guide
  (http://supportcontent.checkpoint.com/documentation_download?ID=7259).
• Zero Down Time Upgrade - For more information, refer to the Zero Down Time Upgrade on a
  ClusterXL Cluster chapter in the NGX R65 Upgrade Guide
  (http://supportcontent.checkpoint.com/documentation_download?ID=7259).
• Full Connectivity Upgrade - For more information, refer to the Full Connectivity Upgrade on a
  ClusterXL Cluster chapter in the NGX R65 Upgrade Guide
  (http://supportcontent.checkpoint.com/documentation_download?ID=7259).
Notes:
• When performing a Full Connectivity Upgrade, follow all steps described in the Full Connectivity
  Upgrade on a ClusterXL Cluster chapter in the Upgrade guide. This includes running the fw fcu
  command and understanding the relevance of the Ready state as described in step 7 of the Zero Down
  Time Upgrade on a ClusterXL Cluster section in the NGX R65 Upgrade Guide
  (http://supportcontent.checkpoint.com/documentation_download?ID=7259).
• The Full Connectivity Upgrade is not supported when upgrading a cluster from any version prior to NGX.
  Only Minimal Effort or Zero Down-Time upgrades can be done in this circumstance.
• The maximum number of cluster members that is supported in ClusterXL mode is five; in third-party
  mode the maximum is eight.

Upgrading from IPSO 6 to IPSO 6.2
R65 HFA_70 now supports IPSO 6.2. To install HFA_70 on a gateway running IPSO 6.0 or 6.1, you must
first upgrade your IPSO OS to version 6.2.

Installing IPSO 6.2 Using Network Voyager


The following procedure allows you to upgrade to IPSO 6.2 from IPSO 4.x, IPSO 6.0 and IPSO 6.1.
To upgrade to IPSO 6.2 using Network Voyager:
1. Download the IPSO 6.2 image (http://supportcontent.checkpoint.com/file_download?id=10561) and
place it on an FTP site that your device can connect to.
2. Open Network Voyager. Also open a CLI console so that you can verify when the installation process
   is complete.
3. Click Configuration > System Configuration > Images > Upgrade Images.
   The Upgrade Image window opens.
4. Enter the following for the FTP site where the IPSO 6.2 image file is located:
   • Enter URL to the image location
   • Enter HTTP Realm (for HTTP URLs only)
   • Enter Username (if applicable)
   • Enter Password (if applicable)
5. Click Apply.
You are informed that the file download and image installation may take some time.
6. Click Continue and then click Apply.
7. Click the Upgrade Image Status link.
In the IPSO Image Management window, follow the upgrade status messages.
8. When the upgrade has completed, activate the newly installed image:
a) Go to the Manage Images page.
b) Choose the “Last Image Downloaded”.
c) Reboot.
9. Access the CLI console to see when the Reboot is complete. Once the Reboot is complete, go back to
the Network Voyager home page and check the software release to verify that the image was set
properly.
Now you have IPSO 6.2 installed and you are ready to upgrade the gateway to R65 HFA_70.

Installing IPSO 6.2 Using the Command Shell


The following procedure allows you to upgrade to IPSO 6.2 from IPSO 4.2, IPSO 6.0 and IPSO 6.1.
To upgrade to IPSO 6.2 using the CLI shell:
1. Download the IPSO 6.2 image (http://supportcontent.checkpoint.com/file_download?id=10561) and
   place it in the local filesystem or on an FTP site that your device can connect to.
2. Verify that you are in the /var/emhome/admin directory.
3. Run: newimage -ik
   If you add a new version of IPSO by using the newimage command and the -k (keep) option, your
   previous packages are active with the new IPSO version. If you use newimage without the -k option, all
   the optional packages currently installed on the platform are turned off, but they are not deleted.
4. Specify where the ipso.tgz image is located. For example, choose one of:
   a) Install from FTP server with user and password.
   b) Install from local filesystem.
5. FTP only: Enter the FTP server location and credentials.
6. Enter the pathname to the packages, or enter "." for the current directory.
7. Enter the ipso.tgz pkg name, and press Enter.

   Note - On some appliances, installing the image can take some time.
   The newimage program might display the message “Setting up new
   image...” for a few minutes with no other sign of activity.

8. After the upgrade process completes, choose the image to run. For example, choose Newly
   Installed image.
9. Reboot the machine. At the prompt, type: reboot
10. Verify the current image by running: uname -a
    6.2 should be the current IPSO image.
Now you have IPSO 6.2 installed and you are ready to upgrade the gateway to R65 HFA_70.

Uninstallation
In this Section

Uninstalling with SecurePlatform Web User Interface
Uninstalling with Command Line
Uninstalling with SmartUpdate
Uninstalling from Windows
Post-Uninstall Notes

Uninstalling with SecurePlatform Web User


Interface
If you are using SecurePlatform Web User Interface only, you may restore the SecurePlatform (open server
or appliance), to its state before the HFA installation.

Important - Any database change or configuration definitions will not be preserved. It is


recommended that if possible you use the uninstall executable from the command line.

To restore SecurePlatform, UTM-1, or Power-1 to pre-HFA state:


1. Connect to the SecurePlatform Web User Interface:
   • Open server: https://<IP>
   • Power-1 and UTM-1: https://<IP>:4434
2. Open the Image Management page:
   • Open server: Device > Image Management
   • Power-1 and UTM-1: Appliance > Image Management
3. In the Available Images pane, find the relevant image.
4. Click Revert and then Apply.
5. In the message, click Yes.
The device automatically reboots.
6. Reconnect.

Uninstalling with Command Line


This procedure should be used for uninstalling the HFA from IPSO, Solaris, Linux, or SecurePlatform open
servers (not including appliances and SecurePlatform 2.6).

Important - Uninstallation of NGX R65 HFA 70 from flash-based IP appliances is not
supported.

To uninstall this HFA with command line:


1. Navigate to: /opt/CPUninstall/R65_HFA_70/
2. Execute: UnixUninstallScript -u
3. Reboot the machine.

Note - On SecurePlatform, if you reboot the machine from
/opt/CPUninstall/R65_HFA_70, an error message appears that can be ignored.

Uninstalling with SmartUpdate
You can use SmartUpdate to remotely uninstall this HFA on gateways of all platforms, except IPSO.
To uninstall with SmartUpdate:
1. Make sure SmartDashboard is closed.
2. Open SmartUpdate.
3. From the Packages menu choose Get Data From All.
4. Right-click each package with Minor_Version value of R65_70 and choose Uninstall in the following
order:
   • VPN-1 Power/UTM
   • Performance Pack (for SecurePlatform and Solaris gateways, if installed)

Note - All packages must be uninstalled except for the SecurePlatform
package that cannot be uninstalled from SecurePlatform gateways.

5. On Windows platforms, reboot manually.

Uninstalling from Windows


To uninstall NGX R65 HFA 70 from Windows:
1. Go to: C:\Program Files\CheckPoint\CPUninstall\R65_HFA_70
2. Run: Setup.bat -u
3. Reboot the machine.

Post-Uninstall Notes
After uninstalling this HFA from a management server machine which had plug-ins installed, you may find
that policy installation is not functioning correctly. To fix this issue, execute: plugin_reset
After uninstalling this HFA from a SecurePlatform machine, the login prompt may still display Check Point
SecurePlatform NGX (R65) HFA 70 as the installed version, because the SecurePlatform package was
not uninstalled. Use the fw ver command to see the current version.

Resolved Issues in NGX R65 HFA 70
In this Section

Firewall
Management
SmartDefense
ClusterXL
VOIP
SSL Network Extender
SmartLSM
Eventia Reporter/Analyzer
SmartView Monitor

Installing this HFA provides performance enhancements and functionality fixes to Check Point Suite NGX
R65. It includes fixes of previous NGX R65 HFAs. A complete list of resolved issues in NGX R65 and
previous HFA versions is in sk42318 (http://supportcontent.checkpoint.com/solutions?id=sk42318).

Note - The numbers associated with each issue below are reference numbers in Check Point’s
internal database. Refer to this number if you contact Check Point Support about an issue.
If you have previously installed a hotfix provided by Check Point, search for the tracking number
of the hotfix (not to be confused with the build number) in this document.
   • If your hotfix is not included in this HFA (or if you do not have the number of the hotfix),
     contact Check Point Support (http://supportcenter.checkpoint.com) before installing this
     HFA.
   • If your hotfix is not included in the HFA, installing this HFA may overwrite the hotfix.
Note - When you use the fw ctl set int command to set a parameter, the parameter will
revert back to its original value after reboot.
For more instructions on how to set a global parameter, refer to SecureKnowledge article
sk26202 (http://supportcontent.checkpoint.com/solutions?id=sk26202).
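
Because values set with fw ctl set int are lost at reboot, a gateway can silently return to a state the administrator did not intend. The script below is an added example, not part of the original release notes or of any Check Point tooling: it compares a site's intended values for parameters named in this document against values read back from a gateway (for example with fw ctl get int) and reports drift. The intended values and the sample read-back are constructed, and the one-line-per-parameter "name = value" read-back format is an assumption.

```shell
#!/bin/sh
# Added example: report drift between intended kernel-parameter values and
# the values read back from a gateway (for instance after a reboot).

# Intended state, one "name value" pair per line. The names are parameters
# listed in this document; the values are a constructed site policy.
desired_params() {
cat <<'EOF'
dns_allow_udp_truncated_msg 1
fwdns_check_question_allow_class_any 0
sip_accept_session_after_cancel 0
h323_gk_init_tcp_conn 1
fwx_alloc_selective_sync 1
EOF
}

# Constructed read-back. Assumption: one "name = value" line per parameter.
sample_readback() {
cat <<'EOF'
dns_allow_udp_truncated_msg = 0
fwdns_check_question_allow_class_any = 0
sip_accept_session_after_cancel = 1
fwx_alloc_selective_sync = 1
not a parameter line
EOF
}

# param_drift DESIRED   (read-back is taken from stdin)
# Prints "DRIFT name want=X got=Y" or "MISSING name want=X" in DESIRED order.
# Exit status: 0 when every intended value matches, 1 otherwise.
param_drift() {
    DESIRED="$1" awk '
        BEGIN {
            n = split(ENVIRON["DESIRED"], line, "\n")
            for (i = 1; i <= n; i++)
                if (split(line[i], f, " ") == 2) {
                    name[++m] = f[1]
                    want[f[1]] = f[2]
                }
        }
        # Keep only well-formed "name = value" lines; ignore anything else.
        NF == 3 && $2 == "=" { got[$1] = $3 }
        END {
            for (i = 1; i <= m; i++) {
                p = name[i]
                if (!(p in got)) {
                    printf "MISSING %s want=%s\n", p, want[p]; bad = 1
                } else if ((got[p] "") != (want[p] "")) {
                    printf "DRIFT %s want=%s got=%s\n", p, want[p], got[p]; bad = 1
                }
            }
            exit (bad ? 1 : 0)
        }'
}

sample_readback | param_drift "$(desired_params)" || echo "drift found: review the lines above"
```

A DRIFT line with got=1 for a parameter the site wants at 0 deserves the closest look, since several of the parameters in this document relax an inspection check when enabled.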

Firewall
| ID | Description | Install On |
|---|---|---|
| 00505513, 00423573 | Improved stability of fwd CPU usage regarding cluster-related operations. | Gateway |
| 00501459, 00496768, 00501461 | Enhancements to SecureXL fixed a memory leak. | Gateway |
| 00506176, 00361444, 00361452, 00361453, 00361454, 00412775, 00433069, 00496185 | Improved stability in cluster environment when using VoIP and/or the following IPS protections: Header Spoofing, Directory Listing, Error Concealment, ASCII only response headers or any IPS protection for which “send error page” is enabled. | Gateway |
| 00509612 | Enhancements to VPND fixed a memory leak. | Gateway |
| 00526667, 00522061 | Improved memory management of fwd during the dynamic object resolving process fixed a memory leak. | Gateway |
| 00526440, 00521934, 00528269 | Improved stability of fwd when a dynamic object is incorrectly defined. | Gateway |
| 00499613, 00501102, 00504002, 00523687 | Improved handling of SNMPv3. | SmartCenter server |
| 00517097 | Improved security for connections to the ICA management portal over OpenSSL. | SmartCenter server |
| 00500605, 00505879, 00506369, 00507298, 00531233, 00531195 | Improved stability of clientless VPN. | Gateway |
| 00500711, 00502744, 00506235, 00511732, 00517082, 00519239 | Improvements to gateway cluster synchronization allow better management of fwx_alloc table entries for non-synchronized connections. By default the fwx_alloc_selective_sync kernel parameter is set to 1. To disable it, run: fw ctl set int fwx_alloc_selective_sync 0 | Gateway |
| 00217680, 00517800, 00427744, 00217801, 00344698, 00431868, 00446794, 00450257, 00463273, 00506268, 00530340 | Improved stability during manual client authentication. | Gateway |
| 00495421, 00496735, 00496736 | Improved stability of security servers running on IPSO. | Gateway |
| 00496433, 00404972, 00405134, 00405136, 00405138, 00405140, 00407420, 00510266, 00512372, 00511796, 00409445, 00425647, 00434513 | Improved stability of fwd during log purge operations. | SmartCenter server and Gateway |
| 00519772, 00520249, 00520302, 00525292, 00522039 | Improved stability in fwd during process initialization. | SmartCenter server |
| 00495534, 00498495, 00499355, 00526954 | Includes updated list of Skinny message types to be allowed by the gateway. | Gateway |
| 00435687, 00436390, 00438458, 00446572, 00447995, 00466886, 00494160, 00524069, 00506224, 00509837, 00528201 | Improvements to firewall processes reduce extraneous error logs. | Gateway |

Management
| ID | Description | Install On |
|---|---|---|
| 00505535, 00503342 | Improvements to policy compilation fix an issue that could have occurred when CPDShield and other dynamic objects are used in rules. | SmartCenter server |
| 00510980, 00519517 | Improved stability when listing large Account Units in the SmartDashboard. | SmartCenter server |
| 00432322, 00502717, 00523713, 00511174 | Improved stability during security policy installation. | SmartCenter server |
| 00450225, 00502893, 00508111, 00527960, 00506361, 00511205, 00522418 | Enhancements to the fwm process fixed a memory leak that occurred during certain user management operations. | SmartCenter server |
| 00423122, 00506350 | Users with policy download permissions also have permissions for database revision control. | SmartCenter server |
| 00500350, 00504065, 00504978 | The $FWDIR/conf/ipassignment.conf file will no longer be overwritten during synchronization of a UTM-1 cluster in High Availability. | SmartCenter server |
| 00414727, 00416543, 00506880 | When changing the color of a group object, the chosen color is saved and will display correctly even after reopening SmartDashboard. | SmartCenter server |
| 00339780, 00339880, 00339881, 00339882, 00349112, 00367550, 00428390, 00523514, 00527130 | SmartCenter successfully installs policy for topologies with more than 140 VPN communities. | SmartCenter server |

SmartDefense
| ID | Description | Install On |
|---|---|---|
| 00450311, 00499947, 00526088, 00499949 | To prevent a DNS UDP truncated response from being dropped by the firewall, run the following command: fw ctl set int dns_allow_udp_truncated_msg 1. To disable the feature, set the value to 0. | Gateway |
| 00506258, 00431103, 00527458, 00506259 | To allow a DNS query with class "ANY", run the following command: fw ctl set int fwdns_check_question_allow_class_any 1. To disable the feature, set the value to 0. | Gateway |

ClusterXL
| ID | Description | Install On |
|---|---|---|
| 00506325, 00506327, 00506407, 00336356, 00405735 | In ClusterXL Legacy mode, only the Active machine will reply to ARP requests sent by the Server on a non shared VLAN interface. | Gateway |
| 00511534, 00520585, 00520586, 00532306 | QoS properties on cluster members are preserved for IPSO platforms. This resolves the issue discussed in sk40021 (http://supportcontent.checkpoint.com/solutions?id=sk40021). | SmartCenter server |



VOIP
| ID | Description | Install On |
|---|---|---|
| 00508897, 00410142, 00527894 | Improved support for VOIP H.323 protocol for use with Avaya Communication Manager (ACM). The endpoint normally initiates the H.323 (H.225) TCP connection to the Gatekeeper or server. In scenarios where the Gatekeeper initiates the TCP connection to the endpoint, set the global parameter h323_gk_init_tcp_conn by running the command: fw ctl set int h323_gk_init_tcp_conn 1. Note that when running Avaya Communication Manager (ACM), the TTS (Time to service) feature may be enabled by default. When TTS is enabled, the Gatekeeper initiates the TCP connection to the endpoint, and so the h323_gk_init_tcp_conn parameter must be set. | Gateway |
| 00506718, 00446366, 00448023, 00449051, 00503185, 00506567, 00506718 | IPv6 Neighbor-Advertisement packets are no longer dropped by the firewall as Out of State ICMPv6 packets. | Gateway |
| 00404877, 00506253, 00506254 | The firewall can be configured to allow a SIP (Session Initiation Protocol) connection to continue despite receiving a SIP CANCEL request by running the following command: fw ctl set int sip_accept_session_after_cancel 1. To disable the feature, set the value to 0. | Gateway |

SSL Network Extender


| ID | Description | Install On |
|---|---|---|
| 00507785, 00509916, 00509917, 00509918 | Improved stability in policy installation after the gateway has made multiple LDAP requests. | Gateway |

SmartLSM
| ID | Description | Install On |
|---|---|---|
| 00505308, 00506886 | Increases the maximum size of a script line of SmartLSM Edge gateway scripts using the LSMcli utility. | SmartCenter server |
| 00465471, 00466070, 00517799, 00533184, 00517840, 00517841 | Improvements to LSMcli better manage modifications to dynamic objects. | SmartCenter server |

Eventia Reporter/Analyzer
| ID | Description | Install On |
|---|---|---|
| 00518676, 00517121, 00518679, 00444817, 00444569, 00450114, 00526422 | Improved synchronization between Provider-1 and Eventia databases. | Eventia servers |
| 00519449, 00518516, 00519451, 00520397, 00526220 | Improved stability in Eventia Analyzer server process. | Eventia servers |
| 00510205, 00498197, 00510207 | Improved stability in Eventia Reporter when running many consolidation sessions. | SmartReporter servers |
| 00448019, 00447456, 00450107 | Improved stability in synchronization between management and Eventia databases. | Eventia servers |
| 00502477, 00498940, 00502480, 00503585, 00511945 | Improved stability in generation of RuleBase Analysis report with "Active Policy Analysis" and "Per gateway" checked. | SmartReporter servers |
| 00506387, 00423093, 00428461 | Additional information added to report generation logs. | SmartReporter servers |



SmartView Monitor
| ID | Description | Install On |
|---|---|---|
| 00467171, 00506995, 00521534, 00533677 | Modules running Solaris ZFS filesystems do not show disk space usage in SmartView Monitor. | Gateway |
| 00511458, 00517867, 00522370 | Enhanced SNMP monitoring of CPU Idle time. | Gateway |
| 00363993, 00442656, 00508628, 00508630, 00508631 | Connectra users are promptly removed from the list of connected users in SmartView Monitor after they disconnect. | Gateway |
| 00432800, 00256749, 00434161, 00441857, 00494101, 00523645, 00523979, 00502612, 00503221, 00503295, 00505487, 00511182, 00518623, 00519478, 00522561, 00522803 | More precise monitoring of CPU usage with SmartView Monitor on multiprocessor systems running SecurePlatform 2.6. | Gateway |



Known Limitations
In this Section

SecurePlatform
SecurePlatform Web User Interface
IPSO
Windows
VPN-1 Edge/Embedded
Database Revisions
Endpoint Connect
Connectra
Eventia Analyzer and Reporting Server
ClusterXL

SecurePlatform
ID Description

After installing Check_Point_NGX_R65_HFA_70.linux.tgz
(http://supportcontent.checkpoint.com/file_download?id=10681) that contains a number
of packages on a SecurePlatform, the HFA package named SecurePlatform (for the
Operating System) cannot be uninstalled.
Check Point SecurePlatform NGX (R65) HFA 70 will be displayed after uninstall.
Make sure to read the notes about important steps to do after uninstalling.

00466648 After upgrading directly from R65 on SecurePlatform 2.6 to R65 HFA_70, uninstalling the
HFA is not supported as it may cause system instability. Before installing NGX R65 HFA
70 on SecurePlatform 2.6, make sure to take a snapshot of the entire system to enable
reverting to the previous state if needed. For details refer to sk42329
(http://supportcontent.checkpoint.com/solutions?id=sk42329).
However, uninstalling HFA_70 on SecurePlatform 2.6 is supported if done after
upgrading from a previous R65 SPLAT 2.6 supported HFA (HFA_50 or HFA_60) to
HFA_70.

SecurePlatform 2.6: Check Point NGX R65.4 is not supported for installation on top of
NGX R65 HFA 70 running on SecurePlatform 2.6.


SecurePlatform 2.4: On SecurePlatform Pro 2.4 using stand-alone architecture (with the
SmartCenter server and Gateway installed on the same machine) with Advanced
Routing, the installation of NGX R65.4 on top of NGX R65 HFA 70 overwrites the
Advanced Routing installation of build 62064001 (included in HFA_40).
To repair the Advanced Routing package:
a) Download and unpack HFA 70:
tar zxvf Check_Point_NGX_R65_HFA_70.linux.tgz
b) Go to the Advanced Routing directory:
cd hotfixes/dr_splat/
c) Unpack the dr_splat package:
tar zxvf dr_splat_R65_HFA.tgz
d) Install the package:
./dr_splat_HOTFIX_R65_70_620670003_1 -FORCED
e) Follow the installation instructions.

SecurePlatform Web User Interface


ID Description

00435874 When using SecurePlatform Web User Interface to restore a machine from a snapshot
with a path name that has spaces, the restore will fail with the error:
“Filename must not contain spaces.”
Workaround: Restore the machine from a path name that has no spaces.

00520229 When upgrading with the Web User Interface, if snapshot is enabled, you must close all
GUI applications before the snapshot can start.

IPSO
ID Description

Installation of this HFA by Voyager is not supported.

After installing this HFA on IPSO Flash-based platforms, the installation log files are
automatically deleted after reboot.

After installing this HFA on IPSO 6.2 using SmartUpdate, you must manually reboot the
gateway.

Windows
ID Description

00194720 Using SmartUpdate to uninstall this HFA from Windows gateways requires a manual
reboot of the gateway.

To install this HFA on Windows gateways using SmartUpdate, a previous HFA must
have been installed on the gateway via CLI.


00520349, 00520346 R65.4 installation on top of HFA 50 or above is blocked. For a workaround, see sk42965
(http://supportcontent.checkpoint.com/solutions?id=sk42965).
Uninstallation of both R65.4 and this HFA is not supported.

VPN-1 Edge/Embedded
ID Description

00437851 Installing a policy on a large number of VPN-1 UTM Edge devices managed from
SmartDashboard may not succeed.
Workaround: Install the policy on Edge devices in several batches.

00522831 During HFA installation, all INSPECT files related to the UTM-1 Edge compatibility
package (located at /opt/CPEdgecmp-R65/libsw/) are overwritten. Any manual changes
made on these files will be lost.
For details see: sk43158 https://supportcontent.checkpoint.com/solutions?id=sk43158

Database Revisions
ID Description

00432491 A database version created with the Policy Revision Control cannot be viewed or
restored if the list of currently installed plug-ins is different from when the Revision
Control version was created.

Endpoint Connect
ID Description

00416341 When using Smart Card certificate authentication, renewal of certificates that were
enrolled to the Smart Card is not supported. Note: Renewal from the local (CAPI) store is
supported.

00434786 Endpoint Connect requires MSXML3.dll on Windows 2000 SP4. This dll can be obtained
from Windows Update (Microsoft site). Place it in C:\WINDOWS\System32.

00426700 If the trac_client_1.ttm file should be edited on a Windows platform, it must be done in
Notepad; Wordpad will corrupt the file.

00434083 Connecting from two different machines to the same gateway with the same username is
not supported, because they may both get the same Office Mode IP, which would
disconnect the first session.

Connectra
ID Description

Installation of Connectra NGX R62 Central Management plug-in is not supported on an
NGX R65 SmartCenter server with certain other plug-ins. For a list of plug-in
compatibility, see (http://www.checkpoint.com/ngx/upgrade/plugin/index.html).



Eventia Analyzer and Reporting Server
ID Description

00467080 When changing the Database Maintenance configuration from a very large size (20 GB)
to a smaller size (2 GB) the cleaning process takes a very long time.
Workaround: In Database Maintenance, reduce the DB size gradually from 20 GB to 15
GB, then to 10 GB, and so on.

00519595 After uninstalling this HFA from a machine with Eventia Reporting Server, on which R65
HFA 25 was previously installed, the cpsemd process will not be able to start.
Workaround:
1. cpstop
2. execute:
   • Unix: CPRegSvr -p $RTDIR/lib libCPSet2Sql.so
   • Windows: CPRegSvr /p "%RTDIR%\lib" CPSet2Sql.dll
3. cpstart

ClusterXL
ID Description

00501854 All interfaces that are not part of the ClusterXL topology should be defined in:
$FWDIR/conf/discntd.if

00510097 A connection from one side of the ClusterXL (external or internal) with a destination IP
address of one of the non-active members' physical IP addresses on the other side of
the ClusterXL, will work only when 'fwha_forw_packet_to_not_active' is set to 1. That
connection will be forwarded by the 'active' member to the destination non-active
member on top of the 'sync' network.
