13 August 2012
Release Notes
R75.40
Classification: [Protected]
© 2012 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=13079
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
For more about this release, see the R75.40 home page (http://supportcontent.checkpoint.com/solutions?id=sk76540).
Revision History
Date Description
13 August 2012 Updated: Support for Standalone Full High Availability Deployment, and Smart-1 does not support Standalone ("Check Point Appliances" on page 14).
Updated: Open Server support for Appliance Hardware Health Monitoring (on page 15).
Updated: SmartEvent Requirements (on page 23)
Updated: Anti-Virus Software Blade is not supported on IPSO ("Security Gateway Software Blades" on page 26).
Added: Bridge Mode supported platforms ("Security Gateway Bridge Mode" on page 27). This supersedes the information in the Firewall Administration Guide.
17 May 2012 Updated DLP data
15 May 2012 New SmartConsole ("Build Numbers" on page 12)
03 May 2012 Updated link to package ("Upgrade Package with CLI" on page 29)
30 April 2012 Updated What's New ("Operating System - Gaia" on page 7) and Upgrade Paths ("Upgrading to Gaia" on page 28)
23 April 2012 First release of this document
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments (mailto:[email protected]?subject=Feedback on R75.40 Release Notes).
Contents
Important Information
Introduction
  Important Solutions
  Licensing
What's New
  Operating System - Gaia
  New Appliances
  Anti-Bot
  New Anti-Virus
  IPS
  Application Control and URL Filtering
  Data Loss Prevention
  UserCheck
  Identity Awareness
  SmartEvent
  HTTPS Inspection
  HTTP Proxy
  IPsec VPN
  SmartLog
  Enhancements
Build Numbers
System Requirements
  Check Point Appliance Naming Conventions
  Security Software Containers
    Check Point Operating Systems
    Check Point Appliances
    Other Platforms and Operating Systems
    Appliance Hardware Health Monitoring
    Dedicated Gateways
  Platform Requirements
    Gaia Requirements
    SecurePlatform
    IPSO
    Linux
    Solaris
    Microsoft Windows
    Maximum Number of Interfaces Supported by Platform
    Security Management Open Server Hardware Requirements
    Multi-Domain Security Management Requirements
    Security Gateway Open Server Hardware Requirements
    Mobile Access Blade Requirements
    SmartEvent Requirements
    SmartReporter Requirements
    Console Requirements
    UserCheck Client Requirements
    Performance Pack
  Security Management Software Blades
  Security Gateway Software Blades
  Security Gateway Bridge Mode
  Clients and Consoles by Windows Platform
  Clients and Consoles by Mac Platform
  Check Point GO Secure Portable Workspace
Upgrade Paths and Interoperability
  Upgrading to Gaia
  Supported Management and Gateway Upgrade Paths
  Compatibility with Gateways and Clients
  Upgrade Package with CLI
  Updating IPS Patterns
Uninstalling
Introduction
Thank you for choosing to install Check Point version R75.40. Please read this document carefully before installing R75.40.
Important Solutions
For more about R75.40 and to download the software, go to the R75.40 Home Page (http://supportcontent.checkpoint.com/solutions?id=sk76540).
For a list of open issues, see the Known Limitations (http://supportcontent.checkpoint.com/solutions?id=sk79260).
For a list of fixes, see the Resolved Issues (http://supportcontent.checkpoint.com/solutions?id=sk67583).
Licensing
Important - Check Point software versions R75.10 or higher must have a valid Software Blades license. Users with NGX licenses cannot install the software. To migrate NGX licenses to Software Blades licenses, see Software Blade Migration (http://www.checkpoint.com/products/promo/software-blades/upgrade/index.html) or contact Account Services.
If you manage GX gateways from a Security Management server, you must regenerate your GX licenses in the User Center to be compliant with Software Blades. This procedure is optional for Multi-Domain Servers and Domain Management Servers.
IPS Software Blade License
Virtual Systems with IPS Software Blades must have a current, valid IPS contract that is renewed annually. To manage your contracts, go to your UserCenter account or contact your reseller.
Notifications that IPS service contracts are expiring show in many locations, including:
The IPS SmartDashboard window
SmartUpdate
Product reports in your Check Point UserCenter account
If your service contract has expired, IPS continues to operate using the R70 (Q1/2009) signature set. Renew your IPS service contract to download and use the current signature set.
For more about IPS contract enforcement, see sk44175 (http://supportcontent.checkpoint.com/solutions?id=sk44175).
What's New
New Terms:
These product and technology names are changed.
Name in R75.20           Name in R75.40
SmartDirectory (LDAP)    User Directory
Check Point Abra         Check Point GO
Operating System - Gaia
Gaia is Check Point's next generation operating system for security applications. In Greek mythology, Gaia is the mother of all, representing closely integrated parts to form a single, efficient system. The Gaia Operating System supports the full portfolio of Check Point Software Blades, Gateway and Security Management products.
Gaia is a single, unified network security Operating System that combines the best of Check Point's SecurePlatform operating system, and IPSO, the operating system from appliance security products. Gaia is available for all Check Point security appliances and open servers.
Designed from the ground up for modern high-end deployments, Gaia includes support for:
IPv4 and IPv6 - fully integrated into the Operating System.
High Connection Capacity - 64bit support.
Load Sharing - ClusterXL and Interface bonding.
High Availability - ClusterXL, VRRP, Interface bonding.
Dynamic and Multicast Routing - BGP, OSPF, RIP, and PIM-SM, PIM-DM, IGMP.
Easy to use Command Line Interface - Commands are structured using the same syntactic rules. An enhanced help system and auto-completion further simplifies user operation.
Role Based Administration - Enables Gaia administrators to create different roles. Administrators can allow users to access features by adding those functions to the user's role definition. Each role can include a combination of administrative (read/write) access to some features, monitoring (read-only) access to other features, and no access to other features.
Simple and Easy upgrade - from IPSO and SecurePlatform.
Gaia Software Updates
Get updates for licensed Check Point products directly through the operating system.
Download and install the updates more quickly. Download automatically, manually, or periodically. Install manually or periodically.
Get email notifications for newly available updates and for downloads and installations.
Easy rollback from new update.
Gaia Web User Interface
The Gaia WebUI is an advanced, web-based interface for configuring Gaia platforms. Almost all system configuration tasks can be done through this Web-based interface.
Easy Access - Simply go to https://<Device IP Address>.
Browser Support - Internet Explorer, Firefox, Chrome and Safari.
Powerful Search Engine - makes it easy to find features or functionality to configure.
Easy Operation - Two operating modes. 1) Simplified mode shows only basic configuration options. 2) Advanced mode shows all configuration options. You can easily change modes.
Web-Based Access to Command Line - Clientless access to the Gaia CLI directly from your browser.
New Appliances
New Check Point appliances support R75.40:
21400 Appliance
12000 Appliances
4000 Appliances
2200 Appliances
Anti-Bot
Check Point Anti-Bot prevents damage and blocks bot communication between infected hosts and a remote operator.
The Anti-Bot Software Blade:
Uses the multi-layered ThreatSpect engine to analyze network traffic and identify bot infected machines in the organization.
Uses ThreatCloud repository Real-Time security intelligence to identify bot infections based on millions of bot command and control IP/DNS/URL addresses and bot initiated spam outbreaks.
Uses different views and reports to provide threat visibility for the organization and help assess damages and decide on corrective actions.
Integrates with other Software Blades for a unique Anti-Bot and Anti-Malware solution on a Security Gateway.
New Anti-Virus
Check Point Anti-Virus provides superior Anti-Virus protection against modern malware, multiple attack vectors, and threats.
The Anti-Virus Software Blade:
Offers powerful security coverage by supporting millions of signatures.
Leverages the Check Point ThreatCloud repository to identify and block incoming malicious files (such as exe, doc, xls, pdf) from entering the organization.
Prevents web-based malware download from sites known to contain malware.
Uses different views and reports to provide threat visibility for the organization and help assess damages and decide on corrective actions.
Consolidated Anti-Bot and Anti-Virus approach for dealing with malware threats (including policy setting, event analysis, and malware reports).
Uses a separate policy installation (together with the Anti-Bot Software Blade) to minimize risk and operational impact.
IPS
Significant reduction (about 90%) of false positives of non-compliant HTTP and TCP-streaming protections and of redundant logs.
Increase pattern granularity - Header rejection, Http worm catcher and Cifs worm catcher patterns were converted into separate protections, giving more granularity in their settings. This feature is installed during the first IPS update process (online update, offline update or scheduled update).
Implied exceptions - Built-in exceptions to allow Check Point products trusted traffic.
New tool to control IPS functionality from the gateway through CLI
Improved TCP streaming infrastructure
Enhanced HTTP and Web Sockets protection
Improved TAP mode support
Granular TCP logging
New GEO database and additional countries and significantly improved accuracy
Application Control and URL Filtering
Use the Limit action in rules to limit the bandwidth permitted for a rule.
Add a Time object to a rule to make the rule active only during specified times.
The UserCheck client adds the option to send notifications for applications that are not in a web browser, such as Skype or iTunes.
New UserCheck features ("UserCheck" on page 10): Cancel button on messages and UserCheck Frequency.
If traffic is not detected by other applications, it is declared an unknown application. This lets you block all unknown traffic and better handle known traffic.
Data Loss Prevention
Watermarking: Add visible and hidden marks to Microsoft Office 2007 and 2010 documents when they are sent as email attachments (outgoing and internal emails).
Visible Watermarks alert users to sensitive document content when viewed or printed. Examples:
Add customized text footer to Power Point slides: "Highly Restricted, sent by John Smith on 7/7/11".
Add a large diagonal "Classified" visible watermark on the first page of Word documents that match a DLP rule.
Hidden Watermarks are encrypted and let DLP tag documents without affecting format.
Does not change the visible document layout.
The tag can be identified in DLP scans.
The tag can be used for forensic analysis to track leaked documents.
Improved Privacy Options:
Can choose to not store original messages with the DLP incident.
Send the original email to the data owner.
Easy to view HTML-based messages include highlighted matched content and masked credit card numbers.
Time Object:
Limit rules to certain times of the day, day of week or day of month.
Stop DLP rules on set date, when the data is no longer sensitive (for example, after financial data is publicly released).
Improved Compliance and Matching:
Easily view and quickly apply multiple compliance-related rules.
Improved template matching identifies files by text and by embedded images (for example, upload company logo to match documents using the company template with that logo embedded).
New Message Attributes data type to match based on overall message size, number of attachments, and number of words.
UserCheck
In Application and URL Filtering, UserCheck Frequency lets you set the number of times that users get UserCheck messages for accessing applications that are not permitted by the policy. You can also set the notifications to be based on accessing the rule, application category, or the application itself.
UserCheck Scoping enhances notifications to match not only by rule, but also by category and site in the Application Control Rule Base.
A dedicated UserCheck agent on the endpoint gives users notifications and options, according to your rules, when their user actions match DLP or Application and URL Filtering rules.
If you don't need users to enter their reason for wanting to do an action that is caught by Application and URL Filtering rules, you can disable this requirement. See the UserCheck Interaction window > Conditions.
Cancel button added to the Inform and Ask web pages, to stop loading a requested page or to stop an email in progress.
UserCheck Revoke Page lets you delete (revoke) all UserCheck entries when you access the Revoke Page (https://<UserCheck Portal URL>/RevokePage).
Identity Awareness
New Identity acquisition methods:
Terminal Servers / Citrix communicate with the gateway through one IP address, but are used to host multiple users. The gateway identifies the originating user behind connections from these multi-user hosts.
Transparent Portal Authentication redirects an unauthenticated user to a URL, for authentication (using Kerberos SSO) and then redirects the user back to the originally requested URL. If the transparent authentication fails, the user is redirected to the Captive Portal for manual authentication. The new Browser-Based Authentication lets you configure Captive Portal and Transparent Portal Authentication for Identity Awareness.
SSO with Remote Access Clients integrates the Mobile Access blade with the Identity Awareness blade. It adds identity data for VPN client users (coming from E75.x clients, E80.x clients, SecureClient, SSL Network Extender, and so on).
Identity Agent for MAC OS (10.6 and 10.7) on 32-bit and 64-bit. It can be downloaded from the Identity Awareness Captive Portal.
Nested Groups are enforced by the Identity Awareness blade. You can set a parent group as an Access Role in a rule, and it applies to all users in the sub groups.
SmartEvent
Reports:
Enhanced Reports tab, for richer management functionality of SmartEvent reports and ease of use.
Get reports in PDF format.
New layout for Anti-Malware reports.
Anti-Malware:
Enhanced overall support for Anti-Malware.
SmartEvent Intro for Anti-Malware.
Usability and Performance Enhancements:
Summary view of Grouped Events, for Application Control and Anti-Malware events.
Easy to activate SmartEvent on a standalone environment - no configuration needed, just activate the Software Blade on the Security Management Server properties.
Enhanced SmartEvent performance: support for 2 Million events per day (8,000 to 15,000 users behind Application Control and URL Filtering).
HTTPS Inspection
Support for HTTPS Inspection on inbound traffic.
Automatic update for Trusted CA list.
HTTP Proxy
You can configure a Security Gateway to be an HTTP/HTTPS web proxy, in transparent or non-transparent mode.
IPsec VPN
Support for Suite-B GCM encryption. See RFC 6379 for more information.
SmartLog
New SmartLog for full-text, ultra-fast search over billions of log records.
SmartLog is a next generation solution for managing logs generated by Check Point Security Gateways. This solution is designed to answer the challenges of storing, searching and filtering logs in modern environments with continually increasing log volume.
Enhancements
General
Configure Multi Portal access through VPN clients (connected with Office Mode), to protect your portals from external network exposure. This new option applies to all portals: Mobile Access Portal, UserCenter Portal, Identity Awareness Captive Portal, Platform Portal, and DLP Portal.
SmartProvisioning supports Security Gateway 80 appliances.
Performance
NAT and log templates in SecureXL
IPv6 acceleration, MultiCore and ClusterXL HA support on Gaia and SecurePlatform.
Accelerated Drop Rules, explained in sk67861 (http://supportcontent.checkpoint.com/solutions?id=sk67861).
Licensing
R75.40 management servers do not need IPv6 licenses.
Gaia can automatically attach licenses for Security Gateways and management servers.
SmartConsole
Hit count - shows number of instances a rule in the Application Control or Firewall Rule Bases was matched to traffic.
Improved performance and easier installation of SmartConsole.
Build Numbers
This table shows the R75.40 software products and their build numbers as included on the product DVD. To verify each product build number, use the show command syntax or do the steps in the GUI.
Software Blade / Product           Build Number               Verifying Build Number*
Gaia OS                            build 338                  show version all
SecurePlatform                     986000069                  ver
Security Gateway                   986000275, Windows - 274   fw ver
Security Management                986000064                  fwm ver
SmartConsole Applications          986000382                  Help > About Check Point <Application name>
Mobile Access                      986000128                  cvpn_ver
Multi-Domain Server                986000210                  fwm mds ver
SmartDomain Manager                986000229                  Help > About Check Point Multi-Domain Security Management
Acceleration (Performance Pack)    986000044                  sim ver -k
Advanced Networking (Routing)      986000010, Gaia - 056      SecurePlatform: gated_ver; Gaia: rpm -qf /bin/routed
Server Monitoring (SVM Server)     986000010                  rtm ver
Management Portal                  986000016                  cpvinfo /opt/CPportal-R75.40/portal/bin/smartportalstart
SmartReporter                      986000227                  SVRServer ver
Compatibility Packages**
CPNGXCMP-R75.40-00                 020                        /opt/CPNGXCMP-R75.40/bin/fw_loader ver
CPV40Cmp-R75.40-00                 976121001                  cpvinfo /opt/CPV40Cmp-R75.40/bin/fw_loader | grep Build
CPEdgecmp-R75.40-00                986000003                  /opt/CPEdgecmp-R75.40/bin/fw ver
CPR71CMP-R75.40-00                 001                        /opt/CPR71CMP-R75.40/bin/fw_loader ver
CPR75CMP-R75.40-00                 001                        /opt/CPR75CMP-R75.40/bin/fw_loader ver
CPSG80CMP-R75.40-00                029                        /opt/CPSG80CMP-R75.40/bin/fw_loader ver
CPR7520CMP-R75.40-00               003                        /opt/CPR7520CMP-R75.40/bin/fw_loader ver
CPCON66CMP-R75.40-00               Build 004                  /opt/CPCON66CMP-R75.40/bin/fw_loader ver
* Some of the commands to see the installed build show only the last three digits of the build number.
** To see build numbers on Windows, look at C:\Program Files\CheckPoint\R75.40 instead of /opt/../R75.40
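The check described by the build table and its first footnote, as an added example that is not part of the original release notes or Check Point's own tooling: a POSIX shell script that runs the shell-level verification commands and accepts either the full build number or its last three digits. The function names are hypothetical, and because this document does not show the commands' output format, the script matches on runs of digits in whatever each command prints.

```shell
#!/bin/sh
# Added example (not Check Point code): compare the output of the
# build-verification commands with the build numbers listed for R75.40.

# build_matches WANT TEXT
# Succeeds when TEXT contains WANT as a whole run of digits, or the last
# three digits of WANT (some commands print only those).
build_matches() {
    want=$1
    text=$2
    short=$(printf '%s' "$want" | sed 's/.*\(...\)$/\1/')
    # Split the text into runs of digits and compare each run.
    for n in $(printf '%s\n' "$text" | tr -c '0-9' '\n'); do
        if [ "$n" = "$want" ] || [ "$n" = "$short" ]; then
            return 0
        fi
    done
    return 1
}

# r7540_builds: "product|build|command" rows copied from the build table.
# Rows that are checked in the GUI, with "show version all", or through a
# shell pipeline are left out. On Windows the Security Gateway build is 274.
r7540_builds() {
    cat <<'EOF'
SecurePlatform|986000069|ver
Security Gateway|986000275|fw ver
Security Management|986000064|fwm ver
Mobile Access|986000128|cvpn_ver
Multi-Domain Server|986000210|fwm mds ver
Acceleration (Performance Pack)|986000044|sim ver -k
Server Monitoring (SVM Server)|986000010|rtm ver
SmartReporter|986000227|SVRServer ver
EOF
}

# check_builds: read "product|build|command" rows on stdin, run each command
# and print OK, MISMATCH or SKIPPED per product. Returns 1 on any mismatch.
check_builds() {
    rc=0
    while IFS='|' read -r name expected cmd; do
        [ -n "$name" ] || continue
        bin=${cmd%% *}                      # first word is the binary
        if ! command -v "$bin" >/dev/null 2>&1; then
            printf '%-9s%s (%s not found)\n' SKIPPED "$name" "$bin"
            continue
        fi
        # Run the command with stdin detached so it cannot eat the table.
        out=$($cmd 2>&1 </dev/null)
        if build_matches "$expected" "$out"; then
            printf '%-9s%s\n' OK "$name"
        else
            printf '%-9s%s: expected %s, got: %s\n' MISMATCH "$name" "$expected" "$out"
            rc=1
        fi
    done
    return $rc
}

# Run the real check only when asked to: sh check_builds.sh --check
if [ "${1:-}" = "--check" ]; then
    r7540_builds | check_builds
fi
```

Products that are not installed on the host are reported as SKIPPED rather than as a mismatch, so the same script can run on a gateway, a management server or a standalone deployment.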
System Requirements
Important - Resource consumption is dependent on the scale of your deployment. The larger the deployment, the more disk space, memory, and CPU are required.
In This Section
Check Point Appliance Naming Conventions
Security Software Containers
Platform Requirements
Security Management Software Blades
Security Gateway Software Blades
Security Gateway Bridge Mode
Clients and Consoles by Windows Platform
Clients and Consoles by Mac Platform
Check Point GO Secure Portable Workspace
Check Point Appliance Naming Conventions
An appliance model name that ends with 00 (two zeros) is the generic name of the model. Any other number shows the number of Software Blades on the appliance. Some model names end with one zero.
This document uses the generic appliance names.
For example:
Check Point 4800 is the generic name of the model.
Check Point 4810 is the model with 10 Software Blades.
Check Point IP2450 is the generic name of the model.
Check Point IP2457 has 7 Software Blades.
Security Software Containers
Management servers and gateways are supported on these operating systems and platforms.
Check Point Operating Systems
Software Blade Containers    Gaia    SecurePlatform    IPSO Disk-based    IPSO Flash-based
Security Management
Security Gateway *
Multi-Domain Security Management
* On Flash-based Appliances, 1G of RAM is enough to run Firewall, IPS and VPN blades only. To activate more blades, 2G of RAM is required on IP290, IP390, and IP560 flash-based appliances.
Check Point Appliances
Appliance    Security Management    Security Gateway    Standalone Deployment    Standalone Full High Availability Deployment    Multi-Domain Security Management
2200 Appliance
4000 Appliances
12000 Appliances
21400 Appliance
IP Appliances (IP150, IP280, IP290, IP390, IP560, IP690, IP1280, IP2450)
Smart-1 5
Smart-1 25
Smart-1 50
Smart-1 150
Power-1
UTM-1
IP Appliance platforms are available in disk-based, diskless flash-based and hybrid (flash-based systems with a supplemental hard disk for local logging, swap space and core file storage) configurations.
Other Platforms and Operating Systems
Software Blade Containers    Microsoft Windows Server 2003, 2008    Microsoft Windows XP, 7    Red Hat Linux RHEL 5.0, 5.4    Crossbeam X-series    Solaris Ultra-SPARC 8, 9, 10
Security Management
1
Security Gateway
Multi-Domain Security Management
2
1. Security Management Server supports Windows Server 2008 R2.
2. We recommend that you install Multi-Domain Security Management on Sun M-Series servers. Sun T-Series servers are not supported.
Operating System Versions
These are the supported versions of Microsoft and RedHat operating systems.
For Windows 2003 SP1, you must install the hotfix specified in Microsoft KB 906469 (http://support.microsoft.com/kb/906469).
Windows 2008 Server 64-bit is supported for Security Management only.
Operating System Editions Service Pack 32/64-bit
Microsoft
Windows XP Professional SP3 32-bit
Windows 2003 Server N/A SP1, SP2 32-bit
Windows 2008 Server N/A SP1, SP2 32-bit, 64-bit
Windows 7 Professional, Enterprise, Ultimate N/A 32-bit, 64-bit
RedHat
RHEL 5.0 N/A 32-bit
RHEL 5.4 kernel 2.6.18 N/A 32-bit
Appliance Hardware Health Monitoring
R75.40 supports these Hardware Health Monitoring features for Gaia and SecurePlatform:
RAID Health: Use SNMP to monitor the health of the disks in the RAID array, and be notified of the states of the volumes and disks.
Hardware Sensors: Use the WebUI or SNMP to monitor fan speed, motherboard voltages, power supply health, and temperatures. Open Servers are only supported when they have an IPMI card installed.
Check Point Appliances
21000 12000 4000 and 2200
Power-1 UTM-1 Smart-1
Hardware sensors monitoring with SNMP (polling and traps)
(1)
Hardware sensors monitoring with the WebUI
(1)
RAID monitoring with SNMP (2)
Notes
1. Hardware sensors monitoring is supported on all UTM-1 models except the xx50 series.
2. RAID Monitoring with SNMP is supported on Power-1 servers with RAID card installed (Power-1 9070 and Power-1 11070).
Open Servers
Hardware Sensors Monitoring: Use SNMP (polling and traps) or the WebUI to monitor hardware on IBM, HP, Dell, and Sun certified servers with an Intelligent Platform Management Interface (IPMI) card installed. The IPMI standard defines a set of common interfaces for a computer system, which system administrators can use to monitor system health.
Note - IPMI is an open standard, and we cannot guarantee the Hardware Health Monitoring performance on all systems and configurations.
RAID Monitoring with SNMP: Use SNMP to monitor RAID on HP servers with HP Smart Array P400 Controller. Note the HP Smart Array P400i Controller is a different controller, which is not supported for hardware monitoring.
Dedicated Gateways
To install R75.40 on an R71 DLP-1 appliance or an R71 DLP open server, do a clean installation of R75.40.
Note - To upgrade from DLP-1 9571 of version R71.x DLP, you must upgrade the BIOS. Then do a clean installation of R75.40. See sk62903 (http://supportcontent.checkpoint.com/solutions?id=sk62903) for details.
You cannot upgrade these dedicated gateways to R75.40:
Open Server - IPS-1 Sensor, VSX
Appliances - Security Gateway 80, UTM-1 Edge, IPS-1 Sensor, VSX-1
Platform Requirements
Gaia Requirements
This release is shipped with the new Gaia operating system, which supports most Check Point appliance platforms, selected open servers, and selected network interface cards.
If your open server has less than 6GB RAM, it can run in 32-bit mode only. You can run 64-bit compatible open servers with 6GB RAM or more in 64-bit mode.
Gaia Open Servers - All open servers in the Hardware Compatibility List are supported (http://www.checkpoint.com/services/techsupport/hcl/all.html).
Gaia and Performance Pack - Performance Pack is supported on all Gaia platforms.
Gaia on Check Point Security Appliances
Appliances 32-bit / 64-bit*
2200 32
4200 32
4600 32
4800 32, 64
12200 32, 64
12400 32, 64
12600 32, 64
21400 32, 64
* 64-bit is available with over 6GB RAM.
Gaia on IP Appliances
Important - Gaia is not supported on Flash-Based or Hybrid platforms at this time.
These configurations are supported:
IP Appliance Disk Based Platform 32-bit / 64-bit*
IP150 32
IP280 32
IP290 32
IP390 32
IP560 32
IP690 32
IP1280 32, 64
IP2450 32, 64
* 64-bit is available on appliances with over 6GB RAM. The basic configuration for IP appliances includes 4GB of RAM.
Gaia on Power-1, UTM-1 and Smart-1 Appliances
Platform 32-bit / 64-bit
Power-1 11000 32, 64 (default is 64)
Power-1 9070 32
Power-1 5070 32
UTM-1 3070 32
UTM-1 2070 32
UTM-1 1070 32
UTM-1 570 32
UTM-1 270 32
UTM-1 130 32
Smart-1 5 32
Smart-1 25 32
Smart-1 50 * 32
Smart-1 150 * 32
* Not supported for Multi-Domain Security Management.
Gaia WebUI
The Gaia WebUI (also known as the Gaia Portal) is supported on these browsers:
Internet Explorer 8 or higher
Firefox 6 or higher
Chrome 14 or higher
Safari 5 or higher
SecurePlatform
This release is shipped with the latest SecurePlatform operating system, which supports a variety of appliances and open servers.
See the list of certified hardware (http://www.checkpoint.com/services/techsupport/hcl/index.html) before installing SecurePlatform on the target hardware.
IPSO
Only clean installation of R75.40 is supported on IPSO flash-based models:
IP290
IP390
IP560
Features: Advanced Routing and SecureXL are included by default. Clustering on IPSO supports VRRP and IP Clustering. All currently available IPSO platform types (Disk-based, Flash-based, and Hybrid) are supported. You can select 32-bit or 64-bit in the Boot Manager for IP appliances.
Limitations: You cannot manage UTM-1 Edge devices from a Security Management server on an IPSO platform. R75.40 on IPSO flash-based models requires 2GB RAM. (Note - This is more required disk space than that required by versions before R75.20.)
Linux
Note - Cross-platform High Availability is not supported with a mix of Windows and non-Windows platforms.
Before you install Security Management on Red Hat Enterprise Linux 5:
1. Install the sharutils-4.6.1-2 package.
a) Make sure that you have the sharutils-4.6.1-2 package installed by running: rpm -qa | grep sharutils-4.6.1-2
b) If the package is not already installed, install it by running: rpm -i sharutils-4.6.1-2.i386.rpm
This package can be found on CD 3 of RHEL 5.
2. Install the compat-libstdc++-33-3.2.3-61 package.
a) Make sure that you have the compat-libstdc++-33-3.2.3-61 package by running: rpm -qa | grep compat-libstdc++-33-3.2.3-61
b) If the package is not already installed, install it by running: rpm -i compat-libstdc++-33-3.2.3-61.i386.rpm
This package can be found on CD 2 of RHEL 5.
3. Disable SELinux.
a) Make sure that SELinux is disabled by running: getenforce
b) If SELinux is enabled, disable it by setting SELINUX=disabled in the /etc/selinux/config file and rebooting the computer.
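The three checks above combined into one pre-install script, as an added example that is not part of the Check Point release notes. The function names check_prereqs and live_check and the sample package list are assumptions made for illustration; the check treats a Permissive result from getenforce as not disabled, because only Disabled meets the requirement.

```shell
#!/bin/sh
# Pre-install check for Security Management on RHEL 5 (added example,
# hypothetical helper names). Package versions are the two named above.
REQUIRED_PKGS="sharutils-4.6.1-2 compat-libstdc++-33-3.2.3-61"

# Constructed sample (not captured from a real host): sharutils is present,
# compat-libstdc++ is at a different release.
SAMPLE_PKGS='sharutils-4.6.1-2
compat-libstdc++-33-3.2.3-47
bash-3.2-24.el5'

# check_prereqs PKG_LIST SELINUX_MODE
#   PKG_LIST     - output of `rpm -qa`, one package per line
#   SELINUX_MODE - output of `getenforce` (Enforcing, Permissive or Disabled)
# Prints one line per unmet requirement; returns 0 only when all are met.
check_prereqs() {
    pkg_list=$1
    selinux_mode=$2
    rc=0
    for pkg in $REQUIRED_PKGS; do
        # Same substring check as `rpm -qa | grep <pkg>`, but with -F so
        # the '+' and '.' in the package name are matched literally.
        if ! printf '%s\n' "$pkg_list" | grep -F -q -- "$pkg"; then
            echo "MISSING package: $pkg"
            rc=1
        fi
    done
    case $selinux_mode in
        Disabled)
            ;;
        Permissive|Enforcing)
            # Permissive still loads the policy, so it does not count.
            echo "SELinux is $selinux_mode: set SELINUX=disabled in /etc/selinux/config and reboot"
            rc=1
            ;;
        *)
            echo "SELinux state unknown: '$selinux_mode'"
            rc=1
            ;;
    esac
    return $rc
}

# On the target host, feed the real command output to the check.
live_check() {
    check_prereqs "$(rpm -qa)" "$(getenforce)"
}
```

Run live_check on the RHEL 5 host before starting the installer; a non-zero exit status means at least one requirement is unmet.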
Solaris
Security Management Server and Multi-Domain Security Management are supported with Solaris running on UltraSPARC 64-bit platforms. See Management Products by Platform.
Note - Cross-platform High Availability is supported if all of the platforms are SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).
Required Packages
SUNWlibC
SUNWlibCx (except Solaris 10)
SUNWter
SUNWadmc
SUNWadmfw
Required Patches
The patches listed below are required to run Check Point software on Solaris platforms. They can be downloaded from: http://sunsolve.sun.com
To display your current patch level, use the command: showrev -p | grep <patch number>
Platform Required Recommended Notes
Solaris 8
108528-18 109147-40 or higher If the patches 108528-17 and 113652-01 are installed, remove 113652-01, and then install 108528-18.
110380-03
109147-18
109326-07
108434-01 Required only for 32 bit systems
108435-01 Required only for 64 bit systems
Solaris 9
112233-12 112963-25 or higher
112902-07
116561-03 Only if dmfe(7D) Ethernet driver is defined on the machine
Solaris 10 117461-08 or higher
Multi-Domain Security Management is not supported on Sun T-Series servers.
Microsoft Windows
High Availability Legacy mode is not supported on Windows.
Note - Cross-platform High Availability is supported if all of the platforms are SecurePlatform, Linux, or Solaris. It is not supported with a mix of Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).
Maximum Number of Interfaces Supported by Platform
The maximum number of interfaces supported (physical and virtual) is shown by platform in this table.
Platform | Max Number of Interfaces | Notes
Gaia | 1024 |
SecurePlatform | 1015 | 1. SecurePlatform supports 255 virtual interfaces per physical interface. 2. When using Dynamic Routing on SecurePlatform, 200 virtual interfaces per physical interface are supported.
IPSO | 1024 |
Windows | 32 |
Security Management Open Server Hardware Requirements
Component | Windows | Linux | SecurePlatform on Open Servers | Solaris
Processor | Intel Pentium Processor E2140 or 2 GHz equivalent processor | Intel Pentium Processor E2140 or 2 GHz equivalent processor | Intel Pentium Processor E2140 or 2 GHz equivalent processor | Sun UltraSPARC IV and higher
Free Disk Space | 1GB | 1.4GB | 10GB (installation includes OS) | 1GB
Memory | 1GB | 1GB | 1GB | 512MB
Optical Drive | Yes | Yes | Yes (bootable) | Yes
Network Adapter | One or more | One or more | One or more | One or more
Multi-Domain Security Management Requirements
The minimum recommended system requirements for Multi-Domain Security Management are:
Component | Linux | Solaris | SecurePlatform
CPU | Intel Pentium Processor E2140 or 2 GHz equivalent processor | UltraSPARC III 900MHz | Intel Pentium Processor E2140 or 2 GHz equivalent processor
Memory | 4GB | 4GB | 4GB
Disk Space | 2GB | 2GB | 10GB (install includes OS)
Optical Drive | Yes | Yes | Yes (bootable)
Important - We recommend that you install Multi-Domain Security Management on Sun M-Series servers. Sun T-Series servers are not supported.
Multi-Domain Security Management Resource Consumption
Resource consumption is dependent on the scale of your deployment. The larger the deployment, the more disk space, memory, and CPU are required.
The Multi-Domain Security Management disk space requirements are:
For basic Multi-Domain Server installations: 2GB (1GB /opt, 1GB /var/opt).
For each Domain Management Server: 400MB (for the Domain Management Server directory located in /var/opt)
Security Gateway Open Server Hardware Requirements
Component | Windows | SecurePlatform on Open Servers
Processor | Intel Pentium IV or 1.5 GHz equivalent | Intel Pentium IV or 2 GHz equivalent
Free Disk Space | 1GB | 10GB
Memory | 512MB | 512MB
Optical Drive | Yes | Yes
Network Adapter | One or more | One or more supported cards
Mobile Access Blade Requirements
Endpoint OS Compatibility Windows Linux Mac iOS Android
Mobile Access Portal
Clientless access to web applications (Link Translation)
Endpoint Security on Demand
SecureWorkspace
SSL Network Extender - Network Mode
SSL Network Extender - Application Mode
Downloaded from Mobile Access applications
Clientless Citrix
File Shares - Windows File Explorer viewer (WebDAV)
File Shares - Web-based file viewer (HTML)
Web mail
Endpoint Browser Compatibility Internet Explorer
Google Chrome
Mozilla Firefox
Macintosh Safari
Opera for Windows
Mobile Access Portal
Clientless access to web applications (Link Translation)
Endpoint Security on Demand
SecureWorkspace
SSL Network Extender - Network Mode
SSL Network Extender - Application Mode
Downloaded from Mobile Access applications
Clientless Citrix
File Shares - Windows File Explorer viewer (WebDAV)
IE6 only
File Shares - Web-based file viewer (HTML)
Web mail
SmartEvent Requirements
You can install SmartEvent on a Security Management Server or on a different, dedicated computer.
These are the requirements for the SmartEvent Server and the SmartEvent Correlation Unit:
Component Windows/Linux/SecurePlatform
CPU Celeron-M 1.5 GHz
Memory 2GB
Disk Space 25GB
SmartEvent is not supported on Solaris platforms.
To optimize SmartEvent performance:
Use a disk with high RPM and a large buffer size.
Increase the server memory.
SmartReporter Requirements
These hardware requirements are for a SmartReporter server that monitors at least 15GB of logs each day and generates many reports. For deployments that monitor fewer logs, you can use a computer with less CPU or memory.
SmartReporter can be installed on a Security Management Server or on a dedicated machine.
Component Windows & Linux Minimum
Windows & Linux Recommended
Solaris
CPU Intel Pentium IV 2.0 GHz Dual CPU 3.0 GHz UltraSPARC III 900 MHz
Memory 1GB 2GB 1GB
Disk Space Installation:
Database:
80MB
60GB (40GB for database, 20GB for temp directory)
(on 2 physical disks)
80MB
100GB (60GB for database, 40GB for temp directory)
80MB
60GB (40GB for database, 20GB for temp directory)
DVD Drive Yes Yes Yes
Important - We recommend that you install Multi-Domain Security Management on Sun M-Series servers. Sun T-Series servers are not supported.
Optimizing SmartReporter Performance
We recommend these tips to optimize SmartReporter performance:
Disable DNS resolution. This can increase consolidation performance to as much as 32GB of logs for each day.
Configure the network connection between the SmartReporter server and the Security Management server to the optimal speed.
Install a disk with high RPM (revolutions per minute) and a large buffer size.
Use UpdateMySQLConfig to adjust the database configuration and adjust the consolidation memory buffers to use more memory.
Increase memory for better performance.
Console Requirements
This table shows the minimum hardware requirements for console applications: SmartDashboard, SmartView Tracker, SmartView Monitor, SmartProvisioning, SmartReporter, SmartEvent, SmartLog, SecureClient Packaging Tool, SmartUpdate, SmartDomain Manager.
Component Windows
CPU Intel Pentium Processor E2140 or 2 GHz equivalent processor
Memory 1024MB
Available Disk Space 900MB
Video Adapter Minimum resolution: 1024 x 768
UserCheck Client Requirements
The UserCheck client can be installed on endpoint computers running Windows.
UserCheck for DLP client notifications are supported on Gaia and SecurePlatform gateways.
UserCheck for Application and URL Filtering client notifications are supported on SecurePlatform and Gaia gateways.
The UserCheck client is not compatible with Check Point GO or Secure Workspace.
If a UserCheck client is installed on a machine and a violation occurs, the UserCheck client notification shows outside the Check Point GO or Secure Workspace environment. We recommend that you not install the UserCheck client on a machine that usually runs the Check Point GO or Secure Workspace environment.
The UserCheck client is not supported on clusters in a load sharing environment.
Performance Pack
Performance Pack is supported on:
Check Point UTM-1 and Power-1 appliances.
Open servers that meet requirements and have valid licenses.
Security Management Software Blades
Software Blade Operating System
Check Point Microsoft Windows RedHat Linux
Solaris
Gaia Secure Platform
IPSO 6.2 Disk-based
Server 2003
Server 2008
XP, 7 RHEL 5.0, 5.4
UltraSPARC
Network Policy Management
Logging & Status
Monitoring
SmartProvisioning
Management Portal *
User Directory
SmartWorkflow
SmartEvent **
SmartReporter
* Management Portal is supported on: Internet Explorer 7 and Firefox 1.5 - 3.0
** SmartEvent is supported on 32-bit only.
Security Gateway Software Blades
Software Blade
Check Point Operating System Microsoft Windows
Crossbeam
Gaia & SecurePlatform
SecurePlatform
IPSO 6.2 Disk-based
IPSO 6.2 Flash-based
Server 2003
Server 2008
X-series
Firewall
Identity Awareness
IPSec VPN
IPS
Mobile Access
DLP
Application Control
URL Filtering
Anti-Bot
Anti-Virus
Anti-Spam & Email Security
Web Security
Advanced Networking - QOS
Advanced Networking - Dynamic Routing and Multicast Support
Acceleration & Clustering
Notes about Security Gateway Software Blades
1. DLP supports High-Availability clusters, including Full HA, on SecurePlatform and Gaia. DLP supports Load Sharing clusters in Detect and Prevent mode.
On UTM-1 130/270, you can use DLP with Firewall and other Security Gateway software blades, or with Firewall and Security Management software blades.
The DLP portal supports Internet Explorer 6, 7, 8, 9; Firefox 3, 4; Chrome 8; and Safari 5.
DLP does not support VRRP on Gaia.
2. Application Control - HTTPS Inspection is not supported on Windows.
3. Acceleration & Clustering - Clustering is supported on Windows, but Acceleration is not. Only third-party clustering is supported on Crossbeam.
Security Gateway Bridge Mode
Bridge mode is supported on these platforms:
Gaia
SecurePlatform
Crossbeam
Clients and Consoles by Windows Platform
Check Point Product
XP Home (SP3) 32-bit
XP Pro (SP3) 32-bit
Server 2003 (SP2) 32-bit
Server 2008 (SP1-2) 32 / 64
Server 2008R2 (+SP1)
Vista (SP2) 32-bit
Vista (SP1) 64-bit
Windows 7
Ult, Pro, Ent
(+SP1)
32 / 64
SmartConsole
SmartDomain Manager
SecureClient
(32-bit only)
Endpoint Security VPN
Remote Access Clients E75.x
SSL Network Extender
DLP UserCheck
DLP Exchange Agent
*
*
Identity Agent
* DLP Exchange Agent supports Exchange Server 2007 and Exchange Server 2010 on Windows Server 2003 64-bit (SP1-2) and Windows Server 2008 64-bit (SP1-2). A 32-bit version is available for demo or educational purposes.
Clients and Consoles by Mac Platform
Check Point Product Mac OS X 10.6 Mac OS X 10.7
Identity Agent 32-bit / 64-bit 32-bit / 64-bit
SecureClient 32-bit 32-bit
Endpoint Security VPN E75 for Mac 32-bit / 64-bit 32-bit / 64-bit
Check Point GO Secure Portable Workspace
R75.40 Security Gateways only support Check Point GO Secure Portable Workspace R75. Check Point GO R70.1 and R70 (formerly known as Check Point Abra) are not supported.
Upgrade Paths and Interoperability
R75.40 supports upgrading from lower software versions and management of lower Security Gateway versions.
Upgrading to Gaia
You can upgrade SecurePlatform and IPSO Security Management servers and Security Gateways to Gaia R75.40, according to the upgrade paths listed below.
Note: Upgrade is not supported in an ISDN configuration.
Supported Management and Gateway Upgrade Paths
You can upgrade these Security Management Server and Security Gateway versions to R75.40:
R70.50
R71.40
R71.45
R75
R75.10
R75.20
R75.30
Note - If you upgrade a 32-bit appliance, it remains 32-bit by default. To change it to 64-bit, if the open server or appliance meets 64-bit requirements, use cpconfig, on all platforms except Gaia. On Gaia, run the command set edition default 64-bit and reboot.
Compatibility with Gateways and Clients
This release is compatible with these gateways and Endpoint clients.
Release Version
Gateways
Security Gateway NGX R65, R70.x, R71.x, R75.x
DLP-1 R71 and higher
IPS-1 R71
Series 80 R71 and higher
VSX VSX NGX R65, VSX NGX R67
Connectra Centrally Managed NGX R66
UTM-1 Edge 7.5.x and higher*
GX 4.0
Endpoint Clients
SecureClient up to SecureClient NGX R60 HFA 3 with support for Windows 7 32-bit
Endpoint Connect up to Endpoint Security R73 HFA 1
Remote Access up to Remote Access Clients E75.20 for Windows; up to Endpoint Security VPN E75 for Mac
Endpoint Security up to Endpoint Security E80.31
* UTM-1 Edge and Safe@ devices that use locally configured VPN connections with download configuration settings, may experience VPN connectivity failure with R75.40 Security Gateways. To enable this configuration with R75.40, see sk65369 (http://supportcontent.checkpoint.com/solutions?id=sk65369).
Upgrade Package with CLI
When the WebUI is not available, install R75.40 from an ISO file with these commands.
To install R75.40 using the CLI:
1. Download the applicable ISO file from the R75.40 Home Page (http://supportcontent.checkpoint.com/solutions?id=sk76540).
2. Copy the ISO file to /var/tmp.
3. Run these commands:
mount -o loop /var/tmp/<name>.iso /mnt/cdrom
cd /mnt/cdrom
patch add cd
Updating IPS Patterns
The IPS pattern granularity (converting patterns into protections) will be installed during the first IPS update procedure (online update, offline update, or scheduled update). Therefore, the first update after installation can take a few minutes longer than usual.
Uninstallation of IPS pattern granularity is not supported. If you uninstall R75.40, the patterns remain, converted to protections.
Uninstalling
Important - This does not remove Multi-Domain Security Management products.
Use these procedures to uninstall R75.40.
Platform | Procedure
Windows | 1. Open Start > Check Point > Uninstall R75.40 2. At the prompt, enter Y to continue.
Linux, IPSO, Solaris | 1. Change directory to: /opt/CPUninstall/R75.40/ 2. Run: ./UnixUninstallScript
Example of Uninstall output:
***********************************************************
Welcome to Check Point R75.40 Uninstall Utility
***********************************************************
All R75.40 packages will be uninstalled.
Uninstallation program is about to stop all Check Point processes.
Do you want to continue (y/n) ? y
Uninstalling Management Portal package...Done!
Uninstalling SmartEvent and SmartReporter Suite package...Done!
Uninstalling R75 Compatibility package...Done!
Uninstalling R75.20 Compatibility package...Done!
Uninstalling R71 Compatibility package...Done!
Uninstalling CPSG 80 Series compatibility package...Done!
Uninstalling Connectra R66 Compatibility package...Done!
Uninstalling NGX Compatibility package...Done!
Uninstalling V40 Compatibility package...Done!
Uninstalling UTM-1 Edge compatibility package...Done!
Uninstalling CPinfo package...Done!
Uninstalling Security Gateway / Security Management package...Done!
************************************************************************
Package Name Status
------------ ------
Management Portal Succeeded
SmartEvent and SmartReporter Suite Succeeded
R75 Compatibility Succeeded
R75.20 Compatibility Succeeded
R71 Compatibility Succeeded
CPSG 80 Series compatibility Succeeded
Connectra R66 Compatibility Succeeded
NGX Compatibility Succeeded
V40 Compatibility Succeeded
UTM-1 Edge compatibility Succeeded
CPinfo Succeeded
Security Gateway / Security Management Succeeded
************************************************************************
Uninstallation program completed successfully.
Do you wish to reboot your machine (y/n) ?
If any package fails to uninstall, the script generates a log file and prints its location on the screen.