12 August 2011 R71 Release Notes Classification: [Public]

CP R71 Release Notes


© 2011 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Documentation

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=10330

For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History

Date | Description
12 August 2011 | Removed R70.30 from upgrade path
6 October 2010 | Added note that upgrading from R70.40 is not supported ("Supported Management and gateway Upgrade Paths" on page 16)
8 June 2010 | Added limitation notes for Sun T-series servers and cross-platform High Availability with Windows platforms
25 April 2010 | First release of this document

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (mailto:[email protected]?subject=Feedback on R71 Release Notes ).

Contents

Important Information
What's New in R71
New Terms
Included in this Release
Data Loss Prevention Software Blade
Mobile Access Software Blade
UTM Service Performance Boost
Integrated Management Blade for IPS-1
IPSec VPN Enhancements
SmartEvent (formerly Eventia) Enhancements
Improved Multi-Domain Security Management Import and Export
New SmartLSM Clustering
Security Management Enhancements
Security Management Servers with Dynamic IPs
Firewall Rule Expiration
Automatic Deletion of Old Database Versions
Object Management Improvements
Other Security Management Enhancements
Check Point Appliance Enhancements
Jumbo Frames Support for Power-1
Hardware Health Monitoring for Smart-1
Supported Products
Software Licensing
Enforcement of IPS Software Blade Licenses
Build Numbers
Supported Security Products by Platform
Security Software Containers by Platform
Security Gateway Software Blades by Platform
Security Management Software Blades by Platform
Dedicated Gateways
Clients and Consoles by Windows Platform
Supported Upgrade Paths and Interoperability
Supported Management and gateway Upgrade Paths
Backward Compatibility For Gateways
IPS-1 Upgrade Paths and Interoperability
Upgrade Notes
HFAs Included in this Release
Platform Requirements
SecurePlatform
IPSO
Linux
Microsoft Windows
Solaris
Maximum Number of Interfaces Supported by Platform
Minimum System Requirements
Security Gateway Hardware Requirements
Security Management Hardware Requirements
SmartConsole and SmartDomain Manager Hardware Requirements
Multi-Domain Security Management Requirements
Multi-Domain Security Management Resource Consumption
Performance Pack
VSX Gateway Hardware Requirements
SmartEvent (formerly Eventia Analyzer) Requirements
SmartReporter (formerly Eventia Reporter) Requirements
Optimizing SmartReporter Performance
SecureClient Requirements
Endpoint Security Requirements
Known Limitations

What's New in R71

Check Point R71 is based on the Software Blades Architecture.

Data Loss Prevention Software Blade

Check Point Revolutionizes the DLP Market by moving from Detection to Prevention of Data Loss Incidents.

Prevents loss of critical business information.

Combines technology and processes to make DLP work.

Easy deployment for immediate data loss prevention.

SSL VPN Software Blade

New integrated SSL VPN Software Blade secures remote workers anywhere, while delivering flexible, easy-to-use, and layered protection.

Lower the cost and complexity of managing remote access by simply adding the SSL VPN blade to your existing Check Point gateway.

Increase productivity with easy Web-based remote access.

Raise network and remote endpoint security levels with multi-layered protection allowing services such as IPS and Anti-Virus for remote access connections.

Raising the Bar on UTM-1 Appliances & UTM Features Performance

UTM-1 appliances provide enhanced Firewall & IPS performance featuring patented SecureXL Technology available at no extra cost:

Up to 4 times Firewall Throughput improvement.

Up to 3 times IPS Throughput improvement.

Up to 4 times connection/sec rate improvement.

New Streaming architecture available with Anti-Virus & URL Filtering Software Blades provides performance boost for UTM features:

Up to 15 times Anti-Virus Throughput improvement.

Up to 80 times Anti-Virus & URL Filtering connection capacity improvement.

IPS Manageability

IPS-1 Sensors can now be managed from Security Management server / Provider-1.

Update IPS Protections automatically according to a pre-defined schedule.

Management Enhancements

Various improvements in the Management Blades deployment (for example, the ability to install a Security Management server on Windows with DHCP), usability enhancements, and new features (such as Firewall Rule Expiration).

IPSec VPN Enhancements

Continuing Check Point leadership in Enterprise class VPN solutions, this release includes multiple enhancements important for large network configurations and for customers interested in new VPN standards (such as IKEv2).

New Terms

The following product and technology names have changed for this version.

Name Before R71 | Name Starting with R71
Eventia Analyzer | SmartEvent
Eventia Reporter | SmartReporter
IPS Event Analysis | SmartEvent Intro

Included in this Release

Data Loss Prevention Software Blade

Data Loss Prevention (DLP) is an innovative solution for practical data loss prevention:

Prevents data leakage of critical business information

Stops users from sending or uploading sensitive information outside of the organization.

Network-based solution prevents breach of corporate data sharing policies – intentional or unintentional.

Provides easy compliance with data protection standards (such as PCI-DSS, HIPAA, GLBA, SOX).

Combines technology and processes to make DLP work

Innovative MultiSpect™ data classification engine combines users, content and process into accurate decisions.

New UserCheck™ technology empowers users to remediate incidents in real time.

Self-educating system – Does not require IT/security personnel for incident handling, while educating the users on proper data sharing policies.

Easy deployment for immediate data loss prevention

Implement a preventative DLP solution on your existing gateway in less than one day.

Leverage over 250 pre-defined policies to create your own policy without the need for costly professional services.

Get better control and auditing capabilities with centralized security management.

For more information about Data Loss Prevention, see the R71 DLP Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=10774).

Mobile Access Software Blade

New integrated Mobile Access Software Blade secures remote workers anywhere, while delivering flexible, easy-to-use and layered protection.

Lower the cost and complexity of managing remote access

Efficiently manage and protect your existing investment with the simple add-on remote access blade.

Eliminate the need to acquire dedicated gateways, clients, or third party authentication.

Set up in just two steps and easily administrate from a unified intuitive interface.


Increase productivity with easy Web-based remote access

Minimize user interruption for a large range of applications.

Easily sign in with built-in Single-Sign-On (SSO).

Gain immediate secure access for a large user base during a disaster.

Raise network and remote endpoint security levels with multi-layered protection

Ensures in-depth security with integrated IPS, Anti-Virus and Anti-Malware.

Easily control and manage remote access for a range of users: employees, partners, and contractors.

Secure and minimize risk from known and unknown endpoints with a variety of protections.

For more information, see the R71 SSL VPN Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10322).

UTM Service Performance Boost

Check Point R71 offers a dramatic increase to the performance of both the Anti-Virus (AV) and URL Filtering software service blades.

The Check Point AV blade offers a new AV detection mode, Stream Detection Mode. With this mode, which uses frequently updated state-of-the-art virus signatures, Anti-Virus performance is significantly improved because traffic is scanned for viruses without storing entire files.

The Check Point URL Filtering Blade offers significant performance improvements. Connections are now handled in kernel space and not folded into the Security Servers. URL Filtering performance figures are significantly improved, as traffic is not interrupted while resolving the URL Filtering category.

Integrated Management Blade for IPS-1

Check Point R71 provides central management for IPS that lets you:

Manage R71 IPS-1 sensors using SmartConsole applications such as SmartDashboard

Manage IPS-1 Protections with an IPS policy

Improve performance for IPS protection management

Install an IPS Policy specifically tuned for IPS-1 protections

Update IPS protections according to a defined schedule

IPSec VPN Enhancements

Load Sharing Mode for VPN Traffic

Enables distributing VPN traffic among the available links between local and peer gateways.

Service Based Link Selection

Provides the ability to use different links for services that require different levels of QoS. Administrators control outgoing VPN traffic and bandwidth use by assigning a service or a group of services to a specific interface for outgoing VPN routing decisions. Link availability and backup links are fully supported.

Trusted Links

Ability to define an interface as trusted for VPN traffic, where encryption is not required. Traffic routed through this interface is sent in the clear. A trusted link is handled the same as any other VPN link, thus enabling mixed MPLS/Internet environments.


IKEv2

IKEv2 Protocol is now available for VPN.

Enhanced Protection against IKE DoS attacks

New configuration exists for protection against IKE DoS attacks by authenticated peers.

Multiple Certificates Per Certificate Authority (CA)

Multiple signing certificates for a CA enable the administrator to expire a “CA Certificate” which invalidates all certificates signed by this CA, alleviating the need for coordinating long Certificate Revocation Lists (CRLs).

Multicast IPSec

A Multicast VPN solution that efficiently sends multicast data through designated sender gateways (by VPN) to hosts behind multiple listener gateways.

SmartEvent (formerly Eventia) Enhancements

Improved performance in the event correlation engine dramatically increases log correlation capacity.

Pre-defined event timelines, queries and rules for the DLP blade.

SmartEvent Intro for DLP provides centralized, real-time, security event correlation and management for the DLP blade.

Improved Multi-Domain Security Management Import and Export

Multi-Domain Security Management now supports the export and import of a whole MDS machine.

Improved export and import of single CMA

For more information, see the R71 Installation and Upgrade Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10327).

New SmartLSM Clustering

SmartLSM Profile Security Clusters can now manage fully synchronized Check Point clusters.

For more information, see the R71 SmartProvisioning Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10317).

Security Management Enhancements

Security Management Servers with Dynamic IPs

You can now install and use a Security Management Server on a Windows machine with a DHCP interface.

See the R71 Security Management Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10315) for more information.


Firewall Rule Expiration

Rules in the Security Rule Base can now be made "temporary" by adding a time limit. The firewall rule is enforced over a specific time period. The new time period settings are part of the Time Properties object of each rule, with Activate On and Expire On fields for granular control. In addition:

In SmartDashboard, Temporary Rules and Expired rules are marked by new clock-shaped icons.

Rule expiration can be added to existing rules, or created as an independent object and applied to multiple rules.

New filtering options enable you to quickly find in the SmartDashboard Security Rule Base all temporary rules, or only those rules that have expired.

Automatic Deletion of Old Database Versions

In the Database Revision Control window, you can now configure one of four options to automatically delete database versions.

This feature comes with the ability to specify that a certain version should never be automatically deleted.

SmartWorkflow versions are not affected by this feature. They are neither counted nor deleted.

Object Management Improvements

Light filtering and undocking the Objects List

Filtering objects by any of the fields displayed in the Objects List

Filtering objects on the fly while typing the text

Easy switching between the object types: Network Objects, Services, Users, etc.

Undocking the Objects List view

New-style object selectors in SmartDashboard - additional details appear for each object and filtering capabilities have been added.

New-style editor for the Group’s properties - additional details appear for each group member, filtering capabilities have been added and the window can now be resized.

Grouping selected objects in SmartDashboard - it is possible to create a group by selecting objects in the Rule Base, Objects Tree and Objects List.

Other Security Management Enhancements

Default access mode configuration for SmartDashboard - administrators can now configure the default mode (Read Only / Read Write) when accessing the Security Management server with SmartDashboard.

SmartView Tracker queries by username - administrators can specify whether the text in the filter will be case-sensitive or not.

Check Point Appliance Enhancements

Jumbo Frames Support for Power-1

Power-1 appliances now support "Jumbo Frames," which are Ethernet packets larger than 1500 bytes. To utilize jumbo frames, use the Web User Interface or sysconfig to configure the required MTU for the network interface.

Hardware Health Monitoring for Smart-1

Sensors monitor fan speed, motherboard voltages and temperatures on the Smart-1 hardware. The information is available via SNMP and the SecurePlatform Web interface.


For more information, see Hardware Health Monitoring in the R71 SecurePlatform Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10313).

Supported Products

In This Section

Software Licensing
Build Numbers
Supported Security Products by Platform
Clients and Consoles by Windows Platform
Supported Upgrade Paths and Interoperability

Software Licensing

From version R71, customers are required to use Software Blade licenses. If you have not yet migrated to Software Blade licenses, follow the migration options from Check Point’s website (http://www.checkpoint.com/products/promo/software-blades/upgrade/index.html).

From R71, the software license enforcement module checks that users have current Software Blade Licensing. Users who have installed R71 software using NGX-based licenses instead of Software Blade licenses will receive warnings on the Security Gateways and in SmartDashboard.

Enforcement of IPS Software Blade Licenses

Security Gateways with IPS Software Blades need to be under a valid IPS contract that has to be renewed annually. To manage your contracts go to your UserCenter account or contact your reseller.

Indications and notifications that IPS service contracts are expiring will appear in multiple locations, including the overview window of IPS in the SmartDashboard, SmartUpdate, and in the product reports of the customer’s Check Point UserCenter account.

If an IPS service contract has expired and the contract has not been renewed, the blade will remain operational with a signature set that was included in the GA of R70 (Q1/2009). Renew the IPS service contract to retrieve a full and updated signature set.

For more information about the IPS contract enforcement, refer to sk44175 (http://supportcontent.checkpoint.com/solutions?id=sk44175).

Build Numbers

The following table lists all R71 software products available, and the build numbers as they are distributed on the product CD. To verify each product’s build number, use the given command format or direction within the GUI. All build numbers are subject to change.

Software Blade / Product | Build Number | Verifying Build Number
Security Gateway | Linux & IPSO > 394; Win & Solaris > 389 | fw ver
Security Management | Build 142 | fwm ver
SmartConsole Applications | Build 976000482 | Help > About Check Point <product name>
SSL VPN | Build 273 | cvpn_ver
Multi-Domain Security Management Multi-Domain Server (MDS) | Build 124 | fwm mds ver
Multi-Domain Security Management Multi-Domain GUI (MDG) | Build 976000126_1 | Help > About Check Point Provider-1
SecurePlatform | Build 133 | ver
Infrastructure (SVN Foundation) | Build 416 | cpshared_ver
Acceleration (Performance Pack) | Build 043 | sim ver -k
Advanced Networking (QoS) | Build 026 | fgate ver
Advanced Networking (Routing) | ngc2.3 | gated -ver
Monitoring (SVM Server) | Build 028 | rtm ver
Management Portal | Build 976000028 | cpvinfo /opt/CPportal-R71/portal/bin/smartportalstart
SmartEvent | Build 073 | cpsemd ver
SmartReporter | Build 266 | SVRServer ver
Endpoint Policy Server (SecureClient Policy Server) | Build 015 | dtps ver
SecuRemote/SecureClient | Build 019 | Help > About
UTM-1 Edge Firmware | 8.0.36 | Displayed on the default portal page
Endpoint Security Client Flex/Agent | 7.6.123 | Right-click the System Tray icon and select About
Endpoint Security Server | 7.50.552.000 | About

Compatibility Packages

CPNGXCMP-R71-00 | Build 015 | /opt/CPNGXCMP-R71/bin/fw_loader ver
CPV40Cmp-R71-00 | Build 666 | /opt/CPV40Cmp-R71/bin/fw_loader ver
CPEdgecmp-R71-00 | 976000013 | /opt/CPEdgecmp-R71/bin/fw ver
CPCON66CMP-R71-00 | Build 1 | /opt/CPCON66CMP-R71/bin/fw_loader ver
CPCON62CMP-R71-00 | Build 571 | /opt/CPCON62CMP-R71/bin/fw_loader ver

Supported Security Products by Platform

These tables show the security products related to this release and on which platforms they are supported.

Security Software Containers by Platform

Platform and Operating System columns:
  Check Point: SecurePlatform; IPSO 6.2 Disk-based; IPSO 6.2 Flash-based
  Windows: Server 2003/2008 (SP1-2) 32bit
  Linux: RHEL 5.0, RHEL 5.4 kernel 2.6.18 32bit
  Crossbeam: X-series
  Solaris: UltraSPARC 8, 9, 10

Software Blade rows:
  Security Management: + + + + +
  Security Gateway: + + + + +
  Multi-Domain Security Management MDS: + + +

Note - We recommend that you install Multi-Domain Security Management on Sun M-Series servers. We do not recommend that you install Multi-Domain Security Management on Sun T-Series servers.


Security Gateway Software Blades by Platform

Platform and Operating System columns:
  Check Point: SecurePlatform; IPSO 6.2 Disk-based; IPSO 6.2 Flash-based
  Windows: Server 2003/2008 (SP1-2) 32bit
  Linux: RHEL 5.0, RHEL 5.4 kernel 2.6.18 32bit
  Crossbeam: X-series
  Solaris: UltraSPARC 8, 9, 10

Software Blade rows:
  Firewall: + + + + +
  IPSec VPN: + + + + +
  IPS: + + + + +
  SSL VPN: +
  DLP: +
  Anti-Virus & Anti-Malware: +
  URL Filtering: +
  Anti-Spam & Email Security: +
  Web Security: + + + + +
  Advanced Networking: +
  Acceleration & Clustering (1): + + + (2) (3)

Notes -

1. The maximum number of supported cluster members in ClusterXL mode is five; in third-party mode the maximum is eight.

2. Only Clustering is supported in Windows. Acceleration is not supported.

3. Only third-party clustering is supported.


Security Management Software Blades by Platform

Platform and Operating System columns:
  Check Point: SecurePlatform; IPSO 6.2 Disk-based; IPSO 6.2 Flash-based
  Windows: Server 2003/2008 (SP1-2) 32bit
  Linux: RHEL 5.0, RHEL 5.4 kernel 2.6.18 32bit
  Crossbeam: X-series
  Solaris: UltraSPARC 8, 9, 10

Software Blade rows:
  Network Policy Management: + + + + +
  Endpoint Policy Management: + + 2003 only
  Logging & Status: + + + + +
  Monitoring: + + + + +
  SmartProvisioning: + + + +
  Management Portal (*): + + + +
  User Directory: + + + + +
  SmartWorkflow: + + + +
  SmartEvent: + + +
  SmartReporter: + + + +

*Note - Management Portal is supported on the following Web browsers: Internet Explorer 6 and 7, and Mozilla Firefox 1.5 - 3.0

Dedicated Gateways

IPS-1, DLP-1, and VSX-1 are only supported on SecurePlatform.

VPN-1 Power VSX is supported on SecurePlatform, IPSO 5, and Crossbeam X-series. For more details regarding IPSO models, see the VPN-1 Power VSX NGX R65 on IPSO 5.0 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=10674 ).

Clients and Consoles by Windows Platform

Windows platform columns:
  XP Pro (SP3)
  XP Home (SP3)
  Server 2003 (SP1-2) 32 bit
  Vista (SP1) 32-bit
  Vista (SP1) 64-bit
  Server 2008 (SP1-2) 32 bit
  Windows 7 Ultimate & Enterprise 32-bit
  Windows 7 Ultimate & Enterprise 64-bit

Check Point Product rows:
  SmartConsole: + + + + + + (except SmartEvent, SmartReporter, and IPS Event Analysis)
  Provider-1 MDG: + + + + + +
  SecureClient: + + + +
  SSL Network Extender: + + + + + +
  Endpoint Security Client: + + + +
  Endpoint Connect Client: + + + + + +
  DLP UserCheck™: + + + + +

Supported Upgrade Paths and Interoperability

R71 supports upgrading from lower software versions and management of lower Security Gateway versions.

Supported Management and gateway Upgrade Paths

You can upgrade these Security Management server and Security Gateway versions to R71:

NGX R65

NGX R65 for SPLAT 2.6

NGX R65 for IPSO 6.0

NGX R65 Connectra NGX R66 Plug-in

NGX R65 with Messaging Security

NGX R65 VSX NGX R65 Management Plug-in

NGX R65.3

NGX R65 UTM-1/Power-1

R70 UTM-1/Power-1/Smart-1

R70, R70.1, R70.20

Important - To upgrade from R70.40 to R71.20, refer to sk59481 (http://supportcontent.checkpoint.com/solutions?id=sk59481).

Backward Compatibility For Gateways

R71 Security Management server supports the following gateway versions:

Release | Version
Security Gateway | NGX R62, NGX R65, R70, R70.1, R70.20
VSX | VSX NGX R65, VSX NGX R67
Connectra Centrally Managed | NGX R62 and R66
UTM-1 Edge | 7.5.x and above
GX | 4.0

Note - R71 cannot manage gateway versions before NGX R62.

IPS-1 Upgrade Paths and Interoperability

R71 Security Management servers can only manage R71 IPS-1 Sensors. To upgrade pre-R71 IPS-1 Sensors, re-install. See the R71 Installation and Upgrade Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10327).

Upgrade Notes

To upgrade Check Point Suite Products before version NGX R65 to R71, you must first upgrade to NGX R65 and then to R71.

NGX R65.4 cannot be upgraded to R71.

When upgrading NGX R65, only the following plug-ins may be present: Connectra, SmartProvisioning, VSX, and Messaging Security. The presence of any other plug-in will cause the upgrade process to fail.

Important - If you upgrade from NGX R65 with plug-ins to R71, and later want to uninstall R71 (rollback to NGX R65), follow the instructions in sk37252 (http://supportcontent.checkpoint.com/solutions?id=sk37252) to avoid potential problems.

It is recommended to read the list of Known Limitations, published in sk41909 (http://supportcontent.checkpoint.com/solutions?id=sk41909), prior to any upgrade procedure.

HFAs Included in this Release

This release includes fixes and improvements that were initially distributed as part of R70.20 (including NGX R65 Hotfix Accumulator (HFA) R65_HFA_60).

See R70.20 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=10515)

See VPN-1 NGX R65 HFA 60 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=10306)

See Provider-1 NGX R65 HFA 60 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=10307)

Platform Requirements

In This Section

SecurePlatform
IPSO
Linux
Microsoft Windows
Solaris
Maximum Number of Interfaces Supported by Platform

SecurePlatform

This release is shipped with the latest SecurePlatform operating system, which supports a variety of hardware, including open servers and network interface cards.

Note - Cross-platform High Availability is supported if all of the platforms are SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).

See the list of certified hardware (http://www.checkpoint.com/services/techsupport/hcl/index.html ) before installing SecurePlatform on the target hardware.

IPSO

When installing this release on IPSO:

Advanced Routing and SecureXL are included by default.

Clustering on IPSO supports VRRP and IP Clustering.

UTM-1 Edge devices cannot be managed from a Security Management server running on IPSO.

All available configurations (Disk-based, Flash-based and Hybrid) of currently available IP Series platforms are supported.

This release supports IPSO 6.2

This release does not support IPSO 6.0.7

Linux

This release supports Red Hat Enterprise Linux 5.0 and 5.4 for specific management products only. Before installing a Check Point management product on Red Hat Enterprise Linux 5, perform the following steps.

To prepare Red Hat Enterprise Linux 5.0 or 5.4 for Check Point management installation:

1. Install the sharutils-4.6.1-2 package

a) Check if you have the sharutils-4.6.1-2 package installed by running: rpm -qa | grep sharutils-4.6.1-2

b) If the package is not already installed, install it by running: rpm -i sharutils-4.6.1-2.i386.rpm

This package can be found on CD 3 of RHEL 5.

2. Install the compat-libstdc++-33-3.2.3-61 package

a) Check if you have the compat-libstdc++-33-3.2.3-61 package by running: rpm -qa | grep compat-libstdc++-33-3.2.3-61

b) If the package is not already installed, install it by running: rpm -i compat-libstdc++-33-3.2.3-61.i386.rpm

This package can be found on CD 2 of RHEL 5.

3. Disable SELinux

a) Check if SELinux is disabled by running: getenforce

b) If SELinux is enabled, disable it by setting SELINUX=disabled in the /etc/selinux/config file and rebooting the machine.
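The three preparation steps above combined into one preflight check. This is an added example, not taken from the Check Point documentation. It assumes the output of rpm -qa and getenforce and a copy of /etc/selinux/config have been saved to files; the function names and the sample data are constructed.

```shell
#!/bin/sh
# Added example: preflight for the three RHEL 5 preparation steps.
# Inputs are files holding saved command output, so it can run offline.

# has_pkg RPMLIST NAME-VERSION-RELEASE: whole-line, literal match ("++" and
# "." are not treated as regex), with or without an .i386 suffix.
has_pkg() {
    grep -F -x -e "$2" -e "$2.i386" "$1" >/dev/null 2>&1
}

# selinux_boot_mode CONFIG: value of the last active SELINUX= line.
# Comment lines and SELINUXTYPE= do not match.
selinux_boot_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# preflight RPMLIST CONFIG GETENFORCE: one line per open item, 0 if none.
preflight() {
    rc=0
    for p in sharutils-4.6.1-2 compat-libstdc++-33-3.2.3-61; do
        has_pkg "$1" "$p" || { echo "MISSING $p"; rc=1; }
    done
    boot=$(selinux_boot_mode "$2")
    run=$(tr -d '[:space:]' < "$3")
    if [ "$boot" != "disabled" ]; then
        echo "CONFIG SELINUX=$boot"; rc=1
    elif [ "$run" != "Disabled" ]; then
        # Config edited, kernel still enforcing: the reboot has not happened.
        echo "REBOOT-PENDING runtime=$run"; rc=1
    fi
    return $rc
}

# Constructed sample: sharutils present, compat-libstdc++ at an older
# release, config already set to disabled but host not yet rebooted.
d=$(mktemp -d)
printf '%s\n' 'sharutils-4.6.1-2' 'compat-libstdc++-33-3.2.3-47.3' > "$d/rpm"
printf '%s\n' '# SELINUX= can take: enforcing, permissive, disabled' \
    'SELINUX=disabled' 'SELINUXTYPE=targeted' > "$d/cfg"
echo 'Enforcing' > "$d/ge"
preflight "$d/rpm" "$d/cfg" "$d/ge" || echo "host is not ready"
rm -rf "$d"
```

getenforce reports the running state while /etc/selinux/config holds the state for the next boot, which is why the check reads both.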

Note - Cross-platform High Availability is supported if all of the platforms are SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).

Microsoft Windows

Security Management and Gateways are supported on Windows Server 2003 and Windows Server 2008 32-bit only (see Management Products by Platform ("Supported Security Products by Platform" on page 13)). Windows Server 2000 is not supported.

High Availability Legacy mode is not supported on Windows Server 2003.

Note - Cross-platform High Availability is supported if all of the platforms are SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).

Solaris

Security Management Server and Multi-Domain Security Management are supported with Solaris running on UltraSPARC 64-bit platforms (see Management Products by Platform ("Supported Security Products by Platform" on page 13)). R71 Security Gateways are not supported on Solaris.

Required Packages

SUNWlibC

SUNWlibCx (except Solaris 10)

SUNWter

SUNWadmc

SUNWadmfw

Required Patches

The patches listed below are required to run Check Point software on Solaris platforms. They can be downloaded from: http://sunsolve.sun.com.

To display your current patch level, use the command: showrev -p | grep <patch number>

Platform Required Recommended Notes

Solaris 8

108528-18 If the patches 108528-17 and 113652-01 are installed, remove 113652-01, and then install 108528-18.

110380-03

109147-18

109326-07

108434-01 Required only for 32 bit systems

108435-01 Required only for 64 bit systems

109147-40 or higher

Solaris 9

112233-12

112902-07

116561-03 Only if dmfe(7D) Ethernet driver is defined on the machine

112963-25 or higher

Solaris 10 117461-08 or higher
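A plain showrev -p | grep <patch number> only finds the exact revision and also matches IDs that appear in another patch's Obsoletes: or Requires: field. The script below is an added example, not part of the Check Point documentation, that evaluates "or higher" against the Patch: field only. It assumes the showrev -p output has been saved to a file; the function names and sample lines are constructed, and the patch IDs checked are the Solaris 9 rows of the table above.

```shell
#!/bin/sh
# Added example: evaluate "NNNNNN-RR or higher" against saved `showrev -p` output.
# Assumes a POSIX sh and awk (on Solaris: /usr/xpg4/bin/sh and nawk).

# patch_state FILE BASE: prints "installed REV" (highest revision in a Patch:
# field), "obsoleted-by ID" (BASE only in an Obsoletes: list), or "absent".
patch_state() {
    awk -v base="$2" '
        $1 != "Patch:" { next }
        {
            split($2, id, "-")
            if (id[1] == base && id[2] + 0 > rev) rev = id[2] + 0
            for (i = 4; i <= NF && $i != "Requires:"; i++)
                if (index($i, base "-") == 1) by = $2
        }
        END {
            if (rev) print "installed", rev
            else if (by) print "obsoleted-by", by
            else print "absent"
        }' "$1"
}

# patch_ok FILE BASE-MINREV: succeeds if BASE is installed at MINREV or higher.
patch_ok() {
    min=${2#*-}; min=${min#0}
    state=$(patch_state "$1" "${2%-*}")
    case $state in
        installed\ *) [ "${state#installed }" -ge "$min" ] ;;
        *) return 1 ;;
    esac
}

# check_all FILE REQ...: one status line per requirement; 0 only if all pass.
check_all() {
    f=$1; shift; rc=0
    for req in "$@"; do
        if patch_ok "$f" "$req"; then echo "OK     $req: $state"
        else echo "REVIEW $req: $state"; rc=1; fi
    done
    return $rc
}

# Constructed sample lines in showrev -p layout (not real patch metadata).
s=$(mktemp)
printf '%s\n' \
  'Patch: 112233-12 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexa' \
  'Patch: 999999-01 Obsoletes: 112902-07 Requires:  Incompatibles:  Packages: SUNWexb' \
  'Patch: 112963-27 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexc' \
  'Patch: 116561-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexd' > "$s"
check_all "$s" 112233-12 112902-07 116561-03 112963-25 || echo "patch level needs review"
rm -f "$s"
```

A patch reported as obsoleted-by is flagged for review and not counted as installed, so the administrator decides whether the superseding patch satisfies the requirement.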

We recommend that you install Multi-Domain Security Management on Sun M-Series servers. We do not recommend that you install Multi-Domain Security Management on Sun T-Series servers.

Note - Cross-platform High Availability is supported if all of the platforms are SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).

Maximum Number of Interfaces Supported by Platform

The maximum number of interfaces supported (physical and virtual) is shown by platform in the following table.

| Platform | Max Number of Interfaces | Notes |
|---|---|---|
| SecurePlatform | 1015 | 1. SecurePlatform supports 255 virtual interfaces per physical interface. 2. When using Dynamic Routing on SecurePlatform, 200 virtual interfaces per physical interface are supported. |
| IPSO | 1024 | |
| Windows | 32 | |

Minimum System Requirements

In This Section

Security Gateway Hardware Requirements

Security Management Hardware Requirements

SmartConsole and SmartDomain Manager Hardware Requirements

Multi-Domain Security Management Requirements

Performance Pack

VSX Gateway Hardware Requirements

SmartEvent (formerly Eventia Analyzer) Requirements

SmartReporter (formerly Eventia Reporter) Requirements

SecureClient Requirements

Endpoint Security Requirements

For SecureClient Requirements, see the SecureClient NGX R66 Release Notes (http://downloads.checkpoint.com/dc/download.htm?ID=8371).

For Endpoint Security Server and Client requirements, see the Endpoint Security R73 HFA1 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=11547).

Security Gateway Hardware Requirements

For open servers:

| Component | Windows | SecurePlatform on Open Servers | Linux |
|---|---|---|---|
| Processor | Intel Pentium IV or 1.5 GHz equivalent | Intel Pentium IV or 2 GHz equivalent | Intel Pentium IV or 2 GHz equivalent |
| Free Disk Space | 1GB | 10GB | 1.4GB |
| Memory | 512MB | 512MB | 512MB |
| Optical Drive | Yes | Yes | Yes |
| Network Adapter | One or more | One or more supported cards | One or more |

Security Management Hardware Requirements

For open servers:

| Component | Windows | Linux | SecurePlatform on Open Servers | Solaris |
|---|---|---|---|---|
| Processor | Intel Pentium Processor E2140 or 2 GHz equivalent processor | Intel Pentium Processor E2140 or 2 GHz equivalent processor | Intel Pentium Processor E2140 or 2 GHz equivalent processor | Sun UltraSPARC IV and higher |
| Free Disk Space | 1GB | 1.4GB | 10GB (installation includes OS) | 1GB |
| Memory | 1GB | 1GB | 1GB | 512MB |
| Optical Drive | Yes | Yes | Yes (bootable) | Yes |
| Network Adapter | One or more | One or more | One or more | One or more |

SmartConsole and SmartDomain Manager Hardware Requirements

This table shows the minimum hardware requirements for console applications, including: SmartDashboard, SmartView Tracker, SmartView Monitor, SmartProvisioning, SmartReporter, SmartEvent, SecureClient Packaging Tool, SmartUpdate, and SmartDomain Manager.

| Component | Windows |
|---|---|
| CPU | Intel Pentium Processor E2140 or 2 GHz equivalent processor |
| Memory | 512MB |
| Disk Space | 500MB |
| Optical Drive | Yes |
| Video Adapter | minimum resolution: 1024 x 768 |

Multi-Domain Security Management Requirements

The minimum recommended system requirements for Multi-Domain Security Management are:

| Component | Linux | Solaris | SecurePlatform |
|---|---|---|---|
| CPU | Intel Pentium Processor E2140 or 2 GHz equivalent processor | UltraSPARC III 900MHz | Intel Pentium Processor E2140 or 2 GHz equivalent processor |
| Memory | 4GB | 4GB | 4GB |
| Disk Space | 2GB | 2GB | 10GB (install includes OS) |
| Optical Drive | Yes | Yes | Yes (bootable) |

Multi-Domain Security Management Resource Consumption

Actual disk space consumption depends on the scale of the deployment. The larger the deployment, the more disk space, memory, and CPU are required.

The Multi-Domain Security Management disk space requirements are:

For basic Multi-Domain Server installation: 800MB (mostly for /opt directory).

For each Domain Management Server: 100MB (for the Domain Management Server directory located in /var/opt)

Performance Pack

The recommended platform configuration for Performance Pack is a computer with a Quad-Core Intel Xeon Processor 5xxx with 6GB RAM, or more.

Check Point appliances with this configuration:

Power-1 11000 Series

Examples of open servers with these configurations:

HP ProLiant DL-360 G6

HP ProLiant DL-380 G6

Dell PowerEdge R610

Dell PowerEdge R710

IBM System x3550 M2

IBM System x3650 M2

VSX Gateway Hardware Requirements

Minimum system requirements recommended for optimal performance of a VSX gateway:

| Component | SecurePlatform |
|---|---|
| Processor | Intel Pentium IV or 2 GHz equivalent processor |
| Memory | 1GB |
| Disk Space | 10GB |
| Optical Drive | Yes |
| Network Interface Cards | 3 (4 for VSX Clusters) |

SmartEvent (formerly Eventia Analyzer) Requirements

SmartEvent can be installed on a Security Management server or on a dedicated machine.

| Component | Windows/Linux/SecurePlatform |
|---|---|
| CPU | Intel Pentium IV 2.8 GHz |
| Memory | 4GB |
| Disk Space | 25GB |

SmartEvent is not supported on Solaris platforms.

Note - To optimize SmartEvent performance:

Use the fastest disk available with the highest RPM, and a large buffer size.

Increase the machine's memory.

SmartReporter (formerly Eventia Reporter) Requirements

The hardware requirements presented below are designed for a SmartReporter server that will process at least 15GB of logs per day and generate reports according to the performance numbers. For deployments that will generate fewer logs per day, a machine with less CPU or memory can be used. However, this may cause performance degradation.

SmartReporter can be installed on a Security Management server or on a dedicated machine.

| Component | Windows & Linux Minimum | Windows & Linux Recommended | Solaris |
|---|---|---|---|
| CPU | Intel Pentium IV 2.0 GHz | Dual CPU 3.0 GHz | UltraSPARC III 900 MHz |
| Memory | 1GB | 2GB | 1GB |
| Disk Space, Installation | 80MB | 80MB | 80MB |
| Disk Space, Database | 60GB (40GB for database, 20GB for temp directory) (on 2 physical disks) | 100GB (60GB for database, 40GB for temp directory) | 60GB (40GB for database, 20GB for temp directory) |
| CD-ROM Drive | Yes | Yes | Yes |

Optimizing SmartReporter Performance

The following tips are recommended to optimize SmartReporter performance:

Disable DNS resolution - consolidation performance may improve to 32GB of logs per day.

Configure the network connection between the SmartReporter server and the Security Management or Log server to the optimal speed.

Use the fastest disk available with the highest RPM (revolutions per minute) and a large buffer size.

Use UpdateMySQLConfig to tune the database configuration and adjust the consolidation memory buffers to use the additional memory.

Increase the machine's memory, as it significantly improves performance.

Install an uninterruptible power supply (UPS) for the SmartReporter Server.

SecureClient Requirements

For SecureClient Requirements, see the SecureClient NGX R66 Release Notes (http://downloads.checkpoint.com/dc/download.htm?ID=8371).

Endpoint Security Requirements

For Endpoint Security Server and Client requirements, see the Endpoint Security R73 HFA1 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=11547).

Known Limitations

Known Limitations for R71 are in sk41909 (http://supportcontent.checkpoint.com/solutions?id=sk41909).