Release Notes and Getting Started Guide. IPSO 6.2 MR3 (Build GA055B01)
IPSO 6.2 MR3 (Build GA055B01), April 6, 2011
Contents

Chapter 1 Main Enhancements and Fixes in IPSO 6.2
  Enhancements in IPSO 6.2 MR3 (Build GA055B01)
  Enhancements in IPSO 6.2 MR2 (Build GA039)
  Enhancements in IPSO 6.2 MR1 (Build GA29a02)
  Enhancements and Fixes that are New in IPSO 6.2
    Dynamic Adjustment of Descriptor Ring Size
    Allow Console Messages to be Redirected < >
    VRRP Enhancement for Load Balancers < >
    DNS Fast Expire Enhancement < >
    PIM with NAT < >
    Auto Detect Support for the Endpoint Connect VPN client
    Supports 1Gb and 10Gb Ethernet Cards
    Enhancement for Configuration Summary Tool < >
    Enhancement for IP Broadcast Helper < >
    Enhancement for ICMP Reply Throttling < >
    Enhancement for Argentina Time Zone Changes < >
  Changes to Upgrade and Installation Process

Chapter 2 What's New in Check Point IPSO 6.2 Compared to IPSO 6.1
  Support for R70 and Higher with CoreXL
    Configuring IPSO for CoreXL
  Performance Monitoring Enhancements Compared to IPSO 6.1
    Connection Dashboard
    Connection Map Dashboard
    System Health

Chapter 3 What's New in Check Point IPSO 6.2 Compared to IPSO
  Performance Monitoring Enhancements Compared to IPSO
    Connection Dashboard
    Connection Map Dashboard
    Traffic Dashboard
    Forwarding Dashboard
    Interface Dashboard
    System Dashboard
    ADP Dashboard
    Custom Dashboard
  Support for Netflow Services
    Defining Flows
    Flow Records
  Enhancement for ACL Rules
  Time Zone Package
  High-Availability Enhancements
    HA Voyager
    IP Clustering Enhancements
  Configuration Migrator
    Acquiring Configuration Information
    Migrating Configuration Information
  IPSO Automated Configuration
  Enhanced Configuration Summary Tool
  Enhancement for Increased Network Voyager Security
  Routing Enhancements
    OSPF and BGP Graceful Restart Helper
    Enhancements for RIP and OSPF Route Tags
  Support for USB Modem
  Enhancement for Firewall Kernel Tuning

Chapter 4 What's New in Check Point IPSO 6.2 Compared to IPSO 4.2
  IPSO Ported to FreeBSD 6.x
  New Features Compared to IPSO

Chapter 5 Comparison with Previous Versions
  High Level Comparison of IPSO Versions 4.2, 6.0.7, 6.1 With
  Detailed Comparison of IPSO Versions 4.2, 6.0.7, 6.1 With

Chapter 6 Supported Platforms, Versions and Memory Configurations
  Supported IP Appliance Platforms
  Supported Check Point Versions
  Supported Memory Configurations

Chapter 7 Performing the Initial Configuration
  Using DHCP to Configure the System
    Configuring Your DHCP server
    Running the DHCP Client on the Check Point System
  Using the Console to Configure the System
    Performing the Configuration
  Registering the IP Appliance
  Performing Additional Configuration
    Using Check Point Network Voyager
    Using the IPSO CLI

Chapter 8 Upgrading to Check Point IPSO 6.2
  Changes to Upgrade and Installation Procedures
    Boot Security
  Downloading IPSO 6.2 and Related Files
    IPSO 6.2-Related Documentation
  Before Installing IPSO
    IP2450 Might Require BIOS Upgrade
    If You Use Link Redundancy
    Before Upgrading to Change to rc.local Support
    Verify Free Space in Root Partition
  Putting the ipso.tgz file on Your Platform
  Adding Images Versus Overwriting Existing Images
  Adding an IPSO 6.2 Image and a Security Gateway Package
    Deleting Images and Packages
    Adding an IPSO Image
    Installing R65 HFA
    Adding and Activating R70, R71 or R
    Adding and Activating R71.x For Flash-Based IP290, IP390 and IP
    Adding and Activating R70.x For Flash-Based IP290, IP390 and IP
    Adding and Activating R70.x or R71.x For Disk-Based IP Appliances
  Overwriting Existing Images (Fresh Installation)
    Fresh Installation of the IPSO Image Using the Command shell
    Fresh installation of R70 or Higher Package Using Network Voyager
  Other Upgrade Methods: Horizon Manager and the IPSO Shell
    Using Horizon Manager to Install IPSO and Packages

Chapter 9 Configuration Tips, Limitations and Resolved Issues
  Configuration Tips
  Limitations
  Resolved Issues in IPSO 6.2 MR3
Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS and FAR.

TRADEMARKS: Please refer to for a list of our trademarks. For third party notices, see
Chapter 1
Main Enhancements and Fixes in IPSO 6.2

Check Point IPSO 6.2 is a new version of the IPSO operating system used on Check Point IP Appliance platforms. This chapter describes the enhancements and fixes that are new in IPSO 6.2 and summarizes the changes to the upgrade and installation procedure.

The numbers in angle brackets after the headings in the following sections are the tracking numbers for the issues in Check Point's internal database of problem resolutions. Reference the number if you contact Check Point about any of these items.

In This Chapter
- Enhancements in IPSO 6.2 MR3 (Build GA055B01), page 10
- Enhancements in IPSO 6.2 MR2 (Build GA039), page 10
- Enhancements in IPSO 6.2 MR1 (Build GA29a02), page 10
- Enhancements and Fixes that are New in IPSO 6.2, page 11
- Changes to Upgrade and Installation Process, page 16

Note - The latest version of this document is at:
Enhancements in IPSO 6.2 MR3 (Build GA055B01)

IPSO 6.2 MR3 (Build GA055B01) includes a large number of resolved issues. See Resolved Issues in IPSO 6.2 MR3 on page 118.

Enhancements in IPSO 6.2 MR2 (Build GA039)

IPSO 6.2 MR2 (Build GA039) adds support for the IP282 appliance.

Enhancements in IPSO 6.2 MR1 (Build GA29a02)

IPSO 6.2 MR1 (Build GA29a02) fixes an issue that can occur on some IP1280/1285 or IP2450/2455 systems, in which persistent false over-temperature or voltage alarms are reported. These false alarms can in turn cause packet loss and degraded performance.
Enhancements and Fixes that are New in IPSO 6.2

The enhancements and fixes listed in this section are new to IPSO 6.2 and were not available in any previous IPSO version. IPSO 6.2 also includes all the features of IPSO 6.1 and of the earlier IPSO release covered in Chapter 3. For those features, see:
- Chapter 2, What's New in Check Point IPSO 6.2 Compared to IPSO 6.1
- Chapter 3, What's New in Check Point IPSO 6.2 Compared to IPSO
- Chapter 4, What's New in Check Point IPSO 6.2 Compared to IPSO 4.2

This release of IPSO 6.2 contains all the enhancements and fixes that are included in previous IPSO 6.2 releases.

In This Section
- Dynamic Adjustment of Descriptor Ring Size, page 11
- Allow Console Messages to be Redirected < >, page 12
- VRRP Enhancement for Load Balancers < >, page 12
- DNS Fast Expire Enhancement < >, page 13
- PIM with NAT < >, page 13
- Auto Detect Support for the Endpoint Connect VPN client, page 13

Dynamic Adjustment of Descriptor Ring Size

This enhancement allows the administrator to adjust the pools of memory descriptors used by an interface when transmitting or receiving packets. The transmit and receive pools can be set independently. This feature is useful when packet loss occurs with a traffic pattern that is bursty in nature.

To configure the transmit and receive ring size in Network Voyager, select Configuration > Interface Configuration > Interfaces, and then edit the physical interface.

To configure the ring size in the CLI, use the commands
  set interface <interface name> rx-ringsize/tx-ringsize
and
  show interface <interface name> rx-ringsize/tx-ringsize
Transmit (TX) and receive (RX) ring size values are also displayed by general show commands such as show interface <interface name> all.

Allow Console Messages to be Redirected < >

This enhancement allows console messages to be redirected to a file or some other device. A common use is while policies are being installed on gateways.

VRRP Enhancement for Load Balancers < >

The Virtual Router Redundancy Protocol (VRRP) uses virtual MAC addresses to ensure that traffic continues to flow if the VRRP master fails. When a failure occurs, the new VRRP master takes ownership of the virtual IP and MAC addresses, and attached routers send traffic to the new master. IPSO uses the virtual MAC address as the source MAC for VRRP protocol traffic and uses the real (physical) MAC address as the source for all other traffic. Some load balancing devices cache the physical MAC address for optimization purposes and continue to send traffic to that address even if the associated virtual router fails, which causes that traffic to be dropped. This version of IPSO includes the Source Data from Virtual MAC option, which you can enable to prevent this problem from occurring.

To source the data using the virtual MAC:
1. Go to the Network Voyager page Configuration > High Availability > VRRP > Legacy VRRP Configuration.
2. For an interface, select the VRRP Mode, either monitored circuit or VRRPv2. The option is not available if you use simplified monitored-circuit VRRP or HA Voyager (which requires simplified monitored-circuit VRRP).
3. Define an Own VRID.
4. Enable the Source Data from Virtual MAC option for the interface.

All the traffic sent from the interface then uses the virtual MAC address as the source MAC. (When the option is disabled, which is the default setting, only VRRP protocol traffic uses the virtual MAC address as the source; the physical MAC address is used as the source for all other traffic.) Enabling the option causes attached devices to send all traffic to the virtual MAC, so traffic continues to flow when a new master assumes ownership of the virtual MAC.
DNS Fast Expire Enhancement < >

Check Point IP Appliance platforms running previous releases can drop UDP traffic as a result of a large number of UDP connections being stored in the firewall connection table. This can occur even when the load on the system is light, and it can happen with all UDP traffic, but it is most likely to affect DNS packets. When the issue occurs with DNS traffic, it can cause name resolution failures and long delays in connection establishment. With this release you can prevent this problem by configuring the system using ipsctl commands. See the Knowledge Base Resolution on the customer support site for more information about this issue and how to configure your system to prevent it.

PIM with NAT < >

PIM Sparse mode can be used with Network Address Translation (NAT). For configuration details, see the Network Voyager Reference Guide for IPSO 6.2.

Auto Detect Support for the Endpoint Connect VPN client

This IPSO release provides enhanced support for the Endpoint Connect VPN client (available since NGX R65 HFA 40): the client's Auto Detect and Connect feature is now supported. Whenever the VPN gateway's or the client's location changes, the Endpoint Connect client automatically detects the best method to establish a connection, using either NAT-T (UDP port 4500) or Visitor mode (TCP port 443), and switches between the two modes as necessary.

Supports 1Gb and 10Gb Ethernet Cards

IPSO supports 1 Gigabit Ethernet and 10 Gigabit Ethernet cards as optional add-ons for the following Check Point IP security platforms:
- IP2450
- IP1280
- IP690
These cards deliver high throughput for network environments that do not require the specialized acceleration offered by Check Point ADP modules.

1 Gigabit Ethernet Cards

Check Point offers new four-port 1 Gigabit Ethernet cards in two versions:
- Network interface card for Check Point IP1280 and Check Point IP2450 with integrated RJ-45 connectors
- Network interface card for Check Point IP1280 and Check Point IP2450 with sockets that accept interchangeable SFP transceivers, available in 1000Base-T, 1000Base-SX, and 1000Base-LX versions

These cards implement a new design that leverages the latest technological advances and connects directly to the PCI-e data bus to improve the speed and efficiency of moving packets between the interfaces and the multiple CPU cores.

10 Gigabit Ethernet Cards

Check Point offers new dual-port 10 Gigabit Ethernet cards in two versions:
- Network interface card with XMC connectors for Check Point IP2450 and Check Point IP1280
- Network interface card with PMC connectors for Check Point IP690

Both versions include sockets that accept interchangeable SFP+ transceivers. These cards can help your network meet the increasing demands of transporting content types such as video and VoIP, or accommodate virtualization.

Enhancement for Configuration Summary Tool < >

If you open a support case with Check Point, you might be asked to provide an ECST file. To create this file, you use the Enhanced Configuration Summary Tool (ECST), which captures your current IPSO configuration, log files, core dumps and other information in a single file.
With this release, ECST provides more data for analysis by capturing Accelerated Data Path (ADP) kernel and core files that the system dumps when an ADP subsystem crashes. The file names begin with kcore and kaza, as in the following examples:
  kcore-u1s z
  kaza.perf_g-u1s z

Enhancement for IP Broadcast Helper < >

You can use IPSO's IP Broadcast Helper to relay broadcast UDP packets as unicasts to one or more remote servers. The maximum packet size for UDP packets relayed by this feature has been increased to 1480 bytes. IP Broadcast Helper can relay packets as large as bytes without fragmenting them.

Enhancement for ICMP Reply Throttling < >

To protect networks, IPSO now throttles ping replies that exceed certain limits. Because this rate limiting might affect other network devices that use ping for health checks, IPSO lets you disable the throttling by entering the following command at the IPSO shell prompt:
  ipsctl -w net:ip:icmp:ratelimit:enable disable
To re-enable the rate limiting function, enter:
  ipsctl -w net:ip:icmp:ratelimit:enable enable

Enhancement for Argentina Time Zone Changes < >

IPSO includes an enhancement to support recent time zone changes in Argentina.
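The ICMP reply throttling above is described only as "certain limits", and the practical question for an operator is whether a load balancer's health-check pings survive it. The following token-bucket model is an added illustration, not IPSO code: the refill rate and burst size are assumed values (IPSO's real limits are not stated on this page), the `enabled` flag stands in for the ipsctl switch, and all request timestamps are constructed.

```python
"""Token-bucket model of ICMP echo-reply throttling and its effect on health checks.

Added illustration, not IPSO code. The page says IPSO throttles ping replies that
exceed "certain limits" without stating them, so the refill rate and burst size
used here are assumed. `enabled=False` models `ipsctl -w
net:ip:icmp:ratelimit:enable disable`. All request timestamps are constructed."""


class ReplyThrottle:
    def __init__(self, rate_per_sec=10.0, burst=20, enabled=True):
        self.rate = rate_per_sec       # assumed: reply tokens refilled per second
        self.burst = burst             # assumed: maximum replies in one burst
        self.enabled = enabled         # False = throttling switched off
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        """Return True if an echo reply may be sent at time `now` (seconds)."""
        if not self.enabled:
            return True
        # Refill proportionally to elapsed time, never above the burst ceiling.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(request_times, throttle):
    """Replay echo requests through the throttle; return (answered, suppressed)."""
    answered = suppressed = 0
    for t in sorted(request_times):
        if throttle.allow(t):
            answered += 1
        else:
            suppressed += 1
    return answered, suppressed


# Constructed traffic: a load balancer health check every 200 ms for 10 s ...
HEALTH_CHECK = [i * 0.2 for i in range(50)]
# ... and a burst of 200 echo requests packed into the first second.
BURST = [i * 0.005 for i in range(200)]

if __name__ == "__main__":
    print("health check alone:", simulate(HEALTH_CHECK, ReplyThrottle()))
    print("burst alone:       ", simulate(BURST, ReplyThrottle()))
    print("both, throttle on: ", simulate(HEALTH_CHECK + BURST, ReplyThrottle()))
    print("both, throttle off:", simulate(HEALTH_CHECK + BURST, ReplyThrottle(enabled=False)))
```

With the assumed parameters a 5-per-second health check is never suppressed on its own, but while a burst is in progress its replies compete for the same bucket, which is the situation the page's note about health-check devices refers to. Disabling the throttle answers everything, so the choice is between losing some health-check replies under load and answering every echo request.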
Changes to Upgrade and Installation Process

In some circumstances, the process of upgrading or installing IPSO 6.2 requires additional steps that are not necessary when upgrading or installing versions of IPSO earlier than 6.2. For details, see Changes to Upgrade and Installation Procedures in Chapter 8, Upgrading to Check Point IPSO 6.2.
Chapter 2
What's New in Check Point IPSO 6.2 Compared to IPSO 6.1

This chapter describes the new features and enhancements in IPSO 6.2 compared to IPSO 6.1. These features and enhancements are included in IPSO. In addition, IPSO 6.2 includes the new features listed in Main Enhancements and Fixes in IPSO 6.2 on page 9.

In This Chapter
- Support for R70 and Higher with CoreXL, page 18
- Performance Monitoring Enhancements Compared to IPSO 6.1, page 20
Support for R70 and Higher with CoreXL

IPSO 6.2 supports R70 and higher with CoreXL. The combination of IPSO 6.2 and Check Point R70 and higher improves firewall performance by taking advantage of the multicore CPU architecture of Check Point network security platforms. CoreXL and SecureXL improve performance using different technologies and can work together in a complementary fashion. Use cpconfig to enable or disable SecureXL or CoreXL. SecureXL is enabled by default.

Use the R70 and higher version of SmartCenter and SmartConsole to manage CoreXL gateways. Do not use other versions of these applications. For details of CoreXL, search for the Firewall R7x Administration Guide (replace R7x with the applicable version). In the guide, search for the CoreXL section.

Configuring IPSO for CoreXL

CoreXL creates multiple firewall instances (in effect, multiple firewalls) and assigns each instance to a CPU core. You can use cpconfig to control the number of firewall instances. CoreXL improves the performance of your platform by accelerating traffic that cannot be accelerated by SecureXL. The default number of firewall instances is chosen for optimal performance; you can change it depending on your traffic profile. Choose the number of firewall instances based on the anticipated traffic load: if the majority of your traffic will be accelerated by SecureXL, create a smaller number of firewall instances.

Note - If you change the number of instances, you must reboot the platform for the change to take effect.

Use the following sources to obtain information to help you choose the optimal number of firewall instances for your platform and traffic mix:
- The Firewall Instance Configuration page provides data about SecureXL-based acceleration.
- To monitor CPU core usage, enter top -p in the IPSO command shell.
- To get information about load balancing between the firewall instances, enter fw ctl multik stat or ipsctl -a net:sxl:inst in the IPSO command shell.

Note - If you use IP clustering, make sure to configure the same number of firewall instances on each node.

When you enter firewall commands, they generally apply to the gateway as a whole rather than to a specific firewall instance. To make a command apply to a specific instance, add -i number (where number is the number of the instance) to the command. For example, to view the connections table for firewall instance 3, enter:
  fw -i 3 tab -t connections
Performance Monitoring Enhancements Compared to IPSO 6.1

Note - Performance monitoring features that were already supported in IPSO 6.1 are described in Performance Monitoring Enhancements Compared to IPSO on page 22.

Performance Monitoring statistics provide a detailed and comprehensive view of your system's performance by allowing you to monitor a variety of historical information presented in graphical format. You can configure the graphs to show a wide range of time periods.

Connection Dashboard

When multiple firewall instances are enabled, the Transactions Vs. Connections graph represents the total number of transactions and connections across all the firewall instances enabled for the selected time interval.

Connection Map Dashboard

Any or all of the firewall instances that are active in the selected time interval can be selected. Individual line graphs are displayed for each selected firewall instance. Radio buttons at the bottom let you view Accelerated, VPN, NAT and TCP connections. By default the graph displays one consolidated line, which is the sum of all connections across all firewall instances.

System Health

The Live SecureXL FW Connection Statistics graph displays a separate graph for each firewall instance. Each graph plots the number of connections created and deleted, the current number of active connections, connections created from templates, and NAT and TCP connections. The graph refreshes every 20 seconds.
Chapter 3
What's New in Check Point IPSO 6.2 Compared to IPSO

This chapter describes the new features and enhancements in IPSO 6.2 compared to IPSO. These features and enhancements are included in IPSO 6.1. In addition, IPSO 6.2 includes the new features listed in Main Enhancements and Fixes in IPSO 6.2 on page 9.

In This Chapter
- Performance Monitoring Enhancements Compared to IPSO, page 22
- Support for Netflow Services, page 26
- Enhancement for ACL Rules, page 28
- High-Availability Enhancements, page 30
- Configuration Migrator, page 33
- IPSO Automated Configuration, page 38
- Enhanced Configuration Summary Tool, page 39
- Enhancement for Increased Network Voyager Security, page 41
- Routing Enhancements, page 42
- Support for USB Modem, page 44
- Enhancement for Firewall Kernel Tuning, page 45
Performance Monitoring Enhancements Compared to IPSO

Note - Performance monitoring features that were already supported in IPSO are described in Performance Monitoring Enhancements Compared to IPSO 6.1 on page 20.

This feature provides a detailed and comprehensive view of your system's performance by allowing you to monitor a variety of historical information presented in graphical format. You can configure the graphs to show a wide range of time periods. Use the information provided by this feature to tune your system for optimum performance, troubleshoot difficult performance issues, or simply confirm that traffic patterns are as expected. For example, you can compare how much of your traffic has been accelerated by SecureXL versus the amount that has been sent to the firewall for processing, and see how much traffic has been forwarded by Check Point Accelerated Data Path (ADP) interfaces versus non-ADP interfaces.

The performance monitoring graphs are organized into configurable dashboards that you access by clicking Monitor > Performance Monitoring on the Network Voyager navigation tree.

Note - The dashboards replace the Voyager pages that you access in previous IPSO versions by clicking Monitor > Reports.

The following sections describe the new dashboards and their component graphs.

Note - You will not be able to display historical performance data captured by a previous IPSO release after you upgrade to IPSO 6.2. If you want to preserve this data, do so before you upgrade by using Network Voyager to display the data in delimited format and copying it into a spreadsheet or other application.

Connection Dashboard

Connection Life histogram: Displays the number of connections within a configurable time and their lifetimes in IPSO. The lifetime of a connection is the amount of time it occupies IPSO memory.
Transaction Size histogram: Displays the transaction sizes associated with different connections within a configurable time. The transaction size is the number of bytes exchanged in the context of a connection from the start to the end of the connection.

Templates vs. Non-Templates: Displays the percentage of connections created by SecureXL templates within a configurable time. You can use this information to help you define a firewall policy so that more connections are created by templates (and are therefore accelerated).

Transactions vs. Connections: Displays the rates of connection and transaction creation within a configurable time. For TCP, connection creation is defined as the arrival of a SYN packet, and transaction creation is defined as the completion of the 3-way handshake. For non-TCP connections, connection and transaction creation occur at the same rate.

New in IPSO 6.2: For multiple firewall instances, the Transactions vs. Connections graph represents the total number of connections and transactions across all the firewall instances enabled at that time.

Connection Map Dashboard

Users are now provided with an option to select any or all of the firewall instances that are active in the selected time period. Individual line graphs are displayed for each selected firewall instance. Radio buttons at the bottom of the graph let you view Accelerated, VPN, NAT and TCP connections. By default the graph displays one consolidated line, which is the sum of all connections across all firewall instances.

Accelerated Connections Map: Displays the total number of connections within a configurable time and the number that were accelerated. The difference between the total number of connections and the number of accelerated connections gives the number of connections for which every packet was inspected by the firewall. Accelerated connections are further classified as connections accelerated by ADP and connections accelerated by IPSO.

VPN Connections Map: Displays the total number of connections within a configurable time and the number that required VPN services.

NAT Connections Map: Displays the total number of connections within a configurable time and the number that required NAT services.

TCP Connections Map: Displays the total number of connections within a configurable time and the number of TCP connections. The difference between total connections and TCP connections gives the number of non-TCP connections, such as UDP and ICMP.
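The Transactions vs. Connections graph above rests on two definitions: a TCP connection is counted when its SYN arrives, a transaction when the three-way handshake completes, and non-TCP flows count as both at once. The following is an added illustration (not IPSO or Check Point code) that applies those definitions to a constructed packet list; the gap between the two counts is the half-open connections, which is the same quantity a defender watches when reading this graph for SYN-flood symptoms.

```python
"""Counting connections versus transactions the way the page defines them.

Added illustration (not IPSO or Check Point code): a TCP "connection" is counted
when a SYN arrives, a "transaction" when the three-way handshake completes; for
non-TCP traffic both are counted at the same time. All packets are constructed."""
from collections import namedtuple

# flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK (only handshake packets matter here)
Packet = namedtuple("Packet", "ts src dst sport dport proto flags")


def count_connections_and_transactions(packets):
    """Return (connections, transactions, half_open) for a packet list.

    half_open is the number of TCP flows that sent a SYN but never completed the
    handshake; a large gap between connections and transactions is what a SYN
    flood looks like on the Transactions vs. Connections graph."""
    connections = transactions = 0
    handshake = {}          # client 5-tuple -> "syn" or "synack"
    seen_non_tcp = set()
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        if p.proto == "tcp":
            if p.flags == "S":
                connections += 1                 # connection creation = SYN arrival
                handshake[key] = "syn"
            elif p.flags == "SA":
                reverse = (p.dst, p.src, p.dport, p.sport, p.proto)
                if handshake.get(reverse) == "syn":
                    handshake[reverse] = "synack"
            elif p.flags == "A" and handshake.get(key) == "synack":
                transactions += 1                # transaction creation = handshake complete
                del handshake[key]
        elif key not in seen_non_tcp:
            seen_non_tcp.add(key)                # first packet of a non-TCP flow
            connections += 1                     # non-TCP: both counters move together
            transactions += 1
    return connections, transactions, len(handshake)


def tcp_handshake(ts, client, server, sport, dport=443):
    """Constructed helper: the three packets of a completed handshake."""
    return [Packet(ts, client, server, sport, dport, "tcp", "S"),
            Packet(ts + 1, server, client, dport, sport, "tcp", "SA"),
            Packet(ts + 2, client, server, sport, dport, "tcp", "A")]


# Constructed sample: two completed handshakes, three SYNs that never complete,
# and one DNS query over UDP.
SAMPLE = (
    tcp_handshake(100, "10.0.0.5", "192.0.2.10", 40001)
    + tcp_handshake(110, "10.0.0.6", "192.0.2.10", 40002)
    + [Packet(120 + i, "10.0.0.%d" % (50 + i), "192.0.2.10", 41000 + i, 443, "tcp", "S")
       for i in range(3)]
    + [Packet(130, "10.0.0.5", "192.0.2.53", 50000, 53, "udp", "")]
)

if __name__ == "__main__":
    print(count_connections_and_transactions(SAMPLE))   # (6, 3, 3)
```

The sample yields six connections but only three transactions, and the third value reports the three half-open flows responsible for the difference.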
Traffic Dashboard

IPSO Packet Size Map: Displays the distribution of packet sizes forwarded by IPSO within a configurable time. This information is helpful in understanding which packet sizes are dominant.

ADP Packet Size Map: This graph is present only on platforms on which an ADP module is detected. It displays the distribution of packet sizes that were forwarded by ADP interfaces. This information is helpful in understanding which packet sizes are dominant in traffic transiting ADP interfaces.

Forwarding Dashboard

Accelerated Traffic Map: Displays the total number of packets that were forwarded by IPSO and the number of packets that were accelerated by IPSO within a configurable time. The difference between the total number of packets and the number of accelerated packets is the number of packets that were forwarded to the firewall.

VPN Traffic Map: Displays the total number of packets that were forwarded by IPSO and the number of packets that required VPN services within a configurable time. This information is helpful in understanding the percentage of traffic that requires VPN services.

NAT Traffic Map: Displays the total number of packets that were forwarded by IPSO and the number of packets that required NAT services within a configurable time. This information is helpful in understanding the percentage of traffic that requires NAT services.

Interface Dashboard

Packet Throughput: Displays the rates of incoming and outgoing packets on a given interface within a configurable time.

Byte Throughput: Displays the rates of incoming and outgoing bytes on a given interface within a configurable time. This information is helpful in determining whether a link is reaching its capacity.

Multicast Throughput: Displays the rates of incoming and outgoing multicast packets on a given interface within a configurable time. This information is helpful in determining whether a link is reaching its capacity.

Broadcast Throughput: Displays the rates of incoming and outgoing broadcast packets on a given interface within a configurable time. This information is helpful in determining whether a link is reaching its capacity.
System Dashboard

CPU Utilization: Displays the CPU utilization for all the CPU cores within a configurable time.

Memory Utilization: Displays the memory utilization in IPSO within a configurable time.

ADP Dashboard

This dashboard displays the number of packets that were forwarded by IPSO and the number of packets that were forwarded by the ADP subsystem within a configurable time. You can also see the average and maximum number of buffers utilized at the interface layer in the incoming and outgoing directions within a configurable time. This information is helpful in understanding the value provided by ADP modules.

Custom Dashboard

Use this dashboard to create custom profiles that include your choice of performance graphs. After you have created profiles, click the Custom Dashboard link again to select a profile to display.
Support for Netflow Services

Netflow services can be used to collect information about network traffic patterns and volume. To provide this information, IPSO tracks network flows. A flow is a unidirectional stream of packets that share a given set of characteristics. Click Configuration > Traffic Management > Netflow to access the Netflow Configuration page.

IPSO exports information about flows in flow records. To gather and analyze flow records, you must export them to a Netflow collector. Check Point has tested the following collectors:
- NetFlow Analyzer (AdventNet, Inc.): supports Versions 5 and 9
- Scrutinizer (Plixer International): supports Versions 5 and 9

Defining Flows

You control how IPSO defines flows by using metering modes:

Flows mode: If you use this mode, a flow is any sequence of packets that share
- source and destination IP addresses
- source and destination port numbers
- IP protocol
When you use flows mode, IPSO exports each flow in an individual flow record. This mode requires that a firewall is running and SecureXL is enabled.

Note - When you enable flows mode, IPSO automatically reduces the concurrent connection capacity by 25 percent. If you later disable flows mode, IPSO automatically increases the connection capacity to the previous value. When you enable or disable this mode, you should make the same adjustment in Check Point's SmartDashboard application.

ACL mode: If you use this mode, you define flows by configuring ACL rules. Traffic that matches a rule is a flow. (You must also enable the Netflow Metering option for any rule that you want to use for this purpose.) When you use ACL mode, all the traffic that matches a rule is exported in one flow record.

You can use both modes simultaneously. In this case, traffic that matches an ACL rule is reflected in a Flows mode flow and also in an ACL mode flow.
Flow Records

You configure IPSO to export flow records using the formats specified by Cisco for NetFlow Versions 5 and 9. (Version 9 is specified in RFC 3954.) Regardless of which export format you choose, IPSO exports values for the following fields:
- source IP address
- source subnet mask (used only when the record is generated by an ACL flow)
- destination IP address
- destination subnet mask (used only when the record is generated by an ACL flow)
- source port
- destination port
- input physical interface index (defined by SNMP)
- output physical interface index (defined by SNMP)
- packet count for this flow
- byte count for this flow
- start of flow timestamp (FIRST_SWITCHED)
- end of flow timestamp (LAST_SWITCHED)
- IP protocol number
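To make the Defining Flows and Flow Records sections concrete, the following added example (not IPSO's exporter and not Check Point code) aggregates constructed packets into unidirectional flows keyed on the 5-tuple that flows mode uses, packs them into the NetFlow version 5 wire format, and parses the datagram back the way a collector would. The field list above maps onto v5 record fields directly; the subnet-mask fields are left at zero here because the page says they are only filled for ACL-mode records. The v5 layout (24-byte header, 48-byte records) is the standard Cisco format; the packet tuples, interface indexes and timestamps are constructed.

```python
"""Flows-mode aggregation and NetFlow v5 export/parse for the fields the page lists.

Added illustration, not IPSO's exporter. Packets are aggregated into unidirectional
flows keyed on (src IP, dst IP, src port, dst port, IP protocol), packed into the
NetFlow version 5 wire format, and parsed back as a collector would. All packet
tuples, interface indexes and timestamps are constructed."""
import socket
import struct
from collections import OrderedDict

# NetFlow v5 layouts (24-byte header, 48-byte record), network byte order.
V5_HEADER = struct.Struct("!HHIIIIBBH")             # version, count, sysUptime, unix_secs,
                                                    # unix_nsecs, flow_sequence, engine_type,
                                                    # engine_id, sampling_interval
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # srcaddr, dstaddr, nexthop, input, output,
                                                    # dPkts, dOctets, First, Last, srcport,
                                                    # dstport, pad1, tcp_flags, prot, tos,
                                                    # src_as, dst_as, src_mask, dst_mask, pad2


def ip_to_int(addr):
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def int_to_ip(value):
    return socket.inet_ntoa(struct.pack("!I", value))


def aggregate_flows(packets):
    """Flows mode: one flow per unidirectional 5-tuple; returns key -> counters."""
    flows = OrderedDict()
    for ts_ms, src, dst, sport, dport, proto, length, if_in, if_out in sorted(packets):
        key = (src, dst, sport, dport, proto)
        flow = flows.get(key)
        if flow is None:
            flows[key] = {"first": ts_ms, "last": ts_ms, "pkts": 1, "bytes": length,
                          "input": if_in, "output": if_out}
        else:
            flow["last"] = ts_ms          # LAST_SWITCHED advances with every packet
            flow["pkts"] += 1
            flow["bytes"] += length
    return flows


def export_v5(flows, uptime_ms, unix_secs, sequence):
    """Pack aggregated flows into one NetFlow v5 datagram."""
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, sequence, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(ip_to_int(src), ip_to_int(dst), 0, f["input"], f["output"],
                       f["pkts"], f["bytes"], f["first"], f["last"], sport, dport,
                       0, 0, proto, 0, 0, 0,
                       0, 0,   # src/dst mask: the page says these are used only for ACL-mode records
                       0)
        for (src, dst, sport, dport, proto), f in flows.items())
    return header + records


def parse_v5(datagram):
    """Collector side: validate the header and return the exported fields per record."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram: version %d" % version)
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    out = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        out.append({"src": int_to_ip(r[0]), "dst": int_to_ip(r[1]),
                    "input": r[3], "output": r[4], "pkts": r[5], "bytes": r[6],
                    "first": r[7], "last": r[8], "sport": r[9], "dport": r[10],
                    "proto": r[13], "src_mask": r[17], "dst_mask": r[18]})
    return out


# Constructed packets: (timestamp ms, src, dst, sport, dport, proto, bytes, ifIndex in, ifIndex out)
SAMPLE_PACKETS = [
    (1000, "10.1.1.10", "10.2.2.20", 51000, 443, 6, 60, 1, 2),
    (1005, "10.2.2.20", "10.1.1.10", 443, 51000, 6, 60, 2, 1),   # reply direction = separate flow
    (1010, "10.1.1.10", "10.2.2.20", 51000, 443, 6, 1500, 1, 2),
    (1020, "10.1.1.10", "10.2.2.20", 51000, 443, 6, 1500, 1, 2),
    (1100, "10.1.1.10", "10.9.9.9", 40000, 53, 17, 80, 1, 3),    # one DNS query over UDP
]

if __name__ == "__main__":
    flows = aggregate_flows(SAMPLE_PACKETS)
    datagram = export_v5(flows, uptime_ms=5000, unix_secs=1302048000, sequence=0)
    for rec in parse_v5(datagram):
        print(rec)
```

Because flows are unidirectional, the reply packets of the TCP session form their own record rather than being folded into the client's, which is why a collector shows two records per bidirectional conversation. The length check in `parse_v5` is the one a collector needs so that a truncated or padded datagram is rejected instead of being decoded into garbage records.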
Enhancement for ACL Rules

When you create an access control list (ACL), you populate the ACL with rules that take configurable actions when traffic matches a pattern specified by the rule. With this enhancement, one of the actions you can configure for a rule is Bypass-FW, which causes ICMP traffic to bypass the firewall. You might use this action to prevent disruptive traffic that always comes from a known and trusted source from reaching the firewall.

Warning - Lengthy ACLs can degrade performance because all traffic first must be compared to the ACL. Use ACLs with caution.
Time Zone Package

You can now use a time zone package to update your time zone information without having to upgrade your IPSO image. You might want to do this to apply the latest daylight saving rules for your time zone, for example.

IPSO time zone information is based on the tz (zoneinfo) database available at elsie.nci.nih.gov/pub. When the tz database is updated, Check Point releases a new time zone package with the updated time zones. You can then update the time zone information on your system by installing the package.

The time zone package name uses the same versioning convention as the tz database. For example, if the tz database version being used is 2009b, the time zone package is named timezones-2009b.tgz. You can download the time zone package from the Check Point customer support site.
High-Availability Enhancements

New features and enhancements are included for the high-availability configurations that you can create using IP clustering and Check Point's implementation of the Virtual Router Redundancy Protocol (VRRP).

In This Section
HA Voyager page 30
IP Clustering Enhancements page 31

HA Voyager

HA Voyager is a new approach to creating and managing VRRP configurations. The main VRRP configuration page now includes a link for creating an HA VRRP configuration. Using this option allows you to configure and manage all the members of a VRRP group in a centralized way by using HA Voyager on one system. (When you use HA Voyager to configure VRRP, you create a simplified monitored-circuit configuration.)

When you create an HA VRRP configuration, Voyager displays a new tab (labeled HA Voyager) in the navigation tree. Clicking this tab displays many of the same links that appear under the System tab in the navigation tree. When you access a configuration page by using the HA Voyager navigation tree, any changes you make are implemented on all the members of the group. This simplifies your work and helps you keep the configuration of the group members synchronized.

Note - You can use HA Voyager on any member of the group. Regardless of which member you log into, your changes are implemented on all the other members.

Once you create an HA configuration group on one system, you can use HA Voyager on that system to add members to the group.

You probably want certain settings to be identical on all of your HA configuration group members. For example, you probably want each member to have the same static routes and the same settings for DNS, time, and Voyager web access. HA Voyager makes it easy to configure the members in this way by providing the Configuration Cloning option.
The IPSO online documentation and the Network Voyager Reference Guide include a configuration example that provides step-by-step instructions for using HA Voyager.

Configuring VRRP with HA Voyager

You can use HA Voyager to configure VRRP on all the members of an HA configuration group at once. This is the simplest way to configure VRRP, and it also makes it easy to ensure that the global VRRP options are set identically on all the members.

When you use HA Voyager to configure VRRP, you create a simplified monitored-circuit configuration, and all the requirements of simplified monitored-circuit VRRP apply. For example, before you create a VRRP backup (virtual) address, make sure that each member has an address on the same network as the backup address. For example, the following is a valid combination:
Member A address:
Member B address:
VRRP backup address:

For complete information on configuring simplified monitored-circuit VRRP, see the chapter High Availability Solutions in the IPSO online documentation and the Network Voyager Reference Guide.

IP Clustering Enhancements

Check Point's IP clustering high-availability solution has the following enhancements:
- Simplified clustering
- Cluster topology choices
- Advanced cluster tuning
- ISP redundancy supported

Simplified Clustering

Configuring an IP cluster and putting it into service is made easier by the new Simplified Clustering Configuration page. This page allows you to set up a cluster by making a minimal set of configuration choices. When you create a cluster in this way, IPSO chooses default values for a variety of cluster settings. You can still change any of these settings by using the Cluster Configuration page.

Cluster Topologies

Flexibility in designing IP clusters is provided by the following cluster topologies:
- Load balancing: All the nodes in the cluster are active, and connections are assigned to all of them. This is the default choice and is the only topology available in previous versions of IPSO.
- N+1: N is the (configurable) number of nodes that are active and have connections assigned to them. The remaining node is in hot standby mode, which means that connections are synchronized to it on an ongoing basis so that it is immediately ready for service should one of the active nodes fail. The load is balanced among the active nodes.
- Active/Hot Standby: One node is active and the other is in hot standby mode. Use this topology for two-node clusters in which you want only one node to be active. This topology is similar to an active/passive VRRP configuration, except that failover is faster because existing connections are continually synchronized with the standby node.

Advanced Cluster Tuning

Some advanced cluster options can be used to prevent issues that occur only in very specific circumstances.

ISP Redundancy Supported

Previous versions of IPSO do not support the use of Check Point's ISP Redundancy feature with IP clusters. This constraint is removed.
Configuration Migrator

There are times when you might want to copy much of the configuration information from one Check Point network security platform to another. For example, when you replace a Check Point network security platform with another Check Point platform, you might want to migrate much of the configuration from the system being replaced to the new system. You can now do this by using Network Voyager and the Configuration Migration feature. You can access the Voyager pages for this feature by clicking Tools > Configuration Migration at the bottom of the Voyager navigation tree.

When using the Migrate Configuration feature, keep the following terms in mind:
- Source platform: The platform from which you acquire the configuration information. If you are replacing a platform, you probably want to use the platform being replaced as the source.
- Target platform: The platform on which you apply the migrated configuration. If you are replacing a platform, the target is the new (replacement) platform.

Note - You perform almost all the operations using Voyager on the target platform. The only operations you might need to perform on the source are creating a configuration file or database file and enabling network access to the source.

It is important to understand that the Migrate Configuration feature is designed to copy configuration from one platform to another, not to make configuration changes on the target. If you want to make configuration changes on the target platform (for example, to assign new IP addresses that are not assigned to the source platform), do so after you complete the migration. Think of it as a two- or three-step process:
1. Migrate the configuration from the source to the target.
2. Make any required changes on the target.
3. If desired, export the configuration from the target to another system.

Migrate Configuration allows you to map interface configuration across the platforms. For example, you can map interface A on the source to interface B on the target so that interface B is configured identically to A.

You can also choose whether to migrate configuration information for specific features. For example, if you use Protocol-Independent Multicast (PIM) on the source but don't want to use it on the target, you can choose not to migrate it. You might also choose not to migrate PIM if you do intend to use it on the target but want to configure it from scratch. Choosing not to migrate a feature means only that the configuration information for that feature is not migrated. The feature itself is still available on the target. In this example, PIM is still available on the target after the migration, but it is not enabled or configured.

Acquiring Configuration Information

You can acquire configuration information from a Check Point platform running any version of IPSO from IPSO 3.7 through IPSO 4.2 (inclusive). You acquire configuration information by copying an IPSO configuration file or backup file from the source to the target. You can move these files directly from the source to the target (using Voyager or another method) or move them to a workstation first. Depending on how you want to move the file to the target, use one of the following options on the Acquire Configuration page:
- Remote Device: Use this option to transfer a file directly from the source to the target. You must have network access to the source. If you specify a file (configuration file or backup file), you must specify the complete path. If you do not specify a file, IPSO automatically copies the current configuration database file from the source. Prefer SCP as the transfer protocol: the transfer is authenticated and encrypted, and (as noted under Migrating Configuration Information) it also lets IPSO learn the source model and IPSO version.
  Note - This is probably the easiest way to acquire a configuration file.
- Upload: Use this option if you have moved the IPSO configuration file or backup file from the source to your workstation (the computer that is running Network Voyager).
- Local File: Use this option if you have moved the IPSO configuration file or backup file from the source to the target using FTP or a similar method. If you use this option, you must save the configuration file or backup file in one of several specified directories. To see which directories you can use, expand the directory tree in the Select File to Acquire box. Select the appropriate configuration or backup file by clicking it. Voyager then displays the selected file in boldface type.
Regardless of which method you choose, click Apply once you have selected the appropriate file. If IPSO recognizes that the file is a valid configuration file or backup file (and transfers it to the target, if necessary), you see a message indicating that the process succeeded and telling you to access the Migrate Configuration page.

If either of the following is true, IPSO also displays the model number of the source platform and the IPSO version used to make the configuration or backup file:
- You acquired a backup file (using any option).
- You used SCP as the protocol when using the Remote Device option to acquire a configuration file.

Migrating Configuration Information

Access the Migrate Configuration page by clicking the appropriate link under Migration in the Voyager navigation tree. If there are any unsaved configuration changes (changes to the current configuration on the target platform), Voyager displays a message telling you to click Save. After you do so, you can continue with the migration.

Voyager displays the IPSO version of the source configuration at the top of the page to help you verify that you acquired the appropriate configuration information.

IPSO needs to know the model number of the source platform. If IPSO was able to determine the number from the method you used to acquire the configuration or backup file, the number is displayed near the top of the page. Otherwise there is a menu from which you must choose the model of the source platform.

Mapping Interfaces and Completing the Process

You use the Migrate Configuration page primarily to map interfaces from the source to the target. Voyager provides information to help you choose which interfaces on the target are the best matches for the interfaces on the source. The table on the left lists all the physical interfaces on the source platform and identifies all the attributes associated with each interface. For example, you can see whether routing protocols, VRRP, SNMP, and so on are configured for an interface. This table also lists the configured speeds of the source interfaces. The table on the right lists the physical interfaces on the target platform and their available speeds.
In addition to the physical interfaces on the source platform, the table on the left lists all the logical interfaces that have IP addresses assigned. When you map a physical interface, IPSO migrates all the logical configuration for that interface to the physical interface on the target. You cannot map logical interfaces individually. If there is a logical interface without an associated IP address on the source platform (for example, a VLAN interface without an address), the logical interface does not appear in the table and is not migrated to the target.
You must map each source interface or explicitly choose not to migrate it by making selections in the Interface on Target Platform column. If you click Next or Finish without making a selection for every source physical interface, Voyager displays a message telling you that you must choose an entry for every interface and does not display the next page.

Warning - If an interface on the target is configured before you perform the migration, that configuration information is deleted when the new configuration is applied, even if you do not choose a mapping for it. For example, if a target interface has an IP address before the migration and you do not select it during the mapping process, the IP address is deleted when the new configuration is applied.

You cannot map multiple source interfaces to one interface on the target platform. If you attempt to do so, Voyager displays a message telling you that this is invalid.

The actual steps you take to complete the migration vary depending on whether there are any link aggregation group (LAG) or link redundancy group (LRG) interfaces on the source platform.

If there are no LAG or LRG interfaces:
1. For each interface, choose a mapping or explicitly choose not to migrate it.
2. Choose to migrate all features (accept the default setting) or prohibit selected features from being migrated. Remember that choosing not to migrate a feature means only that the configuration information for that feature is not migrated. The feature itself is still available on the target. See Migrating Features on page 37 for important information about this step.
3. Reboot or test boot the target platform.

If there are LAG or LRG interfaces on the source, the process is similar except that the LAG and LRG interfaces are presented on separate pages:
1. Map or explicitly choose not to migrate each non-LAG/non-LRG interface.
2. Map or explicitly choose not to migrate each LAG interface (if any).
3. Map or explicitly choose not to migrate each LRG interface (if any). If a LAG interface is part of an LRG interface, you can choose whether to migrate it as part of the LRG or to remove it from the LRG during the migration. (If you chose not to migrate this LAG interface in step 2, it is still listed in the table of LRG interfaces, but you cannot migrate it as part of the LRG.)
4. Choose to migrate all features (accept the default setting) or prohibit selected features from being migrated. See Migrating Features on page 37 for important information about this step.
5. Reboot or test boot the target platform.

Note - When the Finish button is available, you can click it to skip the process of selecting features to migrate. In this case, all the IPSO features on the source are migrated (the default setting). Clicking Finish always displays a page that allows you to complete the migration by rebooting or test booting the target platform.

Migrating Features

If you include Users as one of the features to be migrated (the default setting), the admin password of the source platform becomes the admin password of the target platform after you reboot it. If you want to prevent this, remove Users from the list of features to be migrated before you finish the migration. In this case, the original admin password of the target platform is retained after you reboot the target.

Configuration information for certain features cannot be migrated because it is not stored in IPSO configuration files. Examples include:
- optional disks
- PPPoE
- ISDN
- IPv6 host address (if the source configuration is from an IPSO version earlier than 6.1)

If configuration information for a feature cannot be migrated, the feature is not included in the list.
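The mapping rules above (every source interface needs a choice, no two source interfaces may share a target, and unmapped target interfaces lose whatever configuration they already have) are easy to check before touching the appliance. The following is an added example, not part of Voyager or IPSO, that applies those rules to a planned interface map; interface names and the inventories are constructed for illustration.

```python
"""Pre-flight check of an interface map for the Configuration Migrator.

Added example; it is not part of Voyager or IPSO. It applies the rules the
text states: every source physical interface needs either a target or an
explicit "do not migrate" choice, two source interfaces cannot share one
target, and every target interface that carries configuration but is not in
the map loses that configuration when the migrated configuration is applied.
Interface names and the inventories below are constructed for illustration.
"""
from typing import Dict, List, Optional

DO_NOT_MIGRATE = None   # the explicit choice in the "Interface on Target Platform" column


def validate_mapping(source_ifs: List[str], target_ifs: List[str],
                     mapping: Dict[str, Optional[str]]) -> List[str]:
    """Return the problems Voyager would refuse to proceed with (empty = clean)."""
    problems: List[str] = []
    for src in source_ifs:
        if src not in mapping:
            problems.append(f"{src}: choose a target or 'do not migrate'")
    for src in mapping:
        if src not in source_ifs:
            problems.append(f"{src}: not a physical interface on the source")
    claimed: Dict[str, str] = {}
    for src, tgt in mapping.items():
        if tgt is DO_NOT_MIGRATE:
            continue
        if tgt not in target_ifs:
            problems.append(f"{src} -> {tgt}: no such interface on the target")
        elif tgt in claimed:
            problems.append(f"{tgt}: mapped from both {claimed[tgt]} and {src}")
        else:
            claimed[tgt] = src
    return problems


def targets_losing_config(configured_targets: List[str],
                          mapping: Dict[str, Optional[str]]) -> List[str]:
    """Target interfaces whose existing configuration the migration will delete."""
    mapped = {t for t in mapping.values() if t is not DO_NOT_MIGRATE}
    return sorted(t for t in configured_targets if t not in mapped)


def report(source_ifs: List[str], target_ifs: List[str],
           configured_targets: List[str],
           mapping: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    return {"problems": validate_mapping(source_ifs, target_ifs, mapping),
            "will_be_wiped": targets_losing_config(configured_targets, mapping)}


if __name__ == "__main__":
    # Constructed inventories; interface names are illustrative only.
    SOURCE = ["eth1c0", "eth2c0", "eth3c0"]
    TARGET = ["eth-s1p1c0", "eth-s1p2c0", "eth-s2p1c0"]
    CONFIGURED_ON_TARGET = ["eth-s1p1c0", "eth-s2p1c0"]   # already carry IP addresses
    plan = {"eth1c0": "eth-s1p1c0", "eth2c0": "eth-s1p2c0", "eth3c0": DO_NOT_MIGRATE}
    print(report(SOURCE, TARGET, CONFIGURED_ON_TARGET, plan))
```

The "will_be_wiped" list is the part worth reading before you click Finish: it names the target interfaces that are configured today but absent from the map, which is exactly the case the warning above describes.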
IPSO Automated Configuration

You can use a USB storage device to install IPSO images, IPSO configuration files, and package files, such as Check Point package files, onto Check Point security appliances that have IPSO installed but have not yet been configured.

Note - You cannot use this feature to configure systems running a version of IPSO earlier than 6.1.

This feature allows experienced personnel at a central site to set up a USB device with the appropriate files for deploying new appliances at another site and then provide the USB device to a person at the other site to perform the deployment. The local operator inserts the USB device in an appliance to be configured and boots the system. The IPSO automated configuration feature installs the specified software and configuration on the appliance, with no intervention needed by the operator. The USB device can hold specific configuration information for different appliances, allowing multiple appliances to be configured from the same USB device. See the document Read Me: IPSO Automated Configuration for complete information about how to use this feature.

Warning - If you use a USB memory device (or a USB modem) with an IP290 or IP690 running IPSO 6.1 or higher, the following BIOS versions are required:
IP290: version or later
IP690: version or later
If you use a USB device with an IP290 or IP690 that does not meet this requirement, the system might hang if it is restarted with the USB device attached. To update the BIOS, contact Check Point Support.
Enhanced Configuration Summary Tool

The Enhanced Configuration Summary Tool (ECST) allows you to capture your current IPSO configuration, log files, core dumps and other information in a single file that can be sent to Check Point customer support for analysis. Typically, you run ECST after you have opened a case with Check Point support and have been asked to provide an ECST file. You can access the Voyager pages for this feature by clicking Tools > ECST Configuration at the bottom of the Voyager navigation tree.

When you run ECST, you can include any or all of the following information in the output file:
- Offline Network Voyager pages: captured Network Voyager pages that show your current configuration and can be viewed offline by Check Point customer support. You must supply your user name and password for ECST to capture the Network Voyager pages. To ensure that all the configuration information is captured, you should have at least read-only access to all IPSO features. When you include offline Network Voyager pages, ECST saves your current configuration before it captures the pages.
- Firewall information: firewall status, objects, tables, and diagnostics, as captured from utilities such as cpinfo, cpstat, and fw tab.
- IPSO information: captured output from the following utilities:
  date
  arp -a
  uname -a
  vmstat -mis
  ifconfig -v -a
  dbget -rv dynamic
  ps -auxw
  ipsctl -a
  df -k
  ntpdc -pn
  pstat -ks
  ls -l
  netstat
- IPSO log files: copies of the syslog log files, httpd access logs, httpd error logs, cron logs, and other logs.
- IPSRD/Core dumps: copies of the configuration files in /config, user directories in /var/emhome, IPSRD and core dumps, and firewall logs.

Because an ECST file can contain the full configuration database, user home directories and firewall logs, treat it as sensitive material: restrict access to it on the appliance and transfer it to Check Point only over a protected channel.
All ECST output files are stored in /opt/ecst_output on the appliance. Because the ECST output files can be quite large if you include the Network Voyager offline pages, Check Point recommends that you keep no more than three output files on your appliance at a time.

You can also run ECST from the IPSO shell, using the command:

    # ecst [ -cfhilv ]

If you include no options, ECST collects information based on its current configuration file. The contents of this file are determined by the Service Summary selections in Network Voyager. If no configuration file exists, ECST collects all information. If you specify options, ECST ignores the configuration file and collects just the information specified by the options. The options are described in Table 3-1.

Table 3-1 ECST Options
-c  Collect the core dump files, configuration files, and user home directories.
-f  Collect firewall information.
-h  Display help for the ecst command.
-i  Capture the output of the various utilities (same content as the legacy ipsoinfo utility).
-l  Collect the log files.
-v  Capture Network Voyager pages for offline viewing.

The files produced by ECST are in the /opt/ecst_output directory.
Enhancement for Increased Network Voyager Security

With previous versions of IPSO, Network Voyager was vulnerable to cross-site request forgery (CSRF), in which a malicious web page causes a browser that holds an authenticated Voyager session to submit a configuration request the user did not intend. In IPSO 6.1 and higher, this vulnerability has been eliminated. All URLs in Network Voyager now contain a random secret that is generated for each authenticated session. Any request made without this secret is treated as a breach, and the user is redirected to the login page. When the user logs off or the authenticated session times out, the URL secret becomes invalid.

The secret is not displayed in the browser address bar. Because of this, you are returned to the login page if you use:
- the refresh button
- a bookmark to reach a Network Voyager page
- a typed URL to reach a Network Voyager page

Check Point recommends that you use the navigation pane for navigation within Network Voyager.
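The mechanism described above, as an added example that is not Network Voyager's own code: each authenticated session receives a fresh random secret, application-generated links embed it in the URL, a request that arrives without the current secret (a bookmark, a typed URL, or a request forged from another site) is answered with a redirect to the login page, and the secret stops working on logoff or session timeout. The URL layout, the cookie-style session id, the login path and the idle timeout are assumptions for the demonstration.

```python
"""Per-session URL secret against cross-site request forgery.

Added example, not Network Voyager's code. It reproduces the behaviour the
text describes: one random secret per authenticated session, embedded in
every in-application URL; a request without the current secret is redirected
to the login page; the secret dies with the session on logoff or timeout.
The URL layout, session id, login path and idle timeout are assumptions.
"""
import hmac
import secrets
from typing import Dict, Optional

LOGIN_PAGE = "/cgi-bin/login"    # assumed login URL
IDLE_TIMEOUT = 15 * 60           # assumed inactivity timeout, seconds


class Session:
    def __init__(self, user: str, now: float) -> None:
        self.user = user
        self.secret = secrets.token_urlsafe(32)   # fresh per authenticated session
        self.last_seen = now


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, now: float) -> str:
        """Returns the session id the browser keeps (e.g. in a cookie)."""
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = Session(user, now)
        return sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)            # the URL secret dies with the session

    def lookup(self, sid: str, now: float) -> Optional[Session]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT:
            self.logout(sid)                     # timed out: secret no longer valid
            return None
        return s


def make_url(session: Session, page: str) -> str:
    """Links generated inside the application carry the session secret."""
    return f"/{session.secret}{page}"


def handle_request(store: SessionStore, sid: Optional[str], url: str, now: float) -> str:
    """Dispatch one request; returns 'status path' as a response summary."""
    session = store.lookup(sid, now) if sid else None
    if session is None:
        return f"302 {LOGIN_PAGE}"
    token, _, rest = url.lstrip("/").partition("/")
    # A bookmark, a typed URL or a cross-site request lacks the current secret.
    # Constant-time comparison so the check does not leak the secret byte by byte.
    if not hmac.compare_digest(token.encode(), session.secret.encode()):
        return f"302 {LOGIN_PAGE}"
    session.last_seen = now
    return f"200 /{rest}"
```

The point of binding the secret to the session rather than to the user is visible in the checks: a valid session cookie alone is not enough, because the forging site can make the browser send the cookie but cannot read the secret embedded in the victim's pages.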
Routing Enhancements

This section explains the enhancements for routing protocols in IPSO 6.1 or higher.

OSPF and BGP Graceful Restart Helper

When a router running OSPF or BGP restarts, all of its routing peers detect that the session failed and recovered. This transition results in a routing flap and causes routes to be recomputed, updates to be generated, and unnecessary churn in the forwarding tables. With IPSO 6.1 or higher you can enable a Graceful Restart Helper option on the OSPF Configuration and BGP Peer Configuration pages. Enabling this option minimizes the negative effects of peer routers restarting: the forwarding state advertised by a peer is retained while the peer restarts instead of being withdrawn.

To use the IPSO CLI to configure the Graceful Restart Helper option, use the following commands:

    set ospf graceful-restart-helper <on|off>
    set bgp external remote-as as_number peer ip_address graceful-restart-helper <on|off>
    set bgp external remote-as as_number peer ip_address graceful-restart-helper-stalepath-time seconds

In the BGP commands, the stalepath time is the maximum amount of time that routes previously received from a restarting router are kept so that they can be revalidated. The timer is started after the peer sends an indication that it has recovered.

Enhancements for RIP and OSPF Route Tags

If a Check Point platform running IPSO 4.2 receives a route tag in a RIP update, it passes the tag along in the RIP updates that it sends out. (IPSO 6.0 does not forward RIP tags.) However, IPSO 4.2 does not forward OSPF route tags or let you create tags for RIP or OSPF. IPSO 6.1 or higher forwards OSPF route tags, and you can now also create RIP and OSPF tags using Network Voyager and the IPSO CLI.

You can create route tags by using the following Voyager pages:
- Redistribute from OSPF External to RIP
- Redistribute from BGP (AS NUMBER) to RIP
- Redistribute from ASPATH to RIP
- Redistribute from BGP (AS NUMBER) to OSPF
- Redistribute from ASPATH to OSPF

To create route tags using the IPSO CLI, use the following commands:

    set routemap rm_name id id_number action ospfautomatictag tag
    set routemap rm_name id id_number action ospfmanualtag tag
    set routemap rm_name id id_number action riptag tag
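The graceful-restart-helper behaviour described above, as an added example that is not IPSO's routing daemon: when a peer that negotiated graceful restart goes down, the helper keeps that peer's routes in the forwarding table marked stale instead of withdrawing them; the stale-path timer starts only once the peer signals that it has recovered; routes the peer re-announces lose their stale mark; whatever is still stale when the peer sends End-of-RIB or when the timer expires is flushed. Prefixes, next hops and the timer value are assumed.

```python
"""BGP graceful restart helper, simulated.

Added example, not IPSO code. The helper_enabled and stalepath_time fields
play the role of graceful-restart-helper and
graceful-restart-helper-stalepath-time in the CLI commands above.
Prefixes, next hops and timer values are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: str
    next_hop: str
    stale: bool = False


@dataclass
class GracefulRestartHelper:
    helper_enabled: bool = True
    stalepath_time: float = 120.0              # seconds
    rib: Dict[str, Route] = field(default_factory=dict)
    stale_deadline: Optional[float] = None

    def learn(self, prefix: str, next_hop: str) -> None:
        """Normal UPDATE from the peer while the session is up."""
        self.rib[prefix] = Route(prefix, next_hop)

    def peer_down(self, peer_restart_capable: bool) -> List[str]:
        """Session loss. Returns the prefixes withdrawn from forwarding."""
        if not (self.helper_enabled and peer_restart_capable):
            # Classic behaviour: every route from the peer is withdrawn,
            # forwarding flaps and the table is recomputed.
            withdrawn = sorted(self.rib)
            self.rib.clear()
            return withdrawn
        for route in self.rib.values():
            route.stale = True          # keep forwarding, remember to revalidate
        return []

    def peer_recovered(self, now: float) -> None:
        """Peer reopens the session and signals recovery: start the stale-path timer."""
        self.stale_deadline = now + self.stalepath_time

    def readvertise(self, prefix: str, next_hop: str) -> None:
        """Route re-announced after the restart is current again."""
        self.rib[prefix] = Route(prefix, next_hop, stale=False)

    def flush_stale(self) -> List[str]:
        gone = sorted(p for p, r in self.rib.items() if r.stale)
        for p in gone:
            del self.rib[p]
        self.stale_deadline = None
        return gone

    def end_of_rib(self) -> List[str]:
        """Peer finished re-announcing: anything still stale was not revalidated."""
        return self.flush_stale()

    def tick(self, now: float) -> List[str]:
        """Timer check; flushes leftover stale routes once the deadline passes."""
        if self.stale_deadline is not None and now >= self.stale_deadline:
            return self.flush_stale()
        return []

    def forwarding_table(self) -> Dict[str, str]:
        return {p: r.next_hop for p, r in self.rib.items()}


def demo() -> Dict[str, str]:
    """Two routes from one peer; only one survives the restart."""
    h = GracefulRestartHelper(stalepath_time=120.0)
    h.learn("198.51.100.0/24", "192.0.2.1")
    h.learn("203.0.113.0/24", "192.0.2.1")
    h.peer_down(peer_restart_capable=True)    # nothing withdrawn, both marked stale
    h.peer_recovered(now=100.0)               # timer runs until t = 220
    h.readvertise("198.51.100.0/24", "192.0.2.1")
    h.tick(now=150.0)                         # still within the stale-path time
    h.tick(now=221.0)                         # 203.0.113.0/24 never came back: flushed
    return h.forwarding_table()


if __name__ == "__main__":
    print(demo())
```

Compare the two branches of peer_down: with the helper off (or a peer that never negotiated the capability) the session loss immediately withdraws every route, which is the flap the text describes; with it on, traffic keeps flowing over the old next hops for at most stalepath_time after recovery, bounded so a peer that never finishes its restart cannot leave stale forwarding state behind indefinitely.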
Support for USB Modem

IPSO 6.1 or higher includes support for the Radicom V92MB-U-E USB modem. You can use this modem for dialup or dialup/callback access.

Warning - If you use a USB modem (or USB memory device) with an IP290 or IP690 running IPSO 6.1 or higher, the following BIOS versions are required:
IP290: version or later
IP690: version or later
If you use a USB device with an IP290 or IP690 that does not meet this requirement, the system might hang if it is restarted with the USB device attached. To update the BIOS, contact Check Point Support.
Enhancement for Firewall Kernel Tuning

You can use Voyager to modify Check Point firewall kernel variables by using the Firewall Kernel Tuning Configuration page. This page provides the same functionality as the modzap shell command.

Warning - Use this feature only in consultation with a customer service representative. Do not modify firewall kernel variables unless instructed to do so by a service representative.

When you install IPSO or run Voyager for the first time on a new platform, the Firewall Kernel Tuning Configuration page does not appear. If a customer service representative instructs you to use this page, you must first display it by performing these steps:
1. Establish a command line connection to the platform (using a network connection or a console connection).
2. At the IPSO shell prompt, enter: dbset advanced:loader t
3. Run Voyager (or exit Voyager and run it again if Voyager was open when you entered the previous command).
4. Click Configuration > Tools > Firewall Kernel Tuning in the navigation tree.

To use this page, enter the firewall kernel variables as instructed by your customer service representative and then click Apply. Clicking Apply applies the firewall kernel variables and also saves the Voyager configuration so that the Firewall Kernel Tuning Configuration page appears again if you reboot the platform.

If you do not want Voyager to display the Firewall Kernel Tuning Configuration page, perform these steps:
1. Establish a command line connection to the platform (using a network connection or a console connection).
2. At the IPSO shell prompt, enter: dbset advanced:loader
3. Run Voyager (or exit Voyager and run it again if Voyager was open when you entered the previous command).

When you run Voyager after entering this command, the Firewall Kernel Tuning Configuration page does not appear, but your settings for firewall kernel variables are preserved.
If you also want to undo all the settings you implemented, delete the file /image/current/loader.conf and reboot the platform. After the reboot, any variables you configured by using the Firewall Kernel Tuning Configuration page have their previous values.
Chapter 4 What's New in Check Point IPSO 6.2 Compared to IPSO 4.2

This chapter describes the new features and enhancements in IPSO 6.2 compared to IPSO 4.2. In addition, IPSO 6.2 includes the new features listed in Main Enhancements and Fixes in IPSO 6.2 on page 9.

In This Chapter
IPSO Ported to FreeBSD 6.x page 48
New Features Compared to IPSO 4.2 page 49
IPSO Ported to FreeBSD 6.x

Early versions of IPSO are based on a much older FreeBSD release. FreeBSD has been greatly enhanced since that version was released, and Check Point has taken advantage of these developments by porting IPSO to FreeBSD 6.x. For example, FreeBSD 6.x, and therefore IPSO 6.0 and above, has improved memory management, performance, scheduling, threading, POSIX compliance, and other operating system features.
New Features Compared to IPSO 4.2

Check Point IPSO 6.2, when compared to IPSO 4.2, contains all the new features and enhancements that were introduced in IPSO 6.0.7 and IPSO 6.1. See:
- What's New in Check Point IPSO 6.2 Compared to IPSO 6.1 on page 17
- What's New in Check Point IPSO 6.2 Compared to IPSO 6.0.7 on page 21
Chapter 5 Comparison with Previous Versions

This chapter provides both a high-level and a detailed comparison of the features in IPSO 4.2, 6.0.7, and 6.1 with 6.2.

In This Chapter
High Level Comparison of IPSO Versions 4.2, 6.0.7, 6.1 With 6.2 page 52
Detailed Comparison of IPSO Versions 4.2, 6.0.7, 6.1 With 6.2 page 53
High Level Comparison of IPSO Versions 4.2, 6.0.7, 6.1 With 6.2

Table 5-1 presents a high-level comparison of IPSO 4.2, IPSO 6.0.7 and IPSO 6.1 with IPSO 6.2.

Table 5-1 High Level Comparison
Feature | IPSO 4.2 | IPSO 6.0.7 | IPSO 6.1 | IPSO 6.2
Supported Check Point Releases | R55p to R65 | R70 | R65 for IPSO 6.0 | see Supported Check Point Versions on page 63
CoreXL | no | yes | no | yes
UTM Features | FW, IPS, AV, URL Filtering | FW, IPS | FW, IPS | FW, IPS
SecureXL Version | | | |
Multiprocessing | no | yes | yes | yes
Multithreading | no | yes | yes | yes
Legacy Flows | yes | no | no | no
Detailed Comparison of IPSO Versions 4.2, 6.0.7, 6.1 With 6.2

This section presents a detailed comparison of the features supported by IPSO 4.2, IPSO 6.0.7, IPSO 6.1 and IPSO 6.2.

In This Section
Interface Features page 53
System Configuration Features page 53
High Availability Features page 55
Security and Access Features page 55
Routing Features page 56
Miscellaneous Features page 57
Command Line Features page 58

Table 5-2 Interface Features
Feature | IPSO 4.2 | IPSO 6.0 | IPSO 6.1 and 6.2
Transparent Mode | yes | no | yes
Link Aggregation | yes (dynamic and static) | yes (static only) | yes (dynamic and static)
Link Redundancy | yes | no | yes
PPPoE | yes | no | no
ARP Mirroring for VRRP | yes | no | yes

Table 5-3 System Configuration Features
Feature | IPSO 4.2 | IPSO 6.0 | IPSO 6.1 and 6.2
Banner and MOTD | yes | yes | yes
DHCP and DNS | yes | yes | yes
Disk Mirroring | yes | yes | yes
Optional Disk | yes | yes | yes
Hybrid Mode | yes | yes | yes
Logging to Optional Disk | yes | yes | yes
Core Dump to Optional Disk | yes | not required | yes
Core Dump to Remote Server | yes | yes | yes
System Failure Notification | yes | yes | yes
Mail Relay | yes | yes | yes
Autokey Authentication for NTP | no | yes | yes
Daylight Savings Time Enhancements | yes | yes | yes
Syslog | yes | yes | yes
Configuration Sets | yes | yes | yes
Backup and Restore | yes | yes | yes
Job Scheduler | yes | yes | yes
Licenses | yes | yes | yes
Advanced System Tuning | yes | yes (TCP MSS configuration not included) | yes (TCP MSS moved to interface page)
Upgrade Images | yes | yes | yes
Upgrade and Manage Packages | yes | yes | yes
Asset Information | yes | yes | yes

Table 5-4 High Availability Features
Feature | IPSO 4.2 | IPSO 6.0 | IPSO 6.1 and 6.2
VRRP | yes | yes | yes (including HA Voyager)
IP Clustering | yes | yes | yes (including simplified clustering and advanced tuning)
IP Clustering Unicast Mode | yes | no | yes
External Load Balancer | yes | no | yes
Single License VRRP | yes (removed from IPSO 4.2 MR4, since it violates the Check Point EULA) | no | no

Table 5-5 Security and Access Features
Feature | IPSO 4.2 | IPSO 6.0 | IPSO 6.1 and 6.2
Users | yes | yes | yes
Groups | yes | yes | yes
Enhanced Password Configuration | yes | yes | yes
AAA | yes | yes (nonlocal users not supported with TACACS+) | yes (nonlocal users are supported with TACACS+)
Network Access and Services | yes | yes | yes
Role Based Administration | yes | yes | yes
Voyager Web Access | yes | yes | yes
SSH | yes | yes | yes
IPSec | yes | no | no
Miscellaneous Security Settings | yes | no | no

Table 5-6 Routing Features
Feature | IPSO 4.2 | IPSO 6.0 | IPSO 6.1 and 6.2
BGP | yes | yes | yes
BGP Route Refresh | yes | no | yes
BGP Graceful Restart | no | no | yes
Remove Private AS Numbers from BGP Updates | yes | no | yes
OSPF | yes | yes | yes
OSPF Route Tags (create and forward) | no | no | yes
OSPF Graceful Restart | no | no | yes
OSPFv3 with VRRPv3 | yes | no | yes
RIP | yes | yes | yes
RIP Route Tags | yes (forward only) | no | yes (create and forward)
IGRP | yes | yes | yes
IGMP | yes | yes | yes
IGMP local and static groups | yes | no | yes
PIM | yes | yes | yes
PIM Over VTIs | yes | no | yes
PIM SSM | yes | no | yes
PIM dense mode state refresh | yes | no | yes
DVMRP | yes | yes | yes
Static Routes | yes | yes | yes
Static Multicast Routes | yes | no | yes
Mobile IPv4 | yes (unsupported) | no | no

Table 5-7 Miscellaneous Features
Feature | IPSO 4.2 | IPSO 6.0 | IPSO 6.1 and 6.2
IPv6 | yes | yes | yes
Traffic Management (including QoS) | yes | no | yes
Policy Based Routing | yes | no | yes
PIM accelerated | yes | no | yes
SNMP | yes | yes | yes
Voyager and CLI monitoring features | yes | yes | yes
Enhanced Graphing for Monitoring Pages (requires Adobe Flash version 8.0 or newer in the client browser) | no | yes | yes

Table 5-8 Command Line Features
Feature | IPSO 4.2 | IPSO 6.0 | IPSO 6.1 and 6.2
ipsctl | yes | yes | yes
dbset, dbget | yes | yes | yes
top | no | yes | yes
vmstat | yes | yes | yes
fw commands | yes | yes | yes
fwaccel commands | yes | yes | yes
clish | yes | yes | yes
bash shell | no | yes (default shell) | yes (default shell)
tcsh shell | no | yes | yes
sh shell | yes | yes (but not the default) | yes (but not the default)
Default Shell Inactivity Timeout (configured on the Voyager User Management page) | no | yes | yes
rc.local support | yes | yes (but see Change to rc.local Support on page 83) | yes (but see Change to rc.local Support on page 83)
60 Detailed Comparison of IPSO Versions 4.2, 6.0.7, 6.1 With
Chapter 6 Supported Platforms, Versions and Memory Configurations

In This Chapter
Supported IP Appliance Platforms page 62
Supported Check Point Versions page 63
Supported Memory Configurations page 64
Supported IP Appliance Platforms

Table 6-1 lists the platforms supported by IPSO 6.2 and includes the platforms supported by IPSO 4.2, 6.0.7 and 6.1 for comparison.

Table 6-1 Supported IP Appliance Platforms

Platforms | IPSO 4.2 | IPSO 6.0.7 | IPSO 6.1 | IPSO 6.2
IP45, IP60 | no | no | no | no
IP150 | yes | no | yes | yes
IP260, IP265 | yes | no | no | no
IP282 | yes (IPSO 4.2 MR8B (Build 106A05) and higher) | no | no | yes (IPSO 6.2 MR2 (Build GA039) and higher)
IP290 | yes | no | yes | yes
IP390 | yes | no | yes | yes
IP560 | yes | yes | yes | yes
IP690 | yes | yes (leverages multiple CPU cores) | yes (leverages multiple CPU cores) | yes
IP1220, IP1260 | yes | no | no | no
IP1280 | yes | yes (leverages multiple CPU cores) | yes (leverages multiple CPU cores) | yes
IP2250, IP2255 | yes | no | no | no
IP2450 | yes | yes (leverages multiple CPU cores) | yes (leverages multiple CPU cores) | yes
Supported Check Point Versions

You can install or upgrade to the following Check Point firewall versions on IPSO 6.2:
- R65 HFA70
- R70 and R70.x releases
- R71 and all R71.x releases
- R75

Download the releases and the release notes from the Check Point Support site.
Supported Memory Configurations

For a given amount of memory, an IP Appliance supports fewer connections when SecureXL is enabled than when it runs firewall flows (that is, when SecureXL is not enabled). Generally, when SecureXL is enabled, one connection is the equivalent of two flows; when SecureXL is disabled, two flows are created for each TCP connection. For unidirectional UDP traffic, one flow is created. However, if there is corresponding UDP traffic in the other direction, another flow is created; the net effect in this case is that two flows are created for the UDP traffic.

For information about the number of connections supported for specific amounts of memory, consult Table 6-2 and Table 6-3. Use the maximum connection values to determine which value to enter in Check Point SmartDashboard for the maximum number of connections. The values in both tables assume that you use SecureXL. If you do not use SecureXL (and use firewall flows instead), IPSO supports roughly twice the number of connections listed in the second column. A platform does not create more connections than its memory supports (even if you enter a value greater than the appropriate one listed here). If you configure IPSO to collect and export Netflow flow records, IPSO supports a smaller number of connections, as indicated in the tables.

Configure these settings in SmartDashboard: edit the gateway object and select Capacity Optimization.

Table 6-2 Disk-Based IP Security Platforms

DRAM | Check Point maximum connections | Hash table, Memory pool and Maximum memory size
1 GB | 360,000 (270,000 with Netflow) | Use automatic settings
2-4 GB | 900,000 (675,000 with Netflow) | Use automatic settings

Table 6-3 Flash-Based IP Appliance Platforms

DRAM | Check Point maximum connections | Hash table, Memory pool and Maximum memory size
1 GB | 225,000 (168,750 with Netflow) | Use automatic settings
2-4 GB | 725,000 (543,750 with Netflow) | Use automatic settings
Chapter 7 Performing the Initial Configuration

When you turn on a Check Point IP Appliance platform for the first time, you must provide it with some initial configuration information. You can use two methods to perform the initial configuration:
- In an automated fashion by using the built-in dynamic host configuration protocol (DHCP) client.
- Manually by using a console (direct serial) connection.

After you decide which method to use, follow the instructions in Using DHCP to Configure the System or Using the Console to Configure the System on page 71 to perform the initial configuration. Regardless of which method you use, see Performing Additional Configuration on page 75 for important information about how to proceed after you complete the initial configuration.

In This Chapter
Using DHCP to Configure the System page 68
Using the Console to Configure the System page 71
Registering the IP Appliance page 74
Performing Additional Configuration page 75
Using DHCP to Configure the System

The Check Point IPSO DHCP feature allows a properly configured DHCP server to provide your system with the following information:
- Host name
- IP address
- Default route

You can then use Check Point Network Voyager to reconfigure any of these settings. When you do so, Voyager keeps the modified settings. (DHCP is not used if configuration information already exists.) Your DHCP server automatically sets the administrative password of the IP system to password.

To use DHCP to configure your system, perform the following steps (which are explained in the following sections):
1. Configure your DHCP server.
2. Run the DHCP client on the Check Point system.

Configuring Your DHCP server

Configure a DHCP server with (at a minimum) mappings for:
- A host name for the Check Point system.
- The serial number of the Check Point IP Appliance platform.
- A static IP address for the platform.

IPSO also supports MAC-address based configuration.

Note - Your DHCP server must be on the same network as the Check Point platform or the DHCP/BOOTP relay must be configured on the intermediate routers.
The following example shows relevant DHCP configuration information (the addresses are shown as bracketed placeholders; substitute the values for your network):

    ddns-update-style ad-hoc;

    subnet <subnet-address> netmask <subnet-mask> {
        # default gateway
        option routers <gateway-address>;
        option subnet-mask <subnet-mask>;
        option domain-name-servers <dns-server-address>;
        range dynamic-bootp <first-address> <last-address>;

        host IP2450fixed {
            # serial number of the box
            option dhcp-client-identifier "123456";
            # static address and host name handed to this appliance
            fixed-address <appliance-address>;
            option host-name "IP2450";
        }
    }

Running the DHCP Client on the Check Point System

Note - Do not perform the following procedures unless you configured an appropriate DHCP server with configuration information for your platform.

1. Connect a NIC installed in your platform to your network.
2. Turn the platform on. The DHCP client program in the system starts automatically, and your DHCP server provides the appropriate configuration information. (This can require 5 to 10 minutes.)
3. From a computer on the same network, ping the IP address that you configured your DHCP server to provide to the Check Point system. When you receive replies from ping, you can use Check Point Network Voyager to connect to the system.
4. Connect to the system by using Voyager. To connect, start a Web browser and enter the IP address or host name of the system in the address or URL field of the browser.
5. Enter the user name admin and the password password.
6. Modify the configuration of the system as appropriate.

Note - Check Point strongly recommends that you change the password.

For information about how to proceed, see Performing Additional Configuration on page 75. If you intend to use the IPSO CLI or shell, be sure to see Using the IPSO CLI on page 75.
Using the Console to Configure the System

If you are installing a new Check Point IP Appliance platform and are not using DHCP to perform the initial configuration, follow the instructions in this section to perform the initial configuration. Before you begin, make sure that you know:
- A host name to assign to the platform.
- An IP address that you will assign to the platform.
- The appropriate network mask length.
- The IP address of the default gateway for the platform.
- An appropriate password to assign to the administrator account.

Performing the Configuration

1. Establish a physical console connection to the Check Point IP Appliance platform. The console can be any standard VT100-compatible terminal or terminal emulator with the following properties:
   - RS-232 data terminal equipment (DTE)
   - 9600 bps
   - 8 data bits
   - No parity
   - 1 stop bit
   You can also use a data communications equipment (DCE) device. To establish the physical console connection, follow these steps:
   a. Connect the appropriate cable to the local console port on the front panel of the platform. If the console is DTE, use the supplied null-modem cable (console cable). If the console is DCE, use a straight-through cable.
   b. Connect the other end of the cable to the console system.
2. Turn the platform on. After some miscellaneous output appears on the console connection, the following prompt appears:
       Hostname?
   If the Hostname? prompt does not appear on the console, see the installation guide of the relevant IP appliance platform for troubleshooting suggestions.
3. Respond to the Hostname? prompt within 30 seconds to prevent the DHCP client from starting. If you wait more than approximately 30 seconds before you type a response to the host name prompt, the DHCP client program starts automatically, and the system might be provided with a host name and IP address that is unknown to you. (This could happen if a DHCP server on your network is configured to supply configuration information to any system that requests it.) If this happens, follow these steps:
   a. Establish a console connection to the platform.
   b. Log into the system using the user name admin and the password password.
   c. Enter rm /config/active or mv /config/active /config/active.old
   d. Reboot the platform.
   e. Respond to the configuration prompts in a timely manner.
4. Respond to the following prompts. When you see the following message, type 1:
       You can configure your system in two ways:
       1) configure an interface and use our Web-based Voyager via a remote browser
       2) configure an interface by using the CLI
       Please enter a choice [ 1-2, q ]:
5. You are prompted to select a network interface to configure:
       Select an interface from the following for configuration:
       1) eth-s3p1
       2) eth-s4p1
       3) eth-s4p2
       4) eth-s4p3
       5) eth-s4p4
       Enter choice [1-5]:
   The list of interfaces that you see depends on the NICs that are installed. In the preceding example, eth-s3p1 is an ethernet interface in chassis slot 3, port 1, and eth-s4p4 is an ethernet interface in chassis slot 4, port 4. Type the number for the interface to configure. Remember that this is the interface you will connect to with Check Point Network Voyager or the CLI to continue with the configuration.
6. At the prompt, enter the IP address and subnetwork mask length.
7. When you see the following message, choose y (the default option):
       Do you wish to set the default route [ y ]?
   If you choose n, you cannot use Network Voyager unless you do one of the following:
   - Perform the installation procedure again and set a default route.
   - Use the command-line interface over a console connection to create a default route or static route.
   - Connect to the platform by using a system that is on the same network as a configured interface on the platform.
8. If you have a modem installed, you see a message similar to the following:
       Modem detected on /dev/cuaa1. Enable logins on this modem [y,n]:
   To enable logging in to the platform through the modem, you can configure the modem now or you can configure it in Nokia Network Voyager or the IPSO CLI after you complete the installation. To configure the modem for logins now, type y. You are then prompted to configure a country code for the modem.
9. When you are prompted to reboot the system, type reboot and press Enter.
Registering the IP Appliance

To activate the IP Appliance, you must first register it. To register the appliance, you must provide its MAC address. The registration generates a Check Point license and shows you how to install it. Use either of the following methods:
- Appliance registration wizard at Check Point User Center
Performing Additional Configuration

After you reboot the system, you are ready to continue configuring it. You can connect to the network interface you configured and perform the additional configuration using either:
- Check Point Network Voyager
- The IPSO CLI

Using Check Point Network Voyager

To log in to the system by using Network Voyager, follow these steps:
1. Start a Web browser on a workstation that has network connectivity to the Check Point IP Appliance platform.
2. In the Location or Address field of the browser, enter the IP address of the interface you configured on the platform.
3. Enter the user name admin and the password you entered when you performed the initial configuration in the appropriate fields.

Using the IPSO CLI

After the system reboots, SSH is on by default as a security measure. This means that you have two options to connect to a network interface and use the IPSO CLI (or the IPSO shell):
- Use an SSH client. This is the recommended approach. For more information, see Using an SSH Client. If you do not want users to be able to access the system with an SSH client, see Disabling SSH on page 77 for information about how to disable SSH.
- Connect to the configured network interface by using Telnet if it is enabled. Telnet is disabled by default if you:
  - purchase a platform with IPSO 6.1 installed
  - perform a fresh installation of IPSO 6.1 (use the boot manager install command)
  - load a factory default configuration database

To maintain optimum security, Check Point recommends that you disable Telnet and use an SSH client. For more information about how to disable Telnet, see Disabling Telnet on page 77.

Note - SSH does not apply to console connections. Regardless of whether SSH is enabled, you can always access the Check Point IP Appliance platform over a console connection.

Using an SSH Client

To communicate with your Check Point system by using SSH, you must have an SSH client program installed on a workstation that has network connectivity to the Check Point IP Appliance platform. At a minimum, you should use a host key as explained in Using a Host Key. For even better security, use authorized keys as well. For more information about how to use SSH with your Check Point system, see the Network Voyager Reference Guide.

Using a Host Key

IPSO automatically generates a host public and private key pair after you perform the initial configuration. For maximum security, you can install the public part of this key on the workstations that you will use to connect to the Check Point system. Having the host public key installed allows the SSH client program to verify that it really is communicating with the Check Point system and not a system that is falsely purporting to be the Check Point system.

If you do install the host public key on workstations, the most secure way to transport the key is to use an out-of-band method, such as transporting the key on a floppy disk. This reduces the possibility that the key could be substituted in transit.

If you do not install the public host key on a workstation that you use to connect to the platform, your SSH client asks you whether to accept the key presented by the Check Point system the first time you attempt to connect:
- If you choose to accept the key, the connection is established. This procedure is potentially less secure because the SSH client cannot be sure that the host key is really being supplied by the Check Point system.
- If you choose not to accept the key, you are not able to connect to the Check Point system.
When a workstation has the host public key (regardless of how it received it), the SSH client program can connect to the Check Point system as long as the host public and private key pair is valid.

Disabling Telnet

You can use Check Point Network Voyager or the IPSO CLI to disable Telnet.

Note - You must have Telnet enabled on your Check Point IP security platforms for Check Point Horizon Manager to communicate with the platforms in the unsecure mode. See the Horizon Manager documentation for more information.

To use Check Point Network Voyager to disable Telnet
1. Log into the platform by using Check Point Network Voyager. Enter the user name admin and the password you configured for this user when you performed the initial configuration.
2. In the Network Voyager navigation tree, select Configuration > Security and Access > Network Access and Services.
3. Click No for the Allow TELNET Access field.
4. Click Apply.
5. Click Save to make your change persistent across reboots.

To use the CLI to disable Telnet
1. Establish a console connection to the platform.
2. Log in using the user name admin and the password you configured for this user when you performed the initial configuration.
3. Start the CLI by entering: clish
4. Enter: set net-access telnet no

Disabling SSH

You can use Check Point Network Voyager or the IPSO CLI to disable SSH.

Note - SSH must be enabled on your Check Point IP security platforms for Horizon Manager to communicate with the Check Point platforms in the secure mode. For more information, see the Horizon Manager documentation.

To use Check Point Network Voyager to disable SSH
1. Log in to the platform by using Network Voyager. Enter the user name admin and the password you configured for this user when you performed the initial configuration.
2. In the Network Voyager navigation tree, select Configuration > Security and Access > SSH (Secure Shell) > SSH Configuration.
3. Click No for Enable SSH service (daemon sshd).
4. Click Apply.
5. Click Save to make your change persistent across reboots.

To use the IPSO CLI to disable SSH
1. Establish a console connection to the platform.
2. Log in by using the user name admin and the password you configured for this user when you performed the initial configuration.
3. Start the CLI by entering: clish
4. Enter: set ssh server enable off
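The out-of-band host key check described under Using a Host Key, as an added example that is not part of this guide or of IPSO: the functions below take the appliance's host public key in OpenSSH public key format ("ssh-rsa <base64 blob> [comment]"), which is an assumption here, since the guide does not give the key file's format or path, and produce the MD5 fingerprint you would read off on the console and the known_hosts line to install on the workstation before the first network connection. They assume a POSIX shell with awk, base64 -d, and either md5sum (Linux) or md5 (FreeBSD); the host address and key line in the comments are constructed.

```shell
#!/bin/sh
# Host key verification helpers (added example, not from the IPSO guide).
# Assumes: POSIX sh, awk, base64 -d, and md5sum or md5 on the PATH.

# fingerprint_md5 KEYLINE: print the colon-separated MD5 fingerprint of an
# OpenSSH public key line. This is the value to write down on the console
# and compare with what the SSH client shows on the workstation.
fingerprint_md5() {
    blob="$(printf '%s\n' "$1" | awk '{ print $2 }')"
    if command -v md5sum >/dev/null 2>&1; then
        hex="$(printf '%s' "$blob" | base64 -d | md5sum | awk '{ print $1 }')"
    else
        hex="$(printf '%s' "$blob" | base64 -d | md5 -q)"
    fi
    # insert a colon after every byte, drop the trailing one
    printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# known_hosts_entry HOST KEYLINE: print the line to append to the
# workstation's ~/.ssh/known_hosts so the client already trusts this
# host key before the first connection (no trust-on-first-use prompt).
known_hosts_entry() {
    host="$1"; keyline="$2"
    printf '%s\n' "$keyline" | awk -v h="$host" '{ print h, $1, $2 }'
}

# fingerprints_match SHOWN EXPECTED: compare the fingerprint the client
# displays with the one read from the console; case and an optional
# "MD5:" prefix are ignored. Returns 0 on match, 1 otherwise.
fingerprints_match() {
    a="$(printf '%s' "$1" | sed 's/^MD5://' | tr 'A-F' 'a-f')"
    b="$(printf '%s' "$2" | sed 's/^MD5://' | tr 'A-F' 'a-f')"
    [ "$a" = "$b" ]
}

# Stand-alone usage (constructed values):
#   fingerprint_md5 "$(cat ssh_host_rsa_key.pub)"
#   known_hosts_entry 192.0.2.10 "$(cat ssh_host_rsa_key.pub)" >> ~/.ssh/known_hosts
```

Once the entry is in known_hosts, connecting with ssh -o StrictHostKeyChecking=yes admin@<host> makes the client refuse, rather than ask, if the presented key differs from the installed one. A modern OpenSSH client prints SHA256 fingerprints by default; ssh-keygen -l -E md5 -f <keyfile> prints the same MD5 form this script computes.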
Chapter 8 Upgrading to Check Point IPSO 6.2

This chapter explains the requirements and procedures for installing or upgrading to IPSO 6.2. It is possible to upgrade to IPSO 6.2 directly from version 4.2 and higher. IPSO 6.2 supports the Check Point versions listed in Supported Check Point Versions on page 63.

You can install IPSO and packages using:
- Check Point Network Voyager
- CLI Shell (newimage and newpkg commands)
- IPSO command shell (clish command line)
- Horizon Manager (on multiple IP Appliance platforms simultaneously)

You can also install IPSO and packages on multiple cluster nodes simultaneously by using Cluster Voyager or the Cluster CLI. For more information, see the Clustering Configuration Guide for IPSO.

In This Chapter
Changes to Upgrade and Installation Procedures page 81
Downloading IPSO 6.2 and Related Files page 82
Before Installing IPSO 6.2 page 83
Adding Images Versus Overwriting Existing Images page 87
Adding an IPSO 6.2 Image and a Security Gateway Package page 88
Overwriting Existing Images (Fresh Installation) page 99
Other Upgrade Methods: Horizon Manager and the IPSO Shell page
Changes to Upgrade and Installation Procedures

With the introduction of IPSO 6.x, there are significant changes to the upgrade and installation procedures. Note the following important requirements:
- If you use Network Voyager or the newimage shell command to upgrade to Check Point IPSO 6.2, see Boot Security on page 81 for information about a change to this procedure.
- If you perform a fresh installation of IPSO 6.2 on a platform running IPSO 4.x (if you use the boot manager to perform the installation), you must follow the instructions in Overwriting Existing Images (Fresh Installation) on page 99. The process is different from installing IPSO 4.x, and you must follow the new procedure to perform a successful installation of IPSO 6.2.
- The file ipso.tgz is included in the IPSO 6.2 zip file on the Check Point Support site. Download and unzip this file to get the IPSO 6.2 version of ipso.tgz.

Boot Security

When a Check Point platform boots a version of IPSO previous to 6.x, it immediately loads the Check Point Security Gateway firewall and default filter (assuming that the firewall is installed and enabled). This provides security until IPSO and the firewall become fully active.

When you boot IPSO 6.x, it cannot load a module for any firewall version other than NGX R65 for IPSO 6.x or R70 or higher for IPSO 6.2. Therefore, until you install and enable R70 or higher for IPSO 6.2, the firewall cannot provide security during the bootup phase. When you upgrade from IPSO 4.x to IPSO 6.x, IPSO 6.x initially provides security by installing a set of rules using ipfw, the FreeBSD firewall. When IPSO detects that NGX R65 for IPSO 6.x or R70 or higher for IPSO 6.2 is installed, this temporary security measure is disabled.

Note - When the ipfw rules are in effect, you can access the platform using HTTPS. To do so, you must enable SSL in IPSO 4.x before you begin the upgrade (see Adding an IPSO Image Using Network Voyager on page 91 and Adding an IPSO Image from the Command Shell on page 92). You can also access the platform during this time using a console connection or SmartUpdate.
Downloading IPSO 6.2 and Related Files

To download IPSO and related files:
1. Download IPSO 6.2 from the Check Point Support Center (username and password required).
2. In the download page, note the MD5 value for verifying file integrity before installation.
3. Download the zip file to an FTP server or workstation.
4. Unzip the zip file to get ipso.tgz and other files.
5. To install the Check Point release packages, download them from the Check Point Support site.

You can now install IPSO 6.2 and the Check Point packages remotely from the FTP server or workstation. (See Adding Images Versus Overwriting Existing Images on page 87.)

The IPSO 6.2 download package contains the IPSO 6.2 installable image (ipso.tgz), the 6.2 Boot Manager file, BIOS upgrade images for the IP2450 and IP1280 platforms, and IPSO 6.2-related documentation.

IPSO 6.2-Related Documentation
- Getting Started Guide and Release Notes for IPSO 6.2 MR3 (this document)
- Network Voyager Reference Guide for IPSO
- CLI Reference Guide for IPSO
- Clustering Configuration Guide for IPSO
- IPSO Boot Manager Reference Guide
- Using IPSO Automated Configuration
Before Installing IPSO 6.2

This section explains information you should know and some tasks that you should perform before you install IPSO 6.2.

IP2450 Might Require BIOS Upgrade

On the IP2450, IPSO 6.2 requires version 2.12 or later of the system BIOS. (If you purchased an IP2450 with IPSO 6.2 already installed, the BIOS does not need to be upgraded.) Before you install IPSO 6.2 on a platform, verify the BIOS version by navigating to Configuration > Asset Information > Asset Summary in Network Voyager. The following examples show how to identify the version:
- V2.9 (version 2.9 must be upgraded)
- V2.12 (version 2.12 does not need to be upgraded)
- V or later (recommended for performance but not required)

Note - If your IP1280 or IP2450 has BIOS version 2.12, Check Point recommends that you update to V or later to improve performance with IPSO 6.2, but this upgrade is not required. To update the BIOS, contact Check Point Support. Do NOT downgrade the BIOS to a lower version than is already on the appliance.

If You Use Link Redundancy Before Upgrading to 6.2

If you create a link redundancy group with IPSO 6.2, the maximum number of ports in the group is two. However, this constraint does not apply if you have a link redundancy group with more than two ports in IPSO 4.x and upgrade to IPSO 6.2 by adding the 6.2 image. In this case, all the ports work after the upgrade but you cannot add any more ports to the group.

Change to rc.local Support

You can use the optional rc.local file to run site-specific commands when a system is booted. If you use an rc.local file, please be aware of the following:
- IPSO 6.x looks for the rc.local file in /etc rather than in /var/etc as earlier IPSO releases did. After you upgrade to IPSO 6.x, create a symbolic link in /etc that references the /var/etc/rc.local file by executing the following commands:

      # cd /etc
      # mount -uw /
      # ln -s /var/etc/rc.local /etc/rc.local

- Because the /etc directory is overwritten every time you perform an IPSO image upgrade, you must recreate the symbolic link after an upgrade.

Verify Free Space in Root Partition

On all platforms, you should have at least 180 MB of free disk space in your root partition to install an IPSO 6.2 image. Before the installation begins, an automatic check is made to ensure that enough free space is available. If necessary, determine the available disk space and make space available as follows:
1. Log in to the IPSO shell through a terminal or console connection.
2. To determine the available disk space, enter df -k at the IPSO shell. If the first number in the Avail column (which shows the available space in the root partition) is less than the required 180 MB (expressed in Kbytes), make more space available.
3. Make more space available in the root partition by deleting the temporary files specified in the following commands if they are present. (These files might not be present, depending on how the upgrades were done on your system.) Execute the following commands to delete the list of unwanted files:

      mount -uw /
      rm -f /image/*/bootmgr/*.sav
      rm -f /image/*/bootmgr/*.tmp
      sync
      mount -ur /

If you use the df command after you install IPSO 6.2 as a third image, you might see that the root partition is more than 100 percent full. If no errors were displayed while you installed IPSO 6.2, you can safely ignore this output from df.

When you have enough space in the root partition, follow the instructions in Putting the ipso.tgz file on Your Platform.
Putting the ipso.tgz file on Your Platform

After you make sure that at least 180 MB is available on the root partition, put the ipso.tgz file on an FTP server and transfer this file to the platform. You can transfer ipso.tgz in either of the following two ways:
- FTP the ipso.tgz file to the platform and install IPSO in one procedure. Follow the appropriate instructions in Adding Images Versus Overwriting Existing Images on page 87.
- FTP the ipso.tgz file to the platform first and then install IPSO in a separate procedure. Transferring IPSO 6.2 to your platform as a separate step allows you to perform a local installation (as opposed to a remote installation from an FTP server). Follow the instructions in Transferring the ipso.tgz file and Verifying File Integrity on page 86 and then follow the appropriate instructions under Adding Images Versus Overwriting Existing Images on page 87.

Warning - If you perform a fresh installation of IPSO, you must download the ipso.tgz file and perform the installation at one time. Do not copy the ipso.tgz file to the platform first; it will be overwritten during the installation procedure. For more information, see Overwriting Existing Images (Fresh Installation) on page 99.

Transferring the ipso.tgz file

Transferring IPSO 6.2 to your platform as a separate step allows you to perform a local installation (as opposed to a remote installation from an FTP server).
1. Use Check Point Network Voyager to enable FTP access to the platform. To do so:
   a. In Network Voyager, select Security and Access > Network Access and Services.
   b. In the Allow FTP access field, click Yes.
   c. Click Apply.
   d. Click Save to make your change permanent.
2. Open the directory on the FTP client that contains the ipso.tgz file.
3. Begin an FTP session to the IP Appliance platform. By default, the current directory should be /var/emhome/admin. Do not change the current directory.
4. At the prompt, enter: bin
5. Transfer the ipso.tgz file to the platform. At the prompt, enter: put ipso.tgz
6. Close the FTP session.

Verifying File Integrity

Make sure that there were no errors in the file download and transfer:
1. Log in to the IP Appliance platform through a console connection.
2. Create an MD5 value for the ipso.tgz file.
3. Verify that it matches the value posted on the download page. If the values are identical, the download was successful and the file is good. If not, download the file again, FTP it (in binary mode) again, and repeat this procedure.
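The two pre-installation checks above (free space in the root partition, and the MD5 of the transferred ipso.tgz against the value noted on the download page) as one script. This is an added example, not a script from the guide or from IPSO: it assumes a POSIX shell with df -k, awk, and either md5sum (Linux) or md5 (FreeBSD, which IPSO 6.x is based on), and it converts the guide's 180 MB requirement to 184320 Kbytes. The df output and the digest used in the comments are constructed. An MD5 match confirms that the download and the binary-mode FTP transfer did not corrupt the file; a mismatch means the file must be fetched and transferred again, as the guide says.

```shell
#!/bin/sh
# Pre-upgrade checks for an IPSO image (added example, not from the guide).
# Assumes: POSIX sh, df -k, awk, and md5sum or md5 on the PATH.

ROOT_MIN_KB=184320   # 180 MB, the free-space requirement stated in the guide

# root_avail_kb: read `df -k` output on stdin and print the Avail column
# (4th field) of the filesystem mounted on /. Prints nothing if no root
# line is found.
root_avail_kb() {
    awk 'NR > 1 && $NF == "/" { print $4; exit }'
}

# check_free_space AVAIL_KB: return 0 if the root partition has at least
# ROOT_MIN_KB available, 1 otherwise (or if the value is empty).
check_free_space() {
    avail_kb="$1"
    if [ -z "$avail_kb" ]; then
        echo "could not determine free space in the root partition" >&2
        return 1
    fi
    if [ "$avail_kb" -ge "$ROOT_MIN_KB" ]; then
        echo "root partition: ${avail_kb} KB available, enough for the image"
        return 0
    fi
    echo "root partition: ${avail_kb} KB available, need ${ROOT_MIN_KB} KB" >&2
    return 1
}

# md5_of FILE: print the hex MD5 digest using whichever tool is present.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE EXPECTED: compare the file's digest, case-insensitively,
# with the value copied from the download page. Returns 0 on match.
verify_md5() {
    file="$1"; expected="$2"
    actual="$(md5_of "$file")"
    if [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
        echo "$file: MD5 matches ($actual)"
        return 0
    fi
    echo "$file: MD5 mismatch (got $actual, expected $expected); download and transfer the file again" >&2
    return 1
}

# Stand-alone usage: sh preinstall_check.sh ipso.tgz <md5-from-download-page>
# Both arguments are needed; with none given, only the functions are defined.
if [ -n "$1" ] && [ -n "$2" ]; then
    check_free_space "$(df -k / | root_avail_kb)" && verify_md5 "$1" "$2"
fi
```

Run it in the directory that holds the transferred file (by default /var/emhome/admin, per the transfer steps above). A non-zero exit from either check means the upgrade should not proceed.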
Adding Images Versus Overwriting Existing Images

You can change the version of IPSO running on your platform in either of the following ways:
- Add the new version of IPSO (also known as an IPSO image) without removing the existing images or your configuration information. If you add a new version, you can revert to the earlier versions stored on the platform. When you do so, your IPSO configuration information is not affected. The procedure is explained in Adding an IPSO 6.2 Image and a Security Gateway Package on page 88. When you add an IPSO image, the IPSO boot manager is upgraded automatically if your system does not have the boot manager for the image you are adding.
- Perform a fresh installation, which removes the existing images and your configuration information. If you perform a fresh installation, you can restore versions of IPSO that were previously installed, but the process is more involved and all of your configuration information is removed again. For information about how to perform a fresh installation, see Overwriting Existing Images (Fresh Installation) on page 99.
88 Adding an IPSO 6.2 Image and a Security Gateway Package Adding an IPSO 6.2 Image and a Security Gateway Package Use the procedures in this section to add the new version of IPSO (also known as an IPSO image), a Security Gateway Package (R65 HFA70 or R70 (and above)) and other packages -- without removing the existing images or packages, or your configuration information. If you add a new version, you can revert to the earlier versions stored on the platform. When you do so, your IPSO configuration information is not affected. You can add IPSO images and Security Gateway packages to the IP Appliance by using Network Voyager, or by using the CLI shell. When you add an IPSO image, the IPSO boot manager is upgraded automatically if your system does not have the boot manager for the image you are adding. The workflow for adding an IPSO image and a Security Gateway package is as follows: 1. Deleting Images and Packages on page 89. Note - Only required when upgrading the IP290, IP390 and IP560 flash-based, diskless platforms to R70.x or R71.x. On IP290 flash-based, IP390 flash-based, and IP560 flash-based IP Appliances there is not enough flash space to upgrade to R75. You must do "fresh" installation (issue ). See the R75 Installation and Upgrade Guide 2. Adding an IPSO Image on page To install R65 HFA70, see Installing R65 HFA70 on page 94. To install R70 and above: a. Add the Security Gateway major version Adding and Activating R70, R71 or R75 on page 94. b. Add the Security Gateway minor version: Adding and Activating R71.x For Flash-Based IP290, IP390 and IP560 on page 97. Adding and Activating R70.x For Flash-Based IP290, IP390 and IP560 on page 97. Adding and Activating R70.x or R71.x For Disk-Based IP Appliances on page
Deleting Images and Packages

On the IP290, IP390 and IP560 flash-based, diskless platforms, which have only 1 or 2 Gbyte of flash memory, you can have a maximum of two IPSO images installed at a time. Therefore, before upgrading those flash-based platforms to R70.1, you must delete old images and packages in order to ensure that you have, at most:

- One IPSO 6.1, 6.07 or 4.2 image.
- One firewall R65 package.
- One IPSO documentation package.

To upgrade the IP290, IP390 and IP560 flash-based, diskless platforms to R70.x, R71.x or R75.x, delete old images by following the procedures in this section. For disk-based IP Appliance platforms, this is not required.

In This Section
Deleting an IPSO Image Using Network Voyager page 89
Deleting an IPSO Image Using the Clish Shell page 89
Deleting a Package Using Network Voyager page 90
Deleting a Package Using the Command Shell page 90

Deleting an IPSO Image Using Network Voyager

To delete an IPSO image using Network Voyager:

1. In Network Voyager, choose Configuration > System configuration > Images > Manage Images.
2. Choose Delete IPSO Images.
3. Select the image to delete.
4. Click Apply.

Deleting an IPSO Image Using the Clish Shell

To delete an IPSO image from the clish shell:

1. At the CLI command prompt, type clish.
   Note - The clish shell cannot be used on a system that was previously accessed by Network Voyager or another user, because the system is locked. To unlock the system, run the command set config-lock on override
2. To show existing images, type show image
3. To delete an image, type delete image <image_name>

Deleting a Package Using Network Voyager

To delete a package using Network Voyager:

1. In Network Voyager, choose Configuration > System configuration > Packages > Manage Packages.
2. Deselect the Enable check box of the package you want to delete.
3. Choose Configuration > System configuration > Packages > Delete Packages.
4. Select the packages to delete.
5. Click Apply.
6. For the flash-based (diskless) IP290, IP390 and IP560 only: delete the installation tgz file by selecting it.
7. Click Apply.

Deleting a Package Using the Command Shell

To delete a package using the command shell:

1. At the CLI command prompt, to show existing packages, type newpkg -q
2. To delete a package, type newpkg -u <package_name>
3. For the flash-based (diskless) IP290, IP390 and IP560 only: delete the installation tgz file: rm /opt/packages/<firewall_package_name.tgz>
Adding an IPSO Image

Use the procedures in this section to add the new version of IPSO (also known as an IPSO image) without removing the existing images or your configuration information. If you add a new version, you can revert to the earlier versions stored on the platform. When you do so, your IPSO configuration information is not affected.

Note - It is not possible to revert from R70.1 to an earlier version on the IP290, IP390 and IP560 flash-based, diskless platforms.

You can add IPSO images to the IP Appliance by using Network Voyager or by using the CLI shell. When you add an IPSO image, the IPSO boot manager is upgraded automatically if your system does not have the boot manager for the image you are adding.

In This Section
Adding an IPSO Image Using Network Voyager page 91
Adding an IPSO Image from the Command Shell page 92

Adding an IPSO Image Using Network Voyager

To upgrade the IPSO image to IPSO 6.2 using Network Voyager:

1. Enter Network Voyager, and also open a CLI console.
2. This step applies only to upgrades from IPSO 4.2. Before upgrading, enable HTTPS in Network Voyager so that it will be possible to access Network Voyager after the upgrade:
   a. In Network Voyager, choose Configuration > Security and Access > Voyager Web Access > Voyager Web Options.
   b. In the Require encryption section, select an encryption level.
   c. Click Save.
   d. Close Network Voyager.
   e. Make sure an HTTPS rule is enabled on the firewall so that access to Network Voyager with HTTPS is not blocked. Use SmartDashboard to connect to the Security Management and change the Security rules appropriately.
   f. Access Network Voyager using HTTPS.
3. Choose Configuration > System Configuration > Images > Upgrade Images. The Upgrade Image window opens.
4. Enter the following information:
   - Enter URL to the image location
   - Enter HTTP Realm (for HTTP URLs only)
   - Enter Username (if applicable)
   - Enter Password (if applicable)
5. Click Apply. You are informed that the file download and image installation may take some time.
6. Click Continue and then click Apply.
7. Click the Upgrade Image Status link. In the IPSO Image Management window, follow the upgrade status messages.
8. When the upgrade has completed, activate the newly installed image:
   a. Go to the Manage Images page.
   b. Choose the IPSO 6.2 image for the next boot. Typically this will be the Last Image Downloaded.
   c. Reboot.
9. Access the CLI console to see when the reboot is complete.
10. When the reboot is complete, reconnect to the Network Voyager home page via HTTP. Note: When upgrading from IPSO 4.2, connect via HTTPS.
11. Check the software release to verify that the image was set properly.

At this point you have IPSO 6.2. You are now ready to upgrade the firewall to R70.

Adding an IPSO Image from the Command Shell

To add an IPSO image using the CLI shell:

1. This step applies only to upgrades from IPSO 4.2. Before upgrading, enable HTTPS in Network Voyager so that it will be possible to access Network Voyager after the upgrade:
   a. At the CLI command prompt, type clish.
      Note - The clish shell cannot be used on a system that was previously accessed by Network Voyager or another user, because the system is locked. To unlock the system, run the command set config-lock on override
   b. Set the encryption level to 40, 56, or 128. For example, to set it to 128-bit or stronger, run: set voyager ssl-level 128
   c. Save the configuration. Run: save configuration
   d. Exit clish. Run: exit
   e. Make sure an HTTPS rule is enabled on the firewall so that access to Network Voyager with HTTPS is not blocked. Use SmartDashboard to connect to the Security Management and change the Security rules appropriately.
2. Verify that you are in the /var/emhome/admin directory.
3. Run: newimage -ik
   If you add a new version of IPSO by using the newimage command and the -k (keep) option, your previous packages are active with the new IPSO version. If you use newimage without the -k option, all the optional packages currently installed on the platform are turned off, but they are not deleted. To turn these packages on again, see Activating Packages on page 104.
4. Specify where the ipso.tgz image for IPSO 6.2 is located. For example, choose one of:
   - Install from FTP server with user and password.
   - Install from local filesystem.
5. FTP only: enter the FTP server location and credentials.
6. Enter the pathname to the packages, or enter "." for the current directory.
7. Enter the ipso.tgz package name, and press Enter.
   Note - On some appliances, installing the image can take some time. The newimage program might display the message Setting up new image... for a few minutes with no other sign of activity.
8. After the upgrade process completes, choose the image to run. For example, choose Newly Installed image.
9. Reboot the machine. At the prompt, type reboot
10. Verify the current image. Type uname -a
    IPSO 6.2 should be the current IPSO image.

Installing R65 HFA70

To install R65 HFA70, see the R65 HFA70 release notes.

Adding and Activating R70, R71 or R75

In This Section
Adding and Activating R70, R71 or R75 Using Network Voyager page 94
Adding and Activating R70, R71 or R75 Using the CLI Shell page 95
Upgraded Packages on a Security Gateway-Only IP Appliance page 96
Updating the Security Gateway Version in SmartDashboard page 96

Adding and Activating R70, R71 or R75 Using Network Voyager

Note - These instructions apply only to R70. For R71 or R75, search for the R71 Installation and Upgrade Guide or the R75 Installation and Upgrade Guide on the Check Point Support site. On IP290 flash-based, IP390 flash-based, and IP560 flash-based IP Appliances there is not enough flash space to upgrade to R75. You must do a fresh installation (issue ). See the R75 Installation and Upgrade Guide.

To install and activate an R70 package using Network Voyager:

1. Enter Network Voyager.
2. For flash-based IP290, IP390 and IP560 only:
   a. Choose Configuration > System configuration > Packages > Delete Packages.
   b. Select the R65 installation tgz file for deletion (but do not uninstall the R65 package).
   c. Click Apply.
3. Choose Configuration > System configuration > Packages > Install Packages.
4. Choose the remote location of the package:
   - FTP to upload from an FTP server
   - Upload to upload from a local machine
5. For FTP, enter the FTP site location and credentials.
6. For both the FTP and Upload methods, choose the package.
7. Click Save.
8. Click the link to install/upgrade the package.
9. In the Package Installation and Upgrade window, select Upgrade, and select the package to Upgrade From.
10. Click Apply. The upgrade begins.
11. To monitor progress, click the Install package link. The upgrade log is shown.
12. When an Installation Completed message appears, click Save.
13. Reboot the system. Choose Configuration > System configuration > Reboot or Shutdown System, and select Reboot. Alternatively, at the CLI console type reboot. After the reboot, R70 will be active.
14. Verify that R70 is active by running the following CLI console command: newpkg -q

Adding and Activating R70, R71 or R75 Using the CLI Shell

These instructions apply only to R70. For R71 or R75, search for the R71 Installation and Upgrade Guide or the R75 Installation and Upgrade Guide on the Check Point Support site. On IP290 flash-based, IP390 flash-based, and IP560 flash-based IP Appliances there is not enough flash space to upgrade to R75. You must do a fresh installation (issue ). See the R75 Installation and Upgrade Guide.

To install and activate the R70 package using the CLI shell:

1. Access the CLI console, and log in.
2. For flash-based IP290, IP390 and IP560 only: delete the R65 tgz file located at /preserve/opt/packages/ipso6_wrapper_r65.tgz. Do not delete the installed R65 package files under /opt/packages/installed.
3. Type newpkg, and press Enter.
4. Use the FTP menu option to transfer the R70 package. Choose the option: Upgrade from an old package.
5. Upgrade to the R70 package. Wait until a message informs you that the process is complete.
6. Type reboot and press Enter. The package is activated after the reboot.
7. Verify that R70 is active by running the following command: newpkg -q
8. Verify that R70 is the current version. Run fw ver on a Security Gateway or fwm ver on a Security Management server.

Upgraded Packages on a Security Gateway-Only IP Appliance

On a Check Point Security Gateway that is not a Security Management server, only the following packages are upgraded:

- /opt/cpinfo-10
- /opt/cpsuite-r70
- /opt/cpuag-r70

When upgrading a Check Point Security Gateway-only machine, the Backward Compatibility (BC) packages are not upgraded. This is because BC packages are only required on Security Management servers.

Updating the Security Gateway Version in SmartDashboard

At this point the IP Appliance enforces the Initial Policy, which does not allow HTTP connections. It is therefore not possible to connect via Network Voyager. To enforce the Security Policy and make it possible to connect to the IP Appliance via Network Voyager, install the Security Policy (that allows HTTP) via SmartDashboard.

To install the Policy on the IP Appliance:

1. Log in to the R70 SmartDashboard that controls the Security Management Server that manages the IP Appliance.
2. Edit the Check Point Security Gateway object of the IP Appliance.
3. Update the Security Gateway version. In the General Properties page, click Get.
4. Install the Policy.

Adding and Activating R71.x For Flash-Based IP290, IP390 and IP560

Before installing R71.10 and R71.20, you must first install the major release (R71). See Adding and Activating R70, R71 or R75 on page 94. R71.30 must be installed as a new installation on these flash-based platforms. Do not install R71 before installing R71.30. To install R71.x releases, search for the release notes on the Check Point Support site.

Adding and Activating R70.x For Flash-Based IP290, IP390 and IP560

Before installing the minor release package (R70.x), you must first install the major release (R70). See Adding and Activating R70, R71 or R75 on page 94. To install R70.1, see Adding and Activating the R70.1 Package - For Flash-Based IP290, IP390 and IP560 in the IPSO 6.2 MR2 Release Notes and Getting Started Guide. To install other R70.x releases, search for the release notes on the Check Point Support site.

Adding and Activating R70.x or R71.x For Disk-Based IP Appliances

Before installing the minor release package (R70.x or R71.x), you must first install the major release (R70 or R71). See Adding and Activating R70, R71 or R75 on page 94.

Note - These instructions apply to R70.1. To install R70.x or R71.x, search for the release notes on the Check Point Support site.

To install and activate the R70.1 package:

1. Using the command shell, download the R70.1 package via FTP to a location on the IP Appliance.
2. Untar the R70.1 package: tar zxvf <filename.tgz>
3. Install the R70.1 package. Run ./UnixInstallScript
4. When prompted, stop all Check Point processes.
5. After the installation is complete, you are prompted to reboot. Press y to accept.
Overwriting Existing Images (Fresh Installation)

Before performing a fresh installation, you must install the IPSO 6.2 boot manager. If you later want to perform a fresh installation of IPSO 4.x, you must reinstall the IPSO 4.x boot manager. The following summarizes the constraints:

- You cannot use the IPSO 6.2 boot manager to perform a fresh installation of IPSO 4.x.
- You cannot use the IPSO 4.x boot manager to perform a fresh installation of IPSO 6.2.

Note - The installation process takes longer on flash-based systems than on comparable disk-based systems. For example, if you install an image (using either of the above methods) on a flash-based IP690 and a disk-based IP690, the installation time is noticeably longer on the flash-based system. This is expected and does not indicate any problem.

Warning - The following procedure deletes any existing images and configuration information on your platform. Back up any files that you want to keep and copy them back to the platform after you install the new system.

Before you begin, make sure that you know:

- The serial number of your platform. The number is on a sticker attached to the platform and is preceded by S/N.
- Whether the platform will run IGRP.
- Whether the platform will run BGP.
- Whether to run the platform in flash-based (diskless) mode. For disk-based platforms, enter n, for no, when you are prompted with the following question: Do you want to install a diskless image (y/n)?
  Note - If there is a flash-memory PC card installed in a flash-based platform, the installation script also asks you whether you want to install the image or store log files on the card. You should not install an image on a PC flash card. If possible, you should not store log files on the card either. The best way to store logs locally on a flash-based platform is to use a hard disk installed as an optional disk.
- An IP address that you will assign to the platform.
- The appropriate network mask length.
- The IP address of the FTP server.
- The path to the ipso.tgz file on the FTP server.
- The IP address of the default gateway for the platform.
- A host name to assign to the platform.
- An appropriate password to assign to the administrator account.
- The boot manager password (if any). If you need information about this password, see the IPSO Boot Manager Reference Guide.

Note - If you perform a fresh installation and later downgrade to an earlier version of IPSO, all current configuration information except basic connectivity information is deleted. For example, if you perform a fresh installation of IPSO 6.2 and later downgrade to IPSO 4.2, everything except your connectivity configuration is deleted after you reboot your platform.

In This Section
Fresh Installation of the IPSO Image Using the Command Shell page 100
Fresh Installation of R70 or Higher Package Using Network Voyager page 103

Fresh Installation of the IPSO Image Using the Command Shell

This section describes how to perform a fresh installation of the IPSO image using the install command.

1. Download nkipflash-6.2.bin to the platform you will upgrade. This file contains the IPSO 6.2 boot manager and is available on the Check Point support site on the same page as the IPSO 6.2 image.
   Note - Check Point strongly recommends that you use the IPSO 6.2 boot manager to fresh install IPSO 6.2. If you install IPSO 6.2 on a platform running 6.0, using the 6.2 boot manager instead of the 6.0 boot manager can provide improved performance. You cannot use an IPSO 4.x boot manager to install IPSO 6.2.
2. Log on to the platform using a console connection if you have not done so already.
3. Navigate to the directory in which nkipflash-6.2.bin is stored.
4. Make sure that there were no download errors by creating a SHA1 or MD5 value for the file and verifying that it matches the value posted on the download page. If the values are identical, the download was successful and the file is good. If not, download the file (in binary) again and repeat this procedure.
5. Enter: upgrade_bootmgr [boot_device] nkipflash-6.2.bin
   Replace boot_device with wd0 or wd1 as indicated below:
   - Flash-based platforms: wd0
   - Disk-based platforms (except IP2450): wd1
   - Disk-based IP1280/IP2450: wd0
   If the platform is currently running IPSO 6.0, you do not need to specify the boot device.
6. If you see a message similar to the following, type y to continue the upgrade. This message is misleading and can be safely ignored.
   *** WARNING *** wd1 does not look like a boot manager device. Are you sure you want to write the boot manager image to wd1? Continue? [n]
7. When the system indicates that the boot manager upgrade is complete, enter: reboot
8. When the system enters autoboot mode and displays the following message, press any key to display the boot manager prompt:
   Type any character to enter command mode
9. At the boot manager prompt, enter: set-defaults
10. At the boot manager prompt, enter: install
    If a password is configured, the system prompts you to enter the boot manager password. The installation script runs. Follow the prompts to install the new IPSO image from an FTP server.
11. If you are asked whether you want to upgrade the boot manager, choose to do so.
12. If you are installing IPSO on a flash-based platform with one gigabyte of DRAM, do not choose to install packages when you see the message Retrieve all valid packages, with no further prompting? Your system does not have enough memory to extract the Check Point wrapper package, and the package installation will fail. After you successfully install IPSO 6.2, use Network Voyager or the newpkg command to install your packages.
13. At the end of the installation procedure, press Enter when you see this prompt: Installation completed. Reset system or hit <Enter> to reboot.
14. After your platform reboots, follow the prompts to configure basic settings such as hostname and admin password.
15. When you see the following message, type 1:
    You can configure your system in two ways:
    1) configure an interface and use our Web-based Voyager via a remote browser
    2) configure an interface by using the CLI
    Please enter a choice [ 1-2, q ]:
16. Configure the appliance interface by responding to the prompts. When you see the following message, choose y (the default option): Do you wish to set the default route [ y ]?
    If you choose n, you cannot use Network Voyager unless you do one of the following:
    - Perform the installation procedure again and set a default route.
    - Use the command-line interface over a console connection to create a default route or static route.
    - Connect to the platform by using a system that is on the same network as a configured interface on the platform.
17. When you are prompted to log in to the platform, you are ready to continue configuring your platform. Do one of the following:
    - Log into the platform and use the newpkg command to install packages.
    - Use Check Point Network Voyager to complete the configuration (including installing packages). To log in by using Network Voyager, enter the IP address you configured for the platform in the URL field of your browser.

Fresh Installation of R70 or Higher Package Using Network Voyager

To perform a fresh installation of the R70 packages using Network Voyager:

1. Log on to your platform by using Check Point Network Voyager.
2. In the Network Voyager navigation tree, select Configuration > System Configuration > Packages > Install Package.
3. Enter the name or IP address of the FTP server.
4. Enter the path to the directory on the FTP server where the packages are stored.
5. If necessary, enter the appropriate user name and password.
6. Click Apply. The names of the available packages appear in the Site Listing window.
7. Select the package you want to install.
8. Click Apply. The selected package is downloaded to the platform. When the download is complete, the package appears in the Unpack New Packages field.
9. Select the package in the Select a package to unpack field.
10. Click Apply.
11. Click the link to install or upgrade the package.
12. (Optional) To display all installed packages, click Display all packages; then click Apply.
13. (Optional) To perform a first-time installation, click Install; then click Apply.
14. (Optional) To upgrade a package, click Upgrade.
15. (Optional) To upgrade a package, click the button of the package that you want to upgrade under Choose one of the following packages to upgrade from.
16. Click Apply.
17. Click Save to make your changes permanent.

The packages are automatically activated as part of the installation process. To confirm the package installation and activation, check the Manage Packages page. If a package has not been activated, you can activate it as described in Activating Packages.

Warning - When you install a package using Network Voyager, you see the following message: Voyager environment has been updated with the latest package info. The telnet session environment will be updated by: logging out and logging in again the telnet session. This message might not be accurate. Click Manage Packages to verify that the package is installed. Refresh the page periodically until you see that the installation is complete.

Activating Packages

To turn on optional packages that were deactivated when you added a new version of Check Point IPSO by using the newimage command:

1. Log on to the platform using Check Point Network Voyager.
2. In the Network Voyager navigation tree, select Configuration > System Configuration > Packages > Manage Packages.
3. Click On next to the packages you want to turn on.
4. Click Apply.
5. Click Save.
6. Reboot your platform.

Your installation of IPSO 6.2 and R70 or higher is complete, and the packages that you selected are activated.
Other Upgrade Methods: Horizon Manager and the IPSO Shell

In addition to using Horizon Manager or the CLI Shell, it is possible to upgrade to IPSO 6.2 and R70 using:

- IPSO command shell (clish console session). For information about the IPSO shell, see the CLI Reference Guide for IPSO.
- Horizon Manager (on multiple IP Appliance platforms simultaneously).

Using Horizon Manager to Install IPSO and Packages

You can use Check Point Horizon Manager to automate the process of installing, upgrading, and enabling IPSO 6.2 and software packages on multiple IP Appliance platforms. Horizon Manager employs Do No Harm intelligence to prevent any incompatible IPSO version upgrades and software packages. Use the OS Install action to install IPSO 6.2 on as many as 2500 platforms in a single data set. Horizon Manager also provides actions that automate the installation and upgrade of software packages, such as Check Point R70.

Horizon Manager automates the entire installation process, including backing up configuration information before the upgrade and rebooting platforms to activate the new version of IPSO. You can download, install, or activate packages by using Horizon Manager on all of your Check Point platforms simultaneously or on groups of multiple devices simultaneously.

For detailed information about the installation and upgrade process, see the Horizon Manager documentation. For information about using Horizon Manager to install and activate packages, see the Horizon Manager Release Notes, v1.8 (N Rev 001).
Chapter 9 Configuration Tips, Limitations and Resolved Issues

Check Point wants to hear about information you might have regarding the limitations in this chapter. For information about how to contact Check Point Customer Service, see the contact information at the beginning of this document.

The following sections describe configuration tips and known limitations associated with IPSO 6.2. This chapter also lists a number of limitations that were fixed in IPSO 6.2. To see the most current list, download this document from the Check Point Support site.

The number associated with each configuration tip or limitation is the tracking number for the issue in Check Point's internal database. Reference this number if you contact Check Point about an item in this chapter.

In This Chapter
Configuration Tips page 108
Limitations page 114
Resolved Issues in IPSO 6.2 MR3

Configuration Tips

This section provides suggestions that you might find useful when configuring IPSO 6.2 on an IP Appliance platform.

Remote Authentication

Check Point IPSO allows the administrator to configure the mechanism for authenticating and authorizing users. This includes support for authentication via a remote server (using the RADIUS or TACACS+ protocols). If you configure a system so that users can be authenticated only by a remote server (you disable local authentication), and if that server does not allow access (perhaps because it does not have any record of the user), then the user will not be able to log in, even via the console. In IPSO 4.2 and earlier, a special exception existed for console access, but in IPSO 6.0 there is no such exception. If you use a remote authentication server, it is recommended that you configure in that server a password for each and every user account with which you administer IPSO, including admin (or some other user with equivalent permissions).

Cabling an IP2450 Platform

When cabling an IP2450 platform with copper cables, follow these guidelines:

- If you directly connect two IP2450 platforms (back-to-back), use a crossover cable.
- If you connect an IP2450 to a switch or hub, use a straight-through cable.

Use Half Duplex with Hubs

When connecting a Check Point network security platform to a hub, configure the Check Point interface to use half duplex. If you set the interface to full duplex, the link will come up but many collisions will occur, which could cause the link to flap or fail.

Optional Disks Erased when Selected

When you select a hard disk or card as an optional disk, any existing data on the device is erased. If you remove a PC card that contains log files and want to permanently store the data, insert the card into a PC or other computer and save the data to that system before reinserting the card into a Check Point flash-based platform. The IPSO CLI allows you to reselect an optional disk that you have already selected by reissuing a set optional-disk command. Doing so repartitions the optional disk.

Configuring Gigabit Ethernet Descriptor Size

Gigabit Ethernet interfaces can drop packets under specific circumstances in which the CPU is too busy to service the interfaces in a timely fashion. This problem is most likely to occur if there is a large amount of unaccelerated traffic, most of the traffic transits two interfaces, and both interfaces are Gigabit Ethernet.

You can prevent this problem from occurring by increasing the number of descriptors that are available for some Gigabit Ethernet interfaces. This allows the system to temporarily store more packets while waiting for the CPU to service them. The system uses one descriptor per packet unless it receives jumbo frames (Ethernet frames larger than 1518 bytes), in which case it uses multiple descriptors per packet. (You must explicitly enable support for jumbo frames by configuring the MTU for a Gigabit Ethernet interface to be greater than 1518 bytes.)

You can configure the number of descriptors by entering a value in the Descriptor Size field on the Network Voyager page for configuring physical Gigabit Ethernet interfaces. The acceptable values are 128, 256, and 512, and the default value is 128. The value you enter must be a multiple of 8. This option is not available on IP2250 or IP2255 systems and is also not available for certain Gigabit Ethernet interfaces that can be installed in other platforms.

Optimizing IP2450 Performance

Gigabit Ethernet interfaces on the IP2450 have a default descriptor size of 256. Only configure a descriptor size of 512 on the IP2450 if inbound and outbound production traffic is through just two Gigabit Ethernet ports. Do not configure the 512 descriptor size for any other port configuration unless instructed by Check Point Support, because it may cause severe performance degradation.

Configuring Remote Core Dump Servers

You can configure flash-based systems to transfer both application and kernel core files to a remote FTP server. When you do so, IPSO uses the user name ftp and the password passwd to log into the remote server anonymously. Some FTP servers do not allow this user name and password for anonymous logins. If this is true of your FTP server, you must create a user with this user name and password to allow IPSO to transfer application and kernel core files to the server.
Providing User Access to Monitor Pages

When you assign a role that provides access to a feature, the user gets access to the configuration pages for that feature but not to the monitor pages. To provide access to the monitor pages, you must include the monitor privilege for that feature in the role definition.

SNMP User privpassphrase Option Inaccurately Displayed

When you use the tab completion feature of the CLI to view the options for adding or modifying an SNMP user that has a security level of authnopriv, the privpassphrase option is displayed. You do not need to set a privacy pass phrase for a user with a security level set to authnopriv, and you can ignore this option in this case. If you attempt to set a privacy pass phrase, a message appears indicating that this is not necessary.

Audit Log Setting Not Permanently Saved

The system configuration audit log setting is not saved in the configuration file. You must reset it after a reboot to enable logging again. You set the system configuration audit log using Network Voyager by clicking System Logging under Configuration > System Configuration and selecting either Logging of Transient Changes or Logging of Transient and Permanent Changes. With the CLI, you set this parameter with the following command:

set syslog auditlog <disable | transient | permanent>
Terminal Emulator Display Configuration

If you use a terminal emulator (such as Microsoft Windows HyperTerminal) to connect to an IP390 or IP560, the system may display undesirable foreground and background colors as selected by the emulator software. To allow the IP390 or IP560 to automatically select the colors (typically white letters on a black background), configure your terminal emulation software to recognize ANSI characters with full ISO color emulation.

To configure HyperTerminal in this way, perform these steps:

1. Pull down the File menu and select Properties.
2. In the Properties dialog box, select the Settings tab.
3. Set the emulation to ANSI.
4. Click OK.

As an alternative approach, you can disable ANSI emulation and manually configure the foreground and background colors.

Do Not Insert or Remove PC Card During Boot

Do not insert or remove a PC card while a Check Point platform is starting up (for example, before you see the login prompt at the command line). Doing this can cause the system to hang.

Route Maps with BGP Confederations

You cannot use route maps in BGP confederations. To configure route filters and redistribution for BGP confederations, use the Inbound Route Filters and Route Redistribution pages in Network Voyager.
Workaround to Disable ifwd Daemon

Check Point firewall versions NGX R60 and later do not require the ifwd daemon. Whether the ifwd daemon is running or not has no effect on firewall operation. If you want to permanently disable the ifwd daemon, perform these steps:

1. In the Network Voyager navigation tree, select Firewall and Other Packages.
2. Click the Check Point Firewall-1 link.
3. Click the off radio button after the "Run ifwd daemon to monitor interface changes?" question.
4. Click Apply.
5. Because there is no Save button on this page, you need to save your changes from another Network Voyager page:
   1. Go to any other Network Voyager configuration page.
   2. Click in a text box on the page. This enables the Save button.
   3. Click Save.
Limitations

This section includes information about limitations in IPSO 6.2.

UTM Rxx is Not Supported

UTM Rxx is not supported on IPSO 6.2. Customers running IPSO 4.2 and UTM Rxx are advised not to upgrade.

Upgrade to R70 Issue When SmartUpdate is Not Used

After upgrading to R70, the Initial Policy is loaded if SmartUpdate is not used to upgrade the firewall package. In that case, you must install the Policy after upgrading.

Spurious Console Messages When R70 is Installed

You may see a large amount of text appear on the Network Voyager page after installing R70. You can ignore the text as long as the Voyager page indicates Success. If the Network Voyager page indicates Error, consult the text to determine the reason for the failure.

Before Installing, Ensure Same Version Is Not Installed

Before installing a package, make sure that the same version is not already installed.

Silent Mode Support in newpkg

The newpkg command does not support silent mode (-S) for package activation (-a) or deactivation (-D). The newpkg help incorrectly documents it as doing so.

Cannot Uninstall R70.1 from Flash-Based Platforms

R70.1 cannot be uninstalled from flash-based IP Appliance platforms.

PBR Does Not Work with VPNs

Policy based routing (PBR) does not work if a VPN is enabled on the system.
Issue with IKE Acceleration and IP690 ADP Module

If you attempt to enable IKE acceleration for a VPN tunnel that terminates at an interface on an Accelerated Data Path (ADP) module installed in an IP690 platform, the system does not accelerate IKE traffic and you see console errors similar to the following:

Dec 3 11:07:56 IP690-zulu <daemon.[log_err]>opencryptokimodule [1460]: PKCS11 config initialization: No Hardware Tokens Present

Issue with ADP Interface LEDs

If you have an RJ-45 only ADP services module (one that does not use SFP modules) in an IP2450 or IP1280, a problem occurs if you disable the Autoadvertise option for an interface while there is no cable connected to the interface. In this situation, the interface link LED on the module illuminates, incorrectly indicating that the link is active. Voyager also incorrectly indicates that the link is active. This problem does not occur with fiber optic interfaces or with RJ-45 SFP modules.

Issue with UDLD Under Heavy Traffic

If you enable the Cisco Unidirectional Link Detection (UDLD) protocol on a fiber-optic interface (to improve detection of partial link failures), a problem can occur if the platform receives very heavy traffic. Under this condition, some UDLD packets might get dropped, which causes IPSO to see the link as unidirectional and deactivate the interface. If IPSO deactivates a UDLD interface, a connected Cisco switch also deactivates the corresponding port and does not reactivate that port without user intervention unless configured to do so.

HA Voyager Does Not Respond

When a High Availability (HA) member goes down, HA Voyager pages become intermittently unavailable. If that occurs, wait for a minute or two for HA Voyager to become available again.
IP690 Console Access Issue at Max. Connection Capacity

The IP690 platform running IPSO 6.2 might temporarily lose console access when it is operating at the maximum capacity of 900,000 connections with NAT enabled on all of them. This is only temporary; when the number of concurrent connections falls below the maximum supported limit, console access is restored. This behavior does not occur when the number of concurrent connections is at 80% of capacity.

Memory Issue when Netflow is Enabled

When Netflow is enabled, additional memory is required to maintain Netflow related statistics and information on a per flow basis. Due to this additional memory requirement, the concurrent connection capacity of the box is reduced by about 25% when Netflow is enabled. If Netflow is not enabled, there is no impact on the concurrent connection capacity of the appliance.

IPv6 for Access Control Lists Not Supported

IPv6 for Access Control Lists is not supported.

Configuring 1000M/Full Duplex Using Voyager with IE

When using Network Voyager with Internet Explorer 6, 7 or 8 to configure the speed for a physical interface, if you choose a speed of 1000 Mbps, the Duplex is automatically selected as "Full", but Full Duplex is not actually configured. Use either of the following workarounds to configure the interface correctly:

1. Use the Firefox browser to configure the speed. With Firefox the duplex is correctly configured as "Full Duplex".
2. First configure the interface as 10Mbps/Full-Duplex or 100Mbps/Full-Duplex, then change the speed to 1000 Mbps. This correctly configures Full Duplex with a speed of 1000 Mbps.
No Swap Space Allocated on Flash-Based Systems

On flash-based systems, because of the lack of disk space, no swap space is allocated. If the system runs out of memory, processes are terminated. This is most noticeable when running the Enhanced Configuration Summary Tool (ECST), which launches many processes to collect information from the system. Processes that are managed by pm (the IPSO Program Manager) are restarted automatically.

Firewall R70 Package Information Display

Firewall R70 package information is displayed in Network Voyager as Release 00, in the Packages > Install Packages page and in the Packages > Manage Packages page. This Release number can be ignored.

Deleted ARP Entries on Interface Disconnect

After disconnecting an interface, all proxy ARP entries are deleted from the ARP table, but they are not restored when the interface is connected again. To prevent the entries from being deleted, run the command ipsctl -w net:ip:arp:hold_statics 1, or add the proxy ARP entries manually via Voyager.

Transparent Mode with IPv6

Transparent mode does not work with IPv6.
Resolved Issues in IPSO 6.2 MR3

This section includes information about limitations that existed in previous versions and that have been fixed in IPSO 6.2 MR3.

ID Description/Improvement

UniDirectional Link Detection (UDLD) protocol packets are no longer dropped by ADP cards.

Stability issues with the xpand process used by Network Voyager and the configuration system have been fixed.

The clish command "show asset packages" now works correctly when used in CRON.

Invalid error messages displayed in the Network Voyager page Monitor > System Health > SecureXL Firewall Connection Statistics are fixed.

The Static Routes page in the HA Voyager tab shows up to 50 static routes, and there is a link to see more. This link now works correctly when running VRRP with HA Voyager enabled and hundreds of static routes configured.

The snmp interface index number of the interface on which a Virtual Router (VR) is created now stays the same, as it should, after a VRRP transition.

When disabling and then re-enabling a Link Aggregation Group (LAG), the interface settings are now correctly set to the values that were used before the interface was disabled.

The value of the snmp v1 trap "vrrptrapnewmaster" enterprise field is now the same as in IPSO 4.2 and other vendor snmp v1 implementations.

Site-to-Site VPN performance of IPSO 6.2 with R70 and higher on uniprocessor platforms has been improved so that it is the same as the performance of IPSO 4.2 with R65.
tcpdump has been fixed so that it no longer reports duplicate packets.

On IP290 and IP390 appliances, the "ipsctl -a hw:memory" command now reports correct information.

Previous releases were not able to process TCP connections that require PSL processing in bridging mode. Samba services therefore did not work properly. This is now fixed.

When a tcpdump was performed on an IP Appliance Security Gateway, the gateway would core dump and reboot in certain hardware configurations. This has been fixed.

The dbpasswd command required by Horizon Manager was added.

The Disable/Enable All Virtual Routers option (introduced in IPSO 4.2) now appears in the Network Voyager Legacy VRRP Configuration page.

If a host sends a traceroute request through the IP Appliance gateway to a network that is defined in the gateway routing tables as unreachable, the gateway sends a "Destination Unreachable" message to the host. In previous versions, when the default route was defined as unreachable, the gateway did not send a "Destination Unreachable" message. In this version, the gateway does send a "Destination Unreachable" message.

When performing an advanced upgrade to IPSO 6.2 from IPSO 4.2 using the upgrade_export and upgrade_import commands, the management server configuration is correctly imported to the target management server.

The Clish command for VRRP monitored circuits, "set vrrp interface <interface name> monitored-circuit vrid <vrid #> <on/off>", now recognizes the on/off portion of the command.
The time-out for applying configuration changes has been increased, to avoid time-out errors when saving changes to a very large configuration database (such as 2 MB).

In previous versions the snmp counters of ethernet interfaces incorrectly reported counter values using 32-bit values. In this version the counters are correctly shown using 64-bit values.

When handling IPv6 traffic, the operating system is now stable.

Generic Routing Encapsulation (GRE) tunnel keepalive packets are not dropped by the IP Appliance gateway.

Adding overlapping routes from the Network Voyager page "Add New Static Route" no longer causes a problem in the ipsrd routing configuration file. If an overlapping route was added in a previous IPSO 6.2 version, clean up the database as follows:

1. Run dbset on all the static route bindings to set them to NULL. For example:
   dbset ipsrd:instance:default:static:network: :masklen:23:gateway:address:
   dbset ipsrd:instance:default:static:network: :masklen:23:gateway:address:
2. Save the database. Run dbset :save

The IP Appliance will now forward non-RFC compliant DHCP and BOOTP packets. This makes it possible to use the IP Appliance as a relay that connects certain older-model printers to a LAN.

It is now possible to create a graph for a logical interface using the "Interface Dashboard" function (found in Network Voyager under Monitor > Performance Monitor) even after changing the name of the logical interface.
Internal BGP sessions use a metric called the local preference, which is carried in internal BGP update packets in the path attribute LOCAL_PREF. This metric indicates the degree of preference for an external route. LOCAL_PREF no longer changes when passing through the IP Appliance.

The system status view for an IP 390 appliance (in Network Voyager System > Monitor > Hardware Monitoring > System Status) now shows all the values (Fan, Power Supply, Temperature and Voltage).

It is now possible to enable VRRP if support for an external load balancer is enabled.

When adding a new member to a VRRP High Availability (HA) cluster, the HA secret can now use special characters. For example: !, $, %, @, &, *, (, ), <, >, +.

The Network Voyager option "Monitor Firewall State" (under System > Configuration > IPv6 Configuration > Router Services > IPv6 VRRP) is now handled correctly.

URL logging now works correctly with Check Point R71. (URL Logging is configured in SmartDashboard by adding a URI Resource to the service of a Firewall rule.)

When disabling a Policy Based Routing (PBR) route within Network Voyager, the route is now removed from the list of routes.

SNMP performance monitoring messages generated by the perfmond daemon, such as "perfmond: SQL error fwd: database is locked", are now limited so that fewer messages are printed. These messages are not serious, so they are limited in order not to distract monitoring systems.

Link aggregation and link redundancy incoming packet errors on Ethernet interfaces are now counted correctly by the "netstat" command.
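The IKE-acceleration console error listed under Limitations and the perfmond "database is locked" messages above are the kind of lines an operator has to tell apart when IPSO console output is forwarded to a log collector: one means a VPN tunnel is silently not getting the acceleration that was configured, the other is documented here as harmless noise. The following Python is an added example, not code from the release notes or from Check Point. It parses the IPSO syslog line shape the notes quote (timestamp, host, <facility.[severity]>, program, [pid], message) and classifies lines against two rules taken from this document. The rule table, the perfmond and ipsrd sample lines, and every host and pid value other than those in the quoted line are constructed for the example.

```python
"""Parse IPSO syslog lines and triage messages documented in the release notes.

Added example, not part of the IPSO release notes or of Check Point code.
The only genuine line in SAMPLE_LINES is the one the release notes quote;
the others are constructed to exercise the parser.
"""
import re
from typing import Dict, List, Optional

# IPSO console/syslog line shape, as quoted in the release notes:
#   Dec 3 11:07:56 IP690-zulu <daemon.[log_err]>opencryptokimodule [1460]: PKCS11 ...
# The day may be padded with one or two spaces, and the [pid] part is optional.
_LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+<(?P<facility>[a-z0-9]+)\.\[(?P<severity>[a-z_]+)\]>"
    r"(?P<program>[^\s\[]+)(?:\s*\[(?P<pid>\d+)\])?:\s*(?P<message>.*)$"
)

# Triage rules: (program, substring of message, verdict, note).
# Both message texts come from the release notes; the verdicts are the
# reader's interpretation of what the notes say about each message.
_RULES = [
    ("opencryptokimodule", "No Hardware Tokens Present", "alert",
     "IKE acceleration requested on an ADP interface; IKE traffic is NOT being accelerated"),
    ("perfmond", "database is locked", "noise",
     "perfmond SQL lock message; documented as not serious"),
]


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of one IPSO syslog line, or None if it does not match."""
    m = _LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(line: str) -> Dict[str, str]:
    """Classify one line as 'alert', 'noise', 'info' (parsed, no rule) or 'unparsed'."""
    fields = parse_line(line)
    if fields is None:
        # Never silently drop a line the parser does not understand.
        return {"verdict": "unparsed", "note": line.strip()}
    for program, needle, verdict, note in _RULES:
        if fields["program"] == program and needle in fields["message"]:
            return {"verdict": verdict, "note": note, "program": program,
                    "host": fields["host"], "severity": fields["severity"]}
    return {"verdict": "info", "note": fields["message"], "program": fields["program"],
            "host": fields["host"], "severity": fields["severity"]}


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count verdicts over a batch of lines, so noise and alerts are visible side by side."""
    counts: Dict[str, int] = {}
    for line in lines:
        verdict = triage(line)["verdict"]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Sample input: the first line is quoted from the release notes; the rest are constructed.
SAMPLE_LINES = [
    "Dec 3 11:07:56 IP690-zulu <daemon.[log_err]>opencryptokimodule [1460]: "
    "PKCS11 config initialization: No Hardware Tokens Present",
    "Dec  3 11:08:10 IP690-zulu <daemon.[log_err]>perfmond [2231]: "
    "perfmond: SQL error fwd: database is locked",
    "Dec  3 11:08:12 IP690-zulu <daemon.[log_info]>ipsrd [311]: "
    "VRRP transition on eth1c0",
    "this is not a syslog line",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(triage(sample))
    print(summarize(SAMPLE_LINES))
```

The unparsed bucket is deliberate: a collector that drops lines its regex does not match is exactly how a new message format hides a real failure, so anything that does not match is surfaced rather than discarded.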
IPv6 route advertisement packets no longer cause memory leaks.
NetFlow Collection and Processing Cartridge Pack User Guide Release 6.0
[1]Oracle Communications Offline Mediation Controller NetFlow Collection and Processing Cartridge Pack User Guide Release 6.0 E39478-01 June 2015 Oracle Communications Offline Mediation Controller NetFlow
Virtual Web Appliance Setup Guide
Virtual Web Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance This guide describes the procedures for installing a Virtual Web Appliance. If you are installing
PFSENSE Load Balance with Fail Over From Version Beta3
PFSENSE Load Balance with Fail Over From Version Beta3 Following are the Installation instructions of PFSense beginning at first Login to setup Load Balance and Fail over procedures for outbound Internet
Panorama High Availability
Panorama High Availability Palo Alto Networks Panorama Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054
GRAVITYZONE HERE. Deployment Guide VLE Environment
GRAVITYZONE HERE Deployment Guide VLE Environment LEGAL NOTICE All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
Virtual Appliance Setup Guide
Virtual Appliance Setup Guide 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their respective
NQA Technology White Paper
NQA Technology White Paper Keywords: NQA, test, probe, collaboration, scheduling Abstract: Network Quality Analyzer (NQA) is a network performance probe and statistics technology used to collect statistics
Network Scanner Tool R3.1. User s Guide Version 3.0.04
Network Scanner Tool R3.1 User s Guide Version 3.0.04 Copyright 2000-2004 by Sharp Corporation. All rights reserved. Reproduction, adaptation or translation without prior written permission is prohibited,
ReadyNAS Replicate. Software Reference Manual. 350 East Plumeria Drive San Jose, CA 95134 USA. November 2010 202-10727-01 v1.0
ReadyNAS Replicate Software Reference Manual 350 East Plumeria Drive San Jose, CA 95134 USA November 2010 202-10727-01 v1.0 2010 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced,
Virtual Managment Appliance Setup Guide
Virtual Managment Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance As an alternative to the hardware-based version of the Sophos Web Appliance, you can deploy
Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1
Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 This document supports the version of each product listed and supports all subsequent versions until the document
Chapter 4 Customizing Your Network Settings
. Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the Wireless-G Router Model WGR614v9, including LAN, WAN, and routing settings. It
Chapter 15: Advanced Networks
Chapter 15: Advanced Networks IT Essentials: PC Hardware and Software v4.0 1 Determine a Network Topology A site survey is a physical inspection of the building that will help determine a basic logical
Contents. Platform Compatibility. SonicOS
SonicOS Contents Platform Compatibility... 1 Licensing... 2 Key Features... 2 Known Issues... 5 Resolved Issues... 7 Upgrading SonicOS Image Procedures... 8 Related Technical Documentation... 13 Platform
eprism Email Security Suite
Guide eprism 2505 eprism Email Security Suite 800-782-3762 www.edgewave.com 2001 2012 EdgeWave. All rights reserved. The EdgeWave logo is a trademark of EdgeWave Inc. All other trademarks and registered
Prestige 202H Plus. Quick Start Guide. ISDN Internet Access Router. Version 3.40 12/2004
Prestige 202H Plus ISDN Internet Access Router Quick Start Guide Version 3.40 12/2004 Table of Contents 1 Introducing the Prestige...3 2 Hardware Installation...4 2.1 Rear Panel...4 2.2 The Front Panel
Availability Digest. www.availabilitydigest.com. Redundant Load Balancing for High Availability July 2013
the Availability Digest Redundant Load Balancing for High Availability July 2013 A large data center can comprise hundreds or thousands of servers. These servers must not only be interconnected, but they
Installing and Configuring vcenter Support Assistant
Installing and Configuring vcenter Support Assistant vcenter Support Assistant 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced
Chapter 7 Troubleshooting
Chapter 7 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 200. After each problem description, instructions are provided to help you diagnose and
1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet
Review questions 1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet C Media access method D Packages 2 To which TCP/IP architecture layer
High Availability. FortiOS Handbook v3 for FortiOS 4.0 MR3
High Availability FortiOS Handbook v3 for FortiOS 4.0 MR3 FortiOS Handbook High Availability v3 2 May 2014 01-431-99686-20140502 Copyright 2014 Fortinet, Inc. All rights reserved. Fortinet, FortiGate,
OSBRiDGE 5XLi. Configuration Manual. Firmware 3.10R
OSBRiDGE 5XLi Configuration Manual Firmware 3.10R 1. Initial setup and configuration. OSBRiDGE 5XLi devices are configurable via WWW interface. Each device uses following default settings: IP Address:
GregSowell.com. Mikrotik Basics
Mikrotik Basics Terms Used Layer X When I refer to something being at layer X I m referring to the OSI model. VLAN 802.1Q Layer 2 marking on traffic used to segment sets of traffic. VLAN tags are applied
How To Backup a SmartCenter
How To Backup a SmartCenter 6 April 2011 2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing
GLBP - Gateway Load Balancing Protocol
GLBP - Gateway Load Balancing Protocol Gateway Load Balancing Protocol (GLBP) protects data traffic from a failed router or circuit, like Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy
Cisco AnyConnect Secure Mobility Solution Guide
Cisco AnyConnect Secure Mobility Solution Guide This document contains the following information: Cisco AnyConnect Secure Mobility Overview, page 1 Understanding How AnyConnect Secure Mobility Works, page
Intelligent Power Protector User manual extension for Microsoft Virtual architectures: Hyper-V 6.0 Manager Hyper-V Server (R1&R2)
Intelligent Power Protector User manual extension for Microsoft Virtual architectures: Hyper-V 6.0 Manager Hyper-V Server (R1&R2) Hyper-V Manager Hyper-V Server R1, R2 Intelligent Power Protector Main
Security Gateway R75. for Amazon VPC. Getting Started Guide
Security Gateway R75 for Amazon VPC Getting Started Guide 7 November 2011 2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright
Chapter 12 Supporting Network Address Translation (NAT)
[Previous] [Next] Chapter 12 Supporting Network Address Translation (NAT) About This Chapter Network address translation (NAT) is a protocol that allows a network with private addresses to access information
Packet Capture. Document Scope. SonicOS Enhanced Packet Capture
Packet Capture Document Scope This solutions document describes how to configure and use the packet capture feature in SonicOS Enhanced. This document contains the following sections: Feature Overview
LifeSize UVC Access Deployment Guide
LifeSize UVC Access Deployment Guide November 2013 LifeSize UVC Access Deployment Guide 2 LifeSize UVC Access LifeSize UVC Access is a standalone H.323 gatekeeper that provides services such as address
Chapter 7 Configuring Trunk Groups and Dynamic Link Aggregation
Chapter 7 Configuring Trunk Groups and Dynamic Link Aggregation This chapter describes how to configure trunk groups and 802.3ad link aggregation. Trunk groups are manually-configured aggregate links containing
