Release Notes and Getting Started Guide. IPSO 6.2 MR3 (Build GA055B01)


Release Notes and Getting Started Guide
IPSO 6.2 MR3 (Build GA055B01)
April 6, 2011


Contents

Chapter 1 Main Enhancements and Fixes in IPSO 6.2
  Enhancements in IPSO 6.2 MR3 (Build GA055B01)
  Enhancements in IPSO 6.2 MR2 (Build GA039)
  Enhancements in IPSO 6.2 MR1 (Build GA29a02)
  Enhancements and Fixes that are New in IPSO
  Dynamic Adjustment of Descriptor Ring Size
  Allow Console Messages to be Redirected < >
  VRRP Enhancement for Load Balancers < >
  DNS Fast Expire Enhancement < >
  PIM with NAT < >
  Auto Detect Support for the Endpoint Connect VPN client
  Supports 1Gb and 10Gb Ethernet Cards
  Enhancement for Configuration Summary Tool < >
  Enhancement for IP Broadcast Helper < >
  Enhancement for ICMP Reply Throttling < >
  Enhancement for Argentina Time Zone Changes < >
  Changes to Upgrade and Installation Process

Chapter 2 What's New in Check Point IPSO 6.2 Compared to IPSO 6.1
  Support for R70 and Higher with CoreXL
  Configuring IPSO for CoreXL
  Performance Monitoring Enhancements Compared to IPSO
  Connection Dashboard
  Connection Map Dashboard
  System Health

Chapter 3 What's New in Check Point IPSO 6.2 Compared to IPSO
  Performance Monitoring Enhancements Compared to IPSO
  Connection Dashboard
  Connection Map Dashboard
  Traffic Dashboard
  Forwarding Dashboard
  Interface Dashboard
  System Dashboard
  ADP Dashboard
  Custom Dashboard
  Support for Netflow Services
  Defining Flows
  Flow Records
  Enhancement for ACL Rules
  Time Zone Package
  High-Availability Enhancements
  HA Voyager
  IP Clustering Enhancements
  Configuration Migrator
  Acquiring Configuration Information
  Migrating Configuration Information
  IPSO Automated Configuration
  Enhanced Configuration Summary Tool
  Enhancement for Increased Network Voyager Security
  Routing Enhancements
  OSPF and BGP Graceful Restart Helper
  Enhancements for RIP and OSPF Route Tags
  Support for USB Modem
  Enhancement for Firewall Kernel Tuning

Chapter 4 What's New in Check Point IPSO 6.2 Compared to IPSO 4.2
  IPSO Ported to FreeBSD 6.x
  New Features Compared to IPSO

Chapter 5 Comparison with Previous Versions
  High Level Comparison of IPSO Versions 4.2, 6.0.7, 6.1 With
  Detailed Comparison of IPSO Versions 4.2, 6.0.7, 6.1 With

Chapter 6 Supported Platforms, Versions and Memory Configurations
  Supported IP Appliance Platforms
  Supported Check Point Versions
  Supported Memory Configurations

Chapter 7 Performing the Initial Configuration
  Using DHCP to Configure the System
  Configuring Your DHCP server
  Running the DHCP Client on the Check Point System
  Using the Console to Configure the System
  Performing the Configuration
  Registering the IP Appliance
  Performing Additional Configuration
  Using Check Point Network Voyager
  Using the IPSO CLI

Chapter 8 Upgrading to Check Point IPSO 6.2
  Changes to Upgrade and Installation Procedures
  Boot Security
  Downloading IPSO 6.2 and Related Files
  IPSO 6.2-Related Documentation
  Before Installing IPSO
  IP2450 Might Require BIOS Upgrade
  If You Use Link Redundancy Before Upgrading to
  Change to rc.local Support
  Verify Free Space in Root Partition
  Putting the ipso.tgz file on Your Platform
  Adding Images Versus Overwriting Existing Images
  Adding an IPSO 6.2 Image and a Security Gateway Package
  Deleting Images and Packages
  Adding an IPSO Image
  Installing R65 HFA
  Adding and Activating R70, R71 or R
  Adding and Activating R71.x For Flash-Based IP290, IP390 and IP
  Adding and Activating R70.x For Flash-Based IP290, IP390 and IP
  Adding and Activating R70.x or R71.x For Disk-Based IP Appliances
  Overwriting Existing Images (Fresh Installation)
  Fresh Installation of the IPSO Image Using the Command shell
  Fresh installation of R70 or Higher Package Using Network Voyager
  Other Upgrade Methods: Horizon Manager and the IPSO Shell
  Using Horizon Manager to Install IPSO and Packages

Chapter 9 Configuration Tips, Limitations and Resolved Issues
  Configuration Tips
  Limitations
  Resolved Issues in IPSO 6.2 MR


Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS and FAR

TRADEMARKS: Please refer to for a list of our trademarks

For third party notices, see


Chapter 1 Main Enhancements and Fixes in IPSO 6.2

Check Point IPSO 6.2 is a new version of the IPSO operating system used on Check Point IP Appliance platforms. This chapter describes enhancements and fixes that are new in IPSO 6.2. It also summarizes the changes to the upgrade and installation procedure.

The numbers in angle brackets after the headings in the following sections are the tracking numbers for the issues in Check Point's internal database of problem resolutions. Reference the number if you contact Check Point about any of these items.

In This Chapter
- Enhancements in IPSO 6.2 MR3 (Build GA055B01)
- Enhancements in IPSO 6.2 MR2 (Build GA039)
- Enhancements in IPSO 6.2 MR1 (Build GA29a02)
- Enhancements and Fixes that are New in IPSO 6.2
- Changes to Upgrade and Installation Process

Note - The latest version of this document is at:

Enhancements in IPSO 6.2 MR3 (Build GA055B01)

IPSO 6.2 MR3 (Build GA055B01) includes a large number of resolved issues. See Resolved Issues in IPSO 6.2 MR3 on page 118.

Enhancements in IPSO 6.2 MR2 (Build GA039)

IPSO 6.2 MR2 (Build GA039) supports the IP282 appliance.

Enhancements in IPSO 6.2 MR1 (Build GA29a02)

IPSO 6.2 MR1 (Build GA29a02) fixes an issue that may occur on some IP1280/1285 or IP2450/2455 systems, in which persistent false over-temperature or voltage alarms are reported. These alarms may in turn cause packet loss and degraded performance.

Enhancements and Fixes that are New in IPSO 6.2

The enhancements and fixes listed in this section are new to IPSO 6.2 and were not available in any previous IPSO version. IPSO 6.2 also includes all the features of IPSO 6.1 and IPSO. For those features, see:
- Chapter 2, What's New in Check Point IPSO 6.2 Compared to IPSO 6.1
- Chapter 3, What's New in Check Point IPSO 6.2 Compared to IPSO
- Chapter 4, What's New in Check Point IPSO 6.2 Compared to IPSO 4.2

This release of IPSO 6.2 contains all the enhancements and fixes that are included in previous IPSO 6.2 releases.

In This Section
- Dynamic Adjustment of Descriptor Ring Size
- Allow Console Messages to be Redirected < >
- VRRP Enhancement for Load Balancers < >
- DNS Fast Expire Enhancement < >
- PIM with NAT < >
- Auto Detect Support for the Endpoint Connect VPN client

Dynamic Adjustment of Descriptor Ring Size

This enhancement allows the administrator to adjust the pools of memory descriptors used by an interface when transmitting or receiving packets. The pools for transmit and receive can be set independently. This feature is useful when packet loss occurs for a traffic pattern that is bursty in nature.

To configure transmit and receive ring size in Network Voyager, select Configuration > Interface Configuration > Interfaces, and then edit the physical interface.

To configure ring size in the CLI, use the commands

set interface <interface name> rx-ringsize/tx-ringsize

and

show interface <interface name> rx-ringsize/tx-ringsize

Transmit (TX) and receive (RX) ring size values are also displayed for general show commands such as

show interface <interface name> all

Allow Console Messages to be Redirected < >

This enhancement allows console messages to be redirected to a file or some other device. A common use is when policies are being installed on gateways.

VRRP Enhancement for Load Balancers < >

The Virtual Router Redundancy Protocol (VRRP) uses virtual MAC addresses to ensure that traffic continues to flow if the VRRP master fails. In the event of a failure, the new VRRP master takes ownership of the virtual IP and MAC addresses, and attached routers send traffic to the new master.

IPSO uses the virtual MAC address as the source MAC for VRRP protocol traffic and uses the real (physical) MAC address as the source for all other traffic. Some load balancing devices cache the physical MAC address information for optimization purposes and continue to send traffic to that address even if the associated virtual router fails, which causes the traffic to be dropped. This version of IPSO includes the Source Data from Virtual MAC option, which you can enable to prevent this problem from occurring.

To source the data using the Virtual MAC:
1. Go to the Network Voyager page: Configuration > High Availability > VRRP > Legacy VRRP Configuration
2. For an interface, select the VRRP Mode, either monitored circuit or VRRPv2. The option is not available if you use simplified monitored-circuit VRRP or HA Voyager (which requires simplified monitored-circuit VRRP).
3. Define an Own VRID
4. Enable the Source Data from Virtual MAC option for the interface

All the traffic sent from the interface then uses the virtual MAC address as the source MAC. (When the option is disabled, which is the default setting, only VRRP protocol traffic uses the virtual MAC address as the source. The physical MAC address is used as the source for all other traffic.)

Enabling the option causes attached devices to send all traffic to the virtual MAC, so traffic continues to flow when a new master assumes ownership of the virtual MAC.
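One way to confirm from a packet capture that the Source Data from Virtual MAC option has taken effect is sketched below. This is an added example, not part of the original guide or Check Point code. It assumes the standard IPv4 VRRP virtual MAC format 00-00-5E-00-01-{VRID} (RFC 3768) and IP protocol number 112 for VRRP; the member MAC, VRID and frames are constructed sample values.

```python
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
IPPROTO_VRRP = 112  # IANA-assigned IP protocol number for VRRP


def vrrp_virtual_mac(vrid):
    """IPv4 VRRP virtual MAC for a VRID: 00-00-5E-00-01-{VRID}."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in the range 1..255")
    return bytes([0x00, 0x00, 0x5E, 0x00, 0x01, vrid])


def audit_source_macs(frames, vrid, member_macs):
    """Tally which source MAC the VRRP members used for each kind of frame.

    frames: raw untagged Ethernet frames (bytes) taken from a capture.
    member_macs: set of physical MACs (bytes) of the VRRP group members.
    VLAN-tagged and non-IPv4 frames are counted as skipped.
    """
    vmac = vrrp_virtual_mac(vrid)
    counts = Counter()
    for frame in frames:
        if len(frame) < 14 + 20:          # Ethernet header + minimal IPv4 header
            counts["skipped"] += 1
            continue
        src = frame[6:12]
        (ethertype,) = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_IPV4 or frame[14] >> 4 != 4:
            counts["skipped"] += 1
            continue
        # The IPv4 protocol field sits at offset 9 of the IP header
        kind = "vrrp" if frame[14 + 9] == IPPROTO_VRRP else "data"
        if src == vmac:
            counts[kind + "_from_virtual"] += 1
        elif src in member_macs:
            counts[kind + "_from_physical"] += 1
        else:
            counts["other_sender"] += 1
    return counts


def option_effective(counts):
    """True when data traffic was seen and none of it used a physical MAC."""
    return counts["data_from_virtual"] > 0 and counts["data_from_physical"] == 0


def build_frame(src_mac, proto):
    """Constructed Ethernet + IPv4 header only (no payload, checksum zero)."""
    dst_mac = bytes.fromhex("02aabbccdd01")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip


# Constructed sample data: VRID 10 and one locally administered member MAC
VRID = 10
MEMBER_MAC = bytes.fromhex("020000000a01")
VMAC = vrrp_virtual_mac(VRID)

# Default setting: only VRRP advertisements carry the virtual MAC
CAPTURE_DEFAULT = [build_frame(VMAC, IPPROTO_VRRP),
                   build_frame(MEMBER_MAC, 6), build_frame(MEMBER_MAC, 17)]
# Option enabled: TCP and UDP traffic is sourced from the virtual MAC as well
CAPTURE_ENABLED = [build_frame(VMAC, IPPROTO_VRRP),
                   build_frame(VMAC, 6), build_frame(VMAC, 17)]

if __name__ == "__main__":
    for name, capture in (("default", CAPTURE_DEFAULT), ("enabled", CAPTURE_ENABLED)):
        result = audit_source_macs(capture, VRID, {MEMBER_MAC})
        print(name, dict(result), "effective:", option_effective(result))
```

Any non-zero data_from_physical count means an attached load balancer can still learn and cache the physical MAC.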

DNS Fast Expire Enhancement < >

Check Point IP Appliance platforms running previous releases can drop UDP traffic as a result of a large number of UDP connections being stored in the firewall connection table. This can occur even when the load on the system is light and can happen with all UDP traffic, but it is most likely to affect DNS packets. When the issue occurs with DNS traffic, it can cause name resolution failures and long delays in connection establishment.

With this release you can prevent this problem from happening by configuring the system using ipsctl commands. See Knowledge Base Resolution on the customer support site for more information about this issue and how to configure your system to prevent it.

PIM with NAT < >

PIM Sparse mode can be used with Network Address Translation (NAT). For configuration details, see the Network Voyager Reference Guide for IPSO 6.2 at

Auto Detect Support for the Endpoint Connect VPN client

This IPSO release provides enhanced support for the Endpoint Connect VPN client (available since NGX R65 HFA 40): The Auto Detect and Connect feature of the client is now supported. Whenever the VPN gateway or client's location changes, the Endpoint Connect client autodetects the best method to establish a connection, using either NAT-T (UDP port 4500) or Visitor mode (TCP port 443), intelligently auto-switching between the two modes as necessary.

Supports 1Gb and 10Gb Ethernet Cards

IPSO supports 1 Gigabit Ethernet and 10 Gigabit Ethernet cards as optional add-ons for the following Check Point network IP Security platforms:
- IP2450
- IP1280
- IP690

These cards deliver high throughput for network environments that do not require the specialized acceleration offered by Check Point ADP modules.

1 Gigabit Ethernet Cards

Check Point offers new four-port 1 Gigabit Ethernet cards in two versions:
- Network interface card for Check Point IP1280 and Check Point IP2450 with integrated RJ-45 connectors
- Network interface card for Check Point IP1280 and Check Point IP2450 with sockets that accept interchangeable SFP transceivers available in 1000Base-T, 1000Base-SX, and 1000Base-LX versions

These cards implement a new design that leverages the latest technological advances and connect directly to the PCI-e data bus to improve the speed and efficiency of moving packets between the interfaces and the multiple CPU cores.

10 Gigabit Ethernet Cards

Check Point offers new dual-port 10 Gigabit Ethernet cards in two versions:
- Network interface card with XMC connectors for Check Point IP2450 and Check Point IP1280
- Network interface card with PMC connectors for Check Point IP690

Both versions include sockets that accept interchangeable SFP+ transceivers. These cards can help your network meet the increasing demands of transporting content types such as video and VoIP or accommodate virtualization.

Enhancement for Configuration Summary Tool < >

If you open a support case with Check Point, you might be asked to provide an ECST file. To create this file, you use the Enhanced Configuration Summary Tool (ECST), which allows you to capture your current IPSO configuration, log files, core dumps and other information in a single file.

With this release, ECST provides more data for analysis by capturing Accelerated Data Path (ADP) kernel and core files that the system dumps when an ADP subsystem crashes. The file names begin with kcore and kaza, as in the following examples:

kcore-u1s z
kaza.perf_g-u1s z

Enhancement for IP Broadcast Helper < >

You can use IPSO's IP Broadcast Helper to relay broadcast UDP packets as unicasts to one or more remote servers. The maximum packet size for UDP packets relayed by this feature has been increased to 1480 bytes. IP Broadcast Helper can relay packets as large as bytes without fragmenting them.

Enhancement for ICMP Reply Throttling < >

To protect networks, IPSO now throttles ping replies that exceed certain limits. Because this rate limiting might affect other network devices that use ping for health check purposes, IPSO lets you disable the throttling by entering the following command at the IPSO shell prompt:

ipsctl -w net:ip:icmp:ratelimit:enable disable

To reenable the rate limiting function, enter

ipsctl -w net:ip:icmp:ratelimit:enable enable

Enhancement for Argentina Time Zone Changes < >

IPSO includes an enhancement to support recent time zone changes in Argentina.

Changes to Upgrade and Installation Process

In some circumstances, the process of upgrading or installing IPSO 6.2 requires additional steps that are not necessary when upgrading or installing versions of IPSO previous to 6.2. For details, see Changes to Upgrade and Installation Procedures on page

Chapter 2 What's New in Check Point IPSO 6.2 Compared to IPSO 6.1

This chapter describes the new features and enhancements in IPSO 6.2 compared to IPSO 6.1. These features and enhancements are included in IPSO. In addition, IPSO 6.2 includes the new features listed in Main Enhancements and Fixes in IPSO 6.2 on page 9.

In This Chapter
- Support for R70 and Higher with CoreXL
- Performance Monitoring Enhancements Compared to IPSO 6.1

Support for R70 and Higher with CoreXL

IPSO 6.2 supports R70 and higher with CoreXL. The combination of IPSO 6.2 and Check Point R70 and higher improves firewall performance by taking advantage of the multicore CPU architecture of Check Point network security platforms.

CoreXL and SecureXL improve performance using different technologies and can work together in a complementary fashion. Use cpconfig to enable or disable SecureXL or CoreXL. SecureXL is enabled by default.

Use the R70 and higher version of SmartCenter and SmartConsole to manage CoreXL gateways. Do not use other versions of these applications.

For details of CoreXL, search for Firewall R7x Administration Guide on (replace R7x with the applicable version). In the guide, search for the CoreXL section.

Configuring IPSO for CoreXL

CoreXL creates multiple firewall instances (in effect, multiple firewalls) and assigns each instance to a CPU core. You can use cpconfig to control the number of firewall instances. CoreXL improves the performance of your platform by accelerating traffic that cannot be accelerated by SecureXL.

The default setting for the number of firewall instances is based on achieving optimal performance. You can configure this depending on your traffic profile. Choose the number of firewall instances you create based on the anticipated traffic load. If the majority of your traffic will be accelerated by SecureXL, create a smaller number of firewall instances.

Note - If you change the number of instances, you must reboot the platform to make the change take effect.

Use the following sources to obtain information to help you choose the optimal number of firewall instances for your platform and traffic mix:
- The Firewall Instance Configuration page provides data about SecureXL-based acceleration.
- To monitor CPU core usage, enter top -p in the IPSO command shell.
- To get information about load balancing between the firewall instances, enter fw ctl multik stat or ipsctl -a net:sxl:inst in the IPSO command shell.

Note - If you use IP clustering, make sure to configure the same number of firewall instances on each node.

When you enter firewall commands, they generally apply to the gateway as a whole rather than to a specific firewall instance. To make a command apply to a specific instance, add -i number (in which number is the number of the instance) to the command. For example, to view the connections table for firewall instance 3, enter:

fw -i 3 tab -t connections

Performance Monitoring Enhancements Compared to IPSO 6.1

Note - Performance monitoring features that were already supported in IPSO 6.1 are described in Performance Monitoring Enhancements Compared to IPSO on page 22.

Performance Monitoring statistics provide a detailed and comprehensive view of your system's performance by allowing you to monitor a variety of historical information presented in graphical format. You can configure the graphs to show a wide range of time periods.

Connection Dashboard

When multiple firewall instances are enabled, the Transactions Vs. Connections graph represents the total number of transactions and connections across all the firewall instances enabled for the selected time interval.

Connection Map Dashboard

Any or all of the firewall instances that are active in the selected time interval can be selected. Individual line graphs are displayed for each firewall instance selected. Radio buttons are available at the bottom to view Accelerated, VPN, NAT and TCP connections. By default the graph displays one line (consolidated) which is the sum of all connections across all firewall instances.

System Health

The Live SecureXL FW Connection Statistics graph displays a separate graph for each firewall instance. Each graph plots the number of connections created and deleted, the current number of active connections, connections created from templates, and NAT and TCP connections. The graph refreshes every 20 seconds.

Chapter 3 What's New in Check Point IPSO 6.2 Compared to IPSO

This chapter describes the new features and enhancements in IPSO 6.2 compared to IPSO. These features and enhancements are included in IPSO 6.1. In addition, IPSO 6.2 includes the new features listed in Main Enhancements and Fixes in IPSO 6.2 on page 9.

In This Chapter
- Performance Monitoring Enhancements Compared to IPSO
- Support for Netflow Services
- Enhancement for ACL Rules
- High-Availability Enhancements
- Configuration Migrator
- IPSO Automated Configuration
- Enhanced Configuration Summary Tool
- Enhancement for Increased Network Voyager Security
- Routing Enhancements
- Support for USB Modem
- Enhancement for Firewall Kernel Tuning

Performance Monitoring Enhancements Compared to IPSO

Note - Performance monitoring features that were already supported in IPSO are described in Performance Monitoring Enhancements Compared to IPSO 6.1 on page 20.

This feature provides a detailed and comprehensive view of your system's performance by allowing you to monitor a variety of historical information presented in graphical format. You can configure the graphs to show a wide range of time periods.

Use the information provided by this feature to tune your system for optimum performance, troubleshoot difficult performance issues, or simply confirm that traffic patterns are as expected. For example, you can compare how much of your traffic has been accelerated by SecureXL versus the amount that has been sent to the firewall for processing and see how much traffic has been forwarded by Check Point Accelerated Data Path (ADP) interfaces versus non-ADP interfaces.

The performance monitoring graphs are organized into configurable dashboards that you access by clicking Monitor > Performance Monitoring on the Network Voyager navigation tree.

Note - The dashboards replace the Voyager pages that you access in previous IPSO versions by clicking Monitor > Reports.

The following sections describe the new dashboards and their component graphs.

Note - You will not be able to display historical performance data captured by a previous IPSO release after you upgrade to IPSO 6.2. If you want to preserve this data, do so before you upgrade by using Network Voyager to display the data in delimited format and copying it into a spreadsheet or other application.

Connection Dashboard

- Connection Life histogram: Displays the number of connections within a configurable time and their lifetimes in IPSO. The lifetime of a connection is the amount of time it occupies IPSO memory.

- Transaction Size histogram: Displays the transaction sizes associated with different connections within a configurable time. The transaction size is the number of bytes exchanged in the context of a connection from the start to the end of the connection.
- Templates vs. Non-Templates: Displays the percentage of connections created by SecureXL templates within a configurable time. You can use this information to help you define a firewall policy so that more connections are created by templates (and are therefore accelerated).
- Transactions vs. Connections: Displays the rates of connection and transaction creation within a configurable time. For TCP, connection creation is defined as the arrival of a SYN packet, and transaction creation is defined as the completion of the 3-way handshake. For non-TCP connections, connection and transaction creation occurs at the same rate.

New in IPSO 6.2: For multiple firewall instances the Transactions vs. Connections graph represents the total number of connections and transactions across all the firewall instances enabled at that time.

Connection Map Dashboard

Users are now provided with an option to select any or all of the firewall instances that are active in the selected time period. Individual line graphs are displayed for each firewall instance selected. Radio buttons are available at the bottom of the graph to view Accelerated, VPN, NAT and TCP connections. By default the graph displays one line (consolidated) which is the sum of all connections across all firewall instances.

- Accelerated Connections Map: Displays the total number of connections within a configurable time and the number that were accelerated. The difference between the total number of connections and the number of accelerated connections gives the number of connections for which every packet was inspected by the firewall. Accelerated connections are further classified as connections accelerated by ADP and connections accelerated by IPSO.
- VPN Connections Map: Displays the total number of connections within a configurable time and the number that required VPN services.
- NAT Connections Map: Displays the total number of connections within a configurable time and the number that required NAT services.
- TCP Connections Map: Displays the total number of connections within a configurable time and the number of TCP connections. The difference between total connections and TCP connections gives the number of non-TCP connections, such as UDP, ICMP, etc.

Traffic Dashboard

- IPSO Packet Size Map: Displays the distribution of packet sizes forwarded by IPSO within a configurable time. This information is helpful in understanding which packet sizes are dominant.
- ADP Packet Size Map: This graph is present only on platforms on which an ADP module is detected. It displays the distribution of packet sizes that were forwarded by ADP interfaces. This information is helpful in understanding which packet sizes are dominant in traffic transiting ADP interfaces.

Forwarding Dashboard

- Accelerated Traffic Map: Displays the total number of packets that were forwarded by IPSO and the number of packets that were accelerated by IPSO within a configurable time. The difference between the total number of packets and the number of accelerated packets is the number of packets that were forwarded to the firewall.
- VPN Traffic Map: Displays the total number of packets that were forwarded by IPSO and the number of packets that required VPN services within a configurable time. This information is helpful in understanding the percentage of traffic that requires VPN services.
- NAT Traffic Map: Displays the total number of packets that were forwarded by IPSO and the number of packets that required NAT services within a configurable time. This information is helpful in understanding the percentage of traffic that requires NAT services.

Interface Dashboard

- Packet Throughput: Displays the rates of incoming and outgoing packets on a given interface within a configurable time.
- Byte Throughput: Displays the rates of incoming and outgoing bytes on a given interface within a configurable time. This information is helpful in determining if a link is reaching its capacity.
- Multicast Throughput: Displays the rates of incoming and outgoing multicast packets on a given interface within a configurable time. This information is helpful in determining if a link is reaching its capacity.
- Broadcast Throughput: Displays the rates of incoming and outgoing broadcast packets on a given interface within a configurable time. This information is helpful in determining if a link is reaching its capacity.

System Dashboard

- CPU Utilization: Displays the CPU utilization for all the CPU cores within a configurable time.
- Memory Utilization: Displays the memory utilization in IPSO within a configurable time.

ADP Dashboard

This dashboard displays the number of packets that were forwarded by IPSO and the number of packets that were forwarded by the ADP subsystem within a configurable time. You can also see the average and maximum number of buffers utilized at the interface layer in incoming and outgoing directions within a configurable time. This information is helpful in understanding the value provided by ADP modules.

Custom Dashboard

Use this dashboard to create custom profiles that include your choice of performance graphs. After you have created profiles, click the Custom Dashboard link again to select a profile to display.

Support for Netflow Services

Netflow services can be used to collect information about network traffic patterns and volume. To provide this information, IPSO tracks network flows. A flow is a unidirectional stream of packets that share a given set of characteristics.

Click Configuration > Traffic Management > Netflow to access the Netflow Configuration page.

IPSO exports information about flows in flow records. To gather and analyze flow records, you must export them to a Netflow collector. Check Point has tested the following collectors:
- NetFlow Analyzer (AdventNet, Inc.): supports Versions 5 and 9
- Scrutinizer (Plixer International): supports Versions 5 and 9

Defining Flows

You control how IPSO defines flows by using metering modes:

Flows mode: If you use this mode, a flow is any sequence of packets that share
- Source and destination IP addresses
- Source and destination port numbers
- IP protocol

When you use flows mode, IPSO exports each flow in an individual flow record. This mode requires that a firewall is running and SecureXL is enabled.

Note - When you enable flows mode, IPSO automatically reduces the concurrent connection capacity by 25 percent. If you later disable flows mode, IPSO automatically increases the connection capacity to the previous value. When you enable or disable this mode, you should make the same adjustment in Check Point's SmartDashboard application.

ACL mode: If you use this mode, you define flows by configuring ACL rules. Traffic that matches a rule is a flow. (You must also enable the Netflow Metering option for any rule that you want to use for this purpose.) When you use ACL mode, all the traffic that matches a rule is exported in one flow record.

You can use both modes simultaneously. In this case, traffic that matches an ACL rule is reflected in a Flows mode flow and also in an ACL mode flow.
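The difference in record granularity between the two metering modes can be seen by running the same traffic through both. This is an added example, not IPSO code: the packets and the rule are constructed, and the rule format (source and destination prefix plus protocol, first match wins) is a simplifying assumption rather than IPSO's ACL syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    size: int


@dataclass(frozen=True)
class AclRule:                       # hypothetical rule shape for illustration
    name: str
    src_net: str
    dst_net: str
    proto: Optional[int]             # None matches any IP protocol
    netflow_metering: bool           # the per-rule Netflow Metering option


def rule_matches(rule, pkt):
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst_net)
            and rule.proto in (None, pkt.proto))


def account(records, key, pkt):
    """Add one packet to the record stored under key."""
    rec = records.setdefault(
        key, {"packets": 0, "bytes": 0, "first": pkt.ts, "last": pkt.ts})
    rec["packets"] += 1
    rec["bytes"] += pkt.size
    rec["first"] = min(rec["first"], pkt.ts)
    rec["last"] = max(rec["last"], pkt.ts)


def meter(packets, rules=(), flows_mode=True):
    """Return (flows-mode records, ACL-mode records) for the given traffic."""
    flow_records, acl_records = {}, {}
    for pkt in packets:
        if flows_mode:
            # Unidirectional key: the reply direction becomes a separate flow
            key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
            account(flow_records, key, pkt)
        for rule in rules:
            if rule_matches(rule, pkt):          # assumption: first match wins
                if rule.netflow_metering:
                    account(acl_records, rule.name, pkt)
                break
    return flow_records, acl_records


# Constructed traffic: two clients querying one resolver, plus one TCP packet
SAMPLE_PACKETS = [
    Packet(0.00, "10.1.1.10", "192.0.2.53", 40000, 53, 17, 70),
    Packet(0.02, "192.0.2.53", "10.1.1.10", 53, 40000, 17, 130),
    Packet(1.00, "10.1.1.11", "192.0.2.53", 40001, 53, 17, 72),
    Packet(2.00, "10.1.1.10", "192.0.2.53", 40000, 53, 17, 70),
    Packet(3.00, "10.1.1.10", "198.51.100.9", 51000, 443, 6, 60),
]
SAMPLE_RULES = [AclRule("dns-out", "10.1.1.0/24", "192.0.2.53/32", 17, True)]

if __name__ == "__main__":
    flows, acl = meter(SAMPLE_PACKETS, SAMPLE_RULES)
    for key, rec in flows.items():
        print("flows mode", key, rec)
    for name, rec in acl.items():
        print("ACL mode  ", name, rec)
```

The five packets produce four flows-mode records but a single ACL-mode record, so per-host detail is available to the collector only in flows mode.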

Flow Records

You configure IPSO to export flow records using the formats specified by Cisco for NetFlow Versions 5 and 9. (Version 9 is specified in RFC 3954.) Regardless of which export format you choose, IPSO exports values for the following fields:
- source IP address
- source subnet mask (used only when record is generated by an ACL flow)
- destination IP address
- destination subnet mask (used only when record is generated by an ACL flow)
- source port
- destination port
- input physical interface index (defined by SNMP)
- output physical interface index (defined by SNMP)
- packet count for this flow
- byte count for this flow
- start of flow timestamp (FIRST_SWITCHED)
- end of flow timestamp (LAST_SWITCHED)
- IP protocol number
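A collector receives these records as UDP datagrams from the network, so it should validate each one before trusting its contents. The sketch below is an added example, not Check Point or collector code: it parses a NetFlow Version 5 export datagram using the standard v5 layout (24-byte header, 48-byte records, at most 30 records per datagram) and extracts the fields listed above. The sample datagram is constructed.

```python
import ipaddress
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
MAX_RECORDS = 30                                    # v5 limit per datagram


class FlowParseError(ValueError):
    """Raised for datagrams that are not well-formed NetFlow v5 exports."""


def parse_v5(datagram):
    """Validate a v5 export datagram and return its flow records as dicts."""
    if len(datagram) < HEADER.size:
        raise FlowParseError("datagram shorter than the v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     _seq, _engine_type, _engine_id, _sampling) = HEADER.unpack_from(datagram)
    if version != 5:
        raise FlowParseError("unsupported export version %d" % version)
    if not 1 <= count <= MAX_RECORDS:
        raise FlowParseError("implausible record count %d" % count)
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise FlowParseError("length does not match the header's record count")

    # FIRST/LAST are milliseconds of exporter uptime; anchor them to wall-clock
    # time using the export timestamp carried in the header.
    boot_ms = unix_secs * 1000 + unix_nsecs // 1_000_000 - sys_uptime
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, _tcp_flags, proto, _tos, _src_as, _dst_as,
         src_mask, dst_mask, _pad2) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(src)),
            "src_mask": src_mask,       # per the guide, set only for ACL flows
            "dst": str(ipaddress.IPv4Address(dst)),
            "dst_mask": dst_mask,       # per the guide, set only for ACL flows
            "sport": sport,
            "dport": dport,
            "in_if": in_if,             # SNMP interface index
            "out_if": out_if,           # SNMP interface index
            "packets": pkts,
            "bytes": octets,
            "start_ms": boot_ms + first,    # FIRST_SWITCHED as epoch ms
            "end_ms": boot_ms + last,       # LAST_SWITCHED as epoch ms
            "proto": proto,
        })
    return flows


def accepts(datagram):
    """True if the datagram parses cleanly, False if it is rejected."""
    try:
        parse_v5(datagram)
        return True
    except FlowParseError:
        return False


def build_sample():
    """Constructed datagram: one UDP/53 flow, exported 2011-04-06 00:00:00 UTC."""
    header = HEADER.pack(5, 1, 600_000, 1_302_048_000, 0, 1, 0, 0, 0)
    record = RECORD.pack(
        ipaddress.IPv4Address("192.0.2.10").packed,
        ipaddress.IPv4Address("198.51.100.53").packed,
        bytes(4), 1, 2, 2, 150, 540_000, 599_000,
        40000, 53, 0, 0, 17, 0, 0, 0, 0, 0, 0)
    return header + record


if __name__ == "__main__":
    for flow in parse_v5(build_sample()):
        print(flow)
    print("truncated datagram accepted:", accepts(build_sample()[:-1]))
```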

Enhancement for ACL Rules

When you create an access control list (ACL), you populate the ACL with rules that take configurable actions when traffic matches a pattern specified by the rule. With this enhancement, one of the actions you can configure for a rule is Bypass-FW, which causes ICMP traffic to bypass the firewall. You might use this action to prevent disruptive traffic that always comes from a known and trusted source from reaching the firewall.

Warning - Lengthy ACLs can degrade performance because all traffic first must be compared to the ACL. Use ACLs with caution.

Time Zone Package

You can now use a time zone package to update your time zone information without having to upgrade your IPSO image. You might want to do this to apply the latest daylight savings rules for your time zone, for example.

IPSO time zone information is based on the tz or zoneinfo database available at elsie.nci.nih.gov/pub. When the tz database is updated, Check Point releases a new time zone package with the updated time zones. You can then update the time zone information on your system by installing the package.

The time zone package name uses the same versioning convention as the tz database. For example, if the tz database version being used is 2009b, the time zone package is named timezones-2009b.tgz. You can download the time zone package from the Check Point customer support site.

High-Availability Enhancements

New features and enhancements are included for the high-availability configurations that you can create using IP clustering and Check Point's implementation of the Virtual Router Redundancy Protocol (VRRP).

In This Section
- HA Voyager
- IP Clustering Enhancements

HA Voyager

HA Voyager has a new approach to creating and managing VRRP configurations. The main VRRP configuration page now includes a link for creating an HA VRRP configuration. Using this option allows you to configure and manage all the members of a VRRP group in a centralized way by using HA Voyager on one system. (When you use HA Voyager to configure VRRP, you create a simplified monitored-circuit configuration.)

When you create an HA VRRP configuration, Voyager displays a new tab (labeled HA Voyager) in the navigation tree. Clicking this tab displays many of the same links that appear under the System tab in the navigation tree. When you access a configuration page by using the HA Voyager navigation tree, any changes you make are implemented on all the members of the group. This simplifies your work and helps you keep the configuration of the group members synchronized.

Note - You can use HA Voyager on any member of the group. Regardless of which member you log into, your changes will be implemented on all the other members.

Once you create an HA configuration group on one system, you can use HA Voyager on that system to add members to the group.

You probably want to configure certain settings to be identical on all of your HA configuration group members. For example, you probably want each member to have the same static routes and settings for DNS, time, and Voyager web access. HA Voyager makes it easy for you to configure the members in this way by providing the Configuration Cloning option.

The IPSO online documentation and the Network Voyager Reference Guide include a configuration example that provides step-by-step instructions for using HA Voyager.

Configuring VRRP with HA Voyager

You can use HA Voyager to easily configure VRRP on all the members of an HA configuration group. This is the simplest way to configure VRRP, and it also makes it easy for you to ensure that the global VRRP options are set identically on all the members.

When you use HA Voyager to configure VRRP, you create a simplified monitored-circuit configuration, and all the requirements of simplified monitored-circuit apply. For example, before you create a VRRP backup (virtual) address you must make sure that each member has an address with the same network address as the backup address. For example, the following is a valid combination:

Member A address:
Member B address:
VRRP backup address:

For complete information on configuring simplified monitored-circuit VRRP, see the chapter "High Availability Solutions" in the IPSO online documentation and the Network Voyager Reference Guide.

IP Clustering Enhancements

Check Point's IP clustering high availability solution has the following enhancements:

- Simplified clustering
- Cluster topology choices
- Advanced cluster tuning
- ISP redundancy supported

Simplified Clustering

Configuring an IP cluster and putting it into service is made easier by means of the new Simplified Clustering Configuration page. This page allows you to set up a cluster by making an absolute minimum set of configuration choices. When you create a cluster in this way, IPSO chooses default values for a variety of cluster settings. You can still change any of these settings by using the Cluster Configuration page.

Cluster Topologies

Flexibility in designing IP clusters is provided by means of the following cluster topologies:

- Load balancing: All the nodes in the cluster will be active, and connections will be assigned to all of them. This is the default choice and is the only topology used in previous versions of IPSO.
- N+1: N is the (configurable) number of nodes that will be active and will have connections assigned to them. The remaining node will be in hot standby mode, which means that connections are synchronized with the node on an ongoing basis so that it is immediately ready for service should one of the active nodes fail. The load will be balanced among the active nodes.
- Active/Hot Standby: One node will be active and the other will be in hot standby mode. Use this topology for two-node clusters in which you want only one node to be active. This topology is similar to an active/passive VRRP configuration except that failover happens faster because existing connections are continually synchronized with the standby node.

Advanced Cluster Tuning

Some advanced cluster options can be used to prevent certain issues that can occur in very specific circumstances.

ISP Redundancy Supported

Previous versions of IPSO do not support the use of Check Point's ISP Redundancy feature with IP clusters. This constraint is removed.

Configuration Migrator

There are times when you might want to copy much of the configuration information from one Check Point network security platform to another. For example, when you replace a Check Point network security platform with another Check Point platform, you might want to migrate much of the configuration from the system being replaced to the new system. You can now do this by using Network Voyager and the Configuration Migration feature.

You can access the Voyager pages for this feature by clicking Tools > Configuration Migration at the bottom of the Voyager navigation tree.

When using the Migrate Configuration feature, keep the following terms in mind:

- Source platform: This is the platform from which you will acquire the configuration information. If you are replacing a platform, you probably want to use the platform being replaced as the source.
- Target platform: This is the platform on which you will apply the migrated configuration. If you are replacing a platform, the target is the new (replacement) platform.

Note - You perform almost all the operations using Voyager on the target platform. The only operations you might need to perform on the source are creating a configuration file or database file and enabling network access to the source.

It is important to understand that the Migrate Configuration feature is designed to copy configuration from one platform to another, not to make configuration changes on the target. If you want to make configuration changes on the target platform (for example, if you want to assign new IP addresses that are not assigned to the source platform), do so after you complete the migration. Think of it as a two or three step process:

1. Migrate the configuration from the source to the target.
2. Make any required changes on the target.
3. If desired, export the configuration from the target to another system.

Migrate Configuration allows you to map interface configuration across the platforms. For example, you can map interface A on the source to interface B on the target so that interface B is configured identically to A.

You can also choose whether to migrate configuration information for specific features. For example, if you use Protocol-Independent Multicast (PIM) on the source but don't want to use it on the target, you can choose not to migrate it. You might also choose not to migrate PIM if you do intend to use it on the target but want to configure it from scratch. Choosing to not migrate a feature means only that the configuration information for that feature is not migrated. The feature itself is still available on the target. In this example, PIM is still available on the target after the migration but it is not enabled or configured.

Acquiring Configuration Information

You can acquire configuration information from a Check Point platform running any version of IPSO between IPSO 3.7 and IPSO 4.2 (inclusive). You acquire configuration information by copying an IPSO configuration file or backup file from the source to the target. You can move these files directly from the source to the target (using Voyager or another method) or move them to a workstation.

Depending on how you want to move the file to the target, use the following options on the Acquire Configuration page:

- Remote Device: Use this option to transfer a file directly from the source to the target. You must have network access to the source. If you specify a file (configuration file or backup file), you must specify the complete path. < > If you do not specify a file, IPSO automatically copies the current configuration database file from the source.
  Note - This is probably the easiest way to acquire a configuration file.
- Upload: Use this option if you have moved the IPSO configuration file or backup file from the source to your workstation (the computer that is running Network Voyager).
- Local File: Use this option if you have moved the IPSO configuration file or backup file from the source to the target using FTP or a similar method. If you use this option, you must save the configuration file or backup file in one of several specified directories. To see which directories you can use, expand the directory tree in the Select File to Acquire box. Select the appropriate configuration or backup file by clicking on it. Voyager then displays the selected file in boldface type.

Regardless of which method you choose, click Apply once you have selected the appropriate file. If IPSO recognizes that the file is a valid configuration file or backup file (and transfers it to the target, if necessary), you see a message indicating that the process succeeded and telling you to access the Migrate Configuration page. < >

If either of the following is true, IPSO also displays information about the model number of the source platform and the IPSO version used to make the configuration or backup file:

- You acquired a backup file (using any option).
- You used SCP as the protocol when using the Remote Device option to acquire a configuration file.

Migrating Configuration Information

Access the Migrate Configuration page by clicking the appropriate link under Migration in the Voyager navigation tree. If there are any unsaved configuration changes (changes to the current configuration on the target platform), Voyager displays a message telling you to click Save. After you do so, you can continue with the migration.

Voyager displays the IPSO version of the source configuration at the top of the page to help you verify that you acquired appropriate configuration information.

IPSO needs to know the model number of the source platform. If IPSO was able to determine the number because of the method you used to acquire the configuration or backup file, the number is displayed near the top of the page. Otherwise there is a menu from which you must choose the model of the source platform.

Mapping Interfaces and Completing the Process

You use the Migrate Configuration page primarily to map interfaces from the source to the target. Voyager provides information to help you choose which interfaces on the target are the best matches for the interfaces on the source.

The table on the left lists all the physical interfaces on the source platform and also identifies all the attributes associated with each interface. For example, you can see whether routing protocols, VRRP, SNMP, and so on are configured for an interface. This table also lists the configured speeds for the source interfaces. < >

The table on the right lists the physical interfaces on the target platform and their available speeds.

In addition to the physical interfaces on the source platform, the table on the left lists all the logical interfaces that have IP addresses assigned. When you map a physical interface, IPSO migrates all the logical configuration for that interface to the physical interface on the target. You cannot map logical interfaces individually.

If there is a logical interface without an associated IP address on the source platform (for example, if there is a VLAN interface without an address), the logical interface does not appear in the table and is not migrated to the target.

You must map each source interface or explicitly choose to not migrate it by making selections in the Interface on Target Platform column. If you click Next or Finish without making a selection for every source physical interface, Voyager displays a message telling you that you must choose an entry for every interface and does not display the next page.

Warning - If an interface on the target is configured before you perform the migration, that configuration information is deleted when the new configuration is applied even if you do not choose a mapping for it. For example, if a target interface has an IP address before the migration and you do not select it during the mapping process, the IP address is deleted when the new configuration is applied.

You cannot map multiple source interfaces to one interface on the target platform. If you attempt to do so, Voyager displays a message telling you that this is invalid.

The actual steps you take to complete the migration vary depending on whether there are any link aggregation group (LAG) or link redundancy group (LRG) interfaces on the source platform.

If there are no LAG or LRG interfaces

1. For each interface, choose a mapping or explicitly choose to not migrate it.
2. Choose to migrate all features (accept the default setting) or prohibit selected features from being migrated. Remember that choosing to not migrate a feature means only that the configuration information for that feature is not migrated. The feature itself is still available on the target. See "Migrating Features" for important information about this step.
3. Reboot or test boot the target platform.

If there are LAG or LRG interfaces on the source

If there are LAG or LRG interfaces on the source, the process is similar except that the LAG and LRG interfaces are presented on separate pages:

1. Map or explicitly choose to not migrate each non-LAG/non-LRG interface.
2. Map or explicitly choose to not migrate each LAG interface (if any).
3. Map or explicitly choose to not migrate each LRG interface (if any). If an LAG interface is part of an LRG interface, you can choose whether to migrate it as part of the LRG or whether to remove it from the LRG during the migration. (If you chose to not migrate this LAG interface in step 2, it is still listed in the table of LRG interfaces but you cannot migrate it as part of the LRG.) < >
4. Choose to migrate all features (accept the default setting) or prohibit selected features from being migrated. See "Migrating Features" for important information about this step.
5. Reboot or test boot the target platform.

Note - When the Finish button is available, you can click it to skip the process of selecting features to migrate. In this case, all the IPSO features on the source are migrated (the default setting). Clicking Finish always displays a page that allows you to complete the migration by rebooting or test booting the target platform.

Migrating Features

If you include Users as one of the features that will be migrated (the default setting), the admin password of the source platform becomes the admin password of the target platform after you reboot it. If you want to prevent this, remove Users from the list of features that will be migrated before you finish the migration. In this case, the original admin password of the target platform is retained after you reboot the target.

Configuration information for certain features cannot be migrated because it is not stored in IPSO configuration files. Examples include:

- optional disks
- PPPoE
- ISDN
- IPv6 host address (if the source configuration is from an IPSO version previous to 6.1) < >

If configuration information for a feature cannot be migrated, the feature is not included in the list.

IPSO Automated Configuration

You can use a USB storage device to install IPSO images, IPSO configuration files, and package files, such as Check Point package files, onto Check Point security appliances that have IPSO installed but have not yet been configured.

Note - You cannot use this feature to configure systems running a version of IPSO previous to 6.1.

This feature allows experienced personnel at a central site to set up a USB device with the appropriate files for deploying new appliances at another site and then provide the USB device to a person at the other site to perform the deployment. The local operator inserts the USB device in an appliance to be configured and boots the system. The IPSO automated configuration feature installs the specified software and configuration on the appliance, with no intervention needed by the operator.

The USB device can hold specific configuration information for different appliances, allowing multiple appliances to be configured from the same USB device.

See the document Read Me: IPSO Automated Configuration for complete information about how to use this feature.

Warning - If you use a USB memory device (or a USB modem) with an IP290 or IP690 running IPSO 6.1 or higher, the following BIOS versions are required:

- IP290: version or later
- IP690: version or later

If you use a USB device with an IP290 or IP690 that does not meet this requirement, the system might hang if it is restarted with the USB device attached. To update the BIOS, contact Check Point Support (


More information

FWSM introduction Intro 5/1

FWSM introduction Intro 5/1 Intro 5/0 Content: FWSM introduction Requirements for FWSM 3.2 How the Firewall Services Module Works with the Switch Using the MSFC Firewall Mode Overview Stateful Inspection Overview Security Context

More information

Configuring Failover

Configuring Failover Configuring Failover 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their respective

More information

ACP ThinManager Tech Notes Troubleshooting Guide

ACP ThinManager Tech Notes Troubleshooting Guide ACP ThinManager Tech Notes Troubleshooting Guide Use the F1 button on any page of a ThinManager wizard to launch Help for that page. Visit www.thinmanager.com/technotes/ to download the manual, manual

More information

Pharos Control User Guide

Pharos Control User Guide Outdoor Wireless Solution Pharos Control User Guide REV1.0.0 1910011083 Contents Contents... I Chapter 1 Quick Start Guide... 1 1.1 Introduction... 1 1.2 Installation... 1 1.3 Before Login... 8 Chapter

More information

Initial Access and Basic IPv4 Internet Configuration

Initial Access and Basic IPv4 Internet Configuration Initial Access and Basic IPv4 Internet Configuration This quick start guide provides initial and basic Internet (WAN) configuration information for the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

More information

Accessing Remote Devices via the LAN-Cell 2

Accessing Remote Devices via the LAN-Cell 2 Accessing Remote Devices via the LAN-Cell 2 Technote LCTN0017 Proxicast, LLC 312 Sunnyfield Drive Suite 200 Glenshaw, PA 15116 1-877-77PROXI 1-877-777-7694 1-412-213-2477 Fax: 1-412-492-9386 E-Mail: support@proxicast.com

More information

Virtual Appliances. Virtual Appliances: Setup Guide for Umbrella on VMWare and Hyper-V. Virtual Appliance Setup Guide for Umbrella Page 1

Virtual Appliances. Virtual Appliances: Setup Guide for Umbrella on VMWare and Hyper-V. Virtual Appliance Setup Guide for Umbrella Page 1 Virtual Appliances Virtual Appliances: Setup Guide for Umbrella on VMWare and Hyper-V Virtual Appliance Setup Guide for Umbrella Page 1 Table of Contents Overview... 3 Prerequisites... 4 Virtualized Server

More information

F IREWALL/VPN INSTALLATION GUIDE

F IREWALL/VPN INSTALLATION GUIDE STONEGATE 5.1 F IREWALL/VPN INSTALLATION GUIDE F IREWALL V IRTUAL PRIVATE NETWORKS Legal Information End-User License Agreement The use of the products described in these materials is subject to the then

More information

NOC PS manual. Copyright Maxnet 2009 2015 All rights reserved. Page 1/45 NOC-PS Manuel EN version 1.3

NOC PS manual. Copyright Maxnet 2009 2015 All rights reserved. Page 1/45 NOC-PS Manuel EN version 1.3 NOC PS manual Copyright Maxnet 2009 2015 All rights reserved Page 1/45 Table of contents Installation...3 System requirements...3 Network setup...5 Installation under Vmware Vsphere...8 Installation under

More information

NetFlow v9 Export Format

NetFlow v9 Export Format NetFlow v9 Export Format With this release, NetFlow can export data in NetFlow v9 (version 9) export format. This format is flexible and extensible, which provides the versatility needed to support new

More information

HP Intelligent Management Center v7.1 Virtualization Monitor Administrator Guide

HP Intelligent Management Center v7.1 Virtualization Monitor Administrator Guide HP Intelligent Management Center v7.1 Virtualization Monitor Administrator Guide Abstract This guide describes the Virtualization Monitor (vmon), an add-on service module of the HP Intelligent Management

More information

Transport and Network Layer

Transport and Network Layer Transport and Network Layer 1 Introduction Responsible for moving messages from end-to-end in a network Closely tied together TCP/IP: most commonly used protocol o Used in Internet o Compatible with a

More information

Acano solution. Virtualized Deployment R1.1 Installation Guide. Acano. February 2014 76-1025-03-B

Acano solution. Virtualized Deployment R1.1 Installation Guide. Acano. February 2014 76-1025-03-B Acano solution Virtualized Deployment R1.1 Installation Guide Acano February 2014 76-1025-03-B Contents Contents 1 Introduction... 3 1.1 Before You Start... 3 1.1.1 About the Acano virtualized solution...

More information

How To Understand and Configure Your Network for IntraVUE

How To Understand and Configure Your Network for IntraVUE How To Understand and Configure Your Network for IntraVUE Summary This document attempts to standardize the methods used to configure Intrauve in situations where there is little or no understanding of

More information

Using Cisco UC320W with Windows Small Business Server

Using Cisco UC320W with Windows Small Business Server Using Cisco UC320W with Windows Small Business Server This application note explains how to deploy the Cisco UC320W in a Windows Small Business Server environment. Contents This document includes the following

More information

Gaia Syslog Messages. Technical Reference Guide. 25 February 2014. Classification: [Protected]

Gaia Syslog Messages. Technical Reference Guide. 25 February 2014. Classification: [Protected] Gaia s Technical Reference Guide 25 February 2014 Classification: [Protected] 2014 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright

More information

CounterACT 7.0 Single CounterACT Appliance

CounterACT 7.0 Single CounterACT Appliance CounterACT 7.0 Single CounterACT Appliance Quick Installation Guide Table of Contents Welcome to CounterACT Version 7.0....3 Included in your CounterACT Package....3 Overview...4 1. Create a Deployment

More information

Chapter 9 Monitoring System Performance

Chapter 9 Monitoring System Performance Chapter 9 Monitoring System Performance This chapter describes the full set of system monitoring features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. You can be alerted to important

More information

NetFlow Collection and Processing Cartridge Pack User Guide Release 6.0

NetFlow Collection and Processing Cartridge Pack User Guide Release 6.0 [1]Oracle Communications Offline Mediation Controller NetFlow Collection and Processing Cartridge Pack User Guide Release 6.0 E39478-01 June 2015 Oracle Communications Offline Mediation Controller NetFlow

More information

Virtual Web Appliance Setup Guide

Virtual Web Appliance Setup Guide Virtual Web Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance This guide describes the procedures for installing a Virtual Web Appliance. If you are installing

More information

PFSENSE Load Balance with Fail Over From Version Beta3

PFSENSE Load Balance with Fail Over From Version Beta3 PFSENSE Load Balance with Fail Over From Version Beta3 Following are the Installation instructions of PFSense beginning at first Login to setup Load Balance and Fail over procedures for outbound Internet

More information

Panorama High Availability

Panorama High Availability Panorama High Availability Palo Alto Networks Panorama Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054

More information

GRAVITYZONE HERE. Deployment Guide VLE Environment

GRAVITYZONE HERE. Deployment Guide VLE Environment GRAVITYZONE HERE Deployment Guide VLE Environment LEGAL NOTICE All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including

More information

Virtual Appliance Setup Guide

Virtual Appliance Setup Guide Virtual Appliance Setup Guide 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their respective

More information

NQA Technology White Paper

NQA Technology White Paper NQA Technology White Paper Keywords: NQA, test, probe, collaboration, scheduling Abstract: Network Quality Analyzer (NQA) is a network performance probe and statistics technology used to collect statistics

More information

Network Scanner Tool R3.1. User s Guide Version 3.0.04

Network Scanner Tool R3.1. User s Guide Version 3.0.04 Network Scanner Tool R3.1 User s Guide Version 3.0.04 Copyright 2000-2004 by Sharp Corporation. All rights reserved. Reproduction, adaptation or translation without prior written permission is prohibited,

More information

ReadyNAS Replicate. Software Reference Manual. 350 East Plumeria Drive San Jose, CA 95134 USA. November 2010 202-10727-01 v1.0

ReadyNAS Replicate. Software Reference Manual. 350 East Plumeria Drive San Jose, CA 95134 USA. November 2010 202-10727-01 v1.0 ReadyNAS Replicate Software Reference Manual 350 East Plumeria Drive San Jose, CA 95134 USA November 2010 202-10727-01 v1.0 2010 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced,

More information

Virtual Managment Appliance Setup Guide

Virtual Managment Appliance Setup Guide Virtual Managment Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance As an alternative to the hardware-based version of the Sophos Web Appliance, you can deploy

More information

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 This document supports the version of each product listed and supports all subsequent versions until the document

More information

Chapter 4 Customizing Your Network Settings

Chapter 4 Customizing Your Network Settings . Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the Wireless-G Router Model WGR614v9, including LAN, WAN, and routing settings. It

More information

Chapter 15: Advanced Networks

Chapter 15: Advanced Networks Chapter 15: Advanced Networks IT Essentials: PC Hardware and Software v4.0 1 Determine a Network Topology A site survey is a physical inspection of the building that will help determine a basic logical

More information

Contents. Platform Compatibility. SonicOS

Contents. Platform Compatibility. SonicOS SonicOS Contents Platform Compatibility... 1 Licensing... 2 Key Features... 2 Known Issues... 5 Resolved Issues... 7 Upgrading SonicOS Image Procedures... 8 Related Technical Documentation... 13 Platform

More information

eprism Email Security Suite

eprism Email Security Suite Guide eprism 2505 eprism Email Security Suite 800-782-3762 www.edgewave.com 2001 2012 EdgeWave. All rights reserved. The EdgeWave logo is a trademark of EdgeWave Inc. All other trademarks and registered

More information

Prestige 202H Plus. Quick Start Guide. ISDN Internet Access Router. Version 3.40 12/2004

Prestige 202H Plus. Quick Start Guide. ISDN Internet Access Router. Version 3.40 12/2004 Prestige 202H Plus ISDN Internet Access Router Quick Start Guide Version 3.40 12/2004 Table of Contents 1 Introducing the Prestige...3 2 Hardware Installation...4 2.1 Rear Panel...4 2.2 The Front Panel

More information

Availability Digest. www.availabilitydigest.com. Redundant Load Balancing for High Availability July 2013

Availability Digest. www.availabilitydigest.com. Redundant Load Balancing for High Availability July 2013 the Availability Digest Redundant Load Balancing for High Availability July 2013 A large data center can comprise hundreds or thousands of servers. These servers must not only be interconnected, but they

More information

Installing and Configuring vcenter Support Assistant

Installing and Configuring vcenter Support Assistant Installing and Configuring vcenter Support Assistant vcenter Support Assistant 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Chapter 7 Troubleshooting

Chapter 7 Troubleshooting Chapter 7 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 200. After each problem description, instructions are provided to help you diagnose and

More information

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet Review questions 1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet C Media access method D Packages 2 To which TCP/IP architecture layer

More information

High Availability. FortiOS Handbook v3 for FortiOS 4.0 MR3

High Availability. FortiOS Handbook v3 for FortiOS 4.0 MR3 High Availability FortiOS Handbook v3 for FortiOS 4.0 MR3 FortiOS Handbook High Availability v3 2 May 2014 01-431-99686-20140502 Copyright 2014 Fortinet, Inc. All rights reserved. Fortinet, FortiGate,

More information

OSBRiDGE 5XLi. Configuration Manual. Firmware 3.10R

OSBRiDGE 5XLi. Configuration Manual. Firmware 3.10R OSBRiDGE 5XLi Configuration Manual Firmware 3.10R 1. Initial setup and configuration. OSBRiDGE 5XLi devices are configurable via WWW interface. Each device uses following default settings: IP Address:

More information

GregSowell.com. Mikrotik Basics

GregSowell.com. Mikrotik Basics Mikrotik Basics Terms Used Layer X When I refer to something being at layer X I m referring to the OSI model. VLAN 802.1Q Layer 2 marking on traffic used to segment sets of traffic. VLAN tags are applied

More information

How To Backup a SmartCenter

How To Backup a SmartCenter How To Backup a SmartCenter 6 April 2011 2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing

More information

GLBP - Gateway Load Balancing Protocol

GLBP - Gateway Load Balancing Protocol GLBP - Gateway Load Balancing Protocol Gateway Load Balancing Protocol (GLBP) protects data traffic from a failed router or circuit, like Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy

More information

Cisco AnyConnect Secure Mobility Solution Guide

Cisco AnyConnect Secure Mobility Solution Guide Cisco AnyConnect Secure Mobility Solution Guide This document contains the following information: Cisco AnyConnect Secure Mobility Overview, page 1 Understanding How AnyConnect Secure Mobility Works, page

More information

Intelligent Power Protector User manual extension for Microsoft Virtual architectures: Hyper-V 6.0 Manager Hyper-V Server (R1&R2)

Intelligent Power Protector User manual extension for Microsoft Virtual architectures: Hyper-V 6.0 Manager Hyper-V Server (R1&R2) Intelligent Power Protector User manual extension for Microsoft Virtual architectures: Hyper-V 6.0 Manager Hyper-V Server (R1&R2) Hyper-V Manager Hyper-V Server R1, R2 Intelligent Power Protector Main

More information

Security Gateway R75. for Amazon VPC. Getting Started Guide

Security Gateway R75. for Amazon VPC. Getting Started Guide Security Gateway R75 for Amazon VPC Getting Started Guide 7 November 2011 2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright

More information

Chapter 12 Supporting Network Address Translation (NAT)

Chapter 12 Supporting Network Address Translation (NAT) [Previous] [Next] Chapter 12 Supporting Network Address Translation (NAT) About This Chapter Network address translation (NAT) is a protocol that allows a network with private addresses to access information

More information

Packet Capture. Document Scope. SonicOS Enhanced Packet Capture

Packet Capture. Document Scope. SonicOS Enhanced Packet Capture Packet Capture Document Scope This solutions document describes how to configure and use the packet capture feature in SonicOS Enhanced. This document contains the following sections: Feature Overview

More information

LifeSize UVC Access Deployment Guide

LifeSize UVC Access Deployment Guide LifeSize UVC Access Deployment Guide November 2013 LifeSize UVC Access Deployment Guide 2 LifeSize UVC Access LifeSize UVC Access is a standalone H.323 gatekeeper that provides services such as address

More information

Chapter 7 Configuring Trunk Groups and Dynamic Link Aggregation

Chapter 7 Configuring Trunk Groups and Dynamic Link Aggregation Chapter 7 Configuring Trunk Groups and Dynamic Link Aggregation This chapter describes how to configure trunk groups and 802.3ad link aggregation. Trunk groups are manually-configured aggregate links containing

More information