29 March 2011 R75 Release Notes


© 2011 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Documentation

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11647

For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Revision History

| Date | Description |
|---|---|
| 29 March 2011 | Added instructions about Endpoint Security VPN R75 ("What's New in R75" on page 5) |
| 17 February 2011 | Updated Compatibility with Gateways and Endpoint Clients (on page 16) to exclude support for NGX R62 gateways |
| 27 January 2011 | Updated DLP note in Security Gateway Software Blades (on page 13) |
| 19 January 2011 | Updated the supported web browsers for the DLP portal ("Security Gateway Software Blades" on page 13) |
| 30 December 2010 | Added that you must install HFA70 on NGX R65 for IPSO 6.2 before you upgrade to R75 ("Supported Management and Gateway Upgrade Paths" on page 16) |
| 26 December 2010 | First release of this document |

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (mailto:[email protected]?subject=Feedback on R75 Release Notes ).

Contents

Important Information
Introduction to R75
What's New in R75
  New Terms
  Minor Release Content
Supported Products
  Software Licensing
    Enforcement of IPS Software Blade Licenses
  Build Numbers
  Supported Security Products by Platform
    Security Software Containers
    Security Gateway Software Blades
    Security Management Software Blades
  Clients and Consoles by Windows Platform
  Supported Upgrade Paths and Interoperability
    Supported Management and Gateway Upgrade Paths
    Compatibility with Gateways and Endpoint Clients
    IPS-1 Upgrade Paths and Interoperability
Platform Provisions and Requirements
  SecurePlatform
  IPSO
  Linux
  Microsoft Windows
  Solaris
  Maximum Number of Interfaces Supported by Platform
Minimum System Requirements
  Security Gateway Hardware Requirements
  Security Management Hardware Requirements
  SmartConsole and SmartDomain Manager Hardware Requirements
  Multi-Domain Security Management Requirements
    Multi-Domain Security Management Resource Consumption
  SmartEvent Requirements
  SmartReporter Requirements
    Optimizing SmartReporter Performance
  Performance Pack
  SecureClient Requirements
  Endpoint Security Server and Client Requirements
Known Limitations

Introduction to R75

Thank you for installing Check Point version R75. Please read this document carefully before installing R75.

Note - For more information about R75 and to download the software, go to the R75 Home Page (http://supportcontent.checkpoint.com/solutions?id=sk58362).

What's New in R75

Check Point R75 is based on the Software Blades Architecture™.

Check Point Identity Awareness™ in the Check Point Security Gateway™

Identity-based Firewall and Application Control policies including users, user groups and machines

Logging of user identities makes troubleshooting simpler and allows better trend analysis

Multiple and flexible methods for obtaining user identity including seamless integration with Active Directory (no need to install agent on Domain Controller), captive web portal for clientless user authentication or thin client for strong authentication and impersonation prevention based on unique patent-pending technology for light signature of packet information

Scalable identity sharing between multiple gateways to identify users in one or many sites and share with other gateways in the same or different sites

Check Point Application Control Software Blade™

Granular Application Control to identify, allow or block thousands of applications

Largest application library with AppWiki - Comprehensive application control leveraging the largest application library that scans and detects more than 100,000 applications and Social Network widgets

Auto-updates for applications database on the gateway (NO need to re-install policy)

Detect rapidly changing Social Network Widgets via online service

Integrated Check Point DLP™ Software Blade™

Check Point's innovative Data Loss Prevention™, now available as an integrated Software Blade.

Prevents data loss of critical business information

Network-based solution prevents breach of corporate data

Compliance with data protection standards (such as PCI-DSS, HIPAA, GLBA, SOX, etc.)

Cutting edge technology for DLP processes enforcement

Innovative MultiSpect™ data classification engine combines users, content and process into accurate decisions

New UserCheck™ technology empowers users to remediate incidents

Low maintenance, self-educating system does not require IT/security personnel in incident handling while educating the users on proper data sharing policies

Easy deployment for immediate data loss prevention

Less than one day deployment of preventative DLP solution

Over 250 pre-defined types to create your own policy

Better control and auditing capabilities with centralized security management

New DLP features:

ClusterXL® HA support: the quarantine database is synchronized between cluster members

Incident storage at Management server


Check Point Mobile Access Blade™

Remote Access - SSL VPN technology is used for secure encrypted communication from unmanaged mobile devices, PCs and Macs to your corporate IT infrastructure

Check Point Mobile™ Client - For simple and secure connectivity to corporate resources from smartphones and PCs

Mobile Access Portal - For connecting securely to corporate resources through a portal from a web browser

SSL Network Extender (On-demand client - SNX) - For secure connectivity to corporate resources using non-web-based applications via an on-demand, dissolvable client

Endpoint Security™ VPN R75

Endpoint Security VPN introduces the Next Generation of SecureClient®, including 64-bit support. It provides mobile users seamless and secure connectivity to corporate resources by establishing an encrypted and authenticated IPSec tunnel with Check Point Security Gateways.

This version includes a deployment package of Endpoint Security VPN R75. By default, Endpoint Connect clients are upgraded automatically to Endpoint Security VPN R75. After you upgrade the Security Management server and install a policy, users who connect with Endpoint Connect clients get a prompt to accept an automatic upgrade. The included deployment package cannot upgrade SecureClient to Endpoint Security VPN R75. SecureClient users are not affected.

To disable the automatic upgrade of the VPN clients, do this before installing or upgrading the Security Management server:

1. Open Global Properties > Remote Access > Endpoint Connect.

2. Set Client upgrade mode to Do not upgrade.

Enhanced Check Point IPS™ Signature Support

Increase scalability of the IPS engine when adding many more protections

Decrease memory footprint (currently some pattern based protections require large memory footprint)

Provide a new framework for using non-regular keywords replacing complex regular expressions

Enhance the IPS engine to support simpler and more efficient CIFS and DCE-RPC protections

Multi-Domain Security Management™ (based on proven Provider-1® technology)

R75 supports the new licensing scheme of Multi-Domain Security Management. You can easily convert an existing Security Management deployment to a Multi-Domain Security Management deployment by adding Software Blades.

Other Improvements

Security Management Server supports Series 80 Appliances™ gateways for centrally managed branch offices

You can set a different authentication method per blade on the same gateway. For example, a user can login to Mobile Access with certificate authentication and login to DLP with username and password authentication. In Gateway Properties, configure the desired authentication method for Check Point IPSec VPN™ and Mobile Access in its respective Authentication page, and for Identity Awareness in its Authentication Settings page.

You can now use multiple portals over port 443 and port 80. For example, the SecurePlatform™ Web User interface and the Mobile Access portal can both be on port 443. In the SmartDashboard™ Gateway properties window, set the Portal URL for the different portals on the portal configuration pages.

The user search for remote access users works according to the user groups. If a user authenticates with an IPSEC VPN client and the user is in the LDAP groups of a Remote Access VPN Community, then the user will be found in the LDAP server. If a user authenticates to the Mobile Access portal, and the user is defined in the Access to Application rules as part of the Internal Database groups, the user will be found in the Internal Database.

New Terms

These product and technology names have changed for this version:

| Name Before R75 | Name Starting with R75 |
|---|---|
| Identity Logging | Identity Awareness |
| SSL VPN Software Blade | Mobile Access Software Blade |
| Provider-1 | Multi-Domain Security Management |
| Provider-1 MDG | SmartDomain Manager |
| Multi-domain server (MDS) | Multi-Domain Server |
| Customer | Domain |
| Customer Management Add-on (CMA) | Domain Management Server |
| Customer Log Module (CLM) | Domain Log Server |
| Multi-Domain Log Module (MLM) | Multi-Domain Log Server |

Minor Release Content

This release includes fixes and improvements that were initially distributed as part of NGX R65 HFA 70, R70.40 and R71.10. For more information about those releases, refer to:

R71.10 Release Notes (http://supportcontent.checkpoint.com/documentation_download?id=10909)

R70.40 Release Notes (http://supportcontent.checkpoint.com/documentation_download?id=10770)

VPN-1 NGX R65 HFA 70 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=10703)

Provider-1 NGX R65 HFA 70 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=10704)

Supported Products

In This Section

Software Licensing

Build Numbers

Supported Security Products by Platform

Clients and Consoles by Windows Platform

Supported Upgrade Paths and Interoperability

Software Licensing

From version R71, customers are required to use Software Blade licenses. If you have not yet migrated to Software Blade licenses, follow the migration options from Check Point’s website (http://www.checkpoint.com/products/promo/software-blades/upgrade/index.html).

From R71, the software license enforcement module checks that users have current Software Blade Licensing. Users who have installed R71 software using NGX-based licenses and not Software Blade licenses will receive warnings on the Security Gateways and SmartDashboard.

Enforcement of IPS Software Blade Licenses

Security Gateways with IPS Software Blades need to be under a valid IPS contract that has to be renewed annually. To manage your contracts go to your UserCenter account or contact your reseller.

Indications and notifications that IPS service contracts are expiring will appear in multiple locations, including the overview window of IPS in the SmartDashboard, SmartUpdate, and in the product reports of the customer’s Check Point UserCenter account.

If an IPS service contract has expired and the contract has not been renewed, the blade will remain operational with a signature set that was included in the GA of R70 (Q1/2009). Renew the IPS service contract to retrieve a full and updated signature set.

For more information about the IPS contract enforcement, refer to sk44175 (http://supportcontent.checkpoint.com/solutions?id=sk44175).

Build Numbers

The following table lists all R75 software products available, and the build numbers as they are distributed on the product DVD. To verify each product’s build number, use the given command format or direction within the GUI.

| Software Blade / Product | Build Number | Verifying Build Number |
|---|---|---|
| Security Gateway | Build 254 | fw ver |
| Security Management | Build 111 | fwm ver |
| SmartConsole Applications | Build 979000426 | Help > About Check Point <Application name> |
| Mobile Access | Build 085 | cvpn_ver |
| Multi-Domain Server | Build 153 | fwm mds ver |
| SmartDomain Manager | Build 979000125 | Help > About Check Point Multi-Domain Security Management |
| SecurePlatform | Build 145 | ver |
| Infrastructure (SVN Foundation) | Build 247 | cpshared_ver |
| Acceleration (Performance Pack) | Build 017 | sim ver -k |
| Advanced Networking (QoS) | Build 013 | fgate ver |
| Advanced Networking (Routing) | Build 005 | gated -ver |
| Monitoring (SVM Server) | Build 011 | rtm ver |
| Management Portal | Build 979000020 | cpvinfo /opt/CPportal-R75/portal/bin/smartportalstart |
| SmartEvent | Build 111 | cpsemd ver |
| SmartReporter | Build 157 | SVRServer ver |
| Endpoint Policy Server (SecureClient Policy Server) | Build 015 | dtps ver |
| SecuRemote/SecureClient R60 HFA1 | Build 019 | Help > About |
| UTM-1 Edge | Firmware 8.1.21 | Displayed on the default portal page |
| Endpoint Security Client R73 HFA1 | 7.6.165 | Right-click the System Tray icon and select About |
| Endpoint Security Server | 7.60.076.000 | About |

Compatibility Packages

| Package | Build Number | Verifying Build Number |
|---|---|---|
| CPNGXCMP-R75-00 | Build 008 | /opt/CPNGXCMP-R75/bin/fw_loader ver |
| CPV40Cmp-R75-00 | Build 008 | /opt/CPV40Cmp-R75/bin/fw_loader ver |
| CPEdgecmp-R75-00 | Build 007 | /opt/CPEdgecmp-R75/bin/fw ver |
| CPCON66CMP-R75-00 | Build 006 | /opt/CPCON66CMP-R75/bin/fw_loader ver |
| CPCON62CMP-R75-00 | Build 007 | /opt/CPCON62CMP-R75/bin/fw_loader ver |
| CPR71CMP-R75-00 | Build 012 | /opt/CPR71CMP-R75/bin/fw_loader ver |
| CPSG80CMP-R75-00 | Build 002 | /opt/CPSG80CMP-R75/bin/fw_loader ver |

Supported Security Products by Platform

These tables show the security products related to this release and on which platforms they are supported.

Security Software Containers

Software containers are supported on these operating systems and platforms.

Software Blade Containers

Check Point Platforms and Operating Systems

Secure Platform

Smart-1

Smart-1 SmartEvent

Power-1 UTM-1 IPSO

Disk-based

1

IPSO

Flash-based

1

Security Management

(5, 25, 50)

Security Gateway

Multi-Domain Security Management

(50, 150)

Software Blade Containers

Other Platforms and Operating Systems

For more about supported operating system versions, refer to Operating System Versions (on page 12).

Microsoft RedHat Linux Crossbeam3 Solaris

Windows Server

2003, 2008

Windows

XP, 7

RHEL

5.0, 5.4

X-series Ultra-SPARC

8, 9, 10

Security Management

Security Gateway

Multi-Domain Security Management

2

Notes about Security Software Containers

1. The supported IP Appliances models are 150, 290, 390, 560, 690, 1280, and 2450.

2. We recommend that you install Multi-Domain Security Management on Sun M-Series servers. We do not recommend that you install Multi-Domain Security Management on Sun T-Series servers.

3. Crossbeam support is planned to be available in Q1 '11.


Operating System Versions

The versions of the Microsoft and RedHat operating systems that are listed in the Security Software Containers table ("Security Software Containers" on page 11) are:

| Operating System | Editions | Service Pack | 32 or 64-bit |
|---|---|---|---|
| Microsoft | | | |
| Windows XP | Professional | SP3 | 32-bit |
| Windows 2003 Server | N/A | SP1 (note 1), SP2 | 32-bit |
| Windows 2008 Server | N/A | SP1, SP2 | 32-bit, 64-bit (note 2) |
| Windows 7 | Professional, Enterprise, Ultimate | N/A | 32-bit, 64-bit |
| RedHat | | | |
| RHEL 5.0 | | N/A | 32-bit |
| RHEL 5.4 kernel 2.6.18 | | N/A | 32-bit |

Notes -

1. For Windows 2003 SP1, you must install the hotfix specified in Microsoft KB 906469 (http://support.microsoft.com/kb/906469).

2. Windows 2008 Server 64-bit is supported for Security Management only.

Dedicated Gateways

To install R75 on an R71 DLP open server, do a clean install of R75.

These dedicated gateways cannot be upgraded to R75:

Open Server - IPS-1 Sensor, VSX

Appliances - DLP-1, Series 80, UTM-1 Edge, IPS-1 Sensor, VSX-1


Security Gateway Software Blades

Software Blade Operating System

Check Point Microsoft Crossbeam1

Secure Platform

IPSO 6.2 Disk- based

IPSO 6.2 Flash- based

Windows Server 2003

Windows Server 2008

X-series

Firewall

Firewall with Identity Awareness

2

3

3

IPSec VPN

IPS

Mobile Access

DLP4

Application Control

Anti-Virus & Anti-Malware

URL Filtering

Anti-Spam & Email Security

Web Security

Advanced Networking - QOS

Advanced Networking - Dynamic Routing and Multicast Support

Acceleration & Clustering 5

5

6

Notes about Security Gateway Software Blades

1. Crossbeam support is planned to be available in Q1 '11.

2. Identity Awareness supports connections to Microsoft Active Directory (AD) on Windows Server 2003 and 2008. Connections to AD on Windows Server 2000 are not supported.

3. IPSO supports identity enforcement and logging. For Identity Acquisition (AD Query, Identity Agents and Captive Portal) use a SecurePlatform gateway and share the identities with your IPSO gateways.

4. DLP is supported in High-Availability clusters, including Full HA.

On UTM-1 130/270, you can either use DLP with Firewall and other Security Gateway software blades, or with Firewall and Security Management software blades.

The DLP portal supports these web browsers: Internet Explorer 6, 7, 8; Firefox 3; Chrome 8; and Safari 5.

5. Only Clustering is supported on Windows. Acceleration is not supported.

6. Only third-party clustering is supported on Crossbeam.


Security Management Software Blades

Software Blade Operating System

Check Point Microsoft RedHat Linux

Solaris

Secure Platform

IPSO 6.2 Disk- based

Windows Server 2003

Windows Server 2008

Windows XP, 7

RHEL 5.0, 5.4

Ultra- SPARC

Network Policy Management

Network Policy Management with Identity Awareness

Endpoint Policy Management

Logging & Status

Monitoring

SmartProvisioning

Management Portal*

User Directory

SmartWorkflow

SmartEvent

SmartReporter

* Management Portal is supported on the following Web browsers: Internet Explorer 7, and Mozilla Firefox 1.5 - 3.0


Clients and Consoles by Windows Platform

Check Point Product

XP Home (SP3) 32-bit

XP Pro (SP3) 32-bit

Server 2003 (SP1-2) 32-bit

Vista (SP1) 32-bit

Vista (SP1) 64-bit

Server 2008 (SP1-2) 32-bit

Windows 7 Ultimate & Enterprise 32-bit

Windows 7 Ultimate & Enterprise 64-bit

SmartConsole

SmartDomain Manager

SecureClient

Endpoint Security VPN

2

2

SSL Network Extender

1

1

DLP UserCheck

Identity Agent 2

2

Notes about Clients and Consoles

1. SSL Network Extender is supported on Windows 7 for Network Mode only.

2. Endpoint Security VPN and Identity Agent clients support all editions of Windows 7.


Supported Upgrade Paths and Interoperability

R75 supports upgrading from lower software versions and management of lower Security Gateway versions.

Supported Management and Gateway Upgrade Paths

You can upgrade these Security Management server and Security Gateway versions to R75:

NGX R65

NGX R65 for SecurePlatform 2.6

NGX R65 for IPSO 6.2 (with HFA70 only)

NGX R65 Connectra NGX R66 Plug-in

NGX R65 with Messaging Security

NGX R65 VSX NGX R65 Management Plug-in

NGX R65.3

NGX R65 UTM-1/Power-1

R70, R70.1, R70.20, R70.30, R70.40

R71, R71.10, R71.20

Important

Upgrading from NGX R65.4 to R75 or higher is not supported.

To upgrade Check Point Suite Products lower than NGX R65 to R75, you must first upgrade to NGX R65 and then to R75.

Upgrading from NGX R65

When you upgrade from NGX R65, only these plug-ins may be present: Connectra, SmartProvisioning, VSX, and Messaging Security. The presence of any other plug-in will cause the upgrade process to fail.

If you upgrade from NGX R65 with plug-ins to R75, and later want to uninstall R75 (rollback to NGX R65), follow the instructions in sk37252 (http://supportcontent.checkpoint.com/solutions?id=sk37252).

Compatibility with Gateways and Endpoint Clients

R75 Security Management server can also manage gateways and endpoint clients with these versions:

| Release | Version |
|---|---|
| Gateways | |
| Security Gateway | NGX R65, R70, R70.1, R70.20, R70.30, R70.40, R71, R71.10, R71.20 |
| DLP-1 | R71 and higher |
| IPS-1 | R71 |
| Series 80 | Series 80 |
| VSX | VSX NGX R65, VSX NGX R67 |
| Connectra Centrally Managed | NGX R62 and R66 |
| UTM-1 Edge | 7.5.x and above |
| GX | 4.0 |
| Endpoint Clients | |
| SecureClient | up to SecureClient NGX R60 HFA 3 with support for Windows 7 32-bit |
| Endpoint Connect | up to Endpoint Security VPN R75 for Windows |
| Endpoint Security | up to R73 HFA1 |

Note -

R75 Security Management servers cannot manage gateway versions lower than NGX R65.

IPS-1 Upgrade Paths and Interoperability

R75 Security Management servers can only manage R71 IPS-1 Sensors. To upgrade pre-R71 IPS-1 Sensors, do a clean install of R71 IPS-1 Sensor software on the IPS-1 Sensor. (http://supportcontent.checkpoint.com/documentation_download?ID=10327)

Platform Provisions and Requirements

In This Section

SecurePlatform

IPSO

Linux

Microsoft Windows

Solaris

Maximum Number of Interfaces Supported by Platform

SecurePlatform

This release is shipped with the latest SecurePlatform operating system, which supports a large variety of hardware, including open servers and network interface cards. See a comprehensive list of certified hardware (http://www.checkpoint.com/services/techsupport/hcl/index.html).

Check this list before installing SecurePlatform on the target hardware.

Note - Cross-platform High Availability is supported if all of the platforms are either SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).

IPSO

When installing this release on IPSO:

Advanced Routing and SecureXL are included by default.

Clustering on IPSO supports VRRP and IP Clustering.

UTM-1 Edge devices cannot be managed from a Security Management server running on IPSO.

All available configurations (Disk-based, Flash-based and Hybrid) of currently available IP Series platforms are supported.

Linux

Before you install Security Management on Red Hat Enterprise Linux 5:

1. Install the sharutils-4.6.1-2 package

a) Check if you have the sharutils-4.6.1-2 package installed by running: rpm -qa | grep sharutils-4.6.1-2

b) If the package is not already installed, install it by running: rpm -i sharutils-4.6.1-2.i386.rpm

This package can be found on CD 3 of RHEL 5.

2. Install the compat-libstdc++-33-3.2.3-61 package

a) Check if you have the compat-libstdc++-33-3.2.3-61 package by running: rpm -qa | grep compat-libstdc++-33-3.2.3-61

b) If the package is not already installed, install it by running: rpm -i compat-libstdc++-33-3.2.3-61.i386.rpm

This package can be found on CD 2 of RHEL 5.

3. Disable SELinux

a) Check if SELinux is disabled by running: getenforce

b) If SELinux is enabled, disable it by setting SELINUX=disabled in the /etc/selinux/config file and rebooting the machine.
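The three checks above combined into one pre-install script, as an added example that is not part of the original release notes or Check Point tooling. The function names are hypothetical; the package strings and the SELINUX=disabled setting are the ones given in the steps above.

```sh
#!/bin/sh
# Added example: verifies the RHEL 5 prerequisites listed in the steps above.
# Function names are hypothetical, not part of any Check Point tool.

# Package name-version-release strings exactly as given in the release notes.
REQUIRED_PKGS="sharutils-4.6.1-2 compat-libstdc++-33-3.2.3-61"

# has_pkg LISTING PKG
# LISTING is the text printed by `rpm -qa`. Succeeds only when a line equals
# PKG, or is PKG followed by ".<suffix>" (rpm builds that append the
# architecture). Unlike a bare grep, "." and "+" are matched literally and
# "sharutils-4.6.1-20" does not satisfy "sharutils-4.6.1-2".
has_pkg() {
    found=1
    while IFS= read -r line; do
        case $line in
            "$2" | "$2".*) found=0 ;;
        esac
    done <<EOF
$1
EOF
    return $found
}

# selinux_config_value FILE
# Prints the value of the active SELINUX= line. Comment lines and the
# SELINUXTYPE= line in the same file are ignored.
selinux_config_value() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" | tail -n 1
}

# check_prereqs LISTING GETENFORCE_OUTPUT CONFIG_FILE
# Prints one line per check and returns non-zero if any check fails.
# Both the running state and the config file are checked, because the
# release notes require the setting to be in place across the reboot.
check_prereqs() {
    rc=0
    for pkg in $REQUIRED_PKGS; do
        if has_pkg "$1" "$pkg"; then
            echo "OK       $pkg"
        else
            echo "MISSING  $pkg"
            rc=1
        fi
    done
    if [ "$2" = "Disabled" ]; then
        echo "OK       SELinux running state: Disabled"
    else
        echo "FAIL     SELinux running state: $2"
        rc=1
    fi
    cfg=$(selinux_config_value "$3")
    if [ "$cfg" = "disabled" ]; then
        echo "OK       $3: SELINUX=disabled"
    else
        echo "FAIL     $3: SELINUX=${cfg:-<not set>}"
        rc=1
    fi
    return $rc
}

# On the target host: sh precheck.sh --run
if [ "${1:-}" = "--run" ]; then
    check_prereqs "$(rpm -qa)" "$(getenforce)" /etc/selinux/config
fi
```

Run it with --run on the target host before starting the installer; without arguments it only defines the functions.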

Note - Cross-platform High Availability is supported if all of the platforms are either SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).

Microsoft Windows

High Availability Legacy mode is not supported on Windows.

Note - Cross-platform High Availability is supported if all of the platforms are either SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).

Solaris

Security Management Server and Multi-Domain Security Management are supported with Solaris running on UltraSPARC 64-bit platforms (see Management Products by Platform ("Supported Security Products by Platform" on page 11)). R71 Security Gateways are not supported on Solaris.

Required Packages

SUNWlibC

SUNWlibCx (except Solaris 10)

SUNWter

SUNWadmc

SUNWadmfw

Required Patches

The patches listed below are required to run Check Point software on Solaris platforms. They can be downloaded from http://sunsolve.sun.com.

To display your current patch level, use the command: showrev -p | grep <patch number>

Platform Required Recommended Notes

Solaris 8

108528-18 If the patches 108528-17 and 113652-01 are installed, remove 113652-01, and then install 108528-18.

110380-03

109147-18


109326-07

108434-01 Required only for 32 bit systems

108435-01 Required only for 64 bit systems

109147-40 or higher

Solaris 9

112233-12

112902-07

116561-03 Only if dmfe(7D) Ethernet driver is defined on the machine

112963-25 or higher

Solaris 10 117461-08 or higher

We recommend that you install Multi-Domain Security Management on Sun M-Series servers. We do not recommend that you install Multi-Domain Security Management on Sun T-Series servers.

Note - Cross-platform High Availability is supported if all of the platforms are either SecurePlatform, Linux, or Solaris. It is not supported with Windows and non-Windows platforms (SecurePlatform, Linux, and Solaris).

Maximum Number of Interfaces Supported by Platform

The maximum number of interfaces supported (physical and virtual) is shown by platform in the following table.

| Platform | Max Number of Interfaces | Notes |
|---|---|---|
| SecurePlatform | 1015 | 1. SecurePlatform supports 255 virtual interfaces per physical interface. 2. When using Dynamic Routing on SecurePlatform, 200 virtual interfaces per physical interface are supported. |
| IPSO | 1024 | |
| Windows | 32 | |

Minimum System Requirements

In This Section

Security Gateway Hardware Requirements

Security Management Hardware Requirements

SmartConsole and SmartDomain Manager Hardware Requirements

Multi-Domain Security Management Requirements

SmartEvent Requirements

SmartReporter Requirements

Performance Pack

SecureClient Requirements

Endpoint Security Server and Client Requirements

Security Gateway Hardware Requirements

For open servers:

| Component | Windows | SecurePlatform on Open Servers | Linux |
|---|---|---|---|
| Processor | Intel Pentium IV or 1.5 GHz equivalent | Intel Pentium IV or 2 GHz equivalent | Intel Pentium IV or 2 GHz equivalent |
| Free Disk Space | 1GB | 10GB | 1.4GB |
| Memory | 512MB | 512MB | 512MB |
| Optical Drive | Yes | Yes | Yes |
| Network Adapter | One or more | One or more supported cards | One or more |


Security Management Hardware Requirements

For open servers:

| Component | Windows | Linux | SecurePlatform on Open Servers | Solaris |
|---|---|---|---|---|
| Processor | Intel Pentium Processor E2140 or 2 GHz equivalent processor | Intel Pentium Processor E2140 or 2 GHz equivalent processor | Intel Pentium Processor E2140 or 2 GHz equivalent processor | Sun UltraSPARC IV and higher |
| Free Disk Space | 1GB | 1.4GB | 10GB (installation includes OS) | 1GB |
| Memory | 1GB | 1GB | 1GB | 512MB |
| Optical Drive | Yes | Yes | Yes (bootable) | Yes |
| Network Adapter | One or more | One or more | One or more | One or more |

SmartConsole and SmartDomain Manager Hardware Requirements

The following table shows the minimum hardware requirements for console applications, including SmartDashboard, SmartView Tracker, SmartView Monitor, SmartProvisioning, SmartReporter, SmartEvent, SecureClient Packaging Tool, SmartUpdate, and SmartDomain Manager.

| Component | Windows |
|---|---|
| CPU | Intel Pentium Processor E2140 or 2 GHz equivalent processor |
| Memory | 512MB |
| Disk Space | 500MB |
| Optical Drive | Yes |
| Video Adapter | Minimum resolution: 1024 x 768 |

Multi-Domain Security Management Requirements

The minimum system requirements recommended for optimal performance:

| Component | Linux | Solaris | SecurePlatform |
|---|---|---|---|
| CPU | Intel Pentium Processor E2140 or 2 GHz equivalent processor | UltraSPARC III 900MHz | Intel Pentium Processor E2140 or 2 GHz equivalent processor |
| Memory | 4GB | 4GB | 4GB |
| Disk Space | 2GB | 2GB | 10GB (install includes OS) |
| Optical Drive | Yes | Yes | Yes (bootable) |

Multi-Domain Security Management Resource Consumption

Actual disk space consumption depends on the scale of the deployment. The larger the deployment, the more disk space, memory, and CPU is required.

The Multi-Domain Security Management disk space requirements are:

For basic Multi-Domain Server installation: 2GB (1GB /opt; 1GB /var/opt).

For each Domain Management Server: 400MB (for the Domain Management Server directory located in /var/opt).

SmartEvent Requirements

SmartEvent can be installed on a Security Management server or on a dedicated machine.

| Component | Windows/Linux/SecurePlatform |
|---|---|
| CPU | Intel Pentium IV 2.8 GHz |
| Memory | 4GB |
| Disk Space | 25GB |

SmartEvent is not supported on Solaris platforms.

Note - To optimize SmartEvent performance:

Use the fastest disk available with the highest RPM, and a large buffer size.

Increase the machine's memory.

SmartReporter Requirements

These hardware requirements are for a SmartReporter server that processes at least 15GB of logs per day and generates reports according to the performance numbers. For deployments that will generate fewer logs per day, a machine with less CPU or memory can be used, but this may cause performance degradation.

SmartReporter can be installed on a Security Management server or on a dedicated machine.

| Component | Windows & Linux Minimum | Windows & Linux Recommended | Solaris |
|---|---|---|---|
| CPU | Intel Pentium IV 2.0 GHz | Dual CPU 3.0 GHz | UltraSPARC III 900 MHz |
| Memory | 1GB | 2GB | 1GB |
| Disk Space - Installation | 80MB | 80MB | 80MB |
| Disk Space - Database | 60GB (40GB for database, 20GB for temp directory) (on 2 physical disks) | 100GB (60GB for database, 40GB for temp directory) | 60GB (40GB for database, 20GB for temp directory) |
| DVD Drive | Yes | Yes | Yes |

Optimizing SmartReporter Performance

The following tips are recommended to optimize SmartReporter performance:

Disable DNS resolution - consolidation performance may improve to 32GB of logs per day.

Configure the network connection between the SmartReporter server and the Security Management or Log server to the optimal speed.

Use the fastest disk available with the highest RPM (revolutions per minute) and a large buffer size.

Use UpdateMySQLConfig to tune the database configuration and adjust the consolidation memory buffers to use the additional memory.

Increase the machine's memory, as it significantly improves performance.

Install an uninterruptible power supply (UPS) for the SmartReporter Server.

Performance Pack

The recommended platform configuration is to use Performance Pack on a platform configured with a Quad-Core Intel Xeon Processor 5xxx with 6GB RAM, or more.

Check Point appliances with such configuration include:

Power-1 11000 Series

Examples of open servers with such configurations include:

HP ProLiant DL-360 G6

HP ProLiant DL-380 G6

Dell PowerEdge R610

Dell PowerEdge R710

IBM System x3550 M2

IBM System x3650 M2

SecureClient Requirements

For information about SecureClient Requirements, see the SecureClient NGX R66 Release Notes (http://downloads.checkpoint.com/dc/download.htm?ID=8371).

Endpoint Security Server and Client Requirements

For Endpoint Security Server and Client requirements, refer to the Endpoint Security R73 HFA1 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=11547).

Known Limitations

Known Limitations for R75 are in sk59040 (http://supportcontent.checkpoint.com/solutions?id=sk59040).