FireWall-1 GX 4.0 Release Notes - Check Point Software


FireWall-1 GX 4.0 Release Notes
December 1, 2008

IMPORTANT
Before you begin installation, read the latest available version of these release notes at: nts/index.html

In This Document
What’s New in FireWall-1 GX 4.0
Information About This Release
Known Limitations and Clarifications

Copyright December 1, 2008 Check Point Software Technologies, Ltd. All rights reserved

What’s New in FireWall-1 GX 4.0

Check Point continues to add features and flexibility to its cellular security offerings. This release focuses on security in the following areas: User traffic acceleration, bandwidth demands, and dynamic routing deployments. FireWall-1 GX 4.0 has its own management console, capable of managing VPN-1 Pro NGX (R60), and any earlier module type. FireWall-1 GX 4.0 can also be managed by NGX R62 and NGX R65.

GTP User Traffic Acceleration

FireWall-1 GX 4.0 introduces GTP traffic acceleration with concomitant enforcement of GTP security filtering. Traffic acceleration provides significant improvements both in packet rate and throughput.

User traffic acceleration is available for Nokia IPSO 4.2.

PDP Context–Based Bandwidth Management

FireWall-1 GX is now able to allocate bandwidth to subscribers of partner networks by setting QoS rules for the partner networks. By leveraging QoS capabilities, FireWall-1 GX can be used to limit a certain bandwidth for user traffic per PDP Context. Different bandwidth criteria can be set for traffic from different partners. Each mobile user of a partner network receives the identical bandwidth, as set by the QoS rule.

Besides adding support for QoS on data packets (T-PDUs), FireWall-1 GX has improved the method of identifying the home network of mobile users. The user's home network can be specified via GTP service property (IMSI, APN or MS-ISDN), replacing the need to specify GGSN and SGSN IP addresses.

VPN-1/FireWall-1 FireWall-1 GX 4.0 Release Notes. Last Update — December 1, 2008

Information About This Release

Thank you for using Check Point's FireWall-1 GX. This document contains important information not included in the documentation. Review this information before installing your products.

In This Section
Verifying Component Build Numbers
Minimum Requirements
Installation Instructions

Verifying Component Build Numbers

The following table lists the various components of FireWall-1 GX 4.0. To verify each product’s build number, use the given command format or direction within the GUI.

Product                     CLI Command or GUI Selection
FireWall-1 GX 4.0           $FWDIR/bin/fw ver
FireWall-1 GX 4.0 kernel    $FWDIR/bin/fw ver -k
SmartConsole                Help > About Check Point SmartDashboard
SVN Foundation              $CPDIR/bin/cpshared ver

Minimum Requirements

Nokia

FireWall-1 GX 4.0 is supported for IPSO version 3.9 and later; however GTP acceleration requires IPSO 4.2 and later.

FireWall-1 GX 4.0 is supported on the following Nokia IP platforms:

Hardware Platform
Disk-based Platforms     IP130, IP260, IP330, IP350, IP380, IP390, IP530, IP560, IP650, IP690, IP710, IP740, IP1220, IP1260, IP1280, IP2255, IP2450
Flash-based Platforms    IP355, IP385, IP690, IP1220, IP1260, IP1280, IP2250, IP2450

Note - Nokia IPSO flash-based platform IP265 is currently not supported. Please contact Check Point Technical Services if you would like to use this platform.

For the latest information on which IPSO releases are supported, see the Nokia Support Website

Component          Minimum Requirement
Processor          Intel Pentium III
CPU                300 MHz or equivalent processor
Free Disk Space    10GB
Memory             256MB (512MB recommended)
CD-ROM Drive       Required bootable
Network Adapter    One or more
Video Adapter      Supports 1024 x 768 resolution

For details regarding SecurePlatform on specific hardware platforms, see: http://www.checkpoint.com/products/supported

Component          Minimum Requirement
Processor          Intel Pentium II
CPU                300MHz or equivalent processor
Free Disk Space    300MB
Memory             Linux: 256MB (512MB recommended)
CD-ROM Drive       Required
Network Adapter    One or more
Video Adapter      Supports 1024 x 768 resolution

Crossbeam

XOS 7.2.1 or later on X45, X40 and X80 chassis running on APM-8400 modules
XOS 7.3 or later on X45, X40 and X80 chassis running on APM-8600 modules
COS 6.0 or later on all models of the C2, C6, C12 and C25 platforms

Contact Crossbeam for the latest supported platform status.

Installation Instructions

Please see the FireWall-1 GX Getting Started Guide for installation instructions, and the FireWall-1 GX Upgrade Guide for Upgrade Instructions. You can download the documents ocuments/.

Known Limitations and Clarifications

1. In the Security Rule Base, all rules referring to SecureXL Templates that appear below rules relating to GTP are ignored. Be sure to place any rules referring to SecureXL templates above the GTP protocol rules in the Security Rule Base.
2. The FTP Security Server does not support GSSAPI authentication.
3. Intra-tunnel GTP traffic is not inspected if traffic is accelerated, even if intra-tunnel inspection is enabled.
4. Do not use the command fw tab -t gtp_tunnels -x -y to delete all entries in the gtp_tunnels table. Running this command affects the normal functioning of the gateway, and is not supported.
5. GTP traffic containing encapsulated fragmented IP packets (not the outer IP packets) is not accelerated.
6. In some cases QoS Policy is not enforced after turning on QoS. If this should occur, install the QoS Policy again (it is not necessary to re-install the security policy).
7. GTP traffic will not be accelerated if the MTU is larger than 1492. If the MTU is larger than 1492 the traffic will be fragmented, and thus not accelerated.
8. After editing the QoS tab in the GW topology for each cluster member, a warning "No interface was activated in QoS tab for this host (Inbound or Outbound). Do you want to continue?" is displayed. Ignore this warning.
9. When upgrading to GX4.0, the BC packages cannot be upgraded. Remove the BC packages, and reinstall them from the GX4.0 CD. This issue occurs only when upgrading from Firewall-1 GX NGX.
10. GX4.0 does not support VPN. The VPN checkbox in the gateway properties window can be selected but it will have no effect.
11. After upgrading to Firewall-1 GX 4.0, you may lose the SIC connection with gateways. To solve this issue, restart SIC on all affected gateways.
12. Policy installation that contains rules with GTP services fails when non-GX gateways are present. This issue occurs when the 'INSTALL ON' target of the GTP rule is set to 'Policy Targets'. To work around this issue, change the 'INSTALL ON' target to the specific GX gateways (for rules that contain GTP services).
13. GX 4.0 on SecurePlatform does not support upgrades from older GX versions.
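Limitations 1 and 12 can be checked before policy installation. The following is an added example, not Check Point code: the Rule fields, gateway names and rule base are a constructed, hypothetical export format and do not correspond to any Check Point API.

```python
from dataclasses import dataclass

POLICY_TARGETS = "Policy Targets"

@dataclass
class Rule:
    # Hypothetical export of one Security Rule Base row (assumed fields).
    number: int
    has_gtp_service: bool
    refers_to_securexl_template: bool
    install_on: tuple

def lint_rulebase(rules, gx_gateways, all_gateways):
    """Return (rule number, limitation number) pairs in rule-base order."""
    non_gx_present = bool(set(all_gateways) - set(gx_gateways))
    findings = []
    gtp_seen = False
    for rule in rules:
        # Limitation 1: template rules placed below a GTP rule are ignored.
        if rule.refers_to_securexl_template and gtp_seen:
            findings.append((rule.number, 1))
        if rule.has_gtp_service:
            gtp_seen = True
            # Limitation 12: GTP rule on 'Policy Targets' fails installation
            # when non-GX gateways are present.
            if non_gx_present and POLICY_TARGETS in rule.install_on:
                findings.append((rule.number, 12))
    return findings

# Constructed sample environment: one GX gateway and one non-GX gateway.
GX_GATEWAYS = ["gx-gw-1"]
ALL_GATEWAYS = ["gx-gw-1", "fw-edge-1"]

# Constructed rule base that trips both limitations.
SAMPLE_RULES = [
    Rule(1, True, False, (POLICY_TARGETS,)),
    Rule(2, False, True, (POLICY_TARGETS,)),
    Rule(3, True, False, ("gx-gw-1",)),
]

# Same rules after reordering and narrowing 'INSTALL ON' as the notes advise.
FIXED_RULES = [
    Rule(1, False, True, (POLICY_TARGETS,)),
    Rule(2, True, False, ("gx-gw-1",)),
    Rule(3, True, False, ("gx-gw-1",)),
]

if __name__ == "__main__":
    for number, limitation in lint_rulebase(SAMPLE_RULES, GX_GATEWAYS, ALL_GATEWAYS):
        print(f"rule {number}: see Known Limitation {limitation}")
```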
