Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Current Release Note Information on VPN-1/FireWall-1

Supported Platforms
The supported platforms for VPN-1/FireWall-1 are listed in Platform Summary:
Platform Summary

Component

Platforms

GUI Client

 Windows 9x, Windows NT 4.0 (SP3, SP4) -- Intel and compatibles only
  • X/Motif (Solaris, HP-UX 10.20, IBM AIX)

Management Module or FireWall Module

 Windows NT 4.0 (SP3, SP4) -- Intel and compatibles only
  • Solaris 2.6, Solaris Operating Environment 7 (formerly known as Solaris 2.7) -- SPARC and x86
  • HP-UX 10.20, 11.0
  • IBM AIX 4.2.1, 4.3.2

SecuRemote

Windows 9x, Windows NT 4.0 (SP3, SP4) -- Intel and compatibles only

Build Numbers
The build numbers for the VPN-1/FireWall-1 Version 4.1 components are given in Build Numbers.

Build Numbers

Product

Build Number

To verify, see ...

VPN-1/FireWall-1 GUI Clients (all platforms)

41437

Help '¤ About

fw executable (all platforms)

41439

$FWDIR/bin/fw ver

kernel module (AIX, HP-UX 10.20)

41436

$FWDIR/bin/fw ver -k

kernel module (Solaris, Windows NT, HP-UX 11)

41439

$FWDIR/bin/fw ver -k


Installation
HP-UX, x86 and AIX -- The installation wrapper installs only VPN-1/FireWall-1 and the integrated GUI. Other products must be installed individually, according to the procedures specified in the User Guides of those products.

Navigating in the Installation Wrapper -- If you click on this sequence of buttons: Distributed '¤ Next '¤ Prev '¤ Standalone, you will not be able to proceed forward. The solution is to back up one level, that is: Distributed '¤ Next '¤ Prev '¤ Standalone '¤ Prev '¤ Next '¤ Next.

Upgrading and Backward Compatibility
  1. For important information about upgrading VPN-1/FireWall-1 and backward compatibility, see the See Installing VPN-1/FireWall-1 chapter of Getting Started with VPN-1/FireWall-1.

  2. In order to be able to manage Version 3.0 or Version 4.0 VPN/FireWall Modules from a Version 4.1 Management Module, you must do one of the following:

  3. upgrades -- Upgrade the Management Module to Version 4.1 from Version 4.0 SP3. If the Management Module is pre-Version 4.0 SP3, then you must first upgrade it to Version 4.0 SP3 and then upgrade to Version 4.1.

  4. new installation -- Install the backward compatibility feature (on the Management Module). On Windows NT you will be asked whether to install the backward compatibility feature during the installation procedure. On Unix platforms, the backward compatibility feature is a separate package. Important: Do not install the backward compatibility feature if you are upgrading.

  5. When upgrading VPN-1/FireWall-1 directly, i.e. not via the installation wrapper, you must stop the following services (if they are running):

  6. FloodGate-1

  7. In the SmartView Reporter: Log Consolidator and Report Server

  8. If you install the backward compatibility feature, you will need a valid Version 4.0 license on the Management Module in order to manage Version 3.0 or Version 4.0 VPN/FireWall Modules. After installing the backward compatibility feature, install the Version 4.0 license as follows:
Unix
  1. Set the FWDIR environment variable to point to the directory where Version 4.0 is installed.

    2. platform

    directory

    Solaris

    /opt/CKPfw

    HP

    /FireWall-1

    AIX

    /usr/lpp/FireWall-1


  2. Install the Version 4.0 license using the $FWDIR/bin/fw putlic command.

  3. Restore FWDIR to its previous value (that is, to point to the directory where Version 4.1 is installed).
NT
  1. cd \winnt\fw1\4.1 -- This is the directory in which you installed VPN-1/FireWall-1.

  2. cd FW1_4.0_BC\bin

  3. fw putlic < a valid 4.0 license >

  4. fw printlic-- This command verifies that the license was added.

  5. If the machine was rebooted after the installation, then stop and restart VPN-1/FireWall-1 (from Control Panel/Services).

  6. When you upgrade, the $FWDIR/lib/control.map file is replaced. If you have made any changes to control.map, they will not be preserved in the new control.map, so you must make the same changes in the new version.

  7. Session Authentication Agent -- Installing the Version 4.1 Session Authentication Agent does not overwrite the Version 4.0 Session Authentication Agent. You must uninstall the Version 4.0 Session Authentication Agent (using the Control Panel's Add/Remove Programs applet) and then install the Version 4.1 Session Authentication Agent. Note that the Session Authentication Agent is shut down as part of the uninstallation process, so you must manually restart it (or reboot).
Installing VPN-1/FireWall-1
  1. HP-UX -- The Check Point installation procedure checks whether the /usr/lib/libCsup.1 file is at level 07. If not, you must apply the appropriate HP patch, as follows:

  2. HP-UX 11: PHSS_14577 or later

  3. HP-UX 10: PHSS_16585 or later

  4. HP-UX -- The Check Point CD is created in the Rock Ridge format. It is recommended by HP that pfs_mountd and pfsd be started by rc and invoked in the background.

    5. hostname# pfs_mountd &
    hostname# pfsd 4 &

These commands will start four pfs daemons with the default cache sizes.

Now you can use the following special mount command.

hostname# pfs_mount -t rrip /dev/device /cdrom

You can leave Rock Ridge running on your machine. If you wish to stop it, make sure that all mount commands have been terminated.

See the man page for the pfs_mount command for details on setting up an /etc/pfs_fstab file.

Uninstalling VPN-1/FireWall-1
  1. Before uninstalling VPN-1/FireWall-1, stop the ELA proxy (if it is running).

  2. Unix

    3. # cd $FWDIR/bin

    # ./elaproxyService -stop

    # ./elaproxyService -remove

NT

Stop the ELA proxy service (from Control Panel/Services) and change its startup state to manual.

  1. If both the VPN-1/FireWall-1 and Motif GUI packages are installed, and the VPN-1/FireWall-1 package is removed, then the $FWDIR/bin/fwpolicy executable file is deleted and the Motif GUI cannot be run. To prevent this from happening, make a copy of fwpolicy before uninstalling the VPN-1/FireWall-1 package and then copy fwpolicy back to its original location in $FWDIR/bin. You should also create symbolic links to fwpolicy named fwlog and fwstatus.

  2. The backward compatibility feature is not uninstalled when VPN-1/FireWall-1 is uninstalled, but must be separately uninstalled.

  3. Before uninstalling VPN-1/FireWall-1 Version 4.1 on HP-UX, ensure that you have at least 15 MB free in the /stand directory.
Downgrading
  1. If you upgrade a VPN/FireWall Module to Version 4.1 and afterwards downgrade it to Version 4.0 by uninstalling Version 4.1, then the Management Station still has a Version 4.1 Security Policy for this VPN/FireWall Module. After rebooting, the Version 4.0 VPN/FireWall Module will now try to fetch the Version 4.1 Security Policy, with which it is incompatible.

You can prevent this from happening as follows:

  1. Before rebooting the downgraded VPN/FireWall Module machine, remove (on the Management Station) all files named $FWDIR/state/<module host name>.*.
  2. In the Workstation Properties window for the VPN/FireWall Module, set the version number to 4.0.
  3. Reboot the VPN/FireWall Module machine.
  4. Install the Security Policy.
  5. When downgrading VPN-1/FireWall-1 you must stop the following services (if they are running):
  6. FloodGate-1
  7. In the SmartView Reporter: Log Consolidator and Report Server

Note that downgrading cannot be done through the installation wrapper.

VPN-1 Accelerator Card
  1. Installation and operating instructions for the VPN-1 Accelerator Card can be found in the Check Point VPN-1 Accelerator Card Installation Guide PDF file on the CD.
  2. A Version 4.1 VPN-1/FireWall-1 Management Station cannot manage a Version 4.0 VPN/FireWall Module with a VPN-1 Accelerator Card.
  3. VPN-1 Accelerator Card -- If you are upgrading from VPN-1/FireWall-1 Version 4.0 with the VPN-1 Accelerator Card, then you must uninstall the VPN-1 Accelerator Card, upgrade to VPN-1/FireWall-1 Version 4.1, and then install the VPN-1 Accelerator Card. You must do this on the Management Module and on each of the FireWall Modules. Note that VPN-1/FireWall-1 Version 4.1 cannot manage a Version 4.0 VPN-1 Accelerator card.
Certificates (PKI)
  1. There is no Entrust (PKI) functionality for the IBM AIX 4.3.2 platform. Solaris x68 supports Entrust 3.0 and VPN-1 Certificate Manager for registration and Entrust 4.0 for validation. Thus, if Entrust 4.0 is used, a Solaris x86 machine cannot function as a VPN-1/FireWall-1 Management Module but only as a VPN/FireWall Module.
  2. Verisign and Microsoft certificates are not supported on HP-UX.
  3. The clocks on a SecuRemote Client and the VPN-1/FireWall-1 Server must be synchronized if certificates are used for authentication. Differences in the time settings (date, time, daylight saving time policy in NT) will sometimes lead to failure in certificate validation.
  4. Each module can have multiple certificates only if each was issued by a different CA. In theory, for key renewal it should be possible to have temporarily two certificate objects of the same CA (until the new certificate is issued, then the old one is deleted), but this is not currently supported. For key renewal, an old certificate object must be deleted prior to creating a new certificate request.
  5. When retrieving a CRL from an LDAP server, VPN-1/FireWall-1 looks for it under one of the attributes: certificaterevocationlist or certificaterevocationlist;binary. With some LDAP servers, the CRL is not retrievable from certificaterevocationlist;binary, in which case you must ensure that the CRL appears under certificaterevocationlist. This does not happen with the Netscape LDAP Server shipped with VPN-1.
Backward Compatibility
This section applies when a VPN-1/FireWall-1 Management Station that has been upgraded to Version 4.1 manages a Version 4.0 VPN/FireWall Module.

If the Version 4.0 VPN/FireWall Module supports certificates, the Version 4.1 Management Station takes the cms.ini file (which contains CA data) from the conf directory of its VPN-1/FireWall-1 Version 4.0 tree.

There are two possible scenarios:

The Management Station was using Entrust CAs before the upgrade

After the upgrade, there are two instances of the cms.ini file on the Management Station, one in the VPN-1/FireWall-1 Version 4.0 directory (named cms.ini) and one in the Version 4.1 directory (named entrust_My_CA.ini). If you wish to change the file, you must change both instances.

The Management Station was not using Entrust CAs before the upgrade

To use an Entrust CA after the upgrade, proceed as follows:

Create the CA object on the Version 4.1 Management Station in the usual way.
  1. Copy the entrust_<CA name>.ini file from the Version 4.1 conf directory to cms.ini in the Version 4.0 conf directory.
  2. In conf/fwrl.conf (in the Version 4.0 tree), insert a path to cms.ini by adding a line (in the FILTERLOAD segment) similar to the following (the exact syntax depends on the OS):

NAME = conf\cms.ini; DST = database\cms.ini;

SecuRemote
  1. The version of the SecuRemote on this CD may cause problems on Windows 9x when the PC is shut down. A corrected version of the SecuRemote Client can be obtained from http://www/checkpoint.com/techsupport.
  2. When SecuRemote is installed, the user is asked whether to install the Desktop Security feature (SecureClient). The default is "Yes."

It is possible to customize the installation procedure to change the default and/or not give the user the opportunity to make the choice. This is done by modifying product.ini on disk1 of the package. The relevant parameters are:

  • DesktopSecurityDefault

1 indicates SecureClient (enabled Desktop Security) is the default.

0 indicates SecuRemote (disabled Desktop Security) is the default.

  • DesktopSecurityAskUser

1 indicates that the user will be asked whether to install the Desktop Security feature.

0 indicates that the user will not be asked whether to install the Desktop Security feature, and the default specified by DesktopSecurityDefault will be chosen automatically.

  1. If a previous version of SecuRemote is running when you upgrade (or overwrite) SecuRemote to a new version, then when the installation procedure attempts to shut down the previous version, an application error is sometimes generated.
  2. Starting with VPN-1/FireWall-1 Version 4.1, SecuRemote Clients download site information through SecuRemote Server port 264 (using the FW1_topo service). In previous versions, this information was downloaded through SecuRemote Server port 256 (using the FW1 service). For information on how to enable backward compatibility with pre-Version 4.1 SecuRemote Clients, see "Pre-Version 4.1 SecuRemote Clients" on page 141 of Check Point Virtual Private Networks .
  3. If on NT you choose "Install on Dialup Adapters Only", but no DialUp Networking is configured, the installation will succeed, but obviously no encryption will occur. In addition to this, each time SecuRemote starts you will receive an internal error message.
  4. It is no longer possible to indicate a default certificate for authentication from the command line.
  5. For Entrust Entelligence users -- If you logon to certificates through the Entelligence logon windows, and you are using Entelligence 4.0, then you must manually check the "work offline" checkbox for SecuRemote authentication. In a later version of Entelligence it will be checked automatically.
  6. The entrust.ini file installed with SecuRemote contains the following lines needed to enable Netscape certificates:
  7. Under [OIDAlias] -- uid=userid
  8. Under [OIDTable] -- userid=0.9.2342.19200300.100.1.1
  9. Under [X500AttrSyntax] -- userid=caseIgnoreStringSyntax

If a copy of entrust.ini already exists in the Windows directory, it will not be overwritten. In this case, it may be necessary to add the above lines in the corresponding sections manually (if you will be using Netscape certificates).

Also, it may be necessary to add similar lines to support special attributes in other vendors' certificates.

  1. DHCP -- On Windows 95B (OSR 2) and on Windows 98, installing the SecuRemote Client may interfere with the PC's ability to obtain an IP address at boot time. Whether or not the problem occurs depends on the length of the DHCP leases and the frequency with which the PC is restarted. It will generally occur only if the lease has expired while the PC was shut off.

The workaround is to renew the lease manually using winipcfg.

  1. icmpcryptver -- All gateways and SecuRemote Clients participating in an FWZ VPN must agree on the value for icmpcryptver in order to enable ICMP. icmpcryptver is defined in objects.C on the gateway and in state/userc.set on the SecuRemote Client. Its default value is 1. Note that the existing value is not overwritten during an upgrade. A value of 0 enables compatibility with VPN-1/FireWall-1 Version 3.0.

In SecuRemote Version 4.1, FWZ encrypted pings will not work if icmpcryptver is 0.

  1. In the Properties Setup window (under Desktop Security) you can configure how often the desktop invalidates the user's authentication, forcing re-authentication. If multiple sites are defined, the timeout for all sites will be the minimum of all the sites' timeouts.
  2. NT -- If you choose the Reboot option at the end of the installation process, you may only be logged off. In this case, you should select Shut Down and restart the computer. This will generally not happen if you adhere to the installation warning recommending that you close all applications before proceeding with the installation.
  3. In both of the following cases, a SecuRemote user will be unable to download the topology from a Management Station on which no FireWall Module is running:
  4. The user authenticates using cerificates.
  5. The user authenticates using pre-shared secrets and is defined on an LDAP Server.
SecureClient specific
  1. If you delete the site from which a SecureClient's Desktop Policy was downloaded, the SecureClient continues to enforce the last downloaded Desktop Policy.
  2. If you install SecureClient on all adapters and then connect on a dial-up line (after physically removing the network adapter), the SecureClient may still attempt to route connections through the network adapter. The solution is to rebind the adapters ( Rebind adapters in the Tools menu). Note that this may conflict with the Desktop Configuration Verification Options specified in the Desktop Security tab of the Properties Setup window.
  3. If your Desktop Policy is Allow Outgoing Only or Allow Outgoing and Encrypted, cleartext back connections will function properly only for: FTP, VDOLive and RealAudio.
  4. When downloading topology from a VPN-1/FireWall-1 Version 4.0 Server that is managed by a VPN-1/FireWall-1 Version 4.1 Management Server, policy servers do not appear as part of the topology. The solution is to upgrade the Version 4.0 Server to Version 4.1.
Miscellaneous
  1. An administrator who does not have permission to edit the user database (User Edit) cannot add user groups to rules, even if the administrator has permission to edit the Rule Base (Rules Edit).
  2. In See Properties Setup of VPN-1/FireWall-1 Administration Guide, the first sentence in the description of the Apply Gateway Rules to Interface Direction property ( Security Policy tab of the Properties Setup window) should read as follows:

"This property specifies the communication direction in which a rule will be enforced when Gateways is specified in its Install On column."

  1. In See Properties Setup" of VPN-1/FireWall-1 Administration Guide, in the explanation of the Accept Outgoing Packets Originating from Gateway property, delete the text "On gateways, rules are usually enforced in the inbound direction only."

  2. The default values of some of the properties in the Security Policy tab of the Properties Setup window have changed as follows:

    3. New Default Values for Security Policy tab properties

    Property

    New Default Value

    Apply Gateway Rules to Interface Direction

    eitherbound

    Accept VPN-1 & FireWall-1 Control Connections

    enabled, First

    Accept RIP

    disabled

    Accept Domain Name Over UDP (Queries)

    disabled

    Accept Domain Name Over TCP (Zone Transfer)

    disabled

    Accept ICMP

    disabled

    Accept Outgoing Packets Originating from Gateway

    enabled, Before Last

    Log Implied Rules

    disabled

The new default values apply only to new installations. When you upgrade from a previous version, the existing values will not be changed.

Note
You should verify that the values in the Security Policy tab are what you expect them to be.

  1. Solaris -- fwd can sometimes crash when running UAM. The solution is to replace fwuam.so with the new version on the CD, as follows:

  2. Stop VPN-1/FireWall-1 ( fwstop).

  3. Replace /usr/lib/fwuam.so with /solaris2/Add-Ons/fwuam/fwuam.so (on the CD).

  4. Restart VPN-1/FireWall-1 ( fwstart).

  5. VPN-1/FireWall-1 HP Open View Extension supports Solaris and HP-UX with HP OV version 4.x. HP-UX with HP OV versions 5.x and 6.x is not supported.

  6. If you are using the VPN-1/FireWall-1 4.1 backward compatibility feature to manage VPN-1/FireWall-1 Version 4.0 SP1 or SP2 FireWall Modules and you use Client Authentication rules, the following workaround must be applied:

  7. Edit the file $FWDIR/lib/base.def (where FWDIR contains the directory in which the VPN-1/FireWall-1 Version 4.0 software or VPN-1/FireWall-1 Version 4.1 backward compatibility module is installed), replacing the lines:

#define pm_prog [(UDPDATA+40+rpc_cred_len+rpc_ver_len),b]
#define pm_prot [(UDPDATA+48+rpc_cred_len+rpc_ver_len),b]

by the lines:

#define pm_prog [68, b]
#define pm_prot [68+8, b]

  1. Reinstall the Security Policy on the FireWall Module.

  2. fw expdate command -- This command changes the expiration date of the users in the VPN-1/FireWall-1 users database. Any open GUI Client should be closed before running the command, otherwise the GUI will override the changes made by the command. On NT only, if fw expdate is executed while the Management Server was running, the Management Server should be restarted in order for the command to take effect.

  3. If Enable Exportable SKIP (in the Encryption tab of the Properties Setup window) is checked, then if an internal VPN/FireWall Module has Local selected in the Key Manager tab of its SKIP Properties window, you must generate an exportable DH key for it (in its SKIP Properties window). Selective SKIP configuration (that is, some SKIP communications use exportable DH keys and some use non-exportable DH keys) can only be managed in the Rule Base.
  4. The Excessive Log Grace Period (in the Log and Alert tab of the Properties Setup window) should not be set to 0 (zero). If it is set to 0, then when you install the Security Policy, the compilation will fail and the following error message will be reported:

"/opt/CPfw1-41/lib/base.def", line 2572:
ERROR:table <logged> undefined

  1. Users defined on an LDAP Server cannot have S/Key as their authentication scheme.

  2. If you change a Management Server's control channel encryption key (for example, by using the fw putkey command), then you must restart any ELA proxy that is running on that Management Server. See See Uninstalling VPN-1/FireWall-1 for information on how to stop the ELA proxy.

  3. Unix platforms -- when remote modules are configured using the cpconfig program, if you try to add a new remote module you will not be able to see the list of previously configured modules. However, these modules are still defined and there is no need to reconfigure them. If you do reconfigure them, you must run fw putkey command again for each module.
Open Security Extension (OSE)
Supported Routers and Security Devices
Open Security Extension (OSE) for VPN-1/FireWall-1 Version 4.1 supports the following routers and security devices:
  • Bay Networks Routers: Version 7.x - 12.x
  • Cisco Routers: IOS Version 9,10,11
  • Cisco PIX Firewall: Version 3.0, 4.0, 4.1x
  • 3Com NetBuilder: Version 9.x
  • Microsoft Routing and Remote Access Service (RRAS) for Windows NT Server 4.0

Restrictions
Open Security Extension supports two PIX interfaces only: the internal and external interfaces.

Documentation Errors
In the Virtual Private Networking book, the reference on page 10 to Table 2-2 should be to Table 13-1 on page 249.