
What's New in Check Point Enterprise Suite NG FP3

August 2002

In This Document

The Trial Period (page 1)
VPN-1 (page 1)
FireWall-1 (page 3)
SecuRemote/SecureClient (page 5)
SmartCenter (page 6)
User Management (LDAP Account Management) (page 7)
SmartUpdate (page 7)
ClusterXL (page 7)
SecurePlatform (page 7)
SmartView Monitor (page 8)
UserAuthority (page 8)
FloodGate-1 (page 9)
Profile Based Management (page 9)
Provider-1/SiteManager-1 (page 10)

The Trial Period

New Check Point product installations work out-of-the-box for a 15-day Trial Period, making it easy to evaluate the Check Point Product Suite. The trial period starts when Secure Internal Communication is established between the SmartCenter Server and the Module. During the trial period the Check Point product is fully functional. If a license is installed during the trial period, it overrides the trial period.

VPN-1
Support of SSL and SSH connections to VPN-1 Net Modules

Remote device management using SSH or HTTPS (including the Voyager Web administration tool for Nokia platforms) is available for VPN-1 Net Modules, regardless of the policy type installed on the device, by means of the implied rules configuration.

VPN Routing

The VPN Routing feature enables a VPN router to support back-to-back encryption, where the same connection is encrypted and decrypted against two peer gateways. Using a routing configuration file:
- Back-to-back tunnels can be configured on a single gateway.
- A VPN path which is composed of more than one VPN tunnel can be

VPN Communities

Each VPN-1 Gateway can now participate both in a traditional and in a VPN communities based policy. The VPN-1 Gateway configuration process has been improved:
- Better separation between VPN communities and traditional mode: traditional mode configuration is now available from the VPN tab of each VPN-1 object.
- Simpler configuration of Remote Access VPN. Global properties for remote access VPN have been restructured into three sections: VPN - Basic, VPN - Advanced and Certificates.
- Traffic of certain protocols and services to be passed in the clear can be configured on the community: a new tab (Services in Clear) has been added to the community properties. The tab allows services to be excluded from the community.
- A conversion tool from traditional mode to VPN communities is now available. This tool provides a simple way to transition from an older rule base to a new one.
- When using VPN communities, a pre-shared secret for IKE can be defined for external VPN modules. Internal VPN-1 modules continue using Internal CA certificates while negotiating VPN tunnels.

VPN-1 Clusters

- Interface resolving mechanisms for gateway-to-gateway and client-to-gateway VPN connections have been improved and added to the SmartDashboard, on VPN-1 Gateway objects and in the Global Properties.
- Multiple (Dynamic) interface resolving using the RDP polling mechanism is now supported when the responding VPN-1 Gateway is hidden behind a VPN-1 cluster.

VPN Hardware Acceleration

- The VPNx driver is now part of the VPN-1 installation. No additional package installation is required. To maximize VPN performance, it is recommended to remove any previously installed VPNx packages.
- VPNx activation/deactivation is now possible using the Check Point configuration tool (cpconfig). On Windows platforms VPNx is deactivated by default, while on Solaris and Linux platforms VPNx is activated by default.
- VPNx performance is greatly improved on Windows platforms. VPN throughput has been improved by up to 80%, while packet rate has been increased by up to 60%.

IKE Interoperability

INITIAL CONTACT payloads are supported.

Internal Certificate Authority

Microsoft Enterprise CA using Active Directory on Windows 2000 Server is now supported. This combination was not supported until now because this CA signs certificates using only the full name and not the full DN, which was a problem since the search for a user was based on the full DN. Using another identifier in the certificate enables a proper search.

Internal CA Enhancements

- Internal CA certificate automatic renewal for Secure Internal Communication and for Remote Users is now available.
- It is possible to enlarge the key size of certificates produced by the Internal CA for VPN-1 clients or modules from the default of 1024 bits to either 2048 or 4096 bits.
- Internal CA certificates can be stored on a hardware token using the CAPI interface.

NAT-Related Issues

- The mechanism for resolving address ranges (applicable for connections to hosts protected by VPN-1 Gateways with multiple interfaces) is now functional also if the protecting VPN-1 Gateway is behind a NAT device which performs static NAT for the interfaces of the protecting module.
- Multiple (Dynamic) interface resolving using the RDP polling mechanism is now supported when the responding VPN-1 Gateway is hidden behind a NAT device.
- NAT can be disabled inside VPN tunnels: a property to disable NAT is available on each Gateway to Gateway VPN community.

Last Update August 15, 2002

VPN Diagnostics

SmartView Monitor for VPN-1 provides a comprehensive view of VPN activity, including tunnel establishment/failure rates, encrypted data rates, hardware acceleration rates and compression rates. VPN status monitoring from the command line has been restructured and improved.

Persistent VPN Tunnels

VPN tunnels can be maintained and kept open at all times between VPN gateways and clients.

L2TP Support for Microsoft Clients

VPN-1 Gateways support the MS Windows XP/2000 VPN client (L2TP over IPsec in transport mode).

Clientless VPN (SSL based VPN)

VPN-1 Gateways include GUI support for HTTPS (HTTP over SSL) termination of remote users with no SecuRemote/SecureClient or any other IPsec VPN client installed.

Support for Nokia CryptoCluster Clients

Nokia CryptoCluster clients are now supported. The feature includes:
- Support of Nokia vendor ID payloads in IKE negotiations.
- Fetching the user according to the DN sent in the certificate payload (and not according to the FQDN in the ID payload).
- Support of NAT Traversal (UDP encapsulation).
- Support of Addressing (Office Mode).
- Support of the CRACK authentication scheme.

FireWall-1

SmartDefense

SmartDefense provides a unified security framework for components that identify and prevent cyber attacks. The SmartDefense package is now integrated into the Check Point Suite.

Protection against Denial of Service attacks: in order to avoid exhaustion of the connection table when under a UDP (or other protocol) flood attack, it is possible to define a quota for UDP (or other non-TCP protocol) connections. When the number of non-TCP connections reaches the quota, only new TCP connections will be allowed. The non-TCP quota is disabled by default and can be set individually for each FireWall-1 Module.

Network Address Translation (NAT)

- The performance and scalability of NAT have been improved. NAT rules are searched much more efficiently, and a cache has been added for recent NAT lookups.
- The NAT rule number for log entries is shown in the Log Manager.
- Dynamic Objects can be used in the NAT Rule Base.
- Overlapping NAT support. FireWall-1 is able to handle packets from overlapping IP networks coming from different interfaces of the FireWall-1 gateway. When entering the FireWall these packets are translated to a virtual IP network, and when leaving the machine they are translated back to their original IP addresses.
- The range of high ports used by Hide NAT on a connection whose original source port is > 1024 is now configurable via the global properties hide_min_high_port, which defines the lowest high port used by Hide NAT, and hide_max_high_port, which defines the highest high port used by Hide NAT. These properties can be modified using the dbedit utility.

Authentication

- When a FireWall-1 gateway performs RADIUS authentication, it can use RADIUS servers associated with the gateway object, thus overriding the RADIUS server associated with the specific user object. If this association does not exist, the FireWall-1 Gateway will use, as before, the RADIUS Servers object associated with the user object. Specified users can be prevented from using the FireWall-1 to RADIUS server association.
- The native SecurID ACE version 5 agent is supported on all platforms.
- Multiple generic user authentication profiles (called External User Profiles) can be used, in place of the single *generic profile previously available.
- RADIUS and Windows NT groups are supported. The group membership of a user can be retrieved when using the RADIUS or the Windows NT authentication object. Based on this information FireWall-1 can match rules that are defined with these groups. Such groups are defined with a special prefix to indicate this behavior. This eliminates the need to associate a user with groups in the SmartDashboard. The information is updated dynamically whenever the user authenticates.

Inspection of Peer to Peer Applications and Instant Messaging

Applications that use HTTP to tunnel their data can be detected and blocked. This includes peer-to-peer applications like KaZaA and Gnutella and also messaging applications like ICQ, AOL Instant Messenger and MS Messenger. This is done by the HTTP Security Server, which can parse and match regular expressions over HTTP headers.

Security Servers

The Security Servers can decode the following character encoding schemes when used in URLs or inside HTTP or SMTP content:
- UTF-8
- UUencode
- '&#' encodings (numerical references)

This decoding capability is enabled by changing the following global properties to true and installing the policy: http_web_encoding and smtp_mail_encoding.

The HTTP Security Server now supports by default the WebDAV HTTP methods (as specified in RFC 2518). These methods are required for email access over HTTP by some sites (e.g. Hotmail).
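As an added example (not Check Point code, and not the Security Servers' own implementation), a small normaliser that applies the three decodings listed above before pattern matching, so the inspection sees the same text whichever encoding a request used; the decoders, the sample requests and the pattern are all constructed for illustration:

```python
import binascii
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed decoders (added example, not Check Point code): normalise the three
# encodings listed above before pattern matching, so that an encoded request is
# inspected as the same text as its plain form.

NUMERIC_REF = re.compile(r"&#(?:x([0-9A-Fa-f]{1,6})|([0-9]{1,7}));?")

def decode_numeric_refs(text: str) -> str:
    """Replace '&#99;' / '&#x63;' numerical references with the characters they denote."""
    def repl(m):
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        try:
            return chr(code)
        except ValueError:          # code point out of range: leave the reference as is
            return m.group(0)
    return NUMERIC_REF.sub(repl, text)

def decode_percent_utf8(text: str) -> str:
    """Percent-decode and interpret the bytes as UTF-8 (invalid bytes become U+FFFD)."""
    return unquote_to_bytes(text).decode("utf-8", errors="replace")

def decode_uuencode(body: str) -> Optional[str]:
    """Decode a uuencoded 'begin ... end' body; None if the body is not uuencoded."""
    lines = body.splitlines()
    if not lines or not lines[0].startswith("begin "):
        return None
    out = bytearray()
    try:
        for line in lines[1:]:
            if line == "end":
                break
            if line and line != "`":    # '`' is the zero-length terminator line
                out += binascii.a2b_uu(line)
    except (binascii.Error, ValueError):
        return None                     # malformed line: not a usable uuencoded body
    return out.decode("latin-1")

def normalise(content: str, max_rounds: int = 3) -> str:
    """Run the decoders until the text stops changing, so nested encodings
    (for example a percent-encoded '&#' reference) are unwrapped as well."""
    current = decode_uuencode(content) or content
    for _ in range(max_rounds):
        decoded = decode_numeric_refs(decode_percent_utf8(current))
        if decoded == current:
            break
        current = decoded
    return current

def matches_after_decoding(content: str, pattern: str) -> bool:
    """The inspection step: match the pattern against the normalised content."""
    return re.search(pattern, normalise(content), re.IGNORECASE) is not None

def uuencode_text(data: bytes, name: str = "payload") -> str:
    """Build a uuencoded body (used only to construct sample input for the decoder)."""
    lines = [f"begin 644 {name}"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    return "\n".join(lines + ["`", "end"]) + "\n"

if __name__ == "__main__":
    # Constructed samples: the same request in plain, percent-encoded, '&#'-encoded
    # and uuencoded form, plus one that should not match.
    for sample in ("GET /scripts/cmd.exe", "GET /scripts/%63%6d%64.exe",
                   "GET /scripts/&#x63;md.exe", uuencode_text(b"GET /scripts/cmd.exe"),
                   "GET /index.html"):
        print(repr(normalise(sample)), matches_after_decoding(sample, r"cmd\.exe"))
```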

Managing File Sharing

CIFS, the Microsoft protocol for file and print sharing (also known as SMB), is supported. FireWall-1 can enforce a granular access control policy to specific disk shares and printers and log access to these shares. FireWall-1 inspects CIFS in the kernel using the Check Point high performance TCP streaming technology. CIFS functionality is available as a new type of resource in the SmartDashboard.

Services

- Simple Object Access Protocol (SOAP), a standard for application data sharing over the Internet using HTTP, is supported. SOAP relies on XML to encode the information and then adds the necessary HTTP headers to send it. Using URI resources, FireWall-1 is able to parse SOAP version 1.1 traffic and validate its integrity according to a user-defined scheme. SOAP functionality is available via a new tab in the URI resource window.
- New Multicast support. The router-alert IP option used by the IGMP protocol is supported. IGMP is used for Multicast group membership management. In earlier versions, FireWall-1 dropped all packets with IP options (including IGMP).
- X11 (the X Window graphics system for UNIX) is blocked by default when it is matched by a rule that has Any as its service. This prevents a potential security misconfiguration where Any is used to allow outbound connections for protected servers. If such X11 connectivity is required, it should be allowed explicitly by a rule that uses this service. The old behavior can be restored by setting the reject_x11_in_any global property to false, though this is not recommended.

Discontinued Features

- The Windows NT performance DLL is no longer included in FireWall-1.
- The Axent Pathways Defender authentication method is no longer supported.

SecuRemote/SecureClient

Connect Mode

- Connect Mode profiles can be created and distributed from the SmartCenter Server (via topology).
- DSL support when working with Connect Mode.
- A dialup connection can be selected from the SecureClient connect dialog. Disconnecting also disconnects the dialup.
- The client will first attempt to connect to the gateway specified in the profile. Automatic topology update is performed with the connected gateway.

Secure Configuration Verification (SCV)

Five new SCV checks have been included in the SecureClient installation. They are available as a separate package for use with older (pre-NG FP3) clients. The checks verify the following:
- Whether a process is running.
- Whether the user is logged on to a specific group (in the domain or on the local machine).
- The operating system version, Service Pack and Screen Saver configuration.
- Operating system security patches.
- Internet security settings (4 parameters in each security zone) and browser version (major/minor).

Diagnostics Tool

Enhanced VPN diagnostics and suggestions to the end user. Ability to run tests on the VPN tunnel, connection or similar (ping, tunnel test, DNS resolving, URL fetching).

Third Party Support

- Export Connect/Disconnect capabilities to third party applications.
- Enable third party SCV packages to start and stop SecureClient.
- The install wizard runs an external batch file or executable according to product.ini.

Office Mode
Office mode is now supported on Windows NT/2000/XP.

SmartCenter

SmartCenter Server

The Revision Control feature has been enhanced to allow the restoration of an earlier version of the database, using a SmartDashboard wizard. Previously, snapshots of the database, including policies and objects, could only be created.

SmartCenter GUI Clients

Administrators can log in to the SmartCenter with a CAPI certificate.

SmartDashboard

- Division of the Security Policy into sections: the policy can be organized into logical sections, each consisting of a group of rules. Sections can be collapsed or expanded, enabling easy viewing of the policy.
- New user interface for the Install Policy operation, with better progress indication and an organized installation error list.

SmartMap

- Status of Check Point modules is displayed in SmartMap. Selecting a Module enables Status Manager to be launched in order to view further status information. This is enabled for all machines with applications sending logs to the SmartCenter Server, not only for machines with Check Point products installed.
- Simple network nodes (hosts) can be hidden behind the network to which they are connected. This can be done/undone globally or per network, and allows for better viewing of the network backbone.
- Automatic arrangement can be applied to selected objects only.
- Undo one step from the last action that changed the view (for instance zoom, layout or object move).
- Logical view for servers, similar to the previously introduced OPSEC view: the user can see on which network objects his servers are installed, query and edit the servers from the object on which they are installed, and see the install-on objects from the Servers tree.

Log Manager

- New user interface for easier viewing and managing of logs.
- Several log files can be viewed and managed simultaneously.
- SmartDashboard can be opened on the rule which generated the log.

Policy Installation

The handling of established connections when installing a policy can be set using the SmartDashboard. The following options are available:
1. Keep all connections - no connections will be removed from the connection table, even if they are not allowed by the new security policy.
2. Keep data connections - data connections will not be removed from the connection table, even if they are not allowed by the new security policy.
3. Rematch connections (default option) - data connections will be removed, and all other connections are rematched against the new security policy.
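The following toy model is an added example, not Check Point code; it serves both the SmartDefense non-TCP connection quota described under FireWall-1 and the three options just listed, using a constructed rule base and connection table. It assumes that in Keep data connections mode the non-data connections are still rematched, which is how that option reads against the other two.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed toy model (added example, not Check Point code) of the SmartDefense
# non-TCP connection quota and of the three "established connections" options.

@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    dport: int
    data_conn: bool = False    # e.g. an FTP data channel opened for a control connection

@dataclass(frozen=True)
class Rule:
    src: str                   # address prefix, or "any"
    dst: str
    proto: str                 # protocol name, or "any"
    dport: Optional[int]       # None = any port
    action: str                # "accept" or "drop"

def rule_matches(rule: Rule, conn: Conn) -> bool:
    def addr_ok(pattern: str, ip: str) -> bool:
        return pattern == "any" or ip.startswith(pattern)
    return (addr_ok(rule.src, conn.src) and addr_ok(rule.dst, conn.dst)
            and rule.proto in ("any", conn.proto) and rule.dport in (None, conn.dport))

def allowed_by(policy: List[Rule], conn: Conn) -> bool:
    """First matching rule wins; an unmatched connection hits the implicit cleanup rule."""
    for rule in policy:
        if rule_matches(rule, conn):
            return rule.action == "accept"
    return False

@dataclass
class ConnectionTable:
    policy: List[Rule]
    non_tcp_quota: Optional[int] = None    # None = quota disabled (the page's default)
    entries: List[Conn] = field(default_factory=list)

    def admit(self, conn: Conn) -> bool:
        """Open a connection; once the quota is reached only new TCP connections get in."""
        if not allowed_by(self.policy, conn):
            return False
        if conn.proto != "tcp" and self.non_tcp_quota is not None:
            if sum(c.proto != "tcp" for c in self.entries) >= self.non_tcp_quota:
                return False
        self.entries.append(conn)
        return True

    def install_policy(self, new_policy: List[Rule], mode: str = "rematch") -> int:
        """Install a new rule base and return how many connections were removed. keep_data
        keeps data connections and rematches the rest (assumed reading of the page)."""
        if mode not in ("keep_all", "keep_data", "rematch"):
            raise ValueError(f"unknown mode {mode!r}")
        kept = []
        for conn in self.entries:
            if mode == "keep_all" or (conn.data_conn and mode == "keep_data"):
                kept.append(conn)                      # kept regardless of the new policy
            elif not conn.data_conn and allowed_by(new_policy, conn):
                kept.append(conn)                      # rematched and still allowed
        removed = len(self.entries) - len(kept)
        self.policy, self.entries = new_policy, kept
        return removed

def demo_quota() -> List[bool]:
    """Constructed UDP flood against a quota of 2, followed by one TCP connection."""
    table = ConnectionTable([Rule("any", "any", "any", None, "accept")], non_tcp_quota=2)
    results = [table.admit(Conn(f"203.0.113.{i}", "198.51.100.5", "udp", 53)) for i in range(4)]
    return results + [table.admit(Conn("203.0.113.9", "198.51.100.5", "tcp", 80))]

def demo_install(mode: str) -> int:
    """Constructed table filled under accept-all, then a policy that allows only HTTP."""
    table = ConnectionTable([Rule("any", "any", "any", None, "accept")])
    table.admit(Conn("10.1.1.5", "192.168.0.10", "tcp", 22))
    table.admit(Conn("10.1.1.6", "192.168.0.10", "tcp", 80))
    table.admit(Conn("10.1.1.7", "192.168.0.10", "tcp", 20, data_conn=True))
    table.install_policy([Rule("10.1.1.", "192.168.0.", "tcp", 80, "accept")], mode)
    return len(table.entries)
```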


FireWall-1 GX SmartCenter Supplement

FireWall-1 GX secures GPRS networks. A SmartCenter Server can manage FireWall-1 GX Modules of version 1.5 (NG FP2 based). To manage these Modules, install the FireWall-1 GX SmartCenter Supplement over the SmartCenter Server. A FireWall-1 GX specific license is required. The Nokia and Solaris platforms are supported.

User Management (LDAP Account Management)

An LDAP Account Unit contains several replicated LDAP servers. The LDAP servers within an Account Unit are assigned different priorities, which enables optimal load sharing if a server fails or if network traffic is very busy.

SmartUpdate

- Product packages can be downloaded directly from the Check Point Download Center to the SmartUpdate Product Repository.
- Licenses can be downloaded directly from the User Center to the SmartUpdate License Repository.
- The SecurePlatform operating system and Performance Pack can be remotely upgraded.
- Information about the latest available software updates is sent directly from the Check Point Download Center to SmartUpdate.
- Command line to remotely stop, start and restart Check Point services (cpstop, cpstart and cprestart).
- UserAuthority and WebAccess can be remotely installed.
- All products on multiple remote Gateways can be remotely upgraded in parallel using a simple SmartUpdate wizard.
- The same product package can be used for all installation scenarios: new installation, upgrades from version 4.1 and upgrades from NG.
- Alerts can be configured to indicate when licenses are about to expire. It is also possible to search for expired licenses.

ClusterXL

- Cluster and cluster member objects in the SmartDashboard are much easier to define, following an extensive redesign of the objects.
- The state of the cluster members can be controlled from the Status Manager. The state of a cluster member can be changed to Up or Down with no need to access the cluster member modules.
- A new High Availability mode (New CPHA) enables remote management, and a one-click transition to Load Sharing mode. New CPHA mode uses unique unicast IP addresses and MAC addresses, rather than sharing the IP and MAC address among the cluster members.
- New CPHA mode and the Load Sharing modes now use multicasts instead of broadcasts for the clustering protocol. This significantly reduces cluster protocol traffic in the network.
- The security policy is now fetched first from another cluster member. If no other cluster member is available, the policy is fetched from the management. This ensures that the policy in the cluster will be consistent.
- VLANs are now supported on Linux platforms, including SecurePlatform NG FP3 and Red Hat 7.2.

SecurePlatform

- SecurePlatform can be installed from a Serial Console, without the need to connect a keyboard to the installed computer itself.
- Added support for several new NICs. For the full list of supported NICs please refer to http://www.checkpoint.com/techsupport.
- SecurePlatform supports up to 1024 interfaces.
- Ability to patch from a CD, which allows a fast upgrade directly from the SecurePlatform CD. Upgrade patches from earlier versions are included.
- Kernel debug support allows booting in debug mode, so that kernel crashes can be debugged. The kernel creates a dump of the machine memory in case of a crash.

SmartView Monitor

- New monitoring of counters for VPN-1, FireWall-1, FloodGate-1 and the operating system. Real Time Monitoring of different Check Point counters such as tunnels, CPU usage and encrypted bytes. Multiple selection of counters from different categories. A detailed description of each counter is available on counter selection.
- Traffic and counter reports for the last hour, day and week. Provides a historical view of the last hour, day and week of a selected subset of traffic views and Check Point counters. A toolbar option allows navigation between different time scales. Configurable file for history definitions.
- Monitoring of top Services, IP Addresses and FireWall-1 rules. Allows Real Time Monitoring of the 1-50 top bandwidth-consuming Services, IP addresses or FireWall-1 Rules (the view dynamically changes its entities according to the current top entities). Up to 50 top items can be viewed. Disable Top view allows the user to follow the current top entities without allowing new entities to enter the display.
- New table view with statistical info. Statistical columns show the maximum, minimum and of the given value. Columns can be sorted. Highlighting the legend highlights the view and vice versa. Factor Optimization normalizes the counter value to the current view.

UserAuthority

Cross-server authentication: in an organization with multiple Web Servers, users often find themselves having to reauthenticate time and time again. UserAuthority allows user information to be shared between Servers, so a user authenticates once, and thereafter this authentication carries over to every other Web Server. This is in addition to and separate from users that were recognized from having authenticated via other mechanisms, such as VPN-1/FireWall-1 or the Domain Controller.

Improved logging of the UserAuthority Server.

New and improved SSO Flow: the SSO (Single Sign-On) Flow enables the user to enter the system once and thereafter not to have to reauthenticate at subsequent logons. For this purpose the user enters the system via the SignOn window (which allows you to sign on to the UserAuthority system) and the Confirm window (an optional window that enables the user to view, learn and manipulate the system automatically). These windows smooth and ease the SSO flow. They appear only a limited number of times throughout the working day, thereby enabling the user to transition smoothly and easily through the system.

UserAuthority Settings: a new interface for users to handle their credentials to web applications. UserAuthority Settings allows users to change/insert their passwords to applications and to handle their personal preferences.

VPN-1/FireWall-1 Logs and Web Logs: helps web administrators, security administrators and helpdesk administrators to handle all operations in UserAuthority WebAccess. A new log system was added to UserAuthority WebAccess; it allows administrators to configure the relevant events in which they are interested and gives them the ability to get the information through a web interface or the Check Point Log Viewer.

Rule Exceptions: it is possible to define a rule exception. An area is designated in the scope of the rules to which the rule does not apply. This makes it easier to define website permissions.

FloodGate-1

- FloodGate-1 can run in Express mode. In this mode the performance of the product is greatly enhanced by the ability to choose a limited set of features. To activate Express mode, edit and install an Express QoS policy.
- FloodGate-1 Modules can be assigned dynamic IP addresses and defined as DAIP Modules.
- FloodGate-1 files are now installed in a new default directory. A new environment variable that contains this path was introduced: FGDIR. On Linux, Nokia and Solaris platforms the directory is /opt/CPfg1-53/. On Windows platforms the directory is \program files\checkpoint\fg1\ng\.
- A QoS rule can be marked as applicable only to VPN traffic. This is achieved by checking Apply rule only to encrypted traffic in the QoS Action window.
- QoS now has a new Install Policy window with enhanced functionality.
- The QoS Action window is used to determine the actions in a FloodGate-1 rule. This window now contains a Simple and an Advanced mode.
- FloodGate-1 now logs and accounts the following: connections rejected by the admission policy (Per Connection Guarantee); packets dropped on account of buffer saturation and Drop policy; LLQ (Low Latency Queuing) drops; LLQ statistics. These statistics can be used to configure the Maximal Delay in LLQ.
- FloodGate-1 can be installed on cluster members in Load Sharing mode. Each cluster member is allocated bandwidth independently. Traffic distribution between cluster members ensures that there are no bandwidth allocation discrepancies. This is important because bandwidth allocation amongst cluster members is not synchronized.
- FloodGate-1 now supports more IP services. The new set includes all the IP services supported by FireWall-1.
- FloodGate-1 now supports Linux Red Hat 7.3 (Kernel 2.4.18).

Profile Based Management

Hundreds of ROBO Gateways can be managed via a single SmartCenter Pro Server. Properties and policies are defined per Profile (using Check Point SmartDashboard). These profiles represent multiple ROBO Gateways, thus the security administrative overhead per Gateway is greatly reduced.

- ROBO Gateways are managed in a new, simple and scalable ROBO Manager GUI.
- Simplified setup on account of automatic calculation of information on the ROBO Gateway such as Anti-spoofing and Encryption Domain, as well as the resolution of dynamic objects such as LocalMachine, InternalNet, DMZNet and AuxiliaryNet. These dynamic objects represent the ROBO Gateway and the networks behind its interfaces.
- Central localization of policy per ROBO Gateway (by central resolution of Dynamic Objects per ROBO Gateway via the ROBO Manager GUI).
- Periodic fetch of policy by the ROBO Gateway.
- Troubleshooting actions per ROBO Gateway via the ROBO Manager GUI, such as Push Policy, CPStop/CPStart and Reboot.
- Light-weight status monitoring of all ROBO Gateways. In-depth status monitoring of a ROBO Gateway per request.
- ROBO Gateways are regular Check Point Gateways which support security policy enforcement (and other FireWall-1 capabilities).
- ROBO Gateways support static or dynamic IP addresses.
- ROBO Gateways support site-to-site VPN tunnels to a regular (Central-Office/CO) Gateway. Back connections are also supported.
- ROBO Gateways support VPN tunnels from SecuRemote clients.
- ROBO Gateways support sending logs to different Log Servers.
- A Provider-1 CMA with a SmartCenter Pro license can manage ROBO Gateways as a regular SmartCenter Pro Server.

Provider-1/SiteManager-1

In version NG FP2, the CMA memory usage was reduced to 10 to 20 MB per CMA (depending on the CMA's activity). In version NG FP3, these figures have been further reduced. Provider-1/SiteManager-1 allows Check Point logs to be easily exported to an external Oracle database. The database can then be used to create any type of report with the customer's own tools. The Log Export feature enables the administrator to schedule an export operation per CMA and to easily select the log fields to be exported. The feature is fully supported from the MDG. The System Status view has been restructured into a tabular format, clearly displaying the maximal amount of information. The display can be sorted, modified to show selected data, or exported to a file.
