FW-1.de - Further information about Check Point VPN-1/FireWall-1

Service provided by AERAsec Network Services and Security GmbH, D-85662 Hohenbrunn, Germany

Here you find some further information about Check Point R70 and above, NGX and VPN-1/FireWall-1 Next Generation.

Latest Versions:

The latest version is R71, published in May 2010. New Software Blades for DLP and SmartEvent have been published with it. It's based on the latest major release, published in March 2009: R70. This version introduced Software Blades, making the licensing very modular. Because this is a new major release, a new license is needed to get access to all new features. Please contact your reseller to obtain it.
Please be aware that Check Point has changed the licensing for RAS - today, you need an Endpoint Security Container with Service Blades for the use of e.g. VPN, Full Disk Encryption or Endpoint Security Secure Access.
Basically R70 will work with the license for NGX R65, but Check Point has announced that the new licensing scheme will be strictly enforced soon.
Please be aware that Check Point currently runs a promo to upgrade to the same functionality for FREE. When having administrative access to your Account in the Check Point UserCenter and having all products in a service contract with Check Point, you can do the upgrade via the UserCenter. It problems or questions occur, please contact your reseller.

NGX R65 is available since February 2007, being supported until end of March 2011. It has introduced a new management architecture, so plug ins can be added, if needed (e.g. central management of Check Point Connectra or VSX NGX R65). Optional URL and anti-virus Filtering are available, too.

Other versions (NGX R62, NGX R61, and NGX R60) were officially supported until May 2009 only. If you cannot upgrade, please contact your reseller to obtain (restricted) support. A quarterly fee per system is due.

Latest Hotfixes:

Please note: To obtain a HFA for any version, you will need a valid Software Subscription (CES) for all of your products registered in your UserCenter Account!

R71:
In July 2010, the first HFA has been published for R71. When using the SSL VPN Software Blade, please use version R71.10 only, since there is a security problem when using SSL VPN in R71 without patch.

R70:
The latest version of R70 is R70.30. Some important improvements as well as more features (to be licensed) can be found in Version R70.20. It's available for all users of R70. At least this version should be used in productive environments. As usual, please regard that SmartConsole needs to be the same version as the one of the Security Management.

NGX R65:
When using the latest version, you should use HFA_70 for NGX R65. Also this HFA delivers many improvements. Since December 2007 SmartConsole NGX R65 HFA_01 is available for Microsoft Windows.

Older versions are no more fully supported.

Version
	Ports
R70	Ports used by Check Point R70
R60-R65	Ports used by Check Point NGX
R50-R55	Ports used by Check Point VPN-1/FireWall-1 Next Generation (not supported any more)
4.0/4.1	Ports used by Check Point VPN-1/FireWall-1 4.x (not supported any more)

	Further information Links to FAQ's, mailing lists and further information about Check Point FireWall-1/VPN-1

	Licensing, Products and basic Installation
R70/R71	"Basic" License Features of R70 (software only)
R60-R65	"Basic" License Features of NGX
R54/R55	"Basic" License Features of NG AI and earlier versions
R54/R55	"Extended" License Features of NG AI
NGX - R70	Direct comparison of license features of NGX and R70
R70	About licensing RAS clients for R70
R70/R71	About licensing Endpoint Security for R70 using Software Blades
R65/R70	About Check Point Appliances for NGX R65 and R70
>R53	Terms used since Next Generation Feature Pack 3
R70	Terms used since Check Point R70
R70	About the use of computers with Dual Core or Quad Core Processors (outdated)
R70	About the use of computers with Dual Core or Quad Core Processors since 2010
<R70	Compatibility between Nokia IPSO and Check Point VPN-1/FireWall-1
R70	Nokia Hardware compatible with Check Point R70
R54/R55	Installation fails on patched Sun Solaris 8 or 9

	Useful tools
all	Tool for generating INSPECT code using a GUI: Ginspect
NG/NGX	Tool for State Tables in human readable form fw1-tool.pl by AERAsec (supports SSH and some more features, covers Unix/Linux, SecurePlatform as well as Windows)
NG/NGX	Tool for Traffic Analysis "tcpdump"-like wrapper for "fw monitor": fw1-dump.sh (fw1-dump.sh.zip) by AERAsec Use the syntax of the well known command "tcpdump" to use "fw monitor".
all	Tool for Managing Check Point SecurePlatform Easier remote Management with SmartSPLAT
NG/NGX	Tools for Management of Check Point objects Ofiller and Odumper are used for editing Check Point object databases.

	Authentication
4.1	Using OpenLDAP to authenticate users with Check Point VPN-1/FireWall-1 4.1
NG	Authentication using OpenLDAP with Check Point NG is described on the OPSEC server
4.x/NG	To configure the LDAP server, you will need the correct schema file (4.1, NG AI R55)
R53	How to integrate Novell eDirectory 8.7 with Check Point NG FP3 is described by Oren Green
R53	The use of CRYPTOCard Authentication with Check Point NG FP3 is described by CRYPTOCard
	Secure Computing describes how to authenticate users by SafeWord PremierAccess 3.0
all	Configuring Client Authentication using HTTPS
R52	Authentication with SecurID/ACE-Server doesn't work

	VPN
all	Links to hints for VPN between Check Point and other products
	VPN with Linux FreeS/WAN using pre-shared-secret or X.509 certificates
	VPN with Racoon (under Linux),VPN from Gateway to Gateway
	VPN with BinTec IPsec enabled router using pre-shared-secret or X.509 certificates
R70	Endpoint Connect cannot download Topology
	VPN-1 configuration for use of an external CA
all	Problem with an overlapping encryption domain
R51	Problem with Extranet under Linux
<R55	Problem with Extranet when using the "Simplified Mode"
<R55	How to configure an Extranet

	Installation of rulebase, Objects, Services and Resources
all	Rulebase will not install - atomic loading failed
R53	Rulebase will not install - no memory
all	Check Point FireWall-1 acting as a Mail-Relay?!
all	What to do against sender-specific routing for E-Mail
R52..	Problem when changing or creating a TCP Service
R53	ICMP doesn't work sometimes
R53	NG blocks HTTPS/SSL when using a Proxy
	HTTP/HTTPS connections are being blocked by NG
R54	Timeout for Oracle Services SQL*Net2 not working

	SYN Defender
	Short graphical description of SYNDefender Relay, Gateway and passive Gateway (PDF)
	Which kind of SYNDefender is supported by Check Point version X?

	NAT
	Problem with manual NAT on Microsoft Windows 2000 Server

	Logging
R53	Sending syslog messages to SmartView Tracker is possible now
R53	Time of SmartView Tracker is one hour late
<R60	Rule numbers in SmartView Tracker aren't in the rulebase
all	Negative Rule numbers in SmartView Tracker

	Upgrade
R51	Upgrading Check Point VPN-1/FireWall-1 from 4.0 to Next Generation FP1 (outdated)
R51	Upgrading Check Point VPN-1/FireWall-1 from 4.1 to Next Generation FP1 (outdated)
	Problem with Internal CA after upgrading from version 4.1 to Next Generation
NG AI	Problem exporting a configuration using upgrade_export

	Auditing
4.x	Lance Spitzner has published a good paper called "Auditing Your Firewall Setup", based on 4.x
all	Auditing NG AI, NGX, and R70 is offered by AERAsec

We provide these information freely. If you have corrections, comments or suggestions, please feel free to contact us by E-Mail.
All information is provided "as is" and might be used at your own risk only. There is no guarantee at all and we are not liable for any consequential direct or indirect damage which might occur when using these hints. All mentioned names and products are protected by international law, esp. Check Point Software Technologies, Ltd.

Information about Check Point VPN-1/FireWall-1