Information about Check Point VPN-1/FireWall-1

Service provided by AERAsec Network Services and Security GmbH, D-85662 Hohenbrunn, Germany


AERAsec Network Services and Security GmbH Check Point Silver Partner


Here you find some further information about Check Point R70 and above, NGX and VPN-1/FireWall-1 Next Generation.

Latest Versions: 

The latest version is R77. It has all the advantages of R76 (integrated Multi-Domain Security Management, Virtual Systems, Endpoint Policy Management Blade), plus many bugfixes. It also introduces the Threat Emulation Software Blade as well as the Compliance Blade. Additionally, HyperSPECT Technology is introduced. It delivers much higher performance, esp. for IPS, APCL and URLF.
If you want the new look and feel of SmartConsole as introduced with R75.40VS, please use only R77, for reasons of stability and because of the included bugfixes.

Version R75 introduced the Application Control Software Blade, Identity Awareness, the Integrated DLP Software Blade and Mobile Access blade.
Before that, R71 was published in May 2010. New Software Blades for DLP and SmartEvent were published with it. It's based on R70. This version introduced Software Blades, making the licensing very modular. Because R7x is a new major release, a new license is needed to get access to all new features. Please contact your reseller to obtain it.

Please be aware that Check Point has changed the licensing for RAS - today, you need an Endpoint Security Container with Service Blades for the use of e.g. VPN, Full Disk Encryption or Endpoint Security Secure Access.

Licenses for NGX and earlier will only work with R70. Since R71 the new licensing scheme using Software Blades is strictly enforced. If you haven't updated yet, please do it. In most cases you can do it for free in your Check Point UserCenter account.

Other versions (R70, NGX R65, NGX R62, NGX R61, and NGX R60) were officially supported only until March 2013 or earlier. If you cannot upgrade, please contact your reseller to obtain (restricted) support. A quarterly fee per system is due. If you still have NG AI (e.g. R54/R55) or NGX before R65 in production, please upgrade as soon as possible!


Latest Hotfixes:

Please note: To obtain an HFA for any version, you will need a valid Software Subscription (CES) for all of your products registered in your UserCenter Account!

R77:
In January 2014 the first version of R77.10 was published. It delivers some improvements for GAiA. Besides this, Remote Access has been improved (supporting IPv6, VSX, Push Notifications, Remote Wipe etc.) and an integrated "Appliance Hardware Diagnostic Tool" has been introduced. The second version was published in April 2014, delivering more enhancements.

R76:
Even if there were rumours about R76.10 fixing many problems in R76, this HFA is still pending. Many fixes are included in R77, so this version is currently recommended.

R75:
In July 2012, Check Point released R75.40VS. This version has integrated VSX, which is now also licensed by using Software Blades. Besides this, a modified GUI comes with this version.
The latest hotfix of the regular version is R75.47. Please be aware that currently no direct upgrade from R75.47 to R77 is possible. It includes many fixes and has all features of R75.40 and subsequent HFAs. This release delivered many new features as well as the new Operating System called GAIA. It includes all bugfixes that were published with R75.30. The release before (R75.20) started offering many improvements regarding URL filtering combined with new features regarding DLP as well as SSL inspection for IPS, APCL, URLF, and DLP. The earlier published R75.10 delivers some improvements, e.g. better performance for the GUI, support of Edge Firmware 8.2 and SecuRemote R75.10.

R71:
In May 2012, version R71.50 was published. It shows some improvements in comparison with the earlier version R71.45, e.g. support of Security Gateway 80. These versions deliver more functionality and compatibility, as R71.40 also does. These two versions offer direct upgrade to R75.40, but R71.50 currently does not. When using the SSL VPN Software Blade (i.e. Mobile Access Blade), please use at least version R71.10, since there is a security problem when using SSL VPN in R71 without a patch.

R70:
The latest version of R70 is R70.50. If you plan an upgrade to R75.40, a direct upgrade is possible (but not to earlier versions). Using R70.30 might still be useful if an upgrade to a version other than R75.40 is planned. Some important improvements as well as more features (to be licensed) were introduced with Version R70.20. It's available for all users of R70. At least this version should be used in production environments. As usual, please note that the GUI needs to be of the same version as the Security Management, e.g. SmartConsole 70.30 for the corresponding versions of R70.
Please be aware that this version is no longer supported by Check Point.

NGX R65:
When using this (outdated and no longer supported) version, you should use HFA_70 for NGX R65. Since December 2007 the corresponding GUI for Microsoft Windows is SmartConsole NGX R65 HFA_01. Please be aware that neither this nor older versions are supported any more by Check Point.


Version

Ports
R70 Ports used by Check Point R70 and above
R60-R65 Ports used by Check Point NGX
R50-R55 Ports used by Check Point VPN-1/FireWall-1 Next Generation (not supported any more)
4.0/4.1 Ports used by Check Point VPN-1/FireWall-1 4.x (not supported any more)


Further information
Links to FAQs, mailing lists and further information about Check Point FireWall-1/VPN-1

Licensing, Products and basic Installation
R71/R75 "Basic" License Features of R7x (software only)
R70 "Basic" License Features of R70 (software only)
R60-R65 "Basic" License Features of NGX (not supported any more)
R54/R55 "Basic" License Features of NG AI and earlier versions (not supported any more)
R54/R55 "Extended" License Features of NG AI (not supported any more)
NGX - R7x Direct comparison of license features of NGX and R71/R75
NGX - R70 Direct comparison of license features of NGX and R70
R70 About licensing RAS clients for R70
R70/R71 About licensing Endpoint Security for R70 using Software Blades  

R65/R70 About Check Point Appliances for NGX R65 and R70
>R53 Terms used since Next Generation Feature Pack 3
R70 Terms used since Check Point R70
R70 About the use of computers with Dual Core or Quad Core Processors (outdated)
R70 About the use of computers with Dual Core or Quad Core Processors since 2010
<R70 Compatibility between Nokia IPSO and Check Point VPN-1/FireWall-1
R70 Nokia Hardware compatible with Check Point R70
R54/R55 Installation fails on patched Sun Solaris 8 or 9

Useful tools 
all Tool for generating INSPECT code using a GUI: Ginspect
NG/NGX Tool for State Tables in human readable form
fw1-tool.pl by AERAsec
(supports SSH and some more features, covers Unix/Linux, SecurePlatform as well as Windows)
NG/NGX Tool for Traffic Analysis
"tcpdump"-like wrapper for "fw monitor": fw1-dump.sh (fw1-dump.sh.zip) by AERAsec
Use the syntax of the well known command "tcpdump" to use "fw monitor".
all Tool for Managing Check Point SecurePlatform
Easier remote Management with SmartSPLAT
NG/NGX Tools for Management of Check Point objects
Ofiller and Odumper are used for editing Check Point object databases.

Authentication
4.1 Using OpenLDAP to authenticate users with Check Point VPN-1/FireWall-1 4.1
NG Authentication using OpenLDAP with Check Point NG is described on the OPSEC server
4.x/NG To configure the LDAP server, you will need the correct schema file (4.1, NG AI R55)
R53 How to integrate Novell eDirectory 8.7 with Check Point NG FP3 is described by Oren Green
R53 The use of CRYPTOCard Authentication with Check Point NG FP3 is described by CRYPTOCard
Secure Computing describes how to authenticate users by SafeWord PremierAccess 3.0
all Configuring Client Authentication using HTTPS
R52 Authentication with SecurID/ACE-Server doesn't work

VPN 
all Links to hints for VPN between Check Point and other products
VPN with Linux FreeS/WAN using pre-shared-secret or X.509 certificates
VPN with Racoon (under Linux), VPN from Gateway to Gateway
VPN with BinTec IPsec enabled router using pre-shared-secret or X.509 certificates
R70 Endpoint Connect cannot download Topology
R75.4x Endpoint Client does not follow configuration for Hotel/Hotspot Registration
VPN-1 configuration for use of an external CA
all Problem with an overlapping encryption domain
R51 Problem with Extranet under Linux
<R55 Problem with Extranet when using the "Simplified Mode"
<R55 How to configure an Extranet

Installation of rulebase, Objects, Services and Resources
all Rulebase will not install - atomic loading failed
R53 Rulebase will not install - no memory
all Check Point FireWall-1 acting as a Mail-Relay?!
all What to do against sender-specific routing for E-Mail
R52.. Problem when changing or creating a TCP Service
R53 ICMP doesn't work sometimes
R53 NG blocks HTTPS/SSL when using a Proxy
HTTP/HTTPS connections are being blocked by NG
R54 Timeout for Oracle Services SQL*Net2 not working

SYN Defender
Short graphical description of SYNDefender Relay, Gateway and passive Gateway (PDF)
Which kind of SYNDefender is supported by Check Point version X?

NAT
Problem with manual NAT on Microsoft Windows 2000 Server

Logging
R53 Sending syslog messages to SmartView Tracker is possible now
R53 Time of SmartView Tracker is one hour late
<R60 Rule numbers in SmartView Tracker aren't in the rulebase
all Negative Rule numbers in SmartView Tracker

Upgrade
R51 Upgrading Check Point VPN-1/FireWall-1 from 4.0 to Next Generation FP1 (outdated)
R51 Upgrading Check Point VPN-1/FireWall-1 from 4.1 to Next Generation FP1 (outdated)
Problem with Internal CA after upgrading from version 4.1 to Next Generation
NG AI Problem exporting a configuration using upgrade_export
R7x Problem importing a configuration in a new version
R75.40 Problem upgrading with fwkern.conf  configured
R7x Upgrading Check Point Appliances

Auditing
4.x Lance Spitzner has published a good paper called "Auditing Your Firewall Setup", based on 4.x
all Auditing NG AI, NGX, and R7x is offered by AERAsec


We provide this information freely. If you have corrections, comments or suggestions, please feel free to contact us by E-Mail.
All information is provided "as is" and may be used at your own risk only. There is no guarantee at all and we are not liable for any consequential direct or indirect damage which might occur when using these hints. All mentioned names and products are protected by international law, esp. Check Point Software Technologies, Ltd.

Your Feedback is welcome!
2001-2014 AERAsec Network Services and Security GmbH, last change 2014-04-21