CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1
2007-01-11
Tetaworx
R60_HFA05

Hi out there,

Does anyone know when HFA05 will be released to the public? It is not yet accessible through Checkpoint Usercenter but seems to be available to CSP, as I've heard.

Does anyone have access to the release notes and could give an overview of what has been changed?

Thanks in advance, regards,

Dennis Breithaupt

#2
2007-01-11
rayden69
Re: R60_HFA05

Resolved Issues in R60_HFA_05:

R60_05-1:
HTTP client authentication fails on port 900 with long headers (more than 512 characters).
Install On: Gateway

R60_05-2:
NAT Stability issues.
Install On: Gateway

R60_05-3:
Hide NAT rule fails to redirect traffic to a gateway’s own IP address when that gateway is a member of group object.
Install On: Gateway

R60_05-4:
ARP response for VLAN interface does not include VLAN tag.
Install On: Gateway

R60_05-5:
The following error message erroneously appears on diskless Nokia platforms: “The log repository quota has been exceeded. No file could be deleted.”
Install On: Gateway

R60_05-6:
Nokia 3rd party cluster joins non-existent IGMP groups.
Install On: Gateway

R60_05-7:
Instability issues with VRRP on Nokia platforms.
Install On: Gateway

R60_05-8:
Updated NIC support
Install On: Gateway and/or SmartCenter server as appropriate.

R60_05-9:
Updated NIC support
Install On: Gateway and/or SmartCenter server as appropriate.

R60_05-10:
Kernel Instability
Install On: Gateway

R60_05-11:
Improper user authentication via a group to which the user does not belong.
Install On: SmartCenter server and Gateway

R60_05-12:
Stability issues during wrap-around on check_retransmission.
Install On: SmartCenter Server

R60_05-13:
Cluster member fails to maintain connection via its Virtual IP address following disconnection, failover and reconnection.
Install On: All cluster members

R60_05-14:
Solaris 10 gateway with a BGE Interface returns an incorrect MAC address (00-00-00).
Install On: Gateway

R60_05-15:
Policy installation does not require verification for NAT for DNS traffic when the DNS verification option is disabled.
Install On: SmartCenter Server

R60_05-16:
Enforcement issues when Packet Sanity is disabled or in the Monitor Only mode.
Install On: Gateway

R60_05-17:
Email addresses enclosed in quotes are erroneously rejected.
Install On: Gateway

R60_05-18:
Attachments with MIME header names are inappropriately stripped from email messages.
Install On: Gateway

R60_05-19:
MIME attachments are inappropriately stripped from valid email messages.
Install On: Gateway

R60_05-20:
Debug error causes system instability when using strip tags.
Install On: Gateway

R60_05-21:
Non-RFC reply received in response to CONNECT request when connecting to the security server as a Proxy (URI resource).
Install On: Gateway

R60_05-22:
System instability may occur during policy installation if a user has deleted the service with the highest service ID AND there is an open connection to that service.
Install On: Gateway

R60_05-23:
DHCP traffic is dropped when the DHCP server or DHCP relay is reactivated on a SecurePlatform machine.
Install On: Gateway and SmartCenter Server

R60_05-24:
Cannot globally allow out-of-state packets for a specific gateway.
Install On: Gateway

R60_05-25:
RTSP data connection is not properly recorded when two setup messages are used.
Install On: SmartCenter Server

R60_05-26:
Connectivity issues while SYN Defender is enabled.
Install On: Gateway

R60_05-27:
NAT support for MGCP phones
Install On: Gateway

R60_05-28:
NAT support for SIP phones
Install On: Gateway

R60_05-29:
Allowed UDP packets are incorrectly recorded as "Unknown SIP message type" in the log.
Install On: Gateway

R60_05-30:
FireWall rejects MGCP call IDs with a length of 32 characters.
Install On: Gateway

R60_05-31:
Packets dropped when the HTTP response contains both content-length and transfer-encoding headers.
Install On: Gateway

R60_05-32:
VPN stability issues.
Install On: Gateway

R60_05-33:
Intermittent gateway stability issues following installation of R60 HFA_02 when using a traditional mode policy.
Install On: Gateway

R60_05-34:
IP pool not properly initialized in cluster environment
Install On: Gateway

R60_05-35:
Connectivity issues in Office Mode cluster environments.
Install On: SmartCenter Server

R60_05-36:
Office Mode from Radius server does not function properly with SNX.
Install On: Gateway

R60_05-37:
OpenSSL fails to properly verify RSA signatures.
Install On: Gateway and SmartCenter server

R60_05-38:
OCSP signing key purpose ID is not supported in the ExtendedKeyUsage field.
Install On: Gateway

R60_05-39:
Stability issue when the CRL expiration date exceeds 24 days.
Install On: SmartCenter server

R60_05-40:
OCSP update interval greater than 2 hours is not supported.
Install On: Gateway

R60_05-41:
Self-signed certificate not supported for OCSP.
Install On: Gateway

R60_05-42:
Connectivity issues when SecureClient attempts to access a gateway connected to multiple ISPs via multiple interfaces.
Install On: Gateway

R60_05-43:
Connectivity Issues after policy installation on a gateway.
Install On: Gateway

R60_05-44:
Installing Security Policy to a VPN-1 gateway disrupts existing connections of remote users. Remote Access users might experience temporary packet loss when a new security policy is installed on the gateway to which they are connected.
Install On: SmartCenter Server

R60_05-45:
Performance degradation with many users connected.
Install On: Gateway

R60_05-46:
Temporary gate performance issues after updating Corporate Office.
Install On: Gateway

R60_05-47:
VPN performance issues when permanent tunnels with ROBO peers are enabled.
Install On: Gateway

R60_05-48:
Connectivity issues during policy installation in an environment where many ROBOs are managed by a Large Scale Manager (LSM).
Install On: Gateway

R60_05-49:
Cannot download policy from Load Sharing cluster.
Install On: Gateway

R60_05-50:
Setting FireWall group permissions for a group other than the root group will not allow a user of this group to execute FireWall commands.
Install On: SmartCenter Server

R60_05-51:
Stability issues with SmartDashboard on Solaris.
Install On: SmartCenter Server

R60_05-52:
Synchronization between the active primary and secondary SmartCenter servers fails when performed via the SmartDashboard Synchronize Me option.
Install On: SmartCenter Server

R60_05-53:
Web Intelligence ASCII-Only protection incorrectly requires a Web Intelligence license.
Install On: SmartCenter Server

R60_05-54:
Anti-Spoofing verification installs successfully on a standalone gateway when the internal interface definition is set to "Not Defined" and the "Perform Anti-Spoofing based on interface topology" option is selected for the external interface. This combination should produce an error message and policy installation should fail.
Install On: SmartCenter Server (Standalone Mode)

R60_05-55:
Fw local logging does not work on IP clustering and VRRP, with no option to configure it on SmartCenter servers.
Install On: SmartCenter server and gateway (Requires IPSO 4.1 build 22 or above).

R60_05-56:
Instability during HFA installation on Secure Platform.
Install On: SmartCenter Server

R60_05-57:
Connectivity problems during policy installation in ClusterXL LS.
Install On: Gateway cluster members

R60_05-58:
Cluster interface defined as disconnected, incorrectly answers 250 ARP requests.
Install On: Cluster gateway members

R60_05-59:
Connectivity issues in third party cluster configurations with multiple VLANS sharing one interface.
Install On: Cluster gateway members

R60_05-60:
QoS does not enforce a rule if the Install On field contains any selection other than Any in the ClusterXL High Availability mode.
Install On: Cluster members

R60_05-61:
When installing a QoS Policy, the message “Error - No Valid FloodGate-1 License” appears in error.
Install On: SmartCenter Server

R60_05-62:
Cannot define an SNX Integrity Clientless Server (ICS) policy for each individual user group.
Install On: SmartCenter Server and VPN-1 gateway

R60_05-63:
Cannot define an encryption domain for each individual user group.
Install On: VPN-1 Gateway

R60_05-64:
Cannot disable the proxy PAC file script.
Install On: SmartCenter Server

R60_05-65:
Manual proxy configuration is ignored when using SNX with proxy replacement. This may allow direct access to some sites that should not be accessed through a proxy.
Install On: SmartCenter server and Gateway

R60_05-66:
When SNX is used together with a proxy, system instability may occur if the host name of the site is not resolvable.
Install On: SmartCenter server and Gateway

R60_05-67:
Performance issues when uploading from CIFS.
Install On: Gateway

R60_05-68:
Latency and performance issues when using Syn Defender in the Active mode and with Static NAT LS (asymmetric routing).
Install On: Gateway

R60_05-69:
HFA package installation on SecurePlatform via Web UI upgrade fails.
Install On: SecurePlatform Gateway or SmartCenter server. This feature is available only if R60_HFA_04 is already installed on the SecurePlatform machine.

#3
2007-01-11
rayden69
Re: R60_HFA05

Also available here:

https://knowledgemedia.nokia.com/sit...M8lXeqDu9dyhyi

#4
2007-01-12
Tetaworx
Re: R60_HFA05

Hi,

Thank you for the information! There are very interesting changes in that HFA for our setup.

It seems our access level is only able to access HFA04 so far.

Does anyone know when the public release of HFA05 will be?

Thanks,

Dennis Breithaupt

#5
2007-01-12
northlandboy
Re: R60_HFA05

If one of those sounds like it will solve a specific problem you're having, then either ask your CSP or log a case, and they should give it to you.

If you don't have a specific reason for needing to upgrade right now, it may pay to hold off a little bit though.

#6
2007-01-12
melipla
Re: R60_HFA05

Thanks for the info. A lot of gateway fixes in there...any word on whether or not R61 / R62 will have an HFA simultaneously?
__________________
It's all in the documentation.

#7
2007-01-20
Tetaworx
Re: R60_HFA05

1) Since our support contract has now been activated, I have direct access to Nokia support.

Interestingly enough, R60_HFA05 is officially listed and downloadable there. But in the Checkpoint account it isn't.

Our support partner told me that HFA05 is officially released, but is not sure why it is not listed on the webpage now.

However, since there are at least 5 changes directly related to problems we have/had, we'll definitely install next week.

2) I can't see an upcoming HFA release for R61 or R62 anywhere. I think that will need some time...

***

Checkpoint lists the following versions/dates as last releases:

# NGX R61  R61_HFA_01  25-Oct-2006
# NGX R60  R60_HFA_04  28-Aug-2006

#8
2007-01-20
RayPesek
Re: R60_HFA05

R61 HFA01 was available to CSPs for only a few weeks before it became available to us lowly customers. That's the fastest I've ever heard of it happening. I've seen others take a few months.

I really do not understand the reason for this. Is it to use CSPs as a wider beta audience? It could help non-CSP customers because a defective update might get fixed before we get it, but that seems to be a nebulous reason at best.

The companies paying the support contract invoices are the real customers of Check Point, not their channel partners.

Ray

#9
2007-01-21
chillyjim
Re: R60_HFA05

Quote:
Originally Posted by RayPesek
I really do not understand the reason for this. Is it to use CSPs as a wider beta audience? It could help non-CSP customers because a defective update might get fixed before we get it, but that seems to be a nebulous reason at best.

That's the theory anyway. HFAs normally don't go through an EA process, so the CSPs are the beta test pool.

If there is a fix you need and the HFA is out to the CSPs you can always call support and get it.

#10
2007-01-21
RayPesek
Re: R60_HFA05

I think you meant "... so the CSPs customers are the beta test pool." :-)

I wouldn't mind it so much if the known issues were documented in SK articles faster, and before the HFA release, so I would know if the symptoms I'm seeing have already been reported and resolved. It's a real time-waster trying to document how to reproduce an issue, open a case, only to find out it's a known issue and already available in a non-public fix.

Ray

#11
2007-01-23
Tetaworx
Re: R60_HFA05

We've made the update to R60_05 but now have some issues with topology updates of SecureClients, which do not work any longer.

netstat -an | grep 264
tcp 0 0 *.264 *.* LISTEN

Packets can be seen incoming on the enforcement points and the daemon is listening at tcp/264, but topology update does not work.

***

Has anyone seen these messages in dtps.elg? It seems that they occur when a topology update fails.

[dtps 1538 250112]@XXX[XX Jan 10:02:55] fwasync_make_connection: connect to 127.0.0.1 failed: Connection refused
[dtps 1538 250112]@XXX[XX Jan 10:02:55] sic_client_connection_failed: Failed to connect to peer
[dtps 1538 250112]@XXX[XX Jan 10:02:55] CFwdCommStream: Failed to connect to FWD (log connection).


We've updated our case and are awaiting information from CP.

***

Is anyone else using R60_HFA05 and having similar problems with SC?

Thanks!

#12
2007-01-23
RayPesek
Re: R60_HFA05

Thanks for the warning. Please keep us updated.

Ray

#13
2007-01-25
Tetaworx
Re: R60_HFA05

* We've seen that FW1_topo fails only with external connects. Locally (127.0.0.1 or local IP of node) the connect on port 264 works (tested with telnet to port 264).

* We think that the firewall kernel drops connections to port 264 (FW1_topo). However, Tracker shows "accept" for FW1_topo, since the Firewall VM accepts the packet but the problem appears later in the chain.

* With fw monitor we see that the drop appears between

"11: 2000000 (a361ab3c) (00000003) vpn policy inbound (vpn_pol)" and
"12: 10000000 (9f7e414c) (00000003) SecureXL inbound (secxl)"

* Every time a failed connection to FW1_topo happens, we see the following kernel error:

"[LOG_CRIT] kernel: FW-1: ld_set_wto_ttl_ex: 1p is NULL or bad_time(-1) is not zero"

* Topology updates still do not work.

We are still waiting for Checkpoint to tell us what is going wrong.

#14
2007-01-25
Tetaworx
Re: R60_HFA05

Through kernel debugging we are one step further:

"25Jan2007 9:27:04.733332;FW-1: ld_set_wto_ttl_ex: 1p is NULL or bad_time(-1) is not zero
25Jan2007 9:27:04.733341;fw_log_drop: Packet proto=6 x.x.x.x:1826 -> y.y.y.y:264 dropped by vpn_inbound_policy_chain Reason: vpn inbound nat after vm failed"

But now we have to find out why "vpn inbound nat after vm failed"...

Still nothing from Checkpoint :-(

#15
2007-01-30
hahnibal
Re: R60_HFA05

Quote:
Originally Posted by Tetaworx

...

Still nothing from Checkpoint :-(

I don't even wonder...

#16
2007-02-06
Tetaworx
Re: R60_HFA05

Solved! Finally...

***

Checkpoint got the solution and gave it to our CSP and so to us.

In the release-notes it reads:

"Special Notes
HFA Installation
HFA installation does not automatically overwrite modified *.def files. [...]"

We always interpreted that to mean the HFA installation only preserves modified .def files. As we had never made manual modifications to the .def files, we thought that we could ignore that paragraph.

But what is meant is that HFA installation preserves _all_ .def files. One always has to _manually_ copy the created HFA.def-files over the older ones after each HFA upgrade. We had not done this.

After manual activation of the new vpn_table.def everything works very well now! We'll also activate the other updated .def files later.

So I think, everything is ok with R60_HFA05 :-)

#17
2007-02-06
joeri
Re: R60_HFA05

Any news on R62 HFA01 ? Any target dates set ?

#18
2007-02-07
RayPesek
Re: R60_HFA05

Whoa, that's pretty bad. I thought it only preserved changed ones as well.

Thanks for the follow-up,

Ray

#19
2007-02-08
Tetaworx
Re: R60_HFA05

Yeah, it would be great if Checkpoint could put a big fat hint in the installation manual that one must update these files manually anyway.

Furthermore, it should be possible to write an intelligent updater which discovers whether the files have been changed or not.

***

So, but we are happy now with HFA05 :-)
Reply With Quote
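
The check discussed in posts #16 and #19 (telling untouched .def files from locally changed ones after an HFA install), as an added example that is not part of the thread and not Check Point code. The three directory arguments and the example_*.def names are assumptions; the thread names only vpn_table.def.

```shell
#!/bin/sh
# Added example: three-way audit of .def files after a hotfix install.
# All directory arguments are hypothetical; the thread does not give the
# real locations or the naming of the HFA-supplied copies.
#   BASE = vendor copies saved before the HFA (pristine backup)
#   LIVE = copies the product actually loads
#   NEW  = copies the HFA delivered but did not activate

# classify_def BASE LIVE NEW NAME -> prints one status word
classify_def() {
    base="$1/$4"; live="$2/$4"; new="$3/$4"
    if [ ! -f "$live" ]; then
        echo missing      # nothing active under that name
    elif cmp -s "$live" "$new"; then
        echo current      # HFA version is already active
    elif [ -f "$base" ] && cmp -s "$live" "$base"; then
        echo stale        # untouched old vendor copy: safe to replace
    else
        echo modified     # local edits or no baseline: merge by hand
    fi
}

# audit_defs BASE LIVE NEW -> one "status name" line per HFA-supplied file
audit_defs() {
    for f in "$3"/*.def; do
        [ -f "$f" ] || continue
        name=${f##*/}
        printf '%s %s\n' "$(classify_def "$1" "$2" "$3" "$name")" "$name"
    done
}

# count_pending BASE LIVE NEW -> number of files not yet on the HFA version
count_pending() {
    audit_defs "$1" "$2" "$3" | grep -vc '^current ' || true
}

# make_sample ROOT: constructed sample tree, file contents are dummy text
make_sample() {
    mkdir -p "$1/base" "$1/live" "$1/new"
    echo 'old vpn table' > "$1/base/vpn_table.def"
    echo 'old vpn table' > "$1/live/vpn_table.def"    # never replaced
    echo 'new vpn table' > "$1/new/vpn_table.def"
    echo 'old a'            > "$1/base/example_a.def"
    echo 'old a plus edit'  > "$1/live/example_a.def" # admin-modified
    echo 'new a'            > "$1/new/example_a.def"
    echo 'old b' > "$1/base/example_b.def"
    echo 'new b' > "$1/live/example_b.def"            # already activated
    echo 'new b' > "$1/new/example_b.def"
}

# Run with --demo to see the report for the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample "$d"
    audit_defs "$d/base" "$d/live" "$d/new"
    rm -rf "$d"
fi
```

A "stale" result is the situation described in post #16: the active file is still the old vendor copy, so the fix shipped in the HFA is not in effect.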

#20
2007-02-22
melipla
Re: R60_HFA05

R60 HFA 05 is now public:

http://www.checkpoint.com/downloads/...wer/index.html
__________________
It's all in the documentation.