CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Check Point R77.20

  1. #1
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Check Point R77.20

    Now available at sk101208.

    R77.20 delivers the latest resolved issues with additional support for existing features:

    • VSX stability fixes and enhancements.
    • MultiCore support for SSL - improved performance for portals (including Mobile Access) and SSL Network Extender. See sk101223 for more information.
    • New upgrade procedure for clusters, Connectivity Upgrade, which maintains connectivity when you upgrade from R76 and R75.40VS to R77.20.
    • Threat Prevention detection and functionality enhancements:
      • Scan files that are passing on CIFS
      • Anti-Spam support in MTA
      • Anti-Virus support for links inside emails *
      • Threat Emulation support in VSX *
    • DHCP simplified configuration and stability fixes. See sk98839.
    • IPsec VPN enhancements, including: MSS adjustments and 3rd party connectivity. For more enhancements, see sk101219.
    • SNMP: Quality improvements and Best Practices Guide.
    • Routing stability fixes and enhancements. See sk98226.

    * The R77.20 Add-on brings more enhancements to R77.20. Read more in sk101217.
    Last edited by PhoneBoy; 2014-07-08 at 11:46. Reason: With links this time
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  2. #2
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,657
    Rep Power
    10

    Default Re: Check Point R77.20

    I read through sk98839 (the DHCP SK) and found this note about using the new R77.20 DHCP objects:

        These new DHCP services disable SecureXL Accept Templates. Therefore, if SecureXL is used, security rules with these new DHCP services should be located as low as possible in the rulebase (for more information about SecureXL, refer to sk32578).

    First, I get "Solution Could not be found in the system." for sk32578.

    Secondly, why would anyone want to use this new DHCP feature, especially if it can dork up Accept Templates?

    Maybe I'm missing something.

  3. #3
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Check Point R77.20

    If you look at SmartDashboard, you can see the DHCP services are just port-based, making it relatively easy to accelerate with SecureXL.
    I'm assuming the new services are a little more complex, thus the need to disable SecureXL templates.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  4. #4
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,657
    Rep Power
    10

    Default Re: Check Point R77.20

    Quote Originally Posted by PhoneBoy:
        If you look at SmartDashboard, you can see the DHCP services are just port-based, making it relatively easy to accelerate with SecureXL.
        I'm assuming the new services are a little more complex, thus the need to disable SecureXL templates.

    Yeah, I understand what you're saying, but what I'm saying is: what is the benefit of using the new objects? So far I'm not seeing any. It's like saying we made things better by making them worse.

    What is the downside to using the legacy objects?

  5. #5
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Check Point R77.20

    It's stateful inspection of DHCP.
    So rather than just allowing all packets that come to UDP port 67/68, as is the case with the "legacy" definition, there's more intelligence behind what is allowed and what is not.
    I don't know precisely what inspection is done here, but I'll find out.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  6. #6
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,657
    Rep Power
    10

    Default Re: Check Point R77.20

    Quote Originally Posted by PhoneBoy:
        It's stateful inspection of DHCP.
        So rather than just allowing all packets that come to UDP port 67/68, as is the case with the "legacy" definition, there's more intelligence behind what is allowed and what is not.
        I don't know precisely what inspection is done here, but I'll find out.

    Thanks!

  7. #7
    Join Date
    2006-01-25
    Location
    Americas
    Posts
    1,535
    Rep Power
    15

    Default Re: Check Point R77.20

    I'm happy to see the new HFA :)

    Quote Originally Posted by PhoneBoy:
        * The R77.20 Add-on brings more enhancements to R77.20. Read more in sk101217.

    What's the reasoning behind releasing a patch that already has a patch (so to speak)? Why not integrate it directly?

    Quote Originally Posted by PhoneBoy:
        It's stateful inspection of DHCP.

    AKA Check Point broke how they handle DHCP and have been trying to fix it for several releases now; can't say as I find the new approach any easier, but at least it sounds more secure.

    Quote Originally Posted by PhoneBoy:
        MultiCore support for SSL

    Great, now they can focus on improving the usability / feature set of the SSL VPN!
    It's all in the documentation.

  8. #8
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Check Point R77.20

    Quote Originally Posted by melipla:
        What's the reasoning behind releasing a patch that already has a patch (so to speak)? Why not integrate it directly?

    In the past anyway, add-ons were used to maintain backward/forward compatibility for some (e.g. manage X+1 release from X) while allowing for features that actually required UI changes and the like.

    Quote Originally Posted by melipla:
        AKA Check Point broke how they handle DHCP and have been trying to fix it for several releases now; can't say as I find the new approach any easier, but at least it sounds more secure.

    I've asked R&D to add some explanation to the SK as to exactly what those "new DHCP services" do.
    But, yes, the general idea is to fix bugs in DHCP handling and make it more secure :)
    The issue where the new services disable SecureXL templates is something that is planned to be addressed in the next HFA.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  9. #9
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,657
    Rep Power
    10

    Default Re: Check Point R77.20

    Quote Originally Posted by PhoneBoy:
        In the past anyway, add-ons were used to maintain backward/forward compatibility for some (e.g. manage X+1 release from X) while allowing for features that actually required UI changes and the like.

        I've asked R&D to add some explanation to the SK as to exactly what those "new DHCP services" do.
        But, yes, the general idea is to fix bugs in DHCP handling and make it more secure :)
        The issue where the new services disable SecureXL templates is something that is planned to be addressed in the next HFA.

    Yeah, I was just looking over the examples. If the DHCP relay request is being handled statefully, why do I need to code in anything besides

    src any, dst broadcast, service dhcp-rely

    I mean, I could see how if, say, the firewall didn't understand that it even had a DHCP relay installed on it, then how could it know to open the relay out; but rules 2 and 3 might as well be
    src, dst, icmp echo request
    dst, src, icmp echo reply

    which doesn't look stateful at all.

  10. #10
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Check Point R77.20

    Certainly the new services are actually verifying the packets in question ARE dhcp-request and dhcp-reply packets as it's possible to send packets on those ports and have them NOT be dhcp packets at all.
    In any case, hopefully the SK will be updated soon with clarifications.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  11. #11
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,657
    Rep Power
    10

    Default Re: Check Point R77.20

    Quote Originally Posted by PhoneBoy:
        Certainly the new services are actually verifying the packets in question ARE dhcp-request and dhcp-reply packets as it's possible to send packets on those ports and have them NOT be dhcp packets at all.
        In any case, hopefully the SK will be updated soon with clarifications.

    You are 100% correct: if you've verified the inbound unicast is a dhcp-request, then you should in theory know what the reply is going to look like, so you should be creating state for the reply, just like, say, DNS, right? I mean, it's all unicast for rules 2 and 3. Honestly it sounds like this was a rushed feature. I'm guessing the breaking of SecureXL wasn't noticed in time as well, since you're saying that's going to be fixed in the next release.

    Really, if I was thinking this was done correctly, you would be putting something in somewhere (no idea where) that says "This interface has DHCP relay" and then only that interface would allow the DHCP broadcast. I know Check Point doesn't really have a per-interface rule, so no idea if that is even possible.
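The posts above argue about what "stateful inspection of DHCP" should mean in practice: first verifying that a packet on UDP 67/68 really is a DHCP message, and then only admitting a server reply that matches a request already seen. The following Python script is an added illustration of that idea, written for this page; it is not Check Point's code and makes no claim about what the R77.20 DHCP services actually check (the thread says that is not yet documented). It parses the BOOTP/DHCP fixed header, validates the magic cookie and the message-type option, and keeps a small pending-request table keyed on (xid, client MAC). The packets it runs over are constructed inline; the `DhcpStateTable` class and its verdict strings are the example's own names.

```python
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"        # RFC 2131 "DHCP" cookie after the 236-byte BOOTP header
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 1, 2, 3, 5, 6
CLIENT_TYPES = {DHCPDISCOVER, DHCPREQUEST}  # client -> server, UDP dst 67
SERVER_TYPES = {DHCPOFFER, DHCPACK, DHCPNAK}  # server -> client, UDP dst 68


def parse_dhcp(payload: bytes):
    """Return (op, xid, chaddr, msg_type) or None if the UDP payload is not well-formed DHCP.

    This is the "is it really DHCP?" check: a port-only rule would accept any bytes on 67/68.
    """
    if len(payload) < 240:                   # 236-byte header + 4-byte cookie
        return None
    op, htype, hlen, hops = struct.unpack_from("!BBBB", payload, 0)
    if op not in (BOOTREQUEST, BOOTREPLY) or hlen == 0 or hlen > 16:
        return None
    if payload[236:240] != MAGIC_COOKIE:
        return None
    xid = struct.unpack_from("!I", payload, 4)[0]
    chaddr = payload[28:28 + hlen]           # client hardware address (first hlen bytes of the 16)
    # Walk the TLV option list until END (255). PAD (0) is a single byte with no length.
    i, msg_type = 240, None
    while i < len(payload):
        tag = payload[i]
        if tag == 255:
            break
        if tag == 0:
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                      # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                      # option claims more bytes than are present
        if tag == 53 and length == 1:        # option 53 = DHCP Message Type
            msg_type = value[0]
        i += 2 + length
    if msg_type is None:
        return None                          # a DHCP message must carry option 53
    return op, xid, chaddr, msg_type


class DhcpStateTable:
    """Toy stateful DHCP filter: a server reply is allowed only if a matching request was seen."""

    def __init__(self):
        self.pending = set()                 # (xid, chaddr) pairs awaiting a server reply

    def inspect(self, dst_port: int, payload: bytes) -> str:
        parsed = parse_dhcp(payload)
        if parsed is None:
            return "drop: not DHCP"
        op, xid, chaddr, msg_type = parsed
        key = (xid, chaddr)
        if dst_port == 67 and op == BOOTREQUEST and msg_type in CLIENT_TYPES:
            self.pending.add(key)
            return "accept: request"
        if dst_port == 68 and op == BOOTREPLY and msg_type in SERVER_TYPES:
            if key not in self.pending:
                return "drop: reply without matching request"
            if msg_type in (DHCPACK, DHCPNAK):
                self.pending.discard(key)    # transaction finished; OFFER keeps state open for REQUEST
            return "accept: reply matches pending request"
        return "drop: op/port/type mismatch"


def build_dhcp(op: int, xid: int, mac: bytes, msg_type: int) -> bytes:
    """Construct a minimal DHCP message (constructed test input, Ethernet htype=1, hlen=6)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)   # ciaddr/yiaddr/siaddr/giaddr
    hdr += mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128         # chaddr, sname, file
    return hdr + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def demo():
    """Run four constructed packets through the table and return the verdicts in order."""
    table = DhcpStateTable()
    mac = bytes.fromhex("001122334455")      # constructed client MAC
    return [
        table.inspect(67, build_dhcp(BOOTREQUEST, 0x1234, mac, DHCPDISCOVER)),
        table.inspect(68, build_dhcp(BOOTREPLY, 0x1234, mac, DHCPOFFER)),   # matches the DISCOVER
        table.inspect(68, build_dhcp(BOOTREPLY, 0x9999, mac, DHCPOFFER)),   # unsolicited reply
        table.inspect(67, b"GET / HTTP/1.0\r\n" + b"\0" * 230),             # right port, not DHCP
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last two cases are the ones a port-based `udp/67` and `udp/68` rule cannot distinguish from legitimate traffic; the pending-request table is also why such inspection is hard to fold into a SecureXL accept template, which matches on header fields rather than on transaction state.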

  12. #12
    Join Date
    2006-01-25
    Location
    Americas
    Posts
    1,535
    Rep Power
    15

    Default Re: Check Point R77.20

    Quote Originally Posted by jflemingeds:
        I know Check Point doesn't really have a per-interface rule, so no idea if that is even possible.

    Well, it does... in SPLAT you have to configure DHCP relay via interfaces [under sysconfig], and in Gaia you have to:

    set bootp interface Internal.40 relay-to 10.1.1.30 on
    set bootp interface Internal.40 primary 10.10.40.254 wait-time default on
    set bootp interface Internal.40 maxhopcount default

    The Gaia R75.40 - R77.10 DHCP bug which requires special NAT rules happens only if you have SecureXL enabled. So they've had a variation of this SecureXL limitation in DHCP for a while... it's just getting more publicity now that they have a partial fix. That's pretty much how Check Point operates with fixing bugs like this: they span multiple HFAs, with some of them making it "better" but not 100% fixed [i.e. RADIUS Group bugs]. SecureXL has come a long way; however, I expected that by now we'd stop seeing issues which get fixed when you turn off SecureXL, but sadly these things still exist.
    It's all in the documentation.

  13. #13
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,657
    Rep Power
    10

    Default Re: Check Point R77.20

    Quote Originally Posted by melipla:
        Well, it does... in SPLAT you have to configure DHCP relay via interfaces [under sysconfig], and in Gaia you have to:

        The Gaia R75.40 - R77.10 DHCP bug which requires special NAT rules happens only if you have SecureXL enabled. So they've had a variation of this SecureXL limitation in DHCP for a while... it's just getting more publicity now that they have a partial fix. That's pretty much how Check Point operates with fixing bugs like this: they span multiple HFAs, with some of them making it "better" but not 100% fixed [i.e. RADIUS Group bugs]. SecureXL has come a long way; however, I expected that by now we'd stop seeing issues which get fixed when you turn off SecureXL, but sadly these things still exist.

    Quoting sure is strange all of a sudden...

    Anyway, yeah, I guess I didn't make myself clear. I was talking about a security rule. Yes, I understand you can do this at the application layer.

    Can you tell me more about this NAT bug? First I'm hearing (or at least processing!) about a bug with DHCP relay and NAT.
    Last edited by jflemingeds; 2014-07-12 at 14:11.

  14. #14
    Join Date
    2005-08-11
    Location
    San Francisco, CA
    Posts
    1,395
    Rep Power
    16

    Default Re: Check Point R77.20

    Quote Originally Posted by jflemingeds:
        Quoting sure is strange all of a sudden...

    I think it was in this thread that someone's quoting (quoting a previous post in one's reply) was messed up because someone had accidentally deleted part of the "QUOTE" tag; I saw it and jumped in and fixed it.
    Barry J. Stiefel ("Stee-ful" or "Shtee-ful")
    B.S., MBA, CCSA/CCSE/CCSE+/CCSI
    Resilience RCSE/RCSI, Fortinet FCSE
    CISSP, MCSE, NSA ISM
    Founder of CPUG
    Founder of CPUG University

  15. #15
    Join Date
    2006-01-25
    Location
    Americas
    Posts
    1,535
    Rep Power
    15

    Default Re: Check Point R77.20

    Quote Originally Posted by jflemingeds:
        Can you tell me more about this NAT bug? First I'm hearing (or at least processing!) about a bug with DHCP relay and NAT.

    The best source is sk97566, which we're also seeing in R77.10. & wow, R77 was in Sep 2013? Seems so long ago... and yet it's right about time for the next major release...

    Quote Originally Posted by Barry J. Stiefel:
        I saw it and jumped in and fixed it.

    Thanks Barry! I knew there was a reason why PhoneBoy always says nice things about you.
    It's all in the documentation.

  16. #16
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Check Point R77.20

    Please note that R77.20 Home Page now includes links to the following SKs under “R77.20 Released Hotfixes” section:

    1. sk101589 - In-place MDM/MLM upgrade to R77.20 may fail due to lack of disk space on root partition. As of 20 July 2014, the Gaia Upgrade Package from R76 and R75.4x using CLI and SecurePlatform Upgrade Package for Multi-Domain from R76 have been replaced to resolve this issue. The Gaia Upgrade Package from R76 using CPUSE resolving sk101589 is expected soon.

    2. sk101610 - Smart-1 upgrade from R77.10 to R77.20 using legacy packages fails on conflict with hotfix GYPSY_SOC_HF_007 on platforms: 205, 210, 225, 3050 and 3150.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  17. #17
    Join Date
    2012-11-25
    Location
    Paradise
    Posts
    78
    Rep Power
    8

    Default Re: Check Point R77.20

    Is there an image for 41K/61K as well for R77.20?

    Also, in the release maps from R80 onwards there won't be any updates to IPSO or SPLAT; it will only be Gaia thereafter...

  18. #18
    Join Date
    2006-01-25
    Location
    Americas
    Posts
    1,535
    Rep Power
    15

    Default Re: Check Point R77.20

    If you choose to keep the R77 or R77.10 Security Management Server to manage R77.20 Security Gateways, you must NOT install the R77.20 SmartConsole. The SmartConsole and the Security Management Server versions must match.
    No more upgrading the management server? Interesting...

    My initial experience with the management server on R77.20 seems like it takes longer to install policy & am seeing some packet loss during policy installs, YMMV.
    It's all in the documentation.

  19. #19
    Join Date
    2005-08-30
    Posts
    234
    Rep Power
    15

    Default Re: Check Point R77.20

    Hi Guys

    Has anyone successfully managed to upgrade to R77.20 from R77 on SecurePlatform? It keeps failing on me, and it's not disk space - it successfully uploaded the file.
    tdvit
    CCSA
    CCSE

  20. #20
    Join Date
    2006-12-04
    Posts
    1,316
    Rep Power
    15

    Default Re: Check Point R77.20

    We started to use Gaia with R75, but even with this *brand-new-best* OS you will have trouble during upgrade.
    CP gives you several ways to upgrade, but not all of them work.
    Of course you can do a clean install at any time...

    Just an example:
    SmartCenter (clean installed R70 > R70.50 > R75.40): R75.40 upgraded using CLI with Check_Point_R77.20_T127_Upgrade.Gaia.iso,
    but the upgrade does not work at all using WebUI (R75.40 to R77.20) - also with the correct files..

    Upgrade path:
    1. Upgrade from R70.50 to R75.40:
    R75.40 SecurePlatform Upgrade Package for Open Server/Power-1/UTM-1/2012 Models/Data Center/Smart-1 5,25,50 using WebUI
    2. Upgrade from R75.40 to R77.20:
    R77.20 Gaia Fresh Install/Upgrade Package from R75.4x,R75.40VS,R76 for 2012 Models/Data Center/Smart-1/Open Servers/Power-1/UTM-1/IP Appliances/Threat Emulation
    or
    R77.20 Gaia Upgrade Package from R75.4x,R75.40VS,R76 for SecurePlatform and Gaia for 2012 Models/Data Center/Smart-1/Open Servers/Power-1/UTM-1/IP Appliances/Threat Emulation using WebUI and SmartUpdate
    Last edited by serlud; 2014-09-23 at 08:15.
