R77.30 - Security and stability enhancements for Security Gateway (Hotfix #5)
Solution

Table of Contents:

  • Introduction
  • Installation instructions
  • Uninstall instructions
  • How to force a minimal allowed Endpoint Security Client version for Remote Access connection
  • Hotfix availability for other versions
  • Related solutions


This hotfix is cumulative and contains the previous R77.30 Recommended Hotfixes (#1, #2, #3 and #4) - for more details, refer to sk106389 - R77.30 Recommended Hotfixes.

This Hotfix includes security and stability enhancements, and it is highly recommended to install it.

Introduction

This article provides a unified hotfix package for the following issues:

  • Fixed a memory leak in SecureXL related to multicast connections when Protocol-Independent Multicast (PIM) is enabled (by default, PIM is disabled).
  • Improved handling of invalid ClusterXL Control Protocol (CCP) packets received on non-trusted (non-sync) interfaces (refer to sk108360).
  • Improved handling of proprietary SSL tunnel protocols (e.g., Skype) when the Security Gateway acts as a Proxy.
  • Added the ability to force a minimal allowed Endpoint Security Client version for Remote Access connection (must manually enable this feature after installing the hotfix).
  • Fixed a rare crash of the FWK process on a VSX Gateway with the IPS blade enabled and the "Non-Compliant HTTP" protection activated.
  • Reduced Anti-Virus blade memory consumption during scan of large files transferred over HTTP.
  • Improved handling of HTTP compressions.

This hotfix package should be installed on all the following machines in the environment:

  • Security Gateway
  • Cluster members
  • VSX
  • Standalone machine (Gateway + Management)

 

Installation instructions

  • Instructions for Gaia OS using CPUSE (Check Point Update Service Engine)

    Important Note: Refer to sk111555 - VPND daemon crashes after installing R77.30 Jumbo Hotfix Accumulator over R77.30 Recommended Hotfix #5.

    • Online installation

      1. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) pane - click on Status and Actions.
      2. Select the hotfix package R77.30 Hotfix for sk108192 (Important security and stability enhancements for Security Gateway (Hotfix #5)) - click on Install Update button on the toolbar.
      3. Reboot is required.
    • Offline installation

      OS             R77.30
      Gaia - CPUSE   (download link)

      1. Download the Gaia CPUSE Offline package from the table above.
      2. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) pane (in Gaia R77.20 and above) / to Software Updates pane (in Gaia R77.10 and lower) - click on Status and Actions.
      3. On the toolbar, click on the More button - select Import Package - browse for the CPUSE Offline package (TGZ file) - click on Upload.
      4. Select the hotfix package R77.30 Hotfix for sk108192 (Important security and stability enhancements for Security Gateway (Hotfix #5)) - click on Install Update button on the toolbar.
      5. Reboot is required.

    Notes:

    • For detailed installation instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".
    • Make sure to take a snapshot of your Check Point machine before installing this hotfix.
    • The hotfix has to be installed on all Check Point machines running on Gaia OS.
    • In a cluster environment, this procedure must be performed on all members of the cluster.
    • In a Management HA environment, this procedure must be performed on both Management Servers.


  • Instructions for Gaia OS (manual installation in Command Line)

    OS             R77.30
    Gaia - CLI     (download link)

    Procedure:

    1. Download the relevant hotfix package from the table above, transfer the hotfix package to the machine and unpack it:
      [Expert@HostName]# tar -zxvf Check_Point_Hotfix_R77.30_Gaia_sk108192.tgz
    2. Install the hotfix:
      [Expert@HostName]# ./UnixInstallScript
      Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
    3. Reboot is required.

    Notes:

    • Make sure to take a snapshot of your Check Point machine before installing this hotfix.
    • The hotfix has to be installed on all Check Point machines running on Gaia OS.
    • In a cluster environment, this procedure must be performed on all members of the cluster.
    • In a Management HA environment, this procedure must be performed on both Management Servers.


  • Instructions for SecurePlatform OS and X-Series XOS

    OS                          R77.30
    SecurePlatform and XOS - CLI   (download link)

    Procedure:

    1. Download the relevant hotfix package from the table above, transfer the hotfix package to the machine and unpack it:
      [Expert@HostName]# tar -zxvf Check_Point_Hotfix_R77.30_Linux_sk108192.tgz
    2. Install the hotfix:
      [Expert@HostName]# ./UnixInstallScript
      Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
    3. Reboot is required.

    Notes:

    • Make sure to take a snapshot of your Check Point machine before installing this hotfix (on SecurePlatform OS).
    • The hotfix has to be installed on all Check Point machines running on SecurePlatform OS / Linux OS.
    • In a cluster environment, this procedure must be performed on all members of the cluster.
    • In a Management HA environment, this procedure must be performed on both Management Servers.


  • Instructions for IPSO OS

    OS             R77.30
    IPSO           (download link)

    Procedure:

    1. Download the relevant hotfix package from the table above, transfer the hotfix package to the machine and unpack it:
      [admin]# tar -zxvf Check_Point_Hotfix_R77.30_IPSO_sk108192.tgz
    2. Install the hotfix:
      [admin]# ./UnixInstallScript
      Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
    3. Reboot is required.

    Notes:

    • The hotfix has to be installed on all Check Point machines running on IPSO OS.
    • In a cluster environment, this procedure must be performed on all members of the cluster.
    • In a Management HA environment, this procedure must be performed on both Management Servers.


  • Instructions for Windows OS

    OS             R77.30
    Windows        (download link)

    Procedure:

    1. Download the relevant hotfix package from the table above, transfer the hotfix package to the machine and unpack it using an archive program (e.g., WinZIP, WinRAR, 7-zip, etc.).
    2. Install the hotfix: Right-click on the Setup.exe - click on Run as administrator
      Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
    3. Reboot is required.

    Notes:

    • The hotfix has to be installed on all Check Point machines running on Windows OS.
    • In a cluster environment, this procedure must be performed on all members of the cluster.
    • In a Management HA environment, this procedure must be performed on both Management Servers.

 

Uninstall instructions

  • On Gaia OS using CPUSE (Check Point Update Service Engine)

    1. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) pane - click on Status and Actions.
    2. Select Installed in the menu near the Help icon.
    3. Select the hotfix package R77.30 Hotfix for sk108192 (Important security and stability enhancements for Security Gateway (Hotfix #5)) - click on More button on the toolbar - click on Uninstall.
    4. Reboot is required.


  • On Gaia OS, SecurePlatform OS, X-Series XOS and IPSO OS (manual uninstall in Command Line)

    1. Download and unpack the hotfix package (refer to the "Installation instructions" (manual installation in Command Line) above).
    2. Run the installation script with "-u" flag:
      # ./UnixInstallScript -u
    3. Reboot is required.

    Notes:

    • In a cluster environment, this procedure must be performed on all members of the cluster.
    • In a Management HA environment, this procedure must be performed on both Management Servers.


  • On Windows OS

    1. Go to Control Panel:
      • On Windows 2000 / 2003 - click on Add/Remove Programs
      • On Windows 2008 / Vista / 7 - click on Programs and Features
    2. Select the hotfix Check Point R77.30 Hotfix R77_30_HF5SW - click on Uninstall button.
      Note: The script will stop all of Check Point services ('cpstop') - read the output on the screen.
    3. Reboot is required.

    Alternatively, run the installation program with '-u' flag:

    1. Open the elevated Command Prompt:
      Start - Programs - Accessories - right-click on 'Command Prompt' icon - select 'Run as administrator'.
    2. Navigate to the folder where you unpacked the hotfix package:
      DISK:\> cd "path_to_unpacked_hotfix_package"
    3. Run the installation program with '-u' flag:
      DISK:\path_to_unpacked_hotfix_package\> Setup.exe -u
    4. Reboot is required.

    Notes:

    • In a cluster environment, this procedure must be performed on all members of the cluster.
    • In a Management HA environment, this procedure must be performed on both Management Servers.

 

How to force a minimal allowed Endpoint Security Client version for Remote Access connection

This hotfix adds the ability to force a minimal allowed Endpoint Security Client version for Remote Access connections (does not apply to Endpoint Connect Clients).

Note: In a cluster environment, this procedure must be performed on all members of the cluster.

  • Instructions for enabling this feature

    1. Connect to command line on Security Gateway.

    2. Log in to Expert mode.

    3. Backup the current Registry:

      [Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL

    4. Add the new attribute enable_client_version_check to registry:

      [Expert@HostName:0]# ckp_regedit -a SOFTWARE\\CheckPoint\\VPN1 enable_client_version_check -n 1

    5. Verify that the new attribute enable_client_version_check was added to registry:

      • Either run this command:

        [Expert@HostName:0]# grep -C 2 enable_client_version_check $CPDIR/registry/HKLM_registry.data

        Should get:

        : (VPN1
                :CurrentVersion (6.0)
                :enable_client_version_check ("[4]1")
                : (6.0)
        
      • Or run this command:

        [Expert@HostName:0]# ckp_regedit -p SOFTWARE\\CheckPoint\\VPN1

        Should get:

        SOFTWARE\CheckPoint\VPN1\ : { CurrentVersion=[s]6.0 enable_client_version_check=[n]1 }
        .6.0 : { }
        
    6. Backup the current $FWDIR/conf/extender/CSHELL/trac_ver.txt file:

      [Expert@HostName:0]# cp -v $FWDIR/conf/extender/CSHELL/trac_ver.txt $FWDIR/conf/extender/CSHELL/trac_ver.txt_ORIGINAL

    7. Edit the current $FWDIR/conf/extender/CSHELL/trac_ver.txt file:

      [Expert@HostName:0]# vi $FWDIR/conf/extender/CSHELL/trac_ver.txt

    8. Change the currently defined version to the desired minimal allowed version of the Endpoint Security Client.


  • Instructions for disabling this feature

    1. Connect to command line on Security Gateway.

    2. Log in to Expert mode.

    3. Backup the current Registry:

      [Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_FORCE_MINIMAL_EPC

    4. Remove the attribute enable_client_version_check from the registry:

      [Expert@HostName:0]# ckp_regedit -f SOFTWARE\\CheckPoint\\VPN1 enable_client_version_check

    5. Verify that the new attribute enable_client_version_check was removed from registry:

      • Either run this command:

        [Expert@HostName:0]# grep -A 4 ': (VPN1' $CPDIR/registry/HKLM_registry.data

        Should get:

        : (VPN1
                :CurrentVersion (6.0)
                : (6.0)
        )
        : (SSC
        
      • Or run this command:

        [Expert@HostName:0]# ckp_regedit -p SOFTWARE\\CheckPoint\\VPN1

        Should get:

        SOFTWARE\CheckPoint\VPN1\ : { CurrentVersion=[s]6.0 }
        .6.0 : { }
        
    6. Backup the current $FWDIR/conf/extender/CSHELL/trac_ver.txt file:

      [Expert@HostName:0]# cp -v $FWDIR/conf/extender/CSHELL/trac_ver.txt $FWDIR/conf/extender/CSHELL/trac_ver.txt_FORCE_MINIMAL_EPC

    7. Restore the desired version of Endpoint Security Client:

      • Either from the $FWDIR/conf/extender/CSHELL/trac_ver.txt_ORIGINAL file
      • Or by manually editing the $FWDIR/conf/extender/CSHELL/trac_ver.txt file
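
The two verification steps above show what the registry looks like with the check on and off, but not what the gateway will then do with a given client. The following POSIX shell helper is added here and is not part of this SK article or of Check Point's tooling: it parses the "ckp_regedit -p SOFTWARE\\CheckPoint\\VPN1" output shown above to decide whether enforcement is on, then compares a client's version with the minimum taken from trac_ver.txt. It assumes trac_ver.txt holds a single dotted version string; all version values in it are constructed samples.

```shell
#!/bin/sh
# Added audit helper; not part of the SK article or of Check Point's tooling.
# Assumes the registry dump is the text printed by
# "ckp_regedit -p SOFTWARE\\CheckPoint\\VPN1" and that trac_ver.txt holds a
# single dotted version string (the exact file format is an assumption).

# 0 when the VPN1 key in the dump (stdin) carries enable_client_version_check=[n]1
version_check_enabled() {
    grep -F 'SOFTWARE\CheckPoint\VPN1\' | grep -qF 'enable_client_version_check=[n]1'
}

# Keep only the dotted digits: drop a non-numeric prefix (e.g. "E") and trailing spaces
normalize_version() {
    printf '%s' "$1" | sed 's/^[^0-9]*//; s/[[:space:]]*$//'
}

# 0 when dotted version $1 >= dotted version $2, compared field by field as integers
version_ge() {
    a=$(normalize_version "$1"); b=$(normalize_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# $1 = registry dump text, $2 = trac_ver.txt content, $3 = version reported by
# the connecting client. 0 if the client passes the gate, 1 if it is too old.
client_allowed() {
    if ! printf '%s\n' "$1" | version_check_enabled; then
        echo "enforcement off: any client version accepted"; return 0
    fi
    if version_ge "$3" "$2"; then
        echo "client $3 meets minimum $2"; return 0
    fi
    echo "client $3 is below minimum $2: rejected"; return 1
}

# Constructed sample mirroring the "Should get" output of the enabling procedure
REG_ENABLED='SOFTWARE\CheckPoint\VPN1\ : { CurrentVersion=[s]6.0 enable_client_version_check=[n]1 }
.6.0 : { }'
if client_allowed "$REG_ENABLED" "80.62" "80.51"; then :; fi
```

On a gateway, feed it the real values: `client_allowed "$(ckp_regedit -p SOFTWARE\\CheckPoint\\VPN1)" "$(cat $FWDIR/conf/extender/CSHELL/trac_ver.txt)" "<client version>"`.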

 

Hotfix availability for other versions

Version                             Hotfix availability
R80.10                              integrated
R77.30                              Take_84 of Jumbo Hotfix Accumulator for R77.30
R77.20                              Take_180 of Jumbo Hotfix Accumulator for R77.20
R77.20 HFA_51 for SMB appliances    integrated

 
