Support Center > Search Results > SecureKnowledge Details
IPv6 support enhancement Hotfix
Solution

Table of Contents:

  • Introduction
  • Installation instructions
  • UnInstall instructions
  • Important notes about upgrading the systems with IPv6 support enhancement Hotfix

 

Introduction

IPv6 support enhancement is a special Hotfix package that includes the following improvements:

  • Several Check Point pre-defined services were hardened for IPv6 support.

  • Policy Verification was extended to prevent usage of services that are unsupported for IPv6 traffic.

    The following services are affected by verification:

    all_dce_rpc, backweb, cachefsd, cmsd, dcom-oxid_resolver, dcom-remoteactivation, dcom-remunknown2, dcom-systemactivation, endpointmapper, exec, freetel-incoming, freetel-outgoing-client, freetel-outgoing-server, fw1_cvp, hp-opcctla, hp-opcctla-bulk, hp-opcctla-cfgpush, hp-opcdistm, hp-opcmsgrd-coa, hp-opcmsgrd-m2m, hp-opcmsgrd-std, http_mapped, ip_mobility, mountd, msexchangeadl, msexchangedatabase, msexchangedirref, msexchangedirrep, msexchangedsnspi, msexchangedsrep, msexchangedsxds, msexchangeinformationstore1, msexchangeinformationstore2, msexchangeinformationstore3, msexchangeis, msexchangemta, msexchangeqadmin, msexchangestoreadm, msexchangestoreadmin1, msexchangestoreadmin3, msexchangestoreasyncemsmdb, msexchangesysatt, msexchangesysattpriv, msmq, msnms, mssql_resolver, ms-sql-monitor_sd, ms-sql-server_sd, ms-wins-replication-tcp_sd, ms-wins-replication-udp_sd, nbdatagram, nbname, netshow, nfsprog, nisplus, nlockmgr, oas-nameserver, oas-orb, orbix-1570, orbix-1571, pcnfsd, pim_cisco_ios, real-audio, rpcmanagement, rstat, rtsp, rwall, sadmind, sasser-icmp, shell, smtp_mapped, snmp-read, snmp-read-only, snmpxdmid, sqlnet2-1521, sqlnet2-1525, sqlnet2-1526, ssh_version_2, ssl_v3, statd, sun_nd, swipe, ttdbserverd, tunnel_test_mapped, welchia-icmp, witty_worm, x11-verify, ypbind, yppasswd, ypserv, ypupdated, ypxfrd.

    Note: VoIP is not supported with IPv6 in all versions.

  • This IPv6 support enhancement is not relevant if only IPv4 traffic passes through Security Gateway.

  • This IPv6 support enhancement is not relevant for R76 Security Gateways.

  • This IPv6 support enhancement is not relevant for Security Gateways running on SecurePlatform OS.

 

Installation instructions

This problem was fixed. The fix is included in:

(*) On R75.47 Clean installation, users must run the "update_inspect_files" tool:
[Expert@HostName]# $FWDIR/bin/update_inspect_files

Check Point recommends to always upgrade to the most recent version (upgrade Security Management Server / upgrade Multi-Domain Security Management Server / upgrade SmartConsole).

For R75.40 / R75.40VS / R75.45 / R75.46 / R76, you can download the required hotfixes directly from this article.

  1. Hotfixes have to be installed only on Security Management Server / Multi-Domain Security Management Server.

  2. Download the hotfix packages:

    Notes:

    • For R75.40 / R75.40VS / R75.45 / R75.46 / R76*, refer to the download matrix below (the same package is applicable to Security Management Server and to Multi-Domain Security Management Server).
      *Clarification: This hotfix package should be installed only if your Management Server R76 manages Security Gateways with versions lower than R76 (hotfix replaces the files in the Backward Compatibility folders that are used to manage versions lower than the version of Management Server).

    • For R75.47 Fresh installation on Gaia/SecurePlatform OS, the fix is already included. Users must run the 'update_inspect_files' tool:
      [Expert@HostName]# $FWDIR/bin/update_inspect_files

    • For other supported versions, contact Check Point Support to get this Hotfix.
      A Support Engineer will make sure the Hotfix is compatible with your environment before providing it.
      For faster resolution and verification, please collect CPinfo file from the Security Management Server involved in the case.

    Hotfix packages:

    1. Download the main hotfix package with IPv6 support enhancement:

      Platform R75.40 R75.40VS R75.45 R75.46 R76*
      Gaia (TGZ) (TGZ) (TGZ) (TGZ) (TGZ)
      SecurePlatform (TGZ) (TGZ) (TGZ) (TGZ) (TGZ)
      Linux (TGZ) (TGZ) (TGZ) (TGZ) (TGZ)
      IPSO 6 (TGZ) (TGZ) (TGZ) (TGZ) (TGZ)
      Windows (TGZ) (TGZ) (TGZ) (TGZ) (TGZ)
      Solaris (TGZ) not supported (TGZ) (TGZ) not supported

      *Clarification: This hotfix package should be installed only if your Management Server R76 manages Security Gateways with versions lower than R76 (hotfix replaces the files in the Backward Compatibility folders that are used to manage versions lower than the version of Management Server).

    2. Download the additional hotfix package (without this hotfix, installation of default policy onto VSX objects or onto Interoperable Devices might fail):

      Platform R75.40 R75.40VS R75.45 R75.46
      Gaia (TGZ) (TGZ) (TGZ) (TGZ)
      SecurePlatform (TGZ) (TGZ) (TGZ) (TGZ)
      Linux (TGZ) (TGZ) (TGZ) (TGZ)
      IPSO 6 (TGZ) (TGZ) (TGZ) (TGZ)
      Windows (TGZ) (TGZ) (TGZ) (TGZ)
  3. Transfer the hotfix packages to the Security Management Server / Multi-Domain Security Management Server
    (e.g., main hotfix package with IPv6 support enhancement into /some_path_to_main_fix/ directory,
    and additional hotfix package for policy installation failure on VSX objects into /some_path_to_vsx_fix/ directory).

  4. Unpack the main hotfix package with IPv6 support enhancement:

    • On Gaia / SecurePlatform / Linux / IPSO / Solaris OS:

      [Expert@HostName]# cd /some_path_to_main_fix/
      [Expert@HostName]# tar -xvfz Check_Point_<HOTFIX_NAME>.tgz
    • On Windows OS:

      Use any archive application (e.g., WinZIP, WinRAR, TUGZip, 7-Zip, etc.) to unpack the TGZ file.
  5. Install the main hotfix package with IPv6 support enhancement:

    • On Gaia / SecurePlatform / Linux / IPSO / Solaris OS:

      [Expert@HostName]# cd /some_path_to_main_fix/
      [Expert@HostName]# ./UnixInstallScript
    • On Windows OS:

      1. Go to the folder where you unpacked the hotfix package.
      2. Right-click on the Setup.exe - choose 'Run as administrator'.
  6. Important step: Reboot the Security Management Server / Multi-Domain Security Management Server.

  7. Unpack the additional hotfix package for policy installation failure on VSX objects:

    • On Gaia / SecurePlatform / Linux / IPSO OS:

      [Expert@HostName]# cd /some_path_to_vsx_fix/
      [Expert@HostName]# tar -xvfz Check_Point_<HOTFIX_NAME>.tgz
    • On Windows OS:

      Use any archive application (e.g., WinZIP, WinRAR, TUGZip, 7-Zip, etc.) to unpack the TGZ file.
  8. Install the additional hotfix package for policy installation failure on VSX objects:

    • On Gaia / SecurePlatform / Linux / IPSO OS:

      [Expert@HostName]# cd /some_path_to_vsx_fix/
      [Expert@HostName]# ./fw1_wrapper_<HOTFIX_NAME>
    • On Windows OS:

      1. Go to the folder where you unpacked the hotfix package.
      2. Go into the folder Disk_Images.
      3. Go into the folder Disk1.
      4. Right-click on the setup.exe - choose 'Run as administrator'.
  9. Important step: Reboot the Security Management Server / Multi-Domain Security Management Server.

  10. Connect to Security Management Server / to each Domain Management Server with SmartDashboard.

  11. Crucial step: Install the policy onto all Security Gateways that are managed by this Security Management Server / Multi-Domain Security Management Server.

 

UnInstall instructions

  1. On Gaia OS: Download and install the latest version of the CPUSE Agent from sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(3) Latest build of CPUSE and What's New".

  2. To uninstall the additional hotfix package for policy installation failure on VSX objects:

    • On Gaia / SecurePlatform / Linux / IPSO / Solaris OS:

      1. Run the uninstall script:

        [Expert@HostName]# sh /opt/CPsuite-R<XX>/uninstall_fw1_wrapper_<HOTFIX_NAME>
      2. Important step: Reboot the Security Management Server / Multi-Domain Security Management Server.

    • On Windows OS:

      1. Open Windows Command Prompt:

        Start - Run... - type cmd - click 'OK' or press Enter.
      2. Navigate to the folder where you unpacked the hotfix package:

        C:\> cd /d "DISK:\some_path_to_vsx_fix\"
      3. Run the installation program with '-u' flag:

        DISK:\path_to_unpacked_hotfix_package\> Setup.exe -u

        Alternatively, go to Windows Control Panel - Add/Remove Programs - uninstall the <HOTFIX_NAME>.
      4. Important step: Reboot the Security Management Server / Multi-Domain Security Management Server.

  3. To uninstall the main hotfix package with IPv6 support enhancement:

    1. Navigate to the folder where you unpacked the IPv6 support enhancement hotfix package:

      • On Gaia / SecurePlatform / Linux / IPSO / Solaris OS:

        [Expert@HostName]# cd /some_path_to_main_fix/
      • On Windows OS:

        1. Open Windows Command Prompt:

          Start - Run... - type cmd - click 'OK' or press Enter.
        2. Navigate to the folder where you unpacked the hotfix package:

          C:\> cd /d "DISK:\some_path_to_main_fix\"
    2. Run the installation program with '-u' flag:

      • On Gaia / SecurePlatform / Linux / IPSO / Solaris OS:

        [Expert@HostName]# ./UnixInstallScript -u
      • On Windows OS:

        DISK:\path_to_unpacked_hotfix_package\> Setup.exe -u
    3. Should get the following text on the screen:

      ***********************************************************
      Welcome to Check Point <HOTFIX_NAME> Uninstall Utility
      ***********************************************************
      
      All <HOTFIX_NAME> packages will be uninstalled.
      Uninstallation program is about to stop all Check Point processes.
      Do you want to continue (y/n) ?
      

 

Important notes about upgrading the systems with IPv6 support enhancement Hotfix

  • For R75.40:

    If this hotfix package is installed on top of R75.40, then such system can not be upgraded to R75.45 / R75.46.
    If an upgrade from R75.40 to R75.45 / R75.46 is required, then follow these steps:
    1. uninstall this hotfix package from R75.40
    2. upgrade to R75.45 / R75.46
    3. install this hotfix package created for the upgraded version R75.45 / R75.46
  • For R75.45:

    If this hotfix package is installed on top of R75.45, then such system can not be upgraded to R75.46.
    If an upgrade from R75.45 to R75.46 is required, then follow these steps:
    1. uninstall this hotfix package from R75.45
    2. upgrade to R75.46
    3. install this hotfix package created for the upgraded version R75.46
Applies To:
  • 01133900 , 01140066 , 01233827 , 01233837 , 01140065
  • 01149919 , 01153622

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment