Patch Name: PHNE_17235
Patch Description: s700_800 10.20 FireWall-1 v3.0b Exportable patch (Non-VPN)
Creation Date: 99/01/13
Post Date: 99/02/11
Hardware Platforms - OS Releases:
  s700: 10.20
  s800: 10.20
Products: Check Point FireWall-1 V3.0b (Non-VPN)
Filesets: FireWall-1.V3.0b
Automatic Reboot?: No
Status: General Release
Critical: Yes
  PHNE_17235: MEMORY_LEAK
  PHNE_14796: HANG
Path Name: /hp-ux_patches/s700_800/10.X/PHNE_17235

Symptoms:

PHNE_17235: Various symptoms may be found in the following areas:
  1. Security Servers
  2. Encryption
  3. GUI Client
  4. OpenLook GUI
  5. Router Management (RSC/SRE)
  6. Miscellaneous

Service Pack 3072: Various symptoms may be found in the following areas:
  1. Windows and Motif GUI Client
  2. OpenLook GUI
  3. Encryption
  4. Logging
  5. Address Translation
  6. Router Management
  7. Security Servers
  8. User Authentication
  9. Management
  10. Kernel

PHNE_14796: Various symptoms may be found in the following areas:
  1. OPSEC
  2. Windows NT - memory leaks
  3. HTTP Security Server
  4. SMTP Security Server
  5. FTP Security Server
  6. FireWall Synchronization
  7. Address Translation
  8. Encryption
  9. Management GUI
  10. INSPECT
  11. Authentication - SecurID

PHNE_13484: Various symptoms may be found in the following areas:
  1. State Synchronization - several crash scenarios
  2. SMTP Security Server
  3. HTTP Security Server
  4. FTP Security Server
  5. UFP
  6. Authentication
  7. Windows NT
  8. Address Translation
  9. GUI
  10. INSPECT
  11. Encryption
  12. Security Properties

Defect Description:

PHNE_17235:
This Service Pack includes all the bug fixes and changes provided by the preceding 3.0 service packs (3045, 3064, 3072 and the unposted 3078), and can be applied to any 3.0b version (patched or unpatched) of FireWall-1.

Bug Fixes:

Security Servers:
  1. Fixed a memory leak in SMTP when using MIME stripping.
  2. Fixed a bug in the SMTP daemon where error mails were deleted from the spool directory if a server was unreachable and the 'Notify sender on error' option was checked.
  3. Fixed a bug which could cause the HTTP security server to crash when using URI resources with accounting and long URLs.
  4. Fixed a bug in the handling of the replacement URL which could delay the appearance of the authentication prompt, depending on the length of the replacement URL. The default maximum length for a replacement URL is 2048. This length can be configured by editing the value of the property http_max_url_length in $FWDIR/conf/objects.C.
  5. Fixed a bug, introduced in Service Pack 3078, where the HTTP daemon would crash on POST operations (e.g. submitting web forms).
  6. Fixed a bug in accounting for HTTP resources when 'accept outgoing packets' is first.
  7. In the HTTP security server, the match of the scheme (e.g. HTTP) and the method (e.g. GET) is now case insensitive.
  8. Fixed a bug on UNIX platforms where the in.telnetd process was orphaned after the connection was closed in backward compatibility mode, when using user authentication with the FireWall as the destination.
  9. Corrected handling of multiple simultaneous SecurID authentication sessions. Multiple users can now authenticate concurrently using SecurID.
  10. To control the timeout after which the security server gives up connecting to the destination server, you may now define (or modify) the au_connect_timout property in objects.C to specify the requested timeout in seconds (the default is 10 seconds if no such property is specified).

Encryption:
  1. Fixed a bug in de-fragmentation which could cause connections to hang when using SKIP with large packets.
  2. Enlarged the stack used on Solaris to prevent kernel crashes when using SKIP.
  3. Fixed a bug where connections were incorrectly rejected when using SKIP with ESP only or AH only and with User Authentication on the decrypting side.
  4. Fixed a bug where SKIP 1.1 would not work on NT for some keys exported from Solaris.
  5. Enabled multiple gateway tunnels so that the gateway can connect to two sites using Manual IPSEC.
  6. Fixed the way decryption is handled in Manual IPSEC to prevent crashes.
  7. Corrected logs to reflect whether AH or ESP was used alone in Manual IPSEC, instead of always showing that they were used together.
  8. Fixed an FWZ encapsulation problem between SecuRemote 4.0 and FireWall-1 3.0 on all platforms except HP, where the problem still exists.
  9. Fixed a bug which could cause the FireWall to crash when the password expiration timeout on a SecuRemote client was set to zero.
  10. Dropped support for RC4 in Manual IPSEC, since connectivity is not guaranteed in this mode.

GUI Client:
  1. Fixed a bug in the handling of nested user groups. When an item was deleted from an included group, the including group was not updated correctly.
  2. Fixed Year 2000 bugs in the select and find functions of the Log Viewer. With this fix, all known Year 2000 limitations in FireWall-1 3.0b are closed.
  3. On dual-CPU machines, fixed a bug which prevented the GUI client and the Management from working when both were installed on the same machine.
  4. Corrected GUI (specifically bitmap) allocation which could cause the GUI client to get stuck on Win95 when working with a very large rulebase.
  5. When fetching interfaces for a network object, if a fetched interface already existed before the fetch, its definition is now overwritten by the result of the fetch.
  6. It is no longer permitted to enter a drive prefix in the file name (e.g. 'a:filename') when using 'Save As' for a policy.
  7. Disabled the use of address range objects in the security policy rulebase. They are still available for defining NAT rules.

OpenLook GUI:
  1. Fixed a bug where the values "Mail server" and "Error handling server" were not shown in the OpenLook GUI, although they were defined in objects.C.

Router Management (RSC/SRE):
  1. On Cisco, 3Com and Steelhead routers, using the predefined RIP service produced incorrect access lists for that service. A RIP rule can now be correctly defined either from the access-list properties or from the rule-base editor.
  2. Fixed a bug in the handling of port formats in access lists. The port field accepts the following formats:
       ">n"  : bigger than n, but not n
       "m-n" : between m and n, including m and n
       "n"   : only n
     To define "any" in the port field, enter ">0". "<=" and ">=" are currently illegal. source-port-from allows only "m" and source-port-to allows only "n", and the meaning is always the same as "m-n" in the port field. To put "any" in the source port, leave both source-port-from and source-port-to empty.
  3. Fixed a bug where, on installation of a new policy, the access list was uninstalled from a Bay router although the new policy had no rules to install on the router.

Miscellaneous:
  1. Fixed a problem where 'fw lichosts' on HP was showing one month behind.
  2. Removed from the SNMP configuration files specific IP addresses which were being used as placeholders.
  3. Corrected the location of snmp_version and snmp_community_len in snmp.def.
  4. Corrected the responses of the FireWall SNMP daemon.
  5. Fixed a file descriptor leak in Load Balancing, HTTP method.
  6. When FireWall-1 is reconfigured using FwConfig on WinNT or fwconfig on UNIX platforms, if the change requires restarting the FireWall, only the daemons are now stopped, instead of unloading the policy and disabling the FireWall module as was done previously.
  7. During the compilation of a policy, if conflicts are found between objects in the policy, the compilation now fails where before only a warning message was given.
  8. For FTP, the PORT command is now matched in mixed-case letters.
  9. Reduced the memory requirements for presenting kernel tables when using 'fw tab'.
  10. For FireWall-1 Modules on Bay routers: updated the message describing the interface format required for Anti-Spoofing to comply with Bay version 12.10.
  11. Fixed a problem which prevented synchronizing two FireWalls unidirectionally (i.e. FireWall A updating B, but B not updating A).

Limitations and Known Bugs:
  1. The FWZ encapsulation problem between SecuRemote 4.0 and FireWall-1 3.0b still exists on HP-UX platforms.

Service Pack 3072:
Service Pack 3072 can be applied to any 3.0b version of FireWall-1, including systems running Build 3045 or 3064.

Bug Fixes:

Windows and Motif GUI Client:
  1. Fixed a GUI resource leak which had a number of symptoms; for example, when scrolling through many rules the GUI would hang and the graphics would get distorted.
  2. When opening the GUI as 'Read Only', you can now scroll through group object members.
  3. Fixed printing of a Rule Base from the GUI, where the last rule of each page was only half printed.
  4. In the Motif Log and System Status GUIs, fixed a problem where configuration parameters were written to the directory the application was launched from instead of the $FWDIR/conf directory.
  5. For the Motif GUI, prevented the 'en_US language' error when starting the GUI.
  6. For the Motif GUI, this Service Pack includes an application which saves colors for the FireWall-1 GUI. This prevents the GUI from crashing when colors are not available. The application should be installed on the machine running the display and run automatically before any other application is opened on the display. See the Installation Instructions below.

OpenLook GUI:
  1. When defining a network object on Solaris 2.5.1 x86, fixed the problem which was causing the message 'Illegal Netmask 255.255.255.0'.
  2. Fixed triggering of alerts for actions in the System Status window.

Encryption:
  1. Fixed reassembly of fragmented SKIP packets.
  2. Fixed a SKIP bug which occasionally caused the fw daemon to crash.

Logging:
  1. Fixed a bug in the 'fw logswitch' mechanism, related to the fw.logtrack file, which was causing the fw daemon to fail due to too many open file descriptors.
  2. Removed the message "fwd: Unable to open 'dev/fw0'" which was displayed on the management station whenever the active log file ($FWDIR/log/fw.vlog) exceeded the default size of 10KB.
  3. Changed the representation of the date in 'fw log' output to be Y2K compliant.
  4. Changed the representation of the date in the name of the log file switched by 'fw logswitch' to be Y2K compliant.

Address Translation:
  1. In Address Translation, the minimum length test is now protocol sensitive. This fixes problems such as ICMP type 9 packets being wrongly dropped when translation is applied.

Router Management:
  1. When using Cisco access lists, it is now possible to define a filter that checks the source port of a packet.

Security Servers:
  1. The SMTP security server now adds the full name, including domain, to the HELO command.
  2. The SMTP security server now sends 552 error messages for mail that is too large, instead of 452.
  3. Fixed handling of multiple mail messages on a single connection.
  4. Fixed the sendmail.exe program for NT to correct a problem where mail alerts changed according to the date.
  5. In the FTP security server, corrected handling of 220 multi-line messages.
  6. In the FTP security server, fixed a problem with a welcome message ending with a newline (\n), which was preventing connections from opening.
  7. In the FTP security server, the reason log for the CVP server is now sent even if the CVP message is empty.
  8. Corrected handling of HTTP server replies which have no headers.

User Authentication:
  1. Fixed SecurID-related FireWall daemon crashes on NT.
  2. Defining a user with a time limitation using the interval 00:00 to 23:59 now covers the minute from 23:59 to midnight.

Management:
  1. Protection from the 'Radio Flyer' attack, where opening connections to the FireWall management daemon could prevent any FireWall administrator from connecting to the management station.

Kernel:
  1. Fixed a problem that could cause a kernel crash on AIX in a situation where packets must be modified (NAT or encryption) and the FireWall-1 gateway does not have an ARP entry for the next hop.
  2. Protection from the fragmentation attack, where sending fragmented packets can cause the FireWall to stop forwarding packets.
  3. There are also several configurable parameters which help the user fine-tune FireWall-1 to deal with this kind of attack. For NT there are four new registry parameters:
       1. PacketPoolSize - how many packets can be handled by the FireWall simultaneously. Default = 1024.
       2. BufferPoolSize - how many buffers can be handled by the FireWall simultaneously (a packet may be divided into a number of buffers). Default = 2048.
       3. MaxPendingPackets - how many packets can be pending, i.e. waiting on 'hold' (for encryption or session authentication) or for defragmentation, at one time. Default = max-100.
       4. MaxPendingBuffers - how many buffers can be held by pending packets at one time. Default = max-200.
     For UNIX, the packets come from a system pool controlled by the operating system which grows dynamically as the need arises.
     In addition, for all platforms, the following three parameters may be defined in objects.C under the 'props:' line (after editing objects.C, run fwstop and fwstart for the change to take effect):
       1. fwfrag_limit - how many fragment chains are allowed to be in the middle of assembly. Default is 1000.
       2. fwfrag_minsize - the smallest acceptable fragment size (maximum is 576). Default is 0.
       3. fwfrag_timeout - how long to wait for fragment chain completion before giving up on the packet and freeing its resources. Default is 20 seconds.

Limitations and Known Bugs:
  1. The Windows 95/NT GUI may get stuck or reach 100% CPU. To work around this problem: make sure no GUI client is running on your machine, then copy the two files msvcrt.dll and mfc42.dll to your Windows system directory (on Windows 95 to /system, on Windows NT to /system32).
  2. When managing pre-3072 modules with a FireWall-1 3.0b build 3072 Management, the Security Status window in the GUI crashes, gets stuck or shows no information for pre-3072 modules. This symptom is noticed when using Windows NT Service Pack 3.
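The fwfrag_* parameters above, like http_max_url_length and au_connect_timout earlier in this patch, are all set by adding or changing a property under the props block of $FWDIR/conf/objects.C. The script below is an added example, not part of this HP patch text and not Check Point's own tooling: a POSIX shell helper that sets such a property idempotently (re-running it updates the existing line instead of adding a duplicate), rejects non-numeric values, enforces the documented 576 maximum for fwfrag_minsize, and keeps a .bak copy of the file. It assumes the props block opens with a line containing ':props (' and that each property is written as ':name (value)' on its own line, which is how later objects.C files look; the patch text itself only says "under the 'props:' line". The sample objects.C it works on is constructed for the example. As the note says, fwstop and fwstart are still required afterwards.

```shell
#!/bin/sh
# Added example, not from the PHNE_17235 text or Check Point: maintain a
# property under the ":props (" block of objects.C without creating duplicates.
# Assumed layout (not stated in the patch text): ":props (" opens the block and
# properties are ":name (value)" lines inside it.

# set_fw_prop FILE NAME VALUE -> 0 on success, 1 on bad input or no props block
set_fw_prop() {
    file=$1; name=$2; value=$3
    # every documented property here is a non-negative integer
    case $value in
        ''|*[!0-9]*) echo "set_fw_prop: $name needs a non-negative integer" >&2; return 1 ;;
    esac
    # the patch text documents 576 as the upper bound for fwfrag_minsize
    if [ "$name" = fwfrag_minsize ] && [ "$value" -gt 576 ]; then
        echo "set_fw_prop: fwfrag_minsize maximum is 576" >&2; return 1
    fi
    grep -q '^[[:space:]]*:props[[:space:]]*(' "$file" || {
        echo "set_fw_prop: no :props block in $file" >&2; return 1; }
    tmp="$file.tmp.$$"
    if grep -q "^[[:space:]]*:$name[[:space:]]*(" "$file"; then
        # property already present: rewrite its line in place
        awk -v n="$name" -v v="$value" '
            $0 ~ ("^[ \t]*:" n "[ \t]*\\(") { print "\t\t:" n " (" v ")"; next }
            { print }' "$file" > "$tmp"
    else
        # property absent: insert it directly after the line opening the props block
        awk -v n="$name" -v v="$value" '
            { print }
            /^[ \t]*:props[ \t]*\(/ && !done { print "\t\t:" n " (" v ")"; done = 1 }' "$file" > "$tmp"
    fi || { rm -f "$tmp"; return 1; }
    cp "$file" "$file.bak" && mv "$tmp" "$file"
}

# get_fw_prop FILE NAME -> prints the value of the first ":NAME (value)" line
get_fw_prop() {
    awk -v n="$2" '
        $0 ~ ("^[ \t]*:" n "[ \t]*\\(") {
            sub(/^[ \t]*:[^ \t(]*[ \t]*\(/, ""); sub(/\).*$/, ""); print; exit
        }' "$1"
}

# Constructed sample in the assumed layout; not a real objects.C.
sample_objects_c() {
    printf '(\n\t:props (\n\t\t:fwfrag_limit (1000)\n\t\t:http_max_url_length (2048)\n\t)\n\t:network_objects (\n\t)\n)\n' > "$1"
}

# Walk through the three fragmentation tunables on the sample file.
demo() {
    d=$(mktemp -d); f="$d/objects.C"
    sample_objects_c "$f"
    set_fw_prop "$f" fwfrag_limit 500      # fewer chains allowed mid-reassembly (was 1000)
    set_fw_prop "$f" fwfrag_minsize 64     # refuse fragments smaller than 64 bytes (default 0)
    set_fw_prop "$f" fwfrag_timeout 10     # free an incomplete chain after 10 seconds (default 20)
    cat "$f"
    rm -rf "$d"
}
case ${1:-} in demo) demo ;; esac
```

Run it as `sh setprop.sh demo` to see the sample file before and after, or source it and call `set_fw_prop $FWDIR/conf/objects.C fwfrag_limit 500` on a real installation, followed by fwstop and fwstart. The lower limit and non-zero minimum size are the two knobs that bound what a flood of tiny or never-completed fragments can tie up; the timeout bounds how long each chain holds its resources.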
     On Solaris, the symptom with pre-3072 modules is similar: fwui crashes as soon as you click anywhere. To work around this problem:
       Stop FireWall-1 Management using 'fwstop'.
       Edit the file $FWDIR/lib/snmp/mib.txt as follows. Change the line
           checkpoint OBJECT IDENTIFIER ::= { enterprises 2620 }
       to the line
           checkpoint OBJECT IDENTIFIER ::= { enterprises 1919 }
       Start FireWall-1 Management using 'fwstart'.
  3. A problem in the SMTP server causes it not to send any logs. You will receive logs on mail messages only from the mail dequeuer process. For example, connections which are rejected by the Rule Base should be logged by the SMTP server, but these logs will not be received; on the other hand, any mail that was accepted and reached its target is logged as usual by the mail dequeuer.
  4. Occasionally, during multiple concurrent authentications between a FM and an ACE server, the challenge returns a failure even if the right PIN was entered. This will be fixed in a subsequent hot fix.

Important Note: This Service Pack includes a new control.map file with new configuration for the OPSEC communication protocols. Installing the Service Pack replaces your existing control.map with the new one. If you have changes in control.map which you want to keep, copy the file aside before installing this Service Pack. After the installation you can either merge the two files manually or, if you are not using OPSEC, replace the newly installed control.map with your old one.

PHNE_14796:
This patch contains all bug fixes from 3045 and 3055 (not a general patch release), as well as OPSEC SDK support and several bug fixes to the SMTP, HTTP and FTP security servers. This patch can be applied to any 3.0b version of FireWall-1, including systems running Build 3045.

Bug Fixes:

OPSEC:
  1. OPSEC/SDK support is now provided.
  2. Fixes many CVP and UFP problems.

Windows NT:
  1. Executing alerts on Windows NT created system memory leaks.
  2. "fw log -ft" on Windows NT did not work.

HTTP Security Server:
  1. FTP from Netscape Communicator failed in some circumstances.
  2. The HTTP Security Server crashed under heavy load.
  3. When the HTTP Resource Path is *:*, a redundant DNS query was submitted.
  4. When a URL specified in a URI Resource was reloaded a few times, ahttpd.log grew abnormally.
  5. UFP - the process of fetching a dictionary from a UFP server sometimes crashed if the UFP server was down.
  6. SecurID: entering the next PASSCODE through HTTP crashed the HTTP Security Server.

SMTP Security Server:
  1. When non-multipart attachments are to be stripped, the MIME Content-Type is changed to text/plain. Other 'Content-' fields are stripped.
  2. "Too many open files" messages.
  3. Mail was occasionally lost under load (i.e. scores of mails in the spool).
  4. smtpd crashed after a number of mails were rejected.
  5. Using a rewriting scheme 'Field Contents ->' in an SMTP resource with an empty rewritten string caused smtpd crashes.
  6. An SMTP resource with Client Authentication was not logged correctly.
  7. Quoted characters are now recognized in the SMTP commands MAIL and RCPT and also in message headers.
  8. smtpd crashed when the DATA command was sent preceded by MAIL FROM and RCPT commands containing illegal mail paths.
  9. When sending error notifications, the last header line was dropped when a mail with an empty body was sent.
  10. Mails got stuck in the spool when working with the Eliashim AntiVirus Server.
  11. Occasionally a blank line was added in big attachments.
  12. When an error notification was sent, the last attachment boundary line was misplaced.
  13. The error server definition was absent from the FireWall-1 Configuration SMTP dialog box (NT only).
  14. SMTP transaction failures due to resource restrictions, e.g. "Too much mail data", were not logged correctly. They are now logged in accordance with the resource's 'Exception track' definition.

FTP Security Server:
  1. The FTP Security Server did not support PASV FTP with Accounting.
  2. With FTP + CVP, the full path file name is logged in URL format (e.g. ftp://...).

FireWall Synchronization:
  1. FireWall Synchronization with Address Translation is now supported.

Address Translation:
  1. The number of NAT rules is now up to 2048 instead of 1024.

Encryption:
  1. SKIP encryption problems when used with NAT.

Management GUI:
  1. When defining an object whose IP address is identical to a FireWalled object, encryption did not work properly.
  2. When all user checkboxes were unset, adding a user crashed the OpenLook fwui.
  3. Windows and X/Motif GUI: state transition alerts did not work in the System Status view.
  4. Long names for Admin authentication crashed fwm.

INSPECT:
  1. When the rule base exceeded ~250 rules, the INSPECT Virtual Machine stack could overflow.
  2. Land attack protection provided.
  3. RealAudio and VDOLive services are now supported in FASTPATH mode.
  4. Large FTP transfers: if a file transfer through FireWall-1 took longer than TCP_TIMEOUT (60 minutes by default), the control connection was cut in the middle, resulting in file transfer failure. After installing Patch 3055, if you need to transfer files for longer than TCP_TIMEOUT, modify the file $FWDIR/lib/base.def, changing the line
         #define FTP_CONTROL_TIMEOUT TCP_TIMEOUT
     to
         #define FTP_CONTROL_TIMEOUT <seconds>
     where <seconds> is the number of seconds you want the control connection to remain open.

Miscellaneous:
  1. $FWDIR/conf/fwauthd.conf had a limit of no more than 10 security servers. The number has been increased from 10 to 64.
  2. More than ~20 domain objects in the Rule Base did not work.

Authentication:
  1. SecurID new PIN mode was not working properly when used via a browser.

Feature Enhancements:

SMTP Security Server:
  1. Multiple mail servers/error handling servers can be defined in a resource or in smtp.conf, e.g. Mail server: {smtp-gw1,smtp-gw2,smtp-gw3}
  2. The error notification log format has changed. An error notification attempt is logged with INFO, as in the following example: "Error notification sent: originally from someone@org to somebody@org"
  3. In an error notification message, the original header is returned together with the message body.

Limitations and Known Bugs:
  1. NT - when using an HTTP resource with UFP, the category string in the log viewer is the mask and not the category string.
  2. AIX, Solaris/x86 VPN+DES - when using an HTTP resource with the File option, the file is not copied to $FWDIR/database/lists during the policy download. A temporary workaround is to add the file name to $FWDIR/state/fwrl.conf on the management station.
  3. Using UNIX (tested using AIX/Motif and Sun/OpenLook), it was not possible to manage a Bay embedded FireWall Module by downloading a policy. The following error is seen:
         fetch_bload : get_rule_base failed
         Failed to install security policy on {Bay Module name}: File exists
  4. Back channel connections (e.g. the FTP data connection) do not work when using FireWall-1 Synchronization in an asymmetric routing configuration. This limitation will be lifted in the next release of FireWall-1.

PHNE_13484:
Detailed problem solving description - patch 3045 Release Notes:

Bug Fixes:

State Synchronization - several crash scenarios:
  1. FireWalls stopped synchronizing after a policy load.
  2. The FireWall-1 daemon crashed when more than 64K needed to be synchronized in one chunk.
  3. FireWalls might get out of synchronization from time to time.
  4. Security Servers might stop working if running on two synchronized machines.
  5. FireWall synchronization did not behave properly after reload of a policy.
  6. System crashes under heavy load.
  7. Using synchronization with several features caused system crashes. See the Limitations section below.

SMTP Security Server:
  1. The SMTP Security Server reported a "Too many open files" error message.
  2. Long header lines logging.
  3. Redundant spaces in sender and recipient were not RFC 821 compliant.
  4. Some files were queued in the spool directory when CVP was used.
  5. Mail error notifications were not sent properly.

HTTP Security Server:
  1. Crashes under load with CVP.
  2. Crashes when the CVP server goes down.
  3. The HTTP server sent a redundant drop request.
  4. Crashes under load if 'Block JAVA Code' is enabled.

FTP Security Server:
  1. Crashes under load with CVP.
  2. When failing to connect to the CVP server, the client (a.ftpd) went out of sync.

UFP:
  1. FireWall-1 omitted the query from the URL passed to the UFP server.

Authentication:
  1. Support is now provided for the SecurID New PIN mode.
  2. Ability to change the RADIUS port added.

Windows NT:
  1. Service Pack 3 PPP support.
  2. NT 4.0 fwntperf.dll.
  3. Windows NT DNS crashes.
  4. Windows NT network cards of type El90x3 created incorrect anti-spoofing code.

Address Translation:
  1. UDP DST static address translation.

GUI:
  1. FwStatus - Year 2000 compliance (FireWall-1 is now fully Year 2000 compliant).
  2. *local mode on Motif.
  3. FwStatus - the correct SNMP communities are now used.
  4. Windows and Motif GUI allowed creating Groups with illegal.

INSPECT:
  1. Network cards with '/' in their names caused compilation errors.
  2. 'Others' + anti-spoofing specification created wrong INSPECT code.
  3. Defining a network object with the name 'servers' created wrong INSPECT code.

Encryption:
  1. SKIP and IPSec with 'Decrypt upon accept' and ICMP caused a daemon crash.

Security Properties:
  1. SNMP from external machines (such as HP OpenView) is no longer accepted automatically but requires an explicit rule.

Miscellaneous:
  1. The URI resource URL list file was not downloaded properly to remote FireWall Modules.
  2. Support for longer INSPECT filters (up to 128K).
  3. 'fw logexport' crashed if the info field was longer than 1024 bytes.

Limitations and Known Bugs:
  1. The patch does not support State Synchronization of the following features (but they can still be used with synchronized modules):
       - Network Address Translation
       - Encryption (VPN and SecuRemote)
       - Accounting
       - Security Servers (Authentication & Content Security)
       - Load Balancing (Logical Servers)
  2. The patch is incompatible with the following embedded systems:
       - Xylan switches running FireWall-1
       - Bay routers running FireWall-1
     (Note that Bay routers running Access Lists are not considered embedded systems, and as such will run properly with this patch.)
     This implies that in order to control these embedded systems, a user must keep the old Management station rather than apply the patch. A user with a combined environment who needs the latest bug fixes incorporated in this patch must keep two separate Management stations: the old one for use with the embedded systems, and the new one for all other systems.
  3. User Authentication done by PASV FTP via Netscape 3.0/4.0 browsers does not work (for instance, trying to issue ftp://username:passwd@workstation.checkpoint.com).

SR: 0000000000

Patch Files:
  /tmp/ckp_3083_non-vpn.tar
  /tmp/ckp_3083_non-vpn.README_FIRST

what(1) Output:
  /tmp/ckp_3083_non-vpn.tar:
    Copyright (c) 1993 Regents of the University of Michigan.
    Copyright (c) 1990 Regents of the University of Michigan.
    Copyright (c) 1990 Regents of the University of Michigan.
    Copyright (c) 1993 The Regents of the University of Michigan.
    Copyright (c) 1995 Regents of the University of Michigan.
    gcm.c 2.12 91/10/15 Copyright 1989 Sun Microsystems
    gfm.c 2.30 91/10/15 Copyright 1990 Sun Microsystems
    group_data.c 2.7 91/10/15 Copyright 1991 Sun Microsystems
    gfm_load_dir.c 2.22 91/10/15 Copyright 1990 Sun Microsystems
    group.c 2.27 91/10/15 Copyright 1991 Sun Microsystems
  /tmp/ckp_3083_non-vpn.README_FIRST:
    None

cksum(1) Output:
  1066902895 662 /tmp/ckp_3083_non-vpn.README_FIRST
  1457198727 16640000 /tmp/ckp_3083_non-vpn.tar

Patch Conflicts: None
Patch Dependencies: None
Hardware Dependencies: None
Other Dependencies: None
Supersedes: PHNE_13484 PHNE_14796
Equivalent Patches: None
Patch Package Size: 16310 KBytes

Installation Instructions:
Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and limitation of liability and warranties, before installing this patch.
------------------------------------------------------------
  1. Back up your system before installing a patch.
  2. Login as root.
  3. Copy the patch to the /tmp directory.
  4. Move to the /tmp directory and unshar the patch:
         cd /tmp
         sh PHNE_17235
  5a. For a standalone system, run swinstall to install the patch:
         swinstall -x autoreboot=true -x match_target=true \
             -s /tmp/PHNE_17235.depot
  5b. For a homogeneous NFS Diskless cluster, run swcluster on the server to install the patch on the server and the clients:
         swcluster -i -b
      This will invoke swcluster in interactive mode and force all clients to be shut down.
      WARNING: All cluster clients must be shut down prior to the patch installation. Installing the patch while the clients are booted is unsupported and can lead to serious problems.
      The swcluster command will invoke an swinstall session in which you must specify:
         alternate root path - default is /export/shared_root/OS_700
         source depot path - /tmp/PHNE_17235.depot
      To complete the installation, select the patch by choosing "Actions -> Match What Target Has" and then "Actions -> Install" from the menu bar.
  5c. For a heterogeneous NFS Diskless cluster:
      - run swinstall on the server as in step 5a to install the patch on the cluster server.
      - run swcluster on the server as in step 5b to install the patch on the cluster clients.

By default swinstall will archive the original software in /var/adm/sw/patch/PHNE_17235. If you do not wish to retain a copy of the original software, you can create an empty file named /var/adm/sw/patch/PATCH_NOSAVE.
Warning: If this file exists when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature.
It is recommended that you move the PHNE_17235.text file to /var/adm/sw/patch for future reference.
To put this patch on a magnetic tape and install from the tape drive, use the command:
         dd if=/tmp/PHNE_17235.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
Note: This patch is for FireWall-1 V3.0b only. The customer must have FireWall-1 V3.0b installed before this patch can be applied. This patch does not upgrade previously released FireWall-1 products.
Note: DO NOT select the "match what target has" test option in the SWINSTALL menu (this is the same test that the -x match_target=true option in step 5a and the "Actions -> Match What Target Has" choice in step 5b request, so leave it out for this patch). This test will fail because the FireWall-1 product was not installed using the SD method.
SUBSYSTEM_SHUT: All active connections through the firewall must be closed before installing this patch.

Follow the instructions below to complete the installation of this patch after you have swinstall'ed PHNE_17235:
  1) cd /tmp
  2) tar xvf ckp_3083_non-vpn.tar
  3) cd ckp_3083_non-vpn
  A) To apply the patch to a FireWall module:
     A1) cd fw_patch
     A2) Issue "fwinstallpatch". This will start the patch installation.
  B) To apply the patch to the GUI client:
     B1) cd gui_patch
     B2) Issue "fwguiinstallpatch" to start the installation.
If your FireWall and GUI management console are installed on the same machine, apply both patches.
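Before running steps 1) to B2) above, it is worth comparing the two extracted files against the cksum(1) values listed earlier in this text: a different byte count or CRC means the tar on disk is not the one HP posted (cksum is a CRC, an integrity check against truncation or corruption, not an authenticity check against deliberate substitution). The script below is an added example, not part of this HP patch text and not Check Point's installer: it wraps that comparison and the post-swinstall steps. It assumes fwinstallpatch and fwguiinstallpatch are executable scripts inside the fw_patch and gui_patch directories of the extracted tar, that it is run as root, and that no connections are active through the firewall (SUBSYSTEM_SHUT); the expected checksum values are copied from the cksum(1) Output section.

```shell
#!/bin/sh
# Added example, not from the PHNE_17235 text or Check Point: verify the patch
# files against the published cksum(1) values, then run the post-swinstall steps.

# verify_cksum EXPECTED_SUM EXPECTED_SIZE FILE
# Returns 0 only when cksum(1) reports exactly the expected CRC and byte count.
verify_cksum() {
    expected_sum=$1; expected_size=$2; file=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    set -- $(cksum "$file")              # fields: crc size name
    if [ "$1" != "$expected_sum" ] || [ "$2" != "$expected_size" ]; then
        echo "cksum mismatch for $file: got $1 $2, expected $expected_sum $expected_size" >&2
        return 1
    fi
    return 0
}

# verify_patch_files [DIR]: both files, with the values from the cksum(1) Output section.
verify_patch_files() {
    dir=${1:-/tmp}
    verify_cksum 1066902895 662      "$dir/ckp_3083_non-vpn.README_FIRST" &&
    verify_cksum 1457198727 16640000 "$dir/ckp_3083_non-vpn.tar"
}

# install_ckp_patch [DIR] [gui]
# Steps 1)-3) and A) from the Special Installation Instructions; pass "gui" as
# the second argument to also run B) when the GUI client is on the same machine.
# Assumes (not stated in the text) that the fwinstallpatch/fwguiinstallpatch
# scripts live inside the extracted fw_patch/gui_patch directories.
install_ckp_patch() {
    dir=${1:-/tmp}; with_gui=${2:-}
    verify_patch_files "$dir" || { echo "refusing to install: checksum check failed" >&2; return 1; }
    cd "$dir" && tar xvf ckp_3083_non-vpn.tar && cd ckp_3083_non-vpn || return 1
    ( cd fw_patch && ./fwinstallpatch ) || return 1
    if [ "$with_gui" = gui ]; then
        ( cd gui_patch && ./fwguiinstallpatch ) || return 1
    fi
}

case ${1:-} in
    verify)  verify_patch_files "${2:-/tmp}" && echo "patch files match published checksums" ;;
    install) install_ckp_patch "${2:-/tmp}" "${3:-}" ;;
esac
```

`sh ckp_install.sh verify` only checks the files; `sh ckp_install.sh install /tmp gui` checks them and then runs the firewall and GUI patch installers, stopping at the first failure. Because the expected values are fixed in the script, a tar that was re-downloaded, truncated or repacked fails the check before anything is extracted.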