About This Guide
This guide describes how to install and configure the Check Point VPN-1 Power NGX R62 application on X-
Series and C-Series security switches. For more information regarding the Check Point VPN-1 Power NGX R62
application, visit: (http://www.checkpoint.com/).
This guide is intended for system integrators and other qualified service personnel responsible for installing,
configuring, and managing the software on an X-Series or C-Series system.
Related Documentation
Conventions
The following conventions are used throughout this guide to emphasize certain information, such as user input,
screen options and output, and menu selections.
italics - Indicates book and section titles.
Courier - Indicates user input and program output.
Courier italics - Indicates variables in commands.
Menu => - Indicates to select an option from the menu pull-down.
Check Point NGX R62 for Crossbeam Security Switches Installation and Configuration Guide v
Warnings, Cautions, and Notes indicate the following:
NOTE − Provides helpful suggestions or reference to materials not contained in this manual.
Support
Crossbeam Systems and our ISV (Independent Software Vendor) partners offer technical support. Support calls
for applications should be directed to the originating ISV. All other support calls should be directed to Crossbeam
Systems Customer Service.
For additional information, please contact your account representative or refer to www.crossbeamsystems.com.
Crossbeam Systems also offers customer training for our products. Refer to the web site for the course offering
and schedules.
Customer Comments
Customer comments are not only welcomed, they are encouraged. Please take a moment and let us know how we
are doing. To do this, respond in one of the following ways:
• E-mail your comments to documentation@crossbeamsystems.com.
• FAX your comments to 978-287-4210, attention Technical Publications.
1 Before Installing Check Point VPN-1 Power NGX R62
Crossbeam Systems provides industry-leading firewall solutions for a broad range of uses in both carrier and
enterprise networks. These solutions scale from 350Mbps of throughput up to 8G and offer a wide variety of
equipment options on both X-Series and C-Series equipment for perimeter, data center, network core and remote
office deployments. All Crossbeam Systems solutions, including the firewall functionality, can be deployed
either in standalone mode or as part of an integrated UTM configuration.
To load the Check Point VPN-1 Power NGX R62 application on a C-Series system under COS, use the following
RPM file:
app-firewallng-NGXR62-1-4.11.0.5.7xCOS.i686.rpm
Application Management Circuit Configuration
The application requires a circuit configured for managing the application. The circuit must be configured with
the ip-flow-rule-no-failover option. The circuit must also be configured with the increment-per-vap parameter,
even if the VAP group contains only one VAP. For example:
circuit mgmt circuit-id
device-name mgmt
vap-group MyNet
ip-flow-rule-no-failover
ip 192.168.20.39/24 192.168.20.255 increment-per-vap 192.168.20.39
NOTE: Refer to the XOS Configuration Guide for more information about configuring a management circuit.
Managing Applications
Use the following commands at the XOS system prompt to perform basic application management:
NOTE: The VAP must be listed as “UP” for the following Start, Stop, and Restart commands to take effect.
• Start an application:
application <app-name> vap-group <vap-group-name> start
• Configure an application:
application <app-name> vap-group <vap-group-name> config
• Stop an application:
application <app-name> vap-group <vap-group-name> stop
• Restart an application:
application <app-name> vap-group <vap-group-name> restart
• Update VAPs. This command is used when the VAP count of the VAP group is incremented after the
application configuration. The update command installs the application on the newly created VAPs.
application-update vap-group <vap-group-name>
• Display all applications installed on all VAP groups or a specified VAP group:
show application [vap-group <vap-group-name>]
The following example shows the state of the application on a VAP group named FW-1:
VAP_Group = fw Application = FW1 Version = NGXR62
Admin State = ENABLED Application Monitoring = ENABLED
fw_1 Operational State = NOT RUNNING
fw_2 Operational State = NOT RUNNING
fw_3 Operational State = RUNNING
fw_4 Operational State = RUNNING
The Admin State shows whether the application will start during VAP boot (enabled) or not (disabled). The
Admin State is enabled at install time and when the user runs the application start CLI command.
Similarly, the Admin State is disabled when the user runs the application stop CLI command.
The Operational State shows the application’s status (running or not running) for each VAP in the VAP
group. The XOS health system will poll the application every five seconds to determine the application’s
state and report it to the CLI.
NOTE: On an XOS system, the XOS health system polls the application processes on each VAP in the VAP group
every five seconds to make sure that they are running. If the application is not running on a VAP and application
monitoring is enabled, the health system notifies the NPM to stop sending new flows to this VAP. This can be
verified on the CLI with the show flow-distribution command. This process is performed dynamically without
modifying the VAP group's load balance list.
Application monitoring cannot detect process hangs. If the process is not functioning but is still running, the
XOS health system will continue to report the application as running.
2 Installing Check Point VPN-1 Power NGX Software on an X-Series System
This chapter describes how to install Check Point® VPN-1 Power NGX R62 on an X-Series system.
Only one FireWall application can be installed on any specific VAP group. Refer to the ADF Release Notes to
determine the minimum version of XOS required for each application.
Prerequisites
• For an X-Series system, use XOS V7.0.4 (or later).
• SIC activation key.
• Check Point VPN-1 Power NGX R62 requires XS Linux v3.
Installing the Application onto a VAP Group
After you have loaded the VPN-1 Power software, install the application onto the desired VAP groups as follows:
1. Exit from the root:
[root@xxxxx rpm]# exit
NOTE: Depending on the FireWall application you chose, the installation script prompts you with various
questions. The following steps highlight some of the questions.
4. The End-user License Agreement appears. Enter 'y' to accept the license agreement and continue.
5. If you have previously installed VPN-1 Power on this VAP group, you are prompted to use an existing
configuration. You can choose to re-use or not use the older VPN-1 Power configuration. If you choose to
use the older configuration, it does not stop you from changing those settings during the configuration
questioning period.
6. When prompted, enter the SIC activation key.
7. When prompted to configure local license information, enter the licensing information for each VAP, along
with the VAP management IP address. Alternatively, you can configure licenses through SmartUpdate. If you
do not enter license information, you will be granted a 15-day evaluation license.
The following is an example of the VAP licensing process. In this example, the strings used are not valid
Check Point strings.
Enter Check Point VPN-1 Power License Information>
Host ()> home
Date ()> 28May2006
String ()> xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx
Features ()> CPMP-EVAL-1-3DES-NG CK-CP
The license questions repeat for all VAPs partitioned on the CP module disk and may contain up to 10 VAPs.
It is also possible to use SmartUpdate to apply licenses from the management server. In order to do this,
select “No” when prompted to enter the licenses by the install script and then refer to the Check Point
documentation for steps on applying licenses using SmartUpdate after the install has completed.
8. If you choose to activate High-Availability (HA) and the mode (Re-Load Balancing or Switch Over) when
prompted, you will need to configure the firewalls as a cluster.
9. After Check Point VPN-1 Power is installed on all VAPs, you are prompted to reboot the APMs. Use the
reload vap-group vap-group-name CLI command to reboot all APMs that are a part of this VAP group.
The firewall should be running on all APMs at this time.
NOTE: With VPN-1 Power NGX R62, Floodgate and Smartview Monitor are also installed by default. As a
result, you may see messages that these applications are not started or disabled.
The following example shows the state of the application on a VAP group named fw:
VAP_Group = fw Application = FW1 Version = NGXR62 Admin State = ENABLED
Enabling Intra-Box VPN-1 Power Synchronization
After completing the VPN-1 Power installation, enable intra-box VPN-1 Power Synchronization as follows.
1. Enable VPN-1 Power Synchronization:
CBS# application FW1 vap-group <vapGroupName> version NGXR62 config
----------------------
(1) Licenses
(2) Enable SNMP Extensions
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Enable Check Point High Availability/State Synchronization
(7) Enable Check Point SecureXL
(8) Enable Advanced Routing
(9) Enable Application Monitoring
(10) Automatic start of Check Point FireWall-1
(11) Install Check Point packages
(12) Configure Check Point fwkern.conf file
(13) Configure Dynamic Routing
(14) Exit
Enter your choice (1-14) : 6
2. Choose “Enable Check Point High Availability/State Synchronization”. You are brought back to the VPN-1
Power interview process.
When exiting from this menu, the following question may appear depending upon whether VPN-1 Power is
already running or not:
You have changed VPN-1 & FireWall-1 Configuration. Would you like to restart
VPN-1 & FireWall-1 now so your changes can take affect? (y/n) [y]
The Check Point Cluster XL solution is not supported or needed on the XOS X-Series system, because the XOS
X-Series system has built-in High Availability and Load Balancing capabilities.
To configure a VPN Gateway Cluster on an XOS X-Series system from within the Check Point Management
Server, configure a gateway cluster containing the following:
• All VAPs in the XOS X-Series system's VAP groups.
• The desired VPN configuration, including the VPN domain and a synchronization network.
The X-Series system can be used in both Single Entry Point (SEP) and Multi Entry Point (MEP) VPNs.
Refer to the Check Point VPN-1 Users Guide for additional information.
(Figure: example VPN topology; only the server label "Zen" survived extraction.)
In this example:
Flows initiated from the Site Encryption Domain
When the tunnel is established, all traffic for that tunnel (IKE and IPsec traffic) is load balanced to one VAP in
the VAP group. When “Alice” communicates with server “Zen” over the encrypted tunnel, there are two flows:
• The encrypted tunnel traffic flow between Gateway 66.1.1.2 and the Cluster 172.168.1.100.
• The flow after decryption, which is the flow between Alice (20.20.20.25) and the Server Zen (192.168.2.9).
The IPsec (and IKE) flow is received by the NP module and consequently an entry in the Active Flow Table
(AFT) is created, as follows:
CBS# sho flow active destination-address-low 172.168.1.100
NOTE: In the above example, both IKE (500) and IPsec (50) traffic is load-balanced to VAP vpn_2. It is
common, but not required, that IKE and IPsec traffic are load-balanced using the same VAP.
The second (decrypted) flow is not in the Active Flow Table (AFT), since it is not originated by the VAP and
there is no outbound classification.
Return packets (packets from the Server to Alice) are classified by the NP module as a new flow and may be load
balanced to a VAP other than the originating VAP. These packets may be dropped by the firewall because they
are "out-of-state":
CBS# sho flow active destination-address-low 172.168.1.100
Note that different VAPs are reported for the flows, illustrating a possible "out-of-state" situation.
Bob's response is sent over the existing tunnel, whose traffic is received on VAP vpn_2. This packet may be
dropped by VPN-1 Power because it is "out-of-state". However, the packet is accepted, and consequently
forwarded by the firewall, on the condition that all VAPs are fully synchronized.
As soon as the first response packet is received by the NP module, it detects that an AFT entry already exists for
this flow but on another VAP (vpn_3). The NP module resolves this situation by updating the original AFT entry
with the new VAP index (vpn_3 -> vpn_2).
After the first response packet is detected by the NP module, the AFT has the following entries for the flows
between Alice and Zen and between Bob and Zen:
Module  Source                Destination            Protocol  TTL
np1     66.1.1.2: 0           172.168.1.100: 0       50        0m 45s
        Rx  Modules vpn_2
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol
np1     192.168.2.9: 3449     20.20.20.25: 5001      6         0m 45s
        Rx  Modules vpn_3
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol
np1     20.20.20.66: 5001     192.168.2.9: 3449      6         1m 0s
        Tx
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol
np1     192.168.2.9: 3768     20.20.20.66: 5001      6         0m 45s
        Rx  Modules vpn_2
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol
np1     20.20.20.66: 5001     192.168.2.9: 3768      6         1m 0s
        Tx
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol
In summary, flows initiated from within the cluster encryption domain and destined to a host in a remote
encryption domain could potentially be load-balanced to a VAP different from the VAP decrypting traffic for the
particular tunnel. In this scenario, the NP module reclassifies the outbound flow to the VAP receiving the
encrypted IPsec traffic for that tunnel as soon as the first return packet is received.
As previously mentioned, this requires all VAPs in the VAP group to be fully synchronized. However, the
returned packet may be received before the cluster is synchronized. In this scenario, the firewall drops the first
return packet because it is “out of state”. Depending on the protocol, packets are retransmitted until the cluster is
fully synchronized.
The time it takes to synchronize the session state tables depends largely on the number of connections going
through the firewall. To improve the synchronization time, only synchronize necessary traffic. For example, by
disabling the synchronization of http traffic, the size of the session state table and the consequent synchronization
time is reduced significantly.
If the protocol does not support packet retransmission, or if "out-of-state" packet drops are undesirable, the
cluster can be configured to hold the first packet until all members are synchronized.
To enable this, check "support non-Sticky connections" in the "3rd party configuration" menu of the cluster
object. In pre-NG AI/R54 FireWall-1/VPN-1 versions, this could be controlled by setting the variable
"use_limited_flushnack" to true in $FWDIR/conf/Objects.C on the management server. It is recommended that
you do not change this property, in order to retain the highest cluster performance.
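The out-of-state behaviour described above, as an added model that is not XOS or Check Point code: a bi-directional AFT, one state table per VAP, the drop of a reply that arrives before synchronization, and the vpn_3 -> vpn_2 re-pointing of the AFT entry. The round-robin load balancing and the two-member VAP group (vpn_2, vpn_3) are assumptions made for a deterministic walk-through; the addresses and ports are those of the guide's Zen-to-Bob flow.

```python
# Added model, not XOS code. Assumed: round-robin balancing, VAP group vpn_2 and vpn_3.
ESP, TCP = 50, 6

def key(flow):                      # bi-directional AFT key shared by both directions
    src, sport, dst, dport, proto = flow
    return frozenset({(src, sport), (dst, dport)}), proto

class VAP:                          # firewall on one VAP with its own state table
    def __init__(self, name):
        self.name, self.state = name, set()

    def inspect(self, flow, opening=False):
        # Opening packet creates state; others must match this VAP's state or are out-of-state.
        if opening:
            self.state.add(key(flow))
        return "accept" if key(flow) in self.state else "drop out-of-state"

class NPModule:
    def __init__(self, vaps):
        self.vaps = {v.name: v for v in vaps}
        self.aft = {}               # AFT: flow key -> name of the owning VAP
        self.rr = 0

    def rx(self, flow):             # packet from the network: AFT hit or new flow
        k = key(flow)
        if k not in self.aft:
            self.aft[k] = list(self.vaps)[self.rr % len(self.vaps)]
            self.rr += 1
        return self.aft[k]

    def tx(self, flow, from_vap):   # packet sent by a VAP: AFT entry re-pointed to it
        self.aft[key(flow)] = from_vap

def synchronize(np):                # state sync: every VAP learns every connection
    merged = set().union(*(v.state for v in np.vaps.values()))
    for v in np.vaps.values():
        v.state |= merged

def zen_to_bob(sync_before_reply):
    """Zen opens a connection to Bob through the tunnel. Returns the VAP that took
    the new flow, the VAP decrypting Bob's reply, its verdict and the AFT owner."""
    np = NPModule([VAP("vpn_2"), VAP("vpn_3")])
    tunnel = ("66.1.1.2", 0, "172.168.1.100", 0, ESP)
    np.rx(tunnel)                             # IPsec for this tunnel lands on vpn_2
    zen_bob = ("192.168.2.9", 3768, "20.20.20.66", 5001, TCP)
    bob_zen = ("20.20.20.66", 5001, "192.168.2.9", 3768, TCP)
    first = np.rx(zen_bob)                    # new outbound flow balanced to vpn_3
    np.vaps[first].inspect(zen_bob, opening=True)
    if sync_before_reply:
        synchronize(np)
    decryptor = np.rx(tunnel)                 # Bob's reply arrives inside the tunnel
    verdict = np.vaps[decryptor].inspect(bob_zen)
    if verdict == "accept":
        np.tx(bob_zen, decryptor)             # forwarded; AFT entry vpn_3 -> vpn_2
    return first, decryptor, verdict, np.aft[key(zen_bob)]
```

Without synchronization the first reply is dropped and the AFT entry stays on vpn_3; once the state tables are synchronized the reply is accepted and the entry moves to vpn_2, which is what the AFT listing above shows.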
NOTE: If the Check Point VPN-1 Power NGX R62 application is installed on multiple VAP groups, repeat the
previous steps for each VAP group.
2. Uninstall the Check Point VPN-1 Power NGX R62 RPM file as follows:
[root@xxxxx admin]# rpm -e <app-rpm-name>
3. If using a CP redundancy configuration, you must uninstall the Check Point VPN-1 Power NGX R62 RPM
file from the secondary CPM.
NOTES: If you have a High Availability configuration with multiple X-Series systems, manage each system
separately. Therefore, to remove the application from multiple systems, repeat this procedure for each system. By
default, the disk swap space is equal to the amount of memory in the X-Series system. However, APMs with a
local disk drive are configured with two 2GB swap partitions, although disk swap space is not enabled.
3 Installing Check Point VPN-1 Power NGX Software on a C-Series System
This chapter describes how to install the Check Point VPN-1 Power NGX R62 application on a C-Series Security
Switch. The Check Point NGX application includes the Policy Server and Real Time Monitor packages.
Prerequisites
• For a C-Series system, use COS 4.0.1 (or later). Note that the C25 requires COS 5.1.0 (or later) and that the
C12 requires COS 5.1.1 (or later).
• This application requires COS CS Linux v3.
2. Use FTP to copy the application RPMs to the C-Series system. The default directory for these RPMs is:
/usr/os/apps/
3. Execute the following command at the admin prompt to display the Main Menu.
[root@hostname admin]# cos_config
7. You will be prompted to enable dynamic routing. Enter “N”. Check Point Dynamic Routing is not supported
in this release.
NOTES:
• For this release, the RPM name is:
app-firewallng-NGXR62-1-4.11.0.5.7xCOS.i686.rpm
• If multiple versions of the Check Point VPN-1 Power are present, you are prompted to pick one. Only one
variation of Check Point VPN-1 Power can be installed.
Configuration Considerations
The following section lists items that you need to be aware of when installing Check Point VPN-1 Power NGX
R62.
• If installing the FireWall application individually or as part of a software package, do not reboot the system
when prompted. Instead, choose to reboot at a later time. Otherwise, the rest of the COS installation script
will not be invoked.
• Requires COS CS Linux v3.
• Floodgate and Smartview Monitor are installed by default. As a result, you may see messages that these
applications are not started or disabled.