
Check Point® Security Gateway R70

Installation and Configuration Guide for


Crossbeam® X-Series Platforms
Crossbeam CBI Version: 1.2.0.0
Crossbeam XOS Version: 8.5 or later

Part Number 005592A


March 2009
Copyright and Trademark Information
Copyright © 2009 by Crossbeam Systems®
Boxborough, MA, USA
All Rights Reserved
The products, specifications, and other technical information regarding the products contained in this
document are subject to change without notice. All information in this document is believed to be accurate
and reliable, but is presented without warranty of any kind, expressed or implied, and users must take full
responsibility for their application of any products specified in this document. Crossbeam Systems disclaims
responsibility for errors that may appear in this document, and it reserves the right, in its sole discretion and
without notice, to make substitutions and modifications in the products and practices described in this
document.
This material is protected by the copyright and trade secret laws of the United States and other countries. It
may not be reproduced, distributed, or altered in any fashion by any entity (either internal or external to
Crossbeam Systems), except in accordance with applicable agreements, contracts, or licensing, without the
express written consent of Crossbeam Systems.
For permission to reproduce or distribute please contact your Crossbeam Systems account executive.
Crossbeam, Crossbeam Systems, iBeam, X-Series, XOS, X80, and any logos associated therewith are
trademarks or registered trademarks of Crossbeam Systems, Inc. in the U.S. Patent and Trademark Office,
and several international jurisdictions.
All other product names mentioned in this manual may be trademarks or registered trademarks of their
respective companies.
Contents
About This Guide
Intended Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Typographical Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Cautions, Warnings, and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Crossbeam Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Check Point Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Chapter 1: Introduction to Check Point Security Gateway R70 for Crossbeam


Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
X-Series Platform Architecture Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Check Point Security Gateway R70 VAPs and VAP Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Application Data, Management Interfaces, and Synchronization Circuits . . . . . . . . . . . . . . . . . . . . . 11
Network Topology Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Standalone Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Standalone with Dual-Box High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Check Point Security Gateway R70 Installation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Secure Internal Communication (SIC) Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Local License Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Performance Pack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Crossbeam High Availability/State Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
CoreXL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Chapter 2: Hardware, Software, and Network Requirements


Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
General Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Application Processor Module (APM) Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Software Version Compatibility Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
XOS Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
VAP Group Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Circuit Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Additional XOS Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Required Crossbeam Installation (CBI) Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Network Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
CoreXL Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Running SecureXL with CoreXL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Chapter 3: Preparing for Installation on the X-Series Platform


Preinstallation Procedure Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Prerequisite Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Basic X-Series Configuration Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Creating and Configuring a VAP Group for the Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Creating and Configuring a Management Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Creating and Configuring a Traffic Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Creating and Configuring Non-VLAN Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Creating and Configuring VLAN Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Creating and Configuring a Synchronization Circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Check Point® Security Gateway R70 Installation and Configuration Guide for Crossbeam® X-Series Platforms 3
Chapter 4: Installing the Application on the X-Series Platform
Pre-Staged Installation and Pre-Staged Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Copying the Crossbeam Installation (CBI) Package onto the X-Series Platform . . . . . . . . . . . . . . . . . . 27
Installing the CBI Application Bundle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Verifying the CBI Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Troubleshooting the CBI Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Completing the High Availability State Synchronization Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Uninstalling the CBI Application Bundle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Troubleshooting the Uninstallation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Chapter 5: XOS Configuration Examples for Supported Single-Application Use Cases


Standalone Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Simple Interface Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Topology Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
LACP Trunk Interface Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Topology Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
VLAN Trunk Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Topology Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Standalone with Dual-Box High Availability (DBHA) Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Topology Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Chapter 6: Managing and Monitoring the Application Installed on the X-Series Platform
Managing the Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
XOS Command Line Interface (CLI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Entering License Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Enabling and Disabling Check Point Products SNMP daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Changing the Secure Internal Communication (SIC) Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Enabling and Disabling High Availability/State Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Installing and Uninstalling Performance Pack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Enabling and Disabling SecureXL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Configuring Check Point CoreXL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Enabling Check Point CoreXL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Disabling Check Point CoreXL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Changing the Number of CoreXL Firewall Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Adding and Removing VAP Group Members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Adding a VAP to a VAP Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Removing a VAP from a VAP Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Performing VAP Group Backups and Restores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Backing Up a VAP Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Restoring a VAP Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Deleting a VAP Group Archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Monitoring the Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
XOS Application Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Displaying Application Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Displaying VAP Group Application Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Disabling a VAP Group’s Application Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Enabling a VAP Group for Application Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
SNMP Health and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Configuring Trap Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Displaying SNMP Trap Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Allowing SNMPv3 User Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Enabling Check Point SNMP MIB Polling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

About This Guide

This guide describes how to install and configure Check Point Security Gateway R70 on the Crossbeam
X-Series Platform.

IMPORTANT: For the latest updates and revisions to X-Series Platform documentation, log in to the
Crossbeam Online Support Portal at www.crossbeam.com/services/online_support.php.

Intended Audience
This guide is intended for system integrators and other qualified service personnel responsible for installing,
configuring, and managing the software on the Crossbeam X-Series Platform.

Related Documentation
The following related documents are provided on the Crossbeam Documentation DVD, and are available on
the Crossbeam Customer Support Web site located at www.crossbeam.com/services/online_support.php.
• XOS Configuration Guide, XOS V8.5
• XOS Command Reference Guide, XOS V8.5
• XOS V8.5 Release Notes
• Install Server User Guide, V6.0

See the Check Point documentation for information about Check Point Security Gateway R70.

Conventions

Typographical Conventions
For paragraph text conventions, see Table 1 on page 1-6.

For command-line text conventions, see Table 2 on page 1-7.

Table 1. Typographical Conventions Used in Paragraph Text

Bold
  Types of information: Elements on the graphical user interface.
  Usage examples:
    In the IP Address field, type the IP address of the first VAP in the group.
    Click OK to close the dialog.
    Select the Print to File check box.

Courier
  Types of information: Keys on the keyboard. File names, folder names, and command names. Any
  information that you must type exactly as shown. Program output text.
  Usage examples:
    Press Esc to return to the main menu.
    Save the user.txt file in the user_install directory.
    Use the start command to start the application.
    In the Username field, type Administrator.
    The X-Series operating system (XOS) CLI show calendar command displays the system calendar:
    Fri Mar 20 13:32:03 2009

Courier Italic
  Types of information: File names, folder names, command names, or other information that you must
  supply.
  Usage examples:
    In the Version Number field, type 8.5.patch_number.

>
  Types of information: A sequence of commands from the task bar or menu bar.
  Usage examples:
    From the taskbar, choose Start > Run.
    From the main menu, choose File > Save As...
    Right-click on the desktop and choose Arrange Icons By > Name from the pop-up menu.

Table 2. Typographical Conventions Used in Command-Line Text

Courier
  Types of information: User prompts and program output text.
  Usage examples:
    CBS# show calendar
    Fri Mar 20 13:32:03 2009

Courier Bold
  Types of information: Information that you must type in exactly as shown.
  Usage examples:
    [root@xxxxx]# md crossbeam

<Courier Italic>
  Types of information: Angle brackets surrounding Courier italic text indicate file names, folder
  names, command names, or other information that you must supply.
  Usage examples:
    [root@xxxxx]# md <your_folder_name>

[]
  Types of information: Square brackets contain optional information that may be supplied with a
  command.
  Usage examples:
    [root@xxxxx]# dir [drive:] [path] [<filename>] [/P] [/W] [/D].

|
  Types of information: Separates two or more mutually exclusive options.
  Usage examples:
    [root@xxxxx]# verify [ON|OFF]

{}
  Types of information: Braces contain two or more mutually exclusive options from which you must
  choose one.
  Usage examples:
    CBS# configure vap-group <vap_group_name>
    CBS(config-vap-grp)# raid {0|1}

Cautions, Warnings, and Notes


Caution: Lists precautions that you must take to avoid temporary data loss or data
unavailability.

Warning: Lists precautions that you must take to avoid personal injury, permanent data
loss, or equipment damage.

IMPORTANT: Lists important steps that you must perform properly or important information that you must
take into consideration to avoid performing unnecessary work.

NOTE: Provides special information or tips that help you properly understand or carry out a task.

Crossbeam Customer Support
Crossbeam offers a variety of service plans designed to meet your specific technical support requirements.
For information on purchasing a service plan for your organization, please contact your account
representative or refer to www.crossbeam.com/services/support_overview.php.

If you have purchased a Crossbeam product service plan and need technical assistance, you can report
issues by telephone:

United States: +1 800-331-1338 OR +1 978-318-7595

EMEA: + 33 4 9228 8989 (during normal working hours)

+1 978-318-7595 (outside office hours and on public holidays, if applicable)

Asia Pacific: +1 978-318-7595

You can also report issues via email to support@crossbeam.com.

In addition, all of our service plans include access to the Crossbeam Online Support web site located at
www.crossbeam.com/services/online_support.php.

The Crossbeam Online Support Web site provides you with access to a variety of resources, including
Customer Support Knowledge base articles, technical bulletins, product documentation, and release notes.
You can also access our real-time problem reporting application, which lets you submit new technical support
requests and view all your open requests.

Crossbeam also offers extensive customer training on all of its products. Please refer to the Crossbeam
Training and Education Web site for current course offerings and schedules located at
www.crossbeam.com/services/training_education.php.

Check Point Customer Support


Check Point provides technical support through its Web site. The Check Point Support Web site, located at
http://support.checkpoint.com, provides direct access to online user documentation and technical support.

Chapter 1: Introduction to Check Point Security Gateway R70 for Crossbeam

This chapter provides an overview of how Check Point Security Gateway R70 operates on the Crossbeam
X-Series Platform, describes the network topology configuration options, and describes the configuration
options available during the installation interview.

This chapter provides the following sections:

• Overview on page 9
• Network Topology Configuration Options on page 13
• Check Point Security Gateway R70 Installation Options on page 15

Overview
Check Point Security Gateway R70 provides a comprehensive security solution for very large enterprises and
organizations. It integrates access control, authentication, and encryption to guarantee the security of
network connections, the authenticity of local and remote users, and the privacy and integrity of data
communications.

This section provides the following information:

• X-Series Platform Architecture Overview on page 9
• Check Point Security Gateway R70 VAPs and VAP Groups on page 10
• Application Data, Management Interfaces, and Synchronization Circuits on page 11

X-Series Platform Architecture Overview


The Crossbeam X-Series Platform running the XOS software is an open, networked application platform
designed to deliver enhanced application services with high performance and high availability. The
X-Series Platform's modular design allows it to run multiple applications while providing multi-gigabit
throughput for all of them. The same modular architecture provides performance scalability for the
applications running on the X-Series Platform and high availability in case of module failure.

Each X-Series Platform contains three types of hardware modules:

• Control Processor Module (CPM) maintains overall system configuration, management, and integrity.
• Application Processor Module (APM) hosts a Virtual Application Processor (VAP). A VAP is an
  application operating environment that runs on an APM. A VAP consists of the OS, system software, and
  one application.
• Network Processor Module (NPM) provides network connectivity for the X-Series Platform, classifies
  packets, and load-balances flows among groups of APMs.

The X-Series Platform can be configured to provide high availability for all three types of modules and to
provide performance scalability for NPMs and APMs.

Refer to the XOS V8.5 Release Notes for information about the X-Series Platform and modules that are
supported for use with Check Point Security Gateway R70.

Figure 1 shows how traffic flows through an X-Series Platform with Check Point Security Gateway R70
installed on two APMs in an X-Series chassis that contains two CPMs, two NPMs, and three APMs.

Figure 1. High-Level X-Series Platform Architecture

Check Point Security Gateway R70 VAPs and VAP Groups


A Virtual Application Processor (VAP) is an application operating environment that runs on an APM. A VAP
consists of the OS, system software, and one application (such as the Check Point Security Gateway R70).

A VAP group is a collection of APMs configured to provide load-balanced network services for the
applications installed on the group, and to provide high availability for those applications in the event of
an APM failure.

Check Point Security Gateway R70 is installed on a VAP group that consists of one or more VAPs. Each VAP
on which Check Point Security Gateway R70 is installed can function as a single appliance, but if the VAP
group contains more than one VAP, all of the appliances (VAPs) in the group act in concert with each other,
creating a virtual processing engine comprised of APMs.

You must create and configure interfaces for a VAP group to enable the members of that VAP group to send
and receive traffic.

A VAP group interface has three parts:
• Circuit — A virtualized Ethernet connection configured for members of a VAP group.
  The primary purpose of a circuit is to provide a connection between the members of a VAP group and a
  physical interface on a Network Processor Module (NPM). However, you can also configure a circuit to
  provide an internal connection between members of one or more VAP groups configured on the same
  X-Series Platform.
  You create and configure a circuit, assign the circuit to one or more VAP groups, and configure each
  VAP group to process traffic passing through the circuit.
  When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit
  on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs
  as Linux networking interfaces.
  NOTE: Some circuit configuration settings change VND configuration settings, thereby changing the
  configuration of a VAP group's Linux networking devices.
• Physical interface — An Ethernet port on an NPM that you configure to pass traffic between the X-Series
  Platform and an external network.
• Logical interface — An interface that logically links a circuit's VNDs to a physical interface on an NPM.
  You configure a logical interface on a physical interface and then map the logical interface to a circuit that
  you have assigned to one or more VAP groups. An NPM uses logical interface mapping to identify the
  VNDs that send and receive traffic over each of its physical interfaces.
  NOTE: You can map only one circuit to each logical interface. However, you can map multiple logical
  interfaces to the same physical interface, allowing multiple circuits to pass traffic over a single
  physical interface.
  You can also use link aggregation to bond multiple physical interfaces to a single logical interface,
  allowing one circuit to pass traffic over multiple physical interfaces.

Before you install Check Point Security Gateway R70, you must first use the XOS CLI to configure a VAP
group, define the number of VAPs in the group by setting the VAP count, and use other parameter settings
to control the assignment of VAPs to physical APMs. See Creating and Configuring a VAP Group for the
Application on page 22 for more information.

Application Data, Management Interfaces, and Synchronization Circuits


Before installing Check Point Security Gateway R70, you must use the XOS CLI to configure the interfaces
that the application will use to monitor traffic and respond to network security threats. You must also use the
CLI to configure the interface that the Check Point Management Station will use to manage the application.
See Basic X-Series Configuration Procedures on page 22 for information about configuring interfaces in
XOS.

Within XOS, application management and data interfaces have four types of components: physical interfaces,
logical interfaces, circuits, and Virtual Network Devices (VNDs). Each physical interface on the NPM that is
to be used to pass traffic in or out of the VAP group must be mapped to one or more logical interfaces, and
each logical interface is then mapped to a circuit.

In addition, some circuits are defined and configured to provide internal connections between members of
one or more VAP groups configured on the same X-Series Platform. These circuits do not need to be mapped
to physical interfaces on the NPM unless the circuits will also be used to pass traffic to and from the X-Series
Platform, since all APMs are connected by a shared data plane.
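The mapping rules from the three-part interface description and the four-component summary above, as an added illustration that is not XOS code: a small Python model that enforces one circuit per logical interface, several logical interfaces per physical port, LACP bonding of several ports under one logical interface, one VND per VAP for each assigned circuit, and circuits that stay internal because they are never mapped to an NPM port. The port names (np1/1 and so on), the VAP group name cp_gw and the circuit names are assumptions.

```python
# Constructed model of the XOS interface rules described in this chapter; it is
# an added illustration, not XOS code. Port names (np1/1 ...), the VAP group
# name cp_gw and the circuit names are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class MappingError(ValueError):
    """A mapping that violates one of the rules stated in the guide."""


@dataclass
class Circuit:
    name: str
    vap_groups: Set[str] = field(default_factory=set)  # groups it is assigned to


@dataclass
class LogicalInterface:
    name: str
    ports: Tuple[str, ...]          # one NPM port, or several when bonded by LACP
    circuit: Optional[str] = None   # rule: at most one circuit per logical interface


class XosInterfaceModel:
    def __init__(self) -> None:
        self.vap_groups: Dict[str, List[str]] = {}   # VAP group -> VAP names
        self.circuits: Dict[str, Circuit] = {}
        self.ports: Set[str] = set()                 # physical interfaces on NPMs
        self.logical: Dict[str, LogicalInterface] = {}

    def add_vap_group(self, name: str, vap_count: int) -> None:
        # The VAP count is fixed in XOS before the application is installed.
        self.vap_groups[name] = [f"{name}_{i}" for i in range(1, vap_count + 1)]

    def add_port(self, port: str) -> None:
        self.ports.add(port)

    def add_circuit(self, name: str) -> None:
        self.circuits[name] = Circuit(name)

    def assign_circuit(self, circuit: str, group: str) -> None:
        # Assigning a circuit to a group gives every VAP in it a VND for the circuit.
        if group not in self.vap_groups:
            raise MappingError(f"unknown VAP group {group}")
        self.circuits[circuit].vap_groups.add(group)

    def add_logical(self, name: str, *ports: str) -> None:
        # A logical interface sits on one port, or on several ports bonded by LACP.
        if not ports or any(p not in self.ports for p in ports):
            raise MappingError(f"unknown physical interface in {ports}")
        self.logical[name] = LogicalInterface(name, tuple(ports))

    def map_logical(self, logical: str, circuit: str) -> None:
        # Rule: one circuit per logical interface, and the circuit must already
        # be assigned to at least one VAP group.
        li = self.logical[logical]
        if li.circuit is not None:
            raise MappingError(f"{logical} already carries circuit {li.circuit}")
        if not self.circuits[circuit].vap_groups:
            raise MappingError(f"circuit {circuit} is not assigned to a VAP group")
        li.circuit = circuit

    def vnds(self, group: str) -> Dict[str, List[str]]:
        # Linux network devices each VAP in the group sees: one per assigned circuit.
        names = sorted(c.name for c in self.circuits.values() if group in c.vap_groups)
        return {vap: list(names) for vap in self.vap_groups[group]}

    def circuits_on_port(self, port: str) -> List[str]:
        # Several logical interfaces may share one port, so several circuits can too.
        return sorted(li.circuit for li in self.logical.values()
                      if port in li.ports and li.circuit is not None)

    def internal_only_circuits(self) -> List[str]:
        # Circuits never mapped to an NPM port only link VAPs over the shared data plane.
        mapped = {li.circuit for li in self.logical.values()}
        return sorted(c for c in self.circuits if c not in mapped)


def build_standalone_example() -> XosInterfaceModel:
    """Two-VAP group with management, external, DMZ, internal and sync circuits."""
    m = XosInterfaceModel()
    m.add_vap_group("cp_gw", 2)
    for port in ("np1/1", "np1/2", "np1/3", "np1/4"):
        m.add_port(port)
    for circuit in ("mgmt", "external", "dmz", "internal", "sync"):
        m.add_circuit(circuit)
        m.assign_circuit(circuit, "cp_gw")
    m.add_logical("li_mgmt", "np1/1")
    m.add_logical("li_ext", "np1/2")
    m.add_logical("li_dmz", "np1/2")            # second logical interface on the same port
    m.add_logical("li_int", "np1/3", "np1/4")   # LACP bond of two ports
    m.map_logical("li_mgmt", "mgmt")
    m.map_logical("li_ext", "external")
    m.map_logical("li_dmz", "dmz")
    m.map_logical("li_int", "internal")
    # "sync" is deliberately left unmapped: it only connects the VAPs to each other.
    return m
```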

Figure 2 shows the different components of an XOS configuration of a management or data interface.

Figure 2. XOS Configuration Components of an Application Data or Management Interface

Network Topology Configuration Options
The following sections describe the network topology configuration options for Check Point Security
Gateway R70 on an X-Series Platform.
• Standalone Configuration on page 13
• Standalone with Dual-Box High Availability on page 14

Standalone Configuration
Figure 3 shows Check Point Security Gateway R70 running on the X-Series Platform in a standalone
configuration.

Figure 3. Standalone

Standalone with Dual-Box High Availability
In this scenario, Check Point Security Gateway R70 is installed standalone on two systems in a network
environment configured for Dual-Box High Availability (DBHA).
Virtual Router Redundancy Protocol (VRRP) ensures that all packets in a flow are sent to a single X-Series
Platform.
Figure 4 shows a topology diagram that illustrates this option.

Figure 4. Standalone with Dual-Box High Availability

Check Point Security Gateway R70 Installation Options
The following sections describe the configuration options available during the application installation on the
X-Series Platform. See the Check Point documentation for more information.
• Secure Internal Communication (SIC) Key on page 15
• Local License Information on page 15
• Performance Pack on page 15
• Crossbeam High Availability/State Synchronization on page 15
• CoreXL on page 16

Secure Internal Communication (SIC) Key


Secure Internal Communication (SIC) secures communication among all Check Point distributed components
belonging to a single management domain. SIC is a certificate-based channel for communication among
Security Gateway components.

Local License Information


You can download license information from the Check Point Management Station, or enter the information
locally during the interview. You need the management IP address, expiration date, signature key, and the
features string. If the license is not available, the application installation program automatically uses the
15-day trial license.

NOTE: The 15-day trial license only allows limited features.

Performance Pack
Performance Pack is a software acceleration product installed as an add-on to Security Gateway.
Performance Pack significantly improves the performance of Security Gateway.

Performance Pack uses Check Point SecureXL technology and other innovative network acceleration
techniques, in order to deliver wire-speed Security Gateway throughput for gigabit networks.

Crossbeam High Availability/State Synchronization


The X-Series Platform provides a number of features to ensure that the system remains operational. The
features include:
• CP Redundancy. Each chassis contains two Control Processor Modules (CPM), where one is Active and
  the other is Standby.
• Interface Redundancy. A physical interface can be configured as a backup to another physical interface.
  Failover occurs quickly and is transparent to the application.
• LACP (Link Aggregation Control Protocol). Multiple physical interfaces can be combined into one
  interface. A failure of one physical link does not prevent traffic flow.
• Virtual Application Processor (VAP) Load Balancing. Each VAP corresponds to an APM. In a VAP group,
  each VAP runs an instance of the application, and traffic is load balanced among the VAPs. Should an
  Application Processor Module (APM) fail, the system automatically redistributes the traffic flow among
  the remaining VAPs.
• Standby VAP. An unused VAP is configured as Standby. Should a VAP in any VAP group fail, the
  standby VAP automatically joins that group.
• Backup VAPs. A VAP can be assigned as a backup to another VAP in the group. These VAPs are
  unused until the primary VAP fails.
• APM Preemption Mode. Applications are assigned a priority. Should a higher priority application have a
  VAP failure, it can take a VAP from a lower priority application.
• Multi-System High Availability. Using VRRP, two or more X-Series Platforms can be configured to provide
  HA.
• VAP Load Balancing with Synchronization. State synchronization may be necessary when switching a
  flow from one VAP to another while stateful packet processing is being performed. Using Check Point
  Security Gateway synchronization, when a flow is reassigned to another VAP within the group, that VAP
  will have the proper Security Gateway connection state to process the arriving packets.
• Cluster Synchronization. Check Point Security Gateway cluster synchronization can be combined with
  the XOS re-load balancing feature to provide service redundancy. Each flow is assigned a VAP. When a
  VAP fails, traffic flows that were being processed on that VAP are re-load balanced to another VAP,
  which is automatically selected at that time.

CoreXL
Check Point CoreXL is a performance-enhancing technology for gateways on multi-core processing
platforms. CoreXL enhances performance by enabling the processing cores to concurrently perform multiple
tasks. The increase in performance is achieved without requiring any changes to management or to network
topology.

In a CoreXL gateway, the firewall kernel is replicated multiple times. Each replicated copy, or instance, of the
firewall kernel runs on one processing core. The instances handle traffic concurrently, and each instance is a
complete and independent inspection kernel.

With respect to network topology, management configuration, and security policies, a CoreXL gateway functions
as a regular gateway. All of the kernel instances of a gateway handle traffic going through the same gateway
interfaces and apply the same gateway security policy.

2 Hardware, Software, and Network Requirements

This chapter provides the hardware, software, and network configuration requirements for installing Check
Point Security Gateway R70 onto the Crossbeam X-Series Platform.

Before installing Check Point Security Gateway R70, you must make sure the X-Series Platform meets the
following requirements:
• Hardware Requirements on page 17
• Software Requirements on page 18
• Required Crossbeam Installation (CBI) Package on page 20
• Network Configuration Requirements on page 20
• CoreXL Configuration Requirements on page 20

Hardware Requirements
You must make sure the X-Series Platform meets the following hardware requirements:
• General Requirements on page 17
• Application Processor Module (APM) Requirements on page 17

General Requirements
• The platform must include only the supported models of Crossbeam hardware components. See the
XOS V8.5 Release Notes to determine the chassis and module support.
• All models of Control Processor Modules (CPMs), Network Processor Modules (NPMs), and Application
Processor Modules (APMs) included in the same X-Series Platform must be compatible with one
another. Refer to the X80 Platform Hardware Installation Guide for detailed module compatibility
matrices.

Application Processor Module (APM) Requirements


• All of the Application Processor Modules (APMs) in a Virtual Application Processor (VAP) group must be
the same model.
• Each APM must have a minimum of 2 GB of RAM (4 GB if using Check Point CoreXL).
• All APMs must have the same memory configuration.

Software Requirements
You must make sure the X-Series Platform meets the following software requirements:
• Software Version Compatibility Requirements on page 18
• XOS Configuration Requirements on page 18

Software Version Compatibility Requirements


• Check Point Security Gateway R70 is only supported on XOS V8.5 and later.
• You cannot upgrade from previous Check Point versions to Check Point Security Gateway R70. If you
have a previous version of Check Point installed, you must uninstall it, create a new VAP group, re-link
all the circuits and IP addresses to the xslinux_v5 VAP OS, install Check Point Security Gateway R70,
upgrade the Check Point Management Station, reinitialize the SIC, and push the policy.
• For more information on Check Point Security Gateway R70 version support, see the XOS V8.5 Release
Notes.

XOS Configuration Requirements


You must complete the following XOS configuration procedures that are described in Preparing for
Installation on the X-Series Platform on page 21.
• Create and configure a VAP group for the application.
See Creating and Configuring a VAP Group for the Application on page 22 for instructions.
• Create and configure a management interface for the application, and map the circuit to use a unique IP
address to access each VAP in the group.
See Creating and Configuring a Management Interface on page 23 for instructions.
• Create and configure traffic interfaces for the application and map the circuits to the application’s VAP
group.
See Creating and Configuring a Traffic Interface on page 24 for instructions.
• Create and configure a synchronization circuit for the application, and map the circuit to the application’s
VAP group.
See Creating and Configuring a Synchronization Circuit on page 25 for instructions.

The above components of the XOS configuration must meet the requirements listed in the following sections:
• VAP Group Configuration Requirements on page 18
• Circuit Configuration Requirements on page 19
• Additional XOS Considerations on page 19

VAP Group Configuration Requirements


A Virtual Application Processor (VAP) is an application operating environment that runs on an APM. A VAP
consists of the VAP operating system, system software, and one application per VAP.
• The VAP group on which you plan to install the application cannot have any other applications installed
on it.
• The application’s VAP group must be configured to use the xslinux_v5 VAP OS.
• RP filtering must be disabled. If RP filtering is enabled for a VAP group, the VAPs in the group drop any
packet whose incoming interface is different from its reply packet’s outgoing interface. A VAP group
applies RP filtering only to packets whose source or destination IP address belongs to a network directly
connected to the VAP group. By default, RP filtering is enabled on all VAP groups.

See the XOS Configuration Guide, XOS V8.5, for more information about VAP configuration.

Circuit Configuration Requirements


You must use the XOS CLI, or the Element Management System (EMS), to configure the management
circuit, the synchronization circuit, and any other external and internal circuits that the application will use.
These circuits must meet the following requirements:
• All circuits must be configured with user-specified device names, using the device-name
<device_name> parameter. Check Point Security Gateway R70 uses device names to identify circuits.
• Device names must be assigned to all circuits.
• Each physical interface to be used by the application must be assigned to a circuit. All physical interfaces
must be physically plugged in, and all links must be UP before the application is installed.
• To use Dual-Box High Availability (DBHA), the IP addresses assigned to the synchronization interface must be
contiguous across all cluster members (VAP group members) on both X-Series Platforms. Make sure
you assign a large enough range of IP addresses to the synchronization circuit to accommodate potential
expansion of the VAP group on both X-Series Platforms.

Management Interface Requirements


• The management circuit must be configured with the increment-per-vap parameter, even if the VAP
group contains only one VAP.
• The physical link to the management circuit must be UP before the application is installed.

Synchronization Circuit Requirements


• The synchronization circuit must be configured with the increment-per-vap parameter.
• The synchronization circuit must be configured with the internal parameter.
• Each synchronization circuit should be unique for each VAP group. There should not be a common
synchronization circuit between different firewall clusters on the same network.
• For dual-system communication, you must assign the Synchronization circuit on each system to a
physical link between the two systems, but you still need to configure each Synchronization circuit with
the internal parameter.
• For dual-system communication, all synchronization circuit IP addresses must be consecutive across all
systems.
• You cannot use the eth0 or eth1 interface as a synchronization network.
• Only synchronization traffic should use the synchronization interface.
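Address planning for the increment-per-vap circuits is the part of this configuration most often got wrong, so the following Python checker, added here as an example and not part of the Crossbeam or Check Point software, validates one "ip <first>/<netmask> <broadcast> increment-per-vap <last>" range against the requirements above (enough addresses for the group's vap-count, no network or broadcast address, spare addresses for growth) and, for the dual-system case in the Circuit Configuration Requirements, checks that the two chassis' synchronization ranges sit in one subnet and form one consecutive block. Reading "consecutive across all systems" as "the two configured ranges are adjacent and do not overlap" is this example's interpretation; the addresses, prefix lengths and VAP counts in the sample are constructed.

```python
"""Pre-flight check for increment-per-vap address ranges (added example; not Crossbeam code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VapRange:
    """One 'ip <first>/<netmask> <broadcast> increment-per-vap <last>' statement for a VAP group."""
    first: str
    prefix: int     # netmask expressed as a prefix length
    last: str
    vap_count: int  # vap-count configured on the VAP group

    @property
    def network(self):
        return ipaddress.ip_network(f"{self.first}/{self.prefix}", strict=False)

    @property
    def capacity(self):
        """Number of addresses from first to last, inclusive."""
        return int(ipaddress.ip_address(self.last)) - int(ipaddress.ip_address(self.first)) + 1


def check_range(r):
    """Return the problems with one increment-per-vap range; an empty list means it is usable."""
    net = r.network
    first, last = ipaddress.ip_address(r.first), ipaddress.ip_address(r.last)
    if last < first:
        return ["last address precedes first address"]
    problems = []
    if last not in net:
        problems.append(f"last address {last} is outside {net}")
    for addr in (first, last):
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{addr} is the network or broadcast address of {net}")
    if r.capacity < r.vap_count:
        problems.append(f"range holds {r.capacity} addresses but vap-count is {r.vap_count}")
    return problems


def headroom(r):
    """Spare addresses left for adding VAPs to the group (the guide advises leaving some)."""
    return r.capacity - r.vap_count


def vap_addresses(r):
    """Map each VAP member index (1-based, as in fwvpn_1) to the address increment-per-vap gives it."""
    base = int(ipaddress.ip_address(r.first))
    return {i: str(ipaddress.ip_address(base + i - 1)) for i in range(1, r.vap_count + 1)}


def check_dbha_sync(a, b):
    """Check the synchronization ranges of two chassis for dual-box HA.

    Both must be valid on their own, lie in the same subnet, not overlap, and together
    form one consecutive block of addresses (no gap between the chassis).
    """
    problems = check_range(a) + check_range(b)
    if a.network != b.network:
        problems.append(f"sync subnets differ: {a.network} vs {b.network}")
        return problems
    a_lo, a_hi = int(ipaddress.ip_address(a.first)), int(ipaddress.ip_address(a.last))
    b_lo, b_hi = int(ipaddress.ip_address(b.first)), int(ipaddress.ip_address(b.last))
    if a_lo <= b_hi and b_lo <= a_hi:
        problems.append("sync ranges of the two chassis overlap")
    elif b_lo != a_hi + 1 and a_lo != b_hi + 1:
        problems.append("sync ranges are not consecutive: there is a gap between the two chassis")
    return problems


if __name__ == "__main__":
    # Constructed sample: three-VAP groups on two chassis sharing one sync subnet.
    chassis_a = VapRange("10.10.10.1", 24, "10.10.10.8", 3)
    chassis_b = VapRange("10.10.10.9", 24, "10.10.10.16", 3)
    print(vap_addresses(chassis_a), "spare:", headroom(chassis_a))
    print(check_dbha_sync(chassis_a, chassis_b) or "sync ranges OK")
```

Run the checker against the planned management and synchronization ranges before typing them into the XOS CLI; the vap_addresses mapping also tells you which address each VAP member (fwvpn_1, fwvpn_2, ...) will answer on, which is what the cluster object on the Check Point Management Station needs later.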

Traffic Interface Requirements


• You must configure at least two traffic circuits for the VAP group on which you plan to install the
application: an egress circuit and an ingress circuit.

Additional XOS Considerations


To install Check Point Security Gateway R70 on multiple VAP groups in the same X-Series Platform, you
must install the application on each VAP group separately. You cannot install the application on multiple VAP
groups at the same time.

Required Crossbeam Installation (CBI) Package
To run the CBI for Check Point Security Gateway R70, you must first place the CPSG-R70-x.x.x.x-y.cbi
package into the /usr/os/apps/archive directory on the CPM.

NOTE: See the XOS V8.5 Release Notes for the CBI package name.

See Copying the Crossbeam Installation (CBI) Package onto the X-Series Platform on page 27 for
instructions on obtaining the CBI package from the Crossbeam Customer Support Download Portal.

Network Configuration Requirements


• All physical network connections required to support the desired application deployment and
configuration options must be functioning normally.

CoreXL Configuration Requirements


• During application installation, you must choose to enable or disable CoreXL. When CoreXL is enabled,
the firewall kernel is replicated multiple times. Each replicated instance of the firewall kernel runs on one
processing core.
• All VAPs in a VAP group must have the same hardware configuration.
• All cluster members must have the same hardware configuration.
• All cluster members must have the same number of firewall instances configured when both CoreXL and
High Availability (HA) are enabled.
• The number of firewall instances should not be greater than the smallest number of cores among the
VAPs in the VAP group. This also applies to multi-box environments: you must configure the same
number of firewall instances for all members on all chassis. If you enter a number greater than the
number of cores on the APM, Check Point Security Gateway R70 will not start on the VAP.
• If you choose to enable CoreXL on an APM that has fewer than 8 cores, Check Point recommends using
two firewall instances for the 2-core APM, and three firewall instances for the 4-core APM.

IMPORTANT: At the time of this release, Crossbeam recommends using only the 8-core APM with six
firewall instances.

NOTE: To avoid configuring a different number of firewall instances on cluster members, do not use the
Check Point command “cpconfig” to change the CoreXL configuration. Always use the XOS CLI
command “application CPSG vap-group <VAP-group_name> configure”.
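The CoreXL rules above are easy to violate when a cluster spans several chassis, so here is a Python pre-flight check, added as an example and not part of the Crossbeam or Check Point software, that encodes them: every cluster member must run the same number of firewall instances when HA is enabled, no member may be configured with more instances than the smallest core count anywhere in the group, all APMs must share one hardware configuration, each APM needs the 4 GB of RAM that the APM requirements on page 17 set for CoreXL, and the recommended counts are 2, 3 and 6 instances for 2-, 4- and 8-core APMs. The APM names, chassis labels, core counts and RAM sizes in the sample data are constructed.

```python
"""CoreXL configuration pre-flight check (added example; not Crossbeam or Check Point code)."""
from dataclasses import dataclass

# Firewall instance counts the guide recommends per APM core count.
RECOMMENDED_INSTANCES = {2: 2, 4: 3, 8: 6}
MIN_INSTANCES, MAX_INSTANCES = 2, 8   # range the installation interview accepts
MIN_RAM_GB_FOR_COREXL = 4             # APM RAM requirement when CoreXL is enabled


@dataclass(frozen=True)
class Apm:
    name: str       # name the X-Series Platform assigned to the module (constructed, e.g. "ap3")
    chassis: str    # label for the chassis the APM sits in, so one check can span several boxes
    cores: int
    ram_gb: int


@dataclass(frozen=True)
class Member:
    """One cluster member: the APM it runs on and the instance count configured on it."""
    apm: Apm
    instances: int


def validate_cluster(members, ha_enabled=True):
    """Check the CoreXL requirements for a cluster; returns {"errors": [...], "warnings": [...]}.

    Errors are conditions under which the gateway will not start or the cluster is
    mis-configured; warnings are deviations from the guide's recommendations.
    """
    errors, warnings = [], []
    if not members:
        return {"errors": ["no cluster members given"], "warnings": []}

    # Same instance count on every member whenever CoreXL and HA are both enabled.
    counts = sorted({m.instances for m in members})
    if ha_enabled and len(counts) > 1:
        errors.append(f"cluster members have different instance counts {counts}; change the count "
                      "with 'application CPSG vap-group <name> configure', not with cpconfig")

    # The limit is the smallest core count anywhere in the group, across all chassis.
    min_cores = min(m.apm.cores for m in members)
    for m in members:
        tag = f"{m.apm.chassis}/{m.apm.name}"
        if not MIN_INSTANCES <= m.instances <= MAX_INSTANCES:
            errors.append(f"{tag}: {m.instances} instances is outside the interview range "
                          f"{MIN_INSTANCES}..{MAX_INSTANCES}")
        if m.instances > min_cores:
            errors.append(f"{tag}: {m.instances} instances exceed the smallest core count "
                          f"in the group ({min_cores}); the gateway will not start on that VAP")
        if m.apm.ram_gb < MIN_RAM_GB_FOR_COREXL:
            errors.append(f"{tag}: {m.apm.ram_gb} GB RAM is below the {MIN_RAM_GB_FOR_COREXL} GB "
                          "required for CoreXL")

    # Identical hardware on all VAPs and on all cluster members.
    if len({(m.apm.cores, m.apm.ram_gb) for m in members}) > 1:
        errors.append("APMs differ in hardware configuration (cores/RAM)")

    recommended = RECOMMENDED_INSTANCES.get(min_cores)
    if recommended is not None and any(m.instances != recommended for m in members):
        warnings.append(f"guide recommends {recommended} firewall instances for "
                        f"{min_cores}-core APMs")
    if min_cores != 8:
        warnings.append("at this release Crossbeam recommends only the 8-core APM for CoreXL")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample: a two-chassis cluster of 8-core APMs, each running six instances.
    cluster = [
        Member(Apm("ap3", "chassis-A", 8, 8), 6),
        Member(Apm("ap4", "chassis-A", 8, 8), 6),
        Member(Apm("ap3", "chassis-B", 8, 8), 6),
    ]
    print(validate_cluster(cluster))
```

Feed it the planned instance count for every member on every chassis before answering the interview question; an empty errors list means the count is safe to enter, and the warnings flag the cases where the configuration works but departs from the recommended values.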

Running SecureXL with CoreXL


CoreXL can run with or without SecureXL. The effect on performance in a CoreXL gateway can vary
according to the nature of the traffic passing through the gateway. CoreXL and SecureXL increase
performance using different technologies, and can function together in a complementary fashion. If you install
SecureXL and later decide not to run it, you can disable it.

3 Preparing for Installation on the X-Series Platform

This chapter describes the procedures that you must perform before installing Check Point Security Gateway
R70 on a Crossbeam X-Series Platform.

NOTE: This chapter only describes how to configure the X-Series Platform prior to installing Check Point
Security Gateway R70 as a standalone application. For information about multi-application
serialization deployment, see the following Crossbeam document:
• Multiple-Application Serialization Deployments Supported with XOS V8.5.

This chapter contains the following sections:


• Preinstallation Procedure Overview on page 21
• Prerequisite Reading on page 22
• Basic X-Series Configuration Procedures on page 22

Preinstallation Procedure Overview


Before installing Check Point Security Gateway R70, you must perform the following steps:
1. Read the Crossbeam and Check Point Security Gateway R70 documents listed in Prerequisite Reading
on page 22.
You must have a thorough understanding of this material before attempting to install, configure, and run
Check Point Security Gateway R70.
2. Make sure the X-Series Platform meets all the requirements listed in Hardware, Software, and Network
Requirements on page 17.
3. Ensure that all chassis and module configurations required for the configuration options chosen are
compatible. See the XOS V8.5 Release Notes.
4. Choose the configuration options that you want to implement upon installation of Check Point Security
Gateway R70. See Overview on page 9 for installation interview options.
5. Configure the X-Series Platform to meet all the requirements listed in XOS Configuration Requirements
on page 18 and Network Configuration Requirements on page 20.
6. Configure the X-Series Platform to meet the basic requirements as described in Basic X-Series
Configuration Procedures on page 22.

Prerequisite Reading
Before installing Check Point Security Gateway R70, you must have a thorough understanding of the material
presented in the following documents:
• Crossbeam documents available on the Crossbeam DVD, and on the Crossbeam Customer Support
Web site located at www.crossbeam.com/services/online_support.php:
  – XOS Configuration Guide, XOS V8.5
  – XOS Command Reference Guide, XOS V8.5
  – XOS V8.5 Release Notes
• Check Point documents are available on the Check Point Customer Web site, located at
http://support.checkpoint.com

Basic X-Series Configuration Procedures


To meet the basic configuration requirements, based on your network configuration, you must perform the
following tasks:
• Create and configure a VAP group for the application.
See Creating and Configuring a VAP Group for the Application on page 22 for instructions.
• Create and configure a management interface, and map the circuit to use a unique IP address to access
each VAP in the group.
See Creating and Configuring a Management Interface on page 23 for instructions.
• Create and configure traffic interfaces for the application, and map the circuit to the application’s VAP
group.
See Creating and Configuring a Traffic Interface on page 24 for instructions.
• Create and configure an internal synchronization circuit to connect VAP members.
See Creating and Configuring a Synchronization Circuit on page 25.

Creating and Configuring a VAP Group for the Application


1. Create a VAP group for Check Point Security Gateway R70 and configure it to use the xslinux_v5 VAP
OS.
CBS# configure vap-group <VAP_group_name> xslinux_v5
2. Set the VAP count for redundancy and additional capacity:
CBS(config-vap-grp)# vap-count <number_of_APMs_in_group>
3. Set the max load count to the number of active VAP members in the VAP group:
CBS(config-vap-grp)# max-load-count <number_of_APMs_in_group>
4. Disable RP filtering.
CBS(config-vap-grp)# no rp-filter
5. Configure the APM list for the VAP group. All VAP members must run on the same model of APM. Use
show chassis from the CLI to verify the APM models installed in your chassis, if necessary.
NOTE: It is not required that APMs be UP, or present, during installation of Check Point Security
Gateway R70 on the XOS. However, the APMs must be UP for configuration of the gateway/
cluster through the Check Point Management Station GUI.

CBS(config-vap-grp)# ap-list <apm_module_name1> [<apm_module_name2>] [<apm_module_name3>] ...
where <apm_module_name> is the name that the X-Series Platform has assigned to the APM.
6. Configure a default IP flow rule for the VAP group, and return to the main CLI context. There are four
steps to configure the default IP flow rule:
a. Create the default IP flow rule:
CBS(config-vap-grp)# ip-flow-rule <ip_flow_rule_name>
b. Set the IP flow rule action to load-balance traffic to all available VAP members:
CBS(ip-flow-rule)# action load-balance
c. Set the activate flag to enable the action:
CBS(ip-flow-rule)# activate
d. Return to the main CLI context:
CBS(ip-flow-rule)# end
CBS#

Creating and Configuring a Management Interface


1. Create a management circuit:
CBS# configure circuit <management_circuit_name>
2. Assign a device name to the circuit. The device name should be the same as, or based on, the circuit name.
CBS(conf-cct)# device-name <management_circuit_device_name>
3. Assign the VAP group to the management circuit:
CBS(conf-cct)# vap-group <VAP_group_name>
CBS(conf-cct-vapgroup)#
4. Configure the management circuit to use a unique IP address to access each VAP in the group. Use
increment-per-vap to assign a unique IP address per VAP member, allowing individual management
connections. When configuring the management IP addresses, it is recommended to leave some unused
IP addresses so that additional APMs and VAPs can be added as the platform grows.
CBS(conf-cct-vapgroup)# ip <First_IP_address_of_first_VAP_in_group>/<netmask> <broadcast_address> increment-per-vap <IP_address_of_last_VAP_in_group>
CBS(conf-cct-vapgroup-ip)# end
5. Assign the management circuit to a physical interface:
NOTE: The NPM8600 ports 11 and 12 only support 10 Gigabit Ethernet. The NPM8620 does not have
10 Gigabit Ethernet ports.
CBS# configure interface {gigabitethernet | 10gigabitethernet} <NPM_slot_number>/<port_number>
CBS(conf-intf-<iftype>)# logical <logical_name>
CBS(intf-<iftype>-logical)# circuit <management_circuit_name>
CBS(intf-<iftype>-logical)# end
6. Configure an IP route for the VAPs to communicate with the management server:
CBS# configure ip route <destination_IP_address>/<netmask> <next_hop_IP_address> vap-group <VAP_group_name> circuit <management_circuit_name>
For example:
CBS# configure ip route 10.1.1.0/24 10.213.212.111 vap-group fw circuit mgmt
7. Save the running configuration:
CBS# wr

Creating and Configuring a Traffic Interface


This section provides the following configuration information:
 Creating and Configuring Non-VLAN Interfaces on page 24
 Creating and Configuring VLAN Interfaces on page 24

Creating and Configuring Non-VLAN Interfaces


Configure both traffic circuits as follows:
1. Create the traffic circuit:
CBS# configure circuit <circuit_name>
CBS(conf-cct)#
2. Assign a device name to the circuit. The device name is the interface name. The name should be the
same as, or based on, the circuit name.
CBS(conf-cct)# device-name <device_name>
CBS(conf-cct)#
3. Assign the circuit to the VAP group to allow traffic to flow across the circuit.
CBS(conf-cct)# vap-group <VAP_group_name>
CBS(conf-cct-vapgroup)#
4. Assign an IP address to be used by the circuit, and return to the main CLI context.
CBS(conf-cct-vapgroup)# ip <IP_address>/<netmask>
CBS(conf-cct-vapgroup-ip)# end
5. Assign the circuit to an interface:
NOTE: The NPM8600 ports 11 and 12 only support 10 Gigabit Ethernet. The NPM8620 does not have
10 Gigabit Ethernet ports.
CBS# configure interface {gigabitethernet | 10gigabitethernet} <NPM_slot_number>/<port_number>
CBS(conf-intf-<iftype>)# logical <logical_name>
CBS(intf-<iftype>-logical)# circuit <circuit_name>
CBS(intf-<iftype>-logical)# end

Creating and Configuring VLAN Interfaces


The procedure in this section provides the configuration information to create VLAN interfaces for a VAP
group processing VLAN traffic. Each interface can map to multiple VLANs on the client subnet, and must
have a unique circuit name, device name, and IP address.
1. Assign a name to the VLAN circuit.
CBS# configure circuit <VLAN_circuit_name>
CBS(conf-cct)#

2. Assign a device name to the circuit. The device name is the interface name. The name should be the same
as, or based on, the circuit name.
CBS(conf-cct)# device-name <VLAN_device_name>
CBS(conf-cct)#
3. Assign a VAP group to the circuit.
CBS(conf-cct)# vap-group <VAP_group_name>
CBS(conf-cct-vapgroup)#
4. Assign a tag (egress) to the VLAN circuit:
CBS(conf-cct-vapgroup)# default-egress-vlan-tag <VLAN_tag>
CBS(conf-cct-vapgroup)#
5. Assign an IP address to the VLAN circuit, and return to the main CLI context:
CBS(conf-cct-vapgroup)# ip <IP_address>/<netmask>
CBS(conf-cct-vapgroup-ip)# end
6. Configure the interface:
CBS# configure interface {gigabitethernet | 10gigabitethernet} <NPM_slot_number>/<port_number>
7. Add a logical with the ingress tag:
CBS(conf-intf-<iftype>)# logical <logical_name> ingress-vlan-tag <VLAN_tag>
8. Assign the circuit to this interface:
CBS(intf-<iftype>-logical)# circuit <VLAN_circuit_name>
CBS(intf-<iftype>-logical)# exit

Creating and Configuring a Synchronization Circuit


A synchronization circuit is an internal circuit that connects VAP members. Check Point Security Gateway
R70 requires this circuit to maintain state synchronization and communications between cluster members.
1. Create a circuit for synchronization, and configure the circuit as internal:
CBS# configure circuit <sync_circuit_name>
CBS(conf-cct)# internal
2. Assign a device name to the circuit. The device name should be the same as, or based on, the circuit
name:
CBS(conf-cct)# device-name <device_name>
3. Assign the circuit to the VAP group.
CBS(conf-cct)# vap-group <VAP_group_name>
4. Assign an internal IP address to the circuit and return to the main CLI context. Use the
increment-per-vap parameter to assign an individual IP address for each VAP member.
NOTE: The range should be expanded to allow VAPs to be added to the VAP group as the platform
grows.
CBS(conf-cct-vapgroup)# ip <IP_address_of_first_VAP_in_group>/<netmask> <broadcast_address> increment-per-vap <IP_address_of_last_VAP_in_group>
CBS(conf-cct-vapgroup-ip)# end
5. Assign the circuit to a physical interface (DBHA only):
NOTE: Only assign the synchronization circuit to an interface if you are planning to use DBHA.
NOTE: The NPM8600 ports 11 and 12 only support 10 Gigabit Ethernet. The NPM8620 does not have
10 Gigabit Ethernet ports.

CBS# configure interface {gigabitethernet | 10gigabitethernet} <NPM_slot_number>/<port_number>
CBS(conf-intf-<iftype>)# logical <logical_name>
CBS(intf-<iftype>-logical)# circuit <sync_circuit_name>
CBS(intf-<iftype>-logical)# end
6. Save the running configuration:
CBS# wr
Configuration is complete. Go to Installing the Application on the X-Series Platform on page 27.

4 Installing the Application on the X-Series Platform

This chapter describes how to install Check Point Security Gateway R70 onto the Crossbeam X-Series
Platform.

IMPORTANT: Before installing Check Point Security Gateway R70, make sure you meet the Hardware,
Software, and Network Requirements on page 17, and complete the procedures in Preparing
for Installation on the X-Series Platform on page 21.

This chapter contains the following sections:


• Pre-Staged Installation and Pre-Staged Configuration on page 27
• Copying the Crossbeam Installation (CBI) Package onto the X-Series Platform on page 27
• Installing the CBI Application Bundle on page 28
• Verifying the CBI Installation on page 30
• Troubleshooting the CBI Installation on page 30
• Completing the High Availability State Synchronization Configuration on page 31
• Uninstalling the CBI Application Bundle on page 31
• Troubleshooting the Uninstallation on page 31

Pre-Staged Installation and Pre-Staged Configuration


The Check Point Security Gateway R70 CBI allows pre-staged installation of the application on a VAP without
the APM present in the X-Series Platform, and pre-staged configuration of a VAP group without the APM. You
set up the installation and configuration as though the APM is physically in place. When the APM is installed at
a later date, the pre-staged installation and the pre-staged configuration are automatically applied
to the APM.

Copying the Crossbeam Installation (CBI) Package onto the X-Series Platform

NOTE: See the XOS V8.5 Release Notes for the CBI package name.

To load the application onto the X-Series Platform, perform the following steps on each CPM in the X-Series
Platform:
1. Download the CPSG-R70-x.x.x.x-y.cbi CBI package from the Crossbeam Customer Support
Download Portal, www.crossbeam.com/services/online_support.php to the X-Series Platform.
NOTE: You must have an active support contract to access the Crossbeam Customer Support Center.

2. Log into your XOS as root.
CBS# unix su
Password:
[root@xxxx admin]#
3. Copy the CBI file, CPSG-R70-x.x.x.x-y.cbi, to /usr/os/apps/archive on the CPM.
[root@xxxx admin]# cp CPSG-R70-x.x.x.x-y.cbi /usr/os/apps/archive
4. Exit from root:
[root@xxxx admin]# exit

Installing the CBI Application Bundle


IMPORTANT: Before installing Check Point Security Gateway R70 on a VAP group, you must make sure the
following conditions are met:
• No other application is installed on the VAP group.
• No previous version of Check Point is installed on the VAP group.

If any of the above requirements are not met, the installation will fail. If the installation fails, see
Troubleshooting the CBI Installation on page 30.

Use the CBI to install Check Point Security Gateway R70, as follows:
1. Enter the following XOS CLI command to verify that Check Point Security Gateway R70 is loaded on the
X-Series Platform.
CBS# show application
App ID : CPSG
Name : Check Point Security Gateway
Version : R70
Release : 2.0.0.0-9
CBI Version : 1.2.0.0
2. Enter the following XOS CLI command to install the application on the VAP group you created:
CBS# application CPSG vap-group <VAP_group_name> install
For <VAP_group_name> enter the name of the VAP group you created for Check Point Security
Gateway R70.
3. The XOS checks the integrity of the CBI package and its dependencies, displaying the following text:
Checking Bundle Integrity: [####################] 100% [ ok ]
Checking Dependencies: [####################] 100% [ ok ]
Check Point Software Technologies Ltd.
License Agreement
4. The XOS begins the CBI interview process by displaying the terms and definitions for the Check Point
Security Gateway R70 license agreement, and prompts you to read the agreement:
Press ENTER to read or 'q' to quit:
5. Enter y (for yes) and press Enter to accept the license agreement.
[License agreement displayed here]
Do you accept the license agreement?[n]: y

Answer the questions below to configure this application. Type '?' for help.

6. Enter the Secure Internal Communication information.
The Secure Internal Communication (SIC) key is a one-time Activation Key that is used to establish trust
with the Check Point Management Server. On XOS, the Activation Key is used for all VAPs in the VAP
group.
Enter the Secure Internal Communication (SIC) key below.
Password:
Confirm Password:
7. Enter the local license information.
Enter local license information?[n]:
If you wish to enter license information at this time, enter y (for yes) to continue. When prompted, enter
the management IP address, license expiration date, signature key, and the SKU/feature for each VAP in
the group. If the license is not available, the application installation program automatically uses a 15-day
trial license. The 15-day trial license only allows limited features.
NOTE: This license information is optional, as you can always push a central license from the Check
Point Management Station.
8. The following interview questions appear:
• Install Performance Pack?[y]:
The Performance Pack is a software-based acceleration module for Check Point Security Gateway
R70. Accelerating key security functions such as access control, encryption, NAT, attack signature
detection, and accounting, enables wire-speed firewall throughput for gigabit networks.
If you entered y, the “Do you want to enable SecureXL?” prompt appears. Enter y to enable
SecureXL.
• Enable High Availability/State Synchronization?[y]:
NOTE: You must enable High Availability State Synchronization if you are creating a Check Point
Security Gateway cluster.
• Do you want to enable CoreXL? [n]:y
Enter y to enable CoreXL.
NOTE: At the time of this release, Crossbeam recommends using only the 8-core APM with six firewall
instances. If you choose to enable CoreXL on an APM that has fewer than 8 cores, Check
Point recommends two firewall instances for the 2-core APM, and three firewall instances for
the 4-core APM.
NOTE: If you entered y, enter ? to read important information about CoreXL before entering the
number of firewall instances to enable, and refer to CoreXL Configuration Requirements on
page 20.
How many firewall instances would you like to enable (2 to 8)? 6
(Enter '?' for important information) []:
• Are there any changes needed?[n]: n
If you do not want to change configuration settings, enter n and press Enter. If you want to change
any configuration settings before installing this application, enter y and press Enter to return to the
first question in the installation interview.
If you do not want to change configuration settings, enter n and press Enter. If you want to change
any configuration settings before installing this application, enter y and press Enter to return to the
first question in the installation interview.
9. XOS installs Check Point Security Gateway R70 on the VAP group you specified in Step 2. The XOS
displays the progress of the application installation on each VAP, and then prompts you to save the
configuration.
NOTE: To save the configuration to the database, enter y and press Enter. If you enter n, the
configuration is not saved to the database.
For example, the following text appears when the application is installed on a VAP group called fwvpn
that consists of three VAPs:

** A reboot is required for the change(s) to take affect. **
Extracting Bundle: [####################] 100% [ ok ]
Installing CPSG on VAP fwvpn_3: [####################] 100% [ ok ]
Installing CPSG on VAP fwvpn_2: [####################] 100% [ ok ]
Installing CPSG on VAP fwvpn_1: [####################] 100% [ ok ]
In order to successfully complete the application install, the XOS
configuration must be saved.

Any unsaved configuration will be lost.


Do you want to save it to startup-config? <Y or N>[Y]: y
Saving configuration ... Please be patient...
10. After the installation is complete, reboot the VAP group for the installation to take effect.
CBS# reload vap-group <VAP_group_name>

IMPORTANT: If you intend to use High Availability Application Synchronization and enabled it during
the installation interview, go to Completing the High Availability State Synchronization
Configuration on page 31.

Verifying the CBI Installation


Use the following command to verify that the application is running:
CBS# show application vap-group <VAP_group_name>

For example, the following text is displayed if you installed Check Point Security Gateway R70 on the VAP
group fwvpn, which has two VAPs in the group:
CBS# show application vap-group fwvpn
VAP Group : fwvpn
App ID : CPSG
Name : Check Point Security Gateway
Version : R70
Release : 2.0.0.0-9
Start on Boot : yes
App Monitor : on
App State (fwvpn_1): Up
App State (fwvpn_2): Up

The Start on Boot field shows whether the application starts when the VAP boots (yes or no). If it is no, you
must start the application yourself after every reload with the application CPSG vap-group <VAP_group_name>
start CLI command.

See Table 3 on page 58 for descriptions of the information provided.
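To check this output mechanically, for instance from a script that captures show application over the console during a change window, the following Python example parses the format shown above. It is an added example, not part of this guide or of XOS; the three-VAP sample output is constructed in the format the guide prints, with a third VAP that is not Up so the failure path is exercised. Keep in mind that XOS cannot detect a hung process (see XOS Command Line Interface (CLI) on page 46), so an App State of Up proves only that the process exists, not that it is passing traffic.

```python
"""Parse 'show application vap-group' output and decide whether the install verified.

Added example; not part of the Crossbeam guide or of XOS. SAMPLE_OUTPUT is
constructed in the format the guide shows, with a third VAP that is not Up so
the failure path is exercised. Field names are the ones the guide prints.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_OUTPUT = """\
VAP Group : fwvpn
App ID : CPSG
Name : Check Point Security Gateway
Version : R70
Release : 2.0.0.0-9
Start on Boot : yes
App Monitor : on
App State (fwvpn_1): Up
App State (fwvpn_2): Up
App State (fwvpn_3): Down
"""

# "Key : value" with an optional "(vap_name)" qualifier before the colon.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:(]+?)\s*(?:\((?P<vap>[^)]+)\))?\s*:\s*(?P<val>.*?)\s*$")


@dataclass
class AppStatus:
    vap_group: str = ""
    app_id: str = ""
    version: str = ""
    start_on_boot: bool = False
    app_monitor: bool = False
    vap_states: Dict[str, str] = field(default_factory=dict)


def parse_show_application(text: str) -> AppStatus:
    """Turn the CLI output into a structured record; lines that do not match are ignored."""
    status = AppStatus()
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, vap, val = m.group("key"), m.group("vap"), m.group("val")
        if key == "App State" and vap:
            status.vap_states[vap] = val
        elif key == "VAP Group":
            status.vap_group = val
        elif key == "App ID":
            status.app_id = val
        elif key == "Version":
            status.version = val
        elif key == "Start on Boot":
            status.start_on_boot = val.lower() == "yes"
        elif key == "App Monitor":
            status.app_monitor = val.lower() == "on"
    return status


def check_installation(text: str, expected_vaps: int) -> List[str]:
    """Return findings; an empty list means every VAP reports Up and boot-start is set."""
    status = parse_show_application(text)
    findings = []
    if status.app_id != "CPSG":
        findings.append(f"unexpected App ID {status.app_id!r}")
    if len(status.vap_states) != expected_vaps:
        findings.append(f"expected {expected_vaps} VAPs, saw {len(status.vap_states)}")
    for vap, state in sorted(status.vap_states.items()):
        if state != "Up":
            findings.append(f"{vap}: App State is {state}, not Up")
    if not status.start_on_boot:
        findings.append("Start on Boot is no: start the application by hand after every reload")
    if not status.app_monitor:
        findings.append("App Monitor is off")
    return findings


if __name__ == "__main__":
    for finding in check_installation(SAMPLE_OUTPUT, expected_vaps=3) or ["install verified"]:
        print(finding)
```

Pass the number of VAPs you configured with vap-count as expected_vaps; a VAP that is missing from the output entirely is reported as a count mismatch rather than silently ignored.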

Troubleshooting the CBI Installation


If the installation does not complete, view the syslog on the CPM in /var/log/messages.

Completing the High Availability State Synchronization
Configuration
This section provides the additional steps necessary to complete the High Availability State Synchronization
configuration after installing Check Point Security Gateway R70.

This section assumes the following:


 You followed the preinstallation configuration procedures in Preparing for Installation on the X-Series
Platform on page 21.
 You enabled High Availability/State Synchronization during the installation interview.
To disable or enable High Availability Application Synchronization, see Enabling and Disabling High
Availability/State Synchronization on page 48.

To complete the High Availability State Synchronization configuration, you must perform the following steps
on the Check Point Management Station:
1. Create a Gateway Cluster object and include each VAP as a cluster member.
2. Set the Secure Internal Communication (SIC).
3. Get the topology.
4. Set the synchronization network.
5. Download policies to the Cluster object.

See the Check Point documentation for configuration information.

Uninstalling the CBI Application Bundle


1. To uninstall the application, enter the following command at the XOS prompt:
CBS# application CPSG vap-group <VAP_group_name> uninstall
2. Enter y at the “Do you want to save it to startup-config?” prompt to save the configuration.
Unsaved configurations will be lost.
3. After uninstall is complete, reload the VAP group.
CBS# reload vap-group <VAP_group_name>

If the application is installed on multiple VAP groups, repeat the previous steps for each VAP group. After
uninstalling the application, reload each VAP group.

Troubleshooting the Uninstallation


If the uninstall fails before it is complete, you can view the log on the CPM, in the /var/log/messages file.

You can also view the uninstallation error and warning messages by entering the following command:

CBS# show logging console component cbi level error

5 XOS Configuration Examples for Supported Single-Application Use Cases

This chapter provides topology diagrams that illustrate the single-application use cases supported for Check
Point Security Gateway R70 installed on the Crossbeam X-Series Platform. It also provides XOS
configuration examples for the supported use cases for each topology configuration option.

For examples of multi-application serialization deployments, refer to the Multiple-Application Serialization
Deployments Supported with XOS V8.5 document.

This chapter contains the following sections:


 Standalone Examples on page 33
 Standalone with Dual-Box High Availability (DBHA) Example on page 40

Standalone Examples
With a standalone Check Point Security Gateway R70 deployment, you can use any of the following interface
types:
 Simple Interface
 Simple Interface with Redundancy
 LACP (Link Aggregation Control Protocol, IEEE 802.3ad)
 VLAN Trunk (802.1q)
 VLAN Trunk over LACP

This section contains examples that show how to use the XOS CLI to configure traffic interfaces of the
following types:
 Simple Interface Example on page 34
 LACP Trunk Interface Example on page 36
 VLAN Trunk Example on page 38

NOTE: The examples in this section do not provide configuration information for the management and
synchronization circuits. See Creating and Configuring a Management Interface on page 23 and
Creating and Configuring a Synchronization Circuit on page 25 for configuration of these circuits.

Simple Interface Example
The example in this section shows the configuration of two traffic circuits to the physical interfaces.

Topology Diagram
Figure 5 illustrates the topology configuration for two traffic circuits (wan and lan) mapped to the physical
interfaces. A configuration example of this topology is provided below the topology diagram.

Figure 5. Simple Interface Topology Diagram

To create the topology configuration shown in Figure 5:


1. Create the two traffic circuits, one for ingress traffic and one for egress traffic:
CBS# configure circuit lan
CBS(conf-cct)# device-name lan
CBS(conf-cct)# vap-group fwvpn
CBS(conf-cct-vapgroup)# ip 172.16.2.1/24
CBS(conf-cct-vapgroup-ip)# end
CBS#
CBS# configure circuit wan
CBS(conf-cct)# device-name wan
CBS(conf-cct)# vap-group fwvpn
CBS(conf-cct-vapgroup)# ip 172.16.1.1/24
CBS(conf-cct-vapgroup-ip)# end
CBS#

2. Configure the physical interfaces for ingress and egress traffic.
CBS# configure interface gigabitethernet 2/1
CBS(conf-intf-gig)# logical lan
CBS(intf-gig-logical)# circuit lan
CBS(intf-gig-logical)# end
CBS#

CBS# configure interface gigabitethernet 2/2
CBS(conf-intf-gig)# logical wan
CBS(intf-gig-logical)# circuit wan
CBS(intf-gig-logical)# end
CBS#

LACP Trunk Interface Example
LACP trunks aggregate multiple physical interfaces to form one logical channel, which the X-Series Platform
treats as a single interface. This unification provides interface redundancy and an increase in bandwidth
capacity, but does not increase complexity from the application standpoint.

Topology Diagram
Figure 6 illustrates the topology configuration for two traffic circuits (mltv1 and mltv2) mapped to the LACP
trunk interfaces. A configuration example of this topology is provided below the topology diagram.

Figure 6. LACP Trunk Interface Topology Diagram

To create the topology configuration shown in Figure 6:


1. Create the two traffic circuits, one for ingress traffic and one for egress traffic:
CBS# configure circuit mltv1
CBS(conf-cct)# device-name mltv1
CBS(conf-cct)# vap-group fwvpn
CBS(conf-cct-vapgroup)# ip 172.16.3.1/24
CBS(conf-cct-vapgroup-ip)# end
CBS#

CBS# configure circuit mltv2
CBS(conf-cct)# device-name mltv2
CBS(conf-cct)# vap-group fwvpn
CBS(conf-cct-vapgroup)# ip 172.16.4.1/24
CBS(conf-cct-vapgroup-ip)# end
CBS#

2. Configure the two LACP Trunk interfaces, and assign each LACP Trunk interface to a traffic circuit:
CBS# configure group-interface mltv1
CBS(conf-group-intf)# mode multi-link circuit mltv1
CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)# exit
CBS(conf-group-intf)# interface 1/1
CBS(conf-group-intf-intf)# exit
CBS(conf-group-intf)# interface 1/2
CBS(conf-group-intf-intf)# exit
CBS(conf-group-intf)# interface 1/3
CBS(conf-group-intf-intf)# end
CBS#

CBS# configure group-interface mltv2
CBS(conf-group-intf)# mode multi-link circuit mltv2
CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)# exit
CBS(conf-group-intf)# interface 1/5
CBS(conf-group-intf-intf)# exit
CBS(conf-group-intf)# interface 1/6
CBS(conf-group-intf-intf)# exit
CBS(conf-group-intf)# interface 1/7
CBS(conf-group-intf-intf)# end
CBS#

VLAN Trunk Example
In a VLAN configuration using an 802.1q trunk for VLANs, a single physical interface may handle several
subnets. The X-Series Platform can be configured to handle a VLAN trunk by assigning many logical
interfaces to a single physical interface. Each logical interface is associated with a VLAN tag or range of
VLAN tags.

See the XOS Configuration Guide, XOS V8.5 to limit the VLANs that are expected, and to specify whether
untagged packets are accepted.

Topology Diagram
Figure 7 illustrates a topology configuration for VLANs. A configuration example of this topology is provided
below the topology diagram.

Figure 7. VLAN Trunk Topology Example

To create the topology configuration shown in Figure 7:


1. Create the two traffic circuits, one for ingress traffic and one for egress traffic:
CBS# configure circuit lan
CBS(conf-cct)# device-name lan
CBS(conf-cct)# vap-group fwvpn
CBS(conf-cct-vapgroup)# default-egress-vlan-tag 100
CBS(conf-cct-vapgroup)# ip 172.16.5.1/24
CBS(conf-cct-vapgroup-ip)# end
CBS#

CBS# configure circuit wan
CBS(conf-cct)# device-name wan
CBS(conf-cct)# vap-group fwvpn
CBS(conf-cct-vapgroup)# ip 172.16.6.1/24
CBS(conf-cct-vapgroup-ip)# end
CBS#
2. Map the two traffic circuits to the interface:
CBS# configure interface gigabitethernet 2/1
CBS(conf-intf-gig)# logical lan ingress-vlan-tag 100
CBS(intf-gig-logical)# circuit lan
CBS(intf-gig-logical)# end

CBS# configure interface gigabitethernet 2/2
CBS(conf-intf-gig)# logical wan
CBS(intf-gig-logical)# circuit wan
CBS(intf-gig-logical)# end

Standalone with Dual-Box High Availability (DBHA) Example
A successful DBHA configuration depends upon external devices configured to provide failure detection and
traffic failover in the event that one X-Series system fails. Crossbeam provides this functionality by using
VRRP.

You can use any combination of the following five interface types, which are supported for a standalone
deployment:
 Simple Interface
 Simple Interface with redundancy
 LACP (Link Aggregation Control Protocol, IEEE 802.3ad)
 VLAN Trunk (802.1q)
 VLAN Trunk over LACP

The following items must be different in each chassis.


 Remote system ID
 Chassis IP address
 Synchronization Circuit IP address
 VRRP Priority
 Traffic Circuit IP address
 Management Circuit IP address
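The six items above can be cross-checked mechanically before the second chassis goes live. The following Python example is added here and is not part of this guide or of XOS: it takes the two chassis configurations as plain dictionaries (chassis A holds the values from the configuration example later in this section, chassis B holds constructed values), expands the ip <first>/<len> increment-per-vap <last> form that the management and synchronization circuits use into one address per VAP, and reports any item that is the same on both chassis, any per-VAP address that both chassis would claim, and any VRRP virtual IP that collides with a chassis' own traffic address. The expansion assumes VAP 1 takes the first address, VAP 2 the next, and so on, with the last address allowed to leave headroom; that mapping is an assumption, not something the guide states.

```python
"""Cross-check two DBHA chassis configurations against the per-chassis uniqueness rules.

Added example; it is not part of the Crossbeam guide or of XOS. Both chassis
configurations are constructed: chassis A uses the values from the DBHA
configuration example in this section, chassis B uses illustrative values.
Assumption: 'ip FIRST/LEN increment-per-vap LAST' assigns FIRST to VAP 1,
FIRST+1 to VAP 2, and so on, and LAST may leave headroom beyond vap-count.
"""
import ipaddress
from typing import Dict, List

CHASSIS_A = {
    "remote_system_id": 5,
    "remote_box_ip": "172.16.1.20",      # CPM address of the other chassis (from the example)
    "chassis_ip": "172.16.1.10",         # this chassis' CPM address (constructed)
    "vap_count": 3,
    "mgmt": ("192.168.10.1/24", "192.168.10.3"),
    "sync": ("9.9.9.4/24", "9.9.9.8"),
    "traffic": {"mltv1": "172.16.10.1/24", "mltv2": "172.16.60.1/24"},
    "vrrp": {"failover_group_id": 200, "priority": 200,
             "virtual_ips": {"mltv1": "172.16.10.2/24", "mltv2": "172.16.60.2/24"}},
}
CHASSIS_B = {                            # constructed counterpart
    "remote_system_id": 6,
    "remote_box_ip": "172.16.1.10",
    "chassis_ip": "172.16.1.20",
    "vap_count": 3,
    "mgmt": ("192.168.10.4/24", "192.168.10.6"),
    "sync": ("9.9.9.9/24", "9.9.9.13"),
    "traffic": {"mltv1": "172.16.10.3/24", "mltv2": "172.16.60.3/24"},
    "vrrp": {"failover_group_id": 200, "priority": 150,
             "virtual_ips": {"mltv1": "172.16.10.2/24", "mltv2": "172.16.60.2/24"}},
}


def expand_increment_per_vap(first: str, last: str, vap_count: int) -> List[ipaddress.IPv4Address]:
    """Expand 'ip FIRST/LEN increment-per-vap LAST' into the address each VAP gets."""
    iface = ipaddress.ip_interface(first)
    end = ipaddress.ip_address(last)
    available = int(end) - int(iface.ip) + 1
    if available < vap_count:
        raise ValueError(f"{first}..{last} holds {available} addresses for {vap_count} VAPs")
    if end not in iface.network:
        raise ValueError(f"{last} is outside {iface.network}")
    return [iface.ip + i for i in range(vap_count)]   # assumption: VAP n takes FIRST + (n - 1)


def per_chassis_values(c: dict) -> Dict[str, object]:
    """The items the guide says must differ between the two chassis."""
    values = {
        "Remote system ID": c["remote_system_id"],
        "Chassis IP address": c["chassis_ip"],
        "Synchronization Circuit IP address": c["sync"][0],
        "VRRP Priority": c["vrrp"]["priority"],
        "Management Circuit IP address": c["mgmt"][0],
    }
    for name, ip in c["traffic"].items():
        values[f"Traffic Circuit IP address ({name})"] = ip
    return values


def check_dbha_pair(a: dict, b: dict) -> List[str]:
    """Return findings; an empty list means the pair passes every check here."""
    findings = []
    va, vb = per_chassis_values(a), per_chassis_values(b)
    for item, value in va.items():
        if vb.get(item) == value:
            findings.append(f"{item} is identical on both chassis: {value}")
    # remote-box on each chassis must name the other chassis' CPM
    if a["remote_box_ip"] != b["chassis_ip"] or b["remote_box_ip"] != a["chassis_ip"]:
        findings.append("remote-box address does not point at the other chassis' CPM")
    # per-VAP management and sync addresses must not collide across the pair
    for circ in ("mgmt", "sync"):
        clash = (set(expand_increment_per_vap(*a[circ], a["vap_count"]))
                 & set(expand_increment_per_vap(*b[circ], b["vap_count"])))
        if clash:
            findings.append(f"{circ} per-VAP addresses overlap: {sorted(map(str, clash))}")
    # state-sync peers must share a subnet
    if ipaddress.ip_interface(a["sync"][0]).network != ipaddress.ip_interface(b["sync"][0]).network:
        findings.append("sync circuits are on different subnets")
    # the counterpart failover group uses the same ID and the same virtual IPs,
    # and a virtual IP must not equal either chassis' own traffic address
    if a["vrrp"]["failover_group_id"] != b["vrrp"]["failover_group_id"]:
        findings.append("failover-group-id differs; the counterpart group must use the same ID")
    for circ, vip in a["vrrp"]["virtual_ips"].items():
        if b["vrrp"]["virtual_ips"].get(circ) != vip:
            findings.append(f"virtual-ip for {circ} differs between chassis")
        vip_addr = ipaddress.ip_interface(vip).ip
        for label, c in (("A", a), ("B", b)):
            if ipaddress.ip_interface(c["traffic"][circ]).ip == vip_addr:
                findings.append(f"virtual-ip {vip_addr} collides with chassis {label}'s address on {circ}")
    return findings


if __name__ == "__main__":
    print(check_dbha_pair(CHASSIS_A, CHASSIS_B) or "no findings")
    # Deliberately reuse A's priority and management range on B to see the checks fire.
    bad = dict(CHASSIS_B, vrrp=dict(CHASSIS_B["vrrp"], priority=200), mgmt=CHASSIS_A["mgmt"])
    for finding in check_dbha_pair(CHASSIS_A, bad):
        print("-", finding)
```

Run it as a script to see the clean pair pass and the duplicated priority and management range get flagged. The same expansion applies when you widen the ranges in Adding a VAP to a VAP Group on page 52: the new last address must leave room for the new vap-count without crossing into the other chassis' range.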

Topology Diagram
You can configure multiple X-Series Platforms for High Availability (HA) using VRRP. You do not configure one
system as master and another as standby. Instead, you create a failover group containing one or more VAP groups
and circuits, and create a counterpart group with the same ID on one or more other systems. Should one group
fail, the counterpart group on another system becomes master. In the meantime, the group with that ID on each
system can be actively passing traffic, so no system sits idle.

Figure 8 illustrates the topology of a standalone when it is installed on two X-Series Platforms that are
configured for dual-box high availability (DBHA).

A configuration example of this topology is provided below the topology diagram.

Figure 8. Standalone with Dual-Box High Availability Topology Diagram

The following example shows how to configure XOS to enable a dual-box, high-availability (DBHA)
deployment of Check Point Security Gateway R70. This example uses LACP trunk interfaces for the traffic
circuits, and a simple interface for the management and synchronization circuits.

To create the topology configuration shown in Figure 8, perform the following steps on each X-Series
Platform.
1. Configure the remote system ID and IP address. The remote system ID is specific to the system, and the
IP address is the address of the CPM on the other system.
CBS# configure remote-box 5 172.16.1.20
CBS(conf-remote-box)# end
CBS#
2. Use the following commands to create a VAP group to use the xslinux_v5 operating system, specify the
number of VAP members in the group, and the maximum number of VAPs in the group.
CBS# configure vap-group fwvpn xslinux_v5
CBS(config-vap-grp)# vap-count 3
CBS(config-vap-grp)# max-load-count 3
3. Disable RP filtering.
CBS(config-vap-grp)# no rp-filter

4. Specify the list of APMs to be loaded. All VAP members should be identical APMs. Use show chassis
from the CLI to verify the configuration of each APM if necessary.
CBS(config-vap-grp)# ap-list ap7 ap8 ap9
CBS(config-vap-grp)# load-balance-vap-list 1 2 3

5. Configure a basic load balancing flow rule for the VAP group:
CBS(config-vap-grp)# ip-flow-rule lb
CBS(ip-flow-rule)# action load-balance
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)# end

6. Configure the management circuit, assign a device name to the circuit, and map the circuit to the
application’s VAP group:
CBS# configure circuit mgmt
CBS(conf-cct)# device-name mgmt
CBS(conf-cct)# vap-group fwvpn
CBS(conf-cct-vapgroup)#
7. Configure the management circuit to use a unique IP address to access each VAP in the group:
CBS(conf-cct-vapgroup)# ip 192.168.10.1/24 increment-per-vap 192.168.10.3
CBS(conf-cct-vapgroup-ip)# end
8. Configure a circuit for synchronization:
CBS# configure circuit sync
CBS(conf-cct)# internal
CBS(conf-cct)# device-name sync
CBS(conf-cct)# vap-group fwvpn
CBS(conf-cct-vapgroup)# ip 9.9.9.4/24 9.9.9.255 increment-per-vap 9.9.9.8
CBS(conf-cct-vapgroup-ip)# end

9. Map the synchronization circuit and the management circuit to the interface:
CBS# configure interface gigabitethernet 2/1
CBS(conf-intf-gig)# logical mgmt
CBS(intf-gig-logical)# circuit mgmt
CBS(intf-gig-logical)# end

CBS# configure interface gigabitethernet 2/10
CBS(conf-intf-gig)# logical sync
CBS(intf-gig-logical)# circuit sync
CBS(intf-gig-logical)# end
10. Create two traffic circuits, one for egress traffic and one for ingress traffic:
CBS# configure circuit mltv1
CBS(conf-cct)# device-name mltv1
CBS(conf-cct)# vap-group fwvpn
CBS(conf-cct-vapgroup)# ip 172.16.10.1/24
CBS(conf-cct-vapgroup-ip)# end

CBS# configure circuit mltv2
CBS(conf-cct)# device-name mltv2
CBS(conf-cct)# vap-group fwvpn
CBS(conf-cct-vapgroup)# ip 172.16.60.1/24
CBS(conf-cct-vapgroup-ip)# end
11. Configure the two traffic circuits to use the LACP Trunks:
CBS# configure group-interface mltv1
CBS(conf-group-intf)# mode multi-link circuit mltv1
CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)# exit
CBS(conf-group-intf)# interface 1/1
CBS(conf-group-intf-intf)# exit
CBS(conf-group-intf)# interface 1/2
CBS(conf-group-intf-intf)# exit
CBS(conf-group-intf)# interface 1/3
CBS(conf-group-intf-intf)# end
CBS#

CBS# configure group-interface mltv2
CBS(conf-group-intf)# mode multi-link circuit mltv2
CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)# exit
CBS(conf-group-intf)# interface 1/5
CBS(conf-group-intf-intf)# exit
CBS(conf-group-intf)# interface 1/6
CBS(conf-group-intf-intf)# exit
CBS(conf-group-intf)# interface 1/7
CBS(conf-group-intf-intf)# end
CBS#
12. Create the VRRP failover group by assigning it a name, and ID.
CBS# configure vrrp failover-group vrrp_fwvpn failover-group-id 200
CBS(conf-vrrp-group)#
13. Set the VRRP priority. Valid values are 1 to 255. The default is 100. The chassis that has the failover
group with the highest priority becomes the master for this failover group.
CBS(conf-vrrp-group)# priority 200
CBS(conf-vrrp-group)#
14. Create the virtual routers:
CBS(conf-vrrp-group)# virtual-router vrrp-id 10 circuit mltv1
CBS(conf-vrrp-failover-vr)# priority-delta 100
CBS(conf-vrrp-failover-vr)# mac-usage vrrp-mac
CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)# virtual-ip 172.16.10.2/24
CBS(conf-vrrp-vr-vapgroup)# exit
CBS(conf-vrrp-failover-vr)# exit

CBS(conf-vrrp-group)# virtual-router vrrp-id 20 circuit mltv2
CBS(conf-vrrp-failover-vr)# priority-delta 100
CBS(conf-vrrp-failover-vr)# mac-usage vrrp-mac
CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)# virtual-ip 172.16.60.2/24
CBS(conf-vrrp-vr-vapgroup)# end
15. Enable VRRP on the VAP group:
CBS# configure vrrp vap-group fwvpn
CBS(conf-vrrp-vap-group)#
16. Assign the failover group to a failover group list:
CBS(conf-vrrp-vap-group)# failover-group-list vrrp_fwvpn
17. Specify the time, in seconds, for a VAP group to wait before passing traffic, allowing the application to
fully boot. This delay can prevent an application from dropping connections before the application is able
to pass traffic.
CBS(conf-vrrp-vap-group)# hold-down-timer 120
CBS(conf-vrrp-vap-group)#
18. Assign a priority-delta to the VAP group. VRRP decrements the priority of the failover group whenever
the number of active VAPs falls below the active-vap-threshold. The priority-delta can be any
value between 1 and 255. When the VAP returns to the Active state, the priority-delta is added back to
the priority value.
CBS(conf-vrrp-vap-group)# priority-delta 60
19. Assign the active-vap-threshold to monitor the VAPs in the VAP group. If the number of active
VAPs drops below the threshold, the priority is decremented by the priority-delta. When the priority
of the master chassis drops below the value of the backup chassis, failover occurs.
CBS(conf-vrrp-vap-group)# active-vap-threshold 3
CBS(conf-vrrp-vap-group)# end
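The priority arithmetic in steps 13 through 19 decides which chassis is master after a failure, and it is easy to pick a backup priority that never fails over. The following Python example is added here and is not the guide's or XOS's code. It reproduces only the rules the guide states (a failover group loses the VAP group's priority-delta while fewer than active-vap-threshold VAPs are active, and the chassis whose failover group has the highest priority is master) and marks its assumptions: that a virtual router's priority-delta is subtracted while its circuit is down, that the priority is floored at 0, and that an exact tie goes to the higher CPM address as in VRRP (RFC 3768). Chassis A uses the values above; chassis B's priority of 150 and both CPM addresses are constructed.

```python
"""Work through the VRRP priority arithmetic of the DBHA example above.

Added example; not part of the Crossbeam guide or of XOS. It applies only the
rules the guide states: the failover-group priority is decremented by the VAP
group's priority-delta while fewer than active-vap-threshold VAPs are active,
and the chassis whose failover group has the highest priority is master.
Assumptions, also marked in the code: a virtual router's priority-delta is
subtracted while its circuit is down; the priority is floored at 0; an exact
tie is broken in favour of the higher CPM address, as VRRP (RFC 3768) does.
Chassis B's values are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class VrrpConfig:
    name: str
    cpm_ip: str                              # used only for the tie-break
    priority: int                            # failover-group priority, 1..255
    active_vap_threshold: int
    vap_priority_delta: int                  # 'priority-delta' under 'vrrp vap-group'
    circuit_priority_delta: Dict[str, int]   # 'priority-delta' per virtual-router circuit


@dataclass
class ChassisState:
    active_vaps: int
    circuits_down: FrozenSet[str] = frozenset()


# Chassis A: the values from the example above. Chassis B: constructed, with a
# priority chosen between A's priority and A's priority minus the smallest delta.
CHASSIS_A = VrrpConfig("A", "172.16.1.10", 200, 3, 60, {"mltv1": 100, "mltv2": 100})
CHASSIS_B = VrrpConfig("B", "172.16.1.20", 150, 3, 60, {"mltv1": 100, "mltv2": 100})


def effective_priority(cfg: VrrpConfig, st: ChassisState) -> int:
    if not 1 <= cfg.priority <= 255:
        raise ValueError("VRRP priority must be 1..255")
    p = cfg.priority
    if st.active_vaps < cfg.active_vap_threshold:
        p -= cfg.vap_priority_delta
    for circ in st.circuits_down:                    # assumption: link loss subtracts the VR delta
        p -= cfg.circuit_priority_delta.get(circ, 0)
    return max(p, 0)                                 # assumption: floored at 0


def elect_master(configs: List[VrrpConfig], states: Dict[str, ChassisState]) -> str:
    """Highest effective priority wins; ties go to the higher CPM address (assumed VRRP tie-break)."""
    return max(configs,
               key=lambda c: (effective_priority(c, states[c.name]), ipaddress.ip_address(c.cpm_ip))).name


def backup_priority_range(master: VrrpConfig) -> Tuple[int, int]:
    """Backup priorities for which every single failure on the master fails over
    while a healthy master still wins: strictly between master - smallest delta and master."""
    smallest = min([master.vap_priority_delta, *master.circuit_priority_delta.values()])
    return master.priority - smallest + 1, master.priority - 1


def failover_table(a: VrrpConfig, b: VrrpConfig) -> Dict[str, str]:
    """Which chassis is master under a set of failure scenarios."""
    ok = ChassisState(active_vaps=a.active_vap_threshold)
    scenarios = {
        "all healthy": (ok, ok),
        "A loses one VAP": (ChassisState(ok.active_vaps - 1), ok),
        "A loses mltv1 link": (ChassisState(ok.active_vaps, frozenset({"mltv1"})), ok),
        "A loses one VAP and mltv1": (ChassisState(ok.active_vaps - 1, frozenset({"mltv1"})), ok),
        "both lose one VAP": (ChassisState(ok.active_vaps - 1), ChassisState(ok.active_vaps - 1)),
    }
    return {name: elect_master([a, b], {a.name: sa, b.name: sb}) for name, (sa, sb) in scenarios.items()}


if __name__ == "__main__":
    print("backup priority should be within", backup_priority_range(CHASSIS_A))
    for scenario, master in failover_table(CHASSIS_A, CHASSIS_B).items():
        print(f"{scenario:28s} -> {master}")
    # With the default priority of 100 on B, losing one VAP on A (200 - 60 = 140) does not fail over.
    default_b = VrrpConfig("B", "172.16.1.20", 100, 3, 60, {"mltv1": 100, "mltv2": 100})
    print("B at default 100, A loses one VAP ->", failover_table(CHASSIS_A, default_b)["A loses one VAP"])
```

With chassis B left at the default priority of 100, losing a single VAP on chassis A drops A to 140 and A stays master, so that failure never fails over; losing a traffic circuit brings A to exactly 100, which only the tie-break decides. backup_priority_range gives the window (141 to 199 for the values above) in which a backup priority reacts to every single failure while a healthy master keeps the role.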

6 Managing and Monitoring the Application Installed on the X-Series Platform

This chapter describes the methods that you can use to manage and monitor Check Point Security Gateway
R70 when it is installed on a Crossbeam X-Series Platform. This chapter also describes the procedures that
you can use to backup and restore the VAP group on which Check Point Security Gateway R70 is installed on
an X-Series Platform.

This chapter contains the following sections:


 Managing the Application on page 45
 Monitoring the Application on page 57

Managing the Application


This section contains the following information:
 XOS Command Line Interface (CLI) on page 46
 Entering License Information on page 46
 Enabling and Disabling Check Point Products SNMP daemon on page 47
 Changing the Secure Internal Communication (SIC) Key on page 47
 Enabling and Disabling High Availability/State Synchronization on page 48
 Installing and Uninstalling Performance Pack on page 49
 Enabling and Disabling SecureXL on page 49
 Configuring Check Point CoreXL on page 50
 Adding and Removing VAP Group Members on page 52
 Performing VAP Group Backups and Restores on page 54
 Deleting a VAP Group Archive on page 56

XOS Command Line Interface (CLI)
This section describes the basic XOS CLI application commands.

IMPORTANT: With the exception of the show application command, the commands described in this
section only work if the following conditions are met:
 The primary CPM, the NPM(s), and the VAPs in the application's VAP group are UP.
 The management circuit is configured, and the physical link to the management interface is UP.

Use the following commands at the XOS CLI prompt to perform basic application management. For more
information on using the XOS CLI to manage applications, see the XOS Command Reference Guide, XOS
V8.5 and the XOS Configuration Guide, XOS V8.5.
 Start Check Point Security Gateway R70:
CBS# application CPSG vap-group <VAP_group_name> start
 Configure an application using the Check Point Security Gateway Configuration Menu:
CBS# application CPSG vap-group <VAP_group_name> configure
 Stop Check Point Security Gateway R70 on a VAP group:
CBS# application CPSG vap-group <VAP_group_name> stop
 Restart Check Point Security Gateway R70 on a VAP group:
CBS# application CPSG vap-group <VAP_group_name> restart
 Update the VAP group to install Check Point Security Gateway R70 on any new VAPs that you added to
the group after the initial configuration.
CBS# application-update vap-group <VAP_group_name>
 Display Check Point Security Gateway R70 status on all VAP groups or on a specified VAP group.
CBS# show application vap-group <VAP_group_name>

The XOS health system polls application processes on each VAP in the VAP group every five seconds. If the
application is not running on a VAP, the health system notifies the NPM to stop new flows to this VAP. You can
verify this behavior using the show flow distribution command. The X-Series Platform performs this
process dynamically without modifying the VAP group’s load balance list. However, application monitoring
cannot detect process hangs. If the process is not functioning but is still running, the XOS health system will
continue to report the application as running.

Entering License Information


If you choose not to enter the license information during the installation interview, and want to enter
information now, perform the following steps:
1. Access the Check Point Security Gateway Configuration Menu from the XOS by entering the following
command:
CBS# application CPSG vap-group <VAP_group_name> configure
The Check Point Security Gateway Configuration Menu appears.
2. Select Licenses.
3. Enter the following information for the VAP group:
 IP Address
 Expiration date

 Signature Key
 SKU/Features
4. Enter n at the “Are any changes needed?” prompt to apply the configuration changes to the VAP
group.
You are returned to the Check Point Security Gateway Configuration Menu after the configuration
changes are complete.
5. Select Exit to return to the XOS CLI.

Enabling and Disabling Check Point Products SNMP daemon


Enable the Check Point SNMP daemon only if your monitoring requires it, and restrict which hosts can
reach it. To enable or disable the Check Point products SNMP daemon, perform the following steps:
1. Access the Check Point Security Gateway Configuration Menu from the XOS by entering the following
command:
CBS# application CPSG vap-group <VAP_group_name> configure
The Check Point Security Gateway Configuration Menu appears.
2. Select SNMP Extension.
3. Select one of the following:
 If Check Point product’s SNMP daemon was disabled, enter y at the “Do you want to activate
Check Point products SNMP daemon?” prompt to enable it, and press Enter.
 If Check Point product’s SNMP daemon was enabled, enter n at the “Do you want Check Point
products SNMP daemon to remain activated?” prompt to disable it, and press Enter
4. Enter n at the “Are any changes needed?” prompt and press Enter to apply the configuration
changes to the VAP group.
You are returned to the Check Point Security Gateway Configuration Menu after the configuration
changes are complete.
5. Select Exit to return to the XOS CLI.
6. Restart the application:
CBS# application CPSG vap-group <VAP_group_name> restart

Changing the Secure Internal Communication (SIC) Key


When the SIC key is changed, communication with the Management Station stops until the application is
restarted and completes reinitialization, and trust must then be re-established from the Management Station.

To change the SIC key, perform the following steps:


1. Access the Check Point Security Gateway Configuration Menu from the XOS by entering the following
command:
CBS# application CPSG vap-group <VAP_group_name> configure
The Check Point Security Gateway Configuration Menu appears.
2. Select Secure Internal Communication.
3. Enter the new key in the Password field, and press Enter.
4. Enter n at the “Are any changes needed?” prompt to apply the configuration changes to the VAP
group.

You are returned to the Check Point Security Gateway Configuration Menu after the configuration
changes are complete.
5. Select Exit to return to the XOS CLI.
6. Restart the application:
CBS# application CPSG vap-group <VAP_group_name> restart
7. Use the Check Point Management Station to perform the following:
a. Set the Secure Internal Communication (SIC).
b. Get the topology.
c. Download policies to the Cluster object.

Enabling and Disabling High Availability/State Synchronization


To enable or disable HA, perform the following steps:
1. Access the Check Point Security Gateway Configuration Menu from the XOS by entering the following
command:
CBS# application CPSG vap-group <VAP_group_name> configure
The Check Point Security Gateway Configuration Menu appears.
2. Select High Availability/State Synchronization.
3. Select from one of the following:
 If HA was disabled, enter y at the “Do you want to enable High Availability/State
Synchronization?” prompt to enable it, and press Enter.
 If HA was enabled, enter n at the “Do you want High Availability/State
Synchronization to remain enabled?” prompt to disable it, and press Enter.
4. Enter n at the “Are any changes needed?” prompt and press Enter to apply the configuration
changes to the VAP group.
You are returned to the Check Point Security Gateway Configuration Menu after the configuration
changes are complete.
5. Select Exit to return to the XOS CLI.
6. Reboot the VAP group, using the following command:
CBS# reload vap-group <VAP_group_name>
7. On the Check Point Management Station:
If you enabled HA:
(1) Create a Gateway Cluster object and include each VAP as a cluster member.
(2) Set the Secure Internal Communication (SIC).
(3) Get the topology.
(4) Set the synchronization network.
(5) Download policies to the Gateway Cluster object.
If you disabled HA:
(1) Remove all VAPs from the Gateway Cluster object.
(2) Delete the Gateway cluster object.
(3) Download new policies to the Cluster objects.

Installing and Uninstalling Performance Pack
To install or uninstall Performance Pack, perform the following steps:
1. Access the Check Point Security Gateway Configuration Menu from the XOS by entering the following
command:
CBS# application CPSG vap-group <VAP_group_name> configure
The Check Point Security Gateway Configuration Menu appears.
2. Select Check Point Optional Packages.
3. Select one of the following:
 To install Performance Pack:
a. Enter y at the “Install Performance Pack?” prompt and press Enter.
b. If the administrative state of SecureXL was set to disabled, enter y at the “Do you want to
enable SecureXL?” prompt and press Enter.
 To uninstall Performance Pack:
a. Enter n at the “Do you want Performance Pack to remain installed?” prompt and
press Enter.
b. If the administrative state of SecureXL was set to enabled, enter n at the “Do you want
SecureXL to remain administratively enabled?” prompt and press Enter.
4. Enter n at the “Are any changes needed?” prompt and press Enter to apply the configuration
changes to the VAP group.
You are returned to the Check Point Security Gateway Configuration Menu after the configuration
changes are complete.
5. Select Exit to return to the XOS CLI.
6. Reboot the VAP group, using the following command:
CBS# reload vap-group <VAP_group_name>

Enabling and Disabling SecureXL


To enable or disable SecureXL, perform the following steps:
1. Access the Check Point Security Gateway Configuration Menu from the XOS by entering the following
command:
CBS# application CPSG vap-group <VAP_group_name> configure
The Check Point Security Gateway Configuration Menu appears.
2. Select Check Point SecureXL.
3. Select from one of the following:
 If Check Point SecureXL was disabled, enter y at the “Do you want to enable Check Point
SecureXL?” prompt to enable it, and press Enter.
 If Check Point SecureXL was enabled, enter n at the “Do you want Check Point SecureXL
to remain enabled?” prompt to disable it, and press Enter.
4. Enter n at the “Are any changes needed?” prompt and press Enter to apply the SecureXL
configuration changes to the VAP group.
You are returned to the Check Point Security Gateway Configuration Menu after the configuration
changes are complete.
5. Select Exit to return to the XOS CLI.

6. Restart the application:
CBS# application CPSG vap-group <VAP_group_name> restart

Configuring Check Point CoreXL


This section provides information about changing the Check Point CoreXL configuration on the XOS. See
CoreXL Configuration Requirements on page 20, and the Check Point documentation for additional
configuration information.

This section includes the following information:


 Enabling Check Point CoreXL on page 50
 Disabling Check Point CoreXL on page 51
 Changing the Number of CoreXL Firewall Instances on page 51

Enabling Check Point CoreXL


If Check Point CoreXL was not enabled during the application installation, and you want to enable it, perform
the following steps:
1. Access the Check Point Security Gateway Configuration Menu from the XOS by entering the following
command:
CBS# application CPSG vap-group <VAP_group_name> configure
The Check Point Security Gateway Configuration Menu appears.
2. Select Check Point CoreXL.
3. Enter y at the “Do you want to enable CoreXL” prompt to enable CoreXL.

IMPORTANT: Please enter ? to read important information about CoreXL before entering the number of
firewall instances to enable.

IMPORTANT: At the time of this release, Crossbeam recommends using only the 8-core APM with six
firewall instances.
4. Enter the number of firewall instances to enable, and press Enter.
NOTE: If you choose to enable CoreXL on an APM that has fewer than 8 cores, Check Point
recommends two firewall instances for the 2-core APM and three firewall instances for the
4-core APM.
5. Enter n at the “Are any changes needed?” prompt and press Enter to apply the CoreXL
configuration changes to the VAP group.
You are returned to the Check Point Security Gateway Configuration Menu after the configuration
changes are complete.
6. Select Exit to return to the XOS CLI.
7. Reboot the VAP group, using the following command:
CBS# reload vap-group <VAP_group_name>

Disabling Check Point CoreXL
If Check Point CoreXL was enabled during the application installation and you want to disable it, perform the
following steps:
1. Access the Check Point Security Gateway Configuration Menu from the XOS by entering the following
command:
CBS# application CPSG vap-group <VAP_group_name> configure
The Check Point Security Gateway Configuration Menu appears.
2. Select Check Point CoreXL.
3. Enter n at the “Do you want CoreXL to remain enabled” prompt, and press Enter to disable
CoreXL.
4. Enter n at the “Are any changes needed?” prompt to apply the CoreXL configuration changes to the
VAP group, and press Enter.
You are returned to the Check Point Security Gateway Configuration Menu after the configuration
changes are complete.
5. Select Exit to return to the XOS CLI.
6. Reboot the VAP group, using the following command:
CBS# reload vap-group <VAP_group_name>

Changing the Number of CoreXL Firewall Instances


Please see CoreXL Configuration Requirements on page 20 before changing the firewall instances.

To change the number of CoreXL firewall instances, perform the following steps:
1. Access the Check Point Security Gateway Configuration Menu from the XOS by entering the following
command:
CBS# application CPSG vap-group <VAP_group_name> configure
The Check Point Security Gateway Configuration Menu appears.
2. Select Check Point CoreXL.
3. Enter y at the “Do you want CoreXL to remain enabled” prompt.

IMPORTANT: Please enter ? to read important information about CoreXL before entering the number of
firewall instances to enable.
4. Enter the number of firewall instances to enable and press Enter.
5. Enter n at the “Are any changes needed?” prompt, and press Enter to apply the CoreXL
configuration changes to the VAP group.
You are returned to the Check Point Security Gateway Configuration Menu after the configuration
changes are complete.
6. Select Exit to return to the XOS CLI.
7. Reboot the VAP group, using the following command:
CBS# reload vap-group <VAP_group_name>

Adding and Removing VAP Group Members
This section describes how to perform the following tasks:
 Adding a VAP to a VAP Group on page 52
 Removing a VAP from a VAP Group on page 53

Adding a VAP to a VAP Group


To add a VAP to Check Point Security Gateway R70’s VAP group, perform the following steps:
1. Acquire and install an APM.

IMPORTANT: Make sure the new APM meets the requirements listed in Hardware Requirements on page 17
and the Software Requirements on page 18. The new APM’s hardware configuration must
match the hardware configuration of all other APMs in the VAP group.
2. Increment the IP address range for the management circuit:
CBS# configure circuit <management_circuit_name> vap-group <VAP_group_name>

CBS(conf-cct-vapgroup)# ip <ip_address_of_first_VAP_in_group>/<netmask>
<broadcast_address> increment-per-vap <ip_address_of_last_vap_in_group>
CBS(conf-cct-vapgroup-ip)# end
3. Increment the IP address range for the synchronization circuit:
CBS# configure circuit <sync_circuit_name>
CBS(conf-cct)# vap-group <VAP_group_name>
CBS(conf-cct-vapgroup)# ip <ip_address_of_first_VAP_in_group>/<netmask>
<broadcast_address> increment-per-vap <ip_address_of_last_vap_in_group>
CBS(conf-cct-vapgroup-ip)# end
4. Increment the Check Point Security Gateway R70 VAP group VAP count, and set the max load count to
the number of active VAP members in the VAP group:
NOTE: The max load count does not have to equal the VAP count, because pre-staged installation and
pre-staged configuration allow the change to be applied to the VAP when the APM becomes available.
CBS# configure vap-group <VAP_group_name>
CBS(config-vap-grp)# vap-count <new_VAP_count>
CBS(config-vap-grp)# max-load-count <number_of_APMs_in_group>
5. Reconfigure the APM list for the VAP group to add the new APM to the group:
CBS(config-vap-grp)# ap-list <apm_module_name1> [<apm_module_name2>]
[<apm_module_name3>] ...
where <apm_module_name> is the name that the XOS has assigned to the APM. (Use the show
chassis command to determine the assigned names of the APMs in your chassis.)
6. Configure the load-balance VAP list for the VAP group so that the new VAP does not receive any flows.
The new APM will have the highest index number in the VAP group. Leave this index number off the
load-balance VAP list.
CBS(config-vap-grp)# load-balance-vap-list <index1> <index2> [<index3>] ...
CBS(config-vap-grp)# end
7. Use the following commands to verify that the new APM has the correct firmware installed on it. If the
revs_check script prompts you to do so, follow the instructions in the XOS Configuration Guide, XOS
V8.5 to update the firmware on the new APM.
CBS# unix su
[root@xxxx admin]# /crossbeam/bin/revs_check

8. Verify that the VAP group is UP by entering the following command:
CBS# show ap-vap-mapping
9. Install Check Point Security Gateway R70 on the new VAP by entering the CLI command:
CBS# application-update vap-group <VAP_group_name>
10. Reboot the new VAP so that the installation can take effect. Use the following command:
CBS# reload vap-group <VAP_group_name> <VAP_group_member_index_number>
11. After the reboot is complete, use the show application vap-group <VAP_group_name>
command to verify that the application is running on the new VAP.
For example, if a new VAP is added to a VAP group named fwvpn, resulting in a VAP group with two
VAPs, the command produces the following output:
CBS# show application vap-group fwvpn
VAP Group : fwvpn
App ID : CPSG
Name : Check Point Security Gateway
Version : R70
Release : 2.0.0.0-9
Start on Boot : yes
App Monitor : on
App State(fwvpn_1) : Up
App State(fwvpn_2) : Up
CBS#

12. Use the Check Point Management Station to configure the application on the new VAP.
a. Create a Gateway Cluster object, and include the new VAP as a cluster member.
b. Set the Secure Internal Communication (SIC).
c. Get the topology.
d. Set the Synchronization network.
e. Download policies to the Cluster object.
13. Add the new VAP back into the load balance VAP list:
CBS# configure vap-group <VAP_group_name>
CBS(config-vap-grp)# load-balance-vap-list <index1> <index2> [<index3>] ...
CBS(config-vap-grp)# end

Removing a VAP from a VAP Group


Perform the following steps to remove a VAP from a Check Point Security Gateway R70’s VAP group.
1. Use the following commands to remove the VAP from the load-balance VAP list, so that it no longer
receives new flows.
NOTE: You can only remove the VAP with the highest index number. Exclude this VAP from the list.
CBS# configure vap-group <VAP_group_name>
CBS(config-vap-grp)# load-balance-vap-list <index1> <index2> [<index3>] ...
2. Reconfigure the APM list for the VAP group to remove the APM from the group:
CBS(config-vap-grp)# ap-list <apm_module_name1> [<apm_module_name2>]
[<apm_module_name3>] ...
where <apm_module_name#> is the name that the XOS has assigned to the APM. (Use the show
chassis command to determine the assigned names of the APMs in your chassis.)

3. Decrement the Check Point Security Gateway R70 VAP group’s VAP count:
CBS(config-vap-grp)# vap-count <new_VAP_count>
CBS(config-vap-grp)# end
4. Reconfigure the IP address range to reclaim the IP address for the VAP that you have just removed from
the VAP group:
CBS# configure circuit <circuit_name> vap-group <vap_group_name>
CBS(conf-cct-vapgroup)# ip <ip_address_of_first_VAP_in_group>/<netmask>
<broadcast_address> increment-per-vap <ip_address_of_last_vap_in_group>
CBS(conf-cct-vapgroup-ip)# end
5. Use the Check Point Management Station to perform the following:
a. Detach the gateway where the member was removed from the cluster.
b. Get the topology.
c. Download policies to the cluster object.

Performing VAP Group Backups and Restores


You can create multiple backup archives of VAP groups where Check Point Security Gateway R70 is
installed. The backup archives are stored on the X-Series Platform. In case of an application failure, you can
select from the backup archives to restore the VAP group to a previous state in which the application is known
to be fully functional.

The following sections describe the backup and restore functionality provided for Check Point Security
Gateway R70:
 Restrictions on page 54
 Backing Up a VAP Group on page 54
 Restoring a VAP Group on page 55
 Deleting a VAP Group Archive on page 56

Restrictions
The VAP group backup and restore functionality has the following restrictions:
 This functionality is available only from the XOS CLI.
 You cannot use the EMS to perform application backups and restores.
 You cannot back up and restore a VAP group to or from a remote location.
 You cannot back up and restore the APM’s local hard drive.
 You cannot back up and restore any VAP group on which Check Point Security Gateway R70 is not
installed.
 The X-Series Platform must have at least 500 MB of free space for each VAP group archive.

Backing Up a VAP Group


To create a backup archive of a VAP group on which Check Point Security Gateway R70 is installed on the
X-Series Platform:
1. Enter the following CLI command:
CBS# archive-vap-group backup vap-group <vap_group_name>

2. The XOS checks to be sure that you have enough disk space to perform the operation, and displays the
following text as it performs this test:
Calculating available and required space........................... Done
3. The VAP group must be shut down during a backup operation. Therefore, the CLI prompts you to confirm
the backup operation. Enter y to confirm the backup operation.
During backup the vap-group will be disabled. Continue? <Y or N> [Y]: y
4. The XOS executes the backup operation and displays the progress of the operation.
For example, the following text appears when the XOS backs up a VAP group named fwvpn containing
two VAPs, and the archive is being stored on the X-Series Platform:
NOTE: A backup operation may take a significant amount of time to complete.
Waiting for vap group to go down ... Done
Backing up fwvpn_1 Archive 1 to /tftpboot/archives/fwvpn/1................Done
Backing up fwvpn_2 Archive 1 to /tftpboot/archives/fwvpn/1...............Done
Backing up fwvpn_common Archive 1 to /tftpboot/archives/fwvpn/1................Done
Creating MD5 sum file....Done
CBS#

When the example backup is complete, the VAP group archive is stored in /tftpboot/archives/fwvpn/1 on the
CPM. Archive numbers are automatically appended to the VAP group file. The first time a VAP group is
backed up, the archive number starts at 1. The archive number increments by one for each successive
backup.

The directory will contain the following:


 A gzipped tar file containing each VAP’s file system and the VAP group’s common file system
 A file containing information about the backup (archive_info.txt)

Restoring a VAP Group


To restore a VAP group using a backup archive stored on the XOS, perform the following steps:
1. Enter the following CLI command:
CBS# archive-vap-group restore vap-group <VAP_group_name> archive
<archive_number>
IMPORTANT: Before entering this command, make sure the archive stored on the CPM was created from a
VAP group with the same VAP count, XOS version, application name, application version, and
application release as the VAP group you want to restore. The restore operation will fail if any
of these parameters are not the same for the backup archive and the VAP group to be
restored.
2. All of the VAPs in a VAP group must be shut down during a restore operation (even the VAPs that are
functional). Therefore, the CLI prompts you to confirm the restore operation. Press Enter to confirm the
restore operation, or enter n and press Enter to cancel the operation.
During restore the vap-group will be disabled. Continue? <Y or N> [Y]: y
3. The XOS executes the restore operation and displays the progress of the operation.
For example, the following text appears as the XOS is restoring a VAP group named fwvpn containing
two VAPs:
NOTE: A restore operation may take a significant amount of time to complete.
Checking MD5 sums...
Calculating available and required space.......Done
During restore the vap-group will be disabled. Continue? <Y or N> [Y]: y
Waiting for vap group to go down ... Done
Restoring vap-group fwvpn 1. This may take several minutes...
Removing old temporary files ... Done
Extracting fwvpn_1 archive......................................... Done
Extracting fwvpn_2 archive......................................... Done
Extracting fwvpn_common archive.................................... Done
Restoring VapGroup fwvpn
fwvpn_common restoration has completed
fwvpn_1 restoration has completed
fwvpn_2 restoration has completed
VAP Group fwvpn restoration completed
Cleaning up temporary files...................................... Done
CBS#
4. After the VAP group has rebooted, use the following command to verify that the application has restarted
(provided that the application is configured to start on boot):
CBS# show archive vap-group <vap_group_name>
For example, the following text appears for the restore operation:
VAP Group : fwvpn
Archive Number : 1
VAP Count : 2
VAP OS version : xslinux_v5
XOS version : 8.5.0-86
Application : CPSG
Application Version : R70
Application Release : 2.0.0.0-9
Date : Fri Jan 30 14:53:25 EST 2009
Archive Location : /tftpboot/archives/fwvpn/1
Archive Size : 419624

VAP Group : fwvpn
Archive Number : 2
VAP Count : 2
VAP OS version : xslinux_v5
XOS version : 8.5.0-86
Application : CPSG
Application Version : R70
Application Release : 2.0.0.0-9
Date : Fri Feb 6 11:46:51 EST 2009
Archive Location : /tftpboot/archives/fwvpn/2
Archive Size : 1095600
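The IMPORTANT note above lists the parameters that must match between an archive and the VAP group before a restore. The following Python script is an added example (not part of this guide or of the XOS software) that automates that pre-restore check: it parses the output of show application vap-group and show archive vap-group in the form shown in this guide and reports, for each archive, which of VAP count, XOS version, application, application version and application release differ from the live VAP group. Because show application vap-group does not print the XOS version, the script takes it as a parameter (an assumption of the example; on the platform you would read it from the XOS). Both sample outputs are constructed copies of the listings above.

```python
"""Pre-restore compatibility check for XOS VAP group archives (added example)."""

# Constructed sample: the two-archive listing from this guide's "show archive vap-group" example.
SHOW_ARCHIVE_OUTPUT = """\
VAP Group : fwvpn
Archive Number : 1
VAP Count : 2
VAP OS version : xslinux_v5
XOS version : 8.5.0-86
Application : CPSG
Application Version : R70
Application Release : 2.0.0.0-9
Date : Fri Jan 30 14:53:25 EST 2009
Archive Location : /tftpboot/archives/fwvpn/1
Archive Size : 419624

VAP Group : fwvpn
Archive Number : 2
VAP Count : 2
VAP OS version : xslinux_v5
XOS version : 8.5.0-86
Application : CPSG
Application Version : R70
Application Release : 2.0.0.0-9
Date : Fri Feb 6 11:46:51 EST 2009
Archive Location : /tftpboot/archives/fwvpn/2
Archive Size : 1095600
"""

# Constructed sample: the "show application vap-group fwvpn" listing from this guide.
SHOW_APPLICATION_OUTPUT = """\
VAP Group : fwvpn
App ID : CPSG
Name : Check Point Security Gateway
Version : R70
Release : 2.0.0.0-9
Start on Boot : yes
App Monitor : on
App State(fwvpn_1) : Up
App State(fwvpn_2) : Up
"""

# Fields the guide says must match between the archive and the VAP group for a restore to succeed.
MATCH_KEYS = ("VAP Group", "VAP Count", "XOS version", "Application",
              "Application Version", "Application Release")


def parse_records(text):
    """Turn 'Key : Value' lines into dicts, starting a new record at each blank line."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(" : ")
        if sep:  # ignore prompts or other lines that are not Key : Value
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def describe_vap_group(show_application_text, xos_version):
    """Build the descriptor of the live VAP group; xos_version is supplied by the caller
    because show application vap-group does not print it (assumption of this example)."""
    rec = parse_records(show_application_text)[0]
    states = {k[len("App State("):-1]: v for k, v in rec.items() if k.startswith("App State(")}
    return {
        "VAP Group": rec["VAP Group"],
        "VAP Count": str(len(states)),          # one App State line per VAP member
        "XOS version": xos_version,
        "Application": rec["App ID"],
        "Application Version": rec["Version"],
        "Application Release": rec["Release"],
        "states": states,
    }


def compatible_archives(show_archive_text, target):
    """Return [(archive_number, [mismatched keys]), ...]; an empty list means the archive is usable."""
    results = []
    for arc in parse_records(show_archive_text):
        mismatches = [k for k in MATCH_KEYS if arc.get(k) != target[k]]
        results.append((int(arc["Archive Number"]), mismatches))
    return results


def newest_compatible(show_archive_text, target):
    """Highest archive number that passes every check, or None."""
    usable = [n for n, mism in compatible_archives(show_archive_text, target) if not mism]
    return max(usable) if usable else None


if __name__ == "__main__":
    target = describe_vap_group(SHOW_APPLICATION_OUTPUT, xos_version="8.5.0-86")
    for number, mismatches in compatible_archives(SHOW_ARCHIVE_OUTPUT, target):
        print(number, "OK" if not mismatches else "mismatch: " + ", ".join(mismatches))
    print("restore candidate:", newest_compatible(SHOW_ARCHIVE_OUTPUT, target))
```

Run against the two sample listings, both archives pass and archive 2 is the newest candidate; changing the supplied XOS version to anything other than 8.5.0-86 marks both archives as mismatched on that field, which is the condition under which the guide says the restore would fail.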

Deleting a VAP Group Archive


To delete a local VAP group backup archive, enter the following command:
CBS# archive-vap-group delete vap-group <VAP_group_name>

The XOS deletes the VAP group’s archive directory and all of the files in it, and displays the progress of the
operation. For example, the following text appears as the XOS is deleting the archive for a VAP group called
fwvpn:
CBS# archive-vap-group delete vap-group fwvpn
Deleting archive for VAP Group fwvpn ... Done
CBS#

Monitoring the Application
The following sections describe the tools that you can use to monitor Check Point Security Gateway R70
once it is installed on an X-Series Platform.
 XOS Application Monitoring on page 57
 SNMP Health and Monitoring on page 59

XOS Application Monitoring


Application monitoring is enabled by default when you create a VAP group. You can choose to disable a VAP
group’s application monitoring by using the no application-monitor command. See Disabling a VAP
Group’s Application Monitoring on page 58 for configuration information.

In this section:
 Displaying Application Information on page 57
 Displaying VAP Group Application Information on page 57
 Disabling a VAP Group’s Application Monitoring on page 58
 Enabling a VAP Group for Application Monitoring on page 59

Displaying Application Information


The following command displays available applications loaded on the CPM:
CBS# show application

The following example shows that Check Point Security Gateway R70 is available for installation on any VAP
group.
CBS# show application
App ID : CPSG
Name : Check Point Security Gateway
Version : R70
Release : 2.0.0.0-9
CBI Version : 1.2.0.0

Displaying VAP Group Application Information


The following command displays information about the application installed on the VAP groups configured on
the X-Series Platform:
CBS# show application vap-group [<vap_group_name>]

The following example shows the state of the application on VAP group fwvpn. See Table 3 on page 58 for
descriptions of the information provided.
CBS# show application vap-group fwvpn
VAP Group : fwvpn
App ID : CPSG
Name : Check Point Security Gateway
Version : R70
Release : 2.0.0.0-9
Start on Boot : yes
App Monitor : on
App State(fwvpn_1) : Up
App State(fwvpn_2) : Up

Table 3. VAP Group Application Information

Column/Row Heading    Information Provided

VAP Group             Name of the VAP group on which the application is installed.
App ID                Application identifier that Crossbeam has assigned to the application.
Name                  Application name.
Version               Application version.
Release               Application release number.
Start on boot         Indicates whether the application automatically starts running when you boot up
                      the VAP group:
                       on — Application automatically starts up when you boot up the VAP group.
                       off — You must manually start up the application each time you boot up the
                      VAP group.
App Monitor           Indicates whether application monitoring is enabled (on) or disabled (off) on the
                      VAP group on which the application is installed. By default, application monitoring
                      is enabled (on).
                      If application monitoring is enabled (on), and the application is not running on a
                      VAP, the health system notifies the NPM to stop new flows to the VAP. The NPM
                      performs this process dynamically without modifying the VAP group’s load balance
                      list.
App State             Indicates the current state of the application on the VAP with the VAP index
                      number n. The show application vap-group command displays the current state of
                      the application on each VAP on which an application is installed.
                      Possible application states are:
                       Up — Application is running on the VAP.
                       Down — Application is not running on the VAP, but the APM on which the VAP
                      is loaded is functional.
                       Initializing — The application is rebooting.
                       Not Monitored — Application monitoring is disabled on the VAP group on
                      which the application is installed. Therefore, XOS is unable to determine the
                      current state of the application on any VAP.

You can use the CLI show flow distribution command to verify that no new flows are directed to VAPs
that are in a down state.

NOTE: Application monitoring cannot detect process hangs. If a process is not functioning, but the
application is still running, the XOS health system will continue to report the application as running.

Disabling a VAP Group’s Application Monitoring


When application monitoring on a VAP group is disabled, the application’s state for flow control calculation for
that VAP group is ignored.

To disable application monitoring on a VAP group, enter the following command:


CBS# configure vap-group <VAP_group_name> no application-monitor

Enabling a VAP Group for Application Monitoring
If you disabled a VAP group’s application monitoring and want to return to the default setting of enabled, enter
the following command:
CBS# configure vap-group <VAP_group_name> application-monitor

SNMP Health and Monitoring


The X-Series Platform supports SNMP versions 1 and 2c and the notification types Trap and Inform
(Inform with version 2c only). This section describes how to use the SNMP server embedded on the
CPM to configure X-Series Platform-specific SNMP health monitoring and SNMP traps. See the XOS
Configuration Guide, XOS V8.5 for a list of Crossbeam MIBs and OID entries.

The main topics in this section are:


 Configuring Trap Destinations on page 59
 Displaying SNMP Trap Log on page 60
 Allowing SNMPv3 User Access on page 60
 Enabling Check Point SNMP MIB Polling on page 61

Configuring Trap Destinations


Use the following to configure a trap destination:
 Host IP Address
 SNMP Version (V1 or V2c)
 Notification Type (traps or informs)
 Community String to identify the trap.

To configure a trap destination, enter the following command:


CBS# configure snmp-server host <host_ip_addr> [traps|informs] [version 1|2c]
<community-string> [udp-port <port_number>]

For example:
CBS# configure snmp-server host 10.1.1.29 traps version 2c private
CBS# configure snmp-server host 10.1.1.29 informs version 1 public

To delete a host, enter the following command:


CBS# configure no snmp-server host <host_ip_addr> <community_string>

NOTE: If the host that you want to delete currently receives informs, you must specify the informs parameter
with this command.

Displaying SNMP Trap Log
The XOS software maintains a rotating log of the last 100 SNMP traps issued by the X-Series Platform. A trap
is counted only once even though it may have been sent to several destinations. Associated trap variables,
for example, sysUpTime, as well as Date and Time are also recorded in the log.

To display the SNMP trap log, enter the following command:


CBS# show traplog

The following example shows a partial display of an SNMP trap log:


CBS# show traplog

Trap Description : cbsHwModuleStatusChanged


Trap OID : .1.3.6.1.4.1.6848.4.1.14
sysUpTime : 23:12:10
Time & Date : 2006-11-02 23:00:44.90
Num of variables : 1
Variable 1 : cbsHwModuleStatus.1 = up(4)
Variable 2 :
Other Variables :

Trap Description : cbsHwModuleStatusChanged


Trap OID : .1.3.6.1.4.1.6848.4.1.14
sysUpTime : 23:10:50
Time & Date : 2006-11-02 22:59:25.09
Num of variables : 1
Variable 1 : cbsHwModuleStatus.1 = initializing(3)
Variable 2 :
Other Variables :

The sysUpTime value is the time accumulated since the SNMP agent was configured.
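The trap log above is the record an operator reviews after a module state change. The following Python script is an added example (not part of this guide or of the XOS software) that parses the show traplog display in the form shown above into one record per trap, orders the cbsHwModuleStatusChanged events by their Time & Date field (the log is printed newest first), and reports any module whose most recent status trap is not up. The sample log is a constructed copy of the partial display above; the variable name, OID and state values are the ones this guide shows.

```python
"""Parse the XOS 'show traplog' display and summarise hardware-module status (added example)."""
import re
from datetime import datetime

# Constructed sample in the shape of this guide's partial "show traplog" display (newest trap first).
TRAPLOG_OUTPUT = """\
CBS# show traplog

Trap Description : cbsHwModuleStatusChanged
Trap OID : .1.3.6.1.4.1.6848.4.1.14
sysUpTime : 23:12:10
Time & Date : 2006-11-02 23:00:44.90
Num of variables : 1
Variable 1 : cbsHwModuleStatus.1 = up(4)
Variable 2 :
Other Variables :

Trap Description : cbsHwModuleStatusChanged
Trap OID : .1.3.6.1.4.1.6848.4.1.14
sysUpTime : 23:10:50
Time & Date : 2006-11-02 22:59:25.09
Num of variables : 1
Variable 1 : cbsHwModuleStatus.1 = initializing(3)
Variable 2 :
Other Variables :
"""

# "cbsHwModuleStatus.1 = up(4)": object name, instance index, enumerated state and its code
VAR_RE = re.compile(r"^(?P<obj>\w+)\.(?P<idx>\d+) = (?P<state>\w+)\((?P<code>\d+)\)$")


def parse_traplog(text):
    """Split the display into one dict per trap; variables become (obj, idx, state, code) tuples."""
    traps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("CBS#"):
            continue
        key, sep, value = line.partition(" : ")
        if not sep:                      # "Variable 2 :" with no value, or non-record text
            continue
        key, value = key.strip(), value.strip()
        if key == "Trap Description":    # each trap starts with this line
            traps.append({"description": value, "variables": []})
        elif not traps:
            continue
        elif key == "Trap OID":
            traps[-1]["oid"] = value
        elif key == "Time & Date":
            traps[-1]["time"] = datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")
        elif key.startswith("Variable") and value:
            m = VAR_RE.match(value)
            if m:
                traps[-1]["variables"].append(
                    (m.group("obj"), int(m.group("idx")), m.group("state"), int(m.group("code"))))
    return traps


def module_status_timeline(traps):
    """Oldest-first list of (time, module_index, state) from cbsHwModuleStatus variables."""
    events = [(t["time"], idx, state)
              for t in traps for obj, idx, state, _ in t["variables"] if obj == "cbsHwModuleStatus"]
    return sorted(events)


def current_module_status(traps):
    """Latest reported state per module index."""
    status = {}
    for _, idx, state in module_status_timeline(traps):
        status[idx] = state              # later events overwrite earlier ones
    return status


def modules_not_up(traps):
    """Module indexes whose most recent status trap is anything other than up."""
    return sorted(idx for idx, state in current_module_status(traps).items() if state != "up")


if __name__ == "__main__":
    parsed = parse_traplog(TRAPLOG_OUTPUT)
    for when, idx, state in module_status_timeline(parsed):
        print(when, "module", idx, state)
    print("modules not up:", modules_not_up(parsed))
```

On the sample log the timeline reads initializing followed by up for module 1, so nothing is reported; fed only the older trap, the script reports module 1 as not up. Because the log holds only the last 100 traps and a trap is counted once however many destinations it was sent to, a periodic run of this check is a complement to, not a replacement for, receiving the traps at the configured destinations.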

Allowing SNMPv3 User Access


You can allow SNMPv3 users to have read-only access to the X-Series Platform.

To configure access, enter the following command:


configure snmp-user <username> [no-passwords] [auth-type [md5|sha|none]]
[priv-type [des|none]] [oid <access>]

Where:

<username>                 Must be a unique name.
no-passwords               Do not prompt the user for a password. By default, the user must enter the
                           passwords configured with auth-type and priv-type.
auth-type [md5|sha|none]   Specifies the authentication method for the user. Choices include no
                           authentication (none), MD5 checksum, and SHA authentication. The default
                           is none.
priv-type [des|none]       Use des to encrypt data or none (default) to not encrypt data. If using des,
                           auth-type must be md5 or sha.
oid <access>               Specifies the MIB subtree that the user can access. For example, specify
                           “iso” for the whole tree, or “mib-2” to limit access to just the MIB objects that
                           are part of the mib-2 tree. Smaller portions of the MIB can be selected, such
                           as entering “interfaces” to restrict access to just the interface table. The
                           default is .iso.
                           The following OID formats are allowed:
                            numeric oids, such as 1.3.6.1
                            fully qualified oid names, such as .iso.org.dod
                            names directly under mib-2, such as "system", "interfaces", "at", and "ip"

Enabling Check Point SNMP MIB Polling


This section describes how to enable Check Point SNMP polling on the APMs.

To enable SNMP MIB Polling on the Check Point module:

IMPORTANT: Enabling the SNMP daemon at the Check Point level requires a restart of the firewall module.
1. Activate the Check Point products SNMP daemon from the Check Point Security Gateway Configuration
Menu. See Enabling and Disabling Check Point Products SNMP daemon on page 47 for access and
configuration information.
2. Edit $FWDIR/conf/snmp.C to set the values that the SNMP manager will see when it polls the module.
When populating an entry, enclose the value in parentheses after the keyword, for example :value (cbsfw).

IMPORTANT: Do not modify the sysobjectID module.


The following example shows modifications to the snmp.C module:
(
    : (
        : (system.sysName.0
            :value (cbsfw)
        )
        : (system.sysDescr.0
            :value ("Crossbeam Check Point Security Gateway")
        )
        : (system.sysContact.0
            :value ("Support")
        )
        : (system.sysLocation.0
            :value ("Support LAB")
        )
        : (system.sysObjectID.0
            :value (".1.3.6.1.4.1.2620.1.1")
        )
    )
    :snmp_community (
        :read (crossbeam)
        :write ()        <--- not necessary to modify only for polling
    )
)
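The snmp.C file uses Check Point’s parenthesised set format, in which each entry is :key (value) and an unnamed : (label ...) entry carries a label as its first word. The following Python script is an added example (not part of this guide or of Check Point’s software) that parses that format into a tree and then applies the checks this section implies before the file is put into service: sysObjectID.0 must still be the value shown above, the write community should stay empty when only polling is needed, and the read community should be set and not the well-known default public. The sample file is a constructed copy of the example above with the inline annotation removed; the parser handles only the subset of the format visible on this page (no multi-line strings or references).

```python
"""Parse Check Point's snmp.C set format and check it against this guide's advice (added example)."""
import re

# Constructed sample: the snmp.C fragment shown in this guide, without the inline annotation.
SAMPLE_SNMP_C = """\
(
    : (
        : (system.sysName.0
            :value (cbsfw)
        )
        : (system.sysDescr.0
            :value ("Crossbeam Check Point Security Gateway")
        )
        : (system.sysObjectID.0
            :value (".1.3.6.1.4.1.2620.1.1")
        )
    )
    :snmp_community (
        :read (crossbeam)
        :write ()
    )
)
"""

CHECKPOINT_SYSOBJECTID = ".1.3.6.1.4.1.2620.1.1"  # value shown in this guide; must not be changed

# Tokens: quoted string, parenthesis, ":key" (a bare ":" names an unnamed entry), or a bare word
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[()]|:[A-Za-z0-9_.-]*|[^\s()":]+')


def _unquote(tok):
    return tok[1:-1].replace('\\"', '"') if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_snmp_c(text):
    """Return a tree: a compound is {'name': label or None, 'items': [(key, value), ...]},
    a leaf is a plain string."""
    toks = TOKEN_RE.findall(text)
    pos = 0

    def is_word(t):
        return t not in ("(", ")") and not t.startswith(":")

    def value():
        nonlocal pos
        if toks[pos] != "(":
            raise ValueError("expected '(' at token %d" % pos)
        pos += 1
        if toks[pos] == ")":                             # "()" is an empty leaf
            pos += 1
            return ""
        if is_word(toks[pos]) and toks[pos + 1] == ")":  # "(word)" is a leaf value
            leaf = _unquote(toks[pos])
            pos += 2
            return leaf
        node = {"name": None, "items": []}
        if is_word(toks[pos]):                           # "(label :attr (...) ...)" is a labelled compound
            node["name"] = _unquote(toks[pos])
            pos += 1
        while toks[pos] != ")":
            key = toks[pos]
            if not key.startswith(":"):
                raise ValueError("expected ':key' at token %d" % pos)
            pos += 1
            node["items"].append((key[1:], value()))
        pos += 1
        return node

    return value()


def system_value(tree, object_name):
    """Value of e.g. 'system.sysObjectID.0' inside the unnamed first compound, or None."""
    for key, entry in tree["items"]:
        if key == "" and isinstance(entry, dict):
            for _, obj in entry["items"]:
                if isinstance(obj, dict) and obj["name"] == object_name:
                    return dict(obj["items"]).get("value")
    return None


def community(tree, which):
    """Read or write community string from the snmp_community compound ('' if empty)."""
    block = dict(tree["items"]).get("snmp_community")
    return dict(block["items"]).get(which) if isinstance(block, dict) else None


def check_snmp_c(text):
    """Findings a reviewer would raise before enabling polling; empty list means all clear."""
    tree = parse_snmp_c(text)
    findings = []
    if system_value(tree, "system.sysObjectID.0") != CHECKPOINT_SYSOBJECTID:
        findings.append("sysObjectID was modified; the guide says to leave it unchanged")
    if community(tree, "write"):
        findings.append("write community is set although only polling (read) is required")
    if community(tree, "read") in (None, "", "public"):
        findings.append("read community is missing or the well-known default 'public'")
    return findings
```

check_snmp_c(SAMPLE_SNMP_C) returns an empty list for the file as shown in this guide; a copy with a changed sysObjectID or a populated write community produces one finding per problem, which is the kind of check worth running on the edited file before the firewall module is restarted to activate the daemon.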

To enable SNMP MIB Polling on the SNMP manager:
1. Locate the Check Point MIB file to import into the SNMP manager. The Check Point chkpnt.mib file is
located in the following path:
$CPDIR/lib/snmp/chkpnt.mib
2. Import the file into your SNMP environment using the import method that applies to your environment.

Using Check Point SmartDashboard:


1. Create a rule for inbound traffic to the module on port 260 from the SNMP manager with the following
configuration information:
src: snmp-manager
dst: fw-ip reachable by snmp manager
service: FW1_snmp
action: accept
track: Log
2. Test the configuration to verify that Check Point SNMP MIB polling is enabled. The commands used
depend on the OS, with the exception of the port and the version commands. The following examples
show commands that you may use to test the configuration:
snmpwalk -m </path_to_snmp_mib_file> -v 1 -c <community> -p 260 <ip_of_host>
checkpoint
or
snmpwalk -m </path_to_snmp_mib_file> -v 1 -c <community> <ip_of_host>:260
checkpoint
3. To make the chkpnt.mib file ASN.1 compliant, replace all _ (underscores) with - (hyphens).
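Step 3 above is easy to get wrong with a global search-and-replace, because an underscore inside a quoted DESCRIPTION string or a -- comment is legal ASN.1 and should be left alone. The following Python script is an added example (not part of this guide or of Check Point’s software) that rewrites underscores only in identifiers outside strings and comments, and lists the identifiers that still contain one so the change can be reviewed. The MIB fragment is constructed and hypothetical, written in the general style of a vendor MIB; it is not the real chkpnt.mib.

```python
"""Replace underscores in ASN.1 identifiers only, sparing strings and comments (added example)."""
import re

# Constructed, hypothetical MIB fragment in the style of a vendor MIB; not the real chkpnt.mib.
SAMPLE_MIB = """\
-- counters for fw_module (comment text is left untouched)
fw_module OBJECT IDENTIFIER ::= { checkpoint 1 }

fw_packets OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Packets counted by fw_packets since fw_start."
    ::= { fw_module 1 }
"""


def _scan(text):
    """Yield (fragment, is_code) pairs: quoted strings and '--' comments are not code.
    An ASN.1 comment ends at the next '--' or at the end of the line."""
    i, n = 0, len(text)
    while i < n:
        if text[i] == '"':                      # quoted string, up to the closing quote
            j = text.find('"', i + 1)
            j = n if j < 0 else j + 1
            yield text[i:j], False
            i = j
        elif text.startswith("--", i):         # comment
            nl = text.find("\n", i + 2)
            nl = n if nl < 0 else nl
            dd = text.find("--", i + 2, nl)
            j = nl if dd < 0 else dd + 2
            yield text[i:j], False
            i = j
        else:                                   # code, up to the next string or comment start
            j = i
            while j < n and text[j] != '"' and not text.startswith("--", j):
                j += 1
            yield text[i:j], True
            i = j


def fix_identifiers(text):
    """Return the MIB text with '_' replaced by '-' in code only."""
    return "".join(frag.replace("_", "-") if is_code else frag for frag, is_code in _scan(text))


def find_underscore_identifiers(text):
    """Sorted, de-duplicated identifiers outside strings/comments that still contain '_'."""
    code_only = "".join(frag if is_code else " " * len(frag) for frag, is_code in _scan(text))
    return sorted({w for w in re.findall(r"[A-Za-z][A-Za-z0-9_-]*", code_only) if "_" in w})


if __name__ == "__main__":
    print("offending identifiers:", find_underscore_identifiers(SAMPLE_MIB))
    print(fix_identifiers(SAMPLE_MIB))
```

On the sample, fw_module and fw_packets are rewritten wherever they appear as identifiers, while the DESCRIPTION string and the leading comment keep their underscores; running find_underscore_identifiers on the output returns nothing, which is the condition to check before importing the file into the manager.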
