Check Point® Security Gateway R70 Installation and Configuration Guide for Crossbeam® X-Series Platforms 3
Chapter 4: Installing the Application on the X-Series Platform
    Pre-Staged Installation and Pre-Staged Configuration ..... 27
    Copying the Crossbeam Installation (CBI) Package onto the X-Series Platform ..... 27
    Installing the CBI Application Bundle ..... 28
    Verifying the CBI Installation ..... 30
    Troubleshooting the CBI Installation ..... 30
    Completing the High Availability State Synchronization Configuration ..... 31
    Uninstalling the CBI Application Bundle ..... 31
    Troubleshooting the Uninstallation ..... 31
Chapter 6: Managing and Monitoring the Application Installed on the X-Series Platform
    Managing the Application ..... 45
        XOS Command Line Interface (CLI) ..... 46
        Entering License Information ..... 46
        Enabling and Disabling Check Point Products SNMP daemon ..... 47
        Changing the Secure Internal Communication (SIC) Key ..... 47
        Enabling and Disabling High Availability/State Synchronization ..... 48
        Installing and Uninstalling Performance Pack ..... 49
        Enabling and Disabling SecureXL ..... 49
        Configuring Check Point CoreXL ..... 50
            Enabling Check Point CoreXL ..... 50
            Disabling Check Point CoreXL ..... 51
            Changing the Number of CoreXL Firewall Instances ..... 51
        Adding and Removing VAP Group Members ..... 52
            Adding a VAP to a VAP Group ..... 52
            Removing a VAP from a VAP Group ..... 53
        Performing VAP Group Backups and Restores ..... 54
            Restrictions ..... 54
            Backing Up a VAP Group ..... 54
            Restoring a VAP Group ..... 55
            Deleting a VAP Group Archive ..... 56
    Monitoring the Application ..... 57
        XOS Application Monitoring ..... 57
            Displaying Application Information ..... 57
            Displaying VAP Group Application Information ..... 57
            Disabling a VAP Group's Application Monitoring ..... 58
            Enabling a VAP Group for Application Monitoring ..... 59
        SNMP Health and Monitoring ..... 59
            Configuring Trap Destinations ..... 59
            Displaying SNMP Trap Log ..... 60
            Allowing SNMPv3 User Access ..... 60
            Enabling Check Point SNMP MIB Polling ..... 61
About This Guide
This guide describes how to install and configure Check Point Security Gateway R70 on the Crossbeam
X-Series Platform.
IMPORTANT: For the latest updates and revisions to X-Series Platform documentation, log in to the
Crossbeam Online Support Portal at www.crossbeam.com/services/online_support.php.
Intended Audience
This guide is intended for system integrators and other qualified service personnel responsible for installing,
configuring, and managing the software on the Crossbeam X-Series Platform.
Related Documentation
The following related documents are provided on the Crossbeam Documentation DVD, and are available on
the Crossbeam Customer Support Web site located at www.crossbeam.com/services/online_support.php.
XOS Configuration Guide, XOS V8.5
XOS Command Reference Guide, XOS V8.5
XOS V8.5 Release Notes
Install Server User Guide, V6.0
See the Check Point documentation for information about Check Point Security Gateway R70.
Conventions
Typographical Conventions
For paragraph text conventions, see Table 1 on page 1-6.
Typographical convention: Bold
  Types of information: Elements on the graphical user interface.
  Usage examples:
    In the IP Address field, type the IP address of the first VAP in the group.
    Click OK to close the dialog.
    Select the Print to File check box.

Typographical convention: Courier
  Types of information: Keys on the keyboard; file names, folder names, and command names; any information that you must type exactly as shown; program output text.
  Usage examples:
    Press Esc to return to the main menu.
    Save the user.txt file in the user_install directory.
    Use the start command to start the application.
    In the Username field, type Administrator.
    The X-Series operating system (XOS) CLI show calendar command displays the system calendar: Fri Mar 20 13:32:03 2009

Typographical convention: Courier Italic
  Types of information: File names, folder names, command names, or other information that you must supply.
  Usage example:
    In the Version Number field, type 8.5.patch_number.

Typographical convention: >
  Types of information: A sequence of commands from the task bar or menu bar.
  Usage examples:
    From the taskbar, choose Start > Run.
    From the main menu, choose File > Save As...
    Right-click on the desktop and choose Arrange Icons By > Name from the pop-up menu.
Table 2. Typographical Conventions Used in Command-Line Text
Columns: Typographical Convention / Types of Information / Usage Examples
Warning: Lists precautions that you must take to avoid personal injury, permanent data
loss, or equipment damage.
IMPORTANT: Lists important steps that you must perform properly or important information that you must
take into consideration to avoid performing unnecessary work.
NOTE: Provides special information or tips that help you properly understand or carry out a task.
Crossbeam Customer Support
Crossbeam offers a variety of service plans designed to meet your specific technical support requirements.
For information on purchasing a service plan for your organization, please contact your account
representative or refer to www.crossbeam.com/services/support_overview.php.
If you have purchased a Crossbeam product service plan and need technical assistance, you can report
issues by telephone:
In addition, all of our service plans include access to the Crossbeam Online Support web site located at
www.crossbeam.com/services/online_support.php.
The Crossbeam Online Support Web site provides you with access to a variety of resources, including
Customer Support Knowledge base articles, technical bulletins, product documentation, and release notes.
You can also access our real-time problem reporting application, which lets you submit new technical support
requests and view all your open requests.
Crossbeam also offers extensive customer training on all of its products. Please refer to the Crossbeam
Training and Education Web site for current course offerings and schedules located at
www.crossbeam.com/services/training_education.php.
Chapter 1: Introduction to Check Point Security Gateway R70 for Crossbeam
This chapter provides an overview of how Check Point Security Gateway R70 operates on the Crossbeam
X-Series Platform, network topology configuration options, and describes configuration options available
during the installation interview.
Overview
Check Point Security Gateway R70 provides a comprehensive security solution for very large enterprises and
organizations. It integrates access control, authentication, and encryption to guarantee the security of
network connections, the authenticity of local and remote users, and the privacy and integrity of data
communications.
The X-Series Platform can be configured to provide high availability for all three types of modules (CPMs,
NPMs, and APMs) and to provide performance scalability for NPMs and APMs.
Refer to the XOS V8.5 Release Notes for information about the X-Series Platform and modules that are
supported for use with Check Point Security Gateway R70.
Figure 1 shows how traffic flows through an X-Series Platform with Check Point Security Gateway R70
installed on two APMs in an X-Series chassis that contains two CPMs, two NPMs, and three APMs.
A VAP group is a collection of APMs configured to provide load-balanced network services to run applications
installed on the VAP group and to provide high availability to those applications in the event of an APM failure.
Check Point Security Gateway R70 is installed on a VAP group that consists of one or more VAPs. Each VAP
on which Check Point Security Gateway R70 is installed can function as a single appliance; if the VAP group
contains more than one VAP, all of the VAPs in the group act in concert with each other, forming a virtual
processing engine composed of APMs.
You must create and configure interfaces for a VAP group to enable the members of that VAP group to send
and receive traffic.
A VAP group interface has three parts:
Circuit — A virtualized Ethernet connection configured for members of a VAP group.
The primary purpose of a circuit is to provide a connection between the members of a VAP group and a
physical interface on a Network Processor Module (NPM). However, you can also configure a circuit to
provide an internal connection between members of one or more VAP groups configured on the same
X-Series Platform.
You create and configure a circuit, assign the circuit to one or more VAP groups, and configure each
VAP group to process traffic passing through the circuit.
When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit
on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs
as Linux networking interfaces.
NOTE: Some circuit configuration settings change VND configuration settings, thereby changing the
configuration of a VAP group’s Linux networking devices.
Physical interface — An Ethernet port on an NPM that you configure to pass traffic between the X-Series
Platform and an external network.
Logical interface — An interface that logically links a circuit’s VNDs to a physical interface on an NPM.
You configure a logical interface on a physical interface and then map the logical interface to a circuit that
you have assigned to one or more VAP groups. An NPM uses logical interface mapping to identify the
VNDs that send and receive traffic over each of its physical interfaces.
NOTE: You can map only one circuit to each logical interface. However, you can map multiple logical
interfaces to the same physical interface, allowing multiple circuits to pass traffic over a single
physical interface.
You can also use link aggregation to bond multiple physical interfaces to a single logical interface,
allowing one circuit to pass traffic over multiple physical interfaces.
Before you install Check Point Security Gateway R70, you must first use the XOS CLI to configure a VAP
group: define the number of VAPs in the group by setting the VAP count, and use the other parameter settings
to control the assignment of VAPs to physical APMs. See Creating and Configuring a VAP Group for the
Application on page 22 for more information.
Within XOS, application management and data interfaces have four types of components: physical interfaces,
logical interfaces, circuits, and Virtual Network Devices (VNDs). Each physical interface on the NPM that is to
pass traffic in or out of the VAP group must be mapped to one or more logical interfaces, and each logical
interface is then mapped to a circuit.
In addition, some circuits are defined and configured to provide internal connections between members of
one or more VAP groups configured on the same X-Series Platform. These circuits do not need to be mapped
to physical interfaces on the NPM unless the circuits will also be used to pass traffic to and from the X-Series
Platform, since all APMs are connected by a shared data plane.
Figure 2 shows the different components of an XOS configuration of a management or data interface.
Figure 2. XOS Configuration Components of an Application Data or Management Interface
Network Topology Configuration Options
The following sections describe the network topology configuration options for Check Point Security
Gateway R70 on an X-Series Platform.
Standalone Configuration on page 13
Standalone with Dual-Box High Availability on page 14
Standalone Configuration
Figure 3 shows Check Point Security Gateway R70 running on the X-Series Platform in a standalone
configuration.
Figure 3. Standalone
Standalone with Dual-Box High Availability
In this scenario, Check Point Security Gateway R70 is installed standalone on two systems in a network
environment configured for Dual-Box High Availability (DBHA).
Virtual Router Redundancy Protocol (VRRP) ensures that all packets in a flow are sent to a single X-Series
Platform.
Figure 4 shows a topology diagram that illustrates this option.
Check Point Security Gateway R70 Installation Options
The following sections describe the configuration options available during the application installation on the
X-Series Platform. See the Check Point documentation for more information.
Secure Internal Communication (SIC) Key on page 15
Local License Information on page 15
Performance Pack on page 15
Crossbeam High Availability/State Synchronization on page 15
CoreXL on page 16
Performance Pack
Performance Pack is a software acceleration product installed as an add-on to Security Gateway.
Performance Pack significantly improves the performance of Security Gateway.
Performance Pack uses Check Point SecureXL technology and other network acceleration techniques to
deliver wire-speed Security Gateway throughput for gigabit networks.
Virtual Application Processor (VAP) Load Balancing. Each VAP corresponds to an APM. In a VAP group,
each VAP runs an instance of the application, and traffic is load balanced among the VAPs. Should an
Application Processor Module (APM) fail, the system automatically redistributes the traffic flow among
the remaining VAPs.
Standby VAP. An unused VAP is configured as Standby. Should a VAP in any VAP group fail, the
standby VAP automatically joins that group.
Backup VAPs. A VAP can be assigned as a backup to another VAP in the group. These VAPs are
unused until the primary VAP fails.
APM Preemption Mode. Applications are assigned a priority. Should a higher priority application have a
VAP failure, it can take a VAP from a lower priority application.
Multi-System High Availability. Using VRRP, two or more X-Series Platforms can be configured to provide
HA.
VAP Load Balancing with Synchronization. State synchronization may be necessary when switching a
flow from one VAP to another while stateful packet processing is being performed. Using Check Point
Security Gateway synchronization, when a flow is reassigned to another VAP within the group, that VAP
will have the proper Security Gateway connection state to process the arriving packets.
Cluster Synchronization. Check Point Security Gateway cluster synchronization can be combined with
the XOS re-load balancing feature to provide service redundancy. Each flow is assigned a VAP. When a
VAP fails, traffic flows that were being processed on that VAP are re-load balanced to another VAP,
which is automatically selected at that time.
CoreXL
Check Point CoreXL is a performance-enhancing technology for gateways on multi-core processing
platforms. CoreXL enhances performance by enabling the processing cores to concurrently perform multiple
tasks. The performance increase is achieved without requiring any changes to management or to network
topology.
In a CoreXL gateway, the firewall kernel is replicated multiple times. Each replicated copy, or instance, of the
firewall kernel runs on one processing core. The instances handle traffic concurrently, and each instance is a
complete and independent inspection kernel.
In respect to network topology, management configuration, and security policies, a CoreXL gateway functions
as a regular gateway. All of the kernel instances of a gateway handle traffic going through the same gateway
interfaces and apply the same gateway security policy.
Chapter 2: Hardware, Software, and Network Requirements
This chapter provides the hardware, software, and network configuration requirements for installing Check
Point Security Gateway R70 onto the Crossbeam X-Series Platform.
Before installing Check Point Security Gateway R70, you must make sure the X-Series Platform meets the
following requirements:
Hardware Requirements on page 17
Software Requirements on page 18
Required Crossbeam Installation (CBI) Package on page 20
Network Configuration Requirements on page 20
CoreXL Configuration Requirements on page 20
Hardware Requirements
You must make sure the X-Series Platform meets the following hardware requirements:
General Requirements on page 17
Application Processor Module (APM) Requirements on page 17
General Requirements
The platform must include only the supported models of Crossbeam hardware components. See the
XOS V8.5 Release Notes to determine the chassis and module support.
All models of Control Processor Modules (CPMs), Network Processor Modules (NPMs), and Application
Processor Modules (APMs) included in the same X-Series Platform must be compatible with one
another. Refer to the X80 Platform Hardware Installation Guide for detailed module compatibility
matrices.
Software Requirements
You must make sure the X-Series Platform meets the following software requirements:
Software Version Compatibility Requirements on page 18
XOS Configuration Requirements on page 18
The above components of the XOS configuration must meet the requirements listed in the following sections:
VAP Group Configuration Requirements on page 18
Circuit Configuration Requirements on page 19
Additional XOS Considerations on page 19
RP filtering must be disabled. If RP filtering is enabled for a VAP group, the VAPs in the group drop any
packet whose incoming interface is different from its reply packet’s outgoing interface. A VAP group
applies RP filtering only to packets whose source or destination IP address belongs to a network directly
connected to the VAP group. By default, RP filtering is enabled on all VAP groups.
See the XOS Configuration Guide, XOS V8.5, for more information about VAP configuration.
Required Crossbeam Installation (CBI) Package
To run the CBI for Check Point Security Gateway R70, you must first place the CPSG-R70-x.x.x.x-y.cbi
package into the /usr/os/apps/archive directory on the CPM.
NOTE: See the XOS V8.5 Release Notes for the CBI package name.
See Copying the Crossbeam Installation (CBI) Package onto the X-Series Platform on page 27 for
instructions on obtaining the CBI package from the Crossbeam Customer Support Download Portal.
IMPORTANT: At the time of this release, Crossbeam recommends using only the 8-core APM with six
firewall instances.
NOTE: To avoid configuring different numbers of firewall instances on cluster members, do not use the
Check Point command "cpconfig" to change the CoreXL configuration. Always use the XOS CLI
command "application CPSG vap-group <VAP-group_name> configure".
Chapter 3: Preparing for Installation on the X-Series Platform
This chapter describes the procedures that you must perform before installing Check Point Security Gateway
R70 on a Crossbeam X-Series Platform.
NOTE: This chapter only describes how to configure the X-Series Platform prior to installing Check Point
Security Gateway R70 as a standalone application. For information about multi-application
serialization deployment, see the following Crossbeam document:
Multiple-Application Serialization Deployments Supported with XOS V8.5.
Prerequisite Reading
Before installing Check Point Security Gateway R70, you must have a thorough understanding of the material
presented in the following documents:
Crossbeam documents available on the Crossbeam DVD, and on the Crossbeam Customer Support
Web site located at www.crossbeam.com/services/online_support.php:
XOS Configuration Guide, XOS V8.5
XOS Command Reference Guide, XOS V8.5
XOS V8.5 Release Notes
Check Point documents are available on the Check Point Customer Web site, located at
http://support.checkpoint.com
CBS(config-vap-grp)# ap-list <apm_module_name1> [<apm_module_name2>]
[<apm_module_name3>] ...
where <apm_module_name> is the name that the X-Series Platform has assigned to the APM.
6. Configure a default IP flow rule for the VAP group, and return to the main CLI context. There are four
steps to configure the default IP flow rule:
a. Create the default IP flow rule:
CBS(config-vap-grp)# ip-flow-rule <ip_flow_rule_name>
b. Set the IP flow rule action to load-balance traffic to all available VAP members:
CBS(ip-flow-rule)# action load-balance
c. Set the activate flag to enable the action:
CBS(ip-flow-rule)# activate
d. Return to the main CLI context:
CBS(ip-flow-rule)# end
CBS#
For example:
CBS# configure ip route 10.1.1.0/24 10.213.212.111 vap-group fw circuit mgmt
7. Save the running configuration:
CBS# wr
2. Assign a device name to the circuit. The device name is the interface name. The name should be the
same as, or based on, the circuit name.
CBS(conf-cct)# device-name <VLAN_device_name>
CBS(conf-cct)#
3. Assign a VAP group to the circuit.
CBS(conf-cct)# vap-group <VAP_group_name>
CBS(conf-cct-vapgroup)#
4. Assign a tag (egress) to the VLAN circuit:
CBS(conf-cct-vapgroup)# default-egress-vlan-tag <VLAN_tag>
CBS(conf-cct-vapgroup)#
5. Assign an IP address to the VLAN circuit, and return to the main CLI context:
CBS(conf-cct-vapgroup)# ip <IP_address>/<netmask>
CBS(conf-cct-vapgroup-ip)# end
6. Configure the interface:
CBS# configure interface {gigabitethernet | 10gigabitethernet}
<NPM_slot_number>/<port_number>
7. Add a logical interface with the ingress tag:
CBS(conf-intf-<iftype>)# logical <logical_name> ingress-vlan-tag <VLAN_tag>
8. Assign the circuit to this interface:
CBS(intf-<iftype>-logical)# circuit <VLAN_circuit_name>
CBS(intf-<iftype>-logical)# exit
CBS# configure interface {gigabitethernet | 10gigabitethernet}
<NPM_slot_number>/<port_number>
CBS(conf-intf-<iftype>)# logical <logical_name>
CBS(intf-<iftype>-logical)# circuit <sync_circuit_name>
CBS(intf-<iftype>-logical)# end
6. Save the running configuration:
CBS# wr
Configuration is complete, go to Installing the Application on the X-Series Platform on page 27.
Chapter 4: Installing the Application on the X-Series Platform
This chapter describes how to install Check Point Security Gateway R70 onto the Crossbeam X-Series
Platform.
IMPORTANT: Before installing Check Point Security Gateway R70, make sure you meet the Hardware,
Software, and Network Requirements on page 17, and complete the procedures in Preparing
for Installation on the X-Series Platform on page 21.
To load the application onto the X-Series Platform, perform the following steps on each CPM in the X-Series
Platform:
1. Download the CPSG-R70-x.x.x.x-y.cbi CBI package from the Crossbeam Customer Support
Download Portal, www.crossbeam.com/services/online_support.php to the X-Series Platform.
NOTE: You must have an active support contract to access the Crossbeam Customer Support Center.
2. Log in to XOS as root:
CBS# unix su
Password:
[root@xxxx admin]#
3. Copy the CBI file, CPSG-R70-x.x.x.x-y.cbi, to /usr/os/apps/archive on the CPM.
[root@xxxx admin]# cp CPSG-R70-x.x.x.x-y.cbi /usr/os/apps/archive
4. Exit from root:
[root@xxxx admin]# exit
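Before leaving the root shell in step 4, it is worth confirming that the package really landed in the archive directory under the expected name and that the copy is byte-for-byte identical to the file you downloaded. The POSIX shell script below is an added example; it is not part of the Crossbeam guide or of XOS. It assumes only the /usr/os/apps/archive directory and the CPSG-R70-x.x.x.x-y.cbi naming pattern that the guide gives. The package name used in the demo, CPSG-R70-2.0.0.0-9.cbi, is constructed for the example from the release number shown later in this chapter.

```shell
#!/bin/sh
# Added example (not from the Crossbeam guide or XOS): verify that a Check
# Point CBI package has been staged in the CPM archive directory and that
# the staged copy matches the downloaded file.

# Directory the guide names for CBI packages; override via the environment.
ARCHIVE_DIR="${ARCHIVE_DIR:-/usr/os/apps/archive}"

# cbi_name_valid NAME
# Returns 0 if NAME matches the documented pattern CPSG-R70-x.x.x.x-y.cbi
# (four-part version, dash, build number), else 1.
cbi_name_valid() {
    printf '%s\n' "$1" |
        grep -Eq '^CPSG-R70-[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+-[0-9]+\.cbi$'
}

# cbi_staged SRC [DIR]
# SRC is the downloaded package; DIR defaults to ARCHIVE_DIR.
# Returns 0 only if SRC has a valid name, a regular file with the same name
# exists in DIR, and both files have the same cksum (CRC and length).
cbi_staged() {
    src="$1"
    dir="${2:-$ARCHIVE_DIR}"
    name=$(basename "$src")
    cbi_name_valid "$name" || {
        echo "unexpected package name: $name" >&2
        return 1
    }
    dst="$dir/$name"
    [ -f "$dst" ] || {
        echo "not staged: $dst" >&2
        return 1
    }
    # cksum on stdin prints "<crc> <bytes>" without a file name, so the two
    # outputs are directly comparable.
    s1=$(cksum < "$src")
    s2=$(cksum < "$dst")
    [ "$s1" = "$s2" ] || {
        echo "checksum mismatch: $src vs $dst" >&2
        return 1
    }
    echo "staged OK: $dst ($s1)"
}

# Usage: sh check_cbi.sh /path/to/CPSG-R70-x.x.x.x-y.cbi [archive_dir]
if [ $# -gt 0 ]; then
    cbi_staged "$1" "${2:-$ARCHIVE_DIR}"
fi
```

Run it as root on the CPM with the path of the downloaded package; a non-zero exit means either the name does not match what the installer expects or the file in /usr/os/apps/archive is not the one you downloaded, both of which the installer would otherwise only reveal as a failed "Checking Bundle Integrity" step.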
If any of the above requirements are not met, the installation will fail. If the installation fails, see
Troubleshooting the CBI Installation on page 30.
Use the CBI to install Check Point Security Gateway R70, as follows:
1. Enter the following XOS CLI command to verify that Check Point Security Gateway R70 is loaded on the
X-Series Platform.
CBS# show application
App ID: : CPSG
Name : Check Point Security Gateway
Version : R70
Release : 2.0.0.0-9
CBI Version : 1.2.0.0
2. Enter the following XOS CLI command to install the application on the VAP group you created:
CBS# application CPSG vap-group <VAP_group_name> install
For <VAP_group_name> enter the name of the VAP group you created for Check Point Security
Gateway R70.
3. The XOS checks the integrity of the CBI package and its dependencies, displaying the following text:
Checking Bundle Integrity: [####################] 100% [ ok ]
Checking Dependencies: [####################] 100% [ ok ]
Check Point Software Technologies Ltd.
License Agreement
4. The XOS begins the CBI interview process by displaying the terms and definitions for the Check Point
Security Gateway R70 license agreement, and prompts you to read the agreement:
Press ENTER to read or 'q' to quit:
5. Enter y (for yes) and press Enter to accept the license agreement.
[License agreement displayed here]
Do you accept the license agreement?[n]: y
Answer the questions below to configure this application. Type '?' for help.
6. Enter the Secure Internal Communication information.
The Secure Internal Communication (SIC) key is a one time Activation Key that is used to establish trust
with the Check Point Management Server. On XOS, the Activation Key is used for all VAPs in the VAP
group.
Enter the Secure Internal Communication (SIC) key below.
Password:
Confirm Password:
7. Enter the local license information.
Enter local license information?[n]:
If you wish to enter license information at this time, enter y (for yes) to continue. When prompted, enter
the management IP address, license expiration date, signature key, and the SKU/feature for each VAP in
the group. If the license is not available, the application installation program automatically uses a 15-day
trial license. The 15-day trial license only allows limited features.
NOTE: This license information is optional, as you can always push a central license from the Check
Point Management Station.
8. The following interview questions appear:
Install Performance Pack?[y]:
The Performance Pack is a software-based acceleration module for Check Point Security Gateway
R70. Accelerating key security functions such as access control, encryption, NAT, attack signature
detection, and accounting, enables wire-speed firewall throughput for gigabit networks.
If you entered y, the “Do you want to enable SecureXL?” prompt appears. Enter y to enable
SecureXL.
Enable High Availability/State Synchronization?[y]:
NOTE: You must enable High Availability State Synchronization if you are creating a Check Point
Security Gateway cluster.
Do you want to enable CoreXL? [n]:y
Enter y to enable CoreXL.
NOTE: At the time of this release, Crossbeam recommends using only the 8-core APM with six firewall
instances. If you choose to enable CoreXL on an APM which has less than 8-cores, Check
Point recommends two firewall instances for the 2-core APM, and three firewall instances for
the 4-core APM.
NOTE: If you entered y, please enter ? to read important information about CoreXL before entering the
number of firewall instances to enable, and refer to CoreXL Configuration Requirements on
page 20.
How many firewall instances would you like to enable (2 to 8)? 6
(Enter '?' for important information) []:
Are there any changes needed?[n]: n
If you do not want to change configuration settings, enter n and press Enter. If you want to change
any configuration settings before installing this application, enter y and press Enter to return to the
first question in the installation interview.
9. XOS installs Check Point Security Gateway R70 on the VAP group you specified in Step 2. The XOS
displays the progress of the application installation on each VAP, and then prompts you to save the
configuration.
NOTE: To save the configuration to the database, enter y and press Enter. If you enter n, the
configuration is not saved to the database.
For example, the following text appears when the application is installed on a VAP group called fwvpn
that consists of three VAPs:
Check Point® Security Gateway R70 Installation and Configuration Guide for Crossbeam® X-Series Platforms 29
** A reboot is required for the change(s) to take affect. **
Extracting Bundle: [####################] 100% [ ok ]
Installing CPSG on VAP fwvpn_3: [####################] 100% [ ok ]
Installing CPSG on VAP fwvpn_2: [####################] 100% [ ok ]
Installing CPSG on VAP fwvpn_1: [####################] 100% [ ok ]
In order to successfully complete the application install, the XOS
configuration must be saved.
IMPORTANT: If you are configured to use High Availability Application Synchronization, and enabled it
during the installation interview, go to Completing the High Availability State Synchronization
Configuration on page 31.
For example, the following text is displayed if you installed Check Point Security Gateway R70 on the VAP
group fwvpn, which has two VAPs in the group:
CBS# show application vap-group fwvpn
VAP Group : fwvpn
App ID : CPSG
Name : Check Point Security Gateway
Version : R70
Release : 2.0.0.0-9
Start on Boot : yes
App Monitor : on
App State (fwvpn_1): Up
App State (fwvpn_2): Up
The Start on Boot field shows whether the application will start during VAP boot (yes or no). If no, you
must run the application CPSG vap-group <VAP_group_name> start CLI command to start the
application.
Completing the High Availability State Synchronization Configuration
This section provides the additional steps necessary to complete the High Availability State Synchronization
configuration after installing Check Point Security Gateway R70.
To complete the High Availability State Synchronization configuration, you must perform the following steps
on the Check Point Management Station:
1. Create a Gateway Cluster object and include each VAP as a cluster member.
2. Set the Secure Internal Communication (SIC).
3. Get the topology.
4. Set the synchronization network.
5. Download policies to the Cluster object.
If the application is installed on multiple VAP groups, repeat the previous steps for each VAP group. After
uninstalling the application, reload each VAP group.
You can also view the uninstallation error and warning messages by entering the following command:
Chapter 5: XOS Configuration Examples for Supported Single-Application Use Cases
This chapter provides topology diagrams that illustrate the single-application use cases supported for Check
Point Security Gateway R70 installed on the Crossbeam X-Series Platform. It also provides XOS
configuration examples for the supported use cases for each topology configuration option.
Standalone Examples
With a standalone Check Point Security Gateway R70 deployment, you can use any of the following interface
types:
Simple Interface
Simple Interface with Redundancy
LACP (Link Aggregation Control Protocol, IEEE 802.3ad)
VLAN Trunk (802.1q)
VLAN Trunk over LACP
This section contains examples that show how to use the XOS CLI to configure traffic interfaces of the
following types:
Simple Interface Example on page 34
LACP Trunk Interface Example on page 36
VLAN Trunk Example on page 38
NOTE: The examples in this section do not provide configuration information for the management and
synchronization circuits. See Creating and Configuring a Management Interface on page 23 and
Creating and Configuring a Synchronization Circuit on page 25 for configuration of these circuits.
Simple Interface Example
The example in this section shows the configuration of two traffic circuits to the physical interfaces.
Topology Diagram
Figure 5 illustrates the topology configuration for two traffic circuits (wan and lan) mapped to the physical
interfaces. A configuration example of this topology is provided below the topology diagram.
2. Configure the physical interfaces for ingress and egress traffic.
CBS# configure interface gigabitethernet 2/1
CBS(conf-intf-gig)# logical lan
CBS(intf-gig-logical)# circuit lan
CBS(intf-gig-logical)# end
CBS#
LACP Trunk Interface Example
LACP trunks aggregate multiple physical interfaces to form one logical channel, which the X-Series Platform
treats as a single interface. This unification provides interface redundancy and an increase in bandwidth
capacity, but does not increase complexity from the application standpoint.
Topology Diagram
Figure 6 illustrates the topology configuration for two traffic circuits (mltv1 and mltv2) mapped to the LACP
trunk interfaces. A configuration example of this topology is provided below the topology diagram.
2. Configure the two LACP Trunk interfaces, and assign each LACP Trunk interface to a traffic circuit:
CBS# configure group-interface mltv1
CBS(conf-group-intf)# mode multi-link circuit mltv1
CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)# exit
CBS(conf-group-intf)# interface 1/1
CBS(conf-group-intf-intf)# exit
CBS(conf-group-intf)# interface 1/2
CBS(conf-group-intf-intf)# exit
CBS(conf-group-intf)# interface 1/3
CBS(conf-group-intf-intf)# end
CBS#
VLAN Trunk Example
In a VLAN configuration using an 802.1q trunk for VLANs, a single physical interface may handle several
subnets. The X-Series Platform can be configured to handle a VLAN trunk by assigning many logical
interfaces to a single physical interface. Each logical interface is associated with a VLAN tag or range of
VLAN tags.
See the XOS Configuration Guide, XOS V8.5 to limit the VLANs that are expected, and to specify whether
untagged packets are accepted.
Topology Diagram
Figure 7 illustrates a topology configuration for VLANs. A configuration example of this topology is provided
below the topology diagram.
CBS(conf-cct-vapgroup)# ip 172.16.6.1/24
CBS(conf-cct-vapgroup-ip)# end
CBS#
2. Map the two traffic circuits to the interface:
CBS# configure interface gigabitethernet 2/1
CBS(conf-intf-gig)# logical lan ingress-vlan-tag 100
CBS(intf-gig-logical)# circuit lan
CBS(intf-gig-logical)# end
Standalone with Dual-Box High Availability (DBHA) Example
A successful DBHA configuration depends upon external devices configured to provide failure detection and
traffic failover in the event that one X-Series system fails. Crossbeam provides this functionality by using
VRRP.
You can use any combination of the following five interface types, which are supported for a standalone
deployment:
Simple Interface
Simple Interface with redundancy
LACP (Link Aggregation Control Protocol, IEEE 802.3ad)
VLAN Trunk (802.1q)
VLAN Trunk over LACP
Topology Diagram
You can configure multiple X-Series Platforms for High Availability (HA) using VRRP. You do not need to
configure one system as master and another as standby. Instead, you create a failover group containing
one or more VAP groups and circuits, and create a similar group with the same ID on one or more other
systems. Should one group fail, the counterpart group on another system becomes master. In the meantime,
the same group ID on each system can be actively passing traffic, so that no system is under-utilized.
Figure 8 illustrates the topology of a standalone when it is installed on two X-Series Platforms that are
configured for dual-box high availability (DBHA).
The following example shows how to configure XOS to enable a dual-box, high-availability (DBHA)
deployment of Check Point Security Gateway R70. This example uses LACP trunk interfaces for the traffic
circuits, and a simple interface for the management and synchronization circuits.
To create the topology configuration shown in Figure 8, perform the following steps on each X-Series
Platform.
1. Configure the remote system ID and IP address. The remote system ID is specific to the system, and the
IP address is the address of the CPM on the other system.
CBS# configure remote-box 5 172.16.1.20
CBS(conf-remote-box)# end
CBS#
2. Use the following commands to create a VAP group to use the xslinux_v5 operating system, specify the
number of VAP members in the group, and the maximum number of VAPs in the group.
CBS# configure vap-group fwvpn xslinux_v5
CBS(config-vap-grp)# vap-count 3
CBS(config-vap-grp)# max-load-count 3
3. Disable RP filtering.
CBS(config-vap-grp)# no rp-filter
4. Specify the list of APMs to be loaded. All VAP members should be identical APMs. Use show chassis
from the CLI to verify the configuration of each APM if necessary.
CBS(config-vap-grp)# ap-list ap7 ap8 ap9
CBS(config-vap-grp)# load-balance-vap-list 1 2 3
5. Configure a basic load balancing flow rule for the VAP group:
CBS(config-vap-grp)# ip-flow-rule lb
CBS(ip-flow-rule)# action load-balance
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)# end
6. Configure the management circuit, assign a device name to the circuit, and map the circuit to the
application’s VAP group:
CBS# configure circuit mgmt
CBS(conf-cct)# device-name mgmt
CBS(conf-cct)# vap-group fwvpn
CBS(conf-cct-vapgroup)#
7. Configure the management circuit to use a unique IP address to access each VAP in the group:
CBS(conf-cct-vapgroup)# ip 192.168.10.1/24 increment-per-vap 192.168.10.3
CBS(conf-cct-vapgroup-ip)# end
8. Configure a circuit for synchronization:
CBS# configure circuit sync
CBS(conf-cct)# internal
CBS(conf-cct)# device-name sync
CBS(conf-cct)# vap-group fwvpn
CBS(conf-cct-vapgroup)# ip 9.9.9.4/24 9.9.9.255 increment-per-vap 9.9.9.8
CBS(conf-cct-vapgroup-ip)# end
9. Map the synchronization circuit and the management circuit to the interface:
CBS# configure interface gigabitethernet 2/1
CBS(conf-intf-gig)# logical mgmt
CBS(intf-gig-logical)# circuit mgmt
CBS(intf-gig-logical)# end
CBS(intf-gig-logical)# end
10. Create two traffic circuits, one for egress traffic and one for ingress traffic:
CBS# configure circuit mltv1
CBS(conf-cct)# device-name mltv1
CBS(conf-cct)# vap-group fwvpn
CBS(conf-cct-vapgroup)# ip 172.16.10.1/24
CBS(conf-cct-vapgroup-ip)# end
CBS(conf-vrrp-group)# virtual-router vrrp-id 20 circuit mltv2
CBS(conf-vrrp-failover-vr)# priority-delta 100
CBS(conf-vrrp-failover-vr)# mac-usage vrrp-mac
CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)# virtual-ip 172.16.60.2/24
CBS(conf-vrrp-vr-vapgroup)# end
15. Enable VRRP on the VAP group:
CBS# configure vrrp vap-group fwvpn
CBS(conf-vrrp-vap-group)#
16. Assign the failover group to a failover group list:
CBS(conf-vrrp-vap-group)# failover-group-list vrrp_fwvpn
17. Specify the time, in seconds, for a VAP group to wait before passing traffic, allowing the application to
fully boot. This delay can prevent an application from dropping connections before the application is able
to pass traffic.
CBS(conf-vrrp-vap-group)# hold-down-timer 120
CBS(conf-vrrp-vap-group)#
18. Assign a priority-delta to the VAP group. VRRP decrements the priority of the failover group whenever
the number of active VAPs falls below the active-vap-threshold. The priority-delta can be any
value between 1 and 255. When the VAP returns to the Active state, the priority-delta is added back to
the priority value.
CBS(conf-vrrp-vap-group)# priority-delta 60
19. Assign the active-vap-threshold to monitor the VAPs in the VAP group. If the number of active
VAPs drops below the threshold, the priority is decremented by the priority-delta. When the priority
of the master chassis drops below the value of the backup chassis, failover occurs.
CBS(conf-vrrp-vap-group)# active-vap-threshold 3
CBS(conf-vrrp-vap-group)# end
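To see how priority-delta, active-vap-threshold and hold-down-timer interact, the following Python is an added example written for this page, not Crossbeam or Check Point code. It models the rule stated in steps 17 to 19: the delta is subtracted while the number of active VAPs is below the threshold and added back when they recover, a chassis still inside its hold-down timer passes no traffic, and the ready chassis with the highest remaining priority is master. The base priority of 100 and the tie-break (the chassis listed first keeps mastership) are assumptions; the page does not show the configured group priority, and real VRRP breaks ties differently.

```python
from dataclasses import dataclass


@dataclass
class FailoverGroup:
    """One chassis's view of a DBHA failover group (the same group ID exists on each chassis)."""
    chassis: str
    active_vaps: int            # VAPs currently Up in the VAP group
    active_vap_threshold: int   # from `active-vap-threshold`
    priority_delta: int         # from `priority-delta` (1 to 255)
    hold_down_timer: int        # from `hold-down-timer`, in seconds
    uptime: int                 # seconds since the VAP group booted
    base_priority: int = 100    # assumption: configured group priority is not shown on the page

    def __post_init__(self):
        if not 1 <= self.priority_delta <= 255:
            raise ValueError("priority-delta must be between 1 and 255")

    def effective_priority(self):
        """The delta is subtracted while active VAPs are below the threshold and
        added back once the VAP count recovers (steps 18 and 19)."""
        priority = self.base_priority
        if self.active_vaps < self.active_vap_threshold:
            priority -= self.priority_delta
        return max(priority, 0)

    def ready(self):
        """Hold-down (step 17): pass no traffic until the application has had time to boot."""
        return self.uptime >= self.hold_down_timer


def elect_master(groups):
    """Return the group that should be VRRP master: highest effective priority among
    chassis past their hold-down timer. Assumption: on equal priority the chassis
    listed first keeps mastership. Returns None if no chassis is ready."""
    best = None
    for group in groups:
        if not group.ready():
            continue
        if best is None or group.effective_priority() > best.effective_priority():
            best = group
    return best


if __name__ == "__main__":
    # Two chassis configured as in steps 17 to 19: threshold 3, delta 60, hold-down 120 s.
    healthy_a = FailoverGroup("chassis-A", 3, 3, 60, 120, uptime=600)
    healthy_b = FailoverGroup("chassis-B", 3, 3, 60, 120, uptime=600)
    degraded_a = FailoverGroup("chassis-A", 2, 3, 60, 120, uptime=600)   # one VAP Down
    booting_b = FailoverGroup("chassis-B", 3, 3, 60, 120, uptime=30)     # inside hold-down
    for label, groups in [("both healthy", [healthy_a, healthy_b]),
                          ("A loses one VAP", [degraded_a, healthy_b]),
                          ("A degraded, B just rebooted", [degraded_a, booting_b])]:
        master = elect_master(groups)
        print(f"{label}: master = {master.chassis if master else None}")
```

Two things the model makes visible: with active-vap-threshold equal to vap-count, the loss of a single VAP on the master is enough to move traffic to the other chassis, and if both chassis are degraded their priorities drop by the same delta, so no failover occurs and the degraded master keeps traffic. Also keep in mind that VRRP itself carries no strong authentication, so the circuits carrying VRRP advertisements and the sync circuit should sit on a segment that only the two chassis can reach.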
Chapter 6: Managing and Monitoring the Application Installed on the X-Series Platform
This chapter describes the methods that you can use to manage and monitor Check Point Security Gateway
R70 when it is installed on a Crossbeam X-Series Platform. This chapter also describes the procedures that
you can use to backup and restore the VAP group on which Check Point Security Gateway R70 is installed on
an X-Series Platform.
XOS Command Line Interface (CLI)
This section describes the basic XOS CLI application commands.
IMPORTANT: With the exception of the show application command, the commands described in this
section only work if the primary CPM, the NPM(s), and the VAPs in the application's VAP group are UP.
Use the following commands at the XOS CLI prompt to perform basic application management. For more
information on using the XOS CLI to manage applications, see the XOS Command Reference Guide, XOS
V8.5 and the XOS Configuration Guide, XOS V8.5.
Start Check Point Security Gateway R70:
CBS# application CPSG vap-group <VAP_group_name> start
Configure an application using the Check Point Security Gateway Configuration Menu:
CBS# application CPSG vap-group <VAP_group_name> configure
Stop Check Point Security Gateway R70 on a VAP group:
CBS# application CPSG vap-group <VAP_group_name> stop
Restart Check Point Security Gateway R70 on a VAP group:
CBS# application CPSG vap-group <VAP_group_name> restart
Update the VAP group to install Check Point Security Gateway R70 on any new VAPs that you added to
the group after the initial configuration.
CBS# application-update vap-group <VAP_group_name>
Display Check Point Security Gateway R70 status on all VAP groups or on a specified VAP group.
CBS# show application vap-group <VAP_group_name>
The XOS health system polls application processes on each VAP in the VAP group every five seconds. If the
application is not running on a VAP, the health system notifies the NPM to stop new flows to this VAP. You can
verify this behavior using the show flow distribution command. The X-Series Platform performs this
process dynamically without modifying the VAP group’s load balance list. However, application monitoring
cannot detect process hangs. If the process is not functioning but is still running, the XOS health system will
continue to report the application as running.
Signature Key
SKU/Features
4. Enter n at the “Are any changes needed?” prompt to apply the configuration changes to the VAP
group.
You are returned to the Check Point Security Gateway Configuration Menu after the configuration
changes are complete.
5. Select Exit to return to the XOS CLI.
You are returned to the Check Point Security Gateway Configuration Menu after the configuration
changes are complete.
5. Select Exit to return to the XOS CLI.
6. Restart the application:
CBS# application CPSG vap-group <VAP_group_name> restart
7. Use the Check Point Management Station to perform the following:
a. Set the Secure Internal Communication (SIC).
b. Get the topology.
c. Download policies to the Cluster object.
Installing and Uninstalling Performance Pack
To install or uninstall Performance Pack, perform the following steps:
1. Access the Check Point Security Gateway Configuration Menu from the XOS by entering the following
command:
CBS# application CPSG vap-group <VAP_group_name> configure
The Check Point Security Gateway Configuration Menu appears.
2. Select Check Point Optional Packages.
3. Select one of the following:
To install Performance Pack:
a. Enter y at the “Install Performance Pack?” prompt and press Enter.
b. If the administrative state of SecureXL was set to disabled, enter y at the “Do you want to
enable SecureXL?” prompt and press Enter.
To uninstall Performance Pack:
a. Enter n at the “Do you want Performance Pack to remain installed?” prompt and
press Enter.
b. If the administrative state of SecureXL was set to enabled, enter n at the “Do you want
SecureXL to remain administratively enabled?” prompt and press Enter.
4. Enter n at the “Are any changes needed?” prompt and press Enter to apply the configuration
changes to the VAP group.
You are returned to the Check Point Security Gateway Configuration Menu after the configuration
changes are complete.
5. Select Exit to return to the XOS CLI.
6. Reboot the VAP group, using the following command:
CBS# reload vap-group <VAP_group_name>
6. Restart the application:
CBS# application CPSG vap-group <VAP_group_name> restart
IMPORTANT: Please enter ? to read important information about CoreXL before entering the number of
firewall instances to enable.
IMPORTANT: At the time of this release, Crossbeam recommends using only the 8-core APM with six
firewall instances.
4. Enter the number of firewall instances to enable, and press Enter.
NOTE: If you choose to enable CoreXL on an APM which has less than 8-cores, Check Point
recommends two firewall instances for the 2-core APM, and three firewall instances for the
4-core APM
5. Enter n at the “Are any changes needed?” prompt and press Enter to apply the CoreXL
configuration changes to the VAP group.
You are returned to the Check Point Security Gateway Configuration Menu after the configuration
changes are complete.
6. Select Exit to return to the XOS CLI.
7. Reboot the VAP group, using the following command:
CBS# reload vap-group <VAP_group_name>
Disabling Check Point CoreXL
If Check Point CoreXL was enabled during the application installation and you want to disable it, perform the
following steps:
1. Access the Check Point Security Gateway Configuration Menu from the XOS by entering the following
command:
CBS# application CPSG vap-group <VAP_group_name> configure
The Check Point Security Gateway Configuration Menu appears.
2. Select Check Point CoreXL.
3. Enter n at the “Do you want CoreXL to remain enabled” prompt, and press Enter to disable
CoreXL.
4. Enter n at the “Are any changes needed?” prompt to apply the CoreXL configuration changes to the
VAP group, and press Enter.
You are returned to the Check Point Security Gateway Configuration Menu after the configuration
changes are complete.
5. Select Exit to return to the XOS CLI.
6. Reboot the VAP group, using the following command:
CBS# reload vap-group <VAP_group_name>
To change the number of CoreXL firewall instances, perform the following steps:
1. Access the Check Point Security Gateway Configuration Menu from the XOS by entering the following
command:
CBS# application CPSG vap-group <VAP_group_name> configure
The Check Point Security Gateway Configuration Menu appears.
2. Select Check Point CoreXL.
3. Enter y at the “Do you want CoreXL to remain enabled” prompt.
IMPORTANT: Please enter ? to read important information about CoreXL before entering the number of
firewall instances to enable.
4. Enter the number of firewall instances to enable and press Enter.
5. Enter n at the “Are any changes needed?” prompt, and press Enter to apply the CoreXL
configuration changes to the VAP group.
You are returned to the Check Point Security Gateway Configuration Menu after the configuration
changes are complete.
6. Select Exit to return to the XOS CLI.
7. Reboot the VAP group, using the following command:
CBS# reload vap-group <VAP_group_name>
Adding and Removing VAP Group Members
This section describes how to perform the following tasks:
Adding a VAP to a VAP Group on page 52
Removing a VAP from a VAP Group on page 53
IMPORTANT: Make sure the new APM meets the requirements listed in Hardware Requirements on page 17
and the Software Requirements on page 18. The new APM’s hardware configuration must
match the hardware configuration of all other APMs in the VAP group.
2. Increment the IP address range for the management circuit:
CBS# configure circuit <management_circuit_name> vap-group <VAP_group_name>
CBS(conf-cct-vapgroup)# ip <ip_address_of_first_VAP_in_group>/<netmask>
<broadcast_address> increment-per-vap <ip_address_of_last_vap_in_group>
CBS(conf-cct-vapgroup-ip)# end
3. Increment the IP address range for the synchronization circuit:
CBS# configure circuit <sync_circuit_name>
CBS(conf-cct)# vap-group <VAP_group_name>
CBS(conf-cct-vapgroup)# ip <ip_address_of_first_VAP_in_group>/<netmask>
<broadcast_address> increment-per-vap <ip_address_of_last_vap_in_group>
CBS(conf-cct-vapgroup-ip)# end
4. Increment the Check Point Security Gateway R70 VAP group VAP count, and set the max load count to
the number of active VAP members in the VAP group:
NOTE: It is not required to set the max load count to equal the VAP count since pre-staged installation
and pre-staged configuration allow the change to the VAP when the APM is available.
CBS# configure vap-group <VAP_group_name>
CBS(config-vap-grp)# vap-count <new_VAP_count>
CBS(config-vap-grp)# max-load-count <number_of_APMs_in_group>
5. Reconfigure the APM list for the VAP group to add the new APM to the group:
CBS(config-vap-grp)# ap-list <apm_module_name1> [<apm_module_name2>]
[<apm_module_name3>] ...
where <apm_module_name> is the name that the XOS has assigned to the APM. (Use the show
chassis command to determine the assigned names of the APMs in your chassis.)
6. Configure the load-balance VAP list for the VAP group so that the new VAP does not receive any flows.
The new APM will have the highest index number in the VAP group. Leave this index number off the
load-balance VAP list.
CBS(config-vap-grp)# load-balance-vap-list <index1> <index2> [<index3>] ...
CBS(config-vap-grp)# end
7. Use the following commands to verify that the new APM has the correct firmware installed on it. If the
revs_check script prompts you to do so, follow the instructions in the XOS Configuration Guide, XOS
V8.5 to update the firmware on the new APM.
CBS# unix su
[root@xxxx admin]# /crossbeam/bin/revs_check
8. Verify that the VAP group is UP by entering the following command:
CBS# show ap-vap-mapping
9. Install Check Point Security Gateway R70 on the new VAP by entering the CLI command:
CBS# application-update vap-group <VAP_group_name>
10. Reboot the new VAP so that the installation can take effect. Use the following command:
CBS# reload vap-group <VAP_group_name> <VAP_group_member_index_number>
11. After the reboot is complete, use the show application vap-group <VAP_group_name>
command to verify that the application is running on the new VAP.
For example, if a new VAP is added to a VAP group named fwvpn, resulting in a VAP group with two
VAPs, the command produces the following output:
CBS# show application vap-group fwvpn
VAP Group : fwvpn
App ID : CPSG
Name : Check Point Security Gateway
Version : R70
Release : 2.0.0.0-9
Start on Boot : yes
App Monitor : on
App State(fwvpn_1) : Up
App State(fwvpn_2) : Up
CBS#
12. Use the Check Point Management Station to configure the application on the new VAP.
a. Create a Gateway Cluster object, and include the new VAP as a cluster member.
b. Set the Secure Internal Communication (SIC).
c. Get the topology.
d. Set the Synchronization network.
e. Download policies to the Cluster object.
13. Add the new VAP back into the load balance VAP list:
CBS# configure vap-group <VAP_group_name>
CBS(config-vap-grp)# load-balance-vap-list <index1> <index2> [<index3>] ...
CBS(config-vap-grp)# end
3. Decrement the Check Point Security Gateway R70 VAP group’s VAP count:
CBS(config-vap-grp)# vap-count <new_VAP_count>
CBS(config-vap-grp)# end
4. Reconfigure the IP address range to reclaim the IP address for the VAP that you have just removed from
the VAP group:
CBS# configure circuit <circuit_name> vap-group <vap_group_name>
CBS(conf-cct-vapgroup)# ip <ip_address_of_first_VAP_in_group>/<netmask>
<broadcast_address> increment-per-vap <ip_address_of_last_vap_in_group>
CBS(conf-cct-vapgroup-ip)# end
5. Use the Check Point Management Station to perform the following:
a. Detach the gateway where the member was removed from the cluster.
b. Get the topology.
c. Download policies to the cluster object.
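Steps 2 and 3 of the add procedure and step 4 of the remove procedure all hinge on getting the increment-per-vap range right: the range must hold at least vap-count usable addresses, and neither end may run into the subnet's network or broadcast address. The following Python is an added example written for this page, not Crossbeam or Check Point code. It computes the ip ... increment-per-vap statement for a given member count and validates an existing one, using this guide's own management (192.168.10.0/24) and synchronization (9.9.9.0/24) circuit addresses as input. It assumes members are numbered consecutively from the first address, which is how the guide's examples read; whether XOS permits a range larger than vap-count (as the sync example 9.9.9.4 to 9.9.9.8 with three VAPs suggests) is something the page shows but does not state, so the validator treats extra addresses as spare rather than as an error.

```python
import ipaddress


def plan_increment_range(first_ip, prefix_len, vap_count, broadcast=None):
    """Build the `ip <first>/<mask> <broadcast> increment-per-vap <last>` statement for a
    VAP group of vap_count members, where member n receives first_ip + (n - 1).

    Raises ValueError if a member address would leave the subnet or land on the network
    or broadcast address, or if the supplied broadcast does not belong to the subnet."""
    if vap_count < 1:
        raise ValueError("vap_count must be at least 1")
    network = ipaddress.ip_network(f"{first_ip}/{prefix_len}", strict=False)
    first = ipaddress.ip_address(first_ip)
    bcast = ipaddress.ip_address(broadcast) if broadcast else network.broadcast_address
    if bcast != network.broadcast_address:
        raise ValueError(f"{bcast} is not the broadcast address of {network}")
    last = first + (vap_count - 1)
    _check_usable(network, first, last)
    return {
        "first": str(first),
        "last": str(last),
        "broadcast": str(bcast),
        "members": [str(first + i) for i in range(vap_count)],
        "cli": f"ip {first}/{prefix_len} {bcast} increment-per-vap {last}",
    }


def validate_increment_range(first_ip, prefix_len, last_ip, vap_count):
    """Check an existing statement against the VAP count. Returns the number of spare
    addresses in the range beyond vap_count; raises ValueError if the range is too
    small or touches the network or broadcast address."""
    network = ipaddress.ip_network(f"{first_ip}/{prefix_len}", strict=False)
    first, last = ipaddress.ip_address(first_ip), ipaddress.ip_address(last_ip)
    if last < first:
        raise ValueError("increment-per-vap address precedes the first address")
    _check_usable(network, first, last)
    capacity = int(last) - int(first) + 1
    if capacity < vap_count:
        raise ValueError(f"range {first}-{last} holds {capacity} addresses, "
                         f"but vap-count is {vap_count}")
    return capacity - vap_count


def _check_usable(network, first, last):
    """Both ends of the range must be host addresses inside the subnet."""
    for addr in (first, last):
        if addr not in network:
            raise ValueError(f"{addr} is outside {network}")
        if addr in (network.network_address, network.broadcast_address):
            raise ValueError(f"{addr} is the network or broadcast address of {network}")


if __name__ == "__main__":
    # Growing the guide's management circuit from two members to three.
    print(plan_increment_range("192.168.10.1", 24, 3)["cli"])
    # The guide's sync circuit: 9.9.9.4 to 9.9.9.8 for three VAPs leaves two spare addresses.
    print("spare:", validate_increment_range("9.9.9.4", 24, "9.9.9.8", 3))
```

Run the validator against both the management and the synchronization circuit before the reload in step 10, since an address that collides with the broadcast address or falls outside the subnet only shows up as a VAP that never becomes reachable.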
The following sections describe the backup and restore functionality provided for Check Point Security
Gateway R70:
Restrictions on page 54
Backing Up a VAP Group on page 54
Restoring a VAP Group on page 55
Deleting a VAP Group Archive on page 56
Restrictions
The VAP group backup and restore functionality has the following restrictions:
This functionality is available only from the XOS CLI.
You cannot use the EMS to perform application backups and restores.
You cannot back up and restore a VAP group to or from a remote location.
You cannot back up and restore the APM’s local hard drive.
You cannot back up and restore any VAP group on which Check Point Security Gateway R70 is not
installed.
The X-Series Platform must have at least 500 MB of free space for each VAP group archive.
2. The XOS checks to be sure that you have enough disk space to perform the operation, and displays the
following text as it performs this test:
Calculating available and required space........................... Done
3. The VAP group must be shut down during a backup operation. Therefore, the CLI prompts you to confirm
the backup operation. Enter y to confirm the backup operation.
During backup the vap-group will be disabled. Continue? <Y or N> [Y]: y
4. The XOS executes the backup operation and displays the progress of the operation.
For example, the following text appears when the XOS backs up a VAP group named fwvpn containing
two VAPs, and the archive is being stored on the X-Series Platform:
NOTE: A backup operation may take a significant amount of time to complete.
Waiting for vap group to go down ... Done
Backing up fwvpn_1 Archive 1 to /tftpboot/archives/fwvpn/
1................Done
Backing up fwvpn_2 Archive 1 to /tftpboot/archives/fwvpn/1...............Done
Backing up fwvpn_common Archive 1 to /tftpboot/archives/fwvpn/
1................Done
Creating MD5 sum file....Done
CBS#
When the example backup is complete, the VAP group archive is stored in /tftpboot/archives/fwvpn/1 on the
CPM. Archive numbers are automatically appended to the VAP group file. The first time a VAP group is
backed up, the archive number starts at 1. The archive number increments by one for each successive
backup.
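The backup ends with a "Creating MD5 sum file" step, and that file is what lets you check an archive before you restore it. The following Python is an added example written for this page, not Crossbeam or Check Point code. It builds a constructed three-part archive (fwvpn_1, fwvpn_2, fwvpn_common) in a temporary directory, writes an md5sum-style sum file for it, and then verifies the archive before and after one part is corrupted and another deleted. The sum file name and its "digest, two spaces, file name" layout are assumptions; the page does not show the file XOS writes.

```python
import hashlib
import os
import tempfile

# Assumption: name of the sum file. The page only says XOS creates an MD5 sum file.
SUM_FILE = "md5sums"


def md5_of(path, chunk=1 << 20):
    """Digest a file in chunks so large member archives do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def write_sum_file(archive_dir, names):
    """Write an md5sum(1)-style file: one '<hex digest>  <file name>' line per part."""
    lines = [f"{md5_of(os.path.join(archive_dir, n))}  {n}" for n in sorted(names)]
    with open(os.path.join(archive_dir, SUM_FILE), "w") as fh:
        fh.write("\n".join(lines) + "\n")


def verify_archive(archive_dir):
    """Recompute every digest listed in the sum file.
    Returns {file name: 'OK' | 'MISMATCH' | 'MISSING'}."""
    results = {}
    with open(os.path.join(archive_dir, SUM_FILE)) as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            expected, name = line.split("  ", 1)
            path = os.path.join(archive_dir, name)
            if not os.path.isfile(path):
                results[name] = "MISSING"
            elif md5_of(path) == expected:
                results[name] = "OK"
            else:
                results[name] = "MISMATCH"
    return results


def demo():
    """Constructed archive 1 for VAP group fwvpn: verify it intact, then damaged."""
    archive_dir = tempfile.mkdtemp(prefix="fwvpn-archive-1-")
    parts = {"fwvpn_1": b"member 1 payload", "fwvpn_2": b"member 2 payload",
             "fwvpn_common": b"shared payload"}
    for name, data in parts.items():
        with open(os.path.join(archive_dir, name), "wb") as fh:
            fh.write(data)
    write_sum_file(archive_dir, parts)
    before = verify_archive(archive_dir)
    with open(os.path.join(archive_dir, "fwvpn_2"), "ab") as fh:   # stand-in for a truncated or corrupted copy
        fh.write(b"x")
    os.remove(os.path.join(archive_dir, "fwvpn_common"))           # stand-in for a lost part
    after = verify_archive(archive_dir)
    return before, after


if __name__ == "__main__":
    intact, damaged = demo()
    print("intact :", intact)
    print("damaged:", damaged)
```

Two caveats a practitioner should keep in mind. First, an MD5 sum file catches accidental corruption, not deliberate tampering: anyone who can write to /tftpboot/archives on the CPM can rewrite both the archive and its sum file, so keep a copy of the digests somewhere the CPM cannot alter and compare against that copy before a restore. Second, the archive contains the gateway's configuration and, with it, material such as SIC certificates, so access to the archive directory deserves the same controls as access to the gateway itself.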
Calculating available and required space.......Done
During restore the vap-group will be disabled. Continue? <Y or N> [Y]: y
Waiting for vap group to go down ... Done
Restoring vap-group fwvpn 1. This may take several minutes...
Removing old temporary files ... Done
Extracting fwvpn_1 archive......................................... Done
Extracting fwvpn_2 archive......................................... Done
Extracting fwvpn_common archive.................................... Done
Restoring VapGroup fwvpn
fwvpn_common restoration has completed
fwvpn_1 restoration has completed
fwvpn_2 restoration has completed
VAP Group fwvpn restoration completed
Cleaning up temporary files...................................... Done
CBS#
4. After the VAP group has rebooted, use the following command to verify that the application has restarted
(provided that the application is configured to start on boot):
CBS# show application vap-group <vap_group_name>
To display the archive that was restored, use the following command:
CBS# show archive vap-group <vap_group_name>
For example, the following text appears for the archive restored above:
VAP Group : fwvpn
Archive Number : 1
VAP Count : 2
VAP OS version : xslinux_v5
XOS version : 8.5.0-86
Application : CPSG
Application Version : R70
Application Release : 2.0.0.0-9
Date : Fri Jan 30 14:53:25 EST 2009
Archive Location : /tftpboot/archives/fwvpn/1
Archive Size : 419624
The XOS deletes the VAP group’s archive directory and all of the files in it, and displays the progress of the
operation. For example, the following text appears as the XOS is deleting the archive for a VAP group called
fwvpn:
CBS# archive-vap-group delete vap-group fwvpn
Deleting archive for VAP Group fwvpn ... Done
CBS#
Monitoring the Application
The following sections describe the tools that you can use to monitor Check Point Security Gateway R70
once it is installed on an X-Series Platform.
XOS Application Monitoring on page 57
SNMP Health and Monitoring on page 59
In this section:
Displaying Application Information on page 57
Displaying VAP Group Application Information on page 57
Disabling a VAP Group’s Application Monitoring on page 58
Enabling a VAP Group for Application Monitoring on page 59
The following example shows that Check Point Security Gateway R70 is available for installation on any VAP
group.
CBS# show application
App ID : CPSG
Name : Check Point Security Gateway
Version : R70
Release : 2.0.0.0-9
CBI Version : 1.2.0.0
The following example shows the state of the application on VAP group fwvpn. See Table 3 on page 58 for
descriptions of the information provided.
CBS# show application vap-group fwvpn
VAP Group : fwvpn
App ID : CPSG
Name : Check Point Security Gateway
Version : R70
Release : 2.0.0.0-9
Start on Boot : yes
App Monitor : on
App State(fwvpn_1) : Up
App State(fwvpn_2) : Up
Table 3. VAP Group Application Information
Column/Row Heading | Information Provided
VAP Group | Name of the VAP group on which the application is installed.
App ID | Application identifier that Crossbeam has assigned to the application.
Name | Application name.
Version | Application version.
Release | Application release number.
Start on Boot | Indicates whether the application starts automatically when you boot the VAP group, as shown by the yes or no value in the display. yes: the application starts automatically when the VAP group boots. no: you must start the application manually (application CPSG vap-group <VAP_group_name> start) each time the VAP group boots.
App Monitor | Indicates whether application monitoring is enabled (on) or disabled (off) on the VAP group on which the application is installed. By default, application monitoring is enabled (on). If application monitoring is enabled and the application is not running on a VAP, the health system notifies the NPM to stop new flows to that VAP. The NPM performs this process dynamically without modifying the VAP group's load balance list.
App State(<VAP_name>) | Current state of the application on the named VAP. The show application vap-group command displays the current state of the application on each VAP on which the application is installed. Possible states: Up: the application is running on the VAP. Down: the application is not running on the VAP, but the APM on which the VAP is loaded is functional. Initializing: the application is rebooting. Not Monitored: application monitoring is disabled on the VAP group on which the application is installed, so XOS cannot determine the current state of the application on any VAP.
You can use the CLI show flow distribution command to verify that no new flows are directed to VAPs
that are in a down state.
NOTE: Application monitoring cannot detect process hangs. If a process is not functioning, but the
application is still running, the XOS health system will continue to report the application as running.
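The checks in Table 3 and the note above can be scripted against saved CLI output. The following Python is an added example written for this page, not Crossbeam or Check Point code: it parses the show application vap-group display (a constructed sample here, which adds a third, Down member to the guide's two-VAP output to exercise the checks) and reports the conditions the guide calls out. It is meant to run on a management host against captured output, not on the CPM. Note that it inherits the limitation stated above: a hung process still reports Up, so a Clean result here is not proof that the gateway is passing traffic.

```python
import re

# Constructed sample, modelled on the `show application vap-group` display in this guide.
# fwvpn_3 and its Down state are made up to exercise the checks.
SAMPLE_OUTPUT = """\
VAP Group : fwvpn
App ID : CPSG
Name : Check Point Security Gateway
Version : R70
Release : 2.0.0.0-9
Start on Boot : yes
App Monitor : on
App State(fwvpn_1) : Up
App State(fwvpn_2) : Up
App State(fwvpn_3) : Down
"""

# Accepts both spacings seen in the guide: "App State(fwvpn_1) : Up" and "App State (fwvpn_1): Up".
_STATE_RE = re.compile(r"^App State\s*\((?P<vap>[^)]+)\)\s*:\s*(?P<state>.+?)\s*$")
_FIELD_RE = re.compile(r"^(?P<key>[^:(]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_show_application(text):
    """Split the display into scalar fields and a {vap_name: app_state} map."""
    fields, states = {}, {}
    for line in text.splitlines():
        m = _STATE_RE.match(line)
        if m:
            states[m.group("vap")] = m.group("state")
            continue
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields, states


def assess(fields, states):
    """Apply the rules the guide states and return a list of findings (empty means healthy):
    monitoring off means a stopped application goes unnoticed and keeps receiving new flows;
    Start on Boot no means a manual start after every reload; any state other than Up
    means the NPM should already be withholding new flows from that VAP."""
    findings = []
    if fields.get("App Monitor", "").lower() != "on":
        findings.append("App Monitor is off: a stopped application on any VAP goes undetected")
    if fields.get("Start on Boot", "").lower() != "yes":
        findings.append("Start on Boot is no: run 'application CPSG vap-group "
                        f"{fields.get('VAP Group', '<name>')} start' after every reload")
    for vap, state in sorted(states.items()):
        if state == "Up":
            continue
        if state == "Not Monitored":
            findings.append(f"{vap}: Not Monitored, state unknown to XOS")
        else:
            findings.append(f"{vap}: {state}; confirm with 'show flow distribution' "
                            "that no new flows reach it")
    return findings


if __name__ == "__main__":
    parsed_fields, parsed_states = parse_show_application(SAMPLE_OUTPUT)
    for finding in assess(parsed_fields, parsed_states) or ["all VAPs Up, monitoring on"]:
        print(finding)
```

Feed it the output of show application vap-group for each VAP group; a non-empty result for a VAP that is not Down on purpose (for example, a new member you deliberately left off the load-balance list) is the cue to look at show flow distribution and the application log on that VAP.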
Enabling a VAP Group for Application Monitoring
If you disabled a VAP group’s application monitoring and want to return to the default setting of enabled, enter
the following command:
CBS# configure vap-group <VAP_group_name> application-monitor
SNMP trap and inform destinations are configured with the configure snmp-server host command. For example, the following commands send version 2c traps to 10.1.1.29 with the community string private, and informs to the same host with the community string public:
CBS# configure snmp-server host 10.1.1.29 traps version 2c private
CBS# configure snmp-server host 10.1.1.29 informs version 1 public
Because public and private are the well-known default community strings, use site-specific strings in production, or an SNMPv3 user with authentication and privacy, so that notifications cannot be spoofed or read by anyone who can reach the manager.
NOTE: If the host that you want to delete currently receives informs, you must specify the informs parameter
with this command.
Displaying SNMP Trap Log
The XOS software maintains a rotating log of the last 100 SNMP traps issued by the X-Series Platform. A trap is counted once even if it was sent to several destinations. The associated trap variables (for example, sysUpTime) and the date and time are recorded with each entry.
The sysUpTime value is the time accumulated since the SNMP agent was configured (in MIB-II terms, the time in hundredths of a second since the agent was last re-initialized). It restarts from zero whenever the agent restarts, which matters when you correlate trap entries with other logs; use the recorded date and time for that.
Where:
priv-type [des|none]: Use des to encrypt data, or none (the default) to send it unencrypted. If you use des, auth-type must be md5 or sha. Note that none leaves every SNMP payload in cleartext on the wire, and single DES is a 56-bit cipher; where only these two options are offered, choose des with sha.
oid <access>: Specifies the MIB subtree that the user can access. For example, specify iso for the whole tree, or mib-2 to limit access to just the objects under mib-2. Smaller portions of the MIB can be selected, such as interfaces to restrict access to just the interface table. The default is .iso (the whole tree), so restrict the view explicitly for users that only need to poll a few groups.
The following OID formats are allowed:
  numeric OIDs, such as 1.3.6.1
  fully qualified OID names, such as .iso.org.dod
  names directly under mib-2, such as system, interfaces, at, and ip
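The view check that the oid <access> parameter describes, as an added example (this is not code from the guide or from XOS). It resolves the three OID spellings the page allows to numeric prefixes using the standard MIB-II tree (RFC 1155/1213), decides whether a polled OID lies inside the user's subtree, and applies the page's rule that priv-type des requires auth-type md5 or sha; the OIDs used in the demonstration are standard MIB-II objects, and the warning texts are this example's own.

```python
"""Resolve an SNMPv3 'oid <access>' view and check polled OIDs against it.

Added example, not code from the Check Point/Crossbeam guide or from XOS.
"""

# The standard path from the root to mib-2: .iso.org.dod.internet.mgmt.mib-2 = 1.3.6.1.2.1
ISO_PATH = ("iso", "org", "dod", "internet", "mgmt", "mib-2")
ISO_ARCS = (1, 3, 6, 1, 2, 1)

# Groups directly under mib-2, with their arc numbers (RFC 1213).
MIB2_GROUPS = {
    "system": 1, "interfaces": 2, "at": 3, "ip": 4, "icmp": 5,
    "tcp": 6, "udp": 7, "egp": 8, "transmission": 10, "snmp": 11,
}


def resolve_view(spec):
    """Return the numeric prefix (tuple of ints) for an 'oid <access>' value."""
    s = spec.strip()
    if not s:
        raise ValueError("empty OID spec")
    if s.replace(".", "").isdigit():
        # Numeric form, e.g. 1.3.6.1 or .1.3.6.1
        return tuple(int(x) for x in s.strip(".").split("."))
    if s.startswith("."):
        # Fully qualified name form, e.g. .iso.org.dod, optionally one group after mib-2
        names = s.strip(".").split(".")
        head, tail = names[: len(ISO_PATH)], names[len(ISO_PATH):]
        if tuple(head) != ISO_PATH[: len(head)] or len(tail) > 1:
            raise ValueError(f"unsupported fully qualified name: {spec}")
        arcs = ISO_ARCS[: len(head)]
        if tail:
            if tail[0] not in MIB2_GROUPS:
                raise ValueError(f"unknown mib-2 group: {tail[0]}")
            arcs += (MIB2_GROUPS[tail[0]],)
        return arcs
    if s == "iso":
        return (1,)
    if s == "mib-2":
        return ISO_ARCS
    if s in MIB2_GROUPS:
        # Bare names directly under mib-2, e.g. system, interfaces, at, ip
        return ISO_ARCS + (MIB2_GROUPS[s],)
    raise ValueError(f"unknown OID spec: {spec}")


def oid_allowed(oid, view_prefix):
    """True when a polled numeric OID lies inside the view's subtree (prefix match on arcs)."""
    arcs = tuple(int(x) for x in oid.strip(".").split("."))
    return arcs[: len(view_prefix)] == view_prefix


def validate_v3_user(auth_type, priv_type):
    """Apply the page's constraint on auth/priv and return warnings for weak choices.

    Raises ValueError for combinations the CLI rejects (des without md5 or sha).
    """
    if auth_type not in ("md5", "sha", "none"):
        raise ValueError(f"unsupported auth-type: {auth_type}")
    if priv_type not in ("des", "none"):
        raise ValueError(f"unsupported priv-type: {priv_type}")
    if priv_type == "des" and auth_type not in ("md5", "sha"):
        raise ValueError("priv-type des requires auth-type md5 or sha")
    warnings = []
    if priv_type == "none":
        warnings.append("no privacy: SNMP payloads travel in cleartext")
    if auth_type == "none":
        warnings.append("no authentication: requests are not bound to the user")
    if auth_type == "md5":
        warnings.append("md5 authentication is weak; prefer sha")
    if priv_type == "des":
        warnings.append("single DES is a 56-bit cipher; use it only where AES is unavailable")
    return warnings


if __name__ == "__main__":
    view = resolve_view("interfaces")            # (1, 3, 6, 1, 2, 1, 2)
    for oid in ("1.3.6.1.2.1.2.2.1.10.3",        # ifInOctets.3: inside the view
                "1.3.6.1.2.1.1.1.0"):            # sysDescr.0: outside it
        print(oid, "allowed" if oid_allowed(oid, view) else "denied")
    for w in validate_v3_user("sha", "des"):
        print("warning:", w)
```

A user created with oid interfaces can read ifInOctets but is denied sysDescr, while the default .iso view permits everything, including any enterprise subtree. The check is a plain prefix comparison on the numeric arcs, which is why the three spellings must be normalised to numbers first.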
IMPORTANT: Enabling the SNMP daemon at the Check Point level requires a restart of the firewall module.
1. Activate the Check Point products SNMP daemon from the Check Point Security Gateway Configuration Menu. See Enabling and Disabling Check Point Products SNMP daemon on page 47 for access and configuration information.
2. Edit $FWDIR/conf/snmp.C so that its values match the values the SNMP manager uses when polling the module. Values in this file are written in parentheses after the attribute name; for example, a value of cbsfw is written as (cbsfw).
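A small, scriptable way to make the snmp.C edit in step 2, as an added example (not code from the guide or from Check Point). It assumes the flat ":name (value)" line form the page describes, where the value sits in parentheses after the attribute name; the attribute names in the constructed sample file are hypothetical and only illustrate the edit.

```python
"""Read and update values in a Check Point '.C' set-file such as $FWDIR/conf/snmp.C.

Added example, not code from the Check Point/Crossbeam guide. It assumes the
flat ':name (value)' line form; the attribute names in the sample are hypothetical.
"""
import re

# One ':name (value)' line: indentation, name, spacing, parenthesised value.
LINE_RE = re.compile(
    r"^(?P<indent>\s*):(?P<name>[\w.-]+)(?P<sep>\s*)\((?P<value>[^()]*)\)\s*$"
)

# Constructed sample in the ':name (value)' layout (attribute names are assumptions).
SAMPLE_SNMP_C = (
    "(\n"
    "\t:snmp_community (public)\n"
    "\t:snmp_port (161)\n"
    ")\n"
)


def get_value(text, name):
    """Return the parenthesised value of attribute `name`, or None if it is absent."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("name") == name:
            return m.group("value")
    return None


def set_value(text, name, value):
    """Return `text` with attribute `name` rewritten as ':name (value)'.

    Only the value changes; indentation, attribute order and every other line
    are preserved so the file keeps the layout the gateway expects. A missing
    attribute raises KeyError instead of appending a line whose position in a
    nested file could be wrong.
    """
    if "(" in value or ")" in value:
        raise ValueError("value must not contain parentheses")
    out, found = [], False
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = LINE_RE.match(body)
        if m and m.group("name") == name:
            newline = line[len(body):]
            line = f"{m.group('indent')}:{name}{m.group('sep')}({value}){newline}"
            found = True
        out.append(line)
    if not found:
        raise KeyError(name)
    return "".join(out)


if __name__ == "__main__":
    # Replace the default community string with the one the SNMP manager polls with.
    print(set_value(SAMPLE_SNMP_C, "snmp_community", "cbsfw"))
```

Read the file, apply set_value for each attribute the manager needs, write it back, and then restart the firewall module as the IMPORTANT note above requires; values containing parentheses are rejected because they would break the (value) syntax.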
To enable SNMP MIB polling on the SNMP manager:
1. Locate the Check Point MIB file to import into the SNMP manager. The chkpnt.mib file is located at the following path:
$CPDIR/lib/snmp/chkpnt.mib
2. Import the file into your SNMP environment using the import method that applies to your environment.