
  • 6 May 2012

    How To Install and Configure IPSO VSX 5.0

  • © 2012 Check Point Software Technologies Ltd.

    All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

    RESTRICTED RIGHTS LEGEND:

    Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

    TRADEMARKS:

    Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

    Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.


  • Important Information

    Latest Software

    We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

    Latest Documentation

    The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=16601

    For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

    Revision History

    Date        Description
    5/6/2012    First release of this document

    Feedback

    Check Point is engaged in a continuous effort to improve its documentation.

    Please help us by sending your comments (mailto:[email protected]?subject=Feedback on How To Install and Configure IPSO VSX 5.0 ).


  • Contents

    Important Information ..... 3
    How To Install and Configure IPSO VSX 5.0 ..... 5
        Objective ..... 5
        Supported Versions ..... 5
        Supported Operating Systems ..... 5
        Supported Appliances ..... 5
    Before You Start ..... 6
        Related Documents and Assumed Knowledge ..... 6
    Overview ..... 6
    Installing and Configuring IPSO VSX 5.0 ..... 7
        IPSO Installation and Setup ..... 7
        Configuring Standalone VSX ..... 10
        Configuring VSX VRRP Cluster ..... 19
        Configuring Virtual System ..... 29
        Resetting VSX Gateway Installation ..... 34
    VSX Commands ..... 35
    Abbreviations and Definitions ..... 36
    Index ..... 37

  • How To Install and Configure IPSO VSX 5.0

    Objective

    This document explains how to install and configure a basic IPSO 5.0 VSX as a single gateway, or in a VRRP High Availability configuration.

    Supported Versions

    Management Station Requirements:

    Provider-1
    NGX R65: SecurePlatform, Solaris 8, 9, 10, Red Hat Enterprise Linux 3.0 (kernel 2.4.21)
    R70: SecurePlatform, Solaris 8, 9, 10, Red Hat Enterprise Linux 5.0 (kernel 2.6.18)

    SmartCenter Server
    NGX R65: IPSO 4.1/4.2, SecurePlatform, Solaris 8, 9, 10, Red Hat Enterprise Linux 3.0 (kernel 2.4.21) and Windows 2000/2003
    R70: SecurePlatform, Solaris 8, 9, 10, Red Hat Enterprise Linux 5.0 (kernel 2.6.18)

    The VSX NGX R65 management Add-On must be installed on the Provider-1 or the SmartCenter Server: VPN-1 Power VSX NGX R65 management update for SmartCenter/Provider-1 (http://supportcontent.checkpoint.com/file_download?id=8259).

    The latest HFA must be installed on both the Provider-1 and the SmartCenter Server.

    VSX NGX R65 GUI plug-in for SmartConsole.

    VSX Gateway Requirements:

    VPN-1 VSX NGX R65 for IPSO 5.0

    Supported Operating Systems

    IPSO 5.0 MR2 (Build 67) and MR3 (Build 072) for NGX R65

    Supported Appliances

    IP390 (flash)
    IP390 (disk)
    IP560 (flash)
    IP560 (disk)
    IP740 (disk)
    IP690 (flash)
    IP690 (disk)
    IP1220 (flash)
    IP1220 (disk)
    IP1260 (flash)
    IP1260 (disk)
    IP1280 (flash)
    IP1280 (disk)
    IP2250 (flash)
    IP2255 (flash)
    IP2450 (flash)
    IP2450 (disk)

    Before You Start

    Related Documents and Assumed Knowledge

    SK Articles:

    VSX supported Devices and Interface Cards - sk41224 (http://supportcontent.checkpoint.com/solutions?id=41224).

    Commonly used Abbreviations and Definitions used in VSX - sk40436 (http://supportcontent.checkpoint.com/solutions?id=40436).

    Virtual Switch (VSw) FAQ - sk38918 (http://supportcontent.checkpoint.com/solutions?id=38918).

    VSX Gateway recovery in NGX R65 - sk40351 (http://supportcontent.checkpoint.com/solutions?id=40351).

    What is VSX and where does NMDS fit in? - sk41481 (http://supportcontent.checkpoint.com/solutions?id=41481).

    Reading Material:

    VPN-1 Power VSX R65 Administration Guide for R70 Management (http://downloads.checkpoint.com/dc/download.htm?ID=7944)

    VPN-1 Power VSX NGX R65 HFA 10 Release Notes (http://downloads.checkpoint.com/dc/download.htm?ID=10363)

    IPSO VSX 5.0 MR2 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=10246)

    VPN-1 Power VSX NGX R65 Nokia Module Installation (http://downloads.checkpoint.com/dc/download.htm?ID=10162)

    VPN-1 Power VSX NGX R65 Administration Guide (http://downloads.checkpoint.com/dc/download.htm?ID=10321)

    Overview

    VSX runs multiple virtual firewalls in a single box. A single gateway has a separate policy installed for each virtual system.

    The different names used for VSX are:

    VSX: Virtual System Extensions

    Virtual firewall

    High Availability in VSX:

    You can use VRRP High Availability in VSX


    Cluster Support:

    No. Not at this time.

    Transparent Mode support:

    Yes. It is called Bridge Mode.

    Dynamic Routing:

    Yes. It supports BGP, OSPF, RIP v1/v2, PIM SM/DM, and IGMP.

    ADP support:

    Yes. As of NMDS/IPSO 5.0

    The Check Point versions that NMDS 4.2 and 5.0 are based on:

    4.2 is based on Check Point NG AI R54

    5.0 is based on Check Point NGX R65

    VSX software and operating system requirements:

    There are special builds of IPSO and Check Point required for VSX

    SmartCenter server for VSX:

    VSX is supported in Provider-1 and SmartCenter Server.

    Supported IPSO Platforms:

    sk41224 (http://supportcontent.checkpoint.com/solutions?id=41224) provides the list of supported devices and interface cards.

    Disk mirroring support in NMDS installation:

    Disk mirroring is currently not supported in an NMDS installation.

    Installing and Configuring IPSO VSX 5.0

    IPSO Installation and Setup

    To Install IPSO:

    1. Place the IPSO package, IPSO 5.0-Build41 (ipso.tgz), and the Firewall VSX package (fw1_****.tgz) in one directory on an FTP server (GuildFTPD is a good, easy to use, free one).

    2. Boot into boot manager.

    3. Type any character to enter command mode. The prompt changes to BOOTMGR[1]>.

    4. Run: install

    5. Follow the installation prompts as detailed below.

    Note - If you select the "Retrieve all valid packages, with no further prompting" option, the installer downloads the VSX package and prompts you to install it later in the installation.


        ################## IPSO Full Installation ################
        You will need to supply the following information: Client IP address/netmask, FTP server IP address
        and filename, and license information. This process will DESTROY any existing files and data on
        your disk.
        #################################################################

        Continue? (y/n) [n] y

        Please answer the following licensing questions.
        Will this node be using IGRP ? [y]
        Will this node be using BGP ? [y]

        Devices available to install diskless image
        #  name  model            size    type             location
        0  wd0   STI Flash 8.0.0  4110MB  CF-INTERNAL-IDE  InternalCF
        Select # of entry to install diskless image : 0

        1. Install from anonymous FTP server.
        2. Install from FTP server with user and password.
        Choose an installation method (1-2): 2

        Enter IP address of this client (10.207.107.16/24): 10.207.107.40
        Please enter a netmask length: (24)
        Enter IP address of FTP server (0.0.0.0): 10.207.107.16
        Enter IP address of the default gateway (0.0.0.0): 10.207.107.1

        Choose an interface from the following list:
        1) eth-s2p1
        2) eth-s2p2
        3) eth-s3p1
        4) eth-s3p2
        5) eth-s3p3
        6) eth-s3p4
        7) eth-s4p1
        8) eth-s4p2
        9) eth-s4p3
        10) eth-s4p4
        Enter a number [1-10]: 3

        Choose interface speed from the following list:
        1) 10 Mbit/sec
        2) 100 Mbit/sec
        3) 1000 Mbit/sec
        Enter a number [1-3]: 2
        Half or full duplex? [h/f] [h] f
        Enter user name on FTP Server : vsx
        Enter password for "vsx":
        Enter path to ipso image on FTP server [~]:
        Enter ipso image filename on FTP server [ipso.tgz]:

        1. Retrieve all valid packages, with no further prompting.
        2. Retrieve packages one-by-one, prompting for each.
        3. Retrieve no packages.
        Enter choice [1-3] [1]: 2

        Client IP address = 10.207.107.40/24
        Server IP address = 10.207.107.16
        Default gateway IP address = 10.207.107.1
        Network Interface = eth-s3p1, speed = 100M, full-duplex
        Server download path = [//]
        Package install type = prompting
        Mirror set creation = no

        Are these values correct? [y] y
        Checking what packages are available on 10.207.107.16.
        Hash mark printing on (1048576 bytes/hash mark).
        Interactive mode off.


    To Set Up IPSO:

    1. When prompted (after the reboot), enter your desired hostname.

        Hostname? Please choose the host name for this system.
        This name will be used in messages and usually corresponds with one of
        the network hostnames for the system. Note that only letters, numbers,
        dashes, and dots (.) are permitted in a hostname.
        Hostname? vsxvrrp
        Hostname set to "vsxvrrp", OK? [y]

    2. When prompted, enter an admin password.

        Please enter password for user admin:
        Please re-enter password for confirmation:

    3. Select the unit configuration option, Voyager (WebUI) or CLI.

        You can configure your system in two ways:
        1) configure an interface and use our Web-based Voyager via a remote browser
        2) configure an interface by using the CLI
        Please enter a choice [ 1-2, q ]: 1

        Select an interface from the following for configuration:
        1) eth-s2p1
        2) eth-s2p2
        3) eth-s3p1
        4) eth-s3p2
        5) eth-s3p3
        6) eth-s3p4
        7) eth-s4p1
        8) eth-s4p2
        9) eth-s4p3
        10) eth-s4p4
        11) quit this menu
        Enter choice [1-11]: 3
        Enter the IP address to be used for eth-s3p1: 10.207.107.25
        Enter the masklength: 24
        Do you wish to set the default route [ y ] ? y
        Enter the default router to use with eth-s3p1: 10.207.107.1
        This interface is configured as 1000 mbs by default. Do you wish to configure this interface for other speeds [ n ] ? y
        Enter the speed (100M or 10M) for interface: 100M
        This interface is configured as half duplex by default. Do you wish to configure this interface as full duplex [ n ] ? f
        Illegal choice, please enter y or n. Try again:
        This interface is configured as half duplex by default. Do you wish to configure this interface as full duplex [ n ] ? y

        You have entered the following parameters for the eth-s3p1 interface:
        IP address: 10.207.107.25
        masklength: 24
        Default route: 10.207.107.1
        Speed: 100M
        Duplex: full
        Is this information correct [ y ] ? y
        Do you want to configure Vlan for this interface[ n ] ?

        You may now configure your interfaces with the Web-based Voyager by
        typing in the IP address "10.207.107.25" at a remote browser.

    4. When prompted to restore a backup with AUTOBackup, enter n for no.

        Do you want to build the system from existing AUTObackup [y|n]? n

    5. If the unit has no disk, you are prompted to enable remote logging. Enter n for no.

        Do you want to configure remote logging [ n ] ? n

    6. The system proceeds with the installation of the VSX package retrieved earlier. Select 1, Install this as a new package.

        Package Description: Check Point VPN-1 Power VSX NGX R65
        (Thu Mar 6 16:42:49 IST 2008 Build 610001014)
        Would you like to :
        1. Install this as a new package
        2. Upgrade from an old package
        3. Skip this package
        4. Exit new package installation
        Choose (1-4): 1

        Installing fw1_610001014_1.tgz
        Running CPsuite-V40/INSTALL PRE /opt/CPsuite-V40 /opt/tmp/fw1_610001014_1.tgz CPsuite-V40/MANIFEST newpkg
        Deployment finished OK
        Running CPsuite-V40/INSTALL POST /opt/CPsuite-V40 /opt/tmp/fw1_610001014_1.tgz CPsuite-V40/MANIFEST newpkg
        ***************************************************************************
        Important - DON'T FORGET TO: Log in again and run vsx_config and then cpconfig in
        order to register the license and configure Check Point VPN-1 Power VSX NGX R65.
        ***************************************************************************
        Check Point VPN-1 Power VSX NGX R65 installation complete.
        ***************************************************************************
        Done installing CPsuite-V40
        End of new package installation
        cleaning up ..done

    Configuring Standalone VSX

    You can either use the command line or the SmartDashboard.

    To Configure Standalone VSX:

    1. The unit reboots after the Initial setup. Log into Voyager and verify that Check Point VSX is enabled.

    2. From the IPSO command line, run vsx_config to launch the VSX networking configuration utility.

        vsxvrrp[admin]# vsx_config

        Welcome to the VSX networking configuration utility.
        vsx_config will now attempt to acquire an exclusive config lock.
        This means instances of other applications like clish or voyager
        loses any config locks that they currently hold. While vsx_config
        runs, instances of such applications are likely to interfere with
        vsx_config operation. Please do not run instances of competing
        applications like clish, voyager or vsx_config to ensure a smooth
        user experience.

        The configuration system is locked by Voyager service
        This lock will be deleted.

        Welcome to the VSX initial networking configuration utility.
        This utility is used in order to perform all of the necessary
        network configurations, prior to running the cpconfig utility.
        You can run this utility again at any time in order to perform
        certain changes to the system.
        If there are any other users connected to this system via the
        IPSO CLI or Voyager they will be disconnected.

        Do you wish to proceed (y/n) [y]? y

    3. When asked if you want to create Link Aggregated interfaces, enter n for no.

        Do you want to create Link Aggregated interfaces (y/n) [y]? n
        Creating logical interfaces . . . . . . . . . .

    4. When prompted to select the interface used to manage the VSX system, enter the interface that communicates with the SmartCenter or Provider-1 management. You are then prompted for the interface settings, network address and default gateway.

        Which interface will be used to manage the system:
        ----------------------------------------------------------------------
        1. eth-s2p1c0
        2. eth-s2p2c0
        3. eth-s3p1c0
        4. eth-s3p2c0
        5. eth-s3p3c0
        6. eth-s3p4c0
        7. eth-s4p1c0
        8. eth-s4p2c0
        9. eth-s4p3c0
        10. eth-s4p4c0
        11. Quit this menu
        Please Choose [1 - 11]: 10
        The interface eth-s4p4c0 is currently configured as 10 mbs. Do you wish to configure this interface for another speed? (y/n) [n]? y
        Enter the interface speed for eth-s4p4
        ----------------------------------------------------------------------
        1. 10 MBit
        2. 100 MBit
        3. 1000 MBit
        4. Quit this menu
        Please Choose [1 - 4]: 2
        This interface is currently configured as half duplex. Do you wish to configure this interface as full duplex (y/n) [n]? y

        The configuration process will create a Management System. The Management will communicate through the eth-s4p4c0 interface.
        The interface is configured with the following addresses.
        Select the Management system address:
        ----------------------------------------------------------------------
        1. Configure a new one
        Please Choose [1 - 1]: 1
        Enter an IP address for the interface [eth-s4p4c0]: 10.1.1.2
        Enter the mask length: 24
        The following default gateways are defined.
        Select a default gateway
        ----------------------------------------------------------------------
        1. 10.207.107.1
        2. Configure a new one
        Please Choose [1 - 2]: 1

    5. When asked if the VSX gateway is to be part of a cluster, enter n. You are then asked to confirm that this is a standalone system.

        Is this VSX gateway part of a cluster (y/n) [y]? n
        This will configure the system in stand-alone mode. Are you sure (y/n) [y]? y

    6. The system displays the settings you entered and prompts you to verify them. Enter y to confirm.

        ----------------------------------------------------------------------
        You have entered the following configuration parameters for VSX
        Management Interface: eth-s4p4c0
        Management IP Address: 10.1.1.2/24
        Default Gateway: 10.207.107.1
        Connection Details: 100M, full duplex
        LAG Groups: 0
        Is this information correct (y/n) [y]? y
        Saving config struct...
        executing save_config ...
        Initializing instances...
        Disabling interface eth-s2p1c0
        Disabling interface eth-s2p2c0
        Disabling interface eth-s3p1c0
        Disabling interface eth-s3p2c0
        Disabling interface eth-s3p3c0
        Disabling interface eth-s3p4c0
        Disabling interface eth-s4p1c0
        Disabling interface eth-s4p2c0

    7. When prompted to configure other interfaces, select the number of the next interface whose speed and duplex you want to define. This can also be done later in Voyager.

        You may now make changes to the capabilities of additional interfaces and enable them.
        Would you like to modify the speed/duplexity capabilities of the following interfaces:
        ----------------------------------------------------------------------
        1. eth-s2p1c0
        2. eth-s2p2c0
        3. eth-s3p1c0
        4. eth-s3p2c0
        5. eth-s3p3c0
        6. eth-s3p4c0
        7. eth-s4p1c0
        8. eth-s4p2c0
        9. eth-s4p3c0
        10. No! Quit this menu
        Please Choose [1 - 10]: 10
        Exiting.
        The interface eth-s3p1c0 is currently configured as 10 mbs. Do you wish to configure this interface for another speed? (y/n) [n]? y
        Enter the interface speed for eth-s4p4
        ----------------------------------------------------------------------
        1. 10 MBit
        2. 100 MBit
        3. 1000 MBit
        4. Quit this menu
        Please Choose [1 - 4]: 2
        This interface is currently configured as half duplex. Do you wish to configure this interface as full duplex (y/n) [n]? y

    8. The VSX initial networking configuration is done. When prompted, run cpconfig.

        Congratulations - the initial networking configuration is done. You should run cpconfig in order to configure the VSX software.
        Do you wish to execute cpconfig now (y/n) [y]? y
        Proceeding with cpconfig

    To Configure a Standalone VSX with the Check Point Configuration Program (cpconfig):

    1. If you did not run cpconfig at the end of vsx_config, run it from the IPSO command line: cpconfig

        Welcome to Check Point Configuration Program
        =================================================
        Please read the following license agreement.
        Hit 'ENTER' to continue...
        Do you accept all the terms of this license agreement (y/n) ? y

    2. When prompted to install a Check Point clustering product (High Availability), enter n for no.

        Would you like to install a Check Point clustering product (CPHA or State Synchronization)? (y/n) [n] ? n

    3. When asked if you want to add licenses, enter n for no. Licenses can be added later from the command line or with SmartUpdate.

        Configuring Licenses...
        =======================
        Host             Expiration  Signature                                 Features

        Do you want to add licenses (y/n) [y] ? n

    4. When prompted, perform a short random keystroke session to fill the random pool.

        Configuring Random Pool...
        ==========================
        You are now asked to perform a short random keystroke session.
        The random data collected in this session will be used in various cryptographic operations.
        Please enter random text containing at least six different characters. You will see the '*' symbol after keystrokes
        that are too fast or too similar to preceding keystrokes. These keystrokes will be ignored.
        Please keep typing until you hear the beep and the bar is full.
        [....................]
        Thank you.

    5. When prompted, enter an activation key for SIC (Secure Internal Communication). This is a one-time key that you need to remember only for a short time.

        Configuring Secure Internal Communication...
        ============================================
        The Secure Internal Communication is used for authentication between Check Point components
        Trust State: Uninitialized
        Enter Activation Key:
        Retype Activation Key:
        The Secure Internal Communication was successfully initialized

    6. Your VSX machine is now configured from the command line. Reboot.

        In order to complete the installation you must reboot the machine.
        Do you want to reboot? (y/n) [y] ? y

    To Configure a VSX Standalone Gateway in SmartDashboard:

    1. Open SmartDashboard for the SmartCenter Server or the CMA under which the VSX gateway is to be defined.

    2. From the tree view, right-click Check Point > New Check Point > VPN-1 Power VSX > Gateway. The VSX Gateway General Properties window opens.


    3. Enter the VSX Gateway Name and IP Address, select the version from the drop-down list (for IPSO 5.0, formerly NMDS 5.0, the version is VPN-1 Power VSX NGX R65), and click Next. The Virtual Systems Creation Templates window opens.


    4. Select the Virtual System Creation Template you want to use to create a VS. Custom Configuration allows flexibility when you define each VS. These templates govern how interfaces are defined for each VS. Click Next. The VSX Gateway General Properties window opens.

    5. Enter the one-time Activation Key (SIC key) that you entered on the gateway under cpconfig, and click Next. The VSX Gateway Interfaces window opens.

    6. If you want to use VLAN trunking, select the interface you want trunking on, and click Next. The VSX Gateway Management window opens.

    Note - You can modify VLAN settings later when you edit the VSX object.


    7. Select the Services and Sources that are allowed to access the VSX Gateway itself. This security policy is generated and installed on the VSX Gateway automatically. Click Next. The Virtual Network Device Configuration window opens.


    8. Configure the virtual network device. If a Virtual Switch or Virtual Router is not needed now (it can be defined later), leave the check box clear. Click Next. The VSX Gateway Creation Finalization window opens.


    9. Click Finish. The VSX Gateway Creation Summary window opens.

    Configuring VSX VRRP Cluster

    You can configure a VSX VRRP cluster either from the command line or from SmartDashboard.

    To Configure a VSX VRRP Cluster:

    Perform these steps on each unit in the VRRP cluster. Before you proceed, you must have two identical hardware units with the same installed interfaces and slot configurations. Also plan the addressing of the internal communication network for the VSX cluster.

    1. After the initial boot manager installation, log into Voyager and verify that Check Point VSX is enabled.

    2. Run: vsx_config. This launches the VSX initial networking configuration utility.

        vs1[admin]# vsx_config
        Do you wish to proceed (y/n) [y]? y

    3. When asked if you want to create Link Aggregated interfaces, enter n for no.

        Do you want to create Link Aggregated interfaces (y/n) [y]? n
        Creating logical interfaces . . . . . . . . . .


    4. When prompted, select the interface you want to use to manage the VSX system. This is the interface you use to communicate with the SmartCenter or Provider-1 Management. You are also asked for the interface settings, network address and default gateway.

        Which interface will be used to manage the system:
        ----------------------------------------------------------------------
        1. eth-s2p1c0
        2. eth-s2p2c0
        3. eth-s3p1c0
        4. eth-s3p2c0
        5. eth-s3p3c0
        6. eth-s3p4c0
        7. eth-s4p1c0
        8. eth-s4p2c0
        9. eth-s4p3c0
        10. eth-s4p4c0
        11. Quit this menu
        Please Choose [1 - 11]: 10
        The interface eth-s4p4c0 is currently configured as 10 mbs.
        Do you wish to configure this interface for another speed? (y/n) [n]? y
        Enter the interface speed for eth-s4p4
        ----------------------------------------------------------------------
        1. 10 MBit
        2. 100 MBit
        3. 1000 MBit
        4. Quit this menu
        Please Choose [1 - 4]: 2
        This interface is currently configured as half duplex. Do you wish to configure this interface as full duplex (y/n) [n]? y

        The configuration process will create a Management System. The Management will communicate through the eth-s4p4c0 interface.
        The interface is configured with the following addresses.
        Select the Management system address:
        ----------------------------------------------------------------------
        1. Configure a new one
        Please Choose [1 - 1]: 1
        Enter an IP address for the interface [eth-s4p4c0]: 10.1.1.2
        Enter the mask length: 24
        The following default gateways are defined.
        Select a default gateway
        ----------------------------------------------------------------------
        1. 10.207.107.1
        2. Configure a new one
        Please Choose [1 - 2]: 1

    5. When asked if the VSX Gateway is to be part of a cluster, enter y. You are then asked to confirm your selection.

        Is this VSX gateway part of a cluster (y/n) [y]? y
        Are you sure you want to configure clustering on the system (y/n) [y]? y

    6. When asked which interface to use for synchronization with the other cluster member, select it. You also need to provide its speed, duplex and a sync address.

        Select the interface that will be used for synchronization with other cluster members:
        ----------------------------------------------------------------------
        1. eth-s2p1c0
        2. eth-s2p2c0
        3. eth-s3p1c0
        4. eth-s3p2c0
        5. eth-s3p3c0
        6. eth-s3p4c0
        7. eth-s4p1c0
        8. eth-s4p2c0
        9. eth-s4p3c0
        10. quit this menu
        Please Choose [1 - 10]: 9
        Select the IP address for the sync interface
        Addresses configured on eth-s4p3c0
        ----------------------------------------------------------------------
        1. Configure a new one
        Please Choose [1 - 1]: 1
        Enter an IP address for the interface [eth-s4p3c0]: 172.168.1.1
        Enter the mask length: 24

    7. In VRRP Setting, select the physical interfaces you want to add to VRRP. Use a space to separate the interfaces. The management interface is automatically added to the VRRP settings. When asked if this unit is the Master, enter n for no if this is the secondary unit. You are also asked which of your VRRP interfaces are to be used along with the Virtual Router ID, and if the Cluster is to accept connections to the Virtual Router. In the example below, Virtual Router ID 100 is used. Virtual Router ID 101 is automatically assigned to the Management interface.

    Do you wish to setup VRRP now (y/n) [y]? y

    Will this machine be the master (y/n) [y]? y

    You need to select the set of interfaces that will be used for Virtual Systems. The Management interface (eth-s4p4c0) is configured with VRRP automatically.

    If you want to select the Virtual System interfaces later, or wish to add another interface to be used by Virtual Systems, you need to run the vsx_config utility again, selecting "Configure VRRP on additional interfaces".

    From the list below select additional interfaces to be used by Virtual Systems and Virtual Routers:

    ---------------------------------------------------------

    -------------

    1. eth-s2p1c0
    2. eth-s2p2c0
    3. eth-s3p1c0
    4. eth-s3p2c0
    5. eth-s3p3c0
    6. eth-s3p4c0
    7. eth-s4p1c0
    8. eth-s4p2c0
    9. Configure all available interfaces

    Enter the list of interfaces (separated by spaces): 3 4 5 6

    The script will allocate a range of Virtual Router IDs that must be the same for the master and backup. You will be asked to enter a starting Virtual Router ID and the range will be calculated based on the number of interfaces previously selected. For separate VRRP clusters, the range of Virtual Router IDs must not overlap.

    Enter the starting Virtual Router ID (1-254) [1]: 100

    The range of Virtual Router IDs used will be 100-101.

    Is this range of Virtual Router IDs acceptable (y/n) [y]? y
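    As an added example that is not part of the Check Point document, the following Python reproduces the Virtual Router ID range calculation the prompt above describes and checks a planned set of clusters for the overlap it warns about; the function names and cluster names are assumptions.

```python
# Added example (not part of the Check Point document): reproduces the
# Virtual Router ID allocation that vsx_config describes and checks that
# separate VRRP clusters on a shared segment do not overlap. Function and
# cluster names are assumptions made for this example.
from typing import Dict, List, Tuple

VRID_MIN, VRID_MAX = 1, 254  # the vsx_config prompt offers IDs 1-254 only


def vrid_range(start: int, selected_interfaces: int) -> Tuple[int, int]:
    """Return the inclusive (first, last) VRID range one cluster will use.

    vsx_config hands out IDs from `start` for the interfaces selected for
    Virtual Systems plus one more for the management interface, which is
    always placed under VRRP. Start 100 with one interface gives 100-101,
    as in the document's transcript.
    """
    if not VRID_MIN <= start <= VRID_MAX:
        raise ValueError(f"starting VRID {start} is outside {VRID_MIN}-{VRID_MAX}")
    if selected_interfaces < 0:
        raise ValueError("interface count cannot be negative")
    last = start + selected_interfaces  # management ID included, inclusive end
    if last > VRID_MAX:
        raise ValueError(f"range {start}-{last} runs past VRID {VRID_MAX}")
    return start, last


def overlapping_clusters(plan: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Return the pairs of clusters whose VRID ranges intersect.

    Two VRRP clusters on the same layer-2 segment that reuse a VRID would
    see each other's advertisements as belonging to one virtual router, so
    the ranges must be disjoint, exactly as the vsx_config text warns.
    """
    names = sorted(plan)
    clashes: List[Tuple[str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_first, a_last = plan[a]
            b_first, b_last = plan[b]
            if a_first <= b_last and b_first <= a_last:
                clashes.append((a, b))
    return clashes


if __name__ == "__main__":
    # Constructed plan: the document's cluster plus a second one that was
    # started at 101 and therefore collides with the management VRID.
    plan = {"vsxvrrp": vrid_range(100, 1), "second-cluster": vrid_range(101, 2)}
    print(plan, overlapping_clusters(plan))
```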

    8. When asked, confirm your VSX and VRRP settings.

    ---------------------------------------------------------

    -------------

    You have entered the following configuration parameters for VSX

    Management Interface: eth-s4p4c0
    Management IP Address: 10.1.1.1/24
    Default Gateway: 10.207.107.1
    Connection Details: 100M, full duplex
    VRRP Sync Interface: eth-s4p3c0
    VRRP Sync Address: 172.168.1.1/24
    VRRP State: Master
    Starting Virtual Router ID: 100
    Number of interfaces to be configured with VRRP: 1
    Auto-Backup: Not Configured
    LAG Groups: 0

    Is this information correct (y/n) [y]? y
    Saving config struct...
    executing save_config ...

    9. The command line configuration for one VSX device is complete. Repeat the steps above for the secondary unit. One step differs: when asked if this machine is to be the master, enter n for no.

    To Configure the VSX VRRP Cluster with the Check Point Configuration Program Utility:

    1. If cpconfig is not run during vsx_config, from the IPSO command line, run: cpconfig

    Welcome to Check Point Configuration Program

    =================================================

    Please read the following license agreement. Hit 'ENTER' to continue...

    Do you accept all the terms of this license agreement

    (y/n) ? y

    2. When asked if you want to install a Check Point clustering product, enter y for yes.

    Would you like to install a Check Point clustering product (CPHA or State Synchronization)? (y/n) [n] ? y

    3. When asked if you want to add licenses, you can choose to do it later from the SmartUpdate command line. If so, enter n for no.

    Configuring Licenses...

    =======================

    Host Expiration Signature

    Features

    Do you want to add licenses (y/n) [y] ? n


    4. In Random Pool configuration, when prompted, perform a short random keystroke session.

    Configuring Random Pool...

    ==========================

    You are now asked to perform a short random keystroke session. The random data collected in this session will be used in various cryptographic operations.

    Please enter random text containing at least six different characters. You will see the '*' symbol after keystrokes that are too fast or too similar to preceding keystrokes. These keystrokes will be ignored.

    Please keep typing until you hear the beep and the bar is full.

    [....................]

    Thank you.

    5. In the SIC (Secure Internal Communication) option, you are required to enter an Activation Key. This is a one-time use key and you only need to remember it for a short time period.

    Configuring Secure Internal Communication...

    ============================================

    The Secure Internal Communication is used for authentication between Check Point components

    Trust State: Uninitialized
    Enter Activation Key:
    Retype Activation Key:

    The Secure Internal Communication was successfully initialized

    6. Your VSX machine is now configured from the command line. Reboot.

    In order to complete the installation you must reboot the machine.

    Do you want to reboot? (y/n) [y] ? y

    To Configure a VSX Cluster (VRRP) Gateway in SmartDashboard:

    1. Open the SmartDashboard for the Smart Center Server or for the CMA that the VSX Cluster is defined under.

    2. To create a VSX Cluster Gateway, right click Check Point, and select New Check Point > VPN-1 Power VSX > Cluster. The VSX Cluster General Properties window opens.


    3. Enter the VSX Gateway Name and IP Address, and select the Version and Platform from the drop down lists. For IPSO 5.0 (formerly NMDS 5.0), select VPN-1 Power VSX NGX R65, and IPSO VRRP (Nokia VRRP in older versions) for the VSX Cluster Platform. Click Next. The Virtual Systems Creation Templates window opens.

    4. Select the Virtual System Creation Template you want to use to create a VS. Custom Configuration allows flexibility when you define each VS. These templates govern how the interfaces of each VS are defined. Click Next. The VSX Cluster Members window opens.


    5. To define a cluster member, click Add. You must have two members available to establish SIC to continue. The Member Properties window opens.

    6. Enter the cluster member Name (the same as you define for each VSX gateway), IP Address (the same as the Management interface), and the SIC Authentication Key used during the cpconfig process. Repeat for the second gateway. Click Next.


    7. The members show in the VSX Cluster Members window. Click Next. The VSX Cluster Interfaces window opens.

    8. The available interfaces are displayed (if there is no available interface, refer to sk39673 (http://supportcontent.checkpoint.com/solutions?id=39673)). You can select VLAN Trunk for any interface in this window. Click Next. The Synchronization Network window opens.



    9. Select the synchronization interface. The available synchronization interface, defined in vsx_config, is also displayed. Verify the defined IP address. Click Next. The External Communication window opens.

    10. Select the Virtual System external interface. Click Next. The VSX Gateway Management window opens.


    11. Select the protocol access that you want to allow on the VSX Gateway. This security policy is automatically generated and installed on the VSX Gateway. Click Next. The VSX Gateway Creation Finalization window opens.

    12. Click Finish. The VSX Cluster Creation Summary window opens.


    13. Click Close.

    Note - In a VSX cluster environment the internal communication network is a logical network used for communications between VSX components. The address of Internal Communication Network is assigned during the initial creation of the VSX Cluster. This network is automatically assigned from the default IP address range that consists of four class C addresses (192.168.196.0/255.255.252.0). Make sure this range is not used in any other external network connected to this VSX Cluster.

    Note - The above default IP address range can be modified on the Cluster Members window of the VSX Cluster object, but only before you create the Virtual Systems. Once Virtual Systems are created, this option is grayed out and cannot be modified.
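    An added pre-flight check for the two notes above (not from the Check Point document): it uses Python's standard ipaddress module to flag any attached network that overlaps the default internal communication range, so the range can still be changed before the Virtual Systems are created. The interface table is constructed; four entries reuse addresses from this section's transcripts and the last is invented.

```python
# Added example (not part of the Check Point document): checks that the
# default VSX internal communication network, 192.168.196.0/22 (four class C
# networks), does not collide with any network attached to the cluster.
# The interface list below is constructed: the first four entries reuse
# addresses from the document's transcripts, the last one is invented.
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Tuple

DEFAULT_INTERNAL_COMM_NET = IPv4Network("192.168.196.0/22")


def conflicting_networks(attached: Dict[str, str],
                         internal: IPv4Network = DEFAULT_INTERNAL_COMM_NET
                         ) -> List[Tuple[str, str]]:
    """Return (interface, network) pairs that overlap the internal comm network.

    `attached` maps an interface name to the address/prefix configured on it.
    Overlap in either direction counts: a /24 inside the /22 is as much of a
    problem as a /16 that swallows it.
    """
    clashes: List[Tuple[str, str]] = []
    for name, cidr in attached.items():
        net = ip_network(cidr, strict=False)  # host address -> its network
        if net.version == 4 and net.overlaps(internal):
            clashes.append((name, str(net)))
    return clashes


SAMPLE_INTERFACES = {
    "eth-s3p1c0": "10.207.107.25/24",   # from the ifconfig -a output
    "eth-s3p2c0": "192.168.100.1/24",   # from the ifconfig -a output
    "eth-s4p3c0": "172.168.1.1/24",     # sync interface from vsx_config
    "eth-s4p4c0": "10.1.1.2/24",        # management interface
    "eth-s3p3c0": "192.168.198.1/24",   # constructed: lands inside the /22
}

if __name__ == "__main__":
    for iface, net in conflicting_networks(SAMPLE_INTERFACES):
        print(f"{iface}: {net} overlaps {DEFAULT_INTERNAL_COMM_NET}; change the "
              "internal communication network before creating Virtual Systems")
```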

    Configuring Virtual System

    To Configure a Virtual System with SmartDashboard:

    1. In SmartDashboard, right click your VSX Gateway or the VSX Cluster Gateway, and select New Virtual System. The Virtual System General Properties window opens.


    2. Enter the name for the new VS and select the VSX Gateway/Cluster the VS is created under. Click Next. The Virtual System Network Configuration window opens.


    3. You can add your internal, external, and DMZ interfaces. You can either use a physical interface, or you can create and use a virtual switch if you do not have enough physical ports available. You can also define your routes, including your default route. When done, click Next. The Virtual System Gateway Configuration Finalization window opens.


    4. Click Finish. The Virtual System Gateway Creation Summary window opens.

    5. Click Close.

    To Verify Virtual System Configurations:

    1. To verify that the system is assigned the correct interfaces and address information, from the IPSO command line, run: ifconfig -a


    vsxvrrp[admin]# ifconfig -a
    eth-s2p1c0: lname eth-s2p1c0 flags=e0
            phys eth-s2p1 flags=4132 ether 0:a0:8e:ba:c4:b4 speed 1000M full duplex
    eth-s2p2c0: lname eth-s2p2c0 flags=e0
            phys eth-s2p2 flags=4132 ether 0:a0:8e:ba:c4:b5 speed 1000M full duplex
    eth-s3p1c0: lname eth-s3p1c0 flags=e7
            inet instance vs1 mtu 1500 10.207.107.25/24 broadcast 10.207.107.255
            phys eth-s3p1 flags=4133 ether 0:a0:8e:ba:c4:b8 speed 100M full duplex
    eth-s3p2c0: lname eth-s3p2c0 flags=e7
            inet instance vs1 mtu 1500 192.168.100.1/24 broadcast 192.168.100.255
            phys eth-s3p2 flags=4133 ether 0:a0:8e:ba:c4:b9 speed 10M half duplex
    eth-s3p3c0: lname eth-s3p3c0 flags=e0
            phys eth-s3p3 flags=4132 ether 0:a0:8e:ba:c4:ba speed 10M half duplex
    eth-s3p4c0: lname eth-s3p4c0 flags=e0
            phys eth-s3p4 flags=4132 ether 0:a0:8e:ba:c4:bb speed 10M half duplex
    eth-s4p1c0: lname eth-s4p1c0 flags=e0
            phys eth-s4p1 flags=4132 ether 0:a0:8e:ba:c4:bc speed 10M half duplex
    eth-s4p2c0: lname eth-s4p2c0 flags=e0
            phys eth-s4p2 flags=4132 ether 0:a0:8e:ba:c4:bd speed 10M half duplex
    eth-s4p3c0: lname eth-s4p3c0 flags=e0
            phys eth-s4p3 flags=4132 ether 0:a0:8e:ba:c4:be speed 10M half duplex
    eth-s4p4c0: lname eth-s4p4c0 flags=e7
            inet mtu 1500 10.1.1.2/24 broadcast 10.1.1.255
            phys eth-s4p4 flags=4133 ether 0:a0:8e:ba:c4:bf speed 100M full duplex
    loop0c0: lname loop0c0 flags=57
            inet6 mtu 63000 ::1 --> ::1
            inet mtu 63000 127.0.0.1 --> 127.0.0.1
            phys loop0 flags=10b
    loop0c1: lname loop0c1 flags=57
            inet instance vs1 mtu 63000 127.0.0.1 --> 127.0.0.1
            phys loop0 flags=10b
    pppoe0: flags=127 encaps none
    soverf0: flags=2923
    stof0: flags=2903
    tun0: flags=107

    2. To verify the correct policy is installed and active, run: vsx stat -v

    vsxvrrp[admin]# vsx stat -v
    VSX Gateway Status
    ==================
    Name:                                          vsxvrrp
    Security Policy:                               vsxvrrp_VSX
    Installed at:                                  27Mar2008 6:04:03
    SIC Status:                                    Trust
    Number of Virtual Systems allowed by license:  100
    Virtual Systems [active / configured]:         1 / 1
    Virtual Routers and Switches [active / configured]: 0 / 0
    Total connections [current / limit]:           3 / 30000

    Virtual Devices Status
    ======================
    ID   | Type & Name             | Security Policy   | Installed at      | SIC Stat
    -----+-------------------------+-------------------+-------------------+---------
       1 | S vs10                  | InitialPolicy     | 27Mar2008 6:20    | Trust

    Type: S - Virtual System, B - Virtual System in Bridge mode, R - Virtual Router, W - Virtual Switch.
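    An added example, not from the Check Point document, that parses the output of vsx stat -v shown above and reports Virtual Systems that are still on InitialPolicy or whose SIC trust is not established; the sample text is constructed from the transcript plus an invented second Virtual System, vs20.

```python
# Added example (not part of the Check Point document): parses the text that
# `vsx stat -v` prints and flags Virtual Systems that are still running
# InitialPolicy (the default policy loaded before a real policy is installed)
# or whose SIC trust is not established. SAMPLE_VSX_STAT is constructed from
# the document's output plus an invented second Virtual System, vs20.
import re
from typing import Dict, List

SAMPLE_VSX_STAT = """\
VSX Gateway Status
==================
Name:                                          vsxvrrp
Security Policy:                               vsxvrrp_VSX
Installed at:                                  27Mar2008 6:04:03
SIC Status:                                    Trust
Number of Virtual Systems allowed by license:  100
Virtual Systems [active / configured]:         2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]:           3 / 30000

Virtual Devices Status
======================
ID   | Type & Name             | Security Policy   | Installed at      | SIC Stat
-----+-------------------------+-------------------+-------------------+---------
   1 | S vs10                  | InitialPolicy     | 27Mar2008 6:20    | Trust
   2 | S vs20                  | vs20_Standard     | 27Mar2008 6:25    | Unknown

Type: S - Virtual System, B - Virtual System in Bridge mode, R - Virtual Router, W - Virtual Switch.
"""

HEADER_LINE = re.compile(r"^([^:]+):\s+(.*\S)\s*$")
DEVICE_ROW = re.compile(
    r"^\s*(\d+)\s*\|\s*([SBRW])\s+(\S+)\s*\|\s*(\S+)\s*\|\s*(.*?)\s*\|\s*(\S+)\s*$")


def parse_vsx_stat(text: str) -> Dict:
    """Split the output into gateway key/values and one dict per virtual device."""
    gateway: Dict[str, str] = {}
    devices: List[Dict] = []
    in_devices = False
    for line in text.splitlines():
        if line.startswith("Virtual Devices Status"):
            in_devices = True
            continue
        if not in_devices:
            m = HEADER_LINE.match(line)
            if m:
                gateway[m.group(1).strip()] = m.group(2)
        else:
            m = DEVICE_ROW.match(line)
            if m:
                devices.append({"id": int(m.group(1)), "type": m.group(2),
                                "name": m.group(3), "policy": m.group(4),
                                "installed": m.group(5), "sic": m.group(6)})
    return {"gateway": gateway, "devices": devices}


def findings(parsed: Dict) -> List[str]:
    """One line per condition under which a VS is not yet enforcing its policy."""
    out: List[str] = []
    if parsed["gateway"].get("SIC Status") != "Trust":
        out.append("gateway: SIC trust not established")
    for dev in parsed["devices"]:
        if dev["sic"] != "Trust":
            out.append(f"{dev['name']}: SIC state {dev['sic']}")
        if dev["policy"] == "InitialPolicy":
            out.append(f"{dev['name']}: InitialPolicy still installed, push the VS policy")
    return out


if __name__ == "__main__":
    for line in findings(parse_vsx_stat(SAMPLE_VSX_STAT)):
        print(line)
```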

    Resetting VSX Gateway Installation

    You can reset a VSX Gateway to correct a mistake in the initial installation, or if you want to go from a standalone configuration to VRRP, or the other way around.

    To Reset VSX Gateway Installation:

    1. Remove the Check Point VSX package through Voyager or the CLI.

    2. To reboot the unit and ask for a new hostname, run: newsystem -r

    3. Enter the initial configuration details.

    4. Re-install Check Point VSX.

    5. Run: vsx_config


    VSX Commands

    fw vsx stat

    Description: displays VSX status information.

    Usage: fw vsx stat [-v] [-l]

    Syntax:

    -v Gives verbose (detailed) information; shows the full status table.

    -l Gives a detailed list of all the virtual systems.

    fw vsx set

    Description: sets the context to a specific Virtual System. Use fw vsx stat -v to find out the VS system number.

    Usage: fw vsx set {vsname | vsid}

    Example: fw vsx set 2

    fw getifs

    Usage: fw [-vs vsid | vsname] getifs

    Description: Gets the Firewall driver interface list for a designated Virtual System. The default gives the VSX Gateway.

    Comment: Can be used to check the connectivity of a specific Virtual System to other physical or Virtual Routers. The command line displays the current context.

    fw monitor

    Description: built-in tool that captures network packets at multiple capture points within the VSX system. This Command Line Reference gives only the syntax specific to VSX Gateway/Cluster.

    Usage: fw monitor [-v vsid]

    Example: fw monitor -v 2 -e 'accept ip_p=6' shows all TCP packets that pass through Virtual System 2.

    Syntax:

    [-v vsid] Selects, by ID only, the specific Virtual System on which packets should be captured. The default gives the VSX Gateway.

    fw tab

    Description: shows state tables for a specific Virtual System. State tables hold the state information the Virtual System needs in order to inspect packets correctly.

    Usage: fw [-vs vsid | vsname] tab [-t name] [...]

    Example: fw -vs 1 tab -t connections -s

    Syntax:

    [-vs vsid | vsname] Shows state tables for a specific Virtual System, by name or ID. The default gives the VSX Gateway.

    -t name Shows only the state table with the specified name.

    [...] Arguments as defined for non-VSX machines.

    fw vsx fetch

    Description: fetches and executes configuration files.

    Usage:

    fw vsx fetch [-v | -q | -s] [-f conf_file] [local]

    fw vsx fetch [-v | -q] -C

    fw vsx fetch [-v | -q | -c | -n | -s] [management] [local]

    Syntax:

    -c Cluster mode.

    -n Does not run local.vsall if the VSX configuration fetched from management is up-to-date.

    -s Concurrent fetches for multi-processor environments.

    -q Quiet output. Nothing is displayed except the summary lines at command startup and finish.

    -v Gives verbose (detailed) information.

    -f conf_file Fetches the named NCS command configuration file instead of the default local.vsall.

    local Reads the local.vsall configuration file from $FWDIR/state/local/vsx and executes the NCS script.

    management Fetches local.vsall from management, replaces the local copy and runs it.

    -C "command" Runs a specific NCS command.

    fw vsx sic reset

    Description: resets the SIC for the Virtual System.

    Usage: fw vsx sic reset {vsname | vsid}

    cphaprob state

    Description: checks the status of each gateway/cluster member.

    Abbreviations and Definitions

    VSX: Virtual System Extensions. VSX is a virtualized security gateway that allows managed service providers and enterprises with virtualized networks to create up to 250 virtual security systems that include firewall, VPN, and intrusion prevention on a single hardware platform.

    NMDS (now IPSO 5.0): Nokia Multi Domain Security. Nokia Virtual Firewall (formerly named Nokia Multiple Domain Security) is the package of Check Point VPN-1 Power VSX.

    MVS: Management Virtual System. The FireWall-1 instance that provisions and configures virtual systems and routers.

    DMI: Direct Management Interface. A dedicated interface that manages the VSX system.

    Non-DMI: Non-Direct Management Interface. A non-dedicated or shared interface that manages the VSX system.

    EVR: External Virtual Router. The FireWall-1 instance that connects virtual systems with the external network. For example, the Internet.

    IVR: Internal Virtual Router. A FireWall-1 instance that connects virtual systems with the internal network. For example, a switch. The IVR connects the VS VLAN interface to the customer network.

    VS: Virtual System. A FireWall-1 instance with the firewall and VPN facilities of a standard gateway.

    VR: Virtual Router. A FireWall-1 instance that acts as a router.

    MVS: Multiple Virtual Systems. The FireWall-1 instances that provision and configure virtual systems and routers.

    VSw: Virtual Switch. A virtual switch gives you the ability to connect virtual systems (VS) without an External Virtual Router (EVR). A VSw operates at layer 2, which eliminates the need to segment your external public IP network. By simplifying your topology from layer 3 to layer 2, it reduces configuration complexity and overhead. Similar to a physical switch, a VSw maintains forwarding tables with a list of MAC addresses and their associated ports.

    MSP: Managed Service Providers. A Group of people that manage other customer networks.

    Wrp: A virtual end point of a Warp Link. A Warp Link is a virtual point-to-point connection between a virtual system and a virtual router. For example, wrp50xxx and wrpj50xxx connect a VS/VR to the MVS.

    WrpN: Warp interface terminating at VS

    Wrpj: Warp interface terminating at EVR (Unnumbered)

    SMC: SmartCenter Server. SmartCenter centrally defines all aspects of a security policy: VPNs, network address translation (NAT), Quality of Service (QoS), web access, desktop and endpoint security, antivirus protections, SmartDefense updates. Objects for networks, hosts, users, services, resources, and actions defined as part of a security policy are visually represented and can be manipulated from within SmartDashboard.

    P1: Provider 1. Contains multiple customer SmartCenters on one device that serves as central management.

    Index

    A
    Abbreviations and Definitions • 35

    B
    Before You Start • 6

    C
    Configuring Standalone VSX • 10
    Configuring Virtual System • 28
    Configuring VSX VRRP Cluster • 18

    H
    How To Install and Configure IPSO VSX 5.0 • 5

    I
    Important Information • 3
    Installing and Configuring IPSO VSX 5.0 • 7
    IPSO Installation and Setup • 7

    O
    Objective • 5
    Overview • 6

    R
    Related Documents and Assumed knowledge • 6
    Resetting VSX Gateway Installation • 33

    S
    Supported Appliances • 5
    Supported Operating Systems • 5
    Supported Versions • 5

    V
    VSX Commands • 34
