Check Point® VPN-1 Power VSX NGX R65
Installation and Configuration Guide for Crossbeam® X-Series Platforms

Part Number 005595D
December 2010

Crossbeam XOS Version: 9.5.0 or later


Copyright and Trademark Information

Copyright © 2010 by Crossbeam Systems ®

Boxborough, MA, USA

All Rights Reserved

The products, specifications, and other technical information regarding the products contained in this document are subject to change without notice. All information in this document is believed to be accurate and reliable, but is presented without warranty of any kind, expressed or implied, and users must take full responsibility for their application of any products specified in this document. Crossbeam Systems disclaims responsibility for errors that may appear in this document, and it reserves the right, in its sole discretion and without notice, to make substitutions and modifications in the products and practices described in this document.

This material is protected by the copyright and trade secret laws of the United States and other countries. It may not be reproduced, distributed, or altered in any fashion by any entity (either internal or external to Crossbeam Systems), except in accordance with applicable agreements, contracts, or licensing, without the express written consent of Crossbeam Systems.

For permission to reproduce or distribute please contact your Crossbeam Systems account executive.

Crossbeam, Crossbeam Systems, X-Series, XOS, X20, X30, X45, X60, X80, X80-S and any logos associated therewith are trademarks or registered trademarks of Crossbeam Systems, Inc. in the U.S. Patent and Trademark Office, and several international jurisdictions.

All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.


Check Point® VPN-1 Power VSX NGX R65 Installation and Configuration Guide for Crossbeam X-Series Platforms 3

Contents

About This Guide
    Intended Audience . . . 5
    Related Documentation . . . 5
    Conventions . . . 6
        Typographical Conventions . . . 6
        Cautions, Warnings, and Notes . . . 7
    Crossbeam Customer Support . . . 8
    Check Point Customer Support . . . 8

Chapter 1: Installation
    Prerequisites . . . 9
    Configuring the VAP Group, Circuits, and Interfaces for the Application . . . 10
        Synchronization Circuit Requirements . . . 11
        Configuring Routing . . . 11
    Copying and Installing the Crossbeam RPM Package . . . 12
    Installing the Application on a VAP Group . . . 12
    Verifying the Installation . . . 14
    Upgrading to VPN-1 Power VSX NGX R65 . . . 14
        Upgrading to XOS V9.5.0 Using Migration . . . 15
        Upgrading to XOS V9.5.0 Using Shar Upgrade . . . 16
        Upgrading to VPN-1 Power VSX NGX R65 . . . 16
            Uninstalling VSX NGX and Migrating to XOS V9.5.0 . . . 17
            Upgrading the Check Point Management Station . . . 17
            Modifying the Configuration . . . 17
            Installing Check Point VPN-1 Power VSX NGX R65 . . . 18

Chapter 2: Configuration
    Configuration Constraints and Considerations . . . 21
        VSX Application Configuration Constraints . . . 21
        VSX Application Configuration Considerations . . . 22
        VSX SmartDashboard Configuration Considerations . . . 23
        VSX Cluster Configuration Considerations . . . 23
    Reconfiguring Management IP Addresses for a VSX Cluster in Non-DMI Mode . . . 23
    Configuring High Availability State Synchronization . . . 24
        Enabling Single-Box High Availability (SBHA) Application Synchronization . . . 24
        Enabling Dual-Box High Availability (DBHA) Application Synchronization . . . 25
        Disabling High Availability Application Synchronization . . . 27
    Configuring the VSX Component . . . 27
    Configuring VPN using VSX NGX R65 . . . 28
        Configuring VPN with One VAP in the VAP Group . . . 28
        Configuring VPN with Multiple VAPs in the VAP Group . . . 29
        Configuring Multiple Entry Point VPNs . . . 30
        Configuring Single Entry Point (SEP) VPNs . . . 30
    Configuring VRRP . . . 31
    Configuring VSX Dynamic Routing . . . 32
        Creating and Configuring IP Flow Rules . . . 32
        Enabling Dynamic Routing . . . 33
    Configuring RSA SecurID Authentication for the VSX Application . . . 34
        Configuring SecurID Authentication Using the Default RSA ACE/Server Configuration . . . 34
        Configuring SecurID Authentication Using the RSA ACE/Server as a RADIUS Server . . . 35
    XOS Running Configuration File Examples for Basic VSX Configurations . . . 36
        Basic VSX Configuration Without VLANs . . . 36
        Basic VSX Configuration with VLANs . . . 37
        VSX Configuration Using VRRP . . . 38

Chapter 3: Managing and Monitoring the Application
    Managing the Application . . . 41
        XOS Command Line Interface (CLI) . . . 41
        Adding and Removing Cluster/VAP Group Members . . . 42
            Adding a Member to a Cluster/VAP Group . . . 42
            Removing a Member from a Cluster/VAP Group . . . 44
    Monitoring the Application . . . 44
        XOS Application Monitoring . . . 44
            Displaying Application Information . . . 44
            Displaying VAP Group Application Information . . . 44
            Disabling a VAP Group’s Application Monitoring . . . 46
            Enabling a VAP Group for Application Monitoring . . . 46


About This Guide

This guide describes how to install and configure Check Point VPN-1 Power VSX NGX R65 on the Crossbeam X-Series Platform.

IMPORTANT: For the latest updates and revisions to X-Series Platform documentation, log in to the Crossbeam online support Web site at http://www.crossbeam.com/support/online-support/.

Intended Audience

This guide is intended for system integrators and other qualified service personnel responsible for installing, configuring, and managing the software on the Crossbeam X-Series Platform.

Related Documentation

The following related documents are provided on the Crossbeam Systems USB Installer (USBI), and are available on the Crossbeam online support Web site located at http://www.crossbeam.com/support/online-support/.

XOS Command Reference Guide

XOS Configuration Guide

XOS V9.5.0 Release Notes

Install Server User Guide, V6.1

See the Check Point documentation for information about Check Point VPN-1 Power VSX NGX R65.


Conventions

Typographical Conventions

For paragraph text conventions, see Table 1 on page 1-6.

For command-line text conventions, see Table 2 on page 1-7.

Table 1. Typographical Conventions Used in Paragraph Text

Bold
    Types of information: Elements on the graphical user interface.
    Usage examples:
        In the IP Address field, type the IP address of the first VAP in the group.
        Click OK to close the dialog.
        Select the Print to File check box.

Courier
    Types of information: Keys on the keyboard. File names, folder names, and command names. Any information that you must type exactly as shown. Program output text.
    Usage examples:
        Press Esc to return to the main menu.
        Save the user.txt file in the user_install directory.
        Use the start command to start the application.
        In the Username field, type Administrator.
        The X-Series operating system (XOS) CLI show calendar command displays the system calendar:
            Fri Mar 20 13:32:03 2009

Courier Italic
    Types of information: File names, folder names, command names, or other information that you must supply.
    Usage examples:
        In the Version Number field, type 8.5.patch_number.

>
    Types of information: A sequence of commands from the taskbar or menu bar.
    Usage examples:
        From the taskbar, choose Start > Run.
        From the main menu, choose File > Save As...
        Right-click on the desktop and choose Arrange Icons By > Name from the pop-up menu.


Table 2. Typographical Conventions Used in Command-Line Text

Courier
    Types of information: User prompts and program output text.
    Usage examples:
        CBS# show calendar
        Fri Mar 20 13:32:03 2009

Courier Bold
    Types of information: Information that you must type in exactly as shown.
    Usage examples:
        [root@xxxx]# md crossbeam

<Courier Italic>
    Types of information: Angle brackets surrounding Courier italic text indicate file names, folder names, command names, or other information that you must supply.
    Usage examples:
        [root@xxxx]# md <your_folder_name>

[ ]
    Types of information: Square brackets contain optional information that may be supplied with a command.
    Usage examples:
        [root@xxxx]# dir [drive:] [path] [<filename>] [/P] [/W] [/D]

|
    Types of information: Separates two or more mutually exclusive options.
    Usage examples:
        [root@xxxx]# verify [ON|OFF]

{ }
    Types of information: Braces contain two or more mutually exclusive options from which you must choose one.
    Usage examples:
        CBS# configure vap-group <VAP_group_name>
        CBS(config-vap-grp)# raid {0 | 1}

Cautions, Warnings, and Notes

IMPORTANT: Lists important steps that you must perform properly or important information that you must take into consideration to avoid performing unnecessary work.

NOTE: Provides special information or tips that help you properly understand or carry out a task.

Caution: Lists precautions that you must take to avoid temporary data loss or data unavailability.

Warning: Lists precautions that you must take to avoid personal injury, permanent data loss, or equipment damage.


Crossbeam Customer Support

Crossbeam Systems offers a variety of service plans designed to meet your specific technical support requirements. For information on purchasing a service plan for your organization, please contact your account representative or refer to http://www.crossbeam.com/support/technical-support/.

If you have purchased a Crossbeam Systems product service plan and need technical assistance, you can report issues by telephone:

United States: +1 800-331-1338 OR +1 978-318-7595

EMEA: +33 4 8986 0400 (during normal working hours)
      +1 978-318-7595 (outside office hours and on public holidays, if applicable)

Asia Pacific: +1 978-318-7595

Latin America: +1 978-318-7595

You can also report issues via e-mail to [email protected].

In addition, all of our service plans include access to the Crossbeam online support portal located at http://www.crossbeam.com/support/online-support/.

The Crossbeam online support Web site provides you with access to a variety of resources, including Customer Support Knowledgebase articles, technical bulletins, product documentation, and release notes. You can also access our real-time problem reporting application, which lets you submit new technical support requests and view all your open requests.

Crossbeam Systems also offers extensive customer training on all of its products. For current course offerings and schedules, please refer to the Crossbeam training and education Web site located at http://www.crossbeam.com/support/training-services/.

Check Point Customer Support

Check Point provides technical support through its Web site. The Check Point Support Web site, located at http://support.checkpoint.com, provides direct access to online user documentation and technical support.

Chapter 1: Installation

This chapter describes how to install Check Point VPN-1 Power VSX NGX R65 onto an X-Series Platform. This chapter also describes how to upgrade from a previous version of VSX to VPN-1 Power VSX NGX R65 when upgrading to a new version of XOS.

This chapter contains the following sections:

Prerequisites on page 9

Configuring the VAP Group, Circuits, and Interfaces for the Application on page 10

Copying and Installing the Crossbeam RPM Package on page 12

Installing the Application on a VAP Group on page 12

Verifying the Installation on page 14

Upgrading to VPN-1 Power VSX NGX R65 on page 14

Upgrading to XOS V9.5.0 Using Migration on page 15

Upgrading to XOS V9.5.0 Using Shar Upgrade on page 16

Prerequisites

Before installing and configuring Check Point VPN-1 Power VSX NGX R65 on an X-Series Platform:

Ensure that all Check Point requirements have been met. See the Check Point documentation.

Each Application Processor Module (APM) on which the application is to be installed must have a minimum of 1GB of memory for up to 50 Virtual Systems, and 2GB for 51-100 Virtual Systems.

The X-Series Platform must be running XOS V9.5.0 or later. All necessary firmware upgrades must also be installed. See the XOS V9.5.0 Release Notes for firmware revision information.

The following hotfixes, obtained from Check Point, are required on the Check Point VSX NGX R65 Management Station (Provider-1 or SmartCenter) to ensure that IP address changes on virtual router Warp links are updated correctly:

fw1_HOTFIX_ENF_HF_HA25_289.tgz

fw1_HOTFIX_ENF_HF_289_347.tgz

The following hotfixes, obtained from Check Point, must be installed on each VAP to successfully run dynamic routing:

fw1_HOTFIX_ECUADOR2_NO_UF_HF_BASE_064.tgz

Mustang-IL_5964_8828_dr_splat_610018001_1.tgz

The VAP group on which the application is to be installed must be configured to run xslinux_v3.

NOTE: Refer to the XOS Configuration Guide, XOS V9.5.0 for instructions on using the CLI to configure a VAP group.

You must be certain that you want to save the X-Series Platform’s current running configuration file to its startup configuration file before installing the application. If not, you must change the running configuration before installing the application. Both the application installation program and the application uninstallation program automatically save the system’s running configuration file to the startup configuration file.

You must use the XOS CLI to configure the management circuit, the synchronization circuit, and any other external and internal circuits that the application will use. These circuits must meet the following requirements:

Device names must be assigned to all circuits. Device names cannot include “vlan”, “vs”, or “vr”, as these are Check Point reserved keywords. If a circuit is assigned to a physical interface configured to pass VLANs, the circuit’s device name cannot exceed 4 characters.

NOTE: In the VSX application’s Multi-Domain GUI (MDG), the term “interface name” refers to the device names assigned to circuits and interfaces during XOS CLI configuration.

Each physical interface to be used by the application must be assigned to a circuit. All physical interfaces must be physically plugged in, and all links must be UP before the application is installed.

Any circuit that is not assigned to a physical interface must be configured with an associated interface type called interface-internal (which forces the link to be UP).

If the VSX cluster is to be installed in non-Dedicated Management Interface (non-DMI) mode or if the Virtual Router (VR) and a Virtual System (VS) are on the same subnet, the management circuit must be configured to enable proxy ARP.

NOTE: If the Virtual Router (VR) and a Virtual System (VS) are on the same subnet, and proxy ARP is not enabled, the VS ARP cannot be resolved on the internet side and traffic cannot pass through the VS.

You must install licenses on the VSX enforcement modules before configuring VSX Virtual Devices.

Configuring the VAP Group, Circuits, and Interfaces for the Application

Before installing Check Point VPN-1 Power VSX NGX R65, you must use the XOS CLI to configure the VAP group, circuits, and interfaces to be used by Check Point VPN-1 Power VSX NGX R65, as follows.

NOTE: Refer to the XOS Configuration Guide, XOS V9.5.0 for more detailed instructions on using the CLI to configure VAP groups, circuits, and interfaces.

1. Create and configure the VAP group on which the application is to be installed.

IMPORTANT: Make sure the VAP group is configured to run xslinux_v3.

2. Create an IP-less management circuit, assign a device name to the circuit, and assign the circuit to the VAP group on which you plan to install the application.

NOTE: Sharing a management circuit between Dedicated Management Interface (DMI) and non-DMI VAP groups is not supported.

3. If you plan to install the VSX cluster in non-Dedicated Management Interface (non-DMI) mode or if the Virtual Router (VR) and a Virtual System (VS) are on the same subnet, use the following command to enable proxy ARP on the management circuit:

CBS# configure circuit <management_circuit_name> proxy-arp

NOTE: If the Virtual Router (VR) and a Virtual System (VS) are on the same subnet, and proxy ARP is not enabled, the VS ARP cannot be resolved on the internet side and traffic cannot pass through the VS.

4. Before creating any virtual devices on the Check Point Management Station, create at least two circuits without IP addresses, assign device names to the circuits, assign each circuit to a physical interface or a group-interface, and assign the circuits to the VAP group on which you plan to install the application.

a. One circuit is usually connected to the Internet; this circuit is shared by multiple customers.

b. One or more additional circuits must be used to connect customers’ networks to the appropriate Virtual Systems configured on the X-Series Platform.

Typically, these circuits are assigned to VLAN interfaces, with one circuit (one VLAN interface) defined for each customer. To configure a VLAN interface for a customer, you create a template VLAN circuit, assign a device name to the circuit, and then assign the circuit to the physical port that you plan to use for the customer’s VLAN interface.

If no VLANs are involved, you can use a single circuit to connect multiple customers to the X-Series Platform; in this case, you must use Check Point source-based routing to direct traffic originated from customers’ networks to the appropriate Virtual Systems (VSs).

NOTE: The X-Series Platform does not support creating two Virtual Devices on the same subnet if both Virtual Devices use non-VLAN circuits.

5. Create a circuit for synchronization and assign a device name to that circuit. See Synchronization Circuit Requirements, below.

6. If the Check Point Management Station is on a different subnet than the VSX Gateway/Cluster, after installing the application, you must add a default gateway to all the cluster members before you create the cluster in the Check Point SmartCenter GUI.

You can create a default gateway by issuing the following XOS CLI command:

CBS# configure ip default-network <gateway_IP_address> circuit <management_circuit_name> vap-group <VAP_group_name>

Synchronization Circuit Requirements

The synchronization circuit must be configured with the increment-per-vap parameter.

If no external interface is associated with the synchronization circuit, you must create an internal interface using the interface-internal command, configure the interface with the logical-all parameter, and associate the synchronization circuit with it.

If an external interface is associated with the synchronization circuit, do not use interface-internal. You must configure the circuit with the link-state-resistant parameter.

Each synchronization circuit must be unique for each VAP group. There must not be a common synchronization circuit between different firewall clusters on the same network.

For dual-system or multi-system communication, you must assign the synchronization circuit on each system to a physical link between the two systems, and you must configure each synchronization circuit with the link-state-resistant parameter to ensure that the circuit stays up if the physical interface goes down.

For dual-system or multi-system communication, all synchronization circuit IP addresses must be consecutive across the systems.

You cannot use the eth0 or eth1 interface as part of a synchronization network.

Only synchronization traffic should use the synchronization interface.
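
The circuit rules in the Prerequisites section and in Synchronization Circuit Requirements above are easy to miss at the CLI, so the following added example (not Crossbeam's or Check Point's code) is a small Python pre-flight checker that applies them to a hand-written description of a planned layout; the Circuit and Plan classes, their field names and the sample interface names such as "gig 1/1" are this example's own assumptions.

```python
# Added example, not Crossbeam or Check Point tooling: a pre-flight checker that applies
# the circuit rules from the Prerequisites and Synchronization Circuit Requirements
# sections to a planned layout. Circuit/Plan and their fields are this example's own
# invention; interface names such as "gig 1/1" are constructed sample values.
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional

RESERVED = ("vlan", "vs", "vr")     # Check Point reserved keywords (checked case-insensitively)
VLAN_NAME_MAX = 4                    # device-name limit on a VLAN-passing interface
SYNC_FORBIDDEN = ("eth0", "eth1")    # interfaces that may not be part of a sync network


@dataclass
class Circuit:
    name: str                                   # XOS circuit name
    device_name: str                            # shown by Check Point as the interface name
    role: str                                   # "management", "sync" or "data"
    physical_interface: Optional[str] = None    # None when no external interface is attached
    passes_vlans: bool = False
    interface_internal: bool = False
    logical_all: bool = False
    link_state_resistant: bool = False
    increment_per_vap: bool = False
    proxy_arp: bool = False
    sync_ips: List[str] = field(default_factory=list)   # one per system for dual/multi-system sync


@dataclass
class Plan:
    circuits: List[Circuit]
    non_dmi: bool = False            # cluster installed in non-DMI mode
    vr_vs_same_subnet: bool = False  # a Virtual Router and a Virtual System share a subnet
    virtual_systems: int = 1
    apm_memory_gb: int = 1


def check_plan(plan: Plan) -> List[str]:
    """Return the documented rules the plan violates; an empty list means it passes."""
    out: List[str] = []
    need_gb = 1 if plan.virtual_systems <= 50 else 2
    if plan.apm_memory_gb < need_gb:
        out.append(f"{plan.virtual_systems} Virtual Systems need at least {need_gb}GB per APM")
    for c in plan.circuits:
        if not c.device_name or any(kw in c.device_name.lower() for kw in RESERVED):
            out.append(f"{c.name}: device name missing or contains a reserved keyword")
        if c.passes_vlans and len(c.device_name) > VLAN_NAME_MAX:
            out.append(f"{c.name}: device name on a VLAN-passing interface exceeds {VLAN_NAME_MAX} chars")
        if c.physical_interface is None and not c.interface_internal:
            out.append(f"{c.name}: circuit without a physical interface must use interface-internal")
    mgmt = [c for c in plan.circuits if c.role == "management"]
    if (plan.non_dmi or plan.vr_vs_same_subnet) and not all(c.proxy_arp for c in mgmt):
        out.append("non-DMI mode or VR/VS on one subnet requires proxy ARP on the management circuit")
    for c in [s for s in plan.circuits if s.role == "sync"]:
        if not c.increment_per_vap:
            out.append(f"{c.name}: synchronization circuit requires increment-per-vap")
        if c.physical_interface is None:
            if c.interface_internal and not c.logical_all:
                out.append(f"{c.name}: internal sync interface must be configured with logical-all")
        else:
            if c.interface_internal:
                out.append(f"{c.name}: do not use interface-internal when an external interface is attached")
            if not c.link_state_resistant:
                out.append(f"{c.name}: sync circuit on an external interface requires link-state-resistant")
            if c.physical_interface in SYNC_FORBIDDEN:
                out.append(f"{c.name}: eth0/eth1 cannot be part of a synchronization network")
        if len(c.sync_ips) > 1:
            addrs = sorted(int(IPv4Address(ip)) for ip in c.sync_ips)
            if any(b - a != 1 for a, b in zip(addrs, addrs[1:])):
                out.append(f"{c.name}: sync IP addresses must be consecutive across systems")
    return out


def planned_layout() -> Plan:
    """Constructed first attempt: 60 Virtual Systems in non-DMI mode, with several violations."""
    return Plan(
        circuits=[
            Circuit("mgmt", "mgmt", "management", physical_interface="gig 1/1"),
            Circuit("sync", "vsync", "sync", physical_interface="eth1", sync_ips=["10.0.0.1", "10.0.0.3"]),
            Circuit("cust", "customer1", "data", physical_interface="gig 1/3", passes_vlans=True),
            Circuit("loop", "loop", "data"),
        ],
        non_dmi=True, virtual_systems=60, apm_memory_gb=1,
    )


def corrected_layout() -> Plan:
    """The same layout after fixing every finding reported for planned_layout()."""
    return Plan(
        circuits=[
            Circuit("mgmt", "mgmt", "management", physical_interface="gig 1/1", proxy_arp=True),
            Circuit("sync", "sync", "sync", physical_interface="gig 1/2", increment_per_vap=True,
                    link_state_resistant=True, sync_ips=["10.0.0.1", "10.0.0.2"]),
            Circuit("cust", "cst1", "data", physical_interface="gig 1/3", passes_vlans=True),
            Circuit("loop", "loop", "data", interface_internal=True),
        ],
        non_dmi=True, virtual_systems=60, apm_memory_gb=2,
    )
```

Running check_plan(planned_layout()) reports nine findings (memory, the reserved "vs" in "vsync", the over-long VLAN device name, the loopback circuit without interface-internal, missing proxy ARP, and four sync-circuit violations), while check_plan(corrected_layout()) returns an empty list.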

Configuring Routing

Prior to creating any VSX cluster or gateway, verify that all appropriate routing is in place to ensure successful communications between the modules and the management server.

NOTE: To simplify any future reconfiguration, configure any additional routing using the Check Point GUI.

Copying and Installing the Crossbeam RPM Package

NOTE: Refer to the XOS V9.5.0 Release Notes for the correct software version and the RPM package filename.

Load the application onto the Control Processor Module (CPM), as follows:

1. Download the new version of the Check Point VPN-1 Power VSX NGX R65 RPM file from the Crossbeam Customer Support Download Portal, http://www.crossbeam.com/support/online-support/, to the X-Series Platform.

NOTE: You must have an active support contract to access the Crossbeam Customer Support Center.

2. Log in to the X-Series Platform as root.

CBS# unix su
Password:
[root@xxxxx admin]#

3. Copy the RPM package of the VSX version to be installed on the VAP group to the /usr/os/rpm directory on the CPM.

4. To locate the VSX file, change to the /usr/os/rpm directory and list all .rpm files that start with app.

[root@xxxxx admin]# cd /usr/os/rpm/
[root@xxxxx rpm]# ls app*

5. Execute the following command at the root prompt:

[root@xxxxx rpm]# rpm -i <RPM_filename>

Installing the Application on a VAP Group

Make sure the application’s VAP group was created and configured to run xslinux_v3, and make sure the circuits and interfaces to be used by the application were created and configured, as described in Prerequisites on page 9.

To install the application, perform the following steps:

1. Exit from root:

[root@xxxx rpm]# exit

2. Enter the following XOS CLI command to display the loaded applications:

CBS# show application

3. Enter the following XOS CLI command to install the application on the VAP group you created:

CBS# application vsx vap-group <vap-group-name> install

4. Follow the interview process. Information for the interview is explained below:

Previously installed Check Point VPN-1 Power VSX. If the application was previously installed on this VAP group, you are prompted to specify whether you plan to use the existing configuration settings. Entering y sets the existing configuration settings as the default answers to the interview questions, but it does not stop you from changing those default settings during the interview process.

Management interface name. The management interface name is the device name that you assigned to the management circuit when you configured that circuit using the XOS CLI. If the management circuit with the specified device name does not exist, the installation fails. If this occurs, make sure you have configured the management circuit with the correct device name, and make sure you have assigned the management circuit to the VAP group on which you are installing the application. Once you have done this, repeat step 3 to run the installation program again.

Non-DMI. Specify how you will use the management interface.

If the interface will not be a part of a non-Dedicated Management Interface (non-DMI)configuration, enter the dedicated management IP address.

If you plan to use the interface in a non-DMI configuration, specify the type of virtual device(either router or switch) through which users will connect to the management interface.

Virtual Router — When VSX tries to delete the management interface IP in the context of VS0and there is a default route for that IP required by non-DMI, the delete IP request is ignored.The IP is later overwritten by the virtual router IP.

Restrictions for non-DMI virtual router: The management IP of a cluster must be in the samesubnet as the virtual router IP and proxy-ARP has to be enabled.

Virtual Switch — When VSX tries to delete the management interface IP in the context of VS0and there is a default route for that IP required by non-DMI, the delete IP request is handledwhen the cluster is created, but before all associated default or other routes are deleted fromthe CLI for that interface and IP.

Restrictions for non-DMI virtual switch: Proxy-ARP has to be enabled for that circuit.

NOTE: Sharing a management circuit between DMI and non-DMI VAP groups is not supported.Sync Interface. This is the device name that you assigned to the Synchronization circuit when youconfigured that circuit using the XOS CLI.

Secure Internal Communication (SIC): The SIC key is a one time activation key that is used toestablish trust with the Check Point Management Server. On XOS, the activation key is used for allVAPs in the VAP group,

License information. If you wish to enter license information at this time, enter y (for yes) to continue. When prompted, enter the management IP address, license expiration date, signature key, and the SKU/feature for each VAP in the group. If the license is not available, the application installation program automatically uses a 15-day trial license. The 15-day trial license only allows limited features.

NOTE: This license information is optional, as you can always push a central license from the Check Point Management Station.

NOTE: If you attempt to create a VSX cluster for the VAP group, but one or more VAP group members (cluster members) have an expired license or have no license, the Check Point Management Station will issue cluster creation warnings, and the Virtual Device creation process will fail. To resolve this problem, create the cluster for the VAP group, add a valid license to each of the cluster members (VAP group members), and then re-push the policy using Check Point SmartDashboard.

Check Point SecureXL. Provides network acceleration techniques that deliver wire-speed throughput for gigabit networks. It is highly recommended that you use SecureXL.

High Availability (HA). Choose to enable or disable High Availability, which is described in Configuring High Availability State Synchronization on page 24.

5. You must save the configuration to the database. Enter y at the “Do you want to save it to startup-config?” prompt and press Enter.

6. After the installation is complete, reboot the VAP group for the installation to take effect:

CBS# reload vap-group <VAP_group_name>

IMPORTANT: If you are configured to use High Availability Application Synchronization and enabled it during the installation interview, you must perform the steps for the Check Point Management Station listed in Enabling Dual-Box High Availability (DBHA) Application Synchronization on page 25.


Verifying the Installation

Use the following command to verify that the application is installed correctly:

CBS# show application vap-group <VAP_group_name>

where <VAP_group_name> is the name of the VAP group on which you have installed the application.

For example, the following text is displayed if you installed Check Point VPN-1 Power VSX NGX R65 on the VAP group fwvpn, which has two VAPs in the group.

CBS# show application vap-group fwvpn

VAP Group : fwvpn
App ID : VSX
Name : N/A
Version : NGX_R65
Release : N/A
Start on Boot : yes
App Monitor : on

App State (fwvpn_1) : Up
App State (fwvpn_2) : Up

The Start on Boot field shows whether the application will start during VAP boot (yes or no). If no, you must run the application vsx vap-group <VAP_group_name> start CLI command to start the application.

The App State field will display “Up” for the VAP group members if you have created a cluster on the Check Point Management Station, or if you have disabled High Availability. If you have enabled High Availability but have not yet configured a cluster, the App State field will indicate that the VAP group members are Down.

See Table 4 on page 45 for descriptions of the information provided.

Upgrading to VPN-1 Power VSX NGX R65

XOS V9.5.0 supports Check Point VPN-1 Power VSX NGX R65. If you are running VPN-1 Power VSX NGX R65 on XOS V8.5.x or V8.1.x, you can automatically upgrade the VSX application to work with XOS V9.5.0 during the XOS migration process.

If you are running Check Point VPN-1 Power VSX NGX R65 on XOS V9.0 or XOS V9.0.1, you can do a shar upgrade to XOS V9.5.0 and the Check Point VPN-1 Power VSX NGX R65 application will work on the new XOS version.

NOTE: XOS V9.5.0 also supports Check Point VSX NGX R67. If you want to upgrade to this version of the VSX application, see the Check Point® VSX NGX R67 Installation and Configuration Guide for Crossbeam® X-Series Platforms for instructions.

If you are running VPN-1 Power VSX NGX on XOS V8.0.x or V7.3.x, you must uninstall VPN-1 Power VSX NGX, migrate to XOS V9.0, and then install the supported version of the VSX application. Table 3 on page 15 summarizes the XOS migration and VSX application upgrade paths.


NOTE: Migration to XOS V9.5.0 from XOS V7.3.x is supported only with an empty configuration, i.e. there are no VAP groups or interfaces configured on the system. See the XOS Configuration Guide, XOS V9.5.0, for more information.

The following sections describe the migration and upgrade options.

Upgrading to XOS V9.5.0 Using Migration on page 15

Upgrading to XOS V9.5.0 Using Shar Upgrade on page 16

Upgrading to VPN-1 Power VSX NGX R65 on page 16

Upgrading to XOS V9.5.0 Using Migration

This section describes how to migrate to the Crossbeam XOS V9.5.0 software if you already have Check Point VPN-1 Power VSX NGX R65 installed.

NOTE: Refer to the XOS V9.5.0 Release Notes for the correct RPM file name.

To upgrade an existing VPN-1 Power VSX NGX R65 installation to XOS V9.5.0, do the following:

1. Download the new version of the Check Point VPN-1 Power VSX NGX R65 RPM file from the Crossbeam Customer Support Download Portal, http://www.crossbeam.com/support/online-support/, to the X-Series Platform.

NOTE: You must have an active support contract to access the Crossbeam Customer Support Center.

2. Download the xos-migratepack-9.5.0-xx from the Crossbeam Customer Support Download Portal.

3. Log in to the X-Series Platform as root.

CBS# unix su
Password:
[root@xxxx admin]#

4. Copy the RPM file and the xos-migratepack-9.5.0-xx to the /usr/os/rpm directory on the CPM. Do not uninstall the existing VPN-1 Power VSX NGX R65 version.

5. Perform the XOS migration as documented in the XOS Configuration Guide, XOS V9.5.0.

During the XOS migration, you will see a question regarding VSX NGX R65 upgrade:

Enter Yes to upgrade XOS and VSX NGX R65.

Enter No to cancel the upgrade.

Table 3. Migration to XOS V9.5.0

Migrate From                                              Supported VSX NGX Version    Automatically Upgrade VSX
XOS V7.3.x                                                VPN-1 Power VSX NGX          No
XOS V8.0.x                                                VPN-1 Power VSX NGX          No
XOS V8.1.x                                                VPN-1 Power VSX NGX R65      Yes
XOS V8.5.x                                                VPN-1 Power VSX NGX R65      Yes
XOS V9.0 or XOS V9.0.1 (shar upgrade, not a migration)    VPN-1 Power VSX NGX R65      Yes


6. Complete the XOS upgrade and reload the X-Series Platform using the XOS migration instructions in the XOS Configuration Guide, XOS V9.5.0.

Upgrading to XOS V9.5.0 Using Shar Upgrade

This section describes how to migrate to the Crossbeam XOS V9.5.0 software if you already have Check Point VPN-1 Power VSX NGX R65 installed.

NOTE: Refer to the XOS V9.5.0 Release Notes for the correct RPM file name.

To upgrade an existing VPN-1 Power VSX NGX R65 installation to XOS V9.5.0, do the following:

1. Download the new version of the Check Point VPN-1 Power VSX NGX R65 RPM file from the Crossbeam Customer Support Download Portal, http://www.crossbeam.com/support/online-support/, to the X-Series Platform.

NOTE: You must have an active support contract to access the Crossbeam Customer Support Center.

2. Download the xos-upgradepack-A000-9.5.0-xx.shar.gz from the Crossbeam Customer Support Download Portal.

3. Log in to the X-Series Platform as root.

cbs# unix su
Password:
[root@xxxx admin]#

4. Copy the RPM file to the /crossbeam/rpm directory on the CPM. Do not uninstall the existing VPN-1 Power VSX NGX R65 version.

5. Perform the XOS shar upgrade as documented in the XOS Configuration Guide, XOS V9.5.0.

During the XOS migration, you will see a question regarding VSX NGX R65 upgrade:

Enter Yes to upgrade XOS and VSX NGX R65.

Enter No to cancel the upgrade.

6. Complete the XOS upgrade and reload the X-Series Platform using the instructions in the XOS Configuration Guide, XOS V9.5.0.

Upgrading to VPN-1 Power VSX NGX R65

NOTE: If you are running a version of Check Point prior to VSX NGX R65, uninstall it from the modules before you upgrade to XOS V9.5.0.

If you are running XOS V8.x or XOS V7.3.x, and any Check Point VSX application version prior to VPN-1 Power VSX NGX R65, Crossbeam recommends this sequence:

Uninstall the previous version of Check Point VSX NGX from the modules. Remove the VAP group associated with the application.

Upgrade the XOS software from XOS V8.x or XOS V7.3.x to XOS V9.5.0. For migration instructions, see the XOS Configuration Guide, XOS V9.0.

Upgrade the Check Point Management Station software. For instructions, see the Check Point documentation.

Modify your configuration.

Install VPN-1 Power VSX NGX R65.


Uninstalling VSX NGX and Migrating to XOS V9.5.0

1. Uninstall VSX NGX from the VSX NGX (xslinux_v1) VAP group using the following command:

CBS# application vsx vap-group <VAP_group_name> version NGX uninstall

2. Remove the xslinux_v1 VAP group associated with the application.

CBS# configure no vap-group <VAP_group_name>

3. Uninstall the VSX NGX RPM, as follows:

a. Go to the root prompt:

CBS# unix su

b. Change to the rpm directory:

[root@xxx admin]# cd /usr/os/rpm/

c. Uninstall the RPM:

[root@xxx admin]# rpm -e app-firewallvsx-NGX-xxx

4. Upgrade to XOS V9.5.0, using the migration instructions in the XOS Configuration Guide, XOS V9.5.0.

NOTE: Migration from XOS V7.3.x is supported only with an empty configuration. If you are migrating from XOS V7.3.x, save a copy of the configuration file to another system and then uninstall the VSX application. After migrating to XOS V9.5.0, modify the configuration file and use it to update the new installation.

Upgrading the Check Point Management Station

NOTE: If the version of your Check Point Management Station software is R65 or later, upgrading is optional.

1. If necessary, upgrade the Check Point Management Station software to VPN-1 Power VSX NGX R65.

2. After you upgrade the Management Station to VSX NGX R65, upgrade all clusters/modules to VSX NGX R65.

For details on how to upgrade the Check Point Management Station software, see the Check Point documentation.

Modifying the Configuration

1. Create a xslinux_v3 VAP group for Check Point VPN-1 Power VSX NGX R65. Make sure the new VAP group has the same number of VAPs as the VAP group previously used by VSX NGX.

CBS# configure vap-group <new_VAP_group_name> xslinux_v3 vap-count <number_of_VAPs_in_group>

2. Associate all circuits that were previously used by the VSX NGX group with the newly created VSX NGX R65 group.

IMPORTANT: For the upgrade to succeed, do not modify device-names or other circuit parameters. All circuit parameters should match the previous configuration.

For example, if a circuit called sync was previously used by a VSX NGX VAP group named fwvpn, then running-config would include the following lines:

vap-group fwvpn xslinux_v3
  vap-count 3

circuit sync
  device-name sync
  vap-group fwvpn


If you created a new VSX NGX R65 VAP group called vsxvpn, you would use the following commands to associate the circuit named sync with the new VAP group:

CBS# configure circuit sync
CBS(conf-cct)# vap-group vsxvpn

3. Configure the management circuit to remove the IP addresses used by the old VAP group:

CBS# configure circuit <management_circuit_name> vap-group <VAP_group_name> no ip

Installing Check Point VPN-1 Power VSX NGX R65

1. Once all the circuits have been assigned to the new VAP group, obtain the Check Point VPN-1 Power VSX NGX R65 RPM package for XOS V9.5.0.

2. Load the RPM package on the CPM, as follows:

a. Copy the RPM package to the /usr/os/rpm directory on the CPM.

NOTE: Refer to the XOS V9.5.0 Release Notes for the correct software version and filename.

b. To locate the VSX file, change to the /usr/os/rpm directory and list all .rpm files that start with app.

[root@xxxx admin]# cd /usr/os/rpm/
[root@xxxx rpm]# ls app*

c. Execute the following command at the root prompt:

[root@xxxx rpm]# rpm -i <RPM_filename>

3. Enter the following command to install Check Point VPN-1 Power VSX NGX R65 on the newly created VAP group.

CBS# application vsx vap-group <new_VAP_group_name> install

4. Answer the interview questions to configure the installation. Make sure you provide the same management IP addresses as previously used by the Check Point VPN-1 Power VSX NGX R65 VAP group, and use the same configuration options (HA, SXL).

5. Save the configuration.

6. Reload the new VAP group:

CBS# reload vap-group <new_VAP_group_name>

If you installed the application in non-DMI mode, go to Step 7. If not, go to Step 8.

7. For a non-DMI configuration, after you install Check Point VPN-1 Power VSX NGX R65, you must manually reconfigure the management circuit to assign a management IP address to each VAP, using one of the following methods:

Use remote shell (rsh) to log in to each VAP and issue the ifconfig command to assign an IP address to each VAP.

Use the following XOS CLI command to assign unique, consecutive IP addresses to all the VAPs in the VAP group.

CBS# configure circuit <management_circuit_name> vap-group <VAP_group_name> ip <IP_address_of_first_VAP_in_group>/<netmask> increment-per-vap <IP_address_of_last_VAP_in_group>

NOTE: Refer to Reconfiguring Management IP Addresses for a VSX Cluster in Non-DMI Mode on page 23 for details.

8. For each VAP in the new Check Point VPN-1 Power VSX NGX R65 VAP group, run the VSX reconfiguration utility by issuing the following command from the Check Point Management Station:


vsx_util reconfigure

9. Reconfigure each cluster member (VAP group member), as follows:

a. Assign the cluster member to the new Check Point VPN-1 Power VSX NGX R65 cluster (VAP group).

b. Enter all other configuration information for the new cluster member.

IMPORTANT: Make sure you provide the same configuration information that was used by the old cluster (VAP group) — specify the same CMA, the same cluster member name, and the same SIC.

c. If you installed Check Point VPN-1 Power VSX NGX R65 in non-DMI mode, change the IP address assigned to the cluster member to match the management IP address that you configured for that VAP on the X-Series Platform in step 14.

The utility pushes the upgraded cluster configuration and policy to each cluster member (VAP group member) for which you run the vsx_util reconfigure command.

10. Once all the cluster (VAP group) members are reconfigured, reload the new Check Point VPN-1 Power VSX NGX R65 VAP group:

CBS# reload vap-group <new_VAP_group_name>

NOTE: If you need to restore any functionality used on the previous VSX version that is configurable only with the XOS CLI (such as dynamic routing, resource control, and lightweight QoS), you must save the configuration files that the old VSX NGX VAP group used for those features and use those files with the new VAP group.

If you used dynamic routing, you must restart that feature on the new VAP group for each Virtual Device participating in dynamic routing. Refer to “Enabling Dynamic Routing” on page 33 for instructions.

11. Once you complete the upgrade, you can remove the old VAP group from the configuration, as follows:

a. Remove the old VAP group from each existing circuit configuration, as follows:

CBS# configure circuit <circuit_name>
CBS(conf-cct)# no vap-group <old_VAP_group_name>

b. When no more circuits are assigned to the old VAP group, remove the old VAP group completely:

CBS# configure no vap-group <old_VAP_group_name>


2 Configuration

This chapter describes how to configure the VSX application on an X-Series Platform. This chapter contains the following sections:

Configuration Constraints and Considerations on page 21

Reconfiguring Management IP Addresses for a VSX Cluster in Non-DMI Mode on page 23

Configuring High Availability State Synchronization on page 24

Configuring the VSX Component on page 27

Configuring VPN using VSX NGX R65 on page 28

Configuring VRRP on page 31

Configuring VSX Dynamic Routing on page 32

Configuring RSA SecurID Authentication for the VSX Application on page 34

XOS Running Configuration File Examples for Basic VSX Configurations on page 36

Configuration Constraints and Considerations

Before you configure the VSX application on an X-Series Platform, you should review the constraints and additional configuration considerations described in this section:

VSX Application Configuration Constraints on page 21

VSX Application Configuration Considerations on page 22

VSX SmartDashboard Configuration Considerations on page 23

VSX Cluster Configuration Considerations on page 23

VSX Application Configuration Constraints

Be aware of the following constraints when configuring the VSX application:

The Check Point VPN-1 Power VSX NGX R65 application supports clusters with up to five synchronized members or up to eight non-synchronized members.

Refer to the Check Point release notes for the Check Point VPN-1 Power VSX NGX R65 application for information regarding supported features.

DBHA requires that the IP addresses assigned to the management and synchronization interfaces be contiguous across all cluster members on both X-Series Platforms. Therefore:

When choosing your cluster IP address during cluster creation, make sure you leave enough IP addresses available between the highest numbered management IP address and the cluster IP address to accommodate potential cluster expansion and DBHA deployment.

When configuring the synchronization circuit in XOS, make sure the range of IP addresses specified with the increment-per-vap parameter is large enough to accommodate potential cluster expansion and DBHA deployment.


Do not add or delete more than 20 interfaces at a time for a Virtual System (VS); otherwise, you may experience time-outs and configuration failures. To configure a VS with more than 20 interfaces, add or delete the first 20, click OK, let the configuration succeed, re-open the VS, and then proceed with the next 20 interfaces.
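As an added example that is not part of this guide, the following Python models the XOS increment-per-vap assignment used on the management and synchronization circuits and checks the DBHA spacing rules stated in the constraints above: member addresses contiguous across both X-Series Platforms, and free addresses left between the highest member address and the cluster IP chosen on the Management Station. The function names, the constructed 192.0.2.0/24 addresses, and the assumption that the peer platform's VAPs take the addresses immediately after the local ones are assumptions made here.

```python
"""Plan and check increment-per-vap address ranges for a VSX VAP group.

Added example, not code from the Crossbeam guide. It expands the XOS
'ip <first>/<netmask> increment-per-vap <last>' assignment (VAP 1 gets
<first>, VAP 2 gets <first>+1, and so on) and checks the DBHA spacing
rules the guide states. Assumption: under DBHA the peer platform's VAPs
take the addresses immediately after the local ones, which is what
"contiguous across both platforms" requires.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class RangePlan:
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address
    local_vaps: List[ipaddress.IPv4Address]   # addresses for VAPs on this platform
    peer_vaps: List[ipaddress.IPv4Address]    # addresses the DBHA peer's VAPs take
    spare: int                                # addresses left for cluster expansion
    problems: List[str] = field(default_factory=list)


def plan_increment_per_vap(first_ip, netmask, last_ip, vap_count, dbha=True):
    """Expand 'ip first/netmask increment-per-vap last' and validate the range."""
    first = ipaddress.IPv4Address(first_ip)
    last = ipaddress.IPv4Address(last_ip)
    net = ipaddress.IPv4Network(f"{first_ip}/{netmask}", strict=False)
    problems = []
    if last < first:
        problems.append(f"last address {last} precedes first address {first}")
        return RangePlan(first, last, [], [], 0, problems)
    if last not in net:
        problems.append(f"last address {last} lies outside {net}")
    for addr in (first, last):
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{addr} is the network or broadcast address of {net}")
    # One address per VAP on this platform, then the peer platform's VAPs.
    local = [first + i for i in range(vap_count)]
    peer = [first + vap_count + i for i in range(vap_count)] if dbha else []
    needed = len(local) + len(peer)
    size = int(last) - int(first) + 1
    if size < needed:
        problems.append(f"range holds {size} addresses but {needed} members need one each")
    return RangePlan(first, last, local, peer, max(size - needed, 0), problems)


def check_cluster_ip(plan, netmask, cluster_ip, reserve):
    """Check the cluster IP chosen on the Management Station against a plan.

    'reserve' is the number of free addresses to keep between the highest
    member address and the cluster IP for future members (assumed policy).
    """
    cluster = ipaddress.IPv4Address(cluster_ip)
    net = ipaddress.IPv4Network(f"{plan.first}/{netmask}", strict=False)
    members = plan.local_vaps + plan.peer_vaps
    findings = []
    if cluster not in net:
        findings.append(f"cluster IP {cluster} is not in the management subnet {net}")
    if plan.first <= cluster <= plan.last:
        findings.append(f"cluster IP {cluster} sits inside the increment-per-vap range")
    if members:
        highest = max(members)
        if cluster <= highest:
            findings.append(f"cluster IP {cluster} is not above the highest member {highest}")
        else:
            gap = int(cluster) - int(highest) - 1
            if gap < reserve:
                findings.append(f"only {gap} free addresses between {highest} and "
                                f"{cluster}; {reserve} wanted for expansion")
    return findings


if __name__ == "__main__":
    # Constructed values: a three-VAP group under DBHA, management range .10 to .29.
    mgmt = plan_increment_per_vap("192.0.2.10", "255.255.255.0", "192.0.2.29", 3)
    print([str(a) for a in mgmt.local_vaps], [str(a) for a in mgmt.peer_vaps], mgmt.spare)
    print(mgmt.problems, check_cluster_ip(mgmt, "255.255.255.0", "192.0.2.40", reserve=8))
```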

VSX Application Configuration Considerations

During policy installation, ignore any warnings that state, “Anti-Spoofing not set for Sync interface”.

Anti-Spoofing is not needed on the Sync interface because that interface should be located on a secured network.

Ignore any of the following types of “No buffer” VSX error messages that may appear in log files:

vsx : kernel: fw_send_kmsg: No buffer for tsid=0 vsid=2 error message seen in /var/log/messages
vsx_2 kernel: fw_send_kmsg: No buffer for tsid=0 vsid=2
vsx_2 kernel: fw_send_kmsg: No buffer for tsid=0 vsid=1
vsx_2 cbs_fw_vfp: FireWall-1: Warning - FireWall-1 does not enforce any policy
vsx_2 cbs_fw_vfp:
vsx_1 cbs_fw_vfp: FireWall-1: disabling IP forwarding
vsx_1 kernel: fw_send_kmsg: No buffer for tsid=0 vsid=2
vsx_1 kernel: fw_send_kmsg: No buffer for tsid=0 vsid=1
vsx_1 cbs_fw_vfp: FireWall-1: Warning - FireWall-1 does not enforce any policy
vsx_1 cbs_fw_vfp:

If Static NAT (Automatic or Manual) is defined for an IP address in the Security Policy of a Virtual System, you must configure every Virtual Router connected to that Virtual System to include a route to the NAT-ed IP address. You must do this by adding the following template IP route on the NAT-ing VS and propagating it to the EVR/VR:

destination <NAT-ed_IP_address> , next hop <internal_IP_address_of_the_VS>

Changing the connection limit on a Virtual System from Check Point SmartDashboard will only take effect on the module after a policy is installed on that Virtual System.

Using SNMP to retrieve status information on the VSX gateway is supported only for the Management VS.

To activate Hub-mode for a Virtual System, you must edit the objects_5_0.C file using dbedit and set the allow_VPN_routing_from_SR attribute on that Virtual System to true.

Before changing the VLAN ID of an interface configured in the Virtual System (VS) using SmartDashboard, you must use the XOS CLI to delete all manual configurations associated with that VS circuit. For example, if you bind an ARP entry to a VS circuit, you must manually remove the entry before changing the VLAN ID.

By default, every circuit created by VSX is placed into a different domain, since this configuration is almost always required by the network topology. However, if your network topology does not require each circuit to be placed in a separate domain, you can improve system performance by enabling the VSX configuration option, Disable Overlapping IP Support, and placing every circuit into a single domain.

When configuring authentication for the Check Point VPN-1 Power VSX NGX R65 application using an external authentication server such as RADIUS, there are two modes of operation: shared (all VSs share the same cluster interface — for example, all VSs should share the same management interface) and private (each VS can access an external server using one of its own interfaces). In an X-Series DBHA configuration, you can configure the shared option only when using a local database.


VSX-created circuits do not inherit non-default circuit parameters from a parent (template) circuit. You must manually configure each VSX-created circuit’s non-default parameters to match the parent template circuit.

The names of Virtual Systems and Virtual Routers are case-insensitive. Do not create Virtual Systems or Virtual Routers that have the same names except for the case of some of the letters.

VSX VLAN circuits cannot be associated with the same interface for multiple VSX clusters. To work around this issue, do only ONE of the following:

Create a template VLAN-tagged circuit and then use it as an untagged interface from Check Point Provider-1. Provider-1 will not push any VLAN IDs that allow you to attach the tagged circuit to multiple clusters.

Assign a unique VLAN ID to each Virtual System that runs on multiple VSX clusters.
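The “No buffer” messages listed under VSX Application Configuration Considerations above are a natural target for a log filter. The following Python is added here and is not part of the guide: it suppresses only the exact fw_send_kmsg “No buffer” kernel lines the guide names, counts them per VAP and Virtual System so a flood stays visible, and keeps every other line (including the “does not enforce any policy” warnings) for review. The sample lines are constructed in the shape the guide shows; the function name and the noise threshold are assumptions.

```python
"""Triage the "No buffer" VSX log lines the guide says to ignore.

Added example, not code from the Crossbeam guide. Only lines matching the
exact 'fw_send_kmsg: No buffer for tsid=N vsid=M' kernel message are
suppressed; everything else is returned unchanged for a human to review.
"""
import re
from collections import Counter

# Matches both "vsx_2 kernel: ..." and "vsx : kernel: ..." as shown in the guide.
NO_BUFFER = re.compile(
    r"^(?P<vap>\S+)\s*:?\s+kernel: fw_send_kmsg: No buffer for "
    r"tsid=(?P<tsid>\d+) vsid=(?P<vsid>\d+)\s*$"
)


def triage_vsx_log(lines, noisy_threshold=100):
    """Split log lines into benign "No buffer" counts and lines still to review.

    Returns (counts, noisy, remaining):
      counts    - Counter keyed by (vap, vsid) of suppressed "No buffer" lines
      noisy     - keys whose count reaches noisy_threshold; benign, but a flood
                  is worth a look (threshold is an assumed operator setting)
      remaining - every non-empty line that did not match, unchanged
    """
    counts = Counter()
    remaining = []
    for line in lines:
        m = NO_BUFFER.match(line.strip())
        if m:
            counts[(m.group("vap"), int(m.group("vsid")))] += 1
        elif line.strip():
            remaining.append(line.rstrip())
    noisy = sorted(k for k, n in counts.items() if n >= noisy_threshold)
    return counts, noisy, remaining


# Constructed sample in the shape of the guide's /var/log/messages excerpt.
SAMPLE_LOG = """\
vsx_2 kernel: fw_send_kmsg: No buffer for tsid=0 vsid=2
vsx_2 kernel: fw_send_kmsg: No buffer for tsid=0 vsid=1
vsx_2 cbs_fw_vfp: FireWall-1: Warning - FireWall-1 does not enforce any policy
vsx_2 cbs_fw_vfp:
vsx_1 cbs_fw_vfp: FireWall-1: disabling IP forwarding
vsx_1 kernel: fw_send_kmsg: No buffer for tsid=0 vsid=2
vsx_1 kernel: fw_send_kmsg: No buffer for tsid=0 vsid=1
vsx_1 kernel: fw_send_kmsg: No buffer for tsid=0 vsid=2
"""

if __name__ == "__main__":
    counts, noisy, remaining = triage_vsx_log(SAMPLE_LOG.splitlines())
    for (vap, vsid), n in sorted(counts.items()):
        print(f"suppressed {n} 'No buffer' lines from {vap} vsid={vsid}")
    print("noisy:", noisy)
    print("still to review:")
    for line in remaining:
        print("  " + line)
```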

VSX SmartDashboard Configuration Considerations

Deleting the VSX object from Check Point SmartDashboard removes the VSX object and its related Virtual Systems from the Check Point SmartCenter management only. The Virtual Systems are not deleted from the VSX gateway/cluster.

Check Point SmartConsole’s revision control is not supported.

VSX Cluster Configuration Considerations

Changing a cluster member’s priority on a VSX cluster is not supported.

Changing an interface IP address for a Virtual System only takes effect after a policy is installed on the Virtual System.

Reconfiguring Management IP Addresses for a VSX Cluster in Non-DMI Mode

If you installed the VSX application in non-DMI mode, you must manually reconfigure the IP addresses assigned to the VAP group’s management interface (external interface) on the X-Series Platform to match the management IP addresses assigned to the cluster members on the Check Point Management Station.

To reconfigure management IP addresses for a cluster (VAP group) in non-DMI mode, perform the following steps.

1. On the X-Series Platform, assign a unique IP address to each VAP in the VAP group, in one of the following ways:

Use remote shell (rsh) to log in to each VAP and issue the ifconfig command to assign an IP address to each VAP.

Use the following XOS CLI command to assign unique, consecutive IP addresses to all the VAPs in the VAP group.

CBS# configure circuit <management_circuit_name> vap-group <VAP_group_name> ip <IP_address_of_first_VAP_in_group>/<netmask> increment-per-vap <IP_address_of_last_VAP_in_group>


2. On the Check Point Management Station, use the vsx_util reconfigure command to reconfigure each cluster member (VAP group member), and set the IP address for each cluster member (VAP group member) to match the management IP address you configured for that VAP.

NOTE: In non-DMI mode, once you reconfigure one cluster member, the management or external interface on all the other cluster members will also get that VR IP address. Make sure you use the XOS CLI to assign an IP address to each VAP group member (cluster member) before you run vsx_util reconfigure for that cluster member.

Configuring High Availability State Synchronization

State Synchronization is essential for the VSX application redundancy to operate within the X-Series Platform. Each VAP synchronizes the VSX application connections with other VAPs in the group, so that each VAP can back up any other VAP. Initially, all traffic flows are load-balanced among all VAPs in the group.

NOTE: Each Synchronization circuit must be unique for each VAP group. A single Synchronization circuit cannot be used by different firewall clusters on the same network.

In this section:

Enabling Single-Box High Availability (SBHA) Application Synchronization on page 24

Enabling Dual-Box High Availability (DBHA) Application Synchronization on page 25

Disabling High Availability Application Synchronization on page 27

Enabling Single-Box High Availability (SBHA) Application Synchronization

To enable Check Point VPN-1 Power VSX NGX R65 synchronization in an SBHA configuration, perform the following steps:

1. If the HA/State Sync was not enabled during the application installation, use the XOS CLI to enable Synchronization, as follows:

a. To access the Check Point Configuration menu from the XOS command line, enter the following command:

CBS# application vsx vap-group <VAP_group_name> configure

b. Select Enable Check Point High Availability/State Synchronization.

c. Enter y at the “Do you want to enable High Availability/State Synchronization?” prompt to enable it, and press Enter.

You are returned to the Check Point Configuration menu after the configuration changes are complete.

d. Select Exit to return to the XOS CLI.

2. For a cluster configuration, create an internal circuit for VSX Synchronization, assign a device name to the circuit, and assign the circuit to the VSX VAP group:

CBS# configure circuit <sync_circuit_name>
CBS(conf-cct)# device-name <sync_circuit_device_name>
CBS(conf-cct)# vap-group <VAP_group_name>

NOTE: An internal circuit used for VSX application Synchronization cannot be used for any other application. Also, you cannot use the eth0 or eth1 interface as a Synchronization network.


3. Add an interface of type interface-internal.

CBS# configure interface-internal <interface_name>
CBS(conf-intf-internal)# logical-all <logical_name>
CBS(conf-intf-internal-log)# circuit <sync_circuit_name>

4. Configure the synchronization circuit with the increment-per-vap parameter to use a unique IP address for each VAP in the VSX VAP group:

CBS(conf-cct-vapgrp)# ip <first_IP_address_assigned_to_VAP_group>/<netmask> increment-per-vap <last_IP_address_assigned_to_VAP_group>

NOTE: DBHA requires that the IP addresses assigned to the synchronization interface be contiguous across all cluster members on both X-Series Platforms. You should assign a large enough range of IP addresses to the synchronization circuit to accommodate future expansion of this VAP group and future DBHA deployment.

5. Reboot the VAP group, using the following command:

CBS# reload vap-group <VAP_group_name>

To complete the High Availability State Synchronization configuration, you must perform the following steps on the Check Point Management Station:

1. Create a VSX Gateway Cluster object and include each VAP as a cluster member.

NOTE: DBHA requires that the IP addresses assigned to the management interface be contiguous across all cluster members on both X-Series Platforms. When choosing your cluster IP address, make sure you leave enough IP addresses available between the highest numbered management IP address and the cluster IP address to accommodate potential cluster expansion of this VAP group and DBHA deployment.

2. Set the Secure Internal Communication (SIC).

3. Get the topology.

4. Set the synchronization network.

5. Download policies to the Cluster object.

See the Check Point documentation for configuration information.

Enabling Dual-Box High Availability (DBHA) Application Synchronization

NOTE: DBHA requires that the IP addresses assigned to the management interface be contiguous across all cluster members (VAP group members) on both X-Series Platforms. When choosing your cluster IP address, make sure you leave enough IP addresses available between the highest numbered management IP address and the cluster IP address to accommodate both the current DBHA deployment and potential cluster expansion of the VAP group on both X-Series Platforms.

NOTE: Refer to Prerequisites on page 9 for a list of VAP group and circuit configuration requirements.

To enable VSX application Synchronization in a DBHA configuration, perform the following steps on both X-Series Platforms:

1. Use the XOS CLI to create and configure a VRRP failover group for the VSX application’s VAP group. Then, configure the application’s VAP group to use VRRP, and assign the VAP group to the VRRP failover group.

NOTE: Refer to Configuring VRRP on page 31 for a list of VRRP configuration considerations for the VSX application. Refer to the XOS Configuration Guide for detailed instructions on configuring VRRP on an X-Series Platform.

2. If the HA/State Sync was not enabled during the application installation, use the XOS CLI to enable Synchronization, as follows:


a. To access the Check Point Configuration menu from the XOS CLI, enter the following command:

CBS# application vsx vap-group <VAP_group_name> configure

b. Select Enable Check Point High Availability/State Synchronization, and enter n at the “Are there any changes needed?” prompt.

You are returned to the Check Point Configuration menu after the configuration changes are complete.

c. Select Exit to return to the XOS CLI.

3. For a cluster configuration, create an internal circuit for VSX Synchronization, assign a device name to the circuit, and assign the circuit to the VSX VAP group:

CBS# configure circuit <sync_circuit_name>
CBS(conf-cct)# device-name <sync_circuit_device_name>
CBS(conf-cct)# link-state-resistant
CBS(conf-cct)# vap-group <VAP_group_name>

NOTE: For dual-system communication, you must assign the Synchronization circuit on each system to a physical link between the two systems, and you must configure each Synchronization circuit with the link-state-resistant parameter. You cannot use the eth0 or eth1 interface as a Synchronization network. Only sync traffic should use the Synchronization interface.

4. Configure the synchronization circuit with the increment-per-vap parameter to use a unique IP address for each VAP in the VSX VAP group:

CBS(conf-cct-vapgrp)# ip <first_IP_address_assigned_to_VAP_group>/<netmask> increment-per-vap <last_IP_address_assigned_to_VAP_group>

NOTE: DBHA requires that the IP addresses assigned to the synchronization interface be contiguous across all cluster members (VAP group members) on both X-Series Platforms. Make sure you assign a large enough range of IP addresses to the synchronization circuit to accommodate potential expansion of the VAP group on both X-Series Platforms.

5. Assign the synchronization circuit to a physical interface:

NOTE: The NPM8600/NPM8650 ports 11 and 12 only support 10 Gigabit Ethernet. The NPM8620 does not have 10 Gigabit Ethernet ports.

CBS# configure interface {gigabitethernet | 10gigabitethernet} <NPM_slot_number>/<port_number>
CBS(conf-intf-<iftype>)# logical <logical_name>
CBS(intf-<iftype>-logical)# circuit <sync_circuit_name>
CBS(intf-<iftype>-logical)# end

6. Reboot the VAP group for the installation to take effect.

CBS# reload vap-group <VAP_group_name>

To complete the High Availability State Synchronization configuration, you must perform the following steps on the Check Point Management Station:

1. Create a Gateway Cluster object and include each VAP as a cluster member.

2. Set the Secure Internal Communication (SIC).

3. Get the topology.

4. Set the synchronization network.

5. Download policies to the Cluster object.

See the Check Point documentation for configuration information.

Disabling High Availability Application Synchronization

To disable VSX application Synchronization, perform the following steps:

1. To access the Check Point Configuration menu from the XOS CLI, enter the following command:

CBS# application vsx vap-group <VAP_group_name> configure

2. Select Disable Check Point High Availability/State Synchronization.

3. Enter n at the “Do you want High Availability/State Synchronization to remain enabled?” prompt and press Enter.

4. Enter n at the “Are there any changes needed?” prompt and press Enter.

You are returned to the Check Point Configuration menu after the configuration changes are complete.

5. Select Exit to return to the XOS CLI.

6. Reboot the VAP group for the installation to take effect.

CBS# reload vap-group <VAP_group_name>

To complete the High Availability State Synchronization configuration, you must perform the following steps on the Check Point Management Station:

1. Remove all VAPs from the Gateway Cluster object.

2. Delete the Gateway Cluster object.

3. Download new policies onto each VAP in the VAP group.

See the Check Point documentation for configuration information.

Configuring the VSX Component

Perform the following steps to configure the VSX application using the XOS system as the gateway. Refer to the appropriate Check Point VSX user guide for details on using Check Point Provider-1 and management utilities.

1. Install the application on the desired VAP group by following the instructions in the section Installing the Application on a VAP Group on page 12.

2. Install and configure Check Point Provider-1 on a separate system, as described in the Check Point documentation.

3. Install Provider-1 VSX and other Check Point SMART clients on a PC running Windows.

4. Connect to the Provider-1 machine using the Provider-1 VSX GUI client (also referred to as the Multi Domain GUI, or MDG).

5. Create VSX Gateway/VSX Gateway Clusters.

6. Establish a SIC with VSX Gateway/VSX Gateway Cluster members and download licenses on VSX Gateway/VSX Gateway Cluster members.

IMPORTANT: Once SIC is successfully established with each cluster member, make sure that all the interfaces are defined on all the cluster members.

7. Create the Virtual Routers/Virtual Systems.

NOTE: To push VSX configuration changes onto a cluster whose cluster members are not all UP, uncheck the “install configuration on all members, if fails, do not install at all” option box. When all cluster members are UP and active, you must re-push the VSX configuration to all members; otherwise, you may experience some VSX configuration inconsistencies between Provider-1 and VSX enforcement modules running on the X-Series.

Configuring VPN using VSX NGX R65

This section describes the configuration and operation of the VSX application using the XOS system as the gateway. Check Point supports the following types of VPN:

SecuRemote/SecureClient-to-gateway VPN.

Gateway-to-gateway VPN.

XOS systems support multiple gateways in a single system, providing the following VPN configurations.

VPN with one VAP in the VAP group.

VPN with multiple VAPs in the VAP group.

IMPORTANT: Do not use the XOS CLI to manually change the configuration of logical lines, circuits, and flow-rules used by VSs/VRs that were created from a Provider-1 system. These changes are lost if the VSX configuration is backed up and restored.

Configuring VPN with One VAP in the VAP Group

To configure VPN for one VAP in a VAP group, complete the following:

1. Follow the instructions in Configuring the VSX Component on page 27 to install and configure the FireWall-1 component.

2. In the General Properties pane of the VSX Gateway/VSX Gateway Clusters window, check the FireWall-1 and VPN-1 Pro modules.

3. While defining Virtual Systems, you must also define the VPN domain. If this gateway is to be used for a SecuRemote-to-gateway VPN, check the exportable for SecuRemote option when configuring Virtual Systems.

4. Click the VPN tab and select IKE as the encryption scheme. Edit the IKE properties to set the data integrity and key exchange methods.

NOTE: If using the shared-secret method of authentication, you must set a shared secret for a peer gateway.

5. Click the Authentication tab and define the supported methods of authentication.

6. Define all users and their respective properties.

7. Define the rule base. For a gateway-to-gateway VPN, add rules to encrypt the traffic going from the encryption domain of one gateway to the encryption domain of the other gateway. Similarly, for a SecuRemote-to-gateway VPN, add a user access rule to client-encrypt any traffic coming from the SecuRemote user. Refer to the Check Point documentation for a detailed explanation of these rules.

8. Download the policy to the specified Virtual System.

Configuring VPN with Multiple VAPs in the VAP Group

When you install the application on a VAP group with multiple VAPs, the encryption domain becomes guarded by multiple gateways. Since all VAPs in a VAP group are connected to the encryption domain through the same interfaces, the encryption domain is fully overlapping. When using VPN on multiple VAPs within a VAP group, the following requirements apply:

Check Point requires that with a fully overlapping encryption domain, the encryption domain must be defined as the group that contains the internal (secure) corporate network and all the gateways that protect it.

To achieve this, using Multi Domain GUI, create a group object that contains all the Virtual Systems for a customer on all the gateways (VAPs) plus the corporate network. Then, use this group as the encryption domain for a customer on all these gateway objects (VAPs).

If you plan to use IP pool NAT, you must create IP flow rules that cover IP pool NAT.

Because the VSX application cannot perform VPN load balancing, to successfully pass VPN traffic, you must configure IP flow rules with the action pass-to-master parameter for all VPN and local traffic that is initiated from the VSX cluster side. For example:

CBS# configure vap-group vsx
CBS(config-vap-grp)# vap-count 2
CBS(config-vap-grp)# ap-list ap1 ap2 ap3 ap4 ap5 ap6 ap7 ap8 ap9 ap10
CBS(config-vap-grp)# load-balance-vap-list 3 4 5 6 7 8 9 10 2 1
CBS(config-vap-grp)# ip-flow-rule vsx_default_vsx
CBS(ip-flow-rule)# action load-balance
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)# exit

CBS(config-vap-grp)# ip-flow-rule ipsec
CBS(ip-flow-rule)# action pass-to-master
CBS(ip-flow-rule)# priority 26
CBS(ip-flow-rule)# protocol 50
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)# exit

CBS(config-vap-grp)# ip-flow-rule ike
CBS(ip-flow-rule)# action pass-to-master
CBS(ip-flow-rule)# priority 26
CBS(ip-flow-rule)# destination-port 500 500
CBS(ip-flow-rule)# protocol 17
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)# exit

CBS(config-vap-grp)# ip-flow-rule remote_vpn
CBS(ip-flow-rule)# action pass-to-master
CBS(ip-flow-rule)# priority 25
CBS(ip-flow-rule)# destination-addr x.x.x.x

IMPORTANT: Create an IP flow rule for each subnet that is part of the VPN encryption domain.

Configuring Multiple Entry Point VPNs

To configure Multiple Entry Point (MEP) VPNs, complete the following on the Check Point Provider-1 system:

1. Run the dbedit utility to modify the vpn_peer_ls attribute from false to true, as follows. The attribute is located in the objects.c file. You will need your username and password. Also, make sure that no GUI client is running when you perform this procedure.

root# mdsenv <CMA_name>

Where <CMA_name> is the name of the CMA that holds the Virtual Systems for the customer.

root# mcd conf
root# dbedit

When prompted, enter your username and password. Then enter the following dbedit commands.

dbedit> modify properties firewall_properties vpn_peer_ls true
dbedit> quit

2. To avoid asymmetric routing, configure IP pool NAT. Refer to the appropriate Check Point VSX user guide for information about clustering solutions for VPN Connections.

3. Enable MEP Load Sharing using the Policy > Global properties > Desktop security > VPN menu command.

4. On SecuRemote, create the site using one of the customer VS’s main IP addresses. SecuRemote establishes a VPN tunnel by randomly choosing a gateway. Similarly, other SecuRemote clients will choose different VAPs as gateways, thereby achieving load-balancing.

Configuring Single Entry Point (SEP) VPNs

The Check Point ClusterXL solution is not supported or needed on the XOS system, since XOS has built-in high availability. However, to configure SEP VPNs from within the Check Point CMA, you must configure a VSX Gateway Cluster that contains the following elements:

All VAPs in the XOS VAP group.

Desired VPN configuration, including the VPN domain and a Synchronization network.

Check Point High Availability/State Synchronization was enabled during the application’s installation on the VAP group.

For single-box, high-availability (SBHA) scenarios, one of the following can be used for Synchronization traffic:

Control network that connects the CPM, NPM, and APMs through the backplane of the XOS system

User-defined internal circuit network

External network

On the Check Point CMA for the customer’s Virtual Systems, perform the following steps:

1. Create a new VSX Gateway Cluster object.

2. In the General Properties tab, check FireWall-1, and check VPN-1 Pro.

3. Add each VAP as a new member of the VSX Gateway Cluster.

4. Specify each VAP’s management IP address as its cluster member IP address.

5. Establish a SIC with each cluster member.

6. Define the topology for each cluster member.

7. Define the Synchronization network.

8. In the Synchronization tab, check State Synchronization and select one of the following networks to use for Synchronization traffic:

X-Series Platform’s internal circuit network for Synchronization traffic

User-defined internal circuit network

External network

9. Download a license and a policy for each cluster member (VAP group member).

10. Create Virtual Routers, as needed.

11. When configuring each Virtual System, define its VPN domain and make it exportable for SecuRemote, if required.

12. In the VPN tab, check IKE and set the appropriate authentication and encryption parameters.

13. Define the appropriate users, user groups, and encryption rules. Then, download the policy to the Virtual Systems assigned to that customer.

NOTE: The VPN clients, or peer gateways, use the external Cluster IP address to set up VPN tunnels to the cluster.

Configuring VRRP

The VSX application can be included in a high-availability configuration using VRRP, as described in the XOS Configuration Guide. When configuring VSX in a VRRP configuration, be aware of the following:

Configure VRRP templates for Virtual Routers before configuring the VSX application. This allows you to add Virtual Routers to the configuration automatically via Provider-1 or SmartCenter. Otherwise, any VSX circuits you create must be added manually to the VRRP configuration.

VSX automatically selects the next unused VRRP ID when creating a Virtual Router. This can cause a VRRP ID mismatch between counterpart Virtual Routers, which are in the same VRRP failover group, but are configured on different X-Series Platforms. If you are using VRRP MAC addresses for these Virtual Routers, some network devices may temporarily fail to respond after a failover occurs.

To avoid these problems, make sure you configure matching VRRP IDs for counterpart Virtual Routers that are created on different X-Series Platforms and are assigned to the same failover group.

You should not use 255 as the VRRP priority for the failover group that contains the VAP group on which the VSX application is installed. If the failover group’s priority is set to 255, the application may start to fail over to the backup system, but then fail back to the master system before the backup system completes its initialization. This will cause a service outage.

You should enable the backup-stay-up parameter for each Virtual Router in the VRRP failover group. This practice ensures that all VRRP interfaces remain UP at all times, even when the failover group is in backup mode.

NOTE: All of the VRRP failover group and Virtual Router parameters described above are configured with the configure vrrp failover-group command.

Configuring VSX Dynamic Routing

Before configuring dynamic routing on an X-Series Platform, you must configure appropriate pass-to-master IP flow rules and then enable dynamic routing for each VS or VR on each VAP in the VAP group.

NOTE: RIP version 1 is not supported.

Creating and Configuring IP Flow Rules

To use VSX dynamic routing, the NPM must forward all routing protocol traffic to the master VAP, which runs the active gated daemon. To achieve this, you must add a pass-to-master IP flow rule for each routing protocol that you plan to configure. For OSPF, the application automatically adds a pass-to-master IP flow rule.

You must create flow rules for PIM-SM, IGMP, BGP, RIP, and multicast traffic. The following commands configure an IP flow rule to re-direct IGMP traffic to a master VAP within a specified VAP group:

CBS# configure vap-group <VAP_group_name>
CBS(config-vap-grp)# ip-flow-rule <ip-flow-rule-name1>
CBS(ip-flow-rule)# action pass-to-master
CBS(ip-flow-rule)# priority 11
CBS(ip-flow-rule)# protocol 2 2
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)# end

The following commands configure an IP flow rule to re-direct PIM-SM traffic to a master VAP:

CBS# configure vap-group <VAP_group_name>
CBS(config-vap-grp)# ip-flow-rule <ip-flow-rule-name2>
CBS(ip-flow-rule)# action pass-to-master
CBS(ip-flow-rule)# priority 11
CBS(ip-flow-rule)# protocol 103 103
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)# end

The following commands configure an IP flow rule to re-direct BGP traffic to a master VAP. Crossbeam recommends that you use a priority of 30.

CBS# configure vap-group <VAP_group_name>
CBS(config-vap-grp)# ip-flow-rule <ip-flow-rule-name3>
CBS(ip-flow-rule)# action pass-to-master
CBS(ip-flow-rule)# priority 30
CBS(ip-flow-rule)# destination-port 179 179
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)# end

The following commands configure an IP flow rule to re-direct RIP traffic to a master VAP:

CBS# configure vap-group <VAP_group_name>
CBS(config-vap-grp)# ip-flow-rule <ip-flow-rule-name4>
CBS(ip-flow-rule)# action pass-to-master
CBS(ip-flow-rule)# priority 30
CBS(ip-flow-rule)# destination-port 520 520
CBS(ip-flow-rule)# protocol 17 17
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)# end

The following commands configure an IP flow rule to re-direct multicast traffic to a master VAP:

CBS# configure vap-group <VAP_group_name>
CBS(config-vap-grp)# ip-flow-rule <ip-flow-rule-name5>
CBS(ip-flow-rule)# action pass-to-master
CBS(ip-flow-rule)# priority 12
CBS(ip-flow-rule)# destination-addr 224.0.0.0 239.255.255.255
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)# end

Enabling Dynamic Routing

Dynamic routing must be enabled for each VS or VR participating in dynamic routing before configuring the routing protocol. The simplest way to enable dynamic routing on all VAPs for a particular VS or VR is to use the cbs_rsh tool on the CPM.

IMPORTANT: The following Check Point Hotfix Accumulators (HFAs), obtained from Check Point, must be installed on each VAP to successfully run dynamic routing:

fw1_HOTFIX_ECUADOR2_NO_UF_HF_BASE_064.tgz

Mustang-IL_5964_8828_dr_splat_610018001_1.tgz

IMPORTANT: State Synchronization must be enabled on the cluster for routing table synchronization.

1. From the root prompt on the CPM, run the following command:

[root@x80 admin]# /usr/os/bin/cbs_rsh <VAP_group_name> vg >> /opt/CPadvr-V40/bin/drouter enable <VS_ID>

where <VAP_group_name> is the name of the VAP group on which VSX is installed, and <VS_ID> is the ID number of the VS or VR that you want to configure.

2. Repeat step 1 for each VS or VR that will have dynamic routing.

3. From the CLI, run the following command:

CBS# application vsx vap-group <VAP_group_name> configure

4. Choose the Configure Dynamic Routing option.

5. At the prompt, enter privileged mode:

Please connect to a vrf context
(disconnected)> enable

6. Connect to a VS or VR and enter Configuration Mode to configure dynamic routing on that VS/VR. The following example connects to the VR with ID 1.

(disconnected)# vrf-connect 1
localhost-VRF-1# configure terminal

7. Configure routing as appropriate. Refer to the Check Point routing documentation for details.

8. Repeat steps 6 and 7 for each VS or VR that you want to configure.

9. Exit configuration mode and save the configuration.

localhost-VRF-1(config)# exit
localhost-VRF-1# write memory

10. Quit dynamic routing configuration.

localhost-VRF-1# quit

Configuring RSA SecurID Authentication for the VSX Application

This section describes two procedures that you can use to configure RSA SecurID authentication for the VSX application:

Configuring SecurID Authentication Using the Default RSA ACE/Server Configuration on page 34

Configuring SecurID Authentication Using the RSA ACE/Server as a RADIUS Server on page 35

NOTE: This section assumes that you have already installed and configured the VSX application on a VAP group and that you are familiar with the RSA ACE/Server and VSX applications.

Configuring SecurID Authentication Using the Default RSA ACE/Server Configuration

To install and configure the RSA ACE/Server on a PC located on the trusted side of the VSX application, perform the following steps.

1. Create a host object with the name and IP address of the RSA ACE/Server.

2. Create a rule to allow communication between the SecurID server and the Virtual System that you will be using for ACE authentication.

3. Define a user.

4. In the Authentication tab, set the new user’s Authentication type to SecurID.

On the RSA ACE/Server:

5. Create a new user with a login name matching the username configured on the VSX application Customer Management Add-on (CMA) for the customer’s Virtual System. Attach a token to the new user, synchronizing the token with the RSA SecurID Card. You may also assign a PIN to this user.

6. Create the agent entry for the user’s Virtual System with its name and IP address. The IP address that you use is the IP address of the user’s Virtual System that sends SecurID requests to the server. All other IP addresses of the user’s Virtual System should be added as Secondary nodes.

7. The agent type can be a Unix Agent. Check Open to all locally known users and assign an encryption key to the agent. Assign the agent to an acting server, and generate a configuration file (sdconf.rec). (Later, you will copy this file onto each VAP in the VAP group.)

On each VAP in the VAP group:

8. Create a directory called /var/ace and copy the file sdconf.rec (created above) into this directory.

9. Create a file under /var/ace called sdopts.rec and in the file add the entry:

CLIENT_IP= <IP_address_of_Virtual_System>

This entry ensures that the Virtual System will use only the specified IP address to communicate with the SecurID server.

On SecuRemote/SecureClient:

10. Create a Site using the Main IP address of the customer’s Virtual System.

11. When prompted for the username and password, enter the username as described above. This password should be the RSA SecurID PASSCODE, which comprises 4 to 8 digits of the PIN that you selected, and the 6-digit code that appears on the SecurID Card.

Configuring SecurID Authentication Using the RSA ACE/Server as a RADIUS Server

To install and configure the RSA ACE/Server on a PC located on the trusted side of the VSX application, perform the following steps.

Within Check Point SmartDashboard:

1. Create a host object with the name and IP address of the RSA ACE/Server.

2. Create and configure the RADIUS server object:

a. Designate the host object that you created in Step 1 as the host for the RADIUS server.

b. Assign a secret key to the host object. (Assign the same key that you plan to configure on the RSA ACE/Server.)

c. For the service-type, you can select RADIUS or NEW-RADIUS. However, you must match the service-type to the type (UDP port number) that you plan to configure on the RSA ACE/Server.

NOTE: RADIUS uses UDP port 1645, while NEW-RADIUS uses UDP port 1812.

3. Define a user.

4. In the Authentication tab, set the new user’s Authentication type to RADIUS and select the RADIUS server that you created in step 2 of this procedure. Set the other user parameters (such as IKE), as required.

On the RSA ACE/Server:

5. Create a new user with a login name matching the username that you configured on the VSX application Customer Management Add-on (CMA) for the customer’s Virtual System. Attach a token to the new user, synchronizing the token with the RSA SecurID Card. You may also assign a PIN to this user.

6. Create the agent entry for the user’s Virtual System with its name and IP address. The IP address that you use is the IP address of the user’s Virtual System that sends the RADIUS requests to the server. All other IP addresses of the user’s Virtual System should be added as Secondary nodes.

7. The agent type can be a Unix Agent. Check Open to all locally known users and assign an encryption key to the agent. Assign the agent to an acting server, and generate a configuration file (sdconf.rec). (Later, you will copy this file onto each VAP in the VAP group.)

8. Check Open to all locally known users and assign an encryption key to the agent. This key (shared secret) is the same as the secret key that you configured for the RADIUS server on the Check Point Management Station. Assign the agent to an acting server, and generate a configuration file (sdconf.rec). (Later, you will copy this file onto each VAP in the VAP group.)

9. Open the RSA ACE/Server Configuration Management application, click the Edit button, and enable the RADIUS server. By default, the server appears under services, with port number 1645. If you want to use port 1812, change the port number now. For proper operation, you may also have to change the port number in the winnt\system32\drivers\etc\services file.

10. Make sure that RADIUS services have started. To do this:

a. Within Windows 2000, right-click on My Computer and select the path Manage > Services and Applications > Services.

b. Locate and start RSA ACE/Server RADIUS.

c. If you have recently changed the UDP port number for the RADIUS server, Crossbeam and Check Point recommend that you restart the RSA ACE/Server and its RADIUS daemon.

On each VAP in the VAP group:

11. Create a directory called /var/ace and copy the file sdconf.rec (created above) into this directory.

On SecuRemote/SecureClient:

12. Create a Site using the Main IP address of the customer’s Virtual System.

13. When prompted for the username and password, enter the username as described above. This password should be the RSA SecurID PASSCODE, which consists of 4 to 8 digits of the PIN that you selected, and the 6-digit code that appears on the SecurID Card.

XOS Running Configuration File Examples for Basic VSX Configurations

This section provides examples of XOS running configuration files that illustrate basic VSX configurations with and without VLANs. This section also provides an example of an XOS running configuration file that illustrates a VSX configuration that uses VRRP.

IMPORTANT: These examples show the running configuration files that result from a combination of the initial VAP group, circuit, and interface configuration procedures that the user performs and the automatic configuration procedures that VSX performs, such as IP addressing for specific circuits and VLANs. Do NOT try to use the XOS CLI to manually recreate these examples in their entirety.

Basic VSX Configuration Without VLANs

The following is an example of an XOS running configuration file for a VSX configuration that does not use VLANs.

NOTE: This example does not describe how to configure VSX using the Check Point management utilities.

vap-group fw
  vap-count 2
  max-load-count 2
  ap-list ap1 ap2 ap3 ap4 ap5 ap6 ap7 ap8 ap9 ap10
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule vsx_default_fw
    action load-balance
    activate
circuit mgmt
  device-name mgmt
  vap-group fw
    ip 192.168.200.10 255.255.255.0 192.168.200.255 increment-per-vap 192.168.200.11
circuit cust
  device-name cust
  vap-group fw
    ip 100.100.100.100 255.255.255.0 100.100.100.255
circuit evr
  device-name evr
  vap-group fw
    ip 200.200.200.200 255.255.255.0 200.200.200.255
circuit sync
  device-name sync
  vap-group fw
    ip 4.4.4.4 255.255.255.0 4.4.4.255 increment-per-vap 4.4.4.5
#
interface gigabitethernet 1/1
  logical mgmt
    circuit mgmt
interface gigabitethernet 1/2
  logical cust
    circuit cust
interface gigabitethernet 1/3
  logical evr
    circuit evr
interface-internal sync
  logical-all sync
    circuit sync
ip route 0.0.0.0 0.0.0.0 192.168.1.1 circuit mgmt

Basic VSX Configuration with VLANs

The following is an example of an XOS running configuration file for a VSX configuration that uses VLANs.

NOTE: This example does not describe how to configure VSX using the Check Point management utilities.

vap-group fw
  vap-count 2
  max-load-count 2
  ap-list ap1 ap2 ap3 ap4 ap5 ap6 ap7 ap8 ap9 ap10
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule vsx_default_fw
    action load-balance
    activate
circuit mgmt
  device-name mgmt
  vap-group fw
    ip 192.168.200.50 255.255.255.0 192.168.200.255 increment-per-vap 192.168.200.51
circuit cust
  device-name cust
  vap-group fw
circuit evr
  device-name evr
  vap-group fw
circuit sync
  device-name sync
  vap-group fw
    ip 4.4.4.4 255.255.255.0 4.4.4.255 increment-per-vap 4.4.4.5
circuit vsx_ckt_fw_1_2_100 domain 3
  device-name cust.100
  vap-group fw
    default-egress-vlan-tag 100
    ip 100.100.100.100 255.255.255.0 100.100.100.255
circuit vsx_ckt_fw_1_3_200 domain 2
  device-name evr.200
  vap-group fw
    default-egress-vlan-tag 200
    ip 200.200.200.200 255.255.255.0 200.200.200.255
interface gigabitethernet 1/1
  logical mgmt
    circuit mgmt
interface gigabitethernet 1/2
  logical cust
    circuit cust
  logical vsx_log_fw_1_2_100 ingress-vlan-tag 100 100
    circuit vsx_ckt_fw_1_2_100
interface gigabitethernet 1/3
  logical evr
    circuit evr
  logical vsx_log_fw_1_3_200 ingress-vlan-tag 200 200
    circuit vsx_ckt_fw_1_3_200
interface-internal sync
  logical-all sync
    circuit sync
ip route 0.0.0.0 0.0.0.0 192.168.200.1 circuit mgmt

VSX Configuration Using VRRP

This example shows an XOS running configuration file for one of two X-Series Platforms configured to run VSX in a dual-box, high-availability configuration, using VRRP. This configuration would need to be repeated on another X-Series in the VRRP configuration.

vap-group fw
  vap-count 2
  max-load-count 2
  ap-list ap1 ap2 ap3 ap4 ap5 ap6 ap7 ap8 ap9 ap10
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule vsx_default_fw
    action load-balance
    activate
circuit sync
  link-state-resistant
  device-name sync
  vap-group fw
    ip 7.7.7.4 255.255.255.0 7.7.7.255 increment-per-vap 7.7.7.6
circuit mgmt
  device-name mgmt
  vap-group fw
    ip 192.168.200.180 255.255.255.0 192.168.200.255 increment-per-vap 192.168.200.182
circuit evr
  device-name evr
  vap-group fw
circuit cust
  device-name cust
  vap-group fw
circuit vsx_ckt_fw_2_3_100 domain 3002
  device-name cust.100
  vap-group fw
    default-egress-vlan-tag 100
vrrp failover-group vrrp_vsx failover-group-id 200
  preemption
  priority 200
  virtual-router vrrp-id 10 circuit evr
    mac-usage vrrp-mac
    vap-group fw
      ip 200.200.200.200 255.255.255.0 200.200.200.255
  virtual-router vrrp-id 20 circuit cust
    mac-usage vrrp-mac
    vap-group fw
  virtual-router vrrp-id 153 circuit vsx_ckt_fw_2_3_100
    mac-usage vrrp-mac
    backup-stay-up
    vap-group fw
      ip 100.100.100.100 255.255.255.0 100.100.100.255
vrrp vap-group fw
  failover-group-list vrrp_vsx
  hold-down-timer 50
  priority-delta 50
interface fastethernet 1/1
  logical mgmt
    circuit mgmt
interface gigabitethernet 2/1
  logical sync
    circuit sync
interface gigabitethernet 2/2
  logical evr
    circuit evr
interface gigabitethernet 2/3
  logical cust
    circuit cust
  logical vsx_log_fw_2_3_100 ingress-vlan-tag 100 100
    circuit vsx_ckt_fw_2_3_100
ip route 0.0.0.0 0.0.0.0 192.168.200.1 vap-group fw circuit mgmt


3  Managing and Monitoring the Application

This chapter describes the methods that you can use to manage and monitor Check Point VPN-1 Power VSX NGX R65 when it is installed on a Crossbeam X-Series Platform. This chapter also describes the procedures that you can use to back up and restore the VAP group on which Check Point VPN-1 Power VSX NGX R65 is installed on an X-Series Platform.

For more detailed information on using the XOS CLI to manage applications, refer to the XOS Configuration Guide. For more detailed information on using the Check Point Configuration menu to manage the application, refer to the Check Point documentation.

This chapter contains the following sections:

Managing the Application on page 41

Monitoring the Application on page 44

Managing the Application

This section contains the following information:

XOS Command Line Interface (CLI) on page 41

Adding and Removing Cluster/VAP Group Members on page 42

XOS Command Line Interface (CLI)

This section describes the basic XOS CLI application commands.

IMPORTANT: With the exception of the show application command, the commands described in this section only work if the following conditions are met:

The primary CPM, the NPM(s), and the application's VAP group members are UP.

The management circuit is configured, and the physical link to the management interface is UP.

Use the following commands at the XOS CLI prompt to perform basic application management. For more information on using the XOS CLI to manage applications, see the XOS Command Reference Guide and the XOS Configuration Guide.

Start Check Point VPN-1 Power VSX NGX R65:

CBS# application vsx vap-group <VAP_group_name> start

Configure an application using the Check Point Configuration menu:

CBS# application vsx vap-group <VAP_group_name> configure


Stop Check Point VPN-1 Power VSX NGX R65 on a VAP group:

CBS# application vsx vap-group <VAP_group_name> stop

Restart Check Point VPN-1 Power VSX NGX R65 on a VAP group:

CBS# application vsx vap-group <VAP_group_name> restart

Update the VAP group to install Check Point VPN-1 Power VSX NGX R65 on any new VAPs that you added to the group after the initial configuration:

CBS# application-update vap-group <VAP_group_name>

Display Check Point VPN-1 Power VSX NGX R65 status on all VAP groups or on a specified VAP group:

CBS# show application vap-group <VAP_group_name>

Uninstall Check Point VPN-1 Power VSX NGX R65:

CBS# application vsx vap-group <VAP_group_name> uninstall

IMPORTANT: Before uninstalling VSX or deleting an individual Virtual System (VS), remove any VS circuit configurations completed after the VSX application installation. For example, if you bind a static ARP entry in the CLI to a VS circuit, you must manually delete the ARP entry before uninstalling VSX or deleting that VS.

The XOS health system polls application processes on each VAP in the VAP group every five seconds. If the application is not running on a VAP, the health system notifies the NPM to stop new flows to this VAP. You can verify this behavior using the show flow distribution command. The X-Series Platform performs this process dynamically without modifying the VAP group's load balance list. However, application monitoring cannot detect process hangs. If the process is not functioning but is still running, the XOS health system will continue to report the application as running.

Use rsh to log in to each individual APM and then use the cbs_fw_vfp script to stop the VSX application on each APM.

To stop an application on a VAP (instead of a VAP group):

/etc/rc.d/init.d/cbs_fw_vfp stop

To start the application on a VAP (instead of a VAP group):

/etc/rc.d/init.d/cbs_fw_vfp start

Adding and Removing Cluster/VAP Group Members

This section describes how to perform the following tasks:

Adding a Member to a Cluster/VAP Group on page 42

Removing a Member from a Cluster/VAP Group on page 44

Adding a Member to a Cluster/VAP Group

Perform the following steps to add a VAP to the VSX application’s VAP group and then add that VAP as amember of the VSX cluster:

1. If necessary, increase the increment-per-vap range on the VSX management and Synchronization circuits for the new cluster member (VAP group member). You may not need to do this if there are unused IP addresses in the current increment-per-vap range.

CBS# configure circuit <management_circuit_name> vap-group <VAP_group_name>
CBS(conf-cct-vapgroup)# ip <ip_address_of_first_VAP_in_group> / <netmask> <broadcast_address> increment-per-vap <ip_address_of_last_vap_in_group>
CBS(conf-cct-vapgroup-ip)# end

CBS# configure circuit <sync_circuit_name>
CBS(conf-cct)# vap-group <VAP_group_name>
CBS(conf-cct-vapgroup)# ip <ip_address_of_first_VAP_in_group> / <netmask> <broadcast_address> increment-per-vap <ip_address_of_last_vap_in_group>
CBS(conf-cct-vapgroup-ip)# end

2. Increment the VSX NGX R65 VAP group’s VAP count and max load count:

CBS# configure vap-group <VAP_group_name>
CBS(config-vap-grp)# vap-count <new_VAP_count>
CBS(config-vap-grp)# max-load-count <number_of_APMs_in_group>

3. Reconfigure the APM list for the VAP group to add the new APM to the group:

CBS(config-vap-grp)# ap-list <apm_module_name1> [ <apm_module_name2> ] [ <apm_module_name3> ] ...

where <apm_module_name> is the name that the XOS has assigned to the APM. Use the show chassis command to determine the assigned names of the APMs in your chassis.

4. You must configure the load-balance VAP list for the VAP group so that the new VAP does not receive any flows. The new APM will have the highest index number in the VAP group. Leave this index number off the load-balance VAP list.

CBS(config-vap-grp)# load-balance-vap-list <index1> <index2> [ <index3> ] ...
CBS(config-vap-grp)# end

5. Install VSX on the new VAP by entering the CLI command:

CBS# application-update vap-group <VAP_group_name>

6. Enter the management IP address and license information for the new cluster member (VAP group member).

7. Reboot the new VAP after the installation is complete.

CBS# reload vap-group <VAP_group_name> <VAP_group_member_index_number>

8. After the reboot is complete, access the Check Point Management Station (Provider-1 or SmartCenter) to add the new VAP member, and enter the following command:

vsx_util add_member

9. Follow the instructions for adding a new cluster member.

10. Reconfigure the new cluster member:

vsx_util reconfigure

NOTE: While running this command, you may see a timeout error if the system has VPN configured. If this happens, run the vsx_util reconfigure command again.

11. Use the Check Point Management Station to configure the application on the new VAP.

a. Create a Gateway Cluster object, and include the new VAP as a cluster member.

b. Set the Secure Internal Communication (SIC).

c. Get the topology.

d. Set the Synchronization network.

e. Download policies to the Cluster object.

12. Add the new VAP back into the load balance VAP list:

CBS# configure vap-group <VAP_group_name>
CBS(config-vap-grp)# load-balance-vap-list <index1> <index2> [ <index3> ] ...
CBS(config-vap-grp)# end
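Steps 1, 2 and 4 of this procedure have to agree with each other: every circuit's increment-per-vap range must hold at least vap-count addresses, and the new (highest) index must be absent from the load-balance VAP list until step 12. The following added example (written for this page, not Crossbeam code) parses those statements out of an XOS running configuration in the form shown in the examples above and reports any inconsistency; the configuration text is constructed for the example and assumes the indentation style of the guide's listings.

```python
import ipaddress
import re
# Constructed sample modelled on the guide's examples (not a real device dump):
# vap-count was raised to 3 for a new member and index 3 left off the load-balance
# list (steps 2 and 4), but the mgmt increment-per-vap range (step 1) still covers two addresses.
SAMPLE_CONFIG = """\
vap-group fw
  vap-count 3
  load-balance-vap-list 1 2
circuit mgmt
  vap-group fw
    ip 192.168.200.50 255.255.255.0 192.168.200.255 increment-per-vap 192.168.200.51
circuit sync
  vap-group fw
    ip 4.4.4.4 255.255.255.0 4.4.4.255 increment-per-vap 4.4.4.6
"""
IP_RE = re.compile(r"^\s+ip (\S+) (\S+) (\S+) increment-per-vap (\S+)$")

def parse_config(cfg):
    """Return (vap_count, load_balance_list, {circuit: (first, mask, bcast, last)})."""
    vap_count, lb_list, circuits, circuit = None, [], {}, None
    for line in cfg.splitlines():
        words = line.split()
        if not words:
            continue
        if not line[0].isspace():  # unindented statement: track circuit blocks only
            circuit = words[1] if words[0] == "circuit" else None
        elif words[0] == "vap-count":
            vap_count = int(words[1])
        elif words[0] == "load-balance-vap-list":
            lb_list = [int(i) for i in words[1:]]
        elif circuit and IP_RE.match(line):
            circuits[circuit] = IP_RE.match(line).groups()
    return vap_count, lb_list, circuits

def check_config(cfg):
    """Return findings as strings; an empty list means the VAP group is consistent."""
    vap_count, lb_list, circuits = parse_config(cfg)
    findings = []
    for name, (first, mask, bcast, last) in circuits.items():
        net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
        span = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
        if str(net.broadcast_address) != bcast:  # mask and broadcast must agree
            findings.append(f"{name}: broadcast {bcast} does not match {net}")
        if span < vap_count:  # every VAP in the group needs its own address
            findings.append(f"{name}: increment-per-vap range covers {span} addresses, vap-count is {vap_count}")
    idle = sorted(set(range(1, vap_count + 1)) - set(lb_list))
    if idle:  # expected only while a new member is being installed (steps 4 to 12)
        findings.append(f"VAP index(es) {idle} receive no flows (not in load-balance-vap-list)")
    return findings
```

Run check_config on the output of show running-config (copied to a file) before step 5 and again after step 12; the second run should return no findings.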


Removing a Member from a Cluster/VAP Group

Perform the following steps to remove a cluster member from a VSX cluster and then remove that VAP from the VSX application's VAP group.

NOTE: You can only remove the VSX cluster member with the highest VAP index number.

1. On the Check Point Provider-1 Management Station, run the appropriate command and follow the instructions.

2. From Check Point Management Station (Provider-1 or SmartCenter), enter the following command:

vsx_util remove_member

3. From the XOS CLI, use the following command to decrement the VSX VAP group’s VAP count.

CBS# configure vap-group <VAP_group_name> vap-count <new_VAP_count>

Monitoring the Application

The following section describes the tools that you can use to monitor Check Point VPN-1 Power VSX NGX R65 once it is installed on an X-Series Platform.

XOS Application Monitoring

Application monitoring is enabled by default when you create a VAP group. You can choose to disable a VAP group's application monitoring by using the no application-monitor command. See Disabling a VAP Group's Application Monitoring on page 46 for configuration information.

In this section:

Displaying Application Information on page 44

Displaying VAP Group Application Information on page 44

Disabling a VAP Group's Application Monitoring on page 46

Enabling a VAP Group for Application Monitoring on page 46

Displaying Application Information

The following command displays available applications loaded on the CPM:

CBS# show application

The following example shows that Check Point VPN-1 Power VSX NGX R65 is available for installation on any VAP group.

CBS# show application
App ID  : vsx
Version : NGX_R65

Displaying VAP Group Application Information

The following command displays information about the application installed on the VAP groups configured on the X-Series Platform:

CBS# show application vap-group [ <VAP_group_name> ]

The following example shows the state of the application on VAP group fwvxs. See Table 4 on page 3-45 for descriptions of the information provided.

CBS# show application vap-group fwvxs
VAP Group          : fwvxs
App ID             : VSX
Name               : N/A
Version            : NGX_R65
Release            : N/A
Start on Boot      : yes
App Monitor        : on
App State(fwvxs_1) : Up
App State(fwvxs_2) : Up

Table 4. VAP Group Application Information

Column/Row Heading    Information Provided

VAP Group    Name of the VAP group on which the application is installed.

App ID    Application identifier that Crossbeam has assigned to the application.

Version    Application version.

Start on Boot    Indicates whether the application automatically starts running when you boot up the VAP group:
    on — Application automatically starts up when you boot up the VAP group.
    off — You must manually start up the application each time you boot up the VAP group.

App Monitor    Indicates whether application monitoring is enabled (on) or disabled (off) on the VAP group on which the application is installed. By default, application monitoring is enabled (on).
    If application monitoring is enabled (on), and the application is not running on a VAP, the health system notifies the NPM to stop new flows to the VAP. The NPM performs this process dynamically without modifying the VAP group's load balance list.

App State    Indicates the current state of the application on the VAP with the VAP index number n. The show application vap-group command displays the current state of the application on each VAP on which an application is installed.
    Possible application states are:
    Up — Application is running on the VAP.
    Down — Application is not running on the VAP, but the APM on which the VAP is loaded is functional.
    NOTE: The App State field will display "Up" for the VAP group members if you have created a cluster on the Check Point Management Station, or if you have disabled High Availability. If you have enabled High Availability but have not yet configured a cluster, the App State field will indicate that the VAP group members are Down.
    Initializing — The application is initializing.
    Not Monitored — Application monitoring is disabled on the VAP group on which the application is installed. Therefore, XOS is unable to determine the current state of the application on any VAP.

You can use the CLI show flow distribution command to verify that no new flows are directed to VAPs that are in a down state.

NOTE: Application monitoring cannot detect process hangs. If a process is not functioning, but the application is still running, the XOS health system will continue to report the application as running.

Disabling a VAP Group’s Application Monitoring

When application monitoring on a VAP group is disabled, the application’s state for flow control calculation for that VAP group is ignored.

To disable application monitoring on a VAP group, use the following command:

CBS# configure vap-group <VAP_group_name> no application-monitor

Enabling a VAP Group for Application Monitoring

If you disabled a VAP group's application monitoring and want to return to the default setting of enabled, use the following command:

CBS# configure vap-group <VAP_group_name> application-monitor