
Introduction 

 

Check Point 61000 Security System Getting Started Guide R75.40VS for 61000   |   14 

 

In this Document

- A brief overview of necessary 61000 Security System concepts and features
- A step by step guide to getting the 61000 Security System up and running

Note - Many examples in this guide show the largest model available at the time of publication. 
The concepts and procedures are applicable to all models. 

 

Shipping Carton Contents 

This section describes the contents of the shipping carton. 

Item: Check Point 61000 Security System
Description: A single 61000 Security System Chassis

Item: 61000 Security System components
Description:
- 2 to 12 Security Gateway Modules
- 2 Security Switch Modules
- 2 Chassis Management Modules
- Power Supplies (preinstalled)
  - 5 AC Power Supply Units (PSUs) or
  - 1 to 2 DC Power Entry Modules (PEMs)
- 6 Fans (preinstalled)
- Power cord set

Item: Documentation
Description:
- EULA
- Welcome document

Obligatory Hardware Purchases 

Transceivers are not included in the shipping carton and must be purchased separately. 

SSM60 Transceivers

 

Ports: Network and Synchronization
Required Transceivers:
- Fiber transceiver for 10GbE XFP ports (SR/LR)

Ports: Management and log
Required Transceivers:
- Fiber transceiver for 1GbE SFP ports (SX/LR)
- Twisted-pair transceiver for 1GbE SFP ports
- Fiber transceiver for 10GbE XFP ports (SR/LR)

 

Summary of Contents for 61000

Page 1: ...30 April 2018 Getting Started Guide CHECK POINT 61000 SECURITY SYSTEM R75 40VS FOR 61000 Protected ...

Page 2: ...Check Point assumes no responsibility for errors or omissions This publication and features described herein are subject to change without notice RESTRICTED RIGHTS LEGEND Use duplication or disclosure by the government is subject to restrictions as set forth in subparagraph c 1 ii of the Rights in Technical Data and Computer Software clause at DFARS 252 227 7013 and FAR 52 227 19 TRADEMARKS Refer ...

Page 3: ...il 2018 Updated Installing the SGM with Snapshot Import on page 55 05 November 2017 Updated General updates 23 January 2014 Added Health and Safety Information in French Informations relatives à la santé et à la sécurité on page 9 Improved Formatting and document layout Added SGM260 LEDs support information 16 September 2013 Added After configuring a Security Gateway verify the configuration by ru...

Page 4: ...engaged in a continuous effort to improve its documentation Please help us by sending your comments mailto cp_techpub_feedback checkpoint com subject Feedback on R75 40VS Check Point 61000 Security System Getting Started Guide ...

Page 5: ...sis Management Modules 34 Blank Filler Panels for Airflow Management 36 Front Blank Panels with Air Baffles 36 Step 1 Site Preparation 37 Rack Mounting Requirements 37 Required Tools 37 Step 2 Installing the Chassis in a Rack 38 Step 3 Installing Hardware Components and Connecting Power Cables 39 Inserting AC Power Supply Units 40 Inserting Fan Trays 41 Inserting Chassis Management Modules 42 Inse...

Page 6: ... Interfaces 65 Virtual Network Device Configuration 66 Wizard Step 6 VSX Gateway Management 67 Completing the VSX Wizard 67 Confirming the VSX Gateway Software Configuration 67 Basic Configuration Using gclish 69 Licensing and Registration 71 Monitoring and Configuration 72 Showing Chassis and Component States asg stat 72 Monitoring Chassis and Component Status asg monitor 73 Monitoring Performanc...

Page 7: ...odules or gold contacts When holding memory modules do not touch their pins or gold edge fingers Restore SGMs to the anti static bag when they are not in use or not installed in the Chassis Some circuitry on the SGM can continue operating after the power is switched off Do not let the lithium battery cell used to power the real time clock on the CMM short The battery can heat up and become a burn ...

Page 8: ...n which case the user will be required to correct the interference at his own expense Information to user The user s manual or instruction manual for an intentional or unintentional radiator shall caution the user that changes or modifications not expressly approved by the party responsible for compliance could void the user s authority to operate the equipment In cases where the manual is provide...

Page 9: ... or using the appliance, please read these warnings. Warning: Do not block the air vents. The SGMs in the chassis must have sufficient ventilation. This appliance contains no user-replaceable parts. Do not remove any cover or attempt to reach the inside. Opening or modifying the appliance can cause a risk of injury and will void the ...

Page 10: ... Proposition 65 Chemicals identified by the State of California pursuant to the requirements of the California Safe Drinking Water and Toxic Enforcement Act of 1986, California Health Safety Code s 25249 5 et seq (Proposition 65), that are known to the State to cause cancer or reproductive toxicity, see http www calepa ca gov WARNING Handling this cord will ex...

Page 11: ... approximation of the laws of the Member States relating to the Electromagnetic Compatibility Directive 2004 108 EC This product complies with the Low Voltage Directive 2006 95 EC and meets the requirements of Council Directive 2006 95 EC on electrical equipment designed for use within certain voltage limits, as amended by Directive 93 68 C...

Page 12: ...ckpoint com or call Check Point at 1 800 429 4391 For additional technical information about Check Point products consult the Check Point Support Center http supportcenter checkpoint com Welcome to the Check Point family We look forward to meeting all of your current and future network application and management security needs Overview of Check Point 61000 Security Systems The Check Point 61000 Se...

Page 13: ...y gateways with Virtual Systems with advanced protection for many networks and network segments Virtual Systems can support up to 250 Virtual Systems on a 61000 Security System This gives you scalability availability reliability and optimal performance while minimizing hardware investment space requirements and maintenance costs Network virtualization supports easy deployment and configuration of ...

Page 14: ...Security System A single 61000 Security System Chassis 61000 Security System components 2 to 12 Security Gateway Modules 2 Security Switch Modules 2 Chassis Management Modules Power Supplies preinstalled 5 AC Power Supply Units PSUs or 1 to 2 DC Power Entry Modules PEMs 6 Fans preinstalled Power cord set Documentation EULA Welcome document Obligatory Hardware Purchases Transceivers are not include...

Page 15: ...nd Synchronization SFP 10GbE Fiber transceiver for SFP ports SR LR SFP 1GbE Fiber transceiver for SFP ports SX LX Twisted pair 1GbE transceiver for SFP ports QSFP transceiver for 40GbE ports SR LR QSFP splitter for 40GbE ports Management and log Fiber Twisted pair transceiver for 1GbE SFP ports SX LX SFP 10GbE Fiber transceiver for SFP ports SR LR ...

Page 16: ...anel Modules 16 Security Switch Module 18 Security Gateway Module SGM 23 AC Power Supply Units PSUs 27 AC Power Cords 29 DC Power Entry Modules PEMs 31 Fan Trays 33 Chassis Management Modules 34 Blank Filler Panels for Airflow Management 36 This section shows the hardware components of the 61000 Security System 61000 Security System Front Panel Modules ...

Page 17: ...ecurity Switch Module SSM distributes network traffic to the Security Gateway Modules and forwards traffic from the Security Gateway Modules Two are inserted in a chassis Two SSM versions are available SSM60 Not supported in a VSX Gateway SSM160 For more about each port see Security Switch Module Ports Security Switch Module on page 18 5 The Chassis Management Module CMM monitors the status of the...

Page 18: ...ble In the CLI output Upper slots are for DC PEMs They are listed as bay 1 and bay 2 numbered right to left Lower slots are for AC PSUs They are listed as bay 1 to bay 5 numbered right to left Security Switch Module The Security Switch Module SSM distributes network traffic to the Security Gateway Modules and forwards traffic from the Security Gateway Modules Two are inserted in a Chassis Two SSM ...

Page 19: ...ht Security Switch Module lower QSFP port eth2 13 to eth2 16 3 7 x 10GbE SFP data ports Can use 1GbE or 10GbE transceivers In the initial setup program the interface names are Left Security Switch Module eth1 01 eth1 02 eth1 07 Right Security Switch Module eth2 01 eth2 02 eth2 07 In SmartDashboard define used interfaces as internal or external 4 1 synchronization port for connecting to and synchro...

Page 20: ...orts Connect these ports to the management logging network Security Management Server or dedicated logging servers should be accessible from these interfaces 2 x 1GbE SFP port In the 61000 appliance initial setup program these interfaces are labeled On the left SSM eth1 Mgmt3 eth1 Mgmt4 On the right SSM eth2 Mgmt3 eth2 Mgmt4 ...

Page 21: ...d eth2 01 eth2 02 eth2 05 In SmartDashboard define used interfaces as internal or external 2 1 synchronization port on each SSM for connecting to and synchronizing with another 61000 Security System that functions as a high availability peer 3 4 ports for management and logging on each SSM 2 Upper ports 1GbE SFP 2 Lower ports 10GbE XFP Connect these ports to the management logging network Security...

Page 22: ... service Red SSM out of service Off Normal SSM hardware is normal 2 Power On Normal Power on Off Power off 3 Hot swap Blue SSM can be safely removed Blue blinking SSM is going to Standby mode Do not remove Off Normal SSM is Active Do not remove 4 SYN ACT On Normal Normal operation Off N A 5 Link On Link enabled Yellow blinking Link is active Off Link is disabled ...

Page 23: ...SGM versions are available SGM220 SGM220T for NEBS SGM260 The SGM260 has more powerful CPUs and uses a more advanced technology It also has a different front panel layout and different LEDs SGM260 LEDs Item LED Status Description 5 Out of service Red SGM out of service Off Normal SGM hardware is normal 6 Health Green Normal SGM core operating system is Active Green blinking SGM core operating syst...

Page 24: ...Link is disabled CTRL SPEED 1 CTRL SPEED 2 SSM1 and SSM2 management ports Yellow 10 Gbps Green 1 Gbps Off 100 Mbps Traffic 1 2 3 4 On Data and Sync traffic in SSM1 SSM2 SS3 SSM4 L2 Off Not used L1 Red Lower Right Installation started Red blinking in sequence Installation in progress Red All Installation failure Yellow Left Installation completed ...

Page 25: ...Green Right SGM is being configured Using First Time Configuration Wizard or adding a new SGM into a Chassis Off SGM is configured and ready ...

Page 26: ...e Off SGM operating system is in Standby mode 3 Hot swap Blue SGM can be safely removed Blue blinking SGM is going to Standby mode Do not remove Off Normal SGM is active Do not remove 4 Link Yellow Link enabled Yellow blinking Link is active Off Link is disabled 5 Data port speed Yellow 10 Gbps Green 1 Gbps Off 100 Mbps Management port speed Yellow 1 Gbps Green 100 Mbps Off 10 Mbps 6 L LEDs 2 and ...

Page 27: ...he backplane The AC Power inlets are located in the rear of the Chassis Each power supply has one power inlet Item Description AC Power Unit 1 Air filter Prevents dust entering the PSU 2 Latch for extracting and inserting the PSU 3 AC Power Supply LED Green AC Power is OK OFF AC power is OFF 4 DC Power Supply LED Green DC Power is OK Red DC power failure or Hot swap ready 5 Extraction handle for h...

Page 28: ... Fan 240W maximum CMM 10W maximum SGM 300W maximum SSM 300W maximum Recommended quantity of PSUs Important One power supply cannot supply a fully loaded Chassis This table shows how to calculate the recommended number of power supplies For a PSU that supplies 1500W Number of SGMs Minimum N Recommended N 1 2 2 3 4 2 3 6 3 4 8 3 4 10 4 5 12 4 5 ...

Page 29: ...graphical region These are some of the available power cords Region PLUG CONNECTOR CABLE EU KC 015 16A 250V KC 003H 10 A 250V H05RR F 3G 0 75mm2 AUSTRALIA KC 014 10A 250V KC 003H 10 A 250V H05RR F 3G 0 75mm2 UK KC 039 13A 250V KC 003H 10 A 250V H05RR F 3G 0 75mm2 JP KC 001 15A 125V KC 003H 15A 125V VCTF 3G 2 0mm2 US KC 001 15A 125V KC 003H 15A 125V SJT 14 3C 75ºC ...

Page 30: ...Region PLUG CONNECTOR CABLE CHINA KC 017N 10A 250V KC 003H 10 A 250V H05RR F 3G 0 7mm2 ...

Page 31: ...ion does not have its own power source You must supply a mains DC power system that includes an external battery and a branch circuit breaker of 125A for each PEM You must also supply lugs Panduit LCD6 14A L Use them to connect wires to the terminal blocks of the PEMs PEM Panel and LED Indicators Item Description 1 Locking captive screws Secure the PEM in the Chassis 2 Handles used for holding the...

Page 32: ...ing up or ready for extraction Blue blinking Hot swap process OFF Working Important Do not remove a PEM while it is connected to the power source Before replacing a PEM verify that power source is disconnected and isolated The PEM circuit breaker has only one pole and only disconnects the 48V lead The 48VDC RTN lead is always connected ...

Page 33: ...hree high performance fan trays The fan trays are at the rear of the Chassis Each tray contains two fans that supply air volume and velocity for cooling front and rear Chassis components Air flows from the inside to the outside of the Chassis Item Description 1 Power fault LED 2 Locking captive screw Three fan trays are preinstalled 6 fans ...

Page 34: ...3 Application defined LEDs 4 Latch 5 Network port 6 Serial port 7 Alarm 8 Thumb screw General LEDs LED Status Meaning ACT Green Chassis Management Module is active Red Chassis Management Module failure Green blink Chassis Management Module inactive PWR Green Good local voltage supply on Chassis Management Module Off Local voltage failure HS hot swap Steady blue Chassis Management Module is powerin...

Page 35: ...Telco Alarm LEDs LED Status Meaning CRT Critical Off Normal operation Red System alarm event MJR Major Off Normal operation Red System Alarm event MNR Minor Off Normal operation Red System alarm event ...

Page 36: ... requires a stable air flow in the Chassis To make sure that Chassis cooling is effective add blank filler panels to all empty slots Two types of airflow management panels are available for the empty slots on the Chassis Front blank panels with air baffles Rear panel with air baffles Front Blank Panels with Air Baffles Item Description 1 Slot cover 2 Tightening screws 3 Air Baffles ...

Page 37: ...ent space at the front and rear of the Chassis to let service personnel swap out hardware components The rack has a sufficient supply of cooling air The rack is correctly grounded A readily accessible disconnect device is incorporated into the building s wiring The disconnect device must be placed between the system s AC power inlet and the power source The disconnect device rating required mus...

Page 38: ... of the rack centering the Chassis in front of the shelf 2 Lift and slide the Chassis on to the rack shelf 3 Make sure that the holes in the front mounting flanges of the Chassis align with the holes in the rack rails 4 Insert mounting screws into the front mounting flanges aligned with the rack 5 Secure the appliance by fastening the mounting screws to the rack The appliance must be level and not po...

Page 39: ...rting Security Gateway Modules 44 Inserting Transceivers 45 Inserting Front Blank Panels 48 Connecting DC Power 48 Connecting a Second Chassis 50 This section covers inserting Chassis Management Modules Security Switch Modules Security Gateway Modules Twisted pair and fiber optic transceivers into ports on the Security Switch Modules Transceivers into the management ports on the Security Switch Mo...

Page 40: ...e pre installed in the Chassis You can swap in more units or replace units without interfering with the operation of the Scalable Platform Note One AC PSU cannot supply sufficient power to support a fully populated Chassis To insert an AC Power Supply Unit 1 Pull out the latch 2 Push in the Power Supply until it locks in place 3 Push in the Power Supply insertion latch 4 Make sure that the DC LED ...

Page 41: ...normal operating conditions the fans run at 21 of full speed The lower speed reduces the noise and increases the longevity of the fans The speed of each individual fan is monitored If the speed of one fan drops below the desired speed i e fan failure the other fans speed up Fans are pre installed in the appliance Manual replacement must be coordinated with Check Point Support To Insert a Fan 1 Sli...

Page 42: ...emove the tape on the battery This tape protects the battery life before installation 2 Open the upper latch 3 Insert the Chassis Management Module into the allocated slot Note If you have only one CMM we recommend inserting it into the lower Chassis slot 4 Close the latch 5 Tighten the two thumb screws 6 After power up all LEDs must light up for 1 2 seconds The ACT and PWR LEDs continue to show g...

Page 43: ...Inserting Security Switch Modules To insert a Security Switch Module 1 Open the latches at the top and bottom of the Security Switch Module 2 Slide the SSM into the allocated slot 3 Fasten the latches 4 Tighten the screws ...

Page 44: ...Inserting Security Gateway Modules To insert a Security Gateway Module 1 Open the latches at the top and bottom of the Security Gateway Module 2 Make sure the SGM is located correctly on the Chassis rail 3 Slide the Security Gateway Module into the allocated slot 4 Fasten the latches 5 Tighten the thumb screws ...

Page 45: ...ing Transceivers For connecting different interface types to the 61000 Security System using SFP SFP or XFP ports on the SSM Security Switch Modules support Twisted Pair and Fiber Optic transceivers The type and number of transceiver ports available depends on the SSM Note Remember to select a transceiver that matches the speed of the designated port ...

Page 46: ...Inserting Twisted Pair Transceivers Twisted pair transceivers can be inserted into Data and management ports on the SSM160 SFP management ports on the SSM60 Slide the transceiver into the open Security Switch Module port ...

Page 47: ...ransceivers can be inserted into data and management ports on the SSM60 and SSM160 switch modules The ports can be SFP SFP or XFP Slide the transceiver into the open Security Switch Module port Inserting QSFP Splitters 1 Insert the QSFP transceiver into the Security Switch Module 2 Insert the QSFP splitter cable into the transceiver This converts the 40GbE QSFP port to 4 x 10GbE ports ...

Page 48: ...wire color coding There is no standard for DC wire color coding Use the color codes on the DC power source battery for the DC wire leads 4 lugs Panduit LCD6 10A L for each PEM connect the wire leads to the PEM terminal blocks Crimping tool to connect the wire leads to the lugs Wire cutters Hexagonal head socket wrench or nut driver for tightening nuts to terminal studs on each PEM To connect DC pow...

Page 49: ...re the resistance between disconnected PEM wire leads and the Battery Return pole For all the PEM wired leads one at a time a At the battery disconnect a PEM wire lead from the battery b Connect one multimeter probe to the battery Return and the other probe to the PEM wire lead A very large resistance indicating an open circuit shows that the wire lead is connected to the PEM 48 60VDC terminal A v...

Page 50: ...aration on page 37 b Step 2 Installing the Chassis in a Rack on page 38 c Step 3 Installing Components and Connecting Power Cables Step 3 Installing Hardware Components and Connecting Power Cables on page 39 2 Connect the second Chassis 3 On each SSM connect the sync ports to the corresponding sync ports on the backup Chassis eth1 Sync in Chassis1 to eth1 Sync in Chassis2 eth2 Sync in Chassis1 to ...

Page 51: ... slows down until it reaches the optimum rate for cooling Chassis Management Module ACT and PWR LEDs show green Other LEDs turn off Turning off the Scalable Platform 1 Shut down the SGMs If the installation wizard Step 5 has not yet run release the levers on each SGM to shut them down If the installation wizard has run from gclish run asg_hard_shutdown b all 2 Shut down the SSMs and CMMs by releasin...

Page 52: ...ssis deployment in high availability make sure that all CMMs on each Chassis have the same Chassis ID The CMMs on Chassis 1 must include chassis_id 1 SHMM_CHASSID 1 The CMMs on Chassis 2 must include chassis_id 2 SHMM_CHASSID 2 Note When you add a new CMM to a Chassis you must validate the Chassis ID Make sure that the Chassis is in the Standby mode when you do this ...

Page 53: ...th1 Sync on chassis2 3 For IP management of the 61000 Security System connect a cable to one of the management interfaces on chassis1 Connect to the eth1 Mgmt1 if using a 10Gbps network Connect to the eth1 Mgmt4 if using a 1Gbps network Connecting over Console Serial See Connecting over Console Serial Port Configuring a Security Group and a Management IP Address 1 Start the installation wizard Run...

Page 54: ...eboots Other Security Gateway Modules in the Security Group are installed automatically Validating the Initial System Setup To make sure that the initial system setup is completed successfully Run the asg monitor command An Initial Policy must be installed on the local SGM after initial setup completes and the SGM reboots To monitor the automatic installation of other SGMs run tail f var log start...

Page 55: ...hed on all SGMs revert to the snapshot From gclish run set snapshot revert snapshot name The system is now installed with the latest software and firmware Installing the SGM Image from Removable Media You can install an ISO image on the Security Gateway Modules from a USB stick or DVD To copy the ISO image to the removable media 1 Obtain the ISO image file see instructions on the R75 40VS for 6100...

Page 56: ...d immediately pushing it back in place a Loosen the thumb screws at the top and bottom of the SGM b Open the latches at the top and bottom of the SGM c Fasten the latches d Tighten the thumb screws 5 When the first screen shows select Install Gaia on the system and press Enter 6 You must press Enter in 60 seconds or the computer will try to start from the hard drive The timer countdown stops once ...

Page 57: ... install on one SGM at a time repeat all the steps for each SGM To install on many SGMs at one time a Insert all the USB sticks or DVD drives into the USB ports of the other SGMs b Do this for one SGM at a time Connect to the console Reboot the SGM Partially remove the SGM and then push it back in place Select Install Gaia on the system and press Enter ...

Page 58: ...t on the Control Panel For more information see Control Panel for 64000 and 61000 N N Security Systems Control Panel for 44000 Security System 2 Connect the management ports on the Security Switch Modules to your network 3 Connect the data ports on the Security Switch Modules to your network For more information see the front panel of your appliance Hardware Components on page 16 ...

Page 59: ...curity Group is the group of SGMs that make up the Security Gateway Note In SmartDashboard one Security Gateway object represents all the SGMs in the security group Connecting a Console 1 Connect the RJ 45 jack end of a serial cable to the console port on the left most 61000 Security System in the Chassis 2 Connect the other end of the serial cable to the computer that you will use to do the initi...

Page 60: ...about Security Gateway Module numbering see the front panel of your appliance Hardware Components on page 16 5 The subnet for internal communication in the chassis is 192 0 2 0 24 by default Change the IP address if it conflicts with an existing subnet on your network 6 Configure parameters for Host Name Time and Date To configure the local time choose the geographical area and city 7 Select Netwo...

Page 61: ...re Secure Internal Communication When prompted enter and confirm the activation key Remember this activation key The same activation key is used for configuring the 61000 Security System object in SmartDashboard Configuration settings are applied and the SGM reboots The other Security Gateway Modules in the security group install automatically System Validation To make sure that the initial system...

Page 62: ...tes In these cases follow the instructions on the screen To configure a Security Gateway 1 Open SmartDashboard 2 When prompted enter your credentials to connect to the Security Management Server 3 Create a Security Gateway object In the Network Objects tree right click Check Point and then select New Check Point Security Gateway Management The Check Point Security Gateway Creation wizard opens 4 Sele...

Page 63: ...he Security Gateway object closes 17 Install the Policy Confirming the Security Gateway Software Configuration To make sure that the policy was successfully installed 1 Connect to the appliance with SSH or a serial console 2 Run asg monitor 3 Make sure that the SGM status is Enforcing Security on the ACTIVE and STANDBY Chassis 4 Make sure the Policy Date matches the date and time the policy was in...

Page 64: ...Guide http supportcontent checkpoint com solutions id sk76540 The VSX Gateway Wizard This section explains how to create a new VSX Gateway using the VSX Gateway Wizard The VSX Gateway in this example has one Virtual System VS0 and one dedicated management interface After you complete the VSX Gateway Wizard you can change the VSX Gateway definition from SmartDashboard For example you can add Virtua...

Page 65: ...Platform Separate Interfaces Virtual Systems use their own separate internal and external interfaces This template creates a Dedicated Management Interface DMI by default Custom Configuration Define Virtual System Virtual Switch and Interface configurations For this example choose Custom configuration Wizard Step 3 Establishing SIC Trust Initialize SIC trust between the VSX Gateway and the managem...

Page 66: ...te a Virtual Device 2 Select the Virtual Network Device type Virtual Router or Virtual Switch 3 Select the shared physical interface to define a non DMI gateway Do not select the management interface if you want to define a Dedicated Management Interface DMI gateway If you do not define a shared Virtual Device a DMI gateway is created by default Important This setting cannot be changed after you c...

Page 67: ...fault all services are blocked For example to be able to ping the gateway from the management server allow ICMP echo request traffic 2 Source Click the arrow and select a Source Object from the list The default value is Any Click New Source Object to define a new source You can modify the security policy rules that protect the VSX Gateway later 3 Click Next Completing the VSX Wizard Click Next to ...

Page 68: ...shows the output for a dual Chassis VSX Gateway Chassis 1 Active has 1 SGM in its Security Group Chassis 1 ACTIVE SGM 1 local State UP VS ID 0 Enforcing Security 4 You can now add more SGMs to the Security Group Run asg security_group 5 After all SGMs are UP and enforcing Security you can add Virtual Systems to the VSX Gateway ...

Page 69: ...urity Gateway Show the IPv4 interface address show interface eth1 01 ipv4 address Security Gateway VSX Gateway Delete the IPv4 address from an interface delete interface eth1 01 ipv4 address Security Gateway Hostname To Run Applicable Modes Set the hostname set hostname security system name Each SGM gets its local identity as suffix For example gcp X1000 ch01 04 Security Gateway VSX Gateway Show t...

Page 70: ...eway VSX Gateway VLANs To Run Applicable Modes Add a VLAN interface add interface eth2 02 vlan 1023 Security Gateway Show a VLAN interface show interface eth2 02 vlans Security Gateway VSX Gateway Image Management Snapshots To Run Applicable Modes Add a snapshot add snapshot snapshot name desc description Security Gateway VSX Gateway Revert to a snapshot set snapshot revert snapshot name Security ...

Page 71: ...ng the IP address open an SSH connection to the CMM ssh IP Address of CMM Log in with these credentials Username admin Password admin 4 On the CMM run clia fruinfo 20 254 5 The output shows the Chassis Serial Number To register the 61000 Security System 1 Log in to the User Center https usercenter checkpoint com 2 In the applicable account search for the chassis serial number 3 Generate a license ...

Page 72: ...tates asg stat Use this command to show the Chassis and hardware component state for single and dual Chassis configurations The command shows system Up time CPU load average and current Concurrent connections Health Use Verbose mode to show SGM state process and policy Syntax asg stat v vs vs_ids l Note If you run this command in a VSX context the output is for the applicable Virtual System Parame...

Page 73: ...g monitor v all amw vs vs_ids interval asg monitor l asg monitor h Parameter Description No parameters Shows the SGM status h Shows the command syntax and help information amw Shows the Anti Malware policy date instead of the Firewall policy date v Shows only Chassis component status all Shows both SGM and Chassis component status interval Sets the data refresh interval in seconds for this session...

Page 74: ... Enforcing Security 10Feb14 19 56 2 UP Enforcing Security 10Feb14 19 56 3 UP Enforcing Security 10Feb14 19 56 4 UP Enforcing Security 10Feb14 19 56 Chassis HA mode Active Up This example shows the Chassis component status asg monitor v Chassis Parameters Unit Chassis 1 Chassis 2 Unit Weight SGMs 4 4 3 4 6 Ports Standard 2 2 2 2 11 Bond 2 2 2 2 11 Mgmt 1 1 1 1 11 Other 0 0 0 0 6 Sensors Fans 4 6 6 ...

Page 75: ...p a k last hist e Parameter Description b SGM_string Shows results for SGMs and or Chassis as specified by SGM_string The SGM_string can be No SGM_string or all Shows all SGMs and Chassis One SGM A comma separated list of SGMs 1_1 1_4 A range of SGMs 1_1 1_4 One Chassis Chassis1 or Chassis2 The active Chassis chassis_active vs VS_string For VSX Gateway only List of Virtual Systems For example 1 VS...

Page 76: ...en these paths on the Active Chassis Acceleration path Performance Pack Medium path PXL Slow path Firewall a Show absolute values k Shows peak values for connection rate concurrent connections and throughput h Display usage Example If no SGMs are specified the command shows performance statistics for the Active Chassis asg perf v Output Notes Load Average CPU load ...

Page 77: ...pes in a comma separated list CMM CPUtemp Fan PowerConsumption PowerUnit SSM Sample Output for the 61000 Security System asg hw_monitor v Hardware Monitor Sensor Location Value Threshold Units State Chassis 1 CMM bay 1 1 0 S D A 1 CMM bay 2 0 0 S D A 1 CPUtemp blade 1 CPU0 45 65 Celsius 1 CPUtemp blade 1 CPU1 39 65 Celsius 1 CPUtemp blade 2 CPU0 44 65 Celsius 1 CPUtemp blade 2 CPU1 39 65 Celsius 1...

Page 78: ...bay 5 fan 1 0 0 NA 0 PowerUnitFan bay 5 fan 2 0 0 NA 0 SSM bay 1 0 0 Mbps 1 SSM bay 2 0 0 Mbps 1 Chassis 2 CMM bay 1 1 0 S D A 1 CMM bay 2 0 0 S D A 1 CPUtemp blade 1 CPU0 46 65 Celsius 1 CPUtemp blade 1 CPU1 46 65 Celsius 1 CPUtemp blade 2 CPU0 48 65 Celsius 1 CPUtemp blade 2 CPU1 49 65 Celsius 1 CPUtemp blade 3 CPU0 46 65 Celsius 1 CPUtemp blade 3 CPU1 47 65 Celsius 1 CPUtemp blade 4 CPU0 46 65 ...

Page 79: ...sius 1 CPUtemp blade 1 CPU1 46 65 Celsius 1 CPUtemp blade 2 CPU0 46 65 Celsius 1 CPUtemp blade 2 CPU1 44 65 Celsius 1 CPUtemp blade 3 CPU0 46 65 Celsius 1 CPUtemp blade 3 CPU1 45 65 Celsius 1 CPUtemp blade 4 CPU0 45 65 Celsius 1 CPUtemp blade 4 CPU1 46 65 Celsius 1 Fan bay 1 fan 1 4 11 Speed Level 1 Fan bay 1 fan 2 4 11 Speed Level 1 Fan bay 1 fan 3 4 11 Speed Level 1 Fan bay 1 fan 4 4 11 Speed Le...

Page 80: ... 3 3 11 Speed Level 1 Fan bay 1 fan 4 3 11 Speed Level 1 Fan bay 1 fan 5 3 11 Speed Level 1 Fan bay 1 fan 6 3 11 Speed Level 1 Fan bay 1 fan 7 3 11 Speed Level 1 Fan bay 1 fan 8 3 11 Speed Level 1 Fan bay 1 fan 9 3 11 Speed Level 1 Fan bay 1 fan 10 3 11 Speed Level 1 Fan bay 2 fan 1 3 11 Speed Level 1 Fan bay 2 fan 2 3 11 Speed Level 1 Fan bay 2 fan 3 3 11 Speed Level 1 Fan bay 2 fan 4 3 11 Speed ...

Page 81: ...toring SGM Resources (asg resource). Use this command to show SGM resource usage and thresholds for the entire 61000 Security System. Syntax: asg resource -b sgm_ids; asg resource -h. Parameter / Description. -b sgm_ids: Works with SGMs and/or Chassis as specified by sgm_ids. sgm_ids can be: No sgm_ids specified or all (shows all SGMs and Chassis); One SGM; A comma-separated list of SGMs (1_1,1_4); A range of SGMs (1_1-1...

Page 82: ...t 19 80 288 6M. Notes: The SGM column shows the SGM ID. The Resource column identifies the resource. There are four types of resources: Memory; HD (Hard drive space); HD /var/log (Space on hard drive committed to log files); HD /boot (Location of the kernel). The Usage column shows the percentage of the resource in use. The Threshold gives an indication of the health and functionality of the component. When the valu...

Page 83: ...ameters the wildcard is used for the others. v: Verbose mode. help: Display usage. Example 1: asg search <source IP> <Destination IP>: asg search 10.33.86.2 10.33.87.101 Output: Lookup for conn 10.33.86.2 10.33.87.101 may take few seconds 10.33.86.2 2686 10.33.87.101 22 tcp 1_01 A 1_03 B 2_01 B. Legend: A = Active SGM, B = Backup SGM. Comments: Searching for connections from 10.33.86.2 to 10.33.87.101 shows one SSH co...

Page 84: ... Comments: Searching for tcp connection with source IP address 10.33.86.2 and destination port 8080. The output shows three connections handled on SGM 1_01, with a backup on SGM 1_07 and 2_01 ...

Page 85: ...meters as prompted by the wizard: Alert type and related parameters; Event type; Alert mode. Alert Parameters. SMS alert parameters: SMS Provider URL: Fully qualified URL to your SMS provider. HTTP proxy and port (optional): Necessary only if your Security Gateway requires a proxy server to reach the SMS provider. SMS rate limit: Maximum number of SMS messages sent per hour. When there are too many messages, oth...

Page 86: ...DES or AES. SNMP v3 privacy password: Privacy password. SNMP user text: Custom text for the SNMP trap messages. SNMP community string: Community string for the SNMP manager. Note: Some parameters do not show, based on your settings. Log alert parameters: There are no configurable parameters for log alerts. Event types: You can select one or more event types: One event type; A comma-delimited list of more than on...

Page 87: ...Monitor: A log entry is generated instead of an alert ...

Page 88: ...oducts.asg (OID 1.3.6.1.4.1.2620.1.48). 2. Enable the SNMP agent on the 61000 Security System. In gclish, run "set snmp agent on". SNMP Traps: The 61000 Security System supports this SNMP trap only: iso.org.dod.internet.private.enterprise.checkpoint.products.asgTrap (OID 1.3.6.1.4.1.2620.1.2001). The SNMP traps MIB is located on each SGM under $CPDIR/lib/snmp/chkpnt-trap.mib. Note: The set snmp traps command is no...

Page 89: ...al System. You can only run a remote SNMP query on VS0. You can use the CLI to change the Virtual System context and then run a local SNMP query on a Virtual System. To use SNMP in the Virtual System mode: 1. Configure an SNMP V3 user: add snmp usm user jon security-level authNoPriv auth-pass-phrase VALUE 2. Set the SNMP mode: set snmp mode vs, or set snmp mode default 3. Start SNMP agent: set snmp agent on V...

Page 90: ... each test (Passed or Failed) and the location of the output log file. Syntax: asg diag list <TestNum1>,<TestNum2>; asg diag verify <TestNum1>,<TestNum2>; asg diag print <TestNum1>,<TestNum2>; asg diag purge <Number of logs to keep>. Parameters: Parameter / Description. list: Show the list of tests. verify: Run tests and show a summary of the results. print: Run tests and show the full output and also a summary of the results. T...

Page 91: ...Cores Distribution cores_verifier 13 SPI Affinity spi_affinity_verifier v 14 Clock clock_verifier v 15 Mgmt Monitor mgmt_monitor snmp_verify 16 Licenses asg_license_verifier 17 Hide NAT range asg_hide_behind_range v Networking 18 MAC Setting mac_verifier v 19 Interfaces interface_verifier q 20 Bond asg_bond_verifier v 21 Bridge asg_br_verifier v 22 IPv4 Route asg_route q 23 IPv6 Route asg_route ip...

Page 92: ...assed 16 Licenses Passed 17 Hide NAT range Passed Networking 18 MAC Setting Passed 19 Interfaces Passed 20 Bond Passed 21 Bridge Passed 22 IPv4 Route Passed 23 IPv6 Route Passed 1 Not configured 24 Dynamic Routing Failed 1 BGP 25 Local ARP Passed 26 Port Speed Passed Misc 27 Core Dumps Passed 28 Syslog Passed Tests Summary Passed 22 28 tests Run asg diag list 1 2 3 4 5 24 to view a complete list o...

Page 93: ...8 124 Synchronization Within chassis Enabled Default Exception Rules Default Distribution Control Blade Disabled Default Comment 2 2 The Chassis grade is 118/124 because one of the SGMs is in DOWN Admin state. Bringing the SGM up solves the problem. Alternatively, remove the SGM from the security group to suppress the alert. Another way of debugging the issue is to open the output file in /var/log When...

Page 94: ...h the CPU type. After solving the issues identified by asg diag verify, you can run a subset of the tests that failed to make sure that all issues have been solved. To run a subset of the tests, see example 3. Example 3: To run a subset of the tests, run: asg diag verify 1,2,3,4,5,24 Output 3: Tests Status ID Title Result Reason System Components 1 System Health Passed 2 Hardware Passed 3 Resources Passed ...

Page 95: ...efined threshold. CPU type: Non-compliant CPU type: At least one SGM CPU type is not configured in the list of compliant CPUs. You can define the compliant CPU types. Security group: Source error: The information collected from this source is different between the SGMs. Sources differ: The information collected from many sources is different. Changing Compliance Thresholds: You can change some compliance thr...
