Check Point IP690 - Flash Based Sys Installation Manual

Check Point
IP690 Security Platform
Installation Guide
Part No. N450000890 Rev 001
Published March 2009
© 2003-2009 Check Point Software Technologies Ltd.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks.
For third party notices, see http://www.checkpoint.com/3rd_party_copyright.html.
Check Point Contact Information
For additional technical information about Check Point products, and for the latest version of this document, see the Check Point Support Center at http://support.checkpoint.com/.
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:
cp_techpub_feedback@checkpoint.com
2 Check Point IP690 Security Platform Installation Guide
Contents
Check Point Contact Information
About this Guide
  In this Guide
  Conventions this Guide Uses
  Notices
  Command-Line Conventions
  Text Conventions
1 Overview
  About the Check Point IP690 Security Platform
  Managing the Check Point IP690 Security Platform
  Check Point IP690 Security Platform Overview
  Four-Port 10/100/1000 Ethernet NIC
  PMC Expansion Slots
  Console Port
  Auxiliary Port
  System Status LEDs
  Logging Options
  Using Hard-Disk Drives for Logging
  Using PC Card for Logging
  Power Supplies and Fan Unit
  Power Supplies
  Fan Unit
  Site Requirements, Warnings, and Cautions
  Software Requirements
  Product Disposal
2 Installing the Check Point IP690 Appliance
  Before You Begin
  Rack-Mounting the Appliance
3 Performing the Initial Configuration
  Using a Console Connection
  Connecting Power and Turning the Power On
  Performing the Initial Configuration
  Connecting Network Interfaces
  Using Check Point Network Voyager
  Viewing Check Point IPSO Documentation by Using Check Point Network Voyager
  Using the Command-Line Interface
  Using Check Point Horizon Manager
4 Installing and Replacing Network Interface Cards
  Deactivating Configured Interfaces
  Installing NICs
  Before You Begin
  Configuring and Activating Interfaces
  Monitoring Network Interface Cards
5 Connecting PMC Network Interface Cards
  Four-Port 10/100 Ethernet NIC
  10/100 Ethernet NIC Features
  Ethernet NIC Connectors and Cables
  Two-Port and Four-Port Copper Gigabit Ethernet NIC
  Copper Gigabit Ethernet NIC Features in the IP690
  Copper Gigabit Ethernet NIC Connectors and Cables
  Two-Port Fiber-Optic Gigabit Ethernet NICs
  Fiber-Optic Gigabit Ethernet NIC Features
  Fiber-Optic Gigabit Ethernet NIC Connectors and Cables
6 Installing, Using, and Replacing ADP Services Modules
  Installing and Replacing ADP Modules
  Before You Begin
  Check Point ADP Module LED Reference Information
  Configuring Check Point IPSO with IP690 ADP Interfaces
  Effect on Interfaces
  Check Point ADP Module Interface Names for IP690 Appliances
  Configuring Network Topology with an IP690 Appliance
  Configuration Example with VRRP
  Deleting VRRP Configurations
  Reconfiguring Interfaces
  Reconfiguring VRRP
7 Installing and Replacing Components Other than Network Interface Cards (NICs) and Accelerated Data Path (ADP) Services Modules
  Replacing the Compact Flash Memory Card
  Installing and Using a PC Card
  Installing a Hard-Disk Drive
  Before You Begin
  Replacing a Check Point Encryption Accelerator Card
  Before You Begin
  Configuring Software to Use Hardware Acceleration
  Replacing a Fan Unit
  Before You Begin
  Replacing a Power Supply
  Before You Begin
  Monitoring the IP690 Appliance Power Supply
  Replacing the Battery
8 Troubleshooting
  General Troubleshooting Information
  Troubleshooting Routing Problems
A Technical Specifications
  Space Requirements
  Other Specifications
B Compliance Information
  Declaration of Conformity
  Compliance Statements
  FCC Notice (US)
Index
Figures
Figure 1 Component Locations Front View
Figure 2 Four-Port 10/100/1000 Ethernet PMC Details
Figure 3 Check Point IP690 Security Platform System Status LEDs
Figure 4 Location of the PMC PC Card Carrier Slot
Figure 5 Power Supplies and Fan Unit Locations
Figure 6 Power Supply Receptacle and Switch Locations
Figure 7 Fan Unit
Figure 8 Rack-Mounting Screw Locations
Figure 9 Power Switch Location
Figure 10 Check Point Network Voyager Reference Access Points
Figure 11 Four-Port 10/100 Ethernet NIC Front Panel Details
Figure 12 Output Connector for the Ethernet Cable
Figure 13 Ethernet Crossover-Cable Pin Connections
Figure 14 Four-Port Copper Gigabit Ethernet NIC Front Panel Details
Figure 15 Two-Port Copper Gigabit Ethernet NIC Front Panel Details
Figure 16 Gigabit Ethernet Cable Connector Output Pin Assignments
Figure 17 Gigabit Ethernet Crossover Cable Pin Connections
Figure 18 PMC Two-Port Short-Range Gigabit Ethernet NIC
Figure 19 PMC Two-Port Long-Range Gigabit Ethernet NIC
Figure 20 Compact Flash Memory Card Slot
Figure 21 External PC Card Location
Figure 22 Location of Hard-Disk Drive on Chassis Tray Assembly
Figure 23 Power Supply Locations
Tables
Table 1 Command-Line Conventions
Table 2 Text Conventions
Table 3 Pin Assignments for Console Connector and Console Cable
Table 4 System Status LEDs
Table 5 Power Supply Status LEDs
Table 6 NIC PCI Frequency
About this Guide
This manual provides information for the installation and use of the Check Point IP690 security platforms. Installation and maintenance should be performed by experienced technicians or Check Point-approved service providers only.
This preface provides the following information:
In this Guide
Conventions this Guide Uses
In this Guide
This guide is organized into the following chapters and appendixes:
Chapter 1, “Overview” presents a general overview of the Check Point IP690 security platform.
Chapter 2, “Installing the Check Point IP690 Appliance” describes how to rack-mount the appliance.
Chapter 3, “Performing the Initial Configuration” describes how to physically connect the Check Point IP690 security platform to a network and to a power source and how to make the security platform available on the network.
Chapter 4, “Installing and Replacing Network Interface Cards” describes how to install, monitor, and replace network interface cards (NICs) and Accelerated Data Path (ADP) services modules.
Chapter 5, “Connecting PMC Network Interface Cards” describes how to connect to and use each of the supported NICs.
Chapter 6, “Installing, Using, and Replacing ADP Services Modules” describes how to install and use Accelerated Data Path (ADP) services modules with your appliance.
Chapter 7, “Installing and Replacing Components Other than Network Interface Cards (NICs) and Accelerated Data Path (ADP) Services Modules” describes how to install or replace memory, hard-disk drives, the fan unit, power supplies, battery, compact flash memory card, PC card, and the Check Point encryption accelerator card.
Chapter 8, “Troubleshooting” discusses problems you might encounter and proposes solutions to these problems.
Appendix A, “Technical Specifications” provides technical specifications such as interface characteristics.
Appendix B, “Compliance Information” provides compliance and regulatory information.
Conventions this Guide Uses
The following sections describe the conventions this guide uses, including notices, text conventions, and command-line conventions.
Notices
Warnings advise the user that either bodily injury might occur because of a physical hazard, or that damage to a structure, such as a room or equipment closet, might occur because of equipment damage.
Cautions indicate potential equipment damage, equipment malfunction, loss of performance, loss of data, or interruption of service.
Notes provide information of special interest or recommendations.
Command-Line Conventions
Table 1 describes the elements of commands that are available in Check Point business security products. You might encounter one or more of the following elements on a command-line path.
Table 1 Command-Line Conventions
Convention, followed by its description:

command
    This required element is usually the product name or other short word that invokes the product or calls the compiler or preprocessor script for a compiled Check Point product. It might appear alone or precede one or more options. You must spell a command exactly as shown and use lowercase letters.

Italics
    Indicates a variable in a command that you must supply. For example:
        delete interface if_name
    Supply an interface name in place of the variable. For example:
        delete interface nic1

Angle brackets < >
    Indicates arguments for which you must supply a value:
        retry-limit <1–100>
    Supply a value. For example:
        retry-limit 60

Square brackets [ ]
    Indicates optional arguments.
        delete [slot slot_num]
    For example:
        delete slot 3

Vertical bars, also called a pipe (|)
    Separates alternative, mutually exclusive elements.
        framing <sonet | sdh>
    To complete the command, supply the value. For example:
        framing sonet
    or
        framing sdh

-flag
    A flag is usually an abbreviation for a function, menu, or option name, or for a compiler or preprocessor argument. You must enter a flag exactly as shown, including the preceding hyphen.

.ext
    A filename extension, such as .ext, might follow a variable that represents a filename. Type this extension exactly as shown, immediately after the name of the file. The extension might be optional in certain products.

( . , ; + * - / )
    Punctuation and mathematical notations are literal symbols that you must enter exactly as shown.

' '
    Single quotation marks are literal symbols that you must enter as shown.
Text Conventions
Table 2 describes the text conventions this guide uses.
Table 2 Text Conventions
Convention, followed by its description:

monospace font
    Indicates command syntax, or represents computer or screen output, for example:
        Log error 12453

bold monospace font
    Indicates text you enter or type, for example:
        # configure nat

Key names
    Keys that you press simultaneously are linked by a plus sign (+):
        Press Ctrl + Alt + Del.

Menu commands
    Menu commands are separated by a greater than sign (>):
        Choose File > Open.

The words enter and type
    Enter indicates you type something and then press the Return or Enter key. Do not press the Return or Enter key when an instruction says type.

Italics
    Emphasizes a point or denotes new terms at the place where they are defined in the text.
    Indicates an external book title reference.
    Indicates a variable in a command:
        delete interface if_name
1 Overview
This chapter provides an overview of the Check Point IP690 security platform and the requirements for its use. The following topics are covered:
About the Check Point IP690 Security Platform
Managing the Check Point IP690 Security Platform
Check Point IP690 Security Platform Overview
Logging Options
Site Requirements, Warnings, and Cautions
Software Requirements
Product Disposal
About the Check Point IP690 Security Platform
The Check Point IP690 security platform combines the power of the Check Point IPSO for IP appliances operating system with the Check Point VPN-1/FW-1 firewall application. The Check Point IP690 security platform is a high-end, multi-port security platform that is ideally suited for the enterprise data center.
The IP690 is a one rack-unit appliance that incorporates a serviceable slide-out tray into the chassis design. In its base configuration, the IP690 consists of:
Solid state IDE compact flash storage, which stores the Check Point IPSO operating system
2-GB system RAM
Redundant hot-swappable AC power supplies
Fan unit
Encryption accelerator card to further enhance VPN performance
The front panel of the IP690 security platform contains:
Four PMC slots for network interface cards (NICs) and Accelerated Data Path (ADP) services modules, including:
    An option for single-slot PCMCIA PMC carrier card in slot 3
    A four-port Ethernet 10/100/1000 interface in slot 4
A console port
An auxiliary port
Front-panel reset button
Any slot can be used for an Ethernet NIC. The PCMCIA PC card carrier that is an option for slot 3 is removable; slot 3 can accept a Check Point-approved NIC.
You can purchase optional 2.5-inch hard-disk drives to use for logging. You can also purchase an optional PC card for logging.
The IP690 security platform is designed to meet other mid- to high-end availability requirements, including port density for connections to redundant internal, external, DMZ, and management networks. In addition, the IP690 security platform provides N + 1 cooling.
As a network device, the IP690 security platform supports a comprehensive suite of IP-routing functions and protocols.
The integrated router functionality eliminates the need for separate intranet and access routers in security applications.
Managing the Check Point IP690 Security Platform
You can manage the IP690 security platform by using the following interfaces:
Check Point Network Voyager for IP appliances—an SSL-secured, Web-based element management interface to Check Point IP security platforms. Network Voyager is preinstalled on the IP690 security platform and enabled through the Check Point IPSO operating system. With Network Voyager, you can manage, monitor, and configure the IP690 security platform from any authorized location within the network by using a standard Web browser. Use one of the four Ethernet ports to access the Network Voyager interface.
For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.
The Check Point IPSO command-line interface (CLI)—an SSHv2-secured interface that enables you to easily configure Check Point IP security platforms from the command line. Everything that you can accomplish with Network Voyager—manage, monitor, and configure the IP690 security platform—you can also do with the CLI.
For information about how to access the CLI, see the CLI Reference Guide for the version of Check Point IPSO you are using.
Check Point Horizon Manager for IP appliances—a secure GUI-based software image management application. With Horizon Manager, you can securely install and upgrade the proprietary Check Point IPSO operating system, plus hardware and applications. Horizon Manager can perform installations and upgrades on up to 2,500 Check Point IP security platforms, offering administrators the most rapid and dependable upgrade to Check Point NG.
For information about how to obtain Horizon Manager, contact the Check Point Support Center at http://support.checkpoint.com/.
Check Point IP690 Security Platform Overview
Figure 1 shows the component locations for the IP690.
Figure 1 Component Locations Front View
[Figure callouts: system status LEDs, AUX port, console port, four-port Ethernet 10/100/1000 (slot 4), PC-card slot (slot 3), PMC NIC slots (slots 1 and 2), reset button]
Four-Port 10/100/1000 Ethernet NIC
The four-port 10/100/1000 Mbps Ethernet ports are located in slot 4. Figure 2 shows the layout of the Ethernet ports and link LEDs. The top link LED represents the left-most port (port 1). The remaining LEDs represent the remaining ports from top to bottom and left to right.
The Ethernet ports are intended for management or high-speed traffic.
Figure 2 Four-Port 10/100/1000 Ethernet PMC Details
[Figure callouts: RJ-45 connectors, link LEDs (green), ports 1 through 4]
Cables that connect to the Ethernet NIC must be compliant with IEEE 802.3ab, Cat 5E, or Cat 5 cables to prevent potential data loss.
PMC Expansion Slots
The IP690 security platform provides two additional PMC expansion slots for network interface card (NIC) and Accelerated Data Path (ADP) services module options.
For information about NICs, see Chapter 5, “Connecting PMC Network Interface Cards.”
For information about ADP modules, see Chapter 6, “Installing, Using, and Replacing ADP Services Modules.”
Check Point products only support NICs and ADP modules purchased from Check Point or Check Point-approved resellers. The Check Point support services group can only provide support for Check Point products that use Check Point-approved accessories. For sales or reseller information, contact the Check Point Support Center at http://support.checkpoint.com/.
Console Port
The default configuration of the serial ports is: 9600 baud, 8 bits, no parity, and 1 stop bit. Table 3 provides pin assignment information for console connections. If you need to access the device locally, you must use the console port.
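Table 3 Pin Assignments for Console Connector and Console Cable
| Console Port (DTE): Signal | RJ-45 to RJ-45 Rollover Cable: RJ-45 Pin | RJ-45 to RJ-45 Rollover Cable: RJ-45 Pin | RJ-45 to DB-9 Terminal Adapter: DB-9 Pin | Console Device: Signal |
| --- | --- | --- | --- | --- |
| RTS | 1 | 8 | 8 | CTS |
| DTR | 2 | 7 | 6 | DSR |
| TxD | 3 | 6 | 2 | RxD |
| GND | 4 | 5 | 5 | GND |
| GND | 5 | 4 | 5 | GND |
| RxD | 6 | 3 | 3 | TxD |
| DSR | 7 | 2 | 4 | DTR |
| CTS | 8 | 1 | 7 | RTS |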
The console cable provided with the IP690 consists of two parts:
A 6’ rollover cable with RJ-45 terminations
An RJ-45 to DB-9 adapter
One RJ-45 termination has a retractable shroud that releases or secures the RJ-45 tab. Use this end of the cable when connecting to the console port of the IP690. You can easily remove the console cable by pulling back on the shroud.
On the opposite end of the console cable, connect the RJ-45 to the DB-9 adapter, which you can then connect to the host terminal.
Auxiliary Port
Use the built-in serial (AUX) port, shown in Figure 1, to establish a modem connection for managing the appliance remotely or out-of-band. Use USB cables with a standard USB A-style connector and pinout for the AUX port. For Check Point approved modem connections, you will need a USB to RS232 adaptor.
The only modem approved for use with Check Point security appliances with USB AUX ports is the Radicom model V92MB-U-E, and you must be using IPSO 6.1 or greater.
System Status LEDs
You can visually monitor the status of the IP690 security platform by checking the system status LEDs. The system status LEDs are located on the center of the front panel, as shown in Figure 3.
Figure 3 Check Point IP690 Security Platform System Status LEDs
[Figure callouts: Fault (red), Warning (yellow), System OK (green)]
Table 4 shows the system status LEDs and describes their meaning.
Table 4 System Status LEDs
| Status Indicator | Definition | Symbol |
| --- | --- | --- |
| Solid yellow | Appliance is experiencing an internal voltage problem. | |
| Blinking yellow | Appliance is experiencing a temperature problem. | |
| Solid red | One or more fans are not operating properly. Power supply over temperature fault. | |
| Blinking green | System activity indicator | |
The location and definition of the status LEDs for the installed network interface cards (NICs) is described in Chapter 5, “Connecting PMC Network Interface Cards.”
The location and definition of the status LEDs for the installed ADP modules is described in Chapter 6, “Installing, Using, and Replacing ADP Services Modules.”
The Fault and Warning symbols in Table 4 are visible only if there is an alarm condition, as specified.
Logging Options
The IP690 supports two options for storing local system log files, as described in the following topics:
Using Hard-Disk Drives for Logging
Using PC Card for Logging
You can use only one device for logging (whether hard-disk drive or PC card) so only one should be plugged into the system at any one time.
Using Hard-Disk Drives for Logging
The IP690 security platform is either a flash-based or disk-based appliance, and the appliance also supports one or two optional hard-disk drives that plug into connectors on the motherboard. Each hard-disk drive provides 40 GB of disk storage.
A hard-disk drive is not included with a standard flash-based IP690, nor is a second hard-disk drive included with a standard disk-based IP690. When you purchase your IP690, you can order one or two hard-disk drives for factory installation or order them later and install them yourself, as described in “Installing a Hard-Disk Drive” on page 82.
You can use a single hard-disk drive for storing log files.
Using PC Card for Logging
The IP690 slot 3 populated with an optional PCMCIA card carrier can support an optional PC card with 1 GB flash memory. The slot, labeled Slot 3, is located on the front panel of the appliance, as Figure 4 shows. The IP690 supports using only one PC card at a time.
Figure 4 Location of the PMC PC Card Carrier Slot
You can use the PC card flash memory to store local system logs.
Check Point only supports PC cards purchased from Check Point or Check Point-approved resellers. For more information, contact the appropriate Check Point customer support site listed in “For additional technical information about Check Point products, and for the latest version of this document, see the Check Point Support Center at http://support.checkpoint.com/.” on page 2.
The slot that the PCMCIA card carrier uses also supports other PMC cards approved by Check Point.
Power Supplies and Fan Unit
The redundant power supplies and fan unit are located at the rear of the IP690 appliance, as shown in Figure 5.
Figure 5 Power Supplies and Fan Unit Locations
Power Supplies
The IP690 supports two redundant power supplies. Each power supply is autosensing and can accept AC input between 85 VAC and 264 VAC at 47 Hz to 64 Hz.
Figure 6 Power Supply Receptacle and Switch Locations
For information about how to install or remove and replace a failed power supply, see “Replacing a Power Supply” on page 92.
The power supply status LEDs provide the status of the power supply as described in Table 5.
Table 5 Power Supply Status LEDs
LED | LED status | Meaning
Fault | Red | Power supply has a voltage problem and power was turned off, or one power supply in a redundant system is not turned on.
Over Temp | Yellow | Power supply has an internal temperature problem. All power to the unit is turned off. After the internal temperature returns to normal, power will be turned back on.
PWR OK | Green | Power is on and the power supply is functioning properly.
Fan Unit
The IP690 fan is a single unit made up of four individual fans to provide the air flow required to maintain a proper operating temperature. The fan unit can provide proper airflow for a short time even if an individual fan fails.
Figure 7 Fan Unit
If an individual fan fails, replace the fan unit as soon as possible. For information about how to replace a failed fan unit, see “Replacing a Fan Unit” on page 91.
The system status LEDs on the front panel of the appliance show the status of the fan unit. For more information about the system status LEDs, see “System Status LEDs” on page 19.
Site Requirements, Warnings, and Cautions
Before you install a Check Point IP690 security platform, ensure that your computer room or wiring closet conforms to the environmental specifications listed in Appendix A, “Technical Specifications.”
Excessive electromagnetic interference (EMI) can occur if you use controls, make performance adjustments, or follow procedures that are not described in this document.
To reduce the risk of fire, electric shock, and injury when you use telephone equipment, follow basic safety precautions. Do not use the product near water.
On Check Point IP690 security platforms intended for shipment outside of the United States, the cord set might be optional. If a cord set is not provided, use a power cord rated at 10A, 250V, maximum 15 feet long, made of HAR cordage and IEC fittings approved by the country of end use.
Risk of explosion if battery is replaced by an incorrect type. Replace the battery only with the same or equivalent type that the manufacturer recommends. Dispose of used batteries according to the manufacturer's instructions.
Do not block any of the ventilation holes on the appliance. The components might overheat and become damaged.
Software Requirements
The Check Point IP690 security platform supports the following operating system and applications as of the publication date for this guide:
IPSO v4.2 or later operating system
Check Point VPN-1/FW-1 firewall application
For information about updates to the software requirements or additional applications that have become available since this guide was published, see the Check Point Support Center at http://support.checkpoint.com/.
Product Disposal
This symbol on the product or on its packaging indicates that this product must not be disposed of with your other household waste. Instead, it is your responsibility to dispose of your waste equipment by handing it over to a designated collection point for the recycling of waste electrical and electronic equipment. The separate collection and recycling of your waste equipment at the time of disposal will help to conserve natural resources and ensure that it is recycled in a manner that protects human health and the environment. For more information about where you can drop off your waste equipment for recycling, please contact your local city office or your household waste disposal service.
2 Installing the Check Point IP690 Appliance
This chapter describes how to install the IP690 appliance. The following topics are discussed:
Before You Begin
Rack-Mounting the Appliance
Before You Begin
To rack-mount the appliance, you need:
Phillips-head screwdriver
Grounding wrist strap
Suitable, grounded work surface on which to place the chassis tray assembly
To help guard against electrostatic discharge damage, make sure you are properly grounded by using a grounding wrist strap and following the instructions provided with the wrist strap before you handle the components or open the appliance.
Rack-Mounting the Appliance
The Check Point IP690 security platform mounts in a standard 19-inch equipment rack with four mounting screws, as Figure 8 shows.
To avoid damaging your equipment, Check Point recommends that you use all four rack-mounting bolts when you install your appliance on the rack.
Figure 8 Rack-Mounting Screw Locations
Two rack-mounting positions allow you to mount the appliance either flush with the rack, or two inches forward of the equipment rack. If the space behind the rack is insufficient, the rack-mounting brackets can be attached further back on the side of the appliance.
During installation, do not block any ventilation openings. Doing so might result in damage to the appliance when it is turned on.
To rack-mount the appliance
The appliance is heavy. Use care when you remove it from the packaging.
1. Remove the appliance from the packaging.
2. Optionally, remove the fan unit from the back of the appliance to lighten it.
a. Locate the fan unit and the two retaining screws that secure it on the back of the IP690.
b. Loosen the retaining screws by turning them counterclockwise.
c. Slowly pull the fan unit out of the chassis toward the rear.
3. Optionally, remove the power supplies from the rear of the appliance to reduce weight, as follows.
a. Locate the power supplies on the back of the IP690.
b. Grasp the handle and release lever as shown in the following figure, and use the handle to firmly pull each power supply out of the chassis.
4. Optionally, remove the chassis tray assembly from the appliance.
a. Loosen the two chassis tray assembly retaining screws from the front panel of the appliance.
b. Slowly slide the chassis tray assembly forward, taking care to prevent damaging components, press the release tab on the right side of the assembly, and completely remove the chassis tray assembly to expose the motherboard components.
c. Place the chassis tray assembly on a properly grounded surface.
5. Adjust the mounting brackets on the side of the appliance if necessary.
6. Mount the appliance into a standard 19-inch rack by using the mounting screws located on the mounting brackets. You can use the rear brackets for additional chassis support.
7. Slowly slide the chassis tray assembly back into the appliance, taking care to prevent damaging components, and resecure the two chassis tray assembly retaining screws.
8. Reinstall the fan unit into the rear of the appliance.
9. Reinstall the power supplies.
After you rack-mount the appliance, you can ground it by using the grounding lugs provided.
3 Performing the Initial Configuration
The first time you turn on power to a Check Point IP690 appliance, the initial configuration process begins. This process enables you to configure the network settings and provides access to the admin account.
You can perform the initial configuration in two ways:
Configure a DHCP server to provide the initial configuration information the first time the appliance is started.
Perform the initial configuration manually by using a console connection.
This chapter describes how to perform the initial configuration manually by using a console connection. It includes the following sections:
Using a Console Connection
Connecting Power and Turning the Power On
Performing the Initial Configuration
Connecting Network Interfaces
Using Check Point Network Voyager
Using the Command-Line Interface
Using Check Point Horizon Manager
For information about how to use the DHCP client for initial configuration, see the Read Me First document, Using DHCP to Configure Your Appliance.
Check Point recommends that you physically install all NICs, ADP modules, and other hardware components before you perform the initial configuration procedure this chapter describes. For information about how to install NICs, see Chapter 4, “Installing and Replacing Network Interface Cards.” For information about how to install ADP modules, see Chapter 6, “Installing, Using, and Replacing ADP Services Modules.” For information about how to install other components, see Chapter 7, “Installing and Replacing Components Other than Network Interface Cards (NICs) and Accelerated Data Path (ADP) Services Modules.”
Using a Console Connection
If you do not use DHCP to perform the initial configuration of your Check Point IP690 security platform, you must use a serial console connection (cable included). After you perform the initial configuration, you no longer need the console connection.
You can use any standard VT100-compatible terminal with an RS-232 data terminal equipment (DTE) interface or terminal-emulation program configured with the following settings for the console:
9600 bps
8 data bits
No parity
1 stop bit
To connect to the console
1. Connect the supplied null-modem cable (console cable) to the console port on the front panel of the IP690.
Use only the RJ-45 port labeled Console on the front panel; the serial (AUX) port is an auxiliary port.
One RJ-45 termination has a retractable shroud that releases or secures the RJ-45 tab. Use this end of the cable when connecting to the console port of the IP690. You can easily remove the console cable by pulling back on the shroud.
If you connect the console port to a data communications equipment (DCE) device, use a straight-through cable.
For cable pin assignments for the console connection, see “Console Port” on page 18.
2. Connect the other end of the cable to the VT100 console or to a system running a terminal-emulation program.
Connecting Power and Turning the Power On
A power switch and a receptacle for the power cord are located on each power supply on the back of the appliance as shown in Figure 9.
Figure 9 Power Switch Location
To avoid potential service interruptions from momentary facility power interruptions and potential power spikes that might damage your equipment, Check Point strongly recommends that you use an uninterruptible power supply (UPS) with surge protection with your IP690.
To connect the power supplies
1. Connect the power cord securely into the power cord receptacle on each power supply.
2. Plug the other end of the power cords into a three wire grounded power strip or wall outlet.
3. Toggle the 1/O power switch to the 1 position on each power supply to provide power to the IP690.
The fan unit on the power supply turns on when you press the power switches. Verify that the power supply fans are running after you press the switches.
4. Check the power LED on the front panel of the appliance to ensure that the power supply is operating correctly.
The power LED should be illuminated. For more information about the system status LEDs, see “System Status LEDs” on page 19.
If the fans are not running, or if the power LED is not illuminated, make sure:
The power cords are properly connected.
The power supply switches are on.
The chassis tray assembly is pushed all the way in from the front of the appliance.
That power is turned on to the power strip or wall receptacle into which you plugged the appliance.
If the fans are still not running, or if the power LED does not illuminate, see the Check Point Support Center at http://support.checkpoint.com/.
Performing the Initial Configuration
If you do not use DHCP to perform the initial configuration of your Check Point IP690 security platform, you must use a serial console connection (cable included). After you perform the initial configuration, you no longer need the console connection.
To perform the initial configuration
1. Press the power switch to the “on” position to turn on power to the appliance.
The fans on the back of the appliance turn on when you press the power switch. Verify that the fans are running after you press the switch.
Check the power LED on the front panel of the appliance to ensure that the power supply is operating correctly. The power LED should be illuminated. For more information about the system status LEDs, see “System Status LEDs” on page 19.
If the power supply fans are not running, or if the power LED is not illuminated:
Check the power supply cord to make sure it is properly connected.
Make sure the power switch is on.
Make sure the chassis tray assembly is pushed all the way in from the front of the appliance and that the front panel retaining screws are tightened.
Make sure that power is turned on to the power strip or wall receptacle you plugged the appliance in to.
If the fans are still not running, or if the power LED does not illuminate, see the Check Point Support Center at http://support.checkpoint.com/.
2. At the console a series of startup messages appears, then the console prompt appears.
The prompt remains on the screen for about five seconds. If you type any character during this time, the appliance activates the IPSO boot manager.
BOOTMGR[0]>
For information about using the boot manager, see the IPSO Boot Manager Reference Guide.
After some miscellaneous output, the following prompt appears:
Hostname?
If the Hostname? prompt does not appear on the console, check the console port and console display connections to ensure that the serial cable is completely plugged in at both ends. If you verify the console connections and still do not see either the BOOTMGR> or Hostname? prompts, verify that the terminal or terminal emulator program settings are correct. If the settings are correct, see the Check Point Support Center at http://support.checkpoint.com/.
3. Respond to the Hostname? prompt within 30 seconds to prevent the DHCP client from starting.
If the DHCP client starts, it might configure the appliance with an incorrect host name and IP address (this could happen if a DHCP server on your network is configured to respond to any request). To reset the incorrect host name and IP address:
a. Establish a console connection to the appliance.
b. Log into the system using the user name admin and the password password.
c. Enter the following:
rm /config/active
or
mv /config/active /config/active.old
d. Reboot the appliance.
e. Respond to the Hostname? prompt within 30 seconds to prevent the DHCP client from restarting.
4. At each subsequent prompt, type the requested configuration information and then press Enter.
For more information about how to respond to the prompts during the initial configuration process, see the Getting Started Guide and Release Notes for the version of IPSO you are using.
5. After you complete the initial configuration, you can use Network Voyager to configure the remaining network ports.
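The timed prompts in steps 2 and 3 can be tracked by a script on the workstation attached to the console port. The following Python code is an added example, not part of the Check Point guide or of IPSO; the class and function names, the host name fw-lab-1, the carriage-return line ending, and the sample transcript are assumptions constructed for illustration. It sends nothing before the Hostname? prompt, because typing early activates the boot manager, and it flags a missed 30-second window, after which the reset steps under step 3 apply.

```python
"""First-boot console prompt tracker (added example, not Check Point code)."""

# Console line settings from "Using a Console Connection". The key names match
# the keyword arguments of pyserial's serial.Serial() for use on a live port;
# the replay below needs no serial library.
SERIAL_SETTINGS = {"baudrate": 9600, "bytesize": 8, "parity": "N", "stopbits": 1}

BOOTMGR_PROMPT = b"BOOTMGR[0]>"   # shown if a key was pressed during early boot
HOSTNAME_PROMPT = b"Hostname?"    # first prompt of the initial configuration
HOSTNAME_WINDOW_S = 30.0          # answer within this window or DHCP may start


class FirstBootWatcher:
    """Scan console output incrementally and track the Hostname? deadline."""

    def __init__(self):
        # Keep the last bytes of each read so a prompt split across two reads
        # is still recognised.
        self._keep = max(len(BOOTMGR_PROMPT), len(HOSTNAME_PROMPT)) - 1
        self._tail = b""
        self.bootmgr_seen = False
        self.prompt_at = None    # time the Hostname? prompt was first seen
        self.replied_at = None   # time the answer was sent

    def feed(self, now, chunk):
        """Consume one read from the console; return newly seen prompt names."""
        data = self._tail + chunk
        self._tail = data[-self._keep:]
        seen = []
        if not self.bootmgr_seen and BOOTMGR_PROMPT in data:
            self.bootmgr_seen = True
            seen.append("bootmgr")
        if self.prompt_at is None and HOSTNAME_PROMPT in data:
            self.prompt_at = now
            seen.append("hostname")
        return seen

    def seconds_left(self, now):
        """Time remaining to answer, or None if the prompt has not appeared."""
        if self.prompt_at is None:
            return None
        return max(0.0, self.prompt_at + HOSTNAME_WINDOW_S - now)

    def reply(self, now, hostname):
        """Return the bytes to send for the Hostname? prompt and record when."""
        if self.prompt_at is None:
            # Any keystroke before the prompt can activate the boot manager.
            raise RuntimeError("Hostname? prompt not seen yet; send nothing")
        if self.replied_at is None:
            self.replied_at = now
        return hostname.encode("ascii") + b"\r"   # assumption: Enter sent as CR

    def state(self, now):
        """Summarise progress: booting, bootmgr, answer-now, answered, window-missed."""
        if self.prompt_at is None:
            return "bootmgr" if self.bootmgr_seen else "booting"
        answered = self.replied_at if self.replied_at is not None else now
        if answered - self.prompt_at > HOSTNAME_WINDOW_S:
            return "window-missed"   # follow the reset steps in the guide
        return "answered" if self.replied_at is not None else "answer-now"


# Constructed transcript (seconds since power-on, bytes read); not IPSO output.
SAMPLE_READS = [
    (0.0, b"<startup messages>\r\n"),
    (41.0, b"<more output>\r\nHost"),   # prompt split across two reads
    (41.2, b"name? "),
]


def replay(reads, hostname, reply_after_s):
    """Run the watcher over timestamped reads and answer after a given delay."""
    watcher = FirstBootWatcher()
    now = 0.0
    for now, chunk in reads:
        watcher.feed(now, chunk)
    if watcher.prompt_at is None:
        return watcher.state(now), b""
    answer_time = watcher.prompt_at + reply_after_s
    if watcher.state(answer_time) == "window-missed":
        return "window-missed", b""
    sent = watcher.reply(answer_time, hostname)
    return watcher.state(answer_time), sent


if __name__ == "__main__":
    print(replay(SAMPLE_READS, "fw-lab-1", 5.0))
    print(replay(SAMPLE_READS, "fw-lab-1", 45.0))
```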
Connecting Network Interfaces
Connect at least one network interface to the network to use as the Check Point Network Voyager system-management interface. This interface is configured during the initial configuration process.
You can also connect the remaining LAN interface cables at this point, although you are not required to do so.
Check Point recommends that you use one of the four front-panel Ethernet ports for this connection.
To connect Ethernet devices, use a straight-through RJ-45 cable to connect to a 10-Mbps or 100-Mbps or 1000-Mbps hub.
For details, see “Ethernet NIC Connectors and Cables” on page 49.
To connect Gigabit Fiber Ethernet devices, use a fiber-optic cable with an LC connector for each NIC interface. The destination end of the cable can be either LC or SC, depending on the type of connector required for the destination Gigabit Ethernet device.
For details, see “Fiber-Optic Gigabit Ethernet NIC Features” on page 53.
Using Check Point Network Voyager
Use Check Point Network Voyager to configure and monitor your appliance.
To open Check Point Network Voyager
1. Open a Web browser on the host you plan to use to configure or monitor your appliance.
2. In the Location or Address field, enter the IP address of the initial interface you configured for the appliance.
You are prompted to enter the admin username and the password you entered when you performed the initial configuration.
If the username login screen does not open, you might not have a physical network connection between the host and your appliance, or you might have a network routing problem. Confirm the information you entered during the initial configuration and check that all cables are firmly connected. For more information, see the troubleshooting section in the installation guide for your appliance.
Viewing Check Point IPSO Documentation by Using Check Point Network Voyager
The following documentation is available from the Check Point Network Voyager interface, as shown in Figure 10:
Network Voyager Reference Guide—This guide is the comprehensive reference source for Check Point Network Voyager. To access this source, look at the list in the navigation tree on the left side of the window (as shown in Figure 10). You can also access this guide and other Check Point IPSO documentation at the Check Point Support Center at http://support.checkpoint.com/.
Network Voyager online help—You can access online help when you use Check Point Network Voyager. Online help is the context-sensitive information source for Check Point Network Voyager. To access online help for the window you are viewing, click Help. A Close button is available at the bottom of each online help window you view.
Figure 10 Check Point Network Voyager Reference Access Points
Using the Command-Line Interface
You can also use the Check Point IPSO command-line interface (CLI) to manage and configure Check Point IP security appliances from the command line. Nearly everything that you can accomplish with Check Point Network Voyager you can also do with the CLI.
To access the command-line interface
1. Log on to the appliance by using a command-line connection (SSH, console, or Telnet) over a TCP/IP network as an admin, cadmin, or monitor user:
If you log in as a cadmin (cluster administrator) user, you can change and view configuration settings on all the cluster nodes. For information about how to administer a cluster, see the traffic management commands section in the CLI Reference Guide for the version of Check Point IPSO you are using.
2. If you log in as a monitor user, you can execute only the show form of commands. That is, you can view configuration settings, but you cannot change them.
You can now execute CLI commands from the CLI shell and the Check Point IPSO shell. The Check Point IPSO shell is what you see when you initially log on to the appliance.
Execute from | To Implement | Purpose
Check Point IPSO command line | Enter the following command to invoke the CLI shell: clish (the prompt changes, and you can then enter CLI commands) | Enter any CLI commands in an interactive mode with help text and other helpful CLI features.
Check Point IPSO command line | Enter: clish -c "cli-command" | Execute a single CLI command. You must place double-quotation marks around the CLI command.
Command files | From inside the CLI shell, enter: load commands filename | Load commands from a text file that contains commands. The argument must be the name of a regular file.
For more information about how to access and use the CLI, see the CLI Reference Guide for the version of Check Point IPSO you are using.
Using Check Point Horizon Manager
Check Point Horizon Manager is an extension of the Check Point Network Voyager management functionality.
While Check Point Network Voyager provides the device administrator access to network configuration tasks (such as interface configuration and routing configuration) and security configuration tasks (such as user configuration and access configuration), Check Point Horizon Manager concentrates on secure software image, inventory, and platform management of Check Point IP security platforms.
Using Check Point Horizon Manager, an administrator can obtain configuration information, upgrade (or downgrade) the operating system, perform application installations, and distribute necessary licensing to multiple platforms simultaneously, thereby reducing potential human error and improving productivity.
Using Check Point Horizon Manager, a network security professional can manage multiple devices simultaneously, perform parallel software upgrades, device verifications, device configuration, file backups, and more.
Check Point Horizon Manager is designed to manage and configure a large number of Check Point IP security appliances that reside on a corporate enterprise, managed service provider (MSP), or hosted applications service provider network (ASP).
For information about how to obtain Check Point Horizon Manager or to learn more about the Check Point Horizon Manager, see the Check Point Web site at www.checkpoint.com.
4 Installing and Replacing Network Interface Cards
Your Check Point IP690 security platform comes with any network interface cards (NICs) or Accelerated Data Path (ADP) services modules you ordered already installed. All NICs and ADP modules installed in the appliance are housed in PMC expansion slots. You should have a working knowledge of networking equipment before you attempt to service an appliance.
This chapter describes how to remove, add, or replace NICs later if it becomes necessary.
The following topics are covered:
Deactivating Configured Interfaces
Installing NICs
Configuring and Activating Interfaces
Monitoring Network Interface Cards
For detailed information about specific network interface cards, see Chapter 5, “Connecting PMC Network Interface Cards.”
For installation and other information about Accelerated Data Path (ADP) services modules, see Chapter 6, “Installing, Using, and Replacing ADP Services Modules.”
Limit service of the appliance to the procedures described in this chapter.
To help guard against electrostatic discharge damage, make sure you are properly grounded by using a grounding wrist strap and following the instructions provided with the wrist strap before you handle the components or open the appliance.
Deactivating Configured Interfaces
If you are removing or replacing an installed NIC, use Check Point Network Voyager to deactivate any configured ports on the NIC before removing it.
Deactivate all of the logical interfaces on the NIC.
Deactivate all of the physical interfaces on the NIC.
If you do not deactivate the interfaces before removing the NIC, you may have to reinstall the NIC to deactivate its logical and physical interfaces in Network Voyager.
For information about how to access Network Voyager, see “Using Check Point Network Voyager” on page 38.
Installing NICs
Before removing a configured network interface card with these instructions, you must deactivate the NIC by using Check Point Network Voyager. For additional information, see “Deactivating Configured Interfaces” on page 41.
Use these instructions to install a NIC in the IP690. Some steps are not applicable to all procedures. The instructions point out steps appropriate to each procedure.
Before You Begin
To install a NIC, you need the following:
A Phillips-head screwdriver
Physical access to the appliance
Access to the appliance by using Check Point Network Voyager or the CLI
A suitable, grounded work surface
A field replaceable unit kit, including the NIC
You do not need to manually disconnect power for this procedure. If the power supply switches at the rear of the appliance are difficult to reach, you can safely disconnect power when you remove the chassis tray assembly from the front of the appliance. Any servicing of the appliance, however, should be completed with the chassis tray assembly fully removed from the appliance.
To install a network interface card
1. Use Check Point Network Voyager or command-line interface (CLI) to perform an orderly shutdown of the IP690 appliance.
For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.
2. Turn off the power to the IP690 appliance.
3. Loosen the two front panel retaining screws.
4. Slowly slide the chassis tray assembly forward, taking care to prevent damaging components, press the release tab on the right side of the assembly, and completely remove the chassis tray assembly to expose the motherboard components.
5. Place the chassis tray assembly on a table top.
6. From underneath the chassis tray assembly, remove the bezel or NIC retaining screws.
If you are installing a NIC in an unoccupied slot, remove the blank bezel that occupies the space in the appliance front panel and retain it for future use.
If you are removing an installed NIC, remove it by pulling up on the back of the NIC adjacent to the two interface connectors.
7. Insert the new NIC.
a. Insert the NIC bezel into the front panel.
b. Gently push down on the two connectors on the back of the NIC until they are fully seated.
8. From the top of the chassis tray assembly, screw the NIC retaining screws into the standoffs on the back of the NIC.
9. From beneath the chassis tray assembly, screw in the bezel retaining screws.
10. Insert and close the chassis tray assembly until it clicks into place.
The IPSO operating system automatically recognizes the NIC and applies the original configuration to the new NIC.
11. Tighten the retaining screws that hold the chassis tray assembly.
12. Turn the power on.
Configuring and Activating Interfaces
The IP690 appliance automatically detects any new NIC when the appliance is restarted. Use Check Point Network Voyager to configure and activate the logical and physical interfaces on the NIC.
For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.
Monitoring Network Interface Cards
You can assess the general operating condition of the NIC in your appliance by looking at the LED status indicators on the NIC. The status indicators for each NIC are explained in Chapter 5, “Connecting PMC Network Interface Cards.”
Use Network Voyager to access detailed port information. For information about accessing Network Voyager, see “Using Check Point Network Voyager” on page 38. You can also use the tcpdump command to examine the traffic on a specific port.
5 Connecting PMC Network Interface Cards
This chapter describes the network interface cards available for the Check Point IP690 security platform and how to connect those NICs to your network. The following NICs are described:
Four-Port 10/100 Ethernet NIC
Two-Port and Four-Port Copper Gigabit Ethernet NIC
Two-Port Fiber-Optic Gigabit Ethernet NICs
For instructions about how to add or replace NICs, see Chapter 4, “Installing and Replacing Network Interface Cards.”
The NICs supported in the Check Point IP690 security platform operate at the peripheral component interconnect (PCI) frequency listed in Table 6.
Table 6 NIC PCI Frequency
NIC or interface port | Maximum PCI operation supported
Four-port 10/100 Ethernet | 133 MHz
Two-port copper Gigabit Ethernet (10/100/1000) | 133 MHz
Four-port copper Gigabit Ethernet (10/100/1000) | 133 MHz
Two-port fiber-optic Gigabit Ethernet | 133 MHz
To protect the IP690 and the memory modules from electrostatic discharge damage, make sure you are properly grounded before you touch these components. Use a grounding wrist strap and follow the instructions provided with the wrist strap before you handle the components or open the appliance.
Four-Port 10/100 Ethernet NIC
The IP690 supports Check Point-approved, four-port UTP5 dual-mode (10-Mbps and 100-Mbps) Ethernet NICs installed in a PMC expansion slot. When you purchase a 10/100 Ethernet NIC with your IP690, the NIC is installed before the appliance is delivered to you. For information about how to add or replace a NIC, see Chapter 4, “Installing and Replacing Network Interface Cards.”
10/100 Ethernet NIC Features
The four-port 10/100 Ethernet NIC supports PCI operation at 133 MHz.
The IP690 appliance requires IPSO 4.2 or later.
In the IP690, the four-port Ethernet NIC supports the following features:
Tracing through tcpdump
High bandwidth
Full-duplex mode operation up to 100 Mbps
Link speed auto advertising (10/100)
PCI operation at 133 MHz
Compliance with IEEE 802.3ab Gigabit Ethernet specifications
You can configure and monitor Ethernet NIC interfaces by using Check Point Network Voyager. Specifically, you set the port speed and full-duplex or half-duplex mode with Network Voyager.
For information about how to access Network Voyager and the related reference materials, see
“Using Check Point Network Voyager” on page 38.
Figure 11 Four-Port 10/100 Ethernet NIC Front Panel Details
After the power is turned on and the cables are connected, the Ethernet link LEDs on both the IP690 and on the remote equipment illuminate to indicate the connection. As data is transmitted, the activity LEDs on the appliance illuminate.
Ethernet NIC Connectors and Cables
The Ethernet connectors on the four-port 10/100 Ethernet NICs are RJ-45 connectors. Use a straight-through cable to connect the NIC to a 10-Mbps or 100-Mbps hub or switch or a crossover cable to connect directly to a host.
Use ANSI TIA/EIA-568-A/B compliant (Cat 5 or Cat 5e) unshielded twisted pair cable. You can order appropriate adapter cables separately from a cable vendor of your choice.
Cables that connect to the Ethernet NIC must be ANSI TIA/EIA-568-A/B compliant (Cat 5 or Cat 5e) to prevent potential data loss.
Figure 12 shows the pin assignments for the RJ-45 cable. The connector is numbered from right to left, with the copper tabs facing up and toward you.
Figure 12 Output Connector for the Ethernet Cable
Pin    Assignment
1      TX+
2      TX-
3      RX+
4
5
6      RX-
7
8
Figure 13 shows the pin assignments for the RJ-45 cross-over cable.
Figure 13 Ethernet Crossover-Cable Pin Connections
Two-Port and Four-Port Copper Gigabit Ethernet NIC
The Check Point IP690 security platform supports Check Point-approved, four-port and two-port copper Gigabit Ethernet NICs installed on a PMC expansion slot. The IP690 can accommodate up to four Gigabit Ethernet NICs.
When you purchase a copper Gigabit Ethernet NIC with your IP690, the NIC is installed before the appliance is delivered to you. For information about how to add or replace a NIC, see
Chapter 4, “Installing and Replacing Network Interface Cards.”
Copper Gigabit Ethernet NIC Features in the IP690
The copper Gigabit Ethernet NIC supports:
Tracing through tcpdump
High bandwidth
Full-duplex mode operation up to 1 Gbps
Link speed auto advertising (10/100/1000)
PCI operation at 133 MHz on the IP690
Compliance with IEEE 802.3ab Gigabit Ethernet specifications
You can configure and monitor Gigabit Ethernet NIC interfaces with Check Point Network Voyager. Specifically, you can use Network Voyager to set the port speed and full-duplex mode to 1000, 100, or 10 Mbps.
For information about how to access Network Voyager and the related reference materials, see
“Using Check Point Network Voyager” on page 38.
Figure 14 Four-Port Copper Gigabit Ethernet NIC Front Panel Details
Figure 15 Two-Port Copper Gigabit Ethernet NIC Front Panel Details
[Labels for Figures 14 and 15: 1000 BaseT ports 1 through 4; Link LED (solid green); Activity LED (blinking green); RJ-45 receptacles; Link LEDs (green or yellow); Activity LEDs (yellow)]
Copper Gigabit Ethernet NIC Connectors and Cables
The two-port copper Gigabit Ethernet NIC you use in the IP690 appliance must be the Version 2 type, as indicated on the right end of the NIC faceplate. These NICs are sold by Check Point under the order code NIF4425.
After the power is turned on and the cables are connected, the Ethernet Link LEDs on both the IP690 and on the remote equipment illuminate to indicate the connection.
The Link LED on the NIC is bicolored. A green LED indicates a 1 Gbps link speed, and a yellow LED indicates a 10/100 Mbps link speed. As the NIC transmits data, the activity LEDs on the appliance illuminate.
The copper Gigabit Ethernet NIC receptacles are for RJ-45 connectors.
Cables that connect to the Gigabit Ethernet NIC must be ANSI TIA/EIA-568-A/B compliant (Cat 5 or Cat 5e) to prevent potential data loss.
To connect to a 1-Gbps hub, switch, or router, use a straight-through RJ-45 cable (Cat 5 or Cat 5e type cable, or as required by your network configuration).
You can use a straight-through cable to connect the NIC to a Gigabit Ethernet hub or switch or a crossover cable to connect directly to a host.
In Figure 16, the RJ-45 cable output connector is numbered from right to left, with the copper pins facing up and toward you.
Figure 16 Gigabit Ethernet Cable Connector Output Pin Assignments
Pin#   1000 Mbps Assignment   10/100 Mbps Assignment
1      BI_DA+                 TX+
2      BI_DA-                 TX-
3      BI_DB+                 RX+
4      BI_DC+
5      BI_DC-
6      BI_DB-                 RX-
7      BI_DD+
8      BI_DD-
To connect directly to a host, use an RJ-45 crossover cable wired as Figure 17 shows.
Figure 17 Gigabit Ethernet Crossover Cable Pin Connections
After you turn on the appliance, the Ethernet link LEDs on both the appliance and on the remote equipment illuminate to indicate the connection. As data is transmitted or received, the activity LEDs on the appliance illuminate.
To connect the IP690 to other network components, you can order appropriate adapter cables separately from a cable vendor of your choice.
Two-Port Fiber-Optic Gigabit Ethernet NICs
The IP690 supports Check Point-approved, two-port, fiber-optic Gigabit Ethernet NICs installed on a PMC expansion slot. The IP690 can accommodate up to four Gigabit Ethernet NICs.
When you purchase a Gigabit Ethernet NIC with your IP690, the NIC is installed before the appliance is delivered to you. For information about how to add or replace a NIC, see Chapter 4,
“Installing and Replacing Network Interface Cards.”
Fiber-Optic Gigabit Ethernet NIC Features
The short-range and long-range fiber-optic Gigabit Ethernet NICs support:
High bandwidth
Full-duplex mode operation up to 1 Gbps (no half-duplex support)
Link speed auto advertising
Tracing through tcpdump
Compliance with IEEE 802.3z Gigabit Ethernet specification
You can configure and monitor Gigabit Ethernet NIC interfaces with Check Point Network Voyager. Specifically, you set the port speed and full-duplex mode with Network Voyager.
For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.
Figure 18 shows the front panel details for the two-port short-range (1000 BASE-SX) fiber-optic Gigabit Ethernet NIC you can use in the IP690 appliance.
Figure 18 PMC Two-Port Short-Range Gigabit Ethernet NIC
[Figure labels: GIGE; Link LEDs (solid green); Activity LEDs (blinking amber); Ports]
Figure 19 shows the front panel details for the two-port long-range (1000 BASE-LX) fiber-optic Gigabit Ethernet NIC you can use in your IP690.
Figure 19 PMC Two-Port Long-Range Gigabit Ethernet NIC
[Figure labels: LINK; ACT; 1000B-LX; Link LEDs (solid green); Activity LEDs (blinking amber); Ports]
After the power is turned on and the cables are connected, the Ethernet link LEDs on both the IP690 and on the remote equipment illuminate to indicate the connection. As data is transmitted, the activity LEDs on the appliance illuminate.
Fiber-Optic Gigabit Ethernet NIC Connectors and Cables
For short-range NICs, to connect the fiber-optic Gigabit Ethernet NIC to other network components, use a multi-mode, fiber-optic cable with an LC connector for each NIC interface. You can use either 50 or 62.5 micron cable; 50 micron-type cable provides longer transmission reach.
For long-range NICs, to connect the fiber-optic Gigabit Ethernet NIC to other network components, use a single-mode, fiber-optic cable with an LC connector for each NIC interface.
The destination end of the cable can be either LC or SC, depending on the type of connector required for the destination Gigabit Ethernet device. You can also use a half-duplex LC-to-LC cable to loop back the transmit port of an interface to the receiver port. LC and SC define the fiber-optic connector types; LC connectors are smaller than SC connectors.
Depending on the product you order, one or more LC-to-SC cables are included with fiber-optic Gigabit Ethernet NICs. You can order additional cables from a cable vendor of your choice.
Cables that connect to the Gigabit Ethernet NIC must be IEEE 802.3z compliant to prevent potential data loss.
6 Installing, Using, and Replacing ADP Services Modules
This chapter describes the Accelerated Data Path (ADP) services modules available for the Check Point IP690 appliance and how to connect those modules to your network. It includes the following sections:
Installing and Replacing ADP Modules
Check Point ADP Module LED Reference Information
Configuring Check Point IPSO with IP690 ADP Interfaces
Effect on Interfaces
Check Point ADP Module Interface Names for IP690 Appliances
Configuring Network Topology with an IP690 Appliance
Configuration Example with VRRP
In this chapter, network interface cards (NICs) refer to any installable PMC interface devices other than ADP modules.
Check Point IP690 ADP modules help to accelerate firewall and VPN throughput. ADP is a technology designed to forward packets at the highest possible rate. Check Point ADP modules provide this technology by offloading processing from the CPU to network processors.
For IP690 appliances, ADP is implemented with a single module providing a total of eight ports. For ADP modules other than the eight-port 10/100/1000 Ethernet module with built-in RJ-45 ports, the modules use swappable small form-factor pluggable (SFP) transceivers to provide Gigabit Ethernet copper, Gigabit Ethernet short-range fiber, and Gigabit Ethernet long-range fiber interface options. Check Point ADP module transceivers are hot swappable.
The eight-port 10/100/1000 Ethernet ADP module with built-in RJ-45 ports is supported only for the IP690 running IPSO 6.0 or later.
Check Point supports only ADP modules and transceivers sold by Check Point. For further information, contact your Check Point representative.
Installing and Replacing ADP Modules
Before you begin this procedure, you should review all ADP module information in the Getting Started Guide and Release Notes for the version of IPSO you are using and refer to both of these documents as needed as you complete the installation and configuration process.
Use these instructions to install an ADP module in your appliance.
Before You Begin
To install a Check Point ADP module, you need the following:
A Phillips-head screwdriver
Physical access to the appliance
Access to the appliance by using Check Point Network Voyager or the CLI
A suitable, grounded work surface
The ADP module kit
You do not need to manually disconnect power for this procedure. Any servicing of the appliance, however, should be completed with the chassis tray assembly fully removed from the appliance.
To install an ADP module in IP690 appliances
1. You cannot preserve the configuration for slot 2 of your appliance when you replace your PMC NICs with an ADP module or, conversely, when you replace your ADP module with PMC NICs due to interface naming convention differences. Therefore, you need to delete all existing configurations associated with slot 2.
You do not need to delete the slot 1 configuration for the first 4 ports, as the naming conventions for the first 4 ports for Slot 1 remain the same when you use an ADP module rather than a NIC. Naming conventions for slots and ports are provided in “Check Point ADP Module Interface Names for IP690 Appliances” on page 68.
2. Upgrade the IPSO software to the required version as described in the Getting Started Guide and Release Notes that you received with your appliance.
3. Use Network Voyager or the command-line interface (CLI) to perform an orderly shutdown of the IP690 appliance.
For information about how to use Network Voyager or the CLI, see the Network Voyager Reference Guide or CLI Reference Guide for the version of IPSO you are using.
4. Turn off the power to the IP690 appliance.
5. Loosen the two front panel retaining screws.
[Figure: chassis tray assembly retaining screws]
6. Slide the chassis tray assembly forward, pressing the release tab on the right side of the assembly, and, taking care not to damage any internal components, completely remove the chassis to expose the motherboard.
7. Place the chassis tray assembly on a table top.
[Figure: Remove the four bezel screws, and filler panels, installed PMC NICs, or ADP modules]
8. From underneath the chassis tray assembly, remove the four bezel retaining screws.
If the slots you are using for the ADP module are unoccupied, remove the filler panels that occupy the spaces in the appliance front panel and retain them for future use.
If the slots you are using for the ADP module are occupied, remove the NICs or ADP modules that occupy the spaces in the appliance front panel and retain them for future use.
Remove any SFP transceivers that are installed in an ADP module first to make the procedure easier.
9. Remove the two screws that secure the left air baffle and remove the baffle. Retain the baffle
for future use. Reinstall the two baffle screws to secure the motherboard.
[Figure: Remove the two baffle screws and baffle, and reinstall the two screws]
It is important that you reinstall the two baffle screws for proper motherboard operation.
[Figure: Remove the two FIPS screen screws and the screen]
10. If a FIPS screen is installed, note the position of the screen, as it must be reinstalled the same
way. Remove the two screws that secure the screen, and remove the screen.
11. Insert the ADP module.
Remove any SFP transceivers that are installed in the ADP module first to make the procedure easier.
a. Angling the ADP module at a 45-degree angle to ensure that the rubber EMI gaskets seat properly and don’t roll back, insert the module bezel into the front panel. As you lower the back of the module down, you should detect little or no resistance; if you do, check to ensure that the EMI gaskets have not rolled back.
[Figure: Take care that the EMI gaskets don’t roll back during ADP module installations. Arrows indicate locations where gaskets might roll back.]
b. Gently push the back of the ADP module down toward the motherboard being sure to push down only where the module connectors are located. Be sure that the module is completely seated into both connectors on the motherboard.
[Figure: Push down only at these two points and ensure that both connectors are completely seated. Memory card location.]
12. If the ADP module memory card is installed, you should remove it to provide access to the retaining screw hole at the right side of the module.
13. From the top of the chassis tray assembly, screw the two retaining screws into the standoffs on the back of the module.
Extra screws are included in your ADP module kit in case you don’t have appropriate screws on hand.
[Figure: ADP module heat sink; reinstall the two retaining screws; reinstall the four bezel screws; memory card must be removed at this stage]
14. From beneath the chassis tray assembly, screw in the bezel retaining screws.
15. If you removed the FIPS screen, reinstall it in the same position it was previously installed in and secure the two screen screws.
16. Reinstall the ADP module memory card.
17. Using care to ensure that the top edge of the enclosure does not interfere with the ADP module heat sink, slide the chassis tray assembly into the chassis until it clicks into place.
18. Tighten the retaining screws that secure the chassis tray assembly.
19. Turn the power on.
20. Use either Network Voyager or the CLI to delete the old interfaces and configure the new ADP interfaces as described in “Configuring Check Point IPSO with IP690 ADP Interfaces” on page 67. Note the interface naming conventions in “Check Point ADP Module Interface Names for IP690 Appliances” on page 68.
The following figure shows the IP690 ADP module front panel details.
[Figure: ADP module with ports for transceivers (1000BaseX, ports 1 through 8); ADP module with fixed RJ-45 ports (1000BaseT, ports 1 through 8); Link and Activity LEDs]
To install or remove transceivers in a Check Point ADP module
For ADP modules that require transceivers, refer to the following figure, which shows how to install or remove the transceivers. Transceivers are hot swappable as are the interface cables you use with them. Rotate the latch levers up or down to secure transceivers, or to release them for removal. You do not need to change the interface type in Network Voyager or the CLI, as the system makes the configuration changes automatically.
[Figure: Latch lever. Flip latch lever down before inserting the ADP transceiver.]
To identify whether a fiber transceiver you are using is short-range or long-range, refer to the color of the latch lever as follows:
Type           Latch lever color
Short-range    Beige
Long-range     Blue
To install an ADP transceiver:
Push the transceiver into an available port in the ADP module.
Rotate the transceiver latch lever down to secure the transceiver in the ADP module.
Depending on the design of your transceiver, you might need to rotate the latch lever upward to release the device.
Insert an appropriate interface cable into the transceiver.
To remove an ADP transceiver:
Remove the cable.
Release the transceiver by rotating the latch lever.
Pull out the transceiver.
Note that if you install any ADP transceivers that are not supported by Check Point, they are not recognized by IPSO; the system rejects the transceivers and includes them in a list of rejected interfaces on the Interface Configuration page in Check Point Network Voyager, as shown in the following figure.
The Non-Supported SFP Components table appears only if you have ADP transceivers installed that are not supported by Check Point.
Check Point ADP Module LED Reference Information
All Check Point IP690 ADP modules provide a single LED for each port. The LED illuminates solid green for Link status and blinks green to indicate Activity.
Configuring Check Point IPSO with IP690 ADP Interfaces
This section includes information about configuring IPSO to use the interfaces on a Check Point ADP module. To help you understand the implications of installing an ADP module, it provides an example of the steps you might perform to install an ADP module in an IP690 appliance running the Virtual Router Redundancy Protocol (VRRP).
Effect on Interfaces
When you install ADP modules, IPSO automatically creates interface names for the ADP interfaces and changes the existing interface names and configuration information, as explained below:
If you install an ADP module in an IP690 appliance, the names and configuration
information for the interfaces previously installed in slot 2 become invalid.
The interface names of the interfaces installed in slot 1 of an IP690 appliance do not change.
These changes can affect any features or protocols that use the existing interfaces or their addresses, including the following:
Dynamic routing protocols
Multicast routing protocols
Static routing configuration
VRRP
IP clustering
Transparent mode
Link aggregation
Link redundancy
Traffic management/QoS
After you install an ADP module, reconfigure any protocols and features that used removed interfaces to use the ADP interfaces. Reassign IP addresses from the removed interfaces to the ADP interfaces as appropriate.
Check Point ADP Module Interface Names for IP690 Appliances
ADP module interface naming conventions differ from those for PMC NICs.
IP690 appliances support one ADP module which occupies both slots 1 and 2. However, the ADP module appears to the host as though it logically occupies only slot 1 of the appliance. The eight ports on your ADP module are named as follows:
eth-s1p1, eth-s1p2, eth-s1p3, eth-s1p4, eth-s1p5, eth-s1p6, eth-s1p7, eth-s1p8
Since the ADP interface names are not exactly the same as other PMC NIC interface names, you need to reconfigure your appliance when you replace PMC NICs with an ADP module or an ADP module with PMC NICs.
Configuring Network Topology with an IP690 Appliance
Several constraints apply to your network topology after you install an ADP module in an IP690 appliance. They also apply to the interaction of ADP interfaces and NIC interfaces.
When you install an ADP module in an IP690 appliance, Check Point recommends that you configure your network so that your appliance does not forward traffic between ADP interfaces and PMC NIC interfaces even if the NIC interfaces are Gigabit Ethernet. Using a configuration of this type can significantly degrade throughput.
When you install an ADP module in an IP690 appliance, the network processor in the module performs all VPN encryption and decryption, even for VPN packets that are sent through PMC NIC interfaces. The built-in Check Point encryption accelerator continues to accelerate IKE traffic but does not perform any other processing. If VPN traffic ingresses or egresses through a NIC interface, throughput is negatively affected because the packets must transit the IP690 appliance backplane to reach the network processor in the ADP module. Check Point recommends that you configure your VPNs to use only ADP interfaces to avoid this performance loss.
Configuration Example with VRRP
This example describes the steps required to install an ADP module in an IP690 appliance with VRRP configured. The following figure shows the Interface Configuration page of the appliance before an ADP module is installed. Interfaces are installed in slots 1, 2, and 4.
For this example, legacy monitored-circuit VRRP is enabled and configured with these settings:
Interface eth-s2p1c0 is assigned the IP address 10.1.1.1 and uses 10.1.1.99 as the VRRP
backup address.
Interface eth-s2p2c0 backs up interface eth-s2p1c0.
The following figure shows the VRRP configuration:
The rest of this section describes how to reconfigure the interfaces and VRRP to accommodate the ADP interfaces.
Deleting VRRP Configurations
After you physically remove PMC NICs that you are replacing with ADP modules, you need to delete the configuration information for those interfaces. If VRRP is active at that time, you will not be able to delete the configuration information for the interfaces used by VRRP. Therefore, you should begin by deleting the existing VRRP configuration.
It is best to perform the procedures in this section on the VRRP backup system first. When the installation is complete, the upgraded system can become the new master while you upgrade the original master.
Reconfiguring Interfaces
After you install the ADP module, you need to reconfigure interface information as described below.
To reconfigure interfaces for ADP modules
1. Log into the appliance using Check Point Network Voyager.
2. Navigate to the Interface Configuration page.
Notice that the names of the interfaces in slot 1 have not changed. Any configuration information for these interfaces is unchanged as well.
The interfaces in slot 2 have been replaced by the ADP interfaces named eth-s1p5 through eth-s1p8.
The interfaces you removed from slot 2 are still listed on this page, and you see a blue indicator next to each of them in the Up column.
3. Delete the interface names and configuration information for the interfaces you removed
from slot 2 by following the remaining steps in this procedure.
To delete an interface used by VRRP or IP clustering, you must first disable the feature that uses the interface. This is why you deleted the VRRP configuration before you installed the ADP module.
4. Click a physical interface name.
Network Voyager displays the Physical Configuration page for that interface.
5. In the Physical Status area, click the Delete check box.
6. Click Apply.
7. Delete the configuration information for the rest of interfaces that you removed by restarting
this procedure at step 2.
8. When you have deleted the configuration information for all the interfaces that you
removed, click Save.
The following figure shows the example system after the configuration information for all of the removed interfaces has been deleted:
9. If appropriate, configure the ADP interfaces to use the IP addresses previously assigned to
the removed interfaces.
In this example, you need to assign the address 10.1.1.1 to the new interface eth-s1p5c0.
Reconfiguring VRRP
After you finish reconfiguring interfaces, you need to reconfigure any protocols and features that used the removed interfaces to use the ADP interfaces.
In this example, you need to recreate the VRRP configuration using the new interfaces eth-s1p5c0 and eth-s1p6c0. The following figure shows the example system after you recreate the VRRP configuration using the new interfaces:
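The reconfiguration order this section walks through (delete the feature configuration, delete the stale slot 2 interfaces, reassign addresses, recreate the feature), worked through for the VRRP example as an added sketch that is not part of the original guide or of IPSO. The inventory format, the slot 1 and slot 4 sample entries, and the pairing of slot 2 port N with ADP port N+4 (taken from the guide's eth-s2p1c0 to eth-s1p5c0 example) are assumptions.

```python
import re
from dataclasses import dataclass, field

# Interface names in the guide look like eth-s2p1 (physical) or eth-s2p1c0 (logical).
IFACE_RE = re.compile(r"^eth-s(\d+)p(\d+)(c\d+)?$")

ADP_SLOT = 1        # the ADP module appears to the host as slot 1 only
REPLACED_SLOT = 2   # names and configuration for slot 2 become invalid
PORT_OFFSET = 4     # assumption: slot 2 port N is moved to ADP port N + 4


@dataclass
class Plan:
    disable_first: list = field(default_factory=list)  # features to delete before interfaces
    delete: list = field(default_factory=list)         # stale slot 2 interface names
    reassign: list = field(default_factory=list)       # (old name, ADP name, address)
    recreate: dict = field(default_factory=dict)       # feature -> interface names to use
    unchanged: list = field(default_factory=list)      # names that keep their configuration


def adp_name(name):
    """Return the name an interface carries once the ADP module is installed."""
    m = IFACE_RE.match(name)
    if not m:
        raise ValueError(f"not an eth-sNpN style interface name: {name!r}")
    slot, port, chan = int(m.group(1)), int(m.group(2)), m.group(3) or ""
    if slot != REPLACED_SLOT:
        return name  # slot 1 keeps its names; slots 3 and 4 are assumed untouched
    if not 1 <= port <= PORT_OFFSET:
        raise ValueError(f"{name}: slot 2 port {port} has no ADP counterpart")
    return f"eth-s{ADP_SLOT}p{port + PORT_OFFSET}{chan}"


def plan_migration(inventory):
    """Build the ordered work list for replacing PMC NICs with an ADP module."""
    plan = Plan()
    members = {}  # feature -> post-migration names of every interface it uses
    for entry in inventory:
        old, new = entry["name"], adp_name(entry["name"])
        for feature in entry.get("used_by", []):
            members.setdefault(feature, []).append(new)
        if new == old:
            plan.unchanged.append(old)
            continue
        plan.delete.append(old)
        if entry.get("address"):
            plan.reassign.append((old, new, entry["address"]))
        for feature in entry.get("used_by", []):
            if feature not in plan.disable_first:
                plan.disable_first.append(feature)
    # A deleted feature must be recreated on all of its interfaces,
    # including slot 1 members whose names did not change.
    plan.recreate = {f: members[f] for f in plan.disable_first}
    return plan


def steps(plan):
    """Render the plan in the order the guide prescribes."""
    out = [f"delete the {f} configuration before removing its interfaces"
           for f in plan.disable_first]
    out += [f"delete stale interface {name}" for name in plan.delete]
    out += [f"assign {addr} (previously on {old}) to {new}"
            for old, new, addr in plan.reassign]
    out += [f"recreate {f} on {', '.join(names)}" for f, names in plan.recreate.items()]
    return out


# Constructed inventory: slot 2 entries follow the guide's VRRP example,
# the slot 1 and slot 4 entries and their addresses are made up for illustration.
SAMPLE_INVENTORY = [
    {"name": "eth-s1p1c0", "address": "192.0.2.1", "used_by": []},
    {"name": "eth-s2p1c0", "address": "10.1.1.1", "used_by": ["VRRP"]},
    {"name": "eth-s2p2c0", "address": None, "used_by": ["VRRP"]},
    {"name": "eth-s4p1c0", "address": "198.51.100.1", "used_by": []},
]

if __name__ == "__main__":
    for number, line in enumerate(steps(plan_migration(SAMPLE_INVENTORY)), 1):
        print(f"{number}. {line}")
```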
7 Installing and Replacing Components Other than Network Interface Cards (NICs) and Accelerated Data Path (ADP) Services Modules
This chapter provides information about how to install or replace orderable parts other than network interface cards (NICs) and Accelerated Data Path (ADP) services modules in your Check Point IP690 appliance. The following topics are covered:
Replacing the Compact Flash Memory Card
Installing and Using a PC Card
Installing a Hard-Disk Drive
Replacing a Check Point Encryption Accelerator Card
Replacing a Fan Unit
Replacing a Power Supply
Replacing the Battery
For information about how to add or replace NICs, see Chapter 4, “Installing and Replacing
Network Interface Cards.”
For information about how to add or replace ADP modules, see Chapter 6, “Installing, Using,
and Replacing ADP Services Modules.”
You should have a working knowledge of networking equipment before you attempt to service an IP690 appliance. Limit service of the appliance to the procedures described in this chapter.
To protect the IP690 appliance and the memory modules from electrostatic discharge damage, make sure you are properly grounded before you touch these components. Use a grounding wrist strap and follow the instructions provided with the wrist strap before you handle the components or open the appliance.
Replacing the Compact Flash Memory Card
The compact flash memory card stores the Check Point IPSO operating system and the boot manager program. Use the internal compact flash to boot the system and install the IPSO operating system on the compact flash memory card. The compact flash memory card is located on the motherboard in a slot in front of the hard-disk drive (slot B).
Figure 20 shows the location of the compact flash memory card.
Figure 20 Compact Flash Memory Card Slot
To protect the appliance and the compact flash memory from electrostatic discharge damage, make sure you are properly grounded before you touch these components. Use a grounding wrist strap and follow the instructions provided with the wrist strap before you handle the components or open the appliance. If you do not have a grounding wrist strap, make sure you are properly grounded before you touch any electronic component.
You must perform an orderly shutdown of the appliance and turn the power off whenever you remove the chassis tray assembly to service internal components.
You risk damage to the appliance or loss of data if you do not use the following procedure when you replace the compact flash memory.
To replace your compact flash
1. Use Check Point Network Voyager or the command-line interface (CLI) to perform an orderly shutdown of the IP690 appliance.
For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.
2. Turn off the power to the IP690 appliance.
Make sure you turn off power on the power supplies.
3. Loosen the two front panel retaining screws.
[Figure: chassis tray assembly retaining screws]
4. Slowly slide the chassis tray assembly forward, taking care to prevent damaging components, press the release tab on the right side of the assembly, and completely remove the chassis tray assembly to expose the motherboard components.
5. Place the chassis tray assembly on a table top.
6. Locate and remove the existing compact flash memory card from the slot by gently sliding it out of the slot.
7. Gently insert the new compact flash memory card into the slot.
8. Slowly slide the chassis tray assembly back into the appliance, taking care to prevent damaging components.
9. Resecure the two chassis tray assembly retaining screws.
10. Turn on the power supplies at the back of the appliance.
Installing and Using a PC Card
Figure 21 shows the external PC card location.
To use a PC card with the IP690, you need to install an optional PCMCIA card carrier in slot 3. Install the card carrier just as you would any PMC NIC. For information about installing PMC NICs, see Chapter 4, “Installing and Replacing Network Interface Cards.”
Figure 21 External PC Card Location
To install and use the PC card for system logging
1. Insert the PC card into the PC card slot until it snaps in place.
2. Press gently on the card until it is firmly seated in the slot.
The eject button to the left of the slot should be flush with the card.
3. Open Check Point Network Voyager and configure the PC card as an optional disk by using Network Voyager.
A /var directory is created on the card, and log files, configuration files, monitoring information, and the /tmp directory are subsequently stored in this directory.
4. Reboot the IP690.
5. Use Network Voyager to configure system logging options.
For more information, see the section on using an optional disk in the Voyager Reference Guide.
If you want to remove a PC card that was configured as an optional disk, you must turn it off as an optional disk and then perform an orderly system shutdown before you remove it, as described in the following procedure. You do not need to turn off the power.
If you do not perform this procedure before removing a PC card that is configured as an optional disk, system processes randomly fail because the system tries to find a /var directory on the optional disk. The resulting error messages indicate that some files in the /var directory are not available.
To remove a PC card used for logging in an IP690
1. Perform one of the following:
In Network Voyager, access Optional Disks and unselect the PC card as an optional disk.
Using the CLI, enter the command:
set optional-disk device-id <1 | 2> off
where the number 1 or 2 indicates the PC-card slot.
2. Perform a system shutdown by using Network Voyager or the CLI halt command.
3. Press the eject button to remove the PC card.
To prevent the card from ejecting too quickly, hold the PC card while you push the eject button.
4. Reboot the system.
Installing a Hard-Disk Drive
The IP690 is a flash-based appliance that also supports one or two optional hard-disk drives that plug into connectors on the motherboard. Each hard-disk drive contains 40 GB of storage space.
A second hard-disk drive, which can be used for disk mirroring, is an option only for a disk-based IP690. A single optional hard-disk drive can be used in a flash-based IP690 for storing log files.
The hard-disk drives are not included in the standard package for the flash-based IP690. When you purchase your IP690, you can order one or two hard-disk drive(s) for factory installation or order them later and install them yourself, as described in this chapter.
You can use a single hard-disk drive for storing log files.
This section describes how to install a hard-disk drive.
Before You Begin
Hard-disk drives are susceptible to damage from shock. Handle them with care.
To help guard against electrostatic discharge damage, make sure you are properly grounded by using a grounding wrist strap and following the instructions provided with the wrist strap before you handle the components or open the appliance. If you do not have a grounding wrist strap, make sure you are properly grounded before you touch any electronic component.
To install or replace a hard-disk drive, you need:
Physical access to the appliance
Check Point hard-disk drive kit
A Phillips-head screwdriver
The following procedure requires removing the chassis tray assembly from the chassis.
Make sure you perform an orderly shutdown of the system before attempting to remove the chassis tray assembly.
You must replace the hard-disk drive with a drive that has a capacity equal to or larger than the drive you are replacing. Back up your hard-disk drive files to a remote system on a regular basis.
To remove or replace a hard-disk drive
If you fail to use the following procedure when you remove the hard-disk drive, the drive might become damaged or you might lose data.
1. Use Check Point Network Voyager or the command-line interface (CLI) to perform an orderly shutdown of the IP690 appliance.
For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.
2. Turn off the power to the IP690 appliance.
3. Loosen the two front panel retaining screws.
4. Slowly slide the chassis tray assembly forward, taking care to prevent damaging components, press the release tab on the right side of the assembly, and completely remove the chassis tray assembly to expose the motherboard components.
5. Place the chassis tray assembly on a table top.
Figure 22 Location of Hard-Disk Drive on Chassis Tray Assembly
In single hard-drive configurations, install the hard-disk drive in Slot A first.
6. Remove the four screws from the base of the hard-disk drive and remove the hard-disk drive.
7. Slide the new hard-disk drive onto the mounting locations.
8. Replace the four screws.
9. Slowly slide the chassis tray assembly back into the appliance, taking care to prevent damaging components.
10. Resecure the two chassis tray assembly retaining screws.
Replacing a Check Point Encryption Accelerator Card
The IP1560 comes with the Check Point encryption accelerator card preinstalled as part of its base bundle to further enhance VPN performance. The encryption accelerator card provides high-speed cryptographic processing that enhances VPN performance.
The IP690 appliance uses a PMC format encryption accelerator card. The encryption accelerator card has no external connections and requires no cables. The encryption accelerator card software package is part of IPSO, so the appliance automatically detects and configures the card.
Use Check Point Network Voyager to configure your software applications (IPSec or Check Point VPN) to make use of the available hardware accelerator. For information about how to configure software applications, see “Configuring Software to Use Hardware Acceleration” on page 90.
This section describes how to replace a previously installed encryption accelerator card.
Before You Begin
To replace the encryption accelerator card, you need:
Physical access to the appliance
The Check Point encryption accelerator card and installation kit
Phillips-head screwdriver
Four screws (included in kit)
Grounding wrist strap (included in kit)
To help guard against electrostatic discharge damage, make sure you are properly grounded by using a grounding wrist strap and following the instructions provided with the wrist strap before you handle the components or open the appliance.
You do not need to manually disconnect power for this procedure. If the power supply switches at the rear of the appliance are difficult to reach, you can safely disconnect power when you remove the chassis tray assembly from the front of the appliance. Any servicing of the appliance should be completed with the chassis tray assembly fully removed from the appliance.
To replace the encryption accelerator card
1. Use Check Point Network Voyager or the command-line interface (CLI) to perform an orderly shutdown of the IP690.
For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.
2. Turn off the power to the IP690 appliance.
3. Loosen the two chassis tray assembly retaining screws.
4. Slowly slide the chassis tray assembly forward, taking care to prevent damaging components, press the release tab on the right side of the assembly, and completely remove the chassis tray assembly to expose the motherboard components.
5. Locate the PMC encryption accelerator card on the motherboard. The encryption card is located on the back left side of the motherboard.
6. Loosen the four retaining screws and remove the card by pulling up from the right side of the card above the interface connectors.
Do not use the PMC connectors located at the front of the motherboard for the encryption accelerator card. Those connectors are for NICs and ADP modules.
7. Position the three male PMC connectors on the card over the three female PMC connectors on the motherboard.
The two sets of connectors should be aligned with each other. The four screw holes and four standoffs should also be aligned with each other.
8. Push down on the right side of the card above the interface connectors until it is properly seated on the motherboard.
9. Place the screws through the standoff holes on the card and into the standoffs on the motherboard.
10. Turn each screw clockwise to attach the card to the standoffs. Do not overtighten.
Make sure that all four standoff connections are properly aligned before tightening the screws completely.
11. Slowly slide the chassis tray assembly back into the appliance, taking care to prevent damaging components, and resecure the two retaining screws.
12. Configure your software to use hardware acceleration by following the instructions in “Configuring Software to Use Hardware Acceleration” on page 90.
Configuring Software to Use Hardware Acceleration
The Check Point encryption accelerator software package is part of the Check Point IPSO operating system, so the appliance automatically detects and configures the Check Point encryption accelerator card.
For the Check Point IP690 appliances, SecureXL is on by default. After you install the Check Point encryption accelerator card and reboot the appliance, SecureXL automatically uses the card for encryption acceleration. If you do not want to use SecureXL for encryption acceleration, use the Check Point cpconfig utility to disable SecureXL.
You can also configure the IP690 appliances to use the Check Point encryption accelerator card for IKE acceleration. When you enable IKE acceleration, the encryption accelerator card performs cryptographic operations for IPsec tunnel negotiation.
To enable IKE acceleration
1. From the Network Voyager home page, click Security and Access Configuration, then click IKE Acceleration.
For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.
2. On the IKE Acceleration page, click Register the module.
3. Click Apply.
The PKCS#11 token that enables IKE acceleration is registered with the Check Point software on your appliance. After you register the module, you must install the Check Point security policy on the firewall for the encryption accelerator card to perform IKE acceleration.
Replacing a Fan Unit
The appliance fan unit is a single unit made up of four individual fans to provide the air flow required to maintain a proper operating temperature. The fan unit can provide proper airflow for a short time even if an individual fan fails.
Before you replace a fan unit, you must first turn off power to the appliance.
Before You Begin
To replace a fan unit, you need:
Physical access to the IP690 appliance
Replacement fan unit kit
A Phillips-head screwdriver
Components inside the appliance can overheat if they are not cooled even for a short period of time. If you are replacing a failed fan unit, you must completely remove power to the appliance.
To replace a fan unit
1. Use Check Point Network Voyager or the command-line interface (CLI) to perform an orderly shutdown of the IP690.
For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.
2. Turn off power to the IP690 appliance.
3. Locate the fan unit on the back of the IP690 appliance and the two retaining screws that secure it.
4. Loosen the retaining screws by turning them counterclockwise.
5. Slowly pull the fan unit out of the chassis toward the rear.
6. Insert the new fan unit into the chassis.
7. Tighten the two retaining screws on the new fan unit.
8. Turn on the power.
Replacing a Power Supply
The appliance supports redundant 250-watt power supplies. Each power supply is autosensing and can accept input voltages of 85 VAC to 264 VAC at frequencies of 47 Hz to 64 Hz. The power supply output is regulated to a tolerance of ±5 percent of the specified output voltage.
Before You Begin
To install or replace a power supply, you need:
Physical access to the appliance
A replacement power supply
Figure 23 Power Supply Locations
You should have working knowledge of networking equipment before you attempt to service an appliance. Limit service to the procedures described in this document.
Protect your appliance and other electronic equipment from electrostatic discharge damage by making sure you are properly grounded before you touch any component.
To replace a power supply
1. Use Check Point Network Voyager or the command-line interface (CLI) to perform an orderly shutdown of the IP690 appliance.
For information about how to access Network Voyager, see “Using Check Point Network Voyager” on page 38.
2. Locate the power supply on the back of the appliance.
3. Turn off the power to the power supply.
4. Remove the power cord.
5. Remove the grounding cable if one is in use.
6. Grasp the handle and release lever as shown in the following figure, and use the handle to firmly pull the power supply out of the chassis.
7. Insert the new power supply into the empty bay until the release lever latches.
8. Replace the grounding cable if one is in use.
9. Plug the power cord into the new power supply.
10. Turn on the power.
Monitoring the IP690 Appliance Power Supply
You can monitor the status of the IP690 appliance power supplies with Check Point Network Voyager. Similarly, you can also use the command-line interface (CLI). For information about the CLI, see the CLI Reference Guide. For more information about Network Voyager, see the Check Point Network Voyager Reference Guide or use the Network Voyager inline help.
To monitor the IP690 appliance power supplies by using Check Point Network Voyager
1. Log on to the IP690 appliance with Network Voyager.
2. Click Monitor.
3. Click Hardware Monitoring > System Status.
To the right of the Power Supply link, the status indicator is green for normal and red for fault.
4. For more detailed information about the power supply status, click Power Supply.
Replacing the Battery
To replace the battery, you need the following:
The appropriate Check Point battery replacement kit for your appliance
Physical access to the appliance
A Phillips-head screwdriver
A grounding wrist strap
(Optional) Safety glasses
Risk of explosion if battery is replaced by an incorrect type. Replace the battery only with the same or equivalent type that the manufacturer recommends. Dispose of used batteries according to the manufacturer's instructions.
Make certain that you are properly grounded when you handle components internal to the appliance to protect against electrostatic discharge damage to the appliance. Use the grounding strap included in the battery replacement kit.
To install the battery, perform the following tasks:
1. Use Check Point Network Voyager or the command-line interface (CLI) to perform an orderly shutdown of the IP690.
For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.
2. Turn off the power to the IP690 appliance.
3. Loosen the front panel retaining screws.
4. Slowly slide the chassis tray assembly forward, taking care to prevent damaging components, press the release tab on the right side of the assembly, and completely remove the chassis tray assembly to expose the motherboard components.
5. Place the chassis tray assembly on a table top.
6. Locate the battery on the motherboard.
The battery is in a black battery holder secured with a battery retaining tab.
7. Remove the old battery. Use a small nonconductive device, such as a plastic probe, to slide the battery out of the battery holder through the cutout in the holder.
8. With the positive side facing up, slide the new battery through the cutout in the battery holder.
You must place the new battery into the battery holder observing the correct polarity. The positive terminal of the battery must be facing up.
9. Slowly slide the chassis tray assembly back into the appliance, taking care to prevent damaging components.
10. Resecure the chassis tray assembly retaining screws.
11. Turn on the power supplies at the back of the appliance.
The appliance should start up normally with the new battery installed. If it does not, repeat step 1 through step 11. If the appliance does not start up normally after that, see the Check Point Support Center at http://support.checkpoint.com/.
12. Reset the appliance date and time information by using Check Point Network Voyager or the command-line interface. The battery is required to maintain the date and time whenever you shut down the appliance.
8 Troubleshooting
This chapter provides troubleshooting tips, problems, and solutions related to IP690 installations.
General Troubleshooting Information
The information in this section relates to non-routing problems. For information about how to troubleshoot routing problems, see “Troubleshooting Routing Problems” on page 106.
Unable to Log in to the Console Port—No Error Message
Two laptop computers (using terminal emulation programs) or terminals should be able to communicate back to back in the same way that the terminal communicates with the IP690. If this is not possible using your laptop computer or terminal, the problem is with the terminal or cable and not the appliance.
Problem You do not have a console connection to the IP690.
Solution For information about how to create a console connection, see “Using a Console Connection” on page 34.
Problem Not connected with a null-modem cable.
Solution Verify that you are using a null-modem cable. For pinout information, see “Using a Console Connection” on page 34.
Problem Wrong terminal settings.
Solution Verify terminal settings: 8 data, 1 stop, no parity, 9600 bps.
Problem Terminal set for flow control.
Solution The IP690 does not use flow control. The terminal should be set for no flow control.
Problem Defective IP690 or file system.
Solution See the Check Point Support Center at http://support.checkpoint.com/.
Problem Database is corrupt.
Solution Return to default settings according to the instructions for resetting the default password, or see the Check Point Support Center at http://support.checkpoint.com/.
Login Prompt Appears, But Password Not Accepted
Problem Entered wrong password.
Solution Obtain a valid password or set the password to a default value.
To reset the admin password to a default value
You must have local serial access to your appliance console to perform this procedure. With a keyboard and monitor directly connected to the appliance, the boot: prompt does not appear, and you cannot perform this procedure.
1. Boot up the appliance in single-user mode by restarting or power cycling the appliance.
When the boot: prompt appears, enter -s before the appliance goes into multiuser mode; you have about 10 seconds to do this.
2. After the appliance boots up, the following text appears:
Enter pathname of shell or RETURN for sh:
Press Enter.
3. Type /etc/overpw at the # prompt.
When the response asks if you want to continue, type y.
4. The admin password defaults to no password for admin.
Continue to boot to multiuser mode.
5. Reconfigure the password as you normally would.
Blank passwords are not accepted in Network Voyager. In such cases, enter the following command to reset the password from the command line using a blank password:
dbpasswd admin newpassword ""
The two double quotation marks at the end of the command properly indicate a blank password. After you execute this command, the system reports that the password was not successfully changed. However, the password is changed and is now newpassword.
Finally, return the entire database to its default settings and bring up the new system-startup procedure. The new system-startup procedure is described in Chapter 3, “Performing the Initial Configuration”.