Check Point 61000, R75.40VS Getting Started Manual

23 January 2014
Getting Started Guide
Check Point 61000
R75.40VS for 61000
Protected
© 2014 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at: (http://supportcontent.checkpoint.com/documentation_download?ID=20444)
To learn more, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
For more about this release, see the R75.40VS for 61000 home page (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk89900).
Revision History
Date: Description
23 January 2014: Added Health and Safety Information in French ("Informations relatives à la santé et à la sécurité" on page 6). Improved formatting and document layout. Added SGM240 LEDs support information.
16 September 2013: Added: After configuring a Security Gateway, verify the configuration by running asg diag ("Confirming the Security Gateway Software Configuration" on page 54).
9 July 2013: Corrected syntax of asg monitor command ("Monitoring Chassis and Component Status (asg monitor)" on page 61). Corrected examples of asg search command ("Searching for a Connection (asg search)" on page 70).
21 March 2013: Added: Before creating the VSX Gateway, if the management interface is not eth1-Mgmt4, see sk92556 ("Configuring a VSX Gateway" on page 54).
10 February 2013: First release of this document.
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on R75.40VS Check Point 61000 Security System Getting Started Guide).
Check Point Chassis Security System Getting Started Guide R75.40VS for 61000 | 4
Health and Safety Information
Read these warnings before setting up or using the appliance.
Warning - Do not block air vents. This is to ensure sufficient airflow for the individual SGMs in the Chassis.
This appliance does not contain any user-serviceable parts. Do not remove any covers or attempt to gain access to the inside of the product. Opening the device or modifying it in any way has the risk of personal injury and will void your warranty. The following instructions are for trained service personnel only.
Handle SGM system parts carefully to prevent damage. These measures are sufficient to protect your equipment from static electricity discharge:
When handling components (Fans, CMMs, SGMs, PSUs, SSMs) use a grounded wrist-strap designed for static discharge elimination.
Touch a grounded metal object before removing the board from the anti-static bag.
Hold the board by its edges only. Do not touch its components, peripheral chips, memory modules or gold contacts.
When holding memory modules, do not touch their pins or gold edge fingers.
Restore SGMs to the anti-static bag when they are not in use or not installed in the Chassis. Some circuitry on the SGM can continue operating after the power is switched off.
Do not let the lithium battery cell (used to power the real-time clock on the CMM) short. The battery can heat up and become a burn hazard.
Warning - DANGER OF EXPLOSION IF BATTERY IS INCORRECTLY REPLACED. REPLACE ONLY WITH SAME OR EQUIVALENT TYPE RECOMMENDED BY CHECK POINT SUPPORT. DISCARD USED BATTERIES ACCORDING TO INSTRUCTIONS FROM CHECK POINT.
Do not operate the processor without a thermal solution. Damage to the processor can occur in seconds.
Before you install or remove a chassis, or work near power supplies, turn off the power and unplug the power cord.
For California:
Perchlorate Material - special handling can apply. See http://www.dtsc.ca.gov/hazardouswaste/perchlorate
The foregoing notice is provided in accordance with California Code of Regulations Title 22, Division 4.5, Chapter 33. Best Management Practices for Perchlorate Materials. This product, part, or both may include a lithium manganese dioxide battery which contains a perchlorate substance.
Proposition 65 Chemical
Chemicals identified by the State of California, pursuant to the requirements of the California Safe Drinking Water and Toxic Enforcement Act of 1986, California Health & Safety Code s. 25249.5, et seq. ("Proposition 65"), that is "known to the State to cause cancer or reproductive toxicity" (see http://www.calepa.ca.gov)
WARNING: Handling the cord on this product will expose you to lead, a chemical known to the State of California to cause cancer, and birth defects or other reproductive harm. Wash hands after handling.
Federal Communications Commission (FCC) Statement:
Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.
Information to user:
The user's manual or instruction manual for an intentional or unintentional radiator shall caution the user that changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. In cases where the manual is provided only in a form other than paper, such as on a computer disk or over the Internet, the information required by this section may be included in the manual in that alternative form, provided the user can reasonably be expected to have the capability to access information in that form.
Canadian Department Compliance Statement:
This Class A digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe A est conforme à la norme NMB-003 du Canada.
Japan Class A Compliance Statement:
European Union (EU) Electromagnetic Compatibility Directive
This product is herewith confirmed to comply with the requirements set out in the Council Directive on the Approximation of the Laws of the Member States relating to Electromagnetic Compatibility Directive (2004/108/EC).
This product is in conformity with Low Voltage Directive 2006/95/EC, and complies with the requirements in the Council Directive 2006/95/EC relating to electrical equipment designed for use within certain voltage limits and the Amendment Directive 93/68/EEC.
Product Disposal
This symbol on the product or on its packaging indicates that this product must not be disposed of with your other household waste. Instead, it is your responsibility to dispose of your waste equipment by handing it over to a designated collection point for the recycling of waste electrical and electronic equipment. The separate collection and recycling of your waste equipment at the time of disposal will help to conserve natural resources and ensure that it is recycled in a manner that protects human health and the environment. For more information about where you can drop off your waste equipment for recycling, please contact your local city office or your household waste disposal service.
Health and Safety Information (Informations relatives à la santé et à la sécurité)
Read these warnings before setting up or using the appliance.
Warning: Do not block the air vents. The SGMs in the Chassis must have sufficient airflow.
This appliance does not contain any user-replaceable parts. Do not remove any covers or attempt to reach the inside. Opening or modifying the appliance can lead to a risk of injury and will void the warranty. The following instructions are for trained service personnel only.
Handle SGM parts carefully to avoid damaging them. The following measures are sufficient to protect your equipment from static electricity discharge:
Before handling a component (fan, CMM, SGM, PSU, SSM), put on a grounded anti-static wrist strap.
Touch a grounded metal object before removing the board from its anti-static bag.
Hold the board by its edges only. Do not touch any components, peripheral chips, memory modules or gold-plated contacts.
When handling memory modules, do not touch their pins or gold contact tracks.
Return SGMs to their anti-static bag when they are not in use or not installed in the Chassis. Some circuits on the SGM can continue operating even when the appliance is switched off.
Never short-circuit the lithium battery (which powers the real-time clock on the CMM). It can heat up and start a fire.
Warning: DANGER OF EXPLOSION IF THE BATTERY IS NOT REPLACED CORRECTLY. REPLACE ONLY WITH THE SAME OR AN EQUIVALENT TYPE RECOMMENDED BY CHECK POINT SUPPORT. BATTERIES MUST BE DISPOSED OF ACCORDING TO INSTRUCTIONS FROM CHECK POINT.
Do not operate the processor without cooling. The processor can be damaged within seconds.
Before handling an appliance or its power supply units, turn it off and unplug its power cable.
For California:
Perchlorate material: special handling may be required. See http://www.dtsc.ca.gov/hazardouswaste/perchlorate
The following notice is provided in accordance with California Code of Regulations, Title 22, Division 4.5, Chapter 33. Best Management Practices for Perchlorate Materials. This product, this part, or both may contain a lithium manganese dioxide battery, which contains a perchlorate substance.
Proposition 65 Chemicals
Chemicals identified by the State of California, pursuant to the requirements of the California Safe Drinking Water and Toxic Enforcement Act of 1986, California Health & Safety Code s. 25249.5, et seq. ("Proposition 65"), that are "known to the State to cause cancer or reproductive toxicity" (see http://www.calepa.ca.gov)
WARNING: Handling this cord exposes you to lead, an element known to the State of California to cause cancer, birth defects and other reproductive harm. Wash hands after handling.
Federal Communications Commission (FCC) Statement:
Note: This equipment has been tested and found to comply with the limits for Class A digital devices, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This equipment generates and can radiate radio frequencies and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at their own expense.
Information to user:
The user's manual or instruction manual for a radiating device (intentional or unintentional) must warn that any modification not expressly approved by the party responsible for compliance can void the right to operate the equipment. If the manual is not provided in printed form (for example on a computer disk or over the Internet), the information required by this section must be included in those versions of the manual, provided the user can reasonably be expected to be able to access it.
Canadian Department Compliance Statement:
This Class A digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe A est conforme à la norme NMB-003 du Canada.
Japan Class A Compliance Statement:
European Union (EU) Electromagnetic Compatibility Directive
This product is certified to comply with the requirements of the Council Directive on the approximation of the laws of the Member States relating to the Electromagnetic Compatibility Directive (2004/108/EC).
This product complies with Low Voltage Directive 2006/95/EC and meets the requirements of Council Directive 2006/95/EC relating to electrical equipment designed for use within certain voltage limits, as amended by Directive 93/68/EEC.
Product Disposal
This symbol on the product or its packaging means that the product must not be disposed of with other household waste. It is your responsibility to take it to a designated collection point for the recycling of electrical and electronic equipment. Separating your equipment at the time of disposal, and recycling it, helps conserve natural resources and ensures that it is recycled in a manner that protects human health and the environment. For more information about where to drop off your waste equipment, please contact your local municipality or waste management service.
Contents
Important Information
Health and Safety Information
Health and Safety Information (Informations relatives à la santé et à la sécurité)
Introduction
Overview of Check Point 61000 Security Systems
Check Point Virtual Systems
In this Document
Shipping Carton Contents
Hardware Components
61000 Security System Front Panel Modules
Security Switch Module (SSM)
SSM160 Security Switch Module
SSM60 Security Switch Module
Security Switch Module LEDs
Security Gateway Module (SGM)
SGM260 LEDs
SGM SGM220 LEDs
AC Power Supply Units (PSUs)
AC Power Cords
DC Power Entry Modules (PEMs)
PEM Panel and LED Indicators
Fan Trays
Chassis Management Modules
Blank Filler Panels for Airflow Management
Front Blank Panels with Air Baffles
Step 1: Site Preparation
Rack Mounting Requirements
Required Tools
Step 2: Installing the Chassis in a Rack
Step 3: Installing Components and Connecting Power Cables
Inserting AC Power Supply Units
Inserting Fan Trays
Inserting Chassis Management Modules
Inserting Security Switch Modules
Inserting Security Gateway Modules
Inserting Transceivers
Inserting Twisted Pair Transceivers
Inserting Fiber Optic Transceivers
Inserting QSFP Splitters
Inserting Front Blank Panels
Connecting AC Power Cables
Connecting DC Power
Connecting a Second Chassis
Step 4: Turning on the 61000 Security System
Step 5: Validating Chassis ID on a Dual Chassis Configuration
Step 6: Software Installation
Before Installing Firmware and Software
Installing SSM160 Firmware
Installing the SGM Image
Installing the SGM Using snapshot import
Installing the SGM Image Using Removable Media
Step 7: Connecting to the Network
Step 8: Initial Software Configuration
Connecting a Console
Working on the Initial Setup
Step 9: SmartDashboard Configuration
Configuring a Security Gateway
Confirming the Security Gateway Software Configuration
Configuring a VSX Gateway
Wizard Step 1: Defining VSX Gateway General Properties
Wizard Step 2: Selecting Virtual Systems Creation Templates
Wizard Step 3: Establishing SIC Trust
Wizard Step 4: Defining Physical Interfaces
Wizard Step 5: Virtual Network Device Configuration
Wizard Step 6: VSX Gateway Management
Wizard Step 7: Completing the VSX Wizard
Confirming the VSX Gateway Software Configuration
Basic Configuration Using gclish
Licensing and Registration
Monitoring and Configuration Commands
Showing Chassis and Component State (asg stat)
Monitoring Chassis and Component Status (asg monitor)
Monitoring Performance Indicators and Statistics (asg perf)
Monitoring Hardware Components (asg hw_monitor)
Monitoring SGM Resources (asg resource)
Searching for a Connection (asg search)
Configuring Alerts for SGM and Chassis Events (asg alert)
Monitoring the System using SNMP
SNMP in a VSX Gateway
Troubleshooting Commands
Collecting System Diagnostics (asg diag)
Error Types
Changing Compliance Thresholds
Introduction
Thank you for choosing Check Point’s 61000 Security System. We hope that you will be satisfied with this system and our support services. Check Point products supply your business with the most up to date and secure solutions available today.
Check Point also delivers worldwide technical services including educational, professional and support services through a network of Authorized Training Centers, Certified Support Partners and Check Point technical support personnel to ensure that you get the most out of your security investment.
For additional information on the Internet Security Product Suite and other security solutions, refer to the Check Point Web site (http://www.checkpoint.com), or call Check Point at 1(800) 429-4391. For additional technical information about Check Point products, consult the Check Point Support Center (http://supportcenter.checkpoint.com).
Welcome to the Check Point family. We look forward to meeting all of your current and future network, application and management security needs.
Overview of Check Point 61000 Security Systems
The Check Point 61000 Security System is a high performance, scalable, carrier class solution for Service Providers and high-end data centers. The system gives advanced Security Gateway functionality to meet your dynamically changing security needs. Supported Security Gateway Software Blades include: Firewall, IPS, Application Control, Identity Awareness, URL Filtering, IPSec VPN, Anti-Bot, and Anti-Virus.
The Check Point 61000 Security System is a 14-15U Chassis and includes:
Component(s): Function
Up to 12 Security Gateway Modules (SGMs): Runs a high performance Firewall, and other Software Blades.
2 Security Switch Modules (SSMs): Distributes network traffic to SGMs.
2 Chassis Management Modules (CMMs): Monitors the Chassis, the SSMs and the SGMs with zero downtime.
The 61000 Security System:
Is highly fault tolerant, and provides redundancy between Chassis modules, power supplies and fans. For extra redundancy, you can install a Dual Chassis deployment.
Has NEBS-ready and Non-NEBS versions. The Network Equipment Building Systems (NEBS) certificate ensures that 61000 Security System meets the environmental and spatial requirements for products used in telecommunications networks.
Includes a rich variety of CLI monitoring and management tools. The system can be centrally managed from Check Point Security Management Server or a Multi-Domain Security Management.
Lets you install different numbers of SGMs to match the processing needs of your network.
You can operate the 61000 Security System as a Security Gateway or as a VSX Gateway for Check Point Virtual Systems.
Check Point Virtual Systems
With Check Point Virtual Systems you can consolidate infrastructure by creating multiple virtualized security gateways on the 61000 Security System, delivering deep cost savings, seamless security and infrastructure consolidation. Based on proven virtualized security design and the extensible Software Blade Architecture, Virtual Systems provide best-in-class customized security protections to multiple networks and simplify enterprise-wide policy by creating tailored policies for each network.
Administrators can replicate conventional physical security gateways with Virtual Systems to deliver advanced protection to multiple networks and network segments. Up to 250 fully independent Virtual Systems can be supported on the 61000 Security System, delivering scalability, availability and performance while dramatically reducing hardware investment, space requirements and maintenance costs. The latest Check Point technologies ensure the best performance for virtualized security: CoreXL technology utilizes multi-core processors to increase throughput, and the 64-bit Gaia OS allows a significantly increased number of concurrent connections.
Complete virtualization of network infrastructure allows easy deployment and configuration of network topology with simpler inter-VS communication. Save the costs of external network routers and switches by using integrated virtual routers, switches and links to direct traffic to its intended destination.
KEY FEATURES
Consolidate up to 250 gateways in a single device
Software Blade Architecture
Gaia 64-bit operating system
Separation of management duties
Customized security policies per Virtual System
Per Virtual System Monitoring of resource usage
KEY BENEFITS
Easily add virtual systems to a security gateway
Reduce hardware cost and simplify network policy by consolidating multiple gateways into a single device
Stronger performance and manageability enable enterprises to better leverage their investment
More granularity and greater manageability with customizable policies per Virtual System
Better usage-based resource planning with per Virtual System monitoring
Boost performance with Multi-core CoreXL technology
In this Document
A brief overview of necessary 61000 Security System concepts and features
A step by step guide to getting the 61000 Security System up and running
Note - Screen shots in this guide may apply only to the highest model to which this guide applies.
Shipping Carton Contents
This section describes the contents of the shipping carton.
Item: Description
Check Point 61000 Security System: A single 61000 Security System Chassis
61000 Security System components: 2 to 12 Security Gateway Modules; 2 Security Switch Modules; 2 Chassis Management Modules; Power Supplies (preinstalled), either 5 AC Power Supply Units (PSUs) or 1 to 2 DC Power Entry Modules (PEMs); 6 Fans (preinstalled); Power cord set
Documentation: EULA; Welcome document
Obligatory Hardware Purchases
Transceivers are not included in the shipping carton and must be purchased separately.
SSM60 Transceivers
Ports: Required Transceivers
Network and Synchronization: Fiber transceiver for 10GbE XFP ports (SR/LR)
Management and log: Fiber transceiver for 1GbE SFP ports (SX/LR); Twisted-pair transceiver for 1GbE SFP ports; Fiber transceiver for 10GbE XFP ports (SR/LR)
SSM160 Transceivers
Ports: Required Transceivers
Network and Synchronization: SFP+ (10GbE) Fiber transceiver for SFP+ ports (SR/LR); SFP (1GbE) Fiber transceiver for SFP+ ports (SX/LX); Twisted pair (1GbE) transceiver for SFP+ ports; QSFP transceiver for 40GbE ports (SR/LR); QSFP splitter for 40GbE ports
Management and log: Fiber/Twisted pair transceiver for 1GbE SFP+ ports (SX/LX); SFP+ (10GbE) Fiber transceiver for SFP+ ports (SR/LR)
Hardware Components
This section is about the hardware components of the 61000 Security System.
61000 Security System Front Panel Modules
Item  Description
1     The Security Gateway Modules (SGMs) in the Chassis work together as a single, high performance Security Gateway or VSX Gateway. Adding a Security Gateway Module scales the performance of the system. A Security Gateway Module can be added and removed without losing connections. If an SGM is removed or fails, traffic is distributed to the other active SGMs.
      Security Gateway Module slots are numbered 1 to 12, left to right. Slot 7, for example (labeled [7] in the diagram), is the slot that is immediately to the right of the two Security Switch Module slots.
2     Console port, for a serial connection to a specific SGM using a terminal emulation program.
3     USB port, for a connection to external media, such as a DVD drive.
4     The Security Switch Module (SSM) distributes network traffic to the Security Gateway Modules and forwards traffic from the Security Gateway Modules. Two are inserted in a chassis. Two SSM versions are available:
      - SSM60
        - Not supported in a VSX Gateway
        - Not supported for SGM240
      - SSM160
      For more about each port, see Security Switch Module Ports ("Security Switch Module (SSM)" on page 16).
5     The Chassis Management Module (CMM) monitors the status of the chassis hardware components. It also supplies the DC current to the cooling fan trays.
      If the Chassis Management Module fails or is removed from the chassis, the 61000 Security System continues to forward traffic. However, hardware monitoring is not available. Adding or removing a Security Gateway Module to or from the chassis is not recognized. If the two CMMs are removed, the cooling fans stop working.
      Warning - There must be at least one CMM in the chassis. A second Chassis Management Module can be used to supply CMM High Availability. In the CLI output, the lower slot is listed as bay 1. The upper slot is listed as bay 2.
6     Power:
      - AC Power Supply Units (PSUs)
        - 100 VAC to 240 VAC
        - 3-5 PSUs
      Or:
      - DC Power Entry Modules (PEMs)
        - 48 VDC to 60 VDC
        - 2 PEMs
      Field-replaceable and hot-swappable
      In the CLI output:
      - Upper slots are for DC PEMs. They are listed as bay 1 and bay 2, numbered right to left.
      - Lower slots are for AC PSUs. They are listed as bay 1 to bay 5, numbered right to left.
Security Switch Module (SSM)
The Security Switch Module (SSM) distributes network traffic to the Security Gateway Modules and forwards traffic from the Security Gateway Modules. Two are inserted in a chassis. Two SSM versions are available:
- SSM60
  - Not supported in a VSX Gateway
  - Not supported for SGM240
- SSM160
SSM160 Security Switch Module
Security Switch Modules
Item  Description
(1)   - 1 port for direct access through LAN
      - 1 port for direct access through console (serial)
(2)   2 x 40GbE QSFP data ports.
      In the initial setup program, the interface names are:
      - Left Security Switch Module: eth1-09, eth1-13
      - Right Security Switch Module: eth2-09, eth2-13
      Use a QSFP splitter to split each of the two QSFP ports to 4 x 10GbE.
      When using a QSFP splitter, the interface names are:
      - Left Security Switch Module upper QSFP port: eth1-09 to eth1-12
      - Left Security Switch Module lower QSFP port: eth1-13 to eth1-16
      - Right Security Switch Module upper QSFP port: eth2-09 to eth2-12
      - Right Security Switch Module lower QSFP port: eth2-13 to eth2-16
(3)   7 x 10GbE SFP+ data ports
      - Can use 1GbE or 10GbE transceivers
      - In the initial setup program, the interface names are:
        - Left Security Switch Module: eth1-01, eth1-02, ... eth1-07
        - Right Security Switch Module: eth2-01, eth2-02, ... eth2-07
      - In SmartDashboard, define used interfaces as internal or external.
(4)   1 synchronization port for connecting to and synchronizing with another 61000 appliance that functions as a high availability peer.
      - 10 GbE SFP+ port
      - Interface names are eth1-Sync on the left and eth2-Sync on the right.
(5)   Management and logging ports. Connect these ports to the management/logging network. Security Management Server or dedicated logging servers should be accessible from these interfaces.
      - 2 x 10GbE SFP+ port
      - In the 61000 appliance initial setup program, these interfaces are labeled:
        - On the left SSM: eth1-Mgmt1, eth1-Mgmt2
        - On the right SSM: eth2-Mgmt1, eth2-Mgmt2
(6)   Management and logging ports. Connect these ports to the management/logging network. Security Management Server or dedicated logging servers should be accessible from these interfaces.
      - 2 x 1GbE SFP port
      - In the 61000 appliance initial setup program, these interfaces are labeled:
        - On the left SSM: eth1-Mgmt3, eth1-Mgmt4
        - On the right SSM: eth2-Mgmt3, eth2-Mgmt4
SSM60 Security Switch Module
Security Switch Modules
Item  Description
(1)   5 x 10GbE XFP data ports in each Security Switch Module. These data ports are the network interfaces of the 61000 Security System.
      In the initial setup program, the interfaces in the:
      - Left Security Switch Module are named: eth1-01, eth1-02, ... eth1-05
      - Right Security Switch Module are named: eth2-01, eth2-02, ... eth2-05
      In SmartDashboard, define used interfaces as internal or external.
(2)   1 synchronization port on each SSM for connecting to and synchronizing with another 61000 Security System that functions as a high availability peer.
(3)   4 ports for management and logging on each SSM.
      - 2 Upper ports: 1GbE SFP
      - 2 Lower ports: 10GbE XFP
      Connect these ports to the management/logging network. Security Management Server or dedicated logging servers should be accessible from these interfaces.
      In the initial setup program, the interfaces are named:
      - On the left SSM: eth1-Mgmt1, eth1-Mgmt2, ... eth1-Mgmt4
      - On the right SSM: eth2-Mgmt1, eth2-Mgmt2, ... eth2-Mgmt4
Security Switch Module LEDs
Item | LED | Status | Description
1 | Out of service | Red | SSM out of service
 | | Off (Normal) | SSM hardware is normal
2 | Power | On (Normal) | Power on
 | | Off | Power off
3 | Hot-swap | Blue | SSM can be safely removed
 | | Blue blinking | SSM is going to Standby mode. Do not remove
 | | Off (Normal) | SSM is Active. Do not remove
4 | SYN ACT | On (Normal) | Normal operation
 | | Off | N/A
5 | Link | On | Link enabled
 | | Yellow blinking | Link is active
 | | Off | Link is disabled
Security Gateway Module (SGM)
The Security Gateway Modules (SGMs) in the Chassis work together as a single, high performance Security Gateway or VSX Gateway. Adding a Security Gateway Module scales the performance of the system. A Security Gateway Module can be added and removed without losing connections. If an SGM is removed or fails, traffic is distributed to the other active SGMs.
These SGM versions are available:
- SGM220
- SGM220T (for NEBS)
- SGM240
The SGM240 has more powerful CPUs and uses a more advanced technology. It also has a different front panel layout and different LEDs.
SGM260 LEDs
Item | LED | Status | Description
5 | Out of service | Red | SGM out of service
 | | Off (Normal) | SGM hardware is normal
6 | Health | Green (Normal) | SGM core operating system is active
 | | Green blinking | SGM core operating system is partially active
 | | Off | SGM operating system is in standby mode
7 | Hot-swap | Blue | SGM can be safely removed
 | | Blue blinking | SGM is going to standby mode. Do not remove
 | | Off (Normal) | SGM is active. Do not remove
 | CTRL Link 1, CTRL Link 2 (SSM1 and SSM2 management ports) | Yellow | Link enabled
 | | Yellow blinking | Link is active
 | | Off | Link is disabled
 | CTRL SPEED 1, CTRL SPEED 2 (SSM1 and SSM2 management ports) | Yellow | 10 Gbps
 | | Green | 1 Gbps
 | | Off | 100 Mbps
 | Traffic 1 2 3 4 | On | Data and sync traffic in SSM1, SSM2, SSM3, SSM4
 | L2 | Off | Not used
 | L1 | Red. Lower Right | Installation started
 | | Red blink, in sequence | Installation in progress
 | | Red. All | Installation failure
 | | Yellow. Left | Installation completed
 | | Green. Right | SGM is being configured. (Using First Time Configuration Wizard or adding a new SGM into a Chassis)
 | | Off | SGM is configured and ready
SGM220 LEDs
Item | LED | Status | Description
1 | Out of service | Red | SGM out of service
 | | Off (Normal) | SGM hardware is normal
2 | Health | Green (Normal) | SGM core operating system is active
 | | Green blinking | SGM core operating system is partially active
 | | Off | SGM operating system is in Standby mode
3 | Hot-swap | Blue | SGM can be safely removed
 | | Blue blinking | SGM is going to Standby mode. Do not remove
 | | Off (Normal) | SGM is active. Do not remove
4 | Link | Yellow | Link enabled
 | | Yellow blinking | Link is active
 | | Off | Link is disabled
5 | Data port speed | Yellow | 10 Gbps
 | | Green | 1 Gbps
 | | Off | 100 Mbps
 | Management port speed | Yellow | 1 Gbps
 | | Green | 100 Mbps
 | | Off | 10 Mbps
6 | L | LEDs 2 and 4 - Green | SGM is being configured. (Using First Time Wizard or adding a new SGM into a Chassis)
 | | All LEDs - Off | SGM is configured and ready
AC Power Supply Units (PSUs)
5 field-replaceable and hot-swappable 100 VAC to 240 VAC Power Supply Units (PSUs) supply:
- Power to the Chassis
- Power filtering and over-current protection.
Each PSU is located on a tray that slides directly into the backplane. The AC Power inlets are located in the rear of the Chassis. Each power supply has one power inlet.
Item | Description (AC Power Unit)
1 | Air filter. Prevents dust entering the PSU.
2 | Latch for extracting and inserting the PSU.
3 | AC Power Supply LED. Green: AC Power is OK. OFF: AC power is OFF
4 | DC Power Supply LED. Green: DC Power is OK. Red: DC power failure or Hot swap ready
5 | Extraction handle for holding the PSU during extraction and insertion
Power Requirements:
Each PSU supplies power at these values:
- 1500W at 220VAC
- 1200W at 110VAC
Power Consumption Data:
- Chassis (constant) - 100W
- Fan - 240W maximum
- CMM - 10W maximum
- SGM - 300W maximum
- SSM - 300W maximum
Recommended quantity of PSUs
Important - One power supply cannot supply a fully loaded Chassis. This table shows how to calculate the recommended number of power supplies.
For a PSU that supplies 1500W
Number of SGMs | Minimum (N) | Recommended (N+1)
2 | 2 | 3
4 | 2 | 3
6 | 3 | 4
8 | 3 | 4
10 | 4 | 5
12 | 4 | 5
AC Power Cords
The supplied AC power cords are specific to the geographical region. These are some of the available power cords.
Region | Plug | Connector | Cable
EU | KC-015, 16A 250V~ | KC-003H, 10A 250V~ | H05RR-F,3G 0.75mm2
AUSTRALIA | KC-014, 10A 250V | KC-003H, 10A 250V~ | H05RR-F 3G 0.75mm2
UK | KC-039, 13A 250V~ | KC-003H, 10A 250V~ | H05RR-F 3G 0.75mm2
JP | KC-001, 15A 125V | KC-003H, 15A 125V | VCTF 3G 2.0mm2
US | KC-001, 15A 125V | KC-003H, 15A 125V | SJT 14/3C 75ºC
CHINA | KC-017N, 10A 250V~ | KC-003H, 10A 250V~ | H05RR-F 3G 0.7mm2
DC Power Entry Modules (PEMs)
The DC 61000 Security System configuration includes two Power Entry Modules (PEMs), each with a rating of -48/-60VDC 125A. The PEMs supply DC power, EMC filtering and over-current protection for the Chassis. Each PEM can supply 100% of Chassis power. The PEM is a customer replaceable unit. The two-PEM configuration provides full redundancy. The PEMs are located in the bottom-rear of the Chassis.
The DC configuration does not have its own power source. You must supply a mains DC power system that includes an external battery and a branch circuit breaker of 125A for each PEM.
You must also supply lugs (Panduit LCD6-14A-L). Use them to connect wires to the terminal blocks of the PEMs.
PEM Panel and LED Indicators
Item | Description
1 | Locking captive screws. Secure the PEM in the Chassis.
2 | Handles. Used for holding the PEM during insertion and extraction.
3 | Terminal blocks: -48/-60 VDC and Return. Each terminal block has 4 terminal studs.
4 | PEM Status LEDs.
5 | Hot-Swap button. Used for invoking the hot swap sequence.
6 | 4 Circuit breakers. 50A per circuit breaker.
PEM Status LEDs
Item | Description
Status | Green: OK; Red: Failure
Fault | Green: OK; Red: -48VDC is missing
HS | Blue steady: Powering up or ready for extraction; Blue blinking: Hot swap process; OFF: Working
Important -
- Do not remove a PEM while an electrical charge remains in the wiring.
- Before replacing a PEM, verify that the power source is disconnected and isolated.
- The PEM's circuit breaker has only one pole and disconnects only the -48V lead. The 48VDC RTN lead is always connected.
Fan Trays
The cooling system consists of three high performance fan trays. The fan trays are at the rear of the Chassis. Each tray contains two fans that supply air volume and velocity for cooling front and rear Chassis components. Air flows from the inside to the outside of the Chassis.
Item | Description
1 | Power fault LED
2 | Locking captive screw
Three fan trays are preinstalled (6 fans).
Chassis Management Modules
The Chassis Management Module controls and monitors Chassis operation. This includes fan speed, Chassis and module temperature, and component hot-swapping.
Item | Description
1 | General LEDs
2 | Telco Alarm LEDs
3 | Application defined LEDs
4 | Latch
5 | Network port
6 | Serial port
7 | Alarm
8 | Thumb screw
General LEDs
LED | Status | Meaning
ACT | Green | Chassis Management Module is active
 | Red | Chassis Management Module failure
 | Green blink | Chassis Management Module inactive
PWR | Green | Good local voltage supply on Chassis Management Module
 | Off | Local voltage failure
HS (hot swap) | Steady blue | Chassis Management Module is powering up or ready for extraction.
 | Blue blink | Chassis Management Module is being hot swapped
 | Off | Chassis Management Module in operation
Telco Alarm LEDs
LED | Status | Meaning
CRT (Critical) | Off | Normal operation
 | Red | System alarm event
MJR (Major) | Off | Normal operation
 | Red | System alarm event
MNR (Minor) | Off | Normal operation
 | Red | System alarm event
Blank Filler Panels for Airflow Management
Compliance with temperature specifications requires a stable air flow in the Chassis. To make sure that the Chassis is correctly cooled, fully populate the Chassis or add blank filler panels to the empty slots.
Two types of airflow-management panels are available for the empty slots on the Chassis:
- Front blank panels with air baffles
- Rear panel with air baffles
Front Blank Panels with Air Baffles
Item | Description
1 | Slot cover
2 | Tightening screws
3 | Air Baffles
Step 1: Site Preparation
This step covers preparing the site.
Rack Mounting Requirements
Before mounting the 61000 Security System in a standard 19" rack, make sure that:
- The rack is stable, level, and secured to the building.
- The rack is sufficiently strong to support the weight of a fully loaded Security System (http://www.checkpoint.com/products/downloads/datasheets/61000-security-system-datasheet.pdf).
- The rack rails are spaced sufficiently wide to accommodate the system's external dimensions.
- The shelf is mounted on the rack.
- There is sufficient space at the front and rear of the Chassis to let service personnel swap out hardware components.
- The rack has a sufficient supply of cooling air.
- The rack is correctly grounded.
- A readily accessible disconnect device is incorporated into the building's wiring. The disconnect device must be placed between the system's AC power inlet and the power source. The disconnect device rating required must be determined by the nominal input voltage.
- There are at least two inches of clearance at the air inlets and outlets to make sure there is sufficient airflow.
- Hot exhaust air is not circulated back into the system.
- At least two persons are available to lift the Chassis.
- You have eight M6x10 (or longer) screws to mount the Chassis on the rack.
Required Tools
To install the appliance in a standard 19" rack, these tools are required:
- Standard Phillips (+) screwdriver set
- Wrench
- Electrostatic Discharge (ESD) grounding wrist strap
Step 2: Installing the Chassis in a Rack
Before mounting the Chassis on the rack, attach the rear-end static grounding screws to the Chassis.
To install the Chassis on the Rack:
1. Set the Chassis in front of the rack, centering the Chassis in front of the shelf.
2. Lift and slide the Chassis on to the rack shelf.
3. Make sure that the holes in the front mounting flanges of the Chassis align with the holes in the rack rails.
4. Insert mounting screws into the front mounting flanges aligned with the rack.
5. Secure the appliance by fastening the mounting screws to the rack. The appliance must be level, and not positioned at an angle.
6. Attach grounding cables to the grounding screws on the Chassis.
Step 3: Installing Components and Connecting Power Cables
This section covers inserting:
- Chassis Management Modules
- Security Switch Modules
- Security Gateway Modules
- Twisted pair and fiber optic transceivers into ports on the Security Switch Modules
- Transceivers into the management ports on the Security Switch Modules
- Covers for blank slots
This section also covers:
- Backup Chassis in a dual Chassis environment
- Power cables
Inserting AC Power Supply Units
Power Supply Units (AC only) are inserted at the front of the Chassis. If you have one Power Supply Unit already in place, other units can be swapped in and out without interfering with the operation of the 61000 Security System. Note that one PSU cannot supply sufficient power to support a fully populated Chassis.
To Insert a Power Supply Unit:
1. Pull out the latch.
2. Push in the Power Supply until it locks in place.
3. Push in the Power Supply insertion latch.
4. Make sure that the DC LED shows green.
Inserting Fan Trays
When a fan tray is inserted into the Chassis, the fans start at full speed and then decrease by steps of 7%. Under normal operating conditions, the fans run at 21% of full speed. The lower speed reduces the noise and increases the longevity of the fans.
The speed of each individual fan is monitored. If the speed of one fan drops below the desired speed (that is, a fan failure), the other fans speed up.
Fans are pre-installed in the appliance. Manual replacement must be coordinated with Check Point Support.
To Insert a Fan:
1. Slide the fan into the allocated space.
2. Tighten the locking captive screw.
Inserting Chassis Management Modules
To insert a Chassis Management Module:
1. On the CMM, remove the tape on the battery. This tape protects the battery life before installation.
2. Open the upper latch.
3. Insert the Chassis Management Module into the allocated slot.
   Note - If you have only one CMM, we recommend inserting it into the lower Chassis slot.
4. Close the latch.
5. Tighten the two thumb screws.
6. After power up, all LEDs must light up for 1-2 seconds. The ACT and PWR LEDs continue to show green after the other LEDs turn off.
Inserting Security Switch Modules
To insert a Security Switch Module:
1. Open the latches at the top and bottom of the Security Switch Module.
2. Slide the SSM into the allocated slot.
3. Fasten the latches.
4. Tighten the screws.
Inserting Security Gateway Modules
To insert a Security Gateway Module:
1. Open the latches at the top and bottom of the Security Gateway Module.
2. Make sure the SGM is located correctly on the Chassis rail.
3. Slide the Security Gateway Module into the allocated slot.
4. Fasten the latches.
5. Tighten the thumb screws.
Inserting Transceivers
Security Switch Modules support Twisted Pair and Fiber Optic transceivers for connecting different interface types to the 61000 Security System through the SFP, SFP+, or XFP ports on the SSM.
The type and number of transceiver ports available depends on the SSM.
Note - Remember to select a transceiver that matches the speed of the designated port.
Inserting Twisted Pair Transceivers
Twisted pair transceivers can be inserted into:
- Data and management ports on the SSM160
- SFP management ports on the SSM60
Slide the transceiver into the open Security Switch Module port.
Inserting Fiber Optic Transceivers
Fiber transceivers can be inserted into data and management ports on the SSM60 and SSM160 switch modules. The ports can be SFP, SFP+ or XFP.
Slide the transceiver into the open Security Switch Module port.
Inserting QSFP Splitters
1. Insert the QSFP transceiver into the Security Switch Module.
2. Insert the QSFP splitter cable into the transceiver. This converts the 40GbE QSFP port to 4 x 10GbE ports.
Inserting Front Blank Panels
Blank panels contain cooled air in the appliance. Use the blank panels to close open slots.
To insert a blank panel at the front:
1. Insert the blank panel into the open slot.
2. Tighten the two thumb screws.
Note - Rear blank panels are pre-installed on the Chassis.
Connecting AC Power Cables
To connect AC power:
1. Make sure that the circuit breaker at the mains is off.
2. Insert an AC power cable into each AC power inlet on the rear-bottom of the Chassis.
Connecting DC Power
Connect the DC PEMs in the 61000 Security System to an external battery power source. You must have a mains DC power supply system that includes batteries and a branch circuit breaker of 125A for each PEM.
The DC PEM is described in DC Power Entry Modules (PEMs) (on page 26).
Tools and Parts Required
- 4 DC wire leads for each PEM, to connect the PEM to the DC power supply. Use 6AWG wires. There is no standard for DC wire color coding. Therefore, use the color coding of the DC power source (battery) for the DC wire leads.
- 4 lugs (Panduit LCD6-10A-L) for each PEM. For connecting the wire leads to the PEM terminal blocks.
- Crimping tool to connect the wire leads to the lugs.
- Wire cutters.
- Hexagonal-head socket wrench, or nut driver for tightening nuts to terminal studs on each PEM.
To connect DC power:
Note - These instructions assume that the PEMs are installed in the 61000 Security System Chassis.
1. Set the branch circuit breakers at the mains to OFF.
2. On the PEM, set all the circuit breakers to OFF.
3. Remove the protective plastic cover.
4. Where the PEM is marked -48/-60 VDC and Return, remove the nuts from the terminal studs. Use a socket wrench or nut driver.
5. Connect the -48/-60 VDC cables to the battery:
   a) Using the crimping tool, connect two 6 AWG wire leads to two lugs.
   b) Attach the two wired lugs to the -48/-60 VDC terminal studs on the PEM. Use the socket wrench or nut driver.
   c) Connect the other ends of the two wires to the -48/-60VDC battery terminal.
6. Connect the Return cables to the battery:
   a) Using the crimping tool, connect two 6 AWG wire leads to two lugs.
   b) Attach the two wired lugs to the Return terminal studs on the PEM. Use the socket wrench or nut driver.
   c) Connect the other ends of the two wires to the Return battery terminal.
7. Make sure that you have correctly connected the battery to the PEM. Do this by using a multimeter to measure the resistance between disconnected PEM wire leads and the Battery Return pole.
   For all the PEM wired leads, one at a time:
   a) At the battery, disconnect a PEM wire lead from the battery.
   b) Connect one multimeter probe to the battery Return and the other probe to the PEM wire lead.
      - A very large resistance (indicating an open circuit) shows that the wire lead is connected to the PEM -48/-60VDC terminal.
      - A very low resistance (indicating a closed circuit) shows that the wire lead is connected to the PEM Return terminal.
   c) Reconnect the PEM wire lead to the battery.
8. At the PEM:
   a) Attach the protective plastic cover.
   b) Set all the circuit breakers to ON.
9. Do step 2 to step 8 for the second PEM.
10. Set the branch circuit breakers at the mains to ON.
Connecting a Second Chassis
If you have a dual Chassis environment (for Chassis high availability):
- For the second Chassis, repeat Step 1: Site Preparation (on page 30) to Step 3: Installing Components and Connecting Power Cables (on page 32).
- Connect the second Chassis. On each SSM, connect the sync ports to the corresponding sync ports on the backup Chassis (eth1-Sync in Chassis1 to eth1-Sync in Chassis2, eth2-Sync in Chassis1 to eth2-Sync in Chassis2).
Step 4: Turning on the 61000 Security System
Connect the appliance to the power source. At power up:
- Fan speed goes to maximum.
- LEDs on the Chassis Management Module light up.
- After 1-60 seconds, fan speed slows down until it reaches the optimum rate for cooling.
- Chassis Management Module ACT and PWR LEDs show green.
- Other LEDs turn off.
Turning off the 61000 Security System
1. Shut down the SGMs:
   - If the installation wizard (Step 5) has not yet run, release the levers on each SGM to shut them down.
   - If the installation wizard has run, from gclish run: asg_hard_shutdown -b all
2. Shut down the SSMs and CMMs by releasing the levers.
3. After the LEDs on SGMs, SSMs and CMMs (both Chassis) show a steady blue, unplug the power cords.
Step 5: Validating Chassis ID on a Dual Chassis Configuration
When installing and configuring dual Chassis in high availability, make sure that:
- The CMMs on the same Chassis have the same Chassis ID.
- Each pair of CMMs on the different Chassis have different Chassis ID.
  - The CMMs on Chassis <1> should include chassis_id <1> (SHMM_CHASSID=’1’).
  - The CMMs on Chassis <2> should include chassis_id <2> (SHMM_CHASSID=’2’).
Note - When a new CMM is added to the system, it is necessary to validate its Chassis_ID. Make sure that Chassis for the new CMM is in Standby mode.
To validate the Chassis IDs:
1. When you receive the shipment, make sure that the stickers on the outer box are marked with numbers 1 and 2.
   If the numbers are the same, contact Check Point Technical Support.
2. Open the outer box, and confirm that the stickers on the Chassis and the CMM blades are different for each Chassis.
   If the numbers are the same, contact Check Point Technical Support.
3. We recommend that you validate the CMM configured IDs.
   a) Log in to the 61000 Security System.
      (i) Connect the RJ-45 jack serial cable to the console port on CMM blade.
      (ii) Connect the other end of the serial cable to the computer that you are using to do the initial configuration of the 61000 Security System.
      (iii) Connect to the 61000 Security System 160 using a terminal emulation application such as PuTTY.
            - Make sure the Speed (baud rate) is set to 9600.
            - No IP address is necessary.
      (iv) Log in with username and password: admin/admin.
   b) Verify that the CMM ID is correct. Run this command:
      # cat /etc/shmm.cfg | grep CHASSID
      This is a sample output from CMM 1:
      SHMM_CHASSID=’1’
   c) Do these steps again to validate the CMM IDs on the other Chassis.
      If the numbers are the same, contact Check Point Technical Support.
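The ID rules above can be checked in one pass once the grep output from every CMM has been captured. The following script is an added example, not Check Point code: the function names and the sample lines are constructed for illustration, and it assumes each captured line has the form shown in the sample output.

```shell
#!/bin/sh
# Added example (not part of the Check Point guide): verify captured
# "grep CHASSID /etc/shmm.cfg" lines against the Chassis ID rules.
# Function names and sample lines are hypothetical/constructed.

# Print the numeric ID from one captured line, or nothing if the line
# does not assign SHMM_CHASSID a number. Any quote characters around
# the value (ASCII or typographic) are skipped.
chassis_id_of() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*SHMM_CHASSID=[^0-9]*\([0-9][0-9]*\).*$/\1/p' |
        head -n 1
}

# check_chassis EXPECTED_ID LINE_BAY1 LINE_BAY2
# An empty LINE means no CMM is installed in that bay. Returns 0 only if
# at least one CMM is present and every present CMM reports EXPECTED_ID.
check_chassis() {
    expected=$1
    shift
    rc=0
    bay=0
    present=0
    for line in "$@"; do
        bay=$((bay + 1))
        [ -n "$line" ] || continue
        present=$((present + 1))
        id=$(chassis_id_of "$line")
        if [ -z "$id" ]; then
            echo "Chassis $expected, CMM bay $bay: no SHMM_CHASSID value in '$line'"
            rc=1
        elif [ "$id" != "$expected" ]; then
            echo "Chassis $expected, CMM bay $bay: SHMM_CHASSID=$id, expected $expected"
            rc=1
        fi
    done
    if [ "$present" -eq 0 ]; then
        echo "Chassis $expected: no CMM output captured"
        rc=1
    fi
    return "$rc"
}

# validate_dual_chassis C1_BAY1 C1_BAY2 C2_BAY1 C2_BAY2
# Chassis 1 CMMs must all report ID 1 and Chassis 2 CMMs ID 2, which also
# guarantees equal IDs within a Chassis and different IDs between them.
validate_dual_chassis() {
    status=0
    check_chassis 1 "$1" "$2" || status=1
    check_chassis 2 "$3" "$4" || status=1
    if [ "$status" -eq 0 ]; then
        echo "Chassis IDs are consistent"
    fi
    return "$status"
}

# Constructed sample: the upper CMM in Chassis 2 still carries ID 1.
validate_dual_chassis "SHMM_CHASSID='1'" "SHMM_CHASSID='1'" \
                      "SHMM_CHASSID='2'" "SHMM_CHASSID='1'" ||
    echo "Mismatch found: contact Check Point Technical Support"
```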
Step 6: Software Installation
You must install the SSM160 firmware and then install the SGM image.
Before Installing Firmware and Software
Installing Components and Connecting Cables:
- Install all components in the Chassis (SGMs, SSMs and CMMs).
- If you have a dual Chassis environment, connect only one Sync cable between the two Chassis. Connect eth1-Sync on chassis1 to eth1-Sync on chassis2. (Connect the second sync cable after installing software).
- For IP management of the 61000 Security System, connect a cable to one of the management interfaces on chassis1.
Connecting a Console
Use a console to configure a Security Group and an accessible management IP address on the 61000 Security System.
1. Connect the supplied DB9 serial cable to the console port on the front of the 61000 Security System.
2. Connect to the 61000 Security System using a terminal emulation program such as PuTTY or Microsoft HyperTerminal.
3. Configure the terminal emulation program:
   - In PuTTY, select the Serial connection type. Go to the Connection > Serial page.
   - In the HyperTerminal Connect To window, select a port from the Connect using list.
   - Define the serial port settings: 9600 BPS, 8 bits, no parity, 1 stop bit.
   - Flow control: None
4. Connect to the first SGM in the 61000 Security System.
5. Turn on the 61000 Security System.
6. Log in with username: admin and password: admin
Configuring a Security Group and a Management IP Address
1. Start the installation wizard. Run: #setup
2. In the Welcome screen, press a key.
3. Select Set SGMs for Security Group Define the SGMs that belong to the Security Group. There are two lines, one for Chassis 1, one for
Chassis 2.
Step 6: Software Installation
Check Point Chassis Security System Getting Started Guide R75.40VS for 61000 | 45
In each line, you can enter:
all (same as 1-12) A range, such as: 1-9 A number of comma-separated ranges, such as: 1-3,5-7 Single SGMS, such as: 1,4 A combination of single SGMs and ranges, such as: 10,2, 3-7.
By default, the SGM you are connected to belongs to the group: Chassis 1, SGM 1 (slot 1 in Chassis
1). For more about Security Gateway Module numbering, see 61000 Security System front panel components ("61000 Security System Front Panel Modules" on page 14).
4. Select Network Connections. For the management interface, configure:
An IP address  The Netmask length
5. Configure Routing.
If you are directly connected to the management interface: Skip this step. If you are not directly connected to the management interface: Define a route which will allow you to
access the 61000 Security System.
6. Click Next until you finish the installation wizard. At the Secure Internal Communication stage, enter a dummy key.
Configuration settings are applied, and the Security Gateway Module reboots. Other Security Gateway Modules in the Security Group are installed automatically.
Validating the Initial System Setup:
To make sure that the initial system setup is completed successfully:
- Run the asg monitor command. An initial policy must be installed on the local SGM after initial setup completes and the SGM reboots.
To monitor the automatic installation of other SGMs, run: tail -f /var/log/start_mbs.log. Wait until the installation process is complete.
The installation process is complete when all the SGMs in the security group are UP and in the Initial Policy state.
Installing SSM160 Firmware
You must install firmware on the Security Switch Module SSM160. There is no need to install firmware on SSM60.
Installing the SSM160 Firmware
1. Download the SSM160 firmware from the R75.40VS for 61000 Home page (http://supportcontent.checkpoint.com/solutions?id=sk89900).
2. Connect to one SGM, using the management IP address configured in the installation wizard.
3. Copy the SSM160 firmware file to the SGM using the scp command to the IP address of the management interface, to the /home/admin directory. This copies the file to the left-most SGM on the active Chassis.
4. From this SGM, copy the firmware file to the other SGMs in the Security Group. Run:
   > asg_cp2blades -b <blade_list> /home/admin/<file>
5. From this SGM, copy the firmware to the two SSMs in the Chassis. Run for each SSM: scp -P 2024 2.4.B27.2.T-HUB4.tar.bz2 root@SSM[1|2]:/batm/current_version/
6. Enter the SCP password you received from Support. You may see a read-only file system error. For example:
   # scp -P 2024 2.4.B27.2.T-HUB4.tar.bz2 root@ssm2:/batm/current_version/
   root@ssm2's password:
   scp: /batm/current_version//2.4.B27.2.T-HUB4.tar.bz2: Read-only file system
   If you see a read-only file system error, do this:
   a) Connect to the SSM via ssh. From the expert shell, run:
      ssh ssm<1/2>
      The password is admin
   b) From default shell, run:
      unhide private
      The password is private
   c) Run the following commands:
      # show private shell
      # mount -rw -o remount /batm/
      # exit
      # logout
   d) Run the firmware copy command for each SSM:
      scp -P 2024 2.4.B27.2.T-HUB4.tar.bz2 root@ssm2:/batm/current_version/
   e) Enter the SCP password you received from Support.
7. Activate the new firmware on the SSM. Do this for the two SSMs on the Standby Chassis:
   a) Connect to the SSM via ssh. Run from expert shell:
      ssh ssm<1/2>
      The password is admin
   b) Run:
      #file ls os-image
      and copy to clipboard the name of the new image file
   c) Run:
      #file activate-os-image 2.4.B27.2.T-HUB4.tar.bz2
   d) Move to configuration shell. Run:
      #config terminal
   e) Reload the SSM with the new image. Run:
      #system reload manufacturing-defaults
   Example:
   T-HUB4#file activate-os-image 2.4.B27.2.T-HUB4.tar.bz2
   Image file 2.4.B27.2.T-HUB4.tar.bz2 is tested for validity, please wait... OK
   Activating image 2.4.B27.2.T-HUB4.tar.bz2..
   T-HUB4#config terminal
   Entering configuration mode terminal
   T-HUB4(config)#system reload manufacturing-defaults
   Are you sure that you want to delete existing configuration and reload manufacturing default configuration (yes/no)? yes
8. Connect to SGM on the other Chassis. From the Expert shell, run:
   blade <SGM>
   For example: blade 2_01
   (Run exit to return to the previous SGM)
9. Repeat the firmware upgrade procedure on the two SSMs of the other Chassis.
Validation
To verify the upgrade, run asg_version
All SSMs should have firmware version 2.4.B27.2.
Installing the SGM Image
Use one of these procedures to install an image on the Security Gateway Modules:
- Using snapshot import
- Using an ISO image on removable media: A DVD or USB stick
Installing the SGM Using snapshot import
1. Download the snapshot file with the SGM image from the R75.40VS for 61000 Security Systems home page (http://supportcontent.checkpoint.com/solutions?id=sk89900).
2. Copy the snapshot file using the scp command to the IP address of the management interface, to the /home/admin directory. This copies the file to the left-most SGM on the active Chassis.
3. Connect to the SGM via SSH or console
4. Copy the snapshot file to all SGMs, to the /var/log/ directory. Run:
   asg_cp2blades -b all /home/admin/<snapshot file> /var/log/<snapshot file>
5. Import the snapshot. From gclish, run: set snapshot import <snapshot name, without tar> path /var/log/
6. Monitor snapshot import progress. From gclish, run: show snapshots
7. After the snapshot import process has finished on all SGMs, revert to the snapshot. From gclish, run: set snapshot revert <snapshot name>
The system is now installed with the proper software and firmware.
Installing the SGM Image Using Removable Media
You can install an ISO image on the Security Gateway Modules using a USB stick or DVD.
To copy the ISO image to the removable media:
1. Download the ISO file with the SGM image (http://supportcontent.checkpoint.com/solutions?id=sk89900).
2. Copy the file to removable media in one of these ways:
   - Burn the ISO file on a DVD.
   - Download the Check Point ISOmorphic utility to create a bootable USB device from the ISO. See sk65205 (http://supportcontent.checkpoint.com/solutions?id=sk65205).
3. You can install many SGMs at one time. Copy the ISO image to many USB sticks or DVD drives.
To install an ISO image on the Security Gateway Modules:
1. Connect the removable media to the left-most Security Gateway Module in one of these ways:
   - Connect the USB stick to the USB port.
   - Connect an external DVD drive to the USB port. Put the DVD with the ISO file in the DVD drive.

   Item | Description
   1 | USB port
   2 | One of two latches for extracting and inserting the SGM.
2. Connect the supplied DB9 serial cable to the console port on the front of the upper SGM on the 61000 Security System.
3. Connect to the left-most SGM using a terminal emulation program.
4. Reboot the SGM by partially sliding it out and immediately pushing it back in place:
   a) Loosen the thumb screws at the top and bottom of the SGM.
   b) Open the latches at the top and bottom of the SGM.
   c) Fasten the latches.
   d) Tighten the thumb screws.
5. When the first screen shows, select Install Gaia on the system and press Enter.
6. You must press Enter in 60 seconds, or the computer will try to start from the hard drive. The timer countdown stops once you press Enter. There is no time limit for the subsequent steps.
7. Press OK to continue with the installation.
   After the installation, the 61000 Security System begins the boot process and status messages show in the terminal emulation program.
8. Install the SGM image on the other SGMs.
   To install on one SGM at a time, repeat all the steps for each SGM.
   To install on many SGMs at one time:
   a) Insert all the USB sticks or DVD drives into the USB ports of the other SGMs.
   b) On one SGM at a time:
      - Connect to the console.
      - Reboot the SGM by partially sliding it out and immediately pushing it back in place.
      - Select Install Gaia on the system and press Enter.
Step 7: Connecting to the Network
1. If you have a dual Chassis environment: Connect the second Sync cable between the two Chassis. These are the Sync cable connections:
   - eth1-Sync on chassis1 to eth1-Sync on chassis2.
   - eth2-Sync on chassis1 to eth2-Sync on chassis2.
2. Connect the management ports on the Security Switch Modules to your network.
3. Connect the data ports on the Security Switch Modules to your network.
Step 8: Initial Software Configuration
When installing and configuring the 61000 Security System, start with the Security Gateway Module furthest to the left in the Chassis. After the first SGM is configured, installation and configuration settings are automatically propagated to all other SGMs in the defined security group. The Security Group is the group of SGMs that make up the Security Gateway.
Note - In SmartDashboard, one Security Gateway object represents the SGMs in the security group.
Connecting a Console
1. Connect the RJ-45 jack end of a serial cable to the console port on the upper 61000 Security System in the Chassis.
2. Connect the other end of the serial cable to the computer that you will use to do the initial configuration of the 61000 Security System.
3. On the configuration computer, connect to the 61000 Security System using a terminal emulation application such as PuTTY.
   - Make sure the Speed (baud rate) is set to 9600
   - No IP address is necessary
4. Log in with username: admin and password: admin.
Working on the Initial Setup
1. To start the installation wizard run #setup
2. In the Welcome screen, press a key.
3. Select Set SGMs for Security Group
4. If installing a VSX Gateway: Choose only the current SGM: Chassis 1, SGM 1 (slot 1 in Chassis 1).
   If installing a Security Gateway: Define the SGMs that belong to the Security Group. There are two lines, one for Chassis 1, one for Chassis 2.
   In each line, you can enter:
   - all (same as 1-12)
   - A range, such as: 1-9
   - A number of comma-separated ranges, such as: 1-3,5-7
   - Single SGMs, such as: 1,4
   - A combination of single SGMs and ranges, such as: 10,2, 3-7.
   By default, the SGM you are connected to belongs to the group: Chassis 1, SGM 1 (slot 1 in Chassis 1). To define a fully populated dual Chassis system, select all in the top and bottom lines. For more about Security Gateway Module numbering, see 61000 Security System front panel components ("61000 Security System Front Panel Modules" on page 14).
5. The subnet for internal communication in the Chassis is 192.0.2.0/24 by default. Change the IP address if it conflicts with an existing subnet on your network.
6. Configure parameters for:
   - Host Name
   - Time and Date. To configure the local time, choose the geographical area and city.
7. Select Network Connections. Configure the management ports and the data ports of the Security Switch Module.
   There are 4 management ports on each SSM. Only configure those ports you intend to use. To associate port names with the physical ports, refer to Security Switch Module Ports ("Security Switch Module (SSM)" on page 16). For each management port configure:
   - An IP address
   - The Netmask length
   To associate data port names with the physical ports, refer to Security Switch Module Ports ("Security Switch Module (SSM)" on page 16). For each data port configure:
   - An IP address
   - The Netmask length
8. Configure Routing.
Note - Wait 10-20 seconds for routing information to be updated throughout the system.
9. The Welcome to Check Point Suite screen shows. Wait for Check Point products packages to install.
10. Wait for the:
    - Installation Program Completed Successfully message to show
    - Check Point Configuration Program to start.
    This program guides you through the configuration of Check Point products.
11. Configure Secure Internal Communication.
    When prompted, enter and confirm the activation key. Remember this activation key. The same activation key is used for configuring the 61000 Security System object in SmartDashboard.
Configuration settings are applied, and the SGM reboots. Other Security Gateway Modules in the Security Group are installed automatically.
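The Security Group line syntax listed in the Step 6 and Step 8 wizard procedures can be checked before it is typed at the console. The following Python sketch is an added example, not Check Point code: the function names are hypothetical, the 12-slot limit comes from "all (same as 1-12)", the blade ID form follows the blade 2_01 example in this guide, and rejecting reversed ranges and empty items is an assumption about what should count as a typo.

```python
import re

MAX_SLOT = 12  # from the guide: "all (same as 1-12)"
ITEM_RE = re.compile(r"(\d+)(?:\s*-\s*(\d+))?")  # a slot number or a range


def expand_sgm_line(text, max_slot=MAX_SLOT):
    """Expand one Security Group line (one Chassis) into sorted slot numbers.

    Accepts the forms listed in the guide: all, 1-9, 1-3,5-7, 1,4 and
    mixed input such as "10,2, 3-7". An empty line means no SGMs on that
    Chassis (assumption).
    """
    text = text.strip()
    if not text:
        return []
    if text.lower() == "all":
        return list(range(1, max_slot + 1))
    slots = set()
    for item in text.split(","):
        item = item.strip()
        match = ITEM_RE.fullmatch(item)
        if match is None:
            raise ValueError(f"not a slot number or range: {item!r}")
        first = int(match.group(1))
        last = int(match.group(2)) if match.group(2) else first
        if first > last:
            raise ValueError(f"reversed range: {item!r}")
        if first < 1 or last > max_slot:
            raise ValueError(f"slot outside 1-{max_slot}: {item!r}")
        slots.update(range(first, last + 1))
    return sorted(slots)


def security_group(chassis1_line, chassis2_line=""):
    """Return the blade IDs (<chassis>_<two-digit slot>) for both wizard lines."""
    blade_ids = []
    for chassis, line in ((1, chassis1_line), (2, chassis2_line)):
        blade_ids += [f"{chassis}_{slot:02d}" for slot in expand_sgm_line(line)]
    return blade_ids


if __name__ == "__main__":
    # Constructed input: the mixed example from the guide on Chassis 1,
    # a fully populated Chassis 2.
    group = security_group("10,2, 3-7", "all")
    print(f"{len(group)} SGMs in the Security Group:")
    print(" ".join(group))
```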
System Validation
Make sure that the initial system setup is completed successfully by:
- Running the asg monitor command. An initial policy must be installed on the local SGM after initial setup completes and the SGM reboots.
To monitor the automatic installation of other SGMs, run: tail -f /var/log/start_mbs.log. After installation, all the SGMs in the security group must be UP and in the Initial Policy state.
Step 9: SmartDashboard Configuration
The 61000 Security System can work as a Security Gateway or as a VSX Gateway. The Security Management Server must be R75.40VS for 61000 or higher.
Do one of these procedures:
- Configuring a Security Gateway (on page 53).
- Configuring a VSX Gateway (on page 54).
Configuring a Security Gateway
This procedure explains how to configure a Security Gateway in SmartDashboard.
Note - The Check Point Security Gateway Creation Wizard is version dependent. The steps may vary slightly.
To configure a Security Gateway:
1. Open SmartDashboard.
2. Enter your credentials to connect to the Security Management Server.
3. Create the Check Point Security Gateway object.
   In the Network Objects tree, right click and select New > Check Point > Security Gateway/Management.
   The Check Point Security Gateway Creation wizard opens.
4. Select Wizard Mode or Classic Mode.
   This procedure describes Wizard mode. If you choose Classic Mode, make sure you set all the necessary configuration parameters.
5. In the General Properties screen, configure:
   - Gateway name
   - Gateway platform - Select Open server
   - Gateway IP address
6. Click Next.
7. In the Secure Internal Communication Initialization screen, enter the One-time password. This is the same as the Activation Key you entered during the initial setup.
8. Click Next.
9. View the Configuration Summary.
10. Select Edit Gateway properties for further configuration.
11. Click Finish. The General Properties page of the 61000 Security System object opens.
12. In the General Properties page, make sure the Version is correct.
13. Enable the Firewall Software Blade. If required, enable other supported Software Blades.
14. In the navigation tree, select Topology.
15. Configure:
   - Interfaces as Internal or External
   - Anti-Spoofing.
Note: Only data and management interfaces are shown in the list.
16. Click OK. The Security Gateway object closes.
17. Install the Policy.
Confirming the Security Gateway Software Configuration
To make sure that the policy was successfully installed:
1. Connect to the appliance (through SSH or the serial console).
2. Run asg monitor.
3. Make sure that the status for SGMs is: Enforcing Security on the ACTIVE and STANDBY Chassis.
4. Make sure the Policy Date matches the time that the policy was installed.
To verify the configuration:
After configuring the Security Gateway and installing the policy, validate the configuration using the asg diag command ("Collecting System Diagnostics (asg diag)" on page 75). Use the command to collect and show diagnostic information about the system. If there is a problem, fix it before using the system.
Configuring a VSX Gateway
The 61000 Security System can work as a Security Gateway or as a VSX Gateway. This procedure shows how to configure a VSX Gateway in SmartDashboard.
Before creating the VSX Gateway
Understand how VSX works, and the VSX architecture and concepts. Also, you should understand how to deploy and configure your security environment using the VSX virtual devices:
- Virtual System
- Virtual System in Bridge Mode
- Virtual Router
- Virtual Switch
To learn about how VSX works, architecture, concepts and virtual devices, see the R75.40VS Check Point VSX Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk76540).
The VSX Gateway Wizard
This section explains how to create a new VSX Gateway using the VSX Gateway Wizard.
The VSX Gateway in this example has one Virtual System (VS0) and one dedicated management interface.
After you complete the VSX Gateway Wizard, you can change the VSX Gateway definition from SmartDashboard. For example, you can add Virtual Systems, add or delete interfaces, or configure existing interfaces to support VLANs.
Note - The Check Point VSX Gateway Wizard is version dependent. The steps may vary slightly.
To start the VSX Gateway wizard:
1. Open SmartDashboard.
   If you are using Multi-Domain Security Management, open SmartDashboard from the Domain Management Server of the VSX Gateway.
2. From the Network Objects tree, right-click Check Point and select VSX > Gateway. The General Properties page of the VSX Gateway Wizard opens.
Wizard Step 1: Defining VSX Gateway General Properties
The General Properties page contains basic identification properties for VSX Gateways.
- VSX Gateway Name: Unique, alphanumeric name for the VSX Gateway. The name cannot contain spaces or special characters except the underscore.
- VSX Gateway IP Address: Management interface IP address.
- VSX Gateway Version: Select the VSX version installed on the VSX Gateway from the drop-down list.
Wizard Step 2: Selecting Virtual Systems Creation Templates
The Creation Templates page lets you provision predefined, default topology and routing definitions to Virtual Systems. This makes sure Virtual Systems are consistent and makes the definition process faster. You always have the option to override the default creation template when you create or change a Virtual System.
The Creation Templates are:
- Shared Interface - Not supported for the 61000 Security System.
- Separate Interfaces: Virtual Systems use their own separate internal and external interfaces. This template creates a Dedicated Management Interface (DMI) by default.
- Custom Configuration: Define Virtual System, Virtual Router, Virtual Switch, and Interface configurations.
For this example, choose Custom configuration.
Wizard Step 3: Establishing SIC Trust
Initialize Secure Internal Communication trust between the VSX Gateway and the management server. The gateway and server cannot communicate without Trust.
Initializing SIC Trust
When you create a VSX Gateway, you must enter the Activation Key that you defined in the installation wizard setup program ("Working on the Initial Setup" on page 50). Enter and confirm the activation key and then click Initialize. If you enter the correct activation key, the Trust State changes to Trust established.
For more about SIC trust, see the R75.40VS Check Point VSX Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk76540).
Wizard Step 4: Defining Physical Interfaces
In the VSX Gateway Interfaces window, you can define physical interfaces as VLAN trunks. The page shows the interfaces currently defined on the VSX Gateway.
To define an interface as a VLAN trunk, select VLAN Trunk for the interface. You can define VLAN trunks later. For this example, choose Next.
Wizard Step 5: Virtual Network Device Configuration
If you chose the Custom Configuration option, the Virtual Network Device Configuration window opens. The options in this window are not supported for the 61000 Security System. Click Next.
Wizard Step 6: VSX Gateway Management
In the VSX Gateway Management window, define security policy rules that protect the VSX Gateway. This policy is installed automatically on the new VSX Gateway.
Note - This policy applies only to traffic destined for the VSX Gateway. Traffic destined for Virtual Systems, other virtual devices, external networks, and internal networks is not affected by this policy.
The security policy consists of predefined rules for these services:
- UDP - SNMP requests
- TCP - SSH traffic
- ICMP - Echo-request (ping)
- TCP - HTTPS traffic
To Modify the Gateway Security Policy
1. Allow: Select to pass traffic on the selected services. Clear this option to block traffic on this service. By default, all services are blocked.
For example, to be able to ping the gateway from the management server, allow ICMP echo-request traffic.
2. Source: Click the arrow and select a Source Object from the list. The default value is *Any. Click New Source Object to define a new source.
You can modify the security policy rules that protect the VSX Gateway later. Click Next.
Wizard Step 7: Completing the VSX Wizard
Click Next to continue and then click Finish to complete the VSX Gateway wizard. This may take several minutes to complete. If the process ends unsuccessfully, click View Report to see the error messages.
Confirming the VSX Gateway Software Configuration
To make sure that the policy was successfully installed:
1. Connect to the appliance (through SSH or the serial console).
2. Run asg monitor -vs all.
3. Make sure that the status for SGMs is: Enforcing Security on the Active and Standby Chassis, for all Virtual Systems.
This shows the output for a dual Chassis VSX Gateway. Chassis 1 (Active) has 1 SGM in its Security Group.
--------------------------------------------------------------------------------
| Chassis 1 ACTIVE |
--------------------------------------------------------------------------------
| SGM | 1 (local) | - | - |
--------------------------------------------------------------------------------
| State | UP | - | - |
--------------------------------------------------------------------------------
| VS ID |
--------------------------------------------------------------------------------
| 0 | Enforcing Security | - | - |
--------------------------------------------------------------------------------
You can now add more SGMs to the Security Group. Use the asg security_group tool.
Run asg monitor -vs all. After all SGMs are UP and enforcing Security, you can add Virtual Systems to the VSX Gateway.
Basic Configuration Using gclish
Use the gclish shell for basic system configuration.
Virtual Context
To: | Run | Applicable Modes
Move to a different virtual context | # set Virtual-system <vsid> | VSX Gateway
Interfaces
To: | Run | Applicable Modes
Set an IPv4 address on an interface | # set interface eth1-01 ipv4-address 192.0.20.10 mask-length 24 | Security Gateway
Show the IPv4 interface address | # show interface eth1-01 ipv4-address | Security Gateway, VSX Gateway
Delete the IPv4 address from an interface | # delete interface eth1-01 ipv4-address | Security Gateway
Hostname
To: | Run | Applicable Modes
Set the hostname | # set hostname <security system name> (each SGM gets its local identity as suffix. For example gcp-X1000-ch01-04) | Security Gateway, VSX Gateway
Show the hostname | # show hostname | Security Gateway, VSX Gateway
Routes
To: | Run | Applicable Modes
Set a default route | # set static-route default nexthop gateway address 192.0.20.1 on | Security Gateway
Show the route table | # show route | Security Gateway, VSX Gateway
Bonds
To: | Run | Applicable Modes
Create a bond and assign an interface to it | # add bonding group 1000 interface eth2-03 | Security Gateway, VSX Gateway
Show existing bonds | # show bonding groups | Security Gateway, VSX Gateway
VLANs
To: | Run | Applicable Modes
Add a VLAN interface | # add interface eth2-02 vlan 1023 | Security Gateway
Show a VLAN interface | # show interface eth2-02 vlans | Security Gateway, VSX Gateway
Image Management (Snapshots)
To: | Run | Applicable Modes
Add a snapshot | add snapshot <snapshot name> desc <description> | Security Gateway, VSX Gateway
Revert to a snapshot | set snapshot revert <snapshot name> | Security Gateway, VSX Gateway
Show snapshots and monitor snapshot progress | show snapshots | Security Gateway, VSX Gateway
Licensing and Registration
The 61000 Security System has an initial 15-day evaluation license. After the evaluation license expires, you must license and register the system.
Each chassis is licensed separately. If you have a dual chassis system, you must install two licenses.
The license key (CK) is the Chassis serial number. The Chassis serial number is printed on the Chassis sticker. You can also retrieve the Chassis serial number using gclish.
To retrieve the Chassis serial number (if a policy is installed on the SGM)
1. Open a command line window on one of the SGMs on the Chassis.
2. Run: asg_serial_info
The output shows the Chassis Serial Number.
To retrieve the Chassis serial number (if no policy is installed on the SGM)
1. Connect to one of the SGMs on the Chassis
2. Connect to the Active CMM and run: ssh 198.51.100.33
This is the permanent, static IP address of the Active CMM.
3. On the CMM, run: clia fruinfo 20 254.
The output shows the Chassis Serial Number.
To license and register the 61000 Security System
1. Open the User Center Registration page (http://register.checkpoint.com/cpapp).
2. Search for the Chassis serial number.
3. Generate a license based on the IP address of the SSM interface connected to your Security Management Server.
Note - Because the 61000 Security System has a single Management IP address, in dual Chassis environments, the Active and Standby Chassis should be bound to the same IP address in the license. Generate two licenses and enter the same IP address in each license.
4. Install the license on the system.
   If you use the cplic command, run it from gclish so that it applies to all SGMs. Run cplic twice if you have a dual Chassis environment.
   If using SmartUpdate, install the Policy.
Monitoring and Configuration Commands
This section lists the most important gclish commands that you can use to monitor and configure the 61000 Security System.
Showing Chassis and Component State (asg stat)
Use this command to show the Chassis and hardware component state for single and dual Chassis configurations. The command shows system:
- Up-time
- CPU load: average and current
- Concurrent connections
- Health
Use Verbose mode to show SGM state, process and policy.
Syntax
asg stat
asg stat [-v] [-vs <vs_ids>] [-l]
Note - If you run this command in a VSX context, the output is for the applicable Virtual System.
Parameter | Description
None | Show a basic summary of the Chassis status.
-v | Show detailed Chassis status (verbose mode).
<vs_ids> | Shows the Chassis status of multiple Virtual systems. Specify the VS IDs. For example 4, 7, 8, 10. For a Chassis with more than 3 SGMs, the output has abbreviations to make the output more compact.
-l | Show the meaning of the abbreviations in the output for a Chassis with more than 3 SGMs.
Monitoring Chassis and Component Status (asg monitor)
Use this command to continuously monitor Chassis and component status. This command shows the same information as asg stat, but the information stays on the screen and refreshes at user-specified intervals (default = 1 second). To end the monitor session, press Ctrl-c.
Note - If you run this command in a Virtual System context, you will see only the output for that Virtual System. You can also specify the Virtual System as a command parameter.
Syntax
asg monitor -h
asg monitor [-v] [interval]
asg monitor all [interval]
asg monitor [-vs <vs_ids>]
asg monitor -l
Parameter | Description
None | Show summary SGM and Chassis status with data refresh every second.
-h | Show the command syntax and help information.
interval | Set the data refresh interval (in seconds) for the current session.
-v | Show detailed (verbose) component status without SGM status.
all | show
-vs <vs_ids> | Shows the component status for one or more Virtual Systems in a comma-separated list. You can also specify all to show all Virtual Systems. For a Chassis with more than 3 SGMs, the output has abbreviations to make the output more compact.
all | Shows all SGMs and all Chassis components status.
-l | Shows legend of column title abbreviations.
Examples
> asg monitor
----------------------------------------------------------------------------
| VS ID: 0 VS Name: Athens |
----------------------------------------------------------------------------
| Chassis 1 STANDBY |
----------------------------------------------------------------------------
| SGM ID State Process Policy Date |
| 1 DOWN Inactive NA |
| 2 UP Enforcing Security 12Jan14 14:44 |
| 3 UP Enforcing Security 12Jan14 14:44 |
| 4 UP Enforcing Security 12Jan14 14:44 |
| 5 UP Enforcing Security 12Jan14 14:44 |
----------------------------------------------------------------------------
| Chassis 2 ACTIVE |
----------------------------------------------------------------------------
| SGM ID State Process Policy Date |
| 1 (local) UP Enforcing Security 12Jan14 14:44 |
| 2 UP Enforcing Security 12Jan14 14:44 |
| 3 UP Enforcing Security 12Jan14 14:44 |
| 4 UP Enforcing Security 12Jan14 14:44 |
| 5 UP Enforcing Security 12Jan14 14:44 |
----------------------------------------------------------------------------
| Chassis HA mode: Active Up |
----------------------------------------------------------------------------
This example shows the SGM and Chassis HA status.
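The checks this guide asks for after setup and after policy installation (every SGM UP, the expected Process value, a Policy Date that matches the install time) can be run over captured asg monitor output. This Python example is added here and is not part of the Check Point guide: it assumes the row layout of the example above, and the function names and the 10-minute tolerance are illustrative assumptions.

```python
import re
from datetime import datetime, timedelta

# Rows copied from the asg monitor example above (column spacing normalized).
SAMPLE = """\
| VS ID: 0 VS Name: Athens |
| Chassis 1 STANDBY |
| SGM ID State Process Policy Date |
| 1 DOWN Inactive NA |
| 2 UP Enforcing Security 12Jan14 14:44 |
| 3 UP Enforcing Security 12Jan14 14:44 |
| 4 UP Enforcing Security 12Jan14 14:44 |
| 5 UP Enforcing Security 12Jan14 14:44 |
----------------------------------------------------------------------------
| Chassis 2 ACTIVE |
| SGM ID State Process Policy Date |
| 1 (local) UP Enforcing Security 12Jan14 14:44 |
| 2 UP Enforcing Security 12Jan14 14:44 |
| 3 UP Enforcing Security 12Jan14 14:44 |
| 4 UP Enforcing Security 12Jan14 14:44 |
| 5 UP Enforcing Security 12Jan14 14:44 |
| Chassis HA mode: Active Up |
"""

MONTHS = {name: number for number, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
CHASSIS_RE = re.compile(r"^\|\s*Chassis\s+(\d+)\s+(ACTIVE|STANDBY)\s*\|$")
ROW_RE = re.compile(
    r"^\|\s*(?P<sgm>\d+)\s*(?P<local>\(local\))?\s+(?P<state>[A-Z]+)\s+"
    r"(?P<process>.+?)\s+"
    r"(?P<date>NA|\d{1,2}[A-Za-z]{3}\d{2}\s+\d{2}:\d{2})\s*\|$")
DATE_RE = re.compile(r"(\d{1,2})([A-Za-z]{3})(\d{2})\s+(\d{2}):(\d{2})")


def parse_policy_date(text):
    """Turn '12Jan14 14:44' into a datetime; 'NA' means no policy."""
    if text == "NA":
        return None
    day, month, year, hour, minute = DATE_RE.fullmatch(text).groups()
    return datetime(2000 + int(year), MONTHS[month.capitalize()],
                    int(day), int(hour), int(minute))


def parse_asg_monitor(text):
    """Return one dict per SGM row, tagged with its Chassis and HA role."""
    rows, chassis, role = [], None, None
    for line in text.splitlines():
        line = line.strip()
        header = CHASSIS_RE.match(line)
        if header:
            chassis, role = int(header.group(1)), header.group(2)
            continue
        row = ROW_RE.match(line)
        if row and chassis is not None:
            rows.append({
                "chassis": chassis, "role": role,
                "sgm": int(row.group("sgm")),
                "local": bool(row.group("local")),
                "state": row.group("state"),
                "process": row.group("process"),
                "policy_date": parse_policy_date(row.group("date")),
            })
    return rows


def find_problems(rows, expected_process="Enforcing Security",
                  installed_at=None, tolerance=timedelta(minutes=10)):
    """List SGMs that are not UP, not in the expected process state, or whose
    Policy Date is further than `tolerance` from the known install time.
    Use expected_process="Initial Policy" right after the setup wizard."""
    problems = []
    for row in rows:
        where = f"chassis {row['chassis']} SGM {row['sgm']}"
        if row["state"] != "UP":
            problems.append(
                f"{where}: state {row['state']}, process {row['process']}")
            continue
        if row["process"] != expected_process:
            problems.append(f"{where}: process {row['process']}")
        if installed_at is not None:
            date = row["policy_date"]
            if date is None or abs(date - installed_at) > tolerance:
                problems.append(f"{where}: policy date {date}")
    return problems


if __name__ == "__main__":
    sgm_rows = parse_asg_monitor(SAMPLE)
    for problem in find_problems(sgm_rows,
                                 installed_at=datetime(2014, 1, 12, 14, 44)):
        print("CHECK:", problem)
```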
> asg monitor -vs 3
--------------------------------------------------------------------------------
| Chassis 1 ACTIVE |
--------------------------------------------------------------------------------
|SGM |1 (l)|2 |3 |4 | - | - | - | - | - | - | - | - |
--------------------------------------------------------------------------------
|State | UP | UP | UP | DWN | - | - | - | - | - | - | - | - |
--------------------------------------------------------------------------------
| VS ID |
--------------------------------------------------------------------------------
| 3 | ES | ES | ES | IAC | - | - | - | - | - | - | - | - |
--------------------------------------------------------------------------------
This example shows the status of the SGMs and Virtual System 3.
Monitoring Performance Indicators and Statistics (asg perf)
Use this command to continuously monitor key performance indicators and load statistics.
Syntax
asg perf [-b <SGM_string>] [-vs <VS_string>] [-v] [-p] [-a] [-k[--last|--hist]] [-e]
Parameter | Description
-b <SGM_string> | Shows results for SGMs and/or Chassis as specified by <SGM_string>. The <SGM_string> can be:
   - No <SGM_string> or all - Shows all SGMs and Chassis
   - One SGM
   - A comma-separated list of SGMs (1_1,1_4)
   - A range of SGMs (1_1-1_4)
   - One Chassis (Chassis1 or Chassis2)
   - The active Chassis (chassis_active)
-vs <VS_string> | For VSX Gateway only: List of Virtual Systems. For example:
   - 1: VS 1
   - 1,3-5: VS 1,2,4,5
   - all: All VSs
   Note: In a VSX Gateway, if no -vs option is specified, the command runs in the context of the current VS.
-v | Verbose mode: Per-SGM display. Show performance statistics (including load and acceleration load) on the Active Chassis.
-p | Show detailed statistics and traffic distribution between these paths on the Active Chassis:
   - Acceleration path (Performance Pack).
   - Medium path (PXL).
   - Slow path (Firewall).
-a | Show absolute values.
-k | Shows peak values for connection rate, concurrent connections and throughput.
-h | Display usage.
Example
If no SGMs are specified, the command shows performance statistics for the Active Chassis:
> asg perf -v
Output
Notes:
Load Average = CPU load.
Monitoring Hardware Components (asg hw_monitor)
Use this command to show per-Chassis hardware information and thresholds for monitored components:
• Security Gateway Module - CPU temperature per socket
• Chassis fan speeds
• Security Switch Module - Throughput rates
• Power consumption per Chassis
• Power Supply Unit: Whether installed or not, and PSU fan speed
• Chassis Management Module - Installed, Active or Standby
Syntax
asg hw_monitor [-v] [-f <filter>]
Parameter
Description
none
Show component status summary report
-v
Show detailed component status report (verbose)
-f
Show status of one or more specified (filtered) components
<filter>
One or more of these component types, in a comma separated list:
• CMM
• CPUtemp
• Fan
• PowerConsumption
• PowerUnit
• SSM
Sample Output for the 61000 Security System
# asg hw_monitor -v
-------------------------------------------------------------------------------
| Hardware Monitor |
-----------------------------------------------------------------------------
| Sensor | Location | Value | Threshold | Units | State|
------------------------------------------------------------------------------
| Chassis 1 |
------------------------------------------------------------------------------
| CMM | bay 1 | 1 | 0 | <S,D>/<A> | 1 |
| CMM | bay 2 | 0 | 0 | <S,D>/<A> | 1 |
| CPUtemp | blade 1, CPU0 | 45 | 65 | Celsius | 1 |
| CPUtemp | blade 1, CPU1 | 39 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU0 | 44 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU1 | 39 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU0 | 44 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU1 | 38 | 65 | Celsius | 1 |
| CPUtemp | blade 4, CPU0 | 47 | 65 | Celsius | 1 |
| CPUtemp | blade 4, CPU1 | 42 | 65 | Celsius | 1 |
| CPUtemp | blade 5, CPU0 | 46 | 65 | Celsius | 1 |
| CPUtemp | blade 5, CPU1 | 47 | 65 | Celsius | 1 |
| CPUtemp | blade 6, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 6, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 7, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 7, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 8, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 8, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 9, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 9, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 10, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 10, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 11, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 11, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 12, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 12, CPU1 | 0 | 65 | Celsius | 0 |
| Fan | bay 1, fan 1 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 2 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 1 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 2 | 3 | 11 | Speed Level | 1 |
| Fan | bay 3, fan 1 | 3 | 11 | Speed Level | 1 |
| Fan | bay 3, fan 2 | 3 | 11 | Speed Level | 1 |
| PowerConsumption | N/A | 2711 | 4050 | Watts | 1 |
| PowerUnit(AC) | bay 1 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 2 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 3 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 4 | 0 | 0 | NA | 0 |
| PowerUnit(AC) | bay 5 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 1, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 1, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 2, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 2, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 3, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 3, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 4, fan 1 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 4, fan 2 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 5, fan 1 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 5, fan 2 | 0 | 0 | NA | 0 |
| SSM | bay 1 | 0 | 0 | Mbps | 1 |
| SSM | bay 2 | 0 | 0 | Mbps | 1 |
------------------------------------------------------------------------------
| Chassis 2 |
------------------------------------------------------------------------------
| CMM | bay 1 | 1 | 0 | <S,D>/<A> | 1 |
| CMM | bay 2 | 0 | 0 | <S,D>/<A> | 1 |
| CPUtemp | blade 1, CPU0 | 46 | 65 | Celsius | 1 |
| CPUtemp | blade 1, CPU1 | 46 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU0 | 48 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU1 | 49 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU0 | 46 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU1 | 47 | 65 | Celsius | 1 |
| CPUtemp | blade 4, CPU0 | 46 | 65 | Celsius | 1 |
| CPUtemp | blade 4, CPU1 | 50 | 65 | Celsius | 1 |
| CPUtemp | blade 5, CPU0 | 50 | 65 | Celsius | 1 |
| CPUtemp | blade 5, CPU1 | 49 | 65 | Celsius | 1 |
| CPUtemp | blade 6, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 6, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 7, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 7, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 8, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 8, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 9, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 9, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 10, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 10, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 11, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 11, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 12, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 12, CPU1 | 0 | 65 | Celsius | 0 |
| Fan | bay 1, fan 1 | 5 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 2 | 5 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 1 | 5 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 2 | 5 | 11 | Speed Level | 1 |
| Fan | bay 3, fan 1 | 5 | 11 | Speed Level | 1 |
| Fan | bay 3, fan 2 | 5 | 11 | Speed Level | 1 |
| PowerConsumption | N/A | 2711 | 4050 | Watts | 1 |
| PowerUnit(AC) | bay 1 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 2 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 3 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 4 | 0 | 0 | NA | 0 |
| PowerUnit(AC) | bay 5 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 1, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 1, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 2, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 2, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 3, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 3, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 4, fan 1 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 4, fan 2 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 5, fan 1 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 5, fan 2 | 0 | 0 | NA | 0 |
| SSM | bay 1 | 0 | 0 | Mbps | 1 |
| SSM | bay 2 | 0 | 0 | Mbps | 1 |
------------------------------------------------------------------------------
Sample Output for 41000 Security System
------------------------------------------------------------------------------
| Hardware Monitor |
------------------------------------------------------------------------------
| Sensor | Location | Value | Threshold | Units | State|
------------------------------------------------------------------------------
| Chassis 1 |
------------------------------------------------------------------------------
| CMM | bay 1 | 0 | 0 | <S,D>/<A> | 1 |
| CMM | bay 2 | 1 | 0 | <S,D>/<A> | 1 |
| CPUtemp | blade 1, CPU0 | 47 | 65 | Celsius | 1 |
| CPUtemp | blade 1, CPU1 | 46 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU0 | 46 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU1 | 44 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU0 | 46 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU1 | 45 | 65 | Celsius | 1 |
| CPUtemp | blade 4, CPU0 | 45 | 65 | Celsius | 1 |
| CPUtemp | blade 4, CPU1 | 46 | 65 | Celsius | 1 |
| Fan | bay 1, fan 1 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 2 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 3 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 4 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 5 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 6 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 7 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 8 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 9 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 10 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 1 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 2 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 3 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 4 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 5 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 6 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 7 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 8 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 9 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 10 | 4 | 11 | Speed Level | 1 |
| PowerConsumption | N/A | 1894 | 4050 | Watts | 1 |
| PowerUnit(AC) | bay 1 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 2 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 3 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 1, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 1, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 2, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 2, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 3, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 3, fan 2 | 0 | 0 | NA | 1 |
| SSM | bay 1 | 40 | 0 | Mbps | 1 |
| SSM | bay 2 | 0 | 0 | Mbps | 1 |
------------------------------------------------------------------------------
| Chassis 2 |
------------------------------------------------------------------------------
| CMM | bay 1 | 1 | 0 | <S,D>/<A> | 1 |
| CMM | bay 2 | 0 | 0 | <S,D>/<A> | 1 |
| CPUtemp | blade 1, CPU0 | 47 | 65 | Celsius | 0 |
| CPUtemp | blade 1, CPU1 | 51 | 65 | Celsius | 0 |
| CPUtemp | blade 2, CPU0 | 46 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU1 | 56 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU0 | 49 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU1 | 51 | 65 | Celsius | 1 |
| CPUtemp | blade 4, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 4, CPU1 | 0 | 65 | Celsius | 0 |
| Fan | bay 1, fan 1 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 2 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 3 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 4 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 5 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 6 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 7 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 8 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 9 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 10 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 1 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 2 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 3 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 4 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 5 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 6 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 7 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 8 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 9 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 10 | 3 | 11 | Speed Level | 1 |
| PowerConsumption | N/A | 1624 | 4050 | Watts | 1 |
| PowerUnit(AC) | bay 1 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 2 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 3 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 1, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 1, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 2, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 2, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 3, fan 1 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 3, fan 2 | 0 | 0 | NA | 0 |
| SSM | bay 1 | 2 | 0 | Mbps | 1 |
| SSM | bay 2 | 0 | 0 | Mbps | 1 |
------------------------------------------------------------------------------
Notes
Column
Meaning
Location
To identify the location, see the 61000 Security System Front Panel ("61000 Security
System Front Panel Modules" on page 14).
Value Threshold Units
Most components have a defined threshold value. The threshold gives an indication of the health and functionality of the component. When the value of the resource is greater than the threshold, an alert is sent ("Configuring Alerts for SGM and Chassis Events (asg alert)" on page 71).
State
0 = Component not installed
1 = Component is installed
Monitoring SGM Resources (asg resource)
Use this command to show the SGM resource usage and thresholds for the 61000 Security System.
Syntax
asg resource [-b sgm]
Parameter
Description
-b sgm
Shows results for SGMs and/or Chassis as specified by <sgm_string>.
The <sgm_string> can be:
• No <sgm_string> or all - Shows all SGMs and Chassis
• One SGM
• A comma-separated list of SGMs (1_1,1_4)
• A range of SGMs (1_1-1_4)
• One Chassis (Chassis1 or Chassis2)
• The active Chassis (chassis_active)
-h
Shows usage and exits
Example
> asg resource [-b sgm]
+-----------------------------------------------------------------------------------+
|Resource Table                                                                     |
+------------+-------------------------+------------+------------+------------------+
|SGM ID      |Resource Name            |Usage       |Threshold   |Total             |
+------------+-------------------------+------------+------------+------------------+
|1_01        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|1_02        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.7G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|1_03        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|1_04        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|1_05        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|2_01        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|2_02        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |19%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|2_03        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|2_04        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|2_05        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
Notes
Column descriptions:
1. The Resource column identifies the resource. There are 4 kinds of resources:
   • Memory
   • HD - hard drive space (/)
   • HD: /var/log - space on hard drive committed to log files
   • HD: /boot - location of the kernel
2. The Location column identifies the SGM with the resource.
3. The Usage column shows in percentage terms how much of the resource is in use.
4. The Threshold column is also expressed as a percentage. The threshold gives an indication of the health and functionality of the component. When the value of the resource is greater than the threshold, an alert is sent. The threshold can be modified in gclish.
5. The Total column is the total absolute value in units.
6. The Units column shows the measurement type, Megabytes (M) or Gigabytes (G).
For example, the first row shows that SGM1 on Chassis 1 has 31.3 Gigabytes of memory, 19% of which is used. An alert will be sent if the usage exceeds 80%.
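The Usage and Threshold columns described above can be checked from saved command output. This is an added example, not part of the original guide: it parses `asg resource` text, carries the SGM ID down to the rows where that column is blank, and lists rows whose usage is greater than their threshold. The sample text is constructed in the layout shown above (the 2_02 /var/log usage is raised on purpose), and the function names and the `margin` option are assumptions.

```python
"""Parse saved `asg resource` output and report rows over their threshold."""
from __future__ import annotations

from typing import NamedTuple

# Constructed sample in the layout of the guide's example output.
# The /var/log usage on 2_02 is raised on purpose so that one row trips.
SAMPLE = """\
+-----------------------------------------------------------------------------------+
|Resource Table                                                                     |
+------------+-------------------------+------------+------------+------------------+
|SGM ID      |Resource Name            |Usage       |Threshold   |Total             |
+------------+-------------------------+------------+------------+------------------+
|1_01        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|2_02        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |19%         |80%         |19.4G             |
|            |HD: /var/log             |93%         |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
"""


class Row(NamedTuple):
    sgm: str            # SGM ID such as "1_01" (chassis_slot)
    resource: str       # "Memory", "HD: /", "HD: /var/log", "HD: /boot"
    usage_pct: int
    threshold_pct: int
    total: str          # kept as printed, e.g. "31.3G" or "288.6M"


def _percent(cell: str) -> int:
    """Convert a cell such as '19%' to 19; reject anything else."""
    if not cell.endswith("%") or not cell[:-1].isdigit():
        raise ValueError(f"not a percentage: {cell!r}")
    return int(cell[:-1])


def parse_asg_resource(text: str) -> list[Row]:
    """Return one Row per resource line, filling in blank SGM ID cells."""
    rows: list[Row] = []
    current_sgm = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue                      # separators, prompt line, blanks
        cells = [c.strip() for c in line[1:-1].split("|")]
        if len(cells) != 5 or cells[0] == "SGM ID":
            continue                      # table title or column header
        sgm, resource, usage, threshold, total = cells
        if sgm:
            current_sgm = sgm
        elif not current_sgm:
            raise ValueError(f"continuation row before any SGM ID: {raw!r}")
        rows.append(Row(current_sgm, resource,
                        _percent(usage), _percent(threshold), total))
    return rows


def over_threshold(rows: list[Row], margin: int = 0) -> list[Row]:
    """Rows whose usage is greater than (threshold - margin).

    margin=0 is the condition the guide gives for an alert; a positive
    margin (an addition of this example) reports rows that are close.
    """
    return [r for r in rows if r.usage_pct > r.threshold_pct - margin]


if __name__ == "__main__":
    for r in over_threshold(parse_asg_resource(SAMPLE)):
        print(f"{r.sgm} {r.resource}: {r.usage_pct}% > {r.threshold_pct}% "
              f"(total {r.total})")
```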
Searching for a Connection (asg search)
Description
Use this command to:
Search for a connection. Find out which SGM handles the connection (actively or as backup), and which Chassis.
Syntax
asg search
asg search <src> <dst> <dport> <ipp> <sport>
asg search -v
asg search -help
Parameter
Description
asg search
Run in interactive mode. In this mode you are asked to enter the 5-tuple parameters of the connection. Each parameter can be a wildcard. Press Enter for a wildcard.
asg search <src> <dst> <dport> <ipp> <sport>
Run from the command line. Each parameter can be replaced by * for a wildcard. If you specify only a few parameters, the wildcard is used for the others.
-v
Verbose mode
-help
Display usage
Example 1
asg search <source IP> <Destination IP>
asg search 10.33.86.2 10.33.87.101
Output
Lookup for conn: <10.33.86.2, *, 10.33.87.101, *, *>, may take few seconds...
<10.33.86.2, 2686, 10.33.87.101, 22, tcp> -> [1_01 A, 1_03 B, 2_01 B]
Legend:
A - Active SGM
B - Backup SGM
Comments
Searching for connections from 10.33.86.2 to 10.33.87.101 shows one SSH connection:
<10.33.86.2, 2686, 10.33.87.101, 22, tcp>
This connection is handled by SGM 1 in Chassis 1. The connection has a backup on SGM 3, and another backup in Chassis 2 on SGM 1.
Example 2
asg search 10.33.86.2 \* 8080 tcp
Output
Lookup for conn: <10.33.86.2, *, *, 8080, tcp>, may take few seconds...
<10.33.86.2, 49581, 194.29.36.43, 8080, tcp> -> [1_01 A, 1_07 B, 2_01 B]
<10.33.86.2, 49600, 194.29.36.43, 8080, tcp> -> [1_01 A, 1_07 B, 2_01 B]
<10.33.86.2, 49601, 194.29.36.43, 8080, tcp> -> [1_01 A, 1_07 B, 2_01 B]
Legend:
A - Active SGM
B - Backup SGM
Comments
This searches for TCP connections with source IP address 10.33.86.2 and destination port 8080. The output shows three connections handled on SGM 1_01, with backups on SGMs 1_07 and 2_01.
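During an investigation it helps to turn this output into records that say which SGM is handling each connection. This is an added example, not part of the original guide: it parses `asg search` results, splits each SGM list into active and backup members, and rebuilds the command-line arguments, whose order (<src> <dst> <dport> <ipp> <sport>) differs from the order printed in the output. The sample is the guide's Example 2 output; the function names are assumptions, and the parser assumes port-based entries like those shown.

```python
"""Parse `asg search` results into per-connection records."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from typing import NamedTuple

# The guide's Example 2 output, one result per line.
SAMPLE = """\
Lookup for conn: <10.33.86.2, *, *, 8080, tcp>, may take few seconds...
<10.33.86.2, 49581, 194.29.36.43, 8080, tcp> -> [1_01 A, 1_07 B, 2_01 B]
<10.33.86.2, 49600, 194.29.36.43, 8080, tcp> -> [1_01 A, 1_07 B, 2_01 B]
<10.33.86.2, 49601, 194.29.36.43, 8080, tcp> -> [1_01 A, 1_07 B, 2_01 B]
Legend:
A - Active SGM
B - Backup SGM
"""

# A result is "<tuple> -> [members]"; the "Lookup for conn" echo has no arrow.
RESULT_RE = re.compile(r"<([^<>]+)>\s*->\s*\[([^\]]*)\]")
MEMBER_RE = re.compile(r"(\d+)_(\d+)\s+([AB])")


class Conn(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    active: tuple   # SGM IDs marked A
    backup: tuple   # SGM IDs marked B


def _port(text: str) -> int:
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_asg_search(text: str) -> list[Conn]:
    """Extract every result; works on line-per-result or run-together text."""
    conns = []
    for match in RESULT_RE.finditer(text):
        fields = [f.strip() for f in match.group(1).split(",")]
        if len(fields) != 5:
            raise ValueError(f"expected a 5-tuple, got: {match.group(1)!r}")
        src, sport, dst, dport, proto = fields   # order as printed
        for addr in (src, dst):
            ipaddress.ip_address(addr)           # ValueError on junk
        active, backup = [], []
        for member in match.group(2).split(","):
            m = MEMBER_RE.fullmatch(member.strip())
            if m is None:
                raise ValueError(f"unrecognised SGM entry: {member!r}")
            sgm_id = f"{m.group(1)}_{m.group(2)}"
            (active if m.group(3) == "A" else backup).append(sgm_id)
        conns.append(Conn(src, _port(sport), dst, _port(dport),
                          proto.lower(), tuple(active), tuple(backup)))
    return conns


def sgm_location(sgm_id: str) -> tuple:
    """'2_01' -> (2, 1): chassis number, SGM number."""
    chassis, sgm = sgm_id.split("_")
    return int(chassis), int(sgm)


def by_active_sgm(conns: list[Conn]) -> dict:
    """Group connections by the SGM that actively handles them."""
    grouped = defaultdict(list)
    for conn in conns:
        for sgm_id in conn.active:
            grouped[sgm_id].append(conn)
    return dict(grouped)


def requery_args(conn: Conn) -> list:
    """Arguments for an exact re-query, in command-line order."""
    return ["asg", "search", conn.src, conn.dst,
            str(conn.dport), conn.proto, str(conn.sport)]


if __name__ == "__main__":
    for sgm_id, handled in by_active_sgm(parse_asg_search(SAMPLE)).items():
        chassis, sgm = sgm_location(sgm_id)
        print(f"Chassis {chassis} SGM {sgm}: {len(handled)} connection(s)")
```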
Configuring Alerts for SGM and Chassis Events (asg alert)
The asg alert utility is an interactive wizard used to configure alerts for SGM and Chassis events. Event types can include hardware failure, recovery, and performance related events. You can also create events for other, general events.
An alert is sent when an event occurs. For example, an alert is generated when the value of a hardware resource is greater than the threshold. The alert message includes the Chassis ID, SGM ID and/or unit ID, as applicable.
The wizard includes these options:
Option
Description
Full Configuration Wizard
Create a new alert
Edit Configuration
Change an existing alert
Show Configuration
Show existing alert configurations
Run Test
Run a test simulation to make sure that the alert works correctly
To create or change an alert:
1. Run: > asg alert
2. Select and configure these parameters as prompted by the wizard:
• Alert type and related parameters
• Event types
• Alert mode
These sections include details about the alert parameters that you configure with the wizard.
SMS alert parameters
• SMS Provider URL - Fully qualified URL to your SMS provider based on this syntax.
• HTTP proxy and port (Optional) - Necessary only if your Security Gateway requires a proxy server to reach the SMS provider
• SMS rate limit - Maximum number of SMS messages sent per hour. When there are too many messages, the others are sent together as one message.
• SMS user text - Custom prefix for SMS messages
Email alert configuration:
• SMTP server IP - Configure one or more SMTP servers to which the email alerts will be sent.
• Email recipient addresses - Configure one or more recipient email addresses for each SMTP server.
• Periodic connectivity checks - Run a periodic test to make sure that there is connectivity with the SNMP servers. If there is no connectivity, alert messages are saved and sent in one email when connectivity is restored.
• Interval - Define the interval, in minutes, between connectivity tests.
• Sender email address - Configure a sender email address for email alerts.
• Subject - Subject header text for the email alert.
• Body text - Enter user-defined text for the alert message.
SNMP alert parameters
Define one or more SNMP managers to get SNMP traps sent from the Security Gateway. For each manager, configure these parameters as prompted:
Note: Some parameters do not show, based on your settings.
• SNMP manager name - Configure a name for your SNMP manager (unique)
• SNMP manager IP - Configure the manager IP address (trap receiver)
• SNMP version - Select the SNMP version to use (v2c or v3)
• SNMP v3 user name - If using SNMP v3 authentication, you must configure this.
• SNMP v3 engine ID - Unique SNMP v3 engine ID used by your system. Default = [0x80000000010203EA].
• SNMP v3 authentication protocol - MD5 or SHA.
• SNMP v3 authentication password - Enter a privacy password.
• SNMP v3 privacy protocol - DES or AES.
• SNMP v3 privacy password - Enter a privacy password.
• SNMP user text - Custom text for the SNMP trap messages.
• SNMP community string - Configure the community string for the SNMP manager.
See SNMP for more information.
Log alert parameters
There are no configurable parameters for log alerts.
Event types
You can select one or more event types:
• One event type
• A comma-delimited list of more than one event type
• all for all event types
Chassis States:
1. SGM State
2. Chassis State
3. Port State
4. Pingable Hosts State
Hardware Components:
5. Fans
6. SSM
7. CMM
8. Power Supplies
9. CPU Temperature
Performance Events:
10. Concurrent Connections
11. Connection Rate
12. Packet Rate
13. Throughput
14. CPU Load
15. Hard Drive Utilization
16. Memory Utilization
Alert Modes
• Enabled - An alert is sent for the selected events
• Disabled - No alert is sent for the selected events
• Monitor - A log entry is generated instead of an alert
Monitoring the System using SNMP
SNMP can be used to monitor various aspects of the 61000 Security System, including:
• Software versions
• Hardware status
• Key performance indicators
• Chassis high availability status
To monitor the system using SNMP
1. Upload the MIB to your third-party SNMP monitoring software.
   The SNMP MIB is located on each SGM under: $CPDIR/lib/snmp/chkpnt.mib
   For monitoring the 61000 Security System, the only supported OIDs are under iso.org.dod.internet.private.enterprise.checkpoint.products.asg (OID 1.3.6.1.4.1.2620.1.48)
2. Enable the SNMP agent on the 61000 Security System. In gclish, run: set snmp agent on
SNMP Traps
The 61000 Security System supports SNMP traps.
The SNMP traps MIB is located on each SGM under: $CPDIR/lib/snmp/chkpnt-trap.mib
iso.org.dod.internet.private.enterprise.checkpoint.products.chkpntTrap (OID 1.3.6.1.4.1.2620.2000)
iso.org.dod.internet.private.enterprise.checkpoint.products.asgTrap (OID 1.3.6.1.4.1.2620.2001)
To learn more about SNMP, see:
• Configuring asg alerts ("Configuring Alerts for SGM and Chassis Events (asg alert)" on page 71)
• The R75.40VS for 61000 Security System Administration Guide
SNMP in a VSX Gateway
There are two SNMP modes for a 61000 Security System that is configured as a VSX Gateway:
• Default Mode - Monitor global SNMP data from the 61000 Security System. Data is accumulated from all SGMs for all Virtual Systems.
• VS Mode - Monitor each Virtual System separately.
Note - SNMP traps are supported for VS0 only.
Supported SNMP Versions
SNMP VS mode uses SNMP version 3 to query the Virtual Systems. You can run remote SNMP queries on each Virtual System in the VSX Gateway.
For systems that only support SNMP versions 1 and 2:
• You cannot run remote SNMP queries for each Virtual System. You can only run a remote SNMP query on VS0.
• You can use the CLI to change the Virtual System context and then run a local SNMP query on a Virtual System.
Enabling the SNMP Mode
To use SNMP Per-VS (VS mode):
1. Configure an SNMP V3 user. Run:
   add snmp usm user jon security-level authNoPriv authpass-phrase VALUE
2. Set the SNMP mode. Run:
   set snmp mode vs
   or
   set snmp mode default
3. Start the SNMP agent. Run:
   set snmp agent on
VS Mode Example 1
To query a Virtual System for traffic throughput, from a remote Linux host:
[admin@linux-snmp] snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -n ctxname_vsid1 -v 3 -l authNoPriv -u jon -A mypassword 192.0.2.72 asgThroughput
VS Mode Example 2
To query a Virtual System for traffic throughput, from its virtual context:
1. Enter expert mode.
2. Move to the Virtual System. Run: vsenv <vs_id>
3. Run:
[Expert@VSX-Box:7] snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -v 2c -c public localhost asgThroughput
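The two queries above differ in what they protect on the wire: authNoPriv authenticates the request but does not encrypt it, and SNMP v2c sends the community string in clear text. This is an added example, not part of the original guide: it audits snmpwalk-style command lines (from runbooks or monitoring scripts) for those settings, using only net-snmp options that appear on the command line. The finding names and function names are assumptions, and the third command is constructed; it assumes a v3 user that also has a privacy passphrase, which this page does not show.

```python
"""Flag weak settings in net-snmp command lines such as the two above."""
from __future__ import annotations

import shlex

# The guide's two example queries, and one constructed comparison that
# assumes passphrases are supplied from the client's snmp.conf instead.
PAGE_REMOTE_QUERY = ("[admin@linux-snmp] snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib "
                     "-n ctxname_vsid1 -v 3 -l authNoPriv -u jon -A mypassword "
                     "192.0.2.72 asgThroughput")
PAGE_LOCAL_QUERY = ("[Expert@VSX-Box:7] snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib "
                    "-v 2c -c public localhost asgThroughput")
CONSTRUCTED_AUTHPRIV = ("snmpwalk -v 3 -l authPriv -u jon -a SHA -x AES "
                        "-n ctxname_vsid1 192.0.2.72 asgThroughput")

# net-snmp single-letter options that take a value and matter here.
VALUE_FLAGS = set("vclunaAxXm")

FINDINGS = {
    "cleartext-community": "v1/v2c: community string and data are not encrypted",
    "default-community": "community string is a well-known default",
    "no-auth": "v3 noAuthNoPriv: no authentication and no encryption",
    "no-privacy": "v3 authNoPriv: authenticated but not encrypted",
    "weak-auth-md5": "MD5 selected as the authentication protocol",
    "weak-priv-des": "DES selected as the privacy protocol",
    "secret-on-cmdline": "passphrase visible in process list and shell history",
}


def parse_options(command: str) -> dict:
    """Return {flag letter: value} for the options after the snmp* command."""
    tokens = shlex.split(command)
    start = next((i for i, tok in enumerate(tokens)
                  if tok.rsplit("/", 1)[-1].startswith("snmp")), None)
    if start is None:
        raise ValueError("no snmp* command found")
    opts = {}
    rest = iter(tokens[start + 1:])
    for tok in rest:
        if len(tok) >= 2 and tok[0] == "-" and tok[1] in VALUE_FLAGS:
            # Accept both "-v 2c" and the attached form "-v2c".
            opts[tok[1]] = tok[2:] if len(tok) > 2 else next(rest, "")
    return opts


def audit_snmp_command(command: str) -> list:
    """Return sorted finding names for one command line.

    Only options present on the command line are judged; defaults from
    snmp.conf are not read.
    """
    opts = parse_options(command)
    found = set()
    version = opts.get("v", "").lower()
    if version in {"1", "2c"}:
        found.add("cleartext-community")
        if opts.get("c", "").lower() in {"public", "private"}:
            found.add("default-community")
    elif version == "3":
        level = opts.get("l", "").lower()
        if level == "noauthnopriv":
            found.add("no-auth")
        elif level == "authnopriv":
            found.add("no-privacy")
    if opts.get("a", "").upper() == "MD5":
        found.add("weak-auth-md5")
    if opts.get("x", "").upper() == "DES":
        found.add("weak-priv-des")
    if "A" in opts or "X" in opts:
        found.add("secret-on-cmdline")
    return sorted(found)


if __name__ == "__main__":
    for cmd in (PAGE_REMOTE_QUERY, PAGE_LOCAL_QUERY, CONSTRUCTED_AUTHPRIV):
        print(cmd)
        for name in audit_snmp_command(cmd) or ["(no findings)"]:
            print("   ", name, "-", FINDINGS.get(name, ""))
```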
Troubleshooting Commands
This section lists the most important gclish commands that you can use to troubleshoot the 61000 Security System.
Collecting System Diagnostics (asg diag)
Description
Use this tool to collect and show diagnostic information about the system. This command runs a list of predefined diagnostics tools. The output shows the result of each test (Passed or Failed) and the location of the output log file.
Syntax
asg diag list [[TestNum1][,TestNum2]...]
asg diag verify [[TestNum1][,TestNum2]...]
asg diag print [[TestNum1][,TestNum2]...]
asg diag purge [Number of logs to keep]
Parameters
Parameter
Description
list
Show the list of tests.
verify
Run tests and show a summary of the results.
print
Run tests and show the full output and also a summary of the results.
[[TestNum1][,TestNum2]...]
Comma separated list of test IDs. To see the IDs of the tests, run asg diag list.
purge
Delete the asg diag logs except for the newest.
[Number of logs to keep]
The number of the newest logs to keep when deleting (purging) asg diag log files. The default is 5.
Example 1
asg diag list
Output 1
-------------------------------------------------------
| ID | Title | Command |
-------------------------------------------------------
| System Components |
-------------------------------------------------------
| 1 | System Health | asg stat -d |
| 2 | Hardware | asg hw_monitor -q |
| 3 | Resources | asg resource -q |
| 4 | Software Versions | asg_version verify -v |
| 5 | CPU Type | cpu_socket_verifier -v |
| 6 | Media Details | transceiver_verifier -v |
-------------------------------------------------------
| Policy and Configuration |
-------------------------------------------------------
| 7 | Distribution Mode | dist_verify -d |
| 8 | Policy | asg policy verify -a |
| 9 | AMW Policy | asg policy verify_amw -a |
| 10 | Installation | installation_verify |
| 11 | Security Group | asg security_group diag |
| 12 | Cores Distribution | cores_verifier |
| 13 | SPI Affinity | spi_affinity_verifier -v |
| 14 | Clock | clock_verifier -v |
| 15 | Mgmt Monitor | mgmt_monitor snmp_verify |
| 16 | Licenses | asg_license_verifier |
| 17 | Hide NAT range | asg_hide_behind_range -v |
-------------------------------------------------------
| Networking |
-------------------------------------------------------
| 18 | MAC Setting | mac_verifier -v |
| 19 | Interfaces | interface_verifier -q |
| 20 | Bond | asg_bond_verifier -v |
| 21 | Bridge | asg_br_verifier -v |
| 22 | IPv4 Route | asg_route -q |
| 23 | IPv6 Route | asg_route ipv6 -q |
| 24 | Dynamic Routing | asg_dr_verifier |
| 25 | Local ARP | asg_local_arp_verifier -v |
| 26 | Port Speed | asg_port_speed verify |
-------------------------------------------------------
| Misc |
-------------------------------------------------------
| 27 | Core Dumps | core_dump_verifier -v |
| 28 | Syslog | asg_syslog verify |
-------------------------------------------------------
Comment
The output shows that the test with ID 1 is called System Health. This test runs the command asg stat -d to get the test status.
Example 2
asg diag verify
Output 2
--------------------------------------------------------------------------------
| Tests Status |
--------------------------------------------------------------------------------
| ID | Title | Result | Reason |
--------------------------------------------------------------------------------
| System Components |
--------------------------------------------------------------------------------
| 1 | System Health | Failed | (1)Chassis 1 error |
| 2 | Hardware | Failed | (1)Power unit is missing |
| 3 | Resources | Failed | (1)Memory capacity |
| | | | (2)Primary HD capacity |
| | | | (3)Log HD capacity |
| | | | (4)Boot HD capacity |
| 4 | Software Versions | Failed | |
| 5 | CPU Type | Failed | (1)Non-compliant CPU type |
| 6 | Media Details | Passed | |
--------------------------------------------------------------------------------
| Policy and Configuration |
--------------------------------------------------------------------------------
| 7 | Distribution Mode | Passed | |
| 8 | Policy | Passed | |
| 9 | AMW Policy | Passed | |
| 10 | Installation | Passed | |
| 11 | Security Group | Passed | |
| 12 | Cores Distribution | Passed | |
| 13 | SPI Affinity | Passed | |
| 14 | Clock | Passed | |
| 15 | Mgmt Monitor | Passed | |
| 16 | Licenses | Passed | |
| 17 | Hide NAT range | Passed | |
--------------------------------------------------------------------------------
| Networking |
--------------------------------------------------------------------------------
| 18 | MAC Setting | Passed | |
| 19 | Interfaces | Passed | |
| 20 | Bond | Passed | |
| 21 | Bridge | Passed | |
| 22 | IPv4 Route | Passed | |
| 23 | IPv6 Route | Passed | (1)Not configured |
| 24 | Dynamic Routing | Failed | (1)BGP |
| 25 | Local ARP | Passed | |
| 26 | Port Speed | Passed | |
--------------------------------------------------------------------------------
| Misc |
--------------------------------------------------------------------------------
| 27 | Core Dumps | Passed | |
| 28 | Syslog | Passed | |
--------------------------------------------------------------------------------
| Tests Summary |
--------------------------------------------------------------------------------
| Passed: 22/28 tests |
| Run: "asg diag list 1,2,3,4,5,24" to view a complete list of failed tests |
| Output file: /var/log/verifier_sum.1-28.2012-11-28_10-24-33.txt |
--------------------------------------------------------------------------------
Example 2.1
Run the command suggested by the asg diag verify output to show the commands that failed.
asg diag list 1,2,3,4,5,24
Output 2.1
-------------------------------------------------------
| ID | Title | Command |
-------------------------------------------------------
| System Components |
-------------------------------------------------------
| 1 | System Health | asg stat -d |
| 2 | Hardware | asg hw_monitor -q |
| 3 | Resources | asg resource -q |
| 4 | Software Versions | asg_version verify -v |
| 5 | CPU Type | cpu_socket_verifier -v |
-------------------------------------------------------
| Networking |
-------------------------------------------------------
| 24 | Dynamic Routing | asg_dr_verifier |
-------------------------------------------------------
Example 2.2
To find out why the System Health test failed, run asg stat -d or asg diag print 1. Here is a sample output of asg stat -d:
Output 2.2
--------------------------------------------------------------------------
| System Status                                                          |
--------------------------------------------------------------------------
| Chassis 1                     ACTIVE                                   |
--------------------------------------------------------------------------
| SGM ID        State           Process               Policy Date        |
| 2 (local)     UP              Enforcing Security    01Jul12 14:54      |
| 3             DOWN (Admin)    Inactive              NA                 |
--------------------------------------------------------------------------
| Chassis Parameters                                                     |
--------------------------------------------------------------------------
| Unit                    Chassis 1               Unit Weight            |
|                                                                        |
| SGMs                    1 / 2 (!)               6                      |
| Ports                                                                  |
|   Standard              2 / 2                   11                     |
|   Other                 0 / 0                   6                      |
| Sensors                                                                |
|   Fans                  4 / 4                   5                      |
|   SSMs                  2 / 2                   11                     |
|   CMMs                  2 / 2                   6                      |
|   Power Supplies        6 / 6                   6                      |
|                                                                        |
| Chassis Grade           118 / 124               -                      |
--------------------------------------------------------------------------
| Synchronization                                                        |
|   Within chassis:       Enabled (Default)                              |
|   Exception Rules:      (Default)                                      |
| Distribution                                                           |
|   Control Blade:        Disabled (Default)                             |
--------------------------------------------------------------------------
Comment 2.2
The Chassis grade is 118/124 because one of the SGMs is in DOWN (Admin) state. Bringing the SGM up solves the problem. Alternatively, remove the SGM from the security group to suppress the alert.
Another way of debugging the issue is to open the output file in /var/log/. When you run asg diag verify or asg diag print, a log file is created which includes the full (verbose) output of each test.
Example 2.3
A sample full (verbose) output for the CPU Type test in the /var/log/ log file:
Output 2.3
============================== CPU Type: ==============================
Non-compliant cpu models found:
------------------------------------
model name : Intel(R) Xeon(R) CPU E5530 @ 2.40GHz
Refer to /proc/cpuinfo for more information
Comment 2.3
This file shows that the E5530 CPU is not recognized by the CPU Type test as compliant with the current system. To make a CPU type recognized as compliant:
1. Edit the file asg_diag_config in the $FWDIR/conf directory.
2. Add the line Certified cpu=<value>
3. Replace <value> with the CPU type.
After solving the issues identified by asg diag verify, you can run a subset of the tests that failed to make sure that all issues have been solved. To run a subset of the tests, see example 3.
Example 3
To run a subset of the tests, run:
asg diag verify 1,2,3,4,5,24
Output 3
-----------------------------------------------------------------------------
| Tests Status                                                              |
-----------------------------------------------------------------------------
| ID | Title             | Result | Reason                                  |
-----------------------------------------------------------------------------
| System Components                                                         |
-----------------------------------------------------------------------------
| 1  | System Health     | Passed |                                         |
| 2  | Hardware          | Passed |                                         |
| 3  | Resources         | Passed |                                         |
| 4  | Software Versions | Passed |                                         |
| 5  | CPU Type          | Passed |                                         |
-----------------------------------------------------------------------------
| Networking                                                                |
-----------------------------------------------------------------------------
| 24 | Dynamic Routing   | Passed |                                         |
-----------------------------------------------------------------------------
| Tests Summary                                                             |
-----------------------------------------------------------------------------
| Passed: 6/6 tests                                                         |
| Output file: /var/log/verifier_sum.1-5.24.2012-11-28_10-37-36.txt         |
-----------------------------------------------------------------------------
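The re-run step described above, as an added example that is not part of the Check Point guide: a shell helper that reads asg diag verify table output on stdin, collects the IDs whose Result column is Failed, and prints the matching asg diag verify command. The function names and the sample rows (including the System Health reason text) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Check Point code). Parses "asg diag verify" table rows of
# the form "| ID | Title | Result | Reason |" and lists the failed test IDs.

# failed_ids: read verifier output on stdin, print failed IDs as "1,24".
# Rule lines, section titles and summary rows have no numeric ID and are skipped.
failed_ids() {
    awk -F'|' '
        {
            id = $2; result = $4
            gsub(/[ \t]/, "", id); gsub(/[ \t]/, "", result)
            if (id ~ /^[0-9]+$/ && result == "Failed")
                ids = ids (ids == "" ? "" : ",") id
        }
        END { if (ids != "") print ids }
    '
}

# rerun_command: print the command that re-runs only the failed tests.
# Prints nothing and returns 1 when no test failed.
rerun_command() {
    ids=$(failed_ids)
    [ -n "$ids" ] || return 1
    printf 'asg diag verify %s\n' "$ids"
}

# Constructed sample in the table layout shown above (rows abbreviated).
sample_output() {
    cat <<'EOF'
-----------------------------------------------------------------------------
| ID | Title             | Result | Reason                                  |
-----------------------------------------------------------------------------
| System Components                                                         |
| 1  | System Health     | Failed | (1)Chassis 1 error                      |
| 2  | Hardware          | Passed |                                         |
| Networking                                                                |
| 23 | IPv6 Route        | Passed | (1)Not configured                       |
| 24 | Dynamic Routing   | Failed | (1)BGP                                  |
| Tests Summary                                                             |
| Passed: 2/4 tests                                                         |
-----------------------------------------------------------------------------
EOF
}

sample_output | rerun_command
```

On a live system the input would come from the command itself, for example by piping asg diag verify into rerun_command.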
Error Types
These are some of the errors shown by asg diag verify and their meaning.
Error Type     | Error                       | Description
---------------|-----------------------------|------------
System health  | Chassis <X> error           | General error indicating that Chassis X grade is not perfect.
Hardware       | <Component> is missing      | The component is not found in the Chassis.
Hardware       | <Component> is down         | The component is found in the Chassis but is inactive.
Resources      | <Resource> capacity         | The specified resource capacity is not as expected. Expected capacity can be tuned.
Resources      | <Resource> exceed threshold | The resource's usage exceeds the configured threshold.
CPU type       | Non compliant CPU type      | At least one SGM CPU type is not configured in the list of compliant CPUs. Compliant CPU types can be configured.
Security group | <Source> error              | The information gathered from this source is different between the SGMs.
Security group | <Sources> differ            | The information gathered from several sources is different.
Changing Compliance Thresholds
You can change some compliance thresholds that define a healthy working system. To do this, edit the asg diag configuration file $FWDIR/conf/asg_diag_config and change the threshold values.
These are the resources you can control:
Resource       | Description
---------------|------------
Memory         | RAM memory capacity in GB
HD: /          | Disk capacity in GB for <disk>:/ partition.
HD:/var/log    | Disk capacity in GB for the /var/log partition.
HD: /boot      | Disk capacity in GB for the /boot partition.
Skew           | The maximum permissible clock difference between the SGMs and SSMs, in seconds.
Certified cpu  | Each line represents one compliant CPU type.