Check Point 61000 Security System Getting Started Guide 8 November 2011
© 2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions.
Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=12557
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
Warning - DANGER OF EXPLOSION IF BATTERY IS INCORRECTLY REPLACED. REPLACE ONLY WITH SAME OR EQUIVALENT TYPE RECOMMENDED BY CHECK POINT SUPPORT. DISCARD USED BATTERIES ACCORDING TO INSTRUCTIONS FROM CHECK POINT. Do not operate the processor without a thermal solution. Damage to the processor can occur in seconds. For California: Perchlorate Material - special handling can apply. See http://www.dtsc.ca.
This product is in conformity with Low Voltage Directive 2006/95/EC, and complies with the requirements in the Council Directive 2006/95/EC relating to electrical equipment designed for use within certain voltage limits and the Amendment Directive 93/68/EEC.

Product Disposal
This symbol on the product or on its packaging indicates that this product must not be disposed of with your other household waste.
Contents
Important Information
Health and Safety Information
Introduction
  Overview of Check Point 61000 Security Systems
  In this Document
Introduction
Thank you for choosing Check Point's 61000 Security System. We hope that you will be satisfied with this system and our support services. Check Point products supply your business with the most up-to-date and secure solutions available today.
In this Document
- A brief overview of necessary 61000 Security System concepts and features
- A step-by-step guide to getting the 61000 Security System up and running
Note - Screen shots in this guide may apply only to the highest model to which this guide applies.

Shipping Carton Contents
This section describes the contents of the shipping carton.
Hardware Components
This section covers the hardware components of the 61000 Security System.

61000 Security System Front Panel Modules
Item  Description
1     The Security Gateway Modules (SGMs) in the chassis work together as a single, high performance Security Gateway. Adding a Security Gateway Module scales the performance of the system. A Security Gateway Module can be added and removed without losing connections.
3     The Security Switch Module (SSM) distributes network traffic to the Security Gateway Modules and forwards traffic from the Security Gateway Modules. One or two can be inserted in a chassis. Two SSM versions are available: SSM60 and SSM160. For more about each port, see Security Switch Module Ports (on page 11).
4     The Chassis Management Module (CMM) monitors the status of the chassis hardware components.
Security Switch Module Ports
The Security Switch Module (SSM) distributes network traffic to the Security Gateway Modules and forwards traffic from the Security Gateway Modules. One or two can be inserted in a chassis. Two SSM versions are available: SSM60 and SSM160.

SSM60 Security Switch Module
Item  Description
(1)   5 x 10GbE XFP data ports in each Security Switch Module. These data ports are the network interfaces of the 61000 Security System.
SSM160 Security Switch Module
- 1 port for direct access through LAN
- 1 port for direct access through console (serial)
- 2 QSFP data ports 40GbE, can split to 4 x 10GbE using a QSFP splitter
- 7 x 10GbE SFP+ data ports. Can use 1GbE or 10GbE transceivers
In the initial setup program, the interfaces in the left Security Switch Module are named: eth1-01, eth1-02, ...
AC Power Supply Units (PSUs)
5 field-replaceable and hot-swappable PSUs provide:
- Power to the chassis
- Power filtering and over-current protection
Each PSU is located on a tray that slides directly into the backplane.

Item  Description (AC Power Unit)
1     Tumble screw
2     Power Supply LEDs:
      AC OK. Normally green. Red means AC is missing.
      DC OK. Normally green. Red means that the DC is missing.
      H SWAP. Normally blue. The unit can be hot-swapped.
Fan Trays
The cooling system consists of three high performance fan trays. Each tray contains two fans that supply air volume and velocity for cooling front and rear chassis components. Air flows from the inside to the outside of the chassis.
Item  Description
1     Power fault LED
2     Locking captive screw
Three fan trays are preinstalled (6 fans).

Chassis Management Modules
The Chassis Management Module controls and manages the chassis.
Item  Description
5     Network port
6     Serial port
7     Alarm
8     Tumble screw

General LEDs
LED   Status        Meaning
ACT   Green         Chassis Management Module is active
      Red           Chassis Management Module failure
      Green blink   Chassis Management Module inactive

      Green         Good local voltage supply on Chassis Management Module
      Off           Local voltage failure

      Steady blue   Chassis Management Module is powering up or ready for extraction.
Blank Filler Panels for Airflow Management
Compliance with temperature specifications requires a stable air flow in the chassis. To make sure that the chassis is correctly cooled, fully populate the chassis or add blank filler panels to the empty slots.
Step 1: Site Preparation
This step covers preparing the site.

Rack Mounting Requirements
Before mounting the 61000 Security System in a standard 19" rack, make sure that:
- The rack is stable, level, and secured to the building.
- The rack is sufficiently strong to support the weight of a fully loaded Security System (http://www.checkpoint.com/products/downloads/datasheets/61000-security-system-datasheet.pdf).
Required Tools

Step 2: Installing the Device in a Rack
Before mounting on the rack:
- Insert the:
  - AC PSUs or DC PEMs
  - Fan Units
- Attach the rear-end static grounding screws to the chassis.
To install the Chassis on the Rack:
1. Set the chassis in front of the rack, centering the chassis in front of the shelf.
2. Lift and slide the chassis on to the rack shelf.
3. Make sure that the holes in the front mounting flanges of the chassis align with the holes in the rack rails.
4.
Inserting Power Supply Units
Power Supply Units (AC only) are inserted at the front of the chassis. If you have one Power Supply Unit already in place, other units can be swapped in and out without interfering with the operation of the 61000 Security System. Note that one PSU cannot supply sufficient power to support a fully populated chassis.
To Insert a Power Supply Unit:
1. Pull out the lever.
2. Push in the Power Supply.
3. Push in the Power Supply insertion lever.
4.
Inserting Fan Trays
Fans are pre-installed in the appliance. Manual replacement must be coordinated with Check Point Support.
To Insert a Fan:
1. Slide the fan into the allocated space.
2. Tighten the locking captive screw.
Inserting Chassis Management Modules
To insert a Chassis Management Module:
1. Open the latch at the top.
2. Insert the Chassis Management Module into the allocated slot.
   Note - If you have only one CMM, we recommend inserting it into the lower chassis slot.
3. Fasten the latch.
4. Close the two tumble screws tightly.
5. After power up, all LEDs must light up for 1-2 seconds. The ACT and PWR LEDs continue to show green after the other LEDs turn off.
Inserting Security Switch Modules
To insert a Security Switch Module:
1. Open the latches at the top and bottom of the Security Switch Module.
2. Slide the SSM into the allocated slot.
3. Fasten the latches.
4. Tighten the screws.
Inserting Security Gateway Modules
To insert a Security Gateway Module:
1. Open the latches at the top and bottom of the Security Gateway Module.
2. Make sure the SGM is located correctly on the chassis rail.
3. Slide the Security Gateway Module into the allocated slot.
4. Fasten the latches.
5. Tighten the tumble screws.
Inserting Transceivers
Security Switch Modules support Twisted Pair and Fiber Optic transceivers for connecting different interface types to the 61000 Security System through the SFP, SFP+, or XFP ports on the SSM. The type and number of transceiver ports available depends on the SSM.
Note - Remember to select a transceiver that matches the speed of the designated port.
SFP management ports on the SSM60
Slide the transceiver into the open Security Switch Module port.

Inserting Fiber Optic Transceivers
Fiber transceivers can be inserted into data and management ports on the SSM60 and SSM160 switch modules. The ports can be SFP, SFP+ or XFP.
Slide the transceiver into the open Security Switch Module port.
Inserting QSFP Splitters
1. Insert the QSFP transceiver into the Security Switch Module.
2. Insert the QSFP splitter cable into the transceiver. This converts the 40GbE QSFP port to 4 x 10GbE ports.

Inserting Front Blank Panels
Blank panels contain cooled air in the appliance. Use the blank panels to close open slots.
To insert a blank panel at the front:
1. Insert the blank panel into the open slot.
2. Tighten the two tumble screws.
Connecting Power Cables
Connect power cables at the rear:

Step 4: Powering Up
Connect the appliance to the power source.
At power up:
- Fan speed goes to maximum.
- LEDs on the Chassis Management Module light up.
- After 1-60 seconds, fan speed slows down until it reaches the optimum rate for cooling.
- Chassis Management Module ACT and PWR LEDs show green. Other LEDs turn off.
Connecting a Management Console

Step 5: Initial Software Configuration
When installing and configuring the 61000 Security System, start with the Security Gateway Module furthest to the left in the chassis. After the first SGM is configured, installation and configuration settings are automatically propagated to all other SGMs in the defined security group. The Security Group is the group of SGMs that make up the Security Gateway.
Performing the Initial Setup
4. Define the SGMs that belong to the Security Group. There are two lines, one for chassis 1 and one for chassis 2. In each line, you can enter:
   - all (same as 1-12)
   - A range, such as: 1-9
   - A number of comma-separated ranges, such as: 1-3,5-7
   - Single SGMs, such as: 1,4
   - A combination of single SGMs and ranges, such as: 10,2, 3-7
   By default, the SGM you are connected to belongs to the group: Chassis 1, SGM 1 (slot 1 in chassis 1).
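The list syntax in step 4 can be checked before it is typed into the setup program. The following is an added example, not Check Point code: it expands one chassis line into slot numbers and reports seated SGMs that the entry would leave out of the Security Group. The function names, the strict rejection of reversed or out-of-range entries, and the sample inventory are assumptions of this example.

```python
import re

MAX_SLOT = 12  # the guide states that "all" is the same as 1-12

_TOKEN = re.compile(r"([0-9]+)(?:-([0-9]+))?")


def parse_sgm_list(spec, max_slot=MAX_SLOT):
    """Expand one chassis line of the Security Group prompt into sorted slot numbers.

    Accepts the forms listed in step 4: "all", "1-9", "1-3,5-7", "1,4", "10,2, 3-7".
    Anything else raises ValueError, so a typo cannot silently shrink the group.
    """
    text = spec.strip().lower()
    if not text:
        raise ValueError("empty SGM list")
    if text == "all":
        return list(range(1, max_slot + 1))

    slots = set()
    for raw in text.split(","):
        token = raw.strip()
        match = _TOKEN.fullmatch(token)
        if not match:
            raise ValueError(f"unrecognised entry {token!r}")
        first = int(match.group(1))
        last = int(match.group(2)) if match.group(2) else first
        if first > last:
            raise ValueError(f"reversed range {token!r}")
        if first < 1 or last > max_slot:
            raise ValueError(f"{token!r} is outside slots 1-{max_slot}")
        slots.update(range(first, last + 1))
    return sorted(slots)


def plan_security_group(chassis1, chassis2=""):
    """Return {chassis number: [slots]} for the two prompt lines (chassis 2 is optional)."""
    group = {1: parse_sgm_list(chassis1)}
    if chassis2.strip():
        group[2] = parse_sgm_list(chassis2)
    return group


def missing_from_group(group, detected):
    """(chassis, slot) pairs that are seated in a chassis but absent from the group."""
    return sorted((c, s) for c, s in detected if s not in group.get(c, []))


if __name__ == "__main__":
    # Constructed inventory: SGMs seated in chassis 1 slots 1-4 and chassis 2 slots 1-2.
    detected = {(1, 1), (1, 2), (1, 3), (1, 4), (2, 1), (2, 2)}
    group = plan_security_group("1-3", "1,2")
    print(group)
    print("seated but not in group:", missing_from_group(group, detected))
```

An SGM reported as seated but not in the group would not receive the automatically propagated installation and configuration settings.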
System Validation
Make sure that the initial system setup completed successfully by:
- Running the asg monitor command. An initial policy must be installed on the local SGM after initial setup completes and the SGM reboots.
To monitor the automatic installation of other SGMs, run: tail -f /var/log/start_mbs.log
After installation, all the SGMs in the security group must be in the Initial Policy state.
13. Enable the Firewall Software Blade. If required, enable other supported Software Blades.
14. In the navigation tree, select Topology.
15. Configure:
    - Interfaces as Internal or External
    - Anti-Spoofing
    Note: Only data and management interfaces are shown in the list.
16. Click OK. The Security Gateway object closes.
17. Install the Policy.

Confirming the Software Configuration
To make sure that the policy was successfully installed:
1.
Basic Configuration Using gclish
Use the gclish shell for basic system configuration.
To: Set an IPv4 address on an interface
Run: # set interface eth1-01 ipv4-address 50.50.50.10 mask-length 24
To: Show the IPv4 interface address
Run: # show interface eth1-01 ipv4-address
To: Delete the IPv4 address from an interface
Run: # delete interface eth1-01 ipv4-address
To: Set the hostname
Run: # set hostname (each SGM gets its local identity as suffix e.g.
Licensing and Registration
61000 Security Systems have an initial 15-day evaluation license. After the evaluation license expires, you must license and register the system. Each chassis is licensed separately. If you have a dual chassis system, you must install two licenses. The license key (CK) is the chassis serial number. The chassis serial number is printed on the chassis sticker. You can also retrieve the chassis serial number from the CCM.
Monitoring and Configuration Commands
Configure the appliance using g_commands or the gclish shell only.

Showing Chassis and Component State (asg stat)
Description
Use this command to show the chassis and component state for single and dual chassis configurations.
Example 1
asg stat
Output
Comments
Example 2
The output shows that:
Chassis 1 is in STANDBY state.
Comments
(local)  Represents the SGM on which the command asg stat -v was run.
State
  State     Meaning
  UP        The SGM is processing traffic
  DOWN      The SGM is not processing traffic
  DETACHED  No SGM has been detected in a slot
  Note - To manually change the state of an SGM to or from 'administratively down', use: asg_blade_admin.
Process  The process state of the SGM, whether the SGM is:
  Enforcing Security. The SGM is UP and working properly.
If you run asg stat -v, the output shows a higher unit weight and Chassis Grade:
Failure of an SGM with this high unit weight will cause a chassis failover, as the minimum grade gap for chassis failover remained at 11.
Minimum threshold for traffic processing: The minimum grade required for the chassis to become ACTIVE.
Minimum grade gap for chassis failover: Minimum grade gap is a value that determines when a chassis fails over.
Showing Chassis and Component Status (asg monitor)
Parameter      Description
interval       Monitors SGM state and running processes. Enter a decimal value in seconds, for example: asg monitor 3
-v interval    Monitors chassis parameters. For example: asg monitor -v 3
-all interval
Example 1
Output
Comments
The (number / number) convention presents the number of components actually up set against the number of components required to be up. For example, SGMs 3 / 3 means that 3 SGMs are up and 3 are required to be up.
Chassis grade is the sum of the grades of all components. The grade of each component = One Unit Weight x the number of components that are UP.
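The grade formula above, together with the minimum grade gap of 11 quoted for asg stat -v, can be used to ask which single component failure on the active chassis would open a failover-sized gap. This is an added example, not Check Point code: the unit weights and component counts are constructed for illustration, and the rule that failover happens when the standby grade leads the active grade by at least the minimum gap is an assumption of this example.

```python
MIN_GRADE_GAP = 11  # "minimum grade gap for chassis failover" value quoted in the guide

# Constructed unit weights for illustration only; read the real ones from asg stat -v.
UNIT_WEIGHT = {"SGMs": 6, "SSMs": 12, "CMMs": 6, "PSUs": 6, "Fans": 5}

# Constructed healthy chassis: how many components of each type are UP.
FULL_CHASSIS = {"SGMs": 3, "SSMs": 2, "CMMs": 2, "PSUs": 5, "Fans": 6}


def chassis_grade(up_counts, weights=UNIT_WEIGHT):
    """Chassis grade = sum over component types of (unit weight x number UP)."""
    return sum(weights[name] * up for name, up in up_counts.items())


def should_fail_over(active_grade, standby_grade, min_gap=MIN_GRADE_GAP):
    """Assumed rule: fail over when the standby chassis leads by at least min_gap."""
    return standby_grade - active_grade >= min_gap


def single_failures_causing_failover(active, standby, weights=UNIT_WEIGHT,
                                     min_gap=MIN_GRADE_GAP):
    """Component types where losing ONE unit on the active chassis triggers failover."""
    standby_grade = chassis_grade(standby, weights)
    triggers = []
    for name, up in active.items():
        if up == 0:
            continue  # nothing left of this type to lose
        degraded = dict(active, **{name: up - 1})
        if should_fail_over(chassis_grade(degraded, weights), standby_grade, min_gap):
            triggers.append(name)
    return sorted(triggers)


if __name__ == "__main__":
    print("healthy grade:", chassis_grade(FULL_CHASSIS))
    print("single failures that fail over:",
          single_failures_causing_failover(FULL_CHASSIS, FULL_CHASSIS))

    # Raising the SGM unit weight above the gap while the gap stays at 11 makes
    # the loss of one SGM enough to fail over, as the asg stat -v comment describes.
    heavy_sgm = dict(UNIT_WEIGHT, SGMs=12)
    print("with SGM weight 12:",
          single_failures_causing_failover(FULL_CHASSIS, FULL_CHASSIS, heavy_sgm))
```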
Monitoring Key Performance Indicators and Load Statistics (asg perf)
Parameter    Description
-b blades    List of Security Gateway Modules. For example:
             1_01              Chassis 1 SGM 1
             1_03-1_05         Chassis 1 SGMs 3, 4 and 5.
             1_01,1_03-1_05    Combination of previous two items
             all               All SGMs (including chassis 2, if applicable)
             chassis1          All SGMs in Chassis 1
             chassis2          All SGMs in chassis 2
             chassis_active    All SGMs in the active chassis
-v           Verbose mode: Per-Security Gateway Module display.
Showing Hardware Information for Monitored Components (asg hw_monitor)
Description
Use this command to show per-chassis hardware information and thresholds for monitored components, including:
- Security Gateway Module: CPU temperatures per CPU socket.
- Chassis fan speeds.
- Security Switch Module: throughput rates.
- Power consumption per chassis.
- Power Supply Unit: Whether installed or not.
Example
Comments
Column     Meaning
Location   To identify the location, see the 61000 Security System Front Panel ("61000 Security System Front Panel Modules" on page 9).
Value
Threshold  Most components have a defined threshold value. The threshold gives an indication of the health and functionality of the component.
Showing Security Gateway Module Resource Information (asg resource)
Description
Shows the Security Gateway Module (SGM) resource usage and thresholds for the entire 61000 Security System.
Syntax
asg resource [-b sgm]
Parameter  Description
-b sgm     List of Security Gateway Modules. For example:
           1_01         Chassis 1 SGM 1
           1_03-1_05    Chassis 1 SGMs 3, 4 and 5.
-h
Example
Comments
1. The Resource column identifies the resource. There are 4 kinds of resource:
   - Memory
   - HD: hard drive space (/)
   - HD: /var/log - space on hard drive committed to log files
   - HD: /boot - location of the kernel
2. The Location column identifies the SGM with the resource.
3. The Usage column shows in percentage terms how much of that resource has been used (hard drive or directory on hard drive) or is in use (memory).
4.

Searching for a Connection (asg search)
Comments
Searching for connections from 14.14.14.1 to 24.24.24.1 shows one SSH connection: <14.14.14.1, 38110, 24.24.24.1, 22, tcp>
This connection is handled by SGM 3 in chassis 1. The connection has a backup on SGM 1, and another backup in chassis 2 on SGM 3.

Configuring Alerts for SGM and Chassis Events (asg alert)
Description
Configure alerts for SGM and chassis events.
2. Run Test: Run a test on an alert, to make sure that it works properly.
3. Edit configuration: Change the configuration of an alert.
4. Show Configuration: Show the configuration of an alert.
Show hardware monitoring values using asg hw_monitor ("Showing Hardware Information for Monitored Components (asg hw_monitor)" on page 41).