61000

23 January 2014

Getting Started Guide

Check Point 61000 Security System

R75.40VS for 61000

Protected

Downloaded from www.Manualslib.com manuals search engine

2014 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.


Important Information Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation

The latest version of this document is at: (http://supportcontent.checkpoint.com/documentation_download?ID=20444)

To learn more, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

For more about this release, see the R75.40VS for 61000 home page (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk89900).

Revision History

Date Description

23 January 2014 Added Health and Safety Information in French ("Informations relatives la sant et la scurit" on page 6).

Improved formatting and document layout.

Added SGM240 LEDs support information.

16 September 2013 Added: After configuring a Security Gateway, verify the

configuration by running asg diag ("Confirming the Security

Gateway Software Configuration" on page 54).

9 July 2013 Corrected syntax of asg monitor command ("Monitoring

Chassis and Component Status (asg monitor)" on page 61).

Corrected examples of asg search command ("Searching

for a Connection (asg search)" on page 70).

21 March 2013 Added: Before creating the VSX Gateway, if the management

interface is not eth1-Mgmt4, see sk92556 ("Configuring a VSX

Gateway" on page 54).

10 February 2013 First release of this document.

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (mailto:[email protected]?subject=Feedback on R75.40VS Check Point 61000 Security System Getting Started Guide).


Health and Safety Information

Check Point Chassis Security System Getting Started Guide R75.40VS for 61000 | 4

Health and Safety Information Read these warnings before setting up or using the appliance.

Warning -

Do not block air vents. This is to ensure sufficient airflow for the individual SGMs in the Chassis.

This appliance does not contain any user-serviceable parts. Do not remove any covers or attempt to gain access to the inside of the product. Opening the device or modifying it in any way has the risk of personal injury and will void your warranty. The following instructions are for trained service personnel only.

Handle SGM system parts carefully to prevent damage. These measures are sufficient to protect your equipment from static electricity discharge:

When handling components (Fans, CMMS, SGMS, PSUs, SSMs) use a grounded wrist-strap designed for static discharge elimination.

Touch a grounded metal object before removing the board from the anti-static bag.

Hold the board by its edges only. Do not touch its components, peripheral chips, memory modules or gold contacts.

When holding memory modules, do not touch their pins or gold edge fingers.

Restore SGMs to the anti-static bag when they are not in use or not installed in the Chassis. Some circuitry on the SGM can continue operating after the power is switched off.

Do not let the lithium battery cell (used to power the real-time clock on the CMM) short. The battery can heat up and become a burn hazard.

Warning -

DANGER OF EXPLOSION IF BATTERY IS INCORRECTLY REPLACED. REPLACE ONLY WITH SAME OR EQUIVALENT TYPE RECOMMENDED BY CHECK POINT SUPPORT.

DISCARD USED BATTERIES ACCORDING TO INSTRUCTIONS FROM CHECK POINT.

Do not operate the processor without a thermal solution. Damage to the processor can occur in seconds.

Before you install or remove a chassis, or work near power supplies, turn off the power and unplug the power cord.

For California:

Perchlorate Material - special handling can apply. See http://www.dtsc.ca.gov/hazardouswaste/perchlorate

The foregoing notice is provided in accordance with California Code of Regulations Title 22, Division 4.5, Chapter 33. Best Management Practices for Perchlorate Materials. This product, part, or both may include a lithium manganese dioxide battery which contains a perchlorate substance.

Proposition 65 Chemical

Chemicals identified by the State of California, pursuant to the requirements of the California Safe Drinking Water and Toxic Enforcement Act of 1986, California Health & Safety Code s. 25249.5, et seq. ("Proposition 65"), that is "known to the State to cause cancer or reproductive toxicity" (see http://www.calepa.ca.gov)

WARNING:

Handling the cord on this product will expose you to lead, a chemical known to the State of California to cause cancer, and birth defects or other reproductive harm. Wash hands after handling.


Health and Safety Information


Federal Communications Commission (FCC) Statement:

Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.

Information to user:

The user's manual or instruction manual for an intentional or unintentional radiator shall caution the user that changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. In cases where the manual is provided only in a form other than paper, such as on a computer disk or over the Internet, the information required by this section may be included in the manual in that alternative form, provided the user can reasonably be expected to have the capability to access information in that form.

Canadian Department Compliance Statement:

This Class A digital apparatus complies with Canadian ICES-003. Cet appareil numrique de la classe A est conforme la norme NMB-003 du Canada.

Japan Class A Compliance Statement:

European Union (EU) Electromagnetic Compatibility Directive

This product is herewith confirmed to comply with the requirements set out in the Council Directive on the Approximation of the Laws of the Member States relating to Electromagnetic Compatibility Directive (2004/108/EC).

This product is in conformity with Low Voltage Directive 2006/95/EC, and complies with the requirements in the Council Directive 2006/95/EC relating to electrical equipment designed for use within certain voltage limits and the Amendment Directive 93/68/EEC.

Product Disposal

This symbol on the product or on its packaging indicates that this product must not be disposed of with your other household waste. Instead, it is your responsibility to dispose of your waste equipment by handing it over to a designated collection point for the recycling of waste electrical and electronic equipment. The separate collection and recycling of your waste equipment at the time of disposal will help to conserve natural resources and ensure that it is recycled in a manner that protects human health and the environment. For more information about where you can drop off your waste equipment for recycling, please contact your local city office or your household waste disposal service.


Informations relatives la sant et la scurit



Avant de mettre en place ou d'utiliser l'appareil, veuillez lire ces avertissements.

Avertissement :

Ne pas obturer les arations. Les SGM dans le chssis doivent disposer d'une aration suffisante.

Cet appareil ne contient aucune pice remplaable par l'utilisateur. Ne pas retirer de capot ni tenter d'atteindre l'intrieur. L'ouverture ou la modification de l'appareil peut traner un risque de blessure et invalidera la garantie. Les instructions suivantes sont rserves un personnel de maintenance form.

Manipulez avec prcautions les pices du SGM pour ne pas les endommager. Les mesures suivantes sont suffisantes pour protger votre quipement contre les dcharges d'lectricit statique :

Avant de manipuler un composant (ventilateur, CMM, SGM, PSU, SSM), portez au poignet un bracelet antistatique reli la terre.

Touchez un objet mtallique reli la terre avant de retirer la carte de son sachet antistatique.

Ne tenez la carte que par ses bords. Ne touchez aucun composant, puce priphrique, module mmoire ou contact plaqu or.

Lorsque vous manipulez des modules mmoire, ne touchez pas leurs broches ou les pistes de contact dores.

Remettez dans leur sachet antistatique les SGM lorsqu'ils ne sont pas utiliss ou installs dans le chssis. Certains circuits du SGM peuvent continuer de fonctionner mme si l'appareil est teint.

Il ne faut jamais court-circuiter la pile au lithium (qui alimente l'horloge temps-rel du CMM). Elle pourrait chauffer et dclencher un incendie.

Avertissement :

DANGER D'EXPLOSION SI LA PILE N'EST PAS CORRECTEMENT REMPLACE. NE REMPLACER QU'AVEC UN TYPE IDENTIQUE OU QUIVALENT, RECOMMAND PAR L'ASSISTANCE CHECKPOINT.

LES PILES DOIVENT TRE MISES AU REBUT CONFORMMENT AUX INSTRUCTIONS DE CHECKPOINT.

Ne pas faire fonctionner le processeur sans refroidissement. Le processeur peut tre endommag en quelques secondes.

Avant de manipuler une appliance ou ses blocs dalimentations, lteindre et dbrancher son cble lectrique.

Pour la Californie :

Matriau perchlorat : manipulation spciale potentiellement requise. Voir http://www.dtsc.ca.gov/hazardouswaste/perchlorate

L'avis suivant est fourni conformment au California Code of Regulations, titre 22, division 4.5, chapitre 33. Meilleures pratiques de manipulation des matriaux perchlorats. Ce produit, cette pice ou les deux peuvent contenir une pile au dioxyde de lithium manganse, qui contient une substance perchlorate.

Produits chimiques Proposition 65

Les produits chimiques identifis par l'tat de Californie, conformment aux exigences du California Safe Drinking Water and Toxic Enforcement Act of 1986 du California Health & Safety Code s. 25249.5, et seq. ( Proposition 65 ), qui sont connus par l'tat pour causer le cancer ou tre toxiques pour la reproduction (voir http://www.calepa.ca.gov)




AVERTISSEMENT :

La manipulation de ce cordon vous expose au contact du plomb, un lment reconnue par l'tat de Californie pour causer de cancer, des malformations la naissance et autres dommages relatifs la reproduction. Se laver les mains aprs toute manipulation.

Dclaration la Federal Communications Commission (FCC) :

Remarque : Cet quipement a t test et dclar conforme aux limites pour appareils numriques de classe A, selon la section 15 des rglements de la FCC. Ces limitations sont conues pour fournir une protection raisonnable contre les interfrences nocives dans un environnement commercial. Cet appareil gnre, et peut diffuser des frquences radio et, dans le cas dune installation et dune utilisation non conformes aux instructions, il peut provoquer des interfrences nuisibles aux communications radio. Le fonctionnement de cet quipement dans une zone rsidentielle engendrera vraisemblablement des perturbations prjudiciables, auquel cas lutilisateur sera tenu dliminer ces perturbations sa charge.

Information l'intention de l'utilisateur :

Le manuel utilisateur ou le manuel d'instruction d'un dispositif rayonnant (intentionnel ou non) doit avertir que toute modification non approuve expressment par la partie responsable de la conformit peut annuler le droit de faire fonctionner l'quipement. Si le manuel n'est pas fourni sous forme imprime (par exemple sur le disque d'un ordinateur ou via Internet), les informations requises par cette section doivent tre incluses dans ces versions du manuel, sous rserve que l'utilisateur soit raisonnablement capable d'y accder.

Dclaration de conformit du dpartement canadien :

This Class A digital apparatus complies with Canadian ICES-003. appareil numrique de la classe A est conforme la norme NMB-003 du Canada.

Dclaration de conformit de classe A pour le Japon :

Directive de l'Union europenne relative la compatibilit lectromagntique

Ce produit est certifi conforme aux exigences de la directive du Conseil concernant concernant le rapprochement des lgislations des tats membres relatives la directive sur la compatibilit lectromagntique (2004/108/CE).

Ce produit est conforme la directive basse tension 2006/95/CE et satisfait aux exigences de la directive 2006/95/CE du Conseil relative aux quipements lectriques conus pour tre utiliss dans une certaine plage de ensions, selon les modifications de la directive 93/68/CEE.

Mise au rebut du produit

Ce symbole appos sur le produit ou son emballage signifie que le produit ne doit pas tre mis au rebut avec les autres dchets mnagers. Il est de votre responsabilit de le porter un centre de collecte dsign pour le recyclage des quipements lectriques et lectroniques. Le fait de sparer vos quipements lors de




la mise au rebut, et de les recycler, contribue prserver les ressources naturelles et s'assure qu'ils sont recycls d'une faon qui protge la sant de l'homme et l'environnement. Pour obtenir plus d'informations sur les lieux o dposer vos quipements mis au rebut, veuillez contacter votre municipalit ou le service de gestion des dchets.


Contents

Important Information ............................................................................................................ 3 Health and Safety Information .............................................................................................. 4 Informations relatives la sant et la scurit ................................................................. 6 Introduction .......................................................................................................................... 11

Overview of Check Point 61000 Security Systems ............................................................ 11 Check Point Virtual Systems ............................................................................................. 11 In this Document ............................................................................................................... 13 Shipping Carton Contents.................................................................................................. 13

Hardware Components ........................................................................................................ 14 61000 Security System Front Panel Modules .................................................................... 14 Security Switch Module (SSM) .......................................................................................... 16

SSM160 Security Switch Module .................................................................................. 17 SSM60 Security Switch Module .................................................................................... 18 Security Switch Module LEDs ....................................................................................... 19

Security Gateway Module (SGM) ...................................................................................... 20 SGM260 LEDs .............................................................................................................. 20 SGM SGM220 LEDs ..................................................................................................... 22

AC Power Supply Units (PSUs) ......................................................................................... 23 AC Power Cords ................................................................................................................ 24 DC Power Entry Modules (PEMs) ...................................................................................... 26

PEM Panel and LED Indicators ..................................................................................... 26 Fan Trays .......................................................................................................................... 27 Chassis Management Modules.......................................................................................... 27 Blank Filler Panels for Airflow Management ...................................................................... 29

Front Blank Panels with Air Baffles ............................................................................... 29 Step 1: Site Preparation....................................................................................................... 30

Rack Mounting Requirements ........................................................................................... 30 Required Tools .................................................................................................................. 30

Step 2: Installing the Chassis in a Rack ............................................................................. 31 Step 3: Installing Components and Connecting Power Cables ........................................ 32

Inserting AC Power Supply Units ....................................................................................... 32 Inserting Fan Trays............................................................................................................ 33 Inserting Chassis Management Modules ........................................................................... 34 Inserting Security Switch Modules ..................................................................................... 35 Inserting Security Gateway Modules ................................................................................. 36 Inserting Transceivers ....................................................................................................... 37

Inserting Twisted Pair Transceivers .............................................................................. 37 Inserting Fiber Optic Transceivers ................................................................................ 38 Inserting QSFP Splitters ............................................................................................... 39

Inserting Front Blank Panels .............................................................................................. 39 Connecting AC Power Cables ........................................................................................... 39 Connecting DC Power ....................................................................................................... 39 Connecting a Second Chassis ........................................................................................... 41

Step 4: Turning on the 61000 Security System .................................................................. 42 Step 5: Validating Chassis ID on a Dual Chassis Configuration ...................................... 43 Step 6: Software Installation ............................................................................................... 44

Before Installing Firmware and Software ........................................................................... 44 Installing SSM160 Firmware .............................................................................................. 45 Installing the SGM Image .................................................................................................. 47

Installing the SGM Using snapshot import .................................................................... 47 Installing the SGM Image Using Removable Media ...................................................... 47

Step 7: Connecting to the Network ..................................................................................... 49


Step 8: Initial Software Configuration ................................................................................ 50 Connecting a Console ....................................................................................................... 50 Working on the Initial Setup ............................................................................................... 50

Step 9: SmartDashboard Configuration ............................................................................. 53 Configuring a Security Gateway ........................................................................................ 53

Confirming the Security Gateway Software Configuration ............................................. 54 Configuring a VSX Gateway .............................................................................................. 54

Wizard Step 1: Defining VSX Gateway General Properties ........................................... 55 Wizard Step 2: Selecting Virtual Systems Creation Templates ..................................... 55 Wizard Step 3: Establishing SIC Trust .......................................................................... 55 Wizard Step 4: Defining Physical Interfaces .................................................................. 56 Wizard Step 5: Virtual Network Device Configuration.................................................... 56 Wizard Step 6: VSX Gateway Management .................................................................. 56 Wizard Step 7: Completing the VSX Wizard ................................................................. 56 Confirming the VSX Gateway Software Configuration ................................................... 57

Basic Configuration Using gclish ....................................................................................... 58 Licensing and Registration ................................................................................................. 60 Monitoring and Configuration Commands ......................................................................... 61

Showing Chassis and Component State (asg stat) ............................................................ 61 Monitoring Chassis and Component Status (asg monitor) ................................................. 61 Monitoring Performance Indicators and Statistics (asg perf) .............................................. 63 Monitoring Hardware Components (asg hw_monitor) ........................................................ 64 Monitoring SGM Resources (asg resource) ....................................................................... 68 Searching for a Connection (asg search) ........................................................................... 70 Configuring Alerts for SGM and Chassis Events (asg alert) ............................................... 71 Monitoring the System using SNMP .................................................................................. 73

SNMP in a VSX Gateway ............................................................................................. 73 Troubleshooting Commands .............................................................................................. 75

Collecting System Diagnostics (asg diag) .......................................................................... 75 Error Types ................................................................................................................... 79 Changing Compliance Thresholds ................................................................................ 79


Introduction


Introduction Thank you for choosing Check Points 61000 Security System. We hope that you will be satisfied with this system and our support services. Check Point products supply your business with the most up to date and secure solutions available today.

Check Point also delivers worldwide technical services including educational, professional and support services through a network of Authorized Training Centers, Certified Support Partners and Check Point technical support personnel to ensure that you get the most out of your security investment.

For additional information on the Internet Security Product Suite and other security solutions, refer to the Check Point Web site (http://www.checkpoint.com), or call Check Point at 1(800) 429-4391. For additional technical information about Check Point products, consult the Check Point Support Center (http://supportcenter.checkpoint.com).

Welcome to the Check Point family. We look forward to meeting all of your current and future network, application and management security needs.

Overview of Check Point 61000 Security Systems The Check Point 61000 Security System is a high performance, scalable, carrier class solution for Service Providers and high-end data centers. The system gives advanced Security Gateway functionality to meet your dynamically changing security needs. Supported Security Gateway Software Blades include: Firewall, IPS, Application Control, Identity Awareness, URL Filtering, IPSec VPN, Anti-Bot, and Anti-Virus.

The Check Point 61000 Security System is a 14-15U Chassis and includes:

Component(s) Function

Up to 12 Security Gateway Modules (SGMs)

Runs a high performance Firewall, and other Software Blades.

2 Security Switch Modules (SSMs) Distributes network traffic to SGMs.

2 Chassis Management Modules (CMMs) Monitors the Chassis, the SSMs and the SGMs with zero downtime.

The 61000 Security System:

Is highly fault tolerant, and provides redundancy between Chassis modules, power supplies and fans. For extra redundancy, you can install a Dual Chassis deployment.

Has NEBS-ready and Non-NEBS versions. The Network Equipment Building Systems (NEBS) certificate ensures that 61000 Security System meets the environmental and spatial requirements for products used in telecommunications networks.

Includes a rich variety of CLI monitoring and management tools. The system can be centrally managed from Check Point Security Management Server or a Multi-Domain Security Management.

Lets you install different numbers of SGMs to match the processing needs of your network.

You can operate the 61000 Security System as a Security Gateway or as a VSX Gateway for Check Point Virtual Systems.

Check Point Virtual Systems With Check Point Virtual Systems you can consolidate infrastructure by creating multiple virtualized security gateways on the 61000 Security System, delivering deep cost savings, seamless security and infrastructure consolidation. Based on proven virtualized security design and the extensible Software Blade Architecture, Virtual Systems provide best-in-class customized security protections to multiple networks and simplify enterprise-wide policy by creating tailored policies for each network.


Introduction


Administrators can replicate conventional physical security gateways with Virtual Systems to deliver advanced protection to multiple networks and network segments. Up to 250 fully independent Virtual Systems can be supported on the 61000 Security System, delivering scalability, availability and performance while dramatically reduce hardware investment, space requirements and maintenance costs. The latest Check Point technologies ensure the best performance for virtualized security; CoreXL technology utilizes multi-core processors to increase throughput, 64-bit Gaia OS allows a significantly increased number of concurrent connections.

Complete virtualization of network infrastructure allows easy deployment and configuration of network topology with simpler inter-VS communication. Save the costs of external network routers and switches by using integrated virtual routers, switches and links to direct traffic to their intended destinations.

KEY FEATURES

Consolidate up to 250 gateways in a single device

Software Blade Architecture

Gaia 64-bit operating system

Separation of management duties

Customized security policies per Virtual System

Per Virtual System Monitoring of resource usage

KEY BENEFITS

Easily add virtual systems to a security gateway

Reduce hardware cost and simplified network policy by consolidating multiple gateways into a single device

Stronger performance and manageability enable enterprises to better leverage their investment

More granularity and greater manageability with customizable policies per Virtual System

Better usage-based resource planning with per Virtual System monitoring

Boost performance with Multi-core CoreXL technology


Introduction


In this Document A brief overview of necessary 61000 Security System concepts and features

A step by step guide to getting the 61000 Security System up and running

Note - Screen shots in this guide may apply only to the highest model to which this guide applies.

Shipping Carton Contents This section describes the contents of the shipping carton.

Item Description

Check Point 61000 Security System

A single 61000 Security System Chassis

61000 Security System components

2 to 12 Security Gateway Modules

2 Security Switch Modules

2 Chassis Management Modules

Power Supplies (preinstalled)

5 AC Power Supply Units (PSUs) or

1 to 2 DC Power Entry Modules (PEMs)

6 Fans (preinstalled)

Power cord set

Documentation EULA

Welcome document

Obligatory Hardware Purchases

Transceivers are not included in the shipping carton and must be purchased separately.

SSM60 Transceivers

Ports Required Transceivers

Network and Synchronization Fiber transceiver for 10GbE XFP ports (SR/LR)

Management and log Fiber transceiver for 1GbE SFP ports (SX/LR)

Twisted-pair transceiver for 1GbE SFP ports

Fiber transceiver for 10GbE XFP ports (SR/LR)

SSM160 Transceivers


Network and Synchronization SFP+ (10GbE) Fiber transceiver for SFP+ ports (SR/LR)

SFP (1GbE) Fiber transceiver for SFP+ ports (SX/LX)

Twisted pair (1GbE) transceiver for SFP+ ports

QSFP transceiver for 40GbE ports (SR/LR)

QSFP splitter for 40GbE ports


Hardware Components



Management and log Fiber/Twisted pair transceiver for 1GbE SFP+ ports (SX/LX)

SFP+ (10GbE) Fiber transceiver for SFP+ ports (SR/LR)

Hardware Components This section is about the hardware components of the 61000 Security System.

61000 Security System Front Panel Modules

Item Description

1 The Security Gateway Modules (SGMs) in the Chassis work together as a single, high performance Security Gateway or VSX Gateway. Adding a Security Gateway Module scales the performance of the system. A Security Gateway Module can be added and removed without losing connections. If an SGM is removed or fails, traffic is distributed to the other active SGMs.

Security Gateway Module slots are numbered 1 to 12, left to right. Slot 7 for example, (labeled [7] in the diagram) is the slot that is immediately to the right of the two Security Switch Module slots.


Hardware Components


Item Description

2 Console port, for a serial connection to a specific SGM using a terminal emulation program.

3 USB port, for a connection to external media, such as a DVD drive.

4 The Security Switch Module (SSM) distributes network traffic to the Security Gateway Modules and forwards traffic from the Security Gateway Modules. Two are inserted in a chassis. Two SSM versions are available:

SSM60

Not supported in a VSX Gateway

Not supported for SGM240

SSM160

For more about each port, see Security Switch Module Ports ("Security Switch Module (SSM)" on page 16).

5 The Chassis Management Module (CMM) monitors the status of the chassis hardware components. It also supplies the DC current to the cooling fan trays.

If the Chassis Management Module fails or is removed from the chassis, the 61000 Security System continues to forward traffic. However, hardware monitoring is not available. Adding or removing a Security Gateway Module to or from the chassis is not recognized. if the two CMMs are removed, the cooling fans stop working.

Warning - There must be at least one CMM in the chassis.

A second Chassis Management Module can be used to supply CMM High Availability.

In the CLI output, the lower slot is listed bay 1. The upper slot is listed as bay2.

6 Power:

AC Power Supply Units (PSUs)

100 VAC to 240 VAC

3-5 PSUs

Or:

DC Power Entry Modules (PEMs)

48 VDC to 60 VDC

2 PEMs

Field-replaceable and hot-swappable

In the CLI output:

Upper slots are for DC PEMs. They are listed as bay 1 and bay 2, numbered right to

left.

Lower slots are for AC PSUs. They are listed as bay 1 to bay 5, numbered right to left.


Hardware Components


Security Switch Module (SSM) The Security Switch Module (SSM) distributes network traffic to the Security Gateway Modules and forwards traffic from the Security Gateway Modules. Two are inserted in a chassis. Two SSM versions are available:

SSM60

Not supported in a VSX Gateway

Not supported for SGM240

SSM160


Hardware Components


SSM160 Security Switch Module

Security Switch Modules Item Description

(1) 1 port for direct access through LAN

1 port for direct access through console (serial)

(2) 2 x 40GbE QSFP data ports. In the initial setup program, the interface names are:

Left Security Switch Module:

eth1-09, eth1-13

Right Security Switch Module:

eth2-09, eth2-13

Use a QSFP splitter to split each of the two QSFP ports to 4 x 10GbE. When using a QSFP splitter the interface names are:

Left Security Switch Module upper QSFP port:

eth1-09 to eth1-12

Left Security Switch Module lower QSFP port:

eth1-13 to eth1-16

Right Security Switch Module upper QSFP port:

eth2-09 to eth2-12

Right Security Switch Module lower QSFP port:

eth2-13 to eth2-16

(3) 7 x 10GbE SFP+ data ports

Can use 1GbE or 10GbE transceivers

In the initial setup program, the interface names are:

Left Security Switch Module: eth1-01, eth1-02, ... eth1-07

Right Security Switch Module: eth2-01, eth2-02, ... eth2-07

In SmartDashboard, define used interfaces as internal or external.

(4) 1 synchronization port for connecting to and synchronizing with another 61000 appliance that functions as a high availability peer.

10 GbE SFP+ port

Interface names are eth1-Sync in the left and

eth2-sync on the right.

(5) Management and logging ports. Connect these ports to the management/logging network. Security Management Server or dedicated logging servers should be accessible from these interfaces.

2x 10GbE SFP+ port

In the 61000 appliance initial setup program, these interfaces are labeled:

On the left SSM: eth1-Mgmt1, eth1-Mgmt2

On the right SSM: eth2-Mgmt1, eth2-Mgmt2


Hardware Components


(6) Management and logging ports. Connect these ports to the management/logging network. Security Management Server or dedicated logging servers should be accessible from these interfaces.

2 x 1GbE SFP port

In the 61000 appliance initial setup program, these interface are labeled

On the left SSM: eth1-Mgmt3, eth1-Mgmt4

On the right SSM: eth2-Mgmt3, eth2-Mgmt4

SSM60 Security Switch Module

Security Switch Modules Item

(1) 5 x 10GbE XFP data ports in each Security Switch Module. These data ports are the network interfaces of the 61000 Security System.

In the initial setup program, the interfaces in the

Left Security Switch Module are named: eth1-01, eth1-02, ... eth1-05

Right Security Switch Module are named: eth2-01, eth2-02, ... eth2-05

In SmartDashboard, define used interfaces as internal or external.

(2) 1 synchronization port on each SSM for connecting to and synchronizing with another 61000 Security System that functions as a high availability peer.

(3) 4 ports for management and logging on each SSM.

2 Upper ports: 1GbE SFP

2 Lower ports: 10GbE XFP

Connect these ports to the management/logging network. Security Management Server or dedicated logging servers should be accessible from these interfaces.

In the initial setup program, the interfaces are named:

On Left SSM:

eth1-Mgmt1, eth1-Mgmt2, ... eth1-Mgmt4

On the right SSM:

eth2-Mgmt1, eth2-Mgmt2, ... eth2-Mgmt4


Hardware Components


Security Switch Module LEDs

Item LED Status Description

1 Out of service

Red

SSM out of service

Off (Normal) SSM hardware is normal

2 Power

On (Normal) Power on

Off Power off

3 Hot-swap

Blue SSM can be safely removed

Blue blinking

SSM is going to Standby mode. Do not remove

Off (Normal) SSM is Active. Do not remove

4 SYN ACT On (Normal) Normal operation

Off N/A

5 Link On Link enabled

Yellow blinking

Link is active

Off Link is disabled


Hardware Components


Security Gateway Module (SGM) The Security Gateway Modules (SGMs) in the Chassis work together as a single, high performance Security Gateway or VSX Gateway. Adding a Security Gateway Module scales the performance of the system. A Security Gateway Module can be added and removed without losing connections. If an SGM is removed or fails, traffic is distributed to the other active SGMs.

These SGM versions are available:

SGM220

SGM220T (for NEBS)

SGM240

The SGM240 has more powerful CPUs and uses a more advanced technology. It also has a different front panel layout and different LEDs.

SGM260 LEDs


5 Out of service

Red

SGM out of service

Off (Normal) SGM hardware is normal

6 Health

Green (Normal)

SGM core operating system is active

Green blinking

SGM core operating system is partially active

Off SGM operating system is in standby mode

7 Hot-swap

Blue SGM can be safely removed

Blue blinking SGM is going to standby mode. Do not remove

Off (Normal) SGM is active. Do not remove

CTRL Link 1

CTRL Link 2

SSM1 and SSM2 management ports

Yellow Link enabled

Yellow blinking

Link is active


CTRL SPEED 1

CTRL

SSM1 and SSM2 management ports

Yellow 10 Gbps

Green 1 Gbps

Off 100 Mbps


Hardware Components


SPEED 2

Traffic 1

2

3

4

On Data and sync traffic in SSM1, SSM2, SS3, SSM4

L2 Off Not used

L1 Red. Lower Right

Installation started

Red blink, in sequence

Installation in progress

Red. All

Installation failure

Yellow.Left

Installation completed

Green. Right

SGM is being configured. (Using First Time Configuration Wizard or adding a new SGM into a Chassis)

Off SGM is configured and ready


Hardware Components


SGM SGM220 LEDs


1 Out of service

Red

SGM out of service

Off (Normal) SGM hardware is normal

2 Health

Green (Normal)

SGM core operating system is active

Green blinking

SGM core operating system is partially active

Off SGM operating system is in Standby mode

3 Hot-swap

Blue SGM can be safely removed

Blue blinking SGM is going to Standby mode. Do not remove

Off (Normal) SGM is active. Do not remove

4 Link Yellow Link enabled

Yellow blinking

Link is active


5

Data port speed

Yellow 10 Gbps

Green 1 Gbps

Off 100 Mbps

Management port speed

Yellow 1 Gbps

Green 100 Mbps

Off 10 Mbps

6

L

LEDs 2 and 4 - Green

SGM is being configured. (Using First Time Wizard or adding a new SGM into a Chassis)

All LEDs - Off SGM is configured and ready


Hardware Components


AC Power Supply Units (PSUs) 5 Field replaceable and hot swappable 100 VAC to 240 VAC Power Supply Units (PSUs) supply :

Power to the Chassis

Power filtering and over-current protection.

Each PSU is located on a tray that slides directly into the backplane.

The AC Power inlets are located in the rear of the Chassis. Each power supply has one power inlet.

Item Description (AC Power Unit)

1 Air filter. Prevents dust entering the PSU.

2 Latch for extracting and inserting the PSU.

3 AC Power Supply LED

Green: AC Power is OK.

OFF: AC power is OFF

4 DC Power Supply LED

Green: DC Power is OK.

Red: DC power failure or Hot swap ready

5 Extraction handle for holding the PSU during extraction and insertion

Power Requirements:

Each PSU supplies power at these values:

1500W at 220VAC 1200W at 110VAC


Hardware Components


Power Consumption Data:

Chassis (constant) - 100W

Fan - 240W maximum

CMM - 10W maximum

SGM - 300W maximum

SSM- 300W maximum

Recommended quantity of PSUs

Important - One power supply cannot supply a fully loaded Chassis. This table shows how to calculate the recommended number of power supplies.

For a PSU that supplies 1500W

Number of SGMs Minimum (N) Recommended (N+1)

2 2 3

4 2 3

6 3 4

8 3 4

10 4 5

12 4 5

AC Power Cords The supplied AC power cords are specific to the geographical region. These are some of the available power cords.

Region PLUG CONNECTOR CABLE

EU KC-015, 16A 250V ~

KC-003H, 10 A 250V~

H05RR-F,3G 0.75mm2

AUSTRALIA KC-014, 10A 250V

KC-003H, 10 A 250V~

H05RR-F 3G 0.75mm2


Hardware Components


Region PLUG CONNECTOR CABLE

UK KC-039, 13A 250V~

KC-003H, 10 A 250V~

H05RR-F 3G 0.75mm2

JP KC-001, 15A 125V

KC-003H, 15A 125V

VCTF 3G 2.0mm2

US KC-001, 15A 125V

KC-003H, 15A 125V

SJT 14/3C 75C

CHINA KC-017N, 10A 250V~

KC-003H, 10 A 250V~

H05RR-F 3G 0.7mm2


Hardware Components


DC Power Entry Modules (PEMs) The DC 61000 Security System configuration includes two Power Entry Modules (PEMs), each with a rating of -48/-60VDC 125A. The PEMs supply DC power, EMC filtering and over-current protection for the Chassis. Each PEM can supply 100% of Chassis power. The PEM is a customer replaceable unit. The two-PEM configuration provides full redundancy. The PEMs are located in the bottom-rear of the Chassis.

The DC configuration does not have its own power source. You must supply a mains DC power system that includes an external battery and a branch circuit breaker of 125A for each PEM.

You must also supply lugs (Panduit LCD6-14A-L). Use them to connect wires to the terminal blocks of the PEMs.

PEM Panel and LED Indicators

Item Description

1 Locking captive screws. Secure the PEM in the Chassis.

2 Handles. Used for holding the PEM during insertion and extraction.

3 Terminal blocks: -48/-60 VDC and Return. Each terminal block has 4 terminal studs.

4 PEM Status LEDs.

5 Hot-Swap button. Used for evoking the hot swap sequence.

6 4 Circuit breakers. 50A per circuit breaker.

PEM Status LEDS

Item Description

Status Green: OK

Red: Failure

Fault Green: OK

Red: -48VDC is missing

HS Blue steady: Powering up or ready for extraction

Blue blinking: Hot swap process

OFF: Working


Hardware Components


Important -

Do not remove a PEM while an electrical charge remains in the wiring.

Before replacing a PEM, verify that power source is disconnected and isolated.

The PEMs circuit breaker has only one pole and disconnects only the -48V lead. The 48VDC RTN lead is always connected.

Fan Trays The cooling system consists of three high performance fan trays. The fan trays are at the rear of the Chassis. Each tray contains two fans that supply air volume and velocity for cooling front and rear Chassis components. Air flows from the inside to the outside of the Chassis.

Item Description

1 Power fault LED

2 Locking captive screw

Three fan trays are preinstalled (6 fans).

Chassis Management Modules The Chassis Management Module controls controls and monitors Chassis operation. This includes fan speed speed, Chassis and module temperature, and component hot-swapping.


Hardware Components


Item Description

1 General LEDs

2 Telco Alarm LEDs

3 Application defined LEDs

4 Latch

5 Network port

6 Serial port

7 Alarm

8 Thumb screw

General LEDs

LED Status Meaning

ACT

Green Chassis Management Module is active

Red Chassis Management Module failure

Green blink Chassis Management Module inactive

PWR

Green Good local voltage supply on Chassis Management Module

Off Local voltage failure

HS (hot swap)

Steady blue Chassis Management Module is powering up or ready for extraction.

Blue blink Chassis Management Module is being hot swapped

Off Chassis Management Module in operation

Telco Alarm LEDs

LED Status Meaning

CRT (Critical)

Off Normal operation

Red System alarm event

MJR (Major)


Red System Alarm event

MNR (Minor)


Red System alarm event


Hardware Components


Blank Filler Panels for Airflow Management Compliance with temperature specifications requires a stable air flow in the Chassis. To make sure that the Chassis is correctly cooled, fully populate the Chassis or add blank filler panels to the empty slots.

Two types of airflow-management panels are available for the empty slots on the Chassis:

Front blank panels with air baffles

Rear panel with air baffles

Front Blank Panels with Air Baffles

Item Description

1 Slot cover

2 Tightening screws

3 Air Baffles


Step 1: Site Preparation


Step 1: Site Preparation This step covers preparing the site.

Rack Mounting Requirements Before mounting the 61000 Security System in a standard 19" rack, make sure that:

The rack is stable, level, and secured to the building.

The rack is sufficiently strong to support the weight of a fully loaded Security System (http://www.checkpoint.com/products/downloads/datasheets/61000-security-system-datasheet.pdf).

The rack rails are spaced sufficiently wide to accommodate the system's external dimensions.

The shelf is mounted on the rack.

There is sufficient space at the front and rear of the Chassis to let service personnel to swap out hardware components.

The rack has a sufficient supply of cooling air.

The rack is correctly grounded.

A readily accessible disconnect device is incorporated into the buildings wiring. The disconnect device must be placed between the system's AC power inlet and the power source. The disconnect device rating required must be determined by the nominal input voltage.

There are at least two inches of clearance at the air inlets and outlets to make sure there is sufficient airflow.

Hot exhaust air is not circulated back into the system.

At least two persons are available to lift the Chassis.

You have eight M6x10 (or longer) screws to mount the Chassis on the rack.

Required Tools To install the appliance in a standard 19" rack, these tools are required:

Standard Philips (+) screwdriver set

Wrench

Electrostatic Discharge (ESD) grounding wrist strap


Step 2: Installing the Chassis in a Rack


Step 2: Installing the Chassis in a Rack

Before mounting on rack, attach the rear-end static grounding screws to the Chassis.

To install the Chassis on the Rack:

1. Set the Chassis in front of the rack, centering the Chassis in front the shelf.

2. Lift and slide the Chassis on to the rack shelf.

3. Make sure that the holes in the front mounting flanges of the Chassis align with the holes in the rack rails.

4. Insert mounting screws into the front mounting flanges aligned with the rack.

5. Secure the appliance by fastening the mounting screws to the rack

The appliance must be level, and not positioned at an angle.

6. Attach grounding cables to the grounding screws on the Chassis.


Step 3: Installing Components and Connecting Power Cables



This section covers inserting:

Chassis Management Modules

Security Switch Modules

Security Gateway Modules

Twisted pair and fiber optic transceivers into ports on the Security Switch Modules

Transceivers into the management ports on the Security Switch Modules

Covers for blank slots

This section also covers:

Backup Chassis in a dual Chassis environment

Power cables

Inserting AC Power Supply Units Power Supply Units (AC only) are inserted at the front of the Chassis. If you have one Power Supply Unit already in place, other units can be swapped in and out without interfering with the operation of the 61000 Security System. Note that one PSU cannot supply sufficient power to support a fully populated Chassis.

To Insert a Power Supply Unit:

1. Pull out the latch.

2. Push in the Power Supply until it locks in place.

3. Push in the Power Supply insertion latch.

4. Make sure that the DC LED show green.




Inserting Fan Trays When a fan tray is inserted into the Chassis, the fans start at full speed and then decrease by steps of 7%. Under normal operating conditions, the fans run at 21% of full speed. The lower speed reduces the noise and increases the longevity of the fans.

The speed of each individual fan is monitored. If the speed of one fan drops below the desired speed (i.e. fan failure) , the other fans speed up.

Fans are pre-installed in the appliance. Manual replacement must be coordinated with Check Point Support.

To Insert a Fan:

1. Slide the fan into the allocated space.

2. Tighten the locking captive screw.




Inserting Chassis Management Modules

To insert a Chassis Management Module:

1. On the CMM, remove the tape on the battery.

This tape protects the battery life before installation.

2. Open the upper latch.

3. Insert the Chassis Management Module into the allocated slot.

Note - If you have only one CMM, we recommend inserting it into the lower Chassis slot.

4. Close the latch.

5. Tighten the two thumb screws.

6. After power up, all LEDs must light up for 1-2 seconds. The ACT and PWR LEDs continue to show green after the other LEDs turn off.




Inserting Security Switch Modules

To insert a Security Switch Module:

1. Open the latches at the top and bottom of the Security Switch Module.

2. Slide the SSM into the allocated slot.

3. Fasten the latches.

4. Tighten the screws.




Inserting Security Gateway Modules

To insert a Security Gateway Module:

1. Open the latches at the top and bottom of the Security Gateway Module.

2. Make sure the SGM is located correctly on the Chassis rail.

3. Slide the Security Gateway Module into the allocated slot.

4. Fasten the latches.

5. Tighten the thumb screws.




Inserting Transceivers For connecting different interface types to the 61000 Security System using SFP, SFP+, or XFP ports on the SSM, Security Switch Modules support Twisted Pair and Fiber Optic transceivers.

The type and number of transceiver ports available depends on the SSM.

Note - Remember to select a transceiver that matches the speed of the designated port.

Inserting Twisted Pair Transceivers

Twisted pair transceivers can be inserted into:

Data and management ports on the SSM160




SFP management ports on the SSM60

Slide the transceiver into the open Security Switch Module port.

Inserting Fiber Optic Transceivers

Fiber transceivers can be inserted into data and management ports on the SSM60 and SSM160 switch modules. The ports can be SFP, SFP+ or XFP.

Slide the transceiver into the open Security Switch Module port.




Inserting QSFP Splitters

1. Insert the QSFP transceiver into the Security Switch Module.

2. Insert the QSFP splitter cable into the transceiver.

This converts the 40GbE QSPF port to 4 10GbE ports.

Inserting Front Blank Panels Blank panels contain cooled air in the appliance. Use the blank panels to close open slots.

To insert a blank panel at the front:

1. Insert the blank panel into the open slot.

2. Tighten the two thumb screws.

Note - Rear blank panels are pre-installed on the Chassis.

Connecting AC Power Cables To connect AC power:

1. Check circuit breaker at the mains is off.

2. Insert an AC power cable into each AC power inlet on the rear-bottom of the Chassis.

Connecting DC Power Connect the DC PEMs in the 61000 Security System to an external battery power source. You must have a mains DC power supply system that includes batteries and a branch circuit breaker of 125A for each PEM.

The DC PEM is described in DC Power Entry Modules (PEMs) (on page 26)

Tools and Parts Required

4 DC wire leads for each PEM, to connect the PEM to the DC power supply. Use 6AWG wires. There is no standard for DC wire color coding. Therefore, use the color coding of the DC power source (battery) for the DC wire leads.

4 lugs (Panduit LCD6-10A-L) for each PEM. For connecting the wire leads to the PEM terminal blocks.

Crimping tool to connect the wire leads to the lugs.

Wire cutters.

Hexagonal-head socket wrench, or nut driver for tightening nuts to terminal studs on each PEM.

To connect DC power:

Note - These instructions assume that the PEMs are installed in the 61000 Security System Chassis.

1. Set the branch circuit breakers at the mains to OFF.

2. On the PEM, set all the circuit breakers to OFF.

3. Remove the protective plastic cover.

4. Where the PEM is marked -48/-60 VDC and Return, remove the nuts from the terminal studs. Use a socket wrench or nut driver.

5. Connect the 48/-60 VDC cables to the battery:

a) Using the crimping tool, connect two 6 AWG wire leads to two lugs.

b) Attach the two wired lugs to the -48/-60 VDC terminal studs on the PEM. Use the socket wrench or nut driver.

c) Connect the other ends of the two wires to the -48/-60VDC battery terminal.




6. Connect the Return cables to the battery:

a) Using the crimping tool, connect two 6 AWG wire leads to two lugs.

b) Attach the two wired lugs to the Return terminal studs on the PEM. Use the socket wrench or nut driver.

c) Connect the other ends of the two wires to the Return battery terminal.

7. Make sure that you have correctly connected the battery to the PEM. Do this by using a multimeter to measure the resistance between disconnected PEM wire leads and the Battery Return pole.

For all the PEM wired leads, one at a time:

a) At the battery, disconnect a PEM wire lead from the battery.

b) Connect one multimeter probe to the battery Return and the other probe to the PEM wire lead.

A very large resistance (indicating an open circuit) shows that the wire lead is connected to the PEM -48/-60VDC terminal.

A very low resistance (indicating a closed circuit) shows that the wire lead is connected to the PEM Return terminal.

c) Reconnect the PEM wire lead to the battery.

8. At the PEM:

a) Attach the protective plastic cover.

b) Set all the circuit breakers to ON.

9. Do step 2 to step 8 for the second PEM.

10. Set the branch circuit breakers at the mains to ON.




Connecting a Second Chassis If you have a dual Chassis environment (for Chassis high availability):

For the second Chassis, repeat Step 1: Site Preparation (on page 30) to Step 3: Installing Components and Connecting Power Cables (on page 32)

Connect the second Chassis.

On each SSM, connect the sync ports to the corresponding sync ports on the backup Chassis (eth1-

Sync in Chassis1 to eth1-Sync in Chassis2, eth2-Sync in Chassis1 to eth2-Sync in

Chassis2).


Step 4: Turning on the 61000 Security System


Step 4: Turning on the 61000 Security System

Connect the appliance to the power source. At power up:

Fan speed goes to maximum.

LEDs on the Chassis Management Module light up.

After 1-60 seconds, fan speed slows down until it reaches the optimum rate for cooling.

Chassis Management Module ACT and PWR LEDs show green.

Other LEDs turn off.

Turning off the 61000 Security System

1. Shutdown the SGMs:

If the installation wizard (Step 5) has not yet run, release the levers on each SGM to shut them down

If the installation wizard has run, from gclish run: asg_hard_shutdown -b all

2. Shutdown SSMs and CMMs by releasing the levers.

3. After the LEDs on SGMs, SSMs and CMMs (both Chassis) show a steady blue, unplug the power cords.


Step 5: Validating Chassis ID on a Dual Chassis Configuration


Step 5: Validating Chassis ID on a Dual Chassis Configuration

When installing and configuring dual Chassis in high availability, make sure that:

The CMMs on the same Chassis have the same Chassis ID.

Each pair of CMMs on the different Chassis have different Chassis ID.

The CMMs on Chassis should include chassis_id (SHMM_CHASSID=1). The CMMs on

Chassis should include chassis_id (SHMM_CHASSID=2).

Note - When a new CMM is added to the system, it is necessary to validate its Chassis_ID. Make sure that Chassis for the new CMM is in Standby mode.

To validate the Chassis IDs:

1. When you receive the shipment make sure that the stickers on the outer box are marked with numbers 1 and 2.

If the numbers are the same, contact Check Point Technical Support.

2. Open the outer box, and confirm that the stickers on the Chassis and the CMM blades are different for each Chassis.


3. We recommend that you validate the CMM configured IDs.

a) Log in to the 61000 Security System.

(i) Connect the RJ-45 jack serial cable to the console port on CMM blade.

(ii) Connect the other end of the serial cable to the computer that you are using to do the initial configuration of the 61000 Security System.

(iii) Connect to the 61000 Security System 160 using a terminal emulation application such as PuTTY.

Make sure the Speed (baud rate) is set to 9600.

No IP address is necessary.

(i) Log in with username and password: admin/admin.

b) Verify that the CMM ID is correct. Run this command:

# cat /etc/shmm.cfg | grep CHASSID

This is a sample output from CMM 1: SHMM_CHASSID=1

c) Do these steps again to validate the CMM IDs on the other Chassis.



Step 6: Software Installation


Step 6: Software Installation You must install the SSM160 firmware and then install the SGM image.

Before Installing Firmware and Software Installing Components and Connecting Cables:

Install all components in the Chassis (SGMs, SSMs and CMMs).

If you have a dual Chassis environment, connect only one Sync cable between the two Chassis.

Connect eth1-Sync on chassis1 to eth1-Sync on chassis2. (Connect the second sync cable

after installing software).

For IP management of the 61000 Security System, connect a cable to one of the management interfaces on

chassis1.

Connecting a Console

Use a console to configure a Security Group and an accessible management IP address on the 61000 Security System.

1. Connect the supplied DB9 serial cable to the console port on the front of the 61000 Security System.

2. Connect to the 61000 Security System using a terminal emulation program such as PuTTY or Microsoft HyperTerminal.

3. Configure the terminal emulation program:

In PuTTY select the Serial connection type. Go to the Connection > Serial page.

In HyperTerminal Connect To window, select a port from the Connect using list.

Define the serial port settings: 9600 BPS, 8 bits, no parity, 1 stop bit. Flow control: None

4. Connect to the first SGM in the 61000 Security System.

5. Turn on the 61000 Security System.

6. Log in with username: admin and password: admin

Configuring a Security Group and a Management IP Address

1. Start the installation wizard. Run: #setup

2. In the Welcome screen, press a key.

3. Select Set SGMs for Security Group

Define the SGMs that belong to the Security Group. There are two lines, one for Chassis 1, one for Chassis 2.




In each line, you can enter:

all (same as 1-12)

A range, such as: 1-9

A number of comma-separated ranges, such as: 1-3,5-7

Single SGMS, such as: 1,4

A combination of single SGMs and ranges, such as: 10,2, 3-7.

By default, the SGM you are connected to belongs to the group: Chassis 1, SGM 1 (slot 1 in Chassis

1). For more about Security Gateway Module numbering, see 61000 Security System front panel components ("61000 Security System Front Panel Modules" on page 14).

4. Select Network Connections.

For the management interface, configure:

An IP address

The Netmask length

5. Configure Routing.

If you are directly connected to the management interface: Skip this step.

If you are not directly connected to the management interface: Define a route which will allow you to access the 61000 Security System.

6. Click Next until you finish the installation wizard. At the Secure Internal Communication stage, enter a

dummy key.

Configuration settings are applied, and the Security Gateway Modules reboots. Other Security Gateway Modules in the Security Group are installed automatically.

Validating the Initial System Setup:

To make sure that the initial system setup is completed successfully:

Run the asg monitor command. An initial policy must be installed on the local SGM after initial setup

completes and the SGM reboots.

To monitor the automatic installation of other SGMs, run: tail -f /var/log/start_mbs.log.

Wait until the installation process is complete.

The installation process is complete when all the SGMs in the security group are UP and in the Initial Policy state.

Installing SSM160 Firmware You must install firmware on the Security Switch Module SSM160. There is no need to install firmware on SSM60.

Installing the SSM160 Firmware

1. Download the SSM160 firmware from the R75.40VS for 61000 Home page (http://supportcontent.checkpoint.com/solutions?id=sk89900).




2. Connect to one SGM, using the management IP address configured in the installation wizard.

3. Copy the SSM160 firmware file to the SGM using the scp command to the IP address of the management interface, to the /home/admin directory. This copies the file to the left-most SGM on the active Chassis.

4. From this SGM, copy the firmware file to the other SGMs in the Security Group. Run: >asg_cp2blades b /home/admin/

5. From this SGM, copy the firmware to the two SSMs in the Chassis. Run for each SSM: scp -P 2024 2.4.B27.2.T-HUB4.tar.bz2 root@SSM[1|2]:/batm/current_version/

6. Enter the SCP password you received from Support.

You may see a read-only file system error. For example:

# scp -P 2024 2.4.B27.2.T-HUB4.tar.bz2 root@ssm2:/batm/current_version/

root@ssm2's password:

scp: /batm/current_version//2.4.B27.2.T-HUB4.tar.bz2: Read-only file system

If you see a read-only file system error do this:

a) Connect to the SSM via ssh. From the expert shell, run: ssh ssm

The password is admin

b) From default shell, run unhide private

The password is private

c) Run the following commands:

# show private shell

# mount -rw -o remount /batm/

# exit

# logout

d) Run the firmware copy command for each SSM: scp -P 2024 2.4.B27.2.T-HUB4.tar.bz2 root@ssm2:/batm/current_version/

e) Enter the SCP password you received from Support.

7. Activate the new firmware on the SSM. Do this for the two SSMs on the Standby Chassis:

a) Connect to the SSM via ssh. Run from expert shell: ssh ssm

The password is admin

b) Run #file ls os-image

and copy to clipboard the name of the new image file

c) Run #file activate-os-image 2.4.B27.2.T-HUB4.tar.bz2

d) Move to configuration shell. Run: #config terminal

e) Reload the SSM with the new image. Run #system reload manufacturing-defaults

Example:

T-HUB4#file activate-os-image 2.4.B27.2.T-HUB4.tar.bz2

Image file 2.4.B27.2.T-HUB4.tar.bz2 is tested for validity, please wait...

OK

Activating image 2.4.B27.2.T-HUB4.tar.bz2..

T-HUB4#config terminal

Entering configuration mode terminal

T-HUB4(config)#system reload manufacturing-defaults

Are you sure that you want to delete existing configuration and reload

manufacturing default configuration (yes/no)? yes

8. Connect to SGM on the other Chassis. From the Expert shell, run blade




For example: blade 2_01

(Run exit to return to the previous SGM)

9. Repeat the firmware upgrade procedure on the two SSMs of the other Chassis.

Validation

To verify the upgrade, run asg_version

All SSMs should have firmware version 2.4.B27.2.

Installing the SGM Image Use one of these procedures to install an image on the Security Gateway Modules:

Using snapshot import

Using an ISO image on removable media: A DVD or USB stick

Installing the SGM Using snapshot import

1. Download the snapshot file with the SGM image from the R75.40VS for 61000 Security Systemshome page (http://supportcontent.checkpoint.com/solutions?id=sk89900).

2. Copy the snapshot file using the scp command to the IP address of the management interface, to the

/home/admin directory. This copies the file to the left-most SGM on the active Chassis.

3. Connect to the SGM via SSH or console

4. Copy the snapshot file to all SGMs, to the /var/log/ directory. Run:

asg_cp2blades b all /home/admin/ /var/log/

5. Import the snapshot. From gclish, run:

set snapshot import path /var/log/

6. Monitor snapshot import progress. From gclish, run:

show snapshots

7. After the snapshot import process has finished on all SGMs, revert to the snapshot. From gclish, run:

set snapshot revert

The system is now installed with proper software and firmware

Installing the SGM Image Using Removable Media

You can install an ISO image on the Security Gateway Modules using a USB stick or DVD.

To copy the ISO image to the removable media:

1. Download the ISO file with the SGM image(http://supportcontent.checkpoint.com/solutions?id=sk89900).

2. Copy the file to removable media in one of these ways:

Burn the ISO file on a DVD.

Download the Check Point ISOmorphic utility to create a bootable USB device from the ISO. Seesk65205 (http://supportcontent.checkpoint.com/solutions?id=sk65205).

3. You can install many SGMs at one time. Copy the ISO image to many USB sticks or DVD drives.

To install an ISO image on the Security Gateway Modules:

1. Connect the removable media to the left-most Security Gateway Module in one of these ways:

Connect the USB stick to the USB port.

Connect an external DVD drive to the USB port. Put the DVD with the ISO file in the DVD drive.




Item Description

1

2

USB port

One of two latches for extracting and inserting the SGM.

2. Connect the supplied DB9 serial cable to the console port on the front of the upper SGM on the 61000 Security System.

3. Connect to the left-most SGM using a terminal emulation program.

4. Reboot the SGM by partially sliding it out and immediately pushing it back in place:

a) Loosen the thumb screws at the top and bottom of the SGM.

b) Open the latches at the top and bottom of the SGM.

c) Fasten the latches.

d) Tighten the thumb screws.

5. When the first screen shows, select Install Gaia on the system and press Enter.

6. You must press Enter in 60 seconds, or the computer will try to start from the hard drive. The timer countdown stops once you press Enter. There is no time limit for the subsequent steps.

7. Press OK to continue with the installation.

After the installation, the 61000 Security System begins the boot process and status messages show in the terminal emulation program.

8. Install the SGM image on the other SGMs. To install on one SGM at a time repeat all the steps for each SGM. To install on many SGMs at one time:

a) Insert all the USB sticks or DVD drives into the USB ports of the other SGMs.

b) On one SGM at a time:

Connect to the console.

Reboot the SGM by partially sliding it out and immediately pushing it back in place.

Select Install Gaia on the system and press Enter.


Step 7: Connecting to the Network


Step 7: Connecting to the Network 1. If you have a dual Chassis environment: Connect the second Sync cable between the two Chassis.

These are the Sync cable connections:

eth1-Sync on chassis1 to eth1-Sync on chassis2.

eth2-Sync on chassis1 to eth2-Sync on chassis2.

2. Connect the management ports on the Security Switch Modules to your network.

3. Connect the data ports on the Security Switch Modules to your network.


Step 8: Initial Software Configuration


Step 8: Initial Software Configuration When installing and configuring the 61000 Security System, start with the Security Gateway Module furthest to the left in the Chassis. After the first SGM is configured, installation and configuration settings are automatically propagated to all other SGMs in the defined security group. The Security Group is the group of SGMs that make up the Security Gateway.

Note - In SmartDashboard, one Security Gateway object represents the SGMs in the security group.

Connecting a Console 1. Connect the RJ-45 jack end of a serial cable to the console port on the upper 61000 Security System in

the Chassis.

2. Connect the other end of the serial cable to the computer that you will use to do the initial configuration of the 61000 Security System.

3. On the configuration computer, connect to the 61000 Security System using a terminal emulation application such as PuTTY.

Make sure the Speed (baud rate) is set to 9600

No IP address is necessary

4. Log in with username: admin and password: admin.

Working on the Initial Setup 1. To start the installation wizard run #setup

2. In the Welcome screen, press a key.

3. Select Set SGMs for Security Group

4. If installing a VSX Gateway: Choose only the current SGM

Chassis 1, SGM 1 (slot 1 in Chassis 1)

If installing a Security Gateway: Define the SGMs that belong to the Security Group. There are two lines, one for Chassis 1, one for Chassis 2.

In each line, you can enter:

all (same as 1-12)

A range, such as: 1-9

A number of comma-separated ranges, such as: 1-3,5-7




Single SGMS, such as: 1,4

A combination of single SGMs and ranges, such as: 10,2, 3-7.

By default, the SGM you are connected belongs to the group: Chassis 1, SGM 1 (slot 1 in Chassis

1). To define a fully populated dual Chassis system select all in the top and bottom lines. For more

about Security Gateway Module numbering, see 61000 Security System front panel components ("61000 Security System Front Panel Modules" on page 14).

5. The subnet for internal communication in the Chassis is 192.0.2.0/24 by default. Change the IP address if it conflicts with an existing subnet on your network.

6. Configure parameters for:

Host Name

Time and Date.

To configure the local time, choose the geographical area and city.

7. Select Network Connections.

Configure the management ports and the data ports of the Security Switch Module.

There are 4 management ports on each SSM. Only configure those ports you intend to use. To associate port names with the physical ports, refer to Security Switch Module Ports ("Security Switch Module (SSM)" on page 16). For each management port configure:

An IP address

The Netmask length

To associate data port names with the physical ports, refer to Security Switch Module Ports ("Security Switch Module (SSM)" on page 16). For each data port configure:

An IP address

The Netmask length

8. Configure Routing.

Note - Wait 10-20 seconds for routing information to be updated throughout the system.

9. The Welcome to Check Point Suite screen shows. Wait for Check Point products packages to install.

10. Wait for the:

Installation Program Completed Successfully message to show

Check Point Configuration Program to start.

This program guides you through the configuration of Check Point products.

11. Configure Secure Internal Communication.

When prompted, enter and confirm the activation key. Remember this activation key. The same activation key is used for configuring the 61000 Security System object in SmartDashboard.

Configuration settings are applied, and the SGM reboots. Other Security Gateway Modules in the Security Group are installed automatically.

System Validation

Make sure that the initial system setup is completed successfully by:




Running the asg monitor command. An initial policy must be installed on the local SGM after initial

setup completes and the SGM reboots.

To monitor the automatic installation of other SGMs, run: tail -f /var/log/start_mbs.log.

After installation, all the SGMs in the security group must be UP and in the Initial Policy state.


Step 9: SmartDashboard Configuration



The 61000 Security System can work as a Security Gateway or as a VSX Gateway. The Security Management Server must be R75.40VS for 61000 or higher.

Do one of these procedures:

Configuring a Security Gateway (on page 53).

Configuring a VSX Gateway (on page 54).

Configuring a Security Gateway This procedure explains how to configure a Security Gateway in SmartDashboard.

Note - The Check Point Security Gateway Creation Wizard is version dependent. The steps may vary slightly.

To configure a Security Gateway:

1. Open SmartDashboard.

2. Enter your credentials to connect to the Security Management Server.

3. Create the Check Point Security Gateway object.

In the Network Objects tree, right click and select New > Check Point > Security Gateway/Management

The Check Point Security Gateway Creation wizard opens.

4. Select Wizard Mode or Classic Mode.

This procedure describes Wizard mode. If you choose Classic Mode, make sure you set all the necessary configuration parameters.

5. In the General Properties screen, configure:

Gateway name

Gateway platform - Select Open server

Gateway IP address

6. Click Next.

7. In the Secure Internal Communication Initialization screen, enter the One-time password. This is

the same as the Activation Key you entered during the initial setup.

8. Click Next.

9. View the Configuration Summary.

10. Select Edit Gateway properties for further configuration.

11. Click Finish.

The General Properties page of the 61000 Security System object opens.

12. In the General Properties page, make sure the Version is correct.

13. Enable the Firewall Software Blade. If required, enable other supported Software Blades.

14. In the navigation tree, select Topology.

15. Configure:

Interfaces as Internal or External

Anti-Spoofing.

Note: Only data and management interfaces are shown in the list.

16. Click OK.

The Security Gateway object closes.

17. Install the Policy.



Check Point Chassis Secur

Date post:	18-Dec-2015
Category:	Documents
Upload:	adrian-jmurco
View:	12 times
Download:	0 times

61000

Documents