Part Number 05233A
May 2008
Deploying Multiple Security Services on the Crossbeam X-Series Platform
Using IBM Proventia® Network IPS 2.0 for Crossbeam and Check Point™ VPN-1 Power VSX NGX R65
Copyright and Trademark Information
Copyright © 2008 by Crossbeam Systems Boxborough, MA, USA
All Rights Reserved
The products, specifications, and other technical information regarding the products contained in this document are subject to change without notice. All information in this document is believed to be accurate and reliable, but is presented without warranty of any kind, expressed or implied, and users must take full responsibility for their application of any products specified in this document. Crossbeam Systems disclaims responsibility for errors that may appear in this document, and it reserves the right, in its sole discretion and without notice, to make substitutions and modifications in the products and practices described in this document.
This material is protected by the copyright and trade secret laws of the United States and other countries. It may not be reproduced, distributed, or altered in any fashion by any entity (either internal or external to Crossbeam Systems), except in accordance with applicable agreements, contracts, or licensing, without the express written consent of Crossbeam Systems.
For permission to reproduce or distribute please contact your Crossbeam Systems account executive.
This product includes software developed by the Apache Software Foundation: www.apache.org.
“Crossbeam,” “Crossbeam Systems,” “iBeam,” X40, X45, X80 and any logos associated therewith are trademarks or registered trademarks of Crossbeam Systems, Inc. in the U.S. Patent and Trademark Office, and several international jurisdictions.
All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.
Contents

Chapter 1: About This Guide
  Intended Audience (page 5)
  Related Documentation (page 5)
    Crossbeam Systems Documentation (page 5)
    Other Documentation (page 5)
  Conventions (page 6)
    Typographical Conventions (page 6)
    Cautions, Warnings, and Notes (page 7)
  Crossbeam Systems Customer Support (page 8)

Chapter 1: Introduction
  Serialization and Secure Flow Processing (page 9)
  Applications Used in this Topology (page 9)
    Serialized Application Topology (page 10)

Chapter 2: Configuring Serialization
  Requirements To Support this Topology (page 11)
    X-Series Module Requirements (page 11)
    Application Requirements (page 11)
      Proventia Network IPS Requirements (page 12)
      Check Point VPN-1 Power VSX NGX R65 Requirements (page 12)
  Configuration Overview (page 12)
    Serialization Using Single Interfaces (page 12)
  Create VAP Groups (page 14)
    ISS VAP Group (page 14)
    VSX VAP Group (page 16)
  Configure Circuits (page 17)
    Bridge Circuit (page 17)
    Internal Circuit for Serialization (page 19)
    WAN Circuit (page 21)
    Internal Circuit for Synchronization (page 22)
    Shared Management Circuit (page 23)
  Configure the Physical Interfaces (page 25)
    Group Interface Bridge (page 26)
    WAN Interface (page 28)
    Management Interface (page 29)
    Next Steps (page 30)
  Configure the MLT Group Interfaces (page 31)
    LAN Template Circuit (page 32)
    LAN MLT Group Interface (page 33)
    MLT Group Interface Bridge (page 35)
    WAN MLT Group Interface (page 37)
    Management Interface (page 38)
    Next Steps (page 38)

Chapter 3: Application Installation
  Installation Considerations (page 39)
  Install and Configure Proventia Network IPS (page 39)
    Application Prerequisites (page 39)
    Installing Proventia Network IPS (page 39)
      Install the Application onto a VAP Group (page 39)
      Interview Process (page 40)
    Configure Proventia Network IPS Using Proventia Manager (page 40)
  Install and Configure Check Point (page 41)
    Application Prerequisites (page 41)
    Installing the Application (page 41)
      Install the Application onto a VAP Group (page 41)
      Interview Process (page 41)
      Create Virtual Devices and Circuits Using the VSX GUI (page 43)

Chapter 4: Advanced Configurations
  IPS to VSX NGX R65 to IPS (page 45)
  Individual Management Circuits (page 49)
  Multi-System High Availability Using VRRP (page 49)
    Configure the Remote System ID and IP Address (page 50)
    Assign a Physical Interface to the Internal Synchronization Circuit (page 51)
    Configure the VRRP Failover Groups (page 51)
    Enable VRRP on the VAP Group (page 53)
    Configure Next Hop Health Check (page 54)

Chapter 5: Troubleshooting
  Configuration Tips (page 57)
  Troubleshooting (page 57)
    Application Installation (page 57)
    Management Communications (page 58)
    VAP Traffic Issues (page 58)
    Troubleshooting from the Command Line (page 59)

Appendix A: Sample Configurations
  Configuration of the Single Physical Interface Topology (page 61)
  Configuration of the MLT Group Interface Topology (page 62)
Deploying Multiple Security Services on the Crossbeam X-Series Platform 5
About This Guide
This guide provides information for configuring the X-Series platform to run multiple applications in series.
This guide assumes that you have already installed the X-Series platform hardware, and that you have a basic understanding of how the X-Series platform is designed and operates.
Intended Audience
This guide is intended for system integrators and other qualified service personnel responsible for installing, configuring, and managing the Crossbeam X-Series platform.
Related Documentation
Crossbeam Systems Documentation
These documents are provided on the Crossbeam Systems Documentation CD and are available through the Crossbeam Systems support Web site located at http://www.crossbeam.com/services/online_support.php.
X40-X80 Security Switch Hardware Installation Guide
X45 Security Switch Hardware Installation Guide
XOS Configuration Guide
Deploying Multiple Security Services on the Crossbeam X-Series Platform Using IBM Proventia Network IPS 2.0 for Crossbeam and Check Point™ VPN-1 Power NGX R65
Deploying Multiple Security Services on the Crossbeam X-Series Platform Using IBM Proventia Network IPS 2.0 for Crossbeam and Check Point™ VPN-1 Power VSX NGX R65 with Bridged Virtual Systems
Deploying Multiple Security Services on the Crossbeam X-Series Platform Using IBM Proventia Network IPS 2.0 for Crossbeam and Check Point™ Layer-2 Firewall
XOS V8.1 Command Reference Guide
Install Server User Guide
XOS V8.1 Release Notes
Other Documentation
Installation and Configuration for IPS Deployments of IBM Proventia Network Intrusion Prevention System on Crossbeam X-Series Systems located at http://www.iss.net/support/documentation
Check Point™ VPN-1 Power VSX NGX R65 Installation and Configuration for Crossbeam X-Series System
Conventions
Typographical Conventions
For paragraph text conventions, see Table 1 on page 6.
For command-line text conventions, see Table 2 on page 7.
Table 1. Typographical Conventions Used in Paragraph Text

Bold
  Types of information: Elements on the graphical user interface.
  Usage examples:
    In the IP Address field, type the IP address of the first VAP in the group.
    Click OK to close the dialog.
    Select the Print to File check box.

Courier
  Types of information: Keys on the keyboard. File names, folder names, and command names. Any information that you must type exactly as shown. Program output text.
  Usage examples:
    Press Esc to return to the main menu.
    Save the user.txt file in the user_install directory.
    Use the start command to start the application.
    In the Username field, type Administrator.
    The XOS CLI show calendar command displays the system calendar:
      Fri Mar 7 13:32:03 2008

Courier Italic
  Types of information: File names, folder names, command names, or other information that you must supply.
  Usage example:
    In the Version Number field, type 8.1.patch_number.

>
  Types of information: A sequence of commands from the task bar or menu bar.
  Usage examples:
    From the taskbar, choose Start > Run.
    From the main menu, choose File > Save As...
    Right-click on the desktop and choose Arrange Icons By > Name from the pop-up menu.
Table 2. Typographical Conventions Used in Command-Line Text

Courier
  Types of information: User prompts and program output text.
  Usage example:
    CBS# show calendar
    Fri Mar 7 13:32:03 2008

Courier Bold
  Types of information: Information that you must type in exactly as shown.
  Usage example:
    [root@xxxxx]# md crossbeam

<Courier Italic>
  Types of information: Angle brackets surrounding Courier italic text indicate file names, folder names, command names, or other information that you must supply.
  Usage example:
    [root@xxxxx]# md <your_folder_name>

[ ]
  Types of information: Square brackets contain optional information that may be supplied with a command.
  Usage example:
    [root@xxxxx]# dir [drive:] [path] [<filename>] [/P] [/W] [/D]

|
  Types of information: Separates two or more mutually exclusive options.
  Usage example:
    [root@xxxxx]# verify [ON|OFF]

{ }
  Types of information: Braces contain two or more mutually exclusive options from which you must choose one.
  Usage example:
    CBS# configure vap-group <vap_group_name>
    CBS(config-vap-grp)# raid {0|1}

Cautions, Warnings, and Notes
IMPORTANT: Lists important steps that you must perform properly or important information that you must take into consideration to avoid performing unnecessary work.
NOTE: Provides special information or tips that help you properly understand or carry out a task.
Caution: Lists precautions that you must take to avoid temporary data loss or data unavailability.
Warning: Lists precautions that you must take to avoid personal injury, permanent data loss, or equipment damage.
Crossbeam Systems Customer Support
Crossbeam Systems offers a variety of service plans designed to meet your specific technical support requirements. For information on purchasing a service plan for your organization, please contact your account representative or refer to http://www.crossbeam.com/services/support_overview.php.
If you have purchased a Crossbeam Systems product service plan and need technical assistance, you can report issues by telephone:
United States: +1 800-331-1338 OR +1 978-318-7595
EMEA: + 33 4 8986 0400 (during normal working hours) +1 978-318-7595 (out of office and public holidays, if applicable)
Asia Pacific: +1 978-318-7595
You can also report issues via E-mail to [email protected].
In addition, all of our service plans include access to the Crossbeam Online Support Web site located at http://www.crossbeam.com/services/online_support.php.
The Crossbeam Online Support Web site provides you with access to a variety of resources, including Customer Support Knowledge base articles, technical bulletins, product documentation, and release notes. You can also access our real-time problem reporting application, which lets you submit new technical support requests and view all your open requests.
Crossbeam Systems also offers extensive customer training on all of its products. Please refer to the Crossbeam Training and Education Web site located at http://www.crossbeam.com/services/training_education.php for current course offerings and schedules.
Chapter 1: Introduction
This book is intended to provide information specific to the process of connecting IBM Proventia® Network Intrusion Prevention System and Check Point™ VPN-1 Power VSX NGX R65 in series. It is expected that you have read or are familiar with the information in the XOS Configuration Guide, the Installation and Configuration for IPS Deployments of IBM Proventia Network Intrusion Prevention System on Crossbeam X-Series Systems, and the Check Point™ VPN-1 Power VSX NGX R65 Installation and Configuration for Crossbeam X-Series System.
This chapter provides a brief overview of Serialization and Secure Flow Processing. It provides information to help you understand the benefits of serialized applications, the specific applications used in this scenario, and a simple diagram of the serial topology.
Serialization and Secure Flow Processing
Serialization refers to the flow of data traffic from one application, such as an IPS, to a second application, such as a firewall. You can configure multiple instances of each application on Crossbeam’s Application Processor Modules (APMs) and connect them internally, in series. Traffic passes from one application to the next, allowing multi-layered, in-depth inspection, consistent with a user-defined security policy. See Figure 1. Serialized Application Topology on page 10 for an illustration of this scenario.
Secure flow processing refers to the movement of traffic through an X-series chassis following the user-defined security policy. A key Crossbeam innovation is the ability to logically sequence traffic flow (i.e. serialize) from one security application to another – we call this “secure flow processing”. For example, Company X has a security policy that requires all traffic to go through an IPS (e.g. IBM Proventia Network IPS) for deep packet inspection, and then pass through a firewall with a separate rule set (e.g. Check Point). Secure flow processing enables this pattern as if switches, load balancers, and network cables were all physically installed between the IPS and firewall. The serialized traffic flow is all done at wire speed, internal to the X-series chassis, with active management of data and load balancing.
Applications Used in this Topology
Proventia® Network IPS
Proventia Network IPS employs multiple intrusion prevention technologies, all integrated to work in tandem, providing unprecedented correlation and protection mechanisms. These core technologies enable preemptive protection of the network against a wide variety of Internet threats.
Check Point™ VPN-1 Power VSX NGX R65
Check Point VPN-1 Power VSX NGX R65 is a security gateway providing security systems, including firewall and VPN. By creating virtual networks within the application, you can create multiple security systems on a single hardware platform.
Serialized Application Topology
In this serialized topology, multiple VLANs configured in an 802.1q trunk ingress on a single physical interface, pass through the Proventia Network IPS bridge, and are split into individual circuits, one per VLAN, on Check Point VPN-1 Power VSX NGX R65. Traffic exits to an external network through a separate physical interface. Management of the applications is done through a single physical interface that is split internally.
Figure 1. Serialized Application Topology
The steps and process provided in this guide allow you to construct a simple, working serialized configuration. The complete configuration is provided in Appendix A Sample Configurations on page 61. As an alternative to the single interface, configuration steps for an MLT group interface are provided in the section, Configure the MLT Group Interfaces on page 31.
This topology can also be adapted for a network designed with multiple subnets, allowing you to configure security policies specific to each subnet. Since individual networks may have increased security requirements or traffic patterns, additional IPS systems may be added to handle these requirements.
To accommodate these requirements, this topology can be configured using a third VAP group (a second instance of Proventia Network IPS). That full configuration is provided in Chapter 4 Advanced Configurations on page 45.
Chapter 2: Configuring Serialization
This chapter provides information about the topology, and steps to configure serialization. General X-series prerequisites and configuration information are available in the XOS Configuration Guide. This chapter contains the following sections:
Requirements To Support this Topology on page 11
Configuration Overview on page 12
Create VAP Groups on page 14
Configure Circuits on page 17
Configure the Physical Interfaces on page 25
Configure the MLT Group Interfaces on page 31
Requirements To Support this Topology
XOS Version 8.1
NPM-8600
This serialization scenario is supported on the following Crossbeam X-Series Platforms:
X40
X80
X-Series Module Requirements
The specific scenario described in this guide was developed using the following modules on an X80 platform:
Three APM-8600s for the ISS VAP group
If you are configuring a second ISS VAP group for the advanced configuration, you will need three additional APM-8600s
Three APM-8600s for the VSX VAP group
Two NPM-8600s
One CPM-8600
For the latest firmware information, please refer to the XOS 8.1 Release Notes.
Application Requirements
This scenario uses the following two applications:

Proventia Network IPS Requirements
The serialization scenario described in this guide supports IBM Proventia Network IPS and has the following APM requirements:

Module: APM-8600
  CPU: Single or Dual
  Disk Drive: Required, in SATA-1 position
  Minimum Memory: 2 GB
  Recommended Memory: 4 GB

NOTE: RAID 0 and 1 configurations are supported with 2 SATA HDDs installed.

Check Point VPN-1 Power VSX NGX R65 Requirements
The serialization scenario described in this guide supports Check Point VPN-1 Power VSX NGX R65 and has the following APM requirements:

Module: APM-8600
  CPU: Single or Dual
  Disk Drive: Not Required
  Minimum Memory: 1 GB
  Recommended Memory: 4 GB

Configuration Overview
This section describes the process of configuring Proventia Network IPS to bridge traffic to Check Point VSX NGX R65 in series on an X-Series system. The configuration options covered in this chapter are:
Single physical interfaces
Multi-Link Trunk (MLT) interfaces
This chapter provides detailed steps to configure two VAP groups, the associated circuits, and either single interfaces or MLT interfaces. The completed configuration for this process is provided in Appendix A.
If you require a configuration comprised of three individual VAP groups (IPS / VSX / IPS), and are familiar with XOS serial configurations, Chapter 4 provides a completed configuration for that topology. If you are not yet familiar with configuring serialization, it is recommended that you reference both chapters 2 and 4 to complete this advanced configuration process.
Multi-system high availability for the serialized topology is configured by creating nearly identical configurations on multiple systems. The systems are linked using a physical connection to the CPM through either the High Availability (HA) link or management port. For more information about multi-system high availability, see Multi-System High Availability Using VRRP on page 49.

Serialization Using Single Interfaces
Sections 1 through 3 describe how to configure the circuits and interfaces for the serialized topology illustrated below. Each command is broken down and described in the following steps, explaining the configuration process. Optional topologies are built on this basic scenario using the same approach.
Section 4 describes how to configure MLT interfaces for the same topology, and replaces Section 3, Configure the Physical Interfaces on page 25.
The following single interface topology is configured in the subsequent sections:
Multiple VLANs configured in an 802.1q trunk ingress on a single physical interface, pass through the ISS bridge, and are split into individual circuits, one per VLAN, on the layer 3 device (VSX). Traffic exits to an external network through a separate physical interface. Management of the applications is done through a single physical interface that is split internally.
Figure 2. Configuration Overview
VAP group, circuit, and interface names in this topology are used as examples, and are not required names. In most cases they are used to demonstrate the function of the circuit or interface.
The complete configuration for this topology is provided in Appendix A Sample Configurations on page 61.
The following steps are required to configure the X-series system. It is not necessary to complete both Section 3 Configure the Physical Interfaces, and Section 4 Configure the MLT Group Interfaces, for serialization. The sample topologies use one or the other.
Create VAP Groups on page 14
ISS VAP Group on page 14
VSX VAP Group on page 16
Configure Circuits on page 17
Bridge Circuit on page 17
Internal Circuit for Serialization on page 19
WAN Circuit on page 21
Internal Circuit for Synchronization on page 22
Shared Management Circuit on page 23
Configure the Physical Interfaces on page 25
Group Interface Bridge on page 26
WAN Interface on page 28
Management Interface on page 29
Configure the MLT Group Interfaces on page 31
LAN Template Circuit on page 32
LAN MLT Group Interface on page 33
MLT Group Interface Bridge on page 35
WAN MLT Group Interface on page 37
Management Interface on page 38
1.0 Create VAP Groups
This section describes the creation of the ISS VAP group and the VSX VAP group. Each VAP group contains three individual instances of the specific application, or VAPs.
1.1 ISS VAP Group
Create a VAP group consisting of three APMs that support the installation of Proventia Network IPS (ISS). Name the VAP group “iss”.
Figure 3. Configure the ISS VAP Group
In the following section you will create this portion of the configuration. A complete configuration is available in Appendix A. To check your progress throughout the setup process, open a second CLI window and log into the CPM. From there, use show running-config to verify your work at any time.
vap-group iss xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap3 ap4 ap5
  ip-flow-rule iss_lb
    action load-balance
    activate
1.1.1 Configure the ISS VAP Group
Create a VAP group named "iss" using the xslinux_v3 operating system. The v3 kernel is required by ISS.
Command:
CBS# configure vap-group iss xslinux_v3
Are you sure you want to create a new vap-group with OS version xslinux_v3? <Y or N> [Y]: Y
Creating vap-group iss. May take several minutes.......................
CBS(config-vap-grp)#
1.1.2 Configure three VAP members for the ISS VAP Group
Create three VAP members for redundancy and additional capacity.
Command:
CBS(config-vap-grp)# vap-count 3
Are you sure you want to adjust vap-count to 3? <Y or N> [Y]: Y
Adjusting vap-count. May take several minutes............................
CBS(config-vap-grp)#
1.1.3 Configure the ISS VAP Group APM list
This command specifies the list of APMs to be loaded. All VAP members should be identical APMs. Use show module status from the CLI to verify the configuration of each APM if necessary.
Command:
CBS(config-vap-grp)# ap-list ap3 ap4 ap5
CBS(config-vap-grp)#
1.1.4 Specify the number of active VAP members
Specify the maximum number of VAP members in the VAP group. In order to install Proventia Network IPS, the max load count must match the VAP count.
Command:
CBS(config-vap-grp)# max-load-count 3
CBS(config-vap-grp)#
1.1.5 Configure the default flow-rule for the VAP group and return to main CLI context
There are four steps to configure the load balancing flow rule.
Create the load balancing flow rule for the ISS VAP group.
Set flow rule action to load-balance ISS traffic to all available VAP members.
Set the activate flag to enable the action.
Return to main CLI context to prepare for the next step.
CBS(config-vap-grp)# ip-flow-rule iss_lb
CBS(ip-flow-rule)# action load-balance
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)# end
CBS#
1.2 VSX VAP Group
Create a VAP group consisting of three APMs that support the installation of Check Point VPN-1 Power VSX NGX R65. Name the VAP group “vsx”.
Figure 4. Configure the VSX VAP Group
In the following section you will create this portion of the configuration.
vap-group vsx xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap8 ap9 ap10
1.2.1 Configure the VSX VAP Group
Create a VAP group named “vsx” using the xslinux_v3 operating system. The v3 kernel is required by VSX.
Command:
CBS# configure vap-group vsx xslinux_v3
Are you sure you want to create a new vap-group with OS version xslinux_v3? <Y or N> [Y]: Y
Creating vap-group vsx. May take several minutes.............................................................
CBS(config-vap-grp)#
1.2.2 Configure three VAP members for the VSX VAP Group
Create three VAP members for redundancy and additional capacity.
Command:
CBS(config-vap-grp)# vap-count 3
Are you sure you want to adjust vap-count to 3? <Y or N> [Y]: Y
Adjusting vap-count. May take several minutes..................................
CBS(config-vap-grp)#
1.2.3 Configure the VSX VAP Group APM list
This command specifies the list of APMs to be loaded. All VAP members should be identical APMs. Use show module status from the CLI to verify the configuration of each APM if necessary.
Command:
CBS(config-vap-grp)# ap-list ap8 ap9 ap10
CBS(config-vap-grp)#
1.2.4 Specify the number of active VAP members and return to the main CLI context
Specify the maximum number of VAP members in the VAP group. In order to install VSX, the max load count must match the VAP count. Return to main CLI context to prepare for the next step.
NOTE: You do not have to manually configure a default flow-rule for VSX VAP groups. VSX configures a default flow rule as part of the application installation process. See the application installation guide for more information.
Command:
CBS(config-vap-grp)# max-load-count 3
CBS(config-vap-grp)# end
CBS#
2.0 Configure Circuits
This section describes how to configure the internal and external circuits connecting the VAP groups to each other and to the network. If you are configuring circuits in a topology using VLANs, VSX requires that the interface’s device-name not exceed 4 characters, and that the device-name cannot be “vlan”. VLAN is a Check Point reserved keyword.
2.1 Bridge Circuit
The Layer 2 bridge circuit is a template circuit that must be in place prior to configuring the group interface bridge covered in Section 3.1 Group Interface Bridge on page 26.
Figure 5. Layer 2 Bridge Circuit
In the following section you will create this portion of the configuration.
circuit bridge
  device-name bridge
  vap-group iss
    promiscuous-mode active
2.1.1 Configure the bridge circuit required by the group interface
Create a circuit to bridge traffic on ISS.
Command:
CBS# configure circuit bridge
CBS(conf-cct)#
2.1.2 Assign a device name to the circuit
Assign a device name to the circuit. For clarity, the device name should be the same as, or based on the circuit name.
Command:
CBS(conf-cct)# device-name bridge
CBS(conf-cct)#
2.1.3 Associate the circuit with ISS VAP group
Specify a VAP group to assign to this circuit.
Command:
CBS(conf-cct)# vap-group iss
CBS(conf-cct-vapgroup)#
2.1.4 Set mode to promiscuous-mode active and return to the main CLI context
Setting promiscuous-mode to active allows the circuit to pass traffic.
Command:
CBS(conf-cct-vapgroup)# promiscuous-mode active
CBS(conf-cct-vapgroup)# end
CBS#
2.2 Internal Circuit for Serialization
This internal circuit connects the ISS VAP group to the VSX VAP group in series. It is a template circuit that must be in place prior to configuring the group interface bridge covered in Section 3.1 Group Interface Bridge on page 26.
Figure 6. Serial Connection between VAP Groups
In the following section you will create this portion of the configuration.
circuit SerialOne
  internal
  device-name Ser1
  vap-group iss
    promiscuous-mode active
  vap-group vsx
2.2.1 Configure the circuit
Create an internal circuit, connecting the two VAP groups in series.
Command:
CBS# configure circuit SerialOne
CBS(conf-cct)#
2.2.2 Define the circuit as internal
Configure the circuit as internal.
Command:
CBS(conf-cct)# internal
CBS(conf-cct)#
2.2.3 Assign a device name to the circuit
Assign a device name to the circuit. For clarity, the device name should be the same as, or based on the circuit name. When configuring circuits in a topology using VLANs, the device names for circuits that directly interface with VSX cannot exceed 4 characters.
Command:
CBS(conf-cct)# device-name Ser1
CBS(conf-cct)#
2.2.4 Associate the circuit with ISS VAP group
Assign the ISS VAP group to this circuit.
Command:
CBS(conf-cct)# vap-group iss
CBS(conf-cct-vapgroup)#
2.2.5 Set mode to promiscuous-mode active and exit the ISS VAP group context
Any VAP-specific parameters must be configured on this circuit. In this case, the ISS parameter promiscuous-mode active must be configured here as well. Setting promiscuous-mode to active allows the circuit to pass traffic.
Command:
CBS(conf-cct-vapgroup)# promiscuous-mode active
CBS(conf-cct-vapgroup)# exit
CBS(conf-cct)#
2.2.6 Associate the circuit with the VSX VAP group and return to the main CLI context
Assigning the VSX VAP group to this circuit allows traffic to flow between the two VAP groups.
Command:
CBS(conf-cct)# vap-group vsx
CBS(conf-cct-vapgroup)# end
CBS#
2.3 WAN Circuit
Create the WAN circuit. This circuit interfaces with an external network.
Figure 7. WAN Circuit attached to the VSX VAP Group
In the following section you will create this portion of the configuration. When configuring circuits in a topology using VLANs, the device names for circuits that interface with VSX cannot exceed 4 characters.
circuit wan
  device-name wan
  vap-group vsx
2.3.1 Configure the WAN circuit
Create the wan circuit.
Command:
CBS# configure circuit wan
CBS(conf-cct)#
2.3.2 Assign a device name to the circuit
Assign a device name to the circuit. For clarity, the device name should be the same as, or based on the circuit name. When configuring circuits in a topology using VLANs, the device names for circuits that interface with VSX cannot exceed 4 characters.
Command:
CBS(conf-cct)# device-name wan
CBS(conf-cct)#
2.3.3 Assign the circuit to the VSX VAP group and return to the main CLI context
Assigning the VSX VAP group to this circuit allows traffic to flow across the circuit.
Command:
CBS(conf-cct)# vap-group vsx
CBS(conf-cct-vapgroup)# end
CBS#
2.4 Internal Circuit for Synchronization
A synchronization circuit is an internal circuit that connects VSX VAP members. VSX uses this circuit to maintain state synchronization and communications between VSX cluster members.
Figure 8. Sync Circuit between VSX VAP members
In the following section you will create this portion of the configuration.
circuit sync
  internal
  device-name sync
  vap-group vsx
2.4.1 Configure the VSX synchronization circuit
Create a circuit for VSX synchronization.
Command:
CBS# configure circuit sync
CBS(conf-cct)#
2.4.2 Define the circuit as internal
Configure the circuit as internal.
Command:
CBS(conf-cct)# internal
CBS(conf-cct)#
2.4.3 Assign a device name to the circuit
Assign a device name to the circuit. For clarity, the device name should be the same as, or based on the circuit name.
Command:
CBS(conf-cct)# device-name sync
CBS(conf-cct)#
2.4.4 Assign the circuit to the VSX VAP group and return to the main CLI context
Assign the sync circuit to the VSX VAP group.
Command:
CBS(conf-cct)# vap-group vsx
CBS(conf-cct-vapgroup)# end
CBS#
2.5 Shared Management Circuit
Managing multiple applications installed on an X-Series system can be done using individual or shared connections to the modules. With serialized applications, it is often more efficient to manage VAP groups using a single physical interface, split internally. This topology creates a single shared circuit, which will later be assigned to a single physical interface (Section 3.3 Management Interface on page 29).
If you expect a high level of log activity on your management circuit, consider creating individual management interfaces for each VAP group. For information on creating individual management circuits and interfaces, see Individual Management Circuits on page 49.
Figure 9. Shared Management Circuit
In the following section you will create this portion of the configuration.
circuit mgmt
  device-name mgmt
  vap-group iss
    management-circuit
    ip 172.16.19.62/24 increment-per-vap 172.16.19.65
  vap-group vsx
2.5.1 Create a management circuit for both applications, ISS & VSX
Create a management circuit, so that application management utilities can interface with the applications.
Command:
CBS# configure circuit mgmt
CBS(conf-cct)#
2.5.2 Assign a device name to the circuit
Assign a device name to the circuit. For clarity, the device name should be the same as, or based on the circuit name.
Command:
CBS(conf-cct)# device-name mgmt
CBS(conf-cct)#
2.5.3 Assign the ISS VAP group to the circuit
Associate the ISS VAP group with a circuit. Designate this circuit as the management-circuit.
NOTE: Proventia Network IPS requires that you specify a management circuit using the management-circuit parameter.
Command:
CBS(conf-cct)# vap-group iss
CBS(conf-cct-vapgroup)# management-circuit
CBS(conf-cct-vapgroup)#
2.5.4 Assign an IP address for ISS VAP group management
Use increment-per-vap to assign a unique IP-address per vap member, allowing individual management connections. When configuring the management IP addresses it is recommended to leave some unused IP addresses so that additional APMs and VAPs can be added as the system grows.
Command:
CBS(conf-cct-vapgroup)# ip 172.16.19.62/24 increment-per-vap 172.16.19.65
CBS(conf-cct-vapgroup-ip)#
2.5.5 Return to the configure circuit context
Using the exit command returns you to the proper context.
Command:
CBS(conf-cct-vapgroup-ip)# exit
CBS(conf-cct-vapgroup)# exit
CBS(conf-cct)#
2.5.6 Assign the VSX VAP group to the circuit and return to the main CLI context
Associate the VSX VAP group with the management circuit.
Command:
CBS(conf-cct)# vap-group vsx
CBS(conf-cct-vapgroup)# end
CBS#
NOTE: An IP address for VSX VAP group management will automatically be assigned by VSX upon installation. You do not need to configure this manually.
3.0 Configure the Physical Interfaces
The following section provides steps for configuring the single physical interfaces for the connection to the client subnet, an external network (the Internet), and management.
It is not necessary to complete both Section 3 Configure the Physical Interfaces, and Section 4 Configure the MLT Group Interfaces, for serialization. The sample topologies use one or the other.
MLT interfaces are configured in a separate section. If you are configuring MLT interfaces, skip this section and go to Configure the MLT Group Interfaces on page 31.
3.1 Group Interface Bridge
The group interface bridge includes the physical interface, the ISS bridge circuit (bridge), and the internal circuit used for serialization (Ser1). Name this group interface bridge L2Br.
Figure 10. Group Interface Bridge
In the following section you will create this portion of the configuration.
group-interface L2Br
  interface-type gigabitethernet
  mode transparent circuit bridge
  interface-internal circuit SerialOne
  interface 1/1
    device-name LAN
3.1.1 Create the group interface
Configure a group interface.
Command:
CBS# configure group-interface L2Br
CBS(conf-group-intf)#
3.1.2 Configure the interface type and return to interface configuration mode
Specify the interface type as gigabitethernet or 10gigabitethernet, and then exit the interface type mode. Exiting returns you to the interface configuration context and prepares you for the next step.
Command:
CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)# exit
CBS(conf-group-intf)#
3.1.3 Set mode to transparent
Transparent mode allows ISS to provide the bridging mechanism.
Command:
CBS(conf-group-intf)# mode transparent circuit bridge
CBS(conf-group-intf)#
3.1.4 Associate the internal circuit with the group interface
Associates the internal circuit and group interface.
Command:
CBS(conf-group-intf)# interface-internal circuit SerialOne
CBS(conf-group-intf)#
3.1.5 Configure the physical interface and return to the main CLI context
Name and configure the physical interface. Be sure to associate a device name with the interface. This avoids the potential confusion of a system generated interface name.
Command:
CBS(conf-group-intf)# interface 1/1
CBS(conf-grp-intf-intf)# device-name LAN
CBS(conf-grp-intf-intf)# end
CBS#
3.2 WAN Interface
Create the WAN interface for the VSX VAP group, and attach a physical interface to the wan circuit.
Figure 11. WAN Interface
In the following section you will create this portion of the configuration.
interface gigabitethernet 1/2
  logical wan
    circuit wan
3.2.1 Define a physical interface
Define the physical interface to be assigned to the circuit.
Command:
CBS# configure interface gigabitethernet 1/2
CBS(conf-intf-gig)#
3.2.2 Define the logical interface for the wan circuit
Define the logical interface for the physical interface specified in the previous step. For clarity, the logical name should be the same as, or based on the circuit name.
Command:
CBS(conf-intf-gig)# logical wan
CBS(intf-gig-logical)#
3.2.3 Assign the circuit to the logical and physical interface and return to the main CLI context
Assign the circuit to the interface.
Command:
CBS(intf-gig-logical)# circuit wan
CBS(intf-gig-logical)# end
CBS#
3.3 Management Interface
Assign the physical interface used by the management circuit.
Figure 12. Management Interface
In the following section you will create this portion of the configuration.
interface gigabitethernet 1/5
  logical mgmt
    circuit mgmt
3.3.1 Define the physical interface
Define the physical interface to be used by the management circuit.
Command:
CBS# configure interface gigabitethernet 1/5
CBS(conf-intf-gig)#
3.3.2 Define the logical interface for the management circuit
Define the logical interface for the physical interface specified in the previous step.
Command:
CBS(conf-intf-gig)# logical mgmt
CBS(intf-gig-logical)#
3.3.3 Assign the circuit to the logical and physical interfaces and return to the main CLI context
Assign the circuit to the logical and physical interfaces specified above. For clarity, the logical name should be the same as, or based on the circuit name.
Command:
CBS(intf-gig-logical)# circuit mgmt
CBS(intf-gig-logical)# end
CBS#
Next Steps
Configuration of the serialized topology using a single physical interface is complete. Go to Chapter 3 Application Installation on page 39 for information about installing the applications onto each VAP group.
4.0 Configure the MLT Group Interfaces
This section provides the steps necessary to configure MLT in a serial topology. These steps replace Section 3.0 Configure the Physical Interfaces on page 25.
It is not necessary to complete both Section 3 Configure the Physical Interfaces, and Section 4 Configure the MLT Group Interfaces, for serialization. The sample topologies use one or the other.
A multi-link trunk (MLT) aggregates multiple physical interfaces to form one logical channel, allowing the X-Series system to treat these interfaces as a single logical interface. This section describes the process for configuring XOS to handle the interface.
In the following topology, multiple VLANs ingress on an aggregated physical interface, and are delivered to the Layer 2 bridge via an 802.1q trunk. Traffic passes through the Proventia Network IPS application and over an internal circuit for serialization. Upon reaching the VPN-1 Power VSX NGX R65 application, the 802.1q trunk is split into individual circuits, one per VLAN, and processed. If the traffic passes inspection, it flows out of the application to another MLT interface. If the traffic does not pass inspection, it is dropped.
VLAN configuration is performed using the VSX application, and is outside the scope of this document. See the Check Point™ VPN-1 Power VSX NGX R65 documentation for more information.
NOTE: When you are configuring an interface to pass VLANs to the VSX NGX R65 application, the interface’s device-name must not exceed 4 characters. The device-name cannot be “vlan”. VLAN is a Check Point reserved keyword.
Figure 13. MLT Group Interfaces in the Serial Topology
4.1 LAN Template Circuit
The LAN circuit is a template circuit that must be in place prior to configuring the MLT group interface. This circuit is only used for the MLT group interface. The other circuits used in the MLT interface configuration were created in Section 2.
Figure 14. LAN Template Circuit
In the following section you will create this portion of the configuration.
circuit LAN
  device-name LAN
  vap-group iss
    promiscuous-mode active
4.1.1 Configure the LAN circuit required by the group interface
Create a template circuit to be used by the MLT group interface.
Command:
CBS# configure circuit LAN
CBS(conf-cct)#
4.1.2 Assign a device name to the circuit
Assign a device name to the circuit. For clarity, the device name should be the same as, or based on the circuit name.
Command:
CBS(conf-cct)# device-name LAN
CBS(conf-cct)#
4.1.3 Associate the circuit with the ISS VAP group
Assign a VAP group to this circuit.
Command:
CBS(conf-cct)# vap-group iss
CBS(conf-cct-vapgroup)#
4.1.4 Set mode to promiscuous-mode active and return to the main CLI context
Setting promiscuous-mode to active allows the circuit to pass all traffic.
Command:
CBS(conf-cct-vapgroup)# promiscuous-mode active
CBS(conf-cct-vapgroup)# end
CBS#
4.2 LAN MLT Group Interface
The LAN MLT group interface attaches physical interfaces to the lan template circuit, and is defined as a multi-link circuit.
Figure 15. LAN MLT Group Interface
In the following section you will create this portion of the configuration.
group-interface LAN
  interface-type gigabitethernet
  mode multi-link circuit LAN
  interface 1/1
  interface 1/2
  interface 1/3
4.2.1 Create the group interface
Configure a group interface.
Command:
CBS# configure group-interface LAN
CBS(conf-group-intf)#
4.2.2 Configure the interface type and return to the interface configuration context
Define the interface type as gigabitethernet or 10gigabitethernet, and return to the interface configuration context.
Command:
CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-intf)# exit
CBS(conf-group-intf)#
4.2.3 Define the interface mode
Define the interface mode as multi-link, and assign the circuit.
Command:
CBS(conf-group-intf)# mode multi-link circuit LAN
CBS(conf-group-intf)#
4.2.4 Configure the physical interfaces and return to the main CLI context
Assign interfaces to the MLT group interface and exit the configuration mode. Using end returns you to the main CLI context, and prepares you for the next step.
Command:
CBS(conf-group-intf)# interface 1/1
CBS(conf-grp-intf-intf)# exit
CBS(conf-group-intf)# interface 1/2
CBS(conf-grp-intf-intf)# exit
CBS(conf-group-intf)# interface 1/3
CBS(conf-grp-intf-intf)# end
CBS#
NOTE: To prevent a loss of traffic to the VAP groups, consider spreading MLT interfaces across more than one NPM. In the case of an NPM failure, traffic can continue to flow on other NPMs.
4.3 MLT Group Interface Bridge
The MLT group interface bridge connects the Layer 2 bridge and the internal circuit for serialization, and then attaches to the LAN MLT group interface.
Figure 16. Create the Group Interface Bridge
In the following section you will create this portion of the configuration.
group-interface bridge
  interface-type gigabitethernet
  mode transparent circuit bridge
  interface-internal circuit SerialOne
  group LAN
4.3.1 Configure the group interface bridge to use MLT
Configure a group interface bridge using MLT.
Command:
CBS# configure group-interface bridge
CBS(conf-group-intf)#
4.3.2 Match interface types to the group interface MLT
Define the interface type as gigabitethernet or 10gigabitethernet.
Command:
CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)# exit
CBS(conf-group-intf)#
4.3.3 Define the mode for the bridge
Transparent mode allows ISS to provide the bridging mechanism.
Command:
CBS(conf-group-intf)# mode transparent circuit bridge
CBS(conf-group-intf)#
4.3.4 Associate the internal circuit with the group interface bridge
Connect the group interface bridge with the internal circuit for serialization.
Command:
CBS(conf-group-intf)# interface-internal circuit SerialOne
CBS(conf-group-intf-intf)# exit
CBS(conf-group-intf)#
4.3.5 Associate the MLT group with the group interface bridge and return to the main CLI context
The group interface bridge is attached to the MLT group interface, LAN.
Command:
CBS(conf-group-intf)# group LAN
CBS(conf-group-intf)# end
CBS#
4.4 WAN MLT Group Interface
The WAN group interface attaches physical interfaces to the wan circuit, and is defined as a multi-link circuit.
Figure 17. WAN MLT Group Interface
In the following section you will create this portion of the configuration.
group-interface wan
  interface-type gigabitethernet
  mode multi-link circuit wan
  interface 2/1
  interface 2/2
  interface 2/3
4.4.1 Create the WAN MLT group interface
Define the wan interface as a group interface.
Command:
CBS# configure group-interface wan
CBS(conf-group-intf)#
4.4.2 Configure the interface type and return to the interface configuration context
Define the interface type as gigabitethernet or 10gigabitethernet, and return to the interface configuration context.
Command:
CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)# exit
CBS(conf-group-intf)#
4.4.3 Define the interface mode
Define the interface mode as multi-link, and assign the circuit.
Command:
CBS(conf-group-intf)# mode multi-link circuit wan
CBS(conf-group-intf)#
4.4.4 Configure the physical interfaces and return to main CLI context
Assign interfaces to the wan group interface and exit the configuration mode. Using end returns you to the top level of the CLI, and prepares you for the next step.
Command:
CBS(conf-group-intf)# interface 2/1
CBS(conf-grp-intf-intf)# exit
CBS(conf-group-intf)# interface 2/2
CBS(conf-grp-intf-intf)# exit
CBS(conf-group-intf)# interface 2/3
CBS(conf-grp-intf-intf)# end
CBS#
NOTE: To prevent a loss of traffic to the VAP groups, consider spreading MLT interfaces across more than one NPM. In the case of an NPM failure, traffic can continue to flow on other NPMs.
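The constraints this chapter states are easy to violate when a configuration is typed by hand: max-load-count must equal vap-count before either application will install, circuits that carry VLANs to VSX need a device-name of at most 4 characters that is not “vlan”, and (per the NOTE above) MLT members should be spread across more than one NPM. The following Python script is an added example written for this guide, not Crossbeam software: it parses a configuration in the flat running-config style used in the “In the following section you will create this portion of the configuration” blocks and reports every violation it finds. Both embedded configurations are constructed for the example; the two-space indentation, the treatment of management circuits as exempt from the VLAN naming rule, and the function names are assumptions of the example, not XOS behaviour.

```python
# Added example for this guide (not Crossbeam software): pre-flight checks over
# an XOS configuration in the flat running-config style shown in this chapter.


def parse_config(text):
    """Parse XOS-style text into {section: {name: {parameter: value}}}.
    Top-level objects start at column 0; their parameters are indented
    (two-space indentation is an assumption of this example). Physical
    'interface' blocks are skipped because no check below applies to them."""
    objs = {s: {} for s in ("vap-group", "circuit", "group-interface")}
    kind, cur = None, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue                         # blank line or '#' separator
        kw = tokens[0]
        if not raw[0].isspace():             # a new top-level object
            kind = kw if kw in objs else None
            cur = objs[kind].setdefault(tokens[1], {}) if kind else None
        elif kind == "vap-group" and kw in ("vap-count", "max-load-count"):
            cur[kw] = int(tokens[1])
        elif kind == "vap-group" and kw == "ap-list":
            cur[kw] = tokens[1:]
        elif kind == "circuit" and kw == "vap-group":
            cur.setdefault("vap-groups", []).append(tokens[1])
        elif kind == "group-interface" and kw == "interface":
            cur.setdefault("ports", []).append(tokens[1])   # "slot/port"
        elif kw in ("device-name", "mode", "management-circuit") and cur is not None:
            cur[kw] = tokens[1] if len(tokens) > 1 else True
    return objs


def check_config(text, vsx_group="vsx", vlan_topology=True):
    """Return human-readable findings; an empty list means every check passed."""
    objs = parse_config(text)
    findings = []
    for name, g in objs["vap-group"].items():
        vaps, load, aps = g.get("vap-count", 0), g.get("max-load-count", 0), g.get("ap-list", [])
        if load != vaps:                     # VSX and IPS both require equality
            findings.append(f"vap-group {name}: max-load-count {load} != vap-count {vaps}")
        if len(aps) != vaps:
            findings.append(f"vap-group {name}: ap-list names {len(aps)} APMs for vap-count {vaps}")
    for name, c in objs["circuit"].items():
        # The 4-character / 'vlan' rule applies to circuits carrying VLANs to VSX.
        # Management circuits are skipped on the assumption that they carry no VLANs.
        dev = c.get("device-name", "")
        if not vlan_topology or vsx_group not in c.get("vap-groups", []) or c.get("management-circuit"):
            continue
        if len(dev) > 4:
            findings.append(f"circuit {name}: device-name '{dev}' exceeds 4 characters on a VSX circuit")
        if dev.lower() == "vlan":
            findings.append(f"circuit {name}: device-name 'vlan' is a Check Point reserved keyword")
    for name, gi in objs["group-interface"].items():
        slots = {port.split("/")[0] for port in gi.get("ports", [])}
        if gi.get("mode") == "multi-link" and len(slots) == 1:
            findings.append(f"group-interface {name}: all MLT members on NPM slot {slots.pop()}; an NPM failure stops traffic")
    return findings


# Constructed sample mirroring this chapter's topology: passes every check.
GOOD_CONFIG = """\
vap-group vsx xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap8 ap9 ap10
circuit SerialOne
  device-name Ser1
  vap-group iss
  vap-group vsx
circuit mgmt
  device-name mgmt
  vap-group iss
    management-circuit
  vap-group vsx
group-interface LAN
  mode multi-link circuit LAN
  interface 1/1
  interface 4/1
"""

# Constructed sample with one violation of each rule.
BAD_CONFIG = """\
vap-group vsx xslinux_v3
  vap-count 3
  max-load-count 2
  ap-list ap8 ap9
circuit SerialOne
  device-name Serial1
  vap-group iss
  vap-group vsx
circuit wan
  device-name vlan
  vap-group vsx
group-interface LAN
  mode multi-link circuit LAN
  interface 1/1
  interface 1/2
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_config(cfg) or ["no findings"])
```

Run the file directly to see the findings for both samples, or call check_config() on a saved copy of your own running configuration. Pass vlan_topology=False when no circuit carries VLANs to VSX, so that the naming rule is not applied; the vap-count and NPM-spread checks run in either case.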
4.5 Management Interface
Refer to Management Interface on page 29 to configure a physical interface for the shared management circuit. As an alternative, see Individual Management Circuits on page 45 for instructions on how to split the management circuits into individual interfaces.
Next Steps
Configuration of the serialized topology using MLT interfaces is complete. Go to Chapter 3 Application Installation on page 39 for information about installing the applications onto each VAP group.
Chapter 3: Application Installation
After completing the XOS configuration steps, you can install the individual applications. We recommend installing the applications in the order presented here.
Installation Considerations on page 39
Install and Configure Proventia Network IPS on page 39
Install and Configure Check Point on page 41
Installation Considerations
In addition to the Application Requirements on page 11, you should be aware of the following APM considerations:
Max Load and VAP count must be the same. In order to install Proventia Network IPS, the max load count must match the VAP count.
Module must be in the Up state.
IPS management interfaces must be Up.
Install and Configure Proventia Network IPS
The following section discusses the installation and configuration of Proventia Network IPS in a serial topology.
Application Prerequisites
Please refer to the IBM Proventia Network IPS documentation for a complete list of prerequisites and restrictions.
Installing Proventia Network IPS
Place the CBI (Crossbeam Installer) onto the X-Series system as described in the Installation and Configuration for IPS Deployments of IBM Proventia Network Intrusion Prevention System on Crossbeam X-Series Systems.
Install the Application onto a VAP Group
After copying the CBI to the X-Series system, install the application onto one or more VAP Groups.
At the XOS CLI prompt, enter the following command to run the Proventia Network IPS application CBI and begin the installation procedure:
CBS# application issprovg vap-group iss install
Interview Process
The ISS CBI displays the interview program and begins the installation. Below are example answers based on the serial topology described in this book. Complete the questions in the interview to install Proventia Network IPS. If necessary, refer to the Installation and Configuration for IPS Deployments of IBM Proventia Network Intrusion Prevention System on Crossbeam X-Series Systems.
This example interview installs Proventia Network IPS using the specified agent name iss, in protection mode (p) and defines the management circuit as the shared management circuit (mgmt).
CBS# application issprovg vap-group iss install
IBM Internet Security Systems, IBM Proventia Network IPS 2.0 release 1
Checking Bundle Integrity: [####################] 100% [ ok ]
Checking Dependencies: [####################] 100% [ ok ]
International Program License Agreement
Part 1 - General Terms
<License Disclaimer Here>
Press ENTER to read or 'q' to quit: q
Accept the license agreement? [n]: y
============================================================================
Answer the questions below to configure this application. Type '?' for help.
Change password for Proventia Manager user 'admin':
Password:
Confirm Password:
Agent Name? [Proventia_GC1200]: iss
Adapter Mode Configuration? [s]: p
Management Port Interface? [provgmgmt]: mgmt
Are any changes needed? [n]:
============================================================================
** A vap-group reload is required for the change(s) to take affect. **
Extracting Bundle: [####################] 100% [ ok ]
Installing issprovg on VAP iss: [######## ]
Once the installation is complete, you must reload the ISS VAP group.
CBS# reload vap-group iss
Proceed with reload? <Y or N> [Y]:Y
Configure Proventia Network IPS Using Proventia Manager
Use a Web browser and the IP address assigned to the management interface for the ISS VAP to log into Proventia Manager. Once you have logged in, you can configure the application and register with SiteProtector. For more information about accessing Proventia Manager, see Chapter 8 of the Installation and Configuration Guide for IPS Deployments of IBM Proventia Network IPS on Crossbeam X-Series Systems.
Install and Configure Check Point
The following section discusses the installation and configuration of Check Point VPN-1 Power VSX NGX R65 in a serial topology.
Application Prerequisites
Please refer to the Check Point documentation for a complete list of prerequisites and restrictions.
Installing the Application
Load the application as described in the Check Point™ VPN-1 Power VSX NGX R65 Installation and Configuration for Crossbeam X-Series System.
Install the Application onto a VAP Group
After loading the application, install VSX onto one or more VAP Groups, as follows:
1. Enter the following XOS CLI command to display the loaded applications:
CBS# show application
2. Enter the following XOS CLI command to install the application on the VAP group you created:
CBS# application vsx vap-group vsx install
Interview Process
Starting the application install displays the VSX interview program. Below are example answers based on the serial topology in the previous chapter. Complete the interview questions to successfully install the application. The following example installs VPN-1 Power VSX NGX R65 with the following information:
Specify the shared management circuit as mgmt, and the IP address that will be placed under the management circuit definition. The remaining IPs are calculated automatically by incrementing the management IP by one. The starting IP used in this configuration example is 172.16.19.66.
You will also need to specify the name of the synchronization circuit you configured (sync).
CBS# application vsx vap-group vsx install
This program will help you install Check Point Software Technologies Ltd. (TM)
VPN-1 Power VSX NGX R65 (R) software on the X-series platforms
Press Enter to continue ...
This End-user License Agreement...
<License Disclaimer Here>
Do you accept this license agreement? (y/n) [n]: y
Welcome to the Check Point VPN-1 Power VSX NGX R65 Configuration Program for the X Series platforms.
=========================================================================
This program will allow you to install VPN-1 Power VSX NGX R65 Enforcement Module on X Series platforms.
Checking available options. Please wait...
Configuring VAP Group "vsx" with VAPs: 1 2 3
Enter the interface name from which you want to manage the VSX system (): mgmt
Will this interface be used in non-DMI configuration, managed by a Remote CMA? (y/n) [n] n
VPN-1 Power VSX NGX R65 VAP Group vsx, VAP1
==>>Enter the IP address that will be used to manage the first cluster member
[NOTE: Because of increment-per-vap order restriction, IP addresses on management interface for remaining cluster members will be based on this IP address] (): 172.16.19.66
VPN-1 Power VSX NGX R65 VAP Group vsx, VAP2
==>>IP address for the management interface on this cluster member
[NOTE: Make sure this IP address is available ] (172.16.19.67):
VPN-1 Power VSX NGX R65 VAP Group vsx, VAP3
==>>IP address for the management interface on this cluster member
[NOTE: Make sure this IP address is available ] (172.16.19.68):
Enter the netmask for the management interface (): 255.255.255.0
Enter the name of the interface that will be used for synchronization with other cluster members (): sync
Please wait ...
You will now be prompted to enter a one time 'Activation Key' that
will be used to establish trust with the Check Point Management Server
NOTE: This Activation Key will be used for all VAPs in the VAP Group
Enter SIC Activation Key>
Again SIC Activation Key>
Central license information can be downloaded from the Management station.
Do you want to enter Local license information at this time ? (y/n) n
Do you want to Enable Check Point SecureXL? (y/n) y
Do you want to Enable High Availability/State Synchronization? (y/n) y
*******************************************************************
*                                                                 *
* At the Check Point Management Station, make sure that each VAP  *
* from this VAP Group is in the same VSX Cluster                  *
*                                                                 *
*******************************************************************
==================================================
Setup configuration is complete.
Do you wish to modify the configured settings? (y/n) n
------------------------------------------------------------
Performing System Checks
vsx_1: Validated. System Ready for VPN-1 Power VSX NGX R65 Installation
vsx_2: Validated. System Ready for VPN-1 Power VSX NGX R65 Installation
vsx_3: Validated. System Ready for VPN-1 Power VSX NGX R65 Installation
==================================================================
VPN-1 Power VSX NGX R65 will be installed/configured on the following vaps:12
=================================================================
If all VAPs are not reported as Validated above,
then this is an opportunity to exit this script by
choosing 'n' below. Then fix the problems
reported above and restart this script again.
Continue (y/n) ?: y
Once the installation has completed, you must reload the VSX VAP group.
CBS# reload vap-group vsx
Proceed with reload? <Y or N> [Y]:Y
Create Virtual Devices and Circuits Using the VSX GUI
The creation of VSX virtual devices and circuits is performed from the GUI. Please refer to the Check Point documentation for configuration information.
Chapter 4: Advanced Configurations
This chapter provides the following advanced serial configuration information:
IPS to VSX NGX R65 to IPS on page 45, which includes adding a second ISS VAP group and a third MLT interface.
Individual Management Circuits on page 49 provides information for configuring individual management circuits for each VAP group.
Multi-System High Availability Using VRRP on page 49 is a stepped procedure to configure Multi-System High Availability.
IPS to VSX NGX R65 to IPS
The configuration below defines three individual VAP Groups: a single Check Point VSX NGX R65 VAP group between two separate Proventia Network IPS VAP groups, with a third MLT interface added. Configuring Proventia Network IPS and VSX NGX R65 in this manner helps ensure that any client to client communication is inspected by both applications and their security policies.
See Figure 18 on page 46 for a high level diagram of this topology.
Figure 18. IPS to VSX to IPS
The configuration is provided, rather than broken into individual steps. If you need information about how to perform a specific configuration task, see the relevant section in Chapter 2.
vap-group iss xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap3 ap4 ap5
  load-balance-vap-list 1 2 3
  ip-flow-rule iss_lb
    action load-balance
    activate
vap-group vsx xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap7 ap8 ap9
  load-balance-vap-list 1 2 3
vap-group iss2 xslinux_v3
  vap-count 2
  max-load-count 2
  ap-list ap6 ap10
  load-balance-vap-list 1 2
  ip-flow-rule iss2_lb
    action load-balance
    activate
#
circuit mgtvsx
  device-name mgtvsx
  vap-group vsx
circuit mgtiss
  device-name mgtiss
  vap-group iss
    management-circuit
    ip 192.168.0.49/24 192.168.0.255 increment-per-vap 192.168.0.50
  vap-group iss2
    management-circuit
    ip 192.168.0.51/24 192.168.0.255 increment-per-vap 192.168.0.52
circuit sync
  internal
  device-name sync
  vap-group vsx
circuit lan
  device-name lan
  vap-group iss
    promiscuous-mode active
circuit wan
  device-name wan
  vap-group vsx
circuit dmz
  device-name dmz
  vap-group iss2
circuit bridge1
  device-name bridge1
  vap-group iss
    promiscuous-mode active
circuit bridge2
  device-name bridge2
  vap-group iss2
    promiscuous-mode active
circuit SerialOne
  internal
  device-name Ser1
  vap-group vsx
  vap-group iss
    promiscuous-mode active
circuit SerialTwo
  internal
  device-name Ser2
  vap-group vsx
  vap-group iss2
    promiscuous-mode active
#
interface gigabitethernet 1/1
  logical mgtiss
    circuit mgtiss
interface gigabitethernet 4/1
  logical mgtvsx
    circuit mgtvsx
#
group-interface lan
  interface-type gigabitethernet
  mode multi-link circuit lan
  interface 1/2
  interface 1/3
  interface 4/2
  interface 4/3
group-interface wan
  interface-type gigabitethernet
  mode multi-link circuit wan
  interface 1/6
  interface 1/7
  interface 4/6
  interface 4/7
group-interface dmz
  interface-type gigabitethernet
  mode multi-link circuit dmz
  interface 1/4
  interface 1/5
  interface 2/4
  interface 2/5
group-interface bridge1
  interface-type gigabitethernet
  mode transparent circuit bridge1
  interface-internal circuit SerialOne
  group lan
group-interface bridge2
  interface-type gigabitethernet
  mode transparent circuit bridge2
  interface-internal circuit SerialTwo
  group dmz
#
ip route 10.0.0.0/8 192.168.0.1 vap-group iss circuit mgtiss
ip route 192.168.0.0/16 192.168.0.1 vap-group iss circuit mgtiss
ip route 10.0.0.0/8 192.168.0.1 vap-group iss2 circuit mgtiss
ip route 192.168.0.0/16 192.168.0.1 vap-group iss2 circuit mgtiss
Individual Management Circuits
Multiple VAP groups are often managed over individual physical connections to the modules. With serialized applications it is often more efficient to manage both VAP groups using a single physical interface that is split internally.
However, if you expect a high level of log activity on your management circuit, you can choose to define separate physical management circuits. The following examples create individual management circuits for each VAP group.
NOTE: VSX automatically assigns the ip address for the management circuit during application install.
circuit mgmtiss
  device-name mgmtiss
  vap-group iss
    management-circuit
    ip 172.16.19.62/24 increment-per-vap 172.16.19.65
circuit mgmtvsx
  device-name mgmtvsx
  vap-group vsx
Multi-System High Availability Using VRRP
Multi-system high availability for the serialized topology is configured by creating nearly identical configurations on multiple systems. The only differences are the IP addresses and the priority value of the failover group. The systems are linked using a physical connection to the CPM through either the High Availability (HA) link or the management port.
IMPORTANT: For a high availability configuration to function, you must create identical VAP group and IP flow rule configurations on each X-Series System. In addition, each circuit must use the same circuit name, device name, and interface name on each system. When circuits are related to the ISS VAP group, the circuit IDs must also match on both systems.
To configure high availability with Check Point VPN-1 Power VSX NGX R65 as part of a serialized topology on an X-Series platform, we will use Virtual Router Redundancy Protocol (VRRP).
The information provided in this section is built upon the configurations already described in this guide. The steps in sections 5.1 through 5.4 should be performed during the configuration process (either single interface or MLT) provided in Chapter 2.
The final section, Configure Next Hop Health Check on page 54, must be completed after the installation and configuration of the VSX application, since it is dependent on VSX-named circuit information.
The configuration steps in this chapter are specific to configuring two systems for dual-box high availability (DBHA).
Configure the Remote System ID and IP Address on page 50.
Assign a Physical Interface to the Internal Synchronization Circuit on page 51, so that the two VSX VAP groups can communicate from one system to the other through a synchronized network.
Configure the VRRP Failover Groups on page 51. Create a failover group on each system.
Enable VRRP on the VAP Group on page 53. Enable VRRP and set the priority delta.
Configure Next Hop Health Check on page 54. Once the Check Point VPN-1 Power VSX NGX R65 application has been installed and configured, set the next hop health check.
For additional information about VRRP and High availability, see Chapter 12 Multi-System High Availability in the XOS Configuration Guide.
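The IMPORTANT note above is easy to violate by hand: a device name typed differently on the second chassis is enough to break failover. The following Python script is an added example, not code from the Crossbeam guide or from XOS. It parses running-config text written in the guide's CLI syntax (the flattened listings in this chapter included) into blocks, strips the items the note allows to differ (IP addresses, the failover group priority, the remote-box entry) and reports every remaining difference between two systems, plus the case where both failover groups carry the same priority. The two configurations embedded in it are constructed for the example, and the rules for which keywords open a block are an assumption derived from the listings in this guide, not an XOS specification.

```python
"""Check two X-Series running configs for dual-box HA consistency.
Added example, not code from the Crossbeam guide. The IMPORTANT note under
"Multi-System High Availability Using VRRP" requires identical VAP group, IP flow
rule, circuit, device-name and interface definitions on both systems; only IP
addresses and the failover group priority may differ. Configs are constructed."""
import re

# Lines the HA note allows to differ per system; everything else must match.
ALLOWED_TO_DIFFER = (
    re.compile(r"^ip \d"),          # management / per-VAP addresses
    re.compile(r"^priority \d+$"),  # failover group priority (not priority-delta)
    re.compile(r"^remote-box "),    # each system names the *other* CPM
)

def _is_block_header(tokens, current):
    """True if the line opens a top-level block. Keywords recur nested, so token
    shape and the enclosing block decide, not indentation (lost in the guide)."""
    head = tokens[0]
    if head == "vap-group":   # 'vap-group iss xslinux_v3' vs nested 'vap-group iss'
        return len(tokens) == 3
    if head == "interface":   # 'interface gigabitethernet 1/1' vs member 'interface 1/1'
        return len(tokens) == 3 and tokens[1][0].isalpha()
    if head == "circuit":     # 'circuit wan' is nested under 'interface ... / logical wan'
        return not current.startswith("interface ")
    return head in ("group-interface", "vrrp", "remote-box") or tokens[:2] == ["ip", "route"]

def parse_config(text):
    """Split a running config into {block header: [body lines]}."""
    blocks, current = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if _is_block_header(line.split(), current):
            current = line
            blocks.setdefault(current, [])
        elif current:
            blocks[current].append(line)
    return blocks

def failover_priorities(blocks):
    """Map failover group name -> VRRP priority (XOS default 100, step 5.3.2)."""
    prios = {}
    for header, body in blocks.items():
        tokens = header.split()
        if tokens[:2] == ["vrrp", "failover-group"]:
            found = [int(l.split()[1]) for l in body if ALLOWED_TO_DIFFER[1].match(l)]
            prios[tokens[2]] = found[-1] if found else 100
    return prios

def ha_mismatches(config_a, config_b):
    """Return the differences that would break failover between two systems."""
    raw_a, raw_b = parse_config(config_a), parse_config(config_b)
    keep = lambda s: not any(p.match(s) for p in ALLOWED_TO_DIFFER)
    a, b = [{h: [l for l in body if keep(l)] for h, body in raw.items() if keep(h)}
            for raw in (raw_a, raw_b)]
    problems = []
    for header in sorted(set(a) | set(b)):
        if header not in a or header not in b:
            problems.append(f"only on system {'A' if header in a else 'B'}: {header}")
        elif a[header] != b[header]:
            problems.append(f"differs: {header}: {a[header]} vs {b[header]}")
    pa, pb = failover_priorities(raw_a), failover_priorities(raw_b)
    for name in sorted(set(pa) & set(pb)):
        if pa[name] == pb[name]:   # equal priorities leave no preferred master
            problems.append(f"same priority {pa[name]} for failover group {name} on both systems")
    return problems

# Constructed excerpt for system A: single-interface topology plus the VRRP failover group.
SYSTEM_A = """\
vap-group iss xslinux_v3
  vap-count 3
circuit SerialOne
  internal
  device-name Ser1
  vap-group iss
    promiscuous-mode active
  vap-group vsx
circuit mgmt
  device-name mgmt
  vap-group iss
    ip 172.16.19.62/24 increment-per-vap 172.16.19.65
interface gigabitethernet 1/2
  logical wan
    circuit wan
remote-box 20 172.16.1.20
vrrp failover-group vrrp_vsx failover-group-id 200
  priority 200
  monitor-interface gigabitethernet 1/1
  virtual-router vrrp-id 10 circuit wan
"""

# System B: permitted differences plus a mistyped device name and a different monitored interface.
SYSTEM_B = (SYSTEM_A.replace("priority 200", "priority 100")
            .replace("172.16.19.62/24 increment-per-vap 172.16.19.65",
                     "172.16.19.72/24 increment-per-vap 172.16.19.75")
            .replace("remote-box 20 172.16.1.20", "remote-box 10 172.16.1.10")
            .replace("device-name Ser1", "device-name Ser01")
            .replace("monitor-interface gigabitethernet 1/1",
                     "monitor-interface gigabitethernet 1/3"))
```

Calling ha_mismatches(SYSTEM_A, SYSTEM_B) reports the SerialOne device-name and the monitor-interface as differences and stays silent about the priority, addresses and remote-box, which is what the note permits; in practice feed it two show running-config captures taken from the CPM of each chassis.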
Figure 19. Dual-Box High Availability
5.1 Configure the Remote System ID and IP Address
From each system, configure the remote system ID and IP address. The remote system ID identifies the other system; in this example it is 20. The IP address is the address of the CPM on the other system. Return to the main CLI context after completing the command.
IMPORTANT: When configuring multiple systems for high availability, each system must have a unique ID. If systems are configured with duplicate IDs, you run the risk of identical MAC addresses on a given circuit.
Command:
CBS# configure remote-box 20 172.16.1.20
CBS(conf-remote-box)# end
CBS#
5.2 Assign a Physical Interface to the Internal Synchronization Circuit
In the following section you will create this portion of the configuration.

interface gigabitethernet 4/2
  logical sync
    circuit sync
This physical interface provides an external link to the internal synchronization circuits within the VSX VAPs. It is this connection that allows the VSX vap groups on separate systems to communicate with one another.
Return to main CLI context after completing the command.
Command:
CBS# configure interface gigabitethernet 4/2
CBS(conf-intf-gig)# logical sync
CBS(intf-gig-logical)# circuit sync
CBS(intf-gig-logical)# end
5.3 Configure the VRRP Failover Groups
A failover group is a grouping of one or more virtual routers. A virtual router (VR) identifies the circuits and their associated VAP groups for high availability. Only a failover group, not the entire system or an individual VAP group, can fail over to a standby failover group on another system.
In the following section you will create this portion of the configuration on each system.
vrrp failover-group vrrp_vsx failover-group-id 200
  priority 200
  monitor-interface gigabitethernet 1/1
  virtual-router vrrp-id 10 circuit wan
    priority-delta 2
    mac-usage vrrp-mac
    vap-group vsx
  virtual-router vrrp-id 20 circuit SerialOne
    priority-delta 2
    mac-usage vrrp-mac
    vap-group vsx
Configure the VRRP failover groups on each system. The configurations should be identical, except for the priority value. The system with the lower value will assume the backup status.
5.3.1 Create the failover group vrrp_vsx
Create the failover group by assigning it a name (vrrp_vsx) and ID. The ID must be unique on this system, and must be the same on its counterpart failover group on the other system.
Command:
CBS# configure vrrp failover-group vrrp_vsx failover-group-id 200
CBS(conf-vrrp-failover-group)#
5.3.2 Set the VRRP priority
Set the VRRP priority. Valid values are 1 to 255. Default is 100. The chassis that has the failover group with the highest priority becomes the master for this failover group. Certain events, such as a link failure or a change in VAP group member count, decrement the priority. A chassis failover occurs if a failover group's priority drops below the priority of the failover group on the other chassis.
Command:
CBS(conf-vrrp-failover-group)# priority 200
CBS(conf-vrrp-failover-group)#
5.3.3 Determine which interface to monitor and set a priority-delta for each one
Determine which interface to monitor and set the priority-delta. In this serialized topology, the physical interface that belongs to the transparent (bridge) group interface is monitored; if there are additional bridge group interfaces, specify their interfaces here as well. The priority-delta decrements the failover group's VRRP priority whenever the interface fails.
Command:
CBS(conf-vrrp-failover-group)# monitor-interface gigabitethernet 1/1
CBS(conf-vrrp-failover-group)#
5.3.4 Create a virtual router template
Create a virtual router, assign an ID, and attach it to an existing circuit. VSX will use this template for creating and configuring virtual routers.
Command:
CBS(conf-vrrp-failover-group)# virtual-router vrrp-id 10 circuit wan
CBS(conf-vrrp-failover-group)#
5.3.5 Specify MAC usage on the VRRP virtual router (VR)
Specify MAC usage for VRRP.
CBS(conf-vrrp-failover-group-virtual-router)# mac-usage vrrp-mac
CBS(conf-vrrp-failover-group-virtual-router)#
5.3.6 Assign a priority-delta to the virtual router
Assign a priority-delta to the VR. The priority-delta decrements the failover group’s VRRP priority whenever an interface on the VR fails. The priority-delta can be 1 to 255. Default is 1. The priority-delta is added back to the priority when the interface returns to the Up state.
CBS(conf-vrrp-failover-group-virtual-router)# priority-delta 2
CBS(conf-vrrp-failover-group-virtual-router)#
5.3.7 Specify the VAP group of the VR
Specify the VAP group of the VR. The circuit named in 5.3.4 above must already be mapped to the VAP group. Then exit the context to prepare for the next step.
CBS(conf-vrrp-failover-group-virtual-router)# vap-group vsx
CBS(conf-vrrp-failover-group-virtual-router)# exit
CBS(conf-vrrp-failover-group)#
5.3.8 Configure the internal circuit for serialization as part of the failover group
Repeat 5.3.4 through 5.3.7 to include the internal circuit for serialization in the failover group:
virtual-router vrrp-id 20 circuit SerialOne
  priority-delta 2
  mac-usage vrrp-mac
  vap-group vsx
5.4 Enable VRRP on the VAP Group
In the following section you will create this portion of the configuration.

vrrp vap-group vsx
  failover-group-list vrrp_vsx
  hold-down-timer 60
  priority-delta 50
Once the failover group is configured and the VAP group is added to the failover list, configure the VAP group for High Availability.
5.4.1 Configure the VSX VAP group for failover
Enable VRRP on the vsx VAP group.
CBS# configure vrrp vap-group vsx
CBS(conf-vrrp vap-group)#
5.4.2 Specify the failover group list
Assign the failover group to a failover group list
CBS(conf-vrrp vap-group)# failover-group-list vrrp_vsx
CBS(conf-vrrp vap-group)#
5.4.3 Set the hold down timer
Use hold-down-timer to have a VAP group wait between 1 and 3600 seconds before becoming the VRRP master. This can prevent an application from dropping connections should a rapid failover occur from master to backup and back to master.
CBS(conf-vrrp vap-group)# hold-down-timer 60
CBS(conf-vrrp vap-group)#
5.4.4 Set the priority delta for the group and return to the main CLI context
Assign a priority-delta to the VAP group. Unlike the deltas in 5.3.3 and 5.3.6, which track interfaces, this value is subtracted from the failover group's VRRP priority when the VAP group itself degrades (the change in VAP group member count noted in 5.3.2) and added back when the VAP group recovers. The priority-delta can be 1 to 255. Default is 1. 50 is used here as an example.
CBS(conf-vrrp vap-group)# priority-delta 50
CBS(conf-vrrp vap-group)# end
CBS#
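To see what the numbers in 5.3 and 5.4 actually do before you trust them in production, here is an added Python model of the priority arithmetic; it is not code from the guide or from XOS. It assumes, per 5.3.2, 5.3.6 and 5.4.4, that each monitored item subtracts its priority-delta from the failover group priority while it is down and adds it back when it recovers, and that the chassis fails over once its effective priority drops below the peer's. The standby chassis priority of 100 and the monitor-interface delta of 1 (the default stated in 5.3.6) are assumptions; the remaining values are the ones configured above.

```python
"""Model the XOS VRRP priority arithmetic of sections 5.3 and 5.4.
Added example, not code from the Crossbeam guide. Assumptions: every monitored
item subtracts its priority-delta while down and adds it back when up; the
chassis fails over when its priority drops below the peer's; the standby runs
at the default priority 100; the monitor-interface delta is the default 1."""


class FailoverGroup:
    """One 'vrrp failover-group' as seen on one chassis."""

    def __init__(self, name, priority, deltas):
        self.name = name
        self.base = priority        # 'priority N', 1..255 (default 100)
        self.deltas = dict(deltas)  # monitored item -> priority-delta (1..255)
        self.down = set()           # items currently failed

    def effective_priority(self):
        """Base priority minus the delta of every item currently down (floor 0)."""
        return max(0, self.base - sum(self.deltas[i] for i in self.down))

    def fail(self, item):
        """Mark a monitored interface / VR circuit / VAP group as failed."""
        self.down.add(item)
        return self.effective_priority()

    def restore(self, item):
        """Item is back in the Up state: its delta is added back."""
        self.down.discard(item)
        return self.effective_priority()


def master(local, peer):
    """Name of the chassis holding the group: higher effective priority wins.
    Equal priorities return None; the guide states no tie rule."""
    a, b = local.effective_priority(), peer.effective_priority()
    if a == b:
        return None
    return local.name if a > b else peer.name


def failover_gap_ok(local, peer):
    """Design check: which single events on the master are able to hand the
    group to the peer? An event whose delta cannot close the gap between the
    two base priorities never triggers failover on its own."""
    return [item for item, delta in local.deltas.items() if local.base - delta < peer.base]


# Values from the guide's serialized VSX topology (sections 5.3 and 5.4).
GUIDE_DELTAS = {
    "gigabitethernet 1/1": 1,     # monitor-interface; delta not shown, default 1 assumed
    "vr10 circuit wan": 2,        # virtual-router vrrp-id 10, priority-delta 2
    "vr20 circuit SerialOne": 2,  # virtual-router vrrp-id 20, priority-delta 2
    "vap-group vsx": 50,          # vrrp vap-group vsx, priority-delta 50
}


def walkthrough(peer_priority=100):
    """Fail every monitored item on a master at priority 200, one at a time,
    against a peer at peer_priority (assumed). Returns (item, priority, master)."""
    primary = FailoverGroup("chassis-A", 200, GUIDE_DELTAS)
    standby = FailoverGroup("chassis-B", peer_priority, GUIDE_DELTAS)
    events = []
    for item in GUIDE_DELTAS:
        events.append((item, primary.fail(item), master(primary, standby)))
    return events
```

With the guide's values the deltas sum to 55, so walkthrough() shows a master at 200 keeping the group even after every monitored item has failed if the peer sits at the default 100. failover_gap_ok makes the design rule explicit: the gap between the two base priorities must be smaller than the delta of any event that should trigger failover. Against a peer at 160, for example, the VAP group delta of 50 fails over while the interface deltas of 1 and 2 never do.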
NOTE: Before continuing to the next step, you must complete the installation and configuration of Check Point VPN-1 Power VSX NGX R65.
5.5 Configure Next Hop Health Check
In the following section you will create this portion of the configuration.

vrrp failover-group vrrp_vsx failover-group-id 200
  virtual-router vrrp-id 22 circuit vsx_ckt_vsx_internal_ser1_3001
    vap-group vsx
      verify-next-hop 10.10.1.10
In order for the VSX VAP group to use VRRP, the application must be able to monitor the physical interfaces on either end of the topology. The VSX VAP group can monitor the physical interface to which it is attached. The ability to monitor the physical interface connected to the ISS VAP group was configured in step 5.3.3.
The next hop health check is an optional setting to verify IP connectivity from the VSX VAP group, through the ISS VAP group, and out to the next hop gateway. It is highly recommended to use both physical interface monitoring and the next hop health check.
After installing and configuring Check Point VPN-1 Power VSX NGX R65 application, return to the command line interface. To configure Next Hop Health Check, perform the following tasks.
5.5.1 View the VSX VAP group
Use the show run command to display the APM running configuration. To configure the Next Hop Health Check you will need information about the internal circuit for serialization between the VSX VAP group and the ISS VAP group.
Command:
CBS# show run
5.5.2 Select the internal circuit that connects the two VAP groups
Under the VRRP failover group configured previously, find the internal circuit that connects the VSX VAP group and the ISS VAP Group.
NOTE: The Check Point application appends information to the circuit name for internal identification.
Identify a usable circuit by looking for the following:
The name of the VSX application VAP group (in this guide, the VAP group is “vsx”)
The name of the internal circuit for serialization (in this guide, the internal circuit for serialization is “ser1”)
The vlan id you assigned to the circuit using the VSX GUI during application installation and configuration process (in this example, the vlan id used is “3001”)
In this sample copied from the running configuration, the VAP group name (vsx), the internal circuit name (ser1) and the VLAN ID (3001) all appear in the circuit name vsx_ckt_vsx_internal_ser1_3001:

virtual-router vrrp-id 22 circuit vsx_ckt_vsx_internal_ser1_3001
  priority-delta 2
  mac-usage vrrp-mac backup-stay-up
  vap-group vsx
    ip 10.10.1.1 255.255.255.0 10.10.1.255
5.5.3 Configure the next hop health check and return to the main CLI context
Use the virtual router identified above to configure the next hop health check.
CBS# configure vrrp failover-group vrrp_vsx failover-group-id 200
CBS(conf-vrrp-group)#
5.5.4 Specify the VRRP failover group
Specify the VRRP failover group.
Command:
CBS(conf-vrrp-group)# virtual-router vrrp-id 22 circuit vsx_ckt_vsx_internal_ser1_3001
CBS(conf-vrrp-failover-vr)#
5.5.5 Change context to configure the next hop health check
Change context to prepare for the next step.
Command:
CBS(conf-vrrp-failover-vr)# vap-group vsx
5.5.6 Configure the next hop IP, and return to the main CLI context
Configure the next hop IP check. Specify the IP of an external host (external to the X-Series platform) and return to the main CLI context. 10.10.1.10 is used here as an example.
Command:
CBS(conf-vrrp-vr-vapgroup)# verify-next-hop-ip 10.10.1.10
CBS(conf-vrrp-vr-vapgroup)# end
CBS#
Chapter 5: Troubleshooting
This chapter provides information to help you optimize the configuration process and troubleshoot minor issues.
Configuration Tips
Determine Your Requirements
Determine your specific topology requirements prior to beginning configuration.
Multiple CLI Sessions
You may find it useful to have multiple CLI sessions running on the CPM during the configuration process. Use one window to create the configuration, and validate your input by using the show running-config command in the other.
Tab key Validation
Use the Tab key to validate your command syntax. Type a few letters of the command and press the Tab key to complete the command. If the command is not available or is mis-typed, pressing Tab key will not complete the command.
[no] parameter
Use the [no] parameter to delete erroneous configuration entries.
Verify Your Configuration
Use the show running-config command to verify your configuration at any point during the process. It is useful to review the config for transposed letters or numbers. These errors are easily overlooked and can cause unpredictable results.
Context Sensitive Help
For context sensitive help, use the question mark from the command line to view the previously configured options. For example, use configure circuit ? to view all previously configured circuits and command options.
Troubleshooting
Any time you open a support case with Crossbeam Technical Support, make sure you run the command show tech-support and have the results available.
Application Installation
Things to check if you are having application installation issues:
With Proventia Network IPS:
Make sure the correct APMs are being used (see requirements Proventia Network IPS Requirements on page 12).
Verify that the ISS management circuit exists and is correctly configured (see Step 2.5.3 on page 25).
With VSX NGX R65:
Verify that the management circuit exists and is correctly configured (see Step 2.5.1 on page 24).
Use show circuit <name> to verify the internal sync circuit is correctly configured (see Internal Circuit for Synchronization on page 22).
Management Communications
If there are issues with management communications from the VAPs, verify that the appropriate routing is in place and that, if a domain name server (DNS) is needed, it is reachable and all configuration information is correct.
VAP Traffic Issues
For traffic issues with the Proventia Network IPS VAP:
Proventia Network IPS has a special tcpdump: /etc/iss/usr/sbin/tcpdump -i provg_1.
IMPORTANT: This will perform a tcpdump on all vlans and all bridges of the IPS blade. In a busy environment, this will have a significant impact on the system. The use of tcpdump filtering is highly recommended.
Run the command ifconfig and review the statistics.
Check LMI/SP for drops.
Use the Proventia Manager to check for dropped traffic.
For traffic issues with VSX NGX R65 VAP:
Perform a regular tcpdump on each interface.
NOTE: VSX uses Check Point SecureXL, which may prevent traffic from being seen on the egress interfaces. Should tcpdump be required on a given VS, run fwaccel -vs x off (x being the VS ID) before the tcpdump, and re-enable acceleration once the capture is finished.
Any time you perform VAP group troubleshooting, make sure you are in the right VS context (vsx set <vs-id>).
Make sure the correct policy is installed (vsx stat -v).
Review the FW log for dropped traffic.
Troubleshooting from the Command Line
Use these show commands to validate your configuration and pinpoint trouble areas.

show chassis
show module status <ap> [disk/memory/etc]
show ap-vap-mapping
show vap-group <name>
show application vap-group <name>
show run
show flow active source-address <address>
show flow-path active verbose source-address <address>
show flow distribution
show interface <name>
show group-interface <name>
show alarms
show logging console level <name>
show cp-redundancy
show redundancy-interface
Appendix A: Sample Configurations
This appendix provides the configuration generated by following the steps in Chapter 2. Use this appendix for reference, or in place of the steps.
Configuration of the Single Physical Interface Topology
This section provides the full configuration using the single physical interface steps described in Chapter 2.
#
vap-group iss xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap3 ap4 ap5
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule iss_lb
    action load-balance
    activate
vap-group vsx xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap8 ap9 ap10
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
#
circuit bridge
  device-name bridge
  vap-group iss
    promiscuous-mode active
circuit SerialOne
  internal
  device-name Ser1
  vap-group iss
    promiscuous-mode active
  vap-group vsx
circuit wan
  device-name wan
  vap-group vsx
circuit sync
  internal
  device-name sync
  vap-group vsx
circuit mgmt
  device-name mgmt
  vap-group iss
    ip 172.16.19.62/24 increment-per-vap 172.16.19.65
  vap-group vsx
#
interface gigabitethernet 1/2
  logical wan
    circuit wan
interface gigabitethernet 1/5
  logical mgmt
    circuit mgmt
#
group-interface L2Br
  interface-type gigabitethernet
  mode transparent circuit bridge
  interface-internal circuit SerialOne
  interface 1/1
    device-name lan
#
Configuration of the MLT Group Interface Topology
This section provides the full configuration using the MLT group interface steps described in Chapter 2, Section 4.0 Configure the MLT Group Interfaces on page 31.
#
vap-group iss xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap3 ap4 ap5
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule iss_lb
    action load-balance
    activate
vap-group vsx xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap8 ap9 ap10
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
#
circuit lan
  device-name lan
  vap-group iss
    promiscuous-mode active
circuit bridge
  device-name bridge
  vap-group iss
    promiscuous-mode active
circuit SerialOne
  internal
  device-name Ser1
circuit wan
  device-name wan
  vap-group vsx
circuit sync
  internal
  device-name sync
  vap-group vsx
circuit mgmt
  device-name mgmt
  vap-group iss
    ip 172.16.19.62/24 increment-per-vap 172.16.19.65
  vap-group vsx
#
group-interface lan
  interface-type gigabitethernet
  mode multi-link circuit lan
  interface 1/1
  interface 1/2
  interface 1/3
group-interface bridge
  interface-type gigabitethernet
  mode transparent circuit bridge
  interface-internal circuit SerialOne
  group lan
group-interface wan
  interface-type gigabitethernet
  mode multi-link circuit wan
  interface 2/1
  interface 2/2
  interface 2/3
#